Application of Risk Analisis in Processs Design

7/29/2019 Application of Risk Analisis in Processs Design

1/29

PART Vlll

APPLICATION OF RISK ANALYSIS INPROCESS DESIGN


2/29

INTRODUCTION TO PART Vlll

In the concluding part of the thesis we have made a case for inherently safer design as themother of all risk-reducfion exercises. We have also presented a methodology developedby us, and a case study to illustrate its manner of use, to facilitate inherently safer design.The following chapter is a reproduction of the paper accepted for publication in Journal ofLoss Prevention in Process Industries.


3/29

Chapter 19

INHERENTLY SAFER DESIGN BASED ON RAPID RISK ANALYSIS'

The importance of inherently safer design (ISD) as a strategy tominimise n'sk of accidents in chemical process industries is beingrepeatedly stressed in recent years. The increasing frequency, andextents of damage caused by such accidents across the world havecontributed to this thinking. However even as the need for ISD isbeing underscored, there are vely few reports on the precisemethods to implement this concept. S ignificant recent reports are byBerge (1993, 1995) who has suggested a scenariobased designprocedure in which construction of accidents scenarios in astructured manner is made the basis of ISD.We have been developing and applying the concept of rapid riskanalysis (Khan and Abbasi, 1995;1996a; 1997a; 1997b). In thispaper we present an approach to ISD utilising this concept. Webelieve, as detailed in this paper, that this approach is a significantimprovement upon Berge's procedure in terms of ease, speed, andeffectiveness.

Key Words: Risk analysis, inherent safety, Inherently safer design, hazard controlINTRODUCTIONRisks of accidents in chemical process industries, especially the ones hand ling hazardous* Accepted for publicanon In Journal ofLoss Preventiot~ n Process hrdustries, UK (kindly see page A 8)

399


4/29

substances andlor the ones involved with unit processes operating at extreme conditionsof temperature and pressure, can be reduced in two essential ways:a) providing safeguards such as early warning systems and damage control devices,once the plant is Commissioned;b) i n ~ r p o r a t i n gisk assessment as an essential input right at the design stage of aplant.The second of the options, which confirms to the adage, 'prevention is better than cure'is finding increasingly larger number of supporters from the industries as well asgovernmental regulatory agencies. This has resulted from the increasing awareness thatthe risks posed by chemical industries has increased over the year due to three factors:i) an ever larger numbers and types of new chemicals and processes are beinghandled,ii) the capacities of the plants are getting larger and larger,iii) the general trend of increasing population and habitation around industrial siteshas increased the risk to life and property from industrial accidents,We can see that those of the industries where safety has been taken care of at thebeginning of design are more inherently safe than others (Kletz, 1990a;1990b). Forexample, handling of large quantities of toxic and or flammable materials are inherentlyunsafe, while small quantities and/or non-toxic and non-flammable materials are inherentlysafe. Once a problem begins in an inherentiy unsafe plant, it may escalatecatastrophically, while in an inherently safe plant such a problem should not arise but, if itdoes, it is self-correcting or may escalate but to easily controllable extent (Kletz, 1991a;Marshall. 1987; Lawrence et a/. 1993). Therefore, it is almost self-evident that an

Inherently safe chemical plant is to be preferred over an inherently unsafe one, no matterhow safe the latter is made by controlling the hazards. Furthermore, it is always preferableto achieve safety inherently rather than by modification, because then the probability ofunforeseen events causing a problem is drastically reduced.Safety and economy: Central to the concept of inherently safer design (ISD) is the criteriaof safety-cost optimisation. These aspects of safety and economy are both equally~m portant o the interest of society. In the course of designing any plan t one often has tobalance parameters which pull in opposing directions vis a vis benefit-cost considerations.While attem pting ISD, the main challenge before the designer is to use the different designparameters such that the product satisfies both the safety and the economy aspect. Asdesign is basically an interactive process, starting with an idea and ending with a finalproduct through a number of modificatlons, short iterative loops linking modifications.costs, and safety benefits would increase the opportunity to find optimal solutions withlesser time and effort.APPLICATIONS OF RISK ANALYSIS TECH NIQUES TO ISDRisk analysis has been used in the chemical process industries to assess the risk posedby the operation of equipment and processes (AIChE, 1989; Khan and Abbasi, 1995). Inother words, risk analysis has been a means to evaluate dynamic processes constituting anumber of activities associated with chemical industries. Historically, the use of risk


5/29

analysis has been as a means of verification of design and is performed subsequent todesign. For this reason, risk analysis has had a rather passive role and has not beennormally considered as a design tool. Admittedly, the safety aspects have been consideredas a part of the design premises, but have not been handled as among the parameterswhich control the basic design strategy. Thus, safety aspects have been mainly sewing asthe verification criteria with a week feedback to the design process. This appears to be anillogical way of handling the safety aspects and has not been contributing to the cost-effectiveness of the design. Worst still, keeping risk analysis outside the puiview of designengineering creates the impression that design engineers are free from the responsibilityof considering risk as one of the design parameters.

We find two main reasons for introducing risk analysis as a tool for inherently saferdesign:1. design Premises should be extended to incorporate environmental and accidentalaspects in addition to purely technical requirements;II. the new elements of design premises include physical processes that are complex

and difficult to predict with traditional analytical mathematical methods. Anuncertainty in predicting the behaviours of such parameters may cause errorswhich subsequently may lead to total and catastrophic failures.lnspite of being of great importance, and having high potential of solving hazard-relatedproblems, application o f risk assessment studies during design s tage have not been givenproper attent~on. n dec iding any strategy, dealing with hazardous chemicals or severeoperating conditions, risk assessment is ignored most of the time. This situation isparticularly serious in developing countries which do not give as much importance as iswarranted to the environment and social safety.In general, industries consider capital investment, operational costs, maintenance

costs and srnsoth operation as the only relevant factors for design and associateddecision-making. Hcw ever, when a mishap or acc ident occurs either due to a mistakeof an operator or malfunctioning of an equ ipment, the consequences are oftendevastating. The accidents which have occurred at Flixborough in 1976, Bhopal in 1984,Besel in1984 and Mumbai in 1995 and hundreds of other places are examples, whlchillustrate t h ~ s point. Even if the frequency of occurrence of such accidents is low, theyneed very serious consideration because once the accident does occur, its impact is oftencatastrophic.The past attempts o n the application of safety study during early stages of designhave been made by Ramshaw (1985 ), Butcher (1990 ), Kletz (1990a,1991a,1991b),

Rogers and Hallam (1991) and Mansfield and Cass idy (1994). Kletz has discussed~nheren t afety, need of inherent safety, and effectiveness o f inherent sa fety. Rogers andHallam (1991) have reiterated the need of inherent safety and have suggested anapproach based on characteristics of chemicals. This approach highlights the~mplementation f inherent safety by evaluating the characteristics such as: intermediatesproduced, reagents used, material compatibility, catalysts used, and solvents used.Rushton et a / . (1994) have discussed inherent safety in the context of computer-aideddesign. The authors gave an overview of inherent safety, computer aided design, andneed of cons~dering nherent safety in computer aided process p lant design. Edwards and


6/29

Lawrence (1993) have discussed inherent safety and the cost of its implementation. Theyhave also proposed an index to assess the inheren! safety of the plant either in operationstage or in design stage. The index considers 16 different parameters empirically. By andlarge past reports on inherent safety have emphasised the importance of this concept andsome authors have suggested implementation of Inherent safety by virtue of removinghazardous options, which is essentially a qualitative approach. Thus far, no systematic andstructured scheme or procedure has been suggested to quantify and rank the hazardousoptions (particularly at design stage) in order to im plem ent inherent safety.

Berge (1993) has proposed a 'scenariobased' method for design, considering safety atinitial stage. Subsequently he has further modified this concept (Berge, 1995). Theresultant procedure consists of four steps: establishment of proposed solution,identification of loads (hazards), prediction of hazards, and measuring consequencesagainst acceptance criteria (Figure 1). The second o f these steps- identification of hazards- is implemented by developing scenarios. in the th ird step, the developed scenarios areassessed in detail for the consequences. Finally these consequences are compared withthe acceptance criteria.This is a good scheme for considering safety as an input to design at the initial stage ofthe design process bu t has the following limitations.i) It recomm ends the use of event analysis for the development of scenarios (Figure1). Event analysis is a cumbersome process which needs extensive data inputs(reliability data of each component, opera tional data, e tc.) and considerable time todevelop an accident scenario (event tree developm ent and evaiuation). Theseinputs are not available during the early stages of design. Further any error in thistype of data may lead to erroneous scenarios and may seriously effect the finaldesign. Moreover, event tree development and evaluation for generating accidentscenarios is an additionally tedious task.

The authors believe that their alternative of developing the most credibleaccident scenario (MCAS) on the basis of past experience, frequency ofoccurrence, operation details, and quantity of chemicals in the process is a betterapproach , as it gives sufficiently reliable scenarios with considerably lesser efforts(Khan and Abbasi, 1996a; 1997a; 1997b). Moreover, at this stage of the designprocess, the designer is more concerned about estimation of probable hazardsrather than exactly determining sequence of events, so that the final design takesthat into considerat~on. t has been observed by past case s tud~ es Marshall, 1987;Pietersen, 1990; Lees, 1996; Khan and Abbasi, 1996a; 1997a; 1997c) thatscenarios developed using maximum credible accident scenario (MCAS) conceptgive good estimation of scenario (around 90% the same scenario as beenreported by sophisticated techniques i.e. event analysis with reasonably accuratereliability data).

ii) This scheme consists of two iterative loops, one for generation and verification ofaccident scenarios, and second for the verification cf design as per acceptancecriteria. These authors feel that the first of these iterative loops can be eliminatedby using a simpler and easy-to-use techniqde such as MCAS. This would lead tofaster implementation of procedure (saving of about 30% of the total time) withoutany change in the accuracy of the final results.


7/29

Acceptancecriteria

design

Figure 1. Scenariobased design method (Berge-1995)


8/29

iii) Scenariobased method has suggested six different acceptance criteria and alsodescribed a link between a particular type of accident scenario (damaging events)with particular acceptance criteria. It makes the design process still more tedious,because for a plant there would be a number of accident scenarios of wide variety(at least one scenario for each unit) and hence designer has to check each timewhat criteria should be followed.The authors feel that a com mon acceptance criteria (sufficiently incorporating the effectof each type of damaging effect) would solve this problem and would make the wholedesign process simpler and faster (saving -15% of the time).Keeping the above points in view, the authors have proposed a simplified and easy-to-implement design procedure termed as ra pid risk analysis based design. A comparison ofrapid risk analysis bas ed design (RRABD) procedure with scenariobased design method isgiven in Table 1. A brief discussion on inherent safety and a description of the RRABDdesign procedure developed by us is presented below. A case study illustrating the use ofour procedure is also presented.

INHERENTLY SAFER DESIGNThe concept of inherently safer design was first expounded by Kletz (1976) whilediscussing the lessons of Flixborough. He has spoken about and published widely on thesubject ever since. At first, interest in inherent safety was limited, but the appalling loss oflife at Bhopal in 1984, which was associated with the convenient, but not essential,storage of a highly toxic reactive intermediate (Methyl-isocyanate), gave a strong impetusto discussions on inherent safety. A few important papers on this topic have appearedrecently (Kletz, 1991a:1991b;1992; Rushton et al. 1994; Edwards and Lawrence , 1993;Roger and Hallam, 1991; and Lawrence et al. 1993). One possible reason that ISD has notcaught on as much as it should have, is the perception that ISD is a costly and non-opt~mum pproach. These authors have examined these. This is not true, If one analysesthe total cost and financial loss due to any mishap with the probability of occurrence, thenof course, the optimum solution will be the more safer design. For example, storage of ato x~ c chemical under a high pressure can be don e in a number of storage vessels otherthan installing one big storage vessel. This, of course, (more number of vessels) willincrease capital investment. However, on considering hazard potential and frequency ofoccurrence, it will be the optimum solution. A detailed description of optimisation andsafety has been discussed by Kletz (1990b,1991 b,l 99 2) , and Taylor (1982).

The essence of inherently safer design is to avoid or remove hazards rather than addprotective equipment to control them (which would add to the costs) ISD is built on theedifice of five actions (Kletz. 1990a; Edwards and Lawrence , 1993):

intensification -using less of a hazardous material;attenuation -using a hazardous materials in a less hazardous form;substitution -using a safer material;limitation -minimisation of the effect of an acciden t;simplification -reducing the opportunities for error and malfunction.


9/29

Table 1: Com parison of scenario based design method (Berge-1995) with these authors'rapid risk analysis based design procedure

Scenario based design m ethod Rapid risk analysis based design process

1. It requires two iterative loops2. Scenarios are developed using eventanalysis3. The final design is based on the damagepotential estimated using computationalfluid dynamics models.

4. It suggests use of different acceptancecriter~a ccording to the type of dam agingevents

1. It requires one iterative loop2. Scenarios are developed using MCASconcepts3. The final design is based on r ~ s kactorswhich represent cumulat~ve ffects ofdamage potential and probability ofoccurrence4. It suggests use of a s ingle acceptancecriteria based on risk factor

5. For a sample case study (discussed indetail in this pape r) it ha s beer1 obse rvedthat this procedure takes 4 5% less timecompared to scenario-based procedure,with compa rable accuracy


10/29

It is imperative that inherent safety is considered right at the outset of the designProcess, when fundam ental decisions which could nave a large impact on inherent safetyand cannot be altered later, are made. The choice cf route (process and its step) is the keyearly design decision which influences the inheren! safety of the plant. For example, if theroute involves a hazardous intermediate, it would b e unavoidably present in the final plantand we can only try to reduce its amount, and/or in tv duce ways to attenuate the hazard . Ifwe can find an alternative route which may not invo 've a hazardous intermediate that routewould be more inherently safe,

For example, an alternative route at Bhopal coui3 have saved the lives of 2500 people,because there would have been no methyl isocyanate intermediate to escape. One suchalternative route uses the same raw materials as :he Bhopa l plant did - an Israel-basedcompany Makhteshim, manufactures the same end product carbaryl using alpha-napthai,phosgene and methylamine. In this process meth i'-isocyana te is not produced at all. It ISof course likely that the alternative may embody s o r e other form of hazard; we would thenhas to study the trade-off.There are three main classes of hazards with which process engineering is concerned :fire, explosion, and toxic release. The assessment of inherent safety must requireestimation of the potential for loss from each of tnese. In principle, the ability to makeestimates relies on knowledge of three factors which in crude terms are:how nasty -that is, what is the flammability, exp.osiveness or toxicity of the material inquestion ?how much -that is, what is the amount of materia: tnat can contribute to the hazards?how often -that is, what is the expected frequency of the hazard, in the absence of anyspec ial measures to prevent it ?In order to assess the inherent safety of a process, it is necessary to estimate thesethree quantities and combine them in some way (i.e. assess the risk factors). This is notslmple because even where there is an agreed s c ~ l eor the quantities themselves, thereis no agreed me thod of combining them. On the otner hand, it is not vital that assessment

is very accurate because the aim is to aid to decision-making in design by keeping firmly inview the poten tial for loss. The quantification of inherent safety is not an end in itself. Forthls reason, indication of the direction and m a ~ n i t u d e f change in inherent safetyconsequent on a given decision is valuable, even if the positions before and after thedecision can no t b e quantified (Kletz, 1992; Rushton et a/. 1994).Not only the hazard but costs and energy consumption may also be reduced byemploying smaller quantities of hazardous substances. However, this aspect is not

entirely simple; it is difficult to say whether a smaller quantity of a more hazardouschemical is preferable to a larger quantity of a less hazardous chemical because there isno agreed scale of measurement of 'total hazard'(Rushton e ta /. 1994; Khan and Abbasi,1995;1996a;1997b).Rapid risk analysis based design (RRABD) is a tsol to aid in such decision-making andin general implementing ISD. A brief description of RRABD in presented below.


11/29

RAPID RISK ANALYSIS BAS ED DESIGN (RRABD)A rational application of inherently safer design concept calls for techniques which mayevaluate each design option in terms of associated hazard and its impact on the plantand the surroundings. Rapid risk analysis based design is a new procedure we proposefor such a study. By using RRABD approach it is easy to evaluate various design optionsand select the optima l one.

Design premises include a lot of requirements that need to be fulfilled (Figure 2). Theseare often in conflict with each other and the optimum solution is rarely straight-forward.Figure 3 illustrates the interactive and iterative nature of a design process.If we apply the typical design process as shown in Figure 3 with safety consideration,we ge t a design cycle as illustrated in Figure 4 . This design cycle (rapid risk analysis baseddesign) describes the frame of reference for the inherently safer design. The main stepsthat constitute the RRABD procedure are as follows:a) Define a set of accident scenarios, based on leg islation , standards, codes and

experiences. Use them as design premises.b) Define acceptance criteria for the project. Consider the acceptance criteria also aspart of the design prem ises.c) Propose a design solution (or modification to existing design).d ) Perform deterministic calculations on the basis of defined accident scenarios andthe proposed geometry.e) Evaluate the results (risk factors) against acceptance criteria.f) Repeat step c) to e) until acceptable design is reached.g) Evolve the acceptance criteria during the design process to cope with the specificelements in the proposed design.A brief description of the key elements of RRABD is presented below.

Accident scenar io generat ionAn accident scenario is a description of an expected situation. It contains single events orcombinations of events. The objective of the design would be to avoid the scenario ordrastically reduce the probability of its occurrence. We shall henceforth call accidentscenario simply scenario.

The expectation of a scenario does not mean it will indeed occur, but that there is areasonable probability that it would occur. A scenario is neither a specific situation nor aspecific event, bu t a description of a typical situation that covers a set of possible events orsituations (Berge, 1993; Mansfield and Cassidy , 1994; Lees, 1996).The purpose of a scenarioConstruction of a scenario achieves the following objectives:i) It is the basis of risk study; it tells us what may happen so that we can devise waysand means of preventing or minimising the possib~lity.A scenario can influenceseveral aspects of the design.


12/29

Environmental constraintsonsile environmental requirements

. worklng environmental requirementsOff-s ite environmental requirements

,*//Sechn!ca! constraintstechnical requirements Accident load endeconomic requirements safety constraints

.on-site personnel safetyoerat~onal equirements'.. product specification ,. .off- site personnel safety.require ment of safe ty ofinvostments

Figure 2. The main constraints involved in thedesign p rocess


13/29

4 - - - Design premisesTechnicalConstraints

Evaluation of resultsuFigure 3.Conventional cycle of design process


14/29

bI Propo sed design 1-~esign premises

Evaluation of resultsLFinal d e s ~ g nr"?

R i s k A n a l y s i sSa fe ly andenvironmental conslralnts

Scenario generation

Figure 4 . The algor i thm of rap id r isk analysis based designprocedure


15/29

Example: An expected leak of toxiclflammable chemical can affectlocation of gas detectors,location of ESD valves and other valves ,insulation of equipment,load to st~cture/equipm ent,poisoning of people,operational procedures,location of fire fighting equipment,emergency preparedness equipment.

i) A scenario forms a focal point of a heuristic process. It enables use of the wisdomof hindsight (experiences of past accidents) and state-of-the-art knowledge (toevaluate its impact) in forecasting accident situations. The forecast is fed back tothe past and the present knowledge for generating new knowledge. A scenario isthus a reference point as well as a link between the past, present, and future. If,upon the analysis of scenario we reach the conclusion is that is not representative,we alter the scenarios. This altering requires updating of existing design orprocedures. The conclusion could also be that the scenario was relevant, but thechoice of design means was not relevant. In that case the scenario is valid, butmeans chosen is not good enough for the purpose. That is also a useful input inRRABD and ISD.

A scenario description contains two sets of information: a description of the situationand the expected frequency of occurrence. The description of the situation must notrecuce the freedom of finding solutions and must not restrict the means available forsoiution. A good accident scenario should describe the most prime cause of an event. Asan example: define a leak rate instead of explosion pressure because here, one could gofurther and describe the cause of the leak as well. However, the purpose of a scenario is tobe Input to a de terministic calculation (consequence analysis).

Definition of scenarios must take place in the beginning of a project; the earlier thebetter. At this time little knowledge may be available about the proposed product; too littleto perform an event analysis; event analysis being defined as a systematic analysis of theproposed design to identify accidental events and their frequency of occurrence (reliabilityassessment). The analysis concludes with a set of relevant scenarios that represents theevents identified. The analysis may also consider operational procedures to decidescenarios which in reality may not be available at such an early design stage. It istherefore practical to define scenarios on the basis of maximum credible accidents; inother words accidentai scenarios with a reasonable likelihood of occurrence.Consequence analysisConsequence analysis involves assessment of likely consequences if a scenario doesrnaterialise. The consequences are quantified in terms of damage radii (the radii of thearea in which the damage would readily occur), damage to property (shattering of windowpans, caving of buildings) and toxic effects (chroniclacute toxicity, mortality). Theassessment of consequence involves a wide variety of mathematical models. For examplesource models are used to predict the rate of release of hazardous material, the degree offlashing, and the rate of evaporation. Models for explosions and fires are used to predict


16/29

the characteristics of explosions and fires. The impact intensity m odels a re used to predictthe damage zones due to fires, explosion and toxic load. Lastly toxic gas release anddispersion models are used to predict human response to different levels of exposures totoxic chemicals. The dependence among various wnsequence models is shown in Figure5.

As consequence analysis is a part of an iterative cycle (RRABD design cycle); the abilityto perform the calculations quickly is vital for the ability to reach optimum solutions withinacceptable time-span. Today cost means a lot and the difference between 'good' and 'notso good' sol~t ionscan be the difference between a profitable and a not profitableinvestment.Acceptance criteriaRisk is commonly defined as likelihood of an undesirable happening; its severity being acombination of its Propensity for damage and the frequency of the occurrence. Attemptshave been made since long to find a general way to express risk so that one may be ableto compare risk between different kinds of activiti~s.But despite all the past efforts theclosest we have reached to this goal is to divide risk into three classes: risk to personnel(individual), risk to economy and risk to environment.

There are three groups of design acceptance criteria:1. system related criteria that sets the acceptance level for a system;2. s~ ng le component related criteria that set the acceptance level for singlecomponents:3 . dynamic related criteria that set limitations for an abnormal situation's dynamicdevelopment;Example of a system related acceptance criterion is: The main structure shall maintainit's ~ ntegrityor all type of loads with a frequency above l o 4 year. Exam ple of componentrelated acceptance criterion is: an instrument ccnnections shall remain sealed under~nfluen ce f loads with a frequency above l o 4 yea:. Exam ple of a dynamic related designacceptance criteria is: an abnormal situation must not have the probability of more than0.1% to escala te to a more critical abnormal situation.I . There must be a logical connection among the three groups of design acceptancecriteria. We may develop other criteria based on these criteria. Here are someexamples of other types of acceptance criteria:II. FAR (fatal accident rate) criteria. It is most commonly used as measure of risk.I l l . ALARP (as low as reasonable practicable) principle. it has no defined risk level,but reduction of risk being a continous endeavour, it allows for as low risk asprevailing technology allows; in other words what is, econom ic all^ defensible.IV, prescriptive solutions. It recommends standard prescriptions as solutions andmethods for design of equipment and systems. This is a rigid criterion with littleroom for situation-adapted solutions.V, Prescriptive functionality. It prescribes the functionality Of a System or a

component. This criterion provides the opportunity for situation-adapted solutions.


17/29

Figure 5. Consequence analysis diagram showing probableinteraction among different events


18/29

At the same time, it requires documentation of the fulfilment of the functionality.The principle calls for competence, innovation and advanced engineering tools inorder to have its potential realised to the full.VI. Accepted influence. All kinds of activities influence their environment to a certaindegree. The accepted influence criterion is based on the principle that restrictionson activities should relate to their influence on the surroundings. The acceptablelevel of influence is determined by the resilience of the surrounding to get back toits original start after the perturbations has caused and the surrounding's ability tomaintain its function during the perturbations.There are hvo conditions an acceptance criteria must meet to b e a valuable in design:i) The designers must understand the criteria; in other words engineers working inthe different disciplines must understand the implication o f the criteria.ii) It must be possible to compare the results from consequence analysis with thecriteria.For RRABD these two conditions are crucial; as it is the designer's obligation tocompare his proposed solutions with the acceptance criteria. In the opinion of theseauthors ALARP is the best criteria.We now present a case study in which RRABD design procedure has been used intaking decisions pertaining to design.

CASE STUDYProblem statementThe case study pertains to an industry engaged in manufacturing glycol and polyol, byusing propylene and propylene oxide as main raw materials.

The industry procures the two raw materials from a nearby petroleum refinery. Asthere are frequent interruptions in the availability of raw materials, the production getsinterrupted at least once every month. To circumvent this prob lem, the management ofthe industry has decided to enhance the storage capacity of the two key chemicals(propylene and propylene oxide) in order to meet the requirements of the plant for 15days without interruption. After a detailed cost-analysis study, the industry has come outwith six different options (design of various type and variant capacities of storage vessels)to meet the said requirements. These options are listed in Tab le 2. The management ismost interested in option 6 as it is the m ost cost-effective.A detailed study is carried out for each option using the RR AB D design proceduredetailed earlier before making any firm design decision in order to achieve inherentsafety, The step-by-step results of the study are presented in the following sections.

Scenario generationProDvleneThe most credible accident scenario for propylene storage has been generated (takingthe help of past case studies and considering the vulnerability of the unit) for eachoption as listed in Table 3. The accident scenario for options 1,3,4 and 5 has beenenvisaged as BLEVE (boiling liquid expanding vapour explos ion) followed by a fire ball.


19/29

Table 2. List of options and their details

Option Number of vessels m i o n a l Conditions Capital InventoryNumber 'capacity Temperature Pressure Investment(MT),shape OC kPa Rs(1akhs) (days)

Propylene1 2'125 bullets2 1'400 spheres3 2'80 bullets4 2'80 bullets5 3'80 bullets6 1'250 spherePropylene oxide1 1'300 sphere2 2'150 bullets3 2'1 34 bullets4 2'100 bullets5 3'1 34 bullets6 1'250 sphere


20/29

The accident may be caused as follows: a leak in pressurised storage vessel ofpropylene may cause sudden release of chemical. The boiling liquid expanding vapourmay meet an ignition source -even heat energy generated due to explosion could besufficient to ignite propylene -tur ni ng in to a fire ball.The accident scenario for options 2 and 6 have been developed as CVCE (confinedvapour Cloud explosion) followed by a fire ball. It is because high pressure build-up in thevessel, either due to heat stratification, over-filling or shock absorption, may lead to aneXplOSi~e elease of the chemical as CVCE. The released chemical on meeting heatsource may ignite instantly resulting in a fire ball. Th is scenario has been verified bythe past case studies .in which similar accidents have been reported to have occurred(Marshall, 1987; Prugh, 1991; Lees, 1996).The accident scenario anticipated for options 2 and 6 is different from options 1,3,4 and5 because options 2 and 6 involve storage of chemicals in large quantum (horton sphereswith large capacity) under extreme conditions of pressure and temperature. This makesthe system more vulnerable to failure as confined explosion because the high pressure

build-up in a vessel is directly proportional to the capacity of the chemical, storingpressure and such physical properties of the chemical as vapour pressure and specificheat.

The accident scenario for propylene oxide has been developed as BLEVE (boiling liquidexpanding vapour explosion) followed by fire ball (Table 4). This accident may occur in amanner similar to that explained for propylene vessel. A leak in the storage vessel maylead to sudden release of propylene oxide (stored under high pressure) forming BLEVEand as the chemical is highly flammable, it soon gets ignited to a fire ball. This scenariois common for all storage vessels (spheres as well bullet shaped ones). It is because, ,the pressure and temperature at which propylene oxide is stored are not so high as toeasily exceed explosion pressu re limit and causes CVCE. Thus, the most credible accidentscenario for these vessels is visualised as BLEVE followed by fire ba il.Consequence analysisThe software MAXCRED (Khan and Abbasi, 1996b) has been used to estimate thedamage potential (consequence assessment) of each option of storage of propylene andpropylene oxide. The results of MAXCRED -based simulations are presented in Tables 3and 4. It is clear from Tab le 3 that option 2 (sphere of 400 MT capacity) has maximumdamage potential due to the simultaneous impact of various dam aging effects (heat load,overpressure, missiles). Dam age of 50% probability due to overpressure (shock wave)would be occur across an area of -1822 meters radius. Similarly, Tab le 4 which presentsthe damage potential for propy lene oxide storage reveals tha t options 1 and 6 havemaximum damage potentials. The radii for 50% probability of dam age would extend upto-400 meters from the acc ident epicentre. It is evident from the Tables 3 and 4 that thedamage potential for various options of propylene oxide storage are lower compared tothat of propylene.

Further a detailed study has been conducted to analyse the likelihood of domino effect(chain of accidents). For this purpose a software package DOM IFFECT (Khan and Abbasi,1996c) has been used. The results are presented in Tables 5 and 6. Table 5 reveals that


21/29

Table 3. The damage potential of each option for propylene

Options Accident scenario Damage distance, meters, due to Max~ rnum amagedistance, rnoverpressure missiles heat load

1 B L N E ' + fire ball 975.7 1173.4 225.7 975.72. CVCE" + fire ball 1822.1 21 30.4 403.7 1822.13. BLEVE +fi re ball 739.0 1094.3 180.5 739.04 BLEVE + fire ball 739.0 1094.3 180.5 739 .05. BLEVE + fire ball 739.0 1094.3 180.5 739.06. CVCE +fire ball 1123.5 1937.2 319.2 1123.5

' Boiling liquid expanding vapor explosion@ Confined vapor cloud explos ~on.S The pro bab~ lity f meeting target is not considered


22/29

Table 4. T he dam age potential of each option for propylene oxideOptions Accident scenario Dam age distance, meters. due to Maxlmu m damage-- distance, m

overpressure missile' heat load1 BLEVE' + fire ball 499.9 954.4 285.7 499.92. BLEVE +fire ball 396.7 900.4 201.7 362.23. BLEVE + fire ball 362.2 875.2 190.9 382.24. BLEVE +fir e ball 346.7 809.5 154.9 346.35. BLEVE + fire ball 382.3 675.2 190.9 382.36. BLEVE +fir e ball 425.7 824.5 210.2 425.7

Boiling lhquid exp and ~ng apor explosion$ The probability of meeting target is not wnsldered


23/29

Table 5. Results of domino effect analysis for propylene

Options Area under Probability of Risk factorsevere threat domino effect ---.-------------------(meters) (%) asset fatality


24/29

Table 6. Results of domino effect analysis for p ropylene oxide

Options Area under Probability of Risk factorsevere threat domino effect -------------------- ........................(meters) ( O h ) asset fatality1 285.7 15.4 1.43E-03 1.88E-042 201.2 11.2 5.07E-04 7.18E-053 190.5 9.3 8.41 E-04 2.10E-054 164.4 7.2 6.90E-05 9.05E-065 190.5 9.3 8.41E-04 2.10E-056 210.5 15.7 0.35E-03 1.88E-04


25/29

option 2 has maxim um probability (-65%) of causing an explosion in a near-by vessel(propylene oxide vessel if separated by a distance of 78 meters or lesser). The totaldamage in terms of assets and fatality would be maximum in accident scenario for option 2followed by accident scenario for option 6.The result of DOMIFFECT for propylene oxide has been presented in Table 6. It is clearfrom the table that probability of occurrence of secondary accident due to an accident inpropylene oxide vessels are low compared to propylene. The total damage (in termsof loss of assets as well as fatality) has been observed maximum for accident scenario ofoption 1 and subsequently followed by accident scenario of option 6.

Risk estimat ion and decis ion mak ingThe risk factors have been computed for various available options of propylene storage(Table 5) as well as propylene oxide storage (Table 6). In order to enable easyunderstanding and swift decision -making, risk factors of different options are plottedalong with other factors such as, cost of each option, inventory for the number of days(Figures 6 and 7). It is evident from Figure 6 that as far as installation cost and the numberof days of inventory are concerned, option 6 is optimal. However, this option is highlyvulnerable to accidents and entaiis severe risk both in terms of fatality and financialloss. On considering risk factor also as a design constraint, option 4 comes out theoptimal in all respects (financial loss, fatality, cost of the project and number ofdays of inventory).

This problem can also be optimised by formulating the mathematical expressions foreach variable and minimising for a set of boundary condition (days of inventory). When wedid so, it also confirmed that the option 4 is an optimum solution. Similarly Figure 7, whichrepresents the curves of differen t parameters for propylene oxide storage optionsreveals that option 1 and option 6 are optimal in terms of the cost and inventory for alimiting number of days. However, the risk potential is maximum for option 1, closelyfollowed by option 6. On considering all the constraints (cost, inventory and riskfactors), option 4 comes out as optimal.

All-in-all by simply observing the two Figures (Figures 6 and 7) it can be concluded thatfor propylene storage as well as for propylene oxide storage, option 4 represents theoptimum. Thus, compared to all other options, option 4 is inherently safer and hence theplant can be des igned in an inherently safe manner by selecting this option. We mustmention that the plant would still need some more hazard reduction measures after it iscommissioned; inherently safer design would minimise the need and the costs of suchmeasures.REFERENCES1. AlChE (1989). Guidelines for chemical process quantitative risk analysis,American Institute o f Chemical Engineers, New York.2. Berge, G, (1993). Scenariobased design, a new approach to the safety issue indesign, 3rd International Conference and Exhibition on Offshore Structural Design-Hazard s, Safety an d Engineering, London.


26/29

Options- ssets -fatality .x- investment -.-nventory in daysFigure 6. Various parameters plotted againstdifferent options for propylene storage


27/29

Options- ssets -fatality .* nvestment -.-nventory in daysFigure 7. Various parameters plotted againstdifferent options for propylene oxide storage


28/29

Berge, G, (1995). Description of scenarios in Scenariobased design -proposal ofmethodology and relation to acceptance criteria, 14th International Conference onOffshore Mechanics an d Arctic Engineering. Copenhagen.Butcher, C, (1990). The Chemical Engineer, 468, 17.Edwards, D W, and Lawrence, D, (1993). Assessing the inherent safety ofchemical process routes: Is there a relation between plant cost and inherentsafety. Trans I hamE, 71 Part B, 52.Khan, F I, and Abbasi, S A, (1995). Risk analysis: a systematic method of hazardassessment and control, Jr. o f Indus trial Pollu tion Control, I 1 2), 89-88.Khan, F I, and Abbasi, S A, (1996a). Accident simulation in chemical processindustries using MAXCRED, lndian Jr. o f Chemica l Technology, 3, 339-344.Khan, F I, and Abbasi, S A, (1996b). MAXCRED : A tool for rapid quantitative riskanalysis, Environmental Modelling a nd Software, (in press).Khan, F I, and Abbasi, S A, (1997d). DOMIFFECT : A com puter software fordomino (series of accidents) analysis, Environmental Modelling and Software(communicated).Khan, F I, and Abbasi, S A, (1997a). Risk analysis of Epichlorohydrin industryusing computer automated tool MAXCRED, J. of Loss Prevention in ProcessIndustries, 10(3), 21 3-234.Khan. F I, and Abbasi, S A, (1997b). Rapid risk analysis of chloralkali industrysituated in populated area, Process Safety Progress, 16(3), 176-184.Khan, F I, and Abbasi, S A, (1997~).Rapid risk analysis of a typical chem~calindustry using MAXCRED-II, lnd ian Jr. of Chemical Technology, 4, 167-179.Kletz, T A, (1976). Preventing catastrophic accidents, The Chemical Engineer,83(8). 124.Kletz, T A, (1990a). Inherently safer des ign - An update, Al Ch E Los s PreventionSymposium, San Diego, California.Kletz, T A, (1990b). Optimisation and safety, Proc. of IChemE symposium seriesnumber 700, 153.Kletz, T A, (1991a). Plant des ign for safety- A user friendly approach,Hemisphere, New York.Kletz, T A, (1991b). Process safety: an engineering achievemen t, Proc lnstnMech. Engrs, 205, 11.Kletz, T A, (1992). Inherent safer plants-recent progress, Proc of IChemEsymposium series numb er 124.22 5.Lawrence, D, Edwards, D.W., and Rushton, A.G., (1993). The design andoperation of safe and profitable process plant-Process TECH 93, IMechE, 1.Lees, F P, (1996). Loss prevention in Process industries, Buttenvorths, 2ndedition, Volume 1-3, London


29/29

Mansfield, D, and Cassidy, K, (1994). Inherently safer approaches to plant design.The benefits of an inherently safer approach and how this can be built into thedesign process, Institution of Chemical Engineers Symposium Series-134, 285-299.Marshall, V C, (1987). Major chemical hazards, John-W iley & Sons, London.Pietersen, C M, (1990). Consequences analysis of accidental release of hazardousmaterials, 3, 136-141.Prugh. R W, (1991). Quantitative evaluation of 'BLEVE' hazards, J. of FireProtection Engrs , 3(1), 9-24.Ramshaw, C, (1985). The Chemical Engineer, 416, 30Rogers, R L, and Hallam, S, (1991). A chemical approach to inherent safety,Proc. of IChemE Symposium Series number 1 24,23 5.Rushton, A G, Edwards, D W, and Lawrence, D, (1994). Inherent safety andcomputer aided process design, Trans I hemE, 72 Part B, 83.Taylor, J R. (1982). Evaluation of costs completeness and benefits for riskanalysis procedures, Rosk ilde RisoNational Laboratory, N-14-82.

Application of Risk Analisis in Processs Design

Documents

Transcript of Application of Risk Analisis in Processs Design