be detected as process upsets. Finally, a system of safety management is implemented to assure the system is operated and maintained in a safe manner by personnel who have received adequate training.
Safety analysis concepts are discussed in this chapter by first describing a generalized hazard tree for a production facility. From this analysis, decisions can be made regarding devices that could be installed to monitor process upset conditions and to keep them from creating hazards.

*Reviewed for the 1999 edition by Benjamin T. Banken of Paragon Engineering Services, Inc.

Safety Systems 387
This analysis forms the basis of a widely used industry consensus standard, American Petroleum Institute Recommended Practice 14C, Analysis, Design, Installation, and Testing of Basic Surface Systems for Offshore Production Platforms (RP14C), which contains a procedure for determining required process safety devices and shutdowns. The procedures described here can be used to develop checklists for devices not covered by RP14C or to modify the consensus checklists presented in RP14C in areas of the world where RP14C is not mandated.

While RP14C provides guidance on the need for process safety devices, it is desirable to perform a complete hazards analysis of the facility to identify hazards that are not necessarily detected or contained by process safety devices and that could lead to loss of containment of hydrocarbons or otherwise lead to fire, explosion, pollution, or injury to personnel. The industry consensus standard, American Petroleum Institute Recommended Practice 14J, Design and Hazards Analysis for Offshore Facilities (RP14J), provides guidance as to the use of various hazards analysis techniques.
The final portion of this chapter describes the management of safety using Safety and Environmental Management Programs (SEMP) as defined in API RP75, Recommended Practices for Development of a Safety and Environmental Management Program for the Outer Continental Shelf (OCS) Operations and Facilities, and using a Safety Case approach as is commonly done in the North Sea.
HAZARD TREE
The purpose of a hazard tree is to identify potential hazards, define the conditions necessary for each hazard, and identify the source for each condition. Thus, a chain of events can be established that forms a necessary series of required steps that results in the identified hazard. This is called a "hazard tree." If any of the events leading to the hazard can be eliminated with absolute certainty, the hazard itself can be avoided.
A hazard tree is constructed by first identifying potential hazards. Starting with the hazard itself, it is possible to determine the conditions necessary for this hazard to exist. For these conditions to exist, a source that creates that condition must exist, and so forth. Using this reasoning, a hierarchy of events can be drawn, which becomes the hazard tree. In a hazard analysis an attempt is made, starting at the lowest level in the tree, to see if it is possible to break the chain leading to the hazard by eliminating one of the conditions. Since no condition can be eliminated with absolute certainty, an attempt is made to minimize the occurrence of each of the steps in each chain leading to the hazard so that the overall probability of the hazard's occurrence is within acceptable limits.

This process is perhaps best illustrated by a simple example. Figure 14-1 shows a hazard tree developed for the "hazard" of injury while walking down a corridor in an office. The conditions leading to injury are identified as collision with others, tripping, hit by falling object, and total building failure. The sources leading to each condition are listed under the respective condition. Some of the sources can be further resolved into activities that could result in the source. For example, if no soil boring was taken, this could lead to "inadequate design," which would lead to "building failure," which could lead to "injury."
It is obvious that it is impossible to be absolutely certain that the hazard tree can be broken. It is, however, possible to set standards for ceiling design, lighting, door construction, etc., that will result in acceptable frequencies of collision, tripping, etc., given the severity of the expected injury from the condition. That is, we could conclude that the probability of building failure should be lower than the probability of tripping because of the severity of injury that may be associated with building failure.
Figure 14-1 Hazard tree for injury suffered while walking in a hallway.
It should be obvious from this discussion that the technique of creating a hazard tree is somewhat subjective. Different evaluators will likely classify conditions and sources differently and may carry the analysis to further levels of sources. However, the conclusions reached concerning building design, maintenance, layout of traffic patterns, lighting, etc., should be the same. The purpose of developing the hazard tree is to focus attention and help the evaluator identify all aspects that must be considered in reviewing overall levels of safety.
It is possible to construct a hazard tree for a generalized production facility, just as it is possible to construct a hazard tree for a generalized hallway. That is, Figure 14-1 is valid for a hallway in Paragon Engineering Services' offices in Houston, in Buckingham Palace in London, or in a residence in Jakarta. Similarly, a generalized hazard tree constructed for a production facility could be equally valid for an onshore facility or an offshore facility, no matter what the specific geographic location.

Figure 14-2 is a hazard tree for a generalized production facility. The hazards are identified as "oil pollution," "fire/explosion," and "injury." Beginning with injury, we can see that the hazards of fire/explosion and oil pollution become conditions for injury since they can lead to injury as well as being hazards in their own right. The tree was constructed by beginning with the lowest level hazard, oil pollution. Oil pollution occurs as a result of an oil spill but only if there is inadequate containment. That is, if there is adequate containment, there cannot be oil pollution. Onshore, dikes are constructed around tank farms for this reason. Offshore, however, and in large onshore facilities it is not always possible to build containment large enough for every contingency. The requirement for drip pans and sumps stems from the need to reduce the probability of oil pollution that could result from small oil spills.
One source of an oil spill could be the filling of a vessel that has an outlet to atmosphere until it overflows. Whenever inflow exceeds outflow, the tank can eventually overflow. Another source is a rupture or sudden inability of a piece of equipment to contain pressure. Events leading to rupture are listed in Figure 14-2. Note that some of these events can be anticipated by sensing changes in process conditions that lead to the rupture. Other events cannot be anticipated from process conditions. Other sources for oil spills are listed. For example, if a valve is opened and the operator inadvertently forgets to close it, oil may spill out of the system. If there is not a big enough dike around the system, oil pollution will result. It is also possible for oil to spill out the vent/flare system. All pressure vessels are connected to a relief valve, and the relief valve discharges out a vent or flare system. If the relief scrubber is not adequately sized, or if it does not have a big enough dump rate, oil will go out the vent system.

Figure 14-2 Continued. * Indicates sources that can be anticipated by sensing changes in process conditions.
Fire and explosion are much more serious events than pollution. For one thing, fire and explosion can create catastrophes that will lead to pollution anyway, but for another thing, they can injure people. We clearly want to have more levels of safety (that is, a lower probability of occurrence) in the chain leading to fire or explosion than is necessary in the chain leading to pollution. That is, whatever the acceptable risk for oil pollution, a lower risk is required for fire or explosion.
For fire or explosion to occur, fuel, an ignition source, oxygen, and time to mix them all together are needed. If any of these elements can be eliminated with 100% assurance, the chain leading to fire or explosion will be broken. For example, if oxygen can be kept out of the facility, then there can be no fire or explosion. Eliminating oxygen can be done inside the equipment by designing a gas blanket and ensuring positive pressure. For practical purposes it cannot be done outside the equipment, as a human interface with the equipment is desired.
Fuel cannot be completely eliminated, though the inventory of combustible fuels can be kept to a minimum. Oil and gas will be present in any production facility, and either an oil spill or escaping gas can provide the fuel needed. Escaping gas can result from rupture, opening a closed system, or gas that is normally vented. The amount of fuel present can be minimized by preventing oil spills and gas leaks.

Ignition sources are numerous, but it is possible to minimize them. Lightning and static electricity are common ignition sources in production facilities, especially at tank vents. It is not possible to anticipate the ignition by sensing changes in process conditions, but gas blankets, pressure-vacuum valves, and flame arresters can be installed to ensure that flame will not flash back into the tank and create an explosion. Electrical shorts and sparks are also sources of ignition. These are kept isolated from any fuel by a whole series of rules and regulations for the design of electrical systems. In the United States, the National Electrical Code and the API Recommended Practices for Electrical Systems (Chapter 17) are used to minimize the danger of these ignition sources. Human-induced ignition sources include welding and cutting operations, smoking, and hammering (which causes static electricity). Flash back is also a source of ignition. In some vessels a flame exists inside a fire tube. If a fuel source develops around the air intake for the fire tube, the flame can propagate outside the fire tube and out into the open. The flame would then become a source of ignition. [...] be sufficiently hot to ignite oil or gas. A hot engine manifold can become a source of ignition for an oil leak. An engine exhaust can become a source of ignition for a gas escape.
Exhaust sparks from engines and burners can be a source of ignition. Any open flame on the facility can also be a source of ignition.
Fire tubes, especially in heater treaters, where they can be immersed in crude oil, can become a source of ignition if the tube develops a leak, allowing crude oil to come in direct contact with the flame. Fire tubes can also be a source of ignition if the burner controls fail and the tube overheats or if the pilot is out and the burner turns on when there is a combustible mixture in the tubes.
Because these ignition sources cannot be anticipated by sensing changes in process conditions and since oxygen is always present, a hazards analysis must concentrate on reducing the risk of oil spill and gas leak when any of these ignition sources is present. Or the hazards analysis must concentrate on reducing the probability that the ignition source will exist at the same location as an oil spill or gas leak.
Injury is always possible by fire, explosion, or the other conditions listed in Figure 14-2. A fire can lead directly to injury, but normally there needs to be several contributory events before the fire becomes large enough to lead to injury. For example, if a fire develops and there is sufficient warning, there should be sufficient time to escape before injury results; if the fuel is shut off and there is enough fire-fighting equipment to fight the fire before it becomes large, the probability of injury is small. When an explosion occurs, however, it can directly cause injury. A substantial cloud of gas can accumulate before the combustible limit reaches an ignition source. The force of the explosion as the cloud ignites can be substantial.
There are other ways to injure people, such as physical impact due to falling, tripping, slipping on a slick surface, or being hit by an object or by direct physical impact from a rupture. Asphyxiation can occur, especially when dealing with toxic chemicals.

Electric shock and burns can also lead to injury. Burns can occur by touching hot surfaces. They can also occur from radiation.
The probability of injury from any of these conditions is increased by an inability to escape. All the conditions tend to be more likely to lead to injury the longer people are exposed to the situation. Therefore, escape routes, lighting, appropriate selection of survival capsules or boats, fire barriers, etc., all lead to a reduction in injury.
DEVELOPING A SAFE PROCESS
In going through this hazard tree it can be seen that many of the sources and conditions leading to the three major hazards have nothing to do with the way in which the process is designed. Many sources cannot be anticipated by sensing a condition in the process. For example, it is not possible to put a sensor on a separator that keeps someone who is approaching the separator to perform maintenance from falling. Another way of stating this is that many of the sources and conditions identified on the hazard tree require design considerations that do not appear on mechanical flow diagrams. The need for proper design of walkways, escape paths, electrical systems, fire-fighting systems, insulation on piping, etc., is evident on the hazard tree. In terms of developing a process safety system, only those items that are starred in the hazard tree can be detected and therefore defended against.
This point must be emphasized because it follows that a production facility that is designed with a process shut-in system as described in API RP14C is not necessarily "safe." It has an appropriate level of devices and redundancy to reduce the sources and conditions that can be anticipated by sensing changes in process conditions. However, much more is required from the design of the facility if the overall probability of any one chain leading to a hazard is to be acceptable. That is, API RP14C is merely a document that has to do with safety analysis of the process components in the production facility. It does not address all the other concerns that are necessary for a "safe" design.
The starred items in the hazard tree are changes in process conditions that could develop into sources and lead to hazards. These items are identified in Table 14-1 in the order of their severity.
Overpressure can lead directly to all three hazards. It can lead directly and immediately to injury, to fire or explosion if there is an ignition source, and to pollution if there is not enough containment. Therefore, we must have a very high level of assurance that overpressure is going to have a very low frequency of occurrence.
Fire tubes can lead to fire or explosion if there is a leak of crude oil into the tubes or failure of the burner controls. An explosion could be sudden and lead directly to injury. Therefore, a high level of safety is required.
Table 14-1 Sources Associated with Process System Changes

Source                    Hazard            Contributing Source of Condition
Overpressure              Injury            None
                          Fire/Explosion    Ignition Source
                          Oil Pollution     Inadequate Containment
Fire Tubes                Fire/Explosion    Fuel
Excessive Temperature     Fire/Explosion    Ignition Source
                          Oil Pollution     Inadequate Containment
Leak                      Fire/Explosion    Ignition Source
                          Oil Pollution     Inadequate Containment
Inflow Exceeds Outflow    Oil Pollution     Inadequate Containment
Excessive temperature can lead to premature failure of an item of equipment at pressures below its design maximum working pressure. Such a failure can create a leak, potentially leading to fire or explosion if gas is leaked or to oil pollution if oil is leaked. This type of failure should be gradual, with warning as it develops, and thus does not require as high a degree of protection as those previously mentioned.
Leaks cannot lead directly to personal injury. They can lead to fire or explosion if there is an ignition source and to oil pollution if there is inadequate containment. Both the immediacy of the hazard developing and the magnitude of the hazard will be smaller with leaks than with overpressure. Thus, although it is necessary to protect against leaks, this protection will not require the same level of safety that is required to protect against overpressure.
Inflow exceeding outflow can lead to oil pollution if there is inadequate containment. It can lead to fire or explosion and thus to injury by way of creating an oil spill. This type of accident is more time-dependent and lower in magnitude of damage, and thus an even lower level of safety will be acceptable.
The hazard tree also helps identify protection devices to include in equipment design that may minimize the possibility that a source will develop into a condition. Examples would be flame arresters and stack arresters on fire tubes to prevent flash back and exhaust sparks, gas detectors to sense the presence of a fuel in a confined space, and fire detectors and manual shutdown stations to provide adequate warning and to keep a small fire from developing into a large fire.
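The chain-breaking logic of the hazard tree, as an added example that is not from the book: the generalized tree of Figure 14-2 is encoded as AND/OR gates the way the text describes it, the minimal chains of sources leading to each hazard are enumerated, and each chain is classified by whether it passes through a starred source that a process safety system could detect. Leaf names, the tree shape and the set of starred sources are this example's assumptions, reconstructed from the chapter's prose rather than copied from the figure.

```python
from itertools import product

# Constructed encoding of the generalized production-facility hazard tree as
# the chapter describes it: node -> (gate, children). A name with no entry
# is a leaf source. Leaf names and the tree shape are this example's choices.
TREE = {
    "injury": ("OR", ["fire/explosion", "oil pollution", "falling",
                      "electric shock", "asphyxiation"]),
    "oil pollution": ("AND", ["oil spill", "inadequate containment"]),
    "oil spill": ("OR", ["inflow exceeds outflow", "rupture",
                         "valve left open", "undersized relief scrubber"]),
    "rupture": ("OR", ["overpressure", "excessive temperature"]),
    "fire/explosion": ("AND", ["fuel", "ignition source", "oxygen"]),
    "fuel": ("OR", ["oil spill", "gas leak"]),
    "gas leak": ("OR", ["rupture", "leak", "normal venting"]),
    "ignition source": ("OR", ["lightning/static", "electrical spark",
                               "hot surface", "fire tube failure", "welding"]),
}
# Starred in the text: sources that can be anticipated by sensing changes
# in process conditions, so a process safety device can act on them.
STARRED = {"overpressure", "excessive temperature", "leak",
           "inflow exceeds outflow", "fire tube failure"}


def cut_sets(node, eliminated=frozenset()):
    """Minimal sets of leaf sources that together produce `node`.

    Anything in `eliminated` is treated as impossible (the text's "eliminated
    with absolute certainty"), which removes every chain that needs it.
    """
    if node in eliminated:
        return set()
    if node not in TREE:
        return {frozenset([node])}
    gate, children = TREE[node]
    child_sets = [cut_sets(child, eliminated) for child in children]
    if gate == "OR":                       # any one child's chain suffices
        result = set().union(*child_sets)
    else:                                  # AND: one chain from every child
        result = {frozenset().union(*combo) for combo in product(*child_sets)}
    # Drop supersets: a chain that contains a shorter chain adds nothing.
    return {s for s in result if not any(t < s for t in result)}


def classify(hazard, eliminated=frozenset()):
    """Split the chains to `hazard` into those a process safety system can
    break (they pass through a starred source) and those that need other
    design or operating measures (walkways, electrical codes, dikes, ...)."""
    detectable, design_only = [], []
    for chain in sorted(cut_sets(hazard, eliminated), key=sorted):
        (detectable if chain & STARRED else design_only).append(sorted(chain))
    return detectable, design_only


if __name__ == "__main__":
    for hazard in ("oil pollution", "fire/explosion", "injury"):
        det, des = classify(hazard)
        print(f"{hazard}: {len(det)} chains detectable by process sensing, "
              f"{len(des)} need other design measures")
    # Gas blanketing keeps oxygen out of equipment: no chain to fire remains.
    print("fire/explosion with oxygen eliminated:",
          cut_sets("fire/explosion", frozenset({"oxygen"})))
```

The design-only count for each hazard is the part of the tree that RP14C-style process sensing cannot reach, which is the point the section makes about walkways, electrical systems and containment.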
PRIMARY DEFENSE
Before proceeding to a discussion of the safety devices required for the process, it is important to point out that the primary defense against hazards in a process system design is the use of proper material of sufficient strength and thickness to withstand normal operating pressures. This is done by designing the equipment and piping in accordance with accepted industry design codes. If this is not done, no sensors will be sufficient to protect from overpressure, leak, etc. For example, a pressure vessel is specified for 1,480 psi maximum working pressure, and its relief valve will be set at 1,480 psi. If it is not properly designed and inspected, it may rupture before reaching 1,480 psi pressure. The primary defense to keep this from happening is to use the proper codes and design procedures and to ensure that the manufacture of the equipment and its fabrication into systems are adequately inspected. In the United States, pressure vessels are constructed in accordance with the ASME Boiler and Pressure Vessel Code discussed in Chapter 12, and piping systems are constructed in accordance with one of the ANSI Piping Codes discussed in Volume 1.
It is also important to assure that corrosion, erosion, or other damage has not affected the system to the point that it can no longer safely contain the design pressure. Maintaining mechanical integrity once the system has been placed in service is discussed later in this chapter.
FAILURE MODE EFFECT ANALYSIS—FMEA
One of the procedures used to determine which sensors are needed to sense process conditions and protect the process is called a Failure Mode Effect Analysis (FMEA). Every device in the process is checked for its various modes of failure. A search is then made to assure that there is a redundancy that keeps an identified source or condition from developing for each potential failure mode. The degree of required redundancy depends on the severity of the source as previously described. Table 14-2 lists failure modes for various devices commonly used in production facilities.
In applying FMEA, a mechanical flow diagram must first be developed.
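The FMEA coverage check in code, as an added example that is not from the book: a constructed separator flow diagram with devices drawn from Table 14-2, an assumed analyst mapping of each failure mode to one of the process-condition sources in Table 14-1, and the protection devices present; the check reports every failure mode that is unanalysed or has fewer independent protection layers than its source's severity requires. Device tags, the effect mapping, the required layer counts and the protection list are this example's assumptions.

```python
# Failure modes by device type (subset of Table 14-2).
FAILURE_MODES = {
    "control valve": ["fail open", "fail close", "leak internally",
                      "leak externally"],
    "check valve": ["fail to close", "leak internally", "leak externally"],
    "level controller": ["fail to control high level",
                         "fail to control low level"],
    "pump": ["fail to pump", "pump to overpressurization", "leak externally"],
}

# Independent protection layers required per source (assumed counts; the
# ranking follows Table 14-1, with overpressure the most severe source).
REQUIRED_LAYERS = {"overpressure": 2, "excessive temperature": 1,
                   "leak": 1, "inflow exceeds outflow": 1}

# Constructed separator flow diagram: device tag -> device type.
DEVICES = {"LC-1": "level controller", "LCV-1": "control valve",
           "CV-1": "check valve", "P-1": "pump"}

# Analyst judgement (constructed) of the source each failure mode creates.
# None means the analysis found no chain from this mode to a hazard.
EFFECTS = {
    ("LC-1", "fail to control high level"): "inflow exceeds outflow",
    ("LC-1", "fail to control low level"): "overpressure",  # gas blow-by
    ("LCV-1", "fail close"): "inflow exceeds outflow",
    ("LCV-1", "fail open"): "overpressure",
    ("LCV-1", "leak internally"): None,
    ("LCV-1", "leak externally"): "leak",
    ("CV-1", "fail to close"): "overpressure",
    ("CV-1", "leak internally"): "overpressure",
    ("CV-1", "leak externally"): "leak",
    ("P-1", "fail to pump"): "inflow exceeds outflow",
    ("P-1", "pump to overpressurization"): "overpressure",
    ("P-1", "leak externally"): "leak",
}

# Protection devices: tag -> (source addressed, devices it relies on).
# LAH-1 is the controller's own alarm, so it is lost when LC-1 fails.
PROTECTIONS = {
    "LAH-1": ("inflow exceeds outflow", {"LC-1"}),
    "LSH-1": ("inflow exceeds outflow", {"SDV-1"}),
    "PSH-1": ("overpressure", {"SDV-1"}),
    "PSV-1": ("overpressure", set()),
}


def fmea(devices=DEVICES, effects=EFFECTS, protections=PROTECTIONS):
    """Return (tag, mode, source, layers present, layers needed) for every
    failure mode that is unanalysed or under-protected."""
    findings = []
    for tag, kind in devices.items():
        for mode in FAILURE_MODES[kind]:
            if (tag, mode) not in effects:
                findings.append((tag, mode, "not analysed", 0, 1))
                continue
            source = effects[(tag, mode)]
            if source is None:
                continue
            # Only protection that keeps working when this device fails counts.
            layers = [p for p, (src, deps) in protections.items()
                      if src == source and p != tag and tag not in deps]
            need = REQUIRED_LAYERS[source]
            if len(layers) < need:
                findings.append((tag, mode, source, len(layers), need))
    return findings
```

Running `fmea()` on the constructed diagram flags the three external-leak modes, which have no gas detector covering them; adding one clears the list, while removing the independent LSH-1 exposes the controller's high-level mode because its own alarm does not count.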
Table 14-2 Failure Modes of Various Devices

Device                             Failure Modes (abbreviation where given)
Valve                              Fail Open, Fail Close, Fail to Open, Fail to Close, Leak Internally, Leak Externally
Check Valve                        Fail to Close (Check), Leak Internally, Leak Externally
Orifice Plate (Flow Restrictor)    (modes not legible on this page)
Pump                               Fail to Pump, Pump to Overpressurization, Leak Externally
Controller                         Fail to Control Level, Fail to Control Temperature, Fail to Control Flow, Fail to Control Pressure, Fail to Control Low Level, Fail to Control High Level, Fail to Reduce Pressure, Operate Prematurely, Fail to Activate Alarms
(device not legible)               Operate Prematurely
Indicator                          Fail to Indicate (FTI)
Switch                             Fail to Switch (FS), Fail Close (FC), Fail Open (FO)
Engine                             Fail to Deliver (FTD), Deliver Excess Power (FXP)
Transformer                        Fail to Function (FTF)
General                            Overflow (OF), Not Processed (NP), No Signal (NS), Fail to Power (FP), Manual Override (MOR), Not Applicable (NA)
Rupture Disc                       Rupture Prematurely (RP), Fail to Open (FTO), Leak Externally (LEX)
Meter                              Fail to Operate Properly (FTOP), Leak Externally (LEX), Block (BL)
Timer                              Fail to Activate Pump (FTAP), Fail to Stop Pump (FTSP)

As an example, consider the check valve on a liquid dump line. It can fail one of three ways—it can fail to close, it can leak internally, or it can leak externally. The FMEA will investigate the effects that could occur if this particular check valve fails to close. Assuming this happens, some redundancy that keeps a source from developing must be located in the system. Next, the process would be evaluated for the second failure mode, that is, what occurs if the check valve leaks internally. Next, the process would be