
IDENTIFICATION OF THE HAZARDS WITH A NEW LOGIC DIAGRAM AND DESCRIPTOR PERFORMANCE

Duarte D.; Droguett E. L.; Henrique A.; Universidade Federal de Pernambuco, Brazil; Denys S, COPERGS, Brazil.
The motivation for this work is the need to develop new logic diagrams for the implementation of a risk management program, taking into account the changes introduced into our day-to-day lives by the information revolution and the ongoing globalization process. These changes were not foreseen some years ago. We therefore continue to use traditional techniques to evaluate an entirely new concept of design and construction with respect to both processes and buildings. It is not logical to assume that the risk management of the new millennium should be based on the way of thinking developed in the past. This article presents a new logic diagram, not among those recommended by the CCPS, called the continuous value network. It enables the engineer to look into and evaluate the system's modes of failure. One of the advantages of using these value networks is that they are flexible and provide a road map for logical thought. The main contribution of these diagrams (as well as the performance descriptors associated with them) is improved communication. These logic diagrams and descriptors were used during the hazard identification for the natural gas distribution company of Pernambuco State, known as COPERGS, Brazil.

Key words: Hazards Identification, Engineering Method and Logic Diagrams

1. Introduction
It has been said that when a physician makes a mistake only one victim suffers, but when an engineer makes a mistake in design, it is probable that many will suffer. Any engineering deficiency can affect management, create malfunctions and failures, cause operator error, and so on. Therefore, we need a clearer vision of how an engineering deficiency during the design process can affect the life cycle of the system. These deficiencies could put the business mission and goals at greater risk. In the early hours of March 15th 2001, there were several explosions on the largest Petrobras platform, known as P-36, operated in the Roncador field, Campos Basin (about 200 km north of Rio de Janeiro, Brazil). A total of 175 people were on board the platform at that time. The death toll was 11. The P-36 was built in Italy in 1994 and recently refitted in Canada. On 22nd March it sank into the Atlantic. Questions about the causes of the explosion remain unanswered, although Petrobras has said that there had been a gas leak that escaped into the column where the blast took place. A note released by Petrobras on March 23rd read: On March 12, 13 and 14 the log entries for the platform before the explosion recorded a problem in the P-36 vent system and recommended a production shutdown. [1] The accident involving the P-36 is the latest in a series of others. In January of the same year two workers died in a fire on a Petrobras offshore natural gas platform (also in the Campos Basin). In addition, two massive oil spills within six months had earlier focused international attention on the state oil company. In January 2000 Petrobras dumped as much oil and fuel as was on the platform, i.e. about one million liters, into the Guanabara Bay. Six months later they were responsible for dumping four times as much crude oil into one of the main Brazilian rivers, causing widespread environmental damage.
In contrast, Petrobras profits in 2001 could be harmed because of the loss of the P-36, since which the company's shares have lost 7.6% of their value [2]. The historic analysis of the main accidents faced by Petrobras since 2000 shows that the company does not care about managing its risks. On the other hand, it is difficult to believe that managing its explosion and fire risks is not one of the main concerns of Petrobras. Safety is the prime issue in guaranteeing the organization's mission and goals. Moreover, several major disasters, such as those at Flixborough (UK, 1974), San Juan Ixhuatepec (Mexico City, 1984), Bhopal (India, 1984), Piper Alpha (UK, 1988), and more recently the sinking of the P-36, as mentioned above, have highlighted the need to improve radically the safety performance of the process industry.

The need to improve the safety performance of the industries is driven not only by recent disasters, but also by changes in Health and Safety legislation, as emphasised by the Cullen Report [3]. Oil and gas organisations have shifted from a prescriptive approach to a performance-based one. Under the prescriptive approach, regulation explains how to achieve a goal, while the performance-based approach explains what the organisation must achieve but leaves how to achieve it to the organisation. In this context, it is necessary and urgent to find more efficient ways to communicate what can go wrong. A clear understanding of how specific failure mechanisms can develop gradually until they have an impact on the mission or goals of the organization will provide the organization with a basis for decision making and for communicating its beliefs to others effectively. Representation schemes have focused on the propagation of the effects of abnormal events, i.e. technical faults and human errors, through the functional structure of a technical system, because a substantial part of their development has been focused on industrial plant. However, organisational and social factors should be included in a risk analysis [4]. The intention of this paper is to present a new logic diagram, which is not among those recommended by the Center for Chemical Process Safety [5]. We hope that the continuous value diagram will help organizations either to see or to communicate more clearly how a failure in the vent system can cause the sinking of the world's largest oil rig [1].

2. From the past to the present


In the Tigris-Euphrates valley about 3200 BC there lived a group called the Ashipu. One of their primary functions was to serve as consultants for risky, uncertain, or difficult decisions. If decisions needed to be made concerning a forthcoming risky venture, a proposed marriage arrangement, or a suitable building site, one could consult with a member of the Ashipu. The Ashipu could 1) identify the important dimensions of the problem; 2) identify alternative actions; and 3) collect data on the likely outcomes, such as profit or loss, success or failure of each alternative. The best available data from their perspective were signs from the gods, which the priest-like Ashipu were especially qualified to divine. The Ashipu would then create a ledger. For each alternative, if the signs were favorable they would enter a plus, if not they would enter a minus. After the analysis was completed, the Ashipu would recommend the most favorable alternative; the last step was to issue a final report, etched upon a clay tablet [6]. The practices of the Ashipu mark the first recorded instance of a simplified form of risk analysis. The similarities between the practices and procedures of modern risk analysts and those of their Babylonian forebears underscore the point that people have been dealing with problems of risk for a long time, often in a sophisticated and quantitative way. Unlike modern risk analysts, who express their results in terms of mathematical probabilities and confidence intervals, as in Quantitative Risk Analysis [7], the Ashipu of ancient Babylon expressed their results with certainty, confidence and authority. Since the Ashipu were empowered to read the wishes of the gods, probability played no part in their analyses. The Quantitative Risk Analysis (QRA) as currently accepted internationally involves several steps: system description, hazard identification, frequency analysis, evaluation of the consequences and risk estimation.
A well-structured formal identification exercise is regarded as an essential element in a QRA. The issue of completeness in the hazard identification is important. Completeness means developing a full list of failure cases that adequately address the scope of the QRA study and which potentially contribute to the risk result. The most common methods for QRA hazard identification are: engineering judgement, historical incidents approach, what-if checklists, fault and event trees, and hazard and operability study. Regardless of the techniques employed for failure case identification, the end result must be an explicit set of failure cases for subsequent analysis. The balance of completeness versus discrimination (i.e. the elimination of trivial cases) on this list determines the quality and cost effectiveness of the overall QRA. According to Kletz, what has not been identified can be neither assessed nor mitigated [8]. Therefore, a well-structured formal identification exercise is critical. On the other hand, hazard identification can mean many different things and different techniques are optimized for different objectives. In our way of thinking the identification exercise should include the idea of completeness as it is accepted around the world, as well as an understanding of the major threats to the organization's mission and goals, such as financial impacts to the organization in the event of a fire or explosion. It is equally important to understand the organization's perception of the hazards (Figure 1).

Our philosophy about understanding the problem emerged from four questions (as shown in Figure 1): What is the organization's perception? What is at risk? What is acceptable? What are the mechanisms of failure that could cause harm and what are their consequences, as proposed by the QRA? The first step toward an understanding of the problem, we think, is to find the context in which the risks are situated and discuss this. This could help us to contextualize the risks. It is based on three heuristics commonly used in making judgements under uncertain conditions: representation, availability, adjustment. The mental process of perception of the risk is critical because it has some degree of influence on the criteria of acceptance, as well as on some stages of the implementation of risk management. The evaluation of any risk is dependent on the evaluator's perception and knowledge of the hazard and the associated consequence and, in turn, their experience of that or similar hazards. Therefore, the organization's cognition process in the evaluation of risk means that its outcome may be different in kind or degree from the QRA studies. The overall process of risk assessment is different when applied to an individual than when applied to the behavior of engineering systems. The organization's behavior is generally not solely determined by the numerical methods recommended by the QRA. In some cases the objective estimation of risk could match the subjective evaluation, and it may have played some part in determining the organization's perception.
A large proportion of accidents, approximately 67% [9], reported by the European Commission's Major Accident Reporting System since 1984 were due to management failures. The organization's perception of its risks is critical information because it will determine what is acceptable in terms of consequences to human lives, to society, to the environment and to property, as required by the QRA. Nevertheless, this paper also attempts to draw attention to the need to take into consideration, in the process of understanding the problem, the risks that could lead to business impact. The mission of an organization sets out why it exists and what it should be doing, while the goals specify what the organization hopes to fulfil in the medium to long term. It can be a difficult process for the staff to think in terms of goals, perhaps because the organization has not transmitted to them what it hopes to achieve in a clear and objective way. Therefore, it is a hard process for the employers to think about what really matters. The definition of objectives is sometimes a difficult process, because people do not usually have the habit of thinking about what is important [10]. A functional level of the process refers to its internal characteristics that have the potential for causing harm to people, property or the environment. The identification of the hazards as recommended by the CCPS could detect deviations within the process that may lead to a series of events with some level of impact: injury or death of people, property damage or environmental contamination. The Piper Alpha disaster is a good example to illustrate how a single human error led to the worst accident in the history of offshore oil exploration, with a death toll of 167 personnel. Besides the death toll, property damage and environmental contamination, other points should be highlighted, such as the shutdown of five other platforms and the cut in British North Sea oil production by 12.9% [11].
As a result the Los Angeles Occidental Petroleum Corporation could not meet market demand, and it most likely lost a share of the market. In the oil business world, the performance objectives, flexibility and reliability determine how oil suppliers are chosen. A corporation that cannot meet these basic requirements may be put out of the market. Los Angeles Occidental Petroleum Corporation explores for and sells oil and natural gas, as well as manufacturing a variety of chemical products. Its main production facilities are located in nine countries in the United States, Middle East and Latin America. Therefore, the loss of Piper Alpha most likely resulted in several business impacts: a local business impact, due to the financial consequence of the damages involved in the total loss of Piper Alpha; a corporate business impact, because the loss of Piper Alpha most likely put the Los Angeles Occidental Petroleum Corporation in an unfavorable competitive position and required it to use costly means of competing, with the possibility of going out of the oil and natural gas market; and a market impact, as a consequence of loss or reduction of sales.

[Figure 1 diagram, box labels in order: Organisation knowledge about the hazards; Context; Organisation experience; What is the organisation's perception about the risks?; What is at risk?; People; Mission & goals; Environment; Neighbors; Social impacts; What is acceptable?; Internal impacts; Environmental impacts; Identify the hazards.]

Figure 1. The concept of understanding the problem.

There is no doubt that financial globalization is promoting opportunities through synergies and efficiencies in engineering, production, distribution, and so on. It is thus becoming increasingly difficult to explain accident causation by analysis of local factors within a work system. On the other hand, a very fast pace of change of technology is found at the operative level of society within all domains, such as transport, manufacturing and the process industry. This pace of change is much faster than the pace of change of management structures and of safety legislation and regulation. In consequence, the dynamics of change become an important consideration for the development of effective risk management strategies. Therefore, during risk management the organization should strive to find ways of pinpointing the chain of events that could lead to a major impact on its mission and goals, and not only list the major functional failures, as suggested by the QRA. In addition, as the risks are dynamic, the understanding of them should address performance throughout the life cycle of the system, which is represented here by a building or a process. In the philosophy of the QRA technologies a major business impact is not included. Essentially the QRA is concerned with the identification of hazards and the assessment of their mechanisms of harm and consequences. QRA does not take into account judgements about the significance of hazardous events and risk level as perceived by the organization. However, the acceptance criteria cannot be established without some consideration of the organization's recognition of hazards and risks, as well as the role of the various legislative bodies.
The objective of this paper is not to propose a new set of recommendations to identify the hazards or manage the risks in the process industry, nor is it to replace the CCPS guidelines, but to highlight the fact that some of them were developed at a time when the economic and technological contexts were different. Programmable electronic systems are more present in organizations nowadays than 10 years ago. New systems based on information technology are being adopted to get a competitive edge. A competitive edge is becoming more and more necessary because of the globalization process which the world market is currently facing. As a consequence of technological and economic advances, new risks have been created that were not present some years ago. Therefore, it is necessary to develop ways of identifying the hazards in an understandable and communicative manner, while taking into account financial globalization and the changes that information technologies have brought to the day-to-day life of a process plant. In order to contribute something to this matter, the scope of this research is to develop a study on the Building Fire Safety Engineering Method (BFSEM), originally proposed by Prof. Robert Fitzgerald from the Worcester Polytechnic Institute, USA [10]. The BFSEM, or just the Method, aims to provide a new way of thinking for fire risk management in structures such as buildings, tunnels and ships. This research suggests some modifications to the Method, in order to make it applicable to the process industry as well. However, this paper focuses on the understanding of the problem (Figure 1). The specific objective of this paper is to present a new logic diagram for identifying the hazards, which is not among those recommended by the CCPS.

2. The Logic Diagrams


The CCPS [5] identifies eleven hazard evaluation procedures in common use in the processing industry. Each has strengths and weaknesses, including the cost of the evaluation and the appropriateness of an evaluation to a situation. Examples are checklists, safety review, preliminary hazard analysis, what-if analysis, hazard and operability studies, fault and event tree analysis, and others. The formal techniques included in this study are fault tree analysis and event tree analysis. A clear understanding of the interrelationships and interdependencies of events (i.e. occurrences) is of fundamental importance in understanding the problem (Figure 1). It is surprising that the logic diagrams available today, such as event trees, fault trees and others, do not allow us to visualize the sequence of events that may lead to an accident. According to Turner [12], large-scale disasters need time, resources and organization if they are to occur. This means that a disaster is the result of a concatenation of events with a low probability of occurring at the same time. Turner also suggests that these events do not occur as a result of random events. Therefore, logic diagrams that communicate how the events can be connected (like a motion picture) are fundamental in identifying the hazards of the system. An event tree is a logic diagram that identifies sequential relationships. An event tree describes behavior as a sequence of discrete, connected events. The events in the tree are conditional. Each branch represents a possible state of the system. The sequence of events enables one to identify a number of scenarios for the outcomes of a single undesirable initiating event. However, in the event tree the details of evaluation cannot be shown. On the other hand, a fault tree could be used to evaluate event tree branches. A fault tree is a diagram that identifies the causal events which can lead to a system failure.
An identified failure event is traced backwards in order to determine its roots. In fire or explosion protection a failure in any part of the system may be the result of human error, equipment malfunction, maintenance inadequacy or inadequate performance of a building feature [13]. One of the weaknesses of fault trees is the inherent difficulty in dealing with time and with events that depend on it. However, the sequence of events that could lead to an accident is significantly influenced by time [12]. Event trees, on the other hand, can incorporate time intervals, but they cannot show the level of detail that a fault tree can. The useful attributes of the event tree and the fault tree may be combined in a cause-consequence diagram. Event trees, fault trees and cause-consequence diagrams are useful in developing an understanding of a complex system and its interrelationships. However, in a large system there may be an enormous number of failure modes. Obviously, a computer is necessary to keep track of the events and interrelationships. The cost of this level of sophistication is justified only in special situations. An additional technique that incorporates some of the useful features of the event tree and the fault tree, as well as the cause-consequence diagram, and also provides additional flexibility to tailor the analysis to specific needs, is the logic network (as originally proposed by Prof. Fitzgerald [10]). This network diagram, known as the continuous value network, is a semi-graphical framework that is used to describe a thought process, to focus attention on the situation being evaluated, and to help us to communicate with others. The continuous value network is analogous to a motion picture. In other words, continuous value networks help us to construct and evaluate all possible scenarios. A continuous value network starts with a specific event and identifies the future chain of events that provides a motion picture script of the outcomes. Time and conditionality can be incorporated into this continuous value network if desired. The process uses inductive reasoning to identify the logical sequencing of events. After a generic diagram is constructed it acts as a standard script for the motion pictures. Continuous value networks enable one to focus on the sequence of events that are being considered. They identify conditionality in events and can incorporate time into the process.

In order to get a sense of the manner in which a continuous value network can be used to understand what can go wrong, let us imagine a failure in the cathodic protection of a pipeline. Pretend that a cameraman can see through the pipe structure and record all the events that could result in a pipe rupture. This motion picture initially would be very confusing because so many things occur simultaneously. Therefore, let us imagine that the camera has filters that filter out all information except that which will influence a particular failure. This continuous value network is shown in Figure 2. The scenario chosen to construct the network was a failure of the cathodic protection. A failure of the cathodic protection could lead to an increase of the pipe-to-soil potential above 1200 mV; as a result there will be a production of atomic hydrogen. This excess of atomic hydrogen could lead to a fire or explosion due to hydrogen-induced cracking.
Even if the pipe-to-soil potential is greater than 1200 mV, the pipeline will probably not rupture, owing to the dryness of the soil. But if the soil is not dry enough, damage to the external coating of the pipe could occur. The excess of atomic hydrogen could be concentrated at the damaged areas of the coating. Therefore, rupture of the pipeline could happen. On the other hand, if the external coating is not damaged the rupture could be avoided. In addition, if the surface was poisoned by sulphur compounds, the atomic hydrogen concentrated at the damaged coating will diffuse through the poisoned surface, and it could find voids in the metal structure. The atomic hydrogen inside the voids will produce molecular hydrogen. The formation of molecular hydrogen will lead to a small crack inside the pipe wall. Once the crack has formed it could propagate throughout the pipe wall, resulting in a pipe rupture. The path 0-1-3-5-7-9-11-13-15 shows the events that must occur for the rupture of the pipeline and a possible fire or explosion. The path 0-2 shows that a failure in the cathodic protection was established, but the production of atomic hydrogen was not sufficient to cause the rupture of the pipeline. The path 0-1-4 shows that a failure in the cathodic protection was established and there was a production of atomic hydrogen, but as there was no damage to the external pipe coating the rupture of the pipeline could be avoided. The path 0-1-3-6 shows that there was damage to the external pipe coating, but the atomic hydrogen did not concentrate in this area, so it is probable that the rupture of the pipe does not occur. The path 0-1-3-5-8 shows that despite the damage to the external pipe coating and the concentration of atomic hydrogen in the damaged area the rupture could not happen, because the surface of the pipe was not poisoned by sulphur compounds.
The path 0-1-3-5-7-10 shows that the amount of atomic hydrogen that diffused through the poisoned surface was not enough to induce hydrogen cracking. The path 0-1-3-5-7-9-12 shows that the amount of atomic hydrogen that diffused through the poisoned surface was enough, but as there were few voids in the structure, i.e. the pipe material is well treated, the atomic hydrogen could not find the voids, and the pipeline rupture could be avoided. Finally, the path 0-3-5-7-9-11-14 shows that the atomic hydrogen found the voids, but as the crack inside the pipe wall did not propagate throughout the pipe structure the fire or explosion from a failure of the cathodic protection could be avoided. Our experience in using these logic diagrams, not only in the petroleum and gas industry but also in the petrochemical and energy industries [13,14,15], has shown that continuous value networks help us to understand the process, as well as to communicate to others what can go wrong with the process. In other words, a chain is evaluated by its weakest link; the continuous value network allows us to see and communicate to others the weak links in the process. As shown in Figure 2, failures either of the external coating or of the material structure can evolve up to the point of having an impact on the mission and goals of Copergas (i.e. the natural gas distribution company of Pernambuco State), such as an explosion in an urban space. The impact of failures of the external coating on the company's business is not clear on either event or fault trees.

[Figure 2 diagram, node labels in order: Failure of cathodic protection; H+ are produced; H+ are not produced; (3) External coating is damaged; (4) External coating is not damaged; Concentration of H+ at the damaged surface; No concentration of H+ at the damaged surface; (7) The surface was poisoned; (8) The surface was not poisoned; H+ diffuse through poisoned surface; (10) H+ didn't diffuse through poisoned surface; (11) H+ found voids; (12) H+ didn't find voids; (13) Crack propagation; (14) Crack didn't propagate; (15) Pipeline rupture; (16) Pipeline did not rupture.]
Figure 2. The continuous value network of a possible failure in natural gas distribution network.
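
The network of Figure 2 and the eight paths listed in the text can be encoded and checked mechanically. The following is an added example, not code from the paper: the branch probabilities are constructed placeholders, node 16 is left out because the text does not say which node leads to it, and the path printed as 0-3-5-7-9-11-14 is read as 0-1-3-5-7-9-11-14.

```python
from math import prod

# Node numbers and meanings as given in the text around Figure 2.
LABELS = {
    0: "failure of cathodic protection",
    1: "atomic hydrogen produced",
    2: "atomic hydrogen not produced",
    3: "external coating damaged",
    4: "external coating not damaged",
    5: "hydrogen concentrates at damaged coating",
    6: "no concentration at damaged coating",
    7: "surface poisoned by sulphur compounds",
    8: "surface not poisoned",
    9: "hydrogen diffuses through poisoned surface",
    10: "hydrogen does not diffuse through poisoned surface",
    11: "hydrogen finds voids",
    12: "hydrogen does not find voids",
    13: "crack propagates",
    14: "crack does not propagate",
    15: "pipeline rupture",
}

# BRANCHES[n] maps each successor of n to P(successor | n reached).
# The topology follows the paths listed in the text; every number is a
# constructed placeholder, not a value from the paper.
BRANCHES = {
    0: {1: 0.5, 2: 0.5},
    1: {3: 0.4, 4: 0.6},
    3: {5: 0.5, 6: 0.5},
    5: {7: 0.2, 8: 0.8},
    7: {9: 0.5, 10: 0.5},
    9: {11: 0.5, 12: 0.5},
    11: {13: 0.5, 14: 0.5},
    13: {15: 1.0},
}
RUPTURE = 15


def check_network():
    """Raise if the outgoing probabilities of any node do not sum to 1."""
    for node, successors in BRANCHES.items():
        total = sum(successors.values())
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"branches out of node {node} sum to {total}")


def enumerate_paths(node=0, prefix=()):
    """Return every path from `node` to a terminal event, depth first."""
    path = prefix + (node,)
    if node not in BRANCHES:  # terminal event: the scenario ends here
        return [path]
    paths = []
    for successor in sorted(BRANCHES[node]):
        paths.extend(enumerate_paths(successor, path))
    return paths


def is_valid_path(path):
    """True if `path` starts at 0, follows existing branches and ends at a terminal."""
    if not path or path[0] != 0 or path[-1] in BRANCHES:
        return False
    return all(b in BRANCHES.get(a, {}) for a, b in zip(path, path[1:]))


def path_probability(path):
    """Probability of one scenario: product of the conditional branch values."""
    if not is_valid_path(path):
        raise ValueError(f"not a path of the network: {path}")
    return prod(BRANCHES[a][b] for a, b in zip(path, path[1:]))


def scenario_table():
    """Map each scenario path to (probability, label of its final event)."""
    check_network()
    return {p: (path_probability(p), LABELS[p[-1]]) for p in enumerate_paths()}


def rupture_paths():
    """Paths that end in pipeline rupture."""
    return [p for p in enumerate_paths() if p[-1] == RUPTURE]


if __name__ == "__main__":
    for path, (probability, final_event) in scenario_table().items():
        print("-".join(map(str, path)), f"{probability:.4f}", final_event)
```

Because every branch is conditional on the previous event, the scenario probabilities sum to 1, and a path that skips a node is rejected instead of being silently scored.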

3. Performance Descriptors
The main purpose of a graphic is to communicate information. A graphic is proposed in this study; it will be referred to as a performance descriptor. The process performance and human activities under abnormal conditions are dynamic. All of the analytical components are related to time in some manner. Barrier deterioration, detection, notification, human actions, automatic suppression system actions and the plant fire brigade are all time related. Taking these influences into account, the horizontal axis of the performance descriptor reflects the dynamic relationship being communicated, and its ordinate describes the probability of success. In the performance descriptors, shown in Figure 3, the origin is in the upper left corner and the probability values increase from 0 to 1 at the bottom, in order to retain the concept that the portion of the curve near the top describes a poorer performance than a portion positioned lower.

Figure 3. A generic performance descriptor.

[Figure 3 plot: curve through points A, B, C, D and E; probability axis ending at 1.]

In Figure 3 the segment AB describes the likelihood that a failure will be controlled before the deterioration of the barriers or protection layers between systems. The vertical line from B to C indicates the effectiveness of either the barriers or the protection layers. A short line indicates relatively ineffective barriers or layers. On the other hand, a long line represents strong ones, i.e. the barrier or protection layer represented by the vertical line DE is more effective than the one represented by BC. If the vertical line had extended entirely down to the value of 1, the engineers would have to believe, to the point of being absolutely certain, that the failure could not extend into an adjacent system. In the Copergas case study the degree of belief was that a certain barrier prevented the failure from spreading to adjacent systems. On the contrary, if B and C have the same position one has to assume that there are no barriers or protection layers between systems. In this representation the individual believes that there is some likelihood that the failure will breach the barriers or protection layers and extend into the next system.

4. Final Considerations
Understanding the problem is the first and the most important stage in the implementation of a risk management program. Therefore, a well-structured formal exercise is critical for the understanding of the problem (Figure 1). In a QRA the issue of completeness during the hazard identification means basically developing a full list of failure cases that potentially contribute to the hazard impact.

Regardless of the techniques employed for hazard identification, such as the ones mentioned in the previous section, the result must be an explicit set of failure cases for subsequent analysis. On the other hand, in our way of thinking the understanding of the problem should include the idea of completeness as it is accepted by the QRA methodology as well as by the CCPS recommendations, but it should also include an understanding of the major threats to the organization's mission and goals. It is equally important to understand the financial impact on the organization in the event of a failure. The methods recommended by the CCPS to identify the hazards aim to identify process materials, systems, procedures and characteristics that can produce undesirable consequences. In this context, each system part is evaluated individually, so that it is not possible to perceive how a single event in a specific part of the system may affect other places and/or the whole system. Fault tree analysis shows a logical sequence of the independent faults which will lead to the top event. One of its limitations is that the branches of the tree must be independent, and this becomes an unacceptable hazard identification limitation for electronically programmable systems, because the modules of electronically programmable systems share common equipment and software. Another limitation of the fault tree is the inherent difficulty of matching the events in time. This difficulty is not present in event tree analysis. On the other hand, the event tree presents difficulties in visualizing the possible events that can lead to an accident. Therefore, a logic diagram that incorporates the advantages of the fault tree and the event tree together is necessary (Figure 2). It is not the intention that the ideas in this paper dictate rules; instead they provide some information about understanding the process in which the decision is to be made.

This involves a clear knowledge of the normal operation of the various systems as well as the physical, economic, social and political environment in which the organization operates. The new approach to hazard identification suggested in Figure 1 is an attempt to incorporate the organization's culture into the idea of completeness and discrimination as currently accepted by the hazard identification methodologies. We have in mind that consideration of the economic, social, and political environment may not be as obvious in a risk management program. However, decision making is not done effectively in a vacuum. We also hope that the continuous value network (CVN) will improve communication about what can go wrong. It should be recognized that two individuals may construct different value networks when analyzing the same system and failure mode. The networks do not need to be identical to be correct. The main tests for the accuracy of these logic diagrams are: 1) Will it work? 2) Is it logical? 3) Is it useful? We should expect no miracle in their use. They are intended to guide the decision maker to recognize the details of the problem and the implications of his or her decisions concerning the weaknesses of the process in a single diagram.

Acknowledgements
We are deeply indebted to Prof. Robert Fitzgerald for his wisdom and support throughout the development of this risk assessment approach.

References
[1] http://www.petrobras.com.br/ingles/pop/padrao/p13_17htm, on April 2000.
[2] http://www.BBC NEWS on Wednesday 21 March 2001.
[3] Hon Lord Cullen. The public enquiry into Piper Alpha disaster, London, UK: HMSO, 1990.
[4] Svedung, I. and Rasmussen, J., Graphic representation of accident scenarios: mapping system structure and the causation of accidents, Safety Science 40, pp. 397-417 (2002).
[5] AIChE Center for Chemical Process Safety, Guidelines for Hazard Evaluation Procedures, 2nd ed, American Institute for Chemical Engineer, New York, pp. 51-72 (1992).
[6] Thiago, T.P., Gerenciamento dos riscos de incêndios uma nova maneira de pensar, Master thesis, Universidade Federal de Pernambuco-Brazil (October 2000).
[7] Arendt, J.S., and D. K. Lorenzo, Evaluating process safety in the chemical industry: a user's guide to quantitative risk analysis, Center for Chemical Process Safety, New York, pp. 5 (2000).
[8] Kletz, T., Hazop and Hazan: Identifying and assessing process industry hazards, 3rd ed, American Institute for Chemical Engineer, New York, pp. 1-6 (1992).
[9] Mitchison, N. and Papadakis, G., Safety management system under Seveso II: implementation and assessment, Journal of Loss Prevention in the Process industry 12, pp 43-51 (1999).
[10] Fitzgerald, R., The anatomy of the building firesafety volume 1, unpublished book.
[11] Smith, E., Screaming Like a Banshee, Time, July (18-1988).
[12] Turner, B. A., Man-made disaster, Taylor and Francis, London (1978).
[13] Duarte, D., Identificação e análise dos principais riscos da área de secagem térmica da Petroflex-Unidade Cabo, Universidade Federal de Pernambuco, Pernambuco-Brasil (1998).
[14] Duarte, D., Identificação dos perigos associado ao compensador síncrono da SE/CMD 500Kv da CHESF, Universidade Federal de Pernambuco, Pernambuco-Brasil (1998).
[15] Duarte, D. et al., Análise dos riscos de incêndios da subestação de Mirueira, Universidade Federal de Pernambuco, Pernambuco-Brasil (1999).
