The Buncefield Incident: A Review and the Path Forward

KENEXIS

2010

Presenter Introduction

Peter Herena
Senior Engineer, Kenexis Consulting
12 Years Petrochemical Industry Experience
9 Years Control and Safety Systems
BSChE, BSEnvE, Northwestern University
PE, ISA84 SFS/SSS

Buncefield Background

Major pipeline transfer crossroad
5th largest fuel storage depot in UK
40 km north of London
Source: Buncefield Final Report

Buncefield Surroundings

Maylands Industrial Estate
  630 businesses
  16,500 people
Residential areas
Town of Hemel Hempstead
Source: Buncefield Final Report

Map of Affected Area

Source: BBC

Local Incident Effects

43 injuries
2,000 evacuated
Damage estimate: 1 billion
Source: Buncefield Final Report

Regional Effects

Disruption to fuel supply
Environmental Damage
Negligible DW Contamination
Possible MTBE/BTEX threat

Cost & Litigation

Recent High Court Ruling, Total liable for civil damages
HOSL Claims: 625 million
Criminal investigation ongoing

Timeline: Initial Events

Pipeline transfer to load Tank 912 at HOSL with petrol began night of Sat, 10 Dec 05
Tank level indication unchanged
No operator intervention
Ultimate high level sensor failed to function

Tank 912 Schematic

Source: Buncefield Final Report

Timeline: Tank Overflow

Overflow from ~0520 onwards
Pump rate increased at 0550
Source: Buncefield Final Report

Timeline: Tank Overflow

Vapor cloud flowed from Bund A in all directions
Between 0530 and 0600 observed by witnesses
Source: Buncefield Final Report

Timeline: Tank Overflow

White Mist
Extended to far ends of some Maylands bldgs
Source: Buncefield Final Report

Timeline: Explosions

Occurred at 0601
A series of explosions that started massive fire
Burned for 4 days
Source: HSE

Timeline Overview

Initiating event:
  Misoperation during loading
Propagating events/conditions:
  Poor administrative controls
  Failure of primary level & alarm
  Failure of operations to recognize
  Failure of safety system to act
  Poor maintenance practices

MIIB Board Recommendations

Intended for Buncefield type sites
78 Recommendations in 5 key areas
  Offsite hazard mitigation
  Emergency response preparedness
  Land use planning
  Regulation for inspection enforcement
  Risk based application of prevention measures

Recommendation #3

Application of high integrity automatic overfill prevention systems
Physically and electrically separate and independent from tank gauging system

Recommendation #8

Called for consideration of alternate sensors
  Easier to test
  More reliable
  Better diagnostics
  Do not require components internal to tank

Recommendation #11

Consider employing measures to detect hazardous conditions upon loss of containment
  Flammable gas detectors in bunds
  Connect flammable gas detectors to overfill protection system
  Apply CCTV equipment that can detect and respond to condition changes

ISA84 (IEC 61511) Application

Recommendations 1-5 directly or indirectly reference ISA84 (IEC 61511)
  Select a SIL using its methodology
  Verify OPS (new/existing) achieves SIL
  Design OPS using its methodology
  Proof test per its methodology
  Procedures for maintenance and testing, keep test records

Challenges in Tank Measurement

Density/Temperature fluctuations
Corrosion
Foreign material buildup
Foaming
Testing/Diagnostics
COST

Tank Level Instrumentation

Radar/Microwave
Float/Servo Gauge
RF Cap, Admit or Imp
Conductivity
Hydrostatic
Ultrasonic
Tuning Fork

ISA84 Standard Safety Lifecycle

International Society of Automation (ISA)
ISA84, Safety Instrumented Systems for the Process Industry Sector
Provide a complete safety lifecycle to address all root causes of failure
  Identification of systems
  Design
  Testing
  Maintenance
  Management of Change

What does ISA 84 require?

Performance based
Defines a safety lifecycle
Requires selection of performance target
Requires confirmation of target achievement, quantitatively

Typical SIS Design Lifecycle

[Flowchart: Conceptual Process Design; Process Hazards Analysis; SIF Definition; SIL Selection; PSAT; Conceptual Design; SIL Verification; Design Specifications; Operation, Maintenance and Testing Procedure Development; Construction, Installation, and Commissioning; Management of Change]

Principles of Risk Management

Definitions
Layers of Protection Concepts
Different Philosophical approaches
Risk Management Criteria

Safety Instrumented Function: Practical Definition

Safety Instrumented Function (SIF) is
  Specific actions to be taken under specific circumstances, which will automatically move the process from a potentially unsafe state to a safe state

[Diagram: Sensors, Logic Solver, Final elements]

What is a Safety Integrity Level (SIL)?

A measure of the amount of risk reduction provided by a Safety Instrumented Function (SIF)

Safety Integrity Level   Safety             Probability of Failure on Demand   Risk Reduction Factor
SIL 4                    >99.99%            0.001% to 0.01%                    100,000 to 10,000
SIL 3                    99.9% to 99.99%    0.01% to 0.1%                      10,000 to 1,000
SIL 2                    99% to 99.9%       0.1% to 1%                         1,000 to 100
SIL 1                    90% to 99%         1% to 10%                          100 to 10

How do I assign SIL?

What is the Safety Integrity Level for my Safety Function?
Assign SIL that reduces risk to tolerable level
Numerous techniques
  Layer of Protection Analysis
  Risk Graph
  Quantitative
  Others
Be consistent!

What is risk?

Risk is a measure of the likelihood of occurrence of an unwanted event and the consequence of adverse effects;
  How often can it happen, and what will be lost if it does?

Types of Risk

Safety
  Workers
  Public
Environment
Property Damage
Business Interruption
Loss of Market Share

How ISA 84 Relates to Concept of Risk

Decisions about when to use an SIS and the SIL should be based on Risk
Don't prescribe how much risk to tolerate
Most standards do not directly use risk, they have prescriptive requirements that provide an appropriate degree of safety

Tolerable Risk

High Risk
Intolerable Region
ALARP or Tolerable Region
  TOLERABLE if risk reduction is impracticable or if its cost is grossly disproportionate to the improvements gained
Broadly Acceptable Region
Negligible Risk
[Diagram markers: 10^-3/yr (workers), 10^-4/yr (public), 10^-6/yr, 10^-5/yr]

Layers of Protection

Emergency Response
Dikes, Blast Resistance
Physical Devices (e.g., Press. Relief)
Engineered Safeguards
Relief Set Point
Safety Instrumented System (SIS)
Emergency Shut Down
Trip level alarm
Operator Intervention
Basic Process Control System
Regain Operational Control
Process alarm
[Chart axes: Process Value vs. Time, with Normal Range marked]

Reducing Risk

[Chart: Likelihood vs. Consequence, with Increasing Risk direction; Inherent Risk of the Process; Unacceptable Risk Region, Tolerable Risk Region, ALARP Risk Region]

Non-SIS Risk Reduction

Non-SIS Risk Reduction, e.g. Pressure Relief Valves
Consequence Reduction, e.g., material reduction, containment dikes, physical protection
[Chart: Likelihood vs. Consequence, with Increasing Risk direction; Inherent Risk of the Process; Unacceptable Risk Region, Tolerable Risk Region, ALARP Risk Region]

SIS Risk Reduction

Non-SIS Risk Reduction, e.g. Pressure Relief Valves
Consequence Reduction, e.g., material reduction, containment dikes, physical protection
SIS Risk Reduction: SIL 1, SIL 2, SIL 3
[Chart: Likelihood vs. Consequence, with Increasing Risk direction; Inherent Risk of the Process; Unacceptable Risk Region, Tolerable Risk Region, ALARP Risk Region]

Requirements of a Layer of Protection

Independent protection layers have the following characteristics
  Specificity
  Independence
  Dependability
  Auditability

Commonly used IPLs

Operator Intervention
  Annunciated alarm
  Continuously manned location
  Proper training for alarm response
  Adequate Response time
Relief devices
Check valves
BPCS

Allocation of Risk

After all protection layers are considered, the remaining risk that is in excess of what is tolerable is assigned to protection layers, usually as SIS

Principles of Risk Management Summary

Necessary to adopt a risk approach to determine SIS design requirements
Criteria for tolerable risk need to be established
Consistent methods for analyzing risk need to be established. No standard industry approach.
Consider:
  Consequence
  Likelihood
  Layers of Protection

Typical SIL 1 Design

[Diagram labels: PT, PLC, UC, SV, IAS, FC]
PFD(Sensors) + PFD(Logic Solver) + PFD(Final Elements) = 1% to 10%

Typical SIL 2 Design

[Diagram labels: two PT (1oo2), PLC, UC, two SV each with IAS, two FC]
PFD(Sensors) + PFD(Logic Solver) + PFD(Final Elements) = 0.1% to 1%

SIL Verification

Purpose is to quantitatively verify selected equipment and testing meets requirements
Uses reliability engineering calculations

Parameters impacting SIL

[Diagram: parameters around "Safety Integrity Level"]
Component Selection
Diagnostic Coverage
Fault Tolerance
Common Cause Failures
Functional Test Interval
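
The calculation the SIL Verification and Parameters impacting SIL slides describe, as an added example that is not part of the original presentation. It uses the commonly taught simplified PFDavg approximations (not taken from the deck) with constructed failure rates, diagnostic coverage and common-cause beta values, and checks the deck's SIL 1 and SIL 2 architectures against its PFD bands.

```python
# Added example: simplified PFDavg equations; every failure rate below is constructed.
HOURS_PER_YEAR = 8760

def lambda_du(lambda_d, dc):
    """Dangerous undetected rate (per hour): diagnostics catch fraction dc."""
    return lambda_d * (1.0 - dc)

def pfd_1oo1(l_du, ti):
    """Single device, proof-tested every ti hours."""
    return l_du * ti / 2.0

def pfd_1oo2(l_du, ti, beta):
    """Redundant pair: independent double failure plus common-cause term."""
    return ((1.0 - beta) * l_du * ti) ** 2 / 3.0 + beta * l_du * ti / 2.0

def sil_from_pfd(pfd):
    """SIL band per the deck's table (PFD 1%-10% = SIL 1, and so on)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0  # worse than SIL 1

# Constructed device data: (dangerous failure rate per hour, diagnostic coverage)
PT = lambda_du(2e-6, 0.5)     # pressure transmitter
PLC = lambda_du(1e-6, 0.9)    # logic solver
VALVE = lambda_du(4e-6, 0.0)  # solenoid + fail-closed valve, no diagnostics

def sif_pfd(redundant, ti, beta=0.1):
    """PFD(sensors) + PFD(logic solver) + PFD(final elements)."""
    if redundant:  # 1oo2 sensors and 1oo2 final elements, single logic solver
        sensors, finals = pfd_1oo2(PT, ti, beta), pfd_1oo2(VALVE, ti, beta)
    else:
        sensors, finals = pfd_1oo1(PT, ti), pfd_1oo1(VALVE, ti)
    return sensors + pfd_1oo1(PLC, ti) + finals

def report():
    cases = {
        "1oo1, 1-year test": sif_pfd(False, HOURS_PER_YEAR),
        "1oo2, 1-year test": sif_pfd(True, HOURS_PER_YEAR),
        "1oo2, 5-year test": sif_pfd(True, 5 * HOURS_PER_YEAR),
        "1oo2, 1-year test, beta 2%": sif_pfd(True, HOURS_PER_YEAR, beta=0.02),
    }
    return {name: (pfd, sil_from_pfd(pfd)) for name, pfd in cases.items()}

if __name__ == "__main__":
    for name, (pfd, sil) in report().items():
        print(f"{name:28s} PFDavg={pfd:.2e}  SIL {sil}")
```

With these constructed numbers the redundant loop holds SIL 2 only with annual proof testing, and the common-cause term is the largest contributor to its PFD.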

Component Selection

Device suitable for application
Device is suitable for safety
  Proven in use
  Mfg. in accordance w/ IEC 61508
Technology of Device Appropriate
  Safe Failure Fraction
  Switches versus Transmitters
  Relay vs. PLC vs. Safety PLC

Diversification: the Only Free Lunch?

Sensor diversification should be strongly considered
When multiple components are working to perform a safety function, common cause can disable similar components

Safety Requirements Specifications

Purpose
  Select equipment appropriate for SIL
  Specify how the system operates
  Basis for detailed design
  Basis for Managing Change
Result
  Logic Solver Functional Specification (a.k.a., safety requirements specifications)

Test Plans

One for each SIF
Describes each step taken
Matches PFD calculations
Takes into account startup resources
  Personnel
  Equipment
  Time

Recurring Nightmare

Puerto Rico, 2009
Two injuries
Burned for 2 days
Destroyed 20 tanks

Conclusions/Overview

Challenge to meet new requirements
Risk based approach allows concentration on biggest hazards
Safety Lifecycle has mutually supporting components
Selecting instrumentation requires balancing many factors
Some tools can streamline process

Thank You for Attending!

Peter G. Herena
Kenexis Consulting Corporation
2929 Kenny Road, Suite 225
Columbus, OH, 43221 USA
(614) 451-7031
http://www.kenexis.com
