
Safety and Loss Prevention/Safety Engineering

Notes prepared by Eur Ing F K Crawley, for use in UK University


Courses based on notes produced for the University of
Strathclyde

Copyright University of Strathclyde, 2014

licensed under a Creative Commons licence CC BY NC ND 2.5 Scotland

Copyright University of Strathclyde, prepared by FK Crawley for IChemE 1


Contents
Preface 1
Outline of Notes
Learning Objectives 14

Part A
A Introduction and background to SHE
A 1 Identification of hazards 15
A 2 Introduction to Accident Causation 16
A 3 Defence in Depth - an Overview 16
A 4 Definitions of Frequently Used Terms 19
A 5 Regulatory Structure and Powers - an Overview 19
A 6 Legal Structure in the UK as applied to SHE - An Overview 21
A 7 Nature of Risks 25
A 8 What is an Acceptable Risk and What is Not Acceptable!? 27
A 9 Safety Cases 28
A 10 Phases of a Process Plant Development - an overview 29
A 11 Operational Safety 31
A 12 Safety Dossier 31

Part B



B Identification of Hazards
B 1 Introduction 32
B 2 Problems with Identifying Hazards 33
B 3 Safety Studies/Project Hazard Analysis (PHA) 33
B 4 Hazard and Operability Studies HAZOP 36
B 5 HAZID 50
B 6 Overpressure Protection or Relief and Blow down Studies 64
B 7 Fire Protections and Detection 64
B 8 Hazards in Operation 64

Part C

Basic Management Systems


C 1 Introduction 65
C 2 Systems (Annual Appraisals, Management of Change (MoC) - Procedure or Hardware, Procedure
Change, Hardware Change) 65
C 3 Permit to Work (See Part F Advanced Management Systems for more detail and an illustration) 68
C 4 PIs or SIs or WGOs 69
C 5 What is more important - the permit to work or the execution of the plan? Extract from LPB 71

Part D

Design for Safe Operation and Safe Operation Techniques


D 1 Introduction and Background 74
D 2 Hazard Studies Design Phases and Details 75



D 3 General Design Principles 81
D 4 Chemical Reactors 82
D 5 Layouts and Access 86
D 6 Overpressure Protection or Relief and Blow down Systems 89
D 7 Sizing of Pressure Relief Valves (PRV) 93

D 8 Hazardous Area Classifications 96


D 9 Shutdown Systems 101
D 10 Standards of isolation 104
D 11 Fire Detection and Protection 105
D 12 Safe Operation Role of Managers See also Part F Advanced Management Systems 105
D 13 Layer of Protection Analysis (LOPA) and Safety Integrity Level (SIL) 110
D 14 Inherency some examples 119

Part E

Risk Assessment
E 1 Risk Assessment An Overview 126
E 2 Outflow 141
E 3 Gas Dispersion 146
E 4 Fires 157
E 5 Explosions 182
E 6 Quantification (The Frequency or Probability of an Event) 198

E 6.1 Event Outcome Trees 193


E 6.2 Fault Trees 197

E 6.3 Reliability Formulae/Protective Systems 204

E 7 Shutdown Systems 210


E 8 Vulnerability, Toxics Doses and Effects Models 214
E 8.1 The Human 214



E 8.2 Migration of Gas into an Enclosed Volume 220

E 8.3 Effect Models Humans & Hardware 221

Part F
Management of Safety/the Environment
Or
The Generation of Safety/Environment Management Systems
F 1 Introduction 224
F 2 Culture 225
F 3 Why Do People Make Mistakes? 228
F 4 Defence in Depth 232
F 5 Role of Managers in Safety and the Environment 234
F 6 Management of Safety/the Environment or The Generation of Safety/Environment Management
Systems 237
F 7 Management Systems at the Work Place 243
F 8 Safety Management Systems (SMS) 250
F 9 Standing Instructions or Permanent Instructions or Works General Orders or Operating Procedures

F 10 Testing of Protective Systems 275


F 11 Management of Change 279
F 12 Safety/Environmental Audits 285
F 13 Accident Investigation 300
F 14 Human Error 318



Part G

Human and Environmental Assault 335

Part H

Historic Incidents that illustrate the breaches in Defence in depth 360

Incident Studies and Illustrated Safety Teaching Examples for ChemEngers

It is of fundamental importance that the correct messages of the incidents are transmitted.

The messages are mostly failures in Management Systems with the occasional failure of equipment,
probably also due to a Management failure.

Part I

Illustration of the use of Hazard Studies 440

A template which can be followed during the Final Year Design Project.



Safety and Loss Prevention (aka Safety Engineering)

Preface

Safety and Loss Prevention (more recently called Safety Engineering) is a required element in the
Accreditation, by IChemE, of Chemical Engineering Degrees. This will apply to other accreditation
routes. It is an evolving and practical topic which does not sit readily with the more theoretical topics in
Chemical Engineering; however, it is an essential topic which has to be fully assimilated as a pre-requisite
for Professional Status.

Experience gained in the training of qualified Engineers shows that those who have not had a foundation
in Safety and Loss Prevention at the undergraduate level do not grasp the fundamentals during their
professional life. In other words the post-graduate cascade-down process is ineffective and may also be
erroneous.

Most books, if not all, on this topic are written for the professional engineer and pitched at a level too high
for the Undergraduate. These notes and incidents have been written by a Registered Safety Professional
and are based on his own experiences, both good and bad. Some of the notes have been written in both
the first and the third person as a means of producing a more friendly approach.

The bulk of the notes are an attempt to be as complete as is appropriate for a BEng course. They are probably
fuller than teaching time would allow, so some may be set aside from the BEng and incorporated,
with Advanced Management Systems (Part F), into an MEng course. HOWEVER it should be remembered
that large tracts of the first four topics will apply to the Design Project and must be taught before the Final
Year Design Project can be completed.

The notes are supplemented by:

1. Incident Studies which can be used to illustrate the failings in and need for Management Systems.
2. A complete Safety (Hazards) Study series which can be used as a template for the Design Project.

The contents are divided into a number of parts:

Part A is basically non-numerate: Background, Introduction to the Law, defence-in-depth.


Part B is Introduction to Hazards Identification.
Part C is basic Management Systems.
Part D is basically Design Oriented. Design features which should be incorporated into the design project.
Part E is numerate and includes: Phenomenology (outflow, dispersion, fires, explosions), event/fault trees,
reliability and consequence/effect data.
Part F is Major Management Systems which are more appropriate to the MEng Course.
Part G is Human and Environmental Assault - a collection of ideas.
Part H is Incidents to support the teaching and to illustrate the role of management in safety.
Part I is Safety (Hazards) Study - a worked example of the design hazard identification process and a template
for the Design Project.

Caveat
These notes MUST NOT be altered as the context may be lost and incorrect analysis then may result.

Acknowledgement and Disclaimer

The notes that follow are based on my teaching notes produced, evolved and developed for and used in
the Department of Chemical and Process Engineering, Strathclyde University (1985-2005). These have
been revised and updated for publication on the IChemE web site. I am grateful to the Department of
Chemical and Process Engineering, Strathclyde University, for their support in publishing these revised
notes, but errors within them are my responsibility.

These notes are provided for information and teaching purposes only; they are not designed for
professional use. They are based on my professional experience but are not, are not intended to be and
should not be treated as, formal professional and/or legal advice. The reader should not act in any way on
the basis of these notes without seeking, where necessary, professional advice concerning their own
circumstances.

These notes may only be used as a basis of teaching but are supplied on an 'as is' basis and no warranties
are given as to their usefulness or otherwise. The author, the University of Strathclyde and IChemE assume
no responsibility for, and disclaim all liability (including responsibility for any actions taken) to the fullest
extent permitted by law in respect of the information in these notes.

Please note that whilst every effort has been made to ensure these notes are accurate and up-to-date,
there may have been subsequent developments and legal changes in the period since writing and
publication.

The author thanks IChemE for permission to reproduce pictures from ICI Safety Newsletters and LPB.

The Author would like to thank M Kidd (Department of Chemical and Process Engineering) for the
production of the majority of the diagrams/graphics.

Eur Ing Dr F K Crawley FIChemE

Department of Chemical and Process Engineering



Why This Subject?

Or Human and Environmental Assault

It is often useful to stand back and take an oblique look at ourselves from the position of a third party - this
section is best illustrated by the report of an extraterrestrial who has just visited the earth:

The insignificant little planet, third in distance from an insignificant little sun, is strangely beautiful. From a
distance it is a patchwork of white, blue and reddish brown. Close up the colours are more varied: the
basic solid of this planet varies from light grey through red to dark brown, the liquid phase is a bluish/green
and the vapour phase is white and blue.

The basic living materials are based on carbon molecules. The surface of the planet is usually covered by
static green living organic materials varying from 1 cm to 100 metres high and these can be covered by
extra features of many colours: red, orange, yellow, green, blue, indigo and violet. We believe these are
called flowers.

There are many mobile organic structures which occupy this beautiful little planet. In the vapour phase
there are colourful objects which propel themselves on what we believe are called wings. In the liquid
phase there are a variety of elongated organic objects which all seem to have control surfaces which are
believed to be called fins. On the solid phase the mobile objects are various and colourful. There seems
to be a pattern, they either have no appendages for propulsion, two appendages or four appendages - it
will be noted that this is the binary sequence - 0, 10, and 100. The height of these objects appears to vary
from 0.1 cm to 5 metres and the colour tends to be similar to the solid phase. There are also very simple
but invisible organic objects which appear to cause the larger organic objects distress we believe they are
called germs and viruses.

All of the organic objects with the exception of one have an external coating which keeps them warm. The
one exception appears to require either the external coating of other organic objects or some artificial
coating - obviously a sign of inferiority. This one type of organic object seems to have some very poor
design features yet has an arrogant belief it is superior to anything else - it seems to rejoice in the name
Homo Sapiens (H.S.). We believe Sapiens means wisdom - demonstrably untrue.

H.S. appears to propel itself on two of its four appendages - this defies the laws of stability and therefore
requires a complex control system with high feedback which is upset by a force of about 10 Newtons.
H.S. has stereophonic senses which respond to small pressure changes over 4 steradians and has light
sensors which operate over 2 steradians. The light sensors can detect movement over 2 steradians but
only detect small objects over 0.001 steradians. The sensors do not function well with high or low light
intensities. The light sensors are also damaged by acids, alkalis, sharp and blunt objects but also by high
electromagnetic energy which we believe is called ultra violet light. The pressure sensors are very
sensitive and are damaged by small cyclic pressure changes over a few hundred cycles per second. The
surface of H.S. is very inferior. It is damaged by temperatures of over 70°C and less than -20°C (a 90°C range
is very low). The surface is damaged by acids, alkalis, sharp and blunt objects; all in all a very inferior
design material.

The framework of H.S. is very weak and is damaged if it falls about five metres or is hit by a hard object
weighing only a few kilograms moving at ten metres per second.



The power source for H.S. occupies about half its volume and requires organic materials with traces of
inorganic materials, oxide of hydrogen (H2O) and oxygen. The oxygen must be at a partial pressure of 10
kilopascals to 30 kilopascals; outside this range its performance is severely impaired.

The remaining two appendages on H.S. appear to be used for moving material to its energy source and
using a pathetically simple computer.

There is a small computer built into H.S. which is pathetically slow to programme, taking about 20 years to
become fully effective, but works fairly well thereafter. We have noted that this computer can only accept
a limited amount of data and if given too much data it is known to overload, one more of its limitations.

H.S. requires oxide of hydrogen to function but will not function if immersed in it. H.S. requires oxygen
but it is very selective in its partial pressure. The diluent, nitrogen is obviously critical. Other diluents such
as carbon dioxide are totally unacceptable to H.S. Various other vapour phase materials are also totally
unacceptable and can cause total malfunction of H.S. These include:

Chlorine

Sulphuric Oxide (SO2)

Carbon Oxide (CO and CO2)

Nitrogen Hydride (NH3)

Nitrogen Oxide (NO2)

Carbon Oxychloride (COCl2)

And dozens more

Solids in the vapour phase such as Silicon Dioxide and other materials can cause serious malfunction of
H.S.

While H.S. requires organic components to function about 250 cc of Ethene Hydroxide (C2 H5 OH) causes it
to fail to function properly. Various other organic and inorganic materials can cause failure.

These include:

Chromium

Zinc

Arsenic

Mercury

Benzene

Toluene

Asbestos



And hundreds like this.

Some of these compounds cause total failure of the unit, some create cell mutation and some cause
disorientation not unlike Ethene Hydroxide.

It has been noted that H.S. incorrectly believes it has wisdom. It seems to have a driving need to destroy
this beautiful planet. It digs up the surface and lays black coatings on which are to be found multi wheeled
steel objects which produce oxides of Carbon, Nitrogen and Sulphur all of which are harmful to H.S. H.S.
also needs to create ugly objects on the solid phase on which H.S. spends most of its time. H.S. also needs
to destroy the organic material over about 0.5 metres high. H.S. uses the vapour phase to dispose of many
harmful gases. H.S. uses the liquid phase to dispose of many toxic liquids and solids and the solid phase to
cover up many solids. H.S. seems to have forgotten that biological decomposition of organic compounds
produces Carbon Hydrides and, as every extraterrestrial knows, carbon hydrides and oxygen react violently.
One of the vapours released by H.S. seems to have formed a hole over the colder parts of the planet - we
cannot see this hole but we are looking for it.

While this oblique look may appear to be a little frivolous it is also a serious analysis of human weaknesses
and the impact of humans on this planet and what we call the environment.

FKC 1990



Outline of Notes

These notes are an introduction to Safe Design, Hazard Identification and Quantification as applicable to
process plant. They start with concepts, definitions and the general legal framework; the notes also cover a
brief introduction to the identification of the Risk Drivers and the Procedures designed to reduce the
likelihood or magnitude of the event (in general terms). Finally they examine the assessment of the likely
hazards and their impact on not only the people but also the Environment and the Corporate Cash Flow.

The notes cover HAZOP, HAZID, Emission, Dispersion, Fires/Radiation, Explosions, Event Outcome Trees,
Reliability Theory, Toxicology and their Effects.

The Management Systems for Health and Safety and Environmental Management are also covered but
they are outlined in Part B with more detailed analysis in Part F which is more applicable to a Masters
Course. In reality Management Systems are quite complex so are illustrated by real incidents in Part H. The
two, text and illustrations, feed into each other.

The whole contents are more than would be expected from a BEng Degree Course but the Tutor can mix
and match various parts of these notes such that the Course is not the same two years running but that
which is not covered explicitly is available for use outside the Academic regime when a Graduate enters
the first full-time job. Some could be incorporated into a MEng Course with Part F.

The Layout Structure is as follows:

Part A - Basics - Introduction, Essential Definitions, Legislation

Part B - Hazard Identification

Part C - Basic Management Systems

Part D - Design for Safety

Part E - Numeracy quantification of risks and effects/vulnerability of personnel and equipment

Part F - Advanced Management Systems

Part G - Human and Environmental Assault

Part H - Incident Studies which are to be used to highlight the Role of Managers In Safety

Part I - A simple Hazard Study which can be used as a template in the Chemical Engineering Design
Project.

Some topics will be repeated deliberately under different headings as they have multiple homes, Hazard
Studies is but one.



Learning Objectives of These Notes

Through the notes the reader should: -

Understand the sequences of events that lead towards an untoward Safety, Health or
Environmental event.

Have some understanding of the concept of 'Defence in Depth'.

Be able to carry out simple Hazard Identification exercises.

Have an understanding of how Risk Assessment is carried out.

Be able to make simple assessments of event magnitude and effect.

Be able to make simple assessments of event frequency.

Have the ability to make judgements of the appropriate safety design features (for any
project) and be able to support them by assessment.

Understand the good design features which should be incorporated into the process plant
Design Project.

Understand the role of Managers in Safety.

Understand some of the good Safety Management Systems essential in safe operation both
through text and illustrated real cases.

Have some appreciation of why humans make mistakes.

It might appear that much attention in this document has been paid to The Plant. It is there
that the BIG events occur and whatever the role be it design or operations it is important that
the potential of The Plant is fully appreciated.

It will be noted that some topics in these notes have been repeated under more
than one home. This is deliberate and should help the reader understand how
the various elements interweave and when they can or should be used.

Textbook

There is no suitable textbook at present. Access to 'Loss Prevention in the Process Industries' (F.P. Lees,
Butterworth) would be of advantage. Various other texts are more specialised and cover only parts of the
whole, this is an attempt to capture the main and essential building blocks within a single text.



PART A

INTRODUCTION AND BACKGROUND TO SHE

A 1 Introduction

This part is very much one of scene setting and should be read before the other parts as it attempts to
put all of the parts into context.

A hazardous process which is well designed and well managed is potentially safe while a safe process
which is badly designed and badly managed will be hazardous

The mantra of FKC

Most Chemical Engineers will have an input, directly or indirectly, into a Chemical Process, be this
hazardous plant, water treatment or food processing as examples. That input, be it in design or operation,
has the potential for the impact on the safety and health of persons near to or distant from the site and on
the environment. It is self-evident that the release of a compound into the environment has the
potential to contaminate soil, air or water and likewise that compound could affect the health or the
safety of persons if it were toxic or flammable. The three areas of impact are often referred to by the
acronym SHE or HSE. The impact on one has the potential for impact on another so it is easier to treat the
three as one and not to differentiate between the elements. As a result the generalised approach will be
to use the word Safety but equally it could be Health or Environment and no differentiation is
intended by this simplifying choice.

In general a process plant should operate in a safe and non-harmful manner. However, there are process
upsets and aging factors which lead to Loss of Containment (LoC) or an uncontrolled process leading to a
major event. The need for Safety and Loss Prevention is to be found in the Laws of the Land, which
address the health and safety of people, and in the need to maintain the integrity of the Process Plant and
the cash flow of the Company. It is self-evident that if the Plant is damaged the plant can not produce
money for the Company.

First the potential problem areas must be identified (Part B) and the causes understood. Ideally these
should be eliminated but this is not always possible so they can be controlled by Management Systems
(Part B and F [illustrated in Part H]) and Design Features (Part D). There is no single solution but a blend of
possible solutions or STRATEGIES where Design and Management Systems work together; this is Defence
in Depth which is discussed in this Part.

Finally it is necessary to assess the risks and to reduce them to as low as is reasonably practicable,
see later.
These notes therefore ask:

How do events occur?
How can these be eliminated or reduced?
What tools, hardware or software, are available to reduce the magnitude?
What is the likelihood of the event?
What is the magnitude of the event?
What are the effects of the event?
What are the physical effects of the event - human, environmental or physical damage to property?

The various Parts can be abstracted as a mix and match which will cover both the Foundation in the
Bachelors Degree and lead into the more advanced management-based approach for the higher or
Masters Degree.

A 2 Introduction to Accident Causation

It should be noted that the word Causation is used in this introduction. Accidents do not happen on
their own, they are caused by people. The causes may be due to poor design and specification, poor
procedures, poor operation or poor inspection. All are the responsibility of Management. The start of the
accident is often loss of containment. One cause may be the operation of the process plant outside the
defined design envelope of flows, temperatures, pressures or compositions. The operating envelope may
also be compromised during normal operation by an upset but also by the slow drift in the operating
parameters over a number of years. Another may originate in corrosion, equipment failure or
inappropriate human intervention such as opening valves or working on live equipment. The design
must address these as it is developed and fit the appropriate protections. The operations must be vigilant
to systematic drift in controls and practices. Other contributions to the causation may include poor
training, poor procedures and human aging (Part F).

The task in Loss Prevention and Environmental Protection or Safety Engineering is first to identify the
event, the likely causes of that event and then to identify the systems which might prevent it, be they
Management Systems (Parts B and E illustrated by part G) or Design Features (Part D). Once there is a
Loss of Containment the history is less certain and requires Risk Assessment. The release may DISPERSE
safely or unsafely when it might result in a FIRE, an EXPLOSION or a TOXIC EVENT.

A 3 Defence in Depth an Overview

Before the ideas are developed it must be recognised that the Management of HSE (and it has to be
managed) is based on Defence in Depth (DiD). This requires a multifaceted approach with many defensive
layers. These layers may be of many forms, such as physical protection (as used in a Laboratory), Design
or Procedural. Whatever they are, they can be put into four generalised categories as follows:

Procedures - design, operating, maintenance, testing (quality control and assurance), handling and
control of documentation
Equipment - design, testing, maintenance and performance checking
Training - skills and knowledge and continuous professional development
Supervision - guidance given by Managers and controls imposed on personnel

This can be reduced to the acronym PETS or STEP.

Throughout these notes you will find reference to defences or protective systems. Any attempt to define
them in more detail at this point could be counter productive.

A simple analysis of accidents in many walks of life including domestic, civil, transport and industrial
accidents shows the following pattern:-



Number of Breaches of Defence    Outcome
1                                Nil
2                                Nil
3                                Possible near miss
4                                Possible minor injury
5                                Possible major injury
6                                Possible fatality
7                                Probable fatality
8                                Probable multiple fatality

The extension to Defence in Depth is that the probability of the event occurring is the product of the
individual probabilities of their occurrence (see Event Outcome Trees Part E). The more defences in place
the lower the likelihood of the event. See also Safety Cases.
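To make the product rule concrete, here is an added example (my own code, not part of these notes) that turns a list of barrier failure probabilities into the probability and frequency of harm, and, going one step beyond the text, shows how a single shared cause that defeats several barriers at once puts a floor under the benefit of adding more layers. The barrier values and the common-cause term are constructed assumptions for illustration.

```python
"""Defence in Depth as a product of barrier failure probabilities.

Added example, not taken from the notes. Assumptions (mine): each barrier has
a probability of failing when called upon, barriers are independent unless a
common-cause term is supplied, and the initiating event has a known frequency.
"""
from functools import reduce
from operator import mul
from typing import Sequence


def _check_probabilities(p_fail: Sequence[float]) -> None:
    """Reject values that are not probabilities before they are multiplied."""
    for p in p_fail:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")


def prob_all_barriers_fail(p_fail: Sequence[float]) -> float:
    """P(every barrier is breached), treating the barriers as independent.

    This is the product rule the notes state: each extra barrier with failure
    probability p multiplies the residual probability by p. With no barriers
    the product is 1.0, i.e. harm follows every initiating event.
    """
    _check_probabilities(p_fail)
    return reduce(mul, p_fail, 1.0)


def harm_frequency(initiating_frequency: float, p_fail: Sequence[float]) -> float:
    """Frequency of harm = initiating event frequency x P(all barriers fail)."""
    if initiating_frequency < 0:
        raise ValueError("frequency must be non-negative")
    return initiating_frequency * prob_all_barriers_fail(p_fail)


def prob_all_fail_with_common_cause(p_fail: Sequence[float], q_common: float) -> float:
    """'Holes line up' model (my illustrative assumption, not a formula from the notes).

    With probability q_common one shared cause (for example a poor procedure
    that every barrier relies on) defeats all barriers at once; otherwise the
    barriers fail independently. Even a small q_common caps the benefit of
    adding layers, which is why not all barriers are equally effective.
    """
    _check_probabilities(p_fail)
    _check_probabilities([q_common])
    return q_common + (1.0 - q_common) * prob_all_barriers_fail(p_fail)


def weakest_barrier(p_fail: Sequence[float]) -> int:
    """Index of the barrier most likely to fail: the 'damaged armour' to repair first."""
    if not p_fail:
        raise ValueError("no barriers supplied")
    _check_probabilities(p_fail)
    return max(range(len(p_fail)), key=lambda i: p_fail[i])


if __name__ == "__main__":
    # Constructed figures for the four PETS categories (procedures, equipment,
    # training, supervision); they are not data from the notes.
    p = [0.1, 0.05, 0.01, 0.2]
    print(prob_all_barriers_fail(p))                  # 1e-05
    print(harm_frequency(0.5, p))                     # 5e-06 per year for an initiator every two years
    print(prob_all_fail_with_common_cause(p, 0.001))  # 0.00100999: the shared cause dominates
    print(weakest_barrier(p))                         # 3
```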

The concept of Defence in Depth (DiD) can be illustrated by the reduction of road fatalities from about
10,000 in 1950 to fewer than 4,000 in 2014. In the meantime the traffic numbers had increased by a
factor of at least 5. What were those defences?

Procedures - impact tests for new cars, MOT for the car, health checks for the driver (another form of
MOT?), traffic management systems and more focused legislation
Equipment - crash barriers, improved visibility in the car, seat belts, crumple zones for impact absorption,
side impact systems, inflation bags, profiled and softened interiors, improved illumination of roads,
improved signage and road markings
Training - driving tests, including the Advanced Motorist and the use of skid pans
Supervision - speed monitoring, policing

This is not complete but is given as an illustration of DiD. It will be noted that most of the defences are
now focused on the protection of the driver and passengers.

Defence in Depth can be shown graphically by the Jim Reason Swiss Cheese Model (and Swiss Cheese is
not the best defence): if all the holes line up a bullet or armour-piercing shell can penetrate the
defences:



[Figure: Defence in Depth - Reason Model (Swiss Cheese Model, after James T Reason 1990). A HAZARD on the left passes through a row of barriers - Supervision, Procedures, Controls, Safeguards, People - and reaches HARM (an Incident or Near Miss) on the right only where the holes in the barriers line up. Above the barriers: Leading indicators (effectiveness of barriers) - how good was it when we last measured? Below the barriers: Lagging indicators (ineffectiveness of barriers) - what went wrong? Note: not all barriers are equally effective in controlling risk.]

The other, and better, model is Chobham Armour on a Tank or Kevlar Body Protection. The thicker the
armour (or the more layers of defence in place) the better. However if any part of the armour is weakened or
flawed the bullet or Armour Piercing Shell may be able to penetrate the armour. The greater the damage
to the protection the greater the energy in the Armour Piercing Shell or bullet which can or will penetrate
the system. If there is only minor weakening the impact may be a minor injury, but if it is totally removed the result
will be a fatality.

Another simple model is that of The Layer of Protection Onion. The rings are the protections.

[Figure: Layer of Protection Analysis (LOPA) - the Layer of Protection Onion]



A 4 Definitions of Frequently Used Terms

The following are some definitions for terms that are used frequently in these notes. They are universal
and it is important that they are used correctly, not only in this work but in future work.

Hazard - a physical situation with a potential for human injury, damage to property, damage to the
environment or some combination of these.

Individual Risk - the frequency at which an individual may be expected to sustain a given level of harm
from the realisation of specified hazards.

Loss Prevention - a systematic approach to preventing accidents or minimising their effects. The activities
may be associated with financial loss or safety issues. (In the USA it is called Process Safety, and the name
Safety Engineering is becoming the norm in the UK.)

Redundancy - the performance of the same function by a number of identical but independent means.

Risk - the likelihood of a specified undesired event occurring within a specified period or in specified
circumstances. It may be either a frequency (the number of specified events occurring in unit time) or a
probability (the probability of a specified event following a prior event), depending on circumstances.

Risk Assessment - the quantitative evaluation of the likelihood of undesired events and the likelihood of
harm or damage being caused, together with the value judgements made concerning the significance of
the results. Risk Assessment can be used non-quantitatively for routine day-to-day operations.

Societal Risk - the relationship between frequency and the number of people suffering from a specified
level of harm in a given population from the realisation of specified hazards.

These definitions are taken from the IChemE publication Nomenclature for Hazard and Risk Assessment in
the Process Industries, where further useful definitions can be found.

Please ensure that the words RISK and HAZARD are used correctly

A 5 Regulatory Structure and Powers - an Overview

These notes describe the Regulatory Structure as it applies in the UK, but increasingly the Structure, Powers and
Legal framework of other countries are converging on those of the UK. There are some subtle legal
differences, which may produce minor differences between the UK and other Countries around the
world. These notes are a useful introduction to what is a complex relationship of Law, Regulated and
Regulator.

As already mentioned in the Introduction, Safety and Loss Prevention is driven both by the need for steady
production (cash flow) and by the Legal Requirement laid on all who work in any form of industry. As
will be seen later this involves the Designer, the Process Manager and the Process Operator. In simple
terms, wherever you work you will have to discharge your responsibilities to comply with the Law of the
Land.



Structure

The roles of the Health and Safety Commission (HSC) and the Health and Safety Executive (HSE) have now been rolled into one body, the HSE. The Environmental Regulator is the Environment Agency (EA) in England and the Scottish Environment Protection Agency (SEPA) in Scotland; their roles are similar. The reason for there being a separate Regulator in Scotland is a mix of Devolved Powers and Scots Law.

It is now appropriate to examine the functions of the Safety Regulator; The Health and Safety Executive.

There are three main branches within HSE. These are: -

Policy - The policy branches advise on all matters which concern the future direction of the HSE's affairs. They review the state of safety and health, consult with the other parts of the HSE and formulate the HSE response. They maintain contact with government and other bodies, national and international, and oversee the implementation of EC Directives. Policy has its own Industry Advisory Committees (IACs), made up of representatives of employers, work people and independent experts, which give advice to the HSE.

Technological, Scientific, Medical - These are responsible for giving/supplying the highest
level quality guidance to industry, government and other areas of Health Safety and
Environment in their particular fields.

Field Operations - These are the policing function and feed back the knowledge and practical
experience for policy development.

It can be seen that the HSE is a very integrated and focused organisation. The Field group will often work with companies producing like products in a number of National Interest Groups (NIGs). There are well over 15 of these groups. They are intended to allow the Industry and the Executive to work together:

1. To supply a source of expertise within Health, Safety and Environment.

2. To provide a centre for data collection on practices, precautions and standards.

3. To provide guidance for internal/external use.

4. To provide a central forum in HSE for the analysis and discussion of health and safety problems and their impact on the maturity of HSE policies (feedback).

5. To develop contact with the bodies in industry at all levels.

6. To identify health and safety rules.

7. To develop ways of improving health and safety performance.

8. To identify areas for further research.

9. To ensure consistency of enforcement (this is very sensible and worthy of recognition).

10. To stimulate thinking and promote constructive initiatives by the industry.

Powers

Field Groups are the Inspectors and Enforcers. The HSE and EA have significant powers. Inspectors carry warrants and can instruct a company to cease operation if they have serious concerns for the safety of the operation, the impact on the health of employees (or the local public) or the impact of the operation on the environment. The two formal instruments are the IMPROVEMENT NOTICE and the PROHIBITION NOTICE. An Improvement Notice identifies a contravention and sets a time frame (not less than 21 days) within which the remedial work must be completed; an appeal suspends the notice until the appeal is heard. A Prohibition Notice is the more powerful tool: it is served where the inspector believes there is a risk of serious personal injury, it can take effect immediately, it stops the activity rather than merely requiring improvement, and an appeal does not suspend it. It does not depend on an Improvement Notice having been served and ignored first, although that is one route to it. Prohibition Notices are not used very often, but one should be expected after a serious injury or, worse, a fatality.

A 6 Legal Structure in the UK as applied to SHE An Overview

Physical safety legislation has existed since the Industrial Revolution, in the Factory Acts (1844); the Alkali Act (1863) was one of the first Environmental Acts. As the years have passed and knowledge has increased it has become increasingly apparent that physical safety measures alone cannot protect the employee or the plant; strategies are needed as well, and these are to be found throughout this document. In the years up to about the middle of the 20th century "Safety" was very much aimed at "gloves and goggles". Such a strategy seemed acceptable, as the process plants were well spread out and had limited capacity and potential. During the 1950s and 1960s there were major changes in the process industry: size was increasing at about 2-fold compound every 5 years, new processes were being developed and some of the "old rules" did not work. As a result, in the late 1960s, a number of technical and safety problems were found to have been built into plants, and from this came Loss Prevention (also known as Safety Engineering) and thence Environmental Protection. In the 1960s it was also recognised that a number of chemicals were injurious to health - asbestos, benzene and naphthylamine, to name just three. In the 1970s/80s both Occupational Health and the Environment became talking points and since the 1990s Management Systems have been to the fore. The rate of change within the area of "Safety and Loss Prevention" is far from linear. This is shown by the following bar chart:

Copyright University of Strathclyde, prepared by FK Crawley for IChemE 21


Figure A 6.1 The Evolution of SHE

[Bar chart, not reproduced: time axis from 1850 to 2000 (marked at 1850, 1900, 1950, 1960, 1970, 1980, 1990 and 2000); one bar each for Safety, Loss Prevention, Occupational Health, Environmental and Management, starting in that order; the legend distinguishes "start of real activity" from "some evidence of activity".]

The legislation in the UK as it affects SHE (Safety, Health and Environment) cannot be given in detail. It is far too complex to give even the most condensed version without leaving some of the key features out of the discussion. As a result this must be treated as only a summary (and a brief one at that) and used as a lead-in to the full subject, which is more detailed than might be thought!

Above all, Industrial Law is more complex than Civil Law and it is prosecuted by a powerful body called the Health and Safety Executive (see earlier). In the UK there are two forms of law, Common Law and Statute Law. Common Law is basically law which has been handed down from our predecessors. It is based on cases tried under a broadly common-sense approach and is embodied in Case Law, where previous judgements are used to try a case. Into this category might come such matters as trespass onto your property or land. Statute Law is debated in the Commons and then in the Lords before it becomes law. The law in so far as SHE is concerned is based on Statute Law but it has some minor twists. In practice the law in Scotland may well be subtly different from that in England for historic reasons. The exclusions have to be read with care!

The Legislative structure is multi-layered. At the top are the ENABLING ACTS such as the Health and Safety at Work etc. Act 1974 (HASWA) and the Environmental Protection Act (EPA). These are, as the name suggests, debated in Parliament. Below the Acts come THE REGULATIONS. These are STATUTORY INSTRUMENTS (SIs) and are given a numbering reference, so a Regulation is cited as SI (YEAR) No. (NUMBER). The SIs or Regulations are drawn up by HSE and circulated to interested bodies for comment (such bodies are IChemE, CIA, companies and also individuals with an interest in that topic). The Regulations put detail into the more generalised wording of the relevant Act; a breach of a Regulation is an offence under the Act, so court action is taken under the Act. Below the Regulations come THE GUIDANCE NOTES, which are a further elaboration on the wording of the Regulations. Finally there are the CODES OF PRACTICE (CoP); those approved by HSE, with the consent of the Secretary of State, are APPROVED CODES OF PRACTICE (ACoP). There is a sting in the tail (as might be expected with legislation): an ACoP is not itself law, and it normally carries wording to the effect that following it is not compulsory, BUT if there is an incident and the ACoP was not followed, that failure is taken as proof of the breach unless the duty holder can show that the requirement of the law was met by an alternative means that was at least as good. This wording imposes a duty either to comply without question or to spend time and effort demonstrating that there is an equally good solution. This undermines the original intent of HASWA, which was to move from Prescriptive Regulation to Self Regulation.

The Enabling Acts are written in general terms and are a statement of the duties of the persons to whom they apply. For example HASWA does not say what should be done but what should be achieved; the "how" is done through the SIs or ACoPs. The Act is interesting, is quite readable and lays down the general duties that are required of the various parties. It lays the duty of care on employers and employees, their duty to each other and to the public. These are fairly wide ranging. Section 2 states:

1. It shall be the duty of every employer to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all his employees.
2. Without prejudice to the generality of an employer's duty under the preceding subsection, the matters to which that duty extends include in particular
(a) the provision and maintenance of plant and systems of work that are, so far as is reasonably practicable, safe and without risks to health;
(b) arrangements for ensuring, so far as is reasonably practicable, safety and absence of risk to health in connection with the use, handling, storage and transport of articles and substances;

Section 2(2)(a) therefore requires the provision and maintenance of plant and systems of work that are, so far as is reasonably practicable, safe and without risk to health.

Consider the following features, which may satisfy these requirements.

(a) Maintenance and inspection of equipment, supported where required by non-intrusive testing such as thickness measurements and corrosion coupons, carried out more frequently than the physical (internal) inspection. A typical scheme: the first physical inspection at 1 year; if acceptable, the next after a further two years; if still satisfactory, the next after a further three years, and then after a further six years. Each interval is set by the experience accumulated so far, so the intervals grow (roughly doubling) as confidence in the equipment grows.
(b) Inspection can only be carried out if the system is safe to enter. Consider the following:
 (i) Isolation standards
 (ii) Standards of preparation for entry, and air and gas tests in and around the equipment
 (iii) Permits and controls for entry
 (iv) Special requirements for Personal Protective Equipment (PPE). Is self-contained breathing apparatus required? What footwear, gloves and body protection are required?
 (v) Is a stand-by man required?
 (vi) Is the working environment likely to change as a result of the inspection? If so, should the working environment be checked continuously?
 (vii) If repairs are required, what extra precautions are required?
 (viii) And so on.

Section 3 imposes duties on employers and the self-employed, and Section 4 on those in control of premises, towards persons who are not their employees (contractors, visitors and the public).


Section 6 states:

It shall be the duty of any person who designs, manufactures, imports or supplies any article for use at work ... and it lists those duties, each qualified by "so far as is reasonably practicable".

Clearly Section 6 could apply to any designer.

Section 7 states:

It shall be the duty of every employee while at work -

(a) to take reasonable care for the health and safety of himself and of other persons who may be affected by his acts or omissions at work; and
(b) as regards any duty or requirement imposed on his employer or any other person by or under any of the relevant statutory provisions, to co-operate with him so far as is necessary to enable that duty or requirement to be performed or complied with.

Consider the following features, which may satisfy this requirement:

(a) wear your PPE at all times, this might include hearing protection, helmet, goggles, gloves, boots and
cover-all
(b) do not abuse the PPE
(c) report any defect in your PPE
(d) do not abuse safety equipment (for example eye wash sprays or solutions, fire extinguishers,
showers, hand rails, safety gates etc, etc)
(e) do not fool about or abuse any process equipment
(f) report any obvious process defect or potential hazard as soon as is practicable
(g) clear up after any work that you have carried out

The Act goes on to cover training, information and supervision, maintenance, access and egress and the working environment.

The duties apply to employees and extend to the public outside the site.

(The armed forces are exempt from parts of this Act.)

The duties go as far as to say, in general terms, that abuse of any safety equipment by an employee is an offence in law (Section 8). If you discharge a fire extinguisher as a prank, you could be taken to Court under HASWA!

Note the term "so far as is reasonably practicable", which runs throughout the Act. It is not defined by the Act. It is treated as requiring that the residual risk be as low as is reasonably practicable, or ALARP. (Remember that risk combines both the severity and the frequency or probability of the event.) Should the risk from a machining task be assessed as a cut finger once in 10^6 years for all operations, this could be treated as ALARP; but if it is a serious injury every 10 years it most certainly is not ALARP.

One of the drivers for change in legislation is the European Directive. Directives are usually in a generalised form; it is for the Member States to give legal form to them. In Britain this is done by SIs, which are enabled by the Acts already mentioned. One such Directive was the Seveso II Directive, which became the Control of Major Accident Hazards Regulations (COMAH).

In your future working environment you will probably have to comply with of the order of 50 SIs. Failure to comply could result in your prosecution. Even in your design project you will have to comply with the following in the UK, for starters (several of the 1992 sets listed have since been re-issued in revised form, so always check for the current edition):

Control of Major Accident Hazards Regulations (COMAH) - may require a Safety Case, see below

Construction (Design and Management) Regulations (CDM)

Control of Substances Hazardous to Health Regulations (COSHH)

Dangerous Substances and Explosive Atmospheres Regulations (DSEAR)

Pressure Systems Safety Regulations (previously the Pressure Systems and Transportable Gas Containers Regulations)

The Management of Health and Safety at Work Regulations (MHSWR) 1992, SI 1992 No. 2051

The Personal Protective Equipment at Work (PPE) Regulations 1992, SI 1992 No. 2966

The Health and Safety (Display Screen Equipment) Regulations 1992, SI 1992 No. 2792

The Manual Handling Operations Regulations 1992, SI 1992 No. 2793

The Provision and Use of Work Equipment Regulations (PUWER) 1992, SI 1992 No. 2932

The Workplace (Health, Safety and Welfare) Regulations 1992, SI 1992 No. 3004

The Noise at Work Regulations 1989, SI 1989 No. 1790

It is not practicable to give illustrations of the SIs and the legislation in a real situation. Acts, SIs and Guidance Notes mesh together: the Acts overlay the SIs and Guidance Notes.

A 7 Nature of Risks

It is important that the terminology is clear and understood by all:

HAZARD refers to the event and its potential for any impact on SHE.

RISK refers to the HAZARD modified by the frequency or probability of its occurrence.

This can be illustrated by the simple example of the HAZARD of lightning, which can kill people if they are struck by it. The RISK, or LIKELIHOOD, of any one person being killed by lightning in the UK is about 10^-7 per person per year. Risk carries a probability or frequency term, while hazard is dimensionless. Applied to the populations of the two countries (roughly 50 million and 5 million), this means that about 5 persons will be killed per year in England and only 1 every two years in Scotland. THE RISK IS THE SAME IN BOTH COUNTRIES; it is the number of people exposed that differs.

It is now necessary to discuss the impact of an incident on a group of persons. In reality there is a three
dimensional relationship between the numbers of persons affected, the effect on those persons (delayed
or immediate) and the nature of the hazard. The best way of demonstrating this is to examine a cube.
Each axis can be defined by an effect. One is single or multiple, another is chronic or catastrophic (Chronic
means that the effects live on for a long time, catastrophic generally means a fatality at the site) and the
third is Chemical/ Process or Technical/ Non-process. The test is to ask the question Could the risk be
changed by a change in the chemistry or the process? If the answer is Yes it is a chemical or process
risk! If it is No it is a technical or non process risk.

Roughly half of all risks are chemical or process and half are technical or non-process coming under the
generalised heading of slips, trips and falls. These are important but are very much based on
compliance with good standards and are not best dealt with in Loss Prevention.

Remember that "chronic" comes from the Greek word for time, chronos, and can refer to delayed effects or effects that will not go away. The amputation of a limb is a chronic effect, as are the delayed effects of toxics.

Figure A 7.2 The Safety Cube


The intellectual properties to the Safety Cube belong to D S Scott.

A1 = Single, Chronic, Technical (a broken leg which does not knit, or a damaged eye)
A2 = Single, Catastrophic, Technical (nitrogen asphyxiation)
A3 = Single, Chronic, Process (gassing or acid burn)
A4 = Single, Catastrophic, Process (small fire)
B1 = Multiple, Chronic, Technical (post-traumatic shock)
B2 = Multiple, Catastrophic, Technical (structural collapse)
B3 = Multiple, Chronic, Process (Bhopal or Chernobyl)
B4 = Multiple, Catastrophic, Process (Piper Alpha or Flixborough)



A 8 What is an Acceptable Risk and What is Not Acceptable!?

There is continual reference, in all walks of life, to "The Risk Assessment". It appears to be a necessity for every operation, both in industry and outside it. The difficulty is that if the hazard is not recognised, how can the risk be assessed? In most cases it is only necessary to examine the potential hazard and to look at means of reducing the likelihood of occurrence or mitigating the effects should it occur. This is what happens in a non-industrial environment or when issuing a Permit to Work (Parts B and F). In the industrial environment the risks are potentially more significant and the means of reducing the likelihood or mitigating the effects require a more detailed study. This is called Quantified Risk Assessment (QRA, Part E); in most cases this is a specialised study. However the question still stands: what is safe enough? Consider now "so far as is reasonably practicable": what does it mean? It means that if it is possible to reduce the risk, it should be done! There is a limit to this, as the cost may be grossly disproportionate to the benefit. Even the definition of "disproportionate" is becoming confused. The Government has assessed the notional value of a life at £1M (as of 2000), and road improvements and hospital procedures are based on this notional value for a life saved. Industry might be expected to go beyond £10M per notional life saved!

There is no absolute answer to the question of acceptability but it is best illustrated by the Dagger
Diagram:

Figure A 8.3 The ALARP DAGGER

It will be noted that there are two boundaries, the upper (intolerable) and the lower (broadly acceptable), with the zone between them called "as low as is reasonably practicable", using the acronym ALARP: a risk in this zone is tolerable only if it has been reduced to ALARP. (Compare the wording of HASWA, "so far as is reasonably practicable".)

There are a number of pointers to the Intolerable regime. One is the risk to Nuclear Workers and the other is to be found in the Offshore Safety Case Regulations. The total risk should not exceed 10^-3 per person per year. This covers ALL RISKS WITHIN THE WORKING ENVIRONMENT, from trips and falls to process risks, so the INDIVIDUAL contributions to this total must each be significantly less than 10^-3 per person per year. Is this appropriate for another industry? The answer is probably No. The upper level must reflect past performance and is likely to be nearer 10^-4 per person per year for the process and allied industries. What is broadly acceptable? Once again this is not cast in tablets of stone, but a TOTAL risk of 10^-5 per person per year is probably acceptable. Note that the effect of setting the broadly acceptable line where it is is to drive down the overall risk to employees, as in reality a total risk of 10^-5 per person per annum is a holy grail not achieved in practice.

ALARP, that is, the requirement to examine methods of risk reduction, will inevitably cost money and the question arises: is the cost disproportionate to the benefit, and could this money be spent more beneficially elsewhere? The answer is not always as clear as it might be. If the notional cost per life saved (and it is notional) is more than about £10,000,000 to £20,000,000 it might be disproportionate, but there may still be good reasons for the expenditure, namely goodwill, the security of production and the avoidance of consequential losses. Simple changes may be cost-disproportionate on paper but may be good common sense, particularly small changes which are easy to carry out and so avoid a long, protracted discussion with the regulator.

One of the weaknesses in ALARP is that it is difficult to demonstrate that procedural controls are effective and are not being corrupted with time. Procedures can often be very cost-effective, but they are subject to ageing and their performance cannot be verified, whereas hardware solutions, more expensive though they are, can be tested and their performance assessed, and so can result in a watertight QRA.
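The lightning arithmetic of A 7 and the ALARP regions and cost-benefit test of A 8, worked through in code. This is an added example and is not part of the original notes: the population figures, the plant's risk contributions and the two candidate measures are constructed for illustration, and the factor of 10 on the notional value of a life is an assumption taken from the "beyond £10M" remark above.

```python
"""Added worked example (not part of the original notes): the risk arithmetic
behind the lightning illustration in A 7 and the ALARP "dagger" in A 8.
The thresholds (10^-3 intolerable, 10^-5 broadly acceptable) and the notional
value of a life (£1M as of 2000) come from the text; the factor of 10 and the
plant figures in main() are assumptions/constructed values."""
from math import prod

UPPER_LIMIT = 1e-3          # intolerable at or above this total individual risk (per person per year)
LOWER_LIMIT = 1e-5          # broadly acceptable at or below this
VALUE_OF_LIFE = 1_000_000   # notional £ per life saved (the 2000 figure quoted in the notes)
DISPROPORTION_FACTOR = 10   # assumed: industry spends up to ~10x that before it is "grossly disproportionate"


def expected_fatalities(individual_risk: float, population: int) -> float:
    """Societal view of a per-person risk: the same risk applied to a larger
    exposed population gives proportionally more expected deaths per year."""
    if not 0.0 <= individual_risk <= 1.0:
        raise ValueError("individual risk is a probability per year and must lie in [0, 1]")
    return individual_risk * population


def combine_risks(contributions) -> float:
    """Total individual risk from independent contributions (process, trips,
    falls, ...). For small risks this is close to the plain sum and never
    exceeds it, which is why each contribution must sit well below the limit."""
    return 1.0 - prod(1.0 - r for r in contributions)


def classify_individual_risk(total_risk: float,
                             upper: float = UPPER_LIMIT,
                             lower: float = LOWER_LIMIT) -> str:
    """Place a total individual risk in one of the three ALARP regions."""
    if total_risk >= upper:
        return "intolerable"
    if total_risk <= lower:
        return "broadly acceptable"
    return "tolerable if ALARP"


def implied_cost_per_life_saved(cost: float, risk_reduction_per_year: float,
                                exposed_persons: int, years: int) -> float:
    """Cost of a measure divided by the statistical lives it saves over its life."""
    if risk_reduction_per_year <= 0:
        raise ValueError("a measure that removes no risk has no ALARP case at any price")
    lives_saved = risk_reduction_per_year * exposed_persons * years
    return cost / lives_saved


def grossly_disproportionate(cost: float, risk_reduction_per_year: float,
                             exposed_persons: int, years: int,
                             value_of_life: float = VALUE_OF_LIFE,
                             factor: float = DISPROPORTION_FACTOR) -> bool:
    """ALARP cost-benefit test: a measure may be declined only if its implied
    cost per life saved exceeds the notional value of a life by the factor."""
    icaf = implied_cost_per_life_saved(cost, risk_reduction_per_year, exposed_persons, years)
    return icaf > value_of_life * factor


def main() -> None:
    # Lightning (A 7): the same risk applied to two constructed round-number populations
    for country, population in (("England", 50_000_000), ("Scotland", 5_000_000)):
        print(f"{country}: {expected_fatalities(1e-7, population):.1f} deaths/year at 1e-7 per person")

    # A constructed plant: three independent contributions to one worker's annual risk
    contributions = [4e-4, 1e-4, 5e-5]   # process, trips and falls, site transport (assumed)
    total = combine_risks(contributions)
    print(f"total individual risk {total:.2e} -> {classify_individual_risk(total)}")

    # Two constructed risk-reduction measures, 50 exposed workers, 25-year plant life
    for name, cost in (("relief header upgrade", 500_000), ("extra gas detector", 50_000)):
        icaf = implied_cost_per_life_saved(cost, 2e-5, 50, 25)
        verdict = ("grossly disproportionate" if grossly_disproportionate(cost, 2e-5, 50, 25)
                   else "should be implemented")
        print(f"{name}: £{cost:,} -> £{icaf:,.0f} per life saved -> {verdict}")


if __name__ == "__main__":
    main()
```

Note that the two measures remove the same amount of risk; only the cost differs, and at £20M per life saved the first falls outside the £10M to £20M band the text mentions while the second, at £2M, is well inside it. The ValueError on a zero risk reduction is deliberate: a measure that removes no risk cannot be argued for or against on ALARP grounds, and a silent division by zero would hide that.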

A 9 Safety Cases

Increasingly the Regulator is using Safety Cases to focus the thoughts of the Asset Owner (the Operator of the Process Plant) on the safe operation of that plant. In the process industry the basis is COMAH (Control of Major Accident Hazards), where the document is formally called a Safety Report; it requires the Asset Owner to tell the Regulator:

What are the hazards?
How will the hazards be controlled?
Who might be affected?
What are the potential risks on/off site?
How will the hazard be managed or handled?
How may the environment be affected by the hazards?
How may the environment be remediated if it is harmed?

The Safety Case focuses increasingly on the management of the Process Plant (the Major Accident Prevention Policy, MAPP) and requires a dialogue with the Regulator as the design of the Process Plant evolves; the design may need to change as a result of the Case. The Case will also require routine updating, more particularly if there is a material change to the original Case. (This occurs quite frequently as improvements to the process are incorporated.)

In some respects the Safety Case is an examination of the Defence in Depth. It must be recognised that a Safety Case may be needed for certain processes, as laid down in the Regulations, and that its scope must be recognised early. The detail is an advanced topic.

See also A 12 Safety Dossier



A 10 Phases of a Process Plant Development Hazard Studies (HS) - an overview

This topic will be introduced as part of the introduction so as to give a structure which will be followed
throughout these notes. This technique is fundamental in the whole of SHE as it can be applied to design,
management of change, hardware and management structure, as well as producing operating
instructions.

It is a cornerstone of Safety.

There are eight Hazard Studies or phases in a process plant. The numbering is slightly odd because there were originally 6 phases, recognised in the 1970s; two new ones have been introduced more recently and it is easier to keep the original numbering. This will be dealt with in more detail in Part B, Hazard Identification; what follows is a synopsis for the Introduction. The TOTAL SHE input is given in general terms, but it must be remembered that other Engineering/Science disciplines will be involved during the various stages of the project, more so during the design phase.

The function of each study is appropriate to all projects, large or small, but the time allocations given below are representative of a MAJOR project costing many millions of pounds; smaller ones will obviously be shorter.

See also a worked example: The template for a Design Project. See Part I

Hazard Study 0 - Inherently Better?

Timing - as early as possible
Objective - to determine if there is a process route, chemistry or unit operation that offers a lower risk and is INHERENTLY safer (and of lower risk to the environment)
SHE input - a few person days
End Point - the identification, or not, of inherently better solutions

Hazard Study 1 - Concept Selection

Timing - once Study 0 has been completed
Objective - to determine those SHE features which must be addressed during the development of the design and also to determine if the concept is viable
SHE input - a few person weeks/months
End Point - the identification of the best process solution, which could be that the Project is non-viable!

Hazard Study 2 - Front End Engineering Design (FEED) or Concept Development

Timing - once the project is identified as viable
Objective - to identify solutions to design issues and, if appropriate, to carry out the initial risk assessments for the Safety Case
SHE input - a person year
End Point - solutions are in place and are realistic. Equally it could be that the problems cannot be solved and the Project should be abandoned or another route chosen

Hazard Study 3 - Detailed Design

Timing - the Project will now be sanctioned
Objective - the design will include the following tasks:
 Detailed design/specification of equipment
 HAZOPs
 Overpressure protection or Relief and Blow Down reviews
 Hazardous Area Classification
 Layout
 Civils
 Detailed design of protective systems (active or passive)
SHE input - substantial
End Point - the design is completed and all studies implemented and signed off. The Safety Case, if required, will be produced and approved; as the Safety Case may produce actions that the HSE wish to see implemented, it is advisable that the minimum of construction is attempted before approval is given for the Safety Case

Hazard Study 4 - Construction

Timing - construction could be carrying on while the design is being completed
Objective - to ensure that the plant is built as the designer and operator intended
SHE input - not to be underestimated
End Point - the plant can be handed over to the operations team

Hazard Study 5 - Pre Start-up

Timing - as the name suggests
Objective - to ensure that all systems and training are in place and to test, so far as is possible, all equipment and protective systems
SHE input - more in the form of an audit, taking a few person weeks
End Point - ready to start up following close-out of the actions from the audit. The start-up cannot go ahead until the Safety Case is approved

Hazard Study 6 - Post Start-up

Timing - about a year after start-up
Objective - to identify both the GOOD and BAD lessons learned and how these can be recycled into the Corporate Knowledge Base
SHE input - a few person weeks
End Point - enhanced Knowledge Base and Standards

Hazard Study 7 - Demolition

Timing - unknown
Objective - to identify the hazards that might occur during the demolition and to produce a complete plan of action. It is also likely that a Safety Case may be required. Consider the impact of the design on the demolition process early in the design phases (2 and 3); the demolition of the first generation nuclear power stations is now coming back to haunt the industry
SHE input - uncertain

It is now becoming recognised that after about 5 years the design intent of the process may have changed and that the various modifications, which individually satisfied the Management of Change procedure, may now interact in an unpredictable way. As a result it may be necessary to repeat all or part of Study 3.

A 11 Operational Safety

It is now necessary to look at the operational approach to safety. This is somewhat different from the
Design and Construction approach and is more oriented to procedures. These will include such as:

Management of Change
Permit to Work
Standing Instructions (Permanent Instructions) and Operating Instructions
Performance Assessments both Human and Equipment
Requirements for Continuous Professional Development and Promotion
Inspections and Maintenance
Audits
Emergency Planning

These will be expanded upon in parts B and F

A 12 Safety Dossier

Throughout these notes there will be reference to decisions made (as in the Hazard Studies), proposed actions (as in HAZOP), sizing calculations (as in Overpressure Protection) and risk/availability calculations (as in Risk Assessment).
ALL OF THESE MUST BE LOGGED AND CAPTURED IN A SAFETY DOSSIER, WHICH THEN BECOMES THE FEEDER TO THE SAFETY CASE. EVEN A SMALL PLANT SHOULD HAVE SUCH A DOSSIER AS IT SHOWS HOW THE PLANT HAS EVOLVED AND HOW/WHY CHANGES OCCURRED. IT IS THE PLANT MEMORY.

THE DOSSIER MUST BE A LIVE DOCUMENT.



PART B

IDENTIFICATION OF HAZARDS

B 1 Introduction

The identification of hazards is a skill and requires a large knowledge base as well as a good structure
within which to work.

This gives a high level overview of the Identification of Hazards - each company, present or future, will
have its own "tools" and these may be corporate confidential. There are, however a number of general
techniques for the Identification of Hazards.

1. Codes, Standards

2. Databases

3. Audits/Studies

4. Hazard and Operability Studies (HAZOP)

5. HAZID

6. "Eyeball" the problem - use experience

The "eyeball" approach is unacceptable: it was used for many years and did not work, as it was based only on the experience of the team and had no structure. Codes and Standards, either corporate or national, are still powerful tools and must not be ignored; there are too many, and too varied, to even start to outline them, but there are various sources such as:

American Petroleum Institute (API)

American Society of Mechanical Engineers (ASME)

International Standards (I.S.O.)

If nothing else these are the starting point for any design, these will be reintroduced in later chapters.
Unfortunately there is no standard design for any one production unit; each has differences due to size,
efficiency, feedstock and even the designers own ideas so items 2, 3, 4 and 5 above must not be
overlooked. It is almost impossible to achieve a competence in all of the techniques which can be applied
so all these notes can do is to give an overview.

B 2 Problems with Identifying Hazards

Do not underestimate the problems associated with "Identifying Hazards". Designers are becoming very insular - even within any one discipline they are becoming very specialised - so inter-disciplinary problems are common. Projects are becoming more "fast track", which limits the time available to sit down and think about the possible problems. The knowledge base is also limited, most of it being experience shared over about 20 years, while in the meantime projects are becoming more complex due to the drive for thermal and/or chemical efficiency, with all the associated novel problems.

Some readers may already have been on some of the studies that will be described, during vacation
work or placements - please bear with those who have not been on these studies, as they are part of
these notes. For those who have experienced these studies, please do read the notes as they may give you
a different perspective on the techniques - and that is to be encouraged.

Above all it is now recognised that any team needs a "Facilitator" (a leader, in other words; the title
Chairperson is not applicable as it does not give the full description of the role of the leader). Even if
you may never be a Facilitator yourself it is useful to know what he/she is trying to achieve. Some of
the Facilitator's techniques are to be found wrapped up within the notes.

B 3 Hazard Studies/Project Hazard Analysis (PHA)

This is an expansion of the structure laid out in Part A. Ideas that can utilise inherency are to be found
under Design, Part D 13.

As a project moves on from the "idea" to "completion" many SHE problems have to be handled - and
many potential problems are built into the design. One of the tools used to solve these problems is a
Hazard Study (HS), Audit or Process Hazard Analysis (PHA). The classic technique was developed by ICI in
about 1970 and had 6 steps. The latest thinking is that there should be two extra studies/phases, given the
numbers 0 and 7 as discussed in Part A; these are now outlined with the phase of the project during which
they are carried out. Some companies use a variation of the technique in the form of an external audit,
but it must be noted that "ownership" of problems, leading to their correct resolution, only comes from
within the project team.

Study 0 Inherently Safe

Inherently safe and environmentally friendly is a concept that has to be analysed in some detail; it requires
thinking outside the box and is not easy without some depth of experience. In general, with the
pressures on design teams, it is not one of the issues that receives a high priority, more particularly should
it result in a change in the process or the chemistry. This idea will be expanded upon.

This study is one which should be carried out on the very earliest idea and is at the research/technical
boundary.

An inherently safer or greener process means a process route which has safety and environmental
protection built into the design from the very start. There are many ways in which, theoretically, it is
possible to have an inherently safer process but it is not always as easy as it sounds! First of all, and this is
typical of all of the identification techniques, it uses a series of guidewords designed to trigger ideas in
the mind of the designer. The guidewords, with their interpretations, are at the start of each technique.

Study 1 Concept - well before sanction

Objective To identify the major problems which have to be overcome before the concept can
become a viable project.

Basically, are there any show stoppers which are so insurmountable that it is not worth carrying
on with the Project?

End Point The concept should be capable of development into a project.

SHE Topics HAZID Studies: Toxic data availability: Reaction kinetics, particularly the exothermic
properties of reactants and reactions: Effluent handling: Alternative processes: Availability of
feedstock, the means by which it might reach the site and the risk to the public during the
transfer: Coarse hazard indices: Environmental impact studies: Equipment availability studies:
Reliability studies on safety critical items such as shut down systems and gas detection
systems: Special materials of construction that might have a safety implication, e.g. corrosion.

SHE Effort A few person months on a large project

Timing Once the project concept has been identified; it could still only be an idea in the minds of
the Technical Department.

Study 2 Project Development or Front End Engineering Design - before sanction

Objective To analyse and assess all of the major problems and to design in the current safety
features to ensure risks are "as low as reasonably practicable".

End Point The project can proceed to detailed design.

SHE Topics Reactor Start-up and an analysis of the stability (risk) and any requirements for safety
features: Shut-down dynamics and possible impact on safety through the violation of the
pressure-temperature envelope: Initial Layout: Detailed Risk Assessments: This should include
the integrity of protective systems (Part D 12 - SIL). Product/feedstock movement and storage
studies: Requirements for fire fighting/protection and particular requirements for
environmental monitoring, locally or more globally. Resolution of any problems from study 1.
Safety Case preparation if required.

Management Systems will be discussed later in Part C and in more detail in Part F

SHE Effort. Up to a person year for a large project. More if there is a safety case.

Study 3 Detailed Design - before the design is "frozen" and as it is sanctioned

Objective To ensure that the detailed design is correct, has addressed all of the problems in steps
1 and 2 and that the plant will operate, start up and shut down safely and efficiently.

End Point The construction can start.

SHE Topics HAZOP Studies, Relief and Blow down Studies: Area Classification: Special protective
systems, including shut down/ESD, fire protection, gas detection and other systems: Special
operating procedures. Resolution of any problems from study 2.

Design Features will be discussed in more detail later in these notes and Part D

SHE Effort Possibly a number of person years but spread over a few years

Study 4 Construction after the Project is frozen

Objective To ensure the project is built as intended and no "modifications" are missed.

End Point The project can start to move to commissioning.

SHE Topics The SHE topics are really those topics which are of interest to all disciplines (punch or
reservation lists) plus the outputs from study 3.

SHE Input As much as is required; on a large project the effort should not be underestimated.

Study 5 Commissioning before start up.

Objective Is everything ready?

End Point Start up.

Topics Not necessarily unique to SHE. Operating Instructions, training, trip testing, and safety
equipment in place.

These will be discussed in more detail in Part C (BEng) and Part F

Study 6 Post-Start up - 1 year of operation.

Objective What went well and what went wrong?

End Point Update design techniques/data bases

Topics not necessarily unique to SHE. What was good and what was bad about the
design/project? What would you do differently and what might you want to incorporate into
your Design Guides?

Study 7 How do you decommission and demolish the plant safely and without any risk to the
environment?

Demolition is not the reverse of construction.

Objective How can it be ensured that the equipment is clean and is not weakened by corrosion?
What are the disposal routes for metallic materials, and can they be identified? Likewise the disposal
route for lagging and other residual materials?

End Point Start the demolition

Topics Structural integrity safe size reduction, cleanliness verification (including records from the
last shut down), order of removal confirmed (it may not be as constructed!),
disposal routes and implications on cleanliness.

In general studies 0 to 6 will apply to any task, be it a procedure or a laboratory scale apparatus. It is a
good discipline to test the development of any task against these mile stones (kilometres?).

These studies may take days or weeks; no rules can be given. Typically there may be a team of 3-5
persons of mixed skills.

The results from all of these studies should become part of the safety register

It is quite clear that each study is timed to minimise the corrective effort/costs. If the concept is not
viable there is no use in designing it: that wastes the design effort, delays the final project and misses a
sales opportunity. If the development is wrong there is no use in carrying out detailed design.

NOTE

1. After a number of years it may be prudent to repeat all or part of study 3 as the design intent
and the accumulated effect of a number of changes (modifications) may have invalidated the
original design intent used in the previous studies.

2. The earlier design studies should, where possible, reflect the future demolition of the process.
Some effort in these stages may be very beneficial in the future. Reflect on the problems of the
demolition of the first generation nuclear power stations!

B 4 Hazard and Operability Studies - HAZOP

What is a 'HAZOP' Study?

See HAZOP Guide to Best Practice Second Edition (IChemE 2008)

A HAZOP study is a rigorous, systematic, structured technique for identifying potential failures of
equipment or plant systems which may otherwise become HAZARDS or OPERABILITY PROBLEMS. Ideally,
the process is carried out during the design phase of a project, before the plant is actually built. The
problems are identified and corrected 'on the drawing board', not only preventing accidents, plant upset
and lost production, but also making the start-up quicker and achieving flow sheet rates more quickly. The
net result is that the cash flow is high early in the product life without unnecessary extra expenditure on
modifications.

The whole HAZOP process is exceedingly tiring and requires mental and team discipline with critical and
creative thought processes.

Above all a HAZOP only identifies possible problems. The analysis and resolution must take place outside
the study itself. Maybe not all of the data is available during the meeting and much valuable time will be
lost if the study becomes a problem solving exercise. Further the analysis is a distraction from the primary
objective of identification. If there is a perceived problem, record the concerns, and move on. Typically
only about 20% of the points raised need action and some of these end up as notes in the operating
instructions.

Do not think that HAZOP only applies to hardware; it can apply to a procedure and to a computer system.
The parameters and guide words will change but the principles will be the same. See later.

How is a 'HAZOP' Study Carried Out?

It is difficult to teach the HAZOP technique without actually doing a HAZOP Study - it is a practical tool, not
a theoretical tool, so only the main steps will be outlined. Once the reader has been on a HAZOP Study it will be
possible to identify with these steps.

A HAZOP is an audit tool, it is not a design tool, and the Team have no authority to change the design in
the study; see the comments on the recording, later.

A HAZOP study requires a team (see under "Who is in a HAZOP Team?") and an object to be studied. The
usual item of study is centred on the Piping and Instrument Diagrams (P & ID), sometimes called
Engineering Line Diagrams (ELD). Also in the study, there should be access to the following:-

a) Specification sheets

b) Equipment drawings

c) Operating instructions if available

d) 'HAZOP Matrix' used in the study (see later)

A HAZOP is somewhat iterative and uses the same basic words over and over again, but it is the role of the
Facilitator to make it less of a mechanistic study and to add some colour to the questioning. One way is to
ask "What would happen if the pump were to stop?" It is clear that this is no flow but it helps the team to
think laterally.

Other duties that the Facilitator is trying to achieve are: -

Involve all of the team

Challenge points of confusion/inaccuracy

Avoid conflict and to stop it as soon as it raises its head

Control the progress round the route map of the P & ID

Ensure that due procedure is followed and all issues are duly recorded

Figure B 4.1 (below) shows the flow diagram for a HAZOP Study, taken from the Guide to Best Practice:

Figure B.4.1 Flow diagram for the HAZOP analysis of a section of an operation, a parameter-first
approach (from HAZOP Guide to Best Practice, IChemE)

Roles of Team Members

The Facilitator and Scribe should be able to communicate almost telepathically! The Scribe should be able
to filter the discussion and then to produce accurate and condensed notes within the worksheets. The
Facilitator will be aware of the Scribe making notes but only occasionally may it be appropriate to ask for a
note to be made. Occasionally the discussion becomes a bit confused and the Facilitator has to call the
discussion to a conclusion and to ask for a synopsis of the discussion that the Scribe can then record. The
Facilitator also has to plan and to follow the route map through the design and to handle problems as they
arise. The Facilitator has to steer the discussion, to listen to the discussion, to draw in members into the
discussion and when appropriate to curtail discussion if it has entered a loop. The Facilitator has to be
alert to fatigue and the drop off in discussion.

The Facilitator has to avoid potential conflicts in the team and head them off in a timely manner. The
Facilitator also has to ensure that all of the relevant discussion is carried to completion, the records made,
and when a line, or part of the process, has been studied fully that it is marked off as studied by a
highlighter. The Facilitator has to ensure that all lines and interconnections are studied in full and
highlighted.

The Facilitator will also keep a running list of the actions (usually as a note on the P & ID) as part of the
Quality Control and will highlight them on an hourly basis so as to reinforce the points and to ensure that
the team agrees with the records.

Finally at the end of the day of the study the Facilitator and Scribe will sit down and analyse the records
for construction, language, inaccuracies and completeness.

The other Team Members have to be active contributors to the discussion and deliberations. They MUST
BE CONSTRUCTIVE, there is nothing to be gained by being destructive and combative. It is a team effort.

How long does a HAZOP study last?

There are no absolute rules, but typically 2 to 3 hours will be spent per major piece of plant equipment
such as:

PUMP

VESSEL

HEAT EXCHANGER

These will include all of the connections, instruments and all of the P & I D connections.

A maximum study time of 6 hours per day is advised.

The list of key words is a mixture of 'Parameter', 'Guidewords' (deviations) and 'Others' which have
special significance. The derivation of the 'Others' guidewords is often particular to the process itself and
they may have special meaning for that process, but a skilled Facilitator should be able to flush out the
problems with just the use of 'Parameter' and 'Deviation'.

'Parameter' words describe how the process might work; they include:-

FLOW (F)

PRESSURE (P)

TEMPERATURE (T)

LEVEL (L)

HEATING (H)

MIXING (M)

REACTION (React)

Table B 4.1 HAZOP Parameters

'Guidewords', (sometimes called deviations) describe how the above may depart from the designers
intent; they include:-

MORE (M)

LESS (Less)

NO/NOT (N)

PART OF (Part)

REVERSE (Rev)

OTHER THAN (OT)

LESS THAN (Less than)

MORE THAN (More than)

AS WELL AS (AWA)

Table B.4.2 HAZOP Guidewords

Not all of the Parameters will have a likely associated guideword; however it is important to think of the
possible deviations before the HAZOP Study is started. The following matrix gives some of the more likely
combinations. However it is not a global set and must be reviewed on a case or process basis. Some of
the combinations may appear a little odd; before condemning the list, think a little deeper! Reverse plus
Pressure could occur during a process upset when the higher pressure system is de-pressured but the
lower pressure system is still maintained under pressure. Can an incompatible fluid enter the system?
Take for example cooling water entering a system made of stainless steel, with the resultant stress
corrosion cracking (SCC), or the collapse of a tube due to reverse pressure. Note that 'Other than' Level
does have a meaning: it could be an emulsion. It is the analysis and the interpretation of the combinations
of parameter and deviation which are key to a good HAZOP.

Parameters/Deviations

Deviation      Flow   Pressure   Temp   Level   Heating   Mixing   Reaction

More           X   X   X   X   X   X (Emulsions)   X

Less           X   X   X   X   X   X   X

No             X   ?   X   X   X   X

Part           X   ?   X

Reverse        X   X   ?

Other Than     X   ?   Emulsions   ?

Less Than      X   X   ?   X   ?   ?   (Unreacted Materials)

More Than      X   X   X   ?   ?

As Well As     X   ???

Table B.4.3 Typical Combinations of Parameters and Guidewords (Matrix) in a HAZOP Study

X means that there is a likely combination of parameter and guideword.

Table B 4.3 above indicates possible combinations of parameter and guideword which may well
have significance during a HAZOP. However, think of the parameter 'Diagnostics' and the guideword
'No'. It is worth thinking about the requirements to carry out mass balances and the information required
in order to analyse an upset process condition. Think also about the meaning of the parameter 'Phase' and
the guideword 'Change': this could be sublimation, evaporation or condensation.

'Others' words describe those major differences which may occur during non-steady operation, such as:-

MAINTENANCE

PURGING

ACCESS

Table B.4.4 Some other Parameters to consider

Each HAZOP Study Team should spend a little time on identifying special issues which can be given
particular guide words and attention. The main steps are:-

Describe the Process Intention

This uses the P and ID plus a word description of the design intent, or of that which is done. It will include a
description of the flow, temperature, pressure, composition and other properties; each will have a
magnitude in appropriate units.

The next part is to select a line (node) and to apply the matrix in table B.4.3. It is important to choose the
first line with care as it must represent the START of the analysis. Logically it would be the first line on the
first P & I D but maybe it should be the line supplying the feedstock from the upstream Plant. An upset
there might cause a bigger upset on the plant being studied!!!

(A node is a clearly defined section of line where the main parameters are fixed and do not change. With
experience it is possible to include within a main node a parameter which has changed; this is very much
an advanced technique which has to be handled with skill.)

Recording Sheets

These can be as a spread sheet or a commercial recording program. The commercial program should
follow the recognised convention as shown below.

1 Reference number

A unique number that can be used to track the actions at any time; it could be alpha numeric or by P & ID
number but it can only be used once. That reference can then be used to track the actions in electronic
format.

2 Parameter

The parameters are a description of the detail of the process as described above. It does not discuss the
engineering (see table B 4.1 & B 4.2).

3 Guideword (or Deviation)

This is a description of the violation of the design intent (see tables B 4.1 & B 4.2).

4 Cause

Self explanatory.

5 Consequences

This may need a little more description to explain the effect in a meaningful manner.

6 Hazard

This is a description of the consequences of the effect/event

7 Protective Systems

These are those systems, hardware and software, (defences in depth) which are used to prevent the cause
of the event reaching an unacceptable condition. These usually refer to shutdown systems.

8 Risk

This is better done outside the meeting.

If the assessment is carried out during the study there is a grave loss of time and momentum, and
there could be some arguments.

The effect will be reviewed WITH and WITHOUT the protective system in place. If the protective system
is critical, the action should specify the performance standard that may be required.

9 Action

Again self explanatory, but the action is usually advisory, such as "verify" or "assess"; it is only very rarely that a firm
recommendation for a specific remedial action is given. This is outwith the competence of the study but
does occur occasionally where the team identifies a breach of a code or standard.

10 Action on

The owner of the action or that person who is charged with the resolution of the action.

As the structure of the study is so systematic, it can ideally be described in a flow sheet Figure B 4.1.

Other Information

Typically the worksheet would also include: -

Date

Intent of that Node or section of piping under study

Attendees and their affiliations

P & ID Numbers

How Is A HAZOP Study Recorded?

The records will normally be in column form and contain as a main head the general design intent of the
piece of equipment. The columns will then contain:-

Ref No | Parameter | Deviation | Cause | Consequences | Hazards | Protective Systems | Risk* (M/F) | Actions | Action on

Table B.4.5 Typical Headings in a HAZOP Worksheet

It is best to complete the column Risk* (Magnitude and Frequency) outside the meeting for the reasons
given and when the issue has been fully understood.

The structure of the columns may change from process to process or from company to company. A more
developed example for the petrol station is shown in Table B 4.6 at the end of the exercise.

The results from these studies should become part of the safety register

HAZOP in Action

The operation of a HAZOP study cannot be described as a strict procedure. It is best described by taking a
typical example as a starting point, using the flow sheet shown in Figure B 4.2 below. It is the
simple flow sheet for a continuous or semi-continuous system to be used to fill a car petrol tank.

It is recognised that T1 is the underground bulk storage tank, F1 is the integrating flow meter on the filling
station, V3 is the manual trigger (and cut-off valve) and T2 is the fuel tank in the car. Only part of the study
can be recorded in this illustration, so it is self evident that only a fraction of the records are given in the
worksheet.

Step 1: Select a vessel: The storage tank.

Step 2: Explain the intent: The storage tank contains 3000 gallons of petrol; it is stored underground near
to the forecourt of the petrol station. The pump draws petrol from the tank and discharges it to a flexible
hose, at the end of which is a valve which is controlled by the operator. The valve is fitted in a metal filler
pipe which fits into the mouth of the car petrol tank.

Step 3: Select a line: The hose.

Step 4: Describe its intent: To transfer petrol at a flow rate of about 5 gallons (25 litres) per minute from
the pump to the car tank. (The first parameter is FLOW).

Step 5: Apply a guide word Deviation: NO.

Step 6: Develop a meaningful Deviation: There is no flow into the petrol tank T 2.

Step 7: Possible causes: The valve in the filler is not open.

Step 8: Consequences: The pump overheats and gas locks.

Step 9: Hazard/Operability Problem: The pump loses suction and the filler station cannot be used.

Step 10: Record.

Step 11.1: Other guideword/deviation: MORE.

Step 11.2: Deviation: More flow is fed to the tank and the tank over-fills.

Step 11.3: Causes: The operator/driver is distracted.

Step 11.4: Consequences: Petrol is spilled onto the forecourt.

Step 11.5: Hazard: Possible fire.

Step 11.6: Record and note the need for some level cut-off device. etc.

Do not do the design - leave that to a team outside the meeting to review the action.

Step 12: Mark the line: Colour the line with a highlighter pen to record it has been studied, etc.
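The twelve steps above, together with the ten worksheet columns described under Recording Sheets, can be held in a small data structure so that reference numbers are unique, every matrix combination is applied before a line is highlighted, and the advisory actions carry an owner for the follow-up. The Python below is an added example written for these notes; it is not code from the IChemE Guide or from the course. The guideword matrix it carries is a constructed subset of Table B 4.3, the drawing number is hypothetical, and the causes, consequences and actions are those of Steps 7 to 11.6 for the filling line. Risk (magnitude and frequency) is deliberately not a field, as the notes say it is assessed outside the meeting.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Likely parameter/guideword pairs for a liquid transfer line. A constructed
# subset of Table B 4.3; the full matrix is process specific.
MATRIX: Dict[str, List[str]] = {
    "Flow": ["No", "More", "Less", "Reverse", "Other than", "As well as"],
    "Pressure": ["More", "Less", "Reverse"],
    "Level": ["More", "Less", "Other than"],  # "other than" level = emulsion
}


@dataclass
class Action:
    ref: str
    text: str          # advisory wording: verify, assess, check
    owner: str         # "O" operations, "D" designer, "O&D" both
    closed: bool = False


@dataclass
class Entry:
    """One worksheet row; risk is assessed later, so it is not a field."""
    ref: str
    node: str
    parameter: str
    guideword: str
    cause: str
    consequence: str
    hazard: str
    protection: str
    actions: List[Action] = field(default_factory=list)


class Worksheet:
    def __init__(self, pid_number: str) -> None:
        self.pid_number = pid_number
        self.entries: List[Entry] = []
        self.intent: Dict[str, str] = {}             # node -> design intent
        self._node_no: Dict[str, int] = {}
        self._seq: Dict[str, int] = {}
        self._considered: Dict[str, Set[Tuple[str, str]]] = {}
        self.studied: Set[str] = set()               # "highlighted" nodes

    def select_node(self, node: str, intent: str) -> None:
        """Steps 3 and 4: select a line and describe its intent."""
        if node not in self.intent:
            self.intent[node] = intent
            self._node_no[node] = len(self.intent)
            self._seq[node] = 0
            self._considered[node] = set()

    def _apply(self, node: str, parameter: str, guideword: str) -> None:
        """Step 5: only a selected node, and only a pair the matrix lists."""
        if node not in self.intent:
            raise KeyError(f"node {node!r} has not been selected")
        if guideword not in MATRIX.get(parameter, []):
            raise ValueError(f"{guideword}/{parameter} is not in the matrix")
        self._considered[node].add((parameter, guideword))

    def no_credible_cause(self, node: str, parameter: str, guideword: str) -> None:
        """Deviation applied, nothing found: it still counts as considered."""
        self._apply(node, parameter, guideword)

    def record(self, node, parameter, guideword, cause, consequence, hazard,
               protection="", actions=()) -> Entry:
        """Step 10: record the concern and move on; the design is not changed."""
        self._apply(node, parameter, guideword)
        self._seq[node] += 1
        ref = f"{self._node_no[node]}.{self._seq[node]}"   # unique, used once
        entry = Entry(ref, node, parameter, guideword, cause, consequence,
                      hazard, protection)
        for i, (text, owner) in enumerate(actions, start=1):
            entry.actions.append(Action(f"{ref}.{i}", text, owner))
        self.entries.append(entry)
        return entry

    def outstanding(self, node: str) -> List[Tuple[str, str]]:
        """Matrix pairs not yet applied to this node."""
        every = [(p, g) for p, gs in MATRIX.items() for g in gs]
        return [pg for pg in every if pg not in self._considered[node]]

    def mark_studied(self, node: str) -> None:
        """Step 12: highlight the line only when the matrix is exhausted."""
        if self.outstanding(node):
            raise RuntimeError(f"{node}: deviations still to be considered")
        self.studied.add(node)

    def open_actions(self, owner: Optional[str] = None) -> List[Action]:
        """Action tracking for the follow-up, optionally filtered by owner."""
        return [a for e in self.entries for a in e.actions
                if not a.closed and (owner is None or owner in a.owner.split("&"))]


def petrol_station_study() -> Worksheet:
    """Steps 1 to 11 of the worked example, as worksheet calls."""
    ws = Worksheet("P&ID-0001")                      # hypothetical drawing number
    hose = "Hose, pump to T2"
    ws.select_node(hose, "Transfer petrol at about 25 l/min from the pump to T2")
    ws.record(hose, "Flow", "No",
              cause="Valve V3 in the filler is not open",
              consequence="Pump overheats and gas locks",
              hazard="Pump loses suction; filling station cannot be used",
              protection="No flow indicated on flow meter F1",
              actions=[("Should shutting V3 trip the pump?", "D")])
    ws.record(hose, "Flow", "More",
              cause="Operator/driver is distracted and T2 over-fills",
              consequence="Petrol spilled onto the forecourt",
              hazard="Possible fire",
              protection="V3 dead-man's handle closes on high level in T2",
              actions=[("Assess the need for a level cut-off device", "D"),
                       ("Are the drains able to cope with petrol spillage?", "O&D")])
    return ws
```

Calling `petrol_station_study()` gives entries 1.1 and 1.2 with three open actions; `mark_studied` refuses to highlight the hose until the remaining ten matrix pairs have each been applied, even if only to record "no credible cause", which is the discipline the notes describe.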

This shows how the study is exceedingly structured (and potentially boring). The Facilitator has to keep the
discussion to the point and also avoid conflict and boredom.

Some of the 'other' words which may be applied to the filling process could include

Other than petrol?

What if there is water?

What if there is diesel?

Static electricity, etc.

The HAZOP study tends to be very repetitive but consider this statement. "It is difficult to find a fault if a)
you do not know what you are looking for and b) where to look for it."

HAZOP forces the team to concentrate on one aspect at a time (where?) and assess the final potential
faults (what is it?) in a structured and systematic manner. If the structure is not used it is likely that the
team will miss some of the problems.

Illustration

Consider this dialogue as a piece of play-acting to illustrate the HAZOP process.

The team members are:

F = Facilitator

S = Scribe

O = Operations Person (Forecourt attendant)

U = User (the reader)

D = Designer

Only one combination will be considered, that of Flow and High as applied to the filling line.

F Can you give the Team a verbal description of the Process?

D The intent is to fill a car with 95 Octane lead free petrol. The petrol is stored underground in tank T1,
pumped by a pump, through an integrating flow meter F1 into the car fuel tank T2. The tank T1 is fitted
with a breather vent. The flow is controlled by valve V3 at a peak flow of 25 l/minute but can be as low as
1 l/m when the car fuel tank is approaching full.

F Thank you, that was very concise. I would like the team to concentrate on the parameter FLOW. I would
like you to think how the flow could exceed the desired rate. However D gave us two flow rates one at the
start and one at the end of the cycle. Can we take the start first?

D The pump is a swash plate type which is self limiting in rate; it can not exceed 25 l/m.

S I will note this in the records

F Yes please. Can we now look at the high flow at the middle of the filling cycle?

D There is a valve controlled by the car owner and he/she can regulate the flow as required.

O But what happens if he/she ignores the flow and walks away?

D The valve V3 is a dead-man's handle and will close automatically on high level in T2.

U But it will not be the first time that the user has overridden the V3 and the tank could over fill or V3
could fall out of the filler point in T2.

F Has anyone any comments?

O It is possible but of more concern is the fact that the 25 l/minute of petrol will be spilled and the
drains will possibly become overloaded and then there could be a fire!

D Good point, I think that O and I should look at this in more detail

S Recorded

Part of the records sheet for FLOW / NO is shown; it will be noted that the flooding issue has appeared in
entry 1.8.

(It is not unusual for the same issue to come up against a number of parameters/guide words. This is a
form of quality assurance.)

Table B 4.6 Operability Study Automobile Filling Worksheet

Columns: Ref No | A Parameter | B Guideword | C Cause | D Consequence | E Hazards | F Protective Systems | G Actions | H Action on

Ref No: 1.1 to 1.10

A Parameter: Flow of petrol into car tank, i.e. from T1 to T2.

B Guideword: No (flow).

C Cause: 1. Pump fails (electrical or mechanical). 2. V2 shut. 3. V3 shut. 4. Strainer blocked.
5. Stock tank empty. 6. Flexible hose fails. 7. Nozzle not in car tank. 8. Vent on stock tank blocked.
9. Line choke.

D/E Consequence and Hazards: Tank on car not filled. 1. Sales interrupted. 2. Possible overheating of
pump (3, 4, 9 also). 5. Sludge and/or water pulled out of stock tank. 6 & 7. Spillage of fuel, drainage
problems, fire hazards. 8. Possibility of pulling in stock tank. 2 & 3. If V2 and V3 shut together and
pump continues to run, possibility of over pressure due to liquid expansion.

F Protective Systems: 1, 2, 3, 4, 5, 9. No flow indicated on flow meter. Operator can also observe and
hear petrol not flowing. 5. Tank dipping procedure. No indication of pump overheating. No indication
of tank vent blockage.

G Actions (H Action on):

1.1 Check spares availability for pump. (O)

1.2 Morning opening procedure should include opening V2. (O)

1.3 Check whether pump overheating could be a problem. (D)

1.4 Should shutting V3 trip pump? (D)

1.5 Is pump protected against expansion of liquid running blocked-in? (D)

1.6 Ensure that tank is dipped sufficiently frequently. (O)

1.7 Ensure that flexible hose is inspected regularly (e.g. ...). (O)

1.8 Are drains able to cope with petrol spillage? (O&D)

1.9 Will V3 automatically shut if nozzle falls out of tank? (O&D)

1.10 Ensure that tank vents are checked regularly (is vent big enough?). (O)

Variations - Batch Processes

There are variations from this 'steady state' process for batch processes such as batch reactors or any
other intermittent process. This is best shown on the following simple filter diagram:

Figure B 4.3 Simplified P & ID of a Parallel Pair of Filters

Note there is NOT a physical connection between D and F; it is an aberration in the drawing. Maybe there
should be a HAZOP action "Verify that there is no connection between valves D and F"?

The design intent is to filter solids from the process stream in a duplex on-line filter. The process can be
studied as a series of valve positions:

Open A,B,C,D - more flow: discharge to vent or drain.

Closed others.

Open A: no flow.

Closed B,C,D: no flow to the process.

The ideal method for handling this process is as follows:-

1) Decide how it should be operated - this is fairly obviously B,D,E,F,G,H closed; A, C open - label valve
positions with little coloured stickers or coloured pencil 'dots' (Red is Open, Green is Closed).

2) Carry out the HAZOP on all lines in and out of the filter.

3) Change one valve position - cover the original sticker with an overlapping sticker or change the pencil
dot colour so that the valve sequence can be followed - Open/Closed/Open/Closed.

4) Carry out the HAZOP on all lines into and out of the filter.

Very quickly it will be seen that B and/or D cannot be open when either A or B is open, and that A and C
MUST be open to allow a flow of process fluids. Following all possible variations of valves A - G will
take ages - it is just too complex and often obviously fruitless. It is better to start with a defined procedure
and then to analyse the issues if the procedure is not followed properly. Variations in a batch process
could include A added after B, A added too slow/fast, and others.
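The four-step method above (fix the normal line-up, HAZOP it, change one valve, HAZOP again) and the warning that exhaustive enumeration is fruitless can both be shown with a few lines of Python. This is an added example written for these notes, not code from the course or the IChemE Guide. Figure B 4.3 is not reproduced here, so the filter topology is an assumption drawn only from the text: A and C isolate the duty filter (both must be open for process flow), B and D are its vent/drain valves (opening A, B, C, D discharges to vent or drain), and E, G and F, H play the same roles on the spare; the changeover sequences are likewise hypothetical.

```python
from itertools import product
from typing import Dict, List, Tuple

VALVES = "ABCDEFGH"

# Assumed topology (hypothetical; taken from the text, not from the figure):
# A/C isolate the duty filter and B/D are its vent and drain; E/G isolate the
# spare filter and F/H are its vent and drain. There is no connection D to F.
FILTERS = {
    "duty": {"inlet": "A", "outlet": "C", "vent_drain": ("B", "D")},
    "spare": {"inlet": "E", "outlet": "G", "vent_drain": ("F", "H")},
}

# Normal line-up from the text: A and C open, all others closed.
NORMAL: Dict[str, bool] = {v: v in "AC" for v in VALVES}


def deviations(state: Dict[str, bool]) -> List[str]:
    """Apply the two deviations the text names to one valve line-up:
    'no flow' to the process and 'more flow' discharged to vent or drain."""
    found = []
    if not any(state[f["inlet"]] and state[f["outlet"]] for f in FILTERS.values()):
        found.append("NO FLOW to process")
    for name, f in FILTERS.items():
        if state[f["inlet"]] and any(state[v] for v in f["vent_drain"]):
            found.append(f"MORE FLOW: {name} filter discharging to vent/drain")
    return found


def walk(sequence: List[str],
         start: Dict[str, bool] = NORMAL) -> List[Tuple[str, List[str]]]:
    """Step 3 of the method: change one valve at a time ("open E", "close A")
    and HAZOP each intermediate state. Returns (step, deviations) per step."""
    state = dict(start)                       # copy; the sticker trail
    trail = []
    for step in sequence:
        verb, valve = step.split()
        state[valve] = (verb == "open")
        trail.append((step, deviations(state)))
    return trail


def enumerate_line_ups() -> Dict[str, int]:
    """Brute force over all 2^8 line-ups, which the text advises against:
    most of them are either no-flow or discharging states."""
    counts = {"total": 0, "process_flow": 0,
              "to_vent_or_drain": 0, "flow_without_discharge": 0}
    for bits in product((False, True), repeat=len(VALVES)):
        state = dict(zip(VALVES, bits))
        found = deviations(state)
        flow = not any(d.startswith("NO FLOW") for d in found)
        discharge = any(d.startswith("MORE FLOW") for d in found)
        counts["total"] += 1
        counts["process_flow"] += flow
        counts["to_vent_or_drain"] += discharge
        counts["flow_without_discharge"] += flow and not discharge
    return counts


# Hypothetical changeover to the spare filter: correct order, then the
# "wrong order" batch guideword applied to the same four valve moves.
CHANGEOVER = ["open E", "open G", "close A", "close C"]
WRONG_ORDER = ["close A", "close C", "open E", "open G"]
```

Under these assumptions only 19 of the 256 line-ups deliver process flow without also discharging to vent or drain, which is the point the notes make about exhaustive enumeration. `walk(CHANGEOVER)` raises no deviation at any intermediate state, while `walk(WRONG_ORDER)` flags "NO FLOW to process" as soon as A is closed, even though the final state is correct.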

Other - Batch Processes

The parameters for a truly batch process require a bit of analysis. The following table is a starter.

Batch Parameter

Rate of Addition

Timing of addition

Mixing

Reaction

etc

Table B 4.7 Possible Batch Parameters

Likewise the following is one set of batch guidewords: -

Batch Guidewords

Too slow

Too fast

Too early

Too late

Incomplete

Wrong order

etc

Table B 4.8 Possible Guidewords for a Batch HAZOP

Follow-Up 1

It would be nice to think that the study ended when all of the lines and vessels have been marked off with
a highlighter pen as "study complete". Unfortunately this is not true.

The study now needs to assess the consequences of the deviations in more detail - in some cases using
simple risk assessment techniques to determine the best change or modification option. This can be done
by a small section of the team, usually the Leader and Secretary. This approach is preferable; if it
were to be carried out during the study itself there is the grave risk of a loss of focus and momentum.

In an ideal world (and this is where PC records do help), the team should have an overview of the previous
day's Minutes before the start of the next meeting. While much of HAZOP is 'consensus engineering', key
items must be analysed with skill and in great detail.

Follow-Up 2

It would be nice to think that the study now ended here! Unfortunately, again, this is also not true. Any
change proposed by the study must now be "re-HAZOPed" by a small element (say 50%) of the original
team.

Study End

The study is complete when all actions have been agreed with the client, all changes have been
re-HAZOPed, the report issued and all marked up P & IDs returned to the client's record system. The Report
and marked up P & IDs are part of the QA process.

The following section is a potted summary of the team interactions which require both technical
and facilitating skills. Topics such as these can only be learnt from experience; they typically include:

Where to start the study?

How to link all of the P & I Diagrams?

How to study a modification?

How to handle a cross link such as across a heat exchanger?

How to handle the links of P & ID to a vent or drain system?

When is it justified to treat a spare by examination only?

If so, what additional actions might be needed?

See the worked example in the HAZOP Guide to Best Practice - IChemE.

B 5 HAZID

Introduction

The causes of major hazards are not normally immediately obvious and are often the result of a number of
simultaneous events or the breaches of the defence in depth. The identification of major hazards was
therefore for many years based on experience and anecdotal accounts from the industry. The HAZOP study
is not ideally suited to the identification of these major hazards while HAZID is. Other approaches, such as
checklists and peer review, have been used to address the problem but these rely on the knowledge at the
table.

HAZID has been developed over the last few years to identify the interaction between systems and
thereby to identify those breaches of the "defence in depth" which may lead to major hazards. It has
proven particularly effective in analysing the interfaces between systems, layout or juxtaposition of
equipment and the roles or interfaces between disciplines and functions. In particular it is consequence
driven and pre-supposes a set of scenarios and then tries to identify those defences which have to fail for
the event to occur (and of course how the failure may occur). (See the LOPA Onion in part A). The whole
process is summarised in the following description.

HAZOP examines the internal process to identify the potential operational hazards and problems which
may occur with return periods of, typically, 10 to 100 years, but it does not tend to identify those major
hazards which typically have return periods of over 1000 years, that is the role of HAZID.

The HAZID approach has been contrasted with HAZOP and it has been argued that it is more effective as it
considers both external as well as very unusual internal events.

HAZOP is still the recommended identification process for P & IDs.

The significant benefits of HAZID over other Hazard Identification techniques such as checklists and peer
review lie in its more rigorous and wide ranging approach. Techniques which utilise a checklist and peer
review approach rely heavily on the assumption that any type of hazard which might occur has already
been thought of, and is incorporated in the checklist. Peer review depends on the direct knowledge that
participants bring to the exercise. Whilst HAZID utilises guidewords, their only function is as a starting
point for further discussion to explore hazards which may or may not have been considered previously and
to challenge the accepted practice. Through the guide words and by questioning, the Facilitator can elicit
information. Eliciting ideas and information is the whole basis of the study process. HAZID seeks to
broaden the hazard understanding of all participants by encouraging lateral thinking. In summary, HAZID
has been developed to incorporate the best features of HAZOP, checklists and peer review, thereby
providing an approach that is superior to the other three techniques in isolation.

A further document titled Hazard Identification Methods has been published by IChemE.

Applications of HAZID

HAZID is a study designed to identify the mechanisms by which safety objectives may be violated; these
may be hardware, such as mechanical failure, or software, such as Management Systems or Procedures. (In
this respect it is a form of examination of the LOPA onion, Part A). For example, a safety objective could
be the containment of fluids and a violation could be caused by impact, corrosion, fatigue or the like.

While HAZOP is cause driven, HAZID is consequence driven. Further, HAZOP will accept a conclusion that
an event can not occur but HAZID assumes that if it is credible it will occur and requires the analysis of the
sequence of events required to cause that event.

The following example of car brakes is an attempt to illustrate the differences between consequence and
cause driven studies. It is very simplified and is intended for illustration only.



The analysis of the P & I Diagram of a car's braking system in a HAZOP could produce the following
results:-

System: Hydraulic Piping

Safety Objective: To carry pressurised fluid to the brake cylinder

From this a somewhat simplified HAZOP worksheet (and it is recognised that it is simplified) might look as
follows:

Parameter | Deviation | Cause     | Effect                               | Recommendation
Pressure  | None      | Corrosion | Loss of braking potential, car crash | Install a separate braking system

Table B 5.1 The Possible worksheet from HAZOP on the Car Brakes

This shows that having identified a deficiency via HAZOP the usual response is to recommend installation
of further hardware in the form of a redundant braking system.

The analysis of the same system using HAZID which uses a guideword approach (see later) could produce
the following results:-

System: Car Braking System

Safety Objective: To arrest the car in controlled manner.

Guide Word: Failure of the Brakes
Event Nature: Leaking master cylinder
Cause: Seal failure
Consequence/Escalation: Loss of brakes - car crash & injury
Control of Hazard, Mitigating Factors: Likely to be progressive if corrosion
Index (Cons./Freq.): H / L
Action Required/Comments: Review the reliability of the seal

Guide Word: Failure (Brakes)
Event Nature: Leaking hydraulic line
Cause: Corrosion or impact
Consequence/Escalation: Loss of brakes - car crash and injury
Control of Hazard, Mitigating Factors: Could use hand brake
Index (Cons./Freq.): H / M-H
Action Required/Comments: Consider fitting a segregated braking system

Table B 5.2 The Possible Worksheet from a HAZID Study on the Car Brakes

The logical end point of this analysis shows that the solution is not always the addition of hardware and in
this example it is the desirability of a diagonal braking system as fitted on most, if not all, modern cars.



HAZID Methodology

Reprise

HAZOP study is different from HAZID study, as already noted, in that the former is cause driven and the
latter consequence driven. The former looks at the internal process and the latter the external process. It
follows that the HAZID study requires a considerable degree of preparation.

Definition of Objectives or the Guidewords

The first step of the study is to define the safety objectives and safety/hazard issues for each section of
the installation. This may in part be already prepared as a project document but the older the installation
the less likely it is that these will be available. To define the objectives accurately, it is usually necessary to
have a pre-meeting between the Facilitator and the client representative, who should have a very good all
round understanding of the installation.

For piping the safety objective would be "no leakage of process lines", that is no loss of containment. This
violation in piping may be due to, amongst others: -

Corrosion

Erosion

Mechanical Impact

Fatigue

Overstress/load

This list is only illustrative and typically would run to two pages to define all of the causes of the deviations
from the safety objectives for a process plant. The effort put into the definition of guidewords is
considerable but is usually amply rewarded during the study. The length of the initial meeting is typically in
the order of 3 to 6 hours total but can be considerably less for a "look alike" installation. The lists of guide
words can then be refined and grouped under headings such as:

Reactor Design

Production/loss of containment

Protective Systems

Communications

These should only be treated as indicative and would, of course, vary from installation to installation.

During the analysis of the objectives and the derivation of the guidewords it is likely that the tabulation
will in the initial stages appear a bit haphazard (such is the nature of lateral thought) but the entries can be
gathered together under suitable headings. The following is a VERY simple attempt to put this idea into
more focus.

Start with the structural failure leading to its collapse. The initial ideas could be:



Causes of structural Collapse

Overload

Degradation

Civil (soil) failure

Table B 5.3 Some of the possible Causes of Structural Collapse

It is now possible to look more closely at each of the causes and to add more definition or colour.

Take overload for a start. What could be the causes?

Causes of Overload of Structure

New equipment added

Poor Specification in Design

Snow or Ice

Earthquake

Dropped Object

Etc

Table B 5.4 Some of the Contributions to Overload of Structure

The final set of guide words might look as follows:

Overload

New equipment added:

New reflux drum

New piping system

Etc

Poor specification

Does it cater for icing conditions?

What is the basis of the design?



Is there any conflict?

Now?

Future?

Degradation

Corrosion

Acids

Process fluids

Rain water

Snow and Ice

See above what is the basis for design and can it change with time?

Civils (soil)

Are there any known/unknown under soil workings?

What recent soil surveys have been carried out?

Have there been historical soil surveys?

Is there any record or evidence of mining?

Earthquake

What is the seismic history of the area?

Should a limit of say 0.25g be set?

Dropped Object

Maintenance

Construction

This is only illustrative but should show how much attention MUST be paid to the derivation of the
Guidewords.

Team Selection

Team members should typically number 3 to 6 plus Facilitator and Scribe. The construction of the team may
change but essentially there should be a core of Facilitator, Scribe, Facilities/Operations Engineer and
Safety Engineer. In the case of an older installation it would be very beneficial to have at least one senior
operator who knows all of the "tricks of the process", how it operates and how it has to be operated. These
would be supported by Structural, Construction, Electrical, Machinery, and Process Design all as
appropriate. The team content will change from day to day but too frequent changes must be avoided as
there is often a one to two hour learning curve for each member. The balance of the team, its experience
and commitment are possibly the second most important feature after the definition of the guide words. If
the team is unbalanced the study may not be objective and of course there may be no self catalysis or
creative thinking.

Drawings and Documents

The main drawings used in a HAZID study are Plot Plans (including maintenance routes), Escape Route
Drawings, Process Flow Diagrams and those drawings depicting the location of emergency systems such as
Emergency Shutdown Valves, Relief/Blow down Valves, Deluge Valves, Fire Extinguishers and the like.
During the study process the layout diagrams will be used to define the interactions and as a result they
must be sufficiently detailed that they show all equipment with significant inventory and be sufficiently
uncluttered that process data such as the following can be added to the drawing:

Pressure

Temperature

Flow

Capacity

Composition

Once again, the data and drawings should be sufficient to allow all possible interactions to be explored.

Execution of a HAZID Study

The study is potentially more mentally tiring than a HAZOP study due to the need for intense lateral
thought. A study period of 3 hours is typical and it is often more difficult than for a HAZOP study to restart
a study after a break. Two sessions a day (6 hours) is the suggested limit but external pressures may
require greater effort.

The study starts with a brief overview of the installation and then a detailed description of the equipment
and its layout. The layout (plant) drawings are used and marked with key equipment data. The object is to
show the potential for interaction. This part of the study will take typically one hour and is a "settling in
period" when an enhanced understanding of the installation is generated.

The Facilitator uses the guidewords to formulate scenarios where the design intent may be violated and
therefore centres on the lateral thought processes. The objective is to define how an event could happen
and what would then be the consequence; the "causes" could be hardware or software failure. The
investigation of how it can occur will not allow a statement such as "it can not occur!" Usually, during this
period of time, three thought processes are occurring:-

1. The potential for interaction is being fully appreciated.

2. The lateral thinking process is being developed.

3. The objectives and HAZID study techniques are being fully understood.



The principal step of the HAZID technique is represented in the flowchart shown below as step 2 of the
study.

The process flows through the use of guidewords and the Facilitator constructs scenarios for the team to
explore. These naturally lead on to other scenarios and the Facilitator has then only to direct the team
away from trivia. As each potential guideword is exhausted the Facilitator moves on to a new guideword.
While HAZOP examines a line at a time, HAZID examines a unit operation or part of the process at a time.

The final part of the study is to itemise the mitigations or controls in place. All recording is done on a
proforma record sheet, whose headings are typically as shown below.

Ref No | Guide Word | Event Nature | Cause | Consequence/Escalation | Control of Mitigating Factors | Hazard Index* (Consequence & Frequency) | Action Required On and any Comments

Table B 5.5 Typical HAZID Worksheet

*Note that the Hazard Index will be filled in after the study is complete.

Follow-up

After the sessions it will be necessary to quantify the various events as to their Magnitude (consequence)
and Frequency. This can take about 10 minutes to half an hour per event (about 20 minutes on average).
The final Magnitude and Frequency values must then be ranked against pre-determined criteria and
prioritised. Inevitably the assessment does require some simplification and usually falls on the Facilitator
and/or Scribe. However, the assessment is usually fairly easy as the AND/OR logic required in Fault and
Event outcome trees (see part E) for that event will have already been discussed during the study.

Typically about half an hour will be expended on quantification for every hour of study time.

The final list of events or hazards can then become the core of the safety case and a set of integrated and
objective safety studies set in motion. The definition of the safety studies may require a further analysis.

The Scribe may be independent or a company employee. Additional specialist staff may be drafted in as
the topic under consideration dictates.

Flow Sheet for HAZID

The flow sheet for the whole process is given below.

Step 1 - Prior to Study

(a) Analyse the whole system.

(b) Identify blocks in this system whose function can be clearly defined.

(c) Identify safety objectives within the block.

(d) Draw up guidewords which can be used to describe how the safety objectives may be violated and
therefore identify consequence scenarios.

(e) Identify a team of 3 or 4 members (plus Facilitator and Scribe) who can assist in developing the
scenarios.

Step 2 - During the Study

(1) Define a block in the system.

(2) Identify all of the major elements in the system.

(3) Note the function, contents and nature of the fluids of the elements in the system.

(4) Note the objective of that piece of equipment if non-process.

(5) Describe how the elements interact.

1. Use the guideword to construct a series of meaningful violations of the safety objectives.
Examples may be structural collapse or impact or corrosion under insulation (CUI).

2. Use the guideword to define what elements may be damaged or which must function to
achieve the overall safety objective. Examples might be the mechanisms which might cause
the safety systems to fail to operate.

(6) Discuss the violation and describe a meaningful scenario.

(7) Identify the mechanisms required to create the scenario.

(8) Record the guideword.

(9) Record the cause.

(10) Record the nature of the event.

(11) Record the consequences/escalation.

(12) Record controls or mitigations.

(13) Record any proposals/observations.

(14) Select a new guideword.

(15) Repeat 5.1 to 13.

(16) When all guidewords are exhausted choose a new system.

(17) Carry out steps 5 to 13 to analyse the interaction across the interface between two adjacent systems.



Assessment - Post Study Meeting

The Facilitator will normally spend about hour assessing the magnitude and frequency of each event
identified. This process is much easier than it might seem as the logic of the fault tree will be fully
understood from the discussion during the study itself; the biggest problem will usually be collecting data
appropriate to the problem. Once the assessment has been made it is possible to produce
recommendations, one of which is to accept the risk as "trivial".

As HAZID is examining remote events, the study cannot accept that an event is not possible until it has been
fully assessed (and eliminated) by Quantitative Risk Assessment (QRA). See Part E.

Variation 1 Operating Procedure

It is possible to examine an operating procedure as a variation of method study by using guidewords such
as:-

1. Why then?

2. Why that way?

3. Why that order?

4. What is the end objective?

5. Verification of operation?

6. Only partial operation?

7. Monitoring/supervision

8. Assurance of objective?

9. Accuracy of result?

10. What happens if ...........?

A procedure can equally be studied by a HAZOP in line with the batch process.

Application of HAZID An Example

The starting point to the study is to examine all of the possible safety objectives/issues which must be
addressed. For example the objectives/issues would start at a high level such as The Environment or
The Safety of the Operator or The Integrity of the Plant. Below each top objective/issue would
be another series of more focused objectives/issues. The Integrity of the Plant could be impaired by Loss
of Containment (LOC) or poor protection. Below the Loss of Containment could be a set of causes
such as impact, corrosion, fatigue or the like. Below each set of causes there could be another
subset. For example impact could be due to a dropped object or a swinging load on a crane or a
maintenance trolley being pushed without due regard for the work place. The top-level objectives therefore
generate a form of pyramid with more focused objectives/issues at a lower level which have to be considered or
addressed. The objectives/issues result in a set of guidewords which are specific to that particular
problem.



The pyramid is illustrated by examining the digging of a hole in a road. The top objective/issues are
traffic management, access to business or homes, emergency services access, service integrity and the
safety or security of the operator. Lesser issues may involve noise and the general disturbance of the
public.

Start with the integrity of the services. It is obvious that there may be some services underground and
that the digging may disturb or damage them. Some may be more critical than others; for example digging
into a power cable could cause the death of the operator but digging into a gas main could cause a fire or
an explosion which could kill some by-stander. The pyramid leading to the Guidewords can now be
developed.

Guidewords

Service Damage
    Location
    Nature: Electricity, Gas, Water, Sewers, Telephone
    Impact following damage on:
        Operator
        By-stander
        Local industry or housing
    Emergency Isolation? Location? Access? Ease of operation?
    Should any Service be isolated before work starts? Public notification? Warning and back ups?
    Is there an implication for access so far as the emergency services are concerned?

The Operator
    Collapse of the Excavation
        Does it need shoring up?
        Does the excavation require to be pumped out?
        Where will the spoil be located so as to stop it falling back into the excavation?
        Rescue of the operator: How? Standby? Emergency Procedures?
    Risks from services (see above): electricity, gas, water, sewers, telephone, others?
    Other risks
        Fumes: exhaust, other (sewers)
        Disease: rats, Weil's disease, other (sewers)
        Noise: traffic, digger, drill
        Vibration: white finger, drill
        Eye damage: wind borne, chippings

B 5.6 HAZID Checklist for digging the hole

The check list can be developed further as required but it should be noted that each step becomes more
focused until there is a clear point which must be addressed. It will be noted that the check list or guide
words are generally consequence or effect driven and are totally different in form to the parameters
and deviations of a HAZOP, which are generally cause driven.

Illustration: This is a short piece of dialogue to illustrate this example.

F = Facilitator

S = Scribe

D = Designer

E = Installation Engineer

ES = Emergency Services

You will note that the Team is completely different from that of the HAZOP example!

F Can I have a brief description of what is to be done? I will assume that there is a good reason
for this and other options have been investigated.

D Yes, we have investigated other options and this is the only one available to use.

E We have to dig a hole in the middle of Lime Street to repair a water pipe.

F I assume that you have looked at fitting a plastic internal sheath?

D Yes, the pipe is in such a state that replacement will be necessary within 2 years whatever is
done now.

F to S I think that this is worth recording.

S Done

F Now, what are the problems with this task and how will you handle them?

E We have studied the records in the Council Offices and have identified that there are a number
of services underground. Unfortunately the records are old and are not 100% accurate.

ES You do realise that this is a busy road and is one of the priority routes for the Emergency
Services?

E Yes, we must develop a strategic plan that addresses this and we will include ALL Services
including Police, Fire Brigade and Ambulance.

S This is recorded.

Etc

Variation 2 Application of HAZID to Existing Plant

The preceding has covered the background to HAZID and the broad methodology for its implementation. It
is now necessary to consider particular aspects of its application to existing (as opposed to new)
installations.

Background

As has been discussed, the application of HAZID is directed towards identification and preliminary
assessment of hazard. This is done by eliciting the knowledge of key personnel in a structured manner. For
a new installation this knowledge essentially lies within the design team. For existing plant the base
knowledge is held by the operations team. In fact the operations team will hold a large database of
knowledge in that they will have first hand knowledge of how the plant performs and fails to perform.

The design team however are likely to be "success oriented" and will logically have concentrated on how
the plant is operated to meet its design targets rather than how it might fail to do so.

The operations team will, hopefully, not have had any experience of the major catastrophes that HAZID
seeks to identify and even if they do, they cannot possibly have the experience of all the major accident
scenarios that might conceivably occur, or have occurred elsewhere. What they will have, however, is
direct experience of the day to day upset conditions that can occur. They will be aware of the plant's weak
points such as a section of the process that is prone to corrosion, a temperamental shut down system or
an unreliable pump. These points of reference act as indicators of the existence of potential major
accident precursors (holes in the cheese or layers of the onion). It is widely appreciated that most major
accidents occur as a result of a chain of occurrences, rather than as a result of a single event, thus
knowledge of plant weak points may give a strong indication of potential routes to a major catastrophe.

The HAZID of operational plant should not only concentrate on initiating events that have already
occurred, the exercise must be wider ranging in order to allow for as yet unseen problems. This, however,
requires a degree of discipline in conducting the sessions as operations personnel may tend to dismiss
initiating events if there has been no evidence, to date, that they can occur.

Guidewords

These will then be more "process directed" and will include ideas such as:

More Flow

More Pressure

High/Low Level

More/Less Reaction

What equipment causes outage?

What equipment is hard to access?

Are there issues of isolation?

Are there issues of reliability?

Have you ever had unexpected events that have not been resolved?

What equipment gives you cause for concern?

Can you define your concerns?

Example of HAZID:

This is a brief study on the HAZID of a design of a rally car.



1. Safety Objectives

It is not difficult to define the safety objectives as follows:

1) Road Holding

2) Visibility

3) Protection of the Driver

4) Ease of escape.

Note that speed is not a safety objective.

Now take each objective in turn and define how it can be violated - this is shown in part in the next table.

Once again it should be noted that the HAZID process is practical and best learnt by "doing it". It is also a
very useful tool for stage 1 of the Safety Study/Audit process and exceedingly useful for analysing the
potential problems during the construction phase.

Ref No: 1
Guide Word: Visibility - Mud
Event Nature: Loss of visibility due to dirt on the windscreen
Cause: Mud spray, leaves on the windshield
Consequence: 1. Unable to see the road 2. Vehicle slows down (or crashes) 3. Lost time
Control or Mitigating Factors: 1. Windscreen wipers 2. Windscreen washers
Consequences F/M: HH
Action Required / Comments: 1. Ensure washer pump has adequate capacity 2. Top up reservoir at end of each stage 3. Fill reservoir with antifreeze (methanol) 4. Ensure wiper motor is over-sized 5. Renew wiper blades at the end of each stage

Ref No: 2
Guide Word: Visibility - Mist
Event Nature: Loss of visibility due to mist
Cause: Weather changes
Consequence: 1. Unable to see the road 2. Lost time
Control or Mitigating Factors: Weather forecasts
Consequences F/M: HM
Action Required / Comments: 1. Supply radios in the car 2. Locate weather lookouts around the stage with radios

Ref No: 3
Guide Word: Adhesion - Mud
Event Nature: Car hits mud and/or water splash
Cause: Poor road surface
Consequence: Car crashes
Control or Mitigating Factors: -
Consequences F/M: MH
Action Required / Comments: Supply special profile tyres

Ref No: 4
Guide Word: Adhesion - Ice
Event Nature: Car loses adhesion on ice
Cause: Ice on the road (see 3 above)
Consequence: Car crashes
Control or Mitigating Factors: Special tyres
Consequences F/M: MH
Action Required / Comments: See 3 above

Ref No: 5
Guide Word: Escape
Event Nature: Doors jam shut in a crash. Driver injured
Cause: Impact on the side of the car
Consequence: Driver/navigator trapped in the car
Control or Mitigating Factors: 4 point harness
Consequences F/M: LH
Action Required / Comments: 1. Supply crash cage 2. Supply quick release doors 3. Remove doors!

Ref No: 6
Guide Word: Escape - Fire
Event Nature: Car crashed and bursts into flames
Cause: Major crash
Consequence: Driver killed after crash
Control or Mitigating Factors: 4 point harness
Consequences F/M: LH
Action Required / Comments: 1. Driver to be clothed in 'Nomex' 2. Supply emergency air 3. Supply emergency automatic fire extinguisher 4. Install fuel cut-out 5. Remove fuel tank 6. Fill tank with expanded foam matrix to limit fuel spill

Table B 5.6 Possible HAZID Worksheet for a Rally Car

Now that the hazards have been identified it is necessary to eliminate them, manage them, design them
out as far as possible or fit protection and finally to demonstrate that the risks are ALARP!
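The post-study quantification and ranking described under "Follow-up" and "Assessment - Post Study Meeting" can be carried on the worksheet itself. The following is an added example (not from these notes) of a minimal HAZID record sheet, run over rows constructed from Table B 5.6; the numeric scale behind the H/M/L indices and the A/B/C priority bands are assumptions made for illustration, not the notes' own pre-determined criteria.

```python
# Added example (not from the Crawley notes): a minimal HAZID record sheet with
# the post-study Magnitude/Frequency assessment, ranking and follow-up checks
# described under "Follow-up" and "Assessment - Post Study Meeting". Rows are
# constructed from Table B 5.6; the numeric index scale and the priority bands
# are assumptions for illustration, not the notes' pre-determined criteria.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed numeric scale behind the letter indices used on the worksheets.
INDEX_SCORE: Dict[str, float] = {"L": 1.0, "M": 2.0, "M-H": 2.5, "H": 3.0}


@dataclass
class HazidRecord:
    """One row of the worksheet in Table B 5.5 / B 5.6."""
    ref: int
    guideword: str
    event: str
    cause: str
    consequence: str
    controls: List[str] = field(default_factory=list)
    # Hazard Index: left blank during the study and filled in afterwards.
    frequency: Optional[str] = None
    magnitude: Optional[str] = None

    def assess(self, frequency: str, magnitude: str) -> None:
        """Post-study quantification: record the F and M indices."""
        for idx in (frequency, magnitude):
            if idx not in INDEX_SCORE:
                raise ValueError(f"unknown index {idx!r} on ref {self.ref}")
        self.frequency, self.magnitude = frequency, magnitude

    def score(self) -> float:
        """Frequency x Magnitude on the assumed scale."""
        if self.frequency is None or self.magnitude is None:
            raise ValueError(f"ref {self.ref} has not been assessed yet")
        return INDEX_SCORE[self.frequency] * INDEX_SCORE[self.magnitude]


def priority_band(score: float) -> str:
    """Assumed criteria: A = act now, B = review/QRA, C = accept as trivial."""
    if score >= 6:
        return "A"
    if score >= 3:
        return "B"
    return "C"


def rank(records: List[HazidRecord]) -> List[Tuple[int, float, str]]:
    """(ref, score, band), highest score first; ties broken by ref number."""
    ordered = sorted(records, key=lambda r: (-r.score(), r.ref))
    return [(r.ref, r.score(), priority_band(r.score())) for r in ordered]


def unmitigated(records: List[HazidRecord]) -> List[int]:
    """Refs with no control or mitigating factor recorded at the table."""
    return [r.ref for r in records if not r.controls]


def needs_qra(records: List[HazidRecord]) -> List[int]:
    """Remote but severe events: HAZID cannot dismiss these until QRA (Part E)."""
    return [r.ref for r in records if r.frequency == "L" and r.magnitude == "H"]


def rally_car_register() -> List[HazidRecord]:
    """Rows constructed from Table B 5.6, with its F/M column applied."""
    rows = [
        HazidRecord(1, "Visibility - Mud", "Dirt on the windscreen", "Mud spray",
                    "Unable to see the road; slows down or crashes",
                    ["Windscreen wipers", "Windscreen washers"]),
        HazidRecord(2, "Visibility - Mist", "Loss of visibility in mist",
                    "Weather changes", "Unable to see the road", ["Weather forecasts"]),
        HazidRecord(3, "Adhesion - Mud", "Car hits mud or water splash",
                    "Poor road surface", "Car crashes"),
        HazidRecord(4, "Adhesion - Ice", "Car loses adhesion on ice",
                    "Ice on the road", "Car crashes", ["Special tyres"]),
        HazidRecord(5, "Escape", "Doors jam shut in a crash", "Side impact",
                    "Driver/navigator trapped in the car", ["4 point harness"]),
        HazidRecord(6, "Escape - Fire", "Car bursts into flames", "Major crash",
                    "Driver killed after crash", ["4 point harness"]),
    ]
    # F/M column of Table B 5.6: frequency first, then magnitude.
    fm = {1: ("H", "H"), 2: ("H", "M"), 3: ("M", "H"),
          4: ("M", "H"), 5: ("L", "H"), 6: ("L", "H")}
    for row in rows:
        row.assess(*fm[row.ref])
    return rows


if __name__ == "__main__":
    register = rally_car_register()
    for ref, score, band in rank(register):
        print(f"ref {ref}: score {score:.1f}, band {band}")
    print("no control recorded:", unmitigated(register))
    print("QRA before acceptance:", needs_qra(register))
```

Run stand-alone it lists the six events in priority order, flags ref 3 (no control recorded at the table) and picks out refs 5 and 6 as the remote but severe events that cannot be accepted without QRA.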

B 6 Relief and Blow down Studies

Relief and Blow down Review has been placed under Design and Operability for Safety, as it fits better
there, so there is no apology for the apparent dislocation. It is one of the identification tools which
you should know about; see Part D 6 later in this text.

B 7 Fire Protection and Detection

This is covered under Fires, Part E.

B 8 Hazards in Operation

How do you identify the Hazards Associated with Routine Maintenance and Operations?

Operations are a topic beyond that of a first degree course. However it is appropriate to note that many of
the Management Systems described in Parts C & F apply to Operations.

The Incident Studies (Part H) show where problems were not handled properly and incidents occurred.

The identification of hazards that has been applied will still apply to any changes (see Parts C and F
Management of Change) but every form of Maintenance will require a special form of Hazard
Identification sometimes given the name Task Analysis where each step of the maintenance work from
isolation through to refitting is analysed carefully, the hazards identified and the need for special features
(including Personal Protective Equipment) is specified. This becomes part of a Management System called
Permit to Work (PtW) (See Part F for a worked example).



Part C

BASIC MANAGEMENT SYSTEMS (SMS & EMS)

C 1 Introduction

The Safety and The Environment must have Systems by which they can be managed. This is a
convoluted statement but in simple terms it means that if there is no management, the safety and
environmental controls will disintegrate. This part is an attempt to illustrate some of the Safety
(Environment) Management Systems (S/EMS) and how they operate. This Part was put after that on
Hazard Identification as it is, almost, a stand-alone which is best dealt with early before the more
technical items are introduced. These Systems are the software part of Defence in Depth. More
advanced systems are given in part F which is possibly more appropriate to a Masters Course.

In Part A the general principles of HASWA were explained. The change that HASWA introduced was a
move from prescription to self-regulation. In simple terms, with HASWA (although some of the
Regulations set up by the Factories Acts are still in operation) the approach changed from:

You will fit guards wherever necessary

To:

You will protect your employees so far as is reasonably practicable.

This was the intent but the Guidance Notes are becoming more and more prescriptive such that there is a
drift back to the pre-HASWA approach.

In the older Factories Act there was a requirement to fit handrails on all structures over 6 feet above the
ground (1.83 m). So, if a structure was 5 foot 11 inches high (1.80 m) it would not be necessary to fit
handrails. HASWA removes the definition of height and leaves the duty on the employer to prove that the
protection was appropriate so far as was reasonably practicable. This would indicate that a rail would be
required for any height. Likewise a pump coupling installed with a poorly fitted guard might satisfy the
spirit of the old Factories Acts but would fail the duty of so far as was reasonably practicable laid down
in HASWA.

Management Systems are central to the Safety Cases required for Major Hazard Processes.

C 2 Systems

The following is a simple approach to what is a complex study and only some of the more common S/EMS
are outlined. It would be wrong to differentiate between Safety and Environmental Systems. Many are
similar and have only minor differences; for example, a release of a toxic material has an impact on both
Safety and Environment. The result is that these notes will refer only to Management Systems.

Annual Appraisals



At first you might think that Appraisals are purely for managing people; this would be a mistake. Consider
what can be done within that appraisal. The appraisal is a dialogue where the strengths are praised and
areas of weakness are pointed out with suggestions for improvements using Continuous Professional
Development (CPD). There is also the opportunity to review the Skills Matrix against possible
promotions. If the employee is due for promotion, is there a need for certain skills to be enhanced and new
ones added? In this manner the employee is being groomed for promotion and "hits the ground running",
to use the modern idiom. This is good management and avoids the mistakes that might result from
inexperience.

Management of Change (MoC) Procedure or Hardware

Changes are one of the major causes of incidents. The classic example is Flixborough (1974) but equally it
was a change that created the steam explosion at Chernobyl in 1984. (See incident Studies Part H)

The rule is that if the change is not like-for-like it is a real change and that change has to be managed!
This rule may appear to be dogmatic but it has to be so for good reasons. Some years ago the replacement
of a valve, which had identical dimensions but a slightly different internal construction, resulted in
the release of materials and the injury of a Fitter (Figure F 13.1; see also Incident Studies Part H). Could this
have been predicted? Most definitely YES!

The MoC applies not only to hardware but equally to procedures, management structures and
personnel. Remember what was said above about Appraisals. If the new Manager does not have the skills there is
the potential for a problem. The MoC must manage the change from state "A" with the original
Manager in place to state "B" with a new Manager in place.

The MoC System will vary between companies and processes. This is outlined later. An assessment form
which has been imitated by many companies is shown in Part F. It is historic but to date no-one has
devised a better one!

Procedure Change (see Part F later)

Think about a change in a procedure. This could be a Design Guide, which is the record of best practice
based on the experience of the company in that sphere of endeavour, or an Operating Procedure called
by different names such as a Works General Order (WGO), Standing Instruction (SI) or a Permanent
Instruction (PI). (The names may differ but the Procedure has the same intent.) (Note that there is a slight
conflict in the contraction "SI" between Statutory Instruments and Standing Instructions.) The original
procedure probably worked well but in the light of new circumstances or experience it might require to be
changed. The approach would be very much as outlined in the introduction.

What requires to be changed?

What are the implications of this change?

Are all of the best people there to review the change?

If the change is an operating procedure the Operations Staff must be in the discussions and of
course there will be the need for training. How will it be implemented and verified?



When the new procedure is to be put into place how do you manage the distribution of the new
procedures and the removal and destruction of the old procedures?

Is the timing and announcement of the change sufficiently clear?

How do you ensure that ALL old copies are recovered? This is not a silly question as Engineers and
Operators have their own copies. There is only one way of ensuring that there are no rogue copies
and that is to ensure that the Master Copies are marked with a RED stencil. This will copy BLACK
and will be clearly visible as an illicit copy. This is yet another Management System.

Hardware Change

In the case of a piece of Hardware there is usually a detailed checklist (taken from an ICI Safety
Newsletter and shown in Part F) which has to be filled in and reviewed by an independent person. In the
ultimate the review could become as shown in Part B on Identification of Hazards. The checklist covers
questions that must be answered such as:

What physical changes will take place?

If it is an operating procedure what changes will be made to the operating parameters


Flow,
Temperature,
Pressure,
Level
Composition?

What effects might these changes have on?


Corrosion,
Wear,
Reaction kinetics

What might these changes and effects have on?


Pressure Protection (Pressure Relief Valves)
Controls
Instrumented protective systems Shut Downs - ESD

What impact might the change have on the access to safety equipment or means of
escape?

What improvements are required for illumination or maintenance access?

In the case of a hardware change not like-for-like the questions may be as follows:

What internal and external changes will take place?

Can the integrity of the item be violated during maintenance?

Are there any potential traps for fluids?

This listing is only illustrative and is not complete - See Part F for more detail
Following the completion of the check-list it will be reviewed by an independent assessor and the change
will be accepted, rejected or accepted with conditions, one of which may be that all or part of the Hazard
Study Review is carried out (see Part B).

C 3 Permit to Work (See Part F Advanced Management Systems for more detail and an illustration)

All work that is not routine day-to-day operation requires to be carried out under a Permit to Work (PtW).
These have different names in different companies. They could be called a Works Clearance. Whatever the
name, they are part of the safe systems of work required by HASWA.

It is appropriate to describe PtW at this point. This Management System requires that the full assessment
of the risks is carried out (qualitatively in most cases) and that the appropriate risk reduction features are
put into place to reduce the risks so far as is reasonably practicable. These risk reduction features will be
detailed on the Permit with the task to be carried out, the scope and the other conditions that must be
adhered to.

Essentially it is a written record of the HAZARD IDENTIFICATION carried out PRIOR to any form of
maintenance. For the most part this will be non-quantitative and based on experience. It will record those
tasks that require to be done (and those that may not be done) and the tools by which they may be done. It
will then record the perceived risks and the precautions required to mitigate those risks. These will include
isolation (Design, Part D) and personal protective equipment (Part G). Finally there will be a written and
signed contract between the operations group and the maintenance group where the equipment is
"handed over" from one to the other. At the end it will be handed back under signature once again. The
names of this document have changed over the years from Hand Over Certificate to Clearance
Certificate but PtW is far more descriptive.

There are a number of PtWs with reducing risk potential. At the very top is the Entry permit and at the
bottom is the Isolation Certificate.

These are:

Entry Permit* - to a Confined Space. Risk of fumes, asphyxiation or worse.

Hot Work Permit* - Open Flame. High potential for a fire.

Hot Work Permit - Drilling or grinding, not open flame but spark producing. Low potential for a fire. See
also sources of ignition in Part D.

Maintenance Permit to Work - Specification of appropriate site preparation (including
isolation) and use of Personal Protective Equipment (PPE) (Part G).

Electrical Isolation Permit - Potential for electrocution.

Nucleonic Isolation Permit - Potential for nuclear radiation.

Isolation Permit (process valves) - Wrong valve may be closed resulting in a process upset.

There are other PtWs, which include:



Under-pressure Break-in* - Potential to lose containment.

Roof Access Permit - Falling through the roof.

Excavation Permit - Potential to dig into underground piping or cables.

In general those permits with the highest risk potential (shown as *) are only authorised by the Senior
Supervisors or even Managers. In some companies there is a unifying permit which contains sections for
all of these activities; in other companies there are single permits for each operation, and it is obvious that
there could be a Permit to Work and an Entry Permit PLUS a Hot Work Permit if a welding repair is required on
the inside of a vessel.

Too many incident reports which resulted in fatalities were caused by poor use of Permits. The Epitaphs
could have read:

"Did not follow the permit..."

"Did not have an appropriate permit..."

"The permit was inadequate"

"He was only an innocent bystander!"

C 4 PIs or SIs or WGOs

PIs, SIs or WGOs (as indicated above) are different names for the same system and cover a whole raft of
objectives. At one end they may cover the detailed procedure for plant operation - operating instructions.
At the other end they may be a simple statement of Policy - a statement to the effect, "This is what
YOU should do!" In the final analysis they are the Management Systems put in place for whenever the
Manager is not present. Illustrations are to be found in Part F.

Some examples would include:

All personnel will wear eye protection while still on company property and when outside the
office

All visitors will be escorted, at all time, by a Company Employee!

Ultimately there are the detailed and thought out Procedures for operation and also for maintenance.

The following is a tabular approach which is an attempt to illustrate the preparation of a SI, PI, WGO or a
Design Guide.

SYSTEM: Operating Instruction (SI/PI/WGO)

  COULD IT BE DONE PROPERLY? Did it consider and give guidance on the following:

    Preplanning
    1 Are valves accessible?
    2 Hazard Identification complete?

    Procedure
    1 Hazards that may be encountered
    2 Line of Command
    3 The line of Communication
    4 The Responsibilities of each person in the group
    5 The EXACT sequence of events which MUST occur
    6 The clear objectives and the "window" of the operation
    7 The abort condition of the operation
    8 Verification of the attainment of the objective

  WAS IT DONE PROPERLY?

    1 Was the sequence followed? If not, why?
    2 Was a different parameter or value used?
    3 Could the valve be accessed easily?

SYSTEM: Design Guide

  COULD IT BE DONE PROPERLY? Did it consider:

    1 Start up
    2 Shut Down
    3 Operation
    4 Failure of Services
    5 Operators' well meant but ill-advised operation
    6 Were all protective systems specified?

  WAS IT DONE PROPERLY?

    1 Was the HAZOP carried out?
    2 Were the operators asked to review the guide?

Ask the two questions "Could it be done safely?" and "Was it done safely?" to show how far reaching
Management Systems can be!

Have you thought out the problem?

Consider:
Design Guides/Codes
Hazard Studies
HAZOP Studies
Operating Instructions
Emergency Procedures
PtW
MoC

Was it carried out correctly?

Do managers carry out walk-about tours round the work place be it office or Plant?
Are checks carried out on PtW?
Are operating procedures checked on routine?
Are checks carried out on a design as it is being developed?
Are audits carried out?
Are there recording and follow-up systems in place?
Are quality checks carried out?
Trip testing
Performance testing after Maintenance
Environmental checks



S & E performance indicators

All of these are Management Systems!

Finally, this is an article written for the IChemE Loss Prevention Bulletin 104 after an incident that occurred
Offshore. The article was sanitised and was written incognito so as to protect the guilty!!

C 5 What is more important - the permit to work or the execution of the plan? Extract from LPB

The incident is used to illustrate and to discuss the significance of this question. It looks at the task, the
execution and the potential consequences and then uses this to answer the question.

The Task

The task was to replace a boiler drum level control bypass valve. This valve was welded in. Unfortunately
the feed water manifold isolation valve "z" was leaking and some other positive isolation was required
(See Figure below).

Sketch of piping isometric of boiler feed system

The Plan

The plan, as devised, was to install an ice plug using a nitrogen bath in a VERTICAL section of pipe line
(shown hatched above). As a back up the plug would be pressure tested by injecting water at "Y" with
valve Z closed so as to achieve a pressure equal to the line rating. After this the level control valve was to
be removed and a stopple fitted in the line. With this arrangement there would be a double block with
one proven isolation.

Execution 1

The execution was not totally according to plan. First the main isolation valve (Z) was leaking so badly that
no pressure test could be achieved. Second the stopple could not be installed due to difficulty with access.

Whatever the rights and wrongs the task was completed successfully and the ice plug thawed out. The
boiler was put on line and as all the tools were on site it was decided to do the same task on an adjacent
boiler drum level control valve bypass.
Execution 2

The piping configuration on the adjacent boiler was different and the only suitable section of piping was
oriented horizontally. As a result a different nitrogen bath had to be fitted. Once again the pressure test
could not be achieved and the stopple could not be fitted. The plan had now been violated on three
accounts but the task had started and no-one thought any more about it.

Early in the execution of this task the Nitrogen Dewar Flask level indicator malfunctioned; however, it was
decided that the flask could be weighed and thereby the weight of the remaining nitrogen could be
determined. As the task proceeded it was evident that a second Dewar flask of liquid nitrogen would have
to be used; unfortunately, for some reason, the hose did not fit onto the Flask. (It is possible the coupling
on the second flask had been damaged in transit.)

At this point the work site was only protected by a single isolation, which was only effective as long as the
flow of nitrogen was maintained to the nitrogen bath, and that flow was not guaranteed.

The inevitable occurred, whether it was due to premature loss of nitrogen or low nitrogen flow matters
little, the ice plug blew out and hot feed water sprayed out of the line. The levels in the on-line boilers
started to fall and by means of reduced throughput and putting on extra feed pumps, boiler levels were
maintained during a controlled shutdown.

Analysis of this Incident

The analysis of this incident illustrates one of the major misunderstandings in the application of the Permit
to Work system. Too often there is heated debate about the niceties of the layout of the Permit itself. The
Permit to Work should be a written record of:

1. The Work Planning (including calculations of loads, forces, stresses or other physical engineering
limitations).

2. The preparation of the work itself (Isolation, draining, purging etc).

3. The preparation of the work site (sand bagging drains, isolation of local equipment).

4. Limitation of incompatible practices (such as draining flammables during hot work).

5. The exact scope and limitations of the work to be carried out.

6. The exact method and tools to be used to carry out that work.

7. The monitoring and supervision of the work site.

8. The physical protection to be adopted by the person doing the work.

9. The precautions to be adopted by the person doing the work.

10. The possible process and physical hazards associated with the work site.

11. The contingency plans to be adopted should anything untoward develop, including how and when the
work should stop.



12. The agreement in the form of signature, that all parties visited the work site, inspected it and agree
that the work will be done as described, without deviation and that all possible precautions have been
carried out in order to make the work and the site safe (sfairp) for the operation.

Where appropriate this should include testing the tools and associated equipment to ensure they will
work as required, when required.

Far too often, steps 1, 4, 7, 11 and particularly 12 are omitted. In this case in question:

1. The plan was not devised properly nor was it followed.

2. The site was poorly supervised and monitored.

3. Contingency plans were not developed and the work should have been aborted on a number of
occasions.

4. The equipment had not been tested.

What would have happened if the fluids had been toxic or flammable or corrosive - the consequences
could have been quite unthinkable.

What is more important - the permit to work or the execution of the plan? Surely it is the execution of the
detailed plan which is embodied in written format in the permit to work.
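The isolation rule in the plan above ("double block with one proven isolation") and the abort condition of item 11 can be made explicit and checked against each event of Execution 2. This is an added example, not part of the original notes or the LPB article; the barrier and plan data structures, the abort rule and the event sequence are assumptions constructed from the narrative.

```python
"""Added example: checking an isolation plan against what was actually executed.

Not part of the original notes or the LPB article. The plan rule ("double block
with one proven isolation") and the order of events come from the text; the data
structures, the abort rule and the event labels are assumptions for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    PROCEED = "proceed"
    ABORT = "abort"


@dataclass
class Barrier:
    name: str
    in_place: bool = False
    proven: bool = False        # independently tested, e.g. pressure test to line rating
    needs_supply: bool = False  # only effective while a utility (nitrogen) keeps flowing


@dataclass
class Plan:
    min_barriers: int = 2       # "double block"
    min_proven: int = 1         # "with one proven isolation"


@dataclass
class WorkSite:
    plan: Plan
    barriers: dict[str, Barrier]
    supply_ok: bool = True
    deviations: list[str] = field(default_factory=list)


def effective_barriers(site: WorkSite) -> list[Barrier]:
    """Barriers that are actually protecting the work site at this moment."""
    return [b for b in site.barriers.values()
            if b.in_place and (site.supply_ok or not b.needs_supply)]


def assess(site: WorkSite) -> tuple[Verdict, list[str]]:
    """Item 11 of the permit: the work stops as soon as the plan is not met."""
    eff = effective_barriers(site)
    proven = [b for b in eff if b.proven]
    reasons = []
    if len(eff) < site.plan.min_barriers:
        reasons.append(f"{len(eff)} effective barrier(s); plan requires {site.plan.min_barriers}")
    if len(proven) < site.plan.min_proven:
        reasons.append(f"{len(proven)} proven barrier(s); plan requires {site.plan.min_proven}")
    if site.deviations:
        reasons.append(f"{len(site.deviations)} deviation(s) from the permitted plan")
    return (Verdict.ABORT if reasons else Verdict.PROCEED), reasons


def new_site() -> WorkSite:
    """The two barriers named in the plan: an ice plug (nitrogen-dependent) and a stopple."""
    return WorkSite(Plan(), {
        "ice plug": Barrier("ice plug", needs_supply=True),
        "stopple": Barrier("stopple"),
    })


def as_planned() -> tuple[Verdict, list[str]]:
    """The permit as written: ice plug proven by pressure test at "Y", plus a stopple."""
    site = new_site()
    site.barriers["ice plug"].in_place = True
    site.barriers["ice plug"].proven = True
    site.barriers["stopple"].in_place = True
    return assess(site)


def replay_execution_2() -> list[tuple[str, Verdict, list[str]]]:
    """Execution 2 from the article, one assessment per event (constructed sequence)."""
    site = new_site()
    history: list[tuple[str, Verdict, list[str]]] = []

    def step(event: str) -> None:
        verdict, reasons = assess(site)
        history.append((event, verdict, reasons))

    site.barriers["ice plug"].in_place = True
    site.deviations.append("pressure test could not be achieved (valve Z leaking)")
    step("ice plug frozen, pressure test failed")

    site.deviations.append("stopple could not be fitted (access)")
    step("stopple not fitted")

    site.deviations.append("Dewar level indicator malfunctioned; weighing instead")
    step("nitrogen monitoring degraded")

    site.supply_ok = False  # second Dewar hose did not fit: ice plug no longer guaranteed
    step("nitrogen supply lost")
    return history


if __name__ == "__main__":
    print("as planned:", as_planned())
    for event, verdict, reasons in replay_execution_2():
        print(f"{event}: {verdict.value} - {'; '.join(reasons)}")
```

The first event already returns an abort: the plan was violated before the task started, not only when the nitrogen supply was lost.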

Postscript

As time has passed it is possible to say that this incident was sanitised, in reality, and it was the failure of a
process isolation on an offshore platform and could have resulted in a major loss of life - some three or
four years before Piper Alpha. The fluids were not boiler feed water but were hydrocarbons. These
flooded onto the installation but did not ignite.



Part D

DESIGN FOR SAFE OPERATION AND SAFE OPERATION TECHNIQUES

Some of this is a repeat of the Part B on Identification. The topics have two homes so it is better to repeat
them rather than miss them.

D 1 Introduction and Background

It is not possible to eliminate all hazards to personnel/property however much effort is put into the task;
there will always be a chance that a hazard will occur.

The very nature of hazards is that they are a complex interplay of causes (reverse of Defence in Depth). No
firm rules can be laid down and so this part, on design features, is presented in general terms so that you
will be able to appreciate the application of techniques and solutions to particular processes. These are
just some of the hardware Defences in Defence in Depth.

In general, the effects of hazards can be divided into the following categories:

Pollution (including noise)

Chemical Reactions and Reactivity

Toxicity (including Asphyxiation and long term effects)

Mechanical Failure

Corrosion

Nuclear Radiation (where appropriate)

The small event leading to a larger event (Domino Effect)

Fire

Explosion

The hazards may affect the following:-

1. The environment (land, water, air)

2. Company employees within, or the public outside the site

3. Plant equipment, storage facilities, offices, warehouses, laboratories, etc.

4. Property outside the site



5. The company cash flow (by loss of revenue, replacement of damaged equipment and/or
payment of claims for damages)

Commonly hazards are controlled by:-

1. Elimination

2. Containment

3. Reduced Frequency

4. Reduced Effect

5. 'First Aid' Measures

In some cases the hazard will be dealt with by a hardware or engineering solution and in others by a
management or "software" procedure. Generally hardware solutions are used during the design phases of
a project and software procedures during the start-up and operating phases of the project. The relative
costs and ease of implementation will also affect the choice of solution. While it is possible to specify the
performance of a hardware protective system and test the hardware to determine if the desired
performance is achieved, it is less easy to assess the performance of software systems and to determine
the performance of the software (procedures). Procedures tend to become degraded with time and it is
often difficult to assess the level of degradation other than by an Audit (see Advanced Management Systems,
Part F).

As accidents cannot be totally eliminated you must aim to reduce them to an acceptably low level.
Further, you should recognise that reducing one risk may increase another and the final result must be a
balance of risks. For example, a solution which reduces human risk may increase the environmental risk
and the designer must take into account this delicate balance. The total risk to the environment, humans,
plant fabric and cash flow must be acceptable both to the company and to the Regulatory Authorities.

The prevention of incidents leading to injury, health problems and pollution of the environment must
therefore start at the design stage. Once design faults are incorporated it is very much a case of the use of
palliatives. This is not in the spirit of inherently safer. There are a number of tried and tested design
procedures which have been applied and it is appropriate to put these into one condensed Part. These
have been selected and probably represent a small percentage of the possible list of design techniques or
tools. The order given is not in priority.

D 2 Hazard Studies Design Phases and Details

The various design phases were introduced in Part A as it is a corner stone of procedures, design and
others such as maintenance. It is now necessary to add a little more detail; the numbering is as in Part A as
this has stood the test of time and Engineers can relate to this numbering.

Study 0 Inherency

Inherency is the concept that challenges the accepted and asks "Is there a better way?" The objective is
to make the design safer by the very design. Various strategies can be adopted and are triggered by guide
words as given. See Part D 13 for examples.



Intensify

Concentrate the process in a smaller, higher pressure reactor and reduce the working inventory or total
leak potential. An example might be a high pressure catalytic reactor which is significantly smaller than the
conventional low pressure reactor. Another might be the use of a linear reactor instead of a continuously
stirred back-mixed reactor. Another might be the use of specialised equipment which has, by the very
nature of the design, a very low inventory; some of the modern compact heat exchangers would fit into
this heading. The end point is that while the peak outflow rate from a hole (loss of containment, LOC)
may be higher, the total outflow will be significantly lower.

Attenuate

Reduce the working pressure/temperature such that the leak rate should it occur is less or less likely to
ignite/vaporise. An example might be the use of refrigerated storage of cryogenics instead of pressurised
storage. Once again the use of a catalyst lends to inherency.

Substitute

Change the process route using chemicals which are safer or which do not produce hazardous by-products
or intermediates. Steam is inherently safer than hot oil. Steam heating may be inherently safer than
electrical heating in that it has a self limiting upper temperature limit.

Simplify

This is self evident.

Getting it Right First Time

Avoid the need for last minute change or even recognising the whole spectrum of conditions which may
apply to choosing the correct materials for fabrication and the choice of design pressure for equipment. It
can also mean de-clutter the process and avoid a surfeit of add-on safety features which do little for
SHE or efficiency but create operational problems.

Change

While the concept of change is simple it does require a bit of thought! Consider the change in a layout
such as to segregate flammable materials from sources of ignition or the positioning of a valve such that
access is enhanced the layout or access is then inherently safer. Change may involve a new process if the
environmental implications were adverse. Change is simple but finding the solution is less so!

Eliminate

This is more a statement of the obvious. Consider the design pressures; can you eliminate the need for
overpressure protection by the selection of the equipment design pressures?

Eliminate and Change look at the same basic problem from different directions.

Second Chance/fails safe

The ability to recover from and to survive an upset or to tolerate the extremes of the operating/upset
conditions envelope.



Capture and recycle.

Capture leakage and rework it. This has application in terms of the environment.

Study 1 Concept - well before sanction

Objective: To identify the major problems which have to be overcome before the concept can
become a viable project.

Basically, are there any "show stoppers" which are so insurmountable that it is not worth carrying
on with the Project?

End Point: The concept should be capable of development into a project.

The concept requires a fundamental review of all aspects that could stop the development of the project
or the process chosen. They need not necessarily be process related but will also address the possible
effluents, the source of feedstocks, the source of water, the availability of trained staff for operation and
maintenance. Finally the site chosen may be Brown Field or one that has been used before and may
require remedial treatment. Even worse it may be on recovered land and require consolidation or piling.

The chemistry and the separation processes will require serious review as will the reaction process to
make the product. During this phase the major issues must be highlighted with potential solutions. If there
are no solutions it is likely that the project will fail at a later stage.

Study 2 Concept Development or Front End Engineering Design

During the conceptual design there is an attempt to identify those problems which must be solved before
there is a viable project. You must be satisfied that there is a safe, reliable process with minimal
environmental impact. Shortly after conceptual design it will also be necessary to satisfy the regulatory
authorities and local planning authorities of its safety. This may require a Safety Case. If all the
significant hazards are not identified during this phase, redesign may be expensive, the project may be
delayed and the extra design features may make the project non viable.

Chemical, Physical and Toxicological Properties

Do you understand the chemistry of the process in particular the thermal stability of the reactants and
reactions? Is there a potential for an exothermic reaction of the reactants at elevated temperature? Under
what conditions may the reaction become thermally unstable and runaway? In addition to analysing the
basic chemical reaction consideration you should also consider side reactions and reactions between
products, by-products and intermediate products. These should be examined over a wide range of
pressures, temperatures, concentrations and residence times. The extremes of conditions should be
realistic - the maximum temperature could be that of the steam jacket, the maximum pressure could be
that of the relief valve lift pressure plus accumulated pressure. See Part D 4 Chemical Reactors.

Chemical processes which must be considered to be potentially hazardous are those which:-

Involve fast reactions

Have exothermic reactions



Contain chemicals which react vigorously with common contaminants such as rust or water or
by-products

Produce exotherms (or may produce exotherms in the possible design temperature range)

Produce polymers either by intent or accident

Handle unsaturated hydrocarbons (particularly Acetylene)

Handle flammable fluids at elevated temperature and pressure

Involve oxidation or hydrogenation processes

Handle or produce thermally sensitive feed stock, products or by-products

Handle acids or alkalis

Handle toxic compounds

Produce dusts or sprays

Have high stored pressure energy

This work can be facilitated by examining databases, both chemical and hazard, and world wide
experience. From this it should be possible to draw up the physical, chemical, and toxicological properties
of the materials processed including feedstock, product/by-product intermediate products and catalysts.
(MHDS) Remember to include additives used for water treatment, boiler feed treatment, catalysts and
other treatment agents such as used for anti-corrosion. Suitable reference sources are manufacturers'
data sheets, and databases. It may be necessary to initiate investigations to determine the properties of
intermediate and by-product which may not have been studied in detail but have been identified in the
laboratory or the Pilot Plant. The properties of the materials should include not only short term but also
the long-term effects on both humans and the environment.

Consideration should be given to the inadvertent mixing of incompatible fluids in drains or effluent
systems. This has been a safety issue on many plants. It may be necessary to have segregated drains which
can be handled according to the properties of the materials.

It is worth noting that historically one of the major sources of hazard has been the lack of knowledge of
both the nature of the by-products and their properties, the classic example being Seveso.

Effluent

Estimates of the types of effluent that might be handled; the quantities and concentrations should be
drawn up. Remember that noise and smell are nuisance effluents. Consider how you are to handle
abnormal materials and amount and nature of the off-specification products produced under upset
conditions such as commissioning, start-up and production upset when off specification materials are
inevitable. Means for disposing of these effluents should be outlined and may include:-

Dilution (within consent limits)

Neutralisation or chemical destruction


Bio treatment

Combustion in a flare or incinerator (consider also the effects of the by-products of
combustion)

Regeneration/Recycling. (This has a limited life as it can only take place while there is storage
available. Sometimes it is possible to re-run or recycle small amount at a time and so to
recover the products.)

Reduction/Attenuation in the case of noise

Consider in addition the effects of fugitive emissions from tank vents and simple process leaks. Could
these be unsafe or a nuisance either to the employee or the public?

Feedstock/Product Handling

An assessment should be made of the type of storage of feedstock, products and intermediates.
Consideration should be given to how the materials will be transported to/from the site and the risks
associated with the transport. In general transport by pipeline is safer than transport by road/rail and
requires less buffer storage.

Layout (See also D 5 for more detail)

Layout of the plant is at best a form of compromise. The plant will inevitably have neighbours or the public
nearby, and every attempt must be made to arrange a layout which is visually acceptable, produces the
minimum of disturbance by light, noise and odour and has the lowest risk to the public. This is a difficult
task! Consider the following:-

Segregate process furnaces with open combustion from adjacent sources of flammable fluids.

Segregate large inventories of flammable fluids by means of fire breaks and containment bunds.

Arrange the layout such that large volumes of flammable and toxic fluids are located as far
away from the public, offices and control rooms as is practicable.

Arrange the layout so that noisy equipment such as compressors is located as far as is
practicable from the public.

Likewise sources of visual disturbance such as flare stacks and tall equipment like distillation
columns. Is it better to arrange the column as two sections of half the height? (This may be in
conflict with inherency!)

Arrange the layout such that sources of malodorous effluent are located as far from the public as
is practicable.

Can inventories be reduced at study 0 by the inherently safer approach?

Note that fire breaks, or breaks between reactors and process equipment, can be created by interposing
safe (non-combustible) services such as instrument air systems or road and access ways.



Finally, but not least, the layout should also take into account the prevailing wind direction and
atmospheric conditions. This will affect the way toxic and flammable fumes could spread across and
outside the site.

Process Equipment

Are there any unusual features which may create problems in the future or which must be eliminated
during the design phase of the project? Typical problem areas could be:

Exotic materials of construction which require special means of hydrotest.

Arduous shaft sealing duties - for example slurries or high speed shafts

Novel processing equipment which has not been proven in the field

Operating in a condition close to a phase change (boiling or freezing), when special precautions
such as heat tracing to avoid freezing may be required.

Operations which require extremes of cleanliness: not only freedom from dirt but also from
water, should it freeze, and from trace impurities. (Traces of oxygen can produce stress corrosion
cracking of ammonia storage vessels.)

Consideration should also be given to the following:-

The potential for damage to pipelines and essential services through fire, impact or corrosion. The
corrosion could be internal, due to the process, or external, due to wet lagging.

The access for emergency services for rescue of the injured. (The access for fire engines to
various parts of the site, and how the fire engines can reach the site, may be a complex study.)

Two access routes are essential.

Can the local topography affect the way in which fires may spread? Look at the topography and
ask: Can a fire or toxic gas flow downhill to vulnerable equipment?

Risk Assessment and Safety Cases

As a result of the risk assessment and the Safety Case it may be necessary to change the process or layout.
It may be that the protective systems, active or passive, have to be enhanced. (Active refers to
Shutdown Systems (see Part D 8) and Passive refers to fire protection by fireproofing, lagging and the
like.) The layout, including the location of major inventories, may have to be changed. It is self-evident that
the Safety Case hurdle has to be overcome before construction can start!

If the required performance of the Shutdown System (SIS) is left until the Detailed Design stage there is the
possibility of project delays as the design is rethought and new equipment ordered.

Study 3 Detailed Design

Whereas the conceptual design phase gives a general outline of what the process system will look like,
no firm decisions are made in it. In the detailed design phase you will make many decisions which finalise
the plant design. Most of these concern equipment which, once ordered, is not readily replaced or modified.



Pressure vessels must be designed and tested to recognised design standards and are also subject to legal
requirements, which vary around the world. They must be designed correctly, tested correctly, inspected
correctly and operated correctly.

The design of seals on Pumps/Compressors requires careful analysis so as to minimise harmful leakage of
toxic, flammable, corrosive or other harmful fluids. Where appropriate the leakage should be captured
and recycled.

Piping must be carefully designed for stresses imposed on it by both internal pressure as well as thermal
growth/contraction. It must be carefully designed for reaction forces at bends and constrained to move
only in one axis at any location. The stress analysis is complex and often uses sophisticated computer
programmes.

The detailed design phase should not only address the plant safety with respect to the list given in the
introduction - it should also address access, tripping, falling and other operational hazards. Access will
involve safe removal of equipment.

During conceptual design the problems associated with the chemical reactions and/or processing system
should have been identified. The toxicological and physical properties of the reactants, products, by-products,
intermediate products and catalysts should also have been determined and hazardous properties sheets
drawn up. The likely disposal routes for effluents should have been identified and the required site and
plot dimensions should have been specified.

Part B identified typical procedures which should be carried out to identify and quantify hazards. When P
& IDs have been completed Hazard and Operability studies should be carried out and any necessary
changes incorporated. When pipe routes are defined, Relief and Blow down studies should be carried out
to ensure that the relieving capacities and pipe sizes (pressure drops) are adequate for the largest
foreseeable demands and combination of relief loads.

The following phases have been analysed in Part A:

4 Construction

5 Prestart-up

6 Post Start-up

7 Demolition

It is important that demolition is considered at all stages of the design.

D 3 General Design Principles

The design must be robust and capable of handling both over-pressure and under-pressure conditions and
temperature excursions where appropriate. The design should be such as to ensure a secure containment
system. The design MUST use internationally recognised codes/standards for equipment, likewise piping.
Mix and Match is NOT an acceptable design philosophy.



If the process handles flammable materials the sources of ignition must be kept to a minimum and the
specification of the electrical equipment must be appropriate to the gases (see later D 7) and the likely
occurrence of flammable vapour. It should also be tolerant of small fires and be so designed as to
minimise the frequency of large fires and/or explosions.

In the case of corrosive fluids the design should be tolerant of corrosion both inside and outside the
containment. This means that leakage of corrosive materials must not damage its support or the support
of another system.

The design should be such as to avoid one event setting off another, larger event (the domino effect). A
simple example would be a power failure which leads to a runaway reaction resulting in an explosion;
another could be corrosion which results in structural collapse.

Safe design can be achieved by the use of a number of tried and tested techniques which will be expanded
upon in separate discrete sections.

D 4 Chemical Reactors

See the notes on stability in section B 1.1

Reactors come in many forms:


1a Exothermic: heat given out by the reaction
1b Endothermic: heat consumed by the reaction
2a Solid bed: usually a catalyst
2b Back-mixed: internally mixed (usually liquid phase)
3a Liquid phase
3b Gas phase

The combinations of types 1, 2 and 3 give 8 possible types, for example:

Exothermic, Solid Bed, Liquid Phase
Endothermic, Solid Bed, Liquid Phase
Exothermic, Back Mixed, Liquid Phase
etc.

In general the endothermic reactions are not an issue as they die away if heat is not added. There may be
some issues with by-products under these circumstances.

The main issue is with EXOTHERMIC reactions. In these heat is generated and if not controlled or removed
the reactants warm up and follow the ARRHENIUS LAW so the reaction accelerates. It is not difficult to see
that the loss of temperature control of the reactor could (and does) result in an EXPLOSIVE REACTION.

It follows therefore that the integrity (reliability) of the temperature control is fundamental to both
operability and safety. Heat exchangers used to cool the reactor should be oversized to account for
possible fouling, and likewise the circulation pumps, to allow for fouling or wear and tear.
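The Arrhenius argument above, and the oversizing advice that follows from it, can be made concrete with a simple batch heat balance. The Python below is an added illustration and is not part of the original notes: every reactor figure in it (pre-exponential factor, activation energy, heat of reaction, batch heat capacity, coolant temperature, the 420 K onset temperature assumed for the hazardous secondary reaction, and the 0.7 fouling factor) is a constructed value chosen for the example. It integrates the batch heat balance m*cp*dT/dt = Q_gen - UA*(T - T_coolant) for a first-order exothermic reaction, finds by bisection the cooler capacity UA at which the batch only just stays below the onset temperature, and then shows what fouling does to a cooler sized exactly at that point compared with one sized with a margin.

```python
import math

R = 8.314  # gas constant, J/(mol K)

# Constructed batch-reactor data for illustration (not taken from the notes).
A = 1.0e9          # Arrhenius pre-exponential factor, 1/s
EA = 80_000.0      # activation energy, J/mol
DH = 100_000.0     # heat released per mole reacted, J/mol
C0 = 2000.0        # initial reactant concentration, mol/m3
VOLUME = 10.0      # reactor volume, m3
M_CP = 2.0e7       # heat capacity of the batch (mass x cp), J/K
T_COOLANT = 300.0  # coolant temperature, K
T_START = 350.0    # batch temperature when the cooler is put on line, K
T_LIMIT = 420.0    # assumed onset of the hazardous secondary (decomposition) reaction, K


def rate_constant(temp_k):
    """Arrhenius law: k = A exp(-Ea/RT). Heat release scales with k, so it grows exponentially with T."""
    return A * math.exp(-EA / (R * temp_k))


def simulate_batch(ua_w_per_k, *, t_end=3600.0, dt=0.5):
    """Explicit Euler integration of the batch heat balance
    M_CP * dT/dt = Q_gen - UA * (T - T_COOLANT), with depletion of the reactant.
    Returns (peak_temperature_K, runaway); runaway is True if T reaches T_LIMIT."""
    temp, conc, peak = T_START, C0, T_START
    for _ in range(int(t_end / dt)):
        reacted = min(conc, rate_constant(temp) * conc * dt)  # mol/m3 consumed in this step
        q_gen = reacted * VOLUME * DH                        # J released in this step
        q_rem = ua_w_per_k * (temp - T_COOLANT) * dt         # J removed by the cooler in this step
        temp += (q_gen - q_rem) / M_CP
        conc -= reacted
        peak = max(peak, temp)
        if temp >= T_LIMIT:
            return peak, True
    return peak, False


def cooler_threshold(ua_lo=0.0, ua_hi=1.0e6, iterations=40):
    """Bisect UA (W/K) between a value that runs away (ua_lo = 0 is adiabatic) and one that does not.
    Returns (ua_runaway, ua_safe): the largest UA seen to run away and the smallest seen to hold."""
    if not simulate_batch(ua_lo)[1] or simulate_batch(ua_hi)[1]:
        raise ValueError("bracket does not straddle the runaway threshold")
    for _ in range(iterations):
        mid = 0.5 * (ua_lo + ua_hi)
        if simulate_batch(mid)[1]:
            ua_lo = mid
        else:
            ua_hi = mid
    return ua_lo, ua_hi


def fouling_check(ua_design, fouling_factor=0.7):
    """Does the cooler still hold the batch after fouling has cut its UA to a fraction of the clean value?"""
    return {
        "clean_runaway": simulate_batch(ua_design)[1],
        "fouled_runaway": simulate_batch(ua_design * fouling_factor)[1],
    }


if __name__ == "__main__":
    print("no cooling (adiabatic):", simulate_batch(0.0))
    ua_runaway, ua_safe = cooler_threshold()
    print(f"cooler capacity at the runaway threshold: about {ua_safe:,.0f} W/K")
    print("sized exactly at the threshold:", fouling_check(ua_safe))
    print("sized with 50 % margin:", fouling_check(1.5 * ua_safe))
```

The point to take from running it is that the threshold is a cliff edge, not a slope: a cooler sized to hold the clean batch by a small margin fails as soon as fouling or a tired circulation pump takes a fraction of its duty away, which is why the notes ask for surplus surface area and for the reliability of the cooling loop to be assessed as a safety matter.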

The reliability has to be assessed as part of the process safety; a weak link could be disastrous. Typical
exothermic reactions involve hydrogenation and oxidation, but polymerisation reactions also have exothermic
potential. Increasingly, fine chemical processes use small-scale batch reactors with elegant chemistry which
also have the potential for exothermic runaway.

There are some possible twists that require consideration with catalysts. Some catalysts are very selective
over a limited temperature band and become non-selective outside that band, creating adverse by-products
which may cause product contamination or reactive by-products. As a generalisation, catalysts
also have to be raised to a critical temperature before the reaction can take place, and if they cool too
much the reaction will die or stop. The critical temperature is case specific: in the partial combustion of
methanol to make formaldehyde it is about 850°C, but in others it can be as low as 60°C. Catalysts can also
become poisoned by impurities; this can be used to kill a runaway reaction, or it may require careful
control of the quality of the reactants to avoid poisoning the catalyst.

The safety of a chemical reactor design should be treated on an individual basis. The following hints may
find application.

1. Reduce the inventory of reactants and products as far as practicable.

2. Dilute the reactants with an inert fluid (to increase the heat sink) if the reaction is exothermic and fast.
This slows the rate of temperature build-up; it does not arrest it. Temperature control is still vital. The
heat can then be removed by cooling the batch with an internal or external cooler or by allowing the inert
fluid to boil and then be returned as liquid from a condenser.

3. In exothermic reactions ensure that there is an excess of cooling capacity - design the cooler
(condenser) for the worst possible reactor temperature conditions and if necessary add some extra
surface area against internal and external surface fouling or fall off in performance of the recirculation
pump(s).

4a. Avoid stagnant flow areas in reactors where catalysts may settle out (particularly in a continuous back
mixed liquid phase reactor) or where vigorous side reactions may be initiated in liquid phase reactions.
Enhanced mixing may be required following flow modelling.

4b. Ensure vigorous vertical and radial mixing in liquid phase reactions.

4c. Locate the inlet branches on the reactor such as to assist the mixing process. This may require a
detailed analysis of the fluid dynamics in the reactor. (Model tests have simulated complex flow regimes
within reactors, including a switching from one flow regime to another.)

5. Install a coolant quench which will flood the reactor with a cold inert fluid, so cooling the reaction below
an initiating temperature or dump the reactants into a quench tank. (This is used in the nitration of
glycerine.)

6. Install a catalyst kill system.

7. Carefully sequence and control the rate of addition of the reactants (and catalysts if applicable) into the
reactor to avoid high rates of temperature rise (a variant of 2).

8. Monitor the temperature of the bulk of reactor at many points to locate "hot spots" particularly on fixed
bed exothermic reactors.

9. Monitor the reactor for deviations in level, temperature, flow, pressure, catalysts, imbalance in reactant
flows and abnormal residence times.
10. Monitor the feed reactant qualities to determine if abnormal adverse impurities are present.

11. Monitor the reactor effluents for evidence of adverse chemical reactions - for example oxides of
carbon in hydrocarbon oxidation processes.

12. In the ultimate case it may be appropriate to install bursting discs which rupture and depressurise the
reaction process to a safe disposal point. This is the Design Institute for Emergency Relief Systems (DIERS)
approach. The rate of reaction is reduced by the adiabatic expansion of the reactor contents, and the
reactants ejected in the venting process are collected at the disposal point.

This is a specialised design process.

It has to be analysed and assessed by the hazard studies 1 and 2.

The list is not complete but is meant to be indicative of the range of potential controls which may be
required.

The problems with reactors are many; these are just some:-

Runaway following loss of cooling
Channelling and hot spots
By-product formation if operated outside closely defined conditions
Reactant slippage (incomplete conversion)
Catalyst poisoning
Explosive decomposition of reactants/products

The monitoring and control of the reactor is fundamental and special shutdown features are imperative to
avoid hazardous conditions. Shutdowns could involve arresting the feed of one of the reactants, dumping
the reactants, adding a kill reagent to arrest the reaction, oversizing coolers to give adequate safety
margins, or depressurising the reactor to reduce the reaction rate. There are no rules, only a series of
strategies developed from the knowledge of the reaction, its by-products and the catalyst used.

The objective of the design must be to prevent an untoward event and, if it cannot be totally prevented,
you should reduce it to an acceptable magnitude and frequency.

It follows that there has to be a detailed understanding of the reaction characteristics as well as the
catalyst characteristics for efficient and safe operation.

This requires a detailed dialogue between the Chemist and the Chemical Engineer.

The following are some historic problems which have occurred:-

Seveso

In this reaction no harmful by-products were expected but it was believed that superheated steam in the
steam heating coil created a hot spot. The reaction was generally endothermic but the reaction which
produced dioxin was exothermic and once initiated on the hot spot it could not be controlled. (LPB 104)

Nitration of Glycerine



This reaction is generally a slow exothermic reaction, which is controlled by cooling. If the temperature
rises the reaction becomes more vigorous, as the Arrhenius equation shows. If the heat cannot be
removed fast enough the reaction will ultimately lead to the detonation of the nitroglycerine within the
reactor, with catastrophic results. The cooler is therefore oversized so as to prevent the thermal runaway
and, ultimately, the reactants are dumped into a sink of cold water which both cools the reactants and
dilutes the acids, so arresting the reaction.

Acetylene (Ethyne) Hydrogenation

A mixture of acetylene (ethyne), ethylene (ethene) and ethane is passed over a palladium catalyst with
hydrogen. The reaction is exothermic but the flow of hydrogen is controlled at the stoichiometric amount
to convert ethyne to ethene. During a process upset, or if the reactor temperature exceeds fixed values, the
hydrogen flow is stopped. If the hydrogen flow is not stopped but the hydrocarbon flow is stopped, the
reaction will carry on, eventually leading to the hydrogenation of ethene. The reaction temperature rises and
can eventually reach temperatures which initiate decomposition of the ethene, leading to an explosive
detonation. As a result a leaking (passing) hydrogen valve can create a reactor explosion, and the shut
down system and the integrity of the isolation of the hydrogen are safety critical.

Hydrocarbon Oxidation

Many synthetic fibres are produced by air oxidation of hydrocarbons. Nylon starts with the air oxidation
of liquid cyclohexane and Terylene starts with the air oxidation of liquid paraxylene. In general the
reaction is self-regulating as the hydrocarbon is in excess in the liquid phase and the air flow is controlled
to maintain the correct conversion ratio. If the air flow rises, more heat is produced and more
hydrocarbon is vaporised and condensed and returned to the reactor so maintaining the reactor in a
stable regime. If the air is not internally mixed there can be localised hot spots at the air inlet pipes which
result in the combustion of cyclohexane/paraxylene to produce Carbon Dioxide. This is called submerged
combustion.

The production of ethylene oxide is a gas phase reaction over a catalyst close to the lower flammable limit.
Once again there is the potential for an explosive decomposition of ethylene and/or ethylene oxide, so the
control of the reaction temperature and the oxygen/ethylene ratio is critical and involves a complex shutdown
system with majority voting (n out of m). (See Part D 8)
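Majority voting of the kind referred to for the ethylene oxide shutdown can be shown in a few lines. The Python below is an added illustration and is not from the original notes: the 260°C trip setpoint, the 10°C discrepancy tolerance, the sample temperature readings and the degradation rule (2oo3 with three channels in service, 1oo2 with one channel bypassed for maintenance, an outright trip with fewer than two) are all assumptions made for the example. It votes the channels that are in service and, separately, flags a channel that disagrees with the other two: a single outlier is far more likely to be a faulty transmitter than a real excursion, and should raise a maintenance alarm rather than be silently outvoted. The same voter would be applied to each trip parameter (temperature, oxygen/ethylene ratio) and the trip demands combined.

```python
from statistics import median


def moon_vote(readings, setpoint, m):
    """M-out-of-N high trip. Returns (trip, indices_voting_trip); trips when at least m of the
    n readings are at or above the setpoint. With m = 0 the result is an unconditional trip."""
    voting = tuple(i for i, value in enumerate(readings) if value >= setpoint)
    return len(voting) >= m, voting


def discrepant_channels(readings, tolerance):
    """Channels that disagree with the median of the group by more than the tolerance.
    Used to raise a transmitter-fault alarm; it never inhibits the trip."""
    centre = median(readings)
    return tuple(i for i, value in enumerate(readings) if abs(value - centre) > tolerance)


def degraded_m(n_healthy):
    """Assumed fail-safe degradation rule: 2oo3 with all three channels in service, 1oo2 with
    one channel bypassed, and an outright trip (m = 0) if fewer than two channels remain."""
    return {3: 2, 2: 1}.get(n_healthy, 0)


def evaluate_trip(readings, setpoint, tolerance, bypassed=()):
    """One scan of a three-channel high trip. bypassed lists channel indices taken out of service.
    Returns whether the trip is asserted, which channels demanded it, which channels look
    faulty (only assessed with three channels in service) and the MooN rule actually applied."""
    healthy = [i for i in range(len(readings)) if i not in bypassed]
    healthy_readings = [readings[i] for i in healthy]
    m = degraded_m(len(healthy))
    trip, voting_local = moon_vote(healthy_readings, setpoint, m)
    alarm_local = discrepant_channels(healthy_readings, tolerance) if len(healthy) >= 3 else ()
    return {
        "trip": trip,
        "voting": tuple(healthy[i] for i in voting_local),
        "discrepancy_alarm": tuple(healthy[i] for i in alarm_local),
        "m_of_n": (m, len(healthy)),
    }


if __name__ == "__main__":
    # Constructed reactor outlet temperatures (degC) with an assumed setpoint and tolerance.
    SETPOINT_C, TOLERANCE_C = 260.0, 10.0
    for label, readings, bypassed in (
        ("normal running", (255.0, 256.0, 254.0), ()),
        ("genuine excursion", (262.0, 263.0, 255.0), ()),
        ("one transmitter drifting high", (275.0, 256.0, 255.0), ()),
        ("excursion with channel 0 bypassed", (257.0, 262.0, 255.0), (0,)),
    ):
        print(f"{label:34s} -> {evaluate_trip(readings, SETPOINT_C, TOLERANCE_C, bypassed)}")
```

Two design points are worth noting. The voter degrades towards tripping, not towards running: taking a channel out for calibration makes the trip easier to reach, never harder, so a second failure cannot leave the reactor unprotected. And the discrepancy alarm is deliberately separate from the trip logic; its job is to get the faulty transmitter repaired before a second fault turns a 2oo3 system into one that either trips spuriously or fails to trip.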

Air Oxidation of Ammonia

Nitric acid is produced by the air oxidation of ammonia on an exotic metal catalyst at about 1000°C. The
Oxygen/Ammonia ratio is just on the lean side of the flammable limit. If the converter is lit at the wrong
ratio (ammonia rich) there could be an explosion and if the reaction is incomplete due to low catalyst bed
temperatures the Ammonia slip could result in the formation of Ammonium Nitrate. Ammonium Nitrate is
potentially explosive!

Bhopal

The full story of Bhopal is confused, but the likely cause was the systematic erosion of the safety systems in
the storage of a large quantity of methyl isocyanate (MIC). First, the material was contaminated with
chloroform (a by-product of the reaction process). Second, a refrigeration system was non-operational (it
had broken down and had not been repaired). Third, some pre-warning alarms had not been fitted. Fourth,
and this is not totally clear, the evidence indicates that the final link in the chain, a flare (also known as
a thermal oxidiser), was not lit. The initiating event appears to have been the inadvertent introduction of
water (Yes! Water!) into the storage. This initiated the exothermic reaction and decomposition of
the MIC, which was then vented through the flare stack. Inherent safety indicates that, had the
guideword "attenuate" been applied, the material would have been stored at low temperature (as was the
intent, but the refrigeration unit was not working); there was also another approach, namely to reduce the
quantity in storage.

To recap:

The problems with reactors are many; these are just some:-

Runaway following loss of cooling (following the Arrhenius equation)
Channelling and hot spots leading to by-products or loss of conversion
By-product formation if operated outside closely defined conditions
Reactant slippage (incomplete conversion)
Catalyst poisoning due to impurities in the feedstock
Explosive decomposition of reactants/products

The monitoring and control of the reactor is fundamental and special shutdown features are imperative to
avoid hazardous conditions.

Shutdowns could involve:

1. Arresting the feed of one of the reactants
2. Dumping the reactants
3. Adding a kill reagent to arrest the reaction
4. Oversizing coolers to give adequate safety margins
5. Depressurising the reactor to reduce the reaction rate by means of a bursting disc.

There are no rules, only a series of strategies developed from the knowledge of the chemistry of the
reaction, its by-products and the catalyst used.

The objective of the design is to prevent an untoward event and, if it cannot be totally prevented, reduce
it to an acceptable magnitude and frequency. Many potentially runaway processes are carried out
remotely.

D 5 Layout and Access

Layout involves placing incompatible equipment (or people) in different areas. Two incompatible items are
fired heaters and sources of flammable gases/liquids; this is a sensible example, as fired heaters would be at
variance with Hazardous Area Classification (Part D 7). Another incompatibility is people and moving
equipment such as drive shafts; this means fitting guards.

Other safety-related issues associated with layout are:

Access - Maintenance

All equipment which might require maintenance should be accessible by lifting equipment and/or means
of transporting it for repair at a workshop or other safe area. Lifting beams or davits should be fitted and
withdrawing space defined for heat exchangers, or dropping zones for other equipment. These lifting
systems require routine inspection. Clear access routes for moving large pieces of equipment
such as heat exchangers should be defined and kept clear. Moving loads have the potential for serious
impact and possible loss of containment. Loads passing over pressurised equipment are not
recommended. (See Access - Human.)

In addition, there should be safe access for those working on the equipment; this will involve safe access
to valves (for isolation), orientation of valves and safe access to the equipment as well as a safe escape
should there be an emergency.

All equipment, which has rotating parts, should be guarded to avoid contact with hands, feet, hair or loose
clothing.

All hot metal (and cold metal) should be lagged/shielded from contact by humans. Cold burns hurt as
much as hot burns!!!

Access - Human

Particular attention must be paid to access. Good access is required for operational, maintenance and
emergencies (escape of personnel and access for fire fighting and rescue). This is regrettably not always
achieved, as there is a loss of information exchange between design disciplines.

The following are some access problems which need attention during design.

1. Escape routes - It is a general rule that TWO means of access/escape are required; this is not always
possible at, say, the top of a distillation column, but for most structures it can be readily arranged.

2. Head clearance.

3. Valve access - should they be fitted vertically or horizontally and should the valve spindle move up or
down? Is there an excessive reach or twist of the body needed for access?

4. Position of valve spindles - do they protrude into an access way?

5. Position of ladders and stairways - ladders should not open onto a handrail due to the risk of falling over
the rail when leaving the safety cage.

6. Adequate means of ventilating vessels before entry - manholes, position of weirs and internals.

7. Space for pulling tube bundles.

8. Routes for equipment removal pumps, heat exchangers, pressure relief valves and the potential for
impact on pressurised equipment.

In the case of processes handling toxic or corrosive fluids it may be desirable to forbid access to certain
areas. In this case the design may have to cater for remote valve operation and instruments may have to
be located out of the restricted area.

Valves requiring routine operation should not be located in pits or other inaccessible areas.

Other areas where access should be restricted include areas with automatic CO2 fire protection and areas
where ignition sources could be present (e.g. analyser houses and switch rooms in process areas).



In addition to access to/from equipment and potential for injury, consideration must be given to
emergency access/escape. Single walkways should be an absolute minimum of 1m and preferably 1.5m
wide. Escape routes or routes where injured personnel may require stretchers must be at least 1.5m wide
and have sufficient access on landings to turn a stretcher. Headroom in all cases should be at least 2.25m.

The guiding question must be "can I get into and out of the area in an emergency, and can I assist an
injured person out of the area?"

When entering confined spaces under permit control TWO routes are preferred (or more) for both gas
freeing the space and then ventilation, but in some cases this may not be possible due to other design
constraints.

Access must also include access/reach to avoid back injury, so the location of valves, instruments and
access structures requires detailed analysis.

Access - Emergency Services

The need for medical access is obvious, but fire-fighters have different needs. They may have to set up
cooling firewater nozzles through 360°; these can be hindered by walkways or similar. Emergency services
may also require hard standing for fire engines (or ambulances) and easy access to fire water
ponds/hydrants.

Access - Lighting

The location of lighting with respect to equipment may cast shadows and personnel may trip and bump
into something. For half the year artificial lighting will be required on continuous process plants. The
placement of equipment and strip/floodlights requires care and skilful analysis to avoid dark
spots/shadows.

Spacing

It is self-evident that congested equipment creates potential air turbulence, which increases the over
pressure potential in a vapour cloud explosion (See also Part E explosions). An open, airy plant is
desirable, but it increases the capital costs and land usage. In general, a long, thin plant is better than a
square plant, but it requires more piping and financial constraints may lead to congestion.

As a rule of thumb, the projected area of the plant should be about 20 times the footprint area of ALL
of the major pieces of equipment. This will allow sufficient area for access for maintenance and also give
some segregation and allowance for Hazardous Area Classification. Sometimes the classified area
includes roadways. This is not a problem as, in general, it is not good practice to have vehicles driven
round a plant (due to the risks of road accidents and pedestrian injury). If access is required it can be done
under permit control and, of course, in an emergency, the access for Emergency Services will be under
supervised controls.

Remember that the layout is a three-dimensional study which also looks in the vertical plane. Condensers
will be above their receiver and pumps will be below their suction vessel. Should the pump be offset
such that a seal fire will not play on the vessel? (The offset is a good design principle.)

Segregation

Fired heaters are potential sources of ignition, but pumps are potential sources of both fuel and fires.
In general, pumps should not be placed close to or under other vulnerable equipment (as discussed
above).

Other potential problem areas are agitator shafts, filters and other equipment opened up frequently
where process fluids may be trapped or released.

Layout is a complex issue which is more experience than rule based. These notes are an attempt to
record some of the generalizations. In the final analysis there is an engineering limit to the spread of
the equipment due to increasing costs and operational costs. Layout is eventually a risk-based decision.

Layout is, therefore, dictated by the laws of Chemical Engineering as well as Safety and Loss Prevention.

D 6 Overpressure Protection or Relief and Blow down Systems

Equipment is, in general, not designed for the worst case imposed pressure. For example it may not be
possible to design a vessel to contain liquid methane at ambient temperature, as the design pressure and the
stresses in the vessel walls would be excessive. All materials have an ultimate stress limit which will dictate
the pressure limitation. Overpressure can be mitigated by a pressure relief valve (PRV) and its disposal
system. The pressure relief system should be designed for the greatest credible flow. For example, it is not
realistic to expect all fire relief valves to lift together and discharge into the headers, but it is possible that
many valves will lift on cooling water failure, or for discrete sections of the plant to be engulfed in fire.

The sizing of the pressure relief valve for any one piece of equipment should address all of the upset
conditions which might occur.

The following conditions could result in an overpressure and so require a little more detail.

1. The total or localised failure of the power supply, this allows liquid levels to build up. Localised failure
of power may result in an obstruction to flow at some point in the process line.

2. The failure of the cooling system, be this water or refrigerant (see also 6b below), while heating sources
are still in operation.

3. Failure of heating systems, which might result in high viscosity fluids and restricted flow.

4. Localised instrument failure on the exit flow out of a vessel or into a vessel. This may cause a control
valve to open or close. An opening control valve may result in a high pressure to low pressure blow-by
(see also 9 below) and a closed valve may result in the isolation of the system or loss of control.

5. The total failure of the instrument air supply, which allows all valves to move to their predetermined
(fail) position. This requires a careful review. Many valves will close on air failure BUT some should open,
particularly if they control the cooling cycle.

6a. The failure of a pump, this might allow liquid levels to build up, or the loss of a coolant circulation.
Pumps are usually provided to increase pressure and flow rates.

6b. The failure of a compressor, which stops forward flow of gases or stops a refrigerant system (see 2
above).



7. The dead head of a pump or compressor, with the dead head over pressuring the piping. (This is
particularly important with a positive displacement pump or compressor where the peak flow is the swept
volume of the device.)

8. The failure of a heat exchange tube, with the gross leakage of fluids from the high to the low pressure
side. (It is assumed that the worst case scenario is two guillotined ends, with a clean split of the tube as
if cut by a guillotine.) Sadly, the dynamics following the transient of forcing out liquids to allow a gas
channel to the relief valve could be such as to cause the vessel to rupture if the tube split is "sudden" (high
pressure gas on tube side cooling water on shell side). Fortunately sudden total severance is very rare and
is indicated initially by leakage.

9. Interconnections, such that fluids may flow from one part of the plant to another (including a change
from liquid to gas - i.e. blow-by). This is a particular problem with complex inter-connecting drains
systems. (see 4 above)

10. Blow out or purging, which might result in an excess flow of high pressure gases into a low pressure
system. It is most likely to occur during preparation for inspection and particularly with atmospheric
storage tanks.

11. Blockage of piping due to solids or ice or the physical isolation of the cold side of the heat exchanger
with the heating side still flowing. Consider also the thermal expansion of fluids, which are isolated and
trapped between two closed valves due to fire or solar radiation.

12. Operator error, which results in loss of flow or reverse flow. One such example might be the isolation
of one side of a heat exchanger while the heating fluid is still flowing.

13. Fires under vessels which result in gross heat input to vessels. (See later)

14. Chemical reactions, which result in the release of large volumes of gases. See Part D 4; this may
require a complex assessment of the rates of pressure rise and the effects of multi-phase flow through the
device. In general the solution will require the installation of a full flow bursting disc (DIERS) and a
collecting/disposal system.

15. Control valve bypass too large for the process. (See also 4 & 9 above.)

16. Others: it should also be noted that low pressure tanks are particularly vulnerable to over pressure caused
by rapid filling or overfilling. They can also be over pressured by the rapid boiling of water heels beneath oil
or process liquids whose temperature is in excess of 100 °C (boil over/froth over) or by volatile fluids dropped
into hot oil. Likewise consider the effects of a roll-over.

Note that there is a move to use instrumented protective systems in place of pressure relief valves. The
assessment MUST take into account any leakage passing the final shut off valve. This can be more
complex than first thought particularly in the case of hydraulic systems.

Examples of under pressure conditions are:-

1. The draining down or pumping out of a vessel.

2. Cooling a vessel with a cooling coil.

3. Condensing steam in a vessel when the weather changes or cold fluids are put into the vessel.

In the case of heavy duty process vessels the design may already cater for full vacuum in which case under
pressure is not a consideration but this will not be the case with low pressure storage vessels.

Relief Devices

There are two main categories of relief devices: pressure relief valves and bursting discs. We will look
briefly at each type.

Pressure Relief Valves

There are three main types of relief valve:-

Pilot Operated

This valve gives good seating/sealing at high pressure differentials. It also has an on/off snap
action which makes it particularly useful for atmospheric dispersion.

Balanced Bellows

This valve is particularly useful on high back pressure systems where there is a high pressure
drop in the header. However, the vent in the bellows must never be plugged or lead to the
flare system.

Conventional

This valve is simple and effective but it can chatter if there is a high back pressure or low flow.

Bursting Discs

Normally used on heat exchangers where there are high pressure gases on the tube side and fast response
is required.

The Rupture Disc

This disc is designed to burst and tear out. Its setting is not very accurate.

Reverse Buckling Disc

This disc is designed to flip and come out of a holder. The setting is very accurate but it must
be put in the correct way, bowing into the pressure, or else it will operate at the wrong
pressure.

It is worth indicating some fallacies about relief valves.

1. A pressure relief valve will not protect a gas filled vessel from rupture in a fire. It maintains the pressure
while the wall softens and eventually ruptures. This can also occur in the vapour spaces of vessels. Good
design will also include depressurising systems.

2. A pressure relief valve opens relatively slowly due to inertial effects, and will not necessarily protect a
vessel against a very high pressure gas burst tube. Bursting discs are more effective. They will not protect
against explosions.

3. A relief valve sized to handle x volumes of gas per minute will only handle a fraction of the flow as
liquid. Mixed flow is a more complex and special design case.

4. A control valve designed to pass liquid will pass an enormous volume of gas, so much so that a
downstream pressure relief valve could be overloaded by 'blow by'. (See item 9 under D 6 above.)

Given the critical analysis that has to be undertaken in making the correct selection of a particular valve
for a particular task it will be appreciated that it is essential that relief valves are not subject to tampering.
Subsequent substitution or replacement of a valve must only take place if it matches the original design
specifications and has been subject to a detailed review.

All relief valve calculations must be put into a Safety Dossier for future reference/review.

It is a safety requirement that every valve must have a name plate, as shown in American Petroleum
Institute Recommended Practice 520, displaying the following information:-

Size

Type

Set Pressure

Back Pressure

Capacity at Over Pressure

Cold Differential Test Pressure

Serial Number

It is worth noting that the designation of a pressure relief valve is dictated by flange sizes (inches nominal bore) and
the size of the orifice, e.g. 4P6 means 4" inlet, 6" outlet, where P is the code letter for a particular orifice size. The
set pressure is the same as the lift pressure. However, the cold differential test pressure may not be the
same, as it makes allowance for back pressure and thermal effects.

Factors Affecting Release Rates

General

Having assessed the source of the overpressure condition the designer must now consider the amount of
fluid (liquid or vapour) that has to be removed to prevent the overpressure or under pressure of the piece
of equipment. Some allowance can be taken for the elevation of the boiling point of the fluids due to the
pressure accumulation (10%) due to the lift characteristics of a Pressure Relief Valve (PRV). See Sizing of
Pressure Relief Valves Process Load below.

The designer has to decide which condition produces the highest release rate and under what condition.
This is not always as simple as it might seem and requires a systematic approach examining all of the
possible causes. Certain vessels are completely full of liquid and a vapour space may have to be generated
before a vapour relief route is available. This may affect the sizing of the relief valve and the flare headers.

All conditions must be checked and the worst condition established.

It is normal to size the protective pressure relief valve on 'single jeopardy' conditions - that is, only a single
failure event. In general this will be realistic but the designer has to be aware that two events may occur
together and create an even worse condition. There are no hard and fast rules for this and any such causes
should be identified in a Hazard and Operability Study (see earlier).

The results of all of the studies are committed to record (and future audit) in data sheets in a safety
register.

Experience shows that, in general, there are two dominating cases: the first is the effect of the maximum
heat flow into the system without any cooling and the second is the effect of the maximum heat flow from
a fire. This is not always true, however, and all cases must still be checked.

Once the likely release rates have been identified, the designer has to decide what type of relieving device
should be installed as above.

D 7 Sizing of Pressure Relief Valves (PRV)

This requires detailed calculations which should be independently verified. The size of the pressure relief
valve orifice increases by about 50% per size. This means that a duty at the cusp between two
orifice sizes has to be handled with care. If the LARGER size is selected the result may be on/off flow; if the
smaller is chosen and the pressure drops are not assessed properly there is the risk of chatter or feathering,
where the valve does not open cleanly and the cycling leads to damage to the seat of the valve.

Valves usually have a specification change INSIDE the body itself. The inlet must of course satisfy the
process conditions but the outlet could be of a lower rating, e.g. class 150 lb against a class 300 lb inlet, shown by a
spec change running across the valve.

The sizing follows the compressible/incompressible flow equations but Cd is taken as 0.975 (or the valve
designer's figure) together with a number of other factors which allow for:-

Back Pressure

Fluid Viscosity

Valve Characteristics, etc

Always read the designer's literature and ask him/her to verify your calculations. Normally relief devices
are set by codes about 10% above operating pressure for many good reasons, some of which are:-

The actual set pressure is often the MAXIMUM ALLOWABLE WORKING PRESSURE (MAWP). However,
dependent on the codes, the valve does not normally reach full flow until 10% over pressure is reached.
This allows the valve to open then "float" to give a steady "blow". Inlet pressure drops are limited to 3% of
set pressure to avoid "chatter". [Think of what would happen if the inlet pressure drop were high. The PRV
would open, then the pressure at the valve would fall so it would reseat. The static pressure would now lift
the valve again and the cycle goes on.]

Process Load

Consider now for example a heater. As the pressure rises, the boiling point also rises and it is theoretically
possible for a process to "stop boiling". A classic example could be a reboiler on a distillation column. In
practice the elevation of the boiling point reduces the log mean temperature difference such that the
relief capacity could be less than the process duty. All of this is covered by heat transfer.

Demand (kg/unit time) = HEAT LOAD / LATENT HEAT

All values at 110% of MAWP.

Fire Load

In the case of a fire it is normally assumed that flames can be up to 15 metres high (an arbitrary number which
was 50 feet prior to metrication). Some allowance is made for the fire protection but heat will still reach
the vessel. In any totally full vessel the liquid will expand when heated and dribble out of the relief valve.
As the temperature increases the liquid will boil off low molecular weight gases. These in turn must displace
liquid before they can discharge freely (that is, a two-phase flow will pass through the relief valve). At
higher temperatures higher molecular weight gases will pass through the relief valve. This may influence
the final sizing of the relief valve (the two-phase flow regime may dictate the final sizing).

The sizing for fire is somewhat different and is covered by the American Petroleum Institute codes.

1) Determine the "wetted area" that is the likely highest liquid level in the vessel including walls and
dished ends.

2) Add a notional value for piping etc.

This is the area through which heat may flow - as in a "kettle".

3) Use Table D 7.1 below to determine the heat flow into the vessel - note it is not linear.

4) Determine the "demand" as above.

5) Size your valve accordingly.

The heat flow into a vessel assaulted by fire varies with the exposed or wetted area (A m²) according to
the following:

Wetted area A (m²)        Heat flow (kW)

0 - 18.6                  63.1 A

18.6 - 92.6               224.3 A^0.566

92.6 - 260.1              630.4 A^0.338

> 260.1                   43.2 A^0.82

Table D 7.1 Heat flow into a vessel assaulted by fire, kW

As with all design, the sizing of relief valves is very much RULE DRIVEN and various extenuating factors are added
such that the final assessment often looks like "a fix". One set of such "fixes" is found for relief
valves in fire: there are factors for "LAGGING" and factors for "SURFACE DRAINAGE". Each is less than
1. The lagging factor is usually 0.3 for securely held process lagging.
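The fire sizing steps and Table D 7.1 worked through in code, as an added example that is not part of the original notes: wetted area, piping allowance, heat input by the piecewise table, lagging credit, and Demand = HEAT LOAD / LATENT HEAT. The vessel geometry (a flat-bottomed vertical cylinder), the latent heat and the credit factor in the demonstration are constructed values.

```python
"""Fire-case relief demand from wetted area (added worked example).

Implements the five-step fire sizing procedure and Table D 7.1 above:
wetted area -> heat input -> vapour demand = HEAT LOAD / LATENT HEAT,
with the lagging credit applied as a multiplier on the heat input.
The vessel dimensions, latent heat and credit factor used in the
demonstration are constructed values, not taken from any real design.
"""
import math


def fire_heat_input_kw(wetted_area_m2: float) -> float:
    """Heat flow into a fire-engulfed vessel in kW per Table D 7.1
    (piecewise; note the exponents, it is not linear above 18.6 m2)."""
    a = wetted_area_m2
    if a < 0:
        raise ValueError("wetted area cannot be negative")
    if a <= 18.6:
        return 63.1 * a
    if a <= 92.6:
        return 224.3 * a ** 0.566
    if a <= 260.1:
        return 630.4 * a ** 0.338
    return 43.2 * a ** 0.82


def wetted_area_vertical_cylinder(diameter_m: float, liquid_height_m: float) -> float:
    """Step 1: area in contact with liquid for a flat-bottomed vertical cylinder
    at the highest likely liquid level (shell strip plus bottom plate).
    Dished ends are not modelled; this is a simplification for the example."""
    if diameter_m <= 0 or liquid_height_m < 0:
        raise ValueError("invalid vessel geometry")
    shell = math.pi * diameter_m * liquid_height_m
    bottom = math.pi * diameter_m ** 2 / 4.0
    return shell + bottom


def relief_demand_kg_per_h(heat_load_kw: float, latent_heat_kj_per_kg: float) -> float:
    """Step 4: Demand = HEAT LOAD / LATENT HEAT, with the latent heat taken
    at relieving conditions (110% of MAWP per the notes)."""
    if latent_heat_kj_per_kg <= 0:
        raise ValueError("latent heat must be positive")
    kg_per_s = heat_load_kw / latent_heat_kj_per_kg   # kW / (kJ/kg) = kg/s
    return kg_per_s * 3600.0


def fire_case(diameter_m, liquid_height_m, piping_allowance_m2,
              latent_heat_kj_per_kg, lagging_factor=1.0):
    """Run steps 1 to 4 and return the intermediate figures.

    lagging_factor: credit for securely held fire-rated lagging; the notes
    quote 0.3 as usual and 1.0 means no credit (bare vessel). It must lie
    in (0, 1] because every such factor is less than 1.
    """
    if not 0.0 < lagging_factor <= 1.0:
        raise ValueError("lagging factor must be in (0, 1]")
    wetted = wetted_area_vertical_cylinder(diameter_m, liquid_height_m)
    area = wetted + piping_allowance_m2                  # step 2
    bare_heat = fire_heat_input_kw(area)                 # step 3
    credited_heat = bare_heat * lagging_factor
    return {
        "wetted_area_m2": round(area, 3),
        "heat_input_kw": round(credited_heat, 1),
        "demand_kg_per_h": round(relief_demand_kg_per_h(credited_heat,
                                                        latent_heat_kj_per_kg), 1),
    }


if __name__ == "__main__":
    # Constructed example: 3 m diameter, liquid to 6 m, 5 m2 piping allowance,
    # latent heat 300 kJ/kg at relieving pressure. Compare bare with lagged.
    bare = fire_case(3.0, 6.0, 5.0, 300.0)
    lagged = fire_case(3.0, 6.0, 5.0, 300.0, lagging_factor=0.3)
    for label, result in (("bare vessel", bare), ("lagged vessel", lagged)):
        print(f"{label}: area {result['wetted_area_m2']} m2, "
              f"heat {result['heat_input_kw']} kW, "
              f"demand {result['demand_kg_per_h']} kg/h")
```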

Disposal Routes Relief Headers and Flare Stacks (Thermal oxidisers)

The design of the relief headers should pay particular attention to drainage; lutes (U traps) are to be
avoided, as are two-phase flow in the form of slugs and the mixing of water and cryogenic fluids, which
could cause the blockage of relief lines.

The designer should choose the disposal point for the fluid very carefully. If the vapours are to be burnt in
a flare stack (also known as a thermal oxidiser) there should be a liquid knock out drum and a liquid
disposal system before the gases enter the stack. There must also be adequate gas purging to avoid
oxygen ingress as well as a reliable pilot system.

Flare stack areas are often remote from the plant to allow for high thermal radiation and liquid drop out.
Process equipment should not be installed in areas of high thermal radiation.

Low level ground flares are becoming more common but the reliability of the pilot system must be
exceedingly high. Where multistage burners are switched on by pressure switches their reliability must be
adequate.

Low flow vents as well as high velocity vents for steam and inert gases can discharge directly to
atmosphere if the gas dispersion is adequate and it is not pollutant. Toxic and corrosive vent gases,
however, may have to be processed through a wash/scrubber system or even an incinerator to absorb,
neutralise or destroy the harmful components of the gases.

Headers Sizing

The sizing of headers does not assume the "worst on worst" case, or else they would be very heavy and
very large. Normally fire relief is based on "Fire Zones or Areas"; these may be 20 to 30% of the plant area
and are treated as "moving circles" to capture the worst combination. Process relief may be sized for "works
power failure" or "local power failure", whichever is the worse. A total power failure may result in a shut
down with no heat flow into equipment, but a local failure could produce a flooded condenser and
produce a high demand.

The header sizing must now consider:

Pressure Drop

Effects of back pressure on relief valves

Drainage slope

Single or two phase flow

Sequence in header

(Low set pressure nearest the low pressure exit not the high pressure closed end).

Flare stacks merit a learned document in their own right!

D 8 Hazardous Area Classification

Hazardous Area Classification follows on from the Dangerous Substances and Explosive Atmospheres Regulations.
It is quite a simple concept: it requires that the quality of electrical equipment is matched to the likelihood
of there being flammable gases present, so it is risk based. In areas where flammable fluids are
likely, the quality of the electrical equipment must be such that sparks, for whatever reason, are very unlikely
indeed.

Hazardous Area Classification methodologies, of which there are many, are based on the likely presence
of flammable vapours. They do not consider the effects of an emergency such as a full bore rupture of
piping. However, fittings do leak and there could be a small plume of flammable gas round plant fittings.

The following is a very general presentation of the topic - each company or code will have its own
approach which will probably be based on this model.

Sources of Fuel

There are three main sources of flammable gas:

Continuously present where flammable gas is present such as inside vessels or sumps.

Frequently present where flammable gas is expected during normal operation such as:

Bund areas

Sample points

Near pump seals

Tanker loading points

Atmospheric Storage Tank breathers

Analyser houses

Filters opened frequently for cleaning

Vents and drains in frequent use

Infrequently present where flammable gas is not expected during normal operation:

Flanges

Blanked vents and drains

Compressor seals (away from the immediate area)

Filters opened very infrequently

It is self evident that for safe design every effort should be made to reduce these sites by all engineering
methods available.

Classification of Zones

It is normal to review the classification in a pragmatic way. If there are many flanges in an area the
judgement may be that overall some leakage could be expected during normal operation. The durations
have no scientific basis, other than they are based on engineering judgement and experience and that
they work.

Zone 0: flammable gas is expected over 1000 hours/year

Zone 1: flammable gas is expected 10 to 1000 hours/year (cross hatch in Fig D 8.1 below)

Zone 2: flammable gas is expected up to 10 hours/year (single hatch in Fig D 8.1 below)

Non-Hazardous: flammable gas is not expected by virtue of its location and the equipment in this area.

Note: non-hazardous does not mean safe it only means that hazards are not expected.

Extent of the Hazardous Zone

The extent of each zone depends upon the following factors:

the type of hazard (possible outflow)

the effectiveness of ventilation

characteristics of the released flammable liquid, gas or vapour, particularly whether it is lighter or
heavier than air

the layout of equipment

For the extent of each Zone, reference may be made to relevant codes, e.g.

Institute of Petroleum

American Petroleum Institute

British Standards

Corporate Codes

HSE Guidelines - Quadvent

Code Distances

Each code will have slightly different distances for the extent of the three zones. It is not appropriate to
quote them in detail but do not mix two codes, use one in its entirety.

It will be noted that the metrication of the imperial distances has produced a false sense of accuracy due to
the introduction of a decimal place! This is not a reality. The original distances were typically: 3 feet, 5
feet, 10 feet, 25 feet and 50 feet. These have become 1 m, 1.5 m, 3 m, 7.5 m and 15 m!

How is the risk of ignition reduced to an acceptable level?

1. Use an appropriate code to define the design requirements for those pieces of equipment which
may be used in the appropriate areas.

2. Draw a Petal Diagram. This is a series of intersecting arcs taken from each leak site.

3. Rearrange layout as necessary.

4. Install only appropriate equipment within defined Zones.

5. The distances round equipment are based on sound judgement - no one measures them with a
tape, but some classification methods do attempt to be more analytical. Each classification
method, be it corporate or national, will define different distances and shapes round potential
leak sources where gas may be present.

The figure below, D 8.1, shows one possible method.

Cross hatch = zone 1 Single hatch = zone 2

Fig D 8.1 Area classification around source of hazard that is giving rise to explosive air/gas mixture
during normal operation

Electrical Standards and "Fitness" For the Zone

Electrical equipment must be matched to the likelihood of flammable gas being present. In the case of
Zone 0 the equipment must be intrinsically safe. This means that by its design it cannot produce
sufficient electrical energy to generate an incendive spark even in a failed condition. This is difficult with
portable instruments but is easier with fixed instruments. Some instruments can be made intrinsically safe
using Zener diodes or by fitting them outside vessels. By definition electric motors cannot be classified as
being intrinsically safe.

Intrinsically safe equipment is labelled as:

Exia or Exib

In Zone 1 areas there are two types of electric equipment preferred. In this case electrical equipment
could be a motor or an instrument.

1. Pressurised and interlocked to shut down if pressuring fails, designated "Exp"

2. Flameproof - that is, the flanges are specially designed to quench any flame, designated "Exd".

Note: If anyone disturbs the interlock on Exp or interferes with the flanges on Exd equipment the electrical
integrity may be lost.

"Exd" equipment is expensive and has to be inspected and checked for integrity on a regular basis so it is
not surprising that electrical equipment is only localised in Zone 1 areas when it is really essential.

In Zone 1 areas equipment with increased safety features and special internal clearances is sometimes
used and is designated "Exe". There is some debate about the use of Exe equipment in Zone 1. In Zone 2
areas the non-sparking equipment used is designated "Exn". "Non-sparking" does not mean "never
sparking".

"Fitness" for the Gas (Energy)

Gases are categorised into groups according to the ignition energy. See Fires Part E.

Group I contains the higher ignition energy gases.

Group IIA contains saturated gases such as Methane, Ethane and the paraffin series.

Group IIB includes unsaturated gases such as Ethylene or Propylene.

Group IIC includes Hydrogen and Acetylene.

"Fitness" for Gas (Auto Ignition)

Gases are further categorised according to their auto Ignition Temperatures. See also Fires Part E.

T6 means the maximum surface temperature must not exceed 85 °C under maximum load; similarly

T5 will not exceed 100 °C

T4 will not exceed 135 °C

T3 will not exceed 200 °C

T2 will not exceed 300 °C

T1 will not exceed 450 °C

Overall Fitness

Electrical equipment must not only satisfy the demands of spark frequency but it must also match the
demands of energy and temperature.
The figure D 8.2 below shows a typical name plate from an electrical motor. It will be noted that this unit
has a rotational speed of 30 Hz and a supply frequency of 60 Hz. It is a unit from a refinery which used
United States Standards. It will be noted that it is over specified, as this unit could be used with IIB gases
(ethene) while it will only be used for IIA gases (ethane).

In the example below the information of note is between the manufacturer's name and the operating
characteristics. The crown with the letters Ex written within it is the symbol of the UK Certifying Authority
(BASEEFA). Also present is a BASEEFA number, 'BASEEFA No. EX811075'. This means that the equipment of
this design and fabrication has a certificate number 811075 certifying its design and the specific conditions
under which it may be used. Also the Ex inside the hexagon is the EEC Certifying Authority symbol.

Figure D 8.2 Typical Motor Name Plate

Finally there is the code 'ExdIIBT4' - this contains the vital information regarding the fitness of the piece
of equipment for a particular use.

This motor is suitable for a Zone 2 area on an Olefine or paraffin processing plant.
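The three "fitness" tests of D 8 (zone, gas group, T class) applied to a name plate code such as the 'ExdIIBT4' above, as an added example that is not part of the original notes or of any certifying body's material. The zone table per protection concept, the IIA < IIB < IIC ordering and the T-class limits are those listed above; the single assumption beyond the notes is that 'ia' is the only concept accepted in Zone 0 while 'ib' is limited to Zones 1 and 2 (the IEC 60079 convention), and the auto-ignition temperatures used in the demonstration are illustrative.

```python
"""Checking an Ex marking against the zone, gas group and T class demanded.

Added worked example, not from the original notes or from BASEEFA. The
zone table for each protection concept, the IIA < IIB < IIC ordering and
the T-class surface temperatures are those listed under D 8 above. One
assumption goes beyond the notes: 'ia' is treated as the only concept
acceptable in Zone 0, with 'ib' limited to Zones 1 and 2 (the IEC 60079
convention). Auto-ignition temperatures in the demonstration are illustrative.
"""
import re

# Protection concept -> zones in which it may be installed.
PROTECTION_ZONES = {
    "ia": {0, 1, 2},   # intrinsically safe (assumption: the Zone 0 grade)
    "ib": {1, 2},      # intrinsically safe (assumption: not for Zone 0)
    "p":  {1, 2},      # pressurised, interlocked on loss of pressure
    "d":  {1, 2},      # flameproof enclosure
    "e":  {1, 2},      # increased safety (the notes record debate on Zone 1 use)
    "n":  {2},         # non-sparking
}

# Gas groups in increasing ignition sensitivity; equipment certified for a
# group also covers the groups below it (IIC covers IIB and IIA).
GAS_GROUPS = ["IIA", "IIB", "IIC"]

# Temperature class -> maximum surface temperature in degrees C (D 8 list).
T_CLASS_MAX_C = {"T1": 450, "T2": 300, "T3": 200, "T4": 135, "T5": 100, "T6": 85}

# Accepts the compact name-plate form ("ExdIIBT4") once whitespace is removed.
MARKING_RE = re.compile(r"^Ex(ia|ib|p|d|e|n)(IIA|IIB|IIC)(T[1-6])$")


def parse_marking(marking: str):
    """Split an Ex marking into (protection concept, gas group, T class)."""
    compact = re.sub(r"\s+", "", marking)
    m = MARKING_RE.match(compact)
    if not m:
        raise ValueError(f"unrecognised Ex marking: {marking!r}")
    return m.group(1), m.group(2), m.group(3)


def required_t_class(autoignition_c: float):
    """Least restrictive T class whose surface limit is below the auto-ignition
    temperature, or None if no class is cold enough. No safety margin is
    applied here; a real assessment would add one."""
    for t_class in ("T1", "T2", "T3", "T4", "T5", "T6"):
        if T_CLASS_MAX_C[t_class] < autoignition_c:
            return t_class
    return None


def is_fit(marking: str, zone: int, gas_group: str, autoignition_c: float):
    """Return (fit, reasons) from the three D 8 'fitness' tests: spark
    frequency (zone), ignition energy (gas group), surface temperature (T class)."""
    concept, eq_group, t_class = parse_marking(marking)
    reasons = []
    if zone not in PROTECTION_ZONES[concept]:
        reasons.append(f"Ex{concept} is not acceptable in Zone {zone}")
    if GAS_GROUPS.index(eq_group) < GAS_GROUPS.index(gas_group):
        reasons.append(f"group {eq_group} does not cover {gas_group} gas")
    if T_CLASS_MAX_C[t_class] >= autoignition_c:
        reasons.append(f"{t_class} surface limit {T_CLASS_MAX_C[t_class]} C "
                       f"is not below auto-ignition {autoignition_c} C")
    return (not reasons), reasons


if __name__ == "__main__":
    # The motor name plate in Figure D 8.2 reads ExdIIBT4; illustrative
    # auto-ignition temperatures are used for the three duties checked.
    plate = "ExdIIBT4"
    for zone, gas, ait in ((2, "IIA", 472.0),   # ethane, Zone 2: the notes' case
                           (0, "IIA", 472.0),   # same duty inside a Zone 0
                           (2, "IIC", 560.0)):  # hydrogen-rich duty, Zone 2
        fit, why = is_fit(plate, zone, gas, ait)
        verdict = "fit" if fit else "NOT fit: " + "; ".join(why)
        print(f"{plate} in Zone {zone} with {gas} gas (AIT {ait} C): {verdict}")
```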

D 9 Shutdown Systems

See also Part E 1 for the derivation of the theory of Shutdown Systems.

The design of shutdown systems and the ability to test them correctly requires skills which are outwith
this course. It must be noted that a shutdown system is designed with a reliability (Fractional Dead Time
[FDT] or Probability of Failure on Demand [PFD]) appropriate to the perceived frequency and magnitude of
the event (the Risk). In addition, it is essential that the complexity of the shutdown system does not
inhibit safe and reliable operation. Shutdown systems sometimes have to be overridden to facilitate start
up (for a low level or low pressure shutdown, the shutdown system must be inhibited until a level or
pressure is established). The design of the override is complex and it must not be used indiscriminately.

The elements are:


1. A shutdown valve itself
2. A detector or switch
3. A means of converting the signal into a means of shutting an emergency shutdown valve.

The Shutdown Valve is an on/off device which is held open by an air or hydraulic oil supply.

The detector may be a pressure switch, which operates at a preset pressure, a level switch which operates
at a fixed level, or a temperature switch which operates at a preset temperature. The design of these devices
varies between designers and in some cases they are standard control measurements which are triggered
at set points as an on/off signal. The output signal is often electrical and is used to hold a solenoid valve
open; loss of power causes the solenoid valve to change its position and interrupt the air or hydraulic oil
supply to the Emergency Shutdown Valve (ESDV), that is, it fails safe.

Fail safe means that the system assumes the worst case scenario; a trip may turn out to be a "fail to nuisance"
(spurious) one, but it must be assumed that the operation is real. See also Part G on testing Shutdown Systems.

Figure D 9.1 Simple Shutdown Circuit

An arrow on the ESDV shows the manner by which it shuts on loss of signal. Up = open and down = closed.
The figure above shows the SOV venting the fluid on operation.

The shut down system must be tested routinely in order to assess its performance and to correct any
failures. The test must be real (it must synthesise the demand state correctly and all elements must be proved to work,
including the ESDV). This requires a test facility which allows all elements of the shut down to function
properly without the plant being shut down. This is usually achieved by installing a device which prevents
total closure of the ESDV (or plant shutdown). During testing, the shutdown system has to be inhibited,
leading to TRIP TEST DEAD TIME. The design of the test facilities and the test programme requires detailed
analysis and obviously consideration has to be given to means of overriding the test facilities, should a
genuine plant upset occur during the testing (TRIP TESTING). As already discussed, sometimes the
shutdown has to be bypassed to facilitate start up of the process. This creates potential hazards if the
bypass is left in place. The design can incorporate automatic resets of the shutdown or key controlled
bypasses, controlled by rigorous procedures, which can only be operated by senior personnel. If the
system is not restored to the operating state, a factor for HUMAN UNRELIABILITY results.

In some shutdown systems it may not be acceptable to override the trip for testing purposes. A fully
redundant trip system is then installed as below, figures D 9.2 and D 9.3.

Each sensor and valve can be tested routinely with no interruption to the process.

In more sophisticated systems a failure of a sensor or valve may cause a process upset, so a new strategy is
adopted: redundancy, where Two out of Three (2 o o 3) sensors are fitted and each is fed into a logic
or voting system, which votes any 2 out of 3 to initiate a shutdown. Failure of any one part of the shutdown
system will reduce the system to 1 out of 2.

The circuit looks as follows:

Figure D 9.2 Two out of Three Voting Circuit

Any 2 sensors operating will cause a shutdown; one sensor operating spuriously will not cause a shutdown
and so can be tested on line.

The shutdown valves can now be lined in parallel such that one valve can be closed at any time without
causing a full shutdown.

Figure D 9.3 Shut Down Valve with Test Valve in Parallel

Ultimately, 6 sensors could be used, 3 to close valve A and 3 to close valve B; this is a fully
redundant shutdown. The whole system can be fully tested without any Trip Test Dead Time. Nuclear
shut downs are one level more complex and use multiple shut off valves in series. Even this can be devised
to be tested on line.

THE DESIGN AND TESTING OF SHUTDOWN SYSTEMS IS AN ART/SKILL.

Comparison of Protective Systems (Redundant Systems)

Not all protective systems are simplex, some are redundant. The fractional dead time for the system alone
then becomes as follows:-

System       Fail Safe Fault Rate    Fail to Danger Fault Rate    Fractional Dead Time
             (faults/year)           (faults/year)

1 out of 1   S                       F                            FT/2

1 out of 2   2S                      F²T                          F²T²/3

2 out of 2   2S²T                    2F                           FT

1 out of 3   3S                      F³T²                         F³T³/4

2 out of 3   3S²T                    3F²T                         F²T²

Table D 9.1 Fail Safe/Danger rates for Redundant Protective Systems

Where: -

F = Fail to Danger Rate, faults per year

S = Fail Spurious or Safe Rate, faults per year

T = Test Interval, years

As a result the limiting FDT is as follows:-

1) 1 of 1 = 0.05

2) 1 of 2 = 0.005 - 0.001

3) 2 of 3 = 0.001 to 0.0005

See ALSO D 12 - SIL

However, the typical test dead time for a 2 out of 3 system can tend to zero as on-line testing is possible.
The human element still remains.
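The expressions of Table D 9.1 above (FT/2 for 1 out of 1, F²T²/3 for 1 out of 2, F²T² for 2 out of 3, and so on) evaluated for each voting configuration, with the trip test dead time of an inhibited test added on top, as an added example that is not part of the original notes. The fault rates, test interval and test duration in the demonstration are constructed values; treating only 2 out of 3 as testable on line without inhibiting the trip follows the text above.

```python
"""Fractional dead time of simplex and redundant trip systems (added example).

Evaluates the expressions of Table D 9.1 above for a fail-danger rate F,
a spurious (fail-safe) rate S and a proof-test interval T, and adds the
TRIP TEST DEAD TIME a system incurs when the trip must be inhibited to test
it. Not part of the original notes; the rates, test interval and test
durations used in the demonstration are constructed values.
"""

HOURS_PER_YEAR = 8760.0

# Voting configurations whose sensors and valves can be proved on line
# without inhibiting the trip, so their test dead time tends to zero (D 9).
ONLINE_TESTABLE = {"2oo3"}


def table_d9_1(config: str, F: float, S: float, T: float):
    """Return (fail-safe rate, fail-danger rate, FDT) per Table D 9.1.

    F and S in faults/year, T in years. Valid for FT << 1, the usual regime.
    """
    if min(F, S, T) <= 0:
        raise ValueError("F, S and T must be positive")
    expressions = {
        "1oo1": (S,            F,              F * T / 2),
        "1oo2": (2 * S,        F**2 * T,       F**2 * T**2 / 3),
        "2oo2": (2 * S**2 * T, 2 * F,          F * T),
        "1oo3": (3 * S,        F**3 * T**2,    F**3 * T**3 / 4),
        "2oo3": (3 * S**2 * T, 3 * F**2 * T,   F**2 * T**2),
    }
    if config not in expressions:
        raise ValueError(f"unknown voting configuration {config!r}")
    return expressions[config]


def trip_test_dead_time(config: str, T: float, test_hours: float) -> float:
    """Fraction of the year the trip is inhibited for proof testing: one test
    of test_hours every T years, unless the configuration is testable on line."""
    if config in ONLINE_TESTABLE:
        return 0.0
    tests_per_year = 1.0 / T
    return tests_per_year * test_hours / HOURS_PER_YEAR


def total_fdt(config: str, F: float, S: float, T: float, test_hours: float) -> float:
    """Hardware FDT from Table D 9.1 plus the trip test dead time."""
    _, _, fdt = table_d9_1(config, F, S, T)
    return fdt + trip_test_dead_time(config, T, test_hours)


def degraded(config: str) -> str:
    """Configuration left when one channel of a 2oo3 system has failed or is
    under test: the notes state that it reduces to 1 out of 2."""
    return {"2oo3": "1oo2"}.get(config, config)


if __name__ == "__main__":
    # Constructed figures: F = 0.1 dangerous faults/year, S = 0.5 spurious
    # trips/year, tested annually (T = 1) with a 4 h inhibit per test.
    F, S, T, test_hours = 0.1, 0.5, 1.0, 4.0
    print(f"{'config':6} {'safe/yr':>9} {'danger/yr':>10} {'FDT':>9} {'total FDT':>10}")
    for config in ("1oo1", "1oo2", "2oo2", "1oo3", "2oo3"):
        safe, danger, fdt = table_d9_1(config, F, S, T)
        print(f"{config:6} {safe:9.4f} {danger:10.5f} {fdt:9.5f} "
              f"{total_fdt(config, F, S, T, test_hours):10.5f}")
    print("2oo3 with one channel under test behaves as", degraded("2oo3"))
```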

D 10 Standards of isolation

Standards of Isolation are at the interface between safe design and safe operation.

Equipment must be isolated from the process before it can be removed for maintenance (a statement of
the obvious) but valves do leak and do not form perfect seals against process fluids all the time. The
standard of isolation is determined by the perceived risk should the valve pass. A low pressure differential
and benign fluids will produce a low risk leak (in frequency or magnitude); however, as the pressure or driving
force increases the potential risk increases and a single isolation valve may be considered unacceptable
due to potential leakage. For a low risk the isolation can be a single valve. As the driving force or the risk
increases a new strategy is used: Double Block and Bleed (DB&B).

Figure D 10.1 A Double Block and Bleed Arrangement for High Pressure/Hazardous Systems

The removal of the sheet of metal in a double block and bleed involves venting the interspace between
valve B and the metal sheet D before closing valve B and removing the metal sheet at D. It is a strictly
procedure-driven event.

It is now necessary to isolate the process physically and totally. With the valves A and B closed, any leakage
through A is led to a safe place via valve C and the joint at D can be broken and a solid sheet of metal
inserted and clamped in place by tight bolts. This is called POSITIVE ISOLATION. This metal sheet is called
variously:

Slip plate, line blind or spade

With the sheet of metal held in place by tight bolts no leakage is possible into the work place.

When entering a vessel or confined space it is required that ALL SOURCES OF LEAKAGE INTO THE VESSEL SPACE
MUST BE POSITIVELY ISOLATED. LOCKED CLOSED VALVES ARE NOT ACCEPTABLE AS THEY CAN STILL LEAK!

Then the Environment must be tested for:-

Oxygen (20.8% v/v)

Flammables (Zero)

No moving parts

Toxics of any type, gas, liquid or nuclear (Zero)

Think very carefully should you be entering a harmful environment what requirements do you need to
ensure your life is not at risk?

The design and operation of isolation systems is fundamental to safety of the plant/personnel

D 11 Fire Detection and Protection

See Fires Part E where Detection and Protection Devices are explained

D 12 Safe Operation: the Role of Managers, an Introduction (see also Part F Advanced Management
Systems)

Introduction

Operating in a safe manner is very much an advanced study. It is impossible to summarise it into a
document such as this without missing a number of important features. These are a selection and by no
means all or approaching all of the features.

All of the problem areas that follow can be examined by Audits (Part F) and the problem areas
identified.

The operational problems can usually be traced back to one or more of the following: -

Loss of or Lack of Operational Knowledge (training)

Lack of Awareness (this is a variation of the above)

Management Relaxing Controls on Procedures

Management Losing Awareness

Fatigue or Stress Leading to Errors (I dislike the word carelessness)

Boredom and Complacency (leading to short cuts)

Operator Aging / Equipment Aging (a variation of the above but also includes maintenance)

Some causes are selected for use in a BEng course; others can be found in Part F.

Operational Knowledge

The skills and knowledge of the Managers and the Operating Team are possibly the most important
features in maintaining safe operation. The training of the manager may well have involved a degree of
grooming such that the skills were available when the manager took up the role. However, it is
impossible to learn all of the finer features of the plant and its peculiarities without experiencing them
first.

One final potential for loss of skills and knowledge is during the final run down of a Plant prior to shut
down and demolition when the best operations team is moved to a new plant and the second team is
left to carry on.

Hand over

One vital feature of the handover between Managers is the listing of the equipment, the problems
experienced, the problems to look out for and how to handle them. This is the downward knowledge
transfer. There is a second source of knowledge to be found in databases of that type of process. Both are
essential reading. Finally the operators can (and will) tell you some stories about their operating
problems!

The shift or team hand over is equally important and should contain a list of the Permits in operation, the
process status, and any concerns or work that has to be carried out, such as the preparation of a piece of
equipment for maintenance.

Handover, both in a Management Role and in a Shift Role, is one of the highest risk drivers.

Training

The training of the Team Operators may well have been by the traditional cascade from the more senior
operators. This does carry some potential risks in that some of the teaching may not be best practice,
some may even be bad practice. Training Schools are available as are courses on operations. These should
be reviewed and applied for new recruits. Refresher training is also to be encouraged.

The one situation where training is essential is on a new process or if the operation instructions have been
changed. The instructions should be reviewed periodically, about once every two years to determine if
they are appropriate to the plant in the light of best practice and new operational experience/conditions.

Training for Managers starts at University and then continues through CPD.

Awareness

Awareness comes from observation! It is necessary to look for potential problems. The only way of
finding these problems, be they in design or in operations practice, is to look, listen and feel. (Look, listen and
feel can also apply to an office environment.) Tour the Plant (Office) each day, take a different route each
day, try to approach the Plant (Office) from a different direction each day and try to time the tour at
different times (if this is possible; it is recognised that this may be a constraint).

LOOK

Look for trip hazards.

Observe operators (staff) - are they following the instructions?

Observe maintenance work - are they following the PtW? (Parts A and F)

Look for leaks, damaged lagging, loose fittings, housekeeping, missing blanks on vents and drains. (Are
there any trip hazards in an office?)

Where possible look around the process equipment - this may be limited in scope.

Look at the plant records and laboratory records. Are the parameters and analyses in the correct bands?
(Are the design procedures used correctly in an office environment?)

If any parameter is out of range what actions have been or should have been taken?

If no action was taken what are your duties?

If you take your eyes out for a tour they will SEE something, somewhere!

LISTEN

Listen to what the operations team (staff) are saying - they may well have a good point but cannot put it
into technical language.

Listen to the grievances - they may be justified.

Listen to the worries - one of the team may have problems at home, or health or financial problems.

Is there any evidence of persons being picked upon?

Is there any evidence of persons working outside their remit?

Listen to the equipment - it may be telling you something.

If you take your ears out for a tour they will HEAR something, somewhere

FEEL

Use your human feelings to identify concerns which may not be expressed explicitly.

Use your human touch with those with worries.

Feel the equipment - is it telling you anything?

If you take your senses out for a tour they will FEEL something, somewhere

Management Relaxing Control

This could be known as aging management, when Management lose their enthusiasm (see later). This
may be due to the age of the plant and equipment or it may be that the managers realise that the job is
very much a dead end with no future. Senior Managers must be alert to this and must resist it by whatever
means they can.

Audits are a very powerful tool in the event of managers relaxing controls.

Management Losing Awareness

This might be called manager fatigue. The likely loss of awareness is that the Manager (or Operations
Team) have been in the job for too long, have lost incentive and possibly see no future in that role. This is
a Senior Management issue: does the problem go all of the way to the top; is the problem at the top of
the organisation?

After a few years it is possible that some form of complacency will set in and it is time for that manager
to move to a new post.

Audits are required on a routine basis to identify this drift.

Fatigue Leading to Errors (See also Part F)

Fatigue can come in two forms. First there is the fatigue caused by lack of stimulation or job
advancement and second there is the pure physical and mental fatigue. The first is very much a
Management issue and has to be dealt with by Management; the second is the result of long, hard days on the
Plant with little rest. This is most likely to be the result of a major shut down (turn-around) and a long and
difficult start-up, or an urgent design in the office. This is again a Management issue and all Managers must
be alert to the symptoms and the effects on the team. At some time all staff will experience this form of
fatigue and it behoves the prudent Manager to take a little longer to think through the problem and not to
jump to the first conclusion!

There is no complete answer to this problem other than the use of a little management sensitivity!

Boredom and Complacency (leading to short cuts)

This can result from three main causes. The first is the Plant which has no vices, operates without any
intervention and, possibly, is entering the end of life cycle. The second is likely to come from fatigue and
the third comes from the lack of awareness by the Manager and the Manager relaxing control. The first
cause is very much a Management issue but it is likely that it is a hidden effect that can best be addressed
by audits. Inevitably short cuts will be adopted but the alert Manager will stop them at the first
opportunity. The Manager must not tolerate these or else the Manager is equally guilty of complacency.
If the Manager loses control it is time that he/she moved to a new post.

Audits (Part F) are powerful tools in identifying this problem.

Operator Aging

Just as with equipment, operators age and become less alert and dextrous. This is a fact of life and as
industries mature and go into their twilight years so also do the operators. The Managers must be alert to
the fact that the aging process leads to a loss of dexterity, but they must also be aware that the plant operations
knowledge base is often held by the older/senior operators and that any retirements must not dilute this
knowledge. This means that the average age of the team should be maintained and not allowed to drift
upwards.


Equipment Aging

This has two meanings, day to day maintenance and true end of life aging (as with a car or any mechanical
equipment).

During the life of the plant equipment it will require routine maintenance due to fair wear and tear.
There are three potential strategies for maintenance, one is break-down maintenance, the next is
routine maintenance on a fixed schedule and the last is on condition maintenance. However, the act
of maintaining equipment has the potential to age it! For example the removal of a bearing from a pump
shaft does scrape a thin sliver of metal such that after many changes the fit is lost and the shaft can only
be scrapped. (See end of life).

Maintenance

Routine Maintenance

This involves taking the equipment out of service (with a spare in place) and renewing key components
which are known to have a finite life span before they come to the end of that span. This is very
much the approach to maintenance on a car. Unfortunately not all of the components can be or are
replaced and one will fail at some time in the future, leading to break-down maintenance.

Break-down Maintenance

This involves running the equipment until it fails in duty. Normally some of the more vulnerable
equipment will be fitted with a stand-by spare so, provided the changeover can be effected before failure,
all will be well.

Consider risk based maintenance for aging equipment. It may be more frequent than for new
equipment. See also End of Life below

On Condition Maintenance

This involves monitoring key performance parameters on the equipment and, when the key indicators are
found, the maintenance is carried out.

The key parameters may be one or more of the following: -

Vibration (velocity or acceleration) with or without analysis to assist the diagnostics

Oil debris using Ferrography or Spectrometric Analysis of Oil Pollutants (SAOP)

Heat

True performance using process parameters such as heat transfer coefficients, polytropic
parameters and the like

Physical inspection such as may be used for inspection of major pieces of equipment

Non-destructive techniques such as ultrasonic thickness detection are appropriate to both
equipment and piping systems.


There are no firm rights or wrongs for maintenance other than to note that any break-down which
involves a loss of containment is not acceptable.

End of life

As the equipment reaches the end of life it has been overhauled on many occasions. Interference
clearances or fits open up and the likelihood of failure can increase for that reason alone, but also because the
equipment is truly reaching the end of its life - the wear out phase. In this phase there is no
satisfactory maintenance routine other than total replacement. However it may be that the plant and
equipment is now being run into the ground and the maintenance is reduced to a minimum when in fact
it should be increased. This is a dangerous approach and carries many potential risks, none less than the
accumulative wear and tear which may result in the following problems: -

Corrosion Under Insulation (CUI) - external

Corrosion inside piping

Erosion inside piping

Fatigue in equipment subject to cyclic loads (pressurising and depressurising is one such cyclic
load)

As equipment ages a new approach is required: RISK BASED MAINTENANCE. This requires that the
frequency of maintenance is adjusted to the perceived risk. It may be that the frequency must be
increased or that special attention is paid to corrosion. In high temperature equipment it might be
necessary to monitor the equipment for high temperature creep and in equipment subject to cyclic
loads it might be necessary to monitor for fatigue.

These examples are only some of many monitoring policies.

At some point the equipment will be so aged that, no matter what amount of maintenance is applied, it
will have to be scrapped.

There is always a great temptation to "Sweat the Assets" at the end of life. This must be resisted, as it
has been a major cause of incidents.

D 13 Layer of Protection Analysis (LOPA) and Safety Integrity Level (SIL)

One of the inevitable changes in any dynamic technology is that old techniques are reinvented and called
by new names!! In addition it develops its own jargon or language; this makes it a form of closed shop!
This is true of LOPA and SIL. Both have been in use for over 40 years but were known by other names.
LOPA developed from the very first form of Risk Assessment, when the conditional probabilities were ill
defined, and SIL was developed from a relatively simple technique which was an attempt to classify the
performance of shutdown systems against loss of production, environment and life.

LOPA should be treated as a screening tool as it is more tuned to low risk events and not to high risk events
(see the definitions).

These are tools of which all engineers should be aware.


LOPA

LOPA does show the structure of any analysis and assessment and, believe it or not, it is an analysis of
Defence in Depth. The LOPA "Onion", below, illustrates this clearly. The analysis is sometimes devolved
to Engineers who are not skilled Risk Assessors but who can follow the rules in LOPA. The rules are not
difficult to follow as they are to be found in look-up tables (see later). It is inevitable that there will be
the big "BUT" word, as the simplistic approach of LOPA can, and does, overlook the finer detail of Risk
Assessment, more particularly the mutual inclusivity and exclusivity. This is particularly important with
high risk (consequence) events.

Figure D 13.1 LOPA Onion

The HSE are keen to see the analysis of the Layers of Protection or defences so LOPA is seen as an
essential tool in the safety armoury.

The American Institute of Chemical Engineers (AIChE) have issued a book on LOPA and sub-titled it
"Simplified Process Risk Assessment". This is exactly what was used 40 years ago when fully developed
Conditional Probabilities had not been codified with any real accuracy. Put simply it was little better than a
set of orders of magnitude. Likewise the level of integrity in a shutdown system (now known as SIL) was
determined by simple rules e.g. loss of production required a simplex shutdown, environmental protection
a redundant system and life protection a 2 o o 3 system.

The basis of risk assessment is the three questions: -

How Big? How Often? So What?

Without a detailed assessment of the contributions to the causations and the mitigations the "How Big"
and the "How Often" could be significantly in error. Further, the "So What" requires some form of Risk Graph;
too often this is given in a stepwise format (see figure D 12.2) which may fit in with the order of magnitude
approach but does not fit in well with high risk events where the error bands are potentially quite
significant. (Please look at some of the indicative failure rate data shown later in this part.)

This introduction may seem a bit harsh but it is meant as a warning to the unwary: treat the use of LOPA
with care and pay attention to the detail in design and systems of work.

The Author of this section has had some disturbing experiences of lax analysis of major risk events and the
use of the stepwise criteria.

Some Matrices have a grey zone between the "Not Acceptable" and the "Tolerable".

Figure D 12.2 Risk Matrix

                                        FREQUENCY
CONSEQUENCE   HIGH                                                                  LOW
LOW           TOLERABLE        TOLERABLE        TOLERABLE        TOLERABLE        TOLERABLE
              NOT ACCEPTABLE   TOLERABLE        TOLERABLE        TOLERABLE        TOLERABLE
              NOT ACCEPTABLE   NOT ACCEPTABLE   TOLERABLE        TOLERABLE        TOLERABLE
              NOT ACCEPTABLE   NOT ACCEPTABLE   NOT ACCEPTABLE   TOLERABLE        TOLERABLE
HIGH          NOT ACCEPTABLE   NOT ACCEPTABLE   NOT ACCEPTABLE   NOT ACCEPTABLE   TOLERABLE

The figure above shows the step wise castellated risk map or matrix - the "so what?" question. It has
some weaknesses as it only works in decades and not in a linear progression.

The slope of the matrix is -1 which reflects the aversion to events which have a major consequence. In
a risk averse society there are arguments that the slope of the plot, called risk aversion, should be
between -1 and -2.

Common sense requires that the Risk Matrix should be linear and not stepwise. For example an event
with a defined consequence and with an assessed frequency of 9 x 10^-3 per year might fall into the
tolerable zone but if it were 1 x 10^-2 per year it might fall into the not acceptable zone.


Acronyms and Abbreviations used in LOPA & SIL

AIChE American Institute of Chemical Engineers

ALARP As Low as (is) Reasonably Practicable

BPCS Basic Process Control System

CCF Common Cause Failure (same as CMF)

CMF Common Mode Failure

CCPS Center for Chemical Process Safety (AIChE) [American Spelling]

D Demand Rate (number of demands or challenges on a system) per unit of time

ETA Event Tree Analysis

F Failure Rate per unit of time

f Frequency per unit of time

FBR Full Bore Rupture

FTA Fault Tree Analysis

HAZOP Hazard and Operability Study

IPL Independent Protective Layer

LOPA Layer of Protection Analysis

PFD Probability (of) Failure (to) Danger or Process Flow Diagram (AKA for many
years as FDT - Fractional Dead Time)

SIF Safety Instrumented Function

SIS Safety Instrumented System (instrumented protective system)

T Test Interval (time)

This should suffice for the time being.

Please note that IPL really does mean INDEPENDENT PROTECTIVE LAYERS. The layers must be truly
independent; two of the same style are not truly independent as there may be a CMF/CCF in the system.
Take a maintenance procedure and an operating procedure: the CMF/CCF could lie within the corporate
culture or Management.

LOPA is a form of simplified ETA as shown in Figure D 12.3; it moderates the frequency of the event BUT
there may be side branches in figure D 12.3 (as shown in Part E) which are dismissed and may have lesser
but significant consequences; much will depend upon the performance of the other Independent
Protective Layers (IPLs). The full Event Tree will analyse these branches but LOPA only follows the main
path. As already indicated this may be acceptable for low consequence events but it may require more
attention for the higher consequence events, more particularly as the complexity of the event tree
increases.

Figure D 13.3 Simple FTA used in SIL

Much of the data is codified into look up tables (which are very much as were evolved 40 years ago).
This runs the risk of disengaging the brain from the analysis process. This is perfectly acceptable if the
structure of the analysis is to be demonstrated but it can be a problem if high risk events are being
assessed quantitatively. Take for example 2 off IPLs with PFDs which are taken from the table but which in
reality have been a half order of magnitude over or under assessed: the answer will be out by one order of
magnitude!!

(In uncertainty the geometric mean of 1 and 10 is 10^(1/2) or 3.1, a half order of magnitude.)

It is now right to explain that the failure rate can be expressed as a decimal (0.01 per annum), as 10^-2 or
as the negative log10, i.e. 2.

The following table is a sample of failure rate data taken from the CCPS document on LOPA. A number of
companies have adapted this to their own needs.

Event                                              Frequency 1              Frequency 2 (negative log10)

Pressure Vessel Failure                            10^-6 /A                 6
Piping Leak /100m (FBR)                            10^-5 /A                 5
SIS (simplex system)                               10^-1 /A                 1
BPCS (1)                                           10^-1 /A                 1
Pump Seal Failure (2)                              10^-1 /A                 1
Operator Failure to carry out a routine event
with training (3)                                  10^-2 per opportunity    2

Table D 13.1 Sampled Failure Rate Data

(1) There are good and proper reasons to believe that, due to other monitoring systems, this value is
too high.

(2) Dependent on the duty.

(3) To prove the point about error bands personal experience suggests that 3 x 10^-3/opportunity is
more realistic.

It will be obvious that these numbers have had a lot of rounding up or down and if too many are used in
multiplication mode the error bands will be very significant.

The structuring of a LOPA assessment can be as simple as drawing an ETA or it can be a tabulation as
indicated below: -

Event Description

Initiating Event Frequency

Condition Modifiers
    Ignition probability
    Probability of person being in the area
    Probability of fatality (contingent on above)
    Others (use your imagination to visualise the event)

IPLs
    BPCS
    Beneficial or otherwise human intervention
    SIS
    Pressure Relief Valves
    Others
    Passive fire protection
    Active fire protection
    Manual isolation - remote
    Others

Frequency of event with mitigations?

Consequence of event?

Risk Tolerance for this sequence?

Criteria met or are more IPLs required?

The risk criteria (matrix) are usually shown as a stepwise structure where, as the magnitude goes up
by an order of magnitude, the frequency falls by an order of magnitude. This is a bit coarse for a full QRA;
however, with the order of magnitude approach in the tables it may be tolerable. The risk categories 1 -
5 apply not only to life but also to public reaction, the environment, consequential loss and others that you
might think of. As a result there will be a minimum of 4 tables of criteria which must all be matched! There
are no absolutes and it would be unprofessional to declare absolutes but it is appropriate to give some
INDICATIVE VALUES which all companies have a responsibility to codify.

Table of indicative values for risk criteria which are based on judgement. They will change with time and
public reaction.

Please treat these as a best guess and not definitive values. They should indicate the thinking of the
Regulator and Industry as a whole.

Table D 13.2 Indicative values for risk maps

P = Personnel
L = Loss of capital or production
E = Environment
R = Public reaction

Level 1/2
    P  no injury
    L  few 10s of thousands
    E  none
    R  none

Level 3
    P  one severe injury
    L  possibly up to 500,000
    E  possible impact offsite
    R  press complaint

Level 4
    P  more than one significant injury, or one fatality at the extreme of the level
    L  5M
    E  long term impact
    R  major reaction

Level 5
    P  multiple fatalities
    L  50M loss of cash flow for a year
    E  major lasting impact
    R  offsite injury and questions in Parliament

It will be noted that the criteria rise by one order of magnitude per level!!!
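The tabulation and the stepwise criteria above can be worked through in code. What follows is an added example and is not code from the notes or from the CCPS book: the initiating event frequency and the simplex SIS PFD are the order-of-magnitude values of Table D 13.1, while the condition modifiers (ignition, occupancy, fatality given exposure), the relief valve PFD and the per-level tolerable frequency limits are constructed assumptions for the illustration. It carries one scenario through the sheet, shows the castellated decision for 9 x 10^-3 against 1 x 10^-2 per year, and shows what a half order of magnitude of uncertainty on two of the multiplied factors does to the conclusion.

```python
import math

# Added example for these notes, not code from the notes or from CCPS.
# Initiating frequencies and the SIS PFD follow the order-of-magnitude values
# of Table D 13.1; everything marked "assumed" is constructed for this example.

INITIATING_FREQUENCY = {          # per annum (/A)
    "BPCS loop failure": 1e-1,    # Table D 13.1
    "Pump seal failure": 1e-1,    # Table D 13.1
    "Pressure vessel failure": 1e-6,
}

IPL_PFD = {
    "SIS (simplex)": 1e-1,          # Table D 13.1
    "Pressure relief valve": 1e-2,  # assumed for this example
}

# Assumed indicative tolerable frequency (per annum) per consequence level:
# one order of magnitude per level, the stepwise structure the notes describe.
TOLERABLE_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4, 5: 1e-5}


def mitigated_frequency(initiating, modifiers=(), ipl_pfds=()):
    """Initiating frequency x every condition modifier x every IPL PFD."""
    frequency = initiating
    for modifier in modifiers:
        frequency *= modifier
    for pfd in ipl_pfds:
        frequency *= pfd
    return frequency


def negative_log10(value):
    """The notes' shorthand: 0.01 per annum is written as 10^-2 or simply 2."""
    return -math.log10(value)


def stepwise_decision(level, frequency):
    """Castellated matrix: tolerable only strictly below the level's limit,
    so 9e-3 and 1e-2 fall on different sides of the line at Level 2."""
    return "TOLERABLE" if frequency < TOLERABLE_LIMIT[level] else "NOT ACCEPTABLE"


def ipls_required(level, unmitigated, candidates):
    """Credit candidate IPLs in order until the criterion is met.
    Returns (IPLs credited, mitigated frequency, decision)."""
    credited, frequency = [], unmitigated
    for name, pfd in candidates:
        if stepwise_decision(level, frequency) == "TOLERABLE":
            break
        credited.append(name)
        frequency *= pfd
    return credited, frequency, stepwise_decision(level, frequency)


def error_band(frequency, n_uncertain):
    """If n_uncertain factors are each a half order of magnitude (sqrt(10) ~ 3.1)
    over or under assessed, the product is out by 10**(n_uncertain/2) each way."""
    spread = math.sqrt(10) ** n_uncertain
    return frequency / spread, frequency * spread


def worked_scenario():
    """BPCS loop failure -> release -> fire -> one fatality (Level 4 consequence)."""
    modifiers = [0.1, 0.1, 0.5]   # assumed: ignition, person in area, fatality given exposure
    unmitigated = mitigated_frequency(INITIATING_FREQUENCY["BPCS loop failure"], modifiers)
    candidates = [("SIS (simplex)", IPL_PFD["SIS (simplex)"]),
                  ("Pressure relief valve", IPL_PFD["Pressure relief valve"])]
    credited, mitigated, decision = ipls_required(4, unmitigated, candidates)
    # Half-order uncertainty on the initiating frequency and on each credited IPL PFD
    low, high = error_band(mitigated, 1 + len(credited))
    return {
        "unmitigated": unmitigated,
        "credited": credited,
        "mitigated": mitigated,
        "decision": decision,
        "band": (low, high),
        "band_decisions": (stepwise_decision(4, low), stepwise_decision(4, high)),
    }


if __name__ == "__main__":
    result = worked_scenario()
    print(f"unmitigated {result['unmitigated']:.1e} /A -> credit {result['credited']} "
          f"-> {result['mitigated']:.1e} /A ({result['decision']})")
    print(f"error band {result['band'][0]:.1e} .. {result['band'][1]:.1e} /A "
          f"-> {result['band_decisions']}")
    print("9e-3 /A at Level 2:", stepwise_decision(2, 9e-3),
          "| 1e-2 /A:", stepwise_decision(2, 1e-2))
```

The point estimate in the worked scenario lands in the tolerable zone after crediting one IPL, but the upper edge of the error band does not; that is the warning the notes give about using look-up values on high consequence events.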

So that is LOPA!

SIL

Safety Integrity Levels (SIL) are a measure of the integrity of an instrumented protective system (SIS).
These will be derived from either another simple Event Tree in the SIL technique, LOPA or a full QRA.

As already noted the words IPL have been used in LOPA; they apply equally to SIL/SIS: the systems MUST
BE TRULY INDEPENDENT. This may apply to the inspection/testing, the routing of the data highways, the
design and other features such as using the same manufacturer for the supply of components. All of these
are potentials for common mode failure (CMF) or common cause failure (CCF). This is given a term which
can be as high as 5% of the total failure rate.

For two units each with a PFD of 0.1 it might seem that the PFD of a 2 o o 2 system is 0.01; however, once
the common cause term is allowed for, it is 0.05, so the PFD is 0.05.

Once the PFD of the SIS or protective system has been assessed it is necessary to
choose a design standard for the SIS or protective system. The following listing gives a measure of the
design standard and the range of the PFD/FDT.

SIL 1 = 0.1 to 0.01

SIL 2 = 0.01 to 0.001

SIL 3 = 0.001 to 0.0001

SIL 4 = 0.0001 or better, and is a special study which requires a special assessment.

In simple terms SIL is the negative log10 of the highest PFD. For SIL 1 it is 10^-1 and this defines the design
standard.

SIL 1 is satisfied by a simplex (un-spared) system

SIL 2 is satisfied by a 1 out of 2 system

SIL 3 is satisfied by a 2 out of 3 voted system

SIL 4 will require both redundant and diverse systems

See also Part D 8

Please note:-

The lowest PFD/FDT in any SIL group (best performance) will be difficult to achieve. For SIL 1 the limit may
be the human factor, for SIL 3 the human factor must be assessed carefully and the redundant elements
may have to be procured from different suppliers to avoid CMF/CCF.

Finally (yes, finally) the LOPA or QRA will define the required PFD/FDT. The designer must then
demonstrate, from a reliability analysis, that the required PFD/FDT CAN be achieved and the Production
Department must carry out function testing to prove that the required PFD/FDT WAS achieved. If there is
a shortfall the whole design must be reviewed.
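The SIL banding, the common cause term and the closing requirement to demonstrate the required PFD can be put into a few functions. This is an added example, not code from the notes: it uses the beta-factor model, the usual simple way of splitting each redundant channel into an independent part and a shared common cause part, with beta set to the "as high as 5%" figure quoted above; the fractional dead time relation for a simplex element under low demand (failure rate x test interval / 2) is the standard approximation and is assumed here, not taken from the notes.

```python
import math

# Added example for these notes, not code from the notes. The beta-factor
# model below is an assumption for this illustration; beta = 0.05 is the
# "as high as 5%" common cause figure quoted in the notes.

BETA = 0.05

SIL_BAND = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (0.0, 1e-4)}
MINIMUM_ARCHITECTURE = {1: "simplex (un-spared)", 2: "1 out of 2",
                        3: "2 out of 3 voted", 4: "redundant and diverse"}


def sil_from_pfd(pfd):
    """SIL is the integer part of the negative log10 of the PFD (0 = no SIL claim)."""
    if pfd > 0.1:
        return 0
    return min(4, int(math.floor(-math.log10(pfd) + 1e-9)))


def fdt_simplex(failure_rate, test_interval):
    """Fractional dead time of one un-spared element under the standard
    low-demand approximation: on average it is dead for half the test interval."""
    return failure_rate * test_interval / 2.0


def pfd_1oo2(pfd_each, beta=BETA):
    """1 out of 2 (either channel trips). Each channel's PFD is split into an
    independent part (1-beta)p and a shared common cause part beta*p."""
    independent = (1.0 - beta) * pfd_each
    return independent ** 2 + beta * pfd_each


def pfd_2oo3(pfd_each, beta=BETA):
    """2 out of 3 voted: fails to danger if two or more independent parts
    have failed, or on a common cause failure."""
    q = (1.0 - beta) * pfd_each
    return 3 * q ** 2 - 2 * q ** 3 + beta * pfd_each


def ccf_share(pfd_each, beta=BETA):
    """Fraction of the 1oo2 PFD that is the common cause term."""
    return beta * pfd_each / pfd_1oo2(pfd_each, beta)


def design_meets_target(required_pfd, achieved_pfd):
    """The reliability analysis (and later the function testing) must show the
    achieved PFD is no worse than the PFD the LOPA or QRA demanded."""
    return achieved_pfd <= required_pfd


if __name__ == "__main__":
    for p in (0.1, 0.01):
        for beta in (0.0, BETA):
            pfd = pfd_1oo2(p, beta)
            print(f"1oo2 of two channels at PFD {p}: beta={beta:.2f} -> PFD {pfd:.2e}, "
                  f"SIL {sil_from_pfd(pfd)}, CCF share {ccf_share(p, beta):.0%}")
    print("2oo3 at PFD 0.1 each:", f"{pfd_2oo3(0.1):.2e}", "SIL", sil_from_pfd(pfd_2oo3(0.1)))
    print("simplex element, 0.1 /A failure rate, tested yearly: FDT", fdt_simplex(0.1, 1.0))
```

With two channels each at a PFD of 0.01 the common cause term accounts for over 80% of the 1oo2 PFD, which is the arithmetic behind the note above that redundant elements may have to be procured from different suppliers.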

D 14 Some examples of Inherency

The following are possible applications of inherency. It is a simple idea but requires a lot of
careful thought and analysis. Some of the ideas have been in existence (but under a different
name) for some time; some are quite novel and tax the brain. Again guidewords are required:

Intensification

Reducing the working inventory requires some thought. Concentrate the process in a smaller, higher
pressure reactor so reducing the working inventory or total leak potential. An example might be a high
pressure catalytic reactor which is significantly smaller than the conventional low pressure reactor. The
end point is that while the potential peak out flow rate from a hole (loss of containment, LOC) may be
higher, the actual total out flow will be significantly lower.

The classic photo of the operator of Nobel Explosives (Ardeer) for the manufacture of nitroglycerine taken
in about 1905 is shown below:-

When the reaction temperature exceeds a certain level (the thermometer can be seen on this photo) the
operator pulls a dump line which dumps the reactants into a cold water tank. In spite of the process being
inherently unsafe the operator sits on a one legged stool. This stool is the start of inherent safety - if the
operator falls asleep he falls off the stool and presumably he wakes up. Another inherently safe solution
might be to tie the operator's fingers to the reactor dump line, in which case falling asleep automatically
initiates the dump process.

The inherently safer process used in the nitration process involves the intimate mixing (dispersion and
increased surface area for the reaction) of the reactants in a venturi, only one fluid is pumped; the first
reactant inspires the other reactant and also ensures not only intimate mixing but also ratio control. The
reactants in the nitration process are reduced to only a few kilograms in a linear reactor (over 100 fold
intensification).

Nitration injector in the NAB process for manufacture of nitroglycerine

Various processes can be adapted to linear or tubular reactors with intensification over the continuous
stirred reactors. The skill is ensuring the intimate mixing of the reactants at the feed point and the
separation of the reactant by-products.

Another might be the use of a linear reactor instead of a continuously stirred back mixed reactor. (See
next). Another might be the use of specialised equipment which has, by the very nature of the design, a
very low inventory; some of the modern compact heat exchangers would fit into this heading but the
down side is that they are more prone to fouling and are difficult to clean. Various options include:-

Finned tube

Plate-fin

Printed circuit

One of the negative features of these compact units is that their use is limited to clean fluids only. Volume
compaction can be almost 10 fold for the plate-fin exchangers. Cleaning these exchangers is difficult.

Intensification can be achieved by reducing buffer storage in the process such as reflux drums. Likewise
inter-stage storage can be reduced by better controls and production planning.

Storage & Bunds

The classic form of attenuation is the storage of cryogenic fluids (methane, propane etc) at atmospheric
pressure using a refrigeration circuit. Large LPG storage tanks can be of the order of 10^4 Tonne and under
atmospheric conditions at 15 °C the flash from Butane can be about 10% with some aerosol formation.

Further enhancements can be in the form of secondary containment round the primary containment, such
as a secondary tank or bund.

Process

Any process which uses a catalyst will be expected to operate at lower temperatures and/or pressures.

In general, for the same conditions of temperatures and pressure a liquid leak from any given hole size will
be 10 to 15 times that of a gas leak. The value is dependent on the fluid properties and is not a fixed value
and may be influenced by any flashing effects at the orifice - a flashing leak is about a quarter of the liquid
leak. This suggests that catalysed gas phase reactions are better than liquid phase reactions but is contrary
to the laws of mass action.
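The liquid-to-gas comparison above follows from the two orifice relations: Bernoulli flow for an incompressible liquid and sonic (choked) flow for a gas once the pressure ratio exceeds the critical value. The following is an added example, not code from the notes; the orifice equations are the standard ones, the discharge coefficient of 0.62 and the approximate propane properties (liquid density 500 kg/m^3, gamma 1.13, molar mass 0.044 kg/mol) are assumptions for the illustration, and it does not model the flashing case the notes mention. Hole area and discharge coefficient cancel in the ratio, so only fluid properties and pressure matter; the constructed propane case lands near the lower end of the 10 to 15 range quoted above.

```python
import math

# Added example for these notes, not code from the notes. Standard orifice
# relations are used; the propane property values are approximate assumptions.

R_GAS = 8.314           # J/(mol K)
P_ATM = 1.013e5         # Pa
DISCHARGE_COEFF = 0.62  # sharp-edged hole, assumed the same for both phases


def liquid_mass_flux(density, delta_p, cd=DISCHARGE_COEFF):
    """Incompressible (Bernoulli) orifice flow, kg/(m^2 s) of hole area."""
    return cd * math.sqrt(2.0 * density * delta_p)


def is_choked(p_abs, p_downstream, gamma):
    """Gas flow through the hole is sonic once the pressure ratio exceeds
    the critical ratio ((gamma+1)/2)**(gamma/(gamma-1))."""
    critical = ((gamma + 1.0) / 2.0) ** (gamma / (gamma - 1.0))
    return p_abs / p_downstream >= critical


def choked_gas_mass_flux(p_abs, gamma, molar_mass, temperature, cd=DISCHARGE_COEFF):
    """Ideal gas sonic orifice flow, kg/(m^2 s) of hole area."""
    term = (2.0 / (gamma + 1.0)) ** ((gamma + 1.0) / (2.0 * (gamma - 1.0)))
    return cd * p_abs * math.sqrt(gamma * molar_mass / (R_GAS * temperature)) * term


def liquid_to_gas_ratio(density, gamma, molar_mass, temperature, p_gauge):
    """Mass flow of a liquid leak divided by that of a gas leak of the same
    fluid through the same hole at the same pressure (area and Cd cancel)."""
    p_abs = p_gauge + P_ATM
    if not is_choked(p_abs, P_ATM, gamma):
        raise ValueError("sub-critical gas flow: the choked-flow relation does not apply")
    gas = choked_gas_mass_flux(p_abs, gamma, molar_mass, temperature)
    return liquid_mass_flux(density, p_gauge) / gas


# Assumed approximate propane properties near ambient temperature
PROPANE = {"density": 500.0, "gamma": 1.13, "molar_mass": 0.044}


def propane_example(p_gauge=10e5, temperature=293.0):
    """Liquid propane versus propane vapour from the same hole at 10 bar g."""
    return liquid_to_gas_ratio(PROPANE["density"], PROPANE["gamma"],
                               PROPANE["molar_mass"], temperature, p_gauge)


if __name__ == "__main__":
    print(f"liquid/gas mass flow ratio for propane at 10 bar g: {propane_example():.1f}")
```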

The original polythene plants operated at a pressure of about 10^9 Pa but the modern ones operate at
nearer 10^6 Pa with enhanced catalysts. Changes in the polypropylene process have resulted in a vapour
phase reaction as opposed to liquid phase reactions. This example straddles intensification and
attenuation.

The variables of Temperature, Pressure and Phase do make separation processes less amenable to
alteration but reactors and storage do offer some scope.

Tray hold up can be reduced by a factor of two for packed columns and a factor of four for film type trays.
One distillation column for the separation of propane and propylene was 5m diameter and contained 150
trays. The reflux ratio was 11:1 and the velocity time lag between a change in reflux and its effect on the
base was of the order of 10 minutes. The column was very sluggish!

The inventories were:-

Trays & downcomers 40 m^3
Reflux Drum 50 m^3
Base 50 m^3
Total 140 m^3 or 100 Tonnes

The feed rate was 30 tonnes per hour, therefore the holdup represented 3 hours of production!! Various
inherently safer routes could be considered:

Operating at lower pressure with enhanced relative volatility/separation

Change the column internals with savings in the tray hold up and the reflux drum and base
inventory.

(The condenser for this column used re-used water - it first passed through refrigeration
condensers so saving power on the compressor drivers before its second use in a
condenser. Efficiency and environmental issues were not always in harmony with safety!)
See also HIGEE.

HIGEE is a concept looking for an application. It appears to be technically sound but has a number of
engineering weaknesses namely the seal of the drive shaft and its overall availability. The process is
essentially a rotating mesh or packed drum with a liquid fed at the centre and a vapour exit at the
periphery.

HIGEE Distillation Unit

The acceleration levels vary across the mesh and are typically 10^4 m/s^2. The effective area is low but under
this high g or acceleration the vapour/liquid contact is exceedingly effective with high liquid and vapour
loading and low back mixing. The process therefore has application as a distillation column, a stripping
column, an absorption column or a reactor. The intensification is of the order of 10^3 and it is not difficult to
imagine a number of processes in series or parallel. In the distillation column it is necessary to have
different units for the stripping and rectification sections of the column and if there are side streams each
section must be a HIGEE unit.

As a reactor it may be possible to have one unit for reaction phase to facilitate separation of
reactants/waste products.

The process is not quite as inherently safe as it may appear to be. There will have to be pumps between
units but there is no reason why gravity may not be used if appropriate.

The unit seems to be so simple and the theory so sound that it is difficult to see why it has not been used
more in industry. Is it that engineers desire to be second and let someone else eliminate the bugs? Is there
a cost penalty? Is the operability/reliability poor? Why is it not used more?

Attenuate

Reduce the working pressure/temperature such that the leak rate, should a leak occur, is lower, or the
release is less likely to ignite or vaporise. An example is the use of refrigerated (near-atmospheric
pressure) storage for liquefied gases instead of pressurised storage.

Once again, a catalyst that allows milder operating conditions contributes to inherent safety.

Substitute

Change the process route, using chemicals which are safer or which do not produce hazardous by-products
or intermediates. Steam is inherently safer than hot oil. Steam heating is inherently safer than electrical
heating in that it has a self-limiting upper temperature (the saturation temperature at the supply
pressure). Likewise oil heating MAY be safer than electric heating.



Change

While the concept of change is simple, it does require a bit of thought! Consider a change in layout
so as to segregate flammable materials from sources of ignition, or the positioning of a valve so that
access is enhanced; the layout or access is then inherently safer. Change may involve a new process if the
environmental implications of the old one were adverse. Change is simple, but finding the solution is less so!

Eliminate

This is more a statement of the obvious. Consider the design pressures: can you eliminate the need for
overpressure protection by the selection of the equipment design pressures?

Has the need for a protective system been fully analysed and understood? Is there a simpler solution?

Eliminate and Change look at the same basic problem from different directions.

It is possible to specify pumps which do not have seals (canned or magnetic-drive pumps). In effect the
leak source at the seal is eliminated.

A welded system as opposed to a flanged system eliminates a leak source BUT it might make maintenance
more difficult.

Simplify

This is self evident.

Is there an easier way? There is no doubt that engineers are taught to think vertically: "this is the way we
always do it". Engineers do not always look for other ways. The design is usually examined, a hazard
identified and then a protective system added. Why not find an alternative route? The simple break tank,
in a home or elsewhere, is a means of preventing reverse flow and cross-contamination; it is inherently
safer than a non-return valve.

Capture and recover

This idea may apply more to the environment. An alternative may be recycle.

Modern flare systems can capture leakage into the flare header from passing (leaking) valves, compress it
and recycle it to the process instead of burning it.

Getting it Right First Time

Avoid the need for last-minute change by recognising the whole spectrum of conditions which may
apply, and so choosing the correct materials of fabrication and the correct design pressure for equipment. It
can also mean de-cluttering the process and avoiding a surfeit of add-on safety features which do little for
SHE or efficiency but create operational problems.

Can a process be devised which does not require a complex pressure relief system, by the specification of
the system design pressures? In one hydrocarbon processing plant the operating pressure was 900 kPa
and a relief system was required because the vessels were designed for 1100 kPa (the piping was designed
for 1800 kPa). It was then realised that the relief valves discharged to atmosphere and the vapours could fall to
the ground, ignite and generate a VCE. The initial solution was to add a simple high pressure shut down
system. Its performance was assessed and it was found that the discharge frequency was still too high, so
a 2 out of 3 shut down system was added (vertical thought). The maximum process pressure due to
heating with steam was 1500 kPa; the piping was already adequate for this, and a small increase in the
vessel wall thickness, possibly as little as 1 mm of steel, would have eliminated all the soul searching. Of
course a small fire relief system would still be required, but this would be relatively cheap, and the inherent
safety and operability would be much higher. The net cost of the thicker vessels would have been lower than
that of the added-on features and the process would have been more operable.

What is the worst case scenario and can a change to the design eliminate the scenario?

The classic example of this dilemma is to be found with the Chernobyl reactor. The RBMK-1000 is a
graphite-moderated, water-cooled channel reactor (not a PWR) with a positive void coefficient, which meant
that below about 20% power there was a positive power coefficient and the reactor was intrinsically
unstable at low power. The accident occurred basically because the reactor entered this regime, for a series
of reasons explained in Part H. The RBMK-1000 did not fail safe, whereas a PWR, such as the UK's, does;
the difference between the two designs is based on efficiency: the stable unit is less efficient but it is safer.

Second Chance/fails safe

The ability to recover from and to survive an upset, or to tolerate the extremes of the operating/upset
conditions envelope. The brittle failure of a heat exchanger at Longford, Victoria, Australia was caused by
thermal shock. If the materials had been specified for a colder duty the exchanger would have tolerated the
shock.

Variations on fail safe can be found on the control of the rates of reactants and the thermal inertia in the
system. The cyclohexane oxidation process has such inertia but entails a high recycle of reactants.

The hydrogenation of ethyne (acetylene) in olefin plants can be carried out at the front end, where the
process gases, a mix of hydrocarbons and hydrogen, are fed across a catalyst, or at the back end, where
hydrogen is fed into a mixed ethane/ethene/ethyne stream. In the front end process the reactor has a
high thermal inertia and stopping the feed produces no runaway. The back end process requires
careful ratio control of the feed and hydrogen: the hydrogen has to be stopped to avoid thermal runaway and
explosive decomposition of ethene. The first arrangement is truly fail safe. Once again the problem in
illustrating fail safe is finding specific and easy-to-explain examples of how it might operate.

Intrusive v Non Intrusive Instruments

Non-intrusive instruments not only eliminate a source of leakage but can be readily overhauled
without intrusion into the process. There are now many types of non-intrusive instrument: flow by
Doppler ultrasonics, level by nucleonic gauge.

Materials which are specified for the whole expected operating envelope are far better than ones which are
specified for a limited band. Process depressuring can often result in very low temperatures (auto-refrigeration)
which may prohibit start-up until the equipment has warmed up. Low temperature steels are more operable
than carbon steel.

Passive Fire Protection is inherently safer than active fire protection with deluge.

Attention must be paid to ensuring that any leakage does not accumulate in vulnerable areas. Concrete
should be sloped to direct spills away from vulnerable equipment. The design and location of the drains
can also reduce the accumulation of fuel in vulnerable areas of the plant.



A pump located outside the confines of a pipe track, with suitable bunding and sloping of the concrete,
will result in less damage and less escalation potential, as well as a site where fire attack can be more
effective.

The design of pump seals and of remote shut-off valves will also produce an inherently safer process.
Double mechanical seals with buffer fluids give a second chance against leakage, but they may not be as
operable.



Part E

RISK ASSESSMENT
Quantification

There has been some emphasis recently on "number crunching" in the preparation of Risk Assessments.
This is potentially self defeating. It is more important to understand the laws of science and how these
affect the safety process than to crunch numbers. The skill is in getting the correct solution to the problem;
this can only be achieved by understanding the "causes" of accidents (accident causation), why they
occur in the first place, and the contributory factors which lead to escalation or to mitigation. See the
Bow Tie, Figure E 1.1, later.

It is recognised that "numbers" are necessary, but on a personal basis I am rarely surprised by the answer,
which usually provides support for what was known to be correct from experience.

These notes on quantification are therefore written not from the standpoint of "here is an equation"
but include the "causes", "prevention" and "mitigations" plus the calculation. It is far better to "know" that the
outflow rate through a hole the size of a 1p coin (decimal) at 20 bar is in excess of one kg per second, that
the fire will be large and that steelwork will be affected; thereafter the calculation is a nicety! The next feature
is that no hole is sharp-sided, round and of a standard dimension of 10 mm. The leak size is far from
certain, the frequency of the occurrence is open to discussion, and these uncertainties swamp any errors in the
calculation of, say, the flame size. The "source terms", the way the leak source is specified, will dominate the
answer.

Equally importantly, it should be recognised that the models are all very much empirical and do
not stand up to dimensional analysis. They have to be taken at face value, recognising that they have
been fitted to the results of controlled research experiments.
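The point made above, that the source term dominates the answer, can be checked with the standard orifice equations, which the notes do not give. The following is an added example, not code from the notes: it applies the Bernoulli orifice equation for a liquid and the choked isentropic-flow equation for a gas, with discharge coefficients and rounded fluid properties (a propane-like liquid at 500 kg/m³, a methane-like gas of molar mass 0.016 kg/mol and γ = 1.3 at 300 K) that are assumptions, not data from the notes. It goes beyond the single 20 bar case in the text by tabulating several hole sizes and both phases, which is where the sensitivity shows.

```python
"""Orifice outflow estimates for the source term of a leak.

Added worked example (not part of the original notes). It applies the
standard orifice equations (Bernoulli for liquid, choked isentropic flow
for gas) to show why the source term dominates a risk assessment: the mass
flow scales with hole area, and a liquid release is an order of magnitude
larger than a gas release through the same hole. The fluid properties and
discharge coefficients are rounded, constructed values (assumptions), not
data from the notes.
"""
import math

R_GAS = 8.314  # J/(mol K), universal gas constant


def hole_area(diameter_m: float) -> float:
    """Area of a round hole of the given diameter (m^2)."""
    return math.pi * diameter_m ** 2 / 4.0


def liquid_outflow(d_m: float, dp_pa: float, rho: float, cd: float = 0.62) -> float:
    """Mass flow of an incompressible liquid through an orifice (kg/s):
    m = Cd * A * sqrt(2 * rho * dP). Cd = 0.62 is the usual sharp-edged value."""
    return cd * hole_area(d_m) * math.sqrt(2.0 * rho * dp_pa)


def gas_outflow_choked(d_m: float, p_pa: float, t_k: float, molar_mass: float,
                       gamma: float, cd: float = 0.85) -> float:
    """Mass flow of an ideal gas through an orifice under choked (sonic) flow (kg/s):
    m = Cd * A * P * sqrt(gamma*M/(R*T)) * (2/(gamma+1))**((gamma+1)/(2*(gamma-1))).
    p_pa is the absolute upstream pressure. Cd = 0.85 is an assumed value."""
    expo = (gamma + 1.0) / (2.0 * (gamma - 1.0))
    return (cd * hole_area(d_m) * p_pa
            * math.sqrt(gamma * molar_mass / (R_GAS * t_k))
            * (2.0 / (gamma + 1.0)) ** expo)


def choked(p_upstream_pa: float, gamma: float, p_ambient_pa: float = 101325.0) -> bool:
    """True when the pressure ratio exceeds the critical ratio, so the flow is
    sonic and gas_outflow_choked applies; below it that formula over-estimates."""
    critical = ((gamma + 1.0) / 2.0) ** (gamma / (gamma - 1.0))
    return p_upstream_pa / p_ambient_pa >= critical


def source_term_table(pressure_bar_g: float = 20.0, diameters_mm=(5, 10, 20, 50)):
    """Liquid and gas outflow (kg/s) for a range of hole sizes at one gauge pressure.
    Returns a list of (diameter_mm, liquid_kg_s, gas_kg_s)."""
    p_abs = pressure_bar_g * 1e5 + 101325.0
    dp = pressure_bar_g * 1e5
    rows = []
    for d in diameters_mm:
        d_m = d / 1000.0
        liq = liquid_outflow(d_m, dp, rho=500.0)                  # propane-like liquid
        gas = gas_outflow_choked(d_m, p_abs, 300.0, 0.016, 1.30)  # methane-like gas
        rows.append((d, liq, gas))
    return rows


if __name__ == "__main__":
    print("hole    liquid    gas    (kg/s at 20 bar g)")
    for d, liq, gas in source_term_table():
        print(f"{d:3d} mm  {liq:7.2f}  {gas:6.3f}")
```

The 10 mm liquid case comes out a little over 2 kg/s, agreeing with the "in excess of one kg per second" in the text; doubling the hole diameter quadruples every figure, and the gas case is roughly a tenth of the liquid case at the same hole. Those two ratios are larger than any error in the flame model that follows.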

E 1 Risk Assessment An Overview

Introduction

When all of the Design is finished and the Management Systems are in place it is the requirement that the
risks are ALARP. In some cases it may be possible to demonstrate that the design is to best practice,
but this may not be the case for a more complex Process Plant. In that case the risk has to be assessed
and ALARP demonstrated.

It would be wrong to think of Risk Assessment as being accurate or a science: it is approximate, and at
best it is an art. As will be shown later, the data used have to be treated with care and the calculations are
based on empirical formulae which have many subjective factors. The only certain thing about a risk
assessment is that the final value will lie between the extremes of the most optimistic and the most
pessimistic assumptions!! Fortunately, errors in independent factors tend to cancel rather than compound.
However, after each assessment it must be challenged with the question "Does this reflect reality?" Some of
the simplest (and most elegant) risk assessments have been carried out on one side of paper without the use of a
computer! The classic is Fermi's estimate of the yield of the first nuclear explosion, the Trinity test in the
New Mexico desert, from the distance the blast wave carried scraps of paper dropped from his hand. It was
based on experienced judgement and a form of intuitive analysis; it was quick, and it was accurate to
within a factor of two.

Everyone carries out some risk assessment every day and while there may be no absolute values of
tolerability there are some reasonably well-defined bounds which will be used by many people.

Risk Assessment

There are three steps to Risk Assessment, known as:-

How Big? (is the problem) This requires an assessment of the physical result of the event
tempered by the effects of that event.

How Often? (will it occur)

So What? (shall I do about it)

This is very blunt but it is a simple guide or aid to memory. As a means of illustrating it, it is worth
looking at a risk assessment that everyone carries out every day: crossing the road. No one stands with a
calculator in hand, but the mental assessment process will be something like the following.

Car speed: 2 mph (judgement).

How Big? Impact followed by a bruise, or at worst a cut, if hit by a car (judgement).

How Often? 2 mph = 0.9 metres per second. Time to traverse the width of the car (1.7
metres) at a walking speed of 3 mph (1.34 m/s):

Transit time = 1.7/1.34 = 1.27 seconds (calculated value).

In that time the car travels 0.9 x 1.27 = 1.1 metres, so if the car is 1.1 metres or more away it will
be possible to pass in front without being hit.

So What? The probability of being hit tends to zero if the car is 2 metres away; in any case you can
walk faster than the car, so you could walk away from it and if necessary
execute a rugby hand-off!!!

How Big? A bruise: a judgement based on the analysis of previous events.

How Often? Very unlikely, once in 10,000 crossings (say).

If the values are now changed such that the speed of the car is, say, 40 mph, the uncertainty in the
speed assessment, the uncertainty in the judgement of distance and the uncertainty in the likely outcome
(fatality) are such that the judgement of the risk will tend to err on the safe side. Uncertainty is one of the
significant features of risk assessment.



A broad definition of Risk and Hazard was given in the Introduction, and other definitions used in Risk
Assessment in Part A. These are repeated here as this is another logical home. The following are
taken from the IChemE publication "Nomenclature for Hazard and Risk Assessment in the Process
Industries".

Hazard: a physical situation with a potential for human injury, damage to property, damage to the
environment or some combination of these.

Individual risk: the frequency at which an individual may be expected to sustain a given level of harm from
the realisation of specified hazards.

Loss prevention: a systematic approach to preventing accidents or minimising their effects. The activities
may be associated with financial loss or safety issues. It is now becoming known as Safety Engineering!

Redundancy: the performance of the same function by a number of identical but independent means.

Risk: the likelihood of a specified undesired event occurring within a specified period or in specified
circumstances. It may be either a frequency (the number of specified events occurring in unit time) or a
probability (the probability of a specified event following a prior event), depending on circumstances.

Risk assessment: the quantitative evaluation of the likelihood of undesired events and the likelihood of
harm or damage being caused, together with the value judgements made concerning the significance of
the results.

Societal risk: the relationship between frequency and the number of people suffering from a specified
level of harm in a given population from the realisation of specified hazards.

Please ensure that the words risk and hazard are used correctly.

It is now appropriate to expand on the 3 elements of the assessment process.

How Big?

Models used in the process industry an Overview

There are many tools and models available to assess the consequences of an event. The effects of heat,
thermal radiation and toxics (such as carbon monoxide) are fairly well known and understood.
Unfortunately the effects change with age, state of health and sensitivity, so they have to be adjusted from
individual to individual.

The main models used in RISK ASSESSMENT, as applied to the process industry, are Gas Dispersion, Fires
and Explosions. The impact of a toxic gas release involves the calculation of toxic concentrations through
dispersion and then the analysis of the physiological effects of those concentrations on the human. In the
case of fires it requires an analysis of the rate of build-up of temperature in the target body (human or
structural) and of the weakening in the case of structures. In the case of explosions it
requires an analysis of the structural response to an imposed loading due to pressure or impulse (pressure
times time).

Why were these chosen? Dispersion is fundamental to the safe dilution of any gases, be they toxic or
flammable. Those affected may be on site or off site. Dispersion also feeds back to the concept of Hazardous
Area Classification, see Part D. Fire is possibly the most destructive of the mechanisms but it is often
limited in area; it will destroy steels and injure humans. Explosions are probably the next most destructive
mechanism, but the damage tends to be total and the business interruption is major; they can also affect
persons off site. The scope of notes such as these limits the use of sophisticated effects models, such as
would be handled by consultants. This should not be an excuse for not assessing the effects by manual
calculation and so gaining a better understanding of the phenomena and the variables which might
affect the outcomes.

The main types of dispersion are:-

Jets - release at high exit velocity.

Puff - the sudden release of a neutrally buoyant gas.

Passive - the release at low exit velocity.

Heavy Gas Dispersion - the dispersion of a sudden release of a heavy (denser than air) gas.

The first, jet release, describes the release from a vent or production equipment. The second, puff release,
describes the release from a burst or ruptured container. The third, passive release, describes releases at
low velocity which rely, for the most part, on the natural turbulence of the air. The history of the
plume, be it a jet or a passive release, depends on:-

Release rate (kg/sec);

Release velocity;

Angle of the release to the wind direction;

Wind speed;

Weather;

Distance;

Physical properties of the gas;

The concentration at any point beyond the release point will also include an assessment of: -

The height of the release

The relative elevation of the receiver point and the release point

In the case of a puff release the main parameters are:

The mass released;

Weather;

Distance;

Physical properties of the gas;



To a lesser extent other parameters which may be assessed for both releases are

Roughness of the surrounding area, (just as surface roughness in a pipe).

Relative Humidity of the Air

Only the passive plume and puff releases are addressed in this part.

The main types of fire are:-

Torch (jet) fire - release of fluids at high velocity.

Pool fire - where the spread is defined by bunds, drains, or the rate of release and rate of
combustion.

Boiling Liquid Expanding Vapour Explosion (BLEVE) fireball - the rupture of a vessel in a fire
and the sudden release of massive quantities of fuel.

Flash fire - the low, pancake-like fire lasting only a few seconds as the flame traverses the
cloud of flammable gas at about 3 to 5 m/s without any flame acceleration.

Running fire - the cascade of burning fuel down stairs or a structure. (These are significant following an
aircraft fire.)

Each describes very different types of fire. The history of a fire depends on the:-

release rate (kg/sec);

release velocity;

wind speed;

natural confinements of the fluids;

distance;

chemical nature of the fluids.

Only the pool fire and BLEVE are addressed in this part.

The main types of explosion are:-

Confined - a pump room or analyser house, a compressor house, an office, warehouse building
or a dwelling house.

Unconfined - a vapour cloud explosion in an open plant or structure, where flame velocities
can approach sonic velocity.

The history of the explosion depends on the:-

Release rate (kg/sec);



Dispersion process;

Confinement or explosion venting;

Turbulence generation;

Chemical nature of the fluids

Only the vapour cloud explosions (VCE) are addressed in this part.

Consequences Models

This requires an understanding of the effects on either the human or the physical equipment. This
requires an analysis of physiological data, the analysis of past events or research into the effects. The
effects are given later in this part.

How Often?

Frequency models used in the process industry

There are three main techniques for assessing the frequency of an event.

1. Experience.

2. Event Outcome Trees

3. Fault trees.

Use of Experience

Individual experience may show that on average pumps have to be overhauled once every three years, but
this may not be the experience of someone else. A more reliable source of experience is to be found in
failure or reliability databases, of which there are many. The database MUST be relevant to the system
under analysis: data taken from equipment handling water are not relevant to equipment handling
corrosive or erosive products! Data must be analysed very carefully. Values taken from different databases may
cover an order of magnitude (a factor of 10); such data may not represent the reality of the problem under
study.

Data exists for the likely ignition probability for a specific leak size, human performance and other
probabilities. These are based on global experience but may require to be adjusted for case specific
studies.

Event Outcome trees - Fault Trees

The simplest way of showing the linkage of Fault and Event Trees is the Bow Tie Diagram. The LEFT
HAND SIDE shows the CAUSES of the event, where all of the barriers are collapsing, and the RIGHT HAND SIDE
the MITIGATIONS or protective systems built into the design.



Figure E 1.1 The Bow Tie Diagram

Fault Trees

Fault Trees are logical analyses of the conditions required to create an event and produce results in the
form of a probability or a frequency. The magnitude is assessed independently. Fault Trees normally start at
the end point, such as an explosion, and define the exact combination of events that is required
to create it (top down). The structure is very precise and strict rules have to be applied: one rule
that must be observed is that UNITS (probability and frequency) have to be analysed carefully and
used consistently; another is AVOIDING DOUBLE COUNTS (see also Common Mode). The data used must
be fully justified against references, but occasionally "engineering judgement" has to be used and fully
justified. Beware if the final result depends on that judgement.

The final result must be viewed against "credibility": Does the result look credible; does it fit
reality/expectation?

Event Outcome Trees

Event Outcome Trees are a variation on fault trees and use a "yes/no" probability logic to define the event
flow. The starting point is given by the left hand side of the bow tie, such as a leak every 100 years. The
event outcome tree, the right hand part of the bow tie, moderates the frequency of the event to assess
the probability of escalation (or control), and as with fault trees the magnitude requires assessment using
models.

The values of the probabilities may be based on judgement or data. Once again the values have to be
justified.

Once again the final results must be viewed against "credibility".
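The two rules above, consistent UNITS and no DOUBLE COUNTS, and the "credibility" check, can be built into a small bow tie calculation. The following is an added example, not code from the notes. All of its numbers are constructed for illustration (a leak every 100 years, a trip PFD and ignition probabilities of the kind a database would give) and are assumptions, not published data; the outcome names are likewise illustrative.

```python
"""A minimal bow tie: fault tree gates on the left, event outcome tree on the right.

Added worked example; it is not from the original notes. All rates and
probabilities below are constructed for illustration and are assumptions,
not published data. It demonstrates the two rules the notes insist on:
frequencies (per year) and probabilities (dimensionless) are kept as distinct
types so they cannot be combined wrongly, and the outcome frequencies are
checked to add back up to the initiating frequency, which catches double
counts and lost branches.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frequency:
    """Events per year."""
    per_year: float


@dataclass(frozen=True)
class Probability:
    """Dimensionless, 0..1; a conditional probability given a prior event."""
    value: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.value <= 1.0:
            raise ValueError(f"probability out of range: {self.value}")

    def complement(self) -> "Probability":
        return Probability(1.0 - self.value)


# Left-hand side of the bow tie: fault tree gates.

def or_gate(*inputs: Frequency) -> Frequency:
    """OR of independent, rare initiating events: the frequencies add
    (rare-event approximation; exact for mutually exclusive causes)."""
    return Frequency(sum(f.per_year for f in inputs))


def and_gate(initiator: Frequency, *conditions: Probability) -> Frequency:
    """AND gate: an initiating frequency times the probabilities of the enabling
    conditions. Two frequencies are never multiplied together here, because
    'per year squared' is not a frequency; the type signature enforces the
    units rule from the notes."""
    out = initiator.per_year
    for p in conditions:
        out *= p.value
    return Frequency(out)


# Right-hand side of the bow tie: event outcome tree.

def event_tree(initiator: Frequency,
               branches: List[Tuple[str, Probability]],
               worst_case: str) -> Dict[str, Frequency]:
    """Walk a chain of yes/no branches. Each branch is (outcome_if_no, P(yes)),
    where 'yes' means escalation proceeds to the next branch and 'no' ends the
    sequence with the named outcome. The final 'yes' path is the worst case."""
    outcomes: Dict[str, Frequency] = {}
    remaining = initiator.per_year
    for outcome_if_no, p_yes in branches:
        outcomes[outcome_if_no] = Frequency(remaining * p_yes.complement().value)
        remaining *= p_yes.value
    outcomes[worst_case] = Frequency(remaining)
    return outcomes


def credibility_check(initiator: Frequency,
                      outcomes: Dict[str, Frequency], tol: float = 1e-12) -> bool:
    """The outcomes partition the initiating event, so their frequencies must
    sum to the initiator's. A mismatch means a double count or a lost branch."""
    total = sum(f.per_year for f in outcomes.values())
    return abs(total - initiator.per_year) < tol


def worked_example() -> Tuple[Frequency, Dict[str, Frequency]]:
    """Constructed case: two leak sources, a trip that may fail on demand,
    then ignition branches. Returns (initiator, outcome frequencies)."""
    flange_leak = Frequency(0.005)          # per year, assumed
    seal_leak = Frequency(0.005)            # per year, assumed
    leak = or_gate(flange_leak, seal_leak)  # 0.01/yr: a leak every 100 years
    trip_fails = Probability(0.05)          # PFD of the shutdown, assumed
    unisolated = and_gate(leak, trip_fails)  # 5e-4/yr
    outcomes = event_tree(unisolated, [
        ("no ignition: dispersion only", Probability(0.1)),   # P(ignition), assumed
        ("immediate ignition: jet fire", Probability(0.3)),  # P(delayed | ignited), assumed
    ], worst_case="delayed ignition: vapour cloud explosion")
    return unisolated, outcomes


if __name__ == "__main__":
    init, outs = worked_example()
    for name, f in outs.items():
        print(f"{name:45s} {f.per_year:.2e} per year")
    print("sums to initiator:", credibility_check(init, outs))
```

Each outcome carries a frequency because the initiator did; the probabilities only redistribute it. If a branch probability were mistakenly entered as a frequency the dataclass would reject it, and if a branch were added twice the credibility check would fail, which is the practical form of the "does the result look credible?" question.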

So What? (See also Part A)

The world can have anything it wants provided the world can afford it! Do you spend £50 million on signal
improvements on the railways, £50 million on road improvements or £50 million on kidney transplants?
Someone has to decide! The decision may not be popular!!!!

Criteria are subjective and personal but, where one person may cross 10 metres in front of a car travelling
at 20 mph and another may only cross 15 metres in front, both may have made their judgement against
the same objectives/end points - or maybe the first would have missed the last bus home!

Derivation of Criteria

Criteria are not single but multiple, and are not necessarily in sympathy with each other. For example
an improvement in safety in one area may have an adverse effect on the environment. The reverse is also
true: Halons were excellent fire extinguishants but they had adverse effects on the environment. The
environment won and safety lost!

The main criteria are: -

Life/Limb

Health

Environment

(Negative) Public Reaction

Capital Cost

Consequential Losses

Life/Limb

There are many papers on risk to employees and the public. In the historic evolution of risk criteria the
first marker used was the Fatal Accident Rate (FAR). This was defined as the number of fatalities per $10^8$
worked hours; it has now been simplified to the risk to the individual, which has units of frequency of
fatality per person per year. Values were suggested in the Introduction and are reiterated below under "What
values may be used?".

However, it must be stated that UK risk values may not be appropriate elsewhere in the world. Court cases
following fatal accidents have also given indications of what value should be assigned to a life. The Piper
Alpha accident in July 1988 showed that in the UK a value of at least £1 million per life is accepted in the
courts, so it behoves industry to value it higher or else punitive action may be brought. There is no doubt
that local or national legislation must be borne in mind, as was found by the Ford Motor Company
following accidents involving the Pinto car, and after the Deepwater Horizon blow-out, where the punitive fines
were significantly more than £1 million per life.

The Advisory Committee on Major Hazards First Report gave a very guarded comment which suggested
that a major accident which occurred once per 10,000 years was just about acceptable. This does not
suggest that this is acceptable on a global basis (some industries have an inherently higher risk than
others), nor does it imply that this value is acceptable - it is just about acceptable, so must be bettered - nor
does it suggest that there can be 100 events each with a return period of 10,000 years.

The range of tolerable total risk values runs from $10^{-3}$ per person per year for the more hazardous
industries, such as Nuclear and Offshore Oil and Gas Production, to $10^{-4}$ per person per year for the
Chemical and allied industries. This must include the traditional slips, trips and falls. Each industry must
set its own criteria. There is a form of logic that suggests a series of decreasing injury with
reducing frequency. A cut hand might be tolerable once per year but a broken arm only once per 10 years.
A serious injury, such as amputation, might be tolerable once per 1,000 years and a lesser injury once per
100 years. Again look at the Risk Matrix, figure D 12.2.

It must not be forgotten that the public have a criterion of $10^{-6}$ per person per year, as evidenced
by the HSE "Guidance on land use planning". This is two orders of magnitude lower than that for the employee. It
is an observation from many risk assessments that if the employee criterion is satisfied it is likely that the
criterion for the public will also be met; this is not an absolute rule but a generality.

In the UK it is generally accepted that the risk in the chemical industry is made up half from slips, trips
and falls (the technical accidents) and half from process or design-influenced accidents. The slips, trips
and falls are dealt with by design of access, standard of stairs and housekeeping; the process or design-
influenced risks are relevant to this part.

Health

Health can be viewed as an extension of Life/Limb. It is now recognised that not only are some chemicals
carcinogenic and lead to death but also some produce loss of quality of life.

Values can be applied to the negative value of harmful materials which might affect the health.

Values for NOx and Particulates and other potential carcinogens have been derived.

Environment

There is an international awareness that pollution of the environment is no longer to be tolerated. The
Sandoz pollution of the Rhine, the Braer pollution in Shetland, Scotland, the Sea Empress in Milford Haven and
the Exxon Valdez pollution in Alaska have shown that clean-up can be prohibitively expensive and that major
pollution is no longer internationally acceptable. (Though it was accepted in principle that the Industrial
Revolution had to have pollution - "where there's muck there's brass" - there is clear evidence, as
witnessed in East Germany, that it is not now acceptable.) This is a study outwith the scope of these notes,
but it should be noted that Safety and Environment do not necessarily pull in the same direction and a
balance has to be reached!

Values for pollutants are being produced by the day. One is the cost of oil spilled on the high seas; this has
a notional value of between £5,000 and £10,000 per tonne if released close to land. It is less easy to
ascribe values to some others, such as phosphate and nitrogen run-off.

Public Reaction

There are pressure groups within society which are influencing industry, so there is a twin-pronged attack.
The first is at the nuisance level, such as smells and visual disturbance, which results in adverse press and
letters to the Member of Parliament; the second is the public aversion to major accidents. This
is evidenced by the fact that one accident killing 10 people in one day produces a major press headline, but
10 accidents each killing one person on different days at different locations get only local press reports. The result
is the frequency vs. number (F-N) criteria which are to be found in Holland and, to a lesser extent, in the UK
Land Use Planning criteria.

See also the risk Matrix figure D 12.2



Capital Cost and Consequential Loss

This may be viewed as an insurance policy. What do you insure? What do you accept as self insurance?
As a generalisation it is the consequential loss or loss of sales which is the most punitive.

Are Criteria Absolute?

Criteria cannot be absolute values with a clearly defined cut-off point; it is not realistic. There is clear
recognition of a "target" to be aimed at; within that target are the bands of "the acceptable" and "the
intolerable or unacceptable". The latter defines the upper end of the target and the former the lower
end. If the risk is in the acceptable regime there should be no further effort expended, but if
the risk falls between the two bands there MUST be further effort to reduce it. In reality the ALARP
zone is the grey area where money should be spent to reduce the risk so far as is reasonably practicable.
The ALARP dagger has been reproduced as a reminder of this concept.

Figure E 1.2 The ALARP Dagger

Disclaimer

It is obvious that no external person should give or set another company's criteria. The values quoted in
the text are those quoted elsewhere and used by other companies. Each company must choose its own
criteria.

The use of Instrumented Systems to Reduce Risks the Theory

In many simple risk assessments there is a requirement for a shutdown system (trip or protective system).
This was introduced in Part D, Design for Safety.

The assessment process is as follows:-

"Is the cost of the protective system likely to be more than the saving?"

Obviously if the answer is "YES" the protective system produces a negative cash flow.

The saving from the protective system is easy to assess:-


Cost of losses without protective system minus cost of losses with the protective system

The protective system is not perfect: it can fail, and if there is a human link that link could also fail. The
failure rate is related to the age of the equipment. There are three phases: "wear in" or "burn in", where the
failure rate falls with time as the equipment is young and is bedding in; "useful (or beneficial) life", where the
failure rate is low and constant and is not age related; and "wear out" or "burn out", where the equipment
is long overdue for maintenance and the failure rate rises with time as components start to fail.

For most equipment burn in takes only a few days, possibly up to a month; useful life then lasts 4 or 5
years, and ageing sets in at about 5 years.

The probability of a protective system being in operation at any time T years, assuming random failure (i.e.
no burn in/wear in or burn out/wear out), is:

$e^{-FT}$ (E 1.1)

Where:

F = the sum of the failure rates of ALL of the elements (per year). This is usually obtained from Failure
Databases. However many databases give the value of F as the total failure rate. In reality some of the
failures are fail safe or spurious, that means that the shutdown system fails in a safe manner and
shuts the process down. This is often given a failure rate designated as S. The fail danger is the other
failure mode which is the one of interest where the failure results in the non-operation of the system on
demand. This is designated F.

T = the test interval - value in years (every 6 months = 0.5 years) -

Note T will usually be less than 1

Therefore the probability of the trip being in a failed state, or non-functional, after T years is:

$1 - e^{-FT}$

The expansion of the exponential equation $1 - e^{-FT}$ is:

$1 - \left\{1 - FT + \frac{(FT)^2}{2!} - \frac{(FT)^3}{3!} + \frac{(FT)^4}{4!} - \ldots\right\}$

(The divisor is factorial n, or n!)

So the final answer is:

$FT - \frac{1}{2}(FT)^2 + \frac{1}{6}(FT)^3 - \frac{1}{24}(FT)^4 + \ldots$

Clearly provided FT is small the second and subsequent parts of the equation can be ignored.

This reduces to:

$FT$ (E 1.2)

This is the value after T years but it is the average value that is of interest. The probability of failure at time
T = 0 is obviously zero, so the mean value between 0 and T is the average, or a half of the larger value, so
the probability that the system fails to shut the process down is:

$\tfrac{1}{2}FT$ (E 1.3)

This only applies when FT is less than about 0.1, as the expansion of e is:

$e = 1 + 1 + \frac{1}{2} + \frac{1}{6} + \frac{1}{24} + \frac{1}{120} + \ldots$

The derivation of this equation rests on a number of assumptions open to intellectual debate: the equipment is
not experiencing wear in/wear out, and the equipment is always returned to service "as new". Humans
wear in over the first 6 months and wear out after 40 years of use!

$\tfrac{1}{2}FT$ is called the Fractional Dead Time (FDT) or Probability of Failure on Demand (PFD). Note that FDT and
PFD have NO UNITS and are a PROBABILITY. As the protection is not "perfect" (100%), only (1 - FDT) of the
possible maximum saving will be accrued. So, if losses were 100 per annum without a trip, the losses
with a trip (FDT = 0.05) would be 0.05 x 100 = 5, giving a saving of 95 per annum.

In reality testing is not perfect; humans make mistakes during testing and the trip has to be bypassed or
taken out of circuit for on-line testing (sometimes it can be tested off line but not always on a continuous
plant).

Therefore:

FDT (PFD) = $\tfrac{1}{2}FT$ + human error + trip test dead time

$= \tfrac{1}{2}FT + 0.005 + \frac{0.5}{8760\,T}$ (E 1.4)

The human failure rate is about 0.005 (1 in 200) and the trip test dead time is simply the time for the test
(in hours, here taken as 0.5) times the number of tests per year (1/T), divided by the hours per year (8760).

A shut down system can now be designed and the performance specified. For values of T less than about
0.02 (weekly testing) the last term, called the trip test dead time, dominates and the FDT starts to rise for
smaller values of T. For values of T over 0.5 (half yearly testing) the FT factor dominates and rises with
larger values of T. The FDT derived from equation E 1.4 tends to a flat value between 0.03 and 0.05
for values of T between 0.1 and 0.25, so test intervals of about two or three months are realistic and
economic. A good starting value for the FDT of a simple shut down system in a risk assessment is 0.05.

Unfortunately there is a cost to set against the saving. Each company will have to spend cash to buy the
protective system. This in turn will incur interest charges and operational costs such as repairs and testing.
It is not unusual for this to reach 20% of the capital cost (half being interest charges and half operational
costs). It also has to pay off the capital, so it is not difficult to see that for a short lived modification the
return must be nearer 50% of the capital cost (pay off = 3 years).



Percent Rate of Return per Year                 Years to pay off
(Savings per year / Cost of Trip) x 100

50%                                             3.0
40%                                             4.5
30%                                             7.0

Table E 1.1 Likely Pay-off Times for Add-on Safety at 20% annual costs

The usual value used for return = 20% for the first assessment.

The equation now becomes:

(Capital Cost x 0.20) < Annual Savings x 0.95 (E 1. 5)
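As an added worked example (not code from the notes or from the University of Strathclyde), the following Python evaluates equation E 1.4 across candidate test intervals, reports which of the three terms dominates, and applies the cost test of equation E 1.5. The fail-danger rate F and the capital and savings figures are assumed, constructed values.

```python
import math

# Added worked example (not from the notes): equation E 1.4 for a simplex trip and the
# cost test of equation E 1.5. F = fail-danger rate (per year), T = proof-test interval (years).
HUMAN_ERROR = 0.005        # 1 in 200 per test, the value used in the notes
TEST_HOURS = 0.5           # duration of one on-line test in hours, as in the notes
HOURS_PER_YEAR = 8760.0


def fdt_terms(F, T, test_hours=TEST_HOURS, human_error=HUMAN_ERROR):
    """The three contributions to equation E 1.4, returned separately so the
    dominating term at a given test interval can be seen."""
    if F < 0 or T <= 0:
        raise ValueError("F must be >= 0 and T must be > 0")
    # (1/T tests per year x hours per test) / hours per year
    trip_test_dead_time = test_hours / (HOURS_PER_YEAR * T)
    return {"half_FT": 0.5 * F * T,
            "human_error": human_error,
            "trip_test_dead_time": trip_test_dead_time}


def fdt(F, T, test_hours=TEST_HOURS, human_error=HUMAN_ERROR):
    """Fractional dead time (probability of failure on demand), equation E 1.4."""
    return sum(fdt_terms(F, T, test_hours, human_error).values())


def dominant_term(F, T):
    """Name of the largest contribution to the FDT at test interval T."""
    terms = fdt_terms(F, T)
    return max(terms, key=terms.get)


def best_test_interval(F, intervals):
    """The candidate test interval (years) with the lowest FDT."""
    return min(intervals, key=lambda T: fdt(F, T))


def trip_is_worthwhile(capital_cost, annual_savings, annual_charge=0.20, fdt_value=0.05):
    """Equation E 1.5: the trip pays if (capital x 0.20) < annual savings x (1 - FDT)."""
    return capital_cost * annual_charge < annual_savings * (1.0 - fdt_value)


if __name__ == "__main__":
    F = 0.1  # assumed fail-danger rate: one dangerous failure per 10 years (constructed value)
    candidates = [0.001, 0.02, 0.1, 0.25, 0.5, 1.0]
    for T in candidates:
        print(f"T = {T:5.3f} y  FDT = {fdt(F, T):.4f}  dominated by {dominant_term(F, T)}")
    print("best of the candidates:", best_test_interval(F, candidates))
    # constructed costs: a trip costing 100,000 against losses of 30,000 per year
    print("worthwhile at 20% annual charge:", trip_is_worthwhile(100_000, 30_000))
```

Printing the three terms separately shows the behaviour the text describes: at very short intervals the trip test dead time swamps everything, at long intervals ½FT does, and the human error term sets the floor in between.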

Pitfalls in Assessing Fractional Dead Time

There are always pitfalls in the calculation of risks using "dead time", inherent in the simplifying
assumptions. When the probability of a system being failed was assessed it was assumed that FT was less
than 0.1, so that the next term in the expanded exponential was trivial. (FDT is the same as Probability of
Failure on Demand, PFD, but FDT is used from here on as PFD is sometimes used for Process Flow Diagram!)

Simplifying Equation

The simple equation was:

HAZARD FREQUENCY = FREQUENCY OF EVENTS X FDT

Where the frequency of the event is the sum of all the plant failures to a danger or hazardous state or
another way:-

HAZARD RATE = DEMAND RATE (D) X FDT

In reality, if DT or FT is nearer 1 the equation has the following awesome form. This is given for interest
only:

$\text{HAZARD RATE} = \frac{FD}{F+D}\left[1 - \frac{1 - e^{-(F+D)T}}{(F+D)T}\right]$ (E 1.6)

Where:

F = failure rate of components (/ year)

D = demand rate for the process (/ year)



T = test interval (years)

Only use this equation if DT or FT is large

Consider now a car which has brakes which fail once per 10 years.

F = 0.1 per year

Let us assume that the brakes are applied once every 3 minutes; that is

$T = \frac{3}{8760 \times 60}$ years

Clearly FT is definitely less than 0.1, so you would expect the crash hazard rate for a year's driving of 1 hour
per day to be:

$365 \times 1.0 \times 0.5 \times 0.1 \times \frac{3}{8760 \times 60}$

= Demand Rate x FDT

= $1.04 \times 10^{-3}$ / year

Well, this is not true, as the first time the brakes are applied after failure there will be a crash. The crash
rate tends to the failure rate, as shown by equation E 1.6.
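As an added example that is not part of the original notes, the following Python compares the simple product (demand rate x FDT) with the exact form of equation E 1.6. The demand rate D = 365 x 20 = 7300 per year for the car is an assumption (brakes applied every 3 minutes for an hour a day); T is treated as the interval between genuine proof tests of the brakes, because a brake application is a demand, not a test that finds and repairs the fault.

```python
import math

# Added worked example (not from the notes): the exact hazard rate of equation E 1.6 against the
# simple product Demand rate x FDT (FDT = 1/2 FT) that the notes use when FT and DT are both
# below about 0.1. F and D are per year; T is the proof-test interval in years.


def hazard_rate_simple(F, D, T):
    """Hazard rate = D x (1/2)FT, valid only when FT and DT are small."""
    return D * 0.5 * F * T


def hazard_rate_exact(F, D, T):
    """Equation E 1.6, which holds for any FT and DT."""
    s = F + D
    if s <= 0 or T <= 0:
        raise ValueError("F + D and T must be positive")
    return (F * D / s) * (1.0 - (1.0 - math.exp(-s * T)) / (s * T))


def approximation_error(F, D, T):
    """Relative over-estimate of the simple product against the exact value."""
    exact = hazard_rate_exact(F, D, T)
    return (hazard_rate_simple(F, D, T) - exact) / exact


if __name__ == "__main__":
    # The notes' car: brakes fail dangerously once per 10 years (F = 0.1/yr). Assumed demand
    # rate: one application every 3 minutes for one hour a day, D = 365 x 20 = 7300/yr (constructed).
    F, D = 0.1, 365 * 20
    for T in (3.0 / (8760 * 60), 0.1, 1.0):
        print(f"T = {T:.2e} y  simple = {hazard_rate_simple(F, D, T):.3e} /y"
              f"  exact = {hazard_rate_exact(F, D, T):.3e} /y")
```

With the brakes proof-tested only once a year (T = 1, DT = 7300) the simple product gives an impossible 365 crashes per year, whereas the exact equation gives just under 0.1 per year, i.e. the crash rate tends to the failure rate F as the text states. With DT and FT both small (the second line in the loop, or F = 0.1, D = 1, T = 0.1) the two agree to within a few per cent.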

Simplifying Assumptions

1. It is implicit that all equipment as tested is returned to "as new" this is not necessarily so. Also some
additional failures will still be due to burn in or wear in or burn out or wear out.

2. FT and DT less than 0.1

3. All other effects such as trip test Dead Time and Human Reliability are added together with the final
value.

4. Simplex system

5. No Common Mode Allowance

The common mode is that element of a trip system where the failure of the shutdown system is not time-
dependent but is a function of design, the operating conditions or some other external effect which might
make all or part of a larger system fail at the same time. Instruments are vulnerable to a potential
common mode such as a fire or explosion (in this case it is sometimes called common cause), but also
multiple shut down valves with a spring close action are likely to have common mode failures with the
spring or the release mechanism. Consider also multiple pressure tappings: common modes which might
make all of the tappings fail at the same time could be wax, dirt or ice.



As a result the limiting FDT is as follows:-

1) 1 of 1 = 0.05

2) 1 of 2 = 0.005 - 0.001

3) 2 of 3 = 0.001 to 0.0005

Design of Shutdown Systems

The design of shutdown systems, outlined in Part D, and the ability to test them correctly require skills
which are outwith the scope of these notes. Part F gives some markers. It must be noted that a shutdown
system is designed with a reliability (Fractional Dead Time or Probability of Failure on Demand)
appropriate to the perceived frequency and magnitude of the event (the Risk). In addition, it is essential
that the complexity of the shutdown system does not inhibit safe and reliable operation. Shutdown
systems sometimes have to be overridden to facilitate start up: if they have a low level shutdown it will
inhibit start up until a level is established, so there has to be either an override or a means of
establishing the level in a safe manner.

See also Part D Design for Safety where there is a discussion on the use of redundant systems (a two out
of three system designated 2 o o 3).

Hazards in Operation

How do you identify the Hazards Associated with Routine Maintenance and Operations?

Operations are a topic beyond that of a first degree course. However it is appropriate to note that many of
the Management Systems described in Parts C & D apply to Operations.

The Incident Studies in Part H show where problems were not handled properly and incidents occurred.

The identification of hazards that has been applied will still apply to any changes (see Part F, Management
of Change), but every form of Maintenance will require a special form of Hazard Identification, sometimes
given the name Task Analysis, where each step of the maintenance work from isolation through to
refitting is analysed carefully, the hazards identified and the need for special features (including Personal
Protective Equipment) specified. This becomes part of a Management System called Permit to Work
(PtW) (see Part F).



Physical Models or Phenomenology

E 2.1 Outflow

Before any physical models can be analysed it is necessary to know how much fluid will come out of a
hole. The classic systems are Gas and Liquid but flashing fluids behave differently - as would be expected.

Gas Outflow

At high pressures, over 200 kPa, the classic (sonic) gas outflow model is

$M = C_d A P_u \sqrt{\frac{\gamma M_w}{R T_u}\left(\frac{2}{\gamma+1}\right)^{\frac{\gamma+1}{\gamma-1}}}$ (E 2.1.1)

$V = \sqrt{\frac{2\gamma R T_u}{M_w(\gamma+1)}}$ (E 2.1.2)

M = Outflow (kg/s)

V = Exit Velocity (m/s)

Cd = Coefficient of Discharge

Pu = Upstream Pressure (Pascals)

A = Orifice Area (m²)

Mw = Molecular Weight (kg/kmol)

Tu = Upstream Temperature (Kelvin)

R = 8314 (Joules per kmol per Kelvin)

γ = Ratio of the Specific Heats of the Gas at Constant Pressure and Constant Volume (Cp/Cv)

At very high pressures, greater than 1 MPa, these equations still hold well but the orifice velocity, and
hence the jet mixing velocity, is underestimated. In most cases this is not significant.

At upstream pressures less than about 190 kPa, equations E 2.1.1 and E 2.1.2 no longer hold as the gas
velocity is subsonic:

$M_{LP} = C_d A P_u \sqrt{\frac{2\gamma M_w}{R T_u(\gamma-1)}\left[\left(\frac{P_o}{P_u}\right)^{\frac{2}{\gamma}} - \left(\frac{P_o}{P_u}\right)^{\frac{\gamma+1}{\gamma}}\right]}$ (E 2.3)

Pu = Upstream Pressure (Pascals)

Po = Atmospheric Pressure (Pascals)

MLP = Outflow (kg/s) (low pressure)

Others as above

Liquids (not flashing)

The outflow equation is the standard incompressible fluid flow equation:

$M = C_d A\sqrt{2\rho(P_u - P_o)}$ (E 2.4)

Cd = Coefficient of discharge

A = Orifice Area (m²)

ρ = Density (kg/m³)

Pu = Upstream Pressure (Pascals)

Po = Downstream Pressure (Pascals)

Liquids (flashing) on the orifice, including LPG, Chlorine and other volatile components

The outflow equation has to be modified to somewhere between a gas and an incompressible flow
equation:

$M = C_d A\sqrt{2\rho_c(P_u - P_c)}$ (E 2.5)

Where:

ρc = Density of the fluids at 0.55 Pu (kg/m³)

Pc = 0.55 Pu

To find ρc it is necessary to use tables of physical properties to assess the fraction of fluid flashed at Pc and
then to combine the phases to assess ρc. However, once out of the orifice the fluids will continue to flash
to atmospheric pressure conditions. Conventionally, when flashing cryogenics into the atmosphere, it has
been taken that the mass in the cloud was twice the final flash to make allowance for aerosol
formation. In practice, total volatilisation is more likely when the fluids are more than about 50 °C
superheated (relative to ambient temperature) at source.

Experimental results suggest that if the effects of flashing are unclear the following are useful
correlations:

Flashing flow = 0.25 x Liquid-alone flow

Gas flow = 0.25 x Flashing flow

or

$\text{Flashing flow} = (\text{gas flow through the orifice} \times \text{liquid flow through the orifice})^{1/2}$ (E 2.6)

This is a "ready reckoner" when equilibrium data are not available.

There are more reliable methods, one of which is called the Homogeneous Equilibrium Method
(HEM). The increased accuracy, given the uncertainties in any assessment, does not justify the use of HEM in
these notes.

Coefficients of Discharge

The best case value for the coefficient of discharge is nearer 1 for a well rounded nozzle entry. It is also the
worst case for outflow or risk assessment. The value for the coefficient of discharge for a sharp edged
orifice can fall to 0.61; a middle ground value of 0.8 is often used for a short pipe stub. If in doubt use the
geometric mean for the two values for the coefficient of discharge:

$(1 \times 0.61)^{1/2}$ (E 2.7)

This tends to 0.8, a value used for outflow from a loss of containment. It is recognised that this is also the
arithmetic mean but in the event of uncertainty it is better to use the geometric mean where the error is
minimised.

A further complication for ruptured piping is that the flashing may take place inside the pipe upstream of
the actual rupture. As a result there is the complication of a two phase flow pressure drop which again
arrests the flow rate. Plots of the L/D for the upstream length of pipe and the modifying factor are
available but are not part of these notes.



Flash Fraction

If all data are known the physical property tables should be used; however, the simple formula below is a
good approximation.

$\text{Flash Fraction} = 1 - e^{-\frac{c_p(T_u - T_o)}{c_v}}$ (E 2.8)

Where:

Cp = Specific Heat (Joules/kg/K)

Cv = Latent Heat (Joules/kg)

Tu = Upstream Temperature (Kelvin)

To = Orifice or Downstream Temperature (Kelvin)

There are good reasons for believing, based on tests on pressurised sources with upstream pressures
> 500 kPa plus > 50 °C superheat (e.g. LPG stored in bullets or even pressurised chlorine), that flashed fluids will
result in total evaporation due to forced evaporation from the fast moving droplets as they move through
the air, so resulting in negligible "rain out".
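The following Python is an added worked example, not code from the notes or the University of Strathclyde: it implements the outflow equations E 2.1.1 to E 2.7 and the flash-fraction approximation E 2.8 for a constructed 10 mm hole. The fluid properties (a methane-like gas with Mw 16 and γ 1.31, a water-like liquid of 1000 kg/m³, propane-like cp and latent heat) are assumed round-number values, and the 200 kPa switch between the sonic and subsonic equations follows the boundary the notes quote.

```python
import math

# Added worked example (not from the notes): outflow equations E 2.1.1 to E 2.7 and the
# flash-fraction approximation E 2.8, applied to a constructed 10 mm hole. Property values
# used below are assumed round-number inputs, not data from the notes.
R = 8314.0  # J/(kmol K), so molecular weight is in kg/kmol


def orifice_area(diameter_m):
    return math.pi * diameter_m ** 2 / 4.0


def gas_outflow_choked(Cd, A, Pu, Tu, Mw, gamma):
    """Equation E 2.1.1: sonic (choked) gas outflow, kg/s, for Pu above about 200 kPa."""
    term = (2.0 / (gamma + 1.0)) ** ((gamma + 1.0) / (gamma - 1.0))
    return Cd * A * Pu * math.sqrt(gamma * Mw / (R * Tu) * term)


def gas_exit_velocity(Tu, Mw, gamma):
    """Equation E 2.1.2: sonic exit velocity, m/s."""
    return math.sqrt(2.0 * gamma * R * Tu / (Mw * (gamma + 1.0)))


def gas_outflow_subsonic(Cd, A, Pu, Po, Tu, Mw, gamma):
    """Equation E 2.3: subsonic gas outflow, kg/s, for Pu below about 190 kPa."""
    r = Po / Pu
    if r >= 1.0:
        return 0.0  # no driving pressure difference
    bracket = r ** (2.0 / gamma) - r ** ((gamma + 1.0) / gamma)
    return Cd * A * Pu * math.sqrt(2.0 * gamma * Mw / (R * Tu * (gamma - 1.0)) * bracket)


def gas_outflow(Cd, A, Pu, Po, Tu, Mw, gamma, choke_pressure=2.0e5):
    """Pick the sonic or subsonic equation on the 200 kPa boundary the notes give."""
    if Pu >= choke_pressure:
        return gas_outflow_choked(Cd, A, Pu, Tu, Mw, gamma)
    return gas_outflow_subsonic(Cd, A, Pu, Po, Tu, Mw, gamma)


def liquid_outflow(Cd, A, rho, Pu, Po):
    """Equation E 2.4: incompressible liquid outflow, kg/s."""
    return Cd * A * math.sqrt(2.0 * rho * max(Pu - Po, 0.0))


def flashing_outflow_estimate(gas_flow, liquid_flow):
    """Equation E 2.6, the ready reckoner: geometric mean of gas-only and liquid-only flows."""
    return math.sqrt(gas_flow * liquid_flow)


def discharge_coefficient(c_rounded=1.0, c_sharp=0.61):
    """Equation E 2.7: geometric mean of the rounded-nozzle and sharp-edged values."""
    return math.sqrt(c_rounded * c_sharp)


def flash_fraction(cp, latent_heat, Tu, To):
    """Equation E 2.8: fraction flashed when the liquid drops from Tu to To (K)."""
    if Tu <= To:
        return 0.0
    return 1.0 - math.exp(-cp * (Tu - To) / latent_heat)


if __name__ == "__main__":
    A = orifice_area(0.010)
    Cd = discharge_coefficient()                      # about 0.78, the notes' 0.8
    # assumed gas: methane-like, Mw 16 kg/kmol, gamma 1.31, at 293 K and 10 bar
    m_gas = gas_outflow(Cd, A, 1.0e6, 1.013e5, 293.0, 16.0, 1.31)
    # assumed liquid: water-like, 1000 kg/m3 at 5 bar
    m_liq = liquid_outflow(Cd, A, 1000.0, 5.0e5, 1.013e5)
    print(f"gas {m_gas:.3f} kg/s, liquid {m_liq:.3f} kg/s, "
          f"flashing estimate {flashing_outflow_estimate(m_gas, m_liq):.3f} kg/s")
    print(f"sonic exit velocity {gas_exit_velocity(293.0, 16.0, 1.31):.0f} m/s")
    # assumed propane-like properties: cp 2500 J/kg/K, latent heat 430 kJ/kg, 293 K to 231 K
    print(f"flash fraction {flash_fraction(2500.0, 4.3e5, 293.0, 231.0):.3f}")
```

The ready reckoner result sits between the gas-only and liquid-only flows, as the text says it should, and the subsonic branch gives a slightly lower flow than the sonic equation would at the same low pressure, which is the reason the notes switch equations below about 190 kPa.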

Evaporation from Pools

Pools evaporate at the surface and boil due to heat ingress from the soil/substrate. The evaporation is
fairly simple but the heat ingress is very complex and involves knowledge of the physical properties of the
substrates. This results in a decaying evaporation curve. It is worth being aware of the equations as it
closes the gap between spills and evaporation. It is really part of a higher level discussion.

The peak evaporation rates E in kg/sec are given by the following equations.

Square Pools

$E = 2.6 \times 10^{-4}\,\frac{MW\,P}{T}\,u^{0.78}\,x^{0.89}\,y$ (E 2.9)

Circular pools

$E = 7.9 \times 10^{-4}\,\frac{MW\,P}{T}\,u^{0.78}\,R^{1.89}$ (E 2.10)

Where:

E = evaporation rate - kg/s

MW = molecular weight

P = Vapour pressure of the liquid - Pa

T = Absolute temperature of the fluid - K

u = wind speed - m/s

R = radius of pool - m

x = downwind side of rectangle - m

y = cross wind side of rectangle - m

The significance of these equations is that of the vapour pressure of the fluid. If the pool can be blanketed
with foam or another device which prevents contact between the air and the pool surface the evaporation
rate can be reduced greatly as the forced evaporation tends to zero but boiling due to heat gain from the
ground will still occur but at a reducing rate as the substrate (soil) chills.



E 3 Gas Dispersion

Gas dispersion is chosen as the first phenomenon as in many ways it feeds into some of the other models.
Also if it disperses safely there should not be a problem.

Photo E 3.1 A Plume of a Continuous (heavy) Gas Release


Note:

1. The looping - the plume is not coherent (See Figures E 3.1 & E 3.6)

2. The momentum rise (See Photo E 3.1 and Figure E 3.1)

3. The gravity fall for the gas (which in this case had a density of about 3 kg/m3)

Introduction and General Background

Dispersion is fundamental to the safety of persons both on and off a site. It is necessary to understand
what conditions may increase the risk following a release of toxic or flammable gases. It is also necessary
to know how far a release of odoriferous gas may travel and still be smelled. The public have a right to a
clean and odour free environment. Dispersion also feeds into hazardous area classification see Part D.

It is fairly obvious that gas dispersion is an essential feature of the earth's boundary layer, and we live in
that boundary layer! If it were not so any release from a site would stay at that unique concentration
until it had gone round the world! Luckily, as experienced in reality, the air is a fairly homogeneous mixture
and there are strong mixing processes within it. The mixing processes are four-fold: Jet, Bulk, Turbulent
and Diffusion (see Photo E 3.1 and Figure E 3.1). In the case of Jet Mixing there is a high velocity jet with
high internal turbulence. The action of the jet upon the air produces vortices at the sheared interface of
the jet and the air stream; these, plus the internal turbulence in the jet, are powerful mixing mechanisms.
Bulk Mixing (sometimes called Translation Mixing) is caused by two gas streams travelling in different
directions to each other: one is injected into the other in a shearing or smearing action. During this phase
the plume is turned and moves with the air stream at a relative velocity tending to zero. The third, and
possibly the most important, mechanism is Turbulent Mixing due to the local vortices within the air
stream. The air always has movement within it; this is evident from the study of the movement of water
droplets in clouds (fog) and the movement of smoke leaving a chimney. The final effect (and by far the
smallest) is Molecular Diffusion, the molecular velocities which are random in direction. This results in a
uniform concentration of gas, be it light or heavy, within an enclosed room. In theory and in practice
hydrogen can appear under the floor boards and hydrogen sulphide behind the ceiling tiles. Be very aware
of the potential hazards created by diffusion; it can be a real killer!

Figure E 3.1 The Plume History

Initially the following two mechanisms are given more detailed analysis:-

Jet Mixing

Turbulent Mixing.

Later the Puff Releases Dispersion will be discussed

It is reasonable to note that anything which slows up air flow and creates stagnant zones is a hindrance to
dispersion (see the formulae later on). An open, uncongested process plant is safer than a congested plant
or a confined space which has to be force ventilated. A plant where equipment is well spread out is safer
than one where equipment is close together. Walls or enclosures in a plant are to be resisted, as are
artificial enclosures such as those created by pipe tracks; these all result in a plant which is less open.
Ventilation rates from fans are often based on 6-12 changes per hour; this produces 'wind' speeds of about
0.1-0.2 m/s, but even on a very still day air speeds of 0.5 m/s are readily achieved in the open air.

The history of any gas plume is at best complex and can only be assessed with tolerable accuracy using
sophisticated computer models, these are not available to most Universities and even these have their
own limitations. It is not difficult to see even by visualising this problem that a jet may initially start off up
wind but if the wind is in an adverse direction the resultant plume may find its way into a safe area. This is
illustrated by the plots below.

Fig E 3.2 Plume of gas blown by the wind

Heavy Gas Dispersion is even more perverse! LNG (say liquid methane) requires heat from the air to
complete the evaporation process, and at the point of heat balance where all of the un-flashed liquid is
fully vaporised the final air temperature is -160 °C or 113 K. Even though methane has a density of 0.71
kg/m³ at atmospheric temperature compared to 1.22 kg/m³ for air, and while there may be 25% v/v
methane in the resultant cloud, the true cloud density for methane/air at 113 K will be over twice that of air
until it warms up. Initially it will sink, not rise, and it will flow as a thin cloud slumping under the effects of
gravity on the cloud. The same is true for a spill of water onto the floor! There are methodologies for
heavy gas dispersion but they are complex.

Beware the perverseness of gas dispersion!

Meteorology

The atmosphere in contact with the earth is in fact a boundary layer and subject to both temperature and
velocity gradients. If a small cylinder of gas was raised from the surface of the earth it would expand
adiabatically and cool at a temperature gradient of about -1 °C/100 metres; this is called the adiabatic
lapse rate and applies when there are no rising or falling thermals. (In reality it is nearer 0.8 °C but the
value of -1 °C is easier to remember.) If the earth is heated by the sun the thermal gradient may increase to
-2 °C/100 m, that is, the air at ground level is more buoyant than the air above so it will rise in "thermals".
The opposite is true on a starry night: the temperature gradient is zero or even positive, so there are
descending thermals and the air is trapped at ground level with little dispersion. This leads to fogs. In the
case of the adiabatic lapse rate there is no effective buoyancy gradient, so there are no thermals rising or
falling.

The rising thermals induced by the sun are therefore a mixing process. In some cases there are inversions,
that is, the density of the air above the inversion layer is lower than that below the layer, so air cannot
penetrate it by buoyancy alone and the gases are "trapped". This was shown classically in the photos of
the smoke plumes during the Buncefield Tank Farm fires, Photo E 3.2. (Hydrogen will still rise through the
layer as it has inherent buoyancy, but low concentrations of noxious gases such as sulphur and nitrogen
dioxides can become trapped with a significant impact on pollution.)

Photo E 3.2 Inversion Conditions during the Buncefield Terminal Fire

Note the flat top of the plume

Stability

The temperature gradient has been discussed earlier and is of importance and is defined by Pasquill
"Stability Levels".

Fig E 3.3 Temperature profile in the boundary layer

Level A equates to a hot bright summer day, temperature gradient over -2 °C per 100 m.

Pasquill F equates to a cold, starlit, frosty winter night where the temperature gradient is 0 or
maybe +1 °C per 100 m.

Between A and F there are 4 levels, the most common being D where the temperature gradient is
-1 °C per 100 m. This occurs in the UK for almost 80% of the time.

This ratio will be different in any other country round the World.

The main equations worthy of note are the gas dispersion equations for passive and puff releases. But it is
of note that there are also equations which describe the mass of fuel between flammable limits. These are
not given in this part but it is mentioned as it has some significance when you are looking at Vapour Cloud
Explosions.

Within the earth's atmosphere there is a velocity gradient, as befits any boundary layer for fluid flow. It is
not of any major concern; wind speed increases with height, and as a result all meteorological references for
wind speed are referred to a standard height of +10 m. This gradient results in wind speeds at the top of
mountains which are significantly higher than those at sea level, and of course the jet stream at 10,000 m.
In more complex dispersion calculations elevation has to be taken into account as it modifies the local
wind speed.

Dispersion Theory

Continuous Release

The main equation of Turbulent Dispersion is the downwind concentration at ground level or on the
centre line. It gives the generalised centre line concentration at (x, 0, 0), where x is the downwind
distance, 0 is the cross wind distance (y) and 0 is the vertical distance (z).

$\chi = \frac{1}{K_1}\,\frac{Q}{\pi\,\sigma_y\,\sigma_z\,u}$ (E 3.1)

K1 = 1 for a ground level release

K1 = 2 for an elevated release

σy, σz are dispersion coefficients, see Table E 3.1 later

This equation derives from the full equation

Ground Level

$\chi_{xyz} = \frac{Q}{\pi\,\sigma_y\,\sigma_z\,u}\exp\left[-\frac{1}{2}\left(\frac{y^2}{\sigma_y^2} + \frac{z^2}{\sigma_z^2}\right)\right]$ (E 3.2)

Where:

χxyz = The concentration kg/m³

Q = Release rate kg/s

σy and σz are the dispersion coefficients in the y (horizontal) and z (vertical) axes

y and z are the horizontal and vertical axes

u is the wind speed m/s

The part of equation E 3.2 defined by:

$\chi_{xyz} = \frac{Q}{\pi\,\sigma_y\,\sigma_z\,u}$ (E 3.3)

represents the concentration along the centre line, where it is at its highest. This occurs because at the centre
line y² = z² = 0, exp(-0) = 1 and the value of χxyz is a maximum for any fixed value of x.

The exponential part of the equation:

$\exp\left[-\frac{1}{2}\left(\frac{y^2}{\sigma_y^2} + \frac{z^2}{\sigma_z^2}\right)\right]$ (E 3.4)

represents the concentration decay across the plume in the y axis and vertically in the z axis. The
equations might suggest that the plume goes on to infinity. It should be limited vertically and horizontally
to about 3σ values.

χxyz = concentration kg/m³

σy, σz = dispersion coefficients

x, y, z = ordinates from the source: x along, y across, z up/down

Elevated Release

$\chi_{xyz} = \frac{Q}{2\pi\,\sigma_y\,\sigma_z\,u}\exp\left(-\frac{y^2}{2\sigma_y^2}\right)\left[\exp\left(-\frac{(z-H)^2}{2\sigma_z^2}\right) + \exp\left(-\frac{(z+H)^2}{2\sigma_z^2}\right)\right]$ (E 3.5)

H = release height above the ground

Where the centre line value is required, y² = 0 and exp(-0) = 1, z = H and so (z - H)² = 0. Where H is more
than 3 or 5 metres, exp(-(z + H)²/2σz²) tends to zero. Note: this is only given for completeness. Use equation
E 3.3 with the K1 moderator.

Pasquill Category    σy (m)                  σz (m)                  Range of x (m)

A                    σy = 0.493 x^0.88       σz = 0.087 x^1.10       (100 < x < 300)
D                    σy = 0.128 x^0.90       σz = 0.093 x^0.85       (100 < x < 500)
F                    σy = 0.067 x^0.90       σz = 0.057 x^0.80       (100 < x < 500)

Table E 3.1 - Dispersion coefficients for Passive Plumes

The dispersion coefficients are only accurate in the range shown; minor errors will result outwith these
bands. Their origins are shown later in Figures E 3.4 & E 3.5. It will be noted that there are actually 6 stabilities
(and a rare one, G) but the three given are the most relevant in simple risk assessment. In more complex
assessments it would be necessary to explore ALL stabilities, ALL wind speeds and ALL wind directions. This
gives potentially up to 1000 combinations. Fortunately there are some mutual exclusions which can
reduce the combinations to nearer 40. Note that the very UNSTABLE A stability and VERY STABLE F
stability conditions do not occur with wind speeds above about 5 m/s. This helps the assessment process.
For simple risk assessments in the UK, and the UK only, reasonably accurate results can be derived from
the simplifying assumption that 80% of the year can be characterised by 5 m/s winds, stability D (5D) and
20% of the time by 2 m/s and stability F (2F).

Figures E 3.4 & E 3.5 Derivation of Dispersion Coefficients y and z given in Equation E 3.4 (As Gifford)

It will be noted that the plots are on a log v log basis and have a limited linearity such that the correlations
fall down where x is less than 100 m. There are more sophisticated correlations used in computers but the
accuracy is still open to debate where x is small.



For elevated sources two mirror images can be considered, so any value is half what you expect. Consider
two parcels of gas in image formation, each of Q/2, and inject this into the equations.

The shape of the cloud defined by equation E 3.2 is that of a half tear drop. The maximum dimensions in
the y and z axes are about 2/3 along the length of the plume.

Hence for Pasquill Stability D at 2 m/s and a 0.5 kg/s leak rate at an elevated level, the distance to
safe dispersion as measured along the centre line (x) is:

$\text{Distance} = \left(\frac{0.5}{2 \times \pi \times 2 \times 0.128 \times 0.093 \times \chi}\right)^{1/1.75}$

where χ is the target concentration, to which the modifying factor described below should be applied.

Peak to TWA Concentrations

Fig E 3. 6 Shapes of a family of dispersing plumes (see also Photo E 3.1)

In this set you will see there are 3 "snapshots" of a single release taken at different times - say every
minute. The equations given, E.3.2, E.3.3 describe the TIME WEIGHTED AVERAGE (TWA) taken over the
extremes of the three plumes and shown as the two divergent lines forming a triangular envelope around
the three plumes in Figure E.3.6. This averaging was typically taken over a 6 minute interval. (Think of the
problems of sampling and analysing a time varying plume of gas!) BUT, at any one time the peak
concentration may be 2.5 times the TWA, close in to the release it may be even 4 times that predicted.
This means that it is necessary to:

1. Ensure the safety margin is included.

2. Use 40% of the target or desired limiting concentration if using a computer programme. (These
programmes usually assess the "time weighted average" (TWA) usually over 3 or 6 minutes - and not the
instantaneous values). (For example use 40% of the lower flammable limit table E 4.1 later).

3. Multiply any concentration values derived by calculation by a factor of 2.5 to reflect that the peak value
could be significantly higher than assessed by the TWA equations.



Conversion vol/vol and weight/vol

Remember that gas concentrations are often given as vol/vol and the dispersion equations give results
in kg/m³. To convert between vol/vol and weight/vol (kg/m³) use the conversion:

$\text{vol/vol} = \text{kg/m}^3 \times \frac{22.41}{\text{Molecular Weight}}$ (E 3.6)

For example, 0.1 kg/m³ of a gas of MW = 40 is $\frac{0.1 \times 22.41}{40} = 0.056025$ vol/vol.

Likewise a concentration of 10% vol/vol has a mass concentration of 0.1785 kg/m³.
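The following Python, an added example rather than code from the notes or the University of Strathclyde, implements the passive plume equations E 3.1 to E 3.4 with the coefficients of Table E 3.1, the rearrangement for distance used in the notes' 0.5 kg/s, 2 m/s, stability D example, the crosswind width obtained by taking natural logs of E 3.2, the 2.5 peak-to-TWA factor and the E 3.6 conversion. It assumes the Gaussian plume normalisation π σy σz u in the denominator; the 5% v/v limit for a molecular weight 16 gas is a constructed input, and the validity-band check shows that the resulting distance falls below the 100 m lower limit of the correlations.

```python
import math

# Added worked example (not from the notes): passive-plume equations E 3.1 to E 3.4 with the
# Table E 3.1 coefficients, the safe-distance rearrangement, the 2.5 peak-to-TWA factor and
# the vol/vol conversion of E 3.6. All inputs in the demonstration are constructed values.

# Table E 3.1: (a_y, b_y, a_z, b_z, x_min, x_max) with sigma = a * x**b, x in metres
PASQUILL = {
    "A": (0.493, 0.88, 0.087, 1.10, 100.0, 300.0),
    "D": (0.128, 0.90, 0.093, 0.85, 100.0, 500.0),
    "F": (0.067, 0.90, 0.057, 0.80, 100.0, 500.0),
}
PEAK_TO_TWA = 2.5          # peak may be 2.5 x the time weighted average
MOLAR_VOLUME = 22.41       # m3/kmol used in E 3.6


def sigmas(stability, x):
    """Dispersion coefficients sigma_y, sigma_z (m) at downwind distance x (m)."""
    ay, by, az, bz, _, _ = PASQUILL[stability]
    return ay * x ** by, az * x ** bz


def in_valid_range(stability, x):
    """True when x lies inside the band for which Table E 3.1 is quoted."""
    _, _, _, _, lo, hi = PASQUILL[stability]
    return lo < x < hi


def centreline_concentration(Q, u, stability, x, elevated=False):
    """Equation E 3.1 / E 3.3: concentration (kg/m3) on the plume axis at distance x."""
    k1 = 2.0 if elevated else 1.0
    sy, sz = sigmas(stability, x)
    return Q / (k1 * math.pi * sy * sz * u)


def concentration(Q, u, stability, x, y, z, elevated=False):
    """Equation E 3.2: off-axis concentration, the E 3.4 decay applied to the centre line."""
    sy, sz = sigmas(stability, x)
    decay = math.exp(-0.5 * ((y / sy) ** 2 + (z / sz) ** 2))
    return centreline_concentration(Q, u, stability, x, elevated) * decay


def distance_to_concentration(Q, u, stability, target, elevated=False):
    """Rearrangement of E 3.1 for x, as in the notes' stability D distance example."""
    ay, by, az, bz, _, _ = PASQUILL[stability]
    k1 = 2.0 if elevated else 1.0
    return (Q / (k1 * math.pi * u * ay * az * target)) ** (1.0 / (by + bz))


def crosswind_half_width(Q, u, stability, x, target, elevated=False):
    """Half width (m) at ground level inside which the TWA concentration exceeds target,
    found by taking natural logs of E 3.2 at z = 0 and solving for y."""
    c0 = centreline_concentration(Q, u, stability, x, elevated)
    if c0 <= target:
        return 0.0  # even the centre line is below target at this x
    sy, _ = sigmas(stability, x)
    return sy * math.sqrt(2.0 * math.log(c0 / target))


def kg_per_m3_to_vol_fraction(c, Mw):
    """Equation E 3.6."""
    return c * MOLAR_VOLUME / Mw


def vol_fraction_to_kg_per_m3(v, Mw):
    return v * Mw / MOLAR_VOLUME


def twa_target(limit_kg_per_m3):
    """Target for a TWA calculation: 40% of the limit, i.e. limit / 2.5."""
    return limit_kg_per_m3 / PEAK_TO_TWA


if __name__ == "__main__":
    Q, u = 0.5, 2.0                               # 0.5 kg/s, 2 m/s, as in the notes' example
    lfl = vol_fraction_to_kg_per_m3(0.05, 16.0)   # assumed 5% v/v limit for a Mw 16 gas
    x = distance_to_concentration(Q, u, "D", twa_target(lfl), elevated=True)
    print(f"distance to 40% of limit: {x:.1f} m, within Table E 3.1 band: {in_valid_range('D', x)}")
    c0 = centreline_concentration(Q, u, "D", 200.0, elevated=True)
    print(f"centre line at 200 m: {c0:.3e} kg/m3 = {kg_per_m3_to_vol_fraction(c0, 16.0):.2e} v/v")
    print(f"half width above half the centre line value: "
          f"{crosswind_half_width(Q, u, 'D', 200.0, c0 / 2, elevated=True):.1f} m")
```

The distance check is the practical caveat: when the answer lands below 100 m the Table E 3.1 correlations are outside their stated band, so the result should be treated as indicative only, exactly as the text warns for small x.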

Jet Dispersion

The assessment of a sonic jet concentration is given by the equation:

$\frac{\rho_g}{C_a} = 0.32\,\frac{l}{d_j}\left(\frac{\rho_a}{\rho_g}\right)^{0.5}$ (E 3.7)

where:

Ca = Axial concentration at distance l along the jet - kg/m³

l = Distance along the jet - m

dj = the jet diameter (or effective diameter of a sonic jet if released from over 200 kPa)

ρa, ρg are the air and gas densities in kg/m³ respectively

Whence the jet usually disperses in about 200 equivalent jet diameters dj*, where dj* is the equivalent
diameter of a jet of gas moving at Mach 1 at atmospheric pressure. This is given for completeness.

Limitations in the use of gas dispersion equations

The calculation of gas plumes and the concentration is not as accurate as would be wished. Care must be
taken to assess the true variables accurately.

1. The range of results between a hot windy day and a cold still starry night can vary by a factor of greater
than 10 - wind speed and atmospheric stability must be assessed as variables.

2. Elevation affects the results.

3. Buoyancy affects the results.

4. Efflux conditions - velocity and orientation to the wind - affect the results.

5. The variables within the computer programme, and how these are modelled, affect the results.

The answers are probably only accurate to within a factor of 2.

In order to carry out a simple dispersion calculation, assess the axial concentration using equation E 3.3
and then apply the moderation of equation E 3.4. Note that it is possible to assess the safe cross wind
width (or vertical height) by rearranging the equations into an equation with an exponential. This is
solved by taking natural logs (ln) of both sides of the rearrangement.

Instantaneous Releases

Instantaneous releases, sometimes called "Puff Releases" are typified by a "burst vessel". The release is
neutrally, positively or negatively buoyant. For the most part the releases tend to be negatively buoyant,
that is, heavier than air. The reasons for this are that in general the fluids are heavy or of a high molecular
weight or are potentially cryogenic or are cold when the pressure is released and the gases expand
adiabatically.

Heavy gases mix with air by two mechanisms, first there is the potential energy of the heavy collapsing
cloud. The energy produces a "pancake cloud" with a rolling vortex at its edge - this is a powerful mixing
mechanism. The analysis of this requires at best long, interactive calculations or computer models but the
non buoyant model is easier to handle and probably produces higher concentrations at any point
downwind of the release.

The most simple model for the concentration is the following:

$$\chi = \frac{K_1\,Q^*}{x^{K_2}} \qquad (E\ 3.8)$$

where:

χ = concentration (kg/m3)

Q* = the mass released (kg)

x = downwind distance (metres)

K1, K2 = constants

Remember that if Q* is the resultant release of an air/gas mixture due to a puff release, the values used need
adjusting. First the mass of the new mixture Q*, which has both air and gas, is needed and second a new,
modified mass dilution is needed for that mixture. The overall concentration is then the blend of the two
diluting mechanisms, the initial mixing and then the dispersion mechanism. Heavy gas dispersion is a
totally different and more complex study which is beyond the scope of these notes. The collapsing heavy
gas will result in a more vigorous mixing process than the puff release, as outlined earlier.

Instantaneous Release

The dispersion coefficients are functions of the atmospheric stability and time after release (or downwind
distance, as for continuous releases). Equation E 3.8 gives the concentration around the cloud centre,
which moves with the speed and direction of the prevailing wind.

A common equation for a ground-based instantaneous release comes from the Sutton model:

$$\chi(x, y, z, t) = \frac{2\,Q^*}{\pi^{3/2}\,\sigma_x \sigma_y \sigma_z}\,\exp\left[-\left(\frac{x^2}{\sigma_x^2} + \frac{y^2}{\sigma_y^2} + \frac{z^2}{\sigma_z^2}\right)\right] \qquad (E\ 3.9)$$

where:

x, y, z = axes of the cloud downwind, crosswind and vertical (m) for a moving cloud, measured from the
centre of the cloud after time t seconds

t = time after release (s)

Q* = size of release (kg)

σx, σy, σz = dispersion coefficients in the downwind, crosswind and vertical directions (m)

χ = average point concentration (kg/m3)

One simple correlation for the dispersion coefficients assumes that:

$$\sigma_x^2 = \sigma_y^2 = \sigma_z^2 = C^2\,(u\,t)^{(2-n)} \qquad (E\ 3.10)$$

Pasquill Category    C       n
A                    0.20    0.17
D                    0.14    0.25
F                    0.09    0.35

Table E 3.2 Values for C and n in equation E 3.9.

Please note that the equations use (u.t); this is speed times time, which is of course distance. (u.t is the
downwind distance travelled by the puff release and is effectively x in the continuous release equations.)

Whence, at the centre of the cloud:

$$\chi = \frac{45\,Q^*}{(u\,t)^{2.745}} \qquad \text{Unstable (Pasquill A)} \qquad (E\ 3.11)$$

$$\chi = \frac{131\,Q^*}{(u\,t)^{2.625}} \qquad \text{Neutral (Pasquill D)} \qquad (E\ 3.12)$$

$$\chi = \frac{493\,Q^*}{(u\,t)^{2.475}} \qquad \text{Very Stable (Pasquill F)} \qquad (E\ 3.13)$$

Equation E 3.9 describes a hemisphere, travelling downwind at the speed of the wind but expanding
slowly as it moves. The concentration at any point in the cloud, at equal distance measured radially from
the centre, will be the same. (It can be looked at as a half onion with the onion rings being the locations of
equal concentration [isopleths].) It is a simple equation to use but in reality the shape is more of a split
rugby ball with the major axis along the wind axis. As with the continuous release, the non-exponential part
of equation E.3.9 defines the concentration at the centre of the hemisphere as it contacts the ground
and the exponential part defines the concentration decay at any other part of the hemisphere.
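As an added worked example (not part of the original notes), the following Python code implements the conversion of equation E 3.6 and the Sutton puff model of equations E 3.9 and E 3.10, shows that collapsing them at the cloud centre reproduces the constants of equations E 3.11 to E 3.13, and applies the natural-log rearrangement mentioned earlier to find the crosswind distance at which a target concentration is reached. The release size, wind speed, elapsed time, molecular weight and 5% v/v limit used in the demonstration are constructed values, and the function names are the example's own.

```python
import math

# Table E 3.2 of the notes: Pasquill category -> (C, n) for equation E 3.10
SUTTON_COEFFICIENTS = {"A": (0.20, 0.17), "D": (0.14, 0.25), "F": (0.09, 0.35)}

MOLAR_VOLUME_M3_PER_KMOL = 22.41  # the 22.41 of equation E 3.6


def vol_fraction_to_kg_m3(vol_fraction, molecular_weight):
    """Equation E 3.6: concentration in vol/vol -> kg/m3."""
    return vol_fraction * molecular_weight / MOLAR_VOLUME_M3_PER_KMOL


def kg_m3_to_vol_fraction(mass_conc_kg_m3, molecular_weight):
    """Equation E 3.6 rearranged: kg/m3 -> vol/vol."""
    return mass_conc_kg_m3 * MOLAR_VOLUME_M3_PER_KMOL / molecular_weight


def dispersion_coefficient(category, u, t):
    """Equation E 3.10 with sigma_x = sigma_y = sigma_z, i.e. sqrt(C^2 (u t)^(2-n))."""
    c, n = SUTTON_COEFFICIENTS[category]
    return c * (u * t) ** ((2.0 - n) / 2.0)


def puff_concentration(q_star, category, u, t, x=0.0, y=0.0, z=0.0):
    """Equation E 3.9 (Sutton model) for a ground-based instantaneous release.

    q_star: mass released (kg); u: wind speed (m/s); t: time after release (s);
    x, y, z: distances (m) from the moving cloud centre. Returns chi in kg/m3.
    """
    sigma = dispersion_coefficient(category, u, t)
    centre = 2.0 * q_star / (math.pi ** 1.5 * sigma ** 3)
    return centre * math.exp(-(x * x + y * y + z * z) / (sigma * sigma))


def simplified_constants(category):
    """Collapse E 3.9 and E 3.10 at the cloud centre into chi = K1 Q* / (u t)^K2.

    K1 = 2 / (pi^1.5 C^3) and K2 = 3 - 1.5 n, which is how the notes arrive at
    equations E 3.11 to E 3.13 (45 / 2.745, 131 / 2.625, 493 / 2.475)."""
    c, n = SUTTON_COEFFICIENTS[category]
    return 2.0 / (math.pi ** 1.5 * c ** 3), 3.0 - 1.5 * n


def crosswind_half_width(q_star, category, u, t, target_kg_m3):
    """Crosswind distance y (m) at which chi falls to target_kg_m3.

    Rearranging E 3.9 and taking natural logs of both sides gives
    y = sigma * sqrt(ln(chi_centre / target)). Returns None when even the
    centre of the cloud is below the target concentration."""
    sigma = dispersion_coefficient(category, u, t)
    centre = puff_concentration(q_star, category, u, t)
    if target_kg_m3 >= centre:
        return None
    return sigma * math.sqrt(math.log(centre / target_kg_m3))


if __name__ == "__main__":
    # Constructed scenario: 1000 kg of a MW 40 gas, 3 m/s wind, 60 s after release,
    # with an assumed lower flammable limit of 5% v/v.
    q, u, t, mw = 1000.0, 3.0, 60.0, 40.0
    limit = vol_fraction_to_kg_m3(0.05, mw)
    for cat in ("A", "D", "F"):
        k1, k2 = simplified_constants(cat)
        centre = puff_concentration(q, cat, u, t)
        width = crosswind_half_width(q, cat, u, t, limit)
        width_text = "not reached" if width is None else f"{width:.1f} m"
        print(f"Pasquill {cat}: chi = {k1:.0f} Q*/(ut)^{k2:.3f}; centre "
              f"{centre:.3f} kg/m3 ({kg_m3_to_vol_fraction(centre, mw):.3%} v/v); "
              f"half-width to 5% v/v: {width_text}")
```

The stable case (F) gives the highest centre concentration and the widest hazardous band at a given time, which is why the notes insist that stability and wind speed be treated as variables rather than fixed at one condition.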



E 4 Fires

Photo E 4.1 A Tank Fire

Note:

1. The downwind lean in a wind of about 7 m/s

2. The smoky nature of the Fire smoke = C + CO

3. Unburned paint cooled by the stored fluids possibly petrol

4. Minor wind induced flame drag down the tank beyond the tank edge

General Introduction and Background

Fires are one of the major process causes, if not the major cause, of loss of production and life on a
process plant. Yet the assessment of fires and their effects is still a somewhat inexact science.

Fires have a potential for major damage. Steel loses most of its structural strength at about 450 °C and
softens. Equipment handling materials under pressure may rupture and spill their contents into the flame,
structures may collapse and joints in piping systems may spring, which then spill their contents into the
flame. This is the domino effect.

The combustion of fluids may produce relatively non toxic gases; however carbon monoxide is not safe, nor
are carbon dioxide or carbon particulates. Compounds which contain nitrogen or halogens within the
molecule, and the mix of compounds in a warehouse, may burn together to produce toxic materials such as
HCN, COCl2 and HCl.



Fuel/Air/Ignition

The usual graphical representation of the fire process is in the fire triangle - remember fires may also
produce an explosion as a precursor to a fire.

Fig E 4.1 Fire Triangle

This triangle is a useful beginning for the discussion.

Fuel: Fuels come in all sizes and phases: solid, liquid and gas.

Solids: could be corn dust, wood, coal, metal powders - these can also explode.

Liquids: could be petrol, diesel oil or others.

Gas: could be hydrogen, methane, propane and others.

It is not the solid or liquid which burns, it is the gas, so a wooden log requires some form of "lighter", just
as does diesel oil. (It should be possible to snuff out a match using diesel oil but please do not try it!)
See figure E 4.2 later.

Oxygen: Just as with human life, combustion requires oxygen, and flames cannot exist at
low concentrations of oxygen, typically less than 10% v/v or a partial pressure of
10 kPa. See later.

Ignition: The ignition energy is usually low; a spark is all that is usually required.

Given the three sides, they all have to be together and in the correct balance - take one away and nothing
happens.

It may seem odd that metals or dust can explode. A finely divided solid will have a large surface area;
these are typified by corn dust or aluminium powder. If the material is reactive and there is sufficient
energy to set off the reaction, then once initiated the exothermic process will take over.



Flammability Envelope

The fuels are not flammable across the whole concentration range of 0 - 100% fuel in air. Thankfully, there
is only a limited concentration band in which flames may be supported. This is shown graphically in the
flammability diagram or envelope, figure E 4.2, below. The diagonal line represents the concentration locus
of a mixture of air and a Nitrogen/Methane blend (80% Nitrogen & 20% v/v methane). At 3 volumes of air to 1
volume of Nitrogen/Methane the mixture is just flammable. At blends of less than 3:1 with air the blend is
non flammable (too rich) and with blends of more than 4:1 the blends are also non flammable (too lean).
Please note that purging out this mixture with air will cut inside the flammable envelope and there may be
a point in the purging cycle where there could be a disastrous ignition and explosion.

Fig E 4.2 Flammability Envelope

In air (20.8% v/v oxygen) the flammable range is usually only 2 times and 0.5 times the stoichiometric
concentration. The two extremes where the flame can just exist are the Lower Flammable Limit and the
Upper Flammable Limit (LFL and UFL) (sometimes "explosive" is used interchangeably with "flammable").
"Just exist" means that the flame will just propagate vertically and only vertically. The "x2 and x0.5 rule" is
not absolute but it is worth remembering if the data is not otherwise available.

The envelope widens as the oxygen concentration increases. In addition the ignition energy falls (table
E.4.3). Ultimately at high oxygen concentrations ignition may occur spontaneously.

Stoichiometry

CH4 + 2O2 + 7.616N2 = CO2 + 2H2O + 7.616N2

1 vol + 2 vol + 7.616 vols

For methane the stoichiometric concentration is:

$$\frac{1}{10.616} \text{ vol/vol, or } 9.42\%\ \text{v/v}$$



Fuel          LFL % v/v    UFL % v/v    Stoichiometric % v/v
Hydrogen*     4.0          75.0         29.4
Methane       5.0          5.0          9.4
Ethane        3.0          12.4         7.7
Propane       2.1          9.5          4.0
Butane        1.8          8.4          3.1
Ethylene*     2.7          3.4          6.5
Acetylene*    2.4          100.0        12.2

Table E 4.1 Flammability Limits for Selected Hydrocarbons

It should be noted that Hydrogen and unsaturated fuels marked * tend to break the general pattern of 2
times and 0.5 times stoichiometric.

If the gas is in a mixture the flammability limit can be obtained from Le Chatelier's rule:

$$\frac{1}{LEL} = \sum_i \frac{N_i}{LEL_i} \qquad (E\ 4.1)$$

Where:

N_i = vol % of gas i
LEL_i = LEL v/v of gas i

The lower apex of the flammability envelope (shown in figure E.4.2) is usually at about 10% v/v oxygen, 90%
v/v nitrogen. This means that a fire can be prevented by keeping the oxygen concentration at a low level -
that is "inerting". An "economic" value of 5% v/v oxygen is often used. Coincidentally, humans lose
consciousness when the oxygen concentration falls to 10% v/v or a partial pressure of 10 kPa.

The bounds of the flammability envelope expand with increased temperature and pressure - that is, the
minimum oxygen level and the LFL go down and the UFL goes up in value.

As the oxygen level increases (see figure E.4.2) the ignition energy falls. High pressure, high temperature and
high oxygen concentrations all enhance the ignition process and require lower ignition energies, as would be
expected from simple chemistry and the laws of mass action. Ultimately it is possible for liquids and solids
to ignite spontaneously with ultra high oxygen concentrations in the supporting atmosphere. This has
resulted in disastrous fires, none less than that in one of the NASA Apollo modules (Apollo 1) on ground
test in the 1960s.

Diesel oil has a very low vapour pressure - that is, the fuel/air mixture at room temperature is "too lean" or
below the LFL, as the flash point of diesel is well above 20 °C. Once the oil is warmed locally above its "flash
point" it will ignite. (The flash point is that temperature where the vapour pressure is JUST sufficient to
provide a flammable vapour in air.) The flash point of petrol is less than 0 °C (or your car would not start on
a cold day). Note: flash point is a physical ignitability test carried out on potentially flammable fluids
using a specially designed piece of apparatus; it has nothing to do with flashing fluids.

Typical inerting gas concentrations are as follows for nitrogen:

Fuel        N2 in the N2/air mixture, % v/v    Equivalent O2 remaining, % v/v
Methane     38%                                12.9
Ethane      46%                                11.2
Propane     43%                                11.8
Butane      41%                                12.3
Ethylene    50%                                10.4

Table E 4.2 Dilutions for inerting with N2

The flammability diagram is only a means of showing the flammable regime for oxygen and fuel. Yet
ignition is still necessary - it has to be of the correct energy and intensity. The ignition energy varies throughout the
diagram: at the edge of the flammable regime it is very high, but there is a minimum value near the
stoichiometric composition. The following minimum values apply for air:

Fuel          Minimum Ignition Energy (millijoules)
Hydrogen*     0.019
Methane       0.29
Ethane        0.24
Propane       0.25
Butane        0.25
Ethylene*     0.12
Acetylene*    0.02

Table E 4.3 Ignition Energy for Various Fuels

Once again hydrogen plus the unsaturates appear to fall out of line.

0.25 millijoules may or may not seem much energy - it is equivalent to dropping 1 bag of sugar about 25
centimetres; the energy in the bag of sugar is present but not the intensity, so ignition usually requires high
temperature, localised energy or high intensity. When the car does not start on a cold winter morning, try
to think about ignition energy and the flammability envelope. These may help to diagnose the fault -
failing this, kick the car!

Taken that the composition has to be correct, and the ignition energy has to be correct and at the correct
location, it is not surprising that only a small percentage of all leaks actually ignite (fortunately).
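As an added example, not taken from the notes themselves, the Python below carries through the fuel/air arithmetic of this section: the stoichiometric concentration of a CxHy fuel in air containing 20.8% v/v oxygen (which reproduces the methane figure of 9.42% v/v and the hydrogen, propane, butane and ethylene entries of Table E 4.1), the "x2 and x0.5" rule of thumb, Le Chatelier's rule (E 4.1) for a fuel mixture, the residual oxygen after nitrogen dilution from Table E 4.2, and a comparison of the energy of a capacitive spark (½CV²) with the minimum ignition energies of Table E 4.3. The 50/50 methane/propane mixture, the 200 pF / 10,000 V spark and the function names are the example's own assumptions.

```python
AIR_O2_PERCENT = 20.8                                    # oxygen in air, % v/v, as the notes use
N2_PER_O2 = (100.0 - AIR_O2_PERCENT) / AIR_O2_PERCENT    # volumes of N2 per volume of O2 (~3.808)

# Table E 4.3 of the notes: minimum ignition energy in air, millijoules
MIN_IGNITION_ENERGY_MJ = {
    "hydrogen": 0.019, "methane": 0.29, "ethane": 0.24, "propane": 0.25,
    "butane": 0.25, "ethylene": 0.12, "acetylene": 0.02,
}


def stoichiometric_percent(carbons, hydrogens):
    """Stoichiometric concentration (% v/v) of a CxHy fuel in air.

    Complete combustion needs x + y/4 volumes of O2, each accompanied by N2_PER_O2
    volumes of N2, so the fuel is 1 volume in (1 + O2 + N2); for CH4 this is 1/10.616.
    """
    o2 = carbons + hydrogens / 4.0
    n2 = o2 * N2_PER_O2
    return 100.0 / (1.0 + o2 + n2)


def rule_of_thumb_limits(stoich_percent):
    """The notes' 'x2 and x0.5' rule: LFL ~ 0.5 x stoichiometric, UFL ~ 2 x stoichiometric."""
    return 0.5 * stoich_percent, 2.0 * stoich_percent


def le_chatelier_lfl(components):
    """Equation E 4.1 for a mixture of fuel gases.

    components: iterable of (volume of fuel i, LFL_i in % v/v). Volumes are normalised
    to fractions of the fuel mixture, so the result is the mixture LFL in % v/v.
    """
    total = sum(vol for vol, _ in components)
    return 1.0 / sum((vol / total) / lfl for vol, lfl in components)


def oxygen_after_inerting(n2_percent):
    """Oxygen left (% v/v) when air is diluted so that added N2 makes up n2_percent of the
    mixture; reproduces the second column of Table E 4.2 (38% N2 -> 12.9% O2 for methane)."""
    return AIR_O2_PERCENT * (1.0 - n2_percent / 100.0)


def inerting_status(o2_percent, apex_o2_percent=10.0, target_o2_percent=5.0):
    """Classify an atmosphere against the ~10% v/v apex of the flammability envelope and
    the 'economic' 5% v/v inerting target quoted in the notes."""
    if o2_percent <= target_o2_percent:
        return "inerted (at or below target)"
    if o2_percent < apex_o2_percent:
        return "below apex but above target"
    return "flammable mixtures possible"


def spark_energy_mj(capacitance_pf, volts):
    """Energy of a capacitive discharge, E = 1/2 C V^2, returned in millijoules."""
    return 0.5 * capacitance_pf * 1e-12 * volts ** 2 * 1e3


def can_ignite(energy_mj, fuel):
    """True when the spark carries at least the minimum ignition energy of Table E 4.3."""
    return energy_mj >= MIN_IGNITION_ENERGY_MJ[fuel]


if __name__ == "__main__":
    for name, (c, h) in {"methane": (1, 4), "propane": (3, 8), "hydrogen": (0, 2)}.items():
        st = stoichiometric_percent(c, h)
        lfl, ufl = rule_of_thumb_limits(st)
        print(f"{name}: stoichiometric {st:.2f}% v/v; rule of thumb LFL {lfl:.1f}%, UFL {ufl:.1f}%")
    # constructed mixture: 50/50 methane/propane by volume, LFLs from Table E 4.1
    print(f"50/50 CH4/C3H8 mixture LFL: {le_chatelier_lfl([(50, 5.0), (50, 2.1)]):.2f}% v/v")
    for n2 in (38, 46, 50):
        o2 = oxygen_after_inerting(n2)
        print(f"{n2}% N2 -> {o2:.1f}% O2: {inerting_status(o2)}")
    # an assumed capacitive spark of 200 pF charged to 10,000 V
    e = spark_energy_mj(200, 10_000)
    print(f"spark energy {e:.1f} mJ; can ignite methane/air: {can_ignite(e, 'methane')}")
```

Note that the Table E 4.2 dilutions leave the oxygen above the 10% v/v apex, which is consistent with the notes' point that those figures are the nitrogen needed to take a particular fuel out of its envelope, not the 5% v/v general inerting target.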

Site of Leakage                   Possible Cause of Leakage

Piping                            Corrosion; erosion; fatigue; metallurgical failure such as
                                  stress corrosion cracking; physical over pressure;
                                  physical over load due to lack of adequate supports;
                                  impact

Vessels/Equipment                 As above

Reactors                          Poor ventilation; poor enclosures

Equipment opened for maintenance  Poor preparation; poor isolation; poor procedures

Jointing & Flanges                Fair wear and tear; attack by internal fluids; incorrect
                                  fitting; poor joint alignment; poor bolting; corrosion of
                                  the bolting

Vents                             Use and abuse; inadvertently opened.
                                  Vents should be blanked off when not in use.

Drains                            As above

Pump Seals                        Wear and tear; failure of the seal or radial bearing
                                  collapse

Compressor Seals                  As above; or seal oil failure

Filters                           Use; poor procedures; poor isolations

Sample Points                     Sample point left open

Maintenance                       Poor preparation; poor standards of isolation

Tank Breathers                    Poor location; process upset and volatile fluids

Drum filling                      Poor ventilation and controls

Analyser Houses                   Inherent with analysers; poor ventilation

Table E 4.4 Sources of Leakage

See also Part D on Design and Hazardous Area Classification

Sources of Ignition

There are many causes of ignition, too many to itemise here. The more common ones are listed
below:



Auto Ignition

The ignition of a fuel by contact with hot materials such as superheated steam mains, hot bearings,
welded metal or the like. The values are to be found in the literature but usually are over 200 °C and many
over 350 °C. The quoted values are "ideals" and just a wind cooling the surface or a layer of dust or dirt
may mean that the actual surface temperatures are lower than anticipated. Don't rely on wind or dirt, but
it is fair to note that auto ignition at the quoted temperatures is difficult to achieve.

Chemical Reaction

Oily rags can burst into flames due to slow exothermic reactions. The same is true of oil soaked lagging,
iron sulphide (Pyrophoric Iron or FeS2) and other reactive substances. The build up is exponential and may
take some time to be obvious but once it is warm the rate of temperature rise can be quite dramatic at the
end of the process and ignition takes place with no warning.

Compression

See every diesel car! But beware if equipment containing air is pressurised with hydrocarbon (pipelines or
pigging equipment). The compression of air and fuels to about 20 bar can cause ignition - so ideally purge
out the air with an inert gas such as nitrogen.

Pressure (bar)    Temperature (max) °C
10                280
20                379
30                461
40                525

Table E 4.5 Adiabatic compression of air - temperature °C at P bar.

Flame/Spark

These include welding, chipping, grinding and electrical faults - these are only indicative but give the general clue
- do not forget bearings (rolling) or hot drive belts. It is for these reasons that there is a requirement for
Permits to Work and Hot Work Permits, see Part F.

Permanent Electrical Equipment

Fixed, permanent electrical equipment on plants handling potentially flammable materials has to be fit
for purpose. This means that the likelihood of flammable materials has to be assessed, the areas
identified, the likelihood of the flammable gases being present assessed and finally the appropriate
electrical equipment specified and installed. Fuller discussions are to be found in Part D Design for Safety,
Hazardous Area Classification.



Static Electricity

Static electricity is formed when there is charge separation by two phases moving relative to each other:

Solid/Solid
Solid/Liquid
Solid/Gas
Liquid/Gas
Liquid/Liquid
[Gas/Gas is not an apparent source of static]

Static electricity has many causes/sources - in general, when high resistivity fluids are sheared due to flow
or pumping, static can be generated. The threshold resistivity for fluids that might result in the formation
of static electricity is about 10^12 ohm centimetres; this includes diesel oil but tends to exclude fuel oils.
Two phase flow - solids, flashing flow or water in oil - enhances the generation of static electricity. Static can
accumulate on unearthed lagging, ball valves, filters and even humans. Static can also be caused by splash
filling, jetting water, CO2 extinguishers, steam lances, water settling through hydrocarbons and many
more. The message is that static is a very potent source of ignition.

Ignition by static electricity probably occurs more frequently than most people believe. When all other
sources of ignition have been eliminated it is assumed that the ignition source had to be static electricity
but in reality it may have been the main source even when other sources were present.

The two classic forms of static ignition are:

Lightning where liquid as rain drops (or solids as hail) are cycled by strong upward thermals in a cloud.
Charges accumulate in the cloud and static electricity, as lightning, discharges between clouds, within the
cloud or from cloud to earth.

Humans where solids such as clothing rubs on the body or shoes scuff on carpets (both are solid/solid).
In the case of human induced static it should be noted that it only occurs on dry days or in air conditioned
buildings where the relative humidity is less than about 60-70%. With higher humidity the charge tends to
leak away and can not accumulate.

The human body has a capacitance of about 200 picofarads and can be charged to about 10,000 volts.
The charge energy (½CV²) is about 10 millijoules, which is more than sufficient to ignite most gas/air
mixtures. In fact, as a demonstration, a Bunsen burner was ignited by an experimenter wriggling in a
plastic coated chair! The shock when touching a filing cabinet or the click from the discharge means that
the discharge was almost certainly an incendive spark with ignition potential.

Another variation is the static generated on a plastic comb following vigorous combing of dry hair (again
solid/solid) which can produce small sparks or the charged comb can be used to lift small pieces of
paper.



Figure E 4.3 Generation of static electricity in liquid systems: (a) electrical double layer at a liquid-liquid
interface; (b) electrical double layer at a liquid-solid interface; (c, d) Charge separation as oil flows
through a pipeline; (e, f) charge separation as a water drop falls through oil; (g, h) charge separation as
oil splashes on a tank wall. As shown by F P Lees

Liquid systems

The figure above shows the phase and charge separation process and charge accumulation.

Figures (a) and (b) are general models but figures (c) and (d) show fluid flow on a pipeline (solid/liquid),
figures (e) and (f) show one phase dropping through another (liquid/liquid), figures (g) and (h) show a
droplet hitting the wall of a tank.

The charge can accumulate inside the fluid or be given up to unearthed conductor such as a metal filter in
the line or the ball valve with soft plastic seats. In these examples the spark is between an insulated
conductor and an earthed conductor such as the pipeline itself. It is normal to earth all conductors where
charges may accumulate.

A variation of this is the filling of a tank with a non-conducting fluid. The fluid itself is charged and only
discharges slowly (charge relaxation) to the walls. If the fluid is dipped (to determine its level accurately)
with a metal dip tape there could be a local discharge to the tape and a spark causing a fire or worse, a
tank explosion. It should be noted that fuel road tankers have a wooden dip rod not metal for this
reason.

(It is worth noting that switch filling of tankers is a major source of ignition. In switch filling, diesel is put
into a tank which has previously contained petrol. The diesel carries the charge and ignition takes place.
Think of the filling of road tankers and of course the garden 5 litre containers!)



Slurry systems, where solids are transported in a turbulent regime in pipes, are even more potent sources
of static electricity as there is a complex phase movement:

Solid (slurry) and Liquid
Liquid and Piping
Solid (slurry) and Piping

Splash filling

Splashing organic fluids can generate static charges ((g) and (h) above). It is normal to introduce liquids
below the liquid surface to prevent this; filler pipes for petrol/diesel are also electrically earthed through
the hose to prevent charge build up.

Droplets

Lightning is one obvious source of droplets causing charges.

Water droplets draining through non-conducting fluids can also cause charges to accumulate so it is
essential that care is taken when water settles out of non conductive fluids, such as wet diesel oil (figures
(e) and (f)).

Flashing process fluids can produce charged clouds. The cloud then induces a charge on an unearthed
conductor, which then results in a small spark where it discharges to an earthed body. Flashing fluids
bearing solids as slurries are even more powerful sources of static electricity.

Wet steam from steam lances has been known to ignite organic fluids and under certain circumstances
carbon dioxide fire extinguishers can produce sparks from the discharge horn.

Variation on a theme

Some critical properties of solids and gases are given below. The properties of organic vapours are similar
to solid systems.

Fuel Solid (powder form)   Lower Concentration kg/m3 (g/m3)   Minimum Ignition Energy mJ
Aluminium                  0.045 (45)                         50
Magnesium                  0.03 (30)                          40
Sugar                      0.045 (45)                         30
Wheat flour                0.05 (50)                          50
Polystyrene                0.02 (20)                          15

Table E 4.6 Some Properties of Flammable Solids

Fuel Gas     LFL % v/v    UFL % v/v    Minimum Ignition Energy mJ
Acetylene    2.5          100          0.02
Ammonia      1.5          28           40.0
Benzene      1.4          8            0.22
Methane      5            15           0.29
Ethane       3            12.4         0.24
Propane      2.1          9.5          0.25
Ethylene     2.7          36           0.12

Table E 4.7 Some Properties of Flammable Gases

Also note that vapour is given as v/v and the solid as wt/volume; the conversion from vol/vol to wt/vol gives a
minimum gas concentration in the range 0.03 to 0.05 kg/m3. This is almost identical to that of solids.

The maximum contained over pressures for confined explosions of gases are in the range 900 kPa to 1 MPa
and for solids the range is 500 kPa to 800 kPa. (See Part E 5)

Grinding/Milling

When solids are milled, solids move relative to solids and charges can accumulate on the solids; these can
result in sparks.

Grain silos

Grain is often pneumatically conveyed into storage silos. The silo can also contain grain dust or starch and
if the grain is charged there can be a major explosion inside the silo with horrendous consequences.

Belts

Slipping drive belts between a pulley and a motor, or slipping conveyor belts, can generate incendive sparks
either through friction or static electricity.

Filters

Dust filters can become charged during filtration or during discharge of the solids from the filter. If the
solids are organic shaking the filter or back blowing the filter can create sparks.

Case Histories to illustrate the perversity of ignition

Case histories can sometimes be serious or humorous.



Fire steam

An operator was trying to inert a leak of hot benzene with fire steam blanket using a fire steam lance to
exclude air and so to prevent ignition and a fire. Unfortunately, the fire steam was wet and generated a
spark which ignited the benzene, the very event the operator was trying to prevent.

Emptying a polythene sack

An operator was emptying a sack of off-specification polythene into a silo. The sack contained some
ethylene (ethene) and the movement of the polythene (solid) out of the polythene sack (solid) resulted in
a spark which caused a minor fire. The operator was not injured but was left holding the two corners
of the sack; the rest of the sack melted in the short lived fire.

Sampling

An operator took a sample of organic fluid in a steel pail by splash filling. The handle was insulated by a
plastic coating so a charge built up on the pail, and the spark between the pail and the sample point caused the
fluid to ignite, much to the operator's surprise.

Pump and Seal Leak

The seal of a pump handling hot organic fluid containing a solid catalyst failed catastrophically. The hot
fluid flashed and created a small charged cloud, this induced a secondary charge on an unearthed sheet of
metal pipe cladding, which in turn discharged to an adjacent earthed section across a gap of only 1
millimeter. The spark across this narrow gap ignited the cloud. (In another incident the bearing of a pump
failed due to loss of interference fit, the shaft started to precess so allowing the seal to leak. The fluid then
ignited in the hot bearing).

Unearthed Valve

A ball valve was fitted with plastic seats. The ball became charged by the organic fluid flowing in the line
and a spark discharged between the ball valve handle and the pipe line. After a period of time the arcing
process cut a small hole in the pipe and the leak was ignited.

Drum Filling

A spirit drum (45 gallon) was being filled on a trolley fitted with nylon wheels. The drum was therefore
insulated. The filler pump was started but the filling was delayed a few minutes during which time the
spirits were heated and sheared in the pump. When the filler nozzle was put into the drum and the filler
opened there was an explosion in the drum. It was believed there was a small spark between this pipe and
the charged drum. One person was killed.

Steam Leaks

An operator walked through a steam cloud from a steam leak. The operator received a nasty shock when
he touched a hand rail.

A Plastic Coated Hand Rail

A hand rail on a stair was coated with plastic to prevent corrosion. The operators found that they became
charged as their hands slid down the hand rail and then received a shock when they touched an earthed
structure. The operators found a solution - do not use the hand rail - but one slid on the stair and was
injured. This is one example of a poorly specified protective system causing an injury.

Solutions

There are many strategies which can be used to prevent static electricity or the effects of an electrical
discharge; each has to be used in a case-specific manner:

Eliminate the flammable regime by inerting the system to exclude oxygen (look at the
flammable envelope diagram Figure E 4.1 and Table E 4.2.)

Modify the fluid conductivity by adding special conductive fluids.

Earth and bond all equipment to prevent charge accumulation (charges will still take time to relax
in large tanks).

Inert all storage tanks.

Reduce the transport velocity to less than 1 m/s this is not always practicable.

Avoid splash filling and/or settling water.

Earth all personnel with special footwear.

Avoid the use of earthed dip tapes.

Flame Shapes and Radiation Assessments

Flames can be considered in two ways. The first is to treat the flame as a point source from which all of
the radiant heat emanates. The second is to consider the flame as a solid body which radiates heat
uniformly from all over its surface. The surface can be anywhere from a Grey Body to a Black Body
radiator - this will be explained later. The main problem in assessing radiation is that the amount of heat
radiated is very uncertain and is almost a "guesstimate", although tables of values based on research work
using radiometers are available. It is necessary to bring in two small pieces of theory to assist
understanding.

Heat Balance

There is a heat balance round a flame.

The heat in is: the fuel burn rate x (heat of combustion - losses due to partial combustion). The heat out is:
the heat in the products of combustion + Radiant Heat.

Radiation Laws

The heat radiated from any m2 of flame surface (called the Surface Emissive Power or SEP) is given by the standard
Stefan-Boltzmann equation as follows:-

$$SEP\ \left(\frac{\text{W}}{\text{m}^2}\right) = \varepsilon\,\sigma\,T^4 \qquad (E\ 4.2)$$

where σ = a constant (5.67 x 10^-8 W/m2 K4)
ε = the emissivity (or "blackness"); ε = 1 for a black body and can be as low as 0.1 for a
translucent flame
T = the absolute temperature (K)
All values are in consistent units.

There is one other modifier which is not essential at this level of discussion but may be important in major
studies. This is the atmospheric absorption of heat by the water vapour and carbon dioxide. In most cases
it is very much second order.

Figure E 4.4 shows a graphical representation of the heat balance round a flame boundary. The top,
horizontal, line is the TOTAL amount of heat available in the ideal combustion process. In reality not all of
this heat will be released as there will be some partial combustion resulting in the formation of soot and
carbon monoxide. This is indicated by the horizontal 50% line.

Fig E 4.4 Heat Balance in a Fire

The straight, inclined, line encloses the sensible heat losses, which will also be determined by the excess air
but to a first approximation can be determined by [m · cp · ΔT], where the symbols have the traditional
meaning; cp (specific heat) will tend to change with temperature but for this model it can be treated as a
constant. The curved line represents the radiative heat losses and follows equation E 4.2, but T and
the emissivity, ε, are not fixed.

Taking all of this together the amount of heat radiated from a perfect black body flame in perfect
condition will probably not exceed 40% and the flame temperature will not exceed about 1450oC.



However if there were imperfect conditions such as incomplete combustion the temperature could be as
low as 800 °C if the flame is very sooty. This can be demonstrated by lowering the
total combustion line to the 50% line. By changing the shape of the "radiative" curve (E 4.2) the effects of
emissivity can be demonstrated. Fuels which are rich in hydrogen do not produce soot, and it is the soot
which is the black body radiator. The emissivity of gases is significantly less than unity (nearer 0.1) and so
again the area between the radiation line and the sensible heat line is reduced. The flame temperature has
to increase to satisfy the heat balance. There is a slight converse situation in that the NON-SMOKY flames
are hotter but have a lower level of radiated heat. The less radiative the flame, the hotter must be the
flame to release all of the heat of combustion.

Typically a methane flame will radiate about 10% maximum of the heat of combustion but have a flame
temperature of about 1600oC. On the other hand a smoky flame may only radiate 10% of the total heat of
combustion but the temperature may be as low as 800oC. On the other side Oxy-propane or Oxy-acetylene
cutters do not have the inert Nitrogen to carry the heat of combustion and the burner is designed for good
combustion so the flame is well into the blue end of the spectrum (even going clear or white) and the
flame temperature is nearer 2,200 oC.

Flame temperatures can be judged by colour:

Straw Yellow = 1350 °C

Cherry Red = 850 °C

Blue = 1600 °C

Remember the colours of the rainbow! Red, Orange, Yellow, Green, Blue, Indigo and Violet. The
sequence still works.

Unfortunately the flame surface is not uniform in colour or texture so the TRUE amount of heat radiated
from the surface must be assessed using a radiometer. On the other hand some reasonably accurate
assessments can be made knowing the amount of flame covered by soot, the visible flame area and the
flame colour.

Flame Shape

The flame shape is traditionally a cylinder or tilted cylinder or cone or tilted cone. The base of the cone is
traditionally a circle but in the bund of a tank farm or in a gully it must be rectangular and a hydraulic
mean diameter "D" applies. This can be calculated from the following:

D = 4 x Pool Area / Wetted Circumference (E 4.3)

The diameter may also be defined by the balance of the combustion rate and outflow (volume terms) such
that

Outflow (kg/sec) = (π D^2 / 4) x m (E 4.4)

m = Burn rate kg/m2/sec

The burn rate (m) can be found from tables and is typically about 0.1 kg/m2/sec, but for known fuels the
value derived from E 4.5 is more accurate.

Burn Rate (m) = 0.001 x CV / LH kg/m2/sec (E 4.5)

Where CV is the calorific value and LH is the latent heat of evaporation of the fuel, both in kJ/kg.

This correlation is shown below for various fuels.

Figure E 4.5 Burn Rate for Various Fuels

Where Hc is the heat of combustion kJ/kg and Hl is the Latent Heat of vaporisation kJ/kg. Beware when there
are multi component fuels: Hc and Hl (heat of combustion and latent heat of evaporation,
kilojoules/kilogram) may vary with time. When fuels fall on water Hl may also be higher due to
the heat lost to the water heat sink. This will reduce the burn rate. (Note that in the diagram above the
latent heat of evaporation is defined as Hv.)

The "diameter" of the fire can now be defined either by:

1) Confines, such as a bund.

2) Confines, such as a gully.

3) Balance of outflow rate and burning rate.

The height can now be defined by a tried and tested equation:-

Height = De x 42 x [ m / ( ρa x sqrt( gc x De ) ) ]^0.61 (E 4.6)

Where:

ρa = density of air = 1.22 kg/m3

gc = 9.81 m/sec2

m = burning rate kg/m2/sec, see equation and figure E 4.5

De = equivalent diameter, see E 4.3

This describes a vertical right cylinder, which is appropriate for these basic notes. There are also equations for
tilted cylinders but this is more advanced.

The shape of the flame is now fully defined. But there are some other features which need explanation, so
as to deal with the risk assessment.

Fire Balls

The fire ball is typically the Boiling Liquid Expanding Vapour Explosion or BLEVE caused by a bursting tank
or pressurised container. The volume can be defined by a sphere whose diameter D (metres) and life T (seconds) are
defined by:

D = 5.8 x W^(1/3) metres (E 4.7)

T = 0.46 x W^(1/3) seconds (E 4.8)

D = Diameter (metres)

T = Duration (secs)

W = weight of fuel in the fire ball (kg)

Solving these gives a burn rate of 0.2 kg/m2/sec


Torches

Torches can be defined as an acute cone:

L/D (length/diameter) = 1/10

where:-

L = 10 x W^0.46 (gas) (E 4.9)

L = 17 x W^0.46 (fluids) (E 4.10)

W = outflow (kg/sec)

This is a fairly advanced study and is only given for completeness.

Utilising Data to Assess Heat Fluxes

It is now necessary to assess the "view factor" F12 for a flame. Most of the values of F12 are obtained from
the equation:-

A1 F12 = ∫A1 ∫A2 ( cos θ1 cos θ2 / (π R^2) ) dA1 dA2 (E 4.11)

The graphical solution of equation E 4.11 is shown below, where H = Height, R = Radius and X = distance
from the flame centre (all in consistent units).

There are a whole series of plots for tilted cylinders but this is a level of complication that is not
appropriate to this part.

Fig E 4.6 View factor for a vertical cylinder

Note: This plot is in log v log notation not linear.

Fortunately F12 can be found as solutions in the literature - for a fire ball F12 is

F12 = ( D / (2x) )^2 (E 4.12)

where x is the distance and D is the fire ball diameter.

There is one minor extra to be considered - that is atmospheric attenuation - or the reduction of radiation
due to water vapour. This value is often called attenuation. For most real events it has a value of about 0.9
so it is not significant.

With knowledge of F12 it is now possible to assess the flux at point x.

Flux_x = F12 x SEP (E 4.13)

where:-

Flux_x is the flux at point x (kW/m2)

F12 is the view factor

SEP is the Surface Emissive Power of the source (kW/m2)

Note: View factors are additive. A flame on a tank can be treated as:-

View Factor (flame) = View Factor (flame + tank) - View Factor (tank)

At X/D = 10 (just for convenience of reading the plots) a tank H/D = 1 will have a view factor f12 = 0.004.
Likewise for a tank H/D = 1 and a flame on top of the tank H/D = 2 (total H/D = 3) the view factor f13 =
0.011. The view factor of the elevated flame is f23 = 0.011 - 0.004 = 0.007. This is nearly in the ratio 1:2 but the
proper method does take into account the elevation and the change in the angle as viewed by the
receiver.

The one missing piece of information is the Surface Emissive Power. This is tabulated in Table E 4.8.

Values of F and SEP

                      F          SEP (kW/m2)    T (°C)

Pool Fires
LNG                   0.2        200            1300
LPG                   0.1-0.2    100            1300
NAPHTHA               0.1        75             1000
FUEL OIL              0.075      50             900

Torch Fires
LNG                   0.15       200            1400
LPG                   0.3        350            1350

BLEVE
Any fuel other than   -          250            1250
CH4 or H2

Table E 4.8 Values for F used in equation E 4.15

Limitations

The calculation of thermal radiation profiles has many potential errors:-

1. Flame lean under the influence of the wind. (See photo E 4.1)

2. Flame temperatures - locally or overall (See photo E 4.1)

3. Emissivity (Black or Grey Body) (See photo E 4.1)

4. Bunding/Pool confines

5. View Factors for an irregular shape

6. Temperature variations across the flame. (See photo E 4.1)

Are These Models Realistic?

The answer is yes and no! It is most unlikely that there will ever be a true vertical flame. This only occurs
on a completely dead calm day, not very often in Britain! However the reality of a fire attack is that this is
a simple model which will probably err on the side of safe. No Fireman would approach a fire from the
downwind side; they will always approach from the upwind direction. The hot products of combustion
would be intolerable if not also toxic; remember the combustion of plastics can produce Hydrogen
Chloride, Hydrogen Cyanide and Phosgene and of course Carbon Monoxide, all of which are toxic. Further,
the lean away from the Fireman reduces the view factor, so reducing the heat flux. Finally and equally
important is that a fire hose/monitor is more effective when the water is carried by the wind and not
injected into the wind.

Point Source Model

The most simple model for a fire is the point source model. In this all of the heat is considered to radiate
from a "point".

Q = 4 π x^2 Flux_x (E 4.14)

Where:

Q is the total heat radiated (kW)

x is the distance from the point to the receiver (m)

Flux_x is the flux at the receiver (kW/m2)

and

Q = F x M x Cv (E 4.15)

where:-

F = fraction of generated heat which is radiated

M = combustion rate (kg/sec)

Cv = calorific value (kJ/kg)

This simple model is quite useful where the distance between the source and the receiver is at least 2 x the
main dimension (length) of the flame. It should be noted that the view factor plots shown in figure E 4.6
approximate to the inverse square law (equation E 4.14) at a distance where X/D is over about 5. The
limitation is now the values of F and Cv.

Effects on Humans/Equipment

The effects of fires on humans can be viewed two ways; the first is external and the second internal. See
Part G for a more detailed description.

External

The limits of thermal radiation are defined by the dose equation

Dose = Σi Flux_i^(4/3) x Duration_i    (kW/m2)^(4/3) secs (E 4.16)

This means that as a person runs away the flux, and hence the rate at which dose accumulates, is dropping all of the time but the dose is
still being accumulated. Some references have suggested that 1 kW/m2 be removed from the flux to allow
for human tolerance - or else no one could go out in the sun! There is also the burning effect of the hot
gases.

In the final assessment individual response differs between persons, but the following will apply:-

Dose (kW/m2)^(4/3) secs     Effect

250                          Pain
1050                         1% Fatality
2080                         50% Fatality
1400                         2nd Degree burns

Table E 4.9 Human Response to heat doses

Flux (kW/m2)     Tolerance

1.9              8 hours, still weather
2.5              8 hours, gentle cooling breeze

Table E 4.10 Human Response to low level heat fluxes
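As an added worked example (not code from the notes), the following Python chains the fire ball equations E 4.7 and E 4.8, the view factor E 4.12, the flux equation E 4.13 with the 0.9 attenuation and the dose equation E 4.16, and reads the result against the Table E 4.9 bands. The fuel mass, distances and escape speed are constructed sample values, and holding the fire ball at a fixed size for its whole life is an assumption of the example.

```python
"""Thermal radiation from a fire ball and the dose to an escaping person.

Added worked example, not code from the original notes. It chains E 4.7,
E 4.8, E 4.12, E 4.13 and E 4.16 with the BLEVE SEP from Table E 4.8, the
0.9 attenuation quoted in the text and the Table E 4.9 dose thresholds.
Fuel mass, receiver distance and escape speed are constructed sample values.
"""

SEP_BLEVE_KW_M2 = 250.0   # Table E 4.8, BLEVE, any fuel other than CH4 or H2
ATTENUATION = 0.9         # atmospheric attenuation quoted in the text
DOSE_PAIN = 250.0         # Table E 4.9 thresholds, (kW/m2)^(4/3) s
DOSE_FATALITY_1PC = 1050.0
DOSE_BURNS_2ND_DEGREE = 1400.0
DOSE_FATALITY_50PC = 2080.0


def fireball_diameter_m(w_kg):
    """E 4.7: D = 5.8 W^(1/3), W in kg."""
    return 5.8 * w_kg ** (1.0 / 3.0)


def fireball_duration_s(w_kg):
    """E 4.8: T = 0.46 W^(1/3)."""
    return 0.46 * w_kg ** (1.0 / 3.0)


def fireball_view_factor(d_m, x_m):
    """E 4.12: F12 = (D / 2x)^2, capped at 1 inside the fire ball radius."""
    return min(1.0, (d_m / (2.0 * x_m)) ** 2)


def flux_kw_m2(d_m, x_m, sep=SEP_BLEVE_KW_M2, attenuation=ATTENUATION):
    """E 4.13 with attenuation: flux = F12 x SEP x attenuation."""
    return fireball_view_factor(d_m, x_m) * sep * attenuation


def thermal_dose(fluxes, durations):
    """E 4.16: Dose = sum_i flux_i^(4/3) x duration_i."""
    return sum(f ** (4.0 / 3.0) * t for f, t in zip(fluxes, durations))


def escape_dose(w_kg, start_m, speed_m_s, step_s=0.5):
    """Dose accumulated by a person who is start_m from the fire ball centre
    when it forms and runs directly away at speed_m_s until it burns out.
    The fire ball is taken as a fixed sphere for its whole life T (an
    assumption of this example; the notes give only the D and T values)."""
    d = fireball_diameter_m(w_kg)
    life = fireball_duration_s(w_kg)
    fluxes, durations = [], []
    t = 0.0
    while t < life:
        dt = min(step_s, life - t)
        fluxes.append(flux_kw_m2(d, start_m + speed_m_s * t))
        durations.append(dt)
        t += dt
    return thermal_dose(fluxes, durations)


def classify_dose(dose):
    """Map a dose onto the Table E 4.9 effect bands (highest band reached)."""
    if dose >= DOSE_FATALITY_50PC:
        return "50% fatality"
    if dose >= DOSE_BURNS_2ND_DEGREE:
        return "2nd degree burns"
    if dose >= DOSE_FATALITY_1PC:
        return "1% fatality"
    if dose >= DOSE_PAIN:
        return "pain"
    return "below pain threshold"


if __name__ == "__main__":
    W = 1000.0   # constructed: one tonne of LPG in the fire ball
    for x0, v in ((60.0, 0.0), (60.0, 4.0), (100.0, 0.0)):
        dose = escape_dose(W, x0, v)
        print(f"start {x0:5.0f} m, run {v:3.1f} m/s: "
              f"dose {dose:7.0f} -> {classify_dose(dose)}")
```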

Internal

Hot products of combustion are potentially toxic if breathed in, and the heat in the hot products can damage
the bronchi and the alveoli. Further, smoke particles can clog the alveoli in the lung and require a long
recovery period to remove them in the phlegm. The nature of the fire will affect the nature of the toxic products;
synthetics produce cyanide, phosgene or acid gases such as HCl. Heavy fuel oils may produce 5% v/v CO if
poorly aerated or 0.5% v/v CO if well aerated, and persons have died as a result of CO poisoning.

Equipment

Fluxes of up to 100 kW/m2 heat flow into flame-licked equipment have been measured. The simple energy
balance suggests that flame affected metal will rapidly heat up to 450 °C where much of its strength or
rigidity will be lost. Values of 300 kW/m2 have been measured for torches.

Woodwork or clothing may spontaneously ignite at radiation levels of 12 kW/m2 but steel should be tolerant.

Mitigation

See also under Part D - Design for Safety

The obvious mitigation is to avoid the problem in the first place - this can be achieved by preventing
ignition (see earlier) or preventing leakage by good design, maintenance and monitoring - not always as
easy as saying it that way.

Thereafter, the obvious mitigations are protection of equipment/structures in the form of lagging or by
cooling with water.

There are others, which are practical solutions to theoretical problems:-

Reduce the pool size by bunding or sandbags (see the equation for flame height)

Drain pools of flammable fluids from the equipment by casting concrete with a slope away
from equipment into drains or a safe area.

Isolation and depressurisation of equipment, no pressure = no flow.

Apply Fire Protection active or passive to vulnerable equipment or structures. Active is
water deluge and passive is physical insulation. Remember that the physical protection can
only last so long as it holds on to the structure. (See table E 4.11 - later.)



Detection/Protection (See also Part D Design)

The following is a list of possible fire protection and detection mechanisms:

Protection

Water, which cools the fire assaulted surface.

Cement, which physically insulates the fire assaulted surface.

"Insulation", as cement but usually an industrial heat loss lagging.

Intumescent Paint, which intumesces on fire assault and produces an insulating barrier.

"Epoxy Coatings" such as Pyrocrete/Chartek, which again char and produce an insulating barrier.

Grading the Concrete, which drains the fuel away from the fire site.

Bunding, which confines the fire spread and reduces the size.

Draining, which removes the fuel and reduces the fuel which can be burned.

Detection

P.O.C. (Products of Combustion) - the household fire detector is a P.O.C. detector (the products are electrically
charged particles).

Temperature, which causes a bi-metallic strip to change shape and open a circuit.

IR/UV, which are properties of the flame and can be detected by the appropriate instrument.

Plastic Tube, which melts or fuses and vents a pressurised air source, so activating a low pressure
switch at the extreme of the tube.

Eutectic Insulated Wire, where the eutectic salt insulates two conductive wires. When heated to
about 75 °C the eutectic melts and opens an electrical circuit between the two wires.

Eutectic Solder, which melts and allows a fire door to close.

Quartzoid Bulb, which bursts at about 60 °C and vents a pressurised source, often water, as a sprinkler.

Opacity caused by smoke in a corridor or a warehouse. A light beam is shone onto a distant detector.

Table E 4.11 Fire Detection and Protection

These are essential Design Details - See Part D.

The heat flow in a pool fire is about 75 kW/m2 and a fire water rate of 10 litres/min/m2 is
required (the torch flux is 300 kW/m2 and requires special water sprays). Common thermal lagging with
well designed retention can also be of use.



E 5 Explosions

Photo E 5.1 A Gas Phase Detonation

Note:

1. This is actually a detonation as the shock cells are visible

2. The difference between this and a Gas Phase Explosion (below) is marginal other than the peak
over pressures

Photo E 5.2 A Gas Phase Explosion

Note the different flame boundary

Introduction

Explosions are relatively rare but when they do occur the damage is usually extensive and can extend into
the public sector. Therefore their potential is not only on site but also off site. The resultant cost of an
explosion is major and includes site restoration, loss of sales and probably litigation if property outside the
site is damaged.

Explosions are no more than the very fast release of energy. On Piper Alpha in July 1988 about 75 kg of
fuel was consumed in less than 0.5 second giving an instantaneous rate of 7500 MJ/sec or 7500 MW; the
residual fire prior to the riser rupture released heat at about 65 MW. The difference
between a fire and an explosion is the rate and density at which the energy is released. This simple
statement may seem surprising but it is the key to differentiating between explosions and fires. In a liquid
based fire the energy can only be released if the fuel is supplied either as an atomised jet or by the liquid
vaporising from the pool due to heat input from the fire itself; therefore the flame has limitations set
upon it by the ability of the oxygen to diffuse into the combustion process, and these flames are called
diffusion flames. (These are different from a furnace flame, where the oxygen (in the form of air) is
injected into the combustion zone and the radiation from the furnace assists in the evaporation of the
fuel.)

In the case of a flash fire there may be a significant potential cloud of fuel - some kilograms - but the flame
does not have a feed back mechanism so there is no explosion (see later) and the flame may only
move at a few metres per second.

It is clear that there are pre-requisites for an explosion. Either there must be some form of confinement
such as a compressor house or some form of turbulence which acts as a fast feed back in the reaction
process. In reality the two occur together in most process areas. Walls round reactors act as confinement
and piping and equipment create turbulence. The explosion in the Polythene Plant at ICI Wilton in 1969
and that on Piper Alpha were caused by confinement, while the explosions at Beek in Holland and
Flixborough in England were caused by turbulence plus localised confinement.

The drawing E 5.1 shows the turbulence (as lines emanating from the rear of pipes) resulting from a
rapidly advancing flame front on the right. This turbulence mixes the fuel/air mixture and instead of the
flame depending upon diffusion it has turbulence to enhance the combustion process. In addition the
turbulence at the flame front mixes in the free radicals from the combustion process, and as a result there
is a high feed-back resulting in flame acceleration which eventually runs up to an explosion.

Figure E 5 .1 Massive Turbulence

The explosion history is not as simple as might be expected. See figure E 5.2. which is for a typical military
or condensed phase explosion. The positive pressure phase is a sharp pressure rise and decay which
eventually becomes a negative pressure phase marked I. This can produce some rather odd effects such
as glass sucked out of a window.

Figure E 5.2 Time v Pressure History for a military Explosion

In a vapour cloud explosion the shape of the positive wave is more like a triangle, see figure
E 5.3. However there is still the negative pressure phase.

Figure E 5.3 Pressure v Time History of a VCE

There are other forms of explosion which should be recognised. They are not an integral part of these
notes but they should be recognised as potential problems. These are given below:

Bursting Vessels

There are equations for the energy released when vessels burst, this needs some interpretation.
Essentially about half of the stored energy is released as blast and half is transferred into flying fragments.

Rapid Phase Transformation

This is a rapid, almost instantaneous, boiling of superheated fluids. Consider melted metal quenched in, say,
water: the water may become locally superheated (over 100 °C) and then suddenly nucleates on metal
sites and boils explosively. Similar effects can be obtained by releasing cryogenic fluids under water; the
water is the heat source and the fluids boil explosively. The theory is outside the scope of these notes.

Compressor Houses

The explosion in a compressor house (such as Piper Alpha) may involve from 50 to 250 kg of gases and if
it were to be ignited it would result in a large explosion (due to the confinement). In this case the gases are
confined and the overpressure is limited by blow out panels. Such a cloud in the open may cause no
more than a "pop". Large Vapour Cloud Explosions in open air process plant - now called VCE - may require
1000 kg or more of fuel before there is an explosion. It is reasonable to assume that this is the threshold
and smaller releases are less critical, but only in the "open air".

Pressure Piling

Pressure piling may occur with a series of chambers and joining corridors, the pressure in the second
chamber is pre-compressed by the explosion formed in first, upstream, chamber. The explosion therefore
starts at a higher starting pressure such that if there are a series of chambers the piling may become
severe. Eventually walls will fail, so limiting the final effect, but pressures will be larger than expected.
Piling can be dismissed from initial studies. This is not part of these notes.

Explosions in Reactors

In this there is a violent exothermic reaction which leads to the overpressure of the vessel containing the
reaction. This is a complex study which is discussed in Part D from a process stand point.

Detonations

In a gas phase detonation (photo E 5.1) the flame front travels at a speed greater than the sonic velocity
of the unburnt gases, velocities may reach 2000 m/sec and the overpressures may reach 20-25 bar. The
detonation can be achieved in very rare conditions, but it is most unlikely and can be dismissed for initial
studies. Suffice it to know that under very rare conditions of turbulence and confinement such as pipes
and with some gases detonation can occur but it is an extreme event.

Explosions in Houses

Explosions inside houses have to be modelled in a different manner. Once again the theory is outside the
scope of these notes. (See Ronan Point below, which was a mixture of pressure piling, but then the
structure was destroyed and the building went into progressive collapse.) Typically walls will blow out at a
fraction of a bar overpressure. (See table E 5.3).

Photo E 5.3 Ronan Point

(See also Pressure Piling and Compressor Houses)

Military Explosives

It is appropriate to make note of the differences between gas phase explosions and the military use of
explosives. The military use condensed phase explosives where the oxidiser is within the fuel. Peak
pressures at the front can be thousands of bars. Various formulations can be made to enhance the
fragmentation effects. Of course there are special bombs which carry only the fuel which is then sprayed
into the area of attack and then seeded with detonators driving the flame front into a vapour phase
detonation.

Explosions

TNT Equivalent Model (1)

The TNT model was the first developed for the process industry in the 1960s. It was a serious attempt to
understand the problem and to model the effects of the explosion, as data on TNT explosions was
widespread from the Military. As with all simplifications the model falls down in the near field - that is
close to the explosion - and tended to overestimate overpressures, so an arbitrary 0.7 to 1 bar ceiling was
imposed. (Over-pressures of 0.7 to 1 bar will result in massive destruction, so this is not a major
weakness in the model. In reality there is a fair amount of evidence to show that under certain conditions
the overpressures at the epicentre can be well over 1 bar.)

The TNT equivalent model is not appropriate to a confined space.

In its simplest form the TNT equivalent model compares the energy release of the gas/fuel in terms of its
calorific value and then equates it to a TNT charge of the same energy. The weight of TNT is then fitted
to scaled effects. The process is very simple, fairly accurate, but relies on some very basic assumptions -
none less than "what fraction of the release actually explodes or releases energy?" The assumption is that
about 4% (usually taken as 4.2%) of the release is involved in this explosion. The weight of TNT with the
same energy equivalent as the release is then:-

Mass of TNT = 0.042 x Mass of fuel released before ignition x Calorific value of fuel / Calorific value of TNT (E 5.1)

Calorific value of TNT = 4.6 MJ/kg

The mass of fuel for flashing fluids has traditionally been taken as 2 x flash percent x total release. Evidence now
suggests a more realistic assumption is that low molecular weight fuels are totally vaporised; this may not
be true for high molecular weight fuels. The fuel released is either known or can be assessed; for example,
it is the capacity of a vessel or the maximum credible outflow for 5 minutes from a severed drain or pipe.
Appropriate allowances should be made for the operation of ESD systems or the capacity of the system -
the fuel can not exceed the inventory of the system! The assumption that there is a 5 minute discharge is a
bit arbitrary and is tied into the arbitrary yield value of 0.042. 0.042 was a committee number but has
some justification, as some of the fuel will have dispersed before ignition, possibly over 90%.

The next problem is to assess where will be the epicentre of the explosion? That can only be done by
engineering judgement; the rest of the analysis is to be found under "Scale Laws".

Scale Laws

Once the TNT equivalent is known, by whichever of the two methods is chosen, it is possible to read off the
likely overpressures from a graph using a scaled distance, where D is the distance from the epicentre to the
target:

Scaled Distance = D / (TNT)^(1/3) (E 5.2)

Where D is the distance in metres to the receiver of the blast from the epicentre

TNT is the equivalent charge of TNT in kg with the same potential energy release.

The word "likely" was used because, although the line is there the accuracy is not as well defined - see
Figure E 5.4. This curve is based on Military explosions, but slightly modified and so may not be a complete
equivalence to VCEs. Particularly the impulse and the duration may not be the same.

Note: This plot is in Log v Log notation not Linear. Misread the scales and the error potential is significant.
Differentiate between the two pressure scales of Pascals and PSI.

Once the TNTe has been assessed using equation E 5.1, the scale distance can be assessed from equation
E 5.2 and the overpressure assessed from figure E 5.4. From the overpressure it is now possible to assess
the damage from table E 5.3.

Fig E 5.4 TNT Scale Law Curve
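The TNT equivalent procedure above (fuel available before ignition, the 0.042 yield of E 5.1 and the scaled distance of E 5.2), as an added Python example that is not code from the notes. The inventory, leak rate, calorific value and flash fraction are constructed sample values; the overpressure itself still has to be read from Fig E 5.4 at the scaled distance the code returns.

```python
"""TNT equivalent and scaled distance for a vapour cloud, equations E 5.1
and E 5.2. Added worked example, not code from the notes; the inventory,
leak rate, calorific value and flash fraction are constructed sample values.
"""

TNT_CALORIFIC_MJ_KG = 4.6   # calorific value of TNT quoted in the text
YIELD_FRACTION = 0.042      # fraction of the release taking part in the explosion


def fuel_released_kg(inventory_kg, outflow_kg_s, discharge_time_s=300.0):
    """Fuel available before ignition: the maximum credible outflow over
    5 minutes, but never more than the inventory of the system."""
    return min(inventory_kg, outflow_kg_s * discharge_time_s)


def vapour_mass_kg(release_kg, flash_fraction, low_molecular_weight):
    """Mass in the cloud. The traditional rule for flashing fluids is
    2 x flash fraction x release; the text notes that low molecular weight
    fuels are better taken as totally vaporised."""
    if low_molecular_weight:
        return release_kg
    return min(1.0, 2.0 * flash_fraction) * release_kg


def tnt_equivalent_kg(fuel_kg, fuel_calorific_mj_kg, yield_fraction=YIELD_FRACTION):
    """E 5.1: TNTe = yield x fuel mass x CV(fuel) / CV(TNT)."""
    return yield_fraction * fuel_kg * fuel_calorific_mj_kg / TNT_CALORIFIC_MJ_KG


def scaled_distance(distance_m, tnt_kg):
    """E 5.2: scaled distance = D / TNTe^(1/3), the abscissa of Fig E 5.4."""
    return distance_m / tnt_kg ** (1.0 / 3.0)


def distance_for_scaled(scaled, tnt_kg):
    """Inverse of E 5.2: the real distance at which a scaled distance read
    from Fig E 5.4 for a chosen overpressure is reached (an isobar radius)."""
    return scaled * tnt_kg ** (1.0 / 3.0)


if __name__ == "__main__":
    release = fuel_released_kg(inventory_kg=8000.0, outflow_kg_s=10.0)  # constructed
    cloud = vapour_mass_kg(release, flash_fraction=0.3, low_molecular_weight=True)
    tnte = tnt_equivalent_kg(cloud, fuel_calorific_mj_kg=46.0)         # constructed CV
    print(f"release {release:.0f} kg, TNT equivalent {tnte:.0f} kg")
    for d in (50.0, 100.0, 200.0):
        print(f"{d:5.0f} m -> scaled distance {scaled_distance(d, tnte):.2f} m/kg^(1/3)")
```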

Volume Explosion model (2)

The following is a simple model based on a fair amount of research and tested against real events.

The fuel factor K1 (or peak, local cloud overpressure (bar)) is derived from the relationship:

K1 = k x (v_flame)^2.71 (E 5.3)

k in equation E 5.3 is usually about 10 but varies with different researchers. 10 is the best fit for most fuels.

v_flame is the fundamental burning velocity of the fuel and lies in the range 0.35 - 0.85 m/s (with the
exception of Hydrogen and Ethyne [Acetylene])

If in doubt, plot on a log v log graph the overpressures and fundamental burning velocities for the two following
fixed points:

CH4 = 0.6 bar (Burning Velocity 0.35 m/s)

C2H4 = 3.2 bar (Burning Velocity 0.65 m/s)

Vertical axis flame velocity m/s and the horizontal axis Factor K1. Draw a straight line through these
points and read off the value of K1 for any other fuel with a different burning velocity. For mixed gases add
by volume/moles.

Damage profiles are shown in the table E 5.3

1) Assess the volume of the likely explosion cells separated by at least 10 metre breaks. These cells are
discrete plant volumes. (The 10 m break, as at Flixborough) allows the flame front to slow down and so to
disconnect from the upstream cell.)

2) Determine the fuel factor K1 from Table E 5.1 (or, if the fundamental burning velocity is known, use equation
E 5.3).

Fuel                   Fuel Factor (K1 bar)

CH4                    0.6
C2H6/C3H8/C4H10        1
C3H6                   2.0
C4H6                   1.8
C4H8                   1
C2H4                   3.2
H2/C2H2                20 (Detonation)
CO                     1
Aromatics              1
Ether                  1

Table E 5.1 Likely Maximum Overpressures for Various Fuels Based on the Fundamental Burning Velocity

3) Determine the turbulence factor for each cell (K2).

Turbulence Factor. K2

10% blockage = 1, 5% blockage = 0.3

4) Determine the confinement factor (K3).

Typical Plant = 1

Pipe Rack with closure overhead + 1 other side = 2

Compressor house / Analyser house = 4

Table E 5.2 Overpressure Enhancements for Design Features

Multiple confinements: take 1.25 times the highest value from above.

5) Peak Pressure P(peak) = K1 x K2 x K3 bar (E 5.4). For most cases the K1 K2 K3 factor will be 1.

6) Determine the volume of the flammable cloud to establish the scale factor.

Case 1: Release unknown. Take the largest vessel capacity M kg; volume = 15 M m3

Case 2: Release rate known; take the greatest. Release rate over one minute = Q kg; volume = 15 Q m3

7) Determine the radius of the equivalent hemispherical cloud. V = (2/3) π R^3

(Note this is once again the inverse cube root to be found in the TNTe scale law equation E 5.2.)

CASE 1  R = ( M x 45 / (2 π) )^(1/3) (E 5.5)

CASE 2  R = ( Q x 45 / (2 π) )^(1/3) (E 5.6)

8) Draw circles radius of R from the plant centre.

9) Assess the volume of each cell within the circle.

10) Calculate the volume of the cells in (9). Volume = length x breadth x height (within areas of turbulence
generators) including pipe tracks as appropriate.

11) Calculate the scale distance L for each cell in (9)

L = ( 3 x vol / (2 π) )^(1/3) (E 5.7)



12) Assess the highest pressure for all sources at distance x metres from the edge of the plant and plot isobars.
This assumes that the pressure decay from the edge of the plant is proportional to 1/distance.

Px = Pmax x L / (L + x) (E 5.8)

13) Repeat 6 to 12 with the hemisphere displaced up to 75 m or the radius, whichever is the lesser, to
assess the maximum damage potential.
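Steps 1 to 12 of the Volume Explosion model above, worked through in Python as an added example (not the notes' own code). Table E 5.1 and E 5.2 values and equations E 5.3 to E 5.8 are taken from the text; the two plant cells, their volumes, their offsets from the cloud centre and the fuel inventories are constructed sample values, and the linear interpolation of K2 between the two quoted blockage points is an assumption of the example.

```python
"""Volume explosion model (2), steps 1 to 12, as an added worked example.
Not the notes' own code. Table E 5.1 / E 5.2 values and equations E 5.3 to
E 5.8 are taken from the text; the two plant cells, their volumes, offsets
and the fuel inventory are constructed sample values. The linear
interpolation of K2 between the two quoted blockage points and the cell
centre-to-cloud-centre offsets are assumptions of this example.
"""
import math

K1_TABLE_BAR = {  # Table E 5.1, fuel factor = likely maximum overpressure, bar
    "CH4": 0.6, "C2H6": 1.0, "C3H8": 1.0, "C4H10": 1.0, "C3H6": 2.0,
    "C4H6": 1.8, "C4H8": 1.0, "C2H4": 3.2, "H2": 20.0, "C2H2": 20.0,
    "CO": 1.0, "aromatics": 1.0, "ether": 1.0,
}
K3_TABLE = {  # Table E 5.2, confinement factor
    "typical plant": 1.0,
    "pipe rack with overhead closure + 1 side": 2.0,
    "compressor house": 4.0,
}


def fuel_factor_from_velocity(v_flame_m_s, k=10.0):
    """E 5.3: K1 = k x v_flame^2.71 (bar), k = 10 for most fuels."""
    return k * v_flame_m_s ** 2.71


def fuel_factor_mixture(mole_fractions):
    """Mixed gases: add the Table E 5.1 factors by volume/moles."""
    return sum(frac * K1_TABLE_BAR[fuel] for fuel, frac in mole_fractions.items())


def turbulence_factor(blockage):
    """Step 3, K2: 10% blockage = 1, 5% blockage = 0.3. Interpolated linearly
    in between and clamped outside that range (assumption of this example)."""
    if blockage >= 0.10:
        return 1.0
    if blockage <= 0.05:
        return 0.3
    return 0.3 + (blockage - 0.05) / 0.05 * 0.7


def confinement_factor(confinements):
    """Step 4, K3: for multiple confinements take 1.25 x the highest value."""
    values = [K3_TABLE[c] for c in confinements]
    return 1.25 * max(values) if len(values) > 1 else max(values)


def peak_pressure_bar(k1, blockage, confinements):
    """E 5.4: P(peak) = K1 x K2 x K3."""
    return k1 * turbulence_factor(blockage) * confinement_factor(confinements)


def cloud_radius_m(fuel_kg):
    """Steps 6-7, Case 1: volume = 15 M m3 as a hemisphere, (2/3) pi R^3 = 15 M."""
    return (45.0 * fuel_kg / (2.0 * math.pi)) ** (1.0 / 3.0)


def cell_scale_length_m(cell_volume_m3):
    """E 5.7: L = (3 vol / (2 pi))^(1/3)."""
    return (3.0 * cell_volume_m3 / (2.0 * math.pi)) ** (1.0 / 3.0)


def overpressure_bar(p_max_bar, scale_length_m, x_m):
    """E 5.8: P_x = P_max x L / (L + x), decay proportional to 1/distance."""
    return p_max_bar * scale_length_m / (scale_length_m + x_m)


def isobars(cells, fuel_kg, distances_m):
    """Steps 8-12. A cell contributes if its centre lies within the cloud
    radius of the plant centre; at each distance x from the edge of a cell
    the highest pressure over the contributing cells is reported."""
    radius = cloud_radius_m(fuel_kg)
    contributing = [c for c in cells if c["offset_m"] <= radius]
    result = {}
    for x in distances_m:
        best = 0.0
        for c in contributing:
            p_peak = peak_pressure_bar(c["k1_bar"], c["blockage"], c["confinements"])
            best = max(best, overpressure_bar(p_peak, cell_scale_length_m(c["volume_m3"]), x))
        result[x] = best
    return result


# Constructed plant: two cells separated by more than the 10 m break of step 1.
SAMPLE_CELLS = [
    {"name": "propane pipe rack", "volume_m3": 300.0, "k1_bar": K1_TABLE_BAR["C3H8"],
     "blockage": 0.10, "confinements": ["pipe rack with overhead closure + 1 side"],
     "offset_m": 0.0},
    {"name": "compressor house", "volume_m3": 1000.0, "k1_bar": K1_TABLE_BAR["C3H8"],
     "blockage": 0.10, "confinements": ["compressor house"], "offset_m": 100.0},
]

if __name__ == "__main__":
    for fuel in (1000.0, 200000.0):
        print(f"fuel {fuel:.0f} kg, cloud radius {cloud_radius_m(fuel):.1f} m")
        for x, p in isobars(SAMPLE_CELLS, fuel, [0.0, 5.0, 20.0, 50.0]).items():
            print(f"  x = {x:4.0f} m  P = {p:.2f} bar")
```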

Blast Effects (Humans)

Overpressure Effects on humans (kilo Pascals)

O/P (kPa)     Injury probability

7             0
7-21          10% injury
21-24         25% injury
34-48         70% injury
48 +          95% injury
300 +         Internal injury/disruption, high probability of fatality

Table E 5.2 Injury profiles for Humans

The injury profiles at low overpressures are influenced by being blown off the feet and impacting on
hard/sharp objects. The Military use slit trenches! The injury at higher overpressures is influenced by
internal organ damage even in slit trenches.

Damage (Equipment/Houses)

For assessed overpressures it is now possible to assess damage from tables of results from known events.
The table may be different to others that might be available. There is a relationship between damage and
impulse (overpressure x time bar.seconds) as well as damage and overpressure. This table uses only
overpressure.

Damage                                                  Overpressure (kPa)

Domestic Houses
  Glass Failure 5%                                      0.7
  Glass Failure 50%                                     2.0
  Glass Failure 90%                                     4.5
  Building uninhabitable                                7
  Severe damage to building                             15
  Total Destruction of Building                         75

Process Buildings
  Serious Damage (major repair necessary)               15

Process Equipment
  Instrument displaced (major replacements necessary)   5

Piping Spring
  Storage tank                                          20
  Process piping or Pipe Track                          40

Serious Damage
  Storage Tank                                          20
  Storage Tank (90% full)                               40

System Displaced
  Fired Heater                                          50
  Major piece of Heavy Equipment                        40

System Fails
  Fired Heater                                          60
  Major piece of Heavy equipment                        50

Missile Flight
  At pressure of 2ka
  Total Destruction                                     75

Table E 5.3 Suggested Damage Profiles

Multi Energy Method (3) MEM

The MEM is not part of these notes but is given for completeness.

The MEM is a relatively simple tool, which has elements of the Volume Method (2). It uses a simple
graphical correlation with a scale distance similar to that in the Volume Method (2). It starts with the
premise that the fuel energy concentration is fuel-dependent but in reality it is 3.5 MJ/m3 for a whole
range of fuels with only minor deviations. It has a series of lines which reflect the turbulence potential
and the fuel reactivity. Recent extensions of MEM have included equation E 5.3 and more sophisticated
tools for the assessment of the turbulence effects.

The MEM graph is shown in figure E 5.5.

Figure E 5.5 MEM Overpressure v Scale Distance/Turbulence

Explosion mitigation:

Explosion prevention is the best mitigation. These include: -

Reduce turbulence

Increase venting and reduce enclosure

Good dispersion

Avoid leaks

However it is possible to slow and even arrest a flame front with:-

Suppression water mists

Suppression powder as with dry powder extinguishers

(Halons were better but are now proscribed. They mopped up the free radicals which assisted
the flame propagation)

E 6 Quantification (The Frequency or Probability of an Event)

The Need

There is a general acceptance that events of catastrophic proportion can and do happen, and that
improved design/technology can reduce both the frequency and the consequence but cannot eliminate them.
It is essential that a balance is drawn between the magnitude and the frequency, in the form of the criteria
which have already been discussed, but to do that it is essential to know how often an event might occur.
This exercise (the assessment of the frequency) has a twin benefit: obviously the frequency has been
assessed, but also the weak links in the system (physical and numeric) will be identified and the solution
may be fairly obvious from this analysis. It is also fair to note that the frequency assessment has the
greatest bounds of error in any risk assessment.

Only one technique, event trees, will be described in detail; the second, fault trees, will be outlined. The
outline on fault trees will describe what they are and how they are used, as these require experience in
execution and it is easy to produce the wrong answer if they are not used properly. However, it is important
that there is an understanding of what fault trees are and of the potential difficulties with their construction
and quantification.

In addition notes on Reliability Theory are given as this can impact on Loss Prevention.

E 6.1 Event Outcome Trees

Event outcome trees are relatively simple to explain so will be introduced first.

The simplest technique for assessing the frequency of an event is the Event Outcome Tree (used in the
right hand side of the Bow Tie, Fig E.1.1). It starts with the frequency of an event, which is then modified
by a branched system which could have 2^n end points (where n is the number of events). Each branch
represents a probability of success and failure, where (success + failure) = 1. Each probability (called a
conditional probability) is derived from tables or databases, or is calculated as a Fractional Dead Time (PFD).
In reality the outcome of the initial event may be assessed by engineering judgement or be based on a
rigorous numeric assessment of the effects.

The best way of describing this is to give a word description of a particular event. Take an event such as a
toxic release. It is possible to assess the likely spread of leak rates and frequencies knowing the leak
frequencies for different sizes of breach and the system pressures. With the wind/weather spectrum it would
be possible to assess the likely outcome at any set distance from that release for all combinations of size
and weather distribution. The event outcome tree for one set of leak rates (kg/s) will be complex, as shown
in figure E 6.1.1 (which has only been started).

Hint: When constructing the tree, attempt to arrange the logic such that all of the successes and
failures are at the top or bottom by adjusting the logic. This is not always possible but it does help in the
analysis of the outcomes. A little planning before the construction can pay dividends in time, detail and
ease of use. In many cases it is quite likely that the event tree can be reduced by a series of manipulations.
This requires a little skill and a lot of care. The example of the throw of a head is an easy way to show the
reduction process.

Figure E 6.1.1 Event Outcome Tree for a Toxic Release

It can be seen that this is an enormous tree, so it might be simpler to draw it up as a series of trees for
either weather stabilities or wind speeds, where once again the probabilities of all combinations of wind and
weather stability must sum to 1 and all leak profiles are described. This could result in 10 or more trees!

An even simpler example is the toss of a coin and the throw of a head. In this example there are only two
outcomes, head = success and tail = non-success, and the outcomes can be predicted quickly as in figure E
6.1.2. In this case the success is 50% per throw. It is possible to take this one stage further. If a head was
thrown at the first throw it was a success, so the event outcome tree would have just two branches.
However, if the rule is that you have to throw at least one head, some of the outcomes may be
redundant and the tree can be tidied up. Figure E 6.1.2 represents the full tree after 4 throws and figure E
6.1.3 represents the purged or reduced tree. It will be noted that the probability of failure to throw a
head after n throws is 0.5^n, that is, it is necessary to throw an infinite number of times to be absolutely
certain that there will be a head! Think about the event outcome trees when throwing dice at gambling
tables!!



Figure E 6.1.2 Extended Tree for 4 Throws of a Coin

Figure E 6.1.3 Purged or Reduced Tree for 4 Throws of a Coin

Generally the event outcomes will not necessarily be simply success or failure but will have various
shades of success or failure. This will be evident from the examination of a release of toxic and flammable
fluids. If the wind is away from the public and the plant, the leak may disperse safely (but it could create
possible environmental damage). On the other hand, if the leak ignites, the toxic properties will no longer
be a problem but explosions may kill people. So the outcomes must include safe dispersion, unsafe
dispersion, fire, and explosion. Delayed ignition could create an unsafe dispersion resulting in a toxic gas
cloud followed by fire or explosion. The probability of each outcome will be the product of the
probabilities of the events (the Conditional Probabilities) leading to this outcome. The differences in the
various outcomes may require a little judgement but the calculations can be done quite readily. The only
difficulty arises should there be an overlap of toxic effects prior to injury from an explosion or fire.

This explains why each success (or failure) probability must be rigorously justified on each and every case
using references or data.

Now consider a simpler event, the leak of a flammable. Once again from the system pressures and the leak
(breach) spectrum frequencies it is possible to assess the likely outcome for any likely duration of leak. The
probabilities (the conditional probabilities) would now include:

Immediate ignition (therefore no explosion)

Delayed ignition (leading to the possibility of explosion)

Successful operation of the shut down and depressurising system

Successful operation of the fire protection system (systems)

Person being present at the time of the event

Person evacuating from the area

This may require two event outcome trees, one for the Process Plant and one for the Operator. Figure E 6.1.4
represents the Process Plant Event Tree. Once again the probability of ignition, (immediate + delayed +
none) = 1.

Figure E 6.1.4 Event Outcome Tree for a Flammable Leak and a Process Plant

For ease of calculation I have taken the leak rate as 1 per annum, the prompt ignition as 0.1 per
demand, the delayed ignition as 0.1 (given no prompt ignition), and the probability of successful operation
of the shutdown and fire protection systems as 0.9 per occasion. This assists the calculations and should not
be treated as indicative of real values.

Figure E 6.1.4 results as follows:

All events = 1 /A

No damage = 8.1 x 10^-1 /A (fire only)

Mild damage = 1.4661 x 10^-1 /A (fire only)

Slight damage = 1.629 x 10^-2 /A (fire only)

Serious damage = 1.629 x 10^-2 /A (fire only)

Major damage = 1.081 x 10^-2 /A (fire plus explosion)

It will also be noted that the more defences in place, the lower the final frequency of the major event; this
proves the benefits of defence in depth.

E 6.2 Fault Trees

Fault trees are an essential part of risk assessment; they are difficult to generate and to simplify.

Knowledge of their existence and of the difficulties with their use is an essential part of understanding, but
the ability to use them is not.

The event outcome tree is perfectly acceptable for analysis if all the events leading to an outcome are
clearly understood. In general the analysis is more of a "macro size". If the combinations of the events and
- worse still - the events themselves are not fully understood it is necessary to develop a fault tree, which
then analyses the events in more detail. The fault tree uses logic such as "AND" or "OR" (and sometimes
NEITHER or NOR but these can be converted to AND/OR logic).

Conversion of Units

Frequency data can always be converted into probabilities by the concept of Fractional Dead Time (FDT or
PFD). However it is less easy to convert probability data to frequencies without knowledge of the data
source, so, a manipulation of the fault tree may be necessary.

Gates

The gates are the points where a number of items or operations come together for a single operation.
These carry the AND or OR logic. The dimensions that operate in each gate have to be analysed carefully and
must follow the correct rules.



Figure E 6.2.1 The symbols for AND/OR logic

The simplest fault tree can be found in Fig E 6.2.2. Yet nearly every plant has a small leak somewhere, but
the leak does not ignite very often, so the fault tree is not quite correct and the ignition path requires
development, as shown in Figs E 6.2.3 and E 6.2.4.

Clearly, with the exception of pumps there is only a small chance of an ignition source being near enough
to ignite a small leak and experience shows that small leaks very rarely ignite.

The Fault Trees have so far demonstrated AND logic - that is events have to occur together. But OR logic
requires that either case will satisfy the event, so fuel could be caused by a leaking gland or leaking seal or
corrosion.

Combination of Logic in Fault Trees

The combination of logic within fault trees (which will then require numerical evaluation) is of absolute
importance. The logic must be correct not only in flow but in dimensions. Data can come in two forms
FREQUENCY - 'f' or PROBABILITY - 'p'. Frequency has units of "per unit time" and Probability is a "number"
lying between 0 and 1.

Development of a Simple Fault Tree

To have a "Fire" what is required?

Fuel Yes

Oxygen Yes, but in the correct proportions with the fluid

Ignition Yes, but at sufficient energy

"Fire" results from "Fuel" + "Oxygen" + "Ignition"; remove any element and there is no fire.

Fig E 6.2.2 Simple Fault Tree for a Fire

It is now possible to develop each step one level more:



Fuel: Leaks from glands/flanges/corrosion

Oxygen: Readily available at 20.8% v/v with air

Ignition: Faulty electric, damaged bearings (etc)

Fig E 6.2.3 Expanded Fault Tree for a Fire

Figure E 6.2.4 Final simple Fault Tree for a Fire

Figure E 6.2.5 Fire Fault Tree with AND/OR logic


As it is necessary to ADD units of similar nature, OR logic must only have ONE dimension. However, in AND
logic it is necessary to MULTIPLY units of different natures, therefore AND logic must not contain more
than one frequency (whoever heard of Failures^2 per Year^2?). In the same manner there can be no
frequencies in Fig E 6.2.2 should the answer be the "PROBABILITY OF A FIRE"! On the other hand, if the
answer is to be in units of "Frequency", put failures in frequencies into one gate (box) and one gate (box)
only in Fig E 6.2.4 and the rest into probabilities. Fig E 6.2.5 shows OR logic coming into the fuel gate; this
is addition, and the rest (oxygen, ignition etc.) are now probabilities.

Minimum Cut Sets

The development of a fault tree may produce a slightly anomalous solution if the logic is not cleared of all
irrelevant data. In logic terms this is a fairly obvious statement but purging and rearranging the fault tree
so that it is correct may require a lot of care, time and effort and it is not unusual to draw a fault tree three
or four times before it is "correct".

Consider the single pump circuit in Fig E 6.2.6 and the simple fault tree shown in Fig E 6.2.7. In logic terms
this appears to be correct. However, it will be noted that "TANK EMPTY" appears at items 1 and 6 so there
is the risk of double counting. The logic can be rearranged as shown in Fig E 6.2.8 with all data in terms of
probability.

Fig E 6.2.6 Simple Pump Set

Fig E 6.2.7 Over Simple Fault Tree for Fig E 6 2.6



Gate 1 = Gate 2 x Gate 3 (AND logic)

Gate 2 = 1 + 2 + 3 (OR logic)

Gate 3 = 4 + 5 + 6 (OR logic)

Expanding Gate 1 gives the nine products: 1.4, 1.5, 1.6, 2.4, 2.5, 2.6, 3.4, 3.5 and 3.6.

Or Is It?

1.6 is the same event as 1.1 (event 6, "tank empty", is event 1) and if the tank is empty it is irrelevant
whether the pump fails to start!

No fluids = No flow

1.1 AND 1.6 are therefore 1 by Boolean logic (thank you Reverend Boole).

1.4 and 1.5, as well as 2.6 and 3.6, are therefore redundant and the count becomes 1, 2.4, 2.5, 3.4 and 3.5,
which is exactly the logic which would be derived from Fig E 6.2.8. The same tree has been drawn in
frequency terms in Fig E 6.2.9.



Fig E 6 2.8 Correct Fault Tree for Figure 6.2.6

Fig E 6.2.9 Fault Tree for Figures E 6.2.6 and E 6.2.8 with the Answers given as a
Frequency (f) or probability (p)
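The reduction just carried out by hand is Boolean absorption: any cut set that contains another cut set is redundant. The following is an added example, not from the notes, which expands the AND/OR gates of the over-simple tree (Fig E 6.2.7) into its cut sets, identifies event 6 with event 1 as above, and purges the redundant sets to leave the minimal cut sets of Fig E 6.2.8. The event probabilities at the end are constructed placeholders, included only to show that evaluating the unpurged products double counts the empty tank.

```python
"""Minimal cut sets for the pump fault tree of Figs E 6.2.7 and E 6.2.8.
Added example, not from the notes.  Event numbering follows the notes
(gate 2 = events 1, 2, 3; gate 3 = events 4, 5, 6) with event 6 written as
event 1, since both are "tank empty".  Probabilities are constructed placeholders.
"""
from itertools import product


def expand(gate):
    """Return the cut sets (frozensets of basic events) of a gate tree.
    A gate is ('AND', [children]) or ('OR', [children]); a basic event is a str."""
    if isinstance(gate, str):
        return {frozenset([gate])}
    kind, children = gate
    child_sets = [expand(child) for child in children]
    if kind == "OR":                      # any child's cut set is a cut set
        return set().union(*child_sets)
    if kind == "AND":                     # one cut set from every child, merged
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate type {kind!r}")


def minimise(cut_sets):
    """Boolean absorption: drop any cut set that is a superset of another."""
    return {c for c in cut_sets if not any(other < c for other in cut_sets)}


def rare_event_probability(cut_sets, p):
    """Rare-event (upper bound) top-event probability: sum of cut set products."""
    total = 0.0
    for cut in cut_sets:
        term = 1.0
        for event in cut:
            term *= p[event]
        total += term
    return total


# Over-simple tree of Fig E 6.2.7: no flow = (gate 2) AND (gate 3),
# with "6" (tank empty) already written as "1".
PUMP_TREE = ("AND", [("OR", ["1", "2", "3"]), ("OR", ["4", "5", "1"])])


def pump_cut_sets(tree=PUMP_TREE):
    """Return (all products, minimal cut sets) for the tree."""
    raw = expand(tree)
    return raw, minimise(raw)


if __name__ == "__main__":
    raw, minimal = pump_cut_sets()
    print("products:", sorted(".".join(sorted(c)) for c in raw))
    print("minimal: ", sorted(".".join(sorted(c)) for c in minimal))
    # constructed placeholder probabilities, not data
    p = {"1": 0.01, "2": 0.02, "3": 0.03, "4": 0.02, "5": 0.03}
    print("unpurged:", rare_event_probability(raw, p))
    print("minimal: ", rare_event_probability(minimal, p))
```

Note that the expansion step is the one that grows combinatorially on a real tree, and that the products must all be in probability terms here, for the reason given under Combination of Logic above.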

Common Mode Effects

The example of the pump introduces the "common mode effect", so at some time a refinement has to be
added to fault trees. Common modes, as their name suggests, are single events which cause all
equipment to fail simultaneously. One common mode effect is clearly the empty tank, and it has been
taken out separately. There is at least one other common mode: electrical power failure. This can be
drawn out in the logic tree into the "OR" gate under no flow at Gate X, Figs E 6.2.8 and E 6.2.9. What other
common modes can be found? (Hint: instrument failure and human error are but two.)

In general, common mode effects only have importance when the probabilities are very small; in this case
it is the common mode effects which are likely to dominate the answer.

One way of avoiding the common mode effects in the example of the pumps is to provide "redundancy" in
the power supply. However, even so the switchgear may have a common mode fault such that, if a certain
condition occurred, both items would be put out of operation simultaneously. This could be a fabrication
defect, a design defect or simply a fire.

The following are just some of the possible causes of common mode failures:

cable routing,

design features,

installation feature,

maintenance faults,

operator errors (failure to open or close valves),

failure of an operator to react to a situation (if he fails to react to the first event he will certainly
fail to react to the second).

Human Impact on Fault Trees

Not only are people one of the direct common mode effects but also people are sometimes required to
complete a control loop. In the example of the pump "Failure of pump A to start" does not define how it
was to be started. Very often humans are the first level Protective System and they must respond to some
visual or audible alarm and then take some actions. As fault trees are developed to the final details it is
almost certain the human element will appear.

This brief outline is an attempt to show that fault trees are not easy to construct and that it is easy to
make mistakes! They are not for the faint hearted!

E 6.3 Reliability Formulae/Protective Systems

Introduction and Background

It may seem odd at first to include 'Reliability' in a Safety and Loss Prevention course; it is, however, quite
logical, as the reliability of systems does have an impact on Loss Prevention. This can be illustrated very
easily. Which is the better arrangement: 1 off 150% fire water pump, 2 off 100% pumps or 3 off 50% pumps?
There is a big difference in the availability and costs, and the answer is 2 off 100% pumps!

Equipment does not break down on a fixed routine and there is no fixed repair time; failure is usually
taken to be a random event and repair time a log-normal distribution. Reliability theory used for assessing
the performance of process systems can therefore be very complex, but it is necessary to challenge the
absolute accuracy of the theory in the light of the relatively inaccurate data. This does not imply that short
cuts should be taken, but rather that common sense should be used and that the simple formulae may be
more appropriate to the crude data available and also allow an order of magnitude result to be arrived at
quickly.

Often errors, or the accumulation of errors, in a calculation make engineers suspicious of the answer and
fearful that it could be a long way from the truth. To a degree this is true. The potential error is
quite large but the probability of the worst-case combination occurring is relatively small. As probabilities
are not points but probability density functions, the uncertainty tends to cancel out in multiplication
(AND gates) but accumulate in addition (OR gates). This means that the evaluated probability or frequency
of an event occurring in practice is likely to be fairly near to the truth even though the data is subject to a
fairly high factor of uncertainty.

Reliability Theory

Reliability can be used to assess the performance of many systems, not least the availability of the
plant or of a safety system such as the firewater system.

Calculation of Probabilities

The simplest way of remembering how combinations may occur is to complete a "TRUTH TABLE". A very
simple example is the toss of an unbiased coin twice: 1/4 of the time there will be two heads, 1/4 there
will be two tails and 1/2 there will be 1 head and 1 tail. By the same token it is possible to do the same
thing for 3 pumps. If the success probability is S and the failure probability is F (F = 1 - S) the truth table is
as follows in table E 6.3.1:

PUMP                        PROBABILITY

A      B      C

S      S      S             S^3

S      S      F             S^2 F

S      F      S             S^2 F

F      S      S             S^2 F

S      F      F             S F^2

F      S      F             S F^2

F      F      S             S F^2

F      F      F             F^3

Table E 6.3.1 Truth Table for 3 Pump Units

This condenses to the following cubic expansion:

S^3 + 3S^2 F + 3S F^2 + F^3 = (S + F)^3 (E 6.3.1)

As F = 1 - S, it can be seen that the sum of all states is 1.


Availability

If a unit is not capable of operating (it fails F times per year) and is under maintenance lasting B hours each
time, it is unavailable for (FB) hours per year. Now divide by 8760 hours per year and the unavailability in
probability terms is as below:

FB/8760 (E 6.3.2)

First start off with a description of the process:

If there is a pump (or any other unit) it can be in one of two states - AVAILABLE (S) or UNAVAILABLE (F). If
the probabilities of each state are S and F it is obvious that

S+F=1 (E 6.3.3)

There are many combinations of group arrangements, for example 1 out of 1 (1 out of 2, 2 out of 3 and 1
out of 3 etc.). This is given by the binomial expansion:

(S + F)^n (E 6.3.4)

where n is the number of installed pumps

N    STATES

1    S + F

2    S^2 + 2SF + F^2

3    S^3 + 3S^2 F + 3S F^2 + F^3

4    S^4 + 4S^3 F + 6S^2 F^2 + 4S F^3 + F^4

Etc.

Table 6.3.2 The Combinations of States for N Units

Note: for 3 units this is the truth table E 6.3.1.

The numbers come from Pascal's Triangle, where each number is derived from the addition of the pair
above; the next sequence is 1 : 5 : 10 : 10 : 5 : 1.

a) S, S^2, S^3, S^4 represent the probability that ALL units are available

b) 2SF, 3S^2 F, 4S^3 F represent the probability of 1 unit being unavailable (and the other/others available)

c) F, F^2, F^3, F^4 represent the probability of ALL units being unavailable.

So to illustrate this, and to answer the question posed earlier: if there are 2 units and only one is needed
to satisfy the demand, the availability = S^2 + 2SF (which is 1 - F^2). For 3 units with 2 needed on line, the
availability = S^3 + 3S^2 F (or 1 - (3S F^2 + F^3)).

It will be noted that the unavailability of a 2 o o 3 system tends to three times that of a 1 o o 2 system.

It is easier to illustrate this with numbers. If a pump is available 90% of the time:

S = 0.9 and F = 0.1

1 out of 2 = S^2 + 2SF = 0.81 + 2 x 0.1 x 0.9 = 0.81 + 0.18 = 0.99, or equivalently 1 - F^2

1 out of 3 = S^3 + 3S^2 F + 3S F^2 = 1 - F^3 = 1 - 0.001 = 0.999

2 out of 3 = S^3 + 3S^2 F = 0.729 + 0.243 = 0.972

The answer to the question posed in the first paragraph is shown in the following table:

Arrangement       Availability = Success    Unavailability = Failure

1 x 150%          0.9                       0.1

1.o.o.2 x 100%    0.99                      0.01

2.o.o.3           0.972                     0.028

Table E 6.3.2

Note: success plus failure will always equal 1

Now link the units together. 1 out of 3 pumps (1 o o 3) and 2 out of 3 (2 o o 3) heat exchangers are AND
logic in terms of availability, so their availabilities are multiplied.

If A = 0.9 and U = 0.1 (only as it helps the computation) the availability of each item can be read from
above.

Availability of a 1 o o 3 pump = 0.999

Availability of a 1 o o 2 heat exchanger = 0.99

Availability of both (the product) = 0.98901

As can be seen it is not difficult to erode the availability. The event tree can also be used to combine other
conditions such as the probability that a pump is unavailable.

As the numbers coming out of single items have a number of 9s, it is important that there is no attempt
to round off until the final answer.

Take two fire water pumps with availability = 0.9 and probability of failure to start on demand = 0.01.



Fig E 6.3.2 Event Tree for Fire Pumps

The success items are 3, 5, 7 and 8, and the failure items are 1, 2, 4 and 6.

1 = 0.1^2 = 0.01

2 = 0.1 x 0.9 x 0.01 = 0.0009

4 = 0.1 x 0.9 x 0.01 = 0.0009

6 = (0.9 x 0.01)^2 = 0.000081

Total = 0.011881

Table E 6.3.3 Failure rates from Figure E 6.3.2

Coincidentally this can be derived from logic:

State

A  2 pumps unavailable = U^2

B  1 pump unavailable, the other available but will not start = A unavailable, B available but will not start

C  As B but with the pairing reversed = B unavailable, A available but will not start

D  Both available, both non-starters = (A Non Start)^2

This can be drawn as a fault tree.



Fig E 6.3.3 Fault Tree for Fire Pump

(Compare the Event Tree E 6.3.2)
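The binomial expansion and the two fire pump cases above can be checked with the following added example, which is not from the notes. It computes the k-out-of-n availability directly from (S + F)^n, reproduces the figures in Table E 6.3.2 and the 0.98901 product, and then treats the fire pump demand case two ways: itemised as in Table E 6.3.3, and as a single 1-out-of-2 calculation in which a pump counts as "ready" only if it is both available and starts. The S = 0.9 and 0.01 non-start figures are the notes' illustrative values, not data.

```python
"""k-out-of-n availability from the binomial expansion, and the two fire pump
demand case of Figure E 6.3.2 / Table E 6.3.3.  Added example, not from the
notes; numeric values are the notes' illustrative figures, not real data."""
from math import comb


def k_out_of_n_availability(k, n, s):
    """Probability that at least k of n identical units are available, each
    available with probability s (unavailable with f = 1 - s).  This is the
    sum of the first terms of (s + f)^n, as in Table 6.3.2 of the notes."""
    f = 1.0 - s
    return sum(comb(n, j) * s**j * f**(n - j) for j in range(k, n + 1))


def series_availability(*availabilities):
    """Units in series are AND logic: multiply, and do not round on the way."""
    total = 1.0
    for a in availabilities:
        total *= a
    return total


def fire_pump_failure_terms(availability, p_fail_to_start):
    """Itemised failure paths for 2 pumps with 1 needed (compare Table E 6.3.3)."""
    a, u, ns = availability, 1.0 - availability, p_fail_to_start
    return {
        "both unavailable": u * u,
        "A unavailable, B available but fails to start": u * a * ns,
        "B unavailable, A available but fails to start": u * a * ns,
        "both available, both fail to start": (a * ns) ** 2,
    }


def fire_pump_failure_on_demand(availability, p_fail_to_start, pumps=2, needed=1):
    """Same result by treating 'ready' = available AND starts as a single
    per-pump success probability and applying the k-out-of-n formula."""
    ready = availability * (1.0 - p_fail_to_start)
    return 1.0 - k_out_of_n_availability(needed, pumps, ready)


if __name__ == "__main__":
    for label, k, n in (("1oo2", 1, 2), ("1oo3", 1, 3), ("2oo3", 2, 3)):
        print(f"{label}: availability {k_out_of_n_availability(k, n, 0.9):.6f}")
    print("1oo3 pumps x 1oo2 exchangers:",
          series_availability(k_out_of_n_availability(1, 3, 0.9),
                              k_out_of_n_availability(1, 2, 0.9)))
    terms = fire_pump_failure_terms(0.9, 0.01)
    for path, p in terms.items():
        print(f"  {path}: {p:.6f}")
    print("total:", sum(terms.values()),
          "check:", fire_pump_failure_on_demand(0.9, 0.01))
```

The second form generalises at once to three or four pumps with any demand (change `pumps` and `needed`), which the itemised table does not.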

Reliability block diagrams

Reliability Block Diagrams (RBDs) are a convenient way of displaying the configuration of the process. Each
piece of equipment is described as a single block and, where there is more than one piece of equipment,
the blocks are linked as shown in figure E 6.3.4 below. No attempt is made in the RBD to differentiate
between a 2 out of 2 and a 1 out of 2 configuration; this is done by the logic. The overall availability of each
set of blocks must be calculated using the binomial expansion and the data given. This in turn can be
added to the RBD so that the analogue and the data are stored in one document. The RBD can be drawn
vertically or horizontally; for LARGE RBDs the vertical configuration may be more appropriate. Eventually
the overall availability of the system will be the AND logic, which requires multiplication of the individual
availabilities. As these may well be 0.999 or less it is essential that the data is stored in a calculator OR
recorded manually to at least 6 decimals. If this is not done the systematic rounding will produce an
erroneous answer.

In reality there may be outage for function or trip testing of safety systems; this is unlikely to be
significant as it can usually be done on-line or spare equipment can be fitted. In addition, for a large
continuous process there will be some major maintenance carried out according to the regulations. This
may well involve a month of outage every 3 years or thereabouts. This will affect the overall production
of the process. If, for example, an annual throughput of 100 units is required, the peak design throughput
may well be 105 units (or more) to allow for the intermittent outage during maintenance.

Take a simple process of



1 Vessel Outage 8 hours per 2 years

1 o o 2 Heat Exchangers Outage 8 hours per year

2 o o 3 Pumps Outage 4 hours twice per year

The RBD will look as follows:

Figure E 6.3.4 The Reliability Block Diagram for the Simple Process

The availabilities of each subset of equipment, using the binomial expressions, are as follows:

Vessel 0.999543379; 1 o o 2 heat exchangers 0.99999916; 2 o o 3 pumps 0.9999974996

These values give the individual availabilities of the three systems shown in the RBD above.

The OVERALL availability is therefore the product, 0.9995400461. This is dominated by the unspared
vessel, as would be expected.
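The RBD calculation above, carried through from the outage hours, is shown in the following added example (not from the notes). Each block's unit unavailability is formed from equation E 6.3.2 (outage hours divided by 8760 hours per year), the k-out-of-n availability of the block comes from the binomial expansion, and the system availability is the product of the blocks. The block names and outage figures are those given for the simple process above; keeping full precision throughout, as the notes insist, is what makes the product agree with the quoted 0.9995400461.

```python
"""Availability of the simple process RBD of Figure E 6.3.4 from outage hours.
Added example, not from the notes; outage figures are the notes' illustrative
values for the vessel, 1oo2 heat exchangers and 2oo3 pumps."""
from math import comb

HOURS_PER_YEAR = 8760


def unit_availability(outage_hours, per_years=1.0):
    """S = 1 - (unavailable hours per year / 8760), from equation E 6.3.2."""
    return 1.0 - outage_hours / (per_years * HOURS_PER_YEAR)


def k_out_of_n(k, n, s):
    """Probability that at least k of n units, each available with probability s, are up."""
    f = 1.0 - s
    return sum(comb(n, j) * s**j * f**(n - j) for j in range(k, n + 1))


# (block name, units needed, units installed, outage hours per occasion x occasions, years)
# Figures as given in the notes for the simple process.
BLOCKS = [
    ("vessel", 1, 1, 8.0, 2.0),                 # 8 hours per 2 years, unspared
    ("heat exchangers 1oo2", 1, 2, 8.0, 1.0),   # 8 hours per year per exchanger
    ("pumps 2oo3", 2, 3, 4.0 * 2, 1.0),         # 4 hours twice per year per pump
]


def block_availabilities(blocks=BLOCKS):
    """Availability of each block of the RBD."""
    return {name: k_out_of_n(k, n, unit_availability(hours, years))
            for name, k, n, hours, years in blocks}


def system_availability(blocks=BLOCKS):
    """Blocks in series are AND logic: multiply, without intermediate rounding."""
    total = 1.0
    for a in block_availabilities(blocks).values():
        total *= a
    return total


def weakest_block(blocks=BLOCKS):
    """The block with the lowest availability dominates the product."""
    return min(block_availabilities(blocks).items(), key=lambda kv: kv[1])[0]


if __name__ == "__main__":
    for name, a in block_availabilities().items():
        print(f"{name:22s} {a:.10f}")
    print(f"system availability    {system_availability():.10f}")
    print("dominated by:", weakest_block())
```

Rounding the vessel figure to 0.9995 before multiplying would already shift the final answer in the fifth decimal, which is the rounding error the notes warn about.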

E 7 Shutdown Systems (Repeat of Part D)

As discussed in Part D there are three main elements in the shutdown system
The detector or switch
A means of converting the signal into a means of shutting an emergency shutdown valve.
The shutdown valve itself

This section now expands on the non-availability of the system.



The detector may be a pressure switch, which operates at a preset pressure, a level switch, which operates
at a fixed level, or a temperature switch, which operates at a preset temperature. The common feature of
all shutdown systems is that they fail-safe. This means that the interruption of the power or of any signal will
put the system into the safe condition. This usually means that the system will initiate a shutdown. The
design of these devices varies between designers and in some cases they are standard control
measurements, which are triggered at set points as an on/off signal. The output signal is often electrical
and is used to hold a solenoid valve open; loss of power causes the solenoid valve to change its position
(fail safe) and interrupt the air (or hydraulic) supply to the Emergency Shutdown Valve (ESDV). The ESDV
is held open by the air (or hydraulic) signal and is driven closed by a spring:

Figure E 7.1 A Simple Shutdown System (Simplex)

The arrow on the ESDV shows it shuts on loss of signal.

In some cases the valve may be held open by a hydraulic supply (instead of air).

As the test must be real, and all elements proved to work including the ESDV, there must be a test
facility which allows all elements to function properly without the plant being shut down. This is usually
achieved by installing a device which prevents total closure of the ESDV (or plant shutdown). During
testing the shutdown system has to be inhibited, leading to TRIP TEST DEAD TIME. The design of the test
facilities and the test programme requires detailed analysis, and obviously consideration has to be given to
means of overriding the test facilities should a genuine plant upset occur during the testing (TRIP
TESTING).



As already discussed, sometimes the shutdown has to be bypassed to facilitate the start up of the process.
This creates potential hazards if the bypass is left in place. The design can incorporate automatic resets of
the shutdown or key controlled bypasses, controlled by rigorous procedures, which can only be operated
by senior personnel. In some cases the control may only be by rigorous procedures operated by senior
personnel.

In some shutdown systems it may not be acceptable to override the trip for testing purposes. Therefore a
fully redundant trip system is installed. Each sensor and valve can be tested routinely with no
interruption to the process.

In more sophisticated systems a failure of the sensor or valve may cause a process upset, so a new strategy
is adopted: 2 out of 3. Three sensors are fitted and fed into a logic system, which votes any 2 out of 3 to
cause a shutdown. Failure of part of such a shutdown system reduces it to 1 out of 2.

The circuit looks as follows:

Figure E 7.2 A Simple Two out of Three Voting Circuit

Any 2 sensors operating will cause a shutdown; one sensor operating spuriously will not cause a shutdown
and so can be tested on line.

The shutdown valves can now be lined in parallel such that one valve can be closed and tested at any time
without causing a full shutdown.

Figure E 7.3 Shut Down Valve with Test By-pass with DMH

The by-pass valve would be controlled by a dead man's handle which, if released, would initiate closure
of that valve.

Ultimately, 6 sensors could be used, 3 to close valve A and 3 to close valve B; this is a fully redundant
shutdown typical of nuclear power stations. The whole system can be fully tested without any Trip Test
Dead Time.

THE DESIGN AND TESTING OF SHUTDOWN SYSTEMS IS AN ART/SKILL.

Comparison of Protective Systems

Not all failures are fail-safe. Some fail spurious, that is, they fail in such a way that they initiate a shutdown.
Not all protective systems are simplex; some are redundant. The fractional dead time for the system alone
then becomes as follows (S = spurious fault rate, F = fail-to-danger fault rate, T = the test interval):

System        Fail Safe Fault Rate    Fail to Danger Fault Rate    Fractional Dead Time
              (Faults/Year)           (Faults/Year)

1 out of 1    S                       F                            FT

1 out of 2    2S                      F^2 T                        F^2 T^2

2 out of 2    2S^2 T                  2F                           FT

1 out of 3    3S                      F^3 T^2                      F^3 T^3

2 out of 3    3S^2 T                  3F^2 T                       F^2 T^2

Table E 7.1 Fail Safe/Danger Rates for Redundant and Non-Redundant Protective Systems

However, the typical test dead time for a 2 out of 3 system can tend to zero, as on-line testing is possible.
The human element still remains.

No Common Mode Allowance

The common mode (as already discussed earlier in this Chapter) is that element of a trip system which is
inherent in the system itself and not time-dependent. Instruments are vulnerable to a potential common mode
such as a fire or explosion, but multiple shutdown valves with a spring close action are also likely to have
common mode failures in the spring or the release mechanism. Consider also pressure tappings, where
common modes could be wax, dirt or ice.

As a result the limiting FDT is as follows: -

1) 1 of 1 = 0.05

2) 1 of 2 = 0.005 - 0.001

3) 2 of 3 = 0.001 to 0.0005

Note: A 1 out of 2 system is almost as good as a 2 out of 3 system - but you avoid spurious trips.
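The voting behaviour described under Figure E 7.2 is shown in the following added example, which is not from the notes. Three sensors vote 2 out of 3; while one channel is bypassed for on-line testing the logic degrades to 1 out of 2, so a single spurious channel does not trip the plant in normal service but a genuine demand is still honoured during a test. A discrepancy check is included because the value of the 2 out of 3 arrangement depends on a spuriously failed channel being found and repaired before a second fault appears. The channel tags (PT-A, PT-B, PT-C), the trip point and the readings are constructed for illustration.

```python
"""Two-out-of-three trip voting with a single-channel test bypass (Figure E 7.2).
Added example, not from the notes; channel tags, trip point and readings are
constructed for illustration."""


def channel_states(readings, trip_point, in_test=()):
    """Map each live channel (one not under test) to True if it demands a trip.
    Trip on reaching the set point, consistent with a high-pressure switch."""
    return {tag: value >= trip_point
            for tag, value in readings.items() if tag not in in_test}


def vote_2oo3(readings, trip_point, in_test=()):
    """Trip decision for three sensors voting 2 out of 3.

    With no channel under test two channels must agree (one spurious channel
    does not trip).  While one channel is bypassed for testing the logic
    degrades to 1 out of 2, so a genuine demand still trips with no trip test
    dead time.  Bypassing two channels would leave 1 out of 1 and is refused."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    if len(in_test) > 1:
        raise RuntimeError("only one channel may be under test at a time")
    states = channel_states(readings, trip_point, in_test)
    needed = 2 if not in_test else 1
    return sum(states.values()) >= needed


def discrepant_channels(readings, trip_point, in_test=()):
    """Channels disagreeing with the majority of the live channels: these are
    the candidates for a discrepancy alarm, so that a spuriously failed sensor
    is repaired before a second fault degrades the protection."""
    states = channel_states(readings, trip_point, in_test)
    majority = sum(states.values()) * 2 > len(states)
    return sorted(tag for tag, state in states.items() if state != majority)


if __name__ == "__main__":
    trip_point = 8.0   # constructed set point, arbitrary units
    normal = {"PT-A": 5.0, "PT-B": 5.0, "PT-C": 5.0}
    one_spurious = {"PT-A": 10.0, "PT-B": 5.0, "PT-C": 5.0}
    genuine = {"PT-A": 10.0, "PT-B": 9.0, "PT-C": 5.0}
    print("normal:", vote_2oo3(normal, trip_point))
    print("one spurious channel:", vote_2oo3(one_spurious, trip_point),
          "discrepant:", discrepant_channels(one_spurious, trip_point))
    print("genuine demand:", vote_2oo3(genuine, trip_point))
    print("PT-C in test, PT-A demands:",
          vote_2oo3(one_spurious, trip_point, in_test=("PT-C",)))
```

The trade-off in the note above is visible in the code: in normal service the arrangement tolerates one spurious channel (no spurious trip), and during a test it behaves exactly as a 1 out of 2 system.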

E 8 Vulnerability, Toxics Doses and Effects Models (see part G for more advanced information)

Introduction

It is fairly obvious that the simple calculation of concentrations of gases, thermal radiation or
overpressures does not tell the whole story. The next step is the "Effect" on the receiving body, be it
mechanical or human. In most cases it will be found that the human is the limiting factor. These effects
have been collected together here, although they can also be found above under different headings.

The effect of 10^4 ppm carbon monoxide on a piece of process equipment is negligible, but for humans it is
different. What happens if it lasts for 1 second? 100 seconds? 1000 seconds? The consequence models will
show the instantaneous effect, but some interpretation is necessary when "total exposure" is the
problem. The analysis must therefore consider:

How long the incident will last?

What is the effect of that incident, for that time?

The effect models are not absolute values but an analysis of historic data. Further, individual
responses will vary, so that the effect on one person will differ from that on another of a different age or
state of health. The final point that must be stated is that all effects which may affect health or life
are corporate decisions and must be agreed at a corporate level.

E 8.1 The Human

Physical Protection

See Personal Protective Equipment Regs

No one would design the human in the way that evolution has. It is poorly designed and very vulnerable
to many potential routes of assault. The human cannot perform in heat, cold, reduced oxygen
concentration, acceleration, dull or bright light, or loud noise. Consider the following:

Area                           Some Sources of Human Vulnerability

Head (1)                       Impact; loose hair being caught in moving equipment

Eyes (2)                       Light, low or high; ultraviolet light; grit; acid; alkali; dust; projectiles

Ears (3)                       Noise: 120 dBA equals pain, 90 dBA for 8 hours equals hearing loss

Nose/lungs (4)                 Toxics; dust; low oxygen concentration; hot, dry air; nuclear radiation

Skin (5)                       Acid; alkali; nuclear radiation; heat; cold; thermal radiation; projectiles;
                               sharp objects; trips/falls

Bone (6)                       Heavy objects; trips/falls

Brain (7)                      Information overload/cognitive dissonance/mind set/stress/confusion/lack of
                               training/panic

Balance (8)                    Wind of 50 m/sec; acceleration of 0.1g laterally

Muscle and Tendon Damage (9)   Poor ergonomics: stretching; lifting; trying to exert forces by load
                               oblique paths etc. (The list is legion.)

Table E 8.1.1 Areas of Human Vulnerability

The list is not complete and is sufficiently detailed to show that the human needs to be protected with
care.

The industrial safety helmet will give reasonable protection against a light impact or light dropped object.
(Say 1 kg dropped 10 m.) It will not necessarily protect the wearer against walking into a low beam. (The
author can vouch for this!) Nor will it protect against a sharp edged or pointed dropped object.

Industrial safety spectacles and full wrap-round goggles give good eye protection against dusts, but it may be necessary to use a full-face visor for hazardous fluids. Green glasses can protect the eyes against intense light such as that experienced in a furnace.

At noise levels over 100 dBA communication is difficult, and the threshold for noise-induced hearing loss is sometimes quoted as low as 85 dBA for 8 hours. Hearing loss is cumulative: initially speech appears to be distorted, as the high frequency elements are lost; ultimately there is a problem of tinnitus (hissing or ringing sounds in the head). A disco is a powerful source of damage. If 90 dBA is taken as the threshold, 93 dBA for 4 hours is equal to 90 dBA for 8 hours, and likewise 96 dBA for 2 hours, 99 dBA for 1 hour or 102 dBA for half an hour. Ear plugs give some protection, but noise can still be transmitted through the human tissue. Ear muffs are far better protection.

Face masks (filters) are available for dusts, but they are of no use for harmful gases. The use of Breathing Air (BA) masks is necessary. (It should be noted that the gas masks used in WW2 were of the activated charcoal adsorbent type.) BA may be supplied by a demand valve, which opens when the pressure in the mask falls below atmospheric pressure (as in a SCUBA air mask, so leakage can take place around the face mask seals), or it may be by a supply valve, which keeps the face mask slightly over-pressured with respect to the atmosphere.

Gloves come in various forms. Standard gloves will protect against cold and also can have rubber studs
to enhance grip. Leather gloves can protect against sharps and rags. However special gloves, mitts or
gauntlets will be needed for hot, cold or harmful duties. (Remember to tuck clothing such that the spills
shed away from the tucks and not into the gloves)

Steel tipped safety boots, like helmets, can give protection against light dropped objects. (Again about 1 kg
dropped from about 10 m.) Special boots may be needed for harmful fluids. (Remember to tuck clothing
such that the spills shed away from the tucks and not into the boots)

Industrial cover-alls can give good, general protection against benign fluids, but it may be necessary to use acid/alkali resistant clothing. In some areas it might be appropriate to wear flame retardant protection. (Remember to tuck clothing such that spills shed away from the tucks and not into them.)

Consider the impact of confusion and also the dangers of wind load on the body when working in stormy
weather.

Dry air at 100 °C will damage the mucous membranes in the lung; dusts or smoke can coat the lung (more miners die from silicosis than from injury). 10% oxygen will result in unconsciousness.

The skin cannot tolerate temperatures less than -10 °C or temperatures over 60 °C for more than a few seconds. Thermal radiation of 6 kW/m² for 20 seconds produces real pain.

Figure E 8.1.1 The Areas of Human Vulnerability (figure not reproduced; the labelled areas are Eyes (2), Head (1, 7, 8), Ears (3), Nose (4), Hands (5), Lung (4), Skin (5), Bone (6), Muscle/Tendon (9), Toes (6))

Toxic Effects: Classes of toxic material, classed in relation to the effects of exposure.

Irritants              Respiratory (chlorine), skin, eyes. Irritants affect the body tissue at the site of contact. Effects range from discomfort to death. Some make the victims more susceptible to infections such as pneumonia. Panic results from exposure to irritant gases and the response may be the unpredictable reaction known as "fight or flight".
Narcotics              Some common chemicals, e.g. hydrocarbon vapours, produce narcosis, which can interfere with an individual's ability to look after him/herself.
Asphyxiants (simple)   Suffocation by reducing the oxygen concentration, e.g. nitrogen.
Asphyxiants (chemical) Link, in competition with oxygen, with the haemoglobin in the blood (carbon monoxide and hydrogen cyanide being two).
Systemic poisons       Cause either temporary or permanent damage to the body system.
Dusts                  Many dusts can lodge in the lungs and eventually produce disease. Historically, three times as many coal miners died from lung disease attributed to dust as died in accidents.

Table E 8.1.2 Some Properties of Toxics

One substance can exhibit a number of different effects (glue sniffing causes narcosis, irritation of skin,
mouth and nasal passages and systemic damage).

Carcinogenic Materials

Many industrial chemicals are capable, to some degree, of causing cancer, and the list of potential
carcinogens is growing every year. Exposure to these materials produces effects which are delayed,
typically, 15-20 years. The handling of some of these materials presents particular problems since it is
generally accepted that there may be no threshold dose below which no damage will be done. Exposure
limits are set at levels where risks are acceptable. Benzene is one such chemical where the true safe
threshold is not known accurately and is falling with time. It has been reduced from 25 ppm v/v to 1 ppm
v/v over 40 years. Hydrazine and aniline are two other carcinogens.

Toxic Materials

Liquid toxics can enter the human body via the skin or the mouth. The skin is not impervious, and nerve gases can gain entry through this route. There is also the problem of acids and alkalis, as well as sensitivity to certain chemicals; even nickel can produce allergic reactions.

Gaseous Toxics enter the human body via the skin or more likely the lung. Some can result in that person
becoming susceptible to lung diseases particularly pneumonia.

Solid toxics enter the human body via the stomach, skin or the lung

The human physiology is not the same as that of animals. Certain chemicals produce different effects.
Thalidomide is the classic example that animal tests were not a guarantee of the effects on humans.

Doses for chemicals are to be found in data books. Solid and liquid toxics are often given as LD0, LD10 or LD50, the dose which will produce 0%, 10% or 50% fatality in a group. The values are usually in milligrams per kg body weight. An LD10 is not really a sensible concept: you have killed someone, somewhere!

Other doses are often given as OEL (Occupation Exposure Limits) in tables.

TLV is the Threshold Limit Value for 8 hours per day. STEL is the Short Term Exposure Limit, for 15 minutes. BEWARE: the values are often revised downwards every year as the full effects are re-analysed and re-assessed.

Toxics and Doses

Different toxics have different effects on the Body systems.

Carbon monoxide produces carboxyhaemoglobin; most other toxics affect the lung. For example, chlorine and ammonia produce pulmonary oedema, while nitrogen oxides can damage the lung and the cilia and so make the invalid more susceptible to pneumonia. These effects can be delayed for a few weeks!


The toxic dose models have the form:

Dose = C^n t   (E 8.1.1)

where

C is the concentration of toxic (ppm usually)

t is the exposure in seconds, minutes or hours

n is a constant.

The value of n varies from toxic to toxic: for carbon monoxide n = 0.9, for chlorine and ammonia n = 2.75 and for NOx (oxides of nitrogen) n can be 3 or 4. What this means is that doubling the concentration reduces the exposure limit by a factor of 6-8. Of more importance is that the actual concentration at any point in a plume varies with time (see the section on dispersion - E .3), so the true value of Dose = C^n t may be significantly higher than might be expected from the TWA value of C from the dispersion equations. In fact it is possible that the dose derived from the TWA value of C might be harmful but the true dose, taking into account the peaks, could be fatal.

For Carbon Monoxide a dose of about 4,000 ppm for 10 mins is likely to be serious.

Figure E 8.1.2 Data Used for Toxic Dose of CO (Derived by the Author)

The toxic data is usually derived by plotting the concentration and exposure duration on a log v log graph
against time with the recorded physiological effect. The best fit was actually nearer a slope of 0.9 but it
was assumed that the fit would be linear. More research shows that the plot is nearer a slope of 0.9.

For Chlorine a dose of about 75 ppm for 5 mins is likely to be serious

For Ammonia a dose of about 2,500 ppm for 15 mins is likely to be serious
For NOX a dose of about 250 ppm for 10 mins is likely to be serious

It is very much a case of horses and courses - or avoid leakage and do not assess the risk by calculation - it
is too late once it is out of the piping!

These "numbers" also show the merits of well located escape breathing air sets (BA) round plants
handling toxic fluids.

As the dose is the area under a curve (the integral of C^n over time), the ingress of toxic into a "refuge" or building produces a rapidly worsening situation. Ultimately, if the building is fairly leaky, the person may be incapacitated and too weak to help in any rescue.

Probits

There should be some mention of probits for completeness on toxics. The task is to avoid any risks, prevention being the objective.

The dose effects can be converted into probability of fatality by a probit equation:

P = A + B ln(Dose)   (E 8.1.2)

P = Probit

A and B are constants

Dose = C^n t   (E 8.1.3)

There are equations for thermal radiation, explosions, chlorine, ammonia, phosgene etc.

To give some idea of the likely range of effects, the following are some calculated dose values from probits. These are not quite the same as given earlier as they are derived in a different manner.

Cause                 1% Fatality     50% Fatality    Variable
Thermal Radiation     1,000           3,000           (kW/m²)^(4/3) s
Chlorine              120,000         480,000         ppm^2.75 min
Ammonia               2.6 x 10^10     2 x 10^15       ppm^2.75 min

Table E 8.1.3 Some typical hazardous doses based on Probit Values

Thermal radiation is also a "dose effect", that is, the effect is a function of time; in this case the dose is

Flux^(4/3) x time

Effect          Dose
Pain            250 (kW/m²)^(4/3) s
1% Fatality     1050 (kW/m²)^(4/3) s
50% Fatality    2080 (kW/m²)^(4/3) s
1st Degree      250 (kW/m²)^(4/3) s
2nd Degree      1400 (kW/m²)^(4/3) s
3rd Degree      3000 (kW/m²)^(4/3) s

Table E 8.1.4 Thermal Doses

(Some of these values were hard to believe, as from personal experiments with thermal radiation it was possible to take 6.3 kW/m² for 20 seconds before experiencing real pain (230 (kW/m²)^(4/3) s); then, following a 5 min break, the test could be repeated again and again and again. Also a dose of 2000 ppm of ammonia for one lung-full produced a bronchial spasm and the inability to breathe. It is likely that this was the peak, about 2.5 times the TWA.)

Other Physical Effects

There are many other effects so it is imperative that there is a continuous assessment of the
likely injury potential for any task.

E 8.2 Migration of Gas into an Enclosed Volume

The migration of gas into a room can be assessed (as is the concentration profile of a continuously back-stirred reactor) as follows:

concentration inside / concentration outside = 1 - e^(-kt)   (E 8.2.1)

k = air changes per hour or per minute - about 1/2 per hour for a modern home and 6 for outdoor buildings or houses with chimneys and fires

t = time of exposure (hours or minutes, in the same units as k)
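The dose, probit and refuge-ingress relations of E 8.1 and E 8.2 worked through in code, as an added example that is not part of the original notes: it shows how peaks in a fluctuating plume raise the C^n t dose above the TWA estimate, converts dose to fatality fraction by a probit, and integrates the dose inside a room filling per E 8.2.1. The probit constants A and B are not literature values; they are back-calculated here from the chlorine 1%/50% doses in Table E 8.1.3, and the plume samples are constructed data.

```python
"""Toxic dose, probit and refuge-ingress calculations.

Added example, not part of the original notes.  It implements:
    Dose = C**n * t                      (E 8.1.1 / E 8.1.3)
    P = A + B * ln(Dose)                 (E 8.1.2, probit)
    C_in / C_out = 1 - exp(-k * t)       (E 8.2.1, well-mixed room)
The probit constants A and B are NOT literature values: they are
back-calculated from the 1 % / 50 % chlorine doses in Table E 8.1.3
(an assumption of this example).  The plume profile below is constructed
sample data, not a measured release.
"""
import math
from statistics import NormalDist

_NORMAL = NormalDist()


def dose_constant(conc_ppm: float, minutes: float, n: float) -> float:
    """E 8.1.1 for a steady concentration: Dose = C**n * t (ppm**n * min)."""
    return conc_ppm ** n * minutes


def dose_time_varying(samples_ppm, dt_min: float, n: float) -> float:
    """Dose as the area under C**n: sum of C_i**n * dt over equal intervals."""
    return sum(c ** n * dt_min for c in samples_ppm)


def dose_from_twa(samples_ppm, dt_min: float, n: float) -> float:
    """Dose a TWA-based estimate would give: (mean C)**n * total time."""
    twa = sum(samples_ppm) / len(samples_ppm)
    return twa ** n * dt_min * len(samples_ppm)


def fit_probit_constants(dose_1pct: float, dose_50pct: float):
    """Solve P = A + B ln(Dose) from two points on the probit line.

    Probit 5 is 50 % fatality; probit 5 + z(0.01) is 1 % fatality.
    """
    p_1pct = 5.0 + _NORMAL.inv_cdf(0.01)
    b = (5.0 - p_1pct) / math.log(dose_50pct / dose_1pct)
    a = 5.0 - b * math.log(dose_50pct)
    return a, b


def probit(dose: float, a: float, b: float) -> float:
    """E 8.1.2: probit value for a given dose."""
    return a + b * math.log(dose)


def fatality_fraction(dose: float, a: float, b: float) -> float:
    """Fraction of an exposed population killed: Phi(P - 5)."""
    return _NORMAL.cdf(probit(dose, a, b) - 5.0)


def refuge_concentration(c_out: float, k_per_min: float, t_min: float) -> float:
    """E 8.2.1: concentration inside a well-mixed room after t minutes."""
    return c_out * (1.0 - math.exp(-k_per_min * t_min))


def refuge_dose(c_out: float, k_per_min: float, minutes: float, n: float,
                dt_min: float = 0.1) -> float:
    """Dose accumulated inside the room: integral of C_in(t)**n dt (midpoint rule)."""
    steps = int(round(minutes / dt_min))
    return sum(refuge_concentration(c_out, k_per_min, (i + 0.5) * dt_min) ** n * dt_min
               for i in range(steps))


# Chlorine: n = 2.75; 1 % and 50 % doses from Table E 8.1.3 (ppm**2.75 * min)
CL2_N = 2.75
CL2_A, CL2_B = fit_probit_constants(120_000.0, 480_000.0)

# Constructed 1-minute samples of a fluctuating plume (mean 48 ppm)
PLUME_PPM = [20, 80, 20, 90, 10, 70, 30, 85, 15, 60]


def demo() -> None:
    twa = dose_from_twa(PLUME_PPM, 1.0, CL2_N)
    peaks = dose_time_varying(PLUME_PPM, 1.0, CL2_N)
    print(f"chlorine probit constants (fitted): A={CL2_A:.2f}, B={CL2_B:.2f}")
    print(f"dose from TWA {twa:,.0f} vs true dose {peaks:,.0f} (x{peaks / twa:.1f})")
    print(f"fatality at TWA dose {fatality_fraction(twa, CL2_A, CL2_B):.3f}, "
          f"at true dose {fatality_fraction(peaks, CL2_A, CL2_B):.3f}")
    # Refuge with 50 ppm outside: 1/2 air change per hour (modern home) vs 6 per hour
    for ach in (0.5, 6.0):
        d = refuge_dose(50.0, ach / 60.0, 60.0, CL2_N)
        print(f"{ach} air changes/h: inside dose after 60 min {d:,.0f}, "
              f"fatality {fatality_fraction(d, CL2_A, CL2_B):.3f}")


if __name__ == "__main__":
    demo()
```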



E 8.3 Effect Models Humans & Hardware

Heat

Metals lose their integrity when heated. Steel has little strength above a temperature of 600 °C. Stainless steels have more integrity, but not a lot more. Heat gain to a flame-engulfed vessel is of the order of 300 kW/m² from a torch flame and about 75 kW/m² for a pool fire.

The survival damage for humans (as in Triage) is shown in table E 8.3.1.

Table E 8.3.1 Effect of Thermal Radiation on Humans (Triage Table)

Survival probability (0 to 1) is related to age and the area of damage, younger persons may survive 70%
burns but older persons may succumb to 30% burns. This is not such a problem as much of the working
population have an age 20-40 years old.

Process equipment can tolerate 12 kW/m² for long periods of time, but clothing and cellulose materials (wood or grass) may ignite spontaneously after 30 minutes at these fluxes.

Humans

What are not readily described are the effects of hot gases and soot on humans. Above 125 °C the lungs can be severely damaged, and of course a film of soot in the bronchi and alveoli can be fatal.

There have been a number of unfortunate fires (more particularly in Brazil, January 2013) where the fatalities were caused by smoke. This may be particulates which clog the alveoli, or carbon monoxide. However, other Products of Combustion (POCs) include hydrogen cyanide and hydrogen chloride, neither of which is safe! It has been noted that partial combustion of hydrocarbons can produce up to 5% v/v carbon monoxide. This includes the use of paraffin-burning space heaters in buildings!!!

In fires, fatality can be caused by trampling as well as by internal organ damage leading to crush syndrome.

Blast Effects

Overpressure effects on humans (overpressure in kilopascals):

Overpressure (kPa)    Effect on Humans
up to 7               0% injury
7 - 21                25% injury, due to being blown over
21 - 34               70% injury, thrown physically against solid objects
34 - 48               95% injury, a worse condition
48 +                  Internal injury/disruption, high probability of fatality

Table E 8.3.2 Overpressure Effects - Humans

Once again the values in Table E 8.3.3 are to be treated as approximate and indicative. These were derived by the author from many sources and take into account the impulse, or pressure multiplied by duration.

Damage                                                   Overpressure (kPa)

Domestic Houses
  Glass failure 5%                                       0.7
  Glass failure 50%                                      2.0
  Glass failure 90%                                      4.5
  Building uninhabitable                                 7
  Severe damage to building                              15
  Total destruction of building                          75

Process Buildings
  Serious damage (major report necessary)                15

Process Equipment
  Instrument displaced (major replacements necessary)    5
  Piping spring                                          20
  Storage tank                                           40

Process Piping or Pipe Track
  Serious damage                                         20
  Storage tank (90% full)                                40
  System displaced                                       50
  Fired heater                                           40
  Major piece of heavy equipment

Table E 8.3.3 Suggested Damage Profiles for Overpressures



Part F

ADVANCED MANAGEMENT SYSTEMS

Role of Managers in Safety and the Environment

F 1 Introduction

This part is a blend of ideas, which are closely intertwined but can also be treated as free standing. It is
an introduction to the Role of Management in Safety and Environment and is an attempt to show that it is
an integrated whole and not a series of parts.
The main elements chosen are:

Culture

Why do people make mistakes?

Defence in depth

Role of Managers in Safety and the Environment

Management of Safety/the Environment or The Generation of Safety/Environment


Management Systems

Management Systems at the Work Place


Safety Management Systems (SMS)
Testing of Protective Systems
Management of Change

Safety/Environmental Audits
Accident Investigation
Human Error

Each company has its own culture and in any professional role it is possible to sense different cultures
within different companies. There is no doubt that there is an increasing recognition that there is a need
for an analysis of the corporate culture and how it can impact on Safety and the Environment. This topic
will explore this in more detail.
Even with good systems in place people will make mistakes. It is not inevitable but humans do appear to
have a predisposition to make mistakes. This part will explore some of these causes, which will be
expanded in Part G. The basis of all safety and environmental control is Defence in Depth, that is, a multi
layer approach that ensures that there are many defences in place and reprised in F 4.



In the final analysis Managers have duties and a duty of care, and must manage Safety and the Environment actively and not passively.

F 2. Culture

Culture is a complex idea and the definitions do not help - these include:

a. A crop of experimentally grown bacteria or the like,

b. A particular civilisation at a particular time,

c. The total of the inherited ideas, beliefs, values and knowledge, which constitute the shared basis of social action,

d. The total range of activities and ideas of a group of people with shared traditions, which are transmitted and reinforced by members of that group.

Definition a. has a humorous significance, but it is definitions c. and d. which are most applicable. There is no doubt that culture in the safety and environment context is a blend of these definitions. Each company is based on evolved tradition, and the way groups of people interact and perform their tasks or duties does differ due to both evolved tradition and reinforcement by managers and peer groups. This statement illustrates it: "That person is a typical X company person." Fill in the X and the meaning will become more obvious. Within even one nation there will be different cultures, each believing that its traditions and beliefs are correct.
There is no unique corporate culture but a series of cultures. One company may believe in empowering its employees to take on responsibilities, another may require a detailed audit procedure before they take on those responsibilities, and another may require detailed supervision while they take on those responsibilities.
The differences in a corporate culture can be found in many areas. These are just some variants.

No-Blame Culture

A culture which is perceived as blaming people for poor decisions results in resentful, uncooperative employees who are unwilling to make decisions or to report any incidents. (Initially it was thought that this should say "incapable of making decisions". It was deleted, but the message is there!)
The open, no blame, culture results in more open management with employees willing to report untoward
events and then to discuss the way they can be eliminated. The employee does make decisions and is
guided or tutored in this by his/her supervision. The no blame culture also results in easier personnel
management.

Domineering Culture

There are some companies in which the managers foster the belief that they know best, as they have more experience than anyone in that area. This approach has a dulling influence on creativity and puts the employee into a very subservient position. The end-point is that nothing changes and the company stagnates and starts to lose any competitive advantages.
A variation of this is the very clearly defined boundaries of authority, where only persons of a certain level can make real decisions. This results in demoralised employees, or employees who are incapable or unwilling to take a lead in improvements in technology or safety. Worse still, the employees are unable or unwilling to act for themselves, "keeping the head below the parapet". Once again the company stagnates.

Club or Clique Culture

Some companies have a very cliquey culture, where they employ personnel from certain backgrounds or universities. Employees rapidly realise that they have to become part of that club in order to progress up the structure, or, if they cannot become a member of the club, they have no option but to leave the company. This results in a self-centring of style; the company becomes prematurely old or jaded, as there is a lack of innovation through outward vision and outward looking. New companies with more modern approaches start to corner the market, and from a safety standpoint the company cannot and will not learn from cross-fertilisation of ideas.

Culture of Design/Specification

Some companies write very detailed design specifications for a design, based on their own experiences, which the contractor must follow. Some companies go so far as to specify the finest detail (part of the "we know best" culture), but others specify the objective to be achieved and leave the detail to the contractor, using international codes/standards. At the extreme, some companies may set the objective and allow a contractor to Engineer, Procure, Install and Commission the process (E.P.I.C.).
Within some of the corporate specifications are to be found the reaction (over-reaction) to incidents which occurred in the past (the Corporate Memory), and within others are to be found reliance on good personnel or procedures (the Corporate Culture). There are no rights or wrongs; each variation is the result of culture or evolution.

Culture and Procedures

There is a wide range of detail in procedures: some companies go to the finest detail and others give a general outline of the steps and objectives to be achieved. There are strengths and weaknesses in both approaches; with good, skilled personnel it is arguable that the steps and objectives are better than the finest detail. The corporate culture must therefore match the quality of the personnel to the quality of the procedure. At the end of the day a good surgeon does not need a detailed description of an operation; however, most car owners expect the car mechanic to follow the workshop manual when carrying out an overhaul, including the torque limits on bolts.
It is necessary to recognise that some procedures may actually be the written decisions of a Manager. The
Standing Instructions (later) are the record of what the Manager wants to happen when he/she is not
there. This could reflect a culture with a low level of devolved responsibility; on the other hand the
instructions could be written in such a manner that the user has some scope for responsible actions. These
procedures will include not only the routine but also the handling of Emergencies and upset conditions.



Once again the detail should be appropriate to the need. In effect there is no need for anyone to make a
decision as it has already been made for him/her. On one plant which was rather prone to process leaks it
was found that each Supervisor had a completely different set of criteria for making the decision for a
plant shut down. A rule set for the decision process was written (an expert system) which the Supervisors
could follow and react accordingly. This resulted in a consistency in the decision making process but in
reality the decisions had already been made for them within the rule sets!!!

There are other procedures, which need to be recognised. Into this category would fall such as: -

Audits of Systems

Audits of Procedures in general

Management of Change

Permit to Work

Design Procedures

Review of Procedures

Control of Procedure Revision

Control of Drawing Revision

The list is not meant to be complete but indicative and each must be treated on merit. All of the above
would be written in some detail as will be outlined in F 8.

Training/Knowledge

There are a range of Training and Knowledge requirements, which again reflects culture. Some companies
employ honours graduates, others are less specific. Some companies require Continuous Professional
Development and others do not. Some companies require refresher training for all operating personnel
and others do not. The depth of the training and detail of knowledge is again tailored to the culture and
inclusion in this list is again only meant to be indicative.

Supervision

The level of supervision varies between companies and with the task to be performed. New graduates will normally be heavily supervised, and the level of supervision relaxed with gained knowledge. Special tasks may always require detailed supervision to ensure that a procedure is fulfilled to the letter, yet others may not be supervised. This is appropriate during stressful conditions such as a start up or shut down.
It has been claimed that incidents seem to have a periodicity of 10 years. This is of some debate, as it appears to be shortening to nearer 8 years. In many companies the average tenure for a Manager is about 3 (three) years. It is not difficult to see that there will be 3 new Managers in 10 (ten) years. If each Manager only passes on 75% of what they were told at their initial hand-over, by the end of the 10 years the corporate memory will be more than halved, unless of course the memory is re-enforced by some real events. It is not coincidental that the return time for major events is about 10 years.
It is worth noting that structural changes in organisations do change that culture. Often the history and
reasons for best operating practice are lost (that is there is a dilution of the corporate memory). In
addition it is inevitable that with down sizing there is a reduction in the level of supervision which in
turn reflects a reduction in the day-to-day audit procedure. One other effect of down sizing is that there
is a loss of Corporate Knowledge which in turn makes the company more vulnerable to the 10 year
Corporate Memory Half Life. Recent trends in USA include the appointment of a Corporate Knowledge
Manager. Guess what he/she does? They collect the history of operating practices before an employee
goes down the road. Does this help to explain why the periodicity now seems to have shortened to
nearer 8 years?
Summary

The culture of a company reflects its traditions, experience and evolution. It is passed between members
of that company and is re-enforced by a common objective. It will vary between companies and reflect
the needs of that individual company and the skills within that company.
It could be argued that no company culture is perfect but that it has evolved defences or systems to
compensate for weaknesses in its culture (without realising what it was actually doing). It could also be
argued that a root and branch change in a culture would be a disaster waiting to happen. In the final
analysis it is the flaws and weaknesses in the culture that will create problems and identifying these flaws
will not be easy.

F.3 Why Do People Make Mistakes?

This is based on personal experience and was written before the publication of HSG 48 Reducing Error and
Influencing Behaviour

It is worth pointing out that HSG 48 identifies three main causes of human failure in its figure 2:

Skill based errors

Rule based mistakes

Knowledge based mistakes.

It is hoped that these notes cover these appropriately.

There is a general belief that some people are accident-prone. This can be debated long and hard but it
is more constructive to analyse some of the possible causes. These can be broken down into many
categories the most common three are:
Experience and Skills

Psychological Make Up

Stresses
Experience and Skills

The training and knowledge of the person must reflect the job description but also that person must have
certain extra skills, which will reflect the need and ability to make decisions.

A good Engineer will normally have a good grasp of his/her own discipline and also a good understanding
of the needs of other Engineering disciplines. There is a balance between depth and breadth of
knowledge - the knowledge of the individuals discipline has to be deep but there has to be breadth so as
to work with other disciplines and understand/interpret those other problems and needs. The good
engineer has to have deductive skills to recognise where problem areas may arise and the technical skills
to overcome them. If either is missing there is the risk of an error/mistake. This not only applies to the
technical problems but also dealings/supervision/checking of members in the work group. In the case of
Management of Hazardous Plant, the Engineer must understand how the process works and also
understand the weak points in the process. These skills take time and training and require the ability to
use deductive skills which convert technical knowledge into a practical application. (Most of this is
knowledge based.)

Operating personnel require similar training; knowledge and skills are still required, but at a lower level. There may be situations that the operating personnel have not met or cannot analyse. If the operating procedures do not give clear guidance to the operating personnel, the personnel may make mistakes, as they will be forced to operate outside the envelope of their experience and skills. This reflects back to the concept of culture and forward to Managers' Responsibilities. (This is skill based.)

This part is an attempt to give a broad overview, and it is worth considering a new process plant start-up with novel features to illustrate the problems. The supervisors and operators were picked from an experienced group of personnel, so the experience requirement was satisfied by years of training. However, the new plant had both unknown and un-experienced characteristics. The team were alert to their lack of experience, drawing on their previous experience and deductive skills.

The operation of an Acetylene (Ethyne) Hydrogenation Reactor is illustrated to show that errors can arise
from lack of experience (knowledge). The process involved passing a mixture of Hydrogen, Ethylene
(Ethene) and Acetylene (Ethyne) across a fixed bed nickel/palladium catalyst at about 60°C in a single pass.
The reaction is of course exothermic and the catalyst is both reactive and selective, that is, it has to be
raised to an initial temperature (60°C) before the Hydrogen/Acetylene reaction takes place, but beyond a
threshold temperature the Hydrogen/Ethylene reaction also takes place and is favoured. There were two
shift Managers, each of whom had experience of Hydrogenation processes. The first had experience of a
simple mixed stream Hydrogenation process that was fairly unreactive but was very selective to Acetylene.
The second had experience of this process and of a direct Hydrogenation process. The first Manager raised
the inlet temperature rapidly with an excess of hydrogen, such that the reaction took place in a limited
section at the inlet of the bed with a rapid rise in temperature; this produced reaction conditions selective
to the hydrogenation of Ethylene, and the Acetylene concentrations at the reactor exit were out of
specification. The second Manager was more careful and ensured that the reaction spread throughout the
reactor bed, monitoring the Acetylene concentration at the reactor exit as the inlet temperature was
raised step by step. A steady reduction in Acetylene was noted with increased inlet temperature, such that
it was possible to predict the correct operating conditions for total Acetylene conversion within a few
hours. The first Manager came on shift and wrestled with the reactor for twelve hours. The second Manager
returned to the shift and was convinced there was an error in the analysis. The only thing that had changed
was the Gas Liquid Chromatograph, which had been changed to a more sensitive coil. Was the fault in the
G.L.C. or the reactor? Within the sensitivity of the analysis the first G.L.C. showed there was less than 10
ppm Acetylene at the reactor exit but the second showed there was over 100 ppm. The solution was to seek a
third G.L.C. and to test for rogues, which were masking the second G.L.C. The answer was rapidly found:
the Acetylene concentration was masked and the rogue was Butadiene, the derivative of Acetylene and
Ethylene.

There were obvious skills and knowledge used in this incident. Some of the skills and knowledge had been
acquired in an industrial environment and some in an academic environment.

Psychological Make-up

There are two forms of psychological make-up worthy of note. The first is the person who cannot handle
stress of any sort and goes into a panic at the first hint of pressure. This person is likely to be error prone.
The second is the one who will not listen to guidance and will do what he/she wants to. This is likely to
lead to errors of judgement.

Stresses

Stresses can be various and could include


Fatigue

Emotional

Work Related

The first two are self-evident: as the human becomes more tired the judgement becomes flawed and
mistakes result as the deductive skills become flawed. Emotional stresses could arise from problems at
home or from personnel who are set upon by a workmate. Feelings of oppression and inferiority can lead to
judgement being flawed.
Work stresses are also understandable. The human performs best under a slight or low level of stress.
High levels of stress can impair the judgement and deductive skills, and low levels of stress can produce a
lethargy which ignores information and in turn leads to lack of judgement or response. But there are
more insidious stresses caused by poor ergonomics. Aircraft designers have worked hard to develop the
Head Up Display (H.U.D.), which is also becoming used in cars. Without realising it, personnel can be
put under stress by the layout of the pages on a Distributed Control System screen; the position, order and
ease of recognition/reading are essential. (See also Part H - Texaco Refinery Explosion.)
Don't blame an operator for making an error of identification if the order is A/B; A/B; A/C/B: there are
expectations which will become rules in the mind of the operator. If an operator has to reach out over
a handrail to access a valve it is human nature to ease the damage potential to the back by climbing over
the handrail. The perceived risk of falling may be less than that of injury to the back and a precedent is
set.
Human ergonomics, as a means of reducing mistake potential, involves layout but also size/colour,
postural position, eye position and many other important features.
There are a number of references to human reaction under pressure/panic conditions. Lars Weisaeth has
written extensively on this topic; one worthy of more study is "Technological Disasters: Psychological and
Psychiatric Aspects", 7th International Symposium on Loss Prevention and Safety Promotion in the Process
Industries, Taormina, 4-8 May 1992. In this, he discusses perception of risk after being put under stress
such as Kuwait, Post Traumatic Stress Syndrome/Disorder - and Flight from an emergency (fight or
flight); under these circumstances survival is more imperative than the logical correction of the fault.
F. Hearfield discusses a series of what might be called Human Errors in a paper "Hazards of Pressure
Testing", 3rd International Symposium on Loss Prevention and Safety Promotion in the Process Industries,
Basle, 11-19 September 1980.
D.E. Embrey discusses Human Errors in a paper at the 7th International Symposium on Loss Prevention
and Safety Promotion in the Process Industries. The best prediction is that all humans are error prone
and the objective is to reduce the scope or the consequences of this error (flaw in make-up).
It is now recognised that what was called shell shock has some variations one being that of guilt. Guilt
that your mate was killed but you were not. Guilt that you did not do enough to help your mate. If I had
tried to save him he would be alive now, (forgetting that both would have lost their lives!)

The Brain
Some of the problems that can result in errors are to be found in the brain. There are a number of
problems that are not easy to explain in simple terms.
Information overload
In Information Overload the brain has TOO MUCH information and cannot sift the critical or top-level
information from the low-level unimportant information. In effect the reasoning powers are swamped by
both essential and trivial information and so the outcome is that nothing is done. This is analogous to
a juggler: there is an absolute limit to the ability to handle objects and beyond that limit things get
dropped.
The concept of Information Overload can be dealt with by two strategies. At one level the operators have
sufficient resources to handle all of the work; at the other, the information is filtered and presented in
a clear unambiguous form (skills and rules). In a process plant it is not only the information but the size;
on a small plant where the transit time may be small the supervisor may be able to handle more, as there is
less time used in moving from A to B to C in data collection. Above all, the presentation of clear
unambiguous data with the appropriate diagnostics in a Control Room is fundamentally important. The
human can only accept a limited amount of information at any one moment and the message must be
clear and unambiguous.
Training and background knowledge all help to reduce the potential for information overload, as also does
practice. There are no solutions or fixes; an understanding is required as well as the open mind and eye.
The key question must be:
How could I handle the problem/problems professionally and without error?

Mind set
The person has a fixed idea and cannot be convinced that there may be an alternative explanation or idea.
It could also be called tunnel vision.
Cognitive Dissonance
This is quite difficult to explain. The mind tries to fit the evidence into a picture. Some does not fit, so it is
rejected or reasoned away. The brain is quite convinced that the evidence is now consistent but ignores
the fact that some key evidence may have been rejected or distorted due to some erroneous logic.
Panic
The person just cannot make any decisions!

F 4 Defence in Depth (a reprise; see Part A)

Introduction
Defence in Depth is the basis of safe process operation and is worthy of a reprise of Part A. The definition
is not yet written and the interpretation is variable, as it is a concept and therefore requires a little
explanation.
Consider first of all the recommendations from an incident report; these will usually run to the order of
four to eight. This means that the committee felt there were four to eight elements which contributed to
the incident and require corrective actions. Put another way, the committee felt that there was no unique
cause of the incident but a number of causes. The finer analysis is that the causes of most, if not all,
incidents can be broken down into four categories:
Design/Specification (Equipment/Hardware)

Procedures (Software)

Training / Knowledge

Supervision

The categories are open to discussion but it is arguable that all are the responsibility of Management.
Further, when the initiation of the cause is examined it will be found that some were in place for some
time but only when the final one was in place did the event occur. These have their parallels in the
Accident Investigation (See later). The initial causes were part of the build-up until the final cause initiated
the whole sequence. Once initiated, defects in the system will lead to escalation and loss of (or poor)
control. Each cause is a breach of a defence. (The Bow Tie Model, Fig E 1.1).
There are no hard and fast rules. An alternative model is that the more breaches in place prior to
initiation, the greater the potential damage energy in the incident. Then it is not a case of the number but
of the sequence of the initiating event: if the initiating event was number five then an injury would result,
if it were number seven a fatality would result. Whatever the model used, the evidence matches the
traditional Heinrich/Bird Triangle.

Fig F.4.1 Hazard Triangle

The ratios are open to discussion but generally follow a ratio of about 1/30, which is a typical human
failure rate or failure rate of a protective system. Put another way, for a serious injury about 30^6
operations (about 10^9 operations) must take place. The probability is low, but by a little attention to detail
the final probability can be significantly reduced. (With seven breaches needed for a fatality, a change in
failure rate per breach from 3.33% to 2.5% reduces the final probability of fatality by a factor of
(3.33/2.5)^7, about 7.49. Who would not want that level of reduction in their Accident Statistics?)
It will be noted that all contributions are the responsibility of Management.
Some studies have suggested that the causes or breaches of defences run to dozens; this may be true, but
they are often subcategories of one more major breach. From my own observations there is a fairly clear
pattern as follows:

Number of Major Breaches    Effect
1                           Nothing
2                           Nothing
3                           Nothing obvious
4                           Near Miss
5                           Minor Injury
6                           Serious Injury
7                           Fatality
8                           Multiple Fatality

It could now be argued that after five breaches there should be a minor injury and the breaches should
be rectified at the minor injury level and there should never be a fatality. In reality many of the
breaches are latent, some come in very quick succession and some affect the ability to control a small
event (injury) from escalating to a more serious event. The final outcome will depend very much on the
phase of the incident where the breaches were found: -
Build up
Initiation
Escalation
Control
For example breaches in the control phase may not be evident until the incident is initiated.
The Flixborough accident and the Piper Alpha incident have been used in Part H to illustrate how and
where breaches in the defence occurred. The itemised breaches may not be all that might occur but they
are the more obvious ones.
A similar approach can be taken to the Environment - while the number of defences is less obvious it is
clear that a single level is totally inadequate. It is right to consider what Duty of Care means. At one level
this means that there is a duty to maintain the Environment, which is spelt out in EPA90: -

It shall be the duty of any person who imports, produces, carries, keeps, treats or disposes of controlled
waste or, as a broker, has control of such waste, to take all such measures applicable to him in that
capacity as are reasonable in the circumstances
a) to prevent any contravention by any other person of section 33 above;
b) to prevent the escape of the waste from his control or that of any other person; and
c) on the transfer of the waste, to secure: -
i) that the transfer is only to an authorised person or to a person for authorised transport purposes;
and
ii) that there is transferred such a written description of the waste as will enable other persons to
avoid a contravention of that section and to comply with the duty under this subsection as
respects the escape of waste.
At another level there is a duty on all Managers to ensure the Health and Safety of employees and the
public as a whole (as defined in HASAWA).
There will be defences against losses at site and irregular disposal of waste.

F 5 Managers Responsibilities and the Role of the Manager in Safety and Environment

Introduction
There is sometimes a belief that certain roles are not the responsibility of Management - incidents such as
the Clapham Junction Rail Accident and the sinking of the Herald of Free Enterprise have proved this to be
untrue. Whatever the aspect or feature of safety, the areas which contribute to accidents, as noted in
Defence in Depth, are all the role of the Managers.
The responsibilities above all belong to Management (or Managers). Managers have to ensure that the
objectives are clearly set, that the personnel have the appropriate skills and knowledge to achieve the
objectives and that the personnel achieve and do not deviate from the objectives. This is a formidable
sentence, which it is hoped captures the Role of Managers. It is possible some will disagree, some will
disagree violently and some will say "ROT". Whatever the reaction, these are personal beliefs expressed in
these notes.
The only way this can be elaborated upon is to develop a series of illustrative examples. Some serious
thought was given to discussing:
Setting Objectives

Skills

Achievement of Objectives

Likewise some serious thought was given to discussing:


Hardware

Software

Training/Knowledge

Supervision

In many ways Hardware and Software are objectives, Training/Knowledge are skills and Supervision is
achievement; as there was a potential repeat, only one list could be discussed.
In the end it was decided to amalgamate the two columns and treat Setting Objectives, Skills and
Achievement of Objectives as subheads and Hardware, Software, Training/Knowledge and Supervision as
main heads.
Hardware (This illustration refers to an Engineering Department)

Setting Objectives

Are there clear Design Guides, Codes of Practice and Engineering Specifications in place? Do they
reflect the Safety Policy? Are they regularly reviewed to ensure that they reflect the changes in
technology and thinking? Are calculations stored and recorded in the appropriate files? Are
equipment specifications recorded in the appropriate files? Are P and IDs always updated and
reissued?
Skills

Are the Design Team suitably qualified and trained? Are annual appraisals carried out to assess the
skills/weaknesses/needs for continued professional development? Are personnel promoted by
ability and not age or another artificial yardstick? (Metre stick?)
Achievement of Objectives

Are calculations and specifications independently checked/audited? Are project audits on the project
carried out by independent teams? Do the Terms of Reference and Scope reflect the nature of the
audit?
Software (This illustration refers to an Operating Site)

Setting Objectives

Do the Works Standing Orders (W.S.O), Permanent Instructions (PIs) and Standing Instructions (SIs)
have clear guidance on Permit to Work/Hot Work Permits/other Permits? Do the instructions have
clear guidance on the Management of Change? Are all Operating Instructions in place and regularly
reviewed? Does the W.S.O. reflect the Safety Policy Statement?
Skills

Are the production team suitably qualified and trained? Are annual appraisals carried out to assess
the skills/weaknesses/needs for special operating training/day release courses/continued
professional development? Are personnel promoted by ability? Are some personnel frustrated and
others overstretched? Are all software systems audited?
Achievement of Objectives

This can be verified by audits (see later)


Training/Knowledge (This illustration is general)

Setting Objectives

Are the skill matrices for various jobs defined? Does the annual appraisal reflect the need for
training? Does the training/knowledge reflect the safety policy statement?
Skills

Are competent trainers (internal or external) used in training?


Achievement of Objectives

Are training and knowledge tested routinely by practices and verbal tests? Are the results fed back
in the form of changes to software or training? Are training/knowledge needs reviewed/audited?

Supervision (This illustration is general)

Setting Objectives

Do all personnel know their exact role in the company? Do they know their lines of communication?
Do they know their scope for responsibility and accountability? (The two may be different - one
person may be responsible for carrying out a task and the supervisor (or senior person) may be
accountable for the juniors actions). Do all personnel feel free to talk to their supervisors at any
time? Do they feel confident in their supervisors?
[Note: Supervisors could mean Managers]
Skills

Do the Supervisors know what their juniors have to achieve? Do they have the correct
technical/inter-personnel skills? Can they carry out a form of audit on their juniors capabilities?

Achievement of Objectives

Are the Supervisors tested on handling practices? Do the work team feel confident in their
supervisors? Are supervisors audited?

The illustrative examples are just that. There are many more areas for Hardware - such as work
shop/maintenance, Trip and Alarm Testing, Relief Valve Pop tests, Lifting Beam Tests just to name a few.
Software could equally refer to computer programming, laboratory procedures, security checks, road
access checks etc. The training/knowledge will change from role to role but the general model with
variations will fit. The same is true for Supervision (Management). It would be wrong to think that for a
major blue chip company the Chief Executive is beyond Objectives/Skills/Attainment of Objectives - the
shareholders are the ultimate masters!
This topic was not written lightly or without a lot of thought. If there is a sense of emotion in the words it
is because it was written with emotion. If Managers at any level get it wrong there is the possibility of
injury/pollution/loss of revenue/loss of capital (or worse).

F 6 Management of Safety/the Environment

Or
The Generation of Safety/Environment Management Systems

Introduction

Most Safety and Environmentally conscious Companies have had Safety/Environment Management
System in place for many years and actively manage their business to achieve a high Safety/Environment
performance. Initially many of the Management Systems were good common sense and good business,
and to a degree they still are. In recent years there has been a better understanding of the manner in
which management systems can affect Safety/The Environment and they have been named
Safety/Environment Management Systems S/EMS (and so gained an element of mystique).

There is no doubt that S/EMS play a significant part in Defence in Depth. Not only is there a limitation to
the benefits of hardware based systems, which are expensive and need maintenance/checking, but
Management can also be relatively cheap. (This may not be apparent in the recent wave of downsizing.) For
example Permits to Work (PTW) have been in existence for many years and the concept of Auditing PTWs
was in evidence over 30 years ago (two Defences and two Management Systems).

There is no doubt that Safety and Environment standards are improving year on year, but there is also
recognition that it is good business. Injuries cost the UK of the order of £10^10 per year (yes, ten billion
pounds); there is also the added cost of lost production, lost sales potential and the remedial/repair costs.
Environmental clean-up can be extremely expensive - the costs for the clean-up of a major oil tanker spill
are estimated to be in the range £10^8 to £10^9, that is £2,000 to £20,000 per tonne spilled - for a product
that has a sale value of £75-100 per tonne (2014 prices). There is also a hidden cost resulting from loss of
sales/revenue if the public refuse to purchase the product of the perceived polluters. The loss of
revenues to Shell resulting from the attempted dumping of Brent Spar is estimated to be of the order of
£10^8. There is good evidence that dumping was the Best Practicable Environmental Option (BPEO) and
involved the minimum risk to human life - but this was not perceived to be the case by the public and
Greenpeace. In retrospect, rather than dumping, onshore disposal may have been cheaper in the long
run due to the adverse public reaction. Maybe the incident could have been managed in a better manner;
this closes the loop and goes back to the start of the introduction.

Recent research has shown that there is a correlation between improved safety and environmental
awareness at work, improved production efficiency at work and accident reduction in the home.

What are S/EMS?

There is a slight dilemma in these notes - which parts of S/EMS are relevant - All? Part? The following
statement was published in the Chemical Engineer.

The Health & Safety Executive (HSE) booklet Monitoring Safety analysed 960 fatalities in all industries
during the period 1981 to 1983 and determined the prime responsibilities. Recent major accident
investigation reports have increasingly criticised management for failing to install and insist on safe
systems of working. But is it fair to blame a manager when an operator makes a mistake leading to a
serious incident? Is it reasonable to ask management to guard against human error? The answer to both
these questions must be Yes. The Figure below is a schematic chart of the major topics of loss
prevention, which have characterised the last four decades. Like all chains, safety performances are as
strong as the weakest link.

Responsibility for Fatal Accidents      %
Senior Management                      61
Local Management                        3
Workers                                17
Management and Workers                 12
Others                                  6
No one                                  1
Total                                 100

System(s)

Is defined variously as:

1. A way of working, a method

2. A set of interconnected or interrelated parts forming a complex whole (what? FKC!)

Systematic

Is defined as:

A clearly worked out plan or method

Management

Is defined as:

The skill or practice of controlling something

Safety

Is defined variously as:

1. The quality or condition of being safe

2. A safe place

Safe

Is defined as:

Free from danger

SMS could therefore be defined as:

A worked out plan for controlling the freedom from danger of persons

(A similar approach could be added to the definition of EMS)

There are clearly defined features of any S/EMS, these are: -

Commitment

Policy

Leadership/Targets

Organisation

Planning

Followed by

Implementation

Monitoring

Audit

Review

The S/E will now be dropped and the common words Management Systems (MS) used, again deliberately
so, since we are discussing Management Practice within the S/E context. The initial description will apply
to the body corporate and then more localised detail given. The headings chosen are the key features
already given. The discussion, which follows, is meant to be at the higher, corporate, level.

Commitment

Any MS must start, and be seen to start, at the top and also be believed in by all levels of Management. It
may be easy to install a tangible hardware modification but software systems have to be kept vital and
real. In simple terms there has to be a commitment to them and to making them work by all levels of
staff, top to bottom.

Policy

There is a requirement under HASWA for a company to produce a Safety Policy Statement. Increasingly
many companies are producing Environmental Policy Statements. The corporate policy statements will
be more general and longer term but will demonstrate commitment and give authority to the lower level
(departmental) policies.

At the corporate level there is no benefit to being "the best" as it may be meaningless and impossible to
achieve. The policy may be more general and be of the form "to be the equivalent of the best in the
field" or "to strive to improve standards". Corporate policy statements are usually to be found in the
Annual Report to the Shareholders. There is no benefit to repeating or comparing company policies (as it
will end up like a beauty contest) but most are short, crisp and full of impact.
Leadership/Targets

It is sometimes difficult to separate Commitment, Leadership and Targets; they are closely
interconnected. Once a team is committed someone has to set targets and take the lead. At the corporate
level the leader(s) could be the Managing Director, the Chief Executive Officer, the Board of Directors or it
could be the Corporate Safety Manager/Director. If there is commitment everyone becomes a leader, but
there have to be targets to ensure everyone is pulling in the same direction. In the era of acronyms, these
must be SMART:-

Specific: what must be achieved?

Measurable: must be measured in a consistent manner which will demonstrate the progress to
the target

Achievable: must be realistic but a challenge. (If the target is too easy there will be no incentive;
if it is too hard the team could lose heart. Success breeds success.)

Relevant: the team must be able to relate to the target

Timed: the target must be time marked DD/MM/YY

It is self evident that corporate targets will be on a different and longer time scale than those of the local
department and the corporate targets will be more general while the local ones will be more specific. The
corporate and local targets must therefore be complementary.

At the corporate levels the targets could be of the form:

1. To reduce injury accident rates by x% by DD/MM/YY

2. To reduce carbon dioxide production by y% per tonne of product by DD/MM/YY

3. To reduce solid effluent disposal to z tonne/yr by DD/MM/YY

Naturally the targets must be relevant to the organisation, as indicated earlier, and therefore must reflect
an area of the Safety/Environment, which the company believes (commitment), should be improved.
There must be some research (leadership) into the following aspects of performance:-

Past Performance: Any previous performance can be bettered with the correct commitment. This may
involve examination of performances such as Abnormal Incidents, Dangerous Occurrences, Accident
Causation, Injury Accidents, Effluents, Efficiency.

Bench Marks: Benchmarks for performance may be set by another company in the same sphere of
production. (If company A is better than company B, what does company A know that company B should
know?)

Legislation: Legislation will be fluid for a number of years - it may be that this sets targets. (This already
exists in The Offshore Safety Case Regulations.) The progress (good or bad) towards the targets will normally
be reported in the Annual Report to the Shareholders. This also shows a corporate commitment, as
shareholders may view a poor HSE performance as a good reason for selling their holdings in that company -
this reduces the corporate value and makes it more vulnerable to take-over. (The new Management will
then sort it out with the inevitable loss of jobs in the previous company!)
Audits: The audit will probably recommend some actions for improvement.

Organisation

The HSE have given the characterisation of a good organisation under four headings:

Control

Cooperation

Communication

Competence

(Successful Health and Safety Management HS (G) 65)

Control: is (usually) a manager's responsibility - the Manager must, by definition, be in overall control or
charge of the Manager's job functions, including SHE. This will involve establishing the policy, setting
the targets to be achieved and monitoring the progress towards the target.

As part of the control process there should be an active identification (and if necessary quantification) of
all risks and a planned review, measurement and audit of all safety activities. The control must be
supported by active implementation and performance records. It is obvious that the words must be
supported by leadership and commitment.

Cooperation: is the act of involving all groups of the organisation in the drive for safety - the team effort.

Communication: is the act of listening to concerns as well as informing all levels of the company of the
drive for SHE.

Competence: is the act of having the correct people, with the correct skills and knowledge in the correct
job functions.

Planning

Plan is defined as a thought out arrangement or method for doing something.

The plan must be clearly thought out as there has to be a clear structure for achieving a change or else
the change will only be partial and ineffective. It is to be hoped/expected that there will be a MS within
the organisation but it will be assumed that a company has carried out a review and that the results of
this review have produced the results we are good - but we could be better.

The start of the planning process will involve three questions:

How good are we?

How good could we be?

How do we achieve the change?

It may be concluded that the answers to the first two questions require no change - would this still be
true if a new operation was introduced? When drafting these notes there was a thought that the word
"could" might be replaced by the word "should". This was resisted as the word "should" implies a standard
lower than the word "could".

The qualitative judgement of performance can be achieved by thorough analysis based on

Industrial Best Practice

Corporate Performance

Audits

Legal

Regulations

Approved codes of Practice

Codes of Practice

International Pressures/Trends

Inevitably this analysis will produce targets for future improvements. Once these are set, the resources
and campaigns must be put in place. The campaigns must be appropriate to the organisation but should
start with some risk assessment process. First the hazards must be identified and then assessed against
best practice or other requirements. Following this, the improvements, be they
hardware/procedure/controls, can be put in place. If the procedures do not exist - for example on a new
site - this may be a formidable task.

Finally, the procedures for ensuring the compliance must be devised and put in place. (See F 8).

Implementation

The implementation involves allocating the responsibilities for the execution of the plan. This will involve
targets and the authority to carry out the appropriate changes (but consider also the Management of the
Change as the change must be managed to ensure that it does not create a worse situation in the
transition). The implementation should be appropriate to the organisation. (See F10)

Monitoring

The monitoring of the plan would be very finely tuned to the organisation and its needs - these will be
discussed later but will generally involve measurement of compliance (See Audits F 11).

Audits

Naturally, one of the means by which compliance (and performance improvement) can be assessed is by
the audit process. The audit could normally be part of the planning process so (hopefully) any follow up
audit would be no more than fine tuning (See F 11).

Review

The whole change will have both a long-term objective and milestones. In the real world, some fine-
tuning will be needed, some problems will be found that need resolution and there may be a need for
more resources to reach the targets. This may result in a recycle back to Policy.

F 7 Management Systems at the Work Place

Introduction

There are many Management Systems which are commonplace and in general use. It would be wrong to
ignore them in the total spectrum, so there are no apologies for any repetition. This is, once again, a
dilemma - to whom are these notes directed? If they are directed at a Senior Manager, there may be a
tendency to say, "I know! I know!" But, to a young manager seeking professional qualification, there is a
risk of projecting them onto a high plane and producing a response "That does not apply to me! What are
you getting at?"

This is a difficult topic. Is it telling, not teaching, or "This is what I believe", or is it "This is what should be
done"? This section of the notes is not meant to teach management skills but to give indications. The
skills will be learnt elsewhere. This section should be read in this manner - it is not complete, but some of
it may make the reader think again or see something in a different light. At no time will any reference be
made to legislative requirements, as that is implicit and cross-referencing may result in the loss of thrust in
the argument or the points being made.

Two reference organisations will be chosen to illustrate the work place: Design and Operator.

Design

The Policy

Any devolved policy statement from the corporate policy will inevitably be more focussed on the work
scope, what can be achieved and what is achieved. The Policy will, however, complement the Corporate
Policy Statement and reflect what that department can achieve to satisfy the Corporate Policy.

In a Design Office, accidents can still occur, even from lifting paper or tripping over a trailing flex. The
Policy might reflect the need to use best design practice and the need to review/audit the work/design at
appropriate times. The policy may also reflect the willingness of Senior Managers to help to resolve
problems and the need to discuss problems - "If in doubt, ask". A minor design error may have serious
implications for someone else. (I know, one piping designer ran a pipe at 6ft 4in and I always caught my
safety helmet on it. I am 6ft 3in tall and my helmet adds 2 inches!)

In an Operations Department, the policy may reflect the need for best operating practice and compliance
with instructions at all times. The policy may also reflect that production is subservient to safety and that
any untoward event must be reported and investigated fully. It is possible that the policy may be blunt
and to the point: "Violation of instructions will result in disciplinary action".

Leadership and Targets

Leadership

The leadership must come from the top but everyone can act as a leader. The leader must set the
standard and reinforce the need for safety.

In the Design Office, the standards can be readily set but they must be seen to be meant. There must be
the resources to handle problems and a willingness to respond to problems in an encouraging manner.
There must be a clear monitoring process for all work carried out.

In the Operations Department, the leadership can be more positive. The manager must be visible and be
seen to be paying attention to safety detail, even if it is reading shift logs, walking round the plant and
talking safety to the operators. Above all, the leader must demonstrate the highest standards of safety,
both by action and reinforcement.

Targets

The targets for a Design Office are less clearly defined but could be at one level to reduce minor injuries
and at another level to have targets to carry out design reviews by (a date) and to have follow-up work
carried out by (a date). It would be fairly easy to devise other appropriate targets such as percentage
compliance on audit and training for engineers on a specific skill or legislation.

The targets for an Operating Department are more readily defined. These could be an injury frequency
rate on a moving, decreasing target year on year. Another target could be the audit of x% of all PTW with
a target of y% accuracy/detail. Yet another target could be to reduce effluent rates or fugitive emissions
or to reduce losses during a shut down/start up by z% against the previous achieved best. In yet another
target, it may be that all personnel are given fire fighting training/refreshers once per year and another
that all trip/function testing of shut down systems will be carried out within one day of the determined
routine. The same might apply to maintenance and the timely inspection of equipment.

All targets are only examples but consider, for example: -

Training in new legislation

Training in preparation for equipment maintenance

Review of operating procedures on a routine

The list in both cases is only indicative.

Organisation

Control

It is self-evident that all systems, be they management or a process, require a control system and, in the
extreme, a shut down or disciplinary system.

The first level of control is to define the responsibilities and accountabilities of all members clearly, in the
Design Office or the Operations Department. This would also extend to the scope for decision-making. At
the Design level there will be a fairly well defined task, but at the Operations level the responsibilities
during the Dark Hours must be defined. Obviously, the Shift Supervisor will have some clearly devolved
responsibilities, which should be well defined within the WGOs/SIs and PIs, but the Operator's
responsibility must be to comply with instruction and to report any deviation from normal. In particular,
operations personnel operating outwith their responsibilities or competence have every potential to cause a major
upset, so the definitions of scope and responsibilities are essential, and equally so is the assurance that
they are adhered to.

The next level of control is the standards and procedures, be these design standards or operating
procedures. Naturally, these will require review and amendments in the light of evolving experience.
These should be extended to contractors.

The next level of control is the resource for carrying out the HSE requirements. This may be monitoring
the environment or contractors or even the performance of personnel in the office or department. The
resources will be both manpower and finance.

The final level of control is the disciplinary process, which should be visible, but not a threat.

Cooperation

Cooperation is a two way process, which requires that all members work to a common good, and the
capturing of ideas.

In the Design Office it may be that there is a new or better way of carrying out the design (however,
ensure that the Management of Change Procedures are used properly). The Designer may perceive that
there is a potential hazard and must feel free to discuss it with someone more appropriate.

Cooperation is very much common sense and, although more could be written on it, it was felt that this
would only be reiterating good management skills. The following are worthy of note:

Suggestion schemes

Abnormal Occurrence Reports/Investigation

Dangerous occurrence reporting

Safety groups or circles

Problem solving

The list is an essential part of task analysis.

Communication

One of the most important mechanisms for gaining commitment is by communication. There are also
many examples of the need for communication. Communication is not only verbal but also written. At
the verbal level, the communication could be simple day to day discussions of a piece of work, how it
could be handled in a safer manner and how it should be handled to ensure a safe objective is achieved.
Other forms of communication are obviously meetings, informal (sometimes called tool box) or more
formal in the form of safety committees. It must never be forgotten that if a meeting is considered to be
only a talking shop, with the outcome resulting in little progress or change, commitment will be lost. The
verbal communication must be two-way and achieve progress.

The following map, taken from The Chemical Engineer, 11 March 1999, shows the benefits of the dialogue
such that all share the same positive attitude. This is corporate culture.

Stages of safety culture improvement

Above all the role of a Manager in the team can lead to enhanced safety if the Manager listens and
responds to suggestions as well as proposing changes. This results in a two-way information flow and a
team building/confidence in both parties.

At the written level, there are obvious hard systems. In the Design Office, there will be design
procedures/standards but also engineering design change procedures such that everyone can comment
on any change. There will also be Quality Assurance procedures for records and communications. This
will extend to revision of P&IDs and other engineering drawings.

In the Operations Department, the written procedures become more vital. At one level there is the shift
handover log, which is a permanent record of what happened, why, and what was done (or should be
done). There are many examples of failure of the handover system leading to a serious event. It is
arguable that one of the direct causes of Piper Alpha was poor shift handover.

Another example of written communication is the Permit to Work system, but more obviously the
communication is in Operating Procedures, P&IDs, Data Collection, Hazardous Area Classification
Drawings, Design Data/Philosophies - process operating parameters and analytical results. Various other
thoughts on communication are the manner in which information is displayed and recovered. The
information should be in the right place and readily recovered. This begins to impact on the Man/
Machine Interface, which is treated as essential on aircraft - why not on process plant, where a greater level of
disaster can arise?

Competence

There are two elements to competence. Knowledge is obviously essential but equally so are skills and
experience. A graduate chemical engineer should have sufficient knowledge to be a process operator
(avoiding the use of the adjective "good") but it may take years to acquire the skills and experience to be
a good operator.

At the highest level, a University degree does not guarantee competence and, increasingly, Institutes
(Institutions) of Engineering require Continued Professional Development (CPD). It will be noted that
many courses and symposia now include a table giving the CPD points so that there is a form of
measure on the total CPD in a year. The manager, at whatever level, must ensure that those below (and
the managers as well) have the correct knowledge, skills and experience (skills matrix) to do the job fully
and well. This will involve reading, attending courses (internal or external) and exposure to new
situations. Inevitably, an inexperienced member of the team will require some training and, following
this, supervision until the member has demonstrated the appropriate skills and experience.

Annual appraisals are one obvious means of assessing competence but it would be wrong to ignore the
spadework required to acquire the material to do this assessment/appraisal. This may involve sampling
technical work, observing performances of juniors (at all levels), asking probing questions to test the
member - but in a very casual manner. Such a technique is used during the interview when seeking
Chartered Professional Status (IChemE). With good management skills using eyes, ears and feedback, a
very accurate assessment can be made - but it cannot be done from a desk alone.

It is obvious that the assessment of the skills and knowledge of the operation group requires exposure on
the site, walking and talking with supervisors and operators. No one can teach these skills but the
experienced eye will spot short cuts taking place. The deftness of the control room operator and the
ability to recognise faults are skills which can be readily recognised. Likewise, the manner in which a
pump is started or an incident is handled by a supervisor or operator is readily recognised. This is
"Managing by Walking About".

In the operating environment, the speed and skills of response to an upset are fundamental to safety and
operation. If the operator/supervisor cannot handle the situations positively, it is essential to determine
whether the problem is due to a lack of experience and training or whether it lies in the psychology of that
person; if the latter, a different action must be taken - one might be to put the person into a different job!
The purpose of this section of the notes, which are directed at a Masters level, is to give indicators. These
will be the final words on competence.

Monitoring

There is little use in having a plan if progress is not monitored and if the working practices are not
monitored. Naturally, the progress towards any targets must be monitored to determine any need for
adjustments to the safety/environmental plans but there are other monitoring techniques, which can be
applied and in some cases come very close to Audits.

In the Design Office, there are many useful tools which include:-

Structured Project Safety Studies/Audits

HAZOP

HAZID

Relief Reviews

Hazardous Area Classification


Design Standards

Design Guides

Risk Assessment

The results of all of these become part of the Safety Dossier (see part A)

In the Production Department/Environment, the monitoring is less high level but more down to earth.

Incident Investigation: Where the CAUSES are determined and controls or procedures are put in place.

Abnormal Occurrence Investigation: Where an unusual event which might have created an
incident is investigated to identify the corrective actions to eliminate the causative
problems.

Site Tours: Where the site is visited and compliance with procedures and performance of the
personnel and the process are verified by observation.

Plant Records Review: Where the plant records are checked to show that the process and
equipment are performing as intended. Is there any evidence of slow, systematic shift/drift?

Plant Analyses: Does the record show the product quality is consistent and not overly pure?
(This will usually mean excess energy is used in separation.)

Plant Yield: Is this monitored and recorded?

Plant Efficiency: Is this monitored and recorded?

Equipment Performance: Does any piece of equipment have a poor reliability and require
endless maintenance? (Maintenance may involve plant intervention, which can itself be a
source of hazards.)

Function Testing Protective Systems: Are the tests carried out on time and in the correct
manner? Does the performance match the required performance? (Poor performance can
lead to a hazardous situation.)

Personal Protective Equipment: Is it used properly and is it in good condition?

Are PTW issued correctly, followed correctly and are deficiencies identified and corrected
speedily?

Do operators feel uncertain about some phase of the operation and can improvements be
devised?

Are changes subject to management procedures?

Are trip hazards removed in a timely manner? (Why were they there in the first place?)

Certain clearly identifiable environmental monitoring tools might include the following:

Are samples taken correctly?


Are drains/vents blanked off?

Is all process drainage captured and recovered?

Are drums of oil stored correctly and handled correctly?

Is a maintenance site tidied up after the work and no waste left on the site?

Audits

Audits are discussed in F 10. Audits should be carried out on routine to identify areas where change may
be appropriate. These will complement the routine monitoring procedures and will also reinforce the
leadership and commitment to safety.

Review

The performance targets must be kept under constant review. This will involve not only the progress
towards the safety and environmental targets but also a review of the detail of Audits and the need for
changes. This in turn must be communicated to all so that all are aware of their own achievements.

Performance Indicators

As part of the Management System there should be performance targets and also indicators. The process
performance indicators could be yield or service usage per tonne of product, but safety performance
indicators need more careful review.

Safety performance indicators could include Injury Accident Rate, Protective System Reliability, PTW
accuracy, VOC losses/dumping or any such indicator considered appropriate and meaningful.

F 8 Safety Management Systems (SMS)

Introduction

SMS are good common sense! However, they are not as simple as might be first thought and they are
becoming the key drivers in improving safety/environment. This is evidenced by the reports on
incidents/accidents which invariably have major references to deficiencies in the Corporate Management
Systems.

There are so many possible Safety Management Systems that there is not enough time or paper to write
on all of them. Design Standards are a form of SMS, as are Annual Appraisals and Training (Continuous
Professional Development). Therefore it is easier to use illustrations, more particularly in the Production
Environment, as this is where they are probably most important. (The general ideas are equally applicable
to other working conditions.) This section may appear to be a repetition of expectations with nothing new.
Please read on and digest it; the main features of Management Systems are the thought and the detail
that is in them; they are not simple in any way!

Part A outlined the operation of SMS and gave some limited examples; however, any SMS, large or small,
will have the following elements:-

Safety Policy Statement

Leadership and Targets

Communication

Co-operation

Audit/Review

There is a whole raft of legislation and legislative requirements, of which the following is a small
sample:-

Safety Policy

Safety Standards

Competent Advice

Safety Representatives/Consultation

Management of PTW

Supervision

Emergency Planning

Training/Competence

Health Surveillance

Biological Hazards

PPE

Machinery/Guarding

Pressurised Systems

Maintenance

Heating and Lighting of Premises

Electrical Supplies

Control of Access/Egress

Signs

Accident Reporting

Licences

Certification

Cooling Towers, (legionella)

etc.

The list might appear to show that SMS is fully covered by Regulations, Approved Codes of Practice and Codes
of Practice; this is not necessarily so. Reference to the above alone is not adequate in terms of
Professional Development.

S.M.S. - A Development

All SMS must ask two questions:

Can it be done safely - and how?

Was it done safely?

This thread will run through the following examples.

The main elements or steps in answering these questions and applying SMS are to be found in Risk
Assessment. These are:-

Identification

Assessment (Quantification/Qualification)

Control/Mitigation

Assessment - Verification

There is a recycle loop in SMS, which is not always carried out in Risk Assessment. In reality many Risk
Assessments cannot be fully verified, but there are regulations in force offshore, the Prevention of Fire and
Explosion, and Emergency Response Regulations (P.F.E.E.R.), which require performance standards to be
established and verified. That is, if the shut down system has to operate properly on at least 95% of all
demands (FDT/PFD = 0.05), can this be demonstrated by testing? Nearly forty years ago a High Integrity
Protective System, similar to that shown in Part D, was designed to achieve a certain performance but the
results of the function tests showed it was failing to achieve the performance targets. Certain detectors
did not meet the required performance standards and were changed. There was a SMS in place even
then!
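The testing question above can be put in numbers. The following is an added example, not from the notes or from any regulation: it takes constructed function-test records, puts a one-sided confidence bound on the fail-on-demand fraction of each item, and shows how many fault-free proof tests are needed before the 0.05 target can be claimed. The 90% confidence level, the single-channel FDT = lambda T/2 model and all item names and counts are assumptions.

```python
import math

TARGET_PFD = 0.05    # the notes' example: must operate on at least 95% of demands
CONFIDENCE = 0.90    # assumed one-sided confidence for the demonstration (not from the notes)


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p); exact, standard library only."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def pfd_upper_bound(failures, tests, confidence=CONFIDENCE):
    """One-sided upper confidence bound on the fail-on-demand fraction from proof-test
    records (Clopper-Pearson), found by bisection on the binomial lower tail."""
    if tests <= 0 or failures >= tests:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):                     # 60 halvings: well below rounding noise
        mid = (lo + hi) / 2
        if binom_cdf(failures, tests, mid) > 1 - confidence:
            lo = mid                        # tail still too large: true PFD could be higher
        else:
            hi = mid
    return hi


def tests_to_demonstrate(target_pfd=TARGET_PFD, confidence=CONFIDENCE):
    """Consecutive fault-free proof tests needed before PFD <= target is shown at the
    given confidence, i.e. the smallest n with (1 - target)^n <= 1 - confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - target_pfd))


def fractional_dead_time(dangerous_failure_rate, test_interval):
    """Average FDT (= PFD) of a single channel whose dangerous failures are revealed only
    by proof testing: lambda * T / 2 (rate per year, interval in years). Assumed model."""
    return dangerous_failure_rate * test_interval / 2


def max_test_interval(dangerous_failure_rate, target_pfd=TARGET_PFD):
    """Longest proof-test interval (years) that keeps the average FDT within the target."""
    return 2 * target_pfd / dangerous_failure_rate


def assess_function_tests(records, target_pfd=TARGET_PFD, confidence=CONFIDENCE):
    """records: {item: (tests, failures to operate on test)} from the function-test log.
    Returns {item: (observed fraction, upper bound, verdict)} so that items which, like
    the detectors in the notes, do not meet the standard are picked out."""
    result = {}
    for item, (tests, failures) in records.items():
        if tests == 0:
            result[item] = (None, 1.0, "no tests recorded")
            continue
        observed = failures / tests
        upper = pfd_upper_bound(failures, tests, confidence)
        if observed > target_pfd:
            verdict = "fails target"              # change the item, as was done in the notes
        elif upper <= target_pfd:
            verdict = "meets target"
        else:
            verdict = "not yet demonstrated"      # more tests needed before a claim is made
        result[item] = (round(observed, 4), round(upper, 4), verdict)
    return result


# Constructed function-test records, not real plant data.
SAMPLE_TEST_LOG = {
    "gas detector GD-1": (60, 0),
    "gas detector GD-2": (60, 5),
    "pressure switch PS-1": (24, 0),
}
```

Note that a fault-free record is not enough on its own: 24 successful tests only bound the PFD at about 0.09, so the claim of 0.05 is "not yet demonstrated" until the record is longer.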

As a means of demonstrating Safe Systems of Work (HASWA), the following have been chosen for
illustration:

Permit to Work

Procedures

Testing of Protective Systems

Maintenance

Management of Change

Training

Performance Monitoring

The following is a form of Management System in operation in Health Monitoring, as this has to be
managed by a mixture of hardware and software. The topic chosen is Noise.

Noise

Identification

Carry out a noise survey on the plant/site and plot noise contours on the plot plans.

Assessment

Noise levels over 85 dB (A) have the potential for noise induced hearing loss following 8 hours per day
exposure (82 dB (A) for 12 hours).

Control

Fit low noise equipment or fit acoustic booths around the noise sources and carry out a new noise survey.
(It will be assumed that noise reduction was attempted through equipment specification and design and
that further expenditure would have been prohibitive.) However, if it were possible to fit noise attenuation
features, it would be necessary to have another SMS to inhibit entry to the controlled zone.

Mitigation

Mark all noise zones over (say) 80 dB (A) with clearly visible and distinguishable markings.

Install clearly visible noise warning signs in the area.

Install signs requiring hearing protection to be worn in the area.

Issue a Works Standing Order (SI or PI) requiring hearing protection to be worn in noise areas.

Issue approved hearing defenders, free, to all employees.

Terms of contract should request adherence to warning signs - non-adherence to be a breach
of conditions.

Verification

Carry out base line and continuous audiograms on all employees (see part G).

Check the adherence to procedures (audit).

Monitor changes in the site/plant noise profile.

Monitor any change in the audiograms for the employees.

Monitor the changes in Noise Legislation.

Finally, the commitment must be demonstrated by all Managers being seen to adhere to their own rules
without deviation.
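The Identification to Verification steps above, carried through in numbers as an added example that is not part of the notes: survey readings at a point are combined logarithmically to decide which points exceed the 80 dB(A) marking level, and a shift pattern is normalised to an 8 hour daily exposure with the equal-energy rule and compared with the 85 dB(A) level. The survey points, levels, shift pattern and the uniform 10 dB protector attenuation are constructed assumptions.

```python
import math

# Thresholds from the notes' noise example
NIHL_LEVEL_8H = 85.0   # dB(A) over 8 h/day: potential for noise-induced hearing loss
ZONE_MARKING = 80.0    # dB(A): zones above this are marked and hearing protection worn


def combine_levels(levels):
    """Level at a point due to several sources: sound energies add, so the dB values
    are summed logarithmically (two equal sources give +3 dB, not double the dB)."""
    return 10 * math.log10(sum(10 ** (lvl / 10) for lvl in levels))


def daily_exposure(periods):
    """Daily personal noise exposure L_EP,d in dB(A), normalised to an 8 h day with the
    equal-energy rule (3 dB per doubling of duration). periods: [(dB(A), hours), ...]."""
    energy = sum(hours * 10 ** (level / 10) for level, hours in periods)
    return 10 * math.log10(energy / 8)


def protected_exposure(periods, attenuation_db):
    """Exposure with hearing defenders of a uniform assumed attenuation (a simplification:
    real protectors attenuate by frequency band)."""
    return daily_exposure([(level - attenuation_db, hours) for level, hours in periods])


def zone_label(level):
    """Marking decision for one survey point, following the notes' mitigation step."""
    if level > ZONE_MARKING:
        return "marked noise zone - hearing protection required"
    return "no marking"


def survey_zones(readings):
    """readings: {point: [dB(A) contributions measured at that point]} from the survey.
    Returns {point: (combined level, label)} for plotting the contours on the plot plan."""
    out = {}
    for point, levels in readings.items():
        total = round(combine_levels(levels), 1)
        out[point] = (total, zone_label(total))
    return out


def exposure_verdict(periods):
    """Assessment step: compare the 8 h exposure with the notes' 85 dB(A) level."""
    lep = daily_exposure(periods)
    if lep > NIHL_LEVEL_8H:
        return round(lep, 1), "potential noise-induced hearing loss"
    return round(lep, 1), "at or below the 85 dB(A) 8 h level"


# Constructed survey and shift pattern, not real plant data.
SAMPLE_SURVEY = {
    "compressor house door": [88.0, 82.0],   # compressor plus a nearby pump
    "control room": [55.0],
    "pump P-101 bay": [79.0, 76.0],          # two sources, each below 80 dB(A)
}
SAMPLE_SHIFT = [(88.0, 4), (80.0, 2), (70.0, 2)]   # hours at each level in an 8 h shift
```

The pump bay case is the one worth noting: two sources that are each below the marking level combine to 80.8 dB(A), so the survey must be done with the equipment running together, not source by source.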

The main sections will now be addressed: -

Permit to Work

There are many forms of Permit and they also have different names but generally mean the same thing.

The following is a list in a descending order of Risk.

(Under Pressure break in)

Entry Permit

Hot Work Permit

Electrical Isolation Permit

Nucleonic Isolation Permit

Cold Work Permit

Excavation Permit

Roof Access Permit

Road Closure Permit

Scaffold Permit

The list is not exhaustive - the top item was put in brackets as some companies may consider this to be a
special permit. The order can be discussed and some may feel that the order of two could be reversed,
but the entry permit does come exceedingly high as there is a risk of asphyxiation and the risks are higher than
for cold work. Do not forget that humble scaffolding could create problems with lighting, valve access and
means of escape, and a road closure could inhibit access for the emergency services.

Identification of Hazards

On routine tasks there may be a written procedure already in use but for complex tasks it may be
necessary to carry out a Task Analysis where each step is analysed in detail to establish the potential
hazards of that step and the mitigating features that might be applied. The following guidewords are
given to assist this task.

What are the tasks?

What are the hazards associated with the task?

What are the potential effects on?

Personnel Involved

The Process

The Environment

The Bystander

What are the secondary hazards of the task?

Noise

Impaired Lighting

Impaired Access

Impaired Escape

Fume

Leakage

What are the hazards in the area?

Noise

Hot Metal

Leakage

What are the means of escape?

What tasks are mutually incompatible and forbidden?

What must be done if the task cannot be carried out as intended/specified?

What should be done on sounding of alarms?

Does everyone know what is to be done and by whom?

The following are some guidewords, which will assist in the identification of some of the hazards.

Under Pressure Break In

NDT

Finite Element Analysis

Metallurgical Assessment

Means of Escape

Handling Emergencies

Handling a Process upset

Communication

Authorisation of a Qualified Engineer

Entry Permit

Isolation Process:

Process - including purges

Nucleonic

Electrical

Instruments

External sources of hazard

Purging - gas freeing

Air Tests: How?

How often?

Where?

What for?

Accuracy/Relevance/Limits

Portable Meters:

O2 Deficiencies

Flammable

Toxic

Means of Escape:

How?

Harness?

Stand by?

Lighting:

Impaired or requiring reinforcing

Change of working environment due to disturbed debris or sludge.

Spillage/draining of process fluids

Communication:

Routine

Health check

Recording entry/exit; other permits in operation (compatibility)

Change in wind direction

Plant condition change

Hot Work

Isolation of all process fluids

Spill collection containment - drains and other

Spark suppression/control

Sources of spillage and leakage in the area. How can they be prevented/mitigated?

Tools

Other permits in operation (compatibility)

Monitoring the local environment for hydrocarbons, toxics or changes in condition

Access

Means of escape

Communication

Change in the working environment due to disturbed debris or sludge, spillage/draining of
process fluids

Change in wind direction

Plant condition change

Isolation

Standard Task Procedure

Cold Work

Isolation - Process and Electrical

Draining

Preparation

Access

Tools to be used

Lifting hazards

Trapped fluids

Source of leakage

P.P.E.

Other hazards in the area

Means of escape

Communication

Change in the working environment due to disturbed debris or sludge, spillage/draining of
process fluids

Plant condition changes

Excavation

Toxic or flammable gas freeing - can fumes drift into the excavation?

Piping/cables in the area

Consolidation of the sides of the excavation against inward collapse

Rainwater accumulation

Soil retention

Signs/barricades

Communication

Access

Means of Escape

Change in wind direction

Process upset

Roof Access

Work Below

Nets or roof ladders

Harness

Duck Boards/Roof Ladders

Road Closure

Emergency Services

Warning Signs/Detours

Runners

Scaffold

Access to/from

Load limits

Lighting

Valve access

Instrument access and possible damage

Change in process indicators

General Guidewords

Dropped loads

Fluid properties:

Flammable

Toxic

Environmental Impact

Pressure

Temperature

Cold Work Permit

The following is a simple but usable cold work Permit and a covering Works Standing Order (PI or SI). It
will be noted it calls for competence of all parties involved.

It is important that permits and their control/supervision are adhered to completely. There have been
too many near misses recorded in LPB and other documents like it. Please read "Beware the Unexpected"
- IChemE Loss Prevention Bulletin No. 104.

YOU CAN NEVER BE TOO CAREFUL!

The following is a worked example of the operation of the PTW: -

Cold Work Permit for Pump Removal

Try to fill out the permit in full. The pump in question is driven by an electric motor and contained petrol.

Identification

Process Hazards

Leaking Fluids

Flammable; could damage eyes.

In contact with a potentially toxic/carcinogenic fluid?

Low Pressure but could be pressurised by a leaking isolation valve (called trapped pressure)

Pressure and temperature in this case are not hazards in themselves

Electrical Hazards

Motor may rotate during removal and cause injury

Mechanical Hazards

Motor may rotate during removal and cause injury

Lifting hazards while removing the pump itself - back/hand injury

Piping should be supported correctly once the pump is removed.

Chemical Hazards

Petrol - potential fire and toxicity

Access

A lifting frame will be required for the pump

Access to valves and joints is acceptable

Lighting

Acceptable - plant lighting/sunlight

Ventilation

Acceptable - open air-wind blown

Other Hazards

None - no hot metal, drains are clear

Means of Escape

Acceptable

Communication

Tannoy

Quantification

Motor must be fully isolated, isolator to be open, fuses drawn and stored in a safe

Single isolation valves are acceptable at the process pressures on suction/discharge of the
pump

Isolation valves to be locked CLOSED and the keys stored in a safe

Isolation valves to have tags fitted

Isolation integrity to be verified by a pressure rise/leak off test

Control

Motor isolated and fuses stored in a fuse safe. Motor isolation proved by an attempted motor start, and
pump isolation standards (leaking valves leading to trapped pressure) proved by a pressure rise in
the pump body

Access is acceptable

Lighting is acceptable

Ventilation is acceptable, keep up wind of the joint

Process fluids to be drained into the closed drain and the pump flushed with water

Non-sparking tools to be used for bolts

Mitigation

Goggles/Safety Helmets/Gloves to be worn by fitters

Area to be roped off

Piping support to be checked and props fitted if necessary

Fire extinguisher on hand

Prior to the work the Maintenance Supervisor and Process Supervisor must visit the site and
agree the whole isolation is sound and access is clear

The joints are to be broken away from the fitter such that any leakage does not spray the fitter

Once removed open ends should be blanked off tightly - the blanks should have a test cock
against valve leakage when refitting the pump.

The pump should be removed to a cleaning bay

A Cleanliness Certificate should be issued before the pump is removed to the workshop.

Verification

The work site should be visited by the Production Supervisor at least once to verify compliance with the
P.T.W.

Summary

Electrical Isolation Permit


Isolation (process) Permit

Cleanliness Certificate

Cold Work Permit

Below are examples of Standing Instructions and a Standing Instruction for the start-up of a pump.

F 9 Standing Instructions or Permanent Instructions or Works General Orders or Operating Procedures

SIs, PIs and WGOs are the record of the expectations of managers. In a design office they
may take the form of a Design Guide or Standard.

Two guiding principles will apply to any operating procedure.

Do not expect someone to do a task that you would not be happy to do.

Do not expect someone to do a task that you could not do as well - if not better.

The first principle is directed at ensuring all risks associated with the task are reduced to as low as is
reasonably practicable. (If there is any risk would you accept it?) The second principle is that the person
doing the work must feel at ease with the task and have the skills and knowledge to carry it out fully and
well. The procedure must follow the steps:

Identification

Quantification (Qualification)

Control/Mitigation

Verification

Standing Instruction Company A

Number 1

Title: Permit to Work

Prepared by: J Bloggs

Authorised: A Scouser

Copies to:

Records,

All Plant Standing Instruction Dossiers

All Plant Supervisors

Last Issue: 1 March 2014

PERMIT TO WORK

XYZ COMPANY

The following instructions and notes are given to those who use Permits to Work and those who are
Performing Authorities in the XYZ Company.

It is the policy of the XYZ Company to issue specific permits for each task that involves a change from
standard operation. Under the appropriate circumstances the Permit to Work may also require additional
permits, which might include:

Entry Permit

Electrical Isolation Permit

Nucleonic Instrument Isolation Permit

Process Isolation Permit

Scaffold Permit

Roof Permit

Excavation Permit

Road Closure Permit

Only those who are fully trained, assessed and authorised as Issuing and Performing Authorities may sign
the permit. Under no circumstances may the Issuing Authority and Performing Authority be the same
person. If the Performing Authority is a contractor he/she must be fully trained and assessed and
authorised to carry out the tasks.



The permit copies MUST be displayed at the work site. Routine audits of the operation and adherence to
its requirement WILL be carried out without notice. If the work is not being carried out in accordance with
the permit, the permit WILL be withdrawn and the work site returned to a safe condition.

At a shift change the status of all permits MUST be a part of the shift handover.

The Main and Local Control Centre copies will be held on a special rack and be visible to all personnel for
inspection and appraisal of the plant condition.

A copy of all signed off permits will be retained for inspection for a period of two years at the issuing
centre.

A register of all incidents, which occurred during the operation of the permit, will be held in the control
room. In particular all incidents which could be dealt with by improvements to this procedure will be
recorded and actioned.



Standing Instruction Company A

Number 2

Title Instruction on Filling in the PTW (Cold Work)

Prepared by: J Bloggs

Authorised: A Scouser

Copies to:

Records,

All Plant Standing Instruction Dossiers

All Plant Supervisors

Last Issue: 1 March 2014

PLANT: The plant should be clearly defined by its name and location.

AREA: The exact area of the plant should be specified.

DATE: Self-Explanatory - day/month/year.

1. EQUIPMENT

The title should be exactly as the equipment is labelled on the site and P and I Diagrams. The
Number should be a unique identification. The Serial Numbers A, B, C etc, MUST be specified. A
tag number MUST be specified if there is any possibility of confusion.

2. TASK

2.1 The task must describe exactly what work is to be carried out - "Maintain the Pump" is NOT
ACCEPTABLE - it should define exactly what will be carried out, such as "Remove Pump
Rotating Unit - take to the cleaning compound - steam clean - await Cleanliness Certificate
before taking the unit to the workshop."

2.2 The limitations must describe what work MAY be carried out and what MUST NOT be carried
out. For example, it may say "Inspect the pump unit - no joints may be broken without
issue of a new permit."

2.3 The tools must be carefully specified to reflect the local plant hazards.

3. PERIOD OF VALIDITY

3.1 The permit will normally last for the duration of the shift issuing the permit.

3.2 The renewal may extend up to but no more than 24 hours.


4. HAZARD IDENTIFICATION

4.1 There WILL be a structured identification of all Mechanical, Process, Electrical, Civil and
Instrument and Chemical Hazards involved during the performance of the task. In the
case of routine tasks this may be in the form of a standard sheet.

Attention will be paid to: -

The means by which the equipment will be isolated from all sources of harm. This could include
lock-closed valves, slip plates, blanks, electrical isolation, clamped shafts and protection from any
moving parts.

The control of isolations covered by more than one permit.

The nature of the fluids/chemicals and their relationship to the Control of Substances Hazardous
to Health Regulations (C.O.S.H.H.).

The work at height and the means of primary and secondary escape.

The work in confined spaces and the attention to access, primary and secondary escape.

The need for Entry Permits.

In the case of novel or unusual tasks a full task analysis (as in management of change) will be
carried out, involving assessment of the risks, loads/forces, site surveys and underground surveys.

The results of these assessments will be recorded as part of the task analysis and also in the
permit. This section is central to filling in the rest of the permit.

5. EQUIPMENT PREPARATION

5.1 The means of isolation will be specified, the isolation certificate number will be recorded, the
location of blanks, slip plates and locked valves will be itemised.

5.2 The process preparation will be specified in detail, such as "Drained of process fluids and
flushed with water."

5.3 The residual fluids that may remain must be stated: process fluids, toxic, acid/alkali or flammable
materials, or water.

6. OTHER HAZARDS IN AREA

This section is self-explanatory and could include steam mains, sample points and rotating equipment
(guards must be fitted).

The section may also impose limitations on other permits - for example, "no other joints may be
broken within 25 metres of the work site."

7. AREA PREPARATION

This section should refer to the preparation of the area: drains flushed or sand-bagged, a roped off
maintenance area where access is controlled, the need for scaffolding for access, and gas detection in
drains or locally. Particular attention must be paid to access and means of escape from confined
areas or work at height.

Consider if local environmental monitoring is required.

8. PERSONAL PROTECTIVE EQUIPMENT TO BE USED

8.1 This should include a detailed description of ALL of the personal protective equipment to be
worn - this could include but is not limited to helmets, visors, hearing protection, eye
protection, protective clothing, gloves, boots, and special suits. Consider also the need for
harness and breathing air sets. The range is not meant to be complete and must reflect
the hazards involved in the task and the site.

8.2 Site protection may include removal of trip hazards or protecting work areas where over-head
hazards may exist.

8.3 The preparation could include locking off sample points.

8.4 Gas detectors may be required - but it is not normal for breaking of joints.

9. SUPERVISION

9.1 This may specify the need for special supervision if unusual work is carried out (see also
Hazard Identification).

10. WHEN MUST THE WORK BE SUSPENDED

Detail those conditions under which work MUST be suspended. In particular, specify those changing
conditions, or those intermediate goals which MUST be achieved, before the work can proceed to its next stage.

11. WHEN MUST THE SITE BE EVACUATED

Detail the alarm signals/warnings, which will require the evacuation of the site.

Note: Sections 10 and 11 are closely related. The work MUST NOT be suspended, nor the site
evacuated, if doing so creates a hazardous condition.

12. ISOLATION CERTIFICATES

Detail those certificates, which will apply to the task to be performed.

13. OTHER CERTIFICATES/PERMITS

Detail those certificates/permits, which will apply to the task to be performed.

14. OTHER PERSONS WHO SHOULD BE NOTIFIED

The work may affect more than one area of the plant. Incompatible activities such as opening
joints and welding must not be carried out in close proximity. If the notification is not detailed
potential hazards may be created.



Consider the need to inform also the operators in the area/areas as well as the other issuing
authorities.

HAND OVER

This MUST NOT be signed before both authorities have discussed the task, have inspected the site
and are in TOTAL agreement with the contents of the permit.

HAND BACK

This MUST NOT be signed before both authorities have inspected the site and agree that the site
has been returned to a safe condition.

LOCATION OF COPIES OF PTW

The copies must be clearly displayed as indicated. The work MUST NOT start until all permits are
logged in the correct place.

Top copy to be held at the work site.

Second copy to be held in the main control centre.

Third copy to be held in the local control centre.

Fourth copy to be held by issuing authority.

FILING

The Control Room copy will be held in Archive for at least 2 years.

(The following permit has been condensed to save space.)

It might be a useful exercise to fill one in for a task in the laboratory environment.



PTW COMPANY A

PLANT: ........ AREA: ........ DATE: ........ REF. NO: ........

1. EQUIPMENT
   TITLE
   PLANT/EQUIPMENT NUMBER
2. TASK
   2.1 EXACT DESCRIPTION OF TASK
   2.2 LIMITATIONS OF SCOPE OF TASK
   2.3 TOOLS PERMITTED
3. PERIOD OF VALIDITY
   3.1 FROM (TIME, DATE) TILL (TIME, DATE)
   3.2 MAY BE RENEWED Y/N?
4. HAZARD IDENTIFICATION (SPECIAL ENGINEERING FEATURES)
   4.1 MECHANICAL REVIEW
   4.2 PROCESS REVIEW
   4.3 ELECTRICAL/INSTRUMENT REVIEW
   4.4 CHEMICAL HAZARDS REVIEW
5. EQUIPMENT PREPARATION
   5.1 MODE OF ISOLATION (INDICATE TAG NUMBERS)
   5.2 DRAINING/PURGING
   5.3 POTENTIAL HAZARDOUS FLUIDS IN THE EQUIPMENT
6. OTHER HAZARDS IN AREA
   6.1 TRAPPED PRESSURE
   6.2 SERVICES
   6.3 OTHER PROCESS EQUIPMENT IN THE AREA
   6.4 OTHER SOURCES OF HAZARD
   6.5 OTHER PERMITS IN THE AREA
7. AREA PREPARATION
   7.1 DRAINS
   7.2 ROPING OFF
   7.3 SCAFFOLD
   7.4 OTHER ACCESS
   7.5 OTHER
8. PERSONAL PROTECTIVE EQUIPMENT TO BE USED
   8.1 PERSONAL PROTECTION
   8.2 SITE PROTECTION
   8.3 GAS DETECTORS
9. SUPERVISION
   9.1 SITE TO BE INSPECTED EVERY ...... HOURS BY ......
   9.2 PERMANENT STAND-BY PERSON REQUIRED?
10. WHEN MUST WORK BE SUSPENDED?
11. WHEN MUST THE SITE BE EVACUATED?
12. ISOLATION CERTIFICATES
   PROCESS: NO ...... INSPECTED BY ......
   ELECTRICAL: NO ...... INSPECTED BY ......
   NUCLEONIC: NO ...... INSPECTED BY ......
13. OTHER CERTIFICATES/PERMITS
   13.1 HOT WORK
   13.2 ENTRY PERMIT
   13.3 CLEANLINESS CERTIFICATE
   13.4 SCAFFOLD CERTIFICATE

HAND OVER

1. I agree the site has been inspected and is in accordance with this certificate.
2. I agree that the site is safe so far as is reasonably practicable.
3. I agree that the work will be carried out exactly as specified.

Issuing Authority (Time ...... Date ......)    Performing Authority (Time ...... Date ......)

LOCATION OF COPIES OF PTW

Top copy to be held at the work site.
Second copy to be held in the main control centre.
Third copy to be held in the local control centre.
Fourth copy to be held by the issuing authority.



Operating Instructions

The preparation of any procedure (an SI) is a team effort. The person who is to do the work has skills and
knowledge which must be drawn on. That person may wish to carry out the task in a manner which
involves risks, or, equally, may know of a simpler and more direct way of carrying it out. If the
person doing the work thinks the procedure is wrong, it is likely that he/she will do it the way he/she
thinks best.

The identification/quantification should examine every step of the process. The following guide words
would assist this process:-

Too soon

Too late

Sequence

Timing

Identification

Warning signs

Verification of success

Warning of error

Communication

Access

This would be adequate for a routine task; a more complex procedure should be subject to a HAZOP
study.

The procedure must be clear and precise, using exact terminology. Avoid terminology such as "slowly
open the valve". What is the time frame for "slowly"? Which valve is being referred to?

The sequence of the operation must be clearly defined and the time frame defined. Valve numbers must
also be stated in an unambiguous manner. Where appropriate, warnings and guidance should be written
into the procedure. These should cover how the completion of each step can be verified and what should
be done if the objective cannot be achieved. A task left part completed is a hazard waiting to happen.

There is a balance between general tasks and the fine detail of each step of the task, but the detail and
sequence of operations may be critical and a general instruction such as "start up" is inadequate. Once
the procedure is written it should be discussed with the operating team to see if there is a better way of
carrying it out; the instruction must then be polished to ensure it has built-in quality. The next step is to
practise the procedure as a desk top exercise to ensure there are no difficulties associated with the
operation. The final step is to train the operators in the instruction, showing the operator what is required
and how it is to be carried out.



There are two additional steps, which need to be followed through once the procedure is in place. The
first is to speak to the operators to identify any difficulties in the operation of the procedure - if necessary
it should be further refined and enhanced. If a new refined procedure is issued it must be formally issued,
retraining carried out and the old procedure formally withdrawn. The review of the procedure must be
carried out every year and if it is unchanged the procedure would be formally endorsed for the next year.
Finally the operation of the procedure should be reviewed to ensure that it is carried out as intended and
no hazardous short cuts are incorporated, that is the Audit Process.

All operators should be checked routinely to ensure compliance, and new operators formally trained,
preferably by a training supervisor and not by the routine operator. There is a very real risk of errors being
incorporated by hand-me-down training. The old story of the message from the First World War front is
quite appropriate. It started off as "Send reinforcements, we are going to advance!" and ended up as "Send
three and fourpence (1/6 of a pound), we are going to a dance!" This is meant as a serious warning.

The procedure should be concise and accurate, written in detail, in simple language with no ambiguity or
room for deviation, but a check list approach can be used as an aide-mémoire in parallel with the procedure.
The start up instructions for a large process gas compressor ran to 20 sheets of paper, but the restart
following a trip out could be reduced to a 15-step check list.

In the final analysis any procedure is worthless if it is not kept up to date or is not complied with. It is an
iterative process. The final words on procedures are ones directed to ownership: if the operator
feels there is a better way of doing it and the operator was not party to the working up of the procedure,
don't be surprised if the procedure is ignored.



Standing Instruction Company A, Plant B

Number 3

Title: Start up of Turbine Driven Cooling Water Pump No 123

Prepared by: J. Bloggs

Authorised by: A.N. Other

Copies to:

Records,

All Plant B Standing Instruction Dossiers

All Plant B Supervisors

Last Issue: 1 March 2014

Objective of This Standing Instruction

This Standing Instruction gives a list of all of the contacts to be made when starting up Turbine Driven
Pump P-123. It also gives a list of the Pre-start up Checks, Preparation Tests and the final start up process.
Within the introduction are found the operating envelope and the prohibited operating zone.

Pre start up checks

1. Ensure from maintenance records that the turbine over speed trip has been tested in the last 2 years. If
this has not been done the turbine must not be started.

2. Ensure that the turbine lubricator is full of grade xyz oil and there are no oil leaks. In the event of any
leaks contact the maintenance department before starting.

3. Ensure that the pump lubricator is full of grade abc oil and that there are no oil leaks. In the event of
any leaks contact the maintenance department before starting.

4. Ensure the coupling guard is securely in place.

5. Ensure there are no slip plates in the process lines and start up blanks are removed.

6. Ensure the turbine exhaust Relief Valve is securely located and in place.

7. Ensure all valves are closed other than steam trap isolation valves. (See sketch 1.1).

Pre start up contacts

1. Contact the power station (telephone No. 123) and check that the correct amount of HP steam (x
kg/hour) will be available on demand in 1 to 2 hours; also check that the same amount of steam can
be admitted to the LP steam main. If this will not be possible, stop the start up process until it
becomes available.



2. Contact all control rooms on the plant (telephone Nos. 124, 125 and 126) and inform them that a new
cooling water pump is to be brought in line in 1 to 2 hours time and that operators may have to
adjust cooling water flows.

Preparation Tests

Reference should be made to Piping and Instrumentation Diagrams (P and IDs) No 12 and 34 (Sketch 1.1).

1. Slowly open steam trap bypasses ST1, ST2 and ST3 on Steam Main LPS 123 over 5 minutes and blow out
any condensate.

If condensate is found, blow the line until live steam flows then allow a small continuous escape of live
steam to assist in the warming of the steam main.

2. Slowly open steam trap bypasses ST4, ST5, and ST6 on Steam Main HP 456 over 5 minutes and blow out
any condensate, allow a small continuous escape of live steam to assist in warming up the steam
main.

3. Open the Turbine Exhaust Steam Isolation Valve LPS 123 Valve 1 very slowly over 2 to 3 minutes and
blow out any condensate from the Turbine Casing Drains. When live steam is detected, close the
drains.

4. Open the Pump P-123 suction valve (on CW 123) fully and open the body vent Valve 10 to clear (drive out)
any air or gas. Close Valve 10 when liquid is detected.

Notification

1. Notify the power station (Telephone No 123) that the pump will be spun in 5 minutes and started in 15
minutes, at which times there will be a sudden draw of x kg/h of steam. Check if they expect any
problems or require further notification.

2. Notify all control rooms on the plant (Telephones 124, 125 and 126) that the extra cooling water pump
will be brought on line in 15 minutes.

Start up

1. Open the cooling water pump minimum flow valve CW123, Valve 3.

2. Blow out the turbine Casing Drains Valve once more to ensure that there is no condensation in the
turbine. Close the valve.

3. Slowly open the steam inlet to the turbine, HPS 456 Valve 2, over 15 seconds to start the turbine spinning
at the minimum of 200 RPM required to ensure adequate lubrication of the bearings. Do not exceed
1000 RPM as this approaches the natural frequencies of the Turbine/Pump system. Use a hand-held
tachometer on the free end of the turbine shaft.

4. Check the whole unit for excessive vibration and check that the lubricators are still full of oil. Control the
speed on HPS 456, Valve 2.

5. Open the pump body vent Valve 10 over 5 seconds to check there is no gas present. Close valve 10.

6. Blow the turbine drains Valve 20 to check there is no condensate present. Close Valve 20.
7. Blow LPS 123 steam traps ST1, ST2 and ST3 bypasses to ensure that the main is condensate free. Close
the bypasses.

8. Blow HPS 456 steam trap ST4 and ST5 and ST6 bypasses to ensure the main is condensate free. Close
the bypasses.

The turbine and pump are now ready to be put on line. Contact the power station (Telephone 123)
if requested during the notification process.

9. Steadily increase the turbine speed to 5000 RPM by opening HPS 456 Valve 2 over 1 minute and then
adjust the governor speed. Due to the throttling action, HPS 456 Valve 2 will be stiff to operate until the
turbine comes under governor control. Use a hand-held tachometer on the free end of the turbine
shaft to make the measurements.

10. At 5000 RPM the turbine should come under governor speed control and HPS 456 Valve 2 should
become easy to open. Open HPS 456 Valve 2 fully once on governor control. If the governor does
not control the pump speed at 5000 RPM, shut down the turbine by closing HPS 456 Valve 2 fully and
notify users, the power station and the maintenance department immediately. It may be possible to
carry out on line adjustments. It may be necessary to lock closed HPS 456 Valve 2 and LPS 123 Valve
1.

11. When the turbine is running properly under governor control, slowly open the pump discharge valve,
check the discharge pressure is at least 3 barg and then open CW 456, Valve 2 fully over 1 minute
and close the start up by-pass Valve 3.

12. Notify all users that the pump is now running.

Post Start up

1. Check the lubricator levels.

2. Check the Turbine and Pump bearing temperatures are not more than 50 °C.

3. Check the vibration levels on the Turbine and Pump are acceptable (less than 2 mm/sec velocity).

4. Check Pump P-123 for evidence of cavitation; if any is detected, fully vent gases through Valve 10, then
close Valve 10.

5. Check that steam traps ST4, ST5 and ST6 on HPS 456 and ST1, ST2 and ST3 on LPS 123 are functioning
and that their bypasses are closed and not passing steam. If they are faulty notify maintenance.

6. Check steam traps ST1, ST2, ST3, ST4, ST5 and ST6 are not isolated.

7. Ensure that users of the cooling water system have adjusted to the new pressure regime.

8. Check the whole system for joint leaks. If any are found notify the maintenance department.

Sketch 1.1: P and I Diagram No 12, Steam System

F 10 Testing of Protective Systems

Protective systems are designed to achieve a given performance, which in turn influences the safety level
of the process. It is important therefore that the performance is verified by testing and then measuring
that performance against the given performance target. The target performance will not be achieved if the
system is not tested properly and on the appropriate routine.

The Protective System is a Safety Hardware system but the testing and verification is a S.M.S.

The four steps will be used once again:


Identification

Quantification

Control/Mitigation

Verification

Background

The performance of any protective system is assessed on a given test interval (T) and the failure rate of the
items of the system (F). This means that the system has to be tested at the correct routine (with a minor
flexibility) and in a manner so as to simulate the real event. (This will be explained further later.) Finally,
when carrying out the test there is a dead time, which is cumulative. For example, in a real situation the
mechanical/instrument performance of a shutdown system appeared to produce a fractional dead time of
less than 0.01, but the dead time attributable to the trip testing itself was nearer 0.01. That is, the test
interval was sub-optimal.

Identification

Most instruments function by an analogue of the detected event and the test must attempt to simulate
the real event fully. Short cuts can lead to improper testing. The test must be taken to a logical
completion, which can be verified. The tests must be carried out regularly and on routine, not irregularly.
The identification requires that there are clearly defined test procedures and clearly defined routine
intervals.

Properly Tested

The main elements of a protective system are a detector, a switching system and a shut down valve. The
detector may include: -

High Pressure, Low Pressure

High Temperature, Low Temperature

High Flow, Low Flow

High Level, Low Level

There may also be an override to facilitate the process start up.

The switching system may be either electronic or electro-mechanical. The shut down valve will interrupt a
flow of energy, be it electrical, fuel, or process fluids including services such as steam. If the shut down
valve closes fully there may be a process upset, but if there is debris in the line it may not close properly, so
a movement test alone may be an improper test; that is, the protective system was not designed to be
testable properly. (See test bypasses in Part D.)

The instrument dead time is assessed on an interval; if the interval is irregular the performance may not
reach target. The fractional dead time (FDT) for a simplex trip is:

Test interval   FDT
Weekly          0.0109
4 weekly        0.0172
7 weekly        0.0256

If the test is carried out four weekly the FDT is 0.0172, but if it is carried out irregularly, between 2 and 8
weeks but averaging 4 weeks, the FDT averages 0.0182. The error is not much but it is real, because the
longer intervals contribute more dead time than the shorter ones save.

Quantification

Incomplete and irregular testing will degrade the performance of the protective system

Control

The test must be full and properly executed on the correct routine.

Pressure

High pressure switches can be tested by injecting a calibrated pressure signal onto the pressure switch; this
involves isolating the switch and therefore a risk of human error (the switch being left isolated). Low
pressure switches can be tested by venting the signal through a choke or flow resistance; this does not
involve isolating the switch and is fail safe.

Temperature

High and low temperature devices can be tested by injecting a calibrated EMF at the detector - this
involves disconnecting the thermocouple and human error. Moving the set point is forbidden.

Flow

Low flow switches can be tested by isolating the flow signal - this does not involve isolation of the
detection device and is fail safe.

High flow switches can be tested by injecting a calibrated signal into the flow device - this involves
isolating the switch and human error.

Level

High level switches can be tested by floating the device on a compatible fluid; this only involves closing
the lower isolation, does not involve isolating the detection device, and is fail safe. That is, if the
lower isolation is left closed the item will still be in a tested shutdown condition and the isolation must be
opened to drain the device and cancel the shutdown signal.

Low-level switches can be tested by draining the float - this does not involve isolation of the detection
device and is fail safe.

Start up Overrides

Start up overrides can be tested by engaging and disengaging the device during the test process.

Shut Down Valves

Shut down valves can be tested as part of the test routine if a test bypass is installed. Failing this, a
detailed analysis of the implications of a partial test must be carried out. The design of the system plus
the bypass controls requires care. (Any bypass is a potential cause for abuse - sorry, misuse!) The controls
on its use and the implications of valve closure need to be analysed carefully: slam shut can damage seats,
but slow stroking valves can be too slow to prevent an undesired event. Therefore, tightness and closing
time are key parameters.

Test Interval

This should be part of the prescribed procedures for the process.

Verification

The performance of all elements - the response time and the stroking time of the shut down valve should
be recorded and analysed and a report issued.

The performance (or probability of fail to danger) should be analysed against the required performance.

The whole trip system should be checked as being healthy after the test with all isolations in the safe
position (a check on the human error).

The one item, which cannot usually be tested on routine, is the emergency shutdown - this is usually
tested on a plant shut down.

It will be noted that over-speed shutdown has not been mentioned. Mechanical over-speed devices can
only be tested off line but electric/electronic devices can be tested on line.

Over Pressure Trips

There is a belief that over-pressure protection can be provided by instrumented systems. This can be true
if the system is designed properly. Hydraulic (liquid-full) systems only need a few c.c. of fluid to cause over-pressure,
and the rate of change of pressure could be faster than the valve closure speed. The valve must, as a
minimum, have a leak off system (double block and bleed). Even the design of a simple pneumatic system
has to consider the effects of valve leakage and whether it is possible (credible) to vent off the system in an
appropriate time period. Too many simplex/semi-redundant designs have been produced which
theoretically, under ideal conditions, produce the designed performance but which in practice were
USELESS.

Maintenance

Maintenance may not seem to be an S.M.S. or a shutdown test. However, maintenance is one of the major
sources of hazards in plant as it usually involves breaking into a process - valve operation - for the removal of
equipment. Frequent maintenance increases the potential for hazards.



Maintenance by definition must be handled to produce a quality repair, with faults not only due to wear and
tear corrected but also design or operational shortfalls corrected. Further, maintenance should not be
carried out too frequently or too infrequently, as this will lead to wear in (infant mortality) or wear out
(old age) failures. It follows that the repair frequency may have to be adjusted for each piece of equipment
to optimise the running life without entering wear out.

From the above, maintenance procedures should clearly define how the repairs should be carried out
and what makes or styles of parts should be used as replacements. The records on each piece of equipment, the cause
and symptom of the need for repair, must be kept; trends monitored and, where appropriate,
corrective actions taken. Further, the equipment should be given a test run to eliminate the wear in
section of the bath tub curve.

The quality of maintenance requires the correct tools, skills, supervision and replacement parts
supplemented by testing or calibration in the use of instruments.

Training / Performance

Maintenance involves diagnostics and non-destructive testing, both of which are equally important.

Maintenance must therefore go through the cycle:-

What can go wrong/ what did go wrong?

What is its implication?

What can be done to correct it?

Was it corrected properly?

These are all part of the SMS.

F 11 Management of Change

In general most companies evolve slowly; changes are slow but steady and are readily incorporated into
the corporate culture. Occasionally more major changes are required for example a design of a plant or
equipment may require change or improvement or even a new procedure is requested. Each change
carries an inherent risk which must be managed using the steps:-

Identify

Quantify

Control / Mitigate

Verify

Change involves moving from state one to state two and that move has to be managed. The change
may be in many areas:



Management

Hardware

Computer Programs

Procedures

Change could also involve culture or, in the era of takeovers, the change within an organisation as two
companies blend together. The first state or culture may be stable, and if all the correct
Management of Change procedures are in place state two should also be stable, but there may be an
unstable state in between.

Figure F 11.1 shows a Management of Change proforma which was used by many companies in the past. It is
quick and simple and will raise the alarm if there is a potential problem.



Figure F 11.1 MoC Proforma
Take for example a simple operating procedure. It will now become evident why the Hazard Studies were
introduced in Part A.

First the procedure has to be assessed and deficiencies identified. This may be due to changes in
legislation, operations skills or some audit (The concept phase of a project).

Second the draft operating procedure has to be devised in outline (Front End Engineering Design in a
project).

Third, the procedure has to be polished and refined in conjunction with the operators (Detailed Design of
a project).

Fourth, the operator will have to be trained on what is required on the new procedure and when it will be
in place (The construction phase of a project.)

Fifth, the operating data has to be set and simultaneously all OLD procedures withdrawn and new
procedure just in place. There must be a record of all old procedures issued and withdrawn and new
procedures issued (The start up phase of a project.)

Finally, the operation of the procedure must be reviewed for lessons learnt. (Study 6 of a project.)

It is self-evident that there are change procedures within this change procedure!

The changes may be very small but have significant outcomes as shown below.

What Constitutes a Modification?

There are no firm, watertight rules; each change has to be managed effectively and safely, be it a change
in a procedure (as discussed), a change in an operating parameter or a change in hardware, as already indicated.
However, there are other less obvious changes which may creep into the system, be it a design or a process,
through drift (memory fade) or short cuts. It is arguable that some of the failure of defences at BHOPAL
(in India) was due to relaxing the need for safety features (the refrigeration unit). Another change is the
operator's override of a safety function for easier operation. How do you know how it was done and if it
was done?

An illustrative Example Case 1

A control valve was replaced by one which had two long bolts out of the total complement: the flange of
the valve was effectively cut away and, instead of there being four short bolts, there were now two short
and two long bolts. On the first examination the pipe flange faces were still as they were and the P and I
Diagram did not change. Unfortunately the fluid was hot, about 150°C, and the lower, long, bolts
expanded slightly more than the top, short, bolts, so relaxing the bolting forces. The joint moved, fluid
leaked and ignited, and the lower bolts relaxed even more in the fire. A simple change resulted in major
damage to a plant. (See sketch below)

Many companies have developed management of change for modification (hardware) and modification
(operating parameters). These incorporate the steps already outlined. The classic Management of change
produced after Flixborough (above) was based on this sequence but stopped a little short of the control
and verification steps as these were left in the hands of the Engineers / Managers. It is now evident that
more detail must be applied to these last steps and that the thinking is recorded in full. The classic fault in
a hardware system was at Flixborough and in a procedure was at Chernobyl. Both are discussed
elsewhere in these notes but it is arguable that a full safety study should have been carried out from the
very start.

The proforma shown above has been used by many companies as a template for the management of
change.

Changes have the most awkward way of hitting back if not fully analysed. The following are some
examples.

Accidents, Which Occurred Because the Results of Plant Modifications Were Not Foreseen

TDC/PLC Systems

The electronic logic of TDC/PLC controls means that the itemised logic cannot be fully checked/verified;
more particularly, it is often difficult to predict what errors could occur due to poor programming. The
quality control of programming and its testing is now a major issue for safety. The QA programme and the
management of the changes to the logic are fundamental, and it cannot be emphasised too often how this
may affect the ultimate safety of the plant.

Modifications Made During or Just Before Start-up

Start-up is often a time when small modifications are made and it is always a time of intense pressure. It is
therefore not surprising that some modifications introduced at this time have resulted in serious,
unforeseen consequences.

Case 2

One incident started when a temporary start-up filter was put in a compressor suction line. Unfortunately,
it was placed between the compressor and the low suction pressure trip. (See sketch)

The filter choked, the compressor sucked a vacuum, some air was sucked in and this caused a
decomposition reaction to occur further on in the process where the pressure was higher. This caused two
pipe joints to spring, the escaping gas ignited and the succeeding fire caused over 100,000 damage (1970
values) and many months delay. The consequential losses were significantly more than the capital losses.

Sketch of Compressor and Pressure Switch

Case 3

Another incident occurred in another company. A process stream passed through a series of heat
exchangers and a catch pot into a vessel. The relief valve on the vessel also protected the last exchanger.
(Shown below)

The start up team had an extra valve (shown in black) fitted during construction; they decided it might be
useful in preventing back-flow during start-up. The design contractor said that experience showed that
the valve was unnecessary but did not say that it was unsafe.

During start-up this valve was closed and the whole train of exchangers was subjected to the full upstream
pressure. When the pressure in the last exchanger reached 400 psig, the exchanger, which was designed
for 50 psig, burst. There was a major fire and a big delay in start-up. (A Non-Return Valve would have
been inherently safer!)

Sketch of Process Case 3

Reviews that worked

On one plant a repeat relief and blow-down review was carried out one year after start-up. The start-up
team had been well aware of the need to look for the consequences of modifications and had tried to do
so as they were made. Nevertheless the repeat relief and blow-down review brought to light twelve
instances in which the assumptions of the original review were no longer true, and additional or larger
relief valves, or changes in the position of a relief valve, were necessary.
Training

Training is discussed under Human Error but it is necessary to repeat this section for completeness.
Personnel are becoming increasingly mobile and skills and knowledge can become diluted or inappropriate
for the tasks required. Traditionally training has become a hand-down process, which involves handing
down poor practices from one person to another, resulting in the quality being degraded. Training requires
not only that trainers have the skills but that the correct skills are taught and reinforced. (For some these
notes will be refresher training and for others it will be new training.) Training can sometimes be carried
out in house but sometimes it is necessary to seek specialised training - for example the training of a
HAZOP team leader (Facilitator).

Performance Monitoring

When this heading was written the mind set was on Individual Performance Monitoring, but this mind set
(another source of errors, see later) failed to see also Safety Performance Monitoring. Performance
Monitoring, in the broadest sense, is verification that the SMS is working. First there must be some
objectives or targets against which to measure performance. At an individual level there is an expectation
that performance will reach a certain level and, if not, more training would be given or the individual moved
to a more appropriate task/job. There is also an expectation that procedures will be complied with and, if
not, suitable advice given.

At another level as part of the SMS certain objectives will have been set for training, auditing, review of
operating instructions, follow up on Abnormal Incidents and Emergency Exercise (the list is endless). Were
these achieved and if not what actions have been put in place?

At the top level there will be targets for reducing accidents - minor, serious or other - and abnormal incidents. Were
these achieved and if not what actions have been put in place?

This final loop is a clear demonstration to everyone that the Management are committed to Safety.

F 12 Safety/Environmental Audits

Introduction

Audits are a very powerful tool in the safety armoury when used correctly.

Audits have parallels to HAZARD and OPERABILITY STUDIES - they are both systematic and rigorous. There
are a number of definitions referring to audits:

BS 5660 (1996) defines an Audit as:-

A systematic and, wherever possible, independent examination to determine whether activities
and related results conform to planned arrangements and whether these arrangements are
implemented effectively and are suitable to achieve the organisation's policy and objectives.

The Institution of Chemical Engineers defines a Safety Audit as:-

A critical examination of all, or part, of a total operating system, with relevance to safety.

The International Chamber of Commerce (1989) defines Environmental Auditing as:-

A management tool comprising a systematic, documented, periodic and objective examination of
how well environmental organisation, management and equipment are performing with the aim
of helping to safeguard the environment by:-

1. Facilitating Management Control of environmental practice, and

2. Assessing compliance with company policies which would include meeting regulatory
requirements

Management Systems are defined in BS 5660 (1996) as:-

A composite, at any level of complexity, of personnel, resources, policies, procedures, the
components of which interact in an organised way to ensure a given task is performed, or to
achieve or maintain a specified outcome.

There are a number of definitions of audits - both Audits as well as Safety/Environmental Audits
but there are common elements such as:-

Systematic (review)

Corporate/Regulatory; Objectives/Requirements

Organisation

Operation/Performance

When the definitions are read they seem confusing but when the common elements, shown above, are
drawn out the definitions are in reasonable harmony.

Consider now a financial audit. Someone, usually independent, verifies that the corporate accounts are
correct and recorded in the correct manner. The auditor does not check every penny and entry; the
auditor samples some of the entries, checks their invoices and receipts, and checks that there is an audit trail
to be followed.

Consider now a health check (or audit). The Doctor checks some key factors or health features to verify,
so far as is reasonably practicable, that there is no organic fault.

The Doctor samples key parameters such as:

Blood Pressure

Pulse

Urine (for sugars and protein)

Height/weight (Body Mass Index)

Lungs

Retina

Palpates some internal organs

The doctor is looking for evidence of potential problems in the blood circulation, kidney, liver, stomach,
and bladder. The examination is definitely systematic and follows a fairly standard format. It is not a total
top to bottom audit as it is based on a selection of key parameters.

It is clear that any audit must be based on a series of factors:

The objective of the audit

Sampling key parameters/features

Measured against certain parameters or reference points

It may seem that some time has been spent trying to lay out the ground rules for an Audit but it is
essential to realise that an audit:

Is systematic

Is based on sampling

Has certain defined objectives

Must have a reference against which the audit is measured

Background to Audits

Types of Audit

Audits generally require independence - or else there may be a conflict of interests or even worse,
prejudices. The audit group can be one of these types: -

External: where the auditors come from outside the organisation. This grouping ensures total
independence and produces a different perspective of the issues; there are obvious advantages.
The auditors may also be highly skilled and experienced, knowing what and where to search for
tell-tales which might indicate problem areas.

Internal Local: where the auditors come from the local organisation. This grouping will probably
not have total independence and may have prejudices, which may be positive or negative, and the
team may lack skills required to see the problem areas.

Internal Corporate: where the auditors come from within the corporate organisation. This
grouping will probably have more independence, fewer prejudices and more skills, but may have an
element of corporate blindness and again be unable to see certain problem areas.

The type of audit will obviously have to be chosen to match the Terms of Reference and Scope of
the audit. It may be appropriate to use an Internal audit to examine the compliance of a particular
plant with the Permit to Work Procedure and it may be better to use an External Audit to examine
the Corporate Management Structure.

Audit Steps

There are a number of clearly defined steps in the audit as follows:

Setting the Terms of Reference and Scope

Planning and Preparation

Pre-audit Sampling/Data gathering

Organisation based Sampling/Data gathering

Forming a Judgement

Drafting the Report

Issuing the Final Report

Follow up the Report

The audit will also have some key objectives, these will include:

Identification of the strengths (and weaknesses) of the local (or corporate)
Safety/Environmental Management Systems, (S/E.M.S.)

Identification of improvements considered necessary to improve the S/E.M.S

Identify an action plan for the improvement of S/E.M.S.

These must all be measured against a set of references, which may include a whole spectrum of markers
such as:

Corporate Policy

Corporate standards

Legislation present and future

External standards

Reasonable best practice

So that the text can be written without the need to vary it too much, the words Safety/Environmental have
usually been omitted. The approach for both audits is identical but the causes of a non-compliance may
vary subtly between safety and environmental audits. Where there are differences, the confusion
introduced by highlighting these nuances is not worthwhile and a more general level of approach will be
adopted. Actions which result in safety issues also have some environmental implications (and vice versa);
the release of VOCs is one example. If a company does not accept strict controls for safety issues it is
not likely to adopt strict controls on environmental issues.

The main differences between the two types of audit are the skills and hazard recognition skills of the
auditors.

Sampling Data

The introduction indicated that the Audit is a sampling exercise. It is not possible to check every item in a
batch and it is necessary to draw on a sample for more detailed analysis. The sample size must reflect both
the size of the population and the confidence that the sample is truly representative of the whole. If the total
population is 2 and the sample is only 1, it would be wrong to conclude that because the one sampled item was
healthy the other was also healthy; but if the population were 1000, a smaller percentage of the population
would give good indicators of health. Various sampling factors have been suggested. The following are
indicative values.

Population   Sample size for confidence level
             98%     90%     85%

10           All     9       8
50           45      30      16
100          80      40      20
1000         300     60      20
2000         320     60      30

It is clear that a larger sample is needed if the auditors wish to have a higher confidence of their
conclusions.

Identification of Non Compliance

This section has been taken out of sequence for the same reasons as the previous section but also it is
central to the Audit Process and also requires the most skill. This process can be described as:

What?

Where?

Why?

The WHAT question requires an analysis of both Expectations and Required Standards. The expectations
are those Good Working Practices and Management Systems that would be expected in the particular
activity. The required standards will flow from Corporate Policies and the Legal/Regulatory Requirements.
Some expectations will flow from legal/regulatory requirements and some from experience. This is a very
open statement and requires illustration. The Health and Safety at Work etc Act requires the provision
and maintenance of plant and systems of work that are (etc). It does not call explicitly for a Permit to
Work, but on a process plant one of the systems of work is the Permit to Work and it will be expected.
In an office a permit to work may not necessarily be expected. On a construction site, particularly a green
field site, tractors might be expected, but the access of tractors to an operational Oil Refinery would not be
expected. The identification process requires a large measure of experience, knowing WHAT to look for
and WHERE to look for it. Sometimes check lists may assist, either standard lists or ones
prepared for that specific audit.

When walking around a process plant there should be a mental (not written) checklist. If it is perceived to
be a crib sheet the Auditor might appear to be acting mechanically and not really on the ball. A few
items are given:

Task / Reason

a  Check safety gates open/closed/stiffness.
   Reason: Do plant personnel visit the area of the plant?

b  Are relief valves properly supported against jet reaction?
   Reason: Relief valve branches may be bent by jet reaction forces and if a branch is bent the relief
   capacity may be restricted.

c  Are static waste skips on the site?
   Reason: Do vehicles have to come into a hazardous area to recover the skip? Is it a source of
   fire/flame? What controls are applied for their safe removal?

d  Are steam relief valve tail pipe drains clear?
   Reason: If the relief valve lifts someone may be burnt with hot condensate. The capacity of
   the valve may be compromised.

e  Are firewater drains clear of debris?
   Reason: If they are fouled there is a possible risk of the escalation of a fire due to fire spread
   upon the un-drained water.

f  Are all sources of liquid spill or leakage handled effectively and fully contained?
   Reason: Leaks may enter the water course and hydrocarbons may accumulate in the soil, to be
   floated out by the application of fire water at a future date.

g  Is cellulosic/waste collected in closed containers?
   Reason: Waste may blow out of the site into the public area.

This list is only indicative of a very few items in a possible check list for a site tour. Other clues
which might warrant further investigation can be found in the following series of observations:

Observation / Possible Implication

a  Damage to curbing inside hazardous areas with tyre marks nearby.
   Implication: Is there unauthorised traffic in the hazardous areas (a source of ignition)?

b  Tour guide appears to be leading you from an area of the site.
   Implication: What is being hidden and what should you not see?

c  Damage to lagging or rust at the bottom of the tank.
   Implication: Possible corrosion under insulation leading to leaks.

d  Roped off areas with no signs of maintenance.
   Implication: Is maintenance being under-funded and is there a latent problem?

e  Oil stains on roads.
   Implication: Oil is entering the drains and bypassing interceptors.

f  Open sample points.
   Implication: Vapour release to atmosphere.

The WHERE question is seeking to identify the source of the non compliance, or the deviation from
expectation and required standards within the organisation or Management Systems.

The problem may lie in:

The organisation

Personnel

Other

The WHY question is seeking the root cause of the non-compliance or deviation from expectation or
required standards. These are likely to have fairly clear indications; the list is obviously
fairly long and again only illustrations can be given.

Organisational Problems could be:

Symptom: People feeling uncertain and isolated

Possible cause: Lack of Objectives

Symptom: People feeling they are given poor guidance

Possible cause: Lack of Supervision

Symptom: People feeling that any message is conditional: "of course safety is important, but production
comes first".

Possible cause: Lack of Commitment

Symptom: People have poor skills

Possible cause: Lack of Training

Symptom: People feel uncertain as to who is their Supervisor/Manager

Possible cause: Poor Reporting Routes

Personnel Problems could be:

Symptom: New recruits do not know what to do

Possible cause: Lack of Training

Symptom: Head strong personnel doing what they think is right - not what they are told to do

Possible cause: Corner Cutting/Lack of Discipline or Control

Symptom: Personnel feel they are being victimised or personnel having no respect for the manager and
ignoring guidance

Possible cause: Personality Clash

Other problems could be:

Poor accident investigation

Poor accident/near miss follow up

Formulating a Judgement or Conclusion

It is necessary to introduce this topic into this section to allow the procedure to be explained as a
continuum. The judgement or conclusion will lead to a finding and then to a recommendation and it is
therefore essential that the recommendation is appropriate to the issue.

First the judgement must reflect the needs and product of that company as well as its corporate structure.
This can best be described by simple examples. A research company which produces a technical product
does not necessarily require a Permit to Work System, but, if it is of sufficient size, it may be appropriate to
expect one person who has a responsibility for Safety, be this for good housekeeping or for the practice of
office evacuations. A workshop which employs many mechanics may justifiably have one person
responsible for the Occupational Health and Safety of employees. The judgement must therefore reflect
the expectations of the Auditor and be in harmony with the structure and type of organisation being
audited.

Second the judgement must be measured against a reference. This reference may be a corporate
standard or a legal requirement. These should be clear-cut.

Third the judgement must be fully researched and supported. One person who did not wear head
protection, or one spilled sample, would not be a suitable sample and may be due to one rogue employee;
it is appropriate that this is highlighted but it is not a major finding. However, if these examples are
prevalent it may be necessary to research further to find the real source of the problem.

The Audit Process

The main steps in the audit process were outlined in the Introduction and some of the essential tools or
skills outlined. It is now necessary to follow the sequence through in a logical order.

Terms of Reference and Scope

Normally a Manager within an organisation (Design, Operations, Research etc) will ask for a
Safety/Environmental Audit for one of a number of reasons. It may be that an audit is required on a fixed
routine as required in the Corporate S & E Management Systems, or a Manager may feel that there is a
shortfall in the Safety/Environmental performance and an Audit would assist in identifying the problem
area. It will be noted that it is requested and not imposed!

The Manager will call for the Audit to be carried out and a Leader or Chairperson will be nominated. The
Manager and Leader will then decide upon and write the Terms of Reference and the Scope of the Audit.

The Leader and initiating Manager will agree the type of audit to be carried out and draw up a possible
short list of team members.

The Terms of Reference will generally cover:

The type of Audit to be carried out

The objectives of the Audit

The start date of the Audit

The delivery date of the Audit

The person to whom the Audit should be delivered (if different from the initiator)

The Scope will generally cover:

The areas included

The areas excluded

Any specific area for detailed attention

The references against which the Audit should be measured

The Type of Audit as discussed earlier.

Planning and Preparation

The detail, which goes into the planning and preparation, can pay dividends during the Audit. There are
many aspects which cannot be gone into in any detail. The following are worthy of serious consideration:

First The list of team members has to be finalised and agreed with the initiating Manager. The team
should be chosen according to their skills and the nature of the audit itself.

Second The domestic arrangements must be made. The listing may be trivial but if the arrangements
are incomplete a few hours' delay could be costly. These may include:

Accommodation - Hotels etc

Secure Office

Telephone

Filing Cabinets for storing documents

Secretarial Support

Photocopying

Identity Badges while on the site

Liaison Person on the site

Third The team should meet to make their acquaintance and that of the Liaison Person if possible - they
may not have met before. Following from this a list of initial documentation should be drawn up for
review. The documents should be allocated amongst the team. The team should consider which items
need special attention and draw up an initial list of:

Issues to be examined

Personnel to be interviewed

Any check lists they feel appropriate for the future audits

Fourth The team should produce an initial timetable of tasks and interviews.

Pre Audit Sampling/Data Gathering

Following the initial meeting the team may have a few days in which to review documents in their own
office and analyse the data already delivered prior to the site visit. It is very possible that extra documents
or data will be required following this initial review. This should be directed to the Liaison Person who
should collect and forward as necessary.

It may or may not be necessary to have a further meeting of the Team.

Organisation Based Sampling/Data Gathering

The first on-site meeting of the team must be a Courtesy Meeting with site personnel. During this
meeting the Team and Site Personnel should be introduced to each other and the Terms of Reference and
Scope explained to the site personnel. It would be usual for the site personnel to know the Terms of
Reference or the Scope but it should be possible to expand on them and to include any particular topics,
which the Site Personnel may feel appropriate.

Following the meeting, Identification Badges MUST be issued and worn. The Team should then be given a
Site Safety Induction briefing and a familiarisation tour round the site to examine the detail and potential
hazards of the operation and also to be introduced to other site personnel. (If the Team is not introduced
properly and has no clear identity they should expect to be challenged.) This tour may well be
supplemented by frequent, more specific tours at a later time.

The Audit can now start. The task is basically searching the organisation for the WHAT?, WHY?, WHERE?
questions to produce a conclusion. The method may be by interview, data collection and analysis or by
the well-trained eye and ear. As much is based on experience no hard and fast rules can be given. It is
surprising how often a finding is identified by the well trained eye and ear.

At the end of each day a short team meeting should be held to exchange observations and classify details.
The meeting need not be highly structured but would generally include:

Provisional, preliminary findings (these may change at a later date)

Areas requiring further clarification

Gaps in knowledge

Areas needing further study

At the beginning of the day, and at least every other day, the leader should meet with the Liaison
Person and a small group of the Site Personnel to give them feedback on the provisional findings. During
these meetings any misunderstandings can be cleared up and the site personnel will be prepared for the
final report.

Initially progress may appear to be slow and it may require further visits to the site to assist in the data
gathering and formulating the findings. The Audit team should not be put off by what might appear to be
slow initial progress; it is not unusual, as the team is on a learning curve.

It is also very important that data is logged and recorded for reference purposes and filed in a suitable
manner. The data becomes the evidence which supports the findings and recommendations; if it is not
available, confirmed and secure, the finding and recommendation cannot stand.

Draft Report

If possible the Draft Report should be available and presented to the site personnel before the Team
departs. Inevitably there will be negative features of the Report, so it is important that these are counter-
balanced by the many positive aspects that were found. If the feedback process has been successful there
should be no surprises in the report. If the feedback process described above has not worked there is the
risk of undermining the whole validity of the audit with the killer statement "but you did not
understand (fully investigate) the issue - surely you know that....!?"

Final Report

The final report must reflect the observations of those being audited. If the appropriate liaison and
supporting information is available the final report should only be a polished version of the draft.

Follow-ups

The Terms of Reference may require a follow up to determine if the actions recommended have been
implemented effectively.

Interview Technique

The auditor is eliciting information (as in a HAZOP) from the organisation and the personnel. To a degree
the interviewee will be defensive, more particularly if the auditor is not recognised or known to the
interviewee. The first task is to put the interviewee at ease by the use of interpersonal skills. These may include
using first name terms, and common courtesy such as "please sit down" if they are visiting you.

The next task is to create the correct atmosphere. Sitting forward in a chair is considered to be an
aggressive posture (body language) but slouching in a chair is showing a disinterested posture.

The next task is to introduce questions slowly but purposefully. Start off with a benign question: "how long
have you worked here?" or "where did you work before you came here?" This sets the interviewee at ease
as it is simple, easy to answer and does not require a yes/no answer. The questions thereafter should be
open, avoiding questions that only require a yes/no answer, and worded such that they allow a
second, follow-up question. The line of investigation should use questions that start with words like:

How?

Why?

When?

Who?/To whom?

Which?

Where?

These questions may produce fact, opinion, and lack of knowledge or they may produce a piece of
evidence worthy of further analysis.

The auditor is trying to elicit information, so the interviewee must have the majority of the conversation,
possibly as much as 70% of the total. The questions in the interview may follow from research, prior
reading of data or documents, or a concealed (mental) checklist. Do not let the interviewee see the list as
this could create a lack of trust and friction. The results of the interview will produce potential findings;
these may confirm a previous observation or give a new line for study. It is now necessary to add shape to
an observation. An aggressive "I put it to you" will achieve resistance, but paraphrasing a reply, such as
"Could you expand on...?" or "Have I got it wrong....?", appears to put the auditor in a weak
position and the interviewee in a strong position, and should lead to a more open and expansive reply. It is
all part of the interview technique as discussed under interpersonal skills.

Auditing requires interpersonal skills: much of the audit will be searching for information and asking
questions. If the Auditor is heavy-handed the interviewee will become defensive, so the questions must be
carefully framed. A question that invites a yes/no answer will produce no information flow; it must be
framed for an expanded answer from which the Auditor can search for clarification or more detail. It is a
case of coaxing out the information and shaping the form of the finding.

The Auditor should also be aware of body language: an aggressive approach will result in a defensive
response, the interview will be a waste of both persons' time, and it may lead to conflict, which
eventually undermines the whole audit process.

Both of these are essential skills.

Useful tips to avoid conflict (there is a potential for conflict if the interview is not carried out with
sensitivity):

The Auditor must, at all times, act in a professional manner.

The Auditor must be aware of the potential for conflict and try to avoid it at all times. He/she should,
where possible, be careful not to put someone in a lose/lose position.

The Auditor must be a good listener and able to analyse what is being said quickly.

The Auditor must be able to formulate questions in an easy to understand, unambiguous manner.

The Auditor must be open-minded and non-judgemental.

The Auditor must be open-eyed.

The Auditor must be open-eared.

Thinking time is essential for both parties.

Findings must be specific and not generalised.

Recommendations must be clearly formulated and must also be realistic and appropriate to the
site.

A Simple Form of Audit

A simple audit often carried out is the audit of the execution of the Permit to Work System. A Plant
Manager who could be both Initiating Manager and Auditor could carry this out.

The Terms of Reference could be

To examine the P.T.W. system to ensure that it is carried out according to the works/site
procedure (No. 123).

To deliver the results to the Plant Supervisor by (name) and (date).

The Scope could be

To examine a sample of P.T.W. for the weeks x/y.

To include Hot work and Cold work permits but to exclude Entry Permits.

The Auditor must now decide on the sample size - possibly 50% of a total of 100 permits.

The Auditor should examine the permits - were they filled in correctly and unambiguously?

Is the task or job clearly specified?

Are the isolation standards clearly specified?

Are the tools clearly specified?

Are the hazards clearly specified?

Are the site preparations clearly specified?

Are the emergency procedures clearly specified?

Are prohibited acts clearly specified?

Are other tasks in the area clearly specified?

Was the permit signed off correctly?

If the task was delayed, were new conditions specified?

The Auditor should take a sample of the permits produced for one day and progress all of them, checking
that the work was being carried out correctly and as laid out in the Permit.

The Auditor should sample the permits issued by each shift so as to be satisfied that there is no weak link.

The Auditor should issue a report containing: -

1. Number of Permits inspected.

2. Number of Permits progressed on site.

3. Deficiencies noted.

4. Actions proposed or taken to correct the deficiencies.

5. The report should be issued to the Plant Supervisor and, after one day, discussed with the Plant
Supervisor.

Some of the Historic faults found in Permits included:-

The issuer signed "on behalf of..." another person.

Conditions for a Hot Work Permit were changed on the Permit without checking the site for the
reasons or causes of the change in conditions.

No-one inspected the site of the work.

Incompatible work was taking place in the same work area.

Valves were not correctly identified (tagged) and locked shut.

There were more permits in force than any reasonably competent issuer could supervise and
check/monitor.

The maintenance crew had no idea of the potential risks in the area.

The maintenance crew had not read the permit.

The list is endless!

Use of an Audit in Academe.

It should be possible to carry out an Audit within a University Department.

First the topic must be decided and then the Terms of Reference and Scope must be defined.

Some possible topics are;

1. Are the PPE used correctly and what recommendations would you make for changes?

2. Are the risk assessments for experiments in sufficient detail, accurate and up to date, and what
recommendations would you make for changes?

3. Do the experimenters follow the laid-down written rules in detail? Are the rules appropriate? Are there
safety implications if the rules are not followed or are not in sufficient detail? What
recommendations would you make for changes?

4. Has a full survey of noise been carried out? What recommendations would you make for changes?

5. Good housekeeping. Is the place tidy? Is everything stored properly? Are there trip hazards? Are
escape routes clearly marked and uncluttered? Does everyone know what to do in an emergency?

6. etc

F 13 ACCIDENT INVESTIGATION

Introduction

Accident Investigation is an excellent tool for teaching Chemical Engineering skills and also for
understanding human factors and the interactions between engineering disciplines.

In a Utopian world, accidents would never occur given good management. In the real world they do occur,
rarely, in spite of good management skills. The corollary is that a good manager will have very little
accident investigation experience if and when that rare event occurs. Such events might be categorised as
"Acts of God" if it is not recognised that accidents are actually caused (see Part A). Once the event has
occurred there will be the inevitable questions:

Why did it occur? What should we do to prevent it occurring again? The final command, "Find out!", is
rarely said but it is understood and implied.

If a pump seal gave months of satisfactory performance and then failed suddenly, there must
be a cause which should be identified to prevent the occurrence of a worse event (such as a
fire).

If an operator twists an ankle, there may be a latent cause - such as an uneven surface - which
will result in another twisted ankle if no action is taken.

Three examples of investigations, all of which did occur some years ago, are used at the end of this topic;
one is simple and two are more complex. Each required analysis of data, comparison of theory with what
was observed and the careful construction of a STORY which described the whole event from the initiation
to the final outcome.

The narrative of the investigation process will be generalised. In reality, sections of the process may be
unnecessary in specific incidents and may justifiably be ignored - BUT be very careful before ignoring
them, as valuable information may be overlooked or lost.

Background

Accidents may appear to occur suddenly or may appear to develop over time. In reality, all accidents have
a series of precursors, which may be dormant or unrevealed (see Defence in Depth, Parts A and F earlier).
A sudden event such as a twisted ankle will be over in one or two seconds and will rely on the visual
descriptions of onlookers or the narrative of the injured person for clues. A developing event may
allow detailed on-the-spot observations/investigations to take place while it is occurring and will rely less
on the observations of onlookers. In a generalised model, the accident will have discrete phases.

Build-up: When the elements or causes are put in place.

Initiation: When the event is catalysed.

Escalation: When the event grows in size.

Controlling: When the event is brought under control.

Rectification: Eliminating the causes of this and hopefully other events.

(The Bow Tie Model again!)

The Build-up phase may take years. Elements of the Defence in Depth will be systematically eroded, such
that an initiating event starts the sequence of events which lead to the accident. If more defences
have been eroded, the event may escalate; if not, it will be controlled.

In the example of the twisted ankle, the concrete surface may have been uneven since it was cast, but the
operator did not go near it as the normal route between A and B was five metres away. After a number of
years, new equipment may have been installed until the operator was forced to walk over the uneven
surface. The escalation may be that, when the operator fell, he/she hit his/her head on a badly placed
valve or bracket. If the medical service reacts well, the accident will be controlled quickly and the operator
taken to the medical centre. The rectification might require recasting of the concrete and relocation of, or
guarding round, the valve.

In the example of the pump seal, the build-up may involve

Change in the tolerances

Change in the installation procedure

Dust in the work shop (house keeping)

The initiation may be the movement of a piece of grit. The escalation may involve failure of a shutdown
system (if it was not tested) or emergency drills, which were not practised.

The events in the build-up phase may be hard to detect, even for the most skilled personnel; they may be
small and systematic, or they may be a manufacturing fault in a spare component. (This is not meant to be
a defence - it is a statement of reality - however, audit procedures (see above) may assist in early
detection.) The investigatory team has to consider whether historic evidence, or even plant data, will be of
use and how it may be accessed. The initiating event may be significant or insignificant. [In the case of Piper
Alpha, the initiating event was a leak of 75 kg of hydrocarbon, but the build-up had been going on for
years.] The escalation conditions will usually be self-evident.

It must be recognised that, during an incident, there will be a whole range of data, from relevant to
irrelevant. For some time it will be impossible to determine into which of the two groups an item falls, so it
is not yet called evidence. There may also be a third group: "I've never seen anything like this before!" It is
self-evident that a clear picture and self-consistent story may require careful analysis before data can
truly be categorised as irrelevant.

A simple exercise on perspective, and on the need to categorise data with care, was carried out on two
Greek and two British students. They were asked to make the following into patterns or consistent
groups:

Alpha, Cormorant, Auk, Bravo, Delta, Brent, Dunlin, Charlie

The data can be put alphabetically:

Alpha; Auk; Bravo; Brent....

Or groups of both A and both B

Alpha/Auk

Bravo/Brent

Charlie/Cormorant

Delta/Dunlin

or

Auk Alpha

Brent Bravo

Cormorant Charlie

Dunlin Delta

The Greek students put together

ALPHA

DELTA

The British students put together

Alpha/Auk, etc.

The groups were very simply

PHONETIC ALPHABET (Alpha; Bravo; Charlie; Delta)

SEA BIRDS (Auk; Brent [Goose]; Cormorant; Dunlin)

[Auk Alpha is a Shell (EXPRO) oil platform but Dunlin Delta is not]

Once a clue was given, all of the pieces fell into place - but it took time. Such is the difficulty with accident
investigation.

Investigation - General Model

There are close parallels between accident investigation on a process plant and a police investigation
into a road accident or even a murder; the comparison between a forensic study and accident investigation
is not misplaced. In this generalised model, it will be assumed the accident has occurred (or is
occurring) and the build-up and initiation are not yet disclosed.

Start

Just as the event occurs, or even just before, someone, somewhere will have heard or seen
something. This has to be captured at some time, but these people are likely to be very active in taking
control of the event and cannot be disturbed. Investigation therefore requires skilled, tactful interviewing
as well as technical analysis.

After the event, memories of the incident may be distorted or facts may be missed, so it is important
that visual records of the incident are made on video or photographic film. (Digital cameras and
video are best as the data is available immediately.) It is not a question of what should be recorded,
more a case of "anything and everything". Most will be repetition, but some of the views from
different angles will add to the three-dimensional picture and give some scale. If possible, the exact
physical location and time of each shot should be noted.

After the incident, nothing should be disturbed until a number of photographs of the area can be taken. If
time allows professional photographers should be used but, failing this, high quality prints, which can be
enlarged, are essential. Much of the information in the photographs will be irrelevant but some will be
relevant and no one can be sure at that point which is which. If possible, the area should be grid marked
for future reference. Before anything is moved, the position of each item should be noted against the grid
mark, or against a set of coordinates, and then carefully labelled. The objective should be that when
pieces of data are removed for inspection they can be replaced in the correct place and orientation,
should the need arise. The location of each piece of evidence against fixed coordinates, its orientation and
its location relative to other pieces may be critical later on in the investigation. (It will be noted the word
DATA was chosen instead of EVIDENCE - some will be evidence, but most will not).

The data can now be removed carefully, piece by piece, and stored in a safe, secure room or workshop
together with the plant records and operating parameters leading up to the incident. Immediately after the
urgency of the situation has passed, eye witnesses must be interviewed. The interviewer will be part of the
investigative team and must know what facts to seek out (see also Part B). It is essential that this is done
quickly, as time will start to distort the memory and, if eye witnesses discuss the event, the memory of a
key witness may be changed adversely. The interviewer MUST be very tactful and sympathetic to ELICIT
information (see also Audits and HAZOP). It is very likely the witness will be suffering from some degree of
shock, may be frightened and will not respond to a pressured interview. The eyewitness should be put at
ease and INVITED to write what he/she saw and heard in his/her own words.

Essential information would include:

Location of the eye witness

Approximate time (the start of the incident could be a reference but time could be distorted)

What was seen and where

What was heard and which direction it came from

What the person did then

Was more data gathered? In this case, repeat the cycle and go back to Location.

The need for tact and sympathy cannot be over-stated. The interviewee must feel confident and
relaxed with the interviewer imposing no pressure whatsoever.

The visual and audible data could be relevant, and the interviewer should encourage comparisons so that
the size or noise can be referenced for more detailed assessment. The size of a fire could be measured
against a location on a structure and the height then assessed by simple triangulation. Sounds could be
likened to "a whistle", "a jet engine" or "a squeal" - a whistle may reflect a small gas jet leak, a jet engine
a two-phase release and a squeal a reed effect on a joint leak.

When all of the data or information (still not evidence) is compiled, it is expected that there will be some
areas of agreement but there may also be some areas of conflict. All the data must still be treated as
potentially useful, but undisputed information could be treated as possible EVIDENCE and disputed
information may or may not be of use later. (See the example given earlier.)

The team would then work to consider whether it has a credible sequence of FACTS which might make some
possible scenarios worthy of further detailed development. To use the analogy of a jigsaw: the corners
may be in place, some of the sides in place, two or three other pieces fitting together and some fitted
together incorrectly; it is also possible that the pieces could be fitted together in a different order to
give another picture. At this point, it should be possible to eliminate certain scenarios with reasonable
confidence. Using the forensic analogy, there will now be some useful lines of investigation, but the
investigation team should still be very open-minded. The team can now address the hard data obtained
from the area of the incident and decide which pieces of data suggest the various pictures or scenarios.
Slowly, one or more of the scenarios will be proven wrong and can be dismissed. Some of the data
will require more detailed analysis; this may be metallurgical or microscopic. The team should also
examine historic data from plant records and operating parameters. There may be other useful
observations where someone saw/heard something before the incident (that all-embracing word!) and
feels it may be useful.

Reverting to the analogy of the jigsaw, one picture could be developing as the likely scenario, while other
scenarios are less likely (but still not capable of being rejected).

The time frame for the initial analysis may be one or two days. There will be great pressure for repairs to
progress and for production to be restarted. If there has been a massive mechanical failure, it is unlikely
that the repairs will have been effected but - even if they have been - could it happen again? If there has
been a fire, repairs are likely to take well over a day or two to complete - could it happen again and be
worse the next time? The Site Manager is now putting pressure on you to make a decision as to what
occurred,

and whether he can justify restarting production,

and HSE want to see an interim report in 2 days' time and are threatening an improvement notice,

and Sales have a potential one-off sale to be delivered in one week's time.

The pressure to produce an answer may be intense.

It is clear that destructive tests on samples must be carefully devised so as to produce the maximum
information in the shortest time with the minimum sample loss. The detailed analyses of the damaged elements
may require time, and obviously there is little point in carrying out haphazard tests that use up the entire
sample destructively and then finding that one more test was essential. In addition, all of the
possible incident scenarios may still be live: parts A of the jigsaw fit into scenario A, parts B into
scenario B, but parts (A & B) do not fit into scenario C and there is some data which fits nothing. (This is a
fairly unlikely event, but could occur.)

One other useful hint is to look for patterns in the data. These could be physical marks, or damage which
is preferentially disposed in one direction or location.

The description of the investigation has obviously been slightly overdone to make it more universal. Some
of the evidence may be so overwhelming that there is only ONE likely scenario and no further action is
needed but this will not always be the case. Slowly (and hopefully rapidly), one incident scenario will
become the probable one. The evidence should, where possible, be supported by a second set of evidence
(corroborative evidence in the forensic analogy) but there will always be a small amount of unsupported
evidence and data, which fits no scenario. The objectives, where possible, are either to prove the data is
irrelevant or to find supporting evidence.

Eventually, the whole sequence of events will be clear and there will be a very high confidence that there
is a consistent, proven story. At this point, it should be possible to predict that there should be other
evidence - this may be available already but not fully recognised or it may be necessary to find it in
metallurgical examinations or more detailed examination of the area of the incident.

At this point, it is the End of the beginning.

The Beginning of the End

The incident will have a sequence:-

Cause

Development

Result (Incident)

Correction/Prevention

The final step is to determine if the cause can be eliminated or detected or if the development can be
eliminated or detected. There are no rules for this - each situation must be treated on merit.

The End

It is possible that the final incident investigation report will have to be submitted to the HSE and must be
of high quality.

The contents may include:-

Causes

Development

Incident

Evidence

Lessons Learnt

Action

The Causes section should cover all of the causes. As already discussed, accidents do not have a single
cause but many; each cause should be discussed, and a clear recommendation or action can then be
defined based on the discussion.

The Development and the Incident will probably be fairly factual but will complement and link with the
Causes.

The Evidence may be one of the larger sections and may have to be summarised with the bulk of it put
into an Appendix. This section should record:

Photos

Interviews

Metallurgical Tests

Physical Tests

Calculations which support/confirm evidence

Evidence rejected - and the reason why it was rejected

Evidence which supports and complements other evidence

Uncertainties or gaps in this evidence

The Lessons learnt come at two levels. In the first there are the conclusions, which will complement the
Causes and flow into the Actions. The second level will be the messages, which may require to be
cascaded down through the site/company or the Industry as a whole.

The Actions are of course the recommendations, which should have a time frame. It would be slightly
naive to believe that all of the issues could be cleared up within a few days; inevitably some form of risk
ranking will be given to the recommendations, and this will influence the time frame. Some of the
recommendations may be fundamental and have to be implemented before restart of the process, but
others may be deferred and implemented within a few weeks with little risk of recurrence.

There are no hard and fast rules.

Check Lists

During the Incident

Photos

Video

Visual records

After the Incident

Close off the area

Photograph the area

Label data and its location (coordinates or grid marks with any photographs)

Remove data to a safe location

Interview observers

Collect plant records

Close out

Issue the report

Example: Incident 1

A pump handling an organic fluid at 150 °C (boiling point at 101 kPa = 80 °C) took suction at 800 kPa from a
suction drum of 10 tonnes capacity some 8 m above the pump, for reasons of NPSH and process configuration
(see the note on layout in Part D). The suction line was 40 cm in diameter and about 10 metres in total length.
The ESD valve was located about 4 metres from the pump isolation valve.

The pump was inspected routinely by a very competent fitter about an hour before the incident, as it was
intended to carry out maintenance on the water deluge surrounding that section of the plant. The fitter -
probably quite correctly - was satisfied that the bearings were in a healthy condition and that the seal was
not leaking, so the permit was issued for maintenance on the water deluge system. The deluge system was
then isolated.

Figure F 12.1.1 Simplified Drawing of Process

A little later, a fire detector sounded and a major fire was seen completely surrounding the pump. The
ESD valve (shown above) was closed and the plant shut down. The fire did not abate when the ESD valve
was closed, so either reverse flow or a passing ESD valve was possible, and extra valves were closed on the
discharge of the pump. Still the fire did not abate; the alternative explanation was that the contents of the
suction line were draining into the fire. The source of the leak was hard to locate because of the fire
intensity. The flame height was about 8 metres and the diameter about 2.5 metres, and access to the
pump suction valve was impossible.

The fire attack was carried out to cool the vessels/structure/piping within the area and to lay a foam
blanket to reduce the pool fire. It was not possible to extinguish the fire with foam, and alternative actions
such as displacing the organic fluid with water were set in place. The option of putting out the fire with
dry powder was also considered but put on hold, as the water cooling was very effective and the vapour
could reignite from hot metal. After about 12 to 15 minutes the fire suddenly self-extinguished, over an
interval of about 5 seconds.

1. Facts to date and in retrospect

Line content between the ESD valve and the isolation valve: about 400 kg of fluid.

Fire dimensions indicate a leak rate of about 0.5 kg per second (see Part E).

Fuel consumed in 12 to 15 minutes: about 360 to 450 kg.

2. Conclusion

The ESD valve was closed tight

The pump suction line was self-draining, under its own vapour pressure, through an orifice

3. Immediate Observation

The fire was confined to the close vicinity of the pump

The area for the investigation was closely defined

After the area was made safe, the damage was found to be very limited. The passive fire protection to both the
structure and the piping was in good condition, and the pump and motor had suffered no obvious damage.

The pump motor cables had been damaged and one box containing an Escape Breathing Air Set had
blistered paint.

Just before the fire self-extinguished, the fire seemed to be centred on the suction valve.
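The reconciliation behind conclusions 1 and 2 above (trapped inventory against fuel burned) can be set out as a short calculation. The Python below is an added example and not part of the original notes: it recomputes the line content from the pipe dimensions given, estimates the burning rate from the observed flame height and pool diameter, and reports whether the trapped inventory alone accounts for the fire. The liquid density (800 kg/m³), the use of the Thomas pool-fire correlation in place of whatever method Part E uses, the 15% tolerance and treating the nominal 40 cm as the inside diameter are all assumptions.

```python
"""Inventory reconciliation for the pump suction-line fire (added example).

Assumptions (not from the notes): liquid density 800 kg/m3, nominal 40 cm taken as
the inside diameter, Thomas pool-fire correlation for the burning rate, 15 % tolerance."""
import math

RHO_LIQUID = 800.0      # kg/m3, assumed for the organic fluid
RHO_AIR = 1.2           # kg/m3
G = 9.81                # m/s2

def line_inventory_kg(diameter_m, length_m, density=RHO_LIQUID):
    """Mass of liquid in a full pipe section: cross-section x length x density."""
    return math.pi * (diameter_m / 2) ** 2 * length_m * density

def leak_rate_from_flame(flame_height_m, pool_diameter_m):
    """Burning rate implied by a pool fire's height/diameter ratio.

    Thomas (still air): H/D = 42 * (m'' / (rho_air * sqrt(g D)))**0.61, where m'' is
    the mass burning rate per unit pool area. Solved for m'' and multiplied by the
    pool area to give kg/s. Used here as a stand-in for the method in Part E.
    """
    ratio = flame_height_m / pool_diameter_m
    m_flux = (ratio / 42.0) ** (1.0 / 0.61) * RHO_AIR * math.sqrt(G * pool_diameter_m)
    return m_flux * math.pi * (pool_diameter_m / 2) ** 2

def reconcile(inventory_kg, leak_rate_kg_s, t_min_s, t_max_s, tolerance=0.15):
    """Compare trapped inventory with the fuel the fire consumed.

    verdict: 'isolated'   inventory alone explains the fire (the ESD valve held);
             'fed'        more burned than was trapped (passing valve or reverse flow);
             'incomplete' less burned than trapped (liquid left in the line).
    """
    lo = leak_rate_kg_s * t_min_s
    hi = leak_rate_kg_s * t_max_s
    if inventory_kg < lo * (1 - tolerance):
        verdict = "fed"
    elif inventory_kg > hi * (1 + tolerance):
        verdict = "incomplete"
    else:
        verdict = "isolated"
    return {"inventory_kg": round(inventory_kg), "burned_kg": (round(lo), round(hi)),
            "verdict": verdict}

def incident_1():
    """Figures from the account above: 40 cm line, 4 m between ESD and suction valve,
    8 m flame on a 2.5 m pool, 12 to 15 minutes of burning."""
    inventory = line_inventory_kg(0.40, 4.0)
    rate = leak_rate_from_flame(8.0, 2.5)
    return rate, reconcile(inventory, rate, 12 * 60, 15 * 60)

if __name__ == "__main__":
    rate, result = incident_1()
    print(f"estimated leak rate {rate:.2f} kg/s")
    print(result)
```

With these inputs the line content comes out at about 400 kg and the flame dimensions give a rate of roughly 0.4 to 0.5 kg/s, so 12 to 15 minutes of burning consumes the trapped inventory and no more; a "fed" verdict would have pointed at a passing ESD valve or reverse flow instead.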

Initial Theory

There had been a joint leak, which ignited - the cause of ignition was not evident.

Detailed Investigation

The enquiry had a fairly clear boundary, which included the PUMP and its SUCTION VALVE. The system
was pneumatically leak tested. The joint on the suction valve was found to be loose and damaged, but it
was not clear whether this was cause or effect.

The pump was stripped down; the seal was found to be in quite good condition, but the bearing had failed
due to interference between the pump shaft and the inner race. The bearing was well into plastic
deformation and was probably glowing red-hot at one stage. The shaft of the pump was loose because of
the bearing failure and was probably not running concentrically. The eccentric rotation of the shaft could
have resulted in a significant leakage at the seal, which in turn would have been ignited by the red-hot pump
bearing.

The evidence was so far self-evident.

The source of ignition was found.

The initial source of leakage was found.

Why did the suction valve flange leak?

It would be unwise to assume that joints do not leak in a fire. Bolts expand and gasket compression can be lost,
with resultant leakage (see the example of a leak with a new valve design earlier). This is a fairly common
observation and probably occurred in this incident.

All of the facts are now secure except one: why did the pump seal take up again? This could be expected once
the pump was shut down and the seal faces stopped their eccentric (precessing) movement.

Actions to prevent the incident

Interference failure in bearings is not common and is best controlled by good bearing
specification and workshop practice, both of which were in place on that site.

Seals can be reinforced with secondary seals such as double mechanical seals or lip seals. Lip
seals were fitted following this event.

Joints can use simple gaskets or spiral-wound gaskets. Spiral-wound gaskets were fitted
following this event.

Because of the long suction line, fire walls some 2 to 3 metres from the pump, with extended suction
valve spindles, were fitted so as to give a second isolation should the ESD valve leak or
fail to close.

Rapid plant depressurising procedures were developed using internal recycle of flashed, cooled
fluids.

This was a very simple incident where the observations of many people before and during the incident were
fully corroborated by the evidence. It was one of the few incidents that could have been defined as an "Act of
God", as all of the checks had been carried out in a thoroughly professional manner.

Example: Incident 2

This example refers to the failure of a turbine blade while on line. The main point is not why it occurred but
the difficulty in reading or interpreting the data. The diagram below shows the two faces of a reaction
turbine blade: the active face, to the front, is the main face which the gas should contact, and the inactive
face is the reverse face.

Figure F 12.2.1 Failed Blade (the failure line is marked on the drawing)

The photo below (F 12.2.2) shows:

On the left, the stub of the Tee root with the failure line off-set. This is fairly typical of the failure of a
turbine blade, the root being the most highly stressed section.

At the top is one of the rubbed, but not failed, blades. Below it is the failed blade. Note
the wear and plastic deformation. It was hot!

Photo F 12.2.2 Failed Blades Showing Damage

Note the silver edge to the blades above. This is on the non-active face, the exhaust side away from the
main flow.

Why? It had been impacted by water in the exhaust duct, which had accumulated during minor shutdowns,
so creating a cyclic bending moment leading to the fatigue crack. Metallurgical analysis showed this to be
very high cycle fatigue, so it had been occurring on and off for many years, but each episode lasted only
a few minutes. It took a number of hours and different lighting regimes to see these marks. The
positioning for the photo was chosen to highlight the marks.

The root cause was poor design and understanding of the implications. Would a HAZOP have identified
this potential? YES!

Example: Incident 3

This incident has elements of "I have never seen this before!" and "I don't believe it!" However, it is a
very good example of everything coming together in a coherent story.

Before the incident is described, it is necessary to give some background information to assist in the
understanding of the whole incident.

A simplified process flow diagram of the essential elements of the plant is shown below. Process gas
containing oxides of nitrogen is compressed to about 2.5 bar gauge (350 kPa absolute) with a discharge
temperature of about 200 °C (473 K). As the gas is to be fed to an absorber, it must first be cooled in an
interchanger, the heat being used in a power recovery turbine. The absorbent was water, and the lean gas
leaving the absorber passed through the interchanger, through the power recovery turbine and then on to an
effluent vent stack. The cycle is fairly typical of many used in the process industry and is not complicated.

Figure F 12.3.1 Process Flow Diagram of Absorber and Compressor

It is now necessary to consider some vibration characteristics of machinery. A vibration signal from any
machine will display harmonics of its rotational speed and, if it is driven by a motor and gear box, gear
mesh frequencies (and their harmonics) will be found as well, together with mechanical and electromagnetic
vibration from the motor. These signals are usually quite low when measured on the compressor. The
rotational frequency of the compressor is usually the dominant component and reflects the residual
unbalance in the rotating shaft.

The figure below is a good vibration signature - assuming the total vibration level is low.

In this case the compressor ran at 100 Hz (6000 RPM); the main component represents residual out of
balance and there would be no concern for mechanical integrity. The minor feature at 150 Hz is again
typical of vibration transmitted from the motor along the support plinth.

THIS WAS A TYPICAL SIGNAL FOR THIS UNIT AND FOR ANY OTHER MACHINE OF ITS TYPE.

The magnitude of the harmonics relative to the rotational speed component, and their axes of propagation,
is a clue for diagnostics. Raised second harmonics may indicate minor coupling stiffness or
misalignment. Raised third and fourth harmonics may indicate misalignment. In addition to the
frequencies already mentioned, very low-level signals from natural frequencies can sometimes be
detected.

For a number of reasons, the natural frequencies of the various elements of this machine had been
measured by static excitation tests and rotational run-down tests; the shaft-bending frequencies were
known, as were those of most of the rotating elements. These data will be introduced later.

Figure F 12.3.2 (normal signature)    Figure F 12.3.3 (signature measured one day)

Figure F 12.3.3 was a signal measured one day. As the magnitude (vertical scale) is logarithmic and
the frequency (horizontal scale) is linear, the change is very significant and represents a doubling
of the vibration level. The rotational and second harmonics had not changed but the third and fourth
harmonics appeared to have risen, indicating some disturbance to the alignment of the compressor. For five
to ten minutes these signals did appear to give real cause for concern, as the signature appeared to be
correct. The small spike on the right hand side of the third and fourth harmonics seemed to be new, but it
was only when the two plots, the old Fig F 12.3.2 and the new Fig F 12.3.3, were superimposed that it was
realised that there were two new signals, at 290 Hz and 390 Hz, corresponding to the two natural frequencies
of the turbine disc. (The horizontal line links the 3rd and 4th harmonics of rotational speed, 300 and
400 Hz.) The magnitudes of the harmonics had not changed. The shapes of the vibrating modes and the
frequencies, which had been determined some months before, are shown below; the lines represent the nodes
of the vibration.

290 Hz                                390 Hz

Figure F 12.3.4 Modes of vibration of the power recovery turbine disc

The musical and physics purists might note that the interval between the natural frequencies is not what
might be expected. How does one show a nodal circle in a drawing? That is two nodes, one at the hub
and the other about midway between the hub and the periphery of the disc. This does not alter the
message.
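As an added worked example (not part of the original notes, and not the plant's own monitoring system), the following Python reproduces the diagnostic step described above: a baseline spectrum is compared with a later one, any line present now but absent from the baseline is reported, and each new line is classified either as a multiple of running speed or as a match to a known natural frequency. The signals are synthesised (constructed data): the 1000 Hz sample rate, the amplitudes, the 0.02 peak threshold and the 2 Hz matching tolerance are all assumptions, while the 100 Hz running speed, the 150 Hz motor component and the 290 Hz and 390 Hz disc modes are taken from the text. A direct DFT is used so that no third-party library is needed.

```python
"""Baseline-versus-current vibration spectrum comparison (added illustration).

All signals below are synthesised: a 100 Hz running-speed component with its
2x, 3x and 4x harmonics plus a 150 Hz motor/plinth component, and a second
record with the two assumed turbine-disc modes (290 Hz and 390 Hz) added.
Sample rate, amplitudes and thresholds are assumptions chosen so that one
second of data gives bins exactly 1 Hz apart.
"""
import cmath
import math

FS = 1000               # sample rate in Hz (assumed)
N = 1000                # 1 s record -> 1 Hz bins
PEAK_THRESHOLD = 0.02   # ignore lines below this amplitude (assumed)


def synthesise(components, n=N, fs=FS):
    """Sum of sinusoids; components maps frequency (Hz) to peak amplitude."""
    return [sum(a * math.sin(2 * math.pi * f * t / fs) for f, a in components.items())
            for t in range(n)]


def spectrum(samples, fs=FS):
    """Single-sided amplitude spectrum by direct DFT (no numpy needed).

    Returns {frequency_hz: amplitude}. A sinusoid that falls exactly on a bin
    comes back with its own peak amplitude, so the numbers are comparable
    between records.
    """
    n = len(samples)
    mags = {}
    for k in range(1, n // 2):
        step = cmath.exp(-2j * math.pi * k / n)   # twiddle factor for bin k
        tw, acc = 1 + 0j, 0j
        for v in samples:
            acc += v * tw
            tw *= step
        mags[k * fs / n] = 2 * abs(acc) / n
    return mags


def peaks(mags, threshold=PEAK_THRESHOLD):
    """Keep only the lines that stand above the (assumed) noise floor."""
    return {f: a for f, a in mags.items() if a > threshold}


def classify(freq, speed_hz, natural_freqs, tol=2.0):
    """Label a line as synchronous (a multiple of running speed), as a known
    natural frequency, or as unexplained. tol is the matching window in Hz."""
    order = round(freq / speed_hz)
    if order >= 1 and abs(freq - order * speed_hz) <= tol:
        return f"{order}x running speed (synchronous)"
    for nf in natural_freqs:
        if abs(freq - nf) <= tol:
            return f"natural frequency {nf} Hz excited (non-synchronous)"
    return "unexplained non-synchronous component"


def compare(baseline, current, speed_hz, natural_freqs):
    """Superimpose the two spectra: list the lines present now but absent
    from the baseline, and classify each of them."""
    base_peaks = peaks(spectrum(baseline))
    cur_peaks = peaks(spectrum(current))
    new = sorted(f for f in cur_peaks if f not in base_peaks)
    return {
        "baseline_peaks": sorted(base_peaks),
        "new_peaks": new,
        "classification": {f: classify(f, speed_hz, natural_freqs) for f in new},
    }


def example():
    """The scenario from the notes, with constructed amplitudes."""
    normal = {100: 1.0, 200: 0.2, 300: 0.05, 400: 0.05, 150: 0.1}
    disturbed = {**normal, 290: 0.3, 390: 0.25}    # disc modes now excited
    return compare(synthesise(normal), synthesise(disturbed),
                   speed_hz=100, natural_freqs=[290, 390])


if __name__ == "__main__":
    for f, label in example()["classification"].items():
        print(f"{f:.0f} Hz: {label}")
```

Superimposing the plots by eye is what found the 290 Hz and 390 Hz lines in the incident; compare() does the same arithmetically, and the classification step is what separates a genuine alignment change (a raised 3x or 4x line) from excitation of a disc mode only a few hertz away from it, which is the distinction that took five to ten minutes to make by inspection.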

The only credible explanation was impact on the turbine disc, BUT all process parameters were within the
normal range.

I have never seen this before!

Alarm bells were beginning to sound, SOMETHING was not right.

A week later the machine shut down on activation of the high vibration trips; so many were activated that
there had clearly been a major failure of the rotating assembly. The only action to be taken was to open
the machine to find out what the damage was and where.

Twelve hours after the shut down it was found that one of the turbine blades was MISSING. It was
subsequently found in the exhaust duct. The failure was due to fatigue at the tee root.

WAS THE VIBRATION SIGNAL TAKEN A WEEK PREVIOUS TO THE FAILURE SIGNIFICANT?

The two pieces of data did indicate that there might be some significance.

It is now necessary to add one more element of engineering fact. There are two faces to an impulse
turbine blade (such as these): the active face, where the fluid (gas in this case) impacts, and the
inactive face shown below.

Figure F 12.3.5 Active/Inactive Faces of Impulse Turbine

Yet on more detailed analysis small pits were seen on the inactive face (Photo F 12.3.1).

I have never seen this before!

It is now necessary to revert to theory and to consider the vector diagram for the turbine:-

Figure F 12.3.6 Vector Diagram for Gas and Liquid Flows

: vector angle for shock-free entry. This would not explain the small pits!

SOME DATA WAS MISSING! What could have hit the blade? The following are possibilities:

Solids - unlikely, as the pits were rounded, not sharp.

Water - steam turbines can handle water in mist form, so this seemed unlikely.

BUT what if the water was not in mist form?

If the water was not in a mist, it could hit the inactive face, as shown by the vector diagram, Figure F 12.3.6.

BUT WATER IS IN THE VAPOUR PHASE AT 170°C (443 K) AND 2.2 bar gauge (about 320 kPa absolute)

I DONT BELIEVE IT!

The evidence is now pointing to the impossible, which appears to have occurred.

Consider now the shape of the turbine admission path: a toroid with a dividing septum used for control.

Figure F 12.3.7 Turbine Admission Toroid


The admission toroid was in three sections, 50%, 33.3% and 16.7%, with two valves at the equator sectioning
the flow and so allowing control of the absorber pressure. As these were both fully open they have not been
shown. The septum was an essential element of the segregation. The acceleration at the inlet was of the
order of 9000 m/s² (roughly 900 g), so mist could be separated and enter the turbine as a discrete jet at
the septum and produce the pitting found on the turbine blades.

IF the theory is sound, the following evidence should be found:

1. Patterns would be seen on the admission valves to the two sectors.

2. Secondary pitting on the static blades would be found near to the septum but not elsewhere.

Photo F 12.3.1

Both were found. See photo above.

The left hand blade is the inactive face of the stator blade located near the septum. The impact zone is
tinged red/brown; only part has been impacted, as the left hand part is shielded from impact by other
blades. The right hand blade is the inactive face of the rotor blade. The right part of the blade is the
impact zone, but the left, more shiny, part is shielded from impact by the other blades, as the cross section
of the path is that of a venturi, required for sonic flow. The detail is more evident in colour and is nearly
lost in black and white.

The theory so far holds good but the laws of equilibrium are still being broken - or are they? Was
equilibrium established? The time of passage from the inlet of the interchanger to the turbine would be 2
or 3 seconds. The droplets would start to boil, but it is entirely possible that they would not complete
their vaporisation in the transit time, the process being a balance between heat and mass transfer; the
boiling film would inhibit heat transfer into the droplet. It is credible, but only just credible.

The plant records were examined in fine detail. For up to one hour at a time, possibly once a month, the
inlet temperature to the turbine would drop by 10°C: not enough to create massive droplets, but this was a
non-steady-state event which was worthy of further analysis.

Fact:

Water had passed through the turbine.

Evidence:

1. Pitting patterns on the stator and rotor blades

2. Vibration signal

probably supported by

3. Temperature variations.

Once again it is necessary to resort to some theory. Jet flooding can occur if a sieve tray is not properly
irrigated (or is only partially irrigated), so a simple experiment was carried out to illustrate this. A
simple sieve tray was built in a laboratory using air and water as the test media. When the air was turned on
to the tray first and the water added second, the water hitting the tray sprayed out of the test rig; none
fell through the tray. When the water was added first and then the same airflow established, no spray was
detected.

THE THEORY IS NOW GAINING CREDIBILITY.

1. COULD IT BE PROVED?

2. WHY DID IT OCCUR INTERMITTENTLY?

3. THERE IS NOW PRESSURE TO RESTART THE PLANT!

A drain was fitted at a bend downstream of the interchanger, which would act as the definitive proof of
the theory. If jet flooding did occur, it was most likely to occur at start up or at upset times, such as an
interruption of the absorbent flow or even during a process transient.

Following restart, water was detected at the sample point in variable quantities, from a trickle to more
significant flows. Given the more significant water flows, the temperature variations at the turbine inlet
were explicable. The theory was now 99% proven, BUT the 1% doubt still existed until an operator was
asked "Have you ever noticed SOMETHING odd?" The reply was "No,..... never,....., but I have seen a
white mist at the vent stack once or twice during a start up."

The theory is now 100% proven.

This incident occurred many years ago and the investigation took about three days. It had a mixture of
evidence, some of it found before the incident, which was vital in giving direction to the formal
investigation. This was very fortuitous.

The elimination of the problem required a complete review of the start up process. The root cause was
probably associated with the start up sequence, but was probably precipitated by a 10% increase in plant
throughput a year or two before the failure.

The initiation was probably the rate change.

The escalation was probably the transients such as start up or process upsets.

It is very unlikely that a HAZOP or Management of Change procedure would have identified the final
outcome.

Other Reading

The Health and Safety Executive have produced an excellent report: The fires and explosions at BP Oil
(Grangemouth) Refinery Ltd, 1989, ISBN 0 11 885493 3, HSE.

This also describes the sequence of events during the investigation of the incident on the hydrocracker at
Grangemouth. The one event not described is the flight of some of the fragments; that was interesting
but not pertinent to the critical event.

F 14 Human Error

These notes were written before the publication of HSG 48

There are many books written on this subject, and Industrial Psychologists frequently develop new theories
and write books and papers on it. Human error is a misnomer; the error occurs because of
deficiencies in:

(1) Training/Instructions
(2) Knowledge/Competence
(3) Design/Construction
(4) Personality
(5) Stressful situations/information overload
(6) Pitfalls put in the way of the human (confusion)
(7) Health
The brain can also fail due to:

Mind set
Cognitive Dissonance
Mental Overload
Panic

Health can be dealt with quickly. Some operators have drink or drug problems, and shift work allows the
night shift operator to have a few drinks before coming on shift. If the law states that more than 80 mg of
alcohol per 100 ml of blood is above the limit for driving a car then, first, if that person drives to work
he/she is driving illegally and, second, if he/she is not fit to drive a car, he/she is not fit to drive a
process plant or do the work of the day. Any drug or alcohol use is likely to impair performance, and the
Manager must be alert to those who have such problems; disciplinary action should be taken. Many companies
now carry out routine urine analyses for evidence of drink and drug abuse.

The physical health of the operator is self-evident: being sound of wind and limb. Back injuries are
common and easily exacerbated, and if the operator cannot carry out all functions fully and well, errors
will result. The psychological health of an operator can also result in errors.
The operator can be put under undue psychological stress, leading to impaired performance, due to:
Financial worries

Health worries

Marriage worries

Family worries

The good Manager should be alert to the warning signs, using the Look! Listen! Feel! technique, and seek
the assistance of Supervisors in identifying operators with health problems.
Returning to the list.

Training/Instructions

Continuing Professional Development is now a requirement for all Professional Engineers. There are
moves elsewhere in the world for a positive demonstration of this training for the maintenance of Professional
(Chartered) status. (The author has to submit a five-yearly report on his competence to maintain his
position on the Register of Process Safety and Loss Prevention Specialists; why should we not expect this
of all staff at whatever level?)
All staff require training before they start a task or job and while in that job (Continuing Professional
Development). The training should not be left to the team (who tend to hand down custom and practice,
and not necessarily best practice) but should be given by a skilled team of trainers who can ensure that the
team members have the appropriate skills, be they operators or engineers. One event where inadequate
operator training resulted in an incident concerned the recording of the suction pressure of a fuel pump. The
record was important as the fluid handled was waxy when cold. The operator did not know why this was
necessary or important, nor did he care, until, on one very cold night, the suction pressure fell and the plant
was shut down. The training was totally incomplete: no one had given this operator an understanding of
the operating parameters of the pump, and the author must accept the blame for this (the buck stops at
the top). There is a fine balance between teaching Granny to suck eggs and leaving the procedure too
loosely defined. It is necessary to ensure that all of the parameters in a procedure are clearly defined; this
should include timing and co-ordination as well as the physical parameters. Refer back to Procedures, where
procedures are discussed in detail, and also to Audits. There it was noted that it may not be necessary for a
Surgeon to have a written procedure (however finely practised it will be) but it may be appropriate for a Car
Mechanic to follow the Workshop Manual.

Process plants are becoming ever more complex and require more and more knowledge and skill to
handle even routine operations. This means that procedures must be written properly and all who use
them should be shown, by means of careful training, how they should be carried out. The Military train
members in skills so that they become reflex actions; the Air Force practise low flying and evasion, while
athletes train both physically and mentally and practise the event for perfect timing and co-ordination.
Training in handling routine operations and in handling emergencies are essential features of safe operation.
If a mistake is due to poor training or instruction it is not human error, it is a Management Error. There
were elements of poor training and procedures in the Chernobyl and Piper Alpha disasters.
Example:
The following discussion of Three Mile Island (3MI) may help to clarify this:
Three Mile Island

The following is an extract from an ICI newsletter (IChemE) dated February 1982. It is just as valid now.

1. An operator carried out a routine task and initiated the event. Would your Management
Systems have prevented this?
2. The warning light on the PORV could have given false information, as it was not tested properly.
Would your Management Systems have recognised that this was a major safety system?
3. The operators' overall knowledge was very limited, as they did not recognise the relationship
between pressure and temperature. Would your training cover this?
This incident did not occur in Britain, but can you be confident that all of your systems would have
prevented it? There were not only training/procedure/supervision deficiencies in the example but also a lack
of knowledge; in addition the design was poor, and stress and pitfalls were put in the way of the human.
Description of the Power Station
The figure below is a simplified diagram of a pressurised water reactor, the type used at Three Mile Island.
Heat was generated in the core by radioactive fission. The heat was removed by pumping primary water
round a loop. The water was kept under pressure so that it did not boil. (It was called a pressurised water
reactor to distinguish it from another type, a boiling water reactor.)
The primary water gave up its heat to the secondary water, which in this case did boil. The steam drove a
turbine and was condensed, and the condensate was recycled. (This is a conventional power cycle.)
All the radioactive materials, including the primary water, were enclosed in a containment building so that
any radioactivity would be contained if there were a leak from the process.
In the following, the sequence of events is described and, at each step, the lessons for the industry as a
whole.

Phase A - How the trouble started


The secondary water passed through a resin polisher unit to remove traces of impurities. There were
several parallel paths and one of them choked.
Less attention was paid to the design of this off-the-shelf ancillary unit than to the design of the main
radioactive equipment. Its reliability was not studied to the same extent and its failure led to the incident.
To try to clear the choke, the operators used instrument air to displace the obstruction. The air pressure
was lower than that of the water, so water was pushed into the instrument air lines. (There was a non-return
valve in the line but it was faulty.) (This is stupid in the extreme! Instrument air should never be
used for line blowing, for two reasons: air is in limited supply, and its quality (dryness) must be
maintained, as the consequence of contamination with water would be rust, resulting in erratic control.)
The water in the instrument air lines caused several instrument failures and at a later date the turbine
tripped. This stopped the removal of heat from the radioactive core. The production of heat by fission
stopped automatically within a few minutes. (Silver rods drop down into the core. They absorb neutrons
and stop radioactive fission.) However, the heat produced by radioactive decay (about 6% of the normal
load) still had to be removed. The heat from radioactive decay caused the primary water to boil, the pilot
operated relief valve (PORV) on the primary circuit to lift and the make-up water pumps to start up
automatically to replace the water evaporated from the primary circuit.
Unfortunately the PORV stuck open.

Figure F 12.1 A pressurised water reactor - simplified

Phase B - How the trouble got worse over the next two hours
The operators did not realise that the PORV was stuck open, as a light on the panel told them that it was
shut. However, the light was not operated by the valve position but by the signal to the valve. The
operators did not know this (or had forgotten).
Several other readings should have suggested to the operators that the PORV was stuck open and that the
water in the primary circuit was boiling:
The PORV exit line was hotter than usual (140°C instead of 90°C) but this was thought to be due
to residual heat.

The pressure and temperature of the primary water were lower than usual.

There was a high level in the containment building sump.

The primary water circulation pumps were vibrating.

On the other hand, the level in the pressuriser was high, as it was raised by bubbles of steam.
The operators chose to believe the PORV position light and the pressuriser level and to ignore or explain
away the other readings, probably because:
They did not really understand how the temperature and pressure in the primary circuit
depended on each other and when boiling would occur.

Their instructions and training had emphasised that it was dangerous to allow the primary
circuit to get too full of water. Their instructions and training had not told them what to do
if there was a small leak of primary water (though they had covered a major leak, such as a
pipe break).

The operators thought the PORV was shut, conditions were clearly wrong and their training had
emphasised the danger of adding too much water. They therefore shut down the make-up water pumps.
On other occasions, at other plants, PORVs had stuck open but the lessons of these incidents had not
been passed on to the operators at Three Mile Island.
Phase C - How the damage occurred

With the make-up water isolated, the level in the primary circuit fell. The top of the radioactive core
was uncovered. The steam reacted with the zirconium cans which protect the uranium, and hydrogen was
formed. (See also Chernobyl in Part H.)
Meanwhile the steam which was discharging through the PORV was condensing in a drain tank,
overflowing into the containment building sump and being automatically pumped outside the
containment building.
Changes in design could have minimised these consequences but the lessons are not of general interest.
It was 2 hours before damage started. Correct diagnosis at any time during those 2 hours would have
allowed a full recovery, but the operators had made their diagnosis and stuck to it although the evidence
against it was overwhelming. They had a mind-set.
Many interesting psychological experiments have demonstrated the fixating power of premature
judgements. In one experiment, colour slides of familiar objects, such as a fire hydrant, were projected
upon a screen and people were asked to try to identify the objects while they were still out of focus.
Gradually the focus was improved through several stages. The striking finding was this: If an individual
wrongly identified an object while it was far out of focus, he/she frequently still could not identify it
correctly when it was brought sufficiently close so that another person who had not seen the blurred
vision could easily identify it. What this indicates is that considerably more effort and evidence is
necessary to overcome an incorrect judgement; hypothesis or belief than it is to establish a correct one. A
person who is in the habit of jumping to conclusions frequently closes his/her mind to new information
and limited awareness hampers creative solutions.
E Raudsepp, Hydrocarbon Processing, September 1981, p291
Some General Lessons

The reports on Three Mile Island give the impression that many of those concerned believed that, if they
followed all the regulations, they must be safe. All they needed to do to achieve a safe plant was to follow
the rules.
We get less of this attitude in the UK because, instead of a lot of detailed regulations, we have a general
obligation to provide a safe plant and system of work. Nevertheless signs of this attitude appear from
time to time. Whenever the HSE are being particularly demanding, someone is tempted to say "Just do
what they want".

Many recommendations have been made for improvements to the Three Mile Island design. To quote the
Kemeny Report, "While many of the proposed fixes seem totally appropriate, they do not come to grips
with what we consider to be the basic problem. We have stated that fundamental changes must occur in
organisations, procedures and, above all, in the attitudes of people. No amount of technical fixes will
cure this underlying problem."
There was so much concern with major failures, such as a complete break of a primary water circulation
pipe, that smaller but more probable incidents were ignored. There was a belief that if large-break
incidents could be controlled, there was no need to worry about less important accidents.
At Three Mile Island much went wrong, but no one was injured. (However, because Three Mile Island is
shut down more coal has to be mined and burning it will cause more pollution; the mining and the
pollution may cause extra deaths, perhaps two per year.) The incident showed how safe nuclear power
stations are, but nevertheless it has seriously damaged the reputation of the nuclear industry in the US and
has set back the nuclear power programme.
Extract from ICI Safety Newsletter written by T A Kletz
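The PORV lamp repeated the signal sent to the valve, not the valve's position, so the panel was reporting what had been commanded rather than what had happened. As an added example (not part of the Kletz extract, and not code from any plant), the following Python shows the kind of plausibility check that would have flagged the disagreement: the indicated state is never accepted on its own but is compared with the independent symptoms the extract lists, and a discrepancy is raised once enough of them contradict the lamp. The 90°C and 140°C tailpipe temperatures come from the text; the primary pressure values, the margins, the corroboration count of two and the readings themselves are constructed for the example.

```python
"""Cross-checking a command-echo indicator against independent evidence.

Added illustration. The lamp at Three Mile Island showed the signal sent to
the PORV, not its position, so the checker below never trusts the lamp by
itself: it counts the independent symptoms listed in the extract and raises
a discrepancy once enough of them contradict the indicated state. Only the
90 C / 140 C tailpipe temperatures come from the text; the pressure values,
margins, corroboration count and the readings are constructed.
"""

NORMAL_TAILPIPE_C = 90.0          # from the extract: usual PORV exit-line temperature
TAILPIPE_HOT_MARGIN_C = 30.0      # assumed: this much above normal implies flow
NORMAL_PRIMARY_PRESSURE_BAR = 150.0   # assumed normal primary-circuit pressure
PRESSURE_LOW_MARGIN_BAR = 10.0    # assumed
CORROBORATION = 2                 # assumed: symptoms needed before overriding the lamp


def symptoms(reading):
    """Independent indications that the PORV is passing, regardless of the lamp.

    The pressuriser level is deliberately not used: the extract notes it was
    raised by steam bubbles, so it points the wrong way in exactly this fault.
    """
    found = []
    if reading["tailpipe_c"] >= NORMAL_TAILPIPE_C + TAILPIPE_HOT_MARGIN_C:
        found.append("tailpipe hotter than normal")
    if reading["primary_pressure_bar"] <= NORMAL_PRIMARY_PRESSURE_BAR - PRESSURE_LOW_MARGIN_BAR:
        found.append("primary pressure low")
    if reading["sump_level_high"]:
        found.append("containment sump level high")
    if reading["pump_vibration"]:
        found.append("primary circulation pump vibration")
    return found


def assess(reading):
    """Return (verdict, symptoms). The lamp only says what was commanded, so a
    verdict is only 'consistent' when the physical evidence agrees with it."""
    found = symptoms(reading)
    lamp_says_closed = reading["porv_lamp"] == "closed"
    if lamp_says_closed and len(found) >= CORROBORATION:
        return ("DISCREPANCY: PORV indicated closed but %d symptoms say it is passing"
                % len(found), found)
    if not lamp_says_closed and not found:
        return ("DISCREPANCY: PORV indicated open but no flow symptoms", found)
    return ("consistent", found)


# Constructed readings: a normal state and one shaped like the TMI state.
READINGS = [
    {"t": "04:00", "porv_lamp": "closed", "tailpipe_c": 88.0,
     "primary_pressure_bar": 151.0, "sump_level_high": False, "pump_vibration": False},
    {"t": "04:30", "porv_lamp": "closed", "tailpipe_c": 140.0,
     "primary_pressure_bar": 120.0, "sump_level_high": True, "pump_vibration": True},
]


def run(readings=READINGS):
    """Assess each reading; returns a list of (time, verdict, symptoms)."""
    return [(r["t"],) + assess(r) for r in readings]


if __name__ == "__main__":
    for t, verdict, found in run():
        print(t, verdict, found)
```

The point of the corroboration count is that any one symptom has an innocent explanation (the hot tailpipe was put down to residual heat), but the operators explained away four of them at once while believing a lamp that could not, by construction, know the valve's position; a check that counts independent evidence against the commanded state removes that option.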
Knowledge/Competence

In summary, the Three Mile Island incident was caused by lack of training and poor instructions, coupled
with poor procedures.
All professional persons have an annual assessment of their performance (annual appraisal) which
highlights strengths but also identifies weaknesses in knowledge or competence. Knowledge should be
appropriate to the task being performed; this may be a statement of the obvious, but there are many
unreasonable expectations laid on all levels of staff. In many cases knowledge is an accumulation of facts
from different spheres of Engineering or Science, and not all are relevant at any one time. It was
recognised that "green" petrol had a high benzene concentration long before there was a drive to reduce the
benzene content (benzene is a carcinogen), but did everyone know this, and was it important to the
motorist? On the other hand it is vital when issuing a permit to enter a storage tank.
In many cases operators and engineers are put in a position where they do not have all of the facts or the
knowledge base; this does not mean that they are incompetent, but it does predispose them to error. In
the example of Three Mile Island the operator may not have appreciated the impact of water in an
instrument air system (lack of knowledge); this did not necessarily make the operator incompetent if he
had not been told of the potential. It is important therefore that all staff are given, or acquire, the
knowledge required to fulfil their task fully and well, and that their performance is verified. Staff should
be instructed in the hazards that they will have to address and trained in the means of avoiding or handling
them if they do occur.
In a cryogenic plant the operators must be taught the hazards of low temperature fluids, and in a
hydrocarbon production plant the operators must be taught the hazards of flammable fluids.
The best way to explain this is to illustrate the problem with a real incident which occurred some years
ago. The process compressors of a gas plant were driven by steam turbines fed by both a fixed flow of
waste heat steam and a variable flow of steam from boilers. The boilers tripped off line and the steam
main pressure fell, gathering momentum as power demand exceeded power supply. The plant was in a
death spiral. This author immediately went to one compressor and shut it down, as he knew that the
power demand of the compressors was fixed and the power had to be supplied by the steam turbines; he
also knew (from University) that the turbines operated on (Mass Flow x Enthalpy Drop). As the steam
main pressure fell, the enthalpy drop would also fall, which in turn would increase the demand for steam,
which was already in short supply. If prompt action had not been taken, the whole plant would have shut
itself down. The author had been given knowledge of steam systems at University and could deduce what was
happening; he did not expect his Supervisor to make that deduction, nor did he anticipate this event. The
Standing Instructions were amended.
Design/Construction

Often a design puts a manager, supervisor or operator at a disadvantage which results in errors. These
errors can be short cuts (OUCH!!) or a different, non-standard mode of operation.
The simplest example is valve access. Occasionally valves are inaccessible from a normal access area and
an extended hand-wheel or chain-operated valve is installed. Inevitably the extended hand-wheel sticks and
is removed, and the operator climbs onto the pipe track to operate the valve. The operator is then charged
with "human error" when an ankle is twisted. The chain operator is not easy to use, and again the
operator cannot be charged with "human error" if the valve is not properly closed or the operator is
lassoed by the loose chain.
Another example of poor construction resulted in two valves being placed close together which routed
fluids to two different locations. The labelling was poor and inevitably the wrong valve was selected,
with the unexpected discharge of fluid in the wrong location. This was not human error but a
design/construction error.
Likewise the layout of a control panel or a page on a TDC screen can give the operator every opportunity
to misread a signal or alarm, whereas attention to ergonomics would have resulted in a more readily read
display.
It is to be hoped that with modern hazard identification techniques most major problems will be identified
and corrected before they become problems; however, many silly items still slip through this net.
A hot oil circulation round the bottom of a scrubber column was cooled by a water cooler and a three-way
control valve. The oil temperature was critical: once it rose more than a few degrees above the control
value, the oil became viscous and difficult to pump. For ten years the temperature was constant and was
routinely logged at 155°C. One day the temperature was noted at 158°C and rising. There was no
high temperature alarm, so the operator was not concerned. The three-way control valve used to control
the column parameters had stuck in the wrong position due to some debris in the valve seat, and the oil
viscosity had reached an unacceptable level such that the flow through the cooler was far too low to
remove the heat load. The process was in a spiral. The situation was recovered by stroking the valve to
free the debris. The operator was not in error; the design was deficient in warnings and the instructions
did not cover this situation.

Trevor Kletz notes the problem with the engagement of the ground spoiler on a DC-8 airliner. (The ground
spoiler was a braking mechanism to slow the plane once it had landed.) The engagement was either
automatic on touchdown by a LIFT of the lever or manual after touchdown by a PULL of the
lever. One day a pilot PULLED the lever on approach, with the resultant crash. The pilot was not in error;
it was a design/construction error put in the way of the pilot. (This is almost identical to the causes of the
crash of a B737 on approach to East Midlands Airport some 30 years ago; basically it was pilot confusion.)

A new low-pressure tank, with a level float inside a guide tube, was fabricated on the site. The guide tube,
as delivered to site, was not perforated along its whole length, so that the top two feet formed a
trapped pocket of gas. One day the operator noted that the level had been near the top of the tank but
had then stopped rising; the operator assumed that the feed had stopped. The alarm operated off the
same guide tube, so the operator was convinced there was no feed. The fluid continued to flow into the
tank; the pressure/vacuum valve opened and discharged fluids into the bund. Was this a design or a
construction error? It was not an operator error!

Personality

Some persons are not able to make accurate decisions when confronted with a plethora of complex
information; they freeze and do nothing (information overload, see later). This is sometimes called panic,
but it is more realistic to put it down to organic make-up or lack of training.
Some persons are strong-minded and believe, rightly or wrongly, that they know best; they develop a
mind set (as discussed earlier), and such a person is likely to deviate from a fixed procedure believing that
he/she is doing the correct operation. This is the psychological make-up of the person and may
override any training or knowledge base (or maybe the knowledge base is in error).

Some persons may feel a fellow member or supervisor of a team is setting on them and as a result they
become reclusive and depressed. This will dull the decision-making skills, performance and reaction to
unusual situations.

A variation on this may be the domineering Manager or Supervisor who challenges the competence of
an employee, or who is unable to accept advice from someone (or is unable to recognise the value of the
advice) and adopts a superior attitude. The end point is usually a comment such as "Come on, make up
your mind" or "Is this the best you can come up with after ** days!" The employee will rapidly learn that
the best solution is to give the Manager what he wants, NOT the correct action.

A variation of the above is a blame culture (discussed earlier) where everyone is in fear of making a
mistake because of the retribution that might result or fear of blame or recriminations. As a result the
employee overlooks situations or avoids taking the correct decision such as highlighting a possible
hazardous situation or procedure. (This is a case of keeping the head below the parapet.)

Stressful Situations/Information Overload

Human performance falls off with boredom and with information overload. Peak performance is
reached when there is just enough activity to keep the person alert and on their toes. Human error
tables are produced for normal situations and many protective systems are designed on the basis of a
certain level of operator error; see Table F 13.1. In the more hazardous industries (and this includes
Nuclear Power Stations) it is assumed that the operator takes no action, or takes the worst possible
action, for up to 15 minutes.
The following are some examples of errors induced, possibly by stress:

Table F 13.1 Error Probabilities with Stress

Type of Operation | Error Probability
Complicated, non-routine, in extreme emergency | 25% (0.25)
Non-routine, other duties at same time | 10% (0.1)
Routine, requires care | 1% (0.01)
Routine, simple | 0.1% (0.001)
Simplest possible operation | 0.01% (0.0001)

An example of freezing on a plethora of information occurred some years ago. An electrolytic cell (for
the production of Chlorine) was fitted with oxygen alarms in the hydrogen stream. One day the alarm
sounded and the first up alarm print out produced a stream of O2 Alarm signals. The operator could not
access any other data so could not make any realistic decisions - until there was the inevitable explosion.

Some elements of Three Mile Island discussed earlier could be put down to a stressful situation or
information overload.

Many years ago in ICI a similar sequence of events to those on Piper Alpha resulted in the death of three
persons. The shift supervisor, returning from his shift break, was confronted with the repair of a vital oil
pump on a Crude Oil Distillation Column. The operating philosophy was that the spare pump was always
left primed with the suction valve open, ready for a restart in case the on-line pump tripped. The
supervisor had to read previous logs to find out what had happened on the plant over the previous three
days as well as to issue the permit for maintenance on the pump. The Supervisor was adamant that the
pump was fully isolated and the vent and drain were closed when the permit was issued. (Valve lock-off
was not normal but became the norm after this incident.) It transpired that the valve was open and the
fitter clearly remembered hooking a chain operator over a spindle on the pump. Diesel above its auto-
ignition temperature was released when joints were broken and three operators were trapped and died.
Was the Supervisor right or wrong? Had someone else opened the valves? No one knows. Clearly the
Supervisor was in overload.

Pitfalls put in the way of the human

There are many pitfalls which are put in front of the human. The following are some examples.
The normal procedure for off loading Ammonia Tankers was for a shift to be responsible for backing six
tankers into the off-loading bay, fully off-loading the tankers, storing the loading arms and taking the six
empty tankers out of the bay. For reasons that need not be discussed, it became a continuous operation.
At the shift change, the oncoming shift was informed that there were six empty tankers for removal.
Unfortunately, an off-loading line was still connected and as the six tankers were drawn out, the line
parted and a heel of about 500kg of ammonia was discharged.

A new offloading procedure had been put in place but was not handled as a management of change
which required more training. The team lost identity with the complete task which was no longer a well-
rehearsed activity with one shift responsible from start to finish.
A new ball valve was fitted on the line (see Figure F 13.1). The previous valve had a fully captive ball but the
new valve relied on bolting forces to hold the ball on its seat. No one told the Supervisor or Fitter that
the valve construction had changed, so when the joint was broken the ball moved and process fluids leaked
out. No one was hurt but the fitter got a nasty surprise.

Figure F 13.1 Cut-away of two new valves where the ball can be released if the wrong joint is broken - ICI Safety Newsletter

System Induced Errors

The system-induced errors are legion and only some general guidance can be given to illustrate the
problems.
Control Systems

Modern processes use a compact control room with Totally Distributed Control (TDC) systems instead of
the long panels where nearly every parameter was displayed and available for visual access. The TDC
uses a limited data display on every page, with many pages or screens making up the whole. With
the old long panel control room the operator could scan the parameters and identify any deviations
from the normal condition; this can still be done with a TDC system but it means using one VDU for
scanning and inevitably interrupting some of the data display. This means that the control room
operator may only wait until an alarm sounds before a page is interrogated, by which time the problem
may be well advanced.



There is no doubt that the configuration of TDC screens requires some skills. I am sure that it should be
subject to a HAZOP approach to ensure that some key parameters are displayed for fault
warning/diagnostics. Two incidents illustrate this clearly:
1 Texaco Milford Haven (1994) HSE Report

A process vessel was over-filled with a volatile hydrocarbon with the exit route isolated. Eventually the
vessel safety relief valve opened and discharged the hydrocarbon liquids into a flare main which was only
designed to handle vapour. Eventually the flare main collapsed under the weight of liquid, ruptured and
there was an explosion. (There were other contributory causes which need not be discussed in this
example.)

The recommendation of the Inquiry included:

1. Basic Mass Balancing Skills.

2. Configuration of the display system to provide an over view of the process - including
mass/volumetric balance summaries.

2 Company 1 - 1969

A distillation column developed a high-pressure drop during a process upset. The mass balance of feed
rate minus product rates after the upset was zero. The integrated balance over two hours showed a 10%
discrepancy - namely flooding - and the feed was stopped while corrective action was taken.

No recommendations were needed; the event was managed correctly and mass balance skills were used to
assess the diagnosis of the event.

3 Company 2 - 1969

During start up cold fluids were fed to a distillation column with metal temperatures notionally at ambient
conditions but whose operating temperature was -50 °C. No base level was detected after one hour and
there was a mass imbalance. Feed was stopped and a faulty level measurement was corrected. No
recommendations were needed.

4 Company 3 - 1976

During start up cold fluids were fed to a distillation column notionally at ambient conditions but whose
operating temperature was -50 °C. No base level was detected and feed continued for some time -
eventually cold fluids spilled out of the column via the pressure control system. The fluids over filled the
flare knock out drum and entered the flare stack. The flare stack was not designed for low temperatures
and failed in brittle mode. A major fire resulted. Recommendations? Unknown.

In events 2 and 3 there was a long panel control room but in events 1 and 4 the control was by TDC.
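The Company 1 (1969) event turns on the difference between an instantaneous balance and an integrated one: once the upset had passed, feed minus products read zero again, yet the material that had accumulated during the upset was still inside the column. The following is an added example, not code from these notes, of the kind of mass/volumetric balance summary the Milford Haven Inquiry recommended for the display system. The column, its flow rates, the 2% instantaneous tolerance and the 5% integrated alarm threshold are all constructed for illustration.

```python
"""Integrated mass balance monitor for a distillation column.

Added example, not code from the course notes: it shows why an
instantaneous feed-minus-products balance can read zero after an upset
while the balance integrated over a window reveals material held up in
the column (flooding), as in the Company 1 (1969) event. All rates and
thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Sample:
    """One scan of the column flow meters (constructed data)."""
    t_h: float        # time since start of window, hours
    feed: float       # feed rate, t/h
    tops: float       # overhead product rate, t/h
    bottoms: float    # bottoms product rate, t/h

    @property
    def imbalance(self) -> float:
        """Instantaneous feed minus products, t/h (positive = accumulating)."""
        return self.feed - self.tops - self.bottoms


def integrated_balance(samples: List[Sample]) -> Tuple[float, float, float]:
    """Integrate flows over the window; each sample holds until the next one.

    Returns (tonnes fed, tonnes withdrawn, tonnes accumulated).
    """
    fed = withdrawn = 0.0
    for here, nxt in zip(samples, samples[1:]):
        dt = nxt.t_h - here.t_h
        fed += here.feed * dt
        withdrawn += (here.tops + here.bottoms) * dt
    return fed, withdrawn, fed - withdrawn


def instantaneous_ok(sample: Sample, tol_frac: float = 0.02) -> bool:
    """The 'feed minus products' check the operator sees on the screen (assumed 2% tolerance)."""
    return abs(sample.imbalance) <= tol_frac * sample.feed


def holdup_fraction(samples: List[Sample]) -> float:
    """Accumulated material as a fraction of everything fed in the window."""
    fed, _, accumulated = integrated_balance(samples)
    return accumulated / fed if fed else 0.0


def flooding_suspected(samples: List[Sample], threshold_frac: float = 0.05) -> bool:
    """Flag the column when the integrated discrepancy exceeds the threshold.

    threshold_frac is an assumed alarm setting, not a value from the notes.
    """
    return holdup_fraction(samples) > threshold_frac


# Constructed two-hour window, scanned every 15 minutes: feed steady at
# 100 t/h; products fall to 60 t/h for half an hour during the upset and
# then recover, so the final instantaneous balance is zero again.
WINDOW: List[Sample] = [
    Sample(0.00, 100.0, 40.0, 60.0),
    Sample(0.25, 100.0, 25.0, 35.0),   # upset: only 60 t/h leaving
    Sample(0.50, 100.0, 25.0, 35.0),
    Sample(0.75, 100.0, 40.0, 60.0),   # products recovered
    Sample(1.00, 100.0, 40.0, 60.0),
    Sample(1.25, 100.0, 40.0, 60.0),
    Sample(1.50, 100.0, 40.0, 60.0),
    Sample(1.75, 100.0, 40.0, 60.0),
    Sample(2.00, 100.0, 40.0, 60.0),
]

if __name__ == "__main__":
    fed, out, held = integrated_balance(WINDOW)
    print(f"instantaneous balance ok on last scan: {instantaneous_ok(WINDOW[-1])}")
    print(f"fed {fed:.0f} t, withdrawn {out:.0f} t, held up {held:.0f} t "
          f"({100 * holdup_fraction(WINDOW):.0f}%)")
    print(f"flooding suspected: {flooding_suspected(WINDOW)}")
```

Run as a script it shows the instantaneous check passing on the last scan while the integrated check over the two-hour window flags a 10% hold-up, the figure quoted for the Company 1 event. On a real display the window length and threshold would be set from the column's normal hold-up and meter accuracy.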

Procedures

Occasionally procedures have to be written in detail - a typical example might be the start-up of a new
process - but often a simple check list approach can be used, particularly for a restart.
The problem with procedures is not so much the complexity or length as the confusing language or
gobbledygook. The procedure should be precise, give advice on what to do and what not to do, as well
as what the success criteria for the task are. "Open valve A" is not really adequate as it has no criteria for
speed or success.
The other difficulty is often in punctuation, spelling or deduction. The following shows punctuation which
could lead to confusion. (The term clearance has been superseded by the word permit.)

Figure F 13.2 A confusing label

The correct writing should be:


DO NOT ENTER WITHOUT THE APPROPRIATE ENTRY CERTIFICATE.

On one plant the Operating Instruction required the use of Sodium Sulphate, not Sulphite, as oxygen
scavenger in a boiler drum. Who knows the difference between SULPHATE and SULPHITE, or between FLAMMABLE
and INFLAMMABLE?
The following are synonymous, but it is possible that others do not realise it:
IN, IG, IL and IM are all negatives!
So there could be a deduction that INFLAMMABLE means NOT FLAMMABLE!

Ergonomics

The Man/Machine interface has been discussed in various locations in this module. In some cases it is the
location of a valve and the use of a hand wheel extension. In another case it may be labelling, and in yet
another it may be a control panel. Modern cars have tended to pay more attention to ergonomics
and the layout of the fascia/information. This is now an art form in the layout of aircraft panels; why can
we not do it in the Process Industry? The following incident illustrates some of the problems.
A reactor was being started up. It was filled with reaction mixture from another reactor which
was already on line and the panel operator started to add fresh feed, gradually increasing the flow while
he watched the temperature on a recorder conveniently situated at eye level. He intended to start a flow
of cooling water to the reaction cooler as soon as the temperature started to rise - the usual method.
Unfortunately, there was a fault on the temperature recorder and although the temperature actually rose
this was not indicated. Result: a runaway reaction.
The rise in temperature was, however, indicated on a six-point temperature recorder at a lower level on
the panel, but the operator did not notice this (see Figure F 13.3). Fortunately the runaway was not serious
because a high temperature alarm on the six-point recorder alerted the operator before the temperature
got dangerously high.

Figure F 13.3 Analogue control panel layout, showing the six-point temperature recorder (this is an old photo but the message is up to date)

Mental Issues

There are some interesting but real mental states:

Information Overload
In information overload the brain has TOO MUCH information and cannot sift the critical or top level
information from the low level unimportant information. In effect the reasoning powers are swamped by
essential and trivial information and so the outcome is that nothing is done. This is analogous to a
juggler - there is an absolute limit to the ability to handle objects and beyond that limit things get dropped.

The concept of Information Overload can be dealt with by two strategies. At one level the operators have
sufficient resources to handle all of the work and at the other, the information is filtered and presented in
a clear and unambiguous manner. In process plant it is not only the information but the size of the plant.
On a small plant where the transit time may be small the supervisor may be able to handle more as there
is less time used in moving from A to B to C in data collection. Above all the presentation of clear
unambiguous data with the appropriate diagnostics in a Control Room is fundamentally important. The
human can only accept a limited amount of information at any one moment and the message must be
clear and unambiguous.



Training and background knowledge all help to reduce the potential for information overload, as does
practice. There are no solutions or fixes; an understanding is required as well as an open mind and eye.
The key question must be:
How could I handle the problem/problems professionally and without error?

Mind set

The person has a fixed idea and cannot be convinced that there may be an alternative explanation or idea.
It could also be called tunnel vision.

Cognitive Dissonance

This is quite difficult to explain. The mind tries to fix the evidence into a picture. Some does not fit so is
rejected or reasoned away. The brain is quite convinced that the evidence is now consistent but ignores
the fact that some key evidence may have been rejected or distorted due to some erroneous logic.

Panic
The person just cannot make any decisions!

Training by Cascade

There has been some tendency over a number of years (for operations staff, in particular) to have
knowledge cascaded down from the more experienced team member. This is sometimes called "learning
from Fred". This can also apply to experienced Scientists and Engineers. There is nothing wrong with this
and to a degree it is to be encouraged, as it is better known as mentoring. However it is essential that the
information being passed on by "Fred" is current and accurate. As an example of the potential pitfall, the
following is one example of where it could have failed.

A minor upset occurred during the commissioning of a new process plant. The solution was not
immediately obvious but the Foreman declared "On xyz Plant we opened up the abc valve and that sorted
the problem." That may well have been the case for the xyz plant but it would have been the wrong thing
to do on the new plant. The Foreman was doing what he thought to be correct but it was an error in
reality.

Training must be continuous (CPD) and appropriate for the changing technologies and knowledge bases.
This applies to both operations and technical staff.

Aging

It would be wrong if some notes on aging were not included in this section. First there is the aging of
equipment such that it does not perform as expected. One very simple example may be the aging of a shut
down system such that valves are sluggish or, worse still, fail to shut. Another example may be internal
leakage in a heat exchanger where the high pressure fluid leaks into the low pressure fluid and the
operating team have to deduce the cause of the problem and select the correct solution. This is not as
easy as it might seem, particularly if the team does not have the skills.

The more obvious aspect of aging is that of the human. There is a limit to the physical ability of the human
as it ages. This may lead to short cuts. There is a fall off in the ability to learn and adopt new ideas. The
outcome may be that the older operators (engineers) are put into dead end jobs. This results in total de-
motivation of the team and then errors creep in. Do not blame the team, blame the manager!!!! This
should have been identified as a likely outcome and the appropriate systems (checks, training and
motivation) put in place. The aging starts almost the day that the person takes up a new role. Traditionally
it was assumed that it took about 6 months for the new incumbent to be able to fill the role fully. For a
further 2 years the incumbent develops and improves the role in a creative and constructive manner. Then
the enthusiasm falls off and for about 6 months the performance, though good, is not as good as it had been
in the previous 2 years. Fatigue is setting in and it is time for a move!!!

Conclusion

While it is possible that human error does exist at a very low level of probability, the greater contribution
is management error. The manager therefore has to be alert to those potential causes of error:
Training/Instruction
Knowledge/Competence
Design/Construction
Personality
Stressful Situation
Pitfalls
Information Overload
Training by cascade
Aging of both equipment and personnel

Each plays a part in the causes of error and each has to be treated on merit.
The foundation for error reduction lies in training and proof of competence, but equally ergonomics,
personality, reduction in stress and avoidance of pitfalls all play their part.

The following table gives some estimates of error - how would you reduce them?



Table F 13.2 Human Error Probability (see also Table F 13.1)

Estimated error probability | Activity
10^-4 | Selection of a key-operated switch rather than a non-key switch (this value does not include the error of decision where the operator misinterprets a situation and believes the key switch is the correct choice).
10^-3 | Selection of a switch (or pair of switches) dissimilar in shape or location to the desired switch (or pair of switches), assuming no decision error. For example, the operator actuates a large-handled switch rather than a small switch.
3 x 10^-3 | General human error of commission, e.g. misreading a label and therefore selecting the wrong switch.
10^-2 | General human error of omission where there is no display in the control room of the status of the item omitted; e.g. failure to return a manually operated test valve to the proper configuration after maintenance.
3 x 10^-3 | Errors of omission, where the items being omitted are embedded in a procedure rather than at the end as above.
3 x 10^-2 | Simple arithmetic errors with self-checking but without repeating the calculation by doing it on another piece of paper.
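Tables F 13.1 and F 13.2 give probabilities per task or per act; what a protective-system designer needs is the probability that a whole procedure is completed without an unrecovered error, and what the question "how would you reduce them?" invites is a comparison of the levers available. The following is an added example, not code from these notes, that combines the table values for a constructed five-step pump isolation (modelled loosely on the pump maintenance incident described under Stressful Situations). The procedure, the choice of table row for each step, and the independent-checker model (an error survives only if it is made and a second person misses it) are assumptions for illustration.

```python
"""Compounding of human error probabilities over a procedure.

Added example, not code from the course notes. It uses the per-task
error probabilities of Tables F 13.1 and F 13.2 to show how per-step
errors compound over a whole procedure, how much a stressful situation
raises the total, and how an independent check on the most error-prone
step reduces it. The five-step isolation procedure, the assignment of
table rows to steps and the checker model are assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Table F 13.1: probability of error per task at each level of stress
STRESS_LEVEL = {
    "complicated_extreme_emergency": 0.25,
    "non_routine_other_duties": 0.10,
    "routine_requires_care": 0.01,
    "routine_simple": 0.001,
    "simplest_possible": 0.0001,
}

# Table F 13.2: error probability per act
OMISSION_NO_STATUS_DISPLAY = 1e-2    # e.g. test valve not returned to proper position
OMISSION_EMBEDDED_IN_PROCEDURE = 3e-3
COMMISSION_WRONG_SWITCH = 3e-3       # misreading a label and selecting the wrong item


@dataclass(frozen=True)
class Step:
    name: str
    p_error: float                         # probability the operator gets this step wrong
    p_check_miss: Optional[float] = None   # independent checker's own miss probability; None = unchecked

    @property
    def p_unrecovered(self) -> float:
        """An error survives only if it is made AND the checker (if any) misses it.

        Model assumption: checker failures are independent of the operator's.
        """
        if self.p_check_miss is None:
            return self.p_error
        return self.p_error * self.p_check_miss


def procedure_error_probability(steps: List[Step]) -> float:
    """P(at least one unrecovered error) = 1 - prod(1 - p_i), steps assumed independent."""
    p_all_ok = 1.0
    for step in steps:
        p_all_ok *= 1.0 - step.p_unrecovered
    return 1.0 - p_all_ok


def under_stress(steps: List[Step], level: str) -> List[Step]:
    """Re-rate every step with the Table F 13.1 figure for the given stress level.

    Model assumption: the whole procedure is performed at that level.
    """
    p = STRESS_LEVEL[level]
    return [replace(step, p_error=p) for step in steps]


def with_independent_check(steps: List[Step], step_name: str, p_check_miss: float) -> List[Step]:
    """Add an independent check (a second person verifies the step) to one named step."""
    return [replace(s, p_check_miss=p_check_miss) if s.name == step_name else s
            for s in steps]


# Constructed pump isolation procedure; the table row chosen for each step is an assumption.
PUMP_ISOLATION: List[Step] = [
    Step("close suction valve", COMMISSION_WRONG_SWITCH),          # could pick the wrong valve
    Step("close discharge valve", COMMISSION_WRONG_SWITCH),
    Step("open vent", OMISSION_EMBEDDED_IN_PROCEDURE),              # buried mid-procedure
    Step("open drain", OMISSION_EMBEDDED_IN_PROCEDURE),
    Step("record isolation status", OMISSION_NO_STATUS_DISPLAY),    # no panel shows this
]

if __name__ == "__main__":
    base = procedure_error_probability(PUMP_ISOLATION)
    stressed = procedure_error_probability(under_stress(PUMP_ISOLATION, "non_routine_other_duties"))
    checked = procedure_error_probability(
        with_independent_check(PUMP_ISOLATION, "record isolation status", OMISSION_NO_STATUS_DISPLAY))
    print(f"routine, per-act values:            {base:.4f}")
    print(f"supervisor with other duties:       {stressed:.4f}")
    print(f"routine + independent status check: {checked:.4f}")
```

The three printed figures make the point of the section: the per-act values give a procedure failure of a few percent, a supervisor doing the job with other duties at the same time pushes that to roughly 40%, and a single independent check on the unrecorded step roughly halves the routine figure. Reducing the stress on the person, as the notes argue, buys far more than any one hardware check.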

We are much more likely to develop a mind-set when we are under strain, as the following quotation
shows:
"Most people, when faced with a problem, tend to grab the first solution that occurs to them and rest
content with it. Rare, indeed, is the individual who keeps trying to find other solutions to his problem.
This is especially evident when an individual feels under pressure.

And once a judgement is arrived at, we tend to persevere in it even when the evidence is overwhelming
that we are wrong. Once an explanation is articulated, it is difficult to revise or drop it in the face of
contradictory evidence."

The following incident is also of note, in a black-humour manner.

A man slipped on a staircase, twisted his ankle and was absent for 17 shifts. The staircase seemed to be
in good condition and so did the man's boots.
When you read this your first reaction is probably that it is just another of those incidents that we can do
nothing about - another of those occasions when "Man told to take more care" could have appeared in
the accident report. However, on the plant concerned they were not satisfied with the easy way out. They
looked into it more thoroughly. They asked the injured man why he had not used the handrails. It then
came to light that the handrails were covered with plastic and that when anyone wearing insulated
footwear used them he got an electric shock when his hand touched bare metal. As he ran his hand along
the plastic coating he became charged, and as soon as he touched a piece of bare metal an electric spark
jumped from him to the metal. The spark, of course, was not serious enough to cause any injury, but it
was unpleasant, and people tended, therefore, not to use the handrails.



Part G

VULNERABILITY OF HUMANS AND THE ENVIRONMENT

Introduction

This is a reprise of Part F but is given in more detail as it is a complex subject.

In an earlier part it was pointed out that the human is very vulnerable to a series of physical and chemical
assaults. This part is an expansion. The objective is obviously to prevent the harm at source but in line with
the defence in depth it is necessary to protect the human against the finite but unlikely probability of
failure of the first line of defence.

This section was located here as it is really a management issue so sits well just after the management
issues.

It has now been equally evident for over 100 years that humans have enormous potential to destroy the
Environment as well as to cause injury. Initially the environment was considered to be air or water and, to
a lesser extent, land and the working conditions of heat and illumination. The scope of the
Environment now extends to longer term projections and includes noise, visual impact and the effects
on flora and fauna.

It is only in the last few decades that there has been a realisation that the impact on the Environment has a
significantly longer time frame or cycle than the impact on humans and that the changes are more subtle;
there is no physical protection for the environment as there is for humans. For example it is not entirely
clear if global warming is due to Carbon Dioxide alone or to carbon dioxide and other parameters, but
assuming it is only carbon dioxide it is a problem which has to be solved in the next fifty or so years. There is
a reasonable assumption that the Carbon Dioxide load must be reduced over the next few decades, but the
Carbon Dioxide already in the atmosphere must also be reduced and that will take time. Total reliance on
Renewable Energy is open to debate. Wave energy may be derived from the rotational energy of the
earth (as is tidal energy), but there are no waves in Switzerland!! Stored energy is valuable for peak
shaving but it cannot be sustained. If Humans wish to have a steady improvement in the quality of life and
maintain the environment, a more fundamental approach must be adopted to power generation and
utilisation. This is called Sustainable Development.

Most companies now have an Environmental Policy Statement, and Environmental and Safety Targets are
given in the Annual Report (HASWA requires a Safety Policy Statement). It is right therefore to discuss the
Human and Environmental Assault together. They do not always pull in the same direction: the benefits to
Safety may have an environmental impact and benefits to the environment may have a negative safety
impact. It is prudent for all scientists/engineers to bear this in mind.

The time frames of the impact of events on humans and the environment are very complex and the
following is an attempt to analyse some of them. There are well recorded events which can be traced
back to well-meant actions, not least the use of CFCs, which had positive safety benefits but which we now
know have had a serious impact on the environment. The following analysis is a serious one but
is also a personal perspective.



Effects on the Human / Safety / Environment

The following is a brief analysis of Global Events and their effects on Humans and the Environment.

Table G.1 A brief analysis of Global Events and their effects on Humans.

Event and discussion | Immediate | Up to 10 years | Over 10 years
A Lake Nyos, Cameroon, 21/8/86. Massive release of CO/CO2/H2S from rotting debris in a volcanic crater lake; about 200,000 tonnes of gases was released. | About 17,000 deaths | Severe eye damage, skin damage from gases | As up to 10 years
B Minimata, Japan, 1970s. Mercury effluent was released into the sea and entered the food cycle through the fish and then entered the human cycle with severe brain damage. | Nil | Localised severe brain damage in a small community | As up to 10 years
C Chernobyl (USSR), April 1986. | 2 immediate deaths and 27 delayed due to radiation | Hypothyroidism and carcinoma | Up to 10,000 premature deaths
D Bhopal, India. Release of MIC to the atmosphere. | 2,500 deaths in a few days | Total deaths of the order of 5,000. Serious eye and lung damage | 15,000 premature deaths due to pneumonia, severe impact on a society
E Chrome Processing, 19th/20th Century | Nil | Cancer deaths | Cancer deaths
F Coal Gas Production | Real | Real | Possible cancers
G Sea Empress, Milford Haven; about 50,000 tonnes of oil spilt | Nil | Health effects noted | Health effects, possible premature deaths (unknown)
H CFC 1970 | Nil | Nil | Hundreds of melanoma deaths
J Aswan Dam, Egypt | Positive | Positive | Fertile land becomes less fertile leading to potential starvation. Many metres of soil deposited behind the dams. Loss of soil feed downstream.



Table G.2 A brief analysis of Global Events (see Table G.1 above) and their effects on the environment

Event | Immediate | Up to 10 years | Over 10 years | Analysis
A Lake Nyos, Cameroon | Negligible | Nil | Nil | This was caused by human migration towards water sources due to local population growth in a poorly developed area of the world. Humans were the main sufferers.
B Minimata, Japan, 1970s | Nil | Nothing serious; fish become inedible | Nothing serious | Food sources become polluted by uncontrolled release of mercurous compounds.
C Chernobyl (USSR), April 1986 | Nil | Uncertain | Uncertain. Large area sterilised for human use | It is likely that the main impact will be on humans. As research is centred on humans the impact on animal/vegetable life is less certain.
D Bhopal, India. Release of MIC to the atmosphere | Nil | Nil | Nil | The cause of the event is discussed elsewhere but was precipitated by the population explosion and human migration to a source of employment.
E Chrome Processing | Nil | Uncertain | Land sterilised for human use, vegetable growth stunted | Uncontrolled dumping of spent products; very expensive clean up, cost unpredictable.
F Coal Gas Production | Nil | Nil | As above | As above
G Sea Empress, Milford Haven; about 50,000 tonnes of oil spilt | 1000s of sea birds killed | Negligible | Negligible | Very costly clean up; short term major environmental pollution and effects. Possible delayed deaths in people living down wind.
H CFC 1970 | Nil | Negligible | Vegetative mutation | This is a potential time bomb.
J Aswan Dam, Egypt | Loss of historic architecture | Degradation of fertile land | Loss of fertile land | The short term benefits are clear but the longer term effects are far less easy to predict.
These tables are designed to show that S & E (Safety and Environment) do not always pull together and that there is a complex relationship
which must be recognised.

These examples of disasters are in no way complete and are only the tip of the iceberg. In particular the
evidence points to the fact that in the case of the human and environmental assault the effects were poorly (if
ever) predicted and that in retrospect the remedial costs more than outweigh the perceived benefits.

It would be wrong to think that there was a deliberate intent by our forefathers to injure and kill people or to
desecrate the environment. The real cause is the relatively slow learning curve and is also probably due to poor
or little hindsight. This has been discussed in the introduction and is expanded in more detail here as a means of
urging caution and discretion.



Effects of the Environment

The damage/harm created by the use of Asbestos as an insulant is not disputed, but no one could have
predicted the effects on the lung, nor was it reasonable to do the experimentation. Asbestosis and
Mesothelioma were not immediately obvious and were probably diagnosed as lung cancer until more
accurate diagnostic techniques were developed. Once it was recognised that there was a new tumour it
was necessary to research its cause. Before the finger could be pointed at Asbestos there were two
requirements - Medical Research and Social Research. This was also true for Black Lung or Silicosis in
Miners. Once the pattern of lung damage/tumours was established it was not unreasonable to take the
logical step of assuming that dusts, organic or inorganic, are potentially harmful. This does not help the
hundreds of people who have died, but the knowledge base has advanced such that face masks are far
more common now than they were 20 or 30 years ago.

Many years ago it was common to clean tools in petrol and even to fill up car fuel tanks while looking into
the filler pipe to watch for a rising level. Benzene is now recognised as a carcinogen and automatic cut-
offs in the filler are now standard practice (it is recognised that there are other reasons for this but it is
also beneficial in preventing massive inhalation of Benzene vapours). Even now there is some uncertainty
as to the tolerable levels of Benzene in the air and the Maximum Exposure Level (MEL) is dropping year
on year. Alpha Naphthylamine was produced up until the mid 1960s, when there was irrefutable evidence
of a link between bladder cancer and Alpha Naphthylamine (actually Beta Naphthylamine as a by-product).
This effect was unexpected. Both of these incidents pointed strongly towards the link between Aromatics
and Cancer and there are now biological screening tests for chemicals to determine if they have
carcinogenic properties.

It is now fully recognised that many people have allergies to a variety of products: about 10% are allergic to
grass pollens (Hay Fever), others are allergic to house dusts and others to Nickel (amongst others). It has
taken time for the research to realise that it is a two-step process. A low level dose will make them
sensitive (sensitising), but then a higher dose creates the reaction (elicitation).

It is now recognised that dusts, Aromatics and nearly every other chemical could cause ill effects on
humans, but the problem is establishing the likelihood or link. This
is best illustrated by Thalidomide, which was tested before introduction on laboratory animals and
appeared to be safe. Unfortunately it is now known to be Teratogenic before the third month of
pregnancy and there is now evidence that it is also Mutagenic - that is, it is genetically transmitted from
those affected by Thalidomide. Increasingly it is being recognised that alcohol, smoking, aspirin and other
nominally benign chemicals can be Teratogenic and in some cases Mutagenic if the foetus is affected in
the first trimester. It is clear that correlation of product/chemical and effect requires detailed knowledge
of exposure and timing. This to a degree is now being addressed in industry by the records required under
the Management of Health and Safety at Work Regulations.

The final chilling fact that must be recognised is that animal experiments may not be accurate; the
biochemistry and physiology must also be similar to those of humans. Experiments on rats may produce different
responses between species of rats, and physiologically pigs are nearer to the human, which is why
pigs are being used as human organ donors.

It is clear from this brief analysis that there is a lead-time of about 20 years for the effects of many
chemicals to become evident.

In the case of the environment it has taken about 20 years for the effects of C.F.C.s on the ozone layer to
become evident and unfortunately the effects will not be reversed overnight; it could worsen for some
years yet before a reverse trend is noted. In many cases the gross pollution of years gone by is being
recognised and serious attempts are being made to arrest the effects in present processing industries, but
the historic residues are a major problem which has not been resolved. It is now widely recognised that
Volatile Organic Compounds (VOC) have a far greater greenhouse effect than carbon dioxide. The
greenhouse ratio CO2:Methane is greater than 1:10. However there is still debate about the effects of
flatus from bovine species, from termites and from methane seepage from old below-ground
carboniferous sources.

It is clear that there is an increasing understanding of the environmental impact of chemicals, but there is
a price which has to be paid. In many cases the environmental improvements expose humans to a
more immediate risk to life and in others there is a trade-off of one environmental issue against another.
This is illustrated by the clean-up of water in the offshore oil industry. The need to reduce visible pollution
from produced water on the installation resulted in a trade-off of about 500 kg of biodegradable
dispersed oil against the production of 200 Te per day of carbon dioxide. Which is the more damaging to
the environment?

Human Vulnerability

While humans have strengths they also have weaknesses, both physical and psychological. These
limitations range from limited strength, reach, stretch, focal vision and attention span through to
unpredictable reactions under stress and in unforeseen circumstances. These limitations impose serious
problems for the designer, manager and supervisor which have to be addressed by design, training or
sympathetic understanding. The study of humans under stress is very complex and, whilst fruitful, it is
still not fully understood.

Physical access

Access to equipment is an obvious problem which designers are expected to address but sometimes
forget. There is no excuse for fitting an inaccessible valve beside platforms or walkways such that an
operator has either to crouch or, even worse, to stretch over or through handrails to reach it. Both involve
the operator being in a poor state of balance and leverage. Another example of difficult access is the
use of chain-operated valves; these are mechanically inefficient, they are difficult to reach for a short
operator and they are a potential lasso for a tall operator. (Said with feeling.) There are other obvious forms of
poor access such as the inclined valve which does not allow uniform leverage, the rising stem valve which
juts out into the passageway and, of course, the vent or drain which always seems to be just out of reach.

Access ways should have a head clearance of at least 2 m and preferably 2.2 m. Too often it is forgotten
that a safety helmet will add 5 cm to the height of an individual and thermal insulation can remove another 5
cm of clearance. Shoes add 2 to 3 cm and the peak of the helmet obscures upward vision; as a consequence
collisions occur, the helmet usually preventing serious injury but sometimes producing whiplash effects.
Stairways should have adequate tread depth, rise and stair angle. The arrangement should ensure that a
toe is not caught on the tread while ascending or a heel caught on the tread while descending. Sometimes
it is necessary to install vertical ladders, particularly up distillation columns; landings should be installed
every 25 m for resting.

There are a number of important safety features associated with stairways and ladders:

Where stairs or ladders have to have a short riser it is better for this to be at the bottom of the
flight and not at the top (for obvious reasons it is better to stumble at the bottom of a
ladder rather than at the top).

Ladders should have a safety cage above 2 m height and down to the grating level at handrails.
Whatever the height of the ladder there should be a self-closing safety gate at the top of
the ladder.

The exit from the safety cage MUST not open onto a handrail, as people can stumble as they
leave the cage and fall over that rail.

Handrails should be at least 1 metre tall and all overhead walkways should have a toe or kick
board to prevent objects being knocked onto the unwary below.

All emergency exits should be duplicated, preferably at opposite ends of the walkway or
structure. Escape ways should be at least wide enough for two persons to pass in comfort
and if used regularly they should be a minimum of 1.5 m wide.

All stairs and landings should be sized so that stretchers can be manoeuvred without lifting
them over the handrails.

Physical Ergonomics

The physical ergonomics of lifting weights require skill and training. The straight-back lift can be achieved with
compact loads but it is not always possible with sacks or when lifting equipment within a crowded area;
the lift should not create excessive loads on the lower back. (Note: Manual Handling Regulations.) Plant
layouts should be examined at the design stage by operating and maintenance personnel and mechanical
handling experts to ensure suitable lifting equipment is available. Simple lifting frames and block and
tackle arrangements supported from overhead runway beams will greatly ease mechanical handling.

See also the Manual Handling Operations Regulations.

Control Room Panel and VDU Screen Layouts

Panel layouts have been the subject of much study and analysis not only in real situations but also under
experimental conditions. Typically, the eye has a very limited cone of sharp vision, possibly only two
letters in a word. However, the peripheral vision is very useful for picking up moving or flashing data. The
ear is the primary warning device, as indeed it is with most animals. Reading data is most easily done at
eye level but if any head movement is required it is easier to look up than to look down. Assuming an
analogue control panel is vertical and some 2 m high only the top half is of any real use. The typical panel
layout is shown below.

Height below top of panel (m)   Zone     Depth of Zone (m)
0 - 0.25                        Zone A   0.5
0.25 - 0.75                     Zone B   0.5
0.75 - 1.25                     Zone C   0.25 - 0.5
Below 1.25                      Zone D   1.00 - 0.75

Table G.2 Typical Layout of a Control Panel

Zone A will usually contain alarms and visual warning devices which are only required occasionally.

Zone B will contain the most important data and controllers, with all of the main controllers set at about
eye level. At the top of this zone will be indicators which do not require adjustment.

Zone C is an area at waist height and can be used for the less important controllers. The lowest part may
only be of use for simple data points.

Zone D is of no real use to the operator as it is difficult to see and probably requires stooping or bending
to view the instruments.

Increasingly control rooms are moving to TDC and touch screen displays. These notes are intended to
show some of the problems that have existed and still exist, albeit in a different form, in modern control
rooms.

Some control panels have inclined aprons at waist level which increase the effective visual zone but
severely limit the reach of the operator, affecting his ability to cancel or adjust controllers in the vertical
section. The final design of the panel is complex and may vary from plant to plant and company to
company.

The same analysis can be applied to VDU screens. The trend towards computer-controlled plants requires
careful architecture of each page or display on the screen. Although the layout on the screen is an
essential safety feature, no less important is the order in which the pages are recovered and the data
displayed on each page. In traditional analogue instrument panels all data was visual and the operator
could scan different panels rapidly by eye; however, only a limited amount of data can be shown on each
page of a computer screen. The analysis of the plant using a Hazard and Operability Study will help the
control systems designers to devise the best and most informative displays. The prudent screen designer
should consult the operator to ascertain what key parameters should be visible on all screens so as to
assist in diagnostics and prompt fault diagnosis. The physical effects of VDU screens on the user also have
to be considered. (Note also the Display Screen Equipment Regulations.)

Stress and Unpredictable Behaviour

The design of control rooms and plant instrumentation must take into account human frailty. If too much
data is fed to the operator he/she will become confused and make irrational decisions (information
overload). The repeated sounding of alarms during upset conditions can either distract the operator so
that he/she fails to take effective control, or cause the operator to ignore important alarms and block the
mind to additional incoming data. Eventually the operator may panic and carry out irrational acts. There
are no hard and fast rules for dealing with this situation but the following are some practical suggestions.

Training

The better the operator's understanding of the plant, the better will be their ability to control it. This
should not only be cause-and-effect training but should also cover the dynamics of the process. This
knowledge can be achieved through on-line and off-line training using simulators. The more practised the
operator, the more likely he/she is to take the correct action when the need arises.

Operating Instructions

Well prepared instructions can help the operator understand what is happening in the plant; if warnings
are added the operator will understand the need to work within a tight operating envelope. This will
also give the operator confidence and will show the operator that management are operating in a
responsible manner.

Avoid Information Overload and Mind-set

Alarms should only be fitted where they are essential and should be calibrated so that set points are at
reasonable levels outside the normal operating envelope. The worst situations occur when alarms are
frequently sounding in the control room. Operators then become engrossed in the task of control and
alarms are ignored; alternatively, operators try to respond to alarms and forget about the main task in
hand, which is control. The opposite can also be true on stable and simple plant: operators may ignore
changes in variables which experience shows do not usually change, so vessels may drain or fill and no action
is taken, even to the point of alarms being ignored.

Control instruments should have some form of supplementary check indicators or other diagnostics.
These should be simple, easy to read and readily accessible to the operator. The simple expediency of
recording control values and actual values on record sheets or data loggers will show if instruments are
drifting or giving false readings. This will assist the operator to make the correct deductions. It may be
necessary to install additional diagnostics to assist the operator; these will usually be identified during a
Hazard and Operability Study. Modern controls can incorporate a warning element for the rate of change
or drift.

Experience/Confidence

A competent operator with a depth of experience is worth his/her weight in gold. It may take years to
train this person but if management are never seen to give help and guidance, operators will lose their
confidence.

In summary, good operating instructions, good management, good training, good plant design and good
control room layout can go a long way to overcoming stress. Ultimately the final protective system will be
the Emergency Shut Down (ESD) system, which will put the plant into a 'safe' condition and allow the
operator to restart in an orderly manner.

'Safe' is put in inverted commas as the very act of shutting down and restarting carries some risk due
to thermal cycles or upsets.

Personnel Protection

One of the objectives of safe design is to avoid the need for personnel protection. This is a form of
intrinsically safe design. There are some obvious exceptions to this principle; for example, exposed moving
parts on machinery should be fitted with guards. It must not be forgotten that ties, cuffs and long hair
may slip between the guards. Management will normally supply overalls for machine minders and require
the use of hair-nets where necessary. More detailed guidance on personnel protection is available from a
number of sources.

The most vulnerable parts of the human are, starting at the top: head; eyes; ears; lungs; hands and feet.
Various forms of protection are available; however these are not total or absolute and have limitations.
The following sections discuss their benefits and limitations.

The Brain

This has already been outlined in Part E. It is a topic that must be given a high priority so has been
repeated in this part. Attention to the mental pressures of plant and office are key to safety.

Information Overload

In information overload the brain has TOO MUCH information and cannot sift the critical or top-level
information from the low-level, unimportant information. In effect the reasoning powers are swamped by
essential and trivial information together, and so the outcome is that nothing is done. This is analogous to a
juggler: there is an absolute limit to the number of objects that can be handled and beyond that limit things get dropped.

The concept of information overload can be dealt with by two strategies. At one level the operators have
sufficient resources to handle all of the workload; at the other, the information is filtered and
presented in a clear and unambiguous form. In process plant it is not only the information but the size of
the plant that matters. On a small plant where the transit time is small the supervisor may be able to handle more,
as less time is used in moving from A to B to C in data collection. Above all, the presentation of clear,
unambiguous data with the appropriate diagnostics in a Control Room is fundamentally important. The
human can only accept a limited amount of information at any one moment and the message must be
clear and unambiguous. This argument could also apply to an office environment where there are pressures
to achieve targets.

Training and background knowledge all help to reduce the potential for information overload, as does
practice. There are no solutions or fixes; an understanding is required as well as an open mind and eye.
The key question must be:

How could I handle the problem/problems professionally and without error?

Mind set

The person has a fixed idea and cannot be convinced that there may be an alternative explanation or idea.
It could also be called tunnel vision. Nothing but nothing will convince that person that there may be an
alternative explanation.

Cognitive Dissonance

This is quite difficult to explain. The mind tries to fit the evidence into a picture. Some does not fit so is
rejected, reasoned away or refined to fit the rest of the evidence. The brain is quite convinced that the
evidence is now consistent but ignores the fact that some key evidence may have been rejected or
distorted due to some erroneous logic.

Panic

The person just cannot make any decisions and could take the wrong actions!

The Body General


The Head

The design intent of a safety helmet is to arrest or to deflect light dropped objects and to deflect the head
away from beams, fittings, brackets, etc. It does not protect the head from sharp falling objects but
should protect the head from serious injury from, say, a dropped spanner. The oblique impact loads when
hitting low beams/piping can lead to whiplash damage to the neck. The wearer may also be
knocked out by the impact. Safety helmets are a necessary protection on congested plant but are not
particularly comfortable: they are hot and sweaty, the peak obscures upward vision and can be the
causative agent for impact on low beams; as a result staff cannot be relied upon to wear them under all
circumstances. Maintenance areas should therefore be roped off and No Entry signs displayed. Periodic
housekeeping tours should be carried out to identify and remove loose objects. Guards should be fitted
around head hazards and if necessary they should be painted in visible colours (usually black and
yellow) and warning signs fitted. While the designer must try to avoid poor design features, some
instances may exist and the good manager should try to protect the operator wherever possible.

Eyes

Many types of eye protection are available (glasses, goggles, visors). Some protect the eyes from wind-
borne dust or chemicals and others from high levels of light or other forms of radiation. Goggles can
become uncomfortable and sweaty or mist up. People not used to wearing glasses can find them a
nuisance in the rain. Goggles, by the nature of their design, restrict peripheral vision and make the operator's
task more difficult. The fit of the goggle round the face, and particularly round spectacle frames, is not
good and drops of chemicals can still penetrate, so face visors may be appropriate. In non-hazardous plant
it may be desirable to supply industrial glasses with toughened glass and side shields to protect the eye
against dusts.

Ears

High noise levels, over 85 dB(A) for 8 hours exposure per day, and sharp impactive noises (as in sheet
metal works) can lead to hearing damage. Noise-induced hearing loss is rarely obvious until the damage is
quite advanced. Only then is it noticed that conversation becomes difficult to follow in noisy rooms. In
particular the sounds which contain high frequencies (s, d, e and such) are the most distorted. Eliminating
noise at source is a task for specialists but personnel protection may still be necessary. Table G.3 gives a
typical indication of noise levels. Ears can be protected by means of ear plugs, which cut out the most
destructive high frequencies; however, they must fit well. Equally, ear muffs or ear defenders can be used
but these must be fitted correctly and have a good seal round the edge. This can create problems with
beards, long hair and for wearers of glasses. Ear muffs can become uncomfortable and sweaty after
prolonged use and are again not popular with operators. Ear plugs are more comfortable but a less
efficient protection, as noise can be transmitted through the facial tissue and still cause damage to
hearing.

Ear protection is not an ideal solution to high noise levels as sound energy can still be transmitted to the
ear through body tissues. Also, ear defenders may leak sound, and communication is made difficult, if
not impossible. Sound attenuation at source or, better still, designs which are inherently low sound
emitters are much better. Noise at work is covered by regulation in the UK.

Table G.3 Noise Levels and equivalents

Approximate sound pressure level, dB(A)   Source                           Distance from source, m
200                                       Moon rocket at takeoff           300
140                                       Jet aircraft at takeoff          25
100                                       Very noisy factory
90                                        Large diesel lorry               7
80                                        Alarm clock                      1
75                                        Inside a railway carriage
70                                        Inside a saloon car at 50 km/h
65                                        Busy office with typewriters     1
                                          Normal conversation
40                                        Quiet office
35                                        Quiet bedroom
25                                        Still day in the country

The audiogram shown below was taken of a person in his early 30s. He had been subject to high noise
levels for about 8 months and received 2,500 noise excess units without adequate hearing protection.
He suffered from tinnitus. This is equivalent to 2,500 hours at 93 dB or 1,250 hours at 96 dB.

Note the drop-off in acuity above 2 kHz. This is the first sign of noise-induced hearing loss. It cannot be
repaired. A 40 dB hearing loss at 6 kHz is significant, as hearing, particularly of speech, becomes distorted. A
repeat taken some 30 years later showed the same drop-off but the whole audiogram was 15 dB lower.
This is age-related hearing loss.

Plot G.1
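The equivalence quoted above (2,500 hours at 93 dB(A) being the same exposure as 1,250 hours at 96 dB(A)) is the equal-energy rule: every 3 dB doubles the rate at which exposure accumulates. The following is an added example, not part of the original notes, that applies that rule to a constructed shift and compares the result with the 85 dB(A)/8 h level the notes cite; the shift figures are invented for illustration.

```python
"""Equal-energy noise exposure arithmetic (added example, not from the notes).

Reproduces the equivalence the notes state (2,500 h at 93 dB(A) ~ 1,250 h at
96 dB(A)) and computes a daily personal noise exposure, L_EP,d, for a
constructed shift, compared against the 85 dB(A) / 8 h level the notes quote.
"""
import math

# Exchange rate: each +3 dB halves the permissible time. The exact equal-energy
# value is 10*log10(2) = 3.01 dB; the notes' worked figures use a round 3 dB.
EXCHANGE_RATE_DB = 3.0
REFERENCE_HOURS = 8.0        # the nominal working day the daily exposure is normalised to
ACTION_LEVEL_DBA = 85.0      # the 8-hour level the notes give for risk of hearing damage


def equivalent_hours(hours: float, level_from: float, level_to: float) -> float:
    """Hours at level_to that carry the same noise energy as `hours` at level_from."""
    return hours * 2.0 ** ((level_from - level_to) / EXCHANGE_RATE_DB)


def daily_exposure_dba(segments) -> float:
    """L_EP,d for a list of (hours, dB(A)) segments, normalised to an 8-hour day.

    Time not covered by a segment counts as silence, so a 6-hour shift is still
    averaged over 8 hours. Uses the same exchange rate as equivalent_hours() so the
    two functions agree with each other and with the notes' 93 dB / 96 dB figures.
    """
    if not segments:
        return float("-inf")
    weighted_hours = sum(h * 2.0 ** (lvl / EXCHANGE_RATE_DB) for h, lvl in segments)
    return EXCHANGE_RATE_DB * math.log2(weighted_hours / REFERENCE_HOURS)


def exceeds_action_level(segments) -> bool:
    """True when the shift's L_EP,d is above the 85 dB(A) level the notes cite."""
    return daily_exposure_dba(segments) > ACTION_LEVEL_DBA


# Constructed shift (hours, dB(A)): 4 h beside a compressor, 2 h in a noisy
# workshop bay, 2 h in the control room. Invented values for illustration only.
SAMPLE_SHIFT = [(4.0, 88.0), (2.0, 94.0), (2.0, 80.0)]

if __name__ == "__main__":
    print(f"2,500 h at 93 dB(A) == {equivalent_hours(2500, 93, 96):.0f} h at 96 dB(A)")
    print(f"L_EP,d for the sample shift = {daily_exposure_dba(SAMPLE_SHIFT):.1f} dB(A)")
    print("above the 85 dB(A) action level:", exceeds_action_level(SAMPLE_SHIFT))
```

Note that no single segment of the sample shift reaches 93 dB(A), yet the energy average is well over 85 dB(A): short periods at high level dominate the daily dose.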

Hands

Gloves with rubber studs can be very useful for preventing loss of grip on handrails. Hands can be injured
by sharp objects, hot surfaces, chemicals, and of course dropped objects. The usual protection is gloves,
be these heavy duty or gauntlets. They should be appropriate to the protection required. They are not
popular with operators who lose their touch; generally gloves are clammy or sweaty. The primary
objective must be to protect the operator at source but in some cases this will not be possible, furnaces
will always have hot surfaces and sheet metal sharp edges or rags. Remember to fit the gauntlets INSIDE
the external body protection to avoid ingress of harmful fluids into the gauntlet.

Feet

Feet are vulnerable to impact through scuffs and dropped objects as well as to hot fluids. The typical
industrial shoe or boot protects the foot against glancing impact or sharp objects and light dropped
objects (10 kg m); they cannot fully protect against dropped heavy objects and a higher level of
protection may be required. Industrial footwear will also protect the foot against hot fluids provided these
do not enter the footwear, which is achieved by fitting the boots inside the body protection. In many cases
the safety footwear must have electrical insulating properties. Remember to fit the boots INSIDE the
external body protection to avoid ingress of harmful fluids into the boot.

Lungs

Lungs can be severely affected by dusts or toxic gases. The simplest protective device is a dust mask,
which fits over the nose and mouth and filters out solids. The life of this type of mask is limited and the
seal round the face is important; beards generally reduce efficiency. Face masks for toxics may use either
activated charcoal absorbents or a compressed air supply; the latter offers the greatest protection, but once
again the seal against the face is important and beards MUST be shaved off. A better solution is to ensure that
hazardous fluids do not leak out by avoiding leak sources such as flanges, packings and seals. Face masks
would then only be required to combat the effects of mechanical failure. An alternative approach is to
ensure good ventilation and close monitoring of the environment, either automatically or by policing.
There is, however, an increasing trend, for environmental reasons, towards containment at source and it
will be increasingly important to prevent any leakage of material. All-welded piping is a possible solution
but this has its own problems when maintenance is required!

Face masks or breathing systems can be used to protect against the effects of toxic gases. These are
generally suitable for emergency situations or some difficult forms of maintenance work. It is
unacceptable to expect process plant workers to use gas masks on a routine basis; they must only be used
in an emergency.

General Body Protection

Toxic chemicals, particularly acids and alkalis, may attack the skin. In a well-run plant chemical leaks
should not occur on a day-to-day basis but drops may leak from glands etc. When carrying out
maintenance, fluids may be released and, for hazardous materials, it is necessary to specify full body
protection. In some instances process materials may be so hazardous that full body protection is required
at all times in case a leak suddenly occurs.

A full visor or a headpiece and visor can protect the face. The body can be protected by a totally enclosed
suit made of impervious fabric. The seal between the parts of the suit and, of course, boots and gauntlets
requires careful consideration; the top half must overlap the lower half. Similarly, the overlap between body
protection and boots and gauntlets must be tight.

In some industries, for example offshore oil production, it is becoming standard practice for all personnel
to wear overalls of fire-resistant material.

Balance

Consider the benefits of harnesses and fixed anchor points where the operator might be exposed to the
extremes of weather or work in a precarious position such as a window cleaner.

Muscle Damage
This is best dealt with by affording good access, proper lifting facilities and good, well-trained
lifting technique. Do not allow stretching or operation at an angle to the body. This is equally applicable to an
office, where back problems probably dominate the injury profile.

Control of the Working Environment (Airborne Materials)

Some plants, particularly enclosed plants which handle dust or toxic fumes, will require ventilation; this can
take one of two forms:

1. Removal of the materials to avoid affecting the employee.

2. Dilution of the contaminant to acceptable levels.

In the first case the equipment is either enclosed in a booth so as to contain the material or is located
under an exterior hood. In both cases air is drawn from the hooded area and discharged to a safe
location where the material may be recovered in dust cyclones or scrubbers, or discharged to the
atmosphere where it is diluted by normal dispersion mechanisms.

In the specific case of degreasing vats, where volatile organic compounds may be released, more sophisticated
ventilation, possibly involving the use of refrigeration, may be required. This is a specialised study in itself.

Summary

At best, protection is uncomfortable and unpopular. It must be fitted properly and used with due recognition of
its limitations; every effort MUST be made to prevent the potential for harm to the operator at source. Where
there is no way of avoiding the hazard, such as head or eye hazards, the use of protective measures must be
rigorously enforced by management through example and a policy of policing.

Not only must protective clothing, etc. be provided, it must be suitable for the task in hand. There have been
many cases where incorrect protective equipment has been used with tragic results. Manufacturers'
representatives can usually provide the necessary information and, of course, reference to appropriate standards
should be made. (See also PPE.)

Toxicology

Many chemicals are potentially harmful to humans and other life forms. The degree of harm depends on the
form of the substance, its concentration, its method of ingestion, the animal species concerned and a number of
other factors. The term toxicology refers to the study of harmful effects caused by the presence of chemicals
other than those which occur naturally.

The main routes of access for toxic materials to the human body are the nose, the mouth and, of course, the skin. The
concentrations, durations and effects are specific to the material itself and the effects may be specific to the site
of entry to the body. There is often difficulty in determining safe levels of exposure to chemicals as the effects
are difficult to measure and the response will vary from one individual to another. Much of the available data has
been obtained from animal tests, where the animals' metabolism differs from that of humans. There can therefore be
difficulty in translating the results of laboratory tests into useful guidance. For example, some materials are
especially harmful to women of childbearing age and may cause abnormalities in their children. Toxicology is
therefore a very specialised subject. It is, however, useful to have an indication of the most common terms used
and these are given below:

Exposure: Amount of toxic substance to which an individual is exposed. This may represent the amount
ingested, absorbed or inhaled, or it may refer to the integral of concentration with time in the
immediate environment. Where ambiguity may arise the basis used to define the exposure should
be specified.

Dose: Used as a synonym for exposure.

Toxic: The property of substances which, when introduced into or absorbed by a living organism,
destroy life or injure health.

Poison: Common term for a toxic substance.

Corrosive: In the context of toxic substances a corrosive substance is one which may, on contact with
living tissues, destroy them.

Acute: Immediate, short-term. Relating to exposure: conditions which develop rapidly and may cause
harm within a short time. Relating to effects: those which appear promptly after exposure.

Chronic: Persistent, prolonged and repeated. Relating to exposure: frequent, or repeated, or continuous
exposure to substances. Relating to effects: when physiological effects appear slowly and persist for a
long period or with frequent recurrences.

Carcinogen: A substance which produces cancer.

Toxicity: The relative power of a toxic material to cause harm.

Irritant: A non-corrosive material which may, through immediate, prolonged or repeated contact with the
skin or mucous membrane, cause pain, discomfort or minor injury, or injuries as such.

Asphyxiation: Endangering life by causing a deficiency of oxygen.

Long Term Exposure Limit: A time-weighted average concentration, usually averaged over 8 hours, which is
appropriate for protecting against the effects of long-term exposure.

Short Term Exposure Limit: A time-weighted average concentration, usually averaged over 10 minutes,
aimed at avoiding acute effects.

Threshold Limit Value - Time Weighted Average (TLV-TWA): The time-weighted average concentration for a
normal eight-hour workday or 40-hour workweek to which nearly all workers may be exposed, day
after day, without adverse effect. (To be superseded by the term Control Limit.)

Threshold Limit Value - Ceiling (TLV-C): The concentration which should not be exceeded even
instantaneously.

Lethal Dose (LD50): The quantity of material administered orally or by skin absorption which results in the
death of 50% of the test group within a 14-day observation period.

Lethal Concentration (LC50): The concentration of airborne material, the four-hour inhalation of which
results in the death of 50% of the test group within a 14-day observation period.

Immediately Dangerous to Life or Health (IDLH): Conditions such that an actual exposure will lead to acute
or chronic effects.

The following further definitions are also of use:

Mutagen: A compound causing genetic damage.

Sensitizer: A compound which generates an immune response.

Teratogenic: A compound that causes birth defects when the developing foetus is exposed.

This list of definitions may appear bewildering; however, they are all necessary and specific. They help to
differentiate the effects of different chemicals, the site of access, the consequence and immediacy of the
effect.

It should be understood that the toxic effects and concentrations are often derived by experimentation on
animals with a very limited amount of inferred data from industrial incidents. The animals tend to be
rabbits, rats and mice. While experimentation in vivo is unpopular with the public as a whole, it is an
unpleasant necessity. There are potential hazards with this experimentation as the physiology and
biochemistry of the subject have to be a close match to those of Homo sapiens. There are a number of
readable summaries concerning toxicology and the limitations of this form of experimentation. Bridges
gives the following noteworthy warning:

Assessment of the lethal effects of chemicals is usually conducted only in rodents yet findings in a
rodent may be a poor indicator of toxic hazard to man. Large interspecies differences are also common.
Since the Seveso Directive is based on an incident in which Dioxin (2,3,7,8-tetrachlorodibenzo-p-dioxin,
TCDD) was released into the atmosphere it is appropriate to use this as an illustration. Ingested
Dioxin is about 100 times less acutely toxic to mice than to guinea pigs, and the Syrian hamster is about
600 times less susceptible than the guinea pig. Differences of this magnitude between three species
make extrapolation from animals to man somewhat problematical. In an attempt to identify whether
one species is more predictive of lethal properties of chemicals in man than another, Krasovskii analysed
the scientific literature on the acute toxicity of some 260 chemicals in man and other mammals.
Krasovskii concluded that man was usually more sensitive than the commonly used test species to the
acute toxic effects of chemicals.

If no data exists to identify, for a particular chemical, which species is likely to be the most appropriate
representative of the human response the findings from the most sensitive species must be adopted for
hazard assessment purposes.

Differences in LC50 and LD50 also commonly occur between animals of different ages and sex, and between
strains of animals of the same species. Other factors, including timing of observation, housing conditions
and diet, may also contribute to variability of results.

The LC50 and LD50 refer to an average healthy human. There may be significant differences between healthy
subjects and ones with bronchitis or other health problems. The values quoted must be treated with caution and
the data source checked carefully for applicability and authenticity. The history of Thalidomide is a warning
against the blind acceptance of experimental data derived from animals. One particular problem is to be found
with carcinogens which have long induction periods and where the history of exposure may be limited,
particularly in a migrant working population. There are a number of sources describing the toxic effect of
chemicals, the best known being Sax N I and Lewis J R, 1989, Dangerous Properties of Industrial Materials; Van
Nostrand Reinhold, New York, USA, and Bretherick L, 1985, Handbook of Reactive Chemical Hazards;
Butterworths, London.

The HSE publish short term and long-term exposure limits under their Occupational Health Series.

Toxic Doses

The toxic doses of a mixture of gaseous chemicals to achieve certain effects, for example in a gas plume, are often
described by:

Dose = C^n t (G.1)

Where:

C = concentration (ppm)

n = chemical-dependent factor of 1.6 to 2.8

t = time (s)

This equation has to be treated with care as the concentration in the plume is not constant and may vary by a
factor of 2 to 3. Most dispersion programs give time-weighted average concentrations, not necessarily dose
values, and once again there must be uncertainty as to the calculated value with the time-varying concentration
inherent in the dispersion process.

Alternatively the effect may be described by a probit equation of the form

P = K1 + K2 ln(Dose) K3 (G.2)

Where:

P = probit (relationship to the probability of fatality)

K1, K2, K3 and n are constants for any specific gas
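A worked illustration of (G.1) and the leading terms of (G.2), added here and not part of the original notes: the plume history, the exponent n and the probit constants K1 and K2 are constructed values, not those of any real gas, and the probit-to-probability step uses the usual convention (not stated on the page) that a probit of 5 is a 50% response. It shows why applying (G.1) to a dispersion model's time-weighted average understates the toxic load whenever n > 1.

```python
"""Toxic load (G.1) and probit (G.2) for a time-varying plume.

Added worked example, not from the original notes.  The plume history,
the exponent n and the probit constants K1, K2 are CONSTRUCTED for
illustration and are not the parameters of any real gas.
"""
import math

# Constructed concentration history at one receptor as the plume passes:
# (duration in seconds, concentration in ppm).  A dispersion model that
# reports only the 600 s time-weighted average hides the 6000 ppm peak.
PLUME_HISTORY = [
    (60.0, 3000.0),   # leading edge
    (120.0, 6000.0),  # peak
    (420.0, 1000.0),  # tail
]


def toxic_load(history, n):
    """Dose = sum over segments of C_i^n * t_i, i.e. (G.1) applied piecewise."""
    return sum((c ** n) * t for t, c in history)


def time_weighted_average(history):
    """TWA concentration (ppm) over the whole history, as dispersion codes report."""
    total_time = sum(t for t, _ in history)
    return sum(c * t for t, c in history) / total_time


def toxic_load_from_twa(history, n):
    """What (G.1) gives if the TWA is wrongly treated as a constant concentration."""
    total_time = sum(t for t, _ in history)
    return (time_weighted_average(history) ** n) * total_time


def probit(dose, k1, k2):
    """P = K1 + K2 ln(Dose), the leading terms of (G.2)."""
    return k1 + k2 * math.log(dose)


def probit_to_probability(p):
    """Probability of fatality from a probit.

    Uses the standard convention (assumed here, not stated on the page) that a
    probit of 5 is a 50 % response and the probability is the normal CDF at P-5.
    """
    return 0.5 * (1.0 + math.erf((p - 5.0) / math.sqrt(2.0)))


def compare(history, n, k1, k2):
    """Toxic load and fatality probability: true history vs TWA shortcut."""
    load_true = toxic_load(history, n)
    load_twa = toxic_load_from_twa(history, n)
    return {
        "twa_ppm": time_weighted_average(history),
        "load_true": load_true,
        "load_from_twa": load_twa,
        # > 1 whenever n > 1 and the concentration varies (Jensen's inequality)
        "underestimate_factor": load_true / load_twa,
        "p_fatality_true": probit_to_probability(probit(load_true, k1, k2)),
        "p_fatality_twa": probit_to_probability(probit(load_twa, k1, k2)),
    }


if __name__ == "__main__":
    # Constructed constants: n = 2 is inside the 1.6 to 2.8 range quoted above.
    result = compare(PLUME_HISTORY, n=2, k1=-17.0, k2=1.0)
    for key, value in result.items():
        print(f"{key:>22}: {value:,.4g}")
```

With these constructed inputs the TWA shortcut gives about 42% fatality probability against about 65% from the actual history, a factor of 1.8 on toxic load.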

Dusts

There are many examples of the harmful effects of dusts. The classic cases are silica in mines, which leads to
pneumoconiosis, and asbestos, which leads to asbestosis and mesothelioma. Wood dust can also lead to damage
to the lung.

Metals

Many metals are toxic, including cadmium, chromium, mercury and lead, all of which can gain access to the lung
in the vapour phase. Low-level concentration, for example ingested in food, can also cause serious health
problems.

Noise

All process plant has the potential to produce noise; the frequency and strength of the noise may come
from many sources. Frequencies produced are quite specific, for example electric motors will produce
frequencies, which are multiples of 25 Hz or 50 Hz. Gearboxes emit frequencies at shaft speed and
multiples of these and also the gear mesh frequency. Noise due to the flow of fluids is typically in the
range of 1 kHz to 20 kHz, with leaks producing even higher frequencies. Turbines, control valves and
ejectors also produce noise at high frequencies. Noise and vibration can be considered as synonymous.
Low frequency noise has relatively low energy and is less damaging to human hearing but noise above 1
kHz is potentially damaging to the inner ear. (see the audiogram plot G.1)

By convention, noise is defined in decibels (dB) by:

dB = 20 log10 (P2/P1) (G.3)

Where:

P2 = pressure of signal

P1 = reference pressure, 2 x 10^-5 N/m2.

As noise is measured on a logarithmic scale a doubling of the sound level is equivalent to an increase of 3
dB. As some frequencies are more damaging, the various frequency bands are given a loading factor to
average out the damage potential, lower frequencies have a lower loading factor than the higher
frequencies. The result of this normalising is the A scale, dB (A).

Exposure to noise is measured by a dose relationship, with the unit of measurement called the Leq. The
current action level of exposure in the UK is 85 dB(A) for 8 hours but different levels may apply elsewhere.
Noise above this level requires exposure to be for less than a full eight-hour period, for example:

88 dB(A) for 4 hours

91 dB(A) for 2 hours

Exposure to 88 dB(A) for 2 hours + 85 dB(A) for 4 hours constitutes the daily dose, so it is normal to
require the use of hearing protection within any area where the noise level is over 85 dB(A). If there are
high noise levels on the plant it is necessary to establish the employees' baseline hearing level and then
regularly monitor for hearing loss. Apart from the use of noise doses (Leq), there are overriding limits for
impact noise, as in sheet metal works. Special considerations may be necessary during construction and
demolition activities, for example during pile driving or steam blowing of pipelines.

Note that noise is not numerically additive: two sources of 45 dB(A) equate to one source of 48 dB(A) and
NOT 90 dB(A). Noise from motors, control valves and piping can add up rapidly to a significant overall
noise level. The public may justifiably complain if these factors are not adequately taken into account.
The planning consent for a new green field site may impose strict noise limitations and, of course, the
addition of new plant on an existing site may require extensive noise abatement across the site. Noise
reduction is a specialist activity, which often makes use of the techniques in Table G.4.
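The decibel arithmetic behind these statements, as an added worked example (not part of the original notes): it implements (G.3), the energy summation that makes two 45 dB(A) sources 48 dB(A), and the equal-energy (Leq) daily dose that makes 88 dB(A) for 2 hours plus 85 dB(A) for 4 hours equivalent to 85 dB(A) for 8 hours. The plant source levels in the main block are constructed values.

```python
"""Decibel arithmetic and daily noise dose behind the 85 dB(A) action level.

Added worked example, not from the original notes.  Implements (G.3), the
energy summation of sources, and the equal-energy (Leq) daily dose from which
the 4 hour / 2 hour permitted exposures in the text follow.
"""
import math

P_REF = 2e-5  # reference sound pressure P1 in (G.3), N/m2


def sound_pressure_level(p2):
    """Sound pressure level in dB from (G.3): 20 log10(P2/P1)."""
    return 20.0 * math.log10(p2 / P_REF)


def combine_levels(levels_db):
    """Combine independent sources: add their energies (10^(L/10)), not their dB."""
    return 10.0 * math.log10(sum(10.0 ** (level / 10.0) for level in levels_db))


def daily_exposure(exposures, reference_hours=8.0):
    """Equivalent continuous level over a reference day from (dB(A), hours) pairs.

    This is the Leq-based daily dose referred to in the text: equal energy over
    the day gives equal dose, so halving the time permits 3 dB(A) more.
    """
    energy_hours = sum(hours * 10.0 ** (level / 10.0) for level, hours in exposures)
    return 10.0 * math.log10(energy_hours / reference_hours)


def permitted_hours(level_db, action_level=85.0, reference_hours=8.0):
    """Hours at level_db that give the same dose as action_level for a full day."""
    return reference_hours * 10.0 ** ((action_level - level_db) / 10.0)


def needs_hearing_protection(levels_db, action_level=85.0):
    """True when the combined level of the sources present exceeds the action level."""
    return combine_levels(levels_db) > action_level


if __name__ == "__main__":
    print(f"Two 45 dB(A) sources combine to {combine_levels([45, 45]):.1f} dB(A)")
    # Constructed plant sources in one area: motor, control valve, piping.
    # Each is below the action level on its own; together they exceed it.
    area = [82.0, 80.0, 78.0]
    print(f"Area level {combine_levels(area):.1f} dB(A); "
          f"protection required: {needs_hearing_protection(area)}")
    for level in (88.0, 91.0):
        print(f"{level:.0f} dB(A) permitted for {permitted_hours(level):.1f} h")
    day = [(88.0, 2.0), (85.0, 4.0)]
    print(f"88 dB(A) x 2 h + 85 dB(A) x 4 h = {daily_exposure(day):.1f} dB(A) over 8 h")
```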

Table G.4 Noise Sources and Possible Solutions

Noise Source            Design Solution

Piping                  Heavy wall pipe
                        Dense insulation
                        Flow velocity

Control valves          Silent trims
                        Silencers
                        Booths and insulation

Fans                    Silencers
                        Low noise fans

Compressors/Turbines    Acoustic booths
                        Limit blade tip velocity

Gearboxes               Design
                        Acoustic booths
                        Low gear mesh velocity

Intakes/exhausts        Silencers
                        Diffusers

Flare stacks            Design

Vibration

Vibration, generally at low frequency, can cause a variety of problems including injury to bones, joints and
tissue. The best-known vibration problem is white finger, which has been a problem for personnel working
with machinery such as pneumatic drills, riveting guns etc. It usually takes many years for damage to
become apparent and it is usually irreversible.

Lighting

Process plant must, obviously, be adequately lit to ensure safe operation and easy reading of instruments.
It is essential that the workplace is adequately illuminated; however, shadows on the plant and glare are
further problems. Emergency lighting is also essential to allow operators to escape from the site if there
is a power failure.

It is sometimes found that scaffolding may screen normal lighting and additional temporary lighting may
be necessary; this must conform to the appropriate electrical area requirements. It is necessary to
monitor the illumination of the worksite on a routine basis to check that the lights do, in fact, work.

It is also necessary to consider the effect of light on the surrounding environment during the hours of
darkness. Flares, for example, may cause problems to local residents, even at a distance.

Uses of Nucleonics

Nucleonic devices are finding increasing use in industry and in life in general. The following are just some of them.

Table G.2 Some Uses of Radioisotopes (Non-intrusive Techniques)

Technique                   Application

Pulsed Isotope Injection    Flow measurement in pipes
                            Flow measurement in reboilers

Drip Feed Injection         Leaks in heat exchangers
                            Tracing underground pipes or drains

Absorption (Neutron)*       Density measurement

Absorption*                 Level measurement
                            Interface measurement/control

Gamma-Ray Scans*            Scanning vessels for solids build-up
                            Scanning distillation columns for
                              (a) tray damage
                              (b) flooding
                              (c) tray performance

Gamma-Rays/X-Rays*          Inspecting welds and castings for defects
                            Inspecting filters, on line, for build-up or foreign matter
                            Inspecting non-return valves for damage/performance in flowing conditions
                            Monitoring equipment for corrosion

Nuclear Risks - Ionising Radiation

Obviously, there are special precautions needed in their application but under proper control and
supervision their use, both in control and as a diagnostic tool, is a potent addition to the safety armoury.
Ionising radiation is totally invisible. Within the UK its use must be under the control of a Registered
Responsible Authority, prescribed by Regulation.

Naturally, the source strengths have to be powerful enough to penetrate metal and fluids in vessels; this in
turn may require the evacuation of an area. It should be recognised that ionising radiation exists naturally.
It is present in air, rock, food and cosmic rays, and also comes from medical investigations and traces of
residual radiation from atomic weapon tests.

Definitions

Four basic types of radiation exist; their effects and penetration ability differ significantly:

Alpha Particles: are essentially charged Helium atoms. They have relatively little energy and can be
stopped by a layer of dead skin. Their damage potential from external exposure is low, but internally it
is high.

Beta Particles: are essentially charged electrons. They have sufficient energy to penetrate
approximately one centimetre under the skin surface.

Neutrons: are uncharged. They are highly penetrating but can be arrested.

Gamma Rays: are electromagnetic waves such as X-rays. They are highly penetrating and are very
difficult to arrest. Dense layers of lead and/or concrete are needed.

In summary: Alpha particles are relatively safe when received externally but they can be dangerous if
received internally. Beta particles are potentially dangerous if received externally but Neutrons and
Gamma Rays are very dangerous if received externally or internally.



Dose

The absorbed dose is called a Gray (Gy) and is measured in terms of energy density. One Gray is equal to
one Joule per metre squared (J/m2). The damage potential for the four types of radiation differs and the
damage potential is normalised into a dose equivalent, called a Sievert (Sv).

Radiation

The rate at which radiation is produced is called the Becquerel (Bq). A Becquerel is equivalent to the
decay of one radionuclide per second.

Working with Radioactive Materials

Operators who use radioactive substances are designated, in the UK as Classified Workers by law, and are
subject to:

Periodic Health Checks

Radiation Dose Monitoring (Film Badges)

Detailed Record Keeping

Radioactive sources must not be used indiscriminately. Where they are used, the area must be restricted
and cordoned off; this cordon must extend all around the site, over and below as well as horizontally.
Clear visible warning signs must be displayed at all edges of the cordon. Further, the area round the site
must be monitored for radiation leakage. Sources should be registered with the appropriate regulatory
authority and then held in a safe on the site; when they are out of the safe a record of their movement
must be kept.

Environmental Vulnerability

From historic evidence it is possible that there are as yet unknown aspects of the environment, and also ways of
causing further damage, some of which may be occurring even now. It takes time for them to be fully identified,
and it is not possible to redress the balance or eliminate the causes overnight; this also takes time.

The main routes of assault are:

Land

Air

Water

Visibly

Audibly

Flora

Fauna



The last two are sensitive in themselves and there are strong arguments to suggest that there is a strong
negative influence on them from many industries. The main objective with SHE is to eliminate the
problem or effect and it follows that any process that produces any effluent or waste is not
environmentally acceptable (tolerable, possibly). The design or specification of the process equipment
must therefore address the environmental issues:

1a) What are the gaseous emissions - fugitive or deliberate?

1b) How can these be contained, recovered and eliminated?

2a) What are the liquid releases - accidental or deliberate?

2b) How can these be contained recovered or eliminated?

3a) What are the solid residues/wastes?

3b) How can these be disposed of in a safer manner with no long-term impact, or eliminated?

4a) What is the visual impact?

4b) How can it be reduced/disguised?

5a) What is the audible impact?

5b) How can it be reduced at source/attenuated?

6) What is the impact on the flora/fauna?

7) How will the process equipment be recycled or disposed of in a safe manner?

It will be noted that no answers are given to 6 and 7.

Note: any release should be logged so as to assist in site restitution. Many old Towns Gas works and
steel works have left tracts of land that are not fit for human habitation.

It is not always possible to eliminate all sources of release or to ensure that they have no environmental
impact. However, attention to the detail of the design and the operational procedures may go a long way
towards controlling the releases.

Plants are now becoming subject to Environmental Impact Assessments with set consent limits for
release of effluents. The consent may have limits on:-

Total release per year

Maximum concentration

Maximum average concentration

The topics covered for water may include:-

Temperature

pH

Chemical oxygen demand

Biological oxygen demand

Oil in water (soluble and insoluble)

Solids concentration (suspension)

Concentration of chemicals, e.g. phenol or heavy metals

The topics covered for air may include:-

CO2 / SOx / NOx

Solids (size/weight/concentration)

Other gases/chemicals specified

Colour

It is self-evident that for green field sites a background ('before') survey must be taken so that the
impact can be monitored and tracked. This requires a tracking programme, such as measurements of
flow/concentration/quality on a continuous basis.

It may not be possible to eliminate the source of the pollutant, and effluent treatment is the ultimate
resort. This is often called "end of pipe" and very often it is the only approach. Some techniques for the
control of gaseous effluents include the following:-

V.O.C.: Volatile Organic Compounds are often removed by ventilation systems with absorption processes in the
ventilation process, or by combustion processes.

SOx: SOx can be reduced by hydrodesulphurisation or by scrubbing processes using lime.

NOx: NOx can be catalytically converted.

Solids: Solids can be reduced by cyclones, electrostatic precipitation or direct filtration.

Likewise for liquid effluents:-

pH: pH can be adjusted at source but must be done with care.

Oxygen Demand: Effluents can be oxygenated to reduce the demand for oxygen.

Solids: Solids can be flocculated and skimmed from the system.

Oil: Oil can be biologically digested.

Chemicals: Chemicals can be removed by biological treatment or by precipitation and physical separation.

Incineration: Where appropriate, recovered organic compounds can be incinerated in a registered process.

Likewise for solids:-

The processes will usually involve disposal at a registered site.

In the first few words of this unit, a warning was made for the future. Already it is recognised that rivers
can be killed by oxygen depletion and that agricultural run-off (nitrogen and phosphates) can produce
toxic algal blooms in late summer. Even the decomposition of organics/chemicals requires oxygen, and the
oxygen depletion produces sterile rivers. The longer-term effects of poisoning a river are uncertain; there
could be an accumulation, leading to silting up of the watercourse. Even now, it is clear that recovery of
flood plains for human usage in many countries is a potential time bomb. Concerns are being expressed
about the potential for flooding along the River Thames, and changes made to enhance navigation on the River
Rhine, by by-passing or eliminating flood plains, have allowed flood water to reach the lower reaches of the
river and have resulted in flooding in areas which hitherto had not experienced these effects. Changes in
the River Mississippi resulted in higher flooding in New Orleans in 1994.

Visual light pollution is evident in Britain; there are reasons for good illumination, but is it in the interests
of the environment? Noise pollution from aircraft is being addressed, but slowly. Certain aero-engines
are to be prohibited within a few years, but the noise from roads is increasing steadily and many experience
noise impact from roads.

The noise from chemical processes produces a low-frequency throb, as the higher frequency sources are
more attenuated by distance than low frequency sources. The increase in noise levels in previously rural
areas can produce a significant environmental impact.

Visual impact is to be seen in many areas, the visual pollution is often personal, but must NEVER be
ignored.

Most developments require Environmental Impact Assessment, which may also require both a base-line
measurement of flora and fauna, an assessment of the restitution of the site, the routine monitoring of
the near and far field environment and of changes in flora and fauna.

The migration of gases and solids once released into the environment can be assessed by other models.

The migration of liquids into soils and watercourses is complex and can be assessed using mathematical
models in the same way as gas dispersion. At the first level the liquids may fall onto the surface water
and rapidly run off the surface into the local watercourses. At the next level it will enter the ground water
and eventually enter the water table, where it will be diluted to a degree before reaching watercourses
such as streams and rivers and then the sea (or, worse still, reservoirs).

Flora and Fauna

Much has been written on the effects on flora and fauna. The effect of acid rain is fairly well proven, as
are the effects of mankind on hedgerows and of draining marshland. Soil erosion is now widespread in the
developing countries and various species of flowers, animals and birds are under threat from man's
influence. The whole ecosystem is in very fine balance and a small change can have a major effect in the
long term.

If I were to give a series of examples, I would run the risk of being accused of being biased or unbalanced. The
history is there for us all to see and even with the best scientific evidence H.S. seems to have an
unnerving ability to get it wrong!

The history of the dust bowl in the Central USA, due to the removal of hedges in the prairie Corn Belt
earlier in the 19th century, is well documented.

The effects of D.D.T. on bird life in the U.K. are well documented, but in Africa D.D.T. did produce
beneficial effects in the suppression of the malarial mosquito and its use was justified (Silent
Spring).

The recovery of land near rivers for human habitation reduced flood plains and enhanced flooding
downstream. Likewise, works to improve the navigation of the Rhine produced flooding, as the river
flowed more freely and created flooding at its estuary.

In the Sahara, aquifers were tapped for irrigation purposes; unfortunately salts accumulated in
the soil and the vegetation died in a few years.

If H.S. can get the macro models so badly wrong, how can H.S. be expected to solve the micro models of a
localised Environmental Impact Study!! But legislation and environmental pressure say we must start.



Part H

HISTORIC INCIDENTS THAT ILLUSTRATE THE BREACHES IN DEFENCE IN DEPTH

Incident Studies and Illustrated Safety Teaching Examples for ChemEngers

Safety is no more than the application of O and A level physics and chemistry. Most, if not all, of it is
known already but not applied in the right manner. (FKC)

Incident studies must not be used in isolation from the basic safety fundamentals. They are, for the most
part illustrative of management failures but the outcomes of these failures must be discussed and
reference made to the risk.

In some cases the problem may appear to be a risk to humans (for example a dripping pump seal) but if
the drip is only water the risk is zero! In some cases it might be the risk to the environment.

All activities require an analysis of the potential risks (Risk Assessment) and then the residual risks and
potential mitigations must be assessed properly! Many Risk Assessments will be qualitative (as in a
permit to work) and not quantitative in nature asking:

How can we eliminate the risk and if we can not eliminate the risk how can we mitigate the risk?



The following set of incident studies for use in the Safety Courses in University Schools of Chemical
Engineering do not describe the risk, this MUST be assessed separately. The main features of the
analysis should centre on the Corporate Management Systems.

As a generalisation most incidents are the result of:

1. Didn't think of that!
2. Poor understanding of the risks.
3. Poor risk assessment.
4. Not understanding the physics and chemistry!
5. It could not happen to me!

Is 2 to 5 a repeat of the first entry?

The tutor can use these incidents as teaching tools (and there are some cases which fall into this category)
or to ask the class to be a part of the incident investigation with the tutor answering any questions raised.

The studies have a number of elements: the word picture of the incident, possible questions and answers
that can be directed to the students, background which may be essential to the understanding of the
issues (this can be given as part of the incident) and finally the teaching points, which are the main thrust
of the studies and must be emphasised by the tutor.

Analysis of incidents can be used to teach simple engineering, the human factors and also the
interaction between engineering disciplines.

All of these incident studies are as they occurred or with some VERY minor details changed to disguise the
guilty party. These changes DO NOT affect the conclusions or the final messages.

Caveat with Videos

Some of the BBC videos and the CSB illustrations must be reviewed critically if used during a teaching
course. It is necessary to ask what are the teaching points? And is it true and relevant to the UK
culture/regulatory system?

In the case of the BBC Disaster Series some of the facts as displayed are in error, so much so that the
real messages and conclusions may be erroneous if these errors are not recognised or corrected. Likewise
the cultural and regulatory differences between USA and Europe as in the CSB animated videos must be
recognised.

These issues are now highlighted:

Piper Alpha (BBC)

The support jacket was designed against the Gulf of Mexico wind/wave profile. The North Sea is
different and the jacket suffered from early fatigue failures (5 years against a life of 50). Some
VERY elegant bracing was installed which overcame the problem.

The original design intent was that the production area would be naturally ventilated by its being
open on 3 sides.

Shortly after the fatigue analysis the then Regulator, D of E, issued an SI concerning the irrigation
rate on equipment in a fire. This required more firewater pumps, which would increase the fatigue
loading, or fire zoning with fire walls. The latter approach was adopted but it violated the
design intent. (Caught between a rock and a hard place.) NOTE: fire walls, NOT blast walls as said by
T Barrell.

The need to inhibit the fire pumps with divers in the water is a bit of a myth. In a HAZOP which I
facilitated the "as well as fire water" answer was a diver. So the inlet was fitted with a bell
mouth with an inlet velocity of 0.5 m/s and catcher bars.

There WAS an Emergency Isolation on the oil export riser! Did it work or was it damaged by the
initial explosion?

Oil in a pipeline is compressible and the pipeline expands under pressure. The result is a stored
amount of oil called line pack. The line pack was about 50 te; the liquid fire was equivalent to
about 20 te/hr, so even if Tartan was shut down the oil (if it was oil) would still ooze past a valve.

There was an alternative source of liquid fuel in diesel oil (for the gas turbines) which was stored
in the production module roof. The handling pumps were close to the compression/production
module fire wall.

There is at least one photo showing the BLEVE of what was probably a propane bottle stored in
the production module. Some of the BLEVE can be seen entering the well head module, that is,
the firewall between the production and well head modules was damaged. If that wall was
damaged could not some of the diesel oil piping be damaged?

There was some discussion on the need to have the injection pump on line or else the power gas
turbines (GTs) would shut down. The design of the fuel supply to the GTs is that there is a
continuous change-over from gas to diesel and reverse; it has to be so!

Conclusion

Dont let the facts get in the way of a good story!



Texas City (CSB)

There are cultural and regulatory differences between the USA and the UK. As an example, the storage of
Ammonium Nitrate in the UK is covered by COMAH. It was not covered by OSHA Process Safety
Management in the USA, hence the explosion in West, Texas. It is covered now, but too late.

The vent arrangements in TX City complied with American Petroleum Institute Recommended
Practices (API RP). They would NOT be acceptable in the UK.

The position of the Pressure Relief Valves (PRVs) was at the BOTTOM of a swan neck. This
facilitated the removal of the PRVs but ensured that the imposed hydrostatic head following the
internal roll-over in the fractionator would prevent the PRV closure.

The best location for the PRVs would be at the exit of the reflux drum, which would then act as a liquid
interceptor. The root causes were bad supervision, bad engineering and bad training or
procedures. Quite a list!!!!

There were many other features, as described by the CSB.

Conclusion

The TX City event does not readily transfer across the pond because of the engineering, cultural and
regulatory differences.

It is an excellent incident for examining the plant design (more particularly the piping) in three
dimensions, not normally analysed well in a HAZOP which treats it as two dimensions!

The following incidents are used to illustrate the role of Management (or lack of Management) and design
faults in the build up to major incidents. Three incidents are used:

FLIXBOROUGH

PIPER ALPHA

CHERNOBYL

The Texaco Refinery Fires can be accessed through the LPB obtainable from the Institution of Chemical
Engineers. It highlights the problems with training and information overload.

LPB 104 contains an analysis of the Seveso incident, which resulted in the production of Dioxin. It is
possibly a bit too elegant for teaching purposes.

These case studies are not meant to be critical, in any way, of the asset owner. They are only there to
illustrate failures in the defence in depth: that they occurred slowly and may not have become
manifest for a number of years. For example, some of the defences at Flixborough were eroded some years
before the event but the erosion was not recognised. If there had been regular audits it may well have
been that these failures would have been rectified and that the explosion would not have occurred.

Try to project yourselves into the Flixborough environment where energy costs were rising rapidly and
cost saving was essential for a viable future. Would you have been able to recognise the implications of
the reduction in staff numbers and competence and could you have resisted it?



Flixborough 1974

Background

The precursor for the production of nylon is cyclohexanol/cyclohexanone, which is produced in a series of
continuous stirred (back-mixed) reactors, between 4 and 6 in number. The reaction is carried out by the reaction
of cyclohexane and air in the presence of a cobalt catalyst at conditions of about 150 °C and about 900
kPa. Air is injected under the liquid and dispersed by an agitator moving at about two revolutions per
second. The conversion is about 3 to 5%, so about 95 to 97% of the cyclohexane per pass has to be
distilled off and recycled to the feed point. The reaction produces acid by-products so the vessels are
usually made of stainless steel or are stainless-steel clad. The reactants are also quite aggressive and
attack the jointing materials.

The site layout is shown in Fig A before the event and in Fig B as an actual view after the event. The
process is shown in Fig C, it will be noted that reactor 5 is bypassed. The area and the site were rural and
there was the usual application of fertiliser and nitrate run off into the ground water and river. The nitrate
run off was not fully appreciated by the work staff. This is a feature of the ground water which played a
major role in the lead up to the final explosion.

The Incident

Cyclohexane is a solvent and dissolves the binding agent in conventional gasketting materials. There was
a general acceptance that leaks in the process were inevitable, so the occurrence and the remedy were
treated as 'custom and practice' and there was little investigation into the potential consequences. It was
standard practice to spray water onto the joint with the intent of condensing / dispersing the cyclohexane.
(This was standard practice, but a little analysis of the dispersing mechanisms would suggest that
condensation of the vapours was probably not achieved but that the bulk air movement induced by the
sprays was beneficial, not to mention the explosion suppression benefits of the water mist.)

Unknown to the operating team, the water contained nitrates. The management systems of the time were
not ideal and were still evolving; "Management of Change" was definitely in its infancy. (Large companies
such as ICI had a form of Management of Change, which relied on experience and professional ability.) The
management structure on the site at Flixborough lacked a qualified mechanical engineer: the mechanical
engineer had moved to a new job as part of a cost cutting exercise and there was no perceived need for a
replacement, as the engineering was considered fairly "run of the mill" after a period of steady operation.
By now there were at least six breaches in the defences.

A few weeks before the event a leak was found in reactor 5 and, after initial examination, it was decided to
remove the vessel for more detailed examination. (A photo, which does not print well in the final report,
shows the reactor with a long vertical coupon cut out, about 25 cm wide by 1 m long. The coupon followed a
vertical crack, the orientation opened by the hoop stress, starting at a stress raiser (a nozzle on the vessel);
this is indicative of stress corrosion cracking.) The process was considered to operate safely with only 5 of
the 6 reactors, but at reduced rate / conversion per pass. At least one successful start up with the new
piping configuration had taken place before the final event.

The original connections between the reactors were bellows units in a straight, horizontal line, as shown in Fig C.

Each reactor stood about 1 to 2 feet lower than the one before it, which provided the hydraulic gradient for
the liquid flow (see Fig C). A simple, non-engineering, analysis suggested that a "dogleg" pipe could be fitted
between the existing bellows to take up the difference in height and the differential thermal growth during
start up. This was quickly engineered and scaffolding was used to support the assembly (see Fig D). No
mechanical analysis was carried out, but the forces and moments show an oblique, off-centre bending
moment on the bellows (Fig D). (This can be illustrated by rolling a sheet of paper into a cylinder, applying
an axial load and then applying an offset load or bending moment.) By now another two defences were
breached. The plant had operated for a few weeks in this configuration, but during a start up on the day in
question, for whatever reason (and many have been proposed with hindsight), the bellows rotated, the
scaffold collapsed and the bellows tore out. Cyclohexane now rushed out of two 20" openings at a rate of
more than one tonne per second.

The wind was in such a direction that the cloud was driven back into the plant, where it ignited. The actual
ignition source is open to debate but is believed to have been the hydrogen plant, where there were fired
furnaces.

The explosion that followed was estimated to be equivalent to about 16 tonnes of TNT. There is good
evidence that there were two explosions close together. The resultant fire reduced the site to a state
requiring total demolition and rebuild. Off site there were no deaths, but there was significant damage to
local housing.

It is now worth looking at the breaches in the defence in depth and the timing of that breach given as [ ].

Breach 1

The plant layout was congested. The potential for a vapour cloud explosion was not appreciated and the
control room was located close to the process plant. [Design]

Breach 2

The specification of the joints was not ideal and joint failure (loss of containment) was quite common.
Better joints were available but were not used, due to poor specification and/or engineering application.
[Design and operation]

Breach 3

Following leaks it was normal practice to spray water (which contained nitrates) onto the shell of the
reactors; this resulted in stress corrosion cracking of the shell. Following inspection, reactor 5 was removed
because the shell was cracked. The potential for stress corrosion cracking was not understood, nor were
the implications of the cracking appreciated. [Start-up]

Breach 4

The process had not been subjected to a formal HAZOP during design, so the potential for leakage and
metallurgical damage was not recognised. (In fairness, the HAZOP technique was still in its infancy.)
[Design]

Breach 5

The management structure on the works did not contain a fully trained and experienced mechanical
engineer. [Some time before the event, due to cost cutting]

Breach 6

There was no formal Management of Change procedure in place on the site. [Some time before the event,
but MoC was not then a developed management system]

Breach 7

The bypass was engineered, but given Breaches 4 and 5 the full implications of the modification were not
appreciated. [Months before the event, as there had been at least one successful start up with the
bypass]

Breach 8

The bypass shown in Fig D was designed as a dogleg between a pair of bellows to take up thermal
expansion. The support of the bypass was not engineered properly and the forces on the support and on
the bypass were not analysed. Fig D shows the bending moment / shear force diagram. Fig E shows the
remains of the plant close to reactors 4 and 6.

It can be seen that some of the breaches were in place from the design of the plant (Breaches 1, 2 and 4).
Others occurred later in the life of the plant (Breaches 3 and 5). Breach 6 was organic and may have been
in existence before the plant was designed; Breach 1 was also organic, but had its origin before the plant
was designed. Breaches 7 and 8 occurred just before the incident.

Breach 9

The wind was in the adverse direction, such that the vapour cloud was blown back onto the plant, where it
exploded.

Analysis

There were failures in engineering, management, design and the supervision of workers, which led to a
systematic breach of defences in:

Procedure

Equipment

Training

Supervision

On the 1st June 1974 there was a massive explosion, which killed 28 persons.

Figure A. Simplified site plan of the works of Nypro (UK) Ltd at Flixborough

Figure B Site after the fires were extinguished

Figure C Simplified flow diagram (not to scale) of the cyclohexane oxidation plant at Flixborough

One photo, which does not copy well, shows the removed reactor with a vertical, thin metallurgical coupon
taken from below a nozzle. This is indicative of a stress corrosion crack in the vertical orientation opened
by the hoop stress.

Figure D Sketch of pipe and bellows assembly at Flixborough showing shear forces on bellows and bending moments in pipe (due to internal pressure only)

Figure E Reactors No 4 and 6 and the bypass assembly at Flixborough after the
explosion

Figure F Area Damage. Note the internal collapse of a distillation column. Was
this caused by the initial explosion?

Piper Alpha

Background

Offshore oil production is relatively simple. Oil in the reservoir is a mixture of hydrocarbons in the liquid
phase under a high pressure of at least 5 MPa. It contains methane, ethane and propane and extends to
high molecular weight molecules with boiling points well over 300 °C. The oil flows into a separator at
about 1 MPa, where some of the lighter components come out of solution (degas). The liquid phase is let
down into other, lower pressure, vessels where further gas is released. The gases from the various
separators are compressed and cooled, and any condensate is recycled to the separators. The primary
product from the installation is oil with a vapour pressure of about 500 kPa; this is pumped by pipeline to
the shore, where it is further processed to produce an oil which can be transported by tanker. The
secondary product is the gas from the compression cycle above, which is further compressed and sent by
pipeline to the shore, where it is processed to produce commercial domestic gas and LPG. In simple terms
the offshore platform separates a mixture of hydrocarbons ranging from methane to tars into a gas, which
is mostly methane with some ethane, and a liquid, which contains propane and heavier hydrocarbons plus
some ethane.

The process flow diagram for the high pressure section is shown in Fig A. There are gas connections to
Tartan and Claymore, a gas export line to MCP-01 and hence to St Fergus, and an oil export line to the
Flotta terminal in Orkney (Fig B).

The design of the platform was somewhat congested and had evolved as the legislation for the UK offshore
processing industry evolved. The following is a personal view, which cannot be fully proved as some of the
evidence is at the bottom of the North Sea. The analysis of the breaches is based on Lord Cullen's inquiry,
on experience of the offshore industry and on the sister platform (Claymore). Some of the breaches are
not fully proven but they are entirely probable.

Two further facts are relevant. At about 500 °C steel has lost most of its strength and is becoming plastic.
The products of combustion of oil in a poorly ventilated area contain about 5% v/v carbon monoxide, and
humans lose consciousness when exposed to a dose of about 50,000 ppm minutes of carbon monoxide
(10,000 ppm for 5 minutes, or 1,000 ppm for 50 minutes).
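The concentration x time dose rule quoted above can be applied to a concentration history rather than a single constant value. The Python below is an added worked example, not part of the original notes: it integrates a time-varying CO concentration into a cumulative dose in ppm.min and solves for the time at which the 50,000 ppm.min figure is reached, which is the quantity an escape-route analysis needs. The 50,000 ppm.min threshold is the figure quoted in the notes; the concentration profile in example_profile is constructed for illustration and is not measured data.

```python
import math

# Dose at which loss of consciousness is expected, as quoted in the notes:
# about 50,000 ppm.min (10,000 ppm for 5 min, or 1,000 ppm for 50 min).
UNCONSCIOUS_DOSE_PPM_MIN = 50_000.0


def cumulative_dose(times_min, ppm):
    """Cumulative CO dose (ppm.min) at each sample of a concentration history.

    The concentration is taken to vary linearly between samples, so the
    trapezoidal rule gives the exact integral of that piecewise-linear profile.
    """
    if not times_min or len(times_min) != len(ppm):
        raise ValueError("times_min and ppm must be non-empty and of equal length")
    dose = [0.0]
    for i in range(1, len(times_min)):
        dt = times_min[i] - times_min[i - 1]
        if dt < 0:
            raise ValueError("times_min must be non-decreasing")
        dose.append(dose[-1] + 0.5 * (ppm[i - 1] + ppm[i]) * dt)
    return dose


def time_to_dose(times_min, ppm, threshold=UNCONSCIOUS_DOSE_PPM_MIN):
    """Time (min) at which the cumulative dose first reaches `threshold`.

    Inside the interval where the threshold is crossed the dose is quadratic in
    time (linear concentration), so the crossing time is solved exactly rather
    than read off a straight line between samples. Returns None if the
    threshold is never reached within the history.
    """
    if threshold <= 0:
        return times_min[0]
    dose = cumulative_dose(times_min, ppm)
    for i in range(1, len(dose)):
        if dose[i] < threshold:
            continue
        t0 = times_min[i - 1]
        dt = times_min[i] - t0          # > 0 here, since the dose rose across the interval
        c0, c1 = ppm[i - 1], ppm[i]
        remaining = threshold - dose[i - 1]   # dose still to accumulate after t0
        # dose(x) = a*x^2 + b*x for x = t - t0, with the coefficients below
        a = 0.5 * (c1 - c0) / dt
        b = c0
        if abs(a) < 1e-12:
            x = remaining / b if b else dt    # constant concentration: dose is linear in x
        else:
            disc = b * b + 4.0 * a * remaining
            x = (-b + math.sqrt(max(disc, 0.0))) / (2.0 * a)  # smallest positive root
        return t0 + min(max(x, 0.0), dt)
    return None


def example_profile():
    """Constructed profile (not measured data): CO rising linearly from 0 to
    20,000 ppm over 10 min in a poorly ventilated space, then holding."""
    return [0.0, 10.0, 20.0], [0.0, 20_000.0, 20_000.0]


if __name__ == "__main__":
    t, c = example_profile()
    print("time to loss of consciousness: %.1f min" % time_to_dose(t, c))
```

For the constructed ramp the threshold is reached after about 7.1 minutes, well before the concentration has finished rising; a constant 10,000 ppm reproduces the 5 minute figure in the notes and a constant 1,000 ppm the 50 minute figure.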

The layout of the Piper platform is shown in Figs C1 and C2. Module A contains the wellheads, from which
the hydrocarbons flow into Module B, where the separators are located. Module C contains the
compressors and the pumps which handle "condensate", a mixture of methane, ethane and propane. This
condensate is injected by reciprocating pumps into the oil before it flows to the Flotta oil terminal on
shore. The oil pipeline passed down under Module B, and the master oil isolation valve was located under
Module B. The pipeline then passed under Module C and the accommodation before going down to the sea
at the edge of the platform. The master gas isolation valve on the gas pipeline was also under Modules B
and C, and the gas pipeline passed under Module B and down to the sea under the accommodation module.

Diesel oil, which is used to fire the gas turbine power generators, was stored in the roof area of Module B
[Fig C1].

The accommodation block is in Module D and had been extended over the years.

The Incident

There were many breaches of the defences before the incident, ranging from procedure to training.

The original design intent was for an open platform which would be naturally ventilated by the wind. This
was changed into three compartments as a result of changes in legislation. Isolation standards were poor:
normally valves are closed and locked and in some cases slip plates (line blinds) are fitted, but on Piper
some isolations relied only on air operated valves being closed, which gave a poor indication of status
(open or closed).

Various extensions had been carried out on Piper Alpha over the years and the accommodation had been
extended as well.

Above Module B was a diesel oil tank (the same fuel as car diesel), which fed the gas turbines. The process
modules were compact, if not congested. The pipelines to the shore did have emergency isolation valves
(see Fig D).

During the inquiry there was much discussion about the fire pumps being isolated because of diving
operations. This is a potential red herring, as the explosion would probably have damaged the fire water
system; in any case it would probably have been of no benefit in mitigating this event.

The permit to work system and handover were not well administered and training for and handling of
emergencies was poor.

During the morning shift on the day of the event, pump 2G-200A was handed over to maintenance for an
overhaul of its relief valve [Figs E and F]. (Note that there is a labelling error on Fig E.) A blank was loosely
fitted at point X. The pump was isolated by two gas operated valves (GOV (1) and (2)). These were valves
operated by a pneumatic cylinder and hence difficult to inhibit or lock in position; it would be easy to
reopen them, as no label or positive isolation was applied. At about shift change pump 2G-200B shut
down (tripped) and an operator was asked to restart it, but this proved difficult. After a short time the
permits on the A pump were signed off and the A pump was started up. (It is to be found almost at the
true centre of Fig F.) The pre-start up checks were omitted because of the urgency of the restart. Either
because of the process pressure or because of the loosely fitting blank, condensate sprayed out at about
2 kg/s. Owing to the poor ventilation a large flammable cloud formed; many gas detectors recorded it.
After about one minute there was an explosion. The ignition source was probably static but it could have
been electrical. About 100 kg of fuel burned in a fraction of a second. The fire walls between Modules C
and B and between B and A were breached, the fragments becoming missiles which, individually or
together with the dynamic drag loads, damaged instruments and smaller piping. One small line, 2 P 517.4"
-F15-, second down from the top left hand side in Fig G, is of note: it carried condensate to the oil line,
was particularly vulnerable and could have been damaged when the fire wall blew out.

The emergency valves may have closed, may not have closed, or may have been damaged; this is not really
important, as they were probably located in the wrong place anyway. The resultant fire consumed fuel at
a rate of about 8 kg/s. Some fuel ran down below Module B and heated the pipelines (see Fig C).
Eventually the Tartan gas riser ruptured under fire attack and a fireball about 50 to 75 m in diameter
enveloped the platform. The initial gas outflow from the ruptured line was many tonnes per second but
fell rapidly to about 100 kg/s over half a minute. This fire led to the collapse of the platform and/or the
rupture of the other pipelines.

The following is an analysis of the significant breaches in the Defences in Depth with the approximate
timing of the breach shown as [ ].

Breach 1

The original design intent was that the whole of Modules A, B and C would be open and ventilated by the
wind, but in the late 1970s new regulations required a fire water rate of about 10 litres per minute per m²
of area within a specified fire area. The fire area was defined by the limits of the fire walls. On
investigation the available fire water did not match the new requirement, so two strategies were
possible:-

1. Install new fire water pumps.

2. Install new fire walls.

The latter option was adopted, as new fire water pumps would have adversely affected the fatigue life of
the structure, which was already challenged. The walls affected the air movement and violated the original
ventilation philosophy for the modules, so that a gas build up became more likely. [10 years before the
event]

Breach 2

There was a door into the accommodation block with access from Module C. This door was normally
closed, but if left open it would allow fumes to enter the accommodation block if there was a fire in
Module C. [Installed some years before the event, but left open on the day of the event]

Breach 3

The permit to work system (the safe system of work required by HASWA) was poorly administered. The
standard of isolation was poor and it was possible to start up a pump while it was under maintenance.
[Systematic over many years]

Breach 4

The hand over at shift changes was poor and the status of equipment was not clearly described to the
on-coming shift. [Systematic over many years]

Breach 5

The line of command in an emergency was poor. The responsibility for ultimate decision-making in an
emergency was not clearly defined; it lay somewhere between the Offshore Manager and the onshore
emergency team. [Many years]

Breach 6

Emergency exercises were poor and covered only small emergencies; furthermore, evacuation drills were
carried out under non-stressful conditions. [Many years]

Breach 7

The supervision of work was poor and the operations staff had a fairly broad scope for decision-making
(the standing instructions were poor). [Some years]

Breach 8

Coupled with Breach 7, there was a general acceptance of lax operating practices and an acceptance that
hydrocarbon leaks were the norm and to be tolerated. [Some years]

Breach 9

There were design weaknesses which predisposed the installation to failure, such as the piping routing, the
location of the diesel oil and others. [Design]

It is debatable whether evacuation was possible up to the point where the Tartan riser ruptured; this is
not proven, nor can it be proven. There was some futile discussion about whether the other platforms
pumping oil into pipelines connected to Piper Alpha should have shut in. In theory the answer is "yes", but
in practice it made no difference, as it was the gas line which ruptured.

There was also some futile discussion about the role of the emergency support vessel Tharos. The
captain, by the law of the sea, is responsible for his crew and vessel. Should he jeopardise the lives of his
crew? The author has his opinions but will not say more.

Breach 10

The wind was in the adverse direction, such as to hinder escape and to drive the products of combustion
into the accommodation block.

Analysis

There were weaknesses in the design (Breach 9). There were weaknesses in the management systems
(Breaches 3, 4, 5, 6, 7 and 8). There was poor management of change (Breaches 1 and 2).

167 persons lost their lives.

A long discussion in the BBC film on the ability to keep the power generation running is a distraction, as in
reality the generators are dual-fuelled (gas and diesel oil) with a continuous and seamless change-over
between the two. This is not always 100% successful, but it is the design intent.

Figure A Simplified flow diagram of the second stage reciprocating compressors and export and gas lift lines

Figure B Pipeline connections of the Piper field

Figure C1 The Piper Alpha platform: west elevation (simplified)

Figure C2 Piper A Platform West Elevation

Figure D Simplified flow diagram of the emergency shutdown of the oil and gas pipelines

Figure E Simplified flow diagram of the condensate injection pumps

Figure F Layout of compressors and leak site

Figure G

Chernobyl

Introduction

This is a collation of written and verbal (unofficial) reports of the Chernobyl incident of 26th April 1986.
The analysis is given in good faith; its accuracy is not guaranteed, but it is believed to be accurate on the
evidence presented. History may prove some of the points to be inaccurate in fine detail but still basically
correct.

It must be noted that the RBMK reactor type (a graphite-moderated, water-cooled pressure-tube design)
was not used outside the Soviet Union. The RBMK was designed to squeeze the last drop of thermal
efficiency from the reactor and is potentially unstable and difficult to control below 20% load. Western
light water reactors such as the PWR are less efficient but are Inherently Safer.

Summary

Between 01.24 and 01.24 and 30 seconds (local time) on 26 April 1986 a massive steam explosion occurred
in the number 4 reactor of the Chernobyl power station in the then Soviet Union. In the immediate
aftermath 31 persons were killed, 29 of them by radiation; over 100,000 persons were evacuated locally
and thousands of square miles of land were declared unfit for agriculture. The cost of rehabilitation,
decontamination and encasing the reactor was of the order of 50 billion (1996 value). The subsequent
deaths were estimated at up to 10,000 over 40 years (in practice the ongoing evidence is that it will be
somewhat less than this); while this is a large number, it represents only about 5% of those who would
have died in the same period from the effects of natural background radiation in the then Soviet Union.

The incident occurred because of a gross break down of procedures while testing a safety improvement
(yes, a safety improvement).

Background

The RBMK 1000 is relatively primitive and would not be licensed in the UK (or elsewhere outside the
Soviet Union). The reactor was potentially unstable in some operating conditions, and the shutdown
system was slow in operation and not fully automatic.

The electrical grid system in Russia was (and still is) unreliable. It was essential that reactor cooling was
maintained, and there was a 15 second delay following a loss of electrical power before the stand-by
(diesel driven) emergency generators ran up to speed and synchronised. This delay was considered
significant, but it was believed that the rotational energy in the turbine/alternator could be converted into
electricity and give a short power back up of 30 to 45 seconds, bridging the 15 second gap mentioned
earlier.

The reactor was controlled by boron rods and moderated by graphite, with the water flowing through the
pressure tubes also affecting the neutron balance. In the RBMK 1000 most of the moderation was
provided by the graphite, but with a full equilibrium content of plutonium the core had a positive void
coefficient: if the steam fraction in the tubes increased, the local reactivity increased. This created the
need for a sophisticated local control system; the time constant was some seconds. The daughter
products, particularly xenon-135 and samarium, depended on the power history of the reactor. At high
power the concentration of these neutron-absorbing daughter products was reduced, so local neutron
fluxes and power could increase, intensifying any perturbation; this had a much longer time constant.

When shut down, the reactor has a heat output of about 7% of its pre-shutdown rate, due to the decay of
the fission products in the core. The products are a mixture, so there is no single half-life: the decay heat
falls from 7% at time zero to 0.4% after one day and 0.12% after a month. 7% of full load is about
200 MW, so cooling is essential for some time after shutdown. (Remember that the heat to electricity
conversion is of the order of 32%, so the heat output of a 1000 MW(e) power station is about 3200 MW(th).)

This residual energy was significant in the final clean up of the reactor.

The Incident

It must be re-emphasised that the incident occurred because there was an attempt to improve the safety
of the reactor! Unfortunately it was poorly controlled.

The build up to the incident will be described as a series of breaches of the defences in depth. These will
be numbered, with the timing or the lead time before the event given in square brackets thus [ ].

Loads as quoted are Thermal loads unless explicitly stated.

The reactor was Inherently Unstable, that is, not Inherently Safe [20 years lead; Breach 1]. It had to be
operated within closely controlled bands with a slow but sophisticated control system. These parameters
were clearly defined and the envelope was defined by a computer program. (The operators were given a
loaded gun with a hair trigger.)

A test programme for the tests on the emergency power system had not been drawn up, analysed and
agreed in the proper manner. [A change was proposed some months before the incident, but the
implications had not been fully analysed, the complications assessed, nor the guidance notes prepared and
approved by an independent authority; Breach 2, though within this there were probably at least 3 breaches.]

The operators were given a narrow time window within which to carry out the experimental programme
of testing the conversion of the rotational (kinetic) energy into power. This put them under some stress. In
preparation, 24 hours before the incident, the thermal load was reduced from 3200 MW to 1600 MW over
12 hours. This led to a growth of xenon-135 in the core, which affected the reactivity of the core and the
neutron flux distribution. The reactor was moving towards a potentially unstable zone.

At 14.00 on 25th April the emergency cooling system was disconnected from the forced circulation loop.
However, at the request of the grid controller, the reactor was not taken out of service [-11 hours; this
was a violation of regulations; Breach 3]. The emergency cooling system was not put back into operation.

At 23.10 on 25th April the power could not be reduced further; the reactor was very unstable and difficult
to control. [-2 hours; the reactor was operating in a dangerous regime and should have been shut down;
Breach 4]

At 01.00 on 26th April the reactor was stabilised at 200 MW (about 6% of full output). The operational
reactivity margin was very low and below that specified by regulation [-25 mins; the reactor was operating
in a prohibited regime and by regulation should have been shut down; Breach 5]. The reactor was also
poisoned by daughter products from the prolonged period of operation at low power, and this made
control very difficult.

It was decided to carry on with the tests. (This is not considered an additional breach, as there had
already been at least one violation of procedure.)

At 01.07 two reserve circulation pumps were started so that power could be restored after the tests. The
flow of coolant through the reactor was 8000 m³/h per pump [-15 mins; this flow was outside regulations
and was forbidden because of cavitation and piping vibration. It led to a change in the reactor parameters;
this was not a new violation, but it worsened the situation and catalysed the end result; Breach 6].

The actions above led to water levels below the emergency levels [-15 to -10 mins; Breach 7]. The
operators over-rode the emergency protective signals [-15 to -10 mins; Breach 8].

At 01.22 and 30 seconds the operator realised that the reactivity conditions and the availability of control
rods were unacceptable and that an immediate shutdown was called for, as the reactor was far outside its
operating envelope (the equivalent of at least 30 control rods should have been inserted but there were
virtually none); however the team decided to carry on with the tests [-1 min; a total violation of
procedure; Breach 9].

As a result of all these violations of procedure and instruction the reactor was now in a very unstable
condition, and it is worth reviewing the situation. At 01.19 on 26th April the operator increased the feed
water make up to restore levels. This reduced the steam voidage in the reactor, which reduced the
reactivity, and the automatic control rods moved up in response. Within 30 seconds those rods were fully
withdrawn and the operator then withdrew the manual control rods, so reducing the operational reactivity
margin. This led to the final outcome. By 01.22 and 30 seconds the reactivity margin was less than half the
minimum permitted level. Because of the breaches, the reactor was in an irregular condition.

By 01.22 the operator had reduced the feed water flow to the reactor significantly.

At 01.23 and 4 seconds the operator closed the stop valves on the turbine supplying the generator, starting the test.

When the turbine stop valves closed, the steam pressure started to rise but the water flow through the
reactor started to fall, as the circulating pumps were powered by the running-down alternator. (Remember
that the emergency cooling system had been isolated nearly 12 hours earlier.) In this condition any
increase in steam voidage increased the reactivity of the reactor and hence its power output. The
emergency shutdown was initiated at 01.23 and 40 seconds and the control rods were inserted. (It will be
remembered that many of the manual rods had already been withdrawn, which reduced the performance
of the shutdown system.) The rods did not fall fast enough, and the free-fall mode was initiated, but too
late.

Finale

Within 3 seconds the power output exceeded 530 MW (from the original 200 MW) and was doubling every
20 seconds. This increased the steam voidage and hence the reactivity further. The effect was that boiling
in the pressure tubes changed from nucleate boiling to film boiling, or in other words the cooling of the
fuel fell off rapidly. The fuel temperature rose rapidly and the pressure tubes ruptured because of thermal
weakening; water was injected into the hot core, producing violent steam generation which blew off the
reactor cap, and steam reacted with the zirconium tubes to produce hydrogen, which then also exploded.

Aftermath

It will be realised that the heat output from a nuclear reactor decays slowly; heat generation continued
until the decay heat of the fission products fell off. The hot mass produced a cloud of radioactive
particulates which entered the atmosphere and fell over a large area of northern Europe, including
Scotland. Most of the cloud missed Britain, but oddly one of the first indications of the disaster outside the
Soviet Union was a rise in the radioactivity detected on the air filters of an offshore oil platform. The news
finally broke some days later.

The first attempts to kill the source of particulates were to dump sand and clay onto the reactor from
helicopters, to act as a filter, and to cool the mass with liquid nitrogen. The helicopter pilots who dumped
the sand and clay received excessive radiation doses.

The rest is history.

Within Britain, statistically, about 4 persons will die from the doses received over the following 40 years. In
the same period over 10,000 will die from breathing, eating or otherwise being exposed to natural
background radiation. No one will be able to identify those 4 unfortunate persons, nor the other 10,000 for
that matter!

Postscript

I leave you to decide where the source of the errors lies. Was it:

Compliance?

Judgement (training/experience/procedure)?

Procedural?

Design?

Texaco Refinery Milford Haven July 1994

The report The Explosion and Fires at the Texaco Refinery, Milford Haven, 24 July 1994 (HSE Books, 1997)
is also a useful study, and is summarised in the LPB.

Amongst the recommendations are references to the use of simple mass balances!!!

H 2 Historic Events which are easier to analyse

So as to reinforce the message on learning from history, look at the photo above. It looks like a photo of a
rising mist cloud in a valley at dawn. Do not assume anything. It is a photo of a release of liquid ammonia.
If you were in this cloud, to put it simply, you are dead!

What were the causes and who was responsible?

Was it a civil engineering issue where there was differential settlement resulting in a break in the pipe?
Should the Civil Engineer have specified the support?

Was it a piping issue where the pipe was over pressured? Did the Mechanical Engineer specify the pipe
thickness for the maximum credible pressure?

Was it a corrosion issue? Did the Corrosion Engineer specify the correct corrosion protection?

Was it sabotage? Why was the pipe not patrolled, or better still trenched and marked?

Was it dug up by a plough? Why was it not trenched properly and marked, so that the farmer knew where
it was located? (The farmer should know all about it and the limits imposed on his operations. He is paid a
way leave for the use of his land!)

All these are simple issues but vital Management issues!

Thanks are due to JR Taylor for this photo


Incident Studies

Incident studies are useful in highlighting human factors, management issues, inter-disciplinary
engineering issues and basic engineering.

IT IS OF FUNDAMENTAL IMPORTANCE THAT THE CORRECT MESSAGES OF THE INCIDENTS ARE
TRANSMITTED. DO NOT LINGER ON THE EVENT ITSELF.

One of the richest sources of incidents is maintenance or upset conditions. Entry to enclosed spaces
and welding are obviously another source of rich pickings, but upset conditions are one of those conditions
where there is a stressful situation and action has to be taken quickly and correctly. This requires thinking
on one's feet.

The studies are divided into five homes:

Entry

Fires and Explosions

Maintenance

Upset

Others

Some could be considered to straddle two possible homes.

The studies include some background as well as the safety teaching points. The background could be
suppressed if the student is trying to solve the problem and then reintroduced at the conclusion. The
teaching points and answers to questions can also be suppressed and used as a check against the detail of
the investigation.

Preparation.

Slip Plates

In a number of incidents reference will be made to the use of a slip plate as shown below. Essentially it is a
blank sheet of metal inserted and held by tight bolts between two flanges. It is also called a positive
isolation as NOTHING can flow down the line into the workplace. It has to leak to atmosphere.

Preparation of equipment for maintenance which may have contained hydrocarbons

It is a standard practice to steam out equipment (including vessels) to remove the more volatile
hydrocarbon components or to displace toxics.

The elevation in temperature and the steam flow is usually sufficient to remove MOST flammable
materials BUT it does NOT guarantee that there are no traces of low volatility materials to be found later,
particularly when the system is disturbed or heated (see incident 1.4 and the HSE report - Fires and
Explosions at BP Grangemouth - HSE Investigation.)

Some simple flash calculations on a multi-component mix will illustrate this. It is only simple equilibrium!!!

In effect the lighter (low molecular weight) hydrocarbons will be boiled off. However in the case of heavy
films and also thick deposits there is a mass and heat transfer issue which will limit the efficacy of the
steaming process. The heat flow through the deposit may be poor and then there has to be mass transfer,
such that high molecular weight materials are still left within the film/deposit. In crannies there is also a
limiting diffusion process, so cleanliness is not necessarily assured and deeper in the layer there may still
be harmful materials. Superficial tests may pass the acceptance criteria but the environment may change
with time.

In effect the flash point of the material may be 100°C BUT this does not guarantee that it will be
non-flammable if heated to well above 100°C. (The flash point is that temperature at which the vapour
pressure of the material is such as to JUST produce a flammable atmosphere at the lower flammable limit.)
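As an added worked example (not part of the original notes), the Python script below strips a constructed three-alkane film with steam at 100°C using Raoult's law and then finds the flash point of what is left. The Antoine constants are approximate literature values; the film composition, the quantity of steam and the LFL figures are assumed.

```python
"""Steam-stripping a hydrocarbon film: ideal (Raoult's law) model.

Added illustration, not from the original notes.  Antoine constants are
approximate literature values (log10 P[bar] = A - B/(T[K] + C)); the film
composition, the steam quantity and the LFL figures are assumed.
"""

P_ATM = 1.01325  # bar

# name: (A, B, C, molar mass g/mol, lower flammable limit as a volume fraction)
COMPONENTS = {
    "n-hexane":     (4.00266, 1171.530,  -48.784,  86.2, 0.011),
    "n-decane":     (4.07857, 1501.268,  -78.670, 142.3, 0.008),
    "n-hexadecane": (4.17312, 1845.672, -117.050, 226.4, 0.005),
}


def vapour_pressure(name, T):
    """Antoine vapour pressure (bar) of a pure component at T (K)."""
    A, B, C, _, _ = COMPONENTS[name]
    return 10.0 ** (A - B / (T + C))


def equilibrium_vapour(liquid, T):
    """Volume fraction of each hydrocarbon in gas at 1 atm over `liquid` (moles)."""
    total = sum(liquid.values())
    return {c: (n / total) * vapour_pressure(c, T) / P_ATM for c, n in liquid.items()}


def steam_strip(film, T=373.15, steam_moles=10.0, steps=10000):
    """Pass `steam_moles` of steam over the film at T; return the residue (moles).

    Each increment of steam leaves saturated with hydrocarbon, so it carries off
    y_i / (1 - sum(y)) moles of component i per mole of steam (explicit Euler steps).
    """
    residue = dict(film)
    d_steam = steam_moles / steps
    for _ in range(steps):
        if sum(residue.values()) <= 0.0:
            break
        y = equilibrium_vapour(residue, T)
        y_hc = sum(y.values())
        if y_hc >= 1.0:
            raise ValueError("film would boil outright; carrier-gas model does not apply")
        for c in residue:
            residue[c] = max(0.0, residue[c] - y[c] / (1.0 - y_hc) * d_steam)
    return residue


def lfl_of_vapour(vapour):
    """Le Chatelier mixing rule: LFL of the hydrocarbon part of the vapour."""
    total = sum(vapour.values())
    return 1.0 / sum((v / total) / COMPONENTS[c][4] for c, v in vapour.items())


def flash_point(liquid, lo=250.0, hi=600.0):
    """Temperature (K) at which the equilibrium vapour just reaches its LFL (bisection)."""
    def excess(T):
        vap = equilibrium_vapour(liquid, T)
        return sum(vap.values()) - lfl_of_vapour(vap)

    for _ in range(60):
        mid = 0.5 * (lo + hi)
        lo, hi = (lo, mid) if excess(mid) > 0.0 else (mid, hi)
    return 0.5 * (lo + hi)


def mass_g(liquid):
    """Mass of a liquid mixture given in moles."""
    return sum(n * COMPONENTS[c][3] for c, n in liquid.items())


if __name__ == "__main__":
    # Constructed film: 30/30/40 mol% hexane/decane/hexadecane
    film = {"n-hexane": 0.3, "n-decane": 0.3, "n-hexadecane": 0.4}
    residue = steam_strip(film)            # 10 mol of steam at 100 C
    for c in film:
        print(f"{c:13s} {film[c]:.3f} -> {residue[c]:.4f} mol")
    print(f"mass left after steaming: {100 * mass_g(residue) / mass_g(film):.0f}%")
    print(f"flash point before: {flash_point(film) - 273.15:.0f} C, "
          f"after: {flash_point(residue) - 273.15:.0f} C")
    hot = equilibrium_vapour(residue, 423.15)   # residue warmed to 150 C by hot work
    print(f"at 150 C the vapour is {100 * sum(hot.values()):.1f}% v/v "
          f"against an LFL of {100 * lfl_of_vapour(hot):.2f}%")
```

The light end goes in the first fraction of the steam, the residue keeps most of the film's mass and has a flash point near 90°C, yet warming it to 150°C puts the vapour well above its LFL.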

Air Tests

Air in confined spaces COULD be oxygen deficient and contain potentially harmful agents. Is the sample
representative of the whole? Do you know what might be in the air? How do you test for these? Can the
conditions change with time and human activity?


1 ENTRY

Incident 1.1 Vessel entry at a major shut down

The incident

Figure 1.1 shows the simplified line diagram of a gas contactor (the plant is no longer there!).

Figure 1.1 Gas Contactor simple P & ID

Two oil recirculations, the lower one by hot oil at 150°C and the top one by oil at 50°C, contact hot gases.
The lower section is co-current over disc and doughnut plates and the top is counter-current over
standard trays.

The plant was to be inspected during a major overhaul and as part of the preparation the internals of the
contactor were steamed by passing hot steam at 150°C for 6 hours in at point A and then displacing the
steam by nitrogen at the end of the 6 hours. The nitrogen was displaced by the chimney effect through
air entering at the lower manhole (MH) and leaving at the top manhole (MH).

All process lines were sealed after the system had cooled by metal plates known as slip plates (as above)
on the contactor side of every valve flange as shown. Air tests for oxygen and flammables were taken at
the man holes top and bottom as shown. The oxygen samples at the manholes were 20.8% v/v and the
flammables were not detectable (N/D).

Question 1.1.1

Can a safe entry be made to every part of this contactor? You have to issue the entry permit.

Answer 1.1.1

NO! The air flow between the two manholes only displaces nitrogen in the vertical section of the
contactor. The section from the inlet, mid way up the column, to A is potentially a dead pocket which
could still contain nitrogen. The author of this document made that entry and suddenly realised the error
of his own judgement as he looked at the slip plate at the top of the dead pocket at A and asked: what
was the last fluid in here? NITROGEN! That was the fastest exit ever made! In reality the nitrogen HAD
been displaced during the fitting of the slip plate. This was confirmed by repeat air tests done under the
correct controls.

Question 1.1.2

Why displace the steam with nitrogen - both are inert?

Answer 1.1.2

1. Steam will condense and the vacuum so produced could collapse the vessel; steam has to be
displaced by a non-condensable. It is important to understand the physical properties of the
fluids being handled.
2. Entry into a wet space is very unpleasant!!

Key Safety teaching points

1. Entry into confined spaces is hazardous at the best of times. It was one task that I treated VERY
seriously. It could be my last task on this earth!!!
2. Has a full risk assessment been carried out? (A Risk Assessment had been carried out in this case
but it was incomplete.)
3. Has the atmosphere in the confined space, where persons might be, been checked very carefully
for oxygen levels, flammability and toxics and, increasingly, nuclear debris? This will mean at least
multi-point sampling. (The atmosphere had been tested but not at the place where the
inspection took place.)
4. Could the environment change over time as a result of the work carried out?
5. Are there any dead pockets (as above)?
6. Agitators or other mixing devices must be made safe, that is, mechanically and/or electrically
isolated. Humans do not mix well! Sorry for the pun.
7. There may be sharp edges in the enclosed areas such as vortex breakers and weirs.
8. The route in and means of emergency exit should be reviewed. Should there be a harness and
rope through a pulley plus a stand-by man? How does the person make an exit if there is a trailing
line for breathing air? It could get tangled on fixed internals.
9. The internals should be physically isolated to prevent harmful materials entering the confined
space either from leaking valves or just atmospheric movement (from spills). Valve isolation is not
acceptable; physical disconnection is, but better still with slip plates.
10. Conditions may not be as expected or may change with time/operation in the space; contingency
plans must be in place. For example how is dirt in hidden pockets or behind weirs addressed?
11. The air flow regime in a vessel has to be fully comprehended.
12. It is important to understand the physical properties of the fluids being handled.
13. Pockets behind weirs can be traps for hazardous gas/fumes (see 4 & 10 above).
14. How does the inspector get out in an emergency on site, on plant or in the enclosed space?
15. Plan! Plan! Plan! It may be your life that is lost!!!!

Incident 1.2 Asphyxiation

The incident

This is a true story that seems to occur more frequently than it should.

A vessel had been purged with nitrogen and then opened up in readiness for inspection by opening a
manhole on top of the vessel. At that point no gas tests had been taken and no entry permit issued. The
vessel looked clean from inspection through the manhole so a very experienced Supervisor and Engineer
decided to check the vessel for evidence of corrosion. The Engineer entered the vessel while the
Supervisor stayed outside. After about 5 minutes it was decided to inspect the seats of two large valves at
the base of the vessel to ensure that there was no wear. The Supervisor, who was outside, opened one of
the valves and the engineer lost consciousness within seconds. The Supervisor raised the alarm and
entered the vessel where he too lost consciousness.

Question 1.2.1

Why might this have occurred?

Answer 1.2.1

There was an unauthorised and uncontrolled entry into a vessel. No tests had been carried out and no
permit issued.

There was a trap of nitrogen behind the valve. The oxygen level in the vessel fell below 10% and the
Engineer lost consciousness.

Question 1.2.2

Why did this occur?

Answer 1.2.2

The Engineer had broken a golden rule. Do not enter a confined space without a permit.

There was a breach of discipline which could have been fatal.

Outcome 1.2

The Supervisor was reduced to the ranks and the Engineer was dismissed on the spot!

Question 1.2.3

Would you have dismissed the Engineer?

Answer 1.2.3

This is a difficult call but breach of safety discipline cannot be tolerated.

Sadly to relate, I knew one excellent supervisor (Willy de B) who decided to do a quick
inspection of a vessel purged with nitrogen by putting his head through a manhole. He
collapsed inwards and died; that is why I typed "knew". Do not try it!

Key Safety teaching points

See the teaching points in 1.1

Incident 1.3 It was done correctly.

The incident

A vessel had to be cleaned out on routine to remove heavy oil mixed with solid materials which might
release hydrocarbons when disturbed. The vessel was slip plated and steamed out. Entry was carried out
using breathing air and flame proof clothing. The tools used were non-sparking phosphor bronze. The
work site was air tested every 15 minutes for traces of hydrocarbon which might have been released
during the cleaning process. It was a very uncomfortable clean-out, hot and slow due to the nature of the
entry conditions applied and tools used (soft phosphor bronze) - but it was safe.

Question 1.3.1

Was this excessive protection?

Answer 1.3.1

NO! It was carried out over 100 times and no-one was injured.

Key Safety teaching points

See the teaching points in 1.1

Incident 1.4 It was not done correctly (Same Company and 200 m from study 1.3)

The incident

A vessel was cleaned out on routine to remove traces of a latex rubber. The tank was slip plated and
steamed out. The entry was made without breathing air or non-flam clothing and the tools were not
non-sparking. The site was not inspected on routine for traces of hydrocarbon which might be disturbed
during the cleaning process.

There was a fire/explosion in the vessel, one person was killed and another seriously burned.

Question 1.4.1

How did this happen?

Answer 1.4.1

The latex was being disturbed by the digging/cleaning process. Any gas (butadiene in this case) trapped or
dissolved in the latex would be released and a flammable cloud could have been generated. The ignition
source was probably friction or impact from shovels but it is JUST possible that there was a cigarette
involved. The ignition source was not identified with certainty.

Key Safety teaching points

See the teaching points in 1.1


Incident 1.5 Again and this time it was done correctly

A vessel was prepared for entry with slip plates and then by boiling water in the vessel using live steam
(a steam lance put under the water). After two hours a flammable gas test was taken and traces of
hydrocarbon (5% of the lower flammable limit) were detected at a line of scum on the vessel wall. (See
the notes on diffusion/mass transfer earlier). Entry was carried out with full body and lung protection and
the area where the gas was detected was scrubbed down until gas could no longer be detected. Then the
internal inspection was carried out safely without lung and body protection.

Incident 1.6 Trapped in a vessel.

The fire at Kinneil: see Fires and Explosions at BP Grangemouth - HSE Investigation (HSE Books). The
ignition source was a cigarette. This probably emphasises the need to monitor the work place against
deviation from the stipulated precautions.

Incident 1.7 Asphyxiation in a scrap vessel

The Incident

This is a true story that seems to occur more frequently than it should.

An old, rusty, carbon steel vessel fitted with loose blanks on all branches and manholes was found on a
dump. The vessel had not been operated for some years. It was decided to re-use the vessel, so, it was to
be internally inspected by two engineers. Within 10 seconds of entry the two engineers lost
consciousness.

Question 1.7.1

Why did this happen?

Answer 1.7.1

The clue is in the word rusty. The vessel was in a dump so it was not considered that a full air test was
required. It should have been; the message is assume nothing. Air in the vessel had reacted with the
wet steel to produce rust. The inspectors entered a vessel which was oxygen depleted and lost
consciousness.

4Fe + 3O2 = 2Fe2O3

Doh!!!!!!
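To put a figure on this, here is an added example (not part of the original notes) of how much rust it takes to strip the oxygen out of a closed vessel. The vessel size and the rust film thickness are constructed; rust is treated as a dense Fe2O3 film, so the answer is indicative rather than exact.

```python
"""Oxygen consumed by rusting inside a closed vessel.

Added illustration, not from the original notes.  Uses the balanced reaction
4 Fe + 3 O2 -> 2 Fe2O3 (1.5 mol O2 per mol of rust).  The vessel and the rust
thickness are constructed; rust is modelled as a dense Fe2O3 film, whereas real
rust is hydrated and porous, so the figures are indicative only.
"""
import math

R = 8.314                  # J/(mol K)
FE2O3_MOLAR_MASS = 159.69  # g/mol
FE2O3_DENSITY = 5.24       # g/cm3
O2_IN_AIR = 0.209          # volume fraction
O2_PER_FE2O3 = 1.5         # from 4Fe + 3O2 = 2Fe2O3


def gas_moles(volume_m3, T=293.15, P=101325.0):
    """Moles of gas in the vessel (ideal gas)."""
    return P * volume_m3 / (R * T)


def rust_moles(area_m2, thickness_mm):
    """Moles of Fe2O3 in a uniform film over the internal surface."""
    volume_cm3 = area_m2 * 1.0e4 * thickness_mm / 10.0
    return volume_cm3 * FE2O3_DENSITY / FE2O3_MOLAR_MASS


def oxygen_fraction_after_rusting(volume_m3, area_m2, thickness_mm, T=293.15):
    """O2 volume fraction left in the gas once the rust film has formed."""
    n_gas = gas_moles(volume_m3, T)
    n_o2 = O2_IN_AIR * n_gas
    used = min(n_o2, O2_PER_FE2O3 * rust_moles(area_m2, thickness_mm))
    # the consumed oxygen leaves the gas phase, so the denominator shrinks too
    return (n_o2 - used) / (n_gas - used)


def rust_thickness_for_oxygen(volume_m3, area_m2, target_fraction, T=293.15):
    """Film thickness (mm) that brings the O2 fraction down to target_fraction."""
    if target_fraction >= O2_IN_AIR:
        return 0.0
    n_gas = gas_moles(volume_m3, T)
    n_o2 = O2_IN_AIR * n_gas
    # solve (n_o2 - u) / (n_gas - u) = f for the oxygen consumed, u
    used = (n_o2 - target_fraction * n_gas) / (1.0 - target_fraction)
    volume_cm3 = used / O2_PER_FE2O3 * FE2O3_MOLAR_MASS / FE2O3_DENSITY
    return volume_cm3 / (area_m2 * 1.0e4) * 10.0


def horizontal_cylinder(diameter_m, length_m):
    """(volume m3, internal surface m2) of a closed cylindrical vessel."""
    r = diameter_m / 2.0
    return math.pi * r * r * length_m, 2.0 * math.pi * r * (length_m + r)


if __name__ == "__main__":
    vol, area = horizontal_cylinder(2.0, 5.0)   # constructed scrap vessel
    print(f"vessel {vol:.1f} m3, internal surface {area:.1f} m2")
    for thickness in (0.02, 0.05, 0.10):
        o2 = oxygen_fraction_after_rusting(vol, area, thickness)
        print(f"rust film {thickness:.2f} mm -> {100 * o2:.1f}% O2")
    print(f"down to 10% O2 needs {rust_thickness_for_oxygen(vol, area, 0.10):.3f} mm of rust")
    print(f"all oxygen gone at   {rust_thickness_for_oxygen(vol, area, 0.0):.3f} mm of rust")
```

For a 2 m by 5 m vessel a rust film of under a tenth of a millimetre, about the thickness of a sheet of paper, is enough to consume every mole of oxygen inside.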

Question 1.7.2

What would you do in these circumstances?

Answer 1.7.2

There is only one answer: carry out the risk assessment and air test any enclosed space system however
simple it might be. How do you know whether heavy gases have lodged in a low point or light gases
in high points?

Key points for teaching with entry to confined spaces:

See the teaching points in 1.1

It is essential that the atmosphere into which any one might enter is tested for flammables, toxics and
oxygen deficiency.

The zone must be free of moving parts and if possible sharp edges.

Where possible overhead debris should be removed; this might influence the order of entry, top to
bottom and not the other way round.

How does the inspector get out in an emergency?

In general entry to confined spaces is the most dangerous activity that most engineers will undertake. It
has many potential unknowns which have to be analysed with care and a FULL RISK ASSESSMENT
carried out. Remember the last fluid in the system was either a process fluid or an inert fluid; neither
is life supporting!!!!

2 FIRES AND EXPLOSIONS

Study 2.1 An explosion in an oil slops storage tank.

The incident

Figure 2.1 shows a simplified diagram of the equipment. The tank collects thick oil spills and some traces
of water. The tank is heated to about 50°C by an electric heater bolted into the tank and is
thermostatically controlled (on/off) by a circuit breaker, CB2, from an integral thermocouple, TC1. The oil and
water are pumped to further storage by pump 1 under level controller, LC1. The tank is inerted with nitrogen
through a Pressure Controller, PC1, which vents to atmosphere through a flame arrestor, FA. The electrical
heater is independently shut off (CB1) if 1) the pressure in the tank falls below a critical level (PAL) and 2)
if the level falls below a critical level which might expose the heating elements (LAL).

A flame arrestor is basically a spiral, corrugated coil of thin metal. The triangular gap between the
corrugations is designed for the likely gases involved and is known as the quenching diameter. The
pressure drop is very low. It can be assumed that the arrestor was fit for purpose.

During the start-up phase nitrogen from the site inert gas generator was not available, so nitrogen
bottles were used; the inert gas generator was to be used once the plant was up and running.

About 1 year after the start-up there was a violent explosion in the tank. The electrical heater was ejected
with such violence that it damaged the structural steel on which it impacted. The likely over-pressure was
about 4 barg. (This was assessed from the UTS [ultimate tensile strength] of the steel and the root area of
the bolt threads of the restraining bolts.)

Figure 2.1

Question 2.1

You are the investigating team. What do you think might have been the causes of this event? You may ask
your tutor for more information should you wish.

Clues to be offered by the tutor if asked:

1. On inspection of the nitrogen connection the paint was undisturbed. That is the nitrogen bottles
had not been used and the site inert gas had not been connected.
2. A function test of the electrical shut off protection showed that it was by-passed.
3. The pressure differential across the flame arrestor was too low to allow the pressure controller to
function correctly. Even at full flow of inerting medium the differential pressure would be low
and register low pressure on PAL.
4. The pressure differential across the flame arrestor was too low to permit the low level pressure
cut off (that is the control system would be keeping the tank in the shutdown condition even if
there was an inert gas flow. That is, the design was not fit for purpose.) It was therefore
permanently in the shut-off condition and had to be inhibited by the start-up crew who did not
understand its function.

Answers 2.1 & possible Causes

1. There was a deviation from the design intent.
2. The actual design was flawed (the pressure differential could not be established to activate the
pressure switch and allow the pressure controller to function correctly).
3. The process had not been subjected to a HAZOP. If it had been, the low pressure question would
have challenged the ability to establish a pressure differential across a flame arrestor, which, by
design intent, has a low pressure differential. A small STEADY purge of nitrogen would have been
enough to inert/blanket the tank.
4. The operations department carried out an unauthorised and unchecked change. There was no
Management of Change inside the Company; there is now!
5. The tank had drained, so exposing the electrical heater elements and the thermocouple. The oil
overheated and an explosive atmosphere was established. This ignited on the hot heater element.

Background

1. Fuel + air + ignition = Fire or Fuel + air + ignition = Bang

Key points for teaching.

1. Change of design intent requires a rigorous analysis: a management of change procedure.
2. Had a HAZOP been carried out? (NO!)
3. Was the design intent valid/workable? (NO!)
4. Was the shutdown system tested on routine? (NO!)
5. Did the start-up crew understand the function of the various elements and have operating
instructions? (NO!)

This was an accident waiting to happen.

A hot water heater is an inherently safe heating medium.

See also Fires and Explosions at BP Grangemouth - HSE Investigation. (HSE Books)

1. Here a shutdown had been cut/bypassed, so invalidating a low level cut-off which eventually led
to a vessel rupture.

2. There was no function testing routine (or else the shutdown bypass would have been identified).

3. Someone, somewhere made an unauthorised change to a protective system. It is quite possible
that it was done with the best intentions but tell that to the widow of the person who was
killed!!!!

4. The analysis of the FDT/PFD of the protective system suggested that the event should have
occurred some years earlier. There was also one common cause or common mode failure: wax in the oil!!!!

5. The performance of the protective system had not been formally assessed.

This is a useful study which shows how things can drift without strict Management controls

Study 2.2 An explosion in a tank

The incident

Dudgeons Wharf (1969): synopsis of the Public Enquiry, HMSO

A redundant storage tank was being removed from the site. It had previously contained hydrocarbon oil,
similar to turpentine, which could create a gummy material deposit. The chosen method for size reduction
was by flame cutter (oxy-acetylene torch). The tank was prepared for size reduction by steaming out for 24
hours to steam strip any hydrocarbons from the internal surfaces. (See the notes on the limitations of
the steaming process). Once the cutting process had started flames were seen at the cut site and the open
manhole on the tank roof. The flames were put out with a water jet.

The internal cleanliness of the tank was not clear but the evidence of the flames strongly suggested that
there was gummy material on the walls/roof. As a means to checking the internal cleanliness the bottom
manhole in the tank was opened by flame cutting off the bolts. There was a violent explosion which blew
off the roof, so killing 6 persons.

Question 2.2.1

Why did this happen?

Had a Hazards Study 7 been carried out? NO!

Answer 2.2.1 & Causes

1. The tank had been prepared in some manner but a full risk assessment of the extreme conditions
had not been carried out. It is likely that the gas tests had not been taken at the walls (see 1.5)
2. The heat of the flame cutter on the bolts would have vaporised some hydrocarbon and probably
created a localised flammable cloud in the tank around the hot manhole.
3. The cloud was probably ignited by the hot metal (auto-ignition) or by the flame itself.

Note: flames had been seen previously when cutting the roof, so it is a highly credible explanation, but the
demolition crew just did not have the experience to make the correct deductions.

As these tanks can only sustain a pressure equivalent to about 25 cm of water before the roof blows off, the
hydrocarbon explosive charge may only be about a kilogram. A simple Boyle's law calculation will prove
this.
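The Boyle's law calculation, as an added example that is not part of the original notes: a tank volume of 2000 m3, a turpentine-like fuel (C10H16) and an eightfold expansion of the burnt gas are assumed.

```python
"""Fuel needed to blow the roof off a low-pressure storage tank.

Added illustration, not from the original notes.  A burning pocket of
stoichiometric vapour/air expands about E times at constant pressure; trapped
in the fixed tank volume that expansion raises the pressure by Boyle's law.
Tank size, the fuel (a turpentine-like C10H16) and E are assumed.
"""

P_ATM = 101325.0    # Pa
R = 8.314           # J/(mol K)
RHO_WATER = 1000.0  # kg/m3
G = 9.81            # m/s2


def roof_lift_pressure_pa(head_cm_water):
    """Overpressure (Pa) equivalent to a head of water given in cm."""
    return RHO_WATER * G * head_cm_water / 100.0


def burnt_pocket_volume_m3(tank_m3, delta_p, expansion=8.0):
    """Volume of stoichiometric mixture whose combustion raises the tank by delta_p.

    Boyle: P_atm * (V + (E - 1) * v) = (P_atm + delta_p) * V
           =>  v = V * delta_p / (P_atm * (E - 1))
    """
    return tank_m3 * delta_p / (P_ATM * (expansion - 1.0))


def stoichiometric_fraction(carbon, hydrogen, o2_in_air=0.209):
    """Volume fraction of CxHy in air for complete combustion to CO2 and H2O."""
    o2_needed = carbon + hydrogen / 4.0
    return 1.0 / (1.0 + o2_needed / o2_in_air)


def fuel_mass_kg(tank_m3, head_cm_water, carbon=10, hydrogen=16,
                 molar_mass=136.2, T=293.15, expansion=8.0):
    """Mass of fuel vapour in the pocket that just lifts the roof."""
    delta_p = roof_lift_pressure_pa(head_cm_water)
    pocket = burnt_pocket_volume_m3(tank_m3, delta_p, expansion)
    fuel_m3 = pocket * stoichiometric_fraction(carbon, hydrogen)
    moles = P_ATM * fuel_m3 / (R * T)          # ideal gas at tank temperature
    return moles * molar_mass / 1000.0


if __name__ == "__main__":
    tank = 2000.0  # m3, constructed
    dp = roof_lift_pressure_pa(25)
    print(f"roof lifts at {dp:.0f} Pa")
    print(f"burning pocket needed: {burnt_pocket_volume_m3(tank, dp):.1f} m3 "
          f"({100 * burnt_pocket_volume_m3(tank, dp) / tank:.2f}% of the tank)")
    print(f"fuel vapour in that pocket: {fuel_mass_kg(tank, 25):.2f} kg")
```

A pocket of a few cubic metres of flammable mixture, holding well under a kilogram of vapour, is enough; the rest of the tank can be perfectly clean.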

At best this could be classified as incompetence but it is not unlike any demolition site where the details of
the tank conditions are vague, particularly if the previous owner has no longer any interest in it.

There is now a requirement to write a safety case for demolition. This may be more difficult than you
think! However the previous owner still has a duty of care to ensure a safe hand-over to the demolition
crew.

Question 2.2.2

Could this happen again?

Answer 2.2.2

It has! However for large scale demolition work there has to be a safety case, the reverse of the safety
case required before operation can commence. The case should explain how the size reduction is to take
place, the potential hazards, the precautions to be adopted and other safety procedures to be put in place.
The case should also address the final disposal of materials. If materials have to be dumped the case will
have to address topics such as ground water contamination and if steel is to be recycled the case should
address the cleanliness requirements. This is not as difficult as it might seem, it is a case of recording the
well established procedures and then following them!

Question 2.2.3

How could it be prevented?

Answer 2.2.3

Yes, it can. The measures can be summarised as follows:

1. There is a duty of care on the previous owner to ensure that all relevant details on cleanliness and
latent risks associated with redundant equipment are handed over to the demolition crew (Safety
Case for Demolition). Do not expect the demolition crew to understand or investigate the possible
hazards of the equipment that they are due to demolish.
2. Steaming is not very effective for multi-component products but there are now nitrogen based
foams which are very effective in inerting cutting sites. One cut on a major oil pipeline was carried
out using these foams. The cut was done quickly and safely.
3. There is always the possibility of small traps of material behind weirs or even in down comers in
distillation columns which may be ignited inadvertently. Physical inspection using the appropriate
entry requirements (breathing air and flameproof clothing) may be required before any cutting is
allowed.

This type of incident is more common than might be expected. A review of Hazard Databases shows that it
occurs with regularity, more so in vessels with a weir. Weirs are a common means of separating two liquid
phases and flammable debris may still be found on the far side of the weir. Once a cut or weld is
attempted the materials behind the weir ignite and a prompt exit is necessary!!!

Background

There have been many fires and explosions in storage tanks which have contained hydrocarbons. The
messages are still valid as fatalities occur from this cause even today.

Key points for teaching.

1. Fuel + air + ignition = Bang
2. Can you be sure that the RISK ASSESSMENT will cover ALL areas within the confined space? If not
there may be a hidden tiger waiting to pounce on you!
3. Can the local conditions or requirements laid down in the Permit to Work (PtW) change with time?
4. The working environment must be monitored regularly.
5. If the conditions change ALL work MUST stop at once!
6. Demolition is a dangerous event, possibly more so than operation. It must be done under
rigorous control and supervision.


Incident 2.3 29/7/12 in the press

On 29/7/12 someone decided to split a 45 gallon drum lengthwise to make a barbecue. The cutter was a
rotary disc. The drum exploded and the person using the cutter was fatally injured. He will not do that
again!

Incident 2.4 Unpredicted explosions in crude oil tankers (1970s)

The incident

Photograph: Kong Haakon after the explosion

Photograph: Marpessa, Mactra and Kong Haakon

Oil tankers are usually cleaned out using high pressure water jets. This removes residual oil which is then
separated elsewhere. The tank is also inerted using exhaust gases from diesel driven machinery as a
flammable mix is more than likely within the tank during the cleaning process.

About 40 years ago the three super tankers, owned by the same company (house colours red and
yellow), Marpessa, Mactra and Kong Haakon, blew up near to the equator over an interval of about 2
weeks. They had been carrying crude oil and were returning under ballast. Many rumours were generated:
it was sabotage as they had delivered oil to South Africa during Apartheid, it was bandits, etc.!


Background

1. The tanks were inerted using waste gases from the diesel generator exhausts. This is an
inconvenience as the gases have to be scrubbed to remove sulphur oxides and particulates and
must be monitored for carbon monoxide (a toxic) and residual oxygen, which has to be less than
about 5% v/v.
2. The inert gas generator is a piece of process equipment which is difficult to appreciate and not
in the tanker crew's skills profile.
3. The generator is potentially a cost overhead which requires maintenance due to the corrosive SOx
in the exhaust gases.

Question 2.4.1

Why did this event occur on 3 tankers, owned by the same company, and in such a short time frame?

Answer 2.4.1

1. At the time it was far from clear what were the causes, but by reports from the crew it was neither
sabotage nor bandits. However, it appeared that for economic reasons or possibly as the Company
could not see the benefits, the inerting step had been removed from the storage tank cleaning
cycle but it was not subject to a Management of Change procedure. Further the inerting
equipment was bulky, required routine maintenance (a costly task) and the operation was not in
the skills base of mariners. It can be seen that there was a persuasive argument to drop this part
of the cycle.
2. Lightning is caused by static formation in the cloud as the droplets of water are re-circulated. It
can result in major charge accumulation as is seen from the lightning strike. It was NOT
THOUGHT that such a charge could accumulate in a tanker compartment as it was THOUGHT that
the charge generated by the cleaning spray would be too low (charge is proportional to the
droplet diameter) so as the droplets were small it was thought that the charge would be trivial.
3. A detailed study was carried out into static formation in sprays and it was found that smaller
droplets coalesced to form larger droplets (as in clouds! Surprise! Surprise!) and these larger
droplets COULD occasionally result in an incendive spark. So as to prove this point a rig was set up
simulating the cleaning operation and a polythene roof fitted. There were explosions in the rig:
case proved!
4. It is easy to be wise after the event but knowledge of the formation of lightning should have been
enough to make the operators of the tankers think carefully before stopping the inerting process.
The management of change had not been carried out.

Key points for teaching.

1. Changes can occur very easily if the rules for change (management of change) are not enforced
rigorously
2. Out of sight = out of supervision (or while the cat is away the mice will play!)


Who did not learn their lessons 30 years later???

Incident 2.4 Switch Filling

The incident

Road and rail tankers are used to distribute diesel oil and petrol to distribution centres and filling stations
round the country. Filling can be by bottom fill, feeding the material through a fitting on the base of the
tank. This involves lifting a hose and it carries the risk of back injury and, even worse, the hose is out of
sight and tankers can move off station without the hose being disconnected. However this filling
technique prevents the formation of static electricity by splash filling. Alternatively the filling can be by
top fill using a lance which reaches almost to the bottom of the tank. This filling process has the potential
to produce static electricity, particularly with high resistivity fluids such as diesel oil. Therefore during the
initial fill the flow rate is low (less than 1 m/s in the hose and lance) until the bottom of the lance is
covered by the fluid; once the lance is covered the risk of static generation is negligible. The rate and time
to cover the lance are programmed into the fill cycle and once sufficient fuel has been added to cover the
lance the fill rate is ramped up.

The tanker may have contained petrol or diesel prior to being filled. The cross contamination is
insignificant as far as the fuel is concerned but the barrel may contain flammable vapours.

A new set of jumbo tankers was brought into operation. The diameter of the barrels was very slightly
larger than the old ones and the length was about three times longer. The fill was controlled by the same
fill sequence, which was locked into the logic controller as described earlier, so it did not differentiate
between the two types of tanker.

After 3 months there was a fire in one jumbo tanker.

Question 2.4.1

Why should that be when the fill process had been applied safely for 20 years involving about a million
filling cycles?


Answer 2.4.1

The likely causes:

1. The records showed that the tanker had contained petrol before it was filled. The vapour space would
be flammable, containing mostly butane. The traces of petrol would not affect the specification
of the diesel.
2. The fill process was designed for the smaller tankers, such that at the end of the low flow part the
fill lance was not drowned in the jumbo tanker and a static regime was formed once the controller
went onto high rate fill. The extension needed to the low flow part of the fill cycle may have only been
a few minutes but that was enough.
3. It is likely that the operator did not understand the significance of low and high feed rates. (This
was the outcome of a safety study carried out by the author.)
4. Why was a Management of Change study not carried out? There was a change!!!!!

Key points for teaching

1. Bulk supplies of diesel oil and petrol are now distributed by rail. As the demand has increased the
capacity of the rail tanks has trebled such that there are now standard and jumbo tanks.
2. Hoses and the tankers are always electrically earthed to avoid static electrical charges.
3. Splash filling is a powerful source of static ignition. There are MANY reports of fires in metal
buckets used for sampling.
4. High velocity flow of low conductivity (high resistivity) fluids results in charge separation
leading to static ignition.
5. Wherever possible the tanks are re-filled with the previous material but occasionally it is necessary
to fill a tanker which previously contained petrol with diesel oil. Knowledge of the previous
contents is important in risk avoidance planning.
6. All changes, trivial or otherwise, MUST be subject to a MoC study.

Incident 2.5 Switch Filling

There is another example of an explosion created by a change in tanker body profile in LPB 209.

Incident 2.6 Static generated by transfer

A charge of volatile organic spirit was to be transferred from a storage tank into a 45 gallon drum. The
drum sat on a trolley fitted with nylon wheels. There were some difficulties in starting the flow from the
transfer pump; it appeared to be gas locked, that is, there was vapour in the pump body. After a few
minutes the flow was established and almost immediately there was an explosion in the drum; it split and
the operator was showered with ignited spirit. He died from his injuries.

Question 2.6.1

Why might this have occurred?

Answer 2.6.1

1. The churning of the transfer pump, before the flow was established, would have heated the spirit
and, equally important, it created an electrostatic charge in the fluid. The word spirit should have
alerted the operators to the possibility of a high resistivity fluid, which has a high static charge potential.
2. The drum was electrically insulated from earth by the nylon wheels. The filling hose was not
bonded or earthed, so as the spirit started to fill the drum there was a spark between the fill nozzle
(similar to a nozzle in a petrol filling station) and the drum which ignited the vapour created by the
hot, churned spirit. (The fill hoses in petrol stations are earthed.)

This is a fairly common problem and there are many (too many?) stories of drums or pails of spirit catching
fire when being filled.

Incident 2.7 - Displacement of air and compression ignition

Background

The flammable envelope for most flammable materials is fully defined. However, is it necessary to displace
all of the air when charging with a POTENTIALLY FLAMMABLE material such as diesel oil, where the ignition
temperature is about 200°C? YES! If the closed end of the pipeline is not opened the line pressure will rise
and at about 10 to 15 bar the temperature at the interface will reach auto-ignition temperatures; how
else does the diesel engine run?

The incident

A pipeline, 50 km long and operating at 30 bar, was being charged with a high flash point (volatile) fluid
with an auto-ignition temperature of 200°C. The main isolation at the far end of the line was closed but
there were facilities to vent the line and displace any air to a safe area when required. The operation of
the valve and venting process was carried out on the second or receiving plant following instruction from
the first or pumping plant. This operation had been carried out many times already. One day the pipeline
ruptured following an internal explosion.

Question 2.7.1

Was the procedure inherently safe?

Answer 2.7.1

1. The procedure was NOT inherently safe. It was highly reliant on the communication between the
two ends. See also the Buncefield Tank overflows.
2. Communication over a distance is at best poor. It can also be forgotten in the heat of the
operations.
3. The vent valve had to be opened to vent the air and also to avoid a high pressure within the
pipeline.
4. There had to be an established link between the two sites and a confirmed operation of the vent
valve. This has many forms but in simple terms it is an interplant permit where the supervisors
on both plants are signatories.

Question 2.7.2

What COULD go wrong and what might be the effect?

Answer 2.7.2

If the vent at the far end was left closed, as the pipeline was pressured the air plug would be compressed
and the temperature would rise. As the pressure at the fluid/gas interface reached 10 bar the
temperature, assuming adiabatic compression, would exceed 200°C; fluids could be vaporised at the
interface and then ignited by auto-ignition. If the charge is large enough the pipeline would be split (as it
was in this case). The pressure ratio in a confined explosion is about 8:1 so it would almost certainly result in
rupture of the piping.

There have been a number of such incidents. One was the destruction of a Coking Column when starting
up, and another is to be found in Frank Lees' book on Loss Prevention.
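
The adiabatic compression figure in the answer above, worked through as an added Python example (not the notes' own calculation). It assumes air as an ideal gas with a ratio of specific heats of 1.4, a start at 20°C and 1 bar absolute, and reversible adiabatic (isentropic) compression; it also computes the pressure at which the plug first reaches the quoted 200°C auto-ignition temperature, which the notes do not state.

```python
"""Temperature of a trapped air plug under compression (Incident 2.7).

Added example, not the notes' own calculation.  Assumes air as an ideal gas
compressed reversibly and adiabatically (isentropic).  That is the hottest
case: any heat lost to the pipe wall leaves the plug cooler, so a real
compression lies between this and the isothermal (no heating) limit.
"""
GAMMA_AIR = 1.4          # ratio of specific heats for air (assumed value)
KELVIN_OFFSET = 273.15


def compressed_temperature_c(pressure_ratio: float, t_initial_c: float = 20.0,
                             gamma: float = GAMMA_AIR) -> float:
    """Plug temperature (deg C) after isentropic compression by pressure_ratio.

    T2 = T1 * (p2 / p1) ** ((gamma - 1) / gamma), with temperatures in kelvin.
    """
    t1_k = t_initial_c + KELVIN_OFFSET
    return t1_k * pressure_ratio ** ((gamma - 1.0) / gamma) - KELVIN_OFFSET


def ignition_pressure_bar(ait_c: float, p_initial_bar: float = 1.0,
                          t_initial_c: float = 20.0, gamma: float = GAMMA_AIR) -> float:
    """Absolute pressure (bar) at which the plug reaches the auto-ignition
    temperature ait_c: the relation above inverted for pressure."""
    temp_ratio = (ait_c + KELVIN_OFFSET) / (t_initial_c + KELVIN_OFFSET)
    return p_initial_bar * temp_ratio ** (gamma / (gamma - 1.0))


def hot_enough_to_ignite(pressure_bar: float, ait_c: float,
                         p_initial_bar: float = 1.0, t_initial_c: float = 20.0) -> bool:
    """True when the plug at pressure_bar (absolute) is at or above the AIT."""
    return compressed_temperature_c(pressure_bar / p_initial_bar, t_initial_c) >= ait_c


def main() -> None:
    ait_c = 200.0                                # diesel oil AIT quoted in the notes
    print(f"plug reaches {ait_c:.0f} C at about {ignition_pressure_bar(ait_c):.1f} bar abs")
    for p_bar in (2.0, 5.0, 10.0, 15.0, 30.0):   # 30 bar: the pipeline operating pressure
        t_c = compressed_temperature_c(p_bar)
        flag = "ABOVE AIT" if hot_enough_to_ignite(p_bar, ait_c) else "below AIT"
        print(f"{p_bar:5.1f} bar -> {t_c:6.1f} C  {flag}")


if __name__ == "__main__":
    main()
```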

Key points for teaching

1. Communication between sites under common user is often at best awful, particularly with radio or
telephone.
2. Communication between two sites not under a common user is worse than awful.
3. Work involving two sites requires a written and doubly signed inter-plant work permit.
4. Who has overall control of the procedure???????? Who issues it and who receives it?
5. Ignore compression ignition and inerting at your peril!

3 MAINTENANCE

Study 3.1 A toppled crane

Background:

1. The plant handled cryogenic hydrocarbons.
2. World wide experience showed that cryogenic hydrocarbon leaks had caused a number of serious
incidents so a Gas Barrier Wall (GBW) was installed (Figure 3.1). This was 5 off 25 cm concrete
slabs (1.25 m in total). The height was not scientific but was called the psychological height of
attempt, that is, would you climb it in an emergency!? (The author of these studies ran over
hurdles which were 1.05 m high). Behind the wall were sections of steam pipe drilled with vertical
holes such that the upward momentum of the steam jets would entrain gas and air, diluting the
gas by momentum transfer. In addition an array of Gas Detectors was installed at an elevation
of 0.75 m - not good for the knees (Figure 3.1).
3. There was a plant rule, a Standing Instruction, that NO internal combustion vehicles were allowed
inside the GBW.
4. There was a second, but unwritten, plant rule that nothing was to be lifted over live, pressurised,
equipment.
5. A materials handling study had been carried out on a plant model which showed that all
equipment, control valves, pressure relief valves (PRVs) and pumps could be removed from the
plant using bogies, tracks and block and tackle. (The author of these studies was on that study).

The incident

Sometime in the life of the plant a pressure relief valve (PRV) has to be removed for inspection; this is
normal and is usually on a 2 yearly routine. There are two ways that it could be lifted down. The first is to
use the davits, as supplied, which was the design intent, but this will involve riggers. The second is to
remove the PRV by use of a crane.

In this case the plant handled cryogenic hydrocarbons and the global incidence of leaks made the
management fit a Gas Barrier Wall (GBW) around the plant. Inside the wall are hydrocarbon gas
detectors as shown in figure 3.1

Figure 3.1 The basis of a gas barrier wall in the text

The plant in question was not shut down, as can be seen from the general appearance (lack of scaffolding) and the
absence of other maintenance effort. (The photo of the plant will be made available after the inquiry.) You have to decide
which of the two removal methods is to be used, but it should be noted that there is a written Standing
Instruction (SI, WGO, PI) that internal combustion engines are NOT allowed inside the GBW.

The choice is open to debate. A swinging or dropped load on a davit is potentially a hazard if not
controlled/supervised properly as instruments could be damaged. In addition there will be riggers who do
not necessarily understand the process operations of the plant. A crane might seem to be an easy solution
but there was an historic, but unwritten rule that no lifts should be made over pressurised equipment.

Question 3.1.1

Which method would you choose?? You make the decision.

Answer 3.1.1

In reality the PRV was lifted off by a crane outside the GBW and as it did the crane toppled onto the plant;
this required a shut down for the recovery (photo below).

Question 3.1.2

Why did the crane topple?

The essential information is as follows:

1. The crane had a MAXIMUM lift of 15 tonne
2. PRV weighed 150 kg (that is the load on the hook)
3. Extended jib 35 m
4. Jib angle to the horizontal 30°
5. Weight of jib 1.75 tonne, treated as a uniformly distributed load
6. Crane weight 10 tonne
7. Outrigger spread 6 m
8. The outriggers were secure and did not sink into the ground
9. The crane was fitted with a load-on-hook alarm set not to exceed 1.5 tonne. Load on hook does not
convert to toppling moments.

Check the maths or insert your own values.

Answer 3.1.2

Using simple moments about the outriggers the crane was not at the tipping point until the load from the
PRV was on the hook. Photo 3.1 shows the outcome. The plant had to be shut down to effect a recovery of
the crane!! Nothing was gained!!!!

Note that once the crane starts to topple the moment arms and centres of mass will change and the
toppling rate will accelerate. The load on the hook has to be reduced immediately.
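
The moment check that Question 3.1.2 invites, as an added Python example (not the notes' own calculation). It assumes the jib pivot sits on the tipping line of the outriggers (a `pivot_offset_m` parameter lets the reader move it back towards the crane centre), that the crane body mass acts midway between the outriggers, and that the jib is a uniform beam; it also works out the largest hook load and the smallest jib angle at which this lift would have been stable, which the notes do not.

```python
"""Moment check for the crane lift in Study 3.1 (added example, not the
notes' own calculation).  Masses in tonnes, lengths in metres, moments in
tonne-metres taken about the tipping edge: the outrigger pads on the load
side.

Assumptions not stated in the notes:
  * the jib pivot sits directly above the tipping edge (pivot_offset_m = 0);
    a positive offset moves the pivot back towards the crane centre and
    shortens every lever arm, so other geometries can be tried;
  * the crane body mass acts midway between the outriggers, so its
    restoring lever arm is half the outrigger spread;
  * the jib is a uniform beam, so its mass acts at mid-length.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Crane:
    crane_mass_t: float          # body mass (notes: 10 tonne)
    jib_mass_t: float            # jib mass, uniformly distributed (notes: 1.75 tonne)
    jib_length_m: float          # extended jib length (notes: 35 m)
    outrigger_spread_m: float    # pad to pad (notes: 6 m)
    pivot_offset_m: float = 0.0  # horizontal pivot-to-tipping-edge distance (assumed 0)


# The figures given in Question 3.1.2.
PAGE_CRANE = Crane(crane_mass_t=10.0, jib_mass_t=1.75, jib_length_m=35.0,
                   outrigger_spread_m=6.0)
PAGE_JIB_ANGLE_DEG = 30.0
PAGE_HOOK_LOAD_T = 0.15          # the 150 kg PRV
PAGE_HOOK_ALARM_T = 1.5          # load-on-hook alarm setting


def horizontal_reach(crane: Crane, jib_angle_deg: float) -> float:
    """Horizontal projection of the jib from its pivot to the hook."""
    return crane.jib_length_m * math.cos(math.radians(jib_angle_deg))


def hook_radius(crane: Crane, jib_angle_deg: float) -> float:
    """Lever arm of the hook load about the tipping edge."""
    return horizontal_reach(crane, jib_angle_deg) - crane.pivot_offset_m


def overturning_moment(crane: Crane, jib_angle_deg: float, hook_load_t: float) -> float:
    """Moment trying to tip the crane: jib self-weight plus hook load."""
    reach = horizontal_reach(crane, jib_angle_deg)
    jib_arm = reach / 2.0 - crane.pivot_offset_m   # uniform jib: mass at mid-length
    hook_arm = reach - crane.pivot_offset_m
    return crane.jib_mass_t * jib_arm + hook_load_t * hook_arm


def restoring_moment(crane: Crane) -> float:
    """Moment holding the crane down: body mass at half the outrigger spread."""
    return crane.crane_mass_t * crane.outrigger_spread_m / 2.0


def stability_margin(crane: Crane, jib_angle_deg: float, hook_load_t: float) -> float:
    """Restoring minus overturning moment. Positive: stable; <= 0: the crane tips."""
    return restoring_moment(crane) - overturning_moment(crane, jib_angle_deg, hook_load_t)


def max_safe_hook_load(crane: Crane, jib_angle_deg: float) -> float:
    """Largest hook load (t) at this jib angle before the margin reaches zero."""
    spare = stability_margin(crane, jib_angle_deg, 0.0)
    return max(0.0, spare / hook_radius(crane, jib_angle_deg))


def min_safe_jib_angle(crane: Crane, hook_load_t: float) -> float:
    """Smallest jib angle (deg), i.e. the longest reach, at which the load can
    be carried with zero margin.  Solves overturning == restoring for cos(angle):
    overturning = L*cos(a)*(m_jib/2 + load) - offset*(m_jib + load)."""
    numerator = restoring_moment(crane) + crane.pivot_offset_m * (crane.jib_mass_t + hook_load_t)
    denominator = crane.jib_length_m * (crane.jib_mass_t / 2.0 + hook_load_t)
    cos_angle = numerator / denominator
    if cos_angle >= 1.0:
        return 0.0                 # stable at any angle, even fully lowered
    return math.degrees(math.acos(cos_angle))


def hook_alarm_triggered(hook_load_t: float, alarm_limit_t: float) -> bool:
    """The alarm in the notes looks only at hook load, not at the toppling moment."""
    return hook_load_t > alarm_limit_t


def main() -> None:
    crane, angle, load = PAGE_CRANE, PAGE_JIB_ANGLE_DEG, PAGE_HOOK_LOAD_T
    print(f"restoring moment          : {restoring_moment(crane):6.2f} t.m")
    print(f"overturning, jib only     : {overturning_moment(crane, angle, 0.0):6.2f} t.m")
    print(f"overturning, jib + PRV    : {overturning_moment(crane, angle, load):6.2f} t.m")
    print(f"margin with PRV on hook   : {stability_margin(crane, angle, load):6.2f} t.m")
    print(f"max safe hook load here   : {1000 * max_safe_hook_load(crane, angle):6.0f} kg")
    print(f"min jib angle for the PRV : {min_safe_jib_angle(crane, load):6.1f} deg")
    print(f"hook alarm would trigger  : {hook_alarm_triggered(load, PAGE_HOOK_ALARM_T)}")


if __name__ == "__main__":
    main()
```

With the pivot on the tipping line the jib alone leaves a margin of about 3.5 t.m and the 150 kg PRV at a 30 m radius removes it, which is the notes' conclusion; setting `pivot_offset_m=3.0` (pivot on the crane centre-line) shows how strongly the verdict depends on the geometry assumed.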

Key points for teaching.

1. Had a statics study been carried out? Moments about a point are simple A level Physics. NO!
2. What made the new Manager deviate from the original intent? Lifting over live plant was a
definite no-no on that Works but it was not recorded in writing! Ignorance? Bravado? I know
best! Had a Risk assessment been carried out? Obviously NO! (See notes on Human Failure and
Audits)
3. Was the crane driver fully briefed/trained/supervised? NO!
4. Had a full risk assessment been executed on the job to be carried out? NO!

Photo 3.1 The toppled crane from ICI Safety Newsletter

Question 3.1.3

1. Why was a lift over live equipment allowed? (It was the easier of the two options).
2. It was a deviation from custom and practice. Why was a static analysis of an extended lift not
carried out as part of a risk assessment?
3. Could the crane have been oriented differently to avoid the toppling moment?
4. Was the driver/contractor competent to carry out such a lift? The maximum load usually applies
to close-in lifts, not long reach lifts.

Answer 3.1.3

1. The new manager knew best and deviated from time established custom and practice! There
had been a violation of the plant rules.
2. It is possible that the new manager had not been trained in risk management (or knew better!)
3. No one had carried out a simple moment analysis.
4. A cheap approach to the lift had been adopted and a detailed Management of Change had not
been carried out.
5. A risk assessment had not been carried out.

Study 3.2 A Geyser

Background

Consider the mechanism driving a geyser. The water leaks from an aquifer and is heated, underground, by
the hot rocks. Provided the flow is reasonably high the rate at which the water is heated is less than the
rate of suppression of the water boiling point by the imposed hydrostatic head. At some point that column
becomes unstable and starts to boil at the base; this displaces some of the column upwards, so reducing
the hydrostatic head and accelerating the depressuring (boiling off) of the superheated water at the base
of the column. This is a geyser. The flow into and rate of heating are such that a geyser, such as Old
Faithful in Yellowstone NP USA, is quite predictable.

This might seem a bit odd to be included under maintenance but read on.

The incident

Figure 3.2.1 shows a typical steam pressure relief valve (PRV) arrangement. The PRV has a vertical tail
pipe, to avoid any steam burns to bystanders should it lift, which is fitted with a weep hole of about
5 mm diameter at the bottom (see fig 3.2.1). The design intent of this hole is to drain any steam which has
leaked past the PRV metal seats and condensed on the cold vent pipe (or rain water that may have
accumulated in the pipe). This steam condensate, if not drained, would impose a back pressure on the
PRV, increasing the lift pressure, and it would create corrosion of the elements in the PRV causing it to
stick shut; hence the drain hole is a key safety feature.

One day there was a violent eruption of hot condensed steam from the tail pipe!

Figure 3.2.1 Typical steam relief line

Question 3.2.1

Why did this happen? This has been witnessed by this engineer!

Answer 3.2.1

1. If the drain hole is choked any slight steam leakage generates condensate which builds up as a
column of water; the column is heated by conduction from the PRV internals or by the leakage of
steam. There must be a balance point of heat gain against suppression of the boiling point of the
condensate.
2. More importantly the drain hole is actually a safety system, but who checks it? In many cases the
answer is no-one.
3. Figure 3.2.2 (below) shows what happens when the line is not properly supported against jet
reaction.

Photo 3.2.2 A bent steam vent line taken from ICI Safety Newsletter.

Key points for teaching.

1. The drain hole in the tail pipe of a steam pressure relief valve (PRV) may appear to be trivial but it
is a safety feature. The function is to remove (drain) any condensed steam passing the metal to
metal seats. This avoids a back pressure and prevents corrosion of the PRV internals.
The weep hole is an essential safety feature which must be cleaned/maintained on routine.
2. Did the operations team know of this?
3. Who was responsible for checking the integrity of the valve and drain hole (function testing it)?
4. What was the secondary effect of spraying boiling water? People could get scalded!!
5. If a system is out of sight it is also likely to be out of mind and not come under the control of
anyone!!!

Problems with steam.

1. Steam is treated as a benign fluid. It is anything but benign. I have seen many variations of this
problem and as the steam system is "only steam" it is not treated seriously.
2. Steam mains can be split by what is called a steam hammer. This can only occur when the pipe is
being heated up from cold. The usual approach is to open all of the drains on the main (NOT the steam
traps). The condensate is driven out of the main and the steam main can then be pressurised
slowly over about one hour. During an initial plant start up some years ago the drains from a 50 cm
diameter, 60 bar steam main were, in reality, too small to drain the condensed steam being
generated during the warm-up; as a result there were three hammers of increasing ferocity before
the steam flow into the main could be isolated. The last caused the piping to move about 10 cm,
a quite disturbing sight! It is surprising how fast you can run when the devil drives you!!!
3. Some years ago a steam main in a site 30 miles east of Glasgow split due to a steam hammer
resulting from inadequate condensate drainage during a cold start up following a site shut
down.

Roll-over

There is a variation of the geyser called a roll-over in cryogenic storage tanks (and Texas City Refinery).
In this there is incomplete mixing of layers of cryogenic liquids or hydrocarbons of almost identical
composition. In the layering one, denser, layer may have a slightly higher boiling point (a fraction of a
degree C) with a less dense and lower boiling point material over-layering it. Heat is still gained
from the atmosphere, the soil or heaters installed to prevent frost heave, but due to the slight density
differential the layers do not mix. The boiling point of the lower, denser layer is suppressed by the hydrostatic head
of the added material above it. Eventually the lower layer
reaches its new boiling point, or the density fall due to the warming allows the hotter lower layer to mix
with the colder upper layer. This results in a rapid boiling pool (which induces a new mixing process
resulting in a steady boiling of the tank contents). This has been known to go on for some hours.

Incident 3.3 A major fire

The Incident

The sequence of events can be put down simply as follows:

1. A pump was under maintenance
2. The isolation standards were poor
3. There was a major fuel spill from the pump
4. The fuel ignited
5. An emergency isolation valve did not close
6. Persons were trapped
7. There were fatalities
8. The structure had to be demolished by explosive charges due to the fire damage

Question 3.3.1

Where did this fire occur?

Answer 3.3.1

Most people respond Piper Alpha. NO IT WAS NOT. It occurred in 1967 in a refinery in Teesside but it has
been lost to the memory. If the memory was still alive some 167 persons would not have been killed on
Piper Alpha!!!

The incident

The full story is as follows, most of the above was correct but some minor points were omitted.

1. A crude oil distillation column had a side-stream stripper which produced diesel oil. The auto
ignition temperature for diesel oil is about 200°C (how else could the compression ignition occur!)
2. The temperature of the off-take was about 200°C.
3. The off-take pump was running rough and a damaged bearing was suspected. The spare pump
was put on-line.
4. The pump was scheduled for an inspection first thing next morning.
5. It was tradition that the spare pump (in this case the damaged one) was left with the suction
valve open and the discharge valve closed in case the on-line pump failed or shut down.
6. A permit to work for the inspection was issued.
7. The inspection revealed a seriously damaged bearing and it was decided to remove the pump for
maintenance.
8. The Supervisor noted that there was already a permit to work on the pump so the pump was
removed using this (the inspection) permit.
9. The fitter was asked to break the joint at the body to assist in removal.
10. The fitter reported after the event that he had to hang a chain operator over an extended valve
spindle "as it got in my way". (The suction valve for the pump was above head height and it was
necessary to fit a chain over a pulley to operate the valve. This is a poor design but can be a necessity
with large equipment.)
11. Diesel oil blew out of the joint on the pump as it was broken because the suction valve was not fully
closed (see 9 above).
12. The diesel oil ignited spontaneously.
13. The emergency isolation was activated but did not close (it is possible that the fire damaged the
shut-in mechanism).
14. Three persons were trapped and died.
15. The damage was such that the only safe means of demolition was by severing ligaments with
shaped charges. The only success was that the structure and column fell within 25 cm of the
desired line.

Question 3.3.2

How did this sorry sequence occur?

Answer 3.3.2

1. The slow drift in standards is sometimes difficult to detect.
2. The culture had also drifted. A permit has to specify the task. It cannot be used for two tasks. See
also Part D.
3. In this case the site had moved from slip plate isolation to an in-house form of valve isolation as
the plates were heavy and difficult to fit. (A cultural drift)
4. In addition the approach to site inspection prior to maintenance had drifted.

Question 3.3.3

Would this drift have been detected by an Audit?

Answer 3.3.3

YES it would! As a result it can be concluded that there had also been a drift in the Management of
Safety!!!

Key points for teaching.

1. The site condition may change over a short period of time. The site should be inspected before
any work is started and if necessary at regular intervals to ensure the conditions have not
changed. (See incident 3.4 below)
2. A permit to work is specific to the task described. If the task changes a new permit MUST be issued
and a site review carried out as a result.
3. The quality of isolation was poor. Reliance on human intervention is not really acceptable (see also
Piper Alpha); a positive isolation using a lock-off system is better and positive isolation using
blinds is even better.
4. Changes in working practice should be considered under the Management of Change system.

Post script

At the inquest it was reported that the permit was drafted by the previous shift and that the pump was
fully isolated at that time. The on-coming Foreman, who had returned to the job after a week's break, was
busy catching up on the last week's events so signed the permit without carrying out a site inspection.
(Information or work overload.) It is just credible that the pump was isolated when the permit was drafted
BUT then someone put it into a ready-to-start configuration. The lack of site inspection due to the work
overload at this hand-over was a key driver in this event, as was the use of a permit to work for a purpose for
which it was not issued (the inspection only).

As a minimum standard the valves should have been locked in a closed position with some form of tag
or warning notice.

Incident 3.4 A change in conditions

The incident

During an Audit of the Safety Systems on one site the Production Supervisor received a radio message to
the effect that the flammable gas concentration in a work area involving some welding had
exceeded the limit specified in the work permit (10% LFL). The reply was "carry on and I will alter the
permit"; the site was NOT inspected.

Questions 3.4.

1. What would you have done?
2. Is this acceptable?
3. If not, what should have been done?

Answers 3.4.

1. It is NOT ACCEPTABLE to change a Permit to Work without a review of the causes of the change in
condition.
2. The work MUST stop; the PTW MUST be cancelled.
3. The site must be inspected to ascertain the cause of the change in conditions.
4. A new risk assessment (as in the PtW) should be carried out.
5. Once proven to be acceptable, and only then, can the Permit to Work be reissued and the work
allowed to proceed.

This conversation was made in front of an Auditor - myself! I was speechless!!

Incident 3.5 Isolation standards

Background

Occasionally isolation valves leak. The typical valve has a metal to metal contact and debris in the
contact zone can result in leakage. (Some valves have soft, PTFE, seats and they are subject to wear [and
tear]).

The valve integrity, that is the tightness of the closure, is critical to the safe removal of equipment for maintenance.
Various strategies have evolved. One is to carry out a risk assessment; this results in a steady
increase in the integrity or quality of the isolation with the fluid pressure and its hazardous properties.
(See part B Design.) Each case is company specific but typically water will only have a single isolation
between the water main and the equipment to be removed. At about 40 bar the requirement is for
double block and bleed for flammable materials. This arrangement has TWO valves in series with a vent
(bleed) for leakage to a safe area. The thinking is that if the UPSTREAM valve is tight shut there will be no
leakage, but if the UPSTREAM valve is leaking the leakage can be led to a safe area, so that the pressure
in the interface between the two valves will be low and any leakage passing the second, DOWNSTREAM,
valve will be trivial. In general this arrangement has served the industry well. 40 bar is a convenient
pressure as it is also a transition pressure between two pipeline pressure ratings (ANSI 300 and ANSI 600).
ANSI is the American National Standards Institute and the pressure ratings, in pounds per square inch, are
the maximum allowable pressure at fixed conditions. (By coincidence the maximum pressure is about 2
times the rating at 40°C.)

It is possible to fit an ICE PLUG in a line to form a good standard of isolation in an emergency. It is formed
by fitting a bath round the pipe and then freezing a plug of ice using liquid nitrogen in the bath. It is not
quite as simple as it sounds as there has to be careful analysis of the metallurgy (low temperature
embrittlement of steel) and the bath orientation. A vertical bath is better than horizontal as in the vertical
orientation there can be no gas pockets. Even better is to have a bend downstream of the plug into which
the plug can lodge.

The incident and plan

Figure 3.5.1 shows an isolation arrangement.

The upstream valve Z is passing and the downstream valve has a small by-pass to allow the slow
pressurising of the system. A large valve is difficult to control and the forces on the valve, due to the
differential pressure, can be so large that it is difficult to open the valve. The smaller valve is easier to use and
can be used to reduce the pressure differential across the larger valve.

(There is a subtle teaching point that in this specific case the by-pass valve was fitted at the bottom of the
line (180°) where fluids might accumulate and cause interface corrosion. Ideally the valve should have
been fitted horizontally at the 90° position; it cannot be fitted at the 0° position due to the master valve
fittings.)

The by-pass valve piping was corroded due to interface corrosion and the small section of piping had to be
replaced; this involved removing one of the double block valves plus the by-pass valve. As the upstream
valve Z was leaking it was decided that an ice plug isolation would be formed in the vertical section of
piping, at the hatched section, by water injected through valve Y. The combination would be
integrity tested by pressurising the interface between the ice plug and an expandable stopper or bung
fitted inside the pipe as shown. In effect this was to become a new double block and bleed. The first
isolation was the ice plug and the second was the expandable plug.

Figure 3.5.1 Simplified P & ID of work site

For various reasons the bung could not be proven to be pressure tight.

In addition the level measurement in the nitrogen flask failed but the contents could be assessed by
weight.

For various reasons the ice plug could not be fixed in a vertical section but it was fitted in the horizontal
orientation as shown.

Finally the nitrogen flask went empty but the reserve could not be fitted due to thread damage.

The ice plug blew out!

Question 3.5.1

You have to carry out a risk assessment of this method knowing that it has been used successfully many
times. What might go wrong and how can you mitigate this?

Answers 3.5.1

1. The supply of nitrogen is critical to the integrity of the ice plug. In risk terms the on-site, proven
and available, supply of nitrogen MUST be significantly more than that which might be required as
delays occur with even the best run plans. This would include function testing the hose threads
to ensure that they are not damaged.
2. The ice plug MUST only be installed by a competent team and after a full metallurgical
assessment.
3. The ice plug MUST be proven to be tight.
4. Once started the work MUST not be delayed.
5. The replacement section MUST be pre-prepared and readily available.
6. If there is a failure of any item 1 5 the work must not start.
7. What has been missed????

Question 3.5.2

Why did it occur??

Answers 3.5.2

This can be presented as a question or it can be fed as a number of defaults in the plan.

1. At which point MUST the work be aborted?
Stop as soon as the first domino falls. The original plan had a number of defences in place
(defence in depth) but once one defence was damaged safety was compromised.
2. Is there a spare nitrogen flask?
There is one, but are the hose threads damaged and can the connection be made within 5
minutes? The fittings on the spare flask were damaged and it could not be fitted. It is now too late
as the plug will now melt and there is the inevitability of a leak. Note the word PROVEN in the
requirement above: the connections on the spare flask should have been checked BEFORE the work started;
it is too late when it is found damaged when required. There is a parallel here to function testing
protective systems.
3. The plug was set in a horizontal piece of pipe (due to access) and not in the planned vertical
section as intended. Is this acceptable?
Probably not, as the bonding between the plug and the wall will be different, particularly if
there are any gas occlusions.
There has been a deviation from the intent so the work should stop and a new risk
assessment must be carried out.
4. If the expandable plug cannot be fitted how can the plug be pressure tested?
5. The failure of the level measurement is not safety critical as the flask could be weighed and an
approximate level assessed with sufficient accuracy. However it should have set the warning bells
ringing!!
6. The difference between the horizontal and vertical arrangement is not a critical issue but the lack
of a down-stream bend is potentially significant.

Key points for teaching

1. All changes have to be subject to a management of change process, including changes to the
change!!!!
2. This process should include a full risk assessment.
3. Changes from the plan MUST be risk assessed and if necessary the work stopped. That is, any change
in the plan MUST be examined carefully as it is a change in the intent!!!
4. Changes in the local environment are a potential violation of the intent.

Incident 3.6 A flare system modification

This incident is a mix of Accident Investigation and a genuine learning experience.

The incident

A new line was to be fitted in a flare system on a hydrocarbon production plant. A section of pipe inlet to
the flare knock-out drum with flanges at each end (called a spool) was identified. The plant was shut down
and during the shutdown some light, volatile, liquids entered the flare knock-out drum. (This satisfied the
design intent of preventing liquids entering the flare tip). The flare pilots were NOT extinguished (Elgin
Franklin again). The spool was removed for modification. About 15 minutes later there was a loud bang
heard somewhere. This was repeated 15 minutes later and again after 15 minutes!

Question 3.6.1

Why had this occurred?

Answer 3.6.1

1. A full risk assessment had not been carried out.
2. There is usually a small pressure differential in a flare. This can be due to the relative density
differential of air and gases, or it can be due to the hot tip of the flare itself, or it can be due to the
eductive effect of the air flow across the flare tip. In this case the open end of the spool (inlet to the
flare knock-out drum) was the source of air ingress; the light, volatile, fluids in the knock-out drum
evaporated so forming a flammable system. It would take about 15 minutes for the flammable mix
to reach the pilot flame where it would ignite. The mix would then burn back to the knock-out drum and
out of the open end at the spool where the flame front would be extinguished.
3. The pressure differential would re-start the air movement into the flare at the spool and the
whole cycle would be repeated.

Question 3.6.2

What would you have done differently?

Answer 3.6.2

1. The pilots should have been extinguished. (However, they are difficult to re-light!)
2. The open ends at the spool position should have been blanked off.
3. The flare knock-out drum should have been inerted.
4. The flare knock-out drum should have been drained.

Are there any others? You decide!

Alternative Question 3.6.3

What was the outcome? This is a more difficult question as it requires some more detailed process
knowledge.

Answers 3.6.3

1. Panic and confusion! It took some time to identify the source of the explosions.
2. The flare main was overheated by the repeated flame fronts and expanded slightly beyond its
design limit.
3. A MAJOR INQUIRY was initiated into what had happened and why.

Key points for teaching

1. Any open end in piping or equipment has the potential for hazardous materials to flow out OR for
contamination (in this case air) to flow in.
2. It is important to have a mental model of the operation and of what happens inside the
equipment, so that the potential for an upset can be visualised and analysed.
3. A risk assessment MUST be carried out whenever ANY line or joint is broken.
4. Open ends in equipment have been the source of many fatal accidents (see Incident 3.3).
5. Any break such as this MUST be positively isolated with a blank or a locked-closed valve.

Incident 3.7 A crude oil tanker explodes while being off-loaded

Background

Sea-going tankers are effectively long, roughly rectangular tubes (box girders). Loading (and unloading) has to be carried out in
a predetermined sequence to avoid excessive bending loads in the hull. This sequence is planned and may be
confirmed by strain gauges within the hull structure. Uneven loading, such as fully loading the central
compartments only, produces a high downward force at the centre of the tube and two resultant upward
forces at the bow and stern. The bending moment created by poorly configured loading may be sufficient to
overload (yield) the steel in the structure.

The incident

This is a true story: the explosion of the tanker Betelgeuse in Bantry Bay, Ireland.

The tanker had been in service for many years and was coming towards the end of its useful life. It was
carrying a parcel of crude oil which it was offloading at the oil terminal. The transfer had stopped at the
time of the incident and a significant quantity had already been discharged. A small fire was noted on the
deck itself (a place of high stress during cargo transfer operations) and over a few minutes the fire spread slowly
along the deck. Shortly after this the tanker exploded and large fragments weighing up to 1000 tonnes
flew through the air.

Question 3.7.1

Why did this occur???

Answer 3.7.1

The answers may not be clear to a student but there are some serious teaching points:

1. Corrosion of tanker walls, and also of bulk carrier walls, is a major problem. In the case of bulk carriers
it is compounded by the impact and wear of the vehicles used to clear the last remaining solids.
Coal in particular is also potentially corrosive.
2. The bending moment created by uneven loading may be sufficient to overload (yield) the steel in the
structure, more particularly if it is corroded and thinned, as it was here. See also the background.
3. If the tanker shell and the internals are thinned and the tanker is then put under an extreme bending
load it will tear, and the tear can (and has done) ignite the fuel vapours. Eventually the flame could
reach a large compartment containing air and flammable gases and, as they say, the rest is history.
4. There is usually a corrosion allowance built into the original design, but equipment ages at
different rates. The real rate of corrosion may be higher or lower than the designer specified.
5. As equipment approaches the end of its design life it becomes more and more important to carry out
non-destructive monitoring for material loss and to adopt a more critical approach to the
maintenance and monitoring strategy. This is now called Risk Based Maintenance (or Risk Based
Inspection).
6. It is not clear if the tanker was being inerted during the offloading cycle. However, if the tanker
shell was damaged, air could still enter the tanks themselves.
7. The monitoring strategy should also examine whether the equipment has been operated outside its
original design envelope, or has been abused.

Key points for teaching

1. Equipment, like humans, ages and becomes more vulnerable with age.
2. Inspection of ageing equipment is now risk based, and it is one of the points that the HSE look at very
carefully.
3. Once a crack appears in steel there is a stress intensification at the crack tip which can generate a running tear: it
just runs and runs.

4 UPSET CONDITIONS

Background

It is worth a reprise of the earlier notes on the brain. There are five main mental states:

1. Information overload, where the operator has too much information and cannot differentiate the
key, essential factors that are relevant to the situation.
2. Cognitive dissonance, where the operator reads the information being transmitted in the warnings but
works the warnings into a different, less hazardous scenario, thinking that there is not a
problem.
3. Mind set, where the operator has a fixed idea as to what is happening and cannot or will not
change it.
4. Lack of knowledge (ignorance), where the information is not in that person's knowledge base.
5. Panic, where the operator is so confused that he/she is unable to make a logical assessment of the
situation and as a result does nothing, or takes a dangerous action.

These conditions are usually catalysed by an event which requires prompt action.

In one event involving the electrolysis of brine to produce chlorine, the alarm hierarchy was so
configured that the high oxygen alarm was the top alarm and suppressed the transmission of the other alarms and
warning signals which were essential to the diagnosis of the problem. The operator was overloaded with
the repeated oxygen alarms and could not make a reasoned diagnosis of the problem; the cell exploded.

Incident 4.1 Pollution of the Rhine at Basle or pressure to make decisions

The incident

A warehouse on the banks of the River Rhine at Basle contained a number of products, one of which was a
mercurial insecticide. During the night there was a fire; the suggestion was that it started on a shrink-
wrapped container. The fire spread to the rest of the warehouse and enveloped the mercury-based
insecticides.

The smoke from the fire drifted across nearby houses and the Fire Chief, not knowing what chemicals were in the
warehouse, had to decide whether the fire should be allowed to burn out or should be attacked. He adopted
the latter plan, not knowing that there was a mercurial compound in the warehouse. The firewater
dissolved the mercury-based compounds, which ran off into the Rhine, resulting in the deaths of a
number of fish.

Question 4.1.1

What was the fundamental error in the emergency planning for the warehouse, and how has this now
been addressed by legislation?

Answer 4.1.1

There was NO emergency plan, and the Fire Chief did not know the contents of the warehouse or the
impact of firewater on those contents. The lines of communication were very dubious or flawed. (Compare
Buncefield, where firewater run-off was again a major concern.) The Fire Chief was put under pressure to kill the fire by the impact of fume/smoke
on the neighbours, but those demanding this did not comprehend the potential impact of that action. In short,
there was NO emergency plan reflecting the materials stored in the warehouse!

Question 4.1.2

Could this happen now? What has happened in the intervening years?

Answer 4.1.2

The Seveso II Directive (since superseded by Seveso III) applies to warehouses as well as to process plant, and covers
the impact of any event on the environment. The safety case will include an assessment of the composition of the
firewater run-off, and of the dispersion and nature of the reaction by-products formed in a fire.

Key points for teaching

1. An emergency plan must reflect the nature of the materials stored on the site.
2. The emergency plan must develop with any new materials stored, which could require a safety case.
3. The emergency services must be involved in the development of the plan.
4. The emergency plan must involve the neighbours.
5. Any change to the storage may invalidate the plan.

See also Allied Colloids, LPB 132, and Salford, LPB 132.

Incident 4.2 You have only 30 seconds to make a decision and act on it!

Background

A section through a centrifugal compressor is shown below. The lighter coloured (yellow) section is the body
and the stationary elements. The darker coloured sections (green) are the rotating elements: shaft, step-up
gearbox and impeller. Within the impeller, and in the volute (the section where kinetic energy is
converted to pressure energy), are vanes designed from velocity-vector analysis to avoid shock flow. The
pressure rise is roughly 50% in the impeller and 50% in the volute. The pressure differential between the
inlet and the volute could drive internal recycles, so internal seals called labyrinths are fitted. The name
labyrinth is very descriptive of the shape and function of this seal: it is a tortuous path which creates the
maximum turbulence and so limits the leakage gas flow. The gaps between the stationary and rotating
elements are about 1 mm.

The impeller is (usually) manufactured from two pieces of steel, one carrying the vanes and the other plain.
The fit of shaft and impeller is metal to metal, not welded. The impeller is shrink-fitted onto the
shaft and sits against a collar, with a key between shaft and impeller to stop rotation (as shown). This
requires heating the impeller so that it expands, then sliding it onto the shaft against the collar
(shown) or stop while it cools and shrinks onto the shaft. (Some smaller units can be fabricated as a
single casting or with riveted vanes.) Compressors can ingest light liquid mists of up to 2%
by weight for short periods of time. Slugs of liquid can result in torsional failure of the shaft, OR they
can create such high pressures inside the impeller that the two (rotating) parts of the impeller are bent
away from each other and rub against the stationary fittings. (Treat the impeller as a flexible system:
the dynamic pressure ρv²/2, and hence the resultant force, for a liquid is up to a thousand times higher
than for a gas at the same velocity, because of the density ratio.) Alternatively the forces can physically
move one or both parts of the impeller along the shaft by a few mm so that it rubs on the stationary
fittings (the tip speeds can be over 250 m/s). Whatever occurs, twisting or rubbing, the damage will be severe!

The incident

The Plant Manager arrived on the plant at 16.00 to carry out the end-of-day checks. The Supervisor was in
the compressor house looking at the alarm panel, which showed that the suction vessel to a large
centrifugal compressor (10 MW) had both the high level alarm and the high-high level shutdown activated, but the
compressor was still running! The shutdown system, including the alarms, had already been tested 20 times
without any detected failure (failure rate less than 0.01 per annum) and it had been tested only 3
days earlier. As both the high and high-high level alarms were active the situation appeared to be real,
but the probability of failure of the whole shutdown system was mathematically less than 0.001. Put
another way: if the machine was left running for a minute more there was a 0.001 probability of a major
wreck, resulting in 2 months of lost production; on the other hand if it was shut down there would be 12
hours of lost production AND the unknown, but mathematically credible, risk that there might be a serious
upset during the shutdown and restart cycle.

What should be done under these circumstances?



Figure 4.2 Section of a simple centrifugal compressor

Question 4.2.1

What is your decision??? You have 30 seconds to make up your mind, doing nothing is not a choice get it
wrong and you could be looking for a new job!

Answer 4.2.1

There is no perfect answer; see the introductory comments on the mental stresses.

In reality the Plant Manager told the Supervisor to delay the manual shutdown for 30 (and no more than
30) seconds while he gathered more information. It took 20 seconds (and it seemed like 20 hours) to verify
that there was not a high-high level in the vessel, so the Supervisor was asked to stand down. How the
verification was carried out is outside the scope of this incident study, BUT the whole system was then function
tested (trip tested) properly and an electronic fault in the visual display was identified; this was quickly
rectified.

The Plant Manager went home at 17.30.

Question 4.2.2

Was this the correct action?

Answer 4.2.2

It was in this case, BUT ... how lucky can you get?

The Supervisor challenged the wisdom of such an action, and he was right to do so. The Manager then
wrote a Standing Instruction (SI) to the effect that only the Manager could take such a decision, and that if
the Manager was not present there was only one action:

SHUT DOWN.

Key safety teaching points

1. It is important to have a mental model of the operation and of what happens inside the
equipment, so that the damage potential can be visualised and analysed.
2. Sometimes it is necessary to carry out a risk assessment with very little time or room for error.
3. Equipment has a nasty way of fooling you! (Murphy's Law)
4. Function (trip) testing of shutdown systems is imperative, but note what the testing proved here. The
shutdown system itself performed correctly; it was an electronic card in the display that failed. The long
record of successful tests had demonstrated a high reliability for the trip, and that knowledge was
instrumental in the decision-making process. Note also that both level indications came through the
same faulty display card, so what looked like two independent confirmations had a common cause.

Study 4.3 Collapsing vessels

The incident

A large vessel, located 10 m above ground level and with a design pressure of 400 kPa, was used to contact
two fluids in a continuous extraction process. The vessel ran full and the two fluids flowed counter-
current. For maintenance the fluids in the vessel were displaced with clean water. The
operator then opened the drain, located at ground level, so as to drain the water. Initially he was a little
surprised that the flow was very low, until he heard the vessel groan and crumple inwards.

Question 4.3.1

Why did this happen and how could it be prevented?

Answer 4.3.1

The hydraulic head in the drain line (a barometric leg) was sufficient to create a near-full vacuum inside the vessel, so
it collapsed inwards. (A 10 m column of water exerts about 98 kPa, close to one atmosphere, so with the vessel top
closed the water draining down the leg pulled the vessel pressure towards zero absolute.) The simple solution is to
provide a vacuum breaker, either procedural (open a top vent before draining) or mechanical. A simple mechanical
vacuum breaker, depending on the nature of the fluids, could be no more than a non-return valve admitting air.
Unfortunately the procedural approach is the least reliable.

Consider the relative strength of a cola can under internal and external pressure. The can is
strong in tension (internal pressure) but buckles when crushed inwards by external pressure. This also
governs the strength of box girder bridges.

There are variations on the basic theme, one being the draining of a tall vessel after a hydrotest
(an integrity test using water and a pressurising pump).

Key points for teaching

1. Equipment may be strong against internal pressure but weak against vacuum (external
pressure). This is evidenced by the cola can and by the buckling of piping and structures
such as box girder bridges.
2. Many pieces of equipment are located in structures many metres above ground level.
3. If such equipment is drained without a form of vacuum breaker it may collapse inwards.
4. You have to understand the changes in the static and dynamic pressure regimes when maintaining
equipment.

Incident 4.4 Like Topsy it just grew!

This incident was taken from an article written by Bernard Hancock titled:

Human factors and systems failure: Case study of the fire and explosion at Chemstar

A fuller description, with drawings, should be available through IChemE; if not, the author has a copy.

The incident

This is a rewrite, with variations, of a true case history of a type which has occurred more than once.

When a process plant is demolished, some of the equipment is still in excellent operating condition and
is sold on to another company, who use it in a slightly different manner to produce new materials. The
previous owner can only value the equipment at scrap metal value, but the demolition team may value it
as a usable item. In general the new processes are simple and do not require a hi-tech approach.

A process plant was to be demolished and the equipment was offered for sale in professional journals. The
equipment fitted the plans of a small entrepreneurial company who saw the opportunity to recover
contaminated solvents using some of the distillation columns. The size and number of trays in the column were
not critical, so it was operated fairly inefficiently on a thermal basis, but as the cash flow was high this was
not an issue. The initial operation was carried out by the owner/manager and a friend on an 8 hour per
day basis.

The equipment was installed in an old warehouse. The process was quite simple. Solvents were fed into
the distillation column on a batch basis, the heat to the reboiler was supplied by a small steam boiler and
the condenser was cooled by water from a stream which had been dammed off. Condensed solvents were
received into a reflux drum and a small pump supplied the reflux to the distillation column. The process
was controlled manually so as to produce the product of the correct quality. As the system could be over-
pressured by the steam, a single pressure relief valve was fitted to the condenser. Like any whisky
distillery, the relief valve discharged inside the building.

The cash flow was so good that it was decided to change from day work to shift work. This involved training
shift workers, and the original management team had to relinquish responsibility for the day-to-day
operations. The rates increased over about 2 to 3 years. At the end of this period of increase there were a
number of complaints from the local populace, particularly on hot summer days, about odours
emanating from the plant. These were not actioned and production carried on.

One summer day there was a major explosion in the warehouse.

Question 4.4.1

Why do you think this happened?

Answers 4.4.1

The whole plant had evolved under two persons who, presumably, knew what they were doing, worked on a
one-to-one basis and had a minimum of operating instructions. As the throughput increased, those who
had the knowledge became more remote and the plant was operated by shift operators who had no
training programme for the process and no operating instructions, and who did not fully understand what was
happening. As a result the activities became more haphazard.

Equipment was not fully inspected, and the evidence from the odours suggests that the condenser was
becoming fouled (three years without cleaning a heat exchanger is a long time!), or that the water
supply flow was insufficient for the duty, or that the water temperature was too high.

Venting into an enclosed space is dangerous, and of course the boiler was a very powerful ignition
source.

Like Topsy, it just grew. There were no procedures, there was no management of change, and there was no
maintenance in place. While the original intent may have been acceptable, once the operational
controls are passed down to less competent personnel there has to be a training programme, a monitoring
programme and more detailed procedures setting out what to do and why.

Question 4.4.2

Why was there an explosion?

Answer 4.4.2

The whole operation was run by word of mouth, with little or no training, operating instructions or
management!

The day-to-day maintenance was poor and there was no response to the alarm signals: the odours in
summer.

The heat exchanger had become fouled with debris from the stream; the pressure relief valve lifted and
vented flammable materials into an enclosed space. The vapours ignited at the boiler. (There are some
parallels with Piper Alpha!)

Key points for teaching

1. The life of a plant is dynamic: nothing is steady and it changes with time.
2. The condition of equipment changes with time: it can corrode and it can foul. This is particularly
important with heat exchangers.
3. The production rates and product spectrum can change with time.
4. The management hierarchy can change with time.
5. The responsibilities can change with time.
6. Equipment performance has to be monitored and changes investigated.
7. There should be routine inspection procedures for key process items (planned maintenance).
8. All of these changes have to be subject to a management of change procedure.


Incident 4.5 High levels are a hazard

Background

1. Instruments can fail in a number of ways. Some fail-danger and some fail-safe.
2. Loss of data can be a hazard in itself, but even when data are present, are they correct?
3. Traditionally, when starting up a distillation column the reboil (heat at the base) is only started
once a level is detected in the base of the column.
4. Logically, the reflux can only be started once the reflux drum contains liquid.
5. If in doubt, analyse all of the data available.

The incident

The following are the facts:

1. The plant was being started up for the very first time (the initial start-up).
2. A distillation column was being fed with cryogenic material.
3. The rate of level rise in the column was unknown, as some of the heat in the steel had
to be removed by boiling off some of the feed material.
4. There was both a level alarm and a level measurement at the column base.
5. After 30 minutes the temperature profile in the column appeared close to expectations, indicating
that some fractionation was occurring and that the metal had cooled to the expected operating level.
6. There was no indication of a level in the base after feeding the column at half of the design rate
for 30 minutes.

This sounds like a variation on Texas City!

What should you do?

Question 4.5.1

What actions should be taken?

Answer 4.5.1

There is no point in carrying on with unknown levels in the distillation column. The column could be full; it
cannot be empty. Operating with unknown parameters is a serious hazard. The feed must be stopped and an
investigation initiated.

A mass balance was carried out and, with some allowance for boil-off while chilling the column, there
should have been about 20 m of liquid in the base of the column!

(If this had been done at Texas City the whole sorry story would not have occurred.)

The level measurement was checked and appeared to indicate that there was NO LEVEL in the base, for
both the alarm and the controller level measurement. Odd!

The situation was made more confusing as the reboiler did not seem to be heating the base
fluids! Very odd!

The investigation showed that there was a common cause failure of both the alarm and the level
measurement.

Question 4.5.2

Why do you think that the reboiler failed to heat the base fluids?

Answer 4.5.2

The hydrostatic head of liquid in the column (about 1.4 bar) was sufficient to raise the bubble point of the
base fluid above the condensation temperature of the heating medium. The temperature differential
across the reboiler during normal operation was only 7 °C.

(When it goes wrong, it really goes wrong!)

Compare the fact that at Texas City the heater outlet temperature was outside the operating band and
nothing appeared to be happening.

Key points for teaching

1. Simple mass balances would have prevented the explosions at Buncefield, Texas City and Texaco
Milford Haven.
2. Diagnostics are the key to analysing an unusual situation.
3. It is important to have a mental model of the operation so that the damage potential can be
visualised and analysed.

Incident 4.6

The incident

A distillation column was being fed with 40 te/hr of feed at 250 K. The top product was 35 te/hr and the base
product was 5 te/hr.

Over an interval of 3 hours the pressure differential, bottom to top, rose steadily from 75 kPa to 150 kPa.
(There were 120 trays in the column!)

There was no reason to suspect that the differential pressure measurement was faulty, as it had been
recording a value consistent with good operation for some days.

Question 4.6.1

What do you do?

Answer 4.6.1

Carry out a mass balance! Over the 3 hour interval, feed in = 120 te; product out, as metered, = 100 te at the top
and 15 te at the base. There is a 5 te mass balance discrepancy.

Note: Normally a mass balance would only be expected to close to within about +/- 1 or 2%, so a 5 te discrepancy on
120 te (about 4%) would already be suspicious. In this particular case there was an accumulated operating history
which showed that the real mass balance error of the meters was trivial, so the discrepancy was real.

Question 4.6.2

Where is the extra 5 te? Is it holding up in the flooded trays?

Question 4.6.3

What do you do now?

Answers 4.6.2 and 4.6.3

1. There probably is flooding of the trays.
2. Stop the feed to the distillation column, as it appears to be flooded and specification will be lost quite
rapidly.
3. The feed is stopped and the pressure differential does not fall! "Instrument fault" is the cry!
4. But wait! The base level is boiled off, the level falls to zero, nothing appears to be descending in
the column (the time lag for a change in the reflux rate to reach the base is about 10 minutes) and
still the pressure differential is high. Is it a faulty instrument? But where is the unaccounted 5 te?
5. One hour later the pressure differential fell to a reasonable value and the base level filled in!
There was the 5 te of material!

Diagnosis? The column had become fouled with an unknown material. For the chemists: the previous part
of the process involved hydrogenation of some impurities, and the hydrogen stream contained traces of
carbon monoxide. The following is the classic methanation reaction:

CO + 3H2 = CH4 + H2O

Doh! Water freezes at 273 K, and the feed was at 250 K. The water formed by methanation froze out on the
trays as ice, which held up the missing 5 te and raised the pressure differential; once the feed was stopped
and the column warmed, the ice melted and drained to the base.

Key points for teaching.

1. It is important to have a mental model of the operation so that the damage potential can be
visualised and analysed.
2. The rules that are applied in Chemical Engineering are correct and must be understood in an
upset situation!
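The "simple mass balance" that Incidents 4.5 and 4.6 both turn on can be written as a routine that runs over metered flows on a sliding window, so that the check is done continuously rather than only when someone becomes suspicious. This is an added example, not code from the original notes. The hourly readings are constructed to reproduce the Incident 4.6 figures (40 te/hr feed, 120 te in over 3 hours, 100 te out at the top and 15 te at the base); the 2% closure band is the norm the notes quote, and the metered holdup change is assumed to be zero, as it was when the base level failed to rise. For Incident 4.5 the same routine applies with the expected base inventory entered as the holdup change and the boil-off as an extra outlet stream.

```python
"""Added example (not from the original notes): an inventory reconciliation,
i.e. a mass balance integrated over a time window, of the kind that would have
flagged the missing 5 te in Incident 4.6 within the first hour. The readings in
incident_4_6() are constructed, not plant data."""


def integrate_trapezoid(times_h, rates_te_per_h):
    """Mass passed over the window: integral of rate dt by the trapezoidal rule."""
    total = 0.0
    for (t0, r0), (t1, r1) in zip(zip(times_h, rates_te_per_h),
                                  zip(times_h[1:], rates_te_per_h[1:])):
        total += 0.5 * (r0 + r1) * (t1 - t0)
    return total


def reconcile(times_h, feed_te_per_h, product_streams, measured_holdup_change_te=0.0,
              tolerance=0.02):
    """Compare mass in with mass out plus the change in metered inventory.

    product_streams: a list of rate series, one per outlet (tops, base, vents...).
    Returns the unaccounted mass and whether it lies outside the closure band,
    which is taken as a fraction of the feed total (the notes' 1 to 2%)."""
    mass_in = integrate_trapezoid(times_h, feed_te_per_h)
    mass_out = sum(integrate_trapezoid(times_h, s) for s in product_streams)
    unaccounted = mass_in - mass_out - measured_holdup_change_te
    band = tolerance * mass_in
    return {"in_te": mass_in, "out_te": mass_out, "unaccounted_te": unaccounted,
            "band_te": band, "flag": abs(unaccounted) > band}


def incident_4_6():
    """Constructed readings: tops fall from 35 to 33 te/hr as the trays foul,
    base steady at 5 te/hr, and the metered base level does not change."""
    t = [0.0, 1.0, 2.0, 3.0]
    feed = [40.0, 40.0, 40.0, 40.0]
    tops = [35.0, 33.0, 33.0, 33.0]
    base = [5.0, 5.0, 5.0, 5.0]
    return reconcile(t, feed, [tops, base], measured_holdup_change_te=0.0)


def steady_state():
    """Constructed readings for normal operation: the balance closes."""
    t = [0.0, 1.0, 2.0, 3.0]
    feed = [40.0, 40.0, 40.0, 40.0]
    tops = [35.0, 35.0, 35.0, 35.0]
    base = [5.0, 5.0, 5.0, 5.0]
    return reconcile(t, feed, [tops, base])


if __name__ == "__main__":
    for name, result in (("incident 4.6", incident_4_6()), ("steady state", steady_state())):
        print(f"{name}: in {result['in_te']:.0f} te, out {result['out_te']:.0f} te, "
              f"unaccounted {result['unaccounted_te']:.1f} te, flag={result['flag']}")
```

With the constructed readings the routine reports 5 te unaccounted against a 2.4 te band and raises the flag; the same readings with the tops held at 35 te/hr close to zero. The point of putting the holdup change and each outlet in explicitly is that the question "where is the 5 te?" is then asked by the arithmetic, not left to whoever happens to be looking at the differential pressure.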


5 OTHERS

Background

The English language is complex and the same word can have different meanings in different contexts.
Further, industries develop their own jargon, and sometimes it is confusing to a newcomer. The problem
is exacerbated by local dialect words. Some words that were acceptable in Dorset were considered to be
rude in the north of England!

Study 5.1 Confusion in messages

Real Incidents

Question 5.1.1

What is the difference between INFLAMMABLE and FLAMMABLE?

Answer 5.1.1

None! However, in the English language the prefix IN- is usually a negative, so here the IN is a potential confusion.
Does it mean not flammable? The correct word, which has no ambiguity, is FLAMMABLE.

Question 5.1.2

What is the meaning of this sign, hung on a manhole of a vessel under maintenance?

No Entry.

Permit Required

Is this statement logical? Does it mean "NO ENTRY; A PERMIT IS REQUIRED" or "NO ENTRY-PERMIT REQUIRED",
i.e. that you may go in without one?

Answer 5.1.2

No! The full stop is easily missed! Can entry be made without an entry permit? (As a generality the answer
must be NO!)

Question 5.1.3

Is the following an acceptable instruction?

Open the Valve.

Answer 5.1.3

Which valve? Give it a unique reference number.

At what rate should it be opened? If too fast, the control system may be unable to follow the ramp-up
rate. If too fast, there may be water hammer.

Question 5.1.4
Is the following statement acceptable?

Add 100 kg of material xxx

Answer 5.1.4

No! At what rate, over a day or a year? Define the interval correctly. This may be a safety critical
operation with exothermic reactions. Are there any other pre-addition conditions which have to be
satisfied?

Question 5.1.5

Is the following statement acceptable? This may appear to be a trivial case but it is not so! An instruction
read:

Add a carboy of acid X.

Answer 5.1.5

Yes! You are right! The acid and the carboy were added to the reactor without opening the carboy! When this
was told as a story in a meeting, someone said:

"That happened to us as well!"

If it is garbage, do not blame the Operator; it is the Manager who is to blame.

Key points for teaching.

1. If it is garbage, do not blame the Operator; it is the Manager who is to blame.
2. Keep the message concise and do not use technical gobbledygook.
3. It is important to have a mental model of the operation so that the damage potential can be
visualised and analysed.

Study 5.2 Exploding pumps

Background

Centrifugal pumps are a demonstration of the classic Joule experiment on the mechanical equivalent of
heat. There are a number of potential recycle paths in a pump, one being the recycle round the wear
rings, and there are also inefficiencies which result in the generation of heat. The classic pump characteristic
(below) shows the head, flow and efficiency curves. At flows below about 10% of maximum flow the
efficiency falls rapidly and the fluid in the pump heats up. For this reason it is normal to include a
minimum flow recycle (see the start-up instructions in an earlier Part). However, if a pump is run against
closed isolations (dead-headed), about 30 to 50% of the full load power is absorbed as heat by the churning
process and the contents will heat up rapidly; the pump characteristic below (Figure 5.2) is more applicable to
large, well designed pumps. As the contents heat, the vapour pressure will rise accordingly, and it is then a
question of whether the boiling fluid can be vented fast enough to prevent an explosive rupture of the casing.

Figure 5.2 Family of pump curves

The power consumptions (diagonal, upper left to lower right) are not given. As the flow approaches zero
the efficiency approaches zero, but there is still a power consumption of about 30 to 50% of full load.

Joule was a bright cookie.

It is sometimes appropriate to fit an auto-start on a standby pump which is activated by the shutdown of the on-
line pump, BUT in this case the suction and discharge valves must either be automated to open on start-up, or
the pump left with its suction and discharge isolations open and reverse flow arrested by a non-return
valve.

The incident

A milk pump in creamery exploded without warning and fragments of the pump hit an operator.

Question 5.2.1

Why might this have happened?

Answer 5.2.1

The pump may have been started with closed isolations inadvertently by someone pushing the start
button or it may have been started by an auto start. It is also possible that the pump was started
deliberately but someone forgot to open the appropriate valves.

This occurrence happens with monotonous regularity.

In another example a pump was found running when the paint on the pump began to blister. The pump
was removed and opened up. The contents had started to decompose leaving a coke type material. As the
material was thermally sensitive it is a miracle that it did not result in a chemical explosion.

Key points for teaching

1. Joule was right!
2. Pumps should have some form of minimum flow recycle.
3. Pumps must not be run within closed isolations; the start should be inhibited electrically or by
procedure.

Study 5.3 Jet Reactions

The incident

Photo 5.3 shows the tail pipe from a Pressure Relief Valve, some 12 diameter, which has been bent
double. VERY FORTUNATELY the PRV reseated within a second or two, as in the state shown in the photo
the outflow would have been cut off; at best the PRV would not have protected the system and at
worst the piping might have ruptured!

Photo 5.3 A bent vent line from ICI Safety Newsletter

Cause

The piping designer had a total lack of appreciation of the reactive forces produced by vents (and changes
of fluid flow direction). The author missed his lunch that day!!!!

Background

Most tail pipes from pressure relief valves have robust supports to resist the jet reaction forces.

Key point for teaching:

Reaction forces can be enormous and piping has to be properly supported so as to resist reaction forces.
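To show how large these forces are, the following is an added worked example, not from the course notes or the ICI newsletter: it applies a steady-flow momentum balance across the open end of a tail pipe, F = m_dot * v_exit + (p_exit - p_atm) * A, with the exit state estimated from isentropic ideal-gas relations. The pipe size, mass flow and gas properties are constructed values, and the choked/subsonic split is handled so the same function serves small and large reliefs.

```python
"""Reaction force on a pressure relief valve tail pipe venting gas to atmosphere.

Added worked example for Study 5.3; it is not from the course notes or the
ICI newsletter. Steady-flow momentum balance over the open pipe end:
    F = m_dot * v_exit + (p_exit - p_atm) * A
with the exit state estimated from isentropic ideal-gas relations.
Pipe size, flow and gas properties below are constructed for illustration.
"""
import math

R_UNIVERSAL = 8314.46  # J/(kmol K)
P_ATM = 101_325.0      # Pa


def pipe_area_m2(inside_diameter_m):
    """Flow area of a circular pipe."""
    return math.pi * inside_diameter_m ** 2 / 4.0


def tail_pipe_reaction(mass_flow_kg_s, k, mol_wt, t_upstream_k, inside_diameter_m):
    """Return (force_N, choked, p_exit_Pa, v_exit_m_s) for gas leaving an open tail pipe.

    If the pipe end is choked (sonic exit) the exit static temperature is
    T* = T0 * 2/(k+1), the exit velocity is the speed of sound at T*, and the
    exit pressure follows from continuity: p_exit = m_dot R T* / (M v A).
    If that pressure would fall below atmospheric the exit is subsonic instead:
    p_exit = p_atm and the velocity follows from continuity at atmospheric
    density (exit temperature approximated by T0), so only the momentum term
    remains."""
    area = pipe_area_m2(inside_diameter_m)
    t_star = t_upstream_k * 2.0 / (k + 1.0)
    v_sonic = math.sqrt(k * R_UNIVERSAL * t_star / mol_wt)
    rho_exit = mass_flow_kg_s / (v_sonic * area)
    p_exit = rho_exit * R_UNIVERSAL * t_star / mol_wt
    if p_exit >= P_ATM:
        force = mass_flow_kg_s * v_sonic + (p_exit - P_ATM) * area
        return force, True, p_exit, v_sonic
    rho_atm = P_ATM * mol_wt / (R_UNIVERSAL * t_upstream_k)
    v_exit = mass_flow_kg_s / (rho_atm * area)
    return mass_flow_kg_s * v_exit, False, P_ATM, v_exit


if __name__ == "__main__":
    # Constructed case: steam (k ~ 1.3, M = 18.015) at 450 K relieving at 40 kg/s
    # through a 12 in (0.3048 m) tail pipe open to atmosphere.
    f, choked, p_e, v_e = tail_pipe_reaction(40.0, 1.3, 18.015, 450.0, 0.3048)
    print(f"choked={choked}, exit {p_e / 1e5:.2f} bar abs at {v_e:.0f} m/s, "
          f"reaction {f / 1000:.1f} kN (about {f / 9.81 / 1000:.1f} tonnes-force)")
```

For the constructed case the supports must resist roughly 27 kN, of which about a quarter is the pressure term that is easy to overlook; the same balance applied to a bend gives the load from a change of flow direction.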

Incident 5.4 Cleanliness is next to godliness

Question 5.4.1

What is wrong with the following picture?

Sketch 5.4 Clutter (taken from ICI Safety Newsletter)

Answer 5.4.1

Many faults can be seen. These are just a few:

1. The gas bottle should be in a restraining rack.
2. The ladder access (and egress) is littered with trip hazards.
3. Is any of the equipment contaminated?
4. Etc.
5. This picture also reflects a management problem; the message from this photo is that the
manager could not care tuppence for safety.
6. The rest of the team will get this message loud and clear, so the standards will spiral downwards.

Look round your own laboratories and you will see this picture in reality.

Other incidents can be readily found in Loss Prevention Bulletins and ICI Safety
Newsletters available from IChemE

Incident Studies - more complex studies - Lessons Learned

The following are a simplification and adjustment of some real events which have an element of lessons
learned. The tutor can give as much background as is thought fit for that class.

There are a number of other incident studies which will be given later in this section.

The following are a bit advanced and may require more background knowledge than might be expected
of a student.

Chernobyl is complex. A very good synopsis was written by Ned Franklin in tce, November 1986. The paper
is titled "The Accident at Chernobyl".

The introductory paragraph reads: "The accident at Chernobyl was brought about by a series of deliberate
actions which were either errors of judgement or disobedience of regulations in pursuit of an experimental
test. Within 60 seconds of the start of the test there had been a gross but localised excess of power
generation with insufficient cooling, a steam explosion and disruption of the whole top structure and
shielding of the reactor ..."

The RBMK reactor was potentially unstable below about 20% of rated capacity. This was known and that
zone of operation was forbidden.

The local electrical grid was prone to interruptions so an experiment was derived to bridge the power gap
between the interruption and the emergency power generators coming up to speed. This gap would be a
few seconds. The experiment was to use the kinetic energy in the turbo-alternator, as it ran down to
produce electricity. The frequency would fall but be adjusted by thyristor controls.

It appears that the experimental programme had not been planned in detail; more importantly, the
contingency planning for the experiment was nil. The preparation started at 01.00 on 25/4; this initiated a
positive feedback to the reactor in the form of reactivity and neutron flux. At 02.00 the emergency cooling
loop was disconnected from the forced circulation loop. Then there was a request to delay the unit test as
there was an interruption to the power supply to the area. At 23.10 (nearly a day later) they were unable to
reduce power further. This created unstable conditions. (Basically, if in doubt go to a known stable
condition and think it out!)

24 hours after the start it was possible to stabilise the conditions, but still in the unstable regime; because
of the poisoning of the reactor it was difficult to control and control rods were withdrawn. At some point
the staff over-rode the emergency protective system (Help!). The control required was equivalent to inserting
30 control rods. At this point the reactor should have been shut down according to procedures.

At 01.23 plus 4 seconds the stop control valves to the generator were closed. "... The available emergency
protection for closing the stop control valves ... had been over-ridden so as to afford the possibility of
repeating the test if the first attempt failed." This was a deviation from the test programme. Following this
the thermal power started to increase. At 01.23 plus 40 seconds the instruction was given to press the
emergency protection button, which would insert all control and emergency rods into the core. The rods
did not descend fully. Maybe they were distorted by the experiment; then there was a steam
explosion.

The steam explosion resulted from heating of the fuel rods and the softening of their containment
(zirconium). The boiler water and white hot fuel mixed and the sudden and violent evolution/generation
of steam resulted in the roof of the reactor containment being blown off. There followed some hydrogen
explosions which resulted from the reaction of zirconium with steam/water.

Following this incident the predictions were for 10,000 premature deaths, mostly from thyroid cancers. To
date the evidence suggests that this was too high. However, it is of note that the premature deaths
following Bhopal are in the region of 15,000 but no one talks about that event!

This case could be delivered as a simple transcription of the article (without the introductory paragraph
quoted above) and then questions set such as:

1. Was the experimental plan properly thought out?
2. What are the KEY safety features which must not be violated during this experiment?

Three Mile Island is also a nuclear incident but could be of use. A good synopsis is to be found in ICI Safety
Newsletter 156.

LPB 102 gives a very useful case study on pages 17 to 19 involving the decomposition of organic peroxides
and the resultant oxygen rich atmosphere. It may be a little complex for BEng students but it might be
possible for the MEng students to unravel the threads.

Essentially an inerting system was inadvertently taken out of use while a compressor was repaired. As with
many incidents, the team did not recognise that there was a potential dead pocket while the compressor
was off line. Oxygen rich hydrocarbons accumulated in the tank below the sample point (O2 MW 32;
hydrocarbons MW over 56, e.g. butane).

Key points for teaching

1. All maintenance has to be carefully planned.
2. All maintenance has to be carefully risk assessed, as all maintenance carries an element of risk.
3. As the oxygen in the supporting atmosphere rises, so the ignition energy falls. This was found in
the Apollo 1 static fire disaster in the late 1960s.
4. LPB 102 was published after the Apollo 1 disaster. Did the company know of this incident and did
they relate to it?
5. Lessons learned MUST BE circulated and read again and again.
6. This is the main message of these incident studies.

Bhopal is a very complex incident which still creates much debate. Essentially water entered the storage
for methyl isocyanate (MIC) and catalysed the exothermic decomposition of the material. There were a number
of contributory causes:

1. A refrigeration unit was not available due to a lack of spare parts.
2. There is debate as to the availability of an absorber unit in the vent system and also a flare stack
(thermal oxidiser).
3. Some of the material had been contaminated with chloroform, which was a catalyst to the
decomposition.
4. How the water entered the process is as yet still uncertain. Many theories have been proposed
but none proven with certainty!

The main features of the incident were:

1. The amount of MIC stored was excessive and violated the INHERENT SAFETY PRINCIPLES.
2. The public had moved towards the site and occupied what would be called a cordon sanitaire.

The PEMEX incident in Mexico City has many of the features of the Buncefield explosion.

There was a rather gruesome video titled "The Day the Earth Caught Fire" narrated by Orson Welles. This
may not be available to most colleges. Some of the shots show partially cremated bodies, so if it becomes
available it may be necessary to carry out some prudent cutting/editing!

Essentially a large LPG storage and bottling facility expanded over the years until there were at least 4
large spheres and over 50 bullets (large horizontal storage vessels). As the site expanded the local housing
moved towards the site (Bhopal again?). The process relief was burned off in a remote ground flare. This is
not uncommon in such facilities and can be found on sites in the UK.

As with Buncefield the stored material was produced some distance from the site and transferred to the
storage/bottling site by pipeline.

One day there was a major leak of LPG. It is not clear if this was a joint leak or a pipeline rupture. The
flammable gas cloud drifted towards the ground flare where it ignited some minutes later. The resultant
fire generated a domino effect of rupturing (BLEVE) vessels. This suggests that the initial leakage was
from a ruptured line. The causes of this are open to debate; it is unlikely that it was a trapped section of
line without pressure relief as the leak would have died off quickly. It is more likely to have been a
corroded line but the evidence is not available. It might appear that there was little (or no) remote
isolation as the leak was not arrested.

The domino resulted in the rupture (BLEVE) of at least 4 spheres and most of the bullets. One section of a
bullet travelled over 2 km.

The thermal pulse from a rupturing sphere would have been sufficient to kill anyone near the site fence.
Houses were set on fire and over 500 persons were killed.

The damage profiles were such that most if not all of the site evidence was destroyed.

1. Was the leak site a line rupture and if so why? Was it due to corrosion and if so why had it not
been spotted on inspection? (Was there any inspection of the piping in any case?) (See also
Stockline Plastics, Maryhill, Glasgow.)
2. Was there any semblance of sectional or remote isolation? The answer is probably no.
3. Was a ground flare appropriate? The answer may be yes.
4. Was there any structured planning of development outside the site? The answer is certainly no.
5. Could this event occur in the UK? A good question: large storage will come under COMAH, but
what about storage of camping gas cylinders at garden centres?

Clearly this installation would have failed the UK Safety Case. Mmmmmm! But the Buncefield Safety Case
was accepted! Mmmmmmm!

Other Incident studies

There are potentially other useful studies in the BBC Disaster series and in the US Chemical Safety Board
(CSB) series. They can be played a number of ways to achieve an objective. However, it is important that
the study does not ignore the risk factor and that it differentiates the regulatory and cultural differences.

Each study has to be looked at carefully.

In the case of the Disaster series some of the quoted facts are inaccurate ("don't let the facts get in the
way of a good story") and in the case of the CSB there is a different cultural and regulatory regime which
may confuse the analysis.

The Challenger disaster (BBC) was due, mainly, to the fact that the Solid Rocket Boosters (SRB) were
manufactured by Morton Thiokol and the contract was up for renewal. The pressures were immense!
There was some evidence taken from the web which showed that the blow-by erosion on the seals in
the SRBs DID increase with a reduction in ambient temperature. The data were a bit of a scatter but there
was a trend, and the conditions on the launch day were well outside the bounds of the data set.

There was the traditional "gung ho!" approach which might not apply in the UK, and some of the decisions
were made at a high level without involving those who had all of the data, in this case the blow-by data.
The telling comment is "make a management decision"; note management, not technical!

The "lock all doors" instruction is also procedural, so as to preserve all data without any risk of corruption.

The Piper Alpha disaster (BBC) "Spiral to Disaster" has a number of inaccuracies which are discussed earlier.

The causes were:

1. Poor MoC
2. Poor design
3. Poor PtW
4. Poor isolation and control
5. Poor operating procedures
6. Poor emergency procedures
7. Poor practice of procedures
8. Poor planning of the fitting of the new riser (link between the platform and the sea bed)
9. Poor communication, platform to beach, inter- and intra-platform
10. There must be more!!!

The T2 (CSB) incident has a mix of cultural and regulatory differences. It could occur in the UK but it is less
likely. A (confidential) incident did enter the exothermic regime and, although the pressure relief was
designed to DIERS, it did explode with fatal consequences. All the right things were done but they did not
work as intended.

Texas City (CSB) misses a few critical aspects. Yes, there was operation outside the prescribed bands. Yes,
the supervisor was not present. Yes, there was confusion as to the base level. There were a number of
other factors discussed earlier.

Part I

HAZARDS STUDIES ON A NEW PROJECT

A template which can be followed during the Final Year Design Project.

Introduction

Hazard Studies are a systematic means of identifying the SHE (Safety Health and Environment) issues in
a project (or even a work plan). They are phased in such a manner that the issues can be identified and
resolved in a timely manner without disruption to the development of the project be it a major one or a
simple plan of work. They are the SHE backbone of all projects and this will include the Final Year Design
Project.

In reality a major project could be as long as 5 years from the concept being raised to the final start-up. As
a result the Hazard Studies process may not be obvious, but it is being carried out in the background.

Recap: The main studies are:

0 Inherency
1 Concept
2 Front End Engineering Design
3 Detailed design
4 Construction
5 Pre-start-up
6 Post start-up (Lessons Learned)
7 Demolition

0 Looks for the inherently safer or environmentally desirable features that should be considered
at the research stage.
1 Looks at the real show stoppers in the concept. If one is found the project should be cancelled!
2 Looks at the possible problem areas that need to be solved in the detailed design. It also addresses
the overall risk assessment.
3 Looks at the finer details and covers a whole series of studies including Pressure Relief, HAZOP
and Hazardous Area Classification, just to name 3!
4 Asks the question "Was it built as intended?" This will involve a section by section assessment of
the plant against the construction drawings.
5 Asks "Are all of the procedures and training in place?"
6 Asks "What did we learn that was good and bad?"
7 Asks "How do we demolish this safely?" Some of the questions may result in a change to the
design to facilitate demolition.

Clearly 7 could feed back to 3. (If this were done in the nuclear industry the abandonment of the first
generation power plants would be much easier (and cheaper).)

Timing a design effort

As the detail of the design becomes clearer the cost and the number in the design team increase rapidly. For
a major project (10,000,000 or more) there may be only 10 persons in the team at the concept stage but
1000 at the detailed design stage. Clearly the problems MUST be solved before they become a drag on the
project progress and before costs are incurred due to delays or late design changes in the project. The Hazard
Studies are designed to do just that.

Template: Hazards Studies on a New Project

There is no complete example of the hazard study process available to Academe. This document is an
illustrative example of the multi-stage Hazard Study process as applied to a simple synthetic study
taken from the IChemE booklet "Practical Risk Assessment". It is based on the repair to a chemical sewer
which feeds an effluent treatment plant. The sewer receives hot effluent from a number of chemical
plants on the site. Some damage in the form of cracked and damaged concrete has been found in the
drain at the bottom of a manhole, as illustrated in Figure 1. The cause of the damage is not clear at present
but is likely to be attack from the fluids (chemicals) in the sewer.

Figure 1 Simplified Sketch of the Sewer to be Repaired

This will use the numbering sequence as shown earlier.

Study 0 - Inherency

What is the inherently safer and environmentally friendly solution?

It might be suggested that the inherently best solution is to shut the whole site down or to carry out the
work during a site turn around. These can be dismissed as impractical for this study on both timing and
urgency for the repair.

Study 1 Concept

Before we can move into a possible solution it is necessary to know the cause of the damage. How might
this be done? If this question is not answered the project cannot be developed!

First, it will be necessary to inspect the damage in more detail using a remote camera. Second, it would be
desirable to have a sample of the damaged concrete taken by a remotely operated arm for analysis of the
damage and of the original composition of the concrete (was it a poor mix?). Finally, it is necessary to have a
listing of the materials that enter the sewer and whether there is any possible reaction between an
individual compound and the concrete. It is possible that the damage was due only to the temperature of
the fluids in the sewer, but it is more likely to be due to attack from the chemicals. Damage by thermal
effects should also be considered.

After a lot of work in the preliminary studies let us assume that following the chemical survey the problem
is identified as attack from the chemicals and it was not a thermal effect. This means that the whole sewer
may require replacement over time but the objective now is to keep the site in operation in the short
term.

With the constraints imposed the only real solution is to by-pass the damaged section using a pump and to
physically isolate the damaged manhole using expandable plugs or bungs fitted in the appropriate sides
of the upstream and left side of the downstream manholes so as to isolate the damaged section of sewer.

Is the repair to be done remotely or by human contact? Both can be done; modern remotely operated
arms are nearly as flexible as humans, but for this exercise it is to be assumed that after a lot of
consideration human intervention would be more effective than a remotely operated repair. This also
allows a template to be developed into a usable document.

Is pumping fluids from one manhole to another viable? It is done many times in pumping out
excavations.

There appear to be no real "show stoppers". The concept can now proceed to front end engineering
design (FEED).

Study 2 FEED

What are the risks and how can they be reduced to as low as is reasonably practicable (ALARP)?

1. Collapse of the manhole: Does the manhole that is being entered require to be braced (shored up)
against collapse? (This is not likely but a full risk assessment by a civil engineer is required.)
Solution (if necessary) - design a steel bracing; the materials of construction must be compatible
with the fluids in the sewer. This can be done as the chemicals that might attack the steel are
known from the chemical survey in stage 1. It will now be possible to specify the materials of
construction.
2. Preventing ingress to the area for repair: Solution - seal the two ends at the upstream and
downstream manholes with a remotely fitted bung. Bungs are available but the materials of
construction must be compatible with the chemicals in the sewer. Sealing is possible, and as the
chemicals that might attack the bung have been identified in the chemical survey in stage 1 it
will be possible to specify the materials of construction.
3. Pumping out from one manhole to another: Solution - choose a pump. What type of pump should be
used? A diesel driven pump or an electric motor driven pump? Are there any implications for the
hazardous area classification? The chemicals that might be in the sewer were identified in the
survey in stage 1, so the materials of construction of the pump can be specified. See also 4 & 5
below.
4. What about the humans? From the chemical survey in stage 1 the likely toxic (and corrosive)
materials have been identified. From this it should be possible to specify the PPE. However, can we
be absolutely sure that there is no other possible source of fume that might enter the manhole
while the work is being done? This will initiate another study. Can an emergency exit from the
manhole be devised using a harness, lifting frame, stand-by man and block and tackle? This is a
fairly well-practised means of escape.
5. Finally, can some form of chemical resistant epoxy resin be identified? What fumes might be
released from the epoxy resin and what are the effects on humans? (Many have a spirit base.)
Does this mean that the PPE must include lung (BA) as well as body protection?

OK, it appears that so far there is no real impediment to the concept. The hazards have been identified
and practical solutions are available. FEED can now proceed to Detailed Design.

Study 3 - Detailed Design

There are one or two pieces of detail that are required to finalise the design.

1. What is the MAXIMUM and MINIMUM flow in the sewer? Does this influence the controls such as
minimum flow of the pump around pump or can the pump be operated on cavitation control?
2. Are there any special requirements for the pump seal? (The seal may be operating under a
negative pressure).
3. What is the vapour pressure (temperature influenced) of the effluent? Does this influence the
NPSH of the pump around pump?
4. Is an ejector required to prime the pump?
5. How is the residual fluid at the bottom of the manhole to be repaired to be removed?
6. What other sources of fume might there be?
7. What is the likely duration of the job from start to finish? Does this require a standby pump? Further,
does this influence the amount of fuel in store if it is not electrically driven?
8. If it is not an electrical pump what are the required fire fighting facilities and also spill recovery if
fuel is spilled (drip trays)? (Loss Prevention & Environmental Protection).
9. Will this job involve some limitations to the traffic in the area and what is the impact on the access
of emergency services to other parts of the site? What alternative routes may be required? What
signage and warning signs are required? What lighting is required both outside and inside the
manhole?

There is a whole list of actions flowing from stages 2 & 3. The major ones (as expected) arise in stage 2
and the fine trimmings are in stage 3.

It is now necessary to carry out a few extra studies:


1. HAZOP on the pumping system, including priming, minimum flow and control.
2. Is one pump needed or should there be a standby? (Could be part of Study 2.)
3. Hazardous Area Classification: this may not be significant but it is a necessary operation. Does
this impact on the pump specification and the lighting?
4. Impact on the emergency services, rerouting and signage? Who should be informed and when?
Should the emergency services be given a site tour to familiarise themselves with the changes? Do
the emergency services have any specific requirements? Are there alternative access routes?
5. What area should be closed off to personnel with barriers or tapes defining a no entry
construction site?
6. Are any closures required of roads used for routine access? Are there alternative access routes?
7. Specify the PPE: body protection and breathing air (BA).
8. Define the emergency exit and standby personnel.
9. Define the capacity of fuel storage.
10. What fire fighting and spill control/recovery features are required?

It has been assumed that the job is to be done with human intervention. At the end of this study we can
specify:

1. The bung & materials of construction.
2. The pump & control and the materials of construction for piping and the pump itself.
3. Hazardous Area Classification.
4. Any new emergency service routing.
5. Any road closures.
6. Roped off areas.
7. The manhole support structure - very unlikely but will depend upon the report/assessment by the
civil engineer.
8. Materials for the repair.
9. The escape device.
10. PPE and need for BA (it is more than likely that this will be required). How many air bottles may be
required?
11. Fuel requirement, fire fighting & spill control.
12. Lighting.

Study 4 Construction

1. Was it built as intended?
2. Have the emergency procedures been written?

Stage 5 - Ready to go?

1. Have the emergency services been notified of D day?
2. Double check everything is in place and everyone trained in what they are required to do in an
emergency.
3. Has the repair team been trained in the use of BA, harness escape, emergency signals?
4. Does the repair team know what has to be done and the scope of their work?
5. Has the PTW been issued? Has this been discussed with the work team?
6. Has the entry permit been issued? Has this been discussed with the work team?

Study 6 - Lessons Learned

1. Even the construction of this note has been educational: there is more to be done than was first
thought!
2. The structure of the HAZARD STUDIES was valuable in devising this exercise.

Study 7 Site Restoration (Abandonment)

In this case it is very unlikely that the site restoration will be complex but attention to this phase during
the design process would be beneficial.

1. Rubble for a hard standing may need to be disposed of.
2. Rubble may require to be cleaned if contaminated with oil/diesel oil.
3. The pump will require to be decontaminated.
4. Any equipment/PPE used in the manhole may require to be decontaminated.

If the spill/drip tray is designed properly (stage 3) there should be no need for decontamination of the
rubble (2).

This analysis might appear to be overly complex (OTT), BUT if the job were to go pear
shaped what would you say to the Judge and Jury? Think about it!!!!

Disclaimer:

This study was devised as a working exercise and as a possible template for the final year Chemical
Engineering Design Project, but cannot be used in any specific case.
