- 1-1 Engineering Ethics
- 1-2 Myths about Process Safety
- 1-3 Safety Culture
- 1-4 Individual Risk, Societal Risk, and Risk Populations
- 1-5 Voluntary and Involuntary Risk
- 1-6 Safety Metrics
- 1-7 Accident and Loss Statistics
- 1-8 Risk Perception
- 1-9 Risk Tolerance/Acceptance and Risk Matrix
- 1-10 Codes, Standards, and Regulations
- 1-11 Safeguards
- 1-12 The CCPS 20 Elements of Risk-Based Process Safety
- 1-13 Inherently Safer Design
- 1-14 The Worst Chemical Plant Tragedy: Bhopal, India, 1984<sup><a id="ch01fn13_r" href="ch01.xhtml#ch01fn13">13</a></sup>
- 1-15 Overview of Chemical Process Safety
- Suggested Reading
- Problems
This chapter is from the book
This chapter is from the book
This chapter is from the book
1-11 Safeguards
Figure 1-4 shows the sequence of events in an incident. The hazard is shown on the left side of the figure, and the consequences are shown on the right side. The initiating event, or cause, may be “a device failure, system failure, external event, or improper human inaction that begins a sequence of events leading to one or more undesirable outcomes.”7 It is usually caused by internal plant events such as operational problems, equipment failures, human error, and design deficiencies, to name a few possibilities. The initiating event may also be caused by events external to the plant, including natural phenomena such as lightning strikes, floods, tornadoes, or other influences outside the plant boundaries.
)
Figure 1.4 The sequence of events causing a hazard to result in an incident with consequences.
The enabling conditions are “operating conditions necessary for an initiating cause to propagate into a hazardous event. Enabling conditions do not independently cause the incident, but must be present or active for it to proceed.”8 An enabling condition makes the beginning of the scenario possible. Such conditions are represented as probabilities—for example, the probability of a unit being in a particular state of operation (e.g., recycle mode, startup), the probability that a particular raw material or catalyst is in the process, or the probability that the temperature or pressure is within high or low values.
Conditional modifiers are conditions that occur after initiation and impact a step in the sequence either before or after the incident has occurred. They could include weather conditions (wind direction and speed), presence of people, and probability of ignition, among other factors.
Chemical plants use several types of safeguards to prevent incidents or to reduce the impact of an incident. Once an initiating event has occurred, safeguards come into play, as shown in Figure 1-4. A safeguard is a design feature, equipment, procedure, or even software that is in place to prevent or mitigate the consequences of an initiating event. Two types of safeguards are distinguished: preventive and mitigative. A preventive safeguard (also called a protection layer) intervenes after the initiating event to stop the event from developing further into an incident. A mitigative safeguard is a safeguard that reduces the consequences after an incident has occurred. Thus, preventive safeguards stop the propagation of the initiating event to an incident while mitigative safeguards reduce the consequences after an incident has occurred. Table 1-17 lists a variety of common preventive and mitigative safeguards used in the chemical industry.
Table 1-17 Common Preventive and Mitigative Safeguards Used in the Chemical Industry
Preventive Safeguards: Prevents an initiating event from proceeding to a defined, undesirable incident; also called a protection layer.
Mitigative Safeguards: Reduce the consequences after an incident has occurred.
|
Source: Guidelines for Risk Based Process Safety, AICHE Center for Chemical Process Safety (Wiley, NY), 2007.
In reality, not all safeguards are 100% effective or are working all the time. Figure 1-5 shows these safeguards as slices of Swiss cheese, where the holes represent defects in the safeguards. These kinds of defects in safeguards are dynamic and can come and go—that is, the “hole” size can change with time and even move around on the Swiss cheese. Only a few Swiss cheese safeguards are shown in Figure 1-5 to simplify the figure—the actual number of safeguards depends on the magnitude of the hazard.
)
Figure 1.5 Swiss cheese model showing defects in the safeguards. If the defects line up, an incident will occur with resulting consequences.
Preventive maintenance of equipment at specified frequencies is designed to ensure that safeguards work properly, even as equipment ages. Only one preventive safeguard must work successfully for the incident to be stopped. Since multiple safeguards are present, if one safeguard has a defect, the initiating event will propagate through the defective safeguard but will be stopped by another safeguard. If the defects or “holes” in all the preventive safeguards line up, however, then the initiating event will propagate to an incident. Many well-known catastrophic incidents have occurred with many safeguards in place.
Once an incident has occurred, consequences are expected, although they might be minimal at this point. If mitigative safeguards are lacking, it is possible that the incident could expand in scope. For instance, the incident might be the leak of a flammable liquid from the process to the surroundings. If the flammable liquid ignites, then a fire or explosion might occur, greatly expanding the consequences. Thus, the mitigative safeguards, in this case, are intended to prevent the ignition of the released flammable liquid and the expansion of the consequences. In this example, the mitigative safeguards might be foam, water sprays, or other fire protection methods to prevent ignition.
It is possible that the mitigative safeguards could completely contain the incident and prevent it from increasing in scope and consequences. However, if some of the mitigative safeguards are not working or not effective, then additional consequences are expected.
Mitigative safeguards may be effective for only a specific incident outcome. For instance, safeguards designed to reduce the probability of ignition of a flammable material may not be effective in reducing the toxicity of the vapor if it does not ignite.
To see how preventive and mitigative safeguards work together, consider the following example: A chemical reactor vessel can be damaged by the effects of high pressure, maybe even resulting in the destructive bursting of the reactor vessel. The basic process control system (BPCS) controls the operation of the reactor to prevent high pressure. However, high pressure can arise from many sources—almost too numerous to completely prevent using the BPCS. Thus, reactor vessels are also equipped with relief devices in the form of spring-operated valves that open with high pressure, discharging the reactor contents to reduce the pressure. The BPCS is a preventive safeguard since it prevents the buildup of pressure in the reactor—but it cannot be expected to work all the time or to handle all possible situations. The relief device is a mitigative safeguard since it operates after the high-pressure incident has occurred and reduces the consequences of the incident. As a result of the relief device’s actions, the consequences of the high pressure incident are loss of product from the reactor and a clean-up of the relief discharge. Without the relief device, the consequences of the high-pressure incident might be permanent pressure damage to the reactor vessel or maybe even destructive bursting of the vessel, leading to substantial damage to the surrounding equipment and workers. Since there are many ways for high pressure to build up in a reactor vessel, many preventive and mitigative safeguards are usually present.