Safety analysis of the Priolo ethylene plant. SYMPOSIUM SERIES NO. 110 SAFETY ANALYSIS OF THE PRIOLO...

I.CHEM.E. SYMPOSIUM SERIES NO. 110

Achehsge

fmuwcdath

Ieip

*S

SAFETY ANALYSIS OF THE PRIOLO ETHYLENE PLANT

J.G. Sellers*, D. Beltrame# and G. Picciolo+

A major ethylene plant suffered a major accident resulting in a shutdown of nearly one year. In the early stages of rebuilding, the owner commissioned a safety report both to satisfy Italian regulations for the control of major industrial hazards and to achieve safer and more reliable operation. A hazard and operability (HAZOP) study to identify potential incidents was followed by quantification of the onsite and offsite risks, and a risk-reduction analysis to assess the improvements in safety from various recommendations. A review of alternative techniques for conducting the safety analysis provides some guidance on appropriate choices.

lthough safety has always been taken very seriously during the design, onstruction and operation of process plants which handle potentially azardous materials, recent European legislation now requires the operator of ach 'major hazard' plant to prepare a 'safety case' describing the potential azards and the measures taken to handle them safely. The regulations differ omewhat in each country of the European Community, but the requirement enerally applies immediately to all new plants and, by mid-1989, to all xisting plants.

The content of a safety case is clearly defined in respect of certain actual information, such as the inventories and properties of hazardous aterials, and the conditions of temperature and pressure in which they are sed. However, the regulations do not specify in such detail the information hich will enable the authorities to judge whether or not there is adequate ontrol of the hazards; discussions between operators and authorities will oubtless continue until there has been considerable experience in preparing nd reviewing safety cases. In this paper, we describe the approach which we ook to prepare the safety case for a major plant with a large throughput of ighly flammable materials.

THE ETHYLENE PLANT

CAM S.p.A. (now EniChem Base S.p.A.) operates a 600,000 tonne per year thylene plant, which was commissioned in 1981. It is located in an ndustrial zone at Priolo on the eastern coast of Sicily, adjacent to other etrochemical plants operated by another company. As shown in Figure 1, the

Arthur D. Little Ltd., London, # Technipetrol S.p.A., Roma, +EniChem Anic .p.A., San Donato Milanese, Italy

469


principal feedstocks for the plant are naphtha and gas oil; these are cracked to produce ethylene, propylene and other co-products, which are recovered, purified and sent offsite by pipelines to storage and to consumer plants. The plant incorporates many safety features designed to reduce the size and possible escalation of any incident. Even so, accidents can still occur when large quantities of highly reactive materials such as ethylene are being handled - indeed there was a major accident during 198 5 in the cold end portion of the plant which resulted in a plant shutdown of nearly one year to rebuild certain major equipment items.

THE SAFETY ANALYSIS

In the early stages of rebuilding, ICAM decided to prepare a safety report for the ethylene plant and sought assistance from both the engineering contractor who had designed the plant and from an international safety consultant. The safety report had to meet two requirements:

• To satisfy the regulations which, in the case of Italy, are set out in Decreto Ministeriale n.246 of August 2, 1984.

• To help the owner to operate the plant more safely and reliably.

It was felt that a 'high-level' study, based on inventories of hazardous materials, identification of the areas which might be affected, and general discussions about the control and safety systems, might meet the formal requirements of the regulations. It would not, however, help the owner to decide how to Improve the plant, nor would it enable the authorities to assess whether the integrity of the plant was sufficiently high to protect people living and working in the vicinity. A more detailed approach was therefore selected, consisting of three parts:

• In a hazard and operability (HAZOP) study, many potential incidents were identified and recommendations for mitigation were produced, most of which the owner accepted. He requested further advice on certain changes which would be difficult to introduce into the existing plant.

• In a risk analysis, the onsite and offsite risks were quantified, on the assumption that the recommendations accepted by the owner had already been implemented. This analysis showed risk levels generally comparable with those occurring in and around other modern facilities designed to handle hazardous materials in a safe manner.

• A risk-reduction analysis was conducted to assess the improvement in safety if the owner were to implement each of the outstanding recommendations from the HAZOP study. This showed a reduction of about one third in onsite risks and a similar effect offsite if all the recommendations were implemented, but also showed that nearly all the reduction in risk derived from less than ten per cent of the recommendations. •

The techniques of HAZOP study and risk analysis are described by Trevor A. Kletz in "HAZOP & HAZAN - Notes on the Identification and Assessment of Hazards" (The Institution of Chemical Engineers, U.K., 1983); the ways in which those techniques were used for the ICAM ethylene plant are now briefly discussed. (A paper describing the study techniques in more detail is available from the authors).

470


Hazard and Operability Study

The HAZOP study was carried out on site by a small multi-disciplinary team of engineers. A risk management consultant with long experience of HAZOP studies led the team, which consisted of the technical specialist responsible for the operating efficiency of the plant, an operating supervisor from the plant, a process engineer from the plant design contractor, and a safety/instrumentation specialist. Because there were about 120 piping and instrument diagrams (P&IDs) for the plant, the team considered studying only those systems where upsets might lead to serious accidents. However, ICAM decided that the greatest benefit for plant operation as well as safety would be achieved by studying all the P&IDs. As a result, the study took 50 three-hour sessions, i.e. two sessions per day for five weeks. Outside the formal study sessions, the plant personnel dealt with essential duties and assisted the process engineer to answer the HAZOP queries, while the consultant documented the study and prepared for the next session.

The HAZOP study started with the feed to the plant, following it across the different P&IDs as it went through various processing and storage stages - we find this more effective than attempting to complete each P&ID in turn without having already reviewed the upstream sections of recycle or heat recovery streams. In the usual way, each line and equipment item was examined critically for areas where deviations from normal operations can lead to undesired outcomes, whether in safety or operability.

This first stage of the safety analysis - the HAZOP study - was of course qualitative - i.e. the experience of the team was used to judge If a particular accident event were:

• So unlikely ("non-credible") or of such low consequences (no hazard) that no further action was needed.

• One which would have serious consequences if failure occurred, and where the probability may be sufficiently high for the risk to be significant - such cases were subsequently evaluated in further detail, as discussed later.

• Such that a clear recommendation could be made to improve safety or operability.

HAZO? Recommendations. When a group of experienced engineers conduct a HAZOP study on a complex plant which was designed in the mid 1970s and commissioned in 1981, it may be expected that they will identify changes to equipment and procedures which, in their judgement, will improve the safety or operability of the facility. Such was the case here and many such changes were recommended.

To assist ICAM in evaluating the safety recommendations, the HAZOP team ranked the corresponding risks into three priority classes - high, medium and low - both before and after modification. Assignment to these categories, which are shown in Table 1, was based on the frequency and severity of the potential consequences using the team's judgement, and not on any formal quantification. The team also estimated the approximate capital cost, if any, to implement each recommendation.

471


TABLE 1 - Severity and Frequency Classifications for HAZOP Recommendations

SEVERITY OF EVENT//

Description

Fatalities

Damage Cost* $million

FREQUENCY OF EVENT

Negligible Marginal Substantial Critical Catastrophic

0 0 1 2-10 >10

<0.1 0.1-1 1-10 10-100 M O O

PRIORITY FOR IMPROVEMENT

Rare Low Low Low Low Medium (less than once in 1,000 years)

Infrequent Low Low Medium Medium High (once in 10 years to once in 1,000 years)

Occasional Medium Medium High High High (more than once in 10 years)

Notes:

# The severity of an event is based on the fatalities or the cost, whichever is the more severe. The categories do not imply the value of a life, but attempt to equate their impacts.

* Cost of repairing damage, i.e. materials plus erection expenses.

Certain of the recommendations were generally applicable across the ICAM ethylene plant and frequently reflected 'best current practices' for equipment and procedures which had evolved since the time of the design - for example:

• Remove or disconnect equipment or piping which is no longer used, to reduce the possibility of leaks or major releases. Priority : medium

• Provide a highly reliable power supply for all motor-operated valves (MOVs) which may be used as remotely operated block valves (RBVs) in emergency situations. All the MOVs will be fed from the preferential power supply, with the entire system (cables, actuator, motor and valve) duly protected against fire. Priority : high

• Establish a procedure to 'car seal open1 (CSO) the inlet seawater valve on all seawater-cooled exchanges whenever there is process fluid in the exchanger, unless the process side cannot exceed a pressure of 7.5 kg/cm2. The procedure for preparing such exchangers for maintenance must ensure that the process side is isolated and drained before the seawater side is isolated, with reinstatement in the reverse order.

472


This is to protect the exchangers against tube rupture. Priority : low

• Improve integrity of the low pressure steam purge system used extensively in the hot section to prevent cooking of instruments and bellows. ICAM proposes to CSO the main steam purge valve and to introduce a procedure to check that the steam purge valves on each furnace are open before furnace startup. The steam purge pipes will be felt by operators routinely to check that they are hot. Priority : medium

• CSO inlet block valves on the lines used to inject firefighting foam to storage tanks. The foam injection systems are upstream of these valves and would be inoperative if the inlet block valve were closed. Priority : medium

• Install check valves in the steam supply to all steam-heated exchangers when the process pressure exceeds the steam pressure. This will minimise the flow of process fluid back Into the steam supply system and reduce the possibility of escalating an incident. Priority : medium

• Provide detailed check lists for infrequent critical operations, such as recommissioning of a furnace, swinging of reboilers, driers and reactors, and start-up of big compressors, to minimise the likelihood of error. Priority : medium

There were also many specific recommendations which the team divided into two types, depending on whether they related principally to safety or to operability. The classification could not be rigid - many of the safety-related items also had a significant operability impact through plant downtime, and accidents frequently occur during plant shutdowns due to operating problems.

Risk Analysis

The HAZOP team selected, for further study, accidental events which they considered might contribute to the overall risk - i.e.:

• The consequences of the event were sufficiently large that it might cause casualties.

• The probability of the event occurring was sufficiently high for it to be considered credible.

About 180 events were identified for further study. These included events which might result in pool fires, vessel explosions, vessel ruptures, jet fires, tank fires, vapour cloud fires and explosions and boiling liquid expanding vapour explosions (BLEVEs).

As the study progressed, many of the 180 events were eliminated from further consideration - for example, when modifications were authorised to the plant or procedures, when quantification of the consequences showed an event to have negligible effect or when preliminary quantification showed that the probability of the event was very low. The risks of some 40 accidental events were quantified. This work was done by the safety consultant, but reviewed in detail by ICAM and their design contractor.

The risk analysis was carried out in four steps:

473


• Quantification of the frequency of the event, using fault tree analysis. The failure rates for human errors and equipment were based where possible on information supplied by ICAM or, where insufficient data were available, on information reported in the literature or collected by the safety consultant during other relevant studies.

• Quantification of the consequences of the event, first setting criteria for potentially fatal consequences of thermal radiation, vapour cloud fires and explosions, then using hazard models to assess the hazard ranges of the possible outcomes of each event.

• Combining the frequency and consequences of each event to estimate risk levels both onsite and offsite. Offsite hazard contours were developed by combining all the individual results, taking account of factors such as release frequency, consequences, local distributions of wind direction and atmosphere stability, location and intensity of ignition sources, relative probabilities of flash fire or blast overpressure in an ignited vapour cloud. These hazard contours showed the annual chance of being exposed to a hazard level which is potentially fatal. As well as calculating offsite hazards, fatality rates for plant employees were developed by estimating the probability that a fatality would result from each particular incident.

• Comparison of those risks with other occupational and societal risks to help ICAM and its authorities to judge whether or not the risks seemed acceptable. None of the events which might occur in the ICAM ethylene plant had the potential to affect residences in the neighbouring city so this was not a concern. The risks for travellers in the vicinity were not significantly increased above the normal risks of travelling. Finally, the risks for employees were comparable with process-related occupational risks in the oil and chemical industry (we recognise that ethylene plants have a higher loss rate than 'typical' oil and petrochemical plants but were unable to identify fatal accident rates specific to this type of unit).

Risk-Reduction Analysis

Using the qualitative judgement of the HAZOP team, it had been relatively easy to prioritise their recommended improvements to equipment and procedures; many of these recommendations were implemented very quickly by ICAM, either before the plant restart or at the first opportunity later. However, there were others which could not be implemented so readily in the existing plant so ICAM requested more quantitative assistance in setting priorities. This was done after the risk analysis by calculating the further reduction in risk which would be achieved by each of the major remaining improvements, and it was clearly shown that about ten per cent of the remaining recommendations would reduce risk levels by about one third, but that the other 90 per cent had little effect on risk. Thus, ICAM was able to concentrate on implementing the key risk-reducing recommendations; the recommendations with little impact on risk could then be considered for implementation against other criteria such as better operation, good practice, or simpler maintenance.

BENEFITS OF THE SAFETY ANALYSIS

This study was a major investment by ICAM in staff time and consulting fees, so it is important to question whether the benefits were worthwhile. The first objective - that of producing a safety case to satisfy the

474


regulations - was clearly achieved, but it is also certain that ICAM has gained a great deal of information which will help it to operate the plant more safely and reliably.

The key factor in achieving this second objective was the close and enthusiastic involvement of ICAM, particularly by assigning operating and technical specialists from the plant as members of the HAZOP team; indeed, this is the part of risk analysis which many plant owners consider to be of the greatest value. However, the ICAM technical specialist was also strongly supportive of the role of risk quantification in ranking the recommendations - without a cost-benefit analysis, safety costs can be limitless.

There is no doubt that the size of this study reflected the complexity of the ICAM ethylene plant and the particularly hazardous nature of the materials handled there. Much shorter studies are required for simpler plants or ones handling significantly smaller quantities of hazardous materials.

Could the safety analysis have been done differently?

There are various ways to approach such a study and it is instructive to review these in retrospect.

Overall organisation of the study. The approach used is outlined in Figure 2, showing how many of the events identified in the HAZOP were successively eliminated from further consideration because either their probabilities or consequences (or both) were too small to contribute to the overall risk. This was a rigorous technique which ensured that all potential events were properly considered, but it required significant effort (30 man weeks for the HAZOP alone) and an elapsed time of about nine months to complete all the stages.

In fact nearly all the events which contributed to the overall risk could have been identified by the safety consultant by applying knowledge of past studies followed by a one-week coarse HAZOP of the process flow diagrams of the critical plant areas; this identification would have been followed by consequence analysis to eliminate events with no offsite impact, then a detailed HAZOP limited to the remaining events in order to develop fault trees. This study could have been completed in about one third of the time using one quarter of the effort; it would have estimated the levels of offsite risk and recommended the changes which would have a significant impact on them. However ICAM would have relied on the expertise of the safety consultant, rather than being personally involved in the rigorous analysis, and more importantly would not have conducted the detailed HAZOP of the whole plant, which they considered had greatly increased their understanding of how to improve the safety and operability of this complex plant. Thus this would have met the first study objective (to satisfy the Italian regulations) but not the second (to help the owner to run the plant more safely and reliably). Therefore we consider that the overall organisation was appropriate in this instance, but might judge differently had the plant been subjected to detailed HAZOP during the design.

Focus of the study. By their nature, HAZOPs and Risk Analyses focus on equipment failures and detailed human errors. The HAZOP was extended to include a review of startup, shutdown, and emergency shutdown; the latter identified that the shift organisation gave ambiguous responsibilities for managing the response to an accident both at the scene and in the control

475


room, so a restructuring was recommended. Also there were numerous recommendations to provide or amend detailed procedures for operations or maintenance. However the safety analysis did not incorporate a formal review of the overall management systems to control hazards. Elsewhere in the 'Rapporto di Sicurezza' (Safety Report), of which this Safety Analysis formed a part, there was a description of the relevant management systems but not a critical review.

In several more recent studies we have preceded the HAZOP/Risk Analysis phases by a 'Safety Review' which critically examines the overall site management of safety matters as well as identifying the plant units which have the highest priority for detailed study. We consider that we covered the key points at ICAM, albeit informally, but a formal review would have been more complete.

Detailed conduct of the HAZOP. For this complex plant with no previous in-house experience of HAZOP, the team proved highly effective comprising experienced staff from a safety consultant, the design contractor, and the plant. By conducting the study on site, frequent plant visits could be made to check details being studied on the drawings and to confirm the size and accessibility of equipment, as well as its proximity to other equipment; the plant personnel exercised strong discipline to ensure that they were not disturbed during the HAZOP sessions.

The HAZOP was conducted by the safety consultant in English, with some bilingual participants and others who spoke only Italian; inevitably this slowed the pace somewhat while there were heated Italian discussions which sometimes had to be translated to the safety consultant to ensure his full understanding. Obviously it would be preferable to conduct the HAZOP in the language of the plant, but only if personnel were available with the necessary knowledge of HAZOP and similar plants; however we found here (and elsewhere) that a two-language HAZOP is perfectly workable.

Two three-hour study sessions per day for five days per week gave a much more intensive programme than the two or three sessions per week recommended by Kletz and others. The less intense schedule would have been impractical for team participants from London, Rome, Milan and Sicily, also it would have extended the HAZOP study over six months or more, making it impossible to implement recommendations before the plant restart as well as giving severe problem of continuity of personnel through holiday periods. Although the intensive pace was tiring, we found that the team were still able to keep their imagination active and do not consider that the study quality suffered.

Sequence of risk analysis. There is inevitably an iteration between fault tree development and consequence analysis, with the former helping to define better the cases to be studied in the latter, which then demonstrates that some events have no hazardous impact. We developed the fault tree logic, reviewed and agreed that with ICAM, quantified the fault trees for the existing situation (which involved some changes to the logic), reviewed the quantified fault trees, then recalculated them to incorporate possible improvements. Meanwhile the consequence analysis proceeded in parallel.

In recent studies we have found it more effective to:

- Conduct an initial consequence analysis on the accidental events, making conservative assumptions where necessary.

- For those events with potential impacts, develop fault trees which are

476


quantified for the existing situation, with data for potential improvements shown in brackets on the same tree. It is essential to document clearly the source and justification for the failure rate data used. The trees are then reviewed with the client, who can clearly see which branches of each tree contribute significantly to the top event and can concentrate his attention on those. However this one-step approach is not so helpful for a client who wishes to develop his own expertise in fault tree analysis.

Conclusion

There is no single approach to safety analysis which can be applied to every situation, but increasing experience permits a better selection from the range of available techniques.

477


478


479

Safety analysis of the Priolo ethylene plant. SYMPOSIUM SERIES NO. 110 SAFETY ANALYSIS OF THE PRIOLO...

Documents

Transcript of Safety analysis of the Priolo ethylene plant. SYMPOSIUM SERIES NO. 110 SAFETY ANALYSIS OF THE PRIOLO...