Journal of Loss Prevention in the Process Industries 15 (2002) 129–146
www.elsevier.com/locate/jlp

Design and evaluation of safety measures using a newly proposed methodology “SCAP”

Faisal I. Khan a,*, Tahir Husain a, S.A. Abbasi b

a Faculty of Engineering and Applied Science, Memorial University of Newfoundland, St John’s, Canada A1B 3X5
b Centre for Pollution Control and Energy Technology, Pondicherry University, Pondicherry 605 014, India

* Corresponding author. Tel.: +1 709 737 7652; fax: +1 709 737 4042. E-mail address: [email protected] (F.I. Khan).

0950-4230/02/$ - see front matter © 2002 Elsevier Science Ltd. All rights reserved. PII: S0950-4230(01)00026-2

Abstract

An increase in the number of accidents in the process industries and the concomitant damage potential is a cause of concern in many countries. In order to control the alarming risk posed by these industries, the United States government has asked each manufacturing facility to carry out a worst-case disaster study and to develop alternatives to control this high risk. Other developed and developing countries such as Canada and India have taken similar measures.

Recently Khan and Abbasi (J. Loss Prevent. Process Ind. (2001a) in press) have proposed a maximum credible accident analysis with a maximum credible accident scenario approach, which scores over a worst-case scenario approach for being realistic and reliable. In another effort, Khan and Abbasi (J. Hazard. Mater. (2001b) in press) have developed an efficient and effective algorithm for probabilistic fault tree analysis. These two approaches have been combined to yield a new methodology for a more realistic, reliable, and efficient safety evaluation and the design of risk control measures. The methodology is named SCAP: Safety, Credible Accident, Probabilistic fault tree analysis. The methodology is comprised of four steps, of which the last step is a feedback loop. This paper recapitulates this methodology and demonstrates its application to ethylene oxide (EO) plants. The application of SCAP to EO plants identifies five units as risky and needing more safety measures. Further, this study recommends safety measures and demonstrates through SCAP that their implementation lowers the risk to an acceptable level. © 2002 Elsevier Science Ltd. All rights reserved.

Keywords: Risk assessment; Safety measures; Industrial hazards; Worst-case scenario; Maximum credible accident analysis

1. Introduction

Petroleum refineries and petrochemical industries handle large quantities of highly hazardous chemicals, often at extreme conditions of temperature and pressure. Any mis-operation is prone to be a source of disaster causing heavy financial losses as well as casualties. This is evident from the case studies highlighted below:

Ahmadi, 2000: On 25 June 2000, at 4:24 a.m. an accident ripped through a unit at the Ahmadi refinery and caused heavy material damage. It was reported that four people were killed and 49 injured. Ahmadi, the biggest refinery in Kuwait, has a refining capacity of 444,000 barrels per day. It was built in 1948, subsequently renovated in 1984 and in 1986, and has 1450 employees (CNN, 2000a; BBC, 2000).

The accident was caused by the ignition of a vapor cloud which formed due to a leak of liquefied petroleum gas from one of the transporting lines. The explosion was so intense that its effects were observed over kilometers. A building located 500 m from the scene of the accident was badly damaged; the administration building located 2 km from the point of the accident also suffered damage. Two fuel production units and one major distillation unit were completely damaged while another distillation unit suffered heavy damage. The full details of the accident have not yet been made public.

Shuaiba, 2000: In early June 2000, an accident occurred in Kuwait’s Shuaiba refinery, killing two people and injuring many. The accident occurred during the start-up operation of the jet fuel unit. The preliminary enquiry reported a deficiency in the operation and training side and insufficient preparation to handle such incidents (CNN, 2000b).


Washington, 1999: In June 1999, a pipeline transporting gasoline from a refinery to the coast of Seattle, Portland and Oregon ruptured, spewing 229,000 gallons of gasoline. The released gasoline ignited into a wall of fire hundreds of feet high, running down a creek and through a wooded park. The fire incinerated everything in its path and killed three people. The United States Department of Transport has imposed a $3.05 million fine on the owner of the pipeline (CNN, 1999a).

Tennessee, 1999: On 30 June 1999, two people were killed and one seriously injured in an explosion which occurred in an oil storage tank during repair work. At the time of the accident only three people were present on the site; otherwise, the number of casualties would have been higher (CNN, 1999b).

Nigeria, 1998: On 18 October 1998, two deadly pipeline explosions set off fires that ripped through several villages in southern Nigeria. This aboveground pipeline linked an oil refinery in the coastal city of Warri with the northern city of Kaduna. About 200 people died from severe burns and suffocation. Although it has not been confirmed, this accident is believed to have been an act of sabotage (CNN, 1998).

Texas, 1997: On 22 June 1997, at 7:12 a.m. an accident was reported in the Shell Oil Company plant at Houston. The plant, which produces ethylene and propylene as feedstock for other chemical industries, employed about 2,400 people. The accident was caused by an explosion, which was subsequently followed by a fire. One person was injured and heavy material loss was reported. At the time of the accident only a few people were at the site; otherwise, casualties would have been higher (CNN, 1997).

Vishakhapatnam, 1997: On 14 September 1997, a huge fire and explosions devastated the terminals and storage tanks at the Hindustan Petroleum Corporation Limited refinery at Vishakhapatnam, India. More than 55 people were killed and dozens more seriously injured (Khan & Abbasi, 1998a, 1999a). The death toll could have been much higher had the fire started one half hour later, when the first shift workers were due to arrive. Even more significantly, as the accident occurred on Sunday, a holiday, the administrative personnel, several hundred, were also not on duty. Assets of more than 60 million rupees were damaged in this accident (Khan & Abbasi, 1998a, 1999a).

Sparks, 1998: On 7 January 1998, two explosions in rapid succession destroyed the Sierra Chemical Company (Sierra) Kean Canyon plant near Mustang, Nevada, killing four workers and injuring six others. The Kean Canyon plant manufactured explosive boosters for the mining industry. When initiated by a blasting cap or detonation cord, boosters provide the added energy necessary to detonate less sensitive blasting agents or other high explosives. The boosters manufactured at the Kean Canyon plant consisted of a base mix and a second explosive mix, called Pentolite, both of which were poured into cardboard cylinders. The primary explosives used in the base mix were TNT (2,4,6-trinitrotoluene), PETN (pentaerythritol tetranitrate), and Comp-B, a mixture of TNT and RDX (hexahydro-1,3,5-trinitro-1,3,5-triazine). Pentolite is a mix of TNT and PETN. The investigation team determined that the first explosion occurred in the plant’s Booster Room 2 and was followed seconds later by an explosion in the PETN building. There was no physical evidence or eyewitness to conclusively pinpoint the cause of the explosion in Booster Room 2; however, the investigation team identified four credible scenarios. The investigation team also recommended a comprehensive process safety management program that was ineffective earlier (CSB, 1999).

Helena, 1997: On 8 May 1997, an explosion and fire in a building containing 200,000 pounds of pesticides killed three firefighters and injured sixteen people. The pesticides, their combustion products, and even chemicals formed during firefighting activities, formed a highly toxic cloud which forced an evacuation of the regional hospital, along with residents within three mile radius (Lees, 1996; Khan & Abbasi, 1999c).

Houston, 1989: On 23 October 1989, a release occurred in a polyethylene plant at the Phillips Company’s chemical complex at Pasadena near Houston, Texas. A vapor cloud formed and ignited, giving rise to a massive vapor cloud explosion. A series of further explosions and a fire followed the initial explosion. Twenty-two people were killed on the spot, one later died from injuries sustained in the explosion, and more than 130 were injured (Lees, 1996; Khan & Abbasi, 1999c, 2001c).

Antwerp, 1987: On 3 July 1987, an explosion occurred inside an ethylene oxide purification column in a factory at Antwerp, Belgium. The explosion was due to the decomposition of ethylene oxide. It was accompanied by a fireball, which started a number of secondary fires. These, together with blasts and missiles, caused extensive damage, and fourteen people were injured (Khan & Abbasi, 1998a, 1999c).

These accidents are representative examples from a comprehensive list comprised of hundreds of such accidents.

2. Cause of concern

A recent study in the United States claims that from 1993 to 1995 over 23,000 accidents related to the release of toxic clouds occurred. Furthermore, approximately 25% of the manufacturing facilities that involve extraordinarily hazardous chemicals could potentially create a zone of injury and death extending more than five miles from the facility. More than 20% of these facilities create vulnerable zones of more than ten miles. The National Environmental Law Committee of the United States has analyzed the worst-case disaster potential by industry sector and has found that the chemical and petrochemical sectors are the most vulnerable. Despite state-of-the-art control facilities, an increase in the number of such incidents as well as their concomitant damage potential is a major source of concern. In order to control the alarming risk posed by these industries, the United States government has asked each manufacturing facility to carry out a worst-case disaster study and to develop alternatives to control this high risk (Laplante, 1998; Perrow, 2000).

The frequency of accidents and the attendant damage potential is considerably higher in other countries than in the United States. Consequently, these industries not only suffer heavy financial losses but also lose credibility.

It is therefore urgent to analyze possible accidents and their basic causes, and to develop strategies/plans to avert such situations. A preliminary study provided the following observations:

1. Most of the accidents have occurred despite active safety measures on the unit. The main reasons for such accidents are that safety measures are not designed considering the probable accident scenarios, and that the effectiveness of safety measures is not reviewed periodically.

2. Disaster management or contingency plans are either improper or ineffective. Most disaster management plans (DMP) are designed through subjective decision making without a quantitative or scientific approach. These programs are rarely tested, and in cases where they are tested, it is done as a formality and for limited known accident scenarios.

These observations highlight a need for a systematic, comprehensive yet rapid methodology for risk assessment and safety evaluation. These authors agree that there has been substantial work on the development of methodologies for effective and reliable risk assessment. There are good methodologies and tools available to conduct detailed risk assessments: quantitative risk analysis, probabilistic safety analysis, worst-case methodology for risk assessment, and optimal risk analysis. A critical review of these methodologies is presented by Khan and Abbasi (1998a, 1998c, 2001c) and Papazoglou, Nivoliantiou, and Christou (1992).

Khan and Abbasi (2001b) have recently introduced a new methodology by integrating Analytical Simulation (a new methodology for fault tree analysis proposed by Khan & Abbasi, 2001b) and maximum credible accident analysis (a methodology proposed for rapid risk assessment by Khan & Abbasi, 1997a,b, 1998a,d, 2000, 2001c). The methodology identifies the presence of hazards in an industry, quantifies the hazard, forecasts the impact of likely accidents in and around the industry, suggests safety measures, and then loops back to reassess the hazards by incorporating the suggested safety measures. In this manner, it enables one to work out exactly what safety measures, of what sophistication, can decrease the hazard to an acceptable level. For an operating plant, it enables the assessment of whether the existing safety measures are sufficient or need further attention. It is also able to distinguish the units that cannot be made safe even after the installation of all conventional safety measures. This technique thus isolates units which require special emergency preparedness and disaster management plans. We have given the acronym SCAP to this technique: Safety, Credible Accidents, and Probabilistic fault tree analysis.

3. SCAP methodology

The steps involved in the SCAP methodology are depicted in Fig. 1. The features of each step are summarized below.

3.1. Step 1: Hazard identification and ranking using SWeHI

This step utilizes the Safety Weighted Hazard Index (SWeHI) system developed earlier by us (Khan, Husain, & Abbasi, 2001) for hazard identification and ranking. The SWeHI system enables computation of a fire and explosion damage index (B1), a toxic damage index (B2) and a safety performance index (SPI).

SWeHI aims at providing a ‘single frame’ view of the industry, or the desired process unit, vis-a-vis the hazards posed by it under a given set of external forcing factors (ranging from meteorology to social upheavals). It simultaneously integrates this information with the safety measures as they are and as they ought to be. In quantitative terms, SPI represents the radius of the area under hazard (50% probability of fatality/damage) due to the given unit/plant considering the chemicals, operating conditions, environmental setting, etc. involved at that instant. In mathematical terms it is represented as:

$$\mathrm{SPI} = B/A$$

where B is the quantitative measure of the damage that may be caused by a unit/plant, and is measured in terms of area under 50% probability of damage. A represents the credits due to control measures and safety arrangements made to counter the undesirable situations. B has two components: B1 addresses damage due to fire and explosion, while B2 considers damage due to toxic release and dispersion. The SPI represents the damage radii when safety measures are duly taken into consideration. The higher the value of SPI, the more vulnerable is the unit to the likely hazards.

Fig. 1. The SCAP algorithm.

The distinguishing features of the SWeHI system are:

1. It considers the impact of various process operations and associated parameters for hazard identification;

2. It provides quantitative results of good reliability;

3. Most of the penalties used in computing hazard potential index B and hazard control index A in SPI are derived from the tried and tested models of thermodynamics (CCPS, 1989; API, 1990; Greenbook, 1992). A few penalties for B1 and B2 have been quantified with the help of empirical models and hazard ranking procedures such as National Fire Protection Agency (NFPA). In other words, adequate depth and rigor have gone into the formulation of SWeHI;

4. It scores over the Dow Fire and Explosion Index, Mond Toxicity Index, IFAL, etc. and these authors’ HIRA-based indices, fire and explosion damage index (FEDI) and toxic damage index (TDI) (Khan & Abbasi, 1998b), in terms of its ability to weigh the hazards against the effectiveness of the safety measures and provide a single score for the trade-off;

5. It does not need case-to-case calibration, as its magnitude directly signifies the level of hazard;

6. It may be used for a rapid reconnaissance of risk.

3.1.1. Quantification of B1

For the purpose of quantifying B1, the various units of an industry are classified into five different categories (similar to the HIRA system—Khan & Abbasi, 1998b): (i) storage units, (ii) units involving physical operations such as heat transfer, mass transfer, phase change, pumping and compression, (iii) units involving chemical reactions, (iv) transportation units, (v) other hazardous units such as furnaces, boilers, direct-fired heat exchangers, etc.

The estimation of B1 involves the following steps:

1. Classification of the various units in an industry into the five categories mentioned above

2. Evaluation of energy factors

3. Assignment of penalties

4. Estimation of damage potential

5. Quantification of B1

3.1.2. Quantification of B2

B2 is measured in terms of the radius of the area (in meters) affected lethally by toxic load (50% probability of causing fatality). This index is derived using transport phenomena and empirical models based on the quantity of chemical(s) involved in the unit, the physical state of the chemical(s), the toxicity of the chemical(s), the operating conditions, and the site characteristics (Fowcett, 1993; Tyler, Thomas, Doran, & Grieg, 1994). The dispersion is assumed to occur under slightly stable atmospheric conditions. We have opted for ‘slightly stable atmospheric conditions’ as these represent a median of high instability and high stability. Furthermore, such conditions are often prevalent during accidents—as happened at Bhopal, Basel, Panipat, and other places (Cristen, Bhnenblust, & Seitz, 1994; Lees, 1996; Khan & Abbasi, 1997c, 1998a, 1999c).

The estimation of B2 is done with one core factor, named ‘G factor’, and several penalties. The G factor takes into account the following:

1. during the accidental release of super-heated liquid (liquid stored or processed above its normal boiling point) from the unit, a part of the liquid would flash to vapor and the remaining part would form a liquid pool which would subsequently evaporate;

2. the release of gases would directly lead to dispersion in the atmosphere and cause a build-up of lethal toxic load;

3. liquefied gases would have a two-phase release, followed by dispersion and a build-up of toxic load;

4. pyrophilic solids would give toxic vapors which would generate a toxic load in the air.

3.2. Quantification of A

Factor A incorporates the quantification of the various control measures adopted by the industry as well as the safe operation practices implemented in a unit/process. A is quantified as:

$$A = 0.15 \times (1 + cr_1) \times (1 + cr_2) \times (1 + cr_3) \times (1 + cr_3) \times (1 + cr_4) \times (1 + cr_5) \times (1 + cr_6) \times (1 + cr_7) \times (1 + cr_8)$$

where cr1 to cr8 represent credit factors for emergency resource planning, disaster management plans, other damage control measures, process control systems, detecting devices, emergency control measures, human error, and equipment reliability, respectively.

3.3. Step 2: Quantitative hazard assessment—maximum credible accident analysis

Maximum credible accident analysis (MCAA) is comprised of two sub-steps:

1. Accident scenario forecasting

2. Damage estimation for previously envisaged accident scenario.

Forecasting likely accident scenarios is the most important step in this exercise. A number of accident scenarios can be envisaged in a unit; however, it is not possible for the analyst to analyze all possible accident scenarios. There needs to be a system to shortlist the important scenarios. Recently, Khan and Abbasi (2001a) have developed an approach called maximum credible accident scenarios (MCAS). This approach centers on the theme of credibility, which is defined as a combination of impact area and the probability of occurrence, and is estimated as:

$$C = (AA^2 + BB^2)^{1/2}$$

where AA and BB represent the credibility factor estimated for assets damage and population damage effects, respectively. For details refer to Khan and Abbasi (2001a).

A computer-automated tool, MAXCRED (Khan & Abbasi, 1999b), and its higher version MAXCRED-III (Khan & Abbasi, 1999e), which perform maximum credible accident analysis, have been developed. The package enables the simulation of accidents and an estimation of their damage potential. MAXCRED-III has been developed to provide a more versatile and accurate tool for rapid risk assessment than is possible with existing packages. An earlier version of MAXCRED-III has significantly greater capabilities than other commercial packages, whereas the more sophisticated MAXCRED-III incorporates a domino/cascading effect, and the implementation of advanced concepts of software engineering (Khan & Abbasi, 1999e).

MAXCRED-III has five main modules (options): scenario generation, consequence analysis, domino, documentation, and graphics.

In the scenario generation module, accident scenarios are generated for the unit under study. This step, based on the MCAS approach, is an important input for subsequent steps. The more realistic the accident scenario, the more accurate is the forecast of the type of accident, its consequences, and associated risks; and, consequently, the more appropriate and effective are the strategies for averting and managing crisis.

The consequence analysis module involves the assessment of likely consequences if an accident scenario does materialize. The consequences are quantified in terms of damage radii (the radii of the area where the damage would readily occur), damage to property (shattering of window-panes, caving in of buildings) and toxic effects (chronic/acute toxicity, mortality). The assessment of consequences involves a wide variety of mathematical models. For example, source models are used to predict the rate of release of hazardous materials, the degree of flashing, and the rate of evaporation. Models for explosions and fires are used to predict the characteristics of explosions and fires. Impact intensity models are used to predict damage zones due to fires, explosions and toxic load. Toxic gas models are also used to predict the human response to different levels of exposures to toxic chemicals. Several types of explosion and fire models such as confined vapor cloud explosion (CVCE), vapor cloud explosion (VCE), boiling liquid vapor cloud explosion (BLEVE), pool fire, flash fire, jet fire, and fireball, are included. Likewise, models for both liquid and two-phase release have been incorporated. A special feature of MAXCRED-III is that it is able to handle the dispersion of heavy (heavier-than-air) gases as well as light-as-air and lighter-than-air gases.

The domino module analyzes the damage potential of the primary event at the point of location of the secondary unit, and checks for the likelihood of the occurrence of the secondary accident. If the probability of the secondary accident is sufficiently high, then the appropriate accident scenarios are developed and analyzed for consequences.

The graphics module enables the visualization of risk contours in the context of the accident sites. This option has two facilities: (i) site drawing, and (ii) contour drawing. The site drawing option enables the user to draw any industrial site layout using freehand drawing or any already defined drawing tool. The contour drawing option has the facility for drawing various damage/risk contours over the accident site. These contours can be drawn in different shapes and sizes according to the requirement of the user.

The documentation module of MAXCRED-III mainly deals with the handling of different files: data file, scenario file, output file and flow of information. This object works as an ‘information manager’: it provides the necessary information to each module and sub-module to carry out the desired operations, and stores the results in different files.

3.4. Step 3: Probabilistic hazard assessment—analytical simulation methodology (ASM)

In this step, fault trees of the previously forecasted accident scenarios are constructed. In order to develop probabilistic fault trees and analyze them swiftly, these authors have developed an analytical simulation methodology (Khan & Abbasi, 2001b). A completely automated tool called PROFAT (PRObabilistic FAult Tree analysis) (Khan & Abbasi, 1999d) has also been developed to perform analytical simulation. The analytical simulation methodology (ASM) is comprised of the following steps:

1. A logical dependency between the causes leading to the top event (accident scenario) is developed and represented in terms of a fault tree. Such a fault tree can be developed for an individual unit or a combination of units, depending upon the convenience of the user.

2. The fault tree developed above is transformed to a Boolean matrix. If the dimension of the Boolean matrix happens to exceed the processing ability of the user’s computer, a structural moduling technique may be applied (Shafaghi, 1988; Yllera, 1988). This technique proposes moduling of the fault tree into a number of smaller sub-modules with a dependency relationship between them. This reduces the memory allocation problem as well as speeds up the computation (Bossche, 1991).

3. The Boolean matrix is then solved for minimum cutsets using an analytical method (Khoda & Henley, 1988; Papazoglou et al., 1992; Greenberg & Slater, 1992). If the problem has been structurally moduled, then each module is solved independently, and the results are combined. The resultant minimum cutsets may be optimized using any appropriate technique.

4. The optimized minimum cutsets are processed for probability estimation. These authors recommend the use of the Monte-Carlo simulation method (Soon, Joo, & Myung, 1985; Worrel & Stack, 1990; Rauzy, 1993) for this purpose instead of direct estimation because the simulation method not only gives the probability of the top event, but it also provides information on the sensitivity of the results. Simulation is also helpful in studying the impact of each of the initiating events. To increase the accuracy of the computations and reduce the margin of error due to inaccuracy involved in the reliability data of the basic events (initiating events), we recommend the use of fuzzy probability sets (Dubois & Prade, 1980; Noma, Tankara, & Asai, 1981; Tanaka, Fan, Lai, & Toguchi, 1983; Prugh, 1992).

5. An added advantage of the analytical simulation method is that it enables a study of the importance of each component, or in other words, each cause (initiating event) which leads to the top event. The contribution of each cause is estimated by repeating the previous step (step 4) while that particular cause is absent. Subsequently, the contribution of each cause is transformed into an ‘improvement index’ which signifies the percentage contribution of each cause in leading to the top event. Thus, from the improvement index one can easily deduce what events are most likely to cause an accident and need immediate care.
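The ASM steps above, as an added Python example that is not from the paper or from PROFAT: it expands a small fault tree into minimum cutsets by recursive Boolean expansion with absorption (used here in place of the paper's Boolean-matrix solution), estimates the top-event probability by Monte-Carlo simulation, and derives an improvement index by repeating the simulation with each cause absent. The tree, the event names, the probabilities, and the normalisation of the index so that it sums to 100% are assumptions; fuzzy probability sets and structural moduling are not modelled.

```python
import itertools
import random

# Constructed fault tree (not from the paper): a gate is ("AND"|"OR", child, ...),
# a string is a basic (initiating) event.
FAULT_TREE = ("OR",
    ("AND", "cooling_failure", ("OR", "alarm_failure", "operator_error")),
    ("AND", "overfill", "relief_valve_stuck"),
    # Redundant branch: a superset of {cooling_failure, alarm_failure}.
    ("AND", "cooling_failure", "alarm_failure", "overfill"),
)

# Constructed probabilities of the basic events (assumed independent).
BASIC_PROB = {
    "cooling_failure": 0.05,
    "alarm_failure": 0.10,
    "operator_error": 0.20,
    "overfill": 0.05,
    "relief_valve_stuck": 0.02,
}


def cut_sets(node):
    """Expand a gate tree into the set of all (not yet minimal) cut sets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":    # any child's cut set triggers the gate
        return set().union(*child_sets)
    if gate == "AND":   # one cut set from every child must occur together
        return {frozenset().union(*combo)
                for combo in itertools.product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Absorption: drop every cut set that contains a smaller cut set."""
    minimal = []
    for candidate in sorted(cut_sets(node), key=len):
        if not any(kept <= candidate for kept in minimal):
            minimal.append(candidate)
    return minimal


def top_event_probability(mcs, probs, trials=50_000, seed=1):
    """Monte-Carlo estimate: fraction of trials in which some cut set fails."""
    rng = random.Random(seed)
    events = sorted(probs)
    hits = 0
    for _ in range(trials):
        # One draw per event in a fixed order, so two runs with the same
        # seed see the same samples (common random numbers).
        failed = {e for e in events if rng.random() < probs[e]}
        if any(cs <= failed for cs in mcs):
            hits += 1
    return hits / trials


def improvement_index(mcs, probs, **sim_args):
    """Percentage contribution of each cause, found by removing it in turn."""
    base = top_event_probability(mcs, probs, **sim_args)
    contribution = {}
    for cause in probs:
        without = dict(probs, **{cause: 0.0})   # the cause is absent
        contribution[cause] = base - top_event_probability(
            mcs, without, **sim_args)
    total = sum(contribution.values())
    if total <= 0:                              # top event never occurred
        return {cause: 0.0 for cause in probs}
    return {cause: 100.0 * c / total for cause, c in contribution.items()}


if __name__ == "__main__":
    mcs = minimal_cut_sets(FAULT_TREE)
    print("minimum cutsets:", [sorted(cs) for cs in mcs])
    print("P(top event) ~", top_event_probability(mcs, BASIC_PROB))
    ranked = sorted(improvement_index(mcs, BASIC_PROB).items(),
                    key=lambda item: -item[1])
    for cause, index in ranked:
        print(f"{cause:20s} {index:5.1f}%")
```

Reusing the same seed for every run means that removing a cause can only turn simulated accidents off, so the contributions are never negative even for rare causes.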

The methodology summarized above was resolved into a computer-automated tool PROFAT (PRObabilistic FAult Tree analysis) which has been coded in C++ and consists of five main modules: DATA, minimum cutsets analysis, probability analysis, improvement factor analysis, and general-purpose modules. Each module performs a specific task, and is linked with the other modules. For example, the minimum cutsets analysis module uses data provided in the form of a Boolean relation (fault tree relation) by the DATA module to generate minimum cutsets. Each module of PROFAT is comprised of two or more sub-modules. For example, matrix formulation, matrix solution, and cutsets optimization are subordinates (derived classes) to the main minimum cutsets analysis module (main minimum cutsets analysis class). These sub-modules (derived classes) inherit functions defined in the main module (main class) to serve specific applications as well as comprise some ‘friends’ functions (functions which are not part of the class but are otherwise useful) (Khan & Abbasi, 1999d).

3.5. Step 4: Risk quantification and design of safety measures

Using the results of the previous steps of hazard assessment and probabilistic hazard assessment, the risk is computed and subsequently compared with the regulatory standards; if it exceeds them, extra safety measures need to be added to the unit. After deciding the necessary safety options to be implemented, steps 2 and 3 are repeated and the latest risk is again compared with regulatory standards. This is repeated until the risk factors fall in the range of acceptable level.

4. Application of the SCAP to ethylene oxide plant

The SCAP system of methodology discussed above has been used to design the safety measure for an ethylene oxide plant. The plant is at the design stage and will be located in an industrial complex (Fig. 2). A brief summary of the process of ethylene production is given below, for details refer to TVS Petrochemical (1999).

4.1. Process summary

Ethylene oxide (EO) is produced by the oxidation of ethylene with pure oxygen. Ethylene and oxygen are reacted at 10–30 atmospheres and 400–500°F in a fixed bed catalytic reactor. The catalyst beds consist of large bundles of tubes that contain supported silver catalyst spheres or rings. The tubes are 6–12 m long and 20–50 mm in diameter. The reactor off-gas is fed to CO2 scrubbers, then to EO scrubbers, which absorb the EO into the liquid phase. The EO is recovered from the liquid in a desorber and distilled to remove water. EO purity is typically greater than 99.5%. Fig. 3 shows the process flow diagram (PFD) of the complete EO process plant.

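$$\mathrm{C_2H_4 + 0.5\,O_2 \rightarrow C_2H_4O} \tag{1}$$

$$\mathrm{C_2H_4O + 2.5\,O_2 \rightarrow 2\,CO_2 + 2\,H_2O} \tag{2}$$

$$\mathrm{C_2H_4 + 3\,O_2 \rightarrow 2\,CO_2 + 2\,H_2O} \tag{3}$$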

Catalyst pellets are designed to favor selective oxidation [epoxidation, Eq. (1)] over total oxidation [Eqs. (2) and (3)] by limiting the availability of active sites. Silver is supported on pure aluminum oxide having pore diameters ranging from 0.5 to 50 µm and a specific surface area �2 m²/g. The motivation for designing this catalyst is that a less active catalyst will promote the partial oxidation of ethylene to EO, but it will promote neither the total oxidation of ethylene nor the subsequent oxidation of EO. The catalyst is operated with alkali metal promoters, usually cesium, and chlorine-containing inhibitors. The main drawback of using a silver catalyst is that, although its initial selectivity ranges from 79 to 83%, as it ages its selectivity deteriorates, and there are no generally applicable methods of regeneration. The life span of the catalyst is 2–5 years.

The effluent from the reactor passes through the absorber, in which the EO and some of the carbon dioxide, hydrocarbons, and aldehydes dissolve in the water. Most of the unabsorbed gas that leaves the top of the absorber is cooled and becomes the recycle ethylene stream. Gaseous impurities from the oxygen feed, such as argon, are purged from the recycle gas stream through the main process vent (Vent A). Because there are fewer impurities in the oxygen feed, the purge stream is totally recycled. Thus, there is a build-up of by-product CO2 that could reduce catalytic selectivity to EO at high levels if not removed from the system. A portion of the overhead gas from the absorber passes through a CO2 absorber which uses potassium carbonate as an absorbent, then joins the recycle to the reactor. The spent CO2 absorbent is reactivated in the CO2 desorber, and then recycled to the CO2 absorber. The CO2 is vented from the CO2 desorber. The dilute aqueous solutions of EO, CO2, and other volatile organic compounds (VOC) from the absorbers are combined and fed to the desorber where the EO and dissolved inerts are distilled under reduced pressure. The desorber water, virtually free of EO, is re-circulated to the absorbers. The crude EO from the desorber is sent to a stripper for the removal of CO2 and inert gases and then sent to a final refining column (distillation column). Light gases separated in the stripper are vented overhead (Vent B). The final product, 99.5 mol% EO, is stored under a nitrogen atmosphere in pressurized tanks.

4.1.1. Safety practices

The oxygen feed rate is kept consistent with the ethylene feed rate during start-up; therefore, the emission rate from the main process vent during start-up is about the same as that for normal operations. Process upsets, however, can cause a sharp increase in emissions. When an upset occurs, the ethylene feed rate is reduced to lessen the amount of VOC in the vent stream. Because EO is completely soluble in water, the purge absorber can be 99.9% effective for its removal. The EO content of the main process vent stream (Vent A) is therefore quite low. The ethane and ethylene content, however, is sufficient for combustion. This stream is now normally burned in a thermal oxidizer. During upsets, the main process vent stream can be directed to an emergency flare. The stripper vent (Vent B) of the air oxidation process releases the inert gases and ethylene which were absorbed into the main and purge absorber. The amount of emissions is affected by the water use rate, but not by process start-ups or shutdowns. EO is normally scrubbed from the stripper vent stream with water and returned to the process. The resulting vent stream is normally combusted in a boiler, effecting virtually 100% EO emissions control. The ethylene content of the main process vent stream (Vent A) is sufficient to support combustion and is routinely vented to a boiler or incinerator. The CO2 desorber vent (Vent B) contains more than 99.7% CO2 and water. It is estimated that maintenance required in the plant will be 6% of the operation time.

Fig. 2. Plot showing location and layout of the EO plant along with population distribution.

4.2. Hazard identification—SWeHI

The SWeHI system has been used to screen all units of the EO plant. The results are summarized in Table 1. Considering the planned process control arrangements and primary safety measures, the reaction unit and the EO storage unit have been identified as highly hazardous units, whereas the ethylene transportation line, EO distillation column, and ethylene reboiler are ranked as hazardous units. These units need a further detailed assessment of risk and accordingly safety measures designed to counter these escalated risks. Other units such as the EO scrubber, EO desorber, stripping column, and heat exchangers were moderately or low hazardous, and do not need further study.

4.3. Quantitative hazard assessment—MCAA

4.3.1. Envisaging of accident scenarios

With the help of MCAS methodology credible accident scenarios have been envisaged in each unit. Out of the credible accident scenarios, the maximum credible accident scenario has been used here for a detailed MCAA of that particular unit.


Fig. 3. Process flow diagram of the ethylene oxide (EO) plant.

4.3.1.1. Transportation of ethylene: Scenario 1

Ethylene has been transported through a pipeline to the reaction unit. A fraction of the pipeline runs along the road. The most credible accident scenario envisaged for this unit is the release of ethylene either through a leak or rupture, causing the development of a vapor cloud which, on meeting an ignition source, causes a fireball.

4.3.1.2. Reaction unit: Scenario 2

The reaction unit is the most vulnerable part of the plant as it handles highly unstable chemicals under severe conditions of temperature and pressure. Any mis-operation in the unit may cause a build-up of high pressure in the reactor which would cause an explosion. On ignition, the released material would cause a fireball. The most credible accident scenario envisaged for this unit is a confined vapor cloud followed by a fireball.

4.3.1.3. Distillation column: Scenario 3

A distillation column is used to purify the EO. Any untoward situation in the column would cause the release of highly unstable EO as BLEVE; the released chemical on ignition would form a fireball.

4.3.1.4. Ethylene oxide storage: Scenario 4

Excessively high pressure developed in the vessel is either due to overfilling or a runaway reaction in the vessel. The instantaneous release of high pressure causes the vessel to fail as CVCE. The released chemical on ignition would burn as a fireball.

4.3.1.5. Reboiler: Scenario 5

Due to improper maintenance or other effects, a leak develops in the reboiler, causing the release of chemicals. The leaking area is believed to be 40% of the input/output of the pipeline cross-sectional area. The released chemical forms a vapor cloud over the area of the congested units. The vapor cloud on meeting an ignition source would cause a vapor cloud explosion. The unburned chemical would burn as a flash fire.

4.4. Hazard quantification

The forecasts for scenario 1 (fireball) are presented in Table 2. The vapor cloud generated by instantaneous/continuous release on ignition would cause a fireball, which would generate a heat radiation effect. It is clear from Table 2 that an area of ~90 m radius faces a 50% probability of being damaged due to heat load. The heat radiation may cause a fatality as well as second-order accidents by seriously damaging other units/accessories. The worst affected would be the ethylene oxide reactor and its accessories.

The forecasts based on detailed calculations for scenario 2 are presented in Table 3. CVCE followed by a fireball would cause extensive damage. It is evident from Table 3 that damage of a high degree of severity due to overpressure and shockwave would be operative over an area of ~100 m radius, while moderate damage (50% probability of lethality) would occur over an area of ~150 m radius. The released unburned chemical would be burned as a fireball. The heat load generated due to the fireball would be lethal over an area of more than 125 m radius. Heat load and shockwave generated due to this unit may initiate secondary and higher order of accidents in the units placed within the proximity of the damage area.

Table 1. Safety weighted hazard index (SWeHI) for various units of the EO plant

| Units | Chemical of concern | Type of major hazard present | Fire and Explosion Damage Index (B1) | Toxic Damage Index (B2) | Hazard Potential Index (B) | Hazard Control Index (A) | Safety performance index (SPI) = B/A |
|---|---|---|---|---|---|---|---|
| Ethylene transportation line | Ethylene | Fire and explosion | 440.3 | 145.5 | 440.3 HH (a) | 39.3 | 11.2 H |
| Reaction unit | Ethylene and Ethylene oxide | Fire and explosion | 575.4 | 177.5 | 577.5 EH | 35.0 | 16.5 HH |
| Ethylene oxide scrubber | Ethylene oxide | Fire and explosion | 267.5 | 98.0 | 267.5 H | 35.2 | 7.6 MH |
| Ethylene oxide desorber | Ethylene oxide | Fire and explosion | 183.2 | 46.5 | 183.2 MH | 42.6 | 4.3 LH |
| CO2 scrubber | Carbon dioxide | Fire and toxic release | 45.0 | 67.5 | 67.5 LH | 33.8 | 2.0 LH |
| CO2 desorber | Carbon dioxide | Fire and toxic release | 55.4 | 41.0 | 55.4 LH | 30.8 | 1.8 LH |
| Stripping column | Light end and ethylene oxide | Fire, explosion and toxic release | 175.5 | 79.0 | 175.5 MH | 31.3 | 5.6 MH |
| Ethylene oxide distillation column | Ethylene oxide | Fire and explosion | 380.5 | 135.0 | 380.5 HH | 33.1 | 11.5 H |
| Heat exchanger 1 | Ethylene oxide and CO2 | Fire and toxic release | 105.0 | 47.0 | 105.0 MH | 36.0 | 2.9 LH |
| Heat exchanger 2 | Ethylene oxide and CO2 | Fire and toxic release | 105.0 | 47.0 | 105.0 MH | 36.0 | 2.9 LH |
| Heat exchanger 3 | Ethylene oxide and CO2 | Fire and toxic release | 125.4 | 50.5 | 125.5 MH | 28.5 | 4.4 LH |
| Heat exchanger 4 | Ethylene oxide and CO2 | Fire and toxic release | 84.5 | 57.0 | 84.5 LH | 36.0 | 2.3 LH |
| Reboiler | Ethylene oxide | Fire and explosion | 281.7 | 106.5 | 241.7 H | 26.8 | 10.5 H |
| Ethylene oxide storage | Ethylene | Fire and explosion | 541.5 | 165.7 | 541.7 EH | 30.9 | 17.5 HH |

(a) EH, extremely hazardous; HH, highly hazardous; H, hazardous; MH, moderately hazardous; LH, less hazardous; NH, not hazardous.

Table 2. Results of maximum credible accident analysis for the ethylene transportation line–scenario 1

| Parameters | Values |
|---|---|
| Fire: Fireball | |
| Radius of the fireball (m) | 50.00 |
| Duration of the fireball (s) | 21.00 |
| Energy released by fireball (kJ) | 9.20e+05 |
| Radiation heat flux (kJ/m²) | 1406.00 |
| Damage Radii (DR) due to thermal load | |
| DR for 100% fatality/damage (m) | 50 |
| DR for 50% fatality/damage (m) | 88 |
| DR for 100% third degree of burn (m) | 139 |
| DR for 50% third degree of burn (m) | 181 |

As briefed elsewhere, the distillation column handles EO at quite high temperatures. The results of the damage calculation for the most credible accident scenario (scenario 3) in this unit are presented in Table 4. It is evident from the results that damage causing shockwaves would be effective over an area of more than 140 m radius. The burning of a vapor cloud as a fireball would generate an intensive heat load which would be devastating over an area ~125 m radius. As many other units are in close proximity to this unit, this scenario is most likely to cause a domino effect.

The results of scenario 4 are presented in Table 5. It is evident from the results that this scenario would be the most disastrous one. As the damage causing shockwave would be operative over an area of ~150 m radius, the heat load sufficient to cause fatality would envelop an area of ~200 m radius. Though the storage vessel is located in the extreme corner of the plant (a relatively isolated place), the damage radius due to heat load, overpressure (shockwave), and missile effect would envelop some of the vulnerable units of the plant, which may initiate a higher order of accidents.

Table 3. Results of maximum credible accident analysis for the ethylene oxide reactor—scenario 2

| Parameters | Values |
|---|---|
| Explosion: CVCE | |
| Energy released during explosion (kJ) | 3.06e+09 |
| Peak over pressure (kPa) | 600.00 |
| Variation of over pressure in air | 511.00 |
| Shock velocity of air (m/s) | 753.00 |
| Duration of shock wave (ms) | 87.0 |
| Missile characteristics | |
| Initial velocity of fragment (m/s) | 539.00 |
| Kinetic energy of fragment (kJ) | 7.26e+05 |
| Fragment velocity at study point (m/s) | 528.00 |
| Penetration ability at study point (based on empirical model) | |
| Concrete structure (m) | 0.4153 |
| Brick structure (m) | 0.5307 |
| Steel structure (m) | 0.0538 |
| Damage Radii (DR) for various degrees of damage due to overpressure | |
| DR for 100% damage (m) | 100 |
| DR for 100% fatality or 50% damage (m) | 152 |
| DR for 50% fatality or 25% damage (m) | 224 |
| Damage radii (DR) for the varying degree of damage due to missile | |
| DR for 100% damage or 100% fatality (m) | 2904 |
| DR for 50% damage or 100% fatality (m) | 3019 |
| DR for 100% fatality or 10% damage (m) | 3123 |
| Fire: Fireball | |
| Radius of the fireball (m) | 92.00 |
| Duration of the fireball (s) | 38.00 |
| Energy released by fireball (kJ) | 1.28e+07 |
| Radiation heat flux (kJ/m²) | 4896.00 |
| Damage Radii (DR) due to thermal load | |
| DR for 100% fatality/damage (m) | 99 |
| DR for 50% fatality/damage (m) | 127 |
| DR for 100% third degree of burn (m) | 181 |
| DR for 50% third degree of burn (m) | 240 |

Unlike the storage vessel and the EO reactor, the reboiler poses fewer hazards. Though the scenario has been envisaged as a vapor cloud explosion followed by a flash fire, detailed analysis reveals that a vapor cloud explosion is unlikely to occur with the given constraints. Therefore, there is no threat due to overpressure or shockwave. However, the damaging effect of heat load due to a flash fire would be effective over an area ~70 m radius (Table 6).

4.5. Probabilistic hazard assessment—ASM

This step is comprised of two activities: (i) fault tree development, and (ii) fault tree analysis. We have conducted this step for all five of the pre-identified units. However, due to limited space we present details of only two units, and a summary of the others.

Table 4. Results of maximum credible accident analysis for the distillation column—scenario 3

| Parameters | Values |
|---|---|
| Explosion: BLEVE | |
| Total energy released (kJ) | 1.3e+09 |
| Peak over pressure (kPa) | 510.00 |
| Variation of over pressure in air (kPa/s) | 490.00 |
| Shock velocity of air (m/s) | 745.00 |
| Duration of shock wave (ms) | 94.0 |
| Missile characteristics | |
| Initial velocity (m/s) | 335.00 |
| Kinetic energy of fragment (kJ) | 2.79e+05 |
| Fragment velocity at study point (m/s) | 328.00 |
| Penetration ability at study point (based on empirical models) | |
| Concrete structure (m) | 0.2028 |
| Brick structure (m) | 0.2591 |
| Steel structure (m) | 0.0334 |
| Damage Radii (DR) for various degrees of damage due to overpressure | |
| DR for 100% damage (m) | 95 |
| DR for 100% fatality or 50% damage (m) | 140 |
| DR for 50% fatality or 25% damage (m) | 210 |
| Damage radii (DR) for the varying degree of damage due to missile | |
| DR for 100% damage or 100% fatality (m) | 2674 |
| DR for 50% damage or 100% fatality (m) | 2790 |
| DR for 100% fatality or 10% damage (m) | 2893 |
| Fire: Fireball | |
| Radius of the fireball (m) | 74.00 |
| Duration of the fireball (s) | 30.00 |
| Energy released by fireball (kJ) | 1.18e+07 |
| Radiation heat flux (kJ/m²) | 4493.00 |
| Damage Radii (DR) due to thermal load | |
| DR for 100% fatality/damage (m) | 74 |
| DR for 50% fatality/damage (m) | 126 |
| DR for 100% third degree of burn (m) | 180 |
| DR for 50% third degree of burn (m) | 238 |

4.5.1. Ethylene transportation line

4.5.1.1. Fault tree development

The top event was identified as a release causing the formation of a vapor cloud, which on meeting an ignition source would lead to a fireball. There are twelve basic events which may contribute directly and/or indirectly to the accident scenario. These events with their frequency of failure are given in Table 7. Most of the data is obtained from the specific industry; however, the values of some parameters were obtained from the literature, as industry-specific data was not available for these events (Lees, 1996). Based on the process description and the detailed study of the reactor, a fault tree was developed (Fig. 4).

4.5.1.2. Fault tree analysis

The result of fault tree analysis (output of PROFAT) is presented in Table 8.


Table 5. Results of maximum credible accident analysis for the ethylene oxide storage—scenario 4

| Parameters | Values |
|---|---|
| Explosion: CVCE | |
| Energy released during explosion (kJ) | 2.05e+09 |
| Peak over pressure (kPa) | 580.00 |
| Variation of over pressure in air (kPa/s) | 504.00 |
| Shock velocity of air (m/s) | 753.00 |
| Duration of shock wave (ms) | 80.0 |
| Missile characteristics | |
| Initial velocity of fragment (m/s) | 283.00 |
| Kinetic energy of fragment (kJ) | 2.00e+05 |
| Fragment velocity at study point (m/s) | 277.00 |
| Penetration ability at study point (based on empirical model) | |
| Concrete structure (m) | 0.1579 |
| Brick structure (m) | 0.2018 |
| Steel structure (m) | 0.0283 |
| Damage Radii (DR) for various degrees of damage due to overpressure | |
| DR for 100% damage (m) | 97 |
| DR for 100% fatality or 50% damage (m) | 150 |
| DR for 50% fatality or 25% damage (m) | 220 |
| Damage radii (DR) for the varying degree of damage due to missile | |
| DR for 100% damage or 100% fatality (m) | 2594 |
| DR for 50% damage or 100% fatality (m) | 2710 |
| DR for 100% fatality or 10% damage (m) | 2814 |
| Fire: Fireball | |
| Radius of the fireball (m) | 145.00 |
| Duration of the fireball (s) | 59.00 |
| Energy released by fireball (kJ) | 2.89e+07 |
| Radiation heat flux (kJ/m²) | 8038.00 |
| Damage Radii (DR) due to thermal load | |
| DR for 100% fatality/damage (m) | 145 |
| DR for 50% fatality/damage (m) | 200 |
| DR for 100% third degree of burn (m) | 277 |
| DR for 50% third degree of burn (m) | 360 |

Table 6. Results of maximum credible accident analysis for reboiler—scenario 5

| Parameters | Values |
|---|---|
| Explosion: UVCE | No explosion |
| Fire: Flash Fire | |
| Volume of vapor cloud (m³) | 389 |
| Effective time of fire (s) | 213787 |
| Effective thermal load (kJ/m²) | 1762 |
| Damage Radii (DR) due to thermal load | |
| DR for 100% fatality/damage (m) | 69 |
| DR for 50% fatality/damage (m) | 93 |
| DR for 100% third degree of burn (m) | 142 |
| DR for 50% third degree of burn (m) | 165 |

Table 7. Elements of the fault tree developed for the most credible accident in the ethylene transportation line

| Number referred in Figure | Elements | Failure frequency (/yr) |
|---|---|---|
| 1 | Release due to accident with road tanker | 4.5e-05 |
| 2 | Release due to damage caused by earthquake | 1.0e-08 |
| 3 | Choking of the pipeline | 3.6e-02 |
| 4 | Compressor overrun | 1.2e-02 |
| 5 | Side reaction in the pipeline | 2.5e-04 |
| 6 | Heating of the pipe | 3.5e-03 |
| 7 | Leaks from the joints and/or bends | 4.3e-03 |
| 8 | Leaks from bends | 2.5e-03 |
| 9 | Leak from the straight run pipe due to corrosion | 7.8e-03 |
| 10 | Mechanical failure or fault in the pipeline | 4.0e-05 |
| 11 | Leak from the valves | 2.6e-04 |
| 12 | Ignition source | 1.0e-01 |
| | Events added for safety measures | |
| 13 | Cooling system failed | 1.0e-01 |
| 14 | Safety relief system failed | 1.0e-02 |
| 15 | Flammable chemical detector failed to function on demand | 5.0e-02 |
| 16 | Inert gas purging/blanking system to dilute released toxic/flammable gases failed | 1.0e-01 |
| 17 | Flame arrestor failed to function on demand | 5.0e-02 |

Fig. 4. Fault tree for an accident in a pipeline.


Table 8. Results of PROFAT for the most credible accident scenario in the ethylene transportation line

| Event not occurring | Probability | Improvement | Improvement Index |
|---|---|---|---|
| 0 | 8.077949e-03 | 0.000000e+00 | 0.000000 |
| 1 | 7.677899e-03 | 1.600200e-03 | 2.481282 |
| 2 | 8.077963e-03 | 5.855691e-08 | 0.000091 |
| 3 | 3.939644e-03 | 1.655322e-02 | 25.66763 |
| 4 | 6.704153e-03 | 5.495187e-03 | 8.520895 |
| 5 | 8.049340e-03 | 1.144345e-04 | 0.177443 |
| 6 | 7.677839e-03 | 1.600440e-03 | 2.481660 |
| 7 | 7.586344e-03 | 1.966421e-03 | 3.049154 |
| 8 | 7.792205e-03 | 1.142977e-03 | 1.772313 |
| 9 | 7.185653e-03 | 3.569184e-03 | 5.534415 |
| 10 | 8.073375e-03 | 1.829898e-05 | 0.028375 |
| 11 | 8.048296e-03 | 1.186125e-04 | 0.183922 |
| 12 | 0.000000e+00 | 3.231180e-02 | 50.10301 |

The total probability of occurrence of the undesired event when all initiating events occur is estimated as 8.07E-03 per year.

The improvement factor analysis (fifth step of ASM) suggests that event 12 has the largest contribution (about 50%) to the probability of the eventual accident. Table 8, which summarizes the results of the improvement analysis, indicates that events which would have the lowest contribution towards the undesired event are 2, 5, 10, and 11. The study concludes that particular attention must be paid to events 12, 3, 4, 9, 7, 6, and 1, which are most likely to lead to the eventual accident (top event).
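Steps 4 and 5 of ASM and the ranking read from Table 8, as an added Python example that is not PROFAT or the authors' code: it computes a top-event probability from minimal cut sets, cross-checks it with a seeded Monte Carlo run, and converts the drop obtained by removing each event into a percentage index. The event frequencies are those of Table 7; the cut sets are hypothetical because Fig. 4 is not reproduced here, and normalizing the drops so that they sum to 100 is an assumption that is consistent with the index column of Table 8.

```python
"""Added example: top-event probability and improvement index from cut sets."""
import random
from itertools import product

# Failure frequencies (/yr) of basic events 1-12, copied from Table 7. They are
# used here as per-year probabilities of independent events (an assumption).
FREQ = {1: 4.5e-05, 2: 1.0e-08, 3: 3.6e-02, 4: 1.2e-02, 5: 2.5e-04,
        6: 3.5e-03, 7: 4.3e-03, 8: 2.5e-03, 9: 7.8e-03, 10: 4.0e-05,
        11: 2.6e-04, 12: 1.0e-01}

# HYPOTHETICAL minimal cut sets (Fig. 4 is not available): every release path
# needs the ignition source (12), and a side reaction (5) only leads to a
# release together with heating of the pipe (6).
CUT_SETS = [frozenset({e, 12}) for e in (1, 2, 3, 4, 7, 8, 9, 10, 11)]
CUT_SETS.append(frozenset({5, 6, 12}))


def events_in(cut_sets):
    """Sorted list of the basic events that appear in any cut set."""
    return sorted(set().union(*cut_sets))


def top_event_probability(freq, cut_sets):
    """Exact P(top event) by enumerating every failed/working combination."""
    events = events_in(cut_sets)
    total = 0.0
    for states in product((False, True), repeat=len(events)):
        failed = {e for e, is_failed in zip(events, states) if is_failed}
        if not any(cs <= failed for cs in cut_sets):
            continue  # no complete cut set has failed, so no top event
        weight = 1.0
        for e, is_failed in zip(events, states):
            weight *= freq[e] if is_failed else 1.0 - freq[e]
        total += weight
    return total


def monte_carlo_probability(freq, cut_sets, trials=100_000, seed=2002):
    """Simulation estimate of P(top event); seeded so runs are repeatable."""
    rng = random.Random(seed)
    events = events_in(cut_sets)
    hits = 0
    for _ in range(trials):
        failed = {e for e in events if rng.random() < freq[e]}
        if any(cs <= failed for cs in cut_sets):
            hits += 1
    return hits / trials


def improvement_indices(freq, cut_sets):
    """Repeat the estimate with each event absent (step 5).

    Returns the baseline probability and, per event, its share (in percent)
    of the summed drops in top-event probability.
    """
    base = top_event_probability(freq, cut_sets)
    drop = {}
    for e in events_in(cut_sets):
        without = {**freq, e: 0.0}  # "event not occurring"
        drop[e] = base - top_event_probability(without, cut_sets)
    total = sum(drop.values())
    return base, {e: 100.0 * d / total for e, d in drop.items()}


def ranked_events(index):
    """Events ordered from largest to smallest improvement index."""
    return sorted(index, key=index.get, reverse=True)


if __name__ == "__main__":
    base, index = improvement_indices(FREQ, CUT_SETS)
    print(f"exact P(top)       = {base:.6e} per year")
    print(f"Monte Carlo P(top) = {monte_carlo_probability(FREQ, CUT_SETS):.6e}")
    for e in ranked_events(index):
        print(f"event {e:2d}: improvement index {index[e]:9.5f} %")
```

Because the tree is constructed, the numbers differ from Table 8, but the same pattern appears: the event common to every cut set (ignition) takes about half of the index, and the remaining share follows the frequencies of the single-cause release events.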

4.5.2. Ethylene oxide storage vessel

4.5.2.1. Fault tree development

As mentioned elsewhere, the most credible accident scenario for this unit is envisaged as CVCE followed by a fireball. There are nineteen basic events that contribute directly and indirectly to an accident. The likely sequences of events are depicted in Fig. 5. The probability of the occurrence of these basic events is presented in Table 9.

4.5.2.2. Fault tree analysis

The developed fault tree (depicted in Fig. 5) has been analyzed using PROFAT. The result of the analysis is presented in Table 10. The overall probability of occurrence of this particular scenario is estimated as 8.269E-04 per year. It is evident from Table 10 that events 18, 6, 1, 2, and 3 contribute to the extent of 45%, 18%, 13%, 8%, and 8% respectively, in causing this accident. Control of these events would considerably reduce the overall probability of occurrence of the top event.

4.5.3. Reaction unit, EO distillation column, and reboiler

A fault tree has been developed for the most credible accident scenario in the reaction unit. The developed tree contains 25 basic events. Similarly, the fault tree for the distillation column contains 23 basic events, and for the reboiler, 18 basic events. These fault trees are subsequently analyzed using PROFAT. The results reveal that the most credible accident in the reaction unit is likely to occur with a frequency of 4.292E-03 per year.

Fig. 5. Fault tree for an accident in a storage vessel of EO.


Table 9. Elements of the fault tree developed for the most credible accident in the ethylene oxide storage vessel

| Number referred in Figure | Elements | Failure frequency (/yr) |
|---|---|---|
| 1 | Truck hitting the storage tank | 2.0e-03 |
| 2 | Road accident causing generation of heat load | 5.0e-02 |
| 3 | Cooling failed or inadequate | 2.0e-02 |
| 4 | Damage due to earthquake | 1.0e-08 |
| 5 | Failure due to corrosion | 6.0e-04 |
| 6 | Joint failed | 3.0e-03 |
| 7 | Hitting from external source | 2.0e-04 |
| 8 | Impurities present in the tank/or EO impure | 1.0e-01 |
| 9 | Decomposition of EO | 2.5e-01 |
| 10 | Pressure control failed | 2.5e-01 |
| 11 | Excess flow (overfilling of the tank) in the tank | 1.0e-01 |
| 12 | Inflow to storage is at higher pressure | 3.5e-02 |
| 13 | Overheating due to high temperature EO inflow | 5.0e-02 |
| 14 | Temperature controller failed | 2.5e-01 |
| 15 | Heat generation due to side reaction | 5.0e-03 |
| 16 | Bursting disk capacity inadequate/failed to function | 2.0e-02 |
| 17 | Relief valve inadequate/failed to function | 2.0e-02 |
| 18 | Ignition source | 1.0e-01 |
| 19 | Alarm failed | 1.5e-01 |
| | Events added for safety measures | |
| 20 | Installed insulated barrier (wall) between transportation and storage vessel failed | 1.0e-02 |
| 21 | Improper maintenance or maintenance failure to detect the defect | 1.0e-01 |
| 22 | Emergency relief valve to evacuate the content to another vessel failed | 5.0e-03 |
| 23 | Installed cooling system failed | 1.0e-01 |
| 24 | Inert gas purging/blanking system to dilute released toxic/flammable gases failed | 1.0e-01 |
| 25 | Flame arrestor failed to function on demand | 5.0e-02 |

Accidents in the distillation column and the reboiler are less likely to occur (1.45E-04 per year and 3.50E-04 per year, respectively, Table 11).

4.6. Risk quantification

Using the results of steps 2 and 3, risk has been computed. The summary of the average individual risk factor caused by different accidents is given in Table 11. Analysis of these results reveals that the ethylene transportation line and the reaction unit pose maximum individual risk, 2.34E-03 and 1.575E-03 per year respectively, because the probability of occurrence of both events is quite high.

FN curves for these units have been plotted in Figs. 6–10. It is evident from these figures that except for some parts of the distillation column and the reboiler most of the FN curves are far above the acceptance criteria (Dutch acceptable risk criteria). Thus, these units require extra safety measures.

4.6.1. Risk reduction through add-on safety measures—MCCA–PFTA controller system

A list of the possible control options to reduce the risk is given in Table 12. From these, various combinations of the control measures were selected to reduce the risk potential of a unit. When these measures were accounted for, the fault tree for the unit was modified, as shown in Fig. 11 for an ethylene transportation line. On analyzing the new fault tree (Fig. 11), the frequency of occurrence of the top event (envisaged accident) was changed to 3.153E-05, which is about 250 times lower than the previous value. The risk profile (FN curve) after the implementation of control measures for an ethylene transportation line is shown in Fig. 6, revealing that after safety measures were taken into account, the risk profile decreased to well within the acceptable limits. After deciding the safety measures, the fault tree for the storage vessel was modified, as shown in Fig. 12. The modified fault tree has been processed through PROFAT for probability estimation. The results reveal that after implementing the safety measures, the probability of occurrence decreases to 4.515E-06, a value about 180 times lower than the previous value (Table 11). It can be seen from Fig. 9 that the FN curve for the modified situation is well within the acceptable range.

This step has also been repeated for the reaction unit, the distillation column, and the reboiler. A significant lowering of the probability has been observed in these cases as well (Table 11). The risk profiles for these units are presented in Figs. 7, 8 and 10. For the reboiler unit, implementation of only a few safety measures brings the FN curve to an acceptable range. On the other hand, for the reaction unit and to some extent for the distillation column, the implementation of considerable safety measures, similar to those for the storage vessel, is required to bring the FN curve to an acceptable range (Figs. 7 and 8).

5. Conclusion

The objective of this paper is to discuss a recently proposed methodology for safety management through a quantitative feedback system of risk assessment, and to demonstrate its application to real life. The methodology is basically a combination of four quantitative steps, each requiring independent methodology and computer-aided tools. The first step is to identify and screen the hazards in an industry; for this the robust, reliable and efficient methodology of SWeHI has been recommended. The next step, hazard quantification (MCAA), uses the recently proposed methodology of MCAS and computer tools such as MAXCRED-III. Another part of this step estimates the probability of an envisaged accident scenario and is conducted using the fault tree analysis, PROFAT, the recommended computer-automated tool. In the third step, the results of the previous two steps are combined to compute risk. The estimated risk is subsequently compared with the criteria; if it exceeds the acceptable level, step 4 is executed. Step 4 is the feedback step, which carries out step 3, once the necessary safety measures to control the risk have been decided.

Table 10. Results of PROFAT for the most credible accident scenario in the chlorohydrin reactor

| Event not occurring | Probability | Improvement | Improvement Index |
|---|---|---|---|
| 0 | 8.269699e-04 | 0.000000e+00 | 0.000000 |
| 1 | 5.960017e-04 | 9.238724e-04 | 12.60345 |
| 2 | 6.803274e-04 | 5.865701e-04 | 8.001984 |
| 3 | 6.802230e-04 | 5.869873e-04 | 8.007675 |
| 4 | 8.270441e-04 | 2.969609e-07 | 0.004051 |
| 5 | 7.576942e-04 | 2.771026e-04 | 3.780231 |
| 6 | 4.803985e-04 | 1.386285e-03 | 18.91169 |
| 7 | 8.039474e-04 | 9.208970e-05 | 1.256287 |
| 8 | 8.254201e-04 | 6.199130e-06 | 0.084568 |
| 9 | 8.200557e-04 | 2.765663e-05 | 0.377291 |
| 10 | 8.245261e-04 | 9.775176e-06 | 0.133353 |
| 11 | 8.264632e-04 | 2.026922e-06 | 0.027651 |
| 12 | 8.268506e-04 | 4.770845e-07 | 0.006508 |
| 13 | 8.267462e-04 | 8.948991e-07 | 0.012208 |
| 14 | 8.254646e-04 | 6.021248e-06 | 0.082142 |
| 15 | 8.270144e-04 | 1.779845e-07 | 0.002428 |
| 16 | 8.172244e-04 | 3.898186e-05 | 0.531790 |
| 17 | 8.172244e-04 | 3.898186e-05 | 0.531790 |
| 18 | 0.000000e+00 | 3.307879e-03 | 45.12606 |
| 19 | 8.172244e-04 | 3.898186e-05 | 0.531790 |

Table 11. Average individual risk factor before and after add-on safety measures have been decided

| Process units | Before improvement of safety measures: Probability of occurrence | Before improvement of safety measures: Average individual risk factor | After implementation of safety measures: Probability of occurrence | After implementation of safety measures: Average individual risk factor |
|---|---|---|---|---|
| Ethylene pipeline | 8.077E-03 | 2.340E-03 | 3.153E-05 | 9.90E-06 |
| Ethylene oxide reactor | 4.292E-03 | 1.575E-03 | 1.455E-05 | 5.32E-06 |
| Distillation column | 1.450E-04 | 5.200E-05 | 7.562E-06 | 2.73E-06 |
| Ethylene oxide storage | 8.269E-04 | 4.540E-04 | 4.515E-06 | 2.50E-06 |
| Reboiler | 3.505E-04 | 1.020E-04 | 1.150E-05 | 3.37E-06 |

Fig. 6. FN curves for an ethylene transportation pipeline.

Fig. 7. FN curve for an EO reactor (reaction unit).

Fig. 8. FN curve for a distillation column.

Fig. 9. FN curve for an EO storage vessel.

Fig. 10. FN curves for a reboiler.

Table 12. Various add-on safety options that have been suggested for implementation over different units to bring risk factors to the acceptable values

| Control option | Frequency of failure (/yr) |
|---|---|
| Flame arrester | 0.050 |
| Installing insulated barrier (wall) between transportation and storage vessel | 0.010 |
| Regular maintenance scheme for corrosion and other mechanical defects | 0.100 |
| Sprinkling system | 0.010 |
| Advanced control mechanism, i.e. feed forward, cascade control, neural network based control, DDC | 0.005 |
| Advanced final control element (digital controller) | 0.001 |
| Installation of pressure monitoring with emergency relief system | 0.050 |
| Installing cooling system | 0.100 |
| Replacement of old valves with more reliable valves | 0.090 |
| Check valve with relief provision | 0.030 |
| Installation of additional controllers | 0.020 |
| Installation of by pass line | 0.040 |
| Flammable chemical detector | 0.050 |
| Safety relief valve | 0.010 |
| Emergency relief valve to evacuate the contents to another vessel | 0.005 |
| Inert gas purging/blanking system to dilute released toxic/flammable gases | 0.100 |

The proposed methodology has been given the acronym SCAP, Safety, Credible Accident, Probabilistic fault tree analysis. The usefulness of the methodology has been demonstrated by applying it to a real life situation (ethylene oxide plant) where SCAP showed how successive safety measures lowered the risks posed by five units of the plant within levels defined ‘safe’. These authors believe that this methodology scores better in the following ways:

• Easy to implement: there are only four straightforward steps with structured methodology and guidance to conduct each step.

• Faster in implementation: the use of a computer-automated tool will considerably reduce the time of the application.

• More reliable results: as the methodology recommends the use of the latest, reliable methodology and models for each step such as SWeHI, MCAS, and ASM, the final outcome of the study will be more reliable.

• No interpretation of results: the outcome of each step is of direct importance and does not require any interpretation; e.g. the results of SWeHI: radius of area under threat; MCAS: most credible accident scenario; risk computation: individual risk factor and FN curve, etc.

Fig. 11. Modified fault tree diagrams after implementing control measures for an accident in an ethylene pipeline.

Acknowledgements

Support provided by Faculty of Engineering and Applied Science, Memorial University of Canada and Centre for Pollution Control and Energy Technology, Pondicherry University of India is highly appreciated. Authors are also grateful to Dr. Iona Bulgin for editing the text of the manuscript.

Fig. 12. Modified fault tree diagrams after implementing control measures for an accident in a storage vessel of EO.

References

API (1990). Management of process hazards, American PetroleumInstitute Recommended Practice 750 (1st ed.). Washington, DC:API.

BBC (2000). Huge blast rocks Kuwait’s refinery. WWW.BBC.COMBossche, A. (1991). Computer aided fault tree synthesis; system mode-

ling and causal trees; Fault tree construction; real time faultlocation—I. Reliability Engineering and System Safety, 32, 217–241.

CCPS (1989). Guidelines for chemical process quantitative risk analy-sis. New York: AIChE.

CNN (1997). Explosion and fire reported at Shell Oil Company plant.www.cnn.com/us9706/22/briefs/shwll.oil.expl/index.html

CNN (1998). Fuel from vandalized Nigerian pipeline ignites killing50. www.cnn.com/2000/world/africa/03/22/nigeria.pipeline.fire

CNN (1999a). Largest fine ever sought for fatal pipeline explosion inWashington state. www.cnn.com/2000/law/06/02/pipeline.safety.fine/index.html

CNN (1999b). 2 killed in Tennessee oil tank blast.www.cnn.com/us/9906/30/tank.explodes

CNN (2000a). Explosion hits Kuwait’s al-Ahmadi refinery.www.cnn.com

CNN (2000b). 4 dead, 49 hurt in blast at Kuwait’s largest oilrefinery. www.cnn.com

Page 18: 1-s2.0-S0950423001000262-main eo

146 F.I. Khan et al. / Journal of Loss Prevention in the Process Industries 15 (2002) 129–146

Cristen, P., Bhnenblust, H., & Seitz, S. (1994). A method for assessingcatastrophic damage to the population and environment. ProcessSafety Progress, 13 (4), 1–4.

CSB (1999). Investigation report explosive manufacturing facility atSierra chemical company, Chemical Safety and Hazard Investi-gation Board, 2175 K Street, N.W. Suite 400, Washington, DC.

Dubois, D., & Prade, H. (1980). Fuzzy sets and systems: theory andapplications. New York: Academic Press.

Fowcett, H. H. (1993). In H. H. Fowcett, & W. S. Wood, Toxicityversus hazards, safety and accident prevention in chemical oper-ation (pp. 245–260). New York: Wiley.

Greenberg, H. R., & Slater, B. B. (1992). Fault tree and event treeanalysis. New York: Van Nostrand Reinhold.

Greenbook (1992). Methods for determining of possible damage topeople and objects resulting from release of hazardous materials.Report CPR 16E, Voorburg, Warrington.

Khan, F. I., & Abbasi, S. A. (1997a). A maximum credible accidentanalysis based quantitative risk assessment study of chemical pro-cess industry. Indian Chemical Engineer, A39 (2), 92–98.

Khan, F. I., & Abbasi, S. A. (1997b). Risk analysis of chloralkaliindustry situated in populated area using MAXCRED-II, Processsafety progress. American Institution of Chemical Engineers(AIChE), 16 (3), 172–184.

Khan, F. I., & Abbasi, S. A. (1997c). Accident hazard index: a multi-attribute scheme for process industry hazard rating. TransactionInstitution of Chemical Engineers: Environmental Protection andSafety, 75B, 217–221.

Khan, F. I., & Abbasi, S. A. (1998a). Risk assessment in chemicalprocess industries: advanced techniques. New Delhi: Discovery.

Khan, F. I., & Abbasi, S. A. (1998b). Multivariate hazard identificationand ranking system. Process Safety Progress (AIChE), 17 (3),157–165.

Khan, F. I., & Abbasi, S. A. (1998c). Techniques for risk analysis ofchemical process industries. Journal of Loss Prevention in ProcessIndustries, 11 (2), 91–105.

Khan, F. I., & Abbasi, S. A. (1998d). Accident simulation as a toolfor assessing and calculation environmental risk in CPI: a casestudy. Korean Journal of Chemical Engineering, 11 (2), 12–19.

Khan, F. I., & Abbasi, S. A. (1999a). The worst chemical industryaccident of 1990s—what happened and what might have been: Aquantitative study. Process Safety Progress, 18, 135–141.

Khan, F. I., & Abbasi, S. A. (1999b). MAXCRED—a new softwarepackage for rapid risk assessment in chemical process industries.Environment Modeling and Software, 14, 11–25.

Khan, F. I., & Abbasi, S. A. (1999c). Major accidents in process indus-tries and analysis of their causes and consequences. Journal of LossPrevention in Process Industries, 12, 361–378.

Khan, F. I., & Abbasi, S. A. (1999d). PROFAT: a user-friendly systemfor probabilistic fault tree analysis. Process Safety Progress, 18(1), 42–49.

Khan, F. I., & Abbasi, S. A. (1999e). Assessment of risks posed bychemical industries-application of a new computer automated toolMAXCRED-III. Journal of Loss Prevention in Process Industries,12, 455–469.

Khan, F. I., & Abbasi, S. A. (2000). Studies on the probabilities andlikely impacts of chains of accident (domino effect) in a fertilizerindustry. Process Safety Progress, 19 (1), 45–53.

Khan, F. I., & Abbasi, S. A. (2001a). Criteria for developing credibleaccident scenarios for risk assessment. Journal of Loss Preventionin Process Industries (in press).

Khan, F. I., & Abbasi, S. A. (2001b). Analytical simulation and PRO-FAT II: a new methodology and a computer automated tool forfault tree analysis in chemical process industries. Journal of Haz-ardous Materials (in press).

Khan, F. I., & Abbasi, S. A. (2001c). Risk analysis of a typical chemi-cal industry using ORA. Journal of Loss Prevention in ProcessIndustries, 14 (1), 43–59.

Khan, F. I., Husain, T., & Abbasi, S. A. (2001). Safety Weighted Haz-ard Index (SWeHI): a new user-friendly tool for swift yet compre-hensive hazard identification and safety evaluation in chemical pro-cess industries. Trans IChemE, 79 (B), 66–80.

Khoda, T., & Henley, E. J. (1988). On digraphs, fault trees and cutsets. Reliability Engineering, 20, 35–42.

Laplante, A. (1998). Too close to home: a report on chemical accidentrisks in the united states. US Public Interest Research Group (U.S.PIRG), 218 D Street, S.E., Washington, DC.

Lees, F. P. (1996). Loss prevention in CPI. London: Butterworths.Noma, K., Tankara, H., & Asai, K. (1981). Fault tree analysis with

fuzzy probability. Journal of Ergonomics, 17, 291–297.Papazoglou, A., Nivoliantiou, A. O., & Christou, M. (1992). Proba-

bilistic safety analysis in chemical installation. Journal of Loss Pre-vention in Process Industries, 5 (3), 181–191.

Perrow, C. (2000). PIRG Toxics too close to home.www.pirg.org/reports/enviro.

Prugh, R. W. (1992). Computer-aided HAZOP and fault tree analysis.Journal Loss Prevention Process Industries, 5, 3–12.

Rauzy, A. (1993). New algorithms for fault tree analysis. ReliabilityEngineering and System Safety, 40, 203–211.

Shafaghi, A. (1988). Structure modeling of process systems for riskand reliability analysis. In A. Kandel, & E. Avni, Engineering riskand hazard assessment (pp. 45–64) (Vol. 2). Boca Raton, FL:CRC Press.

Soon, H. C., Joo, Y. P., & Myung, K. K. (1985). The Monte-Carlomethod without sorting for uncertainty propagation analysis inPRA. Reliability Engineering, 10, 233.

Tanaka, H., Fan, L. T., Lai, F. S., & Toguchi, K. (1983). Fault treeanalysis by fuzzy probability. IEEE Transactions on Reliability, R-32, 453–456.

Tyler, B. J., Thomas, A. R., Doran, P., & Grieg, T. R. (1994). A tox-icity hazard index. Hazards, 13, 351.

TVS Petrochemical (1999). A techno-feasibility report of ethylenemanufacture. ARSF consultants, Amsterdam, The Netherlands.

Worrel, R. B., & Stack, D. W. (1990). A SETS user’s manual forthe fault tree analyst. SAND77-2051. Sandia National Laboratory,Albuquerque, NM.

Yllera, J. (1988). Modularization methods for evaluating fault tree ofcomplex technical system. In Kandel, & Avni, Engineering riskand hazard assessment (pp. 81–100) (Vol. 2). Boca Raton, FL:CRC Press.