Factory Mutual 7-43

Property Loss Prevention Data Sheets 17-2
May 1999
Supersedes February 1974
Page 1 of 50
LOSS PREVENTION IN CHEMICAL PLANTS
Table of Contents
Page
1.0 SCOPE ,.................................................................................................................................................. 3
2.0 RECOMMENDATIONS ........................................................................................................................... 3
2.1 Process Safety Management (PSM) System .................................................................................. 3
2.1.1 General .................................................................................................................................. 3
2.1.2 Accountability and Responsibility .......................................................................................... 4
2.1.3 Process Safety Knowledge and Documentation ................................................................... 4
2.1.4 Process Safety Review (Process Hazard Analysis) .............................................................. 4
2.1.5 Management of Change ........................................................................................................ 5
2.1.6 Process and Equipment (Mechanical) Integrity .................................................................... 5
2.1.7 Incident Investigation ............................................................................................................. 5
2.1.8 Training and Performance ..................................................................................................... 6
2.1.9 Human Factors ...................................................................................................................... 6
2.1.10 Standards, Codes and Laws ............................................................................................... 7
2.2 Highly Protected Risk (HPR) ........................................................................................................... 7
2.3 Principles of Inherent Safety ........................................................................................................... 8
3.0 DISCUSSION .......................................................................................................................................... 8
3.1 Process Risk Management Strategies ............................................................................................ 8
3.1.1 Tier 1 « Inherent Safety ......................................................................................................... 9
3.1.2 Tier 2 «Passive ..................................................................................................................... 9
3.1.3 Tier 3« Active ...................................................................................................................... 10
3.1.4 Tier 4 - Procedural ............................................................................................................... 11
3.1.5 Summary .............................................................................................................................. 11
3.2 Process Safety Management ......................................................................................................... 11
3.2.1 Accountability and Responsibility ........................................................................................ 11
3.2.2 Process Safety Knowledge and Documentation ................................................................. 12
3.2.3 Process Safety Review (Process Hazard Analysis) ........................~ ................................... 14
3.2.4 Process Risk Management ................................................................................................. 16
3.2.5 Management of Change ...................................................................................................... 19
3.2.6 Process and Equipment (Mechanical) Integrity .................................................................. 22
3.2.7 Incident Investigation ........................................................................................................... 24
3.2.8 Training and Performance ................................................................................................... 27
3.2.9 Human Factors .................................................................................................................... 29
3.2.10 Standards, Codes, and Laws ............................................................................................ 33
3.2.11 Audits and Corrective Actions ........................................................................................... 33
3.2.12 Emergency Response Planning ........................................................................................ 36
3.3 Concepts of Highly Protected Risk ................................................................................................ 37
3.3.1 Requirements to Achieve HPR Status. .. ............................................................................. 37
3.4 Concepts of Inherent Safety .......................................................................................................... 43
3.4.1 Intensification ....................................................................................................................... 43
3.4.2 Substitution .......................................................................................................................... 43
3.4.3 Attenuation .......................................................................................................................... 44
3.4.4 Limitation of Effects ............................................................................................................. 44
3.4.5 Simplification/Error Tolerance .............................................................................................. 45
©1999 Factory Mutual Engineering Corp. All rights reserved. No part 01 this document may be reproduced. stored in a retrieval system,
or transmitted. in whole or in part, in any form or by any means. electronic, mechanical. photocopying, recording. or otherwise, without written
permission of Factory Mutual Engineering Corp.
7-43
17-2 Loss Prevention in Chemical Plants
Page 2 Factory Mutual Property Loss Prevention Data Sheets
4.0 BIBLIOGRAPHy .... ............................................................................................................................... 45
4.1 Process Safety and Risk Management ......................................................................................... 45
4.2 Highly Protected Risk Guidelines for Chemical Industry .............................................................. 45
4.3 Concepts of Inherent Safety .......................................................................................................... 46
4.4 Preventive Main.tenance ................................................................................................................ 46
4.5 Chemical Hazard Information ........................................................................................................ 46
APPENDIX A: INTERNATIONAL ORGANIZATIONS AND REGULATORY CODES OVERSEEING
CHEMICAL PLANT PROCESS SAFETY .......................................................................... 47
A.1 Mandatory Regulations Covering PSM and Related Chemical Industry Safety Oversight .......... 47
A.1.1 Europe ................................................................................................................................. 47
A.1.2 United States ...................................................................................................................... 47
A.2 Voluntary Chemical Industry Programs and Resources ............................................................... 49
A.2.1 Australia .............................................................................................................................. 50
A.2.2 Canada ................................................................................................................................ 50
A.2.3 India .................................................................................................................................... 50
A.2.4 Far East .............................................................................................................................. 50
A.2.5 South America ..................................................................................................................... 50
A.2.6 United Kingdom .................................................................................................................. 50
A.2.7 United States ...................................................................................................................... 50
List of Tables
Table 1. Comparison of OSHA and EPA Thresholds of the More Common Hazardous Chemicals .......... 48
©1999 Factory Mutual Engineering Corp. Ali rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 3
1.0 SCOPE
This data sheet describes general principles and concepts of chemical risk loss prevention and the mini­
mum requirements for a chemical operation to qualify as a Highly Protected Risk (HPR). Other Factory Mutual
(FM) data sheets, listed in Section 4.0, provide specific guidance on protection concepts and design require­
ments within this HPR framework.
An HPR chemical facility is one that meets the highest standards of property loss prevention including man­
agement commitment, process control, fixed active and passive protection where needed, and employee
training and awareness.
Process safety management (PSM) as a way of conducting business has been developed over many years
to guide the chemical process industry toward safer facilities before being adopted by various regulatory
agencies. It can and should be considered the foundation of all loss prevention activities in this industry as
well as related industries with hazardous chemical processes. Process safety management is a neces­
sary component of an HPR facility to minimize or prevent episodic releases or events that can cause prop­
erty damage and business interruption.
A number of U.S. national and state regulations, as well as those of the European Union and other intema­
tional regulators, have adopted PSM in one form or another. (Highlights of some of these regulations are
in the Appendix.) This data sheet is not meant to address issues associated with regulatory compliance but
also does not introduce any conflicts with these regulations.
As a fundamental subset of PSM and HPR concepts, principles of inherent safety, as they apply to the chemi­
cal industry, are also discussed. By practicing the concept of inherent safety, a hazardous plant or pro­
cess can be significantly reduced in overall risk.
The concepts of Highly Protected Risk, process safety management, and inherent safety are aU interre­
lated and apply to chemical facilities as well as non-chemical facilities with chemical processes. The level
of detail to which PSM principles are implemented is in proportion to the level of hazard of the operation. PSM
principles are not a cookbook to be followed but a philosophy to be applied according to need.
2.0 RECOMMENDATIONS
2.1 Process Safety Management (PSM) System
2. 1. 1 General
2.1.1.1 Chemical plants and hazardous chemical operations in other plants should have a process safety
management system in place to assure that the following (or equivalent) elements· of process safety are inte­
grated into plant operations:
a. Accountability and Responsibility
b. Process Safety Knowledge and Documentation
c. Process Safety Review (Process Hazard Analysis)
d. Process Risk Management
e. Management of Change
1. Process and Equipment (Mechanical) Integrity
g. Incident Investigation
h. Training and Performance
I. Human Factors
j. Standards, Codes, and Laws
k. Audits and Corrective Actions
L Emergency Response Planning
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 4 Factory Mutual Property Loss Prevention Data Sheets
• These 12 elements are based on the Center for Chemical Process Safety (CCPS) "Plant Guidelines for Tech­
nical Management of Chemical Process Safety". Other guidelines are equivalent and can be substituted.
A list of CCPS and other references on PSM is provided in Section 4.0, Bibliography.
2. 1.2 Accountability and Responsibility
Key components of this element are a policy statement; management commitment; procedural requirements;
and a peJiormance measurement.
2.1.2.1 Management should develop a written policy statement that clearly defines process safety and loss
prevention as a priority which is shared by management as well as plant operations personnel. The state­
ment could include a Process Safety Management organization chart which clearly shows positions, lines of
authority, and process safety functional titles. The policy statement should receive broad distribution to all
sectors of the organization, backed by genuine management interest in loss prevention. The statement and
organizational chart should be reviewed regularly and updated as needed to reflect things such as manage­
ment changes within the facility.
2.1.2.2 The facility's PSM program should have procedures to resolve safety and loss prevention con­
cerns which arise from new design, HAZOP reviews, Management of Change (MOC) issues, etc. and should
include input from operations employees, where appropriate. These procedures should designate a per­
son or position that is responsible for achieving resolution.
2.1.2.3 A program should be in place to track how well safety and loss prevention concerns are resolved.
Of particular interest are those concerns that were not easily resolved. This could be as simple as a monthly
report of the status of unresolved issues sent to a designated responsible person as indicated by the orga­
nizational chart or plant procedures.
2. 1.3 Process Safety Knowledge and Documentation
2.1.3.1 The organization should assign a responsibility for maintaining key material and process hazard
information, design basis information, design standards, electrical area classifications, key design deci­
sions, alternate process considerations, and basic operation and maintenance procedures for all chemical
processes. Documents would also include accident investigations, causes and corrections as well as records
of process, equipment and maintenance changes.
2.1 .3.2 All processes should have detailed written procedures that document normal operating proce­
dures, as well as start-up, shutdown and abnormal situations. These procedures should be kept up-tO-date
and written in such manner as to be understood by all operating personnel. Should the facility be multilin­
gual, procedures should be maintained in separate form for each language. Any changes to the docu­
mented procedures should follow the Management of Change procedures of the PSM program. Operator
involvement in writing the procedures will ensure comprehensiVe detail in the procedures.
2.1.3,3 A periodic review or audit should be peJiormed for all written procedures to ensure they remain
current.
2.1.4 Process Safety Review (Process Hazard Analysis)
2.1.4.1 The following are considered a minimum to meet the Process Safety Review requirements in an
effective program based on PSM principles:
a. Collaboration between process and loss prevention specialists at the concept stages of a project.
b, Agreement on a protection philosophy with special consideration given to inherently safe design in
site selection, construction and protection features,
c. Conduct a detailed process safety review using a recognized methodology (HAZOP, Checklist, FEMA,
etc.) at an early stage in the project. The review should be updated whenever process changes are made
and a complete re-evaluation made on a regular basis (about 5 yr. intervals).
©1999 Factory Mutual Engineering Corp, All rights reserved,
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 5
2. 1.5 Management of Change
2.1.5.1 Management should establish and implement written procedures to manage change in technology,
facilities and personnel. These procedures should be flexible enough to accommodate both major and minor
changes and should be understood and used. These procedures should:
a. Provide a method for identification of changes that should be subject to MOC procedures.
b. Provide for documentation of the process and mechanical design basis for the proposed change.
c. Provide an analysis of the loss prevention considerations involved in the proposed change, including
a formal process hazards review. if appropriate. The effects of the proposed change on separate but inter­
related upstream or downstream facilities should also be reviewed.
d. Identify the need for modifications of the operating procedures, updating P&IDs, updating personnel
training, etc.
e. Provide for communication of the proposed change and the consequences of that change to appropri­
ate personnel such as maintenance engineers, operators, safety. and emergency response staff.
f. Establish administrative procedures needed (documentation, checklists that cover hazards, records of
personnel skills, responsibilities and training.)
g. Provide for tracking of and limiting the duration of any temporary change.
h. Identify the required authorizations.
2.1.5.2 A qualified member of the plant loss prevention, safety, or engineering staff should be assigned to
communicate changes to the FM specialist where appropriate. This individual should assure that all plant per­
sonnel follow accepted methods for management of change and that the FM specialist is notified at the ear­
liest stages of significant changes to allow for proper consideration of the loss prevention aspects.
2. 1.6 Process and Equipment (Mechanical) Integrity
2.1.6.1 To implement this element of PSM, programs should be in place to address the following:
a. Reliability Engineering - Tracking and evaluating of individual equipment and processes to prevent
unexpected incidents throughout its lifetime.
b. Materials of Construction and Fabrication - Assuring equipment is built according to appropriate stan­
dards with materials appropriate to the service conditions with appropriate supporting documentation.
c. Installation Procedures - Planning quality control, inspection and pre-startup integrity testing to insure
installation in accordance with specifications and direction of the manufacturer. Poor installation can invali­
date a good design.
d. Preventive Maintenance - Documenting procedures to insure maintenance is completed on sched­
ule, unscheduled work is properly authorized and completed without introducing additional hazards, and
records are maintained and evaluated to identify future needs. This would include a comprehensive ves­
sel and piping inspection program as well as instrumentation inspection, testing and calibration.
e. Demolition Procedures - Documenting methods to isolate, remove and dispose of obsolete or
unneeded equipment without creating unnecessary hazards.
2. 1.7 Incident Investigation
2.1.7.1 The corporation should have a system based on PSM principles that requires incidents to be recorded
and investigated. The investigation methods should consist of the basic elements outlined above and records
should be kept detailing each incident, the level and results of the investigation and the status of any find­
ings or recommendations developed.
2.1.7.2 Management should make use of all incident investigations and near-misses to evaluate recur­
rences. Action should be taken to eliminate the source of error, either through system redesign or addi­
tional training. Important lessons learned in these investigations should receive wide distribution to interested
and affected parties.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 6 Factory Mutual Property Loss Prevention Data Sheets
2.1.8 Training and Performance
2.1.8.1 Operators should be fully trained in the normal operation 01 the facility, as well as the appropriate
action for each alarm condition. Since every process excursion cannot be detailed, the operators should be
trained in diagnostic and trouble-shooting skills to facilitate an orderly correction. For the most critical appli­
cations, for example nitrations, some polymerization and other highly reactive systems, use of a process
simulator for training purposes is strongly suggested. If a simulator is to be used, the control panel and instru­
mentation should be designed to match the actual equipment that will be used in the operation.
2.1.8.2 When either temporary or permanent changes are made to a process, the process documentation
and drawings should be updated prior to implementation of the changes. All employees whose responsibili­
ties involve the affected area should be retrained in the new process parameters and safe working condi­
tions. This will allow integration of the new procedures into the day-to-day functioning of the facility.
2.1.8.3 Special care must be taken when critical actions are infrequently completed in the normal course
of operations. Actions such as responding to infrequent critical alarms may result in catastrophic events if the
response is incorrect. In these cases, frequent retraining is needed.
2.1.8.4 Training should be mandatory for contract employees working in the area so they may perform in
a safe and effective manner. Training for contract employees may need to be as stringent as for operators.
2.1.8.5 A comprehensive retraining program should be in place for all operating personnel. The time inter­
val for retraining will vary depending on the criticality of the process and number of changes made. Manage­
ment should have a formal method to determine retraining frequencies.
2.1.8.6 A formal method for evaluating the effectiveness of the training program should be developed. This
may be a written test, hands-on demonstration, simulation or an extended period of on-the-job training. A
feedback mechanism should be established to inform the operator of areas requiring further study and
improvement. Records should be kept of these evaluations to facilitate improving the method of training
employees.
2.1.9 Human Factors
2.1.9.1 Organization
2.1.9.1.1 The plant's program should have written guidelines requiring that all new processes incorporate fun­
damental concepts of human lactor engineering from the design phase of the project. If human factor spe­
cialists are not available in-house, consideration should be given to retaining outside specialists to assist in
this area.
2.1.9.1.2 Human factor elements should be incorporated into existing processes, if economically viable,
whenever changes or improvements are being planned.
2.1.9.1.3 HAZOP reviews should specifically explore human factor issues to determine if appropriate design
has been included.
2.1.9.1.4 Each of the above activities should include input from operating personnel to ensure that day-to­
day operating knowledge is incorporated into the proposed improvements.
2.1.9.1.5 Management should create an environment where process safety is paramount above produc­
tion demands. Operators should be empowered to invoke a controlled shutdown of a process if operating con­
ditions indicate an imminent loss-of-control situation. A written statement to this effect, signed by senior plant
management, should be posted in the control rooms.
2.1.9.1.6 If staff reductions are anticipated, management's commitment to safety and loss prevention should
remain paramount. Special attention is needed during these times to ensure that operating personnel remain
motivated to perform their functions in a consistent and safe manner.
2.1.9.2 Alarms
2.1.9.2.1 All alarms should be ranked according to severity and displayed visually and audibly in this order
to avoid alarm overload during an actual emergency.
©1999 Factory Mutual Engineer
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 7
2.1.9.2.2 Critical alarms should be grouped separately from "information only" alarms. Audible and visual
alarms should be distinctly different for these type alarms so that priority can be given to critical alarms.
2.1.9.2.3 Critical process information should be easily accessible on the control panel so that an exces­
sive number of screen changes will not be required to understand the information in an emergency situa­
tion.
2.1.9.2.4 Critical process information and alarms should be logged, by computer or manually as appropri­
ate, and maintained for a reasonable period of time to aid in incident investigation or future process
improvements.
2.1.9.2.5 The operator should have a proactive role in the monitoring and control of process variables rather
than simply waiting for alarm conditions to sound. This will encourage the operator to be familiar with the pro­
cess data and facilitate an appropriate response in an emergency situation.
2.1.9.3 Environmental
2.1.9.3.1 Optimal performance occurs when environment factors are within specific boundaries. Proper cloth­
ing should be available for employees whose work is outside a climate-controlled environment.
2.1.9.3.2 For areas having excessive noise, proper hearing protection should be provided and a method
of communications established as vocal communication will not be feasible.
2.1.9.3.3 Proper lighting should be provided in all operations areas, and most importantly in control rooms,
to ensure control and process equipment is visible.
2.1.9.4 Maintenance Operations
2.1.9.4.1 All maintenance operations that may adversely impact the safe operation of a process or produc­
tion facility should require written authorization. Included in this authorization is notification to all areas of
the facility that the work will impact. In most cases, operations will need to be stopped or bypassed, to allow
safe work in the area. All such process modifications should be thoroughly studied to determine the ramifi­
cations of the process change.
2. 1. 10 Standards, Codes and Laws
2.1.10.1 The organization should define the minimum codes, standards and laws that will be applied for
maintaining an acceptable level of safety.
2.1.10.2 Responsibility should be assigned to ensure all codes, standards and regulations (internal or exter­
nal) are maintained current and are available to those needing to use them.
2.1.10.3 A variance procedure should be developed that can be applied when an alternative to an existing
code is to be used.
2.2 Highly Protected Risk (HPR)
A Highly Protected Risk (HPR) level of loss prevention based on FM data sheets and industry guidelines
should be the goal at chemical risks. (See also 3.3)
2.2.1 An HPR chemical risk is one that meets all of the following minimum guidelines
a. A fully integrated system based on PSM principles at a level appropriate to the hazards
b. Management commitment and oversight including early involvement of FM specialists at an early stage
of all projects
c. Adequate process control and safety instrumentation
d. Operator training and empowerment adequate for the process complexity
e. Piping and vessel overpressure protection for the hazards that exist
f. Maintenance, inspection, and testing programs covering all critical equipment and instrumentation
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2
Loss Prevention in Chemical Plants
Page 8
Factory Mutual Property Loss Prevention Data Sheets
g. An adequate and reliable water supply and delivery system
h. Ignition source control
I. Adequate spacing of buildings, process units and tanks
j. Emergency response and post-loss contingency plans
k. Testing and understanding of process chemistry
Where needed based on hazard an HPR chemical risk also incorporates the following features:
\. Adequate and reliable fixed suppression systems
m. Drainage and containment systems
n. Fire protection of structural steel
o. Damage limiting and noncombustible construction
p. Combustible gas detection
q. Inerting and purging systems
r. Barriers, barricades and/or distance separation
s. Protection against natural hazards
2.3 Principles of Inherent Safety
2.3.1 Principles of Inherent Safety should be applied where possible when designing or improving chemi­
cal plant processes. Inherent safety (see also 3.4) includes the following general principles:
a. Intensification using smaller amounts of a hazardous substances.
b. Substitution - replacing a hazardous chemical with a non-hazardous or less hazardous one.
c. Attenuation - using less hazardous process conditions or a less hazardous form of a material.
d. Limitation of effects - designing a facility to minimize the impact of a release of hazardous material
or energy, for example by sufficient spacing or more resistant construction.
e. Simplification/error tolerance - designing a facility so that operating errors are less likely or the pro­
cess is more forgiving if errors are made.
3.0 DISCUSSION
In the following sections, concepts and strategies for risk reduction in the chemical industry are discussed.
These include approaches to loss prevention using:
a. CCPS four-tiered Process Risk Management Strategy
b. CCPS systematized Process Safety Management approach
c. Factory Mutual concepts of a Highly Protected Risk
d. Concepts of Inherent Safety.
3.1 Process Risk Management Strategies
The CCPS four-tier safety strategy for reducing risk in a chemical facility includes inherent safety, passive
safety, active safety, and procedural safety.
These strategies are listed in preferred selection order as a loss prevention technique. By this method, when
designing a plant, one would approach the safety aspects by applying these strategies starting with an inher­
ent safety concept, followed by passive protection where still needed, followed by active systems, and then
by procedural or administrative systems as needed. As you move down the layers to minimize or prevent a
loss, the frequency or consequences of loss can increase.
@1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 9
3. 1. 1 Tier 1 - Inherent Safety
The first tier and most preferred approach to chemical plant loss prevention is Inherent Safety (IS). Inher­
ent safety is defined as eliminating the hazard through intensification, substitution, attenuation, limitation of
effects, or simplification/error tolerance. Refer to Section 3.4 for a full discussion on inherent safety con­
cepts including definitions of these terms. The intent of applying inherent safety is to eliminate the need for
add-on layers of passive, active, or procedural protection which have to function as designed to limit the
effects of a loss.
Examples of implementing inherent safety would be:
• substitution of water for process cooling in place of a combustible thermal oil.
• substitution of a non-flammable solvent for a flammable solvent, for example using supercritical carbon diox­
ide in place of hexane for extraction.
• through chemical research, replacing a high pressure process using extremely reactive materails in a flam­
mable solvent with an atmospheric pressure process using non-flammable solvents in a reaction that is
incapable of generating any pressure in the event of a runaway reaction.
• storing flammable gases such as ethylene in low pressure refrigerated tanks rather than pressurized tanks.
In these examples, the revised cooling and extraction systems represent no fire hazard. They require no
fixed fire protection with its installation, maintenance, and testing costs. With the new reaction system, there
is no potential for overpressure because of the chemistry of the process and the physical characteristics
of the materials have no need for costly and failure-prone add on controls, emergency relief devices or reac­
tor strengthening. Finally, with the refrigerated storage, the amount of vapor produced in the event of an unex­
pected release of the liquid will be minor compared to a similar event with pressurized storage.
Note that there may be tradeoffs when applying IS techniques or any of the four strategies. The water cool­
ing system is more susceptible to freezing and may need more cold weather protection than a thermal oil sys­
tem to prevent a costly freeze damage loss. The CO
2
extraction system requires extremely high pressures
and process equipment will be susceptible to overpressurization, requiring add on passive or active protec­
tion or procedural controls. The reaction system might require use of a corrosive material that could cause
long term building damage, requiring costly steel protection or maintenance. The economics and overall risk
reduction for all approaches, all of which carry risks, need full evaluation.
The potential for risk reduction through use of inherent safety is most likely very early in the design pro­
cess. To affect the chemistry of the process may require years of experimental work. Other more tolerant
changes and safety improvements may be made during plant design.
While opportunities to apply inherent safety concepts should always be explored, there will always be situa­
tions where other risk management strategies may need to be employed.
3. 1.2 Tier 2 - Passive
The next tier, and the next in safety selection preference is the passive approach. A passive approach is
one that requires no mechanical device or system to actively function to limit or prevent the loss. A passive
approach can also be one that stores or uses hazardous materials in a form or state that is as benign as
possible.
For example, after a process review it is determined that water cooling cannot be used and the process
requires a reaction that is capable of generating 50 psig in the event of a runaway reaction.
If a combustible thermal oil must be used for cooling, a passive approach would attempt to use an oil with
the most benign properties and under the lowest temperature and pressure as possible. Further, this approach
would limit the amount of potential oil released by eliminating bulk storage of material within the unit and siz­
ing the coolant feed system to the minimum flow requirement. Finally, in the event of spill, the process area
would be designed for rapid drainage and building steel fireproofing rather than placing reliance on (active)
fixed fire suppression systems that may fail.
In the case of the reactor system, instead of relying on an active system such as a safety relief valve to pro­
tect the reactor in the event of a runaway, a passive approach would be to design the reactor to contain
the maximum expected overpressure.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 10 Factory Mutual Property Loss Prevention Data Sheets
Some additional examples of a passive approach are: diking and containment systems; fire barriers; blast
resistant construction; using stainless steel in place of plastic in corrosive environments; proper spacing of
buildings, vessels and process units; plant design to prevailing meteorological or geological hazard; enclos­
ing plastic electric cables in metal conduit; processing potentially combustible dusts as a slurry, etc.
The single most favorable aspect of a passive approach is its performance reliability. Because it is not an
active system, it is not prone to failure unless process conditions or materials are changed without commen­
surate improvements to the passive system.
3. 1.3 Tier 3 Active
The next tier, and the next in safety preference is the active approach. An active strategy is one that requires
a mechanical device or protective system to actively respond and function to limit or prevent the loss. An
active system must be:
• reliably designed to work when intended
• installed according to strict installation rules
• maintained and tested over its entire life.
Because of this, an active system is more prone to failure than a passive system and may cost more over
the life of the plant. Active systems are also known as engineered controls.
In a previous example, if the thermal oil system is used under more hazardous operating conditions or the
drainage and fire proofing systems are lacking, insufficient, or too costly to retrofit, then an active fixed water
suppression system becomes the protection device of choice. This system must be properly designed and
maintained and tested over its entire life to be considered reliable and effective. Once activated, more dam­
age will occur than with a passive system because the fuel (thermal oil) is not removed by drainage, the build­
ing steel is not protected against radiant heat (and may structurally fail), and the water system itself may
cause damage to sensitive instrumentation. Finally, if the suppression system should fail, always a possibil­
ity, reliance for protection becomes dependant on the fourth tier, procedural or administrative controls. If reli­
ance on procedures (i.e., manual response) is needed, a significant increase in damage will usually occur
due to delayed response.
In the reactor example, an active (engineered) approach would be to design the reactor to 15 psig and
acknowledge the potential for a 50 psig overpressure by depending on process and management controls
to prevent the runaway reaction, and by providing properly designed emergency relief venting if it does run­
away. The active system is complex and becomes even more complex as vent gas collection systems are
installed, etc.
This active approach is the traditional approach to reactor protection and most other loss prevention activi­
ties in a chemical plant. One primary reason is timing. Often protection is added after the plant is con­
structed. Inherent safety and passive approaches become less economical if not completely impractical after
a plant has entered the equipment design phase.
An active approach does not provide the same level of risk reduction that the inherently safe or passively
safe systems do. In the case of the reactor, with an active approach the loss would be significant if the emer­
gency relief system failed (reactor failure, building blast damage, ensuing fires, and production loss). In the
case of the passive system the pressure would be contained with minor risk effects (perhaps time and cost
to investigate, recertify the vessel, and retrain employees, etc). In the inherently safe system the event could
not occur.
Some additional examples of an active strategy are: large deluge systems with high capacity water sys­
tems; automatic sprinklers over grouped electrical cables; explosion suppression systems in dust collec­
tors; flow, thermal and pressure controls and interlocks; emergency shutdown systems, etc.
While not as effective and reliable as the inherently safe or passive approach, nevertheless, active sys­
tems are often required and necessary for adequate protection of a chemical plant.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 11
3. 1.4 Tier 4 - Procedural
The next tier, and last in safety preference is the procedural or administrative control approach. A proce­
dural response to safety is one using operating procedures, administrative checks, emergency response, and
other management approaches to prevent or minimize the severity of an incident.
An example would be to provide written procedures for operators to take corrective action for the runaway
reactor, rather than provision of active automatic controls or relief systems. In this scenario, emergency action
such as leaving the control room, inspecting the reactor, and manually adding quench water might be the
only loss prevention response. In the event of a thermal oil release and fire, the plant may have only the emer­
gency response of the fire department to rely upon for damage control.
3.1.5 Summary
The application of a tiered approach to risk management does not necessarily imply a singular strategy. A
complex HPR facility will feature aspects of all four safety tiers - inherent, passive, active, and procedural
within the plant. Given a sufficiently hazardous process, all four tiers might be applied to the single pro­
cess to provide assurance to risk managers that if one level fails, additional levels are available to limit the
loss.
Application of this tiered approach is fully consistent with HPR loss prevention concepts.
3.2 Process Safety Management
The CCPS defines process safety management as the application of management systems to the identi­
fication, understanding, and control of process hazards to prevent process related incidents.
The CCPS defines process safety management systems as comprehensive sets of policies, procedures,
and practices designed to ensure that barriers to episodic incidents are in place, in use, and effective.
The CCPS guidelines focus on twelve elements of chemical process safety:
- Accountability and Responsibility
Process Safety Knowledge
Project Review and Design (Process Hazard Analysis)
- Process Risk Management
- Management of Change
- Process and Equipment (Mechanical) Integrity
- Incident Investigation
- Training and Performance
- Human Factors
- Standards, Codes, and Laws
- Audits and Corrective Actions
- Emergency Response Planning
In addition to CCPS, other organizations have developed PSM guidelines which may have different ele­
ments and terminology but nonetheless are equivalent to the CCPS guidelines and may be fully substi­
tuted in application. Some are listed in the Appendix. There are also government regulations, both U.S. and
international, which mandate application of PSM guidelines under specific conditions. Some information on
these regulations is also in the Appendix.
All 12 CCPS points are needed for a reliable system based on PSM prinCiples but they need to be custom­
ized for the corporation (Le., making baking soda does not need the same program used for making poly­
vinyl chloride).
3.2. 1 Accountabifity and Responsibility
Accountability and responsibility are at the heart of any facility's program. These concepts must be ingrained
into the philosophy of an organization to be successful. Key components of accountability are a policy state­
ment; management commitment; procedural requirements; and performance measurement.
©1999 Factory Mutual Engineering Corp, All rights reserved,
7-43
17-2 Loss Prevention in Chemical Plants
Page 12 Factory Mutual Property Loss Prevention Data Sheets
The degree to which management demonstrates interest in implementing programs based on PSM prin­
ciples at its facilities is of paramount concern to safe operation of the facility. Without solid management back­
ing even the best written program will never achieve successful implementation. Management interest should
be demonstrated with a written policy statement that is shared with and understood by each member of the
facility. Management's interest in loss prevention should be obvious in the day-to-day activities of a facility.
Simply having a paper document on file will be of no benefit. Routine safety meetings, communication of
safety issues to employees and publishing lessons learned from incident investigations are just a few ways
in which this interest will be demonstrated.
The policy statement should be site-specific and should assign ownership of safe operations to manage­
ment, as well as to every employee involved in the operation. Expectations of every member of the organi­
zation will be detailed and written in language understandable at every level of the organization. The policy
statement should be reviewed on a periodic basis and changes made as needed. For example, when changes
occur within an organization such as change in management structure, the policy statement should be
updated to reflect these changes.
The policy statement should clearly outline the objective of the PSM program. These principles should be rou­
tinely communicated to all employees so as to reinforce a safety-conscious work force. Generally, a review
of the policy statement will be included in the orientation of new employees. Periodic review with all employ­
ees within the organization is also useful.
Each employee should feel responsible for the safe operation of a facility. There should be no fear of repri­
mand should a safety concern be reported. Only when the channels of communication remain open and
free can a program based on PSM principles become and remain effective.
As safety issues arise in new facility design, HAZOP reviews, changes to the process, etc., there will be
issues that are not easily resolved, or will involve interpretation of codes or standards. A method should be
in place to handle such issues so that resolution at the lowest level of management is achieved.
Once implemented, the success of program based on PSM principles should be evaluated on a periodic
basis to ensure the procedures achieve results. This can be in the form of random audits, routine reports to
management or direct communication with those involved. Findings from this feedback mechanism should
be incorporated into the policy statement to facilitate constant improvement of the PSM program. Issues that
are difficult to resolve often lead to input on ways that the PSM program could be improved.
3.2.1.1 Example: Liquefied Petroleum Gas (LPG), Mexico City, MexiCO
On November 19, 1984, an 8 in. (200 mm) pipe line at a government-owned LPG terminal rupturedO. The sup­
ply was not shut off and the vapor cloud was subsequently ignited 10 minutes later by a ground level burn
pit. Additional LPG tanks and spheres BLEVEd (Boiling Liquid Expanding Vapor Explosion) due to expo­
sure to excessive heat. Management and organizational factors reportedly were the major factors in this inci­
dent. Reportedly, management at this facility had not taken action on recommendations from previous studies.
The deluge systems that were designed to cool the LPG vessels were deemed grossly inadequate. Ves­
sel design was inadequate and the vessels lacked proper inSUlation. There was also no gas detection sys­
tem available at the facility. The loss estimate is in excess of $25 million property damage (current values) 1.2
3.2.1.2 References
1. Gertman, D.I., and Blackman, H.S., Human Reliability and Safety Analysis Data Handbook, John Wiley
& Sons, New York (1994).
2. Mahoney, D., Ed, Large Property Damage Losses in the Hydrocatbon-Chemical Industries, A Thirty­
year Review, M&M Protection Consultants, Chicago (1995).
3.2.2 Process Safety Know/edge and Documentation
Process safety knowledge and documentation, which includes process safety information, is the basis for
understanding the hazards of the process. This is achieved by acquiring process information and using this
knowledge while conducting process hazard analyses.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 13
The CCPS defines process safety information as the data describing the process and its chemistry. Pro­
cess safety knowledge, in general terms, includes both process safety information and the ability to under­
stand and interpret the information. It also includes the tracking and storing of key initial design bases,
records of critical design decisions, design standards, site and equipment drawings, accident investigation
information, etc. This data can be used as a baseline for future changes.
Data on process hazards and material chemistry can be obtained from numerous sources including test­
ing, manufacturer issued Material Safety Data Sheets (MSDS) (or equivalents), and literature sources.
Some examples of needed process safety information and the sources where the information is found fol­
low as an example of a new process under design.
A chemical company is proposing a process using flammable solvents, reactants, and catalysts to produce
a chemical intermediate for the pharmaceutical industry. The process will include a potentially exothermic
reaction, mixing, distillation, and drying to produce a powdered product. Prior to conducting a process haz­
ard analysis or determining levels of protection, information is needed on the various materials and the way
they may interact normally or abnormally.
The company may find information from the following sources:
a. Material Safety Data Sheets. These, if available, will give information on flammability (i.e. flash points),
explosibility (i.e. explosive limits), toxicity, corrosiveness, and potential reactivity with other materials.
b. Factory Mutual data sheets and National Fire Protection Association (NFPA) standards. Lists of haz­
ardous materials are presented with fire and explosion information.
c. Public domain literature such as the Kirk Othmer Encyclopedia of Chemical Technology, Sax Danger­
ous Properties of Industrial Materials, CRC Handbook of Chemistry and Physics and numerous other simi­
lar sources.
d. Proprietary industry or trade group research and testing reports.
e. Expert opinion such as engineers from the corporation, Factory Mutual or outside consultants.
f. Intentional and systematic testing of the materials.
In the example, the final product of the new process is a powder with a possible dust explosion hazard. The
material is unique and no known data on its properties can be found by conventional literature search. To
determine hazardous properties such as minimum ignition energy, lower explosive limits, maximum rate of
pressure rise and possible overpressures produced should it explode, tests are conducted in an ASTM E1226,
20-liter sphere.
Information on the mixture within a reactor or other vessels is needed to determine potential for exothermic
runaway or other chemical instability. Laboratory-scale reactivity screening should be done in advance of
scaling up to pilot or full scale processing. This data can be obtained using a number of devices including
the Accelerating Rate Calorimeter (ARC), the DIERS Vent Sizing Package (VSP) and others.
Site information is also developed during this stage. This may include meteorological data (for later vapor dis­
persion modeling), geographic data for exposure to natural hazards, accident exposures from nearby indus­
trial sites, and utility data such as reliability and adequacy of water, fuel, and power supplies.
After basic chemistry, physical, and thermodynamic properties of materials are developed and site charac­
teristics are found, conclusions on different release and impact scenarios are qualitatively determined. For
example, if a solvent is flammable, it will be qualitatively concluded that a spill can result in fire. If boiled
and held under pressure, an indoor or outdoor flammable vapor explosion potential may exist. The catalyst
to be used might be known to overheat and produce equipment damaging pressure if not refrigerated. These
"generic" conclusions are all derived in the process safety information phase. However, the sequence of
events by which the scenario and its consequences will be realized will not surface until a process hazard
analysis is conducted on the system in which the materials are used. Finally, the action steps, such as fixed
mitigation, taken to reduce the quantified hazard or consequences will not surface until the process risk man­
agement stage.
©1999 Factory Mutual Engineering Corp. All rights reserved,
7-43
17-2 Loss Prevention in Chemical Plants
Page 14 Factory Mutual Property Loss Prevention Data Sheets
Under this activity, in addition to developing and maintaining basic process and material hazard informa­
tion, it is necessary to include accumulation of all the design details, altemative process considerations, key
design decisions and basic operation and maintenance plans.
Here, the corporation should develop rationale and responsibility for collecting and maintaining this data as
well as data on operating experience, accident investigations, causes and corrections as well as changes
developed and reviewed under the Management of Change processes (described later).
This collection of data will preserve initial design records (ensure replacements comply with design intent),
reasons for key design decisions (aid to future projects and modifications) and provide a basis for under­
standing how the process should be operated. It also serves as a baseline for evaluating future changes.
The collection of this information provides the process safety knowledge needed in subsequent PSM steps
(as well as a record of the original review process) so that the process can be started up and run through­
out its intended life without an unanticipated incident or unprotected hazard. The information is documented
and made part of the overall process safety management package, which will eventually also include data
from the process hazard analysis and process risk management steps. This is then used for employee train­
ing, future process changes, etc.
Enhancement of process safety knowledge is a subset of this element and is sometimes added as a sepa­
rate element of PSM. As the life of the plant progresses, new technology in process operation, inherent safety,
or loss prevention techniques may be developed. While not known or cost effective during initial plant design,
they may become so later in the life of the plant. It is important for an organization to stay fully abreast of
new technology and apply it as appropriate. Use of a Management of Change procedure will assure that lat­
est technology and information will be available.
3.2.3 Process Safety Review (Process Hazard Analysis)
This element of PSM is often identified as Process Hazards Analysis (PHA) and should include the project
review for new facilities or modifications to existing facilities that have a significant process or capital impact.
Where no major changes occur, the review should be revisited on a regular basis. A suggested frequency
would be about every 5 years with longer intervals for less hazardous processes. The element also includes
the necessary design and pre-startup review of such projects to ensure that recommendations were, in fact,
implemented.
The CCPS discusses staffing, hazard reviews, siting, plot plan, etc. in the context of phases of capital projects.
As a supplement to the CCPS material, an HPR chemical plant should consider the following sections related
to property and business interruption loss prevention.
Principles of loss prevention and risk management should guide plant siting decisions. These principles are
usually defined in the corporate guiding principles or business objectives. Most sites can be made accept­
able if sufficient funding is allocated to overcome deficiencies presented by the site selection.
Sites chosen should be selected to avoid or minimize exposures by perils of:
a. Fire
b. Natural Hazards (flood, wind, lightning, snow, freezing, earthquake, volcano, etc)
c. Explosion
d. Transportation (aircraft, motor vehicle, rail, ship)
e. Pipeline or tank farm exposures
Sites should feature:
a. Access for safe disposal of waste
b. Access to fire fighting assistance (public or other)
c. Access to an adequate source of water to meet present and future demands
d. Access to reliable security and emergency services
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 15
e. Access to the site during adverse conditions (riot, traffic, etc.)
In addition to location of the plant site, equal considerations should be applied as well to the location of :
a. Process units
b. Pipe racks
c. Storage facilities
d. Unloading facilities for rail cars, trucks and water craft
e. Flare stacks
f. Utility plants
g. Waste water treatment facilities
h. Electrical power lines
i. Process Control Rooms
Once site selection is complete, the project should have sufficient funding to implement FM/corporate loss pre­
vention guidelines. In addition to basic project design and construction costs, finances should:
a. allow time for a thorough review of loss prevention aspects of the design and construction using
accepted hazard analysis methods. Designs should use inherent safety and risk mitigation concepts.
b. permit installation of proper loss prevention features affecting construction, protection. drainage, elec­
trical equipment, freeze protection, etc.
3.2.3.1 Examples
3.2.3.1.1 The ABC chemical company proposes building a new polymerization plant at the site of an exist­
ing chemical plant in the Gulf Coast area. It could be located in any of three different areas near the exist­
ing plant. The raw material (ethylene) is supplied to the main ABC plant, but the facilities will need to be
enlarged to accommodate more ethylene. New facilities will need to be developed for storage of propane,
butylene, and other future monomer feedstocks.
The ABC company has a license to use a new process to make the finished copolymers, but sizes and lay­
out of major equipment have yet to be finalized. At this point, a team was created including specialists from
FM, ABC, and several design and construction engineering companies. Early meetings developed a time
line for the construction, plan reviews, site visits, and pre-startup reviews. These meetings developed a plan
to conduct a thorough hazard analysis.
Full HAZOP and What-if analyses were performed. FM specialists participated in the hazard analysis meet­
ings, and provided an important perspective on damageability, available protection and mitigation meth­
ods, and analysis of business interruption potentials.
A full site survey was conducted at all three sites with a team made up of various speCialists including the
FM engineer. Through this process, a site was chosen to minimize flood exposures, and the potential for fire
and explosion exposures presented by nearby plants, pipe racks and railways. Plans were modified to include
relocation of pipe racks, along with rerouting of rail sidings.
Through early team meetings, objectives from corporate guiding principles were interpreted to define objec­
tives for limiting the maximum foreseeable loss, and normal loss expectancies. Through collaboration, speci­
fications were developed for the plant construction, particularly control room construction, fire protection
water supply piping sizes and locations, pipe rack locations, drainage patterns, sprinkler valve house loca­
tions, and feedstock and product delivery contingencies. These methods resulted in mitigation of Vapor Cloud
Explosion (VCE) potentials (see DS 7-42 for additional information on VCE hazards).
Note: The level of FM participation can vary from project to project depending on the needs of all the parties involved, contractor, insured,
insurance company, etc.
©1999 Factory Mutual Engineering Corp, All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 16 Factory Mutual Property Loss Prevention Data Sheets
3.2.3.1.2 XY Chemical Company planned and constructed a polymer manufacturing plant along the Texas
Gulf Coast. Design work was conducted at the home offices in the northeastern US using highly experi­
enced personnel.
Project designs did not consider incident history and advice for this area relative to freeze protection. As a
result, the plant was built with numerous outdoor sprinkler systems as well as elements of the process and
instrumentation system with insufficient freeze protection.
As a result, the plant suffered a $2 million loss related to broken pipe, instrument lines, and loss of produc­
tion in the 1983 and 1989 freezes. This pointed to a normal frequency of freezing weather in this area, wor­
thy of protection. A cost estimate of $75,000 for correction of the deficiencies was developed in consultation
with the local FM specialist. Economic conditions dictated that these improvements be extended over a period
of 3 years resulting in a need to prioritize the modifications.
If the concepts and guidelines of this data sheet had been used in siting of this plant, the freeze potential
and its frequency would have been identified. A loss potential of $2 million with an average 10-year recur­
rence interval would have been mitigated. The cost at the time this plant was designed could have been much
lower.
3.2.4 Process Risk Management
Process risk management involves the identification, evaluation, control, or risk transfer of potential haz­
ards that may be associated with existing operations, new projects, acquisitions, and customer supplier
activities.
Process risk management is the system whereby conscious risk improvement decisions are made based
on results and information obtained during the process knowledge and process hazard analysis stages. If haz­
ard information data is available at very early stages of a plant design, inherent safety features can be
designed in. Later in the design, passive, active, and procedural improvements and protection are usually
added. The need and level of fixed suppression systems such as sprinklers and deluge systems, building steel
fireproofing, damage limiting construction, barriers, process controls, etc., are decided in the process risk
management phase of PSM. Fire safety professionals in partnership with the chemical plant determine the
level of protection needed to meet HPR status and loss exposure goals. Ultimately the exposure is improved
through fixed protection and management systems, is transferred through insurance, or is completely avoided
by eliminating the hazardous activity.
Data and information from process knowledge gathering and hazard analysis activities must be evaluated
as to economics and potential for risk reduction. Not all risk in a facility can be eliminated or reduced through
engineering. Process risk management assures that a balance of inherent or engineered safety and risk
transfer (i.e., insurance) is maintained and that all mandatory regulations, corporate standards, and indus­
try and insurance guidelines are met. Process risk management requires screening, ranking, and engi­
neered assessment tools. A high level assessment, such as Quantitative Risk Analysis (QRA) may be
needed to make final decisions. The four tier safety strategy is still followed. Regardless of methods, docu­
mentation of the basis for risk decisions is important.
3.2.4.1 Case Study
ABC Chemical company is planning a facility to produce polyvinyl chloride (PVC) plastic using a licensed pro­
cess. Production of this material will include use of vinyl chloride monomer (VCM), a liquefied gas, flam­
mable solvents, and reactive peroxide-based catalysts in a moderately high pressure, high temperature,
continuous autoclave (single reaction vessel) system. The process will be located in a single process unit sup­
ported by raw materials delivery and storage, in-process storage, combustible heat transfer media, heat,
steam, power, and fuel utility systems, and final product handling, storage and transfer to market. The final
product will be sold as a solid extruded pellet, some of which will be custom made with plasticizers. The ben­
zoyl peroxide (BP) catalyst is to be manufactured on site. The process will be constructed at a new site not
previously developed.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 17
In the process safety knowledge step the following technical information may be obtained based on a litera­
ture search or testing and documented:
- flammability and explosivity characteristics of gases and liquids
- flammability and explosivity characteristics of heat transfer media
- reactivity data on catalysts
- combustibility and explosivity data on solid powder product
- reactivity of the PVC reaction at given process conditions
- reactivity and hazard of catalyst manufacture
The following site information might be obtained based on a site study and documented:
- meteorological data (prevailing winds/speeds/atmospheric stability)
- freeze and snowfall/rainfall data
- flood data
- earthquake data
- windstorm data
- data on adequacy and reliability of utility services
- information on nearby hazardous exposures
General conclusions might be derived based on the above chemical and site information and qualitative analy­
sis. At this stage, these conclusions are based on generiC knowledge obtained from experts or from the lit­
erature and are used for establishing more definitive scenarios during a process hazard analysis. Detailed
consequence studies such as vapor cloud dispersion, explosion overpressure, or pool fire radiant heat effects
are conducted as part of the hazard analysis.
The following general conclusions are not meant to be all inclusive but only to demonstrate types of infor­
mation and scenarios that could be developed during this step.
a. Flammable liquid spill fire potentials exist from delivery, storage, process vessel, and piping systems
for raw and intermediate materials and for the heat transfer media system.
b. Vapor cloud explosion potentials exist from storage, process vessels, and piping systems using VCM.
c. Reactor, vessel, pumps, and piping failure potentials exist due to high pressure, corrosivity, and reac­
tivity exposures.
d. BP manufacture requires potentially unstable hazardous materials.
e. Dust explosion potentials exist from plasticized product.
f. The plant is in a semi-tropical climate but is subject to periodic severe freezes.
g. The plant is in a potential hurricane zone.
h. Power supplies are subject to possible off-premises interruptions.
i. Public water supplies and emergency response are not available.
j. A plant with potential wide range explosion hazard borders the site.
In the process hazard analysiS step, the above data and design drawings (as complete as possible) are sub­
jected to a systematic and critical examination to determine failure modes whereby incidents could occur.
HAZOP, What If, Checklist, Failure Modes and Effects Analysis (FMEA), and more quantitative analysis meth­
ods might be used. Vapor dispersion, explosion and radiant heat modeling, if needed, will be done during
this stage. These examinations might reveal the following potential concerns and consequences:
a. The manufacture of peroxides on plant presents many failure modes and several potentials for a per­
oxide self initiation, with high damage potential, compared with the relatively small amounts of material
needed.
b. Flammable spill fire and vapor release potentials cannot be completely eliminated through process con­
trol or design, short of not producing the product. Steel structure is subject to severe radiant heat. con­
firmed by fire modeling.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 18 Factory Mutual Property Loss Prevention Data Sheets
c. VCM represents a vapor cloud explosion potential and the process unit arrangement and congestion
will produce high overpressures throughout the plant as confirmed by modeling.
d. Prevailing winds and distance indicate potential for vapor cloud from neighboring facility to enter pro­
cess unit, confirmed by modeling.
e. A single large reaction autoclave is harder to control, presents extreme liquid spill or vapor release
potentials thus increasing protection system demands, and if damaged would shut down all operations.
f. Plasticized plastic dust presents a dust explosion hazard, confirmed by laboratory testing.
g. A rare but possible sudden freeze could severely damage plant utilities.
h. A sudden power outage could cause loss of control of the reaction.
i. Many different release and failure modes of vessels, pumps, piping, and utility systems exist, but these
can be mitigated through process control and design improvements.
j. Use of a large volume combustible heat transfer material presents significant fire potential on a higher
frequency than other flammable materials due to its high corrosivity, confirmed by loss history.
In the process risk management step all of the data collected and derived from the two prior steps is used
to make risk management decisions. In the example, these may include (but not be limited to) the follow­
ing decisions, listed in order of a tiered preferential safety approach:
Inherent safety:
a. Replace combustible thermal oil system with water system.
b. Reduce production bottleneck by changing from one large reactor to several smaller reactors.
c. Reduce in-unit flammable inventories by eliminating product day tanks, large reboilers, large reactor,
oversized piping, etc.
d. Purchase additional land to protect against off premises exposures
e. Refrigerate VCM bulk storage tanks to reduce vaporization.
f. Collect plastic dust in wet slurry to reduce dust hazard.
Passive mitigation:
a. Use a concrete frame for process unit or fireproof steel.
b. Space unit apart from support facilities and site boundaries.
c. Use open process unit for maximum explosion venting.
d. Limit and space equipment within unit to minimize congestion.
e. Layout unit with flammable materials accessible on outer edge.
f. Install drainage systems.
g. Design process controls and interlocks to maximize reliability of process.
h. Design process vessels/piping to maximum expected pressure.
I. Blast proof control room and emergency services building.
j. Provide emergency containment systems.
Active mitigation:
a. Provide on site fire water system.
b. Provide deluge sprinkler protection.
c. Provide combustible gas detection.
d. Inert and purge flammable storage, process and piping systems.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 19
e. Provide reactor emergency quench system.
f. Provide reactor emergency venting.
g. Computerize process control.
h. Provide on-site emergency power supplies.
i. Design to hurricane codes.
j. Protect plant against freeze up.
Operational administrative controls:
a. Develop and train on site emergency fire response brigade.
b. Train and empower operators to take manual process control.
c. Provide ignition source control systems.
d. Provide backup manual reactor emergency quench system.
e. Provide natural hazard alert procedures.
Risk Avoidance:
a. Eliminate on-site manufacture of peroxide catalyst.
Risk transfer:
a. Accept inherent risk by retention of high insurance deductibles.
In the risk management process, there may be a need to revisit and re-analyze hazards several times prior
to deciding on the level and type of mitigation or use of other risk tools such as elimination of hazard or risk
transfer. In fact, risk management becomes a constant cycle of analYSis, transfer and acceptance through­
out the life of the facility. As the facility ages and changes are made, the risk will change. Keeping abreast of
this aging and change process will assure that the facility will achieve the risk management goals origi­
nally accepted.
3.2.4.2 HPR Requirements
The decision to meet or not meet HPR protection guidelines is determined during the process risk manage­
ment stage. While achieving HPR status should always be the risk management goal, there may be condi­
tions, especially in existing older plants, where this may not be economically or technically achievable.
There are minimum requirements for a facility to qualify as an HPR risk. These are briefly identified in Sec­
tion 2.2.1 and further discussed in Section 3.3, Concepts of Highly Protected Risk.
3.2.5 Management of Change
Management of Change (MOC) means evaluating every change to technology, facilities or personnel at the
earliest possible stage for its potential impact on property loss prevention. The earliest possible stage is the
moment an idea or proposed change comes to light. These changes can be emergency, permanent, tem­
porary, recognized or unrecognized. The purpose of a management of change process is to prevent the unrec­
ognized change.
Changes are made routinely throughout the life of a facility. These may vary from major highly visible projects
to daily routine maintenance activities. Changes can occur to technology, chemicals, products, equipment,
and procedures. Any change from original design intent represents a deviation. If the impact of this devia­
tion is not fully understood, the change, even if minor, can cause a significant incident. Appropriate pro­
cess hazards management systems should be put into place to help ensure that hazards associated with a
change or deviation are identified and controlled.
Changes fall into three main categories: technology, facilities and personnel or organization.
Although some changes may be minor, with little likelihood of compromising loss prevention and process
safety, all changes have some potential for disruption.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 20 Factory Mutual Property loss Prevention Data Sheets
3.2.5.1 Change in Technology
Change in technology arises whenever the process or mechanical design is altered. Examples are changes
in feedstocks, catalysts, product specifications, byproducts or waste products, design inventory levels, instru­
mentation and control systems, or materials of construction.
Typical instances in which change in technology would likely occur include the following:
a. New projects that involve tie-ins or equipment modifications on existing units.
b. Projects to increase facility throughput or accommodate different feedstocks or products.
c. Significant changes in operating conditions, including pressures, temperatures, flow rates, or process
conditions different from those in the original process or mechanical design.
d. Equipment changes including the addition of new equipment or modifications of existing equipment.
These can include changes in alarms, instrumentation and control schemes.
e. Modifications of the process or equipment that cause changes in the facility's relief requirements. These
can include increased process throughput, operation at higher temperatures, increased size of equip­
ment, or the addition of equipment that might contribute to greater relief requirements.
f. Bypass connections around equipment that is normally in service.
g. Changes in operating procedures, including procedures for startup, normal shutdown, and emer­
gency shutdown.
h. Changes made in the process or mechanical design or in operating procedures that result from a PHA
performed as described in Section 3.2.3.
i. Introduction of new or different process additives (for example corrosion control agents, antifoulants,
antifoam agents).
j. Corrective actions developed as a result of an accident investigation.
3.2.5.2 Changes In Facilities
Change in facilities are those in which physical changes are made that would not necessarily appear on
plant drawings, or piping and instrument diagrams (P&ID). Examples are: temporary connections, replaced
components that are "not in kind", site modifications, transient storage, temporary structures, etc.
Specifically, these can include the following:
a. Temporary equipment (tanks, offices, drum storage, etc.).
b. Replacement equipment or machinery that differs from the original equipment.
c. Temporary piping, connections, hoses, or wiring.
d. Temporary software configurations, jumpers, shortened algorithms, bypassed controls.
e. Pipe clamps, braces, stands, wiring, ropes.
t. Temporary utility connections (steam, power, water, etc.)
g. An alternative supply of process materials, catalysts, or reactants, such as through temporary drums
or tanks located within the facility.
h. Temporary electrical equipment or connections.
These changes have the ability to affect design, construction, operation, maintenance, and decommissioning.
3.2.5.3 Changes in Personnel
Changes in personnel are those in which key responsibilities are shifted from a position of stability to insta­
bility. Examples are retirement, promotion, other career changes and personal issues (sickness, death, leave­
of-absence, etc.). These changes are ones in which continuity of responsibility may lapse.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 21
Training and assignment of alternates is a key feature needed to mitigate lapses caused by these changes.
Supervision must be skilled for early recognition of these changes, with an ability to plan in advance to miti­
gate these changes. Goals of the company, business and operating unit must support prevention efforts
associated with these changes.
3.2.5.4 Examples
3.2.5.4.1 The Clean Air Act Amendments of 1990 require a 50% reduction of sulfur dioxide levels (S02) in
the U.S. by the year 2000. This act affects approximately 2,000 electric utilities. The method of choice to con­
trol S02 emissions probably will be the installation of wet scrubbers as they provide the highest level of con­
trol. Along with the additional costs and plans for scrubber installations, the person(s) planning these
changes need to look at the effect these installations will have on loss prevention. For instance, scrubbers
are subject to fires and explosions and they can affect furnace draft. Induced draft fans may have to be
upgraded, which, in some cases could increase the risk of implosions and boiler vibrations. To prevent cor­
rosion of scrubbers, ducts and stacks, it may be necessary to use plastic or plastic-lined equipment, which
could present a fire hazard.
A typical agreement between a company and the property insurance company calls for a loss prevention pro­
fessional within the company to be advised of all management of change activities in the plant. This indi­
vidual is then responsible to involve the specialist from FM and allow an opportunity for the change to be
evaluated in its earliest stages.
3.2.5.4.2 ABC is a manufacturer of commodity polymer using batch-scale polymerization of the monomer.
Because of favorable opportunities in the market, ABC has plans to double the capacity of its seven-reactor
plant in a two-phase expansion over the next 10 years. The first phase will include construction of utilities
and the footprint for a second seven-reactor manufacturing building. Initially, a building containing three reac­
tors will be built.
There is a close relationship between ABC and the FM specialist assigned to this plant. When the idea is
being developed by senior management within ABC, meetings are held with the FM specialist to discuss the
affect this may have on loss prevention. ABC is guided by a principle that promotes continuous improve­
ment in all areas of operation including loss prevention and they call upon the expertise of FM to provide guid­
ance to meet this goal.
In consultation with the FM specialist, several opportunities are identified. These include ways to mitigate
VCE potentials, provide more cost efficient and effective water spray systems, and arrange the Instrumenta­
tion and Control features for increased reliability. In order to expand the process water features for the new
plant expansion, several pumping and distribution changes were needed. Opportunities were identified to
add outlets and normally closed connections between the fire protection system and the process water sup­
ply system. This increased both the normal supply to the fire protection water system, and increased the sup­
ply that would be available in a catastrophic event.
In consultations, an opportunity was identified to relate current maintenance issues for the older electronic
heat detection systems on the water spray systems to a design specification needed for all the new water
spray systems. Review of maintenance records and costs pointed to an opportunity to replace older elec­
tronic heat detectors with air-pilot detection systems. In doing this, the plant maintenance was provided with
a single common type of system which has lower maintenance costs, a single set of replacement parts and
requires simpler maintenance skills.
Often, during plant expansions, for simplicity, existing features for protection and control are duplicated
exactly. Many design groups operate with the assumption that existing protection and control features are
adequate and satisfactory, and they do not take the opportunity to consider improvements, as above.
3.2.5.4.3 Mr. Howard has been the person in charge of fire protection in this plant for many years. He is
the direct interface between top management, engineering, and safety personnel for matters relating to loss
prevention. He is in charge of administering all loss prevention related inspection programs within the plant.
He supervises all impairments to fire protection, and reports them throughout the company and to FM. Mr.
Howard is very important in the review process for new construction. Because he is very familiar with cur­
rent design requirements, he is able to work closely with plant and corporate engineers to develop plans
for new construction and modifications.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 22 Factory Mutual Property Loss Prevention Data Sheets
Mr. Howard spent many years in the plant as an operator. Because of this involvement, he oversees many
important operator duties as they relate to fire response, and use of emergency process equipment (flares,
alarms, shut-downs, etc.). He is also the liaison to community groups including the mutual aid groups.
Mr. Howard has announced he will retire in 2 years when he reaches the age of 60. Loss of this level of expe­
rience could create serious gaps related to steady provision of the service provided by Mr. Howard.
All of his job duties should be described in writing.
A plan for his replacement, with alternates, should be developed sufficiently in advance of his departure so
that proper training can be provided.
If timing is not sufficient to establish that his duties have been sufficiently taken over by others, manage­
ment should arrange for Mr. Howard to return to work as a consultant. He should periodically return after his
retirement to make sure all areas of past responsibility are being covered.
In the planning for replacement of Mr. Howard, the local assigned FM specialists should be notified. Spe­
cific sessions can be arranged so that the programs recommended by FM can be introduced or reviewed with
the person who has taken over for Mr. Howard.
3.2.5.4.4 Mr. Jones was the Safety Engineer at this major plastiC film plant reporting to the plant manager
before he resigned. He was responsible to implement all safety and loss prevention programs in the plant. He
was the direct liaison to the plant maintenance department, providing review and supervision of all mainte­
nance and testing of the plant fire protection systems including the fire pump, suction tank, sprinkler sys­
tems, alarm systems, and gaseous extinguishing systems. Because of his expertise he was the interface
between local contractors who provide maintenance and testing. Mr. Jones kept aU the letters, files, receipts,
plans, and correspondence in his office relating to protection systems and plant insurance matters.
Unfortunately, he quit at a time when the plant was completing a 50% production expansion, and is begin­
ning to plan for a new warehouse expansion. Ongoing issues relate to false alarms, alarm system repairs, and
a history of broken underground water mains in a certain area of the plant. Mr. Jones had been a propo­
nent of looping of the plant fire water mains to provide better service to the areas of future expansion.
In a case like this, it is important that key plant personnel from all levels meet to review the impact of this depar­
ture on loss prevention. Some careful accounting should begin at once to make sure elements of Mr. Jones'
responsibilities are identified. The FM contact should be advised of the personnel change. This will allow
for meetings to take place to assure that proper training is provided to a replacement employee. In many
cases, FM can provide the following:
- Training on fire protection systems, maintenance and testing can be offered to a new employee.
- A review of maintenance and testing programs can be made to assure that correct programs are not
lost or lapsed.
- Contract maintenance programs can be evaluated to determine adequacy of these programs.
3.2.5.5 References
Management of Process Hazards, API Recommended Practice 750, First Edition, January 1990, American
Petroleum Institute.
Managing Change. FM publication P9201.
3.2.6 Process and Equipment (Mechanical) Integrity
Equipment that processes hazardous materials and accessory or utility equipment that is important to con­
tinued operation of the plant should be designed, constructed, installed, operated, protected and main­
tained in a way which minimizes the risk, while providing process reliability. This element of the PSM program
addresses the management system required to achieve this objective and is called Process and Equip­
ment Integrity by the CCPS, and Mechanical Integrity by others.
A Process and Equipment Integrity program should address some or all of the following: pressure vessels
and piping, tanks, rotating machinery, electrical equipment, boilers and furnaces, etc., together with their
instrumentation, controls, accessories and supporting structures.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 23
The components of Process and Equipment Integrity, which are discussed further below, are reliability engi­
neering, materials of construction and fabrication, installation procedures, preventive maintenance and
demolition procedures.
As with all elements of PSM, a strong audit and verification component is necessary to ensure that all the
required procedures are being followed and qualified personnel are used to perform the various steps.
3.2.6.1 Reliability Engineering
Reliability engineering is the evaluation of a process system or individual component to determine its safe
operating lifetime. Since, at some point, all equipment requires inspection, testing, maintenance or replace­
ment, the evaluation should include equipment accessibility and suitability for the process, and the need
for standby/spare equipment and bypasses.
Identifying the critical equipment and determining its reliability can affect installation decisions and mainte­
nance planning. An important component of reliability engineering is to establish factual data on equipment
operation and history. A file for each piece of process equipment should be maintained. It should contain infor­
mation that covers its specifications, materials of construction, instrumentation diagrams, electrical equip­
ment and emergency relief. The file should also contain the operating and inspection history of the
eqUipment, as well as any data on repair, alteration and re-rating, as applicable. This information can then
be used to plan future maintenance, set sparing requirements and schedule replacement. If maintenance fre­
quency is high, it could justify using better equipment for replacement.
The information should be readily available for review by knowledgeable personnel who can identify trends
that could indicate future reliability concerns.
3.2.6.2 Materials of Construction and Fabrication
Choice of suitable materials for construction or repair can be critical in safe operation of a facility. This ele­
ment of Process and Equipment Integrity should assure that appropriate vessel and piping standards are
adopted (national standards like ASME and API, for example), standard updates are recognized and adopted
and that specific responsibility for such efforts is assigned. (See also 3.2.10.)
Once such standards are adopted, a system is present to assure compliance. This could include "mill to instal­
lation" tracking of material for critical components or a much simpler system for other components.
Protection of the equipment is imperative to help prevent catastrophic failures involving hazardous materi­
als or equipment critical to the plant's operation. It is provided by installing safety devices that protect against
abnormal operating conditions such as overpressure, overheating, vibration, over speed, electrical faults,
misalignment, etc.
During fabrication, maintenance or repair, the system should identify needed qualification or certification of
craftsman. A quality assurance system should be in place and be able to track and assure compliance includ­
ing use of proper material, installation/fabrication according to specification and documentation of neces­
sary tests and inspections. Where outside vendors are involved, the management system may need to extend
to their operations.
Prior to startup of a new process or restart after modifications, the Process and Equipment Integrity sys­
tem should identify the need for field inspection and identify the areas of concern such as piping location,
safety and emergency equipment features, accessibility of process and safety equipment, operation, func­
tional testing and calibration of instrumentation, controls, protective devices, etc. A good pre-startup review
should be based on a checklist.
3.2.6.3 Installation Procedures
Planning and quality control are needed to ensure the proper installation of process equipment, as speci­
fied in the design or the instructions of the manufacturer. They should include the critical steps and impor­
tant verification points during the installation. In many cases, especially in piping systems, installations are not
covered by codes or standards, and, therefore, poor execution may lead to failures. Prior to startup, con­
duct an overall equipment integrity check to validate the installation.
©1999 Factory Mutual Engineering Corp. All rights reserved.
Loss Prevention in Chemical Plants
Page 24 Factory Mutual Property Loss Prevention Data Sheets
3.2.6.4 Preventive Maintenance
This element addresses ongoing preventive maintenance needed to monitor and service the equipment so
that defects are detected before serious failures occur. Preventive maintenance consists of a system to
develop and track the following activities: identifying the critical equipment; determining the required tests
and inspections, together with the associated acceptability Criteria; establishing the frequency of each test and
inspection; establishing maintenance procedures; training of the maintenance personnel; documenting and
analyzing the results.
At a minimum, preventive maintenance should follow manufacturer's recommendations. For some equip­
ment, FMRC standards specify procedures and frequency beyond the manufacturer's minimums. FMRC
requirements should then become the minimum acceptable level. These requirements do not eliminate the
possibility of "Risk Based Inspections" (RBI). If RBI are implemented, detailed records on the basis for the
chosen inspection frequency are needed including the test results, process data and decision trees used to
develop the decision.
The documented maintenance procedures should address the targeted equipment with detailed instruc­
tions on performing the particular activity. It should address the steps needed to prevent adverse condi­
tions both during the procedures and when the equipment is put back in service. It should provide a means
to ensure the completion of the work as ordered. Scheduled and unscheduled maintenance should be initi­
ated by written work orders and/or work permits prepared by authorized personnel with clear responsibili­
ties. Periodic reviews of these procedures is needed to monitor their effectiveness and insure they are up to
date.
Process monitoring and alerting the operators to abnormal conditions is necessary for reliable operation.
Therefore, the preventive maintenance program should include alarms, instrumentation and safety devices.
3.2.6.5 Demolition Procedures
Demolition procedures entail an appropriate method for the safe removal of a piece of equipment or process
which is no longer needed. The procedures should include isolation from active equipment, marking to iden­
tify its out of service condition, any necessary decontamination and ultimate disposal of the equipment.
3.2.7 Incident Investigation
This element assures that all incidents - classified as major accident, accident or near-miss by CCPS are
promptly and comprehensively investigated. The depth of investigation is commensurate with the level of
complexity and size of incident. This will assure that lessons learned can be quickly applied within the facil­
ity or corporation. Lessons might manifest themselves as physical, process control or personnel changes
or new or better training programs. Documentation and periodic review aids in determining common cause
or root cause factors when multiple losses have occurred.
The purpose of incident investigation is to prevent a recurrence. This requires a management system that:
a. Investigates incidents to determine the root cause.
b. Develops recommendations to prevent a recurrence.
c. Ensures follow-up to complete recommendations as part of MOC.
Incidents can be grouped many ways, but the three general types listed below (as defined by CCPS) will
serve for most purposes.
Major Accident an incident where the impact is above an acceptable level, usually involving major prop­
erty damage, multiple injuries or fatalities.
Accident an incident having an undesirable impact on company resources, usually involving minor prop­
erty damage or a single injury.
Near-miss: An incident with the potential to be an accident or major accident.
©1999 Factory Mutual Engineering Corp. Ali rights reserved.
7..43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 25
3.2.7.1 Basic Elements
There is a long history of incident investigation in the chemical process industry, but only since about 1985
has it been recognized that incident investigation needs to be formalized as part of the overall process safety
management system. Basically, this requires management to be involved for support and direction, so inci­
dent investigation results can be used to support the other elements of PSM. Suggested elements needed
for incident investigation are as follows:
Management Commitment Top management support is required for an effective program. This is neces­
sary for the resources required, and the ability to hold managers accountable for achieving results. Docu­
mentation should clearly define the details of the process safety management system employed and the
expected performance.
Classification System: Several classification systems have been developed to group incidents including the
CCPS version noted above. None have been adopted for universal use. They may be modified to meet the
needs of the organization. It should be understood that all classification systems have vague areas gener­
ated by differences in opinion along technical lines. The biggest area of disagreement is the near-miss clas­
sification, where views on probability and possibility of consequences vary greatly.
Team Organization: Team make-up and organization will vary greatly depending on the size and nature of
the company. Normally accepted assignments include team leader, safety department representative, opera­
tions representative, maintenance department representative and a supervisor and worker from the unit
involved in the incident.
There may be a need for others, depending on the nature of the incident. This can include those inside the
company with speciality knowledge, or even outside consultants.
It is difficult for the team to be impartial unless it is autonomous. Reporting through the normal chain of com­
mand should be avoided, where possible.
Team Selectionffraining. Team members should be selected based on their interest, job function, and expe­
rience. All members should be trained in the basics of process safety management, not just incident inves­
tigation.
Team Function: The incident investigation team function needs to be integrated with the overall emergency
response plan. Well established lines of communication and assigned functions will let the team perform
its assigned work.
Incident Investigation:
a. Determine Cause: Determining the cause (root causes and contributing causes) is one of the main func­
tions of the incident investigation team. Some special effort will likely be needed to determine underly­
ing system related causes.
b. Develop Recommendations: Recommendations needed to prevent a recurrence should be identified.
While it might not be possible to actually prevent a recurrence in all cases, it is likely preventive mea­
sures can be developed that will reduce the probability and/or consequences.
c. Implement Prevention Measures: Management should have a system that assures follow-up action is
taken to implement recommendations.
3.2.7.2 Incident Investigation Concepts
Incident investigation covers a broad area. Some investigations are extremely structured and detailed. One
example would be the investigation to determine why a passenger plane crashed. Some are brief for com­
mon accidents that are easily understood and have low impact, such as a small non-hazardous chemical spill
at a dispensing station. However, for an adequate process safety management program, all need to be
reported and investigated, with adequate follow-up to assure corrective action is taken.
Procedures should document how this is done, with all major incidents elevated to upper management. Minor
incidents and near misses might be handled only at the local level, but could be elevated if the lesson learned
could be applied to many plants. All should be reported, since company trends can be spotted that might
elude the local level.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 26 Factory Mutual Property Loss Prevention Data Sheets
If minor incidents and near-misses are too numerous, and the procedures do not give good guidance con­
cerning the difference between reporting and investigation, the system can break down. Extensive investiga­
tion of all reported incidents is generally beyond the ability of most companies.
Incident investigation is usually a problem-solving process. Generally this involves data collection, data analy­
sis, and presentation of findings. Tools and effort deployed depend on the type of incident and conse­
quences. A systems oriented approach integrated with a process safety management program is usually
required for a major accident. However, it is important to investigate a near-miss incident that had the poten­
tial for a catastrophic failure, and they can be just as difficult to analyze. One example, would be a major flam­
mable vapor release that dissipated without ignition.
3.2.7.3 LrlVestigative Techniques
In simple terms, scope and resources required for incident investigations can be classed in three broad areas:
1. Area supervisor conducts an informal investigation, in the traditional manner.
2. Team-based investigation requiring specialized knowledge to determine a credible scenario.
3. Team-based investigation and a systems-oriented approach integrated with a process safety manage­
ment program aimed at determination of root causes.
Usually the traditional informal investigation done by the area supervisor does not employ advanced tech­
niques, nor are they needed.
Some advanced techniques could be used by the team-based investigation that requires specialized knowl­
edge. Frequently some system is needed to keep the team focused, and to assure all necessary areas are
considered.
The third type of investigation inherently requires advanced techniques. It should be noted that while there
are many advanced techniques, the science is still evolving. Basically there is no one technique usable for all
cases.
There are some common features essential to a structured analytical approach, regardless of the tech­
niques used. Some of these issues are:
a. Force the team to dig beneath the obvious to determine the underlying causes.
b. Determine as many of these causes as possible.
c. Provide excellent documentation that aids training and information sharing, and provide support for
recommendations.
A process safety incident investigation is similar to a process hazard analysis. The main difference is the inves­
tigating team knows the incident happened. As a result, many of the PHA techniques can be applied with
good results.
Once the evidence has been collected, application of a system theory is necessary to analyze it Many ana­
lytical tools inherent in PHA can be applied directly to incident investigation, and have been incorporated
into many of the techniques. Many of the PHA tools are well developed, and have been proven to provide reli­
able results. Frequently they are available as PC-based software.
Some of the publicly available systematic techniques are:
Deductive
FTA: Fault Tree Analysis
AAM: Accident Anatomy Method
MORT: Management Oversight and Risk Tree
MCSOII: Multiple-Cause Systems-Oriented Incident Investigation
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property L.oss Prevention Data Sheets Page 27
Inductive
HAZOP: Hazard and Operability Analysis
AAM: Accident Anatomy Method
CELD: Cause and Effect Logic Diagram
Other techniques have been developed for use where the major effort required by the above techniques
was not considered necessary or justified.
The field of incident investigation is still developing and the approach applied by the investigator does not
have to be limited by the above. However, the investigator should be aware new approaches need to be built
on proven and accepted concepts.
3.2.7.4 ===
Phthalic anhydride made by air oxidation of a-xylene is very exothermic. Typically, heat of reaction is col­
lected by a molten salVwater heat exchanger to make steam. In this case, three pumps supplied water to the
heat exchanger, with one normally operating and two on standby.
When the operating pump failed, the operator first tried to restart it several times. When this did not work,
the operator tried to start one of the standby pumps, but one was out of service, and the second one was
tagged out. The second pump had actually been repaired on the previous shift, but the "Do Not Operate" tag
had not been removed.
During the period when the operator was trying to clear the tag and reduce o-xylene feed, the reactor over­
heated igniting the phthalic anhydride. Eventually 20 fire departments responded, but the loss was still in
excess of $1 million (mostly due to damage to catalyst tubes).
On the surface, the cause appears to be a mechanical failure, compounded by operator action. However,
some of the human factors that could be considered the underlying cause are:
1. Design: A process design that allows operation where one failure can cause a incident could be consid­
ered unsafe. Alternates include an assured back-up water supply, and/or interlocks to prevent operation with
only one pump available.
2. ManagemenVOperations: There are several possibilities in this area. Management that encourages con­
tinued operations when the process is upset (reason operator delayed initiating shutdown) is operating on
the edge. Management that accepts an unsafe design, and then does not take operational steps (require two
pumps be available at all times) is ignoring safety.
3. Maintenance: There are several possibilities in this area also. While the backup pump repair had been com­
pleted, the tag was not removed because the worker's shift ended. Maintenance workers on the next shift
had already been assigned their work, and removing the tag went to the end of the work list. Repairs to the
other pump had been delayed due to cost (needed new impeller). Obviously some of the human factors
listed here could also reflect management style (overtime and expensive repairs were discouraged).
The above is an extreme example, but does illustrate some of the underlying causes in a multiple-cause
incident.
3.2.8 Training and Performance
Training is the systematic transfer of knowledge, skills and abilities to workers that results in improved per­
formance in the work place.
Proper training of all personnel is critical to the safe operation of a chemical processing facility. Due to the mag­
nitude of different hazards normally found in such facilities, numerous types of process eqUipment, and elabo­
rate computer control schemes currently in use, a thorough understanding of all aspects of the operation
is necessary for safe operation. As newer technology is implemented, the need for training will continue to
escalate.
Before a successful training program can be developed, a needs analysis should be conducted. An analy­
sis of the job for which training is to be accomplished is required to determine which tasks are actually required
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 28 Factory Mutual Property Loss Prevention Data Sheets
for a specific job, and which skills, knowledge and abilities are essential to success in the task. The first ele­
ment is to analyze the needs of the organization, that is the goals of management, resource allocation and
time frame for training purposes. The second element is to evaluate the specific area in which training is
to be given. This could be in the form of job evaluation, observation or an interview with those currently per­
forming the job. Information gathered during this phase will be used to determine critical elements of the
job where training is needed. Last, an evaluation of the individuals to receive the training is performed. This
is useful in establishing a baseline in the development of the training as well as providing feedback on the
effectiveness of the trainer.
Training in chemical processing facilities should focus on plant-wide aspects, as well as process-specific cri­
teria. Plant-wide training should include general plant safety rules, alarm designations, smoking regula­
tions, hot work procedures, etc. Process-specific training should begin with an overview of the specific process
or operation and the associated unit operations involved in that particular area. The hazards (flammability,
explosivity, toxicity) associated with each material used in the process should also be covered. Due to the
widespread use of computer control of chemical processes, it is vital that all operators understand how the
process is monitored, controlled and safeguarded by the computer system.
Next, training in the process chemistry associated with the operation along with typical operating param­
eters should be covered. In addition, abnormal process parameters should be detailed. The training pro­
gram should utilize the "Standard Operating Procedure" and typical operator logs for the specific operation.
This will ease the transition when the operator returns to the work area to perform the learned material. Not
only should the operator possess a cursory understanding of the process chemistry, but should also have
the depth of knowledge necessary to trouble-shoot and diagnose abnormal process conditions. This compo­
nent of training is necessary due to the fact that every conceivable process excursion cannot be taught to
each and every operator.
Once the formal training has been given, a method to evaluate the effectiveness of the program is needed.
Not only is it necessary to evaluate the level of learning that has occurred during the actual training ses­
sion, but also to measure the level to which the knowledge is applied to the actual work situation. Formal
evaluation of an employee's training may consist of one or all of the following methods depending on the types
of skills or knowledge presented: written tests, practical hands-on performance evaluation or simulation. The
types of skills and knowledge conveyed in the training program will dictate which of the three, or combina­
tion of the three will be needed.
Regardless of the proficiency of operators, re-training should be conducted on a regular frequency. Some
activities (fork truck operations, lockoutftagout, etc.) fall under regulatory requirements that have estab­
lished re-training frequencies. Management should establish a program to identify the need and frequency for
re-training all employees. Re-training should also be considered when changes are made to the process.
3.2.8.1 Example: Three Mile Island
On March 28, 1979, a combination of mechanical failures and human error resulted in a release of nuclear
radiation to the environment at a nuclear power facility. The incident was initiated by a loss of cooling water
to the nuclear reactor that automatically initiated a trip of the feed water pumps and the turbine generator. As
a result of the shutdown, a buildup of steam pressure within the cooling system of the reactor occurred, which
automatically opened an electromagnetic relief valve. The operators did not recognize that the valve was
stuck in the open position as the control panel indicated the valve to be closed. Simultaneously, the reac­
tor shut down and the control rods lowered into the reactor core to absorb neutron flow as designed. At this
point, multiple audible and visual alarms were activated in the control room.
As the water coolant pressure dropped, the relief valve failed to reseat as designed which allowed coolant
to escape into the containment building unknown to the operators. Due to loss of cooling water through the
relief valve, the water level around the core started decreasing. By design, an emergency core cooling sys­
tem was automatically actuated and it was assumed to be functioning properly, although the cooling sys­
tem did not operate as designed. The control room instrumentation however did show a rise in water level
in the core. Unknown to the operator was the fact that two valves in the emergency feed water system had
been closed two days subsequent for maintenance. There were alarm lights registering the valves as shut
on the control panel. However, one was obscured by a caution tag and the other was blocked by an opera­
tor. This resulted in no cooling water to the core for an extended period.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 29
The control panel incorrectly indicated that too much water was entering the core, therefore, the operator over­
rode the automatic control system and reverted to manual control. Ultimately, the shut coolant water lines
were discovered and reopened which again flooded the control panel with a Christmas-tree effect of red and
green indicator lights. Assuming the coolant system was now operating, the feed pumps were activated which
ultimately forced water through the stuck-open relief valve into a tank designed for containment of radioac­
tive water and steam. The rupture disc on the tank burst which allowed contaminated water onto the floor of
the auxiliary building. As a result of loss of cooling water, the reactor core was partially uncovered result­
ing in excessively high temperatures. This contributed to increased radiation levels within the facility. Esti­
mates of this loss range from $1.0 to $1.86 billion, with roughly 60% of this being costs of replacing the lost
power resulting from the event.
1
This loss shows the importance of proper training of all employees and recognition of human factor ele­
ments of operators and maintenance operations in production facilities. The operators were not well versed
in the process intricacies, specifically the relationship between pressure and temperature in the reactor. The
operators did not recognize the fact that a small amount of water was being lost. It was also recognized that
the operators were not trained in process diagnosis.
2
While this incident occurred in a nuclear power generating facility, similar events are equally as likely to occur
in chemical processing facilities. This event also demonstrates the fact that incidents of this magnitude typi­
cally involve several consecutive failures as opposed to a single discrete incident.
3.2.8.2 References
1. Cantelon, Philip L, and Williams, Robert C., Crisis Contained: The Department of Energy at Three Mile
Island, Southern Illinois University Press, 1982
2. Kletz, Trevor A., An Engineer's View of Human Error, The Institute of Chemical Engineers, Rugby, War­
wickshire, England, 1985
3.2.9 Human Factors
Human factor refers to the complex interaction between people and the processes and equipment they
operate. Optimization of these interactions is the principal objective when using a human factor approach
to minimize and/or mitigate risk in an industrial setting. Factors such as employee selection, work design,
ergonomics, human/computer interaction, work conditions and training methods are all important in improv­
ing the level of reliability of the human/machine interface.
It is not the intent of this data sheet to prepare the user to design systems/processes from a human factor per­
spective. The principle objective is to familiarize the user with the concepts of the field, which should aid
in evaluating the effectiveness of a facility's existing programs. Design and implementation of human factor
systems should be performed by those specially trained for such functions, including system designers,
human performance specialists and psychologists.
Various references estimate that human factor errors are responsible for between 80 to 90% of all loss
incidents.
1
The best references to human factor empirical data relates to nuclear plants, where human error
is reported to contribute 50 to 70% of the risk.2 One reference cites that 10% of all human error accidents
result from personal influences such as carelessness, emotional health or physical health. The remaining 90%
have been attributed to external factors, such as inadequate procedures, ineffective training, poor design
of human-machine interfaces, work environment and reduced staffing levels.
3
These statistics show that more
emphasis needs to be placed on human factor engineering than has been in the past.
Many types of errors occur in a production facility. However, these can be broken down into two broad cat­
egories. The first type, low-stress error, is an action planned but not carried out as intended. Such is the
case when an operator presses the wrong push button on a control panel, although pressing the proper push
button was intended. These type errors generally do not result from a lack of time to make a jUdgment, or
a highly stressful situation. Often these errors can be designed out of the system by simply separating the
push buttons.
The second class of error, high-stress error, usually occurs due to a faulty decision or diagnosis of a prob­
lem, or lack of planning. In many cases, these type errors can be eliminated by proper training and fre­
quent rehearsal of critical emergency procedures. In reviewing most severe losses, it is usually obvious that
©1999 Factory Mutual Engineerir
7-43
17-2 Loss Prevention in Chemical Plants
Page 30 Factory Mutual Property Loss Prevention Data Sheets
multiple errors occurred prior to the significant event. Rarely does a single human error result in cata­
strophic failure.
4
The impacts that human behavior, physiological and psychological effects have on individuals in the work
place are multiple and diverse - much too complex to be detailed in this text. These elements of human factor
can be divided into three broad categories: human behavior, human/machine interface and environmental.
3.2.9.1 Human Behavior
Human behavior is shaped by the way in which a human being senses (touch, smell or hearing) a stimu­
lus, processes the information and ultimately responds. The subsequent response may be either appropri­
ate or inappropriate, depending on the conditions in the environment and thought process at that particular
instant. A human's sensing and information processing capabilities are limited and therefore, must be under­
stood and considered in the design of the worker's environment. For example, an operator's short-term
memory is extremely limited. If operators perform a critical task infrequently, there is a high probability that
erroneous action will be taken when actually required to respond in an emergency situation. However, once
training and practice with real life situations have been accomplished, the operator has a better chance of
reacting in a more reliable manner.
Operators become accustomed to the way processes normally operate. Therefore, when changes are made,
care should be taken to ensure all operators are thoroughly aware of these changes through operator logs,
internal directives, etc. If not, in an emergency situation, operators will tend to react to how the system was
previously arranged rather than how the system is presently configured. All of the above reinforces the need
for continual operator training, to allow the operator to remain familiar with the proper actions to take in emer­
gency situations.
Operator performance sharply declines during extended work periods (e.g., double shifts, seven day shifts,
etc.) and after repetitive tasks. The work environment also influences human behavior to a great extent. High
levels of stress, such as during periods of job layoffs, economic uncertainty and reorganization negatively
impact worker performance. Additionally, as operators approach task overload, accuracy and efficiency are
compromised. All of these factors influence an operator's information processing ability in an emergency
situation.
In addition to training programs for employees and limiting overtime hours for dangerous or critical service
duty, a commitment to human behavior issues could be indicated by the presence of a "Fitness for Duty" Policy
and the availability of access to outside stress hotlines.
3.2.9.1.1 Q!flanization
The dynamics within an organization have changed over the years, changing from companies that once main­
tained long-term relationships with employees, to companies required to reduce their numbers due to glo­
bal competition and other factors. Due to the need to reduce operating costs, many organizations have
resorted to such business initiatives as downsizing, restructuring, mergers, etc. These initiatives have the
obvious impact of reducing the number of employees available to operate a production facility. This in turn
can lead to reduction or elimination of safety-related functions that will also impact the effectiveness of a
plant's safety programs.
The impact that is not so obvious is the loss or reduction in morale of chemical plant employees which may
also jeopardize the safety of an operation. While quantifying the effect that downsizing has on safety in a
chemical facility is difficult, its impact should not be ignored.
5
3.2,9.2 Human/Machine Interface
3.2.9.2. 1 Computer Control
Chemical processes are now commonly controlled with complex distributive control systems as opposed to
the earlier analog control systems. Much more of the process control is placed in the domain of the com­
puter versus active monitoring and controlling by the operator.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17..2
Factory Mutual Property loss Prevention Data Sheets Page 31
Studies have shown that optimum performance is achieved when moderate levels of mental activity are
present. This phenomenon was originally reported by Yerkes and Dodson
6
. However, more current litera­
ture by Poulton
7
and Welford
B
support these findings. When mental activity is either too high or too low,
reduced performance usually results. With the increased usage of computer control and lesser involvement
by the operator, care should be taken to ensure that process safety is not compromised due to the lower men­
tal activity required of the process operator. It has also been shown that humans are unable to remain alert
during extended periods of inactivity, such as in a control room setting when a process is running smoothly.
While many tasks can be adequately automated, there remain tasks where human understanding is required
to prevent jeopardizing reliable system performance. This has been shown in many recent losses. Opera­
tors must work in conjunction with, and not isolated from, the computer interface for effective control of the
process. Studies have shown that failures of computer controlled systems can be attributed to operator error
that disables protective features (20%) and software failures (20%), both of which have the ability to dis­
able the entire system.
9
Operator error can include actions of operators, as well as actions during mainte­
nance operations, which compromise the integrity of the control system.
Errors associated with software are especially critical as the software is often the only element of the con­
trol system that is not redundant. Therefore, software can become the critical link in a computer controlled pro­
cess. Errors in software are not obvious until an unusual sequence of events occurs. If a software error can
produce devastating results, a thorough HAZOP is critical for the software as well as the process parameters.
3.2.9.2.2 Alarms
Another significant occurrence associated with increased computer control is the increasing number and com­
plexity of process control interlocks and alarms. Alarms should be categorized according to their impact on
process control and designated accordingly, so that the operator is able to understand and prioritize the
alarms sounding in the control room environment. As noted earlier, extremely high mental activity during a del­
uge of alarms may be detrimental to achieving optimum process control.
3.2.9.2.3 Control Panel Layout
The design of control and display panels plays a critical role in operator intervention in an abnormal or emer­
gency situation. If the display and controls are well laid out and understood by an operator, the chance of
appropriate action is increased. Much study has been given to ergonomic design in the control room to facili­
tate safer operations. All displays should be legible, labeled appropriately and arranged for optimal view­
ing by the operator.
The display should be designed such that abnormal or emergency situations are readily apparent. Moni­
tors are now typically arranged with multiple screens requiring operators to scroll through many screens to
view individual parameters. Care is needed to design systems that allow prompt discovery of abnormal or
emergency situations. Only pertinent data necessary to observe the process should be present on the moni­
tor to prevent extraneous information that could divert the operator or require additional time to find and react
to pertinent information.
3.2.9.3 Environmental
The environment in which workers operate plays a significant role in their ability to perform as intended.
Improper lighting can lead to erroneous operation of equipment and/or controls. Abnormal operating condi­
tions requiring operator intervention may be hindered by inadequate illumination. Excessive noise can inter­
fere with communications between personnel, leading to either a misunderstood communication or even
failure to hear the communication. Additionally, excessive noise may impact the operators cognitive ability
to make appropriate decisions in abnormal or emergency situations. Operators exposed to extreme tempera­
ture can also be detrimental to optimal performance. Research shows that exposure to extreme tempera­
tures, such as below 60°F (16°C) or above 85°F (30°C) reduce a worker's physical as well as mental
performance as exposure duration increases. When operators are exposed to vibrations, many work place
implications can occur. For instance, visual acuity is often impaired as a result of exposure to vibration, and
operations requiring steadiness or precision are jeopardized.'o
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 32 Factory Mutual Property Loss Prevention Data Sheets
3.2.9.4 l:1uman Factor in Maintenance Operations
The discussion thus far has referred specifically to operator-machine interfaces. However, maintenance of
a process system poses similar concerns. Communication between operators and maintenance operations
is critical so that all parties are aware of the scope of work to be performed. To facilitate optimum commu­
nication, all maintenance activities should require written authorization prior to start of work.
3.2.9.4.1 Exa!!!Efe: Phiffips Petrofeum, Inc.
On October 23, 1989, a release of approximately 85,200 lb. (36,646 kg) of hot isobutane from a vertical loop
reactor occurred at a large polyethylene plant in Pasadena, Texas. High density polyethylene is manufac­
tured using ethylene gas dissolved in isobutane at high temperatures and pressures in the loop reactors. As
a result of the reaction in the system, polyethylene settles out in the settling leg of the loop reactor and is even­
tually removed from the system. In this particular system, plugging of the leg occurs frequently, requiring
that a single block valve on the bottom of the reactor be closed and the leg removed for cleaning. Clean­
ing of the settling legs is routinely conducted by contractor employees.
Work was started on cleaning three of the six legs on a single reactor but was ceased for a crew lunch break.
After returning from lunch, work on cleaning of the fourth leg resumed and a contractor employee was dis­
patched to the control room to request assistance from an operator. Shortly thereafter, initial release was
reported from the unattached settling leg. This resulted in release of 99% of the reactor's contents within sev­
eral seconds. After reaching an ignition source, the unconfined vapor cloud ignited which created a severe
overpressure that caused extensive damage to the facility. Reports of the damage indicate nearly $750 mil­
lion in property damage and $700 million in business interruption.
An investigation after the explosion revealed air lines that activate the valve used to isolate the settling leg
were installed in reverse position. In this configuration, the valve would open even though shown to be in the
closed position.
This incident highlights several oversights directly attributable to human factor errors. The design of the block
valve was determined to be inferior as it allowed installation of the air lines in a fashion that would allow
the valve to open when assumed closed. In addition, there was no safe work permit system in place to allow
for coordination with maintenance contractor employees and operators at the facility.
3.2.9.5 References
1. Attwood, D.A., Schmaltz, LE., and Wixom, E.D., "The Exxon Chemical, Human Factors Program", 29th
Annual Loss Prevention Symposium, AIChE (1995)
2. Gertman, D.I., and Blackman, H.S., Human Reliability and Safety Analysis Data Handbook, John Wiley
& Sons, Inc., (1994)
3. Bridges. w.G., Kirkman, J.Q., and Lorenzo, D.K., "Including Human Errors in Process Hazard Analy­
sis", Chemical Engineering Progress, May 1994, (74-75).
4. Latino, C.J., "Solving Human-Caused Failure Problems", Chemical Engineer Progress, May 1987, (42­
43).
5. Friedlander, R. H. and Perron, M.J., "Downsizing's Effect on Safety in the CPIIHPI", 29th Annual Loss Pre­
vention Symposium, AIChE, (1995)
6. Yerkes, R.M. and Dodson, J.D., "The Relation of Strength of Stimulus to Rapidity of Habit Formation", Jour­
nal of Comparative Neurology and Psychology, 18, 459-482, (1908)
7. Poulton, E.C., Environment and Human Efficiency, Springfield, III.: Charles C. Thomas Publisher, (1970)
8. Welford, A.T., Skilled Petformance: Perceptual and Motor Skills, Glenview, III.: Scott, Foresman and
Company, (1976)
9. Paula, H.M. and Battle, R.E., "Reliability Performance of Fault-Tolerant Digital Control Systems", 24th
Annual Loss Prevention Symposium, AIChE, (1990)
10. McCormick, E.J., Human Factors in Engineering and Design, McGraw-Hili Book Company, New York,
(1976)
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 33
3.2.9.6 Other Resources
Bailey, R.W., Human Performance Engineering: A Guide for System Designers, Prentice-Hall, Inc., New Jer­
sey, (1982)
Burgess, J.H., Designing for Humans: The Human Factor in Engineering, Petrocell Books, Princeton, New
Jersey, (1986)
Kletz, T. A., Chung, P., Broomfield, E. and Shen-Orr, Chaim, Computer Control and Human Error, Institute
of Chemical Engineers, Rugby, Warwickshire, England, (1985)
Lorenzo, O.K., A Manager's Guide to Reducing Human Error: Improving Human Performance in the Chemi­
callndustry, Chemical Manufacturers Association, Inc., Washington, D.C., (1990)
3.2.10 Standards, Codes, and Laws
The purpose of this element in a program based on PSM principles is to address and communicate a
company's minimum acceptable safe practices from the corporate level and assure that all locations within
the company share the same approach to process safety. This can be accomplished by creating internal
standards to address the critical issues or by documenting and communicating which national regulations,
industry standards or consensus standards will be applied. This will insure a consistency in decision mak­
ing by design engineers and plant personnel.
Once a set of standards is adopted, there is a need to develop a variance procedure where local condi­
tions make precise application unreasonable. The variance procedure should require demonstration that the
alternative approach is at least equivalent in safety to the required method. There should be a formal approval
procedure for the variance at a management level, commensurate with the scope of the deviation from
accepted practice. The variance procedure should be well documented and maintained as part of the plant
design records.
It will also be necessary to assign responsibility for maintaining the standards current and in keeping with
the latest technology. This would include obtaining and filing the latest revisions of existing national regula­
tions, industry or consensus standards as well as any new regulations applicable to the company's opera­
tions. Where the changes are substantive, a company-wide bulletin should alert users to the change and direct
any steps that are needed either in updating current practices or applying to future designs. Internal stan­
dards need to have a formal review cycle to maintain currency.
Finally, there is a need for an audit procedure to ensure consistent application of the correct standards across
the organization. This audit should ensure that new projects are in agreement with the latest standards and
that any variances have followed the required approval steps. It will also be necessary to audit the vari­
ous operating sites relative to their compliance with company policy and current documents. This audit can
be part of the overall PSM program audit function described in the following section.
3.2.11 Audits and Corrective Actions
Audits are needed to assure the PSM system is consistent, effective, and appropriate for the exposure. These
are usually done by a third party but many chemical companies have staff auditing teams. An audit employs
a well-defined review process to ensure consistency. Corrective action items are reported and the com­
pany reviews and resolves the items. While just one part of overall process safety management, it is the criti­
cal one that attempts to assure management control of the other parts.
3.2.11.1 PSM Audit Preparation
Scope: All parties need to understand the scope of the audit. Scope can be shaped by many factors, includ­
ing regulatory requirements, corporate policies, resources available, and nature of exposure. Usually there
is a balance between available resources and exposure, taking into account regulatory requirements.
This balance is impacted by type of facility, ownership, location, program content, and degree of site cover­
age needed. As an example, a small, low hazard, joint venture in a remote location does not command the
same resources as a nearby high hazard wholly owned plant making products critical to the company. In
©1999 Factory Mutual Engineering Corp. All rights reserved.
7..43
17-2 Loss Prevention in Chemical Plants
Page 34 Factory Mutual Property Loss Prevention Data Sheets
some cases, it is more efficient to audit process units by type, where preparation is difficult and the pro­
cess units are accessible. At remote locations where travel costs are high, a complete audit is usually more
economical.
Frequency. Audit frequency is controlled in part by some of the scope factors (regulatory requirements, cor­
porate policies, exposure and resources). Other important factors to consider include results of prior audits,
incident history, program maturity, and process maturity. Some of these factors affecting audit frequency
decisions are noted below:
a. Degree of Risk vs. Maturity of Process. Operations that are inherently hazardous should have a higher
audit frequency than operations that are inherently safe. Extremely exothermic reactions involving
unstable materials is an example of the former. Endothermic reactions involving stable materials is an
example of the latter.
A mature process involving an extremely exothermic reaction may not need a higher audit frequency.
Bulk Grignard reactions are considered hazardous. However, some have been done for over 40 years with­
out major incident. Along the way, major incidents and technology indicated there were some essential fac­
tors for safe operation. A new Grignard process may still need more frequent audits, particularly if the
vessel is not properly designed (low design pressure reactor with small rupture disk).
b. Prior Audits. Results of prior audits may indicate an audit frequency change is justified. A finding of
gaps in the PSM procedures indicates more frequent audits are needed. In turn, the frequency can be
reduced for low hazard processes where the PSM procedures are excellent.
c. Incident History. More frequent audits would be prudent for a process with a high incident history, or
even a history of "near misses".
d. GovernrT}ent Regulation and Company Policies. Sometimes the audit frequency is set by government
regulations or company policy.
Audit Staffing: A single person can conduct an audit, where the process is mature, well understood, and
well documented. However, a mature process that is being changed needs special attention.
A team effort is normally needed for a comprehensive audit at a more complex process. As a group, team
members should have experience in process safety management and auditing techniques. At least one should
be familiar with the process being audited.
Audit Report Content While report content can vary from plant to plant, reports should be consistent within
a company. The required content should be formalized ahead of time for consistent results. This should
include treatment of audit findings.
Audit Report Distribution: The value of an audit is limited if distribution does not include appropriate individu­
als. Naturally distribution should include those responsible for any needed corrections, but could include man­
agement responsible for similar production units for common cause problems. It should be noted that some
legal departments hamper audit report distribution.
Audit Follow-up: Items requiring corrective action need to be addressed using some form of audit follow­
up. The procedure should be formalized, with assigned responsibilities and expected completion dates. Veri­
fication of completed steps should also be formalized. Usually it is best if the verification process is performed
by the audit team, either at the next audit or a by a special review.
3.2.11.2 Pj:)M Audit Techniques
Pre-Audit Planning: Proper preparation and planning are critical to the audit quality. Initial steps include select­
ing units to be audited, selecting the team, and scheduling the visit. Initially, selection of units to be audited
should be based on process hazards, or value to the company. However, geography (location of units) and
maturity of the PSM program can also be factors.
Interim steps include defining the scope of the audit, and collecting supporting documents. Audit scope should
be a formalized part of the PSM program. Collecting adequate supporting documentation can be the most dif­
ficult part for an older unit that has been modified over the years. Even well run companies have found criti­
cal drawings, such as P&ID, wiring, and piping drawings are not current, or there is only one set of hand
corrected paper plans.
©1999 Fac10ry Mutual Engineering Corp_ All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 35
The final steps involve a review of background information and preparing the audit agenda. The team needs
to understand the process, including the basic design and modification, plus the organizational system used
for operation. The latter includes corporate policies, facility organization and regulatory requirements.
Audit Activities: The audit team needs to develop an understanding of the plant's internal PSM system used
to operate the facility before actually auditing the unit. An excellent corporate process safety management
system still depends on local management and operating staff for proper enforcement. Basically, the audi­
tor needs to determine if the local system employed meets the intent of the overall program. This is done
by auditing the plant's process safety management system.
Excellent documentation is a good start, but alone does not assure the unit is operated as intended and is
safe. Some potential weaknesses include inadequate staff to administer the local program, production goals
that impair the PSM goals, and a relaxed management style concerning the PSM program. Considerable
judgment is needed to determine if these weaknesses are actually deficiencies. Actual deficiencies need to
be addressed as part of the audit report.
Where satisfactory program controls exist, the auditor can focus on how well they function on a consistent
basis. This can be done by interviewing staff, observing the operation and checking records. A deviation from
the desired operation is a negative, but it is how well the process safety management system responds to
the deviation that is important. It should be noted that no process safety management system will eliminate
all deviations, so trends (deviations going up or down) are actually more important.
During the audit, the team should review progress and discuss areas of concern that may need additional
attention. Plant staff should be involved in these reviews Since they can frequently supply the missing infor­
mation or explain how and why local procedures differ from expected performance. Negative findings should
be fully explored since it is poor technique to base an audit finding or recommendation on a single item.
Actually, the quantity of information collected should be adequate to support the objectives of the audit and
the conclusions of the team. To be adequate, the information collected should be relevant to the unit being
audited, be completely unbiased, and should be objective. Enough information should be collected so the
same conclusion can be determined by different people.
At the conclusion of the visit, the audit team should finalize tentative findings and discuss them with man­
agement. Areas of disagreement should be resolved. If team findings are consistent with the PSM goals while
taking into account local variances, the areas of disagreement will be minimized.
Post-Audit Activities: The audit team usually prepares a formal report which is distributed in accordance with
the program. They may also be involved in the action plan prepared by the unit audited to assure it meets
the intent of the audit findings.
Audit Tools: The process safety management system will usually have suggested tools to aid the audit pro­
cess. Some of the tools include guidelines, checklists, questionnaires, outlines and suggested procedures.
While they are not required to be used, the suggested tools usually have proven to be effective in aiding data
collection.
Data Collection: As an example, a "Process Safety Information" guideline, which can be customized to meet
the needs of the corporation and tailored to match the requirements of individual production units might sug­
gest the following information be documented:
1. Chemical hazard
a. Toxicity
b. Permissible exposure limits
c. Physical, reactivity, and corrosion data
d. Thermal and chemical stability
e. Hazardous effects of mixing
2. Process technology
a. Process description and flow diagram
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 36 Factory Mutual Property Loss Prevention Data Sheets
b. Process chemistry
c. Inventory permitted
d. Safe upper and lower limits for temperature, pressure, flows and compositions
e. Consequences of deviations
3. Process equipment
a. Construction materials
b. P&ID
c. Electrical classification drawing
d. Relief system design and design basis
e. Ventilation system design
f. Drainage system design
g. Design codes and standards
h. Material and energy balance
i. Safety systems (interlocks, detection, control and suppression systems)
4. Safety inspections
a. Code inspection reports for pressure equipment
b. Policy mandated inspection reports for safety equipment (rupture disk, safety relief valves, etc.)
c. Policy mandated inspection/test reports for safety systems (short stop system, water quench system,
interlocks, back-up power, etc.)
3.2. 12 Emergency Response Planning
Emergency response planning is intended to cover a wide range of activities for mitigating and controlling
incidents, such as fires, explosions, vapor releases and chemical spills.
A well developed emergency response plan is fully documented and well thought out. The level of detail of
the various components of the plan should be commensurate with the site hazards. A management sys­
tem should be in place to assure the emergency response system is effective and kept current with changes
at the facility. The following plan elements should be available, up to date, and documented:
1. Facility policy regarding emergency response planning
2. Facility description
a. Organization and staffing
b. Risk assessment of site hazards
c. Plot plans
3. List of site hazardous material safety information
4. Emergency response plans
a. Description of possible incident scenarios
b. Plan to respond to each scenario
c. On-site emergency equipment and supplies
d. Description of external resources and support organizations
©1999 Factory Mutual Engmeering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 37
5. Emergency response teams
a. Staffing and organization
b. Capabilities of members
c. Retraining plans
6. Description of emergency systems and equipment
7. Post incident contingency plan
8. Regulations applicable to the facility
3.3 Concepts of Highly Protected Risk
The high hazard chemical industry, like other industries, can be protected to a loss prevention level which
is defined, by insurance companies and risk management, as preferred risk. Preferred risk is also known as
Highly Protected Risk (HPR). For any plant, whether high hazard chemical or otherwise, this level of pro­
tection has been established over decades of loss experience and fire and explosion research.
In many occupancies, the difference between HPR and non-HPR status is usually based on whether or not
the facility has sprinkler protection with adequate water supplies. This is somewhat simplistic in that other fac­
tors, such as management interest in loss prevention, also play an important role.
In the chemical industry the presence or lack of sprinklers alone cannot solely define HPR status.
3.3.1 Requirements to Achieve HPR Status.
In the chemical industry all of the following elements are considered required, as needed based on expo­
sure, for HPR status. Sprinklers or other automatic suppression systems alone cannot always be the divid­
ing line between a good plant and a poor plant. Because chemical incidents can occur so fast and in some
cases approach worst case type events with the initial event sequence, sprinklers alone may not be capable
of providing the desired level of mitigation. In some cases sprinkler systems in these occupancies can only
cool steel components without any effect on suppression or control.
Prevention activities, as defined in an integrated program based on PSM principles, are critical to identifica­
tion of potential incidents and to minimize the occurrence through careful design and process control. In
fact, there are unsprinklered chemical facilities with excellent fireproofing, drainage, on-site response, and
fully integrated PSM systems that may be equivalent to a fully sprinkle red facility without a PSM system in
place. The latter facility may have more frequent losses, one of which may "get away" due to poor atten­
tion to maintenance, testing, and inspections of suppression systems.
In most cases, however, the need for sprinklers is a minimum requirement along with other protection. The pro­
tection scheme includes all components working as a system. If one is missing, the system may not be effec­
tive in limiting potential loss to the desired level and the plant may not be suitable for HPR status.
The following elements are considered when determining HPR status of a chemical facility. Several Fac­
tory Mutual data sheets specific to the element are listed when appropriate. Many other data sheets and ref­
erence sources on each element may exist but are not listed.
3.3.1.1 Integrated PSM System
Process safety management is described elsewhere in this document. This HPR element can be com­
pared to the need for property conservation programs in other occupancies. PSM should be fully inte­
grated into the chemical facility for all processes and activities, not just for those processes, systems, or
chemicals mandated by government regulations. There are many processes and materials, for example, pow­
ders (dusts), fuels, and propellants, that are usually excluded from PSM regulations. (Sometimes these could
be included under the umbrella of the General Duty Clause found in most regulations.) These can and should
benefit from a program based on PSM principles as well as regulated processes or chemicals. In other words,
an integrated PSM system means that all processes within the boundaries of the plant are covered.
PSM is critical toward identification of hazardous materials and processes, mitigation of those hazards, and
management of change throughout the life of the plant.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 38 Factory Mutual Property Loss Prevention Data Sheets
A plant without a fully integrated program based on PSM principles appropriate for the level of hazard (or
equivalent program by any other terminology) cannot be considered for HPR status.
This subject is also broadly covered in FM Data Sheet 9-7/17-5, Property Conservation, and numerous pub­
lications by the CCPS, API, CMA, and other groups. (See Bibliography.)
3.3.1.2 Management Commitment and Oversight
Management commitment and oversight of loss prevention and process safety activities are crucial toward
achieving and maintaining the desired level of protection throughout the life of a chemical facility. Examples
abound how one management group which is production oriented, without commensurate attention (both
monetary and staffing) to loss prevention, passes on a loss prone legacy to the next generation. Manage­
ment commitment must start at corporate level, be part of the management culture at all lower levels, and be
continued throughout the life of the plant.
3.3.1.3 Instrumentation and Process Control
Control of processes through proper instrumentation and interlocks minimizes operator error and assures
incipient events are detected in time to take corrective action. There is no correct level of instrumentation or
interlocks. Each facility or process within a facility needs individual assessment prior to determining needs.
Needs are usually predicated on results of hazard analyses backed by common sense and loss history.
Benign processes, which are easy to control and have little potential exposures, may require only a single
layer of process control or perhaps only manual control. Highly complicated or hazardous processes may
require multiple levels of interlocks and controls designed to fully fail safe. Most chemical processes require
one or more levels of redundancy.
Data Sheet 7-45, Instrumentation and Control, addresses process safety controls, not operational process
control systems. Other occupancy-specific data sheets, such as 7-35, Air Separation Processes, cover needs
for that occupancy.
3.3.1.4 QQerator Training and Empowerment
Operators must be trained not only in the hazard of the materials but in the way these materials interact
within the process system. "What if" scenarios are helpful in training operators in potential variances from nor­
mal operation. Because the operator is responsible, on a daily basis, for assuring both plant and process pro­
duction and safety, this position is critical toward overall loss prevention. Where possible, the operator should
be involved in hazard analyses. Operators must be empowered to make and act upon decisions without man­
agement oversight. The ability to shut down production when safety of the plant is at risk must be resident
with the operators.
Operator involvement and human factors are covered in more detail elsewhere within this document.
3.3.1.5 yessel, Piping and Reaction Overpressure Protection
Equipment within a chemical facility is designed to contain energy. Vessels, piping, pumps, and other equip­
ment may contain gases, liquids under pressure, or solids that can produce pressure if reacted or ignited
within the system. Equipment must be protected, usually by code, to normal expected pressures and for unex­
pected but potential overpressures caused by reactivity or other events, such as confined dust or vapor explo­
sions.
Most significant chemical incidents can be attributed to failure of a pressurized system.
Many FM data sheets cover overpressure protection, from vessel design to safety relief valves to emer­
gency reactor venting. A few are listed:
7-46/17-11, Chemical Reactors and Reactions
7-49/12-65, Emergency Venting of Vessels
7-59, Inerting and Purging
7-73, Dust Col/ectors and Col/ection Systems
7-76, Prevention and Mitigation of Combustible Dust Explosions and Fires
12 Series on boilers and pressure vessels
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 39
3.3.1.6 Maintenance, Inspection, and Testing programs
Once systems are installed, they need maintenance, inspection, and testing on identified frequencies. This
applies to production equipment which is in day-to-day operation as well as emergency systems such as
sprinklers and alarms. An HPR plant will have these programs in place commensurate with appropriate stan­
dards, codes, and manufacturers' recommended practices.
Refer to FM Data Sheet 9-0/17-0, Maintenance, and various protection system, pressure vessel, mechani­
cal equipment, and electrical equipment data sheets, such as OS 2-8N, Installation of Sprinkler Systems; 5-201
14-22, Electrical Testing. 12-0, Applicable Pressure Equipment Codes and Standards; and 12-43. Pressure
Relief Devices.
3.3.1.7 Adequate and Reliable Water Supply and Delivery System
Water supplies are usually required for a chemical facility regardless of whether sprinklers are needed or pro­
vided. A strong water supply feeding an underground main system with properly spaced and arranged
hydrants or monitor nozzles is a minimum requirement for HPR status. Larger chemical facilities may need
systems capable of providing tens of thousands of gallons per minute to cool steel and protect exposures
around a flammable liquid pool fire. The system must be laid out as reliably as possible; often, multiple sources
at opposite ends of the facility are provided for maximum availability and reliability.
Water supply and distribution system needs and design considerations that may be used when evaluating
chemical plants are covered in various FM data sheets including:
3-0, Hydraulics of Fire Protection Systems
3-2, Water Tanks for Fire Protection
3-7N/13-4N, Centrifugal Fire Pumps
3-10, Installation/Maintenance of Private Service Mains and their Appurtenances
3.3.1.8 Ignition Source Control
Ignition source control is a broad area covering such potential sources as smoking, electrical, hot work, light­
ning, non-sparking equipment, spontaneous or chemical decomposition heating, hot surfaces such as heat
transfer fluid or steam piping, chemical reaction heat and other process heat sources, and open flames such
as flares or gas-fired equipment. Some potential sources, such as hot work, are easily identified and can be
controlled by awareness, training and permit systems. Others, such as reaction heat, may occur only under
adverse conditions and may not be identifiable without a hazard analysis.
The intent in chemical facilities is to eliminate ignition sources so that a spill or vapor release can be miti­
gated before ignition occurs.
Ignition source control is covered in several FM data sheets including:
5-1, Electrical Equipment in Hazardous Locations
5-8, Static Electricity
5-10/14-10, Protective Grounding for Electrical Power Systems and Equipment
5-11/14-19, Lightning and Surge Protection for Electrical Systems
7-0, Causes and Effects of Fires and Explosions
7-99, Heat Transfer by Organic and SynthetiC Fluids
3.3.1.9 Adequate Spacing of Buildings, Process Units and Tanks
The degree of confinement or openness of a chemical facility will determine the potential for a small incident
to progress into a worst case event. Closely spaced facilities can be exposed to larger incidents due to "knock
on" events, such as thermal radiation, missiles and fragments, and overpressure. In general, process units
should be separated by 100 feet (30 m) from other process units by unobstructed roadways. Tank farms or
other unusually hazardous processes such as catalyst manufacture may require additional spacing. Admin­
istrative, utility, and emergency response facilities also require careful siting, remote from process hazards.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 40 Factory Mutual Property Loss Prevention Data Sheets
The following FM documents provide guidance on chemical plant spacing:
7-28, Explosive Materials
7-42, Guidelines for Evaluating the Effects of Vapor Cloud Explosions using a TNT Equivalency Method
7-44/17-5, Spacing of Facilities in Outdoor Chemical Plants
7-88, Storage Tanks for Flammable Liquids
3.3.1.1 ° and Post-loss Contingency Plans
An HPR plant will have a plan in place to respond to any potential incident scenario. Scenarios will be devel­
oped based on hazard analyses. Incident response includes both response of operators to control the event
and emergency fire fighting, but is not limited to these activities. It also includes a timely investigation to
determine cause and written contingency plans for acquiring spares, restoring production, obtaining raw mate­
rials, etc., following the incident.
3.3.1.11 Testing and Understanding of Process Chemistry
This HPR element ties in well with process safety knowledge, described in Section 3.2.2. Knowledge of the
hazards of materials and their reactivity when combined with other materials, either intentionally or uninten­
tionally, is critical to safe operation of the facility.
Several FM data sheets provide guidance on process safety information including:
7-19N, Fire Hazard Properties of Flammable Liquids, Gases and Volatile Solids
7-46, Chemical Reactors and Reactions
7-49/12-65, Emergency Venting of Vessels
and occupancy specific data sheets such as:
7-22, Hydrazine and its Derivatives
7-51 , Acetylene
7-52/17-13, Oxygen
7 -53, Liquefied Natural Gas
7 -54, Natural Gas and Gas Piping
7-55/12-28, Liquefied Petroleum Gas
7-58, Chlorine Dioxide
7-80, Organic Peroxides
7-89, Ammonium Nitrate and Mixed Fertilizers Containing Ammonium Nitrate
7-91, Hydrogen
7 -92, Ethylene Oxide
3.3.1.12 Adequate and Reliable Fixed Suppression Systems
Because of large quantities of high heat release hydrocarbons and other flammable liquids and gases, chemi­
cal facilities almost always require some level of fixed automatic suppression. Due to cost and reliability,
water-based deluge or water spray systems are often used. Protection may include exposed structural steel,
production vessels, pumps, tanks, pipe racks, loading stations, and oil lubricated rotating equipment. Foam
systems are used when faster suppression is needed, often due to poor drainage or lack of steel protec­
tion. High speed systems are used for high-energy materials such as propellants. Explosion suppression may
be used in high frequency areas with combustible dusts or vapors. High volume water spray systems may
be used for vapor cloud dispersal or as thermal shields between process units.
An HPR chemical facility requires fixed suppression, where needed, as a minimum requirement for pre­
ferred risk.
FM resources on suppression system selection and design include:
2-8N, Installation of Sprinkler Systems
4-0, Special Protection Systems
4-1 N, Water Spray Fixed Systems
4-7N, Low Expansion Foam Systems
7-17, Explosion Suppression Systems
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 41
For resources on protection needs for process units, structures, or equipment common to chemical plants,
also see:
1-6, Cooling Towers
5-4/14-8, Transformers
5-31/14-5, Cables and Bus Bars
5-32, Electronic Data Processing Systems
7-2, Waste Solvent Recovery
7-14, Fire and Explosion Protection for Flammable Liquid, Flammable Gas and Liquefied Flammable Gas
Processing Equipment and Supporting Structures
7-29, Flammable Liquids in Drums and Smaller Containers
7-32, Flammable Liquid Operations
7-48, Disposal of Waste Materials
7-54, Natural Gas and Gas Piping
7-55/12-28, Liquefied Petroleum Gas
7-78, Industrial Exhaust Systems
7-88, Storage Tanks for Flammable Liquids
7-95, Compressors
7-99, Heat Transfer by Organic and Synthetic Fluids
Other data sheets that are specific to certain chemical occupancies also have guidelines on fixed suppres­
sion needs, including:
7-30N, Solvent Extraction Plants
7-34, Electrolytic Chlorine Processes
7-35, Air Separation Processes
7-89, Ammonium Nitrate and Mixed Fertilizers Containing Ammonium Nitrate
3.3.1.13 and Containment Systems
Fires involving lighter-than-water hydrocarbons cannot be suppressed by water systems alone. While the
water can be effective at keeping building and equipment steel cool and allowing emergency response to gain
access, other systems are needed for full suppression. Drainage systems and containment, such as curbs
and dikes, are important to channel liquids away from important equipment or confine liquids at a safe loca­
tion. In fact, drainage systems can aid in suppression by elimination of oxygen within the drainage piping
and collection system.
Care must be taken to assure hazardous material drainage systems are not connected to benign systems,
such as those from a control room. Incidents have occurred when flammable or corrosive vapors have
entered non-hazard rated areas and exploded or contaminated sensitive electronic equipment.
Attention to environmental regulations is needed to assure a drainage or containment system is acceptable.
The following FM data sheets cover these systems and their design in detail:
7-83, Drainage Systems for Flammable Liquids
7-88, Storage Tanks for Flammable Liquids
3.3.1.14 EqUipment and Steel Fire Protection
Exposed building steel under load cannot withstand a hydrocarbon fire exposure for any significant length
of time. Because steel is often the structural element of choice, due to cost or flexibility, special protection is
needed to prevent early collapse of an important process structure. Steel vessels such as reactors, exchang­
ers, and distillation columns, or tanks on steel legs are also highly susceptible to heat failure which could
release contents, adding fuel to a fire. The goal is to keep the steel cool while the burning liquids or gases
are removed by drainage or the fluid release is stopped. Steel can be protected by water spray or by fire­
proofing with noncombustible heat resistant materials. Preferably, reinforced concrete would be the struc­
tural choice where there are large amounts of flammable liquids or gases that may be released.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 42 Factory Mutual Property Loss Prevention Data Sheets
Refer to the following FM data sheets for information on steel protection:
1-21, Fire Resistance of Building Assemblies
7 -14, Fire and Explosion Protection for Flammable Liquid, Flammable Gas and Liquefied Flammable Gas Pro­
cessing Equipment and Supporting Structures
3.3.1.15 Damage Limiting and Noncombustible Construction
To minimize the effects of fire and explosion pressure damage, an HPR facility will have appropriate dam­
age limiting (DLC) or fire resistive construction. Examples of DLC include high strength, blast resistant con­
trol rooms and low strength venting walls for an occupancy containing flammable vapors or dusts.
Noncombustible construction is also an HPR requirement for important support and utility buildings.
Control rooms and other critical operations or emergency response centers need careful evaluation as to hard­
ening against blast overpressures. Cost and importance to safe shutdown and continued long term produc­
tion are key variables.
The following FM data sheets provide information and application requirements:
1-44, Damage Limiting Construction
1-57, Rigid Plastic Building Materials
3.3.1.16 Combustible Gas Detection
Combustible gas detection is desirable for fast notification of a release of gas or hot vapor. This may prompt
an automatic or manual emergency response such as vapor cloud water spray dispersal systems or fire
department response. Refer to Data Sheet 5-49, Gas and Vapor Detectors and Analysis Systems, for more
information on this subject.
3.3.1.17 Inerting and Purging Systems
Elimination of oxygen within flammable vapor spaces is often required to prevent explosion or fire inci­
dents. Nitrogen inerting or purging prior to filling a system with hydrocarbons is commonly used. In many
cases, a pressurized inert gas is used to push materials safely through a system. Detection to assure oxy­
gen levels are maintained at proper concentrations are part of an inerting system. Inerting can apply to stor­
age vessels, production vessels, piping, and drainage/collection systems.
The following FM data sheets cover this subject:
7-30N, Solvent Extraction Plants
7-59, Inerting and Purging of Equipment
7-88, Storage Tanks for Flammable Liquids
3.3.1.18 Barriers and Barricades
In some cases, a barricade may be needed to protect important buildings or production areas against mis­
sile or fragment impact from a nearby high frequency explosion source. Barriers and barricades are com­
monly used in plants handling explosives and propellants. They have been successfully applied in chemical
facilities such as high pressure polyethylene plants. Barriers are not usually acceptable for overpressure pro­
tection. Pressure waves generated by a vapor cloud or vessel explosion will pass around or over barriers
and reform on the back side.
Fire resistive barriers, such as noncombustible fire walls, are often used as separation between important pro­
duction areas or between high hazard and low hazard areas.
The following FM Data Sheets provide more detail on these systems:
1-19, Fire Walls, Subdivisions, and Draft Curtains
1-20, Protection Against Fire Exposure (From Buildings and Yard Storage)
1-22, Criteria for MFL Fire Walls and Space Separation
1-23, Protection of Openings in Fire Subdivisions
7-16, Barricades
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 43
3.3.1.19 Protection Against Natural Perils
Chemical facilities may be exposed, like all occupancies, to a variety of natural events, some potentially cata­
strophic, such as earthquakes, hurricanes, and floods. Less obvious, but potentially equally damaging expo­
sures such as a hard freeze in a temperate climate, have also caused large loss incidents. The following
FM data sheets provide more detail on these exposures and methods of analysis and protection:
1-2, Earthquake
1-7, Wind Forces on Bui/dings and Other Structures
1-54, Roof Loads for New Construction
9-2, Surface Water
9-13, Evaluation of Flood Exposure
9-18/17-18, Prevention of Freezeups
3.4 Concepts of Inherent Safety
Opportunities exist to reduce the risk at a chemical facility at many stages of its life, but the primary oppor­
tunity exists during new project development or during major changes. At these stages, inherent safety oppor­
tunities can be explored economically.
An inherently safer plant relies on the reduction or elimination of hazardous materials or processes through
changes in the chemistry and physics of the process rather than layers of "add on" safety control and fixed
protection systems. The traditional approach to loss prevention has been to accept the hazard and then to pro­
tect against it. This latter approach requires expensive active and passive protection systems which are sub­
ject to failure within the life of the plant. An inherently safer plant has eliminated or reduced the hazard to
where these systems may not even be needed, saving initial installation cost, lifetime maintenance and test­
ing costs, and potential loss costs should systems fail.
According to Kletz, there are five approaches to the development of inherently safer plants: intensification,
substitution, attenuation, limitation of effects and simplification/error tolerance.
3.4. 1 Intensification
Intensification means using smaller amounts of a hazardous material.
For example, a polyolefins plant required large quantities of LPG feedstock. In the past it had a large day
tank within the process unit. This tank was fed from bulk storage spheres located many hundreds of feet away.
The day tank was found to severely expose the production unit and in fact was installed only as a produc­
tion convenience if supplies were temporarily cut off from the larger tanks (due to a pump failure, for example).
The day tank was eliminated and spare pumps installed for reliability. The plant was able to operate as effi­
ciently without the hazardous large volume inventory within the production unit.
In another case, a hazardous reaction involving potentially detonable materials was at one time conducted
in a moderately sized batch reactor. The possibility of runaway with a subsequent detonation of a large quan­
tityof high energy material existed due to many different failure modes because of the reactivity of the mate­
rials involved. The process was changed so that the two reactants were continuously reacted in a small pipe
reactor with flows less than 5 gpm. The same amount of product was produced at a reduced risk due to sub­
stantially lower amounts of high energy material available at any given time.
3.4.2 Substitution
Substitution means replacing a hazardous material with a non-hazardous or less-hazardous material.
The classic example of substitution is use of water as a coolant instead of combustible thermal oil. The advan­
tage is obvious. Water is both nonflammable and non-corrosive. Fire protection will not be needed for the
coolant alone, which could have been the case for the thermal oil.
Another example is using an ammonia refrigeration system in an outdoor process unit instead of propy­
lene. The propylene system represents fire and vapor cloud explosion hazards where the ammonia hazard
is substantially less from a fire and explosion standpoint. A trade off in toxicity, which may affect manual fire
fighting response, would occur with this choice.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 44 Factory Mutual Property Loss Prevention Data Sheets
A third example is use of supercritical carbon dioxide instead of highly flammable solvents in processes that
require extraction of oils, such as agricultural products. The hazard of fire and explosion from the solvent
are eliminated, although combustible oils may still be present. A possible hazard trade off is made in the high
pressures required for supercritical extraction.
Substitution can apply to non-chemical systems as well. Use of noncombustible construction in buildings,
use of electric cable inside metal conduit instead of exposed plastic insulated cable, and use of stainless steel
instead of plastic for duct systems handling some corrosives are all examples of this element of inherent
safety.
3.4.3 Attenuation
Attenuation means using less hazardous process conditions or a less hazardous form of material.
Attenuation is commonly achieved by using lower temperatures and pressures. It may be achieved through
process chemistry (Le., a new reaction with less potentially energetic effects).
The 1974 Flixborough, U. K., incident was caused by a release of boiling cyclohexane, a raw material used
to make caprolactam, an intermediate for nylon. Hundreds of thousands of pounds of boiling cyclohexane
were present in the system under high pressure. Upon accidental release, the material flashed to vapor and
an outdoor vapor cloud explosion occurred with essentially total damage to the plant.
Another plant discovered a way to produce caprolactam using cyclohexane in a process below its boiling
point. Should the cyclohexane be released, a severe fire hazard will exist. However, the fact that the material
is below its boiling point at all times has completely eliminated any possibility of a vapor cloud explosion.
Another common example is refrigerated storage of hazardous materials, such as ethylene oxide. Ethylene
oxide stored at ambient conditions can form large vapor clouds if released. If stored as a refrigerated liq­
uid, essentially no vapor cloud can form.
In another plant, a combustible silicon metal dust presented an unacceptable risk. The dust was tested and
found to have a very high energy potential, and conventional damage limiting systems would not be effec­
tive in reducing overpressures should the material ignite. The solution was to immediately dilute the dust in
an inert material, a process called phlegmatization. This was done within the duct system prior to any large
or important collection system. The resultant mixture was rendered noncombustible and the explosion haz­
ard was eliminated.
Another inherently safe solution for undesirable combustible dusts is to collect them in a liquid slurry.
3.4.4 Limitation of Effects
Limitation of effects means designing a facility that minimizes the impact of a release of hazardous mate­
rial or energy.
The most common approach to this element of inherent safety is in proper siting and location of facilities.
This can reduce the impact of a release or event by distance and by limitation of add-on events such as
BLEVEs or missile punctures. Other factors considered could include proper drainage patterns, prevailing
winds and meteorological conditions.
At one plant, a typical process unit is constructed of a one-story concrete supported structure known as a
pump house. The pump house has open walls and a solid concrete roof. Pumps are located within the con­
crete structure at grade level and piping is located at ceiling level. Major processing equipment, such as puri­
fication columns and rundown tanks with high volume flammable materials, are located around the perimeter
of the concrete structure or on the solid roof. The structure is long and narrow with heavily sloped drain­
age toward the outside of the unit. All important equipment is fireproofed.
These features were intentional to assure that all significant quantities of flammable materials were fully
accessible for manual fire fighting. Upon a release, the materials flow outward from the unit and can be more
easily controlled. Damage, even in a worst case event, will be limited to peripheral eqUipment.
Another approach to limitation of effects is by limiting the magnitude of a process deviation. For example,
the rate of addition of a material to a reactor can be limited by sizing the feed pump so that it cannot possi­
bly exceed the safe addition rate. This can also be achieved by use of small piping or orifice plates in pipes.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 45
Use of smaller but deeper dikes around LPG and other liquefied gases such as LNG and ethylene will sub­
stantially reduce the amount of exposed liquid surface area subject to vaporization.
Another classic example of limitation of effects is by provision of barriers or complete containment of a haz­
ardous material or process. This has been used effectively by the nuclear power and the propellant and solid
rocket motor manufacturing industries. Blast barriers have been used effectively around high pressure eth­
ylene processes. Containment is now commonly used for liquid chlorine tanks.
3.4.5 Simplification/Error Tolerance
Simplification/error tolerance means designing a facility so that operating errors are less likely or the pro­
cess is more forgiving if errors are made.
This can apply to many operating conditions within a plant. For example. use of gravity systems is prefer­
able to pumping systems because of the lack of moving parts and less potential for leaks (such as at pumps
seals). If pumps must be used, pumps without seals or double-sealed are preferable. Piping should be welded
if possible, flexible couplings minimized or eliminated, and glass level devices eliminated. Sample pOints
should be avoided. but should have double valving and collection pots if necessary.
Many simplifications can be done to process units, especially in batch reactions, to minimize the potential
for error in charging of reactants. Small charge vessels can be added for initial mixing instead of "dump­
ing" all materials into one large reactor where hot spots can form due to poor mixing or cooling.
At one petrochemical plant, the plant was simplified by reducing by 60 the number of vessels and equip­
ment needed to run a similar but older plant. The complexity of running the plant and thus potential for loss
was substantially reduced.
4.0 BIBLIOGRAPHY
4.1 Process Safety and Risk Management
Center for Chemical Process Safety Guidelines Series, AIChE:
G-10, Guidelines for Technical Management of Chemical Process Safety, 1992
G-18, Guidelines for Hazard Evaluation Procedures, 1992
G-19, Guidelines for Investigating Chemical Process Incidents, 1992
G-20, Guidelines for Auditing Process Safety Management Systems, 1993
G-25, Guidelines for Implementing Process Safety Management Systems, 1994
G-27, Guidelines for Process Safety Documentation, 1995
Chemical Process Safety Management - Control of Acute Hazards, Chemical Manufacturers Association
(CMA), May 1985
"Management of Process Hazards" American Petroleum Institute (API) Recommended Practice 750, 1990
"Process Safety Management of Highly Hazardous Chemicals", 29 Code of Federal Regulations No
1910.119, Occupational Safety and Health Administration, August 26, 1992
"Risk Management Programs (RMP) for Chemical Accidental Release Prevention", 40CFR, Part 68; (Fed­
eral Register Vol 61, No.120, pgs 31667-31730), Environmental Protection Agency, June 20,1996
EC Directive 82/501/EEC and its 1987 revision (87/216/EEC) (Europe)
4.2 Highly Protected Risk Guidelines for Chemical Industry
FM Data Sheets:
1-44, Damage Limiting Construction
5-1, Electrical Equipment in Hazardous Locations
7 -0, Causes and Effects of Fires and Explosions
7-14, Fire and Explosion Protection for Flammable Liquid, Flammable Gas and Liquefied Flammable Gas Pro­
cessing Equipment and Supporting Structures
7-42, Evaluating the Effects of Vapor Cloud Explosions
7 -44/17 -3, Spacing of Facilities in Outdoor Chemical Plants
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 46 Factory Mutual Property Loss Prevention Data Sheets
7-45, Instrumentation and Control
7-46/17-11, Chemical Reactors and Reactions
7-47, Physical Operations in Chemical Plants
7-49/12-65, Emergency Venting of Vessels
7-59, Inerting and Purging of Equipment
7 -83, Drainage Systems for Flammable Liquids
7-88, Storage Tanks for Flammable Liquids
7-95, Compressors
7 -99/12-19, Heat Transfer by Organic and Synthetic Fluids
12-0, Applicable Pressure Equipment Codes and Standards
4.3 Concepts of Inherent Safety
Guidelines for Vapor Release Mitigation, Chapter 2, CCPS Guideline G-4, 1988
Englund, S.A.,"lnherently Safer Plants: Practical Applications", Process Safety Progress, Vol 14 No 1 pp
63-70, Jan. 1995
Englund, S. A., "Opportunities in the Design and Operation of Inherently Safer Chemical Plants," Advances
in Chemical Engineering, 15, pp 73-135, 1990
Englund, S. A., "Design and Operate Plants for Inherent Safety," Chemical Engineering Progress, March,
pp 85-91, 1991
Kletz, T, A., "Inherently Safer Plants, An Update", Proceedings of the 24th Annual Loss Prevention Sympo­
sium, San Diego, CA August, 1990, American Institute of Chemical Engineers
Kletz, T, A., "Friendly Plants", Chemical Engineering Progress, pp. 18-26, July 1989
Hendershot, D.C., "Some Thoughts on the Difference Between Inherent Safety and Safety", Process Safety
Progress, Vol. 14 No 4, pp 227-228, Oct. 1995
Hendershot, D.C., "Conflicts and Decisions in the Search for Inherently Safer Process Options", Process
Safety Progress, Vol. 14 No 1 pp 52-56, Jan. 1995
4.4 Preventive Maintenance
Pressure Vessel Inspection Code, American Petroleum Institute (API) Publication 510, 1997
Piping Inspection Code, American Petroleum Institute (API) Publication 570, 1997
4.5 Chemical Hazard Information
Encyclopedia of Chemical Technology, 24 vols. 4th ed. Kirk-Othmer, John Wiley & Sons, Inc., 1991
Hawley's Condensed Chemical Dictionary, 12th ed. Ed. by Richard J. Lewis, Sr., Van Nos Reinhold, 1993
Dangerous Properties of Industrial Materials, 3 vols. 7th ed., N. Irving Sax & Richard J. Lewis, Sr., Van Nos
Reinhold, 1988.
Perry's Chemical Engineers' Handbook, 6th ed. Ed. by Don W. Green, McGraw-Hili, 1984.
Physical Properties of Hydrocarbons, 2 vols., R. W. Gallant, Gulf Publishing Co., 1968, 1974,
CRC Handbook of Chemistry and Physics, 73rd ed, Edited by D. R. Ude, CRC Press, 1993
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 47
APPENDIX A: INTERNATIONAL ORGANIZATIONS AND REGULATORY CODES OVERSEEING
CHEMICAL PLANT PROCESS SAFETY
A.1 Mandatory Regulations Covering PSM and Related Chemical Industry Safety Oversight
To date, mandatory regulatory oversight of process safety has occurred only in the European Economic Coun­
cil Countries (EEC) or European Union (EU), and within North American only in the United States. There
are currently no mandatory PSM regulations in Canada, Mexico, or the AustralAsia countries, although stud­
ies are underway to promulgate laws similar to Europe and the U.S. in many of these areas.
PSM regulation started in Europe following a series of serious chemical plant incidents, Flixborough (1974),
Beek (1975) and Seveso (1976) being the most noteworthy. In 1982, the EU developed EC Directive 82/501/
EEC which required adoption of PSM. In 1992, following a series of accidents in chemical plants in the U.S.,
including Phillip Petroleum (1989), the OSHA 1910.119 PSM Rule was enacted. Also in response to environ­
mental releases, the EPA in 1993 issued a proposal to require chemical plants to develop risk manage­
ment plans. The EPA Rule was enacted in June 1996 with an effective date of August 19, 1996.
A. 1. 1 Europe
A.1.1.1 EC Directive 82/501/EEC and its 1987 revision (87/216/EEC) are known as the Seveso Directive.
A third revision (88/610/EEC) was developed following a major accident in Basel, Switzerland, in 1986. The
purpose of the directive is to place into law an administrative structure to "identify, assess, control, and miti­
gate the major accidents, hazards and risks" of chemical and related industries.
The directives contain the following key provisions:
unifying standards across the European Community
- identification of competent oversight authorities
- provision of a framework of controls involving:
- identification
- assessment
- control
- mitigation
- information exchange between member states and the European Community
- Community-wide reporting, with data base, of major accidents
The directive requires a company to:
- comply when certain threshold chemicals or process systems are present
- report major accidents
- demonstrate that plant risks have been identified, safety measures adopted, and that information, train­
ing, and equipment has been provided to personnel, following an established and documented process
safety management program.
Exemptions include nuclear, military, explosives and ordinance, mining, and waste disposal sites.
A byproduct of the regulations is research into major industrial hazards including developing technologies
for accident prevention and environmental restoration; improving the understanding of chemical and physi­
cal hazard phenomena; and improving the understanding of managing risk.
A. 1.2 United States
The U.S. Clean Air Act (CAA) Amendments of 1990, signed into law on November 15, 1990, included pro­
visions for chemical accident prevention. Both the Occupational Safety and Health Administration (OSHA) and
the Environmental Protection Agency (EPA) were instructed to promulgate process safety regulations. In
addition, a number of individual states have adopted related regulations including, California, Delaware,
Texas, Nevada and New Jersey.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 48 Factory Mutual Property Loss Prevention Data Sheets
A.1.2.1 Occupational Safety and Health Administration
In response to this act, OSHA promulgated Process Safety Management of Highly Hazardous Chemicals
(29 CFR 1910.119) that went into effect on August 26, 1992. This law covers chemical accidents which can
occur on a plant site and expose plant workers and the public to (principally) fires and explosions. The law
lists 141 specific chemicals plus all flammable hydrocarbons, and provides threshold values above which
a company using, storing or producing the chemicals must comply with the provisions of the law. The law is
a performance-based standard rather than specification-based, so there are no specific measurements that
the company is mandated to meet. The OSHA PSM law lists 14 specific provisions, including a require­
ment to conduct extensive process safety analyses, for compliance. When the law was passed, it was esti­
mated that approx 87,000 U.S. facilities would meet threshold requirements and need to comply with the
law.
Elements of process safety within the OSHA PSM Rule are similar to the CCPS elements. One significant dif­
ference between the two documents is in scope. CCPS is a general guideline that does not define what pro­
cesses need to fall under PSM oversight. It is intended to be applied by the users according to their needs.
OSHA specifies which areas of a facility must be managed by listing 141 specific chemicals and all flam­
mable hydrocarbons. It also lists process situations and occupancy defaults. The law applies if these defaults
are triggered. PSM does not have to be applied if these defaults are not triggered.
Some of the OSHA-listed chemicals and their thresholds, as compared to EPA thresholds, are provided in
Table 1.
Table 1. Comparison of OSHA and EPA Thresholds of the More Common Hazardous Chemicals
Substance EPA threshold Ib (kg) OSHA threshold Ib (kg)
._-_..
Anhydrous Ammonia 1,000 (450) 5,000 (2250)
Chlorine 1,000 (450) 1,500 (680)
Chlorine dioxide 500 (225) 1,000 (450)
I
Anhydrous hydrochloric acid 1,000 (450) 5,000 (2250)
i
Sulfuric acid 5,000 (2250) Not listed
I
Titanium tetrachloride 500 (225) Not listed
I
Flammable hydrocarbons 10,000 (4500) 10,000 (4500)
Explosives all (per DOT) Not covered
I
A.1.2.2 Environmental Protection Agency
In response to the Clean Air Act Amendments of 1990, the U.S. EPA announced in the October 20, 1993 Fed­
eral Register (Vol 58, No. 201, 54190) a proposed rule entitled Risk Management Programs (RMP) for Chemi­
ca! Accidental Release Prevention (40 CFR Part 68). The rule was finally enacted in 1996, with an effective
date of August 19,1996. The rule is intended to protect public health and the environment. It closely paral­
lels the OSHA law covering Process Safety Management of Highly Hazardous Chemicals which is prima­
rily intended to protect in-plant workers.
The EPA RMP and the OSHA PSM laws are different yet complementary to each other. OSHA's focus is
on workplace consequences while EPA is on offsite consequences. However, EPA acknowledges that most
locations that comply with the OSHA law will also comply to some extent with the EPA rule.
The EPA estimated that the new rule will effect 140,000 U.S. facilities that have one or more of the 100 listed
toxic substances, 62 flammable liquids or gases, or high explosives on their site above identified threshold
values. The thresholds for toxic substances are based on a ranking method that considers each substance's
toxicity and potential to become airborne and disperse. The thresholds for listed flammable liquids and gases
are based on the quantity that potentially might be involved in a vapor cloud explosion. The threshold for
explosives is based on the quantity that could produce lethal blast waves from an explosion at a distance of
100 meters (330 ft.). The presence of a threshold quantity is to be determined based on the maximum quan­
tity in a single process.
More facilities fali under the EPA rule than under the OSHA rule due to generally lower threshold values of
listed chemicals in the EPA rule. (A sample threshold list is shown in Table 1.)
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
Loss Prevention in Chemical Plants 17-2
Factory Mutual Property Loss Prevention Data Sheets Page 49
In addition to complying with the OSHA PSM provisions, the EPA rule adds two major components as part
of the facility's risk management program: hazards assessment and response programs.
Facilities that meet EPA thresholds have to conduct hazard assessments for each covered substance. The
hazard assessment has to look at a range of accidental release scenarios including worst case. The worst
case release scenario is defined by EPA as "the release of the largest quantity of a regulated substance from
a vessel or process line failure, including administrative controls and passive mitigation that limit the total
quantity involved or the release rate. For most gases, the worst case release scenario assumes that the quan­
tity is released in 10 minutes. For liquids, the scenario assumes an instantaneous spill; the release rate to
the air is the volatilization rate from a pool 1 cm (3/8 in.) deep, unless passive mitigation systems (e.g., dikes)
contain the substance in a smaller area. For flammables, the worst case assumes an instantaneous release
and a vapor cloud explosion".
The EPA lists meteorological conditions (wind speeds and atmospheric stability) which define worst case. It
should be noted here that the OSHA law does not assume worst case, and for this reason much more severe
exposures could be proven after conducting an EPA hazard assessment. The EPA rule does not yet define a
likelihood (probability) beyond which an event can be considered "extreme" worst case. It does however
address "alternative release scenarios". These non-worst case accidental releases for the hazard assess­
ment portion of the risk management plan were presumed "more likely to occur" and "more realistic" than the
worst case. EPA believes facilities should have flexibility to select non-worst case scenarios that are the most
useful for communication with the public and first responders and for emergency response preparedness
and planning. For "alternative scenarios", facilities may consider the effects of both passive and active miti­
gation systems.
The EPA rule also goes well beyond OSHA in its provision for emergency response. Facilities will need to
develop more extensive plans that detail how the facility would respond to a release to limit offsite conse­
quences. EPA requires facilities to conduct drills and exercises to test their program. Facilities have to coor­
dinate plans with the local emergency planning committee (LEPC), which is not required by OSHA.
The EPA rule also allows for full public availability of the facility's hazard analysis and response proce­
dures, although there is still considerable discussion as to how this will be done.
Examples of facilities covered by the new EPA law, that might not have been under OSHA, are smaller plants
using ammonia refrigeration systems and waste treatment plants (using chlorine).
With the EPA rule now law, a company has three years (from the effective date of August 19, 1996) to bring
it into full compliance.
A.2 Voluntary Chemical Industry Programs and Resources
There are many chemical industry resources and programs for process safety. The most noteworthy inter­
national program is called Responsible Care. This was started in Canada as a way to partner chemical plants
with the neighboring communities. Hazard information is shared and emergency plans are developed and
tested for hazard material release response. Responsible Care programs are generally not regulatory. That
is, they are not mandated by law but instead are voluntary. However, they are usually a compulsory part
of belonging to a local or national chemical industry association. That is, by voluntarily joining the organiza­
tion, the company agrees to participate in Responsible Care. In Canada, the Canadian Chemical Produc­
ers Association (CCPA) oversees Responsible Care. In the U.S., it is overseen by the Chemical Manufacturers
Association (CMA) and the Synthetic Organic Chemical Manufacturers Association (SOCMA).
Following is a list of global chemical industry organizations that promote chemical process safety and pub­
lish guidelines.
©1999 Factory Mutual Engineering Corp. All rights reserved.
7-43
17-2 Loss Prevention in Chemical Plants
Page 50 Factory Mutual Property Loss Prevention Data Sheets
A.2. 1 Australia
A.2.1.1 Hazardous Industry Planning Advisory Paper No.3, Environmental Impact Assessment Guidelines,
Ministries of Local Government and Planning, Dept of Planning, Sydney. 1989
A.2.1.2 Plastics and Chemicals Industries Association (PACIA)
A.2.1.3 National Community Advisory Panel (NCAP)
A.2.2 Canada
A.2.2.3 Canadian Chemical Producers Association (CCPA)
A.2.3 India
A.2.3.1 Indian Chemical Manufacturers Association (ICMA)
A.2.4 Far East
A.2.4.1 Association of International Chemical Manufacturers (AICM)
A.2.4.2 Singapore Chemical Industries Council (SCIC)
A.2.4.3 Chemical Industries Council of Malaysia ( CICM)
A.2.4.4 Petrochemical Industry Association of Taiwan (PlAT)
A.2.4.5 Korean Petrochemical Industry Association (KPIA)
A.2.4.6 Japan Chemical Industry Association (JCIA)
A.2.5 South America
A.2.5.1 Responsible Care is present in Argentina, Brazil, Chile, Colombia, and Venezuela
A. 2. 6 United Kingdom
A.2.6.1 Health and Safety Commission (HSC) Advisory Committee on Major Hazards, 1980
A.2.6.2 Institution of Chemical Engineers (IChemE)
A.2.7 United States
A.2.7.1 Chemical Manufacturers Association (CMA)
A.2.7.2 American Institute of Chemical Engineers (AIChE)
A.2.7.3 Center for Chemical Process Safety (CCPS)
A.2.7.4 American Petroleum Institute (API)
A.2.7.5 Synthetic Organic Chemical Manufacturers Association (SOCMA)
FM Engr. Comm. Sept. 1998
©1999 Factory Mutual Engineeri!

Sign up to vote on this title
UsefulNot useful