health, safety and environment 3
Lifting the lid on process risk
Jeremy Codd shares an insurance view of when things go wrong
THE insurance industry has the
unfortunate perspective of seeing
things go wrong with costly regularity.
However with this experience comes
a keenness to share lessons learned,
often long before legislation demands
the required improvements. It can be
frustrating for insurance engineers fresh
from a chemical site that has suffered
a loss (and installed measures to try
to prevent it ever happening again)
then to visit a site that fails to even
recognise the same issue.
a quantifiable risk
In the UK, hazardous installations
or facilities must demonstrate to the
Health & Safety Executive (HSE) that
they have made the risk to people as
low as reasonably practicable (ALARP).
ALARP is defined by levels of individual
fatality risk. For members of the public,
the Hazardous Installations Directorate
(HID) gives the corresponding fatality
risk levels as 10–4 to 10–6 per year (see
Figure 1).
Since the 1974 Flixborough disaster,
particular emphasis has been placed on
safe design. Most facilities now built to
process hazardous chemicals undergo
detailed risk assessments and seek ways
to reduce the likelihood of catastrophe.
Various process hazard analysis (PHA)
methods can be used, the most common
of which is the hazard and operability,
or Hazop, study. The analysis is usually
led by a simple series of questions
that define how and where things
can go wrong through a consensus of
experienced opinion. By defining the
hazards and quantifying the risks they
present, process plants can calculate the
probability of a fatal incident.
Insurance engineers spend much time
analysing sites in order to quantify the
level of risk they pose. The quality of
these assessments improves with the
level of detail gathered by the surveying
teams year on year. Incorporating this
information into algorithms is an even
better way of quantifying the likelihood
Figure 1: of a loss. However, to give reliable
Boundaries of odds requires a lot of detail and quality
acceptable and information. Repeat surveys over several
unacceptable years are one option; but there is
fatality risk another way.
Individual fatality risk
Acceptable Unacceptable
1 in 1 million years 1 in 10,000 years
30 tce april 2008
Date Project stage
Jan 07 Detailed design
Mar 07 Procurement
May 07 Construction end of phase 1
Jul 07 Construction end of phase 2
Sep 07 Pre-start up review
Sep 07 Construction end of phase 3
Oct 07 Precommissioning
Oct 07 Start of commissioning
Notes on PHA actions (or recommendations):
– Accepted as complete only if signed off by PHA lead or chair.
– Software actions apply to those dealing with procedural or management issues and may ordinarily not be
completed after construction.
– Hardware actions are those requiring actual physical measures affecting the design.
Figure 2: Addressing PHA recommendations over the course of a project
designed safety
Chemical plants are built by multi-
disciplined teams of engineers but the
initial designs are usually drawn up by
chemical engineers and it is at this stage
the design’s safety is scrutinised by a
PHA. The chemical engineers are invited,
along with peers from other disciplines,
to present the design for hazard
analysis. Through line-by-line analysis,
the PHA team is able to pinpoint areas
that need attention in order to reduce
the level of risk to an acceptable level.
In an ideal world it would be possible
to design a plant safe enough for
children to play on – but the real world
requires affordable practical solutions. A
PHA study will recommend improvements
to a design, which can be expensive. It
can happen that PHA recommendations
are rationalised.
Armed with detailed PHA information,
surveying insurance risk engineers could
determine which elements of a process
plant they wish to investigate before
they even arrive at a site. However,
PHAs tend to be highly confidential and
inaccessible to non-employees.
A site’s commitment to safety can
be revealed by the respect it gives
PHA findings. It is good practice to
monitor outstanding recommendations
and make sure they are analysed
early and implemented. The further a
project progresses, the more expensive
it is to perform retrospective design
work to implement PHA-recommended
safeguards. Financial pressures can
PHA actions
Outstanding
Completed
Software Hardware
0 30 50
15 30 35
25 25 30
30 25 25
45 20 15
55 20 5
56 20 4
67 10 3
cause managers to accept cheaper, possibly
less robust solutions. It is good practice
for the PHA leader or chair to sign off
recommendations once solutions have been
satisfactorily implemented. Actual detail of
PHA recommendations – especially the ones
that took a long time to sign off – would
further help insurance risk engineers.
Figure 2 shows typical progress in
addressing PHA recommendations over the
course of a project. The table illustrates
how satisfactory hardware recommendations
are implemented throughout the project
life. Interestingly from this example
the last few were not completed during
construction and are likely to have
needed rework or justification for non-
implementation.
revisiting safety
Similarly, with operational plant it is
possible to measure a site’s commitment
to the integrity of a design ratified by a
PHA. A site’s credence to the PHA process
is a reflection of its safety culture. The UK
compliance guidelines and enforcement
procedures for process safety management
of highly hazardous chemicals (CPL 02-02-
045, revised) says that the PHA should be
revisited every five years, which requires
commitment to comprehensively achieve.
However, without diligent revisiting of a
PHA, any hazardous installation cannot
demonstrate continuing risk management,
and could even be accused of failing to
meet its public responsibilities. Every site
undergoes changes to its design and/or
operation, and the cumulative effect of
these changes over time can fundamentally
www.tcetoday.com

change the plant from the design
presented to the PHA team. Most sites
assess the risks posed by individual
changes prior to their introduction, but
an overall review of the PHA provides a
safety net for the cumulative effect of
changes and the opportunity to apply
new standards, codes and best practices.
Figure 3 shows a typical summary of
operating plant PHA reviews. It suggests
that the site’s distillation process needs
to be reviewed, and that there might be
issues with the polymerisation unit.
the basis of safety
PHA studies identify and define the
designed framework within which the
hazards must be contained. Consider the
following simplified example: a liquefied
flammable gas is passed through a
reactor and mixed with other reactants.
Let us say that too much of one reactant
(Z) leads to a runaway reaction, causing
over pressure. Engineers install devices
to measure and control the flow of
reactants, provide a reaction kill
chemical to inject if control is lost and
install a bursting disc on the reactor
vent that relieves to flare in case of
overpressure. The events that can lead
to catastrophe are identified but even
multiple protections can only reduce the
risk of overpressure because no single
piece of equipment is 100% reliable.
Figure 4 shows how a quantifiable
structure emerges. Instruments,
controllers and safety devices all serve
to keep the hazard contained but each
with a probability of failure. If say each
element had a 1% chance of failure
then too much Z would have a 1 in 100
chance of going out of control, with a
1 in 100 chance of not being able to
kill the reaction, and a further 1 in 100
chance of not safely relieving the reactor
overpressure. Giving a 0.013 = 0.000001
chance of failure, too much Z carries a 1
in 1m chance of failure.
maintaining the design
The safeguards installed above are
clearly critical and the loss of any one
of them increases the chance of failure
by one hundredfold. The duty of care
for these items must be paramount.
In order to ensure this level of safety,
the installed protective equipment or
systems should be identified as critical
and sufficiently tested and maintained.
There are inherent weaknesses in every
plant and a workforce unaware of them is
a dangerous combination.
Figure 4: Containing the risks of
a runaway reaction
www.tcetoday.com
Identified Dates
Recommendations
processes of five-
generated at last
requiring PHA yearly
review
review reviews
Distillation –
1997 &
Reformer 20
Aug 04
Blending Due 08
Solvent extraction Feb 04 15
Ethylene Sep 04 10
Polymerisation Mar 06 15
At the PHA stage, assumptions have
to be made such as the properties of
the pipework and vessels, an example of
which might be the strength of a pipe
under pressure to contain the dangerous
materials within. An operating plant
cannot sustain this assumption without
a reliable programme of inspection
and maintenance. Not surprisingly,
inspection and maintenance practices
feature heavily in insurance risk
engineering surveys. Even when all
hazards of a process plant have been
defined and quantified, the plant can
be compromised at any time by human
error. Extending the analysis of risk down
to individual items of equipment helps
identify leak-prone points, ie pump seals,
pipe joints and pressure relief devices.
These studies can highlight the need for
engineered improvements to equipment
integrity or secondary safety initiatives
such as fire protections and emergency
scenario responses.
the best of sites
Full PHA studies lift the lid on the risks
associated with any given process plant.
Without a demonstrable commitment
to PHA reviews, a site cannot reliably
control the potential for catastrophe. A
process plant’s PHA performance gives a
useful leading indicator of the health of
its process safety management. Do refer
to the Health and Safety Executive’s
excellent publication HSG254 Developing
process safety indicators.
It is sometimes said that actuarially
it is not easy to assess a chemical
plant’s likelihood of a loss because of
the relatively small number of sites and
incidents, compared to say car accidents.
However, each insured major hazard site
is responsible for quantifying the level
of risk it poses. A catastrophic incident
at a chemical facility has a measurable
chance of occurrence because there are a
health, safety and environment 3
Time to implement Cost of
or number of PHA man- implementing
outstanding hours recommendations
recommendations GBP
6 months 400 100,000
7 months 320 80,000
5 months 240 100,000
3 outstanding 240 50,000
limited number of events that can occur Figure 3: A typical
in any given set of pipes and vessels. A summary of
PHA seeks to determine these plausible operating plant
possibilities each of which can be PHA reviews
evaluated by further quantitative studies
in order to meet acceptable risk criteria.
Statistical summaries of PHA
programmes are easy to produce. If a
company is unable to provide them,
then this could be taken as an indicator
of a lack of fundamental risk reduction
activities. A good site will be one
that seeks to revisit and adhere to the
guidance offered by the PHA, as doing
so will directly influence its prospects
of suffering a loss. Even an older site
that was constructed before the advent
of commonplace PHAs may not have
any original PHA records but can start
the process of PHAs and achieve the
exemplary standard of a five-yearly
review.
‘Best practice’ sites usually give
inspection and maintenance the priority
needed to preserve the design intent.
They also keep abreast of industry
developments and apply lessons learned
long before regulatory pressures dictate.
In conclusion, all site functions
are sustained by the operating plant
and exemplary management of process
safety will protect that plant and its
workforce from devastating loss. An
installation that holds the containment
of its hazards as its utmost priority also
benefits from a culture of safety that
percolates throughout its systems of
work.
the future?
This article demonstrates just how useful
a measure of hazard management PHA
statistics can be. However this is just
one indicator. With reference again
to the publication HSG254, in time
chemical sites will be able to present Jeremy Codd
to visiting insurance engineers a whole (jeremy.codd@
suite of metrics indicating the status zurich.com) is
of all the risk control systems. A site a senior risk
with inbuilt health checks of its process engineer with
hazards management will be safer and Zurich Global
more attractive to the insurer. tce Energy
april 2008 tce 31