MAJOR ACCIDENT HAZARD (MAH) SCENARIOS
The main elements in the Safety and Environmental Critical Elements identification process are as follows:
- Major Accident Hazard identification
- Major Accident Hazard scenario selection
- Scenario’s likelihood assessment
- Scenario’s consequence assessment
- Risk ranking
- Barrier’s selection
- Safety and Environmental Critical Elements identification
Major Accident Hazards are identified using different techniques, both qualitative and quantitative, which include, among others:
- Hazard Identification Studies (HAZID)
- Hazard and Operability Studies (HAZOP)
- Layer of Protection Analysis (LOPA)
- Safety integrity level determination (SIL)
- Quantitative Risk Analysis (QRA)
- Fire and Explosion Risk Assessment (FERA)
Major Accident Hazard scenarios serve various purposes, including but not limited to:
- To demonstrate that a specific scenario, in practice, no longer poses a Major Accident Hazard risk due to the implemented measures
- To show how the impact of a specific scenario has been minimized by the protective measures (barriers) in place
- To demonstrate the efficiency and effectiveness of barriers put in place
- To establish whether the activity should be considered acceptable
- To establish whether further barriers are required
In connection with the risk assessment, the technical parameters, the equipment used for safety, and their fitness for purpose need to be justified, e.g.,
- Degree of redundancy
- Reliability criteria
- Etc.
MAH SCENARIOS EVALUATION AND BOWTIES
The Safety Management System shall demonstrate (in the Safety Case) the adequacy of the barriers implemented, through systematic identification of possible Major Accident Hazard scenarios and their initiating events (causes). The scenarios are normally based on the assumption of a loss of safe containment event. However, some other scenarios may also be applicable.
The principles and procedures followed to determine the scenarios shall be documented. Among others, they can be based on safety alerts, industry historical accident data, similar industries’ (petrochemical, chemical, O&G, etc.) historical accident data, and relevant literature.
A Major Accident Hazard scenario is usually described in the form of loss of containment specified by its technical type, among others:
- vessel rupture
- pipe rupture
- vessel leak
- etc.
As a visual representation of the Major Accident Hazard scenarios, a bowtie diagram is usually prepared, see Figure 4 below.
Figure 4. Typical Bowtie Diagram
The center of the bowtie diagram is the loss of containment event (Major Accident Hazard).
The left side of the bowtie depicts the possible causes that would lead to the occurrence of the Major Accident Hazard. The crosses refer to barriers put in place to prevent a particular scenario from evolving into the Major Accident Hazard.
The right side of the bowtie describes the development of possible outcomes resulting from the Major Accident Hazard. The crosses on the right side refer to the barriers put in place to prevent or mitigate the Major Accident Hazard causing harm to personnel, the environment, and the plant equipment.
The following non-exhaustive list provides the most relevant event types that describe the consequences of the Major Accident Hazard development:
- Pool fire
- Jet fire
- Flash fire
- Tank fire
- Vapor cloud explosion
- Toxic cloud
- Boiling liquid expanding vapor explosion
- Environmental pollution
These events may occur in:
- Process units (electrolyzers, compressors, methanol synthesis, carbon capture, etc.)
- Storage units (intermittent and final products)
- Pipework and ducts
- Loading and unloading facilities
- On-site transport of hazardous substances
The hazardous substances may also be present under various physical conditions (temperature, pressure, aggregate form). The evaluation shall demonstrate that, of these possible scenario elements, the relevant scenarios were chosen. The selection may follow the order of:
- Event likelihood
- Consequences
- How representative the scenario is.
BOWTIES - LEFT HAND SIDE
The Major Accident Hazard can arise from various sources, including initiating, internal, and external causes, as well as lapses in plant security. Other contributing factors might stem from the plant’s design, Safety Management System, maintenance, and similar aspects. It is crucial to thoroughly assess all these causes and develop corresponding fault trees.
At a minimum, the following initiating causes should be considered:
- Limits of physical and chemical process parameters
- Hazards during specific operation modes such as warm start-up, cold start-up, shut down, blackout, partial load, etc.
- Containment failure
- Malfunctions and technical failures in equipment and systems
- Secondary impacts from other equipment and systems
- Utility supply faults
- Human factors in operation, testing, and maintenance
- Chemical incompatibility and contamination
- Ignition sources
Internal causes could include fires, explosions, or the release of hazardous substances within the plant, affecting other areas and disrupting normal operations. For example, a fracture in the cold cooling water pipe might impair the plant’s cooling system, reducing cooling capacity.
External causes to consider primarily involve:
- Effects of accidents (fire, explosion, toxic release) in nearby facilities (domino effect)
- Off-site transportation of dangerous substances
- Interdependence with nearby installations, such as host plants
- Shared pipelines, utilities, and transport networks
- Natural hazards like extreme weather, lightning, floods, landslides, seismic activity, etc.
Plant security shall assess the effect of possible intentional acts that could affect plant safety.
Other causes linked to design, construction, and safety management should also be considered. These may pertain to the entire life cycle of the plant, including commissioning, decommissioning, modifications, and maintenance.
The “fault tree” is represented at the left-hand side of the bowtie diagram, see Figure 5.
Figure 5. Fault Tree
Protective measures, or barriers, in a process can be categorized into two types: those that are permanent and independent of the process’s state, and those that are activated in response to the process’s state. The latter type can either disable an action or initiate one or more barriers.
For instance, the example in Figure 6 illustrates both types of actions. The first type is passive, such as the Ex rating of electrical components that may be exposed to flammable gases. The second type is active, as demonstrated by the release of inert gas into the containment area when flammable gases are detected exceeding safe limits or composition.
Figure 6. Passive and Active Barriers
BOWTIES - RIGHT HAND SIDE
Evaluating the consequences of the Major Accident Hazard on people, the environment, and equipment is a crucial component of the overall risk assessment process. The Safety Case, or Safety Report, should comprehensively summarize and document the findings of this assessment phase.
In certain situations, this assessment may involve detailed calculations or modeling, like a Fire and Explosion Study, Dispersion Study, Radiation Study, Emissions Study, and others. Such modeling is typically based on a set of specific reference scenarios. The Event Tree, often represented on the right-hand side of the Bowtie diagram (as shown in Figure 7), serves as a foundational reference for these models. In these assessments, measures (or barriers) intended to mitigate the consequences are also taken into consideration.