vvEPA
United States Air and Energy Engineering
Environmental Protection Research Laboratory
Agency Research Triangle Park NC 27711
EPA/600/8-87/028
July 1987
Research and Development
Prevention Reference
Manual:
User's Guide
Overview for
Controlling Accidental
Releases of
Air Toxics
-------�
NOTICE
This document has been reviewed in accordance with
U.S. Environmental Protection Agency policy and
approved for publication. Mention of trade names
or commercial products does not constitute endorse-
ment or recommendation for use.
-------�
EPA/600/8-87/028
July 1987
PREVENTION REFERENCE MANUAL: USER'S GUIDE
OVERVIEW FOR CONTROLLING ACCIDENTAL
RELEASES OF AIR TOXICS
by:
Daniel S. Davis
Glenn B. DeWolf
Jeffrey D. Quass
Radian Corporation
Austin. Texas 78766
Contract No. 68-02-3889
Work Assignments 84 and 98
EPA Project Officer
T. Kelly Janes
Air and Energy Engineering Research Laboratory
Research Triangle Park. North Carolina 27711
AIR AND ENERGY ENGINEERING RESEARCH LABORATORY
OFFICE OF RESEARCH AND DEVELOPMENT
U.S. ENVIRONMENTAL PROTECTION AGENCY
RESEARCH TRIANGLE PARK, NC 27711
-------�
ABSTRACT
Accidental air releases of toxic chemical must be prevented by all
reasonable means, and when they do occur, appropriate measures must be taken
to reduce their consequences. This User's Guide, which presents an overview
of the methods available for identifying, evaluating, and controlling hazards
in facilities that use, manufacture, or store acutely toxic chemicals that
could be released into the air, is one of a series of manuals dealing with
various aspects of toxic chemical releases. Other volumes focus on specific
chemicals, on the procedures and technologies for preventing and protecting
against accidental releases of toxic chemicals, and on ways to mitigate a
release if it occurs.
First, a brief history of accidental releases and their control is
presented. Hazardous chemicals and their key properties of interest are
defined. Hazards in process operations that relate to process design,
physical plant design, and to management and maintenance procedures and
practices are examined. Formal methods of hazard identification are
described and evaluated, and major features of the most common formal
methods are compared. The principles of prevention, protection, and
mitigation control are discussed, and example control technologies are
listed. Finally, an example guide to facility inspections is presented.
ACKNOWLEDGEMENTS
This manual was prepared under the overall guidance and direction of
T. Kelly Janes, Project Officer, with the active participation of Robert P.
Hangebrauck, William J. Rhodes, and Jane M. Crum, all of U.S. EPA. In
addition, other EPA personnel served as reviewers. Sponsorship and technical
support was also provided by Robert Antonpolis of the South Coast Air Quality
Management District of Southern California, and Michael Stenberg of the U. S.
EPA, Region 9. Radian Corporation principal contributors involved in
preparing the manual were Graham E. Harris (Program Manager), Glenn B.
DeWolf (Project Director), Daniel S. Davis, Nancy S. Gates, Jeffrey D. Quass,
Miriam Stohs, and Sharon L. Wevill. Contributions were also provided by other
staff members. Secretarial support was provided by Roberta J. Brouwer and
others. Special thanks are given to the many other people, both in government
and industry, who served on the Technical Advisory Group and as peer
reviewers
11
-------�
TABLE OF CONTENTS
Section
ABSTRACT ii
ACKNOWLEDGEMENTS ii
FIGURES iv
TABLES V
1 INTRODUCTION 1
1.1 General Background ..... 1
1.2 Historical Background and Accidental Events Overview. . . 3
1.3 Purpose of This Manual 11
2 CHEMICAL HAZARDS 24
2.1 Toxic Chemicals 26
2.2 Physical and Chemical Properties 26
3 HAZARDS IN PROCESS OPERATIONS 29
3.1 Background 29
3.2 Process Design Considerations 32
3.3 Physical Plant Design Considerations 35
3.4 Procedures and Practices 38
4 METHODS OF HAZARD IDENTIFICATION AND EVALUATION 42
4.1 Hazard Identification 42
4.1.1 Checklists 48
4.1.2 Safety Reviews 49
4.1.3 Dow and Mond Hazard Indices 49
4.1.4 Preliminary Hazard Analysis 49
4.1.5 "What If" Method 50
4.1.6 Hazard and Operability (HAZOP) Studies 50
4.1.7 Failure Modes, Effects, and Criticality Analysis . 50
4.1.8 Fault Tree Analysis ..... 52
4.1.9 Event Tree Analysis 52
4.1.10 Cause-Consequence Analysis 52
4.2 Methods for Hazard Evaluation 53
5 OVERVIEW OF PRINCIPLES OF CONTROL 56
5.1 Background 56
5.2 Prevention 58
5.2.1 Process Design Considerations 58
5.2.2 Physical Plant Design Considerations 61
5.2.3 Procedures and Practices 68
5.3 Protection 71
5.4 Mitigation 74
5.5 Control Technology Summary 76
6 GUIDE TO FACILITY INSPECTIONS 83
6.1 Background 83
6.2 General Procedure 84
6.3 Specific Procedures 86
iii
-------�
TABLE OF CONTENTS (Continued)
Section Page
7 COSTS OF ACCIDENTAL RELEASE PREVENTION 87
7.1 Costs of Hazard Identification. Evaluation, and
Inspection 87
7.2 Costs of Control Technologies 88
7.3 Cost Implications for Policy Planning 93
8 REFERENCES 97
APPENDIX A - LIST OF ACUTELY TOXIC CHEMICALS 99
APPENDIX B - EXAMPLE DETAILED PROCEDURES FOR HAZARD EVALUATION FACILITY
INSPECTIONS 109
APPENDIX C - GLOSSARY 159
APPENDIX D - METRIC (SI) CONVERSION FACTORS 164
FIGURES
Number Page
1-1 The role of various accidental release control measures in
reducing the consequences of an accidental release 4
1-2 In-plant acute hazardous events by location 8
1-3 Causes of loss in the chemical and allied industries from
insurance survey 9
1-4 Functional areas of a typical chemical process facility 21
1-5 Example of logic flow for accidental release control plan review . 23
3-1 Major phases of facility life cycles 39
3-2 Types of errors leading to hazards 40
4-1 Relationship between hazard evaluation procedures and hazard
evaluation process 54
7-1 Example of a toxic gas storage system 94
IV
-------�
TABLES
Number Page
1-1 Major Toxic Release Incidents Between 1950 and 1980 ....... 5
1-2 Distribution of Event Locations as Reported by Kletz . 10
1-3 Major Organizations Providing Codes and Standards. Recommended
Practices. Design Criteria, or Guidelines for Equipment in
Chemical and Allied Industry Process Plants .. 12
1-4 Areas Covered by Codes. Standards, and Recommended Practices.
Design Criteria, or Guidelines of Designated Organizations .... 14
1-5 Examples of Needs and Approaches for Regulators and Companies
Addressed by Prevention Reference Manuals .. 19
2-1 Selected Properties of Some Common Hazardous Chemicals 27
2-2 Chemical Property Data Pertinent to Accidental Release
Evaluations 28
3-1 Some Typical Process Hazard Areas and Examples of Corresponding
Control Technologies 33
4-1 Summary of Key Features of Hazard Identification and Evaluation
Methods 44
4-2 Example Guide Words and Corresponding Deviations for HAZOP
Analysis 51
5-1 Examples of Possible Releases and Controls 77
7-1 Estimated Lower Bound Costs for Various Hazard Identification
and Evaluation Procedures 89
7-2 Estimated Costs For Typical Inspections 90
7-3 Costs of Some Individual Instrumentation and Control Components
For Process System Safety Modifications 91
7-4 Examples of Control Costs for a Toxic Gas Storage System 95
7-5 Specifications Associated with Toxic Storage System ....... 96
-------�
SECTION 1
INTRODUCTION
1.1 GENERAL BACKGROUND
Increasing concern about the potentially disastrous consequences of
accidental releases of toxic chemicals has resulted from the Bhopal, India
methyl isocyanate release on December 3, 1984, which killed approximately
2,000 people and injured thousands more. Concern about the safety of process
facilities that handle hazardous materials increased further after the
accident at the Chernobyl nuclear power plant in the Soviet Union in April of
1986.
While headlines of these incidents have created the current awareness of
toxic release problems, there have been other, perhaps less dramatic, inci-
dents in the past. These previous accidents contributed to the development of
the field of loss prevention as a recognized specialty area within the general
realm of engineering science. Interest in reducing the probability and
consequences of accidental toxic chemical releases that might harm workers
within a process facility and people in the surrounding community prompted the
preparation of this manual and a planned series of companion manuals. The
other manuals in the series will cover:
Chemical specific information,
Prevention control technologies, and
Mitigation control technologies.
These manuals compile the technical information that is necessary for develop-
ing approaches to preventing and controlling accidental releases. They cover
various aspects of release control, including identification of causes;
methods of hazard identification and evaluation; and prevention, protection,
and mitigation measures. Prevention involves design and operating measures
-------�
applied to a process to ensure that primary containment is not breached.
Protection focuses on the capture or destruction of a toxic chemical involved
in an incipient release after primary containment has been breached, but
before an uncontrolled release of the toxic chemical to the environment has
occurred. Mitigation measures reduce the consequences of a release once it
has occurred. The manuals are based on current and historical technical
literature and they address fundamental considerations of the design, con-
struction, and operation of chemical process facilities where accidental
releases of toxic chemicals could occur.
Four types of releases are encountered in facilities that use, manufac-
ture or store toxic chemicals:
Releases from limited process upsets,
Process vents,
Fugitive emissions, and
Accidental, sudden, large releases.
Accidental releases are the primary subject of this manual and of other
manuals in the series.
The User's Guide is a general introduction to the subject of toxic
chemical releases and to the broad concepts addressed in more detail in the
other manuals. The manual gives a brief history of toxic chemical releases
and overview of the accidental release problem. Primary industrial chemicals
of concern are identified and the fundamental causes of toxic releases are
summarized. Methods commonly used in hazard identification and evaluation are
briefly discussed and an overview of the general principles of hazard control
are presented. An example of the kind of guide to facility hazard inspections
that can be developed from the information in this and other manuals is also
presented.
-------�
The chemical-specific manuals in the series will focus on release hazard
issues associated with specific chemicals in their most common industrial
uses. The control technologies manual will focus on the fundamentals of
process design, equipment design, and procedures and on how changes in these
areas can help prevent and reduce the probability and magnitude of accidental
releases. The mitigation manual will discuss ways of reducing the conse-
quences of accidental releases.
The ultimate objective of controlling accidental chemical releases is to
reduce adverse consequences to human health and to the general environment.
The place of various controls in achieving this objective is illustrated
conceptually in Figure 1-1. Each category of controls contributes to the
reduction of the consequences of an accidental release. A full accidental
release control program will contain some control methods from each of the
categories listed in the figure.
1.2 HISTORICAL BACKGROUND AND ACCIDENTAL EVENTS OVERVIEW
The Bhopal incident, one of the most dramatic chemical accidents in
history, eclipsed the 1976 major toxic discharge in Seveso, Italy, and numer-
ous other significant, but less disastrous chemical releases over the years.
The historical development of concern about accidental releases tracks
the general advance of loss prevention in the process industries. Much of
that development has focused on fire and explosion protection. Since physical
property losses are largest in these incidents, the magnitude of losses from
fire and explosions has dominated industrial insurance issues for years.
Accidental toxic releases have not been ignored, however. Lees (1) presents a
summary table of major fire, explosion, and toxic release incidents in the
chemical industry from the early years of this century through 1979. A
listing of toxic releases taken from that table is presented in Table 1-1.
-------�
RELEASE
HAZARDS
HAZARD IDENTIFICATION
PRE RELEASE PREVENTION
^^^^^^^^^wJ
PRE - RELEASE PROTECTION
r
POST - RELEASE MITIGATION
1
COMMUNITY RESPONSE
1
r
ULTIMATE CONSEQUENCES
Figure 1-1. The role of various accidental release control measures
in reducing the consequences of an accidental release.
-------�
TABLE 1-1. MAJOR TOXIC RELEASE INCIDENTS BETWEEN 1950 AND 1980
Date
1950
1952
1961
1961
1961
1962
1963
1963
1966
1967
1967
1968
1968
1969
1969
Location
Foza Rica, Mexico
Wilsum, Germany
Billingham, Great Britain
La Barre, Lousiana
Morganza, Lousiana
Cornwall, Ontario
Brandtsville, Pennsylvania
Philadelphia. Pennsylvania
La Spezia, Italy
Bankstown, Australia
Newton, Alabama
East Germany
Lievin, France
Crete, Nebraska
Glendora, Mississippi
Chemical
Hydrogen sulfide
Chlorine
Chlorine
Chlorine
Chlorine
Chlorine
Chlorine
Chlorine
Chlorine
Chlorine
Chlorine
Vinyl chloride
Ammonia
Ammonia
Vinyl chloride
Deaths
22
7
0
1
0
0
0
0
0
0
0
24
5
ca. 8
0
Injuries
320
Unknown
Unknown
114
17
89
Unknown
430+
Unknown
5
Unknown
Unknown
Unknown
20
Unknown
Source: Reference 1
(continued)
-------�
TABLE 1-1 (Continued)
Date
1970
1971
1973
1973
1973
1974
1976
1976
1976
1977
1978
1978
1978
Location
Blair, Nebraska
Floral, Arkansas
Loos, British Columbia
McPherson, Kansas
Potchef stroom,
South Africa
Nebraska
Baton Rouge, Louisiana
Houston, Texas
Seveso, Italy
Columbia
Baltimore, Maryland
Chicago. Illinois
Youngstown, Florida
Chemical
Ammonia
Ammonia
Chlorine
Ammonia
Ammonia
Chlorine
Chlorine
Ammonia
Dioxin (TCDD)
Ammonia
Sulfur trioxide
Hydrogen sulfide
Chlorine
Deaths
0
0
0
0
18
Unknown
Unknown
6
0
30
Unknown
Unknown
8
Injuries
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Source: Reference 1.
-------�
Various other surveys also address accidental releases. A recent publi-
cation by the U.S. Environmental Protection Agency (EPA), the Acute Hazardous
Events Data Base, examines the causes of toxic chemical accidental release
events (2). Along with other statistics, this report presents the locations
of toxic release events within a process facility, as shown in Figure 12.
The causes of losses in the chemical and allied industries as shown in an
insurance survey are presented in Figure 1-3 (3). Table 1-2 summarizes
similar information from two other sources (A).
Examination of this information shows that it is difficult to absolutely
quantify the distribution of accidental release causes; every survey results
in a somewhat different distribution of causes. A likely reason for these
differences is that every survey uses a different and fairly limited data set.
Another possible reason is the difficulty in consistently defining the actual
causes of a release. As an example, if a valve were to fail because of
corrosion and result in an accidental release, the cause might be classified
as valve failure, maintenance failure or design failure, depending on the
classification criteria of the specific survey. Even within this complexity,
however, some trends can be observed. A comparison of the information shows
that faulty pipes and fittings are common causes of accidental releases.
The occurrence of such incidents tends to obscure the long and dedicated
activity of numerous individuals and organizations who have contributed to the
field of loss prevention. Some organizations that have been very active in
this area, especially in the last two decades, include the Institute of
Chemical Engineers (Britain), the American Institute of Chemical Engineers,
the American Petroleum Institute, other organizations and many major corpora-
tions, especially in the chemical industry. Two leaders in this field have
been Dow, which developed the well-known Dow Index for ranking process facili-
ties for fire and explosion potential, and Imperial Chemical Industries, for
modifying this index to the Mond Index, which includes toxicity in the rank-
ing. Activity in both the public and private sectors in this area is intense.
-------�
ALL EVENTS
DEATH/INJURY EVENTS
00
VALVES/PIPES
19.4*
VALVES/PIPES
te.er.
NUMBER OF EVENTS = 5179
NUMBER OF EVENTS = 304
Figure 1-2. In-plant acute hazardous events by location.
Source: Reference 2.
-------�
60 %
40*
20%
OX
INSTRUMENTATION
EXCHANGERS
GASKETS
COMPRESSORS
SIGHT GLASSES
MECHRNICRL
EQUIPMENT
FRILURE
PROCESS
UPSETS
HUMRN
ERROR
RRSON OR
SRBOTRGE
Figure 1-3. Causes of loss in the chemical and allied
industries according to insurance survey.
Source: Adapted from Reference 3.
-------�
TABLE 1-2. DISTRIBUTION OF EVENT LOCATIONS AS REPORTED BY KLETZ
Q
Percentage Attributable to Each Location
Location (Data Source A) (Data Source B)
Pipes and fittings 34 61
Vessels 9
- internal reactions 22
- other 21
Relief valves, vents, drains 11 22
Pumps 6 4
Equipment under maintenance 6 4
100 100
Source: Reference 4.
Two references were cited by Kletz. Data source A is: One Hundred Largest
Losses, Marsh and McLennan, Chicago, Illinois, Sixth Edition, 1985. Data
source B is: Davenport, J., Chemical Engineering Progress, September, 1977,
p. 54.
10
-------�
as each strives to apply the latest knowledge and technology to the prevention
and mitigation of accidental toxic chemical releases.
A number of public and private organizations have developed codes and
standards, recommended practices, design criteria, or guidelines establishing
at least minimum standards for equipment and systems potentially involved in
accidental releases. Table 1-3 presents a list of some of these organi-
zations. Some of the codes and standards developed by these organizations
present recommended design criteria for individual pieces of equipment or for
entire plant systems. Others present recommended practices for conducting a
safe operation. Some of these organizations have published specific hazard
evaluation and reduction information. A complete presentation of such infor-
mation is beyond the scope of this manual, but the reader may contact in-
dividual organizations for additional information. Table 1-4 summarizes
general areas addressed by the various organizations.
1.3 PURPOSE OF THIS MANUAL
The User's Guide is an introduction to the overall area of accidental
chemical releases prevention, protection, and mitigation for government agency
personnel, industry managers, technical people, and other persons concerned
with reducing the risk of accidental toxic chemical releases. It is intended
to assist and inform the reader about where and how to seek additional infor-
mation. The manual is also a guide to the more detailed information in the
companion set of manuals and to the general technical literature.
Government agencies will probably continue to become more involved in
this area as awareness specific to accidental releases increases and more
regulations are promulgated. Past involvement by industry has been broad.
Future participation in the area of accidental release prevention, protection,
and mitigation is expected to increase in response both to new regulations and
to increased awareness of toxic air release issues on the part of company
management, technical staff and the general public.
11
-------�
TABLE 1-3. MAJOR ORGANIZATIONS PROVIDING CODES AND STANDARDS, RECOMMENDED
PRACTICES, DESIGN CRITERIA, OR GUIDELINES FOR EQUIPMENT IN
CHEMICAL AND ALLIED INDUSTRY PROCESS PLANTS
Name
Abbreviation
Technical and Trade Groups
Air Conditioning & Refrigeration Institute
Air Moving and Conditioning Association
American Association of Railroads
American Gas Assocation
American Petroleum Institute
American Water Works Association
Chemical Manufacturer's Association (formerly
Manufacturing Chemists Association)
Chlorine Institute
Compressed Gas Association
Cooling Tower Institute
Manufacturers Standardization Society
National Electrical Manufacturers Association
Pipe Fabrication Institute
Scientific Apparatus Makers Association
Society of Plastics Industry
Steel Structure Painting Council
Tubular Exchanger Manufacturers Association
U.S. Government Agencies
Bureau of Mines
Department of Transportation
U.S. Coast Guard
Hazardous Materials Regulation Board
Federal Aviation Administration
Environmental Protection Agency
National Bureau of Standards
Occupational Safety and Health Administration
Testing Standards and Safety Groups
American National Standards Institute
American Society for Testing and Materials
National Fi.re Protection Association
Underwriters Laboratories, Inc.
National Safety Council
ARI
AMCA
AAR
AGA
API
AWWA
CMA
(MCA)
CI
CGA
CTI
MSS
NEMA
PFI
SAMA
SPI
SSPC
TEMA
BM
DOT
USCG
HMRB
FAA
EPA
NBS
OSHA
ANSI
ASTM
NFPA
UL
NSC
(Continued)
12
-------�
TABLE 1-3 (Continued)
Name Abbreviation
Insuring Associations
American Insurance Association AIA
Factory Insurance Association FIA
Factory Mutual System FM
Oil Insurance Association OIA
Professional Societies
American Conference of Governmental
Industrial Hygienists ACGIH
American Industrial Hygiene Association AIHA
American Institute of Chemical Engineers AIChE
American Society of Mechanical Engineers ASME
Amer. Soc. of Htg. Refrig. & Air-Cond. Engs. ASHRAE
Illumination Engineers Society IES
Institute of Chemical Engineers (Britian) IChE
Institute of Electrical and Electronic Engineers IEEE
Instrument Society of America ISA
Source: Adapted from Reference 6.
13
-------�
TABLE 1-4. AREAS COVERED BY CODES, STANDARDS, RECOMMENDED PRACTICES. DESIGN
CRITERIA, OR GUIDELINES OF DESIGNATED ORGANIZATIONS (SEE TABLE
1-3 FOR SYMBOLS DEFINITIONS)
Accident Case History
Air Compressors
Air-Fin Coolers
Boilers
Combustion Equipment and Controls
Compressors
Cooling Towers
Drain and Waste Systems
Dust Collection Equipment
Dust Hazards
Electric Motors
Electrical Area Classification
Electrical Control and Enclosures
Emergency Electrical Systems
Fans and Blowers
Fire Protection Equipment
AGA, AIA, AIChE, API, FIA, FM,
NFPA, NSC, OIA, OSHA, USCG
AIA, ANSI, FM, USCG
ARI, ASHRAE, OIA, USCG
ANSI, NFPA, NSC, UL
ANSI, FIA, FM. NFPA, NSC, OIA,
UL, USCG
AIA, ARI, ASHRAE, ASME,
FM, OIA, USCG
CTI, FM, NFPA, OIA
AICHE, AWWA, MCA, USCG
FIA, FM, NFPA, USCG
ACGIH, AIHA, ANSI, BM, FIA, FM,
NFPA, NSC, UL, USCG
ANSI. IEEE, MCA, NFPA, UL, USCG
AIA, ANSI, API, FIA, FM, MCA,
NFPA. NSC. OJA. OSHA, USCG
AIA, ANSI, ARI, FIA, FM, IEEE,
ISA, MCA, NEMA. NFPA, NSC. OIA,
OSHA. UL, USCG
AGA. AIA, FM, IEEE, NEMA,
NFPA, USCG
ACGIH, AIHA, AMCA, ARI, ASME,
FM, USCG
AIA, ANSI. API, AWWA, BM. CGA,
FIA, MCA, NEMA. NFPA, NSC,
OIA, OSHA, UL, USCG
(Continued)
14
-------�
TABLE 1-4 (Continued)
Fire Pumps
Fired Heaters
Gas Engines
Gas Turbines
Gear Drives Power Transmission
Grounding and Static Electrical
Inspection and Testing
Instrumentation
Insulation and Fireproofing
Jets and Ejectors
Lighting
Lubrication
Material Handling
Materials of Construction
Noise and Vibration
ANSI, FM, HI. IEEE, NFPA, UL, USCG
ANSI. ASME. FIA. FM. NFPA.
OIA. UL, USCG
FM, NFPA, OIA, USCG
AGA. FIA. FM, NFPA, OIA, USCG
AGMA, AIA, ANSI. NSC. USX
AIA, ANSI. API. FIA, FM, IEEE,
NEMA. NFPA. NSC. OIA. OSHA, UL,
USCG
ABMA. AGMA, AIChE, AMCA, API,
ASHRHE, ASTM, AWWA, CGA, CTI,
DOT, HEJ, HI, IEEE, MSS, NFPA.
NSC. PFI, USCG
AIA. ANSI, API, ARI, ASTM. AWWA.
CGA, FIA. FM. HMRB, IEEE. ISA,
NBS, NFPA. OIA, SAMA, UL, USCG
AIA, ANSI. ASHRAE, ASTM, FM,
OIA, UL, USCG
HEI, USCG
ANSI, FM. IEEE. IBS. NEMA.
NFPA, NSC, UL, USCG
AMCA, ANSI, ASME, NFPA
MCA, NFPA. NSC, OSHA
AIA, ANSI, ASTM, AWWA, CGA,
CI. CTI, FM, HMRB, ISA, MCA,
NBS, NFPA, NSC, OIA, TEMA. UL.
USCG
AGA, AIChE, AIHA, AMCA. ANSI,
API. ARI. ASHRAE. ASTM. EPA,
ISA, NFPA, NSC, OSHA, UL
(Continued)
15
-------�
TABLE 1-4 (Continued)
Painting and Coating
Piping Materials and Systems
Plant and Equipment Layout
Pneumatic Conveying
Power Wiring
Pressure Relief Equipment Systems
Pressure Vessels
Product Storage and Handling
Pumps
Refrigeration Equipment
Safety Equipment
Shell and Tube Exchangers
Shutdown System
Solids Conveyors
Stacks and Flares
AIChE. ANSI, ASTM. AWWA, HMRB,
OSHA. NBS, SSPC, UL
AGA, AIA. ANSI, API, ARI, ASHRAE,
ASTM, AWWA, CGA. CI. FIA, FM.
HMRB, IBS, MSS, NBS, NFPA, NSC,
PFI. SPI, UL, USCG
AAR, AIA. API, AWWA, CGA, FIA.
FM, HMRB, MCA, NFPA. NSC, OIA,
USCG
ANSI, FIOA, NFPA, USCG
ANSI. API, FIA, FM. IEEE. NEMA,
NFPA, OIA, OSHA, UL. USCG
AIA, API, ASME, CGA. CI. FIA.
FM,
AIA, API, ASME, CGA, DOT.
NFPA, NSC, OSHA, USCG, HMRB,
OIA, OSHA, USCG
AAR, AIChE, AIA, ANSI, API, CGA,
CI, FIA, FM, MCA, NFPA. OIA. OSHA,
USCG
AIChE, ANSI, AWWA. CI, NFPA, OIA,
UL, USCG
ANSI, API, ASHRAE, FM, NFPA, UL,
USCG
ACGIH. AIHA, ANSI, BM, CGA, CI,
FM, MCA, NSC, OSHA, UL. USCG
AGA, AIChE. API, ASHRAE, ASME,
CGA, PFI, USCG
AIA. API. FIA, NFPA, OIA, UL,
USCG
MCA
FAA. OIA, USCG
(Continued)
16
-------�
TABLE 1-4 (Continued)
Steam Turbines
Storage Tanks
Ventilation
Venting Requirements
AIA. FM, IEEE. OIA, USCG
AWWA, CI. NBS. NFPA, OIA, OSHA,
UL, USCG
ACGIH, AIHA, ANSI, BM, FIA, FM,
NFPA, NSC, UL. USCG
API, FIA, FM. HMRB, NFPA, USCG
Source: Adapted from Reference 6.
17
-------�
Table 1-5 illustrates the potential needs of government agency personnel
and individual companies if called on to enforce or comply with a regulation
specifically geared toward accidental release prevention. These needs include
the resources that will be required for such a task. The table summarizes
approaches to meeting these needs. The User's Guide and companion manuals
will provide one information resource for responding to accidental release
regulations established by local authorities. For needs or approaches not
specifically covered in the manuals, or for areas where more detail is re-
quired than the manuals can provide, the references cited in the manuals can
help the reader obtain more detailed information.
For both regulators and companies interested in release prevention, an
overall concept of a process facility must be developed in terms of the
physical and functional areas that would be covered by a complete release
prevention evaluation or control plan. Such a concept is shown in Figure 1-4.
These aspects of a facility must be addressed at each stage in the total life
cycle of the facility.1 The basic stages, design, construction, startup,
operation and shutdown, are discussed further in Section 3.4.
Chemicals are transported to the facility and pass through a sequence\of
transfer, storage, and process operations that produce more chemicals that
pass through a similar sequence until they leave the facility. To develop a
company hazard control plan or for a regulatory review of such a plan, each
step in the sequence must be scrutinized for the following: '
The toxic chemicals used and where.
Hazardous processes and operations, and
Control measures.
Later sections of this manual address each of these considerations by:
summarizing the fundamental principles of chemical hazards, process and opera-
tional hazards, hazard identification and evaluation, and hazard control.
18
-------�
TABLE 1-5. EXAMPLES OP NEEDS AND APPROACHES FOR REGULATORS AND COMPANIES ADDRESSED BY
PREVENTION REFERENCE MANUALS
Need*
Government
Approach
Meed*
Industry
Approach
Basic Information
Types of Facilities
vD
Types of Processes
Hazard Identification
Prioritization
Identify facilities within the regulators
jurisdiction that are subject to safety
concerns covered by the accidental release
guidelines or regulations.
Gather historical background on previous
accidental releases at each facility and
accidental releases at similar facilities.
Obtain intonation about the processes used
at each facility.
Become aware of the range of accidental
release hazards associated with the
processes used at each of the facilities
covered by the regulation.
Develop a criteria for ranking the
facilities for accidental release risk.
Compare the available resources to the
ranking and select which facilities require
further investigation and specifically
which processes within a facility should be
examined for compliance.
Identify the range of potential control
techniques that could be applied to each
process to be examined.
Control Measure Verification
Document Review
Identify which accidental release control
techniques are in place at each facility by
requesting summary documentation of a
control plan.
If the documentation provided does not
indicate compliance then request additional
documentation.
Basic Information
Types of Processes
Hazard Identification
Evaluate the requirements of the
accidental release safety objectives.
guidelines, or regulations in light of the
specific processes in use at the facility.
Gather historical background on previous
accidental releases at similar facilities.
Become aware of the range of accidental
release hazards associated with the
processes used at the facility.
Use hazard identification and evaluation
methods to evaluate the adequacy of the
accidental release prevention measures
already in place and to pinpoint areas of
deficiency.
Control Measure Selection and Evaluation
Prioritization
Identify the control measures that could
be applied to the areas where the present
control measures are deficient.
Evaluate the resources that are required
to perform each level of control.
Evaluate the effectiveness of each control
method.
(Continued)
-------�
TABLE 1-5 (Continued)
Needs
Government
Approach
Needs
Industry
Approach
Facility Inspection If the additional documentation does not
indicate compliance then visit the facility
and perform a detailed review of control
plan documentation.
If compliance is not confirmed then inspect
those portions of the facility that are of
interest.
Resources Required/Available
Historical literature Newspapers; local news stations.
Technical literature Loss prevention journal articles and text
books; Accidental Release Prevention
Reference Manual (ARPRM) series.
Apply measures that will bring the
facility into compliance and will provide
the most efficient use of resources.
Prepared both detailed and summary
documentation of control practices.
Periodically reinspect the facility;
especially important when process changes
are made.
Resources Required/Available
Public records
Organizations
Regulations
Personnel
Costs
State or local data base.
Technical societies and trade
organizations; local, state and federal
regulatory organizations; consultants.
Related regulations that impact accidental
release prevention; other regulations that
specifically apply to accidental release
prevention.
Experienced personnel within the regulatory
agency.
Personnel from other regulatory agencies
with experience in accidental release
prevention.
Outside consultants with experience in
accidental release prevention.
The costs the agency will incur by
performing document and facility reviews at
various levels of detail.
The facility's cost to perform different
varieties of internal hazard evaluation.
the cost to implement various control
measures, and the cost of assembling a
comprehensive control plan.
Historical literature
Technical literature
Public records
Organizations
Regulations
Personnel
Costs
Newspapers; local news stations.
Loss prevention journal articles and text
books; Accidental Release Prevention
Reference Manual (ARPRM) series.
State or local data base.
Technical societies and trade
organizations; local, state and federal
regulatory organizations; consultants.
Related regulation that impact accidental
release prevention: other regulations that
specifically apply to accidental release
prevention.
Experienced personnel within the plant.
Outside consultants with experience in
accidental release prevention.
The cost to perform different varieties of
internal hazard evaluation, the cost to
implement various control measures, and
the cost of assembling a comprehensive
control plan.
-------�
Transport
I
Transfer
I
Storage
i
Transfer
I
Processing
Transfer
1
Storage
I
Transfer
i
Transport
Figure 1-4. Functional areas of a typical chemical process facility.
21
-------�
Once an accidental release control plan is developed, the review of the
control plan by a regulator or the company itself may follow the kind of logic
flow shown in Figure 1-5. A regulator will probably go into less detail than
a company reviewer, but the logic of analysis will probably be the same. This
diagram highlights major decision points in the review process and illustrates
the possible iterations that may be involved before a plan can be considered
acceptable. Procedures may differ from this in detail in individual circum-
stances.
The remainder of this manual discusses chemical hazards in Section 2,
hazards in process operations in Section 3, methods for hazard identification
and evaluation in Section A, an overview of principles of control in Section
5, a guide to facility inspections in Section 6, costs of prevention in
Section 7, and references in Section 8.
22
-------�
u>
Review Drawings,
Specifications and
Operating Pro-
cedures and Com
pare lo Proper
Practices for Reac-
tor Systems
Figure 1-5. Example of logic flow for accidental release control plan review,
-------�
SECTION 2
CHEMICAL HAZARDS
A fundamental need from either a regulator's or company's point of view
is the identification and ranking of chemical hazards within a process
facility. The primary basis for selecting chemicals that pose a significant
danger if accidentally released is their acute toxicity, but other properties
also enter the selection process. Various lists of hazardous chemicals have
been prepared by numerous organizations, including the U.S. Environmental
Protection Agency (EPA) and the European Economic Community (EEC). Current
hazardous chemicals of primary interest to the U.S. EPA are listed in an EPA
publication (5). This list is reproduced in Appendix A of this manual.
This section of the manual discusses major considerations for identifying
and classifying toxic chemicals and serves as a guide for setting up priority
lists of the chemicals themselves. An example ranking system is also illus-
trated.
2.1 TOXIC CHEMICALS
In the context of accidental releases, hazardous chemicals are materials
with acute toxic and other properties that make them an imminent threat to
human health and/or the general environment, even after brief exposure.
Releases of chemicals that have the potential for long-term health effects
and/or environmental damage are also of concern, and while many of the
principles discussed in this manual would apply to these, the primary focus is
on acute toxic chemicals.
24
-------�
The primary methods of expressing toxicity are:
Immediately Dangerous to Life and Health (IDLH), defined
as the maximum level to which a healthy male worker can be
exposed for 30 minutes and escape without suffering
irreversible health effects or impairing symptoms. These
values have been developed and specified by the National
Institute for Occupational Safety and Health (5) .
Low Lethal Concentration (LCL ) is the lowest lethal
concentration observed in tests on laboratory animals or
in accidental human exposure.
50% Lethal Concentration (LC ) is the concentration for
which 50% of the test animals died when exposed for a
specified period of time.
Permissible Exposure Limit (PEL) , defined as the maximum
air concentration to which a healthy male worker can be
exposed for 8 hours per day, 40 hours per week without
adverse effects as determined by the Occupational Safety
and Health Association (OSHA) .
Short-term Exposure Limit (STEL) is the maximum concen-
tration to which workers can be exposed for up to 15
minutes, provided no more than four exposures per day are
permitted with at least 60 minutes between exposure
periods.
The relative acute toxic hazard of different chemicals may be ranked
using any one of these criteria. In a recent document, the U.S. EPA suggests
using the IDLH as the primary criterion for estimating consequences of
25
-------�
accidental releases, with the LC.O and LC as second and third choices, or
other criteria if these are not available (5) .
The ultimate adverse consequences of a release result from the toxicity
of the chemical, but other physical and chemical properties are also important
when considering the causes and prevention of releases, and their consequen-
ces.
2.2 PHYSICAL AND CHEMICAL PROPERTIES
Significant physical and chemical properties include boiling point, vapor
pressure, heat of vaporization, density, viscosity, and reactivity. Low
boiling points and high vapor pressures increase the quantity of chemical
emitted to the air during a release. A low heat of vaporization results in an
increased rate of vaporization from spills or liquid releases of volatile
toxic chemicals. High vapor or gas densities hinder dispersion and result in
low lying clouds which imperil people at ground level. In the case of
liquids, viscosity is important because a spilled or leaked low viscosity
material will flow and spread more rapidly than a high viscosity material.
Other physical properties, also significant in the evaporation and dispersion
behavior of liquids, vapors, and gases, include surface tension, diffusivity,
and heat capacities. For solids, particle size is important. Reactivity
includes properties such as flammability, explosivity, exothermicity, and
corrosiveness .
Flammability is the ability of a chemical to burn. Explosivity is the
ability of a chemical to react rapidly enough with itself or other materials
including oxygen in ambient air, to cause an explosion. A common destructive
manifestation of reaction with air is a vapor cloud or dust explosions when a
material is within its explosive limits. Exothermicity refers more to
specific chemical reactions than to the chemicals themselves, but this ability
for the reactions to generate significant amounts of heat means that if they
get out of control, they can result in thermal runaway, overpressure in
26
-------�
containment equipment, and possibly to explosions. Finally, corrosiveness,
another aspect of reactivity, can damage equipment and cause equipment
failures and chemical releases. A more detailed discussion of the
relationship between specific chemical properties and release hazards can be
found in the technical literature (1, 6).
Vapor pressure, vapor density, and the IDLH are the minimum property data
needed to establish that a specific chemical is an acute toxic, air release
hazard. Values for some common hazardous chemicals are presented in Table
2-1.
TABLE 2-1. SELECTED PROPERTIES OF SOME COMMON HAZARDOUS CHEMICALS
Chemical
Ammonia
Carbon Tetra-
chloride
Chlorine
Chloropicrin
Anhydrous Hydrogen
Chloride
Anhydrous Hydrogen
Fluoride
Phosgene
Sulfur Dioxide
Hydrogen Cyanide
Boiling
Point
°F
-28.03
170.1
-29.29
233.6
-121.1
67.10
45. 46
13.96
78.26
Vapor (psi)
Pressure
68°F
128.9
1.74
92.8
0.35
0.505
15.0
23.5
47.9
12.8
Vapor Density
(Air = 1)
32°F
0.597
5.32
2.49
5.70
1.27
1.56
3.40
2.26
0.95
IDLH
(ppm)
500
300
25
4
100
20
2
100
50
Sources of data: References 7, 8, 9, 10 and 11.
Table 2-2 shows a more complete list of properties as would be required
for a complete comparative evaluation of chemicals.
Once the chemicals of concern have been identified, the next step in
controlling accidental releases is to examine the operations in which these
chemicals are used. Hazards in process operations is the subject of the next
section of this manual.
27
-------�
TABLE 2-2. CHEMICAL PROPERTY DATA PERTINENT TO ACCIDENTAL RELEASE EVALUATIONS
Chemical name, synonyms, and Chemical Abstracts Service Registry Number (CAS #)
Chemical formula and/or drawing of structure
Phase at room temperature
Boiling point (normal and/or at pressure)
Melting point
Liquid density and/or specific gravity at temperature
Vapor pressure at temperature(s) (e.g., Antoine equation)
Gas density and/or specific gravity at temperature
Solubility in water, alcohol, ether, and other reactants/products
Liquid viscosity
Enthalpy at temperature(s)
Specific heat at constant volume
Specific heat at constant pressure
Critical temperature
Critical pressure
Critical volume
Flash point
Limits of flammability and explosivity
NEPA 704M Safety Hazard Rating (health, flammability. reactivity, special)
Differential thermal analysis
CHETAH (Chemical Thermodynamics and Hazards) evaluation (or equivalent)
Hazard Properties: Oral Poison Inhalant Poison
Contact Poison Lachrymator Contact Irritant
Inhalation Irritant Pyrophoric Teratogen
Carcinogen Mutagen
Releases Vapors Hyroscopic
Reaction Properties: Reacts with Air Reacts with Water
Reacts with Acids Reacts with Bases Reacts with Alkanes
Exothermic Releases Gases Foams
Solidifies Violent Reaction Forms Toxic Products
Reacts with Metals Polymerizes Autocatalytic
Decomposes Light Sensitive Shock Sensitive
28
-------�
SECTION 3
HAZARDS IN PROCESS OPERATIONS
Once a regulator or company has identified the toxic chemicals manufac-
tured, used, or stored at a facility, the process situations that could lead
to a release should be identified so that the adequacy of proposed controls
(in the case of the regulator), or select appropriate control measures (in the
case of the company) can be evaluated. Before identifying process hazards,
discussed in Section 4, and their corresponding control measures for specific
facilities, discussed in Section 5, an understanding of the kinds of hazards,
and available control measures is required.
This section of the manual presents an overview of hazards and failure
modes of process systems for toxic chemicals as they relate to process design
considerations, physical plant design considerations, and operational proce-
dures and practices at any stage in the life cycle of a facility. Examples of
specific hazards and possible causes are cited for each of these key areas.
3.1 BACKGROUND
The preceding sections have presented an overview of accidental releases.
The hazard of a release increases with the toxicity and reactivity of the
chemicals involved, the process energy content, the inventory, and the com-
plexity of the process system. The more toxic a material, the more severe may
be the consequences of release. Reactive materials are more dangerous than
less reactive materials because physical containment may be more difficult
(e.g., corrosion problems), and operational problems may be more severe (e.g.,
hard to control rapid chemical reaction). Operating pressure and temperature
determine process energy content. The higher the energy content, the higher
the potential driving force for release and the more difficult it is to design
29
-------�
the containment equipment. Large inventories are a greater hazard than small
inventories because more material can be released. The more complex a process
is, the more physical components there are that can fail, making control more
difficult. These broad categories of hazards must be addressed in the safe
design, construction, and operation of process systems for toxic chemicals.
They can be addressed in the following general categories:
Process design considerations;
Physical plant design considerations; and
Operational procedures and practices.
Each of these categories organizes specific hazards, failure modes, and
control measures in terms of prevention, protection, and mitigation. Examples
of specific hazards and failure modes are discussed in this section. Preven-
tion, protection, and mitigation control measures are discussed in Section 5.
Basic causes of releases can be summarized as follows:
Process or operational failures causing pressure or
temperature to exceed limits of the process equipment;
Equipment containment failures at normal process condi-
tions;
Operational or maintenance errors, omissions, or deliber-
ate criminal acts (e.g., vandalism) leading to either of
the above two conditions, or to direct releases (e.g.,
inadvertently opening a valve and releasing material); and
Imposition of external damaging factors such as fire,
explosion, flooding, or mechanical stress, which directly
30
-------�
lead to equipment failure. Natural phenomena such as
flooding, earthquakes, or wind storms can be contributing
factors here.
Each of these general causes can have many specific initiating and
enabling events or contributing causes, forming a chain leading to the final
event which physically results in the release. Prevention and protection
measures interdict the event chain at a point before the final release event
can occur.
Some specific areas of process facilities that should always receive
close attention are:
Large inventories of toxic materials such as storage
areas, and inventories of flammable or explosive materials
near large toxic inventories,
Exothermic chemical reactors, and inventories of chemicals
prone to exothermic reactions with other materials, even
if by contamination rather than by design,
Any process areas with high energy content; high temper-
ature and pressure operations,
Any process operations with positive energy input such as
distillation,
Processes with complex sequencing or unit operations
interactions such as recycles,
Processes involving toxic chemicals in combination with
highly corrosive, flammable, or explosive materials, and
31
-------�
Existing process facilities that have recently been
modified, are very old, or very new.
There are many other specific areas that can be listed, but the above
represent areas of high priority.
Table 3-1 presents examples of a few typical process hazard areas and
possible corresponding control technologies. Other hazard areas and corre-
sponding controls could be listed.
3.2 PROCESS DESIGN CONSIDERATIONS
Process design considerations encompass technology, procedures and
practices associated with the sequence and conditional state of all of the
process steps and operations in a chemical process. These considerations
include the nature of the chemical materials used in the process and the
fundamental manipulated process variables. Process design considerations
address the relationships between physical variables and time; in other words,
the physical states of the process as a function of time and the means and
characteristics of process control. Process design considerations include:
Process characteristics and chemistry,
Overall process control,
Flow control,
Pressure control,
Temperature control,
Quantity control,
Mixing effects,
Composition control,
Energy systems,
Detection and alarm systems, and
Fire and explosion protection.
32
-------�
TABLE 3-1. SOME TYPICAL PROCESS HAZARD AREAS AND EXAMPLES OF
CORRESPONDING CONTROL TECHNOLOGIES
Hazard Area
Large inventories of toxic
materials
Exothermic chemical reactors
Contamination of stored
chemicals
Distillation processes
Example Control Technologies
Change process or procedures to reduce
need for large inventories.
Use substitute.
Design storage for higher containment
reliability.
High reliability cooling systems,
including backup cooling.
Change process chemistry.
High reliability feed process control.
(e.g., feed interlocks, ratio control)
Emergency relief systems.
Emergency dump systems.
Emergency quench and inhibition
systems.
Special backflow protection.
Special isolation valves.
Equipment/process segregation.
High reliability process control.
Venting and pressure relief to
emergency scrubbers or flares.
High reliability heating systems, with
emergency shutdown interlocks.
Distillation under vacuum.
33
-------�
Process failures leading to an accidental release may be related to
deficiencies in any of these areas. Such failures would cause the conditional
state of the system to exceed the design limits of the equipment or the
ability of a human operator to respond quickly or accurately enough to main-
tain control for changes that are occurring in the process . For example, the
loss of flow control of a reactant to an exothermic chemical reactor could
lead to a loss of temperature control, which, in turn, could cause overpres-
sure (loss of pressure control). This could lead to a vessel rupture. If
events occurred fast enough, a human operator might not be able to detect and
respond quickly enough to take corrective action.
Some examples of specific hazards associated with each of these consider-
ations include:
Process characteristics and chemistrypotential explosive
mixtures, or highly exothermic reactions;
Overall process controla control system which is improp-
erly configured for the dynamics of the process, causing
sensitivity and difficult-to-control conditions;
Flow controlsignificant deviations such as insufficient
cooling water rates, excessive reactant feeds, or block-
age;
Pressure controloverpressure or severe cycling or
surges;
Temperature controloverheating equipment to the point of
materials failure or runaway chemical reactions;
Quantity controlincorrect sequence of reactant charge,
incorrect reactant ratio, or overfilling a vessel;
-------�
Mixinginadequate mixing causing poor heat transfer and
overheating;
Compositioncontamination leading to unexpected reactions
or corrosion;
Energy systemsloss of critical heating or cooling;
Detection and alarm systemsinadequacy or instrument
failure;
Fire and explosion protectioninadequacy or equipment failure.
Details of hazards associated with each of these areas will be discussed
in a companion manual on prevention and protection control technologies, in
this series.
3.3 PHYSICAL PLANT DESIGN CONSIDERATIONS
As stated earlier, a release may result from the conditional state of the
process exceeding the physical limits of the equipment, or at normal process
conditions when the physical limits of the equipment deteriorate below those
required for containment. In either case, equipment will fail. Physical
plant design considerations address both situations, as well as the interac-
tions of individual equipment failures with failure of the total system.
Physical plant design considerations include the following:
Codes and standards,
Complexity and operability,
Reliability,
Materials of construction.
35
-------�
Vessels (e.g. heat exchanger colunms, tanks, and reac-
tors) ,
Piping and valves,
Process machinery,
Instrumentation, and
Siting and layout.
Design must ensure that equipment and components can withstand normal
operating conditions for the anticipated life of the facility and can tolerate
abnormal conditions within certain bounds. A common cause of failure is the
deterioration of equipment over time through various materials failure phenom-
ena such as corrosion. Codes and standards provide some basis for ensuring
adequate design, but these are primarily minimum standards. In specific
cases, design beyond these minimum standards may be important. The complexity
and operability of the equipment may also influence how well a process is
controlled, and how easily the equipment and its components are maintained.
Reliability, the ability of equipment and components to perform their func-
tions with few or no failures, depends on adequate design, construction, and
maintenance. A fundamental principle of reliability is that the system will
be only as reliable as its most unreliable component, which is the basis for
backup or redundancy in physical systems.
Specific causes of failure have been classified in the technical litera-
ture (1). Some common causes of mechanical failure are:
Excessive stress,
External loading,
Overpressure,
Overheating,
* Mechanical fatigue and shock,
Thermal fatigue and shock,
Brittle fracture,
Creep, and
36
-------�
Chemical attack (e.g., corrosion, hydrogen blistering, etc.)
Conditions leading to such failure modes range from improper design
through improper installation and operation. For example, improper alignment
can lead to excessive stress on couplings or shafts of rotating equipment. If
properly recognized and evaluated, the prevention of each of these failure
modes can be incorporated into initial facility design and construction. The
first line of prevention of such failures is in the proper selection and use
of construction materials. As can easily be seen, however, some of these
conditions are related to operating conditions which can change over time.
Recognition of these failure modes is the basis for many of the specific
equipment considerations for the categories of vessels, piping and valves,
process machinery, and instrumentation. The manual on control technologies
will address these considerations in more detail.
Siting and layout are also considered to be within the realm of physical
plant design considerations. Hazards associated with siting may include both
natural and man-made factors. Some natural factors include floods, earth-
quakes, and windstorms. Man-made factors include the siting of facilities
near other high hazard facilities, or in areas where an adequately educated
and trained labor force may not be available. Layout considerations refer to
the relationships among equipment and components within a process unit and
among process units in an overall facility. Hazards can arise from layout,
for example, when highly toxic and flammable materials or incompatible reac-
tive materials are stored close together.
In summary, physical plant design considerations are concerned with the
hardware, as opposed to process design considerations, discussed earlier,
which are concerned with the "software" of a process facility.
37
-------�
3.4 PROCEDURES AND PRACTICES
The final general hazard area in process operations involves procedures
and practices. Hazards in this area arise from human error in decision
making, physical actions controlling a process, and in planning, supervising,
and other non-physical activities in the design, construction, and operation
of process facilities at any stage of a facility's total life cycle. Figure
3-1 illustrates the various phases of a facility life cycle where errors
leading to hazards may be introduced. Figure 3-2 illustrates some kinds of
errors that may be introduced. The realization of some hazards in this area
are indirect; for example, a lax management policy that does not enforce its
own safety standards. Others are direct, such as the operator who takes a
wrong action at a control panel.
One categorization of procedures and practices includes:
Management policy,
Operator training and practices,
Maintenance practices, and
Communications.
Management policy is important because the successful prevention of
accidental releases requires the commitment of the human, financial, and
material resources of an organization to do what is necessary for release
prevention. One of the most important roles of management, after an appropri-
ate safety policy has been established, is to enforce it, keep it up to date,
and change it as circumstances change. For example, a preventive maintenance
program for high hazard process areas may be well defined and properly written
up, but if the program is not audited to see that it really works, then the
program may not accomplish its objective. The focus on loss prevention can be
so much on specific details that the indirect problem of poor management or
supervision in failing to create a proper safety environment is overlooked.
Management policy should address special safety procedures for toxic chemicals
38
-------�
DESIGN
ODCPATIOM
SHUT - DOWN
to
n
Figure 3-1. Major phases of facility life cycle.
-------�
DESIGN ERRORS
EQUIPMENT
FAILURE
INADEQUATE SPECIFICATIONS
INADEQUATE SUPERVISION
INADEQUATE HAZARD
EVALUATION
CONSTRUCTION
ERRORS
- INADEQUATE CONTROL
INADEQUATE MAINTENANCE
INADEQUATE INSPECTIONS
WRONG MATERIALS
- IMPROPER PRACTICES
INADEQUATE SUPERVISION
HUMAN
ERROR
INADEQUATE QUALIFICATIONS
INADEQUATE TRAINING
INADEQUATE OPERABILITY
INADEQUATE EMERGENCY
PROCEDURES
Figure 3-2. Types of errors leading to hazards.
-------�
through all parts of the chemical process life cycle that was shown in Figure
3-1.
Operator training and practices have a more direct bearing on release
prevention. The skill and knowledge of the operators should be commensurate
with the needs of the process, and high hazard processes should, therefore,
require a higher standard of operator skill and knowledge than low hazard
processes. An often overlooked aspect of operator training is performance
auditing. Performance auditing requires a systematic way of obtaining a
measurable check on individual operator knowledge is necessary, and especially
the operator's knowledge of the possible causes of and means of dealing with
unlikely yet potentially serious accidental release events. Emergency re-
sponse plan drills should be a regular part of operator training.
Maintenance practices are crucial to accidental release prevention. Even
if a process facility is originally designed in a way that minimizes the
potential for accidental releases, both deliberate and unrecognized changes
may occur over time that render a facility unsafe. Proper maintenance is the
primary prevention measure that ensures that the original specifications are
adhered to and that all special preventive or protective systems are function-
al.
Finally, the whole human component of accidental release prevention is
tied together by effective communications. Information transmitted among the
various parts of the organization must be clear, accurate, and timely.
Communications procedures for high-hazard facilities should receive high
attention and may require different approaches from more routine communica-
tions.
A more detailed discussion of each of these areas will be found in the
manual on control technologies.
-------�
SECTION 4
METHODS FOR HAZARD IDENTIFICATION AND EVALUATION
Hazard identification is the first step in controlling hazards; the
evaluation of hazards follows. Hazard identification is qualitative; hazard
evaluation is quantitative. Evaluation seeks to determine the relative impor-
tance of two different hazards identified and in some cases the relative
probability that a specific hazard will be realized. Various formal and
systematic methods for both hazard identification and evaluation are used for
facilities manufacturing, using, or storing toxic chemicals.
This section of the manual presents general descriptions of the various
methods of formal hazard identification and identifies key features of each of
these methods including: the purpose, best times to use, nature of the
results, staff size required, and the relative cost. Also discussed are the
various methods of hazard evaluation and the purpose they serve in the various
steps of the hazard evaluation process.
These methods or variations of them are applicable for use by both
regulators and companies. The regulator needs to be familiar with them in
order to evaluate their appropriateness, interpret results presented by
companies who use the methods, and recommend methods to companies who don't.
In some cases a regulator may actually use a technique directly to verify a
company's analysis. The company needs to be familiar with the techniques in
order to identify, analyze, and control hazards.
4.1 HAZARD IDENTIFICATION
The preceding section summarized where hazards can arise in process
operations. The first step in hazard control is hazard identification in a
specific process or facility. A publication of the American Institute of
42
-------�
Chemical Engineers (AIChE) on guidelines for hazard evaluation lists the
following methods of formal hazard identification (12):
Checklists,
Safety Review,
Relative Ranking,
Preliminary Hazard Analysis,
What-If Analysis,
Hazard and Operability Studies,
Failure Modes, Effects, and Criticality Analysis,
Fault Tree Analysis,
Event Tree Analysis,
Cause Consequence Analysis, and
Human Error Analysis.
A summary table of key features of these methods is presented in Table 4-1.
The Chemical Manufacturer's Association confirmed the use of these
methods in a survey of 39 companies (13). "What-If" analyses and Hazard and
Operability (HAZOP) studies were named as the top two methods.
In general, hazard identification procedures can be divided into four
main classes:
Expience,
Augmented experience,
Analytical methods, and
Creative methods.
The experience method compares a new process or equipment situation with
knowledge gained from previous experience with similar processes. This method
is an inherent part of the principles of design standards and codes, so that
hazard identification consists of identifying where deviations from
-------�
TABLE 4-1. SUMMARY OF KEY FEATURES OF HAZARD IDENTIFICATION AND
EVALUATION METHODS
Relative
METHOD Checklist Safety Review Ranking (Mond)
PURPOSE
Identify common hazards Identify hazards
Ensure compliance with
prescribed procedures
Ensure compliance
with prescribed
procedures
Ensure compliance
with design intent.
Identifies possible
changes
Determines
applicability of
new technology to
existing hazards
Reviews adequacy of
safety maintenance
Provide relative
process ranking
by risk
WHEN TO
USE
Design
Construction
Startup
Operation
Shutdown
Startup
Operation (i.e.,
existing facility)
Shutdown
Design
Operation
NATURE OF Qualitative
RESULTS
STAFF SIZE Small
RELATIVE Low
COST
Qualitative Relative
qualitative
ranking
Small - Moderate Moderate
Low - Moderate Moderate
(Continued)
44
-------�
TABLE 4-1. (Continued)
METHOD
Preliminary
Hazard Analysis
What If
Analysis
HAZOP
PURPOSE Identify hazards early
in process life cycle
prior to final plant
design
Identify hazards
Identify event
sequences
Identify possible
methods of risk
reduction
Identify hazards
Identify
operability
problems
Identify event
sequences
Identify possible
methods of risk
reduction
WHEN TO
USE
Early design
Process
development
Pre-startup
Operation
Late design
Operation
NATURE OF
RESULTS
Qualitative
Qualitative
Qualitative
STAFF SIZE Small
RELATIVE Low
COST
Small - Moderate Moderate - Large
Moderate Moderate - High
(Continued)
-------�
TABLE 4-1. (Continued)
METHOD
Failure Modes, Effects
and Criticality Analysis
Fault Tree Analysis
PURPOSE
Identify system/equipment
failure modes
Identify effect of failure
on system/plant
Rank criticality of each
failure mode
Determine causes and
event sequence leading
to a defined event
Identify combinations of
causes including both
equipment failures and
human errors
WHEN TO
USE
Design
Construction
Operation
Design
Operation
NATURE OF
RESULTS
STAFF SIZE
RELATIVE
COST
Qualitative
Quantitative for relative
ranking of equipment
failures
Small
Low - Moderate
Qualitative
Quantitative
Small - Large
Low - High
(Continued)
-------�
TABLE 4-1. (Continued)
METHOD
Event Tree Analysis
Cause-Consequence
Analysis
Human Error
Analysis
PURPOSE Determine consequences
sequence of defined
initiating event
Identify both cause
sequences and
consequence
sequences of events
Identify potential
human errors
Identify effects of
human errors
Identify cause of
human errors
WHEN TO
USE
Design
Operation
Design
Operation
Design
Construction
Operation
NATURE OF Qualitative
RESULT
Quantitative
STAFF SIZE Small - Large
RELATIVE Low - High
COST
Qualitative
Quantitative
Small - Large
Low - High
Qualitative
Small
Low
47
-------�
established safe procedures exist, based on experience. Basically the exper-
ience method relies on comparing a new situation to a known past situation.
The augmented experience method relies on various checks on design and
operation beyond mere comparison to standards or previous situations. As
indicated by the previous list, the "What-If" method appears to be one of the
most commonly used. Each step of a process is reviewed to determine what
would happen following equipment failures, process upsets, or operating
errors.
The analytical approach uses either logic diagrams or various types of
checklists. Logic diagrams include fault trees, event trees, and
cause-consequences diagrams. Logic diagrams clearly define cause-effect
relationships and identify combinations of failure that can lead to an unde-
sirable event. These methods can be combined with quantitative data on
probabilities to provide a method of hazard evaluation.
These summary descriptions are based on more detailed descriptions
presented in the AIChE publication cited previously (12). These methods are
also highlighted in some AIChE short courses presented at national meetings.
A general description of each hazard identification method follows. These
same methods apply for hazard evaluation as discussed in Section 4.2 of this
manual.
4.1.1 Checklists
A checklist is a set standard evaluation elements for equipment, materi-
als, or procedures in a chemical process facility. Its purpose is to identify
standard hazards at any time in the life cycle of a chemical process from
research and development through shut-down. In its most basic configuration,
a checklist is merely a memory aid that helps the evaluator remember all the
items he should consider. If the checklist is prepared based on pooled
corporate or industry experience, it becomes a vehicle for transferring a
48
-------�
broader experience base to the evaluator. The level of detail varies with the
situation.
4.1.2 Safety Reviews
In the context of accidental releases, a Safety Review is a comprehensive
facility inspection to identify facility conditions or procedures that could
ultimately lead to a toxic chemical release. This technique is applicable to
operating facilities, pilot plants, laboratories, storage facilities, or
support functions.
4.1.3 Dow and Mond Hazard Indices
The Dow and Mond Indices are quantitative methods for developing a
relative hazard ranking for different chemical processes facilities. Various
characteristics of a facility are assigned scores. Features which can lead to
an accident are given a negative score and features that can prevent or
mitigate the effects of an accident are given positive scores. Scores are
combined to yield a ranking index for the process facility being evaluated.
4.1.4 Preliminary Hazard. Analysis
The Preliminary Hazard Analysis (PHA) is a hazard identification method
for use in the preliminary phase of plant development. The purposes of the
PHA are early identification of potential hazards for design and process
development personnel. Its special applicability is for the early phases of
new processes where there is little past experience. A list of hazards is
developed which is used to develop safety guidelines and criteria to be
followed as design and development progress.
49
-------�
4.1.5 "What If" Method
A "What If" analysis systematically considers the consequences of unex-
pected abnormal events that may occur in a process facility. It can include
design, construction, operating, or other deviations from the norm. This
examination can include all parts of a process facility. Its comprehensive-
ness and success depends on the experience level of the staff conducting the
analysis.
4.1.6 Hazard and Operability (HAZOP) Studies
A HAZOP study can identify process hazards and Operability problems. A
HAZOP study involves the multidisciplinary team that works together by search-
ing for deviations from expected design and operating conditions. The team
carefully examines the process facility stream by stream, or component by
component using standard design "guide words." Consequences of deviations are
examined using the guide words. Example guide words are presented in Table
4-2.
4.1.7 Failure Modes, Effects, and Criticality Analysis
Failure Modes, Effects, and Criticality Analysis (FMECA) examines the
ways in which a process system or its equipment could fail, consequences of
failure, and the estimated failure probabilities. FMECA is not efficient for
identifying interactions of combinations of equipment failures that lead to
accidents because it considers each failure individually and traces its
consequences. Criticality rankings can be expressed as probabilities or by
various ranking scores based on evaluators' experience.
50
-------�
TABLE 4-2. EXAMPLE GUIDE WORDS AND CORRESPONDING DEVIATIONS FOR HAZOP
ANALYSIS
Guide Word
Deviations
None No forward flow when there should be, i.e.» no flow or reverse
flow
More of More of any relevant physical property than there should be,
e.g., higher flow (rate or total quantity), higher temperature,
higher pressure, higher viscosity, etc.
Less of Less of any relevant physical property than there should be,
e.g., lower flow (rate or total quantity), lower temperature,
lower pressure, etc.
Part of Composition of system different from what it should be, e.g.,
change in ratio of components, component missing, etc.
More than More components present in the system than there should be,
e.g., extra phase present (vapor, solid), impurities (air,
water, acids, corrosion products), etc.
Other than What else can happen apart from normal operation, e.g.,
startup, shutdown, uprating, low running, alternative operation
mode, failure of plant services, maintenance, catalyst change,
etc.
Reverse
Variable or activity is reverse of what it should be, e.g.,
reverse flow.
51
-------�
4.1.8 Fault Tree Analysis
Fault Tree Analysis (FTA) is a method that constructs a logic tree of
events leading to a specifically defined failure event, the "top event." FTA
seeks to develop the chain of interrelated events that can lead to a top
event. These chains of events include equipment failures and human errors.
The FTA results in identification of combinations of equipment and human
failures that are sufficient to result in the top event. The minimum number
of independent combinations that can cause the top event are known as minimal
cut sets. Probabilities can be assigned to events and the top event probabil-
ity determined by Boolean algebra.
A.1.9 Event Tree Analysis
An Event Tree Analysis is similar to a FTA except that the logic is to
trace the consequences of an initiating event forward to its ultimate conse-
quence. Rather than beginning with the definition of the top event, the event
tree finds the top events resulting from initiating and propagating events. A
quantitative evaluation can be developed using probabilities in the same
manner as with fault trees. The event tree defines multiple consequences of
an initial event, whereas a fault tree identifies multiple causes of a final
event.
A.1.10 Cause-Consequence Analysis
Causeconsequence analysis combines characteristics of both event tree
analysis and fault tree analysis. A cause consequence analysis logically
relates both multiple consequences and multiple basic causes or initiating
events.
Like a FTA, the cause-consequence analysis leads to minimal cut sets
which are all the combinations of basic events that can result in the various
52
-------�
top events. Quantitative analysis can be applied to estimate frequencies or
probabilities of various top events.
4.2 METHODS FOR HAZARD EVALUATION
Many of the methods for hazard identification discussed in the preceding
section also apply to hazard evaluation (also referred to as hazard analysis
or "KAZAN"). Hazard evaluation is the next step after hazard identification
in the total assessment of risk for accidental releases. The evaluation step
attempts to rank the hazards qualitatively, quantitatively, or both, seeks to
identify measures that reduce the probability that the hazard will be real-
ized, and examines the potential consequences of the hazard if it is realized.
As with the method of identification, evaluation methods are also discussed in
depth in the technical literature (12, 13, 15). A recent publication of the
American Institute of Chemical Engineers presents a comprehensive summary of
procedures with considerable discussion of distinguishing features, such as
applicability and expected results (12). A summary table is presented, shown
in slightly modified form in Figure 4-1.
It is clear that the various methods all have some features in common and
yet are distinguished by differences that reflect the specific suitability of
one method over another in certain situations. Only a few of the methods are
specifically suited for quantitative hazard evaluations where probabilities of
an accident are to be determined. Another significant difference is that some
methods are hardwareoriented while others easily accommodate the effects of
human interactions with the process being evaluated.
None of the listed methods deal explicitly with consequences outside the
process itself, but some methods, such as Fault Tree Analysis, can easily
accommodate such an extended analysis. Another approach is to conduct a
completely separate consequence analysis, with the accident event being the
starting point.
53
-------�
Ul -
Slaps In Hazard
Evaluation
Process
Identify Deviations
From Good Practice
Identify
Hazards
Estimate "Worst
Case" Consequences
Identify Opportunities
to Reduce Consequences
Identify Accident
Initiating Events
Estimate Probabilities
of Initiating Events
Identify Opportunities to
Reduce Probabilities of
Initiating Events
Identify Accident Event
Sequences and Consequences
Estimate Probabilities
of Event Sequences
Estimate Magnitude of
Consequences of
Event Sequences
Identify Opportunities to
Reduce Probabilities and/or
Consequences of Event
Sequences
Quantitative
Hazard Evaluation
Hazard Evaluation Procedures
Failure Modes
Effects and
Crltlcality
Analysis
Key:
Primary Purpose
B Secondary Purpose
E) Provides Context Only
&S Primary Purpose for Previously Recognized Hazards
6-86-24766a
Figure 4-2. Relationship between hazard evaluation procedures and hazard evaluation process.
Source: Adapted from Reference 12.
-------�
The consequence analysis can also be qualitative, quantitative or both.
Numerous mathematical models have been proposed and some are in common use for
predicting the effects of fire, explosion, and accidental releases. Methods
for examining the effects of accidental releases are often based on various
forms of dispersion models. A summary of procedures available up through the
late 1970s is presented in Lees (1). The prediction of affected areas and of
concentrations resulting from accidental releases can be combined with health
and environmental effects data to estimate the severity of the consequences of
any release in the affected area. A recent report reviews major available
models (16).
A more detailed discussion of these methods is beyond the scope of the
present work. The reader is referred to the general technical literature for
more details.
55
-------�
SECTION 5
OVERVIEW OF THE PRINCIPLES OF CONTROL
Both regulators and companies need to be familiar with the fundamental
principles of control: the regulator, to intelligently review and evaluate
company control plans and practices; companies, to evaluate existing company
practices and to implement safer practices.
This section of the manual presents an introductory discussion on control
technologies as they relate to reducing the probability and consequences of an
accidental chemical release. Three fundamental levels of control are
addressed: prevention, protection, and mitigation. Specific process design
considerations, physical plant design considerations, and procedures and
practices are discussed as they relate to prevention. Various protection and
mitigation technologies are also discussed. In addition, examples of possible
causes of releases and potential controls are illustrated.
5.1 BACKGROUND
The control of accidental chemical releases involves reducing the
probability and consequences of such releases. Such control can be viewed as
consisting of .three fundamental levels:
Prevention,
Protection, and
Mitigation.
The purpose of prevention is to reduce the probability of accidental
releases. Prevention refers to all those measures taken to ensure that the
primary containment of the chemical, that is storage, transfer, and process
equipment, is not breached. These measures include process design, physical
56
-------�
plant design, and operational procedures and practices, and involve considera-
tions ranging from process control and hardware design to operator training
and management policy. The ideal result of a successful prevention effort is
that accidental releases of a chemical from its primary containment do not
occur. In reality, prevention can be successful in reducing the probability
of a release to a reasonable minimum.
"Reasonable minimum" is an imprecise criterion; however, the inherent
characteristics of any process are that equipment can fail, and people make
mistakes, so that from time to time an accidental release event will happen.
The probability can be reduced if appropriate prevention measures are taken.
These prevention measures enhance the control of a process or the ability of
the hardware to tolerate severe process conditions, process upsets, and human
error.
When preventive measures fail, a second level of control deals with
protection from releases. In the context of this manual, protection means to
contain, capture, neutralize, or destroy a toxic chemical subsequent to
release from primary containment, but before it escapes into the environment.
Protective systems are defined as add-on equipment and processes systems not
considered part of the actual chemical process system itself, but which
control a potential release. Examples of protection technologies include
diking, flares, and scrubbers. Protection systems will also fail from time to
time.
A deficiency in a protection system when it is needed may allow a toxic
vapor or gas to escape into the environment. Once this occurs, the conse-
quences may be reduced by using effective mitigation measures. Mitigation
refers to equipment and procedures that can reduce the concentration of a
chemical below levels that would otherwise occur and hopefully below levels
harmful to sensitive receptors. Measures include technical approaches such as
water sprays, or steam curtains for dilution and dispersion, barriers for
diversion and dispersion, and procedures such as closing doors and windows,
57
-------�
and evacuation in affected areas. It should be noted that mitigation is not a
back-up approach to protection as protection is to prevention. The latter two
areas are directed toward stopping a release. Mitigation merely attempts to
control a release that has already occurred.
A detailed discussion of prevention and protection is the subject of the
manual on control technologies. Mitigation will be the subject of a separate
manual. A summary of major considerations in these three areas is presented
in the ensuing subsections.
5.2 PREVENTION
Prevention measures can be classified into the general topical areas of:
Process design considerations,
Physical plant design considerations, and
Procedures and practices.
These measures include consideration of both operational and hardware aspects
of a chemical process system. Operational aspects include both the inherent
characteristics of the process itself and human aspects such as operator
training, maintenance procedures, and general management policy and proce-
dures. Prevention measures are applicable to new facilities as well as
existing facilities, where they are the basis for process modification.
5.2.1 Process Design Considerations
Process considerations involve the areas listed in Section 3, which can
be regrouped as follows:
Chemical process characteristics;
58
-------�
Control system characteristics;
Hazard control for flow, pressure, temperature, quantity
measurement, composition, mixing, and energy systems; and
Hazard control for fire and explosion.
The design of a process in which toxic chemicals are used or produced
should be based on sufficient data to ensure a safe operating system. Neces-
sary data to be considered in the design process include, but are not limited
to, the following: chemical, physical, thermodynamic, and toxicological
properties of the individual chemical components used or produced in the
process; the process potential for explosive reaction or detonation under
normal or abnormal conditions; process reactivity with water or other common
contaminants; .possibility of self-polymerization or heating; potential side
reactions and conditions under which they are favored; whether reactions are
endothermic, exothermic, or thermodynamically balanced; the explosive range of
volatile or gaseous components and the possibility of explosive mixtures
during storage, processing, or handling; the possibility of dust or mist
explosions; and interactions with materials of construction.
Flow, temperature, pressure, quantity measurement, and composition
control are fundamental process variables. Mixing is a fundamental process
phenomenon. These process elements have associated with them the basic
potential operational hazards of any process. Prevention measures associated
with these elements include the appropriate process control measures discussed
above applied to the specific process effects and hazards of these elements.
The fundamental hazards of all these variables arise from deviations that
exceed the limits of the operational or physical system. For example, excess
flow may be a hazard if it causes a change in a process system faster than the
operator or control system can respond. The excess flow of a reactant in an
exothermic reaction might cause a thermal runaway sooner than emergency
cooling or other safety measures could be activated. Or, flow blockage could
59
-------�
prevent cooling water flow in a critical circuit. For each of the above
variables, there are specific measures that can reduce the chances for devia-
tions or minimize their effects.
The control characteristics of the process should be understood and the
control system should be appropriate for the system. This means that the
process dynamics should be properly considered and the control system must be
compatible with the available operating and maintenance staff knowledge and
skills. Specific technological prevention measures in all control systems
include using control components of greater reliability and accuracy and
faster response times. A fundamental principle in control system components
is redundancy, or the use of independent backup to critical components. The
key word here is independentto avoid a common mode failure in critical
systems. For a specific process, reducing the probability or magnitude of
process deviations or upsets that could lead to an accidental release may
involve design changes in a control system ranging from individual components
through the entire control strategy and hardware.
Fire and explosion protection is basic to release prevention. Preventing
the conditions that lead to fire and explosion is inherent in the items
already discussed above and also involves physical plant design considerations
discussed in the next section. Once a fire has started in or near a process
involving toxic chemicals, controlling the fire becomes of paramount concern.
Design considerations for fire protection are based on the removal of fuel,
oxygen, or heat from the fire. Adequacy and reliability of water supply,
possible chemical fire fighting measures, and suitable fire fighting equipment
are the primary process design considerations for fire protection beyond
initial fire prevention through careful process design.
Explosion protection relies on preventing dangerous process conditions
such as the formation of explosive mixtures from occurring, preventing contact
of potentially explosive mixtures with ignition sources, and applying special-
ized explosion suppression systems. Explosion protection also relies on
60
-------�
appropriate physical plant design considerations, as discussed in the next
subsection.
5.2.2 Physical Plant Design Considerations
Physical plant design considerations address hazards and their control in
the following areas:
Siting and layout,
Structures and foundations,
Vessels,
Piping and valves,
Process machinery, and
Instrumentation.
Hazards were discussed in Section 3. Control considerations are discussed
here.
At a minimum, codes and standards should be followed in the design of
each of these areas. However, additional protection measures above and beyond
those specified by the codes and standards should be incorporated into the
design based on the specific situation. Problems arise because codes and
standards are not developed with specific situations in mind. Thus, code
cannot be relied upon unless the basis matches the scenario of concern with
great precision.
Siting is the first area considered. A plant's location might affect
frequency or severity of an accidental release. Siting considerations in-
clude, but are not limited to, the following: drainage systems should prevent
the runoff of spilled liquid chemicals onto adjacent properties and prevent
the spread of toxic and/or flammable liquid chemicals in a manner that mini-
mizes adverse effects within and outside of the plant boundaries; minimization
of the effects of natural calamities such as freezing, fire, wind, floods,
61
-------�
earthquakes, and landslides in contributing to an accidental release should be
incorporated into equipment design, for example, different foundation designs
in earthquake prone areas; the potential impact of accidents such as fires,
explosions, or hazardous chemical releases at adjacent industrial facilities,
roads, or railways should be recognized as a possibility; reliable water and
power supplies should be available with backups where a failure could cause an
accidental chemical release; and traffic flow patterns within the plant and
around the perimeter should be designed to prevent congestion and allow access
by emergency response vehicles and appropriate movement of personnel in an
emergency.
The layout of a plant is the next area considered. Layout considerations
include, but are not limited to, the following: process units and the equip-
ment and piping within a unit should be arranged to minimize congestion; where
possible, hazardous processes should be segregated from other hazardous
processes or sensitive areas within the plant or plant property; adequate
spacing should be available for access by maintenance and emergency response
personnel and equipment; explosion barriers should be applied where appropri-
ate as described, for example, in the Dow guide (17); escape routes for per-
sonnel should be easily accessible; and offices, lunchrooms, or other support
structures should be located at the perimeter of the facility.
Foundations should ensure the stability of all vessels and non-
transportable equipment containing hazardous chemicals. The design should be
in accordance with recognized construction and material specification stand-
ards in the industry as a minimum requirement. The design should consider all
normal and abnormal load and vibration conditions, as well as severe condi-
tions caused by freezing, fire, wind, earthquakes, flood, or landslides.
Transportable equipment should be secured to prevent the upset or accidental
detachment of process lines conveying hazardous chemicals during use and
should not be used to permanently replace a stationary piece of equipment
unless a given situation dictates a preference or requirement for such trans-
portable equipment from a safety standpoint.
62
-------�
Structural steel should, at a minimum, be designed and constructed in
accordance with appropriate construction and material specification standards
in the industry. The design should consider all normal and abnormal dead
loads and dynamic loads resulting from wind, collision, earthquake, or other
external forces. As a minimum, fireproofing should be used for areas in which
hazardous chemicals are manufactured, stored, handled, or generated and such
areas should conform with legally applicable codes and standards. Fire
protection beyond minimum standards should be considered for hazardous areas
in which hazardous chemicals are present.
Vessel design and construction should conform to recognized design and
material standards for the specific application in the industry as a minimum.
Standards and specifications should be reviewed for adequacy of criteria.
Stricter standards may sometimes be appropriate. Design should consider the
combination of conditions anticipated for quantity, fill rate, pressure, tem-
perature, reactivity, toxicity, and corrosivity. As a minimum, all vessels
should be equipped with the following safety features: overfill and
overpressure protection and, where appropriate, vacuum protection; storage
cooling systems for low boiling point liquids and liquefied gases; storage
vessels should be surrounded by diking, firewalls, or other containment
devices unless such features are deemed to create a more severe secondary
hazard in specific cases; vessels and vessel fittings should be protected from
damage caused by collision or vibration and should be adequately braced to
support the weight of piping; columns should be adequately supported to
withstand the maximum wind loads expected in the area; and operators should be
trained concerning the vessel's limits for pressure, temperature, fill and
emptying rates, and incompatible materials.
Additional items such as nitrogen blanketing, improved fire protection,
or release reduction equipment (e.g., water or steam curtains) may be appro-
priate in certain situations.
63
-------�
All pressure vessels and vessel jackets should be fitted with adequate
pressure and/or vacuum relief. The relief systems should be designed accord-
ing to recognized design procedures and standards appropriate in the industry
as a minimum. Stricter procedures and standards may sometimes be appropriate.
Containment systems should be designed according to recognized design pro-
cedures for containment systems. Valves upstream of pressure or vacuum relief
devices should be prevented from being closed in such a way that the vessel
will be isolated from all pressure relief or vacuum relief. Where possible, a
pressure trip system should be used along with a pressure relief system. This
will help minimize the frequency of releases of hazardous chemicals through
the pressure relief system. All pressure or vacuum relief devices should be
inspected and maintained periodically as part of routine maintenance. Testing
a values capacity should be done whenever any corrosion, fouling, or scaling
has occurred. The adequacy of a pressure or vacuum relief system should be
reevaluated when a vessel or process unit is used to handle more material, or
a different material, than that for which it was originally designed.
As a minimum, heat exchangers should be constructed in accordance with
accepted industry codes and standards. Standards should be reviewed for
adequacy of criteria. Stricter standards may sometimes be appropriate. The
materials of construction should be selected to minimize corrosion and foul-
ing. All exchangers should be equipped with pressure relief, by-pass piping,
and adequate drainage facilities. Exchanger design should allow for thermal
expansion and construction without causing excessive stress on connections.
Turbines, drivers, and auxiliary machinery should be designed, con-
structed, and operated in accordance with applicable industry standards and
codes. Standards should be reviewed for adequacy of criteria. Stricter
controls may sometimes be appropriate. The equipment should have adequate
protective devices to shut down the operation and/or inform the operator
before danger occurs. Vibration sensors and/or shutdown interlocks may be
required on high speed rotating equipment.
64
-------�
Heaters and furnaces should be located so as to minimize the possibility
of bringing an open flame and/or extreme heat too close to a hazardous area.
Basic units and controls should be designed in accordance with applicable
standards and codes as a minimum. Standard should be reviewed for adequacy of
criteria. Stricter standards may sometimes be appropriate. Examples of some
of the basic requirements for furnaces include the following: provision for
adequate draft; positive fuel ignition; automatic water level controls;
pressure relief devices; and fuel controls. Air heaters should have igniters
designed to provide positive ignition, proper safety controls on fuel sources,
sight glasses for flame observation, monitoring devices for flame-out detec-
tion, and high temperature alarms. All heaters and furnaces should be in-
spected regularly. Where heaters and furnaces handle hazardous process
materials, appropriate precautions should be taken to prevent releases in the
event of tube failures, such as cracking, rupture, or plugging.
As a minimum, piping, valves, and fittings should be designed according
to recognized industry codes and standards pertaining to working pressures,
structural stresses, and corrosive materials to which they may be subjected.
The thermal stress of repeated heating and cooling cycles or excessive tem-
peratures, either high or low, should be considered. Some additional con-
siderations include, but are not limited to, the following: dead ends or
unnecessary and rarely used piping branches should be avoided; the type of
pipe appropriate for pumping a hazardous chemical should be selected (e.g.,
using welded or flanged pipe instead of threaded pipe or using a suitable
metal or lined metal piping instead of plastic wall piping); backflow protec-
tion should be installed where necessary, but backflow prevention should not
be relied on as the only means of avoiding a backflow hazard; materials of
construction suitable for the application should be selected and checked
before installation to confirm the composition; recordkeeping on critical
lines should be provided to prevent incorrect future substitutions; a means of
remotely shutting off the flow in lines that carry a large volume of hazardous
materials should be provided; adequate structural support should be provided
to protect against vibration and other loads and to protect piping from
65
-------�
potential collisions with vehicles in the vicinity; piping should be pitched
to avoid unintentional trapping of liquids; and provisions should be made to
ensure that a liquid-full condition cannot exist in a blocked section of line
unless such a section of line has pressure relief.
Extra precautions should be taken in the design of pumps and compressors
to minimize the potential for an accidental release of a hazardous chemical.
Extra precautions include, but are not limited to, the following: where a
pressurized hazardous material is being pumped or where the consequence of a
seal failure could result in the accidental release of designated chemical.
seals should be suitable to ensure reliable leak prevention (e.g., double me-
chanical seal with a pressurized barrier fluid that is compatible with the
process fluid and equipment materials of construction); totally enclosed pump
or compressor systems may be appropriate, if safely vented and inerted and
monitored for oxygen where enclosure could result in a secondary hazard such
as an explosive mixture; remotely operated emergency isolation valves and
power shutoff switches may be appropriate on the suction and discharge sides
of a pump or compressor; compressors or positive displacement pumps should be
fitted with adequate overpressure protection; instrumentation to determine
when flow into or out of a pump has ceased may be appropriate; where overheat-
ing could result in a fire or explosion, temperature monitoring may be appro-
priate; a backup power supply should be used for critical pumping systems;
surge protection should be provided for pumps; and pumps, compressors, and
their associated piping should have foundations and supports that protect
against damage caused by vibration and any static and dynamic loads.
Every reasonable effort should be made to maximize the effectiveness of
automatic process control systems for preventing an accidental release. All
systems and instrumentation should be of the "fail-safe" type. Instruments
should be made of materials capable of withstanding the corrosive or erosive
conditions to which they are subjected. Central control rooms should be
protected from fire and explosion hazards. An owner-operator should evaluate
the ability of control systems to operate on manual control and should install
66
-------�
a backup power supply in situations where operating on manual control would be
impractical.
A variety of miscellaneous modifications may be appropriate, depending on
the needs of the particular process unit. Examples of these modifications
include, but are not limited to the following: the addition of control
systems where none are presently employed; redundancy of key components;
replacing components to improve accuracy, reliability, repeatability, or
response time; the addition of a backup control system; simplification of an
existing control system to improve operability; replacing a system that
indirectly controls the variable of interest with a system that directly
measures and controls the variable of interest; the addition of trip systems
for emergency situations; and the redesign of a control system to conform to
acceptable design standards.
All wiring and electrical equipment should be installed in accordance
with the National Electric Code or stricter standards, if applicable. Elec-
trical equipment for use in hazardous locations should comply with accept-
ability standards of recognized testing organizations. Standards should be
reviewed for adequacy of criteria. Stricter standards may sometimes be
appropriate. All electrical apparatus should be grounded.
Protection devices should have the capability of warning operating
personnel when emissions are not being controlled. Plant alarms such as
klaxons and sirens can be used to alert or signal such personnel. If a device
is only used on an intermittent basis, then a testing program should be in
place to ensure that the system will function when necessary. In addition,
alarms should be tested, audited, and inspected to ensure reliability.
As a minimum, plant fire protection systems should be laid out in accord-
ance with recognized codes and standards, such as those prepared by the
National Fire Protection Association. A reliable water supply for all por-
tions of the plant should be available. Flammable gas detection systems are
67
-------�
recommended for locations where flammable chemicals are used at elevated
temperatures and pressures. Central fire alarm systems should be in place.
In addition to water, firefighting materials, such as spray foams, dry chemi-
cals, and carbon dioxide, may be appropriate to handle various specialized
types of fires.
5.2.3 Procedures and Practices
Operational Controls
The following types of reactive materials should be stored so that the
potential for mixing in the event of an accidental release is minimized by
dikes or other physical barriers: materials that react to form a hazardous
chemical; hazardous chemicals that react exothermically and thereby contribute
to the rate of evaporation of the chemicals; and hazardous chemicals where
reactions will contribute to the potential for an accidental release. Chemi-
cals may be mutually reactive or reactive with other materials that may be
nearby such as cooling or heating fluids, cleaning agents, and materials of
construction.
Extra precautions may be required where there is a potential for mixing
two incompatible chemicals within a process. Such precautions could include
backflow protection, composition monitoring, and interlocks that prevent
valves from being opened in combinations that allow for cross-contamination.
Use of common lines for handling such incompatible chemicals should be avoid-
ed.
All materials of construction should be capable of withstanding normal
operating conditions, normal shutdown conditions and potential deviations from
normal operation. Where a specialized material is required, initial con-
struction materials and replacement parts should be tested before use to
ensure that the composition is consistent with specifications.
68
-------�
Safe procedures should be established to minimize the risk of an acci-
dental release of a hazardous material during filling or emptying operations
for tanks, vessels, tank trucks, or tank cars. Some considerations include,
but are not limited to, the following: before material is added to a vessel,
tank, tank truck, or tank car, the operator in charge of the addition should
be able to verify what material is in the vessel or was last in the vessel;
where hoses are used, a system should be in place to ensure that the proper
type of hose is used for each application (e.g., different types of fittings
for each application); hoses should be regularly inspected and maintained as
necessary; efforts should be made to decrease the possibility of materials
being sent to the wrong location; a system should be in place to prevent tank
trucks or rail cars from moving away with a hose still connected; when a hose
is used to transfer materials, it should be possible to stop the flow if the
hose should fail; equipment should be grounded and operators trained in the
appropriate methods for chemical transfer so as to avoid static charge accumu-
lation.
Procedures and equipment should be in place so that every reasonable
effort may be made to prevent an accidental release from the storage, han-
dling, or treatment of wastes containing the hazardous chemicals.
Management Controls
Programs to train plant personnel to handle normal operating conditions,
upset conditions, emergency conditions, and accidental releases should be
used. The programs should include written instruction, classroom-type in-
struction, and field drills. Periodic review and drill exercises should be
part of such programs. Printed materials describing standard and emergency
procedures should be provided to employees and revised as necessary to be
consistent with accepted practices and recent plant modifications.
A plant-wide fire prevention and protection plan should be used. All
operating personnel should be instructed concerning fire prevention and fire
response. All facility personnel should be instructed in basic first aid and
69
-------�
fire extinguisher use. The formation and training of specialized fire fight-
ing teams and first aid teams should be in accordance with or exceed minimum
specified requirements. All fire protection and prevention plans should be
periodically reviewed and training drills held.
The owner/operator of a facility should formulate a comprehensive contin-
gency plan to handle major plant disasters. All facility personnel should be
trained to participate in plans for controlling facility emergencies related
to accidental releases including emergencies such as large windstorms, earth-
quakes, floods, power failure, fires, explosions, and accidental releases of
hazardous chemicals.
The contingency plan should describe coordination between the plant and
local police, fire, and other emergency personnel. The plan should be specif-
ic in designating responsibilities and in addressing specific high-hazard
situations that are possible for the plant. Communications responsibilities
and procedures for relaying information during emergencies should also be
clearly defined. The plan should include procedures for emergency notifica-
tion of community and local governments. Where an accidental release could
adversely affect the local community, the plan should include appropriate
community emergency response procedures.
Simulated emergency exercises involving plant personnel should be per-
formed on a regular basis. Disaster exercises that incorporate local emergen-
cy response organizations should also be undertaken periodically. Exercises
may include tabletop exercises, emergency operations simulations, drills, and
full field exercises.
An inspection, testing, and monitoring program for process equipment and
instrumentation should be considered for areas of high hazard potential.
Systems and components to which this program can be applied include, but are
not limited to, the following: pressure vessels; relief devices and systems;
critical process instruments; process safety interlocks (trips); isolation,
70
-------�
dump, and drowning valves; process piping systems; electrical grounding and
bonding systems; fire protection systems; and emergency alarm and communica-
tions systems. Engineering drawings and design specifications should be
available for inspection, if requested.
Maintenance staff qualifications, skill level, and numbers should be
consistent with the hazard potential at the specific operation.
A process safety review consistent with the magnitude of the modification
should be made before implementing any modification. Documentation of modifi-
cations should be made and be available for inspection, if required.
5.3 PROTECTION
Protection measures are equipment and systems that prevent or reduce the
quantity of chemical that is discharged in an incipient release that has
already escaped primary containment. Protection technologies include flares,
scrubbers, diking, and enclosures (i.e. containment buildings). Each of these
technologies may be appropriate in specific circumstances, but none of them is
universally applicable to accidental releases. Much depends on the specific
toxic chemical involved, the quantity released, the rate of release, and how
it is released.
Flares are commonly used in chemical process plants and in petroleum
refineries to dispose of flammable gases and vapors resulting from normal
operating upsets. They may be suitable in certain circumstances for the
destruction of toxic chemicals that would otherwise be released to the envi-
ronment. A prerequisite for destruction in a flare system is that the toxic
material be flammable, or that it at least thermally decompose to less toxic
compounds at flare flame temperatures. The other requirement is that the
nature of the emergency discharge be compatible with the overall design and
operating requirements of flares, such as the maintenance of specific gas
velocities at the flare tip, and flow fluctuations within the design turn-down
71
-------�
capabilities of the particular flare system. There may also be some real
difficulty in the safe design of a flare system for the emergency discharge of
toxic materials combined with normal process discharges of other process
materials. Considerations in this area include the manifold system and how
backflows and inappropriate mixing of incompatible materials might be avoided.
A dedicated flare system is not necessarily a solution to the problem since
keeping a flare on standby for a relatively rare emergency may not be feasi-
ble. Flares are an option that can be considered for the right circumstances
for treating emergency discharges that are still confined by a pipeline or
stack. The use of flares in such an application, however, must be carefully
evaluated for possible secondary hazards that could make the use of flares
more dangerous than not using them. For example, improper design could lead
to flash back.
Scrubbers are another alternative for treating confined toxic discharges
before they are released to the environment. Scrubbers have a long history of
success in the process industries. Many of the considerations that apply to
combined versus dedicated flare systems apply also to scrubbers. Scrubbers
may be easier to maintain on a standby basis than flares, however.
The applicability of scrubbers depends on the solubility of a toxic
chemical in a suitable scrubbing medium or the ability of the scrubbing medium
to reactively neutralize the toxic chemical. Chemicals soluble in water or in
various aqueous solutions are not a particular problem. Other toxic materials
that require nonaqueous scrubbing liquids could present more difficulties.
For example, it would be hazardous to use a flammable organic liquid as a
scrubbing medium since one could easily create a flammable mixture. Most
scrubbing systems that would be considered feasible for toxics would probably
be based on aqueous scrubbing chemistry.
The type of scrubber that is suitable for use depends on the nature of
both the discharge circumstances and the scrubbing chemistry. Since a low
system pressure drop appears desirable for emergency scrubbing systems, simple
72
-------�
spray towers may be appropriate in many applications. However, other types of
scrubbers, such as packed beds and Venturis, may also be appropriate in some
situations.
Both scrubbers and flares can be used when the incipient release is still
confined by piping or a stack, as might be the case with an emergency dis-
charge from a relief valve. When the release results from equipment failure,
such as a vessel or pipeline rupture, containment is required before the
chemical can be disposed of by flaring, scrubbing, or in-place neutralization.
Such temporary containment can be effected by diking and enclosures. Diking
is a physical barrier around the perimeter of process equipment or areas
designed to confine the spread of liquid spills and to minimize the liquid
surface area. It can be simple earthen berms or it might be concrete walls.
The diking might be little more than a high curb, or it could be a high wall
rising to the top of a storage tank. The applicability of diking to spills of
volatile liquids is readily apparent. By containing the liquid, the dike
reduces the surface area available for evaporation, at the same time allowing
a liquid to be cooled by evaporation so that the vapor release rate is dimin-
ished. In this way, diking can reduce the rate at which a toxic material is
released to the air. The material can be allowed to evaporate at a manageable
rate, collected into alternate containers, or neutralized in place.
Enclosures or containment buildings directly provide secondary contain-
ment for materials that have escaped primary containment. Suck buildings can
be designed to contain the toxic chemical until it is vented through an
appropriate destruction system such as a flare or scrubber, collected into an
alternative container, or neutralized in place. The primary difference
between diking and a complete enclosure or containment building is the roof.
The building confines virtually all of the material, whereas diking permits
the continuous release of some of the material.
The applicability of either diking or enclosures must be carefully
evaluated to determine if there might be secondary hazards associated with
73
-------�
their use. For example, if the toxic material is also flammable, containment
could create a fire or explosion hazard which could be as or more serious in
its consequences than the original release itself. When properly applied,
however, diking and enclosure can be effective protection technologies for
accidental releases.
5.4 MITIGATION
Once a toxic chemical has been released to the air or that has the
potential for entering the air, the primary concern becomes reducing the
consequences to the plant and the surrounding community. Reducing these
consequences is referred to as mitigation. Two aspects of mitigation are
measures to control the quantity of toxic material that could reach receptors,
and protect the receptors by ensuring that they remain in or are evacuated to
locations that will prevent or minimize their exposure to the chemical. An
emergency response plan addressing the issues is a key part of mitigation.
The other part is the technology of controls. Mitigation technologies include
such measures as physical barriers, water sprays, steam curtains, and foams.
Mitigation technologies divert, limit, or disperse the toxic chemical that
has been released to the atmosphere.
An emergency response plan must be based on identifying the consequences
of the accidental release based on downwind quantities, concentrations, and
duration of exposure at various receptor sites. The plan should include the
information required to decide whether evacuation should be undertaken, or
whether people in the path of the release might be better protected by remain-
ing indoors in their own homes or other places. The plan should include
specific first aid steps to be taken for the exposed population. Finally, the
plan should lay out the specific responsibilities and activities of all
facility personnel and community response teams in addressing the emergency.
Physical barriers may be specially constructed for the purpose, may be
constructed for another purpose but function as barriers, or they may be
74
-------�
natural terrain features. An example of a specially constructed structure is
a diversion wall. A functional barrier could be a building. A natural
terrain feature that might be a barrier is a hill or a line of trees. The
primary function of a physical barrier is to protect especially sensitive
receptors and provide additional time in which to respond to the accidental
release emergency. A physical barrier located in the right place can also
contribute to enhancing the dispersion of the released chemical. Physical
barriers do not, however, directly capture or neutralize the chemical. They
might improve the performance of other mitigation measures such as water
sprays, however. Applicability and overall performance will depend on the
nature of a specific release and on the meteorological conditions at the time
of the release.
Water sprays and steam curtains are methods used to increase the disper-
sion rate of the released chemical, divert its direction, serve as a barrier
between the toxic cloud or plume and potential receptors, and even absorb the
chemical. The applicability and effectiveness of these methods depend on the
nature of the release, the properties of the specific chemical, and the
capability of extending to the highest effective point of a release. Effec-
tiveness will also depend on meteorological conditions at the time these
mitigation methods are applied.
A final mitigation technology is the use of foams. Foams are chemical
mixtures that can be applied to liquid spills with special foam generating
apparatus and, by covering the surface of the spill, reduce the rate of evapo-
ration. Foams can be applied to spills that would otherwise result in the
release of large quantities of toxic vapors as long as the foam is physically
and chemically compatible with the spilled material. A fundamental
requirement is that the foam have a density lighter than the liquid over which
it is applied, and that the material over which the foam is applied does not
easily diffuse through the foam. Foams may sometimes permit a spill to be
transferred to containers for final disposition.
75
-------�
Mitigation technologies and community preparedness are the final line of
defense in reducing the risks of accidental releases of toxic chemicals.
5.5 CONTROL TECHNOLOGY SUMMARY
The various technologies discussed in this section of the manual are
discussed in greater detail in the manual on control technologies. It is
apparent that controls applicable for the prevention of, protection from, and
mitigation of accidental chemical releases, cover a wide range of both equip-
ment and procedural measures. These measures may range from changes in the
process employing a toxic chemical to the addition of specialized equipment
outside of the immediate needs of the process itself.
Table 5-1 summarizes some locations and possible causes of accidental
chemical releases, and presents corresponding control measures that might be
applied. Selection of appropriate control measures depends on the results of
a hazard evaluation that would define the most likely causes for a given
process system. For most processes combinations of alternatives could reduce
the probability of release and also reduce the consequences of any release
that might occur. Additional discussion of this issue is also provided in the
manual on control technologies.
76
-------�
TABLE 5-1. EXAMPLES OF POSSIBLE RELEASES AND CONTROLS
Location of
Accidental Release
Cause
Potential Controls
External Causes
General equipment failure
General process failure
Pipebridge
Fire at adjacent plant
Explosion at adjacent plant
Traffic or rail accident from
outside the plant
Natural disaster, (flood.land-
slide, earthquake, windstorm)
Fire in adjacent
process unit
Explosion in adjacent
process unit
Loss of process control as
result of utility failure
Trench fire
Control room destroyed by
fire/explosion
Collision with plant vehicle
Extra fire protection
Protective barriers
Coordination of emergency response efforts
Protective barriers
Coordination of emergency response efforts
Protective barriers
Reroute traffic flow
Protective barriers
Strengthened equipment foundations and structural support
Alter surface contours to facilitate drainage around the plant
Emergency response plans for each potential event
Adequate spacing between process units
Protective barriers
Utility piping arranged in a way that prevents
loss in adjacent units when one unit fails
Adequate spacing between process units
Protective barriers
Strengthened equipment foundations and structural support
Provide local or plant wide backup for crucial utilities
Where possible, improve process operability so that the process
can be manually operated or shut down when utilities are lost
Arrange utility distribution so that utility losses will only effect
a small area within the plant
Install covers that are two thirds closed and one third grate
Place flame traps periodically throughout the trenches
Protective barriers around control room
Relocation of control room
Where possible, improve process operability
so that the process can be manually operated
Pressurize control room with clean air supply
Construct control room with extra fire protection
Protective barriers
Warning signs of restricted clearance
Rerouting in-plant traffic flow
Remote shutoff valves on both sides of bridge
(Continued)
-------�
TABLE 5-1 (Continued)
Location of
Accidental Release
Cause
Potential Controls
Vessel
Overpressure as a result of
vessel BLEVE when exposed to
fire
Operating/Haintenance/Hanagement Error
General equipment failure
00
General process failure
Vessel
Piping
Thermal shock
Replacing a worn part with a
part made of a material that
is incompatible with the
process
Loss of process control as
when a valve is incorrectly
operated
Tank overfill as a result
of operator error
Internal explosion as a result
of static discharge in the
presence of a flammable
mixture
Collapse due to underpressure
when the tank is emptied or
cooled too quickly
Overpressure as a result of
incorrectly adjusted relief
valve
Overpressure caused by
reaction between process
material and old material
held up in a seldom used
piping run
Adequate deluge system
Water spray monitors available to cool the vessel
Adequate pressure relief for handling heating from fire
Flow and temperature control
Improve operator training
Periodically inspect and test equipment for signs of fatigue
Establish testing procedures to certify materials of construction
Where materials of construction are critical, have written details as to
what materials of construction are appropriate or inappropriate for a
given application
Clearly label lines
Physically segregate piping according to use
Relieve congestion
Eliminate unused and excess piping
Improve employee training
Level gauges and alarms
Overflow catch tank
Surround tanks with dikes
Improve operator training
Operator training as to the hazards of static discharge
Establish specific procedures for transfer operations
Operator training as to the physical limitations of the
vessel and how this effects operating procedures
Establish specific procedures for filling, emptying, heating
and cooling
Test all relief valves after any adjustments have been made
Allow only certified personnel to work on relief devices
Train operators as to potential incompatibilities between process
materials
Blind off unused sections of pipe
(Continued)
-------�
TABLE 5-1 (Continued)
Location of
Accidental Release
Cause
Potential Controls
vo
Flange
Pipe fitting
Threaded joint
Valve
Improper installation
Poor weld
Improper installation
Overpressure caused by
water hammer
Loading/Unloading operations Mixing incompatible materials
Truck leaves without
disconnecting hose
Instrument Malfunction
General equipment failure
Loss of reaction control as a
result of inadequate control
system performance
Loss of reaction control as a
result of failure of an
adequately designed control
system
Replace with a welded joint
Maintenance training
Establish a check procedure to certify work before operating
Alternate variety of gasket
Radiographic weld test
Personnel training
Replace with a flanged or welded joint
Weld seal threaded joints
Leak or pressure test all critical joints
Personnel training
Operator training
Establish procedures for verifying heel composition
Dedicate tanks for only one use
Block wheels during operation
Install remotely operated emergency shutoff upstream of flexible line
Install additional control systems where none are employed
Redundancy of key components
Upgrade components to improve accuracy, reliability, repeatibility
or response time
Backup the entire control system
Simplify to improve operability
Alter the variables that are monitored to more closely monitor the hazard
Add trip systems
Redesign the system to conform to present standards
Install alarms
For critical areas, install alarms that are audibly distinct
Provide emegency backup systems such as emergency cooling
Periodically inspect and test control systems
Design so that the failure of one component will not result
in a total control system failure
Use only fail-safe equipment
For critical areas, regularly replace portions of the system
to prevent an on-line failure
Use of non-interruptible power supply
(Continued)
-------�
TABLE 5-1 (Continued)
Location of
Accidental Release
Cause
Potential Controls
Equipment Failure
General equipment failure
Leak and ignition from hot
oil system
Substitute with a nonflammable or less flammable material
Locate furnace away from process
Vibration
Loss of process control as a
result of internal valve
mechanism failure
Additional supports
Shortened piping (lower the vibration frequency)
Pulsation dampeners
Pipe loop to allow for expansion
Determine if mechanical problem and repair it
A more reliable type of valve
Periodically test valves
OO
O
Vessel
Vessel shell
Heat exchanger tube
Loss of process control as a
result of check valve failure
Overpressure as a result of
relief device failure
Corrosion
Overpressure of trapped fluid
Drain line from storage tank Valve failure
Pipe break
Bolted or rivoted seams
Thermal expansion
Stress corrosion
Multiple check valves
More sophisticated backflow protection
Regularly inspect check valve internals
Size pressure relief devices using accepted practices
Consider two-phase flow when sizing
Install backup relief device
Install a trip system as a first line of defense
Design the vessel to fail in a manner that minimizes the release
Enclose the vessel in a protective enclosure
Fabricate the tank with an additional corrosion allowance
Upgrade the materials of construction
Use double walled construction
Seal all insulation around fittings
Shell and tube side pressure relief
Periodic inspection of tube integrity
Add remotely operated emergency isolation valve
Add a second drain valve in the line
Limit the diameter of the drain line to 3M inch to restrict flow
Install a pipe loop to allow for expansion
Use supports that allow for lateral movement
Use welded seams
(Continued)
-------�
TABLE 5-1 (Continued)
Location of
Accidental Release
Cause
Potential Controls
Welded seam
00
Threaded joint
Valve stem
Valve
Pump or compressor
Design Error
General equipment failure
Vessel
Poor fabrication
Corrosion
Thermal shock
Failure due to temperature
or pressure cycles
Corrosion
Wear
Overpressure
Overpressure caused by
water hammer
Seal failure
Overpressure as a result of
a valved off relief device
Overpressure as a result of
overfill
Loss of reaction control as
result of a loss of mixing
Overpressure as a result of
undersized relief device
Radiographic weld testing
Leak and/or pressure test equipment
Use ASME code vessels
Use ASME code vessels
Use alternate type of weld
Apply protective measures specific to the chemicals and type
of corrosion involved
Use ASME code vessels
Set controls to restrict the rate and frequency of heating and cooling
cycles
Regularly replace crucial equipment before failure
Replace with a flanged or welded joint
Weld seal necessary threaded joints
Tighten packing
Choose a more reliable type of valve
Limit the closing rate of the valve
Upgrade type of seal
Install double mechanical seal with sealing fluid
Enclose the pump or compressor in a ventillated enclosure
Substitute with a sealless variety of pump
Interlock two parallel relief devices so that only one may be
closed at a time
Restrict fillrate by limiting the size of fill lines
Use identical capacity for fill lines and drain lines
Monitor agitation directly by monitoring the mechanical drive
assembly on the mixer or indirectly by monitoring temperature or flow
Size using accepted methods
Resize every time a system is used for a new service
Consider the potential for two phase flow
(Continued)
-------�
TABLE 5-1 (Continued)
Location of
Accidental Release
Cause
Potential Controls
Vessel (continued)
00
NJ
Heat exchanger tube
Vent or vented enclosure
system or vented enclosures
Piping
Pump or compressor
Loading/Unloading operation
Internal tank explosion
caused by a static discharge
in the presence of a flammable
mixture
Tank collapse as a result of
emptying or cooling too
quickly
Stress failure of a nozzle
caused by inadequate pipe
support
Deflector plates at liquid entry
Nitrogen blanketing
Restricted feedrate
Properly ground all equipment
Use of explosion pressure relief
Install breather vent or nitrogen blanketing
Restrict the maximum possible empty or cooling rate
Added support for piping
Additional reenforcement around the nozzle
Wherever possible, place vessel fittings above the normal liquid level
Overpressure of trapped fluid Provide shell and tube side pressure relief
Internal explosion caused by
ignition of a flammable
mixture
Incorrect materials of
construction
Overpressure as a result of
a reaction between process
material and old material
held up in a seldom used
piping run
Blocked discharge, resulting
in an overpressure
Truck overfill
Purge vents with inert gas
Dilute with inert gas until the concentration is below the flammable
limit
Monitor for flammable mixtures
Proper material specifications based on lab and pilot testing
Inspect all parts to validate the material of construction and
their integrity before installation during construction or maintenance
Simplify piping, eliminate dead ends or seldom used sections of pipe
Install overpressure protection where mixing of incompatible
materials is likely to occur
Provide upgraded overpressure protection
Monitor flow
Monitor temperature of the fluid in the pump case
Install remotely operated shutoff valves
Install level monitoring controls
-------�
SECTION 6
GUIDE TO FACILITY INSPECTIONS
The preceding sections of this manual have broadly discussed the identi-
fication, evaluation, and control of hazards. In addition to procedures
already discussed, there remains the actual inspection of physical facilities.
This section of the manual presents a brief example guide to facility
inspections. General procedures including one possible approach to setting up
and conducting an inspection is discussed. Specific procedures involving
detailed inspection are also covered. Regulators may find this material
useful as a guide to establishing their own procedures for facility inspec-
tions. Companies may find the information useful for the same purpose or for
comparison with existing procedures. In either case, while the broad aspects
of the procedures are applicable to most facilities that handle toxic
chemicals, there may be variations in detail that are site-specific. These
procedures are intended to initiate a thought process for an inspector knowl-
edgeable about chemical processes.
6.1 BACKGROUND
Inspection of process facilities is an inherent part of reducing the
probability of accidental chemical releases. Such inspections may be carried
out by regulatory agencies or by companies themselves. The kind of inspection
will usually differ for these two bodies; an inspection by a regulatory agency
will generally be less detailed and focus on a few key items, whereas that by
company will generally be more detailed and broader.
The hazard identification procedures discussed earlier can be used to
identify key areas for inspection. An inspection should include all
83
-------�
functional parts of a physical facility where a release could conceivably
occur. These parts were generally identified in Figure 1-4, Section 1 of this
manual.
The purpose of an inspection by a regulatory agency is to ensure that
equipment and procedures for prevention and control of accidental releases are
consistent with what a company has reported to the agency, and to determine if
there may have been oversights in critical areas. The regulatory agency
inspection will primarily identify problem areas. The purpose of an inspec-
tion by a company is similar, except that the time and resources available are
likely to allow a more detailed look at the facility. The company's inspec-
tion will be much more focused on setting priorities for specific corrective
actions rather than just identifying problem areas.
6.2 GENERAL PROCEDURE
There are many ways to set up an inspection evaluation protocol and conduct
inspections. This section discusses one possible approach.
The overall procedure involves the following steps:
Establishment of an inspection team;
Determination of preliminary information requirements and
acquisition of information including preparation of a facility
questionnaire if necessary. The questionnaire will be com-
pleted by responsible parties at the facility to be inspected
and returned to the inspection team if the team is from
outside the facility;
Review of the questionnaire and other preliminary information,
including process flow diagrams, piping and instrumentation
diagrams, operating manuals, and descriptions of maintenance
84
-------�
records to become familiar with the facility and identify
critical areas for special attention;
Meeting between the outside inspection team and a team of
plant personnel including management to arrange a specific
inspection plan, or planning meeting for the internal inspec-
tion team;
A walk-through overview tour of the facility;
In-depth inspections of specific areas according to the
considerations discussed below in Subsection 6.2 and any other
specific considerations that may be appropriate;
A meeting between the outside inspection team and plant
personnel at the conclusion of the inspection to review
results, or a meeting of the internal inspection team for the
same purpose;
Preparation of a written inspection report which:
states the purpose and summarizes the findings,
identifies hazards found during the inspection,
discusses the risk implications of those hazards, and
discusses possible remedies to correct deficiencies and
reduce hazards.
85
-------�
6.3 SPECIFIC PROCEDURES
Specific inspection procedures involve detailed examination of all parts
of the process facility where toxic materials are used, manufactured, or
stored. This inspection covers a number of specific elements which should
include, but are not necessarily limited to:
Process characteristics and process chemistry,
Facility siting,
Plant layout,
Pressure relief systems,
Maintenance and structural integrity,
Fire protection,
Electrical system,
Transportation practices, and
Contingency plan and emergency response coordination.
Details of specific considerations in each of these areas are presented
in Appendix B of this manual. It must be emphasized that these are guidelines
only, and are representative of, but not necessarily all inclusive of, the
kinds of considerations and observations that should be made during inspec-
tions. The technical literature presents many other examples of how an
inspection protocol would be set up.
86
-------�
SECTION 7
COSTS OF ACCIDENTAL
RELEASE PREVENTION
With a commitment to and the knowledge required for accidental release
prevention in place, the inevitable question is the cost of hazard identifica-
tion and evaluation procedures, inspections, and control measures themselves.
It is beyond the scope of this manual to exhaustively analyze the economic
implications of accidental release prevention, but some general, very rough
costs can be presented to provide a feel for the significance of economic
issues.
This section provides cost data associated with the various hazard
identification and evaluation procedures, inspections, and control technolo-
gies presented in previous sections of this manual. An example of the costs
associated with the application of different combinations of controls to a
specific system is illustrated. The implications of the costs of different
control options is also discussed in light of policy planning.
7.1 COSTS OF HAZARD IDENTIFICATION, EVALUATION, AND INSPECTION
Attempting to assign specific costs to these activities is extremely
difficult without specifics on the number, size, and type of facilities
involved. As was shown in Table 4-1, formal hazard identification and evalua-
tion procedures can be broadly classified in relative terms as low, medium,
and high cost activities. Costs for any procedure depend on the complexity
and size of the system being analyzed, and on the quality of the initial
information on the system.
The literature from which the table was developed attempted to assign
staffing and time requirements to each of the procedures listed. Careful
87
-------�
analysis of these requirements suggests that some approximate costs can be
developed as a lower bound for such activities. Results are shown in Table
7-1.
Costs for inspections are also highly variable, and again depend on
system complexity, size, and quality of the initial information available. A
minimal inspection might take at least four hours by one or two people, and a
more detailed inspection might last two to three weeks with a team of three or
four people. On this basis, estimated costs are as presented in Table 7-2.
These costs are intended as rough guidelines only, and can be expected to
vary significantly in specific situations.
7.2 COSTS OF CONTROL TECHNOLOGIES
Costs of control technologies range from the costs of an individual
component such as an additional thermocouple to costs of a complete alterna-
tively designed process system for handling a toxic chemical. A fundamental
concept in evaluating the costs of control technologies for accidental release
prevention is that increased safety may result from increasing levels of
controls. As controls are added to a system, costs will increase. It is
possible to compare costs for systems with different levels of controls and
evaluate the relative improvements in safety that might result. This could be
done through estimates of the reduction in accident probability by quantita-
tive fault or event tree analyses.
Costs of control technologies are addressed in more detail in a companion
volume in this series on control technologies. The ensuing discussion pre-
sents an overview of control technology cost issues.
Table 7-3 summarizes cost ranges for some individual components that
could be involved in enhancing the safety of a facility handling toxic chemi-
cals, whether a storage or process facility. Costs for such enhancement could
88
-------�
TABLE 7-1. ESTIMATED LOWER BOUND COSTS FOR VARIOUS HAZARD IDENTIFICATION
AND EVALUATION PROCEDURES3
Basis: One process unit
Staffing
Procedure (personnel)
Checklist
Safety Review
Ranking Procedures
Preliminary Hazard Analysis
What-If Analysis
Hazard and Operability Study
(HAZOP)
Failure Mode, Effects, and
Criticality Analysis (FMECA)
Fault Tree Analysis (FTA)
Event Tree Analysis
Cause Consequence Analysis
Human Error Analysis
1
3
3
3
3
4
2
4
4
4
1
Timec
(days or weeks)
ld-2w
3d-3w
3d-lw
Id-lw
3d-lw
2w 6w
2w - 6w
2w - 6w
2w - 6w
Iw - 6w
Iw
1.040
4,680
4,680
1,560
4,680
20,800
10,400
20,800
20,800
10,400
2,600
Costd
($)
- 10,400
- 23,400
- 7,800
- 7,800
- 7,800
- 62,400
- 31,200
- 62,400
- 62,400
- 62,400
aBased on staffing and time estimates in Reference 12.
"One process unit" is roughly defined as a process system consisting of from
one to perhaps three major unit operations (e.g., a complex chemical reactor
system, or a simple reactor, a few heat exchangers, and a distillation
column). The basis for the time and staffing for the various methods was not
well defined in Reference 12.
c"d" = days; "w" = weeks
Based on an average loaded rate of $65/hour per staff person.
89
-------�
TABLE 7-2. ESTIMATED COSTS FOR TYPICAL INSPECTIONS3
Team
Size
(Personnel)
3
3
3
Preparation
0,5
2
5
Time
(Days)
On-Site
0.5
5
15
Reporting
1.0
2
10
Cost
($)
3,120
14,040
46,800
Preparation time, on-site, and reporting for team only based on loaded labor
rate of $65/hour. Does not include plant personnel time required to assist
inspection team. Does not include team travel costs or subsistence costs,
if any, at site.
90
-------�
TABLE 7-3. COSTS OF SOME INDIVIDUAL INSTRUMENTATION AND CONTROL
COMPONENTS FOR PROCESS SYSTEM SAFETY MODIFICATIONS*1
Capital Cost
Range ($)
Flowmeters
Flow indicators
Check valves
Pressure sensors
Pressure indicators
Rupture disks
Relief valves
Temperature sensors
Indicators
Auxiliary cooling water capacity
2,500
400
400
200
200
150
7.000
200
1,000
30
- 5,100
- 1,000
- 600
- 500
- 600
- 300
- 12,000
- 300
- 1,700
- 80
per gpm
Auxiliary refrigerated brine capacity
Load cell systems
Level detection systems
Flow switches
Pressure switches
Density measurement
pH measurement
Viscosity measurement
3,000
per
12,000
1,100
ca.
ca.
500
4,000
2,000
- 8,000
ton
- 16,000
- 15.000
500
500
- 5.000
- 5,000
- 12,000
Annual Cost
Range ($/yr)
400
60
60
30
30
30
600
30
150
5
per
450
per
2,400
80
ca.
ca.
90
700
350
- 800
- 150
- 90
- 80
- 100
- 50
- 1,000
- 50
- 250
- 12
gpm
- 1.200
ton
- 3,200
- 2,300
80
80
- 900
- 900
- 2,200
(Continued)
91
-------�
TABLE 7-3 (Continued)
Capital Cost
Range ($)
Chemical species analyzers
Controllers
Control valves
Complete control loops
700
800
3,000
6,000
- 40,000
- 6,000
- 6,000
- 15,000
Annual Cost
Range ($/yr)
130
70
500
300
- 7,300
- 500
- 900
- 1,300
oasis: All costs were based on specific standard sizes which are documented
in a companion manual in this series on control technologies. Costs
are intended as rough guides to general magnitude only.
Specific types will be found in the manual on control technologies.
92
-------�
involve something as simple as adding a sensor where one was not previously
used, or adding an extra one for backup, to something as complex as the design
and implementation of an entirely different control system.
More extensive application of control technologies could involve numerous
changes in individual components, and even complete add-on subsystems such as
scrubbers. Table 7-4 presents an example of how different levels or combina-
tions of controls might affect the costs of a toxic gas storage tank system,
based on the conceptual drawing in Figure 7-1. This type of analysis can be
applied to any system where the evaluation of the cost implications of acci-
dental release control measures are desired.
All of these costs are to illustrate concepts and the general magnitude
of costs. Actual costs will vary widely depending on the size and type of
facility, exact specifications of equipment used, and the individual organ-
ization that builds or modifies the facility.
7.3 COST IMPLICATIONS FOR POLICY PLANNING
Costs of identification, evaluation, inspection, and control technologies
can be used to roughly estimate costs of various programs for accidental
release prevention and control by either regulatory agencies or companies.
The costs given previously in Tables 7-1 and 7-2 can be used to estimate time
requirements that might be associated with some of the regulatory aspects of
hazard control plans evaluations by regulation, and compliance and preparation
of plans by affected companies. Cost estimates such as shown in Table 7-4
provide a measure of what specific regulatory requirements involving process
equipment would cost companies, excluding, of course, many indirect costs.
This methodology can also be used to provide companies with a rough measure of
cost impacts of various process control options.
A complete analysis of cost implications of accidental release control is
beyond the scope of this manual, but the overview presented here should be
useful for preliminary planning purposes.
93
-------�
TO HYDROGEN
FLOURIDE ABSORPTION
SYSTEM
PRESSURE RELIEF VALVE
PUMP
BLEED AND SAMPLE
WITH CAP TO LIMESTONE
PACKED TILE DRAIN
PRESSURE RELIEF
DEVICE
COMPRESSED
GAS
LEVEL GAUGE WITH
HIGH LEVEL ALARM
(LOCAL)
LEVEL GAUGE WITH
HIGH LEVEL ALARM
(REMOTE TO CONTROL ROOM)
PRESSURE RELIEF
DEVICE
MATERIAL
PLACARD =
V ANHYDROUS HF
PERSON IN ATTENDANCE
W / PROPER PROTECTIVE
EQUIPMENT
COMPRESSED
GAS
DERAIL
SPILL
COLLECTION
PAN
Figure 7-1. Example of a toxic gas storage system.
-------�
TABLE 7-4. EXAMPLES OF CONTROL COSTS FOR A TOXIC
STORAGE SYSTEM3
Capital Cost Annual Cost
Prevention/Protection Measure (1986 $) (1986 $/yr)
Continuous moisture monitoring 7,500-10.000 900-1.300
Flow control loop 4.000-6.000 500-750
Temperature sensor 250-400 30-50
Pressure relief
- relief valve 1.000-2.000 120-250
- rupture disk 1.000-1.200 120-150
Interlock system for flow shut-off 1,500-2.000 175-250
pH monitoring of cooling water 7.500-10,000 900-1,300
Alarm system 250-500 30-75
Level sensor
- liquid level gauge 1,500-2,000 175-250
- load cell 10,000-15,000 1,300-1,900
Diking (based on a 10,000 gal. tank)
- 3 ft. high 1.200-1.500 150-175
- top of tank height. 10 ft. 7.000-7,500 850-900
Increased corrosion inspection 200-400
aSee Table 7-5 for design basis. Details of estimating procedures are
provided in a companion manual on control technologies of this series.
95
-------�
TABLE 7-5. SPECIFICATIONS ASSOCIATED WITH TOXIC STORAGE SYSTEM
Item
Specification
Continuous moisture monitoring
Flow control loop
Temperature sensor
Pressure relief
- relief valve
- rupture disk
Capacitance or infrared absorption
system
2-inch globe control valve, Monel*
trim, flowmeter and PID controller
Thermocouple and associated thermowell
1-inch x 2-inch, Class 300 inlet and
outlet flange, angle body, closed
bonnet with screwed cap, carbon steel
body, Monel* trim
1-inch Monel* disk and carbon steel
holder
Interlock system for flow
shut-off
pH monitoring system
Solenoid valve, switch, and relay
system
Electrode, electrode chamber,
amplifier - transducer and
indicator
Alarm system
Level sensor
- liquid level gauge
- load cell
Diking
- 3 ft. high
- 10 ft. high
Indicating and audible alarm
Differential pressure level gauge
Electronic load cell
6-inch_reinforced concrete walls,
5.2 yd
10-inch_reinforced concrete walls,
36.3 yd
96
-------�
SECTION 8
REFERENCES
1. Lees, F.P. Loss Prevention in the Process Industries. Butterworth's,
London, England, 1980.
2. Industrial Economics, Inc., et al. Acute Hazardous Events Data Base.
Executive Summary. EPA-560/5-85-029(a.), U.S. Environmental Protection
Agency, 1985.
3. One-Hundred Largest Losses, A Thirty-Year Review of Property Damage
Losses in the Hydrocarbon-Chemical Industries. Ninth Edition, Marsh and
McLennan Protection Consultants, Chicago, IL, 1986.
4. Kletz, T.A. Talking About Safety. The Chemical Engineer, April 1976.
5. Chemical Emergency Preparedness Program, Interim Guidance. Revision 1,
9223.0-1A, U.S. Environmental Protection Agency, Washington, DC, 1985.
6. Hazard Survey of the Chemical and Allied Industries. Technical Survey
No. 3, American Insurance Association, 1979.
7. Kirk, R.E. and D.F. Othmer. Encyclopedia of Chemical Technology. Third
Edition, John Wiley & Sons, Inc., 1980.
8. Weast, R.C. (ed.). CRC Handbook of Chemistry and Physics. 63rd Edition,
CRC Press, Inc., Boca Raton, FL, 1982.
9. Green, D.W. (ed.). Perry's Chemical Engineers' Handbook. Sixth Edition,
McGraw-Hill Book Company, New York, NY, 1979.
10. Dean, J. (ed.). Lange's Handbook of Chemistry. Twelfth Edition,
McGraw-Hill Book Company, New York, NY, 1979.
11. NIOSH/OSHA Pocket Guide to Chemical Hazards. DHEW (NIOSH) Publication
No. 78-210, September 1985.
12. Battelle Columbus Division. Guidelines for Hazard Evaluation Procedures.
The Center for Chemical Plant Safety, American Institute of Chemical
Engineers, New York, NY, 1985.
13. Process Safety Management, Control of Acute Hazards. Chemical
Manufacturers' Association, Washington, DC, May 1985.
14. Kletz, T.A. Eliminating Potential Process Hazards. Chemical
Engineering, April 1, 1985.
97
-------�
15. Ozog, H. Hazard Identification, Analysis and Control. Chemical
Engineering, February 18, 1985.
16. McNaughton, D.J. et al. Evaluation and Assessment of Models for
Emergency Response Planning. TRC Environmental Consultants, Inc.,
Hartford, CT, February 1986.
17. Fire and Explosion Index. Hazard Classification Guide. Fourth Edition.
Dow Chemical Company, Midland, MI, 1976.
18. Fisher, H.G. DIERS Research Program on Emergency Relief Systems.
Chemical Engineering Progress, August 1985.
19. Chemical Emergency Preparedness Program, Interim Guidance. U.S. EPA,
Revision 1, 922.3.01A.
20. National Fire Codes, 1986, National Fire Protection Association, Quincy,
MA.
21. UL Handbook for Fire Ratings. Underwriters' Laboratories, Chicago, IL.
22. Perry, R.H. and Chilton, C.H. Chemical Engineer's Handbook. Fifth
Edition, McGraw-Hill Book Company, New York, NY, 1973.
98
-------�
APPENDIX A
This appendix contains a listing of acutely toxic chemicals which
appeared in a U.S. EPA publication addressing community preparedness for
chemical emergencies (19). There are actually two separate lists entitled
Acutely Toxic Chemicals" and "Other chemicals." Some of the chemicals on the
second list are also acutely toxic. Both lists appear separately in this
appendix. At the time this manual was prepared word was received that three
chemicals from the second list had been deleted. The modified list actually
is the one used in this appendix.
99
-------�
11/01/85
Acutely Toxic Chemicals
Alphabetic List of Common Names and CAS Numbers
Common Name
CAS Number
Acetone cyanohydrin
Acetone thiosemicarbazide
Acrolein
Acrylyl chloride
Aldicarb
Aldrin
Allyl alcohol
Allylamine
Aluminum phosphide
Aminopterin
Amiton
Amiton oxalate
Ammonium chloroplatinate
Amphetamine
Aniline, 2,4,6-trimethyl-
Antimony pentafluoride
Antimycin A
Antu
Arsenic pentoxide
Arsenous oxide
Arsenous trichloride
Arsine
Az inphos-ethy1
Az inphos-methy1
Bacitracin
Benzal chloride
Benzenamine, 3-(trifluoromethyl)-
Benzene, 1-(chloromethyl)-4-nitro-
Benzenearsonic acid
Benzenesulfonyl chloride
Benzotrichloride
Benzyl chloride
Benzyl cyanide
Bicyclo[2.2.1]heptane-2-carbonitrile, 5-chloro.,
Bis(chloromethyl) ketone
Bitoscanate
Boron trichloride
Boron trifluoride
Boron trifluoride compound with methyl ether (1;
Bromadiolone
Butadiene
Butyl isovalerate
Butyl vinyl ether
C.I. basic green 1
Cadmium oxide
Cadmium stearate
Calcium arsenate
Camphechlor
Cantharidin
Carbachol chloride
1)
00075-
01752-
00107-
00814-
00116-
00309-
00107-
00107-
20859-
00054-
00078-
03734-
16919-
00300-
00088-
07783-
01397-
00086-
01303'
01327'
07784'
07784
02642
00086
01405
00098
00098
00100
00098
00098
00098
00100
00140
15271
00534
04044
10294
07637
00353
28772
00106
00109
00111
00633
01306
02223
07778
86-5
30-3
02-8
68-6
-06-3
00-2
-18-6
-11-9
-73-8
-62-6
-53-5
-97-2
-58-7
-62-9
-05-1
-70-2
-94-0
-88-4
-28-2
-53-3
-34-1
-42-1
-71-9
-50-0
-87-4
-87-3
-16-8
-14-1
-05-5
-09-9
-07-7
-44-7
-29-4
-41-7
-07-6
-65-9
-34-5
-07-2
-42-4
-56-7
-99-0
-19-3
-34-2
-03-4
-19-0
-93-0
-44-1
100
-------�
11/01/85
Acutely Toxic Chemicals
Alphabetic List of Conation Names and CAS Numbers
Common Name
CAS Number
Carbamic acid, methyl-, 0-[[(2,4-dimethyl... 26419-73-8
Carbofuran 01563-66-2
Carbophenothion 00786-19-6
Carvone 02244-16-8
Chlordane 00057-74-9
Chlorfenvinfos 00470-90-6
Chlorine 07782-50-5
Chlormephos 24934-91-6
Chlormequat chloride 00999-81-5
Chloroacetaldehyde 00107-20-0
Chloroacetic acid 00079-11-8
Chloroethanol 00107-07-3
Chloroethyl chloroformate 00627-11-2
Chloromethyl ether 00542-88-1
Chloromethyl methyl ether 00107-30-2
Chlorophacinone 03691-35-8
Chloroxuron 01982-47-4
Chlorthiophos 21923-23-9
Chromic chloride 10025-73-7
Cobalt 07440-48-4
Cobalt carbonyl 10210-68-1
Cobalt, [[2,2'-[l,2-ethanediylbis(nitrilomethy... 62207-76-5
Colchicine 00064-86-8
Coumafuryl 00117-52-2
Coumaphos 00056-72-4
Coumatetralyl 05836-29-3
Cresylic acid 00095-48-7
Crimidine 00535-89-7
Crotonaldehyde 00123-73-9
Crotonaldehyde 04170-30-3
Cyanogen bromide 00506-68-3
Cyanogen iodide 00506-78-5
Cyanophos 02636-26-2
Cyanuric fluoride 00675-14-9
Cycloheximide 00066-81-9
Cyclopentane 00287-92-3
Decaborane(14) 17702-41-9
Demeton 08065-48-3
Demeton-S-methyl 00919-86-8
Dialifos 10311-84-9
Diborane 19287-45-7
Dibutyl phthalate 00084-74-2
Dichlorobenzalkonium chloride 08023-53-8
Dichloroethyl ether 00111-44-4
Dichloromethylphenylsilane 00149-74-6
Dichlorvos 00062-73-7
Dicrotophos 00141-66-2
Diepoxybutane 01464-53-5
Diethyl chlorophosphate 00814-49-3
Diethyl-p-phenylenediamine 00093-05-0
101
-------�
11/01/85
Acutely Toxic Chemicals
Alphabetic List of Common Names and CAS Numbers
Common Name
CAS Number
Diethylcarbamazine citrate
Digitoxin
Diglycidyl ether
Digoxin
Dimefox
Dimethoate
Dimethyl phosphorochloridothioate
Dimethyl phthalate
Dimethyl sulfate
Dimethyl sulfide
Dimethyl-p-phenylenediamine
Dimethyldichlorosilane
Dimethylhydrazine
Dimetilan
Dinitrocresol
Dinoseb
Dinoterb
Dioctyl phthalate
Dioxathion
Dioxolane
Diphacinone
Diphosphoramide, octamethyl-
Disulfoton
Dithiazanine iodide
Dithiobiuret
EPN
Emetine, dihydrochloride
Endosulfan
Endothion
Endrin
Ergocalciferol
Ergotamine tartrate
Ethanesulfonyl chloride, 2-chloro-
Ethanol, 1,2-dichloro-, acetate
Ethion
Ethoprophos
Ethyl thiocyanate
Ethylbis(2-chloroethyl)amine
Ethylene fluorohydrin
Ethylenediamine
Ethyleneimine
Ethylmercuric phosphate
Fenamiphos
Fenitrothion
Fensulfothion
Fluenetil
Fluorine
Fluoroacetamide
Fluoroacetic acid
Fluoroacetyl chloride
01642-
00071-
02238-
20830-
00115-
00060-
02524-
00131-
00077-
00075-
00099-
00075-
00057-
00644-
00534-
00088-
01420-
00117-
00078-
00646-
00082-
00152-
00298-
00514-
00541-
02104-
00316-
00115-
02778-
00072-
00050-
00379-
01622-
10140-
00563-
13194-
00542-
00538-
00371-
00107-
00151-
02235-
22224-
00122-
00115-
04301-
07782-
00640-
00144-
00359-
54-2
63-6
07-5
75-5
26-4
51-5
03-0
11-3
78-1
18-3
98-9
78-5
14-7
64-4
52-1
85-7
07-1
84-0
34-2
06-0
66-6
16-9
04-4
73-8
53-7
64-5
42-7
29-7
04-3
20-8
14-6
79-3
32-8
87-1
12-2
48-4
90-5
07-8
62-0
15-3
56-4
25-8
92-6
14-5
90-2
50-2
41-4
19-7
49-0
06-8
-------�
11/01/85
Acutely Toxic Chemicals
Alphabetic List of Common Names and CAS Numbers
Common Name
CAS Number
Fluorouracil
Fonofos
Formaldehyde cyanohydrin
Formetanate
Formothion
Formparanate
Fosthietan
Fuberidazole
Furan
Gallium trichloride
Hexachlorocyclopentadiene
Hexachloronaphthalene
Hexamethylenediamine, N,N'-dibutyl-
Hydrazine
Hydrocyanic acid
Hydrogen fluoride
Hydrogen selenide
Indomethacin
Iridium tetrachloride
Iron, pentacarbonyl-
Isobenzan
Isobutyronitrile
Isocyanic acid, 3,4-dichlorophenyl ester
Isodrin
Isofluorphate
Isophorone diisocyanate
Isopropyl chloroformate
Isopropyl formate
Isopropylmethylpyrazolyl dimethylcarbamate
Lactonitrile
Leptophos
Lewisite
Lindane
Lithium hydride
Malononitrile
Manganese, tricarbonyl methylcyclopentadienyl
Mechlorethamine
Mephosfolan
Mercuric acetate
Mercuric chloride
Mercuric oxide
Mesitylene
Methacrolein diacetate
Methacrylic anhydride
Methacrylonitrile
Methacryloyl chloride
Methacryloyloxyethyl isocyanate
Metham idopho s
Methanesulfonyl fluoride
Methidathion
00051-
00944-
00107-
23422-
02540-
17702-
21548-
03878-
00110-
13450-
00077-
01335-
04835-
00302-
00074-
07664-
07783-
00053-
10025-
13463-
00297-
00078-
00102-
00465-
00055-
04098-
00108-
00625-
00119-
00078-
21609-
00541-
00058-
07580-
00109-
12108-
00051-
00950-
01600-
07487-
21908-
00108-
10476-
00760-
00126-
00920-
30674-
10265-
00558-
00950-
21-8
22-9
16-4
53-9
82-1
57-7
32-3
19-1
00-9
90-3
47-4
87-1
11-4
01-2
90-8
39-3
07-5
86-1
97-5
40-6
78-9
82-0
36-3
73-6
91-4
71-9
23-6
55-8
38-0
97-7
90-5
25-3
89-9
67-8
77-3
13-3
75-2
10-7
27-7
94-7
53-2
67-8
95-6
93-0
98-7
46-7
80-7
92-6
25-8
37-8
103
-------�
11/01/85
Acutely Toxic Chemicals
Alphabetic List of Common Names and CAS Numbers
Common Name
CAS Number
Methiocarb
Methomyl
Methoxyethylmercuric acetate
Methyl 2-chloroacrylate
Methyl chloroformate
Methyl disulfide
Methyl isocyanate
Methyl isothiocyanate
Methyl mercaptan
Methyl phenkapton
Methyl phosphonic dichloride
Methyl thiocyanate
Methyl vinyl ketone
Methylhydraz ine
Methylmercuric dicyanamide
Methyltrichlorosilane
Metolcarb
Mevinphos
Mexacarbate
Mitomycin C
Monocrotophos
Muscimol
Mustard gas
Nickel
Nickel carbonyl
Nicotine
Nicotine sulfate
Nitric acid
Nitric oxide
Nitrocyclohexane
Nitrogen dioxide
Nitrosodimethylamine
Norbormide
Organorhodium complex
Orotic acid
Osmium tetroxide
Ouabain
Oxamyl
Oxetane, 3,3-bis(chloromethyl)
Oxydisulfoton
Ozone
Paraquat
Paraquat methosulfate
Parathion
Parathion-methyl
Paris green
Pentaborane
Pentachloroethane
Pentachlorophenol
Pentadecylamine
02032-65-7
16752-77-5
00151-38-2
00080-63-7
00079-22-1
00624-92-0
00624-83-9
00556-61-6
00074-93-1
03735-23-7
00676-97-1
00556-64-9
00078-94-4
00060-34-4
00502-39-6
00075-79-6
01129-41-5
07786-34-7
00315-18-4
00050-07-7
06923-22-4
02763-96-4
00505-60-2
07440-02-2
13463-39-3
00054-11-5
00065-30-5
07697-37-2
10102-43-9
01122-60-7
10102-44-0
00062-75-9
00991-42-4
PMN-82-147
00065-86-1
20816-12-0
00630-60-4
23135-22-0
00078-71-7
02497-07-6
10028-15-6
01910-42-5
02074-50-2
00056-38-2
00298-00-0
12002-03-8
19624-22-7
00076-01-7
00087-86-5
02570-26-5
104
-------�
11/01/85
Acutely Toxic Chemicals
Alphabetic List of Common Names and CAS Numbers
Common Name
CAS Number
Peracetic acid
Perchloror.'.ethylmercaptan
Phenarsaz^ae oxide
Phenol
Phenol, 2,2'-thiobis(4-chloro-6-methyl-
Phenol, 2,2'-thiobis[4,6-dichloro-
Phenol, 3-(l-methylethyl)-, methylcarbamate
Phenyl dichloroarsine
Phenylhydrazine hydrochloride
Phenylmercury acetate
Phenylsilatrane
Phenylthiourea
Phorate
Phosacetim
Phosfolan
Phosmet
Phosphamidon
Phosphine
Phosphonothioic acid
O-(4-nitrophenyl..
methyl-,
Phosphonothioic acid, methyl-, 0-ethyl O-[4-...
Phosphonothioic acid, methyl-, S-[2-[bis...
Phosphoric acid, dimethyl 4-(methylthio)phenyl...
Phosphorous trichloride
Phosphorus
Phosphorus oxychloride
Phosphorus pentachloride
Phosphorus pentoxide
Phylloquinone
Physostigmine
Physostigmine, salicylate (1:1)
Picrotoxin
Piperidine
Piprotal
Pirimifos-ethyl
Platinous chloride
Platinum tetrachloride
Potassium arsenite
Potassium cyanide
Potassium silver cyanide
Promecarb
Propargyl bromide
Propiolactone, .beta.-
Propionitrile
Propionitrile, 3-chloro-
Propyl chloroformate
Propylene glycol, allyl ether
Propyleneimine
Prothoate
Pseudocumene
Pyrene
105
00079-
00594-
00058-
00108-
04418-
00097-
00064-
00696-
00059-
00062-
02097-
00103-
00298-
04104-
00947-
00732-
13171-
07803-
02665-
02703-
50782-
03254-
07719-
07723-
10025-
10026-
01314-
00084-
00057-
00057-
00124-
00110-
05281-
23505
10025
13454
10124
00151
00506
02631
00106
00057
00107
00542
00109
01331
00075
02275
00095
00129
21-0
42-3
36-6
95-2
66-0
18-7
00-6
28-6
88-1
38-4
19-0
85-5
02-2
14-7
02-4
11-6
21-6
51-2
30-7
13-1
69-9
-63-5
12-2
-14-0
87-3
-13-8
-56-3
-80-0
-47-6
-64-7
-87-8
89-4
-13-0
-41-1
-65-7
-96-1
-50-2
-50-8
-61-6
-37-0
-96-7
-57-8
-12-0
-76-7
-61-5
-17-5
-55-8
-18-5
-63-6
-00-0
-------�
11/01/85
Acutely Toxic Chemicals
Alphabetic List of Common Names and CAS Numbers
Common Name
CAS Number
Pyridine, 2-methyl-5-vinyl- 00140-
Pyridine, 4-amino- 00504-
Pyridine, 4-nitro-, 1-oxide 01124-
Pyriminil 53558-
Rhodium trichloride 10049-
Salcomine 14167-
Sarin 00107-
Selenium oxychloride 07791-
Selenous acid 07783-
Semicarbazide hydrochloride 00563-
Silane, (4-aminobutyl)diethoxymethyl- 03037-
Sodium anthraquinone-1-sulfonate 00128-
Sodium arsenate 07631-
Sodium arsenite 07784-
Sodium azide (Na(N3)) 26628-
Sodium cacodylate 00124-
Sodium cyanide (Na(CN)) 00143-
Sodium fluoroacetate 00062-
Sodium pentachlorophenate 00131-
Sodium selenate 13410-
Sodium selenite 10102-
Sodium tellurite 10102-
Strychnine 00057-
Strychnine, sulfate 00060-
Sulfotep 03689-
Sulfoxide, 3-chloropropyl octyl 03569-
Sulfur tetrafluoride 07783-
Sulfur trioxide 07446-
Sulfuric acid 07664-
TEPP 00107-
Tabun 00077-
Tellurium 13494-
Tellurium hexafluoride 07783-
Terbufos 13071-
Tetraethyllead 00078-
Tetraethyltin 00597-
Tetranitromethane 00509-
Thallic oxide 01314-
Thallous carbonate 06533-
Thallous chloride 07791-
Thallous malonate 02757-
Thallous sulfate 07446-
Thallous sulfate 10031-
Thiocarbazide 02231-
Thiocyanic acid, (2-benzothiazolylthio)methyl... 21564-
Thiofanox 39196-
Thiometon 00640-
Thionazin 00297-
Thiophenol 00108-
Thiosemicarbazide 00079-
106
76-1
24-5
33-0
25-1
07-7
18-1
44-8
23-3
00-8
41-7
72-7
56-3
89-2
46-5
22-8
65-2
33-9
74-8
52-2
01-0
18-8
20-2
24-9
41-3
24-5
57-1
60-0
11-9
93-9
49-3
81-6
80-9
80-4
79-9
00-2
64-8
14-8
32-5
73-9
12-0
18-8
18-6
59-1
57-4
17-0
18-4
15-3
97-2
98-5
19-6
-------�
11/01/85
Acutely Toxic Chemicals
Alphabetic List of Common Names and CAS Numbers
Common Name
CAS Number
Thiourea, (2-chlorophenyl)- 05344-82-1
Thiourea, (2-methylphenyl)- 00614-78-8
Titanium tetrachloride 07550-45-0
Toluene 2,4-diisocyanate 00584-84-9
Toluene 2,6-diisocyanate 00091-08-7
Triamiphos 01031-47-6
Triazofos 24017-47-8
Trichloro(chloromethyl)silane 01558-25-4
Trichloro(dichlorophenyl)silane 27137-85-5
Trichloroacetyl chloride 00076-02-8
Trichloroethylsilane 00115-21-9
Trichloronate 00327-98-0
Trichlorophenylsilane 00098-13-5
Trichlorphon 00052-68-6
Triethoxysilane 00998-30-1
Trimethylchlorosilane 00075-77-4
Trimethylolpropane phosphite 00824-11-3
Trimethyltin chloride 01066-45-1
Triphenyltin chloride 00639-58-7
Tris(2-chloroethyl)amine 00555-77-1
Valinomycin 02001-95-8
Vanadium pentoxide 01314-62-1
Vinylnorbornene 03048-64-4
Warfarin 00081-81-2
Warfarin sodium 00129-06-6
Xylylene dichloride 28347-13-9
Zinc phosphide 01314-84-7
Zinc, dichloro[4,4-dimethyl-5-[[[(methylamino)... 58270-08-9
trans-l,4-Dichlorobutene 00110-57-6
107
-------�
OTHER CHEMICALS
Name
CAS Number
Acrylamide
Acrylonitrile
Adiponitrile
Ammonia
Aniline
Bromine
Carbon disulfide
Chloroform
Cyclohexylamine
Epichlorohydrin
Ethylene oxide
Formaldehyde
Hydrochloric acid
Hydrogen peroxide
Hydrogen sulfide
Hydroquinone
Methyl bromide
Nitrobenzene
Phosgene
Propylene oxide
Sulfur dioxide
Tetramethyl lead
Vinyl acetate monomer
79-06-1
107-13-1
111-69-3
7664-41-7
62-53-3
77 26-95-6
75-15-0
67-66-3
108-91-8
106-89-8
75-21-8
50-00-0
7647-01-0
7722-84-1
7783-06-4
123-31-9
74-83-9
98-95-3
75-44-5
75-56-9
7446-09-5
75-74-1
108-05-4
108
-------�
APPENDIX B
EXAMPLE DETAILED PROCEDURES FOR HAZARD
EVALUATION FACILITY INSPECTIONS
B.I Process and Process Chemistry Evaluation
Purpose
The purpose of this evaluation is to identify the most critical areas in
the process facility, based on the fundamental process chemistry and the
sequence of unit processes and unit operations. Process chemistry considera-
tions also include chemical reactions that might occur with materials that
might unintentionally enter the process as contaminants.
Procedures
Procedures for this part of the evaluation include the following:
Review of chemical equations for the process to identify
fundamental hazard potential associated with basic process
chemistry.
Review of written process descriptions and process procedures
to identify critical process areas or procedures.
Review of process flow diagrams (PFD) and/or piping and
instrumentation diagrams (PID) for the critical process areas
identified above.
Visual inspection of process areas, units, and specific
critical equipment items for oversights or deficiencies using
the information discussed in ensuing subsections as a guide.
109
-------�
Comparison of process characteristics of the inspected process
with other processes in the plant and the chemical industry as
a whole to judge relative hazard potential.
Application of various formal hazard identification and
evaluation procedures to determine qualitatively how an
accidental release might occur.
Key Factors
Materials characteristics: evaluated to determine which
materials in each process are potentially the most dangerous.
Comparison of physical properties at both process and
ambient conditions, including boiling point, melting
point, vapor pressure, viscosity, and vapor density.
Flammability as characterized by flashpoint, upper and
lower explosive limits, and auto-ignition temperatures.
Also, the chemical compatibility of mixtures in storage
areas and during handling.
Acute toxicity as characterized by the health effects of
exposure by inhalation or skin contact.
The evaluation of reactivity according to the following
parameters:
a. Whether reactions are exothermic, endothermic or
thermodynamically balanced.
b. Potential for uncontrolled reactions due to such
things as decomposition, excessive temperature,
backflow, or spontaneous polymerization.
110
-------�
c. Process reactivity with water or other possible
contaminants.
d. Potential side reactions and conditions under which
they are favored.
Corrosiveness considered in the context of the appropri-
ateness of construction materials.
Range of process conditions: the hazard potential is normally
increased the larger the process and hence inventory of toxic
material and the more severe the process conditions.
Evaluation of process capacities in terms of operating
throughput and in-process inventories of toxic materials.
Classification of the reaction type based on a unit
operation or unit process approach, for example, halo-
genation, polymerization, etc. Some types may show a
history of more hazards than others.
Categorization of reaction and separation process
temperatures as low if less than 200°F, moderate between
200 and 500°F, or high temperature if above 500°F.
Categorization of process pressures reaction and separa-
tion as low if less than 100 psig, moderate between 100
and 500 psig, or high pressure if above 500 psig.
Evaluation of the process conditions relative to the
physical properties of the chemicals.
Mode of processing and process configuration: certain process
types and configurations may be inherently more hazardous than
111
-------�
others and hazards vary according to process characteristics
(e.g., reaction time, volume, and type of reaction).
Evaluation of the implications of a process being batch,
semi-batch, or continuous. For example a large inventory
batch processes may be more of a hazard than a small
inventory continuous processes.
Evaluation of process configuration in terms of opera-
tional sequences and physical placement of equipment.
Evaluation of process complexity in terms of the number
of process steps and the nature of individual unit
operations.
Thermodynamics of Key Reactions
Exothermic reactions: considered more hazardous than
endothermic or balanced reactions.
Qualitative evaluation of the hazard potential of an
exothermic reaction according to whether it has a weak.
moderate, or strong exotherm.
Types of Instrumentation and Control Systems
Evaluation of the control system in terms of the
reliability and responsiveness to deviations and
corrective actions.
Consideration of relative reliability of pneumatic or
electronic systems for given application.
112
-------�
Computer control systems: considered to be safer than
reliance solely on manual controls, but computer systems
should have some kind of manual backup.
Backup for increasing reliability: emergency cooling and
heating systems, redundancy of the instruments, the
instrument air supply, electrical power supply, and the
computer system.
Evaluation of alarms and emergency shutdown systems for
type, complexity, location and reliability.
Process Isolation
Evaluation of the ability to isolate, quench, or dump the
process materials in an emergency: location of shut-off
valves and whether manual or automated shut-off is used.
Assessment of the possible effects of a fire, explosion,
or release in a nearby process on the process being
inspected.
Operator Training
Evaluation of operator training for routine operations by
review of operator training programs, operating manuals,
and observations of and discussions with selected opera-
tors, and observations of operators carrying out their
duties.
Evaluation of emergency awareness and preparedness for
operator response to emergency situations including
113
-------�
drills and tests in the same general manner as for
routine operations.
B.2 Facility Siting Evaluation
Purpose
The purpose of this evaluation is to assess the potential impact of a
facility's location on the frequency or severity of an accidental release and
the vulnerability of the surrounding community to an accidental release.
Procedures
Review of surrounding community: the evaluation of plant
location relative to the surrounding community by direct
observation and by maps and other written information.
Review of climatic conditions: evaluation of the potential
for severe climatic conditions and natural disasters from
discussions with plant personnel, by direct observation and
from government records for the area.
Review of municipal utility reliability: evaluation of the
reliability of municipal utilities (electricity, water, gas,
etc.) from discussions with plant personnel, direct observa-
tions of main supply lines and information of past utility
failures.
Key Factors
Location in the community: evaluation of the plant location
within the community in terms of proximity to other businesses
and population centers, land use and terrain features in
114
-------�
surrounding areas, wind patterns, and surface groundwater in
the area.
Other businesses and population centers near the plant
are potential receptors of any accidental releases,
fires, or explosions in the subject facility. The
potential danger varies with the specific hazard and
magnitude of that hazard.
The exact extent of the hazard zone depends on the
quantity released. In general, however, as a rough
guideline, receptors within a few hundred yards of a
(
facility may be considered sensitive receptors, while
receptors beyond about 2-5 miles may be considered to be
on the outer limits of typical hazard zones. It is
emphasized here, however that toxic materials can be
dangerous in clouds traveling many miles, and these
distances are only for rough evaluation purposes.
An estimate of total population, including temporary
population such as workers during certain parts of the
day, within various distances of the plant (i.e., plant
shutdown and construction personnel): the basis for
estimating the number of people outside the plant who
might be affected by a release.
Especially sensitive receptors such as schools, parks,
and hospitals.
Land use in surrounding areas: noted in the context of
the considerations just discussed, and especially promi-
nent terrain features such as physical plants (i.e.,
columns and reactors), rivers, forests, and hills which
115
-------�
could affect the dispersion of airborne chemical
releases.
Directions and speeds of seasonal and diurnal wind
patterns for the facility. This is usually shown in a
diagram called a windrose. Data for windroses are
available for most major metropolitan areas and some
other areas from the National Weather Service.
The presence of surface and groundwaters in the area:
noted in the context of the potential for contamination
by sudden accidental releases of chemicals.
Evaluation of the potential impact of an accidental
release or other hazard coming from an adjacent business.
Traffic flow patterns around the perimeter of the facil-
ity: especially points of congestion and the potential
impact of traffic congestion on the movement of emergency
response equipment and evacuated plant personnel.
Climatic conditions
Evaluation of the potential for flood, landslide, brush
fire, earthquake, severe wind or hail, subfreezing
temperatures, or other climatic conditions including
consideration of how such events might cause an
accidental release.
Assessment of the need for other protective measures to
reduce the potential for an accidental release resulting
from climatic conditions.
116
-------�
Review of municipal utility reliability
Review of past reliability of municipal utilities.
Consideration of unusual causes for utility failure,
including downed power lines resulting from a vehicle
collision with power line poles, or the loss of all
utilities because of an earthquake.
Evaluation of backup utilities in the event of a
facility-wide utility failure.
B.3 Facility Layout Evaluation
Purpose
The purpose of the plant layout evaluation is to determine if specific
features of the layout could contribute to an accidental release. A primary
consideration in the evaluation of the layout is the potential for an acci-
dental release or other accident in one section of the facility to adversely
affect other sections of the facility. As far as possible, each section
within a facility should be protected from the effects of accidents in other
sections of the facility.
Procedures
Review of the total facility plot plan and plot plans of
individual process areas.
Tour of facility: to complement information obtained from
plot plans.
Discussions with plant personnel: information obtained
directly from plant personnel, as required.
117
-------�
Key Factors
Overall Plant Configuration
Review of the overall configuration of the facility, as
well as individual process units.
Evaluation of the compatibility between materials in
adjacent process units, especially considering how the
possible release of a chemical, fire, or explosion in one
unit could affect adjacent units and lead to additional
accidental releases.
Evaluation of the compatibility of chemicals between
process units and adjacent storage areas, and between the
adjacent storage areas themselves
Evaluation of the location of individual facility process
and storage areas relative to utility and other plant
areas, considering such items as ignition sources, an
incident in a process or storage area affecting a criti-
cal utility system, and potential effects on other areas
from incidents in process and storage areas.
Evaluation of the distance between various parts of the
facility and property lines and of special terrain
features.
Process areas: should be well separated from utilities,
storage, office, and laboratory areas.
Process and storage areas for flammable materials:
should be in the prevailing downwind direction from
118
-------�
ignition sources, or otherwise located away from ignition
sources to the extent possible.
Hazardous units: separation distances from all critical
areas such as control rooms and process computer instal-
lations should at least be similar to those specified for
flammable materials as given in Lees (1) for example.
Administrative buildings and warehouses: preferably
located at the periphery of the plant.
Control rooms: should be protected from potential fire
or explosion damage and from the adverse affects of an
accidental release. Where possible, process control
rooms should be located at the perimeter of the unit they
control.
Spacing of Process and Storage Areas
Inter- and intra-unit spacing: consideration of the
distance between risk areas, and between equipment and
systems within risk areas.
Spacing of equipment: should consider the nature of the
materials, quantity, operating conditions, sensitivity of
the equipment, the need to combat fires, and the concen-
tration of personnel and hardware valuables in a given
area.
Storage tanks: should be reasonably spaced and appropri-
ately diked. Applicable codes and standards should be
adhered to as a minimum requirement.
119
-------�
Toxic materials in processes or storage areas: special
considerations of spacing and isolation.
Easy isolation and containment of hazardous materials in
an emergency: for example, is a critical shutoff valve
too close to the area of immediate impact in an accident?
Vehicular Access and Clearances
Entrances and exits to various facility areas: should be
adequate and free from uncontrollable obstruction in an
emergency. For example, would a rail car accident on
plant property block the only access road in or out so
that emergency equipment could not respond to such an
accident?
Access: there should be a minimum of at least two means
of access or egress to the facility and critical areas
within the facility.
Overhead clearances: observed for possible collapse and
obstruction of access or egress in emergencies; also
observed as the possible cause of a chemical release
incident due to a collision with vehicular traffic.
Security
Security considerations are included in the facility layout
evaluation because of the possibility of deliberate or acci-
dental sabotage. The facility property should be fenced and
access limited through gates under ready observation or direct
control of facility security personnel.
120
-------�
B.4 Pressure Relief System Evaluation
Purpose
The purpose of this evaluation is to evaluate the adequacy of pressure
relief systems designed to prevent rupture of vessels, pipelines, or equipment
which would result in the uncontrolled release of toxic, explosive, or flamm-
able materials.
Procedures
Design and Procedures Review
Review of the need for and extent of pressure relief
systems by examining process flow diagrams, process and
storage conditions, and process instrumentation diagrams.
Review of maintenance and engineering records on relief
systems.
Questioning of appropriate plant personnel about current
installations, practices, and procedures.
Field Inspection
Visual inspection of relief systems in a convenient
priority sequence determined by a consideration of hazard
potential, location in the plant, and inspection sched-
ule.
Examination of process equipment for the presence of
protection and its overall adequacy.
121
-------�
Examination of individual relief devices and systems for
proper configurations and specifications.
Checking of nominal pressure and temperature ratings on
vessels and other equipment against actual use condi-
tions.
Examination of the physical condition of pressure relief
equipment.
Key Factors
Evaluation of the appropriateness and applicability of the
relief system includes the following considerations:
- Relief systems: should be in place and functional on all
equipment where it is required by codes and standards,
and other equipment where the hazard for rupture from
overpressure exists.
Safety relief valves: should be provided on the dis-
charge side of positive displacement pumps, between
positive displacement compressors and block valves,
between back-pressure turbine exhaust flanges and block
valves, and on any equipment where liquid can be blocked
in and later warmed, or where chemical reactions, exter-
nal fire, overfilling, or other process malfunction could
result in equipment internal overpressure.
Vacuum relief devices: should be used where vacuum drawn
on equipment, if blocked in, could cause equipment
collapse from external pressure.
122
-------�
Relief devices: should be of the proper type and
specifications for the application. State-of-the-art
equipment should be used where possible on equipment
containing large inventories of toxic materials.
Specifications: including sizes, construction materials,
relief set pressure, set pressure tolerances, and service
temperature range. These must be compatible with and
specific to process conditions.
Consideration should be given to the possibility of
solids formation which could plug relief device inlets,
outlets, and working mechanisms, (e.g. polymerization of
monomer vapors from condensation on cold surfaces).
Sizing
Sizing: based on the maximum relief rate after consider-
ation of four relief situations:
a. Fire exposure
b. Reaction/decomposition overpressure
c. Maximum fill rate
d. Thermal expansion
Relief devices: should be sized using accepted pro-
cedures of the American Petroleum Institute (Recommended
Practice for the Design and Installation of Pressure
Relieving Systems in Refineries, Part I - Design, API,
1973) the National Fire Protection Association (NFPA 30
and NFPA 68), the American Society of Mechanical Engi-
neers (ASME) Boiler and Pressure Vessel Code, Section
VIII, consistent with type of service. Sizing for
123
-------�
reaction/decomposition cases can be done using methods
developed by the Design Institute for Emergency Relief
Systems (DIERS), which was sponsored and published by the
American Institute of Chemical Engineers (AIChE) (18).
Conf igurat ion
Evaluation of the possible hazards of manifolding, such
as discharge of incompatible materials.
Overall installation: should provide for ease of re-
moval, inspection, testing, and replacement of the relief
devices.
Relief devices: should not be blocked by shut-off valves
upstream or downstream unless a fail-safe system is
provided with parallel relief such that both relief lines
cannot be out of service at the same time, or some other
means is used to protect the shut-off valves from
improper closure. The former is sometimes accomplished
using a 3-way, 2-port valve upstream of dual relief
valves such that only one can be isolated at a time.
Protection from shut-off is accomplished using breakable
seals or even locks on shut-off handles to indicate or
prevent unauthorized closure.
Outlets not leading into common manifolds or flares:
should be directed in a safe manner. This means that
they should not be directed toward personnel or equipment
where the discharge could cause fire, explosion, serious
contamination, or other accidents. This is especially
important in the ignited pressure relief of flammable
124
-------�
materials where impingement of flame on vessels or other
equipment could have serious consequences.
Vents: should normally terminate outside of buildings
and be at a height that minimizes exposure hazards.
Discharge piping: should be supported independently of
the relief valve to withstand dynamic forces involved
when relief valve opens.
Drain connections, weep holes, or rain guards: should be
provided on relief discharge piping where rain, snow, or
condensation could accumulate and plug the discharge.
Low inertial covers may be provided in some cases.
Rupture disks used in series with safety relief valves:
a pressure gauge or other pressure indicator should be
provided between the rupture disk and relief valve to
indicate disk integrity. A pressure reading indicates
that the rupture disk must be replaced.
Blockage: auxiliary devices which might plug, such as
check valves, or flame arresters should not be installed
on relief system piping. Pipe plugs or caps should not
be present on relief valves.
Backpressure effects: should be considered for effect on
relief valve operation, especially when several valves
discharge into a common system.
Location: Safety relief valves should be located as
close as practical to the equipment they protect to
minimize pressure drop and valve "chattering."
125
-------�
Inlet piping: Should not be less than same nominal pipe
size as relief valve inlet.
Discharge piping: Should not be less than same nominal
pipe size as relief valve outlet. Should be run as
directly as possible with minimum changes of direction.
Common headers: Should have a cross sectional area at
least equal to the total of the connected valves.
Pressure reducing stations: For steam, air gas, etc.,
should be fitted with safety relief valves on low pres-
sure side. Safety relief valve should be sized to carry
bull load of reducing valve and its bypass.
Inspection and Testing
Safety relief valves: should be periodically inspected
for structural integrity and for signs of corrosion or
plugging. Materials that undergo polymerization, or are
extremely corrosive may require especially frequent
inspections.
Safety relief valve repair firms, including in-house
testing units, should have a current certificate of
authorization from the National Board of Boiler and
Pressure Vessel Inspectors and have a "VP" stamp.
Pressure indicators on rupture disk installations:
should be periodically checked for indications of rupture
disk activation or leakage.
126
-------�
Safety relief valves: should be tested for opening at
the required set pressure and for proper reseating.
Inspection frequencies: should follow a fixed schedule
commensurate with the type of service and risk associated
with a system failure. Safety relief valves should be
inspected at least once in five years and as much as
annually or more in high hazard applications.
Records of inspections and testing: should be main-
tained.
B.5 Maintenance and Structural Integrity Evaluation
Purpose
The purpose of this evaluation is to assess the adequacy of maintenance
procedures and the structural integrity of equipment.
Procedures
Discussions with maintenance personnel are held and written maintenance
procedures and records are examined. The physical facility as a whole and
individual equipment items believed to be most hazardous are examined during a
site tour. Maintenance equipment and facilities are also observed.
Key Factors
Maintenance Organization and Scheduling System: the overall
maintenance organization and scheduling system is reviewed
with key maintenance personnel by examining written procedures
and records.
127
-------�
Staffing levels should be appropriate for the size of the
facility. Changes in staff levels are compared to
changes in the physical facility. For example, has
staffing kept pace with and is it of the appropriate type
for recent plant modifications or additions?
Examination of staff qualifications and skill levels
relative to the .hazard potential of the specific opera-
tion.
Evaluation of the duties and responsibilities of contract
versus in-house maintenance. In-house supervision or
auditing of contract maintenance should be sufficient to
ensure satisfactory contractor performance.
Review of systems for work order initiation and implemen-
tation are reviewed.
Review of procedures for maintenance scheduling and
ranking to ensure that high hazard areas are properly
recognized.
Evaluation of the extent and adequacy of preventive main-
tenance. The frequency of such maintenance is considered
in light of the kinds of equipment and systems involved,
their potential inherent reliability, and the conse-
quences of failure.
Inspection, Testing, and Monitoring Program (ITM Program)
Determination of the presence or lack of an inspection
testing and monitoring program for process equipment and
instrumentation.
128
-------�
Evaluation of the ITM program in terms of four areas:
a. Vessels, piping, and other process equipment,
b. Rotating equipment, and
c. Instrumentation.
d. Utility systems (steam, water, air, electrical.
etc.)
Factors considered for a formal ITM program:
a. Severity of service (defined by operating tempera-
tures and pressures and corrosiveness of materials
used in the equipment),
b. Hazard potential of specific chemical and equipment
used, and
c. Size of process facility and ITM program resource
requirements.
Visual inspections of the presence and extent of corro-
sion, cracks, and improper installation such as inade-
quate foundations, missing supports, excessive vibration,
etc.
Testing: may include determination of wall thickness,
corrosion rates, the presence of cracks or pinholes,
pressure tests, and temperature tests.
Testing methods: include ultrasonics, radiography,
liquid penetrant, magnetic particle, eddy current,
acoustic emission, visual leak testing, and others.
Special tests may be required for vessels lined with
glass, rubber, or other polymeric materials.
Assessment of the need for continuous monitoring methods
or programs.
129
-------�
Inspections for rotating equipment: include vibration
analysis and monitoring, unusual sounds, and leakage
around rotating parts, in addition to inspection items
used for other equipment.
Instrumentation ITM: depends on how important the
instrumentation is to the process and the kinds of
instruments involved. For example, thermocouples may be
more reliable than resistance temperature devices.
Maintenance Record Keeping
Engineering drawings and design specifications on equip-
ment should be retained and readily available.
Records of inspections, tests, repairs, and modifications
should also be available.
Equipment records should include a detailed safety check
list for inspections, testing, and maintenance. Such
check lists should cover special precautions and proce-
dures to be taken before, during, and after maintenance
work.
Maintenance work order and scheduling records should be
maintained.
Physical Condition of Equipment
Visual examination of the physical condition of equipment
for signs of excessive corrosion, structural weathering,
and physical flaws such as cracks or other physical
damage.
130
-------�
Examination of the integrity of insulation, especially of
storage tanks and other equipment containing hazardous
materials where accumulated moisture under damaged
insulation could cause external corrosion.
Examination of instrumentation and control equipment to
ensure that housings and enclosures are in place to
prevent dirt, moisture, and corrosion from impairing the
accurate functioning of the equipment.
Examination of control valves for worn or sticking stems,
and of other valves for excessive corrosion, indicating
they might be inoperable in an emergency.
Examination of the integrity of foundations and struc-
tural steel supports for evidence of cracks, subsidence,
and corrosion.
Examination of rotating equipment for evidence of vibra-
tion, leaks, and unusual or abnormal noises.
Design Specifications and Plant Practices
Design specifications for pressure and temperature: must
be adequate for the intended service, and plant practices
must be consistent with pressure and temperature specifi-
cations. Unfired pressure vessels as a minimum standard
should be ASME Code, Section VIII Divisions 1 or 2
constructed and stamped. Other equipment should be
designed and constructed in accordance with recognized
codes and standards as a minimum requirement. Minimum
standards may not be adequate for toxic materials.
131
-------�
Safety controls for overpressure and overtemperature:
should be present and in good working order.
Type and location of sensors: as far as possible, a
sensor should directly measure the variable that must be
controlled.
Where backup systems are present: both the backup and
the primary system should be in good working order.
The most effective backup system: one that functions on
a different principle than the primary system.
Materials of construction and corrosion allowances: must
be appropriate for the service at hand.
Proper construction and installation of equipment:
including provision for ease of inspection and mainte-
nance .
Piping systems: should be designed with allowance for
stresses and movement due to thermal expansion, and
systems should be properly supported and guided.
Piping systems: should be uncluttered, with valves and
lines labelled or easily identifiable.
Systems: should be designed so that the failure of one
valve or sensor does not result in an accidental release.
All instrumentation should be fail-safe.
132
-------�
Valves and fittings: should be appropriate to their
intended service. Threaded fittings are inappropriate
for most piping handling hazardous materials.
Backflow protection: must be present in lines where
backflow is a hazard. A single backflow device is rarely
sufficient and some devices provide more reliable protec-
tion than others.
Flexible hoses: should be used only where necessary.
Some type of operational audit system, or physical
systems should be in place to prevent using hoses in
situations they are not designed for. Hoses should be
inspected regularly for signs of wear or abuse.
Freeze protection: should be provided where required,
especially in cold water lines, instrument connections,
and lines in dead-end service such as piping at standby
pumps.
Lubrication and cooling systems for process machinery:
should be in good working order. Oil filters should be
used for lubrication to critical components.
B.6 Fire Protection Evaluation
Purpose
The purpose of the fire protection evaluation is to assess the potential
contribution of fire or explosion to an accidental release. The fire protec-
tion system is evaluated for its ability to control or extinguish a fire,
limit its extent, and limit the ensuing damage. The fire protection system
must especially protect facilities containing toxic chemicals. A fundamental
133
-------�
principle is to maintain operations outside the explosive range of flammable
materials.
Procedures
Review of Drawings
Examination of the plant process diagrams and layout
drawings to identify areas where combustible, flammable,
or explosive materials are used and stored.
Review of drawings of the fire protection systems to
identify the location of the water supply, the distribu-
tion system, sprinkler systems, fire monitors, hydrants,
and special fire fighting equipment.
Review of Written Procedures
Review of emergency response plans to evaluate lines of
authority, communications, and general procedures.
Documentation of fire protection team personnel assign-
ments and training procedures.
Discussions with Personnel: interviews with personnel respon-
sible for fire protection concerning history, current pro-
cedures, problem areas, and future plans.
Site Inspection: inspection of fire protection systems in
light of the many considerations listed below under Key
Factors.
13A
-------�
Comparison of specific practices with applicable fire codes,
discussion of good practices that may not be explicitly
covered by codes, and evaluation of practices in the context
of site-specific considerations.
Selected National Fire Protection Association Codes with
special significance for chemical process plants include, but
are not restricted to, the following (20):
Code Title
11 Foam Extinguishing Systems
12 Carbon Dioxide Systems
12A & B Halon Systems
13 Sprinkler Systems Installation
14 Standpipe and Hose Systems
15 Water Spray Fixed Systems
16 Foam-Water Sprinkler and Spray Systems
17 Dry Chemical Systems
19B Respiratory Equipment for Firefighters
20 Centrifugal Fire Pumps
22 Water Tanks
24 Private Fire Service Mains
30 Flammable and Combustible Liquids Code
385 Tank Vehicles for Flammable and Combustible
Liquids
386 Portable Shipping Tanks
43A Storage of Liquid and Solid Oxidizing Materials
43C Storage of Gaseous Oxidizing Agents
493 Intrinsically Safe Apparatus
496 Purged Enclosures for Electrical Equipment
50 Bulk Oxygen Systems
50A & B Gaseous and Liquid Hydrogen Systems
135
-------�
Code Title
54 National Fuel Gas Code
58 Liquified Petroleum Gases, Storage and Handling
59 Liquified Natural Gas, Storage and Handling
61A Manufacturing and Handling Starch
63 Industrial Plants Dust Explosions
654 Plastics Industry Dust Hazards
66 Pneumatic Conveying Systems
69 Explosion Prevention Systems
71-72 (Signaling Systems and Fire Detectors)
76A Essential Electrical Systems
231 General Storage Indoor
231C Rack Storage of Materials
512 Truck Fire Protection
1961-1963 (Fire Hose and Connections)
1 Fire Prevention Code
13A Sprinkler Systems Maintenance
27 Private Fire Brigades
291 Fire Hydrants Uniform Makings
329 Underground Leakage of Flammable and
Combustible
Liquids
497 Electrical Installations in Chemical Plants
68 Explosion Venting Guide
70B Electrical Equipment Maintenance
80A Protection from Exposure Fires
136
-------�
Key Factors
Water Supply and Distribution
Water sources: must be of adequate capacity, quality,
and reliability. Supply pressure and a backup supply of
adequate capacity are fundamental considerations.
Redundancy of supply: may be advisable in some high risk
situations. Water bodies may require pretreatment, such
as filtration and chlorination to remove dirt and debris
and control organisms that could plug the system.
In-plant reservoirs or reserve supplies should typically
provide at least 4 hours of coverage. This depends on
the availability of other sources and the nature of
potential fires.
Distribution system: should consist of a looped or
gridded network of large-diameter pipe, feeding all of
the fire protection systems and equipment requiring
water. Underground piping or appropriate freeze protec-
tion should be used, depending on climate. Where above
ground portions of the system are run, they should be
secure from mechanical, fire, and explosion damage, and
freezing weather.
Pumps: must provide adequate pressure and volume for the
plant requirements.
Additional pumps may be required because of plant expan-
sion or modifications.
137
-------�
Pumps should be automatically started, but in either case
startup must be reliable and secure in an emergency.
Adequate protection must be provided to ensure that
lines, pumps, valves, and discharge devices do not freeze
and impair the fire water supply.
Pump suction supply: normally sized to provide maximum
flow rate for a minimum of four hours.
Evaluation of the sizing of the distribution system in
light of the size of the facility and nature of the
operation: normally a system is not sized to cover
simultaneous fires in all areas. However, sizing of
various portions of the system should account for the
actual layout of a specific plant since in some facili-
ties simultaneous demands on a fire protection system may
be greater than at others. A minimum diameter for
underground mains is 6 inches.
System pressures: sprinkler and water spray systems
should normally require between 50 to 100 psig.
Monitors, large hose systems and some foam systems may
require 100 to 150 psig. Fire trucks supplied by a main
can normally use 20 to 50 psig.
Fire pumps: should have capacities of 150% delivery
requirement at 65% of rated head.
Fire pumps: should preferably have automatic start
controls and a backup drive in the event of electrical
power failure. Diesel drives are usually preferred, but
if electric pumps are used, backups should be steam or
138
-------�
diesel; again diesel is usually preferred. Electric
pumps should be UL listed.
Adequacy of coverage considers but is not limited to the
following: fire protection for indoor and outdoor
storage of flammable liquids in drums, adequate spacing
and fire protection for flammable materials storage
tanks, fire protection in warehouses, fire protection of
cooling towers.
Sectional control valves in the underground fire mains
should divide the grid system into sections, limiting the
area subject to a single impairment. The number of
sprinkler risers and hydrants out of commission during
any change or repair should be specified depending on the
size of the area to be covered. With any one section
shut off, at least one water supply should be available
for the remainder of the system.
The distribution system should ensure protection of
structures and tankage.
Sprinkler and Deluge Systems
Sprinkler and deluge systems: used for localized and
broad area protection.
Automatic sprinkler protection: necessary for all
buildings containing combustible construction, or flam-
mable and combustible materials.
Evaluation of adequacy in terms of areas covered, the
density of coverage (flowrate per unit area), the
139
-------�
physical conditions of the system components, and
frequency of testing.
Sprinkler waterflow alarms: should give an audible local
alarm and automatically transmit water flow signals to a
central supervised location for any flow of water through
the sprinkler piping.
Automatic detectors: should be used where the quantity
of combustibles is limited or sprinklers are not compati-
ble with the hazard to be protected.
Hydrants and Monitors
Hydrants provide hose connections to the fire protection
water system. Monitors provide a fixed, quick response
discharge point for fire protection water streams.
Sufficient hydrants having at least two 2.5 inch hose
streams should be provided at any point in the property
where fire may occur regardless of wind direction. This
will require spacing hydrants 225 to 250 feet apart at
plant with ordinary hazards. At plants having highly
combustible occupancies, the spacing may need to be
reduced to 100 to 150 feet. For facilities with non-
combustible buildings and non-hazardous occupancies,
hydrant spacing may be extended to 250 to 300 feet. For
average conditions locate hydrants 50 feet from the
building or equipment protected.
Fire protection monitors: should be used to protect
equipment containing flammable liquids that is not in a
building or structure protected by automatic sprinklers.
140
-------�
Their principle advantage is to provide a quick stream of
water which can be operated by one man while hose lines
are being laid. Spacings of 200 to 250 feet.
Assessment of the possibility of blockage of streams from
fire monitors. Such blockage can occur when plant
modifications are made. For example, an additional tank
being put in behind an existing tank protected by a
monitor. The new tank is blocked from the monitor stream
by the existing tank. Portable monitors should be used
in such cases.
Building Protection and Portable Fire Extinguishers
Evaluation of fire protection for buildings in terms of
type of construction and contents.
Small hose stations: located inside buildings so that
every square foot of floor area is within 20 feet of a
hose nozzle attached to not more than 75 feet of 1.5 inch
woven jacketed rubber lined hose or equivalent. The
nozzles should be the combination spray and solid stream
with shutoff.
Small hose: preferably attached to risers independent of
the sprinkler system if hose streams are considered
needed when sprinklers are not operating. If this cannot
be arranged, small hose may be attached to 2.5 inch or
larger pipe on a wet pipe system.
Portable fire extinguishers: available in sufficient
number, located where they are readily accessible, and in
good operating condition.
141
-------�
Fire walls, partitions, and barricades: provided to
separate personnel areas, high value property, critical
process units, and critical utility and auxiliary units.
Foam Systems and Other Special Protection
Special fire hazard protection: includes foam systems,
carbon dioxide, dry chemicals, and explosion suppression
systems.
Fire extinguishing agents: compatible with process
materials.
Fire Proofing and Structural Protection
Fire proofing as a surface coating material: gunite or
other synthetic material. A UL standard is for two hours
of protection (21). However, hourly rating should be
chosen as appropriate for situation.
Fire proofing: used on structural steel and on walls of
vessels in a chemical process area, applied by spraying
or spread coating onto the structure. It should be
present in all areas where equipment may be exposed to
fire. It should be used on all main load-bearing
structural members that support either process piping or
equipment within hazardous areas. Fireproofing on vessel
walls is not a common practice.
Evaluation of the adequacy of fire protection in terms of
type, thickness, coverage, and integrity of the coating.
Gaps or peeling are a basis for rejection.
142
-------�
Fireproofing should extend at least 30 feet above
potential pool fires.
Fire proofing should be provided for valve operators for
all emergency safety devices.
Mobile Fire Apparatus
Mobile fire apparatus: may consist of fire trucks or
hand carts.
Fire apparatus: located in areas protected from but
accessible to plant areas where fires are likely.
Equipment: should be in sound condition and subjected to
periodic tests.
Evaluation of the adequacy of the equipment in terms of
capacity and presence of the right kinds of equipment for
the types of fires likely to occur in the specific
facility. If ponded water is a source of supplementary
water, an inlet system needs to be in place to ensure
that blockage of suction hose can not occur.
Alarm Systems
Alarm Systems: consist of various combinations of
sensors and alarm devices and should be appropriate to
the intended fire hazard. Sensors may be based on
detection of flammable vapors or heat, for example. The
selection would depend on the specific situation.
143
-------�
Evaluation of sensor locations relative to locations of
flammable materials and ignition sources.
Evaluation of the physical condition of sensors and alarm
systems.
Evaluation of system adequacy in terms of location,
coverage, and sensitivity.
Flow alarms: should be provided on sprinkler systems to
indicate their activation.
Fire Emergency Response Organization
Lines of authority and communications for fire emergen-
cies: should be clearly defined and readily available to
all plant personnel.
Procedures, individual assignments, and emergency num-
bers: should be clearly posted in operator control room
and other areas where personnel are likely to be in an
emergency situation.
Training procedures: should be clearly defined and
written. Training program should include both formal
classroom type instruction as well as field drills with
equipment. For high hazard areas good practice suggests
simulated incidents as well. Training frequency should
be consistent with the risk associated with a given
process area.
A cadre of assigned individuals should form the core of a
fire fighting team. The size of this team will depend on
144
-------�
the size of the plant and the level of risk and must be
adequate to at least contain an incident, if outside help
is available. If outside help is not available the team
must be of sufficient size and training to fully control
an incident on its own.
Maintenance of Fire Protection Equipment
A regular program of scheduled inspections, tests, and
preventive maintenance on fire protection equipment
should be adhered to.
Plant Layout Considerations
1. Adequate spacing, diking, and drainage:- should be
provided for process equipment and tanks of flammable and
combustible materials.
2. Flammable storage pumps, compressors, and other equipment
should be specific distances from ignition sources.
Location near toxic materials should be avoided where
possible.
3. Adequate drainage: should be provided to avoid large
concentrations of flammable materials in the event of
spills. It should be pitched to drain away from high
hazard structures with a minimum of 1% grade.
B.7 Electrical System Evaluation
Purpose
The purpose of the electrical system evaluation is to determine to what
extent the electrical system could contribute to an accidental release through
145
-------�
design, operation, or reliability deficiencies. All portions of the electri-
cal system should be installed in accordance with the National Electric Code
or stricter standards. Individual components should comply with the accept-
ability criteria of recognized testing organizations.
Procedures
The overall electrical system is reviewed through discussions with plant
personnel, by a plant inspection tour, and by evaluation of written data and
drawings.
Key Factors
Reliability
Total power requirement and sources of electrical power
to the plant: evaluation of the reliability of the
sources (public utility system, private system, cogenera-
tion system), including the history of outages, and
examination of the physical source of power into the
plant from outside power sources or from generating
facilities within the plant for location and physical
condition.
Evaluation of locational factors: proximity to flood-
prone areas or areas within exposure zones of fire,
explosions, or frequency of lightening.
Evaluation of the nature and extent of redundancy backup
power system: focusing primarily on critical areas,
including major power sources such as diesel generators
for a whole process area, and battery backup units for
individual processes or specific critical control ele-
ment s.
146
-------�
Evaluation of historical reliability: including the
frequency and duration of outages at the plant.
Determination of whether the facility has considered
implications of power outages for the process unit as a
whole as well as individual components such as instrumen-
tation for specific intervals ranging from say, one
minute to two hours.
Evaluation of voltage variations in light of possible
effects on sensitive equipment. Could power surges
damage a critical component in a control system such as
software on a disk drive in a process control computer?
Evaluation of the configuration of the distribution
system in terms of the adequacy of loops or independent
circuit to different process area. Within a process
area, electrical load blocks should correspond to process
load blocks.
Electrical system: should be physically protected to
minimize exposure to fire, corrosion, and mechanical
damage; should be simple in schematic and physical layout
to minimize human error in isolation load transfer; and
should be accessible for ease of repair and maintenance.
Electrical system: should have adequate instrumentation
for monitoring and the efficient diagnoses of failures,
and protection by fuses and circuit breakers should be
adequate.
147
-------�
Bonding and grounding: should be provided to protect
personnel and protect systems from static buildup and
lightening.
Maintenance and testing: the nature, frequency, and
adequacy for power transformers, circuit breakers, relays
and other devices, whether by the utility company,
outside contractors, or the company, is evaluated.
National Electric Code (NEC) Compliance
The electrical system in a chemical plant must conform to
the specifications for hazardous locations as specified
in Section 501-5(a) of the National Electric Code (NEC).
Process and storage areas are viewed in terms of the NEC
hazardous location class, division, and grouping system.
For example, Class I - Division II - Group D describes
areas where flammable liquids and gases are handled, but
are normally confined within closed systems, and where
chemicals are typical organics. Other common categories
for chemical plants include chemicals in Groups B and C.
Class II areas, which is for atmospheres containing
combustible dust, and Class I - Division I service, which
is for atmospheres which continuously or intermittently
contain high concentrations of flammable gases or vapors.
Key principles to be checked: isolation of the elec-
trical system components and containment of the flame
front should ignition occur inside of equipment. In
practice this is accomplished by sealed conduits, circuit
breakers, lights, motors, and switches.
148
-------�
Evaluation of proper pressurization and venting of closed
areas.
Inspectors: should be alert to the use of any portable
electrical equipment not conforming to NEC codes.
Evaluation of equipment maintenance conditions by obser-
vations of specific components of the electrical system
such as: outside electric lines, insulators, support
structures, switchgear, distribution panels, circuit
breakers, lighting, grounding systems, motor starters and
control centers, generators, transformers, relays, and
lightening arresters.
B.8 Transportation Practices Evaluation
Purpose
The purpose of this evaluation is to assess the potential for a transpor-
tation incident causing an accidental release on plant property or elsewhere.
Areas of concern include: loading and unloading procedures, adequate design
of vehicles to handle the materials they transport, inspection and maintenance
practices, and practices regulating the movement of vehicles within the plant.
Procedures
Review of written guidelines and procedures pertinent to
in-plant transportation practices.
Inspection of loading and unloading areas, along with
equipment and selected vehicles that happen to be present
at the time of the visit.
149
-------�
Discussions with both supervisory and operating personnel
associated with transportation.
Key Factors
Review of General Transportation Procedures.
Determination of vehicle type and of the rationale for
the use of these vehicles. The compatibility of the
vehicle with the type of service is evaluated in terms of
materials being hauled in adherence to Department of
Transportation requirements as well as special procedures
and requirements established by the individual plant and
company.
Evaluation of construction materials, and vehicle tank
specifications in terms of pressure ratings, temperature
ratings, wall thicknesses, valving, and on-vehicle
sensors and instrumentation relative to the kinds of
materials being shipped.
Evaluation of special practices, such as refrigerated and
insulated vehicles for temperature sensitive products
from a "what-if mentality.
Brief visual inspections of vehicles may be made at the
time of the inspection to look for malfunctioning, poorly
maintained, or incorrect equipment, such as inappropriate
pressure relief devices.
Review of plant procedures for routine inspections.
150
-------�
Consideration of extra precautions taken for pressurized
tank vehicles and high hazard materials.
Review of certification procedures, usually through
discussions with plant personnel. Such procedures would
cover verification of the previous contents of the
vehicle, cleaning after the last load, and similar
considerations.
Review of numbers, frequency of shipments, and sizes of
shipments.
Review of Loading and Unloading Operations
Examination of the use and scope of loading checklists.
Methods of overfill protection: common procedures for
overfill protection include level sensors, automatic
shut-off actuated by quantity totalizers, scales and load
sensors, and reliance on operators. For hazardous
materials an overfill protection system should have a
back up.
Spill control measures: provisions should be available
for both containment and cleanup, and where highly
volatile materials or gases are involved, the plant
should have a contingency plan for responding to air
borne releases.
Availability of automatic shut-offs actuated by abnormal
conditions and remote shut-offs: in case equipment can
not be reached during an emergency.
151
-------�
The responsibilities of the plant personnel and the
driver: should be clearly defined and understood. For
high hazard loading and unloading operations a plant
representative should always be present.
Review of labeling, stenciling, placarding, and other
informational practices for compliance with DOT require-
ments and a plant's own special requirements.
Review of controls on in-plant routing and stationing of
vehicles. Potential hazards related to these factors
include the potential for vehicular collisions with
equipment in tight areas and vehicle accidents caused by
poor locational practices. As an example of the latter,
a fully loaded tank trailer parked off the pavement on
soft ground, could overturn as a result of the wheels
sinking on one side and the vehicle falling over.
Definition of procedures for the management of rail car
traffic on the plant premises. Special provisions for
protection against derailment incidents are noted.
Review of procedures for dealing with liquid heels in
tank vehicles. It is common practice not to sample or
analyze the heels in vehicle tanks dedicated to a single
service. Plant procedures for avoiding cross-
contamination of products in transportation vehicles and
receiving racks are evaluated.
Evaluation of equipment condition and its use. For
example, do hoses show signs of significant abrasion and
where? Are couplings appropriate for the type of ser-
vice? What precautions are taken to maintain cleanliness
152
-------�
in filling and unloading equipment where contamination
could be hazardous? Is equipment being used as it was
intended, or has jerry-rigging occurred as products have
changed?
Evaluation of precautions used for static electricity
grounding.
Check valves and/or other precautions: should be in
place to prevent backflow and siphoning conditions form
occurring.
Color coding or other means of designating multiple lines
and spouts: desirable at multi-material loading and
unloading facilities.
Are flow rate limiters in use?
Is there thermal expansion relief for blocked-in valve
lines?
Evaluation of procedures to prevent drive-away with the
attendant breakage of lines and accompanying chemical
releases.
Recalibration of gaging and metering equipment: should
be carried out periodically.
Off-Site Risks
Review of driver qualification, training, and certifica-
tion procedures.
153
-------�
Review of accident histories for clues as to potential
causes and impacts of future incidents. Changes in
equipment or procedures occasioned by previous incidents
are noted.
Review of routing procedures in the context of DOT
regulations, special local rules, and other considera-
tions that may be specific to the plant and the materials
it handles.
a. DOT regulations
b. Other considerations
B.9 Contingency Plan and Emergency Response Coordination
Purpose
The purpose of the emergency response evaluation is to ensure that
adequate procedures and equipment are in place to reduce the effects of an
accident on people and property both within and outside the plant. Plant
personnel and, where necessary, personnel from local emergency response
agencies should be trained to participate in plans for controlling plant
emergencies during large windstorms, earthquakes, floods, power failure,
fires, explosions, and accidental releases.
Procedures
Review of Written Procedures: written procedures are reviewed
and the accessibility of these procedures to plant personnel
are observed. Written procedures are evaluated in terms of
comprehensiveness and specificity to the peculiarities of the
individual facility. Recognition of the most significant
hazards is noted.
154
-------�
Discussions with Plant Personnel: the interviewing of selec-
ted plant personnel to evaluate their perceptions, to gauge
their knowledge and attitudes toward emergency response, and
to obtain additional factual information for use in the
evaluation.
Key Factors
Evaluation of contingency plans for dealing with various
emergencies in terms of the following:
The plan should be comprehensive and cover fire, explo-
sion, and chemical releases.
The plan should be specific. It should clearly designate
responsibilities for individual unit personnel as well as
plant personnel involved in fire fighting teams, medical
teams, evacuation teams, etc. It should also address
specific high hazard situations such as incidents in
specific units or process areas, and specific kinds of
incidents such as the accidental large release of a toxic
chemical.
Plans should be up to date. A process plant is rarely a
static entity. Changes and modifications made over the
years may affect process hazard potential. Corresponding
changes in emergency response plans should also be made
and clearly dated to allow evaluation of the appropriate-
ness of the current plan.
Evaluation of the availability of the plan to plant
personnel: this includes physical distribution of the
155
-------�
plan and the way it is stored and treated by plant
personnel.
Responsibilities for personnel: should be clearly
defined. The definition of responsibilities for the
evening and night-time work shifts is especially impor-
tant, since staffing on these shifts is usually less than
in the day time.
Personnel Training
Personnel training programs: should include written
materials and include both formal "class room" instruc-
tion as well as field drills.
Instruction and drills: commonly cover routine fire
fighting and some times non-catastrophic spills. For
areas with high hazard potential, specific drills for
dealing with potential catastrophic incidents are impor-
tant.
Evaluation of operator awareness: by questioning them
about what incidents they consider to be the greatest
hazards in their areas and how they might respond to such
incidents.
Emergency Communications Systems
Communications systems available for dealing with emer-
gencies: may include telephones, radios, signals, and
alarms.
156
-------�
Evaluation of the effectiveness and reliability of the
communications system. Because telephone lines may be
out of service in an emergency, radio communication is an
important backup.
Definition of communications responsibilities and plans
for relaying information in times of emergency.
Consideration of alternatives to telephone and radio
communications, such as area wide alarm signals.
Emergency Response Equipment
Emergency response equipment availability: may include
air packs, chemical suits, medical packs, and mobile tool
kits.
Evaluation of the effectiveness and reliability of the
equipment. The total available supply of emergency
breathing air is critical.
Coordination with Outside Agencies and the Community
Evaluation of the availability of support facilities,
equipment, and personnel. Support facilities include
hospitals, emergency aid stations, and fire stations.
Equipment includes fire vehicles, ambulances, and
specialized tools. Numbers and skills of support
personnel are noted. Because chemical plant operations
can sometimes be esoteric to the outside community, the
hazard potential of a facility may be reduced if outside
authorities and emergency services are properly informed
and are familiar with the plant and its operations.
157
-------�
Local fire departments should be aware of the methods and
equipment necessary, to fight a chemical fire for each
chemical in use. The plant's program in this regard is
evaluated.
Consideration of plant participation in joint training
activities with the community.
Consideration of the proximity of support facilities and
response times. Response times longer than 15-20 minutes
are reaching the extreme of utility for an emergency
response.
Consideration of -accessibility to the plant and various
areas within the plant, especially to how emergency
access and egress may differ from normal entrance and
exit patterns.
Review of plans for emergency notification of the com-
munity and for community evacuation. While a community
evacuation plan is beyond the control of the plant,
recognition of the need for such a plan and steps the
plant may have taken to have the community develop such a
plan are noted.
Mutual aid from neighboring industry: is it available?
Evaluation of general community relations and of histori-
cal relations by discussions with plant personnel. This
may be important in engaging community support in emer-
gencies, as well as in securing the plant against pos-
sible sabotage.
158
-------�
APPENDIX C
GLOSSARY
This glossary defines selected terms used in the text of this manual
which might be unfamiliar to some users or which might be used differently by
different authors.
Accidental release; The unintentional spilling, leaking, pumping, purging,
emitting, emptying, discharging, escaping, dumping, or disposing of a toxic
material into the environment in a manner that is not in compliance with a
plant's federal, state, or local environmental permits and results in toxic
concentrations in the air that are a potential health threat to the
surrounding community.
Alkane: A chemical compound consisting only of carbon and hydrogen in which
the carbon atoms are joined to each other by single bonds.
Assessment; The process whereby the hazards which have been identified are
evaluated in order to provide an estimate for the level of risk.
Autocatalytic; A chemical reaction which is catalyzed by one of the products
of the reaction.
Carcinogen; A cancer causing substance.
Containment/Control; A system to which toxic emissions from safety relief
discharges are routed to be controlled. A caustic scrubber and/or flare can
be containment/control devices. These systems may serve the dual function of
destructing continuous process exhaust gas emissions.
159
-------�
Contingency Plan; A plan which describes the actions that facility personnel
will take to minimize the hazards to human health or the environment from
fires, explosions or accidental releases of hazardous materials.
Control System; A system designed to automatically maintain all controlled
process variables within a prescribed range.
Creative Checklist; A list of major hazards and nuisances designed so that
when an individual item from the list is associated with a particular material
or a significant part of a unit, an image of a specific hazard or nuisance is
generated as a stimulus to the imagination of members of a multidisciplinary
team.
Creative Checklist Hazard and Operability Study; A Hazard and Operability
Study which uses a Creative Checklist to stimulate a systematic, yet creative
search for hazards.
Emergency Response Plan; A plan of action to be followed by source operators
after a toxic substance has been accidentally released to the atmosphere. The
plan includes notification of authorities and impacted population zones,
minimizing the quantity of the discharge, etc.
Event Tree; A logic diagram which depicts all pathways (success and failure)
originating from an initiating event.
Exothermic; A term used to characterize the evolution of heat. Specifically
refers to chemical reactions from which heat is evolved.
Facility; A location at which a process or set of processes are used to
produce, refine or repackage chemicals, or a location where a large enough
inventory of chemicals are stored so that a significant accidental release of
a toxic chemical is possible.
160
-------�
Fault Tree; A logic diagram which depicts the interrelationships of various
primary events and subevents to an undesired top event.
Fire Monitor; A mechanical device holding a rotating nozzle, which emits a
stream of water for use in firefighting. Fire monitors may be fixed in place
or may be portable. A fire monitor allows one person to direct water on a
fire whereas a hose of the same flowrate would require more than one person.
Guide Word Hazard and Operability Study; A Hazard and Operability Study which
uses Guide Words to stimulate a systematic yet creative search for hazards.
Hazard; A source of danger. The potential for death, injury or other forms
of damage to life and property.
Hazard and Operability Study; The application of a formal systematic critical
examination to the process and engineering intentions of the new facilities to
assess the hazard potential of maloperation of individual items of equipment
and the consequential effects on the facility as a whole.
Hygroscopic; Readily taking up and retaining moisutre (water).
Identification; The recognition of a situation, its causes and consequences
relating to a defined potential, e.g. Hazard Identification.
Lachrymator; A substance which increases the flow of tears.
Mitigation; Any measure taken to reduce the severity of the adverse effects
associated with the accidental release of a hazardous chemical.
Mutagen; An agent that causes biological mutation.
Plant; A location at which a process or set of processes are used to produce,
refine, or repackage, chemicals.
161
-------�
Prevention; Design and operating measures applied to a process to ensure that
primary containment of toxic chemicals is maintained. Primary containment
means confinement of toxic chemicals within the equipment intended for normal
operating conditions.
Primary Containment; The containment provided by the piping, vessels and
machinery used in a facility for handling chemicals under normal operating
conditions.
Probability/potential; A measure, either qualitative or quantitative, that an
event will occur within some unit of time.
Process; The sequence of physical and chemical operations for the production,
refining, repackaging or storage of chemicals.
Process machinery; Process equipment, such as pumps, compressors, heaters, or
agitators, that would not be categorized as piping and vessels.
Protection; Measures taken to capture or destroy a toxic chemical that has
breached primary containment, but before an uncontrolled release to the
environment has occurred.
Pyrophoric; A substance that spontaneously ignites in air at or below room
temperature without supply of heat, friction, or shock.
Qualitative Evaluation; Assessing the risk of an accidental release at a
facility in relative terms; the end result of the assessment being a verbal
description of the risk.
Quantitative Evaluation; Assessing the risk of an accidental release at a
facility in numerical terms; the end result of the assessment being some type
of number reflects risk, such as faults per year or mean time between failure.
162
-------�
Reactivity: The ability of one chemical to undergo a chemical reaction with
another chemical. Reactivity of one chemical is always measured in reference
to the potential for reaction with itself or with another chemical. A chemical
is sometimes said to be "reactive", or have high "reactivity", without
reference to another chemical. Usually this means that the chemical has the
ability to react with common materials such as water, or common materials of
construction such as carbon steel.
Redundancy; For control systems, redundancy is the presence of a second piece
of control equipment where only one would be required. The second piece of
equipment is installed to act as a backup in the event that the primary piece
of equipment fails. Redundant equipment can be installed to backup all or
selected portions of a control system.
Risk; The probability that a hazard may be realized at any specified level in
a given span of time.
Secondary Containment! Process equipment specifically designed to contain
material that has breached primary containment before the material is released
to the environment and becomes an accidental release. A vent duct and
scrubber that are attached to the outlet of a pressure relief device are
examples of secondary containment.
Teratogenic: Causing anomalies of formation or development.
Toxicity; A measure of the adverse health effects of exposure to a chemical.
163
-------�
APPENDIX D
TABLE D-l. METRIC (SI) CONVERSION FACTORS
Quantity
Length:
Area:
Volume:
Mass (weight) :
Pressure:
Temperature :
Caloric Value;
Enthalpy:
Specific-Heat
Capacity:
Density :
Concentration:
Flowrate:
Velocity:
Viscosity:
To Convert From
in
ft
ft2
in3
ft3
gal
Ib
short ton (ton)
short ton (ton)
atm
mm Hg
psia
psig
°F
°C
Btu/lb
Btu/lbmol
kcal/gmol
Btu/lb-°F
lb/ft3
Ib/gal
oz/gal
quarts/gal
gal /min
gal/day
ft /min
ft /min
ft/sec
centipoise (CP)
To
cm
m
cm2
m2
cm
m3
m3
kg
Mg
metric ton (t)
kPa
kPa
kPa
kPa*
°c*
K*
kJ/kg
kJ/kgmol
kJ/kgmol
kJ/kg-°C
kg/m3
kg/m3
kg/m3
cm3/m3
m /min
m /day
m /min
m/min
m/sec
Pa-s (kg/m-s)
Multiply By
2.54
0.3048
6.4516
0.0929
16.39
0.0283
0.0038
0.4536
0.9072
0.9072
101.3
0.133
6.895
(psig)+14.696)x(6.895)
(5/9)x(°F-32)
°C+273.15
2.326
2.326
4.184
4.1868
16.02
119.8
25 , 000
0.0038
0.0038
0.0283
0.3048
0.3048
0.001
*Calculate as indicated
Source: Adapted from Reference 22.
164
U.S. GOVERNMENT PRINTING OFFICE: 1987 7l»8-121'67017
-------� |