Chapter H: Hazards, Risks and Safety
© HyFacts 2012/13 – CONFIDENTIAL – not for public use

1 Control of hazards and associated safety measures

1.1 Rationale

1.1.1 Definitions of hazard, risk and safety

A hazard is a source or situation with a potential for corporal, material or environmental damage, or a combination of them. Examples of hazards are fires and explosions. A hazard is characterised by its probability and its severity. Hazards are associated with feared events that may produce the hazard, i.e. a deviation (such as a hydrogen leak) that may result in a fire or an explosion.

The risk is a quantitative measure of a hazard in terms of its probability P and severity S. The risk of a hazard (also called criticality) is assessed on the basis of these two parameters.

Safety is freedom from unacceptable risk. This implies that some level of risk is tolerable.

Reference: European Industrial Gases Association, 2008, “Major Hazards”, IGC Document 142/08/E

1.1.2 Risk criteria (individual risk criteria and societal risk criteria, criticality matrix)

Risk areas

The risk R of a hazard is assessed on the basis of its probability P and its severity S: R = P x S. Plotting probability against severity (see Figure 1) shows that there are at least two risk zones:

- An unacceptable risk area (in red in Figure 1): this area indicates an unacceptable severity-probability combination. Measures must be taken to mitigate the risk. Example: a frequent event and a very severe hazard.
- A low risk area (in green): this area represents a combination of severity and probability for which the risk is considered low and thus tolerable. Example: an improbable but very severe event.

In some cases, it is not so easy to reach a consensus on which area the risk falls into. Between these two zones there is an intermediate risk area (in yellow): the ALARP zone (As Low As Reasonably Practicable).
In this area, additional investigations are required to see whether the risk could be decreased to the low risk area. If a residual risk remains in this area, justifications must be available to explain why the low risk area could not reasonably be reached.

Figure 1: Risk areas (Source: Air Liquide). Axes: Severity (Minor to Major) against Probability (Rare to Frequent); zones shown: Unacceptable area, Low risk area.

Assessment of the risk of a hazard: criticality matrix

The criticality matrix considers these three levels of criticality and allows for an assessment of the risk of a hazard. Hazards are classified according to their probability of occurrence and to their severity. There are several classes of probability: the class with the highest probabilities corresponds to frequent events, while the class with the lowest probabilities corresponds to improbable events. There are also several levels of severity, depending on the severity of the consequences of a hazard (on safety, production, environment...). The criticality matrix displays the probability values that allow the probability category of a hazard to be assessed, and it also displays the criteria that allow the severity level of the hazard to be assessed.

Figure 2: Example of a criticality matrix defined in the frame of the European Integrated Hydrogen Project (Source: Methodology for Rapid Risk Ranking of H2 Refuelling Station Concepts, by Norsk Hydro ASA and DNV, Sept 2002, European Integrated Hydrogen Project 2)

Figure 3: Risk levels in the criticality matrix proposed by the European Integrated Hydrogen Project (Source: Methodology for Rapid Risk Ranking of H2 Refuelling Station Concepts, by Norsk Hydro ASA and DNV, Sept 2002, European Integrated Hydrogen Project 2)

Figure 4: Probability levels in the criticality matrix proposed by the European Integrated Hydrogen Project (Source: Methodology for Rapid Risk Ranking of H2 Refuelling Station Concepts, by Norsk Hydro ASA and DNV, Sept 2002, European Integrated Hydrogen Project 2)

The criticality matrix then shows whether the risk of a given hazard is tolerable (low risk), unacceptable (measures must then be taken to reduce the risk) or medium (additional investigations are then required to see whether the risk could be decreased to the low risk area).

A possible risk assessment approach one might take is:

- Identify the hazards
- Identify who might be harmed and how
- Evaluate the risks and decide on precautions
  o Can the risk be eliminated?
  o Can the risk be controlled?
- Record the findings and implement them
- Review the risk assessment and update it if necessary.

This is the approach that HSE suggests as an appropriate starting point for a risk assessment (Health and Safety Executive, 2012b).

In the UK, the cost of implementing any changes is put into perspective through the application of the notion of As Low As Reasonably Practicable (ALARP) or So Far As Is Reasonably Practicable (SFAIRP), which essentially means the same as ALARP. The concept of ALARP is an integral part of the Health and Safety at Work etc. Act 1974 (Her Majesty’s Government, 1974). One of the main features of ALARP is that it is not prescriptive, and thus it is less likely to result in a mere box-ticking exercise. This flexibility is perhaps also the main drawback of the ALARP principle, in that it can be challenging for HSE inspectors and employers to exercise judgement. Assessment of what constitutes ALARP can be carried out using different tools, for example a cost-benefit analysis. Thus an employer is not legally bound to incur huge costs for undertaking remedial action if it is disproportionate to the level of risk, or if it is not humanly possible to eliminate the risk completely.
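The criticality-matrix ranking and the ALARP rule described above, as an added Python example (it is not HyFacts, Air Liquide or EIHP material): the probability classes, their frequency bounds, the severity levels and the zone layout are constructed for illustration rather than taken from Figures 2 to 4, and the RiskRow class mirrors the spreadsheet columns of a typical risk analysis.

```python
"""Criticality matrix ranking with the ALARP rule.
Added example: the classes, severity levels and zone layout below are
constructed for illustration, not the EIHP matrix of Figures 2 to 4."""
from dataclasses import dataclass, field
from typing import List, Optional

# Probability classes, from the most frequent down, with the lower bound of
# the annual frequency of the causes for each class (constructed values).
PROBABILITY_CLASSES = [
    ("frequent", 1e-1), ("probable", 1e-2), ("occasional", 1e-3),
    ("remote", 1e-4), ("improbable", 0.0),
]
SEVERITY_LEVELS = ["negligible", "minor", "major", "catastrophic"]
# Zone per probability class (row) and severity level (column):
# U = unacceptable, A = ALARP / intermediate, L = low risk (constructed).
MATRIX = {
    "frequent":   "AUUU",
    "probable":   "LAUU",
    "occasional": "LAAU",
    "remote":     "LLAA",
    "improbable": "LLLA",
}
ZONES = {"U": "unacceptable", "A": "ALARP", "L": "low risk"}

def probability_class(frequency_per_year: float) -> str:
    """Map an estimated annual frequency of the causes to its class."""
    for name, lower_bound in PROBABILITY_CLASSES:
        if frequency_per_year >= lower_bound:
            return name
    return "improbable"   # guard for a negative input

def risk_zone(frequency_per_year: float, severity: str) -> str:
    """Read the criticality matrix for one probability/severity pair."""
    column = SEVERITY_LEVELS.index(severity)  # ValueError on an unknown level
    return ZONES[MATRIX[probability_class(frequency_per_year)][column]]

@dataclass
class RiskRow:
    """One line of a Figure 5 style risk analysis spreadsheet."""
    feared_event: str
    causes: str
    consequences: str
    frequency_per_year: float          # probability of the causes
    severity: str                      # severity of the consequences
    risk_reduction_measures: List[str] = field(default_factory=list)
    residual_frequency_per_year: Optional[float] = None  # after the measures

    def assess(self) -> dict:
        """Criticality before and after the measures, and the ALARP verdict."""
        before = risk_zone(self.frequency_per_year, self.severity)
        residual = self.residual_frequency_per_year
        after = risk_zone(self.frequency_per_year if residual is None else residual,
                          self.severity)
        if after == "unacceptable":
            action = "further risk reduction mandatory"
        elif after == "ALARP":
            action = "investigate further reduction or justify the residual risk"
        else:
            action = "tolerable"
        return {"criticality": before, "residual": after, "action": action}

def example_register() -> List[RiskRow]:
    """Constructed sample rows for a hydrogen installation."""
    return [
        RiskRow("explosion in compressor enclosure", "hydrogen leak from fitting, ignition",
                "structural damage, injury", 5e-2, "major",
                ["permanent ventilation", "gas detection with isolation"], 2e-4),
        RiskRow("jet fire at dispenser", "hose rupture during filling",
                "burns to customer", 2e-3, "major", ["breakaway coupling"], 8e-5),
        RiskRow("cylinder burst", "composite cylinder in external fire",
                "fragments, fatalities", 3e-5, "catastrophic"),
    ]
```

The residual zone is what the spreadsheet's criticality column reports after the listed measures; a row left in the ALARP zone is the case where the justification text must be recorded.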
Thus, what constitutes ALARP is a potentially contentious decision that might be legally challenged by lawyers acting on behalf of the employer, the employees (individually or through a union), other stakeholders or the HSE itself.

Individual risk criteria

The individual risk represents the annual frequency of an individual dying due to a hazard. The individual is assumed to be unprotected and to be present 24/7. Individual risk can be further defined in a way that takes into account the location-specific probability that an individual may be killed because of an accident linked to the industrial activity. This risk thus depends on the frequency of occurrence of the events (examples: rupture of piping, explosion of a liquid oxygen storage tank). This approach takes a “worst case” type of scenario for individual exposure.

In an industrial context, the assessment of an individual risk is made as follows:

- The feared event is described.
- The causes of the feared event are described.
- The consequences of the feared event are listed.
- The probability of the causes and the severity of the consequences are assessed.
- The criticality matrix then shows whether the risk associated with the hazard is tolerable, unacceptable or intermediate, and whether risk reduction measures should be taken.
- If needed, the risk reduction measures are listed.
Figure 5: Typical spreadsheet of a risk analysis (Source: Air Liquide). Columns of the spreadsheet:
- Feared event: description
- Causes: description of the causes of the feared event
- Consequences: effects of the feared event
- Probability: probability of the causes
- Severity: severity of the consequences
- Criticality: assessment of the risk level according to the criticality matrix
- Risk reduction measures: additional risk reduction measures needed to reach a low risk level

Societal risk criteria

The societal risk represents the frequency of having an accident with N or more people being killed simultaneously. The people involved are assumed to have some means of protection. Societal risk differs from individual risk in that it takes into account the total number of people who may be harmed at the same time by a single accident. The level of societal risk from an installation is determined by three factors:

- The probability of an incident occurring on a major hazard site
- The nature of the incident and its severity
- The density and location of the population working on or living in and around the site.

Therefore, a specific approach has been developed for the assessment of the risks run by people in public areas. The societal risk is presented as an FN curve, where N is the number of deaths and F the cumulative frequency of accidents with N or more deaths. This FN curve corresponds to the societal risk criteria. Once the number of fatalities of a given hazard is known (depending among other things on the population density), the societal risk curve indicates the maximum allowed frequency of this hazard. Measures can then be taken to reduce the frequency of the hazard below this maximum frequency.
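Building the FN curve from a scenario list and reading the maximum allowed frequency off a criterion line, as an added Python example (not Air Liquide's or HyFacts' own material): the scenario frequencies and fatality counts are constructed, and the criterion line F_max(N) = C / N^a with C = 1e-3 and a = 2, together with the width of the ALARP band, are assumptions standing in for the societal risk criteria of Figure 6.

```python
"""Societal risk: FN curve from a scenario list, checked against a criterion line.
Added example; scenario data, the criterion constants and the ALARP band are constructed."""
from typing import Dict, List, Tuple

# Constructed accident scenarios: (description, frequency /yr, fatalities N).
SCENARIOS = [
    ("small leak ignited, nobody in the area",        2e-3, 0),
    ("jet fire at dispenser, one customer",           5e-5, 1),
    ("deflagration in storage enclosure, operators",  8e-6, 3),
    ("tank rupture with a crowd on the forecourt",    1e-5, 12),
    ("tank rupture escalating to neighbouring site",  5e-9, 30),
]

def fn_curve(scenarios) -> List[Tuple[int, float]]:
    """Cumulative frequency F(N) of accidents with N or more fatalities.

    Returns (N, F(N)) for every distinct N >= 1 present in the scenarios,
    sorted by N. Scenarios with N = 0 do not contribute to societal risk.
    """
    ns = sorted({n for _, _, n in scenarios if n >= 1})
    return [(n, sum(f for _, f, m in scenarios if m >= n)) for n in ns]

def max_allowed_frequency(n: int, c: float = 1e-3, a: float = 2.0) -> float:
    """Criterion line F_max(N) = C / N^a separating the unacceptable zone;
    C and a are constructed. a = 2 expresses aversion to multi-fatality accidents."""
    return c / (n ** a)

def societal_risk_check(scenarios, alarp_band: float = 100.0) -> Dict[int, str]:
    """Classify each point of the FN curve: 'unacceptable' above the criterion
    line, 'ALARP' within a factor alarp_band below it, 'low risk' further down."""
    result = {}
    for n, f in fn_curve(scenarios):
        limit = max_allowed_frequency(n)
        if f > limit:
            result[n] = "unacceptable"
        elif f > limit / alarp_band:
            result[n] = "ALARP"
        else:
            result[n] = "low risk"
    return result

def required_reduction(scenarios) -> Dict[int, float]:
    """Factor by which F(N) must drop to reach the criterion line (1.0 if already below)."""
    return {n: max(1.0, f / max_allowed_frequency(n)) for n, f in fn_curve(scenarios)}

def reduce_scenario(scenarios, description: str, factor: float):
    """Return a new scenario list with one scenario's frequency divided by `factor`,
    i.e. the effect of a frequency-reducing measure on that scenario."""
    return [(d, f / factor if d == description else f, n) for d, f, n in scenarios]
```

Because F(N) is cumulative, lowering the frequency of the 12-fatality scenario also lowers the points at N = 1 and N = 3; the check has to be re-run on the whole curve after each measure.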
Figure 6: Societal risk curve (Source: Air Liquide). Axes: Number of fatalities (N) against frequency of N or more fatalities per year; zones shown: Unacceptable risk zone, ALARP (As Low As Reasonably Practicable), Low risk zone.

References:
- PURPLE BOOK, “Guidelines for Quantitative Risk Assessment”, CPR 18E, TNO, 1999
- Methodology for Rapid Risk Ranking of H2 Refuelling Station Concepts, by Norsk Hydro ASA and DNV, Sept 2002, European Integrated Hydrogen Project 2
- Health and Safety Executive (2012). ALARP at a glance. http://www.hse.gov.uk/risk/theory/alarpglance.htm (accessed on 4th September 2012)

1.1.3 Provision of hydrogen safety

1.1.3.1 Design for Safety - Safety objective and safety strategy

Design for safety

Designing for safety aims at making systems intrinsically safe. This is achieved by ensuring that all possible deviations (initial events) that could potentially generate a feared event (e.g. injury) are either sufficiently unlikely or handled by the system so as to avoid the feared event. In this approach, once a system concept has been established, all hazardous deviations (also called initial events, e.g. a hydrogen release) are reviewed. For each hazardous deviation, a safety objective is set, and the associated means to achieve the safety objective are identified. The system is then designed so that the safety objectives are met, and the system is therefore intrinsically safe.
Figure 7: Design for safety (Source: Air Liquide). Flow shown: Product design / System concept -> Hazardous deviation -> Safety strategy (safety objective for each feared event) -> Means to achieve objective -> Safe design.

Categorisation of hazardous deviations for definition of corresponding safety objectives

All deviations, called initial events, potentially generating a hazardous situation can be identified and characterised in terms of their associated immediate risk (probability and initial severity), assuming absence of mitigation. Following a ranking by initial severity, sets of deviations can be defined in terms of frequency: expectable, foreseeable, conceivable or unlikely.

- The set of expectable events is the set of all initial events up to a maximum initial severity such that the probability of having an initial event with a severity greater than this maximum severity is less than 10^-2/yr.
- The set of foreseeable events is the set of all initial events with an initial severity greater than that of expectable events, up to a maximum severity such that the probability of having an initial event with a severity greater than this maximum severity is less than 10^-4/yr.
- The set of conceivable events is the set of all initial events with an initial severity greater than that of foreseeable events, up to a maximum severity such that the probability of having an initial event with a severity greater than this maximum severity is less than 10^-x/yr (x may depend on the application).
- Initial events with an initial severity greater than that of conceivable events are considered unlikely.
Figure 8: Categorisation of hazardous deviations (initial events) (Source: Air Liquide). Axes: Initial severity against Frequency; initial event class frequency limits: Expectable (< 10^-2/yr), Foreseeable (< 10^-4/yr), Conceivable (< 10^-x/yr), Unlikely.

Initial and feared events

One should distinguish the initial event (such as the accumulation of hydrogen and the build-up of an explosive hydrogen-air mixture) from the feared event (such as an explosion). The initial event turns into the feared event under specific conditions, such as ignition in the case of a hydrogen leak. The frequency of the feared event is lower than the frequency of the initial event, as the feared event happens only under these conditions. The conditional probability is the probability that the initial event will produce the feared consequences.

Safety objectives and measures

For a given feared event, the safety objective can be expressed as a frequency limit. Safety measures aim at lowering the frequency of the feared event below the frequency limit (safety objective). To achieve this, several strategies can be combined:

- The severity of the initial events can be reduced to the point that having a feared event is unlikely, in order to avoid the need for mitigation.
- Mitigation measures can be taken to lower the frequency of the feared event (which in that case is the frequency of failure of the mitigation measures).

Figure 9: Design for safety (Source: Air Liquide). Plot of frequency against initial severity showing the initial event class frequency limits (Expectable < 10^-2/yr, Foreseeable < 10^-4/yr, Conceivable < 10^-x/yr, Unlikely) and the frequency limit for the feared event (1); curves shown: frequency of the initial event (2), frequency* of the feared event (FE) without mitigation (3: FE conditional probability without mitigation), frequency* of the feared event with mitigation, i.e. residual risk (4: FE conditional probability with mitigation). *Considering potential escalation. Annotation: small (frequent) events with escalation potential require the most reliable mitigation. Designing for safety means acting on the severity of the initial events (2) and taking mitigation measures (4), knowing the probability of initial events becoming feared events (3), so as to meet the frequency limits (1) set as safety objectives.

Design for safety by definition of up-front deterministic safety objectives

An effective form of design for safety is to translate safety objectives (frequency limit for the feared event) into practical design objectives that can be implemented by design engineers:

- For expectable events, there should be no damage. A typical safety strategy for expectable leaks is passive ventilation or permanent active ventilation, allowing a concentration of 1% hydrogen at most.
- For foreseeable events, there should be no injury.
- For conceivable events, the effects of the feared events should be reduced.
- No design objectives are set for unlikely feared events, which are acceptable as the frequency of these events is very low. There is no specific measure other than prevention (material choice...); they are only considered for emergency response.

1.1.3.2 Requirements on the reliability of safety measures

As explained previously, all deviations, called initial events, potentially generating a hazardous situation can be identified and characterised in terms of their associated immediate risk (probability and initial severity), assuming absence of mitigation. The initial event turns into the feared event under specific conditions, such as ignition in the case of a hydrogen leak.
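The class boundaries of Figure 8 and the frequency check of Figure 9 carried through in code, as an added Python example (not Air Liquide's or HyFacts' own method): the event register, the conditional probabilities, the mitigation failure probabilities, the feared-event frequency limit of 1e-5/yr and the choice x = 6 are all constructed assumptions, and escalation is not modelled.

```python
"""Initial-event classes (Figure 8) and feared-event frequency check (Figure 9).
Added example: the register, conditional probabilities, mitigation failure
probabilities and the feared-event limit are constructed, and x = 6 is assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Class frequency limits from the text: < 10^-2, < 10^-4 and < 10^-x per year.
CLASS_LIMITS = [("expectable", 1e-2), ("foreseeable", 1e-4), ("conceivable", 1e-6)]
FEARED_EVENT_LIMIT = 1e-5  # /yr, constructed safety objective, item (1) of Figure 9

@dataclass
class InitialEvent:
    name: str
    severity: int                 # initial severity rank on a constructed scale
    frequency: float              # /yr, item (2): frequency of the initial event
    cond_prob: float              # item (3): probability it becomes the feared event
    mitigation_pfd: Optional[float] = None  # item (4): probability the mitigation fails

def exceedance_frequency(events: List[InitialEvent], severity: int) -> float:
    """Annual frequency of an initial event more severe than `severity`."""
    return sum(e.frequency for e in events if e.severity > severity)

def class_boundaries(events: List[InitialEvent]) -> Dict[str, int]:
    """Maximum severity of each class: the smallest severity whose exceedance
    frequency is below the class limit (0 means the class is empty)."""
    candidates = [0] + sorted({e.severity for e in events})
    # The largest severity always has exceedance 0, so next() cannot fail.
    return {name: next(s for s in candidates if exceedance_frequency(events, s) < limit)
            for name, limit in CLASS_LIMITS}

def classify(events: List[InitialEvent]) -> Dict[str, str]:
    """Assign expectable / foreseeable / conceivable / unlikely to each event."""
    bounds = class_boundaries(events)
    result = {}
    for e in events:
        result[e.name] = next((name for name, _ in CLASS_LIMITS if e.severity <= bounds[name]),
                              "unlikely")
    return result

def feared_event_frequency(e: InitialEvent, with_mitigation: bool = True) -> float:
    """(2) x (3), times (4) when mitigation is credited; no escalation modelled."""
    pfd = e.mitigation_pfd if with_mitigation and e.mitigation_pfd is not None else 1.0
    return e.frequency * e.cond_prob * pfd

def required_mitigation_pfd(e: InitialEvent, limit: float = FEARED_EVENT_LIMIT) -> float:
    """Largest mitigation failure probability that still meets the limit;
    a value >= 1 means the objective is met without any mitigation."""
    return limit / (e.frequency * e.cond_prob)

def design_check(events: List[InitialEvent], limit: float = FEARED_EVENT_LIMIT) -> Dict[str, dict]:
    """Per event: class, feared-event frequencies with/without mitigation,
    whether the safety objective is met, and the mitigation reliability needed."""
    classes = classify(events)
    return {e.name: {
        "class": classes[e.name],
        "fe_without_mitigation": feared_event_frequency(e, False),
        "fe_with_mitigation": feared_event_frequency(e, True),
        "meets_objective": feared_event_frequency(e, True) < limit,
        "required_pfd": required_mitigation_pfd(e, limit),
    } for e in events}

def example_events() -> List[InitialEvent]:
    """Constructed register for a ventilated hydrogen enclosure."""
    return [
        InitialEvent("fitting weep", 1, 5e-2, 0.01, 1e-2),       # detection + ventilation
        InitialEvent("gasket failure", 2, 3e-3, 0.05, 1e-1),     # ventilation only
        InitialEvent("pipe crack", 3, 8e-5, 0.2, 1e-1),
        InitialEvent("full-bore rupture", 4, 2e-6, 0.5),         # no mitigation credited
        InitialEvent("vessel burst", 5, 5e-8, 1.0),
    ]
```

The required_pfd value is the link to the next section: the more frequent and severe the initial event and the higher its conditional probability, the smaller the tolerated failure probability of the mitigation, i.e. the higher the performance level it must reach.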
The conditional probability is the probability that the initial event will produce the feared consequences. If the probability and severity of the initial event as well as the conditional probability are high, the required performance level (reliability) of the safety measure should be high (see Figure 10). Conversely, if the probability and severity of the initial event as well as the conditional probability are low, a lower reliability of the safety measure is tolerable.

Figure 10: Required performance as a function of the severity and frequency of the event, and of its conditional probability (Source: EN ISO 13-849)

Caption:
- S: severity of the initial event (S1: low severity, S2: high severity)
- F: probability of the initial event (F1: low probability, F2: high probability)
- P: conditional probability (P1: low conditional probability, P2: high conditional probability)
- PL: performance level, i.e. reliability of the safety measures (e is the most reliable safety measure)

The performance level (reliability) of a safety measure is characterised by its Safety Integrity Level (SIL). ISO 13-849 helps define the required level of reliability of a safety measure (i.e. its SIL). ISO 61-508 explains how to reach the SIL which has been defined thanks to ISO 13-849.

References:
- ISO 13-849
- ISO 61-508

1.1.3.3 Hydrogen safety engineering

Hydrogen Safety Engineering (HSE) is defined as the application of scientific and engineering principles to the protection of life, property and environment from the adverse effects of incidents/accidents involving hydrogen (Molkov and Saffers, 2011). This performance-based approach is similar to British standard BS 7974 (British Standards Institution, 2001) for the application of fire safety engineering to the design of buildings, but it has been expanded to reflect the phenomena specific to hydrogen safety.
HSE includes, but is not limited to, high-pressure under-expanded leaks and dispersion, spontaneous ignition of sudden hydrogen releases to air, deflagrations and detonations, etc. The HSE process includes three main steps.

1. A Qualitative Design Review (QDR) is undertaken by a team that can include the owner, a hydrogen safety engineer, an architect, representatives of authorities having jurisdiction (e.g. fire services) and other stakeholders. The team reviews the technical characteristics, the site layout and management, establishes safety objectives, identifies hazards and associated phenomena, creates trial safety designs, sets acceptance criteria, selects the methods of analysis and describes in detail the scenarios for analysis.

2. A quantitative safety analysis of selected scenarios and trial designs is carried out by qualified hydrogen safety engineer(s) using state-of-the-art knowledge in hydrogen safety science and engineering and validated models and tools. To simplify the evaluation of a HSE design, the quantification process is broken down into several Technical Sub-Systems (TSSs). The TSSs cover all possible aspects of hydrogen safety. They are balanced between their uniqueness, or capacity to be used individually, and their complementarities and synergies with the others. Each TSS contains a selection of the state of the art in the particular field of hydrogen safety science and engineering and validated engineering tools, including empirical and semi-empirical correlations and contemporary tools such as CFD models and codes. TSSs are also flexible, to allow the update of existing methods or the use of new appropriate and validated methods, reflecting recent progress in hydrogen safety. The TSSs are:
- initiation of release and dispersion;
- ignitions;
- deflagrations and detonations;
- fires;
- impact on people, structures and environment;
- mitigation techniques;
- emergency services intervention.
In addition to the outlined TSS documents, there is a supplementary document on probabilistic risk analysis for hydrogen, similar to the approach of BS 7974-7 (British Standards Institution, 2003).

3. Finally, the performance of a HFC system and/or infrastructure is assessed against the acceptance criteria predefined by the team. If none of the trial designs developed by the QDR team satisfies the specified acceptance criteria, the QDR and quantification process should be repeated until a hydrogen safety strategy satisfies the acceptance criteria and other design requirements. Several options can be considered when reconducting the QDR:
- development of additional trial designs;
- adoption of a more discriminating design approach, e.g. using deterministic techniques instead of a comparative study, or probabilistic instead of deterministic procedures;
- re-evaluation of design objectives, e.g. if the cost of hydrogen safety measures for property loss prevention outweighs the potential benefits.

When a satisfactory solution has been identified, the resulting HSE strategy should be fully documented in a “Report on Hydrogen Safety Engineering”.

Figure 11: Hydrogen safety engineering procedures (Molkov and Saffers, 2011)

This performance-based methodology offers the flexibility to assess trial safety designs using three approaches, separately or simultaneously: deterministic, comparative or probabilistic.

1. The objective of a deterministic study is to analyse the performance of the trial safety design(s) selected by the QDR team for the chosen scenarios, with models based on physical, chemical, thermodynamic and human-behavioural relationships derived from scientific theories and empirical correlations.

2. In some projects, the recommendations of prescriptive codes and standards, when available, might provide the near-optimum solution for a safe design.
If the hydrogen system is compliant with regulations and codes, a full HSE study may not be necessary. For a comparative type of study, the acceptance criteria may simply be defined in terms of compliance with existing code requirements.

3. The objective of a probabilistic study is usually to show that the risk of a given event occurring is acceptable or tolerably small.

References:
- British Standards Institution, British Standard 7974:2001, Application of fire safety engineering to the design of buildings - Code of Practice, 2001.
- British Standards Institution, Published Document 7974-7:2003, Application of fire safety engineering principles to the design of buildings – Part 7: probabilistic risk assessment, 2003.
- Molkov, V.V., Saffers, J.B., Principles of Hydrogen Safety Engineering, 4th International Conference on Hydrogen Safety, San Francisco, California, USA, 12-14 September 2011.

1.1.4 Overview and the role of regulations, codes and standards, and Pre-Normative Research (PNR)

Pre-normative research

As explained in section 1.1.3.1, safety objectives are defined from the beginning of the product design. This often highlights knowledge gaps and raises new R&D questions. Indeed, a full understanding of a potentially hazardous phenomenon is required, e.g. in order to be able to specify means that will prevent the phenomenon from developing beyond a pre-defined limit. R&D efforts should therefore focus on closing the knowledge gaps in support of “design for safety”: this is pre-normative research.

Below are examples of safety-related pre-normative research topics:

- Behaviour of hydrogen once released (leak rates, dispersion and ventilation, combustion…).
  Examples of Pre-Normative Research (PNR) objectives supporting the achievement of design objectives are:
  o Specify ventilation openings that will prevent the development of a flammable atmosphere in case of a leak,
  o Specify the maximum flammable mixture concentration in order to avoid exceeding a specified overpressure.
- Resistance of composite cylinders to accidental loads (e.g. fire). Examples of PNR objectives supporting the achievement of design objectives are:
  o Specify the maximum time to empty the cylinder in order to avoid burst,
  o Specify thermal protection for withstanding fire conditions during a pre-defined amount of time.
- Effects of hydrogen on metallic materials (hydrogen embrittlement).

The knowledge base set up by the pre-normative research is then used to support the recognition of the means to achieve safety objectives by standardisation: it supports the creation of regulations, codes and standards.

Figure 12: Pre-normative research as a support for standardisation (Source: Air Liquide). Flow shown: Product design / System concept -> Feared events -> Safety strategy (safety objective for each feared event) -> Means to achieve objective -> Safe design; the questions raised by the safety strategy go to pre-normative research, whose answers feed a shared H2 safety knowledge base that supports the standards defining the means.

Role of regulations, codes and standards

Regulations, codes and standards provide performance requirements (effectiveness, reliability) with regard to the means (prevention, mitigation) used to achieve safety targets. They provide design criteria ensuring fitness for purpose by relating requirements to conditions of use, and standard solutions for meeting the performance requirements or safety targets.
Reference: Frederic Barth, 2010, “Getting the most out of research for producing the standards we need for hydrogen energy applications”, World Hydrogen Energy Conference

1.1.5 Other references

Some more specific methods and approaches for achieving safe designs are covered by standards. For example:

- ISO 12100:2010 (updated version of ISO 14121) Safety of machinery: specifies basic terminology, principles and a methodology for achieving safety in the design of machinery. It specifies
- IEC 61882 HAZOP studies: provides a guide for HAZOP studies of systems utilising the specific set of guide words defined in this standard. It also gives guidance on the application of the technique and on the HAZOP study procedure, including definition, preparation, examination sessions and the resulting documentation and follow-up.
- IEC 61511-3 Functional safety: provides information on the underlying concepts of risk, the relationship of risk to safety integrity, the determination of tolerable risk, and a number of different methods that enable the safety integrity levels for the safety instrumented functions to be determined.