RISK MANAGEMENT OF A PETROLEUM REFINING FACILITY
USING FAULT TREE ANALYSIS
STEVEN T. MAHER
DR. DAVID R. SHARP
CONTRIBUTORS: FELICIA D. STEVENSON
DIRK S. LEACH
RISK ASSESSMENT TECHNOLOGY
WESTINGHOUSE ELECTRIC CORPORATION
PITTSBURGH, PA 15230-0355
ABSTRACT
Recently, industrial accidents have occurred that resulted in great personal and financial loss. Managing these risks in today's environment is the concern of every industry, because either real or perceived incidents can quickly jeopardize the financial viability of a business. Many facilities involve petrochemical or manufacturing processes that have the potential for accidents which may be catastrophic to the plant, work force, environment, or public. These financial losses especially cannot be tolerated with the current price of crude oil.
Formal risk management techniques have had their foremost application as decision-making tools within the commercial nuclear power industry. Recently, these risk management techniques have been applied in the petroleum and chemical industries and this application has enhanced plant safety through modifications in plant design and operation.
This paper discusses the application of state-of-the-art fault tree analysis techniques to a refining facility that produces diesel fuel from a crude oil stream. This fault tree analysis was used to identify the failure sequences which could lead to process hazards, and the analysts used these results to evaluate the impact of specific hazards on process safety. Through recommendations presented in the study, the facility owner gained an increased awareness of potential problems and made modifications to reduce the possibility of a hazardous condition and subsequent catastrophic failure.
I. RISK MANAGEMENT IN THE 80's
Recently, a number of well-publicized industrial accidents have occurred in process facilities and have had significant impacts. This has prompted corporations in diverse industries to examine their operations more closely for risks to the public, employees, and capital investments. Additionally, existing government regulations and those that are currently evolving in the United States provide an incentive to owners to have a specific risk management plan by verifying the safety aspects of a proposed design, validating the safety of an operating plant, and making cost-effective and safety-conscious decisions concerning system changes to minimize risk. In short, business is turning to risk management with increasing frequency to ensure the financial viability of its various operations.
What is risk management? To manage risk simply means reducing to acceptable limits the occurrence or consequence of undesired events. This can be done by evaluating the likelihood and the financial or safety impact of the undesired event. Numerous benefits can be realized through risk management for society at large as well as for the profit-making institution. Industry can use risk management techniques to:
 | Identify corrective action to avoid safety hazards and to minimize the possibility of financial loss and unscheduled downtime caused by system failures, accidents, inefficient maintenance procedures, and operability problems |
| Create a "living" system reliability model to continually evaluate the cost and benefits of proposed process modifications and operations changes |
| Identify those areas where increased operator awareness can most readily increase safety or reduce financial risk, or where relaxed operating procedures would minimally affect risk or reliability |
| Provide environmental, regulatory, and insurance agencies with comprehensive, quantitative risk statements that help the agency assess hardware modifications under consideration by the owner for the reduction of risks |
| Improve public relations by making a conscientious effort to reduce risks to public health and safety |
Since 1975 with WASH-1400, "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Power Plants", Westinghouse has used risk management techniques extensively and has become a leader in the field. Although these techniques were developed in the rigorous regulatory environment of the nuclear industry, we have conducted successful risk management programs in other industries; including petroleum, chemical, defense, and public transportation.
II. APPROACH TO RISK MANAGEMENT
Hazards which have been identified through any number of ways [e.g.. history of known problems in a system, Hazard and Operability Studies (HAZOPS), Failure Mode and Effects Analysis (FMEA), etc.] can be systematically analyzed, evaluated and documented using fault tree analysis (FTA), event tree analysis, and/or consequence analysis. Consequence analysis examines the impact of the identified hazard on equipment, personnel, the environment, and the public. Representative phenomena investigated during consequence analysis may include hazardous material dispersion, shock wave propagation, thermal radiation effects, runaway reactions, health effects, environmental impact, and financial impact. Results of this analysis can be expressed in terms of facility downtime or related cost, equipment losses, cost of on-site and/or off-site clean-up, and estimates of health effects caused by hazardous material exposure.
For this study, fault tree analysis was used to evaluate potential hazards at a petroleum refining facility. The basis for fault tree analysis is a fault tree, or a logical structure which describes the causal relationship between the basic hardware, human, and environmental events resulting in system failure. The logical connections between the events are made by event statements and logic gates such as AND, OR, and exclusive OR. At the top of the fault tree is the undesired event, or hazard. Subsequent lower levels, or branches identify all faults or fault combinations which may cause the undesired event. The lower levels may include random component failures, common cause failures, human errors, and test and maintenance unavailabilities (figure 1 depicts an example fault tree). Boolean algebra techniques quantify the probability of the occurrence of the top level hazard, using the contributing probability of lower level events. FTA should be used when it is necessary to analyze a specific hazard for its contributing causes and probability of occurrence.
FIGURE 1
FAULT TREE DEVELOPMENT OF
OVERHEAD ACCUMULATOR OVERPRESSURE
In contrast to FTA, event tree analysis uses forward logic in a decision tree-like diagram to define accident sequences that involve the complex interrelationships between systems. Although simple in form and easilyinterpreted, it is a powerful tool for depicting an event which involves multiple system failures, support system failures, and operator action. The tree begins with the initiating event on the left, and branches to the subsequent successes and/or failures of essential mitigating equipment. All meaningful combinations of events, failures, and errors that may emanate from the initial event condition are identified. Like a fault tree, an event tree is a "living" computer logic model representation of a physical system which can be readily changed to reflect the sensitivity of risk to design or operations changes. Quantification of an event tree uses failure data from FTA or other sources and results in estimates of the frequency of occurrence of hazard conditions.
Contingent upon the type of system and the desired application of results, consequence, fault tree, and event tree analyses alone or in any customized combination can be used to assess hazards in a system and to create a "living" logic model representation of a system. This assessment is a meaningful decision-making tool for risk management and can be vital part of the overall process hazard management effort. By weighing the probability of a given hazard versus the hazard's safety and financial consequences, one can identify the largest contributors to risk and recommend effective methods to reduce risk to an acceptable level. These recommendations resulting from risk assessment may include changes to the plant/system design or operating procedures. Thus, the goal of risk management is to make educated decisions in optimizing a system with respect to safety and cost.
Westinghouse utilizes state-of-the-art interactive computer graphics, calculational, and modeling tools to streamline the risk management effort substantially and provide for a high quality analysis. These tools are adapted for both minicomputer and personal computer use and include: an interactive graphics fault tree construction and management package and an interactive event tree construction and evaluation code. The fault tree analysis package consists of interactive fault tree graphics, a data base management system, and a fault tree quantification code. The graphics portion can be used to construct, store, update, and print fault trees interactively. The second function of the analysis package supports the fault tree development by minimizing hand calculations and data entry for fault tree analysis. It receives input component failure probability data and places these values at appropriate nodes in the tree according to a referencing label, or identifier. If failure probability data is not directly available, the code calculates this data from failure rates and system mission times. Additionally, the software creates a master data file for all fault trees necessary for a given project. A third function of the software is to identify the minimal cutsets, or component failure combinations, of the fault tree for a given cutoff probability. When fault tree quantification is desired, it calculates the mean failure probability and variance of the top event and other specified lower events. Component failure rate data from the Westinghouse Reliability Data Base is used for quantification purposes.
Since the general approach of risk management is to systematically reduce the whole to an analysis of its parts, industries whose processes are founded on complex operating/ control systems and relatively new, untested technologies are inherently likely candidates. Specifically, pipeline support operations, offshore petroleum facilities, facilities using new or complex extraction and refining technologies, synfuel plantsincluding tar sands, coal, shale, and heavy oil sands - as well as natural gas processing plants can achieve numerous benefits from risk management. To illustrate, we will apply qualitative fault tree analysis techniques on a petroleum refining facility to identify and assess potential hazards.
III. HAZARDS ANALYSIS OF A PETROLEUM REFINING FACILITY
Like many facilities in the petroleum and chemical industries, substantial capital investments and the desire to reduce operational downtime as well as the probability of catastrophic failures characterized the subject of this case study, a petroleum refining facility. Of special importance for this case study are explosion hazards due to the processing of flammable materials at excessive temperatures and pressures. The facility was in the design and construction phase, and several modifications (which are discussed later) were made to the facility as a result of the hazards analysis. A general process description of the facility follows and is diagrammed in figure 2.
This facility receives unprocessed crude oil and separates it into naphtha, heavy residual crude, and diesel fuel. The diesel fraction is further fractionated to derive diesel fuel suitable for local use. All of the crude oil, except for the derived diesel fuel and a small amount of process gas is returned to the main crude oil stream. This facility is composed of the following subsystems:
| A gas-fired crude oil heater to achieve the desired fractionation of crude oil constituents |
| A crude tower and fuel stripper for separating the diesel from the lighter and heavier products |
| A gas processing system with an overhead condenser for condensing the lightweight hydrocarbons from the crude tower overhead and an accumulator for collecting the condensed overhead |
FIGURE 2
SIMPLIFIED SCHEMATIC OF THE PETROLEUM REFINING FACILITY
| A glycol coolant system for cooling the exiting streams of residual crude oil and diesel fuel |
| A chemical injection system |
| A storage and loading facility for dispensing diesel fuel to bulk carriers and individual users |
The methods used to perform the qualitative hazards analysis of the petroleum refining facility were designed to promote an efficient and thorough analysis. With customer consultation, the analysis team leader developed fault tree analysis and hazard identification guidelines to ensure consistency throughout the project. Hazards of particular concern were those having occurred in previous operating experience or those believed to be credible due to the nature of the process. Both of these guidelines constituted a general agreement between Westinghouse and the customer regarding how potential hazards should be identified and the mechanics of fault tree formulation. Topics included random fault postulation, the basis for test and maintenance faults, and consideration of operator action. The guidelines also provided component failure logic modules. These modules, which covered the generic fault tree development of various types of pumps, valves, and the electric power supply system, provided for fault tree standardization and consistent treatment throughout the study. Enhancing project productivity, the modules were modified as required by the analyst.
To facilitate the identification and analysis of potential hazards, the team leader first divided the risk assessment team into smaller subteams which paralleled the division of the overall process into smaller, more workable subsystems. At this point, each subteam carefully reviewed system descriptions, piping and instrumentation diagrams, process control diagrams, and all other pertinent process documentation. As a result, team members were able to formulate thoughtful questions to ask of system designers, operators, and engineering personnel. This constant interaction between facility personnel and the analysts was essential to the subsequent development of a valid and useful fault tree model. Another essential attribute of the hazard evaluation was constant interaction among team members through a formal internal review procedure. Through internal review, team members benefited from subsystem similarities and ensured the completeness, validity, and general quality assurance of the fault tree development of potential hazards.
Each hazard identified by the team was documented in a report form which included major assumptions, supporting data, and recommendations to alleviate relatively high probability - high consequence hazards. All hazards involving 3 or fewer simultaneous, independent equipment and/or human failures (e.g. valve disposition, equipment malfunction, etc.) were described in detail. Additionally, fault tree models of all potential hazards involving 4 or fewer simultaneous failure states were included in the report. In general, analysts considered such potential problems as:
| Overpressure of vessels due to excessively high pump discharge pressure or excess fuel gas supply |
| Piping overpressure due to excessively high pump discharge pressure |
| Explosion or overheating of heaters due to excess fuel gas and faulted protection systems |
| Vacuum formation that collapses the crude tower due to the unavailability of the fuel gas supply |
| Spillage of hydrocarbon fluids into the offgas or flare systems due to vessel level control faults |
| Spillage of hydrocarbon liquids or vapors to the environment |
| Inappropriate mixing of compounds (Impurity, Combustion, Explosion) |
Specifically for the gas processing subsystem, analysts identified several hazard scenarios requiring three or fewer simultaneous failures, including a scenario involving overpressurization of the overhead accumulator. To illustrate Westinghouse process hazards assessment techniques, we will discuss the development of an overpressure hazard within the gas processing system in detail; a description of the specific system follows.
The gas processing system receives overhead vapor (naphtha) from the crude tower and condenses it in the overhead condenser by fan cooling. The temperature of the condensed naphtha is controlled by two control loops which simultaneously regulate the speed of the two forced draft fans and the amount of internal air recirculation via multiple louvers in the overhead condenser. Condensed naphtha from the overhead condenser flows by gravity into the overhead accumulator, which has a design pressure of 125 psig.
The primary function of the overhead accumulator is to separate uncondensed (process) gas, naphtha, and any small amounts of produced water. Produced water is disposed of via small diaphragm pumps. Produced naphtha is pumped from the overhead accumulator and most is returned to the crude tower for recirculation, while the remainder is mixed with the residual crude and transported offsite.
Additionally, produced gas allows the overhead accumulator to perform its secondary function - regulating the pressure of the entire fractionation process. The overhead accumulator pressure is maintained by controlling the withdrawal rate of the process gas to an offsite process gas handling system. If the process gas flow exceeds that which can be accommodated by the process gas handling system, the excess gas is passed through a much larger valve to a flare system. Alternately, a pressure regulating valve is set to dump fuel gas into the overhead accumulator to maintain the pressure above 5 psig and preclude the formation of a vacuum. During emergency situations, the fuel gas is isolated from the overhead accumulator by an emergency shutdown valve.
The pressure the fuel gas which is used to preclude the possibility of vacuum formation in the process vessels is 200 psig. Since the design pressure of the overhead accumulator is 125 psig, either the pressure relief valves to the process gas handling system or the flare system must open to mitigate a potential overpressure event. If one of the valves isolating the high pressure fuel gas source fails open or fails to seat properly and relief systems are unavailable, the design pressure of the overhead accumulator will be exceeded.
Figure 1 illustrates a very simplified version of the fault tree model of this potential problem. This fault tree, which is excerpted from one subtree of a much larger model, used deductive logic to identify the overpressure sources (pressure control valve P169CV, its bypass, or pressure regulating valve P98RV failing open) and the pressure relief devices which must be available for mitigation (the process gas handling system or the flare system). As the deductive fault tree model converges to an increasing level of detail, variables such as operating mode are explicitly modeled in the fault tree. Therefore, the analyst does not have to completely reevaluate each operating mode separately for potential hazards. For example, at first examination, exceeding the design pressure of the overhead accumulator would seem to require three simultaneous failures: the failing open of one of the valves regulating the high pressure fuel gas source, the failure of the relief valve to the flare system, and the failure of the relief valve to the process gas handling system. With the ability to rapidly analyze the fault tree computer model, the analyst was made aware of a component which closes and disables the process gas handling system during a separate operating mode - operational (controlled) shutdown. Therefore, during operational shutdown, only two simultaneous failures are required.
As a result of this analysis, two changes to the system design were suggested to reduce the potential for overhead accumulator overpressurization, subsequent explosion, and fire. The addition of a second pressure control valve in series with the existing pressure regulators would provide an extra level of protection against vessel overpressurization. This second valve would regulate fuel gas supply pressure to a value below the vessel design pressure. A second possible solution is the addition of a valve to automatically isolate the fuel gas source on high process system pressure.
IV. RESULTS OF THE HAZARDS ANALYSIS
The hazards analysis performed for this facility was based on the identification hazards using fault tree development based on prior experience, checklists, and guidelines. In the early stages, this procedure was similar to other qualitative techniques, such as HAZOPS. Like HAZOPS, this systematic, comprehensive, and deductive methodology enabled analysts to identify and examine system perturbations, their consequences, and potential causes. Unlike other qualitative techniques, however, highly efficient computer codes generate graphic fault tree models and component failure combinations which enable the analyst to quickly evaluate potential process hazards. Analysts were also able to identify multiple or common cause failures and system interactions more efficiently using these fault tree analysis techniques. These developed models can also be readily updated at any time in the future to reflect design or operation changes.
The hazards analysis of this facility resulted in Westinghouse recommendations for several low-cost, large-benefit design changes. Those changes eventually implemented include:
| Install a high pressure alarm on the crude tower set at a pressure below the crude tower and overhead accumulator maximum allowable working pressure. This modification adds a level of protection for events which threaten to overpressurize the crude tower or overhead accumulator by alerting the operator to the event. |
| Install a high-high level alarm on the overhead accumulator to alert operations personnel of the potential for spillage of light hydrocarbon liquids to the compressors in an adjoining facility. This adds a level of protection for prevention of severe damage to the compressors. |
| Install a low pressure alarm on the overhead accumulator and the crude tower, along with a fuel gas supply bypass. This alerts the operator to the potential collapse of the vessels due to vacuum formation and provides a method for supplying fuel gas to the vessels. |
| Install a check valve in the line connecting the closed hydrocarbon drain and flare system. This adds a level of protection against backflow of flare gas to the closed hydrocarbon drain and into a habitable area in the facility. |
| Install pressure safety valves on piping downstream of several pumps to guard against overpressure of downstream piping and vessels. |
| Car-seal-open several valves in the facility to inhibit inadvertent closure of these valves. |
| Provide warnings and operating procedure modifications in the operations manual to help plant personnel operate and maintain the facility safely. |
V. CONCLUSIONS
The results of either real or perceived incidents can quickly jeopardize a business investment making risk management a good investment for today's industry. The application of the approach discussed in this paper can provide tangible benefits to enhance safety and decrease financial risk for complex industrial systems. As an illustration, the potential problem depicted for the petroleum refining facility represents only one of several high priority concerns identified through risk management.
The complexity of the facility, its potential for hazards due to the nature of its process, and the high capital investment involved made it a prime candidate for risk management. Through the risk management study, areas of safety concern were systematically identified, analyzed, and qualitatively evaluated for their overall contribution to the delicate balance between the likelihood of a hazard versus its potential financial or safety impact. Using the study to tip the balance in their favor, facility owners gained an increased awareness of process problems and made cost-effective and safety-conscious decisions toward minimizing risk.
