CHEMICAL ENGINEERING TRANSACTIONS, VOL. 82, 2020
A publication of The Italian Association of Chemical Engineering
Online at www.cetjournal.it
Guest Editors: Bruno Fabiano, Valerio Cozzani, Genserik Reniers
Copyright © 2020, AIDIC Servizi S.r.l.
ISBN 978-88-95608-80-8; ISSN 2283-9216

Recursive Operability Analysis as a Tool for Risk Assessment in Plants Managing Metal Dusts

Marco Barozzi (a), Martina S. Scotton (a), Marco Derudi (b), Sabrina Copelli* (a)

(a) Università degli Studi dell'Insubria, Dept. of Science and High Technology, Varese, Italy
(b) Politecnico di Milano, Dept. of Chemistry, Materials and Chemical Engineering "G. Natta", Milano, Italy
sabrina.copelli@uninsubria.it

In industrial processes, it is not uncommon to replace regular processes and procedures with temporary ones, due to factors such as maintenance operations or the breakdown of equipment or machines. The risks associated with implementing these temporary procedures are not analyzed, because the procedures are usually applied for short periods. Nevertheless, a lack of proper attention to the introduction of such modified procedures can lead to unfortunate and unpredictable accidents. In order to update the risk assessment document properly, fast and effective methods are needed, but widely acknowledged methods are not currently available. In this work we propose the Recursive Operability Analysis – Cause Consequence Diagrams as a fast and efficient tool to include temporary and/or special procedures in an already developed risk analysis. The model was applied to the Zhong Rong Metal Products Co case study, which witnessed a severe explosion of an aluminum-alloy dust. The accident was mainly due to the implementation of a manual procedure to clean the bag filters present in the plant, following the breakdown of an electric motor. Results show that the update of the risk analysis can be performed in a fast and efficient way.

1. Introduction

An adequate safety level in the process industry can be reached only by knowing in detail the characteristics of all the processes and procedures involved. In this sense, Quantitative Risk Analysis (QRA) has proved, and is still proving, to be an effective tool to perform a proper risk assessment (Casal, 2018; Khan et al., 2015; Marhavilas et al., 2011). In a real plant, it is possible that, due to extraordinary maintenance or faulty equipment, a regular procedure is replaced by a different one, usually more reliant on human operators, in order to fulfil the requirements of the production line. Also, risk analyses are not always updated according to these changes. This fact is scarcely analyzed in the current literature, although many indirect references to the issue can be found. Barton and Nolan already hinted indirectly at the effect of sudden, uninvestigated new procedures in their work (Nolan and Barton, 1987). More recent industrial accidents provided unfortunate evidence about this topic: this is the case of the Imperial Sugar refinery dust explosion (2008) (Chemical Safety Board, 2009), the Seveso accident (1976) (Lees, 2005), the Synthron Chemical accident (2006) (Chemical Safety Board, 2007) and the more recent explosion at the Zhong Rong Metal Products Co (2014) (Li et al., 2016). In each of these accidents, it is noticeable that some non-standard operations or procedures were introduced at some point of the plant or in a certain process and, apparently, these changes were never considered in the risk assessment.

It would be extremely useful to have tools to update a risk assessment in a fast and efficient way. Some of the best-known and most used methods, such as HazOp (Crawley and Tyler, 2015) and FMEA/FMECA (Liu, 2019), lack an organization of the collected information into a set of structured data. Thus, updating a risk assessment following a situational change of regular industrial procedures may be excessively time consuming.
In this work, the Recursive Operability Analysis with Cause Consequence Diagrams (ROA-CCD) (Contini et al., 2015, 2016) is considered and implemented for this purpose. The ROA-CCD is essentially an evolution of the original ROA (Piccinini and Ciarambino, 1997), and it allows for an automatic generation of fault trees. From the fault trees, the computation of the probability of occurrence of an unwanted event is then straightforward. Recursive Operability Analysis has already proved to be a consistent tool to perform risk assessment on chemical plants (Demichela et al., 2002), and given its high flexibility and generality, it can be used for several risk assessment purposes.

DOI: 10.3303/CET2082008
Paper Received: 3 February 2020; Revised: 28 March 2020; Accepted: 28 August 2020
Please cite this article as: Barozzi M., Scotton M., Derudi M., Copelli S., 2020, Recursive Operability Analysis as a Tool for Risk Assessment in Plants Managing Metal Dusts, Chemical Engineering Transactions, 82, 43-48 DOI:10.3303/CET2082008

2. Materials and Methods

This work shows how it is possible to update a risk analysis performed with the ROA-CCD method, given deviations from the original process. At first, the ROA-CCD method requires the compilation of the ROA table (Table 1). The ROA table condenses the information of the HazOp (Node-Deviation-Variable) in a single column, and combines causes and consequences in a structured way, based upon the principle of causality.

Table 1: Classic ROA table
Column headers: Rec; NDV; Causes; Consequences due to protections failure; Plant state with protections working correctly; Protections; Notes; TE
Protections sub-headers: Manual; Automatic safety systems actions; Alarm (optical/acoustic); Operator actions on components
Column numbers: 1 2 3 4 5 6 7

Once the ROA table is complete, Cause Consequence Diagrams can be generated from each record according to the method proposed by Contini et al. (Contini et al., 2016).
From the combination of all CCDs, the final fault tree is generated for each Top Event identified in the analysis. In order to update an analysis following process modifications, some data are required:
• Which components/human operations are involved?
• Which process variables are affected by the new procedure?
• What are the new failures/human errors involved?
• How may the new errors/procedures impact the system?
After this information is collected, the ROA table can be updated accordingly, and so can the fault trees and the estimate of the new probability of occurrence associated with the Top Event(s).

2.1 Case study

The polishing area of the Zhong Rong Metal Products Co is considered as the case study for this work. On August 2, 2014, a catastrophic dust explosion occurred at an industrial facility in Kunshan (China) (Li et al., 2016). The plant was dedicated to polishing aluminum-alloy wheel-hubs, with a workplace including about 350 workers.

Figure 1: Scheme for the polishing line

The plant was organized in 32 polishing production lines (16 polishing lines on the basement and 16 polishing lines on the first floor). Along each line, there were 12 working stations. A dust venting pipe was connected to every 2 polishing lines, with bag filters as equipment to purify the air (8 in total). After the cleaning operation, which was handled by a mechanical vibrating system, the residual dust was collected inside dedicated steel barrels, located at the bottom of each bag filter. It was highlighted that at a certain point, due to the breakdown of the electrical motor, the cleaning operation of the bag filters was manually handled by workers (Li et al., 2016). This fact contributed to the accumulation of dust deposits inside the bag filter enclosure, allowing concentrations above the Minimum Explosive Concentration (MEC) (Eckhoff, 2003), that is 40 g/m³ (Li et al., 2016).
The ignition source was supposed to be an exothermic reaction between aluminum-alloy dust and water which accumulated inside the external collection barrels. Water would infiltrate a barrel due to abundant rain and corrosion of the steel bottom. From there, a fire would start, reaching the Minimum Ignition Temperature (MIT) (Eckhoff, 2003) of the dust cloud, that is 540°C (Li et al., 2016).

In order to apply the proposed method, a ROA-CCD on the original plant must be carried out. A single line will be considered as an example, since all 12 working stations can be considered equal. Figure 1 represents a line, highlighting the nodes for the analysis.

Table 2: ROA table for the regular process (node 1)
Column headers: Rec; NDV; Causes; Cons.; Plant state with protections working; Protections; Notes; TE
Protections sub-headers: Manual; Automatic safety means; Alarm; Operator actions
1.0 1hC Suction fan broken OR Bag filters clogged Aluminum dust spillage System goes back to normal functionality - Pressure drop reader - - Aluminum dust cannot be sent to the dust filter TE1
1.1 1hT Friction spark Local fire An operator may generate a spark by dropping a wheel hub TE2

Components involved are the following: grinders, used for polishing, a suction fan, bag filters, a vibrating motor for cleaning operations, electric equipment (wires), the steel barrel itself, piping and pressure drop control loop. In the regular process, operators can interact with the process on the workstation and with the barrel (operators should manually change it twice per week (Li et al., 2016)). Process variables involved are: concentration C of aluminum dust, mass m of aluminum dust (indicating a dust deposit), level L of water, temperature T of the air.

Table 3: ROA table for the regular process (node 2). 2.1 and 2.2 indicate the filter bag enclosure and the clean side, respectively
Column headers: Rec; NDV; Causes; Cons.; Plant state with protections working; Protections; Notes; TE
Protections sub-headers: Manual; Automatic safety means; Alarm; Operator actions
2.0 2.1hC Cleaning operation (motor) 2.1hT - - - - Concentration >MEC
2.1 2.2hC Wearing of bag filters Fan wearing AND Aluminum dust released in the environment - Pressure drop reader - - - TE3
2.2 2.1hT (3hT OR Electric spark) AND 2.1hC Dust explosion - - - - TE4

Ignition sources considered are: friction spark, electric spark (Eckhoff, 2003), exothermic reaction between water and aluminum dust (Li et al., 2016). Tables 2, 3 and 4 report the ROA analysis performed on nodes 1, 2 and 3, respectively. In this case, it was necessary to distinguish between the clean part of the bag filter (node 2.2) and the part processing dirty air (node 2.1). According to the ROA analysis, the most severe Top Events are local fire (TE2), which can take place inside the barrel and in the production line, and a primary dust explosion (TE4). A dust explosion can occur during the regular cleaning operation, where the dust dropping from the bags generates a dust cloud inside the MEC range.

Table 4: ROA table for the regular process (node 3)
Column headers: Rec; NDV; Causes; Cons.; Plant state with protections working; Protections; Notes; TE
Protections sub-headers: Manual; Automatic safety means; Alarm; Operator actions
3.0 3hL Raining AND Corrosion of the barrel 3hT (water can trigger a reaction with aluminum dust) System goes back to normal functionality Visual inspection Replace the corroded barrel Use plastic barrels
3.1 3hm Barrel full OR Barrel change not performed 3hT AND Barrel completely full System goes back to normal functionality Visual inspection Replace with an empty barrel TE5
3.2 3hT 3hL AND 3hm 3hT (Local fire) AND 2.1hT - - - Temperature may reach the MIT TE2

It is known that, at some point, the vibrating motor broke down, and the cleaning operation was then manually performed by operators every day. How is it possible to update the risk analysis, in order to estimate the hazards represented by the introduction of this process modification? Following the steps proposed, it is possible to obtain meaningful information:
• Which components/human operations are involved? Components involved are bag filters and the vibrating motor (unavailable). Operators need to perform a new task.
• Which process variables are affected by the new procedure? The only process variable directly involved is aluminum dust concentration in the bag filter enclosure. According to new errors and failures, air temperature and aluminum dust concentration in the clean side of the venting line may be involved too.
• What are the new failures/human errors involved? Since the new operation is entirely human-based, the errors are related to this: operators may omit the procedure (they forget to clean the bags), or an operator may break the bags during the operation.
• How may the new errors/procedures impact the system? Due to the breakdown of the vibrating motor, electric spark is not an issue anymore. Also, operators may rip the bags or generate a friction spark during the operation. Finally, pressure drops and dust concentration inside the enclosure change, because the manual cleaning is carried out only in the morning: pressure drops are thus higher over the day, causing a reduction of the air flowrate, and bags are more easily worn (Green and Perry, 2007).

Table 5 collects the modified elements of the ROA, according to process modifications.

Table 5: Modified ROA records
Column headers: Rec; NDV; Causes; Cons.; Plant state with protections working; Protections; Notes; TE
Protections sub-headers: Manual; Automatic safety means; Alarm; Operator actions
2.0 2.1hC Manual cleaning OR Operator omits procedure 2.1hT - - - - Concentration >MEC
2.1 2.2hC Wearing of bag filters OR Bag ripped Fan wearing AND Aluminum dust released in the environment - Pressure drop reader - - Wearing of bag is increased due to a greater load TE3
2.2 2.1hT (3hT OR Friction spark) AND 2.1hC Dust explosion - - - - TE4
1.0 1lC Suction fan broken OR Bag filters clogged Aluminum dust spillage System goes back to normal functionality - Pressure drop reader - - Bag filters become more clogged over the day TE1

3. Results and discussion

Now that the ROA is complete, it is possible to derive the fault trees (FTs) for all the identified Top Events. The most crucial one, which is a primary dust explosion, will be reported and analyzed. Figure 2(a) reports the FT for the regular process, and Figure 2(b) reports the one for the modified process.

Figure 2: FT for the TE dust explosion with both the regular process (a), and the modified process (b)

Fault trees can be solved with dedicated software, such as OpenFTA or FaultTree+ (Kritzinger, 2017). In this case, OpenFTA 1.0 was used. In order to be properly solved, failure rates/human errors are required. Table 6 shows the values used, recovered from literature databases. Some data required assumptions in order to be defined. According to process information, each day a dust venting line would work for 12 h, with a flowrate of 22300 m³/h and an average concentration of dust equal to 0.1 g/m³ (Li et al., 2016). This results in almost 27 kg of dust deposit in the barrels. It also appears that the barrels would eventually be emptied twice a week. This means that potentially, on 4 days out of 7 of a regular working week, dust is present in the barrel and is sufficient to trigger a significant fire.
In order to define the frequency of the cleaning operation, one cleaning cycle per hour, lasting 30 seconds, was postulated, a reasonable value for a bag filter (Green and Perry, 2007). This gives about 2.3 kg of accumulated dust before the mechanical shaking. For raining, the number of rainy days in the Kunshan region for 2014 was used (“World Weather Online | World Weather | Weather Forecast,” n.d.). The possibility of having a friction spark during the manual cleaning was represented as an error during manual operation (Bello and Colombari, 1980). For the computation of probabilities of occurrence, a Poisson distribution for a mission time of one year was assumed. Now it is possible to numerically solve the FTs, for a mission time of one year. Table 7 collects the main results obtained for the Top Event representing a dust explosion.

Table 6: Failure rates and probabilities of the basic events involved ((a) Lees, 2005; (b) Bello and Colombari, 1980)
Basic event                  Type of failure/event                Failure/Event Rate   Probability
Cleaning operation           Vibrating motor activation           4.0E-03 [1/d]        1.0E01
Manual cleaning              Manual cleaning operation            2.9E-01 [1/w]        1.0E01
Full barrel                  Barrel filled with dust              5.7E-01 [1/w]        1.0E01
Electric spark               Short circuit (electric motor)       1.0E-08 [1/h] (a)    8.76E-05
Bottom corrosion             Corrosion of opened steel layer      3.0E-05 [1/y]        3.0E-05
Raining                      -                                    -                    4.5E-01
Friction spark               Error in manual operation            -                    5.0E-03 (b)
Inspection not performed     Operator does not execute procedure  -                    2E-03 (b)
Barrel change not performed  Operator does not execute procedure  -                    2E-03 (b)
Procedure not performed      Operator does not execute procedure  -                    2E-03 (b)

From the results, it is clearly noticeable that the introduction of process modifications led to an increase of two orders of magnitude in the probability associated with the Top Event, highlighting a loss in process safety. Moreover, the maximum order of the Minimal Cut Sets (MCS) was reduced by one, indicating a safety level reduction.
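The fault tree solution described above can be retraced with the values of Table 6. The following Python code is an added example, not code from the paper or from OpenFTA: it expands a gate tree into minimal cut sets and evaluates the top-event probability for a one-year mission time. The gate structure is an assumption reconstructed from ROA records 2.2, 3.0, 3.1 and 3.2 (Figure 2 is not reproduced here), the 1.0E01 entries of Table 6 are read as probability 1, and all event and function names are chosen for this example.

```python
import math
from itertools import product

def poisson_probability(rate, mission_time):
    """Probability of at least one event in mission_time for a Poisson process."""
    return 1.0 - math.exp(-rate * mission_time)

# Basic-event probabilities over a one-year mission time, taken from Table 6.
PROB = {
    "electric_spark": poisson_probability(1.0e-8, 8760.0),  # 1.0E-08 1/h, 8760 h
    "bottom_corrosion": poisson_probability(3.0e-5, 1.0),   # 3.0E-05 1/y, 1 y
    "raining": 4.5e-1,
    "friction_spark": 5.0e-3,
    "inspection_not_performed": 2e-3,
    "barrel_change_not_performed": 2e-3,
    # Assumption: Table 6 prints 1.0E01 for these two; treated as certain (1.0).
    "full_barrel": 1.0,
    "cleaning_operation": 1.0,
}

def AND(*children):
    return ("AND", children)

def OR(*children):
    return ("OR", children)

def cut_sets(node):
    """Expand a gate tree top-down into cut sets (sets of basic events)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    expanded = [cut_sets(child) for child in children]
    if gate == "OR":  # any child alone produces the gate output
        return [cs for group in expanded for cs in group]
    # AND: one cut set from every child must occur together
    return [frozenset().union(*combo) for combo in product(*expanded)]

def minimal_cut_sets(tree):
    """Drop every cut set that strictly contains another one."""
    found = set(cut_sets(tree))
    return sorted((cs for cs in found if not any(o < cs for o in found)), key=len)

def solve(tree):
    """Return (# of MCS, max MCS order, top-event probability upper bound)."""
    mcs = minimal_cut_sets(tree)
    survive = 1.0
    for cs in mcs:  # basic events are assumed independent
        survive *= 1.0 - math.prod(PROB[event] for event in cs)
    return len(mcs), max(len(cs) for cs in mcs), 1.0 - survive

# Assumed structure for the fire in the barrel (3hT), after records 3.0-3.2.
WATER_IN_BARREL = AND("raining", "bottom_corrosion", "inspection_not_performed")
DUST_IN_BARREL = OR("full_barrel", "barrel_change_not_performed")
BARREL_FIRE = AND(WATER_IN_BARREL, DUST_IN_BARREL)

# Record 2.2, regular process: (3hT OR electric spark) AND dust cloud from cleaning.
REGULAR = AND(OR(BARREL_FIRE, "electric_spark"), "cleaning_operation")
# Record 2.2, modified process: friction spark replaces electric spark; the dust
# cloud above the MEC is taken as always present (assumption).
MODIFIED = OR(BARREL_FIRE, "friction_spark")

if __name__ == "__main__":
    for name, tree in (("regular", REGULAR), ("modified", MODIFIED)):
        count, order, prob = solve(tree)
        print(f"{name}: {count} MCS, max order {order}, P = {prob:.2e}")
```

Under these assumptions the code gives 3 minimal cut sets for both processes, with maximum order 5 and 4 and probabilities of about 8.76E-05 and 5.0E-03, in agreement with Table 7. The two cut sets that contain the barrel fire contribute about 2.7E-08 and 5.4E-11.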
Table 7: FTA results for the Top Event “Dust explosion”
Basic event        Standard process   Modified process
# of MCS           3                  3
Max order of MCS   5                  4
Probability        8.76E-05           5.0E-03

It is interesting to note that the local fire inside the barrels appears to have a low importance as a triggering event, since the dedicated MCS have probabilities around 1.0E-08 for both cases. This is in contrast with the most credited ignition source reported in the literature (Li et al., 2016). It is possible that the low importance estimated here is due to the introduction of the visual inspection of the barrel by the operators, which acts as a protective measure, lowering the likelihood of the associated process failures. Nevertheless, results from this simulation highlight the issues which can arise from not considering process modifications in risk assessments, even if they are supposed to last for short periods of time.

4. Conclusions

In this paper, it is shown that the ROA-CCD technique can be a powerful tool, thanks to its systematic nature, to update risk assessments following process modifications. Such modifications may heavily impact process safety, and lead to extremely severe consequences, as shown by many historical industrial accidents. The method discussed is an attempt to propose a structured and organized method, in order to have a fast and reliable risk assessment update.

References

Bello, G.C., Colombari, V., 1980, The human factors in risk analyses of process plants: The control room operator model ‘TESEO.’ Reliability Engineering 1, 3–14.
Casal, J., 2018, Chapter 11 - Quantitative Risk Analysis, in: Casal, J. (Ed.), Evaluation of the Effects and Consequences of Major Accidents in Industrial Plants (Second Edition). Elsevier B.V.: Amsterdam, NL, 439–481.
Chemical Safety Board, 2009, Imperial Sugar Company Dust Explosion and Fire <https://www.csb.gov/assets/1/20/imperial_sugar_report_final_updated.pdf?13902> accessed 20.12.2019.
Chemical Safety Board, 2007, Synthron Chemical Explosion accessed 20.12.2019.
Contini, P.M., Contini, S., Copelli, S., Rota, R., Demichela, M., 2015, From HazOp study to automatic construction of cause consequence diagrams for frequency calculation of hazardous plant states. Presented at the Safety and Reliability of Complex Engineered Systems - Proceedings of the 25th European Safety and Reliability Conference, ESREL 2015, 347–355.
Contini, S., Contini, P.M., Torretta, V., Cattaneo, C.S., Raboni, M., Copelli, S., 2016, Comparison of classical and “cause consequence diagrams” Recursive Operability Analysis: The T2 Laboratories accident. Chemical Engineering Transactions 53, 109–114.
Crawley, F., Tyler, B., 2015, Chapter 3 - The HAZOP Study Method, in: Crawley, F., Tyler, B. (Eds.), HAZOP: Guide to Best Practice (Third Edition). Elsevier B.V.: Amsterdam, NL, 10–12.
Demichela, M., Marmo, L., Piccinini, N., 2002, Recursive operability analysis of a complex plant with multiple protection devices. Reliability Engineering & System Safety 77, 301–308.
Eckhoff, R.K., 2003, Dust Explosions in the Process Industries. Elsevier B.V.: Amsterdam, NL.
Green, D., Perry, R., 2007, Perry’s Chemical Engineers’ Handbook, Eighth Edition, ed. McGraw-Hill Education, New York, US.
Khan, F., Rathnayaka, S., Ahmed, S., 2015, Methods and models in process safety and risk management: Past, present and future. Process Safety and Environmental Protection 98, 116–147.
Kritzinger, D., 2017, 4 - Fault tree analysis, in: Kritzinger, D. (Ed.), Aircraft System Safety. Woodhead Publishing: Cambridge, UK, 59–99.
Lees, F., 2005, Lees’ Loss Prevention in the Process Industries: Hazard Identification, Assessment and Control. Elsevier B.V.: Amsterdam, NL.
Li, G., Yang, H.-X., Yuan, C.-M., Eckhoff, R.K., 2016, A catastrophic aluminium-alloy dust explosion in China. Journal of Loss Prevention in the Process Industries 39, 121–130.
Liu, H.-C., 2019, Improved FMEA Methods for Proactive Healthcare Risk Analysis. Springer Singapore, CHN.
Marhavilas, P.K., Koulouriotis, D., Gemeni, V., 2011, Risk analysis and assessment methodologies in the work sites: On a review, classification and comparative study of the scientific literature of the period 2000–2009. Journal of Loss Prevention in the Process Industries 24, 477–523.
Nolan, P.F., Barton, J.A., 1987, Some lessons from thermal-runaway incidents. Journal of Hazardous Materials 14, 233–239.
Piccinini, N., Ciarambino, I., 1997, Operability analysis devoted to the development of logic trees. Reliability Engineering & System Safety 55, 227–241.
World Weather Online | World Weather | Weather Forecast accessed 11.12.19.