This Technical Measures Document (TMD) is concerned only with the emergency isolation of plant following a breach of containment. The routine isolation of plant, pipework, control systems and electrical systems for maintenance purposes is considered in TMDs on:
Relevant SRAM Level 2 Criteria:
Having paid due attention to the question of inherent safety, the focus when addressing the risk of a major accident turns to measures that prevent loss of containment. Such measures seek to reduce the likelihood that the consequences of a major accident will be realised. However, preventive measures cannot be 100% reliable. Even when all reasonably practicable preventive measures are in place, some residual risk remains. The Operator of a COMAH installation has a duty to ensure that residual risks are made ALARP. Accepting that preventive measures may fail, the risk associated with a loss of containment event may be reduced further by measures to limit (or mitigate…) the consequences. The facility to be able to close strategically located valves and isolate sections of plant following a breach of containment is a key Technical Measure. By isolating the upstream plant, the total quantity of substance that escapes, and hence the scale of the consequences of the release, can be reduced.
Other approaches to the management of hazardous inventories in an emergency are possible. These include systems to depressurise, divert or "dump" material to another safe location. Such systems may be preferred, particularly for complex interconnected plant, e.g. refineries. Large numbers of isolation valves may result in operational difficulties and indeed can introduce new hazards. However, the absence of isolation valves needs to be justified by the implementation of alternative measures that are at least as effective, and ALARP for the circumstances.
For the purposes of the ALARP demonstration, the safety report should identify a representative set of major accident scenarios, selected from the overall list of scenarios identified for the installation. For some of these scenarios, the provision for emergency isolation will serve to reduce the duration of a release and the overall quantity lost. Both these factors will influence the extent and severity of the consequences. Depending on the proximity and distribution of the surrounding population, this may reduce the risk associated with that major accident.
Isolation valves can be manual, or remotely operated. Remote isolation may require operator intervention or may be activated automatically - e.g. by pressure sensors, gas detectors or other instrumentation.
Factors influencing the decision about which method is appropriate include:
The ALARP demonstration should show that the Operator has considered the benefits of emergency isolation in reducing risk from the scenario(s) in the representative set. It should show that the implications of the various methods of operation (manual, remote activation and automatic) have been properly considered. The decision whether or not to provide isolation valves and the activation method chosen should be consistent with current good practice as a minimum. But unless the application of good practice makes risks from the installation broadly acceptable, then there should be a demonstration that a higher standard (if available) is not reasonably practicable. So if, for example, it is good practice to provide a manual isolation valve, but the risks are such that a ROSOV is reasonably practicable, then one should be fitted.
The provision for emergency isolation is only one small part of the total package of measures needed to make risks ALARP. In forming a judgement about the adequacy of arrangements for emergency isolation, the first port of call will usually be to relevant sector/industry guidance on good practice. In the absence of more specific guidance, reference may be made to generic guidance, or analogies drawn between the case at hand and others for which advice is available.
The following section introduces users of this manual to some of the key existing guidance relevant to this topic.
The following generic guidance will be of use when the situation being assessed does not fall within the scope of more specific guidance. Where the application of existing good practice results in residual risks in the ALARP region, generic guidance may be useful in assessing the provision for emergency isolation as an additional risk reduction measure.
1. "Emergency isolation of process plant in the chemical industry": HSE Information Sheet - Chemicals Sheet No 2
This Chemicals Information sheet was produced in response to the report of the investigation into the fire at the Associated Octel Company. One of the key conclusions of the report was that the incident escalated rapidly because it was not possible to isolate the initial release. This would have been possible if ROSOVs were fitted as they were elsewhere on the site. In the event, plant personnel were unable to safely access manual isolation valves while the release was in progress, and were put at substantial risk in the attempt.
The report placed actions on Operators to review their provision of ROSOVs and on HSE to develop and publish guidance. The information sheet was HSE's interim response, pending the development of more detailed guidance. The document gives a broad, but fairly shallow overview of the issues surrounding emergency isolation and the use of ROSOVs. It retains a large element of "goal-setting" and does not attempt to define particular sets of circumstances in which there would be an expectation that a ROSOV would be provided.
The information sheet provided a useful introduction to the topic of emergency isolation but it was recognised that more detailed guidance was needed on when it would be considered good practice to provide ROSOVs (or other equally effective measures…). The aim of this new guidance, due for publication during 2004, was to expand upon the advice given in the information sheet, and to provide clearer benchmarks, in the form of decision criteria. These criteria could be used to identify circumstances in which it was judged that it would be good practice to provide ROSOVs unless another equally effective approach was taken to managing hazardous substance inventories in an emergency.
The guidance recognises the issues associated with retrofitting of ROSOVs to an existing plant. The criteria can be used to identify areas where the absence of an effective means to rapidly isolate inventories exists, which if not addressed by other means, increases the risk of a major accident. In these circumstances there needs to be an explicit demonstration that the measures in place make risks ALARP or that retrofitting of a ROSOV or another alternative method of mitigation is not reasonably practicable. Duty holders are not expected to justify the absence of a ROSOV if they have already demonstrated that an alternative approach has been taken that is ALARP for the circumstances. The absence of a ROSOV where one is indicated by the guidance and no evidence that other equivalent measures have been taken calls for an explicit demonstration that a ROSOV is not reasonably practicable.
In keeping with the policy set out in the ALARP suite every attempt was made to refine the structure and format of this document to minimise the risk of it being used inappropriately. In particular a quite detailed scope section, setting out the applicability of the guidance is included:
Substances are limited to those that are:
Substances with the primary classification Dangerous to the Environment are excluded, though the EA/SEPA were consulted with the aim of avoiding any conflicts between respective requirements.
Offshore installations and Transmission pipelines are explicitly excluded, as is application to Petroleum Retail.
The guidance is concerned solely with the use of remotely operated valves for emergency isolation and it does not cover isolation for maintenance or the use of ROSOVs to control exothermic reactions. No detailed advice is given on the selection of valves or the various detection systems that may be used to activate ROSOVs automatically (ASOV).
Where it is evident in the report that there are items of plant containing significant quantities of hazardous substances it is reasonable to expect a discussion of the Operator's overall approach to managing these in the event of a loss of containment downstream. A more detailed treatment will be needed where emergency isolation is relevant to one or more major accident scenarios in the representative set used for the ALARP demonstration. The discussion should include the basis for any decision made not to provide ROSOVs, to demonstrate that there is a robust management process behind it. If none of the key major accident scenarios discussed in detail cover this topic, the technical assessor may wish to consult with the predictive assessor to reach a view on whether the major accidents described are truly representative of the risks from the installation. If satisfied that the set is representative then emergency isolation may be a suitable topic for inspection.
Where provision for emergency isolation (or another means of inventory management) is identified during the assessment as one of the key risk controls, it is appropriate to verify this by inspection. However, it is possible that the topic will not have been dealt with in detail during assessment. But an inspector may become concerned during inspection that there are items of plant with the potential to release large quantities of hazardous substances following a foreseeable failure downstream without any measures to manage this emergency being apparent. The first step in tackling this could be to inspect part or all of the installation against relevant good practice. Relevant good practice includes the generic guidance previously discussed and any more specific guidance such as that discussed below.
Where there are deviations from current good practice, it will be necessary for the Operator to show that either they have implemented other equally effective measures, or that the installation has been upgraded to current good practice so far as is reasonably practicable. The cost of implementing some measures retrospectively will not differ significantly from that of implementing them on a new installation. A determination of the reasonable practicability of a particular package of measures is effectively made when the good practice is established and should only be revisited if there are significantly greater costs associated with retrofitting.
A strong line on retrofitting is appropriate where it is clear that the good practice was well established at the time the installation was constructed. The principle is not what it is "reasonably practicable" to do to remedy the current situation, but the fact that they did not do what was "reasonably practicable" in the first instance. Duty holders are obliged to keep themselves informed of such matters, and therefore should bear the cost of their mistake or oversight.
More specific guidance on emergency isolation is available for some types of major hazard installation including:
Specific guidance may be made available because:
This guidance may be produced by HSE or by other groups including major employers and trade associations. Where possible, representatives of the industry concerned are encouraged to produce their own guidance, which will benefit from their particular insight.
Wherever chlorine is stored in large quantities there is the potential for a release of toxic gas that may, subject to various factors including weather and the local terrain, disperse over large distances and cause harm to numbers of persons on and off-site. These installations rank among the most significant of those for which the HSE's Hazardous Installations Directorate is responsible.
1. HS (G) 28 (rev) Safety advice for bulk chlorine installations, HSE, 19991
Extensively revised in 1999, foremost among the guidance available to HSE Technical Assessors is this publication. However, application of the guidance, particularly to existing installations, requires a degree of interpretation. Parts of the guidance remain "goal setting" and require the user to assess whether or not particular measures are reasonably practicable in a particular case. It is therefore necessary for any ALARP demonstration using HS (G) 28 (rev) as its foundation, to include the relevant demonstrations where the options described have been rejected as not reasonably practicable.
In some places the language in the guidance is rather vague. Measures that are "recommended" in the guidance would normally be considered to be good practice and therefore should be implemented on any new installation. Retrofitting of measures to an existing installation is a more complex decision and may have to be considered on a case-by-case basis. However, the onus will be on the duty holder to show that the measure is not reasonably practicable to implement. Arguments based on professional judgement alone are unlikely to make a convincing demonstration unless the installation is at the low end of the proportionality spectrum. Where guidance urges duty holders to "consider" particular controls, then the expectation is that for any installation with risks in the ALARP region, an explicit evaluation of these options will be made, where they are relevant controls for the scenario being discussed.
The plain text in the following section below details the minimum standard required for any new installation. Additional text highlighted in blue bold gives a commentary on the standard and discusses circumstances in which a higher standard may be required.
Paragraph 91 of the guidance recommends isolation valves should be fitted directly to the branches on the manlid or the tank so that any pipework with branches or tee connections can be isolated.
This paragraph also states that the system should be designed such that only gaseous chlorine (from the vessel head space) will be released via these connections if they fail. The implication is that such relatively low pressure, gaseous releases represent a lower risk. Consequently, manual operation of these particular isolation valves may be justifiable if their operation does not require the operator to enter an area containing a dangerous concentration of chlorine gas. HSE's generic guidance on remotely operated shut off valves defines a dangerous concentration as one from which a typical individual could not escape unaided.
Paragraph 95 recommends that on the liquid chlorine inlet line a main isolation back up valve should be provided, which may be remotely operated. If a manual back up valve is used, the isolation valve at the delivery point end of the pipework should be remotely operable from the emergency stop points.
Paragraph 97 advises that on the chlorine outlet line, the main isolation valve needs to be backed up by an additional valve to enable isolation if one valve fails to seat effectively. Depending on the local piping arrangement, provision of one or more remotely controlled valves is recommended for emergency control. A remotely operated valve, which is designed to give positive isolation and which is suitably positioned may also serve as one of the two isolation valves required above.
Paragraph 75 suggests that conical plug valves, PTFE sleeved, are satisfactory for isolation of liquid chlorine lines, particularly when quick isolation may be required.
Paragraph 77 reports that ball valves with spherical turning limited to a quarter-turn, PTFE seals and straight-through flanging can be used for isolation in liquid chlorine lines.
Paragraphs 76 and 78 advise that where conical plug valves or ball valves are used then provision needs to be made to avoid the problems arising from liquid chlorine trapped in the bore when the valve is closed. Where the valves are unidirectional, clear indication of the direction of flow needs to be made to assure correct installation.
Paragraph 79 Advises that for remotely controlled valves, the rate of closure should not be so rapid that it causes undue pressure surges. The standard rate of closure should be satisfactory for pipework up to 50mm diameter. Long runs of larger diameter pipework may require lower rates of closure to prevent liquid hammer. Advice should be sought from the valve supplier.
Installations storing qualifying quantities of LPG also make up a significant proportion of the installations for which HID is responsible. These range from relatively small installations storing LPG in cylinders and smaller bulk tanks to very large installations within manufacturing complexes and refineries. These installations can cover a broad band of proportionality and perhaps as a result there is no single recognised package of measures that is considered good practice for all. Installations at the low to medium scale are generally served by the various codes of practice produced by the Liquefied Petroleum Gases Association (LPGA); while the larger and generally higher proportionality sites may be better served by alternative codes produced by the Energy Institute. (The Energy Institute was created in 2003 by the merger of two key energy organisations - the Institute of Petroleum and the Institute of Energy). This is because some of the measures aimed at preventing or mitigating particular major accidents only become reasonably practicable when the potential consequences are very great; which tends to be linked to failures involving the larger vessels found on the bigger chemical complexes and refineries. Reference should be made to good practice that is appropriate for the scale and nature of the installation. And in either case, the application of good practice alone may not be sufficient to demonstrate ALARP - particularly where there is a significant element of societal risk.
In the past, HSE produced its own guidance for bulk storage of LPG in HS (G) 34 "Storage of LPG at Fixed Installations". Older installations may have been constructed to this standard, much of which has been incorporated into the newer LPGA COP 1: Parts 1 & 42. There are some significant differences between the two codes. Existing installations should be reviewed against current good practice and where this sets a higher standard, should be upgraded if this is reasonably practicable. However, HS (G) 34 is obsolete for new installations and the codes of practice produced by the LPGA generally represent the most authoritative source of current good practice for bulk storage of LPG. Assessors should be aware that the LPGA has produced a number of different codes. Some of these (including COP 1:Part 1 (Above ground) and COP 1:Part 4 (Buried/Mounded)2 have been reviewed and revised in consultation with HSE and carry an endorsement to this effect. Some of the other codes have not been through this process. These may still be useful but may not necessarily reflect current good practice as recognised by HSE.
For larger installations such as those found on refineries, reference may be made to the Energy Institute, Model Code of Practice, part 93. For a long time, it was considered that part 9 had been superseded by the corresponding LPGA codes. But in the context of COMAH, there have been difficulties with the application of the LPGA codes to very large vessels. The LPGA have been reluctant to extend the scope of their code. Accordingly, the Energy Institute undertook to revise and update part 9, however at the time of writing no date was available for release of the updated code.
2. LPGA COP 1 Part 1: Design, Installation and Operation of Vessels Located above Ground2
LPGA COP 1 Part 1:1998 (Amended September 2001) This Code of Practice replaces both the 1991 edition and HSE publication HS(G)34 "The Storage of LPG at fixed installations" (with the exception of text related to Buried/Mounded Vessels which is replaced by LPGA COP 1 Part 4) and the 1978 edition of COP 1 Part 1. It comprises 9 comprehensive sections covering plant location and safety distances, design of the vessels and associated equipment, fire precautions, electrical requirements, installation and commissioning, operations and records. The Code has been completely redesigned to make it easier to use. It includes new diagrams and tables to add clarity to the contents.
LPGA COP 1 Part 1 is recognised by HSE as an authoritative source of Good Practice for the storage of LPG in bulk, in above ground tanks. As set out in the ALARP suite, HSE expects duty holders to implement Good Practice as a minimum for a new installation, and existing installations should be upgraded to the same standard so far as is reasonably practicable. This is a minimum standard and conformance with this standard alone may not achieve an ALARP solution. Duty holders should always consider if there are any additional measures that would reduce the risk, and assess these for reasonable practicability.
The plain text in the following section below details the minimum standard required for any new installation. Additional text highlighted in blue gives a commentary on the standard and discusses circumstances in which a higher standard may be required.
This paragraph states the requirement for the fitment of shut-off valves either manual or remotely actuated for all connections on the vessel other than safety relief valves) where the passageway into the vessel is greater than 1.5mm diameter.
Where there are no mechanical joints between the shut-off valve flange and the vessel, and the intervening piping is designed, constructed, and tested in accordance with the vessel's design code, the shut-off valve may be located at the downstream end of that length of piping.
This represents a conditional relaxation to the normal presumption that the isolation valve will be located as close to the vessel as practicable.
This paragraph specifies the type of shut-off valves required by 184.108.40.206 for connections of greater than 1.25"(ca 32mm) nominal bore and the applicable standards for design (BS 5351)4 and fire-test (BS 6755 Part 2 or equivalent)4. These should be ball valves, except for vessels up to 9000 litres (4 tonnes) when proprietary combination multi-valves are acceptable.
A ROSOV, an excess flow valve, or a back check valve (non-return valve) should be fitted to all connections into the vessel greater than 3mm diameter for liquid and 8mm diameter for vapour (with the exception of those for relief valves). A back check valve should only be used on a fill line or a liquid return line.
For installations with liquid service pipework having a nominal internal diameter of greater than 25mm (in HSG34 this value was 19mm) the manual valve required by 220.127.116.11 should be provided with an emergency remote actuation facility where: there is frequent making/breaking of connections ["frequent" is open to interpretation, but is assumed to refer to regular, routine coupling and uncoupling operations as a part of normal operation, rather than irregular activities associated with e.g. maintenance]; or the public has uncontrolled access; or circumstances (numbers, location, lack of familiarity with emergency procedures) make rapid evacuation difficult; or the vessel water capacity exceeds 22500 litres (100 tonnes) unless the connection is either: protected by an excess flow valve or back check valve and the connection or pipework contains a device giving equivalent protection; or it is a drain valve connection.
The minimum standard that can be deduced from this is a manual isolation valve plus either an excess flow valve or a back check valve for any vessel larger than 100 tonnes.
However, these are not considered to give an equivalent standard of protection to a ROSOV. Therefore any safety report ALARP demonstration should consider whether the higher standard (ROSOV) is reasonably practicable. For a new installation this may lead to the conclusion that a ROSOV should be fitted in preference.
For vessels smaller than 100 tonnes, there is not the same presumption in the code that these measures will be taken in every case. However, the same duty to demonstrate ALARP exists and the good practice for larger vessels may be used to identify options for further risk reduction that may be appropriate for smaller vessels in a particular case.
For small scale installations where a remotely operated shut-off valve is not a practicable proposition, such a device referred may take the form of a pump differential valve arranged to close automatically when the pump is stopped.
Smaller pipe sizes for vessels meeting one or more of the criteria above may also require a remotely operated shut-off valve if the person in control of the liquid flow (for example at a cylinder filling plant) is located some distance from the vessel, such that prompt closure of a manual valve at the vessel may not always be possible.
The shut-off valve should be capable of remote actuation to close the valve, and should also close automatically on loss of actuating power or fire engulfment. The valve's fire performance should meet the requirements of BS 6755 part 24 or other recognised standard giving at least an equivalent level of performance.
The valve should preferably be the primary shut-off valve and mounted on or as close to the vessel as practicable and in any case no further than 1.5m. The pipework connecting this valve to the vessel should be as short as possible, and should be given the same degree of fire protection as the vessel itself.
Where valve actuators are fitted, they should be sized to operate the valve at the maximum pressure that may be reached in service. Pneumatically operated actuators should have a speed control on the opening cycle to avoid inadvertent operation of the excess flow valve.
Any manual override facility provided on a valve with power actuator should be capable of disconnection, designed so that it will not create a hazard to an operator in the event of unexpected closure.
The operation of all manual isolation valves should be clear. The operating points for remotely operated isolation valves should be clearly identified and the mode of operation marked.
Where necessary a suitable notice to warn of remote actuation should be placed on or near the valve.
This section of the code states that drive away protection devices either on the vehicle or the fixed installation "should be used to ensure that a hazard cannot occur if the vehicle is moved before the hose is disconnected". Examples of such devices include "Means to shut emergency isolation valves on both fixed plant and the tanker automatically".
The Code does not set a limit on the size of the vessel - excepting the overall minimum of 150 litres set out in the scope.
Previously, Paragraph 156 of HS (G) 34 suggested "Consideration should be given to the provision of a 'drive-away' protection device on all installations with vessels of 9000 litres capacity (4te) or above".
3. Model Code of Safe Practice part 9: Liquefied Petroleum Gas. Vol 1. Large Bulk Pressure Storage & Refrigeration LPG. (Energy Institute). ISBN No: 0 471 91612 93
Provides guidance to safe practice in the design, operation and inspection of large LPG storage.
Paragraph 2.3.8 recommends that an emergency shut-off valve be fitted to all liquid and vapour connections, which are larger than 3 mm for liquids and 8 mm for vapour, other than for relief valves, level gauges and drainage connections. The guidance recommends that the emergency shut-off valve be installed in addition to manual shut-off valves. Where the shut-off valve is actuated, can be operated from a safe area and is of the fail-safe type, then an additional emergency isolation valve is not deemed necessary. The shut-off valve should be located as close to the vessel connection as practicable.
Paragraph 2.3.8 considers three types of emergency shut-off valve;
Paragraph 18.104.22.168 recommends the construction of shut-off valves be of the fire-safe type.
Paragraph 2.4.15 recommends the installation of emergency shut-off valves in pipelines, to which hoses and articulated connections are linked, to limit the discharge of LPG in the event of their failure.
Pressure surges arising from the rapid closure of emergency shut-off valves need to be considered at the design stage.
The chemical release and fire at the Associated Octel Company Limited, A report of the investigation by the Health and Safety Executive into the chemical release and fire at the Associated Octel Company, Ellesmere Port on 1 and 2 February 1994, Published 1996. ISBN No: 0 7176 0830 15.
Selection criteria for the remote isolation of hazardous inventories - CRR 205/1999
The Chemical Release and Fire at the Associated Octel Company Limited, Ellesmere Port, Cheshire. 1st February 1994
Full details of the incident and the findings of HSE's investigation are described in the above report.
The incident started with a release of reactor solution from a re-circulating pump near the base of a 25 tonne ethyl chloride (EC) reactor vessel at the factory. The reactor solution was highly flammable, corrosive and toxic, mainly consisting of ethyl chloride, a liquefied flammable gas, mixed with hydrogen chloride a toxic and corrosive gas, and small quantities of solid catalyst, aluminium chloride.
In spite of attempts by on-site and external emergency services to isolate the leak, a cloud of vapour and a pool of liquid formed. Approximately 90 minutes after the release started the flammable vapours of ethyl chloride ignited, causing a major pool fire, which was most intense at the base of the reactor. The fire caused damage to other flanges. Despite their being protected by an intumescent fire protection coating, there were concerns that two process vessels exposed to jet flames might explode. This had the potential to damage chlorine vessels on an adjacent plant.
The leak occurred at a point between fixed pipework and the discharge port of a pump re-circulating liquids to the reactor. HSE believes the most probable cause was the failure of a corroded securing flange on the pump working loose. The most likely source of ignition was an electrical control box for a compressor nearby.
Attempting to isolate the release two fire fighters and an Octel employee entered the white cloud that had formed, wearing protective suits and breathing apparatus, to close manual isolation valves. They were successful in closing the manual valves on the reactor outlet to the pump manifold and the discharge outlets of two associated pumps. These did not stop the leak. Two further isolation valves including one half way up the reactor proved too difficult to reach given their height and the presence of the cloud. Foam was applied to the evaporating pool of ethyl chloride but did not prevent ignition and flash back, leading to a pool fire around the base of the reactor.
Those entering the cloud were exposed to risks from toxic and corrosive vapours and a potentially explosive atmosphere. The PPE used gave a measure of protection against the toxic and corrosive components. One of the fire fighters had to be led out of the cloud because the corrosive effects of the vapour had obscured his facemask. If he had become separated from his companions he might not have been able to escape the area before exhausting his air supply. Had ignition occurred while the three men were in the vicinity it seems likely that some or all would have been seriously injured or killed.
Reliance on manual valves meant that persons were put at risk trying to effect isolation and the difficulties experienced in accessing the valves meant that their efforts were ultimately unsuccessful. Reliance on PPE to protect persons operating plant is contrary to the principles of COSHH. Had remotely operated shut off valves been provided to allow rapid isolation of the principal process vessels from a safe(r) location, the risks to personnel dealing with the emergency would have been greatly lessened. The fire might have been avoided or its scale substantially reduced.
The role of good practice in assessing compliance with the law is discussed in the ALARP suite, published on HSE's Web Site. Where there is relevant good practice applicable to the circumstances then HSE expects this to be implemented for any new installation, as a minimum. This is not a bar to other approaches as long as they are equally or more effective in controlling risk. Existing installations should be upgraded to reflect current good practice, but only so far as is reasonably practicable. In some cases, it may not be practicable to retrofit measures, or the costs of doing so retrospectively are so much greater as to become disproportionate.
Guidance on good practice may be found in a variety of forms including published HSE guidance, national and international standards and industry-developed codes. Guidance may be generic, or it may be tailored to the specific needs of a particular industry or sector.
Where the implementation of good practice is sufficient to reduce risks from the installation to the broadly acceptable level then that, subject to verification, may be sufficient to demonstrate that all measures necessary have been taken. Conversely, when risks remain in the ALARP region following the application of all relevant good practice, then duty holders are expected to demonstrate that they have considered and where applicable implemented any additional reasonably practicable measures.