Risk Analysis

International Journal of
Environmental Research
and Public Health
Article
Risk Analysis of a Fuel Storage Terminal Using
HAZOP and FTA
José Luis Fuentes-Bargues 1, * , Mª Carmen González-Cruz 1 , Cristina González-Gaya 2
and Mª Piedad Baixauli-Pérez 3
1 Departamento de Proyectos de Ingeniería, Universitat Politècnica de València, Camino de Vera s/n,
46022 Valencia, Spain; mcgonzal@dpi.upv.es
2 Departamento de Ingeniería de Construcción y Fabricación, ETSII, UNED, C/Ciudad Universitaria s/n,
28040 Madrid, Spain; cgonzalez@ind.uned.es
3 Universitat de València, Avda. de la Universidad s/n, 46100 Valencia, Spain; mabaipe@alumni.uv.es
* Correspondence: jofuebar@dpi.upv.es; Tel.: +34-96-387-7000 (ext. 85651)
Academic Editor: Jason K. Levy

Received: 10 May 2017; Accepted: 23 June 2017; Published: 30 June 2017
Abstract: The size and complexity of industrial chemical plants, together with the nature of
the products handled, means that an analysis and control of the risks involved is required.
This paper presents a methodology for risk analysis in chemical and allied industries that is based on
a combination of HAZard and OPerability analysis (HAZOP) and a quantitative analysis of the most
relevant risks through the development of fault trees, fault tree analysis (FTA). Results from FTA allow
prioritizing the preventive and corrective measures to minimize the probability of failure. An analysis
of a case study is performed; it consists in the terminal for unloading chemical and petroleum
products, and the fuel storage facilities of two companies, in the port of Valencia (Spain). HAZOP
analysis shows that loading and unloading areas are the most sensitive areas of the plant and where
the most significant danger is a fuel spill. FTA analysis indicates that the most likely event is a fuel
spill in tank truck loading area. A sensitivity analysis from the FTA results show the importance of
the human factor in all sequences of the possible accidents, so it should be mandatory to improve
the training of the staff of the plants.
Keywords: risk; HAZard and OPerability analysis (HAZOP); Fault Tree Analysis (FTA); fuel; storage
1. Introduction
Technological and social development has led to an increase in the size and complexity of chemical
plants. At the same time, the existence of such plants and the transport of their products involve
certain risks that need to be controlled and minimised [1,2].
Risk is understood as the possibility that someone or something is adversely affected by
a hazard [3], while danger is defined as any unsafe situation or potential source of an undesirable
and damaging event [4]. Other definitions of risk are the measure of the severity of a hazard [5],
or the measure of the probability and severity of adverse effects [6].
In recent decades, interest in the safety of chemical industrial plants has greatly increased [2,7].
This has led to the development of a scientific discipline known as process safety that focuses on
the prevention of fires, explosions, and accidental chemical releases in chemical processing facilities [8].
This discipline has as objective to improve prevention in the facilities, learning from accidents and
from continuous analysis of the production process.
Directive 2012/18/EU (or Seveso III) [9] defines as a serious accident an event (such as a major
leak, fire, or explosion) resulting from an uncontrolled process during the operation of any plant and
producing a serious danger, whether immediate or delayed, to human health or the environment, inside
Int. J. Environ. Res. Public Health 2017, 14, 705; doi:10.3390/ijerph14070705 www.mdpi.com/journal/ijerph
Int. J. Environ. Res. Public Health 2017, 14, 705 2 of 26
or outside the plant, and involving one or more hazardous substances. Examples of serious accidents
in industrial processes include: Flixborough in Britain (1974), Seveso in Italy (1976), Bhopal in India
(1984), Enschede in the Netherlands (2000), Toulouse in France (2001) and Buncefield in Britain
(2005) [10–15]. In Spain, examples include an accident at the Repsol refinery in Puertollano (2003)
in which an explosion in a gas storage area killed nine workers and injured many others, as well as
causing property damage.
The complexity and severity of accidents at these plants requires the implementation of risk
management systems. The ISO 31000: 2010 [16] standard defines risk management as “coordinated
activities to manage and control an organisation with regard to risk” and comprises the following steps:
communication and consultation, establishing the context, risk assessment (identification, analysis,
and evaluation), risk treatment, monitoring, and review.
The purpose of this article is to show the procedure for risk analysis in chemical and allied
industries that is based on a combination of HAZard and OPerability analysis (HAZOP) and
a quantitative analysis of the most relevant risks through the development of fault trees, fault tree
analysis (FTA). HAZOP can identify possible fault root causes and their consequences and FTA
develops fault propagation pathways and provides a quantitative probability importance ranking of
fault causes. These results can guide the decision making of management staff to mitigate or avoid
potential process hazards. This working method is applied to a case study consisting of the terminal
for unloading chemical and petroleum products, and the fuel storage facilities of two companies,
in the port of Valencia (Spain).
This paper is organized as follows. Section 1 introduces the theme. Section 2 introduces the main
data of the chemical industry in Spain and the framework for risk assessment process of major
accidents. Section 3 introduces the methodology. Section 4 details a case study with the HAZOP
and FTA analysis. Section 5 presents the conclusions. Appendixs A–D present complementary
documentation of case study.
2. The Chemical Industry in Spain and Serious Accidents
2.1. The Chemical Industry in Spain

Turnover of the chemical industry in Spain totalled €56.39 billion in 2014, representing 12.4%
of industrial Gross Domestic Product (GDP) [17] and making the industry the fourth largest after
the food, transport and metal industries. This is also the second largest sector of the Spanish economy
in terms of exports with 58.1% of sales going abroad.
The largest concentration of chemical companies is found in Catalonia with 43% of total turnover,
followed by Andalusia (12.7%) and Madrid (13.5%). The Valencian Community is in fourth place with
€4.88 billion or 8.4% of total turnover. The chemical sector employed 191,100 people in 2008, a figure
that has fallen to around 174,600 in recent years because of the economic crisis [17].
The Spanish Chemical Industry Federation (FEIQUE) in its 2015 annual report on industrial
accidents in the chemical sector [18] noted that the frequency index was 3.44 (the index frequency
represents the number of accidents for every million hours worked). Compared with data published
by the Ministry of Employment in 2015, this index is lower than the industrial sector index (5.03) and
the construction sector index (6.59). The severity index for the sector was 0.12 (the severity index
represents the number of days lost per 1000 working hours), which reflects the great importance that
is given to safety in the Spanish chemical industry.
2.2. The Regulatory Framework

The disastrous accident at Seveso (Italy) in 1976 led to European Union legislation intended
to prevent accidents in certain industries using hazardous substances and thus limit the impact on
employees, the general population, and on the environment. The resulting standard was Directive
82/501/EEC [19] better known as Seveso I. This regulatory framework established that a manufacturer
company which used in their process hazardous substances listed in the Appendix A or stored
hazardous substances listed in the Appendix B, or both, must develop (among other documents)
interior and exterior protection and emergency plans that include risk assessment.
During the implementation of Seveso I, there were more than 130 serious accidents in Europe
and new risks appeared due to technological advances. Consequently, the European Commission
introduced Directive 96/82/EC (called Directive Seveso II) [20] in 1996. This directive classified plants
into “not affected”, “low risk” and “high risk” according to the quantities of dangerous substances
present. Seveso II was revised in Directive 2012/18/EU or Seveso III [9] with the aim of increasing
levels of protection for people, property, and the environment.
In Spain, in 2016, according to data from the Directorate General for Civil Defence [21],
there were 422 high risk plants subject to the Seveso directive and 470 low risk plants. The geographical
distribution is similar to that for turnover: Catalonia was first with 101 high risk plants (23.9%),
Andalusia with 70 (16.6%), the Valencian Community with 39 (9.2%) and the Basque Country with
28 (6.6%).
According to a study by Planas et al. [2], there have been 89 accidents in Spain since the beginning
of the twentieth century. Some 44% of these accidents occurred during transport, the most serious
accident occurring at Los Alfaques campsite in July 1978 where 217 people died. The second major
source of accidents were processing areas (19%); and the third source were storage areas. Explosions
occurred in 49% of accidents, leaks in 37% and fires in 24%.
The chemical industry has implemented improvements in process safety and environmental
protection with four strategies: inherent safer design; risk assessment processes; use of instrumented
safety systems; and the implementation of safety management systems. In the risk assessment
process, the HAZOP method is the technique most used to identify risks [2]. HAZOP studies
evolved from the Imperial Chemical Industries (ICI) as a “Critical Examination” technique formulated
in the mid-1960s. One decade later, HAZOP was published formally as a disciplined procedure to
identify deviations to the process industries by Kletz in 1978 [22], and some publications [23], corporate
guidelines, standards (IEC 61882 [24]) and national guidance notes (Nota Técnica Prevención (NTP)
238 [25]) were developed after.
3. Methodology
Risk assessment is the process of identifying, analysing, and evaluating the hazard posed by
an industrial plant and the main aim is the prevention and mitigation of accidents in potentially
hazardous facilities [26,27].
The phase of hazard identification is the process in which hazards are identified and recorded.
The analysis phase involves developing an understanding of the hazard and providing information
for evaluation. The evaluation phase involves comparing the estimated hazard levels with predefined
criteria to define the importance of the level of hazard and decide whether it is necessary to address
the hazard—as well as the most appropriate strategies and methods of hazard treatment [8].
Choosing the appropriate risk assessment techniques is a difficult decision that will depend on
factors such as the complexity of the problem, the methods for analysis of the amount of information
available, the need for quantitative data, and available resources [28]. Often, authors combine some
techniques with the purpose of blending, i.e., to take advantage of the strengths of each method whilst
compensating for their weaknesses.
In this paper, the methodology used is based on the combination of HAZOP analysis and
a quantitative analysis of the most relevant hazards by FTA. HAZOP is a qualitative technique
that carries out a structured analysis of the process and allows identifying the deviations that may take
place with regard to the intended functioning, as well as their causes and consequences. HAZOP does
not try to provide quantitative results but, in many situations, it is necessary to rank the identified
hazards, mainly to prioritize the actions to mitigate them because this decision depends of the risk level.
For this purpose, HAZOP is combined with other techniques; in these cases, quantitative techniques
such as FTA. It can identify the potential causes and the ways of failure and can assess quantitatively
the
Int. J.probability of development
Environ. Res. Public Health 2017, 14,of
705the accident. The blending of the two techniques was defined 4 of as
27
positive because minimize the uncertainty [29–31].
There are
There are many
many examples
examples of of blending
blending HAZOP
HAZOP and FTA in
and FTA in the
the literature:
literature: Demichela
Demichela et al. [32]
et al. [32]
developed the
developed the Recursive
Recursive Operability
Operability Analysis
Analysis (ROA),
(ROA), linking
linking HAZOP
HAZOP results
results and
and FTA
FTA development;
development;
Cozzani et
Cozzani et al.
al. [33]
[33] developed
developed aa specific
specific methodological
methodological approachapproach to to analyse
analyse the
the risk
risk from
from hazardous
hazardous
materials in
materials in marshalling
marshalling yards;yards; Casamirra
Casamirra et et al.
al. [34]
[34] integrated
integrated HAZOP,
HAZOP, FTA FTA and
and Failure
Failure Mode
Mode and and
Effect Analysis (FMEA) to assess the safety of a hydrogen refuelling
Effect Analysis (FMEA) to assess the safety of a hydrogen refuelling station; and Kim et al. [35] station; and Kim et al. [35]
combined HAZOP and FTA to carry out safety assessment of hydrogen
combined HAZOP and FTA to carry out safety assessment of hydrogen fuelling stations at Korea. fuelling stations at Korea.
The methodology
The methodology(Figure (Figure 1) begins
1) begins withwith a detailed
a detailed study ofstudy of the industrial
the industrial process and process
substancesand
substances used. Subsequently, an historical analysis of accidents is
used. Subsequently, an historical analysis of accidents is made—which is the study and analysis made—which is the study and
analysis
of accidentsof accidents
in similar in similar
plants to plants to identify
identify risk and riskcauses.
and causes.
This This
stagestage is performed
is performed by by referring
referring to
to specialised
specialised scientific
scientific publications
publications andliterature
and literaturereview.
review.WithWiththis
thisavailable
availableinformation,
information, aa HAZOP
HAZOP
analysis is
analysis is conducted.
conducted. After AfterthetheHAZOP
HAZOPsessions,
sessions, thethe
possible
possiblefault causes
fault andand
causes consequences
consequences of theof
given
the deviations
given deviations fromfromthe the
design are are
design identified. These
identified. datadata
These allow, according
allow, to the
according criteria
to the of the
criteria of
HAZOP team, identifying the initiating events, modelling the fault propagation
the HAZOP team, identifying the initiating events, modelling the fault propagation process, and finally process, and finally
building the
building thefault
faulttreetree analysis.
analysis. Subsequently
Subsequently a quantitative
a quantitative analysisanalysis is performed
is performed and resultsandobtained
results
obtained
rank risksrank
and risks
allowand allow prioritizing
prioritizing the corrective
the corrective and/or preventive
and/or preventive measures.measures.
STUDY OF SUBSTANCES USED AND PROCESS
HISTORICAL ANALYSIS OF ACCIDENTS
HAZARD ANALYSIS AND OPERABILITY (HAZOP)
FAULT TREE ANALYSIS (FTA)
RESULTS
Figure 1. Methodology of study.

Figure 1. Methodology of study.
3.1. HAZOP Method
3.1. HAZOP Method
The HAZOP technique [36] is a structured and systematic examination of a product, process, or
The HAZOP technique [36] is a structured and systematic examination of a product, process, or
procedure—or an existing or planned system. This is a qualitative technique based on the use of guide
procedure—or an existing or planned system. This is a qualitative technique based on the use of guide
words (Table 1) that question how design intent or operating conditions may fail to be achieved at
words (Table 1) that question how design intent or operating conditions may fail to be achieved at
each step of the design process or technique. The guide words must always be appropriately selected
each step of the design process or technique. The guide words must always be appropriately selected
to the process which is analysed and additional guide words can be used.
to the process which is analysed and additional guide words can be used.
This technique is applied by a multidisciplinary team during a series of meetings where work
This technique is applied by a multidisciplinary team during a series of meetings where work
areas and operations are defined—and each of the variables that influence the process are applied to
areas and operations are defined—and each of the variables that influence the process are applied to
the guide to verify the operating conditions and detect design errors or potentially abnormal
operating conditions (Figure 2).
the guide to verify the operating conditions and detect design errors or potentially abnormal operating
conditions (Figure
Int. J. Environ. 2). Health 2017, 14, 705
Res. Public 5 of 27
Figure
Figure 2. 2. HAZardand
HAZard andOPerability
OPerability analysis
analysis(HAZOP)
(HAZOP)process.
process.
Table 1. HAZard and OPerability analysis (HAZOP) guide word method. Source: ISO 31010: 2011
Table 1. HAZard and OPerability analysis (HAZOP) guide word method. Source: ISO 31010: 2011 [27].
[27].
Guide Word
Guide Word MeaningMeaning Example of Deviation
Example of Deviation
NO Absence of the variable to which it applies No flow in line
NO
LESS Absence of thereduction
Quantitative variable to which it applies Less No
flowflow in line
MORE Quantitative increase Higher temperature
LESS Quantitative reduction Less flow
OTHER Partial or total replacement Other substances were added
MORE
INVERSE Opposite function Quantitative increase
to design intention Higher
Return flow temperature
Qualitative decline. Only part of what should
OTHER
PART OF Partial or total replacement Part of volume Other substances
required were
by recipe was added
added
happen occurs
INVERSE
IN ADDITION
Opposite
Qualitative increase. function to design
More is produced thanintention
In addition of the amount Return flow
of water of the process
intended was added
Qualitative decline. Only part of what Part of volume required by recipe
PART OF
should happen occurs was added
3.2. Fault Tree Analysis
Qualitative increase. More is produced In addition of the amount of water
IN ADDITION
FTA is a technique to identify and analyse factors that may contribute
than intended ofto anprocess
the unwanted
wasspecified
added
event (called the “top or main event”). Causal effects are identified deductively and organised in a
logical manner and shown using a tree diagram that describes the causal factors and their logical
relationships (Table 2) with respect to the top event.
3.2. Fault Tree Analysis

FTA is a technique to identify and analyse factors that may contribute to an unwanted specified
event (called the “top or main event”). Causal effects are identified deductively and organised
in a logical manner and shown using a tree diagram that describes the causal factors and their logical
relationships (Table 2) with respect to the top event.
Table 2. Symbols used in fault trees. Source: ISO 31.010:2011 [27] and Vesely et al. [37].
Symbol Meaning Description
Logic gate AND The output event happens only if all input events happen
Int. J. Environ. Res. Publicgate

Logic Health
OR2017, 14, 705 The output event occurs if any of the input events happen 6 of 27
Table 2. Symbols used in fault trees. Source: ISO 31.010:2011 [27] and Vesely et al. [37].
Int. J. Environ. Res. Public Health 2017, 14, 705 Failure of a component that has no identifiable6primary
of 27
Basic event
Symbol Meaning cause. It is the highestDescription
level of detail in the tree
Table 2. Symbols used
Logic inAND
gate fault trees.
The Source: ISO
output event 31.010:2011
happens
Failure of aonly[27]
if alland
component Vesely
input eventset
with al. [37].cause undeveloped
happen
a primary
Environ. Res. Public Health 2017, 14, 705 Undeveloped event 6 of 27
Symbol Meaning because of lack of information
Description
Logic gate OR The output event occurs if any of the input events happen
Table 2. Symbols used
Logic inAND
gate fault trees.
The Source: ISO 31.010:2011
output event happens only[27] and
ifAallfault Vesely
event
input ethappen
that
events al. [37]. because of one or more antecedents
occurs
ealth 2017, 14, 705 Intermediate event
Failure of a component 6 through
that hasofno27identifiable primary cause. It is the highest level of
Basic event causes acting logic gates
bol Meaning Description
detail in the tree
used in
mbols Logic fault
gate AND trees. Source: ISO 31.010:2011
Undeveloped [27]
The output event happens only if allFailure and Vesely
input events et al. [37].
happen
of6 aofcomponent
27 with a primary cause undeveloped because of lack of information
A fault treeevent can be used
Failure qualitatively
of a component that has tonoidentify potential
identifiable causes
primary cause. and
It is the the ways
highest levelinofwhich failure
Basic event Description
(the top event) detail or
occurs in the
Intermediate tree A fault event
quantitatively, or that occurs
both, to because of
calculate one
theor more antecedents
probability of causes
the topacting through
event fromlogic
t trees.The
ND Source:
outputISO event31.010:2011
happens
Undeveloped [27]if and
only all Vesely
event
input et al.
events [37].
happen gates
the probabilities ofFailure causal of events.
a component with a primary cause undeveloped because of lack of information
Failure of a component that has no identifiable primary cause. It is the highest level of
event
Basic event Description
The stages
A faultfortree can be used of
the application this technique
qualitatively are:
to identify potential causes and the ways in which failure
The output event occurs detail in
Intermediate the tree
if any of the inputA fault event
events that occurs because of one or more antecedents causes acting through logic
happen
ent happens only
Undeveloped if all input
event(the
events top event)
happen occurs
gates or quantitatively, or both, to calculate the probability of the top event from the
Failure (1) Failure
Define of athe top event.
component with a primary cause
It isundeveloped because
of of lack of information
event of a componentprobabilities
that has no identifiable
of causal primary cause.
events. the highest level
detailif in
ent occurs Atree
theof
any
Intermediate fault
the(2) tree
input can
AConstruction
events
fault be stages
happen
The
event used
that ofqualitatively
thebecause
for
occurs fault
the tree: toFrom
application
of one identify
or moreofthe potential
thistop event,
technique
antecedents causes
the
causesare: and
possible
acting theimmediate
through ways
logic in which
causes failure
of the failure
event(the top event) occurs
modes
gates or
are quantitatively,
established and or
it both,
is to
possible calculate
to the
identify probability
how these of the
failures top
can event
occur from
at the levels or
basic
mponentFailure
that ofhasa component
no identifiablewith a primary
primary cause
cause. It isundeveloped
the highest levelbecause
of of lack of information
probabilities of (1)causal
in Define
basic the top
events.
events. event.
Aeefault tree event
can be thatused qualitatively
(2) Constructionone to identify
of the potential
fault tree: causes
From and
actingthe thelogic
top ways the
event, in which failure
set of possible immediate acauses of the failure
A fault occurs because
The stages
(3) for the of
Qualitative
or more
application
evaluation:
antecedents
of this
The
causes
technique
aim to find are: through
the minimum faults, establishing mathematical
op event)
mponent
gates
withoccurs
a primaryor quantitatively,
cause modes
undeveloped orbecause
are both, to
established
of calculate
lack ofand the
it is
information probability
possible to of the top
identify howevent
thesefrom the can occur at basic levels or
failures
formulation from the relationships established in the fault tree. To achieve this, the “OR” gates
abilities of(1) Define
causal the topin
events. event.
basic events.
be
thatused qualitatively
because of oneto identify
orare replaced potential
bycauses
the causes
“+” and
sign thelogic
(not ways in but
addition which failure
a union of conjunctions) andofthe
occurs
The stages(2)forConstruction
the application
more
(3) ofantecedents
the
of this
Qualitativefault tree:
technique
acting
From
evaluation:
through
are:theThe topaimevent,
to thethe
find possible
minimum immediate
set causes
of faults, thegates
establishing
“AND” by
failurea mathematical
or quantitatively, or both, the to
“x” calculate
sign the probability
(equivalent to the of the top event
intersection of from the
conjunctions). Boolean algebra is used.
modes are established formulation and fromit is possible
the to identifyestablished
relationships how these failures in the can tree.
fault occurTo at achieve
basic levels this,orthe “OR” gates
events.
Define the top event. (4) events.
Quantitative
vely to identify potential
in basic causes
areFrom and evaluation:
replaced the by ways the in From
“+” which the frequency of failure of basic events, the probable frequency
failure
signpossible
(not addition but acauses
union of of conjunctions) and the gates “AND” by
e applicationof
Construction of the
thisfault
technique
of tree:
an are:
accident theistop event,
calculated the
(if it occurs) immediate the failure
y, or both,(3) to calculate
Qualitative theevaluation:
probability
the “x” sign of (equivalent
The the
aim top toevent from
findtothethe the as well
minimum
intersection setofofas faults,
the most critical
establishing
conjunctions). Boolean
fault routes (i.e., the most
a mathematical
algebra is used.
modes are established and it is possible
probable among tocombinations
identify howofthese failuresevents
susceptible can occur that atmay
basic levels
cause theortop event).gates
Quantitative
ent. formulation from the relationships established in the fault tree. To
(4) Quantitative evaluation: From the frequency of failure of basic events, the probable frequency of achieve this, the “OR”
n basic events. evaluation enables a complete risk analysis before implementing and prioritising actions to
he hisfault
technique
tree: are are:replaced
From the topby event,
anthe thesign
“+”
accident possible
is (not immediate
addition
calculated (if butcauses
a union ofas thewell
of failure
conjunctions) and critical
the gates “AND” by
Qualitative evaluation: The improve aim to
the find the
safety minimum
and set itofof
reliability
occurs)
faults,
the establishing
system
as the
under
most
astudy.
mathematical
A
fault
complementary
routes (i.e., the most
sensitivity
shed and it is the possible
“x” sign to identify
(equivalent
probable howamong these
to failures
the intersection
combinations can occur
of of at basic levels
conjunctions).
susceptible or that
Boolean
events algebra
may is used.
cause the top event). Quantitative
ormulation from the relationships analysis canestablished
beFrom
performed in the to fault
checkof tree.
the To achieve
effect thethis,
ofbasic basic the “OR”ingates
events the global risk assessment.
(4) Quantitative evaluation:
evaluation enables the frequency
a of
complete failure
risk analysis of events, the probable frequency of
om the top event,
re replaced by thethe “+”possible
sign
These (not immediate
data addition
allow causes
but a union
prioritizing theof failure
the conjunctions) andbefore
theand implementing
gates “AND” bythe and prioritising actions to
ation: The aim antoaccident
find the isminimum
calculated
improve set(if
the of itfaults,
safety occurs)
and as preventive
establishing
well asaof
reliability the measures
mathematical
themost critical
system
the
underfaultefforts
routes
study.
of
A
risk
(i.e., thecontrol
complementarymost process.
sensitivity
ssible to identify how these failures can occur at
he “x” sign (equivalent to the intersection of conjunctions). Boolean algebra is used.basic levels or
the relationships probableestablished
among in
analysis the can
combinationsfaultbetree. of To
performed achieve
susceptible to this,
events
check the
the “OR”
that may
effect gates
of cause
the the top
basic event).
events in Quantitative
the global risk assessment.
Quantitative evaluation: 4. Application
From the to a Case Study:
frequency of failure TheofChemical
basic events, Terminal at the Port
the probable of Valencia
frequency of
he “+” sign (not addition but
evaluation enablesa union
These adata ofallow
completeconjunctions)
risk analysis
prioritizing andthe the gatesimplementing
before
preventive “AND” by
measures and the
and prioritising
efforts of actions
the risk to control process.
on find the minimum
accident is calculated set of faults,
(ifapplication establishing
it occurs) as a mathematical
wellmethodology
as the most is critical fault routes (i.e., the
improve The
valent to the intersection theofsafety
conjunctions). of the
and reliability Booleanofalgebra the system performed
is used. under study. for the A jetty andmost
complementary pipe work of the chemical
sensitivity
srobable
established in the
among combinations fault tree. To
of achieve
susceptible this, the
events that “OR” gates
may cause the at topthe
event). Quantitative
uation: From analysis terminal,
the frequency can4. asperformed
beof well
failure
Application asofthe
tobasic
toconnected
athe events,
check
Case Study: storage
thethe probable
effect
The offacilities,
the frequency
Chemical basicTerminal
events Port
of inatof
the
theValencia.
global
Port ofto These
risk storage facilities
assessment.
Valencia
addition
valuationbut a union
enables a of conjunctions)
complete risk and
analysis gates
before “AND”
implementing by and prioritising actions
lculated (if itThese are
occurs) dataowned wellby
asallow as two
the companies:
prioritizing mostthe critical Terminales
fault routes
preventive measures Portuarias
(i.e.,and thethe SLefforts
most (TEPSA) of theandriskPetróleos de Valencia SA
control process.
ersectionthe
mprove of conjunctions).
safety(PTROVAL) Boolean
and reliability algebra
of the system is ofused.
theunder study.
combinations of susceptible The
events application
[38,39]. thatBothmaycompanies
cause methodology
the work in theA
top event). is complementary
performed
reception,
Quantitative for the
storage, sensitivity
jetty and
loading, andpipe work ofofthe
distribution chemical
liquid
frequency
nalysis can of
be failure
performed of terminal,
basicto events,
check as theeffect
the
well probable
as the of thefrequency
connected basic of facilities,
events
storage in the global
at therisk
Portassessment.
of Valencia. These storage facilities are
es a complete 4. Application to a Case
riskproducts—divided
analysis beforeStudy: into The two Chemical
implementing groups: Terminal
andchemicals
prioritising and at actions
the
oil. Porttoof Valencia
curs)data
hese as wellallow asprioritizing
the most owned critical
the fault
preventive
by under routes
two companies: measures (i.e., the
and most
the efforts
Terminales Portuarias of the risk control process.
SL (TEPSA) and Petróleos de Valencia SA
ty and reliability of the system study. A complementary sensitivity
susceptible events The application
that (PTROVAL)
may cause of the the methodology
top event).
[38,39]. Both is performed
Quantitative
companies work forin thethejetty and pipestorage,
reception, work ofloading,
the chemicaland distribution of
erformedterminal,
to check as thewelleffectas of the
the basic events
connected storage in facilities,
the global at risk
the assessment.
Port of Valencia. These storage facilities are
sk analysis
plication to abefore implementing
Case Study: liquid The and
Chemical
products—divided prioritising
Terminal into actions
at the
two Portto
groups: of Valencia
chemicals and oil.
prioritizing the preventive measures and the efforts of the risk control process.
y of the ownedsystem by under twostudy.companies: Terminales Portuarias
A complementary sensitivity SL (TEPSA) and Petróleos de Valencia SA
The application of the methodology is performed for the jetty and pipe work of the chemical
ck the effect (PTROVAL)
of the basic [38,39].
events
4.1. Both
in
Identification companies
the global
of Port
Products work
risk in the reception, storage, loading, and distribution of
assessment.
Handled
ase
nal,Study:
as wellThe Chemical
as the connected Terminal
storageatfacilities,
the atoftheValencia
Port of Valencia. These storage facilities are
preventive liquid products—divided
measures and the effortsinto of the two risk groups:
control chemicals
process. and oil.
d by two companies: Terminales TEPSA stores Portuarias SL (TEPSA)gasoline,
and distributes and Petróleos diesel, de Valenciaand
methanol, SA other chemicals in smaller
4.1. Identification of Products Handled

TEPSA stores and distributes gasoline, diesel, methanol, and other chemicals in smaller amounts.
PTROVAL (owned by Galp Energía) stores and distributes gasoline, diesel, and kerosene. The four
substances (petrol, diesel, methanol, and kerosene) are hazardous substances according to Schedule I
of Royal Decree 1254/1999 [40] and the large volumes handled mean that the plant is considered high
risk under the Seveso classification. Such high-risk plants are required to conduct a risk analysis.
4.2. Historical Analysis of Accidents

Chang et al. [41] performed a study of storage tank accidents in industrial facilities between 1960
and 2003. They collected and reviewed 242 tank accidents, 207 belonging to crude oil, oil products
(fuel oil, diesel, kerosene, lubricants), gasoline/naphtha and petrochemicals products. The main causes
of tanks accidents were in order of importance: lightning (33.1%), maintenance (13.2%), operational
error (12.0%), equipment failure (7.9%), sabotage (7.4%), crack/rupture (7.0%), leaks and line rupture
(6.2%) and static electricity (3.3%).
Person and Lönnermark [10] listed 479 fires involving hydrocarbon storage tanks between 1951
and 2003. Based on this work, Hailwood et al. [11] identified 21 tank explosions followed by a fire.
In a specific study of risk assessment for Liquefied Natural Gas (LNG) terminals, Aneziris et al. [42]
identified the initiating events of accidents of LNG terminals. They divided the LNG terminals
in five areas: LNG tanks, unloading section (from ship to tank), send-out section, condenser and
outlet pipeline.
In tanks section, the main initiating events are boil-off removal malfunction (during unloading
or during storage), a high temperature in LNG (when coming from ship), an excess of external
heat in storage tank area, an overfilling of the tank, a rollover during unloading or during storage,
an inadvertent starting of additional compressors, a continuation of uploading beyond lower safety
level and an increase of send out rate from tank. In unloading section, the main initiating events
are an excess external heat in jetty area, a water hammer in loading arm (due to inadvertent valve
closure), an inadequate cooling of lading arm and high winds during uploading.
In Appendix A, a list of well documented past accidents has been extracted from reports and
works available in the literature. The list includes accidents in petroleum and LNG product storage
facilities [12,13,43,44].
The origins of these accidents were leaks or spills (9), explosions (7) and fire (6). Leakage
(in the form of liquid) is the most common source of major accidents—leading to fires and explosions
that may cause other leaks, thus lengthening the accidental chain. The possible consequences of
leakage depend on the flammability and toxicity of the leaked liquids and the environmental conditions
in which the leak occurs.
Seventeen of the cases originated in storage tanks, two in tanker ships, one in pipes, one in a steam
boiler of a LNG plant and in one case there was no specific origin.
Factors that may cause an accident are grouped into general and specific. Among the general
causes are those that are: external to the plant, human behaviour, mechanical failure, failure caused by
impact, violent reactions; instrumentation failure, and failure of services. These general causes include
a number of specific causes provided by details of specific accidents. Note that a single accident
can occur for more than one general cause, and a general cause may be the result of more than one
specific cause. The recorded data on the general causes of accidents shows that the cause was human
behaviour in ten cases, instrumentation failure on four occasions, electrostatic spark on two occasions,
mechanical failure in two occasions, unknown causes on two occasions, and two accidents were caused
respectively by mechanical impact failure and external causes respectively.
Ignition sources provided the energy needed for the combustion of a flammable mixture.
These sources can be thermal, electrical, mechanical and chemical. Data shows that in seven accidents
the cause was electrical, in three the cause was welding during maintenance works, mechanical in three
cases, thermal in two cases, and unknown in seven cases.
4.3. HAZOP Analysis

The Valencian plant is divided into three systems (Figure 3) that correspond to the three activities
of the companies: unloading, storage, and loading for distribution.
These three systems are divided into six sub-systems and these again are divided into specific
points or nodes that correspond to the sequence of operational steps in the plant (Table 3). Table 4
shows guide words and parameters used in the HAZOP analysis and Table 5 shows the result of
Int. HAZOP
the J. Environ. Res. Public for
analysis Health 2017,
node 14, 705
2.1.1 8 of 27
(opening tank valves) and some variables of node 2.1.2 (filling tank).
Figure 3. Three areas of activity.

Figure 3. Three areas of activity.
As
As aa result
result of
of this
this analysis,
analysis, itit can
can bebe seen
seen that,
that, in
in the
the areas
areasforforloading
loading and
andunloading
unloading liquid
liquid
products (Systems 1 and 3), the greatest danger is the possibility of
products (Systems 1 and 3), the greatest danger is the possibility of an uncontrolled an uncontrolled spill. The occurrence
spill. The
of this eventofisthis
occurrence closely
eventlinked to the
is closely effectiveness
linked of the staff
to the effectiveness responsible
of the for handling
staff responsible the tasks.
for handling the
Relative to System 2, the risk of a fuel loss in the pipelines and leakage or fuel loss in
tasks. Relative to System 2, the risk of a fuel loss in the pipelines and leakage or fuel loss in the storage the storage tanks
istanks
noteworthy. The latter
is noteworthy. Theevent
lattercould
eventbe caused
could by overfilling
be caused or a partial
by overfilling or arupture of the tank.
partial rupture Special
of the tank.
attention must be given to such events because they can cause fires and explosions
Special attention must be given to such events because they can cause fires and explosions that may that may have more
serious
have moreconsequences for the plantfor
serious consequences and theitsplant
staff.and its staff.
Table3.3.Systems,
Table Systems,subsystems,
subsystems,and
andnodes
nodesfor
forHAZOP
HAZOPanalysis.
analysis.
System
System Sub-System
Sub-System Nodes
Nodes
1.1.1 Docking ship at terminal
Connection ship 1.1.1 Docking ship at terminal
1.1 Connection ship 1.1.2 Extension of marine loading arm
1.1 terminal 1.1.2 Extension of marine loading arm
terminal 1.1.3 Joining
1.1.3 Joiningofofmarine
marinearm
armand
andmanifold
manifold
11 Unloadingship
Unloading ship 1.2.1 Opening of valves
1.2.1 Opening of valves
1.2.2 Product movement
1.2 Transfer to tanks 1.2.2 Product movement
1.2 Transfer to tanks 1.2.3 Closure of valves
1.2.3 Closure of valves
1.2.4
1.2.4 Cleaning
Cleaningofoftubes
tubes
2.1.1 Opening tank valves
2.1.1 Opening tank valves
Storage of product in 2.1 Filling tanks 2.1.2 Filling tank
2 Storage of product 2.1 Filling tanks 2.1.2 Filling tank
2 2.1.3 Closing
tanks
in tanks 2.1.3 Closingtank
tankvalves
valves
2.2 Product storage 2.2.1 Product storage
2.2 Product storage 2.2.1 Product storage
Arrival at loading 3.1.1 Positioning of tank truck
3.1
station
Arrival at loading 3.1.1
3.1.2 Positioning
Flexible hose of tank truckto tank truck
connection
Loading product in tank 3.1
3 station 3.1.2
3.2.1 Flexible tank
Opening hose truck
connection
valvesto tank truck
Loading product
truck
3 3.2 Transfer from tanks 3.2.2 Transfer
in tank truck 3.2.1 Openingand filling
tank truckofvalves
tank
Transfer from 3.2.2 Transfer and filling of tank
3.2 3.2.3 Valve closure
tanks
3.2.3 Valve closure
Table 4. Guide Words and Parameters used in the HAZOP analysis.
ID ID Sub-
Id Nodes Guide Word Parameter
System System
1.1.1 Wrong/More Mooring/Speed
1.1.2 Other/No/Less Direction/Movement/Safety
1.1
Element/Connection/Electrical Isolation
1.1.3 Other/No/No/Less
/Safety
1.2.1 No/Less/More/More/More Flow/Flow/Speed/Static Electricity/Corrosion
1
More- Pressure/Maintenance/Flow/Static
1.2.2
Less/Less/Less/More/Yes/More Electricity/Collision/Corrosion
Table 4. Guide Words and Parameters used in the HAZOP analysis.
ID
ID System ID Nodes Guide Word Parameter
Sub-System
1.1.1 Wrong/More Mooring/Speed
1.1
1.1.2 Other/No/Less Direction/Movement/Safety
1 Element/Connection/Electrical
1.1.3 Other/No/No/Less
Isolation /Safety
Flow/Flow/Speed/Static
1.2.1 No/Less/More/More/More
Electricity/Corrosion
1.2
Pressure/Maintenance/Flow/Static
1.2.2 More-Less/Less/Less/More/Yes/More
Electricity/Collision/Corrosion
Flow/Speed/Pressure/Static
1.2.3 Yes/More/More-Less/More/More
1.2.4 No/Less Cleaning/Pressure
2.1
2
2.1.2 More/More Level/Static electricity
2.1.3 Yes/More/More-Less/More/More
Flammability/Corrosion/Pressure/
2.2 2.2.1 Yes/More/More/Less
Maintenance
Entry into the loading
3.1.1 Wrong/Wrong/Different bay/Manoeuvrability at the loading
3.1
bay/Loading position
3
3.1.2 Less/Less Connection/Safety
3.2
Level/Connection/Stop filled/Static
3.2.2 More/No/Yes/More/Less
Electricity/Safety
3.2.3 Yes /More/More-Less/More/More
ID: Identity.
Table 5. Example of HAZOP analysis for nodes 2.1.1 and 2.1.2.
System 2: Product Storage in Tank

Node 2.1.1: Tank Opening Valves
Sub-System 2.1: Filling Tank
Guide Word Variable Deviation Possible Causes Possible Consequences Comments and Corrective Measures
The faster the speed of flow, the greater
Possible risk of explosion if
Accumulation of static Circulation of liquid in the valve. charge generated.
More Static electricity difference in electrical
electricity than expected Bad earth grounding. Valves and flanges that are completely painted
potential occur.
should be conductively bridged and earthed.
The best way to avoid corrosion is to select
Exposure to corrosive the most resistant alloy for the valve– depending
Uniform deterioration of surface of
environment. on the corrosive nature of the fluids.
More corrosion of materials valve (general corrosion).
More Corrosion Attack of impurities at points When damage is minor and possible to repair
than expected Reduction in the useful life
with imperfections or fatigue. the body of the valve—at least
(weakening).
Lack of maintenance. provisionally—with a metal weld or with epoxy
resin (for low pressures and temperatures).
System 2: Product Storage in Tank
Node 2.1.2: Filling Tank
Sub-System 2.1: Filling Tank
Guide Word Variable Deviation Possible Causes Possible Consequences Comments and Corrective Measures
Activate tank vents to reduce or stop emissions
of vapour.
Product over flow.
Staff training.
Spill of liquid down external
Renewal of level sensors.
tank walls.
Faulty level sensor. Verification of state of all valves.
Formation of inflammable
More level than expected Incorrect valve setting. Automatic level alarms as operator activated
More Level atmosphere as fuel hits floor.
(overfill) Supervisor failure to redundant safety devices.
If source of ignition exists there is
recognise problems. Use of indicators that measure volume to avoid
serious risk of explosion and/or
confusion with specific weight.
pool fire with chain reaction to
Spill containment berm system should have
affect nearby tanks.
a capacity greater than the tanks (including
safety percentage).
As a safety measure, it is recommended that
the filling tube is always below the liquid surface
Liquid projected by jet. Production of electrostatic sparks level (meaning that it reaches the floor), or if not
Liquid enters tank being filled. with sufficient energy to possible, the flow should be reduced.
Accumulation of static
More Static electricity Movement of liquid in tank cause ignition. Fluids should slide along the walls of tanks so that
electricity than expected
causing turbulence Generation of extremely serious charges can dissipate through the earthed
and splashing. fires and/or explosions. protective coverings.
Speed of fluid should not exceed 7 m/s.
Air humidity should be around 60%.
Int.
Int. J.J. Environ.
Environ. Res.
Res. Public
Public Health 2017, 14,
Health 2017, 14, 705
705 11
11 of
of 26
27
4.4.
4.4. Fault
Fault Tree
Tree Analysis
Analysis(FTA)
(FTA)
By
By using
using HAZOP
HAZOP analysis,
analysis, four
four events
events were
were extracted
extracted for analysis using
for analysis using the
the fault
fault tree
tree technique.
technique.
These events or top events were:
These events or top events were:

Top
Top event (1): Fuel
Fuel spill
spill in
in ship-terminal
ship-terminal unloading area.

Top
Top event (2): Fuel leak in pipelines.
Fuel leak in pipelines.

Top
Top event
event (3):
(3): Fuel
Fuel spill
spill in
in storage
storage tank.
tank.


Top
Top event (4): Fuel spill in tank truck loading
event (4): Fuel spill in tank truck loading area.
area.
The faults and relationships for each top event have been identified and a logical combination
The faults and relationships for each top event have been identified and a logical combination
of incidents has been deduced that can trigger unwanted events. In this way, each tree contains
of incidents has been deduced that can trigger unwanted events. In this way, each tree contains
information about how the combination of certain faults leads to overall failure (Figure 4). Appendix
information about how the combination of certain faults leads to overall failure (Figure 4). Appendix B
B presents the fault trees of the other top events.
presents the fault trees of the other top events.
Figure 4.
Figure 4. Top
Top event
event fault
fault tree
tree (1).
(1).
Once the fault trees have been made, the mathematical expressions are defined ant the
Once the fault trees have been made, the mathematical expressions are defined ant the probability
probability values are calculated according to the Boolean algebra related to FTA (Tables 6 and 7).
values are calculated according to the Boolean algebra related to FTA (Tables 6 and 7).
Table 6. Qualitative evaluation of top event (1).
Top Event (1) Fuel Spill Ship-Terminal Unloading Area

Equations System Boolean Equation
A=B+C
B=D×1
C=E×2
A = (3 × 1) + (4 × 1) + (8 × 1) + (9 × 1) + (5 × 2) + (6 × 2) + (7 × 2)
D=3+4+F
E=5+6+7
F=8+9
Table 7. Top event failure frequencies (1).
Top Event (1) Fuel Spill in Ship-Terminal Area

Basic Event Description Failure Frequency (year−1 )
1 Operator failure 8.8 × 10−2
2 Operator distracted 1.8 × 10−1
3 Ship collision with another in transit 6.0 × 10−4
4 Manoeuvring collision against jetty 3.3 × 10−1
5 Corrosion 4.4 × 10−3
6 Badly connected loading arm 8.8 × 10−1
7 Damaged connection caused by inadequate use 8.8 × 10−2
8 Loading arm damaged by inadequate use 8.8 × 10−2
9 Manufacturing defect 8.8 × 10−3
B Leakage caused by broken loading arm 3.7 × 10−2
C Connection leak 1.7 × 10−1
A=B+C Top event (1) 2.1 × 10−1
From these equations and data on the frequency of failures of basic events, a quantitative
assessment of the trees enables a calculation of the probability of the occurrence of the top event
(year−1 ). The procedure for calculating the top event (1) is shown in Table 7. In the four analysed
top events, some 19 basic events are defined and fault frequencies were determined using data
from the Spanish National Institute on Health and Safety at Work [45] and research on fuel
storage [12,41,46,47]. In the Appendix C similar tables are developed for the others top events.
In Table 8, the results of failure frequency for each of the top events and their ways of failure
are presented. A column called “Importance” has been added in order to show the importance of
the failure frequency of the events (and also of their ways of failure) developed through the fault tree
technique. The results indicate that the top event (4) “Fuel spill in tank truck loading area” has a failure
rate of 1.7 events/year, i.e., 85% of the events developed through the fault tree technique. There are two
ways a top event (4) can be generated: the first is via a “connection leak” with an importance of 80.28%
and the second is via “leak caused by broken hose” which accounts for 5.02% of importance. If the basic
events are analysed, the main causes for a connection leak are a bad hose connection and a response
failure following the detection of an emergency (incorrect staff response, failure of the acoustic alarm,
or seizure of the manual closure valve).
The next most significant source of risk for the overall failure sequence is “connection leakage”
in the top event (1) “Fuel spill in ship-terminal unloading area” (with a failure frequency of
0.17 events/year). This event occurs following a loss of product (caused by a bad connection of
the loading arm or damaged parts) together with human error. The probability of occurrence is low
since it is one of the most complex operations and involves very strict protocols.
Table 8. Results of quantitative analysis.
Description Frequency of Failure (year−1 ) Importance (%)

Top event (1): Fuel spill in ship-terminal unloading area 0.21 10.54
Leakage caused by broken loading arm 0.037 2.00
Connection leak 0.17 8.53
Top event (2): Fuel leak in pipelines 0.0081 0.41
Breakage caused by cracking 0.0061 0.31
Undetected leak 0.0020 0.10
Top event (3): Leak in storage tank 0.075 3.76
Overfilling 0.063 3.16
Loss of leak tightness 0.012 0.60
Top event (4): Fuel spill in tank truck loading area 1.7 85.29
Leak caused by broken hose 0.085 5.02
Connection leak 1.6 80.28
A sensitivity analysis has been performed (see Appendix D) in order to check the effect of the
Int. J. Environ. Res. Public Health 2017, 14, 705
basic
14 of 27
events in the global risk assessment. In the top event (1) (Table 9 and Figure 5), the basics events with
more influence
0.0862 0.0375in the sequence
0.1696 of the accident
0.2070 0.0862are in order of importance: operator
0.0373 0.1698 distracted, operator
0.2071
0.0857 badly
failure, 0.0375 0.1695 loading
connecting 0.2069 arm and0.0857
collision against0.0373 0.1698
jetty during manoeuvres. In the0.2071
top event
Event
(2) are9corrosion,
B C
operator A
distracted and with the same importance vehicles collision and fatigue
0.0090 0.0375 0.1698 0.2073
defect.
0.0089
In the top
0.0375
event
0.1698
(3) are operator
0.2073
failure and with equal importance the failure of the sensor level
and the
0.0089 failure
0.0375 of response
0.1698 of the
0.2073 shut-off valve. In the top event (4) are hose incorrectly connected,
after with equal
0.0088 0.0375 importance,
0.1698 the acoustic signal failure and the sticking of the manual shut-off valve,
0.2073
0.0088
and 0.0375 level
in the fourth 0.1698 0.2073 failures. These results show the importance in all the sequences of
the operator
0.0087 0.0374 0.1698 0.2073
accident
0.0087
of0.0374
the failure or distraction
0.1698 0.2073
of the operators, so it should be mandatory a plan for training
the staff of 0.0374
0.0086 the plants. Planning
0.1698 of the maintenance actions of the facility must take into account both
0.2073
the general0.0374
0.0086 results from
0.1698the 0.2073
risk assessment and the results from the sensitivity analysis.
Sensitivity Analysis Top Event (1)

0.2300
0.2250
0.2200 Event 1
Top Event (year-1)
0.2150 Event 2
Event 3
0.2100
Event 4
0.2050
Event 5
0.2000 Event 6
0.1950 Event 7
Event 8
0.1900
Event 9
0.1850
- 0.1000 0.2000 0.3000 0.4000 0.5000 0.6000 0.7000 0.8000 0.9000 1.0000
Event (year-1)
Figure 5. Sensitivity Analysis for the Top event (1).

Figure 5. Sensitivity Analysis for the Top event (1).
5. Conclusions
In this paper, a methodology that combines HAZOP analysis and FTA is used. HAZOP analysis
identifies the risks and their possible causes and consequences. FTA, based on the HAZOP analysis,
represents the fault propagation pathways and produces a qualitative and quantitative assessment
of the sequences of events that can lead to accidents or serious failures. Results from FTA allow
Table 9. Sensitivity Analysis for the Top event (1).
Top Event (1) Fuel Spill Ship-Terminal Unloading Area

Equations System A = B + C = (3 × 1) + (4 × 1) + (8 × 1) + (9 × 1) + (5 × 2) + (6 × 2) + (7 × 2)
Event 1 B C A Event 2 B C A
0.1077 0.0460 0.1698 0.2158 0.1953 0.0375 0.1892 0.2266
0.1027 0.0439 0.1698 0.2137 0.1903 0.0375 0.1843 0.2218
0.0977 0.0417 0.1698 0.2115 0.1853 0.0375 0.1795 0.2170
0.0927 0.0396 0.1698 0.2094 0.1803 0.0375 0.1747 0.2121
0.0877 0.0375 0.1698 0.2073 0.1753 0.0375 0.1698 0.2073
0.0827 0.0353 0.1698 0.2051 0.1703 0.0375 0.1650 0.2024
0.0777 0.0332 0.1698 0.2030 0.1653 0.0375 0.1601 0.1976
0.0727 0.0310 0.1698 0.2009 0.1603 0.0375 0.1553 0.1927
0.0677 0.0289 0.1698 0.1987 0.1553 0.0375 0.1504 0.1879
0.0008 0.0375 0.1698 0.2073 0.3502 0.0392 0.1698 0.2090
0.0008 0.0375 0.1698 0.2073 0.3452 0.0388 0.1698 0.2086
0.0007 0.0375 0.1698 0.2073 0.3402 0.0383 0.1698 0.2081
0.0007 0.0375 0.1698 0.2073 0.3352 0.0379 0.1698 0.2077
0.0006 0.0375 0.1698 0.2073 0.3302 0.0375 0.1698 0.2073
0.0006 0.0374 0.1698 0.2073 0.3252 0.0370 0.1698 0.2068
0.0005 0.0374 0.1698 0.2073 0.3202 0.0366 0.1698 0.2064
0.0005 0.0374 0.1698 0.2073 0.3152 0.0361 0.1698 0.2060
0.0004 0.0374 0.1698 0.2073 0.3102 0.0357 0.1698 0.2055
0.0046 0.0375 0.1699 0.2073 0.8966 0.0375 0.1733 0.2108
0.0045 0.0375 0.1698 0.2073 0.8916 0.0375 0.1724 0.2099
0.0045 0.0375 0.1698 0.2073 0.8866 0.0375 0.1716 0.2090
0.0044 0.0375 0.1698 0.2073 0.8816 0.0375 0.1707 0.2081
0.0044 0.0375 0.1698 0.2073 0.8766 0.0375 0.1698 0.2073
0.0043 0.0375 0.1698 0.2073 0.8716 0.0375 0.1689 0.2064
0.0043 0.0375 0.1698 0.2073 0.8666 0.0375 0.1681 0.2055
0.0042 0.0375 0.1698 0.2072 0.8616 0.0375 0.1672 0.2046
0.0042 0.0375 0.1698 0.2072 0.8566 0.0375 0.1663 0.2038
0.0897 0.0375 0.1702 0.2076 0.0897 0.0376 0.1698 0.2074
0.0892 0.0375 0.1701 0.2075 0.0892 0.0376 0.1698 0.2074
0.0887 0.0375 0.1700 0.2074 0.0887 0.0375 0.1698 0.2074
0.0882 0.0375 0.1699 0.2074 0.0882 0.0375 0.1698 0.2073
0.0877 0.0375 0.1698 0.2073 0.0877 0.0375 0.1698 0.2073
0.0872 0.0375 0.1697 0.2072 0.0872 0.0374 0.1698 0.2072
0.0867 0.0375 0.1696 0.2071 0.0867 0.0374 0.1698 0.2072
0.0862 0.0375 0.1696 0.2070 0.0862 0.0373 0.1698 0.2071
0.0857 0.0375 0.1695 0.2069 0.0857 0.0373 0.1698 0.2071
Event 9 B C A
0.0090 0.0375 0.1698 0.2073
0.0089 0.0375 0.1698 0.2073
0.0089 0.0375 0.1698 0.2073
0.0088 0.0375 0.1698 0.2073
0.0088 0.0375 0.1698 0.2073
0.0087 0.0374 0.1698 0.2073
0.0087 0.0374 0.1698 0.2073
0.0086 0.0374 0.1698 0.2073
0.0086 0.0374 0.1698 0.2073
5. Conclusions
In this paper, a methodology that combines HAZOP analysis and FTA is used. HAZOP analysis
identifies the risks and their possible causes and consequences. FTA, based on the HAZOP analysis,
represents the fault propagation pathways and produces a qualitative and quantitative assessment
of the sequences of events that can lead to accidents or serious failures. Results from FTA allow
prioritizing the preventive and corrective measures in order to minimize the probability of failure.
An analysis of case study about a fuel storage terminal is performed. HAZOP analysis shows that
loading and unloading areas are the most sensitive areas of the plant and where the most significant
danger is a fuel spill—tasks that can produce such an event are closely supervised by staff. Tasks related
to transferring fuel from ships to tanks and storage tanks are the most automated and so the influence of
personnel is reduced—although the consequences are more serious if an accident occurs. FTA analysis
indicates that the most likely event is “Fuel spill in tank truck loading area” and the sequence of
events that would most likely cause such an event is a “connection leakage” caused by improper
hose connection and a failure of emergency systems. A sensitivity analysis of the FTA results shows
the importance of the human behaviour in all sequences of the possible accidents. A slight increase or
decrease of the frequency of failure of human operations generate an important increase or decrease,
respectively, of the frequency of failure of the top event, so corporation’s prevention plans must
increase the training of the staff, develop of automatic control measures and develop or improve
control procedures to check the human operations.
In future research, we will apply a similar analysis to other type of plant, as LNG plants or storage
of chemical products at a process plant, in order to improve the use of the combined method and to
compare results from the risk assessments. In this way, we will build a database of HAZOP cases and
FTA analysis and could improve the maintenance plans of the various types of plants.
Acknowledgments: This paper was funded by the Universitat Politècnica de València and UNED, both of Spain.
Author Contributions: Mª Piedad Baixauli Pérez and José Luis Fuentes-Bargues conceived, designed and
performed the experiments. Cristina González-Gaya analysed the state of the art about Major Hazards.
José Luis Fuentes-Bargues wrote the paper and Mª Carmen González-Cruz and Cristina González-Gaya revised
the document.
Conflicts of Interest: The authors declare no conflict of interest.
Appendix A. Historical Analysis of Accidents
Table A1. Analysis of Accidents.
Products Origin of
Date Location Description
Involved Accident
Explosion of a tank of 1400 m3 containing crude oil. The roof
Burosse-Mendousse
2010 Oil Explosion was ejected several meters away and the tank’s base slightly lifted.
(France) [44]
The most probable ignition source is an electrostatic discharge.
In the plant of the Caribbean Petroleum Corporation (a storage,
distribution, and fuel blending service) the failure of the sensor
Bayamón (Puerto Gasoline, Diesel, system for filling a gas tank caused a fuel spill that triggered a series
2009 Spill
Rico) [43] Kerosene of explosions and fires. The disaster affected 18 tanks, destroyed 50%
of the plant, and caused considerable damage to the environment
and the local area.
Accident took in the facilities of company Vest Tank AS, on the
Sløvâg industrial area. The first explosion took place in a tank where
the base–shell weld ruptured and the upper part of the tank was
launched up in the air and landed in the north-eastern corner of Tank
Farm II. Subsequent explosions and fires destroyed the other tank
Sløvâg (Norway) farm. There were no casualties in the accident. This accident
2007 Gasoline Fire
[44] occurred during purification of coker gasoline (reduction of the
content of mercaptans). The investigation found that addition of
hydrochloric acid during the process reduced the solubility of
mercaptans in the solution, leading to the build-up of a flammable
mixture. Air filter with activated carbon placed on the roof absorbed
mercaptans, leading to a self-ignition and the explosion.
An explosion occurred at Umbria Oil plant near Spoleto, Italy,
when five workers were welding a structure on the roofs of several
tanks. Firstly, one tank containing raw pomace oil exploded, rising
up of about 10 m. This first explosion led to a pool fire that spread
2006 Spoleto (Italy) [43] Oil Explosion
in the tanks’ park. One hour later, two other tanks exploded, with
rupture of the bottom welding, ejecting missiles of 10 tons 80 m away
near warehouses storing by-products and packaging materials.
Four workers lost their life in this accident.
The explosion at Partridge-Raleigh Oilfield was caused by sparks of
Partridge-Raleigh
2006 Petroleum Explosion the welding of pipes that joined tanks. Three workers died and other
(USA) [44]
suffered serious injuries.
In the storage terminal known as “Buncefield depot” 300 tons of
gasoline overflowed in a storage tank because of a high-level device
failure and the failure of safety device that close the filling valves and
Hertfordshire
2005 Gasoline Spill raise the alarm. Fire broke out when the gasoline vapour cloud
(England) [13,43]
ignited. The ignition source may have been a backup generator,
or a spark produced by a vehicle. In total, 20 storage tanks
(containing 13.5 million litres each) burned for several days.
LNG: Liquefied Natural Gas.
Table A1. Cont.
Products Origin of
Date Location Description
Involved Accident
The steam boiler of the LNG production plant exploded, triggering
a second, more massive vapour-cloud explosion and fire.
Skikda (Algeria)
2004 LNG Explosion The explosions and fire destroyed a portion of the LNG plant and
[42]
caused 27 deaths, 74 injuries, and material damage outside the
plant’s boundaries.
Puertollano (Spain) An explosion in a naphtha tank in the refinery resulted in an intense
2003 Naphta Explosion
[10] fire that spread to six other tanks containing 8600 m3 of gasoline.
In a Conoco-Phillips plant a diesel tank exploded with 900 m3 of fuel,
triggering a fire that involved three other liquid fuel storage tanks.
Oklahoma (USA)
2003 Diesel Explosion The cause of the incident was the generation of a volatile mix inside
[44]
the tank after it was emptied. The likely source of ignition
was an electrical discharge from a nearby line.
Kansas (USA) A worker who was checking the level of oil in a storage tank at night
2001 Crude petroleum Fire
[10,12] lit a match. The flame ignited vapours and caused a huge explosion.
Hampshire (United A crack in the bottom of a storage tank of crude oil (caused by
2000 Crude petroleum Leak
Kingdom) [10] corrosion) caused a catastrophic spill of crude oil.
In the tank farm of Ashdod Oil Refinery the explosion of a 15,000 m2
gasoil tank caused loss of one worker. The investigation concluded
that a non-complete gasoil stripping with hydrogen at the exit of
1997 Ashdod (Israel) [12] Gasoil Leak
gasoil hydro treating unit caused penetration of hydrogen inside
the tank. The source of ignition was most likely electrostatic spark
initiated by synthetic rope used to get samples out the tank.
During a welding operation near the wastewater tank that contained
a layer of flammable liquid, sparks ignited flammable vapours at
Rouseville (USA)
1995 Wastewater Tank Explosion openings in the tank. The deflagration caused the tank to fail at
[44]
the bottom seam and shoot into the air. Five workers died and fire
ignited other tanks and caused loud explosions.
A Danish petroleum tanker with 22,000 tons of naphtha on board
collided with the REPSOL wharf in Tarragona during docking.
The collision broke three pipes on the wharf containing naphtha,
Port of Tarragona Naphta, fuel oil
1993 Fire fuel oil, and crude oil—fire quickly broke out and produced a thick
(Spain) [12] and crude oil
smoke. The combustion wastes contaminated nearby beaches.
REPSOL estimated that damage to the wharf totalled the equivalent
of €18 million.
Santander (Spain) A fire started during cleaning operations in an empty oil tank at
1988 Diesel Fire
[12] a CAMPSA (now CLH) plant.
A fire started in an enlarged Shell terminal holding up to 43,000 m3
of Class B oil products (gasoline and kerosene among others) and
Lyon (France) Gasoline and Class D products (asphalt). Nearly 7000 m3 of products were burned,
1987 Fire
[10,12] kerosene two people dead, and 16 were seriously injured. The causes are
unknown, although it is known that changes were being made to
the wiring system.
A fire caused by a fuel oil leak in an ESSO Pappas terminal set 10 of
the 12 storage tanks ablaze. The fire lasted eight days, extended over
Thessaloniki 75% of the total area of the terminal, and destroyed the stationary
1986 Fuel-oil Leak
(Greece) [41] fire-fighting system, as well as the systems controlling pumps and
loading. The fire started during maintenance work after a leak
in a tank went undetected.
At an AGIP plant a cloud of gasoline vapour exploded and damaged
nearby houses. Windows broke up to 600 meters away. Tanks of
Port of Naples gasoline, kerosene, and diesel were set on fire. The incident resulted
1985 Gasoline Spill
(Italy) [41,43] in four deaths and 170 injuries. Twenty-four of the 32 storage tanks
were affected. The probable cause was an accident when unloading
a ship or a storage tank overflow.
An overfilled floating roof tank spilled 1300 barrels of gasoline.
New Jersey (USA) The resulting explosion destroyed two storage tanks and
1983 Gasoline Spill
[41] a neighbouring terminal. A cloud of vapour was blown to a nearby
incinerator and set it on fire as well.
In the river port area, a fire started in the storage area with 24 diesel
Duisburg
and fuel oil storage tanks of between 1500 and 4700 m3 capacity.
1979 (Germany) Gasoil Fire
The accident occurred during the renovation of thermal insulation of
[10,12,41]
the storage tanks.
A fire broke out in a plant with eight large tanks of petroleum
products. Two of the gasoline storage tanks caught fire as well as
Stockton (USA) Gasoline and various tanks containing additives. All stocks of foam within 90 km
1978 Leak
[10,12] additives were used. The origin was a leak from a gasoline tank that produced
a cloud of vapour which travelled about 220 m and came into contact
with a water heater in a nearby yard.
LNG: Liquefied Natural Gas.

Appendix B. Top Event Fault Trees
Figure
FigureA1.
A1.Top
Topevent
eventfault
faulttree
tree(2).
(2).
Figure A1. Top event fault tree (2).
Figure A2. Top event fault tree (3).

Figure A2.
Figure Top event fault tree (3).
A2. Top
Figure A3. Top

Top event fault tree (4).
Appendix
Appendix C.
C. Qualitative
Qualitativeand
andQuantitative
Quantitative Top
Top Events
Events
Table A2. Qualitative evaluation of top event (2).

Top Event (2) Fuel Leak in Pipelines
Equations System Top Event (2) Fuel Leak in Boolean
Pipelines Equation
A = B + Equations
C System Boolean Equation
B=1+2+3 A=B+C
A = 1 + 2 + 3 + (5 × 4) + (6 × 4) + (7 × 4)
C=D×4 B=1+2+3
A = 1 + 2 + 3 + (5 × 4) + (6 × 4) + (7 × 4)
D=5+6+7 C=D×4
D=5+6+7
Table A3. Top event failure frequencies (2).
Basic Event Description
Top Event (2) Fuel Leak in Pipelines Failure Frequency (year )
−1
1 Basic Event Corrosion

Description 4.4 × 10 (year−1 )
Failure Frequency
−3
2 Vehicles collision 8.8 × 10−4

1 Corrosion 4.4 × 10−3−4
3 2
Fatigue defect
Vehicles collision
8.8 × 10
8.8 × 10−4
4 3 Operator distracted
Fatigue defect 1.8××1010
8.8 −4−3
5 4 Pressure Operator
probe failure
distracted −3−2
4.1××1010
1.8
−2−1
6 5 Pressure probe
Signal transmission failure
failure 8.8××1010
4.1
6 Signal transmission failure 8.8 × 10 −1
7 Valve shut-off response failure 2.2 × 10−1
7 Valve shut-off response failure 2.2 × 10−1 0
D Failure control leakage 1.14 × 10
D Failure control leakage 1.14 × 100
C C Undetected leak
Undetected leak 2.0××1010
2.0 −3−3
B B BreakageBreakage
caused caused
by cracking
by cracking −3−3
6.1××1010
6.1
−3−3
A=B+C A=B+C Top eventTop(2)
event (2) 8.1××1010
8.1
Top Event (3) Leak in Storage Tank

A=B+C
B=D×1
C=E+F
A = (2 × 1) + (3 × 1) + (4 × 1) + 5 + 6 + 7 + 8 + 9
D=2+3+4
E=5+6
F=7+8+9

2 Sensor level failure 4.1 × 10−1
3 Valve shut-off response failure 2.2 × 10−1
4 Acoustic signal failure 8.8 × 10−2
5 Reinforcement breaking 2.2 × 10−3
6 Tank breaking 2.2 × 10−3
7 Corrosion 4.4 × 10−3
8 Insufficient revisions 1.8 × 10−3
F Crack formation leak 8.0 × 10−3
E Catastrophic tank rupture 4.4 × 10−3
D Level control failure 7.2 × 10−1
C Loss of leak tightness 1.2 × 10−2
B Overfilling 6.3 × 10−2
A=B+C Top event (3) 7.5 × 10−2
Top Event (4) Fuel Spill in Tank Truck Loading Area

A=B+C
B=D×1
C=2×E A = (3 × 1) + (4 × 1) + (5 × 1) + (2 × 6) + (2 × 7) + (2 × 8)
D=3+4+5
E=6+7+8

2 Hose incorrectly connected 8.8 × 10−1
3 Collision against hose 8.8 × 10−4
4 Hose defects due to misuse 8.8 × 10−2
5 Manufacturing effects 8.8 × 10−3
6 Incorrect alarm response 8.8 × 10−1
7 Acoustic signal failure 8.8 × 10−1
8 Manual shut-off valve sticking 1.0 × 10−1
E Emergency action failure 1.86 × 100
D Broken Hose 9.7 × 10−2
C Connection leak 1.63 × 100
B Leak caused by broken hose 8.5 × 10−3
A=B+C Top event (4) 1.7 × 100
Appendix D. Sensitivity Analysis of Results
Table A8. Sensitivity Analysis for the Top event (2).

Equations System A = B + C = (1 + 2 + 3 + (5 × 4) + (6 × 4) + (7 × 4)
0.0064 0.0081 0.0020 0.0101 0.0011 0.0063 0.0020 0.0083
0.0059 0.0076 0.0020 0.0096 0.0010 0.0063 0.0020 0.0083
0.0054 0.0071 0.0020 0.0091 0.0010 0.0062 0.0020 0.0082
0.0049 0.0066 0.0020 0.0086 0.0009 0.0062 0.0020 0.0082
0.0044 0.0061 0.0020 0.0081 0.0009 0.0061 0.0020 0.0081
0.0039 0.0056 0.0020 0.0076 0.0008 0.0061 0.0020 0.0081
0.0034 0.0051 0.0020 0.0071 0.0008 0.0060 0.0020 0.0080
0.0029 0.0046 0.0020 0.0066 0.0007 0.0060 0.0020 0.0080
0.0024 0.0041 0.0020 0.0061 0.0007 0.0059 0.0020 0.0079
0.0011 0.0063 0.0020 0.0083 0.0020 0.0061 0.0022 0.0083
0.0010 0.0063 0.0020 0.0083 0.0019 0.0061 0.0022 0.0083
0.0010 0.0062 0.0020 0.0082 0.0019 0.0061 0.0021 0.0082
0.0009 0.0062 0.0020 0.0082 0.0018 0.0061 0.0021 0.0082
0.0009 0.0061 0.0020 0.0081 0.0018 0.0061 0.0020 0.0081
0.0008 0.0061 0.0020 0.0081 0.0017 0.0061 0.0019 0.0081
0.0008 0.0060 0.0020 0.0080 0.0017 0.0061 0.0019 0.0080
0.0007 0.0060 0.0020 0.0080 0.0016 0.0061 0.0018 0.0079
0.0007 0.0059 0.0020 0.0079 0.0016 0.0061 0.0018 0.0079
0.0432 0.0061 0.0020 0.0081 0.8966 0.0061 0.0020 0.0081
0.0427 0.0061 0.0020 0.0081 0.8916 0.0061 0.0020 0.0081
0.0422 0.0061 0.0020 0.0081 0.8866 0.0061 0.0020 0.0081
0.0417 0.0061 0.0020 0.0081 0.8816 0.0061 0.0020 0.0081
0.0412 0.0061 0.0020 0.0081 0.8766 0.0061 0.0020 0.0081
0.0407 0.0061 0.0020 0.0081 0.8716 0.0061 0.0020 0.0081
0.0402 0.0061 0.0020 0.0081 0.8666 0.0061 0.0020 0.0081
0.0397 0.0061 0.0020 0.0081 0.8616 0.0061 0.0020 0.0081
0.0392 0.0061 0.0020 0.0081 0.8566 0.0061 0.0020 0.0081
Event 7 B C A
0.2212 0.0061 0.0020 0.0081
0.2207 0.0061 0.0020 0.0081
0.2202 0.0061 0.0020 0.0081
0.2197 0.0061 0.0020 0.0081
0.2192 0.0061 0.0020 0.0081
0.2187 0.0061 0.0020 0.0081
0.2182 0.0061 0.0020 0.0081
0.2177 0.0061 0.0020 0.0081
0.2172 0.0061 0.0020 0.0081
Int. J.Int.
Environ. Res.Res.
J. Environ. Public Health
Public 2017,14,
2017,
Health 14,705
705 22 of21
27of 26

0.0105
0.0105
0.0100
0.0100
0.0095 Event 1
0.0095 Event 1
0.0090 Event 2
(year-1)
0.0090 Event 2
(year-1)
0.0085
Int. J. Environ. Res. Public Health 2017, 14, 705 Event 3
0.0085 Event 323 of 27
0.0080 Event 4
event
0.0080 Event 4
event
0.2142 0.0075 0.0626 0.0123 0.0748 0.0872 0.0630 0.0123 0.0752

Event 5
0.2092 0.0075 Event 5
Top
0.0621 0.0123 0.0744 0.0867 0.0629 0.0123 0.0752

Event 6
Top
0.0070
0.2042 0.0070 0.0617 0.0123 0.0740 0.0862 0.0629 0.0123 0.0751
Event 6
0.1992 0.0065 0.0613 0.0123 0.0735 0.0857 0.0628 0.0123 Event 7
0.0751
0.0065 Event 7
Event 5 0.0060 B C A Event 6 B C A
0.00239 0.0060 0.0630 0.01246 0.07547 0.0024 0.0630 0.01246 0.07547
0.0055
0.00234 0.0055 0.0630 0.01241 0.07542 0.0023 0.0630 0.01241 0.07542
- 0.1000 0.2000 0.3000 0.4000 0.5000 0.6000 0.7000 0.8000 0.9000 1.0000
0.00229 0.0630
- 0.01236
0.1000 0.075370.4000 0.5000
0.2000 0.3000 0.0023 0.0630
0.6000 0.7000 0.8000 0.90000.01236
1.0000 0.07537
0.00224 0.0630 0.01231 Event 0.0022
0.07532 Event (year-1) 0.0630 0.01231 0.07532
(year-1)
0.00219 0.0630 0.01226 0.07527 0.0022 0.0630 0.01226 0.07527
0.00214 0.0630 0.01221 0.07522 0.0021 0.0630 0.01221 0.07522
Figure A4. Sensitivity Analysis for the Top event (2). Events 1 to 7.
0.00209 0.0630 Figure
Figure A4.Sensitivity
A4.
0.01216 0.07517Analysis
Sensitivity for the
Analysis0.0021
for theTop
Topevent
event (2).Events
(2).
0.0630 Events 1 to
7. 7.
10.01216
to 0.07517
0.00204 0.0630 0.01211 0.07512 0.0020 0.0630 0.01211 0.07512
0.00199 0.0630 0.01206 0.07507 0.0020 0.0630 0.01206 0.07507
Event 7 B C Sensitivity
A Analysis
Event 8 Top EventB (2) C A
0.00457 0.0105 0.0630 0.01246 0.07547 0.00195 0.0630 0.01246 0.07547
0.0105
0.00452 0.0100 0.0630 0.01241 0.07542 0.00190 0.0630 0.01241 0.07542
0.00447 0.0100 0.0630 0.01236 0.07537 0.00185 0.0630 0.01236 0.07537
0.0095
0.00442 0.0095 0.0630 0.01231 0.07532 0.00180 0.0630 0.01231 0.07532
Event 1
0.00437 0.0090 0.0630 0.01226 0.07527 0.00175 0.0630 0.01226 Event 1
0.07527
(year-1)
0.0090
(year-1)
0.00432 0.0085 0.0630 0.01221 0.07522 0.00170 0.0630 0.01221 0.07522

Event 2
0.00427 0.0085 0.0630 0.01216 0.07517 0.00165 0.0630 0.01216 0.07517
Event 2
0.0080
event
0.00422 0.0080 0.0630 0.01211 0.07512 0.00160 0.0630 0.01211 0.07512

event
0.00417 0.0075 0.0630 0.01206 0.07507 0.00155 0.0630 0.01206 Event 3

0.07507
0.0075 Event 3
Top
Event 9 0.0070 B C A
Top
0.00195 0.0070 0.0630 0.01246 0.07547 Event 4

0.0065 Event 4
0.00190 0.0065 0.0630 0.01241 0.07542
0.00185 0.0060 0.0630 0.01236 0.07537
0.0060
0.00180 0.0630 0.01231 0.07532
0.0055
0.00175 0.0055 0.0630
- 0.01226
0.0010 0.07527 0.0030
0.0020 0.0040 0.0050 0.0060 0.0070
0.00170 -
0.0630 0.0010
0.01221 0.0020
0.07522 0.0030 0.0040 0.0050 0.0060 0.0070
Event (year-1)
0.00165 0.0630 0.01216 0.07517 Event (year-1)
0.00160 0.0630 0.01211 0.07512
0.00155 0.0630 Figure A5.Sensitivity
A5.
0.01206
Figure 0.07507Analysis
Sensitivity for the
Analysis for theTop
Topevent
event(2).
(2).Events
Events 1 to
1 to 4. 4.
Figure A5. Sensitivity Analysis for the Top event (2). Events 1 to 4.
Sensitivity
Table Analysis
A9. Sensitivity Top
Analysis forEvent
the Top(3)
event (3).
0.0900 Equations System A = B + C = (2 × 1) + (3 × 1) + (4 × 1) + 5 + 6 + 7 + 8 + 9
Equations System A = B + C = (2 × 1) + (3 × 1) + (4 × 1) + 5 + 6 + 7 + 8 + 9
0.1077
0.0850 0.0774 0.0123 0.0896 0.4320 0.0648 0.0123 0.0770
0.1077 0.0774 0.0123 0.0896 0.4320 0.0648 0.0123 0.0770 1
Event
0.1027 0.0738 0.0123 0.0860 0.4270 0.0643 0.0123 0.0766
0.1027 0.0738 0.0123 0.0860 0.4270 0.0643 0.0123 0.0766
Event 2
Top Event (year-1)
0.0977 0.0702 0.0123 0.0825 0.4220 0.0639 0.0123 0.0761

0.0800 0.0702
0.0977 0.0123 0.0825 0.4220 0.0639 0.0123 0.0761
0.0927 0.0666 0.0123 0.0789 0.4170 0.0634 0.0123 0.0757
Event 3
0.0927 0.0666 0.0123 0.0789 0.4170 0.0634 0.0123 0.0757
0.0877 0.0630 0.0123 0.0753 0.4120 0.0630 0.0123 0.0753
0.0877 0.0630 0.0123 0.0753 0.4120 0.0630 0.0123 Event 4
0.0753
0.0750 0.0594
0.0827 0.0123 0.0717 0.4070 0.0626 0.0123 0.0748
0.0827 0.0594 0.0123 0.0717 0.4070 0.0626 0.0123 0.0748
Event 5
0.0777 0.0558 0.0123 0.0681 0.4020 0.0621 0.0123 0.0744
0.0777 0.0558 0.0123 0.0681 0.4020 0.0621 0.0123 0.0744
0.0727 0.0522
0.0700 0.0522 0.0123 0.0645 0.3970 0.0617 0.0123 0.0740
Event 6
0.0727 0.0123 0.0645 0.3970 0.0617 0.0123 0.0740
0.0677 0.0486 0.0123 0.0609 0.3920 0.0613 0.0123 0.0735
0.0677 0.0486 0.0123 0.0609 0.3920 0.0613 0.0123 0.0735
Event 7
Event 3
0.0650 B C A Event 4 B C A
0.2392 0.0648 0.0123 0.0770 0.0897 0.0632 0.0123 0.0754
Event 8
0.2392 0.0648 0.0123 0.0770 0.0897 0.0632 0.0123 0.0754
0.2342 0.0643 0.0123 0.0766 0.0892 0.0631 0.0123 0.0754
0.2342 0.0643 0.0123 0.0766 0.0892 0.0631 0.0123 Event 9
0.0754
0.0600 0.0639
0.2292 0.0123 0.0761 0.0887 0.0631 0.0123 0.0754
0.2292 0.0639 0.0123 0.0761 0.0887 0.0631 0.0123 0.0754
0.2242 - 0.0634
0.0500 0.0123
0.1000 0.1500 0.2000 0.2500
0.0757 0.3000 0.3500
0.0882 0.4000 0.45000.0123
0.0631 0.5000 0.0753
0.2242 0.0634 0.0123 0.0757 0.0882 0.0631 0.0123 0.0753
0.2192 0.0630 0.0123 0.0753 Event (year-1)
0.0877 0.0630 0.0123 0.0753
0.2192 0.0630 0.0123 0.0753 0.0877 0.0630 0.0123 0.0753
Figure A6. Sensitivity

FigureA6. Analysisfor
Sensitivity Analysis forthe
theTop
Top event
event (3).(3).

Equations System A = B + C = (2 × 1) + (3 × 1) + (4 × 1) + 5 + 6 + 7 + 8 + 9
0.1077 0.0774 0.0123 0.0896 0.4320 0.0648 0.0123 0.0770
0.1027 0.0738 0.0123 0.0860 0.4270 0.0643 0.0123 0.0766
0.0977 0.0702 0.0123 0.0825 0.4220 0.0639 0.0123 0.0761
0.0927 0.0666 0.0123 0.0789 0.4170 0.0634 0.0123 0.0757
0.0877 0.0630 0.0123 0.0753 0.4120 0.0630 0.0123 0.0753
0.0827 0.0594 0.0123 0.0717 0.4070 0.0626 0.0123 0.0748
0.0777 0.0558 0.0123 0.0681 0.4020 0.0621 0.0123 0.0744
0.0727 0.0522 0.0123 0.0645 0.3970 0.0617 0.0123 0.0740
0.0677 0.0486 0.0123 0.0609 0.3920 0.0613 0.0123 0.0735
0.2392 0.0648 0.0123 0.0770 0.0897 0.0632 0.0123 0.0754
0.2342 0.0643 0.0123 0.0766 0.0892 0.0631 0.0123 0.0754
0.2292 0.0639 0.0123 0.0761 0.0887 0.0631 0.0123 0.0754
0.2242 0.0634 0.0123 0.0757 0.0882 0.0631 0.0123 0.0753
0.2192 0.0630 0.0123 0.0753 0.0877 0.0630 0.0123 0.0753
0.2142 0.0626 0.0123 0.0748 0.0872 0.0630 0.0123 0.0752
0.2092 0.0621 0.0123 0.0744 0.0867 0.0629 0.0123 0.0752
0.2042 0.0617 0.0123 0.0740 0.0862 0.0629 0.0123 0.0751
0.1992 0.0613 0.0123 0.0735 0.0857 0.0628 0.0123 0.0751
0.00239 0.0630 0.01246 0.07547 0.0024 0.0630 0.01246 0.07547
0.00234 0.0630 0.01241 0.07542 0.0023 0.0630 0.01241 0.07542
0.00229 0.0630 0.01236 0.07537 0.0023 0.0630 0.01236 0.07537
0.00224 0.0630 0.01231 0.07532 0.0022 0.0630 0.01231 0.07532
0.00219 0.0630 0.01226 0.07527 0.0022 0.0630 0.01226 0.07527
0.00214 0.0630 0.01221 0.07522 0.0021 0.0630 0.01221 0.07522
0.00209 0.0630 0.01216 0.07517 0.0021 0.0630 0.01216 0.07517
0.00204 0.0630 0.01211 0.07512 0.0020 0.0630 0.01211 0.07512
0.00199 0.0630 0.01206 0.07507 0.0020 0.0630 0.01206 0.07507
0.00457 0.0630 0.01246 0.07547 0.00195 0.0630 0.01246 0.07547
0.00452 0.0630 0.01241 0.07542 0.00190 0.0630 0.01241 0.07542
0.00447 0.0630 0.01236 0.07537 0.00185 0.0630 0.01236 0.07537
0.00442 0.0630 0.01231 0.07532 0.00180 0.0630 0.01231 0.07532
0.00437 0.0630 0.01226 0.07527 0.00175 0.0630 0.01226 0.07527
0.00432 0.0630 0.01221 0.07522 0.00170 0.0630 0.01221 0.07522
0.00427 0.0630 0.01216 0.07517 0.00165 0.0630 0.01216 0.07517
0.00422 0.0630 0.01211 0.07512 0.00160 0.0630 0.01211 0.07512
0.00417 0.0630 0.01206 0.07507 0.00155 0.0630 0.01206 0.07507
Event 9 B C A
0.00195 0.0630 0.01246 0.07547
0.00190 0.0630 0.01241 0.07542
0.00185 0.0630 0.01236 0.07537
0.00180 0.0630 0.01231 0.07532
0.00175 0.0630 0.01226 0.07527
0.00170 0.0630 0.01221 0.07522
0.00165 0.0630 0.01216 0.07517
0.00160 0.0630 0.01211 0.07512
0.00155 0.0630 0.01206 0.07507

Equations System A = B + C = (3 × 1) + (4 × 1) + (5 × 1) + (2 × 6) + (2 × 7) + (2 × 8)
0.8966 0.0872 1.6246 1.7118 0.8966 0.0853 1.6616 1.7469
0.8916 0.0868 1.6246 1.7113 0.8916 0.0853 1.6524 1.7377
0.8866 0.0863 1.6246 1.7108 0.8866 0.0853 1.6431 1.7284
0.8816 0.0858 1.6246 1.7104 0.8816 0.0853 1.6338 1.7191
0.8766 0.0853 1.6246 1.7099 0.8766 0.0853 1.6246 1.7099
0.8716 0.0848 1.6246 1.7094 0.8716 0.0853 1.6153 1.7006
0.8666 0.0843 1.6246 1.7089 0.8666 0.0853 1.6060 1.6913
0.8616 0.0838 1.6246 1.7084 0.8616 0.0853 1.5968 1.6821
0.8566 0.0833 1.6246 1.7079 0.8566 0.0853 1.5875 1.6728
0.00090 0.08531 1.6246 1.70989 0.0897 0.0870 1.6246 1.7116
0.00089 0.08531 1.6246 1.70988 0.0892 0.0866 1.6246 1.7112
0.00089 0.08530 1.6246 1.70988 0.0887 0.0862 1.6246 1.7107
0.00093 0.08534 1.6246 1.70991 0.0927 0.0897 1.6246 1.7143
0.00088 0.08530 1.6246 1.70987 0.0877 0.0853 1.6246 1.7099
0.00087 0.08529 1.6246 1.70987 0.0872 0.0849 1.6246 1.7094
0.00087 0.08529 1.6246 1.70986 0.0867 0.0844 1.6246 1.7090
0.00086 0.08528 1.6246 1.70986 0.0862 0.0840 1.6246 1.7086
0.00086 0.08528 1.6246 1.70985 0.0857 0.0835 1.6246 1.7081
0.0090 0.0855 1.6246 1.7100 0.8966 0.0853 1.6421 1.7274
0.0089 0.0854 1.6246 1.7100 0.8916 0.0853 1.6377 1.7230
0.0089 0.0854 1.6246 1.7100 0.8866 0.0853 1.6333 1.7186
0.0093 0.0857 1.6246 1.7103 0.8816 0.0853 1.6290 1.7143
0.0088 0.0853 1.6246 1.7099 0.8766 0.0853 1.6246 1.7099
0.0083 0.0849 1.6246 1.7094 0.8716 0.0853 1.6202 1.7055
0.0078 0.0844 1.6246 1.7090 0.8666 0.0853 1.6158 1.7011
0.0073 0.0840 1.6246 1.7086 0.8616 0.0853 1.6114 1.6967
0.0068 0.0835 1.6246 1.7081 0.8566 0.0853 1.6070 1.6923
0.8966 0.0853 1.6421 1.7274 0.1201 0.0853 1.6421 1.7274
0.8916 0.0853 1.6377 1.7230 0.1151 0.0853 1.6377 1.7230
0.8866 0.0853 1.6333 1.7186 0.1101 0.0853 1.6333 1.7186
0.8816 0.0853 1.6290 1.7143 0.1051 0.0853 1.6290 1.7143
0.8766 0.0853 1.6246 1.7099 0.1001 0.0853 1.6246 1.7099
0.8716 0.0853 1.6202 1.7055 0.0951 0.0853 1.6202 1.7055
0.8666 0.0853 1.6158 1.7011 0.0901 0.0853 1.6158 1.7011
0.8616 0.0853 1.6114 1.6967 0.0851 0.0853 1.6114 1.6967
0.8566 0.0853 1.6070 1.6923 0.0801 0.0853 1.6070 1.6923

1.7500
1.7400
1.7300
Event 1
Top Event (year-1)
1.7200 Event 2
Event 3
1.7100
Event 4
1.7000 Event 5
Event 6
1.6900
Event 7
1.6800 Event 8
1.6700
- 0.1000 0.2000 0.3000 0.4000 0.5000 0.6000 0.7000 0.8000 0.9000 1.0000
Event (year-1)
FigureA7.
Figure SensitivityAnalysis
A7.Sensitivity Analysisfor
forthe
theTop
Top event
event (4).
(4).
References
References
1.
1. Tixier,
Tixier, J.;
J.; Dusserre,
Dusserre, G.; G.; Salvi,
Salvi, O.;
O.; Gaston,
Gaston, D. D. Review
Review of 62 analysis methodologies
methodologies of of industrial
industrial plants.
plants. J.J. Loss
Loss
Prev. Process Ind. 2002, 15, 291–303.
Prev. Process Ind. 2002, 15, 291–303. [CrossRef]
2.
2. Planas,
Planas,E.;E.;Arnaldos,
Arnaldos, J.;J.;
Darbra,
Darbra,R.M.;
R.M.;Muñoz,
Muñoz, M.; M.;
Pastor, E.; Vílchez,
Pastor, J.A. Historical
E.; Vílchez, evolution
J.A. Historical of process
evolution safety
of process
and major-accident
safety and major-accident hazardshazards
prevention in Spain.
prevention Contribution
in Spain. of the of
Contribution pioneer Joaquim
the pioneer Casal. Casal.
Joaquim J. LossJ.Prev.
Loss
Process Ind. 2014,
Prev. Process Ind.28, 109–117.
2014, 28, 109–117. [CrossRef]
3.
3. Woodruff,
Woodruff, J.M. J.M. Consequence
Consequence and and likelihood
likelihood in in risk
risk estimation:
estimation: AAmattermatterofofbalance
balancein inUKUK health
health and
and safety
safety
risk
riskassessment
assessmentpractice.
practice.Saf.Saf.Sci.
Sci.2005,
2005,43,43,
345–353.
345–353. [CrossRef]
4.
4. Reniers,G.L.L.;
Reniers, G.L.L.;Dullaert,
Dullaert,W.; W.; Ale,
Ale, B.J.M.;
B.J.M.;Soudan,
Soudan,K. K.Developing
Developingan anexternal
externaldomino
dominoprevention
preventionframework:
framework:
Hazwin.J.J.Loss
Hazwin. LossPrev.
Prev.Process
ProcessInd.
Ind.2005,
2005,18,18, 127–138. [CrossRef]
127–138.
5.
5. Høj,N.P.;
Høj, N.P.;Kröger,
Kröger,W. W.Risk
Riskanalyses
analysesofof transportation
transportation ononroadroadandand railway
railway from from a European
a European perspective.
perspective. Saf.
Saf.2002,
Sci. Sci. 2002, 40, 337–357. [CrossRef]
40, 337–357.
6.
6. Haimes,Y.Y.
Haimes, Modelling, Assessment
Y.Y. Risk Modelling, Assessment and and Management,
Management, 3rd 3rd ed.;
ed.; John
John Wiley
Wiley &
& Sons
Sons Inc.:
Inc.: San
SanFrancisco,
Francisco,CA, CA,
USA,2009.
USA, 2009.
7.
7. Marhavilas,P.K.;
Marhavilas, P.K.; Koulouriotis,
Koulouriotis, D.; D.; Gemeni,
Gemeni,V. V. Risk
Risk analysis
analysis and
and assessment
assessmentmethodologies
methodologiesin inthe
thework
worksites:
sites:
On aa review,
On review, classification
classification andand comparative
comparative study study of of the
the scientific
scientific literature
literature of
of the
the period 2000–2009. J.J. Loss
period 2000–2009. Loss
Prev. Process
Prev. ProcessInd. Ind.2011,
2011,24,24,477–523.
477–523. [CrossRef]
8.
8. Center for
Center for Chemical
Chemical Process
Process Safety
Safety (CCPS). Guidelinesfor
(CCPS). Guidelines for Engineering
EngineeringDesign
Designforfor Process
Process Safety,
Safety, 2nd
2nd ed.;
ed.;
American Institute of Chemical Engineers: New
American Institute of Chemical Engineers: New York, NY, USA, 1993. York, NY, USA, 1993.
9.
9. EuropeanUnion.
European Union.Directive
Directive 2012/18/EU
2012/18/EU of theof European
the European Parliament
Parliament and
and the the Council
Council of 4th of July
4th of July
2012 on2012the
on the of
control control of major-accident
major-accident hazards hazards
involvinginvolving
dangerous dangerous
substances, substances,
amendingamending and subsequently
and subsequently repealing
repealing96/82/EC.
directive directiveOff.96/82/EC. Off. J.2012,
J. Eur. Union Eur.1–37.
Union 2012, 1–37.
10.
10. Persson,H.;
Persson, H.;Lönnermark,
Lönnermark,A. Tank Fires:
A.Tank Fires: Review
Review of of Fire
Fire Incidents
Incidents1951–2003;
1951–2003;SP SPSwedish
SwedishNational
NationalTesting
Testing andand
Research Institute: Borås, Sweden,
Research Institute: Borås, Sweden, 2014. 2014.
11.
11. Hailwood,M.;
Hailwood, M.;Gawlowski,
Gawlowski,M.; M.;Schalau,
Schalau,B.; B.; Schönbucher,
Schönbucher,A. A. Conclusions
Conclusionsdrawndrawnfromfrom thethe Buncefield
Buncefield and and
Naplesincidents
Naples incidentsregarding
regardingthe the utilization
utilization of of consequence
consequence models.
models. Chem.Chem.
Eng.Eng. Technol.
Technol. 2009,2009, 32, 207–231.
32, 207–231.
12. [CrossRef]
Casal, J.; Montiel, H.; Planas, E.; Vílchez, J.A. Análisis del Riesgo en Instalaciones Industriales; Edicions UPC:
12. Casal, J.; Montiel,
Barcelona, Spain, 1999.H.; Planas, E.; Vílchez, J.A. Análisis del Riesgo en Instalaciones Industriales; Edicions UPC:
(In Spanish)
13. Barcelona,
Batista Abreu, Spain, 1999. (In
J.; Godoy, Spanish)
L.A. Investigación de causas de explosiones en plantas petrolíferas: El accidente de
13. Batista Abreu,
Buncefield. Rev.J.; Godoy,
Int. DesastresL.A.Nat.
Investigación
Accid. Infraest. de Civ.
causas de9,explosiones
2009, 187–202. (Inen plantas petrolíferas: El accidente
Spanish)
14. Rev. Int. Desastres Nat. Accid. Infraest. Civ.
Willey, R.J.; Hendershot, D.C.; Berger, S. The accident in Bhopal: Observations(In
de Buncefield. 2009, 9, 187–202. 20Spanish)
years later. Process. Saf. Prog.
14. Willey, R.J.; Hendershot,
2007, 26, 180–184. D.C.; Berger, S. The accident in Bhopal: Observations 20 years later. Process. Saf. Prog.
15. 2007, 26, 180–184.
Homberger, [CrossRef]
E.; Reggiani, G.; Sambeth, J.; Wipf, H.K. Seveso Accident, its nature, extent and consequences.
Ann. Occup. Hyg. 1979, 22, 327–370.
15. Homberger, E.; Reggiani, G.; Sambeth, J.; Wipf, H.K. Seveso Accident, its nature, extent and consequences.
Ann. Occup. Hyg. 1979, 22, 327–370. [PubMed]
16. International Standard Organization (ISO). Risk Management. In Principles and Guidelines on Implementation;
ISO 31000:2010; ISO: Geneva, Switzerland, 2010.
17. Federación Empresarial de la Industria Química Española (FEIQUE). Estadísticas\Radiografía Económica del
Sector Químico 2016. Available online: www.feique.org/pdfs/Radiografia_Economica_del_sector_2016.pdf
(accessed on 17 January 2017). (In Spanish)
18. Federación Empresarial de la Industria Química Española (FEIQUE). Estadísticas de Seguridad\Informe
de Siniestrabilidad 2013. Available online: www.feique.org/pdfs/informeseguridad2015.pdf (accessed on
17 January 2017). (In Spanish)
19. European Union. Directive 82/501/CEE of the Council of 24 June 1982 on the major accident hazards of
certain industrial activities. Off. J. Eur. Union 1982, 1, 1–18.
20. European Union. Directive 96/82/EC of 9 December 1996 on the control of major-accident hazards involving
dangerous substances. Off. J. Eur. Union 1996, 1, 13–33.
21. Dirección General de Protección Civil (DGPC). ¿Qué Hacemos?/Riesgos: Prevención y
Planificación/Tecnológicos/Químicos/Distribución. Available online: www.proteccioncivil.es/riesgos/
quimicos/distribucion (accessed on 17 January 2017). (In Spanish)
22. Kletz, T.A. What you don’t have can’t leak. Chem. Ind. 1978, 6, 287–292.
23. Kletz, T.A. HAZOP and HAZAN. In Identifying and Assessing Process Industry Hazards, 4th ed.; IChemE:
Rugby, UK, 1999.
24. International Electrotechnical Commission (IEC). Hazard and Operability Studies (HAZOP Studies)—Application
Guide; IEC 61882:2001; IEC: Geneva, Switzerland, 2016.
25. National Institute of Health and Safety at Work (NIHSW). Papers Prevention. Nº 238: HAZOP at Processing
Facilities. Available online: www.insht.es/InshtWeb/Contenidos/Documentacion/FichasTecnicas/NTP/
Ficheros/201a300/ntp_238.pdf (accessed on 13 July 2015). (In Spanish)
26. Dunjó, J.; Fthenakis, V.; Vílchez, J.A.; Arnaldos, J. Hazard and operability (HAZOP) analysis. A literature
review. J. Hazard. Mater. 2009, 173, 19–32. [CrossRef] [PubMed]
27. Demichela, M.; Camuncoli, G. Risk based decision making. Discussion on two methodological milestones.
J. Loss Prev. Process Ind. 2014, 28, 101–108. [CrossRef]
28. Mitkowski, P.T.; Bal, S.K. Integration of Fire and Explosion Index in 3D Process Plant Design Software.
Chem. Eng. Technol. 2015, 38, 1212–1222. [CrossRef]
29. Bendixen, L.; O’Neill, J.K. Chemical plant risk assessment using HAZOP and fault tree methods.
Plant Oper. Prog. 1984, 3, 179–184. [CrossRef]
30. Ozog, H. Hazard identification, analysis and control: A systematic way to assess potential hazards helps
promote safer design and operation of new and existing plants. Chem. Eng. 1985, 92, 161–170.
31. Ozog, H.; Bendixen, L. Hazard identification and quantification: The most effective way to identify, quantify,
and control risks is to combine a hazard and operability study with fault tree analysis. Chem. Eng. Prog.
1987, 83, 55–64.
32. Demichela, M.; Marmo, L.; Piccinini, N. Recursive operability analysis of a complex plant with multiple
protection devices. Reliab. Eng. Syst. Saf. 2002, 77, 301–308. [CrossRef]
33. Cozzani, V.; Bonvicini, S.; Spadoni, G.; Zanelli, S. Hazmat transport: A methodological framework for
the risk analysis of marshalling yards. J. Hazard. Mater. 2007, 147, 412–423. [CrossRef] [PubMed]
34. Casamirra, M.; Castiglia, F.; Giardina, M.; Lombardo, C. Safety studies of a hydrogen refuelling station:
Determination of the occurrence frequency of the accidental scenarios. Int. J. Hydrogen Energy 2009, 34,
5846–5854. [CrossRef]
35. Kim, E.; Lee, K.; Kim, J.; Lee, Y.; Park, J.; Moon, I. Development of Korean hydrogen fuelling station codes
through risk analysis. Int. J. Hydrogen Energy 2011, 36, 13122–13131. [CrossRef]
36. International Standard Organization (ISO). Risk Management. In Risk Assessment Techniques; ISO 31010:2011;
ISO: Geneva, Switzerland, 2011.
37. Vesely, W.E.; Goldberg, F.F.; Roberts, N.H.; Haasl, D.F. Fault Tree Handbook; NUREG-0492; Nuclear Regulatory
Commission: Rockville, MD, USA, 1981.
38. Segovia Andújar, R. Proyecto de Ejecución de Nueva estación de descarga de productos inflamables
en el muelle norte del puerto de Valencia. In Autoridad Portuaria de Valencia; Ministerio de Fomento:
Madrid, Spain, 2006. (In Spanish)
39. Terminales Portuarias SL (TEPSA). Declaración Ambiental y Responsabilidad Social Corporativa.
Available online: www.tepsa.es (accessed on 14 July 2015). (In Spanish)
40. Boletín Oficial del Estado. Royal Decree 1254/1999 of 16 July, on the Control of Major-Accident Hazards
Involving Dangerous Substances; Boletín Oficial del Estado: Madrid, Spain, 1999; Volume 172, pp. 27167–27180.
(In Spanish)
41. Chang, J.I.; Lin, C.C. A study of storage tank accidents. J. Loss Prev. Process Ind. 2006, 19, 51–59. [CrossRef]
42. Aneziris, O.N.; Papazoglou, I.A.; Konstantinidou, M.; Nivolianitou, Z. Integrated risk assessment for LNG
terminals. J. Loss Prev. Process Ind. 2014, 28, 23–35. [CrossRef]
43. Batista Abreu, J.; Godoy, L.A. Investigación de causas de explosiones en una planta de almacenamiento
de combustible en Puerto Rico. Rev. Int. Desastres Nat. Accid. Infraest. Civ. 2011, 11, 109–122. (In Spanish)
44. Taveau, J. Explosion of Fixed Roof Atmospheric Storage Tanks, Part 1: Background and Review of Case
Histories. Process Saf. Prog. 2011, 30, 381–392. [CrossRef]
45. National Institute of Health and Safety at Work (NIHSW). Papers Prevention. Nº 333: Probabilistic Risk
Analysis: Fault Tree Analysis. Available online: www.insht.es/InshtWeb/Contenidos/Documentacion/
FichasTecnicas/NTP/Ficheros/301a400/ntp_333.pdf (accessed on 14 July 2015). (In Spanish)
46. Ronza, A.; Carol, S.; Espejo, V.; Vílchez, J.A.; Arnaldos, J. A quantitative risk analysis approach to port
hydrocarbon logistics. J. Hazard. Mater. 2006, 128, 10–24. [CrossRef] [PubMed]
47. International Association of Oil and Gas Producers (IAOGP). Storage Incident Frequencies. In Risk Assessment
Data Directory; Report No. 434-3; OGP: London, UK, 2010. Available online: http://www.ogp.org.uk/pubs/
434-03.pdf (accessed on 16 July 2015).
© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access
article distributed under the terms and conditions of the Creative Commons Attribution
(CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Risk Analysis

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Risk Analysis

Încărcat de

Drepturi de autor:

Formate disponibile

International Journal of

Academic Editor: Jason K. Levy

2. The Chemical Industry in Spain and Serious Accidents

2.1. The Chemical Industry in Spain

2.2. The Regulatory Framework

STUDY OF SUBSTANCES USED AND PROCESS

HISTORICAL ANALYSIS OF ACCIDENTS

HAZARD ANALYSIS AND OPERABILITY (HAZOP)

FAULT TREE ANALYSIS (FTA)

Figure 1. Methodology of study.

3.2. Fault Tree Analysis

Symbol Meaning Description

Int. J. Environ. Res. Publicgate

4.1. Identification of Products Handled

4.2. Historical Analysis of Accidents

4.3. HAZOP Analysis

Figure 3. Three areas of activity.

Table 4. Guide Words and Parameters used in the HAZOP analysis.

Table 4. Guide Words and Parameters used in the HAZOP analysis.

Table 5. Example of HAZOP analysis for nodes 2.1.1 and 2.1.2.

System 2: Product Storage in Tank

Table 6. Qualitative evaluation of top event (1).

Top Event (1) Fuel Spill Ship-Terminal Unloading Area

Table 7. Top event failure frequencies (1).

Top Event (1) Fuel Spill in Ship-Terminal Area

Table 8. Results of quantitative analysis.

Description Frequency of Failure (year−1 ) Importance (%)

Sensitivity Analysis Top Event (1)

Figure 5. Sensitivity Analysis for the Top event (1).

Table 9. Sensitivity Analysis for the Top event (1).

Top Event (1) Fuel Spill Ship-Terminal Unloading Area

Appendix A. Historical Analysis of Accidents

Table A1. Analysis of Accidents.

Table A1. Cont.

Int. J. Environ. Res. Public Health 2017, 14, 705 18 of 27

Figure A2. Top event fault tree (3).

Figure A3. Top

Table A2. Qualitative evaluation of top event (2).

1 Basic Event Corrosion

2 Vehicles collision 8.8 × 10−4

Table A4. Qualitative evaluation of top event (3).

Top Event (3) Leak in Storage Tank

Table A5. Top event failure frequencies (3).

Top Event (3) Leak in Storage Tank

Table A6. Qualitative evaluation of top event (4).

Top Event (4) Fuel Spill in Tank Truck Loading Area

Table A7. Top event failure frequencies (4).

Top Event (4) Fuel Spill in Tank Truck Loading Area

Appendix D. Sensitivity Analysis of Results

Table A8. Sensitivity Analysis for the Top event (2).

Top Event (2) Fuel Leak in Pipelines

Sensitivity Analysis Top Event (2)

0.2142 0.0075 0.0626 0.0123 0.0748 0.0872 0.0630 0.0123 0.0752

0.0621 0.0123 0.0744 0.0867 0.0629 0.0123 0.0752

0.00432 0.0085 0.0630 0.01221 0.07522 0.00170 0.0630 0.01221 0.07522

0.00422 0.0080 0.0630 0.01211 0.07512 0.00160 0.0630 0.01211 0.07512

0.00417 0.0075 0.0630 0.01206 0.07507 0.00155 0.0630 0.01206 Event 3

0.00195 0.0070 0.0630 0.01246 0.07547 Event 4

0.0977 0.0702 0.0123 0.0825 0.4220 0.0639 0.0123 0.0761

Figure A6. Sensitivity

Table A9. Sensitivity Analysis for the Top event (3).

Top Event (3) Leak in Storage Tank

Table A10. Sensitivity Analysis for the Top event (4).

Top Event (4) Fuel Spill in Tank Truck Loading Area