Risk Analysis of a Fuel Storage Terminal Using HAZOP and FTA

The size and complexity of industrial chemical plants, together with the nature of the products handled, mean that an analysis and control of the risks involved is required. This paper presents a methodology for risk analysis in chemical and allied industries that is based on a combination of HAZard and OPerability analysis (HAZOP) and a quantitative analysis of the most relevant risks through the development of fault trees, fault tree analysis (FTA). Results from FTA allow prioritizing the preventive and corrective measures to minimize the probability of failure. An analysis of a case study is performed; it consists of the terminal for unloading chemical and petroleum products, and the fuel storage facilities of two companies, in the port of Valencia (Spain). HAZOP analysis shows that loading and unloading areas are the most sensitive areas of the plant and that the most significant danger there is a fuel spill. FTA analysis indicates that the most likely event is a fuel spill in the tank truck loading area. A sensitivity analysis from the FTA results shows the importance of the human factor in all sequences of the possible accidents, so it should be mandatory to improve the training of the staff of the plants.


Introduction
Technological and social development has led to an increase in the size and complexity of chemical plants. At the same time, the existence of such plants and the transport of their products involve certain risks that need to be controlled and minimised [1,2].
Risk is understood as the possibility that someone or something is adversely affected by a hazard [3], while danger is defined as any unsafe situation or potential source of an undesirable and damaging event [4]. Other definitions of risk are the measure of the severity of a hazard [5], or the measure of the probability and severity of adverse effects [6].
In recent decades, interest in the safety of chemical industrial plants has greatly increased [2,7]. This has led to the development of a scientific discipline known as process safety that focuses on the prevention of fires, explosions, and accidental chemical releases in chemical processing facilities [8]. The objective of this discipline is to improve prevention in the facilities by learning from accidents and from continuous analysis of the production process.
Directive 2012/18/EU (or Seveso III) [9] defines as a serious accident an event (such as a major leak, fire, or explosion) resulting from an uncontrolled process during the operation of any plant and producing a serious danger, whether immediate or delayed, to human health or the environment, inside or outside the plant, and involving one or more hazardous substances. Examples of serious accidents in industrial processes include: Flixborough in Britain (1974), Seveso in Italy (1976), Bhopal in India (1984), Enschede in the Netherlands (2000), Toulouse in France (2001) and Buncefield in Britain (2005) [10][11][12][13][14][15]. In Spain, examples include an accident at the Repsol refinery in Puertollano (2003) in which an explosion in a gas storage area killed nine workers and injured many others, as well as causing property damage.
The complexity and severity of accidents at these plants require the implementation of risk management systems. The ISO 31000: 2010 [16] standard defines risk management as "coordinated activities to manage and control an organisation with regard to risk" and comprises the following steps: communication and consultation, establishing the context, risk assessment (identification, analysis, and evaluation), risk treatment, monitoring, and review.
The purpose of this article is to show the procedure for risk analysis in chemical and allied industries that is based on a combination of HAZard and OPerability analysis (HAZOP) and a quantitative analysis of the most relevant risks through the development of fault trees, fault tree analysis (FTA). HAZOP can identify possible fault root causes and their consequences and FTA develops fault propagation pathways and provides a quantitative probability importance ranking of fault causes. These results can guide the decision making of management staff to mitigate or avoid potential process hazards. This working method is applied to a case study consisting of the terminal for unloading chemical and petroleum products, and the fuel storage facilities of two companies, in the port of Valencia (Spain).
This paper is organized as follows. Section 1 introduces the theme. Section 2 introduces the main data of the chemical industry in Spain and the framework for the risk assessment process of major accidents. Section 3 introduces the methodology. Section 4 details a case study with the HAZOP and FTA analysis. Section 5 presents the conclusions. Appendices A-D present complementary documentation of the case study.

The Chemical Industry in Spain
Turnover of the chemical industry in Spain totalled €56.39 billion in 2014, representing 12.4% of industrial Gross Domestic Product (GDP) [17] and making the industry the fourth largest after the food, transport and metal industries. This is also the second largest sector of the Spanish economy in terms of exports with 58.1% of sales going abroad.
The largest concentration of chemical companies is found in Catalonia with 43% of total turnover, followed by Andalusia (12.7%) and Madrid (13.5%). The Valencian Community is in fourth place with €4.88 billion or 8.4% of total turnover. The chemical sector employed 191,100 people in 2008, a figure that has fallen to around 174,600 in recent years because of the economic crisis [17].
The Spanish Chemical Industry Federation (FEIQUE) in its 2015 annual report on industrial accidents in the chemical sector [18] noted that the frequency index was 3.44 (the index frequency represents the number of accidents for every million hours worked). Compared with data published by the Ministry of Employment in 2015, this index is lower than the industrial sector index (5.03) and the construction sector index (6.59). The severity index for the sector was 0.12 (the severity index represents the number of days lost per 1000 working hours), which reflects the great importance that is given to safety in the Spanish chemical industry.

The Regulatory Framework
The disastrous accident at Seveso (Italy) in 1976 led to European Union legislation intended to prevent accidents in certain industries using hazardous substances and thus limit the impact on employees, the general population, and on the environment. The resulting standard was Directive 82/501/EEC [19], better known as Seveso I. This regulatory framework established that a manufacturing company which used hazardous substances listed in Appendix A in its processes, or stored hazardous substances listed in Appendix B, or both, must develop (among other documents) interior and exterior protection and emergency plans that include risk assessment.
During the implementation of Seveso I, there were more than 130 serious accidents in Europe and new risks appeared due to technological advances. Consequently, the European Commission introduced Directive 96/82/EC (called Directive Seveso II) [20] in 1996. This directive classified plants into "not affected", "low risk" and "high risk" according to the quantities of dangerous substances present. Seveso II was revised in Directive 2012/18/EU or Seveso III [9] with the aim of increasing levels of protection for people, property, and the environment.
In Spain, in 2016, according to data from the Directorate General for Civil Defence [21], there were 422 high risk plants subject to the Seveso directive and 470 low risk plants. The geographical distribution is similar to that for turnover: Catalonia was first with 101 high risk plants (23.9%), Andalusia with 70 (16.6%), the Valencian Community with 39 (9.2%) and the Basque Country with 28 (6.6%).
According to a study by Planas et al. [2], there have been 89 accidents in Spain since the beginning of the twentieth century. Some 44% of these accidents occurred during transport, the most serious accident occurring at Los Alfaques campsite in July 1978 where 217 people died. The second major source of accidents were processing areas (19%); and the third source were storage areas. Explosions occurred in 49% of accidents, leaks in 37% and fires in 24%.
The chemical industry has implemented improvements in process safety and environmental protection with four strategies: inherent safer design; risk assessment processes; use of instrumented safety systems; and the implementation of safety management systems. In the risk assessment process, the HAZOP method is the technique most used to identify risks [2]. HAZOP studies evolved from the Imperial Chemical Industries (ICI) as a "Critical Examination" technique formulated in the mid-1960s. One decade later, HAZOP was published formally as a disciplined procedure to identify deviations to the process industries by Kletz in 1978 [22], and some publications [23], corporate guidelines, standards (IEC 61882 [24]) and national guidance notes (Nota Técnica Prevención (NTP) 238 [25]) were developed after.

Methodology
Risk assessment is the process of identifying, analysing, and evaluating the hazard posed by an industrial plant and the main aim is the prevention and mitigation of accidents in potentially hazardous facilities [26,27].
The phase of hazard identification is the process in which hazards are identified and recorded. The analysis phase involves developing an understanding of the hazard and providing information for evaluation. The evaluation phase involves comparing the estimated hazard levels with predefined criteria to define the importance of the level of hazard and decide whether it is necessary to address the hazard, as well as the most appropriate strategies and methods of hazard treatment [8].
Choosing the appropriate risk assessment techniques is a difficult decision that will depend on factors such as the complexity of the problem, the methods for analysis of the amount of information available, the need for quantitative data, and available resources [28]. Often, authors combine some techniques with the purpose of blending, i.e., to take advantage of the strengths of each method whilst compensating for their weaknesses.
In this paper, the methodology used is based on the combination of HAZOP analysis and a quantitative analysis of the most relevant hazards by FTA. HAZOP is a qualitative technique that carries out a structured analysis of the process and allows identifying the deviations that may take place with regard to the intended functioning, as well as their causes and consequences. HAZOP does not try to provide quantitative results but, in many situations, it is necessary to rank the identified hazards, mainly to prioritize the actions to mitigate them, because this decision depends on the risk level. For this purpose, HAZOP is combined with other techniques; in these cases, with quantitative techniques such as FTA. FTA can identify the potential causes and the ways of failure and can quantitatively assess the probability of development of the accident. The blending of the two techniques was defined as positive because it minimizes the uncertainty [29][30][31].
There are many examples of blending HAZOP and FTA in the literature: Demichela et al. [32] developed the Recursive Operability Analysis (ROA), linking HAZOP results and FTA development; Cozzani et al. [33] developed a specific methodological approach to analyse the risk from hazardous materials in marshalling yards; Casamirra et al. [34] integrated HAZOP, FTA and Failure Mode and Effect Analysis (FMEA) to assess the safety of a hydrogen refuelling station; and Kim et al. [35] combined HAZOP and FTA to carry out a safety assessment of hydrogen fuelling stations in Korea.
The methodology (Figure 1) begins with a detailed study of the industrial process and substances used. Subsequently, a historical analysis of accidents is made, which is the study and analysis of accidents in similar plants to identify risk and causes. This stage is performed by referring to specialised scientific publications and literature review. With this available information, a HAZOP analysis is conducted. After the HAZOP sessions, the possible fault causes and consequences of the given deviations from the design are identified. These data allow, according to the criteria of the HAZOP team, identifying the initiating events, modelling the fault propagation process, and finally building the fault tree analysis. Subsequently, a quantitative analysis is performed; the results obtained rank the risks and allow prioritizing the corrective and/or preventive measures.

HAZOP Method
The HAZOP technique [36] is a structured and systematic examination of a product, process, or procedure, or of an existing or planned system. This is a qualitative technique based on the use of guide words (Table 1) that question how design intent or operating conditions may fail to be achieved at each step of the design process or technique. The guide words must always be appropriately selected to the process which is analysed and additional guide words can be used. This technique is applied by a multidisciplinary team during a series of meetings where work areas and operations are defined, and each of the variables that influence the process are applied to the guide to verify the operating conditions and detect design errors or potentially abnormal operating conditions (Figure 2).

Fault Tree Analysis
FTA is a technique to identify and analyse factors that may contribute to an unwanted specified event (called the "top or main event"). Causal effects are identified deductively, organised in a logical manner, and shown using a tree diagram that describes the causal factors and their logical relationships (Table 2) with respect to the top event.
Table 2 (surviving entry). Intermediate event: a fault event that occurs because of one or more antecedent causes acting through logic gates.
A fault tree can be used qualitatively to identify potential causes and the ways in which failure (the top event) occurs or quantitatively, or both, to calculate the probability of the top event from the probabilities of causal events.
The stages for the application of this technique are:
(1) Define the top event.
(2) Construction of the fault tree: From the top event, the possible immediate causes of the failure modes are established and it is possible to identify how these failures can occur at basic levels or in basic events.
(3) Qualitative evaluation: The aim is to find the minimum set of faults, establishing a mathematical formulation from the relationships established in the fault tree. To achieve this, the "OR" gates are replaced by the "+" sign (not addition but a union of conjunctions) and the "AND" gates by the "x" sign (equivalent to the intersection of conjunctions). Boolean algebra is used.
(4) Quantitative evaluation: From the frequency of failure of basic events, the probable frequency of an accident is calculated (if it occurs) as well as the most critical fault routes (i.e., the most probable among combinations of susceptible events that may cause the top event). Quantitative evaluation enables a complete risk analysis before implementing and prioritising actions to improve the safety and reliability of the system under study. A complementary sensitivity analysis can be performed to check the effect of the basic events in the global risk assessment.
These data allow prioritizing the preventive measures and the efforts of the risk control process.

Application to a Case Study: The Chemical Terminal at the Port of Valencia
The application of the methodology is performed for the jetty and pipe work of the chemical terminal, as well as the connected storage facilities, at the Port of Valencia. These storage facilities are owned by two companies: Terminales Portuarias SL (TEPSA) and Petróleos de Valencia SA (PTROVAL) [38,39]. Both companies work in the reception, storage, loading, and distribution of liquid products, divided into two groups: chemicals and oil.

Identification of Products Handled
TEPSA stores and distributes gasoline, diesel, methanol, and other chemicals in smaller amounts. PTROVAL (owned by Galp Energía) stores and distributes gasoline, diesel, and kerosene. The four substances (petrol, diesel, methanol, and kerosene) are hazardous substances according to Schedule I of Royal Decree 1254/1999 [40] and the large volumes handled mean that the plant is considered high risk under the Seveso classification. Such high-risk plants are required to conduct a risk analysis.
Person and Lönnermark [10] listed 479 fires involving hydrocarbon storage tanks between 1951 and 2003. Based on this work, Hailwood et al. [11] identified 21 tank explosions followed by a fire.
In a specific study of risk assessment for Liquefied Natural Gas (LNG) terminals, Aneziris et al. [42] identified the initiating events of accidents of LNG terminals. They divided the LNG terminals in five areas: LNG tanks, unloading section (from ship to tank), send-out section, condenser and outlet pipeline.
In the tanks section, the main initiating events are boil-off removal malfunction (during unloading or during storage), a high temperature in LNG (when coming from ship), an excess of external heat in the storage tank area, an overfilling of the tank, a rollover during unloading or during storage, an inadvertent starting of additional compressors, a continuation of uploading beyond lower safety level and an increase of send out rate from tank. In the unloading section, the main initiating events are an excess of external heat in the jetty area, a water hammer in the loading arm (due to inadvertent valve closure), an inadequate cooling of the loading arm and high winds during uploading.
In Appendix A, a list of well documented past accidents has been extracted from reports and works available in the literature. The list includes accidents in petroleum and LNG product storage facilities [12,13,43,44].
The origins of these accidents were leaks or spills (9), explosions (7) and fire (6). Leakage (in the form of liquid) is the most common source of major accidents, leading to fires and explosions that may cause other leaks, thus lengthening the accidental chain. The possible consequences of leakage depend on the flammability and toxicity of the leaked liquids and the environmental conditions in which the leak occurs.
Seventeen of the cases originated in storage tanks, two in tanker ships, one in pipes, one in a steam boiler of a LNG plant and in one case there was no specific origin.
Factors that may cause an accident are grouped into general and specific. Among the general causes are those that are external to the plant, human behaviour, mechanical failure, failure caused by impact, violent reactions, instrumentation failure, and failure of services. These general causes include a number of specific causes provided by details of specific accidents. Note that a single accident can occur for more than one general cause, and a general cause may be the result of more than one specific cause. The recorded data on the general causes of accidents show that the cause was human behaviour in ten cases, instrumentation failure on four occasions, electrostatic spark on two occasions, mechanical failure on two occasions, unknown causes on two occasions, and two accidents were caused by mechanical impact failure and external causes, respectively.
Ignition sources provide the energy needed for the combustion of a flammable mixture. These sources can be thermal, electrical, mechanical and chemical. Data show that in seven accidents the cause was electrical, in three the cause was welding during maintenance works, mechanical in three cases, thermal in two cases, and unknown in seven cases.

HAZOP Analysis
The Valencian plant is divided into three systems (Figure 3) that correspond to the three activities of the companies: unloading, storage, and loading for distribution.
These three systems are divided into six sub-systems and these again are divided into specific points or nodes that correspond to the sequence of operational steps in the plant (Table 3). Table 4 shows guide words and parameters used in the HAZOP analysis and Table 5 shows the result of the HAZOP analysis for node 2.1.1 (opening tank valves) and some variables of node 2.1.2 (filling tank). As a result of this analysis, it can be seen that, in the areas for loading and unloading liquid products (Systems 1 and 3), the greatest danger is the possibility of an uncontrolled spill. The occurrence of this event is closely linked to the effectiveness of the staff responsible for handling the tasks. Relative to System 2, the risk of a fuel loss in the pipelines and leakage or fuel loss in the storage tanks is noteworthy. The latter event could be caused by overfilling or a partial rupture of the tank. Special attention must be given to such events because they can cause fires and explosions that may have more serious consequences for the plant and its staff.
The best way to avoid corrosion is to select the most resistant alloy for the valve, depending on the corrosive nature of the fluids. When damage is minor, it is possible to repair the body of the valve, at least provisionally, with a metal weld or with epoxy resin (for low pressures and temperatures).

Fault Tree Analysis (FTA)
By using HAZOP analysis, four events were extracted for analysis using the fault tree technique. These events or top events were:
Once the fault trees have been made, the mathematical expressions are defined and the probability values are calculated according to the Boolean algebra related to FTA (Tables 6 and 7).

Table 6. Qualitative evaluation of top event (1).

Equations system:
A = B + C
B = D × 1
C = E × 2
D = 3 + 4 + F
E = 5 + 6 + 7
F = 8 + 9

Boolean equation:
A = (3 × 1) + (4 × 1) + (8 × 1) + (9 × 1) + (5 × 2) + (6 × 2) + (7 × 2)

From these equations and data on the frequency of failures of basic events, a quantitative assessment of the trees enables a calculation of the probability of the occurrence of the top event (year⁻¹). The procedure for calculating the top event (1) is shown in Table 7. In the four analysed top events, some 19 basic events are defined and fault frequencies were determined using data from the Spanish National Institute on Health and Safety at Work [45] and research on fuel storage [12,41,46,47]. In Appendix C, similar tables are developed for the other top events.
Table 8 presents the failure frequency for each of the top events and their ways of failure. A column called "Importance" has been added in order to show the importance of the failure frequency of the events (and also of their ways of failure) developed through the fault tree technique. The results indicate that top event (4), "Fuel spill in tank truck loading area", has a failure rate of 1.7 events/year, i.e., 85% of the events developed through the fault tree technique. There are two ways top event (4) can be generated: the first is via a "connection leak", with an importance of 80.28%, and the second is via a "leak caused by broken hose", which accounts for 5.02% of importance. If the basic events are analysed, the main causes of a connection leak are a bad hose connection and a response failure following the detection of an emergency (incorrect staff response, failure of the acoustic alarm, or seizure of the manual closure valve).
The next most significant source of risk for the overall failure sequence is "connection leakage" in top event (1), "Fuel spill in ship-terminal unloading area" (with a failure frequency of 0.17 events/year). This event occurs following a loss of product (caused by a bad connection of the loading arm or damaged parts) together with human error. The probability of occurrence is low since it is one of the most complex operations and involves very strict protocols.
A sensitivity analysis has been performed (see Appendix D) in order to check the effect of the basic events on the global risk assessment. In top event (1) (Table 9 and Figure 5), the basic events with the most influence on the accident sequence are, in order of importance: operator distracted, operator failure, badly connected loading arm, and collision against the jetty during manoeuvres. In top event (2), they are corrosion, operator distracted and, with equal importance, vehicle collision and fatigue defect. In top event (3), they are operator failure and, with equal importance, failure of the level sensor and failure of response of the shut-off valve. In top event (4), they are hose incorrectly connected, followed with equal importance by acoustic signal failure and sticking of the manual shut-off valve, and, at the fourth level, operator failures. These results show the importance of operator failure or distraction in all the accident sequences, so a training plan for plant staff should be mandatory. Planning of the maintenance actions of the facility must take into account both the general results from the risk assessment and the results from the sensitivity analysis.
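The Table 6 gate system and the one-at-a-time sensitivity check described above can be worked through in code. This is an added example, not the authors' code: the basic-event values are constructed placeholders rather than the paper's Table 7 data, and treating events 1 and 2 as dimensionless probabilities, the rare-event approximation, and the 10% perturbation are all assumptions.

```python
from itertools import product

# Gate system exactly as in Table 6: letters are gates, integers are basic events.
GATES = {
    "A": ("OR", ["B", "C"]),
    "B": ("AND", ["D", 1]),
    "C": ("AND", ["E", 2]),
    "D": ("OR", [3, 4, "F"]),
    "E": ("OR", [5, 6, 7]),
    "F": ("OR", [8, 9]),
}

# CONSTRUCTED placeholder values, not the paper's data. Assumption: events 1 and 2
# are dimensionless probabilities, events 3-9 are frequencies in events/year.
VALUES = {1: 0.1, 2: 0.05, 3: 0.5, 4: 0.2, 5: 0.1, 6: 0.1, 7: 0.2, 8: 0.2, 9: 0.1}

def cut_sets(node):
    """Expand a node into cut sets (frozensets of basic-event numbers)."""
    if node not in GATES:
        return {frozenset([node])}
    kind, inputs = GATES[node]
    expanded = [cut_sets(i) for i in inputs]
    if kind == "OR":                      # Boolean sum: any input suffices
        return set().union(*expanded)
    # Boolean product: take one cut set from every input and merge them.
    return {frozenset().union(*combo) for combo in product(*expanded)}
    # No absorption step is needed here: no basic event repeats in this tree.

def top_frequency(sets, values):
    """Rare-event approximation: sum over cut sets of the product of their events."""
    total = 0.0
    for cut in sets:
        term = 1.0
        for event in cut:
            term *= values[event]
        total += term
    return total

def sensitivity(sets, values, factor=1.1):
    """Relative change of the top event when one basic event is scaled by `factor`."""
    base = top_frequency(sets, values)
    change = {}
    for event in values:
        bumped = {**values, event: values[event] * factor}
        change[event] = (top_frequency(sets, bumped) - base) / base
    return dict(sorted(change.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    sets = cut_sets("A")
    print(sorted(sorted(s) for s in sets))          # matches the Boolean equation
    print(round(top_frequency(sets, VALUES), 4))
    for event, change in sensitivity(sets, VALUES).items():
        print(event, f"{change:+.2%}")
```

With these placeholder values, event 1 dominates the ranking because it multiplies every term of branch B, which is the structural reason a single human-response event can outweigh any individual equipment failure.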

Conclusions
In this paper, a methodology that combines HAZOP analysis and FTA is used. HAZOP analysis identifies the risks and their possible causes and consequences. FTA, based on the HAZOP analysis, represents the fault propagation pathways and produces a qualitative and quantitative assessment of the sequences of events that can lead to accidents or serious failures. Results from FTA allow prioritizing the preventive and corrective measures in order to minimize the probability of failure.
A case study of a fuel storage terminal is analysed. HAZOP analysis shows that loading and unloading areas are the most sensitive areas of the plant and where the most significant danger is a fuel spill; tasks that can produce such an event are closely supervised by staff. Tasks related to transferring fuel from ships to tanks and storage tanks are the most automated and so the influence of personnel is reduced, although the consequences are more serious if an accident occurs. FTA analysis indicates that the most likely event is "Fuel spill in tank truck loading area" and the sequence of events that would most likely cause such an event is a "connection leakage" caused by improper hose connection and a failure of emergency systems. A sensitivity analysis of the FTA results shows the importance of human behaviour in all sequences of the possible accidents. A slight increase or decrease in the frequency of failure of human operations generates an important increase or decrease, respectively, in the frequency of failure of the top event, so corporations' prevention plans must increase the training of the staff, develop automatic control measures, and develop or improve control procedures to check the human operations.
In future research, we will apply a similar analysis to other types of plant, such as LNG plants or storage of chemical products at a process plant, in order to improve the use of the combined method and to compare results from the risk assessments. In this way, we will build a database of HAZOP cases and FTA analyses and could improve the maintenance plans of the various types of plants.

Conflicts of Interest:
The authors declare no conflict of interest.

Explosion of a tank of 1400 m³ containing crude oil. The roof was ejected several meters away and the tank's base slightly lifted. The most probable ignition source is an electrostatic discharge.

2009 | Bayamón (Puerto Rico) [43] | Gasoline, Diesel, Kerosene | Spill | In the plant of the Caribbean Petroleum Corporation (a storage, distribution, and fuel blending service) the failure of the sensor system for filling a gas tank caused a fuel spill that triggered a series of explosions and fires. The disaster affected 18 tanks, destroyed 50% of the plant, and caused considerable damage to the environment and the local area.

2007 | Sløvâg (Norway) [44] | Gasoline | Fire | The accident took place in the facilities of the company Vest Tank AS, in the Sløvâg industrial area. The first explosion took place in a tank where the base-shell weld ruptured and the upper part of the tank was launched up in the air and landed in the north-eastern corner of Tank Farm II. Subsequent explosions and fires destroyed the other tank farm. There were no casualties in the accident. This accident occurred during purification of coker gasoline (reduction of the content of mercaptans). The investigation found that addition of hydrochloric acid during the process reduced the solubility of mercaptans in the solution, leading to the build-up of a flammable mixture. An air filter with activated carbon placed on the roof absorbed mercaptans, leading to self-ignition and the explosion.

2006 | Spoleto (Italy) [43] | Oil | Explosion | An explosion occurred at the Umbria Oil plant near Spoleto, Italy, when five workers were welding a structure on the roofs of several tanks. Firstly, one tank containing raw pomace oil exploded, rising about 10 m. This first explosion led to a pool fire that spread in the tank park. One hour later, two other tanks exploded, with rupture of the bottom welding, ejecting missiles of 10 tons 80 m away near warehouses storing by-products and packaging materials. Four workers lost their lives in this accident.

2006 | Partridge-Raleigh (USA) [44] | Petroleum | Explosion | The explosion at Partridge-Raleigh Oilfield was caused by sparks from the welding of pipes that joined tanks. Three workers died and others suffered serious injuries.

2005 | Hertfordshire (England) [13,43] | Gasoline | Spill | In the storage terminal known as "Buncefield depot", 300 tons of gasoline overflowed in a storage tank because of a high-level device failure and the failure of the safety device that closes the filling valves and raises the alarm. Fire broke out when the gasoline vapour cloud ignited. The ignition source may have been a backup generator, or a spark produced by a vehicle. In total, 20 storage tanks (containing 13.5 million litres each) burned for several days.

LNG: Liquefied Natural Gas.

The steam boiler of the LNG production plant exploded, triggering a second, more massive vapour-cloud explosion and fire. The explosions and fire destroyed a portion of the LNG plant and caused 27 deaths, 74 injuries, and material damage outside the plant's boundaries.

2003 | Puertollano (Spain) [10] | Naphtha | Explosion | An explosion in a naphtha tank in the refinery resulted in an intense fire that spread to six other tanks containing 8600 m³ of gasoline.

2003 | Oklahoma (USA) [44] | Diesel | Explosion | In a Conoco-Phillips plant a diesel tank exploded with 900 m³ of fuel, triggering a fire that involved three other liquid fuel storage tanks. The cause of the incident was the generation of a volatile mix inside the tank after it was emptied. The likely source of ignition was an electrical discharge from a nearby line.

2001 | Kansas (USA) [10,12] | Crude petroleum | Fire | A worker who was checking the level of oil in a storage tank at night lit a match. The flame ignited vapours and caused a huge explosion.

2000 | Hampshire (United Kingdom) [10] | Crude petroleum | Leak | A crack in the bottom of a storage tank of crude oil (caused by corrosion) caused a catastrophic spill of crude oil.

1997 | Ashdod (Israel) [12] | Gasoil | Leak | In the tank farm of Ashdod Oil Refinery the explosion of a 15,000 m² gasoil tank caused the loss of one worker. The investigation concluded that incomplete gasoil stripping with hydrogen at the exit of the gasoil hydrotreating unit caused penetration of hydrogen inside the tank. The source of ignition was most likely an electrostatic spark initiated by the synthetic rope used to get samples out of the tank.

1995 | Rouseville (USA) [44] | Wastewater Tank | Explosion | During a welding operation near the wastewater tank that contained a layer of flammable liquid, sparks ignited flammable vapours at openings in the tank. The deflagration caused the tank to fail at the bottom seam and shoot into the air. Five workers died and fire ignited other tanks and caused loud explosions.

1993 | Port of Tarragona (Spain) [12] | Naphtha, fuel oil and crude oil | Fire | A Danish petroleum tanker with 22,000 tons of naphtha on board collided with the REPSOL wharf in Tarragona during docking. The collision broke three pipes on the wharf containing naphtha, fuel oil, and crude oil; fire quickly broke out and produced a thick smoke. The combustion wastes contaminated nearby beaches. REPSOL estimated that damage to the wharf totalled the equivalent of €18 million.

1988 | Santander (Spain) [12] | Diesel | Fire | A fire started during cleaning operations in an empty oil tank at a CAMPSA (now CLH) plant.

1987 | Lyon (France) [10,12] | Gasoline and kerosene | Fire | A fire started in an enlarged Shell terminal holding up to 43,000 m³ of Class B oil products (gasoline and kerosene among others) and Class D products (asphalt). Nearly 7000 m³ of products were burned, two people died, and 16 were seriously injured. The causes are unknown, although it is known that changes were being made to the wiring system.

1986 | Thessaloniki (Greece) [41] | Fuel-oil | Leak | A fire caused by a fuel oil leak in an ESSO Pappas terminal set 10 of the 12 storage tanks ablaze. The fire lasted eight days, extended over 75% of the total area of the terminal, and destroyed the stationary fire-fighting system, as well as the systems controlling pumps and loading. The fire started during maintenance work after a leak in a tank went undetected.

1985 | Port of Naples (Italy) [41,43] | Gasoline | Spill | At an AGIP plant a cloud of gasoline vapour exploded and damaged nearby houses. Windows broke up to 600 meters away. Tanks of gasoline, kerosene, and diesel were set on fire. The incident resulted in four deaths and 170 injuries. Twenty-four of the 32 storage tanks were affected. The probable cause was an accident when unloading a ship or a storage tank overflow.

1983 | New Jersey (USA) [41] | Gasoline | Spill | An overfilled floating roof tank spilled 1300 barrels of gasoline. The resulting explosion destroyed two storage tanks and a neighbouring terminal. A cloud of vapour was blown to a nearby incinerator and set it on fire as well.

1979 | Duisburg (Germany) [10,12,41] | Gasoil | Fire | In the river port area, a fire started in the storage area with 24 diesel and fuel oil storage tanks of between 1500 and 4700 m³ capacity. The accident occurred during the renovation of thermal insulation of the storage tanks.

1978 | Stockton (USA) [10,12] | Gasoline and additives | Leak | A fire broke out in a plant with eight large tanks of petroleum products. Two of the gasoline storage tanks caught fire as well as various tanks containing additives. All stocks of foam within 90 km were used. The origin was a leak from a gasoline tank that produced a cloud of vapour which travelled about 220 m and came into contact with a water heater in a nearby yard.