LOPA-Multiple causes
advertisement
GCPS 2016 __________________________________________________________________________ Risk Criteria Selection and the Impacts on LOPA Results: To Sum or Not to Sum, That is the Question Aaron Huberman aeSolutions 3800 Centerpoint Drive, Suite 620 Anchorage, AK 99503 aaron.huberman@aesolns.com Prepared for Presentation at American Institute of Chemical Engineers 2016 Spring Meeting 12th Global Congress on Process Safety Houston, Texas April 11-13, 2016 AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications 1 GCPS 2016 __________________________________________________________________________ Risk Criteria Selection and the Impacts on LOPA Results: To Sum or Not to Sum, That is the Question Aaron Huberman aeSolutions 3800 Centerpoint Drive, Suite 620 Anchorage, AK 99503 aaron.huberman@aesolns.com Keywords: Layer of Protection Analysis (LOPA), Target Mitigated Event Likelihood (TMEL), Target Frequency (TF), Risk Summation, SIL Selection, Risk Criteria, Risk Tolerance Abstract In the CCPS book Layer of Protection Analysis – Simplified Process Risk Assessment, Layers of Protection Analysis (LOPA) is initially described as the analysis of a single cause-consequence pairing. However, later in the book, there is the discussion of summing risk for multiple scenarios. In practice, several companies prefer to sum the frequencies of multiple causes leading to a single consequence when conducting LOPA. Summing the causes can be a useful tool in that it will ensure proper integrity of a safety function to address all of the causes for a single consequence and assist in the reduction of the numbers of Independent Protection Layers (IPLs) necessary at a facility. However, caution must be taken in using this method, as there may be unrealized effects on LOPA results, and therefore unintended impacts to the entire safety lifecycle. In contrast, evaluating only a single cause-consequence pair also poses different concerns when relating the results to selected risk criteria. This paper will seek to provide insight into the effects of each choice, including the pros and cons of each method. Deeper examinations into the definitions of risk criteria and consequence will be explored. 1 Introduction Layers of Protection Analysis (LOPA) is a simplified risk analysis that uses order of magnitude approximations to provide more precise estimations of likelihood for hazardous scenarios. LOPA GCPS 2016 __________________________________________________________________________ is intended to be a semi-quantitative middle ground between the qualitative hazard identification techniques, such as Hazard and Operability Study (HAZOP), and full Quantitative Risk Assessment (QRA). The methodology allows a process to be analyzed in finer detail than can be achieved with HAZOP, without requiring the extensive time and effort of QRA. The LOPA methodology has been more extensively used in industry since publication of the CCPS book Layer of Protection Analysis: Simplified Process Risk Assessment [1]. Further guidance on the application of LOPA has been provided through the recent publication of the CCPS Guidelines for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis [2] and Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis [3]. Despite the guidance in these publications, there are still aspects of LOPA for which guidance either does not exist or is very broad, as LOPA is still an evolving methodology. In Layer of Protection Analysis: Simplified Process Risk Assessment [1], as well as IEC 61511 [4], there is a brief discussion on the topic of summation of risk for multiple scenarios. However, in application in a wide range of industries, companies have chosen to sum the likelihoods of causes before comparison to risk tolerance criteria (referred to as “summing causes”). Although this can be a very useful variation of the methodology, it does create additional potential for inaccuracy of results, if not properly addressed. 2 Risk Tolerance Criteria In order to discuss the idea of risk tolerance criteria, it is first necessary to define risk. In CCPS Guidelines for Developing Quantitative Safety Risk Criteria [5], the definition of risk is provided as follows: A measure of human injury, environmental damage, or economic loss in terms of both the incident likelihood and the magnitude of the loss or injury. A simplified version of this relationship expresses risk as the product of the likelihood and the consequences (i.e., Risk = Likelihood x Consequence) of an incident. This definition, while effective, leaves much to the interpretation of those making risk-based decisions. Many factors must go into the proper evaluation of risk. One of the major questions regarding risk tolerance criteria is how to categorize risk to varying receptors (e.g., cumulative risk to personnel, acute risk to personnel, risk to offsite persons, risk to environmental receptors, etc.). LOPA is conducted on the basis of a single consequence and therefore often does not necessarily match the ideas of acceptable risk at a facility, unless this is taken into account when developing risk tolerance criteria. The idea of risk tolerance is the notion that a certain level of risk may be endured in order to gain the benefits of the activity creating the risk. For example, a petroleum refinery operation creates significant hazards due to heat, pressure, flammable materials, and other sources. However, in order to create useful products out of crude oil, the refining process is necessary. The benefit of gasoline, diesel, or other refining products in terms of the potential for profit due to societal demand provides sufficient reason to continue the refining operation. Another example is the operation of chlorination facilities for water treatment. Although there is the potential for a GCPS 2016 __________________________________________________________________________ chlorine release, which could have acute toxic effects, the overall benefit of providing disinfected drinking water necessitates the need for the inherent risk in the disinfection process. “Tolerable” is a term often preferred over “acceptable” when discussing risk, as hazards are not generally viewed as bearable, but are necessary to gain benefits. In either case, the goal is to reduce the risk to a level where the benefits outweigh the potential hazards. All hazardous operations aim to avoid consequences, but only if prevention of the consequences does not exceed reasonable costs. The LOPA process is designed to estimate the likelihood portion when evaluating risk. In the LOPA process, risk tolerance criteria are usually defined in terms of a Target Mitigated Event Likelihood (TMEL) or Target Frequency (TF). This is basically a goal of how often the consequence of interest will occur for the process being evaluated (e.g., the likelihood that a fatality will occur). Since this is defined as a frequency or likelihood (often used interchangeably, despite potential differences between the two), it is usually expressed on a per year basis (1/year). The LOPA methodology is intended for use with a single consequence or hazardous event (to be discussed later), usually taken directly from the HAZOP. Part of the reason for this is that LOPA is intended as a hazard assessment technique, unlike HAZOP which is intended as a hazard identification methodology and inherently identifies the consequence as part of scenario development. For example, a HAZOP would be used to determine the ways a process upset could lead to a fatality, but a LOPA would be used to more accurately define the likelihood of the same scenario. LOPA is known to be effective for only a limited range of scenario types. Most companies develop criteria to determine which scenarios are further reviewed using LOPA. The most common approach is to apply LOPA to high consequence severity scenarios where an instrumented solution may be applied to prevent the scenario. Using this method, choosing the severity of the consequence in the HAZOP also assigns the TMEL for the subsequent LOPA. Figure 1 provides an example of an onsite safety risk matrix. For simplicity, this risk matrix is only intended to address the risk estimation for workers onsite. For a complete analysis, the risk matrix would need to be expanded upon, or additional risk matrices would need to be created to address other categories of risk, such as offsite impacts, environmental impacts, and commercial impacts. Many companies will choose to provide descriptions for different consequence types while using the same general matrix for simplicity. In addition, other companies will never define any risk as intolerable, but instead will define the level of approval required to continue the operation (i.e., the higher the risk, the higher position, potentially up to president of the company, required to approve the risk). In Figure 1, locations in the matrix that represent tolerable levels of risk are green. Therefore, when evaluating a scenario, the severity is a fixed row on the matrix, so the goal is to reduce the likelihood in order to move left in the matrix until tolerable risk is reached. For example, if a scenario is being analyzed that may result in a single fatality, additional mitigations are required until the frequency of the scenario is less than one in 10,000 per year (i.e., TMEL = 10-4/year). It should be noted that this implies the target for the single scenario being evaluated on the risk matrix. Severity GCPS 2016 __________________________________________________________________________ A 3+ Fatalities L M M M H H B 1-2 Fatalities L L M M M H C Severe Injury L L L M M M D Recordable Injury L L L L M M E First Aid Injury L L L L L M <10-5/year 10-4/year 10-5/year 10-3/year 10-4/year 10-2/year 10-3/year 10-1/year 10-2/year >10-1/year 1 2 3 4 5 6 Likelihood H High Risk – Immediate mitigation or shutdown necessary M Medium Risk – Mitigation should be implemented as soon as possible M Marginal Risk – Mitigation should be implemented, if reasonable L Low Risk – Tolerable as is, no further mitigation required Figure 1 – Example Onsite Safety Risk Matrix By having tolerable risk defined by a risk matrix used on a per scenario basis, it must be understood that the cumulative risk at the facility is actually higher. At a facility, there may be a large number of different scenarios that could result in the same severity which would have to be aggregated to determine the overall risk to personnel. This must be considered when developing risk criteria. For example, using the risk matrix above, if there were 100 possible scenarios that result in a fatality, the overall potential for fatality at the facility would actually be one in 100 per year (102 /year). While this may still be a reasonable target for overall risk at a facility, this must be considered against the appropriate risk tolerance. If a company had determined a fatality one in 10,000 per year (10-4/year) was the overall requirement, the risk target would not be met in this case. Another consideration in defining the risk tolerance criteria is the application of the criteria. If corporate standards define the risk tolerance for all locations, the cumulative risk at each facility must be taken in to account. For instance, an oil and gas company may own multiple refineries in different locations. Due to advances in technology, varying dates of construction of each facility, and desired products from the facility, the complexity and design of each facility may vary greatly. However, if the corporate risk criteria are set on a per scenario basis, without taking the potential variations into account, the overall risk at each facility may be very different, as the more complex or older facilities may have a significant number of additional scenarios, potentially reaching an order of magnitude difference. This variation may be acceptable based upon greater production GCPS 2016 __________________________________________________________________________ and therefore greater benefit of operation of a larger plant, but it must be taken into consideration at the time of risk criteria development. In turn, a plant with less production that uses old technology may have a greater overall need for risk reduction due to the lack of improvements. Once again, the key is to ensure these factors are taken into account on the front end. 3 Consequences and Hazardous Events As mentioned previously, the LOPA process is designed to estimate the likelihood portion when evaluating risk, but it depends on proper definition of consequence before conducting the LOPA. Therefore, the definition of consequence defined in Guidelines for Developing Quantitative Safety Risk Criteria [5] should be examined: The undesirable result of an incident, usually measured in health and safety effects, environmental impacts, loss of property, and business interruption costs. Although this definition provides a starting point for estimating the consequence of an event, due to the potential impacts of interpretation of the consequence, there can be significant impacts on the results of a LOPA, especially when summing the frequencies of multiple causes leading to the same consequence. When conducting a LOPA using a single cause-consequence pairing, the precise definition of consequence becomes less important. If the cause is pressure control valve failure, it is simple to define the potential for overpressure, rupture, and potential fatality. The sequence of events from the cause to the consequence can be clearly laid out. The primary concern is proper selection of the appropriate severity ranking, and therefore, usually, the appropriate target mitigated event likelihood (TMEL) or target frequency (TF). The target (i.e., TMEL or TF) is automatically determined by selecting the severity according to the risk matrix being used in the analysis. It should be noted that in some cases a company will set TMEL based on a combination of the severity and likelihood chosen as part of the risk ranking portion of the hazard identification effort (often with the use of the HAZOP methodology). While this method may be applied, it adds subjectivity to the likelihood ranking in the HAZOP, which may therefore add inaccuracy in the analysis. If this method is used, proper definition of the TMEL is further complicated, both in the case of single cause-consequence LOPA and summed-cause LOPA. However, when summing causes (i.e., aggregating the mitigated event likelihoods of multiple causes for comparison to a single target), the consequences must be more clearly defined to determine which items should actually be summed. Depending on the definition of consequence, the LOPA results could range by an order of magnitude or more, which can result in unnecessary costs and/or meaningful impacts to the actual risk in terms of the level of protection provided. Often used interchangeably with the term “consequence” is the term “hazardous event.” However, the differentiation between the two terms becomes important in the context of summing causes in LOPA. IEC 61511 Edition 2 [4] defines a “hazardous event” as an event that can cause harm. Since this does not provide clear guidance for the term “hazardous event,” in the context of risk GCPS 2016 __________________________________________________________________________ analysis, it could be thought of as a specific event leading to the outcome of concern. In other words, the hazardous event requires a specific chain of events to lead to the consequence. For example, while a fatality may be defined as a consequence, a hazardous event may be defined as overpressure of a vessel with release and personnel exposure to a toxic material, leading to a fatality. 4 Summing Causes in LOPA The concept of summing causes in LOPA has been mentioned previously, but has not been defined to this point. In a single cause-consequence pair LOPA, the basic calculation performed is as follows: ∏ ∏ Where: RRF = Risk Reduction Factor, a unitless measure of the additional protection necessary, this is the inverse of the probability of failure on demand (PFD) IEF = Initiating Event Frequency (often referred to as Initiating Event Likelihood), the order of magnitude approximation of the frequency of occurrence of the initiating event per year (1/year) ∏ = Product of the probabilities of failure on demand of each independent protection layer (IPL), a unitless measure of the probability that an IPL will fail when needed to protect against a consequence ∏ = Product of the Frequency Modifiers (often referred to as Conditional Modifiers) applicable for the scenario, a unitless adjustment factor to take into account items such as Probability of Ignition, Occupancy Factor, Time at Risk Factor, Enabling Conditions, etc. When summing causes, the formula modifies slightly to become the following: ∑ ∏ ∏ It may be noted that, in this version of the equation, different protection layers and/or frequency modifiers may be applicable for different causes of the same consequence. Depending on the way the methodology is applied at a specific company, this equation may have to be slightly modified. Now that the equation has been defined, what does it really mean to sum causes? What LOPA really does is estimate a frequency of reaching the final consequence and compare that frequency GCPS 2016 __________________________________________________________________________ to a target. If causes are summed and compared to the same target that is applied to a single causeconsequence pair, the precision of the results may be skewed. 4.1 What to Sum? The basic concept behind summing causes seems simple; however, selecting the appropriate causes to sum is where the difficulty lies. Some companies will choose to sum the causes that lead to a specific consequence, which raises the question of how to properly define a consequence. For the purpose of severity determination in HAZOP, the consequence may be looked at as the impact to persons or the environment, but not both simultaneously. Using that definition of consequence, any fatality that occurred due to any process upset could possibly be summed. This would prove ineffective in application to the LOPA process. There would be no reasonable method to reach the risk target in LOPA, as Independent Protection Layers (IPLs) in general would not be able to address all of the reasons for fatality at once. Another summing methodology often applied in industry is to sum for all causes that lead to the same hazardous event. However, defining which hazardous events are actually equivalent is difficult. For example, in a fired heater, there are multiple reasons for loss of flame, which could lead to deflagration and fatality. Results of the LOPA may vary depending on the definition of the hazardous event. If flameout due to high pressure of the fuel gas is considered the hazardous event, there may only be a small number of causes that are summed. However, for the same heater, if flameout by itself is considered the hazardous event, the number of potentially summed causes, and therefore requirements for any installed SIF, will increase. Yet another example of when to sum is to sum all causes that lead to the same hazardous event, and will share the same SIF. Using this methodology, it can be argued that the results of the LOPA will then reflect the overall demand rate for the SIF being evaluated. However, care must be taken to ensure the SIF definition and application are appropriate, as loss of precision of the results can easily occur if improperly defined. 4.2 Summing Example Below is a simplified drawing of a forced draft fired heater. The primary method to protect the heater is to shut off the flow of fuel gas to the heater by closing the Shut Down Valves (SDVs). Several different inputs may result in shutdown of the heater. In general, it could be assumed that low fuel gas pressure on PT-1, high fuel gas pressure on PT-1, low air flow on FT-1, high air flow on FT-1, and loss of flame on BE-1 would all cause the SDVs to close. GCPS 2016 __________________________________________________________________________ Figure 2 – Example Heater It is assumed that any upset in the balance of air and fuel may lead to flameout of the burner (i.e., more or less flow or pressure of air or fuel would result in the mixture in the heater not being appropriate to sustain combustion), which could lead to accumulation of fuel gas in the heater and subsequent deflagration. Examples of causes of loss of flame include failure of the combustion air blower, or an upset in any of control loops, such as PV-1 or FV-1. In this example, it is assumed that the heater is located in an area where personnel are not constantly present, allowing the use of an occupancy factor frequency modifier of 0.1 (i.e., it is assumed that only 10% of the time will there be a person present in the event of deflagration). Because the heater would be assumed to be in operation, the residual heat is assumed to be an ignition source, and therefore the probability of ignition is conservatively taken as 1 (meaning 100% chance of providing an ignition source). For simplicity it is assumed that the initiating event frequency (IEF) for each cause is one in ten per year (0.1/year). Also for simplicity, there are assumed to be no enabling conditions for any of the causes. Deflagration of the heater could lead to one or two fatalities if the area was occupied. Using the risk matrix provided earlier in Figure 1, the TMEL for the event is therefore one in 10,000 per year (10-4/year). When examining a single cause-consequence pair with LOPA, assuming no credit for any IPLs other than the proposed SIF, the calculation would look as follows: 0.1 Where: RRF = Risk Reduction Factor IEF = Initiating Event Frequency Po = Occupancy Factor 0.1 10 1 100 GCPS 2016 __________________________________________________________________________ Pi = Probability of Ignition Note that for the single consequence pair method for this example, the specific cause being examined does not matter, as it was assumed that each cause has the same IEF. By not applying any credit for the SIF in the scenario, it helps determine the total RRF that will be required by a SIF to provide the necessary Safety Integrity Level (SIL)1 to protect against the consequence. With each different SIL level, there are different requirements for the SIF. IEC 61511 [4] relates SIL Levels to the RRF according to the following table: Safety Integrity Level (SIL) Risk Reduction Factor (RRF) 4 >10,000 to ≤100,000 3 >1,000 to ≤10,000 2 >100 to ≤1,000 1 >10 to ≤100 Now, if it was assumed that summing was used for LOPA for all causes that lead to flameout of the heater, either ignoring which SIFs were related or assuming that the only SIF was a shutdown on loss of flame, the initiating events that would have to be considered would be pressure valve PV-1 closing, PV-1 opening, manual valve HV-1 being closed, pressure regulating valve PRV-1 closing, PSV-1 opening, PRV-1 opening, flow valve FV-1 closing, FV-1 opening, forced draft fan FD-1 failing, and filter F-1 plugging.2 All of these causes may lead to an imbalance in the fuel to air ratio in the heater leading to flameout. Note that for causes that would lead to reduced fuel input, it is assumed that the cause could be either partial closure, providing insufficient fuel to sustain combustion or closing allowing loss of flame, then reopening (e.g., instrument air system issue causing a momentary loss of air which could close the valve, then reopen upon air being reestablished). Being that there are ten causes, assuming each at 0.1/year, as before, the calculation would look as follows: 10 0.1 0.1 10 1 1,000 Note that although it is shown as multiplication, the calculation is actually the addition of ten similar causes, and shown as multiplication for simplicity. This assumes the same risk tolerance criteria as the single cause-consequence calculation. This results in an entire order of magnitude increase in the necessary risk reduction. Note that if the only SIF on the heater that existed was 1 Safety Integrity Level is a term used to describe the reliability of a safety instrumented function. Industry standards such as IEC 61511 [4] are used to define requirements for SIF design based on the SIL. 2 It should be noted that for certain control loops, failures resulting in a valve going both open and closed could be counted as one cause. In this case, they are assumed as separate causes to support the subsequent discussions. In general, this level of detail may be more appropriate for a more rigorous methodology. GCPS 2016 __________________________________________________________________________ shutdown based on loss of flame, and there were no other IPLs, the last calculation would provide the target for the SIF. For the next calculation, it is assumed that summing is based on a combination of hazardous event and SIF for the case of high pressure causing flameout, which will be protected by a single SIF that will close SDV-1 and SDV-2 based on loss of flame on BE-1 or low air flow on FT-1 (i.e., either loss of flame or low flow alone would close the valves, creating a 1oo2 voted input to the SIF). Once again, the same risk tolerance criteria will be applied. In this case, there are three causes that would have to be considered: flow valve FV-1 closing, forced draft fan FD-1 failing, and filter F-1 plugging. Therefore, the calculation would look as follows: 0.1 4.3 0.1 1 0.1 0.1 10 1 0.1 0.1 1 300 What Do the Results Mean? In the previous three calculations, three different results were achieved when analyzing what can be considered to be the same process, depending on the summing method applied. The question then becomes: Which answer is correct? In reality, there is no wrong answer. In any of the cases above, protection layers would be added to ensure safety of personnel based upon the above described risk tolerance criteria. However, in the first case where only a single cause-consequence pair was examined, the SIF built to address the scenario would only require a SIL1 system to be put in place (although a SIL2 would likely be more appropriate). This means that there would be lower lifecycle costs for the system than the other results. However, the fact that the SIF would be less robust would result in slightly higher risk at the facility. In either case, it may meet the risk tolerance criteria set by the company. On the other hand, in one of the subsequent cases, the SIF must meet SIL2 requirements which will cause increased lifecycle costs. In order to increase the integrity of a SIF from SIL1 to SIL2, hardware redundancy would be required which would increase the capital costs of SIF. For example, a simple SIL1 SIF may only be comprised of a single transmitter, single SDV, and simple Programmable Logic Controller (PLC), whereas a SIL2 SIF may require two transmitters in a one out of two (1oo2) voting scheme, with two SDVs in series (meaning either closing may prevent the hazard), and an upgraded PLC. In addition, the varying requirements may require more frequent testing, which equates to additional operational costs throughout the life of the process. While creating a SIF that is more robust than necessary may be a positive in terms of the safety of persons at risk, the added safety may not be worth the increased lifecycle costs. In addition, the more robust system could increase the potential for spurious trips, which could negatively impact the company commercially. While a redundant architecture, such as 1oo2, is less likely to fail to trip when needed, there are also more devices that could fail which could lead to a spurious trip, resulting in lost production and less revenue. 4.4 To Sum or Not to Sum? All of this variation brings up the question, is it better to sum causes in LOPA or to evaluate on a single cause-consequence basis? Either methodology will result in evaluation of the hazards at facility. Conducting a LOPA on a single cause-consequence basis may result in additional time GCPS 2016 __________________________________________________________________________ and/or paperwork for analysis because each one needs to be documented separately. In addition, the results may be less conservative, as they do not look at combined demand rates on a specific protection. On the other hand, summing causes introduces some level of subjectivity into the analysis by choosing what items to sum. The results may be either excessively conservative, or not conservative enough based on what items are chosen to sum. In the previous examples, the resultant RRF could range from 100 to 1,000 depending on what items were summed. However, once again, there is no correct answer about whether to sum or not. Some companies may choose to apply multiple levels of risk criteria to address both single cause and summed causes separately. Some companies may choose to perform the analysis on a single cause basis, but adjust the target results if it is noted that there are a significant number of causes for a consequence (e.g., more than four causes leading to the same consequence results in adjusting the SIL target by a level from SIL1 to SIL2 to account for the multiple causes). Any methodology can provide an effective analysis if applied properly. The major caveat is that whichever method is chosen, the risk tolerance criteria need to be designed appropriately. The lack of precision between the results from summing or not is less important than providing accurate results by defining the risk tolerance criteria appropriately for the chosen methodology. 5 Conclusion Developing risk tolerance criteria for LOPA is an extremely important activity as it sets the basis for a potentially large amount of work that may follow as part of the safety lifecycle. While there are many examples and much guidance available of the topic, there is no definitive answer given by any source. In general, there is no “correct” answer for the results of a LOPA, but how the risk tolerance criteria are defined may skew the results which could lead to a process being safer or costing more to operate than intended. The goal of developing risk tolerance criteria is to find the appropriate middle ground that will allow for worker safety while minimizing negative impacts on the economics of the business. There are a variety of intricacies of LOPA that may differ between industries, companies, and even facilities. These differences are tolerable, as long as the differences are understood and taken into account before the LOPA begins. Regardless of which option is chosen, it is important to understand the strengths and weaknesses of each option, to ensure proper application. Also, it is important that those responsible for selection of the risk criteria have an understanding of the available options for the range of quantitative assessment techniques. 6 References [1] CCPS. Layer of Protection Analysis: Simplified Process Risk Assessment. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, 2001. [2] CCPS. Guidelines for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, 2013. GCPS 2016 __________________________________________________________________________ [3] CCPS. Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, 2015. [4] Committee Draft IEC 61511, Edition 2. Functional safety – Safety instrumented systems for the process industry sector, Parts 1–3. Geneva: International Electrotechnical Commission. 2015. [5] CCPS. Guidelines for Developing Quantitative Safety Risk Criteria. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, 2009.
