Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition
by Center for Chemical Process Safety
Copyright © 2000 American Institute of Chemical Engineers

Chemical Process Quantitative Risk Analysis

Chemical process quantitative risk analysis (CPQRA) is a methodology designed to provide management with a tool to help evaluate overall process safety in the chemical process industry (CPI). Management systems such as engineering codes, checklists and process safety management (PSM) provide layers of protection against accidents. However, the potential for serious incidents cannot be totally eliminated. CPQRA provides a quantitative method to evaluate risk and to identify areas for cost-effective risk reduction.

The CPQRA methodology has evolved since the early 1980s from its roots in the nuclear, aerospace and electronics industries. The most extensive use of probabilistic risk analysis (PRA) has been in the nuclear industry. Procedures for PRA have been defined in the PRA Procedures Guide (NUREG, 1983) and the Probabilistic Safety Analysis Procedures Guide (NUREG, 1985). CPQRA is a probabilistic methodology that is based on the NUREG procedures.

The term “chemical process quantitative risk analysis” is used throughout this book to emphasize the features of this methodology as practiced in the chemical, petrochemical, and oil processing industries. Some examples of these features are
- Chemical reactions may be involved
- Processes are generally not standardized
- Many different chemicals are used
- Material properties may be subject to greater uncertainty
- Parameters, such as plant type, plant age, location of surrounding population, degree of automation and equipment type, vary widely
- Multiple impacts, such as fire, explosion, toxicity, and environmental contamination, are common.

Acute, rather than chronic, hazards are the principal concern of CPQRA. This places the emphasis on rare but potentially catastrophic events.
Chronic effects such as cancer or other latent health problems are not normally considered in CPQRA.

One objective of this second edition is to incorporate recent advances in the field. Such advances are necessary and desirable as highlighted by the late Admiral Hyman Rickover:

    We must accept the inexorably rising standards of technology, and we must relinquish comfortable routines and practices rendered obsolete because they no longer meet the new standards.

Many hazards may be identified and controlled or eliminated through use of qualitative hazard analysis as defined in Guidelines for Hazard Evaluation Procedures, Second Edition (CCPS, 1992). Qualitative studies typically identify potentially hazardous events and their causes. In some cases, where the risks are clearly excessive and the existing safeguards are inadequate, corrective actions can be adequately identified with qualitative methods.

CPQRA is used to help evaluate potential risks when qualitative methods cannot provide adequate understanding of the risks and more information is needed for risk management. It can also be used to evaluate alternative risk reduction strategies.

The basis of CPQRA is to identify incident scenarios and evaluate the risk by defining the probability of failure, the probability of various consequences and the potential impact of those consequences. The risk is defined in CPQRA as a function of probability or frequency and consequence of a particular accident scenario:

    Risk = F(s, c, f)

    s = hypothetical scenario
    c = estimated consequence(s)
    f = estimated frequency

This “function” can be extremely complex and there can be many numerically different risk measures (using different risk functions) calculated from a given set of s, c, f.

The major steps in CPQRA, as illustrated in Figure 1.1, are as follows:

Risk Analysis:
1. Define the potential event sequences and potential incidents.
   This may be based on qualitative hazard analysis for simple or screening level analysis. Complete or complex analysis is normally based on a full range of possible incidents for all sources.
2. Evaluate the incident outcomes (consequences). Some typical tools include vapor dispersion modeling and fire and explosion effect modeling.
3. Estimate the potential incident frequencies. Fault trees or generic databases may be used for the initial event sequences. Event trees may be used to account for mitigation and postrelease events.
4. Estimate the incident impacts on people, environment and property.
5. Estimate the risk. This is done by combining the potential consequence for each event with the event frequency, and summing over all events.

Risk Assessment:
6. Evaluate the risk. Identify the major sources of risk and determine if there are cost-effective process or plant modifications which can be implemented to reduce risk. Often this can be done without extensive analysis. Small and inexpensive system changes sometimes have a major impact on risk. The evaluation may be done against legally required risk criteria, internal corporate guidelines, comparison with other processes or more subjective criteria.
7. Identify and prioritize potential risk reduction measures if the risk is considered to be excessive.

Risk Management:
Chemical process quantitative risk analysis is part of a larger management system. Risk management methods are described in the CCPS Guidelines for Implementing Process Safety Management Systems (AIChE/CCPS, 1994), Guidelines for Technical Management of Chemical Process Safety (AIChE/CCPS, 1989), and Plant Guidelines for Technical Management of Chemical Process Safety (AIChE/CCPS, 1995).

The seven steps in Figure 1.1 are typical of CPQRA. However, it is important to remember that other risks, such as financial loss, chronic health risks and bad publicity, may also be significant.
These potential risks can also be estimated qualitatively or quantitatively and are an important part of the management process.

This chapter provides general outlines for the major areas in CPQRA as listed below. The subsequent chapters provide more detailed descriptions and examples.
1. Definitions of CPQRA terminology (Section 1.1)
2. Elements that form the overall framework (Section 1.2)
3. Scope of CPQRA (Section 1.3)
4. Management of incident lists (Section 1.4)
5. Application of CPQRA (Section 1.5)
6. Limitations of CPQRA (Section 1.6)
7. Current practices (Section 1.7)
8. Utilization of CPQRA results (Section 1.8)
9. Project management (Section 1.9)
10. Maintenance of study results (Section 1.10)

CPQRA provides a tool for the engineer or manager to quantify risk and analyze potential risk reduction strategies. The value of quantification was well described by Lord Kelvin. Joschek (1983) provided a similar definition:

    a quantitative approach to safety . . . is not foreign to the chemical industry. For every process, the kinetics of the chemical reaction, the heat and mass transfers, the corrosion rates, the fluid dynamics, the structural strength of vessels, pipes and other equipment as well as other similar items are determined quantitatively by experiment or calculation, drawing on a vast body of experience.

CPQRA enables the engineer to evaluate risk. Individual contributions to the overall risk from a process can be identified and prioritized. A range of risk reduction measures can be applied to the major hazard contributors and assessed using cost-benefit methods.

Comparison of risk reduction strategies is a relative application of CPQRA. Pikaar (1995) has related relative or comparative CPQRA to climbing a mountain. At each stage of increasing safety (decreasing risk), the associated changes may be evaluated to see if they are worthwhile and cost-effective.
Some organizations also use CPQRA in an absolute sense to confirm that specific risk targets are achieved. Further risk reduction, beyond such targets, may still be appropriate where it can be accomplished in a cost-effective manner. Hendershot (1996) has discussed the role of absolute risk guidelines as a risk management tool.

[FIGURE 1.1. CPQRA Flowchart. Steps shown: define the potential accident scenarios; evaluate the event consequences; estimate the potential accident frequencies; estimate the event impacts; estimate the risk; identify and prioritize potential risk reduction measures.]

Application of the full array of CPQRA techniques (referred to as component techniques in Section 1.2) allows a quantitative review of a facility's risks, ranging from frequent, low-consequence incidents to rare, major events, using a uniform and consistent methodology. Having identified process risks, CPQRA techniques can help focus risk control studies. The largest risk contributors can be identified, and recommendations and decisions can be made for remedial measures on a consistent and objective basis.

Utilization of the CPQRA results is much more controversial than the methodology (see Section 1.8). Watson (1994) has suggested that CPQRA should be considered as an argument, rather than a declaration of truth. In his view, it is not practical or necessary to provide absolute scientific rigor in the models or the analysis. Rather, the focus should be on the overall balance of the QRA and whether it reflects a useful measure of the risk. However, Yellman and Murray (1995) contend that the analysis “should be, insofar as possible, true - or at least a search for truth.” It is important for the analyst to understand clearly how the results will be used in order to choose appropriately rigorous models and techniques for the study.

1.1.
CPQRA Definitions

Table 1.1 and the Glossary define terms as they are used in this volume. Other tabulations of terms have been compiled (e.g., IChemE, 1985) and may need to be consulted because, as discussed below, there currently is no single, authoritative source of accepted nomenclature and definitions.

CPQRA is an emerging technology in the CPI and there are terminology variations in the published literature that can lead to confusion. For example, while risk is defined in Table 1.1 as “a measure of human injury, environmental damage or economic loss in terms of both the incident likelihood and the magnitude of the loss or injury,” readers should be aware that other definitions are often used. For instance, Kaplan and Garrick (1981) have discussed a number of alternative definitions of risk. These include:
- Risk is a combination of uncertainty and damage.
- Risk is a ratio of hazards to safeguards.
- Risk is a triplet combination of event, probability, and consequences.

Readers should also recognize the interrelationship that exists between an incident, an incident outcome, and an incident outcome case as these terms are used throughout this book. An incident is defined in Table 1.1 as “the loss of containment of material or energy,” whereas an incident outcome is “the physical manifestation of an incident.” A single incident may have several outcomes. For example, a leak of flammable and toxic gas could result in
- a jet fire (immediate ignition)
- a vapor cloud explosion (delayed ignition)
- a vapor cloud fire (delayed ignition)
- a toxic cloud (no ignition).

A list of possible incident outcomes has been included in Table 1.2.

The third and often confusing term used in describing incidents is the incident outcome case. As indicated by its definition in Table 1.1, the incident outcome case specifies values for all of the parameters needed to uniquely distinguish one incident outcome from all others.
For example, since certain incident outcomes are dependent on weather conditions (wind direction, speed, and atmospheric stability class), more than one incident outcome case could be developed to describe the dispersion of a dense gas.

TABLE 1.1. Selected Definitions for CPQRA

Frequency: Number of occurrences of an event per unit of time.

Hazard: A chemical or physical condition that has the potential for causing damage to people, property, or the environment (e.g., a pressurized tank containing 500 tons of ammonia).

Incident: The loss of containment of material or energy (e.g., a leak of 10 lb/s of ammonia from a connecting pipeline to the ammonia tank, producing a toxic vapor cloud); not all events propagate into incidents.

Event sequence: A specific unplanned sequence of events composed of initiating events and intermediate events that may lead to an incident.

Initiating event: The first event in an event sequence (e.g., stress corrosion resulting in leak/rupture of the connecting pipeline to the ammonia tank).

Intermediate event: An event that propagates or mitigates the initiating event during an event sequence (e.g., improper operator action fails to stop the initial ammonia leak and causes propagation of the intermediate event to an incident; in this case the intermediate event could be a continuous release of the ammonia).

Incident outcome: The physical manifestation of the incident; for toxic materials, the incident outcome is a toxic release, while for flammable materials, the incident outcome could be a Boiling Liquid Expanding Vapor Explosion (BLEVE), flash fire, unconfined vapor cloud explosion, toxic release, etc. (e.g., for a 10 lb/s leak of ammonia, the incident outcome is a toxic release).

Incident outcome case: The quantitative definition of a single result of an incident outcome through specification of sufficient parameters to allow distinction of this case from all others for the same incident outcomes.
For example, a release of 10 lb/s of ammonia with D atmospheric stability class and 1.4 mph wind speed gives a particular downwind concentration profile, resulting, for example, in a 3000 ppm concentration at a distance of 2000 feet.

Consequence: A measure of the expected effects of an incident outcome case (e.g., an ammonia cloud from a 10 lb/s leak under Stability Class D weather conditions, and a 1.4-mph wind traveling in a northerly direction will injure 50 people).

Effect zone: For an incident that produces an incident outcome of toxic release, the area over which the airborne concentration equals or exceeds some level of concern. The area of the effect zone will be different for each incident outcome case [e.g., given an IDLH for ammonia of 500 ppm (v), an effect zone of 4.6 square miles is estimated for a 10 lb/s ammonia leak]. For a flammable vapor release, the area over which a particular incident outcome case produces an effect based on a specified overpressure criterion (e.g., an effect zone from an unconfined vapor cloud explosion of 28,000 kg of hexane assuming 1% yield is 0.18 km² if an overpressure criterion of 3 psig is established). For a loss of containment incident producing thermal radiation effects, the area over which a particular incident outcome case produces an effect based on a specified thermal damage criterion [e.g., a circular effect zone surrounding a pool fire resulting from a flammable liquid spill, whose boundary is defined by the radial distance at which the radiative heat flux from the pool fire has decreased to 5 kW/m² (approximately 1600 Btu/hr-ft²)].

Likelihood: A measure of the expected probability or frequency of occurrence of an event.
This may be expressed as a frequency (e.g., events/year), a probability of occurrence during some time interval, or a conditional probability (i.e., probability of occurrence given that a precursor event has occurred); e.g., the frequency of a stress corrosion hole in a pipeline of size sufficient to cause a 10 lb/s ammonia leak might be 1 × 10⁻³ per year; the probability that ammonia will be flowing in the pipeline over a period of 1 year might be estimated to be 0.1; and the conditional probability that the wind blows toward a populated area following the ammonia release might be 0.1.

Probability: The expression for the likelihood of occurrence of an event or an event sequence during an interval of time or the likelihood of occurrence of the success or failure of an event on test or demand. By definition, probability must be expressed as a number ranging from 0 to 1.

Risk: A measure of human injury, environmental damage or economic loss in terms of both the incident likelihood and the magnitude of the loss or injury.

Risk analysis: The development of a quantitative estimate of risk based on engineering evaluation and mathematical techniques for combining estimates of incident consequences and frequencies (e.g., an ammonia cloud from a 10 lb/s leak might extend 2000 ft downwind and injure 50 people. For this example, using the data presented above for likelihood, the frequency of injuring 50 people is given as 1 × 10⁻³ × 0.1 × 0.1 = 1 × 10⁻⁵ events per year).

Risk assessment: The process by which the results of a risk analysis are used to make decisions, either through a relative ranking of risk reduction strategies or through comparison with risk targets (e.g., the risk of injuring 50 people at a frequency of 1 × 10⁻⁵ events per year from the ammonia incident is judged higher than acceptable, and remedial design measures are required).
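The likelihood and risk analysis entries of Table 1.1 can be carried through as a small event tree that expands one incident into its incident outcome cases and sums frequency times consequence over them. The Python below is an added example, not part of the CCPS text: the function and branch names are hypothetical, and the 2-person consequence for the wind-away case is constructed, while the 1 × 10⁻³ per year frequency, the two 0.1 probabilities and the 50 injuries are the table's own figures.

```python
"""Event-tree expansion of one incident into incident outcome cases (added example)."""
from dataclasses import dataclass
from itertools import product
from math import isclose, prod


@dataclass(frozen=True)
class Branch:
    label: str
    probability: float  # conditional probability, given the events before it


@dataclass(frozen=True)
class OutcomeCase:
    path: tuple         # branch labels from the initiating event to this case
    frequency: float    # events per year
    consequence: float  # people injured per event

    @property
    def risk(self) -> float:
        """Contribution of this case to the risk estimate, in injuries per year."""
        return self.frequency * self.consequence


def expand_event_tree(initiating_frequency, nodes, consequences):
    """Return every incident outcome case of the tree.

    nodes        -- list of branch lists; each list is one intermediate event
    consequences -- dict mapping a path (tuple of labels) to people injured;
                    paths not listed are taken to have no consequence
    """
    if initiating_frequency < 0:
        raise ValueError("frequency must be non-negative")
    for branches in nodes:
        if any(not 0.0 <= b.probability <= 1.0 for b in branches):
            raise ValueError("a probability must lie between 0 and 1")
        # Branches of one node are mutually exclusive and exhaustive.
        if not isclose(sum(b.probability for b in branches), 1.0, abs_tol=1e-9):
            raise ValueError("branch probabilities of a node must sum to 1")
    cases = []
    for combo in product(*nodes):
        path = tuple(b.label for b in combo)
        frequency = initiating_frequency * prod(b.probability for b in combo)
        cases.append(OutcomeCase(path, frequency, consequences.get(path, 0.0)))
    return cases


def summarize(cases):
    """Total risk and the cases ranked by their share of it (largest first)."""
    total = sum(c.risk for c in cases)
    ranked = sorted(cases, key=lambda c: c.risk, reverse=True)
    return total, [(c, c.risk / total if total else 0.0) for c in ranked]


FLOWING, IDLE = "ammonia flowing", "line idle"
TOWARD, AWAY = "wind toward populated area", "wind away from populated area"


def ammonia_example():
    """Table 1.1 figures: stress corrosion hole at 1e-3 per year, two 0.1 branches."""
    nodes = [
        [Branch(FLOWING, 0.1), Branch(IDLE, 0.9)],
        [Branch(TOWARD, 0.1), Branch(AWAY, 0.9)],
    ]
    consequences = {
        (FLOWING, TOWARD): 50.0,  # from Table 1.1
        (FLOWING, AWAY): 2.0,     # constructed value, for illustration only
    }
    return expand_event_tree(1e-3, nodes, consequences)


if __name__ == "__main__":
    total, ranked = summarize(ammonia_example())
    for case, share in ranked:
        print(f"{' / '.join(case.path):55s} f={case.frequency:.1e}/yr "
              f"c={case.consequence:4.0f}  share={share:5.1%}")
    print(f"total risk = {total:.2e} injuries per year")
```

With these inputs the rarer wind-toward case still contributes most of the summed risk, which is the kind of ranking of contributors the chapter describes.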
[FIGURE 1.2. The relationship between incident, incident outcome, and incident outcome cases for a hydrogen cyanide (HCN) release. Column headings: Incidents; Incident Outcome; Incident Outcome Cases. Labels shown include a release of HCN from a tank vent, a BLEVE of the HCN tank, toxic vapor, jet fire, and unconfined vapor cloud explosion.]

The event tree in Figure 1.2 has been provided to illustrate the relationship between an incident, incident outcomes, and incident outcome cases. Each of these terms will be developed further in this chapter.

1.2. Component Techniques of CPQRA

It is convenient (for ease of understanding and administration) to divide the complete CPQRA procedure into component techniques (Section 1.2.1). Many CPQRAs do not require the use of all the techniques. Through the use of prioritized procedures (Section 1.2.2), the CPQRA can be shortened by simplifying or even skipping certain techniques that appear in the complete CPQRA procedure.

1.2.1. Complete CPQRA Procedure

A framework for the complete CPQRA methodology for a process system is given in Figure 1.3. This diagram shows
- the full logic of a CPQRA in more detail
- the relationship between a CPQRA and a risk assessment
- the interaction of a CPQRA with
  - the analysis data base
  - user requirements
  - user reaction to risk estimates from a CPQRA

TABLE 1.2.
CPQRA Hazards, Event Sequences, Incident Outcomes, and Consequences

Process hazards
  Significant inventories of: flammable materials, combustible materials, unstable materials, corrosive materials, asphyxiants, shock sensitive materials, highly reactive materials, toxic materials, inerting gases, combustible dusts, pyrophoric materials
  Extreme physical conditions: high temperatures, cryogenic temperatures, high pressures, vacuum, pressure cycling, temperature cycling, vibration/liquid hammering

Event sequences: Initiating events
  Process upsets
    Process deviations: pressure, temperature, flow rate, concentration, phase/state change, impurities, reaction rate/heat of reaction
    Spontaneous reaction: polymerization, runaway reaction, internal explosion, decomposition
    Containment failures: pipes, tanks, vessels, gaskets/seals
    Equipment malfunctions: pumps, valves, instruments, sensors, interlock failures
    Loss of utilities: electrical, nitrogen, water, refrigeration, air, heat transfer fluids, steam, ventilation
  Management systems failure
    Human error: design, construction, operations, maintenance, testing and inspection
  External events: extreme weather conditions, earthquakes, nearby accidents' impacts, vandalism/sabotage

Event sequences: Intermediate events
  Propagating factors
    Equipment failure: safety system failure
    Ignition sources: furnaces, flares, incinerators; vehicles; electrical switches; static electricity; hot surfaces/cigarettes
    Management systems failure
    Human errors: omission, commission, fault diagnosis, decision-making
    Domino effects: other containment failures, other material release
    External conditions: meteorology, visibility
  Risk reduction factors
    Control/operator responses: alarms, control system response, manual and automatic emergency shutdown, fire/gas detection system
    Safety system responses: relief valves, depressurization systems, isolation systems, high reliability trips, back-up systems
    Mitigation system responses: dikes and drainage, flares, fire protection systems (active and passive), explosion vents, toxic gas absorption
    Emergency plan responses: sirens/warnings, emergency procedures, personnel safety equipment, sheltering, escape and evacuation
    External events: early detection, early warning, specially designed structures, training, other management systems

Incident outcomes
  Analysis
  Discharge
  Flash and evaporation
  Dispersion: neutral or positively buoyant, dense gas
  Fires: pool fires, jet fires, BLEVEs, flash fires
  Explosions: confined explosions, vapor cloud explosions (VCE), physical explosions, dust explosions, detonations, condensed phase detonations
  Missiles

Consequences
  Effect analysis: toxic effects, thermal effects, overpressure effects
  Damage assessments: community, workforce, environment, company assets

Figure 1.3 also provides cross-references to other sections of this volume, where details of the techniques are given.

The full logic of a CPQRA involves the following component techniques:
1. CPQRA Definition
2. System Description
3. Hazard Identification
4. Incident Enumeration
5. Selection
6. CPQRA Model Construction
7. Consequence Estimation
8. Likelihood Estimation
9. Risk Estimation
10. Utilization of Risk Estimates

A brief account of the role of each of the techniques is given below, and more detailed accounts are given in the sections indicated.

CPQRA Definition converts user requirements into study goals (Section 1.9.1) and objectives (Section 1.9.2). Risk measures (Section 4.1) and risk presentation formats (Section 4.2) are chosen in finalizing a scope of work for the CPQRA. A depth of study (Section 1.9.3) is then selected based on the specific objectives defined and the resources available. The need for special studies (e.g., the evaluation of domino effects, computer system failures, or protective system unavailability) is also considered (Chapter 6). CPQRA definition concludes with the definition of study specific information requirements to be satisfied through the construction of the analysis data base.
System Description is the compilation of the process/plant information needed for the risk analysis. For example, site location, environs, weather data, process flow diagrams (PFDs), piping and instrumentation diagrams (P&IDs), layout drawings, operating and maintenance procedures, technology documentation, process chemistry, and thermophysical property data may be required. This information is fed to the analysis data base for use throughout the CPQRA.

Hazard Identification is another step in CPQRA. It is critical because a hazard omitted is a hazard not analyzed. Many aids are available, including experience, engineering codes, checklists, detailed process knowledge, equipment failure experience, hazard index techniques, what-if analysis, hazard and operability (HAZOP) studies, failure modes and effects analysis (FMEA), and preliminary hazard analysis (PHA). These aids are extensively reviewed in the HEP Guidelines, Second Edition (AIChE/CCPS, 1992). Typical process hazards identified using these aids are listed in Table 1.2. Additional information on common chemical hazards is given in Bretherick (1983), Lees (1980), and Marshall (1987).

Incident Enumeration is the identification and tabulation of all incidents without regard to importance or initiating event. This, also, is a critical step, as an incident omitted is an incident not analyzed (Section 1.4.1).

Selection is the process by which one or more significant incidents are chosen to represent all identified incidents (Section 1.4.2.1), incident outcomes are identified (Section 1.4.2.2), and incident outcome cases are developed (Section 1.4.2.3).

[FIGURE 1.3. Framework for CPQRA methodology and chapter/section headings. Legend: methodology execution sequence; information flow.]

CPQRA Model Construction covers the selection of appropriate consequence models (Chapter 2), likelihood estimation methods (Chapter 3) and their integration into an overall algorithm to produce and present risk estimates (Chapter 4) for the system under study. While various algorithms can be synthesized, a prioritized form (Section 1.2.2) can be constructed to create opportunities to shorten the time and effort required by less structured procedures.

Consequence Estimation is the methodology used to determine the potential for damage or injury from specific incidents. A single incident (e.g., rupture of a pressurized flammable liquid tank) can have many distinct incident outcomes [e.g., unconfined vapor cloud explosion (UVCE), boiling liquid expanding vapor explosion (BLEVE), flash fire].
These outcomes are analyzed using source and dispersion models (Section 2.1) and explosion and fire models (Section 2.2). Effects models are then used to determine the consequences to people or structures (Section 2.2). Evasive actions such as sheltering or evacuation can reduce the magnitude of the consequences and these may be included in the analysis (Section 2.3).

Likelihood Estimation is the methodology used to estimate the frequency or probability of occurrence of an incident. Estimates may be obtained from historical incident data on failure frequencies (Section 3.1), or from failure sequence models, such as fault trees and event trees (Section 3.2). Most systems require consideration of factors such as common-cause failures [a single factor leading to simultaneous failures of more than one system, e.g., power failure (Section 3.3.1)], human reliability (Section 3.3.2), and external events (Section 3.3.3).

Risk Estimation combines the consequences and likelihood of all incident outcomes from all selected incidents to provide one or more measures of risk (Chapter 4). It is possible to estimate a number of different risk measures from a given set of incident frequency and consequence data, and an understanding of these measures is provided. The risks of all selected incidents are individually estimated and summed to give an overall measure of risk. The sensitivity and uncertainty of risk estimates and the importance of the various contributing incidents to estimates are discussed in Section 4.5.

Utilization of Risk Estimates is the process by which the results from a risk analysis are used to make decisions, either through relative ranking of risk reduction strategies or through comparison with specific risk targets.

The last CPQRA step (utilization of risk estimates) is the key step in a risk assessment.
It requires the user to develop risk guidelines and to compare the risk estimate from the CPQRA with them to decide whether further risk reduction measures are necessary. This step has been included as a CPQRA component technique to emphasize its overall influence in designing the CPQRA methodology, but it is not discussed in this book. Guidelines for decision analysis are contained in Tools for Making Acute Risk Decisions (AIChE/CCPS, 1995).

Before discussing the remaining functions and activities shown in Figure 1.3, it is important to recognize that all of the component techniques introduced above have not been developed to the same depth or extent, nor used as widely for the same length of time. Consequently, it is helpful to classify them according to “maturity,” a term used here to combine the concepts of degree of development of the technique and years in use in the CPI. Greater confidence and less uncertainty are associated with the more mature component techniques, such as hazard identification and consequence estimation. Discomfort and uncertainty increase as maturity decreases. Frequency estimation is much less developed and practiced and accordingly classified, along with incident enumeration and selection techniques, as less mature than hazard identification and consequence estimation. The most underdeveloped and newest technique to the CPI of those listed, risk estimation, is the least mature of any of the CPQRA component techniques. Accordingly, the most uncertainty associated with any component technique accompanies risk estimates.

By reviewing the maturity scale, it is easy to rank the component techniques according to their development potential. While consequence estimation techniques are fairly sophisticated and some may argue “well-developed,” frequency estimation techniques offer developmental challenges and enhancement necessities.
Risk estimation techniques, especially companion methodologies such as uncertainty analysis, require substantial development and refinement, and much greater exposure before becoming widely accepted and “user friendly.” The subject of the maturity of the techniques will be revisited in Section 1.2.2 as one driving force in the precedence ordering of CPQRA calculations.

While not considered a component technique, the development of the analysis data base is a critical early step in a CPQRA. In addition to the data from the system description, this data base contains various kinds of environmental data (e.g., land use and topography, population and demography, meteorological data) and likelihood data (e.g., historical incident data, reliability data) needed for the specific CPQRA. Much of this information must be collected from external (outside company) sources and converted into formats useful for the CPQRA. Chapter 5 discusses the construction of the analysis data base, and details the various sources of data available.

As shown in Figure 1.3, user reaction to the results of a risk assessment using the CPQRA estimate can be summarized as a menu of modification options:
- systems modification through engineering/operational/procedural changes
- amendment of the goals or scope of the CPQRA
- relaxation of user requirements
- alternative sites
- adjustments to basic business strategy.

Systems modification involves the proposal and evaluation of risk reduction strategies by persons knowledgeable in process technology. Risk estimation provides insight into the degree of risk reduction possible and the areas where risk reduction may be most effective. Proposed risk reduction strategies can incorporate changes to either system design or operation, in order to eliminate or reduce incident consequences or frequencies.
As shown in Figure 1.3, such proposals need to be shown to meet all business needs (e.g., quality, capacity, legality, and cost) before being reviewed by CPQRA techniques.

The other user options are self-explanatory and are more properly treated in a discussion of the risk assessment process and related risk management program.

1.2.2. Prioritized CPQRA Procedure

Most applications of the CPQRA methodology will not need to use all of the available component techniques introduced in Section 1.2.1. CPQRA component techniques are flexible and can be applied selectively, in various orders. Consequence estimation can be used as a screening tool to identify hazards of negligible consequence (and therefore a negligible risk) to avoid detailed frequency estimation. Similarly, frequency estimation can identify hazards of sufficiently small likelihood of occurrence that consequence estimates are unnecessary.

The procedure outlined in Figure 1.4 has been constructed to illustrate one way to prioritize the calculations. It has been designed to provide opportunities to shorten the time and effort needed to achieve acceptable results. These opportunities arise naturally due to the ordering of the calculations. The criteria for establishing the priority of calculations are based on the maturity of the component techniques and their ease of use. The more mature consequence estimation techniques are given highest priority. These techniques are also the most easily executed. The degree of effort increases through the procedure, along with uncertainties as the maturity of the component techniques decreases.

The prioritized CPQRA procedure given in Figure 1.4 involves the following steps:

Step 1 - Define CPQRA.
Step 2 - Describe the system.
Step 3 - Identify hazards.
Step 4 - Enumerate incidents.
Step 5: Select incidents, incident outcomes, and incident outcome cases.

These five steps are the same as the corresponding steps in Figure 1.3, and are discussed in Section 1.2.1.

Step 6: Estimate Consequences. If the consequences of an incident are acceptable at any frequency, the analysis of the incident is complete. This is a simplification of the risk analysis, in which the probability of occurrence of the incident within the time period of interest is assumed to be 1.0 (the incident is certain to occur). For example, the overflow of an ethylene glycol storage tank to a containment system poses little risk even if the event were to occur. If the consequences are not acceptable, proceed to Step 7.

Step 7: Modify System to Reduce Consequences. Consequence reduction measures should be proposed and evaluated. The analysis then returns to Step 2 to determine whether the modifications have introduced new hazards and to reestimate the consequences. If there are no technically feasible and economically viable modifications, or if the modifications do not eliminate unacceptable consequences, proceed to Step 8.

Step 8: Estimate Frequencies. If the frequency of an incident is acceptably low, given estimated consequences, the analysis of the incident is complete. If not, proceed to Step 9.

Step 9: Modify System to Reduce Frequencies. This step is similar in concept to Step 7. If there are no technically feasible and economically viable modifications to reduce the frequency to an acceptable level, proceed to Step 10. Otherwise, return to Step 2.

Step 10: Combine Frequency and Consequences to Estimate Risk. If the risk estimate is at or below target or if the proposed strategy offers acceptable risk reduction, the CPQRA is complete and the design is acceptable.

Step 11: Modify System to Reduce Risk. This is identical in concept to Steps 7 and 9. If no modifications are found to reduce risk to an acceptable level, then fundamental changes to process design, user requirements, site selection, or business strategy are necessary.

[Figure 1.4: flowchart of Steps 1 through 11. Decision points: consequences are too high; frequencies are too high; risks are too high. Exits: design acceptable or design unacceptable. Legend: methodology execution sequence; information flow sequence.]
FIGURE 1.4. One version of a prioritized CPQRA procedure.

In summary, Figure 1.3 presents the overall structure of CPQRA, and Figure 1.4 illustrates one method of implementation. A complete CPQRA as illustrated in Figure 1.3 may not be necessary or feasible on every item or system in a given process unit. Guidance on the selection and use of CPQRA component techniques is presented later in this chapter.

1.3. Scope of CPQRA Studies

It is good engineering practice to pay careful attention to the scope of a CPQRA, in order to satisfy practical budgets and schedules; it is not unusual for the work load to “explode” if the scope is not carefully specified in advance of the work and enforced during project execution. This section introduces the concept of a study cube (Figure 1.5) to relate scope, work load, and goals (Section 1.3.1) and then gives typical goals for CPQRAs of various scopes (Section 1.3.2).

1.3.1. The Study Cube

CPQRAs can range from simple, “broad brush” screening studies to detailed risk analyses studying large numbers of incidents, using highly sophisticated frequency and consequence models. Between these extremes a continuum of CPQRAs exists with no rigidly defined boundaries or established categories. To better understand how the scope ranges for CPQRAs it is useful to show them in the form of a cube, in which the axes represent the three major factors that define the scope of a CPQRA: risk estimation technique, complexity of analysis, and number of incidents selected for study. This arrangement also allows us to consider “planes” through the cube, in which the value of one of the factors is held constant.

1.3.1.1. THE STUDY CUBE AXES

For this discussion, each axis of the Study Cube has been arbitrarily divided into three levels of complexity. This results in a total of 27 different categories of CPQRA, depending on what combinations of complexity of treatment are selected for the three factors. Each cell in the cube represents a potential CPQRA characterization. However, some cells represent combinations of characteristics that are more likely to be useful in the course of a project or in the analysis of an existing facility.

Risk Estimation Technique. Each of the components of this axis corresponds to a study exit point in Figure 1.4.
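The three exit points of Figure 1.4 (after Steps 6, 8, and 10) can be written out as decision logic for a single incident. This Python example is added here and is not part of the original book; the scalar acceptance thresholds, the frequency-times-consequence risk measure, and every name and number in it are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple


@dataclass(frozen=True)
class Estimate:
    consequence: float  # consequence per event, arbitrary loss units (assumed scale)
    frequency: float    # events per year


@dataclass(frozen=True)
class Criteria:  # scalar thresholds are a simplifying assumption of this example
    max_consequence: float  # acceptable at any frequency (exit after Step 6)
    max_frequency: float    # acceptably low frequency (exit after Step 8)
    max_risk: float         # target for the combined estimate (exit after Step 10)


@dataclass(frozen=True)
class Modification:  # a feasible, viable change and its assumed effect
    name: str
    consequence_factor: float = 1.0
    frequency_factor: float = 1.0


class Result(NamedTuple):
    plane: str        # study-cube plane of the exit: consequence, frequency or risk
    acceptable: bool
    trace: List[int]  # estimation steps run and modification steps applied, in order
    estimate: Estimate


def prioritized_cpqra(est: Estimate, crit: Criteria,
                      mods: Dict[int, List[Modification]]) -> Result:
    """Walk Steps 6 to 11 for one incident; mods maps step 7, 9 or 11 to proposals."""
    pending = {step: list(mods.get(step, [])) for step in (7, 9, 11)}
    trace: List[int] = []

    def modify(step: int) -> bool:
        """Apply the next proposal for this step, if any, and re-estimate."""
        nonlocal est
        if not pending[step]:
            return False
        mod = pending[step].pop(0)
        trace.append(step)
        est = Estimate(est.consequence * mod.consequence_factor,
                       est.frequency * mod.frequency_factor)
        return True

    while True:  # each pass is a return to Step 2 with the re-estimated system
        trace.append(6)
        if est.consequence <= crit.max_consequence:
            return Result("consequence", True, trace, est)
        if modify(7):
            continue
        trace.append(8)
        if est.frequency <= crit.max_frequency:
            return Result("frequency", True, trace, est)
        if modify(9):
            continue
        trace.append(10)
        if est.frequency * est.consequence <= crit.max_risk:  # assumed risk measure
            return Result("risk", True, trace, est)
        if modify(11):
            continue
        return Result("risk", False, trace, est)  # fundamental changes are needed


CRITERIA = Criteria(max_consequence=10.0, max_frequency=1e-5, max_risk=1e-2)

# Constructed incidents: (initial estimate, proposals per modification step).
CASES = {
    "glycol overflow to containment": (Estimate(2.0, 0.5), {}),
    "solvent line leak": (
        Estimate(400.0, 1e-3),
        {7: [Modification("dike", consequence_factor=0.5)],
         9: [Modification("interlock", frequency_factor=0.001)]}),
    "toxic release": (
        Estimate(5000.0, 1e-4),
        {9: [Modification("inspection", frequency_factor=0.5)],
         11: [Modification("smaller inventory", consequence_factor=0.01)]}),
    "toxic release, no further options": (
        Estimate(5000.0, 1e-4),
        {9: [Modification("inspection", frequency_factor=0.5)]}),
}


def run_cases() -> Dict[str, Result]:
    return {name: prioritized_cpqra(est, CRITERIA, mods)
            for name, (est, mods) in CASES.items()}


if __name__ == "__main__":
    for name, r in run_cases().items():
        print(f"{name}: exit in {r.plane} plane, "
              f"acceptable={r.acceptable}, steps={r.trace}")
```

The trace shows how early exits shorten the work: the glycol case stops after one consequence estimate, while the toxic release needs all three estimation techniques twice over.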
The complexity and level of effort necessary increase along the axis, from consequence through frequency to risk estimation, but not necessarily linearly. In another sense, the representation of estimation by consequence, frequency, and risk is indicative of the level of maturity of these techniques.

[Figure 1.5 labels: Risk Estimation Technique (Consequence, Frequency, Risk); Cube's Main Diagonal; Expansive List.]
FIGURE 1.5. The study cube. Each cell in the cube represents a particular CPQRA study with a defined depth of treatment and risk emphasis. For orientation purposes, the shaded cells along the main diagonal of the cube are described in Table 1.5.

Quantification of the consequences from an incident involving loss of containment of a process fluid has been extensively studied. Once a release rate is established, the development of the resulting vapor cloud can be fairly well described by various source and dispersion models, although gaps in our understanding (particularly for flashing or two-phase discharges, near-field dispersion, and local flow effects) do exist.

Quantification of the frequency of an incident is less well understood. Where historical data are not available, fault tree analysis (FTA) and event tree analysis (ETA) methods are used. These methods rely heavily on the judgment and experience of the analyst and are not as widely applied in the CPI as consequence models. Much remains to be learned about how to produce a truly representative risk estimate with minimum uncertainty and bias.

Complexity of Study. This axis presents a complexity scale for CPQRAs. Position along the axis is derived from two factors:

• the complexity of the models to be used in a study
• the number of incident outcome cases to be studied

Model complexity can vary from simple algebraic equations to extremely complex functions such as those used to estimate the atmospheric dispersion of dense gases.
The number of incident outcome cases to be studied is the product of the number of incident outcomes selected and the number of cases to be studied per outcome. The number of cases to be studied may range from one (assuming uniform wind direction and a single wind speed) to many, using various combinations of wind speed, direction, and atmospheric stability for each incident outcome. Figure 1.6 illustrates how model complexity and the number of incident outcome cases are combined to produce the simple, intermediate, and complex zones in the study cube.

Number of Incidents. The three groups of incidents used in Figure 1.5 (bounding group, representative set, and expansive list) can be explained using the three classes of incidents in Table 1.3.

The bounding group contains a small number of incidents. Members of this group include those catastrophic incidents sometimes referred to as the worst case. The intent of selecting incidents for this group is to allow determination of an upper bound on the estimate of consequences. This approach focuses attention on extremely rare incidents, rather than the broad spectrum of incidents that often comprises the major portion of the risk.

The representative set can contain one or more incidents from each of the three incident classes in Table 1.3 when evaluating risks to employees. When evaluating risk to the public, the representative set of incidents would probably only include selections from the catastrophic class of events because small incidents do not normally have significant impact at larger distances. The purpose of selecting representative incidents is to reduce study effort without losing resolution or adding substantial bias to the risk estimate.

The expansive list contains all incidents in all three classes selected through the incident enumeration techniques discussed in Section 1.4.1.

[Figure 1.6 labels: Number of Incident Outcome Cases; Elementary; Intermediate.]
FIGURE 1.6. Development of complexity of study axis values for the Study Cube. The main diagonal values (shaded cells) correspond with the "complexity of study values" used in Figure 1.5.

1.3.1.2. PLANES THROUGH THE STUDY CUBE

The study cube provides a conceptual framework for discussing factors that influence the depth of a CPQRA. It is arbitrarily divided into 27 cells, each defined by three factors, and qualitative scales are given for each factor or cube axis. In addition to considering cells in the study cube, it is convenient to refer to planes through the cube, especially through the risk estimation technique axis. A separate plane exists for consequence, frequency, and risk estimation. Anywhere within one of these planes, the risk estimation technique is fixed. Referring to consequence plane studies, there are nine combinations of the complexity of study and number of selected incidents.

The use of the plane concept when describing CPQRAs is intended to reinforce the notion that several degrees of freedom exist when defining the scope of a CPQRA study, and it is not enough to cite only the risk estimation technique to be used when discussing a specific level of CPQRA.

1.3.2. Typical Goals of CPQRAs

Examples of typical goals of CPQRAs are summarized in Table 1.4, which highlights incident groupings that are appropriate to achieve each goal. Ideally, all incidents would be considered in every analysis, but time and cost constraints require optimizing the number of incidents studied. Consequently, incident groups other than the expansive list are preferred.

Goals that are appropriate early in an emerging capital project will be constrained by available information. However, for a mature operating plant, sufficient information will usually be available to satisfy any of the goals in Table 1.4. The amount and quality of information available for a CPQRA depend on the stage in the process’ life when the study is executed.
This effect is illustrated conceptually in Figure 1.7. A specific depth of study can be executed only if the process information available equals or exceeds the information required.

Each of the 27 depths of study shown in the Study Cube has specific information requirements. The information required for a CPQRA is a function of not only the position of the corresponding cell in the study cube (depth of study) selected, but also the specific study objectives. In general, information needs increase as

• the number of incidents increases,
• the complexity of study (number of incident outcome cases and complexity of models) increases,
• the estimation technique progresses from consequence through frequency to risk estimation calculations.

TABLE 1.3. Classes of Incidents

Medium effect zone, limited to site boundaries (e.g., major fire, small explosion)

Catastrophic incident: Large effect zone, off-site effects on the surrounding community (e.g., major explosion, large toxic release)

[Figure 1.7 labels: Process Life Cycle; Project Inception; Design Basis; Detailed Design; Construction; Decommissioning; Records Destroyed.]
FIGURE 1.7. Information availability to CPQRA along the life of a chemical process.

Conceptually, information requirements increase moving from the origin along the main diagonal of the Study Cube. Specific study objectives are developed from the CPQRA goals by project management (Section 1.9.2). These specific objectives may add information requirements (often unique) to those established by the position in the cube.

In order to discuss important issues of study specification, it is convenient to limit attention to three of the 27 cells in the cube. These three cells are a simple/consequence CPQRA, intermediate/frequency CPQRA, and complex/risk CPQRA (Table 1.5). They occupy the main diagonal of the cube as illustrated in Figure 1.5. The cells are defined in terms of increasing CPQRA resolution.
The choice of these cells in no way implies that they represent the most common types of risk studies. They are only presented to explain the general parameters of this form of presentation of CPQRA study depth.

Further information on CPQRA studies for different cells in the study cube is given in Chapter 7, where a number of qualitative examples are presented. Chapter 8 presents more specific, quantitative case studies.

1.4. Management of Incident Lists

Effective management of a CPQRA requires enumeration (Section 1.4.1) and selection (Section 1.4.2) of incidents, and a formal means for tracking (Section 1.4.3) the incidents, incident outcomes, and incident outcome cases. Enumeration attempts to ensure that no significant incidents are overlooked; selection tries to reduce the incident outcome cases studied to a manageable number; and tracking ensures that no selected incident, incident outcome, or incident outcome case is lost in the calculation procedure.

TABLE 1.4. Typical Goals of CPQRAs

To Screen or Bracket the Range of Risks Present for Further Study. Screening or bracketing studies often emphasize consequence results (perhaps in terms of upper and lower bounds of effect zones) without a frequency analysis. This type of study uses a bounding group of incidents.

To Evaluate a Range of Risk Reduction Measures. This goal is not limited to any particular incident grouping, but representative sets or expansive lists of incidents are typically used. Major contributors to risk are identified and prioritized. A range of risk reduction measures is applied to the major contributors, in turn, and the relative benefits assessed. If a risk target is employed, risk reduction measures would be considered that could not only meet the target, but could exceed it if available at acceptable cost.

To Prioritize Safety Investments. All organizations have limited resources.
CPQRA can be used to prioritize risks and ensure that safety investment is directed to the greatest risks. A bounding group or representative set of incidents is commonly used.

To Estimate Financial Risk. Even if there are no hazards that have the potential for injury to people, the potential for financial losses or business interruption may warrant a CPQRA. Depending on the goals, different classes of incidents might be emphasized in the CPQRA. An annual insurance review might highlight localized and major incidents using a bounding group with consequences specified in terms of loss of capital equipment and production.

To Estimate Employee Risk. Several companies have criteria for employee risk, and CPQRA is used to verify compliance with these criteria. In principle, the expansive list of incidents could be considered, but the major risk contributors to plant employees are localized incidents and major incidents (Table 1.3). Rare, catastrophic incidents often contribute less than a few percent to total employee risk. A representative set or bounding group of incidents may be appropriate.

To Estimate Public Risk. As with employee risk, some internal-corporate and regulatory agency public risk criteria may have been suggested or adopted as “acceptable risk” levels. CPQRA can be used to check compliance. Where such criteria are not met, risk reduction measures may be investigated as discussed above. The important contributors to off-site, public risk are major and catastrophic incidents. A representative set or expansive list of incidents is normally utilized.

To Meet Legal or Regulatory Requirements. Legislation in effect in Europe, Australia, and in some States (e.g., NJ and CA) may require CPQRAs. The specific objectives of these vary, according to the specific regulations, but the emphasis is on public risk and emergency planning. A bounding group or representative set of incidents is used.

To Assist with Emergency Planning.
CPQRA may be used to predict effect zones for use in emergency response planning. Where the emergency plan deals with on-site personnel, all classes of incidents may need to be considered. For the community, major and catastrophic classes of incidents are emphasized. A bounding group of incidents is normally sufficient for emergency planning purposes.

1.4.1. Enumeration

The objective of enumeration is to identify and tabulate all members of the incident classes in Table 1.3, regardless of importance or of initiating event. In practice, this can never be achieved. However, it must be remembered that omitting important incidents from the analysis will bias the results toward underestimating overall risk.

The starting point of any analysis is to identify all the incidents that need to be addressed. These incidents can be classified under either of two categories, loss of containment of material or loss of containment of energy. Unfortunately, there is an infinite number of ways (incidents) by which loss of containment can occur in either category. For example, leaks of process materials can be of any size, from a pinhole up to a severed pipe line or ruptured vessel. An explosion can occur in either a small container or a large container and, in each case, can range from a small “puff” to a catastrophic detonation.

TABLE 1.5. Definitions of Cells Along the Main Diagonal of the Study Cube (Figure 1.5)

Simple/Consequence CPQRA
Estimation Technique: Consequence
Complexity of Study
    Number of Incident Outcome Cases: Small
    Complexity of Model: Elementary
Number of Incidents: Bounding Group

This is a CPQRA that is useful for screening or risk bounding purposes. It requires the least amount of process definition and makes extensive use of simplified techniques. In terms of Figure 1.4, it consists of consequence calculations only (Steps 1 through 7).
A Simple/Consequence CPQRA is suitable for screening at any stage of the project: in the case of an existing plant, screening might highlight the need to consider further study; at the design stage, it might aid in optimizing siting and layout.

Intermediate/Frequency CPQRA
Estimation Technique: Frequency
Complexity of Study
    Number of Incident Outcome Cases: Medium
    Complexity of Model: Advanced
Number of Incidents: Representative Set

This is a more detailed CPQRA that corresponds to Steps 1 through 9 in Figure 1.4. It cannot be applied until the design is substantially developed, unless historical frequency techniques are applied. It may be applied at any time after process flow sheet definition. Complete descriptions of the process and equipment are not usually necessary. A Representative Set of incidents is chosen. In principle, the results of an Intermediate/Frequency CPQRA should approximate a detailed study, but have less resolution.

Complex/Risk CPQRA
Estimation Technique: Risk
Complexity of Study
    Number of Incident Outcome Cases: Large
    Complexity of Model: Sophisticated
Number of Incidents: Expansive List

This is the most detailed CPQRA. It employs the full methodology described in Figure 1.4. It may be applied to operating plants or to capital projects, but only after detailed design has been completed, when sufficient information is available. Where appropriate, it would employ the most sophisticated analytical techniques reviewed in Chapters 2 and 3. However, it would be unlikely to apply the most sophisticated techniques to all aspects of the study, only to those items that contribute most to the result. Due to the number of incidents, incident outcomes and incident outcome cases considered, this study level provides the highest resolution.

The HEP Guidelines, Second Edition (AIChE/CCPS, 1992) outlines the roles of HAZOP, FMEA, and What-If in hazard assessment.
The supplemental “Questions for Hazard Evaluation” shown in Appendix B of the HEP Guidelines can be helpful for identifying hazards, initiating events, and incidents. While none of these hazard identification techniques directly produces a list of incidents, each provides a methodology from which initiating events can be developed. Proper scenario selection is extremely important in CPQRA and the results of the analysis are no better than the scenarios selected.

In addition to the above techniques, Table 1.2 can be used as a checklist to assist in further incident enumeration through listing candidate initiating events, intermediate events, and incident outcomes and consequences. It should be understood that there is no single technique whose application guarantees the comprehensive listing of all incidents (i.e., the reality list of Figure 1.8 is unattainable). Nonetheless, use of hazard identification techniques and Table 1.2 can lead to the identification of a broad spectrum of incidents, sufficient for defining even the expansive list of incidents (Section 1.4.2.1).

[Figure 1.8 labels: Initial List (all incidents identified by enumeration); Revised List (Initial List less those handled subjectively); Condensed List (Revised List without redundancies); Expansive List (list from which incidents for study are selected).]
FIGURE 1.8. Incident lists versus number of incidents (comparison of lists developed through incident selection to the reality list).

Other approaches for enumeration of major incidents and their initiating events have been developed. One of these uses fault tree analysis (FTA). The fault tree is a logic diagram showing how initiating events, at the bottom of the tree, through a sequence of intermediate events, can lead to a top event.
This analysis requires two knowledge bases: (1) a listing of major subevents which contribute to a top event of loss of containment, and (2) the development of each subevent to a level sufficient to describe the majority of initiating events. For enumeration, this process is executed without any attempt to quantify the frequency of the top event. However, this fault tree can serve as a means for obtaining frequencies later in the CPQRA. The success of this technique is principally dependent on the expertise of the analyst. An example is given by Prugh (1980).

The “Loss of Containment Checklist” included in this book as Appendix A can be applied to enumerate credible incidents. This checklist considers causes arising from nonroutine process venting, deterioration and modification, external events, and process deviations. Sample incidents include the following:

• overpressuring a process or storage vessel due to loss of control of reactive materials or external heat input
• overfilling of a vessel or knock-out drum
• opening of a maintenance connection during operation
• major leak at pump seals, valve stem packings, flange gaskets, etc.
• excess vapor flow into a vent or vapor disposal system
• tube rupture in a heat exchanger
• fracture of a process vessel causing sudden release of the vessel contents
• line rupture in a process piping system
• failure of a vessel nozzle
• breaking off of a small-bore pipe such as an instrument connection or branch line
• inadvertently leaving a drain or vent valve open.

The reader should note, however, that the loss of containment checklist should not be considered exhaustive, and other enumeration techniques should be considered in developing an expansive list of incidents.

Another way to generate an incident list is to consider potential leaks and major releases from fractures of all process pipelines and vessels.
The enumeration of incidents from these sources is made easier by compiling pertinent information (listed below), relevant to all process and storage vessels. This compilation should include all pipework and vessels in direct communication, as these may share a significant inventory that cannot be isolated in an emergency.

• vessel number, description, and dimensions
• materials present
• vessel conditions (phase, temperature, pressure)
• connecting piping
• piping dimensions (diameter and length)
• pipe conditions (phase, pressure drop, temperature)
• valving arrangements (automatic and manual isolation valves, control valves, excess flow valves, check valves)
• inventory (of vessel and all piping interconnections, etc.)

This approach is discussed in more detail in the Rijnmond Area Risk Study (Rijnmond Public Authority, 1982) and the Manual of Industrial Hazard Assessment Techniques (World Bank, 1985). Of necessity, this approach excludes specific incidents and initiating events that would be generated by hazard identification methods (e.g., releases from emergency vents or relief devices). Freeman et al. (1986) describe a system that addresses both fractures and other initiating events.

The list of incidents can also be expanded by considering each of the incident outcomes presented in Table 1.2 and proposing credible incidents that can produce them. Pool fires might result from releases to tank dikes or process drainage areas; vapor cloud explosions, flash fires, and dispersion incidents from other release scenarios; confined explosions (e.g., those due to polymerization, detonation, overheating) from reaction chemistry and abnormal process conditions; or BLEVE, from fire exposure to vessels containing liquids.

1.4.2. Selection

The goal of selection is to limit the total number of incident outcome cases to be studied to a manageable size, without introducing bias or losing resolution through overlooking significant incidents or incident outcomes. Different techniques are used to select incidents (Section 1.4.2.1), incident outcomes (Section 1.4.2.2), and incident outcome cases (Section 1.4.2.3). The risk analyst must be proficient in each of these techniques if a defensible basis for a representative CPQRA is to be developed.

1.4.2.1. INCIDENTS

The purpose of incident selection is to construct an appropriate set of incidents for the study from the initial list that has been generated by the enumeration process. An appropriate set of incidents is the minimum number of incidents needed to satisfy the requirements of the study and adequately represent the spectrum of incidents enumerated, considering budget constraints and schedule.

The effects of selection are shown graphically in Figure 1.8. The reality list contains all possible incidents. It approaches infinite length. The initial list contains all the incidents identified by the enumeration methods chosen. The remaining lists are described in this section. Figure 1.8 shows the relative reductions in list size that are achieved by successive operations on the initial list.

One of the risk analyst’s jobs is to select a subset of the Initial List for further analysis. This involves several tasks, each resulting in a unique list (Figure 1.8). Throughout the selection process, the risk analyst must exercise caution so that critical incidents, which might substantially affect the risk estimate, are not overlooked or excluded from the study.

The initial list of incidents is reviewed to identify those incidents that are too small to be of concern (Step 4, Figure 1.4). Removing these incidents from the initial list produces a revised list (Figure 1.8).
To be cost effective and reduce the CPQRA calculational burden, it is essential to compress this revised list by combining redundant or very similar incidents. This new list is termed the condensed list (Figure 1.8). This list can and should be reduced further by grouping similar incidents into subsets, and, where possible, replacing each subset with a single equivalent incident. This grouping and replacement can be accomplished by consideration of similar inventories, compositions, discharge rates, and discharge locations. The list formed in this manner is the expansive list and represents the list from which the study group is selected.

A detailed or complex study would utilize the entire expansive list of incidents, while a screening study would utilize only one or two incidents from this list. The expansive list can be reduced to one or both of two smaller “lists”: the bounding group or the representative set (Section 1.3.1; and Figure 1.5). Selection of a bounding group of incidents typically considers only the subsets of catastrophic incidents on the expansive list. This may be further reduced by selecting only the worst possible incident or worst credible incident.

Selection of a representative set of incidents from the expansive list should include contributions from each class of incident, as defined in Table 1.3. This process can be facilitated through the use of ranking techniques. By allocating incidents into the three classes presented in Table 1.3, an inherent ranking is achieved. Further ranking of individual incidents within each incident class is possible. Various schemes can be devised to rank incidents within each incident class (e.g., preliminary ranking criteria based on the severity of hazard posed by released chemicals, release rate, and total quantity released).
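The succession of lists described above (initial, revised, condensed, expansive) and the two selections made from the expansive list can be traced on a small data set. This Python example is added here and is not part of the original book; the incident records, the per-material cutoff, the severity ranks, the "same decade" test for similarity, and the rule that the highest-ranked member stands for its group are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLASSES = ("localized", "major", "catastrophic")  # incident classes named on this page


@dataclass(frozen=True)
class Incident:
    ident: str
    material: str
    location: str
    rate_kg_s: float     # discharge rate
    inventory_kg: float  # quantity that can be released
    incident_class: str  # one of CLASSES


# Constructed screening data (assumptions, not values from the book).
SEVERITY = {"chlorine": 3, "ammonia": 2}              # hazard rank of the chemical
MIN_RATE_KG_S = {"chlorine": 0.005, "ammonia": 0.01}  # below this: too small


def _decade(x: float) -> int:
    return math.floor(math.log10(x))


def _rank_key(i: Incident) -> Tuple[int, float, float]:
    """Rank by chemical severity, then release rate, then total quantity."""
    return (SEVERITY[i.material], i.rate_kg_s, i.inventory_kg)


def revised_list(initial: List[Incident]) -> List[Incident]:
    """Initial list less the incidents too small to be of concern."""
    return [i for i in initial if i.rate_kg_s >= MIN_RATE_KG_S[i.material]]


def condensed_list(revised: List[Incident]) -> List[Incident]:
    """Revised list without redundancies (the same incident entered twice)."""
    seen, out = set(), []
    for i in revised:
        sig = (i.material, i.location, i.rate_kg_s, i.inventory_kg, i.incident_class)
        if sig not in seen:
            seen.add(sig)
            out.append(i)
    return out


def expansive_list(condensed: List[Incident]) -> List[Incident]:
    """Group similar incidents and keep one equivalent incident per group."""
    groups: Dict[tuple, List[Incident]] = {}
    for i in condensed:
        key = (i.material, i.location, i.incident_class,
               _decade(i.rate_kg_s), _decade(i.inventory_kg))
        groups.setdefault(key, []).append(i)
    return [max(members, key=_rank_key) for members in groups.values()]


def bounding_group(expansive: List[Incident], worst_only: bool = False) -> List[Incident]:
    """Catastrophic incidents only, optionally reduced to the single worst one."""
    ranked = sorted((i for i in expansive if i.incident_class == "catastrophic"),
                    key=_rank_key, reverse=True)
    return ranked[:1] if worst_only else ranked


def representative_set(expansive: List[Incident], per_class: int = 1) -> List[Incident]:
    """Top-ranked incidents from every class, so each class contributes."""
    chosen: List[Incident] = []
    for cls in CLASSES:
        ranked = sorted((i for i in expansive if i.incident_class == cls),
                        key=_rank_key, reverse=True)
        chosen.extend(ranked[:per_class])
    return chosen


# Constructed initial list, as it might come out of enumeration.
INITIAL = [
    Incident("I1", "chlorine", "storage", 300.0, 50000.0, "catastrophic"),
    Incident("I2", "chlorine", "storage", 250.0, 50000.0, "catastrophic"),
    Incident("I3", "chlorine", "unloading", 12.0, 2000.0, "major"),
    Incident("I4", "chlorine", "unloading", 15.0, 2000.0, "major"),
    Incident("I5", "chlorine", "unloading", 15.0, 2000.0, "major"),  # duplicate of I4
    Incident("I6", "ammonia", "reactor", 0.5, 150.0, "localized"),
    Incident("I7", "ammonia", "reactor", 0.6, 150.0, "localized"),
    Incident("I8", "ammonia", "reactor", 0.002, 150.0, "localized"),  # below cutoff
    Incident("I9", "ammonia", "storage", 40.0, 8000.0, "major"),
    Incident("I10", "ammonia", "storage", 400.0, 80000.0, "catastrophic"),
]


def ids(incidents: List[Incident]) -> List[str]:
    return [i.ident for i in incidents]


if __name__ == "__main__":
    rev = revised_list(INITIAL)
    con = condensed_list(rev)
    exp = expansive_list(con)
    print("list sizes:", len(INITIAL), len(rev), len(con), len(exp))
    print("bounding group:", ids(bounding_group(exp)))
    print("representative set:", ids(representative_set(exp)))
```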
A ranking procedure is important in the selection of a representative set of incidents if the study is to minimize bias or loss of resolution. Ranking can also be a useful tool if the study objectives (Section 1.9.2) exclude incidents below a specified cutoff value. One example is the establishment of a cutoff for loss of containment of material events by specifying a limited range of hole sizes for a wide range of process equipment (e.g., two for process pipework, one representing a full-bore rupture and the other 10% of a full bore rupture). This approach is presented in the Manual of Industrial Hazard Assessment Techniques (World Bank, 1985). Such a cutoff is arbitrary and a more fundamental approach is to identify, from consequence techniques (Chapter 2), the minimum incident size of importance for each of the materials used on-site. This ensures consistent treatment of materials of different hazards. Figure 1.9 (Hawksley, 1984) contains data on pipeline failures including the frequency distributions for holes of various sizes.

[Figure 1.9: plot against pipe diameter (inch).]
FIGURE 1.9. Summary of some pipe failure rate data. From Hawksley (1984). Reprinted with permission.

1.4.2.2. INCIDENT OUTCOMES

The purpose of incident outcome selection is to develop a set of incident outcomes that must be studied for each incident included in the finalized incident study list (i.e., the bounding group, representative set, or expansive list of incidents). Each incident needs to be considered separately. Using the list of incident outcomes presented in Table 1.2, the risk analyst needs to determine which may result from each incident. This process is not necessarily straightforward. While the analyst can decide whether an incident
26 1 Chemical Process Ouantitative Risk Analysis involving the loss of a process chemical to the atmosphere needs to be examined using dispersion analysis because of potential toxic gas effects, what happens if the same material is immedately ignited on release? Figure 1.2 was presented to illustrate how one incident may create one o r more incident outcomes, using the logical structure of an event tree. More detailed event trees have been developed in attempts to illustrate the complicated and often interrelated time series of incident outcomes that can occur. Figure 1.10 presents such an event tree developed by Mudan (1987) to show all potential incident outcomes from the release (loss of containment) of a hazardous chemical. Naturally, the properties of the chemical, conditions of the release, etc., all influence which of the logical paths shown in Figure 1.10will apply for any specific incident. All such paths need to be considered in creating the set of outcomes to be studed for each incident included in the finalized shldy list. After examination, it soon becomes apparent that even Figure 1.10 is not detailed enough to cover all possible permutations of phenomena that can immediately result from a hazardous material release. Detailed logical structures (see Figures 1.11 and 1.12) have been developed [e g , see UCSIP (1985)] to try to account for the mix of incident outcomes that can result following an incident. No single comprehensive logic dagram exists. Various computer programs have been developed, however, to assist the analyst. Ultimately, the analyst must be satisfied that the set of outcomes selected for each incident in the finalized study list adequately represents the range of phenomena that may follow an incident. 1.4.2.3. INCIDENT OUTCOME CASES As shown in Figure 1.2, for every outcome selected for study, one o r more incident outcome cases can be constructed. 
Each case is defined through numerically specifying sufficient parameters to allow the case to be uniquely distinguished from all other cases developed for the same outcome. An easy distinction between incident outcome cases is in the prevailing weather. When considering the dispersion of a cloud formed from the release of a process chemical to the atmosphere, the analyst must decide how the travel of the cloud “downwind” is to be studied. Various parameters (wind speed, atmospheric stability, atmospheric temperature, humidity, etc.) all need to be considered.

Once the risk analyst has identified all of the parameters that influence specification of an incident outcome, ranges of values for each parameter need to be developed, and discrete values created within each range. An incident outcome case is specified by the data set containing the analyst’s selection of a unique value within the range developed for each parameter. The number of outcome cases that can be created equals the number of possible permutations of this data set using all of the discrete values for each of the parameters.

As discussed in Section 1.9.3, the combinatorial expansion of incident outcome cases can adversely affect resource requirements for a CPQRA without substantially adding to the quality of the resulting risk estimate or insights from the study. An experienced analyst will be able to limit the number of incident outcome cases to be studied. For example, problem symmetry may be exploited, worst case conditions assumed, plume centerline concentrations selected rather than developing complete cloud profiles, and a directional incident outcome assumed rather than study an omnidirectional incident. Each decision removes a multiplier from the number of cases to be studied.

FIGURE 1.10. Typical spill event tree showing potential incident outcomes for a hazardous chemical release.

It is the analyst's responsibility to ensure that sufficient definition results from the number of incident outcome cases specified to achieve study objectives. Decisions made concerning parameter selection and the range of values to be studied within each parameter need to be challenged through peer review and documented. Likewise the perceived importance of such parameters and their values can and should be checked through sensitivity studies following the development of an initial risk estimate. It is also the analyst’s responsibility to recognize the sensitivity of the cost of the CPQRA to each parameter and avoid wasting resources.

FIGURE 1.11. Spill event tree for a flammable gas release.

One effective strategy is to screen the parameter value ranges and select a minimal number of outcome cases to complete a first pass risk estimate. Using sensitivity methods, the importance of each selected parameter value can be determined, and adjustments made in subsequent passes, maintaining control of the growth of the number of incident outcome cases while observing impacts on resulting estimates.

It is also useful to determine upper and lower bounds for the risk estimate using the parameter-value range available. This offers the analyst a reference scale against which to view any single point estimate, along with its sensitivity to changes in any given parameter.
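The case-count arithmetic and first-pass screening described above, as an added Python example that is not part of the Guidelines. The parameter values, base case and consequence surrogate are constructed for illustration, and one-at-a-time screening followed by a grid search over the critical parameters stands in for the more formal sensitivity and search methods a study would use.

```python
from itertools import product
from math import prod

# Constructed discrete values for one dispersion incident outcome (not book data).
PARAMETERS = {
    "wind_speed_m_s": [1.5, 3.0, 5.0, 8.0],
    "stability_class": ["B", "D", "F"],
    "wind_direction_deg": [0, 45, 90, 135, 180, 225, 270, 315],
    "ambient_temp_C": [0, 15, 30],
}
# Constructed base case used for the first-pass estimate.
BASE_CASE = {
    "wind_speed_m_s": 3.0,
    "stability_class": "D",
    "wind_direction_deg": 0,
    "ambient_temp_C": 15,
}
# Constructed multipliers; a real study would call a dispersion model here.
STABILITY_FACTOR = {"B": 0.5, "D": 1.0, "F": 2.0}


def surrogate_effect(case):
    """Toy stand-in for a consequence model: a relative effect distance."""
    return (100.0 * STABILITY_FACTOR[case["stability_class"]]
            / case["wind_speed_m_s"]
            * (1.0 + 0.002 * case["ambient_temp_C"]))


def case_count(parameters):
    """Number of outcome cases = product of the discrete values per parameter."""
    return prod(len(values) for values in parameters.values())


def enumerate_cases(parameters):
    """Yield every permutation of the discrete values as one outcome case."""
    names = list(parameters)
    for combo in product(*(parameters[name] for name in names)):
        yield dict(zip(names, combo))


def fix_parameter(parameters, name, value):
    """Analyst decision (e.g. a directional outcome): collapse one parameter to one value."""
    if value not in parameters[name]:
        raise ValueError(f"{value!r} is not a listed value of {name}")
    return {**parameters, name: [value]}


def one_at_a_time_swings(parameters, base, model):
    """Vary one parameter at a time with the rest at base; swings sorted largest first."""
    swings = {}
    for name, values in parameters.items():
        results = [model({**base, name: value}) for value in values]
        swings[name] = max(results) - min(results)
    return dict(sorted(swings.items(), key=lambda item: item[1], reverse=True))


def bounds(parameters, model):
    """Lower bound, upper bound and number of cases evaluated over a value grid."""
    results = [model(case) for case in enumerate_cases(parameters)]
    return min(results), max(results), len(results)


def screened_bounds(parameters, base, model, fraction=0.10):
    """Bound the estimate using only parameters whose swing is >= fraction of the base result."""
    swings = one_at_a_time_swings(parameters, base, model)
    threshold = fraction * model(base)
    critical = [name for name, swing in swings.items() if swing >= threshold]
    reduced = {name: (values if name in critical else [base[name]])
               for name, values in parameters.items()}
    return bounds(reduced, model), critical


if __name__ == "__main__":
    print("all cases:", case_count(PARAMETERS))
    directional = fix_parameter(PARAMETERS, "wind_direction_deg", 0)
    print("directional only:", case_count(directional))
    print("swings:", one_at_a_time_swings(PARAMETERS, BASE_CASE, surrogate_effect))
    (low, high, evaluated), critical = screened_bounds(
        PARAMETERS, BASE_CASE, surrogate_effect)
    print("critical:", critical, "cases:", evaluated,
          "bounds:", round(low, 2), round(high, 2))
    print("exhaustive:", bounds(PARAMETERS, surrogate_effect))
```

With these constructed values the full grid is 288 cases, while the screened search evaluates 12 and lands within about 3 percent of the exhaustive bounds.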
Various mathematical models are available for determining the upper and lower bounds for the parameter-value ranges available. These include techniques commonly used in the statistical design of experiments (e.g., see Box and Hunter, 1961; Kilgo, 1988). These methods can be used to identify critical parameters from all of the parameters identified. Linear programming techniques and min/max search strategies (e.g., see Carpenter and Sweeny, 1965; Long, 1969; Nelder and Mead, 1964; Spendley et al., 1962) can be used thereafter to find values for these critical parameters that will produce both the upper and lower bounds (maximum and minimum values) for the risk estimate.

FIGURE 1.12. Spill event tree for a flammable liquid release.

Since these bounds can be established without exhaustively examining all of the incident outcome cases possible, the experienced analyst can manage the number of cases to be examined without compromising the desire to develop a quantitative understanding of the range (a feel for spread) of the risk estimate.

1.4.3. Tracking

The development of some risk estimates, such as individual risk contours or societal risk curves, requires a significant number of calculations even for a simple analysis. This can be time consuming if a manual approach is employed for more than a few incident outcome cases. Chapter 4, Section 4.4, describes risk calculation methods and provides examples of various simplified approaches.
The techniques are straightforward; however, many repetitive steps are involved, and there is a large potential for error. A computer spreadsheet or commercial model is generally useful in manipulating, accounting, labeling, and tracking this information. The case studies of Chapter 8 illustrate these grouping, accounting, labeling, and tracking processes.

1.5. Applications of CPQRA

No organization or society has the resources to perform CPQRAs (of any depth) on all conceivable risks. In order to decide where and how to use the resources that are available, it is necessary to select specific subjects for study and to optimize the depth of study for each subject selected. This selection process or screening technique is discussed (Section 1.5.1) along with its use for existing facilities (Section 1.5.2) and new projects (Section 1.5.3).

1.5.1. Screening Techniques

In creating a screening program, it is helpful to determine the organizational levels that are most amenable to screening, and those where CPQRAs can be applied most effectively. Figure 1.13 illustrates the structure of a typical CPI organization. It shows a hierarchical scheme, with the organization divided into facilities (plants), the facilities divided into process units, the process units divided into process systems and the process systems divided into pieces of equipment. A general observation is that the number of possible CPQRAs increases exponentially, but that the scope of each one narrows, moving from the top to the bottom of the hierarchy. Use of CPQRA is typically restricted to the lower levels of the hierarchy, and in those levels it is selectively applied.

Methods are needed to screen (prioritize and select) process units, systems, and equipment for selective application of CPQRA. These methods must ensure that all facilities are considered uniformly in the screening process.
Establishment of a prioritized listing of candidate studies allows efforts to focus on the most onerous hazards first and, depending on available resources, progress to less serious hazards. Certain listings are “zoned” according to high, medium, and low levels of concerns, and studies placed into the lowest class receive attention only after all studies in higher classes have been executed. If a decision is made to zone a priority list, it is important to establish zone cutoff criteria prior to screening in order to avoid bias.

Risk estimates can be developed at any level of the typical CPI organization, but usually focus on specific elements of the lower levels of the hierarchy, for instance, the risk from the rupture of a storage tank. The following discussions of screening methods show that methods are available to study various levels of the typical CPI organization.

FIGURE 1.13. Structure of a typical CPI company.

1.5.1.1. PROCESS HAZARD INDICES

Dow Chemical has developed techniques for determining relative hazard indices for unit operations, storage tanks, warehouses, etc. One generates an index for fire and explosion hazards (Dow’s Fire & Explosion Index Hazard Classification Guide, 7th ed., AIChE 1994), and another an index for toxic hazards (Dow’s Chemical Exposure Index Guide, 1st ed., AIChE 1994). ICI’s Mond Division has developed similar techniques (The Mond Index) and has proposed a system for using these indices as a guide to plant layout (ICI, 1985). A modified Mond-like index has also been proposed for evaluation of toxic hazards (Tyler, 1996). These techniques consider the hazards of the material involved, the inventory, operating conditions, and type of operation. While the values of the indices cannot be used in an absolute sense as a measure of risk, they can be used for prioritization, selection, and ranking.
The value of the index may be helpful in deciding whether a CPQRA should be applied, and the appropriate depth of study.

1.5.1.2. INVENTORY STUDIES

The inventories of hazardous materials should be itemized (including material in process, in storage, and in transport containers). The information should include significant properties of the material (e.g., toxicity, flammability, explosivity, volatility), normal inventory and maximum potential quantity, and operating or storage conditions. In some cases, screening can, or must, be done by means of government specifications (New Jersey, 1988, and EEC’s “Seveso Directive,” 1982).

Major hazards can be identified from an inventory study. Where these are toxic hazards, simple dispersion modeling (assuming the worst case and pessimistic atmospheric conditions) can be performed. Where fires or explosions are the hazards, similar simple consequence studies may be made. Estimated effect zones can be plotted on a map to determine potential vulnerabilities (population at risk, financial exposure, business interruption, etc.); for screening purposes, estimates of local populations may be sufficient. Of course, when significant vulnerabilities are found, more thorough studies may be required.

1.5.1.3. CHEMICAL SCORING

Various systems have been developed to assign a numeric value to hazardous chemicals using thermophysical, environmental, toxicological, and reactivity characteristics. The purpose of each system is to provide an objective means of rating and ranking chemicals according to a degree of hazard reference scale. Three of these methodologies are systems proposed by the NFPA 325M (1984), the U.S. EPA (1980, 1981), and Rosenblum et al. (1983).

NFPA has a rating scheme that assigns numeric ratings, from 0 to 4, to process chemicals. These ratings represent increasing health, flammability, and reactivity hazards; the fourth rating uses special symbols to denote special hazards (e.g., reactivity with water).
This system is intended to show firefighters the precautions that they should take in fighting fires involving specific materials; however, it can be used as a preliminary guide to process hazards. The U.S. EPA has developed methods for ranking chemicals based on numerical values that reflect the physical and health hazards of the substances. Rosenblum et al. (1983) give an index system that assigns numerical values to the various hazards that chemicals possess and that can be used to prioritize a list of chemicals. This technique is more complex and less-practiced than the NFPA diamond system.

1.5.1.4. FACILITY SCREENING

In addition to the screening techniques presented in previous subsections, other prioritization and selection approaches have been proposed which focus on facilities as opposed to chemicals alone. One such approach has been offered by Mudan (1987). This approach uses mathematical models for blast, fire, and toxicity for screening chemical facilities. A similar approach has been proposed by Renshaw (1990).

Less sophisticated approaches have also been used to screen facilities. For example, if the number of facilities to be screened is not too large, and if the organization’s safety personnel are sufficiently experienced, it is possible to subjectively rank facilities by consensus. Whatever method is used, it is important to apply it consistently and document the results of its application for future reference and update.

1.5.2. Applications within Existing Facilities

In order to examine process risks from all existing facilities within an organization, it is essential to develop a study plan. This plan documents the screening methods to be used to qualitatively or quantitatively rank all facilities within the organization and then rank all process units within those facilities.
These prioritized lists can then be compared and a master list developed which can be used to establish the study plan for CPQRA. When developing any study plan for existing facilities using a screening method, it is most cost effective to ensure that the plan is directed at the lowest level of the organization’s hierarchy (Figure 1.13).

Once the prioritized study plan is developed, the depth of CPQRA needs to be determined for each candidate study from the top down. Table 1.6 offers qualitative guidance for determining the depth of CPQRA appropriate for each of the layers of the organizational hierarchy (Figure 1.13). Recognize that this is an idealization where a risk estimate plane CPQRA is reserved for process equipment and system studies only and, even then, only after consequence and frequency plane studies have been completed and show the need for further study.

1.5.3. Applications within New Projects

The depth of study presented in Table 1.6 directly applies to new projects as well. The main distinction between new projects and existing facilities (Figure 1.7) is the information available for use in the CPQRA. Early in a new project, information is constrained, limiting the depth of the study. This constraint is virtually nonexistent for existing facilities. As a new project progresses, the information constraint is gradually removed.

TABLE 1.6. Applicability and Sequence Order of Depth of Study for Existing Facilities (a)

Column headings: Organizational hierarchy level; Depth of study; Risk estimation technique (Consequence, Frequency, Risk)

Company (Simple/consequence, Intermediate/frequency, Complex/risk): 1 N.A. N.A. N.A. N.A. N.A. N.A. N.A. N.A.
Facility (Simple/consequence, Intermediate/frequency, Complex/risk): 1 1 N.A. 2 N.A. N.A. N.A. N.A. N.A.
Process unit (Simple/consequence, Intermediate/frequency, Complex/risk): 1 1 1 2 2 N.A. 3 N.A. N.A.
Process system (Simple/consequence, Intermediate/frequency, Complex/risk): 1 1 2 2 2 3 3 3
Equipment (Simple/consequence, Intermediate/frequency, Complex/risk): 1 1 1 2 2 2 3 3 3

(a) N.A., not applicable; 1, first task in series; 2, second task in series; 3, third task in series.

1.6. Limitations of CPQRA

CPQRA limitations must be understood by management if sensible goals are to be established for studies. These limitations must also be understood by the technical personnel responsible for the study. Some references address the potential limitations of CPQRA (Freeman, 1983; Joschek, 1983; Pilz, 1980). A summary of technical and management limitations, their implications, and possible means for reducing their impact is provided in Table 1.7. More detailed treatment of the technical limitations of CPQRA component techniques is provided in Chapters 2 and 3. Technical limitations of the data required for CPQRA and of special topics are addressed in Chapters 5 and 6, respectively.

From Table 1.7 it is apparent that many of the limitations of CPQRA arise from uncertainty. The estimation of uncertainty is discussed in Section 4.5. Uncertainty should decrease in the future, as models become standardized, equipment failure rate data relevant to the CPI are more fully developed and collected systematically, risk analysis expertise becomes more widely disseminated, and human consequence effect data are more widely developed. Some specific data (e.g., toxicity) are currently incomplete and inexact and are a major source of uncertainty in CPQRA.

Where uncertainty is a major issue, relative or comparative uses of CPQRA may be preferable to absolute uses. Where CPQRA risk estimates are to be compared in an absolute sense to risk targets, or risk “acceptability criteria,” concern should increase over the issue of absolute accuracy of these estimates.
Unlike process economic studies such as discounted cash flow analysis that use cost estimate qualities with an accuracy of ±15%, CPQRA estimates have much greater absolute uncertainty, typically covering one or more orders of magnitude. The estimate’s uncertainty is directly proportional to the depth and detail of the calculation and quality of models and data available and used. Both the Canvey Island (Health & Safety Executive, 1978, 1981) and Rijnmond Public Authority (1982) studies present discussions of uncertainty and accuracy, and the reader is referred there for further detail.

TABLE 1.7. Limitations of CPQRA and Means to Address Them

TECHNICAL

Cause of limitation: Incomplete or inadequate enumeration of incidents
Implication to CPQRA: Underestimate risk for a representative set or expansive list of incidents
Remedies: Require proper documentation; involve experienced CPQRA practitioners; apply alternative enumeration techniques; peer review/quality control; review by facility design and operations personnel

Cause of limitation: Improper selection of incidents
Implication to CPQRA: Underestimate risk for all incident groupings
Remedies: Involve experienced CPQRA practitioners; apply alternative enumeration techniques; peer review/quality control; review by facility design and operations personnel

Cause of limitation: Unavailability of required data
Implication to CPQRA: Possibility of systematic bias; uncertainty in consequences, frequencies, or risk estimates; incorrect prioritization of major risk contributors
Remedies: Secure additional resources for data acquisition; expert review/judgment; ensure that knowledgeable people are involved in assessing available data; check results against other models or historical incident records; evaluate sensitivities

Cause of limitation: Consequence or frequency model assumptions/validity
Implication to CPQRA: Similar in effect to data limitations
Remedies: Ensure appropriate peer review; check results against other models or historical incident records; ensure that models are applied within the range intended by model developers; ensure that mathematical or numerical approximations that may be used for convenience do not compromise results; use, if feasible, different models (e.g., a more conservative and a more optimistic model) to establish the impact of this type of uncertainty

MANAGEMENT

Cause of limitation: Resource limitations (personnel, time, models)
Implication to CPQRA: Insufficient time to complete depth of study; insufficient depth of study; inadequate quality of study
Remedies: Extend schedule; defer study until resources available; identify major risk contributors and emphasize these; amend scope of work

Cause of limitation: Skills unavailable
Implication to CPQRA: Incorrect preparation and analysis; improper interpretation of results
Remedies: Acquire expertise through training programs, new personnel, or consultants

Two other sources of insight into the issue of absolute accuracy and uncertainty are also available. Figure 1.14, taken from Ballard (1987), summarizes data collected by the National Centre of Systems Reliability on a number of reliability assessments for the period 1972-1987. The diagram was developed through collecting data on the actual performances of plants and process systems and prior estimates of the reliability of these same plants and process systems. While there are a number of uncertainties related to the studies, data collection methods, etc., as stated by Ballard, “it is clear [from Figure 1.14] that in an overall sense one can expect the results of a reliability study to give a very good indication of the likely accident frequency from a plant.” The 2:1 and 4:1 ranges shown on Figure 1.14 indicate that about 60% of the predictions of failure rates were within a factor of two and about 95% were within a factor of four of actual performance data.

While Figure 1.14 presents cause for accepting risk estimates as reasonable, the second source of insight offers cause for concern. Figure 1.15, taken from Arendt et al.
(1989), summarizes the results of a European benchmark study (see Amendola, 1986) that showed the difficulty in reproducing CPQRA estimates, and the substantial dependency of these estimates on the very basic, defendable, but different assumptions made by various teams of analysts. Each of the teams in the study was given identical systems to analyze, the component techniques to use, and a common Analysis Data Base. The teams were also allowed complete freedom in making assumptions, selecting incidents to study, choosing failure rate data, etc. Figure 1.15 shows that the resulting estimates ranged over several orders of magnitude, well beyond the range of uncertainty calculated by some of the teams. When the teams were subsequently directed to follow similar assumptions, the resulting estimates converged to a much more acceptable range (i.e., within a factor of 5). This study and its implications are discussed in more detail in Chapter 4.

FIGURE 1.14. Frequency distribution of the failure rate ratio collected by the National Centre of Systems Reliability over the period 1972-1987 (horizontal axis: cumulative frequency). From Ballard (1987), reprinted with permission.

FIGURE 1.15. Results of European Benchmark Study (horizontal axis: teams of CPQRA experts, A to J). From Arendt et al. (1989), reprinted with permission.

Consequently, it is important to recognize that along with the technical uncertainties associated with models and data discussed elsewhere in this book, the essence of the accuracy and corresponding uncertainty of a risk estimate also depend heavily upon the expertise and judgment of the analyst. The need to document and review such assumptions is discussed in depth in Section 1.9.5.3 on Quality Assurance.

1.7. Current Practices

Safety in design and operation has been important to the CPI since its inception.
A wide range of safety techniques, many of which are currently used by companies and regulatory agencies, have evolved. In the preparation of the original edition of this book, a survey was conducted of 29 major chemical and petroleum companies believed to represent the majority of companies practicing CPQRA techniques in 1986. The results of the survey are summarized in Table 1.8.

All companies use basic engineering codes and standards as part of their safety review. Virtually all companies utilize some qualitative methods for hazard identification. The most common techniques include checklist and index methods. About 60% of the surveyed companies use structured techniques such as HAZOPs or FMEAs. Some companies have their own customized or combined versions, which they refer to as process hazard review techniques. Almost half of these companies are using one of the risk estimation techniques. Quantitative risk targets are being used by about 10% of the surveyed companies.

TABLE 1.8. Survey of Process Safety Techniques in Use (a)

Safety technique                                                   Percentage of surveyed companies using technique
Existing techniques
  Codes and standards                                              100
  Unstructured hazard identification (e.g., indices, judgment)     95
  Structured hazard identification (e.g., HAZOP, FMEA)             60
CPQRA techniques
  Consequence estimation                                           40
  Frequency estimation                                             30
  Risk estimation                                                  20
  Use of risk targets                                              10

(a) Basis: Survey of 29 major U.S. companies (chemical and petroleum) done by Technica in 1986.

Concerns have been expressed over the liability implications of conducting CPQRAs because the existence of these studies implies acceptance of certain levels of risk. Some companies continue to rely on established practice (as specified by engineering codes or standard practices). On legal advice, some are reluctant to produce CPQRAs, fearing that misinterpretation of risk estimates could be damaging.
The counter argument, expressed by those companies that perform CPQRAs, is that the expected reduction in frequency of occurrence or consequence of various incidents more than offsets potential legal difficulties.

A few of the companies surveyed have clear corporate risk policies and targets, which have strong and active corporate board level support. In these companies, the application of various CPQRA techniques plays an important part in the decision-making process. This commitment is reflected in the quality of staff and resources available to CPQRA.

In the public arena, the U.S. government and national organizations have expressed substantial interest in CPQRA techniques. In some states, legislation requiring quantitative risk assessment has been considered or enacted. The establishment of formal risk management programs, which include elements of CPQRA techniques, is a fundamental requirement for most of the legislation (e.g., New Jersey, California, etc.). The U.S. Environmental Protection Agency has also included some risk considerations in the Risk Management Program (RMP) rule under the Clean Air Act Amendments (40 CFR 68, Risk Management Programs for Chemical Accidental Release Prevention).

As with any human endeavor, the risk associated with chemical processing facilities cannot be reduced to zero. Corporate and government approaches to risk management clearly accept this fact. A number of papers have been published on the application of CPQRA in the U.S. and overseas, including DeHart and Gaines (1987), Freeman et al. (1986), Gibson (1980), Goyal (1985), Helmers and Schaller (1982), Hendershot (1996), Ormsby (1982), Renshaw (1990), Seaman and Pikaar (1995), Van Kuijen (1987), and Warren Centre (1986).
At the time of the survey in Table 1.8, few companies possessed the technical resources and expertise required to implement the complete range of CPQRA techniques, although most employed some of the techniques. Dow Chemical, Rohm and Haas, British Petroleum and Union Carbide have published papers describing how they have implemented elements of CPQRA into formal risk management programs (Mundt, 1995; Poulson et al., 1991; Renshaw, 1990; and Seaman and Pikaar, 1995). Many felt that their process safety programs would be substantially enhanced by the use of appropriate CPQRA techniques in process design and operation, while others did not see any incremental benefit from implementing CPQRA techniques. The latter believed that their knowledge and experience already provide for safe plant design and operation.

1.8. Utilization of CPQRA Results

As identified in the management overview section, there are many potential uses of CPQRA results. All of these are variations of approaches to risk reduction. This section highlights the relative and absolute application of CPQRA results.

Relative uses of CPQRA results include a comparison and ranking of various risk reduction schemes based on their competitive effectiveness in reducing risk. A table of cost-risk benefits is constructed (e.g., cost of risk reduction measure vs. reduction in risk achieved; see Section 4.1). This type of assessment is easier to apply and much less affected by potential errors in CPQRA than absolute comparisons of risk estimates with specified targets.

Absolute uses of CPQRA results are usually based on predetermined risk targets. Several government agencies (e.g., Netherlands: Van Kuijen, 1987) have established quantitative risk criteria that must be met for planning approvals or for the maintenance of existing operations. Figure 1.16 shows some of the risk criteria that have been used by various organizations.
The uncertainty bands for these criteria are generally plus or minus one order of magnitude. Also, it should be emphasized that the criteria are dependent upon the method and data specified. CPQRA study results should only be evaluated against criteria based on the exact methodology used in the study.

A few companies also employ risk targets; however, these are usually for in-plant risks, some of which have been published (Helmers and Schaller, 1982). Targets for risks to the public are much more difficult to define (e.g., consideration of both individual and societal risks). Rohm and Haas and British Petroleum are companies that have established and published risk criteria (Renshaw, 1990). Where targets are being used, initial risk estimates are compared with these targets. Where the target has not been achieved, further risk reduction measures are evaluated to reduce the risk estimate to or below the targeted level. Means to reduce the risk further, below the target, are usually pursued if the cost of implementing additional risk reduction measures is reasonable or the uncertainty of the risk estimate is of substantial concern. For this use, potential errors in the CPQRA results can be important.

1.9. Project Management

This section offers an overview of the role of CPQRA project management. A CPQRA must be carefully managed in order to obtain the required results in a timely and cost effective manner. Project management tasks include study goals (Section 1.9.1), study objectives (Section 1.9.2), depth of study (Section 1.9.3), special user requirements (Section 1.9.4), project plan (Section 1.9.5), and execution (Section 1.9.6).

FIGURE 1.16. Acceptable risk criteria (horizontal axis: number of fatalities per event). ALARA, as low as reasonably achievable.

Figure 1.17 provides a logic diagram for CPQRA project management.
This figure shows the unique characteristics of a CPQRA, which depart from normal engineering project management tasks. These tasks must all be addressed within the bounds of applicable constraints (risk targets, budget, tools, people, time, and data).

[FIGURE 1.17. Logic diagram for CPQRA project management. Boxes, in sequence: define goals of CPQRA (Table 1.4) and user requirements; convert goals into study objectives and secure user acceptance (§1.9.2); determine required depth of study to satisfy objectives (§1.9.3; see Figure 1.18); define documentation requirements; construct project plan (§1.9.5), comprising estimate resource requirements (§1.9.5.1), prepare schedule (§1.9.5.2), establish quality assurance procedures (§1.9.5.3), establish training requirements (§1.9.5.4) and establish cost control procedures (§1.9.5.5); execute and complete project (§1.9.6); user reviews draft report and accepts study or modifies requirements; study accepted.]

1.9.1. Study Goals

Section 1.3.2 and Table 1.4 describe typical study goals. These can originate from external sources, such as regulatory agencies, or from internal initiatives (e.g., senior management).

1.9.2. Study Objectives

It is critical for project management to understand the study goals and to firmly establish study objectives. The study objectives define the project goals in precise terms that lead to a project that can be satisfactorily managed to completion. This can best be accomplished by creating a scope of work document that is reviewed and accepted by the user. Where user requirements have been defined, in writing, in advance of the study (e.g., determined by government regulation), this step reduces to interpretation of the requirements for senior management approval.
In converting study goals into objectives through scope of work documents, project management defines the extent of study within the organizational hierarchy (Figure 1.13). Possible study objectives include

• determination of societal risk from company operations that include any of a specified list of chemicals
• determination of risk to employees from modification to an existing process unit
• identification of cost effective risk reduction measures for achieving target risk levels for an existing process unit
• evaluation and ranking of competitive process strategies considering impact to the surrounding community
• determination of relative effectiveness of each of several alternatives to reduce risk from a single piece of equipment.

1.9.3. Depth of Study

A careful determination of the depth of study is essential if CPQRA goals and objectives are to be achieved, adequate resources are to be assigned, and budget and schedules are to be controlled. The calculation workload for a given depth of study can expand factorially as one moves from the origin along any one of the axes of the study cube (Section 1.3.1). It is essential to estimate this calculation burden prior to finalizing a depth of study so that project costs and schedule requirements can be evaluated. A risk analyst and a risk methods development specialist can provide project management with valuable assistance in estimating this workload and with guidance in selecting an appropriate depth of study.

Figure 1.18 presents a schematic for determining the appropriate depth of study. Basically, given an approved scope of work, which specifies the risk measures to be calculated and presentation formats to be used, the analyst needs to select the following (Section 1.3.1):

• the appropriate risk estimation technique
• the appropriate complexity of study
• the appropriate number of incidents.
Once values have been assigned to each of these study parameters, the depth of study (a cell within the study cube given in Figure 1.5) has been determined.

[FIGURE 1.18. Schematic, in sequence: approved scope of work, initial or revised (study objectives, extent of study; see Figure 1.17); select appropriate risk estimation technique; select appropriate complexity of study; select appropriate number of incidents; depth of study defined.]

Various aids to understanding the depth of study and the sensitivity of each of these three parameters are provided in this volume. Table 1.5 describes the depths of study for each of the cells along the main diagonal of the study cube, and Table 1.6 reviews the applicability and sequential order of depth of study for the various levels of the organizational hierarchy given in Figure 1.13. Table 1.6 shows that if a risk analysis (as opposed to consequence or frequency analysis) is required for a facility, it is necessary to synthesize it from analyses done at the process system or equipment levels.

After a depth of study has been selected, the cost of the study and schedule should be estimated and presented to the user for approval. At this point, it is often necessary to revisit study goals and objectives and approved scope of work to see if opportunities exist for reducing costs or accelerating schedules. Costs have a direct relationship to each of the three cell parameters.

The prioritized CPQRA Procedure (Section 1.2.2), an illustration of one sequential approach to using risk estimation techniques, is designed to offer opportunities for cost savings by deferring more detailed studies until simple consequence and frequency estimates have been executed. Hazard evaluation and consequence calculations are undertaken first to bracket or bound the risks in a facility or establish the extent of hazard posed by a single piece of equipment.
The depth of consequence studies increases if required at successively lower levels of the facility's hierarchy (Figure 1.13). Frequency calculations can next be undertaken for process units, systems, and pieces of equipment; the depth of these studies follows the same pattern as for consequence studies. Finally, risk calculations are primarily reserved for process systems and equipment. The complexity of these calculations and the number of incident outcome cases necessary for each piece of equipment and associated piping limit use of this technique to screening or intermediate studies.

A decision to select a cell in the risk estimate plane represents a "quantum jump" in complexity and calculation workload from either the consequence or frequency planes. To illustrate, consider a system that processes flammable materials that has 10 incidents selected for study. Suppose these 10 incidents result in 20 separate incident outcomes. If there are 8 wind directions, 3 wind speeds, 3 weather stabilities, and 2 ignition cases for each cloud, there are 144 (8 × 3 × 3 × 2) incident outcome cases for each of the 20 incident outcomes. If the calculation grid for a risk contour plot were 10 × 10 (i.e., 100 grid receptor points, which is relatively coarse for drawing risk contours) a total of 288,000 (20 × 144 × 100) calculations is necessary. This provides only a base-case estimate of risk. Any evaluation of the range of the estimate or of risk reduction measures requires multiplication of this burden by another factor. Such an effort is often impractical for manual implementation.

The number of incident outcome cases to study can expand dramatically based on the depth of study selected. A single, omnidirectional incident outcome (e.g., BLEVE) produces a single incident outcome case. A directional toxic incident becomes in effect W incident outcome cases, where W is the number of weather cases.
A flammable directional incident becomes W × I incident outcome cases, where I is the number of separate cloud ignition cases. Each incident may lead to several incident outcomes that may lead to many incident outcome cases. In effect, each aspect of the study produces a parameter. The number of discrete values for this parameter serves as a multiplier in amplifying the number of cases that need to be constructed and executed by the risk analyst.

TABLE 1.9. Parameters Affecting Calculation Burden

Study parameters (X_i) (a)                                         Typical values
I   = Number of incident outcomes                                  5-30
W   = Weather stability classes                                    2-4
N   = Wind direction                                               8-16
S   = Wind speeds                                                  1-3
V   = Day/night variations                                         1-2
E   = Number of end points (lethality, serious injury, etc.)       1-5
T   = Ambient temperature cases (season variations)                1-4
I   = Ignition cases                                               1-3
P   = Population cases                                             1-3
G_I = Grid points for individual risk contours                     100-1000
G_S = Grid points for societal risk curves                         1-100
M   = Number of iterations on base case                            2-5

(a) Parameters listed may or may not apply in the following formula to estimate the study's calculation burden:

Number of calculations = $\prod_{i=1}^{n} X_i$

where n = number of applicable parameters and X_i = study parameters from above listing.

Table 1.9 lists typical values for various study parameters and offers a formula for estimating the number of cases. This listing is not complete, nor are the values offered applicable to all studies. In fact, a study for a single process unit that considers isolation and mitigation may have more than 1000 incident outcomes rather than only 5 to 30. Evaluation of a large facility would require consideration of many such units. Although the CPQRA methodology presented here applies to these more complex studies, extensive use of computer models by knowledgeable practitioners is generally recommended to provide cost-effective results.
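The estimate that Table 1.9 describes, as an added Python example that is not part of the book: it reproduces the 288,000-calculation base case given earlier and then varies each parameter across its Table 1.9 range, one at a time, to show which parameter drives the workload. The dictionary keys, the function names and the one-at-a-time scheme are assumptions made for this example.

```python
from math import prod

# Typical value ranges (low, high) copied from Table 1.9.
# The keys are names chosen for this example, not the book's symbols.
TABLE_1_9 = {
    "incident_outcomes": (5, 30),
    "weather_stability": (2, 4),
    "wind_directions": (8, 16),
    "wind_speeds": (1, 3),
    "day_night": (1, 2),
    "end_points": (1, 5),
    "ambient_temperature": (1, 4),
    "ignition_cases": (1, 3),
    "population_cases": (1, 3),
    "grid_individual": (100, 1000),
    "grid_societal": (1, 100),
    "iterations": (2, 5),
}

# The flammable-material base case worked through in the text:
# 20 incident outcomes, 8 x 3 x 3 weather cases, 2 ignition cases,
# and a 10 x 10 grid of receptor points.
BASE_CASE = {
    "incident_outcomes": 20,
    "wind_directions": 8,
    "wind_speeds": 3,
    "weather_stability": 3,
    "ignition_cases": 2,
    "grid_individual": 100,
}


def outcome_cases(kind, weather_cases=1, ignition_cases=1):
    """Incident outcome cases produced by a single incident outcome."""
    if weather_cases < 1 or ignition_cases < 1:
        raise ValueError("case counts must be at least 1")
    if kind == "omnidirectional":        # e.g. BLEVE: a single case
        return 1
    if kind == "toxic_directional":      # one case per weather case
        return weather_cases
    if kind == "flammable_directional":  # weather cases x ignition cases
        return weather_cases * ignition_cases
    raise ValueError(f"unknown incident outcome kind: {kind!r}")


def calculation_burden(params):
    """Product of the applicable study parameters (Table 1.9 formula)."""
    for name, value in params.items():
        if not isinstance(value, int) or value < 1:
            raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return prod(params.values())


def burden_range(applicable):
    """Lowest and highest burden when every applicable parameter sits at
    the low or the high end of its Table 1.9 range."""
    low = {name: TABLE_1_9[name][0] for name in applicable}
    high = {name: TABLE_1_9[name][1] for name in applicable}
    return calculation_burden(low), calculation_burden(high)


def sensitivity(base):
    """Vary one parameter at a time across its Table 1.9 range, holding the
    others at their base values. Returns (name, burden_at_low, burden_at_high)
    tuples, largest high/low ratio first."""
    rows = []
    for name in base:
        low, high = TABLE_1_9[name]
        at_low = calculation_burden({**base, name: low})
        at_high = calculation_burden({**base, name: high})
        rows.append((name, at_low, at_high))
    rows.sort(key=lambda row: row[2] / row[1], reverse=True)
    return rows


if __name__ == "__main__":
    print("cases per flammable outcome:",
          outcome_cases("flammable_directional", 8 * 3 * 3, 2))
    print("base-case calculations:", calculation_burden(BASE_CASE))
    print("range over Table 1.9 limits:", burden_range(BASE_CASE))
    for name, at_low, at_high in sensitivity(BASE_CASE):
        print(f"{name:20s} {at_low:>10,d} .. {at_high:>10,d}")
```

For this base case the receptor grid is the dominant multiplier: refining it from 100 to 1000 points raises the burden tenfold, more than any other single parameter.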
As with the example presented above, the analyst would develop an estimate by selecting values for those parameters that apply and multiplying them together. The analyst can also develop estimate sensitivity by varying parameter values within the ranges given in Table 1.9 and using the resulting variations to determine confidence limits for the study's cost estimate.

In selecting an appropriate depth of study, balance must be maintained between trying to construct a representative system model and a manageable CPQRA. Excessively realistic scenarios (in terms of the number of incidents considered, the number of weather and ignition cases, etc.) may result in a study of unacceptable duration or cost, without providing any significant increase in accuracy or insight into process risk. The uncertainties in a risk estimate are often such that substantially increasing the number of incidents considered offers little improvement in estimate quality. A well-selected CPQRA at a lesser depth of study (for example, one that can exploit symmetry and restrict weather and ignition cases) may produce very meaningful results at substantially reduced computational effort and costs.

1.9.4. Special User Requirements

Before constructing a project plan it is imperative to understand user requirements, including any special requirements for reporting and documenting study results. Such special requirements, particularly documentation, may add substantially to project resource requirements. This is discussed in more detail in Section 4.3.

1.9.5. Construction of a Project Plan

A written project plan should be prepared for every CPQRA, regardless of the scope of work or depth of study. The circulation and availability of such a plan to members of the project team provides for communication, team building, and direction.
It is only through the preparation of such a written plan that aspects of the study critical to its success receive adequate attention. Various texts on project management offer useful guidance on preparing a project plan, including suggested plan contents. This material need not be presented here. However, there are aspects of a project plan for a CPQRA that are unique and these are discussed in the following sections.

1.9.5.1. ESTIMATION OF RESOURCE REQUIREMENTS

CPQRAs can require considerable resources. However, if the scope of work, depth of study, and special user requirements are well defined, and if study progress is carefully monitored, resources can be efficiently managed. Principal resources include people, time, information, tools, and funding.

A typical allocation of these resources for a CPQRA of an ordinary process system is shown in Figure 1.19, which is an abbreviated representation of Figure 1.3, through risk estimation. The process system is considered to be of moderate complexity with reactors, distillation train, preheat and heat recovery systems, and associated day-storage. It is located close to populated areas, but with no special topographical or other features that might warrant greater depth of treatment. Resource estimates are provided in Figure 1.19 for the three depths of study discussed in Table 1.5. Special topics addressed in Chapter 6 are not included in Figure 1.19, as they are not common to all studies.

The estimates presented assume a once-through estimate of risk. Further iterations to satisfy acceptability of the risk estimate (Figure 1.3) or to satisfy modified user requirements (Figure 1.17) are not included. The number of iterations can be considered incremental cost multiples of the once-through estimate.

Table 1.10 summarizes the total manpower requirements for the depth of study alternatives obtained from Figure 1.19. The upper and lower limits are approximations only.
Nonetheless, they are in general agreement with studies conducted by experienced companies. The very broad range of time required for frequency estimation reflects the variation in use of complex tools, such as fault trees. Fault trees are commonly used in the nuclear industry. As noted on the table, project management activities have not been included in the totals presented. Administration of the project may require an additional 5-10% of the total manpower estimates presented.

[FIGURE 1.19. Resource allocation guidelines for a process system CPQRA. The figure gives people, effort and tools for consequence estimation, frequency estimation and risk estimation at the simple, intermediate and complex depths of study. Abbreviations: PE, process engineer; RA, risk analyst; MW, person-week; PFD, process flow diagram; P&ID, piping & instrumentation diagram; HAZOP, hazards & operability study; FMEA, failure mode & effect analysis.]

1.9.5.2. PROJECT SCHEDULING

Table 1.10 provides guidance on the total manpower required for a risk analysis. The elapsed time is a function, to some degree, of the number of personnel provided, but there is an inherent task structure in each depth of study that constrains project management from paralleling all individual tasks. Consequence and frequency analyses can be done in parallel, but must logically follow hazard identification and incident selection.
Final risk estimation must await completion of the consequence and frequency analyses.

TABLE 1.10. Manpower Requirements for Depths of Study of a Single Process System (Unit)

Activity                                    Simple/consequence    Moderate/frequency    Complex/risk
                                            CPQRA                 CPQRA                 CPQRA
                                            (person-week) (a)     (person-week) (a)     (person-week) (a)
Data compilation                            0.5-1.5               2-4                   4-8
Hazard identification/incident selection    1-2                   2-4                   4-8
Consequence estimation                      0.5-1                 2-3                   3-10
Frequency estimation                        0.5-1                 0.5-2                 3-20
Risk estimation                             0.5-1                 0.5-2                 2-5
Preparation of final report                 0.5-1.5               2-4                   2-8
Totals (b)                                  3.5-8                 9-19                  18-59

(a) Note that the data presented have units of person-weeks. These data also need to be converted to calendar weeks by the project manager through development of a project schedule. The resulting number of calendar weeks may be substantially greater than the values shown above, depending on availability of critical personnel, tools, training opportunities, etc.
(b) The values presented do not include project management activities, which can be estimated as an additional burden of 5-10% of the totals shown. Sensitivity studies are also not included and are often required to evaluate potential risk mitigation measures.

Opportunities to execute tasks in parallel must be balanced against opportunities to avoid tasks through following prioritized procedures such as discussed earlier in this chapter (Section 1.2.2).

In constructing the project schedule, it is important to obtain input and agreement from the risk analyst and other specialist members or groups. Milestones need to be established that correlate with the logical end points presented in Figure 1.3. Having well-defined milestones permits meaningful status reports to be issued throughout the life of the project.

1.9.5.3. QUALITY ASSURANCE

The first step in quality assurance is to ensure the adequacy and availability of staff and resources for the study.
Since CPQRA is a relatively new CPI technology, it is likely that the expertise of staff support will be deficient in certain technology areas. Consequently, quality assurance is a critical check and balance procedure of any CPQRA project plan. Adequate resources need to be assigned to quality assurance as a line item in the project plan.

Early risk analysis studies (e.g., Rijnmond Public Authority, 1982) were routinely passed on to independent reviewers. These reviews were budgeted at up to 10% of the primary budget. Such outside reviews are now less common, but are appropriate for organizations relatively inexperienced in CPQRA. Alternatively, outside experts may be commissioned to undertake the study. Their activities can be monitored by company staff. This monitoring may be done by periodic meetings or by a staff member assigned to the review team.

Such peer reviews or reviews by corporate staff of outside-expert work products are only one of several layers of reviews that can be built into the project plan to ensure quality. The need for reviews by members of the project team, by plant and corporate staff groups, by peers or experts, and by management should be considered in planning and scheduling activity. The purposes of these various reviews are given in Table 1.11.

TABLE 1.11. CPQRA Reviews and Purposes

Project team internal review: Identify miscommunication; challenge method selections, models used, assumptions, etc. Perform first complete review of the initial draft report of the study prior to release to the user.

Plant staff: Reveal any misrepresentation of plant practices, existing hardware and process configurations, facility operational data, and site characteristics.

Corporate staff: Ensure consistency with previous CPQRA formats, adherence to company CPQRA practices, adequacy of documentation, etc. If staff includes risk analysts, provide peer review functions to the project team.

Peer or expert review: Review should be carried out by competent risk analysts not involved in the CPQRA. Review should focus on appropriateness of methods, quality and integrity of the data base used, validity and reasonableness of assumptions and judgments, as well as recommendations for further study.

Management: Assuming the role of user, management should be satisfied that the report meets its requirements completely, in line with the agreed on scope of work and that all conclusions and recommendations, if any, are thoroughly understood.

Each of these reviews should produce a written report of findings to the project team manager. All findings should be formally resolved prior to issuing a final report. Any report from plant or corporate staff may be useful to add to the study as documentation. Reports from peer reviewers or experts should be added to the CPQRA without alteration to enhance the credibility of the report and to document the performance of such a critical review.

Even though the component techniques of a CPQRA are rigorous and disciplined, numerous opportunities exist to introduce uncertainty and error into the study. For this reason, a formal quality assurance program may be desirable. Such programs have routinely been developed to assure the quality of probabilistic risk assessments (PRAs) in the nuclear industry. Such efforts have focused on the following areas of concern [PRA Procedures Guide (NUREG/CR 2300, 1983)]:

• Completeness. Treatment of the full range of tasks, analyses, and model construction and evaluation should be assured. The completeness issue is most significant in any risk analysis.
It includes such diverse concerns as identification of initiating events, determination of plant and operator responses, specification of system or component failure modes, physical processes analysis, and application of numerical input data.
• Comprehensiveness. A probabilistic risk assessment is unlikely to identify every possible initiating event and event sequence. The aim is to ensure that the significant contributors to risk are identified and addressed. Assurance must be provided that comprehensive treatment is given to all phases of the study in a manner that provides confidence that all significant incidents have been considered.
• Consistency. Consistency in planning, scope, goals, methods, and data within the study is essential to a credible assessment. Equally important is an attempt to achieve consistency from one study to another, especially in methodologies and the application of data, in order to allow comparison between systems or plant designs. In many cases, the acceptability of an activity is based on its comparability (risk) with other similar activities. The use of standardized methods and procedures enhances comparability.
• Traceability. The ability to retrace the steps taken, that is, reconstruct the thought process to reproduce an answer, is important not only to the reviewer and regulator but also to the study team.
• Documentation. The documentation associated with a PRA is substantial. Large amounts of information are generated during the analysis, and many assumptions are made. The information must be well documented to permit an adequate technical review of the work, to ensure reproducible results, to ensure that the final report is understandable, and to permit peer review and informed interpretation of the study results.

Identical quality concerns exist in performing CPQRAs.
Table 1.12 shows potential areas within CPQRAs that require attention in the development of specific quality assurance procedures. Recognize that this table is not necessarily exhaustive and that any particular CPQRA will have its own quality assurance needs. At the least, planning for every CPQRA needs to consider how each of the five areas listed above will be addressed.

TABLE 1.12. Focus of Project Quality Assurance Procedures

Data compilation
• Data should be checked as being correct, relevant and up-to-date
• Data on chemical toxicity should be reviewed for reasonableness
• Documentation of the sources of data used should be maintained

Incident enumeration and selection
• The historical record should be reviewed
• Incidents should reflect all major inventories of hazardous materials
• Incidents rejected (especially rare, large ones) should be reviewed and documented
• Documentation used for hazard identification and for incident enumeration and selection (HAZOP, What-If, etc.) should be maintained

Consequence estimation
• Models should be well documented
• Trial runs should be compared against known results for validation (to protect against misunderstanding of model requirements)
• Consequence results should consider all important effects (e.g., explosion analysis should include blast and thermal radiation effects)
• Effect models should correspond to the study objectives
• Documentation of input data and results should be maintained

Frequency estimation
• Historical data should be confirmed as being applicable
• Fault and event tree model results should be confirmed against the historical record where feasible
• Documentation of the frequency estimation should be maintained

Risk estimation
• Results should be checked against experience for reasonableness
• Audit trail of documentation should be maintained

1.9.5.4. TRAINING REQUIREMENTS

CPQRAs require the use of skilled and experienced personnel. For simpler studies (consequence or frequency), the skills of the process engineer with some risk analysis training may be adequate. A CPQRA utilizing the risk plane requires inputs from both process engineers and risk analysts. A risk analyst without the support of a process engineer experienced in the design and operation of the particular process unit, system, or piece of equipment, is unlikely to understand the process in adequate detail to carry out the study. Process engineers must be thoroughly trained and have participated in preparing risk estimates for real process systems before they undertake CPQRAs without the assistance of risk analysts.

There are several reference texts and training courses that provide an introduction to CPQRA (Appendix R). Important skills include knowledge of hazard identification techniques [reviewed in the HEP Guidelines, Second Edition (AIChE/CCPS, 1992)] and the consequence and frequency estimation techniques reviewed in this book. Useful introductory publications to CPQRA topics include the other texts in the CCPS Guidelines series, Lees (1980), TNO (1979), and Rijnmond Public Authority (1982). The technique descriptions in Chapters 2 and 3 identify many useful references specific to the individual techniques. A topical bibliography that offers numerous references under many of the topics related to CPQRA is being made available by CCPS on diskettes. (Contact CCPS in New York for details.)

It is important to note that well-constructed and well-executed CPQRAs rely heavily on judgment. Short training programs provide users with the necessary tools; however, judgment can come only from the experience of applying them. Project management must be aware that estimates from inexperienced practitioners need greater scrutiny than those from accomplished risk analysts.

1.9.5.5. PROJECT COST CONTROL

As CPQRAs can consume substantial resources, attention to cost control in developing a project plan is essential.
Once funding has been approved, it is important to document the allocation of that funding to accomplish the study. This allocation covers

• manpower costs (internal to the organization)*
• tool acquisition and installation (hardware and software)*
• data acquisition*
• computer costs
• training costs
• travel
• publication and presentation
• outside consultant services (all types)*
• project overheads

The four starred (*) items above offer unique problems for CPQRA project managers. They represent greater uncertainty in preparing project cost estimates than do the other contributors. Consequently, greater effort to define them for estimate purposes is required, and greater attention to them through cost control procedures during the project is necessary.

The project manager must rely on the risk analyst for estimating model development costs, software acquisition costs, outside consulting services, and data acquisition expense. Because of the potential for uncertainty, it is good practice to require that the risk analyst provide documentation for cost estimates, including statements from any anticipated source of outside service (e.g., consultants, data acquisition). For example, if the scope of work required earthquake analysis and this was beyond the capabilities of the organization's staff, it would be necessary to provide at least preliminary estimates for this analysis from outside firms. While this may require additional effort in preparing resource requirements, this effort should result in better definition of costs prior to project approvals and the avoidance of cost overruns thereafter. Such documentation can also be used as input to cost control procedures over the life of the project. Otherwise, routine project cost controls in use for managing capital projects can be applied.

1.9.6. Project Execution

A project manager has successfully completed the project when he has completed his scope of work.
In preparing that scope of work, the project manager should specify the means of measuring his project's progress in terms of percent completion. To calibrate the project milestones with completed performance, the project manager needs to confer with the risk analyst and agree on the assignment of degrees of project completion with logical end points in the CPQRA sequence (Figure 1.3). The project manager is responsible for providing status reports comparing actual versus estimated progress presented on the approved project schedule. Causes for delays or cost overruns need to be investigated and explained, and remedial action identified and implemented where necessary.

1.10. Maintenance of Study Results

CPQRA results should be maintained after the completion of the study as an integral part of a company's risk management program. Any actions taken as a result of the study should be documented as well. As discussed in the management overview, CPQRA results can be important to the company's risk management program (New Jersey, 1988). Such a program should be kept up to date, and so should the associated CPQRAs.

The CPQRA report should be a living document. As the plant is modified or as procedures change, the CPQRA should be updated, where relevant, to provide management with information on the effect of such changes on risk. The CCPS Guidelines for Process Safety Documentation (1995) describe the documentation in more detail.

It is important to control and monitor the distribution of all copies of a CPQRA report so that each recipient receives all updates and does not use outdated information for decision-making. Periodically the register of report holders should be used to confirm location of all report copies and updated throughout the organization.

Documenting the systematic approach followed in performing CPQRAs permits subsequent readers, perhaps uninvolved with the original work, to follow the analysis.
Each individual stage (hazard and incident identification, consequence and frequency estimation, and risk estimation) can be important later.

The maintenance of CPQRA results also provides continuity to a risk management program. The importance of management systems in the reduction of risk is receiving greater attention (Batstone, 1987). Risk management program components discussed by Boyen et al. (1988) are itemized below, along with their dependencies on maintained CPQRAs:

Technology
- Process Safety Information. The CPQRA provides a current summary of hazards on the site and a listing and summary of all important relevant documents.
- Process Risk Analysis. This is the primary function of the CPQRA, one that must be kept up to date and made available to new staff.
- Management of Change (Technology). All changes/modifications should be subjected to the same rigor of analysis as the original study.
- Rules and Procedures. These should be developed in the context of the CPQRA results.

Personnel
- Staff Training. The CPQRA presents insights to specific facility risks with all relevant documents appended or referenced.
- Incident Investigation. The CPQRA can be useful in incident investigation, to check whether the event was properly identified and if protective systems performed as expected. If not previously identified, it should be added to the CPQRA and the results recalculated. Additional risk reduction measures may be suggested.
- Auditing. The CPQRA can serve as a guide to the auditor to familiarize the auditor with major risk contributors and past studies of them.

Facilities
- Equipment Tests and Inspections. The CPQRA highlights the importance of testing intervals in maintaining protective system reliability. Regular checks are necessary to ensure these are maintained.
- Prestartup Safety Reviews. This function is similar to the auditing role. Important features are identified for inspection and checking.
- Management of Change (Facilities).
See Management of Change (Technology). Emergencies -CPQRAs can assist in developing a site emergency response plan. Some Additional Uses (not specific to the site risk management program) -Community Relations. Discussions with the local community are often aided by the availability of up-to-date CPQRAs. 1 . Chemical Process Quantitative Risk Analysis 52 -Plant Comparisons. Many companies operate several plants of similar design. CPQRA data from one can be used as a guide for new plants o r for modifying other existing plants. -Operating Standards. All the CPQRA component techniques make assumptions of how the plants should be operated (HAZOP, fault tree failure frequencies, consequence calculations, etc.). When documented and kept current, these can be checked at a later stage for accuracy. It is important to recognize that a CPQRA shows whether a plant can operate at a given risk level, but cannot ensure that the plant will operate consistent with the assumptions used to estimate risk. Naturally, if actual operations differ from study assumptions, the risk estimates produced cannot be considered representative. Study assumptions need to reflect reality, and as reality changes, so must study assumptions. Corresponding risk estimates will need to he undated. Updates can be triggered by process changes (e.g., hardware, software, material, procedures), availability of improved input data (e.g., toxicology data) introduction of company risk targets advances in CPQRA component techniques changes to company property (e.g., neighboring process units, administration building relocation) changes in neighboring property (e.g., expansion of a housing development to company property limits) Maintenance of a CPQRA means much more than assuming the availability of a copy of the original study in an organization’s files, though it is important to preserve and store the results in a secured system. 
The need to maintain the study should be recognized and accepted at the time the commitment is made to execute the CPQRA. As with any process documentation, without such commitment, the CPQRA report will gradually but assuredly become dated and lose its value to the company’s risk management program.

1.11. References

AIChE/CCPS (1992). Guidelines for Hazard Evaluation Procedures, second edition with worked examples. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.
AIChE/CCPS (1995). Tools for Making Acute Risk Decisions. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.
AIChE/CCPS (1995). Guidelines for Process Safety Documentation. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.
AIChE/CCPS (1994). Guidelines for Implementing Process Safety Management Systems. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.
AIChE/CCPS (1989). Guidelines for Technical Management of Chemical Process Safety. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.
AIChE/CCPS (1995). Plant Guidelines for Technical Management of Chemical Process Safety. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.
AIChE/CCPS (1988a). Guidelines for Safe Storage and Handling of High Toxic Hazard Materials. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.
Amendola, A. (1986). “Uncertainties in Systems Reliability Modeling: Insight Gained Through European Benchmark Exercises,” Nuclear Engineering Design 93, 215-225, Amsterdam, The Netherlands: Elsevier Science Publishers.
Arendt, J. S. et al. (1989). A Manager’s Guide to Quantitative Risk Assessment of Chemical Process Facilities. JBF Associates, Inc., Knoxville, Tenn., Report No. JBFA-119-88, prepared for the Chemical Manufacturers Association, Washington, D.C.; January.
Ballard, G. M. (1987). “Reliability Analysis-Present Capability and Future Developments.” SRS Quarterly Digest, System Reliability Service, UK Atomic Energy Authority, Warrington, England, pp. 3-11, October.
Batstone, R. J. (1987). Proceedings of the International Symposium on Preventing Major Chemical Accidents. Washington, D.C. (J. L. Woodward, ed.). American Institute of Chemical Engineers, New York. Feb. 3-5.
Box, G. E. P. and Hunter, J. S. (1961). “The 2^(k-p) Fractional Factorial Designs. Part 1,” Technometrics 3(3), 311-346.
Boyen, V. E. et al. (1988). “Process Hazards Management.” Document developed by Organization Resource Counselors, Inc. (ORC) [submitted to OSHA for future rulemaking on process hazards management], Washington, D.C.
Bretherick, L. (1983). Handbook of Reactive Chemical Hazards, 2nd edition. London: Butterworths.
Carpenter, B. H., and Sweeny, H. C. (1965). “Process Improvement with ‘Simplex’ Self-Directing Evolutionary Operation.” Chemical Engineering 72(14), 117-126.
DeHart, R., and Gaines, N. (1987). “Episodic Risk Management at Union Carbide.” AIChE Spring National Meeting, Symposium on Chemical Risk Analysis, Houston. American Institute of Chemical Engineers, New York.
Dow’s Fire and Explosion Index-Hazard Classification Guide, 7th edition, 1994. CEP Technical Manual, American Institute of Chemical Engineers, New York.
Dow’s Chemical Exposure Index Guide, 1994. CEP Technical Manual, American Institute of Chemical Engineers, New York.
EEC (1982). “Major-Accident Hazards of Industrial Activities” (“Seveso Directive”). European Economic Community. Council Directive 82-501-EEC, Official Journal (OJ Reference No. L23), 5.8.1982: Amended October 1982. [Available from European Economic Community, Press and Information Services, Delegation of the Commission of European Communities, Suite 707, 2100 M Street, N.W., Washington, D.C.]
Freeman, R. A. (1983). “Problems with Risk Analysis in the Chemical Industry.” Plant/Operations Progress 2(3), 185-190.
Freeman, R. A. et al. (1986). “Assessment of Risks from Acute Hazards at Monsanto.” 1986 Annual Meeting, Society for Risk Analysis. Nov. 9-12, Boston, MA. Society for Risk Analysis, 8000 West Park Drive, Suite 400, McLean, VA 2210’.
Gibson, S. R. (1980). “Hazard Analysis and Risk Criteria.” Chemical Engineering Progress (November), 46-50.
Goyal, R. K. (1985). “PRA-Two Case Studies from the Oil Industry.” Paper presented at Session 5A of Reliability ‘85, Symposium Proceedings, July 10-12, 1985; Vol 2, p. 5&3. Jointly sponsored by National Centre of Systems Reliability, Warrington, England and Institute of Quality Assurance, London, England.
Hawksley, J. L. (1984). Some Social, Technical and Economical Aspects of the Risks of Large Chemical Plants. Chemrawn III, World Conference on Resource Material Conversion, The Hague, June 25-29.
Health & Safety Executive (1978). Canvey-An Investigation of Potential Hazards from the Operations in the Canvey Island/Thurrock Area. 195 pp. HMSO, London, UK.
Health & Safety Executive (1981). Canvey-A Second Report, 130 pp. HMSO, London, UK.
Helmers, E. N. and L. C. Schaller (1982). “Calculated Process Risk and Hazards Management.” AIChE Meeting, Orlando, FL, Feb. 20-Mar. 3. American Institute of Chemical Engineers, New York.
IChemE (1985). Nomenclature of Hazard and Risk Assessment in the Process Industries. Institution of Chemical Engineers, UK.
Hendershot, D. C. (1996). “Risk Guidelines as a Risk Management Tool,” 1996 Process Plant Safety Symposium, Houston, TX, April 1-2, 1996, Session 3.
ICI (Imperial Chemical Industries) (1985). The Mond Index, 2nd edition. ICI PLC, Explosion Hazards Section, Technical Department, Winnington, Northwich, Cheshire CW8 4DJ, England.
Joschek, K. T. (1983). “Risk Assessment in the Chemical Industry.” Plant/Operations Progress 2(1 January), 1-5.
Kaplan, S., and B. J. Garrick (1981). “On the Quantitative Definition of Risk.” Risk Analysis 1(1), 11-27.
Kilgo, M. B. (1988). “An Application of Fractional Factorial Experimental Designs.” Quality Engineering, 1, 19-23. American Society for Quality Control and Marcel Dekker, New York.
Lees, F. P. (1980). Loss Prevention in the Process Industries, 2 Volumes. Butterworths, London and Boston.
Long, D. E. (1969). “Simplex Optimization of the Response from Chemical Systems.” Anal. Chim. Acta 46, 193-206.
Marshall, V. C. (1987). Major Chemical Hazards. Wiley, New York.
Mudan, K. S. (1987). “Hazard Ranking for Chemical Processing Facilities.” ASME Winter Annual Meeting, Boston, MA. Dec. 13-18. American Society of Mechanical Engineers, New York.
Nelder, J. A., and Mead, R. (1964). “A Simplex Method for Function Minimization.” The Computer Journal 7, 308-313.
Mundt, A. G. (1995). “Process Risk Management for Facilities and Distribution.” AIChE Summer National Meeting, Boston, July 30-Aug 2, American Institute of Chemical Engineers, New York.
New Jersey (1983). “Toxic Catastrophe Prevention Act Program.” State of New Jersey, N.J.A.C. 7: 1, 2, 3, 4 and 6. New Jersey Register, Monday, June 20, 1988, 20 N.J.R. 1402.
NFPA 325M (1984). Fire Hazard Properties of Flammable Liquids, Gases, and Volatile Solids. National Fire Protection Association, Quincy, MA 02269.
NUREG (1983). PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessment for Nuclear Power Plants, 2 volumes, NUREG/CR-2300, U.S. Nuclear Regulatory Commission, Washington, D.C. (available from NTIS).
NUREG (1984). PRA Status Review in the Nuclear Industry, NUREG-1050, Nuclear Regulatory Commission, Washington D.C. September, 1984 (available from NTIS).
NUREG (1985). Probabilistic Safety Analysis Procedures Guide, NUREG/CR-2815, Nuclear Regulatory Commission, Washington D.C. August, 1985 (available from NTIS).
Ormsby, R. W. (1982). “Process Hazards Control at Air Products.” Plant/Operations Progress 1, 141-144.
Pikaar, J. (1995). “Risk Assessment and Consequence Models.” 8th International Symposium on Loss Prevention and Safety Promotion in the Process Industries, June 6-9, 1995, Antwerp, Belgium, Keynote lecture on Theme 4.
Pikaar, M. J., and M. A. Seaman (1995). A Review of Risk Control. Zoetemer, Netherlands: Ministrie VROM.
Pilz, V. (1980). “What Is Wrong with Risk Analysis?” 3rd International Symposium on Loss Prevention and Safety Promotion in the Process Industries, Basle, Switzerland, 6/448-454. Swiss Society of Chemical Industries, September 15-19.
Poulson, J. M. et al. (1991). “Managing Episodic Incident Risk in a Large Corporation.” AIChE Summer National Meeting, Pittsburgh, Aug 18-21, American Institute of Chemical Engineers.
Prugh, R. W. (1980). “Application of Fault Tree Analysis.” Chemical Engineering Progress July, 59-67.
Rijnmond Public Authority (1982). A Risk Analysis of 6 Potentially Hazardous Industrial Objects in the Rijnmond Area-A Pilot Study. D. Reidel, Dordrecht, the Netherlands and Boston, MA.
Renshaw, F. M. (1990). “A Major Accident Prevention Program.” Plant/Operations Progress 9(3), 194-197.
Rosenblum, G. R. et al. (1983). “Integrated Risk Index Systems.” Proceedings of the Society for Risk Analysis. Plenum Press, New York, 1985.
Seaman, M. A., and Pikaar, M. J., “A Review of Risk Control,” VROM, 11030/150, June, 1995.
Spendley, W. et al. (1962). “Sequential Application of Simplex Designs in Optimisation and Evolutionary Operation.” Technometrics 4(4), November.
TNO (1979). Methods for the Calculation of the Physical Effects of the Escape of Dangerous Materials: Liquids and Gases, 2 Volumes. P.O. Box 312, 7300 AH Apeldoorn, The Netherlands.
Tyler, B. J. et al. (1996). “A toxicity hazard index,” Chemical Health & Safety, January/February, 1996, 19-25.
USCIP Working Party (1985). “Standard Plan for the Implementation of Hazard Studies 1: Refineries.” Union des Chambres Syndicales de l’Industrie du Petrole (UCSIP), Paris, France.
US EPA (1980). “Chemical Selection Method: An Annotated Bibliography”: Toxic Integration Information Series. EPA 560/11IS-80-001, November (available from NTIS).
US EPA (1981). “Chemical Scoring System Development,” by R. H. Ross and P. Lu, Oak Ridge National Laboratory. Interagency Agreement No: 79-D-x9856, June (available from NTIS).
Van Kuijen, C. J. (1987). “Risk Management in the Netherlands: A Quantitative Approach.” UNIDO Workshop on Hazardous Waste Management and Industrial Safety, Vienna. June 22-26.
Warren Centre (1986). Hazard Identification and Risk Control for the Chemical and Related Industries--Major Industrial Hazard Project Report (D. H. Slater, E. R. Corran, and R. M. Pitblado, eds.). University of Sydney, NSW 2006, Australia.
Watson, S. R. (1994). “The Meaning of Probability in Probabilistic Risk Assessment.” Reliability Engineering and System Safety 45, 261-269.
Watson, S. R. (1995). “Response to Yellman and Murray’s comment on ‘The meaning of probability in probabilistic risk analysis’.” Reliability Engineering and System Safety 49, 207-209.
World Bank (1985). Manual of Industrial Hazard Assessment Techniques. Office of Environmental and Scientific Affairs, World Bank, Washington, D.C.
Yellman, T. W., and Murray, T. M. (1995). “Comment on ‘The meaning of probability in probabilistic risk analysis’.” Reliability Engineering and System Safety 49, 201-205.