Reliability Engineering and System Safety 29 (1990) 55-68
Quantitative Risk Analysis in the Chemical Process Industry
Gary R. Van Sciver
Rohm and Haas Company, Box 584, Bristol, Pennsylvania 19007, USA
ABSTRACT
Quantitative Risk Analysis (QRA) is a tool that is being used increasingly in the chemical process industry (CPI) to help prevent rare but potentially catastrophic events. The QRA methodology includes:
(1) establishing QRA priorities,
(2) identifying accident scenarios,
(3) quantifying the frequency of each scenario,
(4) quantifying the consequences of each scenario and
(5) quantifying total risk.
A wide variety of factors contribute to the rather large uncertainty of QRA results. The results of a QRA can be expressed in terms of absolute risk which can be compared to established levels of unacceptability. The results can also be expressed in terms of relative risk, indicating the effect on risk of various design options. However, the most important result of QRA is the operational insights revealed to the analysts which lead to risk reduction and understanding of the sources of residual risk. This paper describes the QRA method as it is used in the CPI.
Reliability Engineering and System Safety 0951-8320/90/$03.50 © 1990 Elsevier Science Publishers Ltd, England. Printed in Great Britain
INTRODUCTION
In the last few years, there has been increasing emphasis on the prevention of rare but potentially catastrophic events in the chemical process industry (CPI). Sophisticated techniques are being used to identify high risk operations and to identify means for reducing the risk of accidents in these operations. Quantitative Risk Analysis (QRA) is among the most important of these techniques.
Risk is the likelihood of suffering loss or injury. It is a function of three factors: what can go wrong, the likelihood of it going wrong, and the consequences of it going wrong. In a QRA, an analyst identifies accident scenarios associated with an operation and quantifies the likelihood and consequences of these accidents.
QRA has been in existence for many years. Before its use in the CPI, it was used extensively in the nuclear industry [1]. Unfortunately, the application of QRA in the CPI is much more difficult than in the nuclear industry. This is because of the greater diversity of processes, hazardous materials, equipment types and control schemes in the CPI. This diversity requires new capabilities of QRA, capabilities that are continuously evolving.
In this paper, the methodology of QRA (with an example), the interpretation of QRA results, and the future of QRA in the CPI are discussed.
PROCESS SCREENING
QRA is a tool that usually requires a large expenditure of time and money. In any given year, it may be feasible to look at only a few operations within a company. Therefore, it is essential that QRA be selectively applied on a priority basis. It would be an unfortunate misappropriation of resources to perform a QRA on an operation which is relatively low risk and ignore one which is relatively high risk.
Engineering and management judgement play an important role in setting priorities for QRA. For example, there may be a particular operation which handles large quantities of an especially hazardous substance or there may be a facility which has a history of accidents or of near misses. Table 1 is a list of typical factors that management considers in selecting systems for a QRA. The more questions in this table that are answered yes, the greater the need for a QRA.
TABLE 1
Factors Affecting the Need for QRA
Is a QRA of the process needed to satisfy regulatory requirements?
Is the process a new design?
Are the materials in the process highly flammable or highly toxic?
Does the process (or a similar process) have a history of accidents or near misses?
Is there public concern about the process materials?
Is the process likely to experience a runaway reaction?
Will extended process outages due to accidents result in loss of market share?
Although establishing QRA priorities is usually a qualitative procedure, quantitative techniques do exist which can help. For example, the Dow Fire and Explosion Index [2], the Mond Fire, Explosion and Toxicity Index [3] or other indices [4] can be used. These are quick and systematic procedures for ranking processes by their intrinsic hazards. Operations which are assessed the highest index value would be candidates for QRA.
HAZARD IDENTIFICATION
The first step of a QRA is hazard identification. The objective of this step is to answer the question: what can go wrong? This is the most important step because hazards that are not identified will not be quantified, leading to an underestimated risk. It is important to devote adequate resources to this step to insure a thorough understanding of the hazards.
Some of the techniques used for hazard identification include HAZOP Analysis, Failure Mode and Effects Analysis (FMEA), 'What If' Analysis, Preliminary Hazard Analysis (PHA) and Checklist Analysis. The AIChE-CCPS Guidelines for Hazard Evaluation Procedures [5] describe these techniques in detail.
The method used most often in the CPI is HAZOP Analysis. The word HAZOP is short for HAZard and OPerability. The technique was invented by the ICI in the early 1970s [5], and has become widely used in the USA in the last 5-10 years. In HAZOP Analysis, brainstorming techniques are used to methodically determine the causes and consequences of deviations from normal operating conditions. A HAZOP committee, normally made up of 5-7 individuals with diverse technical backgrounds, identifies the causes and consequences of process upsets. A typical HAZOP study may take from 20 to 80 h, depending on its scope.
There are benefits of performing a HAZOP Analysis beyond identifying hazards for a QRA. The hazards identified during a HAZOP make it easier to assess the relative risk of the process so that QRA priorities can be established. Also, many recommendations for risk reduction result directly from a HAZOP.
After the hazards have been identified, the scope of a QRA can be defined. The QRA will normally focus on accident scenarios associated with specific operations. For example, the QRA may focus on transportation accidents involving a very hazardous material or on runaway reactions in a particular reactor.
FREQUENCY QUANTIFICATION
After the scope of the QRA has been defined and the accident scenarios are developed, a second key question is: how likely is each accident? The objective of frequency quantification is to calculate the probability of each accident scenario. Two common sources of this information are historical data and fault tree analysis. Historical data are based on the accident experience of the system while fault tree analysis is based on the accident experience of the components.
The use of historical data is the quickest technique of quantification, if the appropriate data are available. For example, historical data may be available for a transportation risk study to indicate how many train derailments per year on average can be expected on a particular route. Although the available data are limited, accident probabilities are much easier to calculate directly from historical data and the results are often more accurate. However, it is important that the failure data used are from systems that are very similar to the system being analyzed. If little historical failure data exist, then the uncertainty may be large.
Fault tree analysis [5] is another method for calculating the probability of an accident. This technique has been used extensively in the nuclear industry. It involves modeling the failure mechanisms of a device or a system by use of a logic diagram of AND gates and OR gates. The failure of interest, called the TOP event, is expressed in terms of logical combination of basic events (e.g. component failures and operator errors). The frequency of failure of the basic events is estimated from reliability data bases supplemented by engineering judgement. After the failure data of all basic events have been determined, the frequency of the TOP event can be calculated. Depending on the scope of the QRA, there may be several fault tree analyses or several variations of the same tree.
Ultimately, the frequency of each accident scenario under consideration must be determined.
Fault tree analysis has several weaknesses, but two of the more important ones are model incompleteness and frequency uncertainty. First, the analysis is only as good as the completeness of the listed failure mechanisms. An exhaustive search for these mechanisms is essential for high quality results. Nevertheless, the possibility always exists that an important failure mechanism has been overlooked and not included in the fault tree. Secondly, the absolute value calculated for TOP event frequency is dependent on the quality of the basic event reliability data. Even though the quality of the reliability data that are available in the CPI is continuously improving, data on specific applications are often not available. If this is the case, engineering judgement must be used to estimate reliability data.
A big advantage of fault tree analysis is the insights it provides into the operation. The procedure requires the analyst to continually ask: how can this happen? It requires extensive knowledge of the mechanics of a system. Further, it enables the analyst to identify the most important contributors to TOP event frequency, and often leads to the most effective risk reduction measures. Also, fault tree analysis takes into account the specific system design, e.g. emergency systems, process conditions, and operating procedures.
CONSEQUENCE ANALYSIS
The third element of risk is consequences. The analysis of consequences in the CPI is very complex due to the great variety of materials, chemical reactions and technologies. Consequence analysis is the aspect of QRA that is growing most rapidly.
The objective of consequence analysis is to quantify the negative impact of an event. Consequences are normally measured in terms of the number of fatalities, although they could also be measured in the number of injuries or in property loss. The three types of effects that are normally considered are thermal radiation, explosion overpressure and toxic exposure.
A wide variety of models are used in consequence analysis. Source models [6] are used to predict the discharge rate, the degree of flashing, the amount of aerosol formation, and the amount of evaporation. Vapor cloud models [6] are used to predict the amount of downwind dispersion, taking into account meteorological conditions and vapor density. Impact intensity models [7] are used to predict the consequence zones of fires and explosions. Toxic gas models [8] are used to predict human response to a range of exposures to a toxic material. Other models are used to predict the effects on humans of exposure to fires or explosion overpressure.
A substantial amount of research is being conducted to minimize the uncertainty which exists with many of these models. Nevertheless, because much is still unknown about these phenomena, significant error (an order of magnitude) can be expected in most consequence analyses.
Consequence analysis can be an effective risk reduction tool by itself. The sensitivity of the results to inventory size, storage temperature, storage pressure, buffer zones and material properties can point the way to inherently safer plants.
MEASURES OF RISK
The last step of a QRA is to calculate the actual risk. A number of accident scenarios have been identified. Frequency and consequences have been calculated for each and risk can now be determined.
Fig. 1. Typical risk profile. (Axes: cumulative frequency, 10^-7 to 10^-3, versus damage, 10 to 10,000.)
Fig. 2. Typical risk contours. (Labels: low risk contour, high risk contour, process, fenceline, highway.)
One method of presenting the results of a QRA is a risk profile. This is a plot of frequency versus cumulative number of fatalities and is a measure of risk to society. A typical profile is shown in Fig. 1. The advantage of presenting the results in a risk profile is that the population distribution around the plant and the local meteorological conditions are taken into account.
An alternative method for presenting the results of a QRA is in the form of a risk contour (see Fig. 2) where individual risk is measured instead of risk to society. Individual risk is defined as the likelihood that an individual at a specific location would be exposed to the consequences of accidents associated with the operation under study. While the population distribution is not taken into account with individual risk, the contours are still very useful because the risk at a particular point can be shown, e.g. at the plant fence line.
EXAMPLE CPI QRA
To illustrate the techniques used in QRA, consider the following example. A proposal has been made for the construction of a new process which features a 3000 gallon CFSTR (continuous flow stirred tank reactor). The reaction is catalyzed and exothermic. As shown in Fig. 3, the heat of reaction is removed by cooling water passing through the reactor jacket. Management is concerned because a smaller existing reactor underwent a runaway reaction last year which released toxic material to the atmosphere. No one was injured, but it is feared that a similar incident with this larger reactor may have more severe consequences. Therefore, it is decided that a QRA should be performed.
Fig. 3. QRA example: process schematic. (Labels: reactant A, reactant B, catalyst, rupture disc, discharge, coolant in, coolant out, temperature controller, product.)
The first step of the QRA is a HAZOP study of the process. The seven participants in the study include representatives from the plant, engineering and research. The study takes a week to complete. A number of accident scenarios are identified that could lead to an atmospheric release. Some of these are listed below:
1. loss of coolant flow,
2. agitation interruption,
3. catalyst flow interruption,
4. temperature indicator failure.
These accident scenarios will form the basis of the QRA.
The next step is quantification of frequency which will be done with fault tree analysis (FTA). The TOP event of the fault tree is atmospheric release from the reactor rupture disc discharge line. The upper levels of the fault tree are shown in Fig. 4. Based on these results, a number of recommendations (below) that should significantly reduce the probability of a release are identified.
Recommendations from the FTA
1. Install a redundant temperature indicator.
2. Interlock the coolant flow and the reactant feeds.
3. Interlock the catalyst flow and the reactant feeds.
4. Interlock the agitator rotation and the reactant feeds.
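The fault tree quantification described under FREQUENCY QUANTIFICATION, applied to the events of Fig. 4 and to recommendation 1, as an added example that is not part of the paper. The gate types (OR everywhere, AND for the redundant indicator), the event identifiers and every probability are constructed assumptions, and basic events are taken to be independent.

```python
import math
from itertools import product

# Basic-event probabilities per year: CONSTRUCTED values, not from the paper.
P = {
    "premature_rd_failure": 1e-3,
    "agitation_interruption": 5e-3,
    "catalyst_flow_interruption": 2e-3,
    "loss_of_coolant": 1e-2,
    "temp_indicator_failure": 2e-2,
    "redundant_indicator_failure": 2e-2,
}


# A gate is (kind, [children]); a leaf is a basic-event name.
# Events follow Fig. 4; the OR gate types are an ASSUMPTION.
def release_tree(temperature_indication):
    loss_of_temp_control = ("OR", ["loss_of_coolant", temperature_indication])
    runaway = ("OR", ["agitation_interruption", "catalyst_flow_interruption",
                      loss_of_temp_control])
    # "Overpressure" has the runaway reaction as its only input, so it is folded in.
    return ("OR", ["premature_rd_failure", runaway])  # TOP event


ORIGINAL = release_tree("temp_indicator_failure")
# Recommendation 1: both indicators must fail (assumed AND gate).
MODIFIED = release_tree(("AND", ["temp_indicator_failure",
                                 "redundant_indicator_failure"]))


def probability(node, p):
    """TOP probability; exact only if events are independent and not repeated."""
    if isinstance(node, str):
        return p[node]
    kind, children = node
    probs = [probability(child, p) for child in children]
    if kind == "AND":
        return math.prod(probs)
    return 1.0 - math.prod(1.0 - q for q in probs)


def cut_sets(node):
    """Minimal cut sets: smallest event combinations that cause the TOP event."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    parts = [cut_sets(child) for child in children]
    if kind == "OR":
        sets = {s for part in parts for s in part}
    else:  # AND: one cut set from every child must occur together
        sets = {frozenset().union(*combo) for combo in product(*parts)}
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def contributions(tree, p):
    """Fraction of TOP probability removed if an event could never occur."""
    base = probability(tree, p)
    events = sorted(set().union(*cut_sets(tree)))
    share = {e: (base - probability(tree, {**p, e: 0.0})) / base for e in events}
    return sorted(share.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for label, tree in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(f"{label}: P(TOP) = {probability(tree, P):.3e} per year")
        for cs in cut_sets(tree):
            print("  cut set:", " AND ".join(sorted(cs)))
        for event, frac in contributions(tree, P):
            print(f"  {event}: {frac:.1%} of TOP probability")
```

With these constructed numbers the temperature indicator is the largest contributor in the original tree, and adding the redundant indicator turns its single-event cut set into a two-event one, leaving loss of coolant as the dominant contributor.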
Fig. 4. QRA example: fault tree. (TOP event: atmospheric release from reactor RD discharge. Events shown: premature RD failure, overpressure, runaway reaction, agitation interruption, loss of temperature control, catalyst flow interruption, loss of coolant, temperature indicator failure.)
The next step of the QRA is the consequence analysis. A wide variety of models are used to estimate the consequences of a runaway reaction. Some of the things that are considered include the reaction kinetics, the flow through the rupture disc line, the vapor cloud behavior, and the weather conditions. The results for one set of conditions are shown in Fig. 5.
Fig. 5. QRA example: consequence analysis results. (Labels: wind, vapor, fenceline, highway.)
Finally, the overall risk is calculated from the frequency and consequence estimates. The results are presented in risk profiles (Fig. 6) and risk contours (Figs 7 and 8) for the process with and without the recommendations for improvement implemented. These comparisons clearly show the quantitative improvement gained by implementing the recommendations.
Fig. 6. QRA example: risk profiles. (Axes: cumulative frequency versus damage; curves: original case, modified case.)
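The two measures from MEASURES OF RISK, computed for an original and a modified case as in Figs 6 to 8, as an added example that is not part of the paper. Scenario frequencies, weather outcome probabilities, hazard radii, fatality counts and the 150 m fence line distance are all constructed, and a hazard zone is assumed to be circular and fatal throughout.

```python
import math

# CONSTRUCTED inputs, not from the paper. An outcome is
# (conditional probability, hazard radius in m, fatalities) for one weather case.
RUNAWAY_OUTCOMES = [(0.70, 50, 0), (0.25, 200, 3), (0.05, 800, 40)]
RD_OUTCOMES = [(0.90, 30, 0), (0.10, 100, 1)]

# A case is a list of (scenario, frequency per year, outcomes).
ORIGINAL_CASE = [
    ("runaway reaction release", 1e-3, RUNAWAY_OUTCOMES),
    ("premature rupture disc failure", 1e-4, RD_OUTCOMES),
]
# ASSUMED effect of the recommendations: runaway frequency five times lower.
MODIFIED_CASE = [
    ("runaway reaction release", 2e-4, RUNAWAY_OUTCOMES),
    ("premature rupture disc failure", 1e-4, RD_OUTCOMES),
]


def outcome_frequencies(case):
    """Flatten a case into (frequency per year, radius, fatalities) rows."""
    rows = []
    for name, freq, outcomes in case:
        if not math.isclose(sum(p for p, _, _ in outcomes), 1.0):
            raise ValueError(f"outcome probabilities of {name!r} must sum to 1")
        rows += [(freq * p, radius, n) for p, radius, n in outcomes]
    return rows


def risk_profile(case):
    """Societal risk: (N, frequency per year of N or more fatalities)."""
    rows = outcome_frequencies(case)
    levels = sorted({n for _, _, n in rows if n > 0})
    return [(n, sum(f for f, _, m in rows if m >= n)) for n in levels]


def individual_risk(case, distance_m):
    """Frequency per year that a hazard zone reaches a point distance_m away.

    Population plays no part here, unlike in risk_profile().
    """
    rows = outcome_frequencies(case)
    return sum(f for f, radius, _ in rows if radius >= distance_m)


def expected_fatalities(case):
    """Average fatalities per year, a single-number summary of the profile."""
    return sum(f * n for f, _, n in outcome_frequencies(case))


if __name__ == "__main__":
    for label, case in (("original", ORIGINAL_CASE), ("modified", MODIFIED_CASE)):
        print(label)
        for n, freq in risk_profile(case):
            print(f"  {n:>3} or more fatalities: {freq:.1e} per year")
        print(f"  individual risk at 150 m: {individual_risk(case, 150):.1e} per year")
        print(f"  expected fatalities per year: {expected_fatalities(case):.2e}")
```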
UNCERTAINTY
The development of QRA in the CPI is still in its infancy. Some aspects of risk are inherently difficult to quantify due to a lack of knowledge or data. Assumptions must often be made to reduce the scope of the QRA to a manageable level, but this often eliminates some risk contributors. All of these factors contribute to the uncertainty of QRA in the CPI. Tables 2 and 3 list specific sources of uncertainty. Some of the listed items contribute to the error of both frequency and consequence estimates. Some of the listed items are very significant contributors. This list is not complete but it still indicates how QRA estimates can be in error by an order of magnitude or more.
Fig. 7. QRA example: original risk contour. (Labels: 10^-6 and 10^-4 contours, process, fenceline, highway.)
Fig. 8. QRA example: modified risk contour. (Labels: houses, fenceline, highway.)
TABLE 2
Contributors to Frequency Uncertainty
1. Incomplete hazard identification study
2. Incomplete knowledge of the chemical hazards
3. Incomplete fault tree analysis
4. Incomplete reliability data
5. Human behavior assumptions
6. Incomplete list of common mode failures
7. Plant construction errors
8. Process changes
9. Procedural changes
10. Maintenance schedule changes
11. Incomplete operator training
12. Management errors
Part of the uncertainty stems from the difficulty of verifying results. Since the accident scenarios under consideration are such rare events, we would not expect to actually experience any during the entire operating life of the plant. In addition, many of the individual assumptions which contribute to uncertainty are difficult to verify. For example, the human response to exposure of toxic materials is virtually impossible to test.
Usually QRA models are conservative so that the calculated risk of identified hazards is overstated. Of course, the calculated risk of unidentified hazards is not included. These two effects tend to cancel each other, but either may be dominating.
TABLE 3
Contributors to Consequence Uncertainty
1. Assumptions regarding the quantity, temperature, pressure and composition of the hazardous material
2. Source model assumptions
3. Vapor cloud model assumptions
4. Impact intensity model assumptions
5. Toxicity assumptions
6. Thermal radiation model assumptions
7. Explosion model assumptions
8. Ignition source assumptions
9. Meteorological assumptions
10. Population distribution assumptions
11. Vulnerability of population assumptions
12. Mitigating factor assumptions
QRA BENEFITS
The estimate of risk is not the most important result of a QRA. QRA is a tool for examining the elements of risk. There are a multitude of ways to reduce risk, but the analysts should be able to determine which measures will be most effective. This is how QRA can best serve the CPI.
During the process of performing a QRA, the analysts are required to learn the chemical operation in detail. The chemical hazards must all be thoroughly understood. Every important failure mechanism must be uncovered. All of the factors which determine if people can be harmed by the operation are completely analyzed. By following this exhaustive procedure, the analysts will likely develop insights into how to reduce the risks of the operation in the most cost-effective manner.
For example, during the course of the QRA the analysts may observe that a particular process is inherently too hazardous to be placed near a large population center. They may observe that the use of a key safety interlock can dramatically reduce the likelihood of a runaway reaction. They may observe that the hazards of storing a large quantity of a toxic material cannot be substantially reduced by engineering controls, and therefore the inventory of the material must be reduced. These insights are typical of those an analyst will learn during the course of his review.
FUTURE OF QRA
One question will be asked of every chemical process that is built: is it safe? The answer is never straightforward. There will always be a demand for more information. QRA is an obvious source of that information. Trends indicate that in the future, QRA will play an increasingly important role in risk management throughout the CPI.
It could be argued that the state of the art of QRA is not sufficiently developed to provide a useful product. However, it is likely that in the future the uncertainty of QRA estimates will continually be reduced. The models should become more and more accurate as they are verified with research. Also, as people become more familiar with the strengths and weaknesses of the tool, they will probably put it to better use.
QRA is already being used by some European governments as a tool to measure absolute risk [9]. The risk must meet standards that have been established for acceptability and unacceptability. Those who understand the uncertainties inherent to QRA may object to such a rigid application of the tool. There is a legitimate fear that excessive resources will be spent on an exercise which encourages overly simplified risk management. Nevertheless, the use of QRA in the public and political arena is likely to expand. The need to develop skills in risk management and in the application of QRA must be recognized.
CONCLUSIONS
Indications are that QRA will be used increasingly in the future. However, there is always a danger of using the results of a QRA blindly, without sound engineering and management judgement. But the need for sound judgement is evident whether QRA is used or not. Without QRA, the effects of poor judgement may be worse.
With the expected rapid growth of QRA in the CPI, there are likely to be improvements to the method and reduction in the uncertainty. Nevertheless, the tool must be kept in perspective. It is only one small part of a total risk management program. The most important part is having competent engineers, operators and managers.
REFERENCES
1. WASH-1400, Reactor Safety Study: An Assessment of Accident Risks in US Commercial Nuclear Plants. US Nuclear Regulatory Commission, Rockville, MD, October 1975.
2. Dow's Fire and Explosion Index Hazard Classification Guide, 6th edn. AIChE, New York, 1987.
3. Lewis, D. J., The Mond Fire, Explosion and Toxicity Index--A Development of the Dow Index, presented at the AIChE Loss Prevention Symposium, Houston, Texas, April 1979.
4. Mudan, K. S., Hazard Ranking for Chemical Process Facilities, presented at the ASME Winter Annual Meeting, Boston, MA, December 1987.
5. Guidelines for Hazard Evaluation Procedures. Prepared by Battelle Columbus Division for CCPS/AIChE, AIChE, New York, 1985.
6. Guidelines for Use of Vapor Cloud Dispersion Models. Prepared by Steven R. Hanna and Peter J. Drivas for CCPS/AIChE, AIChE, New York, 1987.
7. The Assessment of Major Hazards. The Institution of Chemical Engineers, London, 1982.
8. Risk Analysis in the Chemical Industry. Chemical Manufacturers Association, Government Institutes Inc., Rockville, MD, 1985.
9. Environmental Program of The Netherlands 1986-90, the Government of The Netherlands, 1985.