S2S, a gateway for plant and process safety

S2S
A GATEWAY FOR PLANT AND PROCESS SAFETY
Proposal No.: CTC1 2001 43061 Contract No.: G1RT CT 2002 0594

Document Title: Risk Assessment Methodology Editors: Dr. Zoe Nivolianitou, Dimitrios Kefalas, DEMOS Author(s): J Sales (JRC), L.Kelnar, S.E.NISIPEANU (INCDPM),..

Document Date: 30/09/2005 Document No: S2S-R- WP1-T2-NCSR-12(1)D56_ Risk Assessment Methodology Document Version: first Document Status: Open Draft

DEMOS

S2S, a gateway for plant and process safety

Table of Contents
Summary Introduction Purpose of the Guide Risk assessment overview Risk assessment steps Preconditions for carrying out risk assessment Assessment of Plant Damage States and their Frequency of occurrence Hazard source identification Accident sequence determination Plant damage state definition Data and parameters assessment event frequency estimation Accident Sequence and Plant Damage State Quantifications Assessment of Consequences Consequences form toxicity Consequences from radiation and peak overpressure Risk integration Individual risk Group risk List of Figures List of Tables

DEMOS

S2S, a gateway for plant and process safety

Summary
This guide outlines a procedure for assessing risk in the process industries.

DEMOS

S2S, a gateway for plant and process safety

Introduction
Purpose of the Guide

Risk assessment overview A risk assessment consists of four basic components: 1. Hazard identification, 2. Dose-response evaluation, 3. Exposure assessment, and 4. Risk characterization/uncertainty analysis The last component integrates information collected under the first three. Essentially, these components address the following questions: What are the contaminants and their known or possible modes of actions? What is the cause-effect relationship between exposure and human health impact from each contaminant? Who is being or may possibly be exposed to the contaminants and what is the nature and magnitude of exposure? How "bad" is the site; i.e., does it pose an unacceptable human health risk if no remedial action is taken? Risk assessment steps The procedure for quantification the risk can be distinguished into three major phases: 1. Assessment of Plant Damage States and their Frequency of occurrence 2. Assessment of Consequences 3. Risk Integration The Risk assessment methodology is a straightforward procedure which can be distinguished into several successively steps within each of the above mentioned phases. Preconditions for carrying out risk assessment Definition of the objectives The first step of the risk assessment methodology is the definition of the objectives of the assessment. One should clearly state the objectives, scope, purpose and damage states that are of interest. This bounds the problem and makes clear the aim of the assessment. Definition of the system of interest The second step of the procedure requires the definition of the system. Of course, it is important to look at the total system but when this does not mean that the whole plant must be studied when only a specific part of the plant is in concern. Definition of the system implies the understanding of the human-machine interfaces, the

DEMOS

S2S, a gateway for plant and process safety

environmental conditions, the operating conditions, the mechanical and electrical equipment and many other important aspects.

Assessment of Plant Damage States and their Frequency of occurrence

1. Hazard source identification The main sources of potential hazardous-substance releases are identified and the initiating events that can cause such releases are determined. 2. Accident sequence determination A logic model for the installation is developed in this step. The model includes each and every initiator of potential accidents and the response to the installation to these initiators. Specific accident sequences are defined (in models called event trees) which consist of an initiating event, specific system failures or successes and their timing, and human responses. Accident sequences result in plant damage states which involve release of the hazardous substance. System failures are in turn modeled (in models called fault trees) in terms of basic component failures and human errors to identify their basic causes and to allow for the quantification of the system failure probabilities and accident sequence frequencies. 3. Plant damage state definition A plant damage state uniquely characterizes the conditions of release of the hazardous substance. Accident sequences resulting into the same conditions of release are grouped into groups each corresponding to a particular plant damage state. 4. Data and parameters assessment event frequency estimation Parameters which must be estimated include the frequencies of the initiating events, component unavailability and probabilities of human actions. Whenever sufficient data from the past history of the installations operation exist plant-specific estimation of these parameters are possible. Otherwise, generic values are used. 5. Accident Sequence and Plant Damage State Quantifications This step quantifies the accident sequences and the plant damage states, that is calculates their frequency of occurrence. In particular, the plant model built in the second step is quantified using the parameter values estimated in the fourth step. Accident sequences to be quantified in the event trees are specified and manipulated according to the laws of Boolean algebra in order to be put in a form suitable for quantification. Two forms of quantification can be performed: a point-value calculation in which all parameters are assumed deterministically known; or an uncertainty calculation where various forms of uncertainty are quantified. The results of this step is the calculation of the frequency of occurrence of each accident sequence and consequently of each plant damage state.

Assessment of Consequences

DEMOS

S2S, a gateway for plant and process safety

The second phase of the quantified risk assessment aims at the establishment of the consequences of the released hazardous substances. 1. Consequences form toxicity For toxic substances the assessment of the consequences involves the following procedural steps: Determination of Release Categories for Toxic Materials For toxic substances to be dispersed in the atmosphere, this step comprises the determination of all the conditions (installation dependent and environmental) that affect atmospheric dispersion. This includes quantity and physical conditions of the substance released from its containment (outflow models), evaporation rate ( if released in liquid form), temperature, other weather conditions, and so on. Plant Damage States usually are associated with one release category. It is possible, however, that a plant damage state can lead to one of several release categories depending on various uncertain parameters and conditions. Atmospheric Dispersion of Toxic Materials In this step a model simulating dispersion of a toxic substance is established. The model estimates the concentration of the toxic substance as a function of time and space. Each release category leads to a specific concentration level for each point of time and space. Dose Assessment Given the concentration of the toxic substance an individual in the general area of the installation will receive a certain dose (inhalation) of the toxic substance. This depends also on the particular emergency response plan, implemented, in each case. Consequence Assessment A dose/response model receives as input the dose calculated by the dose model and calculates the probability of fatality for the individual receiving the dose. 2. Consequences from radiation and peak overpressure A parallel set of major steps can be distinguished for the assessment of the consequences of released flammable substances. Determination of Release categories of Flammable Material A release category for a flammable material uniquely determines the type of the physical phenomenon that could result in fatalities or injuries. For example, in the case of the LPG, it is established whether a BLEVE will take place or whether an explosion or deflagration will result following atmospheric dispersion of the gas. The type of fire that might result from other flammable materials is another example. Estimation of Heat Radiation and Peak Overpressure In this step, a model for simulating the heat radiation or the peak overpressure resulting from the released flammable material and the associated physical phenomenon is established.

DEMOS

S2S, a gateway for plant and process safety

Dose Assessment The integrated, over time, exposure of an individual to the extreme phenomenon generated by the flammable material is calculated. This defines the dose an individual receives. Consequence Assessment Appropriate dose/response models receiving as input the dose of heat radiation or overpressure calculate the probability of fatality or injury of the individual receiving the dose.

Risk integration
Integration of the results obtained so far, that is combining the frequencies of the various accidents with the corresponding consequences results in the quantification of risk. Two risk measures are usually used to quantify risk. Individual risk at a location Group risk in a given area

1. Individual risk Individual fatality risk is defined as the frequency (probability per unit of time) that an individual at a specific location (x, y) relative to the installation(s) will die as a result of an accident in the installation. The following components are combined to form the individual fatality risk : fi: frequency of the ith initiating event that can lead to an accident (i = 1, . .. , I)

pdi:conditional probability that the ith initiating event will lead to the dth initiating event plant damage state (d = 1, . . . . , D) fd: frequency of the dth plant damage state (d = 1, . . . ., D)

it follows that :

f d =f i Pdi
i= 1

(1)

prd: conditional probability that the dth plant-damage state will lead to the rth release category (r = 1, . . . . , R). It is reminded that the space of release categories includes all possible combinations of installation-related, as well as, other parameters that determine the consequences of the release. (E.g. hole size, conditions of outlet, weather conditions, ignition time). fr : frequency of the rth release category It follows that :

DEMOS

S2S, a gateway for plant and process safety

fr = fd prd =
d=1 D d=1

prd fi pdi
i=1

(2)

cr(x,y): Level of adverse exposure (e.g. heat radiation, dose of toxic material, over pressure) at location (x,y) conditional on release category r. For toxic release this is the dose at point (x,y) given the conditions specified by release category r. pc: Conditional probability of fatality given that one individual is exposed up to a level c of the adverse effect of the hazardous material. pr(x,y): Conditional probability of fatality for an individual at location (x,y) given release category r. It follows that :
Pr x, y = Pc C r x, y

{ (

)}

(3)

R(x,y)

: Frequency of fatality for an individual at location (x,y).

It follows that :

R( x,y) = fr pr ( x,y)
r=1

(4)

Frequencies fi, conditional probabilities pdi and frequencies fd are calculated in the first phase of the analysis (see section 4.1) or are directly estimated (f d) from past operating experience. Frequencies fr include all possible uncertainties in the parameters that determine the level of an adverse effect at a location (x,y) and at time t, consequences cr(x,y) and probability pr(x,y) are calculated during the consequences estimation phase along with the corresponding doses. Usually individual risk is expressed in terms of isorisk curves that are the loci of points with the same level of individual risk. 2. Group risk Group fatality risk precedes one step further than individual risk by taking into consideration the population size and distribution around the site of the installation. Group risk is expressed in terms of the so called (F, N) curves and gives the frequency for the number of fatalities, which exceed the number N. Group risk is calculated as follows: d(x,y): Nr: is the population density at location (x,y) of an area A. is the total number of people that will die in area A given the release

DEMOS

S2S, a gateway for plant and process safety

category r. It follows that :
Nr = Pr x, y d x, y
A

) (

(5)

This process result in R doublets (Nr, fr) which can then be sorted out to form the cumulative distribution function of N or the (F N) curves.

DEMOS