Você está na página 1de 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

Table of Contents
1. RISK-BASED DECISION MAKING ___________________________________________4 1.1. 1.2. Document Scope______________________________________________________4 Overview of the Hazard (Issue) Identification / Risk Evaluation Process ________5

1.3. Risk Assessment Basics _______________________________________________5 1.3.1. Raw Risk vs. Installed Risk ___________________________________________6 1.3.2. Priority for Risk Reduction Measures (Hierarchy of Control) __________________6 1.3.3. A Risk Matrix as a Tool for Assessing Risk _______________________________6 2. RISK-BASED DECISION MAKING SAFETY AND HEALTH (Acute Exposure)_______7 2.1. The BASF Risk Matrix____________________________ Error! Bookmark not defined. 2.1.1. Purpose __________________________________________________________7 2.1.2. Basis_____________________________________________________________7 2.1.3. Format ___________________________________________________________7 2.1.4. Using The BASF Risk Matrix __________________________________________8 2.1.5. Risk Determination and Risk Reduction_________________________________10 2.1.6. Risk Classes______________________________________________________11 2.2. Layers of Protection Analysis (LOPA) ___________________________________12 2.2.1. Introduction_______________________________________________________12 2.2.2. Applicability ______________________________________________________12 3. RISK BASED DECISION MAKING RESOURCE ALLOCATION (Economic Risk) ___12 3.1. The Kinney Method___________________________________________________13 3.1.1. Applicability ______________________________________________________13 3.1.2. Methodology______________________________________________________13 3.2. Financial Risk Matrix _________________________________________________14 3.2.1. Applicability ______________________________________________________14 3.2.2. Scope ___________________________________________________________15 3.2.3. Purpose _________________________________________________________15 3.2.4. Basis (Methodology)________________________________________________15 3.2.5. Format __________________________________________________________15 3.3. Risk Based Inspections _______________________________________________16 3.3.1. What is RBI? _____________________________________________________16 3.3.2. Applicability ______________________________________________________16 3.3.3. Methodology______________________________________________________17 3.3.4. Tools for RBI _____________________________________________________17 3.3.5. Documentation of assessment and results ______________________________17

Page 2 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

Table of Contents cont.


DEFINITIONS ______________________________________________________________ 19 APPENDICIES APPENDIX 1 Risk-Based Decision Making Process Map________________________ 21 APPENDIX 2 The BASF Risk Matrix________________________________________ 22 APPENDIX 3 Risk Matrix Quick Reference___________________________________ 23 APPENDIX 4 BASF Risk Matrix Severity Definitions___________________________ 24

APPENDIX 5 BASF Risk Matrix Frequently Asked Questions and Examples ________ 25 APPENDIX 6 Financial Risk Matrix_________________________________________ 33 APPENDIX 7 Financial Risk Matrix Severity Definitions_________________________ 34 APPENDIX 8 Financial Risk Matrix Frequently Asked Questions and Examples______ 35 APPENDIX 9 Kinney Method Probability and Severity Tables____________________ 37 APPENDIX 10 Kinney Method Frequently Asked Questions and Examples _________ 39 APPENDIX 11 RBI Examples_____________________________________________ 45 APPENDIX 12 RBI - Inspection Frequency Matrix_____________________________ 46 APPENDIX 13 Layers of Protection Analysis (LOPA)____________________________ 47 APPENDIX 14 Excerpts from Horizon Presentation on IEC-61511 regarding LOPA____ 50

Page 3 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

1.

RISK-BASED DECISION MAKING 1.1. Document Scope The processes and tools contained in this document are geared toward the analysis of Environmental, Health & Safety and economic risk related to episodic or acute risk scenarios based in the operations of chemical processes as one facet of Risk-based Decision Making. These processes are not designed for the assessment of the effects of long-term, chronic chemical exposures nor detailed financial management risk analyses. Examples showing the proper application of this processes and tools can be found in the appendices of this document. The BASF International Process Safety Expert Group (IPSEG) developed a risk matrix in 1998 for use as the determining tool when risk evaluations for health effects are undertaken anywhere in the Group. Through use and experience, this matrix has proven to be effective in meeting the needs of most risk-related decisions. However, additional emphasis on risk-based decision making has raised the awareness of, and consequently the need for additional tools to enhance and clarify proper application of the existing risk matrix as well as the need to recognize other risk evaluation tools that can appropriately complement the BASF Risk Matrix. It is the intention of this revised Guide to: Provide additional guidance in the use of the BASF Risk Matrix, and Examine other risk evaluation tools, citing appropriate areas of applicability. Unchanged from the earlier version of the BASF Risk Matrix Users Guide is the acknowledgement that the primary focus of the BASF Risk Matrix is for the examination of on-site health effects (injuries, illnesses & fatalities). Supplementary listings have been developed for off-site health effects, off-site property damage, environmental effects and negative publicity for reference purposes when on-site health effects cannot accurately be determined or do not fully describe the potential scope of an incident. The BASF Risk Matrix remains a semi-quantitative assessment tool, where severity and probability are given order of magnitude values. Experience within BASF has shown that use of the BASF Risk Matrix allows relatively abstract concepts to be expressed in a more easily understood, logical form. The methodology has provided consistency in the decision-making process, no matter where executed. It has proven effective in helping teams develop consensus on a path forward. It is well integrated into the Process Hazard Analysis logic employed throughout the BASF Group. Through benchmarking studies against a number of varying risk evaluation tools, the BASF Risk Matrix has been proven to not be overly conservative, but rather maintains a competitive risk environment that retains an acceptable conscientiousness in our business undertakings. Further interpretation assistance can be obtained by contacting any member of the NAFTA Process Safety Center of Excellence (CoE) or the Process Safety organization in Ludwigshafen, GUS/A.
Page 4 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

1.2.

Overview of the Hazard (Issue) Identification / Risk Evaluation Process Risk exists in all aspects of life. However, not everyone has the same concept of risk. What may be an unacceptable risk for one person may be an integral part of life for another. The same holds true for businesses. With such widely varying concepts of risk, a global company the size of BASF endeavors to employ a consistent approach to its risk evaluations, enabling like-for-like comparisons as well as clear guidance to defining acceptable risk levels for company activities. Risk is defined as the relationship between the frequency of an incident arising and the severity of the ensuing consequences. This relationship can be easily expressed in the form: Risk = Probability/year x Severity, or more succinctly R=PxS The evaluation task is normally executed by a multi-disciplinary team, consistent with the BASF philosophy of recognizing the value of bringing a group of people together to draw on their varied knowledge and experience to best carry out such evaluations. The risk evaluation process in its simplest form is first comprised of identifying hazards (or issues) associated with a particular process. The term process is used here in its most general form, representing a broad spectrum of possibilities, from simply crossing a street, to carrying out a chemical reaction in a manufacturing facility. From these hazards (or issues), scenarios that could occur based on the presence of a particular hazard are postulated. The probability for the triggering event is established. For each scenario, the consequences that could arise are ascertained. The severity of those consequences is then assessed. Taking the results of the probability determination and the severity of the consequences, referring to a risk matrix results in a risk value. Based on this risk value, the acceptability of the scenario is determined. For those risks that are deemed unacceptable, supporting guidance defines the additional steps necessary for risk reduction to an acceptable level.

1.3.

Risk Assessment Basics Risk-based decisions take on many forms. In the same sense, the selection of an appropriate tool for guiding the decision making process has to be chosen. For Safety & Health related risk evaluations, the use of the BASF Risk Matrix is highly recommended in order to ensure a consistent solution in line with the risk tolerance expectations of BASF. These are the most common situations encountered in the technical reviews of capital projects and in the course of carrying out hazard assessments in operating facilities. Another category of decision making involves determinations that have potential financial impact. These could include decisions related to investment in a particular area, evaluation of changing frequencies of certain activities like inspections and testing in an effort to reduce cost, or other aspects of a practice or operation. Care must
Page 5 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

be taken to ensure that the scope of the evaluation is limited to the examination of the financial impact. Where overlaps into potential Safety & Health issues arise, the BASF Risk Matrix is the evaluation tool that must be used. Financial risk evaluations can take into consideration many diverse factors, including business impact, the scale and type or publicity generated, and other matters. For these decisions, methodologies have emerged that provide guidance in the decisionmaking process. These include, among others, the Kinney Method and various forms of assessment under the general heading of Layers of Protections Analyses (LOPA). Specific guidelines with regard to the use of these tools are included in this revision of the BASF Risk-Based Decision Making Guidance Document. 1.3.1. Raw Risk vs. Installed Risk BASF assesses the raw risk of a potential hazard. This raw risk assessment is made using the basic process design and controls. The installed safeguards or control measures (PSVs, SISs, DCS interlocks, etc.) are not taken into consideration for this assessment, but rather are applied after the initial raw assessment is made. Once the raw risk is determined for a particular scenario, the risk level is compared to the applicable safeguards to determine the resulting installed risk. The installed risk must fall below the BASF acceptable risk threshold as defined in the BASF Risk Matrix. If not, the risk must be further reduced. Existing safeguards must correspond to the risk reduction measures specified by the BASF Risk Matrix (i.e. if the raw risk is unacceptable, at least one safeguard of SIL equivalent 2 or 3 must be installed in order to result in an acceptable installed risk. 1.3.2. Priority for Risk Reduction Measures (Hierarchy of Control) 1) Inherently Safer Design - To make the process or the design inherently safer (i.e., chemical substitution) have priority when selecting safeguards 2) Passive design features (i.e., pressure proof design) 3) Mechanical protective devices (i.e., PSVs) 4) I&E protective devices SIS (i.e., SIL-3, or SIL-2 instrumentation) are only implemented when the other options are exhausted or when not technically or economically feasible 5) Administrative Controls (example: checklists with sign-off) should be used to achieve risk reduction when other measures are not possible, or to further reduce the risk after other measures have been implemented. The impact of procedural measures in reducing risk is somewhat limited, normally about one order of magnitude. 1.3.3. A Risk Matrix as a Tool for Assessing Risk Description A widely used risk assessment tool is a risk matrix (See Appendix 2 for the BASF Risk Matrix). A risk matrix consists of a grid with probability rankings on
Page 6 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

one axis and severity rankings on the other. The points on the grid between the two axes represent different levels of risk. Applicability Risk matrices can be used to evaluate the effects of a hazard from several different aspects, such as Health Effects (injuries, fatalities), Environmental Effects (water contamination, soil contamination, fish kill, etc.), and Financial Effects (business interruption, property loss, etc.). When to use a Risk Matrix Risk matrices can be used anytime that hazard assessment is being performed. Researchers during process development, engineers and designers during the engineering phases of a project, the review team during the Ecology & Safety Project Reviews or PHAs, and engineers and operators during day-to-day operation of the plant all perform risk assessments. Sometimes this is done formally, but more often it is done informally as a part of everyday activities. The BASF Risk Matrix should be utilized during the step review process to help determine the appropriate risk reduction measures early in the design concept, so the risk reduction measures can be incorporated into the initial estimate of the project and not adversely impact the project costs later. 2. RISK-BASED DECISION MAKING SAFETY AND HEALTH (ACUTE EXPOSURE) 2.1.

The BASF Risk Matrix 2.1.1. Purpose The BASF Risk Matrix was developed to evaluate individual situations in a consistent manner for the protection of human life. These standards set risk reduction requirements, which are based on the maximum level of acceptable risk as determined by BASF. When the risk determined by the assessment is found to be unacceptable (risk class A, B, or C), certain design or control measures are required to reduce the risk to an acceptable level.

2.1.2. Basis The BASF Risk Matrix is a semi-quantitative assessment tool, where the severity and probability values represent orders of magnitude. At times the team may not always arrive at a clear-cut decision. The Process Safety CoE or the Process Safety organization in Ludwigshafen, GUS/A can be consulted for risk assessment guidance and assistance in interpreting the BASF Risk Matrix.

2.1.3. Format The BASF Risk Matrix is a 4x5 matrix with four severity classes (S1-S4) and five probability classes (P0-P4). The severity classes represent the magnitude of the consequences of an incident with decreasing effects. The probability classes represent the order of magnitude of how often the incident happens with decreasing likelihood. There are twenty potential risk fields within the matrix. These fields are broken down into six risk classes, designated by the letters A-F. These designations correspond with the minimum safeguards, or
Page 7 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

design / control measures required in order to bring the risk to a level acceptable within BASF.

2.1.4. Using The BASF Risk Matrix In order to obtain reliable results from the risk matrix, a consistent approach must be followed when using the BASF Risk Matrix. The following is a list of the steps to use the matrix and guidance for properly completing each step.
1) Identify the sources of potential danger. (Hazards) Hazard identification is the ability to identify sources of potential dangers of a project, process, or process change, which may cause harm to people, or damage to property and possibly the environment. This identification does not focus on what can, or may go wrong, but rather the sources of the actual danger inherent to, in this case, a particular chemical, group of chemicals, or a process. 2) Identify what can go wrong. (Deviations) Hazards are usually manifested when a deviation from normal conditions occurs, or in other words, when something goes wrong. These deviations will be the starting point. For each hazard, determine deviations, which can occur and lead to an unsafe condition. 3) Identify the Root Causes of the Deviation (Independent Primary Faults). Next, investigate the actual (root) causes of each of these deviations. This is needed to determine the likelihood. Each separate root cause is referred to as an Independent Primary Fault. There may be several primary faults, which can lead to a particular deviation. When using the risk matrix, do not consider multiple primary faults which are independent of one another and which must occur simultaneously for the deviation to occur. Multiple primary faults are considered, however, when one can lead to another (dependent), if a single failure can cause several faults (common cause failure), or if one or more of the faults can lay undetected for a period of time (passive faults). 4) Determine the result of this Deviation (Incident). For each deviation, hypothesize the potential effects. This is needed to determine the severity. There may actually be several results (incidents/consequences) from the deviations identified. Each of these undesirable incidents, which could potentially result from each deviation, should be evaluated using the BASF Risk Matrix. 5) For each Root Cause, determine the Severity of the Consequences of the Incident and the Probability of that initiating event. Once the potential incidents have been identified, the severity of the effects of the incidents and the probability, or likelihood of each occurrence, of the root causes of those events can be evaluated.

Page 8 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

Severity is the consequence or undesirable outcome of a potential hazard manifested by way of an incident. The ultimate, or final consequence needs to be identified, when assessing potential hazards, however there may be several other undesirable consequences leading up to or occurring along with the ultimate consequence, which may also need to be evaluated and addressed. Each potential hazard may have more than one undesirable outcome, which all should be addressed, with attention focused primarily on the most severe consequence. Probability is actually the likelihood of the potential hazard occurring. Identifying the probability of occurrence sometimes requires an estimation of the initiating event. BASF uses categories utilizing Orders of Magnitude, to help in identifying the frequency of occurrence ranging from P0 (happened a couple of times [once per year or more often]), to P4 (Not a credible scenario [less than once per 10,000 years]). (See BASF Risk Matrix Appendix 2) When these properties are assessed, one must not take credit for any of the existing or proposed safeguards (ex. safety interlock, PSV, etc.), use only the basic process control system and the design features as they have been planned. This is done in order to obtain a raw risk value. From this raw value, the necessary level of protection can be determined. Once the required level of protection is determined, the existing or planned safeguards can be evaluated to determine if they provide an adequate level of risk reduction. Note 1: There may potentially be several probability and severity rankings for each scenario. Perform step 5 for each pair of values to determine the greatest potential risk. Note 2: Each variation of the scenario should be evaluated, and then checked against the countermeasures designed for that particular scenario.

6) Determine the Level of Risk by locating the intersection of the Probability and Severity values on the BASF Risk Matrix. The probability and severity of each set of consequences can only be estimated. Therefore, the Probability (P0-P4) and Severity (S1-S4) values on the risk matrix are given as orders of magnitude. Follow the Probability value horizontally to the right and the Severity value vertically downward and note the point of intersection. The colored box with a letter designation represents the intersection of the Probability and Severity values. This colored box, with its letter designation identifies the risk level for the hazard scenario being evaluated. The risk levels range from A (extreme, totally unacceptable risk) to F (very small, acceptable risk). The key at the bottom of the risk matrix page gives the corresponding risk value.

Page 9 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

7) Determine the Risk Reduction Measures needed to move the risk to the acceptable level (if necessary). The letter designating the resulting risk refers to the Minimum Level of Protection necessary to make the risk acceptable. Further risk reduction may be desirable and/or necessary based on the individual situation.
BASF has implemented a hierarchy of controls for risk reduction, which gives the order of preference for the types of control measures. (See Risk Classes)

8) Determine if further risk reduction is justified. If the resulting risk is unacceptable (risk class A, B, or C), then implementing the minimum risk reduction measures will move the risk into the acceptable area. However, it is strongly recommended to take one or two additional measures (layers of protection) to further reduce the risk associated with this Deviation. If a letter D or E designates the resulting risk, then the risk is acceptable, but the plant or business group should consider taking additional measures to further reduce the risk associated with this Deviation. Other risk-based decision making methodologies such as the Kinney Method or a Financial Effects risk matrix may be used to make this cost-benefit analysis. If the letter F designates the resulting risk, then no further risk reduction is necessary or economical. 9) Documentation of the Risk Assessment Once risk assessments have been made for the hazards identified for a process review, initial PHA, revalidation, etc., they must be properly documented and the documentation retained appropriately. Documentation should include a description of the scenario, the Consequence(s) of the deviation, the Probability of each consequence, and the resulting Risk level(s). Additionally, any special circumstances or measures that affect the resulting risk should be documented. The risk assessment becomes part of the Process Safety Information (PSI) for the process reviewed. 2.1.5. Risk Determination and Risk Reduction It is BASFs practice that the initial risk reduction step from raw risk value to acceptable risk be made with only one protective device. Additional risk reduction measures can be implemented to further reduce the risk (monitoring devices, administrative controls, etc.)

Page 10 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

2.1.6. Risk Classes A. Risk Class A Extreme Risk This risk level is totally unacceptable and is not manageable using common engineering or administrative measures for risk minimization. This mandates a design modification of the system to make the process inherently safer. Risk Class B Very Large Risk This risk level is unacceptable. A process or design change, or a protective device is required. Protective measures must be equivalent to a SIL-3, if used as safeguards. It may be necessary to consult with the I&E Engineering Department and the Process Safety CoE. Additional risk reduction measures beyond the initially selected measure are recommended.
Special case risk field P1S1 (A/B) This field falls on the borderline between Risk Class A and B, and requires a case- by-case evaluation with the involvement of the Process Safety CoE. The team performing the safety review may decide the risk cannot be managed using an I&E protective device, (Risk Class A) in which case, the process or design should be modified to reduce the risk.

B.

C.

Risk Class C Large Risk This risk level is unacceptable. A process or design change, or a protective device is required. Protective measures must be equivalent to SIL-2, if used as safeguards. It may be necessary to consult with the I&E Engineering Department and the Process Safety CoE. Additional risk reduction measures beyond the initially selected measure are recommended. Risk Class D Medium Risk This risk level is acceptable, but would benefit from further reduction. A process or design change, or a protective device is optional. At minimum, a monitoring device or an administrative procedure is strongly recommended. I&E monitoring devices must be high quality with documented testing if used as safeguards. Administrative procedures have to be of high quality if used as a safeguard (i.e., checklist with sign-off, double-check by independent person, etc.) Risk Class E Small Risk This risk level is acceptable, but may be reduced further by using administrative procedures or monitoring devices. Risk Class F Very Small Risk This risk level is acceptable. No additional safeguards are necessary.

D.

E.

F.

Page 11 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

2.2.

Layers of Protection Analysis (LOPA) 2.2.1. Introduction Layers of Protection Analysis (LOPA) is a risk-based decision making methodology employed by a number of companies in the petrochemical industry. Its use is primarily oriented to the determination of Safety Integrity Levels (SIL) for Safety Instrumented Systems (SIS) or in other words, to determine the necessary reliability for I/E protective devices (interlocks) to reduce the raw risk in a given system to an acceptable level.
LOPA is one of the SIL determination methodologies recognized by ISA-84.01 and IEC 61511 and is rather popular because a certain amount of credit is given for discrete, independent protection layers, which are not explicitly credited in risk matrix use. However, when rigorously applied, experience has shown this method to yield generally the same protection requirements as the BASF Risk Matrix. A considerable drawback with LOPA is that if not used properly, credit may be assigned for protection layers that are not truly independent from others. As a result, double or triple credit is given to safeguards, leading to a false sense of security and an improperly low resulting risk.

2.2.2. Applicability The BASF Global Competence Center for Engineering, along with the BASF International Process Safety Expert Group, has determined that the BASF Risk Matrix is the only methodology to be used within BASF for SIL determination. LOPA methodologies are not highly desirable tools for applications outside of SIL determination due to high manpower time requirements and narrowly focused output; therefore, it will have very little if any applicability within BASF. 3. RISK BASED DECISION MAKING RESOURCE ALLOCATION (ECONOMIC RISK)
Risk assessment techniques can be used for more than Safety and Health evaluations. Risk can also be defined in terms of lost opportunities, lost production, poorly spent time or money, or more generally, as misapplied resources. There are rarely sufficient resources available to meet all needed and/or desired demands; therefore, it is important to be able to prioritize the allocation of these resources in order to gain the most benefit for the level of resources expended i.e., to get the most bang for the buck. It is important to note that the use of the word resource does not just denote Money, but also Time, Materials, etc. This type of resource allocation assessment is known as a cost-benefit analysis and enables the user to estimate the benefit obtained against the resources needed. There are many different types of cost-benefit analyses that can be performed depending on the situation and resources to be analyzed. This document will discuss three of the methods routinely used within BASF for optimizing the allocation of resources; the Kinney Method, an Operability/Financial risk matrix, and a Risk Based Inspections program.
Page 12 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

3.1.

The Kinney Method 3.1.1. Applicability The Kinney method may be used for evaluating all types of risk scenarios, but BASF has imposed some limitations for use in Safety and Health risk evaluations. The BASF Risk Matrix must first be used on all safety and health evaluations in order to determine if the risk involved is acceptable based on the standardized BASF acceptability criteria. Once this determination has been made, the Kinney method may be used in a number of ways.
First, if the evaluated risk is unacceptable, the Kinney method may be used to select the most cost effective solution from among the approved methods of risk reduction (typically process changes or protective measures). For example, it may be used to determine if it is better to spend $XX for a two order-ofmagnitude risk reduction, $YY for a three order-of-magnitude risk reduction, or $ZZ for a process change to limit or eliminate the hazard. Second, if the resulting risk is already acceptable, but in the D or E risk class (further risk reduction encouraged), the Kinney method may be used to determine if further risk reduction provides a cost benefit, and which method is the most cost effective. This tool may also be used for risk assessments involving operability or maintenance issues where human health or safety is not involved in the assessment, or used to evaluate organizational improvements and EHS related projects and for the prioritization or evaluation of discretionary maintenance or operational spending.

3.1.2. Methodology There are many similarities in the use of the Kinney method to the Risk Matrix; however, there are a few noticeable differences.
The severity factor (S) is selected from among various types of consequences including financial effects, quality, environmental impact, and minor health and safety issues. The Likelihood is broken up into two different terms, the first being a Probability factor (P), and the other being a Frequency of Occurrence, or Exposure factor (E). The Frequency of Occurrence factor represents the frequency that a particular operation takes place. The Probability factor signifies the probability that the intended operation will experience a failure, leading to the consequences specified. Tables of values for the Severity, Probability, and Exposure factors are found in Appendix 9. The numerical value of the three factors Likelihood, Frequency of Occurrence, and Consequence are multiplied together to obtain the numerical risk factor (R0 = P0 x E 0 x S0). This represents the existing, unimproved situation.
Page 13 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

Next, the improved situation is evaluated by theorizing values for these same factors for the future conditions after the risk reduction measures have been implemented. The three factors are assigned values based on the improved situation, which are multiplied together to find the new risk value (R1 = P1 x E 1 x S1). Finally, the cost factor, Kf, is calculated based on the implementation cost of the risk reduction measure(s) and an inflation adjusted numerical constant (Kconst currently $250).

Kconst = Cost

1/ 3

Using the original risk (R0), improved risk (R1), and the cost factor (Kf), a cost efficiency factor is calculated. This cost efficiency factor (Keff) is then evaluated to determine the relative efficiency of two or more measures, or is evaluated against a standard table to determine if the measure is economically justifiable.

eff

= (R0 R1) Kf

The two equations can be combined in the following expression:

eff

Kconst = (R 0 R1) Cost

1/ 3

Typically a Keff of greater than 20 is thought to be quite cost effective; a Keff of between 10 and 20 is usually cost effective, but should be further evaluated; and a Keff of less than 10 is likely not a cost effective risk-reduction solution.

3.2.

Financial Risk Matrix 3.2.1. Applicability Operability or Financial risk matrices have been developed for use within BASF as tools for EHS economic risk assessment, operational issue identification during EHS reviews, cost benefit analyses and other financial evaluations. The risk matrix found in appendix 6 has been successfully demonstrated to be an excellent tool for assessing operability, product and cost issues, which have a financial impact on BASF.
The attached matrix addresses on-site & off-site property damage, environmental damage and publicity all of which have financial consequences. Economic risk consideration may be made in parallel with, not instead of, safety and health risk assessments. Note: The consequences identified and associated risk reduction measures only apply to financial impacts. Health effects must be evaluated and addressed using the BASF Risk Matrix.
Page 14 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

3.2.2. Scope The scope of the Financial Risk Matrix is for determining potential operations issues identified during EHS reviews. Many times during PHAs, operational concerns, such as operability issues, product quality yield / quality, environmental cost impacts and property damage arise, which have no safety or health consequences, but may have adverse cost impacts on the company. A financial risk matrix such as the one found in appendix 6 can be used to help address these issues. Note: This financial risk matrix is not intended for determinations of investment risk, insurance risk or other major financial risk assessments for the company. 3.2.3. Purpose Financial risk matrices are developed to evaluate individual situations in a consistent manner to lessen financial impacts on BASF. These standards set risk reduction recommendations, which are based on the maximum level of acceptable risk as determined by the applicable BASF unit. When the risk determined by the assessment is found to be undesirable (risk class 1 & 2), certain design or control measures should be implemented to reduce the risk to an acceptable level, or require appropriate management approval, for not implementing the control measures.
Since different sites and business groups have differing levels of financial and operability risk tolerance, the severity diagram in Appendix 7 can be modified to represent each business group. The Severity diagram for the BASF Risk Matrix addressing safety and health may not be modified.

3.2.4. Basis (Methodology) Financial risk matrices are semi-quantitative assessment tools, where the severity and probability values represent orders of magnitude. Therefore, the team may not always arrive at a clear-cut decision. The Process Safety Center of Excellence (CoE) can be consulted for risk assessment guidance and assistance in interpreting the risk matrices. 3.2.5. Format The Financial risk matrix shown in Appendix 6 is a 5x5 matrix with five severity classes (F1-F5) and five probability classes (P0-P4).
The severity classes represent the magnitude of the consequences of an incident with decreasing effects. The matrix included in this users guide has dollar ($) amounts included for corresponding severity levels. Individual business groups, sites, plants, units, etc., may determine the dollar amounts, which closer represent undesirable financial impacts for their groups. The probability classes represent the order of magnitude of how often the incident happens with decreasing likelihood.

Page 15 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

There are twenty-five potential risk fields within the matrix. These fields are broken down into four risk classes, designated by the numbers 1-4. These designations correspond with the required appropriate level of management approval, thereby accepting the potential financial risk for site, plant, unit, etc.

3.3.

Risk Based Inspections 3.3.1. What is RBI? Risk based Inspection (RBI) is a systematic approach to establish an inspection program for process equipment based on the risk associated with the failure of that device.
Setting up a RBI program for process equipment is a two-stage process a quantitative step that looks at the likelihood of failure and a qualitative step that analyzes the consequence (effects) of that failure based on the hazards of the materials handled and the processing conditions. Quantitative risk can be defined in terms of lost opportunities, lost production, poorly spent capital or more generally, as misapplied resources. The overall consequence from the failure of a vessel in chemical service is based on the nature of the chemical. RBI as a tool can reduce the risk by minimizing the probability of the occurrence by optimally scheduling internal inspections to reduce the probability of vessel failure. Internal Inspection intervals for vessels are generally based on anticipated corrosion rates of the vessels in that specific service. There are two extremes to setting up an inspection program, to perform frequent inspections or to have set an arbitrary inspection frequency. Both options have unacceptable ramifications the first option would be prohibitively expensive (based on the cost of inspections, down-time and equipment preparation) that may not be warranted and the second option has the risk of premature failure of the vessel prior to scheduled inspection. The RBI process helps to optimize the frequency of inspections by integrating risk into the overall inspection and maintenance decision-making process. The RBI process integrates the engineering knowledge of corrosion and metallurgy with the inspection discipline.

3.3.2. Applicability Equipment owners can use RBI as a tool to establish the frequency of internal inspection for process and storage vessels. As a result of a RBI assessment, owners can optimize - increase or decrease - the established inspection interval for pressure vessels, storage tanks or pipelines.
The RBI approach is valid only for process vessels, storage tanks and pipelines. It does not address the functional failures of non-pressurized equipment such as instruments, electrical and control systems etc.

Page 16 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

3.3.3. Methodology The RBI approach uses a matrix to evaluate the risk associated with the failure of a piece of equipment. Based on the prioritized risk levels, Management has a basis to plan the frequency, order, and thoroughness of inspections. RBI assists management in optimizing inspection resources and helps the maintenance group to focus on the vessels that have a higher likelihood of failure.
RBI assessments should be conducted by a team of qualified individuals who are trained in the RBI methodology and are knowledgeable in the process chemistry, vessel construction and metal corrosion issues of the process being evaluated. The team should document in detail the information from the contributing factors used for arriving at the scores for the likelihood and consequence of the vessel failure. Based on the results, the team can establish a tank inspection strategy, which includes both the most appropriate inspection methodologies and the frequency of inspections.

3.3.4. Tools for RBI The NAFTA Engineering Competence Center recommends the use of the BASF Inspection Frequency matrix. The use of the matrix and the process of documenting the results are explained in detail in N-G-MC-105, Risk Based Inspection Guideline.
This RBI assessment tool is based on API 581 methodology. The tool provides an opportunity for a qualitative approach to establish a maximum inspection interval based on the likelihood and consequence of the equipment failure. Based on the score from the matrix, management can compare the optimized suggested frequency to the current actual level of inspection. A new inspection plan can be established that is focused on the actual risks identified and not the general risk for that type of vessel, tank or pipeline. It is necessary to adjust the programmed inspection frequency if inspection results warrant a change (i.e., if a vessel shows less corrosion than anticipated for two or more inspections, the frequency may be reduced; however, if problems are found, the inspection frequency should be increased).

3.3.5. Documentation of assessment and results Appendix A of the guideline of the BASF Guideline N-G-MC 105 provides the worksheets for the documentation of an RBI analysis.
1. Part A: Likelihood Category The overall likelihood is determined by analysis of the Equipment Factor (EF) Damage Factor (DF), Inspection Factor (IF), Process Factor (PF), Mechanical Design Factor (MDF) and Current Condition Factor (CCF).

Page 17 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Chemical Process Focused Acute Risk Scenarios
Revision: December 2004

Points are assigned based on the analysis in each area. The overall likelihood of failure is determined by the sum of the points from each category of risk factors. 2. Part B: Damage (Explosion Index) Consequence Category This section is applicable only for flammable materials. Based on the reactivity, quantity stored, and other flammable characteristics, this element documents the extent of the potential damage consequence. Part C: Health (Toxicity Index) Consequence Category. The worst effect of toxic chemicals health impact and then impact on surrounding population is evaluated. Based on the score the team determines the Overall Risk Category, ranging from very low to very high. This risk category determines the minimum frequency of internal, external or on-stream inspection.

3.

Page 18 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Revision: December 2004

Definitions
Basic Process Control System (BPCS)
A system that responds to input signals from the process and/or from an operator, and generates output signals, causing the process to operate in the desired manner. The BPCS consists of a combination of sensors, logic solvers, process controllers, and final control elements, which automatically regulate the process within normal production limits. Includes a HMI (human machine interface). Also referred to as process control system.

Consequence
The Environmental, Financial, or Health effects directly resulting from an incident.

Deviation
A departure from normal operating conditions or procedures.

Hazard
A chemical or physical condition that has the potential for causing damage to people, property, or the environment.

Incident
The undesired loss of containment of a material or the liberation of energy, resulting from a deviation. Consequences of an incident could reasonably result in, but are not limited to serious injury, chemical exposure, fire, explosion, chemical spill or leak, reportable quantity release, process upset, gas/vapor release, and/or emergency shutdown.

Independent Primary Fault


The beginning of the chain of events which if not stopped will lead to an incident. A fault that actively triggers the process to leave the good range. The initiating event or root cause of a deviation.

Independent Protection Layer (IPL)


An IPL is a device, system, or action that is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario. The effectiveness and independence of an IPL must be auditable.

Layers of Protection Analysis (LOPA)


A risk assessment technical that develops an event tree for each scenario then assigns risk reduction values (orders of magnitude) to qualifying IPL (Independent Protection Layers) until reaching the acceptable risk level.

Page 19 of 51

BASF Process Safety

Risk-Based Decision Making Guide


Revision: December 2004

Definitions
Monitoring Device
Typically an I&E device which alerts or takes action at the border between the normal operating range and the permissible error range, in an effort to return the process to the normal operating range.

Probability
A measure of the expected likelihood or frequency of occurrence of the initiating event, that results in an incident.

Protective Device
A mechanical or I&E device intended to prevent severe personal injury and/or significant environmental damage by preventing process values from reaching the non-permissible error range. Within BASF all SIS are designated as SIL-3 or SIL-2.

Risk
A measure of human injury or economic loss in terms of both the probability and the severity of the consequences of an incident.

Root Cause
The primary fault. The event that initiates the event sequence to an incident. An underlying system-related (the most basic) reason why an incident occurred.

Safeguard
Any device, system or action that either would likely interrupt the chain of events following an initiating event or that would mitigate the consequences. Note: A safeguard may not meet the requirements of an IPL.

Severity
The magnitude of the injury or loss.

SIL
Safety Integrity Level a method of expressing the risk (probability) reduction factor associated with a certain control measure. An SIL of 2 denotes a two order-of-magnitude reduction in the probability of the chain-of-events of an incident occurring.

SIS
Safety Instrumented System I&E protective devices. A combination of sensors, logic solver and final elements that performs one or more safety instrumented functions. Within BASF all SIS are designated as SIL-3 or SIL-2. Refer to G-S-EI100-2, Minimum Safety and Health Requirements - Plant Safety by Means of (SIS).

Page 20 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 1 Risk-Based Decision Making Process Map
Revision: December 2004

Start Risk Assessment Process

Yes

2. Is there any potential for Human safety & health hazards? No

Yes

3. The BASF Risk Matrix must be used, then determine if the scenario requires further assessment using other methodologies. No

4. Is there a resource allocation (economic risk) decision needed?


(Consider environmental impact, costbenefit analysis, operability issues, product quality/yield concerns, inspection frequencies, etc. that do not have human safety & health consequences).

Yes End of decision making.

No

Yes

Yes Yes 5. Does the scenario require a cost-benefit evaluation for proposed risk reduction measures? Yes 7. Does the financial risk have an operability, product or cost impact on a BASF site / business unit? Yes 8. A financial risk matrix may be used. 9. Does the financial risk impact BASF due to the frequency of equipment inspections? Yes

No

No

6. The Kinney Method may be used.

10. A risk-based inspection evaluation may be used.

Page 21 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 2 The BASF Risk Matrix


Revision: December 2004

BASF Risk Matrix


Severity Probability P0 P1 P2 P3 P4
Probability:

S1 A A/B* B C E

S2 B B C D F

S3 D E E F F

S4 E E F F F

* Determined on a case-by-case basis decision whether A or B is needed.


P0 P1 P2 P3 P4
Severity:

Happened a couple of times (once per year or more often) Happened once (Approx. once in 10 years) Almost happened, near miss (Approx. once in 100 years) Never happened, but is thinkable (Approx. once in 1,000 years) Not a credible scenario (less than once per 10,000 years)
(On-site & Off-site Health Effects)

S1 S2 S3 S4

On site: Potential for one or more fatalities On site: Potential for one or more serious injuries (irreversible) On site: Potential for one or more lost time injuries On site: Potential for minor injuries, or irritation

Risk Class

Risk Level
Extreme, totally unacceptable risk Very large, unacceptable risk Large, unacceptable risk Medium, acceptable risk, which should be further reduced Small, acceptable risk, which may be further reduced Very small, acceptable risk

Risk Reduction Measures


Process or design change preferred Process or design change, or one protective measure of SIL-3 equivalent (PSV, SIS, etc.) Process or design change, or one protective measure of SIL-2 equivalent (PSV, SIS, etc.) One monitoring device of high quality with documented testing or administrative procedure of high quality One monitoring device or administrative procedure None

A B C D E F

Page 22 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 3 BASF Risk Matrix Quick Reference
Revision: December 2004

This list gives a condensed version of the steps for using a risk matrix. Please refer to the text for additional guidance. 1. 2. 3. 4. 5. 6. 7. 8. 9. Identify the sources of potential danger. (Hazards) Identify what can go wrong. (Deviations) Identify the Root Causes of the Deviation (Independent Primary Faults) in order to be able to determine the likelihood. Determine the result of this Deviation (Incident) in order to be able to determine the severity. For each Root Cause, determine the Probability of the initiating event. Determine the Severity of a particular event and the refine the probability of the initiating event to match the severity. Determine the Level of Risk by locating the intersection of the Probability and Severity values on the Risk Matrix. Determine the Risk Reduction Measures needed to move the risk to the acceptable level (if necessary). Determine if further risk reduction is needed.

10. Repeat as necessary.

Page 23 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 4 BASF Risk Matrix Severity Definitions
Revision: December 2004

Health Scope of Effects


On-site Health (as found on Risk Matrix)

S1

S2
Potential for one or more seriously injured (irreversible)

S3
Potential for one or more lost time injuries

S4
Potential for minor injuries, or irritation

Potential for one or more fatalities

Off-site Health

Potential for one or more fatalities

Potential for one or more injured

Potential for significant inconvenience

Potential for minor inconvenience (odor, smoke)

Note: For evaluation of on-site & off-site safety and health effects the BASF Risk Matrix must be used. For consideration of other effects such as on-site & off-site property damage, environmental damage, publicity and product quality / yield should use the Financial Risk Matrix, which is better suited to address economic risk.

Page 24 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 5 BASF Risk Matrix Frequently Asked Questions and Examples
Revision: December 2004 1. Q: How do I select a probability ranking for an incident that has been reported historically to have happened once every 2-3 years? For one that seems likely to happen, but hasnt in the plants 60-year history? A: The probability rankings are based on orders of magnitude. The numerical values associated with them are only for guidance purposes. It is often easier to estimate a probability based on the verbal description, using the numerical values to check and make sure that the ranking makes sense. Additionally, the probability rankings must be done for a specific consequence of an incident. This is done so that the probability matches with the severity ranking.
For example, if a certain incident has happened once every 2-3 years, it matches most closely with the description Happened a couple of times. Then using the numerical value of once per year, we see that it is a relatively close fit, so a probability of P0 is assigned. In the second case, if the event is likely, but hasnt happened in the 60 year history, it could be described by either Almost happened, near miss or Never happened, but is thinkable. We can either look at historical data from other similar plants to see if it has happened, or to see how many similar near misses have occurred; or we can compare it to the numerical values. From the description, it sounds like this incident would have a probability of closer to 1 in roughly 100 years rather than once in 1000 years. Therefore, we would assign it a probability value of P2.

2. Q: Please explain the Single Failure Rule (Double Jeopardy)? A: The term single failure rule refers to only independent primary faults. The simultaneous occurrence of two independent primary faults (i.e., root causes) is unlikely and need not be considered in moderate risk chemical operations. A primary fault is one which allows a process variable to depart from the safe operating limits. After a primary fault occurs, a sequence of conditions and events (chain-of-events) proceed and other safeguards may come into action to prevent further escalation of the process upset. These safeguards can fail and should be regarded as failed during a safety review or hazard analysis. By allowing these multiple failures within a single chain-of-events, the actual worst case can be defined by the team. If judged significant enough by the team, this worst case must be safeguarded by a process or design change, or by a mechanical or I/E protective device so that an acceptable level of risk is achieved.
The failure of multiple safeguards within a single chain-of-events is not double jeopardy, and these multiple failures must routinely be evaluated. The simultaneous failures of two independent safeguards needed to trigger a chain-of-events is considered double jeopardy and is not considered in most risk assessment efforts. However, what may seem to be two or more independent, simultaneous failures may actually be caused by a common cause failure no longer independent or one or more of the faults might have already occurred and may not be apparent to operations (covert or passive faults) no longer simultaneous. These cases may at first consideration seem to be double jeopardy, but in fact, must be considered as plausible scenarios.
Page 25 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 5 BASF Risk Matrix Frequently Asked Questions and Examples
Revision: December 2004

Example Of A Chain Of Events For A Semi-Batch Reaction


Comp. A added too fast Temperature set point wrong Temperature indicator wrong Not enough cooling Temperature and pressure rise runaway reaction Rupture of the vessel Flying fragments, chemical release, fire

Primary Fault

Chain of Events

Effects

3. Q: What can be done to address the risk associated with environmental or property loss considerations? A: Because environmental impact is influenced by the location of the facility, additional factors such as local, state and regional regulations have to be taken into consideration when establishing the severity axis of the matrix. For example, a facility located adjacent to a river might have a different severity classification for particular events than a facility located in an industrial park and tied to a local sewage disposal system. Customizing the risk matrix for a particular location is necessary.
The same applies to the risk associated with property loss. Different facilities and business groups apply various levels of acceptability to loss. A $5,000 loss to one facility or business may mean the need to provide additional protections, whereas the trigger point for another facility or business group might be $50,000 or $500,000. In both cases (environmental and property), members of the process safety team can assist in developing viable matrices for these factors.

4. Q: Who is to use the risk matrix and how? A: Who uses the risk matrix will depend on when in the project life cycle it is used. This means that during the early phases of a project, a process engineer or process development chemist may use this as a tool to help choose between two process alternatives. During basic engineering, the process engineer may use it to determine where process changes or protective devices are necessary. Later on, the process and I/E engineers may use it to help determine SIL levels of Safety Instrumented Systems. It can be used during the Step 3 or PHA by the study team to determine if the appropriate safeguards are in place. It can by used after startup to help determine if "Process Improvements" will increase or decrease the level of inherent safety of the plant. These are just a few examPage 26 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 5 BASF Risk Matrix Frequently Asked Questions and Examples
Revision: December 2004
ples of when it may be used. The process Safety Team hopes that this will become a tool that can be used easily and often by just about everyone involved with chemical processes.

5. Q: How do I determine the probability of an incident that hasnt happened yet in our plant (P2, P3, or P4)? A: In the course of a risk assessment, many incidents and consequences will be evaluated which have not occurred in the plant being analyzed. It is difficult for the team to theorize whether a specific event, which hasnt yet occurred, might occur within the next 30, 300, or 3000 years. There are several methods of accomplishing this. First, there are published tables of failure rates for every type of instrument and equipment imaginable. However, these are only average values. The actual failure rates vary considerably depending on location (Gulf Coast, Midwest), sheltering (inside, outside, sheltered), maintenance, process chemicals, temperature, and pressures.
More often in BASF, we use the experience from our sister plants to determine likelihood. If a specific failure has not yet occurred, we can look to similar technology plants at other BASF locations. If this still does not uncover a similar incident, we can look to other technologies within BASF or similar technologies outside of BASF. By estimating the years of operating experience and the number of incidents discovered, the team can approximate the probability of failure.

6. Q: When do I use the Risk Matrix during the Step Review Process? A: The risk matrix may be used at several stages of the Step Review process, but the most common timeframe for use is prior to and during the step 2 review. For projects implementing SIS, it will be important for the project team to use the risk matrix to determine a target SIL before the Step 2 review. This determination will be confirmed at the Step 2.
The risk matrix may be used early in the project to determine relative risks when considering different options for processes, locations, etc. The risk matrix is also commonly used during the Step 3 review or an OSHA PHA as part of the HAZOP methodology to assess the risk associated with specific deviation scenarios. This risk assessment can be used to validate the integrity level of existing or proposed safeguards as well as to prioritize recommendations resulting from the study.

7. Q: How can the risk assessment carried out for a specific scenario result in a different risk for a plant in one location as opposed to a similar "sister" plant at a different location? A: The risk assessment must take into account a number of non-process related factors that might vary among locations even if the process is similar.
For example, the likelihood of the initiating event might differ due to the degree of external corrosion experienced by a location or the probability of ambient temperature being below the freezing point of a process material. The likelihood of a specific consequence
Page 27 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 5 BASF Risk Matrix Frequently Asked Questions and Examples
Revision: December 2004
may vary fur to differing siting configurations. A hazardous service pump may be located next to a high traffic area in one plant but in another it is located in a very isolated area.

8. Q: What do I need to do to properly document a risk assessment? A: In order to properly document a risk assessment, one must capture not only the initiating event, the final consequence and the resulting risk, but also the general thought process used by the assessment team to arrive at their conclusions. Proper documentation should include the following:
a) b) c) d) e) The initiating event (root cause) of the scenario Likelihood of that event (failure) occurring A general description of the chain of events leading to the first consequence Any factors which might affect the likelihood of that first consequence occurring Additional consequences that could result from the same incident i) Alternative paths in the chain of events ii) Differing severity levels if multiple outcomes are possible (see FAQ #1) f) The likelihood of each of the alternative consequences taking place and resulting risk g) The highest risk resulting from the initiating event. h) Any additional factors which influenced the evaluation.

9. Q: How do I consider operator response in the risk evaluation process using the risk matrix? A: The first step is to determine whether the operator action / response is considered to be an integral part of the basic plant operation or a result of an alarm or indication given by the Basic Process Control System (typically a DCS).
An operator response can be considered as an integral part of plant operation if the response is triggered by a routine activity or action (typically proceduralized). For example, if as part of the written operating procedures, an operator routinely checks a certain process variable, takes a sample, or reads an instrument in the field (among others) his response to an abnormal reading can be considered as part of normal operations. In order to be considered as an effective part of normal operations, the scenario must meet the criteria below. However, if an operator notices that a valve has failed to open due to an alarm or the upset of other process variables, then his response is considered to be a safeguard. If the response is considered to be part of normal operations, the likelihood of the operator noticing an abnormal event and taking a corrective action can be considered in the assessment of the raw risk for a scenario. However, if the operators response is determined to be a safeguard then it must not be considered as part of the raw risk assessment. There are several conditions to consider in order to determine the likelihood and effectiveness of operator response as a means of breaking the chain of events. The speed of
Page 28 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 5 BASF Risk Matrix Frequently Asked Questions and Examples
Revision: December 2004
the incident development is one factor, but there is no set time limit because the effectiveness depends on a variety of factors. One means of evaluating the effectiveness of operator response is to use the DDR criteria, which stands for Detect, Diagnose and Respond. One must determine if there is sufficient time and means (indications, personnel, etc.) to detect that the process is leaving the "good" operating range. If so, is there enough time, information, and trained personnel to correctly diagnose the problem. Finally, there must also be enough time, personnel and resources to properly execute a response adequate to break the chain of events. Finally, the process must be designed such that an adequate response by personnel is possible. Because the availability of a sufficient quantity of qualified / trained personnel is so critical to the assessment, it is important to document these key factors so that these scenarios can be re-evaluated in case of proposed organizational changes using an Organizational Management of Change assessment.

10. Q: What risk assessment methodologies can be used for SIL determination? A: The Global Competence Center for Engineering in BASF has determined that The BASF risk matrix shall be used for the classification of instrumented systems to assign a target Safety Integrity Level (SIL) as applicable. No other methodologies shall be used for this purpose within BASF. Reference: G-S-EI 100-2, Section 3. 11. Q: What guidance can you give for determining raw risk and severities for various scenarios? A: Consider the following guidance and examples:
Conventions: No credit is taken for existing safeguards when determining the risk class Full credit is taken for normal reliability of instrumented control and operator control when determining the frequency of an event The protective devices listed as risk reduction measures for risk classes B and C are the minimum requirement, the implementation of additional monitoring devices is highly recommended (layers of protection) Use good judgment If using numerical values think of orders of magnitude Use average value if larger number of plants exists

Determination of probability

Page 29 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 5 BASF Risk Matrix Frequently Asked Questions and Examples
Revision: December 2004
Determination of severity Use good judgment Use only likely consequences, form separate pairs for less likely consequences Determine consequence for each area of SHE and select the most severe for determination of the risk class

Dealing with less likely consequences Combining the frequency of an initiating event with the most severe but unlikely consequence would result in the wrong risk class Form separate pairs of severity and corresponding probability and determine the risk class for each pair Use the most severe risk class to represent the scenario

Example (Forming Probability-Severity Pairs):


When considering scenarios that could result in a number of different consequences, one must form separate pairs of severity and corresponding probability and determine the risk class for each pair. Combining the frequency of an initiating event with the most severe but unlikely consequence would result in the wrong risk class. Once all probability-severity pairs are formed and the risk is determined, the most severe risk class is chosen to represent the scenario. The following examples can be used to illustrate the proper use of pairing: Case A: The risk associated with a 75 hp pump system is being started while blocked-in is to be evaluated. In the first case, the system contains demineralized water and is constructed of stainless steel. The team determines that the likelihood of starting the pump while blocked-in would be a P2. As a consequence it was determined that the pump would overpressure and because the casing is made from a ductile material, it would split open causing only potential local damage or injury due small pressure wave resulting in a severity of S3. The resulting risk is P2, S3 E risk class. Case B: Now instead of water, the 75 hp pump system contains a highly toxic and highly volatile fluid and is still constructed of stainless steel. The team determines that the likelihood of starting the pump while blocked-in would be a P2. As a consequence it was determined that the pump would overpressure and because the casing is made from a ductile material, it would split open causing only potential local damage or injury due small pressure wave, but additionally, a rather large toxic vapor cloud would result and the likelihood of a fatality is quite high, resulting in a severity of S1. The resulting risk is P2, S1 B risk class.

Page 30 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 5 BASF Risk Matrix Frequently Asked Questions and Examples
Revision: December 2004
Case C: The 75 hp pump system again contains demineralized water, but now this pump casing is constructed of cast iron. The team determines that the likelihood of starting the pump while blocked-in would be a P2. As a consequence it was determined that the pump would overpressure and because the casing is made from a brittle material, it would rupture causing pump damage and generation of significant local damage due to shrapnel. What would be the resulting severity, S?. Case C.1: The immediate area around the pump has a number of vessels containing a highly toxic, volatile fluid. The likelihood is quite high (>30%) that one of these vessels would be punctured causing a large toxic vapor cloud, S1. The resulting risk is P2, S1 B risk class. Case C.2: Operating personnel are rarely in the area around the pump and nearby vessels are not critical, S?. (Form pairs to determine the Raw Risk). Case C.2.a: Frequency of rupture while no one is present, P2. Consequence: local damage due to flying debris, but no health effects, S4. The resulting risk is P2, S4 F risk class. Case C.2.b: Operating personnel are present in the area about 2 hours each day (10% of the time). Frequency of rupture while someone is present, P3 (decrease probability by one order of magnitude). Consequence: local damage due to flying debris, and potential for serious injury, S2. The resulting risk is P3, S2 D risk class. Case C.2.c: Operating personnel are present in the area about 2 hours each day (10% of the time). Frequency of rupture while someone is present and fatally hit by flying debris, P4 (decrease probability by one additional order of magnitude as compared to Case C.2.b). Consequence: local damage due to flying debris, and potential for fatality, S1. The resulting risk is P4, S1 E risk class. The three pairs yield risk classes of F, D, and E. Design the system to the highest risk class, D.

12. Q: How would one determine the severity of a large toxic gas release? There could be any number of consequences. A: Consider the following example: A certain plant includes a reactor with two reactants being injected into a recirculation flow of raw material and product. The heat of reaction is significant and removed shortly after the injection points in cooling water exchangers. This portion of the plant has a dedicated cooling loop and it was determined that a total loss of cooling could initiate an increase in the system temperature to the point that the recirculating material in the feed
Page 31 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 5 BASF Risk Matrix Frequently Asked Questions and Examples
Revision: December 2004
drum starts to boil. At this point, large quantities of a moderately toxic vapor are given off through a vent located near ground level in the center of the plant. A total loss of cooling was seen as a P2 probability based on the characteristics of the system. It would take approx. 15-20 minutes for the system to heat up to its boiling point (maximum release rate). Release would probably start at a low rate after roughly 10 minutes and build over the next 5-10 minutes. How would one assess the severity of a moderately toxic vapor cloud release for a substance with the following characteristics: ERPG 1 - 3ppm ERPG 2 - 10 ppm ERPG 3 - 30 ppm LC-50 (rat) - 300 ppm (1 hour) The vapor release would be readily visible and has a very low odor threshold. It is estimated that once the release began, it would be detected and an effective response could be accomplished in 20 minutes or less (i.e. the release would be no more than 20 minutes duration). Worst case steady state plume concentrations modeling (conservative) yield a 300 ppm limit at up to 300m from the release point. It would be incorrect to assume that mitigating emergency response actions would reduce the severity/probability as given in the following discussion: Due to the low odor threshold and because a full scale release would not be instantaneous, it is likely that personnel in the area could escape serious harm in the vast majority of cases. The team determined that there would be a moderate to high likelihood (20 - 80%) of a DAFWC injury (minor chemical pneumonia) as a result of the release yielding a P2, S3 E level risk. There would be a lower likelihood of irreversible respiratory damage (5 20%) yielding a P3, S2 - D level risk. Finally, there would be a quite low risk of death associated with the release (< 5%) yielding a P4, S1- E level risk. The worst case is a D level risk, so high quality monitoring measures should be implemented to prevent the release of this vapor. However, this method of categorizing the potential severities and their related probabilities is not appropriate considering the information provided. Generally the raw risk has to be determined, i.e. safeguards and measures are disregarded. To that extent any response to the release has to be disregarded. This is the major difference to the "pump example for forming pairs" where the likelihood of somebody being present or being hit was independent of the event being evaluated. An event where the ERPG 3 value is exceeded more than tenfold in 300 m distance has a considerable potential for fatalities. This leads to a raw risk of "B" (S1, P2), i.e. protective measures of SIL 3 quality are needed. Ideally the scenario should be prevented by a suitable I&E device of SIL 3 quality. If for some reason only mitigation would be considered (evacuation, shelter-in-place, knock-down of vapors) then the detection of a leak must be in SIL 3 quality and the mitigative action itself must be designed in a way that would be equivalent to SIL 3. It would be unlikely to be able to achieve this.

Page 32 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 5 BASF Risk Matrix Frequently Asked Questions and Examples
Revision: December 2004
If it could be reasonably shown that the likelihood of a person being in the affected area is roughly 10% or less, then the probability could be reduced to a P3, but with a moderately large scale gas release and varying wind directions this would be very difficult to rely on.

Page 33 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 6 Operability / Financial Risk Matrix


Revision: December 2004

Operability / Financial Risk Matrix Severity (Financial) Frequency P0 P1 P2 P3 P4 F1


1 1 1 2 3

F2
1 1 2 3 3

F3
2 2 3 3 4

F4
2 3 4 4 4

F5
2 4 4 4 4

Severity: (See Severity Table in Appendix 7) Frequency: P0 P1 P2 P3 P4 Happened a couple of times (Once per year or more often.) Happened once (Approx. once in 10 years.) Almost happened, near miss (Approx. once in 100 years.) Never happened, but is thinkable (Approx. once in 1,000 years.) Not a credible scenario (Less than once per 10,000 years.)

Financial Risk Index


Class 1 2 3 4 Financial Risk Level
Undesirable Undesirable Acceptable Acceptable without review

Approval Requirements
Site Management / Business Director approval required Unit Management / Operations Manager approval required None, however engineering / administrative controls could help to reduce financial impact None

Page 34 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 7 Financial Risk Matrix Severity Definitions
Revision: December 2004

Financial Scope of Effects Off-site Property Environmental Damage

F1

F2

F3

F4

F5

Potential for large property damage Potential for major soil or water contamination with extensive remediation or significant damage to wildlife.

Potential for small property damage Potential for significant soil or water contamination.

Potential for fall-out

Not applicable

Not applicable

Potential for soil Potential for Not applicable or water environmental contamination release within with easy containment remediation and easy cleanup.

Publicity

Potential for Potential for negative press negative press in national or in state media. international Potential for media. multiple law Potential for suits. class action law suit.

Potential for Potential for Potential for evacuation or complaints complaints from shelter in place. from off-site other operating Potential neighborhood. units on-site. for negative press in local media.

Product Quality Product quality Product quality Product quality Product quality Product quality issues resulting issues issues resulting issues resulting issues resulting / Yield in costs > resulting in in costs > $15K in costs > $1K in costs < $600K costs > $150K 150K 15K $1000 600K Note: For evaluation of on-site & off-site safety and health effects the BASF Risk Matrix must be used. For consideration of other effects such as on-site & off-site property damage, environmental damage, publicity and product quality / yield should use the Financial Risk Matrix, which is better suited to address economic risk and cost-benefit analyses.

Page 35 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 8 Financial Risk Matrix - Frequently Asked Questions and Examples
Revision: December 2004

1. Q: When can I use a Financial Risk Matrix? A: A financial or economic risk matrix can be used, when assessing all hazards that do not result in a consequence, which have human health effects. It can be used for assessing hazards, which have a potential to impact a business group, site, plant, or unit financially. This could be from an operability issue, product quality / yield issue, direct / indirect cost, etc. 2. Q: When should I not use a Financial Risk Matrix? A: If the hazard being assessed has any on-site, or off-site human health effect (injury, illness, fatality, etc.), then the BASF Risk Matrix must be used and a financial risk matrix must not be used. A Financial risk matrix must only be used for financial risk to BASF. 3. Q: What if the dollar ranges listed in the severity levels do not represent the severity levels for my group, site, unit, etc.? A: The financial risk matrix severity table found in Appendix 7 may be tailored, or customized to fit the severity level for any business group, site or unit, which the management of that entity deems appropriate. In other words, a financial severity level of F2 (severe - $150K$600K) as presented in the matrix in Appendix 6, may not be representative, or reflect the actual level of severity for a smaller site. Management could modify the dollar amounts higher, or lower, to properly reflect the financial impact for their site, unit, etc. 4 Q: Why would I want to assess financial impacts, with regard to operability, or product quality / yield issues, when assessing potential hazards? A: It has been demonstrated and documented that significant savings, or cost avoidances may be achieved if operability issues are assessed along with hazards during PHAs, HAZOPs, etc. Cost savings / avoidances are another way to help BASFs bottom line. 5. Q: Can the risk grid in PHAWorks be used for a financial risk matrix, as well? A: Yes. The risk grid in PHAWorks can be modified to incorporate the BASF Risk Matrix and a financial risk matrix all into the same grid. This enables the team to assess health hazards and financial impacts in the same review. Note- Contact the Process Safety Center of Excellence (CoE), for help in setting up the risk grid in PHAWorks, if needed.

Page 36 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 8 Financial Risk Matrix - Frequently Asked Questions and Examples
Revision: December 2004

Examples of Use: EXAMPLE #1 CONDENSER LEAK DURING / AFTER TEA CHARGE TO REACTOR:
- Scenario: The cause for this deviation was identified as condenser leak (the condenser for this process vessel was a carbon block heat exchanger), with a consequence of yield loss (loss of batch). Determined to be an F1 severity. Note No safety & health consequences identified, so the financial risk matrix was utilized. The PHA team made the following recommendation: Install water detection instrumentation (conductivity probes) on the condenser seal leg. Note: The conductivity probes played a major role in detecting actual condenser leaks and the ultimate change in material of construction for this process condenser.

- Cost avoidance (per event): - Potentially $128K 200K.


Note: The $128K signifies raw material product loss only to this point in the process (8,000# @ $16.00 / #). Actual cost avoidance could be upwards of 200K, with incineration / disposal cost, utility cost, handling cost, etc. included.

Total potential worst case cost avoidance from this risk assessment$200,000 EXAMPLE # 2 HEAT EXCHANGER LEAK ON FINAL PRODUCT BULK STORAGE TANK:
- Scenario: The cause for this deviation was identified as heater leak with a consequence of potential water contamination in final product bulk storage tank, a quality issue (potential loss of product equivalent to the current level of the storage tank). Determined to be an F2 severity. Note No safety & health consequences identified, so the financial risk matrix was utilized. The revalidation team made the following two (2) recommendations: 1. Verify mechanical integrity program adequacy on storage tank heater. 2. Consider periodic sample and water assay of final product bulk storage tank contents. - Potential cost avoidance (per event): Potentially $ 9.5M (assuming total product loss)
Note: The calculation does not take into account the difference between the product and water, but is general for an overview. Normal batch assays indicate 0.04% water; the lab flags any batch resulting in >0.10% water. The spec. of 0.30% water is equivalent to 3,900 gallons of water, assuming a product volume of 1,300,000 gallons. Baseline quantity of water (0.04%) in that volume would be approximately 520 gallons of water. The product could be out of spec. on water within 113 minutes if we assume a flow-rate of 30 gpm of water through a heater or vent condenser for a catastrophic failure.

The periodic maximum working volume, of 1,300,000 gallons of product x $7.31/gal. = $9.5M.

Total potential worst case cost avoidance from this risk assessment$9,500,000

Page 37 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 9 Kinney Method Probability and Severity Tables
Revision: December 2004

Exposure Factor (E)


FREQUENCY OF EVENT, WHICH CAN LEAD TO INCIDENT
Continuous (many times per day) Frequent (once per day) Regularly (once per week) Occasionally (once per month) Rarely (4 times a year) Very rarely (less than once per year)

Factor
10 6 3 2 1 0.5

Probability Factor (P)


Likelihood of the incident when event occurs
To be expected (1 out of 5 or more frequent) Likely (1 out of 15) Unusual (1 out of 200 Unlikely (1 out of 5000) Thinkable (has happened in industry) Practically impossible (never happened) Virtually impossible (only by sabotage)

Factor
10 6 3 1 0.5 0.2 0.1

Likelihood Factor (L) - Combined Exposure and Probability Factors


Likelihood of the incident
Every day 10 times a year Once a year Every 10 years Every 100 years Every 1,000 years Every 10,000 years Every 100,000 years

Factor
100 30 15 8 4 2 1 0.5

Page 38 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 9 Kinney Method Probability and Severity Tables
Revision: December 2004

Severity Factor (S)


Financial Loss
$ 25 Mio

Customer / Quality
Loss of one major customer Loss of several customers Loss of several customers temporarily Serious customer complaint Internal customer complaint Product out of control limits

Environmental
Release causing serious danger to surrounding communities Level 3 release Level 2 release Level 1 release Level 0 release Emissions exceed normal limits for short time

Safety
N/A

Factor 100

$ 2.5 Mio $ 250 K $ 25 K $ 2.5 K $ 250

Irreversible injury Lost days injury Recordable injury First aid injury Near Miss Incident

40 15 7 3 1

Risk Score Score


> 400 200 - 400 70 - 200 20 - 70 < 20

Risk Rating
Very High Unacceptable Risk High Unacceptable Risk Medium, Acceptable Risk Small Acceptable Risk Acceptable Risk

Recommended Actions
Stop activities Immediate improvement needed Further reduction strongly encouraged May be further reduced None

Page 39 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 10 Kinney Method Frequently Asked Questions and Examples
Revision: December 2004

Q: The Kinney Method has tables giving Factors for different values of Likelihood and severity, but the values given in the table dont match my case exactly. Is it allowed to interpolate the values in the table to arrive at a more accurate solution? A: The Kinney Method includes a number of different tables. The Tables for Likelihood (Probability, Exposure Factor, and Likelihood) are totally numeric and interpolation is allowed to arrive at the Factor that best fits your particular case. For example, based on experience we may see a particular consequence occur one every 2 years. The table gives factors for once a year (15) and once every 10 years (8). Therefore, a value of the factor for a likelihood of once every 2 years can be interpolated (~ 12.5). The data can be converted to graphical format for easier interpolation (Note the log scale on the time/likelihood axis).

100,000,000 10,000,000 1,000,000 100,000 Days 10,000 1,000


2 Years = 730 Days

Figure 1

0.5 1 2 4 8 15 30 100 100

100 10 1 0 10

Factor is approx.

20

30

40

50

60

70

80

90

Likelihood Factor Value

The severity table is a combination of numeric values (dollar value damages) and specific scenarios (a lost time injury). The numeric portion of the severity table may be interpolated, but not the specific scenario portion. For example, the anticipated dollar loss associated with an incident may be $100K, but the table gives values only for $250K and $25K. It is allowable to interpolate between these values to determine the best severity factor (See Figure 3 below). If another possible outcome is a Recordable Injury and possibly a Lost-Time Injury one must determine the likelihood of each type of injury severity taking place. It is not allowable to say that it is possible for both to occur and to interpolate between the Factors given.

Page 40 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 10 Kinney Method Frequently Asked Questions and Examples
Revision: December 2004

Severity Factors
Financial Loss $ 25 Mio $ 2.5 Mio $ 250 K $ 25 K $ 2.5 K $ 250 Customer / Quality Loss of one major customer Loss of several customers Loss of several customers temporarily Serious customer complaint Internal customer complaint Product out of control limits This Column may be interpolated.

Figure 2 Environmental Release causing serious danger to surrounding communities Level 3 release Level 2 release Level 1 release Level 0 release Emissions exceed normal limits for short time N/A Irreversible injury Lost days injury Recordable injury First aid injury Near Miss Incident Safety Factor 100 40 15 7 3 1

These may not be interpolated. Figure 3

$100,000,000 $10,000,000 $1,000,000 $100,000 $10,000 $1,000


Consequence is $100K $100 Factor is Approx. 10.5

100 40 15 7 3 1 0 10 20 30 40 50 60 70 80 90 100

Severity Factor Value

Q: How do I use the Kinney Method together with the Risk Matrix? A: For Scenarios with potential health and safety risks, we must first use the risk matrix. There are a number of ways in which both the BASF Risk Matrix and the Kinney Method may be used together to determine the best, most cost-effective risk reduction strategy.
Page 41 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 10 Kinney Method Frequently Asked Questions and Examples
Revision: December 2004

1) Take a hypothetical case of a scenario for which the Risk Matrix yields a result of a P1, S2 Risk Class B. For a risk class B, the Risk Matrix states that we must institute either a Process Change or a Protective Measure equivalent to a Safety Integrity Level 3 (Likelihood reduction of at least 3 orders of magnitude). In this case, we have the option of either making the vessel in the scenario pressure proof by raising the pressure rating of the vessel from 90 psi to 250 psi (we are still in the design phase) for an additional cost of $100,000 or installing a SIL-3 High Pressure Interlock system to prevent pressures greater than 90 psi, for a cost of $80,000. Which risk reduction measure is more gives a greater cost-benefit for the plant? Based on the risk assessment for the raw risk of P1 (Once every 10 years), S2 (Irreversible Injury), we find that the Kinney method risk is equal to R0 = L0 x S0 = 8 + 40 = 320. For the Pressure Proof design, we eliminate the Risk of overpressure, so the risk effectively goes to 0 (R1 = L1 x S1 = 0 x 40 = 0). For the SIL-3 system, we reduce the likelihood from once every 10 years to once every 10,000 years. The resulting risk would be R2 = L2 x S2 = 1 x 40 = 40. Using the current cost constant of $250, we input our variables into the following Kinney method equation:

eff

Kconst = (R0 R1) Cost

1/ 3

The first case yields a Keff = (320 0)*($250 / $100,000)1/3 = 43.4. This is a very economical step to take to reduce the risk. The second case yields a Keff = (320 40)*($250 / $80,000)1/3 = 41. This is also a quite economical risk reduction measure, but option one is more cost-beneficial even though the cost is higher. Additionally, once lifetime costs are considered, option one likely will cost much less over the average 30 life span of a plant due to much less frequent inspection and testing requirements. 2) A second example is a case where the risk matrix was used and the resulting risk was determined to be a P1, S3 Risk Class E. This risk class is acceptable, but may be further reduced. For a risk class E, the Risk Matrix states that we may institute either one monitoring device or administrative procedure. It is decided that a high level switch/interlock may be added to further reduce the risk with this scenario. A high level switch would cost an additional $2000 to implement and would give a likelihood reduction of roughly one order of magnitude. Based on the risk assessment for the raw risk of P1 (Once every 10 years), S3 (Lost Time Injury), we find that the Kinney method risk is equal to R0 = L0 x S0 = 8 + 15 = 120. A DCS
Page 42 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 10 Kinney Method Frequently Asked Questions and Examples
Revision: December 2004

high level interlock would cost $2500 but would reduce the likelihood to once every 100 years, so the risk is reduced to R2 = L2 x S2 = 4 x 15 = 60. Using the current cost constant of $250, we input our variables into the following Kinney method equation:

eff

Kconst = (R0 R1) Cost

1/ 3

This case yields a Keff = (120 60)*($250 / $2,500)1/3 = 27.8. In this case it is cost beneficial to reduce the risk further through addition of a high level switch. A SIL-2 high level interlock would cost $50,000 but would reduce the likelihood to once every 1000 years, so the risk is reduced to R2 = L2 x S2 = 2 x 15 = 30. This case yields a Keff = (120 30)*($250 / $50,000)1/3 = 15. This case is potentially cost beneficial, but the installation of a simple high level switch in the DCS appears to be a better way to spend our money.

Kinney Method Example Discretionary Maintenance Spending


Situation: Frequent seal failures during start-up of pump Consequences: Switch to 2nd pump Recordable injury possible Level 0 release for sure Level 1 or RQ release possible Severe fire unlikely ($ 1Mio damage/lost production) If 2nd pump fails, shut-down of plant (possible) ($500K damage in lost production)

Pump is started up every few months Seal failure during start-up is quite likely

First Step: Determination of highest current Risk Case R0:


Exposure factor: E = 1.5 (history shows 6 times a year)

Page 43 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 10 Kinney Method Frequently Asked Questions and Examples
Revision: December 2004

Incident
Recordable Injury Level 0 release Level 1 release Fire Loss of 2 pump
nd

Probability Severity*
3 10 3 1 3 7 3 7 28 18

Risk
(E x P x S)

31.5 45 67.5 42

81

Highest Risk Case *Severity and Likelihood values interpolated from tables.

Second Step: Calculate Target Risk value, R1.


Reduce Likelihood with double mechanical seal from 3 (1 in 200) to 0.5 (1 in ~40,000). R1 = E1 x P1 x S1 = 1.5 x 0.5 x 18 = 13.5

Third Step: Substituting the values of R0 and R1 into formula 3 from above, and using a Keff value of 20 to determine the upper limit of an economical modification, we find

81 13.5 Cost = $250 = ~ $10,000 20


Therefore we find that $10,000 is the economical cost threshold to lower the risk through installation of double mechanical seals.

Kinney Method Example Risk Reduction Measure Comparison


An employee sustained a back injury due to loading a Supersack bag using a manual semicontinuous apparatus and a fork truck. The injury was an OSHA recordable injury. The Supersack operation has been running for 12 years and four years ago another back muscle injury occurred requiring first aid. Here we have two back injuries that occurred 4years apart but one injury was an OSHA recordable and the other a first aid. In this case, we have the option of either ranking the likelihood the first injury being a recordable injury or being more conservative by saying the first injury was a recordable injury and the two incidents occurred four years apart. In this example this we have history of four years and we will assume four years between two recordable injuries. Based on the risk assessment for the raw risk of L0 (Once every 4 years), S0 (Recordable Injury), we find that the Kinney method risk is equal to R0 = L0 x S0 = 13 x 12 = 156. In this case the recommended action is that further risk reduction is strongly encouraged.
Page 44 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 10 Kinney Method Frequently Asked Questions and Examples
Revision: December 2004

Two solutions are proposed to reduce the risk. One is to install a scissor lift (S1) and the other to install an automated Supersack bagging station (S2). Before doing the cost estimate the team discusses the probability of a recordable back injury from occurring: Exposure factor for both cases is determine to be 8 due to semi-continuous operation of about 12 hours per day. The Probability Factor for the scissor lift is determined to be unlikely or 1.0. The Probability Factor for the automated Supersack bagger is determine to be virtually impossible or 0.1 L1 = E1 x P1 = 8 x 1 = 8 L2 = E2 x P2 = 8 x 0.1 = 0.8 R1 = L1 x S1 = 12 x 8 = 96 R2 = L2 x S2 = 12 x 0.8 = 9.6

eff

(R

K const R 1 ) Cost

1/3

The cost for the Scissor lift = $25,000 The cost for the Supersack bagging station = $175,000 The case yields a Keff 1 = (156 96)*($250 / $25,000)1/3 = 12.9. (Potentially Cost Effective) The case yields a Keff 2 = (156 9.6)*($250 / $175,000)1/3 = 16.4. (Potentially Cost Effective) Both cases are potentially cost effective but the Supersack reduces the likelihood of the incident from occurring by an additional factor of 10 but costs $150K more. The Kinney method helps to provide the team with more data in order to make the final decision. Different teams in different situation may select one solution over the other due to emotional influence, cost or other reasons.

Page 45 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 11 RBI Examples


Revision: December 2004

Risk Based Inspections Four examples from the Geismar Site Overview Table Risk Based Inspections Four examples from the Geismar Site Evaluation Details Risk Based Inspections Freeport Site Example Toxic Service Risk Based Inspections Freeport Site Example Corrosive Service Risk Based Inspections Freeport Site Example Flammable Service Risk Based Inspections Freeport Site Example Non-Corrosive Service Risk Based Inspections Validation Model (Geismar and Freeport data)

Page 46 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 12 RBI Inspection Frequency Matrix


Revision: December 2004

BASF Inspection Frequency Matrix (with indice values)


RISK LEVEL UNACCEPTABLE MANDATORY REDESIGN

51-75 PROBABILITY/LIKELIHOOD

VH

36-50

VH

VH

26-35

VH

16-25

VL

0 -15 Indicies

VL A

L B

M C CONSEQUENCE 35-49 20-29

M D

H E

Explosion Toxicity

0-19 < 10

20-34 10-19.

50-79 30-39

> 70 > 40

Page 47 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 13 Layers of Protection Analysis (LOPA)


Revision: December 2004

Summary of LOPA Methodology (for reference) The LOPA methodology establishes a well-defined and comprehensive approach for the determination of the scenario, chain of events leading to the scenario and those safeguards that could effectively break the chain of events. Before beginning the assessment, the team must set the design risk tolerance, typically 10-5 or 10-6 fatal incidents per year.
The assessment begins with a detailed definition of the ultimate consequence to be considered and all potential initiating events, which could eventually lead to that consequence. For each initiating event, a likelihood of occurrence is assigned and a chain of events or simplified fault tree is built leading to the final consequence. Next, the safeguards either inherent to or built into the process are identified and positioned in the chain of events where they could effectively break the chain. Each safeguard is then evaluated to determine whether it can be considered to be truly an independent layer of protection. All independent protection layers remaining are assigned an order of magnitude protection factor (generally the Basic Process Control System (BPCS) as a whole is given credit for only 1 order of magnitude of protection. This includes all DCS interlocks and operator responses based on DCS alarms). The determination of the independence of the layers of protection and the magnitude of protection provided are determined based on generally accepted industry practices (CCPS guidelines and IEC 61511 definitions). Definitions used for safeguard acceptability determination are found in Appendix 14. Finally, the levels of protection are added to the probability of the initiating event and compared to the target risk tolerance. If there is a shortfall in the existing layers of protection, then the methodology identifies the magnitude of risk reduction necessary to reach the target level.

LOPA Methodology compared to BASF Risk Matrix Methodology There are various differences between the methodologies using the BASF Risk Matrix and LOPA. The BASF Risk Matrix is used first to evaluate the raw risk and has a degree of credit for various Independent Protection Layers (IPLs) built into the safeguard recommendation(s) based on the determined risk level. If the raw risk is found to be unacceptable, then either a process design change or a high quality protective device / system must be used to reach the tolerable risk threshold. Once this is achieved, additional credit may be taken for IPLs to reach a risk level that is acceptable for daily operations of the plant.
The LOPA methodology takes credit for various IPLs but only those meeting the ISA84.01 / IEC 61511 definition of an IPL during the initial assessment, then compares the resulting probability to the threshold probability for a certain consequence. A raw risk is not calculated. In the strictest usage of the LOPA methodology, the results should resemble those from the BASF Risk Matrix. However, if IPLs that are not truly Independent fail to be excluded, the LOPA methodology takes too much credit for low-level safety systems, indicating a risk lower that the true risk present.

Page 48 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 13 Layers of Protection Analysis (LOPA)


Revision: December 2004

LOPA Methodology Conclusions:


Positives: One of the methodologies recommended by IEC 61511 Standard. Provides for a methodical approach of defining the chain of events from initiating event (Root or Primary Cause) to the ultimate scenario. Generally gives credit (Magnitude of risk reduction and Applicability) for safeguards only in line with CCPS/Industry standards and IEC 61511. Result typically is not significantly different than what would be determined by an experienced team using the Risk Matrix given similar target risk level, problem definition and background details / documentation. Drawbacks: If the system being studied is not fully understood, it is quite possible to take too much credit for measures that could have a common failure mode or undetected passive failures. Highly time / resource intensive Improper use tends to indicate a lower risk than is actually present (over-confidence in lower level safety measures or too much credit for safeguards). Assessment appears rigorous, yet it is based on industry averages and orders of magnitude. It can result in a false sense of precision. Assumptions used for the industry averages have to be validated as applicable for the case(s) being studied.

Page 49 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 13 Layers of Protection Analysis (LOPA)


Revision: December 2004

LOPA Basic Steps


1) 2) 3) 4) 5) 6) 7) 8) Define target or design risk tolerance. Define the ultimate consequence to be considered. Define all potential initiating events, which could eventually lead to that consequence. Determine the probability of the initiating fault or event (ex. 10-2 /yr) For each initiating event (primary cause), map the chain of events or rough fault tree leading to the final consequence. Identify the safeguards either inherent to or built onto the process. Positioned the safeguards in the chain of events where they could effectively break the chain. Evaluate each safeguard to determine whether it can be considered to be truly an independent layer of protection. To be considered an IPL, the protection layer must meet the following requirements:

Independent from other layers. Capable of being evaluated or validated for performance. Must be dependable, i.e. reduce risk by at least a factor of 10. Must completely mitigate the scenario without the assistance of any other protection layer.
9) All independent protection layers (IPLs) remaining are assigned an order of magnitude protection factor (typically 10-1 to 10-3)

10) Sum the IPLs and compare to the design risk tolerance. 11) Determine additional magnitude of additional protection if necessary.

Page 50 of 51

BASF Process Safety

Risk-Based Decision Making Guide Appendix 14 Excerpts from Horizon Presentation on IEC-61511 regarding LOPA
Revision: December 2004

Layer of Protection Analysis (LOPA)

Semi-Quantitative method that provides the performance required for the Safety F u n c ti o n Allows credit for applicable Layers of Protection Consistent method for the application and distribution of risk Simplistic-minimizes the need for complex analysis tools Repeatable conclusions-minimizes subjectivity (rule based) Can utilize risk table or matrix Consequence classification and event severity ranking Cause identification, frequency, Layers of Protection assessment and event likelihood determination Layer of Protection table ranking (Likelihood Reduction) Assignment of risk reduction to layer(s) of protection Iterative design solution utilized when risk target is not met Directly establishes first assignment of safety functions and additional layers of protection requirements

Alarm/Operator Response

Criteria for determining if credit can be taken for an alarm response Alarm independent from other control layers of protection Alarm set point falls within safe upper and lower limits Operator has a response, which prevents process hazard Operator has time to respond and is trained Alarm is not by-passable by operator Is assigned emergency priority Is part of an annual testing program per Mechanical Integrity

Controls As Protection Layers

Criteria for determining if a particular control or monitoring device can be counted as an Independent Layer of Protection Specifically designed as a safeguard for the hazard Designed as a control function-measurement and response Separate from other layers of protection Validated independently from other layers Subjected to periodic calibration and testing Maximum credit (PFD) 1/10 (unless subjected to IEC-61511)

Safety Functions-SIS

Defined in terms of measurement, actions, hazards prevention, and safe state Classified to a Safety Integrity Level with basis Safety function is quantitatively validated Logic solvers should be certified to comply with IEC-61508 for SIL 1-3 use. Variables such as MTTR, TI, PTI-require valid basis Engineering process complying with ISA-S84/IEC-61511

Page 51 of 51