Loss of containment QRA modeling
Updated: Jun 12
Process facilities that handle flammable or toxic fluids, where a release can result in a major accident, can benefit greatly from QRA modelling.
Quantitative Risk Analysis (QRA) is a well-established method for quantifying risk to personnel, environment and assets. In this insight, the focus will be on quantifying risk to personnel. The required resolution of a QRA, and therefore the calculation work, differs greatly depending on whether only the risk to 3rd party personnel (civilians outside the plant boundary) or the risk to 1st and 2nd party personnel working within the plant boundary needs to be assessed. However, the principal methodology is the same in both cases and will be the theme of this insight.
The purpose of a QRA can vary. Typical reasons for performing a QRA are:
- Evaluate if the risk is below quantitative risk acceptance criteria (RAC) set out by authorities and/or operators of the facility;
- Establish safety distances between the facility and surroundings, e.g. for urban planning purposes;
- A decision tool during the design of a facility to evaluate various design alternatives from a risk perspective.
The first two bullets represent how QRAs are normally performed in order to prove that the risk of a facility is acceptable. Unfortunately, the third bullet is often overlooked even though much can be gained from an active use of QRA in the design phase. A specific facility can most likely be built in a number of different ways that all result in acceptable risk levels, but some of the design variations will have lower risk than others and should be selected based on the ALARP principle.
The focus of the present insight is to present the typical QRA methodology for evaluating loss of containment (LOC) scenarios. A schematic of the most basic QRA methodology is provided in Figure 1.
It is very important to establish the context of a QRA at the start of a project. Here it is relevant to determine the purpose and scope of the QRA, the risk metrics and associated risk acceptance criteria (RAC) to be applied, and the main QRA methodology.
Information gathering (system description)
All QRAs start out with information gathering in order to understand the facility and how it is operated. For a new facility, this requires a close dialogue with the design team. Accident experience from similar facilities needs to be investigated at this stage.
QRAs for existing facilities require a dialogue with the operational team with special emphasis on lessons learned, previous accidents and near misses.
Typical design documentation required in both cases is Piping and Instrumentation Diagrams (P&IDs), Heat & Mass Balances of the process, layout drawings, process simulation data, the safety and operation philosophy of the plant, etc.
Before starting the QRA it is important to identify the hazards present at the plant. This is best done in a formal, structured, multidiscipline HAZID workshop. This step is very important, as any hazards not identified will be missing from the subsequent QRA modelling, no matter what fancy software and mathematics are applied in that modelling.
It may be more or less straightforward to identify “direct” hazards of the plant. But it can be challenging to identify domino (escalation) effects or new hazards from unwanted or unexpected chemical reactions etc. The risk to 3rd parties outside the fence (or plant boundary) can in many cases be dominated by domino effects and such effects can easily be overlooked unless the HAZID is conducted in a thorough way.
Risk quantification of a specific accident scenario is given by the multiplication of the frequency of the accident occurring and the consequences (e.g. impact on personnel).
In the frequency analysis, the accident scenario of a LOC is defined e.g. as a certain leak size (hole diameter) on a certain process system, instantaneous loss of inventory or similar. Many different LOCs for each of the different parts of process systems may need to be defined in order to achieve a sufficient resolution of the risk (e.g. a range of different leak sizes).
When the LOC scenarios have been defined, the frequency of each scenario is normally assigned based on historic accident statistics, e.g. from the TNO “Purple Book”, IOGP’s Risk Assessment Data Directory or other sources. The frequency assignment may involve a parts count based on the P&IDs for the process facility. An alternative to using generic historic accident release frequencies is to perform a Fault Tree Analysis (FTA) to determine the frequency based on the potential failure mechanisms leading to the LOC.
The release itself is only the initiating event of a LOC scenario which, depending on the circumstances, often branches into several different accident event outcomes. For instance, the accident outcome may depend on whether ignition occurs or not, whether any ignition is early or delayed, wind direction, wind strength etc. All the different accident event outcomes from a specific LOC scenario are typically modelled by event trees.
The event tree is used to calculate accident event outcome frequencies based on the initiating LOC release frequency and various probabilities, such as ignition probabilities, wind rose probabilities and safety barrier failure probabilities.
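The event tree calculation described above, as an added example that is not part of the original article: a small recursive evaluator that multiplies the initiating LOC frequency down each branch. The tree layout, the leak frequency and every probability are constructed for illustration and are not taken from the Purple Book, IOGP or any other source.

```python
import math

def outcome_frequencies(node, freq):
    """Walk an event tree and return {outcome name: frequency per year}.

    A node is either a string (leaf = accident event outcome) or a tuple
    (question, [(branch label, conditional probability, child node), ...]).
    """
    if isinstance(node, str):
        return {node: freq}
    question, branches = node
    total = sum(p for _, p, _ in branches)
    # Branch probabilities at one node must be exhaustive; otherwise part of
    # the release frequency silently disappears from the risk picture.
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"branches of '{question}' sum to {total}, not 1")
    result = {}
    for _, p, child in branches:
        for name, f in outcome_frequencies(child, freq * p).items():
            result[name] = result.get(name, 0.0) + f
    return result

# Constructed event tree for a flammable gas leak (illustrative values only).
TREE = ("immediate ignition?", [
    ("yes", 0.10, "jet fire"),
    ("no", 0.90, ("delayed ignition?", [
        ("yes", 0.20, ("congested area reached?", [
            ("yes", 0.30, "explosion"),
            ("no", 0.70, "flash fire"),
        ])),
        ("no", 0.80, "unignited dispersion"),
    ])),
])

LEAK_FREQUENCY = 1.0e-4  # initiating LOC frequency per year, constructed

if __name__ == "__main__":
    freqs = outcome_frequencies(TREE, LEAK_FREQUENCY)
    for name, f in freqs.items():
        print(f"{name:22s} {f:.2e} /yr")
    # The outcome frequencies must add up to the initiating frequency again.
    print(f"{'sum':22s} {sum(freqs.values()):.2e} /yr")
```
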
The different accident event outcomes of a LOC scenario will typically represent different sorts of consequences such as jet fire, pool fire, flash fire, explosion, BLEVE, toxic gas cloud etc.
The effect distances of these consequences can be calculated by empirical formulas, phenomenological models or ultimately by Computational Fluid Dynamics (CFD). Based on the context the consequences can be calculated by either in-house calculation tools or by various commercially available software.
The consequence calculations are based on the release rate of the LOC and fluid type released. Weather conditions and the general surroundings can also impact the consequence outcomes.
Effect distances of heat radiation levels, blast loads, and toxic concentrations resulting in certain probabilities of fatality are calculated.
The final step in risk quantification is to combine accident event outcome frequencies and consequences to establish the risk to personnel. A number of different risk metrics exist, with different merits, to express the risk to personnel. For QRA of onshore plants individual risk (IR) iso contours and societal risk in the form of F-N curves are typically calculated.
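A sketch of this risk integration step, added here as an example and not ORS's tool or code from the original article. It assumes step-function fatality zones, one fixed fatality count per outcome, and a four-sector wind rose; all names and numbers are constructed.

```python
# Each outcome: (name, frequency per year, fatality zones, fatalities N, wind_driven)
# Zones are (effect distance in m, probability of fatality inside that distance).
# wind_driven=True means the effect only reaches the sector the wind blows towards.
OUTCOMES = [
    ("jet fire",   1.0e-5,  [(20, 1.0), (35, 0.1)], 1,  False),
    ("explosion",  5.4e-6,  [(40, 1.0), (90, 0.1)], 12, False),
    ("flash fire", 1.26e-5, [(60, 1.0)],            4,  True),
]

# Constructed wind rose: probability that the wind blows towards each sector.
WIND_ROSE = {"N": 0.15, "E": 0.25, "S": 0.20, "W": 0.40}

def p_fatality(zones, distance):
    """Step function: fatality probability of the innermost zone covering distance."""
    for radius, p in sorted(zones):
        if distance <= radius:
            return p
    return 0.0

def individual_risk(distance, sector):
    """IR per year for a person permanently present at this distance and sector."""
    ir = 0.0
    for _, freq, zones, _, wind_driven in OUTCOMES:
        direction_p = WIND_ROSE[sector] if wind_driven else 1.0
        ir += freq * direction_p * p_fatality(zones, distance)
    return ir

def fn_curve(outcomes):
    """Return [(N, F)], where F is the frequency per year of N or more fatalities."""
    levels = sorted({n for _, _, _, n, _ in outcomes})
    return [(n, sum(f for _, f, _, m, _ in outcomes if m >= n)) for n in levels]

if __name__ == "__main__":
    # IR along one direction; evaluated on a grid this gives the IR iso contours.
    for d in (10, 30, 50, 80, 100):
        print(f"IR at {d:3d} m, sector W: {individual_risk(d, 'W'):.2e} /yr")
    for n, f in fn_curve(OUTCOMES):
        print(f"F(N >= {n:2d}) = {f:.2e} /yr")
```
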
In ORS we prefer to use in-house developed tools for the risk integration to be independent of commercial software, avoid “black-box” issues and be able to customize and share the model with plant operators in a more flexible way. The advantage of performing risk integration by the internal tool is that consequences can be calculated by using a mix of in-house and commercial software in the consequence evaluation, and not be stuck with software compatible with the risk integration of specific commercial software.
Assumptions and uncertainties
QRA modelling is not an exact science and relies on a number of assumptions. As with all other attempts at mathematical modelling of reality, “garbage in equals garbage out”, no matter the sophistication of the mathematics applied in the modelling. The basic assumptions made for the QRA are therefore essential for the outcome of the analysis. It is important that the assumptions are documented and validated to the extent possible. Critical assumptions with a high degree of uncertainty should be investigated by a series of sensitivity studies. It is very important to understand the uncertainties in QRA modelling and that QRA does not represent absolute truth but should be viewed only as an aid in decision-making.