Fire Risk Evaluation

Apr 03, 2018

    Doc. No. P-HSE-H6 Rev. 0 - SEPTEMBER 2009

    ESReDA Working Group on Fire Risk Analysis
    Fire Risk Analysis Process and Oil & Gas Industries
    Standard and Regulations, State of the Art & Methodologies
    D'Appolonia Contribution to ESReDA Report

    All rights, including translation, reserved. No part of this document may be disclosed to any third party, for purposes other than the original, without written consent of D'Appolonia.

    Prepared by Signature Date

    Stefania Benucci September 2009

    Simone Garrone September 2009

    Verified by Signature Date

    Paolo Paci September 2009

    Giovanni Uguccioni September 2009

    Approved by Signature Date

    Roberto Carpaneto September 2009

    Rev. | Description | Prepared by | Verified by | Approved by | Date
    0 | First Issue | SFB/SMG | PP/GMU | RC | September 2009

    TABLE OF CONTENTS

    LIST OF TABLES
    LIST OF FIGURES
    1 STANDARD AND REGULATIONS
    2 STATE OF THE ART AND METHODOLOGIES
      2.1 INTRODUCTION
      2.2 DEFINITION OF RISK ASSESSMENT OBJECTIVES
      2.3 HAZARDS IDENTIFICATION
      2.4 FIRE SCENARIOS IDENTIFICATION
      2.5 FREQUENCY ANALYSIS
        2.5.1 TOP Events Likelihood of Occurrence
        2.5.2 Loss of Containment Events Likelihood of Occurrence
        2.5.3 Scenarios Likelihood of Occurrence
      2.6 CONSEQUENCES EVALUATION
        2.6.1 Semi-empirical models
        2.6.2 Field models
        2.6.3 Integral models
        2.6.4 Zone models
      2.7 RISK ASSESSMENT
        2.7.1 Risk Matrix
        2.7.2 Location Specific Individual Risk
        2.7.3 Individual Risk
        2.7.4 Societal Risk
      2.8 RISK-BASED FIRE PROTECTION
    3 DATA FOR FIRE RISK ANALYSIS
      3.1 HISTORICAL INCIDENT DATA
      3.2 PROCESS AND PLANT DATA
        3.2.1 Plant Layout and System Description
        3.2.2 Ignition Sources and Data
      3.3 CHEMICAL DATA
      3.4 ENVIRONMENTAL AND TERRITORIAL DATA
        3.4.1 Population Data
        3.4.2 Meteorological Data
        3.4.3 Territorial Data
        3.4.4 External Event Data
      3.5 RELIABILITY DATA
        3.5.1 Human Reliability Data
      3.6 RISK UNCERTAINTY, SENSITIVITY AND IMPORTANCE
    REFERENCES

    LIST OF TABLES

    Table 2.1: HAZID categories and guidewords
    Table 2.2: Typical HAZOP Guidewords/Parameters and Deviations for Continuous Processes
    Table 2.3: Ignition Probabilities

    LIST OF FIGURES

    Figure 1.1: Fire Risk Analysis Flow Diagram
    Figure 2.1: Event Tree Example
    Figure 2.2: Fault Tree Example
    Figure 2.3: Risk matrix (Example)
    Figure 2.4: Local Risk Contour Lines (Example ARIPAR Code)
    Figure 2.5: F-N Curves (Example ARIPAR Code)
    Figure 3.1: Wind rose (example)

    D'APPOLONIA S.p.A. Via San Nazaro, 19 - 16145 Genova, Italy
    Phone +39 010 362 8148 - Fax +39 010 362 1078

    e-mail: [email protected] - Web Site: http://www.dappolonia.it

    FIRE RISK ANALYSIS
    PROCESS AND OIL & GAS INDUSTRIES,
    STANDARD AND REGULATIONS
    STATE OF THE ART & METHODOLOGIES

    D'APPOLONIA CONTRIBUTION TO ESREDA REPORT

    1 STANDARD AND REGULATIONS

    Standards and regulations currently adopted for the design of active Fire Protection Systems are discussed below, with specific emphasis on how they address Risk Analysis as part of the basis for system design.

    National regulations will be dealt with in Section 1.2 (see contribution by D'Anna and Demichela). It is expected that each member of the WG will contribute specific information related to her/his country of origin.

    This section will specifically focus on active protection in process plants. Fire protection in civil structures and buildings is understood not to be covered by the WG activities, and therefore the Eurocode, dealing with structural response in structures, is not considered here.

    Rules

    There is no general Rule defining how Risk Analysis Methods shall be adopted in the design of systems. Nevertheless, there is a strong trend to move away from a prescriptive towards a performance-based design approach, also following the introduction of rules such as ISO TR 13387 (1999), the Regulatory Reform Fire Safety Order (2005), or the Italian DM 9 May 2007. In contrast to the prescriptive approach, which only specifies methods and systems without identifying how these achieve the desired safety goal, performance-based design in the case of fire protection uses an engineering approach based on established fire safety objectives, analysis of fire scenarios and assessment of design alternatives against the objectives. This allows for more design flexibility and innovation in construction techniques and materials, gives equal or better fire safety and maximizes the cost/benefit ratio during design and construction.

    Designers of fire-fighting systems in process plants adopt either specific Company Standards (e.g. Standards from operators, such as Total or Shell, or Standards from the Engineering Companies, such as Saipem/Snamprogetti, etc.) or they follow the NFPA (mainly) or API standards, or the EN standards where present. These standards give technical solutions considered to be adequate for fire protection and generally adopted in process plant firefighting design (e.g. ISO 13702, API RP 2030 and NFPA 15 give the minimum specific flowrate to be adopted for cooling of components).

    In certain cases, they recommend the use of hazard analysis as a tool for defining the requirements; however, this is left at a very general level, without recommending any specific approach to be followed. ASTM E 1776 is a standard for people writing guides for risk assessment of alternative products within a product class. ISO TS 16732 and the SFPE Guide to Fire Risk Assessment are guidelines intended to either replace or complement conventional prescriptive codes. The NFPA 551 code is explicitly designed to assist responsible officials in their duty of confirming (or refuting) the code equivalency of a design proposal justified through a supporting Fire Risk Assessment (FRA); this code is guidance for those reviewing a Fire Risk Assessment. The International Organization for Standardization TC 92 SC 4 is working to provide Fire Safety Engineering documents for supporting performance-based design and assessment.

    The above was only a brief introduction; a description of the technical solutions given by the most widely applied rules is not part of the WG deliverables. Instead, in section 6 (comparison of methods), a comparison between the design solutions identified using a FRA approach and the design solutions obtained by the deterministic application of the Rules could be of interest.

    The case of LNG Installations

    For LNG installations, both the applicable NFPA and EN standards require a certain degree of hazard assessment.

    The standard NFPA 59A for LNG installations states the following very general principle, but gives no specific methodology or criteria for the hazard analysis:

    ________________________________________________________________

    ________________________________________________________________

    The EN standard 1473 on LNG installations, point 13.6, states:

    "Water supply systems shall be able to provide, at fire fighting system operating pressure, a water flow not less than that required by the fire fighting systems involved in the maximum single incident identified in the Hazard Assessment in 4.4 plus an allowance of 100 l/s for hand hoses. The fire water supply shall be sufficient to address this incident, but shall not be less than 2 h."

    Hazard assessment is also considered as a basis for the design of water curtains.

    However, the Hazard assessment techniques and methods to be followed are left to national

    requirements, if any, or to the decision of the designer:

    "The following methodology and requirements see annexes that show examples of frequency

    ranges, classes of consequences and levels of risks. However there is a variation in national

    and company acceptance criteria and the examples given in the informative Annexes J, K

    and L should be considered as minimum requirements. If more stringent local or national

    requirements exist they shall supersede these minimum requirements."

    And, in section 4.4.2.1 (Methodology) it is stated: "The methodology of the hazard

    assessment can be deterministic and/or probabilistic."

    Standard

    The need for a plant-specific approach for the definition of the fire-fighting system, and therefore the impossibility for a Rule to cover each case deterministically, is expressed by the following statement, taken from a major company's internal standard:

    "It is not possible to define all the fire-fighting requirements applicable to all cases and regardless of circumstances. The factors listed below (and others as applicable) shall be contemplated in the process leading to the decision to install a fire-fighting system, its type and the level of protection it provides... Each case shall be studied during project phase.

    Equipment size (as an expression of the intrinsic potential hazard e.g. a storage tank);

    Equipment cost (balanced against the cost of a fire protection system);

    Applicable codes, regulations, Insurance Company and statutory requirements;

    Facility geographical location (e.g. onshore versus offshore, populated versus desertic area, etc.);

    Criticality within the (Operating) COMPANY production scheme (e.g. one out of "n", gathering battery versus main export pump station, local electrical substation versus main switch gear room, etc.);

    Asset protection policy put in force by the (Operating) COMPANY".

    Good Practices

    Information on methods to be used for the simulation of fire and fire damage, and on technical criteria for fire protection, is provided by several references used as Best Practice in modern industry. "The SFPE Handbook of Fire Protection Engineering", by NFPA (National Fire Protection Association), is the most widely used reference: it provides comprehensive coverage of today's best practices in fire protection engineering and performance-based fire safety.

    Another widely used reference, which also provides deep methodological information is the

    "Handbook for Fire calculations and Fire risk assessment in the Process Industry" by Sintef /

    Scandpower. In this Guideline, the section on Risk Analysis (6 pages over a total of 280

    approx, excluding appendixes) gives the general flow diagram shown in Figure 1.1, where

    the main steps of a Fire Risk Analysis are highlighted.

    The first step should always be a fair understanding of the system design and operational modes (normal operation, start-up, shut-down, inspection, maintenance) through the system documentation. Based on the available information on the system and operational modes, a systematic hazard identification should be performed to list all potential hazardous events (where a hazard could be a situation in which a combustible fluid is in contact with a comburent agent in the presence of ignition).

    Then, for the identified hazardous events, the probability of occurrence has to be evaluated

    using appropriate tools and mathematical predictive models (e.g. Fault Tree Analysis) and/or

    statistical data, while the accidental consequences have to be assessed and evaluated in terms

    of physical effects (heat flux, smoke concentrations, etc.) using fluid dynamics and

    physical/chemical/mathematical models.

    Using Event Tree Analysis (an analytical and visual model which describes the event chain that develops from an initial scenario), the initial hazardous event can be broken down into the several possible scenarios which reflect the possible escalation of the different situations, taking into account external as well as internal factors such as, for instance, presence of ignition, presence of safety systems, meteorological conditions, etc.

    From the combination of the previous parameters (likelihood of occurrence and severity of consequences) the risk to personnel, to the environment and to assets can be evaluated and compared with the established acceptance criteria. Recommendations can be given in order to meet the expected safety levels for the events with intolerable consequences (Residual Accidental Events) and to improve the overall safety performance for the events whose resulting physical effects are accounted for in the design (Design Accidental Events).

    To optimize the benefit of investing in risk reducing measures, the implementation of

    additional active/passive fire-protection/detection systems can be calculated in monetary

    value and compared with the investment and maintenance cost.

    Figure 1.1: Fire Risk Analysis Flow Diagram

    2 STATE OF THE ART AND METHODOLOGIES

    2.1 INTRODUCTION

    In the modern Industry, the different approaches to fire protection are essentially two: the

    traditional approach, based on prescriptive codes, and the innovative approach, which relies

    on performance-based tools. A risk-informed, performance-based approach to fire

    protection offers an increasingly acceptable alternative to strict adherence to code

    requirements alone.

    The prescriptive codes supply the minimum requirements for fire protection systems. This is very often used as a pragmatic approach which also satisfactorily resolves insurance requirements with minimum effort. The risk analysis is done a priori by the legislator, who fixes a safety level and establishes a set of rules able to compensate for the existing risk. So the fire protection is not guaranteed on the basis of engineering principles, and fire engineers are left a narrow margin of discretion. In addition, codes are usually written to apply to typical configurations: special situations are very often disregarded or generically treated.

    With the performance-based approach the fire protection is guaranteed by the application of an engineering methodology developed on a scientific basis. It allows consideration of a large number of project variables and gives a deeper and often less expensive engineering solution than the traditional approach. This is even more true when a special situation requires tailored engineering and a fit-for-purpose safety approach.

    The approach is performance-based because it provides solutions based on performance against established goals, rather than on prescriptive requirements with implied goals. The approach is risk-informed because the analysis takes into account not only the severity of the events, but also the likelihood of the hazard and the probability of failure of any protection system present. The basic methodology is also known as Quantitative Risk Assessment (QRA), and it allows, among other things:

    the capability of early identification of weak links in loss prevention and protection systems at design phase,

    the possibility to optimize loss control investments allowing an intelligent allocation of the resources to the area giving rise to the highest risk.

    A generalized Fire Risk Analysis passes through the quantification of the consequences and estimation of the probabilities of the identified fire hazards, the identification of the hazard control options and the evaluation of their impact on the overall risk, ending with the selection, if necessary, of appropriate further protections.

    The systematic steps of a Fire Risk Assessment are (each step is detailed in the following):

    Definition of Risk Assessment Objectives;

    Hazards Identification;

    Scenarios Identification;

    Frequency of Occurrence Analysis;

    Consequences Evaluation;

    Risk Assessment;

    Risk-based fire protection analysis and recommendations.

    2.2 DEFINITION OF RISK ASSESSMENT OBJECTIVES

    Prior to the start of a Risk Assessment it is imperative to have a clear project scope (conforming to code/insurance requirements for acceptable level of risk, or reduction of human fatalities/injuries, or improving cost-effectiveness of risk prevention, minimizing business interruption, etc.), to explicitly state and agree upon project objectives, and to establish management's acceptable risk criteria for risk comparisons.

    Also, it is necessary to choose/define models and algorithms for the consequences

    determination (potential sizes of vapour clouds, overpressure from explosions, thermal

    radiation intensities), select the appropriate weather conditions and finally select appropriate

    sources of failure rate/reliability data.

    The ensemble of all the above criteria is normally called "FRA/QRA Rule Sets" and may be contained in a specific document to be issued before the development of the Fire Risk Analysis.

    2.3 HAZARDS IDENTIFICATION

    Fire Risk Analysis begins with the identification of fire hazards. This is a critical step, since fire and explosion hazards that are not properly identified and defined in terms of cause/consequences cannot be properly addressed, or can be misleading, within the risk assessment framework.

    Results of the Hazards Identification should include the identification of the physical and chemical properties of materials processed/stored/transported on site that can harm employees/public/property/environment or other selected risk targets, the identification of weaknesses in the design/operation/protection of facilities that could lead to toxic exposures, fires or explosions, and the evaluation of the potential hazardous events associated with a process or activity.

    Accurate information concerning plant processes, operating philosophy, material properties,

    inventories, processing and storage conditions is required to perform hazard identification.

    This step of the FRA is focused not only on normal operation, but also start-up, shut-down,

    inspection, maintenance.

    When possible, a review of the accidents historically recorded for similar processes and installations is important to identify possible hazards, representative failure modes (equipment related, human error, system related), ignition sources, fire propagation contributing factors, duration of the fire and general effect of loss mitigation factors.

    Accident data from specific plant operations, if available, are usually the best source and

    probably more accurate for specific equipment and operations, since the data reflect the

    operating and maintenance practices of the specific facility.

    Along with the historical review, structured analytical methodologies are available for Hazard Identification on any well known or totally new process and installations. The most frequently used structured hazard evaluation techniques include:

    Hazard Identification (HAZID);

    Hazard and Operability study (HAZOP);

    Failure Modes and Effects Analysis (FMEA);

    Checklists;

    "What-if" analysis.

    HAZID is one of the best techniques for early identification of potential hazards and threats, where hazards are any operations that could possibly cause a release of toxic, flammable or explosive chemicals (including oil and gas) or any actions that could result in injury to personnel or harm to the environment. It is commonly carried out in a workshop in which an experienced facilitator leads a team of several competent specialists of different disciplines through the identification process. The system under analysis is divided into sub-systems and for each of these a structured brainstorm is done to identify hazards using a pre-defined checklist (see Table 2.1). Where it is agreed by the Team that a significant hazard exists in a particular area, the risk posed by the hazard is considered, assessed and recorded, along with its expected consequences, safeguards and all possible means of either eliminating the hazard or controlling the risk. When necessary, specific further actions are assigned within the project parties for later follow-up and inclusion in the design.

    Table 2.1: HAZID categories and guidewords

    The HAZard and OPerability Study (HAZOP) Technique was developed in Britain by ICI (Imperial Chemical Industries, Ltd.) during the 1960s as an engineering tool to overcome the problem of the increasing complexity of modern design and to systematically identify potential issues (safety and/or operability related) in both new and existing designs for chemical and petrochemical plants.

    The HAZOP Study is a systematic analysis of the Design, developed in order to assess the

    possible hazards and the operability issues of the system. The methodology relies on a series

    of guidewords that are applied to each "node" to identify process deviations and to

    investigate their impact on Safety and Operability performances.

    Table 2.2: Typical HAZOP Guidewords/Parameters and Deviations for Continuous Processes

    PARAMETERS | GUIDEWORDS | DEVIATIONS
    flow | more, less, none, reverse, other than | high flow, low flow, no flow, reverse flow, loss of containment
    pressure | more, less, none | high pressure, low pressure, vacuum
    temperature | more, less, as well as | high temperature, low temperature, cryogenic
    level | more, less, none | high level, low level, no level
    state/composition | more, less, reverse, part of, as well as, other than | additional phase, loss of phase, change of state, off-spec composition, contaminants, corrosive concentration
    reaction | more, as well as, other than | runaway reaction, side reaction, explosion
    UTILITY: power, air, steam, nitrogen, cooling water | no | loss of
    UNSTEADY OPERATION: startup, shutdown, maintenance, sampling, drainage | as well as, other than | difficult, hazardous
    documentation | part of, as well as, other than | incomplete documentation, unclear documentation, incorrect documentation

    A "node" is a sub-system or a portion of a system which can be analyzed alone (e.g. a vessel, a column, a header, a compressor system, even a single line), together with the relevant connections to the interfaces. The totality of the nodes shall cover all the Systems under analysis, without missing any portion of them, until the whole Design is analyzed.

    The combination of Guideword and Process Parameter expresses the "Deviation", which is the subject of the discussion. The Guidewords, in a HAZOP Analysis, are the "qualifying words" for the deviation to be analyzed. Guidewords always apply to the parameter under analysis and they express a sort of "change" or "passage" from a parameter's desired state to an undesired one. In doing so, they "qualify" the passage of each parameter from the "normal" state to a "deviation condition". Table 2.2 lists the typical deviations considered during a HAZOP.

    For each deviation, the HAZOP Team identifies the possible causes and its consequences (qualitatively) on process and operation, and verifies the existence of sufficient systems of prevention, detection and correction/mitigation of the outcomes. When considered necessary, remedial measures are required depending on the expected qualitative likelihood of the event and its consequence; these are recorded in the HAZOP worksheets in the form of recommendations aimed at ensuring a subsequent proper follow-up by the project team. (Ref. EPSC, 2000; CCPS, 1992).

    Failure Modes and Effects Analysis (FMEA) is a systematic and structured methodology for analyzing potential reliability problems: it is used to identify potential failure modes, to determine their effect on the operation of the product and to identify actions to mitigate the failures and to assure the highest possible yield, quality and reliability.

    Checklist is a qualitative simplified approach, consisting of a listing of potential hazards,

    usually with recommended practices. The fire protection engineer must focus on only those

    points that are applicable to the specific project. Checklists do not capture the interaction of

    fire risk factors, including the manner in which the importance of one fire risk factor will

    change as a function of performance on another factor.

    What-if Analysis is a structured, although simplified, brainstorming method used to define what things can go wrong ("What") under certain circumstances ("If"), and to qualitatively assess the likelihood and consequences of these situations. Results of the analysis form the basis for making judgments on risk acceptability and, if necessary, for recommending a course of action. Using What-if Analysis, an experienced review team, led by an expert facilitator, can quickly and productively discern major issues concerning a process or system. Team members usually include operating and maintenance personnel, design and/or operating engineers, and a safety representative. As in HAZID and HAZOP, results of the analysis can be expressed in the form of "actions" to be later followed up by the Team.

    2.4 FIRE SCENARIOS IDENTIFICATION

    Major Accidental Events (MAEs) are defined as those events which have the potential to cause multiple fatalities or extensive asset damage, or that can potentially have massive environmental/socio-cultural effect, or negative impact on Company reputation and its ability to pursue business. MAEs are usually identified within the following categories:

    Process Deviation Events (Top Events): events occurring as a consequence of a process malfunction or an operating error and the simultaneous failure of the corresponding foreseen process protection (e.g. overpressure in a vessel whilst the PSV is not working properly);

    Loss of Containment Events ("Random" Ruptures): events randomly occurring as a consequence of an unexpected rupture and/or release from piping/equipment, due to defect, wearing, corrosion or other unforeseeable problems;

    Non-Process Events: events originated by external cause/impacts (e.g. dropped objects or naval impacts).

    HAZOP Analysis is normally considered the best way to identify all the potential credible

    causes of release and leak due to Process Deviations (typically: overpressures). As a general

    rule, all the causes/deviations that can possibly lead to an increase of operating conditions

    without realistically exceeding the design conditions are not considered as potential Top

    Events.

    For example, typically only deviations leading to an overpressure exceeding 1.5 times the design pressure of a system (i.e. the proven conditions of hydraulic/pressure testing) are considered potential MAEs for further analysis.

    Loss of containment events (Random Ruptures) are normally identified based on statistical approaches, as suggested by best practice criteria. From the project documents (P&IDs, PFDs, etc.) each unit of the facility is divided into representative sections, the possible release locations are conservatively identified and the associated loss of containment scenarios are analyzed.

    The loss of containment events from equipment or piping can be caused by unexpected failures due to material defects, fabrication errors, excessive wear or corrosion, maintenance errors, etc., and they can be difficult to quantify. It is common practice to consider these cases by assuming a set of representative leak diameters for components (vessels, pipework, pumps, compressors, valves, etc.) in each section of the plant. The Loss of Containment Events identification phase is typically carried out in three steps:

    identification of the existing isolatable sections within the facilities;

    characterization of the isolatable sections in terms of operating conditions and inventories;

    characterization of the realistic release point discharge conditions within each identified Isolatable Section.

    Non-Process events potentially evolving in Major Accidental Events are for example

    dropped object events or ship impact/collision events. These events, when found to be

    statistically significant, can lead to similar release scenarios to those previously mentioned

    for Top Events and Loss of Containment Events. The same modelling applies for

    characterizing these releases.

    A fire scenario is a time-sequence-based description of a fire incident. Structuring credible

    fire and explosion loss scenarios is a fundamental aspect of the Risk Assessment process.

    The most widely used technique for defining the structure and sequential logic of fire

    scenarios is the Event Tree Analysis. An Event Tree is a visual model which describes

    possible event chains developing from hazardous situations, such as fire initiation and

    propagation. An example of Event Tree is shown in Figure 2.1. Very often the initial

    hazardous situation (the starting box of the Event Tree) is called "Top Event" and it is in fact

    identified with HAZOP and then quantitatively characterized with FTA.

    Potential incidents of primary interest for the Fire Protection Engineer include events of

    equipment/piping direct flame impingement, radiant heat from a fire (Pool Fire, Flash Fire,

    Fireball), explosion overpressures (VCE: Vapour Cloud Explosion and UVCE: Unconfined

    Vapour Cloud Explosion) and corrosive smoke/fire products concentration.

    These events are typically associated with leaks and releases of flammable materials from piping and equipment, and the typical initiating failure events generally include mechanical

    failure (due to fatigue, corrosion, design errors, etc.), failure of Basic Process Control

    Systems (BPCS), human error, external interactions (flooding, earthquake, etc.).

    The accident sequence modelling with an Event Tree is - although visually simple - a crucial,

    challenging and complex task, which presents typical difficulties, such as:

    The process leading to the outcome scenarios is normally highly time-dependent;

    Escalation involves complex interactions between different equipment and with the surrounding environment;

    Timing and type of Human intervention may have extensive effects on the scenario development;

    Small initial differences may lead to greatly different final scenarios.

    Dynamic situations are probably the main challenge, and ETA is too static to be fully

    adequate for suitable detailed analysis of accident dynamic sequences. However, ETA is the de facto

    standard tool for scenario modelling used in QRA and Fire Risk Analysis, and

    currently no practical valid alternative tools and approaches exist for this purpose.

    Figure 2.1: Event Tree Example

    2.5 FREQUENCY ANALYSIS

    The main difference between Fire Risk Assessment (FRA) and conventional Fire Protection

    Engineering Assessment is that with FRA the assessment is not limited to deterministic analysis. In developing a FRA, the uncertainties about whether fire will occur and systems

    will operate are explicitly addressed.

    2.5.1 TOP Events Likelihood of Occurrence

    For the identified Top Events, the relevant frequency of occurrence can be evaluated using

    Fault Tree Analysis techniques.

    Potential Top Events are first identified with normal Hazard Identification techniques

    (typically: HAZOP). All causes for each significant Process Deviation identified in the

    HAZOP are considered together with the applicable safeguards and protections for

    developing a Fault Tree of the event and then performing the reliability calculations to define

    the resulting expected frequency of occurrence.

    FTA is an analytical method for characterizing the occurrence of a specified, undesired event

    (Top Event) using a graphic model (the Fault Tree) which represents the logical combination

    of basic (low-level) events resulting in the occurrence of the Top Event.

    The Fault Tree is a graphic "model" of the potential pathways in a complex system which

    can lead to a foreseeable undesired event. The pathways interconnect several kinds of

    contributory events and conditions, using the Boolean Algebra logic symbols (AND, OR,

    etc.). The Fault Tree Analysis uses numerical single probabilities of occurrence of the basic

    events (Component reliability data, or failure data) to evaluate the propagation through the

    model and eventually assess the expected frequency of the Top Event. A "typical" Fault

    Tree is presented in Figure 2.2.

    Figure 2.2: Fault Tree Example

    Reliability data considered for the FTA development can be obtained from International

    Sources databases (e.g. Sintef 1992, Sintef 2006, Exida 2007, Oreda 2002). Fault Tree

    Analysis is typically performed using specialized computer programs which automatically develop the reliability calculations as well as the graphical representation of the Fault Tree.

    Among the most commonly used commercial codes are, for instance, ASTRA-Advanced

    Software Tool of Reliability Analysis (developed by JRC), or Fault Tree+ (developed by

    Isograph Inc.).
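
    The Fault Tree quantification described in this section, as an added example that is not part of the original report and not the method of any of the tools named above: the tree is reduced to its minimal cut sets and the Top Event frequency is the sum of their products (rare-event approximation). The tree, the event names and all numerical values are constructed for illustration.

```python
"""Fault Tree quantification by minimal cut sets (constructed data)."""
from itertools import product
from math import prod

# Constructed values, for illustration only. Initiating events are
# frequencies (events/year); safeguard failures are probabilities of
# failure on demand, so every cut set holds exactly one frequency and
# its product is again a frequency in events/year.
BASIC_EVENTS = {
    "control valve fails closed": 0.1,        # events/year
    "operator closes wrong valve": 0.05,      # events/year
    "pressure transmitter fails": 0.008,      # probability on demand
    "shutdown valve fails to close": 0.002,   # probability on demand
    "relief valve fails to open": 0.001,      # probability on demand
}

# A gate is (kind, [children]); a leaf is the name of a basic event.
# Hypothetical Top Event: vessel overpressure with loss of containment.
OVERPRESSURE = ("AND", [
    ("OR", ["control valve fails closed", "operator closes wrong valve"]),
    ("OR", ["pressure transmitter fails", "shutdown valve fails to close"]),
    "relief valve fails to open",
])


def cut_sets(node):
    """Return the cut sets (frozensets of basic events) of a gate or leaf."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(child) for child in children]
    if kind == "OR":
        # Any cut set of any child causes the gate output.
        return set().union(*child_sets)
    if kind == "AND":
        # One cut set from every child must occur together.
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {kind!r}")


def minimal_cut_sets(node):
    """Drop every cut set that strictly contains another one."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def ranked_cut_sets(node, data):
    """Minimal cut sets with their frequency, largest contributor first."""
    scored = [(prod(data[e] for e in cs), sorted(cs))
              for cs in minimal_cut_sets(node)]
    return sorted(scored, reverse=True)


def top_event_frequency(node, data):
    """Rare-event approximation: sum of the minimal cut set frequencies."""
    return sum(freq for freq, _ in ranked_cut_sets(node, data))


if __name__ == "__main__":
    for freq, events in ranked_cut_sets(OVERPRESSURE, BASIC_EVENTS):
        print(f"{freq:.2e} /year  " + " AND ".join(events))
    total = top_event_frequency(OVERPRESSURE, BASIC_EVENTS)
    print(f"Top Event: {total:.2e} /year")
```

    The ranking shows which combination of failures dominates the Top Event frequency, which is where an additional safeguard gives the largest reduction.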

    2.5.2 Loss of Containment Events Likelihood of Occurrence

    In case of Loss of Containment events (Random Ruptures), historical failure data and/or

    statistical data are typically used to assess the leak frequency of occurrence. For example,

    historical failure data from the HSE Hydrocarbons Releases System (for Off-Shore

    Applications) or from the Standard Reference API RP 581 (for On-Shore Applications) can be assumed as basic failure data.

    To evaluate the expected likelihood of occurrence for each credible loss of containment

    event, all passive components identified (piping, vessels, etc.) within a given plant section

    are considered to calculate the final failure frequency: a "parts count" is performed and the

    expected frequency of failure of each "part" contributes to the frequency of the event

    analyzed. Different sizes of leaks are considered and differentiated (e.g. ", 1", 4" and Full

    Bore for API RP 581), and the "complexity" of the isolatable section is evaluated according

    to suitable criteria: given similar conditions, a simple, straight pipe with no flanges or other

    discontinuities typically has a lower leak frequency than a complex piping system with

    many flanges, tie-ins and valves along the route.

    Typically, a threshold frequency value is defined in order to focus on the most significant

    events and disregard the statistically negligible scenarios. Usually, 1.00 E-06 event/year is

    considered a reasonable (and institutionally accepted) threshold value: below this expected

    frequency, the event is not analyzed further, as it is not statistically significant. This applies

    both to Top Events and Loss of Containment Events and, as will be discussed below, to a

    single Scenario among those possible. The cut-off value is defined on the basis of the established Risk

    Acceptance Criteria: this frequency value should represent a limit

    below which any event, regardless of the severity of the consequences, poses an

    "Acceptable" Risk.

    2.5.3 Scenarios Likelihood of Occurrence

    Regardless of the events root causes (process deviation, human error, "random" loss of

    containment, etc.), once the accident has occurred, and the release has taken place, the

    dynamic evolution of the event can lead to different potential scenarios. As illustrated

    earlier, this evolution can be effectively characterized and represented by an Event Tree.

    It is obviously necessary to differentiate the expected frequency of occurrence of the

    different possible scenarios, since their respective consequences are deeply different (e.g. an

    explosion versus a harmless atmospheric dispersion).

    The frequency evaluation of the final accidental scenarios typically accounts for the

    characteristics of the released fluid (gas/liquid), for the released flow-rate, for the weather

    conditions and flammable mass formation, for the presence of ignition (immediate/delayed),

    for the presence of Safety Systems (e.g. ESD, fire fighting system), etc.

    Starting from the initial undesired accidental event (process deviation or loss of containment), the Event Tree displays the sequences of events through binary division at

    each node (e.g. Immediate Ignition: Yes/No) until all final outcomes are considered. Each

    binary node division is provided with a probability, therefore allowing the calculation of

    each final scenario frequency starting from the likelihood of occurrence of the initial event

    (see example of ET in Figure 2.1).

    For assigning the correct probabilities to each binary node division, if possible, specific and

    tailored considerations and assessments shall be made (e.g. from detailed info on the

    presence of effective potential ignition sources - see Section 3.2.2). Where project-specific

    data and info are missing, the probability values to be applied to each of the different branches

    of the Event Tree can be evaluated from standard literature data and international references (e.g. Lees, 1996; Cox et al., 1990). Typical values from literature are reported in Table 2.3.

    Table 2.3: Ignition Probabilities

    Immediate Ignition Probability

    Release rate (kg/s)    Gas/Vapour or Two-Phase Release    Liquid Release
    < 1                    0.01                               0.01
    1 - 50                 0.07                               0.03
    > 50                   0.30                               0.08

    Explosion/Flash Fire Probability (Delayed Ignition)

    Flammable Mass (kg)    Explosion Probability    Flash Fire Probability
    < 100                  0                        0.01
    100 - 1000             0.001                    0.03
    > 1000                 0.030                    0.10

    Immediate Ignition probability is expressed in this case as a step function of the flammable

    fluid release rate, but better and more sophisticated methodologies are available to evaluate

    the probability of ignition of flammable releases from onshore and offshore installations.

    For instance, "IP Ignition Probability Review, model development and look-up correlations"

    (UKOOA, 2006) provides the findings of a United Kingdom Offshore Operators Association

    (UKOOA) / Health and Safety Executive (HSE) / Energy Institute (EI) co-sponsored project undertaken by ESR Technology. In this work, look-up correlations in which ignition

    probability is a continuous function of mass release rate have been derived (continuous on

    one of three mass flowrate ranges: in any range the function is no longer constant, as in the

    previous step function, but is characterized by the same parameters).

    The possible resulting scenarios of an immediate ignition are:

    a Pool Fire for liquid releases;

    a Jet Fire for gas releases;

    a combined Pool Fire and Jet Fire for two-phase releases.

    Delayed ignition of a gas cloud can generate an explosion (UVCE or VCE) if the mass of gas

    and the partial confinement of the cloud are sufficiently large; otherwise a simple rapid

    combustion of the gas cloud enclosed within flammability limits (Flash Fire), without explosion, is more likely to occur.

    To complete the Event Trees and assess the correct scenarios frequency of occurrence it is

    necessary also to quantify the probability of Fire Protection System performance success in

    terms of conditional probabilities. Fire Protection System performance success is the

    product of three probabilistic success measures (Ref. NFPA, 2002):

    response effectiveness, correlated to the objectives of minimizing system response time;

    online availability, correlated to the objectives of minimizing system downtime;

    operational reliability, correlated to the objectives of minimizing the probability of failure on demand (PFD).

    Following the analysis with Event Tree, a number of different scenarios in different

    conditions is obtained, each with its own expected frequency of occurrence.

    Each scenario is considered credible when its frequency of occurrence (as sum of

    frequencies for all considered weather conditions) is higher than the defined cut-off

    frequency for statistically negligible events. Therefore, following ETA, each scenario with

    associated frequency of occurrence lower than the cut-off frequency is not further analyzed.

    Consequences of scenarios with significant frequency of occurrence are instead further

    assessed (see next Paragraph) and they contribute to the final Risk Level.
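
    The frequency chain of Sections 2.5.2 and 2.5.3 carried through once, as an added example that is not part of the original report: a parts count gives the leak frequency, the Event Tree branches use the values of Table 2.3, the Fire Protection System success is the product of its three measures, and the 1.00 E-06 event/year cut-off selects the scenarios to analyze. The section inventory, the per-part leak frequencies and the three protection measures are constructed; treating delayed ignition as conditional on no immediate ignition and assigning the class boundaries to the middle class are assumptions.

```python
"""Parts count and Event Tree quantification (constructed inputs)."""

CUT_OFF = 1.0e-6  # events/year, the threshold quoted in the text

# Constructed isolatable section and constructed leak frequencies
# (events/year per unit) for one representative leak size.
SECTION_PARTS = {"flange": 6, "valve": 2, "pipe_m": 20}
LEAK_FREQUENCY = {"flange": 1.0e-5, "valve": 1.0e-5, "pipe_m": 1.0e-6}

IMMEDIATE_FIRE = {"gas": "Jet Fire", "liquid": "Pool Fire",
                  "two-phase": "Pool Fire + Jet Fire"}


def parts_count(parts, leak_frequency):
    """Leak frequency of a section: sum over every part it contains."""
    return sum(qty * leak_frequency[kind] for kind, qty in parts.items())


def immediate_ignition_probability(rate_kg_s, phase):
    """Table 2.3, upper half. The class boundaries (1 and 50 kg/s) are
    assigned to the middle class here, which is an assumption."""
    column = 1 if phase == "liquid" else 0  # gas and two-phase share a column
    if rate_kg_s < 1.0:
        return (0.01, 0.01)[column]
    if rate_kg_s <= 50.0:
        return (0.07, 0.03)[column]
    return (0.30, 0.08)[column]


def delayed_ignition_probabilities(flammable_mass_kg):
    """Table 2.3, lower half: (explosion, flash fire) probabilities."""
    if flammable_mass_kg < 100.0:
        return (0.0, 0.01)
    if flammable_mass_kg <= 1000.0:
        return (0.001, 0.03)
    return (0.030, 0.10)


def fps_success(response_effectiveness, online_availability,
                operational_reliability):
    """Fire Protection System success as the product of its three measures."""
    return response_effectiveness * online_availability * operational_reliability


def event_tree(leak_freq, rate_kg_s, phase, flammable_mass_kg, p_fps):
    """Frequency (events/year) of every final outcome of the tree.

    Assumption: the delayed-ignition probabilities are conditional on the
    absence of immediate ignition.
    """
    p_imm = immediate_ignition_probability(rate_kg_s, phase)
    p_expl, p_flash = delayed_ignition_probabilities(flammable_mass_kg)
    fire = IMMEDIATE_FIRE[phase]
    ignited = leak_freq * p_imm
    not_ignited = leak_freq * (1.0 - p_imm)
    return {
        f"{fire}, protection succeeds": ignited * p_fps,
        f"{fire}, protection fails": ignited * (1.0 - p_fps),
        "Explosion": not_ignited * p_expl,
        "Flash Fire": not_ignited * p_flash,
        "Dispersion without ignition": not_ignited * (1.0 - p_expl - p_flash),
    }


def credible(scenarios, cut_off=CUT_OFF):
    """Keep only the scenarios whose frequency exceeds the cut-off."""
    return {name: f for name, f in scenarios.items() if f > cut_off}


def worked_example():
    """Gas release of 10 kg/s forming 500 kg of flammable mass."""
    leak = parts_count(SECTION_PARTS, LEAK_FREQUENCY)
    p_fps = fps_success(0.95, 0.99, 0.98)  # constructed values
    return event_tree(leak, rate_kg_s=10.0, phase="gas",
                      flammable_mass_kg=500.0, p_fps=p_fps)


if __name__ == "__main__":
    outcomes = worked_example()
    kept = credible(outcomes)
    for name, freq in outcomes.items():
        status = "analyze" if name in kept else "below cut-off"
        print(f"{name:32s} {freq:.3e} /year  {status}")
```

    The branch frequencies always sum to the initiating leak frequency, which is a quick consistency check on any Event Tree.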

    2.6 CONSEQUENCES EVALUATION

    Consequence assessment is the evaluation and measure of the physical outcomes of an event

    and/or associated scenarios. The evaluation is aimed at assessing the distances at which

    hazard threshold values are reached. The selected threshold values associated to the damage

    levels are defined prior to the development of the consequences calculations for heat

    radiation, overpressure, toxic gas dispersion, domino effects, etc. The values are normally

    set on the basis of Legislative Requirements, Corporate Policies, Design Requirements or

    Best Practice.

    The steps involved in the quantification of a flammable release include the characterization

    of the release in terms of leak size and associated release rates, the phase(s) of the released

    fluid, the duration of the event, the formation of flammable mixtures with air and associated

    masses. Critical steps are the determination of the release rate and duration, and of the

    dispersion characteristics that dictate the amount of formed flammable material. The

    duration depends also on the response time and effectiveness of shutdown or isolation and

    therefore on the position and reliability of gas and flame detectors and on the possibility to

    manually or automatically activate the emergency shutdown.

    Flammable outcomes can consist of pool fires, jet fires, BLEVEs (Boiling Liquid Expanding

    Vapor Explosions - typical of LPG products), Flash Fires and/or vapor cloud explosions.

    There are several general and specific references for the Mathematical and Physical

    background of the Consequence Modeling (AIChE-CCPS, 2000; Cremer & Warner, 1981;

    Prough, 1987; TNO, 1997). From these references, many predictive models have been

    made available to Engineers and Scientists for the assessment of fire consequence hazards,

    varying from point source techniques to more complex numerical methods based on

    Computational Fluid Dynamic (CFD) calculations. Such predictive models can be

    categorized as follows:

    semi-empirical models;

    field models;

    integral models;

    zone models.

    Several commercially available Computer Programs can be used for the consequence

    assessment, based on the application of the relevant models, which are normally hard-coded

    in the Programs. These computer models generally estimate liquid, gas or two-phase

    discharge rates, vaporization rates of liquid pool, distances to Thermal heat radiation,

    distances to overpressure levels, distances to concentrations at ground, etc. Consequence results from these commercial codes are normally presented in the form of:

    Tables: reporting, for each scenario analyzed, the distances at which threshold values of heat radiation, overpressure and gas concentration are reached;

    Contour maps: presenting the hazard distances from the release sources.

    2.6.1 Semi-empirical models

    In general, semi-empirical models are task-specific, designed to address particular hazard

    consequences, and provided with embedded correlations fitted to large-scale experimental

    data. These models are mathematically simple and can be easily computer programmed with

    short run times.

    Point source models do not predict the flame geometry, but rather assume that the source of

    thermal radiation is a single point in the flame and that a selected fraction of the heat of

    combustion is emitted as radiation. These models generally over-predict the heat flux for

    near-field conditions; however, they are reasonably reliable beyond a certain distance from

    the flame.

    Solid flame surface emitting models model the fire as a solid flame with heat being

    radiated from the surface of the flame. They rely mainly on correlations for flame geometry

    estimation, average surface emissive power (SEP) of the flame, atmospheric transmissivity

    and view factors. The various surface emitting models differ in their methods of assessing

    atmospheric attenuation of the heat flux, view factors, and the SEP. Well-validated solid

    flame models provide a better prediction of flame geometry and external thermal radiation than point source models.

    2.6.2 Field models

    Field models are CFD models based on numerical solutions of the Navier-Stokes equations

    of fluid flow (i.e. a mathematical description of the conservation of mass, momentum and

    scalar quantities in flowing fluid with a set of partial differential equations). To predict fire

    behavior, these models incorporate various sub-models to account for the physical and

    chemical processes occurring in a fire. All these models require validation against

    experimental data before their use as predictive tools.

    CFD is a powerful technique that provides an approximate solution to the coupled governing

    fluid flow equations for mass, momentum and energy transport. The flexibility of the

    technique allows the numerical solution of these equations in very complex 3-dimensional spaces, unlike simpler modelling methods. CFD is now being increasingly used in fire

    protection engineering to predict the movement of smoke in complex enclosed spaces.

    Results of the calculations are the explosive masses, the flame lengths, the pool diameters

    and the distances to the values of thermal radiation, peak overpressure and toxic

    concentrations. The results of the consequence modeling are used as input during

    Engineering to define fire and explosion protection requirements.

    Limiting factors in the applicability of these models are related to high CPU requirements

    and the need for expert users. Examples of commercially available field

    models are FDS (Fire Dynamics Simulator - NIST) and FLACS (FLame ACceleration

    Simulator), briefly presented in the following.

    Fire Dynamics Simulator (FDS) is a computational fluid dynamics model of fire-driven

    fluid flow. The software solves numerically a form of the Navier-Stokes equations

    appropriate for low-speed, thermally-driven flow, with an emphasis on smoke and heat

    transport from fires. Smokeview (SMV) is a visualization program that is used to display

    the output of FDS simulations. The Fire Dynamics Simulator and Smokeview

    applications are developed by the National Institute of Standards and Technology (NIST)

    of the United States Department of Commerce, in cooperation with VTT Technical

    Research Centre of Finland. FDS and Smokeview are free software, not subject to

    copyright protection and in the public domain.

    FLACS (FLame ACceleration Simulator) is an advanced tool for the modelling of

    ventilation, gas dispersion, vapour cloud explosions and blast in complex process areas. FLACS is used for the quantification and management of explosion risks in the offshore

    petroleum industry and onshore chemical industries. It was developed by GexCon AS of

    Norway.

    2.6.3 Integral models

    Integral models are a compromise between semi-empirical and field models, and are

    mathematically similar to field models. In fact, integral models also solve the conservation

    of mass and momentum equations and contain sub-models for combustion and heat transfer,

    however the mathematical approach is simpler than in field models, thus reducing computer

    running time.

    Some integral models have been validated against laboratory-scale experimental data and are

    commercially available, such as PHAST by DNV or EFFECTS by TNO.

    PHAST (Process Hazard Analysis Software Tools) is a well-known computer package developed by DNV which examines the progress of a chemical process incident from

    initial release through formation of a cloud or pool to final dispersion - calculating

    concentration, fire radiation, toxicity and explosion overpressure. PHAST is a

    comprehensive hazard analysis package, applicable to all stages of design and operation

    across a range of process and chemical industry sectors. It is used to identify situations

    which present potential hazards to life, property or the environment. Where congested

    layout or obstacles (e.g. walls/structures) are present, the results of PHAST analysis can

    be considered only an estimation of the actual hazard distance (in these cases a CFD

    model such as FDS or FLACS should be used for more reliable results).

    EFFECTS is a computer package developed and distributed by TNO which performs calculations to predict the physical effects of the release of hazardous materials.

    Embedded in the EFFECTS code are the models developed by TNO for calculating the

    physical effects for the release of hazardous substances (TNO, 2000, CPR14E "Yellow

    Book") and for determining possible damage to man and his environment (TNO, 1992,

    CPR16E "Green Book"). These publications have now been used around the world as a

    Standard Reference in safety studies for many years. EFFECTS can model a process

    incident from the initial release to final dispersion, calculating gas concentrations, heat

    radiation levels, peak overpressures, etc. EFFECTS models are applicable to all stages of

    design and operation across a range of process and chemical industry sectors. The same

    limitations already highlighted for the PHAST model apply.

    2.6.4 Zone models

    Zone models are simplified models where a module/room or a compartment is divided into a

    number of zones that are assumed physically distinct, but interfaced with each other and

    modelled with empirical heat and mass transfer equations. Zone models have wide

    applicability and validity only for the purposes for which they are designed, i.e. buildings

    with reasonably small rooms and predominantly small vertical vents.

    2.7 RISK ASSESSMENT

    The Assessment of the Risk is made combining the consequences and likelihood of occurrence of all scenarios considered and evaluating the resulting Risk against one or more

    measures which represent the Tolerability Criteria.

    The Ranking of the Risk and the Assessment of its tolerability are a powerful tool for

    Engineers to identify the critical aspects of any design and process, prioritize the

    available resources and - if needed - identify and define specific prevention or mitigation

    measures to reduce the scenario risk to Acceptable levels.

    Very often the Risk is evaluated via the definition and calculation of a specific Risk Index,

    which is calculated for all applicable scenarios and then for the whole area/installation and

    compared with the previously established acceptable level.

    The most common Risk Indexes evaluated within a FRA are the following:

    Qualitative Risk (based on the use of Risk Matrix);

    Local Risk (LSIR - Location-Specific Individual Risk);

    Individual Risk (IR, or IRPA - Individual Risk Per Annum);

    Societal Risk.

    2.7.1 Risk Matrix

    A Risk Matrix (or Tolerability Matrix), is a semi-quantitative tool in the form of a matrix

    that has ranges of consequence severity and likelihood of occurrence as the axes. The combination of a consequence and likelihood range gives an estimate of Risk or a Risk

    Ranking. An example of Risk Matrix is provided in Figure 2.3.

    The Risk Matrix represents the Tolerability Criterion for that specific Risk Assessment. The

    different values and "regions" of the matrix (high, medium, low, tolerable, intolerable, etc)

    can be based on Legislative and local Requirements, Corporate policies, Site-specific

    requirements, or simply best practices.

    The frequency class is attributed on the basis of the accidental scenario frequency calculated

    by Event Tree Analysis.

    The consequence class is attributed considering the extension of the hazard areas, defined on

    the basis of the threshold values defined for the job, and the presence of personnel and/or

    critical equipment within the hazard ranges.

    For scenarios classified as 'intolerable' according to the matrix, specific prevention or

    mitigation measures shall be identified and the scenario risk shall be reduced to Acceptable

    levels. For scenarios classified as belonging to the 'ALARP' region, prevention or mitigation

    measures can be identified, if they are economically and technically feasible (ALARP

    principle - As Low As Reasonably Practicable).

    Figure 2.3: Risk matrix (Example)

    2.7.2 Location Specific Individual Risk

    Location Specific Individual Risk (LSIR, or LR - Local Risk) is the risk at a particular

    location for a hypothetical individual who is permanently positioned there for 24 hours per day, 365 days per year, with no possibility of being sheltered or evacuated.

    LSIR can be graphically represented using risk contour lines. A risk contour line is a

    closed curve graphically depicting limits at constant potential risk. Points within the contour

    represent a risk greater than or equal to the risk of the contour edge. The risk contours show

    the expected frequency of fires and explosions capable of causing a specified level of harm

    to an individual at a specified location, regardless of whether or not anyone is present at that

    location to suffer that harm.

    An example of Local Risk contour lines is provided in the following Figure 2.4.

    Figure 2.4: Local Risk Contour Lines (Example ARIPAR Code)

    2.7.3 Individual Risk

    Individual Risk is the total risk of death for a fixed period of time (usually one year, thus

    called IRPA - Individual Risk Per Annum) to which a worker or a member of the community

    may be exposed from all credible hazards and sources of accidents. It is calculated as the

    multiplication of scenario frequency, portion of time for which the person is present in the

    specific location and fatality probability (or vulnerability). If there are several locations

    where the individual could be present, the total risk from the scenario can be summed from

    the risk at each location. If there are several scenarios that can involve the locations where

    one individual could be present, the total risk is summed from the risk for the single

    scenario.

    2.7.4 Societal Risk

    Societal Risk is a measure of Risk to a Group of People. It represents the level of risk

    experienced by the whole group of people exposed to the potential major accident hazards,

    and it is most often expressed in terms of the frequency distribution of multiple casualty

    events. Since this measure of risk is related to the total exposed group, it is dependent on the

    total number of people of each operators group.

    Societal Risk takes into account the likelihood of multiple casualties resulting from fires or

    explosions, and it is normally presented in the form of F/N curves, which are plots of the

    cumulative frequency of multiple fatalities (F) versus the expected number of fatalities (N).

    These curves can provide useful insight into the degree of risks from a facility or hazardous process to the employees on the plant site and to the community located beyond the plant

    boundaries. The ranking of the events that contribute most to the total risk allows the

    analysts to focus attention on the most critical failures and facilitates efficiency in assessing

    prevention and mitigation risk reduction options for those events.

    An example of F/N Curves is presented in the following Figure 2.5.

    Figure 2.5: F-N Curves (Example ARIPAR Code)

    Generally speaking, specific Software Models (e.g. ARIPAR, by University of Bologna) are

    available to assess in quantitative terms risks connected with processing, storage and

    transportation of dangerous substances. They combine the calculated consequences severity

    and likelihood of all events to produce the risk measures.
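
    The risk measures defined in Sections 2.7.2 to 2.7.4, computed from one small scenario list as an added example that is not part of the original report and not the ARIPAR implementation: LSIR at a location, IRPA for one worker, the contribution ranking and the points of the F/N curve. Scenario frequencies, vulnerabilities, fatality numbers and presence fractions are all constructed.

```python
"""LSIR, IRPA and F/N curve from a scenario list (constructed data)."""

# Constructed scenarios: frequency in events/year, expected fatalities,
# and fatality probability (vulnerability) at each location.
SCENARIOS = [
    {"name": "Jet Fire", "frequency": 6.5e-6, "fatalities": 2,
     "vulnerability": {"process area": 1.0, "control room": 0.0}},
    {"name": "Flash Fire", "frequency": 2.8e-6, "fatalities": 5,
     "vulnerability": {"process area": 1.0, "control room": 0.1}},
    {"name": "Explosion", "frequency": 1.2e-6, "fatalities": 12,
     "vulnerability": {"process area": 1.0, "control room": 0.5}},
]

# Constructed fraction of the year one operator spends at each location.
PRESENCE = {"process area": 0.05, "control room": 0.20}


def lsir(scenarios, location):
    """Location-Specific Individual Risk: the person is always present,
    so only frequency and vulnerability enter the sum."""
    return sum(s["frequency"] * s["vulnerability"][location] for s in scenarios)


def scenario_contribution(scenario, presence):
    """Risk from one scenario, summed over the locations the person visits:
    frequency x fraction of time present x fatality probability."""
    return sum(scenario["frequency"] * fraction * scenario["vulnerability"][loc]
               for loc, fraction in presence.items())


def irpa(scenarios, presence):
    """Individual Risk Per Annum: sum of the risk from every scenario."""
    return sum(scenario_contribution(s, presence) for s in scenarios)


def risk_ranking(scenarios, presence):
    """Scenario names ordered by their contribution to IRPA, largest first."""
    ordered = sorted(scenarios, reverse=True,
                     key=lambda s: scenario_contribution(s, presence))
    return [s["name"] for s in ordered]


def fn_curve(scenarios):
    """Points (N, F): F is the cumulative frequency of all events
    causing N or more fatalities."""
    levels = sorted({s["fatalities"] for s in scenarios})
    return [(n, sum(s["frequency"] for s in scenarios if s["fatalities"] >= n))
            for n in levels]


if __name__ == "__main__":
    for location in PRESENCE:
        print(f"LSIR {location:13s} {lsir(SCENARIOS, location):.2e} /year")
    print(f"IRPA operator      {irpa(SCENARIOS, PRESENCE):.2e} /year")
    print("Ranking:", ", ".join(risk_ranking(SCENARIOS, PRESENCE)))
    for n, f in fn_curve(SCENARIOS):
        print(f"N >= {n:2d}: F = {f:.2e} /year")
```

    IRPA is far lower than the LSIR of the process area because the operator spends only a small fraction of the year there; the F/N points are the values that would be plotted against a societal risk criterion.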

    If the risk is unacceptable according to the applied criteria, cost-effective options for

    reducing or mitigating risks are identified and selected, by systematically evaluating

    applicable measures to reduce the expected frequency of occurrence and/or to mitigate the

    severity of the events. Traditional fire protection measures (e.g. detection or sprinkler

    systems) and management safety controls (such as loss prevention programs and emergency procedures) are typically evaluated to establish if their implementation could reduce the Risk

    within the applicable parameters.

    2.8 RISK-BASED FIRE PROTECTION

    In conclusion, Risk-based Analysis can provide a fundamental decision support tool based

    on the expected outcomes of fire scenarios, through quantification of expected likelihood of

    occurrence and assessed consequences in terms of people exposure, equipment and structure

    damage, production down time, etc.

    On the basis of the Risk Analysis results, different alternatives for Fire prevention and

    protection are assessed evaluating the potential benefits in terms of risk-reduction versus costs for implementation, providing decision-makers with an effective instrument for

    prioritization and optimization of budget allocations, therefore aiding the correct installation

    (technically and cost-wise) of fire detection and protection systems in order to significantly

    reduce the Risk of Fire.

    3 DATA FOR FIRE RISK ANALYSIS

    This chapter presents an overview of the data typically required to perform a Fire Risk Analysis (FRA). The basic information necessary for performing a FRA on a plant or

    facility are relevant to Process, Layout, Materials and Substances, Instrumentation and

    Controls in place and existence of Protection systems. The minimum necessary data from a

    typical Project Design are (1):

    Process Flow Diagrams (PFD);

    Piping and Instrumentation Diagrams (P&ID);

    Site Layouts/Plot Plans;

    Material Safety Data Sheets;

    Heat & Material Balances;

    Process Control Philosophies;

    Safety Philosophies;

    Operation and Maintenance philosophies;

    Emergency Response Provisions;

    existing Hazard Identification studies (if any);

    Environmental and territorial data.

    As will be explained in the following, the above plant-specific data shall be integrated as

    necessary with literature and statistical data for the full identification of all inputs to the

    mathematical models which will be applied during the FRA.

    This Chapter is organized into the following sections:

    Historical Incident Data;

    Process and Plant Data;

    Chemical Data;

    Environmental and Territorial Data;

    Reliability Data;

    Uncertainty, Sensitivity and Importance.

    3.1 HISTORICAL INCIDENT DATA

    The Historical Review of accidental events recorded for similar installations to the one under

    analysis is very often the first step performed during Risk Analysis activities. The reasons

    are immediately obvious: this review is typically simple and relatively quick, it can provide

    a significant insight on "real" events which happened in the past, it can aid the Lessons

    Learning process and, through the analysis of the past events initiating causes, it can provide

    a formidable tool for identifying the typical issues and problems related to a given design.

    ¹ This is a minimum list and very likely additional information shall be needed according to the specific project.

    Historical incident data may be used either to directly estimate top event frequencies or to

    validate outcomes from frequency analysis models (e.g. FTA, ETA). To be meaningful for frequency assessment, the historical incident data must include

    sufficient and accurate records applied in a significantly large population. When the

    population is small, the statistical significance of the recorded events is poor, and no serious

    frequency assessment can be undertaken with these data².

    Most of the data sources address major events or failures such as pipeline leaks and ruptures,

    major fires or explosions, accidents causing fatalities or serious injuries, leaks of toxic

    materials, transportation accidents, i.e. events sufficiently serious to be reported in publicly

    available sources. Very often, though, little or no relevance is given to the so-called "near

    misses", i.e. events which had the potential for a major effect but which have been somehow

    "controlled" or "eliminated" thanks to the protections in place. These latter events are too

    often disregarded, although their statistical significance can be even greater than those actually reported in the databases.

    According to the type of provided data, data sources can be grouped into three categories:

    data sources that provide information on failure mechanism and initiating causes;

    data sources that provide information on consequence effects (i.e. downwind concentration levels, thermal radiation levels, etc.);

    data sources that provide information on frequencies of certain types of incidents.

    Granting the completeness and statistical significance of the analyzed data, data sources in

    the first two categories may be mostly helpful in developing Fault Tree or Event Tree models

    and in understanding the consequences of a specific incident. Data sources in the third category can be useful for frequency assessment of the events or probabilistic analysis of

    event types.

    Data are typically in the form of published statistics or computer databases available for

    consultation on a fee-paying basis. A non-exhaustive list of important available sources of

    incident data follows:

    MARS (Major Accident Reporting System) - European Commission Joint Research Centre - Italy: database on major accidents reported under the Seveso Directives; over

    700 accidents and near misses collected since 1982;

    FACTS (Failure and ACcident Technical information System) - TNO - The Netherlands:

    computerized database for incidents (worldwide) with hazardous materials, near misses also included;

    MHIDAS (Major Hazard Incident Data Service) - Head of Major Hazards and Transport Group - Warrington (UK): computerized major incident database (worldwide); incidents

    must have had potential for off-site impact to be included;

    WOAD (World Offshore Accident Databank) - DNV - Norway: computerized databank for Offshore accidents worldwide;

    Loss Prevention Bulletin - IChemE, UK: Annual survey of chemical industry accidents (worldwide), covering a wide range of accidents and with accident descriptions;

    ² However, they can be used for Hazard Identification purposes.

    "One Hundred Largest Losses" - M&M Protection Consultants - New York: Annual review of large losses in the hydrocarbon-chemical industries;

    Hazardous Cargo Bulletin: Annual Survey;

    "Loss Prevention in the Process Industries" - F. P. Lees: the book contains several case studies of major chemical incidents and a wide chronological listing of accidents;

    "Major Chemical Hazards" - Marshall: contains 40 case studies of major incidents;

    "A survey on Industrial Accident Databases", Bockholts et al. (1986);

    HSE Hydrocarbons Releases System: Off-Shore Applications;

    Standard Reference API RP 581: On-Shore Applications.

    3.2 PROCESS AND PLANT DATA

    During the development of a Fire Risk Analysis, the designated Analyst must understand and

    be thoroughly familiar with the plant/facility processes and the interdependence among units

    and different parts of the plant. He shall also have a clear knowledge of the inventories of

    substances and conditions of materials. The above information must be relevant to the plant as

    it actually operates, which may be different from the original design. Very often, the simple

    review of the Project design is not sufficient and on-site interview of operating and

    maintenance personnel and/or on-site inspection are required.

    In the following, a typical list of data and information relevant to Plant and Process Design

    necessary for the development of the FRA is described.

    3.2.1 Plant Layout and System Description

    The following typical list of required data may serve as a checklist of the necessary Plant/Process

    Design information:

    Process Flow Diagrams (PFDs), including process description, Heat and Material Balances for each stream and specific operating parameters (temperature, pressure);

    Piping and Instrument Diagrams (P&IDs), including utilities;

    plant layout drawings (plant and immediate surroundings including elevations);

    process design basis and description, including utilities (cooling, steam, electricity, instrument air, utility back-up systems);

    physical and chemical properties of all process substances (e.g. with Material Safety Data Sheets - MSDS);

    process chemistry (including side reactions under normal and abnormal conditions);

    Process fluids chemical interactions with construction material;

    Process interfaces (including vents and pressure relief systems);

    waste treatment and pollution control systems;

    equipment specifications and detailed drawings;

    fire water and drainage system drawings;

    control logics (instrument loop-sheets, relay logic diagrams);

    operating instructions and philosophies (storage inventory levels, operating schedule, start-up and shut-down, operator training, safety policy);

    protection systems diagrams (fire protection, emergency relief, interlock and alarm systems);

    maintenance records;

    maintenance philosophy and programs;

    emergency response procedures;

    past hazard identification information (if any).

    3.2.2 Ignition Sources and Data

    One fundamental step during the development of a Fire Risk Analysis is the identification of

    all ignition sources that may be reached by any clouds of released flammable material in a concentration within flammable limits.

    The type of Hazard posed by the ignition of any flammable mixtures depends heavily on the

    timing of the ignition and on the level of confinement of the released cloud. Major

    flammable releases may be ignited immediately or far from the leak source; in this latter

    case the released material can develop into a fully formed flammable cloud before ignition,

    with the possible occurrence of explosion phenomena.

    If ignition occurs relatively soon after release (due, for instance, to immediate contact with a

    hot surface) the most typical event is a jet/pool fire - depending on the nature of the released

    fluid - whose flames can directly impinge on nearby equipment and affect the

    surrounding areas with high thermal radiation levels.

    If ignition occurs after some time, the released material can accumulate into a flammable

    cloud (directly if gas or vapor or due to later evaporation if liquid) and this can be then

    ignited provoking an explosion, especially in case of high congestion of the volumes

    occupied by the flammable cloud (partial/total confinement).

    Ignition may be caused by open flames and sparks, hot surfaces, static electricity,

    mechanical friction, chemical reactions or human activities. Typical sources of ignition

    include flares, boilers, fired heaters, vehicle traffic, electrical motors, hot works (such as

    welding or cutting), lightning, overhead high voltage lines.

    When identifying potential ignition sources, all possible sources on-site are accounted for,

    starting from the immediate vicinity of the release point and then farther, in the possible

    direction of the release dispersion. It is evident that as the distance from the release point

    increases, more and more potential ignition sources can be found on the path,

    correspondingly reducing the actual likelihood that an "un-disturbed" release somehow

    travels so far without ignition.

    Calculating ignition probability is a difficult task. Given the presence of a flammable

    mixture, the probability of ignition is generally a function of two components:

    The Presence Factor: probability that the ignition source will be present;

    The Strength Factor: given that the ignition source exists, probability that it is

    capable of actually igniting the cloud in a given time interval (this depends on the energy

    of the ignition source versus the minimum energy required to ignite the flammable

    material).
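
The two factors above, combined along the path of a dispersing cloud, as an added example that is not part of the original report. The exponential form of the Strength Factor, the independence of the sources, and every source name and number are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class IgnitionSource:
    name: str
    distance_m: float     # distance from the release point
    presence: float       # Presence Factor: P(source is present/active)
    effectiveness: float  # assumed ignition effectiveness omega, in 1/s

    def strength(self, exposure_s: float) -> float:
        """Strength Factor: P(source ignites the cloud within exposure_s,
        given that it is present). Assumed form: 1 - exp(-omega * t)."""
        return 1.0 - math.exp(-self.effectiveness * exposure_s)

    def p_ignition(self, exposure_s: float) -> float:
        return self.presence * self.strength(exposure_s)


# Constructed sample data, not taken from any database.
SOURCES = [
    IgnitionSource("hot surface at pump", 5.0, 1.0, 0.010),
    IgnitionSource("fired heater", 40.0, 0.9, 0.050),
    IgnitionSource("internal road traffic", 80.0, 0.2, 0.020),
    IgnitionSource("flare", 150.0, 1.0, 0.100),
]


def ignition_profile(sources, cloud_reach_m, exposure_s):
    """Walk outward from the release point over the sources that lie inside
    the flammable cloud. Returns one row per source:
    (name, P(ignition by this source), P(first ignition happens here),
     cumulative P(ignited at or before this source))."""
    still_unignited = 1.0
    rows = []
    for src in sorted(sources, key=lambda s: s.distance_m):
        if src.distance_m > cloud_reach_m:
            break  # cloud is below the flammable limit beyond this distance
        p = src.p_ignition(exposure_s)
        first_here = still_unignited * p
        still_unignited *= 1.0 - p
        rows.append((src.name, p, first_here, 1.0 - still_unignited))
    return rows


if __name__ == "__main__":
    for name, p, first, cum in ignition_profile(SOURCES, 100.0, 60.0):
        print(f"{name:24s} p={p:.3f} first-here={first:.3f} cumulative={cum:.3f}")
```

The cumulative column rises with distance, which is the effect described above: the farther the cloud must travel, the less likely it arrives un-ignited.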

    3.3 CHEMICAL DATA

    Accurate information concerning material and substance chemical and physical properties is

    required to perform hazard evaluations. Detailed information is needed on the physical and

    chemical properties of process materials (from raw materials to intermediates and final

    products):

    thermodynamic data (including vapour pressure, boiling point, freezing point, critical temperature and pressure, enthalpies, entropies, specific and latent heats, heats of

    combustion);

    flammability data (flash point, lower and upper flammable limits, auto-ignition temperature, minimum ignition energy, burning velocity);

    dust explosion data (maximum rate of pressure rise, layer ignition temperature, cloud ignition temperature and ignition energy, minimum dust concentration for combustion);

    industrial hygiene and toxicity data (short-term exposure data, protective equipment needed);

    chemical interaction and reactivity data (including effect of contaminants).

    Some of the above data can be obtained from Material Safety Data Sheets

    (MSDS), and most other data and flammability data can be easily obtained from literature

    references³ (e.g. Fire Protection Handbook, Cote, 1986). Other suitable data sources for

    chemical and physical properties are:

    NFPA 68, 1994, "Guide for Venting of Deflagrations" - Dust data for explosion venting calculations;

    American Conference of Governmental Industrial Hygienists, 1996, "Threshold Limit Values for Chemical Substances and Physical Agents" - Industrial hygiene and toxicity

    data;

    AIChE's CCPS, 1995, "Guidelines for Chemical Reactivity Evaluation and Application to Process Design" - Information on chemical reactivity hazards.

    ³ Available data in the publications are normally given at atmospheric temperature and pressure; however, valid data at process conditions may be needed. In such cases experimental data campaigns can be found in specialized literature papers and publications.

    3.4 ENVIRONMENTAL AND TERRITORIAL DATA

    Fire Risk Analysis requires environmental and weather information and data as

    input to the prediction models, and territorial data for the assessment of impacts on the plant surroundings following an event occurrence. Territorial data can heavily affect the outcomes

    of the Risk assessment: the Risk associated with a plant in a densely populated area is

    significantly different from the Risk posed by the same plant in a remote location.

    Important territorial and environmental data include population data, site meteorological

    conditions, geographic and topographic data, and information on man-made or natural

    external events.

    3.4.1 Population Data

    The population distribution (or population density) around the site is a key input for Risk

    estimation. Sources of population data for an area are census reports, detailed maps, aerial

    photographs and site inspections by the analyst. Special attention must be given to potential

    seasonal variations, time variation (day/night), and to the population vulnerability according

    to the population type and conditions (e.g. children, adults, people with disabilities, etc.).

    3.4.2 Meteorological Data

    Gas and vapor dispersion in open air, and the transport properties of heat and radiation, are

    strongly affected by weather conditions.

    Meteorological data, including data on wind speed, temperature and atmospheric stability

    class, are typically collected by local meteorological stations at Plant sites, or they can be

    easily obtained from civil or military meteorological stations in the vicinity of the site.

    These data are generally provided in the form of statistical daily, weekly, monthly and

    annual averages over a long period of time (several years). Available data normally include

    Wind Speed and direction, Air temperature, Humidity, Solar radiation and cloudiness (from

    these latter two a significant parameter, the "Atmospheric Stability Class"⁴, can be

    calculated).

    Wind data are typically presented in aggregated form using the "Wind Roses": a circular

    multiple data graphic tool used to give a summary view of how wind speeds and directions

    are distributed at a particular location. Wind Rose diagrams normally include 8, 12 or 16

    sectors (wind directions), several wind speed "ranges" and Seven Atmospheric Stability

    Categories. A typical wind rose is shown in Figure 3.1 from which it is possible to infer the percentage frequency of the wind blowing in each direction and the wind speed in each

    direction. Disaggregated data (e.g. daily or weekly) are typically provided in tabular form.

    ⁴ The most commonly used categorization for this parameter is the Pasquill Stability Class.

    Figure 3.1: Wind rose (example)

    The degree of aggregation of meteorological data for analysis depends on the resolution and

    accuracy required by the FRA. A single "representative" weather condition (combination of

    atmospheric stability and wind speed) can be used for worst case calculations. Most Risk

    Analyses are carried out considering at least two weather conditions (more if needed):

    Weather situation representative of Stable Conditions and low wind speed, conservative

    case for flammable mass accumulation and explosion effects: typically 2F - 2 m/s wind speed and Pasquill Stability Class F (Stable);

    Weather situation representative of Neutral Conditions and medium wind speed, conservative case for distance to thermal radiation effects: typically 5D - 5 m/s wind

    speed and Pasquill Stability Class D (Neutral).

    3.4.3 Territorial Data

    Territorial data are important for the assessment of impacts on the plant surroundings

    following an event occurrence, and for carrying out the formal Risk assessment considering

    the "population" (inside the plant or outside the plant fence).

    Geographic data to be retrieved include territorial and site maps on an adequate scale, or

    aerial photographs, useful in evaluations of the effects and in the visual presentation of the

    results of the analysis (e.g. contour plots or dispersion footprints).

    Local topography is important in the mathematical modelling of the gas/vapor dispersion in

    air: obstacles need to be taken into account in the dispersion modelling algorithm with a

    ground average "roughness" parameter.

    3.4.4 External Event Data

    Under the category of "External events" fall all those occurrences which are not generated

    within the plant/facility and whose root causes are not linked in any way with the activities being carried out in the plant/facility. External events are either man-made (e.g. aircraft

    crashes), or natural (e.g. seismic events, tornadoes, flooding, etc.). With regard to natural

    occurrences, if the plant is built in an area known to be susceptible to such events, it should

    be designed to withstand them.

    Design data should be obtained on individual critical items to determine their performance

    under incident conditions. If applicable, private, Government and/or Military institutions

    shall be consulted for gaining information on expected likelihood of occurrences of events

    and their possible outcomes (e.g. expected return times, damage degrees, etc.).

    For instance, information on the frequency of seismic events and their effects can be

    obtained from the National and International Seismological Centre. Other institutions may be relevant for different scenarios. This is a verification whose benefit is evidently highest when

    performed at design stage.

    3.5 RELIABILITY DATA

    In order to estimate equipment reliability parameters and/or calculate incident likelihood of

    occurrence, failure rate data are needed for all process equipment included in the study.

    Equipment reliability can be defined as the probability that, when operating under given

    conditions, process equipment will perform its intended function adequately for a given

    period of time.

    Unavailability (or Probability of Failure on Demand - PFD) of a Protective System is the

    probability that the system is in a failure state when a demand on that system occurs.

    Tailored and plant-specific data, when available and statistically significant, are the best

    possible choice. These are very often totally missing, or lacking completeness, or with little

    statistical significance. In such cases generic average data retrieved from specialized

    literature and databases can be used. Useful literature sources for equipment reliability data and

    protective system unavailability are:

    Sintef, "Reliability Data for Safety Instrumented Systems";

    Exida, "Safety Equipment Reliability Handbook";

    Oreda, "Offshore Reliability Data Handbook 4th Edition".

    In some instances, the generic average data from literature sources can be conveniently

    combined with plant-specific Data (e.g. by a Bayesian approach), obtaining more pertinent

    data for the plant under analysis on the basis of a limited amount of plant reliability

    information.
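
One common way to carry out the combination described above, shown as an added example that is not part of the original report: a gamma prior built from a generic handbook failure rate is updated with the plant's own failure count and operating hours. The gamma-Poisson model, the average PFD approximation for a periodically tested item, and all numbers are assumptions constructed for illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class GammaRate:
    """Gamma(alpha, beta) belief about a constant failure rate (per hour)."""
    alpha: float  # shape, behaves like a count of "pseudo-failures"
    beta: float   # rate, behaves like "pseudo-hours" of exposure

    @classmethod
    def from_mean_sd(cls, mean: float, sd: float) -> "GammaRate":
        """Build the prior from a generic mean and standard deviation."""
        if mean <= 0 or sd <= 0:
            raise ValueError("mean and sd must be positive")
        return cls(alpha=(mean / sd) ** 2, beta=mean / sd ** 2)

    @property
    def mean(self) -> float:
        return self.alpha / self.beta

    def update(self, failures: int, hours: float) -> "GammaRate":
        """Conjugate update with Poisson evidence: n failures in T hours."""
        if failures < 0 or hours < 0:
            raise ValueError("evidence cannot be negative")
        return GammaRate(self.alpha + failures, self.beta + hours)

    def interval(self, level=0.90, draws=20000, seed=1):
        """Equal-tailed credible interval estimated by sampling."""
        rng = random.Random(seed)
        xs = sorted(rng.gammavariate(self.alpha, 1.0 / self.beta)
                    for _ in range(draws))
        return xs[int((1 - level) / 2 * draws)], xs[int((1 + level) / 2 * draws) - 1]


def pfd_avg(rate_per_hour: float, test_interval_hours: float) -> float:
    """Average Probability of Failure on Demand of a single item that is
    proof-tested every tau hours: lambda * tau / 2 (assumes lambda*tau << 1)."""
    return rate_per_hour * test_interval_hours / 2.0


if __name__ == "__main__":
    # Constructed values: generic rate 2e-6 /h (sd 2e-6 /h); the plant has
    # 4 detectors observed for 5 years each, i.e. 175,200 item-hours.
    prior = GammaRate.from_mean_sd(2.0e-6, 2.0e-6)
    for failures in (0, 3):
        post = prior.update(failures, 175200.0)
        lo, hi = post.interval()
        print(f"failures={failures}  plant-only={failures / 175200.0:.2e}/h  "
              f"posterior={post.mean:.2e}/h  90% interval=({lo:.1e}, {hi:.1e})  "
              f"PFD(yearly test)={pfd_avg(post.mean, 8760.0):.1e}")
```

With zero recorded failures the plant-only estimate is zero, which is unusable, while the posterior stays positive and moves only modestly from the generic value; this is the benefit of combining a limited amount of plant data with literature data.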

    3.5.1 Human Reliability Data

    A particular category of Reliability Data is represented by Human reliability information.

    This is often a major issue when developing a Risk Analysis. In many plants and facilities, in fact, the real bottleneck to safety is represented by the non-instrumented safety functions,

    i.e. those protections which need operator intervention to be actuated. In a normally

    maintained modern Plant of average complexity, operators are - by far - the most unreliable

    "protection item", as can be demonstrated by historical analysis. Human reliability

    proves to be a most important factor not only during emergency conditions, but also during

    operation and during maintenance activities.

    Probability of human error is typically inversely proportional to operator experience and

    skill; however, many factors can affect human reliability: complexity of the

    task, environmental conditions, ergonomic factors, motivation, level of perceived

    psychological stress, skill and training, presence and quality of written instructions, socio-cultural aspects, etc.

    To evaluate the probability of failure of a plant operator to carry out a certain task, it is

    possible to apply qualitative empirical techniques (such as the "TESEO" Method) or, as an

    alternative, techniques based on a Task-Analysis approach. Typically, when developing an

    FRA, empirical techniques are currently the most used; however, more complex Task-Analyses

    are increasingly applied in modern engineering.

    3.6 RISK UNCERTAINTY, SENSITIVITY AND IMPORTANCE

    Uncertainty, sensitivity and importance are central issues in the utilization of risk results

    (AIChE, CCPS, 2000):

    Uncertainty analysis is used to estimate the effect of data and model uncertainties on the risk estimate.

    Sensitivity analysis estimates the effect of varying input to component models or the models themselves, individually or in combination. It can identify which models,

    assumptions and data are important to the final risk estimate.

    Importance analysis quantifies and ranks risk estimate contributions from subsystems or components of the complete analysis.

    Data and input uncertainties arise from both lack of knowledge of specific input values and variations in input values as a function of many factors, such as time, temperature, or region

    of the country. For example, the rate of heat release may be uncertain due to lack of

    available data, but also due to the test method by which the heat release rate is measured that

    could not specify all combinations of ignition source and strength, or due to the inaccuracies

    inherent in the instrumentation used in the test. Other inputs, such as concentrations of toxic

    gases, vary with time as the fire develops and are uncertain. The species production rates,

    used to predict concentrations, are a function of the combinations of materials actually

    burned, unknown a priori.
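
The three analyses defined above, applied to one small risk model as an added example that is not part of the original report. The model form (frequency x ignition probability x loss, with a protection system that may be unavailable), the lognormal treatment of frequency uncertainty through error factors, and all scenario names and numbers are assumptions constructed for illustration.

```python
import math
import random

# Constructed inputs: release frequency f (1/yr), error factor ef on f
# (95th percentile / median), ignition probability, and loss (arbitrary
# units) when the fire protection works (c_ok) or fails (c_fail).
SCENARIOS = {
    "pump seal leak": {"f": 1e-2, "ef": 3.0, "p_ign": 0.05, "c_ok": 1.0, "c_fail": 10.0},
    "flange leak": {"f": 5e-3, "ef": 3.0, "p_ign": 0.03, "c_ok": 2.0, "c_fail": 20.0},
    "vessel rupture": {"f": 1e-5, "ef": 10.0, "p_ign": 0.50, "c_ok": 500.0, "c_fail": 1000.0},
}
PFD_PROTECTION = 0.02  # constructed unavailability of the protection system


def scenario_risk(s, pfd):
    return s["f"] * s["p_ign"] * ((1.0 - pfd) * s["c_ok"] + pfd * s["c_fail"])


def total_risk(scenarios, pfd):
    return sum(scenario_risk(s, pfd) for s in scenarios.values())


def importance(scenarios, pfd):
    """Importance: share of the total risk from each scenario, ranked."""
    total = total_risk(scenarios, pfd)
    shares = {n: scenario_risk(s, pfd) / total for n, s in scenarios.items()}
    return sorted(shares.items(), key=lambda kv: kv[1], reverse=True)


def sensitivity(scenarios, pfd, factor=2.0):
    """Sensitivity: ratio new/base total risk when one input at a time is
    multiplied by `factor` (the shared PFD, then each release frequency)."""
    base = total_risk(scenarios, pfd)
    out = {"pfd": total_risk(scenarios, min(1.0, pfd * factor)) / base}
    for name, s in scenarios.items():
        varied = dict(scenarios)
        varied[name] = dict(s, f=s["f"] * factor)
        out["f:" + name] = total_risk(varied, pfd) / base
    return out


def uncertainty(scenarios, pfd, draws=20000, seed=7):
    """Uncertainty: sample each frequency from a lognormal whose median is f
    and whose 95th percentile is f * ef; return percentiles of total risk."""
    rng = random.Random(seed)
    totals = []
    for _ in range(draws):
        sampled = {}
        for name, s in scenarios.items():
            sigma = math.log(s["ef"]) / 1.645  # 1.645 = z-score of the 95th pct
            sampled[name] = dict(s, f=rng.lognormvariate(math.log(s["f"]), sigma))
        totals.append(total_risk(sampled, pfd))
    totals.sort()
    return {p: totals[int(p / 100 * draws)] for p in (5, 50, 95)}


if __name__ == "__main__":
    print("point estimate:", total_risk(SCENARIOS, PFD_PROTECTION))
    print("importance:", importance(SCENARIOS, PFD_PROTECTION))
    print("sensitivity (x2):", sensitivity(SCENARIOS, PFD_PROTECTION))
    print("percentiles:", uncertainty(SCENARIOS, PFD_PROTECTION))
```

In this constructed case the rare vessel rupture dominates both the importance ranking and the spread of the result, because it carries the largest loss and the widest error factor.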

    Human behavioural uncertainties concern both the way in