the state of process safety qra and the road to...
TRANSCRIPT
MMI Engineeringwww.mmiengineering.com
The State of Process Safety QRA and The
Road to Meaningful and Actionable Decisions
PERF Workshop – Environmental QRA
June 28-29, 2017 Houston
Andrew StaszakMMI Engineering
Email: [email protected]
Tel: (1) 281-810-5011
Mob: (1) 979-575-1897
Topics Covered:
▪ What is ‘Quantitative Risk Assessment’ in
Process Safety?
▪ Who and What are the/our Drivers?
▪ The Quantitative Risk Assessment Construct
▪ Metrics
▪ QRA in Application – Case Study
▪ Pitfalls / Hotbed Issues
Overview
QRA in Process Safety
Risk in Definition
Quantitative Risk Assessment (QRA)
utilizes a systematic process to identify
potential impacts and consequences of
events, while considering their
likelihood of occurrence; with
cumulative consideration against a pre-
defined set of metrics.
Risk (according to Merriam-Webster)
▪ Possibility of loss or injury
▪ Someone or something that creates or suggests a hazard
▪ The chance of loss or the perils to the subject matter of an insurance contract
▪ Etc., etc., etc…
Pioneered in the nuclear industry in early 1960s.
O&G applications stated in early 1980s.
Driven by large scale incidents:
• Flixborough, UK 1974 (VCE – 28 fatalities)
• Bhopal, India 1984 (Toxic exposure – 4000
fatalities)
• Mexico City, Mexico 1984 (VCE/BLEVE – 650
fatalities)
Globally
▪ Multiple regulatory bodies (UK HSE, New South Wales,
Singapore, Australia, ...)
▪ Long history with strict requirements and specific
methods
United States
▪ No single governing body or driver
▪ Sub-sets have limited but specific requirements (FERC –
LNG, PHMSA)
▪ Multiple regulatory bodies utilize the word and recognize
the practice of risk assessment but have little or no
specifics (OSHA PSM)
▪ Guidance comes from industry bodies – CCPS, API, etc.
Numerous sources with numerous focuses
▪ Corporate policies and requirements:
BP GP and Chevron RiskMan
The Drivers
Who:
Us
• Corp
• Insurance
• People and Cultures
The Drivers Cont.
What:
Best Practices!?!?
• Ever changing and ever argued
• Depends on who you ask
• In many cases swayed by our own biases,
experiences, morals, …
Despite this, there exists a base general method for QRA which falls under generally
accepted and best practices. But, unless driven by an individual company, no two
QRAs will be identical.
The Construct of a QRA
Risk = f (scenario, consequence, frequency)
Construct a quantitative assessment that allows ‘us’ to adequately
evaluate risk; such that safeguards, corrective actions, and/or
engineered modifications can be used for risk reduction.
This function can be EXTREMELY complex, with numerous different
measures and assumptions required to close the equation.
A QRA of a large scale Refinery could have 1000s of base scenarios,
100,000s of end point consequences, and 1,000,000s of historical data
points considered.
Easy Right?
The Construct of QRA
Define
Objectives
Hazard
IdentificationHAZID
Frequency
Assessment
Consequence
Assessment
Risk
Formulation
Risk
EvaluationMitigations
Operations/Design Cont. –
Continuous Evaluation
Acceptable
Intolerable
HazID (Qualitative / Semi-Quantitative):
▪ Conducted to determine what potential upset conditions may
need to be captured
• Natural disasters (tsunami, earthquake, etc.)
• Man-made external causes (airplane, rail, or truck crash)
• Outside of normal operating conditions (human error, runaway
reaction, etc.)
• SIMOPS
▪ Risk rank (qualitative risk matrix) scenario and include in QRA if
necessary (identified as credible ???)
▪ Can include intentional acts – security vulnerability assessment
Hazard Identification - Qual
Process Breakdown:
▪ Scenario Development
• Examine P&IDs, PFDs, H&M Balance sheets, General
Arrangement
• Discretize: Breakdown process based on logical sections
(physical separation, isolation valves, process barriers)
• Determine suite of releases/hole sizes. A representation of
random failures (leaks, breaks, ruptures, manufacturing flaws,
etc..)
3 is usually considered acceptable – but may not be a good representation.
• It is possible to group similar sections; multiplies the risk
• Upset conditions (from HAZID). How will they be represented?
• What operational conditions will be evaluated?
Normal, temporary, batch, emergency, …
Hazard Identification - Quant
Process Breakdown:
▪ Frequency Assessment
• Perform parts count and use appropriate failure frequency
database to determine leak frequency for defined process
sections (on/off-shore, cryogenic, custom)
How will frequencies be discretized (median, log average, upper/lower
biased)
Most release frequency is biased to less than 25mm hole sizes
Are there cases that results in no-consequence and can be filtered (<3mm)
• Perform LOPA style analysis to determine failure frequency for
upset scenarios
• Develop frequencies for “unknown/unique events”, requires
input from industry experts and “best” engineering judgment
• Determine if process is operating as designed?
Hazard Identification – Quant 2
Modeling:
▪ Define outcomes for each scenario – end point consequences –
build event tree
• Careful! – how deep down the rabbit hole do you go?
▪ Determine level of “models” to be used…
▪ Perform consequence analysis to determine extent of impact to
targets of interest
• Toxic lethality
• Blast loadings
• Thermal impacts
• Building damage
• Kinetic impacts
• Dispersion
▪ Exceedance or continual damage model
Consequence Assessment
Consequence Assessment 2
Events and Probabilities:
▪ Apply modifying probabilities
• Weather (direction and speed, seasonal, yearly,
average, …)
• Lethality
• Exposure duration (time discretization)
• Ignition, and so on
Example event tree
Consequence Assessment 3
Two-Phase Release Event Tree
▪ Risk is a relative metric, it means
nothing on its own.
▪ Define risk criteria metrics
Risk Matrix (qualitative)
Individual Risk (IRPA)
Societal Risk (F-N curve)
Fatal Accident Rate (FAR)
Risk Indices
Injury Rate
Potential Loss of Life (PLL)
Cost Analysis…
▪ If possible the criteria should be
selected before the project begins.
▪ Risk is typically defined uniformly for
all hazards and across all business
types.
▪ Define how it will be evaluated and
implemented.
▪ Can the criteria be reached and
maintained?
Risk Criteria
The universal choice
1x10-4
But why?
Individual Risk:
▪ Typically a single value that is defined as: consequence at a
given rate
• Fatalities/year
• Injuries/year
• $ lost/year
• Environmental impact/year
▪ There are multiple indices in which individual risk can be
measured by:
• LSIR (location specific)
• IRPA (per annum)
• PLL (Potential Loss of Life)
• Average IR
• Maximum IR
Risk Criteria 2
Societal Risk:
Risk Criteria 3
Societal Risk Criteria
1.00E-09
1.00E-08
1.00E-07
1.00E-06
1.00E-05
1.00E-04
1.00E-03
1.00E-02
1 10 100 1000
N (Number of Fatalities)
F (
the F
req
uen
cy o
f N
or m
ore F
ata
liti
es)
Intolerable
NegligibleALARP
Intolerable
Negligible
Can and is evaluated for on and off-site.
Alternate Risk Result Applications:
Risk Criteria 4
Risk Interpretation and Mitigation Strategies:
▪ If risk criteria is exceeded, then you must determine what/how to
mitigate:
• Threat (change process, alter scenario, application of
consequence, etc.)
• Target (adjust occupancy, strengthen buildings or equipment,
add shielding, etc.)
• Determine level and priority of required mitigations, may include
quantification for ALARP.
▪ Sensitivity calculations – Do you understand what is driving
the risk.
• Should assumptions, frequency, or consequence be further
investigated?
▪ Is the project / activity / operation still feasible?
▪ What will be the revalidation interval, or what changes (MOC) will
trigger a reval?
Risk Evaluation
Case Study: Asset Protection
▪ Data generated during a QRA can be utilized in risk based design of
asset protection systems.
• Guidance documents provide – prescriptive steps, but significant
cost and operational constraints can be reduced in performance
(risk) based design.
• Quantitative risk analysis allows us to do this.
▪ Using QRA a performance of the system can be evaluated against a
desired criteria.
▪ In this case, setting the survivability of equipment to a return
period (/year selection) and constrained by evacuation time.
▪ The analysis can determine what level of passive fire protection is
required for various elements of the system.
Case Study: Asset Protection 2
Peak Heat Flux
Background Heat Flux
Case Study: Personnel Safety
▪ Individual Risk (IR) is a critical metric in QRA evaluation.
• Allows the identification of risk to specific people and locations on a
site.
• Allows identification of where or what events may be contributing to
risk.
Case Study: Personnel Safety 2
Sensitivity Case
LSIR Category (/yr)
Jet Fire Pool Fire Explosion
/ FF JF + EXP
/ FF Total
BC 4.57E-05 0.00E-00 6.12E-05 3.24E-06 1.10E-04
S-1 5.99E-05 0.00E-00 1.18E-04 4.90E-06 1.83E-04
S-2 5.99E-05 0.00E-00 7.87E-05 4.22E-06 1.43E-04
S-3 4.57E-05 0.00E-00 4.08E-05 2.89E-08 8.94E-05
S-4 5.86E-05 0.00E-00 1.18E-04 4.48E-06 1.82E-04
Percent Change from Base Case
S-1 31% 0% 93% 51% 66%
S-2 31% 0% 29% 30% 30%
S-3 0% 0% -33% -99% -19%
S-4 28% 0% 93% 38% 65%
▪ If risk is identified as unacceptable/ALARP:
• Investigate data to identify best course of mitigation….i.e. “Best Bag
for the Buck”
• Sensitives can confirm reduction to an appropriate level.
Inclusion of
increased detection
capabilities,
improved isolation,
and control room
protection.
Issues that arise…
▪ Which frequency database to use
• Onshore vs. offshore
• Is the data relevant?
• Do incidents need to be filtered or revised?
• What if the frequency does not exist or is limited?
▪ Which modifiers to use
• Assume weather parameters are dependent or treat independently
• Process modifiers (as per API 581)
• Ignition probability (many different models)
• Does the frequency database adequately represent the
equipment/process?
• Is the process operating as designed?
• Should we utilize facility specific data (existing sites) or known
company data?
Pitfalls & Hotbed Issues
Issues that arise…
▪ The calculated risk is based on a snap-shot in time
• How do we account for continued changes during design?
• How do we account for changes/additions to a process or facility?
• What if the location or layout of the facility changes?
• Risk during turn-around?
▪ Risk criteria can vary both intercompany and across countries/
governing bodies, how do we handle this?
▪ In an effort to make risk “As low as reasonably practicable” where do
we stop?
• Analyzing the risk away
• Safety vs Cost
• Perceived Risk…viewed from the public
▪ Mitigations can reduce risk but they can also displace them to
somewhere / something else.
Pitfalls & Hotbed Issues 2