MMI Engineeringwww.mmiengineering.com

The State of Process Safety QRA and The

Road to Meaningful and Actionable Decisions

PERF Workshop – Environmental QRA

June 28-29, 2017 Houston

Andrew StaszakMMI Engineering

Email: astaszak@mmiengineering.com

Tel: (1) 281-810-5011

Mob: (1) 979-575-1897

Topics Covered:

▪ What is ‘Quantitative Risk Assessment’ in

Process Safety?

▪ Who and What are the/our Drivers?

▪ The Quantitative Risk Assessment Construct

▪ Metrics

▪ QRA in Application – Case Study

▪ Pitfalls / Hotbed Issues

Overview

QRA in Process Safety

Risk in Definition

Quantitative Risk Assessment (QRA)

utilizes a systematic process to identify

potential impacts and consequences of

events, while considering their

likelihood of occurrence; with

cumulative consideration against a pre-

defined set of metrics.

Risk (according to Merriam-Webster)

▪ Possibility of loss or injury

▪ Someone or something that creates or suggests a hazard

▪ The chance of loss or the perils to the subject matter of an insurance contract

▪ Etc., etc., etc…

Pioneered in the nuclear industry in early 1960s.

O&G applications stated in early 1980s.

Driven by large scale incidents:

• Flixborough, UK 1974 (VCE – 28 fatalities)

• Bhopal, India 1984 (Toxic exposure – 4000

fatalities)

• Mexico City, Mexico 1984 (VCE/BLEVE – 650

fatalities)

Globally

▪ Multiple regulatory bodies (UK HSE, New South Wales,

Singapore, Australia, ...)

▪ Long history with strict requirements and specific

methods

United States

▪ No single governing body or driver

▪ Sub-sets have limited but specific requirements (FERC –

LNG, PHMSA)

▪ Multiple regulatory bodies utilize the word and recognize

the practice of risk assessment but have little or no

specifics (OSHA PSM)

▪ Guidance comes from industry bodies – CCPS, API, etc.

Numerous sources with numerous focuses

▪ Corporate policies and requirements:

BP GP and Chevron RiskMan

The Drivers

Who:

Us

• Corp

• Insurance

• People and Cultures

The Drivers Cont.

What:

Best Practices!?!?

• Ever changing and ever argued

• Depends on who you ask

• In many cases swayed by our own biases,

experiences, morals, …

Despite this, there exists a base general method for QRA which falls under generally

accepted and best practices. But, unless driven by an individual company, no two

QRAs will be identical.

The Construct of a QRA

Risk = f (scenario, consequence, frequency)

Construct a quantitative assessment that allows ‘us’ to adequately

evaluate risk; such that safeguards, corrective actions, and/or

engineered modifications can be used for risk reduction.

This function can be EXTREMELY complex, with numerous different

measures and assumptions required to close the equation.

A QRA of a large scale Refinery could have 1000s of base scenarios,

100,000s of end point consequences, and 1,000,000s of historical data

points considered.

Easy Right?

The Construct of QRA

Define

Objectives

Hazard

IdentificationHAZID

Frequency

Assessment

Consequence

Assessment

Risk

Formulation

Risk

EvaluationMitigations

Operations/Design Cont. –

Continuous Evaluation

Acceptable

Intolerable

HazID (Qualitative / Semi-Quantitative):

▪ Conducted to determine what potential upset conditions may

need to be captured

• Natural disasters (tsunami, earthquake, etc.)

• Man-made external causes (airplane, rail, or truck crash)

• Outside of normal operating conditions (human error, runaway

reaction, etc.)

• SIMOPS

▪ Risk rank (qualitative risk matrix) scenario and include in QRA if

necessary (identified as credible ???)

▪ Can include intentional acts – security vulnerability assessment

Hazard Identification - Qual

Process Breakdown:

▪ Scenario Development

• Examine P&IDs, PFDs, H&M Balance sheets, General

Arrangement

• Discretize: Breakdown process based on logical sections

(physical separation, isolation valves, process barriers)

• Determine suite of releases/hole sizes. A representation of

random failures (leaks, breaks, ruptures, manufacturing flaws,

etc..)

3 is usually considered acceptable – but may not be a good representation.

• It is possible to group similar sections; multiplies the risk

• Upset conditions (from HAZID). How will they be represented?

• What operational conditions will be evaluated?

Normal, temporary, batch, emergency, …

Hazard Identification - Quant

Process Breakdown:

▪ Frequency Assessment

• Perform parts count and use appropriate failure frequency

database to determine leak frequency for defined process

sections (on/off-shore, cryogenic, custom)

How will frequencies be discretized (median, log average, upper/lower

biased)

Most release frequency is biased to less than 25mm hole sizes

Are there cases that results in no-consequence and can be filtered (<3mm)

• Perform LOPA style analysis to determine failure frequency for

upset scenarios

• Develop frequencies for “unknown/unique events”, requires

input from industry experts and “best” engineering judgment

• Determine if process is operating as designed?

Hazard Identification – Quant 2

Modeling:

▪ Define outcomes for each scenario – end point consequences –

build event tree

• Careful! – how deep down the rabbit hole do you go?

▪ Determine level of “models” to be used…

▪ Perform consequence analysis to determine extent of impact to

targets of interest

• Toxic lethality

• Blast loadings

• Thermal impacts

• Building damage

• Kinetic impacts

• Dispersion

▪ Exceedance or continual damage model

Consequence Assessment

Consequence Assessment 2

Events and Probabilities:

▪ Apply modifying probabilities

• Weather (direction and speed, seasonal, yearly,

average, …)

• Lethality

• Exposure duration (time discretization)

• Ignition, and so on

Example event tree

Consequence Assessment 3

Two-Phase Release Event Tree

▪ Risk is a relative metric, it means

nothing on its own.

▪ Define risk criteria metrics

Risk Matrix (qualitative)

Individual Risk (IRPA)

Societal Risk (F-N curve)

Fatal Accident Rate (FAR)

Risk Indices

Injury Rate

Potential Loss of Life (PLL)

Cost Analysis…

▪ If possible the criteria should be

selected before the project begins.

▪ Risk is typically defined uniformly for

all hazards and across all business

types.

▪ Define how it will be evaluated and

implemented.

▪ Can the criteria be reached and

maintained?

Risk Criteria

The universal choice

1x10-4

But why?

Individual Risk:

▪ Typically a single value that is defined as: consequence at a

given rate

• Fatalities/year

• Injuries/year

• $ lost/year

• Environmental impact/year

▪ There are multiple indices in which individual risk can be

measured by:

• LSIR (location specific)

• IRPA (per annum)

• PLL (Potential Loss of Life)

• Average IR

• Maximum IR

Risk Criteria 2

Societal Risk:

Risk Criteria 3

Societal Risk Criteria

1.00E-09

1.00E-08

1.00E-07

1.00E-06

1.00E-05

1.00E-04

1.00E-03

1.00E-02

1 10 100 1000

N (Number of Fatalities)

F (

the F

req

uen

cy o

f N

or m

ore F

ata

liti

es)

Intolerable

NegligibleALARP

Intolerable

Negligible

Can and is evaluated for on and off-site.

Alternate Risk Result Applications:

Risk Criteria 4

Risk Interpretation and Mitigation Strategies:

▪ If risk criteria is exceeded, then you must determine what/how to

mitigate:

• Threat (change process, alter scenario, application of

consequence, etc.)

• Target (adjust occupancy, strengthen buildings or equipment,

add shielding, etc.)

• Determine level and priority of required mitigations, may include

quantification for ALARP.

▪ Sensitivity calculations – Do you understand what is driving

the risk.

• Should assumptions, frequency, or consequence be further

investigated?

▪ Is the project / activity / operation still feasible?

▪ What will be the revalidation interval, or what changes (MOC) will

trigger a reval?

Risk Evaluation

Case Study: Asset Protection

▪ Data generated during a QRA can be utilized in risk based design of

asset protection systems.

• Guidance documents provide – prescriptive steps, but significant

cost and operational constraints can be reduced in performance

(risk) based design.

• Quantitative risk analysis allows us to do this.

▪ Using QRA a performance of the system can be evaluated against a

desired criteria.

▪ In this case, setting the survivability of equipment to a return

period (/year selection) and constrained by evacuation time.

▪ The analysis can determine what level of passive fire protection is

required for various elements of the system.

Case Study: Asset Protection 2

Peak Heat Flux

Background Heat Flux

Case Study: Personnel Safety

▪ Individual Risk (IR) is a critical metric in QRA evaluation.

• Allows the identification of risk to specific people and locations on a

site.

• Allows identification of where or what events may be contributing to

risk.

Case Study: Personnel Safety 2

Sensitivity Case

LSIR Category (/yr)

Jet Fire Pool Fire Explosion

/ FF JF + EXP

/ FF Total

BC 4.57E-05 0.00E-00 6.12E-05 3.24E-06 1.10E-04

S-1 5.99E-05 0.00E-00 1.18E-04 4.90E-06 1.83E-04

S-2 5.99E-05 0.00E-00 7.87E-05 4.22E-06 1.43E-04

S-3 4.57E-05 0.00E-00 4.08E-05 2.89E-08 8.94E-05

S-4 5.86E-05 0.00E-00 1.18E-04 4.48E-06 1.82E-04

Percent Change from Base Case

S-1 31% 0% 93% 51% 66%

S-2 31% 0% 29% 30% 30%

S-3 0% 0% -33% -99% -19%

S-4 28% 0% 93% 38% 65%

▪ If risk is identified as unacceptable/ALARP:

• Investigate data to identify best course of mitigation….i.e. “Best Bag

for the Buck”

• Sensitives can confirm reduction to an appropriate level.

Inclusion of

increased detection

capabilities,

improved isolation,

and control room

protection.

Issues that arise…

▪ Which frequency database to use

• Onshore vs. offshore

• Is the data relevant?

• Do incidents need to be filtered or revised?

• What if the frequency does not exist or is limited?

▪ Which modifiers to use

• Assume weather parameters are dependent or treat independently

• Process modifiers (as per API 581)

• Ignition probability (many different models)

• Does the frequency database adequately represent the

equipment/process?

• Is the process operating as designed?

• Should we utilize facility specific data (existing sites) or known

company data?

Pitfalls & Hotbed Issues

Issues that arise…

▪ The calculated risk is based on a snap-shot in time

• How do we account for continued changes during design?

• How do we account for changes/additions to a process or facility?

• What if the location or layout of the facility changes?

• Risk during turn-around?

▪ Risk criteria can vary both intercompany and across countries/

governing bodies, how do we handle this?

▪ In an effort to make risk “As low as reasonably practicable” where do

we stop?

• Analyzing the risk away

• Safety vs Cost

• Perceived Risk…viewed from the public

▪ Mitigations can reduce risk but they can also displace them to

somewhere / something else.

Pitfalls & Hotbed Issues 2

MMI Engineeringwww.mmiengineering.com

Questions ???

And Thanks!