Abstract
Quantitative Risk Assessment (QRA) has been a very popular and useful methodology which is widely accepted
by the industry over the past few decades. QRA is typically carried out at a stage where complete plant has been
designed and sited. At that time, the opportunity to include inherent safety design features is limited and may
incur higher cost. This paper proposes a new concept to evaluate risk inherent to a process owing to the chemical
it uses and the process conditions. The risk assessment tool is integrated with process design simulator (HYSYS) to
provide necessary process data as early as the initial design stages, where modifications based on inherent safety
principles can still be incorporated to enhance the process safety of the plant. The risk assessment tool consists of two
components which calculate the probability and the consequences relating to possible risk due to major accidents. A
case study on the potential explosion due to the release of flammable material demonstrates that the tool is capable
to identify potential high risk of process streams. Further improvement of the process design is possible by applying
inherent safety principles to make the process under consideration inherently safer. Since this tool is fully integrated
with HYSYS, re-evaluation of the inherent risk takes very little time and effort. The new tool addresses the lack of
systematic methodology and technology, which is one of the barriers to designing inherently safer plants.
© 2009 The Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.
Keywords: Quantitative Risk Assessment; Inherent risk; Inherent safety; Consequence estimation; Inherently safer
design
1. Quantitative Risk Assessment (QRA)

Quantitative Risk Assessment or commonly known as QRA has gained a wide acceptance as a powerful tool to identify and assess the significant sources of risk and evaluate alternative risk control measures in chemical process industries. QRA is a part of Process Safety Management System (CCPS, 2000) and considered as a valuable tool in decision-making processes, to communicate among the experts involved, to quantify opinions and to combine them effectively with available statistical data. Shell International Exploration and Production B.V. (1995) views this technique as a systematic approach to identify hazards, potentially hazardous events and estimate likelihood and consequences to people, environment and assets, of incidents developing from these events. Lees (1996) in his review of various studies, concluded that QRA is an element that cannot be ignored in decision making about risk as it is the only discipline capable of enabling a number to be applied and comparisons to be made in quantitative manner.

Many governments and local authorities require industries which are hazardous in nature to produce a document to demonstrate that risks are as-low-as-reasonably-practicable (ALARP). In the UK, the QRA found its principal application in process industries safety cases (Lees, 1996). In Malaysia, the industries classified as Major Hazard Installation as defined by the Control of Industrial Major Accident and Hazards (CIMAH) Regulations, 1996, are required to submit a written Safety Report to the Director General at least 3 months before commencing the industrial activity (or before introducing hazardous substances into the plant). QRA is a component of the Safety Report and it can be prepared using any suitable method (International Law Book Services, 2000).

Lees (1996) noted that there are considerable variations between one QRA to another mainly due to the specific problems they try to address and the boundaries of the problems.
∗ Corresponding author. Tel.: +60 05 3687570; fax: +60 05 3656176.
E-mail address: azmish@petronas.com.my (A.M. Shariff).
Received 15 September 2008; Received in revised form 24 April 2009; Accepted 14 August 2009
0957-5820/$ – see front matter © 2009 The Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.
doi:10.1016/j.psep.2009.08.004
Process Safety and Environmental Protection 87 (2009) 371–376
Arising from such factors, Shell International Exploration and Production (1995) noted QRA studies can take between 40 and 1500 manhours depending on the level of details. Despite the manhours spent, it is important to understand that the methods like QRA cover only specific elements of the aspects involved in the safety of a plant.

CCPS (2000) established a general guideline for QRA. Individual organizations and companies may have procedures that are specific to their respective needs. Generally for a QRA to be meaningful, it is carried out after significant process design and main equipment layout tasks have been completed.

2. Inherent risk assessment (IRA)

From the above deliberation, it has been observed that by the time QRA is carried out, much of the design work has been completed. For example, equipment layout has been determined and to a large extent, some already have the operating philosophy been set. At this juncture, one of the most common methods to mitigate risk and its consequences is by means of adding protection devices such as instrumented protective functions or mechanical protection devices such as relief valves, etc. These protective measures which are added late in the design often require regular preventive maintenance to detect revealed failures. The preventive maintenance throughout the life of the plant, adds to the operating cost as well as necessitating repetitive training and documentation upkeep. The lifetime preventive maintenance coupled with good plant operation and management could prevent catastrophic events. Even though the added protective functions can reduce the risk, the hazards still exist.

In order to detect hazards proactively early in the design stage and to allow for the opportunity to proactively reduce their magnitude or likelihood of occurrence, this paper proposes a new concept to evaluate inherent risk. This technique is possible by utilizing the integrated risk quantification tool with process design simulator. With the integration, process design engineers can assess the risk which is inherent to their design from the beginning of the design stages. With the early detection, proactive measures to eliminate or minimize risk based on inherent safety principles can be implemented. This new concept is named as inherent risk assessment (IRA) which adopts similar approach to the conventional QRA for easy adaptation by the industries.

Inherent safety is a proactive approach for hazard/risk management during process plant design and operation. Inherent safety aims to reduce or eliminate the root causes of the hazards by modifying the design (hardware, controls, and operating conditions) of the plant itself instead of relying on additional engineered safety systems and features, and procedural controls which can and do fail. Kletz (1991) formalized several principles defining inherent safety (IS) which include intensification, substitution, attenuation, simplification, limitation of effects and error tolerance. Inherent safety has become an important aspect and is recognized as the best method to design a plant safe for operation while minimizing impact to the environment and health.

2.1. Similarity and comparison with QRA

Even though IRA adopts the structured approach from QRA, the two methodologies have fundamental differences. The key difference is the stage when the methods are applied. Traditional QRA is applied after a detailed engineering design has been completed when Process & Instrumentation Diagram (P&ID) is fully available. QRA also takes into consideration the historical site-specified weather condition and plant layout. In contrast to this, the IRA technique that was developed in this research can be used as early as process simulation begins during the preliminary design stage in parallel with the selection of process route and development of heat and material balances. Unlike QRA, the IRA does not account for safety control measures such as procedures and instrumented protective functions. It merely reflects the inherent risk due to the inherent properties of the chemicals involved and process conditions of the design.

Owing to the different timing that the two assessments are carried out, the results are used for different purposes. More often than not, QRA results are used for reasons presented in Section 1 above, while results for IRA can be used to provoke design modifications for inherently safer design options during process simulation stages. Process design engineers have considerable flexibility to improve the design in simulation stage as the manhours and cost to do so are relatively small. IRA results are suitable to be used as a quantitative method to screen processes and provide judgments for design improvements at early design stage.

Since QRA exercise is very extensive in nature and requires significant amount of time to produce; only few selected credible cases are studied and documented. Due to the lack of integration between risk assessment software and process design simulator, all the information for process conditions needs to be manually transferred. The IRA can be effectively implemented using risk models if it is fully integrated with process design simulator such as HYSYS. Data is automatically transferred from the process design simulator to the risk models hence reducing the chances of error. With the integrated model, inherently safer design options can be quickly evaluated in a short time. For instance, inherent risk before and after pressure modification of a unit operation can be promptly assessed. Due to the different requirements and purpose, IRA cannot be used to replace QRA but they are meant to complement each other and are used in different timing along with the process design stages. Table 1 summarizes key distinction between QRA and IRA.

The inherent risk level calculated by IRA needs to be presented in a comprehensive and easily understood manner to promote its adoption by the industries. Since the 3-region FN curve has commonly accepted criteria against which the result of a QRA is judged, the same concept is used in IRA to represent the inherent risk. A 3-region FN curve based on Malaysian limits is shown in Fig. 1. However, for IRA, a slight modification is proposed in which the FN curve uses only two regions instead of three regions. It can be noted that the region below the diagonal line in Fig. 2 covers the two regions on “Tolerable if ALARP” and “Tolerable” of Fig. 1. These two regions are not separately represented in an IRA result because during this stage, safety measures and control mechanisms are not yet in place to reduce risk to ALARP.

Fig. 2 is developed based on the numerical limits dividing intolerable and tolerable regions set by the Malaysian authorities. Should the inherent risk of a process route fall above the top diagonal line, then it is clear that the route is not acceptable unless subsequent modifications can bring it below the line. For designs that have risk level below the line initially,
Table 1 (QRA versus IRA)

Stage to be applied
  QRA: After completion of detailed engineering design
  IRA: During preliminary design/simulation stage

Purpose
  QRA: To demonstrate or prove “safety case” as required by regulatory agencies
  IRA: To proactively identify risk inherent to the design and guide its reduction by adopting inherent safety principles

Regulatory requirements
  QRA: Required by regulatory agencies, for example Department of Occupational Safety & Health in Malaysia and the Health and Safety Executive in the UK
  IRA: Presently, there is no regulatory requirement

Information required
  QRA: Process & instrumentation diagrams (P&ID), detailed historical weather data
  IRA: Simulation data and predicted piping and equipment sizing

Scenario
  QRA: Only few credible scenario to be studied in detail
  IRA: Basic scenario such as pipe or equipment leak

Duration of analysis
  QRA: Relatively long. Ranging from 40 to 1500 manhours
  IRA: Relatively quick as it is carried out in parallel with simulation work

Result representation
  QRA: 3-Region frequency–number (FN) curve
  IRA: 2-Region frequency–number (FN) curve
Fig. 3 – ETA for potential explosion due to the release of flammable gas from pipe rupture.
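An added example (not from the paper or its spreadsheet tool): the Fig. 3 event tree evaluated with the base failure frequency, pipe length and branch probabilities quoted in the accompanying text. It assumes each branch is binary and that only the failure path continues to the next branch; the function names, the labels of the non-explosion outcomes and the 10 m what-if are illustrative.

```python
def exposure_frequency(base_per_m_yr, length_m):
    """Initiating-event frequency (per year) for a pipe run of the given length."""
    return base_per_m_yr * length_m


def evaluate_event_tree(initiating_freq, branches):
    """Walk a sequential event tree and return every outcome with its frequency.

    branches: ordered (failure_label, success_label, p_failure) tuples.
    Assumption: each branch is binary; the failure path continues to the
    next branch and the success path ends the sequence.
    Returns [(outcome label, frequency per year), ...], worst outcome last.
    """
    outcomes, path, freq = [], [], initiating_freq
    for fail_label, ok_label, p_fail in branches:
        if not 0.0 <= p_fail <= 1.0:
            raise ValueError(f"probability out of range for {fail_label!r}: {p_fail}")
        outcomes.append((" -> ".join(path + [ok_label]), freq * (1.0 - p_fail)))
        freq *= p_fail
        path.append(fail_label)
    outcomes.append((" -> ".join(path), freq))
    return outcomes


# Values quoted in the text for the 25 m long, 300 mm diameter pipe rupture.
BASE_FAILURE = 1e-7    # failures per year per metre of pipe
P_NO_RESPONSE = 0.9    # operator fails to respond within 5 min
P_EXPLOSION = 0.15     # probability of explosion stated for this case


def fig3_branches(p_explosion=P_EXPLOSION):
    # Success-branch labels are assumed; only the explosion path is described.
    return [("operator fails to respond", "operator responds", P_NO_RESPONSE),
            ("explosion", "no explosion", p_explosion)]


def explosion_frequency(length_m, p_explosion=P_EXPLOSION):
    """Frequency (per year) of the explosion outcome for a given pipe length."""
    f0 = exposure_frequency(BASE_FAILURE, length_m)
    return evaluate_event_tree(f0, fig3_branches(p_explosion))[-1][1]


if __name__ == "__main__":
    f0 = exposure_frequency(BASE_FAILURE, 25)
    for label, f in evaluate_event_tree(f0, fig3_branches()):
        print(f"{f:.2e} per year  {label}")
    # Constructed what-if (not from the paper): the same stream with a 10 m run.
    print(f"{explosion_frequency(10):.2e} per year with a 10 m pipe run")
```

The outcome frequencies always sum to the initiating frequency, which is a quick check that no branch of the tree has been dropped.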
model used in the IRA for the selected case study illustrated in this paper.

The two most popular methodologies to determine probability of accident are Event Tree Analysis (ETA) and Fault Tree Analysis (FTA). In this work, the ETA is chosen over FTA due to its advantages in modeling events like explosion, which are sequential in nature. FTA implies sequence of event as irrelevant and has less obvious logic (Smith, 2003) compared to ETA. Furthermore, ETA has been used by many authoritative publications in this area of research including Lees (1996) and CCPS (2000) to describe fire and explosion events.

In order to ensure consistency in terms of factors being considered in one case to another, this paper applies the Event Tree Analysis (ETA) shown in Fig. 3 in all its analyses. It presents a simplified basis to describe the probability of an explosion in the event of loss of containment. However, it is important to note the possibility for mechanisms in any other explosion case to deviate from the one presented here. Consistency is important so that various process options and modifications can be compared on equal basis from the event sequence aspect leaving only the chemical and process condition aspects as variables in the IRA. The sequence used in the ETA blocks in Fig. 3 is unsuitable for modeling of other forms of hazards.

The frequency and probability data shown in Fig. 3 is only for illustrative purposes and are based on information in example described here. It is important to note that during the simulation stage, the actual sizing of pipe diameter and length is not yet available. Therefore, a good engineering judgment and estimation is required to determine the length and diameter to be used in the simulation.

A case of a rupture in a 25 m long 300 mm diameter pipe is used here as an illustration. Base failure frequency is referred from database provided by Allen (1998) and CCPS (1989). From the calculation below, the exposure frequency is expected to be $2.5 \times 10^{-6}$ per year.

$$\text{Exposure frequency} = \text{base failure frequency} \times \text{length} = 1 \times 10^{-7}\ \text{failure year}^{-1}\ \text{m}^{-1} \times 25\ \text{m} = 2.5 \times 10^{-6}\ \text{per year}$$

Cox et al. (1990) concluded that there is a 0.9 chance for operator failure to respond within 5 min. The probability of explosion in Fig. 3 is calculated from Eq. (2), based on data provided by Withers (1988) on ignition and explosion of leaked hydrocarbon.

$$P_{ex} = 0.00175 \times (0.9999)^{m_f} \times (m_f)^{0.4582} \qquad (2)$$

where

$P_{ex}$ = probability of explosion.
$m_f$ = mass of combustible material.

In this illustration, 100 tons of flammable material determined from HYSYS is used to estimate the probability of explosion. The probability of the explosion is calculated as 0.15. The frequency of an explosion resulting from an event due to operator failure to respond and probability of explosion is $3.4 \times 10^{-7}$ per year as given in Fig. 3.

2.4. The integrated consequence estimation tool

Following Eq. (1), another component to determine risk is the consequence aspect. In order to quantify inherent risk, it is therefore crucial to estimate the consequence of an incident. An explosion consequence model is developed in a spreadsheet which is integrated with HYSYS for ease of data transfer and to reap benefits of the built-in database within HYSYS. The steps taken to estimate the consequences of an explosion adopted in the tool are provided in Fig. 4. A detailed explanation of the explosion consequence model used in this tool is available from Leong (2008).

3. Case study

This case study aims to evaluate inherent risk from all streams within a simulation of a hydrocarbon fractionation plant. The simulation is at the initial stage of a design where a series of distillation columns are used to separate different components of hydrocarbons as given in Fig. 5. This simulation has 27 process streams that undergo a screening process to relatively rank streams according to their potential of causing damages in cases of explosion. The top five streams from that rank are further analyzed for their respective inherent risk based on the inherent properties of the chemicals used and process conditions of the design.

The same potential accident scenario is selected as a basis to evaluate the inherent risk, which in this case is a catastrophic rupture of a 300 mm diameter pipe resulting in hydrocarbon leakage for 1 min. Owing to the different process parameters such as pressure and composition of each stream, the amount of hydrocarbon leaked differs. This in turn influences the probability, the consequence (overpressure) of the explosion incident and the overall event frequency (F) calculations. The number of fatality (N) can be obtained by further assuming that 100 workers are exposed to the hazard due to