Flemish Handbook
HANDBOOK FAILURE FREQUENCIES 2009
for drawing up a SAFETY REPORT
05/05/2009
Flemish Government
LNE Department
Environment, Nature and Energy Policy Unit
Safety Reporting Division
Preface
In 2002 the directive ‘Actualisatie van de AMINAL-richtlijn voor het gebruik van
faalkansen bij het opstellen van veiligheidsrapporten’ was published. This directive
only listed the new failure frequencies for a limited number of installation parts.
For the failure frequencies which were maintained reference was made to the
respective remaining chapters of ‘Handboek Kanscijfers’.
In 2004 the 1994 Handboek Kanscijfers and the 2002 directive were joined into one
document, namely the coordinated version ‘Handboek Kanscijfers 2004’
[HBKC2004].
All background information on the failure frequencies listed here can be found in
the accompanying document with background information [AI2009].
Chapter 1
1: Introduction
In the following chapters the types of failure and the generic failure frequencies per
installation (part) within an establishment will be discussed. In the quantitative risk
analysis all these types of failure must be taken into account and the given generic failure
frequencies must be used. The failure frequencies given in this handbook have priority
over all other failure frequencies available in the literature. If other installations than
those included here should turn out to be relevant to external safety, these should be
included in the quantitative risk analysis with a well-founded failure frequency.
For pressure tanks (Chapter 2) and atmospheric tanks (Chapter 4) the handbook describes
instantaneous failure and leakage. What follows is an explanation of how these types of
failure should be included in the risk analysis.
Instantaneous failure
If one of the leaks to be modelled gives rise to an outflow of the entire content in 10
minutes or less, the type of failure ‘complete outflow in 10 minutes’ should not be
included in the risk assessment, but the failure frequency for this type of failure should be
added to the failure frequency for the type of failure ‘rupture’. Consequently, the total
failure frequency for instantaneous failure will always be applied, either distributed over
the types of failure ‘complete outflow in 10 minutes’ and ‘rupture’, or only under the type
of failure ‘rupture’.
Leakage
The handbook provides for three types of leakage, namely ‘large leak’, ‘medium leak’ and
‘small leak’. The way in which these types of leakage are considered in the risk assessment
depends on the maximum leak diameter.
To determine the maximum leak diameter the minimum of the maximum connection
diameter and the diameter giving rise to an outflow in 10 minutes is taken
(DL,max = min(Dmax, D10)).
If the maximum leak diameter is smaller than or equal to 10 mm, only the type of failure
‘small leak’ is taken into account in the risk assessment, with a failure frequency equal to
the sum of the failure frequencies for the types of failure ‘large leak’, ‘medium leak’ and
‘small leak’. The equivalent leak diameter is equated with 10 mm.
If the maximum leak diameter is situated in the interval of the medium leak (10–50 mm),
the type of failure ‘large leak’ should not be taken into consideration in the risk
assessment, but the failure frequency of the type of failure ‘large leak’ should be added to
that of the type of failure ‘medium leak’. The equivalent leak diameter for the type of
failure ‘medium leak’ is equated with the maximum leak diameter.
The type of failure ‘small leak’ is still considered separately in the risk assessment, with
its own failure frequency and an equivalent leak diameter of 10 mm.
If the maximum leak diameter is bigger than or equal to 50 mm, the types of failure ‘large
leak’, ‘medium leak’ and ‘small leak’ are all taken into account in the risk assessment
separately, each with its own failure frequency.
The equivalent leak diameter for the type of failure ‘large leak’ is equated with the
maximum leak diameter.
The equivalent leak diameter for the type of failure ‘medium leak’ is equated with 25 mm.
The equivalent leak diameter for the type of failure ‘small leak’ is equated with 10 mm.
The (generic) failure frequencies included in this handbook must be used in the
quantitative risk analysis. However, in specific cases deviations from these failure
frequencies may be allowed through failure frequency reduction or increase. For failure
frequency increases no specific guidelines apply. For failure frequency reductions the
guidelines will be explained below. For both, procedure OVR_P10 from the Code OVR must
be followed.
Failure frequency reductions are based on special additional preventative safety measures
surpassing the standard preventative safety measures.
Failure frequency reductions are based on a detailed analysis of the causes which is
publicly available (for instance as included in the document containing background
information [AI2009]). This analysis of causes consists of a table summing up the possible
(partial) causes which (either individually or consecutively) give rise to the failure of the
installation part in question. To each (partial) cause a relative contribution is linked. For
each (partial) cause a safety measure or a package of safety measures is proposed which
can lead to a reduction in the relative contribution of this (partial) cause. A safety
measure can obviously lead to a reduction in the relative contribution of several (partial)
causes.
For the assignment of the reduction factors the following general rules apply:
− Analyses of causes often include the category ‘cause unknown’. This category comprises
failures for which no univocal cause is mentioned in the literature, or which were due to a
combination of causes. The relative contribution of this category cannot be reduced.
− The safety measures are described in a clear and detailed way. Their availability,
operability, effectiveness, efficiency and reliability must be demonstrated in a way which
is considered adequate.
− A reduced failure frequency must never be lower than 10% of the generic failure
frequency.
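The reduction rules can be applied to a cause table as follows. This is an added example, not part of the handbook: the cause table and the safety measures are constructed, and treating several measures on the same cause as non-stacking (only the largest reduction counts) is an assumption of the example.

```python
from typing import Dict

UNKNOWN = "cause unknown"
FLOOR = 0.10   # a reduced frequency is never below 10% of the generic frequency


def combined_reductions(measures: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Collapse the safety measures into one reduction fraction per (partial) cause."""
    per_cause: Dict[str, float] = {}
    for name, effects in measures.items():
        for cause, fraction in effects.items():
            if not 0.0 <= fraction <= 1.0:
                raise ValueError(f"{name}: reduction for {cause!r} must lie in [0, 1]")
            if cause == UNKNOWN and fraction > 0.0:
                raise ValueError(f"{name}: 'cause unknown' cannot be reduced")
            # Assumption: measures acting on the same cause do not stack.
            per_cause[cause] = max(per_cause.get(cause, 0.0), fraction)
    return per_cause


def reduced_frequency(generic: float,
                      contributions: Dict[str, float],
                      measures: Dict[str, Dict[str, float]]) -> float:
    """Reduce each relative contribution, then apply the 10% floor."""
    if abs(sum(contributions.values()) - 1.0) > 1e-9:
        raise ValueError("relative contributions must sum to 1")
    reductions = combined_reductions(measures)
    stray = set(reductions) - set(contributions)
    if stray:
        raise ValueError(f"measures refer to causes not in the table: {sorted(stray)}")
    remaining = sum(share * (1.0 - reductions.get(cause, 0.0))
                    for cause, share in contributions.items())
    return max(generic * remaining, FLOOR * generic)


# Constructed cause table: (partial) cause -> relative contribution.
CAUSES = {"corrosion": 0.30, "external impact": 0.20,
          "operating error": 0.25, UNKNOWN: 0.25}
# Constructed measures: one measure may reduce several causes.
MEASURES = {"inspection programme": {"corrosion": 0.8},
            "impact protection": {"external impact": 0.9, "corrosion": 0.1}}

if __name__ == "__main__":
    generic = 1.1e-5   # sample generic frequency per tank year
    print(f"reduced: {reduced_frequency(generic, CAUSES, MEASURES):.3e}")
```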
Chapter 2
2: Pressure tanks
In Table 1 the generic failure frequencies are given for leaks and instantaneous releases in
pressure tanks. This table applies to all pressurised installation parts, with the exception
of those mentioned elsewhere in the handbook. This table should be read together with
the explanation in paragraph 1.1.
Small leak (0.1 < d ≤ 10 mm, deq = 10 mm): 1.2 × 10⁻⁵, 1.2 × 10⁻⁴
Medium leak (10 < d ≤ 50 mm, deq = 25 mm): 1.1 × 10⁻⁶, 1.1 × 10⁻⁵
Large leak (50 < d ≤ Dmax, deq = DL,max): 1.1 × 10⁻⁶, 1.1 × 10⁻⁵
The installation part ‘pressure tank’ consists of the vessel including the manhole,
instrumentation connections and pipe connections up to the first flange. Leaks in the
corresponding pipe system are not included here.
If the pipe connection up to the first flange is longer than 10 m, the pipe connection must
be regarded as a separate pipe part.
Definitions
Chapter 3
3: Mobile pressure containers
As generic failure frequencies the figures mentioned in Table 2 apply. These failure
frequencies apply to all mobile pressure containers up to 1,000 litres (gas cylinders and
pressure vessels).
| Type of failure | Failure frequency, gas cylinder [/cylinder.year] | Failure frequency, pressure vessel [/vessel.year] |
|---|---|---|
| Leak, deq = Dmax | - | 1.1 × 10⁻⁵ |
Definitions
Chapter 4
4: Atmospheric tanks
In Table 3 the generic failure frequencies are given for leaks and instantaneous releases in
atmospheric tanks. For storage tanks the decision tree in Figure 1 must be used to
determine from which column the failure frequencies should be taken. This table should be
read together with the explanation in paragraph 1.1.
Rupture: 5.0 × 10⁻⁶, 5.0 × 10⁻⁷, 1.2 × 10⁻⁸, 1.0 × 10⁻⁸, 1.0 × 10⁻⁸, 5.0 × 10⁻⁵
* For leaks these failure frequencies apply to the first (inner) shell.
The installation part ‘atmospheric tank’ consists of the tank including the manhole,
instrumentation connections and pipe connections up to the first flange. Leaks in the
corresponding pipe system are not included here.
If the pipe connection up to the first flange is longer than 10 m, the pipe connection must
be regarded as a separate pipe part.
[Figure 1: decision tree for storage tanks, with Yes/No branches]
In Table 4 the failure frequency of a tank fire is displayed for the different types of liquids.
Table 4: Failure frequencies [/tank year] for tank fire in atmospheric tanks
Tank with external floating roof: 2.5 × 10⁻⁴, 7.6 × 10⁻⁵, 2.3 × 10⁻⁵
Definitions
Mobile atmospheric tank: Tank for hazardous substances not belonging to ADR category 2.
Fixed atmospheric tank: Tank with a design pressure smaller than 0.5 bar overpressure.
P1 liquids: Extremely and highly flammable liquids, in particular liquids with a flashpoint below 21 °C.
P2 liquids: Flammable liquids, in particular liquids with a flashpoint equal to or above 21 °C and equal to or below 55 °C.
P3 liquids: Flammable liquids with a flashpoint higher than 55 °C and equal to or lower than 100 °C.
P4 liquids: Flammable liquids with a flashpoint higher than 100 °C and equal to or lower than 250 °C.
Chapter 5
5: Heat exchangers
Table 5 shows the generic failure frequencies for pipe heat exchangers.
Table 5: Failure frequencies (shell) [/heat exchanger.year] for pipe heat exchangers
| Type of failure - shell | Failure frequency [/heat exchanger.year] |
|---|---|
| Small leak, 0 < d ≤ 25 mm, deq = 10 mm | 6.0 × 10⁻³ |
| Medium leak, 25 < d ≤ 50 mm, deq = 35 mm | 3.9 × 10⁻³ |
| Large leak, 50 < d ≤ 150 mm, deq = 100 mm | 1.6 × 10⁻⁵ |
| Rupture | 1.3 × 10⁻⁵ |
Internal pipe rupture will lead to a leak in the shell if the operating pressure in the pipes is
higher than the design pressure of the shell, and there is no or insufficient pressure
evacuation. Depending on the specific situation, it should be verified what the probability
of shell failure (leakage) as a result of pipe rupture is, and this scenario should be taken
into account separately. In this case a failure frequency of 7.1 × 10⁻³/heat exchanger.year is
assumed for pipe rupture.
Table 6 shows the generic failure frequencies for plate heat exchangers with a working
pressure lower than 5 bar, with a working pressure between 5 and 8 bar and with a
working pressure higher than 8 bar.
Failure frequency [/heat exchanger.year]; P = working pressure (bar)

| Type of failure | P < 5 bar | 5 bar ≤ P < 8 bar | 8 bar ≤ P |
|---|---|---|---|
| Small leak, 0 < d ≤ 25 mm, deq = 10 mm | 4.6 × 10⁻³ | 7.0 × 10⁻³ | 1.8 × 10⁻² |
| Medium leak, 25 < d ≤ 50 mm, deq = 35 mm | 2.0 × 10⁻³ | 3.0 × 10⁻³ | 7.2 × 10⁻³ |
| Rupture | 5.5 × 10⁻⁶ | 8.3 × 10⁻⁶ | 2.0 × 10⁻⁵ |
Chapter 6
6: Pumps and compressors
The generic failure frequencies for pumps and compressors are displayed in Table 7.
Failure frequency
[/pump year] or [/compressor year]
Type of failure Centrifugal pumps
Reciprocating pumps
With gaskets Without gaskets Compressors
Leak
4.4 × 10⁻³ 1.0 × 10⁻⁴ 4.4 × 10⁻³
deq = 0.1 Dmax
Chapter 7
7: Pipe systems
In Table 8 the failure frequencies for above ground and underground pipe systems are
displayed.
Chapter 8
8: Loading and unloading activities
For leakage or rupture of the loading/unloading hose and the loading/unloading arm during
loading and unloading activities with road tankers, tankwagons and ships, the values in
Table 9 are used.
Leak, deq = 0.1 D (max. 50 mm): 3 × 10⁻⁷, 4 × 10⁻⁵, 5.4 × 10⁻⁶
Chapter 9
9: Fire in warehouses
The generic failure frequencies for a fire in warehouses are listed in Table 10 per fire
compartment.
Scenario | Failure frequency [/fire compartment.year]
Definitions
Automatic fire fighting system: A fire fighting system in which both detection and activation take place automatically, without human intervention.
Fire compartment: The smallest space within which a fire can be isolated for a certain period of time thanks to fire-resistant materials.
Chapter 10
10: Packaging units
The following table gives an overview of the failure frequencies for packaging unit storage
and handling within a company. If several packaging units are possible on a pallet, both
types of failure for packaging unit handling must be included.
Table 11: Failure frequencies for packaging unit storage and handling
Type of failure | Failure frequency, packaging unit storage [/packaging unit year] | Failure frequency, packaging unit handling [/packaging unit handling]
In the case of containers containing multiple packaging units, the failure frequencies must
be applied to all items in the container in question. The container itself is not considered a
packaging unit.
Definitions
Packaging units: Mobile recipient with a content not exceeding 3 m³ and which is suitable for the storage of liquids or solids.
Packaging unit handling: Any activity involved in moving packaging units. The loading or unloading of a pallet of packaging units or of one single packaging unit is regarded as one packaging unit handling operation.
Chapter 11
11: Repression systems
If active repression systems are taken into consideration in the quantitative risk analysis,
the scenario of the failure of these measures should also always be considered.
Guideline values for the probability of failure and for the response time of some repression
systems have been gathered in Table 12. The quantitative risk analysis, however, starts
from the actual situation. The general procedure from paragraph 11.5 can be applied here
to determine the probability of failure and the response time.
It should also be taken into account that the effectiveness of a repression system can
depend on the release scenario. Small leaks are often difficult or impossible to detect
within a reasonable period of time, which can annul the effectiveness of e.g. a blocking
system (at least from a safety reporting point of view).
| System | Probability of failure per demand | Response time (sec) |
|---|---|---|
| Blocking system, automatic | 0.1 - 0.001 | 120 |
| Blocking system, semi-automatic | 0.1 - 0.01 | 600 |
For the modelling one should also take into account the amount of product which is
present in the pipelines and installation parts and may still be released after the valves
have been closed.
If several active repression systems are in place, the probability of failure of the entire
system must be determined. This should be done paying the necessary attention to the
possible occurrence of ‘common cause failures’.
Passive repression systems are measures which were already in place before the release
took place. Typical passive measures are constructions such as containment systems,
bunkers and firewalls. For the quantitative risk analysis it is assumed that these measures
do not fail and that the response time is 0 sec.
11.1. BLOCKING SYSTEMS
To include the operation of a blocking system in the risk analysis the following conditions
must be met:
− an automatic detection system must be present that results in signalling in the
control room or automatic operation of the blocking valves. An example of this is a
gas detection system with sufficiently sensitive monitors and adequate detection
points. In the case of signalling in the control room this room must be continuously
staffed.
− the detection system and the shut-off valves must be regularly tested.
A quantitative risk analysis starts from the actual situation (or the planned situation in
case of a new installation). The probability of failure can be determined according to the
internationally recognised standards [IEC1] and [IEC2].
In a first approach the following guideline values for the probability of failure of a fully
automatic system can be used:
− Simple system: 0.1;
− Redundant system (complex system): 0.01;
− Diversely redundant system (complex system using different physical or technical
modes): 0.001.
If no specific information is available, the upper limit of the given range should be used.
Definitions
The operation of the excess flow valve depends on the ratio between the calculated
outflow rate and the set value of the excess flow valve.
Definitions
Excess flow valve Valve which, via a built-in mechanism, automatically closes
when the flow rate exceeds a set value.
11.3. NON RETURN VALVE
Generally speaking, non-return valves are not very reliable. If they are not regularly
tested, non-return valves are not included in a quantitative risk analysis.
Definitions
During (un)loading operations an operator is often present on-site who supervises the
process and can operate a valve by actuating an emergency stop device. The intervention
of an operator during (un)loading can be included in the quantitative risk analysis,
provided the following conditions are met:
1. From the start to the end of the (un)loading operation the operator present on-site
has a view of the (un)loading and the loading/unloading hose or arm. In particular,
the operator is not sitting in the cabin of the tanker or inside a building during the
(un)loading operation.
2. The on-site presence of the operator is guaranteed by a device such as a dead
man’s handle or by a procedure in the safety management system and is checked
during inspections.
3. The activation of the emergency stop by the operator present in case of leakage
during (un)loading is described in a procedure.
4. The operator present on site is adequately trained and is also familiar with the
applicable procedures.
5. The emergency stop is positioned according to the applicable standards, so that it
can be activated quickly regardless of the direction of the outflow.
Several other repression systems may be in place in order to limit the consequences of an
accidental release as much as possible. These can be rated in the quantitative risk analysis
on condition that the effectiveness of the system is demonstrated, for instance via testing.
The effect of a repression system is recorded in the quantitative risk analysis as follows:
1. Determine the response time of the system, tresp.
2. Determine the effectiveness of the system.
3. Set the source term for the time period 0 to tresp equal to the source term when not
using the repression system.
4. Adjust the source term in the time period following tresp according to the
effectiveness of the repression system.
5. Discount the probability of failure per operation of the repression system. This
probability should be calculated using methods such as a fault tree analysis or a
code of good practice (e.g. IEC1, IEC2). A default value is 0.1 per demand.
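The five steps above, worked through for a leak with a blocking system. This is an added example, not part of the handbook: the outflow rate, release duration and hold-up mass are constructed, effectiveness is modelled as the fraction by which the outflow rate is cut after tresp, and splitting the release frequency into a "system operates" and a "system fails on demand" branch is this example's reading of step 5.

```python
from typing import List, Tuple

Segment = Tuple[float, float, float]   # (start [s], end [s], outflow rate [kg/s])


def source_term(rate: float, duration: float,
                t_resp: float = None, effectiveness: float = 0.0) -> List[Segment]:
    """Steps 3 and 4: unchanged outflow until t_resp, adjusted outflow afterwards."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must lie in [0, 1]")
    if t_resp is None or t_resp >= duration:
        return [(0.0, duration, rate)]          # system absent or too slow to matter
    segments = [(0.0, t_resp, rate)]
    residual = rate * (1.0 - effectiveness)     # assumption: effectiveness scales the rate
    if residual > 0.0:
        segments.append((t_resp, duration, residual))
    return segments


def released_mass(segments: List[Segment], holdup_kg: float = 0.0) -> float:
    """Mass released over all segments, plus product left downstream of the closed valves."""
    return sum((end - start) * rate for start, end, rate in segments) + holdup_kg


def repression_branches(frequency: float, rate: float, duration: float,
                        t_resp: float, effectiveness: float,
                        pfd: float = 0.1, holdup_kg: float = 0.0):
    """Step 5: split the release frequency over success and failure on demand."""
    if not 0.0 <= pfd <= 1.0:
        raise ValueError("probability of failure per demand must lie in [0, 1]")
    works = source_term(rate, duration, t_resp, effectiveness)
    fails = source_term(rate, duration)
    return [
        ("system operates", frequency * (1.0 - pfd), released_mass(works, holdup_kg)),
        ("system fails on demand", frequency * pfd, released_mass(fails)),
    ]


if __name__ == "__main__":
    # Constructed release: 5 kg/s for 1800 s, 50 kg hold-up, frequency 1.1e-5 per year.
    # Response times are the Table 12 guideline values for a blocking system.
    for label, t_resp in [("automatic", 120.0), ("semi-automatic", 600.0)]:
        print(label)
        for name, freq, mass in repression_branches(1.1e-5, 5.0, 1800.0, t_resp,
                                                    effectiveness=1.0, pfd=0.1,
                                                    holdup_kg=50.0):
            print(f"  {name:24s} {freq:.2e} /year  {mass:7.0f} kg released")
```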
Chapter 12
12: Consequential events
The generic event tree is shown in Figure 2. Here, the possible effects are shown which
can appear in case of a release of a substance. However, no judgement is made as to the
relevance of the effects. It should be noted that the event tree does not take into account
repression systems either.
[Figure 2: generic event tree starting from E0, with branches for direct ignition (PD), delayed ignition (PV) and explosion (PE)]
E1: PD
E2: (1 − PD) × PV × PE
E3: (1 − PD) × PV × (1 − PE)
E4: (1 − PD) × (1 − PV)
The hazardous phenomena to be taken into consideration are displayed for the different
product types in Table 13 for rupture and in Table 14 for leakage and 10-minute outflow.
Table 14: Hazardous phenomena for leakage and complete outflow in 10 min.
The generic probabilities of failure for direct and delayed ignition for the different product
groups are reflected in Table 15. In this table, the probability of explosion is also
indicated.
Table 15: Probability of direct and delayed ignition and probability of explosion
Definitions
Chapter 13
13: References
[HBKC1994], Handboek Kanscijfers ten behoeve van het opstellen van een
veiligheidsrapport, Ministry of the Flemish Community, LIN, AMINAL, Hazardous Substances
and Risk Management Division, 1994
[HBKC2004], Handboek Kanscijfers voor het opstellen van een veiligheidsrapport, Ministry
of the Flemish Community, LIN, AMINAL, Safety Reporting Division, 2004
[IEC2], IEC 61511: Functional safety – Safety instrumented systems for the process industry
sector
[Prugh], Prugh, R.W., Evaluation of unconfined vapor cloud explosion hazards, Proc.
International Conference Vapor Cloud Modelling, AIChE, NY, 1988
Colophon
This document is a translation in English of the Dutch Handboek Faalfrequenties 2009 voor
het opstellen van een veiligheidsrapport. In case of inconsistencies or problems, the
original language document shall take precedence over this translation.
Edited by
Published by
Deposit number
D/2009/3241/355
Edition
May 2009