Quantitative risk assessment improves refinery safety

Sept. 9, 2002
Risk analysis for installations containing large amounts of flammable substances is important to ensure safety and to meet legal requirements.

Risk analysis for installations containing large amounts of flammable substances is important to ensure safety and to meet legal requirements.

Click here to enlarge image

This article deals with a quantitative risk assessment (QRA) of a typical LPG storage installation that is common in many refineries. An incident in the isobutene tank may cause a "domino effect" due to its location.

QRA allows one to identify and rank incidents that contribute to total risk. A methodology based on the risk concept that considers the dependence between hazard potential and associated safeguards is an effective way to assess plant safety. The proposed methodology allows a calculation of individual and social risk curves.

Plant safety systems consist of multiple layers of a safeguard system in which each layer represents an appropriate risk-reduction level. Semiquantitative methods that use a multilayer risk matrix can help one evaluate the risk-reduction level.

This refinery installation did not meet acceptable risk criteria; a possible domino effect increased individual and societal risk. Proposed adequate safety and protection measures lowered the associated risk.

Refinery risks

Refineries have many dangerous substances and processes that have a high potential for safety hazards. Most refineries are near densely populated, urban residential and industrial areas, and ecosystems.

A risk analysis of the possibility and scale of explosions or fires is important so that operators can provide adequate precautionary, protective, and preventive measures. QRA achieves this task.1

The QRA in this article calculates potential consequences of a flammable substance release and individual and social risk curves.

Refinery LPG storage

LPGs are produced in many refining processes including: atmospheric distillation, vacuum distillation, hydrocracking, catalytic cracking, reforming, and isomerization. These gases usually appear in the light stage (wet gas); after purification and separation they are collected in storage tanks as C3 and C4. They can then be used for other petrochemical processes.

Pumps and a piping system link the storage tanks in a refinery. They are used for temporary storage or as supply sources for the production lines. Tanks usually have a capacity of 200-400 cu m, and are often situated close to the production units and control room. They can cause a domino effect if unexpected developments occur.

The chemical composition of LPG obtained from refining processes varies from location to location and can contain simple alkanes, alkenes, small-molecule olefins, and other cyclical and aromatic hydrocarbons.

When modeling the releases and dispersions of these mixtures, one must therefore consider the specific composition.

Risk management

Click here to enlarge image

Risk management is based on the assessment of relations between existing hazards and applied safety and protection systems. Fig. 1 illustrates the concept.

Many different hazards in refineries represent a relatively fixed fire and explosion potential. They are measured with any semiquantitative technique or full consequence analysis.1-3

Various safety systems help mitigate safety hazards. Guidelines of the Center for Chemical Process Safety (CCPS) of the American Institute of Chemical Engineers (AIChE) organize safety systems into a multi-layer system:4

•Layer 1 is a prevention layer responsible for minimizing chemical releases. This layer consists of basic process control systems, process alarms, and operators and their responses. This layer mainly concerns the likelihood of chemical releases.

•Layer 2 is a protection layer comprising the automatic protection of an installation after releases or after critical alarms. It includes safety instrument systems (safety valves, trips, interlocks, emergency shut-down devices), blowdown systems, emergency cooling, fire fighting, and explosion protection. This layer considers the likelihood and consequences of chemical releases.

•Layer 3 is the response layer. It consists of chemical-release mitigation and includes the actions of firefighters and rescue services.

Characteristic features of multilayer safety systems include:

•The sequential, serial, and independent activities of each safety layer.

•The assumption that each safety layer is a barrier to develop hazards and may consist of sublayers.

•The assumption that the initiating event for the release incident was a failure of elements in the prevention layer.

•Each layer's risk reduction level can be calculated separately based on Bayes theorem.

•The effectiveness of each layer depends on the safety management system and applicability of best available technologies (BAT).

The relation between existing hazards and safeguard system is unique to each installation. A detailed analysis of hazards and connected safety measures, especially the layers of protection, is necessary when one evaluates and assesses risk.

QRA incident selection

The first step in the QRA is to select the most representative set of incidents (RSI). Hazard identification techniques help identify a wide range of incidents that are the basis for selection.

A possible accidental release of chemicals or energy, however, can be large due to a variety of possible ruptures or leaks occurring in different locations and sizes of piping or vessels.

Each release incident can expand into a release incident outcome (RIO) depending on the propagation, safeguards, and mitigation measures. A risk evaluation must account for these outcomes.

There is no well-grounded methodology that satisfies the risk study requirements that also adequately represents all hazards and safeguards.

Click here to enlarge image

Our approach applied the "multi-layer risk matrix" (MRM).5 Fig. 2 shows the matrix in which each layer of protection is represented by a separate risk matrix with a specific categorization of the risk component.

The frequency, consequences, and risk levels include:

  • Frequency. Five categories from very frequent (10-1-year-1) to very rare (> 10-4 year-1).
  • Consequence severity. Five categories from catastrophic to negligible.
  • Risk level, four categories:
  1. Low, acceptable risk (A), no need for further action.
  2. Low, tolerable risk (TA), action based on ALARP principle.
  3. Tolerable risk (TNA), improvements must be made in the long-term.
  4. Unacceptable risk (NA), must reduce immediately.

One can use these steps to evaluate the risk level using MLM:

  1. Identify the safety systems (safety layers).
  2. Determine an initiating event and its frequency (generic).
  3. Determine the initial consequence, C0 (generic).
  4. Evaluate the risk-reduction level for Layer 1.
  5. Evaluate the risk-reduction level for Layer 2.
  6. Evaluate the risk-reduction level for Layer 3.
  7. Evaluate the risk level, RL (Equation 1 in the accompanying equations box).

Scenario for LPG releases

Incidents and types of hazards accompanying gas releases depend on the characteristics of the release source and external conditions in the release area, including:

  • An ignition source, either immediate or delayed.
  • An LPG leakage point; i.e., above the LPG surface (tank's vapor phase) or in the liquid phase.
  • Size of the leakage.
  • Nature of the leakage, continuous or instantaneous.

Storage installations have many potential leak points such as small openings in the wall or faulty seals, as well as catastrophic ruptures like pipeline ruptures or an opening in the tank with a diameter larger than the largest connection.

Publications from the Institute of Chemical Engineers (IChemE) cover standard hole-size guidelines.6

Click here to enlarge image

One can develop different RIOs for a flammable substance release incident (RI) using the event tree in Fig. 3.

It shows that some outcome cases can further develop into different domino events.

It may happen if only the hazard zone, where particular physical effects exceed a threshold value, envelopes adjacent vulnerable objects.

Assessing domino effects

If the domino effects are covered in legal requirements then it is important to include them in final QRA results.7

The European Union (EU) defines "domino effect" as the effect of a major accident in a basic plant causing a release of a dangerous substance from an adjacent plant or nearby site as the result of direct or indirect interrelation.

"Domino" is more serious than an "escalation," which usually refers to one particular plant. There are two types of domino events:

  • A direct domino event caused by the interaction of containment events.
  • An indirect domino event caused by a small leak due to equipment failure, loss of utilities, human error, or an ineffective mitigation system.
Click here to enlarge image

A typical feature of the domino effect is a chain of incidents that may be in series or parallel. Fig. 4 shows a characteristic pattern of domino effects in a chemical plant.

A release incident (RI) can have three different physical effects: shock wave, thermal radiation, and missile projection.

Each of these physical effects generates a hazard zone in which the values of particular effects exceed threshold values; therefore, a particular domino event may occur.

Different factors can influence the domino process, which are specific for each type of event. The most important factors include:

  • Type of equipment.
  • Type of substance involved.
  • Adjacent equipment and its vulnerability.
  • Distance from the RI and arrangement of subsequent equipment.
  • Propagation conditions like ignition sources, wind direction, and mitigation efforts.

The damage level from a domino event depends on the distance involved, propagation conditions, and vulnerability of adjacent equipment.

The impact of various physical effects on humans, buildings, and industrial installations vary according to the source.3 8 9

Click here to enlarge image

Table 1 shows the most common threshold criteria. There is no universal threshold value for missile projection. The Committee for the Prevention of Disasters' Yellow Book provides a calculation procedure for predicting missile range.10

The QRA should consider additional domino event scenarios.

One must calculate the probability of a domino event, PDE, and the consequence of that event using Equations 2 and 3.3

An estimate of P(RI/DE) should account for propagation mechanisms; for a particular type of physical effect, three different approaches apply for this estimate:

  • Based on Probit functions.
  • Based on empirical data.
  • Worst-case scenario.

The last approach assumes that the propagation probability equals 1 if the vulnerable target is inside the hazard zone for the particular physical effect.

Domino-event consequences are catastrophic and calculated similar to release incidents that consider the appropriate conditions: type of the substance, amount, conditions before release, and external propagation conditions.

A domino event can also occur outside the hazard zone of a critical physical effect; however, the probability and consequence of this event is significantly smaller and it was not taken into account.

Click here to enlarge image

Fig. 5 shows the methodology of considering domino top events in calculating individual and societal risk.

Isobutane storage case study

A typical isobutane storage tank was situated within a production installation in a refinery and consisted of: three 300-cu m spherical tanks, a system of pumps, heat exchangers, and appropriate linking pipelines.

Click here to enlarge image

Fig. 6 shows the installation scheme and Fig. 7 shows the location of the storage installation.

We assumed these meteorological conditions: air humidity 70%, dominating class of atmospheric stability was very stable (F) and neutral (D), wind velocity was 2 m/sec and 5 m/sec, respectively, and the dominant wind direction was southwest.

Click here to enlarge image

About 34 m from the installation are two 2,000-cu m cylindrical floating roof tanks that store gasoline.

About 44 m from the isobutane tank are a control room and a production installation.

A flask furnace is a direct ignition source and sits about 100 m from the isobutane storage tank.

Click here to enlarge image

Table 2 shows the installation's safety and protection systems.

RSI identification

We analyzed the principal causes of failures in isobutane and butane tanks using 21 historical data points collected in the Accident Database.11

Overfilling, overpressure, mechanical failure, human error, and external events are the most frequent causes.

When a release and gas dispersion into the atmosphere without ignition was reported, the breakdown of various incidents was: boiling liquid expanding vapor explosions (BLEVEs) 14%, vapor cloud explosions (VCEs) 43%, pool fires (PFs) 19%, and flash fires (FFs) 24%.

In a primary hazard assessment (PHA), we evaluated 17 incidents using a typical four-level risk matrix. We could therefore obtain three RIs representing tolerable risk that still belong to the same group of releases.

Click here to enlarge image

Table 3 shows six RIs that represent two types of seal failures, rupture and leakage. We included domino event incidents because, as later calculations prove, the hazard zone enveloped neighboring objects (Fig. 7).

We used the event tree (Fig. 3) to calculate the outcome incident frequencies for RIDE 7-RIDE 10.

Generic data from literature sources served as the basis for data concerning the frequency of certain RIs.3 6 12 13

Click here to enlarge image

Table 4 shows the propagation functions that we used.

Domino events

A commercial software package helped perform the calculations.14 It enabled the calculation of the potential consequences of releases of flammable substances, and individual and societal risk curves.

The first calculations identified the hazard zone for the release incidents accounting for these threshold criteria:

  • Thermal radiation of 37.5 kw/sq m.
  • Overpressure of 45 kPa.

The radius, based on the distance from release source to the threshold value, forms the hazard zone, which is the impact area where domino effects may occur.

Click here to enlarge image

Table 5 shows the calculated range of hazard zones for all release incidents. These objects, which are possible targets for domino effects, are inside the impact area:

  • Neighboring spherical isobutane tank.
  • Atmospheric gasoline tank.
  • Process piping.
  • Control room with four operators.

Because all these targets are sources of subsequent domino events (RIDE 7-RIDE 10), we calculated similar risk probabilities and consequences.

Table 5 shows the calculation results. Because RIDE 8 and RIDE 9 do not form a hazard zone, they do not contribute to the individual and societal risk estimate.

Calculation option selection

Click here to enlarge image

We considered six options to show the impact of domino effects as well as the effects of RSIs on individual and social risk:

  • Option 1 included six release incidents, RI 1-RI 6.
  • Option 2 eliminated incident RI 2 that led to the BLEVE. A proposal to install a liquid elimination system allowed us to delete incident RI 2 (Fig. 8).
  • Option 3 is similar to Option 1 and includes an additional domino incident, RIDE 7.
  • Option 4 included RI 1-RI 6 and all domino events RIDE 7 - RIDE 10.
  • Option 5 is Option 2 plus an additional domino incident, RIDE 8, due to possible missile projection.
  • Option 6 is Option 4 with a modification to the societal risk; the population density was changed from 0.002 to 0.0005 persons/sq m.

Risk calculation results

Figs. 9 and 10 show the calculation results for Options 1, 2, 4, and 6.

Click here to enlarge image

Individual and social risks vary with the selected RSIs. Different sets of release scenarios generate different risk characteristics. This is a key point in risk analysis.

Only Options 2 and 5 have an acceptable individual risk level of 10-6 year-1 at 110 m because we eliminated the BLEVE factor. The acceptable individual risk level was 350 m from the storage tanks for the other options. All domino events included in Option 4 have a negligible effect on individual risk.

Click here to enlarge image

Fig. 10 presents societal risk as the cumulative risk of multiple fatalities as a function of the number of fatalities.

Most of the societal risk curves are above the recommended limits of maximum risk criteria. Options 2, 5, and 6, which eliminate the BLEVE scenario, give the best results.

The societal risk ranking analysis shows that the major contributors to off-site societal risk are RI 2 and RI 6, which account for over 75% of the fatalities. This knowledge helps target areas for risk mitigation measures.

Additionally, the domino events do not have an appreciable impact on the total societal risk especially for higher number of fatalities. In fact, the increase is just 18% for Option 4, which includes all identified domino events.

RIDE 7 has the greatest impact on social risk, 8.8%. RIDE 8, RIDE 9, and RI 10, in terms of probabilities and consequences, are negligible.

Click here to enlarge image

Table 6 presents total societal risk for entire hazard area.

Option 6, which assumes a smaller population, provides the greatest risk reduction level. Options 2 and 5 also reduce the total risk level that results from the proposal presented in Fig. 8.

Acknowledgment

This article constitutes a part of studies financed by the grant 7 T09C 022 20 of the Polish Committee for Scientific Research.

References

  1. "Guidelines for chemical process quantitative risk analysis," AIChE Center for Chemical Process Safety, New York, 2000.
  2. "Zapobieganie Stratom w Przemysle- cz.III Zarzadzanie bezpieczenstwem procesowym," Markowski, A.S., ed., Wyd. Politechnika Lodzka, 2000.
  3. Lees, F.P., Loss prevention in process industries, Butterworths, London, 1996.
  4. Guidelines for engineering design for process safety, AIChE Center for Chemical Process Safety, New York, 1993.
  5. Markowski, A.S., "Multi-layer risk matrix for process installations," International Conference on Safety and Reliability, KONBiN 2001, ITWL, 2001, pp. 213-22.
  6. Cox, A.W., Lees, F.P., and Ang, M.L., "Classification of hazardous location," IChemE, 1990.
  7. "The control of major-accident hazards involving dangerous substances (COMAH)," 96/82/EC, Official Journal of the European Communities, 1, 1997.
  8. TNO, "Method for the determination of possible damage to people and objects resulting from releases from hazardous materials," 1979.
  9. "The effects of explosion in the process industries-overpressure monographs," IChemE, 1989.
  10. "Methods for the calculation of physical effects," Yellow Book, CPR14E, The Committee for the Prevention of Disasters, The Hague, 1997.
  11. The Accident Database, version 4, IChemE, Rugby, UK, 2000.
  12. Offshore reliability data, 3rd ed., Offshore Reliability Data, SINTEF IM, Norway, 1997.
  13. "Guidelines for quantitative risk assessment," Purple Book, The Committee for the prevention of Disasters, The Hague, 1999.
  14. "SafetiMicro, Software for assessment of fire &toxic impact," DNV, UK, 2001
  15. "Guidelines for engineering design for process safety," CCPS, AIChE, 1993.

The author

Click here to enlarge image

Adam S. Markowski is a senior lecturer in the department of environmental engineering systems at the Technical University of Lodz, Poland. He is also head of its safety and environmental management group. His research interests include industrial process safety, risk and safety management, loss prevention in the process industries, and thermal explosions in the process industries. Markowski holds an MSc (1965) and a PhD (1972), both in chemical engineering from the Technical University of Lodz.

Based on a presentation to the 2001 Annual Symposium of the Mary Kay O'Connor Process Safety Center, Texas A&M University, College Station, Tex., Oct. 30-31, 2001.