
Doc. No. P-HSE-H6 Rev. 0 - SEPTEMBER 2009

ESReDA
Working Group on Fire Risk Analysis
Fire Risk Analysis Process and Oil & Gas Industries
Standard and Regulations, State of the Art & Methodologies
D'Appolonia Contribution to ESReDA Report


Prepared by:
Stefania Benucci - September 2009
Simone Garrone - September 2009

Verified by:
Paolo Paci - September 2009
Giovanni Uguccioni - September 2009

Approved by:
Roberto Carpaneto - September 2009

Rev. 0 - Description: First Issue - Prepared by SFB/SMG - Verified by PP/GMU - Approved by RC - Date: September 2009

All rights, including translation, reserved. No part of this document may be disclosed to any third party, for purposes other than the original, without written consent of D'Appolonia.


TABLE OF CONTENTS

LIST OF TABLES
LIST OF FIGURES
1 STANDARD AND REGULATIONS
2 STATE OF THE ART AND METHODOLOGIES
  2.1 INTRODUCTION
  2.2 DEFINITION OF RISK ASSESSMENT OBJECTIVES
  2.3 HAZARDS IDENTIFICATION
  2.4 FIRE SCENARIOS IDENTIFICATION
  2.5 FREQUENCY ANALYSIS
    2.5.1 TOP Events Likelihood of Occurrence
    2.5.2 Loss of Containment Events Likelihood of Occurrence
    2.5.3 Scenarios Likelihood of Occurrence
  2.6 CONSEQUENCES EVALUATION
    2.6.1 Semi-empirical models
    2.6.2 Field models
    2.6.3 Integral models
    2.6.4 Zone models
  2.7 RISK ASSESSMENT
    2.7.1 Risk Matrix
    2.7.2 Location Specific Individual Risk
    2.7.3 Individual Risk
    2.7.4 Societal Risk
  2.8 RISK-BASED FIRE PROTECTION
3 DATA FOR FIRE RISK ANALYSIS
  3.1 HISTORICAL INCIDENT DATA
  3.2 PROCESS AND PLANT DATA
    3.2.1 Plant Layout and System Description
    3.2.2 Ignition Sources and Data
  3.3 CHEMICAL DATA
  3.4 ENVIRONMENTAL AND TERRITORIAL DATA
    3.4.1 Population Data
    3.4.2 Meteorological Data
    3.4.3 Territorial Data
    3.4.4 External Event Data
  3.5 RELIABILITY DATA
    3.5.1 Human Reliability Data
  3.6 RISK UNCERTAINTY, SENSITIVITY AND IMPORTANCE
REFERENCES


LIST OF TABLES

Table 2.1: HAZID categories and guidewords
Table 2.2: Typical HAZOP Guidewords/Parameters and Deviations for Continuous Processes
Table 2.3: Ignition Probabilities


LIST OF FIGURES

Figure 1.1: Fire Risk Analysis Flow Diagram
Figure 2.1: Event Tree Example
Figure 2.2: Fault Tree Example
Figure 2.3: Risk matrix (Example)
Figure 2.4: Local Risk Contour Lines (Example ARIPAR Code)
Figure 2.5: F-N Curves (Example ARIPAR Code)
Figure 3.1: Wind rose (example)


FIRE RISK ANALYSIS PROCESS AND OIL & GAS INDUSTRIES, STANDARD AND REGULATIONS STATE OF THE ART & METHODOLOGIES D'APPOLONIA CONTRIBUTION TO ESREDA REPORT

1 STANDARD AND REGULATIONS


Standards and Regulations currently adopted for the design of active Fire Protection Systems are discussed in the following, with a specific emphasis on how they address Risk Analysis as part of the basis for the systems design. National regulations will be dealt with in Section 1.2 (see contribution by D'Anna and Demichela). It is expected that each member of the WG will contribute with specific information related to her/his Country of origin.

This section will specifically focus on active protection in process plants. Fire protection in Civil structures and Buildings is understood not to be covered by the WG activities, and therefore the Eurocode, dealing with structural response in structures, is not considered here.

Rules

There is no general Rule defining how Risk Analysis Methods shall be adopted in the design of systems. Nevertheless there is a strong trend to move away from a prescriptive towards a performance-based design approach, also following the introduction of rules such as the ISO TR 13387 (1999), the Regulatory Reform Fire Safety Order (2005), or the Italian DM 9 May 2007.

In contrast to the prescriptive approach - which only specifies methods and systems without identifying how these achieve the desired safety goal - performance-based design in the case of fire protection uses an engineering approach based on established fire safety objectives, analysis of fire scenarios and assessment of design alternatives against the objectives. This allows for more design flexibility and innovation in construction techniques and materials, gives equal or better fire safety and maximizes the cost/benefit ratio during design and construction.

Designers of fire-fighting systems in process plants adopt either a specific Company Standard (e.g. Standards from operators, such as Total, Shell, or Standards from the Engineering Companies, such as Saipem/Snamprogetti, etc.) or they follow the NFPA (mainly) or API standards, or the EN standards where present.

These standards give technical solutions considered to be adequate for fire protection and generally adopted in process plant firefighting design (e.g. ISO 13702, API RP 2030, NFPA 15 give the minimum specific flowrate to be adopted for cooling of components). In certain cases they recommend the use of hazard analysis as a tool for defining the requirements; however, this is left at a very general level, without recommending any specific approach to be followed.

ASTM E 1776 is a standard for people writing guides for risk assessment of alternative products within a product class. ISO TS 16732 and the SFPE Guide to Fire Risk Assessment are guidelines intended to either replace or complement conventional prescriptive codes. The NFPA 551 code is explicitly designed to assist responsible officials in their duty of confirming (or refuting) the code equivalency of a design proposal justified through a supporting Fire Risk Assessment (FRA); this code is a guidance for those reviewing a Fire Risk Assessment. The International Organization for Standardization TC 92 SC 4 is working to provide Fire Safety Engineering documents for supporting performance-based design and assessment.

The above is only a brief introduction; a description of the technical solutions given by the most widely applied rules is not part of the WG deliverables. Instead, in section 6 (comparison of methods), a comparison between the design solutions identified using a FRA approach and the design solutions obtained by the deterministic application of the Rules could be of interest.

D'APPOLONIA S.p.A. Via San Nazaro, 19 - 16145 Genova, Italy
Phone +39 010 362 8148 - Fax +39 010 362 1078
e-mail: dappolonia@dappolonia.it - Web Site: http://www.dappolonia.it

The case of LNG Installations

For LNG installations both applicable NFPA and EN standards require a certain degree of hazard assessment. The standard NFPA 59A for LNG installations states the following very general principle, but gives no specific methodology or criteria for the hazard analysis:

________________________________________________________________

________________________________________________________________

The EN standard 1473 on LNG installations, point 13.6, states:

"Water supply systems shall be able to provide, at fire fighting system operating pressure, a water flow not less than that required by the fire fighting systems involved in the maximum single incident identified in the Hazard Assessment in 4.4 plus an allowance of 100 l/s for hand hoses. The fire water supply shall be sufficient to address this incident, but shall not be less than 2 h."

Hazard assessment is also considered as a basis for the design of water curtains. However, the Hazard assessment techniques and methods to be followed are left to national requirements, if any, or to the decision of the designer:

"The following methodology and requirements see annexes that show examples of frequency ranges, classes of consequences and levels of risks. However there is a variation in national and company acceptance criteria and the examples given in the informative Annexes J, K and L should be considered as minimum requirements. If more stringent local or national requirements exist they shall supersede these minimum requirements."

And, in section 4.4.2.1 (Methodology), it is stated:

"The methodology of the hazard assessment can be deterministic and/or probabilistic."


Standard

The need for a plant-specific approach to the definition of the fire-fighting system, and therefore the impossibility for a Rule to cover each case deterministically, is expressed by the following statement, taken from a Major company internal standard:

"It is not possible to define all the fire-fighting requirements applicable to all cases and regardless of circumstances. The factors listed below (and others as applicable) shall be contemplated in the process leading to the decision to install a fire-fighting system, its type and the level of protection it provides...Each case shall be studied during project phase.
- Equipment size (as an expression of the intrinsic potential hazard e.g. a storage tank);
- Equipment cost (balanced against the cost of a fire protection system);
- Applicable codes, regulations, Insurance Company and statutory requirements;
- Facility geographical location (e.g. onshore versus offshore, populated versus desertic area, etc.);
- Criticality within the (Operating) COMPANY production scheme (e.g. one out of "n", gathering battery versus main export pump station, local electrical substation versus main switch gear room, etc.);
- Asset protection policy put in force by the (Operating) COMPANY".

Good Practices

Information on methods to be used for the simulation of fire and fire damage, and technical criteria for fire protection, are provided by several references used as Best Practice in the modern industry. "The SFPE Handbook of Fire Protection Engineering", by NFPA (National Fire Protection Association), is the most widely used reference: it provides comprehensive coverage of today's best practices in fire protection engineering and performance-based fire safety. Another widely used reference, which also provides deep methodological information, is the "Handbook for Fire calculations and Fire risk assessment in the Process Industry" by Sintef / Scandpower.

In this Guideline, the section on Risk Analysis (6 pages over a total of 280 approx, excluding appendixes) gives the general flow diagram shown in Figure 1.1, where the main steps of a Fire Risk Analysis are highlighted.

The first step should always be a fair understanding of the system design and operational modes (normal operation, start-up, shut-down, inspection, maintenance) through the system documentation. Based on the available information on the system and operational modes, a systematic hazard identification should be performed to list all potential hazardous events (where a hazard could be a situation in which a combustible fluid is in contact with a comburent agent in presence of ignition).

Then, for the identified hazardous events, the probability of occurrence has to be evaluated using appropriate tools and mathematical predictive models (e.g. Fault Tree Analysis) and/or statistical data, while the accidental consequences have to be assessed and evaluated in terms of physical effects (heat flux, smoke concentrations, etc.) using fluid dynamics and physical/chemical/mathematical models.

Using Event Tree Analysis (an analytical and visual model which describes the event chain which develops from an initial scenario), the initial hazardous event can be broken down into the several possible scenarios which reflect the possible escalation of the different situations, taking into account external as well as internal factors such as, for instance, presence of ignition, presence of safety systems, meteorological conditions, etc.

From the combination of the previous parameters (likelihood of occurrence and severity of consequences) the risk to personnel, to environment and to asset can be evaluated and compared with the established acceptance criteria. Recommendations can be given in order to meet the expected safety levels for the events with intolerable consequences (Residual Accidental Events) and to improve the overall safety performance for the events whose resulting physical effects are accounted for in the design (Design Accidental Events).

To optimize the benefit of investing in risk reducing measures, the implementation of additional active/passive fire-protection/detection systems can be calculated in monetary value and compared with the investment and maintenance cost.

Figure 1.1: Fire Risk Analysis Flow Diagram


2 STATE OF THE ART AND METHODOLOGIES

2.1 INTRODUCTION

In the modern Industry, the different approaches to fire protection are essentially two: the traditional approach, based on prescriptive codes, and the innovative approach, which relies on performance-based tools. A risk-informed, performance-based approach to fire protection offers an increasingly acceptable alternative to strict adherence to code requirements alone.

The prescriptive codes supply the minimum requirements for fire protection systems. This is very often used as a pragmatic approach which also satisfactorily resolves insurance requirements with a minimum effort. The risk analysis is done a priori by the legislator, who fixes a safety level and establishes a set of rules able to compensate the existing risk. So the fire protection is not guaranteed on the basis of engineering principles, and the fire engineers are left a narrow margin of discretion. In addition, codes usually are written to apply to typical configurations: special situations are very often disregarded or generically treated.

With the performance-based approach the fire protection is guaranteed by the application of an engineering methodology developed on a scientific basis. It allows consideration of a large number of project variables and gives a deeper and often less expensive engineering solution than the traditional approach. This is even more true when special situations require tailored engineering and a fit-for-purpose safety approach.

The approach is performance-based because it provides solutions based on performance to established goals, rather than on prescriptive requirements with implied goals. The approach is risk-informed because the analysis takes into account not only the severity of the events, but also the likelihood of the hazard and the probability of failure of any present protection system.

The basic methodology is also known as Quantitative Risk Assessment (QRA), and it allows, among other things:
- the capability of early identification of weak links in loss prevention and protection systems at design phase;
- the possibility to optimize loss control investments, allowing an intelligent allocation of the resources to the area giving rise to the highest risk.

A generalized Fire Risk Analysis passes through the quantification of the consequences and estimation of the probabilities of the identified fire hazards, the identification of the hazard control options and the evaluation of their impact on the overall risk, ending with the selection - if necessary - of appropriate further protections.

The systematic steps of a Fire Risk Assessment are (each step is detailed in the following):
- Definition of Risk Assessment Objectives;
- Hazards Identification;
- Scenarios Identification;
- Frequency of Occurrence Analysis;
- Consequences Evaluation;
- Risk Assessment;
- Risk-based fire protection analysis and recommendations.


2.2 DEFINITION OF RISK ASSESSMENT OBJECTIVES


Prior to the start of a Risk Assessment it is imperative to have a clear project scope (conforming to code/insurance requirements for acceptable level of risk, or reduction of human fatalities/injuries, or improving cost-effectiveness of risk prevention, minimizing business interruption, etc.) and to explicitly state and agree upon project objectives and establish management's acceptable risk criteria for risk comparisons. Also, it is necessary to choose/define models and algorithms for the consequences determination (potential sizes of vapour clouds, overpressure from explosions, thermal radiation intensities), select the appropriate weather conditions and finally select appropriate sources of failure rate/reliability data. The ensemble of all the above criteria is normally called "FRA/QRA Rule Sets" and may be contained in a specific document to be issued before the development of the Fire Risk Analysis.

2.3 HAZARDS IDENTIFICATION

Fire Risk Analysis begins with the identification of fire hazards. This is a critical step, since fire and explosion hazards not properly identified and defined in terms of cause/consequences cannot be properly addressed, or they can be misleading, within the risk assessment framework.

Results of the Hazards Identification should include the identification of the physical and chemical properties of materials processed/stored/transported on site that can harm employees/public/property/environment or other selected risk targets, the identification of weaknesses in the design/operation/protection of facilities that could lead to toxic exposures, fires or explosions, and the evaluation of the potential hazardous events associated with a process or activity.

Accurate information concerning plant processes, operating philosophy, material properties, inventories, processing and storage conditions is required to perform hazard identification. This step of the FRA is focused not only on normal operation, but also on start-up, shut-down, inspection and maintenance.

When possible, a review of the accidents historically recorded for similar processes and installations is important to identify possible hazards, representative failure modes (equipment related, human error, system related), ignition sources, fire propagation contributing factors, duration of the fire and general effect of loss mitigation factors. Accident data from specific plant operations, if available, are usually the best source and probably more accurate for specific equipment and operations, since the data reflect the operating and maintenance practices of the specific facility.


Along with the historical review, structured analytical methodologies are available for Hazard Identification on any well-known or totally new process and installation. The most frequently used structured hazard evaluation techniques include:
- Hazard Identification (HAZID);
- Hazard and Operability study (HAZOP);
- Failure Modes and Effects Analysis (FMEA);
- Checklists;
- "What-if" analysis.

HAZID is one of the best techniques for early identification of potential hazards and threats, where hazards are any operations that could possibly cause a release of toxic, flammable or explosive chemicals (including oil and gas) or any actions that could result in injury to personnel or harm to the environment. It is commonly carried out in a workshop in which an experienced facilitator leads a team of several competent specialists of different disciplines through the identification process.

The system under analysis is divided into sub-systems and for each of these a structured brainstorm is done to identify hazards using a pre-defined checklist (see Table 2.1). Where it is agreed by the Team that a significant hazard exists in a particular area, the risk posed by the hazard is considered, assessed and recorded, along with its expected consequences, safeguards and all possible means of either eliminating the hazard or controlling the risk. When necessary, specific further actions are assigned within the project parties for later follow-up and inclusion in the design.

Table 2.1: HAZID categories and guidewords


The HAZard and OPerability Study (HAZOP) Technique was developed in Britain by ICI (Imperial Chemical Industries, Ltd.) during the 1960s as an engineering tool to overcome the problem of the increasing complexity of modern design and to systematically identify potential issues (safety and/or operability related) in both new and existing designs for chemical and petrochemical plants.

The HAZOP Study is a systematic analysis of the Design, developed in order to assess the possible hazards and the operability issues of the system. The methodology relies on a series of guidewords that are applied to each "node" to identify process deviations and to investigate their impact on Safety and Operability performances.

Table 2.2: Typical HAZOP Guidewords/Parameters and Deviations for Continuous Processes

PARAMETERS                    GUIDEWORDS    DEVIATIONS
Flow                          more          high flow
                              less          low flow
                              none          no flow
                              reverse       reverse flow
                              other than    loss of containment
pressure                      more          high pressure
                              less          low pressure
                              none          vacuum
temperature                   more          high temperature
                              less          low temperature
                              as well as    cryogenic
level                         more          high level
                              less          low level
                              none          no level
state/composition             more          additional phase
                              less          loss of phase
                              reverse       change of state
                              part of       off-spec composition
                              as well as    contaminants
                              other than    corrosive concentration
reaction                      more          runaway reaction
                              as well as    side reaction
                              other than    explosion
UTILITY: power, air, steam,   No            loss of
nitrogen, cooling water
UNSTEADY OPERATION: startup,  as well as    difficult
shutdown, maintenance,        other than    hazardous
sampling, drainage
documentation                 part of       incomplete documentation
                              as well as    unclear documentation
                              other than    incorrect documentation

A "node" is a sub-system or a portion of a system which can be analyzed alone (e.g. a vessel, a column, a header, a compressor system, even a single line), together with the relevant connections to the interfaces. The totality of the nodes shall cover all the Systems under analysis, without missing any portion of them, until the whole Design is analyzed.

The Combination of Guideword and Process Parameter expresses the "Deviation", which is the subject of the discussion. The Guidewords, in a HAZOP Analysis, are the "qualifying words" for the deviation to be analyzed. Guidewords always apply to the parameter under analysis and they express a sort of "change" or "passage" from a parameter's desired state to an un-desired one. Doing this, they "qualify" the passage of each parameter from the "normal" state to a "deviation condition". In Table 2.2 the typical deviations considered during a HAZOP are listed.

For each deviation, the HAZOP Team identifies the possible causes and its consequences (qualitatively) on process and operation, and verifies the existence of sufficient systems of prevention, detection and correction/mitigation of the outcomes. When considered necessary, remedial measures are required depending on the expected qualitative likelihood of the event and its consequence; these are recorded in the HAZOP worksheets in the form of recommendations aimed at ensuring a subsequent proper follow-up by the project team (Ref. EPSC, 2000; CCPS, 1992).

Failure Modes and Effects Analysis (FMEA) is a systematic and structured methodology for analyzing potential reliability problems: it is used to identify potential failure modes, to determine their effect on the operation of the product and to identify actions to mitigate the failures and to assure the highest possible yield, quality and reliability.

Checklist is a qualitative simplified approach, consisting of a listing of potential hazards, usually with recommended practices. The fire protection engineer must focus on only those points that are applicable to the specific project. Checklists do not capture the interaction of fire risk factors, including the manner in which the importance of one fire risk factor will change as a function of performance on another factor.

What-if Analysis is a structured - although simplified - brainstorming method used to define what things can go wrong ("What") under certain circumstances ("If"), and to qualitatively assess the likelihood and consequences of these situations. Results of the analysis form the basis for making judgments on risk acceptability and, if necessary, recommending a course of action.

Using What-if Analysis, an experienced review team, led by an expert facilitator, can quickly and productively discern major issues concerning a process or system. Team members usually include operating and maintenance personnel, design and/or operating engineers, and a safety representative. As in HAZID and HAZOP, results of the analysis can be expressed in the form of "actions" to be later followed up by the Team.

2.4 FIRE SCENARIOS IDENTIFICATION


Major Accidental Events (MAEs) are defined as those events which have the potential to cause multiple fatalities or extensive asset damage, or that can potentially have massive environmental/socio-cultural effect, or negative impact on Company reputation and its ability to pursue business. MAEs are usually identified within the following categories:
- Process Deviation Events (Top Events): events occurring as a consequence of a process malfunction or an operating error and the simultaneous failure of the corresponding foreseen process protection (e.g. overpressure in a vessel whilst the PSV is not working properly);
- Loss of Containment Events ("Random" Ruptures): events randomly occurring as a consequence of an unexpected rupture and/or release from piping/equipment, due to defect, wearing, corrosion or other unforeseeable problems;
- Non-Process Events: events originated by external cause/impacts (e.g. dropped objects or naval impacts).

HAZOP Analysis is normally considered the best way to identify all the potential credible causes of release and leak due to Process Deviations (typically: overpressures). As a general rule, all the causes/deviations that can possibly lead to an increase of operating conditions without realistically exceeding the design conditions are not considered as potential Top Events. For example, typically, only deviations leading to an overpressure exceeding 1.5 times the design pressure of a system (i.e. the proven conditions of hydraulic/pressure testing) are considered potential MAEs for further analysis.

Loss of containment events (Random Ruptures) are normally identified based on statistical approaches, as suggested by best practice criteria. From the project documents (P&IDs, PFDs, etc.) each unit of the facility is divided into representative sections, the possible release locations are conservatively identified and the associated loss of containment scenarios are analyzed.

The loss of containment events from equipment or piping can be caused by unexpected failures due to material defects, fabrication errors, excessive wearing or corrosion, maintenance errors, etc., and they can be difficult to quantify. It is common practice to consider these cases by assuming a set of representative leak diameters for components (vessels, pipework, pumps, compressors, valves, etc.) in each section of the plant.

The Loss of Containment Events identification phase is typically carried out in three steps:
- identification of the existing isolatable sections within the facilities;
- characterization of the isolatable sections in terms of operating conditions and inventories;
- characterization of the realistic release point discharge conditions within each identified Isolatable Section.
Non-Process events potentially evolving into Major Accidental Events are, for example, dropped object events or ship impact/collision events. These events, when found to be statistically significant, can lead to release scenarios similar to those previously mentioned for Top Events and Loss of Containment Events. The same modelling applies for characterizing these releases.

A fire scenario is a time-sequence-based description of a fire incident. Structuring credible fire and explosion loss scenarios is a fundamental aspect of the Risk Assessment process. The most widely used technique for defining the structure and sequential logic of fire scenarios is the Event Tree Analysis. An Event Tree is a visual model which describes possible event chains developing from hazardous situations, such as fire initiation and propagation. An example of an Event Tree is shown in Figure 2.1. Very often the initial hazardous situation (the starting box of the Event Tree) is called "Top Event" and it is in fact identified with HAZOP and then quantitatively characterized with FTA.

Potential incidents of primary interest for the Fire Protection Engineer include events of equipment/piping direct flame impingement, radiant heat from a fire (Pool Fire, Flash Fire, Fireball), explosion overpressures (VCE: Vapour Cloud Explosion and UVCE: Unconfined Vapour Cloud Explosion) and corrosive smoke/fire products concentration. These events are typically associated with leaks and releases of flammable materials from piping and equipment, and the typical initiating failure events generally include mechanical failure (due to fatigue, corrosion, design errors, etc.), failure of Basic Process Control Systems (BPCS), human error and external interactions (flooding, earthquake, etc.).

The accident sequence modelling with an Event Tree is - although visually simple - a crucial, challenging and complex task, which presents typical difficulties, such as:
- The process leading to the outcome scenarios is normally highly time-dependent;
- Escalation involves complex interactions between different equipment and with the surrounding environment;
- Timing and type of Human intervention may have extensive effects on the scenario development;
- Small initial differences may lead to greatly different final scenarios.

Dynamic situations are probably the main challenge, and ETA is too static to be fully adequate for suitably detailed analysis of dynamic accident sequences. However, ETA is de facto the standard tool for scenario modelling used in QRA and Fire Risk Analysis, and currently no practical valid alternative tools and approaches exist for this purpose.

Figure 2.1: Event Tree Example


2.5 FREQUENCY ANALYSIS

The main difference between Fire Risk Assessment (FRA) and conventional Fire Protection Engineering Assessment is that with FRA the assessment is not limited to deterministic analysis. In developing a FRA, the uncertainties about whether fire will occur and systems will operate are explicitly addressed.

2.5.1 TOP Events Likelihood of Occurrence

For the identified Top Events, the relevant frequency of occurrence can be evaluated using Fault Tree Analysis techniques. Potential Top Events are first identified with normal Hazard Identification techniques (typically: HAZOP). All causes for each significant Process Deviation identified in the HAZOP are considered together with the applicable safeguards and protections to develop a Fault Tree of the event and then perform the reliability calculations that define the resulting expected frequency of occurrence.

FTA is an analytical method for characterizing the occurrence of a specified, undesired event (Top Event) using a graphic model (the Fault Tree) which represents the logical combination of basic (low-level) events resulting in the occurrence of the Top Event.

The Fault Tree is a graphic "model" of the potential pathways in a complex system which can lead to a foreseeable undesired event. The pathways interconnect several kinds of contributory events and conditions, using the Boolean Algebra logic symbols (AND, OR, etc.). The Fault Tree Analysis uses numerical single probabilities of occurrence of the basic events (Component reliability data, or failure data) to evaluate the propagation through the model and eventually assess the expected frequency of the Top Event. A "typical" Fault Tree is presented in Figure 2.2.

Figure 2.2: Fault Tree Example

Reliability data considered for the FTA development can be obtained from International Sources databases (e.g. Sintef 1992, Sintef 2006, Exida 2007, Oreda 2002). Fault Tree Analysis is typically performed using specialized computer programs which automatically develop the reliability calculations as well as the graphical representation of the Fault Tree. Among the most commonly used commercial codes are, for instance, ASTRA-Advanced Software Tool of Reliability Analysis (developed by JRC), or Fault Tree+ (developed by Isograph Inc.).
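The calculation that such programs perform can be shown on a small tree. The following Python sketch is an added example, not taken from the report or from any of the codes named above: it derives the minimal cut sets of an AND/OR tree and the exact Top Event probability, and compares it with a gate-by-gate product that is wrong when a basic event is shared between branches. The tree, the event names and all numerical values are constructed, and basic events are assumed independent.

```python
"""Added example: minimal cut sets and Top Event frequency of a small fault tree."""
from itertools import combinations
from math import prod

# A node is a basic-event name (str) or a gate: ("AND" | "OR", [children]).
# Constructed tree: both protection layers fail on demand. The trip and the
# alarm share one logic solver, so the same basic event appears twice.
PROTECTION_FAILS = ("AND", [
    ("OR", ["PRESSURE_TRANSMITTER_FAILS", "LOGIC_SOLVER_FAILS"]),  # trip
    ("OR", ["OPERATOR_NO_RESPONSE", "LOGIC_SOLVER_FAILS"]),        # alarm
])
# Constructed probabilities of failure on demand (not from any database).
PFD = {
    "PRESSURE_TRANSMITTER_FAILS": 0.01,
    "LOGIC_SOLVER_FAILS": 0.005,
    "OPERATOR_NO_RESPONSE": 0.1,
}
INITIATING_FREQUENCY = 0.1  # events/year, constructed process deviation


def minimal_cut_sets(node):
    """Return the minimal sets of basic events that cause the node's event."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":
        combined = set().union(*child_sets)
    elif gate == "AND":
        combined = {frozenset()}
        for sets in child_sets:
            combined = {a | b for a in combined for b in sets}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Drop every cut set that strictly contains another one.
    return {s for s in combined if not any(other < s for other in combined)}


def top_probability(cut_sets, p):
    """Exact P(any cut set occurs) by inclusion-exclusion.

    Exponential in the number of cut sets, so suitable for small trees only.
    """
    cut_sets = list(cut_sets)
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        sign = 1.0 if k % 2 else -1.0
        for group in combinations(cut_sets, k):
            events = frozenset().union(*group)
            total += sign * prod(p[e] for e in events)
    return total


def gate_by_gate(node, p):
    """Naive bottom-up evaluation; treats a repeated event as independent copies."""
    if isinstance(node, str):
        return p[node]
    gate, children = node
    values = [gate_by_gate(child, p) for child in children]
    if gate == "AND":
        return prod(values)
    return 1.0 - prod(1.0 - v for v in values)


CUT_SETS = minimal_cut_sets(PROTECTION_FAILS)
P_EXACT = top_probability(CUT_SETS, PFD)
P_NAIVE = gate_by_gate(PROTECTION_FAILS, PFD)
TOP_EVENT_FREQUENCY = INITIATING_FREQUENCY * P_EXACT  # events/year

if __name__ == "__main__":
    for cut_set in sorted(CUT_SETS, key=len):
        print("cut set:", sorted(cut_set))
    print(f"exact P = {P_EXACT:.6f}, gate-by-gate P = {P_NAIVE:.6f}")
    print(f"Top Event frequency = {TOP_EVENT_FREQUENCY:.3e} events/year")
```

The shared logic solver forms a single-event cut set, which is why the gate-by-gate product understates the failure probability of the protections.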

2.5.2 Loss of Containment Events Likelihood of Occurrence

In case of Loss of Containment events (Random Ruptures), historical failure data and/or statistical data are typically used to assess the leak frequency of occurrence. For example, historical failure data from the HSE Hydrocarbons Releases System (for Off-Shore Applications) or from the Standard Reference API RP 581 (for On-Shore Applications) can be assumed as basic failure data.

To evaluate the expected likelihood of occurrence for each credible loss of containment event, all passive components identified (piping, vessels, etc.) within a given plant section are considered to calculate the final failure frequency: a "parts count" is performed and the expected frequency of failure of each "part" contributes to the frequency of the event analyzed. Different sizes of leaks are considered and differentiated (e.g. 1/4", 1", 4" and Full Bore for API RP 581), and the "complexity" of the isolatable section is evaluated according to suitable criteria: given similar conditions, a simple, straight pipe with no flanges or other discontinuities typically has a lower leak frequency than a complex piping system with many flanges, tie-ins and valves along the route.

Typically, a threshold frequency value is defined in order to focus on the most significant events and disregard the statistically negligible scenarios. Usually, 1.00 E-06 event/year is considered a reasonable (and institutionally accepted) threshold value: below this expected frequency, the event is not analyzed further, being not statistically significant. This applies both to Top Events and Loss of Containment Events and, as will be discussed below, to a single Scenario among those possible. The cut-off value is defined on the basis of the established Risk Acceptance Criteria: this frequency value should represent a limit below which any event, regardless of the severity of the consequences, poses an "Acceptable" Risk.

2.5.3 Scenarios Likelihood of Occurrence

Regardless of the root causes of the event (process deviation, human error, "random" loss of containment, etc.), once the accident has occurred and the release has taken place, the dynamic evolution of the event can lead to different potential scenarios. As illustrated earlier, this evolution can be effectively characterized and represented by an Event Tree.

It is obviously necessary to differentiate the expected frequency of occurrence of the different possible scenarios, since their respective consequences are deeply different (e.g. an explosion versus a harmless atmospheric dispersion). The frequency evaluation of the final accidental scenarios typically accounts for the characteristics of the released fluid (gas/liquid), for the released flow-rate, for the weather conditions and flammable mass formation, for the presence of ignition (immediate/delayed), for the presence of Safety Systems (e.g. ESD, fire fighting system), etc.

Starting from the initial undesired accidental event (process deviation or loss of containment), the Event Tree displays the sequences of events through binary division at each node (e.g. Immediate Ignition: Yes/No) until all final outcomes are considered. Each binary node division is provided with a probability, therefore allowing the calculation of each final scenario frequency starting from the likelihood of occurrence of the initial event (see example of ET in Figure 2.1).

For assigning the correct probabilities to each binary node division, if possible, specific and tailored considerations and assessments shall be made (e.g. from detailed information on the presence of effective potential ignition sources - see Section 3.2.2). Where project-specific data and information are missing, the probability values to be applied to each of the different branches of the Event Tree can be evaluated from standard literature data and international references (e.g. Lees, 1996; Cox et al., 1990). Typical values from literature are reported in Table 2.3.

Table 2.3: Ignition Probabilities

Immediate Ignition Probability
Release rate (kg/s)    Gas/Vapour or Two-Phase Release    Liquid Release
< 1                    0.01                               0.01
1 - 50                 0.07                               0.03
> 50                   0.30                               0.08

Explosion/Flash Fire Probability (Delayed Ignition)
Flammable Mass (kg)    Explosion Probability    Flash Fire Probability
< 100                  0                        0.01
100 - 1000             0.001                    0.03
> 1000                 0.030                    0.10

Immediate Ignition probability is expressed in this case as a step function of the flammable fluid release rate, but better and more sophisticated methodologies are available to evaluate the probability of ignition of flammable releases from onshore and offshore installations. For instance, "IP Ignition Probability Review, model development and look-up correlations" (UKOOA, 2006) provides the findings of a United Kingdom Offshore Operators Association (UKOOA) / Health and Safety Executive (HSE) / Energy Institute (EI) co-sponsored project undertaken by ESR Technology. In this work, look-up correlations in which ignition probability is a continuous function of mass release rate have been derived (continuous on each of three mass flowrate ranges: within a range the function is no longer constant, as in the previous step function, but is characterized by the same parameters).

The possible resulting scenarios of an immediate ignition are:
- a Pool Fire for liquid releases;
- a Jet Fire for gas releases;
- a combined Pool Fire and Jet Fire for two-phase releases.

Delayed ignition of a gas cloud can generate an explosion (UVCE or VCE) if the mass of gas and the partial confinement of the cloud are sufficiently large; otherwise a simple rapid combustion of the gas cloud enclosed within flammability limits (Flash Fire), without explosion, is more likely to occur.

To complete the Event Trees and assess the correct scenarios frequency of occurrence it is necessary also to quantify the probability of Fire Protection System performance success in terms of conditional probabilities. Fire Protection System performance success is the product of three probabilistic success measures (Ref. NFPA, 2002):
- response effectiveness, correlated to the objectives of minimizing system response time;
- online availability, correlated to the objectives of minimizing system downtime;
- operational reliability, correlated to the objectives of minimizing the probability of failure on demand (PFD).

Following the analysis with Event Tree, a number of different scenarios in different conditions is obtained, each with its own expected frequency of occurrence. Each scenario is considered credible when its frequency of occurrence (as sum of frequencies for all considered weather conditions) is higher than the defined cut-off frequency for statistically negligible events. Therefore, following ETA, each scenario with associated frequency of occurrence lower than the cut-off frequency is not further analyzed. Consequences of scenarios with significant frequency of occurrence are instead further assessed (see next Section) and they contribute to the final Risk Level.
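The Event Tree quantification described in this section, carried through with the values of Table 2.3 and the 1.00 E-06 event/year cut-off, is shown below as an added Python example that is not part of the original report. Assumptions: the delayed-ignition probabilities are applied to the "no immediate ignition" branch, a value exactly on a band limit falls in the middle band, the fire protection branch is placed after immediate ignition, weather conditions are not modelled, and the initial frequency and protection measures are constructed.

```python
"""Added example: quantify the ignition Event Tree of Section 2.5.3."""

CUT_OFF = 1.0e-6  # events/year, cut-off frequency quoted in Section 2.5.2

# Table 2.3 as step functions, one value per band (low, middle, high).
IMMEDIATE_IGNITION = {
    "gas": (0.01, 0.07, 0.30),        # gas/vapour release
    "two-phase": (0.01, 0.07, 0.30),
    "liquid": (0.01, 0.03, 0.08),
}
EXPLOSION = (0.0, 0.001, 0.030)       # by flammable mass band
FLASH_FIRE = (0.01, 0.03, 0.10)       # by flammable mass band
FIRE_ON_IMMEDIATE_IGNITION = {
    "gas": "jet fire",
    "liquid": "pool fire",
    "two-phase": "pool fire + jet fire",
}


def band(value, low, high):
    """Index of the Table 2.3 band: below low, low to high, above high.

    Assumption: a value exactly on a limit falls in the middle band.
    """
    if value < low:
        return 0
    return 1 if value <= high else 2


def protection_success(response_effectiveness, online_availability,
                       operational_reliability):
    """Fire Protection System success as the product of its three measures."""
    measures = (response_effectiveness, online_availability,
                operational_reliability)
    if any(not 0.0 <= p <= 1.0 for p in measures):
        raise ValueError("probabilities must lie in [0, 1]")
    return response_effectiveness * online_availability * operational_reliability


def event_tree(initial_frequency, phase, release_rate, flammable_mass,
               p_protection):
    """Return {scenario: frequency in events/year} for one release event."""
    p_immediate = IMMEDIATE_IGNITION[phase][band(release_rate, 1.0, 50.0)]
    mass_band = band(flammable_mass, 100.0, 1000.0)
    # Assumption: the delayed-ignition values are conditional on the
    # "no immediate ignition" branch; the remainder disperses unignited.
    p_explosion, p_flash = EXPLOSION[mass_band], FLASH_FIRE[mass_band]
    fire = FIRE_ON_IMMEDIATE_IGNITION[phase]
    ignited = initial_frequency * p_immediate
    not_ignited = initial_frequency * (1.0 - p_immediate)
    return {
        f"{fire}, protection succeeds": ignited * p_protection,
        f"{fire}, protection fails": ignited * (1.0 - p_protection),
        "explosion (VCE/UVCE)": not_ignited * p_explosion,
        "flash fire": not_ignited * p_flash,
        "dispersion without ignition":
            not_ignited * (1.0 - p_explosion - p_flash),
    }


def credible(scenarios, cut_off=CUT_OFF):
    """Keep only scenarios whose frequency is higher than the cut-off."""
    return {name: f for name, f in scenarios.items() if f > cut_off}


# Constructed case: gas release, 2.0e-4 events/year, 10 kg/s, 500 kg cloud.
P_FPS = protection_success(0.95, 0.98, 0.97)
SCENARIOS = event_tree(2.0e-4, "gas", 10.0, 500.0, P_FPS)
CREDIBLE = credible(SCENARIOS)

if __name__ == "__main__":
    for name, freq in sorted(SCENARIOS.items(), key=lambda kv: -kv[1]):
        status = "analysed further" if name in CREDIBLE else "below cut-off"
        print(f"{name:36s} {freq:.3e} /year  {status}")
```

The branch frequencies always sum to the frequency of the initial event, which is a quick consistency check on any Event Tree.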

2.6 CONSEQUENCES EVALUATION

Consequence assessment is the evaluation and measure of the physical outcomes of an event and/or associated scenarios. The evaluation is aimed at assessing the distances at which hazard threshold values are reached. The selected threshold values associated to the damage levels are defined prior to the development of the consequences calculations for heat radiation, overpressure, toxic gas dispersion, domino effects, etc. The values are normally set on the basis of Legislative Requirements, Corporate Policies, Design Requirements or Best Practice.

The steps involved in the quantification of a flammable release include the characterization of the release in terms of leak size and associated release rates, the phase(s) of the released fluid, the duration of the event, the formation of flammable mixtures with air and associated masses. Critical steps are the determination of the release rate and duration, and of the dispersion characteristics that dictate the amount of formed flammable material. The duration depends also on the response time and effectiveness of shutdown or isolation and therefore on the position and reliability of gas and flame detectors and on the possibility to manually or automatically activate the emergency shutdown.

Flammable outcomes can consist of pool fires, jet fires, BLEVEs (Boiling Liquid Expanding Vapor Explosions - typical of LPG products), Flash Fires and/or vapor cloud explosions.

There are several general and specific references for the Mathematical and Physical background of the Consequence Modeling (AIChE-CCPS, 2000; Cremer & Warner, 1981; Prough, 1987; TNO, 1997). From these references, many predictive models have been made available to Engineers and Scientists for the assessment of fire consequence hazards, varying from point source techniques to more complex numerical methods based on Computational Fluid Dynamic (CFD) calculations. Such predictive models can be categorized as follows:
- semi-empirical models;
- field models;
- integral models;
- zone models.

Several commercially available Computer Programs can be used for the consequence assessment, based on the application of the relevant models, which are normally hard-coded in the Programs. These computer models generally estimate liquid, gas or two-phase discharge rates, vaporization rates of liquid pools, distances to thermal radiation levels, distances to overpressure levels, distances to concentrations at ground, etc.

Consequences results from these commercial codes are normally presented in the form of:
- Tables: reporting for each scenario analyzed the distances at which threshold values are reached in terms of heat radiation, overpressure, gas concentrations;
- Contour maps: presenting the hazard distances from the release sources.

2.6.1 Semi-empirical models

In general, semi-empirical models are task-specific, designed to address particular hazard consequences, and provided with embedded correlations fitted to large-scale experimental data. These models are mathematically simple and can be easily computer programmed with short run times. Point source models do not predict the flame geometry, but rather assume that the source of thermal radiation is a single point in the flame and that a selected fraction of the heat of combustion is emitted as radiation. These models generally over-predict the heat flux for near-field conditions; however, they are reasonably reliable beyond a certain distance from the flame. Solid flame surface emitting models model the fire as a solid flame with heat being radiated from the surface of the flame. They rely mainly on correlations for flame geometry estimation, average surface emissive power (SEP) of the flame, atmospheric transmissivity and view factors. The various surface emitting models differ in their methods of assessing atmospheric attenuation of the heat flux, view factors, and the SEP. Well-validated solid flame models provide a better prediction of flame geometry and external thermal radiation than point source models.

2.6.2 Field models

Field models are CFD models based on numerical solutions of the Navier-Stokes equations of fluid flow (i.e. a mathematical description of the conservation of mass, momentum and scalar quantities in flowing fluid with a set of partial differential equations). To predict fire behavior, these models incorporate various sub-models to account for the physical and chemical processes occurring in a fire. All these models require validation against experimental data before their use as predictive tools.

CFD is a powerful technique that provides an approximate solution to the coupled governing fluid flow equations for mass, momentum and energy transport. The flexibility of the technique allows the numerical solution of these equations in very complex 3-dimensional spaces, unlike simpler modelling methods. CFD is now being increasingly used in fire protection engineering to predict the movement of smoke in complex enclosed spaces.

Results of the calculations are the explosive masses, the flame lengths, the pool diameters and the distances to the values of thermal radiation, peak overpressure and toxic concentrations. The results of the consequence modeling are used as input during Engineering to define fire and explosion protection requirements. Limiting factors in the applicability of these models are the high CPU requirements and the need for expert users.

Examples of commercially available field models are FDS (Fire Dynamics Simulator - NIST) and FLACS (FLame ACceleration Simulator), briefly presented in the following.

Fire Dynamics Simulator (FDS) is a computational fluid dynamics model of fire-driven fluid flow. The software solves numerically a form of the Navier-Stokes equations appropriate for low-speed, thermally-driven flow, with an emphasis on smoke and heat transport from fires. Smokeview (SMV) is a visualization program that is used to display the output of FDS simulations. The Fire Dynamics Simulator and Smokeview applications are developed by the National Institute of Standards and Technology (NIST) of the United States Department of Commerce, in cooperation with VTT Technical Research Centre of Finland. FDS and Smokeview are free software, not subject to copyright protection and in the public domain.

FLACS (FLame ACceleration Simulator) is an advanced tool for the modelling of ventilation, gas dispersion, vapour cloud explosions and blast in complex process areas. FLACS is used for the quantification and management of explosion risks in the offshore petroleum industry and onshore chemical industries. It was developed by GexCon AS of Norway.

2.6.3 Integral models

Integral models are a compromise between semi-empirical and field models, and are mathematically similar to field models. In fact, integral models also solve the conservation of mass and momentum equations and contain sub-models for combustion and heat transfer; however, the mathematical approach is simpler than in field models, thus reducing computer running time. Some integral models have been validated against laboratory-scale experimental data and are commercially available, such as PHAST by DNV or EFFECTS by TNO.

PHAST (Process Hazard Analysis Software Tools) is a well-known computer package developed by DNV which examines the progress of a chemical process incident from initial release through formation of a cloud or pool to final dispersion - calculating concentration, fire radiation, toxicity and explosion overpressure. PHAST is a comprehensive hazard analysis package, applicable to all stages of design and operation across a range of process and chemical industry sectors. It is used to identify situations which present potential hazards to life, property or the environment. Where congested layout or obstacles (e.g. walls/structures) are present, the results of PHAST analysis can be considered only an estimation of the actual hazard distance (in these cases a CFD model such as FDS or FLACS should be used for more reliable results).

EFFECTS is a computer package developed and distributed by TNO which performs calculations to predict the physical effects of the release of hazardous materials. Embedded in the EFFECTS code are the models developed by TNO for calculating the physical effects for the release of hazardous substances (TNO, 2000, CPR14E "Yellow Book") and for determining possible damage to man and his environment (TNO, 1992, CPR16E "Green Book"). These publications have now been used around the world as a Standard Reference in safety studies for many years. EFFECTS can model a process incident from the initial release to final dispersion, calculating gas concentrations, heat radiation levels, peak overpressures, etc. EFFECTS models are applicable to all stages of design and operation across a range of process and chemical industry sectors. The same limitations already highlighted for the PHAST model apply.

2.6.4 Zone models

Zone models are simplified models where a module/room or a compartment is divided into a number of zones that are assumed physically distinct, but interfaced with each other and modelled with empirical heat and mass transfer equations. Zone models have wide applicability and validity only for the purposes for which they are designed, i.e. buildings with reasonably small rooms and predominantly small vertical vents.

2.7 RISK ASSESSMENT

The Assessment of the Risk is made by combining the consequences and likelihood of occurrence of all scenarios considered and evaluating the resulting Risk against one or more measures which represent the Tolerability Criteria. The Ranking of the Risk, and the Assessment of its tolerability, is a powerful tool for Engineers to identify the critical aspects of any design and process, prioritize the available resources and - if needed - identify and define specific prevention or mitigation measures to reduce the scenario risk to Acceptable levels.

Very often the Risk is evaluated via the definition and calculation of a specific Risk Index, which is calculated for all applicable scenarios and then for the whole area/installation and compared with the acceptable level previously established. The most common Risk Indexes evaluated within a FRA are the following:
- Qualitative Risk (based on the use of Risk Matrix);
- Local Risk (LSIR - Location-Specific Individual Risk);
- Individual Risk (IR, or IRPA - Individual Risk Per Annum);
- Societal Risk.

2.7.1 Risk Matrix

A Risk Matrix (or Tolerability Matrix) is a semi-quantitative tool in the form of a matrix that has ranges of consequence severity and likelihood of occurrence as the axes. The combination of a consequence and likelihood range gives an estimate of Risk or a Risk Ranking. An example of Risk Matrix is provided in Figure 2.3.

The Risk Matrix represents the Tolerability Criterion for that specific Risk Assessment. The different values and "regions" of the matrix (high, medium, low, tolerable, intolerable, etc.) can be based on Legislative and local Requirements, Corporate policies, Site-specific requirements, or simply best practices. The frequency class is attributed on the basis of the accidental scenario frequency calculated by Event Tree Analysis. The consequence class is attributed considering the extension of the hazard areas, defined on the basis of the threshold values defined for the job, and the presence of personnel and/or critical equipment within the hazard ranges.

For scenarios classified as 'intolerable' according to the matrix, specific prevention or mitigation measures shall be identified and the scenario risk shall be reduced to Acceptable levels. For scenarios classified as belonging to the 'ALARP' region, prevention or mitigation measures can be identified, if they are economically and technically feasible (ALARP principle - As Low As Reasonably Practicable).

Figure 2.3: Risk matrix (Example)

2.7.2 Location Specific Individual Risk

Location Specific Individual Risk (LSIR, or LR - Local Risk) is the risk at a particular location for a hypothetical individual who is permanently positioned there for 24 hours per day, 365 days per year, with no possibility of being sheltered or evacuated. LSIR can be graphically represented using risk contour lines. A risk contour line is a closed curve graphically depicting limits at constant potential risk. Points within the contour represent a risk greater than or equal to the risk of the contour edge. The risk contours show the expected frequency of fires and explosions capable of causing a specified level of harm to an individual at a specified location, regardless of whether or not anyone is present at that location to suffer that harm. An example of Local Risk contour lines is provided in the following Figure 2.4.

Figure 2.4: Local Risk Contour Lines (Example ARIPAR Code)

2.7.3 Individual Risk

Individual Risk is the total risk of death for a fixed period of time (usually one year, thus called IRPA - Individual Risk Per Annum) to which a worker or a member of the community may be exposed from all credible hazards and sources of accidents. It is calculated as the product of scenario frequency, portion of time for which the person is present in the specific location and fatality probability (or vulnerability). If there are several locations where the individual could be present, the total risk from the scenario is the sum of the risk at each location. If there are several scenarios that can involve the locations where one individual could be present, the total risk is the sum of the risks from the single scenarios.

2.7.4 Societal Risk

Societal Risk is a measure of Risk to a Group of People. It represents the level of risk experienced by the whole group of people exposed to the potential major accident hazards, and it is most often expressed in terms of the frequency distribution of multiple casualty events. Since this measure of risk is related to the total exposed group, it is dependent on the total number of people in each group of operators.

Societal Risk takes into account the likelihood of multiple casualties resulting from fires or explosions, and it is normally presented in the form of F/N curves, which are plots of the cumulative frequency of multiple fatalities (F) versus the expected number of fatalities (N). These curves can provide useful insight into the degree of risks from a facility or hazardous process to the employees on the plant site and to the community located beyond the plant boundaries. The ranking of the events that contribute most to the total risk allows the analysts to focus attention on the most critical failures and facilitates efficiency in assessing prevention and mitigation risk reduction options for those events. An example of F/N Curves is presented in the following Figure 2.5.

Figure 2.5: F-N Curves (Example ARIPAR Code)
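The three quantitative indexes of Sections 2.7.2 to 2.7.4 can be computed from one scenario list. The following Python sketch is an added example, not part of the original report and not the ARIPAR method: it derives LSIR per location, IRPA for one operator with a ranking of the contributing scenarios, and the F-N points, taking F as the cumulative frequency of events with N or more fatalities. All scenario frequencies, vulnerabilities, fatality numbers and occupancy fractions are constructed.

```python
"""Added example: LSIR, IRPA and F-N curve from one set of scenarios."""
from collections import defaultdict

# Constructed scenarios (illustrative values, not from the report):
# frequency in events/year, fatality probability (vulnerability) at each
# location, and number of fatalities N used for the F-N curve.
SCENARIOS = [
    {"name": "jet fire", "frequency": 1.4e-5, "fatalities": 1,
     "vulnerability": {"process area": 0.5, "control room": 0.0}},
    {"name": "flash fire", "frequency": 5.6e-6, "fatalities": 3,
     "vulnerability": {"process area": 1.0, "control room": 0.0}},
    {"name": "explosion", "frequency": 2.0e-6, "fatalities": 10,
     "vulnerability": {"process area": 1.0, "control room": 0.3}},
]
# Fraction of the year one operator spends at each location (constructed).
OCCUPANCY = {"process area": 0.10, "control room": 0.15}


def lsir(scenarios):
    """Location-specific risk: individual present 24 h/day, 365 days/year."""
    risk = defaultdict(float)
    for s in scenarios:
        for location, vulnerability in s["vulnerability"].items():
            risk[location] += s["frequency"] * vulnerability
    return dict(risk)


def irpa_contributions(scenarios, occupancy):
    """Per scenario: frequency x time fraction x vulnerability, summed over locations."""
    return {
        s["name"]: sum(
            s["frequency"] * fraction * s["vulnerability"].get(location, 0.0)
            for location, fraction in occupancy.items())
        for s in scenarios
    }


def irpa(scenarios, occupancy):
    """Individual Risk Per Annum: sum over all scenarios and locations."""
    return sum(irpa_contributions(scenarios, occupancy).values())


def ranking(scenarios, occupancy):
    """Scenario names ordered by decreasing contribution to IRPA."""
    contributions = irpa_contributions(scenarios, occupancy)
    return sorted(contributions, key=contributions.get, reverse=True)


def fn_curve(scenarios):
    """Points (N, F): F is the summed frequency of events with N or more fatalities."""
    levels = sorted({s["fatalities"] for s in scenarios if s["fatalities"] > 0})
    return [
        (n, sum(s["frequency"] for s in scenarios if s["fatalities"] >= n))
        for n in levels
    ]


if __name__ == "__main__":
    for location, value in lsir(SCENARIOS).items():
        print(f"LSIR {location:13s} {value:.2e} /year")
    print(f"IRPA {irpa(SCENARIOS, OCCUPANCY):.2e} /year")
    print("ranking:", ranking(SCENARIOS, OCCUPANCY))
    for n, f in fn_curve(SCENARIOS):
        print(f"N >= {n:2d}: F = {f:.2e} /year")
```

IRPA equals the occupancy-weighted sum of the LSIR values, which links the contour-map measure to the risk borne by a specific person.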

Generally speaking, specific Software Models (e.g. ARIPAR, by University of Bologna) are available to assess in quantitative terms risks connected with processing, storage and transportation of dangerous substances. They combine the calculated consequences severity and likelihood of all events to produce the risk measures.

If the risk is unacceptable according to the applied criteria, cost-effective options for reducing or mitigating risks are identified and selected, by systematically evaluating applicable measures to reduce the expected frequency of occurrence and/or to mitigate the severity of the events. Traditional fire protection measures (e.g. detection or sprinkler systems) and management safety controls (such as loss prevention programs and emergency procedures) are typically evaluated to establish if their implementation could reduce the Risk within the applicable parameters.

2.8 RISK-BASED FIRE PROTECTION


In conclusion, Risk-based Analysis can provide a fundamental decision support tool based on the expected outcomes of fire scenarios, through quantification of expected likelihood of occurrence and assessed consequences in terms of people exposure, equipment and structure damage, production down time, etc. On the basis of the Risk Analysis results, different alternatives for Fire prevention and protection are assessed by evaluating the potential benefits in terms of risk reduction versus costs for implementation. This provides decision-makers with an effective instrument for prioritization and optimization of budget allocations, therefore aiding the correct installation (technically and cost-wise) of fire detection and protection systems in order to significantly reduce the Risk of Fire.

3 DATA FOR FIRE RISK ANALYSIS


This chapter presents an overview of the data typically required to perform a Fire Risk Analysis (FRA). The basic information necessary for performing a FRA on a plant or facility relates to Process, Layout, Materials and Substances, Instrumentation and Controls in place and existence of Protection systems. The minimum necessary data from a typical Project Design are (1):
- Process Flow Diagrams (PFD);
- Piping and Instrumentation Diagrams (P&ID);
- Site Layouts/Plot Plans;
- Material Safety Data Sheets;
- Heat & Material Balances;
- Process Control Philosophies;
- Safety Philosophies;
- Operation and Maintenance philosophies;
- Emergency Response Provisions;
- existing Hazard Identification studies (if any);
- Environmental and territorial data.

As will be explained in the following, the above Plant-Specific data shall be integrated as necessary with literature and statistical data for the full identification of all inputs to the mathematical models which will be applied during the FRA.

This Chapter is organized into the following sections:
- Historical Incident Data;
- Process and Plant Data;
- Chemical Data;
- Environmental and Territorial Data;
- Reliability Data;
- Uncertainty, Sensitivity and Importance.

3.1 HISTORICAL INCIDENT DATA


The Historical Review of accidental events recorded for similar installations to the one under analysis is very often the first step performed during Risk Analysis activities. The reasons are immediately obvious: this review is typically simple and relatively quick, it can provide a significant insight on "real" events which happened in the past, it can aid the Lessons Learning process and, through the analysis of the past events initiating causes, it can provide a formidable tool for identifying the typical issues and problems related to a given design.

(1) This is a minimum list and very likely additional information shall be needed according to the specific project.

Historical incident data may be used both to directly estimate top event frequencies and to validate outcomes from frequency analysis models (e.g. FTA, ETA). To be meaningful for frequency assessment, the historical incident data must include sufficient and accurate records applied in a significantly large population. When the population is small, the statistical significance of the recorded events is poor, and no serious frequency assessment can be undertaken with these data (2).

Most of the data sources address major events or failures such as pipeline leaks and ruptures, major fires or explosions, accidents causing fatalities or serious injuries, leaks of toxic materials, transportation accidents, i.e. events sufficiently serious to be reported in publicly available sources. Very often, though, little or no relevance is given to the so-called "near misses", i.e. events which had the potential for a major effect but which have been somehow "controlled" or "eliminated" thanks to the protections in place. These latter events are too often disregarded, although their statistical significance can be even greater than those actually reported in the databases.

According to the type of provided data, data sources can be grouped into three categories:
- data sources that provide information on failure mechanism and initiating causes;
- data sources that provide information on consequence effects (i.e. downwind concentration levels, thermal radiation levels, etc.);
- data sources that provide information on frequencies of certain types of incidents.

Granting the completeness and statistical significance of the analyzed data, data sources in the first two categories may be mostly helpful in developing Fault Tree or Event Tree models and in understanding the consequences of a specific incident. Data sources in the third category can be useful for frequency assessment of the events or probabilistic analysis of event types.
Data are typically in the form of published statistics or computer databases available for consultation on a fee-paying basis. A non-exhaustive list of important available sources of incident data follows:
- MARS (Major Accident Reporting System) - European Commission Joint Research Centre, Italy: database on major accidents reported under the Seveso Directives; over 700 accidents and near misses collected since 1982;
- FACTS (Failure and ACcident Technical information System) - TNO, The Netherlands: computerized database for incidents (worldwide) with hazardous materials, near misses also included;
- MHIDAS (Major Hazard Incident Data Service) - Head of Major Hazards and Transport Group, Warrington (UK): computerized major incident database (worldwide); incidents must have had potential for off-site impact to be included;
- WOAD (World Offshore Accident Databank) - DNV, Norway: computerized databank for Offshore accidents worldwide;
- Loss Prevention Bulletin - IChemE, UK: Annual survey of chemical industry accidents (worldwide), covering a wide range of accidents and with accident descriptions;
- "One Hundred Largest Losses" - M&M Protection Consultants, New York: Annual review of large losses in the hydrocarbon-chemical industries;
- Hazardous Cargo Bulletin: Annual Survey;
- "Loss Prevention in the Process Industries" - F. P. Lees: the book contains several case studies of major chemical incidents and a wide chronological listing of accidents;
- "Major Chemical Hazards" - Marshall: contains 40 case studies of major incidents;
- "A survey on Industrial Accident Databases", Bockholts et al. (1986);
- HSE Hydrocarbons Releases System: Off-Shore Applications;
- Standard Reference API RP 581: On-Shore Applications.

(2) However they can be used for Hazard Identification purposes.

3.2 PROCESS AND PLANT DATA


During the development of a Fire Risk Analysis, the designated Analyst must understand and be thoroughly familiar with the plant/facility processes and the interdependence among units and different parts of the plant. The Analyst shall also have a clear knowledge of the inventories of substances and conditions of materials. This information must be relevant to the plant as it actually operates, which may be different from the original design. Very often, the simple review of the Project design is not sufficient and on-site interviews of operating and maintenance personnel and/or on-site inspections are required. In the following, a typical list of data and information relevant to Plant and Process Design necessary for the development of the FRA is described.

3.2.1 Plant Layout and System Description

The following typical list of required data may serve as a checklist of the necessary Plant/Process Design information:

- Process Flow Diagrams (PFDs), including process description, Heat and Material Balances for each stream and specific operating parameters (temperature, pressure);
- Piping and Instrument Diagrams (P&IDs), including utilities;
- plant layout drawings (plant and immediate surroundings including elevations);
- process design basis and description, including utilities (cooling, steam, electricity, instrument air, utility back-up systems);
- physical and chemical properties of all process substances (e.g. with Material Safety Data Sheets - MSDS);
- process chemistry (including side reactions under normal and abnormal conditions);
- process fluids chemical interactions with construction material;
- process interfaces (including vents and pressure relief systems);
- waste treatment and pollution control systems;
- equipment specifications and detailed drawings;
- fire water and drainage system drawings;
- control logics (instrument loop-sheets, relay logic diagrams);
- operating instructions and philosophies (storage inventory levels, operating schedule, start-up and shut-down, operator training, safety policy);
- protection systems diagrams (fire protection, emergency relief, interlock and alarm systems);
- maintenance records;
- maintenance philosophy and programs;
- emergency response procedures;
- past hazard identification information (if any).

3.2.2 Ignition Sources and Data

One fundamental step during the development of a Fire Risk Analysis is the identification of all ignition sources that may be reached by any clouds of released flammable material in a concentration within flammable limits. The type of hazard posed by the ignition of any flammable mixture depends heavily on the timing of the ignition and on the level of confinement of the released cloud.

Major flammable releases may be ignited immediately or far from the leak source; in the latter case the released material can develop into a fully formed flammable cloud before ignition, with the possible occurrence of explosion phenomena. If ignition occurs relatively fast after release (due, for instance, to immediate contact with a hot surface), the most typical event is a jet/pool fire, depending on the nature of the released fluid, whose flames can directly impinge on nearby equipment and which can affect the surrounding areas with high thermal radiation levels. If ignition occurs after some time, the released material can accumulate into a flammable cloud (directly if gas or vapor, or due to later evaporation if liquid), which can then be ignited, provoking an explosion, especially in case of high congestion of the volumes occupied by the flammable cloud (partial/total confinement).

Ignition may be caused by open flames and sparks, hot surfaces, static electricity, mechanical friction, chemical reactions or human activities. Typical sources of ignition include flares, boilers, fired heaters, vehicle traffic, electrical motors, hot works (such as welding or cutting), lightning and overhead high voltage lines.

When identifying potential ignition sources, all possible sources on-site are accounted for, starting from the immediate vicinity of the release point and then farther, in the possible direction of the release dispersion. It is evident that as the distance from the release point increases, more and more potential ignition sources can be found on the path, correspondingly reducing the actual likelihood that an "un-disturbed" release somehow travels so far without ignition.


Calculating ignition probability is a difficult task. Given the presence of a flammable mixture, the probability of ignition is generally a function of two components:

- the Presence Factor: probability that the ignition source will be present;
- the Strength Factor: given the existence of the ignition source, probability that it is capable of actually igniting the cloud in a given time interval (this depends on the energy of the ignition source versus the minimum energy required to ignite the flammable material).

3.3 CHEMICAL DATA

Accurate information concerning material and substance chemical and physical properties is required to perform hazard evaluations. Detailed information is needed on the physical and chemical properties of process materials (from raw materials to intermediates and final products):

- thermodynamic data (including vapour pressure, boiling point, freezing point, critical temperature and pressure, enthalpies, entropies, specific and latent heats, heats of combustion);
- flammability data (flash point, lower and upper flammable limits, auto-ignition temperature, minimum ignition energy, burning velocity);
- dust explosion data (maximum rate of pressure rise, layer ignition temperature, cloud ignition temperature and ignition energy, minimum dust concentration for combustion);
- industrial hygiene and toxicity data (short-term exposure data, protective equipment needed);
- chemical interaction and reactivity data (including effect of contaminants).

Some of the above data can be obtained from Material Safety Data Sheets (MSDS), and most other data, including flammability data, can be easily obtained from literature references (see footnote 3; e.g. Fire Protection Handbook, Cote, 1986). Other suitable data sources for chemical and physical properties are:

- NFPA 68, 1994, "Guide for Venting of Deflagrations": dust data for explosion venting calculations;
- American Conference of Governmental Industrial Hygienists, 1996, "Threshold Limit Values for Chemical Substances and Physical Agents": industrial hygiene and toxicity data;
- AIChE's CCPS, 1995, "Guidelines for Chemical Reactivity Evaluation and Application to Process Design": information on chemical reactivity hazards.

Footnote 3: Available data in the publications are normally given at atmospheric temperature and pressure; however, valid data at process conditions may be needed. In such cases, experimental data campaigns can be found in specialized literature papers and publications.


3.4 ENVIRONMENTAL AND TERRITORIAL DATA


Fire Risk Analysis requires environmental and weather data as input to the prediction models, and territorial data for the assessment of impacts on the plant surroundings following an event occurrence. Territorial data can heavily affect the outcomes of the Risk assessment: the Risk associated with a plant in a densely populated area is significantly different from the Risk posed by the same plant in a remote location. Important territorial and environmental data include population data, site meteorological conditions, geographic and topographic data, and information on man-made or natural external events.

3.4.1 Population Data

The population distribution (or population density) around the site is one of the main inputs for Risk estimation. Sources of population data for an area are census reports, detailed maps, aerial photographs and site inspections by the analyst. Special attention must be given to potential seasonal variations, time variation (day/night), and to the population vulnerability according to the population type and conditions (e.g. children, adults, people with disabilities, etc.).

3.4.2 Meteorological Data

Gas and vapour dispersion in open air, and the transport properties of heat and radiation, are strongly affected by weather conditions. Meteorological data, including data on wind speed, temperature and atmospheric stability class, are typically collected in local meteorological stations at Plant sites, or they can be easily obtained from civil or military meteorological stations in the vicinity of the site. These data are generally provided in the form of statistical daily, weekly, monthly and annual averages over a long period of time (several years).

Available data normally include wind speed and direction, air temperature, humidity, solar radiation and cloudiness (from the latter two a significant parameter, the "Atmospheric Stability Class" (see footnote 4), can be calculated).

Wind data are typically presented in aggregated form using "Wind Roses": a circular multiple data graphic tool used to give a summary view of how wind speeds and directions are distributed at a particular location. Wind Rose diagrams normally include 8, 12 or 16 sectors (wind directions), several wind speed "ranges" and seven Atmospheric Stability Categories. A typical wind rose is shown in Figure 3.1, from which it is possible to infer the percentage frequency of the wind blowing in each direction and the wind speed in each direction. Disaggregated data (e.g. daily or weekly) are typically provided in tabular form.

Footnote 4: The most commonly used categorization for this parameter is the Pasquill Stability Class.


Figure 3.1: Wind rose (example)

The degree of aggregation of meteorological data for analysis depends on the resolution and accuracy required by the FRA. A single "representative" weather condition (combination of atmospheric stability and wind speed) can be used for worst case calculations. Most Risk Analyses are carried out considering at least two weather conditions (more if needed):

- Weather situation representative of Stable Conditions and low wind speed, conservative case for flammable mass accumulation and explosion effects: typically 2F - 2 m/s wind speed and Pasquill Stability Class F (Stable);
- Weather situation representative of Neutral Conditions and medium wind speed, conservative case for distance to thermal radiation effects: typically 5D - 5 m/s wind speed and Pasquill Stability Class D (Neutral).

3.4.3 Territorial Data

Territorial data are important for the assessment of impacts on the plant surroundings following an event occurrence, and for carrying out the formal Risk assessment considering the "population" (inside the plant or outside the plant fence). Geographic data to be retrieved include territorial and site maps on an adequate scale, or aerial photographs, useful in evaluations of the effects and in the visual presentation of the results of the analysis (e.g. contour plots or dispersion footprints). Local topography is important in the mathematical modelling of the gas/vapor dispersion in air: obstacles need to be taken into account in the dispersion modelling algorithm with a ground average "roughness" parameter.


3.4.4 External Event Data

The category of "External events" covers all those occurrences which are not generated within the plant/facility and whose root causes are not linked in any way with the activities being carried out in the plant/facility. External events are either man-made (e.g. aircraft crashes) or natural (e.g. seismic events, tornadoes, flooding, etc.).

With regard to natural occurrences, if the plant is built in an area known to be susceptible to such events, it should be designed to withstand them. Design data should be obtained on individual critical items to determine their performance under incident conditions. If applicable, private, Government and/or Military institutions shall be consulted to gain information on the expected likelihood of occurrence of events and their possible outcomes (e.g. expected return times, damage degrees, etc.). For instance, information on the frequency of seismic events and their effects can be obtained from the National and International Seismological Centre. Other institutions may apply for different scenarios. This is a verification whose benefit is evidently highest when performed at design stage.

3.5 RELIABILITY DATA

In order to estimate equipment reliability parameters and/or calculate incident likelihood of occurrence, failure rate data are needed for all process equipment included in the study. Equipment reliability can be defined as the probability that, when operating under given conditions, process equipment will perform its intended function adequately for a given period of time. Unavailability (or Probability of Failure on Demand - PFD) of a Protective System is the probability that the system is in a failure state when a demand on that system occurs.

Tailored and plant-specific data, when available and statistically significant, are the best possible choice. These are very often totally missing, or lacking completeness, or with little statistical significance. In such cases generic average data retrieved from specialized literature and databases can be used. Useful literature resources for Equipment Reliability Data and Protective Systems Unavailability are:

- Sintef, "Reliability Data for Safety Instrumented Systems";
- Exida, "Safety Equipment Reliability Handbook";
- Oreda, "Offshore Reliability Data Handbook 4th Edition".

In some instances, the generic average data from literature sources can be conveniently combined with plant-specific data (e.g. by a Bayesian approach), obtaining more pertinent data for the plant under analysis on the basis of a limited amount of plant reliability information.
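One common way to carry out the Bayesian combination mentioned above is a gamma-Poisson conjugate update, shown here as an added example that is not part of the original report. It assumes a constant failure rate, a gamma prior moment-matched to the generic mean and standard deviation, and plant evidence in the form of a failure count over cumulated operating hours; all numbers are constructed, not taken from any handbook.

```python
"""Added example: gamma-Poisson update of a generic failure rate with plant data."""
import math
from dataclasses import dataclass

# Constructed inputs (assumptions, not handbook values).
GENERIC_MEAN = 2.0e-6   # generic failure rate, failures per hour
GENERIC_STD = 2.0e-6    # spread of the generic rate across the source population
PLANT_HOURS = 5.0e5     # cumulated operating hours of the plant items


@dataclass(frozen=True)
class GammaRate:
    """Gamma belief about a constant failure rate (failures per hour)."""
    shape: float  # alpha: behaves like a count of pseudo-failures
    rate: float   # beta: behaves like pseudo-exposure, in hours

    @property
    def mean(self) -> float:
        return self.shape / self.rate

    @property
    def std(self) -> float:
        return math.sqrt(self.shape) / self.rate


def prior_from_generic(mean: float, std: float) -> GammaRate:
    """Moment-match a gamma prior to the generic mean and standard deviation."""
    if mean <= 0 or std <= 0:
        raise ValueError("generic mean and std must be positive")
    shape = (mean / std) ** 2
    return GammaRate(shape, shape / mean)


def update(prior: GammaRate, failures: int, hours: float) -> GammaRate:
    """Posterior after observing `failures` in `hours` (Poisson likelihood)."""
    if failures < 0 or hours <= 0:
        raise ValueError("need failures >= 0 and hours > 0")
    return GammaRate(prior.shape + failures, prior.rate + hours)


def plant_weight(prior: GammaRate, hours: float) -> float:
    """Share of the posterior mean carried by the plant estimate failures/hours."""
    return hours / (prior.rate + hours)


def demo():
    """Compare the plant-only estimate with the posterior for 0 and 3 failures."""
    prior = prior_from_generic(GENERIC_MEAN, GENERIC_STD)
    rows = []
    for failures in (0, 3):
        post = update(prior, failures, PLANT_HOURS)
        rows.append((failures, failures / PLANT_HOURS, post.mean, post.std))
    return prior, rows


if __name__ == "__main__":
    prior, rows = demo()
    print(f"prior mean {prior.mean:.2e}/h, plant weight "
          f"{plant_weight(prior, PLANT_HOURS):.2f}")
    for failures, plant_only, post_mean, post_std in rows:
        print(f"{failures} failures: plant-only {plant_only:.2e}/h, "
              f"posterior {post_mean:.2e}/h (std {post_std:.2e})")
```

The zero-failure case is the one that matters in practice: the plant-only estimate collapses to zero, while the posterior stays positive and simply moves below the generic value.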


3.5.1 Human Reliability Data

A particular category of Reliability Data is represented by Human reliability information. This is often a major issue when developing a Risk Analysis. In many plants and facilities, in fact, the real bottleneck to safety is represented by the non-instrumented safety functions, i.e. those protections which need operator intervention to be actuated. In a normally maintained modern Plant of average complexity, operators are - by far - the most un-reliable "protection item", as can be demonstrated by historical analysis. Human reliability proves to be a most important factor not only during emergency conditions, but also during operation and during maintenance activities.

Probability of human error is typically inversely proportional to operator experience and skill; however, many factors can affect human reliability: complexity of the task, environmental conditions, ergonomic factors, motivation, level of perceived psychological stress, skill and training, presence and quality of written instructions, sociocultural aspects, etc.

To evaluate the probability of failure of a plant operator to carry out a certain task, it is possible to apply qualitative empiric techniques (such as the "TESEO" Method) or, as an alternative, techniques based on a Task-Analysis approach. Typically, when developing an FRA, empiric techniques are currently mostly used; however, more complex Task-Analyses are increasingly applied in modern engineering.

3.6 RISK UNCERTAINTY, SENSITIVITY AND IMPORTANCE


Uncertainty, sensitivity and importance are central issues in the utilization of risk results (AIChE, CCPS, 2000):

- Uncertainty analysis is used to estimate the effect of data and model uncertainties on the risk estimate.
- Sensitivity analysis estimates the effect of varying input to component models or the models themselves, individually or in combination. It can identify which models, assumptions and data are important to the final risk estimate.
- Importance analysis quantifies and ranks risk estimate contributions from subsystems or components of the complete analysis.

Data and input uncertainties arise from both lack of knowledge of specific input values and variations in input values as a function of many factors, such as time, temperature, or region of the country. For example, the rate of heat release may be uncertain due to lack of available data, but also due to the test method by which the heat release rate is measured that could not specify all combinations of ignition source and strength, or due to the inaccuracies inherent in the instrumentation used in the test. Other inputs, such as concentrations of toxic gases, vary with time as the fire develops and are uncertain. The species production rates, used to predict concentrations, are a function of the combinations of materials actually burned, unknown a priori.


Human behavioural uncertainties concern both the way in which people act in a fire and how these actions should be considered during steps in the design process. Human factors also affect the analysis needed for identifying goals and objectives and developing performance criteria.

Sensitivity analysis and Importance analysis can help identify the major contributors to Risk uncertainty, sort them according to their importance, and then single out the models, assumptions and data which most affect the final risk estimate. These analyses are very specialized and are not always included in an FRA, although they represent essential tools for Decision Makers when considering Risk Analysis results (cf. AIChE, CCPS, 2000).
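The three analyses defined in this section can be illustrated on a small frequency model; the following is an added example, not part of the original report. It assumes each scenario frequency is a product of independent lognormal inputs described by a median and an error factor (95th percentile divided by median), which allows analytic propagation in place of a general Monte Carlo run; the scenarios and all values are constructed.

```python
"""Added example: uncertainty, sensitivity and importance for scenario frequencies."""
import math

Z95 = 1.645  # 95th percentile of the standard normal distribution

# Constructed inputs (assumptions): (median, error factor = 95th pct / median).
SCENARIOS = {
    "jet fire, separator leak": {
        "release frequency [1/yr]": (1e-3, 3.0),
        "ignition probability": (0.1, 2.0),
        "protection PFD": (1e-2, 5.0),
    },
    "pool fire, storage tank": {
        "release frequency [1/yr]": (5e-4, 3.0),
        "ignition probability": (0.05, 3.0),
        "protection PFD": (0.1, 2.0),
    },
}


def log_variance(error_factor: float) -> float:
    """Variance of ln(X) for a lognormal X with the given error factor."""
    if error_factor < 1.0:
        raise ValueError("error factor must be >= 1")
    return (math.log(error_factor) / Z95) ** 2


def uncertainty(inputs: dict) -> dict:
    """Uncertainty analysis: distribution of the product of all inputs."""
    mu = sum(math.log(median) for median, _ in inputs.values())
    var = sum(log_variance(ef) for _, ef in inputs.values())
    return {
        "median": math.exp(mu),
        "error_factor": math.exp(Z95 * math.sqrt(var)),
        "mean": math.exp(mu + var / 2.0),
    }


def sensitivity(inputs: dict) -> list:
    """Sensitivity analysis: share of the output log-variance due to each input."""
    var = {name: log_variance(ef) for name, (_, ef) in inputs.items()}
    total = sum(var.values())
    shares = {n: (v / total if total > 0 else 0.0) for n, v in var.items()}
    return sorted(shares.items(), key=lambda kv: kv[1], reverse=True)


def importance(scenarios: dict) -> list:
    """Importance analysis: each scenario's share of the total mean frequency."""
    means = {name: uncertainty(inp)["mean"] for name, inp in scenarios.items()}
    total = sum(means.values())
    return sorted(((n, m / total) for n, m in means.items()),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, inputs in SCENARIOS.items():
        u = uncertainty(inputs)
        print(f"{name}: median {u['median']:.2e}/yr, EF {u['error_factor']:.1f}")
        for factor, share in sensitivity(inputs):
            print(f"    {factor}: {share:.0%} of log-variance")
    for name, share in importance(SCENARIOS):
        print(f"{name}: {share:.0%} of total mean frequency")
```

With these constructed inputs the protection PFD dominates the uncertainty of the jet fire frequency, while the pool fire scenario dominates the total, which shows that the sensitivity ranking and the importance ranking answer different questions.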

SFB/SMG/PP/GMU/RC:pp


REFERENCES

American Conference of Governmental Industrial Hygienists, 1996, "Threshold Limit Values for Chemical Substances and Physical Agents Biological Exposure Indices".
AIChE, Center for Chemical Process Safety (CCPS), 1992, "Guidelines for Hazard Evaluation Procedures", USA, 2nd edition.
AIChE, CCPS, 1995, "Guidelines for Chemical Reactivity Evaluation and Application to Process Design", Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.
AIChE, CCPS, 2000, "Guidelines for Chemical Process Quantitative Risk Analysis (GCPQRA)", 2nd Edition.
Cote, 1986, "Fire Protection Handbook", National Fire Protection Association.
Cremer & Warner, 1981, "Risk Analysis of Six Potentially Hazardous Industrial Objects in the Rijnmond Area, a Pilot Study".
W. Cox, F. P. Lees, M. L. Ang, 1990, "Classification of Hazardous Location", IChemE.
EPSC, IChemE and Chemical Industries Association, 2000, "HAZOP Guide to Best practice for the process and chemical industries".
Exida, 2007, "Safety Equipment Reliability Handbook".
Gertman, Blackman, 1993, "Human Reliability and Safety Analysis Data Handbook", Wiley-Interscience.
F. P. Lees, 1996, "Loss prevention in the process industry", 2nd Edition, Butterworth, Heinemann Editors.
NFPA (National Fire Protection Association), 2008, "The SFPE Handbook of Fire Protection Engineering".
NFPA 68, 1994, "Guide for Venting of Deflagrations", National Fire Protection Association.
Oreda, 2002, "Offshore Reliability Data Handbook 4th Edition".
Prough, 1987, "Evaluation of Unconfined Vapour Cloud Explosion Hazards", International Conference on Vapour Cloud Modelling, 1987, Cambridge USA.
Sintef, 1992, "Handbook for Fire Calculations and Fire Risk Assessment in the Process Industry".
Sintef, 2006, "Reliability Data for Safety Instrumented Systems".
Teseo, The Human Factors in Risk Analyses of Process Plants: the Control Room Operator Model "TESEO".
TNO, 1992, CPR 16E - Methods for the Determination of Possible Damage (Green Book), 1st Edition.
TNO, 2005, CPR 14E - Methods for the Calculation of Physical Effects (Yellow Book), 3rd Edition, 2nd revised print.
UKOOA, 2006, "IP Research Report - Ignition Probability Review, model development and look-up correlations", Energy Institute, London.
