The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

Gary A Fitzgerald, Michael W Stahl, David J Campbell, Farzin Nouri, Randall L

Montgomery
ABSG Consulting, Inc.
14607 San Pedro Suite 215, San Antonio, Texas 78232
210-495-5195, gfitzgerald@absconsutling.com

Abstract

When performing consequence-based facility siting analyses, determining the Maximum

Credible Events (MCEs) to evaluate is one of the most important decisions to make. In defining
MCEs, the assumed leak size is arguably the single most important decision made but also has a
high degree of subjectivity. Various publications and practices provide industry with some
guidance on this matter. Some references recommend leak sizes as a percentage of pipe cross-
sectional area but the most common practice is to use a constant maximum leak size for all
scenarios. These approaches are sound for screening-level analyses if sufficiently large leak
sizes are assumed, but may result in large overestimations of consequences and remedial actions
or conversely run the risk of being unconservative if the leak size is too small. According to API
RP 752, any simplifying assumptions made in facility siting hazard studies should be
conservative, resulting in relatively large leak sizes. Following these studies, more detailed
evaluations are commonplace to remove conservatism and better understand the risks.

One area worthy of more detailed evaluations is the leak size selection. This paper presents a
methodology using existing risk-based tools to determine leak sizes of different MCEs in a
consequence-based study. The resulting leak size is the Maximum Design Leak (MDL) which
would be used in determining potential consequences and remedial actions. This approach
provides much greater confidence that the predicted consequences are realistic to both a specific
industry and plant and that money spent for remedial actions addresses actual risks to that plant.
This is not a new science, but a new application of existing science, providing greater confidence
in the results.

An example case using actual refining industry data is presented in this paper as an example of
its application and how results may appear in a refining application.

Background

Two types of studies are allowed per API RP 752, consequence-based and risk-based.
Consequence-based studies evaluate postulated maximum credible events (MCEs) and
unacceptable results must be remediated. Risk-based studies are a rigorous numerical evaluation
of event frequencies and consequences to determine if risk exceeds a threshold and unacceptable
risk must be remediated. In determining consequence-based MCEs to evaluate, the leak size is
probably the most significant decision to be made.

API RP 752 defines a MCE as A hypothetical explosion, fire, or toxic material release event
that has the potential maximum consequence to the occupants of the building under
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

consideration from among the major scenarios evaluated. The major scenarios are realistic and
have a reasonable probability of occurrence considering the chemicals, inventories, equipment
and piping design, operating conditions, fuel reactivity, process unit geometry, industry incident
history, and other factors. Each building may have its own set of MCEs for potential explosion,
fire, or toxic material release impacts.

MCE leak sizes are typically selected based on credible events in industry and for specific plants
based on experience and using limited published guidance. The following list gives the best
guidance for leak size selection:

1. World Bank Technical Paper No. 55, "Techniques for Addressing Industrial Hazards,"
Washington, D.C., 1988.
2. American Institute of Chemical Engineers (AIChE), "Dow's Chemical Exposure Index
Guide," First Edition, New York, 1994.
3. Chemical Center for Process Safety (CCPS), Guidelines for Consequence Analysis of
Chemical Releases, New York, 1999.
4. IChemE, Classification of Hazardous Locations, by A. W. Cox, F. P. Lees, and M. L.
Ang.
5. Process Safety Progress, A Survey of Vapor Cloud Explosions: Second Update, by Eric
M. Lenior and John A. Davenport, 1993.

There is no consensus among these references regarding selection of hole size. However, note
that values of 2 inch, 4 inch and higher are often discussed in many of these references. Hence,
consideration of only small line breaks is not advisable. Based on this information, industry
typically uses of the following approaches to establish MCE leak sizes:

1. Consider full bore ruptures of actual line sizes up to 2 inch diameter lines and use a 2
inch leak size for larger lines, or
2. Evaluating different leak sizes based on the line size as provided in the Dow Chemical
Exposure Index (CEI) guidance (FBR for pipes < 2, 2 leaks for pipes between 2 and
4, 20% of the cross-sectional area for pipes > 4).
3. Evaluate full bore ruptures for all leaks (few follow this approach).

The two inch maximum leak size guidance is based on the criteria provided in the CEI and
World Bank publications, but accepts the risk involved in leaks from pipes greater than 4 inches.

Given the subjective nature of the leak size selection and potential problems in defending a given
leak size less than a full bore rupture, an objective method has been developed by which to
determine the leak sizes to use in a consequence-based study that provides a more defensible
leak size selection than the previous guidance or because a certain size is what everyone else
uses.

The Maximum Design Leak (MDL)

The MDL calculates a leak size that exceeds a tolerable event frequency. In general, one can
look at the MDL as knowing the answer in terms of tolerable risk or tolerable event frequency
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

and back-calculating the leak sizes that result in exceeding that criterion using appropriate risk
tools and methods. This leak size is then used in defining MCEs for a consequence-based study.
Intolerable results from that study must be remediated just as in any consequence-based study.

The steps in performing the MDL are listed below:

1. Postulate scenarios
2. Determine tolerable event frequency for each stream with a scenario
3. Calculate frequencies for each scenario
4. Determine what scenarios have frequencies that exceed the tolerable event frequency
criteria.
5. Determine consequences for each scenario using MDL size

Step 1: Postulate Scenarios

The MDL begins by postulating scenarios as is performed in a consequence-based study.

Typically, several scenarios may be postulated in each process area/unit to ensure the worst case
location is identified and to cover both pool fires and jet fires/VCEs and toxic releases.
However, several leak sizes will be considered for each scenario in the MDL approach.

Step 2: Determine tolerable event frequency for each stream with a scenario

Note that discussions that follow are in terms of site, unit and event risk or frequency. The
criteria are usually provided in terms of a site frequency or site risk. The MDL approach needs
this on an event basis. Thus, tolerable event frequency must first be calculated if not already
defined by the owner/operator. If this tolerable event frequency has already been defined, then
the analysis can plot this as a straight line on the y-axis versus leak size on the x-axis and skip to
Step 3.

Since release frequency is the criteria to be used in the MDL, if the owner/operator has
established risk tolerance criteria, then the release frequency (either loaded or unloaded with
probabilities) is determined by solving the risk equation below for frequency as shown:

Risk = Frequency x Vulnerability x Occupancy

or
Frequency = Risk/Vulnerability/Occupancy

Some companies are risk-adverse and do not want to document risk tolerance criteria in terms of
numbers of potential fatalities per year. For them, it is helpful to use the MDL based on a
tolerable event frequency criteria and avoid the documentation of a frequency for tolerable
fatalities. This also simplifies the calculations but inherently increases conservatism (as all
simplifying assumptions should).

What is required to determine a MDL release is a tolerable single event release frequency. This
can be determined through derivation if the facility has site-wide release criteria, site-wide risk
criteria, or single unit/event risk criteria. If site-wide release frequency criteria is available, then
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

risk, vulnerability and occupancy has already been considered and will not be factors to include.
However, this is may be a cumulative frequency for all potentially damaging events on the site.
Thus, one must determine the tolerable frequency for a single event. To do that, simply divide
the site frequency by the number of segments in the facility with potentially damaging
consequences. Note that all segments with potentially damaging consequences must either be
evaluated for their tolerable frequency or added to other events being evaluated such that the
summation of all events being evaluated equals the cumulative tolerable event frequency. If the
tolerable site frequency was 1 x 10-4 events/year and the plant has 10 units of similar complexity
with potentially damaging consequences, then each unit has a tolerable unit frequency of 1 x 10-5
events/year (1 x 10-4/10). Then, if Unit A has two scenarios to evaluate while Unit B has 4
scenarios to evaluate, the tolerable event frequency for each Unit A scenario would be 5 x 10-6
events/year (1 x 10-5/2) and the tolerable event frequency for each Unit B scenario would be 2.5
x 10-6 events/year (1 x 10-5/4).

Alternately, if there were a large difference in complexity between the units, one could take the
total number of isolatable segments in the plant and use that as the basis for unit frequencies.
For example, if the plant had a tolerable site frequency of 1 x 10-4 events/year and there were
only 2 units where Unit A had 5 isolatable segments with potentially damaging consequences
and Unit B had 15 isolatable segments with potentially damaging consequences, then Unit A
tolerable unit frequency would be 2.5 x 10-5 (1 x 10-4 x 5/(5+15)) and Unit B tolerable unit
frequency would be 7.5 x 10-5 (1 x 10-4 x 15/(5+15)). If Scenario 1 was the only scenario being
evaluated in Unit A, it would have a tolerable event frequency of 2.5 x 10-5 events/year. If Unit
B had two scenarios being evaluated, each would have a tolerable event frequency of be 3.75 x
10-5 (7.5 x 10-5/2). The summation of all tolerable event frequencies should always equal the
tolerable site event frequency.

Other means of identifying complexity and how to divide site risk may be used. For example,
unit congested volume may be a good indicator of complexity for one plant while the number of
towers or reactors may be a good indicator of complexity for another.

This event frequency can be further refined (unloaded) by considering wind directions, leak
directions, material reactivity and/or ignition probability. Note that wind directions will only be
a factor for low velocity releases or a certain distance away from a high velocity release. Thus, it
can safely be neglected in this analysis. Leak directions can have equal probabilities for
simplicity. Some materials are easier to ignite than others and a reduction in event frequency can
be given to those not easily ignited. Credit can also be given for ignition timing and late ignition
is typically assumed for VCE hazards. Ignition probabilities [1] for various leak rates and
frequencies for delayed versus immediate ignition [2] may also be considered for added
specificity. If the hazard being evaluated is a toxic hazard that is not flammable, ignition factors
do not apply. If the hazard being evaluated is a toxic hazard that is also flammable, consider the
ignition factors in terms of not igniting the release (1 - ignition probability). If the hazard being
evaluated is a jet fire, then ignition timing is not a factor to consider. Although ignition timing

1 Cox, A.W., Lees, F.P., and Ang, M.L., Classification of hazardous Locations, IIGCHL, IChemE, 1990.
2 Risk Assessment Data Directory (RADD) Ignition Probabilities, International Association of Oil & Gas
Producers Report No. 434 6.1, March 2010.
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

may affect a pool fire size (depending on the release rate), it can safely be neglected without
inducing much conservatism.

Note that none of these factors can be accounted for in the consequence calculations of the MDL
unless they are also accounted for in the criteria calculations. Also, the criterion is now in terms
of a leak rate but it is needed in terms of a leak size. Since the leak size for any leak rate will be
a function of the process conditions, source term modeling is needed to convert the leak rate into
an equivalent leak size for each scenario and leak rate combination. An example of what the
tolerable event frequency criteria looks like after this step is shown in Figure 1. If the units had
similar complexity and reactivity, they would gravitate towards the same line.

Tolerable Event Frequency Criteria

1.00E-01
Stream A Criteria
Stream B Criteria
Stream C Criteria

1.00E-02

Note: Although tolerable risk is constant and indepentent of

leak size, ignition frequency increases with increasing leak size
and results in a decreasing tolerable frequency with leak size.
1.00E-03 The shape of the curves is dependent on other factors such as
material reactivity and wind direction.
Frequency (events/year)

1.00E-04

1.00E-05

1.00E-06

1.00E-07
0.1 1 10 100

Leak Size(inches)

Figure 1. Example Tolerable Event Frequency Criteria

Step 3: Calculate frequencies for each stream with a scenario

Few owners/operators have sufficient stockpiles of information by which to generate their own
frequencies. Thus, it is typical to use industry published equipment failure data. However, this
data consists of averaged failure frequencies across industries, not accounting for specific plant
conditions or site history and does not reflect potential for operator error. Since this is a
simplifying assumption, it is difficult to show it is a conservative approach when the data is a
compiled average event frequency. This is remedied by accounting for plant specific conditions
and upset event frequencies which are not part of the equipment failure database.
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

Equipment failure databases

First, published failure frequencies are used as the foundation of the frequency assessment.
Ignition probabilities [3] for various leak rates and frequencies for delayed versus immediate
ignition [2] may also be considered for added specificity.

A cursory review of various sources shows that pipe loss of containment (LOC) frequencies can
vary, sometimes by one or more orders of magnitude [4, 5, 6, 7, 8, 9]. While some of this
variation is attributable to factors such as substance being conveyed, pipeline age and operating
parameters, Spouge [10] contends that the data, especially the one used for onshore installations,
has become somewhat suspect due to being old, having been subjectively modified by various
authors/analysts, and loss of traceability. According to him, an original source for pipe failure
frequency is WASH-1400 [8], which was published in 1975 and is based on US nuclear industry
data. He follows by stating that newer data from offshore experience shows that onshore failure
frequencies are likely too low.

Plant-specific frequency modification

Factors such as pipe size, age, operating parameters of the contents (e.g., pressure, temperature,
corrosivity), operating environment to which the stream is exposed (e.g., location, including
whether above or in ground, seismicity), the quality of material used, the quality and care of the
installation, frequency and quality of maintenance and more affect its propensity to failure.
Some analysts may account for these facts by assigning qualitative (i.e., subjective) factors and
multiplying the generic pipe failure rate by these factors. Other analysts [7, 9] have proposed
quasi-analytical methods to either fit analytical functions (e.g., polynomials) to existing actual
data or to derive the necessary adjustment factors through a synthesis of observed underlying
failure causes.

The consensus of the authors is that generic frequencies alone may not provide sufficient
accuracy for some industries or facilities. Thus, it is recommended to adjustment these
frequencies to better represent the industry and plant being evaluated. No one approach is
recommended by this paper although the use of qualitative modifiers to generic frequencies is
used for illustration purposes.

3 Cox, A.W., Lees, F.P., and Ang, M.L., Classification of hazardous Locations, IIGCHL, IChemE., 1990.
4 California Department of Education School Facilities Planning Division, Guidance Protocol for School Site
Pipeline Risk Analysis, 2007.
5 Ministerie van Volkshuisvesting, Ruimtelijke Ordening en Milieubeheer (VROM) Publication Series on
Dangerous Substances, Guidelines for Quantitative Risk Assessment (Purple Book), 2005.
6 Rijnmond Public Authority, Risk Analysis of Six Potentially Hazardous Industrial Objects in the Rijnmond Area:
A Pilot Study, COVO Steering Committee (Netherlands), Springer, 1982.
7 UK Health and Safety Executive (HSE), Contract Research Report No. 82/1994 Risks from Hazardous Pipelines
in the United Kingdom, HSE, 1995.
8 EGIG 08.TV-B.0502, Gas Pipeline Incidents, December 2008.
9 UK Health and Safety Executive (HSE), Contract Research Report No. 210/1999 Assessing the Risk From
Gasoline Pipelines in the United Kingdom Based on a Review of Historical Experience, HSE, 1999.
10 Spouge, J. (2005), New generic leak frequencies for process equipment. Process Safety Progress, 24: 249257.
doi: 10.1002/prs.10100.
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

Modifiers to the generic failure frequencies can be applied locally to a specific piece of
equipment or a stream or globally to a facility. Modifiers are used to adjust frequency so that the
equipment/facility can be viewed as being equivalent to the situation in which the failure
frequency data was originally derived. The modifiers in question apply to the failure frequency
for random leaks and not to upset conditions. Releases due to upset conditions have their own
methodology for determining the event frequency and should not be modified again by generic
frequency modifiers.

When attempting to define an appropriate generic frequency modifier for a petrochemical

facility, two important questions to ask are: "Is the equipment/facility operating in the conditions
for which it was designed? Is the equipment/facility operating in similar conditions to the
equipment/facility from which the frequencies are being taken?" If the answer is yes, then little
to no frequency modification may be required unless the frequency data is being extrapolated to
fit a process outside of which it was intended (e.g. using standard petrochemical failure
frequencies for cryogenic service). If the answer is no then the out-of-design usage must be
defined in order to try to estimate and quantify its impact on the available failure frequency data.
An example of this is when a facility's process stream changes from sweet to sour service with
no equipment changes. Developing a set of criteria for adjusting the base generic frequencies
can be a daunting task. Simply being "conservative" can fail a facility when the facility's risk
measures are compared to the risk criteria. Documents such as API RP 581 (Risk-Based
Inspection Technology), provide similar methods for adjusting risk-based inspection frequencies
based on modification factors to equipment frequencies. However, care should be taken when
using such methods. This is because while risk assessments and risk-based inspections are both
frequency based, the underlying methods each approach uses to achieve a safe workplace are
different.

One of the better indicators showing the need for frequency modification comes from a review of
past incidents at a facility. Whereas most other modifications will be based on some level of
engineering judgment, modification from past incidents is a Bayesian adjustment. Regardless of
how frequency modification factors are derived, there should be a solid basis for their use. A full
understanding of the frequency database and how it applies to fit the situation being analyzed is
necessary and should not be used just because it is thought to be conservative.

Process upset frequency assessment

A set of scenarios often overlooked during scenario development for consequence-based siting
studies is that caused by process upset conditions. The objective of the process upset frequency
analysis is to determine if there is the potential to cause equipment failure (loss of containment)
not captured by the failure frequency data, and, if so, to estimate the frequency of such upsets.
Conditions leading to these types of equipment failure typically involve extremes of pressure or
temperature (either high or low). Conditions that can significantly exceed the maximum
allowable working pressure/temperature of process equipment can be brought on by exothermic
chemical reactions, over-firing process heaters, reverse flow from high pressure systems to low
pressure systems, failure to let down pressure in the intended direction of flow from high
pressure to low pressure systems, and many other causes. Vacuum collapse of equipment can
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

result from condensing steam, pumping liquid from a vessel/tank without supplying blanket gas,
or other causes. Additionally, brittle failure can be caused by inadvertent expansion of low
boiling point materials.

Specific causes of, and defenses against, process upsets are highly dependent on the nature of the
process and details of the plant design. While one plant may be well protected, another may
have significant vulnerabilities. It is not defendable to claim that the estimated frequency of loss
of containment based on generic failure rates, even when modified by plant-specific factors, is
necessarily conservative. It is necessary to perform an evaluation of the potential for significant
process upsets to help ensure no significant risk contributor is overlooked.

Process upsets are identified in PHAs that also list causes of the upsets and safeguards against
the upsets. More and more frequently, plant owners have performed layer of protection analysis
(LOPA) to estimate order-of-magnitude frequencies of high consequence/high risk accident
scenarios. Typical layers of protection credited in these analyses include operator/control system
responses to upset conditions, safety instrumented systems/interlocks, and pressure relief valves.

The MDL approach to process upset frequency analysis varies according to the level of existing
hazard and resulting risk for the plant utilizing any PHAs and LOPAs that may exist. If
comprehensive PHAs and LOPAs exist, the approach may be as simple as reviewing the
documented analyses and listing the highest risk scenarios. Depending on the quality of the
existing analyses, some additional review/analysis may be required. If LOPAs do not exist, the
approach should include review of PHAs, selection of scenarios for LOPA, and performance of
LOPA on those scenarios.

The products of the process upset frequency analysis are:

A list of scenarios that can lead to loss of containment

An estimated frequency for each scenario (based on the frequency of the initiating event
and the failure probabilities of the protection layers)

In each case, the scenario definition identifies the process equipment (i.e., location) where the
release would occur, and the material released.

The release frequencies/rates are then combined with the modified failure rates for the
corresponding equipment to obtain the total failure rate.

It is important to note that if the frequency/risk of a process upset scenario results in an

unacceptable siting risk, corrective actions should first be to consider installing additional layers
of protection to reduce the scenario frequency rather than relocating or hardening occupied
buildings. The MDL approach provides the owner with the tools to know where their highest
frequency events are located so they can easily take such corrective actions.
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

Putting it all together

Parts counts for the scenario are then performed to include the piping and equipment in the same
stream since a release anywhere in that stream would have similar consequences. The
frequencies for leaks of various sizes are then compiled and modifiers applied as applicable.
Next, the upset event frequency is added to the scenario frequency. Note that these frequencies
are defined as frequencies for that leak size or greater. Thus, the upset scenario frequency is
applied to all leaks equal to or less than the potential upset scenario leak size. An example of
how to compile this data is shown in Table 1.

Table 1. Example Scenario Frequency Evaluation Data

Part Specific 5mm 25mm 100mm FBR
Equipment Modifier Count Leak Freq/unit Adj Leak Freq Leak Freq/unit Adj Leak Freq Leak Freq/unit Adj Leak Freq Leak Freq/unit Adj Leak Freq
A 1 10 1.20E-08 1.20E-08 6.00E-09 6.00E-09 2.00E-09 2.00E-09 1.00E-09 1.00E-09
B 1 3 1.20E-06 1.20E-06 6.00E-07 6.00E-07 2.00E-07 2.00E-07 1.00E-07 1.00E-07
C 1 2 1.20E-06 1.20E-06 6.00E-07 6.00E-07 2.00E-07 2.00E-07 1.00E-07 1.00E-07
D 1 20 1.20E-08 1.20E-08 6.00E-09 6.00E-09 2.00E-09 2.00E-09 1.00E-09 1.00E-09
E 2 4 2.40E-06 4.80E-06 1.20E-06 2.40E-06 4.00E-07 8.00E-07 2.00E-07 4.00E-07
F 1 4 1.20E-06 1.20E-06 6.00E-07 6.00E-07 2.00E-07 2.00E-07 1.00E-07 1.00E-07
G 1 5 1.20E-08 1.20E-08 6.00E-09 6.00E-09 2.00E-09 2.00E-09 1.00E-09 1.00E-09
H 1 2 1.20E-06 1.20E-06 6.00E-07 6.00E-07 2.00E-07 2.00E-07 1.00E-07 1.00E-07
I 1.5 1 1.80E-06 2.70E-06 9.00E-07 1.35E-06 3.00E-07 4.50E-07 1.50E-07 2.25E-07
J 1 0 1.20E-08 1.20E-08 6.00E-09 6.00E-09 2.00E-09 2.00E-09 1.00E-09 1.00E-09
K 0.5 0 6.00E-07 3.00E-07 3.00E-07 1.50E-07 1.00E-07 5.00E-08 5.00E-08 2.50E-08
L 1 0 1.20E-06 1.20E-06 6.00E-07 6.00E-07 2.00E-07 2.00E-07 1.00E-07 1.00E-07
M 1 1 6.00E-08 6.00E-08 3.00E-08 3.00E-08 1.00E-08 1.00E-08 5.00E-09 5.00E-09
Unit Specific Modifier 1 1 1 1
Plant Specific Modifier 5 5 5 5
Upset Condition Frequency 1.00E-02 1.00E-02 1.00E-02 1.00E-02
Total Freq 1.01E-02 1.00E-02 1.00E-02 1.00E-02
Leak Rate (kg/s) 1 15 55 1000
Size (inches) 0.20 0.98 3.94 7.87

Step 4: Determine what scenarios have frequencies that exceed the tolerable event
frequency criteria.

Plotting the Tolerable Event Frequency Criteria to the Scenario Frequencies, a plot similar to that
shown in Figure 2 results where the intersection of these lines defines the MDL to use in a
consequence analysis. Tolerable leaks will be those below the criteria line and intolerable leaks
will be those above the criteria line. In this illustration, the following conclusions can be made:

Scenario-A frequencies are well above the Stream-A criteria, so all leak sizes have an
intolerable frequency and a full bore rupture of Scenario-A needs to be evaluated in a
consequence analysis. Note that the Scenario-A frequencies are being controlled by the
upset frequency criteria (see Table 1) and if the consequence analysis shows unacceptable
results, corrective actions to reduce this frequency should be considered before any other
actions taken.
All leak sizes for Scenario-B are below the Stream-B criteria, so all leak sizes have a
tolerable frequency and no leaks from Scenario-B should be evaluated in a consequence
analysis.
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

Scenario-C frequencies cross the Stream-C criteria at 0.8 inches and all leaks larger than
0.93 inches have a tolerable frequency. Thus, Scenario-C needs to be evaluated in a
consequence analysis for a leak size of 0.93 inches.

Tolerable Event Frequency Criteria vs. Scenario Frequencies

Unacceptable Region
Frequency (events/year)

Acceptable Region
Stream A Criteria
Scenario A Results
Note: Since ignition frequency increases with increasing leak
Stream B Criteria
size, application of ignition frequencies results in a
decreasing tolerable frequency with leak size. The shape of Scenario B Results
the curves is dependent on other factors such as material Stream C Criteria
reactivity and wind direction. Scenario C Results

0.93
0.1 1 10
Leak Size (inches)
Figure 2. Example MDL Plot

Step 5: Determine consequences for each scenario using MDL size

Now a normal consequence analysis is performed using the same scenarios identified in the
MDL together with the leak sizes resulting from the MDL.

Example Application

Note: This example is based on an actual parts count for a single unit of a refinery.

1. Postulate scenarios

A single scenario in the unit is postulated. A parts count for the entire unit is performed and
shown in Table 2. Within this unit, there are approximately 5 streams that could have
damaging consequences if a leak were to occur in them. The scenario selected has the
greatest potential for damaging consequences due to its process conditions.
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

Table 2. Example Problem Parts Count for a Process Unit

Feet of Steel Pipe No. of Other Equipment
1"-1 1/2" 0 No. of Actuated Valves 18
2"-4" 2400 No. of Instruments 85
6"-8" 600 No. of Process Vessels 8
8"-12" 150 No. of Storage Vessels 0
Greater than 12" 0 No. of Centrifugal Pumps 8
Flexibile Pipe 10 No. of Reciprocating Pumps 0
No. of Centrifugal Compressors 0
No. of Flanges No. of Reciprocating Compressors 2
1"-1 1/2" 0 No. of Heat Exchagers (Shell) 8
2"-4" 45 No. of Heat Exchagers (Tube) 6
6"-8" 30 No. of Heat Exchangers (Plate) 0
8"-12" 15 No. of Heat Exchangers (Fin Fans) 4
Greater than 12" 0 No. of Filters 6

No. of Manual Valves

1"-1 1/2" 155
2"-4" 110
6"-8" 15
8"-12" 0

2. Determine tolerable event frequency for each stream with a scenario

The plant decided they want to protect against any scenario occurring onsite once every 1000
years or less. This is a tolerable event frequency of 0.001 events/year for all scenarios onsite.
Assuming this process unit has 5 streams with similar complexity to each other within this
unit and there were 5 other process units with similar complexity to this unit, and the site
event frequency were 0.001 events/year, then the chance of any one event occurring would
be 4 x 10-5 (0.001/(5*5), or one in twenty five thousand years). This frequency assumes
ignition occurs for all leak sizes. Once ignition probability is considered, the resulting
tolerable event frequency plot is shown in Figure 3.
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

1.0E+00

Tolerable Event Frequency Criteria

1.0E-01
Release Frequency (yr^-1)

Unacceptable Region
1.0E-02

Acceptable Region
1.0E-03

1.0E-04
1 10 Hole Size (mm) 100 1000
Figure 3. Example Problem Tolerable Event Frequency Criteria

3. Calculate frequencies for each scenario

The Spouge [10] frequency database was used to calculate cumulative frequencies for each
part count category. The resulting cumulative frequencies for each part count category and
leak size is shown in Table 3. This process plant was evaluated to be average when
considering the major factors which could influence event frequencies, so frequency
modifiers were not applied. The plant had performed a LOPA study on the segment of the
unit that included the postulated scenario and it resulted in an insignificant upset potential
when compared to the other frequencies and was neglected in this example.

The summation of all frequencies for a hole size is the frequency for that hole size in the
entire unit. Since the stream where the scenario is located represents 1/5th of the unit, the
frequencies for the unit hole sizes are divided by 5 to represent a single event frequency.
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

Table 3. Example Problem Cumulative Frequency for a Process Unit

Parts Cumulative Frequecy for Hole Size (mm)
Equipment Count Modifiers 10 50 100 300 600
Meters of 2" Steel Pipe 732 1 1.58E-03 1.60E-04
Meters of 6" Steel Pipe 229 1 1.73E-04 1.76E-05 3.69E-06 5.15E-07 1.92E-07
Meters of 18" Steel Pipe 1
Meters of Flexible Piping 3.0 1 3.18E-04 1.23E-04 6.44E-05 2.84E-05 1.89E-05
No. of 2" Flanged Joints 45 1 8.63E-05 1.21E-05
No. of 6" Flanged Joints 45 1 1.16E-04 1.62E-05 4.23E-06 7.76E-07 3.33E-07
No. of 18" Flanged Joints 1
No. of 2" Manual Valves 265 1 3.21E-04 5.80E-05
No. of 6" Manual Valves 15 1 4.85E-05 7.35E-06 2.03E-06 4.00E-07 1.77E-07
No. of 18" Manual Valves 1
No. of 6" Actuated Valves (nonpipeline) 18 1 2.59E-04 3.42E-05 8.59E-06 1.50E-06 6.29E-07
No. of 0.5" Instruments 85 1 8.19E-04
No. of Process Vessels 8 1 1.64E-03 8.80E-04 5.75E-04 3.36E-04 2.57E-04
No. of Storage Tanks 1
No. of Centrifugal Pumps 8 1 1.13E-03 1.92E-04 5.71E-05 1.24E-05 5.75E-06
No. of Reciprocating Pumps 0 1
No. of Centrifugal Compressors 1
No. of Reciprocating Compressors 2 1 1.41E-04 2.20E-06 1.29E-07 3.58E-09 5.97E-10
No. of Shell HXs (h/c in shell) 8 1 2.76E-03 1.04E-03
No. of Tube HXs (h/c in tube) 6 1 1.02E-03 2.94E-04
No. of Plate HXx 1
No. of Air-Cooled HXs 4 1 8.94E-04 2.76E-04 1.24E-04 4.50E-05 2.71E-05
No. of Filters 6 1 2.92E-04 3.84E-05 9.60E-06 1.67E-06 6.97E-07
Ignition Probability 0.0021 0.0256 0.0716 0.1487 0.1999
Upset Event Frequency 0.00E+00 0.00E+00 0.00E+00 0.00E+00 0.00E+00
Wind Direction, Leak Direction, Early Ignition Factors 10 10 10 10 10
Unit Frequencies per Hole Size 5.49E-01 1.23E-02 1.19E-03 2.87E-04 1.56E-04
Single Event Frequencies per Hole Size 1.10E-01 2.47E-03 2.37E-04 5.74E-05 3.11E-05

4. Determine what scenarios have frequencies that exceed the tolerable event frequency
criteria.

The information resulting from Step 3 is now plotted together with the information resulting
from Step 4 and the plot shown in Figure 4 results. This shows the scenario frequency curve
crosses the tolerable event frequency line at 62 mm. Thus, the leak size for this scenario
should be 62 mm (2.4 inches).
 The Maximum Design Leak (MDL) Approach to Leak Size Selection (corrected)

1.E-01

Tolerable Event Frequency Criteria

Scenario Frequency

1.E-02
Release Frequency (yr^-1)

Unacceptable Region

1.E-03

Acceptable Region

1.E-04

1.E-05
62
10 100 1000
Hole Size (mm)
Figure 4. Example Problem MDL Results

5. Determine consequences for each scenario using MDL size

A consequence analysis is now performed using the 62 mm (2.4) leak size for this
scenario and any unacceptable results are remediated.

Summary

In performing a consequence analysis, the leak size is a highly subjective decision and maybe
difficult to defend if an accident were to occur. The Maximum Design Leak (MDL) approach
provided in this paper provides a means to use risk assessment methodologies to define a leak
size for use, removing subjectivity and providing a more defendable basis for leak size selection.
Additionally, the MDL provides a means by which owners/operators that may be risk adverse to
take advantage of risk tools without documenting an acceptable number of fatalities and without
undertaking a more expensive QRA.

A basic PSM goal is to reduce event likelihood whenever possible instead of remediating the
consequences (proactive versus reactive). Thus, another advantage of the MDL includes
identifying the areas in a facility that drives the risk such that these areas can be remediated to
acceptable tolerance criteria.