Chapter 1 - Chemical Process QRA

Chemical Process
Quantitative Risk Analysis
Chemical process quantitative risk analysis (CPQRA) is a methodology designed to

provide management with a tool to help evaluate overall process safety in the chemical
process industry (CPI). Management systems such as engineering codes, checklists and
process safety management (PSM) provide layers of protection against accidents.
However, the potential for serious incidents cannot be totally eliminated. CPQRA
provides a quantitative method to evaluate risk and to identify areas for costeffective
risk reduction.
The CPQRA methodology has evolved since the early 1980s from its roots in the
nuclear, aerospace and electronics industries. The most extensive use of probabilistic
risk analysis (PRA) has been in the nuclear industry. Procedures for PBA. have been
defined in the PRA Procedures Guide (NUEJEG, 1983) and the Probabilistic Safety Anal
ysis Procedures Guide (NUREG, 1985).
CPQBA is a probabilistic methodology that is based on the NUBiG procedures.
The term "chemical process quantitative risk analysis" is used throughout this book to
emphasize the features of this methodology as practiced in the chemical, petrochemi
cal, and oil processing industries. Some examples of these features are
• Chemical reactions may be involved
• Processes are generally not standardized
• Many different chemicals are used
• Material properties may be subject to greater uncertainty
• Parameters, such as plant type, plant age, location of surrounding population,
degree of automation and equipment type, vary widely
• Multiple impacts, such as fire, explosion, toxicity, and environmental contamina
tion, are common.
Acute, rather than chronic, hazards are the principal concern of CPQRA. This

places the emphasis on rare but potentially catastrophic events. Chronic effects such as
cancer or other latent health problems are not normally considered in CPQRA.
One objective of this second edition is to incorporate recent advances in the field.
Such advances are necessary and desirable as highlighted by the late Admiral Hyman
Rjckover:
We must accept the inexorably rising standards of technology, and we must relinquish
comfortable routines and practices rendered obsolete because they no longer meet the
new standards.
Many hazards may be identified and controlled or eliminated through use of quali
tative hazard analysis as defined in Guidelines for Hazard Evaluation Procedures., Second
Edition (CCPS, 1992). Qualitative studies typically identify potentially hazardous
events and their causes. In some cases, where the risks are clearly excessive and the exist
ing safeguards are inadequate, corrective actions can be adequately identified with
qualitative methods. CPQRA is used to help evaluate potential risks when qualitative
methods cannot provide adequate understanding of the risks and more information is
needed for risk management. It can also be used to evaluate alternative risk reduction
strategies.
The basis of CPQRA is to identify incident scenarios and evaluate the risk by defin
ing the probability of failure, the probability of various consequences and the potential
impact of those consequences. The risk is defined in CPQRA as a function of probabil
ity or frequency and consequence of a particular accident scenario:
Risk = F(s, c,f)
s = hypothetical scenario
c = estimated consequence(s)
/ = estimated frequency
This "function" can be extremely complex and there can be many numerically dif
ferent risk measures (using different risk functions) calculated from a given set of s, c,f.
The major steps in CPQRA, as illustrated in Figure 1.1 (page 4), are as follows:
Risk Analysis:
1. Define the potential event sequences and potential incidents. This may be based
on qualitative hazard analysis for simple or screening level analysis. Complete
or complex analysis is normally based on a full range of possible incidents for all
sources.
2. Evaluate the incident outcomes (consequences). Some typical tools include
vapor dispersion modeling and fire and explosion effect modeling.
3. Estimate the potential incident frequencies. Fault trees or generic databases
may be used for the initial event sequences. Event trees may be used to account
for mitigation and postrelease events.
4. Estimate the incident impacts on people, environment and property.
5. Estimate the risk. This is done by combining the potential consequence for each
event with the event frequency, and summing over all events.
Risk Assessment:
6. Evaluate the risk. Identify the major sources of risk and determine if there are
costeffective process or plant modifications which can be implemented to
reduce risk. Often this can be done without extensive analysis. Small and inex
pensive system changes sometimes have a major impact on risk. The evaluation
may be done against legally required risk criteria, internal corporate guidelines,
comparison with other processes or more subjective criteria.
7. Identify and prioritize potential risk reduction measures if the risk is considered
to be excessive.
Bisk Management:
Chemical process quantitative risk analysis is part of a larger management system.
Risk management methods are described in the CCPS Guidelines for Implementing Pro
cess Safety Management Systems (AIChE/CCPS, 1994), Guidelines for Technical Manage
ment of Chemical Process Safety (AIChE/CCPS, 1989), andPtow* Guidelines for Technical
Management of Chemical Process Safety (AIChE/CCPS, 1995).
The seven steps in Figure 1.1 are typical of CPQRA. However, it is important to
remember that other risks, such as financial loss, chronic health risks and bad publicity,
may also be significant. These potential risks can also be estimated qualitatively or
quantitatively and are an important part of the management process.
This chapter provides general outlines for the major areas in CPQRA as listed
below. The subsequent chapters provide more detailed descriptions and examples.
1. Definitions of CPQRA terminology (Section 1.1)
2. Elements that form the overall framework (Section 1.2)
3. Scope of CPQRA (Section 1.3)
4. Management of incident lists (Section 1.4)
5. Application of CPQRA (Section 1.5)
6. Limitations of CPQRA (Section 1.6)
7. Current practices (Section 1.7)
8. Utilization of CPQRA results (Section 1.8)
9. Project management (Section 1.9)
10. Maintenance of study results (Section 1.10)
CPQRA provides a tool for the engineer or manager to quantify risk and analyze
potential risk reduction strategies. The value of quantification was well described by
Lord Kelvin. Joschek (1983) provided a similar definition:
a quantitative approach to safety . . . is not foreign to the chemical industry. For every
process, the kinetics of the chemical reaction, the heat and mass transfers, the corrosion
rates, the fluid dynamics, the structural strength of vessels, pipes and other equipment
as well as other similar items are determined quantitatively by experiment or calcula
tion, drawing on a vast body of experience.
CPQBJV enables the engineer to evaluate risk. Individual contributions to the
overall risk from a process can be identified and prioritized. A range of risk reduction
measures can be applied to the major hazard contributors and assessed using
costbenefit methods.
Comparison of risk reduction strategies is a relative application of CPQRA. Pikaar
(1995) has related relative or comparative CPQRA to climbing a mountain. At each
stage of increasing safety (decreasing risk), the associated changes may be evaluated to
see if they are worthwhile and costeffective. Some organizations also use CPQRA in
an absolute sense to confirm that specific risk targets are achieved. Further risk reduc
tion, beyond such targets, may still be appropriate where it can be accomplished in a
costeffective manner. Hendershot (1996) has discussed the role of absolute risk guide
lines as a risk management tool.
CPQRA Steps
Define the potential
accident scenarios
Evaluate the event Estimate the potential
consequences accident frequencies
Estimate the
event impacts
Estimate the
risk
Evaluate the
risks
Identity and prioritize
potential risk reduction
measures
FIGURE 1.1 CPQRA Flowchart
Application of the full array of CPQRA techniques (referred to as component
techniques in Section 1.2) allows a quantitative review of a facility's risks, ranging from
frequent, lowconsequence incidents to rare, major events, using a uniform and consis
tent methodology. Having identified process risks, CPQRA techniques can help focus
risk control studies. The largest risk contributors can be identified, and recommenda
tions and decisions can be made for remedial measures on a consistent and objective
basis.
Utilization of the CPQRA results is much more controversial than the methodol
ogy (see Section 1.8). Watson (1994) has suggested that CPQRA should be consid
ered as an argument, rather than a declaration of truth. In his view, it is not practical or
necessary to provide absolute scientific rigor in the models or the analysis. Rather, the
focus should be on the overall balance of the QBA and whether it reflects a useful mea
sure of the risk. However, Yellman and Murray (1995) contend that the analysis
"should be, insofar as possible, true—or at least a search for truth." It is important for
the analyst to understand clearly how the results will be used in order to choose appro
priately rigorous models and techniques for the study.
1.1. CPQRA Definitions
Table 1.1 and the Glossary define terms as they are used in this volume. Other tabula

tions of terms have been compiled (e.g., IChemE, 1985) and may need to be consulted
because, as discussed below, there currently is no single, authoritative source of accepted
nomenclature and definitions. CPQRA is an emerging technology in the CPI and there
are terminology variations in the published literature that can lead to confusion. For
example, while risk is defined in Table 1.1 as "a measure of human injury, environmental
damage or economic loss in terms of both the incident likelihood and the magnitude of
the loss or injury," readers should be aware that other definitions are often used. For
instance, Kaplan and Garrick (1981) have discussed a number of alternative definitions
of risk. These include:
• Risk is a combination of uncertainty and damage.
• Risk is a ratio of hazards to safeguards.
• Risk is a triplet combination of event, probability, and consequences.
Readers should also recognize the interrelationship that exists between an inci
dent, an incident outcome, and an incident outcome case as these terms are used
throughout this book. An incident is defined in Table 1.1 as "the loss of containment of
material or energy," whereas an incident outcome is "the physical manifestation of an
incident." A single incident may have several outcomes. For example, a leak of flamma
ble and toxic gas could result in
• a jet fire (immediate ignition)
• a vapor cloud explosion (delayed ignition)
• a vapor cloud fire (delayed ignition)
• a toxic cloud (no ignition).
A list of possible incident outcomes has been included in Table 1.2.
The third and often confusing term used in describing incidents is the incident out
come case. As indicated by its definition in Table 1.1, the incident outcome case speci
fies values for all of the parameters needed to uniquely distinguish one incident
outcome from all others. For example, since certain incident outcomes are dependent
on weather conditions (wind direction, speed, and atmospheric stability class), more
than one incident outcome case could be developed to describe the dispersion of a
dense gas.
Frequency: Number of occurrences of an event per unit of time.
Hazard: A chemical or physical condition that has the potential for causing damage to people, property, or the
environment (e.g., a pressurized tank containing 500 tons of ammonia)
Incident: The loss of containment of material or energy (e.g., a leak of 10 Ib/s of ammonia from a connecting
pipeline to the ammonia tank, producing a toxic vapor cloud) ; not all events propagate into incidents.
Event sequence: A specific unplanned sequence of events composed of initiating events and intermediate events
that may lead to an incident.
Initiating event: The first event in an event sequence (e.g., stress corrosion resulting in leak/rupture of the
connecting pipeline to the ammonia tank)
Intermediate event: An event that propagates or mitigates the initiating event during an event sequence (e.g.,
improper operator action fails to stop the initial ammonia leak and causes propagation of the intermediate event
to an incident; in this case the intermediate event could be a continuous release of the ammonia)
Incident outcome: The physical manifestation of the incident; for toxic materials, the incident outcome is a
toxic release, while for flammable materials, the incident outcome could be a Boiling Liquid Expanding Vapor
Explosion (BLEVE), flash fire, unconfined vapor cloud explosion, toxic release, etc. (e.g., for a 10 Ib/s leak of
ammonia, the incident outcome is a toxic release)
Incident outcome case: The quantitative definition of a single result of an incident outcome through
specification of sufficient parameters to allow distinction of this case from all others for the same incident
outcomes. For example,a release of 10 Ib/s of ammonia with D atmospheric stability class and 1.4 mph wind
speed gives a particular downwind concentration profile, resulting, for example, in a 3000 ppm concentration at
a distance of 2000 feet.
Consequence: A measure of the expected effects of an incident outcome case (e.g., an ammonia cloud from a 10
Ib/s leak under Stability Class D weather conditions, and a 1.4mph wind traveling in a northerly direction will
injure 50 people)
Effect zone: For an incident that produces an incident outcome of toxic release, the area over which the airborne
concentration equals or exceeds some level of concern. The area of the effect zone will be different for each
incident outcome case [e.g., given an IDLH for ammonia of 500 ppm (v), an effect zone of 4.6 square miles is
estimated for a 10 Ib/s ammonia leak]. For a flammable vapor release, the area over which a particular incident
outcome case produces an effect based on a specified overpressure criterion (e.g., an effect zone from an
unconfined vapor cloud explosion of 28,000 kg of hexane assuming 1% yield is 0.18 km2 if an overpressure
criterion of 3 psig is established). For a loss of containment incident producing thermal radiation effects, the area
over which a particular incident outcome case produces an effect based on a specified thermal damage criterion
[e.g., a circular effect zone surrounding a pool fire resulting from a flammable liquid spill, whose boundary is
defined by the radial distance at which the radiative heat flux from the pool fire has decreased to 5 kW/m2
(approximately 1600 Btu/hrft2)]
Likelihood: A measure of the expected probability or frequency of occurrence of an event. This may be
expressed as a frequency (e.g., events/year), a probability of occurrence during some time interval, or a
conditional probability (i.e., probability of occurrence given that a precursor event has occurred, e.g., the
frequency of a stress corrosion hole in a pipeline of size sufficient to cause a 10 Ib/s ammonia leak might be
1 x 10"3 per year; the probability that ammonia will be flowing in the pipeline over a period of 1 year might be
estimated to be 0.1; and the conditional probability that the wind blows toward a populated area following the
ammonia release might be 0.1)
Probability: The expression for the likelihood of occurrence of an event or an event sequence during an interval
of time or the likelihood of occurrence of the success or failure of an event on test or demand. By definition,
probability must be expressed as a number ranging from O to 1.
Risk: A measure of human injury, environmental damage or economic loss in terms of both the incident
likelihood and the magnitude of the loss or injury
Risk analysis: The development of a quantitative estimate of risk based on engineering evaluation and
mathematical techniques for combining estimates of incident consequences and frequencies (e.g., an
ammonia cloud from a 10 Ib/s leak might extend 2000 ft downwind and injure 50 people.
For this example, using the data presented above for likelihood, the frequency of injuring 50 people
is given a s l x l O " 3 x 0 . 1 x 0 . 1 = lx 10~5 events per year)
Risk assessment: The process by which the results of a risk analysis are used to make decisions, either through a
relative ranking of risk reduction strategies or through comparison with risk targets (e.g., the risk of injuring 50
people at a frequency of 1 X 10"5 events per year from the ammonia incident is judged higher than acceptable,
and remedial design measures are required)
INCIDENTS INCIDENT OUTCOME INCIDENT OUTCOME CASES
5 mph Wind, Stability Class A
Toxic Vapor 10 mph Wind, Stability Class D
Atmospheric Dispersion 15 mph Wind, Stability Class E
100lb/min etc.
Release of Jet Fire
HCN from
a Tank Vent
Tank Full
BLEVE of Tank 50% Full
HCN Tank
etc.
After 15 min. Release
Unconfined Vapor After 30 min. Release
Cloud Explosion After 60 min. Release
etc.
FIGURE 1.2. The relationship between incident, incident outcome, and incident outcome
cases for a hydrogen cyanide (HCN) release.
The event tree in Figure 1.2 has been provided to illustrate the relationship
between an incident, incident outcomes, and incident outcome cases. Each of these
terms will be developed further in this chapter.
1.2. Component Techniques of CPQRA
It is convenient (for ease of understanding and administration) to divide the complete
CPQRA procedure into component techniques (Section 1.2.1). Many CPQRAs do
not require the use of all the techniques. Through the use of prioritized procedures
(Section 1.2.2), the CPQRA can be shortened by simplifying or even skipping certain
techniques that appear in the complete CPQRA procedure.
1.2.1. Complete CPQRA Procedure
A framework for the complete CPQRA methodology for a process system is given in
Figure 1.3. This diagram shows
• the full logic of a CPQRA in more detail

• the relationship between a CPQRA and a risk assessment
• the interaction of a CPQRA with
the analysis data base
user requirements
user reaction to risk estimates from a CPQRA
FABLE 1 .2. CPQRA Hazards, Event Sequences, Incident Outcomes, and Consequences
Event Sequences
Process hazards Initiating events Intermediate events Incident outcomes
Significant inventories of: Process upsets Propagating factors Risk reduction factors Analysis

Flammable materials Process deviations Equipment failure Control/operator responses Discharge
Combustible materials Pressure safety system failure Alarms Flash and evaporation
Unstable materials Temperature Ignition sources Control system response Dispersion
Corrosive materials Flow rate Furnaces, flares, incinerators Manual and automatic Neutral or positively buoyant
Asphyxiants Concentration Vehicles emergency shutdown gas
Shock sensitive materials Phase/state change Electrical switches Fire/gas detection system Dense gas
Highly reactive materials Impurities Static electricity Safety system responses Fires
Toxic materials Reaction rate/heat of reaction Hot surfaces/cigarettes Relief valves Pool fires
Inciting gases Spontaneous reaction Management systems failure Depressurization systems Jet fires
Combustible dusts Polymerization Human errors Isolation systems BLEVES
Pyrophoric materials Runaway reaction Omission High reliability trips Flash fires
Extreme physical conditions Internal explosion Commission Backup systems Explosions
High temperatures Decomposition Fault diagnosis Mitigation system responses Confined explosions
Cryogenic temperatures Containment failures Decisionmaking Dikes and drainage Vapor cloud explosions
High pressures Pipes, tanks, vessels, Domino effects Flares (VCE)
Vacuum gaskets/seals Other containment failures Fire protection systems Physical explosions
Pressure cycling Equipment malfunctions Other material release (active and passive) Dust explosions
Temperature cycling Pumps, valves, instruments, External conditions Explosion vents Detonations
Vibration/liquid hammering sensors, interlock failures Meteorology Toxic gas absorption Condensed phase detonations
Loss of utilities Visibility Emergency plan responses Missiles
Electrical, nitrogen, water, Sirens/warnings Consequences
refrigeration, air, heat Emergency procedures Effect analysis
transfer fluids, steam, Personnel safety equipment Toxic effects
ventilation Sheltering Thermal effects
Management systems failure Escape and evacuation Overpressure effects
External events Damage assessments
Human error Early detection
Design Community
Early warning Workforce
Construction Specially designed structures
Operations Environment
Maintenance Training Company assets
Testing and inspection Other management systems
External events
Extreme weather conditions
Earthquakes
Nearby accidents' impacts
Vandalism/sabotage
Figure 1.3 also provides crossreferences to other sections of this volume, where
details of the techniques are given. The full logic of a CPQRA involves the following
component techniques:
1. CPQRA Definition
2. System Description
3. Hazard Identification
4. Incident Enumeration
5. Selection
6. CPQRA Model Construction
7. Consequence Estimation
8. Likelihood Estimation
9. Risk Estimation
10. Utilization of Risk Estimates
A brief account of the role of each of the techniques is given below, and more
detailed accounts are given in the sections indicated.
• CPQRA Definition converts user requirements into study goals (Section

1.9.1) and objectives (Section 1.9.2). Risk measures (Section 4.1) and risk pre
sentation formats (Section 4.2) are chosen in finalizing a scope of work for the
CPQRA. A depth of study (Section 1.9.3) is then selected based on the specific
objectives defined and the resources available. The need for special studies (e.g.,
the evaluation of domino effects, computer system failures, or protective system
unavailability) is also considered (Chapter 6). CPQEA definition concludes with
the definition of study specific information requirements to be satisfied through
the construction of the analysis data base.
• System Description is the compilation of the process/plant information needed
for the risk analysis. For example, site location, environs, weather data, process
flow diagrams (PFDs), piping and instrumentation diagrams (PSdDs), layout
drawings, operating and maintenance procedures, technology documentation,
process chemistry, and thermophysical property data may be required. This
information is fed to the analysis data base for use throughout the CPQRA.
• Hazard Identification is another step in CPQEA. It is critical because a hazard
omitted is a hazard not analyzed. Many aids are available, including experience,
engineering codes, checklists, detailed process knowledge, equipment failure
experience, hazard index techniques, whatif analysis, hazard and operability
(HAZOP) studies, failure modes and effects analysis (FMEA), and preliminary
hazard analysis (PHA). These aids are extensively reviewed in the HEP Guide
lines, Second Edition (AIChE/CCPS, 1992). Typical process hazards identified
using these aids are listed in Table 1.2. Additional information on common chemi
cal hazards is given in Bretherick (1983), Lees (1980), and Marshall (1987).
• Incident Enumeration is the identification and tabulation of all incidents with
out regard to importance or initiating event. This, also, is a critical step, as an
incident omitted is an incident not analyzed (Section 1.4.1).
• Selection is the process by which one or more significant incidents are chosen to
represent all identified incidents (Section 1.4.2 .1), incident outcomes are identi
CPQRA DEFINITION
(see below) Goals (§1.9.1)
USER REQUIREMENTS Objectives (§1.92)
Standards. etc. Depth of study (§1.9.3)
Economic criteria Risk measures (§4.1) SYSTEM LOCATION (see below)
Risk targets Risk presentation (§4.2)
Special topics (§6)
Database requirements (§5)
SYSTEM DESCRIPTION EXTERNAL DATA SOURCES (§5)
HAZARD IDENTFICATION
(HEP Guidelines)
INCIDENT ENUMERATION
(§1.4.1)
LEGEND
Methodology Execution
INCIDENT Sequence
SELECTION (§1.4.2) Information Flow
Sequence
CPQRA MODEL
CONSTRUCTION (§1.22)
LIKELIHOOD ESTIMATION ANALYSIS DATABASE CO NSE(3UENCE ESTIMAlDON (2)

(frequencies of Probability)
Process Plant Data (§52) Physical Models Mitigation
Effects Models
Historical Incident Approach (§3.1)
Frequency Modeling
Chemical data
Process description
! Discharge (§2.1.1) Toxic gas (§2.3.1 ) Evasive
Fault tree analysis (§3.2.1) PFD and P&ID Flash & evaporation Thermal (§2.32) Action (§2.4)
Event tree analysis (§3.22) Plant layout (§2.12) Explosion (§2.3.3)
Other techniques (§6.4) Operating procedures Neutral & dense gas
Complementary Modeling Environmental Data (§5.4) dispersion (§2.1 .3)
Common cause failure (§3.3.1) Land use and topography Unconfirmed explosion
Human reliability analysis (§3.32) Population and demography (§22.1)
External events analysis (§3.3.3) Meteorological data Pool & Jet fires (§2.2.5)
Likelihood Data BLEVE (§2.2.3)
Acceptable Historical incident data (§5.1)
Economic
Criteria
Reliability data (§5.5)
ECONOMIC ASSESSMENT Not
Acceptable
SYSTEM COST EVALUATION RISK ESTIMATION
CALCULATION QUALITY
USER REACTION ! Risk calculation Risk uncertainty,
SYSTEM MODIFICATION
(§4.4) sensitivity and
Frequency MODIFICATIONS MENU
importance (§4.5)
Reduction Reduction (D System
@ CPQRA
Design Control © Requirements
Inventory Operation Q Siting Acceptable
Layout Management
© Business strategy UTILIZATION OF RISK ESTIMATE
Isolation procedures NEW/MODIFIED
Not Risk Assessment
SYSTEM DESIGN
(Absolute or Relative)
acceptable (§18)
COMPLETE
Risk targets
REVISE BUSINESS STRATEGY
• ABANDON PROJECT
• SHUT DOWN OPERATIONS
(see above) (see above)
FIGURE 1.3. Framework for CPQRA methodology and chapter/sect/on headings.

fied (Section 1.4.2.2), and incident outcome cases are developed (Section
1.4.2.3).
• CPQKA Model Construction covers the selection of appropriate consequence
models (Chapter 2), likelihood estimation methods (Chapter 3) and their inte
gration into an overall algorithm to produce and present risk estimates (Chapter
4) for the system under study. While various algorithms can be synthesized, a
prioritized form (Section 1.2.2) can be constructed to create opportunities to
shorten the time and effort required by less structured procedures.
• Consequence Estimation is the methodology used to determine the potential
for damage or injury from specific incidents. A single incident (e.g., rupture of a
pressurized flammable liquid tank) can have many distinct incident outcomes
[e.g., unconfmed vapor cloud explosion (UVCE), boiling liquid expanding
vapor explosion (BLEVE), flash fire]. These outcomes are analyzed using source
and dispersion models (Section 2.1) and explosion and fire models (Section
2.2). Effects models are then used to determine the consequences to people or
structures (Section 2.2). Evasive actions such as sheltering or evacuation can
reduce the magnitude of the consequences and these may be included in the anal
ysis (Section 23)
• Likelihood Estimation is the methodology used to estimate the frequency or
probability of occurrence of an incident. Estimates may be obtained from histor
ical incident data on failure frequencies (Section 3.1), or from failure sequence
models, such as fault trees and event trees (Section 3.2). Most systems require
consideration of factors such as commoncause failures [a single factor leading to
simultaneous failures of more than one system, e.g., power failure (Section
3.3.1), human reliability (Section 3.3.2), and external events (Section 3.3.3)].
• Risk Estimation combines the consequences and likelihood of all incident out
comes from all selected incidents to provide one or more measures of risk (Chap
ter 4). It is possible to estimate a number of different risk measures from a given
set of incident frequency and consequence data, and an understanding of these
measures is provided. The risks of all selected incidents are individually estimated
and summed to give an overall measure of risk. The sensitivity and uncertainty of
risk estimates and the importance of the various contributing incidents to esti
mates are discussed in Section 4.5.
• Utilization of Bisk Estimates is the process by which the results from a risk
analysis are used to make decisions, either through relative ranking of risk reduc
tion strategies or through comparison with specific risk targets.
The last CPQBA step (utilization of risk estimates) is the key step in a risk assess
ment. It requires the user to develop risk guidelines and to compare the risk estimate
from the CPQRA with them to decide whether further risk reduction measures are
necessary. This step has been included as a CPQRA component technique to empha
size its overall influence in designing the CPQRA methodology, but it is not discussed
in this book. Guidelines for decision analysis are contained in Tools for Making Acute
Risk Decisions (AlChE/CCPS, 1995).
Before discussing the remaining functions and activities shown in Figure 1.3, it is
important to recognize that all of the component techniques introduced above have
not been developed to the same depth or extent, nor used as widely for the same length
of time. Consequently, it is helpful to classify them according to "maturity," a term
used here to combine the concepts of degree of development of the technique and years
in use in the CPI. Greater confidence and less uncertainty are associated with the more
mature component techniques, such as hazard identification and consequence estima
tion. Discomfort and uncertainty increase as maturity decreases. Frequency estimation
is much less developed and practiced and accordingly classified, along with incident
enumeration and selection techniques, as less mature than hazard identification and
consequence estimation. The most underdeveloped and newest technique to the CPI of
those listed, risk estimation, is the least mature of any of the CPQRA component tech
niques. Accordingly, the most uncertainty associated with any component technique
accompanies risk estimates.
By reviewing the maturity scale, it is easy to rank the component techniques
according to their development potential. While consequence estimation techniques
are fairly sophisticated and some may argue "welldeveloped,35 frequency estimation
techniques offer developmental challenges and enhancement necessities. Risk estima
tion techniques, especially companion methodologies such as uncertainty analysis,
require substantial development and refinement, and much greater exposure before
becoming widely accepted and "user friendly." The subject of the maturity of the tech
niques will be revisited in Section 1.2.2 as one driving force in the precedence ordering
of CPQRA calculations.
While not considered a component technique, the development of the analysis
data base is a critical early step in a CPQBJV. In addition to the data from the system
description, this data base contains various kinds of environmental data (e.g., land use
and topography, population and demography, meteorological data) and likelihood
data (e.g., historical incident data, reliability data) needed for the specific CPQRA.
Much of this information must be collected from external (outside company) sources
and converted into formats useful for the CPQRA. Chapter 5 discusses the construc
tion of the analysis data base, and details the various sources of data available.
As shown in Figure 1.3, user reaction to the results of a risk assessment using the
CPQBA estimate can be summarized as a menu of modification options:
• systems modification through engineering/operational/procedural changes
• amendment of the goals or scope of the CPQBJV
• relaxation of user requirements
• alternative sites
• adjustments to basic business strategy.
Systems modification involves the proposal and evaluation of risk reduction strate
gies by persons knowledgeable in process technology. Bask estimation provides insight
into the degree of risk reduction possible and the areas where risk reduction may be
most effective. Proposed risk reduction strategies can incorporate changes to either
system design or operation, in order to eliminate or reduce incident consequences or
frequencies. As shown in Figure 1.3, such proposals need to be shown to meet all busi
ness needs (e.g., quality, capacity, legality, and cost) before being reviewed by CPQRA
techniques. The other user options are selfexplanatory and are more properly treated
in a discussion of the risk assessment process and related risk management program.
1.2.2. Prioritized CPQRA Procedure
Most applications of the CPQBA methodology will not need to use all of the available
component techniques introduced in Section 1.2.1. CPQBJV component techniques
are flexible and can be applied selectively, in various orders. Consequence estimation
can be used as a screening tool to identify hazards of negligible consequence (and there
fore a negligible risk) to avoid detailed frequency estimation. Similarly, frequency esti
mation can identify hazards of sufficiently small likelihood of occurrence that
consequence estimates are unnecessary. The procedure outlined in Figure 1.4 has been
constructed to illustrate one way to prioritize the calculations. It has been designed to
provide opportunities to shorten the time and effort needed to achieve acceptable
results. These opportunities arise naturally due to the ordering of the calculations. The
criteria for establishing the priority of calculations are based on the maturity of the
component techniques and their ease of use. The more mature consequence estimation
techniques are given highest priority. These techniques are also the most easily exe
cuted. The degree of effort increases through the procedure, along with uncertainties as
the maturity of the component techniques decreases.
The prioritized CPQBA procedure given in Figure 1.4 involves the following steps:
Step 1—Define CPQRA.
Step 2—Describe the system.
Step 3—Identify hazards.
Step 4—Enumerate incidents.
Step 5—Select incidents, incident outcomes, and incident outcome cases
These five steps are the same as the corresponding steps in Figure 1.3, and are dis
cussed in Section 1.2.1.
• Step 6 Estimate Consequences. If the consequences of an incident are accept
able at any frequency, the analysis of the incident is complete. This is a simplifica
tion of the risk analysis, in which the probability of occurrence of the incident
within the time period of interest is assumed to be 1.0 (the incident is certain to
occur). For example, the overflow of an ethylene glycol storage tank to a contain
ment system poses little risk even if the event were to occur. If the consequences
are not acceptable, proceed to Step 7.
• Step 7 Modify System to Reduce Consequences. Consequence reduction
measures should be proposed and evaluated. The analysis then returns to Step 2
to determine whether the modifications have introduced new hazards and to
reestimate the consequences. If there are no technically feasible and economically
viable modifications, or if the modifications do not eliminate unacceptable con
sequences, proceed to Step 8.
• Step 8 Estimate Frequencies. If the frequency of an incident is acceptably low,
given estimated consequences, the analysis of the incident is complete. If not,
proceed to Step 9.
• Step 9 Modify System to Reduce Frequencies. This step is similar in concept
to Step 7. If there are no technically feasible and economically viable modifica
tions to reduce the frequency to an acceptable level, proceed to Step 10. Other
wise, return to Step 2.
STEP1
DEFINE CPQRAGOALS,
OBJECTIVES, DEPTH OF
STUDY, ETC.
EQUIPMENT DESIGN.
CHEMISTRY,
STEP 2 THERMODYNAMICS.
DESCRIBE SYSTEM OPERATING PROCEDURES.
ETC.
STEP 3 EXPERIENCE, CODES
IDENTIFY HAZARDS CHECKLISTS, HAZOPS, ETC.
STEP 4 LIST OF
ENUMERATE INCIDENTS ENUMERATED INCIDENTS
LIST OF SELECTED
STEPS INCIDENTS, INCIDENT
SELECT INCIDENTS OUTCOMES. INCIDENT
OUTCOME CASES
DESIGN ACCEPTABLE
CONSEQUENCE AND STEP 6 (CONSEQUENCES ACCEPTABLY
EFFECT MODELS, ESTIMATE CONSEQUENCES LOW AT ANY FREQUENCY
DECISION CRITERIA OF OCCURRENCE)
CONSEQUENCES ARE TOO HIGH
YES STEP?
MODIFY SYSTEM TO
REDUCE CONSEQUENCES
NO
HISTORICALANALYSIS DESIGN ACCEPTABLE
FAULT TREE ANALYSIS STEPS (FREQUENCIES ACCEPTABLY
EVENTTREE ANALYSIS ESTIMATE FREQUENCIES LOW FOR ANY CONSEQUENCES)
DECISION CRITERIA
FREQUENCIES ARE TOO HIGH
YES STEP 9
MODIFY SYSTEM TO
REDUCE FREQUENCIES
STEP 10 DESIGN ACCEPTABLE
COMBINE FREQUENCIES (COMBINATION OF
DECISION CRITERIA AND CONSEQUENCES TO CONSEQUENCES AND
ESTIMATE RISK FREQUENCIES
ACCEPTABLY LOW)
RISKSARETOOHIGH
YES STEP 11
MODIFY SYSTEM TO LEGEND
REDUCE RISK METHODOLOGY EXECUTION
NO SEQUENCE
INFORMATION FLOW
SEQUENCt
DESIGN UNACCEPTABLE
(COMBINATION OF CONSEQUENCES AND
FREQUENCIES UNACCEPTABLY HIGH)
FIGURE 1.4. One version of a prioritized CPQRA procedure.
• Step 10 Combine Frequency and Consequences to Estimate Risk. If the risk
estimate is at or below target or if the proposed strategy offers acceptable risk
reduction, the CPQRA is complete and the design is acceptable.
• Step 11 Modify System to Reduce Risk. This is identical in concept to Steps 7
and 9. If no modifications are found to reduce risk to an acceptable level, then
fundamental changes to process design, user requirements, site selection, or
business strategy are necessary.
In summary, Figure 1.3 presents the overall structure of CPQRA, and Figure 1.4

illustrates one method of implementation. A complete CPQRA as illustrated in Figure
1.3 may not be necessary or feasible on every item or system in a given process unit.
Guidance on the selection and use of CPQRA component techniques is presented later
in this chapter.
1.3. Scope of CPQRA Studies
It is good engineering practice to pay careful attention to the scope of a CPQRA, in

order to satisfy practical budgets and schedules; it is not unusual for the work load to
"explode" if the scope is not carefully specified in advance of the work and enforced
during project execution. This section introduces the concept of a study cube ( Figure
1.5) to relate scope, work load, and goals (Section 1.3.1) and then gives typical goals
for CPQRAs of various scopes (Section 1.3.2).
1.3.1 The Study Cube
CPQRAs can range from simple, "broad brush" screening studies to detailed risk anal
yses studying large numbers of incidents, using highly sophisticated frequency and
consequence models. Between these extremes a continuum of CPQRAs exists with no
rigidly defined boundaries or established categories. To better understand how the
scope ranges for CPQRAs it is useful to show them in the form of a cube, in which the
axes represent the three major factors that define the scope of a CPQRA: risk estima
tion technique, complexity of analysis, and number of incidents selected for study. This
arrangement also allows us to consider "planes" through the cube, in which the value of
one of the factors is held constant.
1.3.1.1. THE STUDY CUBE AXES
For this discussion, each axis of the Study Cube has been arbitrarily divided into three
levels of complexity. This results in a total of 27 different categories of CPQRA,
depending on what combinations of complexity of treatment are selected for the three
factors. Each cell in the cube represents a potential CPQBA characterization. How
ever, some cells represent combinations of characteristics that are more likely to be
useful in the course of a project or in the analysis of an existing facility.
Risk Estimation Technique. Each of the components of this axis corresponds to a

study exit point in Figure 1.4. The complexity and level of effort necessary increase
RISK ESTIMATION TECHNIQUE
Consequence Frequency Risk
Complex
Intermediate
Simple
ORIGIN
Cube's
Bounding Main
INCREASING NUMBER OF
SELECTED INCIDENTS
Group Diagonal
Representative
Set
Expansive
List
FIGURE 1.5. The study cube. Each cell in the cube represents a particular CPQRA study with a
defined depth of treatment and risk emphasis. For orientation purposes, the shaded cells
along the main diagonal of the cube are described in Table 1.5.
along the axis—from consequence through frequency to risk estimation—but not nec

essarily linearly.
In another sense, the representation of estimation by consequence, frequency, and
risk is indicative of the level of maturity of these techniques. Quantification of the con
sequences from an incident involving loss of containment of a process fluid has been
extensively studied. Once a release rate is established, the development of the resulting
vapor cloud can be fairly well described by various source and dispersion models,
although gaps in our understanding—particularly for flashing or twophase discharges,
nearfield dispersion, and local flow effects—do exist. Quantification of the frequency
of an incident is less well understood. Where historical data are not available, fault tree
analysis (FTA) and event tree analysis (ETA) methods are used. These methods rely
heavily on the judgment and experience of the analyst and are not as widely applied in
the CPI as consequence models. Much remains to be learned about how to produce a
truly representative risk estimate with minimum uncertainty and bias.
Complexity of Study. This axis presents a complexity scale for CPQRAs. Position

along the axis is derived from two factors:
• the complexity of the models to be used in a study
• the number of incident outcome cases to be studied
Model complexity can vary from simple algebraic equations to extremely complex
functions such as those used to estimate the atmospheric dispersion of dense gases. The
number of incident outcome cases to be studied is the product of the number of inci
dent outcomes selected and the number of cases to be studied per outcome. The
number of cases to be studied may range from one—assuming uniform wind direction
and a single wind speed—to many, using various combinations of wind speed, direc
tion, and atmospheric stability for each incident outcome.
Figure 1.6 illustrates how model complexity and the number of incident outcome
cases are combined to produce the simple, intermediate, and complex zones in the
study cube.
Number of Incidents. The three groups of incidents used in Figure 1.5—bounding
group, representative set, and expansive list—can be explained using the three classes of
incidents in Table 1.3.
The bounding group contains a small number of incidents. Members of this group
include those catastrophic incidents sometimes referred to as the worst case. The intent
of selecting incidents for this group is to allow determination of an upper bound on the
estimate of consequences. This approach focuses attention on extremely rare incidents,
rather than the broad spectrum of incidents that often comprises the major portion of
the risk. The representative set can contain one or more incidents from each of the
three incident classes in Table 1.3 when evaluating risks to employees. When evaluat
ing risk to the public, the representative set of incidents would probably only include
selections from the catastrophic class of events because small incidents do not normally
have significant impact at larger distances. The purpose of selecting representative inci
dents is to reduce study effort without losing resolution or adding substantial bias to
the risk estimate. The expansive list contains all incidents in all three classes selected
through the incident enumeration techniques discussed in Section 1.4.1.
NUMBER OF INCIDENTOUTCOME CASES
SMALL MEDIUM LARGE

INCREASING COMPLEXITY
SIMPLE/
ELEMENTARY INTERMEDIATE INTERMEDIATE
OF MODELS
ADVANCED SIMPLE/ INTERMEDIATE/

INTERMEDIATE COMPLEX
SOPHISTICATED INTERMEDIATE/
INTERMEDIATE COMPLEX
FIGURE 1.6. Development of complexity of study axis values for the Study Cube. The main
diagonal values (shaded cells) correspond with the "complexity of study values" used in
Figure 1,5.
1.3.1.2. PLANES THROUGH THE STUDY CUBE
The study cube provides a conceptual framework for discussing factors that influence
the depth of a CPQRA. It is arbitrarily divided into 27 cells, each defined by three fac
tors, and qualitative scales are given for each factor or cube axis.
In addition to considering cells in the study cube, it is convenient to refer to planes
through the cube, especially through the risk estimation technique axis. A separate
plane exists for consequence, frequency, and risk estimation. Anywhere within one of
these planes, the risk estimation technique is fixed. Referring to consequence plane
studies, there are nine combinations of the complexity of study and number of selected
incidents. The use of the plane concept when describing CPQRAs is intended to rein
force the notion that several degrees of freedom exist when defining the scope of a
CPQRA study, and it is not enough to cite only the risk estimation technique to be
used when discussing a specific level of CPQRA.
1.3.2. Typical Goals of CPQRAs

Examples of typical goals of CPQEAs are summarized in Table 1.4, which highlights
incident groupings that are appropriate to achieve each goal. Ideally, all incidents
would be considered in every analysis, but time and cost constraints require optimizing
the number of incidents studied. Consequently, incident groups other than the expan
sive list are preferred.
Goals that are appropriate early in an emerging capital project will be constrained
by available information. However, for a mature operating plant, sufficient informa
tion will usually be available to satisfy any of the goals in Table 1.4. The amount and
quality of information available for a CPQRA depend on the stage in the process' life
when the study is executed. This effect is illustrated conceptually in Figure 1.7. A spe
cific depth of study can be executed only if the process information available equals or
exceeds the information required.
Each of the 27 depths of study shown in the Study Cube has specific information
requirements. The information required for a CPQRA is a function of not only the
position of the corresponding cell in the study cube (depth of study) selected, but also
the specific study objectives. In general, information needs increase as
• the number of incidents increases,
• the complexity of study (number of incident outcome cases and complexity of
models) increases,
• the estimation technique progresses from consequence through frequency to risk
estimation calculations.
TABLE 1.3. Classes of Incidents
Localized incident Localized effect zone, limited to a single plant area (e.g., pump fire, small

toxic release)
Major incident Medium effect zone, limited to site boundaries (e.g., major fire, small

explosion)
Catastrophic incident Large effect zone, off site effects on the surrounding community (e.g., major

explosion, large toxic release)
INFORMATION
AVAILABLE
PROJECT DETAILED COMMISSIONING DEMOLITION

INCEPTION DESIGN
DESIGN CONSTRUCTION DECOMMISSIONING RECORDS
BASIS DESTROYED
SHUTDOWN
NEW PROJECTS EXISTING AND RECORDS
FACILITY FACILITY RETENTION
REMOVAL REOJIRED
PROCESS LIFE CYCLE

FIGURE 1.7. Information availability to CPQRA along the life of a chemical process.
Conceptually, information requirements increase moving from the origin along

the main diagonal of the Study Cube. Specific study objectives are developed from the
CPQRA goals by project management (Section 1.9.2). These specific objectives may
add information requirements (often unique) to those established by the position in
the cube.
In order to discuss important issues of study specification, it is convenient to limit
attention to three of the 27 cells in the cube. These three cells are a simple/consequence
CPQRA, intermediate/frequency CPQRA, and complex/risk CPQRA (Table 1.5).
They occupy the main diagonal of the cube as illustrated in Figure 1.5. The cells are
defined in terms of increasing CPQRA resolution. The choice of these cells in no way
implies that they represent the most common types of risk studies. They are only pre
sented to explain the general parameters of this form of presentation of CPQRA study
depth. Further information on CPQRA studies for different cells in the study cube is
given in Chapter 7, where a number of qualitative examples are presented. Chapter 8
presents more specific, quantitative case studies.
1.4. Management of Incident Lists
Effective management of a CPQRA requires enumeration (Section 1.4.1) and selec

tion (Section 1.4.2) of incidents, and a formal means for tracking (Section 1.4.3) the
incidents, incident outcomes, and incident outcome cases. Enumeration attempts to
ensure that no significant incidents are overlooked; selection tries to reduce the inci
dent outcome cases studied to a manageable number; and tracking ensures that no
selected incident, incident outcome, or incident outcome case is lost in the calculation
procedure.
TABLE 1.4. Typical Goals of CPQRAs
To Screen or Bracket the Range of Risks Present for Further Study. Screening or bracketing

studies often emphasize consequence results (perhaps in terms of upper and lower bounds of effect
zones) without a frequency analysis. This type of study uses a bounding group of incidents.
To Evaluate a Range of Risk Reduction Measures. This goal is not limited to any particular
incident grouping, but representative sets or expansive lists of incidents are typically used. Major
contributors to risk are identified and prioritized. A range of risk reduction measures is applied to the
major contributors, in turn, and the relative benefits assessed. If a risk target is employed, risk
reduction measures would be considered that could not only meet the target, but could exceed it if
available at acceptable cost.
To Prioritize Safety Investments. All organizations have limited resources. CPQRA can be used to
prioritize risks and ensure that safety investment is directed to the greatest risks. A bounding group or
representative set of incidents is commonly used.
To Estimate Financial Risk. Even if there are no hazards that have the potential for injury to people,
the potential for financial losses or business interruption may warrant a CPQEJV. Depending on the
goals, different classes of incidents might be emphasized in the CPQRA. An annual insurance review
might highlight localized and major incidents using a bounding group with consequences specified in
terms of loss of capital equipment and production.
To Estimate Employee Risk. Several companies have criteria for employee risk, and CPQRA is used
to verify compliance with these criteria. In principle, the expansive list of incidents could be
considered, but the major risk contributors to plant employees are localized incidents and major
incidents (Table 1.3). Rare, catastrophic incidents often contribute less than a few percent to total
employee risk. A representative set or bounding group of incidents may be appropriate.
To Estimate Public Risk. As with employee risk, some internalcorporate and regulatory agency
public risk criteria may have been suggested or adopted as "acceptable risk" levels. CPQRA can be
used to check compliance. Where such criteria are not met, risk reduction measures may be
investigated as discussed above. The important contributors to offsite, public risk are major and
catastrophic incidents. A representative set or expansive list of incidents is normally utilized.
To Meet Legal or Regulatory Requirements. Legislation in effect in Europe, Australia, and in some
States (e.g., NJ and CA) may require CPQRAs. The specific objectives of these vary, according to the
specific regulations, but the emphasis is on public risk and emergency planning. A bounding group or
representative set of incidents is used.
To Assist with Emergency Planning. CPQRA may be used to predict effect zones for use in
emergency response planning. Where the emergency plan deals with onsite personnel, all classes of
incidents may need to be considered. For the community, major and catastrophic classes of incidents
are emphasized. A bounding group of incidents is normally sufficient for emergency planning
purposes.
1.4.1. Enumeration
The objective of enumeration is to identify and tabulate all members of the incident
classes in Table 1.3, regardless of importance or of initiating event. In practice, this can
never be achieved. However, it must be remembered that omitting important incidents
from the analysis will bias the results toward underestimating overall risk.
The starting point of any analysis is to identify all the incidents that need to be
addressed. These incidents can be classified under either of two categories, loss of con
tainment of material or loss of containment of energy. Unfortunately, there is an infi
nite number of ways (incidents) by which loss of containment can occur in either
category. For example, leaks of process materials can be of any size, from a pinhole up
to a severed pipe line or ruptured vessel. An explosion can occur in either a small con
tainer or a large container and, in each case, can range from a small ccpufP to a cata
strophic detonation.
TABLE 1.5. Definitions of Cells Along the Main Diagonal of the Study Cube (Figure 1.5)
Simple/Consequence CPQRA
Estimation Technique—Consequence
Complexity of Study
Number of Incident Outcome Cases—Small
Complexity of Model—Elementary
Number of Incidents—Bounding Group
This is a CPQRA that is useful for screening or risk bounding purposes. It requires the least amount
of process definition and makes extensive use of simplified techniques. In terms of Figure 1.4, it
consists of consequence calculations only (Steps I through 7). A Simple/Consequence CPQRA is
suitable for screening at any stage of the project: in the case of an existing plant, screening might
highlight the need to consider further study; at the design stage, it might aid in optimizing siting and
layout.
Intermediate/Frequency CPQRA
Estimation Technique—frequency
Complexity of Study
Number of Incident Outcome Cases—Medium
Complexity of Model—Advanced
Number of Incidents—Representative Set
This is a more detailed CPQRA that corresponds to Steps I through 9 in Figure 1.4. It cannot be
applied until the design is substantially developed, unless historical frequency techniques are applied. It
may be applied at any time after process flow sheet definition. Complete descriptions of the process
and equipment are not usually necessary. A Representative Set of incidents is chosen. In principle, the
results of an Intermediate/Frequency CPQKA should approximate a detailed study, but have less
resolution.
Complex/Risk CPQRA
Estimation Technique—Risk
Complexity of Study
Number of Incident Outcome Cases—Large
Complexity of Model—Sophisticated
Number of Incidents—Expansive List
This is the most detailed CPQRA. It employs the full methodology described in Figure 1.4. It may be
applied to operating plants or to capital projects, but only after detailed design has been completed,
when sufficient information is available. Where appropriate, it would employ the most sophisticated
analytical techniques reviewed in Chapters 2 and 3. However, it would be unlikely to apply the most
sophisticated techniques to all aspects of the study—only to those items that contribute most to the
result. Due to the number of incidents, incident outcomes and incident outcomes cases considered,
this study level provides the highest resolution.
The HEP Guidelines, Second Edition (AIChE/CCPS, 1992) outlines the roles of

HAZOP, FMEA, and WhatIf in hazard assessment. The supplemental "Questions for
Hazard Evaluation" shown in Appendix B of the HEP Guidelines can be helpful for iden
tifying hazards, initiating events, and incidents. While none of these hazard identification
techniques directly produces a list of incidents, each provides a methodology from which
initiating events can be developed. Proper scenario selection is extremely important in
CPQRA and the results of the analysis are no better than the scenarios selected.
In addition to the above techniques, Table 1.2 can be used as a checklist to assist in
further incident enumeration through listing candidate initiating events, intermediate
events, and incident outcomes and consequences. It should be understood that there is
Reality List
(All incidents)
Initial List (All incidents

identified by enumeration)
Revised List (Initial List less

NUMBER OF INCIDENTS
those handled subjectively)
Condensed List (Revised

List without redundancies)
Expansive List (List

from which incidents
for study are selected)
Representative
Set
Bounding
Group
NAME LISTOF INCIDENT^

FIGURE 1.8. Incident lists versus number of incidents (comparison of lists developed through
incident selection to the reality list).
no single technique whose application guarantees the comprehensive listing of all inci
dents (i.e., the reality list of Figure 1.8 is unattainable). Nonetheless, use of hazard
identification techniques and Table 1.2 can lead to the identification of a broad spec
trum of incidents, sufficient for defining even the expansive list of incidents (Section
1.4.2.1).
Other approaches for enumeration of major incidents and their initiating events
have been developed. One of these uses fault tree analysis (FTA). The fault tree is a
logic diagram showing how initiating events, at the bottom of the tree, through a
sequence of intermediate events, can lead to a top event. This analysis requires two
knowledge bases: (1) a listing of major subevents which contribute to a top event of
loss of containment, and (2) the development of each subevent to a level sufficient to
describe the majority of initiating events. For enumeration, this process is executed
without any attempt to quantify the frequency of the top event. However, this fault
tree can serve as a means for obtaining frequencies later in the CPQRA. The success of
this technique is principally dependent on the expertise of the analyst. An example is
given by Prugh (1980).
The "Loss of Containment Checklist53 included in this book as Appendix A can be
applied to enumerate credible incidents. This checklist considers causes arising from
nonroutine process venting, deterioration and modification, external events, and pro
cess deviations. Sample incidents include the following:
• overpressuring a process or storage vessel due to loss of control of reactive mate
rials or external heat input
• overfilling of a vessel or knockout drum
• opening of a maintenance connection during operation
• major leak at pump seals, valve stem packings, flange gaskets, etc.
• excess vapor flow into a vent or vapor disposal system
• tube rupture in a heat exchanger
• fracture of a process vessel causing sudden release of the vessel contents
• line rupture in a process piping system
• failure of a vessel nozzle
• breaking off of a smallbore pipe such as an instrument connection or branch line
• inadvertently leaving a drain or vent valve open.
The reader should note, however, that the loss of containment checklist should not
be considered exhaustive, and other enumeration techniques should be considered in
developing an expansive list of incidents.
Another way to generate an incident list is to consider potential leaks and major
releases from fractures of all process pipelines and vessels. The enumeration of inci
dents from these sources is made easier by compiling pertinent information (listed
below), relevant to all process and storage vessels. This compilation should include all
pipework and vessels in direct communication, as these may share a significant inven
tory that cannot be isolated in an emergency.
• vessel number, description, and dimensions

• materials present
• vessel conditions (phase, temperature, pressure)
• connecting piping
• piping dimensions (diameter and length)
• pipe conditions (phase, pressure drop, temperature)
• valving arrangements (automatic and manual isolation valves, control valves,
excess flow valves, check valves)
• inventory (of vessel and all piping interconnections, etc.)
This approach is discussed in more detail in the Rijnmond Area Risk Study
(Rijnmond Public Authority, 1982) and the Manual of Industrial Hazard Assessment
Techniques (World Bank, 1985). Of necessity, this approach excludes specific incidents
and initiating events that would be generated by hazard identification methods (e.g.,
releases from emergency vents or relief devices). Freeman et al. (1986) describe a
system that addresses both fractures and other initiating events. The list of incidents
can also be expanded by considering each of the incident outcomes presented in Table
1.2 and proposing credible incidents that can produce them. Pool fires might result
from releases to tank dikes or process drainage areas; vapor cloud explosions, flash
fires, and dispersion incidents from other release scenarios; confined explosions (e.g.,
those due to polymerization, detonation, overheating) from reaction chemistry and
abnormal process conditions; or BLEVE, from fire exposure to vessels containing
liquids.
1.4.2. Selection
The goal of selection is to limit the total number of incident outcome cases to be stud
ied to a manageable size, without introducing bias or losing resolution through over
looking significant incidents or incident outcomes. Different techniques are used to
select incidents (Section 1.4.2.1), incident outcomes (Section 1.4.2.2), and incident
outcome cases (Section 1.4.2.3). The risk analyst must be proficient in each of these
techniques if a defensible basis for a representative CPQRA is to be developed.
1.4.2.1. INCIDENTS
The purpose of incident selection is to construct an appropriate set of incidents for the
study from the initial list that has been generated by the enumeration process. An
appropriate set of incidents is the minimum number of incidents needed to satisfy the
requirements of the study and adequately represent the spectrum of incidents enumer
ated, considering budget constraints and schedule.
The effects of selection are shown graphically in Figure 1.8. The reality list con
tains all possible incidents. It approaches infinitely long. The initial list contains all the
incidents identified by the enumeration methods chosen. The remaining lists are
described in this section. Figure 1.8. shows the relative reductions in list size that are
achieved by successive operations on the initial list.
One of the risk analyst's jobs is to select a subset of the Initial List for further analy
sis. This involves several tasks, each resulting in a unique list ( Figure 1.8). Throughout
the selection process, the risk analyst must exercise caution so that critical incidents,
which might substantially affect the risk estimate, are not overlooked or excluded from
the study. The initial list of incidents is reviewed to identify those incidents that are too
small to be of concern (Step 4, Figure 1.4). Removing these incidents from the initial
list produces a revised list (Figure 1.8).
To be cost effective and reduce the CPQRA calculational burden, it is essential to
compress this revised list by combining redundant or very similar incidents. This new
list is termed the condensed list (Figure 1.8). This list can and should be reduced fur
ther by grouping similar incidents into subsets, and, where possible, replacing each
subset with a single equivalent incident. This grouping and replacement can be accom
plished by consideration of similar inventories, compositions, discharge rates, and dis
charge locations.
The list formed in this manner is the expansive list and represents the list from
which the study group is selected. A detailed or complex study would utilize the entire
expansive list of incidents, while a screening study would utilize only one or two inci
dents from this list.
The expansive list can be reduced to one or both of two smaller "lists55: the bound
ing group or the representative set (Section 1.3.1; and Figure 1.5). Selection of a
bounding group of incidents typically considers only the subsets of catastrophic inci
dents on the expansive list. This may be further reduced by selecting only the worst
possible incident or worst credible incident.
Selection of a representative set of incidents from the expansive list should include
contributions from each class of incident, as defined in Table 1.3. This process can be
facilitated through the use of ranking techniques. By allocating incidents into the three
classes presented in Table 1.3, an inherent ranking is achieved. Further ranking of indi
vidual incidents within each incident class is possible. Various schemes can be devised
to rank incidents within each incident class (e.g., preliminary ranking criteria based on
the severity of hazard posed by released chemicals, release rate, and total quantity
released). A ranking procedure is important in the selection of a representative set of
incidents if the study is to minimize bias or loss of resolution.
Ranking can also be a useful tool if the study objectives (Section 1.9.2) exclude
incidents below a specified cutoff value. One example is the establishment of a cutoff
for loss of containment of material events by specifying a limited range of hole sizes for
a wide range of process equipment (e.g., two for process pipework, one representing a
fullbore rupture and the other 10% of a full bore rupture). This approach is presented
in the Manual of Industrial Hazard Assessment Techniques (World Bank, 1985). Such a
cutoff is arbitrary and a more fundamental approach is to identify, from consequence
techniques (Chapter 2), the minimum incident size of importance for each of the mate
rials used onsite. This ensures consistent treatment of materials of different hazards.
Figure 1.9 (Hawksley, 1984) contains data on pipeline failures including the frequency
distributions for holes of various sizes.
1.4.2.2 INCIDENT OUTCOMES
The purpose of incident outcome selection is to develop a set of incident outcomes that
must be studied for each incident included in the finalized incident study list (i.e., the
bounding group, representative set, or expansive list of incidents). Each incident needs
to be considered separately. Using the list of incident outcomes presented in Table 1.2,
the risk analyst needs to deter nine which may result from each incident. This process is
not necessarily straightforward. While the analyst can decide whether an incident
LEGEND
Weep
PIPE FAILURES PER FOOT YEAR
Canadian Atomic
Energy
GuIfOiI
PIPE DIAMETER (INCH)

FIGURE 1.9. Summary of some pipe failure rate data. From Hawksley (1984). Reprinted with
permission.
involving the loss of a process chemical to the atmosphere needs to be examined using
dispersion analysis because of potential toxic gas effects, what happens if the same
material is immediately ignited on release?
Figure 1.2 was presented to illustrate how one incident may create one or more
incident outcomes, using the logical structure of an event tree. More detailed event
trees have been developed in attempts to illustrate the complicated and often interre
lated time series of incident outcomes that can occur. Figure 1.10 presents such an
event tree developed by Mudan (1987) to show all potential incident outcomes from
the release (loss of containment) of a hazardous chemical. Naturally, the properties of
the chemical, conditions of the release, etc., all influence which of the logical paths
shown in Figure 1.10 will apply for any specific incident. All such paths need to be con
sidered in creating the set of outcomes to be studied for each incident included in the
finalized study list. After examination, it soon becomes apparent that even Figure 1.10
is not detailed enough to cover all possible permutations of phenomena that can imme
diately result from a hazardous material release.
Detailed logical structures (see Figures 1.11 and 1.12) have been developed [e.g.,
see UCSIP (1985)] to try to account for the mix of incident outcomes that can result
following an incident. No single comprehensive logic diagram exists. Various com
puter programs have been developed, however, to assist the analyst. Ultimately, the
analyst must be satisfied that the set of outcomes selected for each incident in the final
ized study list adequately represents the range of phenomena that may follow an
incident.
1.4.2.3. INCIDENT OUTCOME CASES
As shown in Figure 1.2, for every outcome selected for study, one or more incident
outcome cases can be constructed. Each case is defined through numerically specifying
sufficient parameters to allow the case to be uniquely distinguished from all other cases
developed for the same outcome.
An easy distinction between incident outcome cases is in the prevailing weather.
When considering the dispersion of a cloud formed from the release of a process chemi
cal to the atmosphere, the analyst must decide how the travel of the cloud "downwind"
is to be studied. Various parameters—wind speed, atmospheric stability, atmospheric
temperature, humidity, etc.—all need to be considered.
Once the risk analyst has identified all of the parameters that influence specification
of an incident outcome, ranges of values for each parameter need to be developed, and
discrete values created within each range. An incident outcome case is specified by the
data set containing the analyst's selection of a unique value within the range developed
for each parameter. The number of outcome cases that can be created equals the
number of possible permutations of this data set using all of the discrete values for each
of the parameters.
As discussed in Section 1.9.3, the combinatorial expansion of incident outcome
cases can adversely affect resource requirements for a CPQRA without substantially
adding to the quality of the resulting risk estimate or insights from the study. An expe
rienced analyst will be able to limit the number of incident outcome cases to be studied.
For example, problem symmetry may be exploited, worst case conditions assumed,
plume centerline concentrations selected rather than developing complete cloud pro
Incident
No Release - Release Tankcar

No Impact Explosion
or BLEVE
Gas Liquid and/or

Liquified Gas
Gas Vents Liquid Flashes

to Vapor
Flame Jet Pool Slowly

Forms (if Evaporates
ignited)
Vapor Cloud
Travels Downwind Pool Fire
(if not ignited) Occurs
Liquid Vapor Plume

Vapor Cloud Travels
Ignites - Rainout Downwind
Explosion
Vapor Cloud Plume Ignites,

Ignites - Explosion and/or
Flashfire Occurs Flashfire Occurs
No Ignition - No Ignition -
Toxic Vapor Toxic Vapor
Exposure Exposure
Pool Fire
Occurs
FIGURE ]. 10. Typical spill event tree showing potential incident outcomes for a hazardous
chemical release.
files, and a directional incident outcome assumed rather than study an omnidirectional

incident. Each decision removes a multiplier from the number of cases to be studied.
It is the analyst's responsibility to ensure that sufficient definition results from the
number of incident outcome cases specified to achieve study objectives. Decisions
made concerning parameter selection and the range of values to be studied within each
parameter need to be challenged through peer review and documented. Likewise the
perceived importance of such parameters and their values can and should be checked
through sensitivity studies following the development of an initial risk estimate. It is
Ie ttw Reletee Ie There Immediate ' U Uw Cloud Ie There Oeleyed
tnetantaneoue? Ignition? I Denser Then Air? Ignition?
Fireball Assess Impacts

yes
Flash Fire
or Explosion
Dense Cloud Yes Assess Impacts
Yes Dispersion
YM No
Adiabatic Harmless
No Expansion Flash Fire
Neutral/ or Explosion Assess Impacts
Buoyant YBS
Incident No Dispersion
Outcome Case No Harmless
Estimated Jet Flames Assess Impacts

Duration Xes
Calculate Flash Fire
Release or Explosion Assess Impacts
No Rate Dense Cloud Y&s
Dispersion
Yes Mo
Jet Harmless
No Dispersion
Flash Fire
Neutral/ or Explosion Assess Impacts
Buoyant Yes
No Dispersion
No
Harmless
FIGURE 1.11. Spill event tree for a flammable gas release.
also the analyst's responsibility to recognize the sensitivity of the cost of the CPQRA to
each parameter and avoid wasting resources.
One effective strategy is to screen the parameter value ranges and select a minimal
number of outcome cases to complete a first pass risk estimate. Using sensitivity meth
ods, the importance of each selected parameter value can be determined, and adjust
ments made in subsequent passes, maintaining control of the growth of the number of
incident outcome cases while observing impacts on resulting estimates.
It is also useful to determine upper and lower bounds for the risk estimate using
the parametervalue range available. This offers the analyst a reference scale against
which to view any single point estimate, along with its sensitivity to changes in any
given parameter. Various mathematical models are available for determining the upper
and lower bounds for the parametervalue ranges available. These include techniques
commonly used in the statistical design of experiments (e.g., see Box and Hunter,
1961; Kilgo, 1988). These methods can be used to identify critical parameters from all
of the parameters identified. Linear programming techniques and min/max search
strategies (e.g., see Carpenter and Sweeny, 1965; Long, 1969; Nelder and Mead,
1964; Spendley et al, 1962) can be used thereafter to find values for these critical
parameters that will produce both the upper and lower bounds (maximum and mini
mum values) for the risk estimate.
I U the ReleaM Ia There Immediate1 Does a Pool Does the Pool
I Instantaneous? Ignition? Form? Ignite?
FIGURE 1.12. Spill event tree for a flammable liquid release.
Since these bounds can be established without exhaustively examining all of the

incident outcome cases possible, the experienced analyst can manage the number of
cases to be examined without compromising the desire to develop a quantitative under
standing of the range—a feel for spread—of the risk estimate.
1.4.3. Tracking
The development of some risk estimates, such as individual risk contours or societal

risk curves requires a significant number of calculations even for a simple analysis. This
can be time consuming if a manual approach is employed for more than a few incident
outcome cases. Chapter 4, Section 4.4, describes risk calculation methods and provides
examples of various simplifiied approaches. The techniques are straightforward, how
ever many repetitive steps are involved, and there is a large potential for error. A com
puter spreadsheet or commercial model is generally useful in manipulating,
accounting, labeling, and tracking this information. The case studies of Chapter 8 illus
trate these grouping, accounting, labeling, and tracking processes.
1.5. Applications of CPQRA
No organization or society has the resources to perform CPQRAs (of any depth) on all

conceivable risks. In order to decide where and how to use the resources that are avail
Next Page
Previous Page
I U the ReleaM Ia There Immediate1 Does a Pool Does the Pool

I Instantaneous? Ignition? Form? Ignite?
FIGURE 1.12. Spill event tree for a flammable liquid release.
Since these bounds can be established without exhaustively examining all of the

incident outcome cases possible, the experienced analyst can manage the number of
cases to be examined without compromising the desire to develop a quantitative under
standing of the range—a feel for spread—of the risk estimate.
1.4.3. Tracking
The development of some risk estimates, such as individual risk contours or societal

risk curves requires a significant number of calculations even for a simple analysis. This
can be time consuming if a manual approach is employed for more than a few incident
outcome cases. Chapter 4, Section 4.4, describes risk calculation methods and provides
examples of various simplifiied approaches. The techniques are straightforward, how
ever many repetitive steps are involved, and there is a large potential for error. A com
puter spreadsheet or commercial model is generally useful in manipulating,
accounting, labeling, and tracking this information. The case studies of Chapter 8 illus
trate these grouping, accounting, labeling, and tracking processes.
1.5. Applications of CPQRA
No organization or society has the resources to perform CPQRAs (of any depth) on all

conceivable risks. In order to decide where and how to use the resources that are avail
able, it is necessary to select specific subjects for study and to optimize the depth of
study for each subject selected. This selection process or screening technique is dis
cussed (Section 1.5.1) along with its use for existing facilities (Section 1.5.2) and new
projects (Section 1.5.3).
1.5.1. Screening Techniques
In creating a screening program, it is helpful to determine the organizational levels that
are most amenable to screening, and those where CPQRAs can be applied most effec
tively. Figure 1.13 illustrates the structure of a typical CPI organization. It shows a
hierarchical scheme, with the organization divided into facilities (plants), the facilities
divided into process units, the process units divided into process systems and the pro
cess systems divided into pieces of equipment. A general observation is that the
number of possible CPQRAs increases exponentially—but that the scope of each one
narrows—moving from the top to the bottom of the hierarchy. Use of CPQRA is typi
cally restricted to the lower levels of the hierarchy, and in those levels it is selectively
applied.
Methods are needed to screen—prioritize and select—process units, systems, and
equipment for selective application of CPQRA. These methods must ensure that all
facilities are considered uniformly in the screening process.
Establishment of a prioritized listing of candidate studies allows efforts to focus on
the most onerous hazards first and, depending on available resources, progress to less
serious hazards. Certain listings are "zoned35 according to high, medium, and low levels
of concerns, and studies placed into the lowest class receive attention only after all stud
ies in higher classes have been executed. If a decision is made to zone a priority list, it is
important to establish zone cutoff criteria prior to screening in order to avoid bias.
Bask estimates can be developed at any level of the typical CPI organization, but
usually focus on specific elements of the lower levels of the hierarchy—for instance, the
COMPANY
HEADQUARTERS
MANUFACTURING
FACILITIES
PROCESS
UNITS
PROCESS
SYSTEMS
PROCESS
EQUIPMENT
FIGURE 1.13. Structure of a typical CPI company.
risk from the rupture of a storage tank. The following discussions of screening methods
show that methods are available to study various levels of the typical CPI organization.
1.5.1.1. PROCESS HAZARD INDICES

Dow Chemical has developed techniques for determining relative hazard indices for
unit operations, storage tanks, warehouses, etc. One generates an index for fire and
explosion hazards (Dow*s Fire & Explosion Index Hazard Classification Guide, 7th ed.,
AIChE 1994), and another an index for toxic hazards (Dow^s Chemical Exposure
Index Guide, 1st ed., AIChE 1994). ICFs Mond Division has developed similar tech
niques (The Mond Index) and has proposed a system for using these indices as a
guide to plant layout (ICI, 1985). A modified Mondlike index has also been pro
posed for evaluation of toxic hazards (Tyler, 1996). These techniques consider the
hazards of the material involved, the inventory, operating conditions, and type of
operation. While the values of the indices cannot be used in an absolute sense as a
measure of risk, they can be used for prioritization, selection, and ranking. The value
of the index may be helpful in deciding whether a CPQRA should be applied, and
the appropriate depth of study.
1.5.1.2. INVENTORYSTUDIES
The inventories of hazardous materials should be itemized (including material in pro
cess, in storage, and in transport containers). The information should include signifi
cant properties of the material (e.g., toxicity, flammability, explosivity, volatility),
normal inventory and maximum potential quantity, and operating or storage condi
tions. In some cases, screening can, or must, be done by means of government specifi
cations (New Jersey, 1988, and EEC's "Seveso Directive,5' 1982).
Major hazards can be identified from an inventory study. Where these are toxic
hazards, simple dispersion modeling—assuming the worst case and pessimistic atmo
spheric conditions—can be performed. Where fires or explosions are the hazards, simi
lar simple consequence studies may be made. Estimated effect zones can be plotted on a
map to determine potential vulnerabilities (population at risk, financial exposure, busi
ness interruption, etc.); for screening purposes, estimates of local populations may be
sufficient. Of course, when significant vulnerabilities are found, more thorough studies
may be required.
1.5.1.3. CHEMICALSCORING
Various systems have been developed to assign a numeric value to hazardous chemicals
using thermophysical, environmental, toxicological, and reactivity characteristics. The
purpose of each system is to provide an objective means of rating and ranking chemi
cals according to a degree of hazard reference scale. Three of these methodologies are
systems proposed by the NFPA 325M (1984), the U.S. EPA (1980, 1981), and
Rosenblum et al. (1983).
NFPA has a rating scheme that assigns numeric ratings, from O to 4, to process
chemicals. These ratings represent increasing health, flammability, and reactivity haz
ards; the fourth rating uses special symbols to denote special hazards (e.g., reactivity
with water). This system is intended to show firefighters the precautions that they
should take in fighting fires involving specific materials; however, it can be used as a
preliminary guide to process hazards. The U.S. EPA has developed methods for rank
ing chemicals based on numerical values that reflect the physical and health hazards of
the substances. Rosenblum et al. (1983) give an index system that assigns numerical
values to the various hazards that chemicals possess and that can be used to prioritize a
list of chemicals. This technique is more complex and lesspracticed than the NFPA
diamond system.
1.5.1.4. FACILITY SCREENING

In addition to the screening techniques presented in previous subsections, other priori
tization and selection approaches have been proposed which focus on facilities as
opposed to chemicals alone. One such approach has been offered by Mudan (1987).
This approach uses mathematical models for blast, fire, and toxicity for screening
chemical facilities. A similar approach has been proposed by Renshaw (1990). Less
sophisticated approaches have also been used to screen facilities. For example, if the
number of facilities to be screened is not too large, and if the organization's safety per
sonnel are sufficiently experienced, it is possible to subjectively rank facilities by con
sensus. Whatever method is used, it is important to apply it consistently and document
the results of its application for future reference and update.
1.5.2. Applications within Existing Facilities
In order to examine process risks from all existing facilities within an organization, it is

essential to develop a study plan. This plan documents the screening methods to be
used to qualitatively or quantitatively rank all facilities within the organization and then
rank all process units within those facilities. These prioritized lists can then be com
pared and a master list developed which can be used to establish the study plan for
CPQRA.
When developing any study plan for existing facilities using a screening method, it
is most cost effective to ensure that the plan is directed at the lowest level of the organi
zation's hierarchy (Figure 1.13). Once the prioritized study plan is developed, the
depth of CPQRA needs to be determined for each candidate study from the top down.
Table 1.6 offers qualitative guidance for determining the depth of CPQRA appropriate
for each of the layers of the organizational hierarchy (Figure 1.13). Recognize that this
is an idealization where a risk estimate plane CPQRA is reserved for process equipment
and system studies only and, even then, only after consequence and frequency plane
studies have been completed and show the need for further study.
1.5.3. Applications within New Projects
The depth of study presented in Table 1.6 directly applies to new projects as well. The
main distinction between new projects and existing facilities (Figure 1.7) is the infor
mation available for use in the CPQRA. Early in a new project, information is con
strained, limiting the depth of the study. This constraint is virtually nonexistent for
existing facilities. As a new project progresses, the information constraint is gradually
removed.
TABLE 1 .6. Applicability and Sequence Order of Depth of Study for Existing Facilities
Risk estimation technique*
Organizational
hierarchy level Depth of study Consequence Frequency Risk
Company Simple/consequence 1 N.A. N.A.

Intermediate/frequency N.A. N.A. N.A.
Complex/risk N.A. N.A. N.A.
Facility Simple/consequence 1 2 N.A.

Intermediate/frequency 1 N.A. N.A.
Complex/risk N.A. N.A. N.A.
Process unit Simple/consequence 1 2 3
Intermediate/frequency 1 2 N.A.
Complex/risk 1 N.A. N.A.
Process system Simple/consequence 1 2 3
Intermediate/frequency 1 2 3
Complex/risk 1 2 3
Equipment Simple/consequence 1 2 3
Intermediate/frequency 1 2 3
Complex/risk 1 2 3
4
NA, not applicable; 1, First task in series; 2, second task in series; 3, third task in series.
1.6. Limitations of CPQRA
CPQEA limitations must be understood by management if sensible goals are to be

established for studies. These limitations must also be understood by the technical per
sonnel responsible for the study. Some references address the potential limitations of
CPQRA (Freeman, 1983; Joschek, 1983; PiIz, 1980).
A summary of technical and management limitations, their implications, and pos
sible means for reducing their impact is provided in Table 1.7. More detailed treatment
of the technical limitations of CPQRA component techniques is provided in Chapters
2 and 3. Technical limitations of the data required for CPQRA and of special topics are
addressed in Chapters 5 and 6, respectively.
From Table 1.7 it is apparent that many of the limitations of CPQRA arise from
uncertainty. The estimation of uncertainty is discussed in Section 4.5. Uncertainty
should decrease in the future, as models become standardized, equipment failure rate
data relevant to the CPI are more fully developed and collected systematically, risk analy
sis expertise becomes more widely disseminated, and human consequence effect data are
more widely developed. Some specific data (e.g., toxicity) are currently incomplete and
inexact and are a major source of uncertainty in CPQBA. Where uncertainty is a major
issue, relative or comparative uses of CPQRA may be preferable to absolute uses.
Where CPQBA risk estimates are to be compared in an absolute sense to risk tar
gets, or risk "acceptability criteria," concern should increase over the issue of absolute
accuracy of these estimates. Unlike process economic studies such as discounted cash
flow analysis that use cost estimate qualities with an accuracy of +15%, CPQBA esti
mates have much greater absolute uncertainty, typically covering one or more orders of
TABLE 1 .7. Limitations of CPQRA and Means to Address Them
Cause of limitation Implication to CPQRA Remedies
TECHNICAL
Incomplete or Underestimate risk for a Require proper documentation

inadequate representative set or Involve experienced CPQRA practitioners
enumeration of expansive list of incidents
incidents Apply alternative enumeration techniques
Peer review/quality control
Review by facility design and operations
personnel
Improper selection of Underestimate risk for all Involve experienced CPQBJV practitioners

incidents incident groupings Apply alternative enumeration techniques
Peer review/quality control
Review by facility design and operations
personnel
Unavailability of Possibility of systematic bias Secure additional resources for data

required data acquisition
Uncertainty in Expert review/judgment
consequences, frequencies, Ensure that knowledgeable people are
or risk estimates involved in assessing available data
Incorrect prioritization of Check results against other models or
major risk contributors historical incident records; evaluate
sensitivities
Consequence or Similar in effect to data Ensure appropriate peer review

frequency model limitations Check results against other models or
assumptions/validity historical incident records
Ensure that models are applied within the
range intended by model developers
Ensure that mathematical or numerical
approximations that may be used for
convenience do not compromise results
Use, if feasible, different models (e.g., a
more conservative and a more optimistic
model) to establish the impact of this type
of uncertainty
MANAGEMENT
Resource limitations Insufficient time to complete Extend schedule

(personnel, time, depth of study
models) Insufficient depth of study Defer study until resources available
Inadequate quality of study Identify major risk contributors and
emphasize these
Skills unavailable Incorrect preparation and Amend scope of work

analysis
Improper interpretation of Acquire expertise through training
results programs, new personnel, or consultants
magnitude. The estimate's uncertainty is directly proportional to the depth and detail
of the calculation and quality of models and data available and used.
Both the Canvey Island (Health & Safety Executive, 1978, 1981) and Rijnmond
Public Authority (1982) studies present discussions of uncertainty and accuracy, and
the reader is referred there for further detail. Two other sources of insight into the issue
of absolute accuracy and uncertainty are also available. Figure 1.14, taken from Ballard
(1987), summarizes data collected by the National Centre of Systems Reliability on a
number of reliability assessments for the period 19721987. The diagram was devel
oped through collecting data on the actual performances of plants and process systems
and prior estimates of the reliability of these same plants and process systems. While
there are a number of uncertainties related to the studies, data collection methods, etc.,
as stated by Ballard, "it is clear [from Figure 1.14] that in an overall sense one can
expect the results of a reliability study to give a very good indication of the likely acci
dent frequency from a plant." The 2:1 and 4:1 ranges shown on Figure 1.14 indicate
that about 60% of the predictions of failure rates were within a factor of two and about
95% were within a factor of four of actual performance data.
While Figure 1.14 presents cause for accepting risk estimates as reasonable, the
second source of insight offers cause for concern. Figure 1.15, taken from Arendt et al.
(1989), summarizes the results of a European benchmark study (see Amendola, 1986)
that showed the difficulty in reproducing CPQEA estimates, and the substantial
dependency of these estimates on the very basic, defendable, but different assumptions
made by various teams of analysts. Each of the teams in the study was given identical
systems to analyze, the component techniques to use, and a common Analysis Data
RATIO Wp°ggg? FAILURE RATE
CUMULATIVE FREQUENCY
FIGURE 1.14. Frequency distribution of the failure rate ratio collected by the National Centre
of Systems Reliability over the period 19721987 From Ballard (1987), reprinted with
permission.
ANNUAL SYSTEM FAILURE PROBABILITY
TEAMS OF CPQRA EXPERTS

FIGURE 1.15. Results of European Benchmark Study. From Arendt et al. (1989), reprinted
with permission.
Base. The teams were also allowed complete freedom in making assumptions, selecting
incidents to study, choosing failure rate data, etc. Figure 1.15 shows that the resulting
estimates ranged over several orders of magnitude, well beyond the range of uncer
tainty calculated by some of the teams. When the teams were subsequently directed to
follow similar assumptions, the resulting estimates converged to a much more accept
able range (i.e., within a factor of 5). This study and its implications is discussed in
more detail in Chapter 4. Consequently, it is important to recognize that along with
the technical uncertainties associated with models and data discussed elsewhere in this
book, the essence of the accuracy and corresponding uncertainty of a risk estimate also
depend heavily upon the expertise and judgment of the analyst. The need to document
and review such assumptions is discussed in depth in Section 1.9.5.3 on Quality
Assurance.
1.7. Current Practices
Safety in design and operation has been important to the CPI since its inception. A

wide range of safety techniques, many of which are currently used by companies and
regulatory agencies, have evolved. In the preparation of the original edition of this
book, a survey was conducted of 29 major chemical and petroleum companies—
believed to represent the majority of companies practicing CPQRA techniques in
1986. The results of the survey are summarized in Table 1.8.
All companies use basic engineering codes and standards as part of their safety
review. Virtually all companies utilize some qualitative methods for hazard identifica
tion. The most common techniques include checklist and index methods. About 60%
of the surveyed companies use structured techniques such as HAZOPs or FMEAs.
Some companies have their own customized or combined versions, which they refer to
as process hazard review techniques. Almost half of these companies are using one of
the risk estimation techniques. Quantitative risk targets are being used by about 10%
TABLE 1.8. Survey of Process Safety Techniques in Use3
Percentage of surveyed

Safety technique companies using technique
Existing techniques
Codes and standards 100
Unstructured hazard identification (e.g., indices, judgment) 95
Structured hazard identification (e.g., HAZOP, FMEA) 60
CPQRA techniques
Consequence estimation 40
Frequency estimation 30
Risk estimation 20
Use of risk targets 10
"Basis: Survey of 29 major U.S. companies (chemical and petroleum) done by Technica in 1986.
of the surveyed companies. Concerns have been expressed over the liability implica

tions of conducting CPQBAs because the existence of these studies implies acceptance
of certain levels of risk. Some companies continue to rely on established practice (as
specified by engineering codes or standard practices). On legal advice, some are reluc
tant to produce CPQRAs, fearing that misinterpretation of risk estimates could be
damaging. The counter argument, expressed by those companies that perform
CPQBAs, is that the expected reduction in frequency of occurrence or consequence of
various incidents more than offsets potential legal difficulties.
A few of the companies surveyed have clear corporate risk policies and targets,
which have strong and active corporate board level support. In these companies, the
application of various CPQBA techniques plays an important part in the deci
sionmaking process. This commitment is reflected in the quality of staff and resources
available to CPQBA.
In the public arena, the U.S. government, and national organizations have
expressed substantial interest in CPQBA techniques. In some states, legislation requir
ing quantitative risk assessment has been considered or enacted. The establishment of
formal risk management programs, which include elements of CPQBA techniques, is a
fundamental requirement for most of the legislation (e.g., New Jersey, California,
etc.). The U.S. Environmental Protection Agency has also included some risk consider
ations in the Risk Management Program (RMP) rule under the Clean Air Act
Ammendments (40CFR68, Risk Management Programs for Chemical Accidental
Release Prevention).
As with any human endeavor, the risk associated with chemical processing facilities
cannot be reduced to zero. Corporate and government approaches to risk management
clearly accept this fact. A number of papers have been published on the application of
CPQRA in the U.S. and overseas, including DeHart and Gaines (1987), Freeman etal.
(1986), Gibson (1980), Goyal (1985), Helmers and Schaller (1982), Hendershot
(1996), Ormsby (1982), Renshaw (1990), Seaman and Pikaar (1995), Van Kuijen
(1987), and Warren Centre (1986).
At the time of the survey in Table 1.8, few companies possessed the technical
resources and expertise required to implement the complete range of CPQBA tech
niques, although most employed some of the techniques. Dow Chemical, Rohm and
Haas, British Petroleum and Union Carbide have published papers describing how
they have implemented elements of CPQEA into formal risk management programs
(Mundt, 1995; Poulson et al., 1991; Renshaw, 1990; and Seaman and Pikaar, 1995).
Many felt that their process safety programs would be substantially enhanced by the use
of appropriate CPQRA techniques in process design and operation, while others did not
see any incremental benefit from implementing CPQRA techniques. The latter believed
that their knowledge and experience already provide for safe plant design and operation.
1.8. Utilization of CPQRA Results
As identified in the management overview section, there are many potential uses of

CPQRA results. All of these are variations of approaches to risk reduction. This section
highlights the relative and absolute application of CPQBA results.
Relative uses of CPQRA results include a comparison and ranking of various risk
reduction schemes based on their competitive effectiveness in reducing risk. A table of
costrisk benefits is constructed (e.g., cost of risk reduction measure vs. reduction in
risk achieved—see Section 4.1). This type of assessment is easier to apply and much less
affected by potential errors in CPQRA than absolute comparisons of risk estimates
with specified targets.
Absolute uses of CPQRA results are usually based on predetermined risk targets.
Several government agencies (e.g., Netherlands—Van Kuijen, 1987) have established
quantitative risk criteria that must be met for planning approvals or for the mainte
nance of existing operations. Figure 1.16 shows some of the risk criteria that have been
used by various organizations. The uncertainty bands for these criteria are generally
plus or minus one order of magnitude. Also, it should be emphasized that the criteria
are dependent upon the method and data specified. CPQBA study results should only
be evaluated against criteria based on the exact methodology used in the study.
A few companies also employ risk targets; however, these are usually for inplant
risks, some of which have been published (Helmers and Schaller, 1982). Targets for
risks to the public are much more difficult to define (e.g., consideration of both indi
vidual and societal risks). Rohm and Haas and British Petroleum are companies that
have established and published risk criteria (Renshaw, 1990). Where targets are being
used, initial risk estimates are compared with these targets. Where the target has not
been achieved, further risk reduction measures are evaluated to reduce the risk estimate
to or below the targeted level. Means to reduce the risk further, below the target, are
usually pursued if the cost of implementing additional risk reduction measures is rea
sonable or the uncertainty of the risk estimate is of substantial concern. For this use,
potential errors in the CPQRA results can be important.
1.9. Project Management
This section offers an overview of the role of CPQRA project management. A CPQRA
must be carefully managed in order to obtain the required results in a timely and cost
effective manner. Project management tasks include study goals (Section 1.9.1), study
Frequency of N or More Fatalities Per Year
Number of Fatalities Per Event
FIGURE 1.16. Acceptable risk criteria. AL>\RA, as low as reasonably achievable.
objectives (Section 1.9.2), depth of study (Section 1.9.3), special user requirements

(Section 1.9.4), project plan (Section 1.9.5), and execution (Section 1.9.6).
Figure 1.17 provides a logic diagram for CPQRA project management. This
figure shows the unique characteristics of a CPQRA, which depart from normal engi
neering project management tasks. These tasks must all be addressed within the bounds
of applicable constraints (risk targets, budget, tools, people, time, and data).
1.9.1. Study Goals
Section 1.3.2 and Table 1.4 describe typical study goals. These can originate from
external sources, such as regulatory agencies, or from internal initiatives (e.g., senior
management).
1.9.2. Study Objectives
It is critical for project management to understand the study goals and to firmly estab
lish study objectives. The study objectives define the project goals in precise terms that
USER DEFINE GOALS OF CPQRA
REQUIREMENTS (TABLE 1.4)
(§1.9-1)
CONVERT GOALS INTO STUDY

OBJECTIVES ANDSECURE
USER ACCEPTANCE
(§1.9.2)
Approved scope of work (initial)
Approved scope of DETERMINE REQUIRED
work (revised) DEPTH OF STUDY TO SATISFY See
OBJECTIVES Figure 1.18
(§1.9.3)
DEFINE DOCUMENTATION
REQUIREMENT TO
SATISFY USER
(§1.9.4)
CONSTRUCT PROJECT PLAN

CONVERT NEW (§1-9.5)
REQUIREMENTS INTO Estimate Resource
REVISED SCOPE OF WORK Requirements (§1.9.5.1)
AND SECURE USER Prepare Schedule (§1.9.5.2)
ACCEPTANCE Establish Quality Assurance
Procedures (§1.9.5.3)
Establish Training
Requirements (§1.9.5.4)
Establish Cost Control
Procedures (§1.9.5.5)
USER REVIEWS DRAFT Draft EXECUTE AND COMPLETE

AND ACCEPTS STUDY OR MODIFIES PROJECT
REQUIREMENTS report (§1.9.6)
STUDY ACCEPTED
FIGURE 1.17. Logic diagram for CPQRA project management.
lead to a project that can be satisfactorily managed to completion. This can best be

accomplished by creating a scope of work document that is reviewed and accepted by
the user. Where user requirements have been defined, in writing, in advance of the
study (e.g., determined by government regulation), this step reduces to interpretation
of the requirements for senior management approval. In converting study goals into
objectives through scope of work documents, project management defines the extent
of study within the organizational hierarchy (Figure 1.13).
Possible study objectives include
• determination of societal risk from company operations that include any of a
specified list of chemicals
• determination of risk to employees from modification to an existing process unit
• identification of cost effective risk reduction measures for achieving target risk
levels for an existing process unit
• evaluation and ranking of competitive process strategies considering impact to
the surrounding community
• determination of relative effectiveness of each of several alternatives to reduce
risk from a single piece of equipment.
1.9.3. Depth of Study
A careful determination of the depth of study is essential if CPQRA goals and objec
tives are to be achieved, adequate resources are to be assigned, and budget and sched
ules are to be controlled. The calculation workload for a given depth of study can
expand factorially as one moves from the origin along any one of the axes of the study
cube (Section 1.3.1). It is essential to estimate this calculation burden prior to finaliz
ing a depth of study so that project costs and schedule requirements can be evaluated. A
risk analyst and a risk methods development specialist can provide project management
with valuable assistance in estimating this workload and with guidance in selecting an
appropriate depth of study.
Figure 1.18 presents a schematic for determining the appropriate depth of study.
Basically, given an approved scope of work, which specifies the risk measures to be cal
culated and presentation formats to be used, the analyst needs to select the following
(Section 1.3.1):
• the appropriate risk estimation technique
• the appropriate complexity of study
• the appropriate number of incidents.
Once values have been assigned to each of these study parameters, the depth of
study—cell within the study cube given in Figure 1.5—has been determined.
SELECTION OF CELL WITHIN CUBE (SECTION 1.3 AND FIGURE 1.5)

APPROVED SCOPE OF WORK
(INITIAL OR REVISED)
Study Objectives SELECT APPROPRIATE RISK
Extent of Study ESTIMATION TECHNIQUE
(See Figure 1.17)
SELECT APPROPRIATE
COMPLEXITY OF STUDY
SELECT APPROPRIATE
NUMBER OF INCIDENTS
Depth of study defined
DEFINE DOCUMENTATION {Figure 1.17)

REQUIREMENTS
FIGURE 1.18. Selection of appropriate depth of study.

Various aids to understanding the depth of study and the sensitivity of each of
these three parameters are provided in this volume. Table 1.5 describes the depths of
study for each of the cells along the main diagonal of the study cube, and Table 1.6
reviews the applicability and sequential order of depth of study for the various levels of
the organizational hierarchy given in Figure 1.13. Table 1.6 shows that if a risk analysis
(as opposed to consequence or frequency analysis) is required for a facility, it is neces
sary to synthesize it from analyses done at the process system or equipment levels.
After a depth of study has been selected, the cost of the study and schedule should
be estimated and presented to the user for approval. At this point, it is often necessary
to revisit study goals and objectives and approved scope of work to see if opportunities
exist for reducing costs or accelerating schedules.
Costs have a direct relationship to each of the three cell parameters. The prioritized
CPQRA Procedure (Section 1.2.2), an illustration of one sequential approach to using
risk estimation techniques, is designed to offer opportunities for cost savings by defer
ring more detailed studies until simple consequence and frequency estimates have been
executed.
Hazard evaluation and consequence calculations are undertaken first to bracket or
bound the risks in a facility or establish the extent of hazard posed by a single piece of
equipment. The depth of consequence studies increases if required at successively
lower levels of the facility's hierarchy (Figure 1.13). Frequency calculations can next be
undertaken for process units, systems, and pieces of equipment; the depth of these
studies follows the same pattern as for consequence studies.
Finally, risk calculations are primarily reserved for process systems and equipment.
The complexity of these calculations and the number of incident outcome cases necessary
for each piece of equipment and associated piping limit use of this technique to screening
or intermediate studies. A decision to select a cell in the risk estimate plane represents a
"quantum jump" in complexity and calculation workload from either the consequence or
frequency planes. To illustrate, consider a system that processes flammable materials that
has 10 incidents selected for study. Suppose these 10 incidents result in 20 separate inci
dent outcomes. If there are 8 wind directions, 3 wind speeds, 3 weather stabilities, and 2
ignition cases for each cloud, there are 144 ( 8 x 3 x 3 x 2 ) incident outcome cases for
each of the 20 incident outcomes. If the calculation grid for a risk contour plot were 10 X
10 (i.e., 100 grid receptor points, which is relatively coarse for drawing risk contours) a
total of 288,000 (20 X 144 X 100) calculations is necessary.
This provides only a basecase estimate of risk. Any evaluation of the range of the
estimate or of risk reduction measures requires multiplication of this burden by another
factor. Such an effort is often impractical for manual implementation. The number of
incident outcome cases to study can expand dramatically based on the depth of study
selected. A single, omnidirectional incident outcome (e.g., BLEVE) produces a single
incident outcome case. A directional toxic incident becomes in effect ^incident out
come cases, where W is the number of weather cases. A flammable directional incident
becomes WI incident outcome cases, where/ is the number of separate cloud ignition
cases. Each incident may lead to several incident outcomes that may lead to many inci
dent outcome cases. In effect, each aspect of the study produces a parameter. The
number of discrete values for this parameter serves as a multiplier in amplifying the
number of cases that need to be constructed and executed by the risk analyst.
TABLE I.9. Parameters Affecting Calculation Burden
Study parameters (XJ* Typical values
/= Number of incident outcomes 530
W Weather stability classes 26
N= Wind direction 816
S= Wind speeds 13
V= Day/night variations 12
E= Number of end points (lethality, serious injury, etc.) 15
T= Ambient temperature cases (season variations) 14
I= Ignition cases 13
P= Population cases 13
G1= Grid points for individual risk contours 1001000
G5= Grid points for societal risk curves 1100
M. = Number of iterations on base case 25
L= Number of risk reduction options to be studied 35
"Parameters listed may or may not apply in the following formula to estimate the study's calculation burden:
Number of calculations = |jX,
i=\
where n = number of applicable parameters and X1 = study parameters from above listing.
Table 1.9 lists typical values for various study parameters and offers a formula for

estimating the number of cases. This listing is not complete, nor are the values offered
applicable to all studies. In fact, a study for a single process unit that considers isolation
and mitigation may have more than 1000 incident outcomes rather than only 5 to 30.
Evaluation of a large facility would require consideration of many such units. Although
the CPQBA methodology presented here applies to these more complex studies,
extensive use of computer models by knowledgeable practitioners is generally recom
mended to provide costeffective results. As with the example presented above, the ana
lyst would develop an estimate by selecting values for those parameters that apply and
multiplying them together. The analyst can also develop estimate sensitivity by varying
parameter values within the ranges given in Table 1.9 and using the resulting variations
to determine confidence limits for the study's cost estimate.
In selecting an appropriate depth of study, balance must be maintained between
trying to construct a representative system model and a manageable CPQRA. Exces
sively realistic scenarios (in terms of the number of incidents considered, the number of
weather and ignition cases, etc.) may result in a study of unacceptable duration or cost,
without providing any significant increase in accuracy or insight into process risk. The
uncertainties in a risk estimate are often such that substantially increasing the number
of incidents considered offers little improvement in estimate quality. A wellselected
CPQRA at a lesser depth of study (for example, one that can exploit symmetry and
restrict weather and ignition cases) may produce very meaningful results at substan
tially reduced computational effort and costs.
1.9.4. Special User Requirements
Before constructing a project plan it is imperative to understand user requirements,

including any special requirements for reporting and documenting study results. Such
special requirements, particularly documentation, may add substantially to project
resource requirements. This is discussed in more detail in Section 4 3.
1.9.5. Construction of a Project Plan
A written project plan should be prepared for every CPQRA, regardless of the scope of
work or depth of study. The circulation and availability of such a plan to members of
the project team provides for communication, team building, and direction. It is only
through the preparation of such a written plan that aspects of the study critical to its
success receive adequate attention.
Various texts on project management offer useful guidance on preparing a project
plan, including suggested plan contents. This material need not be presented here.
However, there are aspects of a project plan for a CPQBA that are unique and these are
discussed in the following sections.
1.9.5.1. ESTIMATION OF RESOURCE REQUIREMENTS

CPQRAs can require considerable resources. However, if the scope of work, depth of
study, and special user requirements are well defined, and if study progress is carefully
monitored, resources can be efficiently managed. Principal resources include people,
time, information, tools, and funding. A typical allocation of these resources for a
CPQBJV of an ordinary process system is shown in Figure 1.19, which is an abbrevi
ated representation of Figure 1.3, through risk estimation. The process system is con
sidered to be of moderate complexity with reactors, distillation train, preheat and heat
recovery systems, and associated daystorage. It is located close to populated areas, but
with no special topographical or other features that might warrant greater depth of
treatment. Resource estimates are provided in Figure 1.19 for the three depths of study
discussed in Table 1.5. Special topics addressed in Chapter 6 are not included in Figure
1.19, as they are not common to all studies. The estimates presented assume a
oncethrough estimate of risk. Further iterations to satisfy acceptability of the risk esti
mate (Figure 1.3) or to satisfy modified user requirements (Figure 1.17) are not
included. The number of iterations can be considered incremental cost multiples of the
oncethrough estimate.
Table 1.10 summarizes the total manpower requirements for the depth of study
alternatives obtained from Figure 1,19. The upper and lower limits are approximations
only. Nonetheless, they are in general agreement with studies conducted by experi
enced companies. The very broad range of time required for frequency estimation
reflects the variation in use of complex tools, such as fault trees. Fault trees are com
monly used in the nuclear industry. As noted on the table, project management activi
INITIAL CPQRA DEPTH OF STUDY ABBREVIATIONS
SELECTED PE PROCESS ENGINEER
SIMPLE/ INTERMEDIATE/ COMPLEX/ RA RISK ANALYST
CONSEQUENCE FREQUENCY RISK MW = PERSON WEEK
PFD PROCESS FLOW DIAGRAM
P&ID = PIPING & INSTRUMENTATION
DIAGRAM
HAZOP = HAZARDS & OPERABILfTY
ANALYSIS DATA BASE DEVELOPMENT STUDY
SIMPLE/ INTERMEDIATE/ COMPLEX/ FMEA = FAILURE MODE 4 EFFECT
DEPTH OF STUDY CONSEQUENCE FREQUENCY RISK ANALYSIS
DATA . PROCESS PLANT ETA . EVENT TREE ANALYSIS
REQUIRED. ENVIRONMENTAL 01. 5 MW 24MW 46 MW FTA FAULT TREE ANALYSIS
LIKELIHOOD
HAZARD IDENTIFICATION & INCIDENT SELECTION
SIMPLE/ INTERMEDIATE/ COMPLEX/
DEPTH OF STUDY CONSEQUENCE FREQUENCY RISK
PEOPLE PE PE PEfRA
EFFORT 0.51. 8 MW 12MW 24MW
TOOLS What if/PHA Course HAZOP HAZOP/FMEA
DATA Concept PFO PFD.P&ID
(Export shown
layout)
INCIDENTS 26 1820 90100
IDENTIFIED
CONSEQUENCE ESTIMATION FREQUENCY ESTIMATION

SIMPLE/ INTERMEDIATE/ COMPLEX/ I SIMPLE/ MODERATE/ COMPLEX/
DEPTH OF STUDY
PEOPLE
ICONSEQUENCE FREQUENCY
PE PE or RA
RISK
PE+RA
DEPTH OF STUDY
PEOPLE
[ CONSEQUENCE FREQUENCY
PE PE or RA
RISK
PE+RA
SIMPLE SPREADSHEET
EFFORT 0.11 MW 23MW 510 MW EFFORT 00.05 MW 0.051 MW 1020 MW
TOOLS SIMPLE DETAILED DETAILED TOOLS HISTORICAL DATA HISTORICAL HISTORICAL
MODELS MODELS MODELS OPTIONAL DATA DATA, SIMPLE
FTA/ETA
DETAILED FTA/ETA
AFTER STUDY
HISTORICAL DATA
PROGRESSION THROUGH DEPTHS OF RISK ESTIMATION
STUDY (REFER TO FIGURE 1.4) SIMPLE/ INTERMEDIATE/ COMPLEX/
DEPTH OF STUDY CONSEQUENCE FREQUENCY RISK
FINDINGSOF INITIALCPQRA REQUIRE PEOPLE PE MW PE+RA RA
INCREASED DEPTH OF STUDY EFFORT 00.05 0.051 MW 25MW
TOOLS MINIMAL MINIMAL OR SIMPLE OR
MODELS SIMPLE DETAILED
COMPUTER COMPUTER
PACKAGE PACKAGE
FIGURE 1.19. Resource allocation guidelines for a process system CPQRA.
ties have not been included in the totals presented. Administration of the project may
require an additional 510% of the total manpower estimates presented.
1.9.5.2. PROJECT SCHEDULING
Table 1.10 provides guidance on the total manpower required for a risk analysis. The
elapsed time is a function, to some degree, of the number of personnel provided, but
there is an inherent task structure in each depth of study that constrains project man
agement from paralleling all individual tasks. Consequence and frequency analyses can
be done in parallel, but must logically follow hazard identification and incident selec
tion. Final risk estimation must await completion of the consequence and frequency
analyses.
TABLE 1.10. Manpower Requirements for Depths of Study of a Single Process
System (UNIT)
Simple/consequence Moderate/frequency Complex/risk

CPQRA CPQRA CPQRA
Activity (personweek)" (personweek)" (personweek)"
Data compilation 0.51.5 24 48

Hazard identification/incident selection 12 24 48
Consequence estimation 0.51 23 310
Frequency estimation 0.51 0.52 320
Risk estimation 0.51 0.52 25
Preparation of final report 0.51.5 24 28
Totals* 3.58 919 1859
"Note that the data presented have units of personweeks. These data also need to be converted to calendar weeks
by the project manager through development of a project schedule. The resulting number of calendar weeks may
be substantially greater than the values shown above, depending on availability of critical personnel, tools, train
ing opportunities, etc.
6
ThC values presented do not include project management activities, which can be estimated as an additional
burden of 510% of the totals shown. Sensitivity studies are also not included and are often required to evaluate
potential risk mitigation measures.
Opportunities to execute tasks in parallel must be* balanced against opportunities

to avoid tasks through following prioritized procedures such as discussed earlier in this
chapter (Section 1.2.2).
In constructing the project schedule, it is important to obtain input and agreement
from the risk analyst and other specialist members or groups. Milestones need to be
established that correlate with the logical end points presented Figure 1.3. Having
welldefined milestones permits meaningful status reports to be issued throughout the
life of the project.
1.9.5.3. QUALITYASSURANCE
The first step in quality assurance is to ensure the adequacy and availability of staff and
resources for the study. Since CPQRA is a relatively new CPI technology, it is likely
that the expertise of staff support will be deficient in certain technology areas. Conse
quently, quality assurance is a critical check and balance procedure of any CPQBA pro
ject plan. Adequate resources need to be assigned to quality assurance as a line item in
the project plan.
Early risk analysis studies (e.g., Rijnmond Public Authority, 1982) were routinely
passed on to independent reviewers. These reviews were budgeted at up to 10% of the
primary budget. Such outside reviews are now less common, but are appropriate for
organizations relatively inexperienced in CPQRA. Alternatively, outside experts may
be commissioned to undertake the study. Their activities can be monitored by com
pany staff. This monitoring may be done by periodic meetings or by a staff member
assigned to the review team.
Such peer reviews or reviews by corporate staff of outsideexpert work products
are only one of several layers of reviews that can be built into the project plan to ensure
TABLE 1.11. CPQRA Reviews and Purposes
Project team internal review

Identify miscommunication; challenge method selections, models used, assumptions, etc. Perform first
complete review of the initial draft report of the study prior to release to the user
Plant staff
Reveal any misrepresentation of plant practices, existing hardware and process configurations, facility
operational data, and site characteristics
Corporate staff
Ensure consistency with previous CPQRA formats, adherence to company CPQKA practices,
adequacy of documentation, etc. If staff includes risk analysts, provide peer review functions to the
project team
Peer or expert review
Review should be carried out by competent risk analysts not involved in the CPQRA. Review should
focus on appropriateness of methods, quality and integrity of the data base used, validity and
reasonableness of assumptions and judgments, as well as recommendations for further study
Management
Assuming the role of user, management should be satisfied that the report meets its requirements
completely, in line with the agreed on scope of work and that all conclusions and recommendations, if
any, are thoroughly understood
quality. The need for reviews by members of the project team, by plant and corporate

staff groups, by peers or experts, and by management should be considered in planning
and scheduling activity. The purposes of these various reviews are given in Table 1.11.
Each of these reviews should produce a written report of findings to the project
team manager. All findings should be formally resolved prior to issuing a final report.
Any report from plant or corporate staff may be useful to add to the study as documen
tation. Reports from peer reviewers or experts should be added to the CPQRA without
alteration to enhance the credibility of the report and to document the performance of
such a critical review.
Even though the component techniques of a CPQRA are rigorous and disciplined,
numerous opportunities exist to introduce uncertainty and error into the study. For
this reason, a formal quality assurance program may be desirable. Such programs have
routinely been developed to assure the quality of probabilistic risk assessments (PRAs)
in the nuclear industry. Such efforts have focused on the following areas of concern
[PRA Procedures Guide (NUREG/CR 2300, 1983)]:
• Completeness. Treatment of the full range of tasks, analyses, and model con
struction and evaluation should be assured. The completeness issue is most sig
nificant in any risk analysis. It includes such diverse concerns as identification of
initiating events, determination of plant and operator responses, specification of
system or component failure modes, physical processes analysis, and application
of numerical input data.
• Comprehensiveness. A probabilistic risk assessment is unlikely to identify every
possible initiating event and event sequence. The aim is to ensure that the signifi
cant contributors to risk are identified and addressed. Assurance must be provided
that comprehensive treatment is given to all phases of the study in a manner that
provides confidence that all significant incidents have been considered.
• Consistency. Consistency in planning, scope, goals, methods, and data within
the study is essential to a credible assessment. Equally important is an attempt to
achieve consistency from one study to another, especially in methodologies and
the application of data, in order to allow comparison between systems or plant
designs. In many cases, the acceptability of an activity is based on its comparabil
ity (risk) with other similar activities. The use of standardized methods and pro
cedures enhance comparability.
• Traceabilily. The ability to retrace the steps taken, that is, reconstruct the
thought process to reproduce an answer, is important not only to the reviewer
and regulator but also to the study team.
• Documentation. The documentation associated with a PRA is substantial.
Large amounts of information are generated during the analysis, and many
assumptions are made. The information must be well documented to permit an
adequate technical review of the work, to ensure reproducible results, to ensure
that the final report is understandable, and to permit peer review and informed
interpretation of the study results.
Identical quality concerns exist in performing CPQEAs. Table 1.12 shows potential
areas within CPQRAs that require attention in the development of specific quality assur
ance procedures. Recognize that this table is not necessarily exhaustive and that any par
ticular CPQRA will have its own quality assurance needs. At the least, planning for every
CPQRA needs to consider how each of the five areas listed above will be addressed.
1.9.5.4. TRAINING REQUIREMENTS

CPQRAs require the use of skilled and experienced personnel. For simpler studies
(consequence or frequency), the skills of the process engineer with some risk analysis
training may be adequate. A CPQBA utilizing the risk plane requires inputs from both
process engineers and risk analysts. A risk analyst without the support of a process engi
neer experienced in the design and operation of the particular process unit, system, or
piece of equipment, is unlikely to understand the process in adequate detail to carry out
the study. Process engineers must be thoroughly trained and have participated in pre
paring risk estimates for real process systems before they undertake CPQRAs without
the assistance of risk analysts.
There are several reference texts and training courses that provide an introduction
to CPQBA (Appendix B). Important skills include knowledge of hazard identification
techniques [reviewed in the HEP Guidelines, Second Edition (AIChE/ CCPS, 1992)]
and the consequence and frequency estimation techniques reviewed in this book.
Useful introductory publications to CPQBA topics include the other texts in the CCPS
Guidelines series, Lees (1980), TNO (1979), and Rijnmond Public Authority (1982).
The technique descriptions in Chapters 2 and 3 identify many useful references specific
to the individual techniques. A topical bibliography that offers numerous references
under many of the topics related to CPQBA is being made available by CCPS on dis
kettes. (Contact CCPS in New York for details.)
TABLE 1.12. Focus of Project Quality Assurance Procedures
Data compilation
• Data, should, be checked as being correct, relevant and uptodate
• Data on chemical toxicity should be reviewed for reasonableness
• Documentation of the sources of data used should be maintained
Incident enumeration and selection

• The historical record should be reviewed
• Incidents should reflect all major inventories of hazardous materials
• Incidents rejected (especially rare, large ones) should be reviewed and documented
• Documentation used for hazard identification and for incident enumeration and selection (HAZOP,
Whatlf. etc.) should be maintained
Consequence estimation
• Models should be well documented
• Trial runs should be compared against known results for validation (to protect against misunderstanding of
model requirements)
• Consequence results should consider all important effects (e.g., explosion analysis should include blast and
thermal radiation effects)
• Effect models should correspond to the study objectives
• Documentation of input data and results should be maintained
Frequency estimation
• Historical data should be confirmed as being applicable
• Fault and event tree model results should be confirmed against the historical record where feasible
• Documentation of the frequency estimation should be maintained
Risk estimation
• Results should be checked against experience for reasonableness
• Audit trail of documentation should he maintained
It is important to note that wellconstructed and wellexecuted CPQRAs rely
heavily on judgment. Short training programs provide users with the necessary tools;
however, judgment can come only from the experience of applying them. Project man
agement must be aware that estimates from inexperienced practitioners need greater
scrutiny than those from accomplished risk analysts.
1.9.5.5. PROJECT COST CONTROL
As CPQBAs can consume substantial resources, attention to cost control in developing
a project plan is essential. Once funding has been approved, it is important to docu
ment the allocation of that funding to accomplish the study. This allocation covers
• manpower costs (internal to the organization)*
• tool acquisition and installation (hardware and software) *
• data acquisition* computer costs
• training costs
• travel
• publication and presentation
• outside consultant services (all types)*
• project overheads
The four starred (*) items above offer unique problems for CPQBA project man
agers. They represent greater uncertainty in preparing project cost estimates than do
the other contributors. Consequently, greater effort to define them for estimate pur
poses is required, and greater attention to them through cost control procedures
during the project is necessary. The project manager must rely on the risk analyst for
estimating model development costs, software acquisition costs, outside consulting
services, and data acquisition expense.
Because of the potential for uncertainty, it is good practice to require that the risk
analyst provide documentation for cost estimates, including statements from any antic
ipated source of outside service (e.g., consultants, data acquisition). For example, if the
scope of work required earthquake analysis and this was beyond the capabilities of the
organization's staff, it would be necessary to provide at least preliminary estimates for
this analysis from outside firms. While this may require additional effort in preparing
resource requirements, this effort should result in better definition of costs prior to
project approvals and the avoidance of cost overruns thereafter. Such documentation
can also be used as input to cost control procedures over the life of the project. Other
wise, routine project cost controls in use for managing capital projects can be applied.
1.9.6. Project Execution
A project manager has successfully completed the project when he has completed his

scope of work. In preparing that scope of work, the project manager should specify the
means of measuring his project's progress in terms of percent completion. To calibrate
the project milestones with completed performance, the project manager needs to
confer with the risk analyst and agree on the assignment of degrees of project comple
tion with logical end points in the CPQRA sequence (Figure 1.3).
The project manager is responsible for providing status reports comparing actual
versus estimated progress presented on the approved project schedule. Causes for
delays or cost overruns need to be investigated and explained, and remedial action iden
tified and implemented where necessary.
1.10. Maintenance of Study Results
CPQRA results should be maintained after the completion of the study as an integral

part of a company's risk management program. Any actions taken as a result of the
study should be documented as well. As discussed in the management overview,
CPQBA results can be important to the company's risk management program (New
Jersey, 1988). Such a program should be kept up to date, and so should the associated
CPQRAs. The CPQEA report should be a living document. As the plant is modified
or as procedures change, the CPQRA should be updated, where relevant, to provide
management with information on the effect of such changes on risk. The CCPS Guide
lines for Process Safety Documentation (1995) describe the documentation in more detail.
It is important to control and monitor the distribution of all copies of a CPQRA
report so that each recipient receives all updates and does not use outdated information
for decisionmaking. Periodically the register of report holders should be used to con
firm location of all report copies and updated throughout the organization.
Documenting the systematic approach followed in performing CPQRAs permits
subsequent readers, perhaps uninvolved with the original work, to follow the analysis.
Each individual stage—hazard and incident identification, consequence and frequency
estimation, and risk estimation—can be important later. The maintenance of CPQRA
results also provides continuity to a risk management program. The importance of
management systems in the reduction of risk is receiving greater attention (Batsone,
1987). Bask management program components discussed by Boyen et al. (1988) are
itemized below, along with their dependencies on maintained CPQRAs:
• Technology
Process Safety Information. The CPQRA provides a current summary of
hazards on the site and a listing and summary of all important relevant docu
ments.
Process Risk Analysis. This is the primary function of the CPQRA, one that
must be kept up to date and made available to new staff.
Management of Change (Technology). All changes/modifications should be
subjected to the same rigor of analysis as the original study.
Rules and Procedures. These should be developed in the context of the
CPQRA results.
• Personnel
Staff Training. The CPQRA presents insights to specific facility risks with all
relevant documents appended or referenced.
Incident Investigation. The CPQRA can be useful in incident investigation,
to check whether the event was properly identified and if protective systems
performed as expected. If not previously identified, it should be added to the
CPQEA and the results recalculated. Additional risk reduction measures may
be suggested.
Auditing. The CPQRA can serve as a guide to the auditor to familiarize the
auditor with major risk contributors and past studies of them.
• Facilities
Equipment Tests and Inspections. The CPQEA highlights the importance
of testing intervals in maintaining protective system reliability. Regular checks
are necessary to ensure these are maintained.
Prestartup Safety Reviews. This function is similar to the auditing role.
Important features are identified for inspection and checking.
Management of Change (Facilities). See Management of Change (Tech
nology).
• Emergencies
CPQEAs can assist in developing a site emergency response plan.
• Some Additional Uses (not specific to the site risk management program)
Community Relations. Discussions with the local community are often aided
by the availability of uptodate CPQRAs.
Plant Comparisons. Many companies operate several plants of similar design.
CPQRA data from one can be used as a guide for new plants or for modifying
other existing plants.
Operating Standards. All the CPQRA component techniques make assump
tions of how the plants should be operated (HAZOP, fault tree failure frequen
cies, consequence calculations, etc.). When documented and kept current, these
can be checked at a later stage for accuracy.
It is important to recognize that a CPQRA shows whether a plant can operate at a
given risk level, but cannot ensure that the plant will operate consistent with the
assumptions used to estimate risk. Naturally, if actual operations differ from study
assumptions, the risk estimates produced cannot be considered representative. Study
assumptions need to reflect reality, and as reality changes, so must study assumptions.
Corresponding risk estimates will need to he undated. Updates can be triggered by
• process changes (e.g., hardware, software, material, procedures), availability of
improved input data (e.g., toxicology data)
• introduction of company risk targets
• advances in CPQRA component techniques
• changes to company property (e.g., neighboring process units, administration
building relocation)
• changes in neighboring property (e.g., expansion of a housing development to
company property limits)
Maintenance of a CPQRA means much more than assuming the availability of a
copy of the original study in an organization's files, though it is important to preserve
and store the results in a secured system. The need to maintain the study should be rec
ognized and accepted at the time the commitment is made to execute the CPQRA. As
with any process documentation, without such commitment, the CPQRA report will
gradually hut assuredly become dated and lose its value to the company's risk manage
ment program.
1,11. References
AIChE/CCPS (1992), Guidelines for Hazard Evaluation Procedures second edition with worked
examples. Center for Chemical Process Safety, American Institute of Chemical Engineers,
New York.
AIChE/CCPS (1995), Tools for Making Acute Risk Decisions, Center for Chemical Process Safety,
American Institute of Chemical Engineers, New York.
AIChE/CCPS (1995), Guidelines for Process Safety Documentation, Center for Chemical Process
Safety, American Institute of Chemical Engineers, New York.
AIChE/CCPS (1994), Guidelines for Implementing Process Safety Management Systems, Center for
Chemical Process Safety, American Institute of Chemical Engineers, New York.
AIChE/CCPS (1989), Guidelines for Technical Management of Chemical Process Safety, Center for
Chemical Process Safety, American Institute of Chemical Engineers, New York.
AIChE/CCPS (1995), Plant Guidelines for Technical Management of Chemical Process Safety,
Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.
AIChE/CCPS (1988a). Guidelines for Safe Storage and Handling of High Toxic Hazard Materials.
Center for Chemical Process Safety. American Institute of Chemical Engineers, New York.
Amendola, A. (1986). "Uncertainties in Systems Reliability Modeling: Insight Gained Through
European Benchmark Exercises," Nuclear Engineering Design 93, 215225, Amsterdam,
The Netherlands: Elsevier Science Publishers.
Arendt, J. S. et al. (1989). ^4 Manager^ Guide to Quantitative Risk Assessment of Chemical Process
Facilities. JBF Associates, Inc., Knoxville, Term., Report No. JBFA11988, prepared for the
Chemical Manufacturers Association, Washington, D.C.; January.
Ballard, G. M. ( I 987). "Reliability Analysis—Present Capability and Future Developments."
SRS Quarterly Digest System Reliability Service, UK Atomic Energy Authority,
Warrington, England, pp. 311, October.
Batsone, R. J. (1987). Proceedings of the International Symposium on Preventing Major Chemical
Accidents. Washington, D.C. (J. L. Woodward, ed.). American Institute of Chemical Engi
neers, New York. Feb. 35.
Box. G. E. P. and Hunter, J. S. (1961). "The 2kp Fractional Factorial Designs. Part 1,"
Technometrics 3(3), 311346.
Boyen, V. E. et al. (1988). "Process Hazards Management." Document developed by Organiza
tion Resource Counselors, Inc. (ORC) [submitted to OSHA for future rulemaking on pro
cess hazards management], Washington, D.C.
Bretherick, L. (1983). Handbook of Reactive Chemical Hazards, 2nd edition. London:
Butterworths.
Carpenter, B. H., and Sweeny, H. C. (1965). "Process Improvement with 'Simplex3
SelfDirecting Evolutionary Operation." Chemical Engineering 72(14), 117126,
DeHart, R., and Gaines, N. ( I 987): "Episodic Risk Management at Union Carbide." AIChE
Spring National Meeting, Symposium on Chemical Risk Analysis, Houston. American
Institute of Chemical Engineers. New York.
Dow3s Fire and Explosion Index—Hazard Classification Guide, 7th edition, 1994. CEP Technical
Manual, American Institute of Chemical Engineers, New York.
Daw's Chemical Exposure Index Guide, 1994 . CEP Technical Manual, American Institute of
Chemical Engineers, New York.
EEC (19X2). "MajorAccident Hazards of Industrial Activities" ("Seveso Directive"). European
Economic Community. Council Directive X2501EEC Official Journal (OJ) Reference
No. L23), 5.8.1982: Amended October 1982. [Available from European Economic Com
munity, Press and Information Services, Delegation of the Commission of European Com
munities, Suite 707, 210OM Street, N.W., Washington, D.C.]
Freeman, R. A. (19X3). "Problems with Risk Analysis in the Chemical Industry." Plant/Opera
tions Progress 2(3), 185190.
Freeman. R. A. et al. (1986). "Assessment of Risks from Acute Hazards at Monsanto." 1986
Annual Meeting, Society for Risk Analysis. Nov. 912, Boston, MA. Society for Risk Analy
sis. 8000 West Park Drive, Suite 400, McLean. VA 2210'.
Gibson, S. B. (1980). "Hazard Analysis and Risk Criteria." Chemical Engineering Progress
(November), 4650.
Goyal, R. K. (19X5). "PRATwo Case Studies from the Oil Industry." Paper presented at Ses
sion 5A of Reliability C85, Symposium Proceedings, July 1012, 1985; VoI 2, p. 5A/3.
Jointly sponsored by National Centre of Systems Reliability. Warrington, England and
Institute of Quality Assurance, London, England.
Hawksley, J. L. (1984). Some Social, Technical and Economical Aspects of the Risks of Large Chemical
Plants. Chemrawn III, World Conference on Resource Material Conversion, The Hague,
June 2529.
Health & Safety Executive (1978). Canvey—An Investigation of Potential Hazards from the Opera
tions in the Canvey Island/Thurrock Area. 195 pp. HMSO. London, UK.
Health & Safety Executive (1981). Canvey—A Second Report, 130 pp. HMSO, London, UK.
Helmers, E. N and L. C. Schaller (1982). "Calculated Process Risk and Hazards Management."
AIChE Meeting, Orlando, FL, Feb. 20Mar. 3. American Institute of Chemical Engineers,
New York.
IChemE (1985). Nomenclature of Hazard and Risk Assessment in the Process Industries. Institution
of Chemical Engineers, UK.
Hendershot, D. C. (1996) "Risk Guidelines as a Risk Management Tool," 1996 Process Plant
Safety Symposium, Houston, TX, April 12, 1996, Session 3
ICI (Imperial Chemical Industries) (1985). TheMondIndex, 2nd edition. ICI PLC, Explosion
Hazards Section. Technical Department. Winnington, Northwick, Cheshire CW8 4DJ,
England.
Joschek K. T. (1983). "Risk Assessment in the Chemical Industry." Plant/Operations Progress
2(1 January), 15.
Kaplan, S., and B. J. Garrick ( 1981). "On the Quantitative Definition of Risk." Risk Analysis
1(1), 1127.
Kilgo, M. B. (1988). "An Application of Fractional Factorial Experimental Designs." Quality
Engineering, \, 1923. American Society for Quality Control and Marcel Dekker, New
York.
Lees, F. P. (1980). Loss Prevention in the Process Industries, 2 Volumes. Butterworths. London
and Boston.
Long, D. E. (1969). "Simplex Optimization of the Response from Chemical Sys terns. "Anal.
Chim. Acta 46,193206.
Marshall, V. C. (1987). Major Chemical Hazards. Wiley, New York.
Mudan, K. S. (1987). "Hazard Ranking for Chemical Processing Facilities." ASME Winter
Annual Meeting, Boston, MA. Dec. 1318. American Society of Mechanical Engineers,
New York.
Nelder, J. A., and Mead, R. (1964). "A Simplex Method for Function Minimization." The Com
puter Journal 7, 308313.
Mundt, A. G. (1995). "Process Risk Management for Facilities and Distribution." AIChE
Summer National Meeting, Boston, July 30Aug 2, American Institute of Chemical Engi
neers, New York.
New Jersey (1983). 'Toxic Catastrophe Prevention Act Program." State of New Jersey,
N.J.A.C. 7: 1, 2, 3, 4 and 6. New Jersey Register, Monday, June 20, 1988, 20 N.J.R. 1402.
NFPA 325M (1984). Fire Hazard Properties of Flammable Liquids, Gases, and Volatile Solids.
National Fire Protection Association, Quincy, MA 02269.
NUREG (1983). PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessment
for Nuclear Power Plants, 2 volumes, NUREG/CR2300, U.S. Nuclear Regulatory Commis
sion, Washington, D.C. (available from NTIS).
NUREG (1984). PZM Status Review in the Nuclear Indusrry, NUREG1050, Nuclear Regula
tory Commission, Washington D.C. September, 1984 (available from NTIS).
NUREG (1985). Probabilistic Safety Analysis Procedures Guide, NUREG/CR2815, Nuclear
Regulatory Commission, Washington D.C. August, 1985 (available from NTIS).
Ormsby, R. W. (1982). "Process Hazards Control at Air Products." Plant/Operations Progress 1,
141144.
Pikaar, J. (1995). "Risk Assessment and Consequence Models." 8th International Symposium on
Loss Prevention and Safety Promotion in the Process Industries^ June 69, 1995, Antwerp, Bel
gium, Keynote lecture on Theme 4.
Pikaar, M. J., and M. A. Seaman (1995). A Review of Risk Control. Zoetermeer, Netherlands:
Ministrie VROM.
PiIz, V. (1980). "What Is Wrong with Risk Analysis?" 3rd International Symposium on Loss
Prevention and Safety Promotion in the Process Industries, Basle, Switzerland, 6/448454.
Swiss Society of Chemical Industries, September 1519.
Poulson, J.M. et al. (1991). "Managing Episodic Incident Risk in a Large Corporation." AIChE
Summer National Meeting, Pittsburgh, Aug 1821, American Institute of Chemical Engi
neers.
Prugh. R. W. (1980). "Application of Fault Tree Analysis." Chemical Engineering Progress July,
5967.
Rijnmond Public Authority (1982). A Risk Analysis of 6 Potentially Hazardous Industrial Objects
in the Rijnmond Area—A Pilot Study. D. Reidel, Dordrecht, the Netherlands and Boston,
MA.
Renshaw, P.M. (1990). "A Major Accident Prevention Program." Plant/Operations Progress
9(3), 194197.
Rosenblum, G. R. et al. (1983). "Integrated Risk Index Systems." Proceedings of the Society for
Risk Analysis. Plenum Press, New York, 1985.
Seaman, M. A., and Pikaar, M. J., "A Review of Risk Control," VROM, 11030/150, June, 1995.
Spendley. W. et al. (1962). "Sequential Application of Simplex Designs in Optimisation and
Evolutionary Operation." TechnomePncs 4(4), November.
TNO (1979). Methods for the Calculation of the Physical Effects of the Escape of Dangerous Materials:
Liquids and Gases, 2 Volumes. P.O. Box 312, 7300 AH Apeldoorn, The Netherlands.
Tyler, B. J. et al. (1996), "A toxicity hazard index," Chemical Health & Safety., January/February,
1996,1925.
USCIP Working Party (1985). "Standard Plan for the Implementation of Hazard Studies 1:
Refineries." Union des Chambres Syndicales de 1' Industrie de Petrole (UCSIP), Paris,
France.
US EPA (1980). "Chemical Selection Method: An Annotated Bibliography": Toxic Integration
Information Series. EPA 560/TTIS80001, November (available from NTIS).
US EPA (1981). "Chemical Scoring System Development," by R. H. Ross and P. Lu, Oak
Ridge National Laboratory. Interagency Agreement No: 79Dx9856, June (available from
NTIS).
Van Kuijen, C. J. ( I 987). "Risk Management in the Netherlands: A Quantitative Approach."
UNIDO Workshop on Hazardous Waste Management and Industrial Safety, Vienna. June
2226.
Warren Centre (1986). Hazard Identification and Risk Control for the Chemical and Related Indus
tries—Major Industrial Hazards Project Report (D. H. Slater, E. R. Corran, and R. M.
Pithlado, eds.). University of Sydney, NSW 2006. Australia.
Watson, S. R. (1994). "The Meaning of Probability in Probabilistic Risk Assessment." Reliabil
ity Engineering and System Safety 45, 261269.
Watson, S. R. (1995). "Response to Yellman andMurray's comment on The meaning of proba
bility in probabilistic risk analysis'." Reliability Engineering and System Safety 49,207209.
World Bank (1985). Manual of* Industrial Hazard AssessmentTechniques. Office of Environmen
tal and Scientific Affairs. World Bank, Washington, D.C.
Yellman, T. W., and Murray, T. M. (1995). "Comment on The meaning of probability in
probabilistic risk analysis'." Reliability Engineering and System Safety 49, 201205.

Chapter 1 - Chemical Process QRA

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 1 - Chemical Process QRA

Uploaded by

Copyright:

Available Formats

Chemical Process

Quantitative Risk Analysis

Chemical process quantitative risk analysis (CPQRA) is a methodology designed to

Acute, rather than chronic, hazards are the principal concern of CPQRA. This

FIGURE 1.1 CPQRA Flowchart

1.1. CPQRA Definitions

Table 1.1 and the Glossary define terms as they are used in this volume. Other tabula­

1.2. Component Techniques of CPQRA

• the full logic of a CPQRA in more detail

Process hazards Initiating events Intermediate events Incident outcomes

Significant inventories of: Process upsets Propagating factors Risk reduction factors Analysis

• CPQRA Definition converts user requirements into study goals (Section

LIKELIHOOD ESTIMATION ANALYSIS DATABASE CO NSE(3UENCE ESTIMAlDON (2)

FIGURE 1.3. Framework for CPQRA methodology and chapter/sect/on headings.

In summary, Figure 1.3 presents the overall structure of CPQRA, and Figure 1.4

1.3. Scope of CPQRA Studies

It is good engineering practice to pay careful attention to the scope of a CPQRA, in

Risk Estimation Technique. Each of the components of this axis corresponds to a

along the axis—from consequence through frequency to risk estimation—but not nec­

Complexity of Study. This axis presents a complexity scale for CPQRAs. Position

NUMBER OF INCIDENTOUTCOME CASES

SMALL MEDIUM LARGE

ADVANCED SIMPLE/ INTERMEDIATE/

1.3.2. Typical Goals of CPQRAs

Localized incident Localized effect zone, limited to a single plant area (e.g., pump fire, small

Major incident Medium effect zone, limited to site boundaries (e.g., major fire, small

Catastrophic incident Large effect zone, off site effects on the surrounding community (e.g., major

PROJECT DETAILED COMMISSIONING DEMOLITION

PROCESS LIFE CYCLE

Conceptually, information requirements increase moving from the origin along

1.4. Management of Incident Lists

Effective management of a CPQRA requires enumeration (Section 1.4.1) and selec­

To Screen or Bracket the Range of Risks Present for Further Study. Screening or bracketing

The HEP Guidelines, Second Edition (AIChE/CCPS, 1992) outlines the roles of

Initial List (All incidents

Revised List (Initial List less

those handled subjectively)

Condensed List (Revised

Expansive List (List

NAME LISTOF INCIDENT^

• vessel number, description, and dimensions

PIPE DIAMETER (INCH)

No Release - Release Tankcar

Gas Liquid and/or

Gas Vents Liquid Flashes

Flame Jet Pool Slowly

Liquid Vapor Plume

Vapor Cloud Plume Ignites,

files, and a directional incident outcome assumed rather than study an omnidirectional

Fireball Assess Impacts

Estimated Jet Flames Assess Impacts

Since these bounds can be established without exhaustively examining all of the

The development of some risk estimates, such as individual risk contours or societal

1.5. Applications of CPQRA

No organization or society has the resources to perform CPQRAs (of any depth) on all

I U the ReleaM Ia There Immediate1 Does a Pool Does the Pool

Since these bounds can be established without exhaustively examining all of the

The development of some risk estimates, such as individual risk contours or societal

1.5. Applications of CPQRA

No organization or society has the resources to perform CPQRAs (of any depth) on all

1.5.1.1. PROCESS HAZARD INDICES

1.5.1.4. FACILITY SCREENING

1.5.2. Applications within Existing Facilities

Table 1.1 and the Glossary define terms as they are used in this volume. Other tabula

along the axis—from consequence through frequency to risk estimation—but not nec

Effective management of a CPQRA requires enumeration (Section 1.4.1) and selec

of the surveyed companies. Concerns have been expressed over the liability implica

/= Number of incident outcomes 530

W Weather stability classes 26

N= Wind direction 816

S= Wind speeds 13

V= Day/night variations 12

E= Number of end points (lethality, serious injury, etc.) 15

T= Ambient temperature cases (season variations) 14

I= Ignition cases 13

P= Population cases 13

G1= Grid points for individual risk contours 1001000

G5= Grid points for societal risk curves 1100

M. = Number of iterations on base case 25

L= Number of risk reduction options to be studied 35

Data compilation 0.51.5 24 48