FIGURE 1.12. Spill event tree for a flammable liquid release. [Event tree branch questions: Is the release instantaneous? Is there immediate ignition? Does a pool form? Does the pool ignite?]

Since these bounds can be established without exhaustively examining all of the incident outcome cases possible, the experienced analyst can manage the number of cases to be examined without compromising the desire to develop a quantitative understanding of the range—a feel for spread—of the risk estimate.

1.4.3. Tracking

The development of some risk estimates, such as individual risk contours or societal risk curves, requires a significant number of calculations even for a simple analysis. This can be time consuming if a manual approach is employed for more than a few incident outcome cases. Chapter 4, Section 4.4, describes risk calculation methods and provides examples of various simplified approaches. The techniques are straightforward; however, many repetitive steps are involved, and there is a large potential for error. A computer spreadsheet or commercial model is generally useful in manipulating, accounting, labeling, and tracking this information. The case studies of Chapter 8 illustrate these grouping, accounting, labeling, and tracking processes.

1.5. Applications of CPQRA

No organization or society has the resources to perform CPQRAs (of any depth) on all conceivable risks. In order to decide where and how to use the resources that are available, it is necessary to select specific subjects for study and to optimize the depth of study for each subject selected. This selection process or screening technique is discussed (Section 1.5.1) along with its use for existing facilities (Section 1.5.2) and new projects (Section 1.5.3).

1.5.1. Screening Techniques

In creating a screening program, it is helpful to determine the organizational levels that are most amenable to screening, and those where CPQRAs can be applied most effectively. Figure 1.13 illustrates the structure of a typical CPI organization. It shows a hierarchical scheme, with the organization divided into facilities (plants), the facilities divided into process units, the process units divided into process systems and the process systems divided into pieces of equipment. A general observation is that the number of possible CPQRAs increases exponentially—but that the scope of each one narrows—moving from the top to the bottom of the hierarchy. Use of CPQRA is typically restricted to the lower levels of the hierarchy, and in those levels it is selectively applied.

Methods are needed to screen—prioritize and select—process units, systems, and equipment for selective application of CPQRA. These methods must ensure that all facilities are considered uniformly in the screening process.

Establishment of a prioritized listing of candidate studies allows efforts to focus on the most onerous hazards first and, depending on available resources, progress to less serious hazards. Certain listings are "zoned" according to high, medium, and low levels of concerns, and studies placed into the lowest class receive attention only after all studies in higher classes have been executed. If a decision is made to zone a priority list, it is important to establish zone cutoff criteria prior to screening in order to avoid bias.

Risk estimates can be developed at any level of the typical CPI organization, but usually focus on specific elements of the lower levels of the hierarchy—for instance, the risk from the rupture of a storage tank. The following discussions of screening methods show that methods are available to study various levels of the typical CPI organization.

FIGURE 1.13. Structure of a typical CPI company. [Hierarchy levels, top to bottom: company headquarters; manufacturing facilities; process units; process systems; process equipment.]

1.5.1.1. PROCESS HAZARD INDICES

Dow Chemical has developed techniques for determining relative hazard indices for unit operations, storage tanks, warehouses, etc. One generates an index for fire and explosion hazards (Dow's Fire & Explosion Index Hazard Classification Guide, 7th ed., AIChE 1994), and another an index for toxic hazards (Dow's Chemical Exposure Index Guide, 1st ed., AIChE 1994). ICI's Mond Division has developed similar techniques (The Mond Index) and has proposed a system for using these indices as a guide to plant layout (ICI, 1985). A modified Mond-like index has also been proposed for evaluation of toxic hazards (Tyler, 1996). These techniques consider the hazards of the material involved, the inventory, operating conditions, and type of operation. While the values of the indices cannot be used in an absolute sense as a measure of risk, they can be used for prioritization, selection, and ranking. The value of the index may be helpful in deciding whether a CPQRA should be applied, and the appropriate depth of study.

1.5.1.2. INVENTORY STUDIES

The inventories of hazardous materials should be itemized (including material in process, in storage, and in transport containers). The information should include significant properties of the material (e.g., toxicity, flammability, explosivity, volatility), normal inventory and maximum potential quantity, and operating or storage conditions. In some cases, screening can, or must, be done by means of government specifications (New Jersey, 1988, and EEC's "Seveso Directive," 1982).

Major hazards can be identified from an inventory study. Where these are toxic hazards, simple dispersion modeling—assuming the worst case and pessimistic atmospheric conditions—can be performed. Where fires or explosions are the hazards, similar simple consequence studies may be made. Estimated effect zones can be plotted on a map to determine potential vulnerabilities (population at risk, financial exposure, business interruption, etc.); for screening purposes, estimates of local populations may be sufficient. Of course, when significant vulnerabilities are found, more thorough studies may be required.

1.5.1.3. CHEMICAL SCORING

Various systems have been developed to assign a numeric value to hazardous chemicals using thermophysical, environmental, toxicological, and reactivity characteristics. The purpose of each system is to provide an objective means of rating and ranking chemicals according to a degree of hazard reference scale. Three of these methodologies are systems proposed by the NFPA 325M (1984), the U.S. EPA (1980, 1981), and Rosenblum et al. (1983).

NFPA has a rating scheme that assigns numeric ratings, from 0 to 4, to process chemicals. These ratings represent increasing health, flammability, and reactivity hazards; the fourth rating uses special symbols to denote special hazards (e.g., reactivity with water). This system is intended to show firefighters the precautions that they should take in fighting fires involving specific materials; however, it can be used as a preliminary guide to process hazards. The U.S. EPA has developed methods for ranking chemicals based on numerical values that reflect the physical and health hazards of the substances. Rosenblum et al. (1983) give an index system that assigns numerical values to the various hazards that chemicals possess and that can be used to prioritize a list of chemicals. This technique is more complex and less-practiced than the NFPA diamond system.

1.5.1.4. FACILITY SCREENING

In addition to the screening techniques presented in previous subsections, other prioritization and selection approaches have been proposed which focus on facilities as opposed to chemicals alone. One such approach has been offered by Mudan (1987). This approach uses mathematical models for blast, fire, and toxicity for screening chemical facilities. A similar approach has been proposed by Renshaw (1990). Less sophisticated approaches have also been used to screen facilities. For example, if the number of facilities to be screened is not too large, and if the organization's safety personnel are sufficiently experienced, it is possible to subjectively rank facilities by consensus. Whatever method is used, it is important to apply it consistently and document the results of its application for future reference and update.

1.5.2. Applications within Existing Facilities

In order to examine process risks from all existing facilities within an organization, it is essential to develop a study plan. This plan documents the screening methods to be used to qualitatively or quantitatively rank all facilities within the organization and then rank all process units within those facilities. These prioritized lists can then be compared and a master list developed which can be used to establish the study plan for CPQRA.

When developing any study plan for existing facilities using a screening method, it is most cost effective to ensure that the plan is directed at the lowest level of the organization's hierarchy (Figure 1.13). Once the prioritized study plan is developed, the depth of CPQRA needs to be determined for each candidate study from the top down. Table 1.6 offers qualitative guidance for determining the depth of CPQRA appropriate for each of the layers of the organizational hierarchy (Figure 1.13). Recognize that this is an idealization where a risk estimate plane CPQRA is reserved for process equipment and system studies only and, even then, only after consequence and frequency plane studies have been completed and show the need for further study.

1.5.3. Applications within New Projects

The depth of study presented in Table 1.6 directly applies to new projects as well. The main distinction between new projects and existing facilities (Figure 1.7) is the information available for use in the CPQRA. Early in a new project, information is constrained, limiting the depth of the study. This constraint is virtually nonexistent for existing facilities. As a new project progresses, the information constraint is gradually removed.

1.6. Limitations of CPQRA

CPQRA limitations must be understood by management if sensible goals are to be established for studies. These limitations must also be understood by the technical personnel responsible for the study. Some references address the potential limitations of CPQRA (Freeman, 1983; Joschek, 1983; Pilz, 1980).

A summary of technical and management limitations, their implications, and possible means for reducing their impact is provided in Table 1.7. More detailed treatment of the technical limitations of CPQRA component techniques is provided in Chapters 2 and 3. Technical limitations of the data required for CPQRA and of special topics are addressed in Chapters 5 and 6, respectively.

From Table 1.7 it is apparent that many of the limitations of CPQRA arise from uncertainty. The estimation of uncertainty is discussed in Section 4.5. Uncertainty should decrease in the future, as models become standardized, equipment failure rate data relevant to the CPI are more fully developed and collected systematically, risk analysis expertise becomes more widely disseminated, and human consequence effect data are more widely developed. Some specific data (e.g., toxicity) are currently incomplete and inexact and are a major source of uncertainty in CPQRA. Where uncertainty is a major issue, relative or comparative uses of CPQRA may be preferable to absolute uses.

TABLE 1.6. Applicability and Sequence Order of Depth of Study for Existing Facilities

| Organizational hierarchy level | Depth of study | Risk estimation technique*: Consequence | Frequency | Risk |
|---|---|---|---|---|
| Company | Simple/consequence | 1 | N.A. | N.A. |
| Company | Intermediate/frequency | N.A. | N.A. | N.A. |
| Company | Complex/risk | N.A. | N.A. | N.A. |
| Facility | Simple/consequence | 1 | 2 | N.A. |
| Facility | Intermediate/frequency | 1 | N.A. | N.A. |
| Facility | Complex/risk | N.A. | N.A. | N.A. |
| Process unit | Simple/consequence | 1 | 2 | 3 |
| Process unit | Intermediate/frequency | 1 | 2 | N.A. |
| Process unit | Complex/risk | 1 | N.A. | N.A. |
| Process system | Simple/consequence | 1 | 2 | 3 |
| Process system | Intermediate/frequency | 1 | 2 | 3 |
| Process system | Complex/risk | 1 | 2 | 3 |
| Equipment | Simple/consequence | 1 | 2 | 3 |
| Equipment | Intermediate/frequency | 1 | 2 | 3 |
| Equipment | Complex/risk | 1 | 2 | 3 |

*NA, not applicable; 1, first task in series; 2, second task in series; 3, third task in series.

TABLE 1.7. Limitations of CPQRA and Means to Address Them

TECHNICAL

Cause of limitation:
• Incomplete or inadequate enumeration of incidents
• Improper selection of incidents
• Unavailability of required data
• Consequence or frequency model assumptions/validity

Implication to CPQRA:
• Underestimate risk for a representative set or expansive list of incidents
• Underestimate risk for all incident groupings
• Possibility of systematic bias
• Uncertainty in consequences, frequencies, or risk estimates
• Incorrect prioritization of major risk contributors
• Similar in effect to data limitations

Remedies:
• Require proper documentation
• Involve experienced CPQRA practitioners
• Apply alternative enumeration techniques
• Peer review/quality control
• Review by facility design and operations personnel
• Involve experienced CPQRA practitioners
• Apply alternative enumeration techniques
• Peer review/quality control
• Review by facility design and operations personnel
• Secure additional resources for data acquisition
• Expert review/judgment
• Ensure that knowledgeable people are involved in assessing available data
• Check results against other models or historical incident records; evaluate sensitivities
• Ensure appropriate peer review
• Check results against other models or historical incident records
• Ensure that models are applied within the range intended by model developers
• Ensure that mathematical or numerical approximations that may be used for convenience do not compromise results
• Use, if feasible, different models (e.g., a more conservative and a more optimistic model) to establish the impact of this type of uncertainty

MANAGEMENT

Cause of limitation:
• Resource limitations (personnel, time, models)
• Skills unavailable

Implication to CPQRA:
• Insufficient time to complete depth of study
• Insufficient depth of study
• Inadequate quality of study
• Incorrect preparation and analysis
• Improper interpretation of results

Remedies:
• Extend schedule
• Defer study until resources available
• Identify major risk contributors and emphasize these
• Amend scope of work
• Acquire expertise through training programs, new personnel, or consultants

Where CPQRA risk estimates are to be compared in an absolute sense to risk targets, or risk "acceptability criteria," concern should increase over the issue of absolute accuracy of these estimates. Unlike process economic studies such as discounted cash flow analysis that use cost estimate qualities with an accuracy of +15%, CPQRA estimates have much greater absolute uncertainty, typically covering one or more orders of magnitude. The estimate's uncertainty is directly proportional to the depth and detail of the calculation and quality of models and data available and used.

Both the Canvey Island (Health & Safety Executive, 1978, 1981) and Rijnmond Public Authority (1982) studies present discussions of uncertainty and accuracy, and the reader is referred there for further detail. Two other sources of insight into the issue of absolute accuracy and uncertainty are also available. Figure 1.14, taken from Ballard (1987), summarizes data collected by the National Centre of Systems Reliability on a number of reliability assessments for the period 1972-1987. The diagram was developed through collecting data on the actual performances of plants and process systems and prior estimates of the reliability of these same plants and process systems. While there are a number of uncertainties related to the studies, data collection methods, etc., as stated by Ballard, "it is clear [from Figure 1.14] that in an overall sense one can expect the results of a reliability study to give a very good indication of the likely accident frequency from a plant." The 2:1 and 4:1 ranges shown on Figure 1.14 indicate that about 60% of the predictions of failure rates were within a factor of two and about 95% were within a factor of four of actual performance data.

While Figure 1.14 presents cause for accepting risk estimates as reasonable, the second source of insight offers cause for concern. Figure 1.15, taken from Arendt et al. (1989), summarizes the results of a European benchmark study (see Amendola, 1986) that showed the difficulty in reproducing CPQRA estimates, and the substantial dependency of these estimates on the very basic, defendable, but different assumptions made by various teams of analysts. Each of the teams in the study was given identical systems to analyze, the component techniques to use, and a common Analysis Data Base. The teams were also allowed complete freedom in making assumptions, selecting incidents to study, choosing failure rate data, etc. Figure 1.15 shows that the resulting estimates ranged over several orders of magnitude, well beyond the range of uncertainty calculated by some of the teams. When the teams were subsequently directed to follow similar assumptions, the resulting estimates converged to a much more acceptable range (i.e., within a factor of 5). This study and its implications is discussed in more detail in Chapter 4. Consequently, it is important to recognize that along with the technical uncertainties associated with models and data discussed elsewhere in this book, the essence of the accuracy and corresponding uncertainty of a risk estimate also depend heavily upon the expertise and judgment of the analyst. The need to document and review such assumptions is discussed in depth in Section 1.9.5.3 on Quality Assurance.

FIGURE 1.14. Frequency distribution of the failure rate ratio collected by the National Centre of Systems Reliability over the period 1972-1987. From Ballard (1987), reprinted with permission. [Axes: failure rate ratio; cumulative frequency.]

FIGURE 1.15. Results of European Benchmark Study. From Arendt et al. (1989), reprinted with permission. [Axes: teams of CPQRA experts; annual system failure probability.]

1.7. Current Practices

Safety in design and operation has been important to the CPI since its inception. A wide range of safety techniques, many of which are currently used by companies and regulatory agencies, have evolved. In the preparation of the original edition of this book, a survey was conducted of 29 major chemical and petroleum companies—believed to represent the majority of companies practicing CPQRA techniques in 1986. The results of the survey are summarized in Table 1.8.

All companies use basic engineering codes and standards as part of their safety review. Virtually all companies utilize some qualitative methods for hazard identification. The most common techniques include checklist and index methods. About 60% of the surveyed companies use structured techniques such as HAZOPs or FMEAs. Some companies have their own customized or combined versions, which they refer to as process hazard review techniques. Almost half of these companies are using one of the risk estimation techniques. Quantitative risk targets are being used by about 10% of the surveyed companies. Concerns have been expressed over the liability implications of conducting CPQRAs because the existence of these studies implies acceptance of certain levels of risk. Some companies continue to rely on established practice (as specified by engineering codes or standard practices). On legal advice, some are reluctant to produce CPQRAs, fearing that misinterpretation of risk estimates could be damaging. The counter argument, expressed by those companies that perform CPQRAs, is that the expected reduction in frequency of occurrence or consequence of various incidents more than offsets potential legal difficulties.

TABLE 1.8. Survey of Process Safety Techniques in Use (a)

| Safety technique | Percentage of surveyed companies using technique |
|---|---|
| Existing techniques | |
| Codes and standards | 100 |
| Unstructured hazard identification (e.g., indices, judgment) | 95 |
| Structured hazard identification (e.g., HAZOP, FMEA) | 60 |
| CPQRA techniques | |
| Consequence estimation | 40 |
| Frequency estimation | 30 |
| Risk estimation | 20 |
| Use of risk targets | 10 |

(a) Basis: Survey of 29 major U.S. companies (chemical and petroleum) done by Technica in 1986.

A few of the companies surveyed have clear corporate risk policies and targets, which have strong and active corporate board level support. In these companies, the application of various CPQRA techniques plays an important part in the decision-making process. This commitment is reflected in the quality of staff and resources available to CPQRA.

In the public arena, the U.S. government and national organizations have expressed substantial interest in CPQRA techniques. In some states, legislation requiring quantitative risk assessment has been considered or enacted. The establishment of formal risk management programs, which include elements of CPQRA techniques, is a fundamental requirement for most of the legislation (e.g., New Jersey, California, etc.). The U.S. Environmental Protection Agency has also included some risk considerations in the Risk Management Program (RMP) rule under the Clean Air Act Amendments (40CFR68, Risk Management Programs for Chemical Accidental Release Prevention).

As with any human endeavor, the risk associated with chemical processing facilities cannot be reduced to zero. Corporate and government approaches to risk management clearly accept this fact. A number of papers have been published on the application of CPQRA in the U.S. and overseas, including DeHart and Gaines (1987), Freeman et al. (1986), Gibson (1980), Goyal (1985), Helmers and Schaller (1982), Hendershot (1996), Ormsby (1982), Renshaw (1990), Seaman and Pikaar (1995), Van Kuijen (1987), and Warren Centre (1986).

At the time of the survey in Table 1.8, few companies possessed the technical resources and expertise required to implement the complete range of CPQRA techniques, although most employed some of the techniques. Dow Chemical, Rohm and Haas, British Petroleum and Union Carbide have published papers describing how they have implemented elements of CPQRA into formal risk management programs (Mundt, 1995; Poulson et al., 1991; Renshaw, 1990; and Seaman and Pikaar, 1995). Many felt that their process safety programs would be substantially enhanced by the use of appropriate CPQRA techniques in process design and operation, while others did not see any incremental benefit from implementing CPQRA techniques. The latter believed that their knowledge and experience already provide for safe plant design and operation.

1.8. Utilization of CPQRA Results

As identified in the management overview section, there are many potential uses of CPQRA results. All of these are variations of approaches to risk reduction. This section highlights the relative and absolute application of CPQRA results.

Relative uses of CPQRA results include a comparison and ranking of various risk reduction schemes based on their competitive effectiveness in reducing risk. A table of cost-risk benefits is constructed (e.g., cost of risk reduction measure vs. reduction in risk achieved—see Section 4.1). This type of assessment is easier to apply and much less affected by potential errors in CPQRA than absolute comparisons of risk estimates with specified targets.

Absolute uses of CPQRA results are usually based on predetermined risk targets. Several government agencies (e.g., Netherlands—Van Kuijen, 1987) have established quantitative risk criteria that must be met for planning approvals or for the maintenance of existing operations. Figure 1.16 shows some of the risk criteria that have been used by various organizations. The uncertainty bands for these criteria are generally plus or minus one order of magnitude. Also, it should be emphasized that the criteria are dependent upon the method and data specified. CPQRA study results should only be evaluated against criteria based on the exact methodology used in the study.

A few companies also employ risk targets; however, these are usually for in-plant risks, some of which have been published (Helmers and Schaller, 1982). Targets for risks to the public are much more difficult to define (e.g., consideration of both individual and societal risks). Rohm and Haas and British Petroleum are companies that have established and published risk criteria (Renshaw, 1990). Where targets are being used, initial risk estimates are compared with these targets. Where the target has not been achieved, further risk reduction measures are evaluated to reduce the risk estimate to or below the targeted level. Means to reduce the risk further, below the target, are usually pursued if the cost of implementing additional risk reduction measures is reasonable or the uncertainty of the risk estimate is of substantial concern. For this use, potential errors in the CPQRA results can be important.

1.9. Project Management

This section offers an overview of the role of CPQRA project management. A CPQRA must be carefully managed in order to obtain the required results in a timely and cost effective manner. Project management tasks include study goals (Section 1.9.1), study objectives (Section 1.9.2), depth of study (Section 1.9.3), special user requirements (Section 1.9.4), project plan (Section 1.9.5), and execution (Section 1.9.6).

FIGURE 1.16. Acceptable risk criteria. ALARA, as low as reasonably achievable. [Axes: number of fatalities per event; frequency of N or more fatalities per year.]

Figure 1.17 provides a logic diagram for CPQRA project management. This figure shows the unique characteristics of a CPQRA, which depart from normal engineering project management tasks. These tasks must all be addressed within the bounds of applicable constraints (risk targets, budget, tools, people, time, and data).

1.9.1. Study Goals

Section 1.3.2 and Table 1.4 describe typical study goals. These can originate from external sources, such as regulatory agencies, or from internal initiatives (e.g., senior management).

1.9.2. Study Objectives

It is critical for project management to understand the study goals and to firmly establish study objectives. The study objectives define the project goals in precise terms that lead to a project that can be satisfactorily managed to completion. This can best be accomplished by creating a scope of work document that is reviewed and accepted by the user. Where user requirements have been defined, in writing, in advance of the study (e.g., determined by government regulation), this step reduces to interpretation of the requirements for senior management approval. In converting study goals into objectives through scope of work documents, project management defines the extent of study within the organizational hierarchy (Figure 1.13).

FIGURE 1.17. Logic diagram for CPQRA project management. [Flowchart boxes: User requirements; Define goals of CPQRA (Table 1.4) (§1.9.1); Convert goals into study objectives and secure user acceptance (§1.9.2); Approved scope of work (initial); Approved scope of work (revised); Determine required depth of study to satisfy objectives (§1.9.3; see Figure 1.18); Define documentation requirement to satisfy user (§1.9.4); Construct project plan (§1.9.5): estimate resource requirements (§1.9.5.1), prepare schedule (§1.9.5.2), establish quality assurance procedures (§1.9.5.3), establish training requirements (§1.9.5.4), establish cost control procedures (§1.9.5.5); Execute and complete project (§1.9.6); Draft report; User reviews draft and accepts study or modifies requirements; Convert new requirements into revised scope of work and secure user acceptance; Study accepted.]

Possible study objectives include

• determination of societal risk from company operations that include any of a specified list of chemicals
• determination of risk to employees from modification to an existing process unit
• identification of cost effective risk reduction measures for achieving target risk levels for an existing process unit
• evaluation and ranking of competitive process strategies considering impact to the surrounding community
• determination of relative effectiveness of each of several alternatives to reduce risk from a single piece of equipment.

1.9.3. Depth of Study

A careful determination of the depth of study is essential if CPQRA goals and objectives are to be achieved, adequate resources are to be assigned, and budget and schedules are to be controlled. The calculation workload for a given depth of study can expand factorially as one moves from the origin along any one of the axes of the study cube (Section 1.3.1). It is essential to estimate this calculation burden prior to finalizing a depth of study so that project costs and schedule requirements can be evaluated. A risk analyst and a risk methods development specialist can provide project management with valuable assistance in estimating this workload and with guidance in selecting an appropriate depth of study.

Figure 1.18 presents a schematic for determining the appropriate depth of study. Basically, given an approved scope of work, which specifies the risk measures to be calculated and presentation formats to be used, the analyst needs to select the following (Section 1.3.1):

• the appropriate risk estimation technique
• the appropriate complexity of study
• the appropriate number of incidents.

Once values have been assigned to each of these study parameters, the depth of study—cell within the study cube given in Figure 1.5—has been determined.

FIGURE 1.18. Selection of appropriate depth of study. [Flowchart boxes: Approved scope of work (initial or revised): study objectives, extent of study (see Figure 1.17); Selection of cell within cube (Section 1.3 and Figure 1.5): select appropriate risk estimation technique, select appropriate complexity of study, select appropriate number of incidents; Depth of study defined; Define documentation requirements (Figure 1.17).]

Various aids to understanding the depth of study and the sensitivity of each of these three parameters are provided in this volume. Table 1.5 describes the depths of study for each of the cells along the main diagonal of the study cube, and Table 1.6 reviews the applicability and sequential order of depth of study for the various levels of the organizational hierarchy given in Figure 1.13. Table 1.6 shows that if a risk analysis (as opposed to consequence or frequency analysis) is required for a facility, it is necessary to synthesize it from analyses done at the process system or equipment levels.

After a depth of study has been selected, the cost of the study and schedule should be estimated and presented to the user for approval. At this point, it is often necessary to revisit study goals and objectives and approved scope of work to see if opportunities exist for reducing costs or accelerating schedules.

Costs have a direct relationship to each of the three cell parameters. The prioritized CPQRA Procedure (Section 1.2.2), an illustration of one sequential approach to using risk estimation techniques, is designed to offer opportunities for cost savings by deferring more detailed studies until simple consequence and frequency estimates have been executed.

Hazard evaluation and consequence calculations are undertaken first to bracket or bound the risks in a facility or establish the extent of hazard posed by a single piece of equipment. The depth of consequence studies increases if required at successively lower levels of the facility's hierarchy (Figure 1.13). Frequency calculations can next be undertaken for process units, systems, and pieces of equipment; the depth of these studies follows the same pattern as for consequence studies.

Finally, risk calculations are primarily reserved for process systems and equipment. The complexity of these calculations and the number of incident outcome cases necessary for each piece of equipment and associated piping limit use of this technique to screening or intermediate studies. A decision to select a cell in the risk estimate plane represents a "quantum jump" in complexity and calculation workload from either the consequence or frequency planes. To illustrate, consider a system that processes flammable materials that has 10 incidents selected for study. Suppose these 10 incidents result in 20 separate incident outcomes. If there are 8 wind directions, 3 wind speeds, 3 weather stabilities, and 2 ignition cases for each cloud, there are 144 (8 × 3 × 3 × 2) incident outcome cases for each of the 20 incident outcomes. If the calculation grid for a risk contour plot were 10 × 10 (i.e., 100 grid receptor points, which is relatively coarse for drawing risk contours), a total of 288,000 (20 × 144 × 100) calculations is necessary.

This provides only a base-case estimate of risk. Any evaluation of the range of the estimate or of risk reduction measures requires multiplication of this burden by another factor. Such an effort is often impractical for manual implementation. The number of incident outcome cases to study can expand dramatically based on the depth of study selected. A single, omnidirectional incident outcome (e.g., BLEVE) produces a single incident outcome case. A directional toxic incident becomes in effect W incident outcome cases, where W is the number of weather cases. A flammable directional incident becomes WI incident outcome cases, where I is the number of separate cloud ignition cases. Each incident may lead to several incident outcomes that may lead to many incident outcome cases. In effect, each aspect of the study produces a parameter. The number of discrete values for this parameter serves as a multiplier in amplifying the number of cases that need to be constructed and executed by the risk analyst.

TABLE 1.9. Parameters Affecting Calculation Burden

| Study parameters (X_i)ᵃ | Typical values |
|---|---|
| / = Number of incident outcomes | 5-30 |
| W = Weather stability classes | 2-6 |
| N = Wind direction | 8-16 |
| S = Wind speeds | 1-3 |
| V = Day/night variations | 1-2 |
| E = Number of end points (lethality, serious injury, etc.) | 1-5 |
| T = Ambient temperature cases (season variations) | 1-4 |
| I = Ignition cases | 1-3 |
| P = Population cases | 1-3 |
| G1 = Grid points for individual risk contours | 100-1000 |
| G5 = Grid points for societal risk curves | 1-100 |
| M = Number of iterations on base case | 2-5 |
| L = Number of risk reduction options to be studied | 3-5 |

ᵃ Parameters listed may or may not apply in the following formula to estimate the study's calculation burden:

Number of calculations = $\prod_{i=1}^{n} X_i$

where n = number of applicable parameters and X_i = study parameters from above listing.

Table 1.9 lists typical values for various study parameters and offers a formula for estimating the number of cases. This listing is not complete, nor are the values offered applicable to all studies. In fact, a study for a single process unit that considers isolation and mitigation may have more than 1000 incident outcomes rather than only 5 to 30. Evaluation of a large facility would require consideration of many such units. Although the CPQRA methodology presented here applies to these more complex studies, extensive use of computer models by knowledgeable practitioners is generally recommended to provide cost-effective results. As with the example presented above, the analyst would develop an estimate by selecting values for those parameters that apply and multiplying them together. The analyst can also develop estimate sensitivity by varying parameter values within the ranges given in Table 1.9 and using the resulting variations to determine confidence limits for the study's cost estimate.
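The burden estimate and its sensitivity to parameter ranges, worked as an added Python example (not part of the original text). Function and key names are chosen here for illustration; the ranges are those of Table 1.9, and the incident-type rules (one case for an omnidirectional outcome, W for a directional toxic outcome, WI for a directional flammable outcome) are the ones stated above.

```python
from math import prod

# Typical (low, high) values from Table 1.9. The key names are chosen for
# this example; the numbers are the table's.
TABLE_1_9 = {
    "incident_outcomes": (5, 30),
    "stability_classes": (2, 6),
    "wind_directions": (8, 16),
    "wind_speeds": (1, 3),
    "day_night": (1, 2),
    "end_points": (1, 5),
    "temperature_cases": (1, 4),
    "ignition_cases": (1, 3),
    "population_cases": (1, 3),
    "grid_individual": (100, 1000),
    "grid_societal": (1, 100),
    "base_case_iterations": (2, 5),
    "risk_reduction_options": (3, 5),
}


def calculation_burden(values):
    """Number of calculations = product of the applicable parameters X_1..X_n.

    `values` maps a parameter name to the value selected for this study.
    Values outside the typical ranges are allowed, since the text notes that
    the ranges do not apply to every study.
    """
    for name, x in values.items():
        if not isinstance(x, int) or x < 1:
            raise ValueError(f"{name} must be a positive integer, got {x!r}")
    return prod(values.values())


def burden_range(applicable):
    """Low and high burden with every applicable parameter at its table bound."""
    low = prod(TABLE_1_9[name][0] for name in applicable)
    high = prod(TABLE_1_9[name][1] for name in applicable)
    return low, high


def outcome_cases(kind, weather_cases, ignition_cases=1):
    """Incident outcome cases produced by one incident outcome of a given kind."""
    if kind == "omnidirectional":        # e.g., BLEVE: a single case
        return 1
    if kind == "toxic_directional":      # W cases
        return weather_cases
    if kind == "flammable_directional":  # W * I cases
        return weather_cases * ignition_cases
    raise ValueError(f"unknown incident outcome kind: {kind}")


def study_cases(outcome_counts, weather_cases, ignition_cases, grid_points):
    """Return (incident outcome cases, grid calculations) for a mix of outcomes.

    `outcome_counts` maps an outcome kind to how many such outcomes are studied.
    """
    cases = sum(
        count * outcome_cases(kind, weather_cases, ignition_cases)
        for kind, count in outcome_counts.items()
    )
    return cases, cases * grid_points


if __name__ == "__main__":
    # The worked example from the text: 20 flammable outcomes, 8 wind
    # directions x 3 wind speeds x 3 stabilities, 2 ignition cases, 10 x 10 grid.
    weather = 8 * 3 * 3
    print(study_cases({"flammable_directional": 20}, weather, 2, 100))

    # A constructed mix of outcome kinds with the same weather and grid choices.
    mix = {"omnidirectional": 2, "toxic_directional": 5, "flammable_directional": 13}
    print(study_cases(mix, weather, 2, 100))

    # Spread of the estimate if the same six parameters vary over Table 1.9.
    applicable = ["incident_outcomes", "wind_directions", "wind_speeds",
                  "stability_classes", "ignition_cases", "grid_individual"]
    print(burden_range(applicable))
```

The spread returned by `burden_range` covers more than three orders of magnitude for only six parameters, which is why the burden has to be estimated before the depth of study is fixed.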

In selecting an appropriate depth of study, balance must be maintained between trying to construct a representative system model and a manageable CPQRA. Excessively realistic scenarios (in terms of the number of incidents considered, the number of weather and ignition cases, etc.) may result in a study of unacceptable duration or cost, without providing any significant increase in accuracy or insight into process risk. The uncertainties in a risk estimate are often such that substantially increasing the number of incidents considered offers little improvement in estimate quality. A well-selected CPQRA at a lesser depth of study (for example, one that can exploit symmetry and restrict weather and ignition cases) may produce very meaningful results at substantially reduced computational effort and costs.

1.9.4. Special User Requirements

Before constructing a project plan it is imperative to understand user requirements, including any special requirements for reporting and documenting study results. Such special requirements, particularly documentation, may add substantially to project resource requirements. This is discussed in more detail in Section 4.3.

1.9.5. Construction of a Project Plan

A written project plan should be prepared for every CPQRA, regardless of the scope of work or depth of study. The circulation and availability of such a plan to members of the project team provides for communication, team building, and direction. It is only through the preparation of such a written plan that aspects of the study critical to its success receive adequate attention.

Various texts on project management offer useful guidance on preparing a project plan, including suggested plan contents. This material need not be presented here. However, there are aspects of a project plan for a CPQRA that are unique and these are discussed in the following sections.

1.9.5.1. ESTIMATION OF RESOURCE REQUIREMENTS

CPQRAs can require considerable resources. However, if the scope of work, depth of study, and special user requirements are well defined, and if study progress is carefully monitored, resources can be efficiently managed. Principal resources include people, time, information, tools, and funding. A typical allocation of these resources for a CPQRA of an ordinary process system is shown in Figure 1.19, which is an abbreviated representation of Figure 1.3, through risk estimation. The process system is considered to be of moderate complexity with reactors, distillation train, preheat and heat recovery systems, and associated day-storage. It is located close to populated areas, but with no special topographical or other features that might warrant greater depth of treatment. Resource estimates are provided in Figure 1.19 for the three depths of study discussed in Table 1.5. Special topics addressed in Chapter 6 are not included in Figure 1.19, as they are not common to all studies. The estimates presented assume a once-through estimate of risk. Further iterations to satisfy acceptability of the risk estimate (Figure 1.3) or to satisfy modified user requirements (Figure 1.17) are not included. The number of iterations can be considered incremental cost multiples of the once-through estimate.

Table 1.10 summarizes the total manpower requirements for the depth of study alternatives obtained from Figure 1.19. The upper and lower limits are approximations only. Nonetheless, they are in general agreement with studies conducted by experienced companies. The very broad range of time required for frequency estimation reflects the variation in use of complex tools, such as fault trees. Fault trees are commonly used in the nuclear industry. As noted on the table, project management activities have not been included in the totals presented. Administration of the project may require an additional 5-10% of the total manpower estimates presented.

FIGURE 1.19. Resource allocation guidelines for a process system CPQRA.

1.9.5.2. PROJECT SCHEDULING

Table 1.10 provides guidance on the total manpower required for a risk analysis. The elapsed time is a function, to some degree, of the number of personnel provided, but there is an inherent task structure in each depth of study that constrains project management from paralleling all individual tasks. Consequence and frequency analyses can be done in parallel, but must logically follow hazard identification and incident selection. Final risk estimation must await completion of the consequence and frequency analyses.

[Figure 1.19 (chart): for each initial CPQRA depth of study selected (simple/consequence, intermediate/frequency, complex/risk), panels give the people, effort, tools, and data for analysis data base development, hazard identification and incident selection, consequence estimation, frequency estimation, and risk estimation, with progression through depths of study (refer to Figure 1.4) when findings of the initial CPQRA require increased depth of study.]

Abbreviations: PE = process engineer; RA = risk analyst; MW = person week; PFD = process flow diagram; P&ID = piping & instrumentation diagram; HAZOP = hazards & operability study; FMEA = failure mode & effect analysis; ETA = event tree analysis; FTA = fault tree analysis.

Opportunities to execute tasks in parallel must be balanced against opportunities to avoid tasks through following prioritized procedures such as discussed earlier in this chapter (Section 1.2.2).

In constructing the project schedule, it is important to obtain input and agreement from the risk analyst and other specialist members or groups. Milestones need to be established that correlate with the logical end points presented in Figure 1.3. Having well-defined milestones permits meaningful status reports to be issued throughout the life of the project.

1.9.5.3. QUALITY ASSURANCE

The first step in quality assurance is to ensure the adequacy and availability of staff and resources for the study. Since CPQRA is a relatively new CPI technology, it is likely that the expertise of staff support will be deficient in certain technology areas. Consequently, quality assurance is a critical check and balance procedure of any CPQRA project plan. Adequate resources need to be assigned to quality assurance as a line item in the project plan.

Early risk analysis studies (e.g., Rijnmond Public Authority, 1982) were routinely passed on to independent reviewers. These reviews were budgeted at up to 10% of the primary budget. Such outside reviews are now less common, but are appropriate for organizations relatively inexperienced in CPQRA. Alternatively, outside experts may be commissioned to undertake the study. Their activities can be monitored by company staff. This monitoring may be done by periodic meetings or by a staff member assigned to the review team.

Such peer reviews or reviews by corporate staff of outside-expert work products are only one of several layers of reviews that can be built into the project plan to ensure quality. The need for reviews by members of the project team, by plant and corporate staff groups, by peers or experts, and by management should be considered in planning and scheduling activity. The purposes of these various reviews are given in Table 1.11.

TABLE 1.10. Manpower Requirements for Depths of Study of a Single Process System (UNIT)

| Activity | Simple/consequence CPQRA (person-week)ᵃ | Moderate/frequency CPQRA (person-week)ᵃ | Complex/risk CPQRA (person-week)ᵃ |
|---|---|---|---|
| Data compilation | 0.5-1.5 | 2-4 | 4-8 |
| Hazard identification/incident selection | 1-2 | 2-4 | 4-8 |
| Consequence estimation | 0.5-1 | 2-3 | 3-10 |
| Frequency estimation | 0.5-1 | 0.5-2 | 3-20 |
| Risk estimation | 0.5-1 | 0.5-2 | 2-5 |
| Preparation of final report | 0.5-1.5 | 2-4 | 2-8 |
| Totalsᵇ | 3.5-8 | 9-19 | 18-59 |

ᵃ Note that the data presented have units of person-weeks. These data also need to be converted to calendar weeks by the project manager through development of a project schedule. The resulting number of calendar weeks may be substantially greater than the values shown above, depending on availability of critical personnel, tools, training opportunities, etc.

ᵇ The values presented do not include project management activities, which can be estimated as an additional burden of 5-10% of the totals shown. Sensitivity studies are also not included and are often required to evaluate potential risk mitigation measures.

TABLE 1.11. CPQRA Reviews and Purposes

| Review | Purpose |
|---|---|
| Project team internal review | Identify miscommunication; challenge method selections, models used, assumptions, etc. Perform first complete review of the initial draft report of the study prior to release to the user |
| Plant staff | Reveal any misrepresentation of plant practices, existing hardware and process configurations, facility operational data, and site characteristics |
| Corporate staff | Ensure consistency with previous CPQRA formats, adherence to company CPQRA practices, adequacy of documentation, etc. If staff includes risk analysts, provide peer review functions to the project team |
| Peer or expert review | Review should be carried out by competent risk analysts not involved in the CPQRA. Review should focus on appropriateness of methods, quality and integrity of the data base used, validity and reasonableness of assumptions and judgments, as well as recommendations for further study |
| Management | Assuming the role of user, management should be satisfied that the report meets its requirements completely, in line with the agreed on scope of work and that all conclusions and recommendations, if any, are thoroughly understood |

Each of these reviews should produce a written report of findings to the project team manager. All findings should be formally resolved prior to issuing a final report. Any report from plant or corporate staff may be useful to add to the study as documentation. Reports from peer reviewers or experts should be added to the CPQRA without alteration to enhance the credibility of the report and to document the performance of such a critical review.

Even though the component techniques of a CPQRA are rigorous and disciplined, numerous opportunities exist to introduce uncertainty and error into the study. For this reason, a formal quality assurance program may be desirable. Such programs have routinely been developed to assure the quality of probabilistic risk assessments (PRAs) in the nuclear industry. Such efforts have focused on the following areas of concern [PRA Procedures Guide (NUREG/CR 2300, 1983)]:

• Completeness. Treatment of the full range of tasks, analyses, and model construction and evaluation should be assured. The completeness issue is most significant in any risk analysis. It includes such diverse concerns as identification of initiating events, determination of plant and operator responses, specification of system or component failure modes, physical processes analysis, and application of numerical input data.

• Comprehensiveness. A probabilistic risk assessment is unlikely to identify every possible initiating event and event sequence. The aim is to ensure that the significant contributors to risk are identified and addressed. Assurance must be provided that comprehensive treatment is given to all phases of the study in a manner that provides confidence that all significant incidents have been considered.

• Consistency. Consistency in planning, scope, goals, methods, and data within the study is essential to a credible assessment. Equally important is an attempt to achieve consistency from one study to another, especially in methodologies and the application of data, in order to allow comparison between systems or plant designs. In many cases, the acceptability of an activity is based on its comparability (risk) with other similar activities. The use of standardized methods and procedures enhances comparability.

• Traceability. The ability to retrace the steps taken, that is, reconstruct the thought process to reproduce an answer, is important not only to the reviewer and regulator but also to the study team.

• Documentation. The documentation associated with a PRA is substantial. Large amounts of information are generated during the analysis, and many assumptions are made. The information must be well documented to permit an adequate technical review of the work, to ensure reproducible results, to ensure that the final report is understandable, and to permit peer review and informed interpretation of the study results.

Identical quality concerns exist in performing CPQRAs. Table 1.12 shows potential areas within CPQRAs that require attention in the development of specific quality assurance procedures. Recognize that this table is not necessarily exhaustive and that any particular CPQRA will have its own quality assurance needs. At the least, planning for every CPQRA needs to consider how each of the five areas listed above will be addressed.

1.9.5.4. TRAINING REQUIREMENTS

CPQRAs require the use of skilled and experienced personnel. For simpler studies (consequence or frequency), the skills of the process engineer with some risk analysis training may be adequate. A CPQRA utilizing the risk plane requires inputs from both process engineers and risk analysts. A risk analyst without the support of a process engineer experienced in the design and operation of the particular process unit, system, or piece of equipment, is unlikely to understand the process in adequate detail to carry out the study. Process engineers must be thoroughly trained and have participated in preparing risk estimates for real process systems before they undertake CPQRAs without the assistance of risk analysts.

There are several reference texts and training courses that provide an introduction to CPQRA (Appendix B). Important skills include knowledge of hazard identification techniques [reviewed in the HEP Guidelines, Second Edition (AIChE/CCPS, 1992)] and the consequence and frequency estimation techniques reviewed in this book. Useful introductory publications to CPQRA topics include the other texts in the CCPS Guidelines series, Lees (1980), TNO (1979), and Rijnmond Public Authority (1982). The technique descriptions in Chapters 2 and 3 identify many useful references specific to the individual techniques. A topical bibliography that offers numerous references under many of the topics related to CPQRA is being made available by CCPS on diskettes. (Contact CCPS in New York for details.)

TABLE 1.12. Focus of Project Quality Assurance Procedures

Data compilation

• Data should be checked as being correct, relevant and up-to-date

• Data on chemical toxicity should be reviewed for reasonableness

• Documentation of the sources of data used should be maintained

Incident enumeration and selection

• The historical record should be reviewed

• Incidents should reflect all major inventories of hazardous materials

• Incidents rejected (especially rare, large ones) should be reviewed and documented

• Documentation used for hazard identification and for incident enumeration and selection (HAZOP, What-If, etc.) should be maintained

Consequence estimation

• Models should be well documented

• Trial runs should be compared against known results for validation (to protect against misunderstanding of model requirements)

• Consequence results should consider all important effects (e.g., explosion analysis should include blast and thermal radiation effects)

• Effect models should correspond to the study objectives

• Documentation of input data and results should be maintained

Frequency estimation

• Historical data should be confirmed as being applicable

• Fault and event tree model results should be confirmed against the historical record where feasible

• Documentation of the frequency estimation should be maintained

Risk estimation

• Results should be checked against experience for reasonableness

• Audit trail of documentation should be maintained

It is important to note that well-constructed and well-executed CPQRAs rely heavily on judgment. Short training programs provide users with the necessary tools; however, judgment can come only from the experience of applying them. Project management must be aware that estimates from inexperienced practitioners need greater scrutiny than those from accomplished risk analysts.

1.9.5.5. PROJECT COST CONTROL

As CPQRAs can consume substantial resources, attention to cost control in developing a project plan is essential. Once funding has been approved, it is important to document the allocation of that funding to accomplish the study. This allocation covers

• manpower costs (internal to the organization)*
• tool acquisition and installation (hardware and software)*
• data acquisition*
• computer costs
• training costs
• travel
• publication and presentation
• outside consultant services (all types)*
• project overheads

The four starred (*) items above offer unique problems for CPQRA project managers. They represent greater uncertainty in preparing project cost estimates than do the other contributors. Consequently, greater effort to define them for estimate purposes is required, and greater attention to them through cost control procedures during the project is necessary. The project manager must rely on the risk analyst for estimating model development costs, software acquisition costs, outside consulting services, and data acquisition expense.

Because of the potential for uncertainty, it is good practice to require that the risk analyst provide documentation for cost estimates, including statements from any anticipated source of outside service (e.g., consultants, data acquisition). For example, if the scope of work required earthquake analysis and this was beyond the capabilities of the organization's staff, it would be necessary to provide at least preliminary estimates for this analysis from outside firms. While this may require additional effort in preparing resource requirements, this effort should result in better definition of costs prior to project approvals and the avoidance of cost overruns thereafter. Such documentation can also be used as input to cost control procedures over the life of the project. Otherwise, routine project cost controls in use for managing capital projects can be applied.

1.9.6. Project Execution

A project manager has successfully completed the project when he has completed his scope of work. In preparing that scope of work, the project manager should specify the means of measuring his project's progress in terms of percent completion. To calibrate the project milestones with completed performance, the project manager needs to confer with the risk analyst and agree on the assignment of degrees of project completion with logical end points in the CPQRA sequence (Figure 1.3).

The project manager is responsible for providing status reports comparing actual versus estimated progress presented on the approved project schedule. Causes for delays or cost overruns need to be investigated and explained, and remedial action identified and implemented where necessary.

1.10. Maintenance of Study Results

CPQRA results should be maintained after the completion of the study as an integral part of a company's risk management program. Any actions taken as a result of the study should be documented as well. As discussed in the management overview, CPQRA results can be important to the company's risk management program (New Jersey, 1988). Such a program should be kept up to date, and so should the associated CPQRAs. The CPQRA report should be a living document. As the plant is modified or as procedures change, the CPQRA should be updated, where relevant, to provide management with information on the effect of such changes on risk. The CCPS Guidelines for Process Safety Documentation (1995) describe the documentation in more detail.

It is important to control and monitor the distribution of all copies of a CPQRA report so that each recipient receives all updates and does not use outdated information for decision-making. Periodically the register of report holders should be used to confirm location of all report copies and updated throughout the organization.

Documenting the systematic approach followed in performing CPQRAs permits subsequent readers, perhaps uninvolved with the original work, to follow the analysis. Each individual stage—hazard and incident identification, consequence and frequency estimation, and risk estimation—can be important later. The maintenance of CPQRA results also provides continuity to a risk management program. The importance of management systems in the reduction of risk is receiving greater attention (Batsone, 1987). Risk management program components discussed by Boyen et al. (1988) are itemized below, along with their dependencies on maintained CPQRAs:

• Technology
  - Process Safety Information. The CPQRA provides a current summary of hazards on the site and a listing and summary of all important relevant documents.
  - Process Risk Analysis. This is the primary function of the CPQRA, one that must be kept up to date and made available to new staff.
  - Management of Change (Technology). All changes/modifications should be subjected to the same rigor of analysis as the original study.
  - Rules and Procedures. These should be developed in the context of the CPQRA results.

• Personnel
  - Staff Training. The CPQRA presents insights to specific facility risks with all relevant documents appended or referenced.
  - Incident Investigation. The CPQRA can be useful in incident investigation, to check whether the event was properly identified and if protective systems performed as expected. If not previously identified, it should be added to the CPQRA and the results recalculated. Additional risk reduction measures may be suggested.
  - Auditing. The CPQRA can serve as a guide to the auditor to familiarize the auditor with major risk contributors and past studies of them.

• Facilities
  - Equipment Tests and Inspections. The CPQRA highlights the importance of testing intervals in maintaining protective system reliability. Regular checks are necessary to ensure these are maintained.
  - Prestartup Safety Reviews. This function is similar to the auditing role. Important features are identified for inspection and checking.
  - Management of Change (Facilities). See Management of Change (Technology).

• Emergencies
  - CPQRAs can assist in developing a site emergency response plan.

• Some Additional Uses (not specific to the site risk management program)
  - Community Relations. Discussions with the local community are often aided by the availability of up-to-date CPQRAs.
  - Plant Comparisons. Many companies operate several plants of similar design. CPQRA data from one can be used as a guide for new plants or for modifying other existing plants.
  - Operating Standards. All the CPQRA component techniques make assumptions of how the plants should be operated (HAZOP, fault tree failure frequencies, consequence calculations, etc.). When documented and kept current, these can be checked at a later stage for accuracy.

It is important to recognize that a CPQRA shows whether a plant can operate at a given risk level, but cannot ensure that the plant will operate consistent with the assumptions used to estimate risk. Naturally, if actual operations differ from study assumptions, the risk estimates produced cannot be considered representative. Study assumptions need to reflect reality, and as reality changes, so must study assumptions. Corresponding risk estimates will need to be updated. Updates can be triggered by

• process changes (e.g., hardware, software, material, procedures)
• availability of improved input data (e.g., toxicology data)
• introduction of company risk targets
• advances in CPQRA component techniques
• changes to company property (e.g., neighboring process units, administration building relocation)
• changes in neighboring property (e.g., expansion of a housing development to company property limits)

Maintenance of a CPQRA means much more than assuming the availability of a copy of the original study in an organization's files, though it is important to preserve and store the results in a secured system. The need to maintain the study should be recognized and accepted at the time the commitment is made to execute the CPQRA. As with any process documentation, without such commitment, the CPQRA report will gradually but assuredly become dated and lose its value to the company's risk management program.

1.11. References

AIChE/CCPS (1992). Guidelines for Hazard Evaluation Procedures, second edition with worked examples. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.

AIChE/CCPS (1995). Tools for Making Acute Risk Decisions. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.

AIChE/CCPS (1995). Guidelines for Process Safety Documentation. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.

AIChE/CCPS (1994). Guidelines for Implementing Process Safety Management Systems. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.

AIChE/CCPS (1989). Guidelines for Technical Management of Chemical Process Safety. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.

AIChE/CCPS (1995). Plant Guidelines for Technical Management of Chemical Process Safety. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.

AIChE/CCPS (1988a). Guidelines for Safe Storage and Handling of High Toxic Hazard Materials. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York.

Amendola, A. (1986). "Uncertainties in Systems Reliability Modeling: Insight Gained Through European Benchmark Exercises," Nuclear Engineering Design 93, 215-225, Amsterdam, The Netherlands: Elsevier Science Publishers.

Arendt, J. S. et al. (1989). A Manager's Guide to Quantitative Risk Assessment of Chemical Process Facilities. JBF Associates, Inc., Knoxville, Tenn., Report No. JBFA-119-88, prepared for the Chemical Manufacturers Association, Washington, D.C.; January.

Ballard, G. M. (1987). "Reliability Analysis—Present Capability and Future Developments." SRS Quarterly Digest, System Reliability Service, UK Atomic Energy Authority, Warrington, England, pp. 3-11, October.

Batsone, R. J. (1987). Proceedings of the International Symposium on Preventing Major Chemical Accidents. Washington, D.C. (J. L. Woodward, ed.). American Institute of Chemical Engineers, New York. Feb. 3-5.

Box, G. E. P. and Hunter, J. S. (1961). "The 2^(k-p) Fractional Factorial Designs. Part 1," Technometrics 3(3), 311-346.

Boyen, V. E. et al. (1988). "Process Hazards Management." Document developed by Organization Resource Counselors, Inc. (ORC) [submitted to OSHA for future rulemaking on process hazards management], Washington, D.C.

Bretherick, L. (1983). Handbook of Reactive Chemical Hazards, 2nd edition. London: Butterworths.

Carpenter, B. H., and Sweeny, H. C. (1965). "Process Improvement with 'Simplex' Self-Directing Evolutionary Operation." Chemical Engineering 72(14), 117-126.

DeHart, R., and Gaines, N. (1987). "Episodic Risk Management at Union Carbide." AIChE Spring National Meeting, Symposium on Chemical Risk Analysis, Houston. American Institute of Chemical Engineers, New York.

Dow's Fire and Explosion Index—Hazard Classification Guide, 7th edition, 1994. CEP Technical Manual, American Institute of Chemical Engineers, New York.

Dow's Chemical Exposure Index Guide, 1994. CEP Technical Manual, American Institute of Chemical Engineers, New York.

EEC (1982). "Major-Accident Hazards of Industrial Activities" ("Seveso Directive"). European Economic Community. Council Directive 82-501-EEC, Official Journal (OJ) Reference No. L230, 5.8.1982; amended October 1982. [Available from European Economic Community, Press and Information Services, Delegation of the Commission of European Communities, Suite 707, 2100 M Street, N.W., Washington, D.C.]

Freeman, R. A. (1983). "Problems with Risk Analysis in the Chemical Industry." Plant/Operations Progress 2(3), 185-190.

Freeman, R. A. et al. (1986). "Assessment of Risks from Acute Hazards at Monsanto." 1986 Annual Meeting, Society for Risk Analysis, Nov. 9-12, Boston, MA. Society for Risk Analysis, 8000 West Park Drive, Suite 400, McLean, VA 22102.

Gibson, S. B. (1980). "Hazard Analysis and Risk Criteria." Chemical Engineering Progress (November), 46-50.

Goyal, R. K. (1985). "PRA-Two Case Studies from the Oil Industry." Paper presented at Session 5A of Reliability '85, Symposium Proceedings, July 10-12, 1985; Vol. 2, p. 5A/3. Jointly sponsored by National Centre of Systems Reliability, Warrington, England and Institute of Quality Assurance, London, England.

Hawksley, J. L. (1984). Some Social, Technical and Economical Aspects of the Risks of Large ChemicalPlants. Chemrawn III, World Conference on Resource Material Conversion, The Hague,June 25-29.

Health & Safety Executive (1978). Canvey—An Investigation of Potential Hazards from the Opera-tions in the Canvey Island/Thurrock Area. 195 pp. HMSO. London, UK.

Health & Safety Executive (1981). Canvey—A Second Report, 130 pp. HMSO, London, UK.Helmers, E. N and L. C. Schaller (1982). "Calculated Process Risk and Hazards Management."

AIChE Meeting, Orlando, FL, Feb. 20-Mar. 3. American Institute of Chemical Engineers,New York.

IChemE (1985). Nomenclature of Hazard and Risk Assessment in the Process Industries. Institutionof Chemical Engineers, UK.

Hendershot, D. C. (1996) "Risk Guidelines as a Risk Management Tool," 1996 Process PlantSafety Symposium, Houston, TX, April 1-2, 1996, Session 3

ICI (Imperial Chemical Industries) (1985). TheMondIndex, 2nd edition. ICI PLC, ExplosionHazards Section. Technical Department. Winnington, Northwick, Cheshire CW8 4DJ,England.

Joschek K. T. (1983). "Risk Assessment in the Chemical Industry." Plant/Operations Progress2(1 January), 1-5.

Kaplan, S., and B. J. Garrick ( 1981). "On the Quantitative Definition of Risk." Risk Analysis1(1), 11-27.

Kilgo, M. B. (1988). "An Application of Fractional Factorial Experimental Designs." QualityEngineering, \, 19-23. American Society for Quality Control and Marcel Dekker, NewYork.

Lees, F. P. (1980). Loss Prevention in the Process Industries, 2 Volumes. Butterworths. Londonand Boston.

Long, D. E. (1969). "Simplex Optimization of the Response from Chemical Sys terns. "Anal.Chim. Acta 46,193-206.

Marshall, V. C. (1987). Major Chemical Hazards. Wiley, New York.Mudan, K. S. (1987). "Hazard Ranking for Chemical Processing Facilities." ASME Winter

Annual Meeting, Boston, MA. Dec. 13-18. American Society of Mechanical Engineers,New York.

Nelder, J. A., and Mead, R. (1964). "A Simplex Method for Function Minimization." The Com-puter Journal 7, 308-313.

Mundt, A. G. (1995). "Process Risk Management for Facilities and Distribution." AIChESummer National Meeting, Boston, July 30-Aug 2, American Institute of Chemical Engi-neers, New York.

New Jersey (1983). 'Toxic Catastrophe Prevention Act Program." State of New Jersey,N.J.A.C. 7: 1, 2, 3, 4 and 6. New Jersey Register, Monday, June 20, 1988, 20 N.J.R. 1402.

NFPA 325M (1984). Fire Hazard Properties of Flammable Liquids, Gases, and Volatile Solids.National Fire Protection Association, Quincy, MA 02269.

NUREG (1983). PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessmentfor Nuclear Power Plants, 2 volumes, NUREG/CR-2300, U.S. Nuclear Regulatory Commis-sion, Washington, D.C. (available from NTIS).

NUREG (1984). PZM Status Review in the Nuclear Indusrry, NUREG-1050, Nuclear Regula-tory Commission, Washington D.C. September, 1984 (available from NTIS).

NUREG (1985). Probabilistic Safety Analysis Procedures Guide, NUREG/CR-2815, NuclearRegulatory Commission, Washington D.C. August, 1985 (available from NTIS).

Ormsby, R. W. (1982). "Process Hazards Control at Air Products." Plant/Operations Progress 1,141-144.

Pikaar, J. (1995). "Risk Assessment and Consequence Models." 8th International Symposium onLoss Prevention and Safety Promotion in the Process Industries^ June 6-9, 1995, Antwerp, Bel-gium, Keynote lecture on Theme 4.

Pikaar, M. J., and M. A. Seaman (1995). A Review of Risk Control. Zoetermeer, Netherlands:Ministrie VROM.

PiIz, V. (1980). "What Is Wrong with Risk Analysis?" 3rd International Symposium on LossPrevention and Safety Promotion in the Process Industries, Basle, Switzerland, 6/448-454.Swiss Society of Chemical Industries, September 15-19.

Poulson, J.M. et al. (1991). "Managing Episodic Incident Risk in a Large Corporation." AIChESummer National Meeting, Pittsburgh, Aug 18-21, American Institute of Chemical Engi-neers.

Prugh. R. W. (1980). "Application of Fault Tree Analysis." Chemical Engineering Progress July,59-67.

Rijnmond Public Authority (1982). A Risk Analysis of 6 Potentially Hazardous Industrial Objectsin the Rijnmond Area—A Pilot Study. D. Reidel, Dordrecht, the Netherlands and Boston,MA.

Renshaw, P.M. (1990). "A Major Accident Prevention Program." Plant/Operations Progress9(3), 194-197.

Rosenblum, G. R. et al. (1983). "Integrated Risk Index Systems." Proceedings of the Society forRisk Analysis. Plenum Press, New York, 1985.

Seaman, M. A., and Pikaar, M. J., "A Review of Risk Control," VROM, 11030/150, June, 1995.

Spendley. W. et al. (1962). "Sequential Application of Simplex Designs in Optimisation andEvolutionary Operation." TechnomePncs 4(4), November.

TNO (1979). Methods for the Calculation of the Physical Effects of the Escape of Dangerous Materials:Liquids and Gases, 2 Volumes. P.O. Box 312, 7300 AH Apeldoorn, The Netherlands.

Tyler, B. J. et al. (1996), "A toxicity hazard index," Chemical Health & Safety., January/February,1996,19-25.

USCIP Working Party (1985). "Standard Plan for the Implementation of Hazard Studies 1:Refineries." Union des Chambres Syndicales de 1' Industrie de Petrole (UCSIP), Paris,France.

US EPA (1980). "Chemical Selection Method: An Annotated Bibliography": Toxic IntegrationInformation Series. EPA 560/TTIS-80-001, November (available from NTIS).

US EPA (1981). "Chemical Scoring System Development," by R. H. Ross and P. Lu, OakRidge National Laboratory. Interagency Agreement No: 79-D-x9856, June (available fromNTIS).

Van Kuijen, C. J. ( I 987). "Risk Management in the Netherlands: A Quantitative Approach."UNIDO Workshop on Hazardous Waste Management and Industrial Safety, Vienna. June22-26.

Warren Centre (1986). Hazard Identification and Risk Control for the Chemical and Related Indus-tries—Major Industrial Hazards Project Report (D. H. Slater, E. R. Corran, and R. M.Pithlado, eds.). University of Sydney, NSW 2006. Australia.

Watson, S. R. (1994). "The Meaning of Probability in Probabilistic Risk Assessment." Reliabil-ity Engineering and System Safety 45, 261-269.

Watson, S. R. (1995). "Response to Yellman andMurray's comment on The meaning of proba-bility in probabilistic risk analysis'." Reliability Engineering and System Safety 49,207-209.

World Bank (1985). Manual of* Industrial Hazard AssessmentTechniques. Office of Environmen-tal and Scientific Affairs. World Bank, Washington, D.C.

Yellman, T. W., and Murray, T. M. (1995). "Comment on The meaning of probability inprobabilistic risk analysis'." Reliability Engineering and System Safety 49, 201-205.