Catch-up today on technology and risk management via published webinars by ioMosaic
Why is a Quantitative Risk Assessment (QRA) conducted and how does it result in risk reduction? What are the steps involved and is there an approach that qualifies risk reduction to better manage and mitigate risks at your facility? This complimentary 60-minute webinar will provide an overview on the concept of risk and QRA, outline the main steps in conducting a QRA as well as the type of results generated from this analysis. Learn to quantify risk reduction via QRA with an effective approach developed by ioMosaic, which demonstrates how to calculate specific Risk Reduction Factors (RRFs) to achieve tolerable risk. Additionally, this webinar will address the design of an Independent Protection Layer (IPL) from the reliability point of view with the aim to provide further insight and better inform process design and safety decisions.
This program is designed for process safety professionals or managers who play a key role in managing process safety, especially within oil and gas, petrochemicals, and chemical industries.
Register To Watch Today
Q. For consequence analysis will one use the maximum operating pressure to establish the release rate of a leak size?
A. For consequence analysis typically we use the normal operating process conditions from the process flow diagrams and heat and mass balances. If we have a vessel, for example, that is designed to withstand 150 PSIG and operates at 100 PSIG, for consequence modeling purposes, the 100 PSIG is used, which is the vessel normal operating pressure.
Q. Could you expand your explanation about using QRAs for estimating risk from domino effects? A comparison using your flow diagram may be useful.
A. The potential for domino effect and escalation is typically studied during the risk evaluation step. First, we need to identify the loss of containment scenarios, the main hazards associated with a process or operation. Then, we determine the frequency of occurrence and calculate the consequences of all potential leaks. Next, we estimate the risk which consists of combining and cumulating the frequency and consequences of all identified loss of containment scenarios. During the risk evaluation step, with regards to the domino effect and potential escalation, we typically use cumulative frequency thresholds to identify the impact level to a given process equipment. For example, if we have a storage tank that contains a flammable mixture, we can calculate the impact distances at several thermal radiation thresholds resulting from a loss of containment scenario. The impact distances can then be illustrated in the plot plan so that we can identify what nearby equipment are impacted, and at what thermal radiation threshold. If nearby process equipment is exposed, for example, to a 37.5 kilowatt per square meter threshold and at a cumulative frequency higher than the risk criterion (such as, 1 in 10,000 years), then we can identify the equipment that may fail (the domino effect) as a result of a release from the storage tank. This approach can be also used to determine the domino effect and escalation due to explosions.
Q. What data or method is typically used to determine generic loss of containment frequencies? Several options were provided but what your preferences were was not mentioned.
A. Slide 16 contains several well-known references that contain pre-established frequencies; API Recommended Practice 581 (Risk-Based Inspection Technology), Purple Book, or CPR18E (Guidelines for Quantitative Risk Assessment), HSE (Failure Rate and Event Data for use within Risk Assessments), etc. For example, API RP 581 is a good resource because it gives the likelihood as a function of leak size (small, medium, large, and catastrophic rupture) as well as equipment topology. When considering the same type of equipment, the smallest leak size frequency is higher than the frequency associated with a catastrophic rupture, because it is more likely to happen. With regards to the equipment topology, API RP 581 provides the frequency for pumps, heat exchangers, reactors, pressure vessels, columns, piping of different sizes, etc. For piping, the frequency is a function of diameter and length, and it is given in year per feet. Thus, API RP 581 accounts for the pipe length because a longer pipeline typically presents more “failure points”. For example, considering two pipelines with the same diameter, the leak frequency associated with a 100-foot long pipeline will be 10 times higher than the leak frequency of a pipeline that is 10 feet in length.
Q. In land-use planning what should be the tolerance criteria at different locations? For example, property line and buffer zones. What do you do when the proposed facility exceeds that tolerance criteria and what are the acceptable methods for risk reduction in that case?
A. It will depend on where the facility is located. Some countries and governments have their own risk tolerability criteria / guidelines. If we are evaluating the risk of a facility located in a country where there is no risk tolerability criterion, then the user needs to decide what worldwide recognized criterion can be applied; for example, health, safety, and environment (HSE). Once the risk tolerability criterion is defined and the risk levels are estimated, we will know whether the risk is considered negligible / broadly acceptable, or tolerable if ALARP, or not tolerable. If the risk is not tolerable, the next step will be to calculate the required risk reduction. Using the approach presented during this webinar, we first need to identify the most contributing pieces of equipment and then calculate the required risk reduction so that the risk levels are deemed at least tolerable if ALARP.
Q. How do you determine which risk reduction factor quantity contours require higher safety and integrity layers? For example, how do you determine what is SIL 1 vs SIL 2?
A. Using the table in slide 38, you can observe that the Safety Integrity Level or SIL is directly correlated to the Risk Reduction Factor (RRF) and Probability of Failure on Demand (PFD). Note that the values presented in this table are extracted from IEC 61511 and apply to Safety Instrumented Functions (SIFs) that operate in low-demand mode, which means that the SIF is only performed on demand and the frequency of demands is no greater than one per year. Once you know the required risk reduction factor, the SIL level is calculated using the values on this table. For example, if the RRF is higher than 10 and lower or equal to 100, this is equivalent to SIL 1. If the required risk reduction is greater than 100 and lower or equal than 1,000, this is equivalent to SIL 2, and so on. Note that it is difficult to find layers of protection with a SIL higher than 3 in the chemical industry, and SIL 4 is typically used in the nuclear industry.
Q. Is there any methodology to be able to determine the behavior of ISO risk curves in addition to methods implemented without the need to perform simulations again?
A. Risk is the function of combining and cumulating the frequency of occurrence and consequences of all identified Loss of Containment (LOC) scenarios. Therefore, to calculate new risk profiles, it is necessary to either modify the frequency or the consequences of the impacted scenarios or apply the required Risk Reduction Factors (RRFs) explained during this webinar.
Q. Where can we find the PFD of controls similar to the table you presented for SIL or any reference or standard?
A. The values presented in this webinar are for systems in low-demand mode, and are based on IEC61511, 2016 “Functional Safety – Safety Instrumented Systems for the Process Industry Sector” [slide 38]. In IEC 61511, you can find the Probability of Failure on Demand (PFD), Risk Reduction Factor (RRF), and Safety Integrity Level (SIL) for low-demand, high-demand, and continuous demand modes. Note that a system in low-demand mode refers to where the Safety Instrumented Function (SIF) is only performed on-demand, and the frequency of demands is no greater than one per year.
Q. What if the LOPA for a given process unit contradicts the results, especially when the risk was tolerable within the LOPA but the QRA indicates an ALARP or intolerable risk?
A. A Layer Of Protection Analysis (LOPA) is a different methodology than a QRA. Typically, LOPA is used in conjunction with a Process Hazard Analysis (PHA) or after a PHA is conducted. A PHA is a qualitative technique to estimate risk; LOPA is a semiquantitative technique, which focuses on identifying the existing layers of protection for a given scenario and if necessary, helps the user calculate the required risk reduction (from the frequency point of view) to meet the tolerability criterion (typically in the form of a risk matrix). A Quantitative Risk Assessment (QRA) is a quantitative method to assess the risk levels. In a PHA / LOPA, we study deviations from normal conditions and use guidewords to qualitatively assess the risk. For example, more flow, reverse flow, no flow, etc. In a PHA / LOPA only some scenarios are Loss Of Containment scenarios (LOCs), while in a QRA, the scenarios analyzed are generic and non-generic LOCs. In response to your question, it will depend on the facility federal and jurisdictional requirements, as well as the company guidelines. If the risk can be assessed semi-quantitatively, then the LOPA results may suffice. If not, it is necessary to perform a QRA and then the decision-making process needs to be based on the QRA results and not PHA / LOPA results.
Q. At what stage in a project is a QRA done? Concept or Basic or another stage?
A. It is advised to conduct a first QRA during the conceptual stage because it can help you identify hazards early on. If a QRA is not conducted until the detail design stage, and the risk levels are deemed not tolerable or unacceptable, the options to decrease the risk may be limited; i.e., the facility / user may need to consider the implementation of prevention and/or mitigation measures instead of applying the “inherent safer design concept” (minimize, substitute, moderate, simplify), which is the preferred methodology when trying to reduce risk. Additionally, implementation of preferred prevention and/or mitigation measures may not be possible at a later stage and could result in the need to install / implement costly risk reduction measures to achieve the risk target. However, please note that during the conceptual stage, the data may be limited. Thus, it is advised to update the QRA during the Front-End Engineering Design (FEED) and Detailed stages as more data becomes available.
Q. Are risk criteria (geographical region) charts based on societal risk? Or individual risk?
A. The answer is both. Typically, a QRA consists of calculating the individual and societal risks. Therefore, to define whether the risk levels are acceptable / tolerable or not, it is necessary to define societal risk criteria and individual risk criteria. Note that one of the main differences between individual risk and societal risk is that individual risk does not consider the actual population present, while societal risk does consider the population. As a result, individual risk criteria differ from societal risk criteria, i.e., societal risk criteria are typically presented in the form of an FN curve (frequency or F of accidents involving N or more fatalities), whereas individual risk criteria are not. Note that the ALARP concept typically applies to both societal and individual risk criteria, which means that the three regions are typically defined: not tolerable, tolerable if ALARP, and negligible / broadly acceptable.
Q. Is it standard practice to do a QRA and consider non-normal conditions, like startups, shut-offs, etc.?
A. No. Typically QRAs are conducted considering normal conditions. However, if it is known that a certain process or operation is more hazardous during a non-normal condition such as startup, scenarios can be modeled using startup conditions, and the frequency must be adjusted considering applicable enabling conditions. For example, during a startup, to have a LOC, the process / operation needs to be in startup mode; i.e., we need to consider the amount of time the process / operation is in startup mode, which will result in the scenario frequency being reduced.
Q. What would you suggest would be the best way to attack the highest consequences detected in the facility QRA?
A. When dealing with high consequences, my initial advice would be to make sure that the source term phenomena is properly characterized, because consequence modeling is directly impacted by the calculated release conditions. Additionally, it is important to make sure that when considering release time, we are not releasing more inventory than the available maximum inventory. If the steady-state calculations seem correct, before going into looking at potential prevention / mitigation measures, I would say that in certain cases it may be warranted to conduct dynamic analysis to properly calculate the source term phenomena characteristics. During dynamic analysis, we can better account for inventories, as well as vessel depressurization; i.e., flow rate decreases as the contents of the vessel are emptied, which is not taken into account during a steady-state analysis. If the consequences are still high, at this point, it is advisable to first look to implement prevention measures; i.e., it is preferred to prevent a scenario from happening rather than mitigate the consequences.