fire risk evaluation
TRANSCRIPT
-
7/28/2019 Fire Risk Evaluation
1/38
Doc. No. P-HSE-H6Rev. 0 - SEPTEMBER 2009
ESReDAWorking Group on Fire Risk AnalysisFire Risk Analysis Process and Oil & Gas Industries
Standard and Regulations,State of the Art & MethodologiesD'Appolonia Contribution toESReDA Report
-
7/28/2019 Fire Risk Evaluation
2/38
Doc. No. P-HSE-H6Rev. 0 - SEPTEMBER 2009
All rights, including translation, reserved. No part of this document may be disclosed to any third party,for purposes other than the original, without written consent of D'Appolonia.
ESReDAWorking Group on Fire Risk AnalysisFire Risk Analysis Process and Oil & Gas Industries
Standard and Regulations,State of the Art & MethodologiesD'Appolonia Contribution toESReDA Report
Prepared by Signature Date
Stefania Benucci September 2009
Simone Garrone September 2009
Verified by Signature Date
Paolo Paci September 2009
Giovanni Uguccioni September 2009
Approved by Signature Date
Roberto Carpaneto September 2009
Rev. Description Prepared by Verified by Approved by Date0 First Issue SFB/SMG PP/GMU RC September 2009
-
7/28/2019 Fire Risk Evaluation
3/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. iD'Appolonia Contribution to ESReDA Report
TABLE OF CONTENTS
PageLIST OF TABLES II
LIST OF FIGURES III
1 STANDARD AND REGULATIONS 1
2 STATE OF THE ART AND METHODOLOGIES 5
2.1 INTRODUCTION 5
2.2 DEFINITION OF RISK ASSESSMENT OBJECTIVES 6
2.3 HAZARDS IDENTIFICATION 6
2.4 FIRE SCENARIOS IDENTIFICATION 9
2.5 FREQUENCY ANALYSIS 12
2.5.1 TOP Events Likelihood of Occurrence 122.5.2 Loss of Containment Events Likelihood of Occurrence 13
2.5.3 Scenarios Likelihood of Occurrence 13
2.6 CONSEQUENCES EVALUATION 15
2.6.1 Semi-empirical models 16
2.6.2 Field models 16
2.6.3 Integral models 17
2.6.4 Zone models 18
2.7 RISK ASSESSMENT 18
2.7.1 Risk Matrix 19
2.7.2 Location Specific Individual Risk 20
2.7.3 Individual Risk 20
2.7.4 Societal Risk 21
2.8 RISK-BASED FIRE PROTECTION 22
3 DATA FOR FIRE RISK ANALYSIS 23
3.1 HISTORICAL INCIDENT DATA 23
3.2 PROCESS AND PLANT DATA 25
3.2.1 Plant Layout and System Description 25
3.2.2 Ignition Sources and Data 26
3.3 CHEMICAL DATA 27
3.4 ENVIRONMENTAL AND TERRITORIAL DATA 28
3.4.1 Population Data 283.4.2 Meteorological Data 28
3.4.3 Territorial Data 29
3.4.4 External Event Data 30
3.5 RELIABILITY DATA 30
3.5.1 Human Reliability Data 31
3.6 RISK UNCERTAINTY, SENSITIVITY AND IMPORTANCE 31
REFERENCES
-
7/28/2019 Fire Risk Evaluation
4/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. iiD'Appolonia Contribution to ESReDA Report
LIST OF TABLES
Tables No. Page
Table 2.1: HAZID categories and guidewords 7
Table 2.2: Typical HAZOP Guidewords/Parameters and Deviations for Continuous Processes 8
Table 2.3: Ignition Probabilities 14
-
7/28/2019 Fire Risk Evaluation
5/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. iiiD'Appolonia Contribution to ESReDA Report
LIST OF FIGURES
Figure No. Page
Figure 1.1: Fire Risk Analysis Flow Diagram 4
Figure 2.1: Event Tree Example 11
Figure 2.2: Fault Tree Example 12
Figure 2.3: Risk matrix (Example) 19
Figure 2.4: Local Risk Contour Lines (Example ARIPAR Code) 20
Figure 2.5: F-N Curves (Example ARIPAR Code) 21
Figure 3.1: Wind rose (example) 29
-
7/28/2019 Fire Risk Evaluation
6/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
D'APPOLONIA S.p.A. Via San Nazaro, 19 - 16145 Genova, ItalyPhone +39 010 362 8148 - Fax +39 010 362 1078
e-mail: [email protected] - Web Site: http://www.dappolonia.it
FIRE RISK ANALYSISPROCESS AND OIL & GAS INDUSTRIES,
STANDARD AND REGULATIONSSTATE OF THE ART & METHODOLOGIES
D'APPOLONIA CONTRIBUTION TO ESREDA REPORT
1 STANDARD AND REGULATIONS
Standard and Regulations currently adopted for the design of active Fire Protection Systems
are discussed in the following of this document, with a specific emphasis on how they
address the Risk Analysis as part of the basis for the systems design.
National regulations will be dealt with in Section 1.2 (see contribution by D'Anna and
Demichela). It is expected that each member of the WG will contribute with specificinformation related to her/his Country of origin.
This section will specifically focus on active protection in process plants. Fire protection in
Civil structures and Buildings are understood to be not covered by the WG activities, and
therefore the Eurocode, dealing with structural response in structures, is not considered here.
Rules
There is no general Rule defining how Risk Analysis Methods shall be adopted in the design
of systems. Nevertheless there is a strong trend to move away from prescriptive towards a
performance-based design approach, also following the introduction of rules as the ISO TR
13387 (1999), the Regulatory Reform Fire Safety Order (2005), or the Italian DM 9 May
2007. In contrast to the prescriptive approach - which only specifies methods and systems
without identifying how these achieve the desired safety goal - performance-based design in
the case of fire protection uses an engineering approach based on established fire safety
objectives, analysis of fire scenarios and assessment of design alternatives against the
objectives. This allow for more design flexibility and innovation in construction techniques
and materials, gives equal or better fire safety and maximizes the cost/benefit ratio during
design and construction.
Designers of fire-fighting systems in process plants adopt either specific Company Standard
(e.g. Standard from operators, such as Total, Shell or Standard from the Engineering
Companies, such as Saipem/Snamprogetti, etc.) or they follow the NFPA (mainly) or API
standard, or the EN standard where present. These standard give technical solutions
considered to be adequate for the fire protection and generally adopted in process plantfirefighting design (e.g. ISO 13702, API RP 2030, NFPA15 gives the minimum specific
flowrate to be adopted for cooling of components).
In certain cases, they recommend the use of hazard analysis as a tool for defining the
requirements, however this is left at a very general level, not recommending any specific
approach to be followed. ASTM E 1776 is a standard for people writing guides for risk
assessment of alternative products within a product class. ISO TS 16732 and the SFPE
Guide to Fire Risk Assessment are guidelines intended to either replace or complement
conventional prescriptive codes. The NFPA 551 code is explicitly designed to assist
responsible officials in their duty of confirming (or refuting) the code equivalency of a
design proposal justified through a supporting Fire Risk Assessment (FRA); this code is a
guidance for those reviewing a Fire Risk Assessment. The International Organization for
-
7/28/2019 Fire Risk Evaluation
7/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 2D'Appolonia Contribution to ESReDA Report
Standardization TC 92 SC 4 is working to provide Fire Safety Engineering documents for
supporting performance-based design and assessment
The previous was only a brief introduction, but a description of the technical solutions givenby the most widely applied rules is not part of the WG deliverables. Instead, in section 6
(comparison of methods), a comparison between the design solutions identified using a FRA
approach and the design solutions obtained by the deterministic application of the Rules
could be of interest.
The case of LNG Installations
For LNG installations both applicable NFPA and EN standard require a certain degree of
hazard assessment.
The standard NFPA 59A for LNG installations states the following very general principle,
but no specific methodology or criteria for the hazard analysis is however given:________________________________________________________________
________________________________________________________________
The EN standard 1473 on LNG installations, point 13.6, states:
"Water supply systems shall be able to provide, at fire fighting system operating pressure, a
water flow not less than that required by the fire fighting systems involved in the maximum
single incident identified in the Hazard Assessment in 4.4 plus an allowance of 100 l/s for
hand hoses. The fire water supply shall be sufficient to address this incident, but shall not be
less than 2 h."Hazard assessment is also considered as a basis for the design of water curtains.
However, the Hazard assessment techniques and methods to be followed are left to national
requirements, if any, or to the decision of the designer:
"The following methodology and requirements see annexes that show examples of frequency
ranges, classes of consequences and levels of risks. However there is a variation in national
and company acceptance criteria and the examples given in the informative Annexes J, K
and L should be considered as minimum requirements. If more stringent local or national
requirements exist they shall supersede these minimum requirements."
And, in section 4.4.2.1 (Methodology) it is stated: "The methodology of the hazard
assessment can be deterministic and/or probabilistic."
-
7/28/2019 Fire Risk Evaluation
8/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 3D'Appolonia Contribution to ESReDA Report
Standard
The need for a plant specific approach for the definition of the fire-fighting system, and
therefore the impossibility for a Rule to cover deterministically each case is expressed by the
following statement, taken from a Major company internal standard:
"It is not possible to define all the fire-fighting requirements applicable to all cases and
regardless of circumstances. The factors listed below (and others as applicable) shall be
contemplated in the process leading to the decision to install a fire-fighting system, its type
and the level of protection it provides...Each case shall be studied during project phase.
Equipment size (as an expression of the intrinsic potential hazard e.g. a storage tank);
Equipment cost (balanced against the cost of a fire protection system);
Applicable codes, regulations, Insurance Company and statutory requirements;
Facility geographical location (e.g. onshore versus offshore, populated versus deserticarea, etc.);
Criticality within the (Operating) COMPANY production scheme (e.g. one out of "n",gathering battery versus main export pump station, local electrical substation versus main
switch gear room, etc.);
Asset protection policy put in force by the (Operating) COMPANY".
Good Practices
Information on methods to be used for the simulation of fire and fire damage technical
criteria for fire protection are provided by several references used as Best Practice in the
modern industry. "The SFPE Handbook of Fire Protection Engineering", by NFPA
(National Fire Protection Association), is the most widely used reference: it provides
comprehensive coverage of today's best practices in fire protection engineering and
performance-based fire safety.
Another widely used reference, which also provides deep methodological information is the
"Handbook for Fire calculations and Fire risk assessment in the Process Industry" by Sintef /
Scandpower. In this Guideline, the section on Risk Analysis (6 pages over a total of 280
approx, excluding appendixes) gives the general flow diagram shown in Figure 1.1, where
the main steps of a Fire Risk Analysis are highlighted.
The first step should always be the fair understanding of the system design and operational
modes (normal operation, start-up, shut-down, inspection, maintenance) through the system
documentation. Based on the available information of the system and operational modes, asystematic hazard identification should be performed to list all potential hazardous events
(where a hazard could be a situation in which a combustible fluid is in contact with a
comburent agent in presence of ignition).
Then, for the identified hazardous events, the probability of occurrence has to be evaluated
using appropriate tools and mathematical predictive models (e.g. Fault Tree Analysis) and/or
statistical data, while the accidental consequences have to be assessed and evaluated in terms
of physical effects (heat flux, smoke concentrations, etc.) using fluid dynamics and
physical/chemical/mathematical models.
Using Event Tree Analysis (analytical and visual model which describes the event chain
which develop from an initial scenario), the initial hazardous event can be broken down in
-
7/28/2019 Fire Risk Evaluation
9/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 4D'Appolonia Contribution to ESReDA Report
the several possible occurring scenarios which reflect the possible escalation of the different
situations, and taking into account external as well as internal factors such as, for instance,
presence of ignition, presence of safety systems, meteorological conditions, etc.From the combination of previous parameters (likelihood of occurrence and severity of
consequences) the risk to personnel, to environment, to asset can be evaluated and compared
with the established acceptance criteria. Recommendations can be given in order to meet the
expected safety levels for the events with intolerable consequences (Residual Accidental
Events) and to improve the overall safety performance for the events whose resulting
physical effects are accounted for in the design (Design Accidental Events).
To optimize the benefit of investing in risk reducing measures, the implementation of
additional active/passive fire-protection/detection systems can be calculated in monetary
value and compared with the investment and maintenance cost.
Figure 1.1: Fire Risk Analysis Flow Diagram
-
7/28/2019 Fire Risk Evaluation
10/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 5D'Appolonia Contribution to ESReDA Report
2 STATE OF THE ART AND METHODOLOGIES
2.1 INTRODUCTION
In the modern Industry, the different approaches to fire protection are essentially two: the
traditional approach, based on prescriptive codes, and the innovative approach, which relies
on performance-based tools. A risk-informed, performance-based approach to fire
protection offers an increasingly acceptable alternative to strict adherence to code
requirements alone.
The prescriptive codes supply the minimum requirements for fire protection systems. This is
very often used as a pragmatic approach which also resolve satisfactorily insurance
requirements with a minimum effort. The risk analysis is done a priori by the legislator, who
fixes a safety level and establishes a set of rules able to compensate the existing risk. So the
fire protection is not guaranteed on the basis of engineering principles and it is left to the fireengineers a narrow margin of discretion. In addition, codes usually are written to apply to
typical configurations: special situations are very often disregarded or generically treated.
With the performance-based approach the fire protection is guaranteed by the application of
an engineering methodology developed on scientific basis. It allows consideration of a large
number of project variables and gives a more deep and often less-expensive engineering
solution than the traditional approach. This is even more true when special situation requires
a tailored engineering and a fit-for purpose safety approach.
The approach is performance-based because it provides solutions based on performance to
established goals, rather than on prescriptive requirements with implied goals. The approach
is risk-informed because the analysis takes into account not only the severity of the events,
but also the likelihood of the hazard and the probability of failure of any present protection
system The basic methodology is also known as Quantitative Risk Assessment (QRA), and
it allows, among other things:
the capability of early identification of weak links in loss prevention and protectionsystems at design phase,
the possibility to optimize loss control investments allowing an intelligent allocation ofthe resources to the area giving rise to the highest risk.
A generalized Fire Risk Analysis passes through the quantification of the consequences and
estimation of the probabilities of the identified fire hazards, the individuation of the hazard
control options and the evaluation of their impact on the overall risk, ending with the
selection - if necessary - of appropriate further protections.The systematic steps of a Fire Risk Assessment are (each step is detailed in the following):
Definition of Risk Assessment Objectives;
Hazards Identification;
Scenarios Identification;
Frequency of Occurrence Analysis;
Consequences Evaluation;
Risk Assessment;
Risk-based fire protection analysis and recommendations.
-
7/28/2019 Fire Risk Evaluation
11/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 6D'Appolonia Contribution to ESReDA Report
2.2 DEFINITION OF RISK ASSESSMENT OBJECTIVESPrior to the start of a Risk Assessment it is imperative to have a clear project scope
(conforming to code/insurance requirements for acceptable level of risk, or reduction of
human fatalities/injuries, or improving cost-effectiveness of risk prevention, minimizing
business interruption, etc.) and to explicitly state and agree upon project objectives and
establish management's acceptable risk criteria for risk comparisons.
Also, it is necessary to choose/define models and algorithms for the consequences
determination (potential sizes of vapour clouds, overpressure from explosions, thermal
radiation intensities), select the appropriate weather conditions and finally select appropriate
sources of failure rate/reliability data.
The ensemble of all the above criteria is normally called "FRA/QRA Rule Sets" and may be
contained in a specific document to be issued before the development of the Fire RiskAnalysis.
2.3 HAZARDS IDENTIFICATION
Fire Risk Analysis begins with the identification of fire hazards. This is a critical step, since
that fire and explosion hazards not properly identified and defined in terms of
cause/consequences cannot be properly addressed, or they can be misleading, within the risk
assessment framework.
Results of the Hazards Identification should include the identification of the physical and
chemical properties of materials processed/stored/transported on site that can harm
employees/public/property/environment or other selected risk targets, and the identificationof weakness in the design/operation/protection of facilities that could lead to toxic exposures,
fires or explosions, and the evaluation of the potential hazardous events associated with a
process or activity.
Accurate information concerning plant processes, operating philosophy, material properties,
inventories, processing and storage conditions is required to perform hazard identification.
This step of the FRA is focused not only on normal operation, but also start-up, shut-down,
inspection, maintenance.
When possible, a review of the accidents historically recorded for similar process and
installations is important to identify possible hazards, representative failure modes
(equipment related, human error, system related), ignition sources, fire propagationcontributing factors, duration of the fire and general effect of loss mitigation factors.
Accident data from specific plant operations, if available, are usually the best source and
probably more accurate for specific equipment and operations, since the data reflect the
operating and maintenance practices of the specific facility.
-
7/28/2019 Fire Risk Evaluation
12/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 7D'Appolonia Contribution to ESReDA Report
Along with the historical review, structured analytical methodologies are available for
Hazard Identification on any well known or totally new process and installations. The most
frequently used structured hazard evaluation techniques include: Hazard Identification (HAZID);
Hazard and Operability study (HAZOP);
Failure Modes and Effects Analysis (FMEA);
Checklists;
"What-if" analysis.
HAZID is one of the best techniques for early identification of potential hazards and threats,
where hazards are any operations that could possibly cause a release of toxic, flammable or
explosive chemicals (including oil and gas) or any actions that could result in injury to
personnel or harm to the environment. It is commonly carried out in a workshop in which anexperienced facilitator leads a team of several competent specialists of different disciplines
through the identification process. The system under analysis is divided into sub-systems
and for each of these a structured brainstorm is done to identify hazards using a pre-defined
checklist (see Table 2.1). Where it is agreed by the Team that a significant hazard exists in a
particular area, the risk posed by the hazard is considered, assessed and recorded, along with
its expected consequences, safeguards and all possible means of either eliminating the hazard
or controlling the risk. When necessary, specific further actions are assigned within the
project parties for later follow-up and inclusion in the design.
Table 2.1: HAZID categor ies and guidewords
-
7/28/2019 Fire Risk Evaluation
13/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 8D'Appolonia Contribution to ESReDA Report
The HAZard and OPerability Study (HAZOP) Technique was developed in Britain by ICI
(Imperial Chemical Industries, Ltd.) during the 1960s as an engineering tool to overcome theproblem of the increasing complexity of modern design and to systematically identify
potential issues (safety and/or operability related) in both new or existing designs for
chemical and petrochemical plants.
The HAZOP Study is a systematic analysis of the Design, developed in order to assess the
possible hazards and the operability issues of the system. The methodology relies on a series
of guidewords that are applied to each "node" to identify process deviations and to
investigate their impact on Safety and Operability performances.
Table 2.2: Typical HAZOP Guidewords/Parameters and Deviations forContinuous Processes
PARAMETERS GUIDEWORDS DEVIATIONS
Flow
morelessnonereverseother than
high flowlow flowno flowreverse flowloss of containment
pressuremorelessnone
high pressurelow pressurevacuum
temperaturemorelessas well as
high temperaturelow temperaturecryogenic
levelmoreless
none
high levellow level
no level
state/ composition
morelessreversepart ofas well asother than
additional phaseloss of phasechange of stateoff-spec compositioncontaminantscorrosive concentration
reactionmoreas well asother than
runaway reactionside reactionexplosion
UTILITY: power, air, steam, nitrogen, coolingwater
No loss of
UNSTEADY OPERATION: startup,shutdown, maintenance, sampling, drainage
as well asother than
difficult hazardous
documentationpart ofas well asother than
incomplete documentationunclear documentationincorrect documentation
A "node" is a sub-system or a portion of a systems which can be analyzed alone (e.g. a
vessel, a column, a header, a compressor system, even a single line), together with the
relevant connections to the interfaces. The totality of the nodes shall cover all the Systems
under analysis, without missing any portion of them, until the whole Design is analyzed.
The Combination of Guideword and Process Parameter expresses the "Deviation", which is
the subject of the discussion. The Guidewords, in a HAZOP Analysis, are the "qualifying
words" for the deviation to be analyzed. Guidewords always apply to the parameter under
analysis and they express a sort of "change" or "passage" from a parameter desired state to
-
7/28/2019 Fire Risk Evaluation
14/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 9D'Appolonia Contribution to ESReDA Report
an un-desired one. Doing this, they "qualify" the passage of each parameter from the
"normal" state to a "deviation condition". In Table 2.2 the typical deviations considered
during an HAZOP are listed.For each deviation, the HAZOP Team identifies the possible causes, its consequences
(qualitatively) on process and operation and verifies the existence of sufficient systems of
prevention, detection and correction/mitigation of the outcomes. When considered
necessary, remedial measures are required depending on the expected qualitative likelihood
of the event and its consequence; these are recorded in the HAZOP worksheets in the form
of recommendations aimed at ensuring a subsequent proper follow-up by the project team.
(Ref. EPSC, 2000; CCPS, 1992).
Failure Modes and Effects Analysis (FMEA) is a systematic and structured methodology for
analyzing potential reliability problems: it is used to identify potential failure modes, to
determine their effect on the operation of the product and to identify actions to mitigate thefailures and to assure the highest possible yield, quality and reliability.
Checklist is a qualitative simplified approach, consisting of a listing of potential hazards,
usually with recommended practices. The fire protection engineer must focus on only those
points that are applicable to the specific project. Checklists do not capture the interaction of
fire risk factors, including the manner in which the importance of one fire risk factor will
change as a function of performance on another factor.
What-if Analysis is a structured - although simplified - brainstorming method used to define
what things can go wrong ("What") under certain circumstances ("If"), and to qualitatively
assess the likelihood and consequences of these situations. Results of the analysis form thebasis for making judgments on risk acceptability, and if necessary recommend course of
actions. Using what-If Analysis, an experienced review team, led by an expert facilitator,
can quickly and productively discern major issues concerning a process or system. Team
members usually include operating and maintenance personnel, design and/or operating
engineers, and a safety representative. As in HAZID and HAZOP, results of the analysis can
be expressed in the form of "actions" to be later followed up by the Team.
2.4 FIRE SCENARIOS IDENTIFICATION
Major Accidental Events (MAEs) are defined as those events which have the potential to
cause multiple fatalities or extensive asset damage, or that can potentially have massiveenvironmental/socio-cultural effect, or negative impact on Company reputation and its
ability to pursue business. MAEs are usually identified within the following categories:
Process Deviation Events (Top Events): events occurring as a consequence of a processmalfunction or an operating error and the simultaneous failure of the corresponding
foreseen process protection (e.g. overpressure in a vessel whilst the PSV is not working
properly);
Loss of Containment Events ("Random" Ruptures): events randomly occurring as aconsequence of an unexpected rupture and/or release from piping/equipment, due to
defect, wearing, corrosion or other unforeseeable problems;
-
7/28/2019 Fire Risk Evaluation
15/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 10D'Appolonia Contribution to ESReDA Report
Non-Process Events: events originated by external cause/impacts (e.g. dropped objects ornaval impacts).
HAZOP Analysis is normally considered the best way to identify all the potential credible
causes of release and leak due to Process Deviations (typically: overpressures). As a general
rule, all the causes/deviations that can possibly lead to an increase of operating conditions
without realistically exceeding the design conditions are not considered as potential Top
Events.
For example, typically, only deviations leading to an overpressure exceeding 1.5 times the
design pressure of a system (i.e. the proven conditions of hydraulic/pressure testing) is
considered a potential MAE for further analysis.
Loss of containment events (Random Ruptures) are normally identified based on statistical
approaches, as suggested by best practice criteria. From the project documents (P&IDs,PFDs, etc.) each unit of the facility is divided into representative sections and the possible
release locations are conservatively identified and the associated loss of containment
scenarios are analyzed.
The loss of containment events from equipment or piping can be caused by unexpected
failures due to material defects, fabrication errors, excessive wearing or corrosion,
maintenance errors, etc., and they could be of difficult quantification. It is common practice
to consider these cases by assuming a set of representative leak diameter for components
(vessels, pipework, pumps, compressors, valves, etc.) in each section of the plant. The Loss
of Containment Events identification phase is typically carried out in three steps:
identification of the existing isolatable sections within the facilities;
characterization of the isolatable sections in terms of operating conditions andinventories;
characterization of the realistic release point discharge conditions within each identifiedIsolatable Section.
Non-Process events potentially evolving in Major Accidental Events are for example
dropped object events or ship impact/collision events. These events, when found to be
statistically significant, can lead to similar release scenarios to those previously mentioned
for Top Events and Loss of Containment Events. The same modelling applies for
characterizing these releases.
A fire scenario is a time-sequence-based description of a fire incident. Structuring credible
fire and explosion loss scenarios is a fundamental aspect of the Risk Assessment process.
The most widely used technique for defining the structure and sequential logic of fire
scenarios is the Event Tree Analysis. An Event Tree is a visual model which describes
possible event chains developing from hazardous situations, such as fire initiation and
propagation. An example of Event Tree is shown in Figure 2.1. Very often the initial
hazardous situation (the starting box of the Event Tree) is called "Top Event" and it is in fact
identified with HAZOP and then quantitatively characterized with FTA.
Potential incidents of primary interest for the Fire Protection Engineer include events of
equipment/piping direct flame impingement, radiant heat from a fire (Pool Fire, Flash Fire,
-
7/28/2019 Fire Risk Evaluation
16/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 11D'Appolonia Contribution to ESReDA Report
Fireball), explosion overpressures (VCE: Vapour Cloud Explosion and UVCE: Unconfined
Vapour Cloud Explosion) and corrosive smoke/fire products concentration.
Previous events are typically associated with leaks and releases of flammable materials frompiping and equipment, and the typical initiating failure events generally include mechanical
failure (due to fatigue, corrosion, design errors, etc.), failure of Basic Process Control
Systems (BPCS), human error, external interactions (flooding, earthquake, etc.).
The accident sequence modelling with an Event Tree is - although visually simple - a crucial,
challenging and complex task, which present typical difficulties, such as:
The process leading to the outcome scenarios is normally highly time-dependent;
Escalation involves complex interactions between different equipment and with thesurrounding environment;
Timing and type of Human intervention may have extensive effects on the scenariodevelopment;
Small initial differences may lead to greatly different final scenarios.
Dynamic situations are probably the main challenge, and ETA is too static to be fully
adequate for suitable detailed analysis of accident dynamic sequences. However ETA is de-
facto the standard tool for scenarios modelling used in QRA and Fire Risk Analysis, and
currently no practical valid alternative tools and approaches exist for this purpose.
Figure 2.1: Event Tree Example
-
7/28/2019 Fire Risk Evaluation
17/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 12D'Appolonia Contribution to ESReDA Report
2.5 FREQUENCY ANALYSIS
The main difference between Fire Risk Assessment (FRA) and conventional Fire Protection
Engineering Assessment is that with FRA the assessment is not limited to deterministicanalysis. In developing a FRA, the uncertainties about whether fire will occur and systems
will operate are explicitly addressed.
2.5.1 TOP Events Likelihood of Occurrence
For the identified Top Events, the relevant frequency of occurrence can be evaluated using
Fault Tree Analysis techniques.
Potential Top Events are first identified with normal Hazard Identification techniques
(typically: HAZOP). All causes for each significant Process Deviation identified in the
HAZOP are considered together with the applicable safeguards and protections for
developing a Fault Tree of the event and then perform the reliability calculations to define
the resulting expected frequency of occurrence.
FTA is an analytical method for characterizing the occurrence of a specified, undesired event
(Top Event) using a graphic model (the Fault Tree) which represents the logical combination
of basic (low-level) events resulting in the occurrence of the Top Event.
The Fault Tree is a graphic "model" of the potential pathways in a complex system which
can lead to a foreseeable undesired event. The pathways interconnect several kind of
contributory events and conditions, using the Boolean Algebra logic symbols (AND, OR,
etc.). The Fault Tree Analysis uses numerical single probabilities of occurrence of the basic
events (Component reliability data, or failure data) to evaluate the propagation through the
model and eventually assess the expected frequency of the Top Event. A "typical" Fault
Tree is presented in Figure 2.2.
Figure 2.2: Fault Tree Example
-
7/28/2019 Fire Risk Evaluation
18/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 13D'Appolonia Contribution to ESReDA Report
Reliability data considered for the FTA development can be obtained from International
Sources databases (e.g. Sintef 1992, Sintef 2006, Exida 2007, Oreda 2002). Fault Tree
Analysis is typically performed using specialized computer programs which automaticallydevelop the reliability calculations as well as the graphical representation of the Fault Tree.
Among the most commonly used commercial codes are, for instance, ASTRA-Advanced
Software Tool of Reliability Analysis (developed by JRC), or Fault Tree+ (developed by
Isograph Inc.).
2.5.2 Loss of Containment Events Likelihood of Occurrence
In case of Loss of Containment events (Random Ruptures), historical failure data and/or
statistical data are typically used to assess the leak frequency of occurrence. For example,
historical failure data from the HSE Hydrocarbons Releases System (for Off-Shore
Applications) or from the Standard Reference API RP 581 (for On-Shore Applications) canbe assumed as basic failure data.
To evaluate the expected likelihood of occurrence for each credible loss of containment
event, all passive components identified (piping, vessels, etc.) within a given plant section
are considered to calculate the final failure frequency: a "parts count" is performed and the
expected frequency of failure of each "part" contributes to the frequency of the event
analyzed. Different sizes of leaks are considered and differentiated (e.g. ", 1", 4" and Full
Bore for API RP 581), and the "complexity" of the isolatable section is evaluated according
to suitable criteria: given similar conditions, a simple, straight pipe with no flanges or other
discontinuities has typically a lower leak frequency than a complex piping systems with
many flanges, tie-ins and valves along the route.
Typically, a threshold frequency value is defined in order to focus on the most significant
events and disregard the statistically negligible scenarios. Usually, 1.00 E-06 event/year is
considered a reasonable (and institutionally accepted) threshold value: below this expected
frequency, the event is not analyzed further being not statistically significant. This applies
either to Top Events and Loss of Containment Events or, as it will be discussed below, for a
single Scenario among those possible. The cut-off value is defined on the basis of the Risk
Acceptance Criteria which is established: This frequency value should represent a limit
below which any event, regardless of the severity of the consequences, poses an
"Acceptable" Risk.
2.5.3 Scenarios Likelihood of Occurrence
Regardless of the events root causes (process deviation, human error, "random" loss of
containment, etc.), once the accident is occurred, and the release has taken place, the
dynamic evolution of the event can lead to different potential scenarios. As illustrated
earlier, this evolution can be effectively characterized and represented by an Event Tree.
It is obviously necessary to differentiate the expected frequency of occurrence of the
different possible scenarios, being their respective consequences deeply different (e.g. and
explosion versus an harmless atmospheric dispersion).
The frequency evaluation of the final accidental scenarios typically accounts for the
characteristics of the released fluid (gas/liquid), for the released flow-rate, for the weather
-
7/28/2019 Fire Risk Evaluation
19/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 14D'Appolonia Contribution to ESReDA Report
conditions and flammable mass formation, for the presence of ignition (immediate/delayed),
for the presence of Safety Systems (e.g. ESD, fire fighting system), etc.
Starting from the initial undesired accidental event (process deviation or loss ofcontainment), the Event Tree displays the sequences of events through binary division at
each node (e.g. Immediate Ignition: Yes/No) until all final outcomes are considered. Each
binary node division is provided with a probability, therefore allowing the calculation of
each final scenario frequency starting from the likelihood of occurrence of the initial event
(see example of ET in Figure 2.1).
For assigning the correct probabilities to each binary node division, if possible, specific and
tailored considerations and assessments shall be made (e.g. from detailed info on the
presence of effective potential ignition sources - see Section 3.2.2). Missing project specific-
data and info, the applicable probability values to be applied to each of the different branches
of the Event Tree can be evaluated from standard literature data and international references(e.g. Lees, 1996; Cox et al., 1990). Typical values from literature are reported in Table 2.3,
Table 2.3: Ignition Probabilities
Immediate Ignition Probability
Release rate
(kg/s)
Gas/Vapour orTwo-Phase Release
Liquid Release
< 1 0.01 0.01
1 50 0.07 0.03
50 0.30 0.08
Explosion/Flash Fire Probability (Delayed Ignition)
Flammable Mass
(kg)Explosion Probability Flash Fire Probability
< 100 0 0.01
100 1000 0.001 0.03
1000 0.030 0.10
Immediate Ignition probability is expressed in this case as a step function of the flammable
fluid release rate, but better and more sophisticated methodologies are available to evaluate
the probability of ignition of flammable releases from onshore and offshore installations.
For instance, "IP Ignition Probability Review, model development and look-up correlations"
(UKOOA, 2006) provides the findings of a United Kingdom Offshore Operators Association
(UKOOA) / Health and Safety Executive (HSE) / Energy Institute (EI) co-sponsored projectundertaken by ESR Technology. In this work, look-up correlations in which ignition
probability is a continuous function of mass release rate have been derived (continuous on
one of three mass flowrate ranges: in any range the function is not yet constant as in the
previous step function, but is characterized by the same parameters).
The possible resulting scenarios of an immediate ignition are:
a Pool Fire for liquid releases;
a Jet Fire for gas releases;
a combined Pool Fire and Jet fire for two-phase releases.
-
7/28/2019 Fire Risk Evaluation
20/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 15D'Appolonia Contribution to ESReDA Report
Delayed ignition of a gas cloud can generate an explosion (UVCE or VCE) if the mass of gas
and the partial confinement of the cloud are sufficiently large; otherwise a simple rapid
combustion of the gas cloud enclosed within flammability limits (Flash Fire), withoutexplosion, is more likely to occur.
To complete the Event Trees and assess the correct scenarios frequency of occurrence it is
necessary also to quantify the probability of Fire Protection System performance success in
terms of conditional probabilities. Fire Protection System performance success is the
product of three probabilistic success measures (Ref. NFPA, 2002):
response effectiveness, correlated to the objectives of minimizing system response time;
online availability, correlated to the objectives of minimizing system downtime;
operational reliability, correlated to the objectives of minimizing the probability of failureon demand (PFD).
Following the analysis with Event Tree, a number of different scenarios in different
conditions is obtained, each with its own expected frequency of occurrence.
Each scenario is considered credible when its frequency of occurrence (as sum of
frequencies for all considered weather conditions) is higher than the defined cut-off
frequency for statistically negligible events. Therefore, following ETA, each scenario with
associated frequency of occurrence lower than the cut-off frequency is not further analyzed.
Consequences of scenarios with significant frequency of occurrence are instead further
assessed (see next Paragraph) and they contribute to the final Risk Level.
2.6 CONSEQUENCES EVALUATION
Consequence assessment is the evaluation and measure of the physical outcomes of an event
and/or associated scenarios. The evaluation is aimed at assessing the distances at which
hazard threshold values are reached. The selected threshold values associated to the damage
levels are defined prior to the development of the consequences calculations for heat
radiation, overpressure, toxic gas dispersion, domino effects, etc. The values are normally
set on the basis of Legislative Requirements, Corporate Policies, Design Requirements or
Best Practice.
The steps involved in the quantification of a flammable release include the characterization
of the release in terms of leak size and associated release rates, the phase(s) of the released
fluid, the duration of the event, the formation of flammable mixtures with air and associated
masses. Critical steps are the determination of the release rate and duration, and of the
dispersion characteristics that dictate the amount of formed flammable material. The
duration depends also on the response time and effectiveness of shutdown or isolation and
therefore on the position and reliability of gas and flame detectors and on the possibility to
manually or automatically activate the emergency shutdown.
Flammable outcomes can consist in pool fires, jet fires, BLEVEs (Boiling Liquid Expanding
Vapor Explosions - typical of GPL products), Flash Fires and/or vapor cloud explosions.
There are several general and specific references for the Mathematical and Physical
background of the Consequence Modeling (AIChE-CCPS, 2000; Cremer & Warner, 1981;
Prough, 1987; TNO, 1997). From these references, many predictive models have been
made available to Engineers and Scientists for the assessment of fire consequence hazards,
-
7/28/2019 Fire Risk Evaluation
21/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 16D'Appolonia Contribution to ESReDA Report
varying from point source techniques to more complex numerical methods based on
Computational Fluid Dynamic (CFD) calculations. Such predictive models can be
categorized as follows: semi-empirical models;
field models;
integral models;
zone models.
Several commercially available Computer Program can be used for the consequence
assessment, based on the application of the relevant models, which are normally hard-coded
in the Programs. These computer models generally estimate liquid, gas or two-phase
discharge rates, vaporization rates of liquid pool, distances to Thermal heat radiation,
distances to overpressure levels, distances to concentrations at ground, etc. Consequencesresults from these commercial codes are normally presented in the form of:
Tables: reporting for each scenario analyzed the distances at which are reached thresholdvalues in terms of heat radiation, overpressure, gas concentrations;
Contour maps: presenting the hazard distances from the release sources.
2.6.1 Semi-empir ical models
In general, semi-empirical models are task-specific, designed to address particular hazard
consequences, and provided with embedded correlations fitted to large-scale experimental
data. These models are mathematically simple and can be easily computer programmed with
short run times.
Point source models do not predict the flame geometry, but rather assume that the source of
thermal radiation is a single point in the flame and that a selected fraction of the heat of
combustion is emitted as radiation. These models generally over-predict the heat flux for
near-field conditions; however, they are reasonably reliable beyond a certain distance from
the flame.
Solid flame surface emitting models model the fire as a solid flame with heat being
radiated from the surface of the flame. They rely mainly on correlations for flame geometry
estimation, average surface emissive power (SEP) of the flame, atmospheric transmissivity
and view factors. The various surface emitting models differ in their methods of assessing
atmospheric attenuation of the heat flux, view factors, and the SEP. Well-validated solid
flame models provide a better prediction of flame geometry and external thermal radiationthan point source models.
2.6.2 Field models
Field models are CFD models based on numerical solutions of the Navier-Stokes equations
of fluid flow (i.e. a mathematical description of the conservation of mass, momentum and
scalar quantities in flowing fluid with a set of partial differential equations). To predict fire
behavior, these models incorporate various sub-models to account for the physical and
chemical processes occurring in a fire. All these models require validation against
experimental data before their use as predictive tools.
-
7/28/2019 Fire Risk Evaluation
22/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 17D'Appolonia Contribution to ESReDA Report
CFD is a powerful technique that provides an approximate solution to the coupled governing
fluid flow equations for mass, momentum and energy transport. The flexibility of the
technique allows the numerical solution of these equations in very complex 3-dimensionalspaces, unlike simpler modelling methods. CFD is now being increasingly used in fire
protection engineering to predict the movement of smoke in complex enclosed spaces.
Results of the calculations are the explosive masses, the flames length, the pools diameter
and the distances to the values of thermal radiation, peak overpressure and toxic
concentrations. The results of the consequence modeling are used as input during
Engineering to define fire and explosion protection requirements.
Limiting factors in the applicability of these models are related to high CPU requirements
and the need of expert users for being functional. Examples of commercially available field
models are FDS (Fire Dynamics Simulator - NIST) and FLACS (FLame ACceleration
Simulator), briefly presented in the following. Fire Dynamics Simulator (FDS) is a computational fluid dynamics model of fire-driven
fluid flow. The software solves numerically a form of the Navier-Stokes equations
appropriate for low-speed, thermally-driven flow, with an emphasis on smoke and heat
transport from fires. Smokeview (SMV) is a visualization program that is used to display
the output of FDS simulations. The Fire Dynamics Simulator and Smokeview
applications are developed by the National Institute of Standards and Technology (NIST)
of the United States Department of Commerce, in cooperation with VTT Technical
Research Centre of Finland. FDS and Smokeview are free software, not subject to
copyright protection and in the public domain.
FLACS (FLame ACceleration Simulator) is an advanced tool for the modelling of
ventilation, gas dispersion, vapour cloud explosions and blast in complex process areas.FLACS is used for the quantification and management of explosion risks in the offshore
petroleum industry and onshore chemical industries. It was developed by GexCon AS of
Norway.
2.6.3 Integral models
Integral models are a compromise between semi-empirical and field models, and are
mathematically similar to field models. In facts, Integral models also solve the conservation
of mass and momentum equations and contain sub-models for combustion and heat transfer,
however the mathematical approach is simpler than in field models, thus reducing computer
running time.
Some integral models have been validated against laboratory-scale experimental data and are
commercially available, such as PHAST by DNV or EFFECTS by TNO.
PHAST (Process Hazard Analysis Software Tools) is a well know computer packagedeveloped by DNV which examines the progress of a chemical process incident from
initial release through formation of a cloud or pool to final dispersion - calculating
concentration, fire radiation, toxicity and explosion overpressure. PHAST is a
comprehensive hazard analysis package, applicable to all stages of design and operation
across a range of process and chemical industry sectors. It is used to identify situations
which present potential hazards to life, property or the environment. Where congested
layout or obstacles (e.g. walls/structures) are present, the results of PHAST analysis can
-
7/28/2019 Fire Risk Evaluation
23/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 18D'Appolonia Contribution to ESReDA Report
be considered only an estimation of the actual hazard distance (in these cases a CFD
model such as FDS or FLACS should be used for more reliable results).
EFFECTS is a computer package developed and distributed by TNO which performscalculations to predict the physical effects of the release of hazardous materials.
Embedded in the EFFECTS code are the models developed by TNO for calculating the
physical effects for the release of hazardous substances (TNO, 2000, CPR14E "Yellow
Book") and for determining possible damage to man and his environment (TNO, 1992,
CPR16E "Green Book"). These publications have now been used around the world as a
Standard Reference in safety studies for many years. EFFECTS can model a process
incident from the initial release to final dispersion, calculating gas concentrations, heath
radiation levels, peak overpressures, etc. EFFECTS models are applicable to all stages of
design and operation across a range of process and chemical industry sectors. The same
limitations already highlighted for the PHAST model apply.
2.6.4 Zone models
Zone models are simplified models where a module/room or a compartment is divided into a
number of zones that are assumed physically distinct, but interfaced with each other and
modelled with empirical heat and mass transfer equations. Zone models have wide
applicability and validity only for the purposes for which they are designed, i.e. buildings
with reasonably small rooms and predominantly small vertical vents.
2.7 RISK ASSESSMENT
The Assessment of the Risk is made combining the consequences and likelihood ofoccurrence of all scenarios considered and evaluating the resulting Risk against one or more
measures which represent the Tolerability Criteria.
The Ranking of the Risk, and the Assessment of its tolerability is a powerful tool for
Engineers for identifying the critical aspects of any design and process, prioritize the
available resources and - if needed - identify and define specific prevention or mitigation
measures to reduce the scenario risk Acceptable levels.
Very often the Risk is evaluated via the definition and calculation of a specific Risk Index,
which is calculated for all applicable scenarios and then for the whole area/installation and
compared with the acceptable level prior established.
The most common Risk Indexes evaluated within a FRA are the following:
Qualitative Risk (based on the use of Risk Matrix);
Local Risk (LSIR - Location-Specific Individual Risk);
Individual Risk (IR, or IRPA - Individual Risk Per Annum);
Societal Risk.
-
7/28/2019 Fire Risk Evaluation
24/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 19D'Appolonia Contribution to ESReDA Report
2.7.1 Risk Matrix
A Risk Matrix (or Tolerability Matrix), is a semi-quantitative tool in the form of a matrix
that has ranges of consequence severity and likelihood of occurrence as the axes. Thecombination of a consequence and likelihood range gives an estimate of Risk or a Risk
Ranking. an example of Risk Matrix is provided in Figure 2.3.
The Risk Matrix represent the Tolerability Criterion for that specific Risk Assessment. The
different values and "regions" of the matrix (high, medium, low, tolerable, intolerable, etc)
can be based on Legislative and local Requirements, Corporate policies, Site-specific
requirements, or simply best practices.
The frequency class is attributed on the basis of the accidental scenario frequency calculated
by Event Tree Analysis.
The consequence class is attributed considering the extension of the hazard areas, defined on
the basis of the threshold values defined for the job, and the presence of personnel and/or
critical equipment within the hazard ranges.
For scenarios classified as 'intolerable' according to the matrix, specific prevention or
mitigation measures shall be identified and the scenario risk shall be reduced to Acceptable
levels. For scenarios classified as belonging to the 'ALARP' region, prevention or mitigation
measures can be identified, if they are economically and technically feasible (ALARP
principle - As Low As Reasonably Practicable).
Figure 2.3: Risk matrix (Example)
-
7/28/2019 Fire Risk Evaluation
25/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 20D'Appolonia Contribution to ESReDA Report
2.7.2 Location Specific Individual Risk
Location Specific Individual Risk (LSIR, or LR - Local Risk) is the risk at a particular
location for a hypothetical individual who is permanently positioned there for 24 hours perday, 365 days per year, with no possibility of being sheltered or evacuated.
LSIR can be graphically represented using risk contours lines. A risk contour line is a
closed curve graphically depicting limits at constant potential risk. Points within the contour
represent a risk greater than or equal to the risk of the contour edge. The risk contours show
the expected frequency of fires and explosions capable of causing a specified level of harm
to an individual at a specified location, regardless of whether or not anyone is present at that
location to suffer that harm.
An example of Local Risk contour lines is provided in the following Figure 2.4.
Figure 2.4: Local Risk Contour Lines (Example ARIPAR Code)
2.7.3 Individual Risk
Individual Risk is the total risk of death for a fixed period of time (usually one year, thus
called IRPA - Individual Risk Per Annum) to which a worker or a member of the community
may be exposed from all credible hazards and sources of accidents. It is calculated as the
multiplication of scenario frequency, portion of time for which the person is present in the
specific location and fatality probability (or vulnerability). If there are several locations
where the individual could be present, the total risk from the scenario can be summed from
the risk at each location. If there are several scenarios that can involve the locations where
-
7/28/2019 Fire Risk Evaluation
26/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 21D'Appolonia Contribution to ESReDA Report
one individual could be present, the total risk is summed from the risk for the single
scenario.
2.7.4 Societal Risk
Societal Risk is a measure of Risk to a Group of People. It represents the level of risk
experienced by the whole group of people exposed to the potential major accident hazards,
and it is most often expressed in terms of the frequency distribution of multiple casualty
events. Since this measure of risk is related to the total exposed group, it is dependent on the
total number of people of each operators group.
Societal Risk takes into account the likelihood of multiple casualties resulting from fires or
explosions, and it is normally presented in the form ofF/N curves, which are plots of the
cumulative frequency of multiple fatalities (F) versus the expected number of fatalities (N).
These curves can provide useful insight into the degree of risks from a facility or hazardousprocess to the employees on the plant site and to the community located beyond the plant
boundaries. The ranking of the events that contribute most to the total risk allows the
analysts to focus attention on the most critical failures and facilitates efficiency in assessing
prevention and mitigation risk reduction options for those events.
An example of F/N Curves is presented in the following Figure 2.5.
Figure 2.5: F-N Curves (Example ARIPAR Code)
Generally speaking, specific Software Models (e.g. ARIPAR, by University of Bologna) are
available to assess in quantitative terms risks connected with processing, storage and
transportation of dangerous substances. They combine the calculated consequences severity
and likelihood of all events to produce the risk measures.
If the risk is unacceptable according to the applied criteria, cost-effective options for
reducing or mitigating risks are identified and selected, by systematically evaluating
-
7/28/2019 Fire Risk Evaluation
27/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 22D'Appolonia Contribution to ESReDA Report
applicable measures to reduce the expected frequency of occurrence and/or to mitigate the
severity of the events. Traditional fire protection measures (e.g. detection or sprinkler
systems) and management safety controls (such as loss prevention programs and emergencyprocedures) are typically evaluated to establish if their implementation could reduce the Risk
within the applicable parameters.
2.8 RISK-BASED FIRE PROTECTION
In conclusion, Risk-based Analysis can provide a fundamental decision support tool based
on the expected outcomes of fire scenarios, through quantification of expected likelihood of
occurrence and assessed consequences in terms of people exposure, equipment and structure
damage, production down time, etc.
On the basis of the Risk Analysis results, different alternatives for Fire prevention and
protection are assessed evaluating the potential benefits in terms of risk-reduction versuscosts for implementation, providing decision-makers with an effective instrument for
prioritization and optimization of budget allocations, therefore aiding the correct installation
(technically and cost-wise) of fire detection and protection systems in order to significantly
reduce the Risk of Fire.
-
7/28/2019 Fire Risk Evaluation
28/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 23D'Appolonia Contribution to ESReDA Report
3 DATA FOR FIRE RISK ANALYSIS
This chapter presents an overview of the data typically required to perform a Fire RiskAnalysis (FRA). The basic information necessary for performing a FRA on a plant of
facility are relevant to Process, Layout, Materials and Substances, Instrumentation and
Controls in place and existence of Protection systems. The minimum necessary data from a
typical Project Design are1:
Process Flow Diagrams (PFD);
Piping and Instrumentation Diagrams (P&ID);
Site Layouts/Plot Plans;
Material Safety Data Sheets;
Heat & Material Balances;
Process Control Philosophies;
Safety Philosophies;
Operation and Maintenance philosophies;
Emergency Response Provisions;
existing Hazard Identification studies (if any);
Environmental and territorial data.
As will be explained in the following, previous Plant-Specific data shall be integrated as
necessary with literature and statistic data for the full identification of all inputs to the
mathematical models which will be applied during the FRA.
This Chapter is organized into the following sections:
Historical Incident Data;
Process and Plant Data;
Chemical Data;
Environmental and Territorial Data;
Reliability Data;
Uncertainty, Sensitivity and Importance.
3.1 HISTORICAL INCIDENT DATA
The Historical Review of accidental events recorded for similar installations to the one under
analysis is very often the first step performed during Risk Analysis activities. The reasons
are immediately obvious: this review is typically simple and relatively quick, it can provide
a significant insight on "real" events which happened in the past, it can aid the Lessons
Learning process and, through the analysis of the past events initiating causes, it can provide
a formidable tool for identifying the typical issues and problems related to a given design.
1 This is a minimum list and very likely additional information shall be needed according to the specificproject.
-
7/28/2019 Fire Risk Evaluation
29/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 24D'Appolonia Contribution to ESReDA Report
Historical incident data may be used to both directly estimate top event frequencies or
validate outcomes from frequency analysis model (e.g. FTA, ETA).For being meaningful for frequency assessment, the historical incident data must include
sufficient and accurate records applied in a significantly large population. When the
population is small, the statistical significance of the recorded events is poor, and no serious
frequency assessment can be undertaken with these data2.
Most of the data sources address major events or failures such as pipeline leaks and ruptures,
major fires or explosions, accidents causing fatalities or serious injuries, leaks of toxic
materials, transportation accidents, i.e. events sufficiently serious to be reported in publicly
available sources. very often, though, no or little relevance is given to the so-called "near
misses", i.e. events which had the potential for a major effect but which have been somehow
"controlled" or "eliminated" thanks to the protections in place. These latter events are too
often disregarded, although their statistical significance can be even greater that thoseactually reported in the databases.
According to the type of provided data, data sources can be grouped into three categories:
data sources that provide information on failure mechanism and initiating causes;
data sources that provide information on consequence effects (i.e. downwindconcentration levels, thermal radiation levels, etc.);
data sources that provide information on frequencies of certain types of incidents.
Granting the completeness and statistical significance of the analyzed data, data sources in
the first two categories may be mostly helpful in developing Fault Tree or Event Tree models
and in understanding the consequences of a specific incident. Data sources in the thirdcategory can be useful for frequency assessment of the events or probabilistic analysis of
event types.
Data are typically in the form of published statistics or computer databases available for
consultation on a fee-paying basis. A not exhaustive list of important available sources of
incident data follows:
MARS (Major Accident Reporting System) European Commission Joint ResearchCentre Italy: database on major accidents reported under the Seveso Directives; over
700 accidents and near misses collected since 1982;
FACTS (Failure and ACcident Technical information System) - TNO The Netherlands:
computerized database for incidents (worldwide) with hazardous materials, near missesalso included;
MHIDAS (Major Hazard Incident Data Service) Head of Major Hazards and TransportGroup - Warrington (UK): computerized major incident database (worldwide); incidents
must have had potential for off-site impact to be included;
WOAD (World Offshore Accident Databank) DNV Norway: computerized databankfor Offshore accidents worldwide;
Loss Prevention Bulletin IChemE, UK: Annual survey of chemical industry accidents(worldwide), covering a wide range of accidents and with accident descriptions;
2 However they can be used for Hazard Identification purposes.
-
7/28/2019 Fire Risk Evaluation
30/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 25D'Appolonia Contribution to ESReDA Report
"One Hundred Largest Losses" M&M Protection Consultants New York: Annualreview of large losses in the hydrocarbon-chemical industries;
Hazardous Cargo Bulletin: Annual Survey;
"Loss Prevention in the Process Industries" F. P. Lees: the book contains several casestudies of major chemical incidents and a wide chronological listing of accidents;
"Major Chemical Hazards" Marshall: contains 40 case studies of major incidents;
"A survey on Industrial Accident Databases", Bockholts et al. (1986);
HSE Hydrocarbons Releases System: Off-Shore Applications;
Standard Reference API RP 581: On-Shore Applications.
3.2 PROCESS AND PLANT DATA
During the development of a Fire Risk Analysis, the designated Analyst must understand and
be thoroughly familiar with the plant/facility processes and the interdependence among units
and different parts of the plant. He shall also have a clear knowledge of the inventories of
substances and conditions of materials. Previous information must be relevant to the plant as
it actually operates, which may be different from the original design. Very often, the simple
review of the Project design is not sufficient and on-site interview of operating and
maintenance personnel and/or on-site inspection are required.
In the following, a typical list of data and information relevant to Plant and Process Design
necessary for the development of the FRA is described.
3.2.1 Plant Layout and System Descrip tion
The following typical list of required data may represent a checklist relevant to Plat/Process
Design necessary information:
Process Flow Diagrams (PFDs), including process description, Heath and MaterialBalances for each stream and specific operating parameters (temperature, pressure);
Piping and Instrument Diagrams (P&IDs), including utilities;
plant layout drawings (plant and immediate surroundings including elevations);
process design basis and description, including utilities (cooling, steam, electricity,instrument air, utility back-up systems);
physical and chemical properties of all process substances (e.g. with Material Safety DataSheets - MSDS);
process chemistry (including side reactions under normal and abnormal conditions);
Process fluids chemical interactions with construction material;
Process interfaces (including vents and pressure relief systems);
waste treatment and pollution control systems;
equipment specifications and detailed drawings;
fire water and drainage system drawings;
control logics (instrument loop-sheets, relay logic diagrams);
-
7/28/2019 Fire Risk Evaluation
31/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 26D'Appolonia Contribution to ESReDA Report
operating instructions and philosophies (storage inventory levels, operating schedule,start-up and shut-down, operator training, safety policy);
protection systems diagrams (fire protection, emergency relief, interlock and alarmsystems);
maintenance records;
maintenance philosophy and programs;
emergency response procedures;
past hazard identification information (if any).
3.2.2 Ignit ion Sources and Data
One fundamental step during the development of a Fire Risk Analysis is the identification of
all ignition sources that may be reached by any clouds of released flammable material in aconcentration within flammable limits.
The type of Hazard posed by the ignition of any flammable mixtures depends heavily on the
timing of the ignition and on the level of confinement of the released cloud. Major
flammable releases may be ignited immediately or far from the leak source; in this latter
case the released material can develop into a fully formed flammable cloud before ignition,
with the possible occurrence of explosion phenomena.
If Ignition occurs relatively fast after release (due, for instance, to immediate contact with a
hot surface) the most typical event is a jet/pool fire - depending on the nature of the released
fluid - which can directly impinge with flames the near-by equipment and affect the
surrounding areas with high thermal radiation levels.
If ignition occurs after some time, the released material can accumulate into a flammable
cloud (directly if gas or vapor or due to later evaporation if liquid) and this can be then
ignited provoking an explosion, especially in case of high congestion of the volumes
occupied by the flammable cloud (partial/total confinement).
Ignition may be caused by open flames and sparks, hot surfaces, static electricity,
mechanical friction, chemical reactions or human activities. Typical sources of ignition
include flares, boilers, fired heaters, vehicle traffic, electrical motors, hot works (such as
welding or cutting), lightning, overhead high voltage lines.
When identifying potential ignition sources, all possible sources on-site are accounted for,
starting from the immediate vicinity of the release point and then farther, in the possible
direction of the release dispersion. It is evident that as the distance from the release point
increases, more and more potential ignition sources can be found on the path,
correspondingly reducing the actual likelihood that an "un-disturbed" release somehow
travel so far without ignition.
-
7/28/2019 Fire Risk Evaluation
32/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 27D'Appolonia Contribution to ESReDA Report
Calculating ignition probability is a difficult task. Given the presence of a flammable
mixture, the probability of ignition is generally a function of two components:
The Presence Factor: probability that the ignition source will be present; The Strenght Factor: granted existence of the ignition source, probability that it is
capable of actually igniting the cloud in a given time interval (this depend on the energy
of the ignition source versus the minimum energy required to ignite the flammable
material).
3.3 CHEMICAL DATA
Accurate information concerning material and substance chemical and physical properties is
required to perform hazard evaluations. Detailed information is needed on the physical and
chemical properties of process materials (from raw materials to intermediates and final
products):
thermodynamic data (including vapour pressure, boiling point, freezing point, criticaltemperature and pressure, enthalpies, entropies, specific and latent heats, heats of
combustion);
flammability data (flash point, lower and upper flammable limits, auto-ignitiontemperature, minimum ignition energy, burning velocity);
dust explosion data (maximum rate of pressure rise, layer ignition temperature, cloudignition temperature and ignition energy, minimum dust concentration for combustion);
industrial hygiene and toxicity data (short-term exposure data, protective equipmentneeded);
chemical interaction and reactivity data (including effect of contaminants).
Some of previous information data can be obtained from Material Safety Data Sheets
(MSDS), and most other data and Flammability data can be easily obtained from literature
references3 (e.g. Fire Protection Handbook, Cote, 1986). Other suitable data sources for
chemical and physical properties are:
NFPA 68, 1994, "Guide for Venting of Deflagrations" - Dust data for explosion ventingcalculations;
American Conference of Governmental Industrial Hygienist's, 1996 "Threshold LimitValues for Chemical Substances and Physical Agents" - Industrial hygiene and toxicity
data;
AIChE's CCPS, 1995, "Guidelines for Chemical Reactivity Evaluation and Application toProcess Design" - Information on chemical reactivity hazards.
3 Available data in the publications are normally given at atmospheric temperature and pressure, however validdata at process conditions can be needed. In such case experimental data campaigns can be found inspecialized literature papers and publications.
-
7/28/2019 Fire Risk Evaluation
33/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 28D'Appolonia Contribution to ESReDA Report
3.4 ENVIRONMENTAL AND TERRITORIAL DATA
Fire Risk Analysis require environmental and weather information and data for the
prediction models input, and territorial data for the assessment of impacts on the plantsurroundings following an event occurrence. Territorial data can heavily affect the outcomes
of the Risk assessment: the Risk associated with a plant in a densely populated area is
significantly different from the Risk posed by the same plant in a remote location.
Important territorial and environmental data include population data, site meteorological
conditions, geographic and topographic data, and information on man-made or natural
external events.
3.4.1 Population Data
The population distribution (or population density) around the site is one main data for Risk
estimation. Sources of population data for an area are census reports, detailed maps, aerial
photographs and site inspections by the analyst. Special attention must be given to potential
seasonal variations, time variation (day/night), and to the population vulnerability according
to the population type and conditions (e.g. children, adults, people with disabilities, etc.).
3.4.2 Meteorological Data
Gas and vapors dispersion in open air, and the transport properties of heath and radiation are
strongly affected by weather conditions.
Meteorological data, including data on wind speed, temperature and atmospheric stability
class, are typically collected in local meteorological station at Plant sites, or they can be
easily obtained from civil or military meteorological stations in the vicinity of the site.
These data are generally provided in the form of statistical daily, weekly, monthly and
annual averages over a long period of time (several years). Available data normally include
Wind Speed and direction, Air temperature, Humidity, Solar radiation and cloudiness (from
these latter two a significant parameter: the "Atmospheric Stability Class4" can be
calculated).
Wind data are typically presented in aggregated form using the "Wind Roses": a circular
multiple data graphic tool used to give a summary view of how wind speeds and directions
are distributed at a particular location. Wind Rose diagrams normally include 8, 12 or 16
sectors (wind directions), several wind speed "ranges" and Seven Atmospheric Stability
Categories. A typical wind rose is shown in Figure 3.1 from which it is possible to infer thepercentage frequency of the wind blowing in each direction and the wind speed in each
direction. Disaggregated data (e.g. daily or weekly) are typically provided in tabular form.
4 The most commonly used categorization for this parameter is the Pasquill Stability Class.
-
7/28/2019 Fire Risk Evaluation
34/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 29D'Appolonia Contribution to ESReDA Report
Figure 3.1: Wind rose (example)
The degree of aggregation of meteorological data for analysis depends on the resolution and
accuracy required by the FRA. A single "representative" weather condition (combination of
atmospheric stability and wind speed) can be used for worst case calculations. Most Risk
Analyses are carried out considering at least two weather conditions (more if needed):
Weather situation representative of Stable Conditions and low wind speed, conservative
case for flammable mass accumulation and explosion effects: typically 2F - 2 m/s windspeed and Pasquill Stability Class F (Stable);
Weather situation representative of Neutral Conditions and medium wind speed,conservative case for distance to thermal radiation effects: typically 5D - 5 m/s wind
speed and Pasquill Stability Class D (Neutral).
3.4.3 Territorial Data
Territorial data are important for the assessment of impacts on the plant surroundings
following an event occurrence, and for carrying out the formal Risk assessment considering
the "population" (inside the plant or outside the plant fence).
Geographic data to be retrieved include territorial and site maps on an adequate scale, or
aerial photographs, useful in evaluations of the effects and in the visual presentation of the
results of the analysis (e.g. contour plots or dispersion footprints).
Local topography is important in the mathematical modelling of the gas/vapor dispersion in
air: obstacles need to be taken into account in the dispersion modelling algorithm with a
ground average "roughness" parameter.
-
7/28/2019 Fire Risk Evaluation
35/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 30D'Appolonia Contribution to ESReDA Report
3.4.4 External Event Data
Under the category of "External events" fall all those occurrences which are not generated
within the plant/facility and whose root causes are not linked in any way with the activitiesbeing carried out in the plant/facility. External events are either man-made (e.g. aircraft
crashes), or natural (e.g. seismic events, tornadoes, flooding, etc.). Relevant to Natural
occurrences, if the plant is built in an area known to be susceptible to such events, it should
be designed to withstand them.
Design data should be obtained on individual critical items to determine their performance
under incident conditions. If applicable, private, Government and/or Military institutions
shall be consulted for gaining information on expected likelihood of occurrences of events
and their possible outcomes (e.g. expected return times, damage degrees, etc.)
For instance, Information on the frequency of seismic events and their effects can be
obtained from the National and International Seismological Centre. Other institutions mayapply for different scenarios. This is a verification whose benefit is evidently highest when
performed at design stage.
3.5 RELIABILITY DATA
In order to estimate equipment reliability parameters and/or calculate incident likelihood of
occurrence, failure rate data are needed for all process equipment included in the study.
Equipment reliability can be defined as the probability that, when operating under given
conditions, process equipment will perform its intended function adequately for a given
period of time.
Unavailability (or Probability of Failure on Demand - PFD) of a Protective System is the
probability that the system is in a failure state when a demand on that system occurs.
Tailored and plant-specific data, when available and statistically significant, are the best
possible choice. These are very often totally missing, or lacking completeness, or with little
statistical significance. In such cases generic average data retrieved from specialized
literature and databases can be used. Useful Literature Equipment Reliability Data and
Protective Systems Unavailability Resources are:
Sintef, "Reliability Data for Safety Instrumented Systems";
Exida, "Safety Equipment Reliability Handbook";
Oreda, "Offshore Reliability Data Handbook 4th
Edition".
In some instances, the generic average data from literature sources can be conveniently
combined with plant-specific Data (e.g. by a Bayesian approach), obtaining more pertinent
data for the plant under analysis on the basis of a limited amount of plant reliability
information.
-
7/28/2019 Fire Risk Evaluation
36/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 31D'Appolonia Contribution to ESReDA Report
3.5.1 Human Reliability Data
A particular category of Reliability Data is represented by Human reliability information.
This is often a major issue when developing a Risk Analysis. In many plants and facilities,in facts, the real bottleneck to safety is represented by the not-instrumented safety functions,
i.e. those protections which need operators intervention for being actuated. In a normally
maintained modern Plant of average complexity, operators are - by far - the most un-reliable
"protection item", as it is can be demonstrated by historical analysis. Human reliability
proves to be a most important factor not only during emergency conditions, but also during
operation and during maintenance activities.
Probability of human error is typically inversely proportional to operator experience and
skill, however many are the factors which can affect human reliability: complexity of the
task, environmental conditions, ergonomic factors, motivation, level or perceived
psychological stress, skill and training, presence and quality of written instructions, socio-cultural aspects, etc.
To evaluate the probability of failure of a plant operator to carry out a certain task, it is
possible to apply qualitative empiric techniques (such as the "TESEO" Method) or, as
alternative, techniques based on a Task-Analysis approach. Typically, when developing an
FRA, empiric techniques are currently mostly used, however more complex Task-Analyses
are increasingly applied in modern engineering.
3.6 RISK UNCERTAINTY, SENSITIVITY AND IMPORTANCE
Uncertainty, sensitivity and importance are central issues in the utilization of risk results
(AIChE, CCPS, 2000):
Uncertainty analysis is used to estimate the effect of data and model uncertainties on therisk estimate.
Sensitivity analysis estimates the effect of varying input to component models or themodels themselves, individually or in combination. It can identify which models,
assumptions and data are important to the final risk estimate.
Importance analysis quantifies and ranks risk estimate contributions from subsystems orcomponents of the complete analysis.
Data and input uncertainties arise from both lack of knowledge of specific input values andvariations in input values as a function of many factors, such as time, temperature, or region
of the country. For example, the rate of heat release may be uncertain due to lack of
available data, but also due to the test method by which the heat release rate is measured that
could not specify all combinations of ignition source and strength, or due to the inaccuracies
inherent in the instrumentation used in the test. Other inputs, such as concentrations of toxic
gases, vary with time as the fire develops and are uncertain. The species production rates,
used to predict concentrations, are a function of the combinations of materials actually
burned, unknown a priori.
-
7/28/2019 Fire Risk Evaluation
37/38
Doc. No. P-HSE-H6Rev. 0 - September 2009
ESReDA Pag. 32D'Appolonia Contribution to ESReDA Report
Human behavioural uncertainties concern both the way in