DCMH.

CH4051 Process Safety
Risk Analysis and Assessment

Prepared by:
Dr. Mardhati Zainal Abidin, Universiti Teknologi PETRONAS
AP Ir. Dr. Risza Rusli, University of Doha for Science & Technology

For: Ho Chi Minh City University of Technology
Learning Objectives

To learn and understand concepts that are commonly used by industry to conduct risk analysis and assessment. This includes:

1. Probability theory.
2. Event tree, fault tree analysis and bow-tie analysis.
3. Risk analysis and assessment methods, including quantitative risk analysis (QRA).
4. Societal and individual risk, and how these are quantified.
5. Risk tolerance criteria.
Introduction

The stages of risk analysis and assessment, and the question each stage answers (figure in the original):

Hazards identification
1. What are the hazards?

Hazards evaluation
2. What can go wrong and how?
3. How bad could it be?
4. How often could it happen?

Risk analysis (hazards identification and evaluation, plus the risk estimate)
5. What is the risk?

Risk assessment (risk analysis, plus the decision on control)
6. How do we control and manage this risk?
Probability Theory

❑ Probability or likelihood: a quantitative measure of the certainty or uncertainty in the occurrence of a value, value range, event, or event sequence. Probability is defined as a number without units within [0, 1].

❑ Frequency (as used in probability theory): number of probable occurrences of an event per unit time (often year or hour), per repetition of a test (dice throws), or per unit distance, area, or volume.
Probability Theory

❑ Frequentist: from observations of event occurrences, $n/N$ (e.g., sampling red balls from an urn holding $n$ red balls among $N$ red and black balls; the approach is not useful for rare events).
❑ Subjectivist: from the available knowledge (including expert judgment or belief) about event occurrences, an estimate of $n/N$ (needed especially for rare or unobserved events, or new designs with no prior history).
❑ Bayesian: based on Bayes' theorem; combines prior information with new evidence from expert judgment and/or system observations to give an updated posterior probability estimate, and allows continual updating.
Probability Theory

POISSON DISTRIBUTION (constant failure rate $\mu$). The probability $R(t)$ that a component will not fail during $(0, t)$ is called the reliability:

$$R(t) = e^{-\mu t}, \qquad P(t) = 1 - R(t) = 1 - e^{-\mu t}$$

$$f(t) = \frac{dP(t)}{dt} = \mu\, e^{-\mu t}$$

$$P(t_0 \to t_1) = \int_{t_0}^{t_1} f(t)\,dt = e^{-\mu t_0} - e^{-\mu t_1}$$

$$\text{Mean Time Between Failures (MTBF)} = E(t) = \int_0^{\infty} t\, f(t)\,dt = \frac{1}{\mu}$$

$R$: reliability (no units); $P$: failure probability (no units); $\mu$: average failure rate (time$^{-1}$); $f(t)$: failure density (time$^{-1}$).

Bathtub curve: the failure rate is taken as constant, $\mu = c$, over the useful life of the component (between the early-failure and wear-out regions). The original figure plots $R$, $P$ and $f$ against $t$; the area under $f(t)$ is 1.
Probability Theory

Example: A device is found to fail once every 2 years. What is the failure rate, the failure probability and the reliability at the end of 1 year, and the MTBF?

Answer:

The failure rate, $\mu$, is given by: $\mu = 1 / 2\ \text{years} = 0.5\ \text{yr}^{-1}$

The reliability is given by Equation (12-1):

$R(t) = e^{-\mu t} = \exp\left[-(0.5\ \text{yr}^{-1})(1\ \text{yr})\right] = 0.607$

The failure probability is given by Equation (12-2):

$P(t) = 1 - R(t) = 1 - 0.607 = 0.393$

The Mean Time Between Failures is given by Equation (12-5):

$\text{MTBF} = \dfrac{1}{\mu} = \dfrac{1}{0.5\ \text{yr}^{-1}} = 2\ \text{years}$
Interaction

Example: Compute the overall failure rate, the unreliability, and the MTBF of the following flow control loop. Assume a 1-year period of operation.

We have 3 components: the control valve, the controller and the DP cell. These components are related in series, i.e., if any one component fails the entire flow control loop fails.
Interaction

Look up the failure rates for these three components from Table 12-1. Then compute the reliability and failure probability for each component for a 1-year time period.

Component     | Failure rate $\mu$ (faults/yr) | Reliability $R$ | Failure probability $P = 1 - R$
Control valve | 0.60                           | 0.55            | 0.45
Controller    | 0.29                           | 0.75            | 0.25
DP cell       | 1.41                           | 0.24            | 0.76

The overall reliability for components in series is given by Equation (12-8):

$R = \prod_{i=1}^{3} R_i = (0.55)(0.75)(0.24) = 0.10$
Interaction

The failure probability is then given by Equation (12-2):

$P = 1 - R = 1 - 0.10 = 0.90$ (the probability of failure within the 1-year period; a probability carries no units)

The overall failure rate is computed from the definition of the reliability, Equation (12-1), with $t = 1\ \text{yr}$:

$R = 0.10 = e^{-\mu t}$, so $\mu = -\ln(0.10) = 2.30\ \text{failures/year}$

Check: for components in series with constant failure rates the rates simply add, and $0.60 + 0.29 + 1.41 = 2.30$ failures/year, in agreement.

The MTBF is given by Equation (12-5):

$\text{MTBF} = \dfrac{1}{\mu} = \dfrac{1}{2.30\ \text{yr}^{-1}} = 0.43\ \text{yr}$
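The single-device example and the series flow-control-loop example above, carried through in code. This is an added example, not code from the lecture; it uses the Table 12-1 rates quoted on the slides and the constant-failure-rate (exponential) model of Equations (12-1), (12-2), (12-5) and (12-8). The series_system function also returns the sum of the component rates so the reader can confirm that, for exponential components in series, the system rate equals that sum.

```python
"""Constant-failure-rate (exponential) reliability arithmetic.
Added example; not code from the lecture."""
from math import exp, log
from typing import Dict

# Failure rates from Table 12-1 of the lecture (faults/year) for the
# three series components of the flow control loop.
FLOW_LOOP: Dict[str, float] = {"control valve": 0.60, "controller": 0.29, "DP cell": 1.41}


def reliability(mu: float, t: float) -> float:
    """R(t) = exp(-mu t): probability of surviving (0, t) without failure."""
    return exp(-mu * t)


def failure_probability(mu: float, t: float) -> float:
    """P(t) = 1 - R(t)."""
    return 1.0 - reliability(mu, t)


def failure_density(mu: float, t: float) -> float:
    """f(t) = dP/dt = mu exp(-mu t)."""
    return mu * exp(-mu * t)


def interval_failure_probability(mu: float, t0: float, t1: float) -> float:
    """P(t0 -> t1) = exp(-mu t0) - exp(-mu t1): probability that the failure
    falls inside the window (unconditional, not given survival to t0)."""
    if not 0.0 <= t0 <= t1:
        raise ValueError("need 0 <= t0 <= t1")
    return exp(-mu * t0) - exp(-mu * t1)


def mtbf(mu: float) -> float:
    """MTBF = 1/mu for a constant failure rate."""
    if mu <= 0.0:
        raise ValueError("failure rate must be positive")
    return 1.0 / mu


def series_system(rates: Dict[str, float], t: float) -> Dict[str, float]:
    """Components that must all work (series logic): the system reliability
    is the product of the component reliabilities. Backing the equivalent
    rate out of R gives the same number as adding the component rates."""
    r_sys = 1.0
    for mu in rates.values():
        r_sys *= reliability(mu, t)
    mu_sys = -log(r_sys) / t
    return {
        "R": r_sys,
        "P": 1.0 - r_sys,
        "mu": mu_sys,
        "mu_sum_check": sum(rates.values()),  # equals mu for exponential series
        "MTBF": mtbf(mu_sys),
    }


if __name__ == "__main__":
    mu = 0.5  # device failing once every 2 years, evaluated at t = 1 year
    print(f"R={reliability(mu, 1):.3f} P={failure_probability(mu, 1):.3f} MTBF={mtbf(mu):.1f} yr")
    print({k: round(v, 3) for k, v in series_system(FLOW_LOOP, 1.0).items()})
```

The product form is exact for independent components; the "rates add" shortcut holds only because every component here has a constant failure rate.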
(Un)revealed Failures

COMPONENT STATUS (timeline in the original figure): the component operates for a period $\tau_o$, fails, may sit failed but unnoticed for a time $\tau_u$ until an inspection, is repaired over a time $\tau_r$, and returns to operation.

$\tau_o$: operating period
$\tau_r$: repair time
$\tau_u$: unavailability time (failed but unnoticed)
$\tau_i$: inspection interval

Availability and unavailability are complementary: $A + U = 1$

REVEALED FAILURE ($\tau_u = 0$; the failure is noticed at once and repair starts immediately):

$\tau_r = \dfrac{1}{n}\sum_{i=1}^{n} \tau_{r,i}$ (mean repair time), $\qquad \text{MTBF} = \dfrac{1}{\mu} = \tau_o + \tau_r$

Availability $A = \dfrac{\tau_o}{\tau_o + \tau_r} = \mu\,\tau_o$, $\qquad$ Unavailability $U = \dfrac{\tau_r}{\tau_o + \tau_r} = \mu\,\tau_r$

UNREVEALED FAILURE ($\tau_u \neq 0$, $\tau_i \neq 0$; the failure is only discovered at inspection):

Unavailability (repair time negligible, $\tau_r \ll \tau_i$): $U = \dfrac{\tau_u}{\tau_i} \approx \dfrac{1}{2}\,\mu\,\tau_i$, since on average the component is found failed after half of an inspection interval.
(Un)revealed Failures

Example: Compute the unavailability and availability for the previous example. Assume a 1-month inspection interval and negligible repair time.

From the previous example, the overall failure rate is $\mu = 2.30\ \text{yr}^{-1}$.

The inspection interval is $1/12 = 0.083\ \text{yr}$. The unavailability is computed using Equation 12-25 (3rd edition) / 12-26 (4th edition):

$U = \dfrac{1}{2}\,\mu\,\tau_i = \dfrac{1}{2}(2.30\ \text{yr}^{-1})(0.083\ \text{yr}) = 0.0955$

$A = 1 - U = 1 - 0.0955 = 0.905$
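The revealed and unrevealed unavailability formulas above, with the unavailability example evaluated and a check on the approximation. This is an added example, not code from the lecture. The unrevealed_unavailability_exact function is not on the slides: it time-averages $1 - e^{-\mu t}$ over one inspection interval and shows where the linearised $\tfrac{1}{2}\mu\tau_i$ stops being usable (the slide's own numbers assume $\mu\tau_i \ll 1$).

```python
"""Availability / unavailability for revealed and unrevealed failures.
Added example; not code from the lecture."""
from math import exp
from typing import List, Tuple


def revealed_unavailability(mu: float, tau_r: float) -> float:
    """Revealed failure: repair starts at once, the only downtime is the
    repair time, U = tau_r / (tau_o + tau_r) = mu * tau_r."""
    return mu * tau_r


def revealed_availability_exact(tau_o: float, tau_r: float) -> float:
    """A = tau_o / (tau_o + tau_r) from the mean operating and repair periods."""
    return tau_o / (tau_o + tau_r)


def unrevealed_unavailability(mu: float, tau_i: float) -> float:
    """Unrevealed failure found only at inspection: on average the component
    sits failed for half an inspection interval, U ~= mu * tau_i / 2.
    This is the slide's Equation 12-25/12-26 and assumes mu*tau_i << 1."""
    return 0.5 * mu * tau_i


def unrevealed_unavailability_exact(mu: float, tau_i: float) -> float:
    """Time average of P(t) = 1 - exp(-mu t) over one inspection interval,
    without the linearisation (not on the slides; added here as a check)."""
    x = mu * tau_i
    if x <= 0.0:
        raise ValueError("mu and tau_i must be positive")
    return 1.0 - (1.0 - exp(-x)) / x


def availability(unavailability: float) -> float:
    """A + U = 1. Rejects a U outside [0, 1], which is what the linearised
    formula produces when the inspection interval is too long."""
    if not 0.0 <= unavailability <= 1.0:
        raise ValueError("unavailability must be a probability in [0, 1]")
    return 1.0 - unavailability


def compare_intervals(mu: float, intervals_yr: List[float]) -> List[Tuple[float, float, float]]:
    """(tau_i, U_linearised, U_exact) for several inspection intervals, to
    see how fast the two estimates diverge as mu*tau_i grows."""
    return [(t, unrevealed_unavailability(mu, t), unrevealed_unavailability_exact(mu, t))
            for t in intervals_yr]


if __name__ == "__main__":
    mu = 2.30  # overall failure rate of the flow control loop, per year
    for tau_i, u_lin, u_exact in compare_intervals(mu, [1 / 12, 0.25, 1.0]):
        print(f"tau_i={tau_i:.3f} yr  U(linear)={u_lin:.4f}  U(exact)={u_exact:.4f}")
```

For the monthly inspection in the example the two estimates differ by a few percent; for a yearly inspection the linearised value exceeds 1, which is not a probability, so the approximation must be abandoned there.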
Probability Concept Application: Failures in Process Industries

▪ Failure means any release event caused by failure of equipment/components, or operational failure.
▪ Assessing risk is an integral part of hazard management.
▪ In general, risk represents the likelihood of the level of harm.

The initiating event can (mostly) be attributed to the failures of components in process industries:

Single component failure: failure of a single component or a single action. Data for failure rates are compiled by industry.

Multiple component failure: failures resulting from several failures and/or actions. Failure rates are determined using fault tree analysis (FTA).
Failures in Process Industries (figure in the original): an initiating event (IE), typically the failure of a single component, propagates through hazardous events to a catastrophic outcome.
TABLE 12-1 Failure Rate Data for Various Selected Process Components

Instrument                           | Faults/Year
Controller                           | 0.29
Control valve                        | 0.60
Flow measurement (fluids)            | 1.14
Flow measurement (solids)            | 3.75
Flow switch                          | 1.12
Gas-liquid chromatograph             | 30.6
Hand valve                           | 0.13
Indicator lamp                       | 0.044
Level measurement (liquids)          | 1.70
Level measurement (solids)           | 6.86
Oxygen analyzer                      | 5.65
pH meter                             | 5.88
Pressure measurement                 | 1.41
Pressure relief valve                | 0.022
Pressure switch                      | 0.14
Solenoid valve                       | 0.42
Stepper motor                        | 0.044
Strip chart recorder                 | 0.22
Thermocouple temperature measurement | 0.52
Thermometer temperature measurement  | 0.027
Valve positioner                     | 0.44

Basic fact: the more complex the device, the higher the failure rate!
Types of Failure Rate Data and Sources

Failure rate data can be obtained in several ways. The most common means are:
❑ Historical data: device, equipment or system specific failure information. This kind of information is often maintained as internal databases by many organisations.
❑ Handbooks: failure data for a range of components and systems, available from government, institutions and commercial sources.
❑ Sample testing: test samples of actual devices or systems for the purpose of deriving failure rate information. Though this option can be the most accurate, it is often not viable due to high costs or practical difficulties.
Inspection & Testing

A test can be performed to estimate a component's failure rate. Ten identical components are each tested until they either fail or reach 1000 hours, at which time the test is terminated for that component. (The level of statistical confidence is not considered in this example.) The results are as follows:

Component    | Hours | Result
Component 1  | 1000  | No failure
Component 2  | 1000  | No failure
Component 3  | 467   | Failed
Component 4  | 1000  | No failure
Component 5  | 630   | Failed
Component 6  | 590   | Failed
Component 7  | 1000  | No failure
Component 8  | 285   | Failed
Component 9  | 648   | Failed
Component 10 | 882   | Failed
Total        | 7520  | 6 failures

The point estimate of the failure rate is the number of failures divided by the total time on test of all ten units, surviving units included: $\mu = 6 / 7520\ \text{h} = 8.0 \times 10^{-4}\ \text{h}^{-1}$.
Types of Failure Rate Data and Sources

Some databases are collected over a particular data range for an intended field of use, such as industry specific and application specific:

Industry specific database: information collected and maintained by a group of stakeholders of a particular industry. Examples: Offshore Reliability Data (OREDA), and Worldwide Offshore Accident Databank (WOAD).

Application specific database: data published for a particular application, often legislatively driven. Examples: Failure Rate and Event Data (FRED), published by the UK Health and Safety Executive (HSE) for use within land use planning risk assessments, and the Offshore Hydrocarbon Release Database, also published by the HSE for use in offshore risk and integrity management.

Hazardous material specific data: for example, data for corrosive materials.
Example of Failure Rate Data (figure in the original): selected data from OGP, Process release frequencies, 2010.
Other Sources of Failure Rate Data

❑ Center for Chemical Process Safety (CCPS): published guidelines for process equipment reliability data.
❑ SINTEF Industrial Management: reliability data for control and safety systems.
❑ Reliability Analysis Center, FMD-97: Failure mode/mechanism distributions.
❑ Reliability Analysis Center, EPRD-97: Electronic parts reliability data.
❑ Institute of Electrical and Electronics Engineers (IEEE) Std. 500: IEEE guide to the collection and presentation of electrical, electronic, sensing component, and mechanical equipment reliability data for nuclear-power generating stations.
❑ US Military Handbook, MIL-HDBK-217F: Reliability prediction of electronic equipment.
Analysis Techniques

Data can be used to calculate the frequency of initiating events (i.e., component failure), hazard outcomes and the severity of the consequence.

Analysis techniques, used to estimate frequencies or probabilities from basic data (typically when detailed historical data is not available):
1. Frequency modelling techniques (those used here: i. EVENT TREES, ii. FAULT TREES)
2. Common-cause failure analysis
3. Human reliability analysis
4. External events analysis
Event Tree Analysis

❑ An event tree:
• Begins with an initiating event
• Evaluates the impact of the safety functions on the accident process
• Allows calculation of the failure probability (or frequency) for various scenarios

❑ Typical steps in an event tree analysis:
1. Identify an initiating event of interest
2. Identify the safety functions designed to deal with the initiating event
3. Construct the event tree
4. Describe the resulting accident event sequences
Computational sequence

Example: Brake fails (barrier described negatively). The probability of the top outcome is the sum over all branches of the tree that end in failure (figure in the original):

Brake fails = 0.005 + 0.015 + 0.045 + 0.135 + 0.02 + 0.06 + 0.18 = 0.46
Computational sequence

Example: Brake fails (barrier described negatively). The three kinds of element in an event tree, and the quantity attached to each:

Initiating event (cause): has an associated frequency.
Failures and successes of the various intervening safety systems/actions: each has an average probability of failure on demand.
Various defined final outcomes: each has an associated frequency.

1. Identify an initiating event
2. Identify the safety functions designed to deal with the initiating event
3. Construct the event tree
4. Describe the resulting sequence of accident events

When an accident occurs, safety systems can fail or succeed. Event trees provide information on how a failure can occur.
Event Tree Analysis Example

What happens if there is a loss of coolant?

Safety operations following the loss of coolant (the initiating event):
• High temperature alarm alerts operator
• Operator acknowledges alarm
• Operator restarts cooling system
• Operator shuts down reactor
Event Tree Analysis Example

Safety function ID B (high temperature alarm alerts operator): 0.01 failures/demand.

1. We'll call the initiating event A (loss of coolant) and also note its occurrence frequency: 1 occurrence/year.
2. Draw a line from the initiating event to the first safety function (ID B). A straight line up indicates the result for a success of the safety function, and a failure is represented by a line drawn down.
3. We can assume the high temperature alarm will fail to alert the operator 1% of the time when demanded, or 0.01 failure/demand. (This is a probability of failure on demand.)
Event Tree Analysis Example

Safety function ID B (high temperature alarm alerts operator): 0.01 failures/demand. Initiating event: loss of coolant, 1 occurrence/year.

Success of safety function B (probability 0.99):
= (1 − 0.01) × 1 occurrence/year = 0.99 occurrence/year

Failure of safety function B (probability 0.01):
= 0.01 × 1 occurrence/year = 0.01 occurrence/year
Event Tree Analysis Example

• Initiating event: loss of coolant, 1 event/year frequency.

• Four safety functions to respond to the initiating event are written across the top of the event tree:
✓ High temperature alarm (hardware safety function): failure probability on demand = 0.01 failure/demand
✓ Operator identifies high temperature during reactor monitoring: the operator notices high temperature 3/4 of the time, failure probability = 0.25 failure/demand
✓ Operator adjusts coolant flow to reduce high temperature: succeeds 3/4 of the time, failure probability = 0.25 failure/demand
✓ Operator performs an emergency shutdown: succeeds 9/10 of the time, failure probability = 0.10 failure/demand
Evaluate Frequency of Loss Event

• Event tree analysis explores outcome severities, probability, and risk.
• Is the risk tolerable? Can it be accepted?
• Consider additional safety functions to reduce risk (probability, severity) to tolerable levels.
• Select safety functions on the basis of:
✓ Effectiveness, operability
✓ Cost, time
✓ Feasibility (including schedule)

• From the event tree, the net failure frequency is the sum of the unsafe-state frequencies. Each path is labelled by the initiating event A followed by the safety functions that failed on that path:
Frequency = ADE + ABDE + ABCDE = 0.025 failure/yr = 1 failure every 40 years
• The corresponding risk is considered too high, so the frequency must be reduced.
• Add a high-temperature reactor shutdown system. Set the shutdown temperature above the alarm value to allow the operator to adjust coolant flow.
Potential for Reducing Frequency

▪ The event tree analysis shows that a dangerous runaway reaction will occur on average 0.025 times per year, or once every 40 years. This is considered too high for this installation.
▪ A possible solution is the inclusion of a high-temperature reactor shutdown system. This control system would automatically shut down the reactor in the event that the reactor temperature exceeds a fixed value.
▪ The emergency shutdown temperature would be higher than the alarm value to provide an opportunity for the operator to restore the coolant flow.

With the shutdown system added (event tree in the original), the runaway reaction is now estimated to occur 0.00025 times per year, or once every 4,000 years (1 / 0.00025). This is a substantial improvement obtained by the addition of a simple redundant shutdown system.
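The loss-of-coolant event tree above, evaluated in code for both the original tree and the tree with the added high-temperature shutdown system. This is an added example, not code from the lecture. The safety functions, their probabilities of failure on demand and the initiating frequency are those stated on the slides. Two details are assumptions made here because the slides describe the tree in words only: after function C fails (operator does not notice), the path still proceeds to D, and the new shutdown system F (PFD 0.01, a hardware function) acts after a failed E; with these choices the code reproduces the slide's 0.025/yr and 0.00025/yr.

```python
"""Event tree evaluation for the loss-of-coolant example.
Added example; not code from the lecture."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """A safety function with a probability of failure on demand (pfd), or,
    when pfd is None, a terminal outcome such as 'runaway reaction'."""
    label: str
    pfd: Optional[float] = None
    on_success: Optional["Node"] = None
    on_failure: Optional["Node"] = None


def evaluate(root: Node, initiating_freq: float) -> Tuple[Dict[str, float], List[Tuple[str, str, float]]]:
    """Walk every branch. A path's frequency is the initiating frequency
    times (1 - pfd) for each function that succeeded and pfd for each that
    failed. Returns (outcome -> frequency per year, [(outcome, path label,
    frequency)]). The label is 'A' plus the IDs of the functions that
    failed, matching the slide's ADE, ABDE, ABCDE notation."""
    totals: Dict[str, float] = {}
    paths: List[Tuple[str, str, float]] = []

    def walk(node: Node, freq: float, failed: str) -> None:
        if node.pfd is None:  # terminal outcome
            totals[node.label] = totals.get(node.label, 0.0) + freq
            paths.append((node.label, "A" + failed, freq))
            return
        if not 0.0 <= node.pfd <= 1.0:
            raise ValueError(f"{node.label}: PFD must be a probability")
        walk(node.on_success, freq * (1.0 - node.pfd), failed)
        walk(node.on_failure, freq * node.pfd, failed + node.label)

    walk(root, initiating_freq, "")
    return totals, paths


def loss_of_coolant_tree(with_auto_shutdown: bool) -> Node:
    """Slide values: B alarm 0.01, C operator notices 0.25, D operator
    restores coolant 0.25, E operator shuts down 0.10. Assumption: a failed
    C still leads to D. With with_auto_shutdown, the added shutdown system
    F (PFD 0.01) is placed after a failed E (assumed placement)."""
    runaway = Node("runaway reaction")
    shutdown = Node("safe shutdown")
    continue_op = Node("continue operation")
    after_e_fails: Node = runaway
    if with_auto_shutdown:
        after_e_fails = Node("F", 0.01, on_success=shutdown, on_failure=runaway)
    e = Node("E", 0.10, on_success=shutdown, on_failure=after_e_fails)
    d = Node("D", 0.25, on_success=continue_op, on_failure=e)
    c = Node("C", 0.25, on_success=d, on_failure=d)  # assumption, see docstring
    return Node("B", 0.01, on_success=d, on_failure=c)


def runaway_frequency(with_auto_shutdown: bool, initiating_freq: float = 1.0) -> float:
    totals, _ = evaluate(loss_of_coolant_tree(with_auto_shutdown), initiating_freq)
    return totals.get("runaway reaction", 0.0)


def unsafe_path_labels(with_auto_shutdown: bool = False) -> List[str]:
    _, paths = evaluate(loss_of_coolant_tree(with_auto_shutdown), 1.0)
    return sorted(label for outcome, label, _ in paths if outcome == "runaway reaction")


if __name__ == "__main__":
    for flag in (False, True):
        f = runaway_frequency(flag)
        print(f"auto shutdown={flag}: runaway {f:.5f}/yr, once every {1 / f:,.0f} years; paths {unsafe_path_labels(flag)}")
```

A cheap consistency check on any event tree is that the outcome frequencies sum to the initiating frequency; the test below asserts it.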
Fault Tree Analysis

• Describes how a hazardous event may occur in terms of combinations of individual non-hazardous component or operator failures.
• Can evaluate the probability of occurrence of a hazardous event.
• The approach starts with a well-defined accident (top event) and works backward towards the various scenarios that can cause the accident.

Fault Tree Analysis

DEDUCTIVE METHOD:
• Well-defined accident: the top event of interest
• Possible causative hazards
• Quantitative: add failure data to the fault tree

Minimal cut sets: all possible (minimal) combinations of basic events that lead to the top event.
Logical functions: AND, OR, INHIBIT.

Drawbacks:
• Large trees require computers and software
• Never sure all failure modes are covered
• No partial failures
• Accurate failure data required (reference libraries)

Additional comment: the top event of a fault tree becomes the initiating event of the event tree. This results in a BOW TIE diagram.
Logical Connection Between Events

AND gate: the resulting output event requires the simultaneous occurrence of all input events. E.g., event C will occur only if both events A and B occur simultaneously, which is represented (for independent events A, B) by

$A \cdot B = C$, i.e. $P(C) = P(A)\,P(B)$

OR gate: the resulting output event requires the occurrence of any individual input event. E.g., C will occur if either A or B occurs, which is represented (when A and B each have a low probability of occurring, so that the overlap term $P(A)P(B)$ is negligible) by

$A + B = C$, i.e. $P(C) \approx P(A) + P(B)$ (exact for independent events: $P(A) + P(B) - P(A)P(B)$)
Preliminary Steps - Fault Tree Construction

❑ Define precisely the top event. E.g., 'liquid level too high'.
❑ Define the existing events. E.g., what conditions are present.
❑ Define the un-allowed events. E.g., tornadoes.
❑ Define the physical bounds of the process. E.g., components to be considered.
❑ Define the equipment configuration. E.g., valves open or closed.
❑ Define the level of resolution. E.g., just a valve, or also valve components.
Fault Tree Construction

❑ Put the hazardous event (TOP EVENT) on the left-hand side (or top) of the page.
❑ All immediate possible causes of the top event are identified and placed next to it on the tree.
❑ If any of these events can cause the top event, they are joined to it by an OR gate.
❑ If all are required before the top event occurs, they are joined to it by an AND gate.
❑ If a combination of gates appears to be necessary at any point, then progress is too rapid and a suitable intermediate stage should be sought.
❑ Describe these intermediate events in terms of earlier events, using either AND or OR logic.
❑ Repeat this for each branch of the tree until no further detail is necessary or possible.
Example: Fault tree model for hydride dust explosion (figure in the original).
Units in Fault Tree Analysis and Rules

Frequency (failures/year) = probability of failure per operation × number of operations per year

AND GATE rules:
• can multiply P and P: the result has the unit of probability
• can multiply P and F: the result has the unit of F
• cannot multiply F and F: the result would have unit F² (for example failures/yr²), which is meaningless

OR GATE rules:
• can add P and P: the result has the unit of P
• can add F and F: the result has the unit of F
• cannot add F and P: different units
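The gate rules above enforced in code: every value carries its unit (P or F) through the gates, so an F × F product or an F + P sum is rejected instead of silently producing a number. This is an added example, not code from the lecture. The tree it evaluates is a constructed illustration of the 'liquid level too high' top event mentioned earlier: the component rates are from Table 12-1, while the operator probability of failure on demand (0.1) is an assumed value, not one the lecture gives. The or_gate also offers the exact independent-events formula next to the rare-event approximation used on the slides.

```python
"""Fault tree gate arithmetic with unit tracking (P vs F).
Added example; not code from the lecture."""
from dataclasses import dataclass
from math import prod


class UnitError(ValueError):
    """A gate would produce a meaningless unit (e.g. 1/yr^2) or mix units."""


@dataclass(frozen=True)
class Quantity:
    value: float
    unit: str  # "P" = probability (dimensionless), "F" = frequency (per year)

    def __post_init__(self) -> None:
        if self.unit not in ("P", "F"):
            raise UnitError(f"unknown unit {self.unit!r}")
        if self.unit == "P" and not 0.0 <= self.value <= 1.0:
            raise ValueError("a probability must lie in [0, 1]")
        if self.unit == "F" and self.value < 0.0:
            raise ValueError("a frequency cannot be negative")


def and_gate(*inputs: Quantity) -> Quantity:
    """All inputs must occur. P x P -> P, P x F -> F; F x F is rejected."""
    n_freq = sum(1 for q in inputs if q.unit == "F")
    if n_freq > 1:
        raise UnitError("AND gate: at most one frequency input (F x F would be 1/yr^2)")
    return Quantity(prod(q.value for q in inputs), "F" if n_freq else "P")


def or_gate(*inputs: Quantity, rare_event: bool = False) -> Quantity:
    """Any input suffices. Inputs must share a unit. Frequencies add;
    probabilities add only under the rare-event approximation, otherwise
    1 - prod(1 - p_i) is used (exact for independent events). If the
    rare-event sum exceeds 1, Quantity's validation raises, which is the
    signal that the approximation is not valid for these inputs."""
    units = {q.unit for q in inputs}
    if len(units) != 1:
        raise UnitError("OR gate: cannot add a frequency to a probability")
    unit = units.pop()
    if unit == "F" or rare_event:
        return Quantity(sum(q.value for q in inputs), unit)
    return Quantity(1.0 - prod(1.0 - q.value for q in inputs), unit)


def liquid_level_too_high() -> Quantity:
    """Constructed tree for the top event 'liquid level too high'."""
    # Basic events: level control loop components, rates from Table 12-1 (per year).
    level_measurement = Quantity(1.70, "F")   # level measurement (liquids)
    controller = Quantity(0.29, "F")
    control_valve = Quantity(0.60, "F")
    # Intermediate event: the loop fails if any one component fails.
    loop_fails = or_gate(level_measurement, controller, control_valve)
    # Assumed PFD for the operator failing to act on the high-level alarm
    # (illustrative value, not from the lecture).
    operator_fails = Quantity(0.1, "P")
    # Top event requires both the loop failure and the failed operator response.
    return and_gate(loop_fails, operator_fails)


if __name__ == "__main__":
    top = liquid_level_too_high()
    print(f"top event: {top.value:.3f} per year (unit {top.unit})")
    try:
        and_gate(Quantity(0.29, "F"), Quantity(0.60, "F"))
    except UnitError as err:
        print("rejected:", err)
```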
Relationship between Fault Tree Analysis and Event Tree Analysis

▪ Event trees begin with an initiating event and work forward toward the final outcomes (induction).
▪ Fault trees begin with a top event and work backward toward the basic causes (deduction).
▪ Top events for fault trees are initiating events for event trees.
▪ Both are used together to produce a complete picture of an incident, from its initiating causes all the way to its final outcome.
▪ Probabilities and frequencies are attached to the diagrams.
Advantages of Fault Trees

• Begins with a top event that is selected by the user to be specific to the failure of interest.
• Can be used to determine minimal cut sets, which identify the combinations of failures that must be addressed to increase the reliability of the system.
• Software can be used to graphically construct the tree, determine minimal cut sets and calculate failure probabilities.
Disadvantages of Fault Trees

• For any reasonably complicated process, the fault tree will be enormous, involving thousands of gates and intermediate events, and thus requires a long time (measured in years) to complete.
• The user can never be certain that all failure modes have been considered.
• The fault tree only assumes 'hard' failures. Partial failures are not considered.
Bow-tie Diagram

The top event from a fault tree becomes the initiating event for an event tree.

Also known as barrier analysis: the method identifies safeguards that can prevent and mitigate hazards (figure in the original):

Initiating events (causes) → Preventive safeguards → Incident (loss event) → Mitigative safeguards → Outcomes
Bow-tie Diagram (figure in the original)

Left side (fault tree): initiating events (causes) such as control failure, human error and mechanical failure pass through proactive and preventive safeguards, with enabling conditions such as time at risk, to the incident (loss event).

Right side (event tree): mitigative safeguards and conditional modifiers (probability of ignition, probability of explosion) lead to the outcomes: flash fire, vapor cloud explosion, building explosion, fireball, physical explosion, chemical exposure, onsite toxic, toxic infiltration, offsite toxic.

Each feasible path between an initiating event and an outcome represents a scenario with applicable protective layers.
Bow-tie Diagram

Elements of a bow-tie diagram:
1) Hazards
2) Initiating events
3) Enabling conditions
4) Conditional modifiers
5) Preventive safeguards
6) Incident or loss event
7) Mitigating safeguards
8) Outcomes
9) Impacts

The advantages:
• Clearly displayed
• Easily understood
• Used to effectively determine the appropriate safeguards to achieve the desired results
QRA: Quantitative Risk Assessment

The QRA procedure (flowchart in the original; the stages hazards identification, hazards evaluation, risk analysis and risk assessment are labelled down its left-hand side):

Selection of release incident (Fig. 11-1, Fig. 4-1)
→ Selection of source model to describe the release incident
→ Selection of dispersion model
→ Flammable and/or toxic?
   Flammable → Selection of fire and explosion model
   Toxic → Selection of effect model
→ Mitigation factors
→ Consequence model
QRA: Quantitative Risk Assessment

• Define the initiating events and the incident sequence. For example, a cooling water failure causes a runaway reaction that overpressures the reactor vessel, causing the relief to open, discharging the reactor contents.
• Use source models to estimate the discharge rate. For the reactor example, this would require a source model to estimate the discharge rate through the relief. (See Chapter 4.)
• Use a dispersion model to estimate the chemical concentrations downwind of the release. (See Chapter 5.)
• Estimate the incident consequences for people, environment, and property using effect models. (See Chapter 3.)
• Estimate the potential incident frequencies using event trees and fault trees.
• Estimate the risk by combining the consequences and frequencies.
• Combine the risk estimates for all the scenarios to estimate the overall risk.
• Decide if the risk is tolerable. (See Sections 1-9 and 12-7 in the 4th edition.)
Type of Risk: Definitions

Individual risk: one person exposed to one or more hazards. Usually location dependent. (Figure in the original: many hazards acting on one individual.)

Societal risk: a group of people exposed to one or more hazards. Hazard and group must be carefully defined. (Figure in the original: a single hazard acting on many people.)
Voluntary and Involuntary Risk

Voluntary risk: risk that is consciously tolerated by someone seeking to obtain the benefits of the activity that poses the risk.
Examples: riding in a car, riding a motorcycle, mountain climbing, skiing.

Involuntary risk: risk that is imposed on someone who does not directly benefit from the activity that poses the risk.
Examples: living in the vicinity of a chemical plant, riding a train, riding an airplane, visiting a mall.
QRA: Individual Risk - Risk Contours

Individual risk is the risk to an individual person in the vicinity of a hazard. (Figure in the original: individual risk contours of 10^-4, 10^-5, 10^-6 and 10^-7 per year drawn around the plant, with the outer contours extending into the community.)
QRA: Individual Risk - Risk Contours

The procedure for determining the individual risk contours is as follows:

1. Identify all the incidents and incident outcome cases.
2. Estimate the frequency for all incident outcome cases.
3. Determine the effect zone and probability of fatality at every location for all incident outcome cases.
4. Estimate the individual risk at every location by summing the risk for all incident outcome cases.
5. Plot individual risk estimates on the map.
6. Draw individual risk contours connecting points of equal risk.

This is a huge amount of work!
Societal Risk - F-N Curve

Societal risk is a measure of risk to a group of people. An F-N plot is one way to show societal risk. F is the cumulative frequency of experiencing N or more fatalities.

(Figure in the original: F, cumulative frequency of N or more fatalities per year, on a log axis from 10^-9 to 10^-1, against N, fatalities, on a log axis from 1 to 1000; the upper region is labelled Broadly Unacceptable and the lower region Broadly Tolerable. It is a plot of the various societal risk curves used throughout the world.)

• A: United Kingdom's Health and Safety Executive (HSE) criteria: maximum tolerable societal risk
• B: Dutch: maximum tolerable societal risk
• C: U.K. HSE: negligible risk to workers and public
• D: New South Wales: negligible societal risk
• E: Hong Kong: acceptable societal risk
Example: F-N Curve

Use the data provided in Table 12-6 to draw an F-N curve.

TABLE 12-6 Data for an F-N Curve

Incident outcome case | Frequency F_i (per year) | Estimated number of fatalities N
1                     | 1 × 10^-6                | 13
2                     | 1 × 10^-3                | 0
3                     | 1 × 10^-5                | 6
4                     | 1 × 10^-5                | 3
5                     | 1 × 10^-4                | 1

1. The incident outcome case with the smallest number of fatalities is selected first. This is case 5, which has one fatality. Case 2 is not selected because it has zero fatalities.

2. All incident outcome cases with one or more fatalities are selected. These are cases 1, 3, 4, and 5. The frequencies for these cases are added together to create the first point of the plot.
Example: F-N Curve

3. The case with the next highest number of fatalities is selected. This is case 4, with three fatalities. The frequencies for all cases with three or more fatalities are added together, as shown in Table 12-7.

4. This procedure is repeated for 6+, 13+, and greater than 13 fatalities. The results are shown in the table below.

5. The data are plotted in the figure below. The results are extrapolated to N = 1. The vertical lines are drawn at the actual numbers of fatalities. Note that the results exceed many of the societal risk criteria in Figure 12-20.
Example: F-N Curve

TABLE: F-N Analysis for Example

Estimated number of fatalities, N | Incident outcome cases included | Total frequency, F_N (per year)
1+                                | 1, 3, 4, 5                       | F_1 + F_3 + F_4 + F_5 = 1.2 × 10^-4
3+                                | 1, 3, 4                          | F_1 + F_3 + F_4 = 2.1 × 10^-5
6+                                | 1, 3                             | F_1 + F_3 = 1.1 × 10^-5
13+                               | 1                                | F_1 = 1.0 × 10^-6
>13                               | None                             | 0
Example: F-N Curve

(Figure in the original: frequency of N or more fatalities per year, 10^-6 to 10^-3, against number of fatalities N, 1 to 100, plotted as a step curve.) Note that this exceeds several of the world societal risk curves!
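The F-N construction of steps 1 to 5 above, written as a general routine over any set of incident outcome cases and run on the Table 12-6 data. This is an added example, not code from the lecture. The exceeds_line function compares the computed curve with a straight criterion line on log-log axes, F = a / N^b; the values of a and b used in the usage are illustrative assumptions only, since the slides show the criterion curves graphically and do not give their equations.

```python
"""F-N (societal risk) curve from incident outcome cases.
Added example; not code from the lecture."""
from typing import List, Tuple

# (case id, frequency per year, estimated fatalities), from Table 12-6.
TABLE_12_6: List[Tuple[int, float, int]] = [
    (1, 1e-6, 13), (2, 1e-3, 0), (3, 1e-5, 6), (4, 1e-5, 3), (5, 1e-4, 1),
]


def fn_curve(cases: List[Tuple[int, float, int]]) -> List[Tuple[int, float, List[int]]]:
    """For each distinct fatality count N >= 1 present in the cases, F(N) is
    the sum of the frequencies of all cases with N or more fatalities.
    Cases with zero fatalities contribute nothing to societal risk.
    Returns [(N, F_N, [case ids included])] in rising N."""
    levels = sorted({n for _, _, n in cases if n >= 1})
    curve = []
    for n in levels:
        included = [(cid, f) for cid, f, fat in cases if fat >= n]
        curve.append((n, sum(f for _, f in included), [cid for cid, _ in included]))
    return curve


def step_points(curve: List[Tuple[int, float, List[int]]]) -> List[Tuple[int, float]]:
    """(N, F) vertices of the plotted step curve: each F holds from its N up
    to the next N, where the curve drops vertically (the 'vertical lines at
    the actual number of fatalities' on the slide)."""
    pts: List[Tuple[int, float]] = []
    for i, (n, f, _) in enumerate(curve):
        pts.append((n, f))
        if i + 1 < len(curve):
            pts.append((curve[i + 1][0], f))
    return pts


def exceeds_line(curve: List[Tuple[int, float, List[int]]], a: float, b: float) -> List[int]:
    """N values at which the computed F lies above a straight criterion line
    F = a / N**b on log-log axes. a and b are caller inputs: take them from
    the criterion you are actually bound by, not from this example."""
    if a <= 0.0:
        raise ValueError("criterion anchor a must be positive")
    return [n for n, f, _ in curve if f > a / n ** b]


if __name__ == "__main__":
    curve = fn_curve(TABLE_12_6)
    for n, f, cases in curve:
        print(f"N >= {n:2d}: F = {f:.1e}/yr  (cases {cases})")
    # Illustrative criterion line (assumed parameters, not from the lecture).
    print("above F = 1e-4 / N^2 at N =", exceeds_line(curve, 1e-4, 2))
```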
Definition of Risk Tolerance

• Risk tolerance or acceptance is defined as "the maximum level of risk of a particular technical process or activity that an individual or organization accepts to acquire the benefits of the process or activity".
• People accept risks based on their perceived risk.
• The risk accepted is voluntary, based on the perceived risk, while any additional actual risk will be involuntary.
• Engineers must make every effort to minimize risks within reasonable constraints.
• For a chemical plant, at some point in the design stage or at every point in the operation of the plant, the corporation must determine whether the risks are acceptable.
• Risk tolerance may also change with time as society, regulatory agencies and individuals come to expect more from the chemical industry.
• As a consequence, a risk that was considered tolerable years ago may now be deemed unacceptable.
QRA: Risk Tolerance Criteria

The recommended tolerability criteria based on the DOE risk criteria are as follows (Environment Impact Assessment (EIA) Guidelines for Risk Assessment, 2004):

• The 1 × 10^-6 fatalities/person per year individual risk contour should not encompass involuntary recipients of industrial risks such as residential areas, schools, hospitals and places of continuous occupancy, etc.
• The 1 × 10^-5 fatalities/person per year individual risk contour should not extend beyond industrial developments.

The tolerability criteria based on the PETRONAS Risk Criteria are as follows (PTS 60.2210 Quantitative Risk Assessment, 2006):

• An annual risk greater than 1 × 10^-3 fatalities/person per year represents intolerable risk.
Risk Tolerance - Risk Matrix

How to use the risk matrix:
1. Select the severity from the highest box in any of columns 1, 2 or 3. Read the Category and Safety Severity Level from the same row.
2. Select the likelihood from columns 4 through 7.
3. Read the Risk Level from the intersection of the severity row and the likelihood column.

TMEF: target mitigated event frequency. TQ: threshold quantity.

Likelihood columns:
Column 4, LIKELY: expected to happen several times over the life of the plant (0 to 9 years).
Column 5, UNLIKELY: expected to happen possibly once over the life of the plant (10 to 99 years).
Column 6, IMPROBABLE: expected to happen possibly once in the division over the life of the plant (≥ 100 years).
Column 7, IMPROBABLE BUT NOT IMPOSSIBLE: not expected to happen anywhere in the division over the life of the plant (> 1000 years).

Severity rows (columns 1 to 3) and the risk level at each likelihood (columns 4 to 7):

Column 1: Human health impact                      | Column 2: Fire, explosion direct cost in $ | Column 3: Chemical impact | Severity category | Safety severity level (TMEF) | Col 4 LIKELY | Col 5 UNLIKELY | Col 6 IMPROBABLE | Col 7 IMPROBABLE BUT NOT IMPOSSIBLE
Public fatality possible, employee fatalities likely | Greater than $10 MM                        | ≥ 20× TQ                  | CATASTROPHIC      | 4 (TMEF = 1 × 10^-6)         | A            | A              | B                | C
Employee fatality possible, major injury likely     | $1 MM to < $10 MM                          | 9× to < 20× TQ            | VERY SERIOUS      | 3 (TMEF = 1 × 10^-5)         | A            | B              | C                | D
Lost time injury (LTI) likely [a]                   | $100K to < $1 MM                           | 3× to < 9× TQ             | SERIOUS           | 2 (TMEF = 1 × 10^-4)         | B            | C              | D                | Negligible risk
Recordable injury [b]                               | $25K to < $100K                            | 1× to < 3× TQ             | MINOR             | 1 (TMEF = 1 × 10^-3)         | C            | D              | Negligible risk  | Negligible risk

Risk Level A: Unacceptable risk; additional safeguards must be implemented immediately.
Risk Level B: Undesirable risk; additional safeguards must be implemented within 3 months.
Risk Level C: Acceptable risk, but only if existing safeguards reduce the risk to As Low As Reasonably Practicable (ALARP) levels.
Risk Level D: Acceptable risk; no additional safeguards required.

[a] Lost time injury (LTI): the injured worker is unable to perform regular job duties, takes time off for recovery, or is assigned modified work duties while recovering.
[b] Recordable injury: death, days away from work (DAW), restricted work or transfer to another job, medical treatment beyond first aid, or loss of consciousness.
Table 1-15: Risk matrix for semi-quantitative classification of incidents (above).

Table 1-16 Threshold quantities (TQ) for a variety of chemicals. Source: AICHE/CCPS (the source table is also labelled OSHA PSM).

2,000 kg = 4,400 lbm: Acrylamide; Ammonium nitrate fertilizer; Amyl acetate; Amyl nitrate; Bromobenzene; Calcium oxide; Carbon dioxide; Carbon, activated; Chloroform; Copper chloride; n-Decane; Kerosene; Maleic anhydride; Nitroethane; Nitrogen, compressed; Nitrous oxide; Nonanes; Octanes; Oxygen, compressed; Paraldehyde; Phenol, molten or solid; Phosphoric acid; Potassium fluoride; Potassium nitrate; Sulfur; Tetrachloroethylene; Undecane.

1,000 kg = 2,200 lbm: Acetic anhydride; Acetone; Acetonitrile; Aldol; Ammonium perchlorate; Aniline; Arsenic; Barium; Benzene; Benzidine; Butyraldehyde; Carbon tetrachloride; Copper chlorate; Copper cyanide; Cycloheptane; Cycloheptene; Cyclohexene; Dioxane; Epichlorohydrin; Ethyl acetate; Ethyl benzene; Ethylenediamine; Formic acid; Heptane; Hexane; Methacrylic acid; Methyl acetate; n-Heptene; Nitrobenzene; Nitromethane; Propylamine; Pyridine; Silver nitrate; Sodium permanganate; Tetrahydrofuran; Toluene; Triethylamine; Vinyl acetate; Zinc peroxide.

500 kg = 1,100 lbm: Acetaldehyde; Acrylonitrile; Calcium cyanide; Carbon disulfide; Cyclobutane; Diethyl ether or ethyl ether; Ethane; Ethylamine; Ethylene; Furan; Hydrazine, anhydrous; Hydrogen, compressed; Lithium; Methylamine, anhydrous; Potassium; Potassium cyanide; Propylene oxide; Silane; Sodium; Sodium cyanide; Sodium peroxide; Trichlorosilane.

200 kg = 440 lbm: Ammonia, anhydrous; Carbon monoxide.

100 kg = 220 lbm: Hydrogen bromide, anhydrous; Hydrogen chloride, anhydrous; Hydrogen fluoride, anhydrous; Methyl bromide; Methyl mercaptan; Sulfur dioxide.

25 kg = 55 lbm: Chlorine; Cyanogen; Germane; Hydrogen sulfide; Nitric acid, red fuming; Sulfuric acid, fuming.

5 kg = 11 lbm: Acrolein; Arsine; Diborane; Dinitrogen tetroxide; Methyl isocyanate; Nitric oxide, compressed; Nitrogen trioxide; Phosgene; Phosphine; Stibine.

The complete table and risk matrix are provided in the reference materials on the course web page. Each company customizes the risk matrix for its own operation.
Example – Risk Matrix

A leak of 1,500 kg of acetone results in an explosion with a financial loss of $1,500,000. The last incident of this type occurred 15 years ago. Use the risk matrix to determine the Severity Category, the Safety Severity Level and the Risk Level.

Solution: The Threshold Quantity (TQ) for acetone from the table is 1,000 kg. The release of 1,500 kg is 1.5 times the TQ. From Column 3 of the Risk Matrix (Chemical Impact) this is a MINOR severity category. From the financial loss of $1,500,000, under Column 2 of the Risk Matrix (Fire, Explosion Direct Cost in $) this is VERY SERIOUS.
Risk Tolerance – Risk Matrix

How to use the risk matrix:
1. Select the severity from the highest box in either of columns 1, 2 or 3. Read the Category and Safety Severity Level from the same row.
2. Select the likelihood from columns 4 thru 7.
3. Read the Risk Level from the intersection of the severity row and the likelihood column.

TMEF: Target mitigated event frequency
TQ: Threshold Quantity

Likelihood columns:
4 LIKELY (0 to 9 years): Expected to happen several times over the life of the plant.
5 UNLIKELY (10 to 99 years): Expected to happen possibly once over the life of the plant.
6 IMPROBABLE (≥ 100 years): Expected to possibly happen once in the division over the life of the plant.
7 IMPROBABLE BUT NOT IMPOSSIBLE (> 1000 years): Not expected to happen anywhere in the division over the life of the plant.

1 Human Health Impact | 2 Fire, Explosion Direct Cost in $ | 3 Chemical Impact | Severity Category | Safety Severity Level | 4 LIKELY | 5 UNLIKELY | 6 IMPROBABLE | 7 IMPROBABLE BUT NOT IMPOSSIBLE
Public fatality possible, employee fatalities likely | Greater than $10 MM | ≥ 20x TQ | CATASTROPHIC | 4 (TMEF = 1×10^-6) | Risk Level A | Risk Level A | Risk Level B | Risk Level C
Employee fatality possible. Major injury likely | From $1 MM to < $10 MM | 9x to < 20x TQ | VERY SERIOUS | 3 (TMEF = 1×10^-5) | Risk Level A | Risk Level B | Risk Level C | Risk Level D
Lost time injury (LTI) likely (a) | From $100K to < $1 MM | 3x to < 9x TQ | SERIOUS | 2 (TMEF = 1×10^-4) | Risk Level B | Risk Level C | Risk Level D | Negligible Risk
Recordable injury (b) | From $25K to < $100K | 1x to < 3x TQ | MINOR | 1 (TMEF = 1×10^-3) | Risk Level C | Risk Level D | Negligible Risk | Negligible Risk

Risk Level A: Unacceptable risk, additional safeguards must be implemented immediately.
Risk Level B: Undesirable risk, additional safeguards must be implemented within 3 months.
Risk Level C: Acceptable risk, but only if existing safeguards reduce the risk to As Low as Reasonably Practicable (ALARP) levels.
Risk Level D: Acceptable risk, no additional safeguards required.

(a) Lost time injury (LTI): The injured worker is unable to perform regular job duties, takes time off for recovery, or is assigned modified work duties while recovering.
(b) Recordable injury: Death, days away from work (DAW), restricted work or transfer to another job, medical treatment beyond first aid, or loss of consciousness.

Table 1-15: Risk matrix for semi-quantitative classification of incidents.
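The three-step lookup procedure coded in Python, as an added example that is not the course's own tool: the severity bands and risk-level cells are copied from Table 1-15, the acetone TQ of 1,000 kg from Table 1-16, and the example's "15 years since the last incident" is used directly as the years-between-events value for the likelihood column. Treating the qualitative Human Health column as a level (0 to 4) supplied by the analyst is an assumption.

```python
# Risk-matrix classifier coded from Table 1-15 (added example, not the course's own tool).
# The human-health column is qualitative, so it is passed in as a level chosen by the analyst.

SEVERITY = {4: "CATASTROPHIC", 3: "VERY SERIOUS", 2: "SERIOUS", 1: "MINOR"}
TMEF = {4: 1e-6, 3: 1e-5, 2: 1e-4, 1: 1e-3}  # target mitigated event frequency, per year
LIKELIHOOD = {4: "LIKELY", 5: "UNLIKELY", 6: "IMPROBABLE", 7: "IMPROBABLE BUT NOT IMPOSSIBLE"}
# Matrix cells: key = safety severity level, values = likelihood columns 4, 5, 6, 7 in order.
RISK_LEVEL = {
    4: ["A", "A", "B", "C"],
    3: ["A", "B", "C", "D"],
    2: ["B", "C", "D", "Negligible Risk"],
    1: ["C", "D", "Negligible Risk", "Negligible Risk"],
}


def cost_severity(direct_cost_usd):
    """Column 2, fire/explosion direct cost. Returns 0 below the $25K floor of the matrix."""
    if direct_cost_usd > 10e6:   # "Greater than $10 MM"
        return 4
    if direct_cost_usd >= 1e6:   # $1 MM to < $10 MM
        return 3
    if direct_cost_usd >= 100e3:  # $100K to < $1 MM
        return 2
    return 1 if direct_cost_usd >= 25e3 else 0


def chemical_severity(released_kg, tq_kg):
    """Column 3, release size as a multiple of the threshold quantity (TQ)."""
    ratio = released_kg / tq_kg
    for level, floor in ((4, 20), (3, 9), (2, 3), (1, 1)):
        if ratio >= floor:
            return level
    return 0  # below 1x TQ: not on the matrix


def likelihood_column(years_between_events):
    """Columns 4 to 7 from the expected interval between events, in years."""
    if years_between_events > 1000:
        return 7
    if years_between_events >= 100:
        return 6
    return 5 if years_between_events >= 10 else 4


def classify(direct_cost_usd, released_kg, tq_kg, years_between_events, health_level=0):
    """Steps 1 to 3: highest severity across columns 1-3, then the cell under the likelihood."""
    level = max(health_level, cost_severity(direct_cost_usd), chemical_severity(released_kg, tq_kg))
    if level == 0:
        return None  # below every row of the matrix
    col = likelihood_column(years_between_events)
    return {"severity_level": level, "category": SEVERITY[level], "tmef": TMEF[level],
            "likelihood": LIKELIHOOD[col], "risk_level": RISK_LEVEL[level][col - 4]}


if __name__ == "__main__":
    # Worked example from the slides: 1,500 kg acetone (TQ 1,000 kg), $1,500,000 loss, 15-year interval.
    print(classify(1_500_000, 1_500, 1_000, 15))
```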