The QRAQ Project Volume 4 Frequency of R PDF [PDF]


Taylor Safety Engineering

The QRAQ Project Volume 4, Frequency of Releases and Accidents Version 1 Issue 1 August 2010 J.R.Taylor

QRAQ 4 Accident frequencies

© J.R.Taylor 2010

The QRAQ project
Quality of Risk Assessment for Process Plant
Taylor Safety Engineering, Prunusvej 39, 3450 Allerød, Denmark

Issue: V1I1
Date: Sept 10
Author: JRT
Approval:
Release:

Preface

This report is the 4th in the series of reports covering various aspects of the quality of process risk assessment studies. It covers the different approaches to calculating accident frequencies, and provides actual data based on observations in over 500 process plants.

J.R.Taylor
Allerød, 2010


QRAQ publications

1. The QRAQ Project – Introduction
2. Quality and completeness of hazard identification
3. Consequence calculation models
4. Risk assessment frequency data
5. Risk analysis methodologies
6. Risk acceptance criteria
7. Ignition frequency
8. Jet fire models
9. Fire water monitors as a risk reduction measure
10. Boilover and fire induced tank explosion
11. Self evacuation as a risk reduction measure
12. Major hazards scenarios - Model validation against actual accidents
13. In preparation
14. Gas impoundment
15. In preparation
16. In preparation
17. In preparation
18. In preparation
19. In preparation
20. Human error in process plant operations and maintenance
21. SIL assessment using LOPA
22. Assessment of simultaneous operations


Updating history

Issue: Initial version
Date: October 2010
Affected:
Change: Initial release


Contents

1. Introduction
1.1 Accident frequency methodologies
1.2 Latent versus immediate failures
2. The Meaning of Frequency Data
2.1 The use of “average” data
2.2 Coverage of accident types in data bases
2.3 Failure rates and standards and assumptions
3. Failure Rate Datasets for QRA
3.1 Data for parts counting
3.2 Data for the unit process approach
3.3 Own plant data
3.4 Data for detailed analysis
3.5 Equipment failure data
3.6 Human error data
4. Comparison of Approaches
4.1 Comparison of QRA’s for a refinery crude unit
4.2 Conclusions from the comparison of methods
5. Validation
5.1 Refinery unit UVCE’s and very large fires
6. Overall Conclusions
7. References


1. Introduction

Figure 1.1 shows the classic model of risk assessment. At the start, three “technical” aspects of the assessment are shown: hazard identification, frequency determination and consequence calculation. As can be seen, frequency determination is a central part of the risk assessment process. This volume in the QRAQ series considers the various ways in which frequencies are determined. As will be seen, though, it is not possible to separate the issue of frequency calculation from that of hazard identification.

[Figure 1.1 The risk assessment process. Flowchart boxes: Identification, Frequency, Consequence, Risk, Acceptable (No: Risk reduction; Yes: Await the next group of problems).]

1.1 Accident frequency methodologies

Frequency determination in general commercial process plant QRA is made, at the time of writing, using one of several techniques:

1. “Parts counting” is a method which assumes as its basis that accidents arise as a result of release of hazardous materials due to damage of equipment parts (corrosion, fatigue etc.). The component parts of each section of a plant are counted, and parts failure frequencies are obtained from a data base for the different leak sizes for each part. Parts are typically pipes, flanges, valves, pumps, heat exchangers, vessels etc. The frequencies of occurrence of leaks are determined for sections of the plant, typically “isolatable sections”, defined as the sections of a plant which are connected together so that in an accident, the entire inventory of the section will be released. This is often further defined as the volume between emergency shutdown valves (although more sophisticated approaches may be used, see volume 5 in this series). The frequency of holes of a given size for the sections is determined by adding together the contributions for each part within the section. The main process plant data base for this at present is the UK HSE Hydrocarbon Release Data collection, which provides an extensive and very rigorous set of data for offshore oil and gas development and production (ref. 1). This approach is one of the most widely used at present for risk assessment (out of 35 onshore QRA’s received for third party review, 33 used this approach alone; 2 supplemented parts counting with component specific accident frequency calculations for tanks).

2. A second approach to component frequency determination is that of “unit process” release frequencies. Here, classic unit process equipments such as heat exchangers, pumps, columns etc. are identified, and accident frequencies are looked up for these. The tabulated frequencies include contributions for all the parts which may be associated with the equipment. For example, release and accident frequency data may be given for a distillation column plus its piping, valves and instruments. In-unit piping is regarded as part of the unit process; inter-unit piping is generally regarded as a separate item of equipment.
The basic frequency data can be modified, for example to take into account equipment size, process fluid and temperature. This approach is venerable in the history of risk assessment, being used for example in the Canvey Island studies of the 1970’s (ref. 2 and 3). The approach was formalised in the IFAL method (ref. 4), which provided a unit process accident frequency data base. An extensive data collection which is largely arranged in this way is RELBASE (ref. 5). In comparison with parts counting, the unit process approach can take into account more types of accident, including ones not related to hazardous substance releases through holes. Failures due to misoperation, runaway reactions, internal explosions, and overflow can be incorporated into analyses. This is hard to do properly just by counting pipes (or pipe lengths), flanges, valves and vessels. In other words, the parts counting approaches do not even attempt to determine comparable frequencies for accidents which do not involve release through a hole as the initial event. By contrast, it is very natural to include all accident types when using the unit process approach.

3. Frequencies can be determined on the basis of detailed hazard identification, obtained from HAZOP studies, detailed layout safety reviews, fault tree analyses etc. To allow the hazard identification to be used in practice, most “commercial” hazard identifications need to be extended to the stage where fatalities, injuries, and equipment damage are clearly stated. This usually means that the analysis results must be translated to a fault tree/event tree combination, to safety barrier diagrams, to bow tie diagrams or to layers of protection analysis tables (figure 1.1).

Figure 1.1 A typical in depth bow tie diagram for a single vessel. Clicking on any event or barrier reveals the PDF or frequency calculation for that item, and its performance standards.

This approach, using a combination of fault tree and event tree analysis, is the norm in nuclear power plant QRA’s, and is sometimes used for analysis of offshore oil and gas platforms. It has only rarely been used in everyday commercial risk analyses or in the chemical industry. One reason for this is that it costs more in analysis time. Another reason is one of project schedule. HAZOPs are usually made towards the end of front end design, when design detail is available. Waiting for these to complete before carrying out a QRA would generally delay projects. Nevertheless, detailed analysis is considered to be “best practice” for frequency determination, since it is more encompassing, taking more detail and more types of hazards into account. It allows the QRA to make explicit the detailed performance standards, which are an underlying assumption for any QRA. The improvement obtained is documented in Ch 4 and 5. To allow this approach to be used, much more extensive collections of data are required, covering failure of rotating equipment, failure of valves, control system and instrumentation, and also operational and maintenance faults, as well as data for leaks in piping, flanges, vessels etc. The very fact that this additional data is needed indicates the more complete analysis possible with detailed methods, compared with the parts counting approach.

5. Almost any accident will require for its occurrence and full development both an initiating event and a failure of one or more safety systems. A release of toxic gas may for example be initiated by a leak caused by corrosion, but for it to become serious, emergency shutdown systems will also need to fail. For this reason, failure rate data for safety equipment is required for QRA.

1.2 Latent versus immediate failures

Many failures, such as a rupture of a pipe due to overpressuring, have immediate consequences. The consequence follows very shortly after the occurrence of the failure. Quite a few failures, however, are latent ones. The equipment failure occurs, but nothing happens until a later event triggers the consequence. A few examples give the flavour of latent failures:

• A pipe is subject to corrosion so that there is significant wall thinning, but it fails only when a person tries to open a valve, and so imposes a torque on the pipe (figure 1.2)
• A tank roof corrodes but fails only when someone walks on it (figure 1.3)
• A drain valve is left open after cleaning a batch reactor, but the release occurs only when the next batch is started.
• A level sensor is installed wrongly, so that it works well during the early stages of filling, but sticks when the tank becomes full because the float wire becomes more skewed as the float rises (figure 1.4)
• A person puts reactive material in unlabelled sacks. An explosion occurs later when the material is wrongly charged to a reactor.

For most QRA purposes it is more or less irrelevant whether a failure is immediate or latent. The distinction becomes important, however, when calculating risk for plant personnel. Usually the individual risk is derived by calculating the location specific risk (LSR, or “risk map”) and multiplying the LSR by the “exposure factor” for the operator, maintenance artisan or labourer. Usually, operator and maintenance personnel have an exposure factor of about 10% or less in the process area of the plant, when meal times, periods in the control room or workshop, the shift time, week-ends and holidays are taken into account. In any particular plant location, the exposure factor can be as little as 1% or less. The problem is that for human triggered latent failures, the exposure factor is often 100%!

The fraction of failures which are human triggered latent failures is therefore important. For employees it can imply a difference between calculated and actual risk of as much as a factor 100.


Figure 1.2 Paper thin piping, fortunately detected before it could be broken by an operator turning a valve handle (or a puff of wind).

Figure 1.3, A corroded tank roof, waiting for someone to fall through it, arising from internal corrosion. The trap would have been even more insidious in the period just prior to the holes becoming visible.


Figure 1.4 Tank level alarm badly installed so that the float wire is skew and sticks on pipe edges. In the actual accident, there was an alternative radar type high level alarm, but the operators had more faith in the float type, and so sent an operator to check. Overflow occurred before the check could be made.


2. The Meaning of Frequency Data

2.1 The use of “average” data

The frequency data collected for risk assessment is “average” data for a selected population of plants from which the data is collected. If a QRA is then carried out, the frequency calculation will be accurate to within the statistical uncertainty bounds if:

• The plant analysed belongs to the same population as the plants from which the data was collected.
• The plant is an “average plant” for the population, i.e. it has no factors which would make it much more reliable, such as a first class inspection programme, and no factors which would make it much worse, such as handling very sour gas when the population itself largely handles sweet gas.

The use of the UK HRDC data, for example, to support risk analyses for British offshore oil and gas installations is by these rules completely appropriate. The plants all have fairly similar operating conditions (at least when compared with, for example, chlorine plants), and the plants are fairly uniform in their operation. There will be some variation from company to company, and between designs, which means that the population from which data is drawn is not completely homogeneous, but in the difficult world of failure data collection, HRDC data collection is about as good as it gets. Transfer of such data to analyses for other plants involves a large number of assumptions, and is rarely fully justified. In fact, there are great variations between data for different plant populations. Figure 2.1, for example, shows the variations in failure rates for cross country pipelines, between western USA, Canada and European gas and oil pipelines, and, to drive the point home, from British water pipelines. Figure 2.2 shows variations in piping failure rates between different process types. The reasons for variations are many, including:

• Differences in age profile of the pipeline population
• Differences in environmental conditions
• Differences in the process fluids, temperature and pressure
• Differences in design standards
• Differences in operation
• Differences in inspection programmes

Considering that nearly all oil, gas and chemical industry QRA’s are made using data transferred from some other field, it is clear that the QRA should be accompanied by some kind of health warning. It is clear that “foreign” data (i.e. from other plant types) must be used, because there are only three publicly available data bases with “real” data (i.e. collected from actual incidents, rather than estimated based on engineering judgement). At least, though, the degree of variation in failure rate data should be understood. For example, the failure rate due to corrosion for piping with sour gas is observed to be about five times greater than that for sweet gas, unless either special alloys are used, or an extra corrosion allowance is provided in the pipe wall thickness. Also, failure of high pressure pipes due to vibration fatigue is about 32 times higher if the piping is associated with a reciprocating compressor, and 7 times higher if it is associated with a centrifugal compressor, than for ordinary process piping (ref. 5). Note that to be able to understand the variation in failure rates, the causes of failure must be recorded. Very few data bases do this, and where it is done (as for example in the supplements to the OREDA data base (ref. 6)), an enormous amount of data is required to ensure that there are sufficient entries that the statistical breakdown into causes is meaningful. The RELBASE data base (ref. 5) provides a breakdown by cause. However, to do this, data from several sources was needed, rather than the ideal of relying on one homogeneous data base.
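As an added illustration (not part of the report), the sketch below carries out the parts-count summation described in section 1.1 for one isolatable section, and then applies the cause-specific multipliers quoted above to the piping contribution only. The base frequencies, the split of piping failures by cause, and all names are constructed assumptions, not values from the HSE data, RELBASE or any other data base.

```python
"""Parts-count leak frequency for one isolatable section (added illustration).

All base frequencies and cause fractions are constructed placeholders.
"""

# Constructed base leak frequencies per part-year (per metre-year for pipe),
# by hole size class.
BASE_FREQ = {
    "pipe_m": {"small": 1e-5, "medium": 2e-6, "rupture": 5e-7},
    "flange": {"small": 5e-5, "medium": 5e-6, "rupture": 1e-6},
    "valve": {"small": 1e-4, "medium": 1e-5, "rupture": 2e-6},
    "vessel": {"small": 5e-4, "medium": 1e-4, "rupture": 1e-5},
}

# Constructed split of piping failures by cause; fractions must sum to 1.
PIPE_CAUSE_FRACTION = {"corrosion": 0.4, "vibration_fatigue": 0.1, "other": 0.5}

# Cause-specific multipliers for piping quoted in the text. Each one scales
# only the failures attributed to that cause.
SERVICE_MULTIPLIER = {
    "sour_gas": {"corrosion": 5.0},
    "reciprocating_compressor": {"vibration_fatigue": 32.0},
    "centrifugal_compressor": {"vibration_fatigue": 7.0},
}


def pipe_adjustment(services):
    """Overall factor on the piping frequency for the given service conditions.

    A multiplier is applied only to the share of failures from its own cause,
    which is why a breakdown by cause is needed before data can be transferred.
    Pass at most one compressor type.
    """
    unknown = set(services) - set(SERVICE_MULTIPLIER)
    if unknown:
        raise ValueError(f"unknown service condition(s): {sorted(unknown)}")
    factor = 0.0
    for cause, fraction in PIPE_CAUSE_FRACTION.items():
        multiplier = 1.0
        for service in services:
            multiplier *= SERVICE_MULTIPLIER[service].get(cause, 1.0)
        factor += fraction * multiplier
    return factor


def section_frequency(parts, services=()):
    """Add together the contribution of every part in the section, per hole size.

    parts maps part type -> count (metres for "pipe_m").
    Assumption: the piping adjustment is the same for every hole size.
    """
    adjustment = pipe_adjustment(services)
    totals = {}
    for part, count in parts.items():
        scale = adjustment if part == "pipe_m" else 1.0
        for hole, freq in BASE_FREQ[part].items():
            totals[hole] = totals.get(hole, 0.0) + count * freq * scale
    return totals


if __name__ == "__main__":
    # Constructed isolatable section: 100 m pipe, 20 flanges, 10 valves, 1 vessel.
    section = {"pipe_m": 100, "flange": 20, "valve": 10, "vessel": 1}
    average = section_frequency(section)
    sour_recip = section_frequency(section, ("sour_gas", "reciprocating_compressor"))
    for hole in average:
        print(f"{hole:8s} average {average[hole]:.2e}/yr   "
              f"sour gas + reciprocating compressor {sour_recip[hole]:.2e}/yr")
```

With these constructed inputs the piping contribution rises by a factor 5.7, so the unadjusted “average” figure understates the small-leak frequency of the section by more than a factor 2.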

Figure 2.1 Pipeline failure rates from various sources (ref. 5)

Figure 2.2 Pipe failure rates for different process unit types (ref. 5)

Failure rates change also with the age of equipment, and with time independently of equipment age. Figure 2.3 shows the development of failure rates for some Canadian pipelines over time.

Figure 2.3 Changes of failure rate with time, from Pipeline Performance in Alberta, 1990-2005, Alberta Energy and Utilities Board, 2007

Conclusion: Ideally, analyses should use data which is specified by failure mode or hole size, equipment type, service, equipment age and failure cause. Unfortunately, this requires at least 36000 failure incidents for each equipment type in order to give appropriate failure rates in each category with upper and lower confidence bounds within a factor 3 of each other. This is an unrealistic requirement. Many data bases have as few as 20 failures for each equipment type. The OREDA data base (ref. 6), which is one of the oldest and most extensive collections, has generally between 5 and 1000 failures recorded for each equipment type. Equipments and failures must therefore be consolidated in groups to get a reasonable degree of statistical uncertainty. The choice of grouping should be such as to minimise the variations in failure rate within any group. Unfortunately there is no single rule to determine which form of grouping is the best. For example, it appears that there is not much variation in pipeline failure rates in Europe (see Figure 2.1), so that pipeline service does not strictly need to be taken into account (though actually it may be, since for cross country pipelines specifically there is a lot of data, sufficient to allow classification of failures by service, hole size and cause).
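As an added illustration (not part of the report), the sketch below computes exact Poisson confidence bounds on a failure count and finds how many failures a single category needs before its upper and lower bounds lie within a factor 3 of each other. The 90% two-sided confidence level and all function names are assumptions; the report does not state the confidence level or the number of categories behind its 36000 figure.

```python
import math


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), summed in log space to avoid underflow."""
    if k < 0:
        return 0.0
    if mu <= 0.0:
        return 1.0
    log_mu = math.log(mu)
    total = sum(math.exp(i * log_mu - mu - math.lgamma(i + 1)) for i in range(k + 1))
    return min(total, 1.0)


def _solve_decreasing(func, target, lo, hi, iterations=200):
    """Bisection for func(mu) == target, where func decreases as mu grows."""
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        if func(mid) > target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def count_bounds(n, confidence=0.90):
    """Exact two-sided bounds on the expected failure count, given n observed."""
    alpha = 1.0 - confidence
    if n == 0:
        lower = 0.0
    else:
        # Lower bound: the mean at which seeing n or more has probability alpha/2.
        lower = _solve_decreasing(
            lambda mu: poisson_cdf(n - 1, mu), 1.0 - alpha / 2.0, 0.0, float(n))
    # Upper bound: the mean at which seeing n or fewer has probability alpha/2.
    search_limit = n + 10.0 * math.sqrt(n + 1.0) + 20.0
    upper = _solve_decreasing(
        lambda mu: poisson_cdf(n, mu), alpha / 2.0, float(n), search_limit)
    return lower, upper


def rate_bounds(n, exposure_years, confidence=0.90):
    """Bounds on the failure rate per year for n failures in exposure_years."""
    lower, upper = count_bounds(n, confidence)
    return lower / exposure_years, upper / exposure_years


def bound_ratio(n, confidence=0.90):
    """Upper bound divided by lower bound; independent of the exposure time."""
    lower, upper = count_bounds(n, confidence)
    return math.inf if lower == 0.0 else upper / lower


def min_failures_for_ratio(max_ratio=3.0, confidence=0.90):
    """Smallest failure count in one category whose bounds are within max_ratio."""
    n = 1
    while bound_ratio(n, confidence) > max_ratio:
        n += 1
    return n


if __name__ == "__main__":
    # 5, 20 and 1000 are the failure counts per equipment type quoted in the text.
    for n in (5, 20, 1000):
        print(f"{n:5d} failures: upper/lower bound ratio = {bound_ratio(n):.2f}")
    print("failures needed per category for a factor 3:", min_failures_for_ratio())
    # 20 failures spread evenly over 4 categories leaves 5 in each.
    print("20 failures split 4 ways, ratio per category:", round(bound_ratio(20 // 4), 2))
```

Every additional classification (hole size, service, age, cause) multiplies the number of categories, and each category needs this minimum count on its own, which is how the total requirement grows so quickly.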

2.2 Coverage of accident types in data bases

The major hazards most often calculated in QRA’s are incidents arising from:

• Leaks or ruptures in piping
• Leaks and ruptures in vessels and tanks

The parts count approach described in Ch. 1 considers these initiating events to the exclusion of all others. There are many other major hazards incident types which can be identified during HAZOP studies:

• Overflow from tanks.
• Overflows from vents and from flares leading to “burning rain” or fountain type releases.
• High pressure ruptures due to pressure regulation failure, dead head pumping, high temperature, expansion of shut in liquid etc.
• Thermal runaway explosions in reactors.
• Special causes of leaks, such as corrosion due to contamination by highly corrosive fluids, to unexpected high levels of erosion, to improper choice of material or errors in material delivery. These failures are nominally included in the leak and rupture data bases. However, if there is a problem of this kind, the value taken from the leaks and ruptures data base will be wrong, since the contribution in the data base will be the average from many plants, i.e. a low number, while the actual value for the specific plant will be a high value. Ideally, HAZOP studies would eliminate all such problems, but as was shown in volume 2 of this report series, HAZOP studies are rarely more than 95% complete, and there are many failure causes which in any case cannot be addressed by HAZOP studies.
• Low liquid level events in vessels, which can lead to gas blow-by and overpressure rupturing of downstream equipment.
• Incidents due to overheating due to control failures.

HAZID and safety layout reviews can often extend this list:

• Releases due to natural events such as flooding, earthquake, landslip or hurricane
• Releases due to damage by dropped objects
• Releases due to crashes of cranes, vehicles etc.
• Aircraft crash

All of these methods, which are relatively routine within the oil and gas industries, still leave a large group of major hazard incident types unaddressed. These are the ones caused by operations and maintenance errors. Examples are:

• Repairing or maintaining the wrong equipment, so that a pressurised equipment is opened.
• Leaving drain valves open, either deliberately to drain water, but for too long, or by mistake.
• Opening equipment believed to be isolated and depressurised, when it is not.
• Tank explosions due to sampling with unearthed dip cups.
• Etc. (about 30 types of operations and maintenance related accidents).

It is a cause of wonder to this author why so many analysts spend time counting flanges, which only rarely cause major hazards accidents, but almost never count maintenance operations, which are a major cause of accidents. It appears that we spend a long time trying to solve the wrong problem. To illustrate this, Table 2.1 lists the major hazard accidents reported by the UK HSE and the US Chemical Safety Board. Each accident is characterised by whether it would be included in a QRA carried out according to one of the standard guidelines (for example ref. 7, 8 and 9). As can be seen from the table, the majority of the accidents would be identified in a HAZOP study, and would probably be prevented as a result. Many, though, could not be identified in HAZOP or HAZID studies etc. and require more specific methods such as layout safety reviews, maintenance error analysis and operations error analysis, using methods such as action error analysis or job safety analysis. These omissions cannot in many cases be included into current QRA methodologies, because of timing problems (it is hard to analyse maintenance procedures during the design stage of a plant) and because of the difficulties of data collection. Ref. 10 suggests a way around this problem. Essentially, the types of operations and maintenance errors which arise in process plant accidents are relatively well known, and repeat themselves in the same way that equipment failures do. This means that it is possible to review equipment types and the necessary operations and maintenance procedures, and to collect data specifically for the errors in carrying out these procedures which cause accidents. Table 2.1 shows that only about 40% of the major hazards accidents occurring in real life are covered by current commercial QRA consequence calculation methodologies.

Only about 10% of the accident types are included in frequency data bases. Only about 35% are identifiable by the HAZID methods typically used in QRA, and only about 15% are identifiable using simple parts counting. This raises the question “What do we think we are doing when we make a QRA?”. Nearly all the accidents arise from specific design weaknesses or operating errors which have nothing to do with equipment failure rates. Generally, these failures and errors are preventable. We should be engaged in eliminating these weaknesses, not in calculating their frequency. A resolution of this dilemma is possible. QRA’s should not be made for plants unless good HAZOP, HAZID and Operations Hazards Analyses are made first, with good follow up and good management of change. The residual risks should then arise from completely unpredictable events, from oversights in the hazard analyses, and from unavoidable component failures, and unavoidable operating errors and maintenance errors. We should add a step into any safety analysis which asks the question – “If this event is considered possible in the future, why is it unavoidable?”. Frequency data should then only be needed for non-avoidable occurrences and for predicted and accepted accidents. Note that there will still be some risk from unpredictable accidents.

Conclusion: The main conclusion from this section is that current QRA practice seems to be addressing only a subset of the real problems, and that data bases and consequence calculation packages should have a much wider range of capabilities.

Location

Accident description

Type

Pennzoil, Rouseville 1995

Vapour ignition in a tank due to vapour plume at location where welding takes place. Miscalibration of gas tester and poor testing practice. Runaway reaction in kettle reactor due to operator error, too fast heating. Under-dimensioned safety vent.

Tank explosion

Morton International, New Jersey 1998

Reactor runaway explosion

Included in standard QRA consequence calculation No

Included in parts count frequency data bases

Identifiable and predictable

No

By HAZOP

No

No

Yes

Yes

By HAZOP and reactor relief calculation By HAZID

No

Yes, but design error means that standard data is overoptimistic No, dead legs not included

By HAZID

Koch Pipeline Company, Lively, Texas 1996 Olympic Pipe Line Company, Bellingham

Butane pipeline rupture due to corrosion. Corrosion Pipe failure, due to coating failure and poor inspection flash fire and jet fire Gasoline pipeline rupture due to third party damage Running fire and erroneous design of relief systems

El Paso Natural Gas Company, Carlsbad, 2000 Sonat, Temple Common, Louisiana 1998 Powell Duffryn, Georgia, 1995

Natural gas pipeline rupture and large jet fire due to corrosion in a dead leg

Pipeline jet fire

Yes

Vessel overpressuring due to operator error and design error

Vessel rupture explosion

No

No

By HAZOP

Tank fire due to activated carbon auto ignition, hydrogen sulphide generation

Tank fire, reaction

No

No

By HAZOP


Design error by detailed design review By HAZOP


Phillips, Houston, 1990

Vapour cloud explosion due to release of ethylene and propane from an improperly reinstalled valve

Vapour cloud explosion

Total, Buncefield, England, 2005

Vapour cloud explosion due to gasoline overflow from tank. Operator error and level switch failure.

Vapour cloud explosion

San Juan, Puerto Rico 1996 Texaco, Milford Haven, 1994

Indoor explosion due to gas leakage. Failure due to third party interference Vessel overflow causing butane to enter flare line, hammer effect ruptured flare line, giving a vapour cloud explosion.

Indoor explosion Vapour cloud explosion

Sierra chemicals, Nevada, 1998

Operator error in starting a part full reactor caused detonation.

Surpass chemicals, New York

Hydrochloric acid tank ruptured during filling due to inadequate venting

Runaway reaction explosion Tank rupture

Yes

No

By maintenance AEA

No, explosion was much more violent than calculations show

No

No

No

By HAZOP

Yes

No

No

No

No

No

Identifiable in principle by HAZID, but would normally be considered too unlikely (required 3 failures) By Action Error Analysis By HAZOP

By HAZID


Tosco Avon Refinery, California, 1997 Shell Deerpark, Texas,1997

Hydrocracker outlet line rupture due to high temperature, reactor hot spot, giving an explosion.

Reactor runaway

Vapour cloud explosion due to shaft blowout on a butterfly valve, arising due to design error.

Vapor cloud explosion

Yes

Damaged l1” line due to tractor impact caused propane release, fire and BLEVE Overfilling of column, overflow of vent stack, and UVCE. Overflow due to operator error and instrument design error. Operator error in alignment of ¼ turn isolation valve leading to a release of alkylate, fire and subsequent explosions. Valve handle positioning was abnormal.

BLEVE

Operator error (supervisor and operator) and misleading change in design led to overfilling of an oleum tank and oleum mist release Internal ignition in wax vessel due to pressuring with air to clear blockage, also defective weld, leading to vessel rupture and explosion

Herrig Brothers Farm, Iowa, 2001 BP, Texas City, 2005 Giant Industries, Cinzina, 2004

Petrolia, Pennsylvania, 2008 Marcus Oil, Houston 2004

No

No

By HAZOP

Yes

Wrong frequency for the actual valve No

UVCE

Yes

No

No practical method to identify this in QRA. By layout safety review By HAZOP

Spray fire, pool fire, secondary vessel explosions

Pool fire, yes Spray fire, no Domino effects, no

No

Pool evaporation

Yes

No

Vessel rupture explosion

No

No


By Human Factors Analysis or Safety Design Review By AEA and HFA By AEA


DPC Enterprises, Missouri, 2002

Chlorine unloading via a hose connector made of the wrong material led to chlorine release.

Jet release of toxic gas

Partridge, Mississippi, 2006 Synthron Chemicals, North Carolina, 2008 Allied terminals, Virginia, 2008

Tank explosion due to hot work close to a tank containing flammable vapour Runaway reaction and explosion due to scale up of a batch reaction without analysis

Tank explosion

Terra industries, Port Neal, Iowa 1994

Ammonium nitrate explosion and anhydrous ammonia release due to process deviations arising from poor operating practice


Tank split open due to a defective weld, releasing liquid fertiliser (ammonium hydroxide)

Yes. In the actual case, impingement and damming caused the release to be wider and shorter than open field plume calculations

No

Runaway reaction explosion Tank rupture

Runaway reaction explosion

No


No, wrong material gives a much higher failure rate than hose failure frequencies in data bases

Positive material identification

No

By HAZID

No

No

Yes

No. This was one of a series of tank ruptures, all in tanks of the same manufacture No

By HAZOP and reactor analysis Safety Design Review

By AEA or HAZOP

Location

Accident description

Type

Included in parts count frequency data bases

Identifiable and predictable

Tank explosion

Included in standard QRA consequence calculation No

Barton Solvents, Wichita, 2007 Marcus oil, Perth Amboy, 2005 Valero McKee refinery, Sunray Texas, 2007

Static accumulation leading to in-tank explosion and rocketing. The spark probably arose from a loose level sensor cable. Acetylene explosion in a tank due to reverse flow through a pump and check valve. Freezing of water in a dead leg led to propane release, a jet fire, manway cover damage and a large secondary jet fire.

No

By HAZOP

Tank explosion

No

No

By HAZOP

Jet fire

Yes, first jet fire; No, second jet fire. No, dead legs not addressed

Formosa Plastics, Point Comfort, Texas, 2006

Propylene release and unconfined vapour cloud explosion due to a fork lift truck crash and damage to a valve.

UVCE

Yes

No

Conoco Phillips Humber Refinery, 2001

Corrosion downstream of an injection point led to an ethane/propane release and an unconfined vapour cloud explosion.

UVCE

Yes

Honeywell, Baton Rouge, Louisiana

Chlorine cooler tube failure leading to overpressuring of coolant side and chlorine release

Toxic plume

Yes

Yes, though failure frequency underestimated Yes Parts count


By dead leg analysis, or piping safety analysis By HAZID or Layout Safety Review

2.3 Failure rates, standards and assumptions

Failure rate data are applicable to equipment which is built to a certain standard. Strictly, the equipment being analysed should be built to the same standard as the equipment for which the failure data was collected. This means in practice that failure rate data will generally be pessimistic when applied to new plants, which are generally built to a higher standard than earlier ones. Failure rate data will definitely not be applicable to equipment of low standard, or which is unsuitable for the actual application.

As an example, the frequency of centrifugal pump seal failure is given in OREDA as 0.87 per year. Many pump seals have a failure frequency much less than this. In one application though, pumping hot chlorobenzene, the failure rate was 1 per week. No seal suited to the application could be found. Figure 2.4 shows equipment for which failure rate data cannot be expected to apply.

In order to provide some degree of order in the assessment of risk, performance standards have been required to be specified for safety critical equipment. These performance standards are assumptions underlying any QRA and are intended to ensure that good engineering is applied. The performance standards cover especially component properties which can be checked directly as a part of design review at the detailed level, and so do not need to be considered in HAZOP studies etc. Table 2.2 shows an example of performance standards.

In actual fact, many of the items from which failure rate data have been collected do not satisfy all the usual performance standards, and this may have led to failures. New plants which are designed with careful application of performance standards will therefore presumably have lower failure rates than older ones. The QRAs should therefore be conservative. No studies have so far been completed which allow this conservatism to be documented, however, and, as the previous section shows, any effect of this kind would probably be overshadowed by the unanalysed causes of accidents and poor quality of QRAs.

Figure 2.4 Equipment for which it is unreasonable to try to give a failure rate


Table 2.2 Example extract of safety critical equipment performance standards

HSECES PERFORMANCE STANDARDS – Piping
HSECES Goal: To provide for performance of basic process operations
Applicable to: Piping capable of releasing more than 1 kg/s of flammable material or any highly toxic material.

Design requirements

| Title | Performance standard | Reference |
|---|---|---|
| Piping flow rates | Piping should be properly dimensioned for the service and flow rate, avoiding high flow rates which could cause erosion or cavitation and low flow rates which could cause deposit settlement and increased corrosion. | DEP 31.38.01.11-Gen 2.2 |
| Small bore piping | Piping under DN 40 should be avoided for hydrocarbon or toxic service. | DEP 31.38.01.11-Gen 3.9 |
| Pocketing | Gas and steam piping should have straight runs with a drain slope and with no low points or pockets. | DEP 31.38.01.11-Gen 4.3 |
| Pipe fittings | Pipe elbows and tees for flammable, toxic or pressure service should be forged or weldolet type. Socket welds should be avoided. | DEP 31.38.01.11-Gen 8.5 |
| Mitre bends | Mitre bends shall be avoided. | DEP 31.38.01.11-Gen 8.5 |
| Socket welds | Socket-welded construction is not permitted in the following services: services in which crevice corrosion can occur; ASME rating class above 900; lower design temperature below 0 °C; very toxic service; hydrogen service. | DEP 31.38.01.11-Gen 8.3 |
| Screw fittings | Valves for flammable, toxic or pressure service should be welded into pipes in hydrocarbon service, or should be flanged. Screw fittings shall be avoided. | QRA |
| Screwed pipe fittings | There should be no screwed fittings on hydrocarbon or toxic service piping. | QRA |
| Flange type | Recessed flanges should be used where there is a danger if part of a flange packing blows out. | QRA |


3. Failure Rate Datasets for QRA

There are a number of failure rate datasets which have long been used in QRA, notably the data set from the Reactor Safety Study, WASH 1400 (ref. 11) and from the COVO study (ref. 12). The data in these studies were to a large extent “engineering judgements”. Two semipublic data sets, one published as course notes from ICI Ltd (ref. 13), the other available on a subscription basis from SRDS (ref. 14), contained data derived from actual experience, but were collected from widely varying sources. These data sets served during the early days of risk analysis, but the provenance was quite varied. When the source of data is not known, or is based on “engineering judgement”, its applicability is difficult to judge. The data sets discussed below are all real data, systematically collected from appropriate plant types.

3.1 Data for parts counting

Component based leak and rupture data have been collected systematically by companies operating oil and gas installations in the British North Sea, with the data systematised and published by the UK HSE as the Hydrocarbon Release Data Collection. In its most recent form it covers over 3800 failures, and over 26 million equipment years, allowing classification by over 120 equipment type/sizes and 7 hole size groupings. As can be seen from the number of failures though, many of the classes are unpopulated with data.

The data base has very high integrity in the data collection process, due to a rigorous collection process, and a high degree of homogeneity in the data collected. The data base can be expected to be reasonably complete, since reporting is a legal condition for operation of the installations.

The raw data are available in a tabulated form, from which it is possible to derive some idea of failure rate age dependence, process fluid dependence, pressure dependence, hydrogen sulphide dependence and a rough causal distribution for some items of equipment for which there is sufficient data. Between 40 and 50% of the releases are classified as arising from operational or maintenance causes. This means that human error is taken into account in the data base, but only for those related to leaks and ruptures.

From the source, the data can be determined to be directly relevant for carbon steel equipment, operating with temperatures from below 0 °C to 50 °C (except for items which are heated, such as glycol driers and gas turbines), and working with relatively sweet crude oil and natural gas. The underlying assumptions concerning the relevance of the data to other application areas are the standards applicable for North Sea designs. This includes compliance with most API and BS offshore standards covering strength, corrosion, erosion and fatigue resistance and inspection procedures.

Transfer of the data to onshore oil and sweet gas plants should be straightforward, although the range of equipment covered is less than that needed for a refinery, for example. Direct application to sour gas plants is not really appropriate because of the widely different corrosion potential. There is enough data in the data base, however, to allow an estimate to be made of the influence of hydrogen sulphide. Application of the data to some kinds of petrochemical plant seems also to be realistic. Application for chemical plant has been found to be less justified (see ref. 5).

3.2 Data for the unit process approach

The unit process approach was used informally in many of the early QRAs such as those for the Canvey Island studies (ref. 2 and 3). The first formal presentation of the concept in database form was for the IFAL method (ref. 18), which was based on data collection from a few British refineries.

The US RMP data collection (ref. 15) is a collection of reports for all US process plants and storage terminals handling hazardous materials over a certain threshold. The data includes a considerable amount of information about the plant design and safety systems. Importantly, it contains a five year record of releases of hazardous materials with offsite impact. A total of 23,000 facilities are included in the data base. Only refineries, gas plants, ammonia plants and Chlor-Alkali plants, however, were sufficiently uniform in design and provided sufficient process data to allow failure rates to be determined.

The US RMP database itself does not contain sufficient information to determine how much equipment is at risk at the detailed level. It was possible to assemble this information though for a small subset of the plants (767 of them), as given in table 3.1. Data were then processed to give failure rates and hole size distributions, and a cause distribution, and assembled into the RELBASE data base (ref. 5).

| Plant type | Count |
|---|---|
| Ammonia distribution | 35 |
| Chlor Alkali | 51 |
| Fertiliser (ammonia production and usage) | 242 |
| Gas refining | 26 |
| Petrochemical plant | 35 |
| Refineries | 272 |
| Water treatment plant | 106 |

Table 3.1 Plants in the RELBASE database.

Over 3000 releases with offsite consequences were recorded for these plants. One would expect smaller releases to be underrepresented in this data, but this does not appear to be the case. Inspection of the data reveals very diligent reporting of even small releases, and as will be seen later, the failure rates are at least reasonably consistent with those from other sources, generally giving higher failure rates than other databases.


By definition, the data given in RELBASE covers all the kinds of accidents, not just those arising from leaks and ruptures. With only 3800 plant years covered by the data base, and therefore only about ½ million vessel years, the rarest kinds of accidents are hardly covered by the database. To reduce the uncertainty from this source, large accident data covering a 30 year period were incorporated into the data base. Accident reports were obtained from CSB (ref. 16), US EPA (ref. 17), MHIDAS (ref. 18) and AIChE sources (ref. 19), for the same plants as in the RELBASE data base.

The US RMP data were also supplemented with data from systems on which the author has worked, including development of maintenance management and RBI systems, a total of 14 plants, which were used to derive failure rate data for small releases of flammable material, i.e. the kind which would not give offsite consequences. The plants were selected to be comparable with the US RMP data in the first instance, but data were added also to cover two chemical waste plants and four fine chemicals plants.

Table 3.2 shows an example of the tables, with release size and causal breakdown of the failure rates. The data is in spreadsheet form, with an algorithm to help determine susceptibilities of equipment to different failure types, and in this way to determine highly plant specific failure rates. The method has not proved popular, largely because it requires extensive background information about plant design and operation, something which is not available to most risk analysts. (This in itself is an interesting observation since it implies that it will be difficult to get accurate frequency calculations without intimate knowledge of the plants. This is of course obvious to plant managers, supervisors and maintenance technicians, but is rarely obvious to risk analysts.)

RELBASE in the form shown has been used in five commercial QRAs and six QRAs made for study purposes. To overcome the difficulties, a simpler approach is used here, where the RELBASE data tables are used to derive failure rates for a number of different service types. The data values are given in table 3.4.


Release frequencies per metre year, Pipe < 3 inch

| Failure cause | Release size | Metres | Frequency | Susceptibility | Safety barrier 1 | Risk reduction (barrier 1) | Assessed frequency | Justification of susceptibility evaluation |
|---|---|---|---|---|---|---|---|---|
| Internal corrosion | small | 1 | 1.37E-05 | 1 | | | 1.37E-05 | |
| Internal corrosion | medium | 1 | 3.78E-05 | 1 | | | 3.78E-05 | |
| Internal corrosion | large | 1 | 4.08E-06 | 1 | | | 4.08E-06 | |
| External corrosion | small | 1 | 4.07E-06 | 1 | | | 4.07E-06 | |
| External corrosion | medium | 1 | 1.15E-05 | 1 | | | 1.15E-05 | |
| External corrosion | large | 1 | 1.18E-06 | 1 | | | 1.18E-06 | |
| Drain lines left open | large | 1 | 1.60E-05 | 0.2 | | | 3.20E-06 | |
| Maintenance error | small | 1 | 2.61E-05 | 1 | | | 2.61E-05 | |
| Corrosion, no inspection | small | 1 | 1.11E-04 | 0.05 | | | 5.56E-06 | |
| Corrosive liquid, or sour gas | small | 1 | 5.56E-04 | 0 | | | 0.00E+00 | |
| Under lagging corrosion | large | 1 | 2.27E-04 | 0 | | | 0.00E+00 | ULC and external exclusive |
| Erosion | medium | 1 | 6.75E-04 | 0 | | | 0.00E+00 | |
| Wrong material | large | 1 | 4.54E-06 | 0.03 | | | 1.36E-07 | |
| Lining failure | medium | 1 | 1.35E-04 | 0 | | | 0.00E+00 | |
| Support failure | large | 1 | 1.6E-05 | 0.3 | | | 4.76E-06 | |
| Overheating ++ | large | 1 | 1.9E-03 | 0 | SV | 0.0510798 | 0.00E+00 | |
| Overpressure, control failure ++ | large | 1 | 3.1E-04 | 0 | SV | 0.0510798 | 0.00E+00 | |
| Overpressure, gas breakthrough ++ | large | 1 | 0.00319628 | 0 | SV | 0.0510798 | 0.00E+00 | |
| Overpressure, shut in liquid ++ | medium | 1 | 0.03093709 | 0 | SV | 0.0510798 | 0.00E+00 | |
| External fire | large | 1 | 9.7182E-07 | 1 | | | 9.72E-07 | OK |
| Weld crack | large | 1 | 3.20E-06 | 1 | | | 3.20E-06 | OK |
| Hammer ++ | large | 1 | 0.00016327 | 0 | | | 0.00E+00 | |
| Weather, freezing ++ | medium | 1 | 4.00E-04 | 0 | | | 0.00E+00 | |
| Crash, impact ++ | large | 1 | 8.1633E-06 | 0 | | | 0.00E+00 | |
| Vibration fatigue ++ | large | 1 | 2.38E-05 | 0 | | | 0.00E+00 | |
| Thermal expansion ++ | large | 1 | 2.72E-05 | 0 | | | 0.00E+00 | |
| Wind load ++ | large | 1 | 3.21E-04 | 0 | | | 0.00E+00 | |
| Wrong substance ++ | medium | 1 | 6.75E-06 | 0 | | | 0.00E+00 | |
| Earthquake, landslip, flood ++ | large | 1 | 1.36E-07 | 0 | | | 0.00E+00 | |
| Internal explosion ++ | large | 1 | 9.61E-05 | 0 | | | 0.00E+00 | |
| Vandalism, third party ++ | large | 1 | 1.12E-04 | 0 | | | 0.00E+00 | |
| Low temperature embrittlement ++ | large | 1 | 2.72E-06 | 0 | | | 0.00E+00 | |
| Dropped object | large | 1 | 2.72E-06 | 0 | | | 0.00E+00 | |
| Design error ++ | large | 1 | 1.77E-05 | 1 | | | 1.77E-05 | |
| Total small | | | | | | | 4.94E-05 | |
| Total medium | | | | | | | 4.93E-05 | |
| Total large/rupture | | | | | | | 3.52E-05 | |

Safety barrier columns: Safety barrier 1 Y/N is 1 on the SV rows and 0 on the others; Safety barrier 2 is ESD, with Y/N 0 and risk reduction 0.01; the Safety barrier 3 columns contain only 0.

++ failure rate per pipe section, not per meter

Table 3.2 A typical RELBASE failure rate calculation table

1.57E-04 1.11E-04 5.88E-05

| # | Question | Action if Yes | Action if No |
|---|---|---|---|
| 1 | Is there a pressure specification break and pressure reduction in the pipe? | Go to 2 | Go to 3 |
| 2 | If so, is there a pressure relief on the piping or on a vessel connected? | Overpressuring, control failure susceptibility = 1. Calculate pressure relief reliability. Go to 3 | Overpressuring, control failure susceptibility = 1. Go to 3 |
| 3 | Is the line designed to carry liquid? | Go to 4 | Go to 7 |
| 4 | If so, can gas flow enter the pipe? | Go to 5 | Go to 7 |
| 5 | Is there a pressure specification break and pressure reduction in the pipe? | Go to 6 | Go to 7 |
| 6 | Is there a restriction orifice in the pipe, reducing flow to a safe level? | Go to 7 | Gas break through susceptibility = 1. Go to 7 |
| 7 | Does the pipe transfer liquefied gas? | Go to 8 | Go to 10 |
| 8 | Is the liquid cryogenic? | Go to 9 | Go to 10 |
| 9 | Is there a thermal relief valve on each pipe section which can be isolated or shut in? | Go to 10 | Thermal expansion susceptibility = 1. Exit |
| 10 | Does the pipe have a large volume? | Go to 11 | Go to 13 |
| 11 | Is it exposed to the sun? | Go to 12 | Go to 13 |
| 12 | Is there a thermal relief on the pipe? | Go to 13 | Thermal expansion susceptibility = 1. Exit |
| 13 | Is there heat tracing on the pipe? | Go to 14 | Exit |
| 14 | Can the liquid in the pipe be shut in? | Go to 15 | Exit |
| 15 | Is there a thermal relief or other relief on the pipe? | Exit | Thermal expansion susceptibility = 1. Exit |

Table 3.3 Example extract from the RELBASE failure rate modification algorithm. The database includes between 3 and 12 of these for each equipment type.
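The question sequence of Table 3.3 can be followed mechanically and its result fed into a Table 3.2 style calculation. The sketch below is an added example, not RELBASE's own spreadsheet code: the question routing is as read from the Table 3.3 extract, the three generic rates and the SV risk reduction are the Table 3.2 values, and the rule for combining them (generic rate × susceptibility × risk reduction of a credited relief) and the sample pipe are assumptions.

```python
EXIT = None
CTRL, GAS, THERM = "overpressure_control_failure", "gas_breakthrough", "thermal_expansion"

# Table 3.3 as read from the extract:
# question -> {answer: (susceptibility set to 1, next question)}
RULES = {
    1:  {True: (None, 2),    False: (None, 3)},
    2:  {True: (CTRL, 3),    False: (CTRL, 3)},   # Yes also credits the relief, see walk()
    3:  {True: (None, 4),    False: (None, 7)},
    4:  {True: (None, 5),    False: (None, 7)},
    5:  {True: (None, 6),    False: (None, 7)},
    6:  {True: (None, 7),    False: (GAS, 7)},
    7:  {True: (None, 8),    False: (None, 10)},
    8:  {True: (None, 9),    False: (None, 10)},
    9:  {True: (None, 10),   False: (THERM, EXIT)},
    10: {True: (None, 11),   False: (None, 13)},
    11: {True: (None, 12),   False: (None, 13)},
    12: {True: (None, 13),   False: (THERM, EXIT)},
    13: {True: (None, 14),   False: (None, EXIT)},
    14: {True: (None, 15),   False: (None, EXIT)},
    15: {True: (None, EXIT), False: (THERM, EXIT)},
}

# Table 3.2 generic rates for the three causes ("++" rows: per pipe section per year).
BASE_RATE = {CTRL: 3.1e-04, GAS: 0.00319628, THERM: 2.72e-05}
SV_RISK_REDUCTION = 0.0510798  # Table 3.2 value for the SV barrier


def walk(answers):
    """Follow the questions from 1 to Exit; answers maps question number -> bool."""
    susceptibility = {cause: 0 for cause in BASE_RATE}
    relief_credited, path, q = False, [], 1
    while q is not EXIT:
        if q not in answers:
            raise KeyError(f"question {q} is reached but has no answer")
        path.append(q)
        cause, nxt = RULES[q][answers[q]]
        if cause is not None:
            susceptibility[cause] = 1
        if q == 2 and answers[q]:
            relief_credited = True  # "Calculate pressure relief reliability"
        q = nxt
    return susceptibility, relief_credited, path


def assessed_frequencies(answers):
    """Assumed rule: generic rate x susceptibility x risk reduction of a credited relief."""
    susceptibility, relief_credited, _ = walk(answers)
    result = {}
    for cause, rate in BASE_RATE.items():
        frequency = rate * susceptibility[cause]
        if cause == CTRL and relief_credited:
            frequency *= SV_RISK_REDUCTION
        result[cause] = frequency
    return result


# Constructed sample: liquid line with a pressure break and relief, gas can enter,
# no restriction orifice, not liquefied gas, large volume in the sun, no thermal relief.
LIQUID_LINE = {1: True, 2: True, 3: True, 4: True, 5: True, 6: False,
               7: False, 10: True, 11: True, 12: False}
```

For the constructed pipe the walk visits questions 1 to 7, then 10 to 12, and sets all three susceptibilities to 1; only the control failure rate is reduced by the relief.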


Table 3.4. Summary of RELBASE data. Piping data is for inter-unit piping. Data for vessels includes associated piping and instrumentation.
Equipment type  Piping, general,