Microsoft Word - 1.docx


CHEMICAL ENGINEERING TRANSACTIONS 

VOL. 77, 2019 

A publication of 

The Italian Association 
of Chemical Engineering 
Online at www.cetjournal.it 

Guest Editors: Genserik Reniers, Bruno Fabiano
Copyright © 2019, AIDIC Servizi S.r.l. 
ISBN 978-88-95608-74-7; ISSN 2283-9216

Semiquantitative Risk Analysis – An EPSC Working Group 
Hans V. Schwarza, Tijs Koertsb, Ulrich Hörchera,* 
aBASF SE, 67056 Ludwigshafen, Germany 
bEPSC c/o Dechema e.V., 60486 Frankfurt am Main, Germany 
ulrich.hoercher@basf.com        

Semiquantitative Risk Analysis (SQRA) tools like e.g. LOPA were developed for the assessment of scenarios 
which have previously been identified with Process Hazard Analysis (PHA) tools like e.g. HAZOP. These 
SQRA tools represent a scenario as chain of events with barriers preventing the propagation of the chain of 
events towards the final accident. Orders of magnitude are used to express frequencies, failure rates and 
consequences. 
The risk acceptance criteria are a central element of each SQRA tool and are typically represented in a matrix 
having an axis for frequency and one for severity. These risk matrices are defined individually by each 
company as part of its SQRA tool. 
Though some countries have defined risk acceptance criteria for individual or societal risk as part of 
Quantitative Risk Analysis (QRA), there is no generally accepted standard for SQRA applied to single cause – 
single consequence scenarios. The focus of the working group was therefore a comparison of the risk 
matrices of the participating companies with their individual risk acceptance criteria and application rules. 
These application rules – e.g. the use of modifiers or the assumed frequencies for initial events – have a 
significant influence on the risk level obtained by use of a risk matrix. 
Key results of the discussion and comparison within the working group are: 

 Risk acceptance criteria for 1 fatality as reference scenario differ only by one order of magnitude
 Companies using or not using modifiers are equally represented
 Criteria used for ALARP are similar for most companies
 In some cases differences in use of modifiers and risk acceptance criteria compensate resulting in a

comparable risk level
 Application of company-specific risk matrices to an example case gave the same results for most

participants, thus demonstrating that most risk matrices of working group members will arrive at a
comparable risk level

While individual companies will often not share their risk matrix in public, the results of the working group can 
be shared, as the comparisons have been anonymized. 
The matrices discussed in this study were submitted by major European companies from the chemical and oil 
& gas industries. As these companies are the leaders in their industries, the study will be of interest to others 
to compare and assess their practice. 

1. Introduction

It is a standard procedure in the process industries to ensure the safety of plants and processes by performing 
Process Hazard Analyses (PHA) during the design of new plants and during the operating phase of existing 
plants. Semiquantitative Risk Assessment (SQRA) tools are widely used for assessing the risks of the 
scenarios identified by PHA. Typically these SQRA tools use orders of magnitudes for frequencies and 
severities, thus limiting the effort required for performing SQRA (compared with Quantitative Risk Assessment, 
QRA). This limited effort required for SQRA in combination with the validity of the results is the reason for its 
popularity and widespread use. The validity of the results obtained with SQRA is in accordance with the 
semiquantitative approach and is an important condition for making decisions on the quality of safeguards and 
need for risk reduction. 

 

   

DOI: 10.3303/CET1977007 

 
 
 
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

 
 
 
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Paper Received: 22 February 2019; Revised: 24 April 2019; Accepted: 1  July  2019 

Please cite this article as: Schwarz H., Koerts T., Hoercher U., 2019, Semiquantitative Risk Analysis – An EPSC Working Group, Chemical 
Engineering Transactions, 77, 37-42  DOI:10.3303/CET1977007  

37



LOPA is the most frequently used SQRA tool and was developed in the 1990s and propagated by CCPS 
(CCPS 2001) and other organizations. It is characterized by detailed procedures, a specific terminology and 
use of worksheets for documentation of the results. Among the SQRA approaches found in practice there are 
many varieties of LOPA, often not using the specific LOPA terminology and procedures, but based upon the 
same principles as LOPA. These basic principles of SQRA can best be described with the model of a chain of 
events as shown in Figure 1. 

Figure 1: Chain of Events as Basis for Semiquantitative Risk Assessment 

The frequency of an accident F(A) is the product of the following values: 
 Frequency of the Initial Event F(i)
 PFD of safeguards
 Probability factor P(m) for modifiers (see chapter 3.4 for an explanation of this term)

From this chain of events the following steps can be derived which are the basis of every SQRA approach: 
1. Describe a scenario as chain of events and determine the severity of final consequence
2. Determine the frequency of the initiating event and further factors influencing the frequency of the

scenario like modifiers
3. Determine the existing countermeasures and their PFD
4. Using the results from step 2 – 3, calculate the scenario frequency
5. Using frequency and severity of the scenario, determine the risk of the scenario
6. Determine whether the risk is acceptable by applying company specific risk acceptance criteria

There may be variations in the detailed design of these steps. E.g. some companies start with determination 
of the risk without countermeasures/safeguards (raw risk) and the required total orders of magnitude of 
improvement by safeguards. This is then compared with the existing safeguards to determine if additional 
protection layers are needed. But in some way the steps listed above are included in every SQRA approach, 
no matter whether it operates under the name of LOPA or not. 
The company specific risk acceptance criteria used in the last step to determine whether additional risk 
reduction is required, are in the participating companies documented in a risk matrix. The design and 
comparison of these risk matrices including the associated risk assessment procedures were the main topic of 
the EPSC working group. 

2. The EPSC Working Group

The EPSC working group on SQ Risk Analysis was active from 2015 – 2018. The discussions started with a 
collection of risk matrices submitted in an anonymous survey conducted among EPSC members before the 
start of the working group. After some changes in organization and membership composition of the working 
group, a second survey was conducted exclusively among group members. The reason for this survey was to 
have updated versions of all matrices and to use only data from matrices of known origin from current working 
group members. 

Table 1: List of companies represented in the EPSC working group 

AkzoNobel BG RCI DSM OMV Petrom 

Baker Risk Centrica Dupont Sasol 

BASF Clariant Evonik TÜV Austria 

Bayer Covestro Lyondell Basell TÜV Süd 

38



Table 1 shows the list of organizations represented in the working group. Besides major companies from 
chemical and petrochemical industry also some consulting companies participated in the group. 

3. Comparison of Risk Matrices

It was agreed within the working group not to disclose existing matrices which can be attributed to a company. 
Therefore Figure 2 shows a “synthetic” risk matrix which is best suited as starting point for the discussion of 
the risk matrices shared within the working group and the variations of the essential features like severity 
categories, frequency categories and risk levels. The features of this matrix were chosen so that they 
represent the “average” or most typical characteristics of the matrices shared within the working group. One of 
these features, the limit between the red (“unacceptable”) and yellow (“tolerable”) range, was for some 
matrices shifted by one order of magnitude to lower frequencies (see also chapter 3.5, risk acceptance 
criteria). It should be emphasized that the intention of this matrix is not to establish a standard, but to facilitate 
the discussion of the matrices in the working group. 

<10-5/yr 10-5/yr –
10-4/yr

10-4/yr –
10-3/yr

10-3/yr –
10-2/yr

10-2/yr –
10-1/yr

10-1/yr –
1/yr

> 1/yr

Catastrophic C C B B B A A

Severe D C C B B B A

Serious D D C C B B B

Significant D D D D C C B

Minor D D D D D C C

Consequence
category

Effect on Human 
Health

Catastrophic Multiple fatalities

Severe 1 fatality / several
severe injuries

Serious Severe injury

Significant Lost time injury

Minor Minor injury without
lost time

Risk level Action required

A: very large, unacceptable risk Process or design change
required

B: Large, unacceptable risk Risk reduction to reach at least 
risk level C

C: Undesirable Risk
(tolerable if ALARP)

Check if further risk reduction is
possible („ALARP“) 

D: Acceptable risk Ensure that risk is maintained at 
this low level

Figure 2: Synthetic Risk Matrix with typical features from matrices shared in the working group 

3.1 Consequence Categories 

Though some companies define consequence categories for the fields of human health, environmental 
damage, financial loss and publicity, the example in figure 2 is limited to definitions in the field of human health 
because this field is the lead category and represented in every risk matrix shared in the working group. The 
matrices discussed in the group had between 3 – 6 consequence categories. A lower number is the result of a 
lower degree of differentiation, e.g. one or more fatalities condensed into one category. A higher number is 
achieved by a stronger differentiation, e.g. between onsite and offsite effects. In this case the same effect 
occurring offsite is classified one level more severe compared to the same effect occurring onsite. 

3.2 Frequency Categories 

The example matrix has 7 frequency categories, while for the matrices in the working group this number 
varied from 5 to 7. Each category comprises one order of magnitude. The most typical definition is the range 
between 2 powers of 10, as shown in the example matrix (e.g. 10-4/yr – 10-3/yr). The definition as full power of 

39



10, e.g. 10-3/yr or 10-2/yr with rounding of all intermediate values is also occasionally used. Mathematically this 
means a shift of half an order of magnitude on the frequency scale. 3 of the matrices represented in table 2 
(chapter 3.5) use full powers of 10 for definition of frequency categories. Due to this shift of the frequency 
scale the variation of the limit values in the “Unacceptable above” column (between 10-4/yr and 10-3/yr) is 
reduced for these 3 matrices from one order of magnitude to half an order of magnitude. 

3.3 Risk Levels 

3 risk levels are required as minimum to allow classification of a risk as “acceptable”, “tolerable/ALARP” or 
“unacceptable”. Due to additional differentiation within the “tolerable” and “unacceptable” range the matrices 
discussed in the working group had between 3 and 6 risk levels. An integral element of each risk matrix is a 
description of the risk levels with definition of the required measures for risk reduction. In most cases the 
required measures were described in a general way (e.g. starting in the “unacceptable” range, reduce the risk 
to reach at least the “tolerable/ALARP” range). This general requirement leaves flexibility in the selection of 
the risk reduction measures. A few companies define the required quality of the safeguards very precisely for 
each risk level (e.g. SIL 2 or SIL 3). 
For the ALARP level, most of the participating companies did not have clear financial criteria for ALARP being 
fulfilled or not fulfilled. 

3.4 Modifiers and Enabling Condition 

A conditional modifier is a probability factor expressing the possibility that a chain of events can end up with 
different consequences, e.g. probability of presence of people or ignition source (CCPS 2014). In a similar 
way enabling conditions reflect that some scenarios can only occur under special operating conditions or 
circumstances. E.g. a cooling failure during a batch process can only lead to a runaway, if it occurs during the 
exothermic reaction step, but not during the less hazardous workup. Though originally introduced as element 
of LOPA, conditional modifiers and enabling conditions are also applied by other SQRA approaches. 
These tools allow a higher accuracy in the assessment of frequency and risk of a scenario. But if applied 
incorrectly, there is the possibility of assessing a risk as too low. For this reason conditional modifiers and 
enabling conditions are used only by part of the participating companies. See also Gowland 2009 in a critical 
review on the Buncefield fire. 
We conducted a survey among the members of the working group on the use of modifiers and enabling 
conditions with the following results: 

 8 companies participated in the survey
 4 companies use modifiers and enabling conditions
 4 companies do not use these tools

The most frequent applications of these tools are: 
 Presence of people
 Probability of ignition
 Campaign production of different products with higher and lower risk

Reasons given for not using these tools are: 
 Be on the conservative side
 Keep SQ risk assessment as simple as possible

3.5 Risk Acceptance Criteria 

A key factor for the risk level obtained by application of a risk matrix are the risk acceptance criteria. 
Considering one specific consequence category of a matrix, the risk acceptance criteria can be described as 
the limit between the “Unacceptable” and “Tolerable/ALARP” and between the “Tolerable/ALARP” and 
“Acceptable” region. To facilitate a comparison of different matrices of the working group, a reference scenario 
involving 1 fatality as consequence category was chosen. The frequencies defining the “Unacceptable” (red) 
and “Acceptable” (green) range for all matrices shared in the working group were compiled in table 2. The 
“Tolerable” (yellow) range is simply the area between the red and green range, therefore no column for these 
values was included into the table. 
Table 2 shows that the “Unacceptable” range for most matrices starts at 10-4/yr with 2 exceptions at 10-3/yr 
and one matrix with limits of 10-4/yr or 10-5/yr depending on the raw risk. Considering the risk levels obtained 
by use of the matrices, this variation is further decreased by the application rules, mainly the use of modifiers 
and assumptions for initial event frequencies. These factors and the target frequencies in table 2 often act in 
opposite directions. This can be illustrated in an example: 

 Matrix A: Unacceptable range above 10-4/yr (conservative), use of modifiers allowed (less
conservative) 

 Matrix B: Unacceptable range above 10-3/yr (less conservative), no use of modifiers (conservative)

40



For both matrices A and B the two factors “target frequency” and “use of modifiers” are a combination of one 
conservative and one less conservative design element, so that the gap which must be closed by a safeguard 
(i.e. the required quality of the countermeasure), is very similar or equal for both matrices.  
It should be noted that 3 matrices do not give a value for the “Acceptable” (green) range, thus expressing that 
fatalities are never acceptable. The values given in bracket either indicate the limit of the matrix on the low 
frequency side or a value used for practical application. 

Table 2: Frequencies for “Acceptable” and “Unacceptable” range in the matrices of the working group for a 
reference scenario “1 Fatality” 

Matrix No. Acceptable at or below 
(1/yr) 

Unacceptable above 
 (1/yr) 

Remarks 

1 10-6 10-4

2 10-4 10-3

3 (10-6) 10-4 No Acceptable range for fatalities. 
4 10-7 10-4

5 (10-6) 10-4 No Acceptable range for fatalities 
6 (10-5) 10-4 or 10-5 No acceptable range for fatalities. 

Unacceptable limit depends upon raw risk. 
7 10-6 10-4

8 10-6 10-3

4. Example for Risk Assessment and SIL Rating

All members of the working group were asked to apply their company specific risk matrix to an example case 
for risk assessment and SIL rating. The objective was to get a realistic information on the risk levels obtained 
by application of the matrices with the influence of the various factors discussed in chapter 3.5. The process 
section used for this purpose is represented in figure 3. It had been used previously by the ProcessNet 
working group for a similar purpose (ProcessNet 2017). 

Figure 3: Example for Risk Assessment and SIL-Rating used for comparison of risk matrices 

Short process description: 
Feed (C1 – C5 hydrocarbons, 26 barg, -50 °C, 100 t/h) is heated and transferred into separation vessel D01 (7 
barg and 5 °C). The gas phase leaves the vessel via PC01, the liquid phase via LC01. 

41



Hazards: 
• TS02 (LL) protects D01 from too low temperature (brittleness, loss of containment)
• PS03 (HH) protects D01 from too high pressure (loss of containment)
• 2 design cases for PSV:

o Variant 1: PSV is sized for maximum feed
o Variant 2: PSV is sized only for fire case and leaking XV01

The results of the SIL rating of the E&I devices TS02 and PS03 (variant 1 and 2) are shown in Table 3. 

Table 3: Results of SIL rating for Example case represented in figure 3 

Results for TS02(LL)  Results for PS03 (HH) 
Variant 1 

Results for PS03 (HH) 
Variant 2 

SIL 1 /No SIL 0 SIL 1/No SIL 5 SIL 1/No SIL 0 
SIL 2 1 SIL 2 1 SIL 2 1 
SIL 3 6 SIL3 1 SIL3 6 

7 companies participated in the survey. The numbers in the table indicate how many participants required the 
respective qualities of the safeguards. As some companies use DCS based interlocks instead of SIL 1 
devices, both categories were counted in one group.  
Most participants arrived at the same results. For TS02(LL) and PS03(HH) variant 2 there was only one 
exception differing by one order of magnitude. For PS03(HH) variant 1 there were 2 deviating results. The 
prominent SIL 3 requirement could be explained by the fact that the participant preferred an inherently safe 
approach for this kind of process. The high proportion of consistent results confirms that the factors discussed 
in chapter 3.5 in many cases compensate each other while the remaining differences can be explained by 
assumptions required for the risk assessment (e.g. number of fatalities as consequence of the scenario, initial 
event frequency etc.). 
The results in Table 2 allow the summarizing assessment that the safety levels obtained with the risk matrices 
of the working group members are comparable and differ only to an extent that can be expected by application 
of a semiquantitative tool. 

5. Conclusions

Comparison of the risk matrices shared by working group members showed that the risk acceptance criteria 
for one fatality as reference scenario differed only by one order of magnitude. The degree of agreement was 
still greater with the application of the matrices to an example case for risk assessment and SIL rating. The 
reason for this is that the other important factors influencing the risk level – use of modifiers and assumptions 
for initial event frequencies – often act in opposite directions. Thus design and application rules of most 
matrices are an interaction of more and less conservative elements which balance out to consistent risk levels 
differing only by one order of magnitude. These remaining differences are limited to an extent that can be 
expected with a semiquantitative tool. This allows the conclusion that use of semiquantitative risk analysis as 
described in chapter 1 and practised by the working group members yields a consistent risk level and is well 
suited for risk assessment in the chemical and petrochemical industry. 

References 

CCPS (Center for Chemical Process Safety), 2001, Layer of Protection Analysis – Simplified Process Risk 
Assessment, AIChE, New York, NY 

CCPS (Center for Chemical Process Safety), 2014, Guidelines for Enabling Conditions and Conditional 
Modifiers in Layer of Protection Analysis, Wiley, New York, NY 

ProcessNet, 2017, Ergebnispapier “Methodenvergleich zur SIL-Klassifizierung”, DECHEMA, Frankfurt am 
Main 

Gowland R., 2009, The Buncefield Fire and Explosion: Improving Layer of Protection Analysis Practise to 
Determine the Required Degree of Protection to Meet Regulator Requirements, Conference Paper AIChE 
Spring National Meeting 

42