Microsoft Word - 1.docx CHEMICAL ENGINEERING TRANSACTIONS VOL. 77, 2019 A publication of The Italian Association of Chemical Engineering Online at www.cetjournal.it Guest Editors: Genserik Reniers, Bruno Fabiano Copyright © 2019, AIDIC Servizi S.r.l. ISBN 978-88-95608-74-7; ISSN 2283-9216 Overcoming Risk Assessment Limitations for Potential Fires in a Multi-Occupancy Building Jaime E. Cadenaa,*, Juan Hidalgoa, Cristian Maluka, David Langea, Jose L. Torerob, Andrés F. Osorioa aSchool of Civil Engineering, The University of Queensland, St. Lucia, Queensland, Australia bSchool of Engineering, The University of Maryland, College Park, Maryland, United States je.cadena@uq.edu.au Decision-making under risk has been a key issue in systems with a potential for major losses such as chemical process industries (Bhopal - 1984, Toulouse - 2001) or high occupancy buildings (World Trade Center - 2001, Grenfell Tower - 2017). For the past decades, engineering disciplines have supported risk management decision-making through the implementation of risk assessments using quantitative approaches. The popularity of this approach relates to the quantitative definition of risk given by Kaplan in 1981, who decomposed risk into a set of scenarios, probability of occurrence and consequences. Recently, research on quantitative risk assessments (QRA) has reported key limitations on identifying the set of scenarios and estimating their probability of occurrence. These limitations may lead to uncertainties of up to three orders of magnitude that affect the QRA’s ability of delivering reliable information to stakeholders. This research uses an alternative definition of risk and applies it to a case study of a multi-occupancy building in the event of a fire. The proposed approach quantifies the maximum damage potential (MDP) of the system when all the active safety measures are allowed to fail, even those with low failure frequencies. The system’s MDP is compared to its maximum allowable damage (MAD), which is previously defined by the stakeholders. This approach allows defining design modifications and operational rules aiding the development of the building’s fire safety strategy. Finally, a comparison between the obtained results and a typical QRA is used to comment on the suitability of the proposed approach when evaluating risk in complex systems. 1. Introduction Deviations from normal operation can generate events in which the system’s hazards can lead to loss of life, environmental damage, economical loss and negative reputation among others. In simple terms, risk represents potential losses, the uncertainty associated to them occurring and the extent of their severity. There is no consensus on the definition of risk, resulting in multiple definitions within the engineering context (Aven, 2009). ISO 31000:2018 defines risk as the effect of uncertainty on achieving one’s objectives. A quantitative definition of risk was proposed in 1981 by Kaplan and Garrick (Kaplan, 1981). This definition set the basis for quantitative risk assessments (QRA), which were first used in nuclear safety, later adopted by chemical process safety and nowadays applied to fire safety analyses in the built environment. In order to quantify risk Kaplan decomposed it into three elements: scenarios, consequences and probabilities. The main issue of this quantitative definition is the lack of knowledge in each one of these elements, the failure modes of complex systems, the capacity to accurately estimate the consequences and the lack of statistical data for failure frequencies. This lack of knowledge can include “unknown unknowns” (Beard, 2004), which by definition cannot be identified nor properly managed. An incomplete knowledge of the system and its consequences implies that a numerical measure of risks might not reflect proper uncertainty margins unless when benchmarking exercises are performed. This and other key concerns regarding QRA and the probabilistic framework on which it is built are highlighted by practitioners and researchers (Aven, 2018, Goertland, 2018). Furthermore, benchmarking exercises have revealed margins of two to three orders of magnitude (Goertland et al, 2016). These large margins reflect the potential of QRA to fail at effectively DOI: 10.3303/CET1977078 Paper Received: 31 January 2019; Revised: 14 April 2019; Accepted: 14 July 2019 Please cite this article as: Cadena J., Hidalgo J., Maluk C., Lange D., Torero J., Osorio A., 2019, Overcoming risk assessment limitations for potential fires in a multi-occupancy building, Chemical Engineering Transactions, 77, 463-468 DOI:10.3303/CET1977078 463 supporting the decision-making processes. In some areas, such as fire safety, traditional QRA approaches might be fatally limited by lack of knowledge. This paper comments on the need of an alternative methodology for quantitative risk analysis that can be applied to innovative or highly complex systems in which traditional QRA approach may result in limited applicability and proposes an alternate approach based on the concept of maximum allowable damage. The alternative methodology is illustrated through an evaluation of fire safety risk in a multi-occupancy building. Results from alternative framework are compared to QRA results and are used to comment on the proposed methodology and its future development. 2. The need for an alternative framework Truly Innovative systems are complex and full characterization of their failure modes and associated failure statistics is rarely available in the design stage. The lack of characterization may be a result of lack of knowledge of the system or lack of expertise from designers. Quantitative assessments based on scenarios, probabilities and consequences might be limited at providing information with an acceptable level of uncertainty that effectively supports decision making. To overcome such limitation, an alternative risk definition has been put forward: “risk is the uncertainty about and severity of the events and consequences (or outcomes) of an activity with respect to something that humans value” (Aven, 2009, 2016). With this definition, uncertainty can be described by means that go beyond probability like qualitative descriptions or fuzzy sets (Shortridge et al, 2017, Dubois, 2010). Although these alternatives for describing uncertainty present challenges due to their complexity and their less frequent use compared to probabilities, they offer the possibility of constructing alternative frameworks for generating knowledge about risks. Knowledge generation is the real value and contribution of risk assessment to the decision-making processes, as stated by Aven (Aven, 2018). In this regard systems with limited knowledge of their failure modes and associated frequencies can benefit from an alternative risk quantification approaches that generate knowledge capable of supporting effective risk management. This document presents a framework under current development based on the concept of maximum allowable damage (MAD). The central idea of this framework is that any system has a damage potential related to its nature and hazards. In this work the damage potential does not depend on the probability of a particular sequence of events occurring, but on the variables that define whether the system can withstand the effects of an event. Mapping the damage potential of a system can be used to determine the maximum damage potential (MDP) and an acceptable level of damage (MAD). Acceptance of the system performance is based on the MDP not exceeding MAD. This informs decision making without relying on a probabilistic description. The steps of the methodology are presented in Figure 1. Stakeholders will initially establish safety objectives and the corresponding MAD criteria. The selection of the MAD criteria is not part of this discussion, as this is the result of a socio-technical discussion among stakeholders. The reader is encouraged to consult available research on the matter such as the hierarchical structure of acceptance criteria formulated by Van Coile (Van Coile et al, 2018). Figure 1. Steps of the Maximum Allowable Damage (MAD) methodology Once the MAD criteria is defined by the stakeholders, analysts will determine the performance of the system related to the effects of an event. This implies a systematic process for identifying and analysing the variables related to the system’s performance. This process is called variable classification and yields the variables with the highest impact to the damage potential as well as the nature of the uncertainty associated to them (aleatory or epistemic). The next step consists of performance evaluation by means of a damage function that is specific to the system and the effects of the event. The damage function allows evaluating the system’s performance for any combination of variables. Results from the damage function can then be compared to the MAD criteria to determine which combinations of variables satisfy the MAD criteria. At this point the acceptance criteria may be further restricted depending on the risk aversion of stakeholders. The example in Figure 2 uses a system in which damage is described by a function that depends on two variables (V1 and V2). Evaluation of the system performance is shown in Figure 2a and application of the MAD criteria will result in Figure 2b. The area enclosed in Figure 2b represent the combination of values that will result in an acceptable Safety objectives Maximum Allowable Damage Definition of performance Damage potential assessment Performance evaluation Decision- making Design modification / Operating rules 464 performance. This area will only inform which combination of variables will result in an acceptable level of performance and which ones not. Figure 2. Graphic representation of: a) Damage Potential, b) Maximum Allowable Damage Once the damage potential is assessed and limited using the MAD, the next step is evaluating the system’s performance. To do this, a feasible range for both the variables involved is identified (Figure 3a). In the example, all values of V2 yield an acceptable performance, whereas V1 includes values in which the performance is unacceptable. Identification of the range of values in which V1 does not yield and acceptable performance may be used to support the decision of limiting operation of the system below a certain V1 value. Restricting the value of V1 to those that only result in acceptable criteria is illustrated in Figure 3b. The main output of the methodology is information regarding the damage that the system can effectively withstand. The practice of variables classification step provides a trail of evidence that explicitly presents and describes the uncertainty associated to each variable and its possible values. Variables classification also supports peer review and audit processes that further benefit the decision-making process. Figure 3. Damage potential with a) unacceptable and b) acceptable performance after decision-making 3. Case-study: Fire in a multi-occupancy office building Fires are complex events involving multiple length and time scales. For example, time scales associated with the detection of a fire a much smaller than those associated with the safe evacuation of building and even those are short compared to the periods required for structural performance during a fire. In a typical QRA the fire safety is evaluated using a set of fire scenarios called design fires. Highly standardized systems such as chemical process plants can be reduced to a few scenarios, due to well-known failure modes (and therefore scenarios), making a QRA suitable as long as trusted occurrence frequencies are available. Given the interaction between occupants and the building itself, the set of scenarios that might lead to a fire is vastly larger than in a chemical plant. This complexity means that although the probability of a single scenario might tend to zero, the sum of the probability of all the possible fire scenarios throughout the system’s life-cycle tends to one. The fact that any kind of fire can be expected during the lifetime is the main reason to implement the MAD methodology in the analysis of the fire safety of a multi-occupancy office building. The building has ten levels divided into two carpark levels, a single ground-retail level and seven office levels. The occupancy amounts to 702 people and the features of the building include an entrance for the first carpark level, a ramp that joins the two carpark levels, an atrium joining the top two office levels and a single V2 V1 Damage potential V2 V1 MAD MAD, increased risk aversion , V2 V1 Feasible values of V2 New feasible values of V1 V1-new Acceptable performance V1-init ial V2 V1 Feasible values of V2 Feasible values of V1 Unacceptable Maximum Damage Potential 465 staircase without pressurization. The single exit of the staircase is located in the ground level despite not being connected to it. The ground level works as a single compartment with three different exits independent from the staircase and the rest of compartments in the building. This building was subjected to a typical Quantitative Risk Assessment, using societal risk curves to explicitly demonstrate whether the design is safe or not. The QRA was performed using Event Tree Analyses for each level, based on a set of safety measures which included: 1) Early detection by occupants; 2) Extinguishment by occupants; 3) Smouldering of the fire; 4) Activation of fire alarm (heat detector for carparks); 5) Initiation of evacuation protocol; 6) Operation of the smoke doors in the staircase. The proper function or failure of these measures led to 16 scenarios per level, ranging from minor damage due to early extinguishment to impaired evacuation and major loss of life. Each of the scenarios has its probability quantified based on fire occurrence frequencies in office buildings as reported by Tillander (2004) and the judgment of the probability of the barriers correctly performing. In order to judge these probabilities, the expertise of the authors was used as well as the considerations given by Ramachandran (2011). The consequences of each scenario were estimated using CFAST (Peacock et. al. 2017) for a defined set of fire scenarios. The risk curve (assumption 1) in Figure 4 presents the societal risk curve obtained from the quantification of a total of 45 scenarios that take into account the origination of fire in all the ten levels of the building. This risk curve is compared to the R2P2 societal risk criteria of the UK revealing that the design is not safe enough for its intended use. It must be noted that the result obtained from the QRA follows specific conditions and actions related to the scenarios identified and a set of subjective probabilities used for the failure on demand of the safety measures. The result of the QRA does not reflect uncertainty margins since no benchmarking exercise was conducted. However, the variability of the results can be observed as the assumptions of the fault trees are modified as per Table 1 resulting in the additional risk curves (assumption 2 and 3) presented in Figure 4. With these assumptions, which are at the discretion of the analyst, the individual risk index can vary up to 60%. Figure 4. Societal curve resulting from the quantification of fire scenarios Table 1: Effect of assumptions on resulting risk curve Assumption setEarly detection Correct evacuationFire doors functionIndividual risk [fatalities/year] 1 3.58 2 X X 1.32 (-63%) 3 X X 1.47 (-59%) Following the concerns expressed in Section 1 regarding QRAs and the proposal for an alternative presented in Section 2, the MAD methodology was implemented in the building. The aim was contrasting the results of the QRA with the ones with the MAD methodology and explore the differences on the subsequent decision- making processes. This is of particular interest, since in the latter there is no regard for probabilities of failure and all safety measures are assumed to fail, e.g. all fire doors are considered opened during the occurrence of a fire. Implementing the MAD methodology begins with the safety objective of achieving safe evacuation of occupants in case of a fire. Given the need to ensure the safe evacuation, the MAD criterion is defined based on two quantities: the available safety egress time (ASET) and the required safety egress time (RSET). Although criticism to the ASET/RSET has been reported by Babruskas et. al. (2010), the MAD methodology provides a general framework for assessing risk while explicitly stating the limitations, uncertainties and assumptions. The limitations associated to this approach are recorded during the variables classification step. In this case, the ASET/RSET ratio is initially set to one (1), meaning that evacuation time for occupants from the room of fire origin should be equal to the time to reach untenable conditions within the room of fire origin. Higher risk aversion from the stakeholders will require increasing the ASET/RSET ratio beyond unity. 1.E-05 1.E-04 1.E-03 1.E-02 1.E-01 1 10 100 1000 Fr eq ue nc y [1 /y ea r] Los s [cas ual ties ] Risk curve (assumption 1) Risk curve (assumption 2) Risk curve (assumption 3) ALARP (R2P2 UK) 466 The variable classification step identified 36 variables as shown in Table 2. Identification and classification of the variables also required an iterative peer-reviewed process in order to obtain the relevant variables with an associated least conservative value, as well as the relevant variables that cannot not take a single discrete value. The latter are the heat release rate per unit area (HRRPUA) of the fuel, the fire growth rate given an alpha t-squared type of growth (alpha) and the soot yield. The ranges in which these variables vary define the extent of the damage potential, and were initially defined through literature review of risk assessments of similar systems (M. J. Hurley, 2016). Drawing a parallel to the probabilistic framework, these ranges represent a uniform probability distribution function and allow evaluating the damage potential independent on how likely or unlikely they may be. The damage potential of the system is evaluated using a set of engineering tools to estimate ASET and RSET. A zones model is used to describe the fire and subsequent smoke evolution with time. The model used in this case is the Consolidated Model of Fire and Smoke Transport or CFAST (Peacock, 2017) and the discrete values established for the remaining 23 relevant variables are used to define the simulations. Combinations of HRRPUA, alpha and soot yield were used to assess the damage potential of the building. Model results are used to obtain the ASET/RSET ratios and determine the performance of the system. Following the example presented in Section 2, the damage potential for level B2 corresponding to the first carpark level is plotted for alpha and soot yield, while fixing a value for HRRPUA (Figure 5). In this result, the reference value for a car fire growth rate is also plotted (Nilsson et. al., 2014). Table 2: Variable classification summary Category of variables Number of variables Relevant variables Relevant variables with working range Example Safety goals 2 2 - Vulnerable element(s) Building characteristics 7 4 - Location of fire in the building Fuel 8 4 2 Heat of combustion Fire dynamics 5 2 1 Fire growth type/rate ASET criteria 2 2 - Smoke layer height for zero exposure RSET criteria 12 12 - Occupants displacement speed Total =36 26 3 Figure 5. Damage assessment and performance evaluation 4. Conclusions and perspectives The main issues regarding QRAs and the probabilistic framework on which they depend have been presented through a literature review and the consideration of a wider definition of risk. In this definition uncertainty is described beyond probabilities, which is key for highly complex systems where failure modes and their probabilities are unknown. To deal with these cases, an acceptance criteria for the potential damage within the system is used, called Maximum Allowable Damage (MAD). This acceptance criteria allows evaluating the system’s performance over a wide range of possible conditions and determining whether it is acceptable or not. In order to understand the system’s performance, it is necessary to define the inputs and their role in the uncertainty of the assessment. The proposed methodology does this through a systematic revision of all the variables with the potential to influence the system’s performance in a process called variable classification. From this process, variables are classified in three groups: relevant variables with a possible range of values, Level= B2 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 Ysoot 10-4 10-3 10-2 10-1 100 ASET/RSET = 1 ASET/RSET = 2 ASET/RSET = 3 Car fire (0.017 kW/m2) HRRPUA = 25 kW/m2 467 relevant variables with fixed conservative values and irrelevant variables. Using the relevant variables as inputs for engineering models, the system’s performance is described and can then be evaluated against MAD. Mapping of the system’s performance using the relevant variables is used to identify conditions in which the system’s damage exceeds the MAD. In addition to identifying conditions with unacceptable performance, the MAD methodology also provides information on the variables that need to be modified to achieve an acceptable performance. The MAD methodology through the use of variable classification provides information about the system’s performance and the confidence of the results. The proposed methodology is a consequence-centered conservative approach, which provides clear limits of the damage that the system can withstand. An analysis of the fire safety of a multi-occupancy building was used to exemplify the proposed methodology and compare its outcomes to those of a typical QRA. In this case study the acceptance criteria required guaranteeing the life-safety of the building occupants. In fire safety engineering terms this requires that the time associated with the evacuation of the building is at least equal to the time for reaching untenable conditions, ASET/RSET=1. After variable classification, the system’s performance was mapped using three relevant variables: fire growth rate, heat release rate per unit area and soot yield. Results shows that for the range of conditions considered the system’s performance was satisfactory. However, restrictions to the ratio of the egress time to time to reach untenable conditions, e.g. ASET/RSET>1, will result in unacceptable performance for certain conditions. A direct comparison of a typical QRA to the results of the MAD methodology can be misleading, due to the difference in their nature. QRA allows quantifying a risk index based on safety measures performance, while the MAD methodology seeks understanding the system’s performance assuming a conservative scenario in which all the safety measures that may fail, are allowed to fail. Another reason why the comparison can be misleading is the difference in the definition of the acceptance criteria. Whereas in QRAs the acceptance criteria is provided by regulating bodies, the MAD criteria is based on an explicit quantification of the system’s performance. The MAD methodology is not meant to replace QRAs or other risk assessment methodologies, but instead it complements them. Instead it provides an alternative for generating risk knowledge in complex systems in which failure frequency data or failure modes knowledge is limited. References Aven, T., Renn, O., 2009, On risk defined as an event where the outcome is uncertain, Journal of Risk Research, 12(1), 1-11. Aven, T., 2016, Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1-13. Aven, T., 2018, An Emerging New Risk Analysis Science: Foundations and Implications, Risk Analysis, 38(5), 876-888. Babruskas, V., Fleming, J. M., Don Russell, B., 2010, RSET/ASET, a flawed concept for fire safety assessment, Fire and Materials, 34, 341-355. Beard, A.N., 2004, Risk assessment assumptions, Civil Engineering and Environmental Systems, 21(1), 19- 31. Dubois, D., 2010, Representation, Propagation, and Decision Issues in Risk Analysis Under Incomplete Probabilistic Information, Risk Analysis, 30(3), 361-368. Goerlandt, F., N. Khakzad, G. Reniers, 2016, Validity and validation of safety-related quantitative risk analysis: A review. Safety Science, 99B, 127-139. Goerlandt, F., G. Reniers, 2018, Prediction in a risk analysis context: Implications for selecting a risk perspective in practical applications, Safety Science, 101, 344-351. Hurley, M.J., Frantzich, H., 2016, SFPE handbook of fire protection engineering, Chapter 85 - Health Care Application of Quantitative Fire Risk Analysis, Springer, New York, United States Kaplan, S. and B.J. Garrick, 1981, On The Quantitative Definition of Risk, Risk Analysis, 1(1), 11-27 Nilsson, M., N.J., P. Van Hees, 2014, A New Method for Quantifying Fire Growth Rates Using Statistical and Empirical Data – Applied to Determine the Effect of Arson Fire Safety Science-Proceedings of the Eleventh International Symposium,517-530. Richard D. Peacock, P.A.R., Glenn P. Forney, 2017, CFAST – Consolidated Model of Fire Growth and Smoke Transport, Volume 2: User’s Guide. Ramachandran, G., 2011, Quantitative risk assessment in fire safety, Spon Press, London, UK. Shortridge, J., T. Aven, and S. Guikema, 2017, Risk assessment under deep uncertainty: A methodological comparison, Reliability Engineering & System Safety, 159, 12-23. Tillander, K., 2004, Utilisation of statistics to assess fire risks in buildings, V. Publications, VTT: Espoo. Van Coile, R., et al., 2018, The Need for Hierarchies of Acceptance Criteria for Probabilistic Risk Assessments in Fire Engineering. Fire Technology. 468