Microsoft Word - 1.docx


 CHEMICAL ENGINEERING TRANSACTIONS  
 

VOL. 77, 2019 

A publication of 

 
The Italian Association 

of Chemical Engineering 
Online at www.cetjournal.it 

Guest Editors: Genserik Reniers, Bruno Fabiano 
Copyright © 2019, AIDIC Servizi S.r.l. 
ISBN 978-88-95608-74-7; ISSN 2283-9216 

Risk-based Vulnerability Analysis of Chemical Facilities   
Affected by Flooding 

Alessio Misuria, Gabriele Landuccib,c, Simone Vivarellia, Sarah Bonvicinia, Valerio 
Cozzania,* 
a
Department of Civil, Chemical, Environmental, and Materials Engineering, University of Bologna, Bologna, Italy 

b
 Department of Civil and Industrial Engineering, University of Pisa, Pisa, Italy 

c
 Institute of Security and Global Affairs, Faculty of Governance and Global Affairs, Leiden University, Den Haag, the 

Netherlands 
valerio.cozzani@unibo.it 

Flooding may affect chemical facilities leading to major accidents (fires, explosions, contamination), following 
damages to structures and equipment. This type of accident is indicated as a “natural-technological” (Natech) 
event and occurred in the past, often leading to severe accidental scenarios. Recent studies allowed 
developing a specific methodology aimed at including Natech scenarios triggered by flooding into Quantitative 
Risk Assessment (QRA) analyses for chemical facilities. The methodology relies on the use of specific fragility 
models for the evaluation of failure probability of process units affected by flooding. Despite these models 
consider different types of equipment geometries and flooding conditions, they do not account for the 
presence of safety barriers (e.g., fire-protection systems, bunds, blanketing system). In the present work, the 
previously developed QRA methodology is improved in order to provide a risk-based vulnerability analysis of 
Natech scenarios induced by severe flooding taking into account the presence of safety barriers. The 
methodology is improved by including the availability assessment of safety barriers based on the possibility 
the systems have been impacted by the flood. A tailored Failure Mode and Effect and Criticality Analysis 
(FMECA) is presented for assessing the damages to safety barriers resulting from flooding events. As an 
example, the analysis of an important safety barrier through the FMECA approach is presented. The study 
shows an example of both risk informed decision-making concerning protection systems and development of 
new criteria for the assessment of safety barrier failure in case of natural hazards. 

1. Introduction 

In recent years, the possibility of natural hazards affecting chemical and process facilities has become of great 
concern among both industry and academia (Showalter, Myers, 1994). The reasons of this growing interest 
are manifold. Chemical and process industries indeed handle significant quantities of hazardous substances, 
which can lead to dangerous outcomes in case of release. Natural events impacting on process facilities may 
cause both direct damages to assets and trigger technological scenarios involving chemical substances. 
These scenarios in technical literature are usually referred to as “natural-technological” (Natech) (Krausmann 
et al., 2017). Natech accidents are characterized by exacerbated consequences possibly caused by multiple 
simultaneous failures and by accident propagation to nearby structures, i.e., domino effect (Cozzani et al., 
2014). For example, during the Tohoku Earthquake that hit Japan in 2011, a disastrous Natech accident 
involved a LPG (liquefied petroleum gas) storage farm: the structural collapse of a tank caused damages to 
nearby tanks, and the release of flammable material led to multiple massive explosions, which in turn triggered 
fires in adjacent petrochemical plants (Krausmann and Cruz, 2013). Floods constitute a potential trigger for 
multiple failures as well. During San Jacinto River flood, US 1994, several hydrocarbon pipelines ruptured and 
multiple severe spills were experienced in the affected area (NTSB, 1996). Operator intervention was 
hampered, and accessing manual interruption valves was impossible because of floodwater.  

                                

 
 

 

 
   

                                                  
DOI: 10.3303/CET1977088 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Paper Received: 31 January 2019; Revised: 14 May 2019; Accepted: 28  June  2019 

Please cite this article as: Misuri A., Landucci G., Vivarelli S., Bonvicini S., Cozzani V., 2019, Risk-based Vulnerability Analysis of Chemical 
Facilities   Affected by Flooding, Chemical Engineering Transactions, 77, 523-528  DOI:10.3303/CET1977088  

523



Moreover, the frequency of such natural hazards (i.e., in particular floods and droughts) is expected to grow 
because of climate change and disaster related economic damages are reported to be increasing, thus the 
likelihood of high magnitude Natech scenarios is consequently expected to grow as well (Cruz et al., 2006).  
A number of methodologies have been proposed for assessing the risk posed by Natech to process facilities. 
Among the others is worth mentioning the methodologies aimed at including Natech assessment into the 
framework of the well-established Quantitative Risk Assessment (QRA). The first attempts have been carried 
out by Antonioni et al. (2007, 2009), based on observational equipment fragility models. Physical models for 
equipment failure in case of flooding have been later developed for atmospheric tanks (Landucci et al., 2012) 
and pressurized vessels (Landucci et al., 2014) and included in the most recent QRA process (Cozzani et al., 
2014). A common gap in current methodologies is that the assessment is usually carried out without 
considering the presence of safety barriers. Safety barriers are devices intended for the prevention or 
mitigation of accident scenarios. Safety barriers have the potential to play a key role in limiting accident 
probability and/or consequences. The aim of the present study is to include the role of safety barriers in 
assessing risk-based vulnerability of chemical and process plants impacted by flooding. The starting point was 
the QRA procedure extended to Natech scenarios caused by flooding proposed by Cozzani et al. (2014). As 
shown in Figure 1, the procedure was modified to include a step dedicated to the specific assessment of 
safety barriers in the presence of a natural event impacting on the facility. 

 

Figure 1: a) Procedure developed by Cozzani et al. (2014). b) Tailored procedure accounting for safety 
barriers. The barrier assessment is carried out in a dedicated parallel node (node 5b). 

This step is needed since floods (as other natural hazards) may heavily affect safety systems and related 
structures, potentially leading to unavailability of protection and to an increased vulnerability of the critical 
equipment. The failure modes of safety barriers are determined by their architecture, their dependence on 
lifelines, as well as by natural hazard features. It is clear the availability assessment needs to account for 

524



specificities related to the site and to the flood scenario. This assessment can be carried out seeking the 
credible failure modes of subsystems composing the safety barrier, as will be described in the following 
sections. 

2. Safety barriers 

In this section concise definitions are provided on safety barriers and safety functions, according to the 
protection layer concept (CCPS, 2001; Delvosalle et al., 2001), in order to provide an unambiguous reference 
for the purposes of the present study. Safety functions are technical solutions to be achieved in order to avoid, 
prevent or mitigate defined events. Safety functions are directly served by physical engineered systems or 
procedures, which are referred to as safety barriers. This definition is quite general, and safety barriers 
embrace a broad set of solutions, from fire protection systems to authority intervention in case of accident. In 
Table 1, a commonly accepted classification is reported, together with some examples. The Failure Mode and 
Effect and Criticality Analysis (FMECA) shown in Section 4 is focused on passive and active barriers, because 
estimating the effect of natural disasters on emergency/procedural barriers would be more complex and 
should consider stress on emergency teams, which is likely to enhance human error during crisis scenarios 
(Steinberg and Cruz, 2004).  

Table 1: Summary of safety barriers types adopted in process facilities. 

Classification  Description  Examples 
Passive barriers  Activation not needed; usually physical 

barriers. 
 PSV, Fireproofing, Catch Basins, Dikes, 

Sumps, Mounds; 
Active barriers  Activation is needed; complex systems

usually composed of detection,
treatment and actuation system. 

 Foam-water system, Firefighting water, 
Emergency Shutdown (ESD), Emergency 
Blowdown (EBD), Manual valves; 

Emergency or
Procedural barriers 

 Actuation of procedures and coordinate
actions by personnel or externals  

 Internal or External Emergency Plan, Fire 
Brigades, Emergency Teams; 

3. Case histories & lessons learned  

From the analysis of past accidents (a selection of events of particular relevance is presented in Table 2) 
some key lessons on safety barrier failure in case of natural hazards can be inferred.  

Table 2: Examples of case histories involving barrier failures 

Natural Event   Barrier Failure  Short Description  Reference 
Koaceli 
Earthquake, 1999 

 Firefighting water was not 
available; 
Foam-water system for 
vapour suppression 
unavailable; 

 Power outage: pumps could not be 
started.  
Water lifeline disruption caused by 
debris impact: water pressure loss, 
water supply unavailable. 

 (Steinberg 
and Cruz, 
2004) 

Koaceli 
Earthquake, 1999 

 Containment dikes failures;  Concrete dikes were damaged: liquid 
hazmat (acrylonitrile) spilt into the sea. 

 (Girgin, 2011)

Vltava River Flood, 
2002 

 Emergency retention sumps 
were flooded 

 Liquid hazmat (chlorine) could not be 
retained and spilt in air and water. 

 (eMars) 

Hurricane Harvey, 
2017 

 Chemical storage 
refrigeration system  
unavailable;  
Backup generators flooded; 
Emergency intervention 
after days; 

 Power outage: loss of refrigeration to 
peroxide storage. 
Backup generators were flooded:  
violent explosions arose.  
Emergency teams were strongly 
hindered by floodwaters. 

 (Additives for 
Polymers,  
2017) 

San Jacinto River 
Flood, 1994 

 Manual interruption valves 
flooded and inaccessible; 

 Floodwater height hampered the 
intervention of operators not allowing 
them reaching manual valves. 

 (NTSB, 1996)

Tohoku 
Earthquake and 
Tsunami, 2011 

 Backup power generators 
flooded; 

 Backup power generators were 
located in a swamped area and were 
flooded during tsunami. 

 (Labib and 
Harris, 2015)

It is worth remarking that unless standard specific requirements, usually barriers are not designed to withstand 
extreme natural events. It is clear from Table 2 that one of the main causes of vulnerability of safety barriers is 

525



power outage. In a recent research, Karagiannis et al. (2017) reported power outage in the totality of analysed 
flooding events, and in most seismic events. Even backup power generation cannot be relied on, according to 
case histories analysis. Location of safety barrier subsystems is fundamental as well: for example, position of 
pumps or backup power generators with respect to floodwater depth may determine their availability.  

4. Methodology 

A methodology was developed to assess the performance of safety barriers in the presence of flood events, in 
order to assess the actual probability of the final scenarios considering the role of safety barriers, as shown in 
Figure 1b. The methodology was based on the combination of FMECA and of past accident analysis. FMECA 
is an equipment-oriented technique for the identification of failures affecting the system capability to operate 
(Lees, 1996). FMECA was chosen compared to other hazard identification tools because it requires more 
limited information, and barrier failure is described qualitatively in the case histories. A flowchart of the 
methodology is shown in Figure 2a, while a Risk Matrix for Criticality evaluation is reported in Figure 2b. 
Failure criticality depends on the plausibility of the scenario and on the severity of damage. 

 

Figure 2: a) Flowchart for tailored FMECA; b) Risk Matrix for failure criticality assessment. 

Considering lessons learnt from past accident analysis, relevant factors were identified for making judgments 
on the impact of natural hazards. A part of the list is reported in the bottom-left node in Figure 2a. Starting 
from the list, failure modes of each subsystem are analysed and assigned of criticality scores. From criticality 
scores it is possible to make risk-informed decision on the state of each barrier. The tailored FMECA is 
conceived for complex systems, but can easily be applied to simpler systems such as passive barriers as well.  

5. Example of application: firefighting water network 

The methodology has been applied to the firefighting water network, which provides water to sprinkler system 
for fire extinguishment, and to water deluge system (WDS) to ensure critical equipment protection from fire 
(e.g., LPG vessels). Figure 3 shows a reference scheme retrieved from the analysis of commercial solutions. 

 

Figure 3: Reference scheme of firefighting water network. The system is connected to sprinklers and to WDS; 
LCP: local control panel. 

The system is composed of a water main feed tank, which is connected to the firefighting water distribution 
pipework. A signal processing unit is provided for triggering the activation of water pump and opening of 
valves in water pipework in case of fire detection. A jockey pump (also called pressurization pump) is installed 
to keep water pipework always in pressure, to ensure appropriate water ejection when nozzles open. It is likely 
that multiple pumps and multiple jockey pumps are present in real systems. However, in the reference scheme 
redundancies are not considered, as a conservative choice. Part of the results obtained through FMECA is 

526



presented in Table 3. It is worth noting that a too detailed decomposition of the system in subsystems is not 
needed for the aim of the present analysis. For each subsystem, plausible failure modes and effects are 
analysed with relative criticality scores, considering a generic flooding event with possible presence of debris. 

Table 3: A part of the table for firefighting water network obtained from FMECA. P = plausibility; S = severity; 
C = criticality. 

Subsystem  Failure mode  Local effect  Global effect  P  S C 
Intermediate 
water tank 

 Displacement  Rupture of connections, water loss  System Unavailable  2  3 6 
 Debris impact  Water loss, tank may remain empty System potentially 

unavailable  
 2  2 4 

Connection 
to water 
main 

 Damaged by
water velocity 

 Failure of connection to tank, water
loss, tank may remain empty 

 System potentially 
unavailable 

 1  3 3 

 Debris impact  Failure of connection to tank, water
loss, tank may remain empty 

 System potentially 
unavailable 

 2  2 4 

Pump  Flooded  Pump not working (electric motor)  System Unavailable  3  3 9 
 Power Outage  No power to pump motor   System Unavailable  4  3 12 

Water 
pipework 

 Damaged by
water velocity 

 Failure of connections, water
pressure loss 

 System potentially 
unavailable 

 2  2 4 

 Debris impact  Failure of connections, water
pressure loss 

 System potentially 
unavailable 

 2  2 4 

Local 
control 
panel (LCP) 

 Flooded  System not working, no signal to
pump 

 System Unavailable 
 2  3 6 

 Power Outage  System not working, no signal to
pump 

 System Unavailable 
 4  3 12 

Jockey 
pump 

 Flooded  Pump not working, water pressure
loss 

 System potentially 
unavailable 

 3  2 6 

 Power Outage  No power to pump motor, water
pressure loss 

 System potentially 
unavailable 

 4  2 8 

Signal 
processing 

 Power outage  System not working  System unavailable 
 4  3 12 

Considering the table obtained, it is clear that the main vulnerability of firefighting water network in case of 
flood is the dependence of pumps and control systems on power connection, which is usually not available in 
case of flood (Karagiannis et al., 2017). Thus, safety barriers connected to firefighting water network (such as 
WDS, sprinklers and foam-water based systems) should be considered unavailable during flooding scenarios: 
e.g., according to Cozzani et al. (2010), pieces of equipment mostly involved in flood-related failure are 
atmospheric tanks, while flammable hydrocarbons are the most frequently released substances. Thus, 
considering a LOC of flammable liquid, pool formation and pool fire over floodwater are possible scenarios 
(Cozzani et al., 2010). Fire has the potential to trigger domino effect, thus nearby LPG vessels are critical 
assets and are usually protected with WDS. As previously said, WDS should be considered unavailable, thus 
escalation of Natech accident is more likely with respect to the case of accident from conventional failure. This 
can be represented through the Event Tree (ET) reported in Figure 4. Conventional WDS Probability of Failure 
on Demand (PFD) and effectiveness (η) are PFD = 4.33e-2 and η=1, respectively (Landucci et al., 2016). 
Gate symbolism is the same as in (Landucci et al., 2016).   

 

Figure 4: Event Tree for Natech-domino accident triggered by flood. PFD for LPG protection WDS is reported 
in black (Landucci et al., 2016), while tailored PFD for WDS in case of flood is in red. BLEVE: boiling liquid 
expanding vapour explosion. See (Landucci et al., 2016) for gates definition. 

527



During flood-triggered scenarios, PFD should be considered unitary since the barrier relies on water supply 
from firefighting water network, which is not available because power outage is extremely likely. It is clear from 
the ET that the worst scenario (catastrophic failure of LPG vessel, with consequent BLEVE and fireball) results 
to be more probable, and that if WDS was evaluated unaffected by flood, the calculation would have led to 
underestimate worst scenario likelihood. 

6. Conclusions 

In the present study, the issue of taking into account safety barriers in Natech risk assessment is introduced 
with specific focus on floods. A short selection of case histories is presented, highlighting that safety barriers 
can be unavailable in case of natural hazards. Some failure patterns have been identified, and FMECA is 
presented for the safety barrier assessment, since they should not be taken for granted in case of complex 
scenarios, such as Natech accidents. In particular, natural hazards are likely to affect lifelines and power grid 
connection, impeding the activation of protection systems. The methodology is applied to the firefighting water 
network, showing its vulnerability to floods. It is demonstrated that considering WDS unaffected by flood would 
lead to underestimation of high consequence scenarios (i.e., domino scenario following Natech accident). 

References 

Additives for Polymers, 2017, Arkema’s Crosby peroxides plant suffers hurricane-related damage, DOI: 
10.1016/S0306-3747(17)30131-8 

Antonioni G., Bonvicini S., Spadoni G., Cozzani V., 2009, Development of a framework for the risk 
assessment of Na-Tech accidental events, Reliability Engineering and System Safety, 94, 1442-1450. 

Antonioni G., Spadoni G., Cozzani V., 2007, A methodology for the quantitative risk assessment of major 
accidents triggered by seismic events, Journal of Hazardous Materials, 147, 48-59. 

CCPS, Centre of Chemical Process Safety, 2001, Layer of protection analysis: simplified process risk 
assessment, AIChE, New York, NY. 

Cozzani V., Antonioni G., Landucci G., Tugnoli A., Bonvicini S., Spadoni G., 2014, Quantitative assessment of 
domino and NaTech scenarios in complex industrial areas, J. Loss Prev. Proc. Industries, 28, 10-22. 

Cruz A.M., Steinberg L.J., Vetere-Arellano A.L., 2006, Emerging Issues for Natech Disaster Risk Management 
in Europe, Journal of Risk Research, 9(5), 483-501. 

Delvosalle C., Fiévez C., Pipart A., 2004, Deliverable D.1.C. Report presenting the final version of the 
methodology for the identification of reference accident scenarios, Major Risk Research Centre, Mons, BE. 

Girgin S., 2011, The Natech events during the 17 August 1999 Koaceli earthquake: aftermath and lessons 
learned, Natural Hazards and Earth System Sciences, 11, 1129-1140. 

Labib A., Harris M.J., 2015, Learning how to learn from failures: The Fukushima nuclear disaster, Engineering 
Failure Analysis, 47, 117-128. 

Landucci G., Antonioni G., Tugnoli A., Cozzani V., 2012, Release of hazardous substances in flood events: 
Damage model for atmospheric storage tanks, Reliability Engineering and System Safety, 106, 200-216. 

Landucci G., Argenti F., Spadoni G., Cozzani V., 2016, Domino effect frequency assessment: The role of 
safety barriers, J. Loss Prev. Proc. Industries, 44, 706-717. 

Landucci G., Necci A., Antonioni G., Tugnoli A., Cozzani V., 2014, Release of hazardous substances in flood 
events: Damage model for horizontal cylindrical vessels, Reliability Eng. and System Safety, 132, 125-145. 

Lees F.P., 1996, Loss prevention in the process industries, 2
nd edition, Butterworth-Heinemann, Oxford, UK. 

Karagiannis G.M., Chondrogiannis S., Krausmann E., Turksezer Z.I., 2017, Power grid recovery after natural 
hazard impact, EUR 28844 EN, European Commission, Luxembourg. 

Krausmann E., Cruz A.M., 2013, Impact of the 11 March 2011, Great East Japan earthquake and tsunami on 
the chemical industry, Natural Hazards, 67, 811-828. 

Krausmann E., Cruz A.M., Salzano E., 2017, Natech Risk Assessment and Management, Reducing the Risk 
of Natural-Hazard Impact on Hazardous Installations, Elsevier, Amsterdam, NL. 

Major Accident Reporting System (eMars), European Commission, Major Accident Hazards Bureau 
<emars.jrc.ec.europa.eu/en/emars> accessed 01.09.2018. 

NTSB, 1996, Evaluation of Pipelines Failures During Flooding and of Spill Response Actions, San Jacinto 
River Near Houston, Texas, October 2014, Pipeline Special Investigation Report, National Transportation 
Safety Board, Washington, DC. 

Showalter P.S., Myers M.F., 1994, Natural Disasters in the United States as Release Agents of Oil, 
Chemicals, or Radiological Materials Between 1980-1989: Analysis and Recommendations, Risk Analysis, 
14(2), 169-182. 

Steinberg L.J., Cruz A.M., 2004, When Natural and Technological Disasters Collide: Lessons from the Turkey 
Earthquake of August 17, 1999, Natural Hazards Review, 2004, 5(3), 121-130. 

528