DOI: 10.3303/CET2291039
Paper Received: 19 January 2022; Revised: 10 April 2022; Accepted: 14 May 2022
Please cite this article as: Milazzo M.F., Bragatto P., Bartolozzi V., Vairo T., Fabiano B., 2022, Dynamic Assessment of the Probability of Release Caused by Equipment Deterioration, Chemical Engineering Transactions, 91, 229-234 DOI:10.3303/CET2291039

CHEMICAL ENGINEERING TRANSACTIONS VOL. 91, 2022
A publication of The Italian Association of Chemical Engineering
Online at www.cetjournal.it
Guest Editors: Valerio Cozzani, Bruno Fabiano, Genserik Reniers
Copyright © 2022, AIDIC Servizi S.r.l.
ISBN 978-88-95608-89-1; ISSN 2283-9216

Dynamic Assessment of the Probability of Release Caused by Equipment Deterioration

Maria Francesca Milazzo^a,*, Paolo Bragatto^b, Vincenzo Bartolozzi^c, Tomaso Vairo^d, Bruno Fabiano^e

^a Department of Engineering, University of Messina, Contrada di Dio, 98166 Messina, Italy
^b Department of Technological Innovation, INAIL, via Fontana Candida, 00078 Monteporzio Catone, Italy
^c ARPA Sicilia, Via S. Lorenzo, 312 G, 90146, Palermo, Italy
^d ARPAL Grandi Rischi, via Bombrini 8, 16149 Genoa, Italy
^e Civil, Chemical and Environmental Engineering Department, University of Genoa, via Opera Pia 15, 16145 Genoa, Italy
* mfmilazzo@unime.it

Deterioration due to corrosion causes undesired consequences in major accident hazard establishments, as it increases the potential for release of hazardous substances. If the damage mechanisms affecting the equipment are not properly managed, they could have severe impacts in terms of safety as well as business interruption. Risk assessment includes the analysis of scenarios due to deterioration. Generic probabilities associated with this type of leakage are taken from public databases and usually adapted to the industrial context by means of modification factors.
In any case, these probabilities suffer from a major shortcoming: they are non-specific. There is therefore a need to update them based on data collected inside the establishment for each specific piece of equipment. In this work, a dynamic approach for the quantification of the probability of release is presented. Dynamism is here intended as a last-minute update that follows the occurrence of a change inside the establishment. The proposed approach is based on a Fault Tree Analysis (FTA), which integrates additional branches accounting for equipment deterioration; then, the Bayes formula is used to update the generic probability connected to the deterioration by using incident and near-miss reports acquired in real time. A case study from a refinery shows the application of the approach, and an updated probability of release, which accounts for plant specificity, is obtained.

1. Introduction

In process safety and risk management, there is a need for dynamic risk assessment (Vairo et al., 2019), as external and internal changes inside major accident hazard establishments could cause perturbations to the processes that lead to modifications of the risk level. Modifications could sometimes be unexpected, as in the case of emerging risks, or could go uncaptured if proper process monitoring, combined with the identification of specific indicators, is not adopted. Emerging risks might impact safety in several ways; as an example, the COVID-19 pandemic highly stressed the safety management system of major accident hazard establishments (Bragatto et al., 2021). Equipment deterioration might lead to dangerous releases; the consequences strongly depend on the damage mechanism affecting the equipment and the deviation of the process variables. This variation from normal operability causes the damage to worsen (i.e. an increase of the propagation rate) or a new damage mechanism to develop (Lagad and Zaman, 2015).
To perform a dynamic risk assessment that captures the impacts of perturbations, efforts have been made by several scholars. A few works attempt to integrate organisational and human factors in a dynamic approach based on the Bayesian approach (Kalantarnia et al., 2009; Shafaghi, 2008); others proposed a methodology for dynamic safety management using statistical analyses of near misses and incidents (Meel and Seider, 2006). A dynamic risk assessment approach has also been proposed by Barua et al. (2016) and Vairo et al. (2019), which makes use of a Bayesian network, constructed from the Fault Tree Analysis (FTA), to integrate information from the system monitoring.

This paper proposes a dynamic risk assessment for scenarios triggered by equipment deterioration, but the dynamism is here intended as a last-minute update that integrates evidenced changes inside the establishment that modify the risk level. Current standards and practices support the management of equipment integrity by addressing time-based or risk-based inspection schedules and the use of guidelines to operate equipment in conditions that allow for a tolerable deterioration rate. The adoption of the RBI (risk-based inspection) approach (API, 2016a) and the creation of Integrity Operating Windows (IOW) (API, 2014) support a rigorous integrity management program and also the handling of possible changes or deviations in the process. This work focuses on generic probabilities to be used in risk assessment. These are publicly available in open-access databases but are not plant-specific; on the other hand, plant-specific data could sometimes be statistically invalid due to a short duration of data collection or to a limited population of equipment (Shafaghi, 2008).
In current practice in major hazard establishments, generic failure rates are still used to comply with the requirements of the Seveso legislation but, for a decade, these have been considered misleading (Bragatto et al., 2013) and, for this reason, are corrected by means of data related to the specific context, including the actual damage mechanisms and the operational experience. This inevitably leads to the application of a more dynamic approach to risk analysis. The proposed approach for the quantification of the probability of release due to equipment deterioration makes use of a Fault Tree Analysis (FTA) integrating further branches related to the investigation of the causes of release due to the damage mechanisms affecting the equipment. The Bayes approach is used to update the probability by using incident and near-miss reports collected inside the establishment.

The paper is structured in the following sections: Section 2 describes the approach proposed for the dynamic quantification of the probability of release due to equipment deterioration; Section 3 presents the case study used for the validation of the approach; Section 4 presents the results of the study; and Section 5 provides the conclusion and describes future perspectives.

2. Dynamic quantification of the probability of release due to equipment deterioration

The proposed dynamic approach is based on an FTA, which integrates additional branches related to the investigation of the causes of release due to the damage mechanisms affecting the equipment. Then, the Bayes formula is used to update the probability of release by integrating incident and near-miss reports collected inside the establishment. It should be observed that the probabilities used in risk assessment are commonly obtained from the literature.
These are modified by means of factors that take into account the complexity of the system, the damage mechanisms (damage factor) and the safety management system adopted in the company (management factor). The updating is still applied to the basic probabilities, so that it is always reflected in the final probabilities of the release scenarios.

2.1 Bayes updating methodology

The Bayes updating methodology assigns updated probabilities to the scenarios by combining prior judgments and evidence collected inside the establishment (Shafaghi, 2008). The method is articulated in the following three steps:
• Definition of a prior distribution for the equipment probability;
• Gathering evidence (likelihood function), i.e. plant-specific data;
• Construction of the posterior distribution by using Bayes' theorem.

The Bayes formula is defined by the following well-known equation:

$$f_{\text{posterior}}(\lambda) \propto \Pr(X = x \mid \lambda)\, f_{\text{prior}}(\lambda) \tag{1}$$

where:
λ = equipment probability of release due to deterioration;
f_prior(λ) = prior distribution of λ;
Pr(X=x|λ) = likelihood function of λ for a given x;
f_posterior(λ) = posterior distribution of λ.

2.2 Fault Tree Analysis

The Fault Tree Analysis is a widespread technique to identify and assess combinations of events, based on the investigation of system operability and the influence of its environment; the scope is the identification of combinations leading to an undesired state of the system (Haasl et al., 1981). The undesired state is represented by a top event. The logical gates connect the primary events to the top event; primary events are those that are not further developed (e.g. component failures, missed actuation signals, human errors, unavailability due to test and maintenance activities, common cause contributions). To execute a quantitative assessment with respect to the top event, a probability must be assigned to each event included in the Fault Tree.
In this work, the FTA integrates events related to equipment deterioration and, in order to assign a plant-specific probability to the event and make the analysis dynamic, the Bayes approach updates the generic probability by means of plant reports containing incidents and near misses collected in real time.

3. Case-study

The methodology described in Section 2 has been applied to a top event included in a desulphurisation unit of a refinery. The top event is the overpressure in a stabilisation column (T1931), which is upstream of the desulphurisation reactor. The column removes any entrainment of sulphur (hydrogen sulphide) in the naphtha to be sent to the desulphurisation reactor. Before entering the column, the feed is preheated by the bottom stream of the stabiliser, which is then fed to the reactor as shown in Figure 1.

Figure 1: Desulphurisation unit.

Figure 2 shows the fault tree related to the top event to be investigated. An overpressure inside the column could be caused by: (i) failures of the protection systems; (ii) the deterioration of the tubes of the heat exchanger (bundle), which determines a random failure and the mixing of the heating stream with the feed to the stabiliser, i.e. an overflow in the column; (iii) other causes of failure (e.g. overfilling of the column, overheating of the feed, blocked column exit). The integration of the second cause in risk assessment allows accounting for the effects of equipment deterioration. It must be pointed out that the overpressure inside the column due to a tube leakage could occur in the case of small and medium holes, whereas for large holes or rupture a significant failure of the heat exchanger is likely to occur. Table 1 gives the probabilities of the events included in the FTA. Tables 2-4 show the basic probabilities for random failures of heat exchangers, collected from the most popular databases.
Those to be used in calculating the probability of the event of case (ii) have been selected and updated by means of the Bayes formula. The process conditions have been taken from the Safety Report of the establishment, and the modification factors (damage factor and managerial factor) have been calculated according to API (2016b):
• in-service year: 1975
• operating pressure: 24.96 barg
• operating temperature: 62.78°C
• damage mechanism: thinning due to sulphidation
• material: carbon steel
• inner diameter: 1.092 mm

The case study represents an idealized situation, which reports information collected in various refineries.

Figure 2: Fault Tree for the investigation of the overpressure inside the stabilisation column.

Table 1: Probabilities

| Event | Probability |
|---|---|
| Protection system failures | 1.30∙10⁻⁸ |
| Causes of failure | 1.44∙10⁻³ |

Table 2: Probability of random failures of heat exchanger (API, 2016b) (failures/year)

| Component | Small | Medium | Large | Rupture | Total |
|---|---|---|---|---|---|
| Shell (inner wall) | 8.00∙10⁻⁶ | 2.00∙10⁻⁵ | 2.00∙10⁻⁶ | 6.00∙10⁻⁷ | 3.06∙10⁻⁵ |
| Shell (outer wall) | 8.00∙10⁻⁶ | 2.00∙10⁻⁵ | 2.00∙10⁻⁶ | 6.00∙10⁻⁷ | 3.06∙10⁻⁵ |
| Tubes | 8.00∙10⁻⁶ | 2.00∙10⁻⁵ | 2.00∙10⁻⁶ | 6.00∙10⁻⁷ | 3.06∙10⁻⁵ |

Table 3: Probability of random failures of heat exchanger (Flemish Government LNE Department Environment, Nature and Energy Policy Unit Safety Reporting Division, 2009) (failures/year)

| Leak size category (mm) | Equivalent leak size (mm) | Failure range |
|---|---|---|
| 0-25 | 10 | 3.8∙10⁻³ – 6.0∙10⁻³ – 8.6∙10⁻³ |
| 25-50 | 35 | 2.3∙10⁻³ – 3.9∙10⁻³ – 6.3∙10⁻³ |
| 50-150 | 100 | 4.1∙10⁻⁶ – 1.6∙10⁻⁵ – 4.6∙10⁻⁵ |
| Catastrophic | Rupture | 2.7∙10⁻⁶ – 1.3∙10⁻⁵ – 4.1∙10⁻⁵ |

Table 4: Probability of random failures of heat exchanger (Uijt de Haag and Ale, 2005) (failures/year)

| Configuration | Instantaneous | Continuous | Continuous size 10 mm |
|---|---|---|---|
| Heat exchanger, dangerous substance outside pipes | 5.00∙10⁻⁵ | 5.00∙10⁻⁵ | 5.00∙10⁻³ |
| Heat exchanger, dangerous substance inside pipes, design pressure outer shell less than pressure of dangerous substance | 10⁻⁵ | 10⁻³ | 10⁻² |
| Heat exchanger, dangerous substance inside pipes, design pressure outer shell more than pressure of dangerous substance | 10⁻⁶ | -- | -- |

Concerning the data of Table 3, three values are given, but AMINAL suggests using the central value in the safety reports. The extreme values (lower and upper) are reported in the background information (appendix of AMINAL). Table 4 classifies the failure rate based on the amount of loss of containment.

Focusing on the heat exchanger used for preheating, data concerning near misses and tube ruptures that occurred within the plant were collected. The observation period runs from the 1st September 2009 to the 31st October 2021 (12 years) and 65 near misses have been gathered, involving different items of the plant. Near misses include failures, ruptures, misuses and malfunctions of technical systems as well as human errors. There are 78 heat exchangers in the unit that were in service during the observation period. 2 minor leakages due to corrosion damage in the tube bundle were recorded in the database. In addition, 2 near misses involving heat exchangers were related to inappropriate actions during maintenance, but only one of these led to a loss of material, albeit well controlled.

4. Results

The gamma distribution (Eq. 2) has been chosen for the prior probability of failure data, whereas the likelihood function is generally well represented by the Poisson distribution (Eq. 3) (Shafaghi, 2008). By updating the prior gamma distribution with the Poisson likelihood model, the posterior distribution is also represented by the gamma distribution (Eq. 4):

$$f_{\text{prior}}(\lambda) = \frac{\beta^{\alpha}\,\lambda^{\alpha-1}\,e^{-\beta\lambda}}{(\alpha-1)!} \tag{2}$$

$$\Pr(X = x \mid \lambda) = \frac{(\lambda t)^{x}\,e^{-\lambda t}}{x!} \tag{3}$$

$$f_{\text{posterior}}(\lambda) \propto \frac{\beta^{\alpha}\,\lambda^{\alpha-1}\,e^{-\beta\lambda}}{(\alpha-1)!} \cdot \frac{(\lambda t)^{x}\,e^{-\lambda t}}{x!} \tag{4}$$

where: α = scale factor; β = shape factor.
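The conjugate update that follows from Eq. 2 and Eq. 3, as an added Python example (not code from the paper): a gamma prior with α = 0.5 is built from the prior mean, then x events over an exposure t are added, which reproduces the prior and posterior values the paper reports in its Table 5. The exposure t = 78 exchangers × 12 years = 936 and the event counts x = 65, 2 and 67 are assumptions read off Table 5, and the class and function names are illustrative.

```python
from dataclasses import dataclass

# Values quoted in the paper (Sections 3 and 4, Table 5).
GENERIC_SMALL_MEDIUM = 9.90e-3  # failures/year, small + medium leaks
DAMAGE_FACTOR = 1.5453
MANAGEMENT_FACTOR = 0.111
PRIOR_LARGE_RUPTURE = 2.90e-5   # Table 5 prior, large leak + rupture
PRIOR_ALPHA = 0.5               # Table 5 prior "scale parameter"

# Assumption (the paper gives no formula for t): exposure is the equipment
# population times the observation period, which matches 294 -> 1230.
EXPOSURE_YEARS = 78 * 12        # 936 exchanger-years


@dataclass(frozen=True)
class Gamma:
    alpha: float  # the paper's "scale factor" (usually called the shape)
    beta: float   # the paper's "shape factor" (usually called the rate)

    @property
    def mean(self) -> float:
        return self.alpha / self.beta

    @property
    def variance(self) -> float:
        return self.alpha / self.beta ** 2


def prior_from_mean(mean: float, alpha: float = PRIOR_ALPHA) -> Gamma:
    """Fix alpha and choose beta so that alpha / beta equals the prior mean."""
    if mean <= 0 or alpha <= 0:
        raise ValueError("mean and alpha must be positive")
    return Gamma(alpha, alpha / mean)


def update(prior: Gamma, events: int, exposure: float) -> Gamma:
    """Gamma prior x Poisson likelihood: alpha gains x, beta gains t."""
    if events < 0 or exposure < 0:
        raise ValueError("events and exposure must be non-negative")
    return Gamma(prior.alpha + events, prior.beta + exposure)


def table5() -> dict:
    """Recompute the (prior, posterior) pairs of the paper's Table 5."""
    p_small = GENERIC_SMALL_MEDIUM * DAMAGE_FACTOR * MANAGEMENT_FACTOR
    # Event counts x are read off Table 5 (posterior alpha minus 0.5).
    cases = {
        "small_medium": (p_small, 65),
        "large_rupture": (PRIOR_LARGE_RUPTURE, 2),
        "total": (p_small + PRIOR_LARGE_RUPTURE, 67),
    }
    out = {}
    for name, (mean, x) in cases.items():
        prior = prior_from_mean(mean)
        out[name] = (prior, update(prior, x, EXPOSURE_YEARS))
    return out


if __name__ == "__main__":
    for name, (prior, post) in table5().items():
        print(f"{name:14s} prior {prior.mean:.2e} (beta {prior.beta:.0f})"
              f" -> posterior {post.mean:.2e} (beta {post.beta:.0f},"
              f" sd {post.variance ** 0.5:.1e})")
```

With so small a prior α, the posterior mean is dominated by the plant evidence x/t, which is why the updated small and medium leakage probability sits far above the generic value.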
By comparing Equations 2 and 3, the following can be obtained:

$$\alpha_{\text{posterior}} = \alpha_{\text{prior}} + x \tag{5}$$

$$\beta_{\text{posterior}} = \beta_{\text{prior}} + t \tag{6}$$

In addition, it must be recalled that the mean of the gamma distribution is α/β = 0.5 and the variance is α/β². Then, it is possible to derive the parameters of the posterior distribution. The parameters of the posterior distribution have been calculated for the heat exchanger by updating the data to account for near misses and tube ruptures. The prior probability of release from the tubes has been quantified by using the RBI methodology (API, 2016b): the generic probability is the sum of the failure rates associated with small and medium leakages (from AMINAL, i.e. 9.90∙10⁻³), and the damage factor and the managerial factor have been quantified as 1.5453 and 0.111 respectively. The resulting probability of release was 1.70∙10⁻³; this value has been updated by the Bayes approach. The results of the Bayesian updating are summarised in Table 5 and compared with the prior data.

Table 5: Data updated

| | Small and medium leakage, prior | Small and medium leakage, posterior | Large leakage and rupture, prior | Large leakage and rupture, posterior | Total failure, prior | Total failure, posterior |
|---|---|---|---|---|---|---|
| Scale parameter | 0.5 | 65.5 | 0.5 | 2.5 | 0.5 | 67.5 |
| Shape parameter | 294 | 1230 | 1.72∙10⁴ | 1.82∙10⁴ | 289 | 1230 |
| Probability | 1.70∙10⁻³ | 5.32∙10⁻² | 2.90∙10⁻⁵ | 1.38∙10⁻⁴ | 1.73∙10⁻³ | 5.51∙10⁻² |

The inclusion of the updated data in the quantitative FTA of Figure 2 allows quantifying the final probability to be assigned to the top event. The probability of overpressure in the stabiliser column is derived by taking into account the data of Table 1 and Boolean rules; the result is 5.32∙10⁻², which is equal to the probability of failure of the tube bundle due to corrosion.

5. Conclusions

Operational experience, which includes the collection of data on accidents, near misses, use or maintenance errors, breakages, failures, anomalies and malfunctions, is one of the pillars of the management system for the prevention of major accidents in Seveso sites.
It is widely recognised that the study of the experience gathered is valuable for continuously improving safety and involving personnel in the management system. Less obvious is the possibility of using operational experience also to improve reliability data and use them to increase the credibility of the risk analysis used to comply with the Seveso legislation. The results presented here show how a quite simple calculation makes it possible to exploit operational experience data to refine the failure rates used in the standard risk analysis, in response to the temporal evolution of the context. Thus, a punctual reporting of operational experience should be highly recommended for both effective management and a reliable and adaptive risk assessment.

The refineries operating in Europe have been operating for fifty years or more. While waiting for the new carbon-free technologies, and to survive in a competitive market, even "difficult" crude oils are processed. The combined effect of ageing and operating conditions, often close to the limit, greatly affects the reliability of the equipment, and this must be taken into account in the management, ensuring plant integrity and prevention of major accidents. A continuous updating of the values used in the analysis and assessment of risk is a need to which the results presented here can give a simple practical answer.

Acknowledgments

This work has been funded by INAIL within the calls BRIC/2019 ID = 02 project DYN-RISK and BRIC/2018 ID = 11 project MAC4PRO.

References

API (American Petroleum Institute), 2014, Integrity Operating Windows, API RP 584, API Publishing Services, Washington.
API (American Petroleum Institute), 2016a, Risk-Based Inspection, API RP 580, 3rd ed. API Publishing Services, Washington.
API (American Petroleum Institute), 2016b, Risk-Based Inspection Methodology, API RP 581, 3rd ed. API Publishing Services, Washington.
Barua S., Gao X., Pasman H., Mannan M.S., 2016, Bayesian network based dynamic operational risk assessment, Journal of Loss Prevention in the Process Industries, 41, 399–410.
Bragatto P., Ansaldi S., Delle Site C., 2013, A pooled knowledge basis on pressure equipment failures to improve risk management in Italy, Chemical Engineering Transactions, 33, 433–438.
Bragatto P., Vairo T., Milazzo M.F., Fabiano B., 2021, The impact of the COVID-19 pandemic on the safety management in Italian Seveso industries, Journal of Loss Prevention in the Process Industries, 70, 104393.
Flemish Government LNE Department Environment, Nature and Energy Policy Unit Safety Reporting Division, 2009, Aminal Handbook Failure Frequencies.
Haasl D.F., Roberts N.H., Vesely W.E., Goldberg F.F., 1981, Fault tree handbook.
Kalantarnia M., Khan F., Hawboldt K., 2009, Dynamic risk assessment using failure assessment and Bayesian theory, Journal of Loss Prevention in the Process Industries, 22, 600–606.
Lagad V., Zaman V., 2015, Utilizing Integrity Operating Windows (IOWs) for enhanced plant reliability & safety, Journal of Loss Prevention in the Process Industries, 35, 352–356.
Meel A., Seider W., 2006, Plant-specific dynamic failure assessment using Bayesian theory, Chemical Engineering Science, 61(21), 7036–7056.
Shafaghi A., 2008, Equipment failure rate updating—Bayesian estimation, Journal of Hazardous Materials, 159, 87–91.
Schmitz P., Swuste P., Reniers G., van Nunen K., 2020, Mechanical integrity of process installations: Barrier alarm management based on bowties, Process Safety and Environmental Protection, 138, 139–147.
Uijt de Haag P.A.M., Ale B.J.M., 2005, Guidelines for quantitative risk assessment, RIVM Publication Series on Dangerous Substances (PGS 3), Utrecht NL.
Vairo T., Milazzo M.F., Bragatto P., Fabiano B., 2019, A Dynamic Approach to Fault Tree Analysis based on Bayesian Beliefs Networks, Chemical Engineering Transactions, 77, 829–834.