CHEMICAL ENGINEERING TRANSACTIONS
VOL. 48, 2016
A publication of The Italian Association of Chemical Engineering
Online at www.aidic.it/cet
Guest Editors: Eddy de Rademaeker, Peter Schmelzer
Copyright © 2016, AIDIC Servizi S.r.l., ISBN 978-88-95608-39-6; ISSN 2283-9216

Can Process Plant QRA Reduce Risk? – Experience of ALARP from 92 QRA Studies over 36 Years

John Robert Taylor
Engineering Systems Division, Technical University of Denmark
JRT@ITSA.dk

Many industry quantitative risk analyses for large oil and gas plants were found to have limited recommendations for risk reduction, and few cost benefit or ALARP analyses. Before recommending improvements in this area, a study was made to determine whether QRA could in fact reduce risk. Study of a large number of risk analyses with follow up of experience over many years showed that QRA can in fact reduce risk, but is more limited than might be imagined. Causes of limited effectiveness of QRA were failure to implement recommendations, limitations in the range of scenarios studied in the QRAs, limitations in analysis methodology and lack of knowledge of accident phenomena, as well as failure to perform a full range of ALARP assessments. Recommendations for improved performance are improved presentation of QRA results, use of systematic lessons learned analysis, and automation of ALARP assessment.

1. Introduction

This paper was motivated by observations during Process HSE reviews (PHSERs) and third party reviews of QRAs, showing very limited risk reduction recommendations. 16 recent QRAs were studied. These were extensive pieces of work between 100 and 400 pages each, covering large installations. The recommendation pages were in some cases less than 1 page long, even though risks were in all cases found to be in the ALARP region.
The most common recommendations were to minimise staffing and to reduce the number of flanges – anodyne recommendations based on the assumption that designers would add unnecessary flanges or that operations managers would employ unnecessary staff. Just one analysis, for a pipeline, contained a thorough ALARP assessment with 15 well supported recommendations. Only one of the QRAs in the reviews included a failure cause analysis (the pipeline study). With no causal analysis the risk analyses are methodologically handicapped, and cannot be used to support recommendations for preventive risk reduction measures.

Five of these reference risk analyses were followed by ALARP workshops, in which possible risk reduction measures were discussed systematically between analysts, design and operations engineers. However, these were made qualitatively, and mostly did not refer to the QRA except to identify the most significant scenarios. No residual risk analyses were made.

2. Research questions and methodology

These observations raise the question – just why are we spending so much time in risk assessment? Before attempting an extensive effort to remediate an obviously bad situation, our group asked a different question – can QRA in any case help to reduce risk significantly? And if so, how and by how much?

As a source for answering these questions, 92 QRAs carried out over 36 years were available, giving a total of 371 process units and 7134 unit years of experience. During these years, follow-up was made on a regular basis so that the actual accident experience could be determined and compared with predictions. The QRAs for the 92 plants used a more or less constant methodology.
The consequence models were updated during this period, particularly by incorporating models from the Dutch Yellow Book (TNO 1980 and 1997), incorporating improved models from the UK HSE research reports from 1995 and onward, using the Shell explosion models after 2002 (Puttock 1995) and using updated frequency data from the RELBASE (Taylor 2004) database after 2006. RELBASE has been important for the analyses since it gives causal data for release statistics and can be used to support recommendations for preventive measures as well as mitigative measures. Just 40 of the analyses included human error analyses (Taylor 2015). Since the input data files were all backwards compatible, all the analyses from 1987 onward could be repeated and brought up to date, and modern ALARP analyses could be made retrospectively. 72 of the plants were existing ones when the analysis was made, so that detailed integrity audits could be carried out as part of the original QRAs. An important aspect of the study is that software was used which allows automation of quantitative ALARP analysis and systematic lessons learned analysis.

Please cite this article as: Taylor J., 2016, Can process plant qra reduce risk? – experience from 102 qra studies over 36 years, Chemical Engineering Transactions, 48, 811-816 DOI:10.3303/CET1648136

3. Results

If you continue to perform QRA long enough, eventually you will have the misfortune of having your predictions proved correct. Follow-up allows investigation of why the accidents occurred and why they were not prevented. Follow-up also provides an opportunity to improve analysis methodology. Historically the frequency of major hazards accidents in Europe and USA has been between $10^{-4}$ and $10^{-3}$ per process unit year (Location Specific Human Risk, LSHR), so some accidents would be expected if the analyses cover 92 plants over 36 years.
Nevertheless, risk analysis is supposed to reduce risk, so it is incumbent on us to investigate whether the work we do is actually effective in reducing risk.

The 92 plants represented in all 449 plant units, with a total of 7134 unit years of experience. 26 major hazards accidents occurred in these plants over the 36 years, some of them very large. Many more accidents were calculated to have been prevented. In six incidents, the prevention was confirmed by near misses. This represents a Major Hazards Accident (MHA) frequency of $5.3 \times 10^{-3}$ per unit year (Location Specific Human Risk, or LSHR), which is about 10 times that of the QRA predictions. Most of these accidents were predicted and risk reduction recommendations were made. Subtracting the accidents for which risk reductions were not implemented, the MHA frequency was $7 \times 10^{-4}$ per unit year, less than a factor 2 from the average frequency prediction in the QRAs. If all the managerial causes of failure to prevent accidents were to be eliminated, the risk reduction attributable to QRA would be by a factor of about 5, to about $1 \times 10^{-4}$ per unit year. Five of the accidents were not predicted, with reasons as described in a later section.

Reasons for failure to prevent accidents

In all there were 16 accidents with fatalities, with a total of 138 persons killed, giving a fatal accident frequency of $2.2 \times 10^{-3}$ per process unit year. It is therefore important to understand why the QRA predictions did not prevent the accidents. Figure 1 shows the proximate reasons for failure to prevent the accidents. Underlying reasons for the failure to prevent the accidents are discussed later.

Figure 1: Reasons for failure to prevent accidents following QRA supported with HAZOP and plant audit.

In only one case was a risk reduction recommendation explicitly rejected.
The recommendation was for a conventional Permit To Work (PTW) system, and the rejection was made because there was not space for a permit office on the gas production platform concerned and no accommodation for PTW officers. There was considerable acrimony after the rejection of the recommendation. Sadly the issue resolved itself six years later when a vapour cloud explosion destroyed the platform and killed 11. The accident was a result of failure by a contractor team to isolate a compressor suction drum prior to performing maintenance on a pressure switch, a problem which would probably have been avoided with a well working PTW system.

[Figure 1 bar chart, axis scale 0 to 8. Categories: Not predictable with present techniques; Employee ignored safety regulation; Recommendation implemented but then removed; Hazard introduced after QRA, no MOC; Implementation too late; Management refused to implement risk reduction; Management failed to implement recommendation.]

Five of the accidents were not predicted. These are discussed in the following section. Additionally there were nine near misses/minor accidents which could not have been predicted with current methodologies.

Management failure to implement recommendations occurs in many ways, and occurs especially if some, or even just one, of the managers is not convinced that the accident can occur, or is not convinced that the risk is sufficient to justify the effort or expense. The methods by which implementation is avoided are many, but the most frequent are requests for further study, which can drag on until the problem is forgotten; and postponement until the next major turn-round, by which time the problem is forgotten or further postponed because sufficient preparations have not been made.

Since 1994, no recommendations have been rejected, and all have eventually been implemented, though some took several years.
The reason for the change in “success rate” was a change in presentation technique. After observing too many “failures to protect”, all QRAs made were accompanied by case histories of earlier accidents, generally accompanied by photographs, and more recently, by videos of similar accidents. Recommendations were made more specific, including provision of design concept notes. All recommendations were accompanied by a cost benefit analysis.

Lesson 1: Always accompany QRAs with a set of relevant accident case histories.
Lesson 2: Always make recommendations specific, for example naming vessels requiring protection, and giving examples of the risk reduction engineering.
Lesson 3: Always make a detailed cost benefit or ALARP analysis.

In one case, a clear recommendation was made, but the company organising the analysis was different from the owner of the pipeline, which was in turn different from the telephone company, whose contractor ruptured the pipeline with a backhoe. After the accident it was concluded that the recommendations would have had to be transmitted through eight layers of management and between three companies in order to be implemented.

Lesson 4: Make sure that the lines of communication for risk reduction are clear and that the message can be passed directly to the group with the authority to implement the recommendations.

“Not enough time to implement the recommendation” refers to the fact that engineering changes take time. If new valves are to be fitted, new piping made, or even larger changes, a design concept needs to be worked out, a budget made and approved, a detail design and drawings made, and equipment must be acquired or manufactured. Installation often requires a wait until a major turn-round is scheduled. Note that if a recommendation requires a shut-down of a large plant, the cost of lost production will generally be much larger than the cost of the equipment, and achieving a good cost benefit ratio will generally be impossible.
In one case, a BLEVE of an LPG truck on a highway, the accident occurred just one day after the risk was calculated and the recommendation to transfer transport to a pipeline through an isolated area was made. It nevertheless took three years to implement the risk reduction. In another case, a recommendation was made to abandon a fourteen story engineering office building close to an alkylation plant. Six months after the presentation of the QRA, the author returned to the plant, and was surprised to see that the building no longer existed. The explanation given was “The QRA turned out to be correct. The entire engineering staff was trapped in the building for three days due to a hydrogen fluoride release”.

Lesson 5: There is a need to determine urgency of risk reduction recommendations, for example by calculating “interim risk”, and communicate the urgency.

Hazards introduced due to design changes after completion of risk assessment are a well-known problem. The companies concerned did have management of change (MOC) systems, but these were not uniformly applied and at the time of the accidents it was very unusual to perform mini-HAZOP analyses after changes.

In three cases the accident occurred because the recommendations were implemented, but afterwards removed or circumvented. As an example, a water hose was used to cool down melted crystals in a fired melter, operating above 300 degrees. It was recommended that the practice of using water to cool be dropped and the hose removed, and this was done the same day. Six months later, the hose was again in use, a steam explosion occurred, and the foreman using it was killed. The other accidents in this group were also due to the results of the analysis being forgotten or not being communicated to those who need to know. Risk analysis reports should be readable, and should be read by all affected, including supervisors and operators. QRAs should not just sit on a shelf.
Lesson 6: It is not sufficient to make a HAZOP, QRA or safety inspection report, and then have it presented. The risk analysis needs to be communicated out to managers, supervisors and operators. The communication needs to be well illustrated, and in a language which operators understand. Acceptance by working staff needs to be achieved. QRA workshops involving management, operations and engineering staffs were found to be the most effective approach for this.

Scenarios that were not identified

Six accident scenarios were not identified in the QRA, HAZOP, or safety inspections. Four of these accidents were not predictable with knowledge available at the time of the analysis. One was a release of hydrogen sulphide from drier absorbent due to wetting with rain. Another, involving a runaway reaction, is still inexplicable, and cannot be reproduced in the laboratory. The third was an explosion of hydrogen in a diesel storage tank. This accident type was unknown when the explosion occurred, although an earlier occurrence had been published. The fourth unpredicted accident was spontaneous ignition of activated carbon mixed with slaked lime dust, also a problem which could not be reproduced in the laboratory.

Lesson 7: There will always be some things you cannot predict or prevent, but this set needs to be reduced by assiduous study of accident reports.
Lesson 8: HAZOP studies and QRAs should always be followed or accompanied by a study of lessons to be learned from earlier accidents.

One of the accidents was not identified because of the identification methodology used. This was primarily due to operator error and maintenance error not being included in the QRA.

Lesson 9: Operator and maintenance error should be taken into account in QRAs and HAZOPs.

What went right?

Trying to find out whether risk analysis, and the resulting recommendations, actually reduced risk is like trying to prove a negative.
The risk was presumably reduced by the safety measures introduced, and the risk reduction can be calculated, but the calculations are based on so many assumptions and theories that it is difficult to rely on these. Nevertheless, some positive effects of QRA can be observed directly.

After experience of two large accidents in 1994 the approach to QRA presentation was improved and subsequently the implementation performance for recommendations was much improved. After 1994 management acceptance was 100%. The main changes which were introduced to achieve this result were the use of cost benefit analysis for the risk reduction measures, and the use of case histories and photographs from earlier accidents to illustrate the possible consequences.

For a few potential accidents, the problems were found to be imminent, and the plants were shut down quickly. This includes identification of a pipe with a wall thickness reduced to 1.2 mm by under-insulation corrosion and flowing benzene at 260 °C and high pressure, and an amine regenerator with a riser swaying more than 1 m from side to side due to two phase vertical flow. These were found during inspection, and so cannot really be credited to QRA, but the QRAs provided a background for determining the potential size of consequences, in both cases catastrophic, and in determining the urgency of the shutdown.

One really demonstrable case was the QRA recommendation of a temporary shelter close to an employee transport queuing area. When a chlorine release occurred five years later, with persons waiting for transport, the plume extended for 5 km across the waiting area. There were no injuries, because all those waiting were in shelter.

One plant showed some indication of the value of QRA and risk reduction cost benefit analysis. In its first 7 years of operation it had a major hazards type accident each year, two of them with offsite impacts.
There was an eighth incident, hydrogen cyanide in a release, shortly after the risk assessment was completed. The accident had been predicted. Subsequently, over a period of 30 years, there were no actual major hazards accidents and only limited near misses. The QRA alone could hardly be credited for this significant improvement in performance, but it originated a major effort in improved safety management and safety culture.

For other risk reduction cases, demonstrable benefits cannot be determined so readily. What is needed are reports of near misses which were prevented from developing into full scale accidents by the risk reduction measures which were implemented on the basis of the QRAs.

The major hazards accident frequencies should in principle be lower for the plants analysed after 1994, for which all recommendations were implemented. In actuality the frequency of accidents was reduced to $3.3 \times 10^{-4}$ per year, about halving the average risk. This performance is hardly as good as one would hope, but the reason can be readily seen from Figure 1. The weaknesses are still:

• Unusual and hard to predict accidents which are ignored by current QRA methodologies.
• Omission of human error analysis from the QRA methodologies in the oil, gas and chemical industries.
• Failure to include design error and maintenance accidents in QRA.
• Failure to communicate results effectively to supervisors, operators and maintenance staffs.

These observations apply to risk analyses which mostly include lessons learned analysis and plant integrity audits, with extended scenario scopes including HAZOP derived scenarios and with extensive ALARP assessment. These steps go beyond those ordinarily included in commercial QRAs. In order to assess the effectiveness of conventional QRA, the QRA calculations were repeated using a conventional commercial methodology. For these assessments, there are a few more gaps, as discussed in the first section:

• Limited use of ALARP assessment.
• Lack of linkage between QRA, HAZOPs and mechanical integrity audits.
• Limitations in the way recommendations are presented.
• Limitation in the scope of analyses to just those accidents arising from holes in pipes and vessels.

Systematic Lessons Learned Analysis

The accidents and incidents described above indicated a need for convincing support of QRAs, with accident case histories and photographs. This led to the development of a procedure for Systematic Lessons Learned Analysis (SLLAN for short). All QRAs were then accompanied by illustrative cases. In order to do this, all of the published accident reports which are accessible via published sources and for which good assessment of causes is available were summarised and indexed by substance, equipment type, threat or deviation, initiating event or threat and plant type, and the original reference given. The case history database covers about 1000 cases by now. The database was integrated into the HAZOP/HAZID tool used, so that the relevant accidents could be listed quickly during HAZOP workshops, and drawings and photographs shown where possible.

Note that several other databases are available for this lessons learned support, but for systematic use the collection needs to have examples for every accident type identified by HAZOPs. In order to achieve this, several hundred HAZOPs were reviewed, and practical examples collected both from open literature and from company experience.

Automated ALARP assessment

ALARP assessment is one of the methods which help to achieve management acceptance of risk reduction recommendations. However, it is almost unheard of to perform in depth assessment of the hundred or so loss prevention and risk reduction measures for every relevant location in a plant. It would represent a major effort if it were to be applied manually, in some cases more than for the QRA itself. Software was developed for automatic ALARP assessment.
In this approach a baseline QRA is made with a simple underlying event tree including only those safety measures which are obligatory, or already in place. A simple approach to automation of ALARP analysis would then involve making a new risk assessment with more extensive underlying event trees for every possible risk reduction measure, and for reasonable combinations of measures. This approach is very time consuming since typical QRAs for large process plants take several hours each to compute.

A more effective approach is to introduce risk reduction measures during the last stages of QRA calculation, when risk mapping and FN curve calculations are made. This approach requires risk analysis results to retain traceability of risk contributions back to initiating event causes. The risk reduction measures are then made by changing the frequency associated with individual causes, or for mitigative measures, by modifying the extent of individual scenario consequences. This approach has the advantage that even for a large plant, the risk reduction for each option selected can be made in a few minutes. It also means that ALARP assessment can be made for individual items of equipment, for example for every ESD valve proposed.

Currently a database of 108 loss prevention and mitigation measures is provided, and measures can be selected for application at the unit level and at the individual equipment level. This allows reduced risk to be calculated for each measure, and the risk reduction can be obtained by comparing risk levels before and after. Practicality of risk reduction measures must be assessed manually, but this is made easier with guidelines.

Automated ALARP analysis was applied using the enhanced QRA methodology. This included a wide range of scenario types, incorporating results from HAZOP analyses and mechanical integrity audits, and maintenance and operator error analyses.
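The late-stage approach described above can be sketched as follows. This is an added example, not the software used in the study: it keeps each baseline risk contribution traceable to its initiating cause, applies a preventive measure by scaling cause frequency or a mitigative measure by scaling scenario consequence, and compares risk before and after. The equipment tags, frequencies, costs, plant lifetime, the cost threshold and the use of cost per fatality averted as the cost-benefit figure are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Contribution:
    """One baseline risk contribution, traceable to its initiating cause."""
    equipment: str
    scenario: str
    cause: str
    freq: float        # events per year
    fatalities: float  # expected fatalities per event

@dataclass(frozen=True)
class Measure:
    name: str
    kind: str                        # "preventive" or "mitigative"
    target: str                      # cause (preventive) or scenario (mitigative)
    factor: float                    # fraction of frequency/consequence remaining
    cost: float                      # installed cost, currency units (assumed)
    equipment: Optional[str] = None  # None means applied at unit level

# Constructed baseline results; tags and numbers are illustrative only.
BASELINE = [
    Contribution("V-101", "jet fire", "flange leak", 1e-3, 2),
    Contribution("V-101", "vapour cloud explosion", "maintenance error", 2e-4, 10),
    Contribution("P-201", "jet fire", "corrosion", 5e-4, 1),
    Contribution("P-201", "vapour cloud explosion", "corrosion", 1e-4, 10),
]
MEASURES = [
    Measure("Permit to work system", "preventive", "maintenance error", 0.1, 200_000),
    Measure("Corrosion inspection on P-201", "preventive", "corrosion", 0.5, 50_000, "P-201"),
    Measure("ESD valve on V-101", "mitigative", "jet fire", 0.5, 500_000, "V-101"),
]

def apply_measure(m, contributions):
    """Return the contributions as modified by one measure; no QRA re-run."""
    out = []
    for c in contributions:
        in_scope = m.equipment in (None, c.equipment)
        if in_scope and m.kind == "preventive" and c.cause == m.target:
            c = replace(c, freq=c.freq * m.factor)
        elif in_scope and m.kind == "mitigative" and c.scenario == m.target:
            c = replace(c, fatalities=c.fatalities * m.factor)
        out.append(c)
    return out

def pll(contributions):
    """Potential loss of life: expected fatalities per year."""
    return sum(c.freq * c.fatalities for c in contributions)

def fn_curve(contributions, thresholds=(1, 10)):
    """Cumulative frequency F of events with N or more fatalities."""
    return {n: sum(c.freq for c in contributions if c.fatalities >= n)
            for n in thresholds}

def assess(measures, baseline, lifetime_years, max_cost_per_fatality):
    """Rank measures by cost per fatality averted over the plant lifetime."""
    base = pll(baseline)
    rows = []
    for m in measures:
        delta = base - pll(apply_measure(m, baseline))
        averted = delta * lifetime_years
        cost_per = m.cost / averted if averted > 0 else float("inf")
        rows.append((m.name, delta, cost_per, cost_per <= max_cost_per_fatality))
    return sorted(rows, key=lambda r: r[2])

if __name__ == "__main__":
    for name, delta, cost_per, ok in assess(MEASURES, BASELINE, 25, 1e7):
        print(f"{name:30s} dPLL={delta:.2e}/yr cost/fatality={cost_per:,.0f} ok={ok}")
```

Whether a flagged measure is practical is not something this calculation decides; as the text notes, that is still assessed manually.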
When applied retrospectively to the 92 plants in the reference group, an average of 18 risk reduction recommendations were made automatically per unit and about one half of these were judged to be practical. This was about three times more than were made originally, reflecting the increased modelling capability for risk reduction measures developed over the period of the analyses studied.

Automated ALARP analysis was also applied using a standard QRA methodology (OGP data, releases through holes only, no causal analysis). With the standard methodology, only an average of 4 risk reduction measures were made per process unit. Not surprisingly, standard QRA methodology worked well in identifying cost beneficial mitigation measures for accident scenarios involving holes in pipes, but since these only represent a fraction of accidents occurring in practice, only a part of the total risk is reduced.

4. Conclusions

QRA can be used as a tool to reduce risk in process plants, but the actual reduction achieved using current QRA approaches will be much less than one would hope. QRAs using current standard methodologies have limited impact on risk. For the plants studied the reduction using current standard QRA methodologies alone would be about a factor 2 in frequency. By including input from safety inspections, HAZOP analyses and systematic use of lessons learned, and from failure cause analysis, the performance was improved to about a factor of 10. By using automated ALARP assessment, it was found that additional risk reduction options could be found with a potential for a further risk reduction by a further factor 3, giving an overall risk reduction by a factor of 30.

The main reason for limited performance in risk reduction for the 92 QRAs studied, and especially those before 1994, was failure to implement recommendations or failure to ensure that the risk reduction was effectively communicated to staffs.
The overriding lessons are that for QRA to be useful, a thorough and systematic risk reduction assessment is needed, and that this must be presented to management in a clear way, with support from accident experience, and must be communicated to operations staff.

To answer the question in the title, quantitative risk assessment can be used to reduce risk, but only if it is performed with this in view. By far the most important lessons for the future are that risk analyses should be written for use by those responsible for minimising risk, and should be made available to all involved in this process.

Unidentified or unidentifiable accidents appear to place a limit on the effectiveness of conventional QRAs even if all recommendations are properly implemented.

References

Puttock, J.S. (1995) Fuel gas explosion guideline - the congestion assessment method. Second European conference on major hazards onshore and offshore, ICHEME, RUGB, UK. 1995. 267-276.
Taylor, J.R. (2001) Hazardous Materials Release and Accident Frequencies for Process Plant, Taylor Associates 2004, and 7th edition 2009
Taylor, J.R. (2015) Human Error in Process Plant Operations, CRC Press, Taylor and Francis Group
TNO (1996), “Yellow Book”, Methods for the Calculation of the Effects of the Escape of Dangerous Materials, Dutch Ministry of Labour, 1978, 1996