Journal of Loss Prevention in The Process Industries
Article info
Article history:
Received 22 December 2009
Received in revised form 13 April 2010
Accepted 14 April 2010
Keywords:
AZF
Land-use planning
Risk analysis
Risk assessment
Semi-quantitative risk assessment
Quantitative risk assessment (QRA)
Probabilistic safety assessment
Failure rates
Purple Book

Abstract
After the disaster of AZF plant in Toulouse on 21 September 2001 (31 people killed, 3000 injured and 3 billion dollars of damage), France adopted a new law relative to safety reports and land-use planning on 30 July 2003. This law asks for the investigation of all representative scenarios and the assessment of their probabilities to demonstrate the acceptable level of safety of an industrial facility. Therefore significant changes were introduced in the way of doing risk analysis in France and some difficulties were found for the implementation of a probabilistic approach.
This paper presents the new approach of risk analysis established by the French Ministry of the Environment, and particularly focuses on:
- the benefits and limits of the semi-quantitative probabilistic assessment method;
- the benefits and difficulties to use a quantitative probabilistic assessment method;
- some learning from the risk analysis approaches carried out in the nuclear industry;
- some discussion about the national matrix to appreciate the gravity of human consequences from an accident outside facilities.
© 2010 Elsevier Ltd. All rights reserved.
0950-4230/$ – see front matter © 2010 Elsevier Ltd. All rights reserved.
doi:10.1016/j.jlp.2010.04.003
J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813–823
Fig. 3. View of the AZF chemical plant after the explosion (3).
Fig. 5. Damaged warehouse at 380 m from the explosion center.
... consequences of the instantaneous release of all the materials in an equipment (for example: an LPG tank catastrophic rupture, a full bore pipe rupture);
3. Reduction of the main hazards, which consists of carrying out technical and economical studies to ensure there is no possibility of removing or substituting hazardous materials, or reducing as much as possible the quantities of hazardous products (for example: using smaller LPG tanks and pipes);
4. Learning from accidents, i.e. taking into account the feedback on accidents in the facility and its branch of activity to show the measures taken to counter such accidents (for example, learning from the Feyzin (1966) and Mexico (1984) accidents in the LPG industry);
5. Preliminary risk analysis, by using techniques such as HAZID; the accidental scenarios are ranked by using a matrix in order to select the critical ones (for instance scenarios with offsite consequences);
6. Detailed risk analysis, by using techniques such as HAZOP, where all the scenarios based on process deviation are investigated by the analysis of the necessary causes leading to the accident: failure of a sensor, corrosion, vehicle impact, etc.;
7. Evaluation of the intensity of dangerous phenomena, using analytical formulae or modelling softwares like PHAST or FLACS (for example: a jet fire from a loading/unloading arm for a truck, a vapour cloud explosion in a storage area);
8. Assessment of the probability of dangerous phenomena, i.e. estimating the probability of initiating events, the probability of central events, the probability of failure of safety barriers, and finally the probability of each dangerous phenomenon (vapour cloud explosion, jet fire, etc.);
9. Determination of the potential consequences for people, i.e. the number of people killed or injured for each dangerous phenomenon;
10. Classification of the scenarios in the national matrix, in order to evaluate the acceptability of the facility's global risk.

2.1. Gravity levels

                     | Thermal effects                  | Overpressure effects | Toxic effects
5% lethal effects    | 8 kW/m² or (1800 kW/m²)^(4/3) s  | 200 mbar             | LC 5%
1% lethal effects    | 5 kW/m² or (1000 kW/m²)^(4/3) s  | 140 mbar             | LC 1%
Irreversible effects | 3 kW/m² or (600 kW/m²)^(4/3) s   | 50 mbar              | IET
LC: lethal concentration (for 1% or 5% of the population exposed).
IET (irreversible effect threshold): level at which the effects are expected to cause irreversible effects on human health.

2.2. Probability levels

Probability is the frequency with which an incident may occur during the lifetime of a facility. The probability of an event can be assessed:
- qualitatively; the French Ministry of the Environment has defined a grid, with five probability levels, that can be used during the preliminary risk analysis or for simple facilities (Table 3);
- quantitatively; in this case, the probability is the result of a more detailed risk analysis (see Section 3.2).

2.3. Representation of accidental scenarios

In France, bow-ties have become very popular and largely used in safety reports since 2003. This representation of major accidents, introduced by SHELL, is the combination of a failure tree, on the left, and an events tree, on the right.
Bow-ties have the advantage to show how safety barriers prevent the propagation of initiating events into accidents and all the possible ways which lead to a dangerous phenomenon. According to Duijm (2009), bow-ties are very helpful in communication with non-experts. An example of bow-tie is given in Fig. 6.
[Fig. 6: bow-tie diagram, title "Jet fire". Diagram labels: Corrosion; Rupture due to overpressure; Vehicle impact; Release of hydrocarbon gas; Spark from instrument; Spark from electric motor; Hot work; Ignition source; Jet fire; Flames at offices; Flames at pressure vessel. Items in the diagram are numbered 1 to 10.]
2.4. Acceptability of the risk

The French Ministry of the Environment has defined a national matrix of acceptability of the risk for high-risk facilities (Table 4). Each dangerous phenomenon is associated to one level of gravity and one level of probability. The acceptability of the risk depends on the level of risk and the type of facility (new or existing, keeping in mind that criteria are more severe for new facilities).
For all facilities, it is not allowed to have dangerous phenomenon in the red zone (unacceptable risk): the operator must improve the safety of his operation in order to reduce the risk. It is also not allowed to have more than 5 dangerous phenomena in the orange zone.
We can already note that for large facilities, like refineries for example, it is common to get several tens of dangerous phenomena that have to be ranked, and then easy to overpass the limit of 5 dangerous phenomena in the orange zone.
In addition, new facilities are only authorized if there is no dangerous phenomenon in the box NO/MMR2, and if the best available technologies (for prevention and protection) are implemented. MMR means risk reduction measure, and applies to boxes where risk reduction measure may be implemented.
In the yellow zone, the facility is authorized under the condition that the operator has taken all safety measures within a reasonable cost/effectiveness ratio (ALARP).
In the green zone (low risk), the risk is acceptable and the facility's operation is authorized.

2.5. Technological risk prevention plans (PPRT)

The aim of the technological risk prevention plans (PPRT in French) is to protect the population, through reducing the risk at its root source or adopting measures such as protective measures, construction and land-use planning measures, restriction on use of land, etc.
It consists in assessing and prioritising the risk levels associated with the activity of a facility on the territory. These levels enable the definition of zones, each having its own land-use planning and construction rules. For high-risk levels, expropriation and relinquishment may be applied (French Ministry of the Environment, 2006b).
The first step consists in mapping aleas (Fig. 7). Alea is defined as the probability that a dangerous phenomenon creates effects of a given intensity, and over a determined period of time at a given point of the territory (French Ministry of the Environment, 2006b). For this purpose, the dangerous phenomena previously ranked into the national matrix of acceptability of the risk are used for implementing PPRT. Table 5 shows the rules applied for combining dangerous phenomena probability levels for land-use planning. Then PPRT is finalised.
Table 4
National matrix of acceptability of the risk.
PROBABILITY
E D C B A
Disastrous NO/MMR2 NO NO NO NO
Moderate MMR1
Fig. 8. Map of stakes (French Ministry of the Environment, 2006b).
Fig. 9. Bow-tie representation. UE: undesirable event, CuE: current event, IE: initiating event, CE: critical event, generally defined as a Loss of Containment (LOC), SCE: secondary critical event, DP: dangerous phenomenon, ME: major event.
Table 6
Benefits and limits of the semi-quantitative method.
Benefits                                                       | Limits
Simple and comprehensive method                                | Order of magnitude method
Quick evaluation, prioritisation                               | Lack of justification for the frequencies of initiating events
Take into account site-specific aspects for detailed analyses | Ignores the number of equipments, their sizes, the activity of the facility
Fig. 11. Mechanisms leading to a pressurized vessel catastrophic failure (Nussey, 2006).
... collected by the HSE in the UK offshore industry. This work has been updated by Falck (quoted in Pitlabo, Bain, Falck, Litland, & Spitzenberger, 2009).
Table 8 summarizes the advantages and disadvantages of the quantitative probabilistic assessment method.
So, finally, we can see that it is not so easy for a practitioner to choose the relevant value for his site.

3.2. Safety barrier failures

3.2.1. Equipment failures
The failure rate of an equipment can be estimated using a database (CCPS, 1989; Lees, 2005; SINTEF, 2002).
As previously mentioned for LoC cases, we can note that it is quite difficult to find some details about the considered equipment in databases, such as the fluid considered, the working environment, the tests frequency, etc., when these factors can greatly modify failure rates.
It is also quite difficult to adapt failure rates from one industry to another: you have to be sure that products have almost the same physical and chemical characteristics, the working conditions are equivalent, etc.
Table 9 shows that values concerning equipment failures found in the literature can be quite different. The difference between values from well-known databases could be greater than 100 for a pressure sensor!
We can note that the report Guidelines for process equipment reliability data from the Center for Chemical Process Safety is currently under revision, so maybe the new revision will give more detailed data for use in quantitative risk assessments.

3.2.2. Human failures
It is widely accepted that a main contributor of major accidents is human failure. Nevertheless, the assessment of probability of human failures is even more difficult than for equipments, because it depends on many factors, such as:
- the type of task;
- the time to complete the task;
- the adequacy of procedures;
- the experience level and the skills of the operator performing the task;
- the environmental conditions;
- the number of people performing the task (redundancy);
- the distractions or other tasks being performed simultaneously;
- fatigue, stress, motivation, etc.

A probability between 10⁻¹/year and 10⁻³/year is generally used in safety reports (Hannaman & Spurgin, 1984; Rasmussen, 1975; Swain & Guttmann, 1983).
Table 8
Benefits and limits of the quantitative method.
Fig. 12. Fault tree depicting mechanisms leading to a guillotine failure of hose/coupling. [Diagram labels: Tanker moves; Hose failure due to pullaway; Tanker movement results in a release from hose/coupling; Chlorine liquid line disconnected.]
3.3. Adjustment of standard failure and error rates to a specific facility

Many operators claim that their facilities are of a higher level of safety than the others. So what are the benefits of applying generic failure data? It can't take into account additional safety barriers, new safer technologies (or ageing of installations), process safety management system efficiency, etc.
There are two main approaches to obtain plant-specific failure rates:
- adjusting generic values using criteria (modification factors);
- developing specific databases: this point will be developed in Section 3.4.4.

According to AMINAL (2004), adapted values can be applied for equipment failures. In the case of pressure vessels for example, ten factors must be reviewed:
- corrosion;
- brittleness of the material;
- unwanted substances (including erroneous charging);
- modification/repair work;
- overfilling (can vessel rupture be ruled out?);
- fatigue failure (vibration, frequently occurring variations in loading and thermal loading);
- external fire (no combustible in the vicinity of the facility);
- explosion in the vicinity (no combustible materials with a potential explosion hazard in the vicinity of the facility);
- mechanical damages due to activities in the vicinity (e.g. roads);
- external corrosion.

... Rate Modifier (ERM), comprised between 0.1 and 10, which allows taking into account criteria such as:
- time pressure to complete the task;
- adequacy of procedures;
- fatigue, etc.

So the Adjusted Error Rate (AER) is calculated by the relationship: AER = BER × ERM.
It can be argued that the choice of ERM is again mainly based on expert judgement.
An interesting initiative is the work done by Taylor for RIVM (Taylor, 2004). His approach consists in defining baseline failure frequencies, mainly based on US Risk Management Program data, and combining these values with modification factors, according to the standards of design, construction, operations, maintenance, operating conditions, in order to obtain realistic estimates of actual frequencies (Beerens et al., 2006).
Checklists are provided to identify relevant causes of failure and calculate specific failure rates, in order to avoid different interpretations.
The advantages are that the failure frequencies are more recent and varied and that the methodology to apply modification factors is clear. Unfortunately, this project has not been finalised for the moment.
Recently, DNV (Pitlabo et al., 2009) has presented four approaches to modify generic failure rates coming from the UK HSE HCRD database: the CCPS method based on the report Guidelines for chemical process quantitative risk analysis, the MANAGER method, the API RP 581 method and the barrier based method. One of them, the MANAGER method, developed by Technica in the 80s, uses a site assessment questionnaire to account for local safety management
He concludes these works are less elaborate than in the nuclear industry, but remain of high interest.

3.4.3. IRSN initiative for an LPG plant PSA
In 2003, the French Ministry of the Environment asked for the Institute for Radiological Protection and Nuclear Safety, and in particular its Industrial Risks, Fire and Containment Assessment and Study (SERIC) and its Systems and Risk Protection Assessment (SESPRI) departments, to conduct a PSA study of an LPG distribution facility.
This study (Baltenneck et al., 2005) presented an overall analysis of the BLEVE scenario using simplifying assumptions (release from the biggest diameter for a family of pipes, liquid release with infinite duration, etc.). The analysis was aimed to quantify the contribution of each initiator postulated to occur (e.g. LPG leaks).
One of the main interests of a PSA is to define and prioritise the actions to be carried out to improve safety at the facility: the sensitivity studies conducted by IRSN (Baltenneck et al., 2005) have showed, for example, that using internal valves for storage

Table 10
Probability of guillotine hose/coupling release for different types of facilities.
Type of facility               | Failure rate per operation
Basic facilities               | 4 × 10⁻⁵
Average facilities             | 4 × 10⁻⁶
Multi-safety system facilities | 2 × 10⁻⁷

Table 12
Generic event frequencies for tank fires.
Type of fire                                       | Basic frequency
Spill on roof fire                                 | 3 × 10⁻⁵/tank year
Small bund fire (mixers, pipes, valves or flanges) | 9 × 10⁻⁵/tank year
Large bund fire (major spillage)                   | 6 × 10⁻⁵/tank year
Full surface fire following sunken roof            | 3 × 10⁻⁵/tank year

3.5. Discussion about the national matrix to appreciate the gravity of human consequences from an accident outside the facilities

In the French approach, the risk considered is a global risk for the public outside the facility (societal risk). For wide facilities, as we have seen in Section 2.4, it is very easy to obtain more than 5 dangerous phenomena in the case NO/MMR2.
In fact, the E probability level collects dangerous phenomena with a probability lower than 10⁻⁵/year, so it makes no difference between unlikely and very unlikely events whereas in some cases, the differences could be very significant. This difficulty had appeared during the testing period of the new approach of risk analysis on pilot facilities (2004–2006).
So the French Ministry of the Environment has proposed the possibility to exclude a dangerous phenomenon with a very low probability, and according to a defence in depth approach. The exclusion is subject to a strict rule of double-instrumented barrier protection. In addition, the dangerous phenomenon has to remain in the E probability level in case of failure of the most reliable
barrier. Under these conditions, the dangerous phenomenon won't appear in the matrix.
The French Ministry of the Environment also gave the possibility to aggregate BLEVE with the same effects and the same location into a single BLEVE with the total probability of occurrence (French Ministry of the Environment, 2007). For example, ten LPG storage tanks BLEVE with a probability of 10⁻⁷/year can be aggregated into a single BLEVE with a probability of 10⁻⁶/year; the corresponding dangerous phenomenon is then the combination of the different dangerous area of each BLEVE.

4. Conclusions

The new law adopted on 30 July 2003 indisputably led to a better estimate of the risks of industrial facilities. Risk analysis, at the heart of the safety report, is now a key element for land-use planning and decision making.
The set up of working groups, in order to harmonize consequences modelling techniques, has resulted in a strong improvement in this field, even if our knowledge remains quite incomplete. In the Buncefield accident for example, it seems overpressures have exceeded several bars at some locations, whereas all experts' calculations would predict overpressures of about 100 mbar! Uncertainties remain concerning the role of ignition source and vegetation on the level of overpressure observed.
It seems there is still more work to do to harmonize probabilistic assessment methods, mainly because of the lack of accurate data. We have seen the benefits, limits and difficulties of both semi-quantitative and quantitative probabilistic assessment methods. We have also seen the potential application of detailed risk assessment methods, like approaches developed for nuclear safety.
What is sure is that low-probability, high-consequence events like BLEVEs are still challenging for risk assessment and land-use planning. QRA techniques are quite profitable for this type of events, but it requires actual and actualised frequencies to get accurate outcomes. So there is a need to organize operative feedback to get plant-specific failure rates.
Anyway, because operative feedback is a long-term work, there is also a need to have a better understanding of the generic failure data and the underlying assumptions to apply it correctly. At the present time, practitioners don't have sufficient guidelines to use and/or adapt generic failure frequencies to real situations.
So one improvement proposal could be:
- to set up an international working group of experts, in order to organize existing data in a coherent and comprehensive way for practitioners;
- to develop a common methodology to introduce modification factors in order to take into account lacking/additional provisions (it supposes that generic fault trees are available): the work done by Taylor (2004), who has a long industrial experience, could be very useful for this purpose;
- to organize a coherent feedback through national associations (chemical association, LPG association, etc.) to get more accurate data: one motivation for operators could be that with a better feedback, values will really reflect their process safety management system efficiency.

References

AMINAL. (2004). Handboek kanscijfers voor het opstellen van een veiligheidsrapport. Co-ordinated Version 2.0, AMINAL Dienst gevaarlijke stoffen en risicobeheer, Brussels.
ARIA. (2007). Explosion in a fertilizer plant. September 21st, 2001. Grande Paroisse Toulouse. http://www.aria.developpement-durable.gouv.fr.
Baltenneck, H., Barrachin, G., Chambon, J.-L., Corenwinder, F., Gomane, C., Hernandez, J. L., et al. (2005). Etude Probabiliste de Sûreté relative à une Installation Industrielle, rapport final de la phase 2, tome 1. Rapport DSR/SESPRI n° 33, rapport EPS_ININ/PH2/04.
Barthélémy, F., Hornus, H., Roussot, J., Hufschmitt, J.-P., & Raffoux, J.-F. (2001). Usine de la société Grande Paroisse à Toulouse. Accident du 21 septembre 2001. Rapport de l'Inspection Générale de l'Environnement.
Beerens, H. I., Post, J. G., & Uit de Haag, P. A. M. (2006). The use of generic failure frequencies in QRA: the quality and use of failure frequencies and how to bring them up-to-date. Journal of Hazardous Materials, 130(3), 265–270.
Blything, K. W., & Reeves, A. B. (1988). An initial prediction of the BLEVE frequency of a 100 TE butane storage vessel. UKAEA/SRD/HSE/R488.
Center for Chemical Process Safety. (1989). Guidelines for process equipment reliability data. American Institute of Chemical Engineers.
COVO Commission. (1981). Risk analysis of six potentially hazardous industrial objects in the Rijnmond area, a pilot study. A report to the Rijnmond Public Authority. Schiedam, The Netherlands: Central Environmental Control Agency.
Duijm, N. J. (2009). Safety barriers diagrams as a safety management tool. Reliability Engineering and System Safety, 94(2), 332–341.
Fivez, C., Delvosalle, C., Cornil, N., Katz, T., Servranckx, L., & Tambour, F. (2009). Influence of new generic frequencies on the QRA calculations for land use planning purposes in Walloon Region (Belgium). In Eighth World Congress of Chemical Engineering, Symposium on the frequency component used in risk assessment of major industrial accidents, 23–27 August 2009, Montreal.
French Ministry of the Environment. (2005a). Décret n° 2005-1130 du 7 septembre 2005 relatif aux plans de prévention des risques technologiques.
French Ministry of the Environment. (2005b). Arrêté du 29 septembre 2005 relatif à l'évaluation et à la prise en compte de la probabilité d'occurrence, de la cinétique, de l'intensité des effets et de la gravité des conséquences des accidents potentiels dans les études de dangers des installations classées soumises à autorisation.
French Ministry of the Environment. (2005c). Arrêté du 29 septembre 2005 modifiant l'arrêté du 10 mai 2000 modifié relatif à la prévention des accidents majeurs impliquant des substances ou des préparations dangereuses présentes dans certaines catégories d'installations classées pour la protection de l'environnement soumises à autorisation.
French Ministry of the Environment. (2005d). Circulaire du 29 septembre 2005 relative aux critères d'appréciation de la démarche de maîtrise des risques d'accidents susceptibles de survenir dans les établissements dits « SEVESO », visés par l'arrêté du 10 mai 2000 modifié.
French Ministry of the Environment. (2005e). Circulaire relative à la mise en œuvre des plans de prévention des risques technologiques.
French Ministry of the Environment. (2006a). Guide d'élaboration et de lecture des études de dangers pour les établissements soumis à autorisation avec servitudes et fiches d'application et fiches associées.
French Ministry of the Environment. (2006b). Technological risk prevention plan (PPRT) acting together to control risks.
French Ministry of the Environment. (2007). Circulaire du 23 juillet 2007 relative à l'évaluation des risques et des distances d'effets autour des dépôts de liquides inflammables et des dépôts de gaz inflammables liquéfiés.
French Parliament. (2003). Loi n° 2003-699 du 30 juillet 2003 relative à la prévention des risques technologiques et naturels et à la réparation des dommages.
Fullwood, R. R. (2000). Probability safety assessment in the chemical and nuclear industries. Butterworth-Heinemann.
Gould, J. (1993). Fault tree analysis of the catastrophic failure of bulk chlorine vessels. AEA Technology. SRD/HSE R603.
Gould, J., & Anderson, M. (2000). Hose and coupling failure rates and the role of human error – Catastrophic failure rates. Health and Safety Laboratory. HSL/2000/09.
Hannaman, G. W., & Spurgin, A. J. (1984). Systematic human action reliability procedure (SHARP). Electric Power Research Institute. EPRI NP-3583.
Harding, A. B. (1995). BLEVE probability of an LPG road tanker during unloading. AEA/CS/HSE R1043.
Health and Safety Laboratory. Failure rates and event data. http://www.failurerates.info.
IPO. (1994). Guidelines for the preparation of off-site safety industrial sites. Report IPO Project A-73, The Hague.
Keeley, D., & Wilday, J. (2000). Hose or coupling failure events during off-loading a chlorine road tanker. Final report. Health and Safety Laboratory. RAS/00/11.
Keeley, D., & Collins, A. (2004). Hose and coupling: Less than catastrophic failure rates – Milestone 2. Health and Safety Laboratory. RAS/04/03/1.
Lees, F. P. (2005). Loss prevention in the process industries. Butterworth-Heinemann.
LNE. (2009). Handboek faalfrequenties 2009 voor het opstellen van een veiligheidsrapport.
Logtenberg, M. T. (1998). Derivation of failure frequencies for LOC cases. TNO report, TNO-MEP – R98/501.
Nussey, C. (2006). Failure frequencies for major failures of high pressure storage vessels at COMAH sites: A comparison of data used by HSE and the Netherlands. Health and Safety Executive.
Pitlabo, R., Bain, B., Falck, A., Litland, K., & Spitzenberger, C. (2009). Frequency data and modification factors used in international QRA studies. In Eighth World Congress of Chemical Engineering, Symposium on the frequency component used in risk assessment of major industrial accidents, 23–27 August 2009, Montreal.
Ramsden, N. (1997). The LASTFIRE project. Loss Prevention Bulletin, 138.
Rasmussen, N. (1975). Reactor safety study. WASH 1400. US Atomic Energy Commission.
RE-95-1 (1996). Version 2-2-1996, KO-95, KO-96, KO-100 performed by TKO Working Group.
Selway, M. (1988). The predicted BLEVE frequency of a selected 2000 m³ butane sphere on a refinery site. UKAEA/SRD/HSE/R492.
SINTEF. (2002). Offshore reliability data Handbook (4th ed.).
Smith, T. A., & Warwick, R. G. (1981). A survey of defects in pressure vessels in the UK for the period 1962–1978 and its relevance to nuclear primary circuits. SRD report R203.
Spouge, J. (2005). New generic leak frequencies for process equipment. Process Safety Progress, 24(4), 249–257.
Swain, A. D., & Guttmann, H. E. (1983). Handbook of human reliability analysis with emphasis on nuclear power plant application. US-NRC-NUREG/CR-1278.
Taylor, J. R. (2004). Hazardous materials release and accident frequencies for process plant. Draft version.
TNO. (1983). LPG a study. Report for the Public Ministry of Housing Physical Planning and the Environment. Apeldoorn: TNO.
Uijt De Haag, P. A. M., & Ale, B. J. M. (1999). Guidelines for quantitative risk assessment (purple book).
Wincek, J. C., & Haight, J. (2007). Realistic human error rates for process hazard analyses. Process Safety Progress, 26(2), 95–100.
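
The exclusion and aggregation rules of Section 3.5, worked through in Python as an added example (not code from the paper or from the French Ministry of the Environment). It assumes independent barriers, so that a frequency is the initiating-event frequency multiplied by each barrier's probability of failure on demand, and it reads "double-instrumented" as at least two instrumented barriers; all names and numbers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import prod

# Section 3.5: level E collects phenomena "lower than 10^-5/year".
E_LEVEL_LIMIT = 1e-5


@dataclass(frozen=True)
class Barrier:
    name: str            # hypothetical label
    pfd: float           # probability of failure on demand (assumed independent)
    instrumented: bool   # True for an instrumented safety barrier


def frequency(initiating_per_year, barriers):
    """Initiating frequency times every barrier's failure probability."""
    return initiating_per_year * prod(b.pfd for b in barriers)


def in_level_e(freq_per_year):
    return freq_per_year < E_LEVEL_LIMIT


def exclusion_check(initiating_per_year, barriers):
    """Apply the two stated conditions for leaving a phenomenon out of the
    matrix. Returns (allowed, nominal, degraded, reasons)."""
    reasons = []
    # Assumption: "double-instrumented" = at least two instrumented barriers.
    if sum(b.instrumented for b in barriers) < 2:
        reasons.append("fewer than two instrumented barriers")
    nominal = frequency(initiating_per_year, barriers)
    if not in_level_e(nominal):
        reasons.append("nominal frequency is not in level E")
    # Fail the most reliable barrier (lowest PFD) and recompute.
    if barriers:
        best = min(barriers, key=lambda b: b.pfd)
        rest = [b for b in barriers if b is not best]
    else:
        rest = []
    degraded = frequency(initiating_per_year, rest)
    if not in_level_e(degraded):
        reasons.append("leaves level E when the most reliable barrier fails")
    return (not reasons, nominal, degraded, reasons)


def aggregate_bleves(events):
    """Sum frequencies of BLEVEs sharing the same location and effects.
    events: iterable of (location, effects, freq_per_year)."""
    totals = defaultdict(float)
    for location, effects, freq in events:
        totals[(location, effects)] += freq
    return dict(totals)


# Constructed scenarios (not data from the paper).
SCENARIO_A = (1e-3, [Barrier("high-level trip", 1e-2, True),
                     Barrier("pressure trip", 1e-3, True),
                     Barrier("relief valve", 1e-1, False)])
SCENARIO_B = (1e-2, [Barrier("high-level trip", 1e-2, True),
                     Barrier("pressure trip", 1e-3, True)])
# Ten tanks at 10^-7/year each, as in the paper's aggregation example.
TEN_TANKS = [("storage area 1", "BLEVE", 1e-7) for _ in range(10)]

if __name__ == "__main__":
    for label, (f0, barriers) in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        allowed, nominal, degraded, reasons = exclusion_check(f0, barriers)
        print(label, allowed, f"{nominal:.1e}", f"{degraded:.1e}", reasons)
    for key, total in aggregate_bleves(TEN_TANKS).items():
        print(key, f"{total:.1e}", "level E" if in_level_e(total) else "above E")
```

Scenario B sits in level E with all barriers working yet fails the exclusion test, because losing its best barrier leaves a frequency of about 10⁻⁴/year.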