Professional Documents
Culture Documents
The QRAQ Project Volume 4 Frequency of R
The QRAQ Project Volume 4 Frequency of R
Version 1 Issue 1
August 2010
J.R.Taylor
QRAQ 4 Accident frequencies
© J.R.Taylor 2010 i
QRAQ 4 Accident frequencies
© J.R.Taylor 2010 ii
QRAQ 4 Accident frequencies
Preface
This report is the 4th in the series of reports covering various aspects of the quality of process
risk assessment studies. It covers the different approaches to calculating accident
frequencies, and provides actual data based on observations in over 500 process plants.
J.R.Taylor
Allerød, 2010
© J.R.Taylor 2010 iv
QRAQ 4 Accident frequencies
© J.R.Taylor 2010 v
QRAQ 4 Accident frequencies
QRAQ publications
1. The QRAQ Project – Introduction
2. Quality and completeness of hazard identification
3. Consequence calculation models
4. Risk assessment frequency data
5. Risk analysis methodologies
6. Risk acceptance criteria
7. Ignition frequency
8. Jet fire models
9. Fire water monitors as a risk reduction measure
10. Boilover and fire induced tank explosion
11. Self evacuation as a risk reduction measure
12. Major hazards scenarios - Model validation against actual accidents
13. In preparation
14. Gas impoundment
15. In preparation
16. In preparation
17. In preparation
18. In preparation
19. In preparation
20. Human error in process plant operations and maintenance
21. SIL assessment using LOPA
22. Assessment of simultaneous operations
© J.R.Taylor 2010 vi
QRAQ 4 Accident frequencies
Updating history
Contents
© J.R.Taylor 2010 ix
QRAQ 4 Accident frequencies
1. Introduction
Figure 1.1 shows the classic model of risk assessment. At the start, three “technical aspects of
the assessment are shown, hazard identification, frequency determination and consequence
calculation. As can be seen, frequency determination is a central part of the risk assessment
process. This volume in the QRAQ series considers the various ways in which frequencies
are determined. As will be seen though it is not possible to separate the issue of frequency
calculation from that of hazard identification.
Identification
Frequency Consequence
Risk
Yes
1. “Parts counting” is a method which assumes as its basis assumes that accidents arise as a
result of release of hazardous materials due to damage of equipment parts (corrosion, fatigue
© J.R.Taylor 2010 1
QRAQ 4 Accident frequencies
etc.). The component parts of each section of a plant are counted, and parts failure
frequencies are obtained from a data base for the different leak sizes for each part. Parts are
typically pipes, flanges, valves, pumps, heat exchangers, vessels etc. The frequencies of
occurrence of leaks are determined for sections of the plant, typically “isolatable sections”
defined as the sections of a plant which are connected together so that in an accident, the
entire inventory of the section will be released. This is often further defined as the volume
between emergency shutdown valves (although mor sophisticated approaches may be used,
see volume 5 in this series). The frequency of holes of a given size for the sections is
determined by adding together the contributions for each part within the section.
The main process plant data base for this at present is the UK HSE Hydrocarbon Release
Data collection, which provides an extensive and a very rigorous set of data for offshore oil
and gas development and production (ref. 1)
This approach is one of the most widely used at present for risk assessment (out of 35
onshore QRA’s received for third party review, 33 used this approach alone. 2 supplemented
parts counting with component specific accident frequency calculations for tanks).
This approach is venerable in the history of risk assessment, being used for example in the
Canvey Island studies of the 1970’s (ref. 2 and 3). The approach was formalised in the IFAL
method (ref. 4), which provided a unit process accident frequency data base. An extensive
data collection which is largely arranged in this way is RELBASE (ref. 5)
In comparison with parts counting, the unit process approach can take into account more
types of accident including ones not related to hazardous substance releases through holes.
Failures due to misoperation, runaway reactions, internal explosions, and overflow can be
incorporated into analyses. This is hard to do properly just by counting pipes (or pipe
lengths), flanges, valves and vessels. In other words, the parts counting approaches do not
even attempt to determine comparable frequencies for accidents which do not involve release
trough a hole as the initial event. By contrast, it is very natural to include all accident types
when using the unit process approach.
3. Frequencies can be determined on the basis of detailed hazard identification, obtained from
HAZOP studies, detailed layout safety reviews, fault tree analyses etc. To allow the hazard
identification to be used in practice, most “commercial” hazard identifications need to be
extended to the stage where fatalities, injuries, and equipment damage is clearly stated. This
usually means that the analysis results must be translated to a fault tree/event tree
© J.R.Taylor 2010 2
QRAQ 4 Accident frequencies
Figure 1.1 a typical in depth bow tie diagram for a single vessel. Clicking on any event or
barrier reveals the reveals the PDF or frequency calculation for that item, and its performance
standards
This approach using a combination of fault tree and event tree analysis is the norm in nuclear
power plant QRA’s, and is sometimes used for analysis of offshore oil and gas platforms. It
has only rarely been used in everyday commercial risk analyses or in the chemical industry.
One reason for this is it costs more in analysis time. Another reason is one of project
schedule. HAZOPS are usually made towards the end of front end design, when design detail
is available. Waiting for these to complete before carrying out a QRA would generally delay
projects.
To allow this approach to be used, much more extensive collections of data are required,
covering failure of rotating equipment, failure of valves, control system and instrumentation,
and also operational and maintenance faults, as well as data for leaks in piping, flanges,
vessels etc. The very fact that this additional data is needed indicates the more complete
analysis possible with detailed methods, compared with the parts counting approach.
5. Almost any accident will require for its occurrence and full development both an initiating
event and a failure of one or more safety systems. A release of toxic gas may for example be
© J.R.Taylor 2010 3
QRAQ 4 Accident frequencies
initiated by a leak caused by corrosion, but for it to become serious, emergency shutdown
systems will also need to fail. For this reason, failure rate data for safety equipment is
required for QRA.
Quite a few failures however are latent ones. The equipment failure occurs, but nothing
happens until a later event triggers the consequence. A few examples give the flavour of
latent failures:
A pipe is subject to corrosion so that there is significant wall thinning, but it fails only
A tank roof corrodes but fails first when someone walks on it ( figure 1.33)
when a person tries to open a valve, and so imposes a torque on the pipe (figure 1.2)
A drain valve is left open after cleaning a batch reactor, but the release occurs first
A level sensor is installed wrongly, so that it works well during the early stages of
when the next batch is started.
filling, but sticks when the tank becomes full because the float wire becomes more
A person puts reactive material in unlabelled sacks. An explosion occurs later when
skewed as the float rises (figure 1.4)
For most QRA purposes it is more or less irrelevant whether a failure is immediate or latent.
The distinction becomes important when calculating risk for plant personnel however.
Usually the individual risk is derived by calculating the location specific risk (LSR, or “risk
map”) and multiplying the LSR by the “exposure factor” for the operator, maintenance
artisan or labourer. Usually, operator and maintenance personnel have an exposure factor of
about 10% or less in the process area of the plant, when meal times, periods in the control
room or workshop, the shit time, week-ends and holidays are taken into account. In any
particular plant location, the exposure factor can be as little as 1% or less. The problem is that
for human triggered latent failures, the exposure factor is often 100% !
The fraction of failures which are human triggered latent failures is therefore important. For
employees it can imply a difference between calculated and actual risk of as much as a factor
100.
© J.R.Taylor 2010 4
QRAQ 4 Accident frequencies
Figure 1.2 Paper thin piping, fortunately detected before it could be broken by an
operator turning a valve handle (or a puff of wind).
Figure 1.3, A corroded tank roof, waiting for someone to fall through it, arising from
internal corrosion. The trap would have been even more insidious in the period just
prior to the holes becoming visible.
© J.R.Taylor 2010 5
QRAQ 4 Accident frequencies
Figure 1.4 Tank level alarm badly installed so that the float wire is skew and sticks on
pipe edges. In the actual accident, there was an alternative radar type high level alarm,
but the operators had more faith in the float type, and so sent an operator to check.
Overflow occurred before the check could be made.
© J.R.Taylor 2010 6
QRAQ 4 Accident frequencies
The plant analysed belongs to the same population as the plants from which the data
The plant is an “average plant” for the population, i.e. it has no factors which would
was collected.
make it much more reliable such as a first class inspection programme, and no factors
which would make it much worse, such as handling very sour gas, when the
population itself largely handles sweet gas.
The use of the UK HRDC data, for example, to support risk analyses for British offshore oil
and gas installations is by these rules completely appropriate. The plants all have fairly
similar operating conditions (at least when compared with, for example, chlorine plants), and
the plants are fairly uniform in their operation. There will be some variation from company to
company, and between designs, which mean that the population from which data is drawn is
not completely homogeneous, but in the difficult world of failure data collection, HRDC data
collection is about as good as it gets.
Transfer of such data to analyses for other plants involves a large number of assumptions,
and is rarely fully justified. In fact, there are great variations between data for different plant
populations. Figure 2.1, for example shows the variations in failure rates for cross country
pipelines, between western USA, Canada and European gas and oil pipelines, and, to drive
the point home, from British water pipelines. Figure 2.2 shows variations in piping failure
rates between different process types. The reasons for variations are many, including:
Differences in age profile of the pipeline population
Differences in environmental conditions
Differences in the process fluids, temperature and pressure
Differences in design standards
Differences in operation
Differences in inspection programmes
Considering that nearly all oil, gas and chemical industry QRA’s are made using data
transferred from some other field, it is clear that the QRA should be accompanied by some
kind of health warning. It is clear that “foreign” (i.e. from other plant types) must be used,
because there are only three publicly available data bases with “real” data (i.e collected from
actual incidents, rather than estimated based on engineering judgement). At least though, the
degree of variation in failure rate data should be understood. For example, the failure rate due
to corrosion for piping with sour gas is observed to be about five times greater than that for
sweet gas, unless either special alloys are used, or an extra corrosion allowance is provided in
the pipe wall thickness. Also, failure of high pressure pipes due to vibration fatigue is about
© J.R.Taylor 2010 7
QRAQ 4 Accident frequencies
32 times higher if the piping is associated with a reciprocating compressor, and 7 times
higher if it is associated with a centrifugal compressor, than for ordinary process piping (ref.
5).
Note that to be able to understand the variation in failure rates, the causes of failure must be
recorded. Very few data bases do this, and where it is done, (as for example in the
supplements to the OREDA data base (ref 6), an enormous amount of data is required to
ensure that there are sufficient entries that the statistical breakdown into causes is
meaningful. The RELBASE data base (ref. 5) provides a breakdown by cause. However to do
this, data from several sources was needed, rather than the ideal of relying on one
homogeneous data base.
.
Figure 2.2 Pipe failure rates for different process unit types (ref 5)
© J.R.Taylor 2010 8
QRAQ 4 Accident frequencies
Failure rates change also with the age of equipment, and with time independently of
equipment age. Figure 2.3 shows the development of failure rates for some Canadian
pipelines over time.
Figure 2.3 Changes of failure rate with time, from Pipeline Performance in Alberta, 1990-
2005, Alberta Energy and Utilities Board, 2007
Conclusion: Ideally, analyses should use data which is specified by failure mode or hole
size, equipment type, service, equipment age and failure cause. Unfortunately, this requires at
least 36000 failure incidents for each equipment type in order to give appropriate failure rates
in each category with upper and lower confidence bounds within a factor 3 of each other.
This is an unrealistic requirement. Many data bases have as few as 20 failures for each
equipment type. The OREDA data base(ref. 6), which is one of the oldest and most extensive
collections, has generally between 5 and 1000 failures recorded for each equipment type.
Equipments and failures must therefore be consolidated in groups to get a reasonable degree
of statistical uncertainty. The choice of grouping should be such as to minimise the variations
in failure rate within any group. Unfortunately there is no single rule to determine which
form for grouping is the best. For example, it appears that there is not much variation in
pipeline failure rates in Europe (see Figure 2.1) so that pipeline service does not strictly need
to be taken into account (though actually it may be, since for cross country pipelines
specifically there is a lot of data, sufficient to allow classification of failures by service, hole
size and cause).
© J.R.Taylor 2010 9
QRAQ 4 Accident frequencies
The parts count approach described in Ch. 1 considers these initiating events to the exclusion
of all others.
There are many other major hazards incident types which can be identified during hazop
studies:
High pressure ruptures due to pressure regulation failure, dead head pumping, high
releases.
Low liquid level events in vessels, which can lead to gas blow-by and overpressure
cannot be addressed by HAZOP studies.
HAZID and safety layout reviews can often extend this list:
Releases due to natural events such as flooding, earthquake, landslip or hurricane
Releases due to damage by dropped objects
Releases due to crashes of cranes, vehicles etc.
Aircraft crash
All of these methods, which are relatively routine within the oil and gas industries, still leave
a large group of major hazard incident types unaddressed. These are the ones caused by
operations and maintenance errors. Examples are:
Leaving drain valves open, either deliberately to drain water, but for too long, or by
opened.
© J.R.Taylor 2010 10
QRAQ 4 Accident frequencies
It is a cause of wonder to this author why so many analysts spend time counting flanges,
which only rarely cause major hazards accidents, but almost never count maintenance
operations, which are a major cause of accidents. It appears that we spend a long time trying
to solve the wrong problem. To illustrate this, Table 2.1 lists the major hazard accidents
reported by the UK HSE and the US Chemical Safety Board. Each accident is characterised
by whether it would be included in a QRA carried out according to one of the standard
guidelines (for example ref. 7, 8 and 9).
As can be seen from the table, the majority of the accidents would be identified in a HAZOP
study, and would probably be prevented as a result. Many though could not be identified in
HAZOP or HAZID studies etc. and require more specific methods such as layout safety
reviews, maintenance error analysis and operations error analysis, using methods such as
action error analysis or job safety analysis. These omissions cannot in many cases be
included into current QRA methodologies, because of timing problems (it is hard to analyse
maintenance procedures during the design stage of a plant) and because of the difficulties of
data collection. Ref 10 suggests a way around this problem. Essentially, the types of
operations and maintenance errors which arise in process plant accidents are relatively well
known, and repeat themselves in the same way that equipment failures do. This means that it
is possible to review equipment types and the necessary operations and maintenance
procedures, and to collect data specifically for the errors in carrying out these procedures
which cause accidents.
Table 2.1 shows that only about 40% of the major hazards accidents occurring in real life are
covered by current commercial QRA consequence calculation methodologies. Only about
10% of the accident types are included in frequency data bases. Only about 35% are
identifiable by the HAZID methods typically used in QRA, and only about 15% are
identifiable using simple parts counting.
This raises the questions “What do we think we are doing when we make a QRA?”. Nearly
all the accidents arise from specific design weaknesses or operating errors which have
nothing to do with equipment failure rates. Generally, these failures and errors are
preventable. We should be engaged in eliminating these weaknesses, not in calculating their
frequency.
A resolution of this dilemma is possible. QRA’s should not be made for plants unless good
HAZOP, HAZID and Operations Hazards Analyses are made first, with good follow up and
good management of change. The residual risks should then arise form completely
unpredictable events, form oversights in the hazard analyses, and for unavoidable component
failures, and unavoidable operating errors and maintenance errors. We should add a step into
any safety analysis which asks the question – “If this event is considered possible in the
future, why is it unavoidable?”.
Frequency data should then only be needed for non-avoidable occurrences and for predicted
and accepted accidents. Note that there will still be some risk from unpredictable accidents.
© J.R.Taylor 2010 11
QRAQ 4 Accident frequencies
Conclusion:
The main conclusion from this section is that current QRA practice seems to be addressing
only a subset of the real problems, and that data bases and consequence calculation packages
should have a much wider range of capabilities.
© J.R.Taylor 2010 12
QRAQ 4 Accident frequencies
Location Accident description Type Included in Included in Identifiable
standard parts count and
QRA frequency data predictable
consequence bases
calculation
Penzzoil, Vapour ignition in a tank due to vapour plume at Tank explosion No No By HAZOP
Rouseville 1995 location where welding takes place. Miscalibration
of gas tester and poor testing practice.
Morton Runaway reaction in kettle reactor due to operator Reactor No No By HAZOP
International, New error, too fast heating. Under-dimensioned safety runaway and reactor
Jersey 1998 vent. explosion relief
caculation
Koch Pipeline Butane pipeline rupture due to corrosion. Corrosion Pipe failure, Yes Yes By HAZID
Company, Lively, due to coating failure and poor inspection flash fire and
Texas 1996 jet fire
Olympic Pipe Line Gasoline pipeline rupture due to third party damage Running fire No Yes, but By HAZID
Company, and erroneous design of relief systems design error
Bellingham means that Design error
standard data by detailed
is design
overoptimistic review
El Paso Natural Natural gas pipeline rupture and large jet fire due Pipeline jet fire Yes No, dead legs By HAZOP
Gas Company, to corrosion in a dead leg not included
Carlsbad, 2000
Sonat, Temple Vessel overpressuring due to operator error and Vessel rupture No No By HAZOP
Common, design error explosion
Louisiana 1998
Powell Duffryn, Tank fire due to activated carbon auto ignition, Tank fire, No No By HAZOP
Georgia, 1995 hydrogen sulphide generation reaction
© J.R.Taylor 2010 13
QRAQ 4 Accident frequencies
Location Accident description Type Included in Included in Identifiable
standard parts count and
QRA frequency data predictable
consequence bases
calculation
Phillips, Houston, Vapour cloud explosion due to release of ethylene Vapour cloud Yes No By
1990 and propane from an improperly reinstalled valve explosion maintenance
AEA
Total, Buncefield, Vapour cloud explosion due to gasoline overflow Vapour cloud No, explosion No By HAZOP
England, 2005 from tank. Operator error and level switch failure. explosion was much
more violent
than
calculations
show
San Juan, Puerto Indoor explosion due to gas leakage. Failure due to Indoor No No By HAZID
Rico 1996 third party interference explosion
Texaco, Milford Vessel overflow causing butane to enter flare line, Vapour cloud Yes No Identifiable
Haven, 1994 hammer effect ruptured flare line, giving a vapour explosion in principle
cloud explosion. by HAZID,
but would
normally be
considered
too unlikely
(required 3
failures)
Sierra chemicals, Operator error in starting a part full reactor caused Runaway No No By Action
Nevada, 1998 detonation. reaction Error
explosion Analysis
Surpass chemicals, Hydrochloric acid tank ruptured during filling due Tank rupture No No By HAZOP
New York toinadequate venting
© J.R.Taylor 2010 14
QRAQ 4 Accident frequencies
Location Accident description Type Included in Included in Identifiable
standard parts count and
QRA frequency data predictable
consequence bases
calculation
Tosco Avon Hydrocracker outlet line rupture doe to high Reactor No No By HAZOP
Refinery, temperature, reactor hot spot, giving an explosion. runaway
California, 1997
Shell Deerpark, Vapour cloud explosion due to shaft blowout on a Vapor cloud Yes Wrong No practical
Texas,1997 butterfly valve, arising due to design error. explosion frequency for method to
the actual identify this
valve in QRA.
Herrig Brothers Damaged l1” line due to tractor impact caused BLEVE Yes No By layout
Farm, Iowa, 2001 propane release, fire and BLEVE safety review
BP, Texas City, Overfilling of column, overflow of vent stack, and UVCE Yes No By HAZOP
2005 UVCE. Overflow due to operator error and
instrument design error.
Giant Industries, Operator error in alignment of ¼ turn isolation Spray fire, pool Pool fire, yes No By Human
Cinzina, 2004 valve leading to a release of alkylate, fire and fire, secondary Spray fire, no Factors
subsequent explosions. Valve handle positioning vessel Domino Analysis or
was abnormal. explosions effects, no Safety
Design
Review
Petrolia, Operator error (supervisor and operator) and Pool Yes No By AEA and
Pennsylvania, 2008 misleading change in design led to overfilling of an evaporation HFA
oleum tank and oleum mist release
Marcus Oil, Internal ignition in wax vessel due to pressuring Vessel rupture No No By AEA
Houston 2004 with air to clear blockage, also defective weld, explosion
leading to vessel rupture and explosion
© J.R.Taylor 2010 15
QRAQ 4 Accident frequencies
Location Accident description Type Included in Included in Identifiable
standard parts count and
QRA frequency data predictable
consequence bases
calculation
DPC Enterprises, Chlorine unloading via a hose connector made of Jet release of Yes No, wrong Positve
Missouri, 2002 the wrong material led to chlorine release. toxic gas In the actual material gives material
case, a much higher identification
impingement failure rare
and damming than hose
caused the failure
release to be frequencies in
wider and data bases
shorter than
open field
plume
calculations
Partridge, Tank explosion due to hot work close to a tank Tank explosion No No By HAZID
Mississippi, 2006 containing flammable vapour
Synthron Runaway reaction and explosion due to scale up of Runaway No No By HAZOP
Chemicals, North a batch reaction without analysis reaction and reactor
Carolina, 2008 explosion analysis
Allied terminals, Tank split open due to a defective weld, releasing Tank rupture Yes No. This as Safety
Virginia, 2008 liquid fertiliser (ammonium hydroxide) one of a series Design
of tank Review
ruptures, all in
the same
manufacture
tank
Terra industries, Ammonium nitrate explosion and anhydrous Runaway No No By AEA or
Port Neal, Iowa ammonia release due to process deviations arising reaction HAZOP
1994 from poor operating practice explosion
© J.R.Taylor 2010 16
QRAQ 4 Accident frequencies
Location Accident description Type Included in Included in Identifiable
standard parts count and
QRA frequency data predictable
consequence bases
calculation
Barton Solvents, Static accumulation leading to in tank explosion Tank explosion No No By HAZOP
Wichita, 2007 and rocketing. The spark probably arose from a
loose level sensor cable
Marcus oil, Perth Acetylene explosion in a tank due to reverse flow Tank explosion No No By HAZOP
Amboy, 2005 though a pump and check valve.
Valero McKee Freezing of water in a dead leg led to propane Jet fire Yes, first jet No, dead legs By dead leg
refinery, Sunray release, a jet fire, a manway cover damage and a fire, No, not addressed analysis, or
Texas, 2007 large secondary jet fire. second jet fire piping safety
analysis
Formosa Plastics, Propylene release and unconfined vapour cloud UVCE Yes No By HAZID
Point Comfort, explosion due to for lift truck cras and damage to a or Layout
Texas, 2006 valve. Safety
Review
Conoco Phillips Corrosion downstream of an injection point led to UVCE Yes Yes, though
Humber Refinery, an ethane/propane release and an unconfined failure
2001 vapour cloud explosion. frequency
underestimated
Honeywell, Baton Chlorine cooler tube failure leading to Toxic plume Yes Yes Parts count
Rouge, Louisiana overpressuring of coolant side and chlorine release
© J.R.Taylor 2010 17
QRAQ 4 Accident frequencies
Failure rate data will definitely not be applicable to equipment of low standard, or which are
unsuitable for the actual application. As an example, the frequency of centrifugal pump seal
failure is given in OREDA as 0.87 per year. Many pump seals have a failure frequency much
less than this. In one application though, pumping hot chlorobenzene, the failure rate was 1
per week. No seal suited to the application could be found. Figure 2.4 shows equipment for
which failure rate data cannot be expected to apply.
In order to provide some degree of order in the assessment of risk, performance standards
have been required to be specified for safety critical equipment. These performance standards
are assumptions underlying any QRA and are intended to ensure that good engineering is
applied. The performance standards cover especially component properties which can be
checked directly as a part of design review at the detailed level, and so do not need to be
considered in HAZOP studies etc. Table 2.2 shows an example of performance standards.
In actual fact, many of the items from which failure rate data have been collected do not
satisfy all the usual performance standards, and this can have led to failures. New plants
which are designed with careful application of performance standards, will therefore
presumably have lower failure rates than older ones. The QRA’s should therefore be
conservative. No studies have so far been completed which allow this conservatism to be
documented however, and as the previous section shows, any effect of this kind would
probably be overshadowed by the unanalysed causes of accidents and poor quality of QRA’s.
Figure 2.4 Equipment for which it is unreasonable to try to give a failure rate
© J.R.Taylor 2010 18
QRAQ 4 Accident frequencies
Design requirements
Piping flow Piping should be properly dimensioned for the DEP 31.38.01.11-Gen 2.2
rates service and flow rate avoiding high flow rates
which could cause erosion or cavitation and low
flow rates which could cause deposit settlement and
increased corrosion.
Small bore Piping under DN 40 should be avoided for DEP 31.38.01.11-Gen 3.9
piping hydrocarbon or toxic service.
Pocketing Gas and steam piping should have straight runs DEP 31.38.01.11-Gen 4.3
with a drain slope and with no low points or
pockets
Pipe fittings Pipe elbows and tees for flammable, toxic or DEP 31.38.01.11-Gen 8.5
pressure service should be forged or weldolet type.
Socket welds should be avoided
Mitre bends Mitre bends shall be avoided DEP 31.38.01.11-Gen 8.5
Socket welds Socket-welded construction is not permitted in the DEP 31.38.01.11-Gen 8.3
© J.R.Taylor 2010 19
QRAQ 4 Accident frequencies
These data sets served during the early days of risk analysis, but the provenance was quite
varied. When the source of data is not known, or is based on “engineering judgement”, its
applicability is difficult to judge.
The data sets discussed below are all real data, systematically collected from appropriate
plant types. .
The raw data are available in a tabulated form, from which it is possible to derive some idea
of failure rate age dependence, process fluid dependence, pressure dependence, hydrogen
sulphide dependence and a rough causal distribution for some items of equipment for which
there is sufficient data.
Between 40 and 50% of the releases are classified as arising from operational or maintenance
causes. This means that human error is taken into account in the data base, but only for those
related to leaks and ruptures.
From the source, the data can be determined to be directly relevant for carbon steel
equipment, operating with temperatures from below 0 ˚C to 50˚C (except for items which are
heated, such as glycol driers and gas turbines), and working with relatively sweet crude oil
and natural gas.
The underlying assumptions concerning the relevance of the data to other application areas
are the standards applicable for North Sea designs. This includes compliance with most API
and BS offshore standards covering strength, corrosion, erosion and fatigue resistance and
inspection procedures.
© J.R.Taylor 2010 20
QRAQ 4 Accident frequencies
Transfer of the data to onshore oil and sweet gas plants should be straightforward, although
the range of equipment covered is less than that needed for a refinery for example.
Direct application to sour gas plants is not really appropriate because of the widely different
corrosion potential. There is enough data in the data base, however, to allow an estimate to be
made of the influence of hydrogen sulphide.
Application of the data to some kinds of petrochemical plant seems also to be realistic.
Application for chemical plant has been found to be less justified (see ref. 5).
The US RMP data collection (ref. 15) is a collection of reports for all US process plants and
storage terminals handling hazardous materials over a certain threshold. The data includes a
considerable amount of information about the plant design and safety systems, Importantly, it
contains a five year record of releases of hazardous materials with offsite impact. A total of
23,000 facilities are included in the data base. Only refineries, gas plants, ammonia plants
and Chlor-Alkali plants however were sufficiently uniform in design and provided sufficient
process data to allow failure rates to be determined
The US RMP database itself does not contain sufficient information to determine how much
equipment is at risk at the detailed level. It was possible to assemble this information though
for a small subset of the plants (767 of them), as given in table 3.1. Data were then processed
to give failure rates and hole size distributions, and a cause distribution, and assembled into
the RELBASE data base (ref.5).
Over 3000 releases with offsite consequences were recorded for these plants.
One would expect smaller releases to be underrepresented in this data, but this does not
appear to be the case. Inspection of the data reveals very diligent reporting of even small
releases, and as will be seen later, the failure rates are at least reasonably consistent with
those from other sources, generally giving higher failure rates than other databases..
© J.R.Taylor 2010 21
QRAQ 4 Accident frequencies
By definition, the data given in RELBASE covers all the kinds of accidents, not just those
arising from leaks and ruptures. With only 3800 plant years covered by the data base, and
therefore only about ½ million vessels years. The rarest kinds of accidents are therefore
hardly covered by the database. To reduce the uncertainty from this source, large accident
data covering a 30 year period were incorporated into the data base. Accident reports were
obtained from CSB (ref. 16), US EPA (ref. 17), MHIDAS (ref. 18) and AIChE sources (ref
19), for the same plants as in the RELBASE data base.
The US RMP data were also supplemented with data from systems on which the author has
worked, including development of maintenance management and RBI systems, a total of 14
plants, which were used to derive failure rate data for small releases of flammable material,
i.e. the kind which would not give offsite consequences. The plants were selected to be
comparable with the US RMP data in the first instance, but data were added also to cover two
chemical waste plants and four fine chemicals plants.
Table 3.2 shows an example of the tables, with release size and causal breakdown of the
failure rates. The data is in spread sheet form, with an algorithm to help determine
susceptibilities of equipment to different failure types, and in this way to determine highly
plant specific failure rates. The method has not proved popular, largely because it requires
extensive background information about plant design and operation, something which is not
available to most risk analysts. (This in itself is an interesting observation since it implies that
it will be difficult to get accurate frequency calculations without intimate knowledge of the
plants. This is of course obvious to plant managers, supervisors and maintenance technicians,
but is rarely obvious to risk analysts). RELBASE in the form shown has been used in five
commercial QRA’s and six QRA’s made for study purposes.
To overcome the difficulties a simpler approach is used here, where the RELBASE data
tables are used to derive failure rates for a number of different service types. The data values
are given in table 3.4
© J.R.Taylor 2010 22
QRAQ 4 Accident frequencies
Release frequencies per metre year, Pipe < 3 inch
Failure cause Release Metres Frequency Susceptibility Safety Y/N Risk Safety Y/N Risk Safety Y/N Risk Assessed Justification of suceptibility evaluation
size barrier 1 reduction barrier 2 reduction barrier 3 reduction frequency
© J.R.Taylor 2010 23
QRAQ 4 Accident frequencies
© J.R.Taylor 2010 24
QRAQ 4 Accident frequencies
Table 3.4. Summary of RELBASE data. Piping data is for inter-unit piping. Data for vessels includes associated piping and instrumentation
FailureRates Leaks and Ruptures
Equipment type < 10 mm 10‐50 mm >50 mm Rupture Fire Explosion
Piping, general, <3" per m. yr. 4.94E‐05 4.93E‐05 4.48E‐05
Piping, general, 3‐11 " per m. yr. 8.68E‐04 1.62E‐03 2.85E‐04 1.25E‐05
Crude unit piping, <3" per m. yr. 1.58E‐04 2.60E‐05 1.60E‐05 ‐
Crude unit piping, 3‐11" per m. yr. 4.00E‐05 3.00E‐06 2.50E‐06 6.00E‐06
Crude unit piping, >11" per m. yr. 3.50E‐05 4.40E‐06 ‐ 9.30E‐06
Chlorine piping, <3" per m. yr. 1.47E‐04 7.82E‐05 5.98E‐05
Alkylation plant piping 3‐11" per m. yr. 4.33E‐05 2.51E‐05 4.50E‐06 5.20E‐06
LPG piping, <3" per m. yr. 1.58E‐04 2.60E‐05 1.60E‐05
LPG piping, 3‐11" per m. yr. 2.13E‐05 9.69E‐06 4.24E‐06 3.13E‐05
LPG pipe, >11" per m. yr. 3.50E‐05 4.40E‐06 ‐ 9.30E‐06
Ammonia piping, 3‐11" per m. yr. 2.13E‐05 7.55E‐06 6.65E‐06 6.89E‐06
Ammonia piping, <3" per m. yr. 5.46E‐04 3.60E‐05 5.31E‐05
Refinery small piping <3" per m. yr. 1.47E‐04 9.26E‐05 6.38E‐05
Fine chemicals SS piping 3‐11" per m. yr. 5.05E‐05 1.41E‐05 4.25E‐06 1.01E‐05
Fine chemicals SS piping <3" per m. yr. 2.16E‐05 4.40E‐06 2.32E‐05
Flange 4.70E‐06 2.93E‐05 1.09E‐04 2.80E‐03
Large flange, >11" 4.70E‐05 2.80E‐07 2.80E‐07 3.60E‐07
Manual valve 4.60E‐03 4.60E‐04
Control valve 6.90E‐03 6.90E‐04
Closed roof tank, chemical + 5.33E‐03 2.35E‐03 2.94E‐03 9.60E‐04 1.56E‐04 6.55E‐04
Closed roof tank, acid + 2.95E‐03 3.86E‐03 2.18E‐02 8.97E‐03 6.48E‐04 1.13E‐02
Closed roof tank, flammables 3.73E‐03 9.20E‐04 6.05E‐04 4.00E‐03 3.01E‐03 6.18E‐04
Floating roof tank 3.25E‐03 8.36E‐03 2.37E‐03 5.09E‐04 1.35E‐04 4.61E‐04
Loading arm, ship 2.12E‐04 1.50E‐04 1.48E‐04
Loading arm, truck 2.13E‐04 1.52E‐04 1.37E‐04
Loading hose, Ship 3.18E‐03 1.10E‐03 1.17E‐03
© J.R.Taylor 2010 25
QRAQ 4 Accident frequencies
FailureRates Leaks and Ruptures
Equipment type < 10 mm 10‐50 mm >50 mm Rupture Fire Explosion
Loading hose, truck 8.35E‐05 1.21E‐05 5.75E‐05
Centrifugal pump # 6.81E‐03 5.00E‐03 2.05E‐04 1.27E‐04 2.93E‐04 2.74E‐06
Reciprocating compressor 5.30E‐02 1.20E‐02 9.30E‐03 1.20E‐02
Centrifugal and axial compressors 6.70E‐03 1.76E‐03 8.30E‐04 7.60E‐06
Process vessel ++ 1.48E‐03 3.12E‐04 1.02E‐05 9.79E‐05 1.8E‐05
Storage vessel ++ 8.20E‐04 1.43E‐04 6.20E‐04 1.36E‐05 2.45E‐05
Gas /oil separator 1.49E‐03 3.66E‐04 2.73E‐05 3.30E‐04 1.22E‐05
Knock out drum 1.48E‐03 3.36E‐04 1.36E‐05 1.50E‐06
Distillation column ++ 2.50E‐03 3.00E‐04 1.00E‐05 2.00E‐04 5.00E‐05
Amine absorber column 1.20E‐02 7.00E‐04 3.20E‐04 1.10E‐04
Amine regenerator column 1.70E‐02 9.20E‐03 1.28E‐03 1.70E‐04
Heat exchanger, internal leak 3.40E‐02
Heat exchanger external leak 1.10E‐02 3.72E‐03 7.20E‐04
Heat exchanger stainless, internal leak 4.9E‐03 2.20E‐03
Heat exchanger stainless external leak 5.80E‐03
Continuous reactor * 2.76E‐03 5.81E‐04 9.77E‐04 2.65E‐03 5.46E‐03
Reformer 8.37E‐04 6.73E‐04 3.14E‐04 4.19E‐04 1.20E‐04
Hydrotreater 1.48E‐02 1.32E‐02 1.19E‐02 3.10E‐04 2.30E‐04
Hydrocracker 1.70E‐02 1.64E‐02 1.82E‐02 5.70E‐04 4.70E‐04
Batch reactor (kettle type) * 5.17E‐02 1.31E‐02 6.09E‐03 0.00E+00 4.51E‐03 2.13E‐03
Scrubber (chemical plant) ** 2.43E‐03 6.00E‐05 1.22E‐01 1.00E‐03 1.00E‐04
* Explosion only if reaction is exothermic
** Explosion if there are flammable gases or vapour
+ Explosion or fire only if there is flammable present or can enter the tank
++ Explosion is BLEVE type
# Fire actually caused by the pump
© J.R.Taylor 2010 26
QRAQ 4 Accident frequencies
Figure 3.1 Typical data which can be extracted from a well operated maintenance data base
Much more precise analyses can be made for specific plants if a detailed hazard identification
is performed, and detailed quantification of frequencies is made the significant accident
© J.R.Taylor 2010 27
QRAQ 4 Accident frequencies
scenarios. For petroleum and chemical plant, this generally means using HAZOP, HAZID,
safety layout review and a human error analysis method such as action error analysis (AEA).
These allow accidents arising from deviations in raw materials, process flow disturbances,
utility failures, external event, control failures, operation errors and maintenance errors to be
taken into account, as well as leaks and ruptures from pipes and vessels.
Such analyses are typically carried out in parallel with QRA in current commercial practice,
partly because full HAZOP and AEA analyses are quite time consuming and because
quantification is even more time consuming, and partly because in design studies, the timing
of projects is disturbed if the QRA must wait for completion of HAZOP’s.
In the present project, these problems were overcome by use of advanced HAZOP and
human reliability analysis tools, which allow rapid and highly systematic HAZOP and Action
Error Analyses to be carried out (ref. 20) and quantified. The approach also allows generic
HAZOP studies to be customised at the early design stages according to the design and safety
systems philosophy chosen for the new plant
Data is needed for this kind of study. The most readily available source is OREDA database.
This does not give very much data on release frequencies, but it does give good data for
failures of pumps, valves, compressors, control instruments and safety systems. The data is
directly applicable for North Sea oil and gas applications, but comparison studies show that it
is reasonably applicable for other areas as well (ref. 5). Unfortunately, the original data
collection did not use a systematic failure mode and affected part classification, and mixed
degree of failure with mode class. Since the fourth edition, the original data set has been
supplemented by a failure mode distribution and an affected equipment part classification for
groupings of similar components. This allows the kind of information needed for HAZOP
and FMEA to be retrieved.
The OREDA data for safety systems is somewhat out of date now, at least for new
equipment, since the requirements of the IEC 61508 standard have led to significant
improvements in reliability. Up to date data can be obtained from manufacturers SIL
qualification certificates, many of which are openly published. The EXIDA data collection
provides a systematic record for this data (ref. 21).
There is a need, in detailed analysis, for information about leaks and ruptures. The parts
count data described in section 3.1 or the unit process level data described in section 3.2 can
be used for this, but the data is not pure “component leakage and rupture data”. The HRDC
data includes releases caused by operator error, and the RELBASE data includes releases due
to all kinds of causes including overpressuring, external fire, earthquake etc. It is possible to
“clean” this data, by going back to the source in the case of HRDC data and by selecting
susceptibilty values appropriately for the RELBASE data. This has been done in the
HAZLOG system used to assess the detailed analysis approach in this study.
A very wide range of data is needed in order to be able to analyse process plant accident
frequencies at the detailed level. Types of data include:
Data on disturbance in the process itself such as filter clogging, variations in raw
materials or feed, foaming
© J.R.Taylor 2010 28
QRAQ 4 Accident frequencies
Data on component failures. For the process equipment, this is the same kind of data
Data on plant disturbances arising from control failures, safety instrument spurious
as for parts counting and unit process data.
Data on human error leading to plant disturbances (such as closing the wrong valve)
Data on human error in not responding correctly or quickly enough to plant
Data on safety system failure rates (this is needed for all kinds of accident frequency
disturbances
Data on the frequency of external events such as crane ands truck crashes, internal
latent failures.
Data on construction errors, such as using the wrong materials or installing a valve the
transport spills and dropped objects
This list covers the types data which is needed. Whether all this data can be supplied is
another question, but table 3.5 should go some way to filling the gaps.
Table 3.5 gives a fairly broad range of data for detailed analysis. The data were derived from
maintenance data for nine plants which were subject to in depth HAZOP analysis and
subsequent monitoring of failure rates for safety critical equipment. The HAZOP’s, design
review and historical studies which were used as a basis for the data table are listed in ref. 22.
The values are given according to HAZOP key words and causes.
Table 3.5 does not completely cover the range of problems which can be identified at the
detailed level. Design errors leading to equipment weaknesses or latent failures are not
covered. II have never been able to discover a way of including these properly into a QRA. If
you can identify them, you should be able to eliminate them, but even with all the safety
analyses performed today, they still seem to persist.
One thing which must be realised about detailed data for HAZOP quantification is that it is
extremely difficult to give precise values for event frequencies. The difficulty goes far
beyond that of the difficulties of data collection and of statistical uncertainty. There is a very
large variation in the actual values themselves. As an example, what is the frequency of raw
materials being contaminated when delivered? The answer depends on what raw material,
and what physical possibilities there are for contamination and on what quality control
procedures are in place. Add to this the problem that the extent of the problem may depend
on the degree of contamination, and the quantification exercise has developed into a nice
little research project.
Nevertheless, it is possible to give some guideline values for event frequencies, provided that
these are hedged with conditions and cautions about the data use. For operating plant,
operators and maintenance crews can often confirm or correct values, even though it is
extremely challenging to try to extract values from them directly.
© J.R.Taylor 2010 29
QRAQ 4 Accident frequencies
The data in table 3.5 were derived from follow up of hazop studies on 32 plants, for which
hazops were made between 1980 and 1998, and for which follow up data is available for
between 10 and 30 years. The plants include fine chemicals, bulk chemicals, refineries, oil
and gas terminals, soya oil extraction, petrochemical and chemical waste plants. The hazops
were made on individual plant units, but over time came to cover the complete plants, so that
in all some 250 hazop studies were made. The follow ups were made by interviews with
operators and maintenance crews, review of incident and near miss reports, and in some cases
by review of maintenance and operations logs (not too many of these, they take a long time)
Why bother with such detail? The fact is that for an actual plant, the risk level can deviate
enormously from the values calculated in a parts count based QRA. Operators know this, and
generally have much more respect for a well carried out hazop study than they do for a QRA.
It is of little help if the QRA indicates that the frequency of large releases is 1*10-3 per year,
and the company can show several incidents which have occurred over the last 10 years. This
has happened to the author quite frequently before starting to combine hazops and QRA. It is
of no help at all to explain that the QRA “does not cover that kind of accident”. If QRA is to
be used as a risk reduction and safety engineering tool, then it should deal with the problems
which exist, not just those which are easy to identify and calculate. (In the authors own
country (Denmark) regulations and regulatory practice require a combination of hazops and
QRA, but making the link between them seems to be rare in QRA practice elsewhere.)
© J.R.Taylor 2010 30
QRAQ 4 Accident frequencies
Table 3.5 Frequencies for detailed (hazop based) QRA (examples only)
Disturbance Cause Sub cause Precondition for application No of Items at Units Observ‐ Frequency py. Examples, Basis
of the data failures risk ation (per km yr for
observed Period, pipes in some
yr. cases)
Pipe
High pressure Shut in and solar Large pipes, with no relief, or 2 12.4 km. 32 0.005040323 Oil and product transfer
heat failed relief, esp. with light pipes in two oil terminals
products two ruptures, one OP
relief
Cryogenic lines, shut Pipes with no thermal relief 1 0.65 km. 1 Failed at first
down and ambient (design error) shutdown
heating
Shut in and fire Pipes exposed in the fire zone 5 pipe Frequency of Large fire in one solvent
fire tank farm. Pipes on raks
above the edge of the
bund were not damaged
by the fire.
Shut in and reaction pipes with dilute acid, 7 37 pipe 12 0.015765766 Fretiliser plant acid pipes,
between acid ans incompatible with steel. due to lining failure
steel
Dicharge valve Only if the drain line is 1 22 pipe 7 0.006493506 One case, operator closed
closure on drain line specced for low pressure and pipe to API separator
on live separator the line because too much oil was
coming through, one
plant
Dead head pumping closure of discharge Only if there is no pump 1 98 pipe 12 0.00085034
valve. bypass or relief or if this fails
Plugging of discharge Plugging must be possible. 2 24 pipe 16 0.005208333 Ammonium nitrate plant
The pump usually ruptures and pitch plant
too
Low Cold weather Cold enough to freeze Possible forgetting to 17 320 km. 12 0.004427083 Water supply and steam
temperature water, and no water circulate in vulnerable pipes, condensate lines on 6
circulation including steam condensate plants
line
© J.R.Taylor 2010 31
QRAQ 4 Accident frequencies
Table 3.5 Frequencies for detailed (hazop based) QRA (examples only)
Disturbance Cause Sub cause Precondition for application No of Items at Units Observ‐ Frequency py. Examples, Basis
of the data failures risk ation (per km yr for
observed Period, pipes in some
yr. cases)
Pressure reduction Expansion cooling, JT Only if expansion can take 1 17 km. 24 0.00245098 Relief lines on LPG plant
cooling the temperature below the
brittle transition point
Flashing LPG, 3 642 km. 24 0.000194704 Observed via accident
Propane, butane, investigations, 3 LPG
ethylene, HC terminals
condensate etc.
Low pressure Vapour Vapour such as steam or 0 240 km. 12 < 0.000347 2 BTX plants, 4 gas
condensation on pentane, solvent vapour etc condensate plants.
shut in vapour line which can condense. Be wary
of "atmospheric" piping.
Rapid shutdown or Only on large pipes e.g. plant 1 16 km. 2 0.03125 Two large plant cooling
pump trip cooling systems which cannot water systems
tolerate vacuum and which
have under‐dimensioned or
failed vacuum valves. Analyse
also vacuum valve failure
Rapid upstream Only on large pipes e.g. plant 1 16 km. 2 0.03125 Two large plant cooling
valve closure cooling systems which cannot water systems
tolerate vacuum and which
have under‐dimensioned or
failed vacuum valves. Analyse
also vacuum valve failure
No flow, low plugging pipes with sludge, solutions 74 146 pipe 12 0.042237443 Fertiliser plant, refinery
flow susceptible to plugging, with and 2 ethylene plants.
wax or napthenic acids, Much higher rate for
carbonate or silica deposits. polyethylene loop
reactors (one per year
highest observed).
Probably better
calculated as "time to
plugging"
© J.R.Taylor 2010 32
QRAQ 4 Accident frequencies
Table 3.5 Frequencies for detailed (hazop based) QRA (examples only)
Disturbance Cause Sub cause Precondition for application No of Items at Units Observ‐ Frequency py. Examples, Basis
of the data failures risk ation (per km yr for
observed Period, pipes in some
yr. cases)
Pipe leak or Generic See HRDC or RELBASE
rupture
Hammer Rapid filling against a Long pipes 2 65 pipe 14 0.002197802 Cubatao, 1985
partially closed valve
Rapid filling of pipe Primarily a problem on longer 0 65 pipe 22 0.000699301
with an elbow pipes
Overflow of liquid 1 36 pipe 5 0.005555556 Milford Haven, 1994
into a gas pipe or
flare header
Pick up of a slug of Large steam condensate lines 2 4 pipe 12 0.041666667 fertiliser plant and
condensate in a and wet HC gas lines ethylene plant
vapour flow
Filling of a gas filled Filling against a closed valve, 1 14 pipe 18 0.003968254 Pesticide plant using
pipe with liquefied with no nitrogen cushion chlorine
gas
Rapid closing of a Check the possibility using 1 17 pipe 24 0.00245098
valve while liquid is the hammer equation
flowin g
Pumping of a liquid Only if vapour pocket is 1 17 pipe 24 0.00245098 One oil terminal with
with a vapour pocket possible e.g. due tu solar many incoming lines. Did
through a constriction heating of unstable crude in a not actually rupture but
pipe, or poor flow measurement orifice
was dished
Collapse of a flow Pipelines which are routed 1 12 pipe 32 0.002604167 One very long pipeline
separation pocket over a mountain pass
Filling a pipeline in Run down from elevated 1 7 pipe 14 0.010204082 Fertiliser plant
which there is a vessel
Pig trap Opening under Failure of pressure 2 69 12 0.002415459 Eight oil fields
pressure indicator
Block valve passing 1 69 12 0.001207729 Eight oil fields
© J.R.Taylor 2010 33
QRAQ 4 Accident frequencies
Table 3.5 Frequencies for detailed (hazop based) QRA (examples only)
Disturbance Cause Sub cause Precondition for application No of Items at Units Observ‐ Frequency py. Examples, Basis
of the data failures risk ation (per km yr for
observed Period, pipes in some
yr. cases)
Pig jammed in pipe or 3 32 12 0.0078125 Eight oil fields
valve
Error, inadequate 1 32 12 0.002604167 Eight oil fields
venting
High outflow Upstream blockage 2 32 12 0.005208333 Eight oil fields
which suddenly clears
Liquid not effectively 0 69 12 0.000603865 Eight oil fields
drained from trap due
to drain blockage
Liquid not effectively 0 69 12 0.000603865 Eight oil fields
drained from trap due
to operator error
Pyrophoric iron Forgetting to wet 2 69 12 0.002415459 Eight oil fields
sulphide scale down the scale
ignition
Not expecting 69 12 0.000603865 Eight oil fields
pyrophoric scale
Rupture Door failure 1 69 12 0.001207729 Eight oil fields
Hammer due to Gas pipelines or pipelines 69 12 0.000603865 Eight oil fields
arrival of a which have been air or
condensate slug nitrogen filled
Eight oil fields
manifold Overpressuring Failure of upstream 1 79 1 0.012658228 Eight oil fields
pressure regulation
© J.R.Taylor 2010 34
QRAQ 4 Accident frequencies
Table 3.5 Frequencies for detailed (hazop based) QRA (examples only)
Disturbance Cause Sub cause Precondition for application No of Items at Units Observ‐ Frequency py. Examples, Basis
of the data failures risk ation (per km yr for
observed Period, pipes in some
yr. cases)
High pressure source Evaluate high pressure 2 79 1 0.025316456 Eight oil fields
upstream possibilty upstream
Oil and gas or Twelve oil fields
three phase
separator
High Fire Evaluate fire Determine fro fire risk 2 168 per 10 0.001190476
temperature frequency assessment. 0.01 per year for vessel
an oil plant unit is typical
Low Cold weather Quite unlikely to be 1 34 per 10 0.002941176 One water drain froze
temperature significant except in arctic vessel and cracked
conditions
High pressure High pressure on Analyse upstream systems 0 per
inflow line vessel
High pressure in Analyse level control fail high, 2 168 per 10 0.001190476
second stage lower valve fail open, and failure of vessel
pressure separator any LSLL if installed. Typical
due to blow by assumes LSLL is provided.
High pressure due to Only if the discharge (gas) per 0.00001 RELBASE, Cox, Lees and
fire manifold can be vessel Ang
overpressurised, BLEVE due
to jet fire
High pressure due Only if the discharge Only if the oil high pressure 0 per
back flow fromgas manifold can be and low pressure separators vessel
discharge overpressurised have a common gas
discharge line or common
drain.
High pressure due to Only if the oil hig Rarely a hazard. Back flow per
oil back flow from pressure and low can occur to a shut down vessel
discharge pressure separators separator if it is not properly
have a common isolated and there is a
discharge line or passing valve. See valve
© J.R.Taylor 2010 35
QRAQ 4 Accident frequencies
Table 3.5 Frequencies for detailed (hazop based) QRA (examples only)
Disturbance Cause Sub cause Precondition for application No of Items at Units Observ‐ Frequency py. Examples, Basis
of the data failures risk ation (per km yr for
observed Period, pipes in some
yr. cases)
common drain. failure rates.
© J.R.Taylor 2010 36
QRAQ 4 Accident frequencies
3.5 Equipment failure data
As described above, there are several accident types which are caused by failures of
control systems, cooling pumps for batch reactors, etc. and most involve some
failures of safety measures Some data for this is given in table 3.6. and 3.7. The data
are derived from plant maintenance data bases for 7 installations over 4 years.
Exposure data are from field observations and evacuation data are from observations
of well organised emergency exercises in refineries and gas processing plants, plus
one petrochemical complex.
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
Table 3.7. Control failures as initiating events
Failure modes for control equipment OREDA pr. yr. Rule of thumb fr.
pr.yr.
Level control valve failure, failure to regulate 0.10836 0.1
Level control valve failure, failure to close on 0.00639 0.01
Level control valve failure, failure to open on 0.00639 0.01
Level control valve failure, fail open 0.06824 0.01
Level control valve failure, fail closed 0.06824 0.01
Level control failure, leak over seat 0.02208 0.02
level control valve, Plugged 0.00639 0.01
Level sensor, float, fail hi 0.01367 0.01
Level sensor, float, fail lo 0.01367 0.01
Level sensor, float, fail stuck 0.0078 0.01
Control valve, globe, all, External leak 0.00797 0.01
Control valve, globe, all, Fail to close 0.02199 0.02
Control valve, globe, all, Fail to open 0.01051 0.01
Control valve, globe, all, Fail to regulate 0.04065 0.04
Control valve, globe, all, Passing 0.00613 0.01
Control valve, globe, all, Spurious operation 0.00219 0.002
Control valve, globe, all, Structural defect 0.00315 0.003
Control valve, globe, all, Plugged 0.00245 0.002
Control valve, globe, air, Fail to close 0.01962 0.02
Control valve, globe, air, Fail to regulate 0.11765 0.1
Control valve, globe, air, Passing 0.00981 0.01
Control valve, globe, condensate, Fail to close 0.33288 0.3
Control valve, globe, condensate, Fail to regulate 0.33288 0.3
Control valve, globe, flare, Fail to close 0.04774 0.05
Control valve, globe, flare, Fail to open 0.02383 0.02
Control valve, globe, flare, Fail to regulate 0.04432 0.04
Control valve, globe, flare, Spurious operation 0.02383 0.02
Control valve, globe, gas, External leak 0.01349 0.01
Control valve, globe, gas, Fail to close 0.04538 0.05
Control valve, globe, gas, Fail to open 0.02111 0.02
Control valve, globe, gas, Fail to regulate 0.05493 0.05
Control valve, globe, gas, Spurious operation 0.00315 0.003
Control valve, globe, gas, Passing 0.00245 0.002
Control valve, globe, crude oil, Fail to close 0.00639 0.006
Control valve, globe, crude oil, Fail to open 0.00639 0.006
Control valve, globe, crude oil, Fail to regulate 0.10836 0.1
Control valve, globe, crude oil, Structural defect 0.0099 0.01
Control valve, globe, crude oil, Passing 0.01953 0.02
Control valve, globe, crude oil, Plugged 0.00639 0.006
Control valve, globe, crude oil, Spurious operation 0 0.01
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
Table A 3. Failure rates and PDF for SIL certified equipment (typical)
DC % Failure rates FITS
L Ls Lsd Lsu Ldd Ldu
Rosemount, level switch, SIL 2 suitable 303 663 66
Rosemount radar level sensor 1262 775 492
Rosemount pressure xmtr 227 351 126
GM, High integrity relay 198.6 1.6
GM, Trip amplifier 11 772 28 25
GM, Trip amplifier, relay and 4‐20 ma
out 53 60 89
GM, isolating repeater 201 201 47
Stahl
Detcon, IR 700 IR flammable gas
detector 1087 363 112
Detcon, DM 700 Oxygen detector 242 4768 553
Detcon, FP 700 Flammable gas detector 383 4738 559
Detcon, DM 700 H2S gas detector 405 387 83
Micromotion coriolis flow sensor 700 2494 593
E&H HART temp xmtr. 136 183 128 117
E&H dP xmtr. 52 to 928 175 0 to 876 57
Neles ESD valves
D1F series ball valves
D2 series ball valves 240 Metal seated
MBV 4” 77
D2D 16” ESD 76 75
D2D 16” ESV 91 75
X series ball valves 70 Metal seated 1630
X series ball valves 30 Soft seated 3800
VG valve controller 55,3 Certified by
TUV
Fisher Vee ball 1401 765
Fisher Vee ball with partial stroke test 1827 180 159
Flo Serve maxflo 3 2664 1334
Virgo N series Trunnion ball valve 604
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
Earlier that morning, under the direction of a Tosco maintenance supervisor, workers had
removed a section of corroded naphtha piping 112 feet up the tower, near where the piping
joined the fractionator. But things had not been going as planned. When a second cut was
made 26 feet below the first, petroleum naphtha – a volatile hydrocarbon mixture that ignites
spontaneously at 450°F – began to ooze out and workers had to immediately reseal the pipe.
After breaking for lunch, the workers climbed 40 to 100 feet up scaffolding alongside the
tower. They tried to drain the piping system of naphtha by opening a pipe flange 36 feet up
and directing the leaking fuel into a vacuum truck using makeshift plastic sheeting and a
bucket.
The operation proceeded without apparent problem for 30 minutes, when suddenly a large
volume of naphtha, propelled by vapor pressure from the operating fractionator, shot out of
the open pipe overhead, spraying the workers. For the five men high on the scaffold, there
were few avenues of escape as the hot surface of the fractionator ignited the naphtha,
engulfing them in flames.
Almost two weeks before the accident, on February 10, operators had observed a naphtha leak
coming off the fractionator, which they treated as an emergency at the time. Workers located
a pinhole leak in the naphtha piping 112 feet up and closed a series of valves in an effort to
eliminate it. But the leaks kept recurring. In succeeding days, one attempt after another failed
to completely staunch the flow of naphtha. Shut-off valves malfunctioned repeatedly, and
drain valves were found to be clogged beyond use or repair.
Ultrasound and X-ray tests were ordered, and these revealed that both the piping and the
valves were severely corroded and needed to be replaced. Although the unit operator
argued for shutting down the process before attempting to replace the deteriorated piping, a
maintenance supervisor decided to do the job while the hot fractionator continued to run. This
fateful decision did not receive any oversight or scrutiny from the facility’s management.”
[Investigation Digest, Tosco Avon Refinery Fire, 1999, Chemical Safety Board]
This accident is fairly typical of a number of refinery accidents which have dominated
the major hazard event frequencies in recent years. It describes a case of “risk
blindness”, one of about 30 characteristic patterns in human contributions to
accidents. There have been about 10 major hazards accidents in US refineries since
2005, giving a frequency of 3*10-3 or one per 300 years per refinery, most involving
human error of one kind or another. Some of the refineries have very good
performance, so overall there are probably some refineries with a major hazards event
frequency of 1 per 50 to 100 years. The Chemical Safety Board has commented on
this.
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
reasons for this are twofold. Firstly, no human error analysis is generally made (in
contrast, for example, to the nuclear industry). Secondly, major hazards events of
these types are not included in the data bases used to derive event frequencies. There
are a few such accidents in unit process failure frequency databases such as the
RELBASE data set, but they do not figure largely the frequency data. Although the
human error events are rare when compared for example with pump leaks, they
dominate the major accidents because they often bypass the safety measures which
cover accidents are caused by equipment failure.
In actual fact, even if such accidents were included into QRA data bases, the QRA
results would not be correct, because the data comes from companies with poor
operational, maintenance and integrity procedures, while high quality QRA’s are
usually made by companies with good procedures. Such companies would only
experience events of the kind described above as a result of mistakes rather than
continuing bad performance i.e. at a much lower frequency than the 1 per 300 years
calculated above. It seems likely though, from personal experience, that the majority
of major hazards accidents would arise from human error, even on well managed
plant (of some 50 major accidents investigated, one did not involve human error).
Lack of human error analysis renders QRA results suspect. A separate report in this
series is intended to provide a reasonably effective approach to such assessments (ref.
23). The report takes into account defects in process safety management, as well as
operator and maintenance error.
One thing is underlined by the example - QRA results do not apply to process plant
which is badly operated, has poor maintenance practices, or has poor integrity
management. The only way the author can see around this difficulty is to require
good safety management, as a precondition for belief in the QRA results. This may
not remove the need for human error and safety management analysis, but it would at
least make the need less critical.
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
4. Comparison of Approaches
4.1 Comparison of QRA’s for a refinery crude
unit
In order to investigate whether the different approaches to setting frequencies are
significant, the three approaches, parts counting, unit process, and hazop based were
tried on a type of unit for which overall event frequencies are well known. The type of
unit selected is a refinery main crude distillation unit. All refineries have at least one
of these, some (the largest) have as many as six.
A typical design was chosen, and a risk assessment was made for the units in a
“virtual refinery”, NATREF, which exists only on computer for the purposes of
evaluating risk analysis methods. The design is bases on an actual refinery. Two crude
units were assumed.
Some readers may be surprised by the proximity of residential areas to the refinery in
the figures in this chapter. The location is typical of many in the Los Angeles area.
Other virtual refinery locations have been considered, but this one is convenient for
assessing third party impacts.
In setting up the data for the analyses, it was found that the parts count data, based on
HRDC data base, gave a frequency of releases quite similar to the unit process
approach. The risk as calculated turned out to be higher for the unit process approach
because of the wider range of accident types taken into account, such as pump
explosions, overpressuring explosions etc., which are not included in the HRDC
database.
The hazop based assessment is based on detailed hazop analyses which were carried
out on the original crude units carried out by a team including operators, the unit
supervisors, and safety specialists. It includes accidents caused by process
disturbances as well as ones caused by releases. The data for releases themselves were
based on the parts count data, so the risk as calculated is by definition higher than for
the parts count approach. The accident frequencies were calculated using the
HAZLOG approach (ref.24) which allows HAZID and HAZOP results to be recorded,
and bow tie diagrams to be drawn automatically. Quantification of frequencies is also
automatic, based on the bow tie diagrams.
Three scenarios leading to major hazard events were identified by the hazop and
which are not included in any of the parts count frequency databases:
Escape of oil spray from an overpressure vent (with knock out drum)
disposing of relief from each of two desalters. The desalters are large vessel
(24 m3) containing heated crude oil and water, under pressure (in the actual
case 11 bar). In the actual design these were not relieved to flare because of
Jet fires can occur from the fire heaters, located alongside the crude units, with
the large liquid content.
a safety distance of 18 m.
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
Overpressuring of the flash drum due to failure of the flow control and failure
of the relief.
Results of the calculations are shown as iso-risk plots (location specific human risk)
in figure 4.1 to 4.3.
Figure 4.1 Fire and explosion risk as calculated by the parts count approach.
Table 4.1 shows some parameters of the results. The more refined methods obviously
give higher frequencies because they include more scenarios, and because the
frequencies for the scenarios which are common to the assessments are identical, or
nearly so. In many cases, the distances to the isorisk curves are similar, or even
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
identical, because the dominating scenarios at the risk level are the same and the
frequencies are the same.
Figure 4.2 Fire and explosion risk as calculated by the unit process approach
The main differences in the isorisk curves are the size of the area inside the 10-5 per
year curve is underestimated for the parts count method because of underestimation of
the BLEVE risk, and underestimation of the 10-2 per year area in the parts count and
the unit process approaches due to missing scenarios at pumps, the desalter vent, and
fired heater accidents. The range of these scenarios is only up to 300 m. so that the
effect is largely within the plant itself.
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
Figure 4.3 Fire and explosion risk as calculated by the hazop approach
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
5. Validation
This validation exercise is reproduced from the RELBASE report, volume 2, Issue 7
2009. The purpose is to compare the degree of agreement between QRA approaches
and world experience of actual accident frequencies. This is possible because of work
performed by UK HSE (ref. 25, Cox lees and Ang (ref.), and particularly, by Fryman
(ref.26) who determined accident frequencies for refinery units. The RELBASE
report gives results from several other validation studies in addition to the one
reproduced here.
Making predictions which can be compared with the whole plant statistics is more
problematic, because it involves:
Estimating the probability that a vapour cloud ignition will lead to a UVCE
In effect, a full quantitative risk assessment must be made for each type of process
plant considered. The prediction will depend on the UVCE model and the ignition
probability model.
In order to make the predictions here a hig quality GIS based process plant risk
assessment package (ref. 8), has been applied to an example refinery (based on actual
refinery experience, with a few simplifications, and with a layout specified for
simplicity, but following good plant layout practice. The UVCE model used is the
TNO multi energy model with the GAMES empirically based parameter selection,
using a map of congested refinery areas. Three ignition probability models were
investigated, the Purple Book values (ref 10.), the Atkins/HSE ignition source density
model (ref. 11) which is a forerunner for the Energy Institute JIP method, and a model
based on data originally developed for the IFAL method (ref. 12).
Manual application of the release data given in Ch. 7 to 21 would be far too heavy for
practical risk analyses of the scale of a refinery (194 vessels and tanks and 240 inter
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
equipment pipe sections are included in the analysis). Instead software for scenario
management (HAZLOG) was developed. This draws on the above data, and allows
scenarios to be generated and release frequency values to be allocated automatically
for vesssls, tanks, pumps and piping etc. Default values for susceptibilities and safety
measure unavailabilities can be set on the basis of plant type, unit type, equipment
type, service type (fluid, temperature, pressure). Each value can also be set manually.
The program allows the questions given in the earlier chapters to be displayed and
answers recorded, so that the assumptions underlying the calculations can be
documented. Full details of the calculation are given in ref. 13 .
In order to be able to provide some details here, an approximate calculation was made
for some of the refinery units. For presentation purposes, the calculation was
performed by:
2. Calculating release frequencies using the RELBASE values from the earlier
chapters.
3. Estimating the fraction of releases that could give releases large and hot enough to
give a vapour cloud (using the analysis in ref 13 as a basis)
4. Making an overall event tree for the releases, using probability data from the
literature to determine probabilities for ignition, fire fighting success etc
The assumptions underlying the event tree probabilities are standards from the 1980’s
and early 1990’s, so that, for example, very few emergency shutdown valves exist in
the units, just those at the battery limits. In the full analyses in ref 13, several event
trees are given for each vessel and all the larger pipes. Here, for brevity, just a single
summary event tree is given here. This means that some fairly large averaging
approximations are made here. The results are nevertheless reasonably compatible
with those in ref. 13.
For the crude unit, the event tree is given in figure 5.3 (see below). The unit
considered is just the atmospheric column, a prior flash column, a kerosene and gas
oil column, three receivers, a fired heater, eleven heat recovery/cooler heat
exchangers, three fin fan coolers, associated transfer and reflux pumps, and piping.
No desalters are included in the analysis, which may affect the large fire frequencies,
but is unlikely to affect the UVCE frequency
.
For the alkylation unit, a UOP style design is assumed, with an isobutane and propane
feed drum, a reactor vessel, a hydroflouric acid settler vessel, unreacted naphta
stripper column, product receiver, HF stripper column, KOH treater, and associated
piping and pumps. Details of hydrogen fluoride handling equipment have been
omitted here, because the only validation base available. A very high standard of
maintenance and inspection is assumed for the plant, even when the standard is
assumed to be from the 1980’s. The reason for this is that hardly any alkylation plant
has ever been operated with a poor standard, staffs who do not maintain a high
standard on these plants do not live long. There is a possibility of thermal runaway in
an alkylation reactor, due to cooling failure. The probability of this was assessed
separately, in a fault tree analysis.
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
The resulting frequencies for UVCE are compared in table 5.1 with those derived by
Fryman in ref. 6. The two sets of results are more or less completely independent
because the Fryman data was collected before the USRMP data period, and because
two different populations of refineries were considered. Note that the comparison is
very dependent on assumptions about ESD provision, on layout of the plants, and on
the ignition model used. Precise correspondence is therefore not to be expected, and
one of the values must be regarded as coincidentally very good.
As a cross check, the frequency for a major (prolonged) fire in a refinery crude unit is
calculated in the fault tree to be 1.05*10-3 per year. Cox, Ang and Lees (ref. 28 ) give
values for large fires, with over $1 million in losses, of 6*10-2 per refinery year. With
typically 10 to 20 units in a refinery, the resulting frequency for fire in a single unit is
4*10-3 per year. This comparison is not good, but not surprising considering the
number of differences in assumption involved, and the differences in definition of
“large fire”.
Comparing the results above from the RELBASE report with those in this report (Ch.
4), figure 5.1 shows the calculated UVCE risk for the two crude units from Ch. 4. As
can be seen the peak risk from UVCE’s is about 5*10-4 per year (with the calculation
being completely automated), with results very close to those of Fryman. The
agreement is much closer than could be justified by the known uncertainties, and is
certainly to some extent coincidental. Comparisons for other unit types in the
RELBASE report show discrepancies of typically a factor 2, sometimes by a factor 3,
(see table 5.2 below).
What can be concluded is that predictions can be made with much better accuracy
than for the order of magnitude seen in earlier benchmark studies, and this improved
accuracy can be achieved using a fixed, and therefore repeatable, analysis algorithm.
Comparing the fire risk in figures 5.2 and 5.3, with the Cox, Lees and Ang statistics,
The peak of about 1*10-2 per year per crude unit seems compatible with 6*10-2 major
fires per year for a refinery, but the uncertainties in defining the size of a refinery, and
determining damage cost, means that consistency can only be confirmed to within a
factor of 3 or so..
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
Figure 5.1 UVCE risk for the two crude units, calculated by the unit process approach
Table 5.2, an extended list of comparisons between QRA predictions and USA and
European statistics (ref. )
Unit type Frequency of UVCE, per year
Statistics from Fyman, ref 7 Predicted Ratio
and from ref. 6 Predicted/observed
Crude unit 4.9*10-4 5.45E-04 1.1
Alkylation unit 5.1*10-4 1.56E-04 0.31
Ammonia 0.21, all sources 0.036 0.051
synthesis unit, 0.12, excluding the 3 worst
ammonia plant
release 0.07 excluding 3 worst plant
and ammonia truck loading
Ammonia 0.057 0.04 0.70
synthesis unit,
releases, large
Ammonia 0.053 0.033 0.62
synthesis unit,
explosions
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
Figure 5.2 Fire risk for the crude units derived using the unit process method
Figure 5.3 Fire risk for the two crude units derived using the hazop method.
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
Medium or Release hot ESD Early Delayed Transition to Fire Impingement Consequence Frequency
large enough to give ignition ignition UVCE fighting on vessel
release, or vapour cloud effective
rupture
Frequency Fraction of No ESD Probability, Probability, Probability from Review of Geometric
per year total assumed for from IFAL from Games model cases in probability
80's, 90's unit Purple QRAQ 9 (estimate)
PFD Book, IFAL
0.065 0.16 1 0.22 0.28 0.24 0.95 0.2
Release N N N No fire
Y Y Short interval fire 1.13E-02
N N Prolonged fire 4.77E-04
Y BLEVE 1.19E-04
Y N N No fire
Y N Y Short interval fire 1.64E-03
N N Prolonged fire 6.90E-05
Y BLEVE 1.73E-05
Y UVCE 5.45E-04
Figure 5.4 Event tree for crude unit large fires and UVCE
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
Medium or Release hot ESD Early Delayed Transition to Fire fighting Impingement on Consequence Frequency
large enough to give ignition ignition UVCE effective vessel
release, or vapour cloud
rupture
Frequency Fraction of ESD on all Probability, Probability, Probability from Review of Geometric
per year total vessels with from IFAL from Purple Games model cases in ref probability
light naphtha Book, IFAL used in ref. 13 (estimate)
SIL1
9.26E-02 0.5 0.1 0.22 0.18 0.24 0.95 0.2
Release N N N N No fire
Y Y Short interval fire 6.17E-04
N N Prolonged fire 2.60E-05
Y BLEVE 6.50E-06
Y N N N No fire
Y N Y Short interval fire 4.69E-04
N N Prolonged fire 1.98E-05
Y BLEVE 4.94E-06
Y UVCE 1.56E-04
Figure 5.5 Event tree for large fires and UVCE in an alkylation unit
© J.R.Taylor 2010
QRAQ 4 Accident frequencies
6. Overall Conclusions
Sufficient risk analysis data exist today to allow quite high quality risk assessments. Some
lacunae exist in the available data, in particular for analysing the impact of human error. Data
for this does actually exist, buried in the data bases which use the unit process approach to
frequency calculation, but this data is averaged over many installations from which data was
obtained. This means that while the QRA results may be accurate on average, they may not
be accurate for a specific case where there are specific operational or maintenance
weaknesses.
It appears that good results, to within a factor of 2 or 3 of historical results, can be obtained in
QRA, using standard data and fixed, automated, and therefore repeatable risk analysis
algoritms.
To do this requires an upgrade in methodology from the simple parts counting approach
which is widely used in present day. The parts counting method was found to seriously
underestimate risk, and particularly to underestimate risk of large explosions. The reason for
the underestimate is the assumption that all major hazards accidents derive from leaks and
pipe ruptures. This is certainly far from the case. There are many scenarios which are not
addressed by the parts count method. In the review of 30 recent major hazards accidents in
table 2.1, only 40% were of types covered by the parts count methodology. Scenarios such as
overflow, tank explosion, vessel overpressuring explosion, reactor runaway, and liquid spray
from flares and vents are among the 20 or so types of scenarios which do not arise in parts
count based QRA’s.
It is worth reflecting why these kinds of accidents do not appear in parts count data bases. It
is largely because the accidents are much rarer than leaks. That they are nevertheless
important is because they are themselves much more violent than a leak alone. Leaks require
several more conditions to arise before they develop into a major accident. Rasmussen
described the occurrence of major hazard accidents as arising when all the holes in a stack of
Swiss cheese slices became aligned i.e. when all safety barriers were out of function.
Accidents such as vessel overpressure rupturing are important because although rare as
events in themselves, the “blast through all the slices of Swiss cheese “ in one go.
It would of course be possible to extend the parts count data bases to derive a more complete
form of analysis. This is effectively what has been done in the unit process approach.
Even the unit process approach though only allows “accuracy on average” to be achieved in
QRA, that is, accurate results provided you have a completely average plant. Hazop analyses,
and similar analyses such as layout safety reviews, operations safety analyses etc. allow
calculations to be far more precise for the specific plant, and can begin to approach “plant
specific accuracy”. One way of achieving this is to base all QRA calculations on hazop
results, as was done as one approach for the examples in Ch. 4. The cost of doing this could
be high, but can be reduced significantly if the quantification of the hazops is made
automatically, as in Ch. 4.
© J.R.Taylor 2010 53
QRAQ 4 Accident frequencies
Basing QRA’s on hazop and similar studies represents an ideal. As a simpler interim
measure, QRA’s should at least take account of all major hazards scenarios identified in
hazop studies, instead of these two kinds of studies being carried out without reference to
each other, as is common practice today.
In other words, the current most accurate and practical approach is to use the unit process
method, but to supplement it by adding plant specific scenarios from hazard and operability
studies.
Summary:
1. The parts count method needs to be upgraded to include accident scenarios which do
not involve leaks and pipe ruptures, such as overpressuring explosions and tank
overflows.
2. If this is done, the uncertainty in major accident frequency calculations can be
reduced on average, to a factor of about 2 or 3.
3. The frequency determination methods need to be extended to include input from
HAZOP studies. This will make the frequency calculations correspond more
accurately with the true risk for the specific plant.
4. Human error risks arising during operations and maintenance need to be accounted
for in QRA in order for the frequency calculations to be fully applicable for a specific
plant.
5. Data should distinguish between latent and immediate causes of accidents. When
calculating risk to operators and maintenance crews, different and generally much
higher exposure factors should be used than for immediate causes which are
independent of operator or maintenance crew presence.
© J.R.Taylor 2010 54
QRAQ 4 Accident frequencies
7. References
1. HSE (2002), “Offshore Hydrocarbon Release Statistics 2001”, HID Statistics Report
HSR 2001 002, Health & Safety Executive, and later web site publications at
www.hse.gov.uk
2. UK HSE, First Canvey Report, An Investigation of the Potential Hazards from
Operations in the Canvey Island/ West Thurrock Area, 1978, HMSO
3. UK HSE, Second Canvey Report, A Review of the Potential Hazards from Operations
in the Canvey Island/ West Thurrock Area Three Years After Publications of the
Canvey Report, 1981, HMSO
4. Munday, G. Phillips, H., Singh, J., Windebank, C.S. Instantaneous Fractional Annual
Loss, Basilea, 1980
5. J.R.Taylor, Hazardous Materials Release and Accident Frequencies for Process Plant,
Taylor Associates 2004, and 7th edition 2009
6. OREDA participants, SINTEF, Offshore Reliability Data Handbook, 5th edition, 2009
7. Chemical Safety Board, BP America Refinery Explosion, report 2007
8. Chemical Safety Board, Formosa Plastics Vinyl Chloride explosion, report 2007
9. Chemical Safety Board, Valero refinery propane Fire, report 2008
10. J.R.Taylor, Human Error in Process Plant Operations and Maintenance, 2010
11. N. Rasmussen, Reactor Safety Study, WASH 1400, 1974
12. Rijnmond public Authority Risk Analysis of Six Potentially Hazardous Objects in
The Rijnmond Area, Reidel, 1982
13. ICI Ltd. Process Plant falure and Accident Frequencies, Course Notes, 1982
14. National Centre for Systems Reliability, MAGPIE database, 1978-84
15. J.C. Belke, Chemical accident risks in US Industry. Int Conf. Loss prevention and
safety promotion in the Process Industries, Stockholm, 2000
16. US Chemical Safety Board, www.CSB.gov
17. US EPA, Chemical Emergency Preparedness and Prevention,
www.yosemite.epa.gov/oswer/ceppoweb.nsf
18. UK AEA, Major Hazardous Incident Data Service
19. AIChE, Loss Prevention Symposia, 1967-2010 and Ammonia Safety, Symposia 1970-
2010
20. J.R.Taylor, Risk Analysis for process plant, Pipelines and Transport, Spon, 1994
21. Exida, Safety Equipment Reliability Handbook - 3rd Edition, 2009
22. J.R.Taylor, Frequency data for HAZOP Quantification, 2009
23. J.R.Taylor, Human Error in Process Plant Operations and maintenance, To Be
published
24. J.R.Taylor, HAZLOG Software Users Manual, Version 7, 2010
25. Fryman, C.E., A Screening Methodology for Assessing Adequacy of Blast Protection
for Control Rooms and Other Onsite Buildings, Report No. 1993, 221031, BP
International Ltd, Sunbury, 1993, cited in Guidelines for Evaluating Process Plant
Buildings for External Explosions and Fires, CCPS, 1996
26. API, Reported Fire Losses in the Petroleum Industry for 1998
27. Pape, R.P. and Nussey, C. A Basic Approach to the Analysis of Risk from Major
Toxic Hazards, In The Assessment and Control of major hazards, I Chem E 1985
28. Cox, A.W., Lees, F.P. and Ang, M.L. Classification of Hazardous Locations, I Chem
E 1990
© J.R.Taylor 2010 55
QRAQ 4 Accident frequencies
29. Marsh & McClennan Protection Consultants (M&M PC), Large Property Damage
Losses in the Hydrocarbon Chemical Industries. A Thirty Year Review, 14th Edition,
M&M PC, 1992.
30. Dennis P. Nolan, Handbook Of Fire And Explosion Protection Engineering Principles
For Oil, Gas, Chemical, And Related Facilities, Noyes Publications, 1996
31. Davenport, J.A. A study of vapour cloud incidents, Loss Prevention and Safety
Promotion, Vol 4, I Chem E
32. J.R.Taylor, Accuracy in Quantitative Risk Assessment? 13th International Symposium
on Loss Prevention, Bruges, 2010
© J.R.Taylor 2010 56