5-Risk Assessment Methods For Vapour-Cloud Explosions


Prog. Energy Combust. Sci., Vol. 6, pp. 167-176. 0360-1285/80/0701-0167$05.00/0
Pergamon Press Ltd., 1980. Printed in Great Britain

RISK ASSESSMENT METHODS FOR VAPOUR-CLOUD EXPLOSIONS

L. CAVE
Pollution Prevention Consultants Ltd.,
Crown House, Eridge, Nr Tunbridge Wells, England

1. RISK ANALYSIS AND RISK ASSESSMENT

1.1. Some Definitions

There is a need to distinguish between the use of the term "risk analysis" in connection with risks arising from physical phenomena such as vapour-cloud explosions, and the risk analysis of large commercial ventures or construction projects to estimate the economic risks--it might be better if we referred to the former type as risk assessments. This paper is concerned mainly with assessment of the risks of physical damage, but nevertheless we do need to consider some economic aspects in order to keep a sense of perspective.

One other item of nomenclature needs clarification at the outset, namely the definition of "risk". In ordinary usage of the English language it can be a synonym of "chance" or "danger" or it can have a more specific meaning as a measure of some possible loss. It is rather unfortunate that in the well known reactor safety study directed by Professor Rasmussen in the United States (Ref. 1), risk was used in the narrow sense only. He defined the risk associated with a number of possible events "i" by the relationship

$$\text{Risk} = \sum_{\text{all } i} (\text{probability of event } i) \times (\text{consequence of event } i)$$

which, in fact, is defined in the older mathematical textbooks as the "expectation". Nevertheless the "Rasmussen Report" has been so widely read that in the nuclear safety field, at least, the use of the word "risk" in any other sense is likely to lead to confusion. It is preferable therefore to use "hazard" in the more general sense and to give "risk" this narrower meaning.

1.2. Deterministic Versus Probabilistic Assessment

Assessment of some of the hazards in relation to phenomena such as vapour-cloud explosions can sometimes be treated in a "deterministic" manner; i.e. it may be possible to show that it is physically impossible for a potential source of hazard to cause damage to some specific installation. However, in the great majority of cases the most that can be done is to estimate the probability of particular types of damage and then to compare the predicted risks to life and to property with some generally acceptable standard. Nevertheless, as discussed below, the difficulties of demonstrating the adequacy of the probability analysis and of agreeing on a standard of acceptable risk are such that it is always worthwhile to examine each of the potential hazards on a deterministic basis initially, so that as many as possible can be eliminated in this way. More generally, the deterministic approach also serves to bound the physical area in which the possibility of consequences need be considered.

1.3. Direct and Inverse Risk Assessment

The concept of evaluating technological risks on a numerical basis goes back to at least 1850, when George Stephenson sought to show that the railways of the United Kingdom were adequately safe by comparing the risks of rail travel with that of other forms of transport. Nevertheless, little use had been made of this approach prior to about 1960.

Consequently, much of the risk assessment work which has been carried out so far has been of a direct nature, in order to estimate the risk presented by an existing installation. This work is valuable in three ways:

(1) It shows where improvements to increase the safety of existing plant could best be made.
(2) It provides an indication as to the most economic means of achieving greater safety in new plant of a similar type.
(3) It gives some insight into the standard of safety which has been achieved in currently operating plant, and thus provides some guidance as to the standard of safety which might reasonably be achieved in future plant.

A further use of risk assessment, which may be called "inverse risk assessment", is to use similar techniques to define the reliability required from the main safety-related features of a new design. This approach can be particularly useful in cases where the design is relatively novel. However, an essential requirement in this application, which must be met at the outset of the design, is the definition in quantitative terms of the standard of safety which is to be achieved in the design. This provides the overall "reliability goal", or target, which serves as a starting point for the analysis needed to define the reliability which is required from the individual safety-related systems in order to achieve an acceptable standard. Although this concept has been
used extensively in the aerospace industries, and to a limited extent in the nuclear power industry (e.g. see Ref. 2), there has been a marked reluctance on the part of regulating bodies for other industries in most countries to define their requirements in this fashion. For example, in the United Kingdom it has taken some 15 years to get some recognition of the need to define the requirements for nuclear safety in this way, and even today those requirements are partially obscured by references to the need to achieve "that standard of safety which is reasonably practicable". However, in the chemical and petrochemical industries it does seem that the work of the Major Hazards Committee may lead to some clarification of requirements in the U.K. (Ref. 3). In Holland, also, this approach has been adopted in relation to some aspects of the chemical engineering industry (Ref. 4). The problems of defining an acceptable standard of safety are discussed in Section 8, below.

2. RISK ASSESSMENT PROCEDURES

Although this paper is concerned primarily with the risks presented by vapour-cloud explosions, it is desirable to look initially at the overall problem of risk assessment for complex installations, which could give rise to a variety of harmful consequences, in order to put those due to vapour-cloud explosions in perspective.

The main steps in a risk assessment are as follows:

Step 1. Identify potential sources of hazard to people, property and the remainder of the plant. The more important effects which are likely to need consideration are as follows:
    (1) Blast due to internal explosion;
    (2) Missiles;
    (3) Ground shock;
    (4) Fire;
    (5) Toxic gases or vapours;
    (6) Explosive gases or vapours.

Step 2. Determine the maximum distances at which the various types of damage could be caused in the most adverse circumstances, including the effects of sequential damage to the plant itself.

Step 3. Evaluate the consequences to people and property located within the area defined at Step 2 for a range of accidents of increasing severity, up to the maximum severity postulated at Step 2. In practice, "severity" can often be measured in terms of the numbers of units, such as storage tanks, involved in the accidents.

Step 4. Estimate the probability of occurrence for each of the accidents postulated at Step 3.

Step 5. Evaluate the risks to people and to property for each of the accidents postulated at Step 3, where "risk" is defined as above; i.e.

$$\text{Risk} = \sum_{\text{all } i} (\text{probability of event } i) \times (\text{consequence of event } i).$$

In this step it will be necessary to consider the risk to people separately from that to property, and it may be desirable to consider the general public separately from the plant personnel, and the plant damage separately from the damage to third-party property.

Step 6. Decide whether the estimated risk is acceptable, or whether the plant should be modified.

The methodology for each of these steps exists today and is outlined in later parts of this paper. However, it will probably be obvious that for a complex, potentially hazardous plant, the amount of analysis involved could be very considerable, whereas for a relatively simple source of risk such as a natural gas pipeline, the effort required could be less by a factor of ten or more.

In the nuclear-power field there have been several studies of this type, some as "direct" risk assessments of existing plants, such as the Rasmussen report referred to above; others have been made for nuclear power stations that have been fully developed without the use of reliability analysis, but not yet constructed, and there have been others of the "inverse" type in order to define the design. The Rasmussen study took some three years and cost some $3 million. However, a large proportion of the results can be applied directly to the evaluation of the risks from other nuclear plant of the same type.

In the United States, studies of this type have now become necessary to support planning applications for potentially hazardous non-nuclear installations such as LNG terminals: it has been said that risk assessment in the LNG field has now become a multi-million dollar business. It might be considered that this is carrying risk assessment to absurd lengths. However, it can be regarded as some measure of the resistance mounted by the environmental lobby in the United States.

In the United Kingdom there has been the major study carried out by Safety and Reliability Directorate, for the Health and Safety Executive, on Canvey Island (Ref. 5). This too was in the million-dollar class. Other, less extensive, studies have been made for installations such as the proposed petrochemical complex at Moss Moran, in Fifeshire, and its associated marine terminal. Some interesting studies have also been made of the interaction of individual complexes, such as refineries and steelworks on nuclear power stations, since the effects of sequential damage to the nuclear plant could be particularly serious.

In addition to these very elaborate analyses, using the approach outlined above, the insurance industry requires a quick and inexpensive method for estimating the risk presented by a specific plant. Two methods for doing this are described in Section 9, below.

3. IDENTIFICATION OF POTENTIAL SOURCES OF HAZARD

In principle, this should be the simplest part of the assessment. However, previous accidents such as those
at Flixborough and Seveso have shown that potential hazards which should be obvious may be overlooked. No set procedure can be visualized which will guarantee that all potential sources of hazard will be recognized--the most that can be done is to apply as much informed and imaginative thinking as possible in the design and risk assessment. The structured approach described in Section 6.1 below is of benefit here.

4. DETERMINATION OF CONSEQUENCE DISTANCE RELATIONSHIPS

It is convenient to consider separately each of the main types of consequence defined in Section 2, above.

4.1. Blast from Internal Explosions

For most potential sources of hazard which can give rise to high explosions, the maximum distances at which the blast from internal explosions would cause damage to particular types of property, or to other plant, are reasonably well known. Window-damage is a possible exception, as wind, atmospheric conditions and topography can lead to apparently anomalous effects at large distances. However, the consequences are unlikely to be serious.

It is unlikely that additional internal explosions due to sequential damage within the plant would follow quickly enough after the first blast-wave for the second blast-wave to coalesce with the first wave. However, the effect of a second blast-wave on a structure weakened by the first could extend the distance to which blast effects are significant.

4.2. Missiles

As in the case of blast from internal explosives, the maximum distances at which missile damage is to be expected are reasonably well known on a historical basis. In general, the direct consequences of missile damage outside an installation are relatively small, but in an industrial area the possibility of sequential damage must be kept in mind, as this could, in practice, increase the distance to which the consequences of missile damage extend.

4.3. Ground-Shock

Correlations between blast overpressure and ground-shock from high explosives are available which show that in general the consequences of ground-shock are less severe at a given distance. However, it is necessary to consider whether there are underground pipes--particularly if of cast iron or concrete--close to the site, and whether the sequential damage arising from their failure could add significantly to the consequences and thus increase the distance to which the effects of ground-shock could extend.

4.4. Fire

In evaluating the consequences of fire damage it is necessary to take into account several different situations. The principal ones are as follows:

(1) Fires in situ within the installation itself. In addition to the cost of the direct damage to the plant involved initially, it is necessary to consider the possibility of sequential damage to other plant in the same installation and, if the amount of flammable material is large, the possibility of damage to people and property outside the site boundary. In this context it is necessary to consider the effects of both thermal radiation and the dense smoke typical of hydrocarbon fires. The latter may cause deposits on the insulation of high-tension transmission lines that may lead to the loss of the system; this effect could extend outside the site boundary.
(2) The fire may spread in unexpected ways within the installation, particularly if large quantities of liquids are involved, as the bund-system may prove inadequate. In the latter case, if the installation is adjacent to a river or estuary, the formation of a large burning slick of oil on the water could extend the fire well beyond the site boundary, and this must be considered.
(3) If the installation has substantial quantities of flammable gases or readily vaporized flammable liquids stored on the site, the possibility of a gas- or vapour-cloud escaping from the site without being ignited must be considered, as subsequent ignition could increase greatly the extent of off-site fire damage. There is also the possibility that ignition could lead to explosion, as discussed later. Prediction of the maximum distance to which such clouds could drift before the concentration ceases to be flammable is difficult and is currently the subject of intensive investigation in the U.S. and other countries.

There is a substantial volume of experience relating to the effects of fires within chemical plants and oil refineries, from which the extent of the consequences can be judged. Less information is available concerning the distances to which off-site fire damage can extend, particularly in cases where there is a large escape of flammable vapour, whether it is ignited on or off the site; this lack of information reflects the relatively low probability of this type of event.

4.5. Toxic Gases or Vapours

The rates of decrease in concentration with distance for gases or vapours which have the same density as air are well established for the near-ideal conditions of a smooth, flat plain and a quasi-instantaneous or a continuous emission from a well defined source. However, if the ground is hilly or "roughened" by forests or urban development, or if the gases are heavier than air, it becomes difficult to predict reliably
the maximum distances at which dangerous concentrations could arise. A further difficulty is that in most practical cases the vapour will originate from the flashing-off of superheated liquid due to the fracture of a pressure vessel or from the evaporation of liquid spilt into bunds or on the ground. In these cases the rate of emission may be difficult to estimate. In practice, because of the large variation in these distances with weather conditions and wind direction, it is usually necessary to treat this type of accident on a probabilistic basis; by this means, the difficulty in predicting the maximum distance at which dangerous concentrations could occur becomes less important, since it is only one of several uncertainties.

4.6. Explosive Gases or Vapours

Prediction of the maximum distance at which significant damage could be caused by vapour-cloud explosions presents more difficulty than for any of the other consequences. Not only are there the same difficulties in predicting the maximum distance at which dangerous concentrations can arise as are encountered with toxic gases but, in addition, there are the uncertainties associated with the magnitudes of the blast overpressure and impulse which may be produced, their rate of decay with distance and the nature of the target response to a pulse which may be very different in shape from that due to a conventional high explosive.

However, in order to keep these difficulties in perspective, it should be noted that, so far as off-site consequences are concerned, the hazards to the public from burning of a vapour cloud over a populated area may be almost as severe as from its explosion. Moreover, if there are moderately toxic chemicals stored on the site, the hazard from these can extend to much greater distances, as the dangerous concentration may be lower by a factor of 100 or more.

4.7. Relative Importance of the Various Potential Hazards

The maximum distances at which significant consequences could arise from the various potential sources of hazard are summarized in Table 1, which is based on a nominal amount of 1000 tons in each case.

TABLE 1. Maximum distance from site at which significant consequences could result from accidents involving 1000 tons of material

Effect                                              Maximum distance
Internal explosion (causing 1 psi overpressure)     about 2000 m
Missiles                                            2000 m
Ground shock                                        less than 2000 m
Fire:
  (1) on site                                       about 0.5 km
  (2) drifting vapour-cloud                         about 5 km
Toxic gases or vapour (e.g. Chlorine)               over 10 km
Explosive vapour-cloud:
  (1) on site                                       about 1500 m
  (2) drifting                                      about 5 km

Some further insight into the relative importance of the various potential hazards is provided by Figs 1 and 2, which are based mainly on United States data and are taken from the Rasmussen Report.

[FIG. 1. Frequency of man-caused events with fatalities greater than N* (from Ref. 1). Horizontal axis: N, fatalities. (*Fatalities due to auto-accidents are not shown because data are not available. Auto-accidents cause about 50,000 fatalities per year.)]

5. EVALUATION OF CONSEQUENCES FOR SELECTED ACCIDENTS

5.1. Selection of "Accident Spectrum" Source Terms

For each of the potential types of hazard it is necessary to examine the design and layout of the installation in detail in order to decide, somewhat empirically, on the number of tank failures, e.g., which should be considered as the source term in any one accident. In practice, for a complex installation, such as a chemical plant, which has a variety of potential hazards, it is preferable to consider each type of potential hazard separately at this stage, as it is unlikely that there will be significant synergistic effects between separate consequences. The question of possible sequential effects within the installation, or on neighbouring installations, can be treated more satisfactorily as part of the probability estimating stage.
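Steps 2 to 5 of the procedure in Section 2, worked for a single off-site population centre, as an added example that is not part of the original paper. The distances are those of Table 1; the town, its 3000 m distance and the accident spectrum are constructed for illustration.

```python
# Added example (not from the paper): deterministic screening with the Table 1
# distances, then the expectation risk and the exceedance frequency of Figs 1-2.

# Table 1: maximum distance (m) for significant consequences, nominal 1000 tons.
# None means no upper bound is stated ("over 10 km"), so distance alone can
# never eliminate that hazard.
TABLE1_MAX_DISTANCE_M = {
    "internal explosion": 2000,
    "missiles": 2000,
    "ground shock": 2000,  # "less than 2000 m": 2000 m is a safe bound
    "fire, on site": 500,
    "fire, drifting vapour-cloud": 5000,
    "toxic gases or vapour": None,
    "explosive vapour-cloud, on site": 1500,
    "explosive vapour-cloud, drifting": 5000,
}


def screen(distance_m):
    """Step 2 (deterministic): hazards that can still reach a target at distance_m."""
    return sorted(
        hazard
        for hazard, limit in TABLE1_MAX_DISTANCE_M.items()
        if limit is None or distance_m <= limit
    )


# Steps 3 and 4, constructed data for a hypothetical town 3000 m from the site:
# (hazard, units involved, frequency per year, fatalities in the town)
TOWN_DISTANCE_M = 3000
TOWN_SPECTRUM = [
    ("fire, drifting vapour-cloud", 1, 1e-4, 10),
    ("explosive vapour-cloud, drifting", 1, 1e-4, 20),
    ("explosive vapour-cloud, drifting", 2, 1e-5, 100),
    ("toxic gases or vapour", 1, 1e-5, 200),
]


def check_spectrum(spectrum, distance_m):
    """Reject entries for hazards the deterministic screen has already eliminated."""
    reachable = set(screen(distance_m))
    for hazard, _units, frequency, fatalities in spectrum:
        if hazard not in TABLE1_MAX_DISTANCE_M:
            raise ValueError(f"unknown hazard: {hazard}")
        if hazard not in reachable:
            raise ValueError(f"{hazard} cannot reach {distance_m} m per Table 1")
        if frequency < 0 or fatalities < 0:
            raise ValueError("frequency and consequence must be non-negative")


def expectation_risk(spectrum, distance_m):
    """Step 5: Risk = sum over i of probability_i x consequence_i (fatalities/year)."""
    check_spectrum(spectrum, distance_m)
    return sum(freq * fatalities for _h, _u, freq, fatalities in spectrum)


def risk_by_hazard(spectrum, distance_m):
    """Contribution of each hazard type to the expectation risk."""
    check_spectrum(spectrum, distance_m)
    totals = {}
    for hazard, _units, freq, fatalities in spectrum:
        totals[hazard] = totals.get(hazard, 0.0) + freq * fatalities
    return totals


def frequency_exceeding(spectrum, distance_m, n):
    """Frequency per year of events with fatalities greater than n (as in Figs 1-2)."""
    check_spectrum(spectrum, distance_m)
    return sum(freq for _h, _u, freq, fatalities in spectrum if fatalities > n)


def fn_curve(spectrum, distance_m):
    """Points (N, frequency of more than N fatalities) at each consequence level."""
    levels = sorted({0} | {fatalities for _h, _u, _f, fatalities in spectrum})
    return [(n, frequency_exceeding(spectrum, distance_m, n)) for n in levels]


if __name__ == "__main__":
    print("hazards reaching the town:", screen(TOWN_DISTANCE_M))
    print("expectation risk:", expectation_risk(TOWN_SPECTRUM, TOWN_DISTANCE_M))
    for hazard, risk in risk_by_hazard(TOWN_SPECTRUM, TOWN_DISTANCE_M).items():
        print(f"  {hazard}: {risk:.1e} fatalities/year")
    for n, freq in fn_curve(TOWN_SPECTRUM, TOWN_DISTANCE_M):
        print(f"  more than {n} fatalities: {freq:.1e} per year")
```

With these constructed figures the rare toxic release contributes as much expectation risk as the more frequent vapour-cloud fire and explosion cases, which the single summed figure hides and the exceedance curve shows.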

[FIG. 2. Frequency of natural events with fatalities greater than N (from Ref. 1). Horizontal axis: N, fatalities. Curve label: 100 nuclear power plants.]

5.2. Evaluation of Environmental Conditions on Consequences of Selected Accidents

It follows from the previous brief discussion that the consequences of an accident which gives rise to some specific source term will, in the case of vapour- or gas-clouds (whether toxic or flammable) be highly dependent on environmental conditions such as wind, weather, terrain and release conditions. It may be necessary, therefore, to evaluate the consequences for several sets of conditions for each size of release. In the case of blast, missile and ground-shock damage due to internal explosions the consequences are not so sensitive to environmental conditions.

6. ESTIMATES OF ACCIDENT PROBABILITIES

6.1. Outline of Method

In any risk assessment the evaluation of the probabilities of the various accidents is often the most difficult part, particularly in installations where a failure of process control systems can lead to severe accidents.

To assess the risks presented by a complex plant it is usually necessary to carry out a "Failure Effects and Modes (F.E.M.) analysis" initially, in which the effects of all foreseeable failures are systematically examined in a qualitative manner. An important part of this analysis is the identification of the ways in which a failure in one part of the plant can interact with other systems.

With the understanding of the system gained by the F.E.M. analysis, it is then possible to quantify the probability of the various modes of failure by constructing "event trees" or "fault trees". In the former, the effects of successive failures of structures and the main protection systems can be examined systematically, starting from some specific event, such as the failure of a pipe or vessel. An example of a typical event-tree for an accident to a nuclear reactor is shown in Fig. 3. However, it becomes difficult to construct the trees for a greater depth of detail. Nevertheless, when, from previous experience, failure rates can be assigned with reasonable confidence to complete systems, this method is very useful.

It may be necessary in some cases to estimate system failure rates by a process of synthesis based on the behaviour of individual components or sub-systems. In such cases the "fault tree" approach can be used. In this method some specific accident is taken as the "top event"; the failure, or combination of failures, in the various systems which must occur in order that the top event could happen are then determined from consideration of the system characteristics. Each system failure contributing to the top event can then be analysed in the same way, in order to determine the sub-systems which are concerned. The analysis can then be continued at the next level and so on until a stage is reached at which the necessary failure-rate data are available, although the trees may become extremely complicated. However, methods have been developed for computerizing the construction of fault trees and for evaluating the probability of the top event. A simple example of part of a fault tree for an accident to a nuclear reactor is shown in Fig. 4. This tree shows that at the lowest level, two, largely independent, sources of power would have to fail to cause the loss of a.c. power, hence the use of the "AND" gate. However, at the higher level the loss of either a.c. or d.c. power is sufficient to make the "engineered safety features" ineffective, hence the use of the "OR" gate.

6.2. Some Practical Difficulties in Estimating Accident Probabilities

The process of estimating the probabilities of accidents, particularly in complex systems, is made more difficult in practice by three main factors. These are:

(1) The effect of "common mode" faults; i.e. a fault which occurs in redundant protection systems due to a common cause, so that the assumption, frequently made in reliability analysis, that each system is independent of the others becomes untenable.
(2) The effect of uncertainties in the behaviour of the human operator.
(3) Uncertainty in the failure rates for components and systems.

A fourth cause of difficulty which has become of increasing importance in the last few years is the
question of sabotage on a large scale by terrorist groups. However, this factor is so dissimilar from the remainder of those considered in a reliability analysis that it is better to treat it as a separate issue. The other factors listed above merit some additional comment.

[FIG. 3. Simplified event trees for a large LOCA (from Ref. 1). Panels: base tree and reduced tree. Column headings: pipe break, electric power, fission product removal, containment integrity. Branches from the initiating event: succeeds, fails.]

[FIG. 4. Illustration of fault-tree development (from Ref. 1). Top event: loss of electric power (EP) to engineered safety features (ESFs). Next level: loss of AC power to ESFs; loss of DC power to ESFs. Lowest level: loss of on-site AC power to ESFs; loss of off-site power to ESFs.]

6.2.1. Common-mode faults

Typical causes of common-mode faults, which may be encountered, even in systems designed for very high reliability, are:

(1) Environmental effects (e.g. corrosion due to excessive humidity) affecting all the redundant systems simultaneously.
(2) Mechanical damage (e.g. by missiles generated in an accident) to all the redundant systems at the time of the accident.
(3) Systematic errors in maintenance.
(4) Loss of a common electrical or water supply.

Opinion is still divided amongst analysts as to the best way of identifying and treating potential common-mode faults. One method, which has the merit of simplicity, is to assume that a proportion of all observed faults in a particular type of subsystem are due to potential common causes. Thus, the observed failure rates which are used in the reliability analysis reflect this. Analysis of a substantial amount of data for plant such as emergency diesel generator sets suggests that typically the common cause component is between 0.1 and 1% of the observed failure rate. As the
common-mode fault can be represented by an element in series with, say, three parallel systems, it establishes an upper limit to the reliability which can be claimed. This method is described in detail in Ref. 6.

6.2.2. Faults due to the human operator

Not infrequently the analysis of accidents shows that the primary cause was a human failure at some stage in the chain of design, fabrication, inspection, operation and maintenance.

To a large extent the use of field data as a basis for the failure rates employed in the reliability analysis takes the effect of human failures into account. However, in the analysis of complex systems, where the response of the plant operator during an accident sequence may have a major effect on the outcome, it is necessary to take more direct account of his actions, bearing in mind that he will be in a state of stress at the critical time.

This aspect has been given increasing attention during the past few years, both in the United States and in Europe. A scheme suggested by one United States group (SANDIA Laboratory) for operator response to a severe but unlikely accident (estimated probability about 10^-4 per year) is given in Ref. 7. This is as follows:

    Chance of operator error at 5 min after accident = 0.9
    Chance of operator error at 30 min after accident = 0.1
    Chance of operator error at several hours after accident = 0.01

This scheme may be compared with the results of an evaluation of the ability of merchant marine officers to take effective avoiding action when the radar display indicates that their ship is on a collision course. The investigation showed that successful action based on the radar observations would be taken in some 85% of cases if the operator were faced with a single potential collision course, but his performance would deteriorate sharply if there were two or more such courses.

6.2.3. Treatment of uncertainties in failure rates

For the majority of mechanical and electrical systems and components encountered in the reliability analysis of installations likely to give rise to major hazards, the observed failure rates can be represented by a median value and 90% confidence limits which are a factor of between 3 and 10 on either side of the median. The approach usually adopted in analysis of a complex system is to use the median values alone to obtain what is described as a "point value" for the overall failure rate. The overall uncertainty is then estimated separately. A first approximation can be obtained by assuming that the underlying probability distributions for the failure rates are all normal or all log-normal, so that the resulting distributions are also normal or log-normal, and the confidence limits can be derived immediately from the combined standard deviations. More exact estimates can be made by the use of computer programmes developed specifically for this purpose (e.g. see Ref. 1).

Overall, it is unlikely that for a complex system the 90% confidence limits will be less than a factor of 10 on either side of the "point value".

6.3. Treatment of the Effects of Environmental Conditions

Where the consequences for a given accident may vary substantially with environmental conditions as well as with the size of the source term, it is desirable to use a set of simple probability distributions to represent each of these factors, so that for any one source term (e.g. amount of vapour released initially) we obtain a set of consequences, each with an associated probability. In practice, the consequences may be zero at most distances for several members of the set.

7. ESTIMATE OF RISK

When the consequences and probabilities have been evaluated for each of the range of accidents considered there is, in principle, no difficulty in calculating the individual risks and summing these to find the total risk for each type of consequence. However, although the range of accidents to be considered can be so chosen that all possible sizes of explosion, or of releases of toxic or flammable material, are covered, it is not possible to guarantee that all the possible ways in which such accidents could occur have been included. To some undefinable extent therefore, the calculated overall risk will tend to underestimate the actual risk. The extent of the error depends on the ability of the analyst to visualize the various ways in which the sub-systems can interact to cause accidents. In this respect, the systematic examination of the design in the failure modes and effects analysis and in the construction of event trees and of fault trees serves to reduce the chance that significant sequences leading to severe accidents will be overlooked.

By putting a quantitative value on human life, or loss of expectation of life due to injury, all the consequences could, if desired, be expressed in monetary terms, so that a single figure could be used to describe the total risk. This may be useful for comparative purposes.

8. ACCEPTABILITY OF RISK

Having completed the assessment of the risk from a particular plant it may remain to determine whether or not that risk is acceptable and, if not, how it might be reduced.

In the absence of any clearly defined standards for acceptability of risk, the adequacy of a particular plant in this respect is largely a matter for negotiation with the appropriate Government body and, in a democratic society, to some extent with groups of private
persons who are put at some additional risk by the presence of the plant. In principle
it should not be necessary to include in the negotiations pressure groups whose
members are not at risk and whose opposition is frequently due to ulterior motives
(e.g. resistance to economic growth), but in practice this tends to become a political
problem.
Increased safety may be costly in terms of the additional material and financial
resources required to achieve an improvement. Thus, ideally society as a whole should
ensure that the benefit, in terms of a reduction in risks, which would be obtained by
the expenditure of a given amount of resources in one particular industry is as large,
or larger, than could be obtained by the same expenditure elsewhere; i.e. it should
have the maximum cost-effectiveness.
In practice, of course, there is at present no means by which the relative cost
effectiveness of possible changes can be judged. Consequently, the present standards
of safety, and the extent of the pressure for improvement, vary widely from one type
of activity to another.
Comparisons of the risks of everyday life and in different industries have been
attempted by various bodies, notably the International Commission on Radiological
Protection (I.C.R.P.), who have stressed the need for a cost-benefit approach to
proposals for reducing radiation risks in industry. These comparisons show that the
average probability of accidental death in most developed countries is about 10⁻⁴ per
year, as compared with an overall risk of death of about 10⁻² per year and a risk of
death at work in the safer industries of about 10- ~ per year.⁹
In the United Kingdom nuclear industry, there is some degree of agreement that to be
acceptable to the public, the incremental risk of death to those living near the
station should not exceed 10⁻⁶ per year. Examination of the attitude of those
connected professionally with other potentially hazardous industries suggests that
death risks in the range 10-'*-10⁻⁶ per year are considered to be acceptable.¹⁰
However, it should be noted that public reaction to technological risk varies over a
wider range. If one judges by the extent to which the section of the public directly
concerned campaigns for increased safety, the level of death risk which is in fact
accepted varies from about 10⁻³ per year (for dams) to about 10⁻⁸ per year (for
nuclear power in the United States of America). In this respect, the public's reaction
depends largely on the extent to which the risk is "perceived", in the sense that
information which is, in fact, publicly available in professional journals and
textbooks is more widely disseminated by "the media". If the media choose to dramatize
their presentation of the information it may become politically difficult to secure
the acceptance of risks at a level which represents a rational allocation of resources
in limiting the risks from one type of hazard (e.g. nuclear power) and another (e.g.
the use of coal to generate electricity) to achieve the same end.
In common with some other workers in this field, the author doubts whether arguments
as to the acceptability of risk of one technology based on comparison with other risks
are likely to convince the public; on the whole they are much more interested in the
benefits than the attendant risks, but they may also be concerned about the
consequence of the worst foreseeable accident. Nevertheless, it does seem to the
author that comparability of risk provides the best available basis for
decision-making, even though the arguments have got to be put to the public in
different ways.
There will also be some level of risk which should not be exceeded on purely economic
grounds, in the sense that it is cheaper to reduce the chance of damage to the plant
itself and of consequential damage (including the resulting loss of output) by
improving its reliability than to accept the higher risk. Studies of this aspect for
nuclear power plant indicate that the break-even point, for very severe accidents,
which would lead to the release of large quantities of radioactive material, is about
10⁻⁴ per year.² This is at least an order of magnitude greater than the probability of
such accidents which would be considered acceptable from the public safety point of
view.
In the evaluation of the limiting economic risk for nuclear plant an important factor
is the high differential cost of the fossil fuel which would have to be used to
replace the lost nuclear capacity. In other types of plant this aspect may be less
important; consequently the break-even point could be greater than 10⁻⁴ per year.

9. PROCEDURES FOR RISK ASSESSMENTS IN RELATION TO VAPOUR-CLOUD EXPLOSIONS

9.1. An Empirical Method for Assessment of Plant Damage

So far as the author is aware, a full quantitative risk assessment, including an
analysis of the process hazards, has only been carried out for a few specialized
plants (e.g. explosives production¹¹) and for some new units in chemical plants, as
part of the design process (e.g. see Ref. 12). In the Canvey study mentioned above,⁵
the probabilities of fires and explosions due to failures of process control were not
evaluated individually. For insurance purposes, a much simpler method may be
sufficient.
A simple empirical procedure, based on observation of the damage caused by
vapour-cloud explosions at the Pernis refinery, Flixborough and elsewhere, has been
proposed by International Oil Insurers.¹³ The procedure is as follows:
The procedure is based on a set of datum levels for a chosen mass of flammable gas*
and the observed extent of damage within two circles of specified radii, centred about
the source position, which can be scaled as required. In this context, flammable gas
includes flammable vapour and/or aerosol mist.

* See "Definitions", below.

The datum size of cloud is postulated as that arising
from 20 tons of flammable gas which is involved in the explosive process.
The datum circles relating to the size of cloud implied in the previous paragraph are
assumed to be 100 yards and 200 yards in radius respectively.
It is assumed there will be 80% total loss within the inner circle and 40% total loss
within the outer annulus. Assuming that the distribution of building and plant values
is uniform across the total area the overall average loss within the 200 yard circle
will then be 50%. Where there is a marked divergence from uniformity in value
distribution, adjustments must be made for the location and content of areas of high
and low value concentration.
This procedure should be repeated using several neighbouring positions for the site of
the cloud to ensure that the maximum probable value has been evaluated. Only circle
centres at drift distances up to 200 yards from the original position need be
considered.
When the datum case quantity of 20 tons is not appropriate adjustments to the circle
radii are made in accordance with the correlation shown in Table 2.
For the purpose of scaling from the datum case it is assumed that 5% of the total
inventory in a single discrete circuit (defined below) within the area would be
involved in the explosive process.

TABLE 2

Weight of flammable        Circle radii (yards)
in mixed cloud (tons)      Inner      Outer
         10                  79        158
         20                 100        200
         30                 114        229
         40                 126        252
         50                 135        271
         60                 144        288
         70                 152        304
         80                 158        317
         90                 165        330
        100                 171        342

Definitions:
Flammable gas. In addition to gases under pressure, the term flammable gas is taken to
include the vapour arising from a flammable liquid at or above its atmospheric boiling
point, whether or not this point lies above or below ambient temperature. The term
also includes the fine mist or aerosol which is produced when a liquid under pressure
is ejected from its container at high velocity.
For the simple case of vaporization of a hot liquid escape, the liquid must be at
least 10°C above its atmospheric boiling point.
Single discrete circuits. A single discrete circuit consists of the total network of
process vessels and pipework defined by a boundary of specified limiting line-flow
rates. These limiting flow rates are: (1) less than 10 kg/min of material for normal
pipework, and (2) less than 100 kg/min for pipework installed with fail-safe remotely
operated valves. Where a plant has multiple streams of similar operations, assessment
should be concentrated on the largest stream.

It will be seen that this procedure is, in fact, a method for consequence assessment
rather than risk assessment, and does not extend to evaluation of the consequences
outside the plant. Although it seems rather limited in relation to assessment of the
sequential damage when checked against historical evidence, it is found to allow
satisfactorily for fire and other damage.
An alternative empirical approach has been described by Davenport.¹⁴
This procedure, which has been used by Industrial Risk Insurers of the United States
for some years, is as follows:

(1) The maximum release considered is equal to the contents of the largest process
    vessel, or train of vessels not readily isolated. Storage vessels and pipelines
    are not considered.
(2) The amount of material vaporized from a hot flashing liquid is estimated on the
    basis that all the superheat is used to supply heat of vaporization. However, if
    the boiling point is below 70°F, 100% vaporization is assumed.
(3) It is assumed that 2% of the theoretical chemical energy in the cloud appears as
    explosive energy. For comparative purposes, this is expressed in terms of an
    equivalent amount of TNT, but the maximum over-pressure is assumed to be 5 psi and
    the amount of damage is estimated from the information given in well known sources
    such as Brasie and Simpson.¹⁵

It will be seen, therefore, that there is a degree of similarity between the two
empirical procedures, but the one proposed by International Oil Insurers is easier to
apply. A less empirical method for assessment of losses, including those due to
vapour-cloud explosions which combines both probability and consequence aspects, is
being developed in the U.K. by the Insurance Technical Bureau.¹⁶ Although more
complicated than the methods described above, it should be much simpler, and much less
costly, than assessment based on the use of event trees and fault trees.

9.2. Assessment of Risks Outside the Parent Installation

If the parent installation covers a large area in which a lot of "active" plant is
located, as in the case of Pernis and Flixborough, there is a good chance that a
potentially explosive vapour-cloud will be ignited within the complex, so that the
damage beyond the site boundary is relatively small--e.g., at Flixborough, although
houses were extensively damaged, there were no fatal casualties outside the site
boundary. However, there are other types of installation, such as the storage area of
a refinery (where there will be little "active" plant), pipelines and other forms of
transport which
must be considered. In these cases the potential size of cloud may be greater by one
or two orders of magnitude and the hazard may be much closer to the public or to other
installations sensitive to explosion or thermal damage. In addition, ignition near the
source may be less likely, so that the possibility of the cloud drifting for long
distances has to be taken into account.
An outline of the methods which have been used for risk assessment in cases such as
these will be the subject of a further paper.

9.3. Validity of the Empirical Methods

As noted above, the methods currently used by the insurance industry to assess the
consequences of vapour-cloud explosions are of an empirical nature. However, to carry
out a detailed risk analysis in which the complete spectrum of possible initiating
events and possible consequences were considered, would be extremely expensive and
time-consuming, as shown e.g., by the scale of effort required for the preparation of
the report on the potential hazards from operations in the Canvey Island/Thurrock area
by the U.K. Health and Safety Executive, in 1978. That investigation, which covered
four major installations, cost about £400,000 and took 2 years.⁵ Even so, recourse to
empirical data had to be made in several parts of the investigation. Thus, it is
unlikely that the insurance industry will depart very far from its present practice,
so far as "on-site" damage is concerned, although the new method described in Ref. 16
offers some prospect of an improvement in the accuracy and usefulness of loss
assessments at a practicable cost and in a practicable time. Nevertheless, as noted
above, a more fundamental approach to the problem of vapour clouds which drift away
from the site of the spill before igniting is desirable, in order to improve the
accuracy of assessment of the hazard to the public.

REFERENCES

1. RASMUSSEN, N., Reactor safety study, U.S. Nuclear Regulatory Commission Report
   WASH-1400 (NUREG-75/014).
2. CAVE, L., The relationship between reliability and safety in nuclear power plants,
   Paper SN-195/54, Proc. IAEA Symp. on Reliability of Nuclear Power Plants,
   Innsbruck, April (1975).
3. Major Hazards Committee (U.K.) First Report, HMSO (1976).
4. SICCAMA, E. H., De Ingenieur, 85, 502, 14 June (1973).
5. Health and Safety Executive, Canvey: An investigation of potential hazards from
   operations in the Canvey Island/Thurrock area, HMSO, June (1978).
6. FLEMING, K. N., A reliability model for common mode failure in redundant safety
   systems, Proc. 6th Annual Pittsburgh Conf. on Modeling and Simulation, April (1975).
7. Ref. 1, ibid. Appendix III, p. 81.
8. Panel Report, Human error in merchant safety, Maritime Transportation Board
   (p. 36). Published by U.S. Nat. Acad. of Sciences, June (1976).
9. International Commission on Radiological Protection, Publication No. 26, Pergamon
   Press (1977).
10. Pollution Prevention (Consultants) Ltd., Equating nuclear and non-nuclear risks,
    E.E.C. Study Contract No. 246/76/6/ECIUK, November (1977).
11. Private communication, Dr. H. NAPADENSKY (Illinois Institute of Technology
    Research Institute)--L. CAVE, July (1978).
12. POWERS, G. J. and TOMPKINS, F. C., Fault tree syntheses for chemical processes,
    Am. Inst. Chem. Engrs J. 20 (2), 376 (1974).
13. International Oil Insurers, The evaluation of estimated maximum loss from fire or
    explosion in oil, gas and petrochemical industries with reference to percussive
    unconfined vapour cloud explosion, IOI, April (1979).
14. DAVENPORT, J. A., A study of vapour cloud incidents, Proc. 83rd Nat. Meeting Am.
    Inst. Chem. Engrs, Houston, March (1977).
15. BRASIE, W. C. and SIMPSON, D. W., Guidelines for estimating damage explosion, Loss
    Prevention in the Chemical Process Industries AICHE, 63rd Nat. Meeting, St. Louis
    (1968).
16. MUNDAY, G. et al., Loss assessment, Proc. Workshop on Risk Analyses and Loss
    Assessment, The Insurance Technical Bureau and Riso National Laboratory, London,
    October (1979).

(Manuscript received 17 March 1980)
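Added example (not part of the original paper or of the International Oil Insurers document): the datum-circle loss estimate of Section 9.1 written out for a site with non-uniform value distribution. The cube-root scaling of the radii is an assumption inferred from Table 2, which it reproduces to within one yard; the function names, the 50-yard search step and the site layout are constructed for the illustration.

```python
import math

# Datum values quoted on the page (International Oil Insurers procedure).
DATUM_TONS = 20.0            # flammable gas involved in the explosive process
DATUM_INNER_YD, DATUM_OUTER_YD = 100.0, 200.0
INNER_LOSS, OUTER_LOSS = 0.80, 0.40   # fraction of value lost in each zone
INVOLVED_FRACTION = 0.05     # share of a single discrete circuit's inventory
MAX_DRIFT_YD = 200.0         # furthest circle centre from the source position

def cloud_tons_from_inventory(inventory_tons):
    return INVOLVED_FRACTION * inventory_tons

def circle_radii(cloud_tons):
    # Assumption: radii scale with the cube root of cloud mass; this matches
    # every row of Table 2 to within one yard but is not stated by the page.
    scale = (cloud_tons / DATUM_TONS) ** (1.0 / 3.0)
    return DATUM_INNER_YD * scale, DATUM_OUTER_YD * scale

def uniform_average_loss():
    # Area-weighted loss inside the outer circle for uniformly spread value.
    inner_area, outer_area = DATUM_INNER_YD ** 2, DATUM_OUTER_YD ** 2
    annulus = outer_area - inner_area
    return (INNER_LOSS * inner_area + OUTER_LOSS * annulus) / outer_area

def estimated_loss(assets, centre, cloud_tons):
    # assets: (x_yd, y_yd, value) tuples; handles non-uniform value layouts.
    inner, outer = circle_radii(cloud_tons)
    loss = 0.0
    for x, y, value in assets:
        distance = math.hypot(x - centre[0], y - centre[1])
        if distance <= inner:
            loss += INNER_LOSS * value
        elif distance <= outer:
            loss += OUTER_LOSS * value
    return loss

def maximum_probable_loss(assets, source, cloud_tons, step_yd=50):
    # Repeat the estimate for neighbouring centres within the drift limit.
    best_loss, best_centre = estimated_loss(assets, source, cloud_tons), source
    steps = int(MAX_DRIFT_YD // step_yd)
    for i in range(-steps, steps + 1):
        for j in range(-steps, steps + 1):
            dx, dy = i * step_yd, j * step_yd
            if math.hypot(dx, dy) > MAX_DRIFT_YD:
                continue
            centre = (source[0] + dx, source[1] + dy)
            loss = estimated_loss(assets, centre, cloud_tons)
            if loss > best_loss:
                best_loss, best_centre = loss, centre
    return best_loss, best_centre

# Constructed site layout (positions in yards, values in arbitrary units).
SAMPLE_ASSETS = [(0, 0, 10.0), (150, 0, 20.0), (240, 0, 50.0), (-90, 0, 5.0)]
```

With the constructed layout, centring the circles on the source gives a loss of 20 units, while repeating the estimate over neighbouring centres raises it to 60 units, which is why the procedure asks for the search over drift positions.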
