
ITSA.

DK

The QRAQ Project


Volume 27
Risk Based Safety Management and Living
Risk Analysis – Closing the Gaps
Version 1 Issue 1
June 2014

J.R.Taylor
QRAQ 27 Closing QRA Gaps

The QRAQ project


Quality of Risk Assessment for Process Plant
Risk Based Safety Management and Living Risk
Analysis – Closing the Gaps

ITSA
Prunusvej 39,
3450 Allerød,
Denmark
Issue: V1I1    Date: June 2014    Author: JRT    Approval:    Release:

© J.R.Taylor 2014 i

QRAQ publications
1. The QRAQ Project – Introduction
2. Quality and completeness of hazard identification
3. Consequence calculation models
4. Risk assessment frequency data
5. Risk analysis methodologies
6. Risk acceptance criteria
7. Ignition frequency
8. Jet fire models
9. Fire water monitors as a risk reduction measure
10. Boilover and fire induced tank explosion
11. Self evacuation as a risk reduction measure
12. Major hazards scenarios - Model validation against actual accidents
13. In preparation
14. Gas impoundment
15. Domino effects and escalation
16. Momentum jets
17. Fire and Gas Detection Mapping
18. In preparation
19. In preparation
20. Human error in process plant operations and maintenance
21. SIL assessment using LOPA
22. Assessment of simultaneous operations
23. Dispersion calculations for hydrogen sulphide releases
24. Systematic ALARP Analysis
25. Safety Barrier and Bow Tie Diagrams
26. Lessons Learned Analysis
27. Closing the gaps in QRA


Preface
This report is the 27th in the series of reports covering various aspects of the quality of
process risk assessment studies. It was written because of the increasing problems in
performing practical QRA.

J.R.Taylor
Abu Dhabi 2014




Updating history

Issue: Initial version    Date: June 2014    Affected:    Change: Initial release


Contents

1. Introduction ........................................................................................................................1
2. History of Process Plant Risk Analysis - What Has Been Achieved .................................3
3. Gaps in methodology ..........................................................................................................6
4. Hazard identification ........................................................................................................11
5. Gaps in Consequence Modelling ......................................................................................20
References ................................................................................................................................24


1. Introduction
Since the Piper Alpha platform accident, and the Cullen Inquiry and its recommendations which
followed, there has been an increasing emphasis on carrying out detailed risk analyses for
petroleum and chemical plant, and on basing safety management on the results of risk analysis
processes such as HAZOP and HAZID. This has especially been true for British offshore
activities, and for national oil and gas companies in the Middle East and Far East.

When a large part of safety activities are to be based on hazard and risk analysis results, the
results had better be both complete and correct. There are unfortunately already several major
accidents resulting from inadequate analyses and from inadequate communication of analysis
results.

One of the causes of this is that most risk analyses produced to date are based on
methodologies originally intended for land use planning. They do not go deep enough, and are
not sufficiently informed about the realities of operation, maintenance and on-site safety
management, to be of use to safety and operations professionals. The reports are largely
written by consultants, and are aimed at achieving authority approvals. Most are read by
authority or third party verification reviewers; the recommendations are acknowledged and for
the most part implemented (which is a success), and the reports are then archived (which is a
failure, in that the results are hardly communicated to those responsible for day to day safety
management). This can be seen readily in most safety cases, COMAH reports and the like, which
often do not even contain proper accident scenario descriptions, which give calculation results
in tabular form in unreadable appendices if at all, and which do not allow company safety,
operations and maintenance professionals to find the results which affect their own areas of
responsibility.

The situation is worsened by the fact that most of these studies, being made for regulatory
purposes, are forced into a standard methodology. Any deviation from that methodology is
penalised by project delays and approval difficulties, even when the deviation is intended to
improve the safety of the plant and of the persons in and around it.

That this situation can be changed is illustrated by recent projects in which company
operations, maintenance and inspection teams have been directly involved in the risk
analysis activity, and have used these to support preparation of standard operating
procedures, operations and maintenance manuals, and inspection plans prior to
commissioning. It is also evidenced by the use of “living risk analyses” during the design
stage, to help solve safety engineering problems as they arise. It is also evidenced by the
active use of detailed hazard and effects registers prepared by operations and maintenance
teams, based on actual plant experience and on lessons learned from accidents reported
around the world.

To make this transition from “risk analysis as a licensing requirement” to “risk analysis as a
safety management tool”, a number of upgrades in methodology need to be made:

• Hazard identification for risk analysis needs to be much more thorough, going to the
root cause level. It is not sufficient to regard accidents as being caused by randomly
arising leaks and ruptures, with dropped objects and vehicle collisions added as an
afterthought. Most accidents arise through a combination of fairly minor events, which
can only be identified at the detailed level, and currently this type of analysis does
not contribute to risk assessments.
• Risk analyses need to take account of the results of HAZOP studies.
• Only generic frequencies are used to determine the frequency of accident initiating
events. Special efforts in design and operations intended to reduce risk, such as the
use of corrosion resistant alloys, inherent safety approaches, advanced alarm
management etc., are ignored in the risk analysis.
• The range of consequences included in the risk analysis methodologies needs to be
extended. At present, the range of accidents covered by standard methodologies and
risk analysis support tools covers less than a third of the major accidents occurring in
plants around the world.
• Most consequence modelling carried out today is reasonably accurate outside plant
fence lines (to within a factor of about 2 on safety distance). Accuracy at short
distances, where employees can be affected, is much poorer.
• Many important aspects of risk, such as escalation and domino effects, evacuation and
rescue, emergency response, human error in accident causation and human response
in accident prevention, are not taken into account.
• Risk analyses are not presented in a form which is readily useable for operations,
safety, maintenance, QC and inspection professionals.

All of these problems have solutions, many of them demonstrated in recent large scale
projects. This report describes these efforts to make risk assessment into a full working
tool, and gives an interim assessment of the success and the limitations so far.


2. History of Process Plant Risk Analysis - What Has Been Achieved
Risk analysis concepts were developed during the late 1960's, but the first applications to
process plants were made in the early 1970's (see side bar, page xx). Initially the methods
were met with great skepticism by industry, but were gradually adopted by forward thinking
companies, and then were mandated by authorities, via the Seveso directives in Europe, via
offshore regulations in Europe, and via the process safety management and RMP regulations
in the USA.

By now many design standards require risk analysis, and especially for offshore installations
and in countries where there is large scale development, risk assessment has become the core
of safety management.

Figure 2.1 shows a typical process for safety management in modern practice.

Some of the major achievements have been:


• Hazard and operability analysis has been more or less universally accepted, and is
now an essential part of the design process. Studies are generally staffed by
experienced engineers and operators. The recommendations from HAZOP are now
regarded as mandatory unless strong counter arguments can be made.
• The bow tie process, identification of safety critical equipment, and systematic
specification of safety critical activities and critical equipment performance standards
have become the main approach to achieving safety in a design. (Efforts to transfer
this information to the operations phase are beginning to be successful).
• QRA's are required as standard during all stages of design, construction and operation.
• A reasonable amount of experimental data has been accumulated for consequence
modelling.
• A very limited amount of data for determining accident frequencies has been
obtained, but at least data is now available. There is no longer any need to guess the
frequencies of accident causes.
• Task Risk Assessments or Job Safety Assessments are performed routinely at the final
stages of plant construction, and during plant operations. In a recent study in one
company, all operations professionals, including operators and maintenance
technicians knew how to use risk matrices as a route to decision making.
• Formal risk tolerance criteria have been adopted by many countries (over 50 at the
most recent count).


[Figure 2.1 is a flowchart which does not survive text extraction. Recoverable structure: project phases across the top, Select (Concept Select), Define (FEED), Execute (Detailed Engineering), Execute (Construction / Commissioning) and Operate (Operations), under the integrity themes Plan for Integrity, Design for Integrity, Build for Integrity and Operate to Maintain Integrity. Each phase lists its HSE deliverables: HSE philosophy, strategy and plan; HAZID, HAZOP, OHRA, QRA, EIA, EERA, SIL and FEHA studies; concept, FEED, detailed design and operational "mother" and "daughter" bow ties, with the level of detail reaching tag item level in detailed engineering; identification of safety critical equipment and systems (SCE's) and their performance standards, which form the basis of purchase orders and pass to QA/QC; BAT report; decision dossier; Phase 1, 2 and 3 safety cases with demonstration that risks are acceptable or ALARP; a management of change process which must include review of the bow ties related to any change; construction HAZID, HAZEER and OHRA; commissioning HAZID(s), HAZOP(s) and SWIFT workshops; pre start-up safety review (PSSR); operations bow tie reviews of barriers removed, not present or bypassed for maintenance; IV audit of SCE's; and review of the safety case as part of MOC and as a minimum once every 3 years.]

Figure 2.1 A fully developed safety management programme, from concept to operations


Overall, the frequency of major accidents does not seem to have reduced by much (Figure
2.2), but on reviewing major accident reports and root cause analyses, two significant groups of
accidents can be identified: those where risk analysis concepts had not been adopted, or had
been adopted only as a regulatory requirement, and those where the accident causes were
outside the scope of current risk assessment methodology, i.e. due to gaps in methodology.

Figure 2.2 Major hazards accidents since 1985 (large fires > $100 m., vapour cloud explosions and large toxic releases)

The current (2014) gaps which have been identified in risk assessment practice are described
in the following chapters, but for quick reference are listed here:

• Hazard and accident scenario identification for risk analysis uses very limited HAZID
methodologies. Results from HAZOP studies are generally ignored in QRA. Human error
analysis is largely ignored.
• Representation using bow tie diagrams is limited, because the diagramming convention
does not allow proper description of parallel defences.
• Methodologies for consequence calculation were originally developed for regulatory
purposes, and concern risk outside the plant fence line. Many scenarios which have
only in-plant consequences are ignored.
• Consequence models are often inaccurate at the short distances relevant to in-plant
safety assessment and design.
• Mitigation, such as from deluge systems, fire fighting and self evacuation, is largely
not considered in the risk analysis.
• The ALARP principle (essentially a cost benefit approach) has been adopted widely in
regulations and guidelines, and is actually the most important approach to risk
reduction in most practical cases. In practice, however, the approach is almost never
implemented properly. Typically a full range of risk reduction alternatives is never
considered, and cost benefit calculations are rarely carried out. Many analysts
consider that if the risk is in the ALARP region it is acceptable, provided that
some loosely specified recommendations to reduce risk are made.


3. Gaps in methodology
Most of the modelling experimentation and data collection work done so far in the field of
process plant risk analysis has been aimed at regulatory risk assessment, and at protection of
persons outside the fence line (there is an exception, for offshore risk assessment, where
much good work has been done for example on jet fire impingement on equipment, and on
gas plume explosions).

The scenarios included in guidelines such as the Yellow Book (ref. 3.1) and the Purple Book
(ref. 3.2) cover the following phenomena:

• Toxic gas and liquefied gas release and toxic gas plumes and clouds
• Toxic liquid release and toxic plumes
• Flammable liquids release and pool fire
• Flammable gas and liquids release and flash fire
• Flammable gas and liquids release and jet fire
• Flammable gas and liquids release and vapour cloud explosion
• Flammable liquid release and pool fire (which extends to tank top fire)
• BLEVE (Though this is ambiguously stated in most guidelines)

All of these are assumed to occur as a result of equipment or piping leaks or ruptures.
Consequences not covered by standard guidelines are:

• Overpressuring explosions, such as from pressure regulator failure or blow by
• Tank explosions due to vapour ignition
• Confined explosions in buildings
• Runaway reactions
• Explosions due to unintended mixing of substances in tanks
• Sewer explosions
• Dust explosions
• Toxic and hot liquid exposure due to overflow
• Domino effects and escalation

Table 3.1 illustrates the gaps in methodology and modelling. The performance of current
QRA methodologies, with only 4 or 5 out of 15 accident phenomena actually modelled in 11
of the most severe major accidents, is not good. The situation is even more grotesque when it
is realised that virtually all of the accidents can be modelled with currently available models.
The gap lies in the distance between guidelines made for land use planning regulations,
which must be stable and consistent, and the need for modelling and methodologies which
will actually help reduce risk.


Accident                      Mechanisms                                    Included in standard        Models
                                                                            methodologies/software?     available?
Texas City 2005               KO drum overflow, spraying vent, HSCE         N                           Y
Tosco Avon 1997               Hydrocracker reactor runaway, HSCE            N                           Y
Valero Sunray 2008            Dead leg, jet fire                            Jet fire: Y                 Y
                                                                            Dead leg: N                 Y
                                                                            Impingement: N              Y
Formosa Plastics 2005         Fork lift truck crash, UVCE                   Frequency: N                Y
                                                                            Consequence: Y
Buncefield 2005               Overflow, HSCE, splashing flow, UVCE          N                           Y
Conoco Phillips, Humber       Injection point corrosion, RBI, UVCE          Frequency: N                Y
                                                                            Consequence: Y
CAI, Danvers 2006             Confined VCE                                  N                           Y
Texaco, Milford Haven 1994    HMI, KO drum overflow, hammer, UVCE           Hammer: N                   Y
                                                                            UVCE: Y                     Y
Giant Industries, Jamestown   HMI on valving, flash fire, jet fire          Frequency: N                Y
                                                                            Consequence: Y              Y
Motiva Enterprises, Delaware  Acid tank explosion                           N                           Y
Pennzoil, Rouseville 1995     Vapour release near hot work, tank explosion  N                           Y
Total "yes"                                                                 5                           14

Table 3.1 Methodologies needed for analysis of 11 major hazards accidents

Frequencies used in risk assessments are currently either "expert judgment" values, or are
derived from British offshore installations in the North Sea (Hydrocarbon Release Data
Collection, ref. 3.3, or secondary sources based on it). These data cover releases from
carbon steel equipment in marine applications. It is tacitly assumed that these will be relevant
for all plants, even those made with stainless steel or other resistant alloys, for plants that
handle highly corrosive materials, and for all operating temperatures and pressures. This is
obvious nonsense, but acceptable for the coarsest regulatory land use planning analyses. The
approach is pernicious in application to design, since it does not provide any information
about the possible risk reduction which can be derived by using higher quality construction
materials. Neither does it encourage the use of better design practices. The use of just a single
set of generic failure data causes considerable contempt when professional materials
engineers and metallurgists contribute to safety design.

This issue is an important one. Careful approaches to frequency reduction can reduce risk by
at least an order of magnitude (ref. 3.4).

One of the biggest gaps in setting accident frequencies, though, is that accidents which do not
arise through leaks and ruptures in pipes and equipment are virtually ignored. These include
over-pressuring explosions, runaway reaction explosions and accidents due to human error.
One of the biggest unknowns in risk analysis methodology is that latent hazards are not
currently taken into account. Latent hazards, arising for example from trapped pressure
released during maintenance, are not just ignored; there is little realisation that such
hazards even exist.

Again, this is not a small gap. BP (ref. 3.5) surveyed accidents for refinery distillation
columns. Their assessment of causes is shown in figure 3.1.


Figure 3.1 Distribution of causes for 148 refinery distillation column accidents

It has been said that since the data bases include all the most common releases of hazardous
materials, it is not necessary to consider the rare types. This is simply not true. Firstly,
many of the accident scenarios in the second list above are not so rare. Almost all are much
more common than the scenario "spontaneous vessel rupture", and from figure 3.1 are more
common than "pipe leak". The other point is that many of the scenarios in the second list are
not amenable to the risk reduction measures which apply to leaks and pipe ruptures, such as
emergency shut down valves. As a result, ignoring "special" scenarios quickly leads to a lack
of risk reduction for them, so that they come to dominate the pattern of risk.

A weakness of the methodologies applied for onshore risk analyses is that there is rarely, if
ever, any modelling of risk reduction measures. This leads to difficulties because it then
becomes hard to justify the more effective risk reduction measures, especially if these are
expensive. It makes ALARP analysis almost meaningless.

ALARP analysis is required in most regulatory regimes which require risk analysis, for all
risks which lie within the band between "acceptable" and "unacceptable". The methodology
for the calculations is well described and well known (ref. 3.6 and 3.7). However, a full
ALARP analysis is hardly ever carried out in QRA's. Where it is, the ALARP assessment is
generally qualitative. The problem seems to be that very few risk analysts have training in
loss prevention engineering, combined with the limitations in modelling of mitigation
measures described above.

Possible improvements in methodology

There is really no reason why the range of scenarios considered in risk assessments should
not be extended to cover all of those contributing to major accidents worldwide. There are
models available for all of the accident scenarios mentioned above. The main obstacle
preventing a full treatment of the hazards involved is the slavish adherence to regulatory risk
analysis methodologies, even when these are not particularly relevant. Ignorance of other
accident types is also a problem. It does not help that most university and post experience
courses tend to ignore scenarios which are not on the first scenario list. It is much easier to
teach what is standard practice than to try to be at the forefront of development.

Closure 1: simple extension of the list of scenarios to be covered in risk analyses.

Making plant specific and equipment specific risk analyses which take into account materials
quality is difficult at present, because there has been little data collected. The only openly
published database which actually provides a causal analysis along with failure frequencies is
RELBASE (ref. 3.8). This is a good dataset for overall frequencies, and the only one
validated for correspondence between results and world major accident experience.

It would be quite straightforward for large oil companies to collect better data concerning
equipment failure and leakage frequencies. Most have more data flowing into their
maintenance data bases each year than has so far been collected into risk analysis data bases.
Another approach to making analyses plant and equipment specific is via the theory of structural
reliability and risk based inspection (RBI). This theory already provides a way of calculating
the reduction in risk provided by improved materials and improved inspection programs.

Possible closure 2: Investigate ways of applying causal data and structural reliability theory
to QRA, in order to determine the risk reduction effect of improved design and improved
inspection. This is a research field.

For the accidents which do not arise from simple leaks and pipe ruptures, frequencies can be
determined from simple fault tree analysis, or even simpler layers of protection analysis. An
example is frequency determination for blow-by overpressuring. This requires a failure rate
for the level control, multiplied by the probability of failure on demand of the emergency
shutdown system. The only things needed are the transfer of scenario descriptions from
HAZOP to QRA and some simple calculations. Data for these are readily available (ref. 3.9 and 3.10).

Closure 3: Apply simple fault tree analysis for overpressuring rupture risks, runaway
reaction risks etc.

Considerable effort has been made to develop human error analysis methods which are easy
and efficient to apply (ref. 3.11, 3.12). Their application has been limited, but the methods
are definitely ready for industrial trial. (There are many older methods for HRA; their
problem is that they require a lot of data and a lot of specialist effort, which is acceptable for
nuclear industry applications with long project time scales. Oil and chemical industry
applications have design time scales in the order of months, so long analysis times present
difficulties.)

Closure 4: Introduce human reliability analysis methods into QRA and process safety
management.


Closure 5: The limitations of regulatory risk analyses have led to the development of "living
risk analyses". These are intended to support design and operations rather than the regulatory
process, and differ from regulatory analyses in that:

• The range of scenarios covered includes all those which can affect the public,
employees, environment and assets.
• Models which are more accurate at short distances are used (see Ch. 4)
• Mitigation modelling and emergency response are supported.
• Facilities are provided which directly support ALARP analysis


4. Hazard identification
HAZOP
The main hazard identification technique in use for process plant today is hazard and
operability analysis (HAZOP). In present practice for large installations, it is carried out
sometimes at 60% completion of front end engineering, always at 90% completion and
towards the end of detail engineering, at which stage HAZOP of vendor equipment packages
is also carried out. HAZOP refresher studies are also carried out every five years, to take into
account changes made in the plant over a period. (Note that mini hazops should also have
been done as part of the management of change process, but the 5 year renewal generally
provides a better overview).

A large HAZOP study can generate many recommendations for design change, usually
several hundred for a large plant, typically 10 to 50 for a single plant unit such as a
distillation stage. Often the detail design HAZOPs produce just as many recommendations as
the FEED stage.

From this it can be seen that HAZOP has become an important part of the overall design
process. Increasingly in modern practice HAZOP is being supplemented by 3D model
reviews or buildability reviews, safety design reviews and inherent safety workshops. At its
best, HAZOP is now a well developed, robust and reliable method. It is still possible to see
bad HAZOPs performed, however. Some of the flaws which have been observed in practice
(ref. 4.1) are:

• Insufficient experience on the part of the participants in the HAZOP meetings. It is often
stated that the facilitator or chairman of the HAZOP does not need to know much
about the hazards, only how to run the meeting, but this is an error. Designers and
operators in the HAZOP teams can be expected to know about simple accidents such
as overflow of oil from a tank, and experienced operators can be expected to know
about the more complicated accidents which have occurred on their own plants.
Designers and operators generally do not know about many of the more complex
accident mechanisms. Safety engineering professionals are needed to supplement
the designers' and operators' knowledge.
• The use of risk matrices in assessing risk is generally not well understood. Very few
know how to calibrate a matrix in order to satisfy an overall risk acceptance goal, and
there is generally an error of using a matrix calibrated for a whole plant in order to
assess the risk for a single scenario.
• When HAZOP scenarios are risk assessed this is often done badly. This is sometimes
due to the assumption made in many guidelines that the operators participating will have
sufficient experience to be able to estimate frequencies. It is in fact very rare for
operators to have sufficient experience to estimate frequencies or the extent of
consequences for more than a fraction of the accident scenarios identified.
• Sometimes the HAZOP meetings are not well staffed, and project managers
sometimes pressure HAZOP leaders to move fast. This can lead to poor quality in the
results. In some cases it has led to a requirement for HAZOP studies to be redone,
with a very heavy impact on project schedule. See ref. 4.1 for some horror stories.
• In today's practice, HAZOP results are taken into account in improving designs, but the
results, including the residual risk estimates, are almost never carried forward to the
quantitative risk assessment. (This is generally not the case in Denmark, because risk
assessments were from the beginning based on HAZOP studies.)

One of the main reasons for the decoupling of HAZOP and QRA is timing. The HAZOP studies run in parallel with, or even after, the QRA studies, so that no benefit can be taken from uniting the studies. The other main reason is that, with accident frequencies fixed by regulatory requirement to a prescribed data base (such as the Purple Book, ref. 3.2, the UK HRDC, ref. 3.3, or OGP, ref. 14), there is little incentive to use HAZOP results in a regulatory QRA; it just creates more problems.

Possible improvements in methodology

The most worrying defects in most HAZOPs are serious failure phenomena which are not recognised. A few examples illustrate this: vertical two-phase flow caused by a flow disturbance can generate vibration which will rupture piping; liquid overflow from a vessel into a gas line can cause hammering which can rupture the line; channelling in a catalyst bed due to coking can lead to temperature runaway and explosion. In all, over 150 physical phenomena have been identified which are important for process plant accident causation, of which only about 30% are well known. Also, even when the effects are known, it is often difficult to determine the extent or impact of the accidents in the absence of good guidance documents.

Possible closure 6: It was noticed that although there are many publications which describe lessons to be learned from earlier accidents, these were often forgotten when it came to completing HAZOP studies. To counter this, a systematic "lessons learned analysis" method was developed. This uses a large collection of accident case histories, indexed so that they are accessible by substance, equipment type and HAZOP disturbance type. The list is used during or after a HAZOP study to ensure that no lesson is forgotten. This is still an experimental method. (Note: something like this was made a requirement in the Danish implementation of the Seveso directive, and has been applied in a less systematic way since 1987.)

Possible closure 7: Evaluation of the severity of physical phenomena is often difficult in a HAZOP study. For example: will blowby resulting from failure of a level control valve on a separator really lead to an overpressure rupture of the downstream vessel? Will opening of a high pressure gas valve cause sufficient Joule-Thomson cooling to cause low temperature embrittlement in piping? Process simulation can answer such questions, using programs such as HYSIM or ASPEN for dynamic modelling. Dynamic modelling is often not carried out, though, because of cost, and advanced modelling takes time. Collections of small "rule of thumb" models and simplified models have been developed which can provide quick answers and indicate areas where more detailed modelling is needed. These are still not widely used, and there is a need for a wider range of such models.

Possible closure 8: Guidance is needed on how to calibrate and to apply risk matrices.
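As an added illustration, not part of the original report, the following Python script shows what calibration means in practice. The band limits, the plant-level potential loss of life (PLL) target of 1 × 10^-3 fatalities per year, the 200-scenario register and the equal apportioning rule (each scenario may use at most target/N) are all assumed example values. The script rates the same register once with a matrix calibrated against the whole-plant target and once with a matrix calibrated per scenario, and sums the actual risk in each case.

```python
"""Calibrating a risk matrix against a whole-plant acceptance criterion.

Added example, not from the report. Band limits, the plant PLL target and the
scenario register are constructed values chosen to make the effect visible.
"""

# Upper limits of the frequency bands (per year) and severity bands
# (expected fatalities per event). A cell is rated on the product of its limits.
FREQ_BANDS = (1e-6, 1e-5, 1e-4, 1e-3, 1e-2, 1e-1)
SEV_BANDS = (0.01, 0.1, 1.0, 10.0, 100.0)

# Tolerable potential loss of life for the whole plant, fatalities/yr (assumed).
PLANT_PLL_TARGET = 1e-3


def band_index(value, limits):
    """Index of the first band whose upper limit is >= value (top band if above all)."""
    for i, limit in enumerate(limits):
        if value <= limit:
            return i
    return len(limits) - 1


def cell_risk(fi, si):
    """Worst case risk a cell can hide: product of the two band upper limits."""
    return FREQ_BANDS[fi] * SEV_BANDS[si]


def build_matrix(tolerable_per_entry):
    """Rate every cell against a per-entry budget. Returns {(fi, si): rating}."""
    return {
        (fi, si): "tolerable" if cell_risk(fi, si) <= tolerable_per_entry else "intolerable"
        for fi in range(len(FREQ_BANDS))
        for si in range(len(SEV_BANDS))
    }


def calibrate_per_scenario(plant_target, n_scenarios):
    """Equal apportioning (one simple scheme): each entry gets at most target/N.

    Because every cell is rated on its band upper limits, a register in which all
    entries are 'tolerable' then sums to at most the plant target.
    """
    return build_matrix(plant_target / n_scenarios)


def rate(freq, sev, matrix):
    """Rating of one scenario (frequency per year, expected fatalities per event)."""
    return matrix[(band_index(freq, FREQ_BANDS), band_index(sev, SEV_BANDS))]


def aggregate_pll(scenarios):
    """Sum of frequency x severity over all scenarios in the register."""
    return sum(f * s for f, s in scenarios)


def all_tolerable(scenarios, matrix):
    return all(rate(f, s, matrix) == "tolerable" for f, s in scenarios)


# Constructed register: 200 small scenarios, none remarkable on its own.
SCENARIOS = [(2e-5, 0.3)] * 120 + [(5e-5, 0.8)] * 80


def compare(scenarios=SCENARIOS, plant_target=PLANT_PLL_TARGET):
    """Rate the register with a plant-calibrated and a scenario-calibrated matrix."""
    plant_matrix = build_matrix(plant_target)          # the common mistake
    scenario_matrix = calibrate_per_scenario(plant_target, len(scenarios))
    return {
        "aggregate_pll": aggregate_pll(scenarios),
        "plant_calibrated_all_tolerable": all_tolerable(scenarios, plant_matrix),
        "scenario_calibrated_all_tolerable": all_tolerable(scenarios, scenario_matrix),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Run as written, every entry of the register is "tolerable" on the plant-calibrated matrix while the summed PLL is almost four times the plant target; the per-scenario matrix rejects the same cells. Equal apportioning is the crudest scheme, and in practice budgets are usually weighted towards the scenarios that dominate; the point is only that the per-entry budget must be derived from the plant criterion and the number of entries, not copied from it.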

Possible closure 9: Frequency data have been collected for use particularly in HAZOP studies, but more work is needed in this area.

HAZID

The other main hazard identification method in use today is the HAZID method. This is a top-down analysis which, in modern practice, starts with a list of hazards, i.e. hazardous materials or energy sources which, if not kept under control, will lead to an accident.

Once hazards are identified, the "threats" which could lead to the triggering or release of the
hazards are identified, and the consequences of the release of the hazards are also tabulated.
For each of the threats, the safety barriers which prevent the release of the hazard are
tabulated, as are the safety barriers which mitigate the consequences.

The risk for each threat is typically calculated, with layers of protection analysis (LOPA) being best practice.

In modern practice defects and deficiencies in safety barriers (also, strangely, called
"escalation factors") are identified. These are the phenomena which can lead to failure of the
safety barriers. For each of these defects, "safety critical activities" are identified which are
needed to maintain the safety integrity of the plant. Finally, the persons responsible for each
"safety critical activity" are identified (generally by staff position, sometimes by name) and
the competencies required of this person are identified.

Typically, all of this information is recorded both in tabular form, and graphically by means
of "bow tie diagrams", which are a kind of simplified safety barrier diagram. The entirety
forms the risk register for the plant.

The HAZID in this way provides a basis for a full safety management system (see figure 4.1). There are many gaps in current practice, which mean that practice has generally fallen far short of the ideal described above.

The range of threats identified has generally been very limited. A typical list is:

• Internal corrosion
• External corrosion
• Erosion
• Fatigue
• Collision
• Dropped objects
• Natural events (storm, flooding, earthquake, tsunami etc.)

The problem with this is that the list is not sufficiently detailed to allow anything more than the most superficial identification of safety critical activities. The analysis does not tell integrity professionals, maintenance and operating teams anything that they do not already know extremely well, since these things are at the core of their daily work. It makes little sense to explain to an inspection specialist who is employed full time on inspecting piping that corrosion is a threat and could lead to an accident.

[Figure 4.1: bow tie extract, diagram not reproduced. Recoverable content: the top event is "Leak"; each threat is listed with the barriers credited against it and the reviewer's annotations.]

Threat: internal/external corrosion
  Barriers: Design; Inspection and corrosion/erosion management; Risk based repair and maintenance
  Annotation: descriptions too generic, not specific

Threat: fatigue, fretting, stress induced failure
  Barriers: Design; Inspection and fatigue and stress management; Risk based repair and maintenance
  Annotation: repair is not independent of inspection, both are needed to form one barrier

Threat: flange, valve seal, rotating equipment seal
  Barriers: Design; Inspection program; Risk based repair and maintenance; Operating procedures

Threat: vehicle impact
  Barriers: Plant access control; Driving speed restrictions; Crash barrier

Threat: dropped object
  Barriers: Restriction on lifting over live plant; Lifting gear inspection, certification; Physical protection
  Annotation: not an effective barrier

Threat: operating outside design envelope
  Barriers: Design operating envelope; Process control (DCS); Emergency shutdown (ESD); Emergency depressurisation (EDP); Mechanical safety devices
  Annotations: not a safety critical system; not an effective barrier for human safety in fire (typical response time for detection and closure 2 minutes, and thereafter inventory release; 30 minute response)

Figure 4.1 Some examples of weaknesses in hazard identification by HAZID, taken from an actual (approved) safety report.

Bow tie diagrams are currently widely used for more detailed hazard identification and especially for the development of safety critical activity registers. However, the currently available software is very deficient:

• A fully detailed bow tie diagram is often unreadable unless printed in A0 or A1 format. When originally creating such diagrams, these large drawings can be used, provided that a suitable blank wall is available on which to hang them, but they become difficult to deal with when required for daily use in safety management. Software allows for quick expansion and contraction of diagrams, but for licensing reasons such software is often unavailable except to a limited number of users. Also, it is not certain that this is the ideal approach.

• Long lists of safety barriers are often registered for a single high level threat. It is not unusual for a threat to have as many as 12 barriers. These are never complete protections: each barrier may protect against only a small subset of the threat cases. This makes safety assessment meaningless, whether by layers of protection analysis (LOPA) or by barrier counting. The barriers should actually be shown in parallel rather than in series, or alternatively more detailed "sub-threats" should be recorded, at least to the level of detail which allows a full range of safety critical activities.

Figure 4.2 A detailed bow tie diagram with many barriers in series. The diagram implies that the frequency for these scenarios is less than 1 × 10^-18 per year, but this is the result of recording all possible barriers, whether or not they are 100% effective for the threat. The correct frequency for this case is about 1 × 10^-5 per year, an error of about 13 orders of magnitude.

Possible improvements in methodology

Possible closure 10: One method which has been tried, with success, is to take an initial set of bow tie diagrams and have the operations phase technical authorities work on them consistently, as a tool in preparing safety critical systems data bases. Preparation of this kind may take a year or more in any case for a large plant (all the safety critical equipment needs to be identified, and then inspection and maintenance plans need to be developed for it). Properly developed bow tie diagrams at the equipment level have proved to be effective in supporting this work.

[Figure 4.3: safety barrier diagram, not reproduced. Recoverable content: the top event is an internal corrosion leak; each sub-threat is listed with the design phase barriers credited against it.]

Sub-threat: general and pitting corrosion
  Barriers: Materials selection for service; Corrosion allowance; Corrosion inhibitor injection

Sub-threat: low point pitting corrosion
  Barriers: Materials selection for service; Self draining piping; Connections for flushing

Sub-threat: dead leg corrosion
  Barriers: Dead leg avoidance; Connections for flushing; Corrosion inhibitor injection

Sub-threat: galvanic corrosion
  Barriers: Compatible materials selected; Insulating bushings

Sub-threat: stress corrosion cracking
  Barriers: Materials selected for service; Stress limitation

Sub-threat: under insulation corrosion
  Barriers: Design for water tightness; Cladding protection; Inspection point plugs

Examples of safety critical activities for the dead leg avoidance barrier: dead leg elimination workshops; criteria for T junction length; procedures for cross coupling.

Figure 4.3 Part of a detailed bow tie/safety barrier diagram at a level where safety management is possible. Drawn for design phase only.

Possible closure 11: There is a need for improvement both in software and in display
technology in order to make this kind of work convenient. Possible ideas are:

• Use of safety barrier diagrams rather than bow tie diagrams, so that threats can be expanded to show sub-threats.
• Use of hierarchical diagrams, so that more detailed analyses can be made without
making diagrams too big to display
• Facility for recording safety barriers in parallel, not just in series.
• Facility for representing dependencies between barriers, so that common cause failure
effects can be represented

• Use of higher resolution displays. Display technology, for tablet computers, for desktop displays and for projection, is improving rapidly at present. As just one example, A3 size tablet PCs with four times HD resolution have become available.
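The following Python script is an added example, not code from this report or from any bow tie tool, and it serves both the error described under Figure 4.2 and the parallel barrier and common cause points of closure 11. It computes the leak frequency of the corrosion threat three ways: multiplying every barrier on the bow tie leg in series, crediting only the barriers that actually cover each sub-threat, and additionally collapsing barriers that share a common cause into one layer. The barrier and sub-threat names follow Figure 4.3, but every probability of failure on demand (PFD), initiating frequency and coverage assignment is a constructed value, so the size of the gap is specific to these numbers.

```python
"""Barrier counting in series versus barrier coverage on a bow tie leg.

Added example, not from the report. All PFD values, initiating frequencies and
the coverage table are constructed; only the names follow Figure 4.3.
"""
from math import log10, prod

# Probability of failure on demand per barrier (constructed values).
BARRIERS = {
    "materials_selection": 0.1,
    "corrosion_allowance": 0.1,
    "inhibitor_injection": 0.1,
    "self_draining_piping": 0.1,
    "flushing_connections": 0.3,
    "dead_leg_avoidance": 0.1,
    "compatible_materials": 0.05,
    "insulating_bushings": 0.1,
    "stress_limitation": 0.1,
    "water_tight_design": 0.3,
    "cladding": 0.3,
    "inspection_point_plugs": 0.5,
}

# Sub-threat -> (initiating frequency per year, barriers that actually address it).
SUB_THREATS = {
    "general_pitting": (0.05, ["materials_selection", "corrosion_allowance", "inhibitor_injection"]),
    "low_point_pitting": (0.02, ["materials_selection", "self_draining_piping", "flushing_connections"]),
    "dead_leg_corrosion": (0.03, ["dead_leg_avoidance", "flushing_connections", "inhibitor_injection"]),
    "galvanic": (0.01, ["compatible_materials", "insulating_bushings"]),
    "stress_corrosion_cracking": (0.01, ["materials_selection", "stress_limitation"]),
    "under_insulation": (0.05, ["water_tight_design", "cladding", "inspection_point_plugs"]),
}

# Barriers with a shared failure cause (assumed: both rest on the same insulation
# detail design) are credited as a single layer with the worst PFD of the group.
DEPENDENT_GROUPS = [frozenset({"water_tight_design", "cladding"})]


def naive_series_frequency():
    """Every barrier on the leg multiplied in, regardless of what it covers."""
    initiating = sum(freq for freq, _ in SUB_THREATS.values())
    return initiating * prod(BARRIERS.values())


def effective_layers(names, dependent_groups=()):
    """PFDs of the credited layers, with dependent barriers collapsed into one."""
    remaining = set(names)
    layers = []
    for group in dependent_groups:
        members = group & remaining
        if members:
            layers.append(max(BARRIERS[m] for m in members))
            remaining -= members
    layers.extend(BARRIERS[n] for n in remaining)
    return layers


def coverage_frequency(dependent_groups=()):
    """Sub-threats in parallel: each credited only with the barriers covering it."""
    return sum(freq * prod(effective_layers(names, dependent_groups))
               for freq, names in SUB_THREATS.values())


def orders_of_magnitude_gap(dependent_groups=()):
    """How far the series product undershoots the coverage-aware estimate."""
    return log10(coverage_frequency(dependent_groups) / naive_series_frequency())


if __name__ == "__main__":
    print(f"series product of all barriers:   {naive_series_frequency():.2e} /yr")
    print(f"coverage-aware, barriers independent: {coverage_frequency():.2e} /yr")
    print(f"coverage-aware, dependent groups:     {coverage_frequency(DEPENDENT_GROUPS):.2e} /yr")
    print(f"gap: {orders_of_magnitude_gap():.1f} orders of magnitude")
```

With these constructed numbers the series product lands near 10^-11 per year while the coverage-aware sum is a few times 10^-3 per year, a gap of more than eight orders of magnitude; treating the two insulation barriers as one layer moves the estimate up by a further factor of three. Recording the sub-threats and their own barriers is what makes the second calculation possible at all, which is the reason closure 11 asks for parallel barriers and dependency links in the software.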

Human error analysis

Human error analysis is not currently used as a standard technique in process plant risk analysis. There have been some studies, largely independent of risk analysis efforts. Statoil has announced its approach to human error analysis for offshore installations.

Two obstacles to incorporating human error analysis have been identified from follow-up studies and PHSERs for project COMAH reports.

The first obstacle is that operating procedures are generally written late in a new project development, often still being completed while the plant is being commissioned. This makes inclusion of human error analysis in Phase II risk analyses difficult, since these should be completed at about the stage of commissioning completion.

The second obstacle is that most current methods for human error analysis are intended to be
used by specialists, and are not easy to integrate into process plant safety analyses.

Two measures have been taken to overcome these obstacles. One has been to develop the action error analysis method, which marries easily with HAZOP and HAZID analyses. The second has been to develop generic human error analyses for typical plant operations. These can be used as a basis for hazard identification and risk assessment already at the FEED stage, and can be updated quite rapidly when the operating procedures are finalised.

Figure 4.4 shows such an analysis for one step in a typical operating procedure, and figure
4.5 shows a summary cause consequence diagram for a complete procedure.

Possible closure: see closure 4 above.

Procedure: Pig receiving                                     Date: 1/5/2001
Cue: Closure of receiver main block valve(s)
Action: Depressurise pig receiver
Notes: Context is generally an experienced team of 4 to 6, with possibly one of the team
being a trainee or novice.
Error cause checklist: Distraction; Misremember; Input not visible; Mistaught; Complex;
Erroneous procedure; Confusing; Erroneous knowledge; Poor or no label; Mental process
error; Instrument error; Dysfunction; Erroneous info; Overload; Forget; LTA feedback;
Mistake; Other.

Error mode              Effect                          Safety barrier (Y/N)           Consequence if barrier fails
Too early               Continuous flow from vent line  Shut main valve if possible    Hydrocarbon release
Too late / Omission     Jet release of hydrocarbon on   Mechanical interlock on door   Hydrocarbon release, possible
                        opening door                                                   fire, injury to operator
Too much / Too little   Incomplete closure due to       Check pressure gauge during    Hydrocarbon release when door
                        stiffness or sand               depressurisation               opened
Too fast / Too slow     NA                              -                              -
Too hard / Too soft     NA                              -                              -
Wrong object / action   Wrong valve closed (very        -                              -
                        unlikely)
Wrong direction         NA                              -                              -
Latent hazard: vent     Venting fails, jet release of   Mechanical interlock on door   Hydrocarbon release, possible
line blocked            hydrocarbon on opening                                         fire, injury to operator

Recommendation 7: Receiver door to have pressurised opening mechanical interlock.

Figure 4.4 Example action error analysis, for one task step (worksheet layout reconstructed
from the extracted text).

Figure 4.5 Human error cause consequence diagram for a complete procedure (diagram not reproduced).

5. Gaps in Consequence Modelling

Many models of different physical phenomena were developed during the early years of process plant risk analysis. These were based on a general background of physics developed over the previous century, but few of the models could be said to have been validated against a good experimental basis. During the second half of the 1980s and through the 1990s, a very large effort was made to provide a good experimental basis for modelling.

Also during the 1990s and into this century, UK HSE and their contractor W.S. Atkins, along with others, made a concerted effort to review and validate models.

Unfortunately, current QRA modelling makes only limited use of this development. One of
the reasons is the need for consistency in regulatory analysis. Most of the currently available
software adheres quite rigidly to the Dutch Yellow Book.

In order to evaluate the importance of this, a review of models was made (ref. 5.1 and 5.2). Modelling results were compared with published experimental results, both from the point of view of the immediate output of the single model and of the impact on overall risk analysis results, expressed as the distance to the "acceptable risk" level, for typical process plants. In this way the initial uncertainty of each model, and the overall impact of this uncertainty on risk analysis results, could be determined. Table 4.1 shows the uncertainties for the different models and the impact of this uncertainty on risk, and compares them with the UK HSE estimates of uncertainty based on expert judgement. As can be seen, most models are found to agree with experiment to within a factor of two, although there are some outliers, with models published from respected sources diverging widely from observation. The overall impact on risk outside the fence line deriving from modelling uncertainty is about a factor of 2.5. It should be noted that the larger the number of scenarios calculated, the smaller the divergence from "best modelling practice", i.e. from the models with the best agreement with experiment. This is not as good as the usual expectation for engineering modelling, where safety margins as low as 10% are sometimes accepted, but it seems good enough for general land use planning purposes.

This level of agreement, however, hides a degree of uncertainty which is more important, especially for risk levels at shorter distances. These uncertainties arise where the models are simply unsuitable for the actual circumstances in the plant.

The simplest cases of this arise in pool fire and jet fire modelling. For pool fires, two-zone models, with the lower zone representing bright flame and the upper zone representing sooty flame, were developed by UK HSE/W.S. Atkins during the late 1990s. Most current software, though, uses the older single-zone models. The difference is negligible at distances greater than 5 pool diameters, but becomes very large (up to a factor of 8) at distances under one pool diameter. This is a dangerous discrepancy, because the simpler model underestimates the risk to firefighters and the risk of fire escalation between tanks.
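To make the near-field discrepancy concrete, the following Python script is an added example; it is not the UK HSE/W.S. Atkins model and not code from this report. It treats the flame as a vertical cylinder, integrates the solid-flame view factor numerically over the surface elements that face a small vertical target, and compares a single-zone flame with a two-zone flame whose area-weighted mean surface emissive power is identical, so that the two agree far from the flame by construction. Pool diameter, flame height, bright zone height, the two emissive powers and the target height are assumed example values, and atmospheric transmissivity is ignored.

```python
"""Single-zone versus two-zone pool fire: incident radiation near and far.

Added example, not from the report. The flame is a vertical cylinder of diameter
D and height H; the incident flux on a small vertical target facing the flame
axis is obtained by numerically integrating the solid-flame view factor over the
visible cylinder surface. Zone height and surface emissive powers (SEP) are
assumed values, not the UK HSE/W.S. Atkins correlations.
"""
import math

D = 20.0              # pool diameter, m (assumed)
H = 30.0              # flame height, m (assumed)
BRIGHT_ZONE_H = 10.0  # height of the bright lower zone, m (assumed)
SEP_BRIGHT = 150.0    # surface emissive power of bright flame, kW/m2 (assumed)
SEP_SOOTY = 40.0      # surface emissive power of sooty upper flame, kW/m2 (assumed)


def sep_two_zone(z):
    """Two-zone flame: bright below BRIGHT_ZONE_H, sooty above."""
    return SEP_BRIGHT if z < BRIGHT_ZONE_H else SEP_SOOTY


def sep_single_zone(z):
    """Single-zone flame with the area weighted mean SEP, so total emission is equal."""
    return (SEP_BRIGHT * BRIGHT_ZONE_H + SEP_SOOTY * (H - BRIGHT_ZONE_H)) / H


def incident_flux(sep_of_z, distance_from_edge, target_height=1.5, n_phi=120, n_z=200):
    """Incident radiation (kW/m2) on a vertical target facing the flame axis.

    Sums SEP(z) * cos(theta_e) * cos(theta_t) * dA / (pi * d^2) over cylinder
    surface elements that face the target. Atmospheric transmissivity is ignored.
    """
    r = D / 2.0
    xt = r + distance_from_edge          # target lies on the +x axis outside the flame
    dphi = 2.0 * math.pi / n_phi
    dz = H / n_z
    da = r * dphi * dz                   # area of one surface element
    flux = 0.0
    for i in range(n_phi):
        phi = (i + 0.5) * dphi
        ex, ey = r * math.cos(phi), r * math.sin(phi)   # element position
        nx, ny = math.cos(phi), math.sin(phi)           # outward normal
        for j in range(n_z):
            z = (j + 0.5) * dz
            vx, vy, vz = xt - ex, -ey, target_height - z  # element -> target
            d2 = vx * vx + vy * vy + vz * vz
            d = math.sqrt(d2)
            cos_e = (nx * vx + ny * vy) / d     # angle at the emitting element
            if cos_e <= 0.0:
                continue                        # element on the far side of the flame
            cos_t = vx / d                      # target normal points in -x
            flux += sep_of_z(z) * cos_e * cos_t * da / (math.pi * d2)
    return flux


def view_factor(distance_from_edge):
    """Geometric view factor alone (SEP = 1 everywhere); must lie in (0, 1)."""
    return incident_flux(lambda z: 1.0, distance_from_edge)


def ratio_two_zone_to_single(distance_from_edge):
    """Two-zone flux divided by single-zone flux at the same receiver."""
    return (incident_flux(sep_two_zone, distance_from_edge)
            / incident_flux(sep_single_zone, distance_from_edge))


if __name__ == "__main__":
    for dist in (0.2 * D, 1.0 * D, 5.0 * D, 10.0 * D):
        print(f"{dist / D:4.1f} D from flame edge: two-zone/single-zone = "
              f"{ratio_two_zone_to_single(dist):.2f}")
```

With these numbers the two-zone flux at a fifth of a pool diameter from the flame edge is close to twice the single-zone value, because a low receiver sees mostly the bright base, while the two agree to within a few percent at ten diameters. The size of the near-field gap depends entirely on the zone data, which is why validated zone correlations, rather than an average emissive power, matter for firefighter exposure and tank-to-tank escalation.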

This example introduces a theme which will be repeated through this chapter: many of the models which have acceptable accuracy at distances of several hundred metres have very poor accuracy at the short distances which are relevant for determining employee and plant safety.

A second example is that of currently used jet fire models. These typically assume that heat radiation from the jet is uniform. In fact the maximum heat intensity generally arises at about two thirds of the length of the jet. This means, for example, that radiation levels at ground level close to a vertical jet flame are much higher than those calculated. Also, models take little account of the substance which burns in the flame, although the heat radiation fraction varies by as much as a factor of 3 depending on the substance.

For gas dispersion, great efforts have been made over the years to provide a good
experimental basis, and most of the experimental results have been collected in a
consolidated library, so that models can be readily validated. However, there is only limited
data available for the worst case low wind speed stable atmosphere conditions which give the
largest accidents.

Most heavy gas dispersion models are semi-empirical, and rely on two or three empirical parameters: for jet entrainment of air, for top entrainment of air into a plume and for side entrainment of air into a plume. However, there are at least four, sometimes five, flow regimes involved in a gas plume, and it is difficult to make a model which fits all phases well with just two or three parameters to adjust in fitting to experimental results. The models must predict plume height, width, temperature and concentration, and achieve a reasonable degree of matching across each of the flow regimes. As a result of this, the "best" gas dispersion model is the one which is tuned to the release experiment closest to your actual scenario.

A further problem is that a large part of the gas and vapour releases which actually occur impinge on or flow through process equipment. The amount of experimental work on impinging jets and plume flows is very limited.

Gas dispersion experimentation is expensive, and generally not very well instrumented.
There is a real need to improve the situation. One possibility for the future is the use of much
better instrumentation, for example using LIDAR which allows a complete cross section of a
gas plume to be measured (This kind of instrumentation is already used for smoke pollution
monitoring). Another possibility is to improve the use of computational fluid dynamics
(CFD) in modelling, as a basis for developing better analytic models.

Explosion modelling has received a good deal of attention, with several large scale and a few
full scale experiments. Most analytic models available at present (multi - energy, CAM2) are
purely empirical, with the minimum of theoretical basis. They are bound to a certain concept
of how a vapour cloud explosion develops, namely by generation of turbulence as expanding
gas flows across pipes, and a corresponding increase in flame speed as a result. The number,
spacing and diameter of pipes defines the degree of congestion for the area containing gas.

Users of such models generally find that they are easy to use for the cases which correspond
to the concept, but are often difficult to use in other cases. A summary of required
applications and the ease of application of the models is as follows:

• Determining the degree of congestion beneath pipe racks surrounded by equipment is fairly straightforward: the models were made for this case.
• Determining the degree of congestion for a process module for an offshore installation is fairly straightforward unless there are large vessels in the module.
• Determining the degree of congestion for places such as compressor houses, with large objects occupying a good deal of the volume, is not possible: there is no guidance and no experimental data, or even accident case histories, on which to base the calculations.
• Determining the degree of congestion for relatively open areas is not possible: the models were not made for this kind of situation.
• The models are not suitable for enclosed or almost enclosed spaces (except SCOPE, see below).

Despite the problems listed here the models are often used uncritically in unsuitable
applications.

"Phenomenological models", notably SCOPE (ref. 16), were developed to overcome some of
the limitations of the purely empirical models. An attempt is made to model the physical
phenomena in the explosion, that is the gas expansion, the flow, the turbulence and the effect
of turbulence on flame speed. Phenomenological models are nevertheless still limited to
fairly simple geometries.

All of the analytic models in use at present require selection of a discrete parameter, representing either the degree of congestion or the "complexity" of the piping and equipment. The span of results between the individual values is quite large (figure xx), which means that the models cannot be very accurate. A model whose input parameter can only take the values "low", "medium" or "high" cannot give results accurate to better than one third of the range of result values. This means in effect that the accuracy can be no better than about a factor of 2. This level of inaccuracy must be added to the uncertainty in the model itself.

Because of the difficulties in applying analytic models, computational fluid dynamics (CFD) is being used increasingly.

It is important to realise that CFD models are not necessarily more accurate than analytic models. It is not practically possible to model at the level of resolution which allows a priori calculations (i.e. ones based on theoretical models only); this would require modelling on the 1 mm scale. In practice CFD calculations are typically made on grids of 1 m or 10 m, that is with grid cells a billion times larger in volume, or worse. The gap is bridged by using "sub-grid models" to represent the flow of turbulence, mass and energy within a grid cell. These are empirical or semi-empirical, so the models must be tuned to give results which coincide with the same experiments used to tune the analytic models. In comparisons the SCOPE model was found to predict explosion pressures better than the leading CFD software for the major experiments.

What CFD does do is to allow modelling of cases which are far beyond those covered by analytic models. CFD opens a whole new world of physical phenomena. Figure xx, for example, shows the dynamics of downdrafts behind a building, and figure yy shows the effect of jet impingement on plant equipment.

CFD therefore provides a flexible method to calculate cases which cannot be handled by existing QRA analytic model sets. The problem with CFD models is primarily that they take days to weeks to calculate a single process plant scenario on an ordinary PC, and hours to days even on powerful computer clusters. For this reason, where CFD is used in QRA, it is usual to calculate just a few scenarios and then to interpolate between them to cover other cases. This contrasts with high quality QRAs using consequence calculation packages, which will usually calculate tens or hundreds of thousands of scenarios.

Possible improvements in methodology

Possible closure 12: Models used in QRA should be updated to the latest and best validated models.

Possible closure 13: After some 30 years of experimentation there is still a need for better experiments in gas and vapour dispersion, but this would require major improvements in instrumentation to be worthwhile. For the experiments completed so far it is not possible to calculate model parameters directly. One additional possibility is to link experiments to very high quality CFD calculations.

Possible closure 14: There is an urgent need for a wider range of analytic models which take
into account a wider range of cases, including impinging and semi confined gas release
models, and models for vapour cloud explosions with piping, vessels and buildings, i.e.
obstructions of different scales, within a single congested area.

References

1. TNO, "Yellow Book", Methods for the Calculation of the Effects of the Escape of Dangerous Materials, Dutch Ministry of Labour, 1978, 1996.

2. B. Ale et al., Guidelines for Quantitative Risk Assessment ("Purple Book"), Director General for Social Affairs and Employment, 1999.

3. HSE, "Offshore Hydrocarbon Release Statistics 2001", HID Statistics Report HSR 2001 002, Health & Safety Executive, 2002, and later web site publications at www.hse.gov.uk.

4. J.R. Taylor, Effectiveness of Risk Analysis as a Safety Procedure, QRAQ report 30, ITSA, 2014.

5. BP, Hazards of Oil Refining Distillation Units, I Chem E, 2008.

6. UK HSE, HSE Principles for Cost Benefit Analysis (CBA) in Support of ALARP Decisions, www.hse.gov.uk/risk/theory/alarpcba.htm, downloaded 12/12/2012.

7. J.R. Taylor, Systematic ALARP Analysis, QRAQ report 28, 2014.

8. J.R. Taylor, RELBASE, Hazardous Materials Release and Accident Frequencies for Process Plant, Taylor Associates, 2004, and 7th edition 2009.

9. OREDA participants, SINTEF, Offshore Reliability Data Handbook, 5th edition, 2009.

10. Exida, Safety Equipment Reliability Handbook, 3rd edition, 2009.

11. B. Kirwan, A Guide to Practical Human Reliability Assessment, Taylor and Francis, England, 1994.

12. J. Rasmussen and J.R. Taylor, Notes on Human Factors Problems in Process Plant Reliability and Safety Prediction, Risø-M-1894, 1976, www.risoe.dk/rispubl/reports/ris-m-1894.pdf; and J.R. Taylor, A Background to Risk Analysis, Risø National Laboratory, Denmark, 1978.

13. J.R. Taylor, 40 Years of HAZOP, Loss Prevention Bulletin, 2012.

14. OGP report 434-201, Guide to Finding and Using Reliability Data for QRA, 2010.

15. J.S. Puttock, M.R. Yardley and T.M. Cresswell, "Prediction of vapour cloud explosions using the SCOPE model", J. Loss Prevention in the Process Industries 13, 419, 2000.
