Jeffery D. Marx and John B. Cornwell
Mary Kay O’Conner Process Safety Center 2001 Annual Symposium Beyond Regulatory Compliance, Making Safety Second Nature College Station, Texas October 30-31, 2001
Over the past ten years, there has been a growing focus on risk analysis and risk assessment in the process safety community. Regulations like the EPA’s Risk Management Program have brought the word risk to the forefront of our discussions. One problem that is apparent during such discussions is the lack of a common frame of reference for terms such as risk analysis, risk assessment, and quantitative risk analysis (QRA). Even if all parties in a discussion agree that risk is the combination of the consequences and probability of occurrence of unwanted events, they might still disagree on what constitutes a QRA. Unfortunately, risk assessments and qualitative or semi-quantitative risk analyses are often referred to as QRAs, as are studies that include the generation of a risk matrix. A true quantitative risk analysis for a process plant is a complex and extensive study that involves consequence modeling, probability data, vulnerability models/ data, local weather and terrain conditions, and possibly local population data. This detailed type of study has many useful applications, but only if done correctly. Without the required tools or data, attempts to perform a QRA generally produce results that have little value. This paper attempts to clarify what a QRA is and what it is not, and to show the types of information that can be generated when (correctly) performing a QRA for a petroleum, petrochemical, or chemical processing facility.
Within the process safety community, the investigation of a facility’s inherent risk has become an increasingly popular task. There has been significant discussion concerning risk assessment, risk reduction, risk management, and risk analysis. While most process safety professionals know (and agree) that risk is a combination of consequence and probability, there is still considerable confusion concerning how risk is to be measured, and what constitutes a quantitative risk analysis (QRA). For this paper, the context of risk analysis is directed to risks resulting from accidental releases of hazardous materials from chemical or petrochemical facilities. This is often referred to as a chemical process quantitative risk analysis (CPQRA). The consequences investigated in this type of analysis are acute hazards in the form of exposure to toxic vapors; vapor cloud explosion overpressure; or thermal radiation from torch fires, pool fires, or flash fires. Workplace injuries and chronic hazards, such as exposure to carcinogens, are quantified in a different manner and so are not addressed in this context.
Many of the problems concerning the content of a true QRA are in the semantics of risk terminology. To help clarify the terminology, the following terms are defined, as found in the online version of Merriam-Webster’s Collegiate Dictionary :
- someone or something that creates or suggests a hazard
- of, relating to, or involving the measurement of quantity or amount
- of, relating to, or involving quality or kind
- separation of a whole into its component parts
- to determine the importance, size, or value of
The CCPS book “Guidelines for Chemical Process Quantitative Risk Analysis”  defines a CPQRA as “¼the process of hazard identification followed by numerical evaluation of incident consequences and frequencies, and their combination into an overall measure of risk when applied to the chemical process industry. It is particularly applied to episodic events.”
To aid in further defining a QRA, the first distinction that must be made is between quantitative and qualitative types of studies. Quantitative work necessarily involves specific numerical quantities of consequence and probability. Qualitative studies simply define the quality, or type, of either the consequence or probability associated with an accident, instead of assigning a numerical value to it. If the consequences of an event are addressed qualitatively, they are simply categorized. For example, the categories may be assigned descriptions such as negligible, minimal, significant, and major. To quantify acute hazards, some type of modeling must predict their consequences. The parameters of each accidental release must be input into a model (usually computerized) for the consequences to be numerically described. This obviously requires much more effort than a qualitative assignment.
The probability of any one accidental release is expressed as either a likelihood of occurrence (a qualitative measure), or specific frequency of failure that results in an undesired condition or set of conditions (a quantitative measure). To assign a qualitative measure to probability is much like the categorization of consequence. For example, the likelihood of any one event may be described as frequent, occasional, infrequent, or rare. These descriptors may even be assigned a semi-quantitative value, such as once a year, once every ten years, or once in the lifetime of the plant. The quantitative measure of a particular set of conditions is most often based on equipment failure rates. These rates come from published databases listing failures of specific equipment types. Accident frequencies are typically derived from equipment failures only, which may incorporate human failures and “domino-effect” failures, but can include conditional probabilities based on equipment usage and other outside factors.
The second major distinction that must be made is the difference between an analysis and an assessment. A risk assessment is a determination of the magnitude or relative importance of the risk. The assessment itself cannot be quantitative or qualitative, although the data that the assessment is based on can be. An analysis is, by definition, the separation of the whole into parts. A risk analysis is then a separation of all the parts of the risk into identifiable pieces. These pieces consist of each potential hazard source, its associated consequence, and its specific probability of occurrence. The risk assessment is performed at the end of the analysis, when all the pieces have been defined and then compiled into a picture of the risk. Risk assessment can not be done without some type of risk analysis preceding it. An assessment of risk without any analysis is not an assessment at all—it is a guess or, at best, an estimate.
To illustrate the variety of tasks that are considered in a QRA, consider three papers that were presented at the International Conference and Workshop on Risk Analysis in Process Safety . This conference was sponsored by AIChE/CCPS and held in October 1997 in Atlanta, Georgia.
Example 1: Using Quantitative Risk Analysis in Decision Making: An Example from Phenol-Formaldehyde Resin Manufacturing
This paper examined the “risk” of workers to a reactor overpressure event. Probabilities of the event occurring were developed using a fault tree. The overpressure hazard was assumed to result in a fatality to one operator (no consequence modeling was done). Several general assumptions were made: The risk of fatality to an operator from a reactor overpressure event was assumed to be one-tenth of the total on-the-job risk, and total risk to an operator was assumed to be ten times that of the average plant employee. Although this analysis has some benefit in examining the risk due to one event (reactor overpressure), it should not be called a quantitative risk analysis.
Example 2: Safe Handling of Flammable Liquids in Process Vessels: A QRA Approach
This example is similar to the first. The objective of the analysis was to examine the risk due to an explosion in a process vessel. Again, fault tree analysis was used to derive a frequency of occurrence. This analysis went one step further than Example 1 and considered whether an operator was near the vessel or not. Although a fatality probability of one was assumed, bringing operator proximity into the calculations is a crude attempt at consequence modeling. In addition, the paper suggests that other vessels were considered in the analysis, although the cumulative risk to operators was not discussed.
Example 3: A Simple Problem to Explain and Clarify the Principles of Risk Calculation
As the title suggests, this paper offers a simple explanation of risk analysis. The example in the paper demonstrates the most basic elements of a QRA. Event trees are used to develop several incident outcomes. The consequence modeling assigns simple geometric shapes to the hazard zones, although they do have a specific size. Frequencies are assigned to each incident and, through probabilities, each outcome receives its own numerical value. Weather conditions are reduced to one wind speed/stability combination and two possible wind directions. Individual risk contours, an f/N curve, and other risk measures are developed. This example intentionally presents the pieces of a QRA in their most simplistic forms so that an example of the QRA methodology can be completed.
These examples show some of the variability in what is labeled a QRA. The first two examples misrepresent themselves by claiming to be QRAs. This does not mean they are in error or do not produce some meaningful information, just that they should not be called a quantitative risk analysis. The third example provides an intentionally simplistic analysis in order to illustrate the QRA methodology. It successfully presents several measures of risk based on the calculated risk values.
What is QRA?
Putting the three words, quantitative, risk, and analysis, together can have very different meanings to different people. The use of the QRA acronym is inherently ambiguous, since it has been used to represent several different terms:
- Quantitative Risk Analysis
- Qualitative Risk Analysis
- Qualitative Risk Assessment
- Quantitative Risk Assessment
The use of qualitative or quantitative to describe a risk assessment is incorrect because an assessment can be neither. The assessment may be based on a qualitative or quantitative analysis but, in the end, it is simply an assessment. Because of the many variations that qualitative risk analyses can have, they would be more appropriately categorized as probabilistic hazards analyses. This type of qualitative (or semi-quantitative) study may or may not be based on specific consequence modeling; likewise, it may or may not be based on specific failure rate data.
The use of the words quantitative and analysis with the word risk is the proverbial case of the whole being greater than the sum of the parts. It is straightforward (but not always easy) to quantify hazards and quantify probabilities. The classification of a risk study as an analysis is almost trivial, provided some thought goes into dividing the elements of risk into defined parts. But by using the three words together, Quantitative Risk Analysis, much more is implied. The task of dividing the risk into many quantified parts, and the subsequent summation into a form that logically expresses the risk, is not a trivial matter. A QRA examines many accident scenarios, each with multiple release conditions; models all plausible hazards and event outcomes from all of the selected releases; calculates hazards for variable weather conditions; and assigns a probability to each combination of conditions. To be a true QRA, the study must use quantitative consequence and probability values, and must provide a detailed division of risk elements in the analysis. This requires numeric (modeling) descriptions of consequence, justifiable numeric values for the probability of each incident outcome, and a thorough review and separation of many potential accident scenarios.
An ideal QRA, although humanly impossible, would require a separation of the risk into an infinite number of parts. It would describe every potential hazard with perfect modeling that accounts for all release parameters, local obstructions, and specific terrain features. The details of separation would include accurate weather data information, all possible accident locations, multiple release orientations, varied hole sizes, and the appropriate measure of the probability for each of these parts. With the realization that this ideal analysis is not feasible, steps must be taken to make the analysis manageable. But at what level does the analysis become manageable? The process of making a QRA manageable begins (conceptually) with the ideal QRA. The detail of the analysis is reduced through assumptions and selected hazard groupings. Too many assumptions (reductions in quantities) result in a non-quantitative analysis. The feasible amount of reduction is dependent on the available resources.
As an example, consider one accident scenario that models the release of a superheated liquid that is both flammable and toxic. An analysis could group accident outcome possibilities by considering three hole sizes, six possible hazard types (e.g., flash fire, toxic cloud, etc.), three potential impact levels, sixteen wind directions, six wind speed categories, six stability classes, and two release orientations. This results in the need for 58,320 consequence calculations (3 x 6 x 3 x 16 x 6 x 6 x 2 = 58,320). Not all of these potential combinations exist, though. For an analysis that considers six wind speed categories and six stability classes, there are approximately twenty valid wind speed/ stability combinations of the thirty-six possible. In addition, some of the impacts may not have three hazard levels (e.g., flash fires). Even then, the thousands of potential calculations remaining for each release scenario require specialized software.
Many of the assumptions in a QRA are contained within the consequence analysis. Simplifications are made to categorize weather conditions and group potential release hole sizes. The complexity of the consequence modeling is reduced by assuming there are no specific terrain features or local obstructions, and directing all releases with the wind. These reductions all make the analysis more manageable. The intent of these simplifications and assumptions is to either group conditions that produce identical (or nearly identical) hazards into specific categories, or to group several similar conditions into one category that is described by the largest hazard found for those conditions. By representing a group of conditions (or variable combinations) with the largest (most severe) hazard, the analysis is biased toward over-predicting the risk. Knowing that an analysis over-predicts the risk is always preferable to either under-predicting it or making so many assumptions that it is unknown whether the risk is under- or over-predicted.
What does QRA tell you?
The most obvious products of a QRA are the two ingredients of risk: consequence and probability. For every accident scenario identified, there will be a specific hazard zone (as defined by the hazard endpoints) and a corresponding probability of occurrence. As separate pieces, the consequence modeling results are often more useful than the probability values. A QRA generates a large amount of consequence information, allowing extensive comparison between the effects of hole size, weather conditions, and many other variables. Although rarely used explicitly, each individual accident outcome has an associated probability of occurrence.
The most common and oftentimes most useful items provided by a QRA are individual risk contours. Individual risk contours provide a graphical representation of the combination of consequence and probability around a facility. A risk contour is the locus of points that geographically describes the location of a specific risk level. This risk will be defined by a pre-determined type of harm (e.g., fatality) at a specific frequency (e.g., 1.0 x 10-6/year). The annual basis is a commonly used time frame and is convenient because most failure rate data is expressed in failures per year. For a chemical or petrochemical facility, risk contours are typically drawn for annual probability of fatal exposure to toxic gases, fire radiation, and explosion overpressure following one of many possible releases from process, storage, or transportation equipment. Figure 1 presents individual risk contours for several process units and LPG storage within a refinery.
As an example, consider the risk contour labeled 10-6 in Figure 1. This contour defines the location where a person has one chance in one million, per year, of being fatally affected by a release of flammable or toxic material from the facility’s process units or LPG storage areas.
Another common measure of risk is societal risk. This is typically expressed as an f/N curve that shows the cumulative probability (f) of accidents that affect N or more people. This method incorporates a detailed description of the population around a facility. Each individual incident outcome, which has its own frequency, is mapped with the population information to determine the number of people fatally affected. This is illustrated in Figure 2a. Each frequency (f) and number of fatalities (N) pair is then put into a “bin” that describes a range of fatalities (e.g., 1 to 3, 3 to 10, 10 to 30, ¼). Each bin contains the summation of all fs in that bin. This step is presented in Figure 2b. The final step involves adding the summed frequencies from the adjacent bin of larger N to the current bin, starting with the highest N values. This produces a cumulative measure of the frequency-fatality relationship. The final f/N curve is presented in Figure 2c. This measure of overall risk demonstrates the progression of low-f (infrequent), high-N events to high-f (more frequent), low-N events.
The most instructive type of risk analysis is found in comparative studies. For example, when evaluating two alternatives for plant expansion, two QRA evaluations can be performed withinone risk study. The results of the two analyses can be compared to each other, or to pre-expansion QRA results, to decide which option poses the lower risk to an offsite population. By comparing two or three QRA studies that were all done using the same methodology and same level of detail, there is much less emphasis on the absolute measure of risk presented. By taking the focus away from the absolute risk value and comparing relative measures of risk, the impact of modeling bias or uncertainty in probabilities is greatly reduced.
Depending on the scope of the analysis, the risk definition may be constrained to hazards from one process unit, one type of chemical, or one specific hazard. In these cases, presentation of the risk must be explicit with respect to the constraints of the analysis. In general, a QRA for a facility can never predict the total risk to a population—only the risk due to the failures of the process, storage, transportation, or transfer equipment included in the analysis. A risk analysis can be tailored to predict public (offsite) risk, onsite personnel risk, equipment damage, or risk to buildings. These are achieved by altering hazard endpoints, hazards modeled, and modeling assumptions. Several difficulties arise when calculating onsite personnel risk due to the inherent mobile nature of plant personnel and the fact that they have been trained to respond to hazardous incidents. Nonetheless, these types of analysis are possible, and can provide meaningful information.
When calculating the risk presented by a large facility or process, the analysis can be divided into areas or sections. By looking at the risk contribution from each individual area within the QRA, it can be seen which specific parts of the process/facility dominate the risk. This approach can highlight specific process units, storage areas, materials, transportation systems, or even specific accident scenarios as major risk factors. If necessary, mitigation measures can then be directed to the higher risk areas. These tasks are part of a comprehensive risk assessment within a facility’s risk management process.
The final task of a quantitative risk analysis is usually risk assessment. This step evaluates the information generated by the analysis and assesses the magnitude or acceptability of the risk posed by the facility. It uses the consequence analysis and probability analysis results, risk contours, f/N curves, or other measures of risk to compare to internal (e.g., corporate) or external (e.g., regulatory) criteria for acceptability. If the facility is under the jurisdiction of a rule-making authority that has risk acceptability criteria, the calculated risk will be compared directly to those criteria. For an analysis performed for a facility in a country that does not have quantitative risk acceptance criteria, such as acceptable individual risk levels or acceptable societal risk (f/N) levels, a comparison to published standards for other countries may help in the assessment of risk. The analyst in this situation should be aware that defined acceptable risk levels in London or Hong Kong might not be deemed acceptable in Sydney or San Paulo. In these cases, corporate risk acceptance criteria can be helpful. Although many corporations promote the use of acceptable risk criteria, few have published their corporate guidelines.
Published international risk criteria address risk to the general public. These criteria require that all types of hazards that could originate from within the facility and impact persons beyond the property line be included in the study. If the results from a risk analysis are to be compared to these criteria, the study must encompass all potential offsite hazards. And because the risk criteria are quantitative in nature, the study must be a QRA.
- Merriam-Webster Collegiate Dictionary, www.yourdictionary.com, 2001.↩
- CCPS, Guidelines for Chemical Process Quantitative Risk Analysis. Center for Chemical Process Safety of the American Institute of Chemical Engineers, 345 East 47th Street, New York, New York, 1989.↩
- Center for Chemical Process Safety, International Conference and Workshop and Risk Analysis in Process Safety. Proceedings from the International Conference and Workshop in Risk Analysis in Process Safety, Atlanta, Georgia, October 21-24, 1997.↩