IRISK: DEVELOPMENT OF AN INTEGRATED TECHNICAL AND MANAGEMENT RISK METHODOLOGY FOR CHEMICAL INSTALLAT - PowerPoint PPT Presentation


1
  • IRISK: DEVELOPMENT OF AN INTEGRATED TECHNICAL AND
    MANAGEMENT RISK METHODOLOGY FOR CHEMICAL
    INSTALLATIONS

O. N. Aneziris
27 May 2004
SLOVAKIA
PRISM SEMINAR
2
EC Contract No ENVA-CT96-0243
I-RISK

  • Ministry of Social Affairs and Employment (SZW), The Netherlands (Coordinator)
  • Four Elements Ltd, UK (Secretariat)
  • Health and Safety Executive, UK
  • Ministry of Environment (VROM), The Netherlands
  • NCSR Demokritos, Greece
  • National Institute for Health and Environment (RIVM), The Netherlands
  • Norsk Hydro, Norway
  • Safety Science Group, Delft University of Technology, The Netherlands
  • SAVE Consulting Scientists, The Netherlands
3
OUTLINE
  • Introduction
  • Technical model
  • Management model
  • Modification of Loss Of Containment frequency,
    according to the Safety Management System
  • Case studies

4
I-RISK
5
HAZARD IDENTIFICATION
MODELLING OF ACCIDENTS ACCIDENT SEQUENCES PLANT
DAMAGE STATES
CONSEQUENCE ASSESSMENT
FREQUENCY ESTIMATION
RISK INTEGRATION
6
TECHNICAL MODEL
  • MASTER LOGIC DIAGRAM
  • EVENT TREE - FAULT TREE ANALYSIS
  • CONSEQUENCE ANALYSIS
  • RISK INTEGRATION

7
MASTER LOGIC DIAGRAM (MLD)
  • MLD FORMS THE BASIS OF THE TECHNICAL MODEL
  • MLD IS NOT A FAULT TREE
  • MLD PROVIDES THE STARTING POINT FOR DEVELOPING
    PLANT-SPECIFIC MODELS
  • MLD IDENTIFIES INITIATING EVENTS

8
MASTER LOGIC DIAGRAM FOR LOSS OF CONTAINMENT
LOSS OF CONTAINMENT
9
EVENT TREE - FAULT TREE EVENTS
  • A) INITIATING EVENTS (fi, ?, fHi)
  • B) COMPONENT - BASIC EVENTS
  • PERIODICALLY TESTED STANDBY COMPONENT
  • NONTESTED
  • REPAIRABLE ON LINE COMPONENT
  • NON REPAIRABLE
  • C) HUMAN ACTIONS

10
AVERAGE UNAVAILABILITY FOR DIFFERENT TYPES OF COMPONENTS
PERIODICALLY TESTED COMPONENTS
i) Unavailability owing to hardware failure between tests (λ: failure rate; T: mean time between tests)
ii) Unavailability owing to repair of detected failures (λ: failure rate; TR: duration of the repair; T: mean time between tests)
iii) Unavailability owing to routine maintenance (fM: frequency of maintenance; TM: duration of the maintenance)
iv) Unavailability owing to maintenance (QM1: prob. of committing an error; QM2: prob. of not detecting an error)
11
PARAMETERS OF TECHNICAL MODEL
  • fi FREQUENCY OF INITIATING EVENTS
  • λs FAILURE RATE IN STANDBY MODE
  • T PERIOD OF TESTING
  • TR DURATION OF REPAIR
  • QM1 ERROR IN TEST AND REPAIR
  • QM2 FAILURE TO DETECT PREVIOUS ERROR
  • fM FREQUENCY OF ROUTINE MAINTENANCE
  • TM DURATION (MEAN) OF ROUTINE MAINTENANCE
  • λO FAILURE RATE OF ON-LINE COMPONENTS
  • µ REPAIR RATE OF ON-LINE COMPONENT
  • QO1 PROBABILITY OF NOT PERFORMING ACTION
  • QO2 PROB. OF NOT DETECTING/ RECOVERING ERROR

12
FREQUENCY OF LOSS OF CONTAINMENT
$f_{LOC} = g(b)$, $b = u(q)$
b: vector of basic events
q: vector of technical parameters
13
MODIFICATION OF THE FREQUENCY OF LOC ACCORDING TO
THE SMS
  • $\ln f_j = \ln f_l + (\ln f_u - \ln f_l)\, m_j / 10$

  • $f_j$: modified value of the jth technical parameter
  • $f_l$: lower value of each parameter, for the installation with the poorest SMS in the industry
  • $f_u$: upper value of each parameter, for the installation with the best SMS in the industry
  • $m_j$: modification factor of the jth technical parameter

14
MANAGEMENT MODEL
  • Major hazard safety management
  • systematic control and monitoring of the possible
    failure events (as modelled in the Technical
    Model) leading to Loss Of Containment of
    hazardous substances
  • Integrated management system model
  • major hazard management is usually part of an
    integrated SHE system
  • Management system model structure
  • Control and Monitoring (feedback and learning)
    cycles
  • 8 management subsystems Delivery systems
  • delivering criteria and resources for control of
    major hazards
  • Primary business processes considered
  • Operations Inspection, Testing and Maintenance
    Emergencies

15
OVERALL STRUCTURE OF MANAGEMENT MODEL
16
DELIVERY SYSTEMS
  • Availability of personnel
  • Commitment and motivation to carry out the work
    safely
  • Internal communication and coordination of people
  • Competence of personnel
  • Resolution of conflicting pressures antagonistic
    to safety
  • Plant Interface
  • Plans and procedures
  • Delivery of correct spares for repairs

17
DELIVERY SYSTEMS - Personnel
Competence: the knowledge, skills and abilities in the form of first-line and/or back-up personnel who have been selected and trained for the safe execution of the critical primary business functions and activities in the organisation. This system covers the selection and training function of the company, which delivers competent staff for overall manpower planning.

Availability: allocating the necessary time (or numbers) of competent people to the safety-critical primary business tasks, which have to be carried out. This factor emphasises time-criticality, i.e. people available at the moment (or within the time frame) when the tasks should be carried out. This delivery system singles out the manpower planning aspects, which can include the planning of work of contractors during major shutdowns and the availability of staff for repair work on critical equipment outside normal work hours, including coverage for absence and holidays.

Commitment: the incentives and motivation, which personnel have to carry out their tasks and activities, with suitable care and alertness, and according to the appropriate safety criteria and procedures specified for the activities by the organisation. This delivery system is fairly closely related to the conflict resolution system, in that it deals with the incentives of individuals carrying out the primary business activities not to choose other criteria above safety, such as ease of working, time saving, social approval, etc. Organisational aspects of conflicts are dealt with there, and more personal aspects, such as violation of procedures, here.
18
DELIVERY SYSTEMS - Hardware
Interface: The ergonomics of all aspects of the plant, which are used/operated by operations, inspection or maintenance. This covers design and layout of control rooms and manually operated equipment, location and design of inspection and test facilities, the maintenance-friendliness of equipment and the ergonomics of the tools used to maintain it. This delivery system covers both the appropriateness of the interface for the activity and the user-friendliness needed to carry out the activities.

Spares: These are the equipment and spares, which are installed during maintenance. This delivery system covers both the correctness of the spares for their use (like with like), and the availability of spares when and where needed to carry out the activities.
19
DELIVERY SYSTEMS - Organizational
Internal communication and coordination: Internal communications are communications which occur implicitly, or explicitly within any primary business activity, i.e. within one task or activity linking to a parameter of the technical model, in order to ensure that the tasks are coordinated and carried out according to the relevant criteria.

Conflict resolution: The mechanisms (such as supervision, monitoring, procedures, learning, group discussion) by which potential and actual conflicts between safety and other criteria (such as productivity) in the allocation and use of personnel, hardware and other resources are recognised, avoided or resolved if they occur. This delivery system is closely related to the one concerned with commitment, which covers the issues of violations within tasks at an individual level. The conflict resolution system covers the organisational mechanisms for resolving conflicts across tasks, between people at operational level and at management level.

Procedures, Output goals and Plans: Rules and procedures are specific performance criteria which specify in detail, usually in written form, a formalised normative behaviour or method for carrying out an activity (checklist, task list, action steps, plan, instruction manual, fault-finding heuristic, form to be completed, etc.). Output goals are performance measures for an activity which specify what the result of the activity should be, but not how the results should be achieved. They are objectives, goals or outputs (e.g. accident/incident targets or trends, exposure of risk levels, ALARA, safe, numbers of activities carried out, etc.). It is also convenient to regard definitions and criteria for choosing one course of action over another as output criteria. Plans refer to explicit planning of activities in time, either how frequently tasks should be done, or when and by whom they will be done within a particular time period (month, shutdown period, etc.). They include the maintenance regime, maintenance scheduling (including shutdown planning) and testing and inspection activities, which need to link to the parameters of maintenance frequency, test interval and time for maintenance and repair.
20
MANAGEMENT TASKS
  • Deliver the appropriate control or resource to
    the appropriate primary business activity at the
    appropriate time
  • Learn and improve on that delivery process over
    time
  • These tasks are modelled as processes (boxes)
    linked by inputs, outputs and influences (arrows)
    in loops

21
Management tasks
  • Overall management Organization (1)
  • Company Risk Control Monitoring System (2)
    (RCMS)
  • Evaluate and Propose Changes in RCMS (12)
  • Company System for managing and Monitoring System
    (3)
  • Control System (Use Delivery System to control
    tasks) (4)
  • Evaluate and propose changing delivery system
    (10)
  • Record and analyze performance of delivery system
    (9)
  • Evaluate and propose changing use of the delivery
    system (11)
  • Correct on-line performance (8)

22
SYSTEM CLIMATE WITHIN WHICH THE SITE OPERATES
MANAGEMENT TASKS MODEL
1 Overall management organisation policy/system
adapt to system climate
INTEGRATED (PROBABLY) MANAGEMENT SYSTEM, COMMON
TO ALL LOOPS
12 Evaluate propose changing overall
management /or RCS system/policy
2
Company Risk Control and Monitoring System
Analyse risks design the control and
monitoring system adapt to system climate
3 Company system for managing and monitoring
delivery system adapt to system climate
3
MANAGEMENT SUB-SYSTEMS
Monitoring system
11 Evaluate propose changing delivery system
Control 4 system Use delivery system to
control tasks
10 Evaluate and propose changing the way the
delivery system is used
9 Record and analyse performance, deviations,
incidents etc.
8 Correct on line performance of tasks
Performance (8 delivery systems x number of
common mode management subsystems)
7 Weighted delivery system x parameters matrix
6 Calibration models for converting performance
score to failure data
Technical model parameters from Base Events table
INTERFACE TECHNICAL MODEL
Modified value of task performance per base
event per parameter
Modified values of base event parameters
23
MANAGEMENT MODEL
1 Overall management organisation policy/system
adapt to system climate
INTEGRATED (PROBABLY) MANAGEMENT SYSTEM, COMMON
TO ALL DELIVERY SYSTEMS
12 Evaluate propose changing overall
management /or RCM system
2
Company Risk Control and Monitoring System
Analyse risks design the control and
monitoring system adapt to system climate
24
3 Company system for managing and monitoring
delivery system adapt to system climate
MANAGEMENT SUB-SYSTEMS for each DELIVERY SYSTEM
3
Monitoring system
11 Evaluate propose changing delivery system
Control System 4 Use delivery system to control
tasks
10 Evaluate and propose changing the way the
delivery system is used
AUDIT the BOXES Assess process quality for
each of the 8 Delivery Systems
9 Record and analyse performance, deviations,
incidents etc.
8 Corrections to on line performance of tasks at
the workface
Data collected from equipment, tasks, and other
sources (not delivery specific)
Quality on 0-10 scale of 8 Delivery System
outputs determined from CALCULATION MODEL
  • Quality of Procedures is function of
  • audited quality of 8 (AUDIT)
  • calculated quality of input from 4
  • weightings of their relative effects on output
    quality

7 Weighted Delivery System x Parameters Matrix
25
SYSTEM CLIMATE WITHIN WHICH THE SITE OPERATES
MANAGEMENT TASKS MODEL
1 Overall management organisation policy/system
adapt to system climate
INTEGRATED (PROBABLY) MANAGEMENT SYSTEM, COMMON
TO ALL LOOPS
12 Evaluate propose changing overall
management /or RCS system/policy
2
Company Risk Control and Monitoring System
Analyse risks design the control and
monitoring system adapt to system climate
3 Company system for managing and monitoring
delivery system adapt to system climate
3
MANAGEMENT SUB-SYSTEMS
Monitoring system
11 Evaluate propose changing delivery system
Control 4 system Use delivery system to
control tasks
10 Evaluate and propose changing the way the
delivery system is used
9 Record and analyse performance, deviations,
incidents etc.
8 Correct on line performance of tasks
Performance (8 delivery systems x number of
common mode management subsystems)
26
Audit Objectives
  • Integrated assessment
  • Major hazards as focus for articulation of
    management system
  • Modification at technical parameter
  • Sensitivity analysis for significant corrosion
    factors in management system
  • Use a microcosm to study the whole major hazard
    management system

27
Audit Procedure
  • Preparation
  • Construct technical model completeness of
    scenarios
  • Group basic initiating events into clusters
    with same management
  • Link initiating events to management system
    expert judgement
  • Map company SMS onto I RISK model who to
    interview / tailoring
  • Conduct
  • Auditor expertise process management
    benchmarking of industry
  • Focus on scenarios
  • Prompt lists and recording forms
  • Verification across interviews and with checks in
    practice

28
Audit Evaluation
  • Assessment per box
  • Scale of 1-10 compared to industry average
  • anchoring, baseline
  • Interrater reliability refinery, av. 0.74,
    range 0.1-0.8
  • ammonia, av. 0.73, range 0.49-0.96
  • Discussion or blind re-rating av. 0.85
  • Relative weighting of delivery systems
  • per task/parameter

29
MODELING OF THE SAFETY MANAGEMENT SYSTEM
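  • $y_i = f_i(x_i, y_1, \ldots, y_j, \ldots, y_I)$
  • $y_i$: output of box i
  • $f_i$: function of box i
  • $x_i$: state of box i
  • $y_j$ ($j \neq i$): input of box i
  • $y_i = k_{ii} x_i + (1 - k_{ii}) \sum_j c_{ij} y_j$, i.e. $y = Kx + (I - K)Cy$

  • $y = [I - (I - K)C]^{-1} K x$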

30
Management Technical Interface Model
31
MODIFICATION OF THE FREQUENCY OF LOC ACCORDING TO
THE SMS
  • $m_j = \sum_{i=1}^{8} y_{8i}\, w_{ij}$

  • mj modification factor of the jth technical
    parameter
  • y8i output of the ith delivery system (box 8)
  • wij weighting factor assessing the relative
    importance of the ith management delivery system
    on the influence of the jth technical parameter
  • j index running over the basic events of the
    kth group
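
The two formulas from the "MODIFICATION OF THE FREQUENCY OF LOC ACCORDING TO THE SMS" slides, combined in an added example that is not part of the original presentation. The scores, weights and parameter bounds are constructed sample values, and the requirement that the weights sum to 1 (so that $m_j$ stays on the 0-10 scale) is an assumption.

```python
import math

# Delivery systems as listed on the "DELIVERY SYSTEMS" slide.
DELIVERY_SYSTEMS = ("availability", "commitment", "communication", "competence",
                    "conflict_resolution", "interface", "procedures", "spares")


def modification_factor(y8, w_j):
    """m_j = sum_i y8_i * w_ij, with y8_i on the 0-10 audit scale."""
    if set(y8) != set(DELIVERY_SYSTEMS) or set(w_j) != set(DELIVERY_SYSTEMS):
        raise ValueError("need one score and one weight per delivery system")
    if any(not 0.0 <= v <= 10.0 for v in y8.values()):
        raise ValueError("delivery system outputs must lie in [0, 10]")
    # Assumption: weights are non-negative and sum to 1 so that m_j stays in [0, 10].
    if any(w < 0 for w in w_j.values()) or abs(sum(w_j.values()) - 1.0) > 1e-9:
        raise ValueError("weights must be non-negative and sum to 1")
    return sum(y8[k] * w_j[k] for k in DELIVERY_SYSTEMS)


def modified_parameter(f_l, f_u, m_j):
    """ln f_j = ln f_l + (ln f_u - ln f_l) * m_j / 10 (log-linear interpolation)."""
    if f_l <= 0 or f_u <= 0:
        raise ValueError("parameter bounds must be positive")
    return math.exp(math.log(f_l) + (math.log(f_u) - math.log(f_l)) * m_j / 10.0)


def rank_delivery_systems(f_l, f_u, w_j):
    """Sensitivity d(ln f_j)/d(y8_i) = (ln f_u - ln f_l) * w_ij / 10, largest effect first."""
    span = math.log(f_u) - math.log(f_l)
    sens = {k: span * w_j[k] / 10.0 for k in DELIVERY_SYSTEMS}
    return sorted(sens.items(), key=lambda kv: abs(kv[1]), reverse=True)


# Constructed sample data (not from the presentation).
SAMPLE_Y8 = {"availability": 6.0, "commitment": 5.0, "communication": 7.0,
             "competence": 8.0, "conflict_resolution": 4.0, "interface": 6.0,
             "procedures": 7.0, "spares": 5.0}
SAMPLE_W = {"availability": 0.10, "commitment": 0.15, "communication": 0.05,
            "competence": 0.30, "conflict_resolution": 0.05, "interface": 0.05,
            "procedures": 0.25, "spares": 0.05}
F_L, F_U = 1.0e-4, 1.0e-6  # per hour: poorest-SMS and best-SMS values of one failure rate

if __name__ == "__main__":
    m = modification_factor(SAMPLE_Y8, SAMPLE_W)
    print(f"m_j = {m:.2f}, f_j = {modified_parameter(F_L, F_U, m):.3e} /hr")
    for name, s in rank_delivery_systems(F_L, F_U, SAMPLE_W)[:3]:
        print(f"{name:20s} d ln f / d y = {s:+.3f}")
```

Because the interpolation is linear in $\ln f_j$, each delivery system's leverage on a parameter is proportional to its weight $w_{ij}$, which is what the ranking function reports.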

32
WEIGHTING FACTORS
33
DYNAMIC MODELING
  • $\dot{x} = Ax + By$ (1)
  • $A = [a_{ij}]$: influence of state of box j on rate of
    change of state of box i
  • $B = [b_{ij}]$: influence of output of box j on rate of
    change of state of box i
  • $y = [I - (I - K)C]^{-1} K x$ (2)
  • (1), (2): $\dot{x} = \{A + B[I - (I - K)C]^{-1} K\}\, x$

34
DYNAMIC MODELING
  • $\dot{x}_i = \sum_j a_{ij} x_j + \sum_j b_{ij} y_j + f_i(x_i)$
  • $f_i(x_i)$: state specific resistance
  • $\dot{x} = F(x) + \{A + B[I - (I - K)C]^{-1} K\}\, x$

35
CASE STUDY AMMONIA STORAGE TANK



36
EVENT TREE
(1)
(2)
(3)
8 EVENT TREES, 17 FAULT TREES, 128 BASIC EVENTS
37
GENERIC DELIVERY SYSTEMS
38
MODIFICATION FACTORS
39
Lower and upper values of technical parameters
40
CURRENT, BEST AND WORST CASE FREQUENCIES
41
IMPORTANCE ANALYSIS
  • $f_{LOC} = g(b)$
  • $b = u(q)$
  • qw(q)
  • qMy8MHx
  • IMPORTANCE MEASURE
  • fLOC frequency of Loss of Containment
  • b vector of basic events
  • q vector of technical parameters
  • x vector of state of managerial tasks

42
GENERIC DELIVERY SYSTEMS
43
MOST IMPORTANT TASKS
44
QUALITY OF DELIVERY SYSTEMS VERSUS TIME
45
PERFORMANCE SCORE VERSUS TIME
46
FREQUENCY OF FAILURE OF LOC VERSUS TIME
47
CASE STUDY LPG SCRUBBER
48
DIRECT CAUSES OF LOC
  • TOWER FAILURE FROM OVERPRESSURE CAUSED BY HEAT
    FLUX FROM EXTERNAL SOURCE
  • TOWER FAILURE FROM OVERPRESSURE, OWING TO
    OVERFILLING
  • TOWER FAILURE OWING TO AGING
  • TOWER FAILURE OWING TO FREEZING
  • EXTRA LOADS OWING TO A ROAD ACCIDENT

49
INITIATING EVENTS
  • EXTERNAL FIRE
  • HIGH INLET OF MEA OWING TO VALVE FAILURE
  • NO OUTLET OF MEA
  • HIGH INLET OF CAUSTIC
  • NO OUTLET OF CAUSTIC
  • HIGH INLET OF WATER OWING TO VALVE FAILURE
  • NO OUTLET OF WATER
  • HIGH INLET OF LPG
  • NO OUTLET OF LPG
  • OPERATING CONDITIONS OFF SPECIFICATIONS

50
SAFETY SYSTEMS
  • PRESSURE DETECTION SYSTEM
  • FIRE SUPPRESSION SYSTEM
  • PRESSURE SAFETY VALVES
  • LOW LEVEL PROTECTION SYSTEM IN TOWERS T6654,
    T6655, T6656
  • HIGH LEVEL PROTECTION SYSTEM IN TOWER T6654,
    T6655, T6656
  • TOWER INTEGRITY

51
EVENT TREE
(1)
(2)
(3)
10 EVENT TREES, 9 FAULT TREES, 41 BASIC EVENTS
52
GENERIC DELIVERY SYSTEMS
53
MODIFICATION FACTORS
54
FAILURE FREQUENCY CATASTROPHIC FAILURE OF TOWER
T6654
  • PLANT AS ASSESSED $4.7 \times 10^{-10}$/hr
  • BEST POSSIBLE CASE $1.1 \times 10^{-10}$/hr
  • WORST POSSIBLE CASE $1.2 \times 10^{-4}$/hr

55
EXTREME PHENOMENA FOLLOWING PLANT DAMAGE STATES
  • CATASTROPHIC FAILURE OF TOWER T6654 (2700 Kg
    LPG)
  • 1. BLEVE
  • 2. FLASH FIRE
  • 3. EXPLOSION

56
RISK INTEGRATION
[Figure: area (km²) where individual risk is above certain levels ($10^{-1}$ to $10^{-8}$ /yr); curves for the specific case, worst case and best case]
57
FREQUENCY OF FAILURE VERSUS TIME
58
GENERIC DELIVERY SYSTEMS
59
MOST IMPORTANT TASKS