The Fundamentals of Process Safety Risk

The word 'risk' has a wide range of meanings. In the context of process plant management, it can be categorized in one of three ways.

The first type of risk is to do with catastrophic events and serious safety violations. They can also have a major effect on a company's financial performance to the point where the organization can be driven into bankruptcy. Such events can lead to fatalities, major environmental problems, huge economic losses, bad public relations, civil litigation and even criminal prosecution. Although such events are rare, they have a major impact on the development of management systems and regulations. They area also a driving force for new and updated regulations, as can be seen from the discussion to do with the proposed updates to OSHA Process Safety Standard, and the EPA Risk Management Program.

The second type of process risk is to do with troubleshooting in which equipment items are not operating as they should. Examples of "trouble" are:

• A critical pump breaks down on numerous occasions.

• Steam consumption is up 10%, and no one seems to know why.

• The quality of the final product is erratic.

The risk associated with events such as these is primarily economic. However, if such situations are not taken care of properly, unsafe conditions could develop, not least because workers are required to break down equipment or work on electrical systems, thus exposing them to potential safety problems.

The third type of risk is to do with potential events. It is related to troubleshooting but implies a higher degree of predictability. Items are predicted to fail with a certain frequency, and they are repaired and put back into service in before they actually fail.

The management systems used to control these different types of risk have much in common with one another, but they are not identical, particularly when it comes to the prevention of catastrophic events.

Components of Risk

Risk, which always implies some type of negative outcome, is made up of three components:

1. Hazards;

2. The consequences of the hazards; and

3. The predicted frequency (likelihood) of occurrence of the hazards.

These three terms can be combined as shown in Equation (1).

     Risk(Hazard)  =  Consequence  *  Predicted Frequency . . . . . . (1)

Equation (1) shows that risk can never be zero — a truth not always grasped by members of the general public or the news media. Hazards are always present within all industrial facilities. Those hazards always have undesirable consequences, and their likelihood of occurrence is always finite. The consequence and likelihood terms can be reduced in size, but they can never be eliminated. The only way to achieve a truly risk-free operation is to remove the hazards altogether (or, with respect to safety, to remove personnel from the site).

Hazards

The first term in Equation (1) is the hazard. A hazard is a condition or practice that has the potential to cause harm, including human injury, damage to property, damage to the environment or some combination of these. The key word in the definition is “potential”. Hazards exist in all human activities but rarely result in an incident. For example, walking down a staircase creates the hazard of “falling down stairs”, with the consequence of an injury, ranging from minor first-aid to a broken limb or even death. However most people, most of the time, manage to negotiate a flight of stairs without falling.

Some of the hazards associated with the second standard example that we use in our books and ebooks are:

1. Tank T-100 is pumped dry.

2. Tank T-100 overflows.

3. P-101A seal fails.

4. V-101 is over-pressured.

5. Liquid flows backward from V-101 into T-100.

6. Other.

One of the greatest challenges to do with practical risk analysis is defining the scope of the hazard term. For example, with respect to the second hazard, the overflow of T-100, simply to say that RM-12 overflows from T-100 is not enough. There is an enormous disparity between having a few drops spill into a closed drain system and having thousands of liters of the chemical pour on to the ground and then flow into the local waterways.

Similarly, with regard to the fifth hazard - “Liquid flows backward from V-101 into T-100” - there is a world of difference between a reverse flow of a few milliliters of RM-12 lasting for a few seconds and a reverse flow of thousands of kilograms of material lasting for an hour or more.

The final hazard listed is “Other”. This term is included as a reality check. No risk management team, no matter how well qualified the members may be or how much time they put into the analysis, can ever claim to have identified all hazards. Throughout this book the 'other' term is used in all types of analysis in order to keep everyone on their toes and thinking creatively as to ‘what might be’.

Consequence

Once the hazards associated with a process have been defined, the corresponding consequence and likelihood values can be determined. The consequence of an event usually falls into one of three categories:

• Safety;

• Environmental; and

• Economic

For many companies, safety is the driver; they reason that, if they can avoid people being hurt, then the environmental and economic performance will follow along.

Predicted Frequency

Each event has a predicted frequency of occurrence, such as once in a hundred years.

The word “predicted” is used to point out that the future frequency of an event is not necessarily the same as its historical frequency, particularly if the risk management program is effectively reducing the chance of a failure from occurring.

Nor is frequency the same as probability. An item has a frequency of failure measured in inverse time units. The consequences of that event may be mitigated by a safeguard, which has a (dimensionless) probability of occurrence. For example, high level in a tank may occur once every year. However, the tank has level control instruments that detect high level and stop the flow of liquid into the tank. These instruments may have a probability of failure of 0.01 or 1%. Therefore, the likelihood of a system failure is 0.01 yr-1, i.e., once in 100 years.

Overall Risk

Figure 1 shows that an inverse relationship generally exists between consequence and frequency. For example, in a typical process facility, a serious event such as the failure of a pressure vessel may occur only once every ten years, whereas trips and falls may occur weekly.

Figure 1 Likelihood vs Consequence: Credit: Ian Sutton

FN Curves

The total risk associated with a facility is obtained by calculating the risk value for each hazard, and then adding all the individual risk values together. The result of this exercise is sometimes plotted in the form of an FN curve as shown in Figure 2 in which the ordinate represents the cumulative frequency (F) of fatalities or other serious events, and the abscissa represents the consequence term (usually expressed as N fatalities). In Figure 2 it is projected that the organization will have a fatality about once every fifty years, whereas a major event (say more than 10 fatalities) will occur every thousand years or so.