Introduciendo factores externos de riesgo en el análisis de riesgo cuantitativo

Ernesto Salzano⁽¹⁾, Valerio Cozzani⁽²⁾

(1) Ph.D. Istituto di Ricerche sulla Combustione, CNR, Napoli, Italy. salzano@irc.cnr.it

(2) Ph.D. Prof. Dipartimento di Ingegneria Civile, Chimica, Ambientale e dei Materiali Alma Mater Studiorum - Università di Bologna, Bologna, Italy.valerio.cozzani@unibo.it

Recibido el 16 de noviembre de 2012, aprobado 30 de noviembre de 2012.

PALABRAS CLAVES

Eventos externos, análisis de riesgos cuantitativos, efecto dominó, NaTech, seguridad.

RESUMEN

El procedimiento convencional para la evaluación cuantitativa de riesgos de instalaciones industriales o áreas industriales, así como la planeación del uso de la tierra en relación a los principales peligros de accidentes deberían incluir escenarios de accidentes generados por factores externos de riesgos. En particular, el efecto dominó (también conocido como escalación o encadenados) debido a i) lugares cercanos, ii) eventos naturales como terremotos o inundaciones, iii) maloperaciones internacionales que, principalmente, se da por la interferencia de actos malintencionados. Una perspectiva de estos problemas se mostrará a continuación y se discutirán los enfoques actuales y futuros disponibles para la evaluación cuantitativa de estos factores externos de riesgo en el marco de la evaluación cuantitativa de riesgos (QRA).

KEY WORDS

External Events, Quantitative Risk Analysis, Domino Effect, NaTech, Security.

ABSTRACT

The conventional procedure for the Quantitative Risk Assessment of industrial installations or industrial areas, as well as for Land Use Planning with respect to major accident hazards should include the accident scenarios triggered by external hazard factors. In particular, domino effects (also known as escalation or knockon) due to i) nearby sites, ii) natural events as earthquakes or fooding; iii) intentional misoperation, due malicious acts of interference. An insight of these issues will be provided in the following, jointly to a discussion of the current and the future approaches available for the quantitative assesment of these external hazard factors in a QRA framework.

INTRODUCTION

Quantitative Risk Analysis is mandatory in good engineering practices for the safe running of chemical/industrial processes where hazardous substances are stored or manipulated. Nevertheless, deep inconsistencies, technical narrowmindedness, or even neglecting possible severe hazardous scenarios emerge when international guidelines, enforced norms, published papers and open or commercial software are analysed in the light of the hazard posed by external factors.

The population and the control authorities are detnitely asking for a comprehensive approach to risk analysis: that calls for multi-disciplinary (multirisk) methods able to consider all risk interdependences [4], [5], [34],[33].

Besides these considerations, specitc tools are necessary to successfully extend the risk assessment to include hazard factors. Quantitative Risk Assessment tools need to be applied to large scale complex systems such as industrial areas, chemical clusters and industrial parks, offshore plants and terminals, large installations, in-town production and storage plants. Indeed, several risk installations often coexist in the same area, thus, possibly leading to hundreds of possible accidental scenarios, which, in turn, may possibly interact with surrounding urban areas and industrial installation.

Within this framework, the present contribution is focused on three specitc external hazard factors that should be considered in the general procedure for risk assessment: i) escalation from nearby plants resulting in the domino effect (also known as cascade events or knock-on) that are catastrophic industrial accidents triggered by a primary escalation vector (a blast wave due to an explosions, radiation caused by fires, fragments projected by a catastrophic vessel failure) originated by a primary accidental scenario; ii) risks due to natural events interacting with industrial equipment; iii) risks related to a voluntary attack of an industrial installation.

DOMINO EFFECT

Domino effects are responsible for several catastrophic accidents that took place in the chemical and process industry. Hence, increasing attention is being paid to the analysis of this phenomenon in the scientitc and technical literature, starting from the pioneering studies carried out in the '90s [6], [12], [25], [27]. Quite obviously, the high severity of domino accidents also caused much concern in the legislation and in the technical standards aimed at the assessment and the prevention of accident escalation. In particular, the European legislation for the control of major accident hazards and for landuse planning in the vicinity of hazardous industrial sites requires that all the possible accidental scenarios caused by the domino effect are taken into account. More specitcally, the industrial sites falling under the obligations of the "Seveso" Directives (96/82/EC, 1996, and 2012/18/EU, 2012) must identify domino scenarios either within the plant boundaries or involving nearby plants. However, the lack of well assessed and widely accepted procedures for the estimation of the probability and even of the possibility of domino effects result in numerous diftculties in the application of these regulations, as well as in the elaboration and in the evaluation of safety reports.

The AIChE-CCPS guidelines [9] for Quantitative Risk Assessment (QRA) detne the domino effect as "an incident which starts in one item and may affect nearby items by thermal, blast, or fragment impact", causing an increase in consequence severity or in failure frequencies. Despite its clarity, the sentence is open to different interpretations and to different assumptions in the analysis of domino accidental scenarios. Thus, a necessary starting point was to detail the detnition of what must be intended as a domino accidental event, at least within the framework of the present study.

The analysis of the technical literature and of case histories concerning past accidents shows that all the accidental sequences where a relevant domino effect took place have at least three common features:

i) A primary accidental scenario, which initiates the domino accidental sequence;

ii)The propagation of the primary event, due to an "escalation vector" generated by the physical effects of the primary scenario that results in the damage of at least one secondary equipment item;

iii) One or more secondary events (i.e. tre, explosion, toxic dispersion), involving the damaged equipment items (the number of secondary events is usually the same of the damaged plant items).

It is important to recognize that, in order to be relevant in a QRA or in a landuse planning framework, the overall severity of the domino accident should be higher or at least comparable to that of the primary event. As a conclusion, for a relevant domino effect to take place, the "propagation" of the primary event has to be associated to an "escalation" of the overall scenario.

The assessment of possible domino scenarios starts with the identitcation of the possible secondary targets that may be damaged by the primary event.

This is usually performed by employing damage thresholds. As a matter of fact, the use of un-necessary conservative assumptions to detne thresholds for ac-cident escalation may turn out to be—in extremely high safety distances—impractical or unacceptable from a technical and economic point of view. Moreover, the use of extremely conservative thresholds for accident propagation results in the need to assess a huge number of possible secondary scenarios, in particular if complex lay-outs are considered. It must be remarked that the possible damage of secondary units by a single primary event results in the possibility of 2ⁿ different domino scenarios to be assessed in a QRA [17]. Therefore, the identitcation of the credible escalation scenarios based on reliable models for equipment damage is a central issue to allow the risk assessment and control of domino accidents.

The analysis of more than 100 domino accidents recorded in a well known data-base [32] allowed the identitcation of the physical effects responsible for the escalation that started the secondary scenarios. These were named "escalation vectors" in the following, and are listed in Table 1.

As shown in Table 1, toxic releases should not be considered a possible escalation vector. Indeed, this type of scenario was excluded from the present analysis because the physical effect (toxic concentration) does not result directly in a loss of containment (LOC) or in the damage of secondary equipment, even if toxic releases may cause escalation effects due to errors in emergency procedures and/or in emergency management following the primary accident (see also [28], for further details).

As a matter of fact, among the factors infuencing the possibility of propagation, the specitc features of the escalation vectors in the scenario considered may play an important role (e.g. the duration of the scenario may infuence the possibility of escalation due to radiation). Furthermore, the design features of the possible target equipment may also result in a quite different resistance to damages caused by the escalation vectors. However, these elements are seldom taken into account in the available escalation criteria reported in the technical literature.

Cozzani and Salzano [15] pointed out that there are many differences among the threshold values for accident escalation reported in the literature. Among the factors which may have caused these apparent inconsistencies, two seem to be the most important: i) the lack of indications on the specitc design and characteristics of process equipment to which the thresholds should be applied; and ii) the ambiguities in the detnition of either damage extension or loss intensity necessary to trigger an escalation.

An extensive work was carried out to obtain more robust values for escalation threshold. Observational data were combined to models developed for the assessment of equipment damage probability. An updated set of threshold values for escalation resulting in domino accidents was proposed by Cozzani in [18].

In the future, inherent safety principles and specitc actions, by means of either passive or active strategies, should be considered for domino effects [21], [41], [20].

The key point in the assessment of escalation is the availability of models for equipment vulnerability. Early approaches were based on yes/no (0/1) damage tables derived from threshold values [6]. More recently, the need for specitc damage models for the different categories of process equipment was recognized by [16]. These authors also introduced damage states and loss intensity categories in the framework of escalation assessment [36, 37]. These results were used by Landucci and coworkers to introduce an approach to damage probability models for equipment involved in fires [31].

The relevant work undertaken over the past decade rendered possible the quantitative risk assessment of domino accidents. Examples of individual and societal risk calculations are reported in the literature [17], [20] based on installation layout and population distribution [7]. Figure 1 reports an example of results obtained in the calculation of individual risk due to domino scenarios in a plant section. The calculations were carried out using the Aripar-GIS tool [19].

INTERACTION OF NATURAL EVENTS WITH INDUSTRIAL EQUIPMENT

When natural events interact with industrial facilities and in particular chemical, petrochemical and oil processing industries, severe releases of hazardous materials may be triggered, possibly resulting in direct damages and injuries to people in the nearby area, as well as in indirect damages due to the delay of rescue operations following the natural event [22], [29], [35]. These technological accidents triggered by natural events are detned as "NaTech" (Natural-Technologic) scenarios [30].

Therefore, Quantitative Risk Analysis (QRA) of industrial facilities has to properly take into account the multiple hazards threatening critical equipments, which may possibly lead to catastrophic accidents. Despite these considerations, engineering procedures able to quantitatively evaluate the effects of natural events on industrial equipment in a QRA framework are not well established, although the deterministic assessment of single case-studies is possible by the use of complex approaches based on tnite element structural analysis.

Thus, the availability of a simplited approach for the risk assessment of accidents triggered by external events in chemical and process plants is of utmost importance for the correct analysis of hazards due to major accidents [3]. In the following, a procedure developed for the quantitative assessment of the hazard due to accidental events triggered by external events in chemical and process plants is presented. The approach developed may be used for any natural event such as food, tornados, hurricanes, volcanoes, lands-lides. In the following, the application of the procedure to earthquake events is only presented for the sake of brevity.

SEISMIC HAZARD

Ground motions generated by seismic waves radiating from the earthquake focus to the site, may be related to three types of mechanisms that interact to generate the overall event: source, path and site. These parameters summarize all the random features of earthquakes, including energy, frequency contents, phases and others which may affect the structural response of process items [38]. Currently, the problem of the definition of good predictors for inelastic seismic behaviour of structures is one of the main topics of earthquake engineering. However, empirical vulnerability analyses are often carried out in terms of Peak Ground Acceleration (PGA), mainly because it is relatively easy to infer (i.e. by earthquake intensity conversion) while other, more complex, seismic intensity variables may not be available at the site of post-earthquake damage observation.

According to Probabilistic Seismic Hazard Analysis (PSHA) [13], the probability of exceedance of any seismic intensity variable IM (e.g. PGA) at any location should be always related to a time interval T – in the present case the service life of the structure. Eventually, a seismic hazard H (or "exceedance probability") is defined through the following equation:

which represents the probability that a given seismic intensity exceeds the constant value a during the time interval T. Local authorities commonly provide tools for PSHA in terms of the intensity measure of interest both in Europe and USA (i.e. http://www.usgs.gov) . If different intensity parameters are used, all ground shaking parameters are related: details of correlation may be found elsewhere [11].

When equipment structural damage probability due to seismic action should be estimated, the probability of the collapse of the system should be evaluated for all possible values of seismic intensity (IM) combined with the probability of occurring of the specific seismic intensity:

Given any value of IM(PGA), and its probability of occurrence, it is, thus, essential to define the probability of structural failure of equipment.

VULNERABILITY: STATISTICAL INFERENCE OF EARTHQUAKE DAMAGE

In [38] and [23], the concept of limit states for the classification of equipment damage following HAZUS damage classification [26] was used. A linguistic term DS was referred to the mechanical (structural) damage, whereas the term RS was used in order to define the loss of containment derived from the DS level of damage to equipment. In the same papers, the probability of occurrence of any limit state PDS or PRS was assessed by the use of fragility curves, starting from a consistent data set describing the behavior of equipment loaded by earthquakes:

where β is respectively the standard deviation of the natural logarithm of PGA for the damage state DS or RS and μ, is the median value of the PGA at which the equipment reaches the threshold of damage state DS or RS.

From the analysis of fragility data, a probit function can be easily developed. This statistical tool is useful to achieve a linearization of the results that allows on one hand the identification of threshold values, on the other an easy implementation of the approach within numerical codes for quantitative risk assessment. Details on these functions are given by Finney in [24].

Quite clearly, fragilities may be evaluated either numerically, by means of appropriate numerical codes, or by experimental data, i.e. using the historical database reporting the damage experienced by similar equipment under the load of earthquakes characterized by similar intensities.

Salzano et al. in [38], and Fabbrocino et al. in [23] analysed existing data concerning post-earthquake damage observations for steel atmospheric tanks containing flammable liquid fuels, in order to optimize the limit state classifications of equipment response. More in detail, five degrees of mechanical damage DS were reviewed to identify three levels of the intensity of loss of containment, defined as RS (Release State): no loss – RS1, moderate loss – RS2, extensive loss of containment – RS3. The probability of occurrence of any limit state was thus assessed by fragility curves, starting from a consistent historical data set describing the behaviour of tanks subjected to earthquakes:

In Eq. 4, PGA represents the seismic intensity (IM) that was assumed to trigger the failure corresponding to the preassigned limit state. As discussed above, experimental lognormal fragility curves for steel storage tanks were converted into probit functions:

where Y is the probit value, and PGA is expressed in terms of gravity acceleration g. As showed in Eq. (5), the probit function Y allows a useful and fast correlation of probit values to a dose (in this case represented by the PGA value) by means of the two constants k₂ and k₂. For any limit state RS, the probit function Y can be related to the probability of occurrence P by means of the following integral:

Numerical or graphical solution of this integral are reported in the literature. Details of the entire statistical procedure are extensively discussed elsewhere [24].

Fabbrocino et al. in [23] report the coefficients calculated for the fragility and probit values for every RS level, for different tank filling levels, for either unanchored atmospheric storage tank or anchored storage tank. These were obtained from a specific statistical analysis based on consistent number of data reported in the literature.

For the same equipment categories, Table 2 reports the minimum threshold value of PGA for loss of containment (PGA_k). Results show that, as expected, PGA_k strongly depends on the filling level. The absolute minimum value for RS3, which is important for risk assessment purposes, since catastrophic releases may trigger accidental scenarios, was reached for near full unanchored storage tanks. This value may be considered as the conservative option in a QRA context, if limited information is available on the type of foundation of tank and on the filling level, which possibly varies with time.

The above approach was further developed by Campedel et al. in [8] and Salzano et al. in [39], that obtained a quantitative assessment of seismic-induced scenarios in process plants using specific software for risk recomposition [1].

SECURITY

After 9/11, the concern for security issues related to process plants and oil & gas installations greatly increased [10]. If security is a concern, ruling out sabotage (internal) and weapon attack (e.g. rifles), an attack using explosives may occur both in the farfield and within the industrial domain, which can be either intended to affect the industrial system or aimed at the urban system or any possible non-industrial target, hence indirectly hitting the installation (Figure 2).

When far-field attacks are considered, some considerations should be addressed to the mass of explosive needed to reach the target (e.g., the primary installation). A minimum pressure of 7kPa [18] is considered as the conservative threshold value for structural damage to process equipment, whatever the primary explosion in terms of duration, and assuming TNT as reference explosive. Thus, by the inverse problem, the minimum amount of TNT needed to cause damage to a reference installation may be calculated with respect to the effective distance for the propagation of shock wave having the necessary intensity to cause damage. The distance can be compared with the radius of protection of the installation, r_max in Figure 2, by using the well-known mass-scaled plot for point-source explosives. This evaluation is plotted in Figure 3, where it is clear that the mass of explosive needed to reach even the very conservative reference threshold value assumed (7kPa) is absolutely out of reach of a terrorist attack for distances over about 250 m, for which 2 tons of TNT are needed. This value can be further limited if considering that the explosive strength is generally evaluated by considering a flat, desert system, which is not the typical situation when either indirect or direct actions are considered. Indeed, buildings, plant walls, urban environment or in many cases the local orography may protect the installation from attack. Finally, taking the industrial domain as the area with r < r_max and the near field as r << r_max, it can be derived that attacks with explosives are unlikely to produce structural damage to industrial installation in the far-field. The industrial installation is inherently safe for distances over 250 m with respect to explosives if loss of containment is considered. This value is absolutely compatible with typical values for VCEs and other industrial scenarios.

CONCLUSIONS

A comprehensive and complete risk assessment of chemical and process plants, as required by modern society, should be addressed to include all type of initiating events in the analysis. Thus, natural events, external attacks, or industrial accidents occurring in surrounding installations should be included in the analysis. Indeed, triggering causes not related to faults or human errors in the system of concern are usually defined as "external events" and may affect the integrity of process installations and of process equipment, giving rise to catastrophic consequences involving the release of large quantities of flammable and/or toxic materials.

The present contribution summarizes the recent results obtained by the authors within this framework. Simplified tools were developed to extend the QRA approach to include the risk due to "external events". Specific external triggering events such as domino effects, earthquakes and attack with explosive were analyzed, mainly aiming to define conservative thresholds for damage and escalation with respect to the identified escalation vectors.

REFERENCES

[1] G. Antonioni, G. Spadoni, V. Cozzani. "A methodology for the quantitative risk assessment of major accidents triggered by seismic events". Journal of Hazardous Materials Vol., 147 No. 1, Aug. 2007, pp. 48-59.         [ Links ]

[2] G. Antonioni, G. Spadoni, V. Cozzani, "Application of Domino Effect Quantitative Risk Assessment to an Extended Industrial Area". Journal of Loss Prevention in the Process Industry Vol. 22 No. 5 Sep, 2009 pp. 463-477.         [ Links ]

[3] G. Antonioni, S. Bonvicini, G. Spadoni, V. Cozzani. "Development of a general framework for the risk assessment of Na-Tech accidents. Reliability Engineering and Safety Systems" Vol., 94 No. 9 Sept. 2009 pp.1442-1450.         [ Links ]

[4] T. Aven. "A unified framework for risk and vulnerability analysis covering both safety and security". Reliability Engineering and System Safety Vol., 92 No. 6 Jun, 2006 pp.745-754.         [ Links ]

[5] T. Aven. "Identification of safety and security critical systems and activities". Reliability Engineering and System Safety. Vol., 94 No. 2 Feb, 2008 pp. 404-411.         [ Links ]

[6] D.F. Bagster, R.M. Pitblado. "The estimation of domino incident frequencies: an approach". Process Safety Environmental Protection. Vol., 69, 1991 196-199.         [ Links ]

[7] S. Bonvicini, S. Ganapini, G. Spadoni, V. Cozzani. "The description of population vulnerability in Quantitative Risk Analysis. Risk Analysis" Vol., 32 No. 9 Feb, 2012 pp.1576-1594.         [ Links ]

[8] M. Campedel, V. Cozzani, A. Garcia-Agreda, E. Salzano. "Extending the Quantitative Assessment of Industrial Risks to Earthquake Effects". Risk Analysis Vol., 28 No. 5 Oct, 2008 pp.1231-1246.         [ Links ]

[9] CCPS. Guidelines for Chemical Process Quantitative Risk Analysis, II Ed., New York: AIChE, 2000.         [ Links ]

[10] CCPS. Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites, AIChE: New York, 2003.         [ Links ]

[11] R.W. Clough, J. Penzien. Dynamics of Structures. New York: McGraw-Hill, 1982.         [ Links ]

[12] S. Contini, S. Boy, M. Atkinson, N. Labath, M. Banca, J.P Nordvik. 1996. "Domino effect evaluation of major industrial installations: a computer aided methodological approach" Presented in: European seminar on domino effects, Leuven.[electronic medium]. Available: http://www.microrisk2001.gr/cozzani1.doc         [ Links ]

[13] C.A. Cornell. "Engineering Seismic Risk Analysis". Bulletin of the Seismological Society of America. Vol., 58 No. 5 Oct, 1968 pp. 1583-1606        [ Links ]

[14] The Council of the European Union. "Council Directive 96/82/EC of 9 December 1996 on the control of major-accident hazards involving dangerous substances". Official Journal of the European Communities. L 10/13, Dec, 1996, 14.1.97.         [ Links ]

[15] V. Cozzani, E. Salzano. "Threshold values for domino effects caused by blast wave interaction with process equipment". J. Loss Prevention in the Process Industries Vol., 17 No. 6 Nov, 2004 pp. 437-447.         [ Links ]

[16] V. Cozzani, E. Salzano. "The quantitative assessment of domino effect caused by overpressure. Part I: probit models". Journal of Hazardous Materials. Vol., 107. No. 3 March, 2004 pp. 67-80        [ Links ]

[17] V. Cozzani, G. Gubinelli, G. Antonioni, G. Spadoni, S. Zanelli. "The assessment of risk caused by domino effect in quantitative area risk analysis". Journal of Hazardous Materials Vol., 127 No. 1-3 Aug, 2005 pp. 14-30.         [ Links ]

[18] V. Cozzani, G. Gubinelli, E. Salzano. "Escalation Thresholds in the Assessment of Domino Accidental Events" Journal of Hazardous Materials Vol.,129 No.1-3 Feb, 2006a pp. 1-21.         [ Links ]

[19] V. Cozzani, G. Antonioni, G. Spadoni. "Quantitative assessment of domino scenarios by a GIS-based software tool". Journal of Loss Prevention in the Process Industry. Vol.,19 No. 5 2006 pp. 463-477.         [ Links ]

[20] V. Cozzani, E. Salzano, A. Tugnoli. "The development of an inherent safety approach to the prevention of domino accidents". Accident Analysis and Prevention. Vol., 41 No. 6 Nov, 2009 pp. 1216-1227.         [ Links ]

[21] V. Cozzani, A. Tugnoli, E. Salzano. "Prevention of domino effect: from active and passive strategies to inherently safe design" Journal of Hazardous Materials. Vol., 139. No. 2, 10 Jan, 2007 pp. 209-19.         [ Links ]

[22] V. Cozzani, M. Campedel, E. Renni, E. Krausmann. "Industrial accidents triggered by flood events: analysis of past accidents". Journal of Hazardous Materials Vol., 175. No 1-3 Mar, 2010 pp. 501-509.         [ Links ]

[23] G. Fabbrocino, I. Iervolino, F. Orlando, E. Salzano. "Quantitative risk analysis of oil storage facilities in seismic areas" Journal of Hazardous Materials Vol., 123 No.1-2 Aug, 2005 pp. 61-69.         [ Links ]

[24] D.J. Finney. Probit analysis. London:Cambridge University Press, 1971.         [ Links ]

[25] J. Gledhill, I. Lines. "Development of methods to assess the significance of domino effects from major hazard sites, CR Report 183", in Health and Safety Executive. New York: 1998.         [ Links ]

[26] HAZUS, 1997. Earthquake Loss Estimation Methodology, National Institute of Building Science, Risk Management Solutions, Menlo Park, CA.         [ Links ]

[27] F.I. Khan, S.A. Abbasi. "Models for domino effect analysis in chemical process industries". Process Safety Progress. Vol.,17 No. 2 Aug, 1998 pp.107-123.         [ Links ]

[28] F.I. Khan, S.A Abbasi. "An assessment of the likelihood of occurrence, and the damage potential of domino effect (chain of accidents) in a typical cluster of industries". Journal of Loss Prevention. Vol., 14 No. 4 July, 2001 pp.283-306.         [ Links ]

[29] E. Krausmann, E. Renni, M. Campedel, V. Cozzani. "Industrial accidents triggered by earthquakes, floods and lightning: lessons learned from a database analysis". Natural Hazards Vol., 59 No. 1 Oct, 2011a. pp.285-300.         [ Links ]

[30] E. Krausmann, V. Cozzani, E. Salzano, E. Renni. "Industrial accidents triggered by natural hazards: an emerging risk issue". Natural Hazards and Earth System Sciences. Vol., 11 March, 2011b pp. 921-929.         [ Links ]