QRA of accidental events initiated by leaks causing a fire in process industries

Radim Briš, Ondřej Grunt


Introduction
Process industry, such as an offshore production, exposes personnel to risk of injury or fatality. Probability of fatality in real practical situations depends on many random events that may occur during a potential accident, which are difficult to quantify at a specific time instant or in the course of a time interval. This results in over- or under-estimation of risk.
After several disasters, Quantitative Risk Assessment methods were applied for evaluation of the risk [13] of injury or fatality due to an accident. All events potentially occurring during the accident are quantified, leading to an estimation of the risk of fatality. The quantification of the risk is very often carried out by the application of Event Trees [6]. Event Trees (ET) are relatively simple and easily understood, but there are some disadvantages of using them, such as: A hydrocarbon-related incident on a processing plant and the response to it by personnel working in the plant are time-dependent events whilst ET is a steady state method. An incident and the subsequent plant response evolve where the branches of the incident and response sub-events are generated throughout the incident. This should be reflected by actions of personnel, with probabilities on both the incident/plant response side and the personnel side. Such interactions in a time-dependent manner are not possible to represent by Event Trees.

Risk to safety of personnel in process industries is normally modelled by the application of Event Trees, where the risk is defined as a product of event frequency and its consequences. This method is steady state whilst the actual event is time dependent. For example, gas release is an event comprising the size of gas cloud being released, probabilities of ignition, fire or explosion, fatality, escalation to new releases and fire and/or explosion, and the probability of fatality, all varying with time. This paper brings a new perspective on how the risk to safety of personnel could be evaluated in a dynamic context. A new approach is presented whereby the time-dependent events and the time-dependent probability of fatality are modelled by means of an analytical computation method based on modeling of different accident scenarios by use of the directed acyclic graph (DAG) and Fault Tree Analysis (FTA) method. Using these methods, the modeled scenarios change with relevant probabilities at defined times to configurations with appropriate probabilities of fatalities. The paper uses a realistic example from the offshore industry, where different sizes of leak have different probability characteristics. Specifically small, medium and large leaks are evaluated. Based on the dynamic evolution of the probability of fatality, it is concluded that the most dangerous leak is the large one. Probability of fatality caused by the leak increased very rapidly within first 5 minutes. At the end of 5th minute, there is approximately one order of magnitude difference in the probabilities of fatality associated with the respective leak sizes.
The main body of the ET is used for probabilities of events, whilst the probabilities of fatalities associated with the events are normally included as one cumulative number at the right hand end of the ET. This causes difficulties in finding contributions and sources of event-related fatality probabilities, and, in general, the traceability may be difficult. There is a possibility of constructing an ET which would be large enough to include both the events probabilities and the fatalities probabilities associated with each event, but such an ET would be difficult to modify and manage.
It takes time to build an ET, and standard ETs are often used. These provide a rapid first application, but tend to be rather coarse and their results may not be of the desired accuracy. ETs also tend to be difficult to modify, which makes it time-consuming to explore various design alternatives.
In most cases a method capable of modeling dynamic processes is required. In [1], risk analysis of offshore drilling by using Bow-tie analysis and real time barriers failure probability assessment of offshore drilling operation is shown. The need for better failure analysis of operational barriers in the offshore industry resulted in the Barrier and Operational Risk Analysis (BORA) project [16], with the methodology of BORA presented in [2].
Risk management that takes into account the time-dependence of the event in the consequence assessment, by means of the application of the approach of the dynamic geoevent, was presented in [10].
Another method, Monte Carlo (MC) simulation, was used in [7] to identify the factors contributing most to the probability of fatality following hydrocarbon leak occurrence on an offshore platform. In recent years, Petri Nets (PN) have frequently been used as an alternative to the ET method. Because PN lack the biggest ET limitation, the inability to represent dynamic processes, they often lead to a more desirable model of the risk to personnel in process industries. PN can substitute ET in representation of a steady-state system. It is entirely possible to convert ET to PN with little difficulty [11]. As the probability of event occurrence in PN can be time-dependent, it is also possible to represent a dynamic industry process by a PN model based on a steady-state representation in the form of an ET model [15]. In [5], a combination of PN and MC simulation was used to evaluate production availability of a multi-state, multi-output offshore installation with operational loops, where PN provided the necessary flexibility to describe the realistic aspects of system behavior. In [14] Reliability Block Diagrams (RBD) are used as guidelines to build large PN. RBD-driven PN are shown to be very effective in modeling safety systems.
This paper presents a method whereby the time-dependent events and the time-dependent probability of fatality are modeled by means of an analytical method. A practical example and data from a typical offshore hydrocarbon production facility are used to quantify risk of injury or fatality of working personnel. A "Leak (Small, Medium, Large) in Zone 8" (see description of Zone 8 in Section 2) of a typical offshore hydrocarbon production installation is used, as this event represents the highest frequency of potential hydrocarbon accidents on the typical offshore facility. The objective is quantification of probability of fatality of a person working and escaping from the separation and compression Zone 8.
The subject of this paper is complex. It is based, however, on data and experience from actual installations and life threatening incidents. The reader is therefore advised to develop a "picture in the mind" of the typical installation as shown in Figure 1, and the "incident examples". The application and incident basis as well as the detailed description of hydrocarbon-related incident with leaks are presented in Section 2. Section 3 focuses on the application of the analytical computation method based on modeling of scenarios by the use of directed acyclic graph (DAG) and Fault Tree (FTA) methods. The results of the quantification are presented in Section 4. Section 5 presents conclusions reached in this paper.

Application example and incident basis
Figure 1 shows an example of a typical offshore production installation consisting of a wellhead platform (WHP), production and riser platform (PRP), and accommodation platform (AP), all connected by bridges. The installation is sub-divided into 10 Zones according to the nature of the plant or activities. Hydrocarbons being produced come up from a reservoir onto WHP in the form of multi-phase fluids, which are piped across the bridge to the PRP, where they are separated into oil, gas, and water and sand. Produced oil and gas are piped through risers and pipelines to a terminal located on-shore. Living quarters are provided on the AP, which is connected to PRP by a bridge. The installation is provided with a standby vessel, which would be located 100 m away from the installation.
The main risk on the installation is from potential leaks of the produced hydrocarbons on WHP or PRP. The primary escape and evacuation route from the installation is to the AP, where installation personnel evacuate by free-fall lifeboats. The three lifeboats shown in Figure 1 are of the minimum capacity of the capacity of the installation. The secondary escape and evacuation route is to the WHP, which is equipped with one free-fall lifeboat. The WHP lifeboat capacity would be based on the number of personnel on WHP plus PRP at any one time. Tertiary evacuation capacity is provided on WHP and PRP by life rafts.
In case of evacuation the evacuees are transferred by the lifeboats and life-rafts to the standby vessel. There are 36 personnel on the installation working in two 12-hour shifts: 26 are technical personnel, who work in various areas of WHP and PRP, and 10 are service personnel such as cooks, cleaners, etc.
This paper focuses on the hydrocarbon-related risk, where the highest risk is in the wellheads and manifolds area on the WHP (Zone 3) and then in the separation and compression area on the PRP (Zone 8). The various areas are segregated by firewalls, blast walls, plated decks, various rooms and by distances.
Leak frequencies in Zone 8 based on statistical observations may be estimated as follows:
g) Personnel would make their workplace safe and start to escape.
These actions normally happen within the first 1 minute of the leak detection.
The probability of ignition of the leaking hydrocarbon would be minimized by the shut-down and blowdown, but the leaking hydrocarbon may still ignite immediately or with some delay. Immediate ignition of leaking pressurised gas would result in a jet fire, whilst a relatively large gas cloud may accumulate and explode following a delayed ignition. Explosions or prolonged jet fires may damage the plant and structures of the installation. Calculations and trials show that personnel should be able to escape to the lifeboats and evacuate from the installation to the sea within 30 minutes after the start of the leak.

Problem formulation and application example
It is important to know the possible development/escalation of incidents on the installation, and the implication on escaping personnel in first phases of the accident, as personnel may be trapped or injured by collapsing plant or structures with resultant fatalities. Table 1 summarizes such events with associated probabilities for a person working and escaping from separation and compression Zone 8 on Level 2 of the PRP, related to small, medium and large leaks respectively. $P_{is}$, $P_{im}$ and $P_{il}$, $P_{fs}$, $P_{fm}$ and $P_{fl}$, and $P_{es}$, $P_{em}$ and $P_{el}$ denote the respective probabilities of ignition, hydrocarbon-related fatality and escalation to bridge for small, medium and large releases. $P_f$ denotes the probability of fatality related to the escape to sea by jumping into the sea.
In Table 1, composed of data from [12], for example, an immediate ignition of a medium release with $P_{im} = 0.03$ may result in an immediate fatality with $P_{fm} = 0.1$. As an alternative, the person may escape unhurt from the leak area behind the nearest fire/blast wall and continue to the PRP-AP bridge, but the bridge may lose support due to the fire damage of PRP. As a result, the escaping person may be trapped by the PRP on fire and the damaged bridge and he/she may need to escape by jumping into the sea the secondary route to WHP. In this case, $P_{im} = 0.03$, $P_{em} = 0.1$ and $P_f = 0.7$.
Personnel escaping on the basis of scenarios described in Table 1 may be exposed to an insufficient condition for evacuation (ICFE), which results in fatality, the probability of which is to be computed. The objective of this paper is quantification of probability of fatality of a person working and escaping from separation and compression Zone 8. This probability is a time dependent function. We are particularly interested in the behavior of the function during the initial part of the accident. The initial event of the accident is a hydrocarbon leak and we are considering three sizes of the leak: small, medium and large. As Table 1 illustrates, the leak is detected during the 1st minute, personnel start to escape, but the time of ignition varies (with associated probability) and so also varies the time of fatality with its associated probability.

Method
One possibility to find the probability of ICFE is the ET method. ET is an inductive logic method for identifying the various accident sequences [8] which can be generated from a single initiating event. The approach is based on the discretization of the real accident evolution into a few macroscopic events. The accident sequences which derive are then quantified in terms of their probability of occurrence. But ETs, which are at present widely used for the estimation of risk, are steady state, whilst the configuration and actions of the systems analyzed may change with time, with associated probabilities of the changes and their outcomes. ET is not a good approach for the characterization of dynamic evolution of time dependencies of the probability of ICFE (resulting in fatality). In this paper we use an analytical method for this purpose, based on modeling of scenarios by the use of DAG and FTA as well.
Another possibility to solve the problem is using the direct MC simulation method, which is frequently used to solve dynamic problems [9]. The MC simulation method has formally existed since the early 1940s, but became widely used only with increasing computer technology and power. The MC method enables modelling of complex processes without the need of making unrealistic simplifying assumptions, as is inevitably done when using analytical methods. With the increasing availability of fast computers, MC methods become more powerful and feasible. The above-mentioned offshore problem was successfully solved by the MC method in [6,7].
There are several events which can occur. We do not know when they occur or if they occur at all, but we know the probability of their occurrence. We can simulate event occurrence times through these probabilities. It is as if we built an offshore platform model and studied how the system and personnel react to different leak sizes and different ignition times. As this approach would obviously be too expensive, we construct a virtual model which consists of events, their probabilities and the relationships between them. The key part of the MC method is to define these events, probabilities and relationships (Table 1).
An example of one MC simulation: Small leak occurred. Alarm was activated. Installation was shut down and depressurization was started. Leak ignited after either 1 or 2 minutes. Person was behind the firewall and survived the explosion. Person started escaping via stairs to the PRP-AP bridge. He succeeded in reaching the Accommodation Platform. All events (type of leak, ignition time, person surviving explosion) which occurred in our example were generated at random from given probabilities. This sequence of events is just one of the possible scenarios generated by a small leak. We cannot simulate all of them, but we can simulate enough to get sufficiently accurate results by statistical evaluation. In some cases, however, the application of the direct MC technique suffers from slow convergence. If possible, an analytical method for exact probability quantification may be used.

Analytical method for exact probability quantification
The main objective of the analytic method is to find the time evolution of the probability of occurrence of a TOP event during a mission time. One example of the TOP event to be analyzed is shown in Figure 2. The TOP event, which in a real dangerous emergency situation may be an event causing the ICFE (resulting in fatality), is demonstrated by the use of a DAG, originally described in [3]. A graph is composed of nodes and edges that are numbered. The highest node (TOP node) represents the TOP event, the probability of which is to be calculated in a time evolution. Internal and terminal nodes represent source events, which are either sub-events (e.g. failure events on subsystems) or terminal events (input events such as random failures or accidents). All of the nodes are bounded by edges. The direction of the graph is not explicitly marked in Figure 2; it is given implicitly by projection onto the vertical direction. The graph is acyclic, which means that two immediately bound nodes are connected just by one edge, i.e. it cannot contain feedback loops.
Nodes are numbered in increasing order beginning from the highest TOP node. Internal numeration of nodes is such that a node cannot be inferior to a node with a greater number.
As Figure 2 shows, terminal nodes of the DAG are marked by black squares. They represent stochastic behavior of input events, mostly given by their probability distribution. Internal (nonterminal) nodes are marked by black circles. They represent stochastic behavior of sub-events. A sub-event occurs at a given time point just in the case when the number of active inferior edges (i.e. the number of inferior sub-events or terminal events that occurred at the same time point) reaches at least the number in parentheses; otherwise it does not occur. For example, the sub-event marked by 3(1) occurs just in the case when the number of active inferior edges is at least 1, i.e. when either the terminal event 2 (black square 2) or sub-event 6(3) occurs.
The DAG described above can be compared with a Fault Tree (FT) or Success Tree, both of which are frequently used in PRA (Probabilistic Risk Assessment) methodology, where internal nodes represent logic gates. The DAG is a more general representation than FT, because basic gates (AND, OR, etc.) do not require specific description but can be introduced uniformly as internal nodes. A fault tree constructed equivalently to the DAG from Figure 2 is demonstrated in Figure 3.
- installation shutdown.
- Fire impinging on flanges and structures.
- Flanges lose their tightness resulting in escalation to additional fire(s).

Person
- Person working in Zone 8.
- Making working area safe.
- Considering the situation, deciding which way to escape and starting to escape.
- Escaping person located behind the nearest fire/blast wall.
- Person escaping via stairs to the PRP-AP bridge.
- Escaping person on the PRP-AP bridge.
- Person trapped because of the PRP-AP bridge damage and the escalating fires in PRP.
- Person escapes to the sea.

Plant
- Leak in Zone 8.
- Fire impinging on flanges and structures.
- Flanges lose their tightness resulting in escalation to additional fire(s).

Person
- Person working in Zone 8.
- Making working area safe.
- Considering the situation, deciding which way to escape and starting to escape.
- Escaping person located behind the nearest fire/blast wall.
- Person escaping via stairs to the PRP-AP bridge.
- Escaping person on the PRP-AP bridge.
- Person reaches the AP.
- Embarkation into the lifeboats on the AP.
- Lifeboats launched, sailing away from the AP and reaching the standby vessel.

As a first step of the analysis we have to find the time evolution of the probability of ICFE (TOP event) during a mission time, which was fixed to 300 sec (i.e. 5 min). The ICFE may be reached either by Scenario 1, initiated by ignition within interval 0-1 min (node 2(1) in Figure 2), Scenario 2, initiated by ignition within 1-2 min (node 3(1) in Figure 2), or Scenario 3, initiated by the ignition within 2-5 min (node 4(1) in Figure 2); see Table 1. All three scenarios are mutually exclusive events. We see further in Figure 2 that terminal nodes 6, 8 and 9 are dependent events, because these events are repeated in both Scenarios 1 and 2 (6 is fatality behind the nearest fire/blast wall, 8 is PRP-AP bridge damage and 9 is fatality of the person escaping to the sea). Now we use the assumption that all events occurring in Table 1 follow an exponential distribution. For example, ignition probability $P_{is} = 0.004$ from 0 to 1 min means that the event "ignition at small leak" is an exponentially distributed event which occurs within interval (0,1) with probability 0.004, so that the corresponding failure rate parameter is $\lambda = 6.68 \times 10^{-5}$/s. Table 2 brings failure rates of all events occurring in Table 1 together with their given probabilities. Using the methodology for high-performance computing described in [3], the time evolution of the probability of ICFE (causing fatality) can be computed.
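The conversion from a quoted probability to an exponential rate, and the exact treatment of a terminal event that is repeated under several internal nodes, as an added Python example (not the authors' MATLAB code). The graph and its node names are hypothetical and are not Figure 2, and independence of the terminal events is an assumption; only the probabilities come from the text.

```python
import math
from itertools import product


def rate_from_probability(p, interval_s):
    """Rate (1/s) of an exponential event that occurs within interval_s with probability p."""
    return -math.log1p(-p) / interval_s


def occurrence_probability(rate, t):
    """P(event occurred by time t) = 1 - exp(-rate*t), stable for rare events."""
    return -math.expm1(-rate * t)


def occurs(node, graph, state):
    """True if `node` occurs for a given True/False state of every terminal node."""
    if node not in graph:                      # terminal node
        return state[node]
    k, inferiors = graph[node]                 # internal node written "name(k)" in the text
    return sum(occurs(n, graph, state) for n in inferiors) >= k


def node_probability(node, graph, q):
    """Exact probability of `node`: sum over all terminal-state combinations that trigger it.

    Every terminal is enumerated once, so a terminal feeding several internal
    nodes (a repeated, i.e. dependent, event) is not double counted.
    """
    names = sorted(q)
    terms = []
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if occurs(node, graph, state):
            terms.append(math.prod(q[n] if on else 1.0 - q[n] for n, on in state.items()))
    return math.fsum(terms)                    # compensated sum of many small terms


# Probabilities quoted in the text for a medium leak igniting within 0-1 min.
P_IM, P_FM, P_EM, P_F = 0.03, 0.1, 0.1, 0.7
INTERVAL_S = 60.0

# Hypothetical graph (assumption, not Figure 2): ICFE occurs if the leak ignites and
# the person either dies at once, or is trapped by bridge damage and dies escaping to sea.
GRAPH = {
    "ICFE": (1, ["immediate", "trapped"]),
    "immediate": (2, ["ignition", "fatality"]),
    "trapped": (3, ["ignition", "bridge_damage", "sea_fatality"]),
}
RATES = {
    "ignition": rate_from_probability(P_IM, INTERVAL_S),
    "fatality": rate_from_probability(P_FM, INTERVAL_S),
    "bridge_damage": rate_from_probability(P_EM, INTERVAL_S),
    "sea_fatality": rate_from_probability(P_F, INTERVAL_S),
}


def terminal_probabilities(t):
    return {name: occurrence_probability(rate, t) for name, rate in RATES.items()}


def icfe_probability(t):
    """Exact time-dependent probability of the TOP node of the hypothetical graph."""
    return node_probability("ICFE", GRAPH, terminal_probabilities(t))


def naive_icfe_probability(t):
    """Deliberately wrong: treats both branches as independent although they share 'ignition'."""
    q = terminal_probabilities(t)
    a = q["ignition"] * q["fatality"]
    b = q["ignition"] * q["bridge_damage"] * q["sea_fatality"]
    return a + b - a * b


if __name__ == "__main__":
    print(f"lambda for P_is = 0.004 in 60 s: {rate_from_probability(0.004, 60.0):.3e} /s")
    for t in (15.0, 30.0, 60.0):
        print(f"t={t:4.0f} s  exact={icfe_probability(t):.6f}  naive={naive_icfe_probability(t):.6f}")
```
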
The analytical quantification procedure applied to a graph structure, which considers both independent and dependent (i.e. repeatedly occurring) terminal nodes, is based on a combinatorial principle. The probability of the TOP event can be obtained upwards from the probabilities of inferior terminal nodes. For instance, the probability of internal event 3(1) can be computed in two steps:
Step 1 - numerical expression of the probability of occurrence of inferior terminal event 2 and sub-event 6(3), i.e. $q_2$ and $q_6$.
Step 2 - numerical expression of the probability of occurrence of internal node 3(1), which is given as follows:
$$q_3 = q_2(1 - q_6) + (1 - q_2)q_6 + q_2 q_6$$
In general, we go over all combinations of input events causing occurrence of the superior event (here node 3(1)) and sum the probabilities of such combinations. This principle requires summation of numerous different non-negative numbers, which may be one source of inaccuracy. Another source of inaccuracy arises when the TOP event is a rare event (e.g. small leak within the first minute after the accident appears). In such a situation, the algorithm faces the problem of subtraction of two numbers that are very close to each other, so an error may be committed in the arithmetic operation. Both these sources of inaccuracy were eliminated in the new computing methodology. An exact quantification procedure for the probability of the TOP event was developed in [4], displaying very high computational efficiency, as demonstrated in the reference. The original algorithm from [3] based on DAG was radically innovated. The innovative algorithm uses the merits of the high-performance language for technical computing, MATLAB.

Results

Results of method based on DAG
Using the innovative analytic method described above, two different quantitative risk characteristics can be computed for each size of leak: the time-dependent evolution of the probability of the TOP event during the selected first stage of the fire accident, and the average probability of the TOP event during selected consecutive time intervals. The latter characteristics are particularly useful to evaluate the critical height of probability jumps within accident evolution.
It can be seen in Figures 4 and 5 that the probability of ICFE at the end of the 5th min is 6.3e-3 for small leak and about one order of magnitude greater for medium leak. There is about a 50% chance to survive the fire accident at the same time for a person exposed to large leak.
Average probabilities of ICFE in the course of consecutive minutes are demonstrated in Figure 6. It may be seen that for small and medium leak the highest jump of probability occurs within the 5th minute in comparison with probability jumps in previous minutes. Consequently, we can conclude that the 5th minute is the most critical time point for safety of personnel. On the other hand, the probability of fatality in the 5th minute for small leak is comparable with the probability in the 2nd minute for medium leak and with the probability of fatality in the 1st minute for large leak as well.
A large leak is very dangerous, because its associated probability of fatality increases very rapidly and approximately evenly within each minute (at about 0.1 per one minute).

Partial sensitivity analysis
When applying quantitative risk assessment in practice we often face the problem of lack of data. Using realistic data from [12], shown in Table 1, we were pushed into assuming that all input events follow an exponential distribution. Of course, given that the realistic data used contain only probability values in prescribed times, the most suitable probability distribution is thus the exponential distribution, which is frequently used for modeling of random events in reliability theory. In addition, the source data of Table 1 are unavailable, therefore we are not able to verify this assumption.
As an exponential distribution function is determined by its rate parameter λ, we carried out a partial sensitivity analysis for small leak to explore to what extent the resulting probability of ICFE is influenced by the parameter. For this reason a qualitative analysis discovering all minimal cuts has been made. Two minimal cuts (the most frequent ones) were chosen: $C_1 = \{\text{IGN 0-1}, \text{FAT 0-1}\}$ and $C_2 = \{\text{IGN 1-2}, \text{FAT 1-2}\}$, which can be considered the most significant contributions to ICFE, if only because they are disjoint sets. Parameter λ of all basic events contained in $C_1$ and $C_2$ was varied within a two-sided 30% interval of λ. Computational results for probability of ICFE assuming lower and upper bounds of λ were obtained within a 300 sec time course. Final bounds of probability of ICFE at 300 sec were computed as follows:

Science and Technology
As shown in Table 3, change of λ parameter led to significant change of ICFE probability. In case of λ value lowered by 30%, corresponding ICFE probability was also lowered by 47%. In case of λ value raised by 30%, corresponding ICFE probability was raised by 53%. Both these results show high sensitivity of ICFE probability to the value of rate parameter λ, therefore stressing the need of correct choice of λ value in FT and DAG models utilizing exponential distribution.

Conclusions
This paper demonstrates a new approach to evaluate risk of fatality of working personnel in process industries from fire caused by hydrocarbon leak ignition occurring at various times following the leak. The new approach is characterized by its ability to compute the time-dependent evolution of probability of personnel fatality, which is impossible by applying steady state methods.
Computed results were obtained by the use of an analytical method coming from DAG as a system representation, which was fully innovated using merits of the high-performance language MATLAB.
Despite the fact that the obtained results are influenced by the addition of new assumptions laid on events occurring in Table 1 (putting them into the framework of exponential distribution), we can conclude that a good platform for quantification of probability of ICFE is at our disposal.
Factually, data in Table 1 have been used to compute the time-dependent probability of ICFE for small, medium and large leaks in Zone 8. Based on the dynamic evolution of the probability of ICFE, it can be concluded that the most dangerous leak is the large leak.
Probability of fatality following large leak increases very rapidly within the first 5 minutes. At the end of the 5th minute, a person has roughly a 50% chance to survive the large leak scenario. This can be attributed to ignition of a large gas cloud resulting in a fire swiftly escalating outside Zone 8 or an outright explosion, both damaging the construction and thus possibly blocking some evacuation routes. On the other hand, the small leak scenario is the least dangerous one, as the only danger comes from delayed ignition resulting in an explosion of accumulated gas vapors. The results also demonstrate that at the end of the 5th minute, there is approximately one order of magnitude difference in the probabilities of fatality associated with the respective leak sizes.
If we wish to represent the probability for ICFE per annum, we have to multiply these probabilities by leak frequencies in Zone 8 based on statistical observations; see Section 2 above.
Finally, the partial sensitivity analysis showed that the final probability of ICFE is correspondingly influenced by variability of input parameters. Nevertheless, the obtained results are of special relevance for drawing a comparison between different sizes of leaks.
Future research in this area should be oriented to finding effective measures leading to reduction of the risk of personnel fatality, especially in the first minutes after the leak and follow-up fire accident occurrence.
Small leaks 609 per 10000 years, Medium leaks 234 per 10000 years, and Large leaks 216 per 10000 years. A leak in Zone 8 would initiate the following actions: Activation of fire & gas (F&G) system, which in turn would a) simultaneously activate Alarm, b) Emergency shutdown of process and electrical systems, c) Blowdown of hydrocarbon plant inventories (see Note), d) Start of emergency power generation, e) Start of fire pumps, and f)

Fig. 1. Typical Offshore Production Installation

Fig. 3. Fault tree as an equivalent structure to DAG from Fig. 2

Table 3. Probability of ICFE depending on values of λ of two most frequent minimal cuts: