Creation of CPQRA Data Base

This chapter presents an overview of the data used in CPQRA. Figure 5.1 illustratesthe types of data required for both frequency and consequence analysis, and shows theinterrelationship among data types.

To apply CPQRA to a specific operation, a specific data base for the study must becreated from new and existing data bases. The scope and goals of the study (Section1.9) significantly impact on the quantity and quality of data required.

The basic information necessary for a CPQRA of either new or existing facilitiesshould include as a minimum:

• material information [e.g., material safety data sheets (MSDS)]• process chemistry—documentation of technology to include information such

as safe operating envelope and pilot plant data• material toxicity—toxicology and related industrial hygiene information• process flow diagrams (PFD), including major inventories and flow data• site layout drawings• control strategies—passive safety systems, containment, isolation, mitigation,

etc.• operations and maintenance philosophy• emergency response considerations• material interactions (including raw materials, intermediates, products, and

materials of construction)• piping and instrumentation diagrams (P&ID)• equipment specifications• operating procedures• maintenance practices (including test and inspection programs)

For an existing facility, additional information to be reviewed includes

• past hazard identification information (HAZOPS, FMEAS, audits, surveys,management of change reviews, etc.)

• process modifications• operational history

FIGURE 5.1. Flow chart for data inputs to risk estimates.

The various types of data that should be considered for use in a CPQRA studyinclude

• equipment failure rate• toxicity• human error• materials of construction• ignition sources• location-specific data for nearby populations (in-plant, off-site, and public

assemblies)• meteorology (atmospheric stability, wind speed, wind direction)• external events (earthquakes, lightning, etc.)• nearby waterways, road, railroads, and airports.

Historical incident data may not be readily available for a new facility, particularlywhen new technology is involved. However, if a new process is similar to an existingprocess, it may be possible to obtain valuable data by extrapolation from the existingprocess. Historical incident data on existing facilities should be available, at least in alimited form, and should be assimilated into a useful data base format for CPQBAapplication. It may be possible to extract plant-specific reliability data for processequipment from plant maintenance records . If this is feasible and the experience base islarge enough, such plant-specific data provide the best possible estimate of equipmentreliability for that plant.

HISTORICALINCIDENT DATASECTION 5.1

PLANT ANDPROCESS DATASECTION 5.2

CHEMICAL DATASECTION 5.3

ENVIRONMENTALDATASECTION 5.4

EXPERT OPINIONSECTION 5.7

HUMANRELIABILITY DATASECTION 5.6

EQUIPMENTRELIABILITY DATASECTION 5.5

RISK ESTIMATECHAPTER 4

CONSEQUENCEANALYSISCHAPTER 2

FREQUENCYANALYSISCHAPTER 3

The chapter is organized into seven sections: historical incident data (5.1), processand plant data (5.2), chemical data (5.3), environmental data (5.4), equipment reliabil-ity data (5.5), human reliability data (5.6), and use of expert opinion (5.7). The appli-cation of each data type to CPQRA is discussed, and selected data sources are provided.Data sources are given particular prominence in Sections 5.1 and 5.5, because of theimportance of having as much information as possible in these areas.

In reality, data available for CPQRAs of new and existing facilities may be incom-plete or inadequate. This is particularly true for equipment failure rates, toxicity, andhuman error data. The data sources cited in this chapter should be consulted andresearched. As mentioned in Section 5.7, a consensus view of experts opinion may benecessary to obtain understanding and agreement on the data bases used and theirimpact on CPQBA results.

5.1 Historical Incident Data

5.1.1. Types of Data

As discussed in Section 3.1, historical incident data may often be used directly to esti-mate top event frequencies for use in CPQRA without the need for detailed frequencymodeling. The historical record can also be used to validate outcomes from other,model based frequency analyses (e.g., FTA/ETA). The reader is again cautioned that anumber of criteria have to be satisfied for the historical estimate to be meaningful.These include sufficient and accurate records of data that are applicable to the particularprocess under review.

A list of some historical incident data sources is provided in Table 5.1. Most ofthese data sources address major events or failures such as

• leaks of toxic materials• major fires or explosions• pipeline leaks and ruptures• transportation accidents• accidents causing fatalities or serious injuries (any cause).

These kinds of events are sufficiently serious to be reported fairly widely in publiclyavailable sources (e.g., regulatory agencies, research organizations, the media).

Data sources can be grouped into three categories, which provide data on

1. failure mechanisms and causes2. consequence effects (e.g., downwind concentrations, radiation levels, and toxic

doses)3. frequencies of certain types of incidents.

Data sources in the first two categories may be helpful in constructing a fault orevent tree model or in understanding the consequences of a specific incident. However,they do not provide information on the frequency of incidents. Data sources in thethird category provide frequency information, but should be used with caution. Inmost cases, frequency data derived from incident reports may not be applicable to

CPQEA. The data are rarely complete or directly pertinent. The equipment and plantpopulation base may not be defined. Minor incidents are sometimes not reported, andtherefore are not included in the data bank. Consequently the analyst must examine thesource of the data carefully. Boykin et al. (1986), when assessing fire risk of transform-ers, illustrate a way of deriving required incident frequency, reliability, and acute effectsinformation from various data sources, for assessing fire risk for transformers.

TABLE 5.1. Some Historical Incident Data Sources

Source

M & M Protection Consultants1221 Avenue of the AmericasNew York, New York 10020

Lees (1980)

V. C. Marshall (1987)

Loss Prevention Bulletin, I.Chem.E.,UK.

J. H. Sorensen (1986)

Office of Radiation Programs, U.S.Environmental Protection Agency

B. J. Robinson (1987)

J. A. Davenport (1983)

K. Gugan (1979)

P. Field (1982)

N. C. Harris (1978)

U.S. Department of Transportation,Research and Special ProgramsAdministration, Office of PipelineSafety, Washington, DC

CONCAWEThe Oil Companies' EuropeanOrganization for Environmental andHealth Protection, The Hague, TheNetherlands

Description/title

"One Hundred Largest Losses"Annual review of large losses in the hydrocarbon-chemicalindustries. Updated yearly. Free

"Loss Prevention in the Process Industries"Appendix 3 contains some case studies of major chemicalincidents and a chronological listing of many more

"Major Chemical Hazards"Contains 40 case studies of major incidents

Annual survey of chemical industry accidents (worldwide),covering a wide range of accidents and with accidentdescriptions

"Evacuations due to Chemical Accidents: Experience from1980 to 1984"

"The Consequences and Frequency of Selected Man-Originated Accident Events" NTIS PB80-211303

"A Three Year Survey of Accidents and World DangerousOccurrences in the UK Chemical Industry" Covers 1982 to1984/5

"A Study of Vapor Cloud Incidents — An Update"Lists UVCE incidents, cross-referenced to Gugan (see below)

"Unconfined Vapor Cloud Explosions"Lists UVCEs; includes some BLEVEs and partially confinedexplosions

Dust ExplosionsLists major incidents of this type

"Analysis of Chlorine Accident Reports"Chlorine Institute, Washington, DC

Pipeline Leak Reports for Onshore Gas Transmission andGathering Lines, and Liquid Lines (see also 3.1)

Annual reports of leaks from cross country pipelines in Europe

Source

R. F. De Ia Mare & O. Andersen, DetNorske Veritas, Oslo, Norway Reportno. 80-0572, Aug. 1980

Minerals Management ServiceGulf of Mexico OCS Region1201 Elmond Park Blvd.New Orleans, LA 70123

Office of Technology AssessmentWashington, DC,March 1986 OTA-SET-301

Office of Technology AssessmentWashington, DCJuly 1986 OTA-SET-340

M. Abkowitz and J. Galarraga (1985)

National Transportation Safety Board(NTSB), U.S. DOT, Washington, DC

Association of American Railroads,Federal Railroad Administration

U.S. DOT, Materials TransportationBureau, Washington, DC

FACTSTNO Division of Technology forSociety, P.O. Box 342, 7300 AHApeldoorn, The Netherlands

MHIDAS (Major Hazard IncidentAnalysis System)Head of Major Hazards & TransportGroup, Safety & ReliabilityDirectorate, Wigshaw Lane, Culcheth,Warrington, WA3 4NE, UK

SONATA (Summary of NotableAccidents in Technical Activities)TEMA, Via Medical de Vascello, 26-Milano, Italy

WOAD (World Offshore AccidentData)Veritec Data, Oslo, Norway

Hazardous Cargo Bulletin

ALK Associates, 1000 HerrentownRoad, Princeton, NJ 08540

Description/title

"Pipeline Reliability Report"Analyzes and compares onshore and offshore pipeline failuredata

Collects data on pipeline leaks in the Gulf of Mexico

"Data on Transportation of Hazardous Materials: state andlocal activities"

"Data on Transportation of Hazardous Materials"

"Tanker Accident Rates and Expected Consequences in USPorts and High Seas Regions"

Accident Reports. A detailed report is produced fortransportation accidents involving hazardous materials

Hazardous Materials Accident Spill Maps. These give a mapshowing the location of the spill, any airborne plume, site offatalities, and injured people, at one or more times after thestart of the incident.

Railroad Facts (Annual Editions)

Accident/Incident Bulletins (Annual)

Annual Reports on Hazardous Materials TransportationIncidents

Computerized data base for incidents (worldwide) withhazardous materials, near misses also included

Computerized major incident data base (worldwide). Incidentsmust have had potential for off-site impact to be included

Computerized data bank for incidents with hazardousmaterials

Computerized data bank for World Offshore

Annual Survey

Computerized data base for U.S. rail accidents for the last 10years. Also computes the accident rate per track section forclasses A through D of track in the United States

Source

ITACA (Industry and TransportAccident Catalog), TRR, TESCA,Risk and Reliability, Italy — Casehistories. Bockholts et al. (1986)

Fire Brigades, Ministry of the Interior,Italy. Bockholts et al. (1986)

ISPEL, Central Institute for Healthand Safety Administration, Italy.Bockholts et al. (1986)

GESIP, France.Bockholts et al. (1986)

IFP (Institute Francois du Petrol),France. Bockholts et al. (1986)

Berufsgenossinschaften, Germany.Bockholts et al. (1986)

DCMR (Central EnvironmentalControl Agency, Rijnmond), TheNetherlands. Bockholts et al. (1986)

BLS (Bureau of Labor Statistics).Bockholts et al. (1986)

OSHA (Occupational Safety andHealth Administration).Bockholts et al. (1986)

NIOSH (National Institute forOccupational Safety and Health).Bockholts et al. (1986)

NFPA (National Fire ProtectionAssociation). Bockholts et al. (1986)

CMA (Chemical ManufacturersAssociation). Bockholts et al. (1986)

IRI (Industrial Risk Insurers).Bockholts et al. (1986)

IOI (Loss Data Base),CWA Information and Research Ltd.,18 Grosvenorblau, London

American Institute of ChemicalEngineers, New York (1995)(ISBN 0-8 169-0626-2)

American Institute of ChemicalEngineers, New York (1989)(ISBN 0-8169-0422-7)

Andersen, T., and A. Misund, Journalof Petroleum Technology, 35(4), 1983

Description/title

Specializes in fires and explosions

Fire incidents. Raw, unprocessed data

Pressure vessel incident data

Industrial accident case histories

Marine transport and offshore operation incidents

Industrial accident data bases

Industrial accident data base

Industrial accident data

Industrial accident data

Industrial accident data

Fire incident data

Accident case histories in the chemical industry to 1979

Fire incident data

Information on over 1500 claims in excess of $10,000 in oil,gas and petrochemical industries

Guidelines for Chemical Transportation Risk Analysis. Contains41 specific sources for transport risk which may be applicableto fixed sites

Guidelines for Process Equipment Reliability Data. Good sourceof equipment reliability data for fixed equipment andinstrumentation used in the chemical process industry.

Pipeline Reliability: An Investigation of Pipeline FailureCharacteristics and Analysis of Pipeline Failure Rates

Source

American Petroleum Institute, APIPublications & Distribution Section,Report No. 855-19990.

Battelle, American Gas Association,Arlington, VAAGA Catalog No. :L5 1499.

Battelle, American Gas Association,Arlington, VAAGA Catalog No.: L51664

Blything, K., and J. Edmondson,Safety and Reliability Directorate,U.K. Atomic Energy Authority,Report No. SRD R292.

Bush (1975) Journal of Pressure VesselTechnology, No. 97, Series J, Feb.1975

de Ia Mare, R., and O. Anderson,DMV Technica,Report No. 80-0572

Hadley, L, R. Phaal, and S.Hurworth, Reliability of LPG BulletsVessles. ImechE Conference Trans.., 4,103-112 (1995)

National Safety Council, Chicago, IL,Product No. 229.27.

Reiter, A.D., W. E. Farager, ReportNo. AD-A077 (available from NTIS)

United Kingdom Atomic EnergyAgency, UKAEDA Safety andReliability Directorate,Report No. NSCR/GR/71;8/87.

Description/title

Summary of Motor Vehicle Accidents in the PetroleumIndustry for 1988

An Analysis of Reportable Incidents for Natural GasTransmission and Gathering, Lines; 1970 through 1984

An Analysis of Reportable Incidents for Natural GasTransmission and Gathering Lines; June 1984 through 1990

Fire/Explosion Probabilities of Liquid Gas Ships

Pressure Vessel Reliability Data

Pipeline Reliability Data

Study of structural integrity of small pressure ("bullets") usedfor storage of LPG in the Hong Kong area.

US fleet accident rates, an annual report

Commercial Vessel Safety Risk Assessment Study, Volume I,"Survey of Data for Marine Risk Assessment"

Performance of Pipework in the British Sector of the NorthSea

5.1.2. Sources

Table 5.1 summarizes some publicly available sources of incident data with briefdescriptions of their contents. Most are collections of data from many incidents. Thedata sources are in the form of published literature, or computer data banks availablefor use on a fee-paying basis.

Consultants and industry groups are two nonpublic sources. Consultants gatherinformation from successive projects and use such information to supplement existinghistorical incident data Such data must be used with particular caution, making suresufficient information about the original sources is available to confirm that the dataare appropriate for use. The most comprehensive data available often come from indus-try groups where information on operating experience is exchanged. However, suchdata may not be presented in a useful or consistent format.

5.2. Process and Plant Data

This section describes the type of specific plant and process data required for aCPQRA. Such data include descriptions of the relevant process systems together withinformation about ignition sources and material properties.

5.2.1. Plant Layout and System Description

The CPQRA analyst must thoroughly understand all plant processes, their interdepen-dence, and the inventories and conditions of materials. This information must describethe plant as it actually operates, which may be different from the original design. It isbest acquired by on-site interview of operating and maintenance personnel and on-siteinspection. The following examples of data required may serve as a checklist to the ana-lyst in a CPQRA:

• process chemistry (including side reactions under normal and abnormal condi-tions)

• physical and chemical properties of all process materials• chemical and material of construction interactions• process flow diagrams (including process description and specific operating

parameters such as flow rates, pressures, temperature, and stream compositions)• process design basis (including external events)• process utilities (cooling, steam, electricity, instrument air, and utility back-up

systems)• waste treatment systems• equipment specifications (including materials of construction)• equipment detail drawings• piping and instrument diagrams (including utilities and relief systems)• plant layout drawings (plant and immediate surroundings including elevations)• firewater and drainage drawings• material properties (including in-process intermediates)• control logic (e.g., instrument loopsheets, relay logic diagrams)• operating instructions• operating philosophy (storage inventory levels, operating schedule, staffing,

start-up and shutdown, operator training, safety policy)• safety equipment (fire protection, emergency relief, interlock and alarm systems;

design bases should also be included)• historical incident and maintenance records (existing process)• maintenance philosophy and program

5.2.2. Ignition Sources and Data

Major flammable releases may be ignited far from the leak source. In a QRA it is neces-sary to identify all ignition sources that may be reached by any cloud of flammable con-centration. The risk from an incident which releases flammable materials is dependenton the chance that the material ignites, the ignition energy, and the level of confine-

ment of the released cloud. Ignition can occur immediately (due to the energy of thefailure event, immediate contact with a hot surface, or a release above a material'sautoignition temperature), or can be delayed until the cloud encounters an ignitionsource. These sources may include: open flames, hot surfaces, sparks, or mechanicalfriction. Ignition may also occur due to human activities. Typical sources of ignitionwhich may be found in process areas and if contacted could ignite a flammable releaseinclude:

• Flares • Hot work: welding and cutting• Boilers • Lightning• Fired heaters • Overhead high voltage lines• Static electricity • Mechanical: sparks, friction, impact, vibration, etc.• Vehicle traffic • Chemical Reactions• Electrical motors

When surveying an area for potential ignition sources one generally identifies all possi-ble sources on-site, in the immediate vicinity of the site, and somewhat less rigorously asthe distance from the site increases. This is due to the fact that as more and more ignitionsources are passed over it becomes much less likely that the cloud still has not ignited. Iden-tified ignition sources must be characterized (e.g., continuous or intermittent, high/lowenergy, etc.) so that appropriate ignition probabilities may be assigned to them.

Calculating ignition probability in CPQRA is a difficult problem as discussed byRijnmond Public Authority (1982) and Health and Safety Executive (1978, 1981).Given the presence of a flammable mixture, the "probability of ignition" is typicallymodeled as a function of two components. The first is the probability the ignitionsource will be present to ignite the mixture. The second is the probability that, giventhe ignition source is present, it actually ignites the cloud in a given time interval. Thesecond factor is much harder to estimate as it is a function of minimum energy requiredto ignite the flammable material and the ignition energy of the source. The first compo-nent is typically referred to as the "Presence Factor" and the second is the "StrengthFactor." Each potential ignition source will have its own unique combination of pres-ence and strength factors. For example, given that a ground flare is operating it willalmost certainly ignite a flammable release (ignition probability approaches 1.0) if it iscontacted by the flammable cloud, but it may only operate 25 percent of the time. Thiswould result in an overall probability of ignition by this source of 0.25.

As mentioned, the presence factor is the probability that the source is present (i.e.,active) when the flammable cloud passes. Since in most instances we cannot predictwhen we will have a flammable cloud, the presence factor is developed by estimating,on average, the percentage of time in which the ignition source will be present. Exam-ples of presence factors include:

• The percent of the time that point sources such as flares or furnaces are lit.• The percent of time people will be in the area.• The percent of the time that cars are present in the area susceptible to ignition

(using traffic densities for roads and railways).• The percent of time during which power lines are active.• The strength factor is the estimated conditional probability of each source caus-

ing ignition. It is a function of the ignition source strength and the minimum

ignition energy of the flammable material. An open flame is considered to be acertain ignition source, and thus the strength factor is set on one (1.0). A furnacewith an enclosed flame, for example, might be assigned a probability slightly lessthan 1.0.

Typical ranges for on-site strength factors for hydrocarbons are:

• Furnaces, boilers, heaters 0.9-1.0• Substations 0.001-0.3• Office Buildings 0.1-0.2• Truck Loading/Unloading Area 0.1-0.5• Cars 0.2-0.4• Construction Fabrication Shop 0.1-0.5

NOTE: The strength factor should be selected only after carefully consider-ing of the properties of the released material and the potential ignition source.

The Gas Research Institute sponsored research (1980-1981) in the identification andquantification of off-site strength factors for LNG vapor cloud (7% methane/air mixture).The final report documents the following off-site ignition probabilities (factors):

• Automobile electrical systems 0.06• Continuously operating traffic signals 0.24• Flashing intermittent signal lights 0.8• Residential gas heating units using outside air 1.0

Hot surfaces can also ignite a flammable mixture of gases and the temperature atwhich ignition occurs is a function of a material's autoignition temperature (AIT)(Zabetakis, 1965; Kuchta, 1985). As can be seen in Table 5.2, autoignition tempera-tures vary widely by material. API (1980) provides a short review of ignition risks ofhot surfaces within a refinery. This study suggests that hot surface ignition in open airshould not be assumed (strength factor = O) unless the surface temperature is at least20O0F above the normally accepted autoignition temperature for the material.

The great majority of ATT data are collected in glass vessels. Use of metal vessels inthe test apparatus introduces catalytic effects which generally lower the ATT. Thesedata are dependent on the test method, particularly the volume of the test vessels; thelarger the test vessel the lower the ATT.

Another factor that affects the ignition probability is the reactivity of the flamma-ble gas-air mixture. As can been seen in Tables 5.2 and 5.3, ethylene has a lower mini-mum ignition energy than methane, thus making it easier to ignite. Additionally, it canbe concluded that combustible dusts suspended in a cloud require 10-100 times moreenergy than a flammable gas mixture to achieve ignition. Increasing the energy of theignition source results in a more vigorous burning of the flammable gases and combus-tible dust clouds, thus increasing the violence of the deflagration. See Lewis and vonElbe (1987) and Bartknecht (1989) for further discussion of this subject.

The presence of a flammable gas, even in small amounts, in a combustible dustcloud (usually termed a hybrid mixture) lowers the energy required for ignition. Thisalso tends to increase the rate of pressure rise, thus requiring greater care in the designof deflagration vents (NFPA 68, 1994).

TABLE 5.2. Ignition Data for Some Gases3

Material Minimum ignition energy (mj) Autoignition temperature (0Q

Carbon disulfide 0.015 100

Hydrogen 0.017 520

Acetylene 0.017 305

Ethylene 0.007 490

Methane 0.30 630

Propane 0.26 450

Acetone 1.15 465

"Kuchta (1985) and Zabetakis (1965) Data in air at 250C.

TABLE 5.3. Ignition Data for Some Dusts3

Minimum cloud Cloud ignition Layer ignitionMaterial ignition energy (mj) temperature (0C) temperature (0C)

Coal, Pittsburgh 30 610 170

Polyethylene 30 450 380

Aluminum (flake) 10 610 326

Sulfur 15 190 220

Adipic acid 60 550 —

"McKinnon (1981).Caution: Dust ignition energies and temperature are a function of the physical characteristics of the dust (i.e., size,

porosity, shape, etc.)

A more qualitative approach which can be used to estimate ignition probability isdocumented in "Canvey—A Second Report" (HSE, 1981). Using this approach onemust first estimate the potential size of the released cloud and, second identify thenumber of ignition sources which could contact the flammable portion of the cloud.The Canvey report utilized the ignition probabilities presented in the Table 5-4.

TABLE 5-4. Canvey Report Ignition Probabilities

Sources of ignition Ignition probability

None 0.1

Very Few 0.2

Few 0.5

Many 0.9

Examples of these include:None: "None readily identifiable" e.g., limited release of liquidhydrocarbon into a bund after overfilling a tank.Very Few: Large release of gas liquified under pressure after acatastrophic failure of a tank in a tank farm.Few: Release of flammable material near noncontinuous opera-tions, e.g., LPG release from a tank near to road/rail facilities.Many: Release of flammable material near a plant or a releaseresulting from a nearby fire or explosion.

Potential for ignition is most appropriately minimized through the design of the facil-ity, including the proper selection of electrical equipment, if the facility is to handle flam-mable materials which can potentially be released. For a detailed discussion of ignitionsources and recommendations for minimizing the probability of ignition through designalternatives, refer to Guidelines for Engineering Design for Process Safety (CCPS, 1993).

5.3. Chemical Data

Data are required on the physical and chemical properties of process materials. Some ofthese data can be obtained from material safety data sheets (MSDS). Other readilyavailable sources include Danner and Daubert (1985). Sax (1992), Perry and Green(1985), CRC (1995), and material suppliers.

5.3.1. Types of Data

A nonexclusive list of chemical data on raw materials, intermediates, and final productsneeded in CPQRA includes:

• thermodynamic data (including vapor pressure, boiling point, freezing point,critical temperature and pressure, enthalpies, entropies, specific and latent heats,heats of combustion)

• flammability-flash point (closed cup) and fire point-lower and upper flammable limits (LFL and UFL) at the appropriate pressure

and temperature-autoignition temperature-maximum allowable oxygen content at the appropriate temperature and pressure-minimum ignition energy-deflagration index for gases (KJ if needed-burning velocity

• dust explosion data (for samples reflecting process conditions)-KST value (deflagration index for dust)-maximum rate of pressure rise-maximum rate in a closed chamber (typically a 20-liter sphere)-layer ignition temperature-cloud ignition temperature and ignition energy-minimum dust concentration for combustion

• industrial hygiene and toxicity data-short-term exposure data such as LD50 LC50 LC10 IDLH, ERPG's, etc.-protective equipment needed

• miscellaneous—peroxide forming materials, susceptibility to spontaneous igni-tion ability to hold static charge, effect of contaminants,

• chemical interaction and reactivity data-shock sensitivity-thermal analysis data from differential scanning calorimetry (DSC)-accelerating rate calorimetry (ARC) data

-vent sizing package (VSP) data-reaction kinetics and thermodynamic models

For further information on chemical interaction and reactivity data refer to Guide-linesfor Chemical Reactivity Evaluation and Application to Process Design (CCPS51995).

5.3.2. Sources

Flammability data can be obtained from various sources such as NFPA 325M (1984),Bulletin 627 (Zabetakis, 1965) andBulletin 690 (Kuchta, 1985) (the last two are publica-tions of the US Bureau of Mines) and the Fire Protection Handbook (Cote, 1986). Muchof the data available in these publications are at atmospheric temperature and pressure.Experimental data appropriate to process conditions will sometimes be needed.

Dust explosion data for explosion venting calculations are presented in NFPA 68(1994), which includes additional references. A considerable amount of dust explosiondata can be obtained from various U.S. Bureau of Mines and NFPA publications; how-ever, these data are not appropriate for explosion venting calculations and are suitableonly for qualitatively evaluating the dust explosion potential.

Banner and Daubert (1985) provide extensive thermodynamic data including vaporpressure, boiling points, freezing points, and flash point data for pure compounds.

INDUSTRIAL HYGIENE AND TOXICITY DATA SOURCESIndustrial hygiene and toxicity data can be found in the American Conference of Gov-ernmental Industrial Hygienist's, Threshold Limit Values for Chemical Substances andPhysical Agents (1996), the American Industrial Hygiene Association's (1988), Emer-gency Response Planning Guidelines) Patty's Industrial Hygiene and Toxicology (1994),The National Institute of Occupational Safety and Health's Pocket Guide to ChemicalHazards (1994), and Sax's, Dangerous Properties of Industrial Materials (1994).

CHEMICAL REACTIVITY HAZARDS DATAInformation on Chemical Reactivity Hazards and suggested methodologies foraddressing those hazards can be found in, Guidelines for Chemical Reactivity Evaluationand Application to Process Design, and Guidelines for Safe Storage and Handling of ReactiveMaterials. Both books were published by AIChFs CCPS in 1995.

5.4. Environmental Data

CPQBAs require information about plant surroundings: The risk associated with aplant in a densely populated area is significantly different from that of the same plant ina remote location. Important environmental data include site meteorological, geo-graphic, and topographic data, population data, and information on man-made or nat-ural external events.

5.4.1. Population Data

It is necessary to know the population distribution on and around the site to estimaterisk. If an individual risk estimate is desired, extensive population data may not be

required. However, it is still necessary to determine the location of the people whoseindividual risk is being estimated.

The population distribution is often defined as population density. Sources of pop-ulation data for an area are census reports, detailed maps, aerial photographs, and siteinspections by the analyst. Special attention must be made to the various types of popu-lation and day/night variations (i.e., residential or industrial), and concentrations ofpeople such as hospitals, churches, or schools. If day/night population variations aresignificant, then separate sets of meteorological data may be developed for daytime andnighttime conditions. Appropriate provision for future development is also important.

Typical population density estimates for different categories of occupancy:

• urban: 19,000-40,000 people/square mile• suburban 5000-19,000 people/square mile• scattered housing: 250-5000 people/square mile

DETAILED POPULATION DATA SOURCESIf detailed United States population data is needed it can be obtained from the follow-ing sources:

U.S. Department of Commerce (Economics and Statistics Administration)Bureau of the Census Publications:

1. 1990 Census of Population and Housing, 1990 CPH-I-15, "What Do I Needto Map Out 1990 Census Data>" June 1992.

2. 1990 Census of Population and Housing, "Census CD-ROM and You", Feb-ruary 1992.

3. 1990 Census of Population and Housing, 1990 CPH-3 Printed Reports andMaps Order form, "Single Publication Sales", October 1992.

4. Census Bureau Geographic Information, Your Guide to Census Bureau Geog-raphy, "Maps and More," July 1992.

5. Census Bureau Geographic Information, "TIGER" The Coast to Coast DigitalMap Data Base," November 1990.

6. Bureau of the Census Statement of Organization, Federal Register, September16, 1975, 40 FR 42765.

U. S. Department of CommerceBureau of the CensusWashington, DC 20233-8300Customer ServicesTelephone: 301-763-4100Fax: 301-763-4794

Regional Offices:Atlanta, GA Room 638, 1365 Peachtree Street, N.E. 30309.

404/347-2274Boston, MA Room 553, Boston Federal Office Bldg., 10 Causeway

Street, 02166. 617/565-7087Charlotte, NC Suite 505, 222 S. Church Street, 28202. 704/371-6144

Chicago, IL Room 557, 175 W. Jackson Boulevard, 60604.313/353-0980

Dallas, TX Room 3C54, 1100 Commerce Street, 75242. 214/767-7105Denver, CO P.O. Box 26750, 7655 W. Mississippi Ave., 80266.

303/969-7750Detroit, MI Room 565, Federal Building and U.S. Courthouse,

231 W. Lafayette Street, 48266. 313/354-4654Kansas City, KS One Gateway Center, Fourth and State Streets, 66101.

816/891-7562Los Angeles, CA Suite 300, 15350 Sherman Way, Van Nuys 91406.

818/892-6674New York, NY Room 37-130, Federal Office Building, 26 Federal Plaza,

10278. 212/264-4730Philadelphia, PA First Floor, 105 South 7th Street, 19106. 215/597-8313Seattle, WA 101 Stewart Street, Suite 500, 98101. 206/728-5314

U.S. Department of Commerce (Economics and Statistics Administration)Bureau of the Census Publications, "TIGER/Line Census Files," 1990, "Digital Datafrom 1990 Census with Geographic and Cartographic Information," Customer Ser-vices Data User Division Bureau of the Census, Washington, DC.

Slater, C., G. Hall; "1992 County and City Extra; Annual Metro, City and CountyData Book", 1990 US Census Based Population Data with local updates, BernanPress, Lanham, MD (ISBN 0-89059-010-9).

Note: All data sources were current at the time of publication but are subjectto change with time.

5.4.2. Meteorological Data

The weather conditions have a major effect on the way a release spreads (Section2.1.3). Meteorological data are readily available from the National Oceanic and Atmo-spheric Administration (NOAA) and from airports in the vicinity of the site. Thesedata include 8, 12, or 16 wind directions, several wind speeds, and several atmosphericstability categories. A typical 16 point wind rose is shown in Figure 5.2, which showsthe percentage frequency of the wind blowing in each direction, wind speeds in eachdirection, and the frequency of calms. Calms may be treated quantitatively as a windspeed of 0.5 m/s. The wind data may also be received in tabular form.

The degree of reduction of meteorological data for analysis depends on the resolu-tion and accuracy required by the CPQRA definition A single weather condition (com-bination of atmospheric stability and wind speed) can be used for worst casecalculations (Case Study 8.1). It is usually impossible to isolate a single average condi-tion that adequately represents all weather conditions, and many risk analyses employat least two weather conditions: one stable (e.g., 2 m/s, Stability F) and the other char-acteristic of average conditions (e.g., 5 m/s, stability D).

METEOROLOGICAL DATA SOURCESMeteorological data including data on wind speed and atmospheric stability class canbe obtained from the National Oceanic and Atmospheric Administration (NOAA)

PERCENT FREQUENCY

FIGURE 5.2. Typical wind rose data.

Environmental Data Service, National Climate Data Center Federal Building,Asheville, NC 288801.

Note: NOAA weather information is also available on-line through:(a) The EPA's CEAM Bulletin Board for the time period 1948-1983, STAR

output only (STAR output is formatted for use by NOAA and includes Atmo-spheric Stability, Windspeed, and Wind Direction) [(706) 546-3402].

(b) The EPA's SCRAM Bulletin Board for the time period 1984-1992, hourlyrecording of atmospheric stability and wind speed [(919) 541-5742].

5.4.3. Geographic Data

Geographic data include local and site maps on a scale adequate to met the CPQRAobjectives. Aerial photographs and on-site tours also provide useful information. Gen-

eral information on local building characteristics (wood vs nonflammable, open vsclosed windows, etc.) may be useful in evaluation of effects (Section 2.3).

5.4.4. Topographic Data

Local topography is important in modeling the dispersion of a gas. In particular, largeobstacles (ranging from trees to mountains and valleys) need to be taken into account,in dispersion modeling algorithms. Unfortunately, most dispersion models are applica-ble only to flat unobstructed terrain, with constant homogenous wind field, and a con-stant atmospheric stability. Additionally, accidental releases of hazardous materials donot restrict themselves to these simplified conditions.

Consider the situation of an accidental release from a source which is located in ariver valley and the bulk population at risk is located on the hills overlooking the valley.The scenario is even more complicated if the release is a large spill of a heavier than airmaterial such as ammonia. The cloud initially slumps due to its dense gas propertiesand is transported along the valley walls. It may even travel upwind as long as the set-tling velocity is greater than the ambient wind speed. There are four types of modelswhich can be used to analyze such release scenarios:

• Standard EPA Gaussian models that are corrected for plume lifting as the plumeapproaches the hill.

• Drainage flow models (for dense gas flow down slopes).• Three dimensional models.• Puff trajectory models for nonhomogenous wind field.

For more information on the models and their applicability refer to Guidelines for Use ofVapor Cloud Dispersion Models (Center for Chemical Process Safety, 1987).

Information on US topography can be obtained from USGS Topographic Maps,available through the U.S. Department of the Interior Geological Survey (Denver Col-orado or Res ton Virginia).

5.4.5. External Event Data

External events are either man-made (e.g., aircraft crashes) or natural (e.g., earth-quakes, floods). If the plant is in an area susceptible to such events, it should bedesigned to withstand these events for an appropriate severity and frequency (Section3.3.3).

In addition to information for the overall plant, design data should be obtained onindividual critical items (e.g., vessels, pipes, control buildings, blast walls) to determinetheir performance under incident conditions. The structural design of such items is ofinterest. However, specialized information provided by materials and structural engi-neers may be required for particular hazards and incident scenarios. For example, asteel vessel may not be designed for low temperatures because it normally contains amaterial at elevated temperature. However, the fracture of another vessel a short dis-tance away may subject it to cryogenic temperatures. The high temperature vessel maythen suffer sufficient embrittlement to cause its fracture, or collapse of its supports,thus releasing its contents and escalating the incident. Or, if a spill from a tank causes a

pool fire involving an adjacent tank, a subsequent failure is likely. A classic case is theCleveland, Ohio LNG disaster described by Marshall (1987).

Information on the frequency of earthquakes and their effects can be obtainedfrom the National Earthquake Information Center in Rockville, Maryland:

Earthquake Investigation in the United States: C&GS Special Publication No. 282 (revised 1969),U. S. Department of Commerce, issued by the National Earthquake Information Center inRockville, MD

Earthquake History of the United States: Publication 41-1 revised edition, U.S. Department ofCommerce (1973), edited by J. L. Coffman and C. A. von Hake

Earthquake History of the United States Part II: Stronger Earthquakes of California and WesternNevada^ by Wood, Heck, and Eppley, U.S. Department of Commerce (1961)

Additional Tornado ReferencesInformation on the historical frequency in the U.S. and the damage potential of torna-does can be obtained from the following references:

Abbey, R. F., "Risk Probabilities Associated with Tornado Wind Speeds55 Symposium on Tor-nadoes, Texas Tech. University (1976).

Anselmo, K. J., et. al, 'Tornado Bisk Analysis." Proceedings of the AIChE 25th Annual Loss Pre-vention Symposium (August 1991).

McDonald, J. R., "A Methodology for Tornado Hazard Probability Assessment,35 United StatesNuclear Regulatory Commission, NUREG/CR-3058, 1984.

McDonald, J. R., "Assessment of Tornado Risks at Site Specific Locations55, ASCE/EMD Spe-cialty Conference, Austin, Texas, 1979, American Society of Civil Engineers, New York, NY,1979.

McDonald, J. R., "Tornado Generated Missiles and Their Effects,55 Proc. Symposium on Tornados:ffAssessment of Knowledge and Implications for Man, Lubbock, Texas, 1976, Institute for DisasterResearch, Texas Tech University, 1976, pp 331-349.

Peters, G. A., and Hansel, J. G., "Risk Assessment of Tornado Wind and Pressure Phenomenaon Storage Tanks55, AIChE, International Symposium on Risk Identification and Risk Analy-sis, Orlando, Florida, 1992.

Tescon, J. J., et al., "Statistics of U.S. Tornadoes Based on the DAPPLE (Damage Area Per PathLength) Tornado Tape,55 Symposium on Tornadoes, University of Chicago (1980).

Thorn, H. C. S., "Tornado Probabilities,55 Printed in the October-December 1963 issue ofMonthly Weather Review.

Twisdale, L. A., 'Tornado Data Characterization and Wind Speed Risk,55 Proc. Amer. Soc. CivilEngineering, 104 (1979).

Additional information on Tornadoes and information on Hurricanes can berequested from:

• Institute of Disaster Research, Texas Technical University, Lubbock, TX• Department of Geophysical Science, University of Chicago, Chicago, IL• National Weather Service, World Health Organization (Publishing Division,

United Nations, New York, NY 10017) publishes Demographic Yearbook annu-ally, which gives the number of deaths or rates of death due to different causesworldwide.

5.5. Equipment Reliability Data

CPQRA requires human and equipment reliability data. This section considers equip-ment reliability data. The complex issues of human reliability are discussed in Section3.3.2, and the availability of human reliability data is reviewed in Section 5.6.

In order to estimate equipment reliability parameters (defined in Appendix E) orprovide incident frequency estimates for a CPQRA, failure rate data are needed for allprocess equipment included in the study. As stated by Blanks (1977):

No matter how excellent the mathematical modeling, how precise the analysis, andhow detailed the resulting formulae, ultimately the prediction can be no more accuratethan the numerical data which are substituted into them.

The dependency of a risk estimate on equipment failure rate data is similar to thedependency of a chemical plant design on physical property data. The differencebetween the availability and quality of the existing data bases in these areas accounts forthe substantial differences in the degree of uncertainty between process design calcula-tions and risk estimates.

Data estimation, as well as raw data collection, analysis, and reduction techniqueshave evolved and generic data bases are being developed to improve on and compen-sate for this shortage. CPQRA methodology does not need equipment specific (i.e.,manufacturer, make, model and serial no.) data to obtain useful results. Kazariansand Boykin (1987) have stated that "a large (plant-specific) data base is not necessaryto obtain useful quantitative risk assessment results that show major contributors torisk.55

In the past, the selection, treatment, and use of equipment failure rate data havebeen more art than science. Wherever such data came from, or however such data aredeveloped, as stated by Blanks (1977), "their applicability is suspect and their accuracydubious.55 No prescription exists for the analyst to follow to assure selection or develop-ment of "correct35 data. Additional efforts are necessary to upgrade and convert currentsubjective practices into more objective procedures. Nevertheless, the reader shouldrecognize that substantial attention has been given to this topic, particularly in PRAstudies and in techniques developed for application in the nuclear industry. Furtherimprovement can be anticipated as CPQRA becomes more commonplace within theCPI.

5.5.1. Terminology

As discussed in Chapter 3, Appendix E introduces various equipment reliability param-eters, presents their basic definitions, explains how these parameters are quantitativelydetermined, and discusses their relationships to CPQRA. In addition, the terminologycommonly used by a reliability analyst is explained. The following sections introducethe basic concepts and terminology necessary to discuss equipment reliability data andunderstand its relationship to CPQRA. The reader is referred to Appendix E and CCPSGuidelines for Process Equipment Reliability Data, or PERD Guidelines (AIChE/CCPS,1989), the companion volume to this text, for additional information.

5.5.1.1. EQUIPMENT RELIABILITYEquipment reliability has been defined as the probability that, when operating understated environmental conditions, process equipment will perform its intended functionadequately for a specified exposure period.

This definition highlights three important points about equipment reliability. It is:

1. a probability2. a function of the exposure period3. a function of the definition of equipment failure.

The exposure period may be expressed in terms of a continuous variable, such astime, or as a function of a discrete variable, such as the number of demands (also calledcycles in some texts) imposed on a piece of equipment.

Consequently, equipment reliability can be expressed as a continuous or discretefunction using terminology developed in the mathematics of probability and statistics.A review of the pertinent mathematical terms, concepts and relationships is presentedin Appendix F. When the exposure period is time-dependent, equipment reliability, orsimply reliability, can be expressed as follows:

R(t) = l-F(t) (5.5.1)

where R(t) is reliability as a function of £; F(t) is a cumulative failure distribution as afunction off; and t is time.

The derivative of the cumulative failure distribution, F(t), with respect to time,dF(t)/dt, gives a probability density function of time, f(t), also called the failure densityfunction or sometimes simply mortality.

dF(t)/W—ST (5.5-2)

or

J7O=J0V(O* (5-5-3)where f(t) is the probability density function. Substituting Eq. (5.5.3) into (5.5.1)gives

R(t) = l-S[f(t)At (5.5.4)

Since the total area under the probability density function,/(f), must be unity, Eq.(5.5.4) can be rewritten as

£(*)=/"/(*)* (5-5-5)Figure 5.3 (Billinton and Allan, 1983) shows the relationship between F(i) and

R(t) for a typical probability density function, f[t).

5.5.1.2. EQUIPMENTFAILURERATESEquipment failure rates can be defined for time-dependent and demand-dependentexposure periods. The time-related equipment failure rate, and instantaneous failurerate function of time, also known as the hazard rate, can be defined as follows:

time to failureFIGURE 5.3. Hypothetical probability density function, f(t), as a function of time, t. F(t), thecumulative failure distribution, is the fractional probability of failure up to t, while R(t) is theprobability of surviving beyond time t. (From Billinton and Allan, 1983.).

_ number of equipment failures per unit time

number of pieces of equipment exposed to failure(5.5.6)

where t is time.Similarly, a demand-related equipment failure rate can be defined as follows:

, _ number of equipment failures per demand (5.5.7)number of pieces of equipment exposed to failure

where nD represents the number of demands.Note: To minimize the uncertainty in failure rate estimates Eqs. (5.5.6) and

(5.5.7) should be only applied to like pieces of equipment operating under similar (ifnot identical) operating and maintenance conditions.

Time-related failure rates, often presented as the number of failures per 106 hr, arefor equipment which is normally functioning, for example, a running pump, a temper-ature or pressure transmitter. Demand-related failure rates, typically given as thenumber of failures per 103 demands, are for equipment that is normally static but iscalled upon at random intervals, for example, a switch or a standby generator.

Both time-related and demand-related equipment failure rates can apply to and bereported for many pieces of equipment (e.g., a pump can be in continuous operation ormay be an emergency backup). Certain equipment in continuous service (e.g., a trans-former) may be dominated by time-related stresses compared to demand-relatedstresses. Likewise, other equipment may have failure rates dominated by demand-related stresses. A piece of copper wire which is repeatedly bent back and forth willeventually fail as the number of bends (i.e., demand-related stresses) increases.

In general, the behavior of a piece of equipment in response to a time-related stress(e.g., corrosion) is independent of the behavior of the same piece of equipment inresponse to a demand-related stress (e.g., an electric impulse). Given that these distinctbehaviors are exhibited by the same device, it is reasonable to assume that some rela-tionship may exist between the failures per time and failures per demand, or

F[(time-related failure rate) x (exposure period)] <xG[(demand-related failure rate) X (total number of demands)] (5.5.8)

Pro

babi

lity d

ensi

ty

where / [ ] and G [ ] are undefined functions and the total number of demands arethose that occurred during the exposure period,

If functions/[ ] and G [ ] were known, then data on the behavior of a piece ofequipment under a time-related stress could conceivably be used to predict the behav-ior of that equipment under demand-related stresses and vice versa. In general, how-ever, there is no known mathematical relationship between these behaviors based onfundamental reliability engineering principles. The availability of a mathematical rela-tionship that defines F [ ] and G [ ] is very uncommon. F [ ] and G [ ] would be uniqueto a specific piece of equipment, its operating and maintenance history, its testing, theaccounting system used to assign and record failures, its failure history, and so on.

In most cases, the failure history available for a CPQRA will summarize the experi-ence of many equipment items. Those items in continuous service will be used to com-pute the time-related equipment failure rate. Those items in a demand type of servicewill be used to compute the demand-related equipment failure rate. The PERD Guide-lines (AIChE/CCPS, 1989) offer further discussion on some of the complicating fac-tors that influence the mathematical relationship proposed in Eq. (5.5.8), and proposeshow both kinds of failure rate data should be handled.

5.5.1.3. FAILURE RATE VERSUS FREQUENCYTime-related equipment failure rates are expressed in units of failure events per unittime, as are time-related equipment failure frequencies. However, different bases areused in their determination. Failure frequency is determined using total elapsed calen-dar time since £0, the beginning of the time-in-service interval, while failure rate is dif-ferentially defined as the number of failure events which occur during the total elapsedoperating time since £0. Frequency is related to rate through the ratio of total elapsedoperating time to total elapsed calendar time for the time-in-service interval from £0 toequipment failure or to some other specified time limit (e.g., 1 year of operating timeor calendar time).

To summarize:

• Time-related equipment failure frequency can be defined as the number of failureevents that occur, divide by the total elapsed calendar time during which theseevents occur.

• Time-related equipment failure rate can be defined as the number of failureevents that occur, divided by the total elapsed operating time during which theseevents occur.

The term "time-related equipment failure rate" in this volume refers to either ofthese definitions. Where necessary for clarity, appropriate units are discussed.

5.5.1.4. PROBABILITY OF FAILURE RATEThere is a fundamental difference between the probability of failure and equipmentfailure rate or frequency. The probability of failure for a piece of equipment can be rep-resented by a probability distribution function (explained in Appendix F). Simplystated, if the independent variable is time, the probability of time-related failure, atsome time-in-service (or equipment age), £, is the probability that the equipment willfail between £0 and t. This probability asymptotically approaches 1.0 (certainty) as the

equipment ages (t ->oo). For the same time-in-service interval, ^0 to t, the time-relatedfailure rate presents an expectation of failure in units of failure events per unit time.

Similarly, if the independent variable is the number of demands, the probability offailure on demand at some number of demands, nD. This probability also asymptoti-cally approaches 1.0 as the number of demands increases (nD -»oo). For the same WD,the demand-related failure rate presents an expectation of failure in units of failureevents per number of demands.

To illustrate how failure rates are converted to probabilities of failure, a continuousprobability distribution can be developed as a function of the instantaneous failure rate,A(£), and time t. Using Eq. (5.5.6), the following equation can be derived (e.g., seeBillinton and Allan, 1983):

F(t)

^=W) (5-5-9)

where A(£) = instantaneous failure ratef(t] = probability density function of £R(f) = reliability as a function oft

t = timeFrom Eqs. (5.5.1), (5.5.2), and (5.5.3),

dR(t)^=W^t ^5-5-10'

This equation can be integrated and solved for R(t):

R(r) = exp-/A(r)rff ( • • )L o

This equation has the functional form:

£(r)=0[A(f),f] (5.5.12)

where $[A(f), t] = probability distribution function of A(f) and t.Equation (5.5.12) illustrates that time-related equipment failure rate data need to

be converted to a probability estimate to determine reliability. It is important to under-stand the fundamental difference between failure rate and the probability of failure.

Similar function to Eq. (5.5.12) can be written for each of the equipment reliabil-ity parameters defined in Appendix E. For example, unreliability, C7(f), is simply thecomplement of reliability or

U(t) = 1 -R(t) = 1 -*[A(*),*] (5.5.13)

where U(t) = unreliability (see Appendix E)While other variables may be needed to define other equipment reliability parame-

ters (e.g., an equipment repair rate), both reliability and unreliability (both probabili-ties) are dependent on equipment failure rates.

5.5.1.5. TIME-IN-SERVICE INTERVALTime, £, was introduced in Eq. (5.5.1) to define ReliabilityR(f), and also used to definethe instantaneous failure rate, A(r), in Eq. (5.5.9). The time that begins the time-in-

service interval, £0, needs to be defined if the interval is to be determined correctly. Sev-eral milestones in the life of a piece of process equipment could be assigned to f0 (e.g.,immediately following shop or field fabrication, immediately following field installa-tion, immediately prior to pressure testing, precommissioning or at commissioningceremonies). Such milestones occur at distinct moments in the life cycle of a piece ofequipment.

Service life is typically defined from that moment in time when equipment installa-tion is complete, and custodial responsibility has been transferred to the start-up team.This precedes any pressure or load testing and inspection. Burn-in or infant mortalityfailures are properly accounted for under this definition. Time-in-service includes atime period for equipment commissioning, and the operating time thereafter. Thedetermination of the time-in-service interval must consider these two periods in the lifecycle of a piece of equipment, as the data needed to define each may come from verydifferent sources in a plant.

5.5.1.6. FAILURE RATE MODELSThe variables normally associated with estimating reliability parameters and equipmentfailure rates are described by discrete and continuous probability distributions. Allpieces of process equipment of a given type, construction, manufacture, and operatingcondition will not fail after the same number of demands or times-in-service. Eachpiece of equipment will exhibit a unique failure history. Using equipment histories fora sample of the equipment population manufactured, a distribution of the probabilityof failure can be constructed as a function of the number of demands or time-in-service.The functional form of the distribution is unique. If the equipment construction oroperating condition changes, the shape of the distribution will also change, reflectingdifferent values of the probability of failure within a specified number of demands ortime-in-service interval. The functional form of the probability distribution cannot bedetermined from a knowledge of the equipment, device, or system, but must bededuced from analyzing equipment failure rate data,

There are several well-known statistical distributions that can be used to modelboth demand-related and time-related equipment failure rate data. These include avariety of discrete and continuous functional forms. Appendix G describes several ofthese models, presents functional forms for A (£), /[#,-), or/(£), and.R(#-) or R(t) for eachmodel, provides statistical measures (i.e., the mean, median, mode, and variance) foreach model, and graphically illustrates the functional forms of various continuousmodels. A more comprehensive summary of the properties of statistical distributionsmay be found in Hastings and Peacock (1974), Papoulis (1965), Feller (1968), Meyer(1965), Drake (1967), Mosteller et al. (1961), Kapur and Lamberson (1977), andHahn and Shapiro (1967). Various ways of modeling behavior are discussed in severalreliability textbooks including Lees (1980), Henley and Kumamoto (1981), andBillinton and Allen (1983).

5.5.1.7. CONSTANT FAILURE RATE MODELSConstant failure rate models are appropriately used to define the reliability of compo-nents which are subject only to failures occurring at random intervals, and the expectednumber of failures (failure rate) is constant for long operating periods.

The most widely used constant failure rate model is that based on the exponentialdistribution, or more strictly speaking the negative exponential distribution. In thismodel, the reliability of a component in the time interval (0/) is give by:

R(t) = e~Xt (5.5.14)

where e = the base of the natural logarithm (2.71828)A = the time constant failure rate (I/mean time between failure)T = operating time for which we want to know the reliability .R of the

componentUsing the exponential distribution it is important to note that reliability R(t) is a

function of operating time for the component and the Mean Time Between Failure(MTBF). The MTBF is an average measure of the time until a component fails. If alarge number of identical components were tested until failure, the MTBF would beobtained by summing the operating times until failure and dividing by the number ofitems tested.

Inspecting Eq. (5.5.14) it can be concluded that for small operating times the reli-ability will approach 1.0. Likewise as the operating time increases, the reliability of thecomponent will approach 0.0.

The complement of the reliability is called the failure probability (or sometimes theunreliability) and is given by

Pf(t) = l-e~** (5.5.15)

where Pf is the probability of failure of the component in the time interval (0/),These equations are applicable as long as the component is the useful life part of its

system life cycle. The useful life of a component is considered to be the time after burn-in failures no longer exist and wear-out failures have not yet begun. In most compkxelectro/mechanical systems, it is reasonable to assume a constant system failure rateover the system's useful life period, regardless of the failure patterns of the individualparts (USAAVSCOM Technical Report 77-16).

Time related equipment failure rates are frequently assumed to be constant becausethere is insufficient information on the actual failure to permit identification and verifi-cation of a more appropriate distribution, and because predicting the reliability param-eters of process equipment is greatly simplified as a result. While such simplification isdesirable, it can introduce errors in estimating failure probabilities and reliabilityparameters. Appendix H presents a discussion by Blanks (1977) on errors resultingfrom assuming that the time-related equipment failure rate is constant over time [i.e.,A( J )=AJ .

Sometimes confusion can also arise as a result of simplification efforts and mixingthe terms Unreliability P^t), and equipment failure rate, Ac. When t = 1 in Eq.(5.5.15):

P f(*)-A£ (Ac«l, f = l) (5.5.16)

This assumption is only valid for nonrepairable operating systems with a one yearrun time and a constant failure rate.

As Lees (1980) points out, if a device has a failure rate of Ac = 0.01 failureevents/year, the Unreliability over the year is also 0.01. This equation is only valid forAc « 1, a n d f = 1.

For demand-related equipment failure rates, the geometric distribution is the "dis-crete analog" of the exponential distribution, according to Rothschild and Logothetis(1986), A single parameter,^?, is used to characterize the discrete distribution. Unlikethe exponential distribution, however, the geometric distribution is little used in mod-eling demand-related equipment failure rate data. The discrete model more often usedis the binomial distribution. Refer to Appendix G for additional information.

5.5.1.8. NONCONSTANT FAILURE RATE MODELSAs mentioned in the previous paragraph, constant failure rate models (i.e., exponentialdistribution-based models) are the most widely used models in failure analysis. Theyare also the most widely misused, as they are often used to estimate the reliability/unre-liability of equipment which does not experience a constant failure rate. Examplesinclude: (a) electronic equipment, which typically has a decreasing failure rate withtime and (b) mechanical equipment which has an increasing failure rate with time dueto wear out failures. If a constant failure rate model is used to model a nonconstant fail-ure rate system, gross inaccuracies could result.

There is a new trend toward the use of nonconstant failure rate models (Raheja1991). The most common are Weibull-distribution-based models. The Weibull distri-bution is not new, it was originally proposed by a Swedish engineer Walodi Weibull inthe early 1950s. Widespread application of Weibull-based models to date have beenlimited to the aerospace and automotive industries. The reason the distribution is gain-ing broader acceptance outside those industries is the wider recognition that failurerates of components are not always constant.

The Weibull distribution is particularly useful in that it can be used to fit both con-stant and nonconstant failure rate data. It can be used to identify the infant mortality,useful life (constant failure rate), and wear-out modes of failure as can be seen in Figure5.4. This information is of used in deciding maintenance policy and in reliability analy-ses, such as availability and hazard frequency calculations.

FIGURE 5.4. Equipment failure rate in service, t (or equipment age)—the "bathtub curve."

Time-in-service (f)

A<f)

Inst

anta

neou

s Fa

ilure

Rat

e

Infantmortality

Useful life(constant failure rate)

Wear-out

RegionRegionRegion

The commonly used Weibull model has two parameters. The beta (/?) parameterwhich is called the shape parameter, as it determines the shape of the Weibull curve.When the value of the shape parameter is greater than 1, the rate of failure increaseswith time. An increasing rate in failure is an indication that a product is in the wear outphase of its life cycle. When the value of the shape parameter is less than 1, the failurerate decreases with time. A decreasing rate in failure is an indication that a product isexperiencing infant mortality type failures. When the shape parameter equals 1, the fail-ure rate is constant, that is, the distribution is exponential.

The amount the curve is spread out along the abscissa depends on the other param-eter, alpha (a), commonly called the scale or characteristic life parameter. The alphaparameter is expressed in units of time, typically hours. It is the time at which 63.2%(one standard deviation) of the components have failed. The reliability formula associ-ated with the Weibull density function is

R(t)=e~(f/ari* (5.5.17)

where t is the operating time.The formula for estimating failure rate associated with a Weibull density function is

Fr(t) = (0/cf)(tf-1 (5.5.18)

Application of these formulas requires an estimation of the values of a and/? fromhistorical data or rest results. The analytical methods used to estimate these parametersinvolve the solution of a system of transcendental equations which are difficult to solvewithout a computer. A faster and more commonly used approach for estimating theparameters is based on a graphical technique. By plotting the data, both failures andnonfailures, on special Weibull probability graph paper one can easily estimate both theshape and scale parameters. Figure 5.5. is an example of Weibull graph paper. TheWeibull plotting procedures is as follows:

1. Rank order the times to failure (lowest to highest)2. Determine median rank (MR)

MR = (i - 0.3)/(» + 0.4)

where i is the sequential number of each failure and n is the populationsize of test

3. Plot data on the Weibull paper:X-zxi s, Time to FailureY-axis, Median Rank

4. Determine/draw best-fit line5. Determine ft and a from Weibull paper

Readers who are interested in the mathematical or graphical estimation methodsin detail should consult Nelson (1983) and Weibull (1951).

Example: Failure data for a motor transmission shows beta (/J) = 1.5 and the charac-teristic life alpha (a) = 7500 hours. Estimate:

1. The reliability in the products initial 7500 hours operating interval.2. The failure rate at 500 hours and 7500 hours.

TimeFIGURE 5.5. Weibull probability graph. (Reproduced from Raheja, D. G., AssuranceTechnologies: Principles and Practices, McGraw-Hill, Inc., New York, 1991.)

Solution1. The reliability is calculated using Eq. (5.5.17)

£(7500) = ^(7500/7500)^1.5

= r1 = 0.3678

2. The 500- and 7500-hour failure rate is calculated using Eq. (5.5.18).

FR(SOQ) = (1.5/7500L5)(500) L5-LO

= (1.5/649,519.05)(22.36)= 0.000052 failure/hr

Per

cent

FR(7500) = (1.5/750O15XJSOO)1 ̂ 10

= (1.5/649,519.05)(86.60)= 0.0002 failure/hr

Example: Recalculate the prior example assuming a constant failure rate distribution(i.e.,/J = 1.0).

Solution:1. The reliability is again calculated using Eq. (5.5.17):

£(7500) = ^7500/7SOO)«1.0= e"1 = 0.3678

2. The 500- and 7500-hour failure rate is calculated using Eq. (5.5.18):

JpR(SOO) = (1.5/7500 LO)(500)L°-LO

= (1.5/750O)(I)= 0.0002 failure/hr

£R(7500) = (1.5/75001-°)(7500)L0-1-0

= (1.5/750O)(I)= 0.0002 failure/hr

Although the Weibull density function is the most frequently used in non-constantfailure rate models there are occasions when other density functions are required. Thisis particularly true when wear out failures are being analyzed. The normal andlognormal density functions may be more appropriate to use for these types of failures.

5.5.2. Types and Sources of Failure Rate Data

It is important to distinguish the types of time-related and demand-related equipmentfailure rate data that can be found and used in a CPQEA. Basically, four types of dataexist. The following four types and corresponding data sources provide both time-related and demand-related failure data:

Data type Data source

Plant-specific data Internal operations

Generic data External data resources

Predicted data (generic quality) Estimation techniques

Judgmental data (crude estimates) Internal expert opinion

Each of these data types is discussed in the following sections.

5.5.2.1. PLANT-SPECIFICDATAFailure rate data generated from collecting information on equipment failure experi-ence at a plant are referred to as plant-specific or field failure rate data. Plant-specificdata will contain failure rates specific to equipment (e.g., a certain valve or pump in useat a facility by manufacturer, make, model, and serial number) and are catalogedaccordingly. The collection of plant specific data from internal operations for use in arisk analysis is desirable because such data reflects the practices, external environmental

factors, and other reliability influences that are specific to equipment under study. Theideal situation is to have valid historical data from the identical equipment, in the iden-tical application, functioning under the identical operating and maintenance condi-tions.

In order for plant specific data to be useable, it must be maintained for a sufficientperiod of time to accurately portray component failure tendencies, and must be storedin a format which is readily accessible and retrievable. Such a format which is used toclassify and store data following a predefined logic and structure is called a taxonomy.A properly developed taxonomy creates categories of equipment having similar failurerates. There are many ways to classify equipment failures systematically and conse-quently structure a taxonomy. Some of the characteristics that can determine these cat-egories are: the equipment, its function, its size, the operating environment, itsoperating mode, and the specific failure mode. Maintaining data by failure mode isimportant as only the probability of a given failure mode may be of interest in theCPQRA. As an example, if you were analyzing the probability of a protective systemnot functioning on demand, you would only be interested in the fail danger failuremodes.

A taxonomy's hierarchy, creates a multitude of data cells, each with a uniqueaddress to house failure rate data for each specifically defined piece of process equip-ment and its service. Such a classification scheme developed by CCPS is presented inChapter 3 of the PERD Guidelines (AIChE/CCPS, 1989). The hierarchical structure ofthe CCPS taxonomy is divided into three major parts: equipment description, servicedescription, and failure description.

In some cases, the failure rate of a subclass (e.g., LPG pumps) may be estimated bymultiplying the ratio of known failures in the subclass relative to all similar equipmentat the facility times the generic failure rate for that type of equipment. Section 5.5.4contains additional information on this type of an approach.

5.5.2.2. GENERIC DATAAlthough plant-specific failure rate data on the specific equipment under study are pre-ferred, often the only way to assemble sufficient data to satisfy study needs is to con-struct a "generic" data set. This data set is built using inputs from all of the plantswithin a company or from various plants within the CPI, from literature sources, pastCPQRA reports, and commercial data bases (collectively termed "data resources35).

This type of equipment failure rate data—generic data—is much less specific anddetailed than the data derived from specific equipment failure history at a given plant.At best, generic data can claim to approximate plant-specific data. Generic failure ratedata are not limited to a specific manufacturer, make, model, and serial number. Forexample, generic data cannot be used to differentiate the future performance of twonew pumps, each designed for the same service but provided by different manufactur-ers. Generic failure rates would probably be the same for both pumps. While losingspecificity, a generic data base can draw on a much larger pool of plants for input, andcan overcome the lack of operating exposure and failure mode bias encountered inworking with plant-specific data.

A substantial amount of generic failure rate data applicable to process equipmentused in the CPI has been identified by CCPS. Over 70 data resources have been identi-

fied and summarized in the companion volume to this text, the PERD Guidelines(AIChE/CCPS, 1989). A sampling of the resources reviewed is presented in Table 5.5for cross-referencing purposes, the data resource numbers used by the PERD Guide-lines are included in Table 5.5.

The PERD Guidelines offer an initial version of a CCPS generic data base of equip-ment failure rate data for use in CPQRA. Figure 5.6 presents a sampling of data fromthis generic data base. Note that the generic data are presented as both time-related fail-ures per 106 operating hours and demand-related failures per 103 demands. The CCPSdata base has been formed from published industry data, the data resources mentionedabove, and data provided by Science Applications International Corporation. It hasbeen developed with the intention of being updated in the future through the collec-tion and integration of new plant data from facilities throughout the CPI. This genericdata base presents a new resource for CPQRA which should grow with time. Detailson the data available from this generic data base can be found in the PERD Guidelines.

CPQBJV5S need for a broader failure rate data base than that available from individ-ual plant's records points to a greater acceptance and use of generic data if the use ofCPQRAs is to expand. Increased dependency on generic data requires user acceptanceof less accurate risk estimates. Since it is derived from equipment from many manufac-turers, a number of processes, and many plants with various operating strategies,generic data must be reviewed for applicability. For example, the risk analyst should (ifpossible) examine the underlying assumptions about maintenance practices, testingintervals, and failure counting methods before using a particular set of generic data fora CPQBA. Unfortunately, most generic data bases including the CCPS data base donot store this information. Some analysts modify generic data by taking local environ-mental and maintenance procedures into account. Modification of generic data toadjust for actual facility conditions is discussed in Section 5.5.4.

5.5.2.3 PREDICTED DATAIncreasing attention is being given to developing methods to predict failure rate datafor process equipment and systems. Such methods are beginning to appear in the pub-lished literature. These methods include corrections, factored estimation procedures,and analogies to predict equipment failure rates. They are desirable as they offer effi-cient means of providing equipment failure rate data to CPQRAs, and they can be con-veniently incorporated into computer software.

These methods include approaches to estimating failure rate data using models orcorrelations developed from an engineering or scientific analysis of the influences onthe reliability of particular types, classes or groups of equipment. Some of these meth-ods can be compared to factored cost estimating procedures. For example, Thomas(1981) provides a factor-based technique for estimating the probability of catastrophicleakage from a pipe or pressure vessel. Factors include size and shape influences, weldzones, plant age, and other quality factors. Thomas compares his approach with pub-lished failure rate data for pipe and vessels.

The UCSIP Working Party (1985) has developed a less rigorous estimation proce-dure based on 12 parameters. This methodology can be applied to process unit sys-tems, equipment, or components. The 12 parameters include equipment age, design,welding conditions, vibration stresses, inspection frequency, and operating cycles per

TABLE 5.5. Selected Equipment Reliability Data Resources from the PERDGuidelines3

Source

Rasmussen (1975)[WASH-1400] ReacatorSafety Study

IEEE Std. 500(1984)

IPRDS In-Plant ReliabilityData System [see drago etal. (1982), Borkowski et al.(1983), and Kahletal.(1987)]

NPRDS Nuclear PlantReliability Data Systemmanaged by INPO(Institute of NuclearPower Operations)1 100 Circle 75 Pkwy., Ste1500, Atlanta, GA 30339

Lees (1980)

Offihore Reliability DataHandbook(ORED&Participants, 1984),1st Edition

OREDA-92, ORED A-97

Systems Reliability Service(SYREL)Data Base, UKAtomic Energy Authority,Culcheth, Warrington,Wigshaw Lane WA3 4NE,England

Rinjmond PublicAuthority (1982)

PERD Guidelinesresource number

4.8-9

4.6-12

4.6-11

4.6-2

4.4-3, 4.4-4

4.6-14

N/A

4.6-9

4.5-2

Availability

Published

Published

Published andcomputerized

On-line accessand dataretrieval;floppy disks;summaryreports

Published

Published

Published

Proprietarydata base

Published

Basis

Nuclear powerplant recordsand otherrelevant data

A largecollection ofcomponentreliability data

Reviews ofnuclear plantmaintenancerecords

Nuclear plantdata in aconsistent andcomprehensiveformat

Data on widerange ofprocessequipment

Reliability datafrom offshoredrilling andproductionplatforms

New andupdatedreliability datafrom offshoredrilling andproductionplatforms

Reliability datafrom nuclear,powergeneration,and otherindustries

Processindustryreliability data

Comments

One of the early,historical sourcesmuch quoted andreferenced.

Supported byLicensee EventReport Analysis

Mainly nuclearsources

Large detailed database on nuclearplants, updatedcontinuously

Failure data on44,000 eventsavailable; but maywell be the mostsignificant nucleardata base in thenear future

Numerous tablesand an index

Concentration onthe NorwegianSector of the NorthSea

Concentrates onthe NorwegianSector of the NorthSea. All threeeditions containsome unique data

Concentrates onUK and Europeandata

Early compilationdirected specificallyto the CPI

• AIChE/CCPS (1989).

FIGURE 5.6. Sample generic failure rate data sheet from PERD Guidelines (AlChE/CCPS, 1989).

CATASTROPHICt. Fails While Runningb. Rupturec. Spurious Start/CommandFaultd. Fails to Start on Demande. Fails to Stop on Demand

DEGRADEDa. External Leakage

Equipment Boundary

POWER SUPPLY PROCESS IN

COMPRESSORINCLUOEOt

SEAL OIL SYSTEMPIPINGINTERSTAGE COOUNGLUBE OIL COOLINGCONTROL UNITBASEPLATE

PROCESS OUT

Fallurt modeFailures (per 10* h ) Failures (per 10* demands)

Lower | Mean | Upper Lower | Mean | Upper

Aggregated If me In service (10* n) No. of DemandsPopulation Samples * . . .

Calendar time Operating time

DATA ON SELECTED PROCESS SYSTEMS AND EQUIPMENT

Taxonomy No. 3.3.2.1 Equipment Description ROTATING EQUIPMENT-COMPRESSORS-I ELECTRIC MOTOR DRIVEN

Operating Mode J Process Severity UNKNOWN

year. This technique produces an order of magnitude probability estimate, which maybe satisfactory for some study data requirements (e.g., screening studies).

MIL-HDBK 217E(1974), a manual issued by the U.S. Department of Defense,provides a method to predict failure rates of electronic modules using basic componentfailure rate data (semiconductors, transistors, capacitors, etc.) contained in the manual.Using adjustment factors defined in the manual, order of magnitude failure rates can becalculated and tailored to a specific installation environment and hardware quality.

5.5.2.4. JUDGMENTAL DATAThis type of equipment failure rate data is derived from expert opinion or judgement.Depending on how it is collected, judgmental data may be more, less, or as accurate, asso called "Generic" data. It's confidence bands are typically much wider than dataderived from plant specific applications. Such large confidence bands are representativeof a high degree of uncertainty. If the judgmental data is derived using a group of indi-viduals with experience with similar equipment, operating under similar conditions, itmay be more accurate than generic data which has been collected using equipmentoperating in different industries or a single industry but operating under a variety ofoperating and maintenance conditions.

The Delphi approach is one method which can be used to improve the accuracy ofjudgmental data estimates generated by a group of experts. The data contained in theInstitute of Electrical and Electronic Engineer's (IEEE) "Guide to the Collection andPresentation of Electrical Electronic, Sensing Component, and Mechanical EquipmentReliability for Nuclear-Power Generating Station" was compiled using this approach.This well cited reference is a good source of failure rate data for electrical, electronic,and mechanical components, if plant specific data is unavailable. The use of expertopinion to develop judgmental data is addressed in more detail in Section 5.7.

5.5.3. Key Factors Influencing Equipment Failure Rates

Various factors can influence equipment failure rates. These include

• Equipment description (type, boundaries, size)• Design standards• Materials of construction• Fabrication techniques• Quality control• Installation techniques• Startup practices• Operating strategy• Process medium• Internal environment• External environment• Maintenance strategy• Failure mode• Equipment age

Next Page