Journal of Loss Prevention in the Process Industries 23 (2010) 813e823

Contents lists available at ScienceDirect

Journal of Loss Prevention in the Process Industries

journal homepage: www.elsevier.com/locate/jlp

Risk assessment and land-use planning regulations in France

following the AZF disaster
Jrme Taveau
Institut de Radioprotection et de Sret Nuclaire, IRSN/DSU/SERIC/BAIN, 31, avenue de la Division Leclerc, 92 260 FONTENAY AUX ROSES cedex, France

a r t i c l e i n f o a b s t r a c t

Article history: After the disaster of AZF plant in Toulouse on 21 September 2001 (31 people killed, 3000 injured and 3
Received 22 December 2009 billion dollars of damage), France adopted a new law relative to safety reports and land-use planning on
Received in revised form 30 July 2003. This law asks for the investigation of all representative scenarios and the assessment
13 April 2010
of their probabilities to demonstrate the acceptable level of safety of an industrial facility. Therefore
Accepted 14 April 2010
signicant changes were introduced in the way of doing risk analysis in France and some difculties were
found for the implementation of a probabilistic approach.
Keywords:
This paper presents the new approach of risk analysis established by the French Ministry of the
AZF
Land-use planning
Environment, and particularly focuses on:
Risk analysis
the benets and limits of the semi-quantitative probabilistic assessment method;
Risk assessment
the benets and difculties to use a quantitative probabilistic assessment method;
Semi-quantitative risk assessment
some learning from the risk analysis approaches carried out in the nuclear industry;
Quantitative risk assessment (QRA)
some discussion about the national matrix to appreciate the gravity of human consequences from an
Probabilistic safety assessment accident outside facilities.
Failure rates 2010 Elsevier Ltd. All rights reserved.
Purple Book

1. Introduction This accident highlighted some deciencies in land-use plan-

At 10:15 am on 21 September 2001, a huge explosion occurred at
the AZF (Azote de France) fertiliser factory of Grande Paroisse
rm, located about 3 km outside the city of Toulouse in France. The
explosion was measured 3.4 on the Richter scale and let a crater of
65 m  54 m  8 m. 31 people were killed (21 people killed onsite
and 10 people killed offsite) and about 3000 were injured (ARIA,
2007; Barthlmy, Hornus, Roussot, Hufschmitt, & Raffoux, 2001).
The explosion shattered shops, car windows, and tore doors from
their hinges in the city center. Over 500 houses became unin-
habitable. The overall damages are estimated to be 3 billion dollars
(Figs. 1e5). Various hypotheses have been proposed, but the exact
cause of the explosion remains unclear. What is known is at the
time of the explosion, 200e300 tons of ammonium nitrate were
being stored in the warehouse. This material had been classed
as unsaleable because it included off-spec product. It seems to
have been contaminated with sodium salt of dichloroisocyanuric
acid (SDIC), increasing the susceptibility of ammonium nitrate to
explosive initiation. A public lawsuit was led on 24 February 2009.
E-mail address: jerome.taveau@irsn.fr
ning (proximity of dwellings, lack of communication with inhabi-
tants) and risk control (accidental scenario not taken into account
in safety report, inefcient management of subcontractors).
In the aftermath of this disaster, the approaches of land-use
planning and risk analysis in safety reports were entirely revised.
Before 2003, only worst-case scenarios were examined without
quantied probability assessment. A new law was adopted on 30
July 2003 (French Parliament, 2003), asking for the investigation
of all representative scenarios, and the assessment of the proba-
bility of the resulting dangerous phenomena, to demonstrate an
acceptable level of safety. So any accident is now examined from
a global perspective, according to its gravity and its probability
(French Ministry of the Environment, 2005a, 2005b, 2005c, 2005d,
2005e, 2006a). This new statutory approach had in particular three
main targets:

harmonization of risk analysis approaches;

implementation of a probabilistic approach in order to better
appreciate the risks as a complement of the deterministic
approach used so far;

action on existing urbanization and control of the future
land-use planning in the vicinity of high-risk facilities.

0950-4230/$ e see front matter 2010 Elsevier Ltd. All rights reserved.
doi:10.1016/j.jlp.2010.04.003
814 J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813e823

Fig. 4. Damaged warehouse at 320 m from the explosion center.

Fig. 1. View of the AZF chemical plant after the explosion (1).

The requirements of this new law were translated into techno-

logical risk prevention plans (PPRT in French), which is a new
tool for managing land-use planning in the vicinity of facilities
(described in Section 2.5).
This paper presents the new approach of risk analysis established
after the AZF disaster and some issues found for its application,
based on the work conducted by the author in the Safety Analysis
Section for Non Nuclear Facilities of the Institute for Radiological
Protection and Nuclear Safety (IRSN) as a peer-reviewer for the
French Ministry of the Environment.

2. Principles of the new approach of risk analysis in France

The French Ministry of the Environment produced guidelines to

implement the new approach of risk analysis, described in a docu-
ment entitled General Principles for the Elaboration of Safety
Reports (French Ministry of the Environment, 2006a).
After a description of the environment of the site, a description
of the process and the equipments, safety reports have to deal with
Fig. 2. View of the AZF chemical plant after the explosion (2).
the following stages:

Fig. 3. View of the AZF chemical plant after the explosion (3). Fig. 5. Damaged warehouse at 380 m from the explosion center.
 J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813e823 815

1. Identication of hazards (for example: an LPG tank, a pipe); Table 1

2. Characterisation of main hazards, by estimating the conse- Intensity of effects on humans.

quences of the instantaneous release of all the materials in an Thermal effects Overpressure Toxic
equipment (for example: an LPG tank catastrophic rupture, effects effects
a full bore pipe rupture); 5% lethal effects 8 kW/m2 or 200 mbar LC 5%
3. Reduction of the main hazards, which consists of carrying (1800 kW/m2)4/3 s
1% lethal effects 5 kW/m2 or 140 mbar LC 1%
out technical and economical studies to ensure there is no
(1000 kW/m2)4/3 s
possibility of removing or substituting hazardous materials, Irreversible 3 kW/m2 or 50 mbar IET
or reducing as much as possible the quantities of hazardous effects (600 kW/m2)4/3 s
products (for example: using smaller LPG tanks and pipes); LC: lethal concentration (for 1% or 5% of the population exposed).
4. Learning from accidents, i.e. taking into account the feedback IET (irreversible effect threshold): level at which the effects are expected to cause
on accidents in the facility and its branch of activity to show irreversible effects on human health.
the measures taken to counter such accidents (for example,
learning from the Feyzin (1966) and Mexico (1984) accidents in
the LPG industry); 2.2. Probability levels
5. Preliminary risk analysis, by using techniques such as HAZID;
the accidental scenarios are ranked by using a matrix in order Probability is the frequency with which an incident may occur
to select the critical ones (for instance scenarios with offsite during the lifetime of a facility. The probability of an event can be
consequences); assessed:
6. Detailed risk analysis, by using techniques such as HAZOP,
where all the scenarios based on process deviation are inves-
qualitatively; the French Ministry of the Environment has
tigated by the analysis of the necessary causes leading to the dened a grid, with ve probability levels, that can be used
accident: failure of a sensor, corrosion, vehicle impact, etc.; during the preliminary risk analysis or for simple facilities
7. Evaluation of the intensity of dangerous phenomena, using (Table 3);
analytical formulae or modelling softwares like PHAST or FLACS
quantitatively; in this case, the probability is the result of
(for example: a jet re from a loading/unloading arm for a more detailed risk analysis (see Section 3.2).
a truck, a vapour cloud explosion in a storage area);
8. Assessment of the probability of dangerous phenomena, i.e.
estimating the probability of initiating events, the probability
2.3. Representation of accidental scenarios
of central events, the probability of failure of safety barriers,1
and nally the probability of each dangerous phenomenon
In France, bow-ties have become very popular and largely used
(vapour cloud explosion, jet re, etc.);
in safety reports since 2003. This representation of major accidents,
9. Determination of the potential consequences for people, i.e.
introduced by SHELL, is the combination of a failure tree, on the left,
the number of people killed or injured for each dangerous
and an events tree, on the right.
phenomenon;
Bow-ties have the advantage to show how safety barriers
10. Classication of the scenarios in the national matrix, in
prevent the propagation of initiating events into accidents and
order to evaluate the acceptability of the facilitys global risk.
all the possible ways which lead to a dangerous phenomenon.
According to Duijm (2009), bow-ties are very helpful in
communication with non-experts. An example of bow-tie is
2.1. Gravity levels given in Fig. 6.

The risk is dened as a function of gravity, probability and

kinetics.2 Table 2
Gravity is the combination of two parameters: Gravity levels.

5% lethal effects 1% lethal effects Irreversible effects

the intensity of the effects: the three types of effects on people Disastrous >10 >100 >1000
are dened and mapped according to three intensity levels Catastrophic 1e10 10e100 100e1000
(Table 1); indirect effects such as injuries due to broken windows Major 1 1e10 10e100
Serious 0 1 1e10
are also considered;
Moderate 0 0 <1

the number of people in each dangerous area outside the
facility: the French Ministry of the Environment has estab-
lished some guidelines (French Ministry of the Environment,
2006a) to count people outside the facility (houses, roads,
venues for sporting or cultural events). Table 3
Probability levels.
E D C B A
The French Ministry of the Environment has also dened ve Extremely Realistic Improbable Probable Usual
gravity levels: moderate, serious, major, catastrophic and disastrous unlikely but unlikely scenario scenario scenario
scenario scenario
(Table 2), based on the number of people in each dangerous area. Not impossible Not impossible Already Already Already
considering the but it hasnt happened happened happened
current happened in a similar (or supposed (possibly
knowledge, in a similar industry to have several times)
1
Physical and/or non-physical means planned to prevent, control, or mitigate but it hasnt industry in the world happened) during
happened during the lifetime
undesired events or accidents. anywhere the lifetime of the facility
2
The kinetics of a dangerous phenomenon is the speed at which this phenom- in the world of the facility
enon happens and the speed at which its effects reach the population; it can be
< 10 /year > 10 /year > 10 /year > 10 /year > 10 /year
considered if the evacuation of the public is possible.
816 J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813e823

J e t f ire

1
Corrosion
Release of 7 Flames at offices
Rupture due to overpressure 2 OR hydrocarbon gas

Vehicle impact 3
OR Jet fire 8

4
Spark from instrument
9 10 Flames at pressure vessel
Spark from electric motor 5 OR Ignition source

Hot work 6

1 : selection of appropriate materials 6 : permit to work system

2 : design pressure > maximum pressure 7 : gas detection causes automatic shutdown
3 : traffic restrictions 8 : flame detection causes automatic shutdown
4 : intrinsically safe equipment 9 : water deluge cools pressure vessel
(for non impacting jet fire)
5 : protected equipment
10 : thermal insulation on pressure vessel

Fig. 6. A simple example of bow-tie.

2.4. Acceptability of the risk 2.5. Technological risk prevention plans (PPRT)

The French Ministry of the Environment has dened a national
matrix of acceptability of the risk for high-risk facilities (Table 4).
Each dangerous phenomenon is associated to one level of gravity
and one level of probability. The acceptability of the risk depends
on the level of risk and the type of facility (new or existing, keeping
in mind that criteria are more severe for new facilities).
For all facilities, it is not allowed to have dangerous phenom-
enon in the red zone (unacceptable risk): the operator must
improve the safety of his operation in order to reduce the risk. It is
also not allowed to have more than 5 dangerous phenomena in the
orange zone.
We can already note that for large facilities, like reneries for
example, it is common to get several tens of dangerous phenomena
that have to be ranked, and then easy to overpass the limit of 5
dangerous phenomena in the orange zone.
In addition, new facilities are only authorized if there is no
dangerous phenomenon in the box NO/MMR2, and if the best
available technologies (for prevention and protection) are imple-
mented. MMR means risk reduction measure, and applies to boxes
where risk reduction measure may be implemented.
In the yellow zone, the facility is authorized under the condition
that the operator has taken all safety measures within a reasonable
cost/effectiveness ratio (ALARP).
In the green zone (low risk), the risk is acceptable and the
facilitys operation is authorized.
The aim of the technological risk prevention plans (PPRT in
French) is to protect the population, through reducing the risk at
its root source or adopting measures such as protective measures,
construction and land-use planning measures, restriction on use of
land, etc.
It consists in assessing and prioritising the risk levels associated
with the activity of a facility on the territory. These levels enable
the denition of zones, each having its own land-use planning and
construction rules. For high-risk levels, expropriation and relin-
quishment may be applied (French Ministry of the Environment,
2006b).
The rst step consists in mapping aleas (Fig. 7). Alea is dened as
the probability that a dangerous phenomenon creates effects of
a given intensity, and over a determined period of time at a given
point of the territory (French Ministry of the Environment, 2006b).
For this purpose, the dangerous phenomena previously ranked into
the national matrix of acceptability of the risk are used for imple-
menting PPRT. Table 5 shows the rules applied for combining
dangerous phenomena probability levels for land-use planning.
Then PPRT is nalised.

Table 4
National matrix of acceptability of the risk.

PROBABILITY
E D C B A

Disastrous NO/MMR2 NO NO NO NO

Catastrophic MMR1 MMR2 NO NO NO

GRAVITY

Major MMR1 MMR1 MMR2 NO NO

Serious MMR1 MMR2 NO

Moderate MMR1

Fig. 7. Map of aleas (French Ministry of the Environment, 2006b).

 J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813e823 817

Table 5 of the Environment, the assessment of probabilities needs some

Rules for combining dangerous phenomena probability levels for land-use planning. development, because it is quite new.
Maximal level
of intensity on Indirect
Two different approaches are mainly used in French safety
5% lethal effects 1% lethal effects Irreversible effects
people at a effects reports: semi-quantitative and quantitative probabilistic assess-
given point
Dangerous ment methods. This paragraph gives some ndings on benets, limits
phenomena
probability >D
5E to
< 5E >D
5E to
< 5E >D 5E to D < 5E All
and difculties of applying such approaches.
D D
levels at a given
point
Very 3.1.1. Semi-quantitative probabilistic assessment method
Very High Medium
Alea level High High Medium Low
(+)
High (+) (+) There are different variations for the semi-quantitative method,
depending on the operators practices, but it generally consists
in estimating the probability of initiating events (IE) and the
probability of failure of prevention barriers, in order to obtain the
The second step is the analysis of interaction between aleas and
probability of the central event (CE), by using the probability levels
stakes (Fig. 8), such as dwellings, shops, public buildings, transport
(dened by the French Ministry of the Environment) and a level of
infrastructures, outdoor public spaces, public utilities, etc. (French
condence approach for safety barriers derived from IEC 61508
Ministry of the Environment, 2006b).
criteria. So it can be dened as an order of magnitude method
Then measures are dened to protect population from dangerous
(Fig. 9).
phenomena previously identied. Before being approved, the PPRT
If correctly applied, this method can give a quick evaluation of
gathers the state, regulatory bodies, operators and the population
the probabilities of dangerous phenomenon, and hence help to
into a Local Information and Dialogue Committee.
prioritise loss prevention recommendations. It can be very useful
According to the French Ministry of the Environment, 225
for simple facilities and simple accidental scenarios.
PPRT were nalised (i.e. map of aleas achieved) and 20 approved
On the other hand, this method is often misused: frequency of
(i.e. land-use areas dened and enforced) on 3 December 2009, for
initiating events are generally difcult to justify and doesnt
a total of 421 PPRT.
take into account the number of equipments, the length of pipes,
the frequency of maintenance, etc.
3. Findings from the application of the new Moreover, this approach is not sufcient for complex facilities,
approach of risk analysis because it is too imprecise to study escalation events, which
unfortunately are those which can lead to the biggest consequences.
After the disaster of AZF plant, the French Ministry of the For example, an LPG tank BLEVE could be the consequence
Environment set up national working groups in order to harmonize of many accidental scenarios (Fig. 10). Most of the time, there are
the risk analysis and consequences modelling approaches. Many several equipments on the site, several roads tankers, etc., and
working groups were formed concerning ammonia, chlorine, fer- nally several LPG tanks, so uncertainties are added, and nally
tilisers, grain silos, reneries, fuel depots, explosives. There are also it can lead to a wrong probability of BLEVE, and then the imple-
transverse working groups, working on the evolution of risk anal- mentation of expensive additional safety measures.
ysis methodologies: safety reports, acute toxic thresholds, PPRT. Table 6 summarizes the advantages and disadvantages of the
These working groups, composed with regulator bodies, semi-quantitative probabilistic assessment method.
operators and experts (like IRSN), compare the know-how and
the different approaches used in risk analysis. The deliverable is 3.1.2. Quantitative probabilistic assessment method
a common denition of consequences modelling, gathering the main The quantitative method generally used in France consists
assumptions about atmospheric dispersion of ammable and toxic in considering the central event as a point of departure, associated
materials, vapour cloud explosions, BLEVE, etc. (French Ministry of with an events tree. The probability of loss of containment is
the Environment, 2006a). generally estimated thanks to generic failure databases (Fivez

3.1. Assessment of the probability of dangerous phenomena

Whereas consequences modelling has received much attention,

and some guidelines have been established by the French Ministry

Fig. 9. Bow-tie representation. UE: undesirable event, CuE: current event, IE: initiating
event, CE: critical event, generally dened as a Loss of Containment (LOC), SCE:
Fig. 8. Map of stakes (French Ministry of the Environment, 2006b). secondary critical event, DP: dangerous phenomenon, ME: major event.
818 J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813e823

Table 6
Benets and limits of the semi-quantitative method.

Benets
Simple and comprehensive method
Quick evaluation, prioritisation
Take into account site-specic
aspects for detailed analyses
Limits
Order of magnitude method
Lack of justication for the
frequencies of initiating events
Ignores the number of equipments,
their sizes, the activity of the facility

probability of a leak. So it is not obvious that the probability of failure

of chlorine pipes would be lower or higher than the generic ones in
this case.
Some differences exist between the databases used in Europe
for QRA. Table 7 compares generic failure data from three main
databases (Fivez et al., 2009; Health and Safety Executive; LNE,
2009; Uijt De Haag & Ale, 1999).
We can see that the Purple Book default value for the catastrophic
rupture of a pressurized vessel is ten times lower than the corre-
sponding HSE value. Moreover, Logtenberg (1998) has reviewed
values ranging from 5.1  104/year (TNO, 1983) to 5  107/year
(IPO, 1994) for the catastrophic rupture of a pressurized vessel; so it
seems that the Purple Book default value is quite optimistic.
In his paper (Nussey, 2006), Nussey gives an overview of the
Fig. 10. Example of a bow-tie for an LPG storage tank BLEVE. databases used in the Purple Book and in the Failure Rate and Event
Data HSE module, and explains the main differences between the
English and Dutch approaches:
et al., 2009; Health and Safety Executive; LNE, 2009; Uijt De Haag &
Ale, 1999). Using this approach, it is assumed that the facility has all
HSE values are based on a global consideration of failure
the standard prevention barriers taken into account in the mechanisms (Fig. 11);
databases.
Purple Book references are older (1968, 1974, 1975) than HSE
In France, operators widely use generic failure data from (1981);
the Purple Book (Uijt De Haag & Ale, 1999). The Purple Book is very
some Purple Book values are based on expert judgement.
practical, because it includes standard scenarios and failure
frequencies for use in QRA.3 The paper from Beerens, Post, & Uit de It is also interesting to see that FRED and LNE databases use the
Haag (2006) gives an overview of the origins of the values used in same references (Smith & Warwick, 1981) to establish the pressure
the Purple Book, and lists some issues: vessel catastrophic failure rate, but dont interpret them the same
way, or with the same safety margins.

many of the failure values are based on old data and/or expert Recently, Spouge (2005) has published a paper in which he sets
judgement; up common failure rates using the hydrocarbon release database

terms (e.g. catastrophic failure) are not well dened, which
makes comparisons of failure frequencies with other databases
Table 7
difcult; Probabilities of catastrophic ruptures for three different databases.

information in the data sets is often limited and does not
Equipment Purple book Failure rates and Handboek
always give an indication of the kind of failure causes included
(RIVM) event data (HSE) kanscijfers
or the level of condence attached to values (lower, median or (LNE)
upper failure rates); Pipe 106/m year 106/m year (d < 50 mm) 2.2  108 (L/D)

description of the same event between the Purple Book data (d < 75 mm) 5  107/m year
and its sources (COVO, 1981; IPO, 1994; RE-95-1, 1996) is not 3  107/m year
(75 mm < d < 150 mm)
really clear, which makes a comparison difcult. (75 mm < 2  107/m year
d < 150 mm) (150 mm < d < 299 mm)
107/m year 7  108/m year
There is also a lack of detail concerning the prevention barriers in (150 mm < d) (300 mm < d < 499 mm)
place, which makes the interpretation of such values quite delicate. 4  108/m year
So, from a practical point of view, even if lower or higher frequencies (500 mm < d < 1000 mm)
Pump 104e105/year 3  105/year e
could be used, depending on site maintenance and working envi-
(depending (failure of casing)
ronment (for example: corrosion, vibrations, etc.), it is quite difcult on the type)
to apply different values than the generic ones. For example, if we Pressure vessel 5  107/year 4  106/year 3.2  107/year
consider a chlorine distribution facility: on one hand, chlorine could 105/year (BLEVE)
be corrosive if water is present, which increases the probability for Atmospheric 5  106/year 5  106/year 5  106/year
tank
a leak; on the other hand, chlorine pipes have a special design, such
Compressor 104e105/year e 104/year
as special valves, limited number of anges and connections, double (depending
packed anges, carbon steel pipes, etc., which decrease the on the type)
Chemical 5  106/year 105/year 5  105/year
reactor 5  105/year (with
3
runaway potential)
Quantitative risk assessment.
 J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813e823 819

Fig. 11. Mechanisms leading to a pressurized vessel catastrophic failure (Nussey, 2006).

collected by the HSE in the UK offshore industry. This work has
been updated by Falck (quoted in Pitlabo, Bain, Falck, Litland, &
Spitzenberger, 2009).
Table 8 summarizes the advantages and disadvantages of the
quantitative probabilistic assessment method.
So, nally, we can see that it is not so easy for a practitioner to
choose the relevant value for his site.
3.2. Safety barrier failures
3.2.1. Equipment failures
The failure rate of an equipment can be estimated using
a database (CCPS, 1989; Lees, 2005; SINTEF, 2002).
As previously mentioned for LoC cases, we can note that it is
quite difcult to nd some details about the considered equipment
in databases, such as the uid considered, the working environ-
ment, the tests frequency, etc., when these factors can greatly
modify failure rates.
It is also quite difcult to adapt failure rates from one industry to
another: you have to be sure that products have almost the same
physical and chemical characteristics, the working conditions are
equivalent, etc.
Table 9 shows that values concerning equipment failures found
in the literature can be quite different. The difference between
Table 8
Benets and limits of the quantitative method.
values from well-known databases could be greater than 100 for
a pressure sensor!
We can note that the report Guidelines for process equipment
reliability data from the Center for Chemical Process Safety is
currently under revision, so maybe the new revision will give more
detailed data for use in quantitative risk assessments.
3.2.2. Human failures
It is widely accepted that a main contributor of major accidents
is human failure. Nevertheless, the assessment of probability of
human failures is even more difcult than for equipments, because
it depends on many factors, such as:

the type of task;

the time to complete the task;

the adequacy of procedures;

the experience level and the skills of the operator performing
the task;

the environmental conditions;

the number of people performing the task (redundancy);

the distractions or other tasks being performed
simultaneously;

fatigue, stress, motivation, etc.
A probability between 101/year and 103/year is generally used
in safety reports (Hannaman & Spurgin, 1984; Rasmussen, 1975;
Swain & Guttmann, 1983).

Benets Limits Table 9

Simple and comprehensive method Old values of probability Probabilities of failure for sensors.
Take into account the number Ignores the inuence of lacking/
of equipments, their sizes, additional prevention barriers Equipment Red Book LEES OREDA
the activity of the facility Temperature sensor 0.018/year 0.88/year 0.1/year
Precise values Ignores the specic environment Pressure sensor 0.0055/year 1.4/year 0.019/year
of the facility Level sensor 0.0042/year 0.02e0.002/year 0.055/year
820 J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813e823

Tanker moves
Hose failure due to pullaway
Tanker movement results
in a release from hose/coupling

Defect to hose occurs

during transfer of chlorine
Hose fails catastrophically
Defect to hose existed (break before leak) Guillotine failure
prior to the transfer Hose burst of hose/coupling
Hose fails due to escalation
of a pinhole leak
(leak before break)

Coupling failure given that hoses

are inadequately connected
and transfer commenced

Transfer commenced given that

the chlorine liquid hose Coupling/connection failure
is not connected

Chlorine liquid
line disconnected

Fig. 12. Fault tree depicting mechanisms leading to a guillotine failure of hose/coupling.

3.3. Adjustment of standard failure and error Rate Modier (ERM), comprised between 0.1 and 10, which allows
rates to a specic facility taking into account criteria such as:

Many operators claim that their facilities are of a higher level of
safety than the others. So what are the benets of applying generic
failure data? It cant take into account additional safety barriers,
new safer technologies (or ageing of installations), process safety
management system efciency, etc.
There are two mains approaches to obtain plant-specic failure
rates:

adjusting generic values using criteria (modication factors);

developing specic databases: this point will be developed in
Section 3.4.4.
According to AMINAL (2004), adapted values can be applied for
equipment failures. In the case of pressure vessels for example, ten
factors must be reviewed:

corrosion;

brittleness of the material;

unwanted substances (including erroneous charging);

modication/repair work;

overlling (can vessel rupture be ruled out?);

fatigue failure (vibration, frequently occurring variations in
loading and thermal loading);

external re (no combustible in the vicinity of the facility);

explosion in the vicinity (no combustible materials with
a potential explosion hazard in the vicinity of the facility);

mechanical damages due to activities in the vicinity (e.g.
roads);

external corrosion.

time pressure to complete the task;

adequacy of procedures;

fatigue, etc.
So the Adjusted Error Rate (AER) is calculated by the relation-
ship: AER4 BER5  ERM.6
It can be argued that the choice of ERM is again mainly based on
expert judgement.
An interesting initiative is the work done by Taylor for RIVM
(Taylor, 2004). His approach consists to dene baseline failure
frequencies, mainly based on US Risk Management Program data,
and combine these values with modication factors, according to
the standards of design, construction, operations, maintenance,
operating conditions, in order to obtain realistic estimates of actual
frequencies (Beerens et al., 2006).
Checklists are provided to identify relevant causes of failure
and calculate specic failure rates, in order to avoid different
interpretations.
Interests are that failure frequencies are more recent and varied
and methodology to apply modication factors is clear. Unfortu-
nately, this project has not been nalised for the moment.
Recently, DNV (Pitlabo et al., 2009) has presented four
approaches to modify generic failure rates coming from UK HSE
HCRD database: CCPS method based on the report Guidelines for
chemical process quantitative risk analysis, MANAGER method,
API RP 581 method and barrier based method. One of them, the
MANAGER method, developed by Technica in 80s, uses a site
assessment questionnaire to account for local safety management

However, AMINAL does not give practical examples to illustrate

this possibility. 4
Adjusted Error Rate.
In his paper, Wincek & Haight (2007) proposed a method to 5
Base Error Rate.
adjust human failure rates. He dened a coefcient called Error 6
Error Rate Modier.
 J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813e823
systems and technical safeguards, which seems to be a good tool to
take into account site specicities.
3.4. Learning from the nuclear industry
3.4.1. Quantitative risk assessment (QRA)
There are several levels of detail in which a quantitative risk
assessment can be carried out.
Some detailed QRA studies have also been conducted by the
Health and Safety Laboratory (HSL) and the Health and Safety
Executive (HSE) about chlorine road tanker off-loading and LPG
BLEVE frequencies (Blything & Reeves, 1988; Gould, 1993; Gould &
Anderson, 2000; Harding, 1995; Keeley & Collins, 2004; Keeley &
Wilday, 2000; Selway, 1988). Using a detailed fault tree (Fig. 12),
it quanties the effect of additional measures for chlorine guillotine
hose/coupling release (the same work has been done for less than
catastrophic releases), as we can see in Table 10.
HSL also determines the contribution of each intermediate event,
and initiating event, to the probability of the central event (Table 11).
3.4.2. Probabilistic safety assessment (PSA) for a chemical plant
In the French nuclear industry, probabilistic safety assessment
(PSA) is used to complete the deterministic approach, for example
for PWR reactors.
In this method, the possibility of having an accidental scenario is
developed from the failure frequencies of the basic system
components like level gauges, pressure sensors and pumps.
According to Fullwood (2000), there are few examples of
chemical process PSAs. He mentions 3 main tentatives of PSA in the
chemical industry:

the Canvey Island study, conducted by the United Kingdom
Atomic Energy Authority (70s);

a PSA of a butane storage facility, conducted by Oliveira (90s);

a PSA of an ammonia storage plant, conducted by Papazoglou
(90s).
He concludes these works are less elaborate than in the nuclear
industry, but remain of high interest.
3.4.3. IRSN initiative for an LPG plant PSA
In 2003, the French Ministry of the Environment asked for
the Institute for Radiological Protection and Nuclear Safety, and in
particular its Industrial Risks, Fire and Containment Assessment
and Study (SERIC) and its Systems and Risk Protection Assessment
(SESPRI) departments, to conduct a PSA study of an LPG distribu-
tion facility.
This study (Baltenneck et al., 2005) presented an overall
analysis of the BLEVE scenario using simplifying assumptions
(release from the biggest diameter for a family of pipes, liquid
release with innite duration, etc.). The analysis was aimed to
quantify the contribution of each initiator postulated to occur (e.g.
LPG leaks).
One of the main interests of a PSA is to dene and prioritise
the actions to be carried out to improve safety at the facility: the
sensitivity studies conducted by IRSN (Baltenneck et al., 2005) have
showed, for example, that using internal valves for storage
Table 10
Probability of guillotine hose/coupling release for different types of facilities.
Type of facility Failure rate per operation
Basic facilities 4  105
Average facilities 4  106
Multi-safety system facilities 2  107
821
Table 11
Contributions to a guillotine failure of hose/coupling.
Intermediate event Failure rate Contribution
Pullaway 1.2  108 24%
Hose burst 2.4  108 49%
Coupling failure 1.3  108 27%
capacities is more effective than focusing on the reliability of the
programmable safety controller.
The PSA study conducted by IRSN also showed the importance
of conducting more detailed work on some safety issues, like
a more detailed characterisation of the phenomena conducting to
a BLEVE. PSA enables to give the main contributions to a global
risk, so it is a very powerful tool for plants safety improvement.
However, this method requires credible data for reliability and
failure of the components, and much more time to be correctly
applied.
3.4.4. Development of industrial databases
One of the main conclusions of the PSA conducted by IRSN is
the lack of plant-specic reliability data for probabilistic safety
assessments: so there is a need to organize feedback to improve
quantitative accident and equipment/human failure databases.
Several confederations, like OREDA and EIREDA, have organized
feedback with companies at a national and international level to
have more reliable equipment failure data.
Some operators have attempted to organize a feedback. For
example, the LASTFIRE (Ramsden, 1997) project (Large Atmospheric
Storage Tank FIREs), involving 16 major oil companies, has quan-
tied the probability of tank re scenarios (Table 12).
At the present time, the Systems and Risk Protection Assessment
Department of IRSN is assisting French LPG operators in developing
a national database to provide more precise and representative
failure rates for main safety equipments, ready to use in future
probabilistic safety assessments relative to LPG plants.
3.5. Discussion about the national matrix to appreciate the gravity
of human consequences from an accident outside the facilities
In the French approach, the risk considered is a global risk for
the public outside the facility (societal risk). For wide facilities, as
we have seen in Section 2.4, it is very easy to obtain more than 5
dangerous phenomena in the case NO/MMR2.
In fact, the E probability level collects dangerous phenomena
with a probability lower than 105/year, so it makes no difference
between unlikely and very unlikely events whereas in some cases,
the differences could be very signicant. This difculty had
appeared during the testing period of the new approach of risk
analysis on pilot facilities (2004e2006).
So the French Ministry of the Environment has proposed the
possibility to exclude a dangerous phenomenon with a very low
probability, and according to a defence in depth approach. The
exclusion is subject to a strict rule of double-instrumented barrier
protection. In addition, the dangerous phenomenon has to remain
in the E probability level in case of failure of the most reliable
Table 12
Generic event frequencies for tank res.
Type of re Basic frequency
Spill on roof re 3  105/tank year
Small bund re (mixers, pipes, valves or anges) 9  105/tank year
Large bund re (major spillage) 6  105/tank year
Full surface re following sunken roof 3  105/tank year
822 J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813e823
barrier. Under these conditions, the dangerous phenomenon wont
appear in the matrix.
The French Ministry of the Environment also gave the possibility
to aggregate BLEVE with the same effects and the same location
into a single BLEVE with the total probability of occurrence (French
Ministry of the Environment, 2007). For example, ten LPG storage
tanks BLEVE with a probability of 107/year can be aggregated into
a single BLEVE with a probability of 106/year; the corresponding
dangerous phenomenon is then the combination of the different
dangerous area of each BLEVE.
4. Conclusions
The new law adopted on 30 July 2003 indisputably led to
a better estimate of the risks of industrial facilities. Risk analysis, at
the heart of the safety report, is now a key element for land-use
planning and decision making.
The set up of working groups, in order to harmonize conse-
quences modelling techniques, has resulted in a strong improve-
ment in this eld, even if our knowledge remains quite incomplete.
In the Bunceeld accident for example, it seems overpressures
have exceeded several bars at some locations, whereas all experts
calculations would predict overpressures of about 100 mbar!
Uncertainties remain concerning the role of ignition source and
vegetation on the level of overpressure observed.
It seems there is still more work to do to harmonize probabilistic
assessment methods, mainly because of the lack of accurate data.
We have seen the benets, limits and difculties of both semi-
quantitative and quantitative probabilistic assessment methods.
We have also seen the potential application of detailed risk
assessment methods, like approaches developed for nuclear safety.
What is sure is that low probability high consequence events
like BLEVEs are still challenging for risk assessment and land-use
planning. QRA techniques are quite protable for this type of
events, but it requires actual and actualised frequencies to get
accurate outcomes. So there is a need to organize operative feed-
back to get plant-specic failure rates.
Anyway, because operative feedback is a long-term work, there
is also a need to have a better understanding of the generic failure
data and the underlying assumptions to apply it correctly. At the
present time, practitioners dont have sufcient guidelines to use
and/or adapt generic failure frequencies to real situations.
So one improvement proposal could be:

to set up an international working group of experts, in order to
organize existing data in a coherent and comprehensive way
for practitioners;

to develop a common methodology to introduce modication
factors in order to take into account lacking/additional provi-
sions (it supposes that generic fault trees are available): the
work done by Taylor (2004), who has a long industrial expe-
rience, could be very useful for this purpose;

to organize a coherent feedback through national associations
(chemical association, LPG association, etc.) to get more accu-
rate data: one motivation for operators could be that with
a better feedback, values will really reect their process safety
management system efciency.
References
AMINAL. (2004). Handboek kanscijfers voor het opstellen van een veiligheidsrapport.
Co-ordinated Version 2.0, AMINAL Dienst gevaarlijke stoffen en risicobeheer,
Brussels.
ARIA. (2007). Explosion in a fertilizer plant. September 21st, 2001. Grande Paroisse
Toulouse. http://www.aria.developpement-durable.gouv.fr.
Baltenneck, H., Barrachin, G., Chambon, J.-L., Corenwinder, F., Gomane, C.,
Hernandez, J. L., et al. (2005). Etude Probabiliste de Sret relative une Instal-
lation Industrielle, rapport nal de la phase 2, tome 1. Rapport DSR/SESPRI n 33,
rapport EPS_ININ/PH2/04.
Barthlmy, F., Hornus, H., Roussot, J., Hufschmitt, J.-P., & Raffoux, J.-F. (2001). Usine
de la socit Grande Paroisse Toulouse. Accident du 21 septembre 2001. Rapport
de lInspection Gnrale de lEnvironnement.
Beerens, H. I., Post, J. G., & Uit de Haag, P. A. M. (2006). The use of generic failure
frequencies in QRA: the quality and use of failure frequencies and how to bring
them up-to-date. Journal of Hazardous Materials, 130(3), 265e270.
Blything, K. W., & Reeves, A. B. (1988). An initial prediction of the BLEVE frequency of
a 100 TE butane storage vessel. UKAEA/SRD/HSE/R488.
Center for Chemical Process Safety. (1989). Guidelines for process equipment
reliability data. American Institute of Chemical Engineers.
COVO Commission. (1981). Risk analysis of six potentially hazardous industrial objects
in the Rijnmond area, a pilot study. A report to the Rijnmond Public Authority.
Schiedam, The Netherlands: Central Environmental Control Agency.
Duijm, N. J. (2009). Safety barriers diagrams as a safety management tool. Reliability
Engineering and System Safety, 94(2), 332e341.
Fivez, C., Delvosalle, C., Cornil, N., Katz, T., Servranckx, L., & Tambour, F. (2009).
Inuence of new generic frequencies on the QRA calculations for land use
planning purposes in Walloon Region (Belgium). In Eighth World Congress of
Chemical Engineering, Symposium on the frequency component used in risk
assessment of major industrial accidents, 23e27 August 2009, Montreal.
French Ministry of the Environment. (2005a). Dcret n 2005-1130 du 7 septembre
2005 relatif aux plans de prvention des risques technologiques.
French Ministry of the Environment. (2005b). Arrt du 29 septembre 2005
relatif lvaluation et la prise en compte de la probabilit doccurrence, de
la cintique, de lintensit des effets et de la gravit des consquences des
accidents potentiels dans les tudes de dangers des installations classes
soumises autorisation.
French Ministry of the Environment. (2005c). Arrt du 29 septembre 2005 modiant
larrt du 10 mai 2000 modi relatif la prvention des accidents majeurs
impliquant des substances ou des prparations dangereuses prsentes dans
certaines catgories dinstallations classes pour la protection de lenvironnement
soumises autorisation.
French Ministry of the Environment. (2005d). Circulaire du 29 septembre 2005
relative aux critres dapprciation de la dmarche de matrise des risques
daccidents susceptibles de survenir dans les tablissements dits SEVESO , viss
par larrt du 10 mai 2000 modi.
French Ministry of the Environment. (2005e). Circulaire relative la mise en uvre
des plans de prvention des risques technologiques.
French Ministry of the Environment. (2006a). Guide dlaboration et de lecture des
tudes de dangers pour les tablissements soumis autorisation avec servitudes et
ches dapplication et ches associes.
French Ministry of the Environment. (2006b). Technological risk prevention plan
(PPRT) acting together to control risks.
French Ministry of the Environment. (2007). Circulaire du 23 juillet 2007 relative
lvaluation des risques et des distances deffets autour des dpts de liquides
inammables et des dpts de gaz inammables liqus.
French Parliament. (2003). Loi n 2003-699 du 30 juillet 2003 relative la prvention
des risques technologiques et naturels et la rparation des dommages.
Fullwood, R. R. (2000). Probability safety assessment in the chemical and nuclear
industries. Butterworth-Heinemann.
Gould, J. (1993). Fault tree analysis of the catastrophic failure of bulk chlorine vessels.
AEA Technology. SRD/HSE R603.
Gould, J., & Anderson, M. (2000). Hose and coupling failure rates and the role of human
error e Catastrophic failure rates. Health and Safety Laboratory. HSL/2000/09.
Hannaman, G. W., & Spurgin, A. J. (1984). Systematic human action reliability
procedure (SHARP). Electric Power Research Institute. EPRI NP-3583.
Harding, A. B. (1995). BLEVE probability of an LPG road tanker during unloading.
AEA/CS/HSE R1043.
Health and Safety Laboratory. Failure rates and event data. http://www.failurerates.
info.
IPO. (1994). Guidelines for the preparation of off-site safety industrial sites. Report IPO
Project A-73, The Hague.
Keeley, D., & Wilday, J. (2000). Hose or coupling failure events during off-loading
a chlorine road tanker. Final report. Health and Safety Laboratory. RAS/00/11.
Keeley, D., & Collins, A. (2004). Hose and coupling: Less than catastrophic failure rates
e Milestone 2. Health and Safety Laboratory. RAS/04/03/1.
Lees, F. P. (2005). Loss prevention in the process industries. Butterworth-Heinemann.
LNE. (2009). Handboek faalfrequenties 2009 voor het opstellen van een
veiligheidsrapport.
Logtenberg, M. T. (1998). Derivation of failure frequencies for LOC cases. TNO report,
TNO-MEP e R98/501.
Nussey, C. (2006). Failure frequencies for major failures of high pressure storage vessels
at COMAH sites: A comparison of data used by HSE and the Netherlands. Health
and Safety Executive.
Pitlabo, R., Bain, B., Falck, A., Litland, K., & Spitzenberger, C. (2009). Frequency data
and modication factors used in international QRA studies. In Eighth World
Congress of Chemical Engineering, Symposium on the frequency component used in
risk assessment of major industrial accidents, 23e27 August 2009, Montreal.
Ramsden, N. (1997). The LASTFIRE project. Loss Prevention Bulletin, 138.
Rasmussen, N. (1975). Reactor safety study. WASH 1400. US Atomic Energy
Commission.
 J. Taveau / Journal of Loss Prevention in the Process Industries 23 (2010) 813e823
RE-95-1 (1996). Version 2-2-1996, KO-95, KO-96, KO-100 performed by TKO
Working Group.
Selway, M. (1988). The predicted BLEVE frequency of a selected 2000 m3 butane sphere
on a renery site. UKAEA/SRD/HSE/R492.
SINTEF. (2002). Offshore reliability data Handbook (4th ed.).
Smith, T. A., & Warwick, R. G. (1981). A survey of defects in pressure vessels in the UK
for the period 1962e1978 and its relevance to nuclear primary circuits. SRD report
R203.
Spouge, J. (2005). New generic leak frequencies for process equipment. Process
Safety Progress, 24(4), 249e257.
823
Swain, A. D., & Guttmann, H. E. (1983). Handbook of human reliability analysis with
emphasis on nuclear power plant application. US-NRC-NUREG/CR-1278.
Taylor, J. R. (2004). Hazardous materials release and accident frequencies for process
plant. Draft version.
TNO. (1983). LPG a study. Report for the Public Ministry of Housing Physical
Planning and the Environment. Apeldoorn: TNO.
Uijt De Haag, P. A. M., & Ale, B. J. M. (1999). Guidelines for quantitative risk assessment
(purple book).
Wincek, J. C., & Haight, J. (2007). Realistic human error rates for process hazard
analyses. Process Safety Progress, 26(2), 95e100.