1.1 Rationale
A liquid fuel offloading pipeline is an asset to a country in many respects. On the other hand, it carries an inherent risk which can at times be catastrophic. This risk can be assessed qualitatively or quantitatively with numerous available techniques. Most of the risk assessment techniques used in the industry are static, although risk itself is clearly dynamic. The severity of the risk might depend on weather conditions, natural disasters, political reasons and many more. Therefore, there is a high demand for a dynamic technique to evaluate the risk associated with this kind of key national resource.
With reference to (PHMSA, 2017), it is clear that accidents related to hydrocarbon pipelines are not rare. Figure 1 shows a picture of the hydrocarbon pipeline explosion that occurred in Milford, USA, in 2013. It was severe enough to force the evacuation of people from the town. As mentioned in (google.com, 2016), the ‘Ufa train disaster’ is one of the worst pipeline accidents in the world’s history. As further explained in (google.com, 2016), sparks from two passing trains caused gas leaking from an LPG pipeline near Ufa, Russia, to explode. Workers with the pipeline noticed pressure dropping in the line, but they increased pressure instead of searching for a leak. Trees up to 4 kilometers away were felled by the blast, and two locomotives and 38 passenger cars on the trains were derailed. Up to 645 people were reported killed on June 4, 1989.
Figure 1: Milford Pipeline Explosion (Heinz, 2013)
As per the information found in literature such as (Anonymous, 2011), most of the accidents were initiated by welding defects and by physical damage to the pipeline during repairs and careless excavations.
Therefore, it is very important to have a methodology developed to analyze the associated risk for these kinds of applications. Although ‘Dynamic Risk Assessment’ is not a totally new research area, no Dynamic Risk Assessment studies were found in the literature specifically done for Liquid Petroleum Gas (LPG) offloading pipelines in Sri Lanka or anywhere in the world. Therefore, as its output, the present study provides a complete methodology to determine the Dynamic Risk associated with a given LPG offloading pipeline. The study is based on a hypothetical LPG pipeline which runs from the Port of Colombo to Kerawalapitiya. Similar to the work done by (Aljaroudi et al., 2015), this risk-based assessment method can be applied to determine the level of risk expressed in Sri Lankan Rupee (LKR) value. Having such information will enable operators to determine when and where to take the appropriate action to mitigate risk.
1.2 Scope
Initially, a hypothetical pipeline is defined which runs from Colombo port to the nearest industrial zone. The potential hazards are identified using a Hazard and Operability Study (HAZOP). The identified hazards and safety barriers are illustrated using a Bow Tie (BT) diagram with the use of a trial version of BowTieXP software. Afterwards, a Fault Tree (FT) and an Event Tree (ET) are developed to refine the risk analysis. To introduce the dynamic characteristics to the analysis, the ET and FT are mapped to a Bayesian Network based on the techniques available in literature. For this task, the initial probabilities are derived from the available literature such as Offshore Reliability Data (OREDA). Then the conditional probability tables are developed based on available data and reasonable assumptions. The result is a Bayesian Network model which can dynamically calculate the failure probabilities upon the provision of available evidence.
Subsequently, a consequence analysis is done, which finally provides for the dynamic Risk Assessment. A Computational Fluid Dynamics (CFD) simulation is used to estimate the effect of radiation heat emission due to the most probable accident, called Jet Fire. Finally, a dynamic risk assessment is done based on the risk criteria defined for Individual Risk and Social Risk.
1.3 Objectives
The objectives of this study can be listed as follows.
• Identify the potential hazards of the hypothetical LPG transmission pipeline and map them to a Bayesian Network, through FT and ET
• Develop an open model to quantify the Dynamic Failure Probability of the LPG Offloading Pipeline using a Bayesian Network
• Estimate the potential consequences
• Present a methodology to dynamically estimate the risk involved with the LPG transportation pipeline for a given scenario
Chapters and their respective content
A comprehensive literature review is presented in Chapter 2. Important data, concepts, and techniques are introduced which support the successful completion of the objectives mentioned in 1.3. Chapter 3 elaborates the methodology used in meeting the objectives of this project. Further, this chapter contains all the sample calculations and information on computer simulations. Chapter 4 is allocated for Results and Discussion, while Chapter 5 is allocated for Conclusion and Further Work.
Chapter 2: Literature Review
2.1 Current Risk Assessment Techniques Used in The Field for LPG Pipelines
The risk assessments of transmission pipelines found in literature are mainly static in nature. As mentioned by (C. T. Yeo et al., 2016), techniques such as Event Tree Analysis (ETA) are unable to capture the common causes of failure or the conditional dependencies between the safety barriers. It is therefore important to conduct Dynamic Risk Analysis (DRA) for the updating of risks and to allocate proper safety measures.
According to (Aljaroudi et al., 2015), to estimate risk, two important quantities have to be determined: namely, the joint probability of failure of the pipeline and its Leak Detection System (LDS), and the consequences of failure. Consequences incorporate the financial losses associated with environmental damage, oil spill cleanup and lost production.
The following methodology is presented by (Aljaroudi et al., 2015) for assessing pipeline risk.
• Collect the information pertaining to the pipeline: for example, pipeline mechanical properties, pipeline operating characteristics and the extent of the corrosion flaws.
• Determine the failure events: the main failure events are considered to be leakage or burst.
• Evaluate corrosion growth: using mathematical models available in literature.
• Determine the pipeline probability of failure: the limit state approach can be used to determine the probability of failure for the pipeline.
• Determine the LDS probability of failure: the probability of LDS failure will be the probability of missed detection.
• Determine the joint probability of failure (P):
  P = P(LDS) × P(PL)
  where P(LDS) is the probability of failure of the Leak Detection System and P(PL) is the probability of failure of the pipeline.
• Determine the failure consequences: the quantity of leaked products is calculated using mathematical models available in literature. On the other hand, the consequences of failure (COF) are the financial losses attributable to lost production cost (LPC), inspection cost (IC), segment replacement cost (RC) and environmental consequences cost (EC):
  COF = LPC + IC + RC + EC
For a pipe line accident happening in land area, some additional components will get added up to the above equation. They are
2.2 Dynamic Risk Assessment and its Applications
According to (Villa et al., 2016), although the general approach of QRA is static, the Quantitative Risk Assessment (QRA) approach has been developed since the early 1980s. Although it was initially introduced for chemical and nuclear process safety applications, nowadays it has crossed the boundaries towards common applications in process design, implementation of safety systems, inspection and maintenance planning as well as operation management. Further, QRA has become an essential tool for the development, day-to-day operation and expansion of process installations. Although QRA performed better than Qualitative Risk Assessment, it had some shortcomings, as the risk profile is static and therefore could not provide very accurate predictions.
Nevertheless, the developments done by (Kalantarnia, M, F I Khan, 2009) have made the techniques more accurate and precise by introducing the Bayesian Network approach. In this methodology, first, potential accident scenarios are identified and represented in terms of an event tree; next, using the event tree and available failure data, end-state probabilities are estimated. Subsequently, using the available accident precursor data, the safety system failure likelihood and the event tree end-state probabilities are revised.
Further, those techniques have been successfully validated in (Kalantarnia, Khan and Hawboldt, 2010) and (Paltrinieri et al., 2013) by applying them in real scenarios. On the other hand, (C. T. Yeo et al., 2016) have successfully applied the technique in the risk assessment of a Liquefied Natural Gas (LNG) offloading process and have been able to determine the most probable accident scenario. Further, they mention that the Bayesian Network can be used to determine the cause of failure of an accident scenario. The method can be used to prognose the potential threats of any process. The challenging part is the development of the conditional probability tables (CPTs).
In addition to that, a Principal Component Analysis (PCA) based fault detection and diagnosis technique has been extended to a risk-based fault detection and diagnosis framework targeting the safety issues of a process system by (Zadakbar, Imtiaz and Khan, 2013). It was proven that this technique provides a much earlier warning compared to the univariate methods.
According to (Villa et al., 2016), the latest trend is to further refine the existing Risk Assessment tools to achieve the maximum potential of applicability. Further, they point out that the main development pathway is given by the application of dynamic approaches of risk assessment, as there is a considerable development in computer-related technologies for real-time monitoring of process facilities. On that basis, the area with the highest potential for development is identified as system development integrated with a dynamic procedure for hazard identification. Considering the methodologies addressing dynamic risk, (Paltrinieri et al., 2014) argue that, although several techniques of HAZard IDentification (HAZID) and Quantified Risk Analysis (QRA) have often proven effective in industry, they generally lack the ability to update dynamically based on real-time information. They recommend Dynamic Procedure for Atypical Scenarios Identification (DyPASI), Dynamic Risk Assessment (DRA) and the Risk Barometer methodology for dynamic risk assessment, based on their potential suitability with Integrated Operations (IO) solutions and related implications.
As argued in (Paltrinieri et al., 2013), as the complexity of the process and plant increases, new hazards may be generated, and those hazards must be detected early. As a method to identify and assess atypical potential accident scenarios related to substances, equipment and plants, (Paltrinieri et al., 2013) introduced DyPASI, which functions based on early warnings or risk notions.
The Dynamic Risk Assessment (DRA) technique, which was developed by (Kalantarnia, M, F I Khan, 2009), aims to estimate accident scenarios by means of Bayesian inference and on the basis of real-time abnormal situations or incident data. The updated frequencies are then used in the overall risk calculation.
According to (Paltrinieri and Scarponi, 2014), the technique is being developed to continuously monitor risk picture changes and support decision makers in daily operations. According to (Villa et al., 2016), it has many advantages over other methods, such as its “drill-down” capability and the use of a “transparent box” philosophy.
The development of these techniques would cater not only to the nuclear or chemical process industries but also to other applications such as high-speed trains, military applications, weather predictions, and aerospace applications. In brief, this is applicable in any scenario depending on the effectiveness.
2.3 Safety Analysis Techniques
2.3.1 Hazard and Operability Study (HAZOP)
2.3.2 The Conventional BowTie Model
Among the many techniques available, the bow-tie model (BT) is very popular because it represents the accident scenario as a whole, including causes and consequences. However, it suffers from a static structure, which limits its application in real-time monitoring and probability updating, both key factors in dynamic risk analysis (Khakzad, Khan and Amyotte, 2012).
As per (Ferdous et al., 2013), a bow-tie diagram combines a fault tree and an event tree to represent the risk control parameters on a common platform for mitigating an accident. Quantitative analysis of a bow-tie is still a major challenge since it follows the traditional assumptions of fault and event tree analyses. The assumptions consider crisp probabilities and "independent" relationships for the input events. The crisp probabilities for the input events are often missing or hard to come by, which introduces data uncertainty. The assumption of "independence" introduces model uncertainty. Elicitation of expert knowledge for the missing data may provide an alternative; however, such knowledge incorporates uncertainties and may undermine the credibility of risk analysis.
According to (Badreddine and Amor, 2013), Bow Tie diagrams have become a popular method for risk analysis and safety management. This tool describes the whole scenario of a given risk graphically, and proposes preventive and protective barriers to reduce, respectively, its occurrence and its severity. The weakness of bow tie diagrams is that they are restricted to a graphical representation of different scenarios exclusively designed by experts that ignore the dynamic aspect of real systems. Thus, constructing bow tie diagrams in an automatic and dynamic way remains a real challenge.
2.3.3 Bayes Rule and Bayesian Networks
As described in (Networks, Faltin and Kenett, 2007), Bayesian Networks (BNs), also known as belief networks (or Bayes nets for short), belong to the family of probabilistic graphical models (GMs). These graphical structures are used to represent knowledge about an uncertain domain. Each node in the graph represents a random variable, while the edges between the nodes represent probabilistic dependencies among the corresponding random variables. These conditional dependencies in the graph are often estimated by using known statistical and computational methods. Hence, BNs combine principles from graph theory, probability theory, computer science, and statistics.
Further, as per (Neapolitan, 2010), a Bayesian Network model can be used to study the structures of gene regulatory networks. It has the ability to integrate information from both prior knowledge and experimental data.
2.3.4 Mapping Algorithm of BowTie Diagram to a Bayesian Network
2.3.4.1 Fault Tree Mapping to A Bayesian Network
There are basically two steps involved in this approach namely graphical and numerical. In the graphical step, the structure of BN is developed from the fault tree such that primary events, intermediate events, and the top event of the fault tree are represented as root nodes, intermediate nodes, and the leaf node in the equivalent BN, respectively. The nodes of BN are connected in the same way as the corresponding events in the fault tree (Husmeier, Dybowski and Roberts, 2005).
In the numerical step, occurrence probabilities of the primary events are assigned to the corresponding root nodes as prior probabilities. For each intermediate node as well as the leaf node, a Conditional Probability Table (CPT) is assigned. CPTs illustrate how intermediate nodes are related to precedent intermediate or root nodes (Husmeier, Dybowski and Roberts, 2005).
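The two mapping steps described above, as an added Python example that is not part of the original study: events become nodes wired like the tree, root nodes receive priors, and each gate receives a CPT, after which the network is queried with and without evidence. The prior values are the ones this document lists in Table 3; the gate wiring (which events feed MD, MVO, MS, AS and ULPGR) is an assumption, because the tree figure is not reproduced here, and all function names are hypothetical.

```python
from itertools import product

# Prior failure probabilities of the primary events (values from Table 3 of this document).
PRIORS = {
    "CRSN": 0.004, "EXPN": 0.0001, "DSNE": 0.01, "OVPR": 0.07, "FLAW": 0.003,
    "FABE": 0.004, "ERSN": 0.05, "VEHC": 0.00004, "TERR": 0.000001,
    "PSM": 0.00001, "HE": 0.02, "MV": 0.002,
    "PSA": 0.00004, "AV": 0.0002, "VC": 0.001, "AVO": 0.00005,
}

# ASSUMED wiring: Table 3 names the gate type of each intermediate event but
# not its inputs, so the parent lists below are illustrative only.
GATES = {
    "MD": ("OR", ["CRSN", "EXPN", "DSNE", "OVPR", "FLAW", "FABE", "ERSN", "VEHC", "TERR"]),
    "MVO": ("OR", ["HE", "MV"]),
    "MS": ("OR", ["PSM", "MVO"]),
    "AS": ("OR", ["PSA", "AV", "VC", "AVO"]),
    "ULPGR": ("AND", ["MD", "MS", "AS"]),
}
TOP = "ULPGR"


def gate_cpt(kind, n_parents):
    """CPT of a logic gate: maps each tuple of parent states to P(node = 1)."""
    combine = any if kind == "OR" else all
    return {s: float(combine(s)) for s in product((0, 1), repeat=n_parents)}


def fault_tree_to_bn(priors, gates):
    """Graphical step: one node per event, edges as in the tree.
    Numerical step: priors on root nodes, a CPT on every gate node."""
    bn = {name: {"parents": [], "cpt": {(): p}} for name, p in priors.items()}
    for name, (kind, parents) in gates.items():
        bn[name] = {"parents": list(parents), "cpt": gate_cpt(kind, len(parents))}
    return bn


def _order(bn, top):
    """Post-order walk from the top event, so parents always precede children."""
    order = []

    def visit(name):
        for parent in bn[name]["parents"]:
            visit(parent)
        if name not in order:
            order.append(name)

    visit(top)
    return order


def probability(bn, top, evidence):
    """P(evidence): sum of the joint distribution over all consistent states."""
    order = _order(bn, top)
    unknown = set(evidence) - set(order)
    if unknown:
        raise ValueError(f"unknown nodes in evidence: {sorted(unknown)}")
    # live[i]: earlier nodes still needed by a CPT at position i or later.
    live = []
    for i in range(len(order)):
        needed = {p for n in order[i:] for p in bn[n]["parents"]}
        live.append([n for n in order[:i] if n in needed])
    memo = {}

    def walk(i, state):
        if i == len(order):
            return 1.0
        key = (i, tuple(state[n] for n in live[i]))
        if key not in memo:
            name, node = order[i], bn[order[i]]
            p_one = node["cpt"][tuple(state[p] for p in node["parents"])]
            total = 0.0
            for value, p in ((1, p_one), (0, 1.0 - p_one)):
                if p > 0.0 and evidence.get(name, value) == value:
                    state[name] = value
                    total += p * walk(i + 1, state)
            memo[key] = total
        return memo[key]

    return walk(0, {})


def posterior(bn, top, query, evidence):
    """P(query | evidence), the update that a static fault tree cannot give."""
    p_evidence = probability(bn, top, evidence)
    if p_evidence == 0.0:
        raise ValueError("evidence has zero probability")
    return probability(bn, top, {**evidence, **query}) / p_evidence


if __name__ == "__main__":
    bn = fault_tree_to_bn(PRIORS, GATES)
    print("P(ULPGR)                  =", posterior(bn, TOP, {TOP: 1}, {}))
    print("P(ULPGR | corrosion seen) =", posterior(bn, TOP, {TOP: 1}, {"CRSN": 1}))
    print("P(HE | ULPGR occurred)    =", posterior(bn, TOP, {"HE": 1}, {TOP: 1}))
```

Replacing a gate's 0/1 CPT entries with intermediate values is how a conditional dependence that a plain AND/OR gate cannot express is modelled; the inference code handles such tables unchanged.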
2.3.4.2 Event Tree Mapping
According to (Husmeier, Dybowski and Roberts, 2005), each safety barrier of the event tree is represented by a safety node having two states, one for the failure and the other for the success of the safety barrier. Also, a consequence node having as many states as the number of the event tree consequences is added to the network.
2.3.4.3 BowTie Mapping
The BowTie diagram developed is to be further processed to map it into a Bayesian Network. Although the Bayesian Network can be developed directly, it is always recommended to develop the BowTie diagram beforehand, as it will provide a better background for developing the Conditional Probability Tables (CPTs). An example of a BowTie diagram which can later be mapped to a Bayesian Network is shown in Figure 2. Here, PE, IE, TE, SB, and C stand for Primary Event, Intermediate Event, Top Event, Safety Barrier, and Consequences respectively.
Figure 2: A Model Bow Tie Diagram (Khakzad, Khan and Amyotte, 2013)
Figure 3: Mapping algorithm from BT into BN (Khakzad, Khan and Amyotte, 2013)
As shown in Figure 2, the left-hand side consists of a Fault Tree and the right-hand side consists of an Event Tree. The Fault Tree is developed with the use of logic gates (i.e. AND and OR gates). In the Event Tree, the safety barriers are considered for success and failure. Subsequently, the probability of each consequence is determined.
The developed BowTie Diagram can be mapped to a Bayesian Network using the algorithm shown in Figure 3.
2.4 Software Packages
There are a number of software packages available for the assessment of probability of failure and consequences. In most applications, Microsoft Excel can be used for the numerical calculations. Nevertheless, there is some specialized software for risk assessment available to make the analysis concise and professional. Under this topic, the software widely used in industry and academia is introduced. It is used in determining the failure probabilities, in consequence analysis, and finally in risk assessment.
2.4.1 BowTie XP Software
2.4.2 Genie Software
2.4.3 Computational Fluid Dynamics (CFD) and Acceleration Simulator (FLACS)
Computational Fluid Dynamics (CFD) is a widely used technique in a range of applications. There are several software packages in use such as OpenFOAM ®, ANSYS Fluent, FLACS, SolidWorks, and AutodeskCFD. FLACS is a specially developed software for simulating fires, explosions, and spills. It also has the following basic characteristics of a CFD software.
2.4.3.1 Preprocessor
The user should effectively use this utility to optimize the computation power and the accuracy of the results. This utility includes the generation of the geometry if any, meshing of the computation domain, introduction of physical properties of the substances, boundary conditions, and initial conditions. CASD serves as the preprocessor for FLACS. (Gexcon AS, 2016)
2.4.3.2 Solver
Basically, in this step, the governing equations (i.e. the Navier-Stokes equations and their derivations) are discretized and solved numerically. Run manager provides the interface to use the solvers embedded in FLACS. (Gexcon AS, 2016)
2.4.3.3 Postprocessor
This step is done to visualize the data produced by the numerical solving process. It has the capability to display the created geometry and the mesh. It also has the capability to create vectors, contours, and 2D and 3D surface plots to enhance the visualization. The utility called Flowvis serves as the postprocessor. (Gexcon AS, 2016)
2.4.3.4 Flammability Diagram for LPG
FLACS needs the ignition point to be defined in order to continue the simulation with the ignition. Therefore, it is very important to set the ignition point at the correct location and at the correct time. For this reason, the flammability of Butane is determined using a Flammability Diagram. The simulation shows the point where the composition is suitable for ignition, and the ignition point is then located accordingly (Gexcon AS, 2016). Figure 5 illustrates the flammability of Ethylene. This information can be used to locate the ignition point in FLACS CASD.
Figure 4: Flammability Diagram of Ethane (Ethylene) (Crowl and Joseph, 2009)
2.5 Consequence analysis
2.6 Risk Assessment
2.6.1 Individual Risk
Individual risk is defined as the risk to an individual or a person in the surroundings of a hazard, which includes the nature of injury to an individual, the likelihood of injury and the time period over which an injury can take place. In other words, the individual risk is the probability of fatality to a person at a particular point in hazardous surroundings. It is usually expressed as chances per million per year (pmpy) (Nilsson, 2009). It is also defined as the frequency at which an individual at a particular distance from a pipeline is expected to sustain a particular level of harm from the hazard present in those surroundings (Jonkman, 2011).
The geographical distribution of individual risk around the selected place can be shown by individual risk contours, which show the frequency of an event capable of causing a particular level of harm at a particular location, regardless of whether or not any individual is present there to suffer the harm. Therefore, individual risk contour maps are formed by estimating individual risk at every location, assuming that somebody will be there 100% of the time (annual exposure of 8760 hours per year). (Jonkman, 2011)
2.6.2 Societal Risk
After the individual risk assessment, societal risk assessment is the other important analysis that should be done, to know the effect at the level of society. A societal risk measure is a graphical presentation used to estimate the risk to a group of people located in the effect zone of an incident or accident. (Schork, 2012)
Major incidents and catastrophic accidents have had detrimental effects on property and on groups of people in past decades, and incidents and accidents with the potential to affect large numbers of people can still occur today. Societal risk assessment is used here to calculate the risk to a group of people, or at the level of society. Societal risk is usually expressed in terms of the frequency distribution of multiple-casualty events (FN curve) (Franks, 2004); however, it can also be expressed in terms similar to individual risk assessment, because societal risk assessment requires the same information (frequency and consequences) as an individual risk assessment. Furthermore, societal risk assessment also requires information on the people at risk around the affected zone. The information can be of different types, for example the kind of location (residential, industrial or school) and the likelihood that many people are present at a particular location and at which time.
According to (Crowl et al, 2009), individual and societal risks are different presentations of the same input values (frequency and consequences). Both assessments are very important in terms of reducing risk and judging the acceptability of a facility in absolute terms.
Chapter 3: Methodology
Figure 5: The methodology
3.1 Definition of the Complete Scenario
Identification of the site location and analysis of the surrounding land usage is the first step of the methodology. Then the design and operation related details of the site are identified. This information will be used in quantifying the individual and societal risks.
This hypothetical pipeline runs from Colombo Port to Kerawalapitiya through Modara, Mattakkuliya, Hekitta, and Dikkowita. The total length of the pipe line is 10 km from the port to the destination. Nearly 75% of the total pipe length runs through a highly populated area while the rest through medium and low population density regions. Figure 1 illustrates the pipeline route from the port to the hypothetical destination.
Figure 6: Pipeline route (Google Maps, 2017)
As illustrated in figure 2, the population density over the length of the pipe line can be approximated with respect to the location of Port of Colombo. The information is provided based on the most recent census report in Sri Lanka. The pipeline traverses two districts of Sri Lanka (i.e. Colombo and Gampaha) and two Divisional Secretary divisions (i.e. Colombo and Wattala).
Figure 7: Population Density distribution over the length of the pipe (Census, 2011)
3.1.1 Accident Scenario
The following scenario is assumed in order to calculate the probability of consequences. The incident is assumed to take place in the Mattakkuliya area.
It is assumed that, according to the evidence, the Mattakkuliya area is under attack by a terrorist group (i.e. the probability of a terrorist attack is almost equal to 1), and that some nearby explosions are reported which have caused fire (i.e. the probability of nearby explosion and the probability of ignition are equal to 1). Further, previous quality reports indicate that the pipeline in the same region is corroded due to exposure caused by severe erosion.
Figure 8: The region under terrorist attack
In addition to that, the details in Table 1 are assumed in order to quantify the consequences due to the above scenario.
Table 1: Design and failure Information
| Description | Details |
|---|---|
| Diameter of pipeline | 482 mm (Nominal Bore) |
| Thickness | 9 mm |
| Crack size | 40 cm |
| Design pressure | 2500 kPa |
| Delivery pressure | 1500 kPa |
| Delivery temp. | 30 °C (max.) |
| Leak duration | 180 s |
The complete analysis is made based on the above assumptions. The scenario can be altered to cover several probable scenarios, and the results can be tabulated for quick reference.
3.2 Identification of Potential Hazards involved with LPG Pipelines
Under this topic, a comprehensive exploration of potential hazards is done. The hazards involved with different pipeline types in the world are considered, while the case-specific scenarios are also considered. Ideally, a comprehensive Hazard and Operability Study (HAZOP) is recommended for a real-world application.
Table 2: Identified Potential Hazards involved in LPG Pipelines
Event: Mechanical damage on the LPG pipeline can cause a leakage of LPG
Cause: Due to earth work, such as digging etc.
Possible Consequences:
• Projection of solid particles with high speed which can cause damage.
• Explosion
Prevention/Protection:
• Buried pipeline to meet the standard.
• Rural zoning.
• Accurate drawings and signing.
• Pipeline design with required dimensional properties, correct material quality, and use correct fabrication techniques and standards.
• Proper fencing about MLVs
• Automatic shut down through automatic line break detection and valve closure if large hole in pipe.
• Manual shut down by Network Controller

Event: Corrosion leads to leak of LPG from the gas pipeline.
Cause:
Damage of pipeline coating due to excavation inspection damage leads to corrosion.
Construction damage or coating flaw or faulty materials
Soil condition in the route and the probability for corrosion.
Neighbouring metal burials. (Protective or sacrificing)
Possible Consequences:
• Release of gas. If ignition, a jet fire is possible. Injury and property damage.
Prevention/Protection:
• Cathodic protection for external corrosion.
• Internal corrosion virtually absent with clean hydrocarbon.
• Coating on external surfaces of pipelines.
• Routine inspection of pipeline (including regular patrol and pigging). Visual and sound indications if leak.
• Pipeline to be constructed to facilitate internal (pigging) inspection
• Cathodic protection as per the available standards.
• Gas is odourised, allowing for detection and subsequent response in case of a small leak before it can develop into a larger leak.
• QA during production and installation.

Event: Nearby explosion at neighbouring LPG pipeline or tie-offs.
Cause: Incident (wear and tear, mechanical impact, lightning strike etc. etc.) at the parallel LPG pipeline.
Possible Consequences: Possible damage to gas pipeline with release of LPG. If ignition, then possibility of flash or jet fire. Injury and property damage.
Prevention/Protection:
• Internal risk management procedures / systems by gas pipeline operator.
• Pipeline integrity plan (incl. protection, pigging etc. to monitor integrity of pipeline and coating inspection).
• 24-hour monitoring of LPG pipelines.
• Dial-Before-You-Dig and signposting.
• Buried pipelines.
• Thickness and grade of pipelines.
• Proper fabrication techniques and standards

Event: Pressure excursion leads to failure of the pipeline.
Cause: Operational error upstream or downstream facility.
Possible Consequences: Over pressuring the gas pipeline causing failures, leaks and release of LPG. If ignition, then possibility of fire. Injury and property damage.
Prevention/Protection:
• Pipelines constructed and hydro tested to meet standards.
• Continuous observation of pressure of pipeline from Control Centre
• High-pressure trip and automatic line-break protection isolating flow of LP gas.
• Mechanical over pressure protection & controls at compressor stations.

Event: Spontaneous loss of integrity of pipe
Cause: Construction defect or operational error (repeated).
Possible Consequences: Massive release of LPG. If ignition, then possibility of flash or jet fire. Injury and property damage.
Prevention/Protection:
• Apply NDT techniques on welds as required.
• Correct welding techniques
• Cathodic protection.
• Design for pipelines to limit crack propagation to about two pipe lengths.

Event: Erosion results in damage to piping and equipment.
Cause: Flooding
Possible Consequences: Potential for flood waters to wash away soil cover. May cause pipeline to be exposed. Possibility of damage to coating and subsequent corrosion issues. If not corrected may eventually lead to failure of pipeline.
Prevention/Protection:
• Control of erosion through regular and periodic patrols and inspections (aerial patrols, ground patrols after heavy rain/flooding, landowner liaison).
• Repair to soil cover if erosion.

Event: Land subsidence results in pipeline damage.
Cause: Mining activities in area or earthquake creates.
Possible Consequences: Failure of pipeline resulting in potential for rupture or massive leak. Release of natural gas. If ignition, then possibility of flash or jet fire. Injury and property damage.
Prevention/Protection:
• Site is not affected by mine subsidence.
• Pipe to be designed to standards.

Event: Aircraft, train or heavy vehicle crash result in damage to pipeline resulting in hazardous releases.
Cause:
Aircraft crash.
Heavy vehicle crash.
Possible Consequences: Potential damage to pipeline resulting in hazardous releases, fire / explosion.
Prevention/Protection:
• Buried pipeline unlikely to be susceptible to aircraft, train or heavy vehicle crash.
• MLVs will be located safely away from potential road or train crash locations.
• MLVs will be surrounded by security fencing which will assist in containing a vehicle.
• Automatic line break isolation valves minimises amount of gas released if gas pipe is damaged. Possibility of remote activation of isolation valves by Young Controller.
• Aviation safety standards to apply.

Event: Damage to pipeline through terrorism / vandalism.
Cause: Malicious damage.
Possible Consequences: Massive LPG. If ignition, then possibility of flash or jet fire.
Prevention/Protection:
• Buried pipeline.
• MLVs surrounded by security fence.
• Any building doors will be fitted with intruder alarms.

Event: Neighbouring fire.
Cause: Bush / brush fire.
Possible Consequences: Possible heat radiation at pipeline. If damage to pipe and equipment then possibility of release of hazardous material and fire risk.
Prevention/Protection:
• Control of vegetation in easement.
• Buried pipeline is unlikely to be affected by heat radiation.
• Above ground valves are fire safe.

3.3 Determination of The Failure Probability Using the Static Approach
Under this topic, the determination of the failure probability using the conventional static approach is discussed. In other words, the probability of consequences is determined using the conventional BowTie diagram approach. The events identified in the HAZOP are systematically divided into Causes, Safety Barriers, and Consequences. The simplified version is presented in Figure 8, while the detailed diagram is presented in Figure 9.
3.3.1 Development of The BowTie Diagram Using BowTieXP Software
The following BowTie diagrams are drawn using BowTieXP software. This is just for the sake of graphical representation of the details gathered in Table 4.3. As mentioned in (RPS, 2018), the strength of a BowTie is that it shows a summary of scenarios in a single picture. In brief, it provides a simple, visual explanation of risk that would be much more difficult to explain otherwise.
For the transparency of the calculations, the analysis part is done using the Microsoft Excel package. All the calculations involved in determining the failure probability are provided in detail in the following three topics.
Figure 9: The conventional BowTie Diagram with BowTieXP software (Free version)
Figure 10: The detailed view of the BowTie diagram using BowTieXP software (Free version)
3.3.2 Assigning the Probabilities
For the BowTie diagram presented in Figure 9 to give a quantitative output, the left-hand side of the diagram should be upgraded to a Fault Tree Diagram and the right-hand side to an Event Tree Diagram. Further, to provide the diagram with failure probabilities, the values presented in Table 2 can be assumed. These can be assigned based on expert judgement or by referring to sources such as (OREDA, 2002).
Table 3: Assumed Probabilities on respective event

| No. | Event | Code | Failure Probability |
|---|---|---|---|
| 1 | Corrosion | CRSN | 0.004 |
| 2 | Nearby Explosion | EXPN | 0.0001 |
| 3 | Design Error | DSNE | 0.01 |
| 4 | Over Pressure | OVPR | 0.07 |
| 5 | Material Flaw | FLAW | 0.003 |
| 6 | Fabrication Error | FABE | 0.004 |
| 7 | Erosion | ERSN | 0.05 |
| 8 | Vehicle Collision | VEHC | 0.00004 |
| 9 | Terrorist / Vandalism | TERR | 0.000001 |
| 10 | Mechanical Damage | MD | OR Gate |
| 11 | Pressure Sensing Manual | PSM | 0.00001 |
| 12 | Human Error (Pressure Reading / Valve operation) | HE | 0.02 |
| 13 | Manual Valve | MV | 0.002 |
| 14 | Manual Valve Operation | MVO | OR Gate |
| 15 | Manual Shutdown | MS | OR Gate |
| 16 | Pressure Sensing Auto | PSA | 0.00004 |
| 17 | Auto Valve | AV | 0.0002 |
| 18 | Valve Controller | VC | 0.001 |
| 19 | Auto valve Operation | AVO | 0.00005 |
| 20 | Auto Shutdown | AS | OR Gate |
| 21 | Uncontrolled LPG Release | ULPGR | AND Gate |
| 22 | Rural Zoning | RUZO | 0.000001 |
| 23 | Buried Pipeline | BURRP | 0.000001 |
| 24 | Automatic Deluge | AUTDE | 0.001 |
| 25 | Ignition Control | IGCTRL | 0.003 |
| 26 | Blast Proof | BLSTPF | 0.00000001 |
| 27 | Personal Protective Equipment | PPE | 0.000004 |
| 28 | Evacuation and Upwind Mustering | EVAQ | 0.002 |
| 29 | Emergency Response | EMRGR | 0.004 |
| 30 | Emergency Respiratory System | ERESPS | 0.005 |
3.3.3 The Left-Hand Side of The BowTie Diagram
As shown in Figure 2, the fault tree is the left-hand side of the BowTie Diagram. For the sake of clarity, it is presented in figure 10 as a regular Fault Tree diagram. The probabilities presented in Table 2 are assigned using a Microsoft Excel sheet. The mathematical relationship between the events can be presented as follows. Here $P$ stands for the probability of failure and $R$ stands for reliability.
For an AND Gate, $P = P_1 \times P_2 \times \dots \times P_n$, while for an OR Gate, $R = R_1 \times R_2 \times \dots \times R_n$. The relationship between $P$ and $R$ can be given as $R = 1 - P$. In this approach the failure probability (and hence the reliability) of the Top Event (i.e. Uncontrolled LPG Release) can be determined as follows. This probability is fed into the Event Tree Diagram in order to calculate the probability of consequences, which can later be used to calculate the risk involved with this process.
Figure 11: Fault Tree Diagram (Left hand side of the BowTie Diagram)
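The gate relations above can be evaluated recursively over the whole tree. The following is an added example, not the study's Excel sheet: the basic-event probabilities and gate types come from Table 3, while the wiring of inputs to gates and the intermediate node `LOC` are assumptions, because the fault tree figure is not reproduced in the text. Events are treated as independent.

```python
from math import prod

# Failure probabilities of the basic events, copied from Table 3.
BASIC = {
    "CRSN": 0.004, "EXPN": 0.0001, "DSNE": 0.01, "OVPR": 0.07,
    "FLAW": 0.003, "FABE": 0.004, "ERSN": 0.05,
    "VEHC": 0.00004, "TERR": 0.000001,
    "PSM": 0.00001, "HE": 0.02, "MV": 0.002,
    "PSA": 0.00004, "AV": 0.0002, "VC": 0.001, "AVO": 0.00005,
}

# ASSUMED wiring. The gate types of MD, MVO, MS, AS and ULPGR are the ones
# listed in Table 3; which inputs feed each gate, and the intermediate node
# LOC (loss of containment), are hypothetical choices made for this example.
GATES = {
    "MD": ("OR", ["VEHC", "TERR"]),
    "LOC": ("OR", ["CRSN", "EXPN", "DSNE", "OVPR",
                   "FLAW", "FABE", "ERSN", "MD"]),
    "MVO": ("OR", ["HE", "MV"]),
    "MS": ("OR", ["PSM", "MVO"]),
    "AS": ("OR", ["PSA", "AV", "VC", "AVO"]),
    "ULPGR": ("AND", ["LOC", "MS", "AS"]),
}


def failure_probability(node, basic=BASIC, gates=GATES, _path=()):
    """Return P(failure) of `node`, assuming independent events.

    AND gate: P = P1 * P2 * ... * Pn
    OR gate:  R = R1 * R2 * ... * Rn with R = 1 - P
    """
    if node in _path:
        raise ValueError(f"cycle in fault tree at {node}")
    if node in basic:
        p = basic[node]
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{node}: {p} is not a probability")
        return p
    if node not in gates:
        raise KeyError(f"unknown event code: {node}")
    kind, inputs = gates[node]
    probs = [failure_probability(child, basic, gates, _path + (node,))
             for child in inputs]
    if kind == "AND":
        return prod(probs)
    if kind == "OR":
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"{node}: unsupported gate type {kind}")


if __name__ == "__main__":
    for code in ("MD", "LOC", "MVO", "MS", "AS", "ULPGR"):
        print(f"{code:6s} {failure_probability(code):.6e}")
```
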
3.3.4 The Right-Hand Side of The BowTie Diagram
As described under 3.1.5, the Event Tree Diagram can be used to determine the probability of consequences. The first column of the Event Tree is allocated for the Top Event while the rest are allocated for the Safety Barriers, the Consequence level, and the probability of consequences. Each branch is divided into two branches to indicate the probability of failure and the probability of success of each safety barrier. The probability of success of a safety barrier is indicated by the upper branch and vice versa. Hence, it is clear that the lowermost branch indicates the probability of the most catastrophic event. Using this method, it is determined that the probability of occurrence of the most catastrophic event is $6.4 \times 10^{-38}$. The consequence column indicates three different types of events. The event ‘safe’ indicates that the process will be operating safely if the sequence of events follows the respective branch. Also ‘I & S’ indicates Inhalation and Skin Contact. The diagram can be developed using the Microsoft Excel package.
The strengths and weaknesses of this conventional BowTie approach are discussed in detail under the Discussion of this project.
From this event tree diagram, it can be deduced that the total probability of consequences is in the range of $4.3 \times 10^{-26}$. This value is obtained by adding the I&S and CA probability values. This value can be considered when deciding the factor $(f)$, which is mentioned in Table 4: Sample calculation of Conditional Probability based on assumptions.
Figure 12: Event Tree Diagram (i.e. RightHand Side of the BowTie Diagram)
3.4 Determination of The Failure Probability Using the Dynamic Approach
Under this topic, the determination of the failure probability using the dynamic approach is discussed. In other words, the probability of consequences is determined using the Bayesian Network approach. The events identified in the HAZOP are systematically assigned to a Bayesian Network following the mapping algorithm presented in Figure 3, along with the respective probabilities presented in Table 2. With this approach the calculation of the probability of consequences can be made dynamic by providing evidence and updating the failure probabilities. Most importantly, the system can be made to learn continuously through timely updates of the failure probabilities and the conditional probabilities. The mathematical basis of this method is Bayes' Rule.
3.4.1 Mapping FT and ET Into Bayesian Network
Based on the mapping algorithm presented in Figure 3, the Fault Tree and Event Tree presented in Figure 11 and Figure 12 respectively can be mapped into a Bayesian Network as shown in Figure 13. The diagram was generated using the GeNIe software introduced in Chapter 2. Similarly, Figure 12 represents the Event Tree part of the BowTie diagram.
Figure 13: Bayesian Network for the Fault Tree part (developed using GeNIe Software)
Figure 14: Application of the defined accident scenario to the Bayesian Network
In this way, the posterior probabilities can be calculated. The following sample work is done to illustrate the procedure for a situation where Corrosion is detected. Both networks can be combined by connecting the consequence node with the Top Event called ‘Uncontrolled LPG Release’.
3.4.2 Development of Conditional Probability Tables
According to (C. Yeo et al., 2016), the conditional probability tables can be developed based on expert judgement and historical data. The Bayesian Belief Network can be updated with experience to increase its performance and reliability. This is a continuous learning process. As a starting point, this study assumes that the probability of failure is directly proportional to the number of causes for a given event. For example, if there are three causes for a given event, the following procedure is followed, and it can be adapted to any number of causes. The probability of failure was calculated using Equation 1.
$P(\text{Failure}) = 1 \times \frac{n}{N} \times f$ (Equation 1)
Where $P(\text{Failure})$ is the probability of failure, $n$ is the number of causes, and $N$ is the total number of possible causes. Here $f$ is a constant (i.e. $1 \times 10^{-25}$). The following sample calculation is for the part of the Bayesian Network in Figure 11. Table 3 provides a sample calculation of conditional probability based on assumptions.
Figure 15: Sample Section of Bayesian Network
Table 4: Sample calculation of Conditional Probability based on assumptions
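| Possible combinations | Total Number of Causes (n) | Probability of failure $P(\text{Failure}) = 1 \times \frac{n}{N} \times f$ |
|---|---|---|
| 0 0 0 | 0 | 0 |
| 0 0 1 | 1 | 0.3333 |
| 0 1 0 | 1 | 0.3333 |
| 0 1 1 | 2 | 0.6666 |
| 1 0 0 | 1 | 0.3333 |
| 1 0 1 | 2 | 0.6666 |
| 1 1 0 | 2 | 0.6666 |
| 1 1 1 | 3 | 0.9999 |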
Therefore, it is clear that the Bayesian Network can be used to determine the dynamic failure probability, given the evidence. This probability can be used in calculating the risk.
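How evidence changes the result can be shown on one node of such a network. This is an added example, not output from GeNIe or from the study: it builds the conditional probability table from Equation 1 for any number of causes and updates the child node when Corrosion is detected. The choice of CRSN, ERSN and FLAW as the three parent causes and the default f = 1 (which lines up with the sample values in Table 4) are assumptions.

```python
from itertools import product

# Prior failure probabilities taken from Table 3. Using these three events as
# the parents of one child node is an ASSUMPTION made for this example.
PARENTS = ["CRSN", "ERSN", "FLAW"]
PRIORS = [0.004, 0.05, 0.003]


def cpt_equation1(n_parents, f=1.0):
    """CPT from Equation 1: P(Failure | combination) = 1 * (n / N) * f.

    n is the number of active causes in the combination and N = n_parents.
    f = 1.0 is an assumed default that lines up with Table 4's sample values.
    """
    if n_parents < 1:
        raise ValueError("at least one cause is required")
    cpt = {}
    for combo in product((0, 1), repeat=n_parents):
        p = 1 * (sum(combo) / n_parents) * f
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"f={f} gives an invalid probability {p}")
        cpt[combo] = p
    return cpt


def child_failure(priors, cpt, evidence=None):
    """P(child fails), optionally given hard evidence {parent_index: 0 or 1}.

    Computed by enumerating every combination of parent states.
    """
    evidence = evidence or {}
    total = 0.0
    for combo, p_fail in cpt.items():
        weight = 1.0
        for i, state in enumerate(combo):
            if i in evidence:
                weight *= 1.0 if evidence[i] == state else 0.0
            else:
                weight *= priors[i] if state else 1.0 - priors[i]
        total += weight * p_fail
    return total


def posterior_cause(priors, cpt, index):
    """Bayes' rule: P(cause present | child failed)."""
    marginal = child_failure(priors, cpt)
    if marginal == 0.0:
        raise ZeroDivisionError("child failure has zero prior probability")
    likelihood = child_failure(priors, cpt, {index: 1})
    return likelihood * priors[index] / marginal


if __name__ == "__main__":
    cpt = cpt_equation1(len(PARENTS))
    crsn = PARENTS.index("CRSN")
    print("static P(failure):            ", child_failure(PRIORS, cpt))
    print("P(failure | corrosion found): ", child_failure(PRIORS, cpt, {crsn: 1}))
    print("P(corrosion | failure seen):  ", posterior_cause(PRIORS, cpt, crsn))
```
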
3.5 Determination of Dynamic Failure Probability for The Defined Accident Scenario Using Bayesian Network Approach
Chapter 4: QUANTIFICATION OF CONSEQUENCES
Under this chapter, the methodology of calculating the consequences is presented. In this case, the largest possible consequence is considered. As shown in Figure 10, the worst-case scenario is the Jet Fire. It will include financial losses attributable to lost production cost (LPC), inspection cost (IC), segment replacement cost (RC) and environmental consequences cost (EC). In addition to that, the impact on people will also be taken into consideration.
Due to the Jet Fire event, people will have to evacuate and all the necessary disaster management actions will be carried out. The assessment provides an estimate of the risk in monetary values.
Liquid Petroleum Gas (LPG) is considered non-toxic; therefore the most probable accidents will be Jet Fire or Explosion. A Jet Fire generates heat radiation while an explosion creates pressure pulses. This study assumes the most probable catastrophic event is Jet Fire. The Jet Fire will be simulated using the industrial Computational Fluid Dynamics (CFD) software called FLACS. The temperature distribution and heat radiation will be simulated based on the scenario defined. Based on the simulation results, the evacuation and other related costs will be calculated.
4.1 Determination of the Quantity of Leaked Products
4.1.1 Leak Rates
The quantification of the leak rate is the first step in this process. It can be determined using the equation recommended by (Nilsson, 2009). It is valid for gas or vapour flows given that the flow is a choked flow. Choked flow occurs when the internal pressure is nearly two times or more that of the atmospheric pressure.
$\dot{m} = 0.8\, A P \sqrt{\frac{M \gamma}{z R T} \left( \frac{2}{\gamma + 1} \right)^{\frac{\gamma + 1}{\gamma - 1}}}$
Where;
$A$: Area of hole,
$P$: Pressure,
$M$: Molecular weight,
$\gamma$: Ratio of specific heats,
$z$: Gas compressibility factor,
$R$: Universal gas constant,
$T$: Temperature in Kelvin.
The calculation results of the leak rate can be presented as shown in table #. It is assumed that the crack creates a circular opening with a diameter similar to the crack size.
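| Parameter | Value | Unit |
|---|---|---|
| Gas Flow Rate ($\dot{m}$) | (To be determined) | kg/s |
| R | 8.314 | J.K/mol |
| T | 293 | K |
| gamma | 1.31 | |
| z | 1 | Assume ideal gas |
| M | 1.80E-02 | g/mol |
| P | 1.50E+06 | Pa |

| Leak Size (m) | Cross section (m^{2}) | Flow rate (kg/s) |
|---|---|---|
| 4.0E-01 | 1.26E-01 | 2.74E+02 |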
4.1.2 Duration
The duration of the leak depends on several factors: the nature of the leak, accessibility, and the reliability of the disaster management system. The duration can be a few minutes to a few hours. In this study, it is assumed that the leakage rate does not change with time, though in practice it reduces with time. Further, it is assumed that the entire amount of leaked liquid gas is subjected to Jet Fire.
In this scenario, the leak duration is assumed to be 3 hours. It is assumed that this amount is completely burnt during the Jet Fire. In practice this can be much higher. Nevertheless, given the development of communication among people and the assumed auto shutdown and manual shutdown features, this may be a reasonable assumption.
Based on the above data, assumptions, and mathematical models, the following quantification can be done.
$Q_{LP} = 2.74 \times 10^{2}\ \text{kg s}^{-1} \times (60 \times 60 \times 3)\ \text{s} = 2,959,200\ \text{kg}$
The approximate value of 1 kg of LPG = LKR 100
Therefore, the total loss from leakage = LKR 200,959,200
4.2 Quantification of Radiation Effects
The radiation effect is quantified by the FLACS simulation. The following procedure is followed to perform the simulation. This eliminates the manual calculations in determining the temperature distribution around the Jet Fire location. Firstly, the grid was defined using the CASD utility available in the FLACS software. An effective grid was defined to balance computation power usage against the accuracy of the calculations and visualizations. Figure 14 shows the complete set of details and the visualization in the CASD utility. Then the parameters mentioned in Table 5 to Table 11 were assigned in the software. The parameters mentioned in Annexure 1 were assigned in CASD.
The simulation was performed using FLACS software to get the temperature distribution plot shown in figure #. In addition to that, some important parameters such as the Mole Fraction of LPG distribution and the Velocity Distribution were also simulated and are presented in Annexure 1.
A sample set of results is presented under this topic. The rest of the results are presented in the Discussion section. Figure 7 shows the temperature distribution due to Jet Fire. It is clear that a severe temperature effect is possible for the defined scenario.
Figure 7: Isosurface diagram of the temperature distribution due to jet fire
4.3 The Impact Assessment
The methods mentioned under 4.2 provide the radiation effect with respect to the distance from the point of Jet Fire. The effect or impact of heat radiation on people is shown in Table #.
| Radiation Heat Level (kW/m^{2}) | Physical Effect (depending on the duration of exposure) |
|---|---|
| 1.2 | Received from the sun at noon |
| 2.1 | Minimum to cause pain after 1 minute |
| 4.7 | Will cause pain in 15-20 seconds and injury after 30 seconds’ exposure |
| 12.6 | Significant chance of fatality for extended exposure. High chance of injury |
| 23 | Likely fatality for extended exposure and chance of fatality for instantaneous (short) exposure |
| 35 | Significant chance of fatality for people exposed instantaneously |
Plot of heat radiation over distance
4.4 The consequences in terms of currency
Chapter 5: QUANTIFICATION OF RISK
Quantitative Risk Analysis
The estimated pipeline replacement cost in the U.S. is about $643800 per km.
Risk Criteria
Individual Risk Criteria
Individual risk is defined as the risk to an individual or a person in the surroundings of a hazard, which includes the nature of the injury to the individual, the likelihood of injury and the time period over which an injury can take place. In other words, the individual risk is the probability of fatality to a person at a particular point in hazardous surroundings. It is usually expressed as chances per million per year (pmpy) (Nilsson, 2009). It is also defined as the frequency at which an individual at a particular distance from a pipeline is expected to sustain a particular level of harm from the hazard present in those surroundings (Jonkman, 2011).
The geographical distribution of individual risk around the selected place can be shown by individual risk contours, which show the frequency of an event capable of causing a particular level of harm at a particular location, regardless of whether any individual is present there to suffer the harm. Therefore, individual risk contour maps are formed by estimating individual risk at every location assuming that somebody will be there 100% of the time (annual exposure of 8760 hours per year) (Jonkman, 2011).
Societal Risk Criteria
After the individual risk assessment, societal risk assessment is the other important analysis that should be done to understand the effect at the level of society. The societal risk measure is a graphical presentation used to estimate the risk to a group of people located in the effect zone of an incident or accident (Schork, 2012).
Some major incidents and catastrophic accidents have had detrimental effects on property and groups of people in past decades. Even nowadays, incidents and accidents can occur that have the potential to affect a large number of people. Societal risk assessment therefore exists to calculate the risk to a group of people or at the level of society. Societal risk is usually expressed in terms of the frequency distribution of multiple casualty events (FN curve) (Franks, 2004); however, it can also be expressed in terms similar to individual risk, because societal risk assessment requires the same information (frequency and consequences) as an individual risk assessment. Furthermore, societal risk assessment also requires information on the people at risk around the affected zone. This information can be of different types, for example the kind of location (residential, industrial or school) and the likelihood that many people are present at a particular location and at which time.
According to (Crowl et al, 2009), individual and societal risks are different presentations of the same input values (frequency and consequences). Both assessments are very important in terms of reducing risk and judging the acceptability of a facility in absolute terms.
Reduction of Risk
Dynamic Risk
Get input from the simulation and calculate the consequences. (That equation)
Chapter 6: Results and Discussion
Pros and cons of Bow tie approach. (static)
The probability values are assigned to demonstrate the ability to use the Bow tie method. However, the method provides only a static probability of failure. Evidence of the latest situation cannot be introduced to get an updated probability of failure.
Chapter 7: Conclusions
Chapter 8: Suggestions and Future Work
REFERENCES
Aljaroudi, A., Khan, F., Akinturk, A., Haddara, M. and Thodi, P. (2015) ‘Risk assessment of offshore crude oil pipeline failure’, Journal of Loss Prevention in the Process Industries. Elsevier Ltd, 37, pp. 101–109. doi: 10.1016/j.jlp.2015.07.004.
Anonymous (2011) ‘Investigation report on San Bruno pipeline rupture cites lax safety approach, inadequate oversight as probable causes of accident’, Materials Performance, 50(August), pp. 18–19.
Badreddine, A. and Amor, N. Ben (2013) ‘A Bayesian approach to construct bow tie diagrams for risk evaluation’, Process Safety and Environmental Protection, 91(3), pp. 159–171. doi: 10.1016/j.psep.2012.03.005.
Crowl, D. and Joseph, L. (2009) Chemical Process Safety. 2nd edn. New Jersey: Prentice Hall PTR.
Ferdous, R., Khan, F., Sadiq, R., Amyotte, P. and Veitch, B. (2013) ‘Analyzing system safety and risks under uncertainty using a bowtie diagram: An innovative approach’, Process Safety and Environmental Protection, 91(1–2), pp. 1–18. doi: 10.1016/j.psep.2011.08.010.
Franks, A. (2004) ‘A Simplified Approach to Estimating Individual Risk’, Health and Safety Executive, pp. 3–54.
Gexcon AS (2016) FLACS v10.5 User’s Manual. Doxygen, Norway. Sunday May 29 2016.
google.com (2016) Observer-Reporter - Google News Archive Search. Available at: https://news.google.com/newspapers?id=9M5dAAAAIBAJ&sjid=UV0NAAAAIBAJ&pg=1104,1780217&dq=propane pipeline leak&hl=en (Accessed: 3 January 2018).
Heinz, F. (2013) Milford Pipeline Fire May Burn for 36 Hours, NBCDFW. Available at: http://www.nbcdfw.com/news/.
Husmeier, D., Dybowski, R. and Roberts, S. (2005) Probabilistic Modeling in Bioinformatics and Medical Informatics. 1st edn. Edited by X. Wu and J. Lakhmi. United States of America: Springer.
Jonkman, S. N. (2011) ‘The Use of Individual and Societal Risk Criteria Within the Dutch Flood Safety Policy - Nationwide Estimates of Societal Risk and Policy Applications’, Risk Analysis, 31(2), pp. 282–300. doi: 10.1111/j.15396924.2010.01502.x.
Kalantarnia, M, F I Khan, and K. H. (2009) ‘Risk Assessment and Management Using Accident Precursors Modeling in Offshore Process Operation’, in International Conference on Offshore Mechanics and Arctic Engineering, pp. 793–802.
Kalantarnia, M., Khan, F. and Hawboldt, K. (2010) ‘Modelling of BP Texas City refinery accident using dynamic risk assessment approach’, Process Safety and Environmental Protection. Institution of Chemical Engineers, 88(3), pp. 191–199. doi: 10.1016/j.psep.2010.01.004.
Khakzad, N., Khan, F. and Amyotte, P. (2012) ‘Dynamic risk analysis using bowtie approach’, Reliability Engineering and System Safety. Elsevier, 104, pp. 36–44. doi: 10.1016/j.ress.2012.04.003.
Khakzad, N., Khan, F. and Amyotte, P. (2013) ‘Dynamic safety analysis of process systems by mapping bowtie into Bayesian network’, Process Safety and Environmental Protection, (January). doi: 10.1016/j.psep.2012.01.005.
Neapolitan, R. E. (2010) ‘Learning Bayesian Networks’, International journal of data mining and bioinformatics, 4, pp. 505–19. doi: 10.1016/j.jbi.2010.03.005.
Networks, B., Faltin, F. and Kenett, R. (2007) ‘Bayesian Networks’, Encyclopedia of Statistics in Quality & Reliability, 1(1), p. 4. doi: 10.1002/wics.48.
Nilsson, K. (2009) Preliminary Hazard Analysis of The Natural Gas Delivery Pipeline Between Young And Bomen in NSW.
OREDA (2002) OREDA - Offshore Reliability Data Handbook. 4th edn. OREDA Participants.
Paltrinieri, N., Khan, F., Amyotte, P. and Cozzani, V. (2014) ‘Dynamic approach to risk management: Application to the Hoeganaes metal dust accidents’, Process Safety and Environmental Protection. Institution of Chemical Engineers, 92(6), pp. 669–679. doi: 10.1016/j.psep.2013.11.008.
Paltrinieri, N. and Scarponi, G. (2014) ‘Addressing Dynamic Risk in the Petroleum Industry by Means of Innovative Analysis Solutions’, Chemical Engineering Transactions, 36, pp. 451–456. doi: 10.3303/CET1436076.
Paltrinieri, N., Tugnoli, A., Buston, J., Wardman, M. and Cozzani, V. (2013) ‘Dynamic Procedure for Atypical Scenarios Identification (DyPASI): A new systematic HAZID tool’, Journal of Loss Prevention in the Process Industries. Elsevier Ltd, 26(4), pp. 683–695. doi: 10.1016/j.jlp.2013.01.006.
PHMSA (2017) Incident Statistics - PHMSA. Available at: https://www.phmsa.dot.gov/hazmatprogrammanagementdataandstatistics/dataoperations/incidentstatistics (Accessed: 3 January 2018).
RPS (2018) BowtieXP. Available at: http://www.bowtiexp.com.au/software/bowtiexpstandard (Accessed: 10 February 2018).
Schork, J. M. (2012) ‘Summary: Societal risk criteria and pipelines’, Process Safety Progress, 31(4), pp. 409–410. doi: 10.1002/prs.11522.
Villa, V., Paltrinieri, N., Khan, F. and Cozzani, V. (2016) ‘Towards dynamic risk analysis: A review of the risk assessment approach and its limitations in the chemical process industry’, Safety Science. Elsevier Ltd, 89, pp. 77–93. doi: 10.1016/j.ssci.2016.06.002.
Yeo, C., Bhandari, J., Abbassi, R., Garaniya, V. and Chai, S. (2016) ‘Dynamic risk analysis of offloading process in floating liquefied natural gas (FLNG) platform using Bayesian Network’, Journal of Loss Prevention in the Process Industries, 41, pp. 259–269.
Yeo, C. T., Bhandari, J., Abbassi, R., Garaniya, V., Chai, S. and Shomali, B. (2016) ‘Dynamic risk analysis of offloading process in floating liquefied natural gas (FLNG) platform using Bayesian Network’, Journal of Loss Prevention in the Process Industries, 41, pp. 259–269. doi: 10.1016/j.jlp.2016.04.002.
Zadakbar, O., Imtiaz, S. and Khan, F. (2013) ‘Dynamic Risk Assessment and Fault Detection Using Principal Component Analysis’, Industrial & Engineering Chemistry Research, 52(2), pp. 809–816. doi: 10.1021/ie202880w.