ARAMIS Project - Event Prediction (General)
ABSTRACT
ARAMIS (Accidental Risk Assessment Methodology for IndustrieS) is a European project aiming to build up a new integrated risk assessment method that will be used as a supportive tool to speed up the harmonized implementation of the Seveso II Directive. A part of ARAMIS is devoted to the identification of accident scenarios in process industries. First, a Methodology for the Identification of Major Accident Hazards (MIMAH) is defined. According to a bow-tie approach, the major accidents are identified through generic fault and event trees. The term Major Accidents must be understood as the worst accidents likely to occur on an installation, assuming that no safety systems are installed. Second, a Methodology for the Identification of Reference Accident Scenarios (MIRAS) studies the influence of safety systems placed on the branches of generic trees. The deep study of causes of accidents, probability levels, safety systems effectiveness and safety management efficiency allows us to define Reference Accident Scenarios, representing the real hazardous potential of the installation. This approach is intended to give an acute estimation of the risk level and to promote the implementation of safety systems. Test cases were carried out in five companies across Europe in order to validate the application of ARAMIS.

KEY WORDS: ARAMIS project, Seveso Directive, accident scenarios
Correspondence Address: Christian Delvosalle, Faculté Polytechnique de Mons, Major Risk Research Centre, 56 rue de l'Epargne, 7000 Mons, Belgium. Tel.: +32 65 37 44 03; Fax: +32 65 37 44 07.
1366-9877 Print/1466-4461 Online/06/05058318 © 2006 Taylor & Francis. DOI: 10.1080/13669870500419529

Introduction
ARAMIS, Accidental Risk Assessment Methodology for IndustrieS, is a European project (Hourtolou and Salvi, 2003) aiming to build up a new integrated risk assessment method that will be used as a supportive tool to speed up the harmonized implementation of the Seveso II Directive. A part of the work carried out for the ARAMIS project is devoted to the identification of accident scenarios in process industries. In these industries, the identification of accident scenarios is a key point in risk assessment. However, especially in a deterministic approach, mainly worst case scenarios are considered, often without taking into account the safety devices used and the safety policy implemented. One of the aims of the ARAMIS project is to develop a methodology able to focus on the influence of safety systems and safety management in the definition of accident scenarios. This approach is intended to give an acute estimation of the risk level and to promote the implementation of safety systems.

This article gives an overview of some methods and tools developed during the ARAMIS project. Two main complementary methods are presented. The first one is the Methodology for the Identification of Major Accident Hazards (MIMAH) (Delvosalle et al., 2003). This methodology defines the maximum hazardous potential of an installation. The term MIMAH must be understood as the worst accidents likely to occur on this installation, assuming that no safety systems are installed or that they are ineffective. The second method is called Methodology for the Identification of Reference Accident Scenarios (MIRAS). This method studies the influence of safety devices and policies on the scenarios identified with MIMAH (Debray et al., 2004). The deep study of the causes of accidents, probability levels (Delvosalle et al., 2004), safety systems effectiveness and safety management efficiency allows scenarios more realistic than those of MIMAH to be defined. These Reference Accident Scenarios (RAS) represent the real hazardous potential of the installation, taking into account the safety systems (including the safety management system).
The RAS then have to be modelled to obtain the severity mapping (Planas et al., 2004), which in turn has to be compared with the vulnerability mapping of the surroundings of the plant (Tixier et al., 2004). The aspects of management, severity and vulnerability are dealt with in other parts of the ARAMIS project. In addition to the identification of RAS, they constitute the risk assessment methodology called ARAMIS.

MIMAH (Methodology for the Identification of Major Accident Hazards)

Introduction to MIMAH
The objective of MIMAH is to predict which major accidents are likely to occur on a chemical plant. A first step aims to identify the relevant hazardous equipment in the plant considered. Then, in a second step, bow-ties are built for each piece of equipment studied. MIMAH offers tools to construct the bow-ties, centred on a critical event and developed through a fault tree on the left side (causes) and an event tree on the right side (consequences).
The purpose of the method for the selection of relevant hazardous equipment is to select the equipment on which the identification of major accident scenarios will be performed. The selection of relevant hazardous equipment is a critical step in any risk analysis. If too many pieces of equipment are selected, the analysis will be unnecessarily time-consuming. On the contrary, if too few are selected, the risk could be under-estimated. In the ARAMIS project, a piece of equipment containing potentially hazardous substances (flammable, explosive, oxidising, toxic, dangerous for the environment) is selected if the mass of the hazardous substance in the equipment is higher than or equal to a mass threshold. The threshold depends on the hazardous properties of the substance, its physical state, its possibility of vaporisation and possibly its location with respect to another piece of hazardous equipment in case of possible domino effects.

Development of Bow-ties
The main tool on which MIMAH is based is the bow-tie (see Figure 1). A bow-tie, which represents a major accident scenario, is centred on a critical event. The left part of the bow-tie, named fault tree, identifies the possible causes of a critical event. The right part, named event tree, identifies the possible consequences of a critical event.

Association of critical events with relevant hazardous equipment. The centre of the bow-tie, the critical event, is defined as a loss of containment or a loss of physical integrity. Twelve critical events are defined. Two matrices, one crossing the type of equipment with the 12 potential critical events and another one crossing the physical state of the substance handled with the 12 potential critical events, allow a list of critical events to be associated with each selected piece of hazardous equipment.
Figure 1. Bow-tie (UE: Undesirable Event; DDC: Detailed Direct Cause; DC: Direct cause; NSC: Necessary and Sufficient Cause; CE: Critical Event; SCE: Secondary Critical Event; TCE: Tertiary Critical Event; DP: Dangerous Phenomenon; ME: Major Effect)
Event tree. The right part of the bow-tie, the event tree, represents the possible consequences of the critical event studied. The structure of the event tree is the following: the Critical Event CE, such as a pipe failure, leads to Secondary Critical Events SCE (e.g., a pool formation, a jet), which lead to Tertiary Critical Events TCE (e.g., a cloud following a jet), which in turn lead to Dangerous Phenomena DP such as fire, explosion or dispersion of a toxic cloud. On the basis of the equipment type, the handled substance, its physical state and hazardous properties, the event trees are built with an automatic matrix-based method. An extensive description of the method can be found in Delvosalle et al. (2003).

Fault tree. The left part of the bow-tie is a fault tree. MIMAH provides generic fault trees for each critical event. These generic fault trees can be used as a basis in order to identify the potential causes of critical events and to develop plant-specific fault trees, which take into account the specificity of installations. The generic fault trees proposed by MIMAH were built following a deductive sequence. For each event of the tree, at any level, the procedure involved the identification of its potential immediate causes, taking into account the functions or elements usually present in the system or its surroundings. The first step led to the identification of necessary and/or sufficient causes (NSC) of the critical event. Only physical phenomena were considered at this stage. The second step involved the identification of direct causes (DC) that could lead to the occurrence of NSCs. The causes at this level were, for most of them, the causes usually considered in the accident databases, such as erosion, corrosion and overpressure. The next level is called detailed direct causes (DDC). This detailed level permits the identification of most of the main safety systems.
At the last level, the aim was to propose, as far as possible, very generic causes, called undesirable events (UE), making the link with human behaviour and organisational deficiencies, which are potential causes for a very large variety of events (Debray et al., 2004). The result consists of 14 generic fault trees.

The complete bow-tie. MIMAH ends with the construction of complete bow-ties for each selected piece of equipment. Each bow-tie is obtained by the association of a critical event, its corresponding fault tree on the left and its corresponding event tree on the right, according to the scheme shown in Figure 1. Each bow-tie represents a major accident hazard which could occur on the selected equipment.

MIRAS (Methodology for the Identification of Reference Accident Scenarios)

The objective of the Methodology for the Identification of Reference Accident Scenarios (MIRAS) is to choose RAS among the Major Accident
Hazards identified with MIMAH. These RAS give an acute estimation of the risk level, because they take into account the safety systems implemented on the equipment. They will have to be modelled in order to calculate the Severity, which in turn will be compared with the Vulnerability of the surroundings of the plant. The RAS are chosen on the basis of a Risk Matrix crossing the level of consequences of dangerous phenomena and their frequency per year. According to its position in the matrix, each dangerous phenomenon is retained or not as a RAS. To achieve this goal, it is necessary, for each bow-tie built with MIMAH, to:
- take into account the safety systems, the safety management and their effects, in terms of frequency of the accident and also in terms of level of consequences;
- obtain the frequency per year of the critical event, either by an analysis of the fault tree or by using generic critical events frequencies;
- complete the event tree built with MIMAH to take into account the safety systems and the transmission probabilities (e.g. the probabilities of ignition);
- classify the possible consequences of dangerous phenomena identified in the event tree.
These steps will be detailed hereunder.

Identification of Safety Barriers and Assessment of Their Performances

Identification of safety functions and safety barriers. In order to identify the safety systems which have an influence on the possibility of occurrence and on the consequences of the accident, the concept of safety functions and safety barriers has to be introduced. The safety functions are technical or organisational functions, and not objects. They are expressed in terms of actions to be achieved. Four main verbs of action are defined: to avoid, to prevent, to control and to limit. These actions have to be realised thanks to safety barriers. The safety barriers are physical and engineered systems or human actions.
The safety function is the "what" needed to assure, increase and/or promote safety. The safety barrier is the "how" to implement safety functions. A typology of safety functions and barriers was defined and served as a basis for an inventory of the most used safety functions and barriers in association with the events in the bow-ties (Delvosalle et al., 2004). This inventory constitutes a useful result of ARAMIS. Thus, it is possible to identify the safety functions and the safety barriers related to the bow-tie being analysed and to place these barriers at the right place in the tree. The principle in order to achieve this goal is to review
systematically the bow-tie. Each event of a tree, branch by branch, must be examined and the following question should be asked: "Is there a safety barrier which avoids, prevents, controls or limits this event?" If yes, this safety barrier must be placed on the branch. The barrier will be placed upstream of an event if it avoids or prevents this event. If it controls or limits this event, it has to be placed downstream. This approach has some common points with the LOPA method (CCPS, 2001).

Assessment of performances of safety barriers. Once the safety barriers have been identified and placed on the bow-tie, it is necessary to assess the influence of these barriers on the frequency and on the consequences of the accident, depending on their performances. The performance of a safety barrier is defined according to three parameters:
- Its level of confidence (LC), linked to its probability of failure on demand (PFD). The level of confidence of a safety barrier is the probability of failure on demand to perform properly a required safety function according to a given effectiveness and response time under all the stated conditions within a stated period of time. Actually, this notion is similar to the notion of Safety Integrity Level (SIL) defined in IEC 61511 for Safety Instrumented Systems (IEC, 2001) but applies here to all types of safety barriers.
- Its effectiveness (E) or adequate capacity to take the required action (specific size or volume, physical strength, etc.). The effectiveness is the ability for a technical safety barrier to perform a safety function for a given duration, in a non-degraded mode and in specified conditions. The effectiveness is either a percentage or a probability of success of the defined safety function.
- Its response time (RT). The response time is the duration between the straining of the safety barrier and the complete achievement of the safety function performed by the safety barrier.
According to the type of safety barrier (passive barriers, activated barriers or human actions), the assessment of its performance is quite different. Explanations are given hereunder.

The passive barriers are defined as functioning permanently, not requiring any human actions, energy sources or information sources to achieve their function. In the ARAMIS project, it has been decided to allot to any passive barrier a generic Probability of Failure on Demand (PFD), which is a value comparable to an LC but taken from accident databases and learnt from accidents. Some examples are given in Table 1.

The activated barriers are composed of three subsystems in chain: a detection system, a treatment system (logic solver, relay, mechanical device, interlock, human) and an action (mechanical, instrumented, human). The level of confidence is determined for the whole activated safety barrier (and not for a single device). Indeed, for each subsystem, level of
Table 1. Examples of Level of Confidence (LC) for passive barriers
Passive safety barrier                     Probability of Failure on Demand (no dimension)
Dike                                       $10^{-2}$ to $10^{-3}$
Fire-proofed wall/blast wall/bunker        $10^{-2}$ to $10^{-3}$
Flame/detonation arrestors                 $10^{-1}$ to $10^{-3}$
confidence, effectiveness and response time are estimated and combined to calculate the global level of confidence of the barrier. Figure 2 gives a generic example of combination of LC for one specific safety barrier. Moreover, examples of level of confidence, effectiveness and response time for some subsystems are given in Table 2.

For the human actions (as for the passive barriers), the principles of the IEC 61508/61511 standards for the assessment of level of confidence cannot, therefore, be applied. In the ARAMIS project, it has been decided to associate with human actions a generic PFD taken from the literature, which is converted into an equivalent LC (see Table 3).
Figure 2. Generic configuration for Level of Confidence combinations (D: Detection system; T: Treatment system; A: Action; LC: Level of confidence; E: Effectiveness; RT: Response time)
(a) The value depends on the type and on the operating conditions of the system (b) For safety relief valve, the value of 2 is generally adopted (c) The value depends on the type of gas
Table 3. Examples of Level of Confidence (LC) for human actions. Probability of Failure on Demand (no dimension): $10^{-2}$, $10^{-2}$, $10^{-1}$
Design and Operational level of confidence. In a first step, the level of confidence assessed is the design level of confidence. This means that the barrier is supposed to be as efficient as when it was installed, with the same response time and the same level of confidence or probability of failure on demand. But the performance of the safety barrier could decrease over time. This could occur for multiple reasons, for example a bad inspection program, a loss of knowledge of the operators or the clogging up of some device. All these reasons can be related to the quality of the safety management system. In a second step, it is thus necessary to assess the quality of the safety management system and its influence on the performances of safety barriers. The tools for the safety management audit are described in another part of the ARAMIS project (Duijm et al., 2004). One of the aims of the audit is to verify whether the safety barriers are sufficiently inspected and maintained. If this is not the case, the level of confidence of safety barriers will be decreased according to the results of the audit. This will give the operational level of confidence of the safety barrier.
The frequencies of critical events can be estimated either by the analysis of the fault tree or by using generic critical events frequencies. In the first approach, the frequency of the critical event is calculated from an analysis of the fault tree by a gate-by-gate method, taking into account the identification of safety barriers and their performances. The gate-by-gate method starts with the initiating events frequencies of the fault tree and proceeds upward toward the critical event. All inputs to a gate must be evaluated before calculating the gate output. All the bottom gates must be computed before proceeding to the next higher level. Detailed explanations about these calculations can be found in the literature (CCPS, 1989).

In parallel, the influence of safety barriers on the accident scenario (the bow-tie) is taken into account. The "avoid" barrier implies that the event located just downstream is supposed impossible. The corresponding branch will thus not influence the critical event frequency anymore. The prevention and control barriers decrease the transmission probabilities between two events in the fault tree and influence the critical event frequency. Indeed, if the LC of a barrier on a branch is equal to n, then the frequency of the downstream event on the branch is multiplied by a factor $10^{-n}$ (Delvosalle et al., 2004). A fault tree with the calculation of the critical event frequency is presented as an example in Figure 3. The frequency of the critical event "Breach on shell in liquid phase" on a pressure storage of ethylene oxide is calculated from the analysis of the plant-specific fault tree, taking into account the estimation of initiating events frequencies (the events placed the most on the
Figure 3. Fault tree with the calculation of the critical event frequency (frequency per year)
left of the bow-tie), the identification of safety barriers and the evaluation of their levels of confidence.

In the second approach, the critical event frequency can be obtained from a review of generic frequencies of critical events found in the literature. For each kind of equipment and each kind of critical event, data have been collected, giving as a result a range of frequency values. An extract of this review is presented in Figure 4. The idea proposed in our approach is to obtain first the critical event frequency derived from the fault tree analysis. In case of lack of data, the critical event frequency can be taken in the range issued from the literature review. The safety systems and management influencing the events in the fault tree allow a choice of a low or a high value in this range.

Calculation of the Frequency of Dangerous Phenomena
As the selection of RAS is based on the evaluation of the frequency of dangerous phenomena, together with their potential consequences, the frequencies of dangerous phenomena have to be calculated by proceeding step by step through the event tree. First, binary choices in the trees need to be quantified in terms of probabilities: is there an immediate ignition or not? If not, is there a delayed ignition or not? In case of delayed ignition of a vapour cloud, will it end in a vapour cloud explosion (VCE) or a flashfire? All these transmission or conditional probabilities resulting from binary choices were the subject of a data review, giving synthesis tables of probabilities depending on safety measures taken onsite, type of equipment, size of release, and so on. Some examples are given in Table 4 and Table 5. Second, safety barriers related to the event tree side have to be taken into account, both in terms of consequences and frequencies of dangerous phenomena, as explained in Delvosalle et al. (2004).
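The two frequency calculations of this section, worked through as an added example (not code from the article or from the ARAMIS project): a gate-by-gate fault tree evaluation with the $10^{-n}$ barrier factor, followed by the event tree propagation, including the two-branch treatment of a limitation barrier (PFD and 1-PFD) that the next paragraph describes. The gate rules (frequencies summed at an OR gate, one frequency multiplied by probabilities at an AND gate) are assumed here because the article defers them to CCPS (1989); the class names are hypothetical and every input value is constructed, except Pvce = 0.1, which is the low-obstruction value of Table 5.

```python
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Optional, Tuple


def pfd(lc: int) -> float:
    """PFD of a barrier whose level of confidence is n: 10^-n."""
    return 10.0 ** -lc


@dataclass
class FaultEvent:
    """Fault-tree event: a leaf carries a value, a gate combines its inputs."""
    name: str
    kind: str = "freq"                 # "freq" (per year) or "prob" (no dimension)
    value: float = 0.0                 # leaf value, ignored when a gate is set
    gate: Optional[str] = None         # "OR" or "AND" (assumed gate rules, see lead-in)
    inputs: List["FaultEvent"] = field(default_factory=list)
    barrier_lcs: Tuple[int, ...] = ()  # prevent/control barriers on the branch leaving this event
    avoided: bool = False              # an "avoid" barrier makes the branch impossible


def evaluate(ev: FaultEvent) -> Tuple[float, str]:
    """Gate-by-gate: every input is evaluated before the gate output."""
    if ev.gate is None:
        value, kind = ev.value, ev.kind
    elif ev.gate in ("AND", "OR"):
        values, kinds = zip(*(evaluate(i) for i in ev.inputs))
        if ev.gate == "AND":           # at most one frequency, the rest probabilities
            if kinds.count("freq") > 1:
                raise ValueError(f"{ev.name}: AND gate with two frequencies")
            value = prod(values)
            kind = "freq" if "freq" in kinds else "prob"
        else:
            if len(set(kinds)) != 1:
                raise ValueError(f"{ev.name}: OR gate mixes frequencies and probabilities")
            kind = kinds[0]
            value = sum(values) if kind == "freq" else 1 - prod(1 - v for v in values)
    else:
        raise ValueError(f"{ev.name}: unknown gate {ev.gate!r}")
    if ev.avoided:                     # branch no longer influences the critical event
        return 0.0, kind
    for lc in ev.barrier_lcs:          # each barrier of LC n multiplies by 10^-n
        value *= pfd(lc)
    return value, kind


@dataclass
class TreeNode:
    """Event-tree node; a node without branches is a dangerous phenomenon."""
    name: str
    branches: List[Tuple[float, "TreeNode"]] = field(default_factory=list)
    limitation_lc: Optional[int] = None  # limitation barrier met on this leaf


def propagate(node: TreeNode, freq: float, out: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Multiply the incoming frequency along each branch and collect the leaves."""
    out = {} if out is None else out
    if node.branches:
        if abs(sum(p for p, _ in node.branches) - 1.0) > 1e-9:
            raise ValueError(f"{node.name}: branch probabilities must sum to 1")
        for p, child in node.branches:
            propagate(child, freq * p, out)
        return out
    if node.limitation_lc is None:
        parts = [(node.name, 1.0)]
    else:                              # barrier fails with PFD, succeeds with 1 - PFD
        fail = pfd(node.limitation_lc)
        parts = [(node.name + " (fully developed)", fail), (node.name + " (limited)", 1.0 - fail)]
    for label, p in parts:
        out[label] = out.get(label, 0.0) + freq * p
    return out


def constructed_bowtie() -> Tuple[float, Dict[str, float]]:
    """Constructed data; only Pvce = 0.1 (Table 5, low obstruction) comes from the article."""
    fault_tree = FaultEvent("breach on shell", gate="OR", inputs=[
        FaultEvent("corrosion", value=1e-3, barrier_lcs=(2,)),
        FaultEvent("overpressure", gate="AND", barrier_lcs=(2,), inputs=[
            FaultEvent("filling upset", value=1e-1),
            FaultEvent("pressure exceeds design", kind="prob", value=0.1),
        ]),
        FaultEvent("external impact", value=1e-4, avoided=True),
    ])
    ce_freq, _ = evaluate(fault_tree)
    p_ii, p_di, p_vce = 0.1, 0.5, 0.1
    event_tree = TreeNode("breach on shell", [
        (p_ii, TreeNode("poolfire", limitation_lc=2)),
        (1 - p_ii, TreeNode("no immediate ignition", [
            (p_di, TreeNode("delayed ignition", [
                (p_vce, TreeNode("VCE")),
                (1 - p_vce, TreeNode("flashfire")),
            ])),
            (1 - p_di, TreeNode("dispersion without ignition")),
        ])),
    ])
    return ce_freq, propagate(event_tree, ce_freq)
```

Calling constructed_bowtie() returns the critical event frequency and a dictionary of dangerous phenomena frequencies per year; the phenomena frequencies always sum to the critical event frequency, which is a quick consistency check on any event tree.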
Briefly, it can be pointed out that the prevention and control barriers decrease the transmission probability between two events and influence the dangerous phenomena frequencies. The limitation barriers reduce the consequences of dangerous phenomena by limiting the source term or by limiting their effects. In the event tree, when a limitation barrier is met, two branches appear, one if the barrier fails, with a probability equal to the PFD of the barrier, and the other if the barrier succeeds, with a probability equal to (1-PFD). The PFD of a safety barrier is equal to $10^{-n}$, n being the level of confidence of the barrier. Thanks to these various types of probabilities, the frequency of dangerous phenomena associated with each critical event identified by MIMAH can be calculated. An example of an event tree following the critical event "Breach on shell in liquid phase" on methanol storage is shown in Figure 5. In this figure, the frequencies of dangerous phenomena are calculated and the limitations of the source term and/or
Table 5. Probability of VCE (Vapour Cloud Explosion) according to the obstruction when the delayed ignition occurs
Obstruction                Probability of VCE
Low obstruction            0.1
Medium obstruction         0.5
Strong obstruction         2/3
Figure 5. Event tree starting from a breach on shell of methanol storage with the frequencies of dangerous phenomena (frequency per year) (Pii: Probability of immediate ignition; Pdi: Probability of delayed ignition; Pvce: Probability of Vapour Cloud Explosion; VCE: Vapour Cloud Explosion)
effects of dangerous phenomena by the limiting safety barriers are also specified.

Estimation of the Class of Consequences of Dangerous Phenomena
In order to select the RAS, the potential consequences of dangerous phenomena must be estimated. At this stage, the evaluation is only qualitative. A quantitative assessment will be made in the ARAMIS part devoted to the calculation of the Severity, but this step is made after the selection of RAS. The qualitative assessment of consequences of dangerous phenomena is based on four classes of consequences, defined according to potential consequences in terms of effects on human targets, effects on the environment and domino effects (see Figure 6). Thus, for each dangerous phenomenon
identified during the development of event trees, a class of consequences must be chosen according to these definitions. The choice of the class of consequences takes into account whether the dangerous phenomenon is fully developed or limited due to the presence of safety barriers.

Selection of RAS with the help of the Risk Matrix
For the selection of RAS, the tool used is a Risk Matrix (see Figure 7). The X-axis corresponds to the four consequence classes, and the Y-axis corresponds to the frequency of dangerous phenomena. Three zones are defined in this matrix:
- The lower green zone (Negligible effects zone) corresponds to dangerous phenomena with a low enough frequency and/or consequences which will probably have no actual effects on the severity.
- The intermediate yellow zone (Medium effects zone) corresponds to dangerous phenomena which will probably have actual effects on the severity and will then be selected to be modelled for the severity calculations. These dangerous phenomena correspond to RAS.
- The upper red zone (High effects zone) corresponds to very dangerous phenomena which will surely have actual effects on the severity. Corresponding accident scenarios should be revisited in order to put additional safety systems in place. However, if nothing is changed, these dangerous phenomena shall be selected, in their present state, to be modelled for the severity calculations. Of course, these dangerous phenomena correspond to RAS.
It should be remembered that this risk matrix is actually not a guide for the acceptability of risk, but only a guidance to select the reference accident scenarios which have to be modelled for the calculation of the severity. Finally, each dangerous phenomenon resulting from bow-ties must be placed in the risk matrix, according to its frequency and its class of consequences. Dangerous Phenomena in yellow and red zones are the RAS
and have to be modelled for the severity calculations. However, one can always choose to model a scenario located in the green zone if it is believed necessary to do so. For illustration, the Risk Matrix with the dangerous phenomena from the critical event "Breach on shell in liquid phase" (see the event tree in Figure 5) is presented in Figure 8. So, the dangerous phenomena retained as reference accident scenarios are the poolfire with a limited source term (the bund limits the extent of the pool) and a class of consequences C2, and the flashfire with a limited source term, limited effects (gas dispersion limited by foam injection) and a class of consequences C2.

Implications: Practical Significance
These methods have been tested in five chemical plants across Europe. Feedback from these case studies is included in the tools presented in this article and thus the method is believed to be consistent and applicable. Moreover, besides the final objective, which is to identify RAS, the ARAMIS project offers a great number of parallel outcomes resulting from the wide variety of tools mentioned above. For example, the bow-tie approach with the concept of safety functions and safety barriers should lead to promising applications in other fields, like occupational safety or hazardous substances transportation safety.
Figure 8. Risk matrix with the dangerous phenomena from the event tree shown in Figure 5
Limitations
The probabilities (frequencies/probabilities of initiating events, frequencies of critical events, transmission probabilities) have been used all along the branches of fault and event trees. Even if some results can be obtained from the literature, this part of ARAMIS shows that, on one hand, there is a lack of reliable data and, on the other hand, coupling between the available data and the generic trees is a major difficulty. A European data collection program would be of real interest and would provide a truly ARAMIS-compatible database.

For the safety barriers, even if the IEC 61508 and 61511 standards give the criteria to assess the level of confidence of safety instrumented systems (activated barriers), it is difficult to determine the parameters, like Safe Failure Fraction and Fault Tolerance, for a subsystem. Concrete data on equipment or methods in order to determine these parameters have to be established. Moreover, some activated safety barriers are not purely automated and require a human intervention or a human diagnosis. So, there is a need for clear criteria in order to take this human factor into account in the evaluation of the parameters of these barriers.

Finally, ARAMIS has also shown the need to harmonize the rules for the selection of relevant equipment and the risk acceptance criteria in the different countries of the European Union. Some scientific criteria have to be determined in order to harmonize the different approaches to judging the acceptability of risk.

Conclusion
One part of the ARAMIS project is the development of a full methodology for the identification of RAS. Two complementary approaches are used, first MIMAH and second MIRAS. The MIMAH part makes it possible to draw up a list of all potentially hazardous equipment on the plant, and to select the relevant pieces of equipment, which are likely to influence the global risk level of the plant.
This methodology also led us to obtain a tool able to identify major accidents likely to occur on a chemical plant, based on a bow-tie analysis, starting from the basic causes and defining a succession of events leading to major effects. On the basis of the equipment type, the substance handled, its physical state and hazardous properties, a matrix-based method makes it possible to select appropriate critical events (centre of the bow-tie) and to build event trees (right part of the bow-tie). On the other hand, for each critical event, guidelines help to identify possible causes of accidents and to structure them in a fault tree (left part of the bow-tie).

In the second part, called MIRAS, safety devices and safety management are taken into account to identify scenarios more realistic than the major accident hazards, the RAS. These scenarios recognise the efforts made by industrialists and promote investment in safety systems.
It was decided to apply a barrier approach on the bow-ties describing major hazards. This gives the opportunity to identify and deeply analyse the safety systems present in equipment. Everywhere in the bow-tie, the development of an accident can be prevented, stopped, and controlled with the help of safety barriers, both technical and management ones. MIRAS proposes precise definitions of what safety barriers are, how they can be placed on a bow-tie, how to assess their efficiency and what their influence is on the development of an accident, in terms of both frequency and consequences.

In parallel, probabilities have been studied all along the branches of the fault and event trees. The calculation of the frequency of scenarios starts from the estimation of the frequency/probability of initiating events at the left of the fault tree. In moving to the right in the bow-tie, tools and figures are also provided to evaluate some transmission probabilities, i.e., ignition probabilities.

Finally, the RAS are selected on the basis of their frequency and their potential consequences, evaluated qualitatively and taking into account the influence of safety barriers. The selection of reference accident scenarios is obtained thanks to the Risk Matrix tool crossing the frequency and the potential consequences of accidents and defining three zones: the lower green zone (Negligible effects zone), the intermediate yellow zone (Medium effects zone) and the upper red zone (High effects zone). The risk matrix offers the possibility to identify accident scenarios with actual effects on the severity (the reference accident scenarios in the red and yellow zones) and to point out accident scenarios not adequately protected and needing additional safety systems (accidents in the red zone).

These methods are currently being reviewed by a panel of European experts, from both Competent Authorities and industry.
Their first comments are really positive, and the question to be examined is how the methods could be used or recommended in their respective countries.

Acknowledgements
The results presented in this publication have been elaborated in the frame of the EU project ARAMIS (Accidental Risk Assessment Methodology for IndustrieS), contract no EVG1-CT-2001-00036, co-ordinated by INERIS (F) and including EC-JRC-IPSC-MAHB (I), Faculté Polytechnique de Mons-MRRC (B), Universitat Politècnica de Catalunya-CERTEC (SP), ARMINES (F), Risø National Laboratory (DK), Università di Roma-Dipartimento Ingegneria Chimica (I), CMI-Safety Management and Technical Hazards (PL), Delft University of Technology-Safety Science Group (NL), European Process Safety Centre (UK), Ecole des Mines de Paris-Poles Cindyniques (F), Ecole des Mines de St Etienne-SITE (F), Ecole des Mines d'Alès-LGEI (F). The programme is organised within the Energy, Environment and Sustainable Development Programme in the 5th Framework Programme for
Science Research and Technological Development of the European Commission.

References
CCPS (1989) Guidelines for Chemical Process Quantitative Analysis (New York: American Institute of Chemical Engineers, Center for Chemical Process Safety).
CCPS (2001) Layer of Protection Analysis: Simplified Process Risk Assessment (New York: American Institute of Chemical Engineers, Center for Chemical Process Safety).
Debray, B., Delvosalle, C., Fiévez, C., Pipart, A., Londiche, H. and Hubert, E. (2004) Defining safety functions and safety barriers from fault and event trees analysis of major industrial hazards, Proceedings ESREL, Berlin, Germany, 14-18 June.
Delvosalle, C., Fiévez, C., Pipart, A., Casal Fabrega, J., Planas, E., Christou, M. and Mushtaq, F. (2003) ARAMIS project: Identification of Reference Accident Scenarios in SEVESO establishments, Proceedings ESREL, pp. 479-487, Maastricht, Netherlands, 16-18 June 2003.
Delvosalle, C., Fiévez, C., Pipart, A., Debray, B. and Londiche, H. (2004) ARAMIS project: Effect of safety systems on the definition of Reference Accident Scenarios in SEVESO establishments, Proceedings Loss Prevention, Prague, Czech Republic, 31 May-3 June.
Duijm, N. J., Andersen, H. B., Goossens, L., Hale, A., Guldenmund, F. and Hourtolou, D. (2004) ARAMIS project: Effect of safety management's structural and cultural factors on barrier performance, Proceedings Loss Prevention, Prague, Czech Republic, 31 May-3 June.
Hourtolou, D. and Salvi, O. (2003) ARAMIS Project: Development of an integrated Accidental Risk Assessment Methodology for IndustrieS in the framework of SEVESO II directive, Proceedings ESREL, pp. 829-836, Maastricht, Netherlands, 16-18 June.
IEC (1998) IEC 61508, Functional safety of electrical, electronic and programmable electronic safety-related systems, parts 1-7, International Electrotechnical Commission, Geneva.
IEC (2001) IEC 61511, Functional safety instrumented systems for the process industry sector, parts 1-3, International Electrotechnical Commission, Geneva.
Planas, E., Ronza, A. and Casal, J. (2004) ARAMIS project: The risk severity index, Proceedings Loss Prevention, Prague, Czech Republic, 31 May-3 June.
Tixier, J., Dandrieux, A., Dusserre, G., Bubbico, R., Luccone, L. G., Mazzarotta, B., Silvetti, B., Hubert, E., Rodrigues, N., Salvi, O. and Didier, G. (2004) Vulnerability of the environment in the proximity of an industrial site, Proceedings Loss Prevention, Prague, Czech Republic, 31 May-3 June.