Layer of Protection Analysis SIMPLIFIED PROCESS RISK ASSESSMENT
Center for Chemical Process Safety of the
American Institute of Chemical Engineers 3 Park Avenue
New York, New York 10016-5991
Copyright © 2001 American Institute of Chemical Engineers
3 Park Avenue, New York, New York 10016-5991
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without the prior permission of the copyright owner.
Library of Congress Cataloging-in-Publication Data
CIP Data applied for.
ISBN 0-8169-0811-7
It is sincerely hoped that the information presented in this volume will lead to an even more impressive safety record for the entire industry. However, the American Institute of Chemical Engineers, its consultants, CCPS Subcommittee members, their employers, and their employers’ officers and directors disclaim making or giving any warranties or representations, express or implied, including with respect to fitness, intended purpose, use or merchantability, and/or correctness or accuracy of the content of the information presented in this document. As between (1) American Institute of Chemical Engineers, its consultants, CCPS Subcommittee members, their employers, and their employers’ officers and directors and (2) the user of this document, the user accepts any legal liability or responsibility whatsoever for the consequences of its use or misuse.
Acknowledgments

The American Institute of Chemical Engineers and the Center for Chemical Process Safety express their gratitude to all the members of the Layer of Protection Analysis Subcommittee for their generous efforts and technical contributions in the preparation of this Concept Series book. Layer of Protection Analysis: Simplified Process Risk Assessment was written by the Center for Chemical Process Safety Layer of Protection Analysis Subcommittee.

Chair: Arthur M. Dowell, III, P.E., Rohm and Haas Company

The primary authors were
William G. Bridges, ABS Consulting (includes former JBF Associates)
Arthur M. Dowell, III, P.E., Rohm and Haas Company
Martin Gollin, Consultant, formerly of ARCO Chemical
Warren A. Greenfield, International Specialty Products
John M. Poulson, now retired from Union Carbide Corporation
William Turetsky, International Specialty Products

Providing support and valuable contributions throughout the project were
John T. Marshall, The Dow Chemical Company
Stanley A. Urbanik, E. I. Du Pont de Nemours and Company

Providing important guidance in the conceptual phases of the book were
Rodger M. Ewbank, Rhodia Inc.
Robert J. Gardner, now retired from E. I. Du Pont de Nemours and Company
Kumar Bhimavarapu, Factory Mutual Research
John A. McIntosh, The Proctor & Gamble Company
R. Peter Stickles, A. D. Little
Arthur W. Woltman, Equilon Enterprises LLC, formerly Shell

CCPS Staff Consultant: Robert E. Bollinger, Center for Chemical Process Safety
Editor: Dr. Daniel A. Crowl, Michigan Technological University

The Subcommittee acknowledges the support and contributions of their employer organizations in completing this book. Dr. Jack Weaver and Mr. Les Wittenberg of CCPS sponsored and supported this project and provided access to the resources of CCPS and its sponsoring organizations. The authors thank the following for their contributions in creation of figures and tables, setting up committee meetings and teleconferences and other administrative functions that were essential to the completion of this book: Ms. Jill Johnson and Mr. Paul M. Olsen, ABS Consulting; Ms. Sandy Baswell, Ms. Marge Killmeier, Ms. Angella Lewis and Ms. Jackie Rico’t, Rohm and Haas Company.

Before publication, all CCPS books are subjected to a thorough peer review process. CCPS also gratefully acknowledges the thoughtful comments and suggestions of the peer reviewers. Their work enhanced the accuracy and clarity of the book.

Steve Arendt, ABS Consulting (includes former JBF Associates)
Helmut Bezecny, Dow Deutschland Inc.
Alfred W. Bickum, Goodyear Tire and Rubber Company
Dennis Blowers, C.S.P., Solvay Polymers, Inc.
Michael P. Broadribb, BP Amoco Company
David Campbell, Concord Associates
Bill Carter, CCPS Staff Consultant
Curtis Clements, E. I. Du Pont de Nemours and Company
Kimberly F. Dejmek, Wilfred Baker Engineering
Richard R. Dunn, E. I. Du Pont de Nemours and Company
Jim Evans, Union Carbide Corporation
Rodger M. Ewbank, Rhodia Inc.
Dave Fontaine, Chevron Corporation
Raymond A. Freeman, ABS Consulting
Raymond W. French, Exxon Mobil Corporation
Dallas L. Green, Rohm and Haas Company
Dennis C. Hendershot, Rohm and Haas Company
William H. Johnson, E. I. Du Pont de Nemours and Company
Peter N. Lodal, P.E., Eastman Chemical Company
Donald M. Lorenzo, ABS Consulting (includes former JBF Associates)
Vic Maggioli, Feltronics Corporation
Rick Mann, Union Carbide Corporation
Peter McGrath, Olin Corporation
Norman McLeod, ATOFINA Chemicals, Inc.
Steve Metzler, Primatech Inc.
Dr. Hans Pasman, TNO
Jack Philley, C.S.P., Det Norske Veritas (DNV)
Michael E. G. Schmidt, P.E., Industrial Risk Insurers
Art Schwartz, Bayer Corporation
Adrian Sepeda, Occidental Chemical Corporation
Bastiaan Schupp, Delft University of Technology
Robert Stankovich, Eli Lilly and Company
Peter Stickles, A. D. Little
Dr. Angela E. Summers, P.E., SIS-Tech Solutions, LLC
Clark Thurston, Union Carbide Corporation
Anthony Torres, Eastman Kodak
Jan Windhorst, NOVA Chemicals
Acronyms and Abbreviations

AIChE: American Institute of Chemical Engineers
ALARP: As Low as Reasonably Practicable
ANSI: American National Standards Institute
API: American Petroleum Institute
ASME: American Society of Mechanical Engineers
BI: Business Interruption
BLEVE: Boiling Liquid Expanding Vapor Explosion
B.P.: Boiling Point
BPCS: Basic Process Control System
C: Consequence factor, related to magnitude of severity
CCF: Common Cause Failure
CCPS: Center for Chemical Process Safety, American Institute of Chemical Engineers
CEI: Dow Chemical Exposure Index
CPQRA: Chemical Process Quantitative Risk Assessment
CW: Cooling Water
D: Number of times a component or system is challenged (hr⁻¹ or year⁻¹)
DCS: Distributed Control System
DIERS: Design Institute for Emergency Relief Systems, American Institute of Chemical Engineers
DOT: Department of Transportation
EBV: Emergency Block Valve
ERPG: Emergency Response Planning Guideline
EuReData: European Reliability Data (series of conferences)
F: Failure Rate (hr⁻¹ or year⁻¹)
f: Frequency (hr⁻¹ or year⁻¹)
F&EI: Dow Fire and Explosion Index
F/N: Fatality Frequency versus Cumulative Number
FCE: Final Control Element
FMEA: Failure Modes and Effect Analysis
FTA: Fault Tree Analysis
HAZOP: Hazard and Operability Study
HE: Hazard Evaluation
HRA: Human Reliability Analysis
IEC: International Electrotechnical Commission
IEEE: Institute of Electrical and Electronic Engineers
IPL: Independent Protection Layer
ISA: The Instrumentation, Systems, and Automation Society (formerly, Instrument Society of America)
LAH: Level Alarm—High
LI: Level Indicator
LIC: Level Indicator—Control
LFL: Lower Flammability Limit
LNG: Liquefied Natural Gas
LOPA: Layer of Protection Analysis
LOTO: Lock-Out Tag-Out
LT: Level Transmitter
MAWP: Maximum Allowable Working Pressure
MOC: Management of Change
N2: Nitrogen
OSBL: Outside Battery Limits
OREDA: The Offshore Reliability Data project
OSHA: Occupational Safety and Health Administration (U.S.)
P fatality: Probability of Fatality
P ignition: Probability of Ignition
P person present: Probability of Person Present
P: Probability
P&ID: Piping and Instrumentation Diagram
PFD: Probability of Failure on Demand
PHA: Process Hazard Analysis
PI: Pressure Indicator
PL: Protection Layer
PM: Preventive Maintenance
PSM: Process Safety Management
PSV: Pressure Safety Valve (Relief Valve)
R: Risk
RV: Relief Valve
SCE: Safety Critical Equipment
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System
T: Test Interval for the Component or System (hours or years)
VCE: Vapor Cloud Explosion
VLE: Vapor Liquid Equilibrium
XV: Remote Activated/Controlled Valve
Preface
For over 40 years the American Institute of Chemical Engineers (AIChE) has been involved with process safety and loss control in the chemical, petrochemical, hydrocarbon process and related industries and facilities. The AIChE publications are information resources for the chemical engineering and other professions on the causes of process incidents and the means of preventing their occurrences and mitigating their consequences.

The Center for Chemical Process Safety (CCPS), a Directorate of the AIChE, was established in 1985 to develop and disseminate information for use in promoting the safe operation of chemical processes and facilities and the prevention of chemical process incidents. With the support and direction of its advisory and management boards, CCPS established a multifaceted program to address the need for process safety technology and management systems to reduce potential exposures to the public, the environment, personnel and facilities. This program entails the development, publication and dissemination of Guidelines relating to specific areas of process safety; organizing, convening and conducting seminars, symposia, training programs, and meetings on process safety-related matters; and cooperating with other organizations and institutions, internationally and domestically to promote process safety.

Within the past several years CCPS extended its publication program to include a “Concept Series” of books. These books are focused on more specific topics than the longer, more comprehensive Guidelines series and are intended to complement them. With the issuance of this book, CCPS has published 65 books. CCPS activities are supported by the funding and technical expertise of over 80 corporations. Several government agencies and nonprofit and academic institutions participate in CCPS endeavors.
In 1989 CCPS published the landmark Guidelines for the Technical Management of Chemical Process Safety. This book presents a model for process safety management built on twelve distinct, essential, and interrelated elements. The foreword to that book states: For the first time all the essential elements and components of a model of a technical management program have been assembled in one document. We believe the Guidelines provide the umbrella under which all other CCPS Technical Guidelines will be promulgated.
This Concept Series book supports several of the twelve elements of process safety enunciated in the landmark Guidelines for the Technical Management of Chemical Process Safety including Process Risk Management, Incident Investigation, Process Knowledge and Documentation, and Enhancement of Process Safety Knowledge. The purpose of this book is to assist designers and operators of chemical facilities to use Layer of Protection Analysis (LOPA) to evaluate risk and to make rational decisions to manage risk with a simplified methodology.
Contents

Preface  xi
Acknowledgments  xiii
Acronyms and Abbreviations  xvi

1 Introduction
1.1. Audience  1
1.2. History of LOPA  2
1.3. Use of LOPA in the Process Life Cycle  5
1.4. Linkage to Other CCPS Publications  7
1.5. Annotated Outline of the LOPA book  8

2 Overview of LOPA
2.1. Purpose  11
2.2. What Is LOPA?  11
2.3. What LOPA Does  12
2.4. When to Use LOPA  14
2.5. How LOPA Works  16
2.6. How to Implement LOPA  24
2.7. Limitations of LOPA  24
2.8. Benefits of LOPA  26
2.9. Introduction of Continuing Examples  27

3 Estimating Consequences and Severity
3.1. Purpose  31
3.2. Consequences of Interest  31
3.3. Consequence Evaluation Approaches for LOPA  33
3.4. Continuing Examples  40
3.5. Link Forward  42

4 Developing Scenarios
4.1. Purpose  43
4.2. LOPA Scenarios and Components  43
4.3. Identifying and Developing Candidate Scenarios  47
4.4. Continuing Examples  52
4.5. Link Forward  61

5 Identifying Initiating Event Frequency
5.1. Purpose  63
5.2. Initiating Events  63
5.3. Frequency Estimation  68
5.4. Expression of Failure Rates  73
5.5. Continuing Examples  73
5.6. Limitations (Cautions)  74
5.7. Link Forward  74

6 Identifying Independent Protection Layers
6.1. Purpose  75
6.2. Definition and Purpose of an IPL  75
6.3. IPL Rules  80
6.4. LOPA IPL Assessment  88
6.5. Examples of IPLs  90
6.6. Preventive IPLs versus Mitigation IPLs  104
6.7. Continuing Examples  106
6.8. Link Forward  113

7 Determining the Frequency of Scenarios
7.1. Purpose  115
7.2. Quantitative Calculation of Risk and Frequency  115
7.3. Look-up Table Determination of Risk or Frequency  122
7.4. Calculation of Risk or Frequency with Integer Logarithms  124
7.5. Continuing Examples  125
7.6. Link Forward  130

8 Using LOPA to Make Risk Decisions
8.1. Purpose  131
8.2. Introduction  131
8.3. Comparing Calculated Risk to Scenario Risk Tolerance Criteria  133
8.4. Expert Judgment  137
8.5. Using Cost–Benefit to Compare Alternatives  137
8.6. Comparison of Approaches, Pros and Cons  137
8.7. Cumulative Risk Criteria versus Scenario Criteria  139
8.8. Continuing Examples  140
8.9. Cautions  148
8.10. Link Forward  149

9 Implementing LOPA
9.1. Purpose  151
9.2. Is the Company Ready for LOPA?  151
9.3. What Is the Current Foundation for Risk Assessment?  152
9.4. What Data Are Required?  153
9.5. Will the IPLs Remain in Place?  155
9.6. How Are the Risk Tolerance Criteria Established?  156
9.7. When Is LOPA Used?  158
9.8. Typical Implementation Tasks  158

10 Using LOPA for Other Applications
10.1. Purpose  163
10.2. Using LOPA in Capital Improvement Planning  164
10.3. Using LOPA in Management of Change  165
10.4. Using LOPA in Mechanical Integrity Programs or Risk-Based Inspection/Risk-Based Maintenance Programs  166
10.5. Using LOPA in Risk-Based Operator Training  166
10.6. Using LOPA in Emergency Response Planning  167
10.7. Using LOPA to Determine a Credible Design Basis for Overpressure Protection  167
10.8. Using LOPA in Evaluating Facility Siting Risks  169
10.9. Using LOPA to Evaluate the Need for Emergency Isolation Valves  170
10.10. Using LOPA to Evaluate Taking a Safety System Out of Service  171
10.11. Using LOPA during Incident Investigations  172
10.12. Using LOPA in the Determination of SIL for SIF  172

11 Advanced LOPA Topics
11.1. Purpose  173
11.2. Counting Multiple Functions in One BPCS as IPLs in the Same Scenario  173
11.3. Summation of Risk for Multiple Scenarios  184
11.4. Using LOPA to Develop F/N Curves  186
11.5. Operator Response Issues  188
11.6. Normal Plant Operations as “Tests” of IPL Components  189
11.7. Focused Fault Tree/Event Tree Analysis of IPL Components  189

APPENDIX A: LOPA Summary Sheets for the Continuing Examples  191
APPENDIX B: Worked Examples from CCPS’s Safe Automation Book  211
APPENDIX C: Documentation for a LOPA Study  231
APPENDIX D: Linkage with Other Publications  237
APPENDIX E: Industry Risk Tolerance Criteria Data  243
APPENDIX F: High Initiating Event Frequency Scenarios  247
APPENDIX G: Additional Reading  251
References  255
Glossary of Terms  259
Index  265
1 Introduction

Layer of protection analysis (LOPA) is a semiquantitative tool for analyzing and assessing risk. This book
• describes the LOPA process,
• discusses the strengths and limitations of LOPA,
• describes the requirements for implementing LOPA in an organization, and
• provides worked examples that show how several different companies have applied LOPA.

This chapter
• identifies the audience for this book,
• provides the history of LOPA,
• shows the use of LOPA in the process life cycle,
• discusses the linkage to other publications, and
• provides an annotated outline for the book.
1.1. Audience

This book is intended for:
• Executives who are considering expanding their corporate strategy for managing risk by adding LOPA to their existing risk analysis process. For the executive audience, the following chapters are recommended. Chapter 2 summarizes the LOPA method and its benefits. Chapter 9 discusses the questions that an organization must answer when deciding whether to use LOPA and the required steps to implement the process effectively. Chapter 10 describes other processes (such as management of change, identification of safety critical equipment, etc.) which can be enhanced by LOPA. The appendices contain summary forms and worked examples that demonstrate the LOPA product.
• Safety specialists who are familiar with existing methods (such as HAZOP, fault tree analysis, event tree analysis, etc.) or who may already have some experience with LOPA (analysts, participants, reviewers, auditors, etc.). For this audience, Chapters 3, 4, 5, 6, 7, 8 discuss the steps of the LOPA process in detail, with several continuing examples used to demonstrate the method. The appendices contain additional worked examples and other supporting documentation.
• Process and process control engineers, chemists, operations and maintenance personnel, and others who may participate in LOPA reviews or who may be affected by LOPA recommendations. This includes those who implement the recommendations and those who receive the outcomes from LOPA. Chapters 1, 2, and 6 may be helpful for this audience.
• Persons around the world who are responsible for compliance with process safety regulations—including the US Process Safety Management rule (OSHA, 1992), Seveso II Regulations in EU member countries—and related standards—including ISA S84.01 (ISA, 1996), IEC 61508 (IEC, 1998) and IEC 61511 (IEC, 2001).
1.2. History of LOPA

In a typical chemical process, various protection layers are in place to lower the frequency of undesired consequences: the process design (including inherently safer concepts); the basic process control system; safety instrumented systems; passive devices (such as dikes and blast walls); active devices (such as relief valves); human intervention; etc. There has been much discussion among project teams, hazard analysts, and management about the number of and strength of protection layers (see text box below). Decisions were sometimes made using subjective arguments, emotional appeals, and occasionally simply by the loudness or persistence of an individual.

KEY QUESTIONS FOR PROTECTION LAYERS
• How safe is safe enough?
• How many protection layers are needed?
• How much risk reduction should each layer provide?

LOPA answers the key questions about the number and strength of protection layers by
• providing rational, semiquantitative, risk-based answers,
• reducing emotionalism,
• providing clarity and consistency,
• documenting the basis of the decision,
• facilitating understanding among plant personnel.

LOPA has its origins in the desire to answer these key questions using a rational, objective, risk-based approach. In LOPA, the individual protection layers proposed or provided are analyzed for their effectiveness. The combined effects of the protection layers are then compared against risk tolerance criteria. Characteristics of the answers provided by LOPA are listed in the text box above.

The genesis of this method was suggested in two publications:
1. In the late 1980s, the then Chemical Manufacturers Association published the Responsible Care® Process Safety Code of Management Practices which included “sufficient layers of protection” as one of the recommended components of an effective process safety management system (American Chemistry Council, 2000). The Chemical Manufacturers Association is now the American Chemistry Council.
2. In 1993, CCPS published its Guidelines for Safe Automation of Chemical Processes (CCPS, 1993b). Although it was called the risk-based SIS integrity level method, LOPA was suggested as one method to determine the integrity level for safety instrumented functions (SIFs). (See Table 7.4 in Safe Automation; CCPS, 1993b.) “Interlock” is an older, imprecise term for SIF. The method used was not as fully developed as the LOPA technique described in this book. However, it did indicate a path forward, which was pursued by several companies independently.
The reasons for this effort included the desire to
• classify SIF to determine the appropriate safety integrity level (SIL) (this was the starting point for some companies),
• develop a screening tool to reduce the number of scenarios requiring a full (chemical process) quantitative risk assessment (CPQRA),
• develop a tool that would identify “safety critical” equipment and systems to focus limited resources,
• develop a semiquantitative tool to make consistent risk based judgments within an organization,
• harmonize terminology and methodology with recently developed and developing international process sector standards, and
• facilitate communication (e.g., SIS, SIF, SIL, IPL) between the hazard and risk analysis community and the process control community (e.g., integrators, manufacturers, instrument and electrical engineers, plant personnel).
The initial development of LOPA was done internally within individual companies, in some cases focusing on existing processes, e.g., converting a control system to DCS. However, once a method had been developed and refined, several companies published papers describing the driving forces behind their efforts to develop the method, their experience with LOPA, and examples of its use (Dowell, 1997; 1998; 1999a; 1999b; Bridges and Williams, 1997; Fuller and Marszal, 1999; Lorenzo and Bridges, 1997; Ewbank and York, 1997; Huff and Montgomery, 1997). In particular, the papers and discussion among the attendees at the CCPS International Conference and Workshop on Risk Analysis in Process Safety in Atlanta in October 1997 brought agreement that a book describing the LOPA method should be developed.

In parallel with these efforts, discussions took place on the requirements for the design of safety instrumented functions (SIF) to provide the required PFDs (probability of failure on demand). United States (ISA S84.01, (ISA, 1996)) and international standards (IEC 61508, (IEC, 1998) and IEC 61511, (IEC, 2001)) described the architecture and design features of SIFs. Informative sections of the ISA and IEC standards suggested methods to determine the required SIL (safety integrity level), but LOPA was not mentioned until the draft of IEC 61511, Part 3 appeared in late 1999. These issues were summarized in the CCPS workshop on the application of ISA S84.01 (CCPS, 2000c).

In response to all this activity, CCPS assembled in 1998 a team from A. D. Little, ARCO Chemical, Dow Chemical, DuPont, Factory Mutual, ABS Consulting (includes former JBF Associates), International Specialty Products, Proctor and Gamble (P&G), Rhodia, Rohm and Haas, Shell (Equilon), and Union Carbide to tabulate and present industry practice for LOPA in this book.
This book extends the method outlined in Safe Automation of Chemical Processes (CCPS, 1993b) by
• developing concepts and definitions for use throughout industry,
• showing how numerical risk tolerance criteria have been developed by different companies,
• defining the requirements for a safeguard to be considered an independent protection layer (IPL),
• demonstrating how LOPA can be used for purposes other than the classification of SIF systems, and
• recommending documentation procedures to ensure consistency of application within an organization.

While the LOPA methods used by various companies differ, they share the following common features:
• a consequence classification method that can be applied throughout the organization;
• numerical risk tolerance criteria. Individual companies use different criteria which include:
  – frequency of fatalities,
  – frequency of fires,
  – required number of independent protection layers (IPLs), and
  – maximum frequency for specified categories of consequence based on release size and characteristics or lost production;
• a method for developing scenarios;
• specific rules for considering safeguards as IPLs;
• specified default data for initiating event frequencies and values for IPLs;
• a specified procedure for performing the required calculations; and
• a specified procedure for determining whether the risk associated with a scenario meets the risk tolerance criteria for an organization and, if it does not, how this is resolved and documented.
1.3. Use of LOPA in the Process Life Cycle

LOPA can be effectively used at any point in the life cycle of a process or a facility (see Figure 1.1), but it is most frequently used during:
• the design stage when the process flow diagram and the P&IDs are essentially complete. LOPA is used to examine scenarios, often generated by other process hazard analysis (PHA) tools, such as HAZOP, what-if, checklist, etc.; as part of the SIF design; or as part of a design study on a system to classify the various process alternatives and to select the best method;
• modifications to an existing process or its control or safety systems (i.e., management of change).
FIGURE 1.1. The process life cycle showing where LOPA is typically used (after Inherently Safer Chemical Processes: A Life Cycle Approach, CCPS 1996b)
However, LOPA can also be used in all phases of the process life cycle:
• LOPA can be used during the initial conceptual process design to examine basic design alternatives and provide guidance to select a design that has lower initiating event frequencies, or a lower consequence, or for which the number and type of IPLs are “better” than alternatives. Ideally, LOPA could be used to design a process that is “inherently safer” by providing an objective method to compare alternative designs quickly and quantifiably.
• LOPA can be used during the regular cycle of process hazard analyses (PHAs) performed on a process. Experience with LOPA at several companies has shown that its scenario-focused methodology can reveal additional safety issues in fully mature processes that have previously undergone numerous PHAs. In addition, its objective risk criteria have proven effective in resolving disagreements on PHA findings.
• LOPA can readily determine if the risk is tolerable for a process. If an SIF is required, LOPA can determine the required SIL. LOPA can examine alternatives to a SIF (modifying the process, adding other IPLs, etc.). Note that IEC 61508 (IEC, 1998) and IEC 61511 (IEC, 2001) define a safety system life cycle that covers all the activities associated with safety instrumented functions. LOPA can be a valuable tool in that safety system life cycle.
• LOPA can be used to identify equipment that, as part of an IPL, is relied upon to maintain the process within the tolerable risk criteria of an organization. Such equipment may be denoted as “safety critical” (ISA S91.01, 1995) and is subjected to specified testing, inspection and maintenance. At least one company has found that LOPA has significantly decreased the number of safety critical equipment items. (The amount of safety critical equipment had erroneously grown over time by adding equipment on a qualitative “better safe than sorry” basis.)
• LOPA can be used to identify operator actions and responses that are critical to the safety of the process. This will allow focused training and testing to be performed during the life of the process and for the operating manuals to reflect the importance of a limited number of process variables, alarms and actions.

LOPA can also be used for other risk assessment studies within an organization, including transportation studies (road, rail, pipeline), terminal operations, toll conversion operations, auditing of third parties, loss prevention and insurance issues, etc. In some companies LOPA is now used for a wide variety of purposes beyond the initial use for which it was developed (see Chapter 10).
1.4. Linkage to Other CCPS Publications

CCPS has published many books dealing with process safety issues in the chemical industry. LOPA depends on techniques described in the following CCPS books. Connections with other publications are cited in Appendix D.

A key input to LOPA is scenarios obtained from hazard identification. Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples (CCPS, 1992a) describes methods used to identify and assess the significance of hazardous situations found in process operations or activities involving hazardous chemicals. Generally, LOPA uses scenarios developed by hazard identification methods—usually qualitative (HAZOP, what-if, etc). However, companies have found that LOPA will often uncover scenarios overlooked by other methods because of the rigor in applying the concept of IPLs to the scenario. LOPA should be considered an extension to the Guidelines for Hazard Evaluation book as it provides a consistent, objective, semiquantitative method for addressing the issues covered.

LOPA is a semiquantitative approach. It can be viewed as a simplification of the quantitative risk analysis methods described in Guidelines for Chemical Process Quantitative Risk Analysis (CCPS, 1989a) and the Second Edition (CCPS, 2000a). CCPS (2000a) builds upon the information contained in CCPS (1989a) to demonstrate how to make quantitative risk estimates for the hazards identified by the techniques described in the Guidelines for Hazard Evaluation book. LOPA adds simplifying assumptions concerning the numerical values for the components of the scenario (initiating event frequency, enabling event/condition, number of IPLs, numerical value for an IPL) and in the calculation techniques employed.
The simplifications are intended to be conservative so that, if a study were to be performed using a full quantitative analysis (event tree, fault tree, etc.), the results would show less risk associated with the scenario when compared to the results of an LOPA analysis. In order to ensure this, an analyst must understand the issues involved in performing a full quantitative risk analysis and what issues are important. Chapter 11 describes situations where a focused quantitative study can be performed on one component of a LOPA scenario to provide useful additional confidence in the numerical values used.

Evaluating Process Safety in the Chemical Industry: A User’s Guide to Quantitative Risk Analysis CCPS (2000b) is a brief and relatively inexpensive introduction to the concepts of CPQRA. These concepts also apply for using LOPA.

The LOPA book is a direct extension to concepts briefly described in Guidelines for Safe Automation of Chemical Processes (CCPS, 1993b). The LOPA book shows how to determine the required safety integrity level (in terms of the probability of failure on demand or PFD) of safety instrumented functions (SIF) that may be implemented in a safety instrumented system (SIS).

LOPA is an alternative method to the techniques described in Tools for Making Acute Risk Decisions with Chemical Process Safety Applications (CCPS, 1995c). CCPS (1995c) discusses methods used for decision making where risks have been assessed. In addition to chemical process risk, other factors, including financial cost, corporate image, employment of workers, etc., may be involved in a decision. The Making Acute Risk Decisions book (CCPS, 1995c) provides a collection of decision aids to assist a company in making a decision. LOPA should be considered an alternate method for making such decisions as it employs objective, quantified risk tolerance criteria. Some of the more qualitative factors (company image, morale, etc.) cannot be directly included, but that is the case for all other objective methodologies. Some LOPA risk tolerance criteria include a range where a cost–benefit study—or another type of judgment—is required to assist in making the decision on whether a risk should be tolerated or mitigated. Analysts using LOPA should be familiar with the techniques in the Making Acute Risk Decisions book (CCPS, 1995c). More detailed links to other CCPS books and other publications are shown in Appendices D and E.
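The simplified calculation that Sections 1.3 and 1.4 refer to (initiating event frequency, enabling conditions and the PFD of each IPL multiplied together, compared with a risk tolerance criterion, with any shortfall expressed as the SIL a new SIF would need), carried through in Python as an added example; it is not code from the CCPS book and goes beyond what this chapter states by doing the arithmetic. The scenario, its frequencies and PFDs, the 1e-5/yr criterion and the Ipl/Scenario names are constructed for illustration; the SIL bands are the IEC 61508 low-demand PFD bands, and the integer-logarithm shortcut rounds each factor up to a power of ten, the conservative direction.

```python
"""LOPA scenario frequency, tolerance comparison and required SIL.

Added example, not code from the CCPS book.  The scenario, its frequencies
and PFDs and the tolerance criterion are constructed sample values; the SIL
bands are the IEC 61508 low-demand PFD bands.
"""
import math
from dataclasses import dataclass, field


@dataclass
class Ipl:
    """An independent protection layer credited in the scenario."""
    name: str
    pfd: float  # probability of failure on demand, 0 < pfd < 1

    def __post_init__(self):
        if not 0.0 < self.pfd < 1.0:
            raise ValueError(f"{self.name}: PFD must lie in (0, 1), got {self.pfd}")


@dataclass
class Scenario:
    """One initiating event leading to one consequence, as LOPA analyses it."""
    description: str
    initiating_event_frequency: float  # events per year
    enabling_probabilities: dict = field(default_factory=dict)  # e.g. ignition
    ipls: list = field(default_factory=list)


def mitigated_frequency(scenario):
    """f_consequence = f_initiating x prod(enabling probabilities) x prod(PFD_i).
    Multiplying assumes independence, which is why LOPA credits only safeguards
    that satisfy its IPL independence rules."""
    f = scenario.initiating_event_frequency
    for p in scenario.enabling_probabilities.values():
        f *= p
    for ipl in scenario.ipls:
        f *= ipl.pfd
    return f


def integer_log_exponent(scenario):
    """The same product with integer logarithms, the pencil-and-paper method:
    each factor is rounded up to the next power of ten (the conservative
    direction) and only the exponents are added.  Returns n with f ~ 10**n."""
    factors = [scenario.initiating_event_frequency]
    factors += list(scenario.enabling_probabilities.values())
    factors += [ipl.pfd for ipl in scenario.ipls]
    # the epsilon stops an exact power of ten from being rounded up a decade
    return sum(math.ceil(math.log10(v) - 1e-9) for v in factors)


def required_risk_reduction(scenario, tolerable_frequency):
    """Risk reduction factor (RRF) still needed to meet the tolerance criterion;
    RRF <= 1 means the existing IPLs already satisfy it."""
    return mitigated_frequency(scenario) / tolerable_frequency


def sil_for_rrf(rrf):
    """Map a required RRF to the IEC 61508 low-demand SIL that delivers it:
    SIL 1 covers RRF 10-100 (PFD 1e-2 to 1e-1), SIL 2 up to 1,000, SIL 3 up to
    10,000, SIL 4 up to 100,000.  Returns 0 when no SIF is needed and None when
    no single SIF closes the gap (add IPLs or reduce the consequence instead)."""
    if rrf <= 1.0:
        return 0
    orders = math.ceil(math.log10(rrf) - 1e-9)  # 5 -> 1, 100 -> 2, 101 -> 3
    sil = max(1, orders - 1)
    return sil if sil <= 4 else None


def sample_scenario(with_dike=True):
    """Constructed sample (not one of the book's continuing examples): a BPCS
    level loop failure overfills a flammable-liquid tank; the spill ignites and
    injures an operator working in the area."""
    ipls = [Ipl("High level alarm with operator response", 0.1)]
    if with_dike:
        ipls.append(Ipl("Dike contains the spill", 0.01))
    return Scenario(
        description="Tank overflow, pool fire, operator injury",
        initiating_event_frequency=0.1,  # BPCS loop failure, per year
        enabling_probabilities={"ignition": 0.1, "person present": 0.5},
        ipls=ipls,
    )


if __name__ == "__main__":
    tolerable = 1e-5  # constructed criterion for this consequence type, per year
    for with_dike in (True, False):
        s = sample_scenario(with_dike)
        rrf = required_risk_reduction(s, tolerable)
        print(f"dike={with_dike}: f={mitigated_frequency(s):.1e}/yr "
              f"(~1e{integer_log_exponent(s)}), RRF={rrf:.0f}, SIL={sil_for_rrf(rrf)}")
```

With the dike credited the scenario meets the constructed 1e-5/yr criterion (5e-6/yr); without it the gap is a factor of 50, which a SIL 1 function would close.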
1.5. Annotated Outline of the LOPA book
Chapter 1 (this chapter) is an introduction to the book.
Chapter 2 (Overview of LOPA) provides an outline of the LOPA process, discusses concepts and definitions unique to LOPA, and introduces the continuing examples used throughout the book.
Chapter 3 (Estimating Consequences and Severity) describes the concept of consequence, and its definition, in the LOPA process and provides examples of consequence categories used by some companies.
Chapter 4 (Developing Scenarios) discusses the concept of a scenario as used in LOPA, including the components that comprise a scenario. A format for presenting the results of LOPA studies is presented.
Chapter 5 (Identifying Initiating Event Frequency) discusses various initiating and enabling events and summarizes typical frequency data. The importance of using consistent initiating event frequencies for LOPA studies within an organization is emphasized.
Chapter 6 (Identifying Independent Protection Layers) discusses independent protection layers (IPLs). The requirements for a device, system, or action to be considered an IPL are defined, and the concept of the probability of failure on demand (PFD) for an IPL is presented and discussed. Examples of active, passive and human IPLs are given together with typical ranges of PFD.
Chapter 7 (Determining the Frequency of Scenarios) presents the calculations for the continuing example problems using several methods. These show how different organizations would combine the individual components of a scenario to calculate the frequency of the consequence type specific to their method.
Chapter 8 (Using LOPA to Make Risk Decisions) discusses how the results of calculations are used to make decisions on whether the frequency of the consequence for a given scenario meets the risk tolerance criteria for a particular organization. Methods from various companies are used to demonstrate the concepts.
Chapter 9 (Implementing LOPA) discusses the implementation of LOPA within an organization. Reference materials, standards, and procedures, together with personnel expertise and training issues, are discussed.
Chapter 10 (Using LOPA for Other Applications) discusses other uses, apart from risk assessment, for which LOPA may be considered.
Chapter 11 (Advanced LOPA Techniques) discusses advanced LOPA topics. Situations where some of the inherently conservative assumptions made in LOPA may be modified are reviewed. The use of LOPA for other risk assessment applications is discussed.
Appendix A (LOPA Summary Sheets for the Continuing Examples) contains the complete LOPA sheets for all of the scenarios in the continuing examples using all of the methodologies discussed in the book.
Appendix B (Worked Examples from CCPS's Safe Automation Book) provides an analysis of the problem discussed in Chapter 7 of CCPS (1993b). Important issues regarding the application of the rules for an IPL are discussed.
Appendix C (Documentation for a LOPA Study) summarizes the minimum documentation requirements for a LOPA study and discusses why such information is required, the appropriate level of detail, and other uses of the documentation.
Appendix D (Linkage with Other Publications) discusses other publications. Included are the use of LOPA to address regulatory or other process safety issues, and how other publications can assist in the implementation of LOPA.
Appendix E (Industry Risk Tolerance Criteria Data) lists typical data related to risk tolerance criteria.
Appendix F (High Initiating Event Frequency Scenarios) describes LOPA calculations when the initiating event frequency is high compared to the test frequency of the independent protection layer.
Appendix G (Additional Reading) is a list of other books and articles that may be of interest to the reader.
2 Overview of LOPA
2.1. Purpose
The purpose of this chapter is to introduce layer of protection analysis (LOPA) by describing what LOPA is, what it does, when it is used, how it works, and how it is implemented. The limitations and benefits of LOPA are also discussed. This chapter also introduces two example problems used throughout the book to illustrate each step in the LOPA process.
2.2. What Is LOPA?
LOPA is a simplified form of risk assessment. LOPA typically uses order of magnitude categories for initiating event frequency, consequence severity, and the likelihood of failure of independent protection layers (IPLs) to approximate the risk of a scenario. LOPA is an analysis tool that typically builds on the information developed during a qualitative hazard evaluation, such as a process hazard analysis (PHA). LOPA is implemented using a set of rules. Like many other hazard analysis methods, the primary purpose of LOPA is to determine if there are sufficient layers of protection against an accident scenario (can the risk be tolerated?). As illustrated in Figure 2.1, many types of protective layers are possible. A scenario may require one or many protection layers depending on the process complexity and potential severity of a consequence. Note that for a given scenario, only one layer must work successfully for the consequence to be prevented. However, since no layer is perfectly effective, sufficient protection layers must be provided to render the risk of the accident tolerable.
FIGURE 2.1. Layers of defense against a possible accident.
LOPA provides a consistent basis for judging whether there are sufficient IPLs to control the risk of an accident for a given scenario. If the estimated risk of a scenario is not acceptable, additional IPLs may be added. Alternatives encompassing inherently safer design can be evaluated as well. LOPA does not suggest which IPLs to add or which design to choose, but it assists in judging between alternatives for risk mitigation. LOPA is not a fully quantitative risk assessment approach, but is rather a simplified method for assessing the value of protection layers for a well-defined accident scenario.
2.3. What LOPA Does
LOPA provides a risk analyst with a method to reproducibly evaluate the risk of selected accident scenarios. A scenario is typically identified during a qualitative hazard evaluation (HE), such as a PHA, management of change evaluation, or design review. LOPA is applied after an unacceptable consequence, and a credible cause for it, is selected. It then provides an order of magnitude approximation of the risk of a scenario. LOPA is limited to evaluating a single cause–consequence pair as a scenario.
Once a cause–consequence pair is selected for analysis, the analyst can use LOPA to determine which engineering and administrative controls (often called safeguards) meet the definition of IPLs, and then estimate the as-is risk of the scenario. The results can then be extended to make risk judgments and to help the analyst decide how much additional risk reduction may be required to reach a tolerable risk level. Other scenarios or other issues may be revealed while performing LOPA on a scenario. Another way to understand LOPA is to view it relative to chemical process quantitative risk assessment (CPQRA). In this context, a LOPA scenario represents one path (typically the path to the worst consequence) through an event tree. Figure 2.2 shows an event tree for a given initiating event. An event tree shows all the possible outcomes (consequences) of an initiating event. A comprehensive treatment of the use of event trees and other quantitative risk assessment methods is provided by the CCPS CPQRA books Guidelines for Chemical Process Quantitative Risk Analysis and Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition (CCPS, 1989a, 2000a) and Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples (CCPS, 1992a). For LOPA, the analyst (or team) must limit each analysis to a single consequence, paired to a single cause (initiating event). In many applications of LOPA, the goal of the analyst is to identify all cause–consequence pairs that can exceed the organization's tolerance for risk.
FIGURE 2.2. Comparison of LOPA and event tree analysis.
In others, the analyst chooses the cause–consequence pair that likely represents the highest risk scenario from many scenarios that may be similar to the one chosen. The approach taken depends upon the analyst’s experience with LOPA and with the process under consideration - this is not always straightforward. In practice, the analyst who will apply LOPA will not have the benefit of picking a scenario from a fully developed event tree. Instead, LOPA typically begins with scenarios identified by a qualitative hazard review team. As mentioned earlier, LOPA is a method that falls between qualitative and quantitative methods and is applied when the analyst decides it is the best tool for judging risk. The goal is to choose scenarios that the analyst believes represent the most significant risk scenarios, as described in the next section.
2.4. When to Use LOPA
LOPA is typically applied after a qualitative hazard evaluation (e.g., PHA) using the scenarios identified by the qualitative hazard review team. However, "typically" means just that: LOPA can also be used to analyze scenarios that originate from any source, including design option analysis and incident investigations. LOPA can also be applied when a hazard evaluation team (or other entity)
• believes a scenario is too complex for the team to make a reasonable risk judgment using purely qualitative judgment, or
• believes the consequences are too severe to rely solely on qualitative risk judgment.
The hazard evaluation team may judge a scenario "too complex" if they
• do not understand the initiating event well enough,
• do not understand the sequence of events well enough, or
• do not understand whether the safeguards are truly IPLs.
LOPA can also be used as a screening tool prior to a more rigorous quantitative risk assessment (CPQRA) method. When used as a screening tool, each scenario above a specified consequence or risk level first goes through LOPA, and then certain scenarios are targeted for a higher level of risk assessment. The decision to proceed to CPQRA is typically based on the risk level determined by LOPA or on the opinion of the LOPA analyst (i.e., the scenario is too critical or complex to rely on LOPA for risk assessment).
Figure 2.3 depicts the spectrum of risk assessment tools, from purely qualitative to rigorous application of quantitative methods. At the far left are qualitative tools; these are typically used to identify scenarios and qualitatively judge if the risk is tolerable. In the middle are semi-quantitative tools (or simplified quantitative tools); these include LOPA and are used to provide an order-of-magnitude estimate of risk. Finally, at the far right are quantitative tools; these allow analysis of more complex scenarios and provide risk estimates for comparison and risk judgment. The percentages shown in Figure 2.3 are for illustration purposes only. Typically all scenarios are identified and evaluated qualitatively, some that are too onerous or complex proceed to semi-quantitative risk assessment, and a few scenarios may need more rigorous evaluation than is possible with LOPA. Thus, LOPA can be applied to evaluate scenarios that are too complex or consequential for qualitative review alone, and LOPA can screen which scenarios need more quantitative scrutiny (which need to go beyond LOPA to CPQRA). Later chapters provide examples of how companies have incorporated LOPA into their risk assessment approaches.
FIGURE 2.3. Spectrum of tools for risk-based decision making.
In general, the writers believe that if the analyst or team can make a reasonable risk decision using only qualitative methods, then LOPA may be overkill. However, LOPA can be much more efficient than qualitative methods for judging the sufficiency of IPLs; in a qualitative hazard review these decisions can quickly digress into shouting matches. LOPA should not be used as a replacement for quantitative analysis. If complex human behavior models or equipment failure models are required to understand the risk of a scenario, then quantitative analysis is more appropriate.
2.5. How LOPA Works
Like all analytical methods, LOPA has rules, which are provided in this book. Like other methods, LOPA can be divided into steps. The LOPA steps are outlined in Figure 2.4 and summarized below. Figure 2.4 also identifies the relevant chapter for each step. The steps below refer to Figures 2.5 through 2.11 and show how the results are selected from the figures. These figures are discussed in detail in later chapters.
FIGURE 2.4. How LOPA works.
Step 1: Identify the consequence to screen the scenarios. Since LOPA typically evaluates scenarios that have been developed in a prior study, a first step by the LOPA analyst(s) is to screen these scenarios, and the most common screening method is based on consequence. The consequence is typically identified during a qualitative hazard review (such as a HAZOP study) (see Figure 2.5). Next the analyst evaluates the consequence (including the impact) and estimates its magnitude. Some companies stop at the magnitude of a release (of material or energy), which implies, but does not explicitly state, the impact to people, the environment, and the production system (see Figure 2.6). Other companies will model the release (see Figure 2.7) and more explicitly estimate the risk to people, the environment, and production by accounting for the likelihood of harm resulting from a specific scenario, for instance by also accounting for the probability of operators being in harm's way during a release scenario. Chapter 3 describes the methods used for consequence estimation within LOPA.
Step 2: Select an accident scenario. LOPA is applied to one scenario at a time. The scenario can come from other analyses (such as qualitative analyses), but the scenario describes a single cause–consequence pair (see Figure 2.5). Chapter 4 provides rules and examples for identifying scenarios.
Step 3: Identify the initiating event of the scenario and determine the initiating event frequency (events per year). The initiating event must lead to the consequence (given failure of all of the safeguards). The frequency must account for background aspects of the scenario, such as the frequency of the mode of operation for which the scenario is valid. Most companies provide guidance on estimating the frequency to achieve consistency in LOPA results (see Figure 2.8). Chapter 5 provides guidance on selecting an appropriate initiating event and on determining a reasonable frequency in the context of the accident scenario being analyzed.
Step 4: Identify the IPLs and estimate the probability of failure on demand of each IPL.
Recall that LOPA is short for "layer of protection analysis." Some accident scenarios will require only one IPL, while others may require many IPLs, or IPLs with a very low probability of failure on demand, to achieve a tolerable risk for the scenario. Recognizing the existing safeguards that meet the requirements of IPLs for a given scenario is the heart of LOPA. Most companies provide a predetermined set of IPL values for use by the analyst, so the analyst may pick the values that best fit the scenario being analyzed (see Figure 2.9). Chapter 6 provides the rules (requirements) that are applied to select existing IPLs and also describes how various companies estimate the effectiveness of existing and proposed IPLs.
Step 5: Estimate the risk of the scenario by mathematically combining the consequence, initiating event, and IPL data. Other factors may be included during the calculation, depending on the definition of consequence (impact event). Approaches include arithmetic formulae and graphical methods. Regardless of the method, most companies provide a standard form for documenting the results (see Figure 2.10). Chapter 7 describes how to use LOPA data to estimate risk, using the initiating event frequency (discussed in Chapter 5), the IPL values (discussed in Chapter 6), and the consequence value (discussed in Chapter 3). Chapter 7 also discusses how to include the probability of reaching the impact event, given that the stated consequence (such as a release of a hazardous substance) occurs, and how to estimate the frequency of the scenario (by factoring in the probability of the presence of people in the vicinity, probability of escape, probability of ignition, etc.).
FIGURE 2.5. Choosing the scenario.
FIGURE 2.6. Determining the consequence and its severity.
FIGURE 2.7. Mathematical modeling of consequence.
FIGURE 2.8. Choosing initiating event frequency.
FIGURE 2.9. Choosing IPL values.
FIGURE 2.10. LOPA documentation.
FIGURE 2.11. Estimating the risk and required action.
Step 6: Evaluate the risk to reach a decision concerning the scenario. Chapter 8 describes how to make risk decisions with LOPA. This includes comparing the risk of a scenario to a company’s tolerable risk criteria and/or related targets (see Figure 2.11). Chapter 10 describes other uses of LOPA results. Chapters 8 and 10 also describe how the results can be used to prioritize risk management activities, such as identifying which equipment components to focus on within a mechanical integrity program.
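Steps 3 to 6 above, carried through in code as an added example; this is not code from the CCPS book. It assumes a "shares no component" test as a simplified stand-in for the Chapter 6 IPL independence rules, an assumed tag "level sensor 80" shared by LI-80 and LAH-80 of Continuing Example 2, constructed values for the initiating event frequency, PFDs, ignition probability and tolerance criterion, and the IEC 61508 low-demand PFD bands for the SIL lookup. The event tree enumeration shows what Figure 2.2 in Section 2.3 describes: the LOPA scenario is one path through the tree, the one on which every credited IPL fails.

```python
"""LOPA arithmetic for one cause-consequence pair (Steps 3 to 6 of Section 2.5).
Added example, not code from the CCPS book; every number and tag is constructed."""
from dataclasses import dataclass, field
from itertools import product

@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float                           # probability of failure on demand
    components: frozenset = frozenset()  # equipment or people the layer relies on

@dataclass
class Scenario:
    initiating_event: str
    ie_frequency: float                  # events per year (Step 3)
    ie_components: frozenset = frozenset()                     # hardware whose failure is the cause
    safeguards: list = field(default_factory=list)             # candidate IPLs (Step 4)
    conditional_modifiers: dict = field(default_factory=dict)  # e.g. P(ignition) (Step 5)

def credited_ipls(s):
    """Credit only safeguards independent of the initiating event and of every IPL
    already credited.  'Shares no component' is an assumed stand-in for the full
    Chapter 6 independence rules."""
    used = set(s.ie_components)
    credited = []
    for sg in s.safeguards:
        if sg.components & used:
            continue                     # shared sensor/valve/operator: no credit
        credited.append(sg)
        used |= sg.components
    return credited

def mitigated_frequency(s):
    """Step 5: f_consequence = f_IE * prod(PFD_i) * prod(conditional modifiers)."""
    f = s.ie_frequency
    for ipl in credited_ipls(s):
        f *= ipl.pfd
    for p in s.conditional_modifiers.values():
        f *= p
    return f

def event_tree(s):
    """Figure 2.2: frequency of every success/failure path through the credited
    IPLs.  The LOPA scenario is the single path on which all of them fail."""
    ipls = credited_ipls(s)
    paths = {}
    for outcome in product(("works", "fails"), repeat=len(ipls)):
        f = s.ie_frequency
        for ipl, o in zip(ipls, outcome):
            f *= ipl.pfd if o == "fails" else 1.0 - ipl.pfd
        paths[outcome] = f
    return paths

def required_added_pfd(f_mitigated, f_tolerable):
    """Step 6: PFD a new IPL (e.g. a SIF) must reach to meet the tolerance
    criterion; None when the as-is risk is already tolerable."""
    if f_mitigated <= f_tolerable:
        return None
    return f_tolerable / f_mitigated

def sil_for_pfd(pfd):
    """IEC 61508 low-demand PFD bands; 0 means no SIL-rated SIF is needed."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    raise ValueError("PFD below 1e-5 cannot be claimed for a single IPL")

# Constructed scenario loosely following Continuing Example 2 (tank T-301).
# "level sensor 80" is an assumed tag shared by LI-80 and LAH-80, so watching
# the indicator is NOT independent of the alarm and earns no separate credit.
TANK_OVERFLOW = Scenario(
    initiating_event="truck arrives with insufficient room in T-301",
    ie_frequency=0.1,                    # per year, constructed
    safeguards=[
        IPL("LAH-80 alarm, operator stops transfer", 0.1,
            frozenset({"level sensor 80", "control room operator"})),
        IPL("operator watches LI-80", 0.1,
            frozenset({"level sensor 80", "control room operator"})),
        IPL("dike holds 120,000 lb", 0.01, frozenset({"dike"})),
    ],
    conditional_modifiers={"P(ignition)": 0.1},
)
TOLERABLE = 3e-7                         # per year, constructed criterion

def analyse(s, f_tolerable):
    """Returns (mitigated frequency, PFD required of an added IPL, its SIL)."""
    f = mitigated_frequency(s)
    need = required_added_pfd(f, f_tolerable)
    return f, need, None if need is None else sil_for_pfd(need)

if __name__ == "__main__":
    f, need, sil = analyse(TANK_OVERFLOW, TOLERABLE)
    print("credited IPLs:", [i.name for i in credited_ipls(TANK_OVERFLOW)])
    print(f"mitigated frequency {f:.1e}/yr, tolerable {TOLERABLE:.0e}/yr")
    if need is not None:
        print(f"an added SIF needs PFD <= {need:.1e}, i.e. SIL {sil}")
    for outcome, freq in sorted(event_tree(TANK_OVERFLOW).items(), key=lambda kv: -kv[1]):
        print(f"{freq:.1e}/yr  {outcome}")
```

Running it drops the second safeguard from the credited list because it shares the level sensor and the operator with the alarm, which is the kind of double counting the IPL rules exist to prevent; with the constructed numbers the as-is frequency is 1e-5 per year against a 3e-7 per year criterion, so the proposed SIF must reach a PFD of about 0.03 (a SIL 1 requirement), and the four event-tree paths sum back to the initiating event frequency, confirming that the LOPA figure is one path of the tree rather than a separate model.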
2.6. How to Implement LOPA
LOPA is most effective when an organization adopts a consistent approach to LOPA and sets criteria for when to use LOPA and who is qualified to use it. Chapter 9 provides general guidance for effective implementation of LOPA and includes lessons learned from several international companies. Training of personnel in LOPA is a key implementation task. Chapter 11 describes advanced LOPA topics. LOPA can be applied in a team setting, such as during or immediately following a HAZOP- or What-If–based review (e.g., PHA) used to identify accident scenarios. LOPA can also be applied by a single analyst; in this case, the scenarios have typically already been identified for the analyst (such as by a hazard evaluation team). Note that a single analyst rarely works in a vacuum and will almost inevitably need to clarify issues with others in the organization. Many companies practice LOPA with a subteam composed of the analyst and a process engineer or production specialist (someone intimately familiar with the process); a larger team or an independent LOPA analyst may review their work.
2.7. Limitations of LOPA
LOPA is just another risk analysis tool that must be applied correctly. The limitations imposed on LOPA result in a work process that is much less complex than quantitative risk analysis, while generating useful, somewhat conservative, estimates of risk. LOPA is subject to the following limitations:
• Risk comparisons of scenarios are valid only if the same LOPA method is used (i.e., the same methods for choosing failure data) and the comparisons are based on the same risk tolerance criteria or on the risk of other scenarios determined by LOPA. The numbers generated by a LOPA calculation are not precise values of the risk of a scenario. This is also a limitation of quantitative risk analysis.
MYTH: Since LOPA uses numbers, the results express the precise risk of the scenario.
REALITY: This is NOT true. Like other techniques, LOPA gives approximations of risk that are useful in making comparisons (which help to allocate limited resources for risk control). For many purposes, LOPA analyses have sufficient precision to adequately quantify the risk of a particular process scenario.
• LOPA is a simplified approach and should not be applied to all scenarios. The amount of effort required to implement LOPA may be excessive for some risk-based decisions and overly simplistic for other decisions.
• LOPA requires more time to reach a risk-based decision than qualitative methods such as HAZOP and What-If. This extra time is offset by the improved risk decision compared to using only qualitative methods for moderately complex scenarios. For simple decisions, the value of LOPA is minimal. For more complex scenarios and decisions, LOPA may actually save time compared to using only qualitative methods, because LOPA brings focus to the decision making.
MYTH: Since LOPA provides quantitative results, LOPA is better than HAZOP.
REALITY: The two are different techniques with different goals and cannot be compared directly.
• HAZOP is ideally suited for brainstorming or uncovering what could go wrong and for identifying potential accident scenarios; a HAZOP team can also qualitatively judge the risk of a scenario.
• LOPA allows the analyst to take a predefined scenario and estimate the risk of the scenario in a consistent and simplified manner.
LOPA complements HAZOP or other hazard identification methodologies.
• LOPA is not intended to be a hazard identification tool. LOPA depends on the methods used (including qualitative hazard review methods) to identify the hazardous events and to identify a starting list of causes and safeguards. The more rigorous procedure of LOPA frequently clarifies ill-defined scenarios from qualitative hazard reviews.
• Differences in risk tolerance criteria and in LOPA implementation between organizations mean that the results cannot normally be compared directly from one organization to another. This is true of CPQRA techniques as well.
2.8. Benefits of LOPA
LOPA has many benefits that justify investment by company management and risk analysts. As with most new tools, however, the benefits often cannot be fully appreciated until LOPA is applied to everyday problems. Some general benefits of LOPA include:
• LOPA requires less time than quantitative risk analysis. This benefit applies particularly to scenarios that are too complex for qualitative assessment of risk.
• LOPA helps resolve conflicts in decision making by providing a consistent, simplified framework for estimating the risk of a scenario and provides a common language for discussing risk. LOPA provides a better risk decision basis compared to subjective or emotional arguments based on "the risk is tolerable to me." This is particularly beneficial for organizations making the transition from qualitative to more quantitative risk methods.
• LOPA can improve the efficiency of hazard evaluation meetings by providing a tool to help reach risk judgments quicker.
• LOPA facilitates the determination of more precise cause–consequence pairs, and therefore improves scenario identification.
• LOPA provides a means of comparing risk from unit to unit or plant to plant, if the same approach is used throughout the company.
• LOPA provides more defensible comparative risk judgments than qualitative methods due to the more rigorous documentation and the specific values assigned to frequency and consequence aspects of the scenario.
• LOPA can be used to help an organization decide if the risk is "as low as reasonably practicable" (ALARP), which may also serve to meet specific regulatory requirements.
• LOPA helps identify operations and practices that were previously thought to have sufficient safeguards, but on more detailed analysis (facilitated by LOPA), the safeguards do not mitigate the risk to a tolerable level.
• LOPA helps provide the basis for a clear, functional specification for an IPL [ISA S84.01 (ISA, 1996) and IEC 61508 and IEC 61511 (IEC, 1998; 2001)].
• Information from LOPA helps an organization decide which safeguards to focus on during operation, maintenance, and related training. For instance, many companies decide to focus their inspection, test, and preventive maintenance activities on the IPLs identified during LOPA; these companies often decide to run the remaining safeguards (those not identified as IPLs) to failure or subject them to less rigorous test and maintenance schedules. Therefore, LOPA is a tool for implementing a wise PSM mechanical integrity or risk-based maintenance system, and it aids in the identification of "safety critical" features and tasks.
2.9. Introduction of Continuing Examples
The following two examples will be used to illustrate the concepts of LOPA throughout this book. Note that LOPA methods vary throughout the industry. Each example shows only one of the many approaches. Variations will be shown or discussed in the following chapters and appendices. The solution steps for each example will be shown in each chapter. For each of these examples:
• Chapter 3 discusses how to identify consequences and classify them for severity.
• Chapter 4 shows how to identify scenarios in LOPA terms.
• Chapter 5 shows how to identify the initiating events in a scenario, and how to calculate the initiating event frequency.
• Chapter 6 shows how to identify potential Independent Protection Layers (IPLs), how to test for independence, and how to estimate the probability of failure on demand (PFD) for the applicable IPLs.
• Chapter 7 shows how to calculate the frequency of the scenario with the IPLs in place.
• Chapter 8 describes how to use LOPA to evaluate risk and make decisions.
Continuing Example 1: Hexane Surge Tank Overflow
The following process, shown in Figure 2.12, will be used as a continuing example to illustrate the concepts of LOPA throughout this book.
Design
Hexane flows from another process unit (not shown) into a hexane surge tank. The hexane supply pipeline is always under pressure. The surge tank level is controlled by a level control loop (LIC-90) that senses the level in the tank and throttles a level valve (LV-90) to control the level. Hexane is used by a downstream process (also not shown). The LIC loop includes a high level alarm (LAH-90) to alert the operator. The tank normally operates half full; the total tank capacity is 80,000 lb of hexane. The tank is located in a dike that can contain up to 120,000 lb of hexane. The designs in the examples are for illustrative purposes only. The designs are not necessarily endorsed by the authors. Readers are cautioned to use designs appropriate for their applications.
FIGURE 2.12. Continuing Example 1: Hexane surge tank overflow (as is).
Scope
This example provides a limited illustration of LOPA for a process safety decision based on the use of a safety instrumented function (SIF) as an independent protection layer (IPL). During the process hazard analysis (PHA), the team discussed the need for a high level SIF to help prevent overfilling accidents. They decided to use LOPA to help structure this process safety decision. The PHA team identified other scenarios that would lead to releases of hexane from the surge tank and related process equipment, but these other scenarios are not modeled here.
Hazard Information
The hazard information was prepared as part of the PHA, prior to conducting the LOPA. This included identification of the hazards, scenarios, consequences, safeguards, and subsequent recommendations. The consequences identified are: overflow of the tank; possible failure of the dike; and subsequent dispersion of flammable hexane vapors, which if ignited, will result in a pool fire.
Continuing Example 2: Hexane Storage Tank Overflow
The following process, shown in Figure 2.13, will be used as a second continuing example to illustrate the concepts of LOPA throughout this book.
FIGURE 2.13. Continuing Example 2: Hexane storage tank overflow (as is).
Design
Hexane is unloaded from a tank truck (50,000 lb) via pump 3-40 into makeup storage tank T-301, which has a capacity of 80,000 lb. The surrounding dike is designed to contain 120,000 lb of hexane. The truck is unloaded once every 4 days, or about 90 times per year. The makeup storage tank is equipped with a level indicator (LI-80) and a high level alarm (LAH-80) that annunciates in the control room. Two operators are typically involved in this operation: one in the field who initiates the transfer with the delivery truck driver, and one in the control room who monitors and operates various process functions from a computer interface. The driver is required to supervise the transfer.
Scope
This example provides a limited illustration of LOPA for a process safety decision on the use of a safety instrumented function (SIF) as an independent protection layer (IPL). During the process hazard analysis (PHA), the team discussed the need for a high level SIF to trip the feed pump and close an inlet valve (to be installed) to help prevent overfilling accidents. They decided to use LOPA to help structure this process safety decision. The overflow scenario of concern is initiated by the arrival of a truck when there is insufficient room in tank T-301 for the truck contents. This could be due to a number of situations, including an error in ordering, or the unit having been shut down after the truck was ordered. The PHA team identified other scenarios that would lead to releases of hexane from the storage tank and related process equipment, but these other scenarios are not analyzed here.
Hazard Information
The hazard information was prepared as part of the qualitative PHA, prior to conducting the LOPA. This included identification of the hazards, scenario, consequences, safeguards, and subsequent recommendations. The consequences are overflow of the tank; possible overflow of the dike; and subsequent dispersion of flammable hexane vapors, which if ignited, will result in a pool fire.
3 Estimating Consequences and Severity
3.1. Purpose
One component of the risk of any accident scenario is its consequence. In LOPA, the consequences are estimated to an order of magnitude of severity, which requires much less effort than mathematical modeling, and yet still facilitates comparison of risk from different scenarios. This chapter describes the various types of consequence analysis used in LOPA. The continuing examples illustrate consequence analysis using the principles outlined in this chapter. This is Step 1 of the LOPA method.
3.2. Consequences of Interest
Consequences are the undesirable outcomes of accident scenarios. One of the first decisions an organization must make when choosing to implement LOPA is how to define the consequence endpoint. Some companies stop at loss of containment; others estimate the final impact in terms of harm or damage. The most common scenario of interest for LOPA in the chemical process industry is loss of containment of hazardous material or energy. Loss of containment can occur by a variety of mechanisms such as a leak from a vessel, rupture of a pipeline, and lifting of a relief valve. The typical sequence of consequences of a release of flammable/toxic material is shown in Figure 3.1 and explained below.
FIGURE 3.1. Potential consequences from a flammable/toxic release.
The material released may be in a liquid, gas, or solid form, or a combination of these. If the released material is flammable, ignition may result in an explosion and/or fire. In the case of immediate ignition of a pressurized gas or two-phase release, jet fires may ensue. In the absence of immediate ignition, material may disperse to form a vapor cloud with delayed ignition as a flash fire or explosion. Liquid spills may burn as pool fires if ignited. If the released material is toxic, plant personnel or the public may be exposed to unhealthy concentrations. The radiation flux from fires, overpressures from explosions, and toxic concentrations from toxic releases are called physical effects. The physical effects have "impact" on personnel, environment and property, and may result in losses such as injuries, fatalities, environmental harm, and property damage. In addition to these initial effects, there could be follow-on losses due to business interruption, loss of quality of product, demolition requirements, and loss of credibility with the public, regulators, customers, and stockholders. The range of consequence endpoints for a loss of containment scenario includes the release of the hazardous material; the dispersion of the hazardous material; physical effects from fires, explosions and toxic releases; and the losses from the impact of physical effects. All of these consequence endpoints are quantifiable by some estimation method. For example, a release can be measured in terms of the released quantity; the dispersion in terms of dispersion distance/area (for specific concentrations); and the losses in terms of number of injuries and fatalities, property damage, financial losses or indirect losses.
3.3. Consequence Evaluation Approaches for LOPA

Consequence evaluation is an integral part of any risk assessment methodology. What consequences should be evaluated, and how rigorously the consequences are evaluated, depend on several factors, including the risk associated with the accident scenarios, the risk assessment methodology adopted by the organization, and the resources the organization is willing to expend to refine the estimate. These implementation issues are discussed in greater detail in Chapter 9. The different types of consequence evaluation are:
• Release size/characterization
• Simplified injury/fatality estimates
• Simplified injury/fatality estimates with adjustments
• Detailed injury/fatality estimates
Each of these methods has its advantages and disadvantages, which are discussed in the following sections. The method used for consequence categorization should be consistent with the company’s risk tolerance criteria. Any organization implementing LOPA should carefully consider the level of detail for consequence analysis, as this choice can significantly affect the level of effort and training required. Figure 3.1 shows a generic release event and possible outcomes. Some companies choose to stop the analysis at identifying and quantifying the type and size of the release. Their risk tolerance criteria assume that releases of certain magnitudes have a certain likelihood of harming the environment, people, or production/assets. In these companies, the primary risk tolerance criterion is matched to the fact that the consequence categorization stops at the “release.” Other companies choose to explicitly account for the likelihood of some impact event (e.g., employee injury), and therefore their consequence categories are also more explicit in the degree of harm done. It should be noted that either approach can (and typically does) provide comparable risk decisions.
Method 1: Category Approach without Direct Reference to Human Harm

This method typically uses matrices to differentiate consequences into various categories. It avoids estimating the number of potential injuries or fatalities, thereby:
• avoiding any overt appearance that injuries and fatalities are tolerable, and
• helping the team make more accurate judgments about relative risk, since it is very difficult to estimate qualitatively the number of people who might be harmed and how severe the harm might be.

For instance, falling down a flight of stairs could result in a spectrum of consequences, ranging from a slight bruise to a fatality. Or, a toxic release can result in one or more fatalities or no harm at all, depending on the proximity of people to the release point and the time and capability they have to escape.

Table 3.1 is an example that includes a simple approach to categorize the consequences from a chemical release. Each consequence is assigned a numerical category from 1 to 5, with 5 being the most severe. Table 3.1 includes three matrices:
• The upper matrix relates release size and the physical and toxicological properties to consequence categories (this avoids the need for quantitative calculations of dispersion, etc.).
• The middle matrix relates plant type and type of damage or production loss to consequence categories.
• The lower matrix relates equivalent cost factors to consequence categories.

Note that the middle and lower matrices are used when
• the scenario does not involve a material release, or
• the severity category for the scenario is higher on one of the lower matrices than it is on the upper matrix, or
• the analyst judges the lower matrices better describe the consequence.

[Note that the consequence category for vapor releases can be reduced in severity if dispersion modeling (quantitative analysis) is performed and shows that a lower impact category is warranted.]

Once the release category has been assigned, it is combined with the anticipated or calculated frequency (see Chapters 5, 6, and 7) of the consequence to assess whether the risk is tolerable (see Chapter 8).

The advantages of this method:
• The method is simple and easy to use because the size and properties of the release are relatively easy to assess. No case-by-case modeling is required. A release of a certain size is assigned a certain consequence value independent of the eventual effect (fire, explosion, toxic release, injury, fatality, etc.). The criteria for loss of production are similarly simple to assess.
• When combined with a matrix showing the organization’s risk tolerance criteria, the method allows visual assessment of where a given risk lies in relation to the organization’s guidelines.

The disadvantages of this method:
• It requires either the acceptance of the consequence categorization matrix or the development of such a matrix by baseline modeling. The baseline modeling is time consuming and requires a good basic understanding of modeling techniques and physical processes.
• The endpoints are not presented in terms of specific injury/fatality/cost figures, which can cause interpretation problems in some organizations.

TABLE 3.1 Example Consequence Categorization

Size of Release (beyond a dike)

| Release Characteristic | 1- to 10-pound release | 10- to 100-pound release | 100- to 1,000-pound release | 1,000- to 10,000-pound release | 10,000- to 100,000-pound release | >100,000-pound release |
|---|---|---|---|---|---|---|
| Extremely toxic above BP* | Category 3 | Category 4 | Category 5 | Category 5 | Category 5 | Category 5 |
| Extremely toxic below BP or highly toxic above BP | Category 2 | Category 3 | Category 4 | Category 5 | Category 5 | Category 5 |
| Highly toxic below BP or flammable above BP | Category 2 | Category 2 | Category 3 | Category 4 | Category 5 | Category 5 |
| Flammable below BP | Category 1 | Category 2 | Category 2 | Category 3 | Category 4 | Category 5 |
| Combustible liquid | Category 1 | Category 1 | Category 1 | Category 2 | Category 2 | Category 3 |

*BP = atmospheric boiling point

Magnitude of Loss

| Consequence Characteristic | Spared or nonessential equipment | Plant outage <1 month | Plant outage 1–3 months | Plant outage >3 months | Vessel rupture 3,000 to 10,000 gal, 100–300 psi | Vessel rupture >10,000 gal, >300 psi |
|---|---|---|---|---|---|---|
| Mechanical damage to large main product plant | Category 2 | Category 3 | Category 4 | Category 4 | Category 4 | Category 5 |
| Mechanical damage to small by-product plant | Category 2 | Category 2 | Category 3 | Category 4 | Category 4 | Category 5 |

Consequence cost (U.S. dollars)

| Consequence Characteristic | $0–$10,000 | $10,000–$100,000 | $100,000–$1,000,000 | $1,000,000–$10,000,000 | >$10,000,000 |
|---|---|---|---|---|---|
| Overall cost of event | Category 1 | Category 2 | Category 3 | Category 4 | Category 5 |

Note: This table of values is for example only, to indicate what one or more companies use to categorize consequences. CCPS does not endorse one method over another.
Method 2: Qualitative Estimates with Human Harm

This method uses the final impact to humans as the consequence of interest, but arrives at the value using purely qualitative judgment. For each scenario, the human consequences are estimated directly by the LOPA analyst, using past experience, previously generated look-up tables, or knowledge of prior detailed release modeling of similar releases. Table 3.2 shows the consequence categorization resulting from this method. The resulting risk of an injury/fatality can be compared directly to a fatality risk tolerance criterion (see Chapter 8) for an individual event, or all of the events associated with a process or plant can be summed and then compared to process/plant risk tolerance criteria.

The advantages of this method are:
• Simplicity of understanding: Many people tend to better understand consequence in terms of harm rather than expressing risk in terms of release size.
• Direct comparison with corporate guidelines: Many companies already have established guidelines for risk of a fatality/injury, or for risk of a certain monetary loss.

The disadvantages of this method are:
• Implicit assumptions for the probability of ignition for flammable releases, for the probability of injury, and the probability that a person is present in the area may over- or underestimate the risk of fatality.
• Look-up tables such as Table 3.2 are even less precise (more subjective) than release categorization tables such as Table 3.1.
• The estimation of the consequence severity may vary between different analysts, unless some guidance is provided across the company.

TABLE 3.2 Qualitative Categorization (Combined Loss Categories)

| | Low Consequence | Medium Consequence | High Consequence | Very High Consequence |
|---|---|---|---|---|
| Personnel | Minor or no injury; no lost time | Single injury, not severe; possible lost time | One or more severe injuries | Fatality or permanently disabling injury |
| Community | No injury, hazard, or annoyance to public | Odor or noise complaint from the public | One or more minor injuries | One or more severe injuries |
| Environment | Recordable event with no agency notification or permit violation | Release that results in agency notification or permit violation | Significant release with serious offsite impact | Significant release with serious offsite impact and more likely than not to cause immediate or long-term health effects |
| Facility | Minimal equipment damage at an estimated cost of less than $100,000 and with no loss of production | Some equipment damage at an estimated cost greater than $100,000 and with minimal loss of production | Major damage to process area(s) at an estimated cost greater than $1,000,000 or some loss of production | Major or total destruction of process area(s) at an estimated cost greater than $10,000,000 or a significant loss of production |

Note: This table of values is for example only, to indicate what one or more companies use to categorize consequences. CCPS does not endorse one method over another.

Method 3: Qualitative Estimates with Human Harm with Adjustments for Postrelease Probabilities

Alternatively, the LOPA analyst can initially estimate the magnitude of a release “qualitatively” similar to Method 2 (but not as subjective as a look-up table similar to Table 3.2), and then later (as described in Chapter 7) adjust the event frequency by the probability that:
• the event will result in a flammable or toxic cloud;
• for a flammable cloud, an ignition source will be present;
• an individual will be present in the area when the event occurs;
• the individual will experience a fatal (or injurious) consequence.

The advantages of this method:
• Simplicity of understanding: People tend to better understand consequence in terms of harm rather than expressing risk in terms of release size.
• Direct comparison with corporate guidelines: Many companies already have established guidelines for risk of a fatality or injury.
• Frequency adjustments: The frequency adjustments may give a better estimate of the risk of human harm.

The disadvantages of this method:
• The simplifications made in assessing the probabilities of the events subsequent to the release. The results of real-world events have proven to be both significantly less and significantly greater than those calculated by analysts. However, if consistent approaches are used, it is reasonable to expect that this method will highlight scenarios with relatively higher risk.
• Extra parameters for the probability of reaching the stated impact or outcome must be included in the risk calculation (described in Chapter 7), and these may change over time (e.g., the number of people or their location changes).
• The estimation of the consequence severity may vary between different analysts, unless some guidance is provided across the company.
• This method would need to be augmented to address business impact or economic risk.
Method 4: Quantitative Estimates with Human Harm

This method is similar to the qualitative estimates with human harm method (Method 3), but uses detailed analyses in determining the effects of a release and its effects upon individuals and equipment. This method involves the use of mathematical models (typically complex computerized models) to simulate the release itself (also called “source term” modeling), the subsequent dispersion, and the toxic or blast/thermal effect. Figure 3.2 illustrates the typical results from detailed modeling of the release of a highly toxic material. Refer to Guidelines for Consequence Analysis of Chemical Releases (CCPS, 1999) for more details on quantitative modeling.
FIGURE 3.2. Typical vulnerability zone from detailed (mathematical) modeling. ERPG 2 is the maximum airborne concentration below which it is believed that nearly all individuals could be exposed for up to one hour without experiencing or developing irreversible or serious health effects or symptoms which could impair an individual’s ability to take protective action.
The advantages of this method:
• A greater degree of certainty concerning the predicted consequences.
• Direct comparison with corporate guidelines.

The disadvantages of this method:
• Although the modeling programs are much more sophisticated than the estimation methods, the results of real-world events have been both significantly less and significantly greater than those calculated by analysts. Modeling results are strongly affected by the exact release conditions (e.g., is the pipe severed or cracked? is the break near the tank or mid-run? is the release oriented up or down?), atmospheric stability, wind direction, time to ignition, etc. There are thousands of possible permutations to consider. Inevitably only a few “representative” cases can be chosen.
• The level of sophistication required for modeling the consequence of a scenario is disproportionate to that used to estimate the order of magnitude frequency of the scenario with LOPA.
• The training, experience and effort required to perform the modeling can be prohibitive, and such analysis is usually only applied to scenarios that have already been judged to have potentially fatal results.
For these reasons, this method is typically used only for compounds that are new to a company, or for scenarios requiring a higher level of scrutiny than LOPA can provide. Modeling is frequently reserved for scenarios that require CPQRA—the step beyond LOPA.
3.4. Continuing Examples

In this section, consequences are assessed for the scenarios described in the continuing examples. We will use two methods in this chapter to categorize the consequences to illustrate the concepts used for LOPA. The first (Method 1) will use a category, look-up method, using Table 3.1 as the reference table. For this approach, only the boiling point, flammability data, and total quantity of the material are required. The second (Method 3) will qualitatively estimate the scenario consequences using prior experience of the authors. Method 3 is further addressed in Chapter 7, where we include consideration of the probability of ignition, probability of harm, etc. In writing this book, we also confirmed the consequence severity by a detailed dispersion calculation and flammable effects model (Method 4), but the results are not shown in the book. This method required
• flammability data for hexane,
• past experience with similar incidents in the industry, and
• a general understanding of fires and explosions and the models that describe these phenomena.
Continuing Example 1: Hexane Surge Tank Overflow

Scenario 1a: Hexane Surge Tank Overflow—Spill Not Contained by the Dike

For this case, we will assume that the total overflow can be as large as 40,000 lb of hexane, and that the dike is present as an IPL (addressed in detail in Chapter 6). The dike has a probability of failure with the release spreading beyond the dike.

METHOD 1
Using this method, the consequence category from Table 3.1 for a release of 40,000 lb of a flammable liquid below its boiling point is Category 4.

METHOD 3
For this method up to 40,000 lb of hexane is released, which could result in a large pool fire. In view of the low volatility of hexane, a flammable cloud is not expected beyond the pool. A flash fire is considered unlikely, based on the flash point of hexane at process temperatures. The fire has the capacity to injure personnel in the immediate area of the spill, which now includes an area beyond the dike. This qualitative interim result will be combined in Chapter 7 with the probability of ignition, probability of personnel present, and probability of harm done to personnel, given they are present.

Scenario 1b: Hexane Surge Tank Overflow—Spill Contained by the Dike

Given the flow rate into the vessel, the frequency of operator rounds, and the many other upstream limitations and safeguards, the plant engineers estimate that the maximum overflow (after completely filling the vessel) is 40,000 lb of hexane. Scenario 1b assumes that the dike will work perfectly to contain the spill.

METHOD 1
Using this method, there is no consequence since the release is completely contained by the dike. Table 3.1 ignores spills of flammable liquid into dikes, if the dikes are assumed not to fail.

METHOD 3
For this method we have up to 40,000 lb of hexane in the dike, which could result in a contained pool fire. In view of the low volatility of hexane, a flammable cloud is not expected beyond the pool. A flash fire is considered unlikely, based on the flash point of hexane at process temperatures. The fire has the capacity to injure personnel in the immediate area. This qualitative interim result will be combined in Chapter 7 with the probability of ignition, probability of personnel present, and probability of harm done to personnel, given they are present.

Continuing Example 2: Hexane Storage Tank Overflow

Scenario 2a: Hexane Storage Tank Overflow—Spill Not Contained by the Dike

For this case, we will assume that the total overflow can be as large as 40,000 lb of hexane, and that the dike is present as an IPL (addressed in detail in Chapter 6). The dike has a probability of failure with the release spreading beyond the dike.

METHOD 1
Using this method, the consequence category from Table 3.1 for a release of 40,000 lb of a flammable liquid below its boiling point is Category 4.

METHOD 3
For this method up to 40,000 lb of hexane is released, which could result in a large pool fire. Again, in view of the low volatility of the hexane, a flammable cloud is not expected beyond the pool. A flash fire is considered unlikely, based on the flash point of hexane at process temperatures. The fire has the capacity to injure personnel in the immediate area of the spill, which now includes an area beyond the dike. This qualitative interim result will be combined in Chapter 7 with the probability of ignition, probability of personnel present, and probability of harm done to personnel, given they are present.

Scenario 2b: Hexane Storage Tank Overflow—Spill Contained by the Dike

For this case, we will assume that the total overflow can be as large as 40,000 lb of hexane, and that the dike will not fail.

METHOD 1
Using this method, there is no consequence since the release is completely contained by the dike. Table 3.1 ignores spills of flammable liquid into dikes, if the dikes are assumed not to fail.

METHOD 3
For this method up to 40,000 lb of hexane may be present in the dike, which could result in a contained pool fire. Again, in view of the low volatility of the hexane, a flammable cloud is not expected beyond the pool. A flash fire is considered unlikely, based on the flash point of hexane at process temperatures. The fire has the capacity to injure personnel in the immediate area of the spill. This qualitative interim result (a release of 40,000 lb of hexane into the dike) will be combined in Chapter 7 with the probability of ignition, probability of personnel present, and probability of harm done to personnel, given they are present.
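The Method 1 results above come from reading Table 3.1 by hand. The following is an added example (not code from CCPS or the book) that encodes the three matrices of Table 3.1 as data and applies the combination rule stated in Section 3.3: the middle and lower matrices are used when there is no material release or when they rate the scenario higher than the upper matrix. It is checked against the continuing examples (40,000 lb of flammable liquid below its boiling point beyond the dike gives Category 4; a spill held by the dike gets no category). The bin-edge convention at exactly 10 lb or exactly $10,000, and returning None when no matrix applies, are assumptions of this example, not statements from the book.

```python
"""Method 1 consequence categorization, after Table 3.1.

Added example (not CCPS code): the three matrices of Table 3.1 are encoded as
data, and categorize() applies the rule given in the text that the middle
(loss) and lower (cost) matrices are used when there is no material release
or when they give a higher category than the release matrix. The bin-edge
convention (a release of exactly 10 lb falls in the 10- to 100-pound column,
a cost of exactly $10,000 in the $10,000-$100,000 column) and the return of
None when no matrix applies are assumptions of this example.
"""
from typing import Optional

# Upper matrix: category per release-size column (pounds released beyond the dike).
# Columns: 1-10, 10-100, 100-1,000, 1,000-10,000, 10,000-100,000, >100,000 lb.
SIZE_EDGES_LB = (10, 100, 1_000, 10_000, 100_000)
RELEASE_MATRIX = {
    "extremely toxic above BP": (3, 4, 5, 5, 5, 5),
    "extremely toxic below BP or highly toxic above BP": (2, 3, 4, 5, 5, 5),
    "highly toxic below BP or flammable above BP": (2, 2, 3, 4, 5, 5),
    "flammable below BP": (1, 2, 2, 3, 4, 5),
    "combustible liquid": (1, 1, 1, 2, 2, 3),
}

# Middle matrix: category per magnitude-of-loss column, by plant type.
LOSS_COLUMNS = (
    "spared or nonessential equipment",
    "plant outage <1 month",
    "plant outage 1-3 months",
    "plant outage >3 months",
    "vessel rupture 3,000-10,000 gal, 100-300 psi",
    "vessel rupture >10,000 gal, >300 psi",
)
LOSS_MATRIX = {
    "large main product plant": (2, 3, 4, 4, 4, 5),
    "small by-product plant": (2, 2, 3, 4, 4, 5),
}

# Lower matrix: overall cost of the event, categories 1 through 5.
COST_EDGES_USD = (10_000, 100_000, 1_000_000, 10_000_000)


def size_bin(pounds_beyond_dike: float) -> Optional[int]:
    """Column index in the upper matrix, or None when less than 1 lb leaves the dike.

    Table 3.1 has no column below 1 lb, which is why a spill held by the dike
    gets no category under Method 1.
    """
    if pounds_beyond_dike < 1:
        return None
    # Every edge reached moves the release one column right; the last column is open-ended.
    return sum(1 for edge in SIZE_EDGES_LB if pounds_beyond_dike >= edge)


def cost_category(cost_usd: float) -> int:
    """Lower-matrix category: 1 for $0-$10,000, rising one step per decade of cost."""
    return 1 + sum(1 for edge in COST_EDGES_USD if cost_usd >= edge)


def categorize(release_class: Optional[str] = None, pounds_beyond_dike: float = 0.0,
               plant: Optional[str] = None, loss: Optional[str] = None,
               cost_usd: Optional[float] = None) -> Optional[int]:
    """Highest category from whichever matrices apply to the scenario.

    Taking the maximum implements the text's rule: the loss and cost matrices
    are used when there is no material release, or when they rate the scenario
    more severely than the release matrix does.
    """
    candidates = []
    if release_class is not None:
        column = size_bin(pounds_beyond_dike)
        if column is not None:
            candidates.append(RELEASE_MATRIX[release_class][column])
    if plant is not None and loss is not None:
        candidates.append(LOSS_MATRIX[plant][LOSS_COLUMNS.index(loss)])
    if cost_usd is not None:
        candidates.append(cost_category(cost_usd))
    return max(candidates) if candidates else None


if __name__ == "__main__":
    # Scenario 1a: 40,000 lb of hexane (flammable below BP) spreads beyond the dike.
    print("Scenario 1a:", categorize("flammable below BP", 40_000))   # Category 4
    # Scenario 1b: the dike holds, so nothing passes the "beyond a dike" threshold.
    print("Scenario 1b:", categorize("flammable below BP", 0))        # None (no category)
    # A non-release loss event rated on the middle matrix only.
    print("Outage:", categorize(plant="large main product plant", loss="plant outage 1-3 months"))
```

Because the function takes the maximum over every matrix the analyst supplies, a release that rates low on the upper matrix but would take a major plant out of service for months is carried at the higher category, which is the behaviour the text asks for when the lower matrices "better describe the consequence".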
3.5. Link Forward

Chapter 4 will explain how scenarios are selected and developed for purposes of LOPA. As mentioned earlier, categorizing the consequences is often the screening criterion for selecting the scenarios for LOPA. Other criteria can also be used. Chapters 5 and 6 will complete the data collection and scenario development efforts for a LOPA scenario.
4 Developing Scenarios
4.1. Purpose

Scenario development is the LOPA step in which the team or analyst constructs a series of events, including initiating events and the failure of IPLs (independent protection layers), that lead to an undesired consequence. The purpose of this chapter is to describe the components of a scenario and give examples of how scenarios can be developed from hazard evaluations and other sources. This chapter discusses Step 2 of the LOPA process.
4.2. LOPA Scenarios and Components

A scenario is an unplanned event or sequence of events that results in an undesirable consequence. Each scenario consists of at least two elements (see Figure 4.1):
• an initiating event (e.g., loss of cooling) that starts the chain of events and
• a consequence (the potential for overpressuring the system, release of toxic or flammable material to the atmosphere, fatality, etc.) that results if the chain of events continues without interruption.

FIGURE 4.1. Minimum requirements for a scenario

Inherently safer concepts attempt to reduce risk by eliminating scenarios, usually by preventing or reducing the consequence of an initiating event. For example, if a process is modified to significantly reduce the inventory of a toxic material that could be released, the consequence, and thus the risk, associated with a vessel rupture can be significantly reduced. Again, if a vessel is designed to resist an internal explosion, or the shut-off head of a pump, or a relief flow is passed to a flare rather than directly to the atmosphere, the risk associated with scenarios with these consequences may be reduced or eliminated. How inherently safer concepts can be incorporated into LOPA is discussed in more detail in Chapter 6.

Each scenario must have a unique initiating event/consequence pair. If the same initiating event can result in different consequences, additional scenarios should be developed. In some cases many scenarios may spring from a common initiating event (e.g., loss of a utility to a facility) and separate scenarios should be developed for individual sections of the plant.

In addition to the initiating event and consequence, a scenario may also include
• enabling events or conditions that have to occur or be present before the initiating event can result in a consequence (see Figures 4.2 and 4.3).
• the failure of safeguards (which may be IPLs), as shown in Figure 4.4. Not all safeguards are IPLs, but all IPLs are safeguards. (See Chapter 6.)

Methods that use consequence end-points of fatalities, or harm to business or the environment, may also include some or all of the following factors, or outcome modifiers, in the scenario:
• the probability of ignition of a flammable material (liquid or vapor release),
• the probability of a person being present in the area affected by the event,
• the probability that a fatal injury will result from exposure to the effects of the fire, explosion, or toxic release—includes evacuation or protective action, or
• the probability that an estimated financial loss to the facility of a certain magnitude will result.

Other methods may utilize other factors or probabilities.

FIGURE 4.2. Coincident initiating and enabling events.

FIGURE 4.3. Coincident initiating event and enabling condition.

FIGURE 4.4. Effect of IPL failing to operate as intended.

Example 4.1
Loss of cooling (the initiating event) can result in a runaway exothermic reaction in a batch reactor and overpressure, but only during a portion of the reaction (the enabling condition) when the system is in the reaction exotherm phase and thus vulnerable to loss of cooling.
In most scenarios there will be at least one safeguard that can be considered an IPL for the purposes of LOPA. If this IPL operates as intended, it will break the chain of events and prevent the undesired consequence from occurring (see Figure 4.4 and Chapter 6).
Example 4.2
For the batch reactor of Example 4.1, there may be many safeguards in place against overpressure (alarms, operator interaction, manual venting, SIFs, relief devices, etc.) that may have been identified by a hazard evaluation team. In this case a review of these safeguards might determine that only two of these might be considered as meeting the requirements of an IPL for LOPA:
• a BPCS (basic process control system) function (i.e., interlock) designed to detect high temperature/pressure and take action to prevent the runaway exothermic reaction; and
• a correctly sized and maintained relief valve to prevent the overpressure of the system following an exotherm.

Figure 4.5 shows the scenario for Example 4.2 for loss of cooling leading to overpressure of the reactor:
1. Loss of cooling (Initiating Event) AND
2. Reactor in a condition where exotherm can occur if cooling is lost (Enabling Condition) AND
3. BPCS fails to act correctly (Failure of IPL) AND
4. Relief valve fails to act correctly (Failure of IPL)
RESULTING IN:
5. Overpressure of reactor system (Consequence—flange leakage and/or potential rupture with large release of energy and/or hazardous material and potential for fatalities, injuries, or property or environmental damage).

As discussed in Chapter 3, the LOPA method used by a particular organization will affect how the consequences of each scenario are developed and completed. The effectiveness of the LOPA method relies heavily on the thoroughness of the detail presented in the scenario. Each scenario must be adequately documented (see Section 4.3 and Appendix C).
FIGURE 4.5. Scenario path for reactor Example 4.2.
4.3. Identifying and Developing Candidate Scenarios

This section examines methods for identifying and developing scenarios to the level of detail required for LOPA.
Identifying Candidate Scenarios

The most common source of information for identifying scenarios is hazard evaluations (HE) developed and documented for existing processes and performed during the design of new and modified processes. The purpose of an HE is to identify, assess and document the hazards associated with the process (see Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples; CCPS, 1992a). Most HE methods are qualitative and do not enable an analyst or team to quantify whether the risk associated with a documented hazard is acceptable (so their judgment may be inconsistent). The HE may have already identified the initiating event for a given scenario, but enabling events and safeguards are often neglected, not included appropriately, or are not fully understood or documented.

Figure 4.6 shows how information from a HAZOP type review could be used in developing a scenario for LOPA. HAZOP reports usually contain adequate information to describe the components of a scenario. LOPA can take HAZOP information and assign numeric values for initiating event frequency, failure frequency and probability of failure on demand (PFD), and (using the LOPA rules) determine whether a safeguard is an IPL. Thus, in Figure 4.6, the causes identified in the HAZOP are used to specify the initiating event and the LOPA method will assign a frequency to this event. Similarly, if the HAZOP identifies a safeguard, LOPA will determine whether this is an IPL for the scenario, and if so, what PFD should be assigned. A HAZOP study uses qualitative (voting) judgments of risk whereas LOPA uses order-of-magnitude estimates to make judgments of risk.

Other sources for identifying candidate scenarios for LOPA are
• issues related to plant operation. This could involve unexpected behavior, or operating conditions outside normal ranges, etc.;
• incidents in the process, or from other processes, which reveal an initiating event or scenario not previously considered or which was not considered credible;
• the requirement to change the process, which could involve new or modified scenarios;
• interlock reviews to assess whether the safety instrumented function (SIF)—interlock—is required and, if so, the type of SIF required to meet the corporate risk guidelines.
FIGURE 4.6. HAZOP Information and LOPA.
Scenario Development

Once a scenario has been identified, it must be developed and documented to the level where a basic understanding of the events and safeguards is achieved. The scenario may not be initially understood completely and may undergo revisions. New scenarios may also be revealed that must be analyzed separately. Table 4.1 shows one method for presenting the information required for full development of a scenario. Table 4.1 is discussed in more detail in Appendix C. Any format is acceptable, provided that it is comprehensive and applied consistently within an organization.

Include All Steps of the Scenario

A scenario requires identification and documentation of all the important steps required for an event to progress from the initiating event to the consequence. Any factor that could affect the numeric calculation of the consequence frequency or consequence size or type should be included and documented (see Appendix C). It is critically important to maintain the link between a specific initiating event, a specific consequence, and specific IPLs. Otherwise, IPLs may not be credited appropriately.

Example 4.3
One scenario for a reactor would be loss of cooling leading to overpressure and possible leakage and rupture. A second scenario would be external fire leading to overpressure and possible leakage and rupture, and a third might be loss of reflux leading to the same consequence. A high temperature trip (a candidate IPL) might protect against the first and third scenarios, but might provide no protection against external fire in the second scenario. While it may be that the relief valve is sized for the largest of these relief loads, each of the scenarios must be examined for appropriate relief protection to ensure the relief valve is an IPL.
Once the initiating event is identified for a specific scenario, the analyst must determine whether any enabling events or conditions are required for the initiating event to lead to the consequence. Again, an understanding of how events could unfold is required. Chapter 5 deals with these issues in greater detail. The next step is to confirm that the consequence is stated using the same criteria as the LOPA method (see Chapter 3). If the LOPA method being applied categorizes the size and type of release or damage (Methods 1 and 2, Chapter 3), then this must be calculated or estimated for each scenario. If the method uses fatality frequency (Methods 3 and 4, Chapter 3), then appropriate probabilities must be assigned before the calculation for the scenario can be completed (see Chapter 7).
4. Developing Scenarios
TABLE 4.1 Example of Summary Sheet for LOPA Scenario Documentation and Calculations
Scenario Number:
Equipment Number:
Date:
Scenario Title:
Columns: Description, Probability, Frequency (per year)
Consequence Description/Category
Risk Tolerance Criteria (Category or Frequency)
Initiating Event (typically a frequency)
Enabling Event or Condition
Conditional Modifiers (if applicable)
  Probability of ignition
  Probability of personnel in affected area
  Probability of fatal injury
  Others
Frequency of Unmitigated Consequence
Independent Protection Layers
  BPCS
  Human intervention
  SIF
  Pressure relief device
  Other protection layers (must justify)
Safeguards (non-IPLs)
Total PFD for all IPLs
Frequency of Mitigated Consequence
Risk Tolerance Criteria Met? (Yes/No):
Actions Required to Meet Risk Tolerance Criteria:
Notes:
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
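As an added worked example (not code from the CCPS text), the following Python carries the fields of the summary sheet above through the arithmetic a completed sheet implies: the initiating event frequency is multiplied by the enabling event probability and, for the fatality-frequency methods only, by the conditional modifiers to give the unmitigated frequency, and the product of the credited IPL PFDs then gives the mitigated frequency to compare against the risk tolerance criterion. Safeguards that fail the independence test are kept on the sheet as non-IPL safeguards rather than dropped, so a later reviewer can see what was considered. The scenario, the safeguard names and every number in example_scenario() are illustrative assumptions; they are not the values the book derives later for the continuing examples.

```python
"""Arithmetic behind the Table 4.1 LOPA summary sheet (added example, not CCPS code).

  unmitigated frequency = initiating event frequency (per year)
                          x enabling event/condition probability
                          x conditional modifiers (fatality-frequency methods only)
  mitigated frequency   = unmitigated frequency x product of the credited IPL PFDs

Every name and number in example_scenario() is an illustrative assumption.
"""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Optional


@dataclass
class Safeguard:
    name: str
    pfd: float           # probability of failure on demand, 0 < pfd < 1
    independent: bool    # independent of the initiating event and of every other credited layer
    justification: str   # why it is (or is not) credited; kept so later reviewers can see the reasoning

    def __post_init__(self) -> None:
        if not 0.0 < self.pfd < 1.0:
            raise ValueError(f"{self.name}: PFD must lie strictly between 0 and 1")


@dataclass
class LopaScenario:
    number: str
    title: str
    consequence: str
    initiating_event: str
    initiating_frequency: float                      # events per year
    enabling_probability: float = 1.0                # 1.0 when no enabling event/condition applies
    conditional_modifiers: Dict[str, float] = field(default_factory=dict)
    safeguards: List[Safeguard] = field(default_factory=list)  # everything the hazard review listed
    tolerance_frequency: Optional[float] = None      # per year; None for category-only methods

    def __post_init__(self) -> None:
        if self.initiating_frequency <= 0:
            raise ValueError("initiating event frequency must be positive")
        probs = {"enabling event": self.enabling_probability, **self.conditional_modifiers}
        for name, p in probs.items():
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{name}: probability must lie in [0, 1]")

    # Only safeguards that pass the independence test are credited as IPLs; the
    # others stay on the sheet as non-IPL safeguards, so the record shows what
    # was considered and why it was not credited.
    def ipls(self) -> List[Safeguard]:
        return [s for s in self.safeguards if s.independent]

    def non_ipl_safeguards(self) -> List[Safeguard]:
        return [s for s in self.safeguards if not s.independent]

    def unmitigated_frequency(self, fatality_method: bool) -> float:
        f = self.initiating_frequency * self.enabling_probability
        if fatality_method:  # Methods 3 and 4 of Chapter 3 apply the conditional modifiers
            f *= prod(self.conditional_modifiers.values(), start=1.0)
        return f

    def total_pfd(self) -> float:
        return prod((s.pfd for s in self.ipls()), start=1.0)

    def mitigated_frequency(self, fatality_method: bool) -> float:
        return self.unmitigated_frequency(fatality_method) * self.total_pfd()

    def meets_criteria(self, fatality_method: bool) -> Optional[bool]:
        if self.tolerance_frequency is None:
            return None  # category methods compare against a risk matrix instead
        return self.mitigated_frequency(fatality_method) <= self.tolerance_frequency

    def summary_sheet(self, fatality_method: bool) -> str:
        """Render the Table 4.1 fields as one text line per field."""
        out = [f"Scenario Number: {self.number}", f"Scenario Title: {self.title}",
               f"Consequence Description/Category: {self.consequence}",
               f"Initiating Event: {self.initiating_event}, {self.initiating_frequency:.1e} /yr",
               f"Enabling Event or Condition: probability {self.enabling_probability:g}"]
        for name, p in self.conditional_modifiers.items():
            out.append(f"  {name}: {p:g}" if fatality_method else f"  {name}: N/A")
        out.append(f"Frequency of Unmitigated Consequence: {self.unmitigated_frequency(fatality_method):.1e} /yr")
        out += [f"IPL: {s.name} (PFD {s.pfd:g}); {s.justification}" for s in self.ipls()]
        out += [f"Safeguard (non-IPL): {s.name}; {s.justification}" for s in self.non_ipl_safeguards()]
        out.append(f"Total PFD for all IPLs: {self.total_pfd():.1e}")
        out.append(f"Frequency of Mitigated Consequence: {self.mitigated_frequency(fatality_method):.1e} /yr")
        out.append(f"Risk Tolerance Criteria Met? {self.meets_criteria(fatality_method)}")
        return "\n".join(out)


def example_scenario() -> LopaScenario:
    """Constructed tank-overflow scenario; all values are assumptions for illustration."""
    return LopaScenario(
        number="X-1", title="Tank overflow, spill not contained by the dike",
        consequence="Pool fire outside the dike with possible fatality",
        initiating_event="BPCS level loop failure",
        initiating_frequency=0.1,                       # assumed: one loop failure per 10 years
        conditional_modifiers={"Probability of ignition": 0.1,              # assumed
                               "Probability of personnel in affected area": 0.5,
                               "Probability of fatal injury": 0.5},
        safeguards=[
            Safeguard("Operator response to independent high-level switch", 0.1, True,
                      "separate sensor and alarm path from the failed loop; time to act"),
            Safeguard("Dike", 0.01, True, "passive containment sized for the tank inventory"),
            Safeguard("High-level alarm on the failed loop's transmitter", 0.1, False,
                      "shares the transmitter whose failure is the initiating event"),
        ],
        tolerance_frequency=1e-5,                       # assumed criterion, fatalities per year
    )


if __name__ == "__main__":
    print(example_scenario().summary_sheet(fatality_method=True))
```

Running the same scenario with fatality_method=False shows why the method choice matters: without the conditional modifiers the mitigated frequency is the release frequency, a hundred times higher in this constructed case, and it must be judged against a release criterion rather than a fatality criterion.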
The next step in developing the scenario is to identify the safeguards that are in place, which, if they operate as intended, may prevent the scenario from proceeding to the consequence. It is best to list all of the safeguards for a particular scenario before deciding which are truly IPLs. This practice documents the issues considered and enables subsequent reviewers to understand why some safeguards were or were not considered to be IPLs. Chapter 6 describes the requirements for a safeguard to be considered as an IPL in LOPA. Care must be taken in applying these guidelines to ensure that a particular safeguard meets the requirements of an IPL. Example 4.4 demonstrates the development of a scenario for the reactor exotherm discussed in Examples 4.1 and 4.2.
Example 4.4
Consider a typical hazard evaluation of the reactor runaway exotherm scenario presented in Examples 4.1 and 4.2:
• The HE team would almost certainly have identified the potential for a runaway exotherm on loss of cooling. However, a qualitative HE might not have documented:
  • that the potential for a runaway exotherm is only present during a specific portion of the batch cycle; and
  • the frequency at which loss of cooling is expected to occur.
Thus, the LOPA analyst would need to calculate the effective initiating frequency for this particular scenario. This would require such data as: a history of loss of cooling incidents at the facility, the batch cycle time, the number of batches run in a year for that particular recipe, the reaction kinetics, and the vapor-liquid equilibria of the reaction feeds, intermediates, and products.
• The consequence described by the HE team may not match the classification used within an organization for making risk based judgments. The LOPA analyst must state the consequence in a manner consistent with the method being applied.
• The HE team may have listed multiple safeguards against overpressuring the system, but may not have considered whether these safeguards were fully effective and independent of the initiating event and other protection layers. These safeguards might include operator action, alarms, multiple BPCS loops, SIF loops, relief devices, etc. The LOPA analyst should review the list of safeguards generated by the HE to identify those considered as true IPLs in LOPA.
Clarification/Modification of Initial Scenario
Regardless of how the initial scenario is generated and developed, the scenario, or the process it relates to, may not be completely understood. Scenario development often clarifies or modifies the initial path(s) by which a given initiating event can result in an undesired consequence. Additional information becomes available as the analysis progresses, and questions are often asked concerning the assumptions made earlier. This new information may demonstrate that the consequence is less serious than initially thought, that there are more IPLs than originally included in the analysis, or that the initiating frequency is lower, etc. In other cases the analysis may show that the risk is greater than first thought, due to safeguards not being truly independent or effective, or due to the initiating event frequency or consequence being greater than originally assumed. In some cases this analysis can lead to development of new scenarios as a greater understanding of the system is gained. This new understanding may also affect how similar scenarios are viewed in other processes. This is one of the side benefits of the LOPA process. A documentation and tracking system should be used to ensure that the scenario and associated issues, recommendations, references, assumptions, etc. are fully documented and recommendations are resolved (see Appendix C).
4.4. Continuing Examples
Tables 4.2 and 4.3 present the results of a HAZOP for the continuing examples used in this book. Chapter 2 provided the basic problem descriptions together with the P&IDs and other relevant information. Chapter 3 identified the undesired consequences. In some LOPA methods the spill itself is the consequence end-point (the event itself must be prevented and the probabilities of ignition of the flammable material and the presence of personnel are viewed as irrelevant). Other approaches use the fatality frequency due to ignition of the spill inside or outside of the dike, including the various probabilities discussed in Examples 4.1 and 4.2 of Section 4.2. The HAZOP method and results shown in Tables 4.2 and 4.3 are for illustration and use a generic approach with key words for the deviation (low flow or no flow, high temperature, etc.) used to initiate discussion. The HAZOP tables then show whether a cause, or causes, for this deviation are present in the system and what consequences could result. Any safeguards are then listed against the cause leading to the deviation. Finally, any recommendations that are considered appropriate are listed, using a qualitative ranking approach. The results of the HAZOP for both installations indicate that loss of containment from the tank is a significant concern. There are several scenarios relating to loss of containment in Tables 4.2 and 4.3, but the scenarios selected for demonstrating the LOPA methodology in this book involve high liquid level leading to an overflow. Table 4.4 shows Scenario 1a of Example 1 developed using a matrix method for consequence and risk assessment (Method 1 from Chapter 3). In Table 4.5, Scenario 2a of Example 2 is developed using the fatality frequency method for consequence and risk assessment (Method 3 from Chapter 3). These tables only contain information on the consequence and the initiating event; the remaining fields in the tables, including numeric data, will be completed as the continuing example problems are discussed in the other chapters of this book. Appendix A contains the completed LOPA summary tables for all continuing examples using the risk matrix, fatality frequency, and required number of IPL methods, which are discussed in Chapter 8.

TABLE 4.2 HAZOP for Hexane Surge Tank
Section 1—Line from the “prior process” to Hexane Surge Tank T-401
Drawing: P&ID for Continuing Example 1, Figure 2.12

Item 1.1 High flow
  Causes: Flow control valve transfers or fails open
  Consequences: High level—Hexane Surge Tank T-401 (see 2.1)

Item 1.2 Low flow or no flow
  Causes: Blocked flow (e.g., plugged line); Downstream manual block valve inadvertently closed or gate falls; Low pressure (see 1.7)
  Consequences: Low level—Hexane Surge Tank T-401 (see 2.2); Potential overheating and failure of upstream pump seal outside battery limit (OSBL) of study

Item 1.3 Reverse flow
  Causes: Low pressure (see 1.7)
  Consequences: Possible loss of containment (see 1.9)
  Safeguards: Check valve

Item 1.4 High temperature
  Causes: No credible causes identified

Item 1.5 Low temperature
  Consequences: No consequences of interest

Item 1.6 High pressure
  Consequences: No consequences of interest

Item 1.7 Low pressure
  Causes: Upstream pump (OSBL) fails off
  Consequences: Low flow or no flow (see 1.2); Reverse flow (see 1.3)
  Safeguards: Local pressure gauge at discharge of upstream pump (OSBL)

Item 1.8 High concentration of contaminants
  Consequences: No consequence of interest—contamination downstream, possibly resulting in unit upset

Item 1.9 Loss of containment
  Causes: Corrosion/erosion; External fire; External impact; Gasket, packing, or seal failure; Hydraulic hammer; Improper maintenance; Instrument or instrument line failure; Material defect; Thermal expansion with equipment blocked in; Reverse flow (see 1.3)
  Consequences: Release of hexane; fire hazard affecting a large area (consequence category 4 or 5)
  Safeguards: Operation/maintenance response as required, including isolation if needed; Capability to manually isolate the line; Check valve to prevent a large back-flow through a line breach; Corrosion probes; Periodic nondestructive inspection

Section 2—Hexane Surge Tank T-401

Item 2.1 High level
  Causes: High flow—Line from the “prior process” to Hexane Surge Tank T-401 (see 1.1)
  Consequences: High pressure (see 2.5)
  Safeguards: Level indication with high level alarm (audible in control room); Unit operating procedures
  Recommendations: Consider installing an SIS to shut off inlet flow on high-high level in T-401

Item 2.2 Low level
  Causes: Low flow or no flow—Line from the “prior process” to Hexane Surge Tank T-401 (see 1.2)
  Consequences: No safety consequences—Potential process interruption if not refilled before downstream feed tank is empty

Item 2.3 High temperature
  Causes: No credible causes identified

Item 2.4 Low temperature
  Causes: Low ambient temperature while there is water contamination in the tank (see 2.7)
  Consequences: Possible freezing of accumulated water in the heel of the tank or in the tank’s drain line or instrument lines, resulting in fracture of the drain line and loss of containment (see 2.8)

Item 2.5 High pressure
  Causes: High level (see 2.1)
  Consequences: Release of hexane through the relief valve into the tank’s dike; fire hazard affecting a large area if not contained by the dike (consequence category 4 or 5); Loss of containment (if the overpressure cause exceeds the tank pressure rating) (see 2.8)

Item 2.6 Low pressure
  Causes: Tank blocked in before cool-down, following steam-out
  Consequences: Equipment damage resulting from collapse of the tank under vacuum
  Safeguards: Standard procedures and checklist for steam-out of vessels

Item 2.7 High concentration of contaminants
  Causes: Water not completely drained following a steam-out or washout
  Consequences: Possible freezing of accumulated water in the tank during a period of low ambient temperature (see 2.4)

Item 2.8 Loss of containment
  Causes: Corrosion/erosion; External fire; External impact; Gasket, packing, or seal failure; Improper maintenance; Instrument or instrument line failure; Material defect; Sample station valve leaking; Vent or drain valve leaking; Low temperature (see 2.4); High pressure (if the overpressure cause exceeds the equipment pressure rating) (see 2.5)
  Consequences: Release of hexane; fire hazard affecting a large area, particularly if the capacity of the dike is exceeded (consequence category 4 or 5)
  Safeguards: Operation/maintenance response as required, including isolation if needed; Capability to manually isolate the tank; Periodic nondestructive inspection per API recommended practices and ASME code; Relief valve that discharges to the tank’s dike; Dike sized for 120,000 lb of hexane (1.5 times capacity of tank); Emergency response procedures
TABLE 4.3A HAZOP for Hexane Storage Tank
Section 1—Line from the Tank Truck to Hexane Storage Tank T-301 Through Hexane Unloading Pump 3-40
Drawing: P&ID for Continuing Example 2, Figure 2.13

Item 3.1 High flow
  Consequences: No consequences of interest

Item 3.2 Low flow or no flow
  Causes: Blocked flow (e.g., plugged line); Downstream manual block valve inadvertently closed or gate falls; Low pressure (see 3.7)
  Consequences: Potential overheating and failure of pump seal (see 3.9); Low level—Hexane Storage Tank T-301 (see 4.2)

Item 3.3 Reverse flow
  Causes: Drain valve inadvertently left open while unloading pump is off; Low pressure (see 3.7)
  Consequences: Possible loss of containment (see 3.9)
  Safeguards: Check valve

Item 3.4 High temperature
  Causes: No credible causes identified

Item 3.5 Low temperature
  Consequences: No consequences of interest

Item 3.6 High pressure
  Consequences: No consequences of interest

Item 3.7 Low pressure
  Causes: Unloading pump fails off
  Consequences: Low flow or no flow (see 3.2); Reverse flow (see 3.3)
  Safeguards: Local pressure gauge

Item 3.8 High concentration of contaminants
  Causes: Contamination (organic, moisture, or debris) in flexible unloading lines; Contamination in the tank truck; Receiving or spotting the wrong tank truck
  Consequences: High concentration of contaminants—Hexane Storage Tank T-301 (see 4.7)
  Safeguards: Hexane unloading procedures; Caps for flexible unloading line; Material testing procedure prior to unloading

Item 3.9 Loss of containment
  Causes: Corrosion/erosion; External fire; External impact; Gasket, packing, or seal failure; Hydraulic hammer; Improper maintenance; Instrument or instrument line failure; Material defect; Thermal expansion with equipment blocked in; Low flow or no flow (see 3.2); Reverse flow (see 3.3)
  Consequences: Release of hexane; fire hazard affecting a large area (consequence category 4 or 5)
  Safeguards: Operation/maintenance response as required, including isolation if needed; Capability to manually isolate the line; Check valve to prevent a large backflow through a line breach; Corrosion probes; Periodic nondestructive inspection
TABLE 4.3B HAZOP for Hexane Storage Tank—Hexane Storage Tank T-301
Drawing: P&ID for Continuing Example 2, Figure 2.13

Item 4.1 High level
  Causes: Flow from tank truck not discontinued before tank capacity has been reached; Inventory control error—Truck arrives before needed
  Consequences: High pressure (see 4.5)
  Safeguards: Level indication with high level alarm (audible in control room); Hexane unloading procedures with checklist that includes checking field reading of tank level before unloading
  Recommendations: Consider installing an SIS to shut off inlet flow on high-high level in T-301

Item 4.2 Low level
  Causes: Inventory control error—Truck arrives too late; Low flow or no flow—Line from the Tank Truck to Hexane Storage Tank T-301 Through Hexane Unloading Pump 3-40 (see 3.2)
  Consequences: No safety consequences—Potential process interruption if not refilled before downstream feed tank is empty

Item 4.3 High temperature
  Causes: No credible causes identified

Item 4.4 Low temperature
  Causes: Low ambient temperature while there is water contamination in the tank (see 4.7)
  Consequences: Possible freezing of accumulated water in the heel of the tank or in the tank’s drain line or instrument lines, resulting in fracture of the drain line and loss of containment (see 4.8)

Item 4.5 High pressure
  Causes: High level (see 4.1)
  Consequences: Release of hexane through the relief valve into the tank’s dike; fire hazard affecting a large area if not contained by the dike (consequence category 4 or 5); Loss of containment (if the overpressure cause exceeds the tank pressure rating) (see 4.8)

Item 4.6 Low pressure
  Causes: Tank blocked in before cool-down, following steam-out
  Consequences: Equipment damage resulting from collapse of the tank under vacuum
  Safeguards: Standard procedures and checklist for steam-out of vessels

Item 4.7 High concentration of contaminants
  Causes: Water not completely drained following a steam-out or washout; High concentration of contaminants—Line from the Tank Truck to Hexane Storage Tank T-301 Through Hexane Unloading Pump 3-40 (see 3.8)
  Consequences: Possible freezing of accumulated water in the tank during a period of low ambient temperature (see 4.4)

Item 4.8 Loss of containment
  Causes: Corrosion/erosion; External fire; External impact; Gasket, packing, or seal failure; Improper maintenance; Instrument or instrument line failure; Material defect; Sample station valve leaking; Vent or drain valve leaking; Low temperature (see 4.4); High pressure (if the overpressure cause exceeds the equipment pressure rating) (see 4.5)
  Consequences: Release of hexane; fire hazard affecting a large area, particularly if the capacity of the dike is exceeded (consequence category 4 or 5)
  Safeguards: Operation/maintenance response as required, including isolation if needed; Capability to manually isolate the tank; Periodic nondestructive inspection per API recommended practices and ASME code; Relief valve that discharges to the tank’s dike; Dike sized for 120,000 lb of hexane (1.5 times capacity of tank); Emergency response procedures
To complete the analysis for this system, the LOPA team or analyst would also consider other scenarios (such as rupture of the flexible filling hose, pump seal failure, etc.), develop quantitative values for the various components of the scenario, and determine whether the existing risk meets the relevant criteria. Chapters 5–8 demonstrate this procedure for the continuing examples.
Continuing Example 1: Hexane Surge Tank Overflow
As this is a continuous process, the control of the liquid level in the tank is a dynamic process that relies upon instrumentation to take action. The dike has adequate capacity to contain the overflow for a period of time sufficient for the operator to detect the spill at the normal flow rate into the tank. The initiating event for this example is failure of the LIC (a BPCS loop), which includes instrumentation failures and operator errors if the level control is set to manual or is bypassed. This could lead to overfilling of the tank and a spill into the dike surrounding the tank. The size or type of consequence depends on whether this dike contains the spill. The two separate scenarios developed for this case follow.
Scenario 1a: Hexane Surge Tank Overflow—Spill Not Contained by the Dike
The initiating event is failure of the level loop leading to tank overflow and release outside the dike due to the dike failure. The consequence (depending upon the method adopted) is a release, or fire outside the dike with possible injuries or fatalities. Existing safeguards, which are candidate IPLs for this scenario, include human intervention (operator response to alarms via the BPCS, and procedures), and the dike. The safeguards will be tested in Chapter 6 to determine if they are IPLs. The LOPA summary sheet for this scenario using the risk matrix method is shown in Table 4.4. Summary sheets for the other methods are shown in Appendix A.
Scenario 1b: Hexane Surge Tank Overflow—Spill Contained by the Dike
The initiating event is failure of the level loop leading to tank overflow with the spill contained by the dike. The consequence (depending upon the method) may be the spill itself or a fire in the dike with possible injuries or fatalities. Existing safeguards, which are candidate IPLs for this scenario, include human intervention (operator response to alarms via the BPCS, and procedures) and the dike. The safeguards will be tested in Chapter 6 to determine if they are IPLs. The LOPA summary sheets for this example for all of the methods are shown in Appendix A. The risk matrix method would not consider this a scenario, since the consequence of a spill inside the dike would not be considered a significant event (see Chapter 3).
TABLE 4.4 Summary Sheet for Continuing Example Scenario 1a—Risk Matrix Consequence Categorization Method (Method 1 of Chapter 3)
Scenario Number: 1a
Equipment Number:
Date:
Scenario Title: Hexane Surge Tank Overflow. Spill not contained by dike
Columns: Description, Probability, Frequency (per year)
Consequence Description/Category: Release of hexane outside the dike due to tank overflow and spill of hexane. Severity Category 4
Risk Tolerance Criteria (Category or Frequency):
Initiating Event (typically a frequency): Loop failure of BPCS LIC.
Enabling Event or Condition:
Conditional Modifiers (if applicable):
  Probability of ignition: N/A
  Probability of personnel in affected area: N/A
  Probability of fatal injury: N/A
  Others: N/A
Frequency of Unmitigated Consequence:
Independent Protection Layers: None identified at this stage of the analysis. See Notes (below) for candidate IPLs
Safeguards (non-IPLs): See Notes (below)
Total PFD for all IPLs:
Frequency of Mitigated Consequence:
Risk Tolerance Criteria Met? (Yes/No):
Actions Required to Meet Risk Tolerance Criteria:
Notes: Consider if the following devices, systems or actions are IPLs: human intervention, other BPCS control loops, dike
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
Continuing Example 2: Hexane Storage Tank Overflow
The potential exists for liquid overflow of the tank if the truck arrives for unloading with insufficient room in the tank. This would result in a spill into the dike. The scenarios developed for this case follow.
Scenario 2a: Hexane Storage Tank Overflow—Spill Not Contained by the Dike
The initiating event is failure of the inventory control system, allowing the tank truck to arrive with insufficient room in the tank. The result is liquid overflow of the tank with spillage outside the dike. The consequence is a release outside the dike with the potential for fire and/or injury. A candidate IPL is the dike. Other existing safeguards, which are candidate IPLs for this scenario, include human intervention (operator response to alarms via the BPCS, and procedures). The LOPA summary sheet for this scenario using the fatality frequency methodology is shown in Table 4.5. Summary sheets for the other methodologies are shown in Appendix A.
Scenario 2b: Hexane Storage Tank Overflow—Spill Contained by the Dike
The initiating event is failure of the inventory control system, allowing the tank truck to arrive with insufficient room in the tank. The result is liquid overflow of the tank with spillage inside the dike. The consequence is a release inside the dike with the potential for fire and/or injury. Existing safeguards, which are candidate IPLs for this scenario, include human intervention (operator response to alarms via the BPCS, and procedures) and the dike. The safeguards will be tested in Chapter 6 to determine if they are IPLs. The LOPA summary sheets for this example, for all of the methods, are shown in Appendix A. The risk matrix method would not consider this as a scenario, since the consequence of a spill inside the dike would not be considered a significant event (see Chapter 3).
An issue arising from these scenarios is that some organizations would not evaluate scenarios 1b and 2b for release within the dike, based on their experience of the severity of the consequence. This judgment is dependent upon the material released and the conditions of the release (temperature, pressure, location, etc.). This reasoning applies to flammables, but not to materials that could form vapor clouds or to materials with the potential for toxic effects (see Chapter 3).
4.5. Link Forward Chapter 5 discusses initiating events and enabling events/conditions and how to estimate these values accurately.
TABLE 4.5 Summary Sheet for Continuing Example Scenario 2a—Fatality Frequency Criteria Method (Method 3 of Chapter 3)
Scenario Number: 2a
Equipment Number:
Date:
Scenario Title: Hexane Storage Tank Overflow. Spill not contained by the dike
Columns: Description, Probability, Frequency (per year)
Consequence Description/Category: Tank overflow and spill of hexane outside dike. Potential for flash fire and pool fire with probable ignition, injury, and fatality
Risk Tolerance Criteria (Category or Frequency):
Initiating Event (typically a frequency): Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency based upon plant data.
Enabling Event or Condition:
Conditional Modifiers (if applicable):
  Probability of ignition:
  Probability of personnel in affected area:
  Probability of fatal injury:
  Others:
Frequency of Unmitigated Consequence:
Independent Protection Layers: None identified at this stage of the analysis. See Notes (below)
Safeguards (non-IPLs): See Notes (below)
Total PFD for all IPLs:
Frequency of Mitigated Consequence:
Risk Tolerance Criteria Met? (Yes/No):
Actions Required to Meet Risk Tolerance Criteria:
Notes: Consider if the following devices, systems or actions are IPLs: human intervention, other BPCS control loops, dike
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
5 Identifying Initiating Event Frequency
5.1. Purpose The purpose of this chapter is twofold. First, it provides guidance on identifying true initiating causes (called initiating events in LOPA) of incident scenarios, and second, it provides guidance on estimating the frequency of initiating events. This chapter addresses Step 3 of the LOPA methodology described in Chapter 2.
5.2. Initiating Events
Expression of Initiating Events
For LOPA, each scenario has a single initiating event. The frequency of the initiating event is normally expressed in events per year. Some sources use other units, such as events per 10^6 hours.
Types of Initiating Events
Initiating events are grouped into three general types: external events, equipment failures, and human failures (also called inappropriate actions). These are shown in Figure 5.1.
FIGURE 5.1. Types of initiating events.
A root cause is defined as “An underlying system-related (the most basic) reason why an incident occurred” (Guidelines for Investigating Chemical Process Incidents; CCPS, 1992b). Initiating events can be the result of various underlying root causes such as external events, equipment failures, or human failures, as shown in Figure 5.1. Root causes are not the same as initiating events, and care should be taken to avoid going too far into root causes in identifying initiating events. Root causes can, however, contribute to determining the frequency of occurrence of the initiating event. Therefore, it may be appropriate to consider some root causes (e.g., inadequate procedures and/or training) when estimating the frequency of the initiating events as described in Section 5.3 of this chapter.
External Initiating Events
As depicted in Figure 5.1, external events include natural phenomena such as earthquakes, tornadoes, or floods; “knock-on” events from fires or explosions in adjacent facilities; and third party intervention such as mechanical impact on equipment or supports by motor vehicles or construction equipment. Sabotage and terrorism are initiating events that require special treatment, because a deliberate adversary may defeat, or attempt to defeat, the IPLs as well as cause the initiating event; the LOPA assumption that a protection layer fails independently of the initiating event does not hold against such an adversary. It may be impossible to protect against sabotage and terrorism with the layers considered here.
Equipment-Related Initiating Events
As depicted in Figure 5.1, equipment-related initiating events can be further classified into control system failures and mechanical failures. Control system failures include, but are not limited to:
• basic process control system (BPCS) component failures,
• software failures or crashes, and
• failure of control support systems (e.g., electricity, instrument air).
Similarly, mechanical failures include, but are not limited to:
• vessel or piping failure caused by wear, fatigue, or corrosion;
• vessel or piping failure caused by design, specification, or manufacturing/fabrication defects;
• vessel or piping failure caused by overpressure (e.g., thermal expansion, pigging/blowing) or underpressure (vacuum collapse);
• vibration-induced failures (e.g., in rotating equipment);
• failures caused by inadequate maintenance/repair, including substitution of improper materials of construction;
• failures resulting from high temperature (e.g., fire exposure, loss of cooling) or low temperature and resulting brittle fracture (e.g., autorefrigeration, low ambient temperature);
• failures resulting from flow surge or hydraulic hammer; and
• failures resulting from internal explosions or decompositions or other uncontrolled reactions.
For a more comprehensive listing of equipment-related initiating causes, refer to Guidelines for Design Solutions for Process Equipment Failures (CCPS, 1998a).
Human Failure-Related Initiating Events
As depicted in Figure 5.1, causes related to human failures are either errors of omission or errors of commission, and include, but are not limited to:
• failure to execute the steps of a task properly, in the proper sequence, or omitting steps (something not done); and
• failure to observe or respond appropriately to conditions or other prompts by the system or process (something done wrongly).
Management systems are not normally listed as potential initiating events, although ineffective management systems are quite often a root cause of human error. For the purposes of LOPA, a cause-identification methodology stopping at a specific human error as the initiating event is sufficient. The analyst should avoid carrying the initiating event analysis too far into root causes of human error, at least at this stage. However, further analysis may be appropriate at the end of the LOPA, when appropriate means of safeguarding are being considered. For a more comprehensive discussion of human error and procedural causes, refer to Guidelines for Preventing Human Error in Process Safety (CCPS, 1994b), or other public domain sources.
Verification of Initiating Events
Prior to assigning frequencies to initiating events, all causes from the scenario development step should be reviewed and verified as valid initiating events for the consequence identified (i.e., there must be a unique cause–consequence relationship). Any causes that are incorrect or inappropriate should be either discarded or developed into valid initiating events. Examples of inappropriate initiating events include:
• Inadequate operator training/certification: This is a possible underlying cause of an initiating event (site- or company-specific levels of training and certification are assumed in assigning failure rates).
• Inadequate test and inspection: This is a possible underlying cause of an initiating event (site- or company-specific normal levels of test and inspection frequency are assumed in assigning failure rates).
• Unavailability of protective devices such as safety valves or overspeed trips (other events must first initiate the scenario before a protective device is challenged).
The analyst should also verify that all the potential initiating events were determined by viewing the process from a system perspective, and ensuring that any causes normally generic to this process or similar processes have not inadvertently been excluded. In addition, the analyst should reduce each cause into discrete failure events. For example, the cause “loss of cooling” could be the result of a coolant pump failure, power failure, or control loop failure. Listing these separately is useful, because the existing (and new) potential layers of protection (described in Chapter 6) may be different for each initiating event. In addition, the analyst should ensure that initiating events in all modes of operation (e.g., normal operation, startup, shutdown, utility outages) and equipment states (e.g., standby, under maintenance) have been identified/examined. Any of these may involve discrete failures that could cause loss of cooling and in turn result in the consequence of interest.
A spurious trip of a safety instrumented function (SIF), which is an independent protection layer for an accident scenario, is only considered an initiating event for scenarios that result from transitional operating states (e.g., emergency shutdowns) and is not normally a valid initiating event in itself. This is another example of the principle noted in the list above, where failure of a relief device to operate on demand is not a valid initiating event of an “overpressure leads to vessel failure” scenario. However, there are circumstances under which spurious trips of protective systems can affect frequencies of initiating events and result in challenges to other protective layers. This is shown in Example 5.1 below.
Example 5.1
A spurious trip of a boiler flame safeguard system can result in the necessity to restart the boiler. This increases the potential for a hazardous event involving a possible firebox explosion and its attendant hazards by increasing the frequency of startups (restarts).
Enabling Events/Conditions
In some scenarios, the initiating event may not be obvious. As the PHA or LOPA team identifies scenarios that lead to safety consequences, some will be developed where the initiating or triggering event is not clear. In such complex scenarios, there may be other factors that are neither failures nor protection layers. These factors are called enabling events or conditions, and consist of operations or conditions that do not directly cause the scenario, but which must be present or active in order for the scenario to proceed. Enabling events are expressed as probabilities, and can include such things as the mode of operation (startup or shutdown) or the operation being in a specific phase or step. In such cases, the initiating event may be the combination of an enabling event (probability) and a subsequent failure or inappropriate action (frequency). This is shown in Examples 5.2 and 5.3 below. Some companies use enabling events/conditions to modify initiating event frequencies. Some do not because of the resulting complexity and potential for underestimation of initiating event frequency.
Example 5.2
At the start of a batch reaction, operator error may result in the addition of twice the correct amount of catalyst. This error will overpressure and possibly rupture the reactor, unless it is prevented by the protection provided by the rupture disc (i.e., the rupture disc must be sized properly for this upset), or an emergency “kill” safety instrumented function (SIF), which will also prevent substantial overpressure. It is assumed that no other protective systems are capable of stopping this upset, once it has started.
Solution: The initiating event frequency for this scenario is a function of how frequently a batch is run (an enabling event), and the chance that twice the catalyst is added to this reaction (the initiating event). It is important for the LOPA team to understand that this initiating event is a combination of the number of batches run per year AND the chance that the catalyst double charge mistake is made. This is key to the calculations. The team must note that if the number of batches per year changes, then the risk of reactor rupture also changes.
Example 5.3
While moving cylinders to a phosgene cylinder hookup station, an operator drops an uncapped cylinder, resulting in the valve breaking off and releasing phosgene.
Solution: Two approaches are possible for this example. In the first, the initiating event is dropping the uncapped phosgene cylinder during movement; note that the initiating event has two parts, moving the uncapped cylinders and dropping one. Thus, the frequency of the initiating event is based on the number of times phosgene cylinders are moved per year, the probability that the cylinder is uncapped, and the subsequent probability that one is dropped. In the second approach, the initiating event frequency is based only on the number of times phosgene cylinders are moved per year and the subsequent probability that one is dropped. Checking that the cylinder is capped before it is moved is considered as a human IPL and would be addressed in the IPL evaluation step of LOPA.
The search for the initiating event involves identifying the hazardous event whose frequency of occurrence is the key factor driving the scenario. The likelihood of an error is dependent on the number of times per year the operation or activity is carried out. However, as a task is done more frequently, many factors influence the likelihood of an error occurring on the task, and any skill improvements as a result of performing the task more frequently may be more than offset by the sheer number of opportunities for error. Therefore, some LOPA analysts use only a few discrete values for human error, rather than adjusting for enabling event frequency. This avoids the underestimation of the likelihood for human error for tasks done only a few times per year. Furthermore, estimation of the error probability for a complex task is often very difficult, and probably outside the scope of LOPA. The organization must develop a consistent set of rules for estimating the likelihood of human error, and then adhere to those rules within LOPA. If the rules do not seem appropriate to a specific LOPA evaluation, then perhaps the analyst should consider performing a quantitative risk analysis for that case.
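The arithmetic behind Examples 5.2 and 5.3, as an added example that is not part of the CCPS text. The numbers of batches, cylinder movements and the per-opportunity probabilities are constructed values chosen for illustration (the book gives none), and the cap-check probability is assumed to be the same number whether it is folded into the initiating event (approach 1) or credited as the PFD of a human IPL (approach 2). The last function shows the trap named in Section 5.6: counting the cap factor in both places.

```python
"""Initiating event frequency from an enabling event and per-opportunity errors.

Added example (not from the CCPS text). It reproduces the arithmetic of
Examples 5.2 and 5.3 with constructed, hypothetical values and shows why the
two bookkeeping approaches for the phosgene cylinder must not be mixed.
"""


def initiating_event_frequency(opportunities_per_year, *probabilities):
    """f_I = (opportunities per year) x product of per-opportunity probabilities.

    opportunities_per_year is the enabling event (batches run, cylinders
    moved); each probability is dimensionless (per opportunity), so the
    result is a frequency per year.
    """
    f = float(opportunities_per_year)
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        f *= p
    return f


def scenario_frequency(f_initiating, *ipl_pfds):
    """Scenario frequency = f_I x PFD of every credited IPL (Chapter 6)."""
    f = float(f_initiating)
    for pfd in ipl_pfds:
        f *= pfd
    return f


# Example 5.2 style: batches per year (enabling event) x P(double catalyst charge).
# Constructed values; the book gives no numbers for this example.
BATCHES_PER_YEAR = 50
P_DOUBLE_CHARGE = 1e-2      # per batch, the Table 5.1 "operator failure" order of magnitude


def batch_double_charge_frequency(batches_per_year=BATCHES_PER_YEAR,
                                  p_double_charge=P_DOUBLE_CHARGE):
    return initiating_event_frequency(batches_per_year, p_double_charge)


# Example 5.3 style: phosgene cylinder movements. Constructed values.
MOVES_PER_YEAR = 200
P_UNCAPPED = 1e-2   # cylinder is moved without its cap (approach 1: part of f_I;
                    # approach 2: the PFD of the human cap check, assumed equal here)
P_DROPPED = 1e-3    # a moved cylinder is dropped


def phosgene_approach_1():
    """Approach 1: the missing cap is part of the initiating event."""
    f_i = initiating_event_frequency(MOVES_PER_YEAR, P_UNCAPPED, P_DROPPED)
    return f_i, scenario_frequency(f_i)     # the cap check is not credited again


def phosgene_approach_2():
    """Approach 2: f_I is 'a cylinder is dropped'; the cap check is a human IPL."""
    f_i = initiating_event_frequency(MOVES_PER_YEAR, P_DROPPED)
    return f_i, scenario_frequency(f_i, P_UNCAPPED)


def phosgene_double_counted():
    """The trap of Section 5.6: the cap factor inside f_I *and* credited as an
    IPL. The result is optimistic by a factor of 1/P_UNCAPPED."""
    f_i = initiating_event_frequency(MOVES_PER_YEAR, P_UNCAPPED, P_DROPPED)
    return scenario_frequency(f_i, P_UNCAPPED)


if __name__ == "__main__":
    print(f"batch double charge: f_I = {batch_double_charge_frequency():.1e} /yr")
    for label, (f_i, f_s) in (("approach 1", phosgene_approach_1()),
                              ("approach 2", phosgene_approach_2())):
        print(f"{label}: f_I = {f_i:.1e} /yr, scenario = {f_s:.1e} /yr")
    print(f"double counted: {phosgene_double_counted():.1e} /yr (optimistic)")
```

Both approaches give the same scenario frequency; they differ only in where the cap factor is booked, which is why an organization must fix one convention and keep to it.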
5.3. Frequency Estimation
Failure Rate Data Sources
A number of sources of failure rate data are available for assigning consistent values to the initiating event frequency. These include
• industry data such as the Guidelines for Chemical Process Quantitative Risk Analysis (CCPS, 1989a) and the Second Edition (CCPS, 2000a), Guidelines for Process Equipment Reliability Data (CCPS, 1989b), and other public domain sources such as IEEE (1984), EuReData (1989), and OREDA (1989, 1992, 1997). CCPS also has a project underway for sharing failure rate data among participating companies.
• company experience (including hazard analysis team experience), where enough historical data are available to be statistically significant. (Note: Operator experience is often a better source for specific events, whereas generic industry failure rate data are often better for overall equipment failures, because many companies do not have a good internal database for failure data.)
• vendor data, which are typically optimistic, since the data are developed in clean, well-maintained settings, or may be based on components returned to the vendor—many failed components are thrown away, rather than returned.
When a cause may have multiple component failures, use of simplified fault trees or event trees may be appropriate to derive the combined failure frequency (e.g., primary control loop failure). In general, such techniques should only be used selectively to prevent the LOPA process from becoming overly complex. Remember, LOPA is a methodology that falls between simple qualitative and more elaborate quantitative analysis techniques.
Selection of Failure Rates
Failure rates should be selected with a number of issues in mind:
• Failure rates should be consistent with the basic design of the facility and be consistent with the company method for making risk-based decisions.
• All the failure rates used should be from the same location in the data range (e.g., upper bound, lower bound, or midpoint), providing a consistent degree of conservatism for the entire process.
• The failure rate data selected should be representative of the industry or operation under consideration. If historical data are available, they should be used only if sufficient data are available over an adequate period of time to be statistically significant. If general industry data are used, they should be adjusted (usually by consideration of limited plant data and expert opinion) to reflect local conditions and situations. Where such data may not be directly available, judgment must be used in deciding which data from outside sources are most applicable to the situation (e.g., use of US Department of Transportation pipeline failure data for in-plant piping systems).
Many failure rate databases contain data presented with two or more significant places. This is much more precision than required for LOPA (and also often much more precise than the data warrants!).
LOPA only requires order-of-magnitude approximation, and such data should be rounded up to the nearest whole order of magnitude. As noted earlier, caution should also be used in applying vendor-supplied data, as such data are often developed from best-achievable or laboratory performance. Underlying assumptions are always involved in selection of failure rate data. These normally include, among others, assumptions on the range of operating parameters, the specific chemicals processed, basic testing and inspection frequency, operator and maintenance training programs, and equipment design quality. It is therefore important to ensure that the failure rate data used for a process are consistent with the basic assumptions inherent with the data. (For instance, it would be inappropriate to apply OREDA data developed by the petroleum industry for North Sea off-shore oil rigs directly to chemical operations in Kansas.) These assumptions should be documented so that future data selections are made consistently. The LOPA method also assumes that the failure rate is constant. This is not always true, since equipment failure rates are typically higher when the equipment is new (“infant mortality”) and when it ages (“old age”). However, for most equipment the longest period of operation involves a constant failure rate. For the purposes of LOPA, a constant failure rate is adequate.
Failure Rates in LOPA
Typically, for LOPA, a company should lump discrete initiating event frequencies into a representative set of initiating event categories. This improves the consistency of risk estimates across an organization. Typical initiating event frequencies used by LOPA analysts in the chemical industry are shown in Table 5.1. For control system failures, the overall loop failure rate typically includes failure of any of several components (transmitter, air supply, DCS, valve, sensor, etc.) and can include other factors such as improper set points, miscalibration, operation on manual or off-cascade.
Derivation of Initiating Event Frequency from Failure Data
Failure data are sometimes expressed as a probability of failure on demand (PFD). For example, human error to execute a task may be expressed as 1 × 10–1 per opportunity, or a crane load drop may be expressed as 1 × 10–4 per lift (see Table 5.1). When this is the case, the initiating event frequency must be derived. This involves estimating the number of times per year (or times per million hours) that a demand is placed on the system (or person). This may be as straightforward as counting the number of times the operation is carried out per year and multiplying by the probability of failure on demand (assuming the two values are not interdependent).
Or, it may be as complex as using fault tree techniques to estimate the number of challenges per year to which the system is subjected. LOPA is a simplified approach, and the analyst should move on to more rigorous techniques if the scenario is overly complex or more precision is desired.
TABLE 5.1 Typical Frequency Values, f_I, Assigned to Initiating Events
Initiating Event | Frequency Range from Literature (per year) | Example of a Value Chosen by a Company for Use in LOPA (per year)
Pressure vessel residual failure | 10–5 to 10–7 | 1 × 10–6
Piping residual failure—100 m—Full Breach | 10–5 to 10–6 | 1 × 10–5
Piping leak (10% section)—100 m | 10–3 to 10–4 | 1 × 10–3
Atmospheric tank failure | 10–3 to 10–5 | 1 × 10–3
Gasket/packing blowout | 10–2 to 10–6 | 1 × 10–2
Turbine/diesel engine overspeed with casing breach | 10–3 to 10–4 | 1 × 10–4
Third party intervention (external impact by backhoe, vehicle, etc.) | 10–2 to 10–4 | 1 × 10–2
Crane load drop | 10–3 to 10–4 per lift | 1 × 10–4 per lift
Lightning strike | 10–3 to 10–4 | 1 × 10–3
Safety valve opens spuriously | 10–2 to 10–4 | 1 × 10–2
Cooling water failure | 1 to 10–2 | 1 × 10–1
Pump seal failure | 10–1 to 10–2 | 1 × 10–1
Unloading/loading hose failure | 1 to 10–2 | 1 × 10–1
BPCS instrument loop failure (Note: IEC 61511 limit is more than 1 × 10–5/hr or 8.76 × 10–2/yr (IEC, 2001)) | 1 to 10–2 | 1 × 10–1
Regulator failure | 1 to 10–1 | 1 × 10–1
Small external fire (aggregate causes) | 10–1 to 10–2 | 1 × 10–1
Large external fire (aggregate causes) | 10–2 to 10–3 | 1 × 10–2
LOTO (lock-out tag-out) procedure failure* | 10–3 to 10–4 per opportunity | 1 × 10–3 per opportunity
Operator failure (to execute routine procedure, assuming well trained, unstressed, not fatigued) | 10–1 to 10–3 per opportunity | 1 × 10–2 per opportunity
*overall failure of a multiple-element process
Note: Individual companies should choose their own values, consistent with the degree of conservatism of the company’s risk tolerance criteria. Failure rates can also be greatly affected by preventive maintenance (PM) routines.
Time at Risk
For systems/operations that are not continuously operated (loading/unloading, batch processes, etc.) failure rate data must be adjusted to reflect the ‘time at risk’ for the component or operation under consideration. Since most failure rate data are expressed with units of “per year” (yr–1), it is necessary to adjust the data to reflect that the component or operation is not subject to failure during the entire year, but only that fraction of the year when it is operating or “at risk.” This is normally done by multiplying the base failure rate by the fraction of the year the component is operating.
Example 5.4
Consider a frequently used unloading hose. The hose has an in-service base failure rate of 1 × 10–2/yr, but is only subject to failure and release of hazardous material or energy during unloading. The loading process takes 2 hours and is carried out 40 times per year, so the failure rate becomes:
F = (1 × 10–2/yr hose failure rate) × ((40/yr × 2 hr) / 8000 hr/yr) = 1 × 10–4/yr
This assumes that the hose is physically tested for integrity (e.g., subjected to full operating pressure with air or nitrogen) prior to each unloading to detect out-of-service failures, and there is no common cause dependency between the values. If the base failure rate was developed for intermittent service, then the testing would be built into the failure rate as a basic assumption.
Example 5.5
Consider a batch operation with a flow measurement loop. The loop failure can only be an initiating event for a hazardous release during charging. If the base loop failure rate is 1 × 10–2/year, and the charging operation takes only one hour and is carried out eight times per year, then the failure rate becomes:
F = (1 × 10–2/yr base loop failure) × (8 hr/8760 hr, the fraction of the year that the operation is at risk) = 1 × 10–5/yr
This adjustment for time at risk will normally be made during the initiating event frequency determination step in the LOPA process.
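The time-at-risk adjustment of Examples 5.4 and 5.5 in code, as an added example that is not part of the CCPS text. It keeps each example's own hours-per-year figure (8000 and 8760, as the book uses them), rounds the result up to the nearest whole order of magnitude as Section 5.3 asks, and makes the testing assumption of Example 5.4 explicit: when the component is not proven before each use, the function keeps the full base rate. That conservative rule and the function names are this example's own choices, not something the text states.

```python
"""Time-at-risk adjustment of a base failure rate.

Added example, not from the CCPS text. It reproduces Examples 5.4 and 5.5
(8000 h/yr and 8760 h/yr respectively, as the book uses them) and rounds the
result up to the nearest whole order of magnitude, as Section 5.3 says LOPA
data should be.
"""
import math

HOURS_PER_YEAR = 8760.0


def round_up_order_of_magnitude(x):
    """Round a positive value up to the nearest power of ten: 9.1e-6 -> 1e-5."""
    if x <= 0:
        raise ValueError("rate must be positive")
    # the tolerance keeps an exact power of ten (1e-4) from being pushed up a decade
    return 10.0 ** math.ceil(math.log10(x) - 1e-9)


def time_at_risk_fraction(hours_per_operation, operations_per_year,
                          hours_per_year=HOURS_PER_YEAR):
    """Fraction of the year during which the component can fail and cause the scenario."""
    hours_at_risk = hours_per_operation * operations_per_year
    if not 0 <= hours_at_risk <= hours_per_year:
        raise ValueError("time at risk must lie between 0 and one year")
    return hours_at_risk / hours_per_year


def adjusted_failure_rate(base_rate_per_year, hours_per_operation, operations_per_year,
                          tested_before_each_use=True, hours_per_year=HOURS_PER_YEAR):
    """Base rate x fraction of the year at risk.

    Example 5.4 assumes the hose is proven (e.g. pressure tested) before each
    unloading so that out-of-service failures are found first. When that
    assumption does not hold, this example keeps the full base rate; that
    conservative rule is this example's choice, not one stated by the text.
    """
    if not tested_before_each_use:
        return base_rate_per_year
    return base_rate_per_year * time_at_risk_fraction(
        hours_per_operation, operations_per_year, hours_per_year)


def example_5_4():
    """Unloading hose: 1e-2/yr base, 2 h x 40/yr over 8000 h/yr -> 1e-4/yr."""
    return adjusted_failure_rate(1e-2, 2, 40, hours_per_year=8000.0)


def example_5_5():
    """Flow loop: 1e-2/yr base, 1 h x 8/yr over 8760 h/yr -> 9.1e-6/yr, rounded up to 1e-5/yr."""
    raw = adjusted_failure_rate(1e-2, 1, 8)
    return raw, round_up_order_of_magnitude(raw)


if __name__ == "__main__":
    print(f"Example 5.4: F = {example_5_4():.1e} /yr")
    raw, rounded = example_5_5()
    print(f"Example 5.5: F = {raw:.2e} /yr, rounded up to {rounded:.0e} /yr")
    untested = adjusted_failure_rate(1e-2, 2, 40, tested_before_each_use=False)
    print(f"untested hose keeps base rate: {untested:.0e} /yr")
```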
Adjustment of Frequency Rates
Some LOPA methodologies adjust the unmitigated consequence frequency to reflect such factors as probability of personnel being exposed to a hazard, probability of ignition, and probability of injury or fatality should an exposure occur. This adjustment may be made either in the determination of the initiating event frequency, or in the calculation of the final scenario frequency, as described in Chapter 7. Generally, analysts do not go to this level of detail, since LOPA is a simplified technique. If this level of accuracy is necessary, fault trees or event trees may be necessary, and the scenario should be analyzed using those more rigorous methods. Users of LOPA have noted that higher levels of scrutiny do not always provide a better risk decision.
High Demand Mode
When the initiating event frequency is more than twice the first IPL test frequency, it is called high demand mode. Section 7.2 and Appendix F discuss how to select the initiating event frequency for LOPA calculations for high demand mode.
5.4. Expression of Failure Rates
There are several ways of expressing failure rates used in LOPA. The method used should be consistent with the basic criteria and design of the LOPA methodology. The methods include
• decimal systems,
• scientific notation- or exponent-based systems, and
• integer systems.
Examples of these types of expression are shown below in Table 5.2.
TABLE 5.2 Various Ways to Express Failure Rates
Designation | Failure Rate 1 | Failure Rate 2
Decimal | 0.01 /yr | 0.00001 /yr
Scientific notation | 1 × 10–2 /yr | 1 × 10–5 /yr
Exponent | E-2 /yr | E-5 /yr
Integer logarithm | 2 /yr | 5 /yr
Note: In this book, scientific notation form will normally be used.
Qualitative values, such as low, medium, or high, or Category 1, 2, or 3, are sometimes used in even simpler versions of LOPA, or in situations where more definitive failure rates are not available.
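A small converter for the four notations of Table 5.2, as an added example that is not part of the CCPS text. The designation must be passed explicitly because the text of a cell alone is ambiguous: "2 /yr" is two per year in the decimal system but 1 × 10–2 per year in the integer-logarithm system, which is the practical reason Section 5.4 asks that one system be fixed for the whole method. The function names are this example's own; scientific notation is printed with a caret ("1 × 10^-2") so the sign of the exponent cannot be lost the way it is in the typeset "10–2".

```python
"""Converting between the failure-rate notations of Table 5.2.

Added example, not from the CCPS text. The designation (decimal, scientific,
exponent or integer logarithm) must be given explicitly: "2 /yr" is 2 per year
in the decimal system but 1 × 10^-2 per year in the integer-logarithm system.
"""
import math
import re

SYSTEMS = ("decimal", "scientific", "exponent", "integer")


def _normalise(text):
    """Strip the unit suffix and typographic minus/times signs."""
    body = re.sub(r"\s*(/\s*yr|per\s+year)\s*$", "", text.strip())
    return body.replace("–", "-").replace("−", "-").replace("×", "x").strip()


def parse_rate(text, system):
    """Return the rate as a float per year, read under the given designation."""
    body = _normalise(text)
    if system == "decimal":
        return float(body)
    if system == "scientific":
        m = re.fullmatch(r"([0-9.]+)\s*x\s*10\s*\^?\s*([-+]?\d+)", body)
        if m is None:
            raise ValueError(f"not scientific notation: {text!r}")
        return float(m.group(1)) * 10.0 ** int(m.group(2))
    if system == "exponent":
        m = re.fullmatch(r"E\s*([-+]?\d+)", body)
        if m is None:
            raise ValueError(f"not exponent form: {text!r}")
        return 10.0 ** int(m.group(1))
    if system == "integer":
        if re.fullmatch(r"\d+", body) is None:
            raise ValueError(f"not an integer logarithm: {text!r}")
        return 10.0 ** (-int(body))          # the integer is the negative exponent
    raise ValueError(f"unknown designation: {system!r}")


def format_rate(rate, system, unit="/yr"):
    """Render a positive rate in the given designation."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    exp = math.floor(math.log10(rate) + 1e-9)   # tolerance: 0.01 -> -2, not -3
    mant = rate / 10.0 ** exp
    whole_decade = abs(mant - 1.0) < 1e-9
    if system == "decimal":
        digits = max(0, -exp) + 3
        return f"{rate:.{digits}f}".rstrip("0").rstrip(".") + f" {unit}"
    if system == "scientific":
        return f"{mant:g} × 10^{exp} {unit}"
    if system in ("exponent", "integer"):
        if not whole_decade:
            raise ValueError("exponent/integer forms hold whole orders of magnitude only")
        if system == "exponent":
            return f"E{exp} {unit}"
        if exp > 0:
            raise ValueError("integer logarithm form represents rates of 1/yr or less")
        return f"{-exp} {unit}"
    raise ValueError(f"unknown designation: {system!r}")


def integer_log_scenario(f_i_log, ipl_pfd_logs):
    """In the integer-logarithm system the product f_I x PFD x PFD becomes a sum:
    f_I = 2 (1e-2/yr) with IPL PFDs 2 and 1 gives 5, i.e. 1e-5/yr."""
    return f_i_log + sum(ipl_pfd_logs)


def table_5_2_roundtrip():
    """Parse every Table 5.2 cell and re-render it; returns {(system, cell): (value, rendered)}."""
    cells = [("decimal", "0.01 /yr"), ("decimal", "0.00001 /yr"),
             ("scientific", "1 × 10–2 /yr"), ("scientific", "1 × 10–5 /yr"),
             ("exponent", "E-2/yr"), ("exponent", "E-5 /yr"),
             ("integer", "2 /yr"), ("integer", "5 /yr")]
    out = {}
    for system, cell in cells:
        value = parse_rate(cell, system)
        out[(system, cell)] = (value, format_rate(value, system))
    return out


if __name__ == "__main__":
    for (system, cell), (value, rendered) in table_5_2_roundtrip().items():
        print(f"{system:10s} {cell!r:16s} -> {value:.0e} -> {rendered!r}")
```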
5.5. Continuing Examples
Continuing Example 1: Hexane Surge Tank Overflow
For the tank overflow scenario resulting from instrument failure, the obvious initiating event is failure of the tank level indicator/controller (LIC). Its initiating event frequency is, from Table 5.1,
f_I = 1 × 10–1/yr loop failure rate
Continuing Example 2: Hexane Storage Tank Overflow
For this example, the overflow of the hexane storage tank is initially caused by an inventory control error. This results in inadequate room for unloading the truck. The initiating event frequency will be the number of times per year that the inventory control system fails. This has been determined by the PHA team to be once per year. Thus, the initiating event frequency is
f_I = 1/yr inventory error
The probability of failure or error in the inventory control system is a function of the lead time for ordering hexane, the frequency of inventory verification, and the plant shutdown frequency (which would lead to reduction in usage and slower than normal depletion of the hexane inventory).
5.6. Limitations (Cautions)
The LOPA method is a simplified (semiquantitative) method, and is not exhaustive (see the risk decision tools spectrum, Figure 2.3). If a more detailed analysis is required, a method such as fault tree or event tree analysis may be more appropriate. Also, LOPA may be inappropriate for very high consequence events since the risk tolerance is significantly lower for these events. It may be necessary to proceed to risk assessment techniques nearer to CPQRA in such cases. One trap to avoid is incorporating an IPL failure into the initiating event frequency. Referring to the phosgene cylinder in Example 5.3, the two approaches treat the probability of the cap being missing differently and must not be intermingled. Either approach works, provided it is applied consistently. The existence, or lack, of a procedure to check that a cylinder is capped before it is moved could affect the probability that a cylinder is uncapped when it is moved. Alternatively, it could affect the PFD for a human IPL in checking that the cylinder is capped before it is moved.
5.7. Link Forward
Chapter 6 will discuss the subject of independent protection layers (IPL) and their application in the next step in LOPA. The reader will see how various forms of IPLs are applied and their subsequent reduction of the scenario frequency to the final risk value.
6 Identifying Independent Protection Layers
6.1. Purpose
The purpose of this chapter is to discuss the concept of an independent protection layer (IPL) and its use in layer of protection analysis (LOPA). This is Step 4 of the LOPA process. Several examples are used throughout the chapter to illustrate specific points.
6.2. Definition and Purpose of an IPL
An IPL is a device, system, or action that is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario. The effectiveness and independence of an IPL must be auditable. For example, in Figure 6.1, at point A in a chain of events an installed IPL has the opportunity to act. If it operates as intended the undesired consequence is prevented. If all of the IPLs in a scenario fail to perform their functions then the undesired consequence will occur following the initiating event. The distinction between an IPL and a safeguard is important. A safeguard is any device, system, or action that would likely interrupt the chain of events following an initiating event. However, the effectiveness of some safeguards cannot be quantified due to lack of data, uncertainty as to independence or effectiveness, or other factors.
FIGURE 6.1. Event tree showing effect of IPL success or failure when demanded. See Figure 2.2 for the effect of multiple IPLs.
All IPLs are safeguards, but not all safeguards are IPLs.
The effectiveness of an IPL is quantified in terms of its probability of failure on demand (PFD) which is defined as the probability that a system (in this case the IPL) will fail to perform a specified function on demand. The PFD is a dimensionless number between 0 and 1. The smaller the value of the PFD, the larger the reduction in frequency of the consequence for a given initiating event frequency. The “reduction in frequency” achieved by an IPL is sometimes termed the “risk reduction factor.” Figure 2.1 shows the layers of safeguards that can be employed to prevent or minimize the effects of incidents. Safeguards can be classified as
• active or passive,
• preventive (prerelease) or mitigating (postrelease)
for the purpose of considering how they act and how effective they are in reducing the frequency or consequence of an initiating event. The characteristics of these layers, and whether they should be credited as IPLs in the LOPA method, are discussed below.
Process Design
In many companies, it is assumed that some scenarios cannot occur because of the inherently safer design of the process equipment. For example, the equipment might be designed to withstand the maximum pressure for a particular scenario, batch size might be limited, inventory lowered, chemistry modified, etc.; i.e., scenarios are eliminated by the inherently safer design.
Inherently safer process design features are encouraged to eliminate possible scenarios
—Inherently Safer Chemical Processes: A Life Cycle Approach (CCPS, 1996b).
In other companies, some inherently safer process design features are considered to have a nonzero PFD—that is, they do have possible failure modes that have been observed in industry. These companies consider such inherently safer process design features as IPLs. The design of the IPL is intended to prevent the consequence from occurring. For example, a pump may have an impeller that is too small to generate high pressure in a downstream vessel. The latter approach allows a company to compare the risk between plants designed using different equipment standards; the analysis can result in different failure rates for similar pieces of equipment which in turn might require additional IPLs for the equipment with higher failure rates. The LOPA analyst should be aware that inherently safer process design features may have a PFD and appropriate inspection and maintenance (auditing) might be required (e.g., a small impeller may be replaced with a larger impeller during repair or maintenance, batch size may be changed, etc.). Whether process design should be credited as an IPL, or considered as a method of eliminating a scenario, depends upon the method employed within a particular organization (see also Sections 6.4 and 6.5, and Example 6.5). Either approach can be used, but must be applied consistently within an organization.
Basic Process Control Systems
The basic process control system (BPCS), including normal manual controls, is the first level of protection during normal operation. The BPCS is designed to maintain the process in the safe operating region. The normal operation of a BPCS control loop may be credited as an IPL if it meets the appropriate criteria (see Section 6.5). As discussed in Chapter 5, the failure of the BPCS can be an initiating event. When considering using the BPCS as an IPL, the analyst must evaluate the effectiveness of the access control and security systems as human error can degrade the performance of the BPCS.
Critical Alarms and Human Intervention
These systems are the second level of protection during normal operation and should be activated by the BPCS. Operator action, initiated by alarms or observation, can be credited as an IPL when various criteria are satisfied to assure the effectiveness of the action (e.g., independence—see Section 6.5). Company procedures and training may improve the performance of humans in the system, but procedures themselves are not an IPL.
Safety Instrumented Function (SIF)
A SIF is a combination of sensors, logic solver, and final elements with a specified safety integrity level that detects an out-of-limit (abnormal) condition and brings the process to a functionally safe state. A SIF is functionally independent of the BPCS. A SIF is normally considered to be an IPL and the design of the system, the level of redundancy, and the amount and type of testing will determine the PFD the SIF receives in LOPA (see Section 6.5). “Interlock” is an older, imprecise term for SIF.
Physical Protection (Relief Valves, Rupture Discs, etc.)
These devices, when appropriately sized, designed and maintained, are IPLs which can provide a high degree of protection against overpressure in clean services. However, their effectiveness can be impaired in fouling or corrosive services, if block valves are installed under the relief valves, or if the inspection and maintenance activities are of poor quality. If the flow from the relief valves is discharged to the atmosphere, additional consequences may occur which will require examination (see Section 6.5). This could involve the examination of the effectiveness of flares, quench tanks, scrubbers, etc.
Postrelease Protection (Dikes, Blast Walls, etc.)
These IPLs are passive devices which provide a high level of protection if designed and maintained correctly. Although their failure rates are low, possibility of failure should be included in the scenarios. Also, if automatic deluge systems, foam systems, or gas detection systems, etc., meet the requirements of IPLs (see Section 6.5), then some credit can be taken for these devices in specific scenarios.
Plant Emergency Response
These features (fire brigade, manual deluge systems, facility evacuation, etc.) are not normally considered as IPLs since they are activated after the initial release and there are too many variables (e.g., time delays) affecting their overall effectiveness in mitigating a scenario.
Community Emergency Response
These measures, which include community evacuation and shelter-in-place, are not normally considered as IPLs since they are activated after the initial release and there are too many variables affecting their effectiveness in mitigating a scenario. They provide no protection for plant personnel.
Table 6.1 is a summary of safeguards that are not normally considered to be IPLs.
TABLE 6.1 Examples of Safeguards Not Usually Considered IPLs
Safeguards not Usually Considered IPLs | Comments
Training and Certification | These factors may be considered in assessing the PFD for operator action, but are not—of themselves—IPLs.
Procedures | These factors may be considered in assessing the PFD for operator action, but are not—of themselves—IPLs.
Normal Testing and Inspection | These activities are assumed to be in place for all hazard evaluations and form the basis for judgment to determine PFD. Normal testing and inspection affects the PFD of certain IPLs. Lengthening the testing and inspection intervals may increase the PFD of an IPL.
Maintenance | This activity is assumed to be in place for all hazard evaluations and forms the basis for judgment to determine PFD. Maintenance affects the PFD of certain IPLs.
Communications | It is a basic assumption that adequate communications exist in a facility. Poor communications affects the PFD of certain IPLs.
Signs | Signs by themselves are not IPLs. Signs may be unclear, obscured, ignored, etc. Signs may affect the PFD of certain IPLs.
Fire Protection | Active fire protection is often not considered as an IPL as it is post event for most scenarios and its availability and effectiveness may be affected by the fire/explosion which it is intended to contain. However, if a company can demonstrate that it meets the requirements of an IPL for a given scenario it may be used (e.g., if an activating system such as plastic piping or frangible switches are used). Note: Fire protection is a mitigation IPL as it attempts to prevent a larger consequence subsequent to an event that has already occurred. Fireproof insulation can be used as an IPL for some scenarios provided that it meets the requirements of API and corporate standards.
Requirement that Information is Available and Understood | This is a basic requirement.
Note: Poor performance in the areas discussed in this table may affect the process safety of the whole plant and thus may affect many assumptions made in the LOPA process.
6.3. IPL Rules
In order to be considered an IPL, a device, system, or action must be
• effective in preventing the consequence when it functions as designed,
• independent of the initiating event and the components of any other IPL already claimed for the same scenario,
• auditable; the assumed effectiveness in terms of consequence prevention and PFD must be capable of validation in some manner (by documentation, review, testing, etc.). (See also Appendix C, Documentation for a LOPA Study.)
Effectiveness
If a device, system or action is credited as an IPL it must be effective in preventing the undesired consequence associated with the scenario. To determine whether a safeguard is an IPL, the following questions are used to guide the team or analyst in making the appropriate judgment. Additional discussion of these issues is provided in Section 6.5.
• Can the safeguard detect the condition that requires it to act? This may be a process variable, or an alarm, etc. If the safeguard cannot always detect the condition, and generate a specific action, it is not an IPL.
• Can the safeguard detect the condition in time to take corrective action that will prevent the undesired consequence? The time required must include
  ◦ the time to detect the condition,
  ◦ the time to process the information and make the decision,
  ◦ the time to take the required action, and
  ◦ the time for the action to take effect.
• Does the IPL have adequate capacity for it to take the required action in the time available? If a specific size (e.g., relief valve orifice, dike volume, etc.) is required, does the installed safeguard meet these requirements? Is the strength of the IPL adequate for the required action? The strength of an IPL might consist of
  ◦ physical strength (e.g., a blast wall or dike);
  ◦ the ability of a valve to close under the conditions that would be present for a particular scenario (i.e., strength of valve spring, actuator, or components);
  ◦ human strength (i.e., is the required task within the physical capabilities of all operators?).
If the safeguard cannot meet these requirements it is not an IPL.
In LOPA, the effectiveness of an IPL in reducing the frequency of a consequence is quantified using its PFD. Determining, or specifying, the appropriate value for the PFD of an IPL is an important part of the LOPA process. An IPL is expected to operate as intended, but any system can fail. The lower the value of the PFD for an IPL the greater the confidence that it will operate correctly and interrupt a chain of events. Since LOPA is a simplified method, the values of the PFDs are usually quoted to the nearest order of magnitude. PFD values range from the weakest IPL (1 × 10–1) to the strongest IPL (1 × 10–4 – 1 × 10–5). Section 6.5 discusses appropriate PFD values for various IPLs. The LOPA team or analyst must determine whether a safeguard is an IPL, and then assess the appropriate value of the PFD for the IPL. Caution is required when assigning the PFD for IPLs in scenarios where the initiating event frequency is high, i.e., where the initiating event frequency for a scenario is greater than, or close to, the effective functional test interval for the IPL (see Section 7.2 and Appendix F).
Independence
The LOPA method uses independence to assure that the effects of the initiating event, or of other IPLs, do not interact with a specific IPL and thereby degrade its ability to perform its function. Independence requires that an IPL’s effectiveness is independent of
• the occurrence, or consequences, of the initiating event; and
• the failure of any component of an IPL already credited for the same scenario.
It is important to understand when a safeguard can and cannot be claimed as an IPL in LOPA. Example 6.1 shows a safeguard that is an IPL for one scenario, but not for another scenario.
Example 6.1
In Figure 6.2, Initiating Event 1 shows a safeguard (high reactor temperature triggers addition of quench) that is an IPL. Initiating Event 2 illustrates that the same safeguard is not an IPL because it is not independent of the initiating event. In the second scenario, a loss of power (the initiating event) will lead to an exothermic runaway reaction inside a vessel, with the possibility of a pressure rise that might rupture the vessel (the undesired consequence). The exothermic reaction and pressure rise can be prevented by the addition of a material to quench the reaction. The system in place to add the quench material uses electric pumps. During loss of power (the initiating event) the electric pumps are inoperative and, therefore, the quench system is ineffective. Thus, the quench system is not an IPL for the second scenario. Electrical power failure may also be considered as a common-cause failure for both the initiating event and the potential safeguard.
FIGURE 6.2. Example of IPL not independent of initiating event.
COMMON CAUSE FAILURE (CCF) OR COMMON MODE FAILURE
Common cause failure is the failure of more than one component, item, or system due to the same cause or initiating event. It is particularly important to look for common cause failure modes when analyzing safeguards to assess whether they are IPLs. CCF can involve the initiating event and one or more safeguards, or the interaction of several safeguards. All of the safeguards affected by the CCF should only be considered as a single IPL (rather than each safeguard being credited as an IPL). See also Table 6.2.
Example 6.2
A BPCS safeguard loop might not be independent of an initiating event. The BPCS level control loop for a tank uses the fill valve to maintain the level at the desired set point (Figure 6.3). One scenario is overflow of the tank with an initiating event of failure of the BPCS level control loop. Safeguards are a high level trip in the BPCS that uses one function to stop the pump feeding the tank and a second function to close the fill valve in the feed line to the tank when high level is detected. However, both functions use the same level sensor and a single failure (failure of the sensor or the BPCS) would prevent both final control elements from acting and the high level BPCS interlock would be ineffective. Therefore, such a safeguard arrangement is not an IPL because the sensor and the BPCS are common to both the initiating event and the high level trip functions.
6.3. IPL Rules
83
Similarly, Figure 6.4 shows two arrangements. In the first there are two final control elements, but the BPCS and the sensor are common. Similarly, in the second, there are two sensors, but the BPCS and the final control element are common. For the reasons discussed above, each arrangement is only considered as a single IPL in LOPA. The redundancy provided by the dual final control elements or the dual sensors will decrease the PFD of these portions of the BPCS loops and, possibly, decrease the overall PFD for the IPLs.

IPL CHARACTERISTICS
It may be helpful to use the following keywords when considering IPLs. While not every IPL fits the model, the thought process helps to eliminate safeguards that are not IPLs. The “three Ds” help determine if a candidate is an IPL:
• Detect: Most IPLs detect or sense a condition in the scenario.
• Decide: Many IPLs make a decision to take action or not.
• Deflect: All IPLs deflect the undesired event by preventing it.
The “three Enoughs” help evaluate the effectiveness of an IPL: Big Enough? Fast Enough? Strong Enough?
The “Big I” is a reminder that the IPL must be independent of the initiating event and other IPLs.
FIGURE 6.3. Common sensor and logic solver elements in BPCS loop using Approach A.
FIGURE 6.4. Common logic solver and final control elements for BPCS loop using Approach A.

TABLE 6.2 Causes of Dependent Failure in Systems (Including Systematic Failure)*

Engineering
  Design
    Functional Deficiencies: Hazard undetectable; Inadequate instrumentation; Inadequate control
    Realization Faults: Common operation and protection components; Operational deficiencies; Inadequate components; Channel dependency; Design errors; Design limitations
  Construction
    Manufacture: Inadequate quality control; Inadequate standards; Inadequate inspection; Inadequate testing
    Installation and Commissioning: Inadequate quality control; Inadequate standards; Inadequate inspection; Inadequate testing and commissioning; Inadequate supervision
Operation
  Procedural
    Maintenance and Testing: Imperfect repair; Imperfect testing; Imperfect calibration; Imperfect procedures
    Operation: Operator errors; Inadequate procedures; Inadequate supervision; Communication errors
  Environmental
    Normal Extremes: Temperature; Pressure; Humidity; Vibration; Acceleration; Stress; Corrosion; Contamination; Interference; Radiation; Static charge
    Energetic Events: Fire; Flood; Weather; Earthquake; Explosion; Missiles; Electric Power; Radiation; Chemical sources

*From Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition (CCPS 2000a).

Two approaches are used in assessing the independence of IPLs involving BPCS loops or functions to decide how many IPLs exist for a particular scenario. Approach A is generally recommended because its rules are clear and it is conservative. Approach B may be used if the analyst is experienced and adequate data is available on the design and actual performance of the BPCS logic solver.

Approach A

In order for a device or action to be credited as an IPL, it must be independent of both
• the initiating event and any enabling event and
• any other device, system, or action that is already being credited as an IPL for the same scenario.
Approach A is conservative, since it allows only one IPL in a single BPCS and requires that IPL to be independent of the initiating event. This approach eliminates many common cause failures (see Table 6.2) affecting the PFD for the IPLs which are claimed. Approach A is more straightforward to apply as its rules are unambiguous and little judgment is left to the analyst or team. Approach A is used for the continuing examples discussed in Chapters 2 through 8.

Approach B

This approach allows more than one IPL to be in the same BPCS or it allows a BPCS IPL with a BPCS initiating event (with independence required for certain components). This approach is based on the assumption that if a BPCS function fails, it is probable the component that induced the failure is the detection device or the final control element, and that failures of the IPL due to a fault in the logic solver are much less frequent. Industrial experience indicates that the failure rates of the detection devices and the final control elements are usually much higher than the failure rate of the BPCS logic solver. Approach B allows a limited number of other elements of the BPCS to serve as an IPL for the scenario. Details of this approach are discussed in Chapter 11 together with application to the continuing examples. Approach B is less straightforward to apply, since it requires
• information on the design and performance of the BPCS,
• full understanding of the common cause failure modes on the PFD for an IPL, and
• an analyst experienced with the definition and application of the rules for claiming a safeguard as an IPL.
Example 6.3 discusses several issues arising from using Approach A or B when deciding to claim an IPL.

CAUTION
The reader is advised that the draft IEC 61511 standard—dealing with Safety Instrumented Systems for the process industry—Part 1 states “The risk reduction factor for a BPCS [basic process control system] (which does not conform to this standard) used as a layer of protection shall be below 10” (IEC, 2001). This means the PFD of all risk reduction functions in the BPCS is limited to more than 1 × 10–1. The user should provide the analysis to support the risk reduction claimed for multiple BPCS IPLs.
Example 6.3
Consider a situation where the failure of a specific BPCS loop is the initiating event. The operator response that could mitigate the situation relies upon obtaining information from another loop in the same BPCS in which the failure has occurred. Using Approach A, LOPA would assume that once a BPCS loop has failed any further information or action that the BPCS logic solver might provide must be viewed as unavailable or ineffective. Therefore, operator action in response to a BPCS alarm could not be credited as an IPL because the information required would be obtained using the failed BPCS logic solver. In Approach B, the ability of the BPCS logic solver to provide information to the operator from a separate loop would be considered unaffected, provided that the design and performance of the logic solver would support this assumption. Approach B would allow crediting the operator action as an IPL, provided that the alarm loop did not use any of the common components (with the exception of the central processing unit) involved in the initiating event for the scenario. Chapter 11 discusses this issue in greater detail. The question of assigning credit for human action is discussed later in this section.
A device, system, or action is not independent of the initiating event and cannot be credited as an IPL under either approach if either of the following is true:
• Operator error is the initiating event and the candidate IPL assumes that the same operator must act to mitigate the situation. Human error is equivalent to the failure of a system and once a human has committed an error it is not reasonable to expect the same operator to act correctly later in the sequence of events. This approach is justified because the error may be due to illness, incapacity (drugs or alcohol), distraction, work overload, inexperience, faulty operating instructions, lack of knowledge, etc., that are still present later when the action is required.
• Loss of a utility (electricity, air, cooling water, nitrogen, etc.) is the initiating event and a candidate IPL is a system that depends on that utility.

Example 6.4

The arrangements shown in Figure 6.4 (discussed in Example 6.2) are not independent of another IPL, using either Approach A or Approach B. In the first arrangement, the logic solver and the sensor are common. If, however, separate sensors are used for the BPCS function that closes the valve and the BPCS function that stops the pump, Approach B might allow each of these functions to be claimed as a separate IPL, despite the BPCS logic solver being common to each (see Chapter 11). Similarly, for the second arrangement of Figure 6.4, the use of dual final control elements, one for each BPCS function, might allow two IPLs to be claimed using Approach B.
As noted earlier, the effect of common cause failures must also be considered. This is particularly important if Approach B is employed. This type of failure can be subtle and requires vigilance in identifying opportunities for its occurrence.
Other examples where the IPL is not independent include
• multiple flow meters, analyzers, etc., with a calibration error due to human error, faulty calibration instruments, etc.;
• multiple units or SIF systems with a single source of power or a common circuit breaker unless it can be determined that fail safe action will always be initiated in the event of power loss—this is true for any other utility required for an IPL to reach a safe state;
• functional deficiency in a type of valve, sensor, etc. used in multiple systems;
• assuming that the same operator acts correctly after operator error initiated the event.
Additional examples are provided in Table 6.2 for common mode issues for SIFs. See also ISA S84.01 (ISA, 1996), IEC 61508 (IEC, 1998), IEC 61511 (IEC, 2001), Guidelines for Engineering Design for Process Safety (CCPS, 1993a), Guidelines for Safe Automation of Chemical Processes (CCPS, 1993b).
Auditability

A component, system or action must be auditable to demonstrate that it meets the risk mitigation requirements of a LOPA IPL. The audit process must confirm that the IPL is effective in preventing the consequence if it functions as designed. The audit should also confirm that the IPL design, installation, functional testing, and maintenance systems are in place to achieve the specified PFD for the IPL. Functional testing must confirm that all the components of an IPL (sensors, logic solver, final elements, etc.) are operational and meet the requirements for LOPA to be applied. The audit process should document the condition of the IPL as found, any modifications made since the last audit, and track to resolution any corrective actions that are required. Chapter 9 (Implementing LOPA) discusses additional information required to support the auditing and validation of IPLs.
6.4. LOPA IPL Assessment

This section describes how the LOPA analyst determines
• if the safeguard meets the requirements for an IPL and
• the appropriate PFD for the IPL.
Safeguard/IPL Assessment

The basic requirements of effectiveness, independence and auditability for an IPL are determined by several methods. The simplest is to use a written design basis, or IPL summary sheet, which must be available for review by the LOPA team or analyst (see Table 4.1). This should include the initiating event considered, the action taken by the system or device, and the effects of these actions. Any assumptions, clarifications or calculations required to support the analysis must be attached or referenced. If this information is not available, or if its validity is questionable, then it must be developed for each scenario and each safeguard reviewed. This will require experts in the process design of the system, the design and installation of the instrumentation and the controls and operation of the process. This analysis should be documented. If a SIF is being considered as an IPL, the documentation should include
• a statement of the purpose of the safety instrumented function,
• the specification and the installation details of each of its components including the logic solver, and
• proof test and validation records of the SIF, or components, having achieved the required or assumed PFD. [See ISA S84.01 (ISA, 1996), IEC 61508 (IEC, 1998), IEC 61511 (IEC, 2001).]
Alternatively, if an organization has a published set of specifications for SIF systems, certification that the system meets the requirements for a specified type of SIF would be acceptable. If a pressure relief device is being considered as an IPL, the documentation should include
• the design (sizing) basis,
• design scenarios (all scenarios requiring the valve to open),
• the valve specification,
• the required flow at the scenario conditions,
• the installation details (e.g., piping arrangement), and
• the test and maintenance procedures, including proof of the valve lifting at the set pressure.
Where human action is credited as an IPL, the following factors should be defined and documented (see the discussion on Human IPLs in Section 6.5):
• how the condition will be detected,
• how the decision to act will be made, and
• what action will be taken to prevent the consequence.
PFD Value for an IPL

The PFD for an IPL is the probability that, when demanded, it will not perform the required task. Failure to perform could be caused by
• a component of an IPL being in a failed or unsafe state when the initiating event occurs;
• a component failing during the performance of its task; or
• human intervention failing to be effective, etc.
The PFD is intended to account for all potential failure to danger modes. (Failure to danger means the IPL fails such that it cannot perform the required task on demand.) Thus, it is a simplified concept and must be applied with caution. In particular, the PFD for a BPCS function includes factors such as human error in programming, bypassing interlocks, and the typical security systems that are in place to control access to the BPCS logic solver. The PFD values quoted in this book are for typical systems only. Each organization must satisfy itself that the PFD values used for its method are appropriate. The analyst should evaluate the design of the candidate IPL against the conditions of the scenario to estimate the appropriate PFD for the IPL. The credit taken for an IPL in risk reduction is discussed in detail in Section 6.5. Documentation should be developed to justify or substantiate the PFD claimed for IPLs. This should reference corporate standards or industry norms, or include appropriate calculations. For relief valves claimed as IPLs, justification for the PFD claimed, particularly for polymeric, fouling or corrosive services, is particularly important (see the discussion on Active IPLs in Section 6.5).

CAUTIONS
Particular care is required when
• an IPL will be challenged at a frequency that is high in relation to its effective test frequency (see Section 7.2 and Appendix F),
• human action PFDs are outside of industry norms (justification should be included in the documentation), or
• frequent testing is required to achieve the claimed PFD value (documentation that such testing has been performed satisfactorily at the required interval must be maintained).
6.5. Examples of IPLs

This section describes various types of IPLs, together with information on the PFD values used by various companies. The PFD is the probability that, when challenged, the IPL will fail to perform its required function and, therefore, the scenario will continue toward the undesired consequence despite the presence of that IPL (see Chapter 4). Factors that may influence the selection of PFD values for IPLs are also discussed briefly in this section. Due to different approaches and different operating environments, a range of PFD values is provided in the summary Tables 6.3, 6.4, and 6.5. The PFD values used within an organization should be applied consistently, although variations between different facilities are appropriate if justified by differences in design, construction, installation, inspection or maintenance. The PFD values should also be consistent with the failure rates used to develop initiating event frequencies and risk tolerance criteria. Individual companies or methods may use a different list of IPLs, but these must meet the requirements defined in Section 6.3. When the demand frequency for an IPL is similar to the IPL test or proof test frequency, particular care must be taken in assigning the appropriate PFD (see Section 7.2 and Appendix F). Some companies may use a lower value for an IPL than the typical PFDs in Tables 6.3 to 6.5, but this requires a detailed analysis of the IPL (using fault tree, FMEA, etc.) performed by a qualified analyst. The use of such advanced techniques in IPL analysis is discussed in Chapter 11. The PFD of an IPL is usually related to its test frequency. The longer the period between testing, the higher the PFD. Kletz (1985) and the CCPS CPQRA books (CCPS 1989a, 2000a) discuss this issue. The assumed PFD of an IPL must be consistent with the actual test frequency.

CAUTION
The discussion in this section and the data provided in the referenced tables are based on “typical” IPLs installed in “typical” services. If the installation or service conditions are atypical for an IPL, the value of its PFD should be carefully reviewed and adjusted for specific conditions. When IPLs are installed in “severe” conditions (e.g., relief valves or sensors in fouling, polymeric, or corrosive services), the use of higher PFD values should be considered.
Passive IPLs

A passive IPL is not required to take an action in order for it to achieve its function in reducing risk. Table 6.3 contains examples of IPLs that achieve risk reduction using passive means to reduce the frequency of high consequence events. Table 6.3 also includes a typical range of PFD values for each type of IPL, together with a PFD value used in one method. These IPLs achieve the intended function if their process or mechanical design is correct and if constructed, installed, and maintained correctly. Examples are tank dikes, blast walls or bunkers, fireproofing, flame or detonation arrestors, etc. These devices are intended to prevent the undesired consequence (widespread leakage, blast damage to protected equipment and buildings, failure due to fire exposure to vessels or piping, fire or a detonation wave passing through a piping system, etc.). If designed adequately, such passive systems can be credited as IPLs with a high level of confidence and will significantly reduce the frequency of events with potentially major consequences. However, there may be other, less serious consequences (such as a fire in dike, blast damage to some equipment) that should be analyzed in other scenarios.

TABLE 6.3 Examples of Passive IPLs
(Comments assume an adequate design basis and adequate inspection and maintenance procedures. The last column is the PFD used in this book for screening.)

IPL | Comments | PFD from Literature and Industry | PFD Used in This Book (For screening)
Dike | Will reduce the frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc. | 1 × 10–2 – 1 × 10–3 | 1 × 10–2
Underground Drainage System | Will reduce the frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc. | 1 × 10–2 – 1 × 10–3 | 1 × 10–2
Open Vent (no valve) | Will prevent over pressure | 1 × 10–2 – 1 × 10–3 | 1 × 10–2
Fireproofing | Will reduce rate of heat input and provide additional time for depressurizing/firefighting/etc. | 1 × 10–2 – 1 × 10–3 | 1 × 10–2
Blast-wall/Bunker | Will reduce the frequency of large consequences of an explosion by confining blast and protecting equipment/buildings/etc. | 1 × 10–2 – 1 × 10–3 | 1 × 10–3
“Inherently Safe” Design | If properly implemented can significantly reduce the frequency of consequences associated with a scenario. Note: the LOPA rules for some companies allow inherently safe design features to eliminate certain scenarios (e.g., vessel design pressure exceeds all possible high pressure challenges). | 1 × 10–1 – 1 × 10–6 | 1 × 10–2
Flame/Detonation Arrestors | If properly designed, installed and maintained these should eliminate the potential for flashback through a piping system or into a vessel or tank. | 1 × 10–1 – 1 × 10–3 | 1 × 10–2

Fireproofing is a means of reducing the rate of heat input to equipment (e.g., when considering the sizing basis for relief valves, for preventing a boiling liquid expanding vapor explosion (BLEVE), or for preventing an exothermic runaway reaction due to external heat input). This could mitigate the size of a release or provide additional time to respond to the situation by depressurizing the system, fire fighting, etc. If fireproofing is considered as an IPL it must be shown to be effective in preventing the consequence (a BLEVE, etc.) or provide sufficient time for other action. It should also meet the requirements that the fireproofing remain intact when exposed directly to a fire and that it will not be displaced by the impact of a jet of water from a monitor or hose.

Other passive IPLs, such as flame or detonation arrestors, while employing simple physical principles, are susceptible to fouling, plugging, corrosion, unexpected conditions, potential maintenance mistakes, etc. These must be considered when assigning a PFD to such devices. Passive IPLs, such as dikes or blast walls, where the equipment design prevents the consequence can have low PFD values for LOPA purposes, but care must be taken to assess accurately the PFD to be applied.

In some companies, process design features (such as special materials and inspection) are considered as IPLs if they can prevent the consequence from occurring. This approach allows an organization to evaluate risk differences between plants that are designed using different equipment standards. With this approach inherently safer process design features also have assigned PFDs requiring appropriate inspection and maintenance (auditing) to ensure that process changes do not change the PFD. In many companies, the approach taken is that inherently safer design features eliminate scenarios rather than mitigate the consequences of a scenario. For example, if equipment is designed to withstand an internal deflagration then all the scenarios that lead to a rupture of a vessel due to an internal explosion have thereby been eliminated.
Using this approach, process design is not considered to be an IPL as there are no scenarios or consequences to be considered and, therefore, no IPL is required. However, appropriate inspection and maintenance (auditing) is required to ensure that process changes do not change the effectiveness of the inherently safer design feature. This issue is discussed further in the following example.

Example 6.5
Consider a system where a pump feeds material to a vessel that has a design pressure greater than the shut-off head of the pump. Some companies might view the rupture of a vessel due to overpressure from a deadheaded feed pump as a feasible scenario. They would then count the inherently safer design feature that the design pressure of the vessel exceeds the deadheaded pump pressure as an IPL. Some LOPA analysts give such an IPL a PFD range of 1 × 10–2 to 1 × 10–4; these PFDs recognize the possibility that there may be errors in fabrication and maintenance and that corrosion could reduce the rupture pressure of the vessel. Additionally the potential exists for the installation of a different impeller in the pump, use of a different liquid, etc. Other LOPA analysts argue that catastrophic failure of the vessel at a pressure lower than its design pressure (particularly with the large safety factors built into the mechanical design codes) is not a reasonable consequence unless there is evidence of significant corrosion in the system. Such a failure could only occur due to errors in fabrication, or from corrosion, and would be a different scenario from one initiated by deadheading the pump (i.e., the initiating event frequency would be so low as to be negligible assuming the appropriate inspection and maintenance were performed on the vessel). The system would be hydro-tested to the design pressure required by the mechanical code prior to installation. Additionally any failure resulting from deadheading the pump would probably result only in localized leakage, due to failure of the gasketed joints or instrument connections rather than a catastrophic failure. This approach would eliminate catastrophic failure of the vessel due to pump deadheading as a scenario. A truly inherently safe design would have no scenarios for a particular initiating event.
A company must determine the approach to select to achieve consensus and consistent results within its organization.

NOTE
If it is not possible to use inherently safer design techniques to eliminate scenarios, the authors strongly recommend a design that uses IPLs to reduce the risk associated with a given scenario by lowering the frequency of a consequence. Inherently safer design concepts reduce risk by eliminating scenarios, particularly those with large consequences, and, where practical, should be the preferred option.
Active IPLs

Active IPLs are required to move from one state to another in response to a change in a measurable process property (e.g., temperature or pressure), or a signal from another source (such as a push-button or a switch). An active IPL generally comprises (see Figure 6.5)
• a sensor of some type (instrument, mechanical, or human),
• a decision-making process (logic solver, relay, spring, human, etc.),
• an action (automatic, mechanical, or human).
Table 6.4 provides examples of active IPLs. Human intervention is discussed later in this section.
FIGURE 6.5. Basic components of active IPL.
Instrumented Systems

These systems are a combination of sensors, logic solvers, process controllers, and final elements that work together, either to automatically regulate plant operation, or to prevent the occurrence of a specific event within a chemical manufacturing process. Two types of instrumented systems are considered in the basic LOPA method. Each has its own purposes and characteristics. One, the continuous controller (e.g., the process controller that regulates flow, temperature, or pressure at an operator supplied set-point value) generally provides continuous feedback to the operator that it is functioning normally (although unannounced malfunctions can occur). The second, the state controller (the logic solver which takes process measurements and executes on–off changes to alarm indicators and to process valves) monitors the plant conditions and only takes control actions when predefined trip points are reached. State control actions may be referred to as process interlocks and alarms, such as a reactor high-temperature trip that closes the steam valve. Faults in a state controller (logic solver and the associated field devices) may not be detected until the next manual proof test of the failed safety function. Both continuous and state controllers are found in the BPCS and the SIS. The BPCS and the SIS differ significantly in the level of risk reduction achievable.
TABLE 6.4 Examples of Active IPLs
(Comments assume an adequate design basis and inspection/maintenance procedures. The last column is the PFD used in this book for screening.)

IPL | Comments | PFD from Literature and Industry | PFD Used in This Book (For screening)
Relief valve | Prevents system exceeding specified overpressure. Effectiveness of this device is sensitive to service and experience. | 1 × 10–1 – 1 × 10–5 | 1 × 10–2
Rupture disc | Prevents system exceeding specified overpressure. Effectiveness can be very sensitive to service and experience. | 1 × 10–1 – 1 × 10–5 | 1 × 10–2
Basic Process Control System | Can be credited as an IPL if not associated with the initiating event being considered (see also Chapter 11). (See IEC 61508 (IEC, 1998) and IEC 61511 (IEC, 2001) for additional discussion.) | 1 × 10–1 – 1 × 10–2 (>1 × 10–1 allowed by IEC) | 1 × 10–1
Safety Instrumented Functions (Interlocks) | See IEC 61508 (IEC, 1998) and IEC 61511 (IEC, 2001) for life cycle requirements and additional discussion. | | This book does not specify a specific SIL level. Continuing examples calculate a required PFD for a SIF.
SIL 1 | Typically consists of: single sensor (redundant for fault tolerance); single logic processor (redundant for fault tolerance); single final element (redundant for fault tolerance). | ≥1 × 10–2 – <1 × 10–1 |
SIL 2 | Typically consists of: “multiple” sensors (for fault tolerance); “multiple” channel logic processor (for fault tolerance); “multiple” final elements (for fault tolerance). | ≥1 × 10–3 – <1 × 10–2 |
SIL 3 | Typically consists of: multiple sensors; multiple channel logic processor; multiple final elements. | ≥1 × 10–4 – <1 × 10–3 |

Note: Multiple includes 1 out of 2 (1oo2) and 2 out of 3 (2oo3) voting schemes. “Multiple” indicates that multiple components may or may not be required depending upon the architecture of the system, the components selected and the degree of fault tolerance required to achieve the required overall PFD and to minimize unnecessary trips caused by failure of individual components (see IEC 61511 (IEC, 2001) for guidance and requirements).

Basic Process Control System (BPCS)

The BPCS is the control system that continuously monitors and controls the process in day-to-day plant operation. The BPCS may provide three different types of safety functions that can be IPLs:
• continuous control action, which keeps the process at set point values within the normal operating envelope and thus attempts to prevent the progression of an abnormal scenario following an initiating event.
• state controllers (logic solver or alarm trip units), which identify process excursions beyond normal boundaries and provide this information (typically, as alarm messages) to the operator, who is expected to take a specific corrective action (control the process or shut down).
• state controllers (logic solver or control relays), which are intended to take automatic action to trip the process, rather than attempt to return the process to within the normal operating envelope. This action should result in a shutdown, moving the process to a safe state.
The BPCS is a relatively weak IPL, as there is usually
• little redundancy in the components,
• limited built-in testing capability, and
• limited security against unauthorized changes to the internal program logic.
The limited security arrangements are particularly important when considering the effectiveness of the BPCS as an IPL. Human error (in modifying logic, bypassing alarms and interlocks, etc.) can significantly degrade the anticipated performance of BPCS systems if security is not adequate. IEC 61511 (IEC, 2001) limits the combined PFD to not less than 1 × 10–1 for all the BPCS IPLs that can be applied to a unique initiating event–consequence pair (i.e., combined PFD must be more than 1 × 10–1). For LOPA purposes, some companies use a PFD of 1 × 10–1 for each BPCS IPL that can be applied to a unique initiating event–consequence pair, based on analysis of their system configuration, implementation, maintenance and testing. The following examples demonstrate the types of action taken by the BPCS.

Example 6.6: BPCS Normal Control Loop Action as an IPL
Consider the example of an initiating event due to abnormally high pressure of the fuel gas supply to a furnace. An upstream unit causes the high pressure. The consequence is a high temperature in the furnace. If the fuel gas flow control loop is pressure compensated, the normal action of the loop will reduce the volumetric flow as the pressure goes up. This loop could be an IPL if it is capable of preventing the high-pressure upset from becoming the high-temperature consequence in the furnace.
Example 6.7: BPCS Alarm Action as an IPL
In a furnace similar to that of Example 6.6, consider the case where the fuel gas flow control loop is not pressure compensated. However, the BPCS has discrete logic to generate an alarm on high fuel gas pressure. The operator would then be expected to take action to control the gas pressure or shut down the furnace. This BPCS loop, in conjunction with the operator action, could be an IPL.
Example 6.8: BPCS Logic Action as an IPL
In a furnace similar to that of Example 6.6, consider again the case where the fuel gas flow control loop is not pressure compensated. However, the BPCS has discrete logic to trip (shutdown) the furnace on high fuel gas pressure to prevent the high furnace temperature consequence. This BPCS loop could be an IPL.
6. Identifying Independent Protection Layers
Safety Instrumented System (SIS)
A safety instrumented system (SIS) is a combination of sensors, logic solvers and final elements that performs one or more safety instrumented functions (SIFs). SIFs are state control functions, sometimes called safety interlocks and safety critical alarms. An assembly of SIFs makes up the SIS (also known as an emergency shutdown system). ISA S84.01 (ISA, 1996), IEC 61508 (IEC, 1998), IEC 61511 (IEC, 2001), and the CCPS Safe Automation book (CCPS, 1993b) discuss the design requirements of SIS and SIF in detail and specify the life cycle requirements (specification, design, commissioning, validation, maintenance and testing) to achieve the desired PFD. Important design details include the following:
• SIFs that are functionally independent from the BPCS. Measurement devices, logic processors, and final control elements used for a SIF are isolated from similar devices in the BPCS, except where signals can be shared without sacrificing the PFD of the SIF.
• A safety system logic solver (typically comprising multiple redundant processors, redundant power supplies, and a human interface) that processes several (or many) safety instrumented functions.
• Extensive use of redundant components and signal paths. Redundancy can be achieved in several ways. The most obvious is to install multiple sensors or multiple final elements (e.g., valves) for the same service. Diverse technologies will reduce common cause failure for redundant components. Examples 6.9 and 6.10 provide methods by which redundancy is added to a system other than by just replicating system components.
• Use of voting architectures and logic that are tolerant of failures of some components without the effectiveness of the SIS being compromised and without causing spurious trips of the process.
• Use of self-diagnostics to detect and communicate sensor, logic solver, and final control element faults. Such diagnostic coverage can reduce the mean time to repair failed SIFs to only a few hours. Internal testing of the multiple logic solvers can occur many times a second.
• A deenergized to trip philosophy where a low PFD is required.
Each of the SIFs will have its own PFD value based on
• the number and type of sensors, logic solvers, and final control elements; and
• the time interval between periodic functional tests of system components.
The risk reduction performance of a SIF is defined in terms of its PFD. International standards have grouped SIFs for application in the chemical process industry into categories called Safety Integrity Levels (SILs). These are defined as:
• SIL 1: PFD ≥ 1 × 10–2 to <1 × 10–1 [IEC 61511 (IEC, 2001)]. These SIFs are normally implemented with a single sensor, a single SIS logic solver and a single final control element.
• SIL 2: PFD ≥ 1 × 10–3 to <1 × 10–2. These SIFs are typically fully redundant from the sensor through the SIS logic solver to the final control element.
• SIL 3: PFD ≥ 1 × 10–4 to <1 × 10–3. These SIFs are typically fully redundant from sensor through the SIS logic solver to the final control element and require careful design and frequent proof tests to achieve low PFD figures. Many companies find that they have a limited number of SIL 3 SIFs due to the high cost normally associated with this architecture.
• SIL 4: PFD ≥ 1 × 10–5 to <1 × 10–4. These SIFs are included in the IEC 61508 and 61511 standards, but such SIFs are difficult to design and maintain and are not used in LOPA.
Draft ISA TR84.0.02 (ISA, 2001) provides guidance to calculate the PFD for a SIF design or SIF installation.
Example 6.9
It is possible to provide redundancy for the detection of the loss of a gas compressor by using single devices to measure gas flow, amps to the compressor motor, gas pressure drop, etc. All of these can detect the same event, but in different ways (i.e., they provide diversity as well as redundancy), and are also used for separate reasons for monitoring the process. However, care must be taken to ensure that the signals from these instruments are truly independent (e.g., that they do not all pass through the same input card).
Example 6.10
It is possible to provide redundancy in valving without adding additional valves in the main process piping. Additional valves in the main piping can require the installation of parallel piping for each valve with the associated block valves, etc., to allow on-line testing to be performed. Such piping systems can be extremely expensive to retrofit into existing plants. For example, as shown in Figure 6.6, the heat input to a steam reboiler can be halted either by closing the steam flow control valve (XV-411) or by opening the vent valve (XV-101) to reduce the steam chest pressure below that required for boiling the liquid in the process. The vent valve can be tested on-line by closing the upstream block valve (which is sealed or locked open when not being tested).
FIGURE 6.6. Example of arrangement for providing multiple final elements for halting heat input to column from steam reboiler.
These valves would qualify as redundant systems if:
• Each system meets the requirements for an IPL.
• The initiating event does not involve the failure of one of these valves.
• The vent valve is adequately sized so that the pressure in the reboiler is lowered to reduce the temperature driving force on the reboiler and eliminate, or adequately reduce, heat input to the unit.
The PFD for this IPL would depend on
• the test frequency of the vent valve,
• how the proven operation of the flow control valve could be used to determine its PFD when required to reduce steam flow when demanded, and
• the PFD of the other components comprising the system.
An alternative design would be an additional SIF valve in the steam supply line. On-line testing might require additional block valves to isolate the SIF valve and a bypass valve around the SIF valve. It can be seen that the total number of valves required is reduced significantly and only simple modifications are required to the piping system.
Vendor Installed Safeguards
Many equipment items are supplied with various safeguards and interlock systems designed by the equipment vendors. Examples include
• Fired Equipment—burner management systems including fire-eyes, purging cycles, etc. In a scenario involving a potential explosion in a boiler, if fuel gas were fed to the burners without the pilot lights functioning, the burner management system would be an IPL if designed, installed, maintained, and integrated into the safety system adequately.
• Rotating Equipment—vibration switches, high-temperature detection, overspeed protection, antisurge protection, etc. In a scenario where severe production losses could arise as a result of damage to a large compressor, vendor supplied interlocks would be IPLs if designed, installed, maintained, and integrated into the safety system adequately.
It is appropriate to consider such devices as IPLs for the purposes of LOPA based on their meeting the LOPA rules. Factors that would influence this decision and the PFD value include
• the design of the SIFs (interlocks),
• historical data (which should be available from the vendors, but should be reviewed with care), and
• the integration of the SIFs into the BPCS and/or SIS (see above).
Deluges, Sprays, Foam Systems, and Other Firefighting Mitigation Systems
Deluges, water sprays, and foam systems may be considered as IPLs for preventing the ultimate release (e.g., a BLEVE, or exothermic runaway reaction initiated by external heat input) if well designed and maintained automatic systems are installed and meet the requirements defined in Section 6.3. Industry experience with these systems indicates that they should usually be considered safeguards rather than IPLs for normal responses to fires, releases, etc., if the possibility of damage from the fire or explosion could render them ineffective.
Pressure Relief Devices
Pressure relief valves open when the pressure under the valve exceeds the pressure exerted by the spring holding the valve closed (pilot operated relief valves operate in a slightly different manner—see the Guidelines for Pressure Relief and Effluent Handling Systems; CCPS, 1998b). Some systems use a rupture disc to protect equipment, and the inability of this device to close after it has ruptured can lead to more complex scenarios. With a relief valve, the material passes from the vessel through the valve, either directly to the atmosphere or to some form of mitigation system (vent stack, flare, quench tank, scrubber, etc.) before passing to the atmosphere. The pressure vessel codes require that relief valves protecting a vessel or system are designed for all anticipated scenarios (fire, loss of cooling, control valve failure, loss of cooling water, etc.) and do not impose any other requirements. This implies that the relief valve is the only IPL needed for overpressure protection. The LOPA team or analyst should evaluate the appropriate value for a relief valve PFD for each service. In particular, relief valves in fouling, corrosive, or two-phase flow, or where freezing of material in the relief header may occur, can experience conditions that would result in the expected flow not being achieved. These potential service problems may be overcome by using nitrogen purges, rupture discs under the valve, heat tracing, installing parallel relief valves to allow on-line inspection and maintenance, and using DIERS methods for sizing devices for two-phase flow cases as shown in the CCPS Pressure Relief book (CCPS, 1998b). The characteristics of each system must be carefully considered when deciding the PFD value claimed for each service. As human action interacts with relief valve installation and maintenance (designing, installing, testing, use of block valves, etc.) and is known to result in error, the effective PFD in a LOPA analysis for these devices is usually higher than might otherwise be anticipated. Relief systems are intended to provide protection against overpressure, but the relief flow is eventually sent to the atmosphere. This may result in additional scenarios (e.g., toxic cloud, flammable cloud, environmental release) depending on the material, the types of control, and environmental protection systems (flares, scrubbers, etc.).
The LOPA analyst must determine the frequency of the consequence of the new scenario with the relief device IPL operating as intended and determine if other IPLs may be needed to meet the risk tolerance criteria (see Chapter 8). The risk of overpressure may be tolerable, but the frequency of environmental release from the relief valve may be higher than desired. Additional scenarios could involve leakage of the relief valve or the failure of the relief valve to close after a demand.
For IPLs that mitigate the consequence, consider evaluating the mitigated consequence as a separate scenario. Example: a relief valve reduces the frequency of vessel overpressure but it generates another scenario of release through the relief valve, given that it works as designed. The additional scenario can be compared with risk tolerance criteria.
Human IPLs
Human IPLs involve the reliance on operators, or other staff, to take action to prevent an undesired consequence, in response to alarms or following a routine check of the system. The effectiveness of humans in performing routine and emergency tasks has been the subject of several publications (Guidelines for Preventing Human Error in Process Safety; CCPS 1994b, and Swain 1983). Overall, human performance is usually considered less reliable than engineering controls and great care should be taken when considering the effectiveness of human action as an IPL (see Table 6.5). However, not crediting human actions under well-defined conditions is too conservative. The general requirements for crediting human action as an IPL are the same as those discussed in Section 6.3, but are often described in different terms. Human action should have the following characteristics:
• The indication for action required by the operator must be detectable. The indication must always be:
  – available for the operator,
  – clear to the operator even under emergency conditions,
  – simple and straightforward to understand.
• The time available to take the action must be adequate. This includes the time necessary to decide that action is required and the time necessary to take the action. The longer the time available for action, the lower the PFD given for human action as an IPL.
• The decision making for the operator should require:
  – no calculations or complicated diagnostics,
  – no balancing of production interruption costs versus safety.
• The operator should not be expected to perform other tasks at the same time as the action required by the IPL, and the normal operator workload must allow the operator to be available to act as an IPL.
• The operator is capable of taking the action required under all conditions expected to be reasonably present. As an example, consider a proposed IPL where an operator is required to climb a platform to open a valve. If a fire (as the initiating event) could prevent this action, it would not be appropriate to consider the operator action as an IPL.
• Training for the required action is performed regularly and is documented. This should involve drills in accordance with the written operating instructions and regular audits to demonstrate that all operators assigned to the unit can perform the required tasks when alerted by the specified alarm.
• The indication, and action, should normally be independent of any alarm, instrument, SIF or other system already credited as part of another IPL or initiating event sequence (see Chapter 11 for additional discussion of this point).
Management practices, procedures, and training may be considered as methods that would assist in establishing the PFD claimed for human action, but should not be considered IPLs by themselves.
CAUTION
Human action has been shown to be a relatively weak protection layer. Analysts and teams should be cautious about claiming PFD values lower than those recommended in Table 6.5 with the specific qualifications regarding the time available for the action to be taken.
TABLE 6.5 Examples of Human Action IPLs*
Columns: IPL | Comments (assuming adequate documentation, training and testing procedures) | PFD from Literature and Industry | PFD Used in This Book (for screening)
Human action with 10 minutes response time
  Comments: Simple well-documented action with clear and reliable indications that the action is required
  PFD from literature and industry: 1.0 – 1 × 10–1
  PFD used in this book (for screening): 1 × 10–1
Human response to BPCS indication or alarm with 40 minutes response time
  Comments: Simple well-documented action with clear and reliable indications that the action is required. (The PFD is limited by IEC 61511; IEC 2001.)
  PFD from literature and industry: 1 × 10–1
  PFD used in this book (for screening): 1 × 10–1 (>1 × 10–1 allowed by IEC)
Human action with 40 minutes response time
  Comments: Simple well-documented action with clear and reliable indications that the action is required
  PFD from literature and industry: 1 × 10–1 – 1 × 10–2
  PFD used in this book (for screening): 1 × 10–1
* Based on Inherently Safer Chemical Processes: A Life Cycle Approach (CCPS 1996b), Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications (Swain 1983).
6.6. Preventive IPLs versus Mitigation IPLs
When considering how an IPL will reduce the risk associated with a scenario it is important to maintain a clear understanding of what the IPL is intended to do. Some IPLs are intended to prevent the scenario from occurring and may be termed preventive IPLs. Other IPLs may be termed mitigation IPLs and are intended to reduce the severity of the consequence of the initiating event. Mitigation IPLs reduce the frequency of the original high consequence scenario, but permit a less severe consequence to occur, as shown in Example 6.11.
Example 6.11
Consider a scenario M1-Original that has a high severity consequence with an unacceptable frequency. Recalling Chapters 4 and 5, Initiating Event A occurs at a certain frequency. The other IPLs reduce the frequency of the high severity consequence, but the consequence can still occur at some frequency as shown below. In the scenario M1-Modified, adding a mitigation IPL prevents (reduces the frequency of) the high severity consequence of the initial scenario. Again, the high severity consequence can still occur if all the IPLs fail, but at a lower frequency than the original scenario. However, the mitigation IPL allows another scenario to proceed towards another (usually less severe) consequence (scenario M2). The frequency of the less severe consequence for M2 is essentially the same as the frequency of the original scenario.
• Scenario M1-Original:
Initiating Event A ⇒ Other IPLs fail ⇒ High Severity Consequence—frequency too high for risk tolerance criteria
• Scenario M1-Modified:
Initiating Event A ⇒ Other IPLs fail ⇒ Mitigation IPL fails ⇒ High Severity Consequence—reduced frequency
• Scenario M2:
Initiating Event A ⇒ Other IPLs fail ⇒ Mitigation IPL successful ⇒ Less Severe Consequence—frequency similar to M1-Original
Each additional less severe scenario resulting from a mitigation IPL would be different from the first scenario and would require its own analysis. The two scenarios of Example 6.11 (M1-Modified and M2) are evaluated separately, assuming the company chooses to study the new scenarios leading to less severe consequences. Frequently, the company has determined that certain types of less severe consequences do not need further study, for example, a spill into a dike of a flammable liquid at a temperature below its normal boiling point. Examples of preventive IPLs are SIFs (e.g., steam valve closure, emergency cooling water flow, inhibitor addition) that would halt a runaway reaction and avoid overpressure. If these work then the reaction will be halted without a vessel rupture or emission to the atmosphere. Examples of mitigation IPLs are pressure relief devices that are intended to prevent the catastrophic rupture of a vessel, but whose satisfactory operation then results in other consequences (another scenario). For example, a relief device that passed a flammable or toxic material to the atmosphere would cause the analyst to consider whether the risk associated with the second scenario was acceptable or not. If the risk was considered unacceptable, then the analyst might examine whether additional IPLs are required to reduce the frequency of the relief valve opening to the atmosphere. Alternatively, an analyst could consider whether the relief flow from the valve should be passed to a flare, scrubber, quench tank, etc., to reduce the risk. Another example is a dike (release into dike with the potential for evaporation, fire, explosion, etc.). In these two examples the range of scenarios associated with the IPL being effective, partially effective or ineffective can become quite complex. These issues are discussed in greater detail in Dowell (1997) and Dowell (1999a).
POTENTIAL PITFALL
Does a mitigation IPL reduce the severity of the consequence 100% of the time?
Answer: No, every IPL has a nonzero PFD (probability of failure on demand). When it succeeds, a mitigation IPL
• reduces the frequency of the severe consequence, and
• allows or generates a less severe consequence, therefore constituting a different scenario and requiring a separate analysis.
These are two separate scenarios for the purpose of LOPA.
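The scenario split of Example 6.11 carried through numerically, as an added illustration that is not part of the original text. The initiating event frequency, the PFD of the other IPLs, the relief valve PFD and the risk tolerance criteria are constructed values chosen for the example, not figures from Table 6.3 or Chapter 8.

```python
"""Mitigation IPL scenario split of Example 6.11 (added illustration, not CCPS code)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One branch of a LOPA scenario: what happens and how often (per year)."""
    scenario: str
    consequence: str
    frequency: float


def chain_frequency(initiating_frequency, pfds):
    """Frequency of a consequence that is reached only if every listed IPL fails.

    The IPLs are assumed independent, so the frequencies multiply. A PFD of 0
    is rejected because every IPL has a nonzero PFD.
    """
    frequency = initiating_frequency
    for pfd in pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD must be in (0, 1], got {pfd}")
        frequency *= pfd
    return frequency


def split_on_mitigation(initiating_frequency, other_pfds, mitigation_pfd,
                        severe, less_severe):
    """Return the three outcomes of Example 6.11.

    M1-Original : severe consequence, no mitigation IPL credited
    M1-Modified : severe consequence, mitigation IPL fails (reduced frequency)
    M2          : less severe consequence, mitigation IPL works (new scenario)
    """
    if not 0.0 < mitigation_pfd <= 1.0:
        raise ValueError(f"PFD must be in (0, 1], got {mitigation_pfd}")
    reaches_mitigation = chain_frequency(initiating_frequency, other_pfds)
    return (
        Outcome("M1-Original", severe, reaches_mitigation),
        Outcome("M1-Modified", severe, reaches_mitigation * mitigation_pfd),
        Outcome("M2", less_severe, reaches_mitigation * (1.0 - mitigation_pfd)),
    )


def screen(outcomes, tolerable):
    """Compare each outcome with a per-consequence tolerable frequency (per year).

    Returns {scenario name: True if within criteria, False if not, None if the
    consequence has no criterion yet and needs its own analysis}.
    """
    result = {}
    for o in outcomes:
        if o.consequence not in tolerable:
            result[o.scenario] = None
            continue
        limit = tolerable[o.consequence]
        # isclose guards the boundary case, e.g. 1e-4 computed as 1.0000000000000002e-4
        result[o.scenario] = o.frequency <= limit or math.isclose(o.frequency, limit)
    return result


# Constructed relief valve case: loss of cooling starts a runaway reaction, a
# BPCS high-temperature trip is the only other IPL, and the relief valve is the
# mitigation IPL whose success sends material to the atmosphere (Section 6.6).
RUNAWAY = split_on_mitigation(
    initiating_frequency=1e-1,   # loss of cooling, per year (constructed)
    other_pfds=[1e-1],           # BPCS high-temperature trip (constructed)
    mitigation_pfd=1e-2,         # relief valve fails to open on demand (constructed)
    severe="vessel rupture",
    less_severe="release to atmosphere via relief valve",
)

# Constructed risk tolerance criteria, per year, for the two consequence types.
TOLERABLE = {"vessel rupture": 1e-4, "release to atmosphere via relief valve": 1e-3}

if __name__ == "__main__":
    for o in RUNAWAY:
        print(f"{o.scenario:12s} {o.consequence:42s} {o.frequency:.2e}/yr")
    print(screen(RUNAWAY, TOLERABLE))
```

With these constructed numbers the overpressure risk (M1-Modified) is tolerable but the release scenario M2 is not, which is the situation described above where the analyst must decide between adding IPLs and routing the relief flow to a flare or scrubber.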
6.7. Continuing Examples
For the continuing example problems introduced in Chapter 2, the various safeguards are reviewed to identify which are IPLs. The reasons for not considering some safeguards as IPLs for the purposes of LOPA are discussed. This section also reviews possible additional IPLs and their appropriate PFD values. Chapter 8 discusses the decision-making process for determining if additional IPLs are required to satisfy risk tolerance criteria. This section discusses candidate safeguards and potential IPLs. In a real-world solution to this problem, the thought process would be iterative and the analyst would move among examination of the current installation, the required risk reduction opportunities, and possible methods of adding additional risk reduction. The solutions in this chapter employ Approach A—that is, only one IPL is allowed in a single BPCS and that IPL must be independent of the initiating event. Solutions using Approach B are presented in Chapter 11. Table 6.6 contains the LOPA summary sheet for Scenario 1a (Hexane Surge Tank Overflow) using the matrix consequence risk assessment method. Table 6.7 contains the LOPA summary sheet for Scenario 2a (Hexane Storage Tank Overflow) using the fatality frequency method. These two tables include information on the safeguards and IPLs for these examples.
TABLE 6.6 Summary Sheet for Continuing Example 1a—Risk Matrix Consequence Categorization Method (Method 1 of Chapter 3)
Scenario Number: 1a
Equipment Number:
Scenario Title: Hexane Surge Tank Overflow. Spill not contained by the dike.
Date:
Columns: Description | Probability | Frequency (per year)
Consequence Description/Category: Release of 10,000–1000,000 lb hexane outside the dike due to tank overflow and spill of hexane. Severity Category 4
Risk Tolerance Criteria (Category or Frequency):
Initiating Event (typically a frequency): Loop failure of BPCS LIC (PFD from Table 5.1). Frequency: 1 × 10–1
Enabling Event or Condition:
Conditional Modifiers (if applicable):
  Probability of ignition: N/A
  Probability of personnel in affected area: N/A
  Probability of fatal injury: N/A
  Others: N/A
Frequency of Unmitigated Consequence: 1 × 10–1
Independent Protection Layers:
  Dike (PFD from Table 6.3): 1 × 10–2
  SIF Candidate: 1 × 10–2
Safeguards (non-IPLs): Human intervention/BPCS
Total PFD for all IPLs: 1 × 10–4 (Note: Including added IPL)
Frequency of Mitigated Consequence:
Risk Tolerance Criteria Met? (Yes/No):
Actions Required to Meet Risk Tolerance Criteria: Consider adding SIF (see Chapter 8)
Notes:
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
Note: Frequency calculations are presented in Chapter 7 and comparison with risk tolerance criteria is contained in Chapter 8.
TABLE 6.7 Summary Sheet for Continuing Example 2a—Fatality Frequency Criteria Method (Method 3 of Chapter 3)
Scenario Number: 2a
Equipment Number:
Scenario Title: Hexane Storage Tank Overflow. Spill not contained by the dike.
Date:
Columns: Description | Probability | Frequency (per year)
Consequence Description/Category: Tank overflow and spill of hexane outside dike. Potential for flash fire and pool fire with probable ignition, injury, and fatality.
Risk Tolerance Criteria (Category or Frequency):
Initiating Event (typically a frequency): Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency based on plant data. Frequency: 1
Enabling Event or Condition:
Conditional Modifiers (if applicable):
  Probability of ignition:
  Probability of personnel in affected area:
  Probability of fatal injury:
  Others:
Frequency of Unmitigated Consequence:
Independent Protection Layers:
  Dike (PFD from Table 6.3): 1 × 10–2
  Human action to check level prior to filling (PFD from Table 6.5): 1 × 10–1
  SIF Candidate: 1 × 10–2
Safeguards (non-IPLs): BPCS loop
Total PFD for all IPLs: 1 × 10–5 (Note: Including added IPL)
Frequency of Mitigated Consequence:
Risk Tolerance Criteria Met? (Yes/No):
Actions Required to Meet Risk Tolerance Criteria: Consider adding SIF (see Chapter 8)
Notes:
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
Note: Frequency calculations are presented in Chapter 7 and comparisons with risk tolerance criteria are contained in Chapter 8.
Appendix A contains the completed LOPA summary sheets for all four scenarios and for all the methods discussed in Chapters 7 and 8. In addition, LOPA sheets for a method used by one chemical company are also included.
Continuing Example 1: Hexane Surge Tank Overflow
Scenario 1a: Hexane Surge Tank Overflow—Spill Not Contained by the Dike
INITIATING EVENT
The initiating event is failure of the BPCS level control loop. This means that no credit can be taken for the BPCS logic solver as part of any other IPL. Alternatively, a common cause failure (loss of power, cable damage, etc.) could be the cause of the failure of the BPCS level control loop and all, or many, other loops associated with the system, again rendering other potential BPCS-based IPLs useless.
IPLs IN PLACE
Once the spill has occurred from the tank, the dike is in place to contain it. Only if the dike fails to operate will a widespread spill occur with the potential for fire, damage and fatalities. The dike meets the requirement for an IPL for the following reasons:
• It will be effective in containing the spill from the tank if it operates as designed.
• It is independent of any other IPL and of the initiating event.
• Its design, construction, and present condition can be audited.
For the purposes of this example the dike is assigned a PFD of 1 × 10–2 (see Table 6.3); that is, it will fail to contain the spill once in every 100 times it is challenged. Each organization should consider what PFD should be assigned for a particular IPL.
SAFEGUARDS THAT ARE NOT IPLs FOR LOPA
A hazard evaluation team may have considered alarms generated by the BPCS and subsequent human actions as safeguards. In this example, no credit is given for human action as an IPL for the following reasons:
• The operator is not always in attendance and so it cannot be assumed that operator action would be effective in detecting and preventing a spill, independently of any alarm, before it had reached a stage where a significant release would occur if the dike failed.
• The failure of the BPCS level control loop (initiating event) must be assumed to result in the failure of the system to generate an alarm that would enable the operator to take manual action to stop the flow to the tank. Therefore, any alarm generated by the BPCS would not be fully independent of the BPCS system (using Approach A) and therefore could not be credited as an IPL. Approach B might allow the use of a separate BPCS-generated alarm with human intervention as an IPL (see Chapter 11).
The relief valve on the surge tank will not be effective in preventing the spill from the tank and, therefore, is not an IPL for this scenario.
IPLs PROPOSED
For methods requiring risk reduction (see Chapter 8) the existing installation does not offer opportunities to develop an IPL with the existing BPCS or operator using Approach A as the existing instrumentation, BPCS and operators are involved with either the initiating event or existing IPLs. Thus, additional equipment must be added to reduce the risk. One approach is to install a SIF with a PFD of 1 × 10–2 to lower the frequency of the consequence as shown in Chapter 8. In order to meet the requirements for an IPL with this PFD the SIF could require
• An independent level measurement device, separate from any other existing level measurement devices already in place on the tank.
• A logic solver to process the signal from the level switch and send a signal for action if a high level is detected. This logic solver must be independent of the existing BPCS system. It may be appropriate to utilize a safety system logic solver with multiple processors with self-testing capabilities. If this is not selected then the logic solver must be able to achieve the required PFD performance in order for the whole SIF to meet the assumed PFD figure of at least 1 × 10–2.
• An additional final element to isolate flow to the tank (pump shut-off, isolation valve, etc.) activated by a logic solver upon receipt of the signal from the new level measurement device. This final element must be independent of any other system in place for halting flow to the tank.
• A specified testing protocol for all of the components in the SIF system to enable the overall PFD figure to be achieved.
• Documentation of the SIF, the testing requirements and the results of the testing.
Note: If Approach B is used it might be possible to add only a single independent sensor and claim operator action in response to a high level alarm as an IPL. The PFD for this IPL would depend upon the time available for the operator to respond to the alarm in order to prevent a significant spill should the dike fail to contain the spill. See Chapter 11.
Scenario 1b: Hexane Surge Tank Overflow—Spill Contained by the Dike
INITIATING EVENT
The initiating event is failure of the BPCS level control loop. This means that no credit can be taken for any other IPLs associated with the BPCS.
IPLs IN PLACE
There are no IPLs in place for this scenario, as the dike cannot be effective as an IPL where, as defined in the scenario description, the spill is contained within the dike.
SAFEGUARDS THAT ARE NOT IPLs FOR LOPA
See discussion for Scenario 1a (above).
IPLs PROPOSED
For methods that require risk reduction, the use of a SIF with a PFD of 1 × 10–2 is proposed to lower the frequency of the consequence (see Chapter 8). The requirements for this SIF are described in Scenario 1a. Note: If Approach B is used it might be possible to add only a single independent sensor and claim operator action in response to a high level alarm as an IPL. However, the best PFD might be 1 × 10–1 for this scenario if the time for the operator to respond to an alarm and prevent the tank overflowing is short. This might not provide enough risk reduction. See Chapter 11.
Continuing Example 2: Hexane Storage Tank Overflow Scenario 2a: Hexane Storage Tank Overflow—Spill Not Contained by the Dike INITIATING EVENT
For this case, the inventory control system fails and a truck arrives at the tank with insufficient space in the tank for the contents of the truck. This could be due to an error in ordering, or unit shutdown after the truck was ordered. From operating data, the hazard evaluation team estimates this occurs once a year. IPLs IN PLACE
The operator checks the level in the tank on the BPCS LIC before unloading to confirm that there is room in the tank for the contents of the truck, but does no other tasks. The procedure of the operator checking the level in the tank is an IPL because it meets the criteria of:
• Effectiveness—if it is performed correctly, the level is read correctly, and the operator does not initiate loading if a high level is detected, then an overflow will not occur.
• Independence—it is independent of any other action, operator action, or initiating event since the failure was in the inventory ordering system.
• Auditability—the performance of the instruments and operators can be observed, tested and documented.

This IPL includes the BPCS level measurement/display loop and the operator performing the required action. The operator has no other indication of the level. From Table 6.5, the PFD for human response to a BPCS loop is 1 × 10–1 as the task is simple and there are no time constraints. The dike can prevent the consequence of a spill outside the dike; thus it is an IPL. The dike has a PFD of 1 × 10–2 (see Table 6.3). Thus the total PFD for the IPLs in place for Scenario 2a is 1 × 10–2 × 1 × 10–1 = 1 × 10–3 as both IPLs must fail before the consequence occurs.

SAFEGUARDS THAT ARE NOT IPLs FOR LOPA

The BPCS level control loop detects high level and sounds an alarm. This is not independent from the first safeguard as it uses the same LI sensor and BPCS logic solver as the IPL procedure that the operator follows prior to unloading. Human action other than response to a BPCS alarm is not an IPL for this scenario.

IPLs PROPOSED

For methods that require risk reduction, the use of a SIF with a PFD of 1 × 10–2 is proposed to lower the frequency of the consequence (see Chapter 8). The requirements for this SIF are described in Scenario 1a (above). The LOPA Summary Sheet for Scenario 2a is shown in Table 6.7. Note: If Approach B is used it might be possible to add only a single independent sensor and claim operator action as an IPL.

Scenario 2b: Hexane Storage Tank Overflow—Spill Contained by the Dike

INITIATING EVENT

See Scenario 2a.

IPLs IN PLACE

See Scenario 2a.

SAFEGUARDS THAT ARE NOT IPLs FOR LOPA
See Scenario 2a. The dike is not an IPL for this scenario since the spill is inside the dike.
IPLs PROPOSED
For methods that require risk reduction an additional IPL as described in Scenario 2a would apply. Note: If Approach B is used it might be possible to add only a single independent sensor and claim operator action as an IPL.
6.8. Link Forward

Chapter 7 shows how to calculate the mitigated scenario frequency using the scenarios identified from prior chapters, and Chapter 8 shows how to make risk decisions with the IPLs identified in Chapter 6.
7 Determining the Frequency of Scenarios
7.1. Purpose

This chapter shows how to use the identified scenarios and independent protection layers (IPLs) described in prior chapters to calculate the mitigated scenario frequency. This includes calculations for the existing system or design (“as is”) and for the modified system or design after recommended changes are incorporated (“mitigated”). The calculations may be quantitative using numerical estimates or they may use lookup tables. This chapter addresses Step 5 of the LOPA method described in Chapter 2. The mitigated scenario frequency calculated in this chapter is used in decision making in Chapter 8.
7.2. Quantitative Calculation of Risk and Frequency

General Calculation

The following is the general procedure for calculating the frequency for a release scenario with a specific consequence endpoint. For this scenario, the initiating event frequency from Chapter 5 is multiplied by the product of the IPL PFDs from Chapter 6.

$$f_i^C = f_i^I \times \prod_{j=1}^{J} PFD_{ij} = f_i^I \times PFD_{i1} \times PFD_{i2} \times \cdots \times PFD_{iJ} \tag{7-1}$$

where

$f_i^C$ is the frequency for consequence C for initiating event i,
$f_i^I$ is the initiating event frequency for initiating event i,
$PFD_{ij}$ is the probability of failure on demand of the jth IPL that protects against consequence C for initiating event i.

Equation (7-1) is applicable for low demand situations—that is, $f_i^I$ is less than twice the test frequency for the first IPL. The high demand calculation is discussed below. Equations (7-1) through (7-5) assume that all IPLs are truly independent—a basic premise of LOPA. The result of Eq. (7-1) can be used as input for comparing calculated risk to scenario risk tolerance criteria for the decision-making methods in Section 8.3 including matrix, numerical criteria, and number of IPL credits.
Calculating the Frequency of Additional Outcomes

Some companies calculate only the frequency of a release. As shown in Figure 3.1, other outcomes of the release are also possible and companies may have risk tolerance criteria for those outcomes. Thus, companies may choose to include the frequency of the other outcomes of the release:
• flammable effects such as fire or explosion,
• toxic effects where applicable,
• exposure to flammable or toxic effects,
• injury or fatality.
To calculate the frequency of such outcomes, Eq. (7-1) is modified by multiplying the frequency of the release scenario by the appropriate probabilities for the outcome of interest. These include
• the probability of ignition ($P_{\text{ignition}}$)—for flammable releases,
• the probability that personnel are in the affected area ($P_{\text{person present}}$)—a precursor parameter for calculating exposures and injuries, and
• the probability that injury occurs ($P_{\text{injury}}$)—for injury or fatality.

Equation (7-2) determines the frequency of a fire for a single scenario for a single system.

$$f_i^{\text{fire}} = f_i^I \times \prod_{j=1}^{J} PFD_{ij} \times P_{\text{ignition}} \tag{7-2}$$

Equation (7-3) determines the frequency of a person exposed to a fire.

$$f_i^{\text{fire exposure}} = f_i^I \times \prod_{j=1}^{J} PFD_{ij} \times P_{\text{ignition}} \times P_{\text{person present}} \tag{7-3}$$

Equation (7-4) determines the frequency of a person injured in a fire.

$$f_i^{\text{fire injury}} = f_i^I \times \prod_{j=1}^{J} PFD_{ij} \times P_{\text{ignition}} \times P_{\text{person present}} \times P_{\text{injury (fire)}} \tag{7-4}$$

Similar equations can be written for toxic effects by omitting the probability of ignition. Both the probability of a person being present and the probability of injury may be different for flammable and toxic effects. For this case, Eq. (7-4) becomes

$$f_i^{\text{toxic}} = f_i^I \times \prod_{j=1}^{J} PFD_{ij} \times P_{\text{person present}} \times P_{\text{injury (toxic)}} \tag{7-5}$$
Note that the probability of ignition and the probability of a person present are frequently linked with the initiating event—the actions of the person may be the ignition source. The initiating event, by its nature, may increase one or both of these probabilities, as shown in Example 7.1. The LOPA analyst should take care to identify such links.

Example 7.1
• If the initiating event for a release in the operating area is an operator opening a bleed valve in the area, $P_{\text{person present}}$ is 1 because a person is always present for the scenario to begin.
• If the initiating event for a flammable release is a crane dropping a heat exchanger on a tank, $P_{\text{ignition}}$ is higher than it would be for a controlled, electrically classified area; the collision of the heat exchanger into the tank provides the release and an ignition source. Also the crane itself may be an ignition source. $P_{\text{ignition}}$ is 1 in either case.
• For pool fires, $P_{\text{injury}}$ may be a moderate to low probability. However, for flash fire, the likelihood of injury is high if someone is present. For toxic vapor, $P_{\text{injury}}$ depends on the vapor concentration, the duration of exposure and the ability of the person to move out of the cloud. The ability to move out of the cloud depends on whether the person detects the vapor, the speed at which the vapor incapacitates the person, and the availability of escape routes. Several analysts use 0.5 for most $P_{\text{injury}}$ situations, and 1.0 for situations in which it is difficult to detect the vapor, or the vapor acts quickly, or escape routes are difficult to use.
The probability of ignition depends on how the release disperses and on the location of ignition sources. An example decision tree is shown in Figure 7.1. Other flammable effects are possible and the probabilities for each branch of the tree may be different for different situations. For the purposes of LOPA, a conservative estimate of the probability of ignition may be used for typical situations. For example, an organization may use
• 1.0 for releases caused by collision,
• 1.0 for large releases close to fired equipment,
• 0.5 for releases in general process areas,
• 0.1 for releases in remote process areas, like a tank farm.

FIGURE 7.1. Example decision tree for probability of ignition for flammable vapor. Starting on the left, each branch shows the probability of the outcome. (If the release occurs, the probability of immediate ignition is 0.1.)
The different values for general and remote process areas are based on activities in those areas. There is typically more electrical equipment in the general process area and more opportunity for the electrical classification to be compromised (such as a missing cover plate). A company can choose a conservative approach to determine the probabilities of Pinjury, Pperson present, Pignition, or it can establish criteria for different categories for these three probabilities. Alternately, a company can use a method such as the Risk Matrix Consequence Categorization Method described in Chapter 3 (Method 1). The conditional probabilities are included in the consequence lookup table (Table 3.1) and the risk matrix (Table 8.1).
Calculating Risk

If a risk index is the desired outcome, the frequency of the outcome of interest is multiplied by a factor related to the magnitude of the consequences

$$R_k^C = f_k^C \times C_k \tag{7-6}$$

where

$R_k^C$ is the risk index of incident outcome of interest k, expressed as a magnitude of consequences per unit time. Specific units will vary depending on the risk being estimated. Some examples might include risk of fatality per year, number of fatalities per year, dollars of economic loss per month, pounds of pollutant released per day,
$f_k^C$ is the frequency of the incident outcome of interest k, in inverse time units, e.g., year–1, hour–1, etc.,
$C_k$ is a specific measurement of the consequences of the incident outcome of interest k. Some measures of the consequences might be an individual fatality, number of fatalities, dollars of economic loss, pounds of release of a pollutant, number of people exposed to a specific concentration of an air pollutant. $C_k$ might be expressed as a category.

Note that the consequence of the undesired outcome of interest k must be expressed as a single number measure in order to use Eq. (7-6). If there are a variety of potential consequences or outcomes, the risk calculations are much more complex, and the methods discussed in Chapter 4 of the Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition (CCPS 2000a) should be considered. Equations (7-1) to (7-7) can be used to calculate any desired single number risk index. Examples include process safety, environmental, business impact, quality, etc. Note that risk is a function of the frequency of the scenario and the consequence severity. This book uses a risk index expressed as frequency of an outcome category; thus, the consequence portion of the equation is defined as a constant. The risk index for a category is then expressed as the frequency of that outcome category, such as releases per year, fires per year, injuries per year, fatalities per year, or consequence category per year.
Summing Up Frequencies For Multiple Scenarios

Some companies have geographic risk or personal risk criteria (see Appendix E for examples). To use such risk criteria for risk decision making in Chapter 8, it is necessary to sum up the frequencies (as the risk indices) from all the scenarios that affect the geographic area or the people under consideration:
• in the same geographic area,
• in the same process unit (e.g., several reactor trains),
• affecting the same location of interest,
• in the same consequence severity category (e.g., same material hazards).
Each scenario should be evaluated individually, using Eq. (7-1), since different IPLs may apply to different scenarios, even if both scenarios result in the same consequence. The frequency of the consequence can then be approximated, if the $f_i^C$ are small, using

$$f^C = \sum_{i=1}^{I} f_i^C = f_1^C + f_2^C + \cdots + f_I^C \tag{7-7}$$

where $f_i^C$ is the frequency of the Cth consequence for the ith initiating event.

Suppose it is desired to estimate the risk from several scenarios in the same geographic area, as shown in Figure 7.2. Note that each of the three scenarios has a different release: from the column, shown by a dashed line; from the reactor, shown by a solid line; and from the tank, shown by a dotted line. These scenarios are not concurrent—they may occur at different times. First, the risk to an exposed individual should be calculated individually for each scenario. Since the individual could be exposed to all three releases, the frequency can then be totaled for all the scenarios of interest and the risk evaluated.

FIGURE 7.2. Multiple releases in same geographic area.

The analyst may encounter processes where the same consequence results from two or more initiating events. Some companies sum the frequencies of all the scenarios that give the same consequence (see Section 11.3). Note: many companies do not sum the individual scenario frequencies for the same consequence, but rather choose the highest scenario frequency for that consequence (high risk initiating event–consequence pair). The company’s LOPA rules should specify which approach to take; the approach must be consistent with the company’s risk tolerance criteria. The calculations of Eqs. (7-1)–(7-7) can be used as input for comparing calculated risk to risk tolerance criteria for the decision-making methods in Section 8.3 including matrix and numerical criteria.

CALCULATE EACH SCENARIO INDIVIDUALLY

An analyst may attempt to combine several initiating events that lead to the same consequence in one calculation step. This calculation assumes that the IPLs apply to each of the initiating events. Such a practice is not LOPA. The authors strongly recommend that each scenario (initiating event–consequence pair) be evaluated separately with its respective IPLs.
Calculations for High Initiating Event Frequency (High Demand Mode) Scenarios

Equation (7-1) is applicable to calculate the frequency of the consequence for scenarios in which the initiating event frequency is less than twice the test frequency—also called “low demand mode.” The initiating event frequency is multiplied by the IPL PFDs. “High demand mode” occurs when the challenge frequency to an IPL is higher than twice the test frequency for the IPL (IEC 61511, Part 1; IEC 2001). For example, the IPL is tested once a year and there are more than 2 demands per year. Using Eq. (7-1) results in an unreasonably high frequency for the consequence, as explained in Appendix F. Instead, the frequency of consequence or frequency of challenge to the next IPL is given by

$$2 \times (\text{IPL test frequency, per year}) \times (\text{IPL PFD}) \tag{7-8}$$
In other words, in Eq. (7-1) the terms for the initiating event frequency and the first IPL PFD are replaced by the expression above. This approach provides more realistic frequency results. Another approach to high demand is a rule-based lookup table for initiating event frequency (not shown in this book) that limits the initiating event frequency such that Eq. (7-1) gives appropriate frequencies.
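The calculation chain above, Eqs. (7-1) through (7-5), the summation rule of Eq. (7-7) and the high demand substitution of Eq. (7-8), is collected in the following Python script so the arithmetic can be checked and repeated. This is an added worked example, not code from this book or from CCPS; the class and function names and the `test_freq_per_yr` attribute are the editor's own. The embedded inputs are the book's hexane surge tank and storage tank scenarios from Section 7.5, so the script runs offline and reproduces those numbers.

```python
"""Mitigated scenario frequency, CCPS LOPA Chapter 7 (Eqs. 7-1 to 7-5, 7-7, 7-8).

Added worked example; not code from the CCPS book. Class/function names and the
test_freq_per_yr attribute are the editor's own. Inputs in the demo are the
book's hexane tank scenarios (Section 7.5).
"""
from dataclasses import dataclass, field
from math import prod
from typing import Callable, List, Optional


@dataclass(frozen=True)
class IPL:
    """An independent protection layer and its probability of failure on demand."""
    name: str
    pfd: float
    # Proof-test frequency (per year). Only needed to detect high demand mode
    # (challenge rate more than twice the test frequency, IEC 61511).
    test_freq_per_yr: Optional[float] = None

    def __post_init__(self) -> None:
        if not 0.0 < self.pfd <= 1.0:
            raise ValueError(f"{self.name}: PFD must be in (0, 1], got {self.pfd}")


@dataclass
class Scenario:
    """One initiating event-consequence pair with its IPLs and conditional modifiers."""
    name: str
    initiating_freq_per_yr: float                  # f_i^I
    ipls: List[IPL] = field(default_factory=list)  # in the order they are challenged
    p_ignition: float = 1.0                        # P_ignition (1.0 for toxic outcomes)
    p_person_present: float = 1.0
    p_injury: float = 1.0


def release_frequency(s: Scenario) -> float:
    """Eq. (7-1): f_i^C = f_i^I * prod_j PFD_ij, with the Eq. (7-8) substitution
    2 * test_freq * PFD for the first IPL when it is in high demand mode."""
    names = [i.name for i in s.ipls]
    if len(set(names)) != len(names):
        raise ValueError("the same IPL is credited twice; LOPA layers must be independent")
    if not s.ipls:
        return s.initiating_freq_per_yr
    first, rest = s.ipls[0], s.ipls[1:]
    high_demand = (first.test_freq_per_yr is not None
                   and s.initiating_freq_per_yr > 2 * first.test_freq_per_yr)
    f = (2 * first.test_freq_per_yr * first.pfd if high_demand   # Eq. (7-8)
         else s.initiating_freq_per_yr * first.pfd)               # Eq. (7-1), low demand
    return f * prod(i.pfd for i in rest)


def fire_frequency(s: Scenario) -> float:
    """Eq. (7-2)."""
    return release_frequency(s) * s.p_ignition


def fire_exposure_frequency(s: Scenario) -> float:
    """Eq. (7-3)."""
    return fire_frequency(s) * s.p_person_present


def fire_injury_frequency(s: Scenario) -> float:
    """Eq. (7-4)."""
    return fire_exposure_frequency(s) * s.p_injury


def toxic_injury_frequency(s: Scenario) -> float:
    """Eq. (7-5): same form without the ignition term."""
    return release_frequency(s) * s.p_person_present * s.p_injury


def aggregate(scenarios: List[Scenario], outcome: Callable[[Scenario], float],
              rule: str = "sum") -> float:
    """Combine scenarios that share a consequence or location.
    rule="sum" is Eq. (7-7); rule="max" is the alternative company rule of
    keeping only the highest single scenario frequency (Section 7.2)."""
    values = [outcome(s) for s in scenarios]
    if rule == "sum":
        return sum(values)
    if rule == "max":
        return max(values)
    raise ValueError(f"unknown rule {rule!r}")


# The book's continuing examples (Section 7.5), embedded here as sample input.
DIKE = IPL("dike", 1e-2)
OPERATOR_CHECKS_LI = IPL("operator checks level before unloading", 1e-1)
SCENARIO_1A = Scenario("1a surge tank, spill outside dike", 1e-1, [DIKE], 1.0, 0.5, 0.5)
SCENARIO_1B = Scenario("1b surge tank, spill inside dike", 1e-1, [], 0.1, 0.1, 0.5)
SCENARIO_2A = Scenario("2a storage tank, spill outside dike", 1.0, [OPERATOR_CHECKS_LI, DIKE], 1.0, 0.5, 0.5)
SCENARIO_2B = Scenario("2b storage tank, spill inside dike", 1.0, [OPERATOR_CHECKS_LI], 0.1, 0.1, 0.5)

if __name__ == "__main__":
    for s in (SCENARIO_1A, SCENARIO_1B, SCENARIO_2A, SCENARIO_2B):
        print(f"{s.name}: release {release_frequency(s):.1e}/yr, "
              f"fire {fire_frequency(s):.1e}/yr, fire fatality {fire_injury_frequency(s):.1e}/yr")
```

The first IPL in a scenario's list is the one whose test frequency matters for the high demand check, which is why the list is ordered by the sequence in which the layers are challenged. Passing an initiating frequency of 5/yr against an IPL tested once a year yields 2 × 1 × PFD rather than 5 × PFD, as Eq. (7-8) prescribes.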
HIGH DEMAND MODE

The challenge frequency to an IPL is higher than twice the test frequency for the IPL. The frequency of consequence or frequency of challenge to the next IPL is
• the failure frequency of the IPL, or more simply, for the first IPL,
• 2 × (IPL test frequency, per year) × (IPL PFD)
7.3. Look-up Table Determination of Risk or Frequency

The scenario risk or frequency may be determined qualitatively using lookup tables. Typically, such matrices also include a target (or required) number of IPLs for different risk categories. Some matrices may include the frequency of the consequence. Categories on the matrix may include
• the initiating event frequency for the scenario,
• the severity of the consequence for the scenario,
• the required number of IPLs (or IPL credits) for a given risk category (the risk category is given by the initiating event frequency and the consequence severity for the scenario),
• the frequency of the consequence.

The calculations from the equations in this chapter and the risk tolerance criteria are embedded in the look-up table. Table 8.2 is presented in Chapter 8 as part of the risk decision making. As the method is usually practiced, a companion look-up table shows the IPL credits for typical IPLs (a sample IPL credit table is shown in Table 7.1). During development of the method, the IPL credit is calculated from the PFD of the IPL (typical values are shown in Tables 6.3, 6.4, and 6.5) using the relationship (consistent within this book):

$$1 \text{ IPL credit} \equiv 1 \times 10^{-2} \text{ PFD} \tag{7-9}$$
Two additional examples of this type of calculation are also given in Guidelines for Safe Automation of Chemical Processes (CCPS 1993b, page 313) and ISA S84.01 Sections A.3.1 and A.3.2 (ISA 1996), specifically, for estimating the SIL (safety integrity level) for a SIF (safety instrumented function) based on the number of other IPLs. Such matrices could be adapted for the general IPL calculation. Typically, the matrix and calibration for the categories are developed for a corporation as discussed in Chapter 9. An example based on the Safe Automation book is shown in Figure 7.3. In the experience of the authors, such tables are difficult to use and tedious to document. We recommend using the other calculation and risk decision-making tools illustrated in this book.

TABLE 7.1 Sample IPL Credits Table

IPL (subset of Tables 6.3, 6.4, 6.5)            PFD                        Number of IPL Credits (for the method illustrated in this book)
Dike                                            1 × 10–2 to 1 × 10–3       1–1.5
Flame/detonation arrestors                      1 × 10–2 to 1 × 10–3       1–1.5
Relief valve                                    1 × 10–1 to 1 × 10–5       0.5–2.5
Rupture disc                                    1 × 10–1 to 1 × 10–5       0.5–2.5
SIF SIL 1                                       1 × 10–1 to 1 × 10–2       0.5–1
SIF SIL 2                                       1 × 10–2 to 1 × 10–3       1–1.5
SIF SIL 3                                       1 × 10–3 to 1 × 10–4       1.5–2
Human action with 10 minutes response time      1.0 to 1 × 10–1            0–0.5

FIGURE 7.3. SIL for SIF [from Guidelines for Safe Automation of Chemical Processes (CCPS 1993b)].
7.4. Calculation of Risk or Frequency with Integer Logarithms

As a first approximation, the scenario risk or frequency may be calculated using the absolute value of the logarithm of the initiating event frequency and the IPL PFDs. An initiating event frequency of 1 × 10–2/yr becomes 2 and a PFD of 1 × 10–2 becomes 2.

Cautions:
• The number format must have the structure of a one-digit integer before the decimal, for example, 0.1 × 10–3 must be converted to 1 × 10–4.
• The maximum frequency that can be used in this method (as illustrated here) is 1/yr, logarithm = 0.

The logarithm is rounded to the nearest integer, thus, 3 × 10–2/yr is expressed as 2 and 4 × 10–2/yr is expressed as 1. For simplification, some organizations take the conservative approach of rounding any coefficient larger than 1 to the next order of magnitude, thus 2 × 10–2 becomes 1. Equation (7-1) would be expressed as

$$F_i^C = F_i^I + \sum_{j=1}^{J} P'_{ij} \tag{7-10}$$

where

$F_i^C$ is the frequency exponent for consequence C of scenario i,
$F_i^I$ is the absolute value of the log of the frequency of initiating event i, and
$P'_{ij}$ is the absolute value of the log of the probability of failure on demand (PFD) of the jth IPL that protects against scenario i.

The greater the frequency exponent calculated by Eq. (7-10), the lower the frequency. Therefore, a frequency exponent of $F_i^C = 1$ represents a frequency of 1 × 10–1/yr; a frequency exponent of $F_i^C = 4$ represents a frequency of 1 × 10–4/yr. Equations (7-2) and (7-3) can be expressed in a similar fashion. This method offers simplicity of calculation with some loss of precision. The lookup tables discussed in Section 7.3 give the same order of conservatism as used in the rounding of the integer logarithm method. This approach is similar to that described in the CCPS Safe Automation book (CCPS 1993b).
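The rounding conventions just described, and the IPL credit relationship of Eq. (7-9) in Section 7.3, are easy to apply inconsistently by hand. The following Python script is an added example (the editor's, not code from this book or from CCPS; the function names are the editor's own) that implements Eq. (7-10) with both the nearest-integer and the conservative rounding rule, rejects frequencies above the 1/yr cap, and converts between PFD and IPL credits.

```python
"""Integer logarithm method (Eq. 7-10) and IPL credits (Eq. 7-9), CCPS LOPA Ch. 7.

Added worked example; not code from the CCPS book. Function names are the editor's own.
"""
from math import floor, log10
from typing import Iterable


def _abs_log10(x: float) -> float:
    # Clean off float noise so exact powers of ten map to exact integers.
    return round(abs(log10(x)), 9)


def exponent(value: float, conservative: bool = False) -> int:
    """Integer |log10| of a frequency (per yr) or of a PFD.

    Default: round to the nearest integer (3e-2 -> 2, 4e-2 -> 1).
    conservative=True: push any coefficient above 1 to the next higher order
    of magnitude (2e-2 -> 1e-1 -> 1), the option some organizations use.
    Values above 1 are rejected: the method as illustrated caps the
    frequency at 1/yr (exponent 0) and a PFD cannot exceed 1.
    """
    if not 0.0 < value <= 1.0:
        raise ValueError(f"value must be in (0, 1], got {value}")
    a = _abs_log10(value)
    return int(floor(a)) if conservative else int(round(a))


def frequency_exponent(initiating_freq: float, pfds: Iterable[float],
                       conservative: bool = False) -> int:
    """Eq. (7-10): F_i^C = F_i^I + sum_j P'_ij. A larger exponent means a lower frequency."""
    return exponent(initiating_freq, conservative) + sum(exponent(p, conservative) for p in pfds)


def exponent_to_frequency(F: int) -> float:
    """Map a frequency exponent back to a frequency per year (3 -> 1e-3/yr)."""
    return 10.0 ** (-F)


def ipl_credits(pfd: float) -> float:
    """Eq. (7-9): one IPL credit is a PFD of 1e-2, so credits = |log10(PFD)| / 2."""
    if not 0.0 < pfd <= 1.0:
        raise ValueError(f"PFD must be in (0, 1], got {pfd}")
    return _abs_log10(pfd) / 2.0


def credits_to_pfd(credits: float) -> float:
    """Inverse of Eq. (7-9)."""
    return 10.0 ** (-2.0 * credits)


if __name__ == "__main__":
    # Scenario 1a of Section 7.5: LIC fails 1e-1/yr, dike PFD 1e-2 -> exponent 3 -> 1e-3/yr
    F = frequency_exponent(1e-1, [1e-2])
    print(F, exponent_to_frequency(F))
    # Scenario 2a: inventory control fails 1/yr, operator 1e-1, dike 1e-2 -> 0 + 1 + 2 = 3
    print(frequency_exponent(1.0, [1e-1, 1e-2]))
    # Nearest-integer rounding versus the conservative rule for a 2e-2 coefficient
    print(exponent(3e-2), exponent(4e-2), exponent(2e-2), exponent(2e-2, conservative=True))
    print(ipl_credits(1e-3), credits_to_pfd(1.5))
```

Note the difference the rounding rule makes for 2 × 10–2: nearest-integer rounding gives 2 (treating it as 1 × 10–2), the conservative rule gives 1 (treating it as 1 × 10–1). A company's LOPA rules should fix one convention, since the choice changes the mitigated frequency by an order of magnitude.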
7.5. Continuing Examples

In the continuing examples, consequence categories were determined as
• release, by the Risk Matrix Consequence Categorization Method (Method 1 from Chapter 3), or
• fire (business loss),
• injury, where the severity is taken as fatality, by the Fatality Frequency Criteria Method (Method 3 from Chapter 3).

Frequency of fire is calculated below.
Continuing Example 1: Hexane Surge Tank Overflow—Numerical Methods

Consider the hexane surge tank problem introduced in Chapter 2. We can now calculate the frequencies of the mitigated scenarios with the existing IPLs in place, using Eq. (7-1). Note that consequence frequencies could be calculated for release, fire, exposure, and injury (in these examples, the severity of the injury is fatality).

Scenario 1a: Hexane Surge Tank Overflow—Spill Not Contained by the Dike

Frequency of consequences outside the dike due to LIC failure.
• Release [Risk Matrix Consequence Categorization Method (Method 1 from Chapter 3)], from Eq. (7-1),

$$f_{1a}^{\text{release}} = f_{1a}^{\text{LIC fails}} \times PFD_{\text{dike}} = (1 \times 10^{-1}/\text{yr}) \times (1 \times 10^{-2}) = 1 \times 10^{-3}/\text{yr}$$

• Fire, using Eq. (7-2):

$$f_{1a}^{\text{fire}} = f_{1a}^{\text{LIC fails}} \times PFD_{\text{dike}} \times P_{\text{ignition}} = (1 \times 10^{-1}/\text{yr}) \times (1 \times 10^{-2}) \times (1.0) = 1 \times 10^{-3}/\text{yr}$$

• Fatality due to fire [Fatality Frequency Criteria Method (Method 3 from Chapter 3)], using Eq. (7-4),

$$f_{1a}^{\text{fire fatality}} = f_{1a}^{\text{LIC fails}} \times PFD_{\text{dike}} \times P_{\text{ignition}} \times P_{\text{person}} \times P_{\text{fatality}}$$

$$f_{1a}^{\text{fire fatality}} = (1 \times 10^{-1}/\text{yr}) \times (1 \times 10^{-2}) \times (1.0) \times (0.5) \times (0.5) = 2.5 \times 10^{-4}/\text{yr}, \text{ rounded to } 2 \times 10^{-4}/\text{yr}$$
Scenario 1b: Hexane Surge Tank Overflow—Spill Contained by the Dike

Frequency of consequences inside the dike due to LIC failure:
• Release [Risk Matrix Consequence Categorization Method (Method 1 from Chapter 3)]. For this case the dike is not considered as an IPL, so the consequence frequency is equal to the initiating event frequency.

$$f_{1b}^{\text{release}} = f_{1b}^{\text{LIC fails}} = 1 \times 10^{-1}/\text{yr}$$

• Fire, using Eq. (7-2),

$$f_{1b}^{\text{fire}} = f_{1b}^{\text{LIC fails}} \times P_{\text{ignition}} = (1 \times 10^{-1}/\text{yr}) \times (0.1) = 1 \times 10^{-2}/\text{yr}$$

• Fatality due to fire [Fatality Frequency Criteria Method (Method 3 from Chapter 3)]. Equation (7-4) is used:

$$f_{1b}^{\text{fire fatality}} = f_{1b}^{\text{LIC fails}} \times P_{\text{ignition}} \times P_{\text{person}} \times P_{\text{fatality}} = (1 \times 10^{-1}/\text{yr}) \times (0.1) \times (0.1) \times (0.5) = 5 \times 10^{-4}/\text{yr}$$
Chapter 8 will discuss decision making and adding additional protection layers. Some companies would not perform the LOPA calculations for release leading to fatality from fire within the dike scenario. Their experience is that the probability of ignition and the probability that a person is inside the dike gives a risk that meets the risk tolerance criteria. Other companies would do the calculations and compare against risk tolerance criteria in Chapter 8.
Continuing Example 2: Hexane Storage Tank Overflow—Numerical Methods

For the hexane storage tank introduced in Chapter 2, the frequency of the consequences can be calculated with the existing IPLs in place, using Eqs. (7-1), (7-2) and (7-4). Note that consequence frequencies could be calculated for release, fire, exposure, and injury (in these examples, the severity of the injury is fatality).

Scenario 2a: Hexane Storage Tank Overflow—Spill Not Contained by the Dike

Frequency of several consequences outside the dike due to inventory control failure:
• Release [Risk Matrix Consequence Categorization Method (Method 1 from Chapter 3)]. For this case there are two IPLs: the operator and the dike. Equation (7-1) is used:

$$f_{2a}^{\text{release}} = f_{2a}^{\text{inventory control fails}} \times PFD_{\text{operator checks LI}} \times PFD_{\text{dike}} = (1/\text{yr}) \times (1 \times 10^{-1}) \times (1 \times 10^{-2}) = 1 \times 10^{-3}/\text{yr}$$

• Fire. Equation (7-2) is used:

$$f_{2a}^{\text{fire}} = f_{2a}^{\text{inventory control fails}} \times PFD_{\text{operator checks LI}} \times PFD_{\text{dike}} \times P_{\text{ignition}} = (1/\text{yr}) \times (1 \times 10^{-1}) \times (1 \times 10^{-2}) \times (1.0) = 1 \times 10^{-3}/\text{yr}$$

• Fatality due to fire [Fatality Frequency Criteria Method (Method 3 from Chapter 3)]. Equation (7-4) is used:

$$f_{2a}^{\text{fire fatality}} = f_{2a}^{\text{inventory control fails}} \times PFD_{\text{operator checks LI}} \times PFD_{\text{dike}} \times P_{\text{ignition}} \times P_{\text{person}} \times P_{\text{fatality}}$$

$$f_{2a}^{\text{fire fatality}} = (1/\text{yr}) \times (1 \times 10^{-1}) \times (1 \times 10^{-2}) \times (1.0) \times (0.5) \times (0.5) = 2.5 \times 10^{-4}/\text{yr}, \text{ rounded to } 2 \times 10^{-4}/\text{yr}$$
Scenario 2b: Hexane Storage Tank Overflow—Spill Contained by the Dike

Frequency of several consequences inside the dike due to inventory control failure:
• Release [Risk Matrix Consequence Categorization Method (Method 1 from Chapter 3)]. Equation (7-1) is used:

$$f_{2b}^{\text{release}} = f_{2b}^{\text{inventory control fails}} \times PFD_{\text{operator checks LI}} = (1/\text{yr}) \times (1 \times 10^{-1}) = 1 \times 10^{-1}/\text{yr}$$

• Fire. Equation (7-2) is used:

$$f_{2b}^{\text{fire}} = f_{2b}^{\text{inventory control fails}} \times PFD_{\text{operator checks LI}} \times P_{\text{ignition}} = (1/\text{yr}) \times (1 \times 10^{-1}) \times (0.1) = 1 \times 10^{-2}/\text{yr}$$

• Fatality due to fire [Fatality Frequency Criteria Method (Method 3 from Chapter 3)]. Equation (7-4) is used:

$$f_{2b}^{\text{fire fatality}} = f_{2b}^{\text{inventory control fails}} \times PFD_{\text{operator checks LI}} \times P_{\text{ignition}} \times P_{\text{person}} \times P_{\text{fatality}}$$

$$f_{2b}^{\text{fire fatality}} = (1/\text{yr}) \times (1 \times 10^{-1}) \times (0.1) \times (0.1) \times (0.5) = 5 \times 10^{-4}/\text{yr}$$
Continuing Example 1: Hexane Surge Tank Overflow—Number of IPLs Credits Method

For the Number of IPLs Credits calculation method, the consequence severity was classified by the Fatality Frequency Criteria Method (Method 3 from Chapter 3). Unlike other methods discussed in this chapter, the IPL PFDs are not used in the calculations here. Instead, the adjusted initiating event frequency is used as input to the lookup Table 8.2.

Scenario 1a: Hexane Surge Tank Overflow—Spill Not Contained by the Dike

To use the number of IPLs method, the initiating event frequency of 1 × 10–1/yr is adjusted by the probability of ignition, the probability of a person present, and the probability of fatality for a fire outside the dike:

$$f_{\text{adjusted}}^I = f^I \times P_{\text{ignition}} \times P_{\text{person present}} \times P_{\text{injury}} \tag{7-11}$$

$$f_{\text{adjusted}}^I = (1 \times 10^{-1}/\text{yr}) \times (1.0) \times (0.5) \times (0.5) = 2.5 \times 10^{-2}/\text{yr}, \text{ rounded to } 2 \times 10^{-2}/\text{yr}$$

The adjusted initiating event frequency and the number of existing IPLs identified in Chapter 6 will be used in the decision making for this example in Section 8.8. The IPL PFD calculations are embedded in Table 8.2.

Scenario 1b: Hexane Surge Tank Overflow—Spill Contained by the Dike

Similar adjustments are made to the initiating event frequency for a fire inside the dike and resultant fatality:

$$f_{\text{adjusted}}^I = f^I \times P_{\text{ignition}} \times P_{\text{person present}} \times P_{\text{injury}} = (1 \times 10^{-1}/\text{yr}) \times (0.1) \times (0.1) \times (0.5) = 5 \times 10^{-4}/\text{yr}$$
The adjusted initiating event frequency and the number of existing IPLs identified in Chapter 6 will be used in the decision making for this example in Section 8.8. The IPL PFD calculations are embedded in Table 8.2.
Continuing Example 1: Hexane Surge Tank Overflow—Integer Logarithm Method

For the Integer Logarithm Method, the consequence severity was classified by the Risk Matrix Consequence Categorization Method (Method 1 from Chapter 3).
Scenario 1a: Hexane Surge Tank Overflow—Spill Not Contained by the Dike

The initiating event (LIC failure) has a frequency of 1 × 10–1/yr; the absolute value of the logarithm is 1. The PFD of the dike is 1 × 10–2; the absolute value of the logarithm of the PFD is 2. The frequency exponent of the mitigated consequence is given by 1 + 2 = 3, equivalent to 1 × 10–3/yr for release outside the dike.
Continuing Example 2: Hexane Storage Tank Overflow—Number of IPLs Credits Method

For the Number of IPLs calculation method, the consequence severity was classified by the Fatality Frequency Criteria Method (Method 3 from Chapter 3).

Scenario 2a: Hexane Storage Tank Overflow—Spill Not Contained by the Dike

To use the number of IPLs method, the initiating event frequency of 1/yr is adjusted by the probability of ignition, the probability of a person present, and the probability of fatality for a fire outside the dike:

$$f_{\text{adjusted}}^I = f_i^I \times P_{\text{ignition}} \times P_{\text{person present}} \times P_{\text{injury}} = (1/\text{yr}) \times (1.0) \times (0.5) \times (0.5) = 2.5 \times 10^{-1}/\text{yr}, \text{ rounded to } 2 \times 10^{-1}/\text{yr}$$

The adjusted initiating event frequency and the number of existing IPLs identified in Chapter 6 will be used in the decision making for this example in Section 8.8. The IPL PFD calculations are embedded in Table 8.2.

Scenario 2b: Hexane Storage Tank Overflow—Spill Contained by the Dike

Similar adjustments are made to the initiating event frequency for a fire inside the dike:

$$f_{\text{adjusted}}^I = f_i^I \times P_{\text{ignition}} \times P_{\text{person present}} \times P_{\text{injury}} = (1/\text{yr}) \times (0.1_{\text{ignition}}) \times (0.1_{\text{person present}}) \times (0.5_{\text{injury}}) = 5 \times 10^{-3}/\text{yr}$$

The adjusted initiating event frequency and the number of existing IPLs identified in Chapter 6 will be used in the decision making for this example in Section 8.8. The calculations are embedded in Table 8.2.
Continuing Example 2: Hexane Storage Tank Overflow—Integer Logarithm Method

For the Integer Logarithm Method, the consequence severity was classified by the Risk Matrix Consequence Categorization Method (Method 1 from Chapter 3).
Scenario 2a: Hexane Storage Tank Overflow—Spill Not Contained by the Dike

The initiating event (inventory control failure) has a frequency of 1/yr; the logarithm is 0. The PFD of the operator checking the level indicator (LI) is 1 × 10–1 and the PFD of the dike is 1 × 10–2. The absolute values of the logarithms of the PFDs are 1 and 2, respectively. The frequency exponent of the mitigated consequence is given by 0 + 1 + 2 = 3, equivalent to 1 × 10–3/yr for release outside the dike.
7.6. Link Forward

The scenario frequencies or risks determined in Chapter 7 are used as a starting point for the decision-making process in Chapter 8.
8 Using LOPA to Make Risk Decisions
8.1. Purpose

This chapter presents approaches for using the calculated results from Chapter 7 as input in making risk decisions. All of the methods described in this chapter can be used to make decisions for reaching risk levels that are “as low as reasonably practicable” (ALARP), also defined as the risk level that is tolerable to the organization. Several methods are described using numerical criteria and one which employs expert judgment by an analyst (the latter method is not recommended by the authors, but has been used in industry and is presented for completeness). The methods are compared, and examples are given. This chapter addresses Step 6 of the LOPA method described in Chapter 2. For all of the approaches, cost–benefit analysis may be an additional tool to help make the final risk-reduction decisions.
8.2. Introduction

Decision making takes place after the scenarios have been fully developed and the existing risk has been calculated, as described in previous chapters. At the end of any study, whether qualitative or quantitative, the decisions regarding risk normally fall into one of three general categories:
1. Manage the residual risk—continue the management systems that maintain the risk at its current (presumably tolerable) level.
2. Modify (mitigate) the risk to make it tolerable.
3. Abandon the risk (businesses, process, etc.) because it is too high.

Decisions to abandon operations are normally made as a result of other studies such as quantitative risk assessment (CPQRA). LOPA, on the other hand, is usually applied to determine if a scenario is within the risk tolerance criteria or if its risk must be reduced. Three basic types of risk judgment are used in conjunction with LOPA:
1. The predominant method is to compare the calculated risk with predetermined risk tolerance criteria through use of various methods, which will be discussed below.
2. The second type is expert judgment by a qualified risk analyst, which as noted above, is not recommended by the authors but is included for completeness.
3. The third type is relative comparison among competing alternatives for risk reduction, using either of the methods described above.

Cost–benefit analysis is often also used to compare the value of competing options. This technique supplements the basic risk judgment approaches. Several methods for risk judgment are presented in this chapter. A brief description of each method is provided, with a discussion of the advantages and disadvantages of each method. Examples are provided for each method. Three of the methods are applied to the ongoing example problems. It is also possible to combine features of the different methods in order to facilitate the decision-making process. An important factor in the use of any risk decision method is judgment. Use of judgment requires a good understanding of the process being analyzed and the relative effectiveness of the various protective layers found during the analysis (IPL development). To make quality decisions using judgment, the organization should be aware of, and understand, the potential responses to chemical industry accidents from various groups.
Considerations that may cause one to adjust previously defined criteria for specific situations include:
• Community Response—The community may or may not be knowledgeable of the potential hazards or the consequences of accidents, or may be particularly sensitive to certain kinds of events, such as chlorine or methyl isocyanate releases. The community may or may not be properly prepared with emergency plans and organizations to deal with a hazardous release if it occurs. These may vary widely from location to location, depending on history, community proximity, and other factors.
• Management Reaction—The site and business management should generally be knowledgeable and aware of the hazards associated with the materials and processes at the site, but may not be intimately familiar with process details.
• Regulatory Reaction—Some materials are high profile, such as chlorine, methyl isocyanate, or hydrofluoric acid. Regulatory interest will be high in the case of a release of these materials.
• Consistency with Other Practices—Finally, the decision-making process should be consistent with good engineering practices in the industry.
For further discussion of such factors, refer to the Chapter 9 discussion on criteria development.

Many companies have found a benefit in the objective criteria for risk categories when using LOPA for making risk decisions. The LOPA rules and well-defined criteria reduce subjectivity in the decision-making process, leading to faster, more defensible, and more consistent decisions.
Examples of Criteria

Development of specific risk tolerance criteria will be discussed in Chapter 9. It is sufficient to note here that risk tolerance criteria fall into four basic categories:
1. Criteria that place risk characterizations per scenario in matrices, with parameters of frequency and consequence as guides.
2. Criteria that specify a maximum allowable risk (e.g., fatality or dollar loss) per scenario.
3. Criteria that specify a minimum number of IPLs for any specific scenario.
4. Criteria that specify a maximum cumulative risk for a process or geographic area (see Section 8.7).
Each of these will be discussed further in Sections 8.3–8.7.
8.3. Comparing Calculated Risk to Scenario Risk Tolerance Criteria

For this type of risk decision making, the calculated risk from Chapter 7 is compared to a risk criterion that relates to some measure of maximum risk per scenario that the company will tolerate—this is discussed further in Section 9.6. This can take the form of a matrix, a maximum tolerable risk per scenario, or a requirement for a specific number of IPLs, given the frequency of the initiating event and the severity of the consequences. If the calculated risk is less than the risk criterion, the scenario is judged to have a sufficiently low risk or sufficient mitigation (or IPLs) that no further mitigation is needed. If, however, the calculated risk exceeds the risk criterion, the scenario is judged to require additional (or stronger) mitigation (IPLs), or to require changes in the design to make the process inherently safer, thus reducing scenario frequency or consequence, or (preferably) eliminating the scenario. Additional analysis, up to and including CPQRA, may be required when:
• "gray" areas exist in the risk criteria, or
• the indicated mitigation or changes are highly complex or costly.
Matrix Methods

Risk matrices are a generalized method of visually showing the frequency tolerable for a scenario based on the consequence severity (Chapter 3) and the scenario frequency (Chapter 7). An example is presented in Table 3.1 and Table 8.1. In this matrix, each cell is associated with the degree of risk reduction required for a scenario which falls into that cell. For instance,
• the "very low" zone (cells on the lower left) may require no further action (this may be the ALARP level noted earlier),
• the "low" zone (cells along the diagonal from upper left to lower right) may require management judgment to ascertain whether further mitigation is needed (this is also the zone at which the risk is at the "tolerated" level, but also requires analysis to identify any low cost or easily implemented reduction measures),
• the "moderate" zone (cells just above the diagonal) may require further mitigation at the next opportunity, and
• the "high" zone (cells in the upper right) may require immediate mitigation or shutdown of the process.
It may be necessary to use a different matrix for different sites to recognize the proximity of the site boundary and off-site population. The embedded risk tolerance criteria may also include consideration of business risk as well as injury and fatality. The matrix method may be the most widely used approach for making risk decisions with LOPA.
Numerical Criteria Method (Maximum Tolerable Risk per Scenario)

Some companies have developed risk criteria based on a maximum tolerable risk per scenario, based on a variety of consequence categories. For instance, one organization may establish as its criteria a maximum frequency (per year or per 1000 hours) of a single fatality. This may be derived from such criteria as maximum individual risk to employees (or to contractors or persons outside the plant). Others may choose frequency of releases of hazardous materials, fires, or property damage dollar loss.

TABLE 8.1 Risk Matrix with Individual Action Zones (see Table 3.1 for Consequence Category descriptions)
Number of IPL Credits

Some companies have embedded the tolerable risk criteria in tables which specify the number of IPL credits for scenarios of certain consequence levels and frequency. Tolerable criteria are not shown explicitly. Typically, tabular values are provided for the number of IPLs required for ranges of initiating event frequency and for IPL credit values for various kinds of protection layers. See Table 8.2 for an example of the first type of table. As noted on the table, the method typically assigns a value of 1 IPL credit to a layer of protection with a PFD of 1 × 10–2, and so on. The values for these credits are normally limited to multiples of whole and half credits, and can be derived from the IPL Tables 6.3, 6.4, and 6.5. Table 8.2 applies to scenarios of a predefined consequence level. For instance, the potential consequence of interest for this table could be one fatality or multiple lost-time injuries. Note also that for this method, adjustment factors such as the probability of ignition and time at risk, among others, are included as well as calculation of the initiating event frequency. More severe consequence categories (e.g., multiple fatalities, facility siting or off-site impact) might have similar tables with increased IPL requirements for each initiating event frequency range. Also, similar tables can be developed for other types of consequences, such as production loss or environmental impact.

TABLE 8.2 IPL Credit Requirements

                                           Number of IPL Credits Required**
Adjusted Initiating Event Frequency*       Consequence Category IV      Consequence Category V
                                           (One Fatality)               (Multiple Fatalities)
Frequency ≥ 1 × 10–2                       2                            2.5
1 × 10–2 > Frequency ≥ 1 × 10–3            1.5                          2
1 × 10–3 > Frequency ≥ 1 × 10–4            1                            1.5
1 × 10–4 > Frequency ≥ 1 × 10–6            0.5                          1
1 × 10–6 > Frequency                       0                            0.5

*Adjusted Initiating Event Frequency includes adjustments to the initiating event frequency for P(ignition), P(person present) and P(fatality).
**An IPL Credit is defined as a reduction in event frequency of 1 × 10–2.
8.4. Expert Judgment

Expert judgment is needed when specific risk tolerance criteria are not available or not easily established due to the type of process being analyzed or the hazards involved. The PHA team may use LOPA techniques to determine the scenarios and IPLs, and make frequency calculations. However, decisions regarding the need for additional IPLs, and the nature of such additional protection, will usually be based on the recommendations of a risk evaluation expert. The expert would compare the IPLs and other features of the scenario to industry practice, similar processes, or other points of reference in his or her experience. It should be noted that this should not be a "Lone Ranger" approach. The expert may be a member of a PHA team, which would include normal representation. As with any decision making involving process hazards, decisions should result from group consultations, not from one or two people operating in isolation. The authors do not recommend expert judgment alone for most risk decisions, but it is included for completeness. It is preferred to make risk decisions with established criteria.
8.5. Using Cost–Benefit to Compare Alternatives

Cost–benefit analysis compares the cost of the avoided consequence at its frequency versus the cost of the IPL improvements to reduce the risk (Fryman, 1996). Cost–benefit analyses can be applied in all of the decision-making methods. For example, it is common to identify more than one potential IPL to reduce the risk of a scenario. Cost–benefit analysis is generally the method used to select the IPLs for risk reduction from among the candidate IPLs. For further information see "Tools for Making Acute Risk Decisions with Chemical Process Safety Applications" (CCPS 1995c), and Handling Uncertainty: Managing Risk (CCPS, 2001).
8.6. Comparison of Approaches, Pros and Cons

This section gives advantages and disadvantages for several methods of risk decision making.
Matrix Method

The following are some advantages of the Matrix method for risk decision making:
• This method provides a clear delineation of the risk associated with a scenario. The risk reduction required can be demonstrated visually and numerically, and various risk reduction decision areas are easily described.
• The actual risk tolerance numerical values used by an organization can be embedded in the matrix, for companies that prefer not to use explicit criteria; disproportionately lower risk tolerance criteria for high consequence events can be included.
• The precision of many risk matrix methods (generally to an order of magnitude) makes them well suited for use with the LOPA method with its use of conservative and simplifying assumptions.
• It is easy to make decisions since only one scenario at a time is involved in the risk decision.
The disadvantage of using a matrix method:
• The development of a useful matrix (see Table 8.1) with its associated consequence matrix (see Chapter 3) requires significant resources and technical expertise. In addition, the development of the criteria to be used to assess risk tolerance can be difficult for some organizations. In using this matrix, analysts must fully understand its assumptions and implications.
Numerical Criteria Method

The advantages of the numerical criteria method:
• Per scenario criteria are easy to understand.
• Per scenario criteria are consistent for a given material across a specific site.
• It is easy to make decisions since only one scenario at a time is involved in the risk decision.
The disadvantages of the numerical criteria method:
• There may be a temptation to make too fine or too general a judgment in estimating the ignition probability, the probability of injury, and the probability of a person present, and to place too great a confidence in that judgment. This is also the reason for establishing conservative guidelines for such probabilities, to minimize this potential weakness.
• Adjusting frequencies for enabling conditions and the ignition probability, the probability of injury, and the probability of a person present adds complexity.
Number of IPL Credits Method

The advantages of the number of IPL credits method:
• As with the matrix method, the boundaries for frequency and severity categories are easily identified.
• It is easy to use.
• The risk tolerance criteria can be embedded, for companies that prefer not to use explicit criteria.
• It is easy to make decisions since only one scenario at a time is involved in the risk decision.
The disadvantages of the number of IPL credits method:
• The gross assumptions made for crediting the mitigation methods may result in requirements for more IPLs than another LOPA method or than FTA.
• There may be a temptation to make too fine or too general a judgment in estimating the ignition probability, the probability of injury, and the probability of a person present, and to place too great a confidence in that judgment.
8.7. Cumulative Risk Criteria versus Scenario Criteria

Some companies have developed risk criteria based on a maximum tolerable risk per unit, per geographic area, or cumulative risk per person (i.e., risk to a specific worker is less than x for the sum of all scenarios that could affect that person). Evaluating the total risk to a populated building against such a cumulative risk criterion may be used in facility siting decisions. As noted in Section 8.3, the criteria may arise from a single risk tolerance target, such as maximum individual risk to employees (or to contractors or persons outside the plant). The criteria can also be based on a sliding scale that represents less risk tolerance for multiple-impact events than for those which might impact only a single individual. If there is a single risk tolerance criterion for cumulative risk, then single scenario risk criteria can be derived using Equation 8-1:

    C_single scenario = (Risk Criteria) / (No. of Scenarios)          (8-1)

If the risk tolerance criteria have a sliding scale for multiple impact events, determination of single scenario risk criteria is more complex, and will not be discussed here. Refer to Chapter 9 for further guidance. When using cumulative risk tolerance criteria, it is sometimes more difficult to assess each individual scenario, since more scenarios imply lower tolerable risk for each scenario. The number of scenarios may not be known at the beginning of the assessment. Decision making may be more difficult since total risk from many scenarios is involved in the risk decision.

Example 8.1
A site study found that 10 scenarios resulted in fatal consequences for the unit control building. They added the mitigated event frequencies for the 10 scenarios and compared the total with the tolerable risk criteria for fatalities to a single employee.
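Example 8.1 sums the mitigated frequencies of the scenarios that reach one receptor and compares the total with a single-employee fatality criterion. The Python below is an added illustration, not code from the book: it carries that sum through for a constructed set of ten scenario frequencies and a constructed criterion, and also applies Equation 8-1 to allocate the cumulative criterion across the scenarios. The names assess, SCENARIO_FREQUENCIES and CUMULATIVE_CRITERION, and all the numbers, are this example's own.

```python
"""Cumulative risk check for one receptor (Section 8.7, Example 8.1).
Added illustration; the scenario frequencies and the criterion below are
constructed for the example and do not come from the book."""

# Constructed: mitigated fatality frequencies (per year) of the ten scenarios
# found to affect occupants of the unit control building.
SCENARIO_FREQUENCIES = {
    "S01": 2.0e-6, "S02": 2.0e-6, "S03": 1.0e-6, "S04": 5.0e-7, "S05": 2.0e-6,
    "S06": 1.0e-6, "S07": 5.0e-7, "S08": 2.0e-6, "S09": 1.0e-6, "S10": 2.0e-6,
}
# Constructed: maximum tolerable cumulative fatality risk to a single employee (per year).
CUMULATIVE_CRITERION = 1.0e-5
# Relative tolerance for frequency comparisons, so float rounding in the
# allocation cannot flip a borderline scenario.
REL_TOL = 1e-9


def cumulative_risk(frequencies):
    """Total frequency of the consequence at the receptor.  The scenarios are
    rare and treated as independent, so their frequencies simply add."""
    return sum(frequencies.values())


def single_scenario_criterion(cumulative_criterion, n_scenarios):
    """Equation 8-1: C_single scenario = (Risk Criteria) / (No. of Scenarios)."""
    if n_scenarios <= 0:
        raise ValueError("at least one scenario is needed")
    return cumulative_criterion / n_scenarios


def exceeds(frequency, limit):
    return frequency > limit * (1.0 + REL_TOL)


def assess(frequencies, cumulative_criterion):
    """Judge the receptor both ways: against the cumulative criterion directly,
    and scenario by scenario against the Equation 8-1 allocation."""
    total = cumulative_risk(frequencies)
    per_scenario = single_scenario_criterion(cumulative_criterion, len(frequencies))
    return {
        "total": total,
        "cumulative_met": not exceeds(total, cumulative_criterion),
        "per_scenario_criterion": per_scenario,
        # scenarios that need further IPLs once the criterion is allocated
        "over_allocation": sorted(
            name for name, f in frequencies.items() if exceeds(f, per_scenario)),
        # every scenario is below the cumulative number on its own; Section 8.7
        # is about why that is not sufficient
        "each_below_cumulative": all(
            not exceeds(f, cumulative_criterion) for f in frequencies.values()),
    }


if __name__ == "__main__":
    result = assess(SCENARIO_FREQUENCIES, CUMULATIVE_CRITERION)
    print(f"cumulative risk {result['total']:.2e}/yr, "
          f"criterion met: {result['cumulative_met']}")
    print(f"per-scenario allocation {result['per_scenario_criterion']:.2e}/yr, "
          f"scenarios over allocation: {result['over_allocation']}")
```

With these constructed numbers every scenario is individually below the 1 × 10–5/yr figure, yet the ten together reach 1.4 × 10–5/yr and the receptor fails the cumulative criterion; the Equation 8-1 allocation of 1 × 10–6/yr per scenario identifies the five scenarios that would need further IPLs.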
As noted above, another approach is to develop risk tolerance criteria for consequences other than injuries. For instance, a company might use a criterion representing maximum allowable risk of a release of flammable or toxic material above a certain threshold, one representing maximum allowable risk of a large fire, and yet another for injury or fatality to employees or persons outside the plant. Typically, these will be in decreasing tolerable frequency in the order listed above.
8.8. Continuing Examples

The continuing examples will demonstrate three of the risk decision processes practiced by the chemical industry. Each of the decision-making processes has different risk tolerance criteria, either stated explicitly as maximum tolerable frequency for a consequence of a given severity, or implicitly included in the required actions from the decision-making process. Thus, the actions may differ somewhat among the decision-making processes. In the continuing example problem, four scenarios were identified, as described in Chapter 7. Summary sheets for Scenarios 1a and 2a using the numerical criteria method are shown as Tables 8.3 and 8.4. Summary sheets for all the scenarios and several risk decision-making methods are shown in Appendix A.
Continuing Example 1: Hexane Surge Tank Overflow—Matrix Method

For the Matrix Method calculation method, the consequence severities were classified by the Risk Matrix Consequence Categorization Method (Method 1 from Chapter 3).

Scenario 1a: Hexane Surge Tank Overflow—Spill Not Contained by the Dike
The tank LIC fails, the overflow is not contained by the dike, and the spill ignites. As shown in Table 3.1, the release of 40,000 lb of a flammable liquid below its boiling point is consequence Category 4. As shown in Chapter 7, the as-is frequency of release outside the dike is 1 × 10–3/yr. Looking up the consequence Category 4 and frequency 1 × 10–3/yr on the risk matrix in Table 8.1, action to reduce risk is "optional" and "alternatives should be evaluated."

Scenario 1b: Hexane Surge Tank Overflow—Spill Contained by the Dike
The tank LIC fails and the overflow is contained by the dike. As discussed in Chapter 3, a release contained in the dike is not considered to be a consequence of interest in this particular matrix method.
Continuing Example 2: Hexane Storage Tank Overflow—Matrix Method

For the Matrix Method calculation method, the consequence severities were classified by the Risk Matrix Consequence Categorization Method (Method 1 from Chapter 3).

Scenario 2a: Hexane Storage Tank Overflow—Spill Not Contained by the Dike
Failure of the inventory control system results in storage tank overfill, the spill is not contained by the dike, and subsequently ignites. As shown in Table 3.1, the release of 40,000 lb of a flammable liquid below its boiling point is Category 4. As shown in Chapter 7, the as-is frequency of release outside the dike is 1 × 10–3/yr. Looking up the consequence Category 4 and frequency 1 × 10–3/yr on the risk matrix in Table 8.1, action to reduce risk is "optional" and "alternatives should be evaluated."

Scenario 2b: Hexane Storage Tank Overflow—Spill Contained by the Dike
Inventory control failure results in storage tank overfill and the hexane is contained by the dike. As discussed in Chapter 3, a release contained in the dike is not considered to be a consequence of interest here.
Decision Process

In each scenario above, the next step is to determine if risk reduction actions are needed using the risk matrix. The comparison of the existing risk to the company's risk tolerance criteria is implicit in the risk matrix. Scenarios 1b and 2b require no action since a spill contained by the dike is not considered to be a consequence of interest by this method. For Scenarios 1a and 2a the risk matrix says action is optional and alternatives should be evaluated. The team explores possible alternatives to reduce risk and decides to install an independent SIF (safety instrumented function, or interlock) with PFD = 1 × 10–2 to detect and prevent overflow for scenarios 1a and 2a. The selection of the SIF is based on risk reduction, feasibility, and cost. For scenario 1a, the SIF reduces the frequency of release from 1 × 10–3/yr to 1 × 10–5/yr. For scenario 2a, the SIF also reduces the frequency of release from 1 × 10–3/yr to 1 × 10–5/yr. The risk matrix of Table 8.1, for a Category 4 consequence at a release frequency of 1 × 10–5/yr, gives "No further action." These frequencies for this consequence severity meet the implicit tolerable risk criteria. (Note that the SIF will also reduce the frequency of the other two scenarios for release contained within the dike, but no decisions are required for those scenarios.)
Continuing Example 1: Hexane Surge Tank Overflow—Numerical Criteria

The consequence severities were classified using the Fatality Frequency Criteria Method (Method 3 from Chapter 3).

Scenario 1a: Hexane Surge Tank Overflow—Spill Not Contained by the Dike
The tank LIC fails, the overflow is not contained by the dike, and the spill spreads and eventually ignites. As shown in Chapter 7, the as-is frequency of fire outside the dike is 1 × 10–3/yr, and the frequency at which this scenario results in a fatal injury is 2 × 10–4/yr.

Scenario 1b: Hexane Surge Tank Overflow—Spill Contained by the Dike
The tank LIC fails, the overflow is contained by the dike, and the spill ignites. As shown in Chapter 7, the as-is frequency of fire inside the dike is 1 × 10–2/yr, and the frequency at which this scenario results in a fatal injury is 5 × 10–4/yr.
Continuing Example 2: Hexane Storage Tank Overflow—Numerical Criteria

The consequence severities were classified using the Fatality Frequency Criteria Method (Method 3 from Chapter 3).

Scenario 2a: Hexane Storage Tank Overflow—Spill Not Contained by the Dike
Failure of the inventory control system results in storage tank overflow, the spill is not contained by the dike, and subsequently ignites. As shown in Chapter 7, the as-is frequency of fire outside the dike is 1 × 10–3/yr, and the frequency at which this scenario results in a fatal injury is 2 × 10–4/yr.

Scenario 2b: Hexane Storage Tank Overflow—Spill Contained by the Dike
Inventory control failure results in storage tank overfill, the hexane is contained by the dike, and subsequently ignites. As shown in Chapter 7, the as-is frequency of fire inside the dike is 1 × 10–2/yr, and the frequency at which this scenario results in a fatal injury is 5 × 10–4/yr.
Decision Process

For each scenario above, the next step is to compare the existing risk to the company's risk tolerance criteria. For the examples, the following have been adopted:
• Maximum tolerable risk of a serious fire = 1 × 10–4/yr
• Maximum tolerable risk of a fatal injury = 1 × 10–5/yr
The team then compares the existing risk of the four scenarios to the risk tolerance criteria. None of the scenarios meet the criteria for a fire, nor do any of the scenarios meet the criteria for a fatal injury. Therefore, additional mitigation is required for all four of the scenarios. Several options are available to the team, including addition of one or more BPCS controls (see Approach B, Chapter 6 and Chapter 11), addition of administrative controls, and/or addition of SIF (see Approach A, Chapter 6). Addition of a BPCS control with a failure rate of 1 × 10–1/yr results in scenario 2a meeting the risk tolerance criteria for a serious fire, but would also introduce an element of common cause failure, due to all of the BPCS instruments relying on a single logic solver. The result would also not meet the risk tolerance criteria for a fatal injury. Addition of administrative controls would have similar effects, since an administrative control typically has a PFD of about 1 × 10–1. This would also involve some common cause considerations because of the limited number of personnel available to carry out the administrative controls. To meet the criteria for fatality for scenarios 1a and 1b, the PFD of the added IPL would need to be 4 × 10–2 and 2 × 10–2, respectively. An SIF (interlock) design is available for PFD of 1 × 10–2. Therefore, the team recommends installation of an independent SIF of PFD = 1 × 10–2 for mitigation of all four scenarios (see Figures 8.1 and 8.2). This results in mitigated final frequencies of:

1a. f_fire,1a     = (1 × 10–3/yr) × (1 × 10–2 SIF PFD) = 1 × 10–5/yr
    f_fatality,1a = (2 × 10–4/yr) × (1 × 10–2 SIF PFD) = 2 × 10–6/yr
1b. f_fire,1b     = (1 × 10–2/yr) × (1 × 10–2 SIF PFD) = 1 × 10–4/yr
    f_fatality,1b = (5 × 10–4/yr) × (1 × 10–2 SIF PFD) = 5 × 10–6/yr
2a. f_fire,2a     = (1 × 10–3/yr) × (1 × 10–2 SIF PFD) = 1 × 10–5/yr
    f_fatality,2a = (2 × 10–4/yr) × (1 × 10–2 SIF PFD) = 2 × 10–6/yr
2b. f_fire,2b     = (1 × 10–2/yr) × (1 × 10–2 SIF PFD) = 1 × 10–4/yr
    f_fatality,2b = (5 × 10–4/yr) × (1 × 10–2 SIF PFD) = 5 × 10–6/yr
It should be noted that there are other possible mitigation methods that will reduce the scenarios to below the risk tolerance criteria, but most involve some degree of common cause failure or additional cost. In other cases, it may be appropriate to pursue such alternatives, particularly if they drive the scenarios in the direction of inherent safety or consequence reduction.
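The numerical criteria decision above is a chain of multiplications and two comparisons per scenario. The Python below is an added worked example, not the book's own code: it builds Scenarios 1a and 2a from the inputs on the summary sheets (Tables 8.3 and 8.4), computes the fire and fatality frequencies before and after the SIF, tests them against the two adopted criteria, and computes the PFD an added layer would need (the 4 × 10–2 quoted for Scenario 1a). The Scenario class, the with_ipl and required_added_pfd names and the treatment of the fire frequency as release frequency times ignition probability are this example's own assumptions; the summary sheets carry 2.5 × 10–4/yr for the unmitigated fatality frequency where the text rounds to 2 × 10–4/yr.

```python
"""Numerical criteria method (Section 8.3) for continuing-example Scenarios 1a
and 2a.  Added worked example, not the book's own code.  Inputs are those of
the summary sheets in Tables 8.3 and 8.4; class and function names are this
example's own."""
from dataclasses import dataclass, field
from math import prod

# Risk tolerance criteria adopted for the continuing examples (per year).
MAX_TOLERABLE_FIRE = 1e-4
MAX_TOLERABLE_FATALITY = 1e-5


@dataclass
class Scenario:
    name: str
    initiating_freq: float                  # initiating event frequency, per year
    p_ignition: float = 1.0                 # conditional modifiers (Chapter 7)
    p_person_present: float = 1.0
    p_fatal_injury: float = 1.0
    enabling_prob: float = 1.0              # 1.0 when no enabling condition applies
    ipl_pfds: dict = field(default_factory=dict)   # IPL name -> PFD

    def total_pfd(self):
        """Product of the PFDs of all credited independent protection layers."""
        return prod(self.ipl_pfds.values())      # empty product is 1.0

    def fire_frequency(self):
        """Release frequency times ignition probability, reduced by the IPLs
        (assumption of this example: matches the 1e-3/yr quoted for 1a and 2a)."""
        return (self.initiating_freq * self.enabling_prob * self.p_ignition
                * self.total_pfd())

    def fatality_frequency(self):
        """Fire frequency further modified by occupancy and fatal-injury probability."""
        return self.fire_frequency() * self.p_person_present * self.p_fatal_injury

    def with_ipl(self, name, pfd):
        """Copy of this scenario with one more independent layer credited."""
        if name in self.ipl_pfds:
            raise ValueError(f"IPL {name!r} already credited")
        return Scenario(self.name, self.initiating_freq, self.p_ignition,
                        self.p_person_present, self.p_fatal_injury,
                        self.enabling_prob, {**self.ipl_pfds, name: pfd})


def required_added_pfd(current_freq, criterion):
    """PFD at which current_freq * PFD just reaches the criterion; an added
    layer must be at least this good.  None when no added layer is needed
    (the summary sheets state the criteria as strict upper bounds)."""
    if current_freq < criterion:
        return None
    return criterion / current_freq


def assess(scenario):
    fire = scenario.fire_frequency()
    fatal = scenario.fatality_frequency()
    return {
        "fire": fire,
        "fatality": fatal,
        "fire_met": fire < MAX_TOLERABLE_FIRE,
        "fatality_met": fatal < MAX_TOLERABLE_FATALITY,
        "added_pfd_needed": required_added_pfd(fatal, MAX_TOLERABLE_FATALITY),
    }


# Scenario 1a (Table 8.3): BPCS LIC loop failure at 1e-1/yr; the dike is the existing IPL.
SCENARIO_1A = Scenario("1a", 1e-1, p_ignition=1.0, p_person_present=0.5,
                       p_fatal_injury=0.5, ipl_pfds={"dike": 1e-2})
# Scenario 2a (Table 8.4): truck arrives with insufficient room at 1/yr;
# operator level check and dike are the existing IPLs.
SCENARIO_2A = Scenario("2a", 1.0, p_ignition=1.0, p_person_present=0.5,
                       p_fatal_injury=0.5,
                       ipl_pfds={"operator check": 1e-1, "dike": 1e-2})
SIF_PFD = 1e-2   # SIF design available to the team

if __name__ == "__main__":
    for base in (SCENARIO_1A, SCENARIO_2A):
        before = assess(base)
        after = assess(base.with_ipl("SIF", SIF_PFD))
        print(f"Scenario {base.name}: fatality {before['fatality']:.1e}/yr, "
              f"added PFD needed {before['added_pfd_needed']:.0e}; "
              f"with SIF fatality {after['fatality']:.1e}/yr, "
              f"criteria met: {after['fire_met'] and after['fatality_met']}")
```

Running it reproduces the decision in the text: neither scenario meets either criterion as-is, an added layer of PFD 4 × 10–2 or better is required for the fatality criterion, and crediting the SIF brings both scenarios to 1 × 10–5/yr for fire and 2.5 × 10–6/yr for fatality, the values on the summary sheets.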
Continuing Example 1: Hexane Surge Tank Overflow—Number of IPL Credits Method

The consequence severities were classified using the Fatality Frequency Criteria Method (Method 3 from Chapter 3).

Scenario 1a: Hexane Surge Tank Overflow—Spill Not Contained by the Dike
The tank LIC fails, the overflow is not contained by the dike, and the spill ignites. As shown in Chapter 7, multiplying the initiating event frequency of this scenario (1 × 10–1/yr) by the adjustment factors (probability of ignition, probability of occupancy and probability of fatality) results in an adjusted initiating event frequency of 2 × 10–2/yr.

Scenario 1b: Hexane Surge Tank Overflow—Spill Contained by the Dike
The tank LIC fails, the overflow is contained by the dike, and the spill ignites. As shown in Chapter 7, multiplying the initiating event frequency of this scenario (1 × 10–1/yr) by the adjustment factors (probability of ignition, probability of occupancy and probability of fatality) results in an adjusted initiating event frequency of 5 × 10–4/yr.
Continuing Example 2: Hexane Storage Tank Overflow—Number of IPL Credits Method

The consequence severities were classified using the Fatality Frequency Criteria Method (Method 3 from Chapter 3).

Scenario 2a: Hexane Storage Tank Overflow—Spill Not Contained by the Dike
Failure of the inventory control system results in storage tank overflow, the spill is not contained by the dike, and subsequently ignites. As shown in Chapter 7, multiplying the initiating event frequency of this scenario (1/yr) by the adjustment factors (probability of ignition, probability of occupancy and probability of fatality) results in an adjusted initiating event frequency of 2 × 10–1/yr.

Scenario 2b: Hexane Storage Tank Overflow—Spill Contained by the Dike
Inventory control failure results in storage tank overflow, the hexane is contained by the dike, and subsequently ignites. As shown in Chapter 7, multiplying the initiating event frequency of this scenario (1/yr) by the adjustment factors (probability of ignition, probability of occupancy and probability of fatality) results in an adjusted initiating event frequency of 5 × 10–3/yr.
Decision Process

The next step is to compare the adjusted initiating event frequencies for each scenario above to the values in Table 8.2 to determine the number of IPL credits required. This results in the following requirements:
Scenario 1a. Requires 2 IPL credits
Scenario 1b. Requires 1 IPL credit
Scenario 2a. Requires 2 IPL credits
Scenario 2b. Requires 1.5 IPL credits
In three of these scenarios, there are already IPLs in place:
• dike wall in Scenario 1a and Scenario 2a with PFD of 1 × 10–2, or 1 IPL credit;
• operator procedure in Scenario 2a and Scenario 2b with PFD of 1 × 10–1, or 0.5 IPL credit.
This results in additional IPL requirements of:
Scenario 1a. 2 – 1 = 1 additional credit required
Scenario 1b. 1 – 0 = 1 additional credit required
Scenario 2a. 2 – 1.5 = 0.5 additional credit required
Scenario 2b. 1.5 – 0.5 = 1 additional credit required
Taking all these factors into consideration, the team might recommend a SIF (interlock) with PFD of 1 × 10–2 (on the boundary between SIL 1 and SIL 2) for scenarios 1 and 2. Possible solutions for Continuing Examples 1 and 2 are shown in Figures 8.1 and 8.2, respectively. These figures are compared to the original configuration shown in Figures 2.12 and 2.13. In both cases an independent high level sensor is added that activates an independent block valve. Note that the recommendations from this method and the matrix method differ slightly from those of the numerical criteria method, reflecting different approaches and/or different risk tolerance criteria for different companies.
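The Table 8.2 lookup, the conversion of an IPL's PFD into whole or half credits, and the shortfall arithmetic just shown can be checked mechanically. The Python below is an added worked example, not the book's own code: it encodes the One Fatality and Multiple Fatalities columns of Table 8.2, derives credits from a PFD by the 1 × 10–2-per-credit rule in the table's footnote (rounding down to a half credit, an assumption this example makes about how fractional values are treated), and reproduces the four shortfalls above from the adjusted frequencies and existing IPLs in Section 8.8. The function names and the SCENARIOS dictionary are this example's own.

```python
"""Number-of-IPL-credits method (Table 8.2) applied to the four continuing-example
scenarios of Section 8.8.  Added worked example, not the book's own code; the
adjusted frequencies, existing IPL PFDs and credit table come from the text,
the function names are this example's own."""
import math

# Table 8.2: (lower bound of the adjusted initiating event frequency band,
# credits required) for the One Fatality (IV) and Multiple Fatalities (V)
# columns.  Bands run from the highest frequency down; the first band whose
# lower bound the frequency reaches applies.
IPL_CREDIT_TABLE = {
    "IV": [(1e-2, 2.0), (1e-3, 1.5), (1e-4, 1.0), (1e-6, 0.5), (0.0, 0.0)],
    "V":  [(1e-2, 2.5), (1e-3, 2.0), (1e-4, 1.5), (1e-6, 1.0), (0.0, 0.5)],
}
CREDIT_PFD = 1e-2   # one IPL credit = frequency reduction of 1e-2 (Table 8.2 footnote)


def credits_required(adjusted_freq, category):
    """Credits Table 8.2 demands for an adjusted initiating event frequency."""
    if adjusted_freq < 0:
        raise ValueError("frequency must be non-negative")
    for lower_bound, credits in IPL_CREDIT_TABLE[category]:
        if adjusted_freq >= lower_bound:
            return credits
    raise AssertionError("table must end with a zero lower bound")


def credits_for_pfd(pfd):
    """Credits earned by a layer of the given PFD, rounded down to a half
    credit (the text limits credits to whole and half values; rounding down
    is this example's assumption)."""
    if not 0 < pfd <= 1:
        raise ValueError("PFD must lie in (0, 1]")
    raw = math.log10(pfd) / math.log10(CREDIT_PFD)   # e.g. PFD 1e-3 -> 1.5
    return math.floor(raw * 2 + 1e-9) / 2


def additional_credits(adjusted_freq, category, existing_pfds):
    """Credits still to be supplied once the existing IPLs are counted."""
    need = credits_required(adjusted_freq, category)
    have = sum(credits_for_pfd(p) for p in existing_pfds)
    return max(need - have, 0.0)


# Section 8.8: adjusted initiating event frequencies (per year) and the PFDs
# of the IPLs already in place, all judged against the One Fatality column.
SCENARIOS = {
    "1a": (2e-2, [1e-2]),         # dike wall
    "1b": (5e-4, []),             # no IPL in place
    "2a": (2e-1, [1e-2, 1e-1]),   # dike wall and operator procedure
    "2b": (5e-3, [1e-1]),         # operator procedure
}


def plan(scenarios, category="IV"):
    """Additional credits required per scenario."""
    return {name: additional_credits(f, category, pfds)
            for name, (f, pfds) in scenarios.items()}


def single_layer_covers_all(shortfalls, pfd):
    """True when one added layer of the given PFD supplies every shortfall."""
    return credits_for_pfd(pfd) >= max(shortfalls.values())


if __name__ == "__main__":
    shortfalls = plan(SCENARIOS)
    for name, extra in shortfalls.items():
        print(f"Scenario {name}: {extra} additional credit(s) required")
    print("SIF with PFD 1e-2 covers all scenarios:",
          single_layer_covers_all(shortfalls, 1e-2))
```

The output matches the list above (1, 1, 0.5 and 1 additional credits), and the last check shows why a single SIF of PFD 1 × 10–2, worth one credit, is enough for all four scenarios while an administrative layer of PFD 1 × 10–1 (half a credit) would not be.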
TABLE 8.3 Summary Sheet for Continuing Example 1—Scenario 1a: Numerical Criteria Method [Consequence Severity Using Fatality Frequency Criteria Method (Method 3 of Chapter 3)]

Scenario Number: 1a          Equipment Number:          Date:
Scenario Title: Hexane Surge Tank Overflow. Spill not contained by the dike.

Description                                                        Probability     Frequency (per year)
Consequence Description/Category: Release of hexane outside the dike due to tank overflow and failure of dike with potential for ignition and fatality.
Risk Tolerance Criteria (Category or Frequency):
  Maximum Tolerable Risk of a Serious Fire                                         <1 × 10–4
  Maximum Tolerable Risk of a Fatal Injury                                         <1 × 10–5
Initiating Event (typically a frequency): Loop failure of BPCS LIC. (PFD from Table 5.1)          1 × 10–1
Enabling Event or Condition:
Conditional Modifiers (if applicable):
  Probability of ignition                                          1
  Probability of personnel in affected area                        0.5
  Probability of fatal injury                                      0.5
  Others                                                           N/A
Frequency of Unmitigated Consequence                                               2.5 × 10–2
Independent Protection Layers:
  Dike (existing) (PFD from Table 6.3)                             1 × 10–2
  SIF (to be added—see Actions)                                    1 × 10–2
Safeguards (non-IPLs): Human action not an IPL as it depends upon BPCS generated alarms. Cannot be used as BPCS failure is initiating event (Approach A in Ch. 6).
Total PFD for all IPLs                                             1 × 10–4
Frequency of Mitigated Consequence                                                 2.5 × 10–6
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Responsible Group/Person: Plant Technical/J. Doe, June 2002. Maintain dike as an IPL (Inspection, maintenance, etc.)
Notes: Add action items to action tracking database.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE 8.4 Summary Sheet for Continuing Example 2—Scenario 2a: Numerical Criteria Method [Consequence Severity Using Fatality Frequency Criteria Method (Method 3 of Chapter 3)]

Scenario Number: 2a          Equipment Number:          Date:
Scenario Title: Hexane Storage Tank Overflow. Spill not contained by the dike.

Description                                                        Probability     Frequency (per year)
Consequence Description/Category: Release of hexane outside the dike due to tank overflow and failure of dike with potential for ignition and fatality.
Risk Tolerance Criteria (Category or Frequency):
  Maximum Tolerable Risk of a Serious Fire                                         <1 × 10–4
  Maximum Tolerable Risk of a Fatal Injury                                         <1 × 10–5
Initiating Event (typically a frequency): Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency based on plant data.          1
Enabling Event or Condition                                        N/A
Conditional Modifiers (if applicable):
  Probability of ignition                                          1
  Probability of personnel in affected area                        0.5
  Probability of fatal injury                                      0.5
  Others                                                           N/A
Frequency of Unmitigated Consequence                                               2.5 × 10–1
Independent Protection Layers:
  Operator checks level before unloading (PFD from Table 6.3)      1 × 10–1
  Dike (existing) (PFD from Table 6.5)                             1 × 10–2
  SIF (to be added—see Actions)                                    1 × 10–2
Safeguards (non-IPLs): BPCS level control and alarm is not an IPL as it is part of the BPCS system already credited in LI read by operator.
Total PFD for all IPLs (Note: Including added IPL)                 1 × 10–5
Frequency of Mitigated Consequence                                                 2.5 × 10–6
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Responsible Group/Person: Plant Technical/J. Doe, June 2002. Maintain dike as an IPL (Inspection, maintenance, etc.)
Notes: Human action at 1 × 10–1 as, although actions are simple and there are no time constraints, the PFD of the level indication loop sets the overall PFD for this IPL. Add action items to action tracking database.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
FIGURE 8.1. Continuing Example 1: Hexane Surge Tank Overflow (with added IPL).
8.9. Cautions

Since LOPA uses simplifying assumptions and approximations (frequently to the nearest order of magnitude), LOPA is not intended to be a complex decision tool or one with a high level of detail. LOPA is most effective for a general approximation of risk and the associated opportunities for mitigation of those risks. Using LOPA to justify significant reductions in protective layers or expenditures of significant amounts of capital is at times not appropriate, due to its approximate nature. For those decisions, it is often more appropriate to perform a more definitive analysis of the scenarios, using more rigorous methods such as FTA and CPQRA. The LOPA method—which includes the frequency estimates in Chapter 5, the PFD estimates in Chapter 6, and the calculations in Chapter 7—is a short cut method that is intended to be conservative. Conservative numbers will usually show a higher frequency or higher risk than more rigorous methods such as fault tree analysis and quantitative risk assessment. Conservative numbers could lead to spending extra money for frequency reduction or to turning away business because of the perceived risk. On the other hand, doing risk studies with the more rigorous methods may require significant expenditures for the studies. More sophisticated applications of LOPA are shown in Chapter 11.

FIGURE 8.2. Continuing Example 2: Hexane Storage Tank Overflow (with added IPL).
8.10. Link Forward
The techniques of LOPA can be extended to almost any type of risk reduction decision. There are many different types of risk faced by companies in the chemical industry including: environmental, health, safety and business (i.e., property, reliability, and quality). We have discussed the application of LOPA to process safety risk reduction for the purposes of reducing injury to employees and the community. For other considerations, such as those noted above, analyses must identify the multiple risk aspects for each scenario, and use the consequence that represents the highest risk to the overall business. Alternatively, the consequence can be integrated for each scenario, and the results used to calculate a composite risk for the scenario. For the latter option, a common value for consequences (such as dollars) must be used. Note that the consequences lookup Table 1 (Method 1, Chapter 3) and its companion risk matrix (Table 8.1) contain all the aspects of business risk and they can be used to make a decision on the tolerance of the integrated risk, more recently termed Enterprise Risk. Chapter 9 discusses implementation of a LOPA system in an organization, including development of risk tolerance criteria. Appendix C discusses documentation of the LOPA calculations and risk decision making.
9 Implementing LOPA
9.1. Purpose
This chapter discusses how to effectively implement LOPA. To achieve the maximum benefit from LOPA, an organization must also implement risk tolerance criteria. Implementation should be throughout an organization, and not limited to a single site or single analyst. Sections 9.2 through 9.7 discuss key questions an organization must address and the background data required before implementing LOPA. Section 9.8 describes typical steps for implementing LOPA once the questions and data needs have been addressed.
9.2. Is the Company Ready for LOPA?
A number of factors are part of this question. First, an examination of the overall risk management philosophy within the corporation is needed.
• Are the organization’s values and beliefs compatible with an objective risk management strategy?
• Does the organization have an effective process safety management system to help control risk?
• Are there policies and standards that support the reduction of risk to protect assets, productive capacity, and public trust?
• Will the organization’s senior management and attorneys agree to written risk tolerance criteria?
• Are the objectives of the risk management staff aligned with those of the organization?
• Will the organization really try to reduce risk if judged excessive?
• Does the risk management staff have the support of upper management?
• Does plant management support this initiative?
If the answer to each of these questions is yes, then the organization is probably supportive of using any risk management tool that can be profitably applied to meet the organization’s objectives. If the answer is no to one or two questions, then those hurdles should be addressed aggressively before (or during) implementation of LOPA. If most of the answers are no, then the company is probably not ready for LOPA, and resources would be better allocated to other initiatives. LOPA can be a valuable tool to control risk, but it cannot be effectively implemented if the organization is not suited for this new tool.
The second area to examine is the organization’s current risk management capability, considering the hazard analysis capability of the organization first.
• What analysis methods are currently being used?
• Does the organization have a history of rigorous analysis?
• Does the organization regularly analyze equipment, systems, procedures, and processes?
• At what level of sophistication are hazard analysis tools used?
If an organization rarely conducts formal hazard analyses on systems, and is driven primarily by law or regulation, then it is unlikely that such an organization could use LOPA with much confidence or success. However, if hazard analyses are a regular part of the engineering, design, procedure validation, and daily management processes of an organization, then LOPA may well provide another cost-effective hazard analysis tool that helps increase the safety and integrity of its systems. LOPA’s cornerstone is the organization’s policies and practices regarding risk management. Such policies and practices provide safety and reliability professionals the authority to influence and shape the design of processes and systems.
9.3. What Is the Current Foundation for Risk Assessment?
Before implementing LOPA, an organization must have certain capabilities and experience in place. A readiness assessment requires an analysis of the current risk management policies, a review of the current hazard analysis methods used, an evaluation of the capabilities within the organization, and an assessment of institutional knowledge related to consequences and failure frequencies (some of these aspects are addressed later in this chapter).
If there are clearly articulated policies, are those policies backed up by internal standards and guidelines that are a normal part of day-to-day business? The existence of standards requiring hazard analysis, safety reviews, reliability analysis, root cause/failure analyses, and design checks sets the stage for successful implementation of LOPA. For organizations that are accustomed to performing hazard analyses, LOPA will be accepted as another tool in the hazard review method toolbox. This is particularly true since HAZOP and other qualitative methods are ideally suited for finding potential accident scenarios.
The next step in evaluating the current status is to review the hazard analysis methods in use. Determine if the organization is experienced using qualitative and quantitative hazard analysis methods. Because LOPA bridges the gap between qualitative and quantitative methods, the more experience the organization has with quantitative methods the better. Organizations that have used only qualitative methods (e.g., checklist analysis, what-if analysis, or hazard and operability [HAZOP] analysis) are not likely to be experienced with failure rates or probabilities of failure on demand (PFD). Organizations that implement LOPA usually find that it forces analysts and management to recognize where “uncertainty” in risk exists. In the past, individuals argued qualitatively that the risk is, or is not, tolerable. LOPA helps build consensus because it uses quantitative (order of magnitude) estimates of risk components (initiating event frequency, independent protection layers (IPLs), and consequence).
9.4. What Data Are Required?
While LOPA is a simplified risk assessment technique, it does require data. The data quantify (to a rough order of magnitude) how often equipment fails, how often people err, the consequences of errors and failures, and how likely the safeguards will prevent the outcomes. These data will be used to develop values for consequence severity, initiating event frequency, and PFDs for IPLs.
Consequences
Consequence categories must be developed for LOPA use. An organization must understand the ranges of severity of consequences, and for the chemical industry, these include the severity of chemical releases, runaway reactions, decompositions, fires, and explosions. Many “typical” release/event scenarios may need modeling to determine the potential severity of certain types of scenarios. The organization may run its own models, contract others to run the models, or use available look-up tables to establish the range of severity.
Before implementing LOPA, an organization must have an understanding of the consequences of chemical releases, and should develop guidelines for the LOPA analyst to use when performing an analysis of a scenario. The consequence categorization guidelines should be developed such that the LOPA analyst rarely needs to run a mathematical model. Chapter 3 provides examples of typical consequence lookup tables.
Component Failure Data
Numerous databases exist that provide ranges of failure rates for almost every conceivable device. This includes relief valves, control loops, and operating procedures (Guidelines for Process Equipment Reliability Data, CCPS 1989b; IEEE 1984; OREDA 1989, 1992, 1997; EuReData 1989). The order-of-magnitude values from these sources are often accurate enough for LOPA. The sources typically provide a range of failure rates that encompass most facilities. The values are best applied when a company
• understands the source(s) of the data and
• knows how its specific processes compare to the data sources.
Some processes with standard designs, such as steam systems or propane storage facilities, can be characterized fairly accurately from existing databases. When the process is unique, the likelihood of failure is highly dependent on the particulars of that process and the environment (including climate) in which it operates. The best source of failure rate data for these processes is the actual data from those systems (i.e., from operational-specific sources). Companies or organizations with well developed mechanical integrity and incident investigation procedures, including the ability to collect and analyze the data, are more capable of assigning credible failure rates, which strengthens the credibility of their LOPA method. Most chemical companies have only recently developed reliability (mechanical integrity) databases and these databases are still being populated. Therefore, most companies applying LOPA begin with data from external sources and then use subjective judgment to fit the data to their processes. Note that organizational changes can influence the database as well. For instance, an increase in PSV maintenance staff along with a policy change to test and inspect PSVs each year instead of during turnarounds every 2 years, can improve the reliability of PSVs (assuming the test and inspection methods can detect the onset of failure).
Human Error Rates
Company or organization experience includes not only failure data for components in processes, but also softer factors such as knowledge and experience of operators, corporate culture, and behaviors. There are literature sources (Swain and Guttmann 1983; Guidelines for Preventing Human Error in Process Safety, CCPS 1994b) on human error data that can be used to estimate the likelihood of human errors. Internal company data on actual human error rates are either non-existent or anecdotal at best; therefore, most companies rely on external sources (published data) for human error rates for use in LOPA.
Incident Data
Incident data from accidents and near misses is another excellent source of data for developing typical values for initiating events, IPLs, and consequences. The chemical industry is just beginning to report near misses (Bridges 2000b). The near miss data will greatly increase the number of data points, further assisting companies to select appropriate failure data, human error data, and consequences. Currently, most companies’ incident databases do not have sufficient data to allow determination of failure rates and PFDs.
Summary of Data
Ultimately, the organization will need to establish a succinct set of failure and error data for use in LOPA. This should be a small set of choices, consistent with the self-imposed limitations of LOPA. See Chapters 5 and 6 for examples of LOPA frequency and PFD data.
9.5. Will the IPLs Remain in Place?
An organization must establish a system to periodically assess (audit) the elements (components and human interventions) identified as IPLs to ensure that the IPLs remain in service at the anticipated PFD. In some cases this will require functional testing of the devices (SIFs—interlocks, relief systems, etc.) or the human interventions. In other cases it could include inspections, such as for passive protections like dikes, drainage systems, fire walls, etc. For some IPLs, replacement or preventive maintenance may be required at a specified frequency. In all cases, the organization must ensure that the testing, inspection, preventive maintenance, procedure drills, etc., are accomplished at the appropriate frequency and with the appropriate amount of rigor. These assurance steps are necessary to achieve the PFD assigned for the IPL. The results of these assurance steps (proof tests) must be recorded, including any corrective actions taken. These records must be available to the LOPA analyst(s).
9.6. How Are the Risk Tolerance Criteria Established?
Risk tolerance criteria can be explicit or implicit. Explicit criteria include values for tolerable risk and/or values for reducing risk to “as low as reasonably practicable” (ALARP). These values can be expressed as a single value or as a contour on a graph or risk matrix. Implicit criteria are typically hidden within the procedure for selecting the number of IPLs needed for a given consequence. All organizations use criteria of some kind to make risk judgments, but some companies prefer not to document the risk tolerance criteria. Frequently, organizations have values or slogans that say something like “all accidents can be prevented” or “nothing we do is worth risking injury.” However, words like “all” and “risk” may not have an organizational meaning.
Ultimately, it is a question of what risk the organization is willing to accept. An organization might be willing to accept a fairly frequent occurrence if the consequences are small. For example, first-aid injury rates are generally accepted at a higher frequency than lost workday cases. It is, therefore, a sliding scale. The worse the consequence, the lower the tolerance for the incident.
Typically, when qualitative hazard analyses are done, potential risks are qualitatively identified. If the hazard analysis team judges the risk to be intolerable, the team will generate a recommendation that is intended to reduce the risk. That recommendation, however, gives little indication of how much an identified risk will be reduced, but the intent is typically to reduce the risk to a tolerable level. If a similar analysis were done using quantitative methods, the organization might arrive at the same decision reached using the “qualitative” methods—simply using CPQRA methods does not demand or imply that an organization has predefined tolerable risk criteria.
A CPQRA analysis will estimate the risk reduction expected from installing the protective device, but it will not determine if the risk is tolerable. That is a decision the organization must make. To achieve consistent results, the authors strongly advise that organizations define risk tolerance criteria before implementing LOPA.
Without a risk tolerance (or risk acceptance) criteria, there is a tendency to keep adding safeguards for each new idea for protection, under the false assumption that safety is continually being improved. However, an organization will eventually add IPLs that are unnecessary and thereby reduce focus on the IPLs that are critical to achieving tolerable risk. Some organizations have implemented risk tolerance criteria, coupled with LOPA, to help them focus their limited resources on the most critical.
The development of risk tolerance criteria will impact many others in an organization besides those involved in LOPA, because the criteria can and should be used to reach risk-based decisions, regardless of the hazard analysis method used. Each company must define tolerable risk levels. Upper management must buy into what is tolerable, particularly when the loss parameter is human suffering or fatality. This is a very difficult consideration. It is difficult for people to quantify situations they find unthinkable. In the extreme case, no one wants to explain in a court of law that even one fatality is tolerable. However, every individual and every organization (regardless of whether the criteria are documented) uses criteria on risk tolerance related to human suffering.
Example 9.1:
Has any regulator or community prohibited the use of extreme toxics (such as chlorine)? No! The public (represented and protected by governments) instead requires that companies act responsibly to control the risk. And we are still allowed to drive automobiles faster than 5 mph (miles per hour) (8 km/hr) on public roads, even though evidence indicates harm can occur from impacts at speeds much over 5 mph. Again, we recognize the risk of impacts/collisions and administer equipment-based and administration-based safeguards to minimize the risk of these impacts. Similarly, we do not currently require meteor shields over population centers. Such strikes could occur, yet all agree that the likelihood is so remote that shields are not required; in other words, there is agreement throughout our culture to tolerate the risk of death to personnel caused by meteorite strikes. Other examples exist that indicate there is a point at which we believe the risk is negligible (and therefore tolerable).
There are benchmarks for establishing risk tolerance criteria. Appendix E provides a sampling of single-value criteria used by industry and regulators for tolerating risk, and for judging that risk is ALARP. Company history can also help define what is acceptable. Frequently an organization may find from a review of its own history that it is actually tolerating a level of uncomfortable risk, but was not aware of this risk. As discussed before, risk is a function of consequence and frequency. The risk tolerance criterion could be simply a single value or it could be represented by an F/N curve (see Chapter 11). This value could be expressed explicitly in a number (value) or implied within a risk judgment tool such as a risk decision matrix. Thus, a company can develop risk tolerance criteria using a variety of data sources and calculations of consequences and frequencies. Effective application of LOPA can help move the risk of each scenario into a tolerable range. This is probably the most important feature of the entire LOPA process. Without risk criteria, no one will know the risk target. Success will not be defined, and it will be impossible for business leaders, LOPA team members, and team leaders to know when they have done what needs to be done.
9.7. When Is LOPA Used?
The procedures and practices governing the application of LOPA should outline the process for deciding when to use LOPA. LOPA should be applied in the gray area when the qualitative hazard analysis reveals the need for reduction in risk, but the qualitative team is
• unsure of the frequency of the final consequences,
• unsure of the consequences,
• concerned that the processes or scenarios are too complex to address qualitatively.
Here the LOPA method can help the decision-making process. Some companies decide when to use LOPA and when to use CPQRA based on the “risk” of a scenario, as estimated during a qualitative hazard evaluation. Other companies use only the “consequence” (or consequence category) to decide when to move beyond qualitative risk judgment. The flowchart shown in Figure 9.1 illustrates one organization’s approach for deciding when to use LOPA (and when to use CPQRA as well); this flowchart bases the decision making on the consequences of the scenario and references the consequence categories defined in Table 3.1 in Chapter 3.
9.8. Typical Implementation Tasks
Once the frequency data and consequence data have been documented and the risk matrix and tolerance criteria have been developed, an organization is ready to implement the LOPA approach.
Documenting Risk Tolerance Criteria
The first step in implementation is to develop a document listing the standards having a bearing on LOPA, including the risk tolerance criteria discussed earlier in this chapter (Section 9.6) and in Chapter 8. This document defines the level of risk an organization is willing to assume in the course of operating its facilities, assuming that all basic standards and practices are applied appropriately. Regardless of the specific risk assessment method or procedure, the risk tolerance criteria must provide quantitative measures to determine the acceptability of the risk associated with a scenario or a facility.
FIGURE 9.1. Flowchart for deciding which risk analysis method to use (see Table 3.1 for consequence definitions).
In some methods a range of risk is identified (such as between “tolerable” risk and “ALARP”) where a cost–benefit study may assist in deciding whether to implement modifications. If this method is used then the basis for the cost–benefit analysis should be defined. Sometimes a different approach is used when considering retrofits to an existing facility and the design of a new facility. The difference in approach must be clearly defined. In many companies the development and language of the risk tolerance criteria document requires input from the legal staff and approval of executive management.
The LOPA Guidance Document
This is a high-level document that should define the general process and prerequisites for applying LOPA within an organization. It should address the following topics:
• The body or group within the organization responsible for the LOPA method. This includes responsibility for the basic assumptions, personnel training, quality control, etc.
• The risk tolerance criteria (see Section 9.6).
• Guidance on when to use LOPA (see Section 9.7).
• Requirements for a LOPA team to proceed independently.
• Required reviews for the risk results from LOPA by corporate experts and/or local or corporate management.
• Required reviews of LOPA recommendations by corporate experts and/or local or corporate management.
• Guidance on cost–benefit method and assumptions (if required).
• Requirements for personnel to lead LOPA studies.
• Guidelines on when a LOPA study may require a more rigorous analysis (e.g., CPQRA) for all or part of a scenario (see Section 9.7).
Developing a Step-by-Step Procedure
A step-by-step procedure (protocol) is needed for reference by the user. Earlier chapters in this book contain the details on this procedure—these details should be distilled into a set of rules and examples so that LOPA is applied consistently. Essential aspects include:
• Standardized initiating event frequencies for use throughout the company.
• A standardized approach for including enabling events or conditions—if used by the LOPA method.
• Standardized PFD values for IPLs.
• Guidance on establishing the independence, effectiveness and verification of safeguards for consideration of a safeguard as an IPL. This should include specific guidance on whether to consider the BPCS logic solver available for other BPCS/IPLs when the failure of a BPCS loop is the initiating event for a scenario, or what to do when a BPCS loop is already credited as an IPL for the same scenario (see Chapters 6 and 11).
• Guidance on calculating the PFD for IPLs that have a high challenge frequency (see Chapter 7 and Appendix F)—if required by the LOPA method.
• Guidance on obtaining PFD values for IPLs not listed in the standard tables (calculation method or referenced personnel or group)—if required by the LOPA method.
• Guidance on defining the consequence category.
• Guidance on calculating the consequence frequency.
• Guidance on including additional consequence factor probabilities (e.g., probability of ignition)—if these are used in the method.
• Guidance on evaluating risk against the risk tolerance criteria to determine if further action is warranted.
• Steps to document (including sample forms) the LOPA scenarios, and to communicate the findings for further action and archiving.
• Steps to close the recommendations from LOPA.
• Provisions for auditing the system to ensure compliance or to ensure LOPA is used properly.
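The protocol items above carried through as an added example (not code from the book or from any LOPA tool it names): the initiating event frequency, enabling condition, conditional modifiers and IPL PFDs of a scenario combine into a mitigated consequence frequency, which is then compared with a single-value risk tolerance criterion. The hexane tank scenario, its 1 × 10–1/yr initiating event frequency and the 1 × 10–5/yr criterion are constructed for illustration.

```python
"""Order-of-magnitude LOPA scenario evaluation (added illustration, not the
CCPS book's own code). Initiating event frequency x enabling condition
probability x conditional modifiers gives the unmitigated consequence
frequency; multiplying by each IPL's PFD gives the mitigated frequency, which
is compared with a single-value risk tolerance criterion.
All numeric values below are constructed for illustration."""
from dataclasses import dataclass, field
from math import ceil, log10


@dataclass
class IPL:
    name: str
    pfd: float  # probability of failure on demand (order of magnitude)


@dataclass
class Scenario:
    description: str
    initiating_event_freq: float              # initiating events per year
    ipls: list = field(default_factory=list)  # independent protection layers
    enabling_prob: float = 1.0                # enabling event/condition; 1.0 if none
    # additional consequence factor probabilities, e.g. probability of ignition
    conditional_modifiers: dict = field(default_factory=dict)

    def unmitigated_frequency(self):
        f = self.initiating_event_freq * self.enabling_prob
        for prob in self.conditional_modifiers.values():
            f *= prob
        return f

    def total_pfd(self):
        total = 1.0
        for ipl in self.ipls:
            total *= ipl.pfd
        return total

    def mitigated_frequency(self):
        return self.unmitigated_frequency() * self.total_pfd()


def evaluate(scenario, tolerable_freq):
    """Compare the mitigated frequency with the criterion.
    Returns (criterion met?, additional orders of magnitude of risk reduction
    needed). The shortfall is rounded before ceil so that float noise in
    products such as 0.1 * 0.01 does not turn one order of magnitude into two."""
    f = scenario.mitigated_frequency()
    if f <= tolerable_freq * (1 + 1e-9):
        return True, 0
    return False, ceil(round(log10(f / tolerable_freq), 6))


def hexane_tank_overflow(with_sif):
    """Constructed scenario in the spirit of the book's hexane tank example."""
    ipls = [IPL("dike around tank", 1e-2),
            # operator response to the level indication: limited by the PFD
            # of the level loop, not by the simplicity of the action
            IPL("high level indication read by operator", 1e-1)]
    if with_sif:
        ipls.append(IPL("SIF: independent high-level trip", 1e-2))
    return Scenario("hexane storage tank overflow from BPCS level loop failure",
                    initiating_event_freq=1e-1, ipls=ipls)


if __name__ == "__main__":
    criterion = 1e-5  # constructed single-value criterion, events per year
    for with_sif in (False, True):
        s = hexane_tank_overflow(with_sif)
        met, short = evaluate(s, criterion)
        print(f"SIF added: {with_sif}; mitigated frequency "
              f"{s.mitigated_frequency():.1e}/yr; criterion met: {met}; "
              f"orders of magnitude short: {short}")
```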
Conducting Pilot Tests
Each organization has recommendations from hazard evaluations or investigation teams that have not yet been resolved. Therefore, one good pilot test is to choose the recommendations with the most severe consequences (Category 4 or 5), and see where the related accident scenarios fall on the risk matrix (such as the risk matrix provided in Table 8.1) for mitigated consequences (taking appropriate credit for existing safeguards). If the residual risk is not tolerable, the proposed recommendation is applied to determine if the risk is moved to the tolerable range. As the analyst(s) works through these in-house examples, he or she will begin to understand the value of this approach, and should also see where it may be necessary to modify the approach. Alternatively, if the organization has existing engineering/safeguarding standards or other established requirements, the LOPA process can be used to evaluate the elements of those requirements. This can accomplish two objectives:
1. Calibration of the risk tolerance criteria against perceived “acceptable” levels of safeguards.
2. Identification of shortfalls (or excesses) in existing protection requirements.
The results of the pilot tests mentioned above should be reviewed with experienced risk analysts and design/process experts to ensure that the final risk judgments (and therefore, the LOPA approach and risk tolerance criteria) match expert opinion.
Developing Training Courses and Training the Analysts
A short course (2-day, nominal) should be developed or contracted to train analysts on applying this technique. The training could also be done by coaching rather than using classroom instruction. As a prerequisite, all attendees of the LOPA course should have training and experience in performing qualitative hazard evaluations.
Developing Training for Personnel Who Support LOPA
In addition to training analysts, an organization may need to:
• train all hazard review leaders to identify scenarios that warrant LOPA,
• train managers concerning their role in LOPA and risk judgment,
• train maintenance and operations personnel on the care and maintenance of IPLs.
Developing User Friendly Tools
The LOPA method can be implemented using manual or “paper” methods. Many users may desire to use other tools such as dedicated software or spreadsheets. Typically, these tools help the user
• select the appropriate initiating event frequency and appropriate IPLs and PFDs and
• perform the simple math and documentation required for this method.
Planned software will allow the analyst to convert data automatically from a qualitative hazard evaluation (such as HAZOP or FMEA tables) into the starting point for a LOPA scenario, and then to complete the LOPA using pulldown data selection. Other proprietary applications have been developed to perform a LOPA for scenario data that are input by the analyst. Dedicated tools such as these can also present the results of a LOPA approach in various formats, including showing the placement on the risk matrix. As of February 2001, to the authors’ knowledge, software with planned or included LOPA features includes HazardReview LEADER™ (ABS Consulting) and PROBE™ (exida.com); several companies have developed “in-house” spreadsheets or applications to aid in LOPA.
10 Using LOPA for Other Applications
10.1. Purpose
LOPA is a tool used to perform risk assessments. Previous chapters described its use in assessing the risk level of process hazards scenarios and in evaluating whether adequate layers of protection exist. The objective of this chapter is to identify and discuss other specific uses of LOPA. This chapter will describe how LOPA is used in:
• capital improvement planning
• management of change
• mechanical integrity programs or risk-based inspection/risk-based maintenance
• risk-based operator training
• emergency response planning
• determining a credible design basis for overpressure protection
• evaluating facility siting risks
• evaluating the need for emergency isolation valves
• evaluating the removal of a safety system from service
• incident investigations
• determining SIL for SIF.
10.2. Using LOPA in Capital Improvement Planning
Costs are associated with risk mitigation measures. There are also benefits derived from risk mitigation actions. Some companies are using cost–benefit analyses to evaluate the relative merits of alternative risk-reducing cost expenditures. These results are used to prioritize projects. At the completion of a LOPA, a risk level is determined and safeguards to reduce the risk are identified. These safeguards can reduce risk by lowering the frequency of occurrence of a scenario (or, in some cases, by reducing the severity of the consequence). A capital expenditure is usually required to obtain the desired risk reduction. A decision must be made on which safeguard or set of safeguards to select. The LOPA method can be integrated with a cost–benefit method to assist with this decision. Integrating LOPA with a cost–benefit analysis is a tool that
• Captures the economic benefit from reducing risk.
• Enables decision makers to allocate resources to provide the greatest benefit. This also helps the organization decide on which of several options to pursue to achieve an acceptable risk level for a given project.
• Compares the economic attractiveness of different projects. This also helps the organization decide when to further reduce the risk level for several projects which are marginally acceptable versus tolerable risk criteria.
The parameters and procedures of this cost–benefit analysis are organization dependent, but the general principle is the same in all cases. Organizations must assign a dollar value to both the unmitigated scenario and mitigated scenario and to the risk reduction effort. Most use a net present value calculation where the time value of money is accounted for as a function of time and interest rate. Tax consequences and inflation can be incorporated into the models, or the models can be kept simple.
All of the scenarios evaluated with this procedure are equated to a financial impact, which is defined in terms of what is important to the organization. Financial impact can be identified in many ways. Some of the categories used by companies are the cost of
• minor/major injuries/fatalities to employees,
• minor/major injuries/fatalities to the off-site population,
• equipment loss/replacement,
• business loss due to production down time,
• business loss due to undesirable publicity,
• productivity loss due to employee morale,
• legal action,
• environmental cleanup,
• regulatory agency fines.
The benefit of the risk reduction is defined as the difference between the financial impact at the high-risk condition and the financial impact at the low-risk condition. This difference is divided by the cost of the risk reduction effort and the result is called the benefit to cost ratio. Most companies compare the alternatives on a relative basis rather than expecting the analysis to yield absolute cost savings. The method can be used to compare competing or alternate projects which will reduce the same risk scenario, or can be used to help decide which projects to undertake among all risk reduction projects. The important point is the establishment of the link with the LOPA technique and the use of the LOPA evaluation findings in the cost–benefit analysis.
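The benefit to cost calculation described above as an added example (not code from the book): expected annual loss is scenario frequency times financial impact, the benefit of an option is the reduction in that loss discounted to a net present value over the option's life, and the ratio is used to rank only those options that first bring the scenario to the tolerable frequency. The scenario frequencies, dollar values, discount rate and project life are constructed.

```python
"""Linking a LOPA result to a cost-benefit comparison (added illustration,
not code from the CCPS book). Expected annual loss = scenario frequency x
financial impact; an option's benefit is the reduction in expected annual
loss, discounted to net present value over its life; dividing by the option's
cost gives the benefit to cost ratio. All values are constructed."""
from dataclasses import dataclass


@dataclass
class Option:
    name: str
    mitigated_freq: float  # scenario frequency per year after the option (from LOPA)
    cost: float            # installed cost of the option, dollars


def annuity_factor(rate, years):
    """Present value of one dollar received at the end of each of `years` years."""
    if rate == 0:
        return float(years)
    return (1 - (1 + rate) ** -years) / rate


def expected_annual_loss(freq_per_year, financial_impact):
    return freq_per_year * financial_impact


def benefit_to_cost(option, current_freq, financial_impact, rate, years):
    annual_benefit = (expected_annual_loss(current_freq, financial_impact)
                      - expected_annual_loss(option.mitigated_freq, financial_impact))
    npv_benefit = annual_benefit * annuity_factor(rate, years)
    return npv_benefit / option.cost


def rank_options(options, current_freq, financial_impact, tolerable_freq, rate, years):
    """Rank only options that bring the scenario to the tolerable frequency:
    an attractive ratio does not make an intolerable residual risk acceptable."""
    eligible = [o for o in options if o.mitigated_freq <= tolerable_freq * (1 + 1e-9)]
    scored = [(benefit_to_cost(o, current_freq, financial_impact, rate, years), o.name)
              for o in eligible]
    return sorted(scored, reverse=True)  # highest ratio first


# Constructed inputs: hexane tank overflow with dike and BPCS LIC already credited.
CURRENT_FREQ = 1e-4      # mitigated frequency per year before any new option
FINANCIAL_IMPACT = 2e7   # dollars per event: injuries, tank loss, down time, fines
OPTIONS = [
    Option("add SIF (PFD 1e-2)", mitigated_freq=1e-6, cost=150_000),
    Option("add independent high-level alarm with operator response (PFD 1e-1)",
           mitigated_freq=1e-5, cost=40_000),
]

if __name__ == "__main__":
    for tol in (1e-5, 1e-6):
        print(f"tolerable frequency {tol:.0e}/yr:")
        for ratio, name in rank_options(OPTIONS, CURRENT_FREQ, FINANCIAL_IMPACT,
                                        tol, 0.08, 20):
            print(f"  {ratio:.2f}  {name}")
```

With the constructed numbers the cheaper alarm has the higher ratio, but it drops out as soon as the criterion is tightened to 1 × 10–6/yr, which is the point of applying the tolerance filter before ranking.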
10.3. Using LOPA in Management of Change
LOPA is well suited for use in the management of change (MOC) process to identify the safety issues involved in the modification of a process, procedures, equipment, instrumentation, etc., and whether the modification will meet corporate risk tolerance criteria. The LOPA summary sheet (see Appendices A and C) provides a concise means of documenting the results of the analysis and can be included with the other MOC documentation. A suitably qualified analyst must either perform the LOPA studies or review the results. All referenced documentation must be available to the analyst.
A typical procedure for using LOPA in the MOC process, if no previous LOPA analysis has been performed on the system, involves the following steps:
1. Specify the process, procedure, equipment, instrumentation, etc., involved in the change.
2. Develop scenarios for the unmodified process, procedure, equipment, instrumentation, etc., to assess the current risk level using LOPA, and document the results. Effects that may propagate into other parts of the process must also be included in the analysis.
3. Repeat the LOPA analysis using the proposed modification(s) to assess the risk, and document the results.
4. Summarize the findings of the LOPA study and, if appropriate, document that the proposed change meets the corporate risk tolerance criteria. Attach this documentation with the complete MOC documentation.
If a LOPA analysis has already been completed, then only steps 3 and 4 must be performed. LOPA studies can help an organization focus on the important issues involved in making a change. LOPA studies are self-documenting, and the MOC documentation should refer to the LOPA documentation.
10. Using LOPA for Other Applications
10.4. Using LOPA in Mechanical Integrity Programs or Risk-Based Inspection/Risk-Based Maintenance Programs
Safety critical equipment (SCE) consists of engineering controls that provide independent layers of protection to lower the risk category of a specific scenario or scenarios from “unacceptable” to “acceptable” as defined by the organizational risk tolerance criteria. Chapter 6 contains several rules for determining if an engineering control is an IPL. In particular, the engineering control must be independent of other engineering controls, must be specifically designed to prevent or mitigate the consequence of a potentially hazardous event, and must be auditable. It is important to note that some IPLs may not be safety critical equipment because they may simply lower the risk from “acceptable” to even more “acceptable.”
LOPA is an excellent way to identify safety critical equipment. Scenario 2a in Section 6.7 identified the dike for the existing hexane storage tank, the tank’s existing BPCS LIC, and the proposed SIF as IPLs whose probabilities of failure on demand were 1 × 10–2, 1 × 10–1, and 1 × 10–2, respectively. If the approach presented in this section is applied, these IPLs would be considered SCEs. After claiming these PFDs, these SCEs must be maintained to ensure their effectiveness. For example, they could be placed on a “safety critical equipment list” to ensure that they are inspected, tested, and maintained.
Many companies use risk-based decision-making tools like LOPA to identify SCEs and to drive risk-based inspection and maintenance programs. For example, one company uses a frequency/consequence tool that is very similar to LOPA to prioritize its inspection and maintenance activities. This company recently reported the following benefits associated with its program (Leonard and Lodal, 1998):
• Significant opportunities for improving mechanical integrity of critical safety equipment.
• Major improvements in their overall process safety programs.
• Improved business results due to higher utilization of existing equipment, fewer unplanned shutdowns due to unexpected failures, and targeting of scarce resources to the most risk-critical processes.
• Decreased production costs without adverse effects on the environment, safety, or health.
10.5. Using LOPA in Risk-Based Operator Training
LOPA is an excellent tool to identify safety critical actions, such as administrative or human actions that provide independent layers of protection to lower the risk category from “unacceptable” to “acceptable.” An example of a safety critical action is an operator response (e.g., closing a valve) to an alarm.
A second example is a procedure that ensures that blinds and caps on open-ended valves or connections are kept in place to prevent release of material if the valve is inadvertently opened. A third example is the wiring of the “ears” on quick-disconnect hose connection fittings to prevent the hose from disconnecting during loading or unloading operations. The safety critical actions identified can be placed on a safety critical action list to ensure that the operators receive more frequent and focused training to ensure operator knowledge and performance. The amount of training should be commensurate with the assumed PFD. This means that a company can realize significant savings by targeting training resources to the most critical operations. LOPA can also be used to improve operating procedures by highlighting critical operations and consequences of exceeding established operating limits.
10.6. Using LOPA in Emergency Response Planning
As discussed in Chapter 4, two important inputs to the LOPA program for a potential accident scenario are the mitigated as-is consequence and the mitigated as-is frequency of occurrence. A company using LOPA would be able to document a substantial number of estimated mitigated as-is offsite consequences. The following benefits would then be realized when this documentation is shared with local emergency planners:
• Planners would better understand the community risk.
• Local emergency response planning would improve because planners will be able to combine the more likely and significant accidental release information with other local planning.
• Coordination would increase between emergency response planners and facility personnel.
• Public confidence and acceptance of the emergency response planning process would increase.
• Emergency response planners would be able to conduct more effective tabletop and evacuation drills and develop more effective gas detection monitoring systems to protect human health and the environment.
• The chemical industry’s involvement in community response planning would be expanded.
10.7. Using LOPA to Determine a Credible Design Basis for Overpressure Protection
In 1995/1996, ASME approved Code Case 2211 (ASME, 1995). This allows pressure vessels to be protected by system design in lieu of mechanical relief devices subject to the following conditions (Windhorst, 1998):
1. The vessel is not exclusively in air, water or steam service.
2. The decision to provide a vessel with overpressure protection by system design is the responsibility of the user. The manufacturer is only responsible for verifying that the user has specified overpressure protection by system design, and for listing this Code Case on the data report.
3. The user shall ensure that the MAWP (maximum allowable working pressure) of the vessel is greater than or equal to the highest pressure that can reasonably be expected to be achieved by the system. The user shall conduct a detailed analysis, which examines all credible scenarios that can result in an overpressure condition.
CAUTION
This is a short summary of the results of ASME CODE CASE 2211. The reader is advised to study the code in detail before proceeding with this practice. IPLs used to reduce the frequency of a scenario to the extent that a mechanical relief device is not required must be inspected, maintained, and tested to ensure that the necessary PFDs are achieved.
Some companies apply ASME Code Case 2211 to critically evaluate the scenarios that are considered in determining the worst credible relief system design basis. In such evaluations LOPA can be used to determine the existing IPLs and their failure probabilities, and to help define the worst credible event design basis for sizing pressure relief devices. A credible event has been defined in Guidelines for Pressure Relief and Effluent Handling Systems (CCPS, 1998b) as “a scenario or event that has reasonable and sufficient likelihood of occurrence that it should be considered in selecting the design basis for an emergency relief system. This should be based on a risk analysis that includes a careful and thorough review of process characteristics, experience with similar systems, the hazardous nature of the materials handled, and the consequences of an incident.” LOPA provides an organization with a risk assessment tool to help ensure that credible scenarios are determined in a uniform, consistent manner throughout the corporation (see Chapter 4).
An important aspect in the selection of the design basis for relief systems is the ability to identify the non-credible scenarios and to document why they were not selected as the design basis. The definition of a non-credible scenario is based on the company’s risk tolerance criteria. LOPA is an effective tool in this type of screening.
There are normally many scenarios resulting in overpressure that are considered during the design of emergency relief systems. These scenarios
include, but are not limited to, runaway reactions, fire exposure, a blocked outlet pipe, utility failures and operational and equipment failures. The relief devices are sized to handle the most severe credible design case. For many exothermic batch reaction systems, the runaway reaction scenario is often the worst case design basis. In many instances the relief device size required to safely handle these exothermic runaway reactions would be so large that it would be impractical/uneconomical to proceed with the required design. LOPA can be used as a screening tool to evaluate if additional layers of protection could be added to reduce the likelihood of the runaway reaction-initiating event to a sufficiently low level so that it would not be considered a credible design basis scenario. In this example, if the likelihood of a runaway reaction is reduced to a noncredible level, then the fire exposure case or other credible scenario would become the design basis.
When LOPA screening indicates a sufficiently low scenario frequency, a quantitative risk analysis should be performed to confirm the low occurrence frequency of the undesired scenario. Typical factors that companies use to decide whether a full FTA (fault tree analysis) is required are
• the conservatism in the scenario development, and
• the magnitude of the difference between the projected mitigated risk level and the maximum tolerable risk level.
Under no circumstances should LOPA by itself be used to eliminate relief devices for a specific system.
CAUTION
When the results of a LOPA screening suggest a sufficiently low frequency of a specific scenario, it is strongly recommended that this be verified by a CPQRA study before removing the scenario from the basis for relief device sizing.
10.8. Using LOPA in Evaluating Facility Siting Risks
LOPA is also a useful tool for evaluating facility siting risks within the company’s fence line. This procedure is as follows:
1. Identify and develop credible fire, explosion, and/or toxicity scenarios which could impact occupants in buildings or affect buildings where people congregate or must go for emergency equipment.
2. Use LOPA to estimate the frequency of occurrence, consequence category, and the existing risk level within the existing layers of protection.
3. If the existing risk level is deemed “unacceptable” per the organization’s facility siting risk tolerance criteria, LOPA can be used to identify opportunities to reduce these risks and screen out certain scenarios from facility siting consequence analysis by identifying appropriate and additional IPLs.
Some companies have obtained significant dollar savings by applying LOPA to avoid the relocation of occupied buildings, installation of new blast walls, or implementation of other measures.
CCPS has issued a detailed eight-step procedure for identifying and reducing facility siting risks. Several application examples are shown in Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires (CCPS, 1996a). All of the CCPS examples use “quantitative” risk decision-making tools. LOPA can be used as a screening tool within the eight-step protocol.
10.9. Using LOPA to Evaluate the Need for Emergency Isolation Valves
Isolation valves are used to isolate a process unit if a leak occurs in a piping system or if a fire threatens to cause such a leak. These valves are usually located in a piping system so that, when closed, they prevent the sustained release of a large volume of flammable, toxic, or environmentally detrimental material. Such a release could result in a large widespread fire or the generation of a vapor cloud explosion. Examples include ethylene and propylene pipelines, propylene or LNG storage spheres and large liquid phase reactor systems. Such valves are often designed to be “fire-safe” and can be actuated from the control room or from local panels in the field. They may also have a dedicated air cylinder to provide back-up to the plant air system. These systems are expensive and are normally installed only in selected locations.
Another use of LOPA is for evaluating the need/justification for these isolation systems. Once a company has decided which type of consequence analysis to use (see Chapter 3) and how to set its risk acceptance criteria (see Chapters 7 and 8), the method would involve, for each candidate system:
1. Determining the release size that could, as a minimum, produce the consequence(s) of interest. This might be in terms of a given mass of material, a fatality, a certain estimated capital damage, lost production, etc. (see Chapter 3).
2. Creating scenarios that would result in the release of large quantities of toxic or flammable materials assuming no isolation valve is in place. These could include:
– An external fire that could cause another release by damaging piping, pumps, instrument lines, etc.
– Piping or flange leaks
– Pump seal failures
– Third party intervention
3. Calculating the frequency of these initiating events (see Chapter 5). For example, for piping leaks the calculation is done by multiplying the total length of pipe by the expected frequency (per unit length) of the type of leak that leads to the consequence of interest.
4. Determining the risk associated with the system without an isolation valve in place. This could involve using a consequence/frequency matrix, or fatality frequency, or some other method to judge whether the risk associated with the system without isolation valves is acceptable given the particular risk tolerance criteria used. Depending upon the method employed, the frequency associated with each scenario can be examined individually, or the total frequency for all scenarios associated with the system can be calculated. If the risk is acceptable then the installation of an isolation valve is not necessary (see Chapters 6, 7 and 8).
5. Determining viable options if the risk is unacceptable (see Chapter 8):
– Installing isolation valves
– Examining the mechanical design of the system to make it less susceptible to failures. This might include using welded piping, using a different pipe size, changing the pump seal designs, etc.
– Examining the process design of the system to determine if the amount of material released could be reduced. This could involve changing the pipe size, operating conditions, or materials. This is not normally a viable option, especially for existing facilities.
CAUTION
The design and installation of isolation valve systems is complex and must be considered carefully. If such a system is used to reduce risk it must meet the requirements for an IPL and the appropriate PFD must be applied to assure that the level of risk reduction gained by installing such a system is sufficient. In addition, unless the isolation valves are activated immediately after the leak occurs, they may not prevent a significant vapor cloud formation or a significant toxic release. Therefore, a quick, reliable detection and actuation system is essential.
10.10. Using LOPA to Evaluate Taking a Safety System Out of Service
LOPA can be used to determine whether a critical IPL safety system can be bypassed or taken out of service for a short, known time duration and to
determine what additional layers of protection would be required in the interim. The procedure for doing this is as follows:
1. Identifying the accident scenarios where the IPL is critical.
2. Identifying alternative safeguards that can take the place of the bypassed IPL to maintain the same risk level. (There may be some cases where an option of increasing the risk level for a short time duration is possible, as long as this new risk level is tolerable by the company’s risk criteria standards.)
One example of this type of action is a simple temperature control system that is part of a basic process control system. If high temperature is detected in a reactor system, an automatic control valve in the emergency cooling water line is opened and the emergency cooling water is used to bring the temperature back to the desired level. If this system must be taken off-line for service, it may be acceptable to use an operator to monitor the temperature of the reactor—if the temperature begins to rise, the operator opens a manual valve to allow emergency cooling water flow to the reactor. LOPA performed on this scenario would indicate whether this is acceptable for a given company or whether additional layers of protection are required. There are many other cases where LOPA can be used to evaluate the safeguards utilized by a company when a primary safety system is bypassed.
10.11. Using LOPA during Incident Investigations
Several companies have found LOPA to be a useful analysis and communication tool during incident investigations. For example, one company used LOPA to show how additional IPLs could have prevented a recent gas-fired spray dryer explosion incident at its chemical plant. LOPA has been used to identify scenarios with a common IPL that was compromised in an incident and to show how to add IPLs to reduce the frequency of occurrence.
10.12. Using LOPA in the Determination of SIL for SIF
LOPA can be used to determine the required SIL (safety integrity level) for SIFs (safety instrumented functions). See the continuing example in Chapter 8 for more details. In LOPA, the necessary PFD of a SIF is specified to meet the risk tolerance criteria. One form of LOPA for this purpose is referenced in IEC 61511, Part 3 (IEC, 2001).
11. Advanced LOPA Topics
11.1. Purpose
The purpose of this chapter is to discuss more complex methods for using the LOPA technique. It is intended for analysts who are competent with applying the basic LOPA methods presented in Chapters 3 through 8 and with event tree/fault tree techniques and methods. The approaches discussed in this chapter will enable an analyst to
• determine whether the conservative assumptions used in LOPA can be relaxed in certain cases (Section 11.2); and/or
• use LOPA to assist in more refined risk assessment studies (Sections 11.3–11.7).
The continuing examples are analyzed using a less conservative approach than employed in earlier chapters.
11.2. Counting Multiple Functions in One BPCS as IPLs in the Same Scenario
In this section the basic LOPA assumption of complete independence of IPLs from the initiating event and other IPLs credited in the same scenario is discussed. Situations where it may be appropriate to relax this requirement are presented. Important requirements and cautions are included which the reader is urged to read and understand before using this less conservative approach.
Note: Use of this approach could result in using a PFD for BPCS loop IPLs that is less than the 1 × 10–1 limit required by IEC 61511 (IEC 2001). Such a change should only be made with adequate analysis and documentation.
Comparison of Methods
Chapter 6 briefly discussed the differences between the two approaches used for assessing the independence of IPLs involving BPCS loops to decide how many IPLs exist for a particular scenario. Approach A, which was presented in Example 6.2, assumes that a single BPCS loop failure invalidates all other BPCS loops using the same logic solver. It was used in Chapters 2–8 because its rules are clear and it is conservative. Approach B, also presented in Example 6.2, assumes that if a BPCS loop fails, it is more probable that the failed component is the sensor or the final control element, and that the BPCS logic solver remained functional. This approach may be used if the analyst is experienced and adequate data are available on the design and actual performance of the BPCS logic solver. Another approach would be to divide the initiating event (BPCS failure) into three scenarios where the initiating event is alternately the sensor, the logic solver, or the final element.
Approach A
In order for a device or action to be fully credited as an IPL, it must be independent of both
• the initiating event and any enabling event and
• any other device, system, or action that is already being credited as an IPL for the same scenario.
Approach A is conservative since it assumes that a single BPCS loop failure invalidates all other BPCS loops using the same logic solver. This approach eliminates many common mode failures (see Table 6.2) affecting the PFD for the IPLs which are claimed. Approach A is straightforward to apply since its rules are unambiguous and little judgment is left to the analyst or team.
Approach B
This approach assumes that if a BPCS loop fails, it is most probable that the failed component is the sensor, the final control element, or another component other than the logic solver itself.
The assumptions made in Approach B are exactly the same as those made in Approach A except that Approach B assumes the BPCS logic solver continues to function when the failing loop element is the sensor or final element. Industry experience is that the failure rates of the detection devices and the final control elements are usually much higher than the failure rate of the BPCS logic solver in typical installations.
Approach B allows a limited number of additional elements of the BPCS to serve as IPLs for the same scenario.
Approach B BPCS Loop Failure Concepts
Failure Mode of BPCS Loops
Figure 11.1 shows the components of a simplified BPCS loop. The final control element could be a valve, solenoid, etc., or it may be an alarm that initiates human intervention. The important point is that if any one of these components fails, then the entire loop is disabled and it will not fulfill its function when challenged. Each component of the BPCS loop has its own failure rate, which is a function of its design, manufacture, installation, maintenance, etc. The probability of a component failing on demand (PFD) is related to its historic failure rate and its effective test rate. In general, for a shorter period between testing, the PFD for a component is lower. The PFD for an entire BPCS loop is approximated by summing the PFDs of all its components.
One important point concerning BPCS systems is their susceptibility to human error. In many installations the BPCS is deliberately made accessible to personnel who have the ability to change set-points, bypass alarms, etc. This openness, while providing operational benefits, does leave any BPCS IPLs open to compromise due to human error. The PFD limit stipulated for all IPLs in the BPCS in IEC 61511 does, in a general manner, take account of this factor. Therefore, any method that wishes to take a lower PFD for a BPCS IPL should also consider whether the security of the existing BPCS can support such a change. In some installations it might be necessary to impose greater control over access to the BPCS to justify the use of a lower PFD, with appropriate analysis, but this could impose unacceptable operational constraints. The security constraints for access to an SIS system are usually far more severe than for a BPCS.
CAUTION
Situations with a high challenge rate (e.g., where the challenge frequency is similar to the effective test interval) must be examined with care (see Section 7.2 and Appendix F).
FIGURE 11.1. Simplified components of a BPCS loop.
BPCS Logic Solver Failures
Historical data from a number of companies suggests that, for typical installations, the effective PFD for the BPCS logic solver is at least two orders of magnitude lower than the sensor or final control element of a BPCS loop. When this is true, the probability that the failure of a BPCS loop involved a failure of the BPCS logic solver is no more than approximately 1 in 100 (1 × 10–2). In other words, in at least 99 cases out of 100, when the BPCS loop fails, the BPCS logic solver remains fully operational. Any claim for a lower PFD must be supported by internal data or certification by a recognized independent third party—see below for important requirements and cautions.
As noted above, without adequate access and security controls the potential for human error may prevent additional BPCS functionality being counted as an IPL, even if all the other conditions described in this section are satisfied. If, however, all the conditions are met, it may be justifiable to relax the rule used in the basic LOPA method (Approach A) where the failure of any BPCS loop requires all other BPCS loops using the same logic solver (or any other common component) to be considered ineffective. This is the key difference between Approach B and the basic LOPA method.
For example, in Figure 11.2, there are two BPCS loops using the same BPCS logic solver. If both of these loops meet the other requirements for an IPL for the same scenario, the basic, conservative, LOPA method (Approach A) would only allow one of these loops to be credited as an IPL for the same scenario. This is due to the BPCS logic solver serving as a common element to both loops. Approach B would allow both loops to be credited as IPLs for the same scenario, provided the requirements discussed in the following sections are satisfied.
FIGURE 11.2. Typical BPCS logic solver with multiple loops for the same scenario.
Guidelines for Crediting Multiple Functions in One BPCS Logic Solver for the Same Scenario
The recommended guidelines for crediting multiple BPCS loops as IPLs for the same scenario are as follows:
• Adequate Access and Security Procedures—These are required to provide assurance that the potential for human error in programming, modifying or operating the BPCS is reduced to an acceptable level.
• Sensor/Final Control Elements—The sensors and final control elements usually have the highest PFD values of all the components in a BPCS loop and are the most likely to cause the failure of a loop. The following general rules qualify multiple functions on a BPCS logic solver as multiple IPLs:
– The sensor for an additional, different BPCS function must be independent of the sensor that is part of the initiating event of the scenario.
– The final element used in an additional, different BPCS function must be independent of the final element that is part of the initiating event of the scenario.
– The sensor for an additional, different BPCS function must be independent from any other sensor used in an IPL in the scenario.
– The final element for an additional, different BPCS function must be independent from any other final element used in an IPL in the scenario.
Therefore, no credit can be taken for multiple loops where either the sensor or the final control element (including action by the same alarm and operator response) is common to loops that could otherwise be IPLs for a given scenario or was part of the initiating or enabling events. This is identical to the approach taken in the basic LOPA method. Thus, as shown in Figure 11.3, since the single sensor is used for both BPCS loops 1 and 2, only a
FIGURE 11.3. Effect of common sensors for the same scenario.
FIGURE 11.4. Effect of common final control elements (including alarms) for the same scenario.
single BPCS loop can be claimed as an IPL for this scenario. Similarly, in Figure 11.4, the final control element (or the same alarm and operator response) is common to both BPCS loops, and only a single BPCS loop can be claimed as an IPL for this scenario.
Input Cards/Logic Solver/Output Cards
The input and output cards used for transferring information into and out of the logic solver are components that may fail at a higher rate than the logic solver itself. It is recommended that no additional BPCS loops be counted as IPLs where an input or output card is common unless adequate performance can be demonstrated. In Figure 11.5, A, B, C, D are sensors and 1, 2, 3, 4 are final control elements. Provided all other requirements for an IPL are satisfied, credit would be allowed for a loop with a path of (Sensor A–Input Card 1–Logic Solver–Output Card 1–Final Control Element 1) as an IPL. If the second control loop has a path of (Sensor D–Input Card 2–Logic
FIGURE 11.5. Effect of common input/output cards for the same scenario.
Solver–Output Card 2–Final Control Element 4) then it could also be claimed as an IPL. This assumes that both loops meet all the other requirements for an IPL for the same scenario. However, if the second loop has a path of (Sensor D–Input Card 2–Logic Solver–Output Card 1–Final Control Element 2), no credit would be allowed for the second loop, as Output Card 1 is common to both loops. Similarly, no credit would be allowed for a second loop if the path was (Sensor D–Input Card 1–Logic Solver–Output Card 2–Final Control Element 2) as Input Card 1 is common to both.
Maximum Number and Type of IPLs
Approach B makes the assumption that the failure of a BPCS loop will be due to components other than the BPCS logic solver. Thus, we make the following recommendations:
• The total IPL PFD taken, including that which would be taken by strictly applying the basic LOPA method, must be no less than two orders of magnitude, unless the BPCS logic solver has been certified to a higher level of reliability. That is, the additional PFD credited for the BPCS IPL should be no less than 1 × 10–1. This would allow a best case overall failure probability of 1 × 10–2 for the BPCS [(1 × 10–1 as per Approach A) × (1 × 10–1)], if justified by additional analysis as described in this section. Note: This would be outside of IEC 61511 requirements for the PFD for all BPCS IPLs.
• No more than a total of two BPCS loops should normally be credited as IPLs for the same scenario if the initiating event does not involve the failure of a BPCS logic solver. Each of these loops must satisfy all of the requirements for an IPL discussed in Chapter 6 and also the rules and guidelines contained in this section. Thus, in Figure 11.6, if all four of the loops individually meet the requirements for an IPL for the same scenario, only two of them would normally be credited as IPLs using
FIGURE 11.6. Maximum number of BPCS loops credited for the same scenario.
180
11. Advanced LOPA Topics
this method (Approach B). Only one would be credited as an IPL using the basic LOPA method (Approach A). The actions of the loops may be either • two mechanical operations (e.g., shutting a valve, starting a pump) or • one mechanical action and one alarm requiring human action. Credit should not be taken for two human actions as IPLs for the same scenario unless detailed analysis shows that complete independence can be achieved and both meet the requirements for human action as an IPL (see Chapter 6). If the initiating or enabling event involves the failure of a BPCS loop, then no more than one BPCS loop should normally be credited as an IPL for the same scenario. If human failure is the initiating event then it is not recommended that a BPCS alarm starting human action be counted as an IPL, unless detailed analysis shows that complete independence can be achieved and the operation meets the requirements for human action as an IPL (see Chapter 6). If the initiating event is human error and the enabling event does not involve the BPCS, then two BPCS loops can be counted as separate IPLs.
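The independence test and the counting limits of this section, written out as an added example (this is not code from the CCPS book). A loop is modelled as the Figure 11.6 path sensor, input card, logic solver, output card, final control element; the loop names and the component identifiers the text does not name (Sensor A, Sensor E, Input Card 3, Output Card 3, Final Control Element 1, Annunciator 1) are constructed, and the order in which candidate loops are listed is the analyst's choice of which loops to credit first.

```python
"""Approach B bookkeeping: which BPCS loops may be credited as IPLs in one scenario.

Added example, not code from the CCPS book. A loop is modelled as the path
sensor -> input card -> logic solver -> output card -> final control element,
as in Figure 11.6; the loop names and the components not named in the text
(Sensor A, Sensor E, Input Card 3, Output Card 3, Final Control Element 1,
Annunciator 1) are constructed sample identifiers.
"""
from dataclasses import dataclass
from typing import List, Set

BPCS_LOOP_PFD = 1e-1        # PFD credited per BPCS loop IPL (the Table 6.4 value cited in the text)
MIN_TOTAL_BPCS_PFD = 1e-2   # best case for all BPCS IPLs combined, per this section


@dataclass(frozen=True)
class BpcsLoop:
    name: str
    sensor: str
    input_card: str
    output_card: str
    final_element: str
    action: str  # "mechanical" (close valve, trip pump) or "human" (alarm requiring operator action)

    def components(self) -> Set[str]:
        # The logic solver is deliberately left out: Approach B assumes it is
        # not the failing part, so sharing it does not break independence.
        return {self.sensor, self.input_card, self.output_card, self.final_element}


def shared_components(a: BpcsLoop, b: BpcsLoop) -> Set[str]:
    """Components (other than the logic solver) common to both loops."""
    return a.components() & b.components()


def independent(a: BpcsLoop, b: BpcsLoop) -> bool:
    """Two loops are independent only if they share nothing but the logic solver."""
    return not shared_components(a, b)


def creditable_loops(candidates: List[BpcsLoop], initiating_event: str) -> List[BpcsLoop]:
    """Apply the limits of this section to candidate loops, in the order given.

    initiating_event is "bpcs_loop" (initiating or enabling event involves a
    BPCS loop failure), "human_error", or "other". Every candidate is assumed
    to already satisfy the Chapter 6 IPL requirements; only this section's
    rules are checked here.
    """
    max_loops = 1 if initiating_event == "bpcs_loop" else 2
    credited: List[BpcsLoop] = []
    for loop in candidates:
        if len(credited) == max_loops:
            break
        if loop.action == "human" and initiating_event == "human_error":
            continue  # alarm-plus-operator loop not credited when human failure initiated the scenario
        if loop.action == "human" and any(c.action == "human" for c in credited):
            continue  # two human actions need a detailed independence analysis; not credited here
        if all(independent(loop, c) for c in credited):
            credited.append(loop)
    return credited


def bpcs_ipl_pfd(credited: List[BpcsLoop]) -> float:
    """Combined PFD for the credited loops, never below the two-orders-of-magnitude floor."""
    if not credited:
        return 1.0
    return max(BPCS_LOOP_PFD ** len(credited), MIN_TOTAL_BPCS_PFD)


# Constructed loops following the paths discussed in the text for Figure 11.6.
LOOP_1 = BpcsLoop("loop 1", "Sensor A", "Input Card 1", "Output Card 1", "Final Control Element 1", "mechanical")
LOOP_2_OK = BpcsLoop("loop 2 (fully separate)", "Sensor D", "Input Card 2", "Output Card 2", "Final Control Element 4", "mechanical")
LOOP_2_SHARED_OUT = BpcsLoop("loop 2 (shares Output Card 1)", "Sensor D", "Input Card 2", "Output Card 1", "Final Control Element 2", "mechanical")
LOOP_2_SHARED_IN = BpcsLoop("loop 2 (shares Input Card 1)", "Sensor D", "Input Card 1", "Output Card 2", "Final Control Element 2", "mechanical")
ALARM_LOOP = BpcsLoop("alarm loop", "Sensor E", "Input Card 3", "Output Card 3", "Annunciator 1", "human")

if __name__ == "__main__":
    for cand in (LOOP_2_OK, LOOP_2_SHARED_OUT, LOOP_2_SHARED_IN):
        print(f"{cand.name}: independent of loop 1 = {independent(LOOP_1, cand)}, shared = {shared_components(LOOP_1, cand) or '-'}")
    for event in ("other", "bpcs_loop", "human_error"):
        credited = creditable_loops([LOOP_1, LOOP_2_SHARED_OUT, LOOP_2_SHARED_IN, LOOP_2_OK, ALARM_LOOP], event)
        print(f"initiating event {event}: credited {[c.name for c in credited]}, combined PFD {bpcs_ipl_pfd(credited):.0e}")
```

Running the script shows the two rejected paths each being caught on the single shared card, and the credited list shrinking to one loop when the initiating event is itself a BPCS loop failure; the data and expertise requirements that follow in the text still have to be met before any of this credit is taken.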
Information/Expertise Required to Apply Credits for Multiple BPCS Loops
In order to count additional BPCS loops as IPLs, the information and expertise that are required include:

Data and Analysis
Since this method relies on the assumption that the BPCS logic solver has a PFD at least two orders of magnitude lower than the other components of the BPCS loop (sensor, final control element, etc.), data to support this assumption must be available and analyzed. These data could include
• historical performance data for the BPCS logic solver, input/output cards, sensors, final control element, human response, etc.;
• data from the manufacturer of the system (such information must be examined critically to ensure that it applies to situations similar to the particular installation, the effective test periods are comparable, and any assumptions made are understood and are applicable to the system under consideration);
• inspection, maintenance and test data over a significant period;
• instrument diagrams, P&IDs, loop diagrams, standards, specifications, etc., describing the actual installation;
• information on the security of access to the BPCS for programming changes, alarm bypassing, etc.
Analysis of these data could include
• calculation of effective failure rates for BPCS loop components for the facility or system;
• comparison of PFD data for various components and, particularly, for the BPCS logic solver;
• assessment of input/output card logic and associated loop independence.
This should result in
• assessment of whether the access and security controls are adequate;
• assessment of whether the use of multiple BPCS loops as IPLs for the same scenario is appropriate for a particular facility or scenario;
• written justification for any assumptions made in the analysis.

Analyst Expertise
This method should only be attempted if the analyst is fully experienced in the basic LOPA method and has demonstrated expertise in understanding the possible interrelationships among equipment, instrumentation, and humans. Experience with event tree and fault tree techniques is highly desirable, as these use structured approaches which emphasize “cause-and-effect” interrelationships. The analyst must be capable of
• judging whether the available data are sufficient and complete and whether they can be used for making the required calculations with adequate accuracy;
• understanding whether the design of the instrumentation and BPCS systems provides the required independence;
• understanding the effects of the proposed IPLs on the process or system.
The analyst may be a single person or a number of people each contributing to the complete analysis, but with no single person performing the whole analysis. For example, a qualified independent third party may certify a BPCS logic solver to have a low enough PFD that allows multiple BPCS loops to be used in the same scenario. A skilled instrument designer may analyze historical performance data and maintenance records to establish standard designs that meet the requirements of independence and reliability or establish the reliability of an existing BPCS loop.
A process engineer working alone or in a team environment may use a tool, such as LOPA, to determine the combination of layers of protection that are needed to effectively control an undesirable consequence. This analysis may indicate that multiple BPCS loops can work independently to stop the undesired event. The process engineer, process control engineer, and instrument engineer gather all the information regarding BPCS component reliability and process requirements, then collaborate to design and implement a system of multiple BPCS loops that meet the requirements of independence and reliability. The LOPA analyst must work with all of these disciplines to arrive at a final result. If analysts with these skill-sets are not available, then only the basic LOPA method should be used.
Cautions
When using Approach B, the restrictions discussed above must be applied. However, this is a less conservative approach to analyzing risk and, by using it, an organization increases the potential for overlooking certain important interactions, in particular common cause failures. This issue is discussed in Section 6.3 and it can be a very subtle factor in increasing risk. The basic LOPA technique is conservative, but does provide a high level of protection against common cause failures. If Approach B is used then the analyst must be especially vigilant in looking for such interactions. This will normally require additional time and resources, which may be justified by the potential for eliminating the need for additional IPL systems.

CAUTION: The reader is advised that the draft IEC 61511 standard—dealing with Safety Instrumented Systems for the process industry—Part 1 states “The risk reduction factor for a BPCS [basic process control system] (which does not conform to this standard) used as a layer of protection shall be below 10” (IEC, 2001). This means the PFD of all risk reduction functions in the BPCS must be more than 1 × 10–1, that is, the PFD for all the BPCS risk reduction functions is not allowed to be lower than 1 × 10–1. The user should provide the analysis to support the risk reduction claimed for multiple BPCS IPLs.
Continuing Examples Using Approach B—Crediting Multiple BPCS Loops
Two scenarios from the continuing examples used in Chapters 2 through 8 are used to demonstrate the application of Approach B and the issues that can arise. It is assumed for the purposes of this discussion that adequate data and analysis support the use of Approach B for this installation.

Scenario 1a: Hexane Surge Tank Overflow—Spill Not Contained by the Dike
In this scenario the initiating event is the failure of the BPCS level control loop, leading to a tank overflow which is not contained by the dike and resulting in a consequence of a widespread hexane spill. Approach B allows the use of a single additional BPCS loop as an IPL for this scenario (one loop has already been accounted for in the initiating event), provided that this meets all the other requirements for an IPL. Such a BPCS loop could be either
• an additional level sensor which would provide a method of stopping flow to the tank (a new separate isolation valve or pump cut-off) or
• an additional level sensor that would sound an alarm in the control room and initiate operator action to stop flow to the tank before the tank overflowed.
In either case the requirements discussed in this section regarding separate sensors, input and output cards, and final control element apply. If a separate level sensor loop is installed with an additional final control element to stop flow to the tank, the minimum PFD for this IPL would be 1 × 10–1 (see Table 6.4), unless another value was justified. The adequacy of this level of risk reduction would depend on
• the security and access controls for the BPCS providing adequate protection against human error,
• the risk tolerance criteria used, and
• the cost–benefit analysis based on the cost of installing the full SIS recommended in Chapter 8 versus the lower cost of installing only a new BPCS loop and its components and the lower total PFD.
Thus, an organization would need to determine whether the increased frequency of the event based on only an additional BPCS loop is justified by the lower cost. A separate level sensor loop with an alarm and operator action to stop filling the tank could be counted as an IPL. This is possible if the rate of feed to the tank, the tank cross-sectional area, the normal level, the level at which the alarm sounded, and the dike volume allowed adequate time for the operators to respond before the tank overflowed (see Chapter 6). If this is the case, and the requirements discussed in Section 6.5 for human action are satisfied, it might be possible to use a PFD of 1 × 10–1 for one separate alarm loop. If two separate sensors and alarm annunciators are used, and the operators are well trained and drilled in the action, a PFD of 1 × 10–2 might be possible. Again, whether this approach would be appropriate would depend upon the risk criteria used and a cost–benefit decision.

Scenario 2a: Hexane Storage Tank Overflow—Spill Not Contained by the Dike
In this scenario the initiating event is the failure of the inventory control system due to a tank truck arriving at the storage tank with insufficient room in the tank for the contents of the truck. This leads to an overflow of the tank.
If the inventory control system is part of the BPCS that also monitors the tank, Approach B allows the use of one additional BPCS loop as an IPL for this scenario, provided that this meets all the other requirements for an IPL. If the inventory control system is separate from the BPCS that monitors the tank, Approach B would allow the use of two additional BPCS loops as IPLs for this scenario. Examples of additional BPCS loops include
• an additional level sensor and indicator which the operator would use as a check on the tank level prior to unloading or
• an additional level sensor providing a method to stop the flow to the tank (separate isolation valve or pump cutoff).
In either case, the requirements discussed in this section regarding separate sensors, input and output cards, and final control element apply. The risk reduction adequacy of this approach would depend on
• the security and access controls for the BPCS providing adequate protection against human error,
• the risk tolerance criteria used, and
• the results of a cost–benefit analysis, or similar study, based on the cost of installing the full SIF recommended in Chapter 8 versus the lower cost of installing only new BPCS loop(s) and components.
If a separate level sensor loop is installed with an additional final control element to stop flow to the tank, the minimum PFD for this IPL would be 1 × 10–1 (see Table 6.4), unless another value was justified. The adequacy of this level of risk reduction would depend on the risk criteria used and a cost–benefit decision. If the BPCS is separate from the inventory control system, both the pump shutoff and operator alarm IPLs could be used, provided that the requirements above were met (e.g., separate sensors, input/output cards, final control element). This approach would require complete separation between the inventory control system and the BPCS system for the tank and no human factor interactions in the facility for these systems. A maximum PFD of 1 × 10–2 for the two BPCS loops as IPLs could be claimed (see above).
11.3. Summation of Risk for Multiple Scenarios
In some methods the risk is assessed on a per scenario basis and this is compared with the organization’s risk tolerance criteria to determine whether action is required. In other methods, the risk associated with an entire plant or even an entire complex is combined and compared with the risk tolerance criteria. Either approach can be used, but certain issues arise when calculating the risk associated with an entire plant or complex. These issues are discussed below.
For any facility there will be a range of scenarios which will occur at different frequencies and have a range of outcomes from minor to catastrophic. This method makes an attempt to combine these to produce an overall assessment of the risk.
Applications
For this approach, the total risk for a facility is determined to the level of accuracy of the method if all important scenarios have been identified. The total risk is then used to make decisions for each facility on whether it should remain in operation and to determine the priorities for applying resources (if required) to reduce risk to meet the risk tolerance criteria for the facility. However, the additional work may not be justified, since working on the individual scenarios should reveal the scenarios with the highest risk.

Method
The consequence categories used for this method must be appropriate for summing between different scenarios. Methods that use a fatality frequency as the risk measure can apply this technique directly by adding together all of the fatality frequencies calculated for a given facility. Methods using consequence categories can also apply this technique, but it is more cumbersome. Example 11.1 shows how to estimate the frequency of a consequence that has more than one initiating event.

Example 11.1
The scenario is the catastrophic rupture of a distillation column due to high pressure. There are two initiating events for high pressure: loss of cooling water at the condenser (1 × 10–1/yr), and failure of the steam flow control loop (1 × 10–1/yr). These two scenarios can be prevented by two IPLs, each with a PFD of 1 × 10–2. Equation (7-1) is used to calculate the frequency for the consequence of rupture due to no cooling,

$$f_{\text{rupture, no cooling}} = f_{\text{no cooling}} \times \prod_{j=1}^{2} \mathrm{PFD}_j = f_{\text{no cooling}} \times \mathrm{PFD}_{\mathrm{IPL1}} \times \mathrm{PFD}_{\mathrm{IPL2}}$$

$$f_{\text{rupture, no cooling}} = (1 \times 10^{-1}/\text{yr}) \times [(1 \times 10^{-2}) \times (1 \times 10^{-2})] = 1 \times 10^{-5}/\text{yr}$$

Similarly, for rupture due to steam loop failure,

$$f_{\text{rupture, steam loop}} = f_{\text{steam loop}} \times \prod_{j=1}^{2} \mathrm{PFD}_j = f_{\text{steam loop}} \times \mathrm{PFD}_{\mathrm{IPL1}} \times \mathrm{PFD}_{\mathrm{IPL2}}$$

$$f_{\text{rupture, steam loop}} = (1 \times 10^{-1}/\text{yr}) \times [(1 \times 10^{-2}) \times (1 \times 10^{-2})] = 1 \times 10^{-5}/\text{yr}$$
Equation (7-7) is used to determine the consequence frequency for both events,

$$f_{\text{rupture, both}} = \sum_{i=1}^{2} f_{C_i} = f_{\text{rupture, no cooling}} + f_{\text{rupture, steam loop}}$$

$$f_{\text{rupture, both}} = (1 \times 10^{-5}/\text{yr}) + (1 \times 10^{-5}/\text{yr}) = 2 \times 10^{-5}/\text{yr}$$

In LOPA, correction for both events happening simultaneously is not normally done (this correction is called subtracting the event intersection). Omitting this correction—as shown in this example—slightly overestimates the risk, but it is a reasonable, conservative simplification.
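Example 11.1 carried through in Python, as an added example that is not code from the CCPS book: Equation (7-1) for each initiating event, Equation (7-7) for the sum, and, to show how small the omitted correction is, the event intersection subtracted as well. The correction assumes the two scenario frequencies can be treated as per-year probabilities of independent events; that assumption is made here for illustration and is not stated on the page.

```python
"""Consequence frequency with more than one initiating event (Example 11.1).

Added example, not code from the CCPS book. The frequencies and PFDs are those
of Example 11.1. The event-intersection correction treats the two scenario
frequencies as per-year probabilities of independent events, an assumption
made here to show the size of the correction LOPA normally omits.
"""
import math
from typing import Dict, Iterable, Sequence


def mitigated_frequency(initiating_frequency: float, pfds: Sequence[float]) -> float:
    """Equation (7-1): f_C = f_I times the product of the PFDs of the IPLs for that initiating event."""
    return initiating_frequency * math.prod(pfds)


def summed_frequency(scenario_frequencies: Iterable[float]) -> float:
    """Equation (7-7): plain sum of the per-scenario consequence frequencies."""
    return sum(scenario_frequencies)


def frequency_with_intersection_subtracted(scenario_frequencies: Iterable[float]) -> float:
    """The correction LOPA normally omits: P(at least one) = 1 - product(1 - f_i).
    Never larger than the plain sum, so omitting it is conservative."""
    return 1.0 - math.prod(1.0 - f for f in scenario_frequencies)


# Example 11.1 inputs: two initiating events for high pressure, each protected by the same two IPLs.
INITIATING_EVENTS = {"no cooling": 1e-1, "steam loop": 1e-1}  # per year
IPL_PFDS = (1e-2, 1e-2)


def example_11_1() -> Dict[str, object]:
    per_event = {name: mitigated_frequency(f, IPL_PFDS) for name, f in INITIATING_EVENTS.items()}
    both = summed_frequency(per_event.values())
    corrected = frequency_with_intersection_subtracted(per_event.values())
    return {
        "per_event": per_event,               # 1e-5/yr each
        "rupture_both": both,                 # 2e-5/yr, as in the text
        "rupture_both_corrected": corrected,  # 2e-5/yr minus 1e-10/yr
        "overestimate": both - corrected,     # about 1e-10/yr: the "slight" overestimate
    }


if __name__ == "__main__":
    for key, value in example_11_1().items():
        print(f"{key}: {value}")
```

The overestimate is five orders of magnitude below the summed frequency, which is why the text treats the plain sum as an acceptable simplification; the same functions apply to any number of initiating events feeding one consequence.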
Using purely additive methods for combining risk assumes that an organization’s tolerance for risk is linear (e.g., 1 fatality in 100 years is equivalent to 10 fatalities in 1000 years). This is questionable, as most governments that have addressed this issue have produced criteria that are less accepting of high consequence events compared to low consequence events. However, the additive method is appropriate to combine risk of single fatality scenarios.
11.4. Using LOPA to Develop F/N Curves
An F/N curve plots the cumulative frequency (F) versus the number of fatalities (N) and is intended to incorporate a number of scenarios into a single figure (see Figure 11.7 for a typical F/N curve). LOPA may be used to generate an F/N curve only when the consequence of each scenario is stated in terms of fatalities or another consequence parameter (such as serious injury, business loss) consistent with the organization’s risk tolerance criteria. The data shown on an F/N curve are only as accurate as the method used. Therefore, F/N curves generated using LOPA should be used with caution.

Uses
An F/N curve is useful for visually assessing the risk associated with a scenario or facility and to compare it to risk tolerance criteria that can be plotted on the same graph. The frequency intercept of the line at N = 1 and the shape of the curve provide additional information. The frequency at which the number of fatalities is at least equal to 1 provides a baseline risk for the scenario or facility which can be compared directly. The shape of the curve allows the analyst to assess whether the risk is to a relatively small population, in which case the curve would fall steeply. Alternatively, if the risk were to a large population, the curve would be expected to fall only gradually with increasing values of N. As discussed in Chapter 8, most guidelines that have been developed by governmental agencies and individual companies are less tolerant of high consequence events than low consequence events. The F/N curve presents data in a form that allows the direct comparison with such criteria.

FIGURE 11.7. Typical F/N curve.
Method
The method to construct an F/N curve using LOPA is as follows:
1. Generate all the scenarios for a given facility or complex.
2. Tabulate the mitigated frequency for each scenario.
3. Tabulate the number of fatalities for each scenario.
4. Starting with the largest consequence (number of fatalities), calculate the cumulative frequency of that consequence by adding the frequencies of all scenarios with that number of fatalities. This is the first, and extreme right-hand, point on the curve.
5. For the next highest consequence, add the sum of the frequencies of all the scenarios with that consequence to the frequency for the largest consequence. This is the second point on the curve and is located to the left of the point obtained in Step 4.
6. Continue adding the frequencies for each successively lower consequence, until the lowest consequence has been reached.
7. If the lowest consequence is not one fatality, add a point with a consequence of one fatality at the same frequency as that calculated in Step 6.
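The seven steps above implemented as an added example (not code from the CCPS book). The scenario list is constructed sample data, and the tolerance line F_tol(N) = anchor / N^slope is a constructed illustration of a criterion that is less tolerant of high-consequence events, not a criterion taken from the book; both are assumptions of this example only.

```python
"""F/N curve from LOPA scenario results, following the seven steps of this section.

Added example, not code from the CCPS book. The scenario list and the
tolerance line are constructed sample data, not values from the book.
"""
from typing import Dict, List, Sequence, Tuple

Scenario = Tuple[float, int]  # (mitigated frequency per year, number of fatalities)
Point = Tuple[int, float]     # (N, F): F is the frequency of N or more fatalities


def fn_curve(scenarios: Sequence[Scenario]) -> List[Point]:
    """Build the F/N points, returned left to right (increasing N).

    Steps 2-3: the caller has tabulated frequency and fatalities per scenario.
    Steps 4-6: starting with the largest N, add the frequencies of all scenarios
    with that N to the running total; each total is the next point to the left.
    Step 7: if the lowest consequence is not one fatality, add an N = 1 point
    at the same frequency as the last point.
    """
    by_n: Dict[int, float] = {}
    for freq, n in scenarios:
        if n < 1:
            continue  # a scenario with no fatalities does not appear on an F/N curve
        by_n[n] = by_n.get(n, 0.0) + freq
    right_to_left: List[Point] = []
    cumulative = 0.0
    for n in sorted(by_n, reverse=True):
        cumulative += by_n[n]
        right_to_left.append((n, cumulative))
    if right_to_left and right_to_left[-1][0] != 1:
        right_to_left.append((1, cumulative))
    return list(reversed(right_to_left))


def baseline_frequency(points: Sequence[Point]) -> float:
    """F at N = 1: the frequency intercept the text uses as the baseline risk."""
    return points[0][1]


def tolerance_line(n: int, anchor: float = 1e-4, slope: float = 2.0) -> float:
    """Constructed criterion F_tol(N) = anchor / N**slope. A slope above 1 makes
    the line less tolerant of high-consequence events, the shape the text
    describes for most published criteria. Not a criterion from the book."""
    return anchor / n ** slope


def points_exceeding(points: Sequence[Point], anchor: float = 1e-4, slope: float = 2.0) -> List[Point]:
    """Points lying above the tolerance line, i.e. where action would be required."""
    return [(n, f) for n, f in points if f > tolerance_line(n, anchor, slope)]


# Constructed sample results: (mitigated frequency per year, fatalities).
SAMPLE_SCENARIOS: List[Scenario] = [(2e-5, 3), (5e-6, 3), (5e-7, 10), (3e-5, 2), (1e-4, 0)]

if __name__ == "__main__":
    curve = fn_curve(SAMPLE_SCENARIOS)
    print("N    F (per year)   F_tol(N)")
    for n, f in curve:
        print(f"{n:<4} {f:.2e}       {tolerance_line(n):.2e}")
    print("baseline F(N >= 1):", f"{baseline_frequency(curve):.2e}")
    print("above the tolerance line:", points_exceeding(curve))
```

With the sample data the lowest consequence is two fatalities, so Step 7 adds the N = 1 point at the same cumulative frequency; the two N = 3 scenarios are merged in Step 4 before accumulation, and only the N = 2 and N = 3 points land above the constructed line.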
11.5. Operator Response Issues
Human action as an IPL is discussed in Section 6.5. This section addresses more advanced issues but, as noted previously, extreme care should be used in examining human factors in assigning IPL credits.

Immediate versus Delayed Feedback of an Erroneous Human Action
In certain cases an operator receives immediate feedback that an action was in error. In other cases the results of an incorrect human action are not apparent for minutes, or even hours. For both cases, human error is the initiating event, but the question is, if there is immediate feedback, can human action be considered an IPL? If, for example, an operator opened a small quarter-turn valve expecting the line to be depressurized, and material started issuing from the valve, the operator would be immediately aware of the erroneous action. In most cases the operator would immediately close the valve, and no harm would occur. However, the possibility exists that the operator might be disabled, or in a panic, and the valve would remain open. An analyst must consider whether to credit human action as an IPL in such a case and, if it is decided that immediate feedback is an IPL, what PFD should be assigned. Obviously, with delayed indication of an error, no credit can be taken.

Multiple Operator Response
In some situations the BPCS alarms, or other systems, may notify multiple operators of a potentially unsafe condition independently (by using multiple sensors, multiple annunciators, etc.). This situation could be credited as multiple IPLs (e.g., one for each separate notification loop); or as a single IPL with a lower PFD, particularly if the time available for action is substantial for all of the operators (see Table 6.5). If one operator has only a short period of time to respond, it would not be appropriate to reduce the PFD for human response. Again, care is required in such an approach, as inadequate training may be a common cause for all operators failing to take the correct action.

Example 11.2
For some cases, a scenario may proceed slowly enough that one, or possibly more, shifts of operators may have an opportunity to respond to an alarm and to prevent the consequence. The PFD for such an IPL would be lower if each new shift checks the status of all the alarms upon assuming their duties. It is also possible that inadequate training may be a common cause for several shifts to fail to respond to an alarm.
11.6. Normal Plant Operations as “Tests” of IPL Components
Many of the components of safety systems, particularly those in BPCS loops, are used during the “normal” operation of the process. Under some conditions the successful performance of normal tasks can be used as an effective test of the device or system and, thereby, potentially decrease the PFD of the device, and possibly the system. Section 6.6 discusses the equations used to calculate the PFD using the historical failure rate data and the effective test period. Generally, if the time between tests is decreased, the PFD for the device or system tested will also be decreased. If, for example, a temperature sensor is monitored on a regular basis and is compared with other sensors (perhaps ones used in a SIS) then the period between comparisons might be used as the effective test period. However, care must be taken with this approach (see below). Another example would be a valve that is cycled regularly so that its shutoff can be confirmed. This could be considered a test of the valve’s capability to provide a tight shut-off. The period between the operation of the valve could be used as the test interval and the PFD of the valve thereby decreased (improved). Such an analysis would normally be applied to the components with the highest PFDs (sensors, valves, etc.), rather than the BPCS logic solver, in order to decrease the PFD for an entire system. Care must be taken in applying this concept to ensure that
• the tests are appropriate, complete and are continued on a regular basis for the life of the component while it is part of an IPL system;
• full independence is maintained between the testing and other IPL components;
• the appropriate calculations are performed to determine the PFD for the component and the BPCS loop or associated SIF;
• other reasons why multiple instruments could report similar readings are explored before accepting such readings as the equivalent of a test.
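How a shorter effective test interval lowers a component PFD and, through it, the loop PFD, as an added example that is not code from the CCPS book. It assumes the standard low-demand approximation PFD_avg = λ·T/2 (the page refers to the equations of Section 6.6 without restating them, so this formula is an assumption here), a series loop in which any component failure defeats the loop, and constructed failure rates for a sensor and a valve plus a fixed, much lower logic solver PFD, matching the text's point that the credit is applied to the high-PFD components rather than the logic solver.

```python
"""Effect of the effective test interval on component and loop PFD (Section 11.6).

Added example, not code from the CCPS book. It uses the standard low-demand
approximation PFD_avg ~ lambda * T / 2, an assumption made here because the
page refers to the equations of Section 6.6 without restating them. The
failure rates and the logic solver PFD are constructed sample values.
"""
import math
from typing import Sequence

WEEK_IN_YEARS = 1 / 52


def pfd_average(failure_rate_per_year: float, test_interval_years: float) -> float:
    """PFD_avg ~ lambda * T / 2 for one component with dangerous undetected failure
    rate lambda, tested every T years; only valid while lambda * T is small."""
    lam_t = failure_rate_per_year * test_interval_years
    if lam_t > 0.2:
        raise ValueError("lambda * T too large for the linear approximation")
    return lam_t / 2.0


def loop_pfd(component_pfds: Sequence[float]) -> float:
    """A series loop fails on demand if any component fails: PFD = 1 - product(1 - PFD_i)."""
    return 1.0 - math.prod(1.0 - p for p in component_pfds)


# Constructed sample loop: sensor -> logic solver -> block valve.
SENSOR_LAMBDA = 0.1       # dangerous failures per year, proof-tested annually
VALVE_LAMBDA = 0.05       # dangerous failures per year
LOGIC_SOLVER_PFD = 1e-3   # held fixed: the text applies the test-interval credit to the
                          # high-PFD components (sensors, valves), not to the logic solver


def loop_pfd_for_valve_interval(valve_test_interval_years: float) -> float:
    """Loop PFD with the sensor proof-tested yearly and the valve tested at the given interval.

    Crediting a short interval from normal operation requires the four conditions
    listed in the text (complete and continuing tests, independence from other IPL
    components, correct calculations, other explanations for agreeing readings ruled out).
    """
    return loop_pfd([
        pfd_average(SENSOR_LAMBDA, 1.0),
        LOGIC_SOLVER_PFD,
        pfd_average(VALVE_LAMBDA, valve_test_interval_years),
    ])


if __name__ == "__main__":
    cases = (("annual proof test", 1.0), ("quarterly", 0.25), ("weekly operational cycling", WEEK_IN_YEARS))
    for label, interval in cases:
        print(f"valve tested by {label:<28} valve PFD {pfd_average(VALVE_LAMBDA, interval):.1e}  "
              f"loop PFD {loop_pfd_for_valve_interval(interval):.1e}")
```

Once the valve is tested weekly its contribution drops by almost two orders of magnitude, and the loop PFD is then dominated by the annually tested sensor, which is exactly where the next application of the same idea would go.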
11.7. Focused Fault Tree/Event Tree Analysis of IPL Components
In some cases uncertainty may exist as to the appropriate numeric value assigned to a component of a scenario (initiating event frequency, enabling event or condition probability, PFD for an IPL, consequence size or type). Alternatively, it may be desired to reduce the conservatism in the LOPA technique by using numerical values that are more rigorously calculated, rather than the tabulated values used by a given organization. In such cases it may be appropriate to perform a focused fault tree or event tree analysis. Such an analysis can, when applied selectively, improve the confidence in the results of the LOPA study and generate support for the conclusions. The Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition (CCPS, 2000a) describes quantitative (CPQRA) techniques.
Effective Initiating Event Frequency
An event tree is useful to understand how a scenario is initiated when the initiating event frequency may depend upon one or more enabling events or conditions. For complex scenarios a fault tree may be appropriate.

Common Cause Issues
A fault tree can be valuable in clarifying interactions and resolving concerns when common cause issues can interact between initiating events and IPLs, or between several IPLs.

IPL Component/Overall PFD
If a question exists on the appropriate PFD to use for the components of an IPL, or of the IPL itself, a fault tree can be used to demonstrate interactions and provide a rigorous calculation of the appropriate PFD value. In certain cases a fault tree is used to demonstrate that a particular IPL has a PFD significantly higher, or lower, than that which would be assigned using an organization’s standard reference tables. This approach is useful if an organization is designing an IPL with a very low PFD to provide the required risk reduction at lower cost or without making major modifications to a process or system.

CAUTION: The level of accuracy of such quantitative studies should be no greater than that of the LOPA method. Any effort beyond this is wasted for the purposes of LOPA.
APPENDIX A
LOPA Summary Sheets for the Continuing Examples
This appendix contains the completed LOPA sheets for the four continuing examples used in this book using the three decision-making methods discussed in Chapter 8 (risk matrix, fatality frequency, and required number of IPLs). In addition the results of the analysis using the method of a major chemical company are also shown. The solutions presented in this appendix are not necessarily consistent when one method is compared with another, as the methods differ in their assumptions. Other approaches using the LOPA concepts presented in this book or developed by a particular organization can also be used. However, they must be internally consistent and the risk tolerance criteria must be fully developed so that analysts and teams can determine whether the risk associated with a scenario is acceptable for an individual organization. These LOPA sheets contain all the information necessary for understanding the scenario (initiating event, enabling event/condition, consequence, existing IPLs and proposed IPLs to meet the defined risk criteria). The format of these sheets conforms to that discussed in Chapter 4 and in Appendix C (Documentation) for the three methods discussed in this book. The results of the fourth method are shown in the format used by the organization that developed it. Any format containing the required information is acceptable, but it must be adequately maintained and tracked. The solutions contained in these sheets are the result of discussion among individuals from several companies which use different methods. As such there have been some adjustments in the data used for the sake of consistency. Each company participating in the development of this book would not necessarily have reached the same conclusions as those shown in the accompanying sheets. Therefore, the examples contained in this appendix must not be considered definitive solutions to the problems discussed. They are, rather, illustrative of the concepts and approaches used. Each company must consider all of the factors that are required to implement LOPA and apply them consistently within their own organization. A comparison of the results of the analysis of these examples using the four methods is shown in Table A.14.

List of Summary Sheets for the Continuing Examples
| Table No. | Continuing Example | Consequence Categorization Method | Risk Decision Making Method |
|---|---|---|---|
| Table A.1 | 1a | Risk Matrix (Method 1 of Chapter 3) | Risk Matrix |
| Table A.2 | 1b | Risk Matrix (Method 1 of Chapter 3) | Risk Matrix |
| Table A.3 | 2a | Risk Matrix (Method 1 of Chapter 3) | Risk Matrix |
| Table A.4 | 2b | Risk Matrix (Method 1 of Chapter 3) | Risk Matrix |
| Table A.5 | 1a | Fatality Frequency (Method 3 of Chapter 3) | Numerical Criteria |
| Table A.6 | 1b | Fatality Frequency (Method 3 of Chapter 3) | Numerical Criteria |
| Table A.7 | 2a | Fatality Frequency (Method 3 of Chapter 3) | Numerical Criteria |
| Table A.8 | 2b | Fatality Frequency (Method 3 of Chapter 3) | Numerical Criteria |
| Table A.9 | 1a | Fatality Frequency (Method 3 of Chapter 3) | Required Number of IPLs |
| Table A.10 | 1b | Fatality Frequency (Method 3 of Chapter 3) | Required Number of IPLs |
| Table A.11 | 2a | Fatality Frequency (Method 3 of Chapter 3) | Required Number of IPLs |
| Table A.12 | 2b | Fatality Frequency (Method 3 of Chapter 3) | Required Number of IPLs |
| Table A.13 | 1a, 1b, 2a, 2b | Based on a Method from a Major Chemical Company (includes Continuing Example Scenarios 1a, 1b, 2a, 2b) | |
| Table A.14 | | Comparison of Results—Required PFD for Added SIF | |
TABLE A.1 Summary Sheet for Continuing Example 1a: Risk Matrix Consequence Categorization Method (Method 1 of Chapter 3)

Scenario Number: 1a
Equipment Number:
Scenario Title: Hexane Surge Tank Overflow. Spill not contained by the dike
Date:

| Description | Probability | Frequency (per year) |
|---|---|---|
| Consequence Description/Category: Release of hexane (1,000–10,000 lb) outside the dike due to tank overflow and failure of dike. Severity Category 4 | | |
| Risk Tolerance Criteria (Category or Frequency): Action required | | >1 × 10–3 |
| Risk Tolerance Criteria (Category or Frequency): Tolerable | | <1 × 10–5 |
| Initiating Event (typically a frequency): Loop failure of BPCS LIC (PFD from Table 5.1) | | 1 × 10–1 |
| Enabling Event or Condition | — | |
| Conditional Modifiers (if applicable): Probability of ignition | N/A | |
| Conditional Modifiers (if applicable): Probability of personnel in affected area | N/A | |
| Conditional Modifiers (if applicable): Probability of fatal injury | N/A | |
| Conditional Modifiers (if applicable): Others | N/A | |
| Frequency of Unmitigated Consequence | | 1 × 10–1 |
| Independent Protection Layers: Dike (existing) (PFD from Table 6.3) | 1 × 10–2 | |
| Independent Protection Layers: SIF (to be added—see Actions) | 1 × 10–2 | |
| Safeguards (non-IPLs): Human action not an IPL as it depends upon BPCS generated alarms. Cannot be used as BPCS failure is initiating event (Approach A) | | |
| Total PFD for all IPLs | 1 × 10–4 | |
| Frequency of Mitigated Consequence | | 1 × 10–5 |

Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Responsible Group/Person: Plant Technical/J. Doe, June 2002. Maintain dike as an IPL (inspection, maintenance, etc.).
Notes: Add action items to action tracking database.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.2 Summary Sheet for Continuing Example 1b: Risk Matrix Consequence Categorization Method (Method 1 of Chapter 3)

Scenario Number: 1b
Equipment Number:
Scenario Title: Hexane Surge Tank Overflow. Spill contained by the dike
Date:

| Description | Probability | Frequency (per year) |
|---|---|---|
| Consequence Description/Category: Tank overflow and spill of hexane into dike. In this method a spill into the tank dike, with little potential for ignition and resulting damage or lost production, is not a consequence of interest. No Consequence of Interest | | |
| Risk Tolerance Criteria (Category or Frequency): Action required | | N/A |
| Risk Tolerance Criteria (Category or Frequency): Tolerable | | N/A |
| Initiating Event (typically a frequency): Loop failure of BPCS LIC (PFD from Table 5.1) | | 1 × 10–1 |
| Enabling Event or Condition | — | |
| Conditional Modifiers (if applicable): Probability of ignition | N/A | |
| Conditional Modifiers (if applicable): Probability of personnel in affected area | N/A | |
| Conditional Modifiers (if applicable): Probability of fatal injury | N/A | |
| Conditional Modifiers (if applicable): Others | N/A | |
| Frequency of Unmitigated Consequence | | N/A |
| Independent Protection Layers: None existing (as dike is not an IPL for release assumed to be contained in this scenario) | N/A | |
| Safeguards (non-IPLs): N/A | | |
| Total PFD for all IPLs | N/A | |
| Frequency of Mitigated Consequence | | N/A |

Risk Tolerance Criteria Met? (Yes/No): N/A
Actions Required to Meet Risk Tolerance Criteria: None. This is not a consequence of interest for this method. See Notes below.
Notes: The classification of “No consequence of interest” for this scenario depends upon the organization accepting the release of this material into the dike. Other organizations may not accept this risk, or experience may dictate that this risk should be mitigated by the installation of additional IPLs at low cost (see Approach B in Chapter 11).
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
195
TABLE A.3 Summary Sheet for Continuing Example 2a: Risk Matrix Consequence Categorization Method (Method 1 of Chapter 3)
Scenario Number: 2a
Equipment Number:
Scenario Title: Hexane Storage Tank Overflow. Spill not contained by the dike
Date:
Consequence Description/Category: Release of hexane (1,000 – 10,000 lbs.) outside the dike due to tank overflow and failure of dike. Severity Category 4
Risk Tolerance Criteria (Category or Frequency): Action required: >1 × 10–3; Tolerable: <1 × 10–5
Initiating Event (typically a frequency): Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency based upon plant data. Frequency (per year): 1
Enabling Event or Condition: N/A
Conditional Modifiers (if applicable): Probability of ignition: N/A; Probability of personnel in affected area: N/A; Probability of fatal injury: N/A; Others: N/A
Frequency of Unmitigated Consequence (per year): 1
Independent Protection Layers (PFD):
  Operator checks level before unloading (existing) (PFD from Table 6.5): 1 × 10–1
  Dike (existing) (PFD from Table 6.3): 1 × 10–2
  SIF (to be added—see Actions): 1 × 10–2
Safeguards (non-IPLs): BPCS level control and alarm is not an IPL as it is part of the BPCS system already credited in LI read by operator.
Total PFD for all IPLs: 1 × 10–5
Frequency of Mitigated Consequence (per year): 1 × 10–5
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Maintain emphasis on procedure to check level as a critical action. Maintain dike as an IPL (inspection, maintenance, etc.)
Responsible Group/Person: Plant Technical / J. Doe, June 2002
Notes: Human action at 1 × 10–1 since BPCS level indication is part of this IPL. Add action items to action tracking database.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.4 Summary Table for Continuing Example 2b: Risk Matrix Consequence Categorization Method (Method 1 of Chapter 3)
Scenario Number: 2b
Equipment Number:
Scenario Title: Hexane Storage Tank Overflow. Spill contained by the dike
Date:
Consequence Description/Category: Tank overflow and spill of hexane into dike. In this method a spill into the tank dike, with little potential for ignition and resulting damage or lost production, is not a consequence of interest. Category: No Consequence of Interest
Risk Tolerance Criteria (Category or Frequency): Action required: N/A; Tolerable: N/A
Initiating Event (typically a frequency): Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency based upon plant data. Frequency (per year): 1
Enabling Event or Condition: N/A. Probability: —
Conditional Modifiers (if applicable): Probability of ignition: N/A; Probability of personnel in affected area: N/A; Probability of fatal injury: N/A; Others: N/A
Frequency of Unmitigated Consequence (per year): N/A
Independent Protection Layers: N/A
Safeguards (non-IPLs): N/A
Total PFD for all IPLs: N/A
Frequency of Mitigated Consequence (per year): N/A
Risk Tolerance Criteria Met? (Yes/No): See Notes below.
Actions Required to Meet Risk Tolerance Criteria: None. This is not a consequence of interest for this method.
Notes: The classification of “No consequence of interest” for this scenario depends upon the organization accepting the release of this material into the dike. Other organizations may not accept this risk, or experience may dictate that this risk should be mitigated by the installation of additional IPLs at low cost (see Approach B in Chapter 11).
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.5 Summary Sheet for Continuing Example 1a: Fatality Frequency Method (Method 3 of Chapter 3)
Scenario Number: 1a
Equipment Number:
Scenario Title: Hexane Surge Tank Overflow. Spill not contained by the dike
Date:
Consequence Description/Category: Release of hexane outside the dike due to tank overflow and failure of dike with potential for ignition and fatality.
Risk Tolerance Criteria (Category or Frequency): Maximum Tolerable Risk of a Serious Fire: <1 × 10–4; Maximum Tolerable Risk of a Fatal Injury: <1 × 10–5
Initiating Event (typically a frequency): Loop failure of BPCS LIC (PFD from Table 5.1). Frequency (per year): 1 × 10–1
Enabling Event or Condition: —
Conditional Modifiers (if applicable): Probability of ignition: 1; Probability of personnel in affected area: 0.5; Probability of fatal injury: 0.5; Others: N/A
Frequency of Unmitigated Consequence (per year): 2.5 × 10–2
Independent Protection Layers (PFD):
  Dike intended to contain spill (existing) (PFD from Table 6.3): 1 × 10–2
  SIF (to be added—see Actions): 1 × 10–2
Safeguards (non-IPLs): Human action not an IPL as it depends upon BPCS generated alarms. Cannot be used as BPCS failure is initiating event (Approach A).
Total PFD for all IPLs: 1 × 10–4
Frequency of Mitigated Consequence (per year): 2.5 × 10–6
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Maintain dike as an IPL (inspection, maintenance, etc.)
Responsible Group/Person: Plant Technical / J. Doe, June 2002
Notes: Add action items to action tracking database.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.6 Summary Sheet for Continuing Example 1b: Fatality Frequency Method (Method 3 of Chapter 3)
Scenario Number: 1b
Equipment Number:
Scenario Title: Hexane Surge Tank Overflow. Spill contained by the dike
Date:
Consequence Description/Category: Release of hexane inside the dike due to tank overflow with potential for ignition and fatality.
Risk Tolerance Criteria (Category or Frequency): Maximum Tolerable Risk of a Serious Fire: <1 × 10–4; Maximum Tolerable Risk of a Fatal Injury: <1 × 10–5
Initiating Event (typically a frequency): Loop failure of BPCS LIC (PFD from Table 5.1). Frequency (per year): 1 × 10–1
Enabling Event or Condition: —
Conditional Modifiers (if applicable): Probability of ignition: 0.1; Probability of personnel in affected area: 0.1; Probability of fatal injury: 0.5; Others: N/A
Frequency of Unmitigated Consequence (per year): 5 × 10–4
Independent Protection Layers (PFD):
  SIF (to be added—see Actions): 1 × 10–2
Safeguards (non-IPLs): Human action not an IPL as it depends upon BPCS generated alarms. Cannot be used as BPCS failure is initiating event (Approach A).
Total PFD for all IPLs: 1 × 10–2
Frequency of Mitigated Consequence (per year): 5 × 10–6
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Maintain dike as an IPL (inspection, maintenance, etc.)
Responsible Group/Person: Plant Technical / J. Doe, June 2002
Notes: Add action items to action tracking database.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.7 Summary Sheet for Continuing Example 2a: Fatality Frequency Method (Method 3 of Chapter 3)
Scenario Number: 2a
Equipment Number:
Scenario Title: Hexane Storage Tank Overflow. Spill not contained by the dike
Date:
Consequence Description/Category: Release of hexane outside the dike due to tank overflow and failure of dike with potential for ignition and fatality.
Risk Tolerance Criteria (Category or Frequency): Maximum Tolerable Risk of a Serious Fire: <1 × 10–4; Maximum Tolerable Risk of a Fatal Injury: <1 × 10–5
Initiating Event (typically a frequency): Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency based upon plant data. Frequency (per year): 1
Enabling Event or Condition: N/A
Conditional Modifiers (if applicable): Probability of ignition: 1; Probability of personnel in affected area: 0.5; Probability of fatal injury: 0.5; Others: N/A
Frequency of Unmitigated Consequence (per year): 0.25
Independent Protection Layers (PFD):
  Operator checks level before unloading (existing) (PFD from Table 6.5): 1 × 10–1
  Dike (existing) (PFD from Table 6.3): 1 × 10–2
  SIF (to be added—see Actions): 1 × 10–2
Safeguards (non-IPLs): BPCS level control and alarm is not an IPL as it is part of the BPCS system already credited in LI read by operator.
Total PFD for all IPLs: 1 × 10–5
Frequency of Mitigated Consequence (per year): 2.5 × 10–6
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Maintain emphasis on procedure to check level as a critical action. Maintain dike as an IPL (inspection, maintenance, etc.)
Responsible Group/Person: Plant Technical / J. Doe, June 2002
Notes: Human action at 1 × 10–1 since BPCS level indication is part of this IPL. Add action items to action tracking database.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.8 Summary Table for Continuing Example 2b: Fatality Frequency Method (Method 3 of Chapter 3)
Scenario Number: 2b
Equipment Number:
Scenario Title: Hexane Storage Tank Overflow. Spill contained by the dike
Date:
Consequence Description/Category: Release of hexane inside the dike due to tank overflow with potential for ignition and fatality.
Risk Tolerance Criteria (Category or Frequency): Maximum Tolerable Risk of a Serious Fire: <1 × 10–4; Maximum Tolerable Risk of a Fatal Injury: <1 × 10–5
Initiating Event (typically a frequency): Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency based upon plant data. Frequency (per year): 1
Enabling Event or Condition: N/A
Conditional Modifiers (if applicable): Probability of ignition: 0.1; Probability of personnel in affected area: 0.1; Probability of fatal injury: 0.5; Others: N/A
Frequency of Unmitigated Consequence (per year): 5 × 10–3
Independent Protection Layers (PFD):
  Operator checks level before unloading (existing) (PFD from Table 6.5): 1 × 10–1
  SIF (to be added—see Actions): 1 × 10–2
Safeguards (non-IPLs): BPCS level control and alarm is not an IPL as it is part of the BPCS system already credited in LI read by operator.
Total PFD for all IPLs: 1 × 10–3
Frequency of Mitigated Consequence (per year): 5 × 10–6
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Maintain emphasis on procedure to check level as a critical action.
Responsible Group/Person: Plant Technical / J. Doe, June 2002
Notes: Human action at 1 × 10–1 since BPCS level indication is part of this IPL. Add action items to action tracking database.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.9 Summary Sheet for Continuing Example 1a: Required Number of IPLs Method (Consequence severity classified by Fatality Frequency Method (Method 3 of Chapter 3))
Scenario Number: 1a
Equipment Number:
Scenario Title: Hexane Surge Tank Overflow. Spill not contained by the dike
Date:
Consequence Description/Category: Release of hexane outside the dike due to tank overflow and failure of dike with potential for ignition and fatality.
Risk Tolerance Criteria (Category or Frequency): See Table 8.3
Initiating Event (typically a frequency): Loop failure of BPCS LIC (PFD from Table 5.1). Frequency (per year): 1 × 10–1
Enabling Event or Condition: N/A
Conditional Modifiers (if applicable): Probability of ignition: 1; Probability of personnel in affected area: 0.5; Probability of fatal injury: 0.5; Others: N/A
Frequency of Unmitigated Consequence (per year): 2.5 × 10–2
Independent Protection Layers (PFD):
  Dike intended to contain spill (existing) (PFD from Table 6.3): 1 × 10–2
  SIF (to be added—see Actions): 1 × 10–2
Safeguards (non-IPLs): Human action not an IPL as it depends upon BPCS generated alarms. Cannot be used as BPCS failure is initiating event (Approach A).
Total PFD for all IPLs: 1 × 10–4
Frequency of Mitigated Consequence (per year): 2.5 × 10–6
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Maintain dike as an IPL (inspection, maintenance, etc.)
Responsible Group/Person: Plant Technical / J. Doe, June 2002
Notes: Add action items to action tracking database. As Frequency of Unmitigated Consequence is >(1 × 10–2 per year), 2 IPL credits are required (i.e., a total PFD of at least 1 × 10–4 must be in place for IPLs). See Table 8.2. This requirement controls the SIF requirement for this example.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.10 Summary Table for Continuing Example 1b: Required Number of IPLs Method (Consequence severity classified by Fatality Frequency Method (Method 3 of Chapter 3))
Scenario Number: 1b
Equipment Number:
Scenario Title: Hexane Surge Tank Overflow. Spill contained by the dike
Date:
Consequence Description/Category: Release of hexane inside the dike due to tank overflow with potential for ignition and fatality.
Risk Tolerance Criteria (Category or Frequency): See Table 8.3
Initiating Event (typically a frequency): Loop failure of BPCS LIC (PFD from Table 5.1). Frequency (per year): 1 × 10–1
Enabling Event or Condition: N/A
Conditional Modifiers (if applicable): Probability of ignition: 0.1; Probability of personnel in affected area: 0.1; Probability of fatal injury: 0.5; Others: N/A
Frequency of Unmitigated Consequence (per year): 5 × 10–4
Independent Protection Layers (PFD):
  SIF (to be added—see Actions): 1 × 10–2
Safeguards (non-IPLs): Human action not an IPL as it depends upon BPCS generated alarms. Cannot be used as BPCS failure is initiating event (Approach A).
Total PFD for all IPLs: 1 × 10–2
Frequency of Mitigated Consequence (per year): 5 × 10–6
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Maintain emphasis on procedure to check level as a critical action.
Responsible Group/Person: Plant Technical / J. Doe, June 2002
Notes: As Frequency of Unmitigated Consequence is between 1 × 10–3 and 1 × 10–2, 1 IPL credit is required (i.e., a total PFD of at least 1 × 10–2 must be in place for IPLs). See Table 8.2. This requirement controls the SIF requirement for this example.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.11 Summary Sheet for Continuing Example 2a: Required Number of IPLs Method (Consequence severity classified by Fatality Frequency Method (Method 3 of Chapter 3))
Scenario Number: 2a
Equipment Number:
Scenario Title: Hexane Storage Tank Overflow. Spill not contained by the dike
Date:
Consequence Description/Category: Release of hexane outside the dike due to tank overflow and failure of dike with potential for ignition and fatality.
Risk Tolerance Criteria (Category or Frequency): See Table 8.2
Initiating Event (typically a frequency): Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency based upon plant data. Frequency (per year): 1
Enabling Event or Condition: N/A
Conditional Modifiers (if applicable): Probability of ignition: 1; Probability of personnel in affected area: 0.5; Probability of fatal injury: 0.5; Others: N/A
Frequency of Unmitigated Consequence (per year): 0.25
Independent Protection Layers (PFD):
  Operator checks level before unloading (existing) (PFD from Table 6.5): 1 × 10–1
  Dike (existing) (PFD from Table 6.3): 1 × 10–2
  SIF (to be added for scenario 2b): 1 × 10–2
Safeguards (non-IPLs): BPCS level control and alarm is not an IPL as it is part of the BPCS system already credited in LI read by operator.
Total PFD for all IPLs: 1 × 10–5
Frequency of Mitigated Consequence (per year): 2.5 × 10–6
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Maintain emphasis on procedure to check level as a critical action. Maintain dike as an IPL (inspection, maintenance, etc.)
Responsible Group/Person: Plant Technical / J. Doe, June 2002
Notes: Human action at 1 × 10–1 since BPCS level indication is part of this IPL. Add action items to action tracking database. As Frequency of Unmitigated Consequence is >(1 × 10–2 per year), 2 IPL credits are required (i.e., a total PFD of at least 1 × 10–4 must be installed). See Table 8.2. As 1 × 10–3 PFD is in place, only 1 × 10–1 needs to be added, but the requirement of Scenario 2b for this system controls the design for the SIF as one with a PFD of 1 × 10–2.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.12 Summary Sheet for Continuing Example 2b: Required Number of IPLs Method (Consequence severity classified by Fatality Frequency Method (Method 3 of Chapter 3))
Scenario Number: 2b
Equipment Number:
Scenario Title: Hexane Storage Tank Overflow. Spill contained by the dike
Date:
Consequence Description/Category: Release of hexane inside the dike due to tank overflow with potential for ignition and fatality.
Risk Tolerance Criteria (Category or Frequency): See Table 8.2
Initiating Event (typically a frequency): Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency based upon plant data. Frequency (per year): 1
Enabling Event or Condition: N/A
Conditional Modifiers (if applicable): Probability of ignition: 0.1; Probability of personnel in affected area: 0.1; Probability of fatal injury: 0.5; Others: N/A
Frequency of Unmitigated Consequence (per year): 5 × 10–3
Independent Protection Layers (PFD):
  Operator checks level before unloading (existing) (PFD from Table 6.5): 1 × 10–1
  SIF (to be added—see Actions): 1 × 10–2
Safeguards (non-IPLs): BPCS level control and alarm is not an IPL as it is part of the BPCS system already credited in LI read by operator.
Total PFD for all IPLs: 1 × 10–3
Frequency of Mitigated Consequence (per year): 5 × 10–6
Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1 × 10–2. Maintain emphasis on procedure to check level as a critical action.
Responsible Group/Person: Plant Technical / J. Doe, June 2002
Notes: Human action at 1 × 10–1 since BPCS level indication is part of this IPL. Add action items to action tracking database. As Frequency of Unmitigated Consequence is between 1 × 10–2 and 1 × 10–3, 1.5 IPL credits are required (i.e., a total PFD of at least 1 × 10–3 must be in place for all of the IPLs). See Table 8.3. As only 0.5 IPL credit exists, an SIF with a PFD of 1 × 10–2 must be added. This controls the design of the SIF system for this example.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
TABLE A.13 Summary Sheet for Continuing Examples—Based on a Method from a Major Chemical Company
The calculations shown on the pages that follow were performed by one company’s proprietary software using the principles described in this book and that company’s IPL PFD data and risk tolerance criteria. That information and the decision-making rules are embedded in the software and may not be explicitly shown in the table.
TABLE A.13 SAFETY/ENVIRONMENTAL RISK ASSESSMENT
Location: CCPS
Unit: Continuing Example
Scenario Number: 1a
Description of PHA Scenario: Hexane surge tank overflow—spill not contained by the dike
List of Existing Safeguards: Dike
Risk Before: Likelihood: L; Consequence: H; Color: Yellow [denotes risk matrix grid]
Risk After: Likelihood: LL; Consequence: H; Color: Blue [denotes risk matrix grid]
Description of Recommended Mitigation Option(s): Install an SIF
Mitigation Option(s) Accepted: SIF installation
Date of Analysis:
Participants:
Interlock Tag Number:
Drawing Number:
System Name:
SIF Overview:
Impact Event: Release of hexane (1,000–10,000 lb) outside the dike due to tank overflow and failure of dike. Potentially life-threatening. Severity Category 4
Potential Consequence: H
Initiating Cause: BPCS Loop Failure, Latent. Use 10–5 dangerous failures per hour for an operational loop.
Enabling Conditions: Probability of operator being affected by scenario (i.e., in vicinity of spill) is assumed to be 0.5; further, probability of fatal injury is assumed to be 0.5 for affected operator. An ignition is assumed to occur so probability of ignition = 1.
Probability of Enabling Conditions: 2.5000E-01 (*If the value is 1.0, NO Enabling Condition is considered.)
Unmitigated Likelihood: M-H; 4.00E+01 Years
Protection Layers (Not Final Defense):
  Group: Mitigation Systems; Layer: Dikes—2 credits; Credit: 2; PFD: 1.00E-02
Protective Layer Descriptive Text: Human action not an IPL as it depends upon BPCS generated alarms. Cannot be used, as BPCS failure is initiating event.
Total Credits: 2
Intermediate Likelihood: L; 4.00E+03 Years
SIF Mitigating Actions (Final Defense Instrumentation):
  Description: Safety, Proactive; SIF Class: IC; SIL: 1; Credits: 1.0; PFD: 0.1
  Minimum Input Redundancy / Minimum Output Redundancy / System Design: 1oo1 / 1oo2 / DTT
Final Mitigated Likelihood: LL; 4.00E+04 Years
TABLE A.13 (continued)
Location: CCPS
Unit: Continuing Example
Scenario Number: 1b
Description of PHA Scenario: Hexane surge tank overflow—spill contained by the dike
List of Existing Safeguards: None
Risk Before: Likelihood: L; Consequence: H; Color: Yellow [denotes risk matrix grid]
Risk After: Likelihood: LL; Consequence: H; Color: Blue [denotes risk matrix grid]
Description of Recommended Mitigation Option(s): Install an SIF
Mitigation Option(s) Accepted: SIF Installation
Date of Analysis:
Participants:
Interlock Tag Number:
Drawing Number:
System Name:
SIF Overview:
Impact Event: Tank overflows and spill of hexane into dike. Spill into the tank dike results in less potential for ignition and the resultant potential personnel injury. Potentially life-threatening. Severity Category 4
Potential Consequence: H
Initiating Cause: BPCS Loop Failure, Latent. Use 10–5 dangerous failures per hour for an operational loop.
Enabling Conditions: Probability of operator in dike is assumed to be = 0.1; probability of ignition is assumed to be = 0.1; probability of fatal injury is assumed to be = 0.5
Probability of Enabling Conditions: 5.0000E-03 (*If the value is 1.0, NO Enabling Condition is considered.)
Unmitigated Likelihood: L; 2.00E+03 Years
Protection Layers (Not Final Defense):
  Group/Layer: None as dike is not an IPL for release within dike. It contains the spill which is specified in the scenario description. Credit: N/A; PFD: —
Protective Layer Descriptive Text:
Total Credits: 0
Intermediate Likelihood: L; 2.00E+03 Years
SIF Mitigating Actions (Final Defense Instrumentation):
  Description: Safety, Proactive; SIF Class: IC; SIL: 1; Credits: 1.0; PFD: 0.1
  Minimum Input Redundancy / Minimum Output Redundancy / System Design: 1oo1 / 1oo2 / DTT
Final Mitigated Likelihood: LL; 2.00E+04 Years
TABLE A.13 (continued)
Location: CCPS
Unit: Continuing Example
Scenario Number: 2a
Description of PHA Scenario: Hexane storage tank overflow—spill not contained by the dike
List of Existing Safeguards: LAHH and Operator check, dike
Risk Before: Likelihood: L; Consequence: H; Color: Yellow [denotes risk matrix grid]
Risk After: Likelihood: LL; Consequence: H; Color: Blue [denotes risk matrix grid]
Description of Recommended Mitigation Option(s): Install an SIF
Mitigation Option(s) Accepted: SIF Installation
Date of Analysis:
Participants:
Interlock Tag Number:
Drawing Number:
System Name:
SIF Overview:
Impact Event: Release of hexane (1,000 to 10,000 lbs) outside the dike due to tank overflow and failure of dike. Potentially life-threatening. Severity Category 4
Potential Consequence: H
Initiating Cause: Insufficient room in tank, failure of inventory control system. Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency of 1 per year based on plant data.
Enabling Conditions: Probability of ignition is assumed to be = 1; probability of person in affected area is assumed to be = 0.5; probability of fatality given exposure is assumed to be = 0.5
Probability of Enabling Conditions: 2.5000E-01 (*If the value is 1.0, NO Enabling Condition is considered.)
Unmitigated Likelihood: H; 4.00E+00 Years
Protection Layers (Not Final Defense):
  Group: Mitigation Systems; Layer: Dike—2 credits; Credit: 2; PFD: 1.00E-02
  Group: Instrumentation; Layer: BPCS—Typical DCS Safeguarding; Credit: 1; PFD: 1.00E-01
Protective Layer Descriptive Text: BPCS level control and alarm is taken as one IPL which includes operator intervention based on the LAHH.
Total Credits: 3
Intermediate Likelihood: L; 4.00E+03 Years
SIF Mitigating Actions (Final Defense Instrumentation):
  Description: Safety, Proactive; SIF Class: IC; SIL: 1; Credits: 1.0; PFD: 0.1
  Minimum Input Redundancy / Minimum Output Redundancy / System Design: 1oo1 / 1oo2 / DTT
Final Mitigated Likelihood: LL; 4.00E+04 Years
TABLE A.13 (continued)
Location: CCPS
Unit: Continuing Example
Scenario Number: 2b
Description of PHA Scenario: Hexane storage tank overflow—spill contained by the dike
List of Existing Safeguards: LAHH and Operator intervention
Risk Before: Likelihood: L; Consequence: H; Color: Yellow [denotes risk matrix grid]
Risk After: Likelihood: LL; Consequence: H; Color: Blue [denotes risk matrix grid]
Description of Recommended Mitigation Option(s): Install an SIF
Mitigation Option(s) Accepted: SIF Installation
Date of Analysis:
Participants:
Interlock Tag Number:
Drawing Number:
System Name:
SIF Overview:
Impact Event: Potentially life-threatening. Severity Category 4
Potential Consequence: H
Initiating Cause: Overfill in dike, administrative failure. Arrival of tank truck with insufficient room in the tank due to failure of the inventory control system. Frequency of 1 per year based on plant data.
Enabling Conditions: Probability of ignition = 0.1; probability of person in affected area = 0.1; probability of fatality given exposure = 0.5
Probability of Enabling Conditions: 5.0000E-03 (*If the value is 1.0, NO Enabling Condition is considered.)
Unmitigated Likelihood: L-M; 2.00E+02 Years
Protection Layers (Not Final Defense):
  Group: Instrumentation; Layer: BPCS—Typical DCS Safeguarding; Credit: 1; PFD: 1.00E-01
Protective Layer Descriptive Text: BPCS alarm is an IPL. Dike is not an IPL for release within dike. It contains the spill, which is specified in the scenario description.
Total Credits: 1
Intermediate Likelihood: L; 2.00E+03 Years
SIF Mitigating Actions (Final Defense Instrumentation):
  Description: Safety, Proactive; SIF Class: IC; SIL: 1; Credits: 1.0; PFD: 0.1
  Minimum Input Redundancy / Minimum Output Redundancy / System Design: 1oo1 / 1oo2 / DTT
Final Mitigated Likelihood: LL; 2.00E+04 Years
TABLE A.13 (continued) CUMULATIVE FREQUENCY—CONTINUING EXAMPLE
The summed frequency of the four mitigated scenarios is approximately once per 6700 years, or an annual frequency of 1.5 × 10–4. This is achieved by the application of an SIF with PFD of 1 × 10–1 (SIL 1 in this company). The summed frequency is equivalent to the Boolean OR operation on the frequencies of the four scenarios. Although it is recognized that the OR function requires that the intersection of the four frequencies be subtracted from the sum of the frequencies, the difference is very small for numerically small frequencies. Also, ignoring the intersection of the frequencies makes the cumulative frequency conservative.

1st Pass Evaluation of Unit Risk: Added SIFs with PFD of 1 × 10–1
Scenario | Scenario MTBF, years | Frequency, per year
1a | 4.00E+04 | 2.50E-05
1b | 2.00E+04 | 5.00E-05
2a | 4.00E+04 | 2.50E-05
2b | 2.00E+04 | 5.00E-05
Unit | Unit MTBF, years: 6.67E+03 or 6,667 | 1.50E-04

To meet a risk criterion of 1 × 10–4/yr: Added SIFs with PFD of 1 × 10–2
Scenario | Scenario MTBF, years | Frequency, per year
1a | 4.00E+05 | 2.50E-06
1b | 2.00E+05 | 5.00E-06
2a | 4.00E+05 | 2.50E-06
2b | 2.00E+05 | 5.00E-06
Unit | Unit MTBF, years: 6.67E+04 or 66,667 | 1.50E-05

If the requirement is that the potentially life-threatening scenarios occur with an annual frequency less than 1 × 10–4, then an SIF with PFD of 1 × 10–2 (SIL 2 in this company) would be required. The SIF would affect the summed frequency of the four scenarios (each equally), resulting in a mitigated frequency of approximately once every 67,000 years or an annual frequency of 1.5 × 10–5.
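The scenario arithmetic behind Tables A.5 through A.8 and the four sheets of Table A.13, together with the cumulative roll-up above, worked as an added Python example. This is not code from the book or from the company's proprietary software. The scenario data (initiating frequencies, conditional modifiers, IPL PFDs) are transcribed from Tables A.5 to A.8, and the 1 × 10–5 per year criterion is the maximum tolerable risk of a fatal injury used in those tables. The decade search for the PFD an added SIF needs, and the comparison of the plain sum against the exact OR of the four frequencies, are this example's own additions. Run with an SIF PFD of 1 × 10–1 it reproduces the MTBFs on the Table A.13 sheets; with 1 × 10–2 it reproduces the 2.5 × 10–6 and 5 × 10–6 per year of Tables A.5 to A.8 and the unit figures in the two tables above.

```python
"""LOPA arithmetic for the four continuing-example scenarios.

Added worked example; the figures are those printed in Tables A.5-A.8 and A.13,
not output of the book's or any company's software.
"""
from dataclasses import dataclass, field
from math import prod

# "Maximum Tolerable Risk of a Fatal Injury" used in Tables A.5-A.8 (per year).
FATALITY_TOLERANCE = 1e-5


@dataclass
class Scenario:
    name: str
    initiating_frequency: float                  # initiating event, per year
    enabling_probability: float = 1.0            # 1.0 when no enabling condition applies
    conditional_modifiers: dict = field(default_factory=dict)  # ignition, exposure, fatality
    existing_ipl_pfds: dict = field(default_factory=dict)      # IPL name -> PFD

    def unmitigated_frequency(self) -> float:
        """Frequency of Unmitigated Consequence: initiating frequency times the
        enabling probability times every conditional modifier."""
        return (self.initiating_frequency * self.enabling_probability
                * prod(self.conditional_modifiers.values()))

    def mitigated_frequency(self, added_sif_pfd=None) -> float:
        """Frequency of Mitigated Consequence: unmitigated frequency times the
        product of the IPL PFDs (non-IPL safeguards get no credit)."""
        total_pfd = prod(self.existing_ipl_pfds.values())
        if added_sif_pfd is not None:
            total_pfd *= added_sif_pfd
        return self.unmitigated_frequency() * total_pfd

    def meets(self, tolerance=FATALITY_TOLERANCE, added_sif_pfd=None) -> bool:
        """The sheets' criterion is a strict '<' against the tolerable frequency."""
        return self.mitigated_frequency(added_sif_pfd) < tolerance

    def required_sif_pfd(self, tolerance=FATALITY_TOLERANCE):
        """Coarsest decade PFD (1e-1, 1e-2, ...) an added SIF must have for the
        scenario to meet `tolerance`; None if the existing IPLs already suffice."""
        if self.meets(tolerance):
            return None
        for decade in range(1, 10):
            candidate = 10.0 ** -decade
            if self.meets(tolerance, candidate):
                return candidate
        raise ValueError(f"{self.name}: no single SIF down to 1e-9 meets the criterion")


def unit_frequency_sum(frequencies) -> float:
    """Cumulative unit frequency as Table A.13 computes it: a plain sum, i.e. the
    Boolean OR with the intersection terms ignored (slightly conservative)."""
    return sum(frequencies)


def unit_frequency_exact_or(frequencies) -> float:
    """Exact OR of independent per-year probabilities: 1 - product(1 - f_i)."""
    return 1.0 - prod(1.0 - f for f in frequencies)


def mtbf_years(frequency) -> float:
    return 1.0 / frequency


# Scenario data transcribed from Tables A.5-A.8 (fatality frequency method).
SCENARIOS = [
    Scenario("1a surge tank overflow, spill not contained", 1e-1, 1.0,
             {"ignition": 1.0, "personnel in area": 0.5, "fatal injury": 0.5},
             {"dike": 1e-2}),
    Scenario("1b surge tank overflow, spill contained", 1e-1, 1.0,
             {"ignition": 0.1, "personnel in area": 0.1, "fatal injury": 0.5},
             {}),
    Scenario("2a storage tank overflow, spill not contained", 1.0, 1.0,
             {"ignition": 1.0, "personnel in area": 0.5, "fatal injury": 0.5},
             {"operator level check": 1e-1, "dike": 1e-2}),
    Scenario("2b storage tank overflow, spill contained", 1.0, 1.0,
             {"ignition": 0.1, "personnel in area": 0.1, "fatal injury": 0.5},
             {"operator level check": 1e-1}),
]


def unit_summary(added_sif_pfd) -> dict:
    """Roll the four scenarios up as in the cumulative-frequency panel of Table A.13."""
    freqs = [s.mitigated_frequency(added_sif_pfd) for s in SCENARIOS]
    total = unit_frequency_sum(freqs)
    return {
        "scenario_frequencies": freqs,
        "unit_frequency": total,
        "unit_mtbf_years": mtbf_years(total),
        "exact_or": unit_frequency_exact_or(freqs),
    }


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: unmitigated {s.unmitigated_frequency():.2e}/yr, "
              f"existing IPLs -> {s.mitigated_frequency():.2e}/yr, "
              f"SIF PFD needed {s.required_sif_pfd()}")
    for pfd in (1e-1, 1e-2):
        u = unit_summary(pfd)
        print(f"SIF PFD {pfd}: unit {u['unit_frequency']:.2e}/yr "
              f"(MTBF {u['unit_mtbf_years']:.0f} yr), exact OR {u['exact_or']:.6e}")
```

Two points the arithmetic makes visible: none of the four scenarios meets the 1 × 10–5 per year criterion with an SIF of PFD 1 × 10–1, which is why Table A.14 shows 1 × 10–2 under the fatality frequency method against the company's 1 × 10–1 (its criterion is different), and the plain sum overstates the exact OR by under 1 × 10–8 per year, confirming the "conservative" remark above.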
TABLE A.14 Comparison of Results—Required PFD for Added SIF
Scenario | Risk Matrix | Fatality Frequency | Required Number of IPLs | Major Chemical Company
1a | 1 × 10–2 | 1 × 10–2 | 1 × 10–2 | 1 × 10–1
1b | None—No Consequence | 1 × 10–2 | 1 × 10–2 | 1 × 10–1
2a | 1 × 10–2 | 1 × 10–2 | 1 × 10–2 | 1 × 10–1
2b | None—No Consequence | 1 × 10–2 | 1 × 10–2 | 1 × 10–1
APPENDIX B
Worked Examples from CCPS’s Safe Automation Book
B.1. Introduction In Chapter 7 of Guidelines for the Safe Automation of Chemical Processes (CCPS, 1993b), an example of a polymerization process was used to demonstrate some of the principles discussed in CCPS (1993b). This included a prototype analysis of the protection layers in place and proposed SIL levels for automated protective systems. As stated in CCPS (1993b): Because of the amount of detail that is required to achieve a high-integrity, safely automated design, the example used in this chapter necessarily includes a number of simplifications, but is presented to show the application and discussion of the principles described earlier. Further the specific design choices do not reflect practices that are part of a particular company’s standards, but are representative of good practices. It certainly does not represent a complete design for a polymerization process.
This example from CCPS (1993b) will be used to demonstrate the application of the LOPA rules presented in this book. In several instances these rules may indicate that a different design should be selected compared with the solution contained in CCPS (1993b). This is not meant to imply that the design presented in CCPS (1993b) is unsafe, or does not represent good engineering practice; it is only intended as a contrast in methods and risk tolerance endpoints. The reader should judge whether the issues raised by the application of the LOPA method described in this book are appropriate for their own organization and processes, or whether modifications to the rules, assumptions, and data should be made. 211
212
Appendix B. Worked Examples from CCPS’s Safe Automation Book
The major differences between the LOPA method and the risk analysis approach used in CCPS (1993b) are • the concept of an enabling event or condition that could modify the frequency of the initiating event; • the concept and rules for identifying and crediting independent protection layers (IPLs); • the use of a numeric risk tolerance criterion. Section B.2 describes the problem, Section B.3 discusses the application of the LOPA method to the example and Section B.4 discusses various modifications to the design described in CCPS (1993b) and how these affect the PFD for the various IPLs.
B.2. Problem Description

Figure B.1 shows the P&ID for the process used in CCPS (1993b) and forms the basis for the analysis in this appendix. A detailed description of the chemicals, reactions, and the batch process is also contained in CCPS (1993b). In summary, the process is a batch polymerization of vinyl chloride monomer (VCM) to polyvinyl chloride (PVC). Water, liquid VCM, initiator, and additives are charged through the same nozzle to the agitated, jacketed reactor. The charge nozzle is also connected to the emergency vent valves and the relief valves (PSVs). Shortstop can be added through the same nozzle. Table B.1 lists the scenarios (denoted as “Events” in CCPS 1993b) that were examined in the original example and are reexamined in this appendix. Tables B.2 through B.9 contain the LOPA summary sheets for these scenarios. Additional scenarios could be generated for this problem, but the discussion will be confined to the eight developed in CCPS (1993b).
B.3. Problem Discussion

To demonstrate the self-documenting ability of LOPA, no additional details of the process will be given except for the information contained in the LOPA sheets (Tables B.2–B.9) and the P&ID (Figure B.1). The discussion of the issues follows the LOPA scenario structure to illustrate differences between the approaches. The risk matrix consequence categorization and risk tolerance criteria (see Chapters 3 and 8) are used in analyzing the problem. The use of one of the other methods discussed in these two chapters (fatality frequency and required number of IPLs) would not affect the major findings of the comparison.

FIGURE B.1. Simplified flow diagram: the PVC process (from CCPS 1993b).
TABLE B.1 Scenarios for Safe Automation Example
Scenario 1: Cooling water failure with runaway reaction and potential for reactor overpressure, leakage, rupture, injuries, and fatalities
Scenario 2: Agitator motor drive failure with potential for runaway reaction, reactor overpressure, leakage, rupture, injuries and fatalities
Scenario 3: Loss of electric power (area wide) with potential for runaway reaction, reactor overpressure, leakage, rupture, injuries and fatalities
Scenario 4: Cooling water pump failure (electric power loss) with potential for runaway reaction, reactor overpressure, leakage, rupture, injuries and fatalities
Scenario 5: Human error—Double charge of catalyst with potential for runaway reaction, reactor overpressure, leakage, rupture, injuries and fatalities
Scenario 6: BPCS level control failure leading to overfill of reactor with potential for reactor overpressure, leakage, rupture, injuries and fatalities
Scenario 7: BPCS temperature control failure during heat-up step leading to overheating of the batch with potential for runaway reaction, reactor overpressure, leakage, rupture, injuries and fatalities
Scenario 8: Agitator seal fails with potential for leakage of VCM with potential for fire, explosion, injuries, and fatalities
Consequence

The consequence assessment used in CCPS (1993b) is qualitative, but not inconsistent with the quantitative consequence matrix. For each method the consequence of an exothermic runaway reaction inside the reactor is taken as the most severe that can be assigned.
Risk Tolerance Criteria

The risk tolerance criterion used in CCPS (1993b) is qualitative and defines a specific SIL (safety integrity level) that must be installed depending upon the frequency at which the mitigated event will occur with the existing safeguards that are assessed. The SIL level required by the matrix is actually the required additional PFD, as the SILs are defined in terms of PFD in CCPS (1993b). The risk tolerance matrix (Table 8.1) is more flexible in assessing the action required. For Category 5 consequences an event frequency greater than 1 × 10–4 per year is unacceptable and action must be taken to correct the situation. Event frequencies equal to or less than 1 × 10–6 per year are tolerable and no action is required. In the range between these two limits there is some flexibility allowed based upon cost, practicality, etc. (see Chapter 8). As a general philosophy the risk tolerance matrix method would require a new facility to meet the most stringent risk tolerance criteria, while an existing unit would be subjected to a cost–benefit analysis if the risk were in the “gray” area.

Other approaches to defining risk tolerance criteria can be used (see Chapter 8) and individual organizations must decide which approach best suits their needs.
Initiating Event

The identification of the initiating event and the assumed initiating event frequencies are similar for both approaches.
Enabling Event or Condition

The method presented in CCPS (1993b) does not directly modify the initiating event frequencies (loss of cooling, loss of power, etc.) by the probability that the batch reactor is both
• in service and
• in a condition which, if the initiating event occurred, would result in the consequence (usually exothermic runaway reaction with overpressure for the scenarios examined).
In the solution using the LOPA method it is assumed that the probability of both of these conditions existing together is 0.5, which is probably conservative for most batch reactor systems. Similarly, the frequency of a double charge of catalyst being added is equal to the number of batch cycles per year times the probability that an error will occur in this procedure. If we assume a value of 0.01 for the probability that an error will occur in this procedure, then the frequency of a double charge is given by

(365 days/yr) × (1 batch/3 days) × (0.01) = 1.21/yr

This assumes that only one catalyst addition occurs per batch and one batch is run every three days. Note: The scenario involving this event sets the required PFD for the SIF depressurizing system if the assumed values for catalyst loading and human error are used. In such a situation an organization may elect to examine these assumptions in more detail to determine if they are overly conservative. In some cases neglecting enabling event or condition probabilities can significantly affect the results of risk assessment studies. This issue is discussed in detail in Chapters 4 and 5.
Conditional Modifiers

In some methods that use the frequency of fires or fatalities as risk tolerance criteria, conditional modifiers are used to obtain these frequencies from the initiating event frequency (see Chapter 7). Neither the method used in CCPS (1993b), nor the risk matrix classification method used in this Appendix, uses these modifiers.
Frequency of Unmitigated Consequence

The method used in CCPS (1993b) does not show this value. This is useful information as it is the baseline risk associated with the scenario and indicates how much reliance an organization is placing on IPLs to meet the risk tolerance criteria.
IPLs

The assessment of what is, and is not, an IPL is the biggest difference between the method used in CCPS (1993b) and the LOPA method described in this book. LOPA (see Chapter 6) requires that an IPL be
• effective in preventing the consequence (Section 6.3).
• independent of the initiating event and the components of any other IPL already claimed for the same scenario. This is the rule recommended for normal LOPA. Under some circumstances it may be permissible to assume that the BPCS logic solver will not have failed when a BPCS loop failure occurs. This issue is discussed in greater detail in Section 6.3 and Chapter 11.
• auditable, that is, the assumed effectiveness in terms of consequence prevention and PFD must be capable of verification in some manner (e.g., by documentation, review, testing, etc.). See Section 6.3 and Appendix C.
These requirements will now be discussed in relation to the design shown in Figure B.1 and the IPLs claimed in CCPS (1993b). In some cases more than one of these requirements raises the same issues regarding whether a safeguard is an IPL. The argument is developed for each issue to demonstrate the various paths that can be used to examine whether a safeguard is truly an IPL. Tables B.2 through B.9 contain the detailed LOPA analysis of the system with detailed recommendations. The recommendations are summarized and discussed in Section B.4.

Effectiveness

The addition of a depressurizing system SIF controlled by an SIS is indicated for most of the scenarios. Figure B.1 shows the proposed arrangement in CCPS (1993b). The nozzle used for the depressurizing valves and for the PSVs is the same nozzle used for adding initiator, water and additives to the reactor and, more importantly, shortstop material. This raises the question as to whether any one of these streams would, or could, be flowing into the vessel through this nozzle at the same time that the SIF opens the vent valves or the PSV valves open. For some of these streams it might be acceptable to assume that it would be unlikely—although careful study of the runaway VLE and reaction kinetics would be required. However, shortstop addition is an IPL credited for many of the same scenarios where the depressurizing system and PSV are also IPLs. Thus, it might be questionable whether it could be assumed that the addition of shortstop and the venting of the system through the same nozzle would not occur simultaneously. Therefore, a team or analyst using the LOPA method would question the effectiveness of the vent system, PSV, and shortstop addition systems as configured in Figure B.1 and whether they should all be considered as IPLs with the proposed piping design. A fault tree analysis might be considered for these safeguards with common components (see Chapter 11). Other questions that could be asked are whether two-phase flow would occur during venting of the reactor (using either the PSVs or the vent valves) in the piping and valves. If this were possible, DIERS, or similar technology, should be used to account for this appropriately with regard to sizing, mechanical strength, disposal issues, etc. In CCPS (1993b) for Scenario 4 the operator is credited with taking two actions (turning on the steam driven cooling water pump and adding shortstop). In the LOPA method presented in this book, if the operator is ineffective in performing one of these tasks in response to an alarm, then it is considered unlikely that the second task will be performed correctly. So, in LOPA, only one of these actions would be considered as an effective IPL. In Scenario 8 an IPL is claimed for the process design of a spot ventilation system to protect against the release of VCM due to the failure of the agitator shaft seal.
The design of the seal is claimed to limit the maximum amount of VCM that could be released so that the ventilation system is adequate. Whether the design basis for the evacuation system is appropriate depends upon the level of analysis performed on the seal and what historic failure rate is justifiable for the vent system fan, etc. For the purposes of the LOPA analysis shown in Table B.9 it is assumed to be an IPL with a PFD of 1 × 10–1, although a note on the sheet requires further analysis of this IPL. In addition, in CCPS (1993b) low occupancy in the reactor area is claimed as an IPL for Scenario 8. This is a qualitative judgment that can be challenged. For example, if a seal is experiencing problems it is likely that personnel would be in the vicinity, either observing and discussing the seal, or actually working on the seal. If a rupture then occurred there could actually be a greater number of people in the area than normal. (Note: At least one major incident resulted in multiple fatalities due to people being in the vicinity of an explosion while investigating equipment problems.) So it might not be appropriate to claim low occupancy rates as an IPL. In the LOPA analysis shown in Table B.9, low occupancy rate is not considered as an IPL as it cannot be considered effective or independent of the initiating event for the reasons described above; additionally, quantification of its PFD is difficult.

The effectiveness of human action (see Chapter 6) can also be considered in assessing whether an IPL is present. In some scenarios in CCPS (1993b) where the agitator was not operational, credit was taken for the operator adding shortstop and then mixing the contents by “burping” the reactor by manual action. Whether this combination of actions meets the requirement that human action IPLs have adequate time to analyze and respond to alarms, and that the action required be simple, is questionable. In the LOPA tables this action is not considered to be an IPL.

Effectiveness can also include consideration of the PFD claimed for the IPL. An example of this is a comparison of the credit taken for the PSVs (PFD = 1 × 10–2) and the vent valve SIF (PFD = 1 × 10–3). The PFD for the PSVs is relatively high for such a device—probably because of concern over the blockage/freezing of the valves or piping due to deposition of polymer or with polymeric material during the venting process. While the SIF will, if designed correctly, detect the condition and send the signal to open the vent valves at a PFD of 1 × 10–3, it would seem unlikely that the valves and piping would be any less susceptible to blockage than the PSVs. If this is correct then it is probable that a PFD of 1 × 10–2 should be assumed for both the PSVs and the vent valves with the design shown in Figure B.1. This is particularly true as, in addition to the common nozzle, the two PSVs share a common inlet line and the two vent valves also share a common inlet line. See Section B.4 for possible modifications to the existing design.

Independence

A different path to highlight similar issues to those discussed above would be to consider the independence of the IPLs. Thus, the independence of the shortstop addition system, the vent system SIF and the PSVs would be questioned once the use of a common nozzle and piping is identified. This would result in a discussion of whether they should all be considered as IPLs with the design shown in Figure B.1 (due to a potential lack of independence), or whether a different design is required. Another issue in considering independence is whether there is any linkage between the initiating event and a potential IPL, or between an IPL that has already been claimed and another potential IPL for the same scenario. This issue is not addressed directly in CCPS (1993b). Examples of this are:
• Scenario 4, where a single low cooling water flow alarm is credited with initiating two operator actions (starting the steam driven cooling water pump and the addition of shortstop) which are both credited as IPLs in CCPS (1993b). In LOPA this is not allowed as:
  - If the single low flow alarm fails then both actions could be ineffective because the operator might not be aware of the lack of cooling water. This is an example of a lack of independence via a common sensor.
  - If the operator fails to perform one of these tasks successfully it would be unlikely that the second action would be performed correctly. This is an example of a lack of independence via the final control element (operator action).
  - If the BPCS fails then it would disable both IPL actions in the basic LOPA method. Under certain circumstances, with specific requirements for the BPCS design and performance, this issue can be assessed less conservatively (see Chapter 11).
• Scenario 6, where the initiating event is the failure of the level control loop in the BPCS leading to the overfilling of the reactor. In CCPS (1993b) the level and weigh cell alarms are considered to be an IPL for this scenario, as they will initiate an alarm to allow the operator to take action. In LOPA this is not allowed since, if the control system failure is the initiating event, it is not permitted to assume that the BPCS will remain capable of detecting, processing and taking action (initiating an alarm) to allow the operator to take action. Chapter 11 discusses circumstances when this requirement could be relaxed.
• Scenario 7, where the initiating event is the failure of the temperature control loop in the BPCS. In CCPS (1993b) it is assumed that the BPCS is still able to detect this situation and alarm the operator to take action, which is credited as an IPL. This approach is not allowed in LOPA; the failure of one part of the BPCS (the initiating event) cannot be assumed to leave another part of the same BPCS in a condition where it can take effective action to detect, process and send information. Thus the initiating event and the corrective action are not independent and the action cannot be considered to be an IPL. Again, Chapter 11 discusses when this requirement might be relaxed.
Auditable

The detailed design of the protection systems is not addressed directly in CCPS (1993b), or in Tables B.2 through B.9. However, verification and auditing might include
• the summary sheets for the PSVs showing the design basis, methods of pipe sizing (i.e., DIERS), hydraulic and mechanical calculations (or references to them) (CCPS 1998b);
• process design basis demonstrating why the design cases for the scenarios have been selected with the required modeling, VLE, reaction kinetics, etc. (attached or referenced) to support the conclusions;
• details of the design of the BPCS and SIS;
• details of the design of the SIF to demonstrate that the claimed PFD values are appropriate;
• details of the required inspection, testing and maintenance procedures;
• documentation of the frequency and results of inspection, testing and maintenance.
Safeguards

Safeguards are described and documented in LOPA to explain why protection devices or systems that might, on the surface, appear to be effective are not considered to be IPLs. This is useful for documenting the thought process and providing an understanding of how much protection might also be available for which partial credit may be taken qualitatively, particularly if the LOPA analysis results in risks that are close to a boundary point. This could alter whether the risk is tolerated or mitigated by the addition of further IPLs.

Frequency of Mitigated Consequences

This shows the calculated frequency at which the consequence will occur for the scenario with all of the IPLs credited.

Risk Tolerance Criteria Met?

This section indicates whether the risk criteria are met by the present or proposed design. In many cases the proposed modifications are included to demonstrate that the new design will meet requirements. If this approach is used then the recommendations and notes must make clear what action is required, by whom and by what date.

Actions Required to Meet Risk Tolerance Criteria

This section defines the actions required to meet the risk tolerance criteria.

Notes

This section includes any clarifications, etc.
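The summary-sheet arithmetic walked through in Section B.3 (initiating frequency times enabling probability, then times the product of the credited IPL PFDs, compared with the Category 5 limits) and the independence rule discussed under IPLs and Independence, as an added Python example that is not part of the CCPS book. The element labels such as "low CW flow alarm" and "SIS" are constructed for illustration; the numbers are those of Tables B.2, B.5 and B.6.

```python
"""LOPA scenario calculator following the Appendix B summary sheets.

Added example, not CCPS code: reproduces the arithmetic of Tables B.2, B.5 and B.6
and the Section B.3 independence rule (a layer sharing a sensor, logic solver,
final element or operator with the initiating event or an already-credited layer
is not independent). Element names are constructed labels for illustration.
"""
import math
from dataclasses import dataclass, field

# Category 5 risk tolerance criteria (Section B.3, Table 8.1), per year.
UNACCEPTABLE_ABOVE = 1e-4       # action must be taken
TOLERABLE_AT_OR_BELOW = 1e-6    # no action required


@dataclass(frozen=True)
class ProtectionLayer:
    """A candidate IPL: claimed PFD and the elements it relies on."""
    name: str
    pfd: float
    elements: frozenset = frozenset()


@dataclass
class Scenario:
    title: str
    initiating_frequency: float          # events per year
    enabling_probability: float = 1.0    # e.g. 0.5 "reactor in runaway-capable state"
    initiating_elements: frozenset = frozenset()  # elements the initiating event has failed
    candidates: list = field(default_factory=list)


def catalyst_double_charge_frequency(days_per_batch=3, p_error=0.01):
    """Scenario 5 initiating frequency: charging opportunities per year times the
    probability of a double charge per opportunity (365 // 3 = 121, as on Table B.6)."""
    opportunities = 365 // days_per_batch
    return opportunities, opportunities * p_error


def unmitigated_frequency(s):
    return s.initiating_frequency * s.enabling_probability


def credit_independent_ipls(s):
    """Walk candidates in sheet order; credit a layer only if it shares no element
    with the initiating event or with a layer already credited.
    Returns (credited, rejected); each rejected entry carries the shared elements."""
    credited, rejected = [], []
    claimed = set(s.initiating_elements)
    for layer in s.candidates:
        shared = layer.elements & claimed
        if shared:
            rejected.append((layer, sorted(shared)))
        else:
            credited.append(layer)
            claimed |= layer.elements
    return credited, rejected


def total_pfd(layers):
    return math.prod(layer.pfd for layer in layers)


def mitigated_frequency(s):
    credited, _ = credit_independent_ipls(s)
    return unmitigated_frequency(s) * total_pfd(credited)


def verdict(frequency):
    """Place a mitigated frequency in one of the three risk-matrix regions."""
    if frequency > UNACCEPTABLE_ABOVE:
        return "unacceptable"
    if frequency <= TOLERABLE_AT_OR_BELOW:
        return "tolerable"
    return "gray"   # between the limits: cost/benefit judgment (Chapter 8)


# Table B.2, Scenario 1: cooling water failure, agitation assumed.
SCENARIO_1 = Scenario(
    "Cooling water failure with runaway reaction", 1e-1, 0.5,
    frozenset({"cooling water supply"}),
    [ProtectionLayer("BPCS high-temperature alarm; operator adds shortstop", 1e-1,
                     frozenset({"BPCS", "operator"})),
     ProtectionLayer("Pressure relief valves (separate nozzle and inlet)", 1e-2),
     ProtectionLayer("SIF opens vent valves (separate nozzle and inlet)", 1e-3,
                     frozenset({"SIS"}))])

# Table B.5, Scenario 4 as credited in CCPS (1993b): two operator actions from the
# same low cooling-water-flow alarm. LOPA credits only the first of them.
SCENARIO_4_AS_1993 = Scenario(
    "Cooling water pump electric power failure", 1e-1, 0.5,
    frozenset({"electric CW pump"}),
    [ProtectionLayer("Operator starts steam-driven CW pump on low-flow alarm", 1e-1,
                     frozenset({"low CW flow alarm", "BPCS", "operator"})),
     ProtectionLayer("Operator adds shortstop on low-flow alarm", 1e-1,
                     frozenset({"low CW flow alarm", "BPCS", "operator"})),
     ProtectionLayer("Pressure relief valves", 1e-2),
     ProtectionLayer("SIF opens vent valves", 1e-3, frozenset({"SIS"}))])
```

Run through the same functions, Scenario 5 (121 opportunities per year at 1 × 10–2, with the three IPLs at 1 × 10–6 total PFD) lands at 1.21 × 10–6 per year, just above the tolerable limit, which is the sort of boundary case Section B.3 says calls for a cost and practicality judgment.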
B.4. Design Modifications for Consideration

In this section modifications to the design shown in Figure B.1 are suggested with the effect these changes would have upon the number of IPLs and their
TABLE B.2 Scenario Number 1
Equipment Number: (blank)
Date: (blank)
Scenario Title: Cooling water failure with runaway reaction and potential for reactor overpressure, leakage, rupture, injuries and fatalities. Agitation assumed.
Consequence Description/Category: Runaway reaction and potential for reactor overpressure, leakage, rupture, injuries, and fatalities. Category 5.
Risk Tolerance Criteria (category or frequency): Unacceptable (greater than) 1 × 10–4 per year; Tolerable (less than or equal to) 1 × 10–6 per year.
Initiating Event (typically a frequency): Loss of cooling water. Frequency 1 × 10–1 per year.
Enabling Event or Condition: Probability that reactor is in a condition where runaway reaction can occur on loss of cooling (per reactor, annual basis). Probability 0.5.
Conditional Modifiers: Probability of ignition (if applicable) N/A; Probability of personnel in affected area N/A; Probability of fatal injury N/A; Others N/A.
Frequency of Unmitigated Consequence: 5 × 10–2 per year.
Independent Protection Layers:
  BPCS alarm and Human Action: Shortstop addition on BPCS loop high reactor temperature alarm. PFD 1 × 10–1.
  Pressure Relief Valves: With required modifications to system (see Actions) (PFD may be conservative if modifications added). PFD 1 × 10–2.
  SIF (Req’d PFD = 1 × 10–3) (Part of SIS for all 3 reactors): SIF to open vent valves (see Actions for design details). Required PFD set by Scenario 5. TO BE ADDED—see Actions/Notes. PFD 1 × 10–3.
Safeguards (non-IPLs):
  Operator action. Other operator actions not independent of the same operator already credited.
  Emergency Cooling System (Steam Turbine). Not credited as an IPL as too many common elements (piping, valves, jacket, etc.) that could have initiated initial CW failure.
Total PFD for all IPLs: 1 × 10–6.
Frequency of Mitigated Consequence: 5 × 10–8 per year.
Risk Tolerance Criteria Met? (Yes/No): Yes with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIS for all 3 reactors. Install SIF with minimum PFD = 1 × 10–3 for opening vent valves on high temperature. Separate nozzles and piping for each vent valve. Install separate nozzle and vent lines for each PSV to minimize blockage and common cause. Consider N2 purges under all vent valves/PSVs.
Responsible Group/Person/Date: Plant Technical/J. Doe/January 20xx.
Notes: Ensure operator response to high temperature meets requirements for IPL. Ensure RV design, installation, maintenance meet requirements for PFD 1 × 10–2 as a minimum. If determined to be better, consider PFD for Vent Valve SIF.
TABLE B.3 Scenario Number 2
Equipment Number: (blank)
Date: (blank)
Scenario Title: Agitator motor drive failure with potential for runaway reaction, reactor overpressure, leakage, rupture, injuries and fatalities.
Consequence Description/Category: Runaway reaction and potential for reactor overpressure, leakage, rupture, injuries, and fatalities. Category 5.
Risk Tolerance Criteria (category or frequency): Unacceptable (greater than) 1 × 10–4 per year; Tolerable (less than or equal to) 1 × 10–6 per year.
Initiating Event (typically a frequency): Agitator motor drive failure. Frequency 1 × 10–1 per year.
Enabling Event or Condition: Probability that reactor is in a condition where runaway reaction can occur on loss of cooling (per reactor, annual basis). Probability 0.5.
Conditional Modifiers: Probability of ignition (if applicable) N/A; Probability of personnel in affected area N/A; Probability of fatal injury N/A; Others N/A.
Frequency of Unmitigated Consequence: 5 × 10–2 per year.
Independent Protection Layers:
  Pressure Relief Valves: With required modifications to system (see Actions) (PFD may be conservative if modifications added). PFD 1 × 10–2.
  SIF (Req’d PFD = 1 × 10–3) (Part of SIS for all 3 reactors): SIF to open vent valves (see Actions for design details). Required PFD set by Scenario 5. TO BE ADDED—see Actions/Notes. PFD 1 × 10–3.
Safeguards (non-IPLs):
  Emergency Cooling System. Not credited as an IPL as no agitation renders it ineffective.
  Operator intervention. Reactor “burping” and inhibitor injection overly complex.
Total PFD for all IPLs: 1 × 10–5.
Frequency of Mitigated Consequence: 5 × 10–7 per year.
Risk Tolerance Criteria Met? (Yes/No): Yes with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIS for all 3 reactors. Install SIF with minimum PFD = 1 × 10–3 for opening vent valves on high temperature. Separate nozzles and piping for each vent valve. Install separate nozzle and vent lines for each PSV to minimize blockage and common cause. Consider N2 purges under all vent valves/PSVs.
Responsible Group/Person/Date: Plant Technical/J. Doe/January 20xx.
Notes: Ensure operator response to high temperature meets requirements for IPL. Ensure RV design, installation, maintenance meet requirements for PFD 1 × 10–2 as a minimum. If determined to be better, consider PFD for Vent Valve SIF.
TABLE B.4 Scenario Number 3
Equipment Number: (blank)
Date: (blank)
Scenario Title: Loss of electric power (area wide) with potential for runaway reaction, reactor overpressure, leakage, rupture, injuries, and fatalities.
Consequence Description/Category: Runaway reaction and potential for reactor overpressure, leakage, rupture, injuries, and fatalities. Category 5.
Risk Tolerance Criteria (category or frequency): Unacceptable (greater than) 1 × 10–4 per year; Tolerable (less than or equal to) 1 × 10–6 per year.
Initiating Event (typically a frequency): Loss of electric power (area wide). Frequency 1 × 10–1 per year.
Enabling Event or Condition: Probability that reactor is in a condition where runaway reaction can occur on loss of cooling (per reactor, annual basis). Probability 0.5.
Conditional Modifiers: Probability of ignition (if applicable) N/A; Probability of personnel in affected area N/A; Probability of fatal injury N/A; Others N/A.
Frequency of Unmitigated Consequence: 5 × 10–2 per year.
Independent Protection Layers:
  Pressure Relief Valves: With required modifications to system (see Actions) (PFD may be conservative if modifications added). PFD 1 × 10–2.
  SIF (Req’d PFD = 1 × 10–3) (Part of SIS for all 3 reactors): SIF to open vent valves (see Actions for design details). Required PFD set by Scenario 5. TO BE ADDED—see Actions/Notes. PFD 1 × 10–3.
Safeguards (non-IPLs):
  Emergency Cooling System. Not credited as an IPL as no agitation renders it ineffective.
  Operator intervention. Reactor “burping” and inhibitor injection overly complex for an IPL.
Total PFD for all IPLs: 1 × 10–5.
Frequency of Mitigated Consequence: 5 × 10–7 per year.
Risk Tolerance Criteria Met? (Yes/No): Yes with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIS for all 3 reactors. Install SIF with minimum PFD = 1 × 10–3 for opening vent valves on high temperature. Separate nozzles and piping for each vent valve. Install separate nozzle and vent lines for each PSV to minimize blockage and common cause. Consider N2 purges under all vent valves/PSVs.
Responsible Group/Person/Date: Plant Technical/J. Doe/January 20xx.
Notes: Ensure operator response to high temperature meets requirements for IPL. Ensure RV design, installation, maintenance meet requirements for PFD 1 × 10–2 as a minimum. If determined to be better, consider PFD for Vent Valve SIF.
TABLE B.5 Scenario Number 4
Equipment Number: (blank)
Date: (blank)
Scenario Title: Cooling water pump electric power failure with runaway reaction and potential for reactor overpressure, leakage, rupture, injuries and fatalities. Agitation assumed.
Consequence Description/Category: Runaway reaction and potential for reactor overpressure, leakage, rupture, injuries, and fatalities. Category 5.
Risk Tolerance Criteria (category or frequency): Unacceptable (greater than) 1 × 10–4 per year; Tolerable (less than or equal to) 1 × 10–6 per year.
Initiating Event (typically a frequency): Loss of cooling water pump (electric). Frequency 1 × 10–1 per year.
Enabling Event or Condition: Probability that reactor is in a condition where runaway reaction can occur on loss of cooling (per reactor, annual basis). Probability 0.5.
Conditional Modifiers: Probability of ignition (if applicable) N/A; Probability of personnel in affected area N/A; Probability of fatal injury N/A; Others N/A.
Frequency of Unmitigated Consequence: 5 × 10–2 per year.
Independent Protection Layers:
  BPCS alarm and Human Action: Inhibitor addition on BPCS high reactor temperature/pressure OR starting of CW steam turbine-drive pump on low cooling water flow. PFD 1 × 10–1.
  Pressure Relief Valves: With required modifications to system (see Actions) (PFD may be conservative if modifications added). PFD 1 × 10–2.
  SIF (Req’d PFD = 1 × 10–3) (Part of SIS for all 3 reactors): SIF to open vent valves (see Actions for design details). Required PFD set by Scenario 5. TO BE ADDED—see Actions/Notes. PFD 1 × 10–3.
Safeguards (non-IPLs):
  Operator Intervention. Only one of the two operator actions is an IPL due to common operator, alarms, sensors, etc.
Total PFD for all IPLs: 1 × 10–6.
Frequency of Mitigated Consequence: 5 × 10–8 per year.
Risk Tolerance Criteria Met? (Yes/No): Yes with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIS for all 3 reactors. Install SIF with minimum PFD = 1 × 10–3 for opening vent valves on high temperature. Separate nozzles and piping for each vent valve. Install separate nozzle and vent lines for each PSV to minimize blockage and common cause. Consider N2 purges under all vent valves/PSVs.
Responsible Group/Person/Date: Plant Technical/J. Doe/January 20xx.
Notes: Ensure operator response to high temperature meets requirements for IPL. Ensure RV design, installation, maintenance meet requirements for PFD 1 × 10–2 as a minimum. If determined to be better, consider PFD for Vent Valve SIF.
TABLE B.6 Scenario Number 5
Equipment Number: (blank)
Date: (blank)
Scenario Title: Human error—Double charge of catalyst with potential for runaway reaction, reactor overpressure, leakage, rupture, injuries and fatalities.
Consequence Description/Category: Runaway reaction and potential for reactor overpressure, leakage, rupture, injuries, and fatalities. Category 5.
Risk Tolerance Criteria (category or frequency): Unacceptable (greater than) 1 × 10–4 per year; Tolerable (less than or equal to) 1 × 10–6 per year.
Initiating Event (typically a frequency): Loading of catalyst (once every three days—121 times per year). Frequency 121 per year.
Enabling Event or Condition: Probability that operator(s) double charge the reactor with catalyst (per opportunity). Probability 1 × 10–2.
Conditional Modifiers: Probability of ignition (if applicable) N/A; Probability of personnel in affected area N/A; Probability of fatal injury N/A; Others N/A.
Frequency of Unmitigated Consequence: 1.21 per year.
Independent Protection Layers:
  BPCS alarm and Human Action: Inhibitor addition on BPCS high reactor temperature/pressure. PFD 1 × 10–1.
  Pressure Relief Valves: With required modifications to system (see Actions) (PFD may be conservative if modifications added). PFD 1 × 10–2.
  SIF (Req’d PFD = 1 × 10–3) (Part of SIS for all 3 reactors): SIF to open vent valves (see Actions for design details). Required PFD set by Scenario 5. TO BE ADDED—see Actions/Notes. PFD 1 × 10–3.
Safeguards (non-IPLs):
  Operator Intervention. Not independent of BPCS sensors, alarms, FCE. Operator error is initiating event.
Total PFD for all IPLs: 1 × 10–6.
Frequency of Mitigated Consequence: 1.21 × 10–6 per year.
Risk Tolerance Criteria Met? (Yes/No): Yes with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIS for all 3 reactors. Install SIF with minimum PFD = 1 × 10–3 for opening vent valves on high temperature. Separate nozzles and piping for each vent valve. Install separate nozzle and vent lines for each PSV to minimize blockage and common cause. Consider N2 purges under all vent valves/PSVs.
Responsible Group/Person/Date: Plant Technical/J. Doe/January 20xx.
Notes: Ensure operator response to high temperature meets requirements for IPL. Ensure RV design, installation, maintenance meet requirements for PFD 1 × 10–2 as a minimum. If determined to be better, consider PFD for Vent Valve SIF.
TABLE B.7 Scenario Number 6
Equipment Number: (blank)
Date: (blank)
Scenario Title: BPCS level control failure leading to overfill of reactor with potential for reactor overpressure, leakage, rupture, injuries and fatalities.
Consequence Description/Category: Overfill of reactor with potential for reactor overpressure, leakage from flanges, connections (10,000–100,000 lb flammable above atmospheric BP), with injuries and fatalities. Complete rupture not considered feasible. Category 5.
Risk Tolerance Criteria (category or frequency): Unacceptable (greater than) 1 × 10–4 per year; Tolerable (less than or equal to) 1 × 10–6 per year.
Initiating Event (typically a frequency): BPCS failure. Frequency 1 × 10–1 per year.
Enabling Event or Condition: Probability that reactor is in a condition where runaway reaction can occur on loss of cooling (per reactor, annual basis). Probability 0.5.
Conditional Modifiers: Probability of ignition (if applicable) N/A; Probability of personnel in affected area N/A; Probability of fatal injury N/A; Others N/A.
Frequency of Unmitigated Consequence: 5 × 10–2 per year.
Independent Protection Layers:
  Pressure Relief Valves: With required modifications to system (see Actions) (PFD may be conservative if modifications added). PFD 1 × 10–2.
  SIF (Req’d PFD = 1 × 10–3) (Part of SIS for all 3 reactors): SIF to open vent valves (see Actions for design details). Required PFD set by Scenario 5. TO BE ADDED—see Actions/Notes. PFD 1 × 10–3.
Safeguards (non-IPLs):
  BPCS level/weigh cells. Not independent of BPCS involved in initiating event.
  Operator Intervention. Not independent of BPCS sensors, alarms, FCE.
Total PFD for all IPLs: 1 × 10–5.
Frequency of Mitigated Consequence: 5 × 10–7 per year.
Risk Tolerance Criteria Met? (Yes/No): Yes with added SIF.
Actions Required to Meet Risk Tolerance Criteria: Add SIS for all 3 reactors. Install SIF with minimum PFD = 1 × 10–3 for opening vent valves on high temperature. Separate nozzles and piping for each vent valve. Install separate nozzle and vent lines for each PSV to minimize blockage and common cause. Consider N2 purges under all vent valves/PSVs.
Responsible Group/Person/Date: Plant Technical/J. Doe/January 20xx.
Notes: Ensure operator response to high temperature meets requirements for IPL. Ensure RV design, installation, maintenance meet requirements for PFD 1 × 10–2 as a minimum. If determined to be better, consider PFD for Vent Valve SIF.
TABLE B.8
Scenario Number: 7
Equipment Number:
Date:
Scenario Title: BPCS temperature control failure during heat-up step leading to overheating of the batch with potential for runaway reaction, reactor overpressure, leakage, rupture, injuries and fatalities
(Sheet columns: Description, Probability, Frequency (per year))

Consequence Description/Category: Runaway reaction and potential for reactor overpressure, leakage, rupture, injuries, and fatalities. Category 5
Risk Tolerance Criteria (category or frequency): Unacceptable (Greater than) 1 × 10–4 per year; Tolerable (Less than or equal to) 1 × 10–6 per year
Initiating Event (typically a frequency): BPCS temperature control loop. Frequency 1 × 10–1 per year
Enabling Event or Condition: Probability that reactor is in condition where runaway reaction can occur on loss of cooling (per reactor) (annual basis). Probability 0.5
Conditional Modifiers (if applicable): Probability of ignition N/A; Probability of personnel in affected area N/A; Probability of fatal injury N/A; Others N/A
Frequency of Unmitigated Consequence: 5 × 10–2 per year
Independent Protection Layers:
  Pressure Relief Valves: With required modifications to system (see Actions). (PFD may be conservative if modifications added.) PFD 1 × 10–2
  SIF to open vent valves (see Actions for design details): SIF (Req’d PFD = 1 × 10–3) (Part of SIS for all 3 reactors). Required PFD set by Scenario 5. TO BE ADDED—see Actions/Notes. PFD 1 × 10–3
  SIF to add emergency cooling water: TO BE ADDED—see Actions/Notes. PFD 1 × 10–1
Safeguards (non-IPLs): BPCS add inhibitor and emergency cooling loops. Not independent of initiating event. Operator Intervention. Not independent of BPCS sensors, alarms, FCE.
Total PFD for all IPLs: 1 × 10–6
Frequency of Mitigated Consequence: 5 × 10–8 per year
Risk Tolerance Criteria Met? (Yes/No): Yes with added SIF
Actions Required to Meet Risk Tolerance Criteria: Add SIS for all 3 reactors. Install SIF with minimum PFD = 1 × 10–3 for opening vent valves on high temperature. Separate nozzles and piping for each vent valve. Install separate nozzle and vent lines for each PSV to minimize blockage and common cause. Consider N2 purges under all vent valves/PSVs. Responsible Group/Person/Date: Plant Technical/J. Doe/January 20xx
Notes: Ensure operator response to high temperature meets requirements for IPL. Ensure RV design, installation, maintenance meet requirements for PFD 1 × 10–2 as a minimum. If determined to be better, consider PFD for Vent Valve SIF PFD.
Appendix B. Worked Examples from CCPS’s Safe Automation Book

TABLE B.9
Scenario Number: 8
Equipment Number:
Date:
Scenario Title: Agitator seal fails with potential for leakage of VCM with potential for fire, explosion, injuries and fatalities
(Sheet columns: Description, Probability, Frequency (per year))

Consequence Description/Category: Leakage from agitator seal (100–1000 lb flammable above atmospheric BP), with possible injuries and fatalities. Category 3
Risk Tolerance Criteria (category or frequency): Unacceptable (Greater than) 1 × 10–1 per year; Tolerable (Less than or equal to) 1 × 10–4 per year
Initiating Event (typically a frequency): Seal failure. Frequency 1 × 10–1 per year
Enabling Event or Condition:
Conditional Modifiers (if applicable): Probability of ignition N/A; Probability of personnel in affected area N/A; Probability of fatal injury N/A; Others N/A
Frequency of Unmitigated Consequence: 1 × 10–1 per year
Independent Protection Layers:
  Spot ventilation system at agitator shaft seal: PFD 1 × 10–1
  SIF to open vent valves (see Actions for design details): SIF (Req’d PFD = 1 × 10–3) (Part of SIS for all 3 reactors). Required PFD set by Scenario 5. TO BE ADDED—see Actions/Notes. PFD 1 × 10–3
Safeguards (non-IPLs): Operator Intervention. Not independent of action that would be taken by SIS to de-pressure reactor. Fume detection around seal. Post-event scenario and effectiveness not quantifiable.
Total PFD for all IPLs: 1 × 10–4
Frequency of Mitigated Consequence: 1 × 10–5 per year
Risk Tolerance Criteria Met? (Yes/No): Yes with added SIF
Actions Required to Meet Risk Tolerance Criteria: Add SIS for all 3 reactors. Install SIF with minimum PFD = 1 × 10–3 for opening vent valves on high temperature. Separate nozzles and piping for each vent valve. Install separate nozzle and vent lines for each PSV to minimize blockage and common cause. Confirm spot ventilation at agitator shaft seal will be effective in removing all leaking materials to prevent fire. Consider N2 purges under all vent valves/PSVs. Responsible Group/Person/Date: Plant Technical/J. Doe/January 20xx
Notes:
PFD. These are based upon the LOPA analyses shown in Tables B.2 through B.9. As stated earlier, these design modifications are intended for illustrative purposes only and do not imply that the design shown in CCPS (1993b) is unsafe. Other design options could be considered.
Modification of the PSV system
It is proposed to modify the piping system so that each of the PSVs is connected to the reactor by its own nozzle and piping system. This will ensure the independence of the PSVs and the shortstop injection system. It will also eliminate the potential for the blockage of a single nozzle by polymer, during normal operation or during a relief event, rendering both PSVs ineffective. Consideration should also be given to adding nitrogen purges under the PSVs to minimize the potential for polymer deposition/freezing in the piping or at the inlet to the valves. If not already considered, DIERS technology should be used to determine whether two-phase flow could occur in the piping and valves during a release. If this is feasible, the piping and valves should be designed appropriately (Guidelines for Pressure Relief and Effluent Handling Systems, CCPS, 1998b).

These changes will allow both the PSVs and the shortstop system to be considered as IPLs. The PFD for the PSV system will probably be improved significantly by the proposed piping changes and the addition of a nitrogen purge—if appropriate and practical. On the other hand, it can be argued that charging the reactants through the common nozzle for the PSVs, the shortstop system, and the vent valve SIF increases the probability that the nozzle will be open to those devices when needed. Chapter 11 offers guidance for fault tree analysis of protection layers that have common components. However, in accordance with the recommendations contained in Chapter 6, a PFD of 1 × 10–2 will be used in the analysis shown in Tables B.2 through B.9. This will affect the required PFD for the SIF to open the vent valves in order to meet the risk tolerance criteria. In a company practicing this technology, testing and data might be available to justify a lower PFD for the PSV system.
This issue demonstrates that while LOPA is a powerful method, it relies upon good engineering judgment and reliable data in order to make appropriate risk judgments.
Modification of the Vent Valve SIF System
The same modifications for the design of the PSV system are also applicable for the vent valve SIF system. Thus, two more new nozzles are required at the top of the reactor. The same design issues regarding two-phase flow, polymerization, etc., must also be addressed. As before, these changes allow both the vent valve SIF system and the shortstop addition system to be considered as IPLs. The assumed PFD of the PSVs (see above) and the risk tolerance criteria set the PFD for the SIF system. The final design of the system (number of sensors, final control elements, type of processor, frequency and type of testing, etc.) would be determined by the required PFD for this IPL. As an example, if the complete vent valve IPL (from signal detection to opening of the vent valves) were tested between each batch, the test period would be short and the PFD, for a given design, would be improved compared to the same design tested only once a year. The practicality, cost, and manpower required to perform such frequent testing would be balanced against the lower cost of a simpler system.
Human Action IPLs
Only one human action per scenario should be used as an IPL unless the analysis shows there is independence of sensor, alarm, and operator. Adequate training, testing, and procedures must be in place for any human action to be considered as an IPL.
APPENDIX C
Documentation for a LOPA Study
C.1. Documentation to be Developed during LOPA
The documentation of the study should be complete and accurate to fully capture the knowledge gained during the evolution of the scenario. It is important to document the full series of events required for the undesired consequence to occur. This allows for a review by a team, or other analysts, to assess the assumptions made and whether other protection layers may be available to interrupt the chain of events and reduce the risk associated with a scenario if it does not meet the corporate risk tolerance guidelines.

The documentation of components of a scenario can be presented in any way that an organization prefers. The standardized values for initiating event frequency, PFD for IPLs, etc., specified by an organization should be used unless there is sufficient reason to deviate from them. Any change from these specified values must be documented and approved by the personnel/group responsible for LOPA quality control within an organization.

The following guidelines summarize the minimum amount of information that should be included. The LOPA summary sheet used throughout this book (see Table C.1) is used as the basis for this discussion, although any such form is acceptable, provided it contains the required information.
TABLE C.1 Summary Sheet for LOPA Method
Scenario Number:
Equipment Number:
Date:
Scenario Title:
(Sheet columns: Description, Probability, Frequency (per year))
Consequence Description/Category
Risk Tolerance Criteria (category or frequency)
Initiating Event (typically a frequency)
Enabling Event or Condition
Conditional Modifiers (if applicable)
  Probability of ignition
  Probability of personnel in affected area
  Probability of fatal injury
  Others
Frequency of Unmitigated Consequence
Independent Protection Layers
Safeguards (non-IPLs)
Total PFD for all IPLs
Frequency of Mitigated Consequence
Risk Tolerance Criteria Met? (Yes/No):
Actions Required to Meet Risk Tolerance Criteria:
Notes:
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):

Consequence
The consequence should be documented in two ways. First, there should be a description of the final consequence. For example, all of the following might be valid descriptions of the consequences of a scenario involving loss of cooling on a column or reactor:
• “Pressure greater than MAWP resulting in leakage from flange joints,” or
• “Pressure greater than MAWP resulting in vessel rupture,” or
• “Pressure greater than MAWP resulting in release of 12,000 lb of propylene,” or
• “Pressure greater than MAWP resulting in an explosion with injuries and fatalities.”
However, these are very different from one another. It is important to be very clear as to what consequence is being examined. If this is not done, confusion will arise during the analysis. For the examples noted above, there could be significant differences in how the scenario would be developed and examined.

Second, the consequence should be stated in terms specific to the risk assessment method being applied by the organization. This could be in terms of the amount of material released and a resulting consequence categorization, or in terms of the potential for injuries or fatalities. Any assumptions should be stated. For example, if an overpressure were to occur, is the consequence a catastrophic rupture, a large leak, or a small leak from a flange? If consequence categorization is employed, the release size could be assumed based on the contents of the system, or it could be calculated by modeling. Supporting documentation should be attached or referenced.
Risk Tolerance Criteria
The risk tolerance criteria for the method being used should be clearly stated to provide a reference point to judge the status of the scenario. Depending upon the method, the risk criteria may be stated in terms of a frequency range, or a maximum frequency acceptable for the consequence type used in a particular method.

Initiating Event
The initiating event for the scenario must be unambiguously described. The frequency of the initiating event must also be stated, together with the basis for this value (standard figure, plant experience, calculation, etc.). Any other relevant information or assumptions should also be noted. Supporting documentation, such as calculations, communications, standards, etc., should be attached or referenced to enable a review of the assumptions or calculations.
Enabling Event or Condition
If an enabling event or condition is required in order for the initiating event to proceed, this should be described. Since these situations can be complex, it is recommended that additional documentation explaining how the initiating event and enabling condition interact be attached or referenced. An event tree might be a useful form of documentation. The basis for the probability assumed for the enabling event or condition should be attached or referenced, together with any assumptions and other relevant information.

Conditional Modifiers
If the consequence basis is fatality frequency, then additional assumptions may be required to assess the probability that the scenario will result in a fatality. This can involve consequence modeling using probabilities for
• ignition,
• personnel being in affected area, and
• fatal injury given exposure occurs.
The basis for these assumed values should be referenced. Any modifications to standard values must be justified and documented.

Frequency of Unmitigated Consequence
This is the product of the frequency of the initiating event, the probability of any enabling event or condition, and any conditional modifiers, if used. It is a measure of the baseline risk associated with this scenario. This result is important, since it provides a basis from which the importance of the IPLs associated with a particular scenario can be assessed.

Independent Protection Layers
The existing or proposed IPLs should be stated, together with the assumed PFD for each IPL. Supporting documentation should be attached or referenced. If the PFD is different from the standard value normally used within an organization, the justification should be stated. If additional IPLs are to be installed, this should be cross-referenced to the “Actions Required to Meet Risk Tolerance Criteria” section (see below). If the less conservative Approach B is used when crediting BPCS loops as IPLs, it is particularly important to justify the basis for this approach (see Chapter 11).
Safeguards
If an existing safeguard is not claimed as an IPL, the justification should be stated (e.g., it is not independent of an IPL already claimed) so that the basis for the analysis is fully understood. It is important for the team or analyst to document all safeguards considered, to allow for review and to assist other personnel in understanding LOPA concepts and conclusions.

Frequency of Mitigated Consequences
This is the frequency at which the consequence is expected to occur with the IPLs in place and with each IPL having the stated PFD value. It may be appropriate to state two figures. The first is the mitigated event frequency with existing IPLs, and the second the mitigated event frequency with any additional IPLs added.

Risk Tolerance Criteria Met?
If the risk tolerance of the organization is met, the documentation should state the actual risk and the risk tolerance criteria. The IPLs needed to meet the risk tolerance criteria should be marked in the IPL documentation discussed above. On the other hand, if the result of the analysis is that the current system does not meet the risk tolerance criteria, this must be stated. Documentation should be attached or referenced stating the acceptable risk for this scenario, so that the difference between the actual and required risk is clearly delineated and the necessity for remedial action is documented and tracked.

Actions Required to Meet Risk Tolerance Criteria
This section should clearly define what actions are required. The specific actions required should be defined together with the responsible person or group and the date when this must be completed. For example: “Add additional independent BPCS loop to trip pump P-311 on Hi-Hi level (14 feet) in tank T-302. Responsibility T. Jones/Operations Supervisor Tank Farm. Completion Date: June 2001.” If a cost–benefit analysis, or similar documentation, has been performed or published to justify accepting a higher risk than specified by the risk tolerance criteria of an organization, this must be attached or referenced. A senior manager may be required to sign off on such an exception and, in such a case, this must be attached to the documentation. It is also possible that at some stage of a LOPA study, additional information may be required to perform the calculations. All actions must be put into a tracking system that will report any failure to achieve the required actions. All such documentation must be maintained.
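The sheet arithmetic described in the sections above (unmitigated frequency, total PFD, mitigated frequency, and the test against the tolerable frequency), as an added example that is not code from the book: it re-enters Scenarios 6 to 8 from Tables B.7 to B.9, recomputes each field, and derives the PFD the shared vent-valve SIF must achieve as the most demanding value over the scenarios it serves, which is how the tables arrive at a single required PFD for the SIS. The dataclass and function names, and rounding the required PFD down to the next decade, are this example's assumptions.

```python
"""LOPA summary-sheet arithmetic for Scenarios 6 to 8 (Tables B.7 to B.9).

Added example, not code from the CCPS book. Exact rational arithmetic is used
so that decade values such as 1e-3 compare exactly instead of as rounded floats.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import List, Optional


def frac(x) -> Fraction:
    """Exact Fraction from a decimal string such as "1e-3" or "0.5"."""
    return Fraction(str(x))


@dataclass
class IPL:
    """One independent protection layer credited on the sheet, with its PFD."""
    name: str
    pfd: Fraction


@dataclass
class Scenario:
    """The summary-sheet fields that enter the calculation (names assumed here)."""
    number: int
    title: str
    initiating_frequency: Fraction                 # per year
    tolerable_frequency: Fraction                  # per year, "less than or equal to"
    enabling_probability: Fraction = Fraction(1)   # 1 when no enabling condition
    conditional_modifiers: List[Fraction] = field(default_factory=list)  # empty when N/A
    ipls: List[IPL] = field(default_factory=list)

    def unmitigated_frequency(self) -> Fraction:
        """Initiating frequency x enabling probability x each conditional modifier."""
        f = self.initiating_frequency * self.enabling_probability
        for p in self.conditional_modifiers:
            f *= p
        return f

    def total_pfd(self, exclude: Optional[str] = None) -> Fraction:
        """Product of the credited IPL PFDs, optionally leaving one IPL uncredited."""
        pfd = Fraction(1)
        for ipl in self.ipls:
            if ipl.name != exclude:
                pfd *= ipl.pfd
        return pfd

    def mitigated_frequency(self, exclude: Optional[str] = None) -> Fraction:
        return self.unmitigated_frequency() * self.total_pfd(exclude)

    def criteria_met(self, exclude: Optional[str] = None) -> bool:
        """The sheet's "Risk Tolerance Criteria Met?" test."""
        return self.mitigated_frequency(exclude) <= self.tolerable_frequency


def decade_floor(x: Fraction) -> Fraction:
    """Largest power of ten <= x. Crediting PFDs in whole decades is assumed here."""
    if x <= 0:
        raise ValueError("PFD must be positive")
    p = Fraction(1)
    while p > x:
        p /= 10
    while p * 10 <= x:
        p *= 10
    return p


def required_pfd(scenario: Scenario, ipl_name: str) -> Fraction:
    """PFD the named IPL needs for the scenario to reach its tolerable frequency,
    with every other credited IPL kept at its sheet value."""
    others = scenario.total_pfd(exclude=ipl_name)
    exact = scenario.tolerable_frequency / (scenario.unmitigated_frequency() * others)
    return decade_floor(min(exact, Fraction(1)))


def shared_sif_requirement(scenarios: List[Scenario], ipl_name: str) -> Fraction:
    """A SIF serving several scenarios must satisfy the most demanding of them."""
    served = [s for s in scenarios if any(i.name == ipl_name for i in s.ipls)]
    return min(required_pfd(s, ipl_name) for s in served)


VENT_SIF = "SIF to open vent valves"
PSV = "Pressure relief valves (with modified piping)"

# Transcribed from Tables B.7 to B.9; conditional modifiers are N/A in all three.
SCENARIOS = [
    Scenario(6, "BPCS level control failure leading to overfill of reactor",
             frac("1e-1"), frac("1e-6"), enabling_probability=frac("0.5"),
             ipls=[IPL(PSV, frac("1e-2")), IPL(VENT_SIF, frac("1e-3"))]),
    Scenario(7, "BPCS temperature control failure during heat-up step",
             frac("1e-1"), frac("1e-6"), enabling_probability=frac("0.5"),
             ipls=[IPL(PSV, frac("1e-2")), IPL(VENT_SIF, frac("1e-3")),
                   IPL("SIF to add emergency cooling water", frac("1e-1"))]),
    Scenario(8, "Agitator seal fails with potential for leakage of VCM",
             frac("1e-1"), frac("1e-4"),
             ipls=[IPL("Spot ventilation at agitator shaft seal", frac("1e-1")),
                   IPL(VENT_SIF, frac("1e-3"))]),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"Scenario {s.number}: unmitigated {float(s.unmitigated_frequency()):.1e}/yr, "
              f"mitigated {float(s.mitigated_frequency()):.1e}/yr, met={s.criteria_met()}, "
              f"met without vent SIF={s.criteria_met(VENT_SIF)}, "
              f"vent SIF needs PFD <= {float(required_pfd(s, VENT_SIF)):.0e}")
    print("Shared vent-valve SIF requirement:",
          f"{float(shared_sif_requirement(SCENARIOS, VENT_SIF)):.0e}")
```

Scenario 7 on its own would accept a vent-valve SIF of 1 × 10–2 because the emergency cooling SIF is also credited, but the shared SIF must meet the 1 × 10–3 demanded by the overfill scenario, which is why the tables quote a single required PFD for the whole SIS.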
Notes
This section should contain any background information, or reference such information, relevant to the scenario or the required actions.

References
Any relevant process flow diagrams, P&IDs, SIF (interlock) drawings, instrument tags, equipment numbers, operating procedures, test procedures, revision numbers, etc. should be attached or referenced as required, to adequately document the basis for the analysis and to assist in the review or implementation of the study. Revisions to the documents should be recorded on the sheet on a line-by-line basis.

LOPA Analyst and Team Members
Names and roles should be listed.

LOPA Documentation and Action Tracking
Once this documentation is completed it must be
• maintained so that it is available for review. This includes a policy of approving and tracking revisions to the documentation.
• tracked so that the recommendations and actions from the study are addressed: either implemented or rejected with adequate documentation of the reasons for their rejection.

C.2. Uses of LOPA Documentation
Once the LOPA documentation is complete it can be used for numerous purposes, given its concise format and rigorous basis. Some of these uses are discussed in Chapter 10, but others may include
• documentation for meeting OSHA and EPA requirements,
• training of engineers and operations staff,
• providing a consistent approach to risk management within an organization,
• other uses as developed by the organization.
APPENDIX D
Linkage with Other Publications
CCPS has published several books dealing with process safety issues in the chemical industry. LOPA can be usefully applied in several areas to provide an alternate method or to address particular concerns in an objective, cost-effective manner. Relevant publications are described below.

Guidelines for Technical Management of Chemical Process Safety (CCPS, 1989c) is an expansion of the 12 elements of the CCPS model and provides the framework and detailed components of the CCPS Chemical Process Safety Management System. This book discusses various alternatives for the implementation of each of the elements and components of the CCPS model. LOPA should be viewed as one additional tool that can be employed by management to manage process safety. Its simplified assumptions and calculation methods, coupled with the use of objective risk tolerance criteria and self-documentation, make it a powerful tool for such a purpose. Chapter 9 outlines the issues that should be addressed by an organization before it decides to use LOPA as part of its process safety management system.

Guidelines for Process Safety Documentation (CCPS, 1995b) provides detailed guidance on establishing the type and amount of information to be recorded, various alternatives for developing record management systems, and record retention and retrieval programs to ensure a viable corporate memory for PSM-relevant information. LOPA is a self-documenting process, since the scenario definition, initiating event frequency, number of IPLs, etc. provide a direct documentation trail. The only function not provided by the LOPA method is the closeout of recommendations—these must be effectively managed by the existing process safety management system.
Guidelines for Safe Automation of Chemical Processes (CCPS, 1993b) examines the direct or indirect applications of instrumentation and control devices that can prevent and/or mitigate identified unacceptable process conditions. LOPA can be used directly to determine the required safety integrity level (in terms of the probability of failure on demand (PFD)) of such systems. LOPA cannot be used to determine whether a particular device or system will actually achieve the specified PFD—this requires another tool. LOPA is a semiquantitative technique and its results may be less accurate than a more sophisticated technique, such as fault tree analysis. However, several companies have demonstrated its effectiveness in classifying the required SIL for individual safety functions within an SIS.

Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples (CCPS, 1992a) describes methods used to identify and assess the significance of hazardous situations found in process operations or activities involving hazardous chemicals. These approaches are not limited in their application to the chemical manufacturing industry; they are also appropriate in any industry where activities create situations that have the potential to harm workers or the public; damage equipment, facilities or quality; or threaten the environment through chemical releases, fires or explosions. LOPA should be considered an addition to this book as it provides a consistent, objective, semiquantitative method for addressing the issues covered. Generally LOPA will use scenarios developed by other methods—usually qualitative (HAZOP, What-If, etc.). However, companies have found that LOPA will often uncover scenarios overlooked by other methods because of the rigor in applying the concept of IPLs to the scenario.
Guidelines for Chemical Process Quantitative Risk Analysis (CCPS, 1989a); Second Edition (CCPS, 2000a) show how to use the information obtained by the hazard evaluation procedures of CCPS (1992a) to make quantitative risk estimates for the hazards identified by the techniques described in that volume. LOPA should be considered a simplification of the quantitative risk analysis methods described in the CCPS CPQRA book (2000a). The simplification involves making assumptions concerning the numerical values for the components of the scenario (initiating event frequency, enabling event/condition, number of IPLs, numeric PFD for an IPL) and in the calculation techniques employed. The simplifications are intended to be conservative so that, if a study were to be performed using a full quantitative analysis (event tree, fault tree, etc.), the results would show less risk associated with the scenario when compared to the results of a LOPA analysis. For this to be true an analyst must have an understanding of the issues involved when performing a full quantitative risk analysis and what issues are important. Thus, it is highly recommended that this volume be read in conjunction with CCPS (2000a) and that an analyst review the LOPA method developed by an individual organization to ensure that the conservatism intended for the LOPA process is maintained. As described in Chapter 11, there are situations when a focused quantitative study can be usefully performed on one component of a LOPA scenario to provide additional confidence in the numerical value used.

Guidelines for Engineering Design for Process Safety (CCPS, 1993a) discusses the impact of various engineering design choices on the risk of a catastrophic accident, starting with the initial selection of the process and continuing through its final design. This book is concerned with engineering design for process safety and addresses the need to design safety into the initial design. The book also addresses reducing risk through the use of passive and active devices to prevent and mitigate catastrophic events. LOPA is a useful tool for use in these areas and an understanding of its techniques would be valuable to all engineers involved in design work.

Inherently Safer Chemical Processes. A Life Cycle Approach (CCPS, 1996b) develops the concept of a safer initial design discussed in the CCPS Engineering Design book (CCPS, 1993a) and expands the subject. LOPA is an ideal tool to assist in developing designs that have an inherently lower risk associated with them, or which require the minimum number of IPLs to achieve a tolerable risk. Using scenarios and the simplified assumptions and calculation methods allows rapid comparisons to be made between alternative designs and safety philosophies.

Tools for Making Acute Risk Decisions with Chemical Process Safety Applications (CCPS, 1995c) discusses methods used for decision making where risks have been assessed. In addition to chemical process risk, other factors, including financial cost, corporate image, employment of workers, etc., may be involved in a decision. This book provides a collection of decision aids to assist a company. LOPA should be considered an alternate method for making such decisions as it employs objective, quantified risk tolerance criteria.
Some of the more qualitative factors (company image, morale, etc.) cannot be directly included, but that is also the case for all other objective methods. Some LOPA risk tolerance criteria include a range where a cost–benefit study—or another type of judgment—is required to help decide whether a risk should be tolerated or mitigated. Analysts using LOPA should be familiar with the techniques discussed in this book.

Guidelines for Chemical Transportation Risk Analysis (CCPS, 1995a) discusses quantitative assessment of transportation risks. LOPA is ideally suited to such studies provided that the risk tolerance criteria can be specified in a manner consistent with the LOPA technique employed by the company.

Guidelines for Pressure Relief and Effluent Handling Systems (CCPS, 1998b) presents background information on pressure relief technology along with guidance for selecting relief devices and effluent handling equipment. This book should be viewed as supporting the application of LOPA, particularly when considering the appropriate PFD for relief devices (see Chapter 6). Relief devices in clean, non-fouling, non-corrosive services can have low PFD values. Conversely, those in fouling, polymeric, corrosive services can have a high PFD and provide a very limited degree of protection as IPLs. Practitioners of LOPA should be familiar with the issues discussed in this book.

Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires (CCPS, 1996a) provides a practical approach to identify, evaluate and manage the process safety considerations associated with process plant building design and siting. This book specifically addresses the explosion and fire impacts to process plant buildings, occupants and function. LOPA is an excellent tool for screening the risk associated with these events, provided the risk tolerance criteria used are stated appropriately.

Guidelines for Evaluating the Characteristics of Vapor Cloud Explosions, Flash Fires, and BLEVEs (CCPS, 1994a) provides an overview of the methods for estimating the characteristics of vapor cloud explosions, flash fires, and boiling liquid expanding vapor explosions (BLEVEs). The volume summarizes and evaluates all the current information, identifies areas where information is lacking, and describes current and planned research in this area. This book should be viewed as supporting the application of LOPA by assisting in defining the consequences of a release. Analysts using LOPA should be familiar with the topics and methods discussed in this book.

LOPA can be used to assist in implementing the requirements of the US Process Safety Management (PSM) of Highly Hazardous Chemicals (OSHA PSM 1910.119). The rule was developed for “preventing or minimizing the consequences of catastrophic releases of toxic, flammable or explosive chemicals” (OSHA, 1992). The PSM regulation specifies a comprehensive safety management program that integrates technologies, procedures and management practices.
The rule addresses process hazard assessment, specification of risk control measures, evaluation of failures of these controls, documentation of engineering controls, and scheduled maintenance to assure the on-going integrity of the protective equipment. LOPA can be applied to meet the requirements of OSHA PSM 1910.119 in the following ways:
• Process Safety Information (Section d) can be directly included or referenced on the LOPA sheet for each scenario to justify the values or consequences. Such information could include
  – hazards of the chemicals,
  – the technology of the process (particularly in the evaluation of the consequences of deviations),
  – information pertaining to the equipment in the process (particularly in relation to the relief system design and design basis, safety systems, SIF (interlock), detection and suppression systems, etc.).
• Process hazard analysis (Section e) to identify, evaluate and control the hazards of the process by addressing
  – the hazards of the process,
  – engineering and administrative controls applicable to the hazards,
  – consequences of failure of engineering and administrative controls,
  – facility siting,
  – human factors.
• Operating procedures (Section f) by addressing
  – emergency shutdown procedures,
  – emergency operations,
  – operating limits (consequences of deviation and the steps required to avoid deviation),
  – safety and health considerations (precautions necessary to prevent exposure including engineering controls and administrative controls),
  – safety systems and their functions.
• Mechanical integrity (Section j) by addressing
  – emergency shutdown systems,
  – controls (including monitoring devices, sensors, alarms and SIFs),
  – written procedures,
  – training,
  – inspection and testing,
  – quality assurance.
• Management of change (Section l) by addressing
  – the technical basis for the proposed change,
  – impact of change on safety and health,
  – modifications to existing equipment,
  – notification and documentation of change,
  – updating of process safety information,
  – updating of procedures and practices.
All of these functions can be achieved using the LOPA method with documentation similar to that illustrated in this book.
APPENDIX E
Industry Risk Tolerance Criteria Data
CAUTION: The risk tolerance criteria in this appendix are not exhaustive and may be out of date. The data were extracted from several sources, each published in a different year, and hence individual quoted values may differ. They are provided to show the similarity among risk tolerance criteria around the world and are to be used only to provide a benchmark perspective of the range of risk tolerance criteria. These data should not be used for regulatory compliance; contact the appropriate regulatory authority for the applicable current criteria. The sources were BLS (1998), Greenwood (1997), Renshaw (1990), VROM (1995), and other industry literature sources.
TYPICAL DATA RELATED TO RISK TOLERANCE CRITERIA
(all values have units of probability of death per year for an individual)

Generalized USA Industry Data

| Industry category | Risk for workforce from all scenarios | Risk for public from all scenarios |
|---|---|---|
| High risk (e.g., mining, heavy construction) | 10^-3 | 10^-3 to 10^-5 |
| Low risk (e.g., engineering, services) | 10^-5 | 10^-5 to 10^-5 |
| General industry (chemical, manufacturing, rail, trucking) | 10^-4 | 10^-4 to 10^-5 |

Statistical Data from USA (risk derived by dividing applicable fatalities by the affected population)

| Activity | Risk for workforce from all scenarios | Risk for public from all scenarios |
|---|---|---|
| Driving accidents | 10^-4 | 10^-4 |
| Airline accidents | 5 × 10^-7 | 4 × 10^-6 |
| Work-related accidents in US industry | 1.9 × 10^-5 | NA |
| All accidents in US (work and nonwork); sometimes called "background" risk | 3.5 × 10^-4 | 3.5 × 10^-4 |

Some regulators and major companies that have set risk tolerance criteria

| Organization | Maximum tolerable risk for workforce from all scenarios | Negligible risk for workforce from all scenarios | Maximum tolerable risk for public from all scenarios | Negligible risk for public from all scenarios |
|---|---|---|---|---|
| Health & Safety Executive, UK (existing industry) | 10^-3 | 10^-6 | 10^-4 | 10^-6 |
| VROM, The Netherlands (existing industry) | NA | NA | 10^-5 | NA |
| VROM, The Netherlands (new industry) | NA | NA | 10^-6 | NA |
| Hong Kong Government (new industry) | NA | NA | 10^-5 | NA |
| Santa Barbara County, CA, USA (new industry) | NA | NA | 10^-5 | 10^-7 |
| Shell (onshore and offshore; approx.) | 10^-3 | 10^-6 | Note 1 | Note 2 |
| BP (onshore and offshore) | 10^-3 | 10^-6 | Note 1 | Note 2 |
| ICI (onshore) | 3.3 × 10^-5 | NA | 1 × 10^-4 | NA |
| Rohm and Haas Company | 2.5 × 10^-5 (personal risk to a specific employee) | NA | 1 × 10^-5 | 1 × 10^-7 |

Typical criteria used with LOPA (Note 3)

| Scope | Maximum tolerable risk for workforce | Negligible risk for workforce | Maximum tolerable risk for public | Negligible risk for public |
|---|---|---|---|---|
| For ALL scenarios affecting an individual | 10^-3 | 10^-5 | 10^-3 | 10^-5 |
| For any ONE scenario affecting an individual (most useful for LOPA) | 10^-4 | 10^-6 | 10^-4 | 10^-6 |

Note 1: Not available, but typically industry uses a value that is an order of magnitude lower than workplace risk.
Note 2: Not available, but typically industry uses the same value used for workplace risk, since the value is already in the region where risk calculations become meaningless.
Note 3: Many company criteria require that scenarios capable of causing multiple fatalities or causing greater than US$10 million damage/harm must be evaluated using QRA.
NA: Means either not available or not applicable.
APPENDIX F
High Initiating Event Frequency Scenarios
Calculations for High Initiating Event Frequency Scenarios

Equation (7-1) is applicable to calculate the frequency of the consequence for scenarios in which the initiating event frequency is less than twice the test frequency of the IPL, also called "low demand mode." The initiating event frequency is multiplied by the IPL PFDs. "High demand mode" occurs when the challenge frequency to an IPL is higher than twice the test frequency for the IPL (IEC 61511, Part 1; IEC 2001). For example, the IPL is tested once a year and there are more than two demands per year. For high demand mode, a different equation is needed, shown in Equation (F-1) for a scenario with one IPL:

$f_i^C = f_i^{IPL1}$   (F-1)

where
$f_i^C$ is the frequency for consequence C for initiating event i,
$f_i^{IPL1}$ is the failure frequency for the one IPL that protects against consequence C for initiating event i.

If there are multiple IPLs, the failure frequency for the first IPL should be compared to the test frequency of the second IPL. If the second IPL is in low demand mode, Eq. (7-1) can be used, substituting the first IPL failure frequency in place of the initiating event frequency and omitting the PFD for the first IPL. The CCPS CPQRA book (CCPS, 2000a) and Kumamoto and Henley (1996) provide guidance to calculate the IPL failure rate and the IPL PFD. However, for LOPA, the IPL PFD may be known but the IPL failure rate may not be readily available. A simple approach is to use Eq. (7-1) and to set the initiating event frequency to twice the IPL test frequency. The basis for this approach is illustrated in Example F.1 and Figure F.1 and is discussed below.

Example F.1
A small tank is filled from a large tank 1400 times per year. In the past, the operator watched a local level gauge and closed a manual valve at the right amount. After an overflow incident, a level sensor, logic solver and automatic valve were added as an IPL to detect high level and stop the fill. The IPL is tested annually and has a PFD of 1 × 10^-2. It was intended that the operator would continue to monitor the local level gauge and close the manual valve. The demand on the IPL would be 1400 fills/yr × 0.001 probability of operator error/fill = 1.4 demands/yr. Thus the IPL is in low demand mode and the frequency of overflow would be 1.4 demands/yr × 1 × 10^-2 PFD = 1.4 × 10^-2/yr.

Human nature being what it is, the operator found other tasks to do while the tank was filling and relied on the IPL to stop the flow. Now the IPL was in high demand mode with 1400 demands per year. Using the low demand equation (7-1) with the apparent initiating event frequency gives too high a number: 1400 fills/yr × (IPL PFD 1 × 10^-2) = 14 overflows per year per tank (unreasonable)! Actual experience is much less. Instead, the high demand equation (F-1) should be used. The operator starts the flow, and if the IPL fails, the tank will overflow. This IPL has a failure rate (to danger) of 2 × 10^-2/yr. Using Eq. (F-1) and setting the LOPA initiating cause frequency to the failure rate of the IPL gives 2 × 10^-2 overflows/yr. If there are 100 tanks like this in the organization, an overflow would be expected about twice a year. Alternatively, using Eq. (7-1) with the initiating event frequency set to twice the test frequency gives: 2/yr × (IPL PFD 1 × 10^-2) = 2 × 10^-2/yr.

The unmodified Eq. (7-1) is not applicable for high demand because the high number of demands on the IPL will reveal a failure in the IPL well before the regular test of the IPL. Kletz (1985) provides additional examples, including the source for Example F.2.

Example F.2
Consider the brakes on a car. The consequence is that the car does not stop. Kletz (1985) suggests a guessed demand rate (initiating event frequency) of 1 × 10^4/yr. The failure rate for the brakes is typically 0.1/yr. The PFD for the brakes would be about 2.6 × 10^-2. Annual inspection and test of the brakes is required in some locations. Using the low demand equation (7-1) with the apparent initiating event frequency gives 1 × 10^4/yr × 2.6 × 10^-2 PFD = 2.6 × 10^2/yr, or 260/yr! Actually, the frequency of the car not stopping is 0.1/yr, or once in 10 years.

Kletz presents a formula for the frequency of consequence for both low and high demand:

$f_i^C = f_i^{IPL1}\left(1 - e^{-DT/2}\right)$   (F-2)

where
$f_i^C$ is the frequency for consequence C for initiating event i,
$f_i^{IPL1}$ is the failure frequency for the one IPL that protects against consequence C for initiating event i,
D is the demand rate at which the IPL is required to act (yr^-1); for a scenario with one IPL, this is the initiating event frequency,
T is the test interval for the IPL (year).

FIGURE F.1. Calculations for high demand mode. Test frequency of IPL = 1/yr. Note that the low demand equation (7-1) gives the same frequency of consequence as the high demand equation (F-1) when the demand frequency equals twice the test frequency.

Figure F.1 shows a graph of Eq. (7-1) (low demand), Eq. (F-1) (high demand), and Eq. (F-2) for the scenario in Example F.1. The transition from the low demand equation to the high demand equation occurs at 2 demands per year, or a demand frequency equal to twice the test frequency. This transition illustrates the concept of setting a high demand initiating event to a frequency of twice the IPL test frequency. The two equations meet there because the average PFD of a periodically tested IPL is approximately λT/2, where λ is its failure rate and T its test interval; with the demand frequency set to 2/T, Eq. (7-1) gives (2/T)(λT/2) = λ, which is the IPL failure frequency of Eq. (F-1). While Eq. (F-2) can be used for both high and low demand, it underpredicts the consequence frequency near the transition between high and low demand. For some applications of LOPA, this approximation may be close enough.

HIGH DEMAND MODE
The challenge frequency to an IPL is higher than twice the test frequency for the IPL. The frequency of consequence, or frequency of challenge to the next IPL, is
• the failure frequency of the IPL, or, more simply, for the first IPL,
• 2 × (IPL test frequency, per yr) × (IPL PFD).
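The calculations of this appendix as an added worked example in Python (example code, not part of the CCPS text): it implements Eq. (7-1), Eq. (F-1) and Kletz's Eq. (F-2), classifies demand mode against the twice-the-test-frequency threshold, chains IPLs the way the appendix describes for multiple layers, and reproduces the numbers of Examples F.1 and F.2. It assumes, as the appendix does, a periodically tested IPL whose average PFD is λT/2, so that the failure rate to danger is 2·PFD/T; the function names and result keys are the example's own.

```python
"""Low- vs high-demand-mode consequence frequency for a LOPA scenario.

Added example, not from the CCPS text.  Assumption (stated in the appendix):
the IPL is periodically tested and its average PFD is lambda*T/2, so its
failure rate to danger is lambda = 2*PFD/T.  All rates are per year.
"""
import math

HIGH_DEMAND_FACTOR = 2.0  # high demand when demand rate > 2 x test frequency


def failure_rate_from_pfd(pfd, test_interval_yr):
    """Failure rate (to danger) of a tested IPL: lambda = 2*PFD/T."""
    return HIGH_DEMAND_FACTOR * pfd / test_interval_yr


def demand_mode(demand_rate, test_interval_yr):
    """'high' if the IPL is challenged more than twice as often as it is tested."""
    test_frequency = 1.0 / test_interval_yr
    return "high" if demand_rate > HIGH_DEMAND_FACTOR * test_frequency else "low"


def low_demand_frequency(initiating_frequency, pfds):
    """Eq. (7-1): f_C = f_I * product of the IPL PFDs."""
    f = initiating_frequency
    for pfd in pfds:
        f *= pfd
    return f


def high_demand_frequency(pfd, test_interval_yr):
    """Eq. (F-1) for one IPL: f_C = IPL failure frequency.  Numerically the
    same as Eq. (7-1) with f_I set to twice the test frequency."""
    return failure_rate_from_pfd(pfd, test_interval_yr)


def kletz_frequency(ipl_failure_rate, demand_rate, test_interval_yr):
    """Eq. (F-2): f_C = lambda_IPL * (1 - exp(-D*T/2)); usable in both modes."""
    return ipl_failure_rate * (1.0 - math.exp(-demand_rate * test_interval_yr / 2.0))


def consequence_frequency(initiating_frequency, ipls):
    """Chain IPLs as Appendix F describes.  Each IPL's challenge frequency is
    compared with its own test frequency; in high demand the frequency passed
    on (to the next IPL, or as the consequence) is the IPL failure rate,
    otherwise it is challenge * PFD.  ipls: list of (pfd, test_interval_yr)."""
    challenge = initiating_frequency
    for pfd, test_interval_yr in ipls:
        if demand_mode(challenge, test_interval_yr) == "high":
            challenge = failure_rate_from_pfd(pfd, test_interval_yr)
        else:
            challenge *= pfd
    return challenge


def example_f1():
    """Tank fill: 1400 fills/yr, operator error 1e-3/fill, IPL PFD 1e-2, tested yearly."""
    fills, operator_error, pfd, T = 1400, 1e-3, 1e-2, 1.0
    attentive = fills * operator_error   # 1.4 demands/yr: low demand
    inattentive = float(fills)           # 1400 demands/yr: high demand
    return {
        "attentive_mode": demand_mode(attentive, T),
        "attentive_overflow_per_yr": consequence_frequency(attentive, [(pfd, T)]),
        "inattentive_mode": demand_mode(inattentive, T),
        "naive_7_1_overflow_per_yr": low_demand_frequency(inattentive, [pfd]),  # unreasonable
        "inattentive_overflow_per_yr": consequence_frequency(inattentive, [(pfd, T)]),
        "shortcut_2x_test_freq": low_demand_frequency(HIGH_DEMAND_FACTOR / T, [pfd]),
    }


def example_f2():
    """Kletz car brakes: 1e4 demands/yr, brake failure rate 0.1/yr, PFD ~2.6e-2."""
    demand, lam, pfd, T = 1e4, 0.1, 2.6e-2, 1.0
    return {
        "naive_7_1_per_yr": low_demand_frequency(demand, [pfd]),  # 260/yr, unreasonable
        "f1_per_yr": lam,                                          # Eq. (F-1)
        "kletz_per_yr": kletz_frequency(lam, demand, T),           # Eq. (F-2)
    }


def transition_gap(pfd, test_interval_yr):
    """At D = 2/T Eqs. (7-1) and (F-1) both give lambda; Eq. (F-2) gives
    lambda*(1 - 1/e), the underprediction noted in the text.
    Returns (eq_7_1, eq_F_1, eq_F_2) at the transition demand rate."""
    lam = failure_rate_from_pfd(pfd, test_interval_yr)
    D = HIGH_DEMAND_FACTOR / test_interval_yr
    return low_demand_frequency(D, [pfd]), lam, kletz_frequency(lam, D, test_interval_yr)


if __name__ == "__main__":
    for name, result in (("Example F.1", example_f1()), ("Example F.2", example_f2())):
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")
    print("transition (7-1, F-1, F-2):", transition_gap(1e-2, 1.0))
```

Running the module prints both examples. `consequence_frequency` also covers the multiple-IPL case in the text: with two annually tested IPLs of PFD 10^-2 behind the 1400 demands/yr fill, the first IPL is in high demand (challenge to the second = 2 × 10^-2/yr), the second is in low demand, and the consequence frequency is 2 × 10^-4/yr rather than the 0.14/yr that blind use of Eq. (7-1) would give.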
APPENDIX G
Additional Reading
G.1. General Risk
Bernstein, Peter L. (1998), Against the Gods: The Remarkable Story of Risk, New York: John Wiley and Sons, Inc.
Philley, J. O. (1992), "Acceptable Risk—An Overview," Plant/Operations Progress, 11, 4.
Stickles, P. (1998), "How Much Safety Is Enough?," Hydrocarbon Processing, October.

G.2. Target Risk
Alder, W. A. T., and J. A. S. Ashurst (1992), "The Development of Risk Criteria for Application to New Industries," International Conference on Hazard Identification and Risk Analysis, Human Factors and Human Reliability in Process Safety, Orlando, FL, January. New York: American Institute of Chemical Engineers.
Summers, A. (1997), "Techniques for Assigning a Target Safety Integrity Level," ISA TECH/EXPO, Anaheim, California, October 7–9.

G.3. General Interest
Bhimavarapu, K. R., and P. Stavrianidis (2000), "Safety Integrity Level Analysis for Processes—Issues and Methodologies," Process Safety Progress, 19, 1.
Cheddie, H., and J. A. Cusimano (1997), "Applying a SIS to Fired Heater," ISA TECH/EXPO, Anaheim, California, October 7–9.
Gibson, S. B. (1992), "A Comprehensive Review of Alarm and Interlock Testing," International Conference on Hazard Identification and Risk Analysis, Human Factors and Human Reliability in Process Safety, Orlando, FL, January. New York: American Institute of Chemical Engineers.
Gruhn, P. (1999), "Accidents Lead to Modern Safety Instrumented Systems," InTech, 46, 1, January.
Hill, R. (1991), "The Role of Instrumentation and Process Controls in Minimizing Accidental Releases," Plant/Operations Progress, 10, 3, July.
Langford, C. (1997), "The Control Valve as the Safety Interlock Valve," ISA TECH/EXPO, Anaheim, California, October 7–9.

G.4. Instruments and Safety Instrumented Systems (Interlocks) Design
Beckman, L. V. (1995), "Match Redundant System Architectures with Safety Requirements," Chemical Engineering Progress, December.
Beckman, L. (1997), "Determining the Required Safety Integrity Level for Your Process," ISA TECH/EXPO, Anaheim, California, October 7–9.
Dowell, A. M., III, and D. L. Green (1998), "Formulate Emergency Shutdown Systems by Cookbook," Chemical Engineering Progress, April.
Drake, E. M., and C. W. Thurston (1993), "A Safety Evaluation Framework for Process Hazards Management in Chemical Facilities with PES-based Controls," Process Safety Progress, 12, 2.
Gray, J. (1994), "A Design Process for Safety Interlock Systems," International Symposium and Workshop on Safe Chemical Process Automation, Houston, Texas, September. New York: American Institute of Chemical Engineers.
Huff, A. N., and R. L. Montgomery (1997), "A Risk Assessment Methodology for Evaluating the Effectiveness of Safeguards and Determining Safety Instrumented System Requirements," International Conference and Workshop on Risk Analysis in Process Safety, October 21–24, 1997, Atlanta, GA, pp. 61–74. New York: American Institute of Chemical Engineers.
Moosemiller, M., and W. H. Brown (1997), "Finding an Appropriate Level of Safety Guards," International Conference and Workshop on Risk Analysis in Process Safety, Atlanta, October. New York: American Institute of Chemical Engineers.
Stavrianidis, P., and K. Bhimavarapu (1998), "Safety Instrumented Functions and Safety Integrity Levels (SIL)," ISA Transactions, 37, pp. 337–351.
Thurston, C. W. (1994), "Automation in Chemical Plant Safety: A Design Philosophy," International Symposium and Workshop on Safe Chemical Process Automation, Houston, Texas, September. New York: American Institute of Chemical Engineers.

G.5. International Topics
Ale, B. J. M. (1992), "The Implementation of an External Safety Policy in the Netherlands," International Conference on Hazard Identification and Risk Analysis, Human Factors and Human Reliability in Process Safety, Orlando, Florida, January. New York: American Institute of Chemical Engineers.
Bell, R. (1994), "Safety in Chemical Process Automation: HAS Approach (4)," International Symposium and Workshop on Safe Chemical Process Automation, Houston, Texas, September. New York: American Institute of Chemical Engineers.

G.6. SIS Design as Part of the PHA Process
Gardner, R. J., and M. R. Reyne (1994), "Selection of Safety Interlock Integrity Levels as Part of Design Process Hazard Reviews," International Symposium and Workshop on Safe Chemical Process Automation, Houston, Texas, September. New York: American Institute of Chemical Engineers.
Powell, R. L. (1994), "Process Safety and Control Systems Integrity Levels as Part of Design Process Hazard Reviews," International Symposium and Workshop on Safe Chemical Process Automation, Houston, Texas, September. New York: American Institute of Chemical Engineers.

G.7. Cost–Benefit Analysis—Solution Prioritization
Garcia, A. A., and D. E. Lewis (1998), "Safety Instrumented System Design Using Risk–Benefit Evaluation," International Conference and Workshop on Reliability and Risk Management, San Antonio, TX, September. New York: American Institute of Chemical Engineers.
Stevens, G., and R. P. Stickles (1992), "Prioritization of Safety-Related Plant Modifications Using Cost-Risk Benefit Analysis," International Conference on Hazard Identification and Risk Analysis, Human Factors and Human Reliability in Process Safety, Orlando, Florida, January. New York: American Institute of Chemical Engineers.
References
American Chemistry Council (2000), "Responsible Care® Process Safety Code of Management Practices," Washington, DC: American Chemistry Council.
ASME (1995), "Pressure Vessels with Overpressure Protection by System Design," Section VIII, Divisions 1 and 2, ASME Code Case 2211, The 1995 Boiler and Pressure Vessel Code. New York: American Society of Mechanical Engineers.
Bridges, William G., and Tom R. Williams (1997), "Risk Acceptance Criteria and Risk Judgment Tools Applied Worldwide within a Chemical Company," International Conference and Workshop on Risk Analysis in Process Safety, October 21–24, 1997, Atlanta, GA, pp. 13–28. New York: American Institute of Chemical Engineers.
Bridges, William G. (2000a), Course 209, Layer of Protection Analysis. Knoxville, TN: Risk Consulting Division, ABS Consulting.
Bridges, William G. (2000b), "Getting Near Misses Reported," Process Industry Incidents: Investigation Protocols, Case Histories, Lessons Learned, October 3–6, 2000, Orlando, FL, pp. 379–399. New York: American Institute of Chemical Engineers.
BLS (1998), Toscano, Guy, and Janice Windau, "Profiles of Fatal Work Injuries in 1996," Washington, DC: Bureau of Labor Statistics.
CCPS (1989a), Guidelines for Chemical Process Quantitative Risk Analysis, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1989b), Guidelines for Process Equipment Reliability Data, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1989c), Guidelines for Technical Management of Chemical Process Safety, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1992a), Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1992b), Guidelines for Investigating Chemical Process Incidents, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1993a), Guidelines for Engineering Design for Process Safety, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1993b), Guidelines for Safe Automation of Chemical Processes, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1994a), Guidelines for Evaluating the Characteristics of Vapor Cloud Explosions, Flash Fires and BLEVEs, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1994b), Guidelines for Preventing Human Error in Process Safety, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1995a), Guidelines for Chemical Transportation Risk Analysis, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1995b), Guidelines for Process Safety Documentation, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1995c), Tools for Making Acute Risk Decisions with Chemical Process Safety Applications, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1996a), Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1996b), Inherently Safer Chemical Processes: A Life Cycle Approach, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1998a), Guidelines for Design Solutions for Process Equipment Failures, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1998b), Guidelines for Pressure Relief and Effluent Handling Systems, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (1999), Guidelines for Consequence Analysis of Chemical Releases, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (2000a), Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (2000b), Evaluating Process Safety in the Chemical Industry: A User's Guide to Quantitative Risk Analysis, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (2000c), "Workshop: S84, Related Standards, and Layers of Protection Analysis," January 11, Tampa, FL. New York: American Institute of Chemical Engineers, Center for Chemical Process Safety.
CCPS (2001), Handling Uncertainty: Managing Risk, New York: American Institute of Chemical Engineers, Center for Chemical Process Safety, in preparation.
Dowell, A. M., III (1997), "Layer of Protection Analysis: A New PHA Tool, After Hazop, Before Fault Tree," International Conference and Workshop on Risk Analysis in Process Safety, October 21–24, 1997, Atlanta, GA, pp. 13–28. New York: American Institute of Chemical Engineers.
Dowell, A. M., III (1998), "Layer of Protection Analysis for Determining Safety Integrity Level," ISA Transactions, 37, pp. 155–166.
Dowell, A. M., III (1999a), "Layer of Protection Analysis—A Worked Distillation Example," ISA Tech/1999, Philadelphia, PA. Research Triangle Park, NC: Instrument Society of America.
Dowell, A. M., III (1999b), "Layer of Protection Analysis and Inherently Safer Processes," Process Safety Progress, 18, 4, 214–220.
EuReData (1989), Reliability Data Collection and Use in Risk and Availability Assessment, Proceedings of the 5th EuReData Conference, Heidelberg, Germany, April 9–11, 1986. Edited by H. J. Wingender. Berlin: Springer-Verlag.
Ewbank, Rodger M., and Gary S. York (1997), "Rhône-Poulenc Inc. Process Hazard Analysis and Risk Assessment Methodology," International Conference and Workshop on Risk Analysis in Process Safety, October 21–24, 1997, Atlanta, GA, pp. 61–74. New York: American Institute of Chemical Engineers.
Fryman, C. (1996), "Managing HAZOP Recommendations Using an Action Classification Scheme," AIChE Spring National Meeting, New Orleans, February 25–29, 1996. New York: American Institute of Chemical Engineers.
Fuller, Brad, and Edward M. Marszal (1999), "Quantitative Consequence Analysis for Safety Integrity Level Selection," ISA Tech/1999, Philadelphia, PA. Research Triangle Park, NC: Instrument Society of America.
Greenwood, Brian, et al. (1997), "Risk Criteria for Use in Quantitative Risk Analysis," International Conference and Workshop on Risk Analysis in Process Safety, October 21–24, 1997, Atlanta, GA, pp. 29–40. New York: American Institute of Chemical Engineers.
Huff, Andrew M., and Randal L. Montgomery (1997), "A Risk Assessment Methodology for Evaluating the Effectiveness of Safeguards and Determining Safety Instrumented System Requirements," International Conference and Workshop on Risk Analysis in Process Safety, October 21–24, 1997, Atlanta, GA, pp. 111–126. New York: American Institute of Chemical Engineers.
IEC (1998), IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, Parts 1–7, Geneva: International Electrotechnical Commission.
IEC (2001), IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1–3 (Draft in Progress), Geneva: International Electrotechnical Commission.
IEEE (1984), ANSI/IEEE Standard 500-1994: Guide to the Collection and Presentation of Electrical, Electronic, and Sensing Component Reliability Data for Nuclear-Power Generating Stations. IEEE Standards Association, Piscataway, NJ: Institute of Electrical and Electronics Engineers.
ISA (1995), ANSI/ISA-91.01-1995: Identification of Emergency Shutdown Systems and Controls that are Critical to Maintaining Safety in Process Industries, Research Triangle Park, NC: Instrument Society of America.
ISA (1996), ANSI/ISA-84.01-1996: Application of Safety Instrumented Systems for the Process Industries, Research Triangle Park, NC: Instrument Society of America.
ISA (2001), ISA TR84.0.02, draft. Safety Instrumented Systems (SIS)—Safety Integrity Level (SIL) Evaluation Techniques, Research Triangle Park, NC: Instrument Society of America. (Projected 2001.)
Kletz, Trevor (1985), "Eliminating Potential Process Hazards," Chemical Engineering, New York: Chemical Week Publishing.
Kumamoto, Hiromitsu, and Ernest J. Henley (1996), Probabilistic Risk Assessment and Management for Scientists and Engineers, Second Edition, New York: The Institute of Electrical and Electronics Engineers, Inc.
Leonard, C. Ronald, and Peter N. Lodal (1998), "Using Reliability Based Inspection (RBI) as a Means for Safety Data Collection," CCPS International Conference and Workshop on Reliability and Risk Management, September 1998, San Antonio, TX, pp. 47–62. New York: American Institute of Chemical Engineers.
Lorenzo, Donald M., and William G. Bridges (1997), "Playing the Killer Slot Machine (A Tutorial on Risk)," International Conference and Workshop on Risk Analysis in Process Safety, October 21–24, 1997, Atlanta, GA, pp. 53–60. New York: American Institute of Chemical Engineers.
OREDA (1989), Offshore Reliability Data Handbook, 1st ed., OREDA Participants, Høvik, Norway: Pennwell Books.
OREDA (1992), Offshore Reliability Data Handbook, 2nd ed., OREDA Participants, Høvik, Norway: Det Norske Veritas.
OREDA (1997), Offshore Reliability Data Handbook, 3rd ed., OREDA Participants, Høvik, Norway: Det Norske Veritas.
OSHA (1992), "29 CFR Part 1910: Process Safety Management of Highly Hazardous Chemicals; Explosives; Blasting Agents; Final Rule," Federal Register 57, 36 (February 24), 6356–6417.
Renshaw, F. M. (1990), "A Major Accident Prevention Program," Plant/Operations Progress, 9 (3), 194–197.
Swain, A. D., and H. E. Guttmann (1983), Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278. Washington, DC: United States Nuclear Regulatory Commission.
VROM (1995), Pikan, M. J., and M. A. Seaman, "A Review of Risk Control," Zoetermeer, The Netherlands: Ministerie VROM Directie SVS. Report Number SVS 1994/27.
Windhorst, Jan C. A. (1998), "Over-pressure Protection by Means of a Designed System Rather Than Pressure Relief Devices," CCPS International Conference and Workshop on Risk Analysis in Process Safety, October 21–24, 1997, Atlanta, GA, pp. 191–204. New York: American Institute of Chemical Engineers.
Glossary of Terms
BPCS
Basic Process Control System (BPCS): A system that responds to input signals from the process and/or from an operator and generates output signals, causing the process to operate in the desired manner. The BPCS consists of a combination of sensors, logic solvers, process controllers, and final control elements which automatically regulate the process within normal production limits. Includes an HMI (human machine interface). Also referred to as process control system. Note 1: BPCS logic solvers execute state control functions (i.e., On–Off) such as alarms and automatic interlocks. Note 2: BPCS process controllers execute continuous control functions such as pressure and flow regulation at a setpoint value. Per IEC 61511, Part 1 (IEC, 2001), the BPCS does not perform any safety instrumented functions with a claimed SIL ≥ 1.
Chemical Process Quantitative Risk Assessment
The systematic development of numerical estimates of the expected risk from potential scenarios in a chemical processing facility, including the distribution network, using engineering evaluation and mathematical techniques. The risk assessment may be used to make decisions, particularly when mitigation of risk is considered. Abbreviated as QRA or CPQRA.
Common Cause or Common Mode Failure
Failure, which is the result of one or more events, causing coincident failures in multiple systems or on two or more separate channels in a multiple channel system, leading to system failure. The source of the common cause failure may be either internal or external to the systems affected. Common cause failure can involve the initiating event and one or more safeguards, or the interaction of several safeguards.
Consequences
A measure of the expected effects of an event.
Enabling Event
An event that makes possible another event.
Event
An occurrence involving the process caused by equipment performance or human action, or by an occurrence external to the risk control system.
Final Control Element
A device that manipulates a process variable to achieve control. Examples are: 1. control valve; 2. emergency block valve (EBV); 3. motor starter of a pump.
Frequency
Number of occurrences of an event per unit time.
Hazard Evaluation
The analysis of the significance of hazardous situations associated with a process or activity. Uses qualitative techniques to pinpoint weaknesses in the design and operation of facilities that could lead to accidents, and to judge risk qualitatively.
Impact
The ultimate potential result of a hazardous event. Impact may be expressed in terms of numbers of injuries or fatalities, environmental or property damage, or business interruption.
Independent Protection Layer (IPL)
A device, system, or action that is capable of preventing a scenario from proceeding to the undesired consequence regardless of the initiating event or the action of any other protection layer associated with the scenario. Independent means the performance of the protection layer is not affected by the initiating event and is not affected by failures of other protection layers. The effectiveness and independence of an IPL should be auditable.
Initiating Event
The event that initiates the scenario leading to the undesired consequence.
LOPA
Layer of Protection Analysis: A process (method, system) of evaluating the effectiveness of independent protection layer(s) in reducing the likelihood or severity of an undesirable event.
Logic Solver
The portion of the BPCS or SIS (Safety Instrumented System) that performs state control, i.e., executes logic functions. Logic solvers in the SIS are typically fault-tolerant PLCs (programmable logic controllers); a single central processing unit in the BPCS may perform both continuous process control and state control functions.
Mitigation
The act of causing a consequence to be less severe.
PFD
Probability of failure on demand. The probability that a system will fail to perform a specified function on demand.
PHA
Process hazard analysis. A hazard evaluation of broad scope that identifies and qualitatively analyzes the significance of hazardous situations associated with a process or activity.
Prevention
The act of causing an event not to happen.
Probability
The expression for the likelihood of occurrence of an event or an event sequence during an interval of time or the likelihood of the success or failure of an event on test or on demand. Probability is expressed as a dimensionless number ranging from 0 to 1.
Protection Layer
A device, system, or action that is capable of preventing a scenario from proceeding to the undesired consequence.
Risk
A measure of potential economic loss, human injury or environmental insult in terms of the frequency of the loss or injury occurring and the magnitude of the loss or injury if it occurs.
Risk Analysis
The development of a quantitative estimate of risk based on engineering evaluation and mathematical techniques for combining estimates of initiating event frequency and independent protection layers and consequences. (CCPS 2000a)
Risk Assessment
The process by which the results of an analysis are used to make decisions, either through relative ranking of risk reduction strategies or through comparison with risk targets.
Root Cause
An underlying system-related (the most basic) reason why an incident occurred.
Safeguard
Any device, system or action that either would likely interrupt the chain of events following an initiating event or that would mitigate the consequences. Note: A safeguard may not meet the requirements of an IPL.
Safety Critical Actions
Specific steps humans take that provide layers of protection to lower the risk category of a specific scenario or scenarios from “unacceptable” to “acceptable” as defined by organizational risk tolerance criteria. Sometimes called “administrative control.” Such steps that further reduce the risk below “acceptable” might not be designated as safety critical actions.
Safety Critical Equipment
Engineering controls that provide layers of protection to lower the risk category of a specific scenario or scenarios from “unacceptable” to “acceptable” as defined by organizational risk tolerance criteria. Engineering controls that further reduce the risk below “acceptable” might not be designated as safety critical equipment.
Scenario
An event or sequence of events that results in undesirable consequences.
Sensor
Field measurement system (instrumentation) capable of detecting the condition of a process. For example,
• pressure transmitter;
• level transmitter;
• toxic gas detectors.
SIF
Safety instrumented function. A combination of sensors, logic solver and final elements with a specified safety integrity level that detects an out-of-limit (abnormal) condition and brings the process to a functionally safe state without human intervention, or by initiating a trained operator response to an alarm. The SIF
• protects against a specific hazard,
• performs a specific safety function,
• has a defined range of probability of failure on demand (PFD) related to a specific SIL,
• is independent from other protection or mitigation systems.
SIL
Safety integrity level. A performance criterion for a SIF defining the probability of the SIF failing to perform its function on demand.

Safety Integrity Level (demand mode of operation) | Average Probability of Failure on Demand | Risk Reduction
4 | ≥10⁻⁵ to <10⁻⁴ | >10,000 to ≤100,000
3 | ≥10⁻⁴ to <10⁻³ | >1,000 to ≤10,000
2 | ≥10⁻³ to <10⁻² | >100 to ≤1,000
1 | ≥10⁻² to <10⁻¹ | >10 to ≤100

See IEC 61511, Part 1 for SILs for continuous mode of operation.
SIS
Safety instrumented system. A combination of sensors, logic solver and final elements that performs one or more safety instrumented functions.
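The following is an added worked example, not code from the CCPS book, showing how the glossary definitions fit together in a LOPA calculation: the mitigated scenario frequency is the initiating event frequency multiplied by the PFD of each credited IPL and by any conditional modifiers, the result is compared with the risk tolerance criterion, and the PFD that one additional SIF would need is mapped onto a SIL using the demand-mode table above. All numeric inputs (initiating event frequency, IPL PFDs, the 0.5 occupancy modifier, the tolerable frequency) are constructed for illustration and are not the book's hexane examples; the function names are this example's own.

```python
from math import prod

# Demand-mode SIL bands from the glossary table (IEC 61511-1):
# (SIL, lowest PFDavg in the band inclusive, upper bound exclusive).
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def sil_for_pfd(pfd):
    """Return the SIL whose demand-mode PFDavg band contains `pfd`.

    Returns None when pfd >= 0.1 (not a SIL-rated function, no SIL credit)
    or pfd < 1e-5 (beyond SIL 4, not claimable for a single SIF).
    """
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def risk_reduction_factor(pfd):
    """RRF = 1 / PFD, the right-hand column of the SIL table."""
    return 1.0 / pfd


def mitigated_frequency(f_initiating, ipl_pfds, conditional_modifiers=()):
    """Scenario frequency (per year) after credited IPLs and conditional modifiers.

    f_mitigated = f_I * PFD_1 * ... * PFD_n * p_1 * ... * p_m
    Only layers that satisfy the IPL rules (independent, effective, auditable)
    belong in `ipl_pfds`; a safeguard that fails those rules gets no credit.
    """
    for pfd in ipl_pfds:
        if not 0.0 < pfd < 1.0:
            raise ValueError(f"IPL PFD must lie in (0, 1): {pfd}")
    return f_initiating * prod(ipl_pfds) * prod(conditional_modifiers)


def required_sif_sil(f_mitigated, f_tolerable):
    """SIL needed from ONE additional SIF to meet the risk tolerance criterion.

    Returns (required_pfd, sil):
      (None, None) -> criterion already met, no SIF needed
      (pfd, 1)     -> gap is under one decade; any SIL 1 SIF suffices
      (pfd, 2..4)  -> SIL band that contains the target PFD
      (pfd, None)  -> target PFD below 1e-5: one SIF cannot close the gap,
                      so add another IPL or change the process design
    The SIL only classifies the target; the SIF must still be verified
    (by analysis and test) to achieve that PFD.
    """
    if f_mitigated <= f_tolerable:
        return None, None
    pfd_required = f_tolerable / f_mitigated
    if pfd_required >= 1e-1:
        return pfd_required, 1
    return pfd_required, sil_for_pfd(pfd_required)


if __name__ == "__main__":
    # Constructed illustration (assumed values): a BPCS loop failure at 0.1/yr
    # initiates the scenario; credited IPLs are operator response to an
    # independent alarm (PFD 0.1) and a relief device (PFD 0.01); a 0.5
    # conditional modifier for personnel presence; tolerable frequency 1e-6/yr.
    f_m = mitigated_frequency(0.1, [0.1, 0.01], [0.5])
    pfd, sil = required_sif_sil(f_m, 1e-6)
    print(f"mitigated frequency {f_m:.1e}/yr; SIF target PFD {pfd:.2e} -> SIL {sil}")
```

The boundary handling follows the table literally: a target PFD of exactly 10⁻³ (RRF 1,000) falls in the SIL 2 band, while anything below it requires SIL 3. Values that come out below 10⁻⁵ are reported as unachievable by a single SIF rather than silently rounded to SIL 4, which is the point at which a LOPA team should look for an additional independent layer instead of a higher-rated interlock.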
Validation
The activity of demonstrating that the safety instrumented system under consideration, after installation, meets in all respects the safety requirements specification for that safety instrumented system.
Verification
The activity of demonstrating by analysis and/or test, that, for the specific inputs, the deliverables meet, in all respects, the objectives and requirements set forth by the functional specification.
Index
A
Action tracking, documentation, 236 Active independent protection layer (IPL), 94–95, 96. See also Independent protection layer (IPL) Additional outcomes, scenario frequency determination, 116–118 Adjustments, frequency rates, 72 Advanced topics, 173–190 basic process control system, IPLs and, 173–184 examples hexane storage tank overflow, 183–184 hexane surge tank overflow, 182–183 F/N curve plots, 186–187 focused fault tree/event tree analysis, 189–190 multiple risk summation, 184–186 normal operations as “tests,” 189 operator response issues, 188 Alarms, independent protection layer (IPL), 77 Alternative uses, 163–172 capital improvement planning, 164–165 change management, 165 emergency isolation valve needs, 170–171 emergency response planning, 167 incident investigation, 172 mechanical integrity program/risk-based inspection/risk-based maintenance programs, 166 overpressure protection, design basis for, 167–169 risk-based operator training, 166–167 safety system bypass or removal, 171–172
SIL for SIF determination, 172 siting risks evaluation, 169–170 American Institute of Chemical Engineers (AIChE), xi Assessment, independent protection layer (IPL), 88–90 Auditability independent protection layer (IPL) rules, 88 worked examples, 219–220
B
Basic process control system (BPCS) advanced topics, 173–184 independent protection layer (IPL), 77, 95, 97 Blast walls, independent protection layer (IPL), 78
C
Calculated risk, scenario risk tolerance compared, risk decision making, 133–136 Capital improvement planning, alternative uses, 164–165 Category approach, without human harm, consequence evaluation approaches, 33–36 Cause-consequence pair, LOPA function, 12–13 Center for Chemical Process Safety (CCPS), activities of, xi–xii Change management, alternative uses, 165 Chemical process quantitative risk assessment (CPQRA)
LOPA function, 13, 15 LOPA limitations, 25 Community emergency response independent protection layer (IPL), 78–79 risk decision making, 132 Component failure data, LOPA implementation, 154 Conditional modifiers documentation, 234 worked examples, 215–216 Consequence and severity estimation, 31–42 consequence endpoints, 31–32 consequence evaluation approaches, 32–40 category approach without human harm, 33–36 qualitative estimates with human harm, 36 qualitative estimates with human harm with adjustments for postrelease probabilities, 36, 38 quantitative estimates with human harm, 38–40 examples, 40–42 hexane storage tank overflow, 41–42 hexane surge tank overflow, 40–41 Consequence data documentation, 231–233 LOPA implementation, 153–154 Consequence endpoints, consequence and severity estimation, 31–32 Consequence evaluation approaches, 32–40 category approach without human harm, 33–36 qualitative estimates with human harm, 36 qualitative estimates with human harm with adjustments for postrelease probabilities, 36, 38 quantitative estimates with human harm, 38–40 Cost-benefit analysis, risk decision making, 132, 137 Cumulative risk criteria, scenario risk criteria compared, risk decision making, 139–140 Current practices, LOPA implementation, 152–153
D
Data requirements, LOPA implementation, 153–155 Decision making. See Risk decision making Deluges, independent protection layer (IPL), 101 Design modifications, worked examples, 229–230 Dikes, independent protection layer (IPL), 78 Documentation action tracking and, 236
conditional modifiers, 234 enabling events/conditions, 234 independent protection layer (IPL), 234 LOPA steps, 16–24 LOPA study, 231–236 consequence, 231–233 initiating event, 233 risk tolerance, 233 mitigated consequence frequency, 235 risk tolerance criteria, 235 safeguard, 234–235 scenario development, 49–52 unmitigated consequence frequency, 234 uses of, 236
E
Effectiveness independent protection layer (IPL) rules, 80–81 worked examples, 216–218 Emergency isolation valve needs, alternative uses, 170–171 Emergency response community, 78–79 planning for, alternative uses, 167 plant, 78 Enabling events/conditions documentation, 234 initiating event identification, 67–68 worked examples, 215 Equipment-related initiating event, identification of, 64–65 Event tree/focused fault tree analysis, advanced topics, 189–190 Expert judgment, risk decision making, 137 External initiating event, identification of, 64
F
Facility siting risks evaluation, alternative uses, 169–170 Failure rate data initiating events derived from, frequency estimation, 70 selection of, frequency estimation, 69–70 sources of, frequency estimation, 68–69 Failure rate expression, initiating event identification, 73 Firefighting systems, independent protection layer (IPL), 101 F/N curve plots, advanced topics, 186–187 Foam systems, independent protection layer (IPL), 101 Focused fault tree/event tree analysis, advanced topics, 189–190 Frequency estimation (initiating event identification), 68–73. See also Scenario frequency determination adjustments, 72
failure rate data sources, 68–69 failure rate selection, 69–70 high demand mode, 73 initiating events derived from failure data, 70 LOPA use, 70, 71 time at risk, 70, 72
H
Hazard and operability study (HAZOP) LOPA implementation, 24, 153 LOPA limitations, 25 scenario development, 52–59 scenario identification, 47–48 Hazard evaluations, scenario identification, 47–48 Hexane storage tank overflow (continuing example) advanced topics, 183–184 consequence and severity estimation, 41–42 example introduced, 28–30 independent protection layer (IPL), 111–113 summary sheets, 106–109 initiating event identification, 74 risk decision making, 141–147 scenario development, 61–62 HAZOP, 52–59 scenario frequency determination, 126–127, 129–130 summary sheets for, 191–210 Hexane surge tank overflow (continuing example) advanced topics, 182–183 consequence and severity estimation, 40–41 example introduced, 27–28 independent protection layer (IPL), 109–111 summary sheets, 106–109 initiating event identification, 73 risk decision making, 140–141, 142, 144 scenario development, 59–60 HAZOP, 52–59 scenario frequency determination, 125–126, 128–129 summary sheets for, 191–210 High demand mode calculations for, 247–250 frequency estimation, 73 scenario frequency determination, 121–122 Human error rates, LOPA implementation, 154–155 Human failure-related initiating event, identification of, 65 Human harm qualitative estimates with adjusted for postrelease probabilities, consequence evaluation approaches, 36, 38 consequence evaluation approaches, 36
quantitative estimates with, consequence evaluation approaches, 38–40 Human intervention alarms and, independent protection layer (IPL), 77 design modification, worked examples, 230 independent protection layer (IPL), 103–104 operator response issues, advanced topics, 188
I
Implementation, 151–162 current practices, 152–153 data requirements, 153–155 component failure data, 154 consequence data, 153–154 human error rates, 154–155 incident data, 155 hazard and operability study (HAZOP), 24 IPL audits, 155 readiness evaluation, 151–152 risk tolerance criteria, 156–158 tasks in, 158–162 LOPA guidance document, 160 pilot tests, 161 risk tolerance criteria documentation, 158–159 software, 162 step-by-step procedure, 160–161 training requirements, 162 timing in use of, 158 Incident data, LOPA implementation, 155 Incident investigation, alternative uses, 172 Independence independent protection layer (IPL) rules, 81–88 worked examples, 218–219 Independent protection layer (IPL) advanced topics, basic process control system, IPLs and, 173–184 alarms and intervention, 77 assessment, 88–90 PFD value, 89–90 safeguard/IPL, 88–89 audits of, LOPA implementation, 156 credit requirements, calculated risk/scenario risk tolerance compared, 136, 139, 144–147 defined, 75 documentation, 234 effectiveness of, 76 emergency response community, 78–79 plant, 78 examples, 90–104
active, 94–95, 96 basic process control system (BPCS), 95, 97 human intervention, 103–104 instrumented systems, 95 mitigating systems, 101 passive, 91–94 pressure relief devices, 101–102 safety instrumented system (SIS), 98–100 vendor installed safeguards, 101 examples (continuing), 106–113 hexane storage tank overflow, 111–113 hexane surge tank overflow, 109–111 summary sheets, 106–109 LOPA, 6, 12 physical protection, 78 postrelease protection, 78 preventive/mitigation IPLs compared, 104–106 process control systems, 77 process design, 76–77 rules, 80–88 auditability, 88 effectiveness, 80–81 independence, 81–88 safety instrumented function (SIF), 78 scenario components, 44, 45, 46 scenario development, 49 worked examples, 216–220 Initiating event, documentation, 233 Initiating event identification, 63–74 examples, 73–74 hexane storage tank overflow, 74 hexane surge tank overflow, 73 expression of events, 63 failure rate expression, 73 frequency estimation, 68–73 adjustments, 72 failure rate data sources, 68–69 failure rate selection, 69–70 high demand mode, 73 initiating events derived from failure data, 70 LOPA use, 70, 72 time at risk, 70, 72 limitations, 74 types of events, 63–68 enabling events/conditions, 67–68 equipment-related, 64–65 external, 64 human failure-related, 65 verification, 66–67 worked examples, 215 Instrumented independent protection layer (IPL), 95. See also Independent protection layer (IPL) Integer logarithms, scenario frequency determination, 124, 128–130
Interlock. See Safety instrumented function (SIF)
J
Judgment, risk decision making, 137
L
Layer of protection analysis (LOPA) advanced topics, 173–190 (See also Advanced topics) alternative uses of, 163–172 (See also Alternative uses) benefits of, 26–27 consequence and severity estimation, 31–42 (See also Consequence and severity estimation) defined, 1, 11–12 examples hexane storage tank overflow, 28–30 hexane surge tank overflow, 27–28 function of, 12–14 historical perspective on, 2–5 implementation of, 24, 151–162 (See also Implementation) initiating event identification, 63–74 (See also Initiating event identification) limitations of, 24–25 professionals interested in, 1–2 related literature, 7–8, 237–241 risk decision making, 131–150 (See also Risk decision making) scenario development, 43–62 (See also Scenario development) steps and documentation for, 16–24 study documentation, 231–236 (See also Documentation) timing of use, 14–16 use in process life cycle, 5–6 worked examples, 211–230 (See also Worked examples) Look-up table, scenario frequency determination, 122–124 Loop failure concepts, basic process control system, IPLs and, 175–176
M
Management, risk decision making, 132–133 Management of change, alternative uses, 165 Matrix method, calculated risk/scenario risk tolerance compared, 134, 135, 137–138, 140–142 Mechanical integrity program, alternative uses, 166 Mitigated consequence frequency documentation, 235 worked examples, 220 Mitigating systems, independent protection layer (IPL), 101
Mitigation independent protection layer (IPL), preventive IPL compared, 104–106. See also Independent protection layer (IPL) Multiple risk summation, advanced topics, 184–186 Multiple scenarios, scenario frequency determination, 119–121
N
Numerical criteria method, calculated risk/scenario risk tolerance compared, 134, 136, 138, 142–144
O
Operator response issues, advanced topics, 188 Overpressure protection, design basis for, alternative uses, 167–169
P
Passive independent protection layer (IPL), 91–94. See also Independent protection layer (IPL) Physical protection, independent protection layer (IPL), 78 Pilot tests, LOPA implementation, 161 Plant emergency response, independent protection layer (IPL), 78 Postrelease protection, independent protection layer (IPL), 78 Pressure relief devices design modification, worked examples, 229 independent protection layer (IPL), 101–102 Preventive independent protection layer (IPL), mitigation IPL compared, 104–106. See also Independent protection layer (IPL) Probability of failure on demand (PFD) IPL assessment, 89–90 LOPA, 3 Process control systems, independent protection layer (IPL), 77 Process design, independent protection layer (IPL), 76–77 Process hazard analysis (PHAs), LOPA use, 6 Process life cycle, LOPA use in, 5–6
Q
Qualitative estimates with human harm, consequence evaluation approaches, 36 with human harm with adjustments for postrelease probabilities, consequence evaluation approaches, 36, 38 Quantitative calculations, scenario frequency determination, 115–122. See also Scenario frequency determination
Quantitative estimates, with human harm, consequence evaluation approaches, 38–40
R
Readiness evaluation, implementation, 151–152 Regulatory compliance, LOPA, 2 Relief valves, independent protection layer (IPL), 78 Risk-based inspection/risk-based maintenance programs, alternative uses, 166 Risk-based operator training, alternative uses, 166–167 Risk calculation, scenario frequency determination, 118–119 Risk decision making, 131–150 calculated risk/scenario risk tolerance compared, 133–136 IPL credits, 136 matrix method, 134, 135 numerical criteria method, 134, 136 cost-benefit analysis, 137 criteria in, 131–133 cumulative risk criteria/scenario risk criteria compared, 139–140 examples, 140–147 hexane storage tank overflow, 141–147 hexane surge tank overflow, 140–141, 142, 144 expert judgment, 137 limitations, 148–149 methods compared, 137–139 Risk/frequency calculation. See Scenario frequency determination Risk tolerance criteria data on, 243–245 documentation, 233, 235 LOPA implementation, 158–159 LOPA implementation, 156–158 worked examples, 214–215, 220 Root cause, defined, 63–64 Rupture discs, independent protection layer (IPL), 78
S
Safeguards documentation, 234–235 independent protection layer (IPL) contrasted, 75–76 IPL assessment, 88–89 vendor installed, independent protection layer (IPL), 101 worked examples, 220 Safety instrumented function (SIF) design modification, worked examples, 229–230
independent protection layer (IPL), 78 LOPA, 2, 3, 172 Safety instrumented system (SIS), independent protection layer (IPL), 98–100 Safety integrity level (SIL), LOPA use, 6, 172 Safety system bypass or removal, alternative uses, 171–172 Scenario development, 43–62 components of, 43–46 examples, 52–62 HAZOP, 52–59 hexane storage tank overflow, 61–62 hexane surge tank overflow, 59–60 identification of scenario, 47–48 steps in, 49–52 Scenario frequency determination, 115–130 examples, 125–130 hexane storage tank overflow, 126–127, 129–130 hexane surge tank overflow, 125–126, 128–129 integer logarithms, 124 look-up table, 122–124 quantitative calculations, 115–122 additional outcomes, 116–118 general calculation, 115–116 high initiating event frequency, 121–122 multiple scenarios, 119–121 risk calculation, 118–119 Scenario risk criteria, cumulative risk criteria compared, risk decision making, 139–140 Scenario risk tolerance, calculated risk compared, risk decision making, 133–136 Siting risks evaluation, alternative uses, 169–170 Software, LOPA implementation, 162 Sprays, independent protection layer (IPL), 101
T
Time at risk, frequency estimation, 70, 72 Training LOPA implementation, 162 risk-based operator training, alternative uses, 166–167
U
Unmitigated consequence frequency documentation, 234 worked examples, 216
V
Vendor installed safeguards, independent protection layer (IPL), 101 Vent valve SIF system, design modification, worked examples, 229–230 Verification, initiating event identification, 66–67
W
What-If review LOPA implementation, 24 LOPA limitations, 25 Worked examples, 211–230 design modifications, 229–230 independent protection layer (IPL), 216–220 mitigated consequence frequency, 220 problem description, 212 problem discussion, 212–228 conditional modifiers, 215–216 consequence, 214 enabling event, 215 initiating event, 215 risk tolerance criteria, 214–215 unmitigated consequence frequency, 216 risk tolerance criteria, 220 safeguards, 220 tables, 221–228