Safety LOPA

HAZARD IDENTIFICATION
1. Check lists
2. Dow Relative Ranking
3. HAZOP - Hazard and Operability
LAYER OF PROTECTION ANALYSIS
1. Express risk target quantitatively
2. Determine risk for system
3. Reduce risk to meet target
HAZARD ASSESSMENT
- Fault Tree
- Event Tree
- Consequence analysis
- Human Error Analysis
ACTIONS TO ELIMINATE OR MITIGATE
- Apply all engineering sciences
Semi-quantitative analysis
to give order-of-magnitude
estimate
We will use our group skills
and knowledge of safety
layers in applications.
More
accurate
ACHIEVING ACCEPTABLE RISK
Level of Protection Analysis
FAR: Fatal Accident Rate - This is the number of
fatalities occurring during 1000 working lifetimes (10
8

hours). This is used in the U.K.

Fatality Rate = FAR * (hours worked) / 10
8

OSHA Incidence Rate - This is the number of illnesses
and injuries for 100 work-years. This is used in the USA.
Safety Layer of Protection Analysis
Activity FAR
Chemical Industry 4
Steel Industry 8
Coal Mining 40
Construction 67
Uranium 70
Asbestos (old data?) 620
Staying home 3
Traveling by automobile 57
Traveling by airplane 240
Cigarette smoking ???
What is the fatality rate/year for the chemical industry?
What is FAR for cigarette
smoking?
FAR Data for typical Activities
One standard used is to maintain the risk for
involuntary activities less (much less?) than
typical risks such as staying home
- Results in rules, such as fatality rate < 10
-6
/year
- See Wells (1996) Table 9.4
- Remember that many risks exist (total risk is sum)
Are current risks accepted or merely tolerated?
We must consider the inaccuracies of the
estimates
We must consider people outside of the
manufacturing site.
People usually distinguish between voluntary and
involuntary risk. They often accept higher risk
for voluntary activities (rock climbing).
People consider the number of fatalities per
accident
Fatalities = (frequency) (fatalities/accident)
.001 = (.001) (1) fatalities/time period
.001 = (.0000001)(100,000) fatalities/time period
We need to consider frequency and consequence
1.00E-09
1.00E-08
1.00E-07
1 10
100
Deaths per event, N
P
r
o
b
a
b
i
l
i
t
y

o
r

F
r
e
q
u
e
n
c
y
,

F

(
e
v
e
n
t
s
/
y
e
a
r
)

Acceptable risk
Unacceptable risk
The design must be enhanced to reduce the likelihood of death (or
serious damage) and/or to mitigate the effects.
The decision can be presented in a F-N plot similar to the one below.
(The coordinate values here are not standard; they must be selected by the professional.)
2. Determine the risk for system
In Level of Protection Analysis (LOPA), we assume
that the probability of each element in the system
functioning (or failing) is independent of all other
elements.
We consider the probability of the initiating event
(root cause) occurring
We consider the probability that every independent
protection layer (IPL) will prevent the cause or
satisfactorily mitigate the effect
I
P
L
1
Initiating
event, X
I
P
L
2
I
P
L
3
Unsafe,
Y1
Unsafe,
Y2
- -
I
P
L
n
Unsafe,
Yn
Safe/
tolerable
unsafe
X is the probability of the
event
Yi is the probability of
failure on demand (PFD)
for each IPL
Recall that
the events
are
considered
independent
The probability that the unsafe consequence will
occur is the product of the individual probabilities.
|
|
.
|
\
|
=
[
=
n
i
i e consequenc
Y X P
1
) (
I
P
L
1
Initiating
event, X
I
P
L
2
I
P
L
3
Unsafe,
Y1
Unsafe,
Y2
I
P
L
n
Safe/
tolerable
unsafe

How do we determine the initiating
events?
How do we determine the
probability of the initiating event, X
How do we determine the
probability that each IPL will
function successfully?
How do we determine the target
level for the system?
HAZOP
Company, industry
experience
Company, industry
experience
F-N plot, depends
on consequence
Some typical protection layer Probability of Failure on
Demand (PFD)
BPCS control loop = 0.10
Operator response to alarm = 0.10
Relief safety valve = 0.001
Vessel failure at maximum design pressure = 10
-4
or better
(lower)
Source: A. Frederickson, Layer of Protection Analysis, www.safetyusersgroup.com, May 2006
Often, credit is taken for good design and maintenance
procedures.
Proper materials of construction (reduce corrosion)
Proper equipment specification (pumps, etc.)
Good maintenance (monitor for corrosion, test
safety systems periodically, train personnel on
proper responses, etc.)
A typical value is PFD = 0.10
3. Reduce the risk to achieve the target
The general approach is to
Set the target frequency for an event leading to an
unsafe situation (based on F-N plot)
Calculate the frequency for a proposed design
If the frequency for the design is too high, reduce it
- The first approach is often to introduce or enhance
the safety interlock system (SIS) system
Continue with improvements until the target
frequency has been achieved
Process examples
The Layer of Protection Analysis (LOPA) is performed using a
standard table for data entry.
Likelihood = X Probability of failure on
demand = Yi
Mitigated likelihood = (X)(Y1)(Y 2) -- (Yn)

4 5 6 7 8 1 2 3
Protection Layers
9 10
# Initial
Event
Description
Initiating
cause
Cause
likelihood
Process
design
BPCS Alarm SIS Additional
mitigation
(safety valves,
dykes, restricted
access, etc.)
Mitigated
event
likelihood
Notes

Feed

Methane
Ethane (LK)
Propane
Butane
Pentane
Vapor
product
Liquid
product
Process
fluid
Steam
FC-1
F2 F3
T1
T2
T3
T5
TC-6 PC-1
LC-1
AC-1
L. Key
Split range
PAH
LAL
LAH
cascade
Class Exercise 1: Flash drum for rough component separation for this
proposed design.
Process examples

4 5 6 7 8 1 2 3
Protection Layers
9 10
# Initial
Event
Description
Initiating
cause
Cause
likelihood
Process
design
mitigation
(safety valves,
dykes,
restricted
access, etc.)
Mitigated
event
likelihood
Notes
1

High
pressure
Connection
(tap) for
pressure
sensor P1
becomes
plugged
Pressure sensor
does not
measure the
drum pressure

Class Exercise 1: Flash drum for rough component separation.
Complete the table with your best estimates of values.
Assume that the target mitigated likelihood = 10
-5
event/year
Process examples
Class Exercise 1: Some observations about the design.
The drum pressure controller uses only one sensor; when
it fails, the pressure is not controlled.
The same sensor is used for control and alarming.
Therefore, the alarm provides no additional protection
for this initiating cause.
No safety valve is provided (which is a serious design
flaw).
No SIS is provided for the system. (No SIS would be
provided for a typical design.)
Process examples
Class Exercise 1: Solution using initial design and typical published values.

4 5 6 7 8 1 2 3
Protection Layers
9 10
# Initial
Event
Description
Initiating
cause
Cause
likelihood
Process
design
mitigation
(safety valves,
dykes,
restricted
access, etc.)
Mitigated
event
likelihood
Notes
1

High
pressure
Connection
(tap) for
pressure
sensor P1
becomes
plugged
0.10 0.10 1. 1.0 1.0 1.0 .01 Pressure sensor
does not
measure the
drum pressure

Much too high! We must make improvements to the design.
Process examples

4 5 6 7 8 1 2 3
Protection Layers
9 10
# Initial
Event
Description
Initiating
cause
Cause
likelihood
Process
design
mitigation
(safety valves,
dykes,
restricted
access, etc.)
Mitigated
event
likelihood
Notes
1

High
pressure
Connection
(tap) for
pressure
sensor P1
becomes
plugged
0.10 0.10 1.0 0.10 1.0 PRV 0.01

.00001 Pressure sensor
does not
measure the
drum pressure

The PRV must
exhaust to a
separation
(knock-out)
drum and fuel or
flare system.

Class Exercise 1: Solution using enhanced design and typical published values.
Enhanced design includes
separate P sensor for alarm
and a pressure relief valve.
Sketch on process drawing.
The enhanced design achieves
the target mitigated
likelihood.
Verify table entries.
Process examples
Feed

Methane
Ethane (LK)
Propane
Butane
Pentane
Vapor
product
Liquid
product
Process
fluid
Steam
FC-1
F2 F3
T1
T2
T3
T5
TC-6 PC-1
LC-1
AC-1
L. Key
Split range
LAL
LAH
cascade
P-2
PAH
Class Exercise 1: Solution.
Process examples
Process examples
Class Exercise 1: Each IPL must be independent.
For the solution in the LOPA table and process sketch,
describe some situations (equipment faults) in which the
independent layers of protection are
- Independent
- Dependent
For each situation in which the IPLs are dependent, suggest
a design improvement that would remove the common
cause fault, so that the LOPA analysis in the table would be
correct.
Hints: Consider faults such as power supply,
signal transmission, computing, and actuation
Approaches to reducing risk
The most common are BPCS, Alarms and Pressure
relief. They are typically provided in the base design.
The next most common is SIS, which requires careful
design and continuing maintenance
The probability of failure on demand for an SIS
depends on its design. Duplicated equipment (e.g.,
sensors, valves, transmission lines) can improve the
performance
A very reliable method is to design an inherently
safe process, but these concepts should be applied in
the base case
The safety interlock system (SIS) must use independent
sensor, calculation, and final element to be independent!
We desire an SIS that functions when a fault has
occurred and does not function when the fault has not
occurred.
SIS performance improves with the use of redundant
elements; however, the systems become complex,
requiring high capital cost and extensive ongoing
maintenance.
Use LOPA to determine the required PFD; then, design
the SIS to achieve the required PFD.
Safety Integrity
Level (SIL)
Probability of
Failure on Demand
SIL-1 0.10 to 0.001
SIL-2 0.01 to 0.001
SIL-3 0.001 to 0.0001
SIL-4 Less than 0.0001
Performance for the four SILs levels for a safety interlock
system (SIS)
1 out of 1
must indicate
failure
T100
s
2 out of 3
must indicate
failure
T100
T101
T102
Same variable,
multiple sensors!
s
False
shutdown
Failure
on
demand
5 x 10
-3
5 x 10
-3

2.5 x 10
-6
2.5 x 10
-6

Better
performance,
more expensive
Two common designs for a safety interlock system (SIS)
Process examples
Class Exercise 2: Fired heater to increase streams temperature.
FT
1
FT
2
PT
1
PIC
1
AT
1
TI
1
TI
2
TI
3
TI
4
PI
2
PI
3
PI
4
TI
5
TI
6
TI
7
TI
8
TI
9
FI
3
TI
10
TI
11
PI
5
PI
6
air Fuel gas
feed
Flue gas

4 5 6 7 8 1 2 3
Protection Layers
9 10
# Initial
Event
Description
Initiating
cause
Cause
likelihood
Process
design
mitigation
(safety valves,
dykes,
restricted
access, etc.)
Mitigated
event
likelihood
Notes
1

Combustibles
in stack, fire
or explosion
Limited air
supply
because air
blower
reaches
maximum
power
All equipment is
functioning
properly in this
scenario. The
feed rate is very
high, beyond its
design value.

Process examples
Class Exercise 2: Fired heater to increase streams temperature.
References

Dowell, A. and D. Hendershoot, Simplified Risk Analysis - Layer of Protection Analysis, AIChE National Meeting, Indianapolis, Paper
281a, Nov. 3-8, 2002

Dowell, A. and T. Williams, Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data, Process Safety
Progress, 24, 1, 38-44 (March 2005).

Frederickson A., Layer of Protection Analysis, www.safetyusersgroup.com, May 2006

Gulland, W., Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons,
http://www.chemicalprocessing.com/whitepapers/2005/006.html

Haight, J. and V. Kecojevic, Automation vs. Human Intervantion: What is the Best Fit for the Best Performance?, Process Safety
Progress, 24, 1, 45-51 (March 2005)

Melhem, G. and P. Stickles, How Much Safety is Enough, Hydrocarbon Processing, 1999

Wiegernick, J., Introduction to the Risk-Based Design of Safety Instrumented Systems for the Process Industries, Seventh International
Conference on Control, Automation, Robotics and Vision, Singapore, Dec. 2002.


Safety LOPA

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Safety LOPA

Uploaded by

Copyright:

Available Formats

HAZARD IDENTIFICATION

You might also like