
ACHIEVING ACCEPTABLE RISK

Layer of Protection Analysis

• HAZARD IDENTIFICATION
  1. Check lists
  2. Dow Relative Ranking
  3. HAZOP - Hazard and Operability

• LAYER OF PROTECTION ANALYSIS
  1. Express risk target quantitatively
  2. Determine risk for system
  3. Reduce risk to meet target

• HAZARD ASSESSMENT (semi-quantitative; gives a more accurate order-of-magnitude estimate)
  - Fault Tree
  - Event Tree analysis
  - Consequence analysis
  - Human Error Analysis

• ACTIONS TO ELIMINATE OR MITIGATE
  - Apply all engineering sciences

We will use our group skills and knowledge of safety layers in
Safety Layer of Protection Analysis
1. Express risk target quantitatively

• FAR: Fatal Accident Rate - This is the number of fatalities occurring during 1000 working lifetimes (10^8 hours). This is used in the U.K.

• Fatality Rate = FAR * (hours worked) / 10^8

• OSHA Incidence Rate - This is the number of illnesses and injuries for 100 work-years. This is used in the USA.
FAR Data for typical Activities

Activity                    FAR
Chemical Industry             4
Steel Industry                8
Coal Mining                  40
Construction                 67
Uranium                      70
Asbestos (old data?)        620

Staying home                  3
Traveling by automobile      57
Traveling by airplane       240
Cigarette smoking           ???

What is FAR for cigarette smoking?
What is the fatality rate/year for the chemical industry?
• One standard used is to maintain the risk for involuntary activities less (much less?) than typical risks such as “staying home”
  - Results in rules, such as fatality rate < 10^-6 /year
  - See Wells (1996) Table 9.4
  - Remember that many risks exist (total risk is sum)

• Are current risks accepted or merely tolerated?

• We must consider the inaccuracies of the estimates.

• We must consider people outside of the manufacturing site.
• People usually distinguish between voluntary and involuntary risk. They often accept higher risk for voluntary activities (rock climbing).

• People consider the number of fatalities per accident

  Fatalities = (frequency) (fatalities/accident)
  .001 = (.001) (1) fatalities/time period
  .001 = (.0000001)(100,000) fatalities/time period

We need to consider frequency and consequence.
The decision can be presented in an F-N plot similar to the one below.
(The coordinate values here are not “standard”; they must be selected by the professional.)

[F-N plot: vertical axis “Probability or Frequency, F (events/year)” with ticks 1.00E-07, 1.00E-08, 1.00E-09; horizontal axis “Deaths per event, N” with ticks 1, 10, 100. The upper region is labelled “Unacceptable risk” and the lower region “Acceptable risk”.]

The design must be enhanced to reduce the likelihood of death (or serious damage) and/or to mitigate the effects.
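The risk-target step above as code, added here as an example and not part of the original slides: the FAR conversion from the slide formula, the frequency x consequence product, and an F-N acceptability check. It assumes 2000 exposure hours per year and takes the F-N boundary to be F_limit(N) = 1e-7 / N, which passes through the plot's tick marks but is an assumption, not a standard criterion.

```python
HOURS_PER_1000_LIFETIMES = 1e8   # FAR basis on the slide: 1000 working lifetimes

# FAR values copied from the slide's table (fatalities per 10^8 exposure hours)
FAR = {"chemical industry": 4, "steel industry": 8, "coal mining": 40, "construction": 67}

def fatality_rate_per_year(far: float, hours_per_year: float = 2000.0) -> float:
    """Slide formula: Fatality Rate = FAR * (hours worked) / 10^8.
    2000 exposure hours per year is an assumption, not a value from the slides."""
    return far * hours_per_year / HOURS_PER_1000_LIFETIMES

def meets_involuntary_target(rate_per_year: float, target: float = 1e-6) -> bool:
    """Rule quoted on the slide for involuntary risk: fatality rate < 10^-6 / year."""
    return rate_per_year < target

def expected_fatalities(frequency: float, fatalities_per_accident: float) -> float:
    """Fatalities per time period = (frequency) x (fatalities/accident)."""
    return frequency * fatalities_per_accident

def fn_limit(deaths_per_event: int, f_at_one_death: float = 1e-7) -> float:
    """Assumed F-N boundary through the plot's tick marks: 1e-7 events/year at N = 1,
    1e-8 at N = 10, 1e-9 at N = 100, i.e. F_limit(N) = f_at_one_death / N.
    The slide says these coordinates are chosen by the professional; this line is an assumption."""
    return f_at_one_death / deaths_per_event

def fn_acceptable(frequency: float, deaths_per_event: int) -> bool:
    """True when the (F, N) point lies in the "Acceptable risk" region below the boundary."""
    return frequency < fn_limit(deaths_per_event)

def reduction_factor_needed(frequency: float, deaths_per_event: int) -> float:
    """Factor by which the event frequency must be cut to reach the boundary (1.0 = none);
    this is what step 3, reducing the risk, has to deliver."""
    return max(1.0, frequency / fn_limit(deaths_per_event))

if __name__ == "__main__":
    for activity, far in FAR.items():
        rate = fatality_rate_per_year(far)
        print(f"{activity}: {rate:.1e} fatalities/year, below 1e-6: {meets_involuntary_target(rate)}")
    # constructed scenario: an event at 1e-6 /year that would cause 10 deaths
    print("acceptable:", fn_acceptable(1e-6, 10), " reduce frequency by:", reduction_factor_needed(1e-6, 10))
```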
2. Determine the risk for system

• In Layer of Protection Analysis (LOPA), we assume that the probability of each element in the system functioning (or failing) is independent of all other elements.
• We consider the probability of the initiating event (root cause) occurring.
• We consider the probability that every independent protection layer (IPL) will prevent the cause or satisfactorily mitigate the effect.
X is the probability of the initiating event; Yi is the probability of unsafe failure on demand (PFD) for each IPL.

[Diagram: the initiating event X enters IPL 1. Each IPL either stops the event, giving the outcome “Safe/tolerable”, or fails on demand with probability Yi and passes the event on to the next layer (IPL 2, IPL 3, …, IPL n); failure of the last layer gives the outcome “Unsafe”.]

Recall that the events are considered independent.

The probability that the unsafe consequence will occur is the product of the individual probabilities.

$P_{consequence} = X \prod_{i=1}^{n} Y_i$
• How do we determine the initiating events?
  HAZOP
• How do we determine the probability of the initiating event, X?
  Company, industry experience
• How do we determine the probability that each IPL will function successfully?
  Company, industry experience
• How do we determine the target level for the system?
  F-N plot, depends on consequence
Some typical protection layer Probability of Failure on Demand (PFD)
• BPCS control loop = 0.10
• Operator response to alarm = 0.10
• Relief safety valve = 0.001
• Vessel failure at maximum design pressure = 10^-4 or better (lower)

Source: A. Frederickson, Layer of Protection Analysis, www.safetyusersgroup.com, May 2006

Often, credit is taken for good design and maintenance procedures.
• Proper materials of construction (reduce corrosion)
• Proper equipment specification (pumps, etc.)
• Good maintenance (monitor for corrosion, test safety systems periodically, train personnel on proper responses, etc.)

A typical value is PFD = 0.10

3. Reduce the risk to achieve the target

The general approach is to
• Set the target frequency for an event leading to an unsafe situation (based on F-N plot)
• Calculate the frequency for a proposed design
• If the frequency for the design is too high, reduce it
  - The first approach is often to introduce or enhance the safety interlock system (SIS)
• Continue with improvements until the target frequency has been achieved
Process examples

The Layer of Protection Analysis (LOPA) is performed using a standard table for data entry.

Column headings of the LOPA table, in order (the group headed “Protection Layers” covers process design, BPCS, alarm, SIS and additional mitigation):
  #
  Initial event description
  Initiating cause
  Cause likelihood
  Process design
  BPCS
  Alarm
  SIS
  Additional mitigation (safety valves, dykes, restricted access, etc.)
  Mitigated event likelihood
  Notes

Cause likelihood = X
For each protection layer, the entry is its probability of failure on demand = Yi

Mitigated likelihood = (X)(Y1)(Y2) ··· (Yn)
Class Exercise 1: Flash drum for “rough” component separation for this proposed design.

[Process drawing: a flash drum fed with methane, ethane (the light key, LK), propane, butane and pentane. The drawing shows feed preheat with process fluid and steam under split-range temperature control TC-6 in cascade, pressure control PC-1 on the vapor product with a high-pressure alarm PAH, level control LC-1 on the liquid product with alarms LAL and LAH, flow control FC-1, an analyzer controller AC-1 (light key) on the liquid product, temperature points T1 to T5 and flow points F2 and F3.]
Class Exercise 1: Flash drum for “rough” component separation.
Complete the table with your best estimates of values.

Row 1 of the LOPA table (cause likelihood, protection layer and mitigated likelihood columns are blank for the class to complete):
  #                            1
  Initial event description    High pressure
  Initiating cause             Connection (tap) for pressure sensor P1 becomes plugged
  Notes                        Pressure sensor does not measure the drum pressure

Assume that the target mitigated likelihood = 10^-5 event/year
Class Exercise 1: Some observations about the design.

• The drum pressure controller uses only one sensor; when it fails, the pressure is not controlled.
• The same sensor is used for control and alarming. Therefore, the alarm provides no additional protection for this initiating cause.
• No safety valve is provided (which is a serious design flaw).
• No SIS is provided for the system. (No SIS would be provided for a typical design.)
Class Exercise 1: Solution using initial design and typical published values.

Row 1 of the LOPA table:
  #                            1
  Initial event description    High pressure
  Initiating cause             Connection (tap) for pressure sensor P1 becomes plugged
  Cause likelihood             0.10
  Process design               0.10
  BPCS                         1.0
  Alarm                        1.0
  SIS                          1.0
  Additional mitigation        1.0
  Mitigated event likelihood   .01
  Notes                        Pressure sensor does not measure the drum pressure

Much too high! We must make improvements to the design.
Class Exercise 1: Solution using enhanced design and typical published values.

Row 1 of the LOPA table:
  #                            1
  Initial event description    High pressure
  Initiating cause             Connection (tap) for pressure sensor P1 becomes plugged
  Cause likelihood             0.10
  Process design               0.10
  BPCS                         1.0
  Alarm                        0.10
  SIS                          1.0
  Additional mitigation        PRV, 0.01
  Mitigated event likelihood   .00001
  Notes                        Pressure sensor does not measure the drum pressure. The PRV must exhaust to a separation (knock-out) drum and fuel or flare system.

Enhanced design includes separate P sensor for alarm and a pressure relief valve. Sketch on process drawing.

The enhanced design achieves the target mitigated likelihood. Verify table entries.
Class Exercise 1: Solution.

[Process drawing of the solution: the flash drum of the proposed design with the high-pressure alarm PAH now driven by a separate pressure sensor P-2; other tags as in the proposed design (TC-6 cascade/split range, PC-1, LC-1, LAL, LAH, FC-1, AC-1, T1 to T5, F2, F3, vapor product, liquid product, process fluid, steam, light key).]
Class Exercise 1: Each IPL must be independent.

For the solution in the LOPA table and process sketch, describe some situations (equipment faults) in which the independent layers of protection are
- Independent
- Dependent
Hints: Consider faults such as power supply, signal transmission, computing, and actuation.

For each situation in which the IPLs are dependent, suggest a design improvement that would remove the common cause fault, so that the LOPA analysis in the table would be correct.
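The LOPA table arithmetic for Class Exercise 1 (initial and enhanced designs against the 10^-5 event/year target), plus the independence check the exercise above asks for, as an added example that is not part of the original slides. The PFD values are those in the solution tables; the support-system labels (P-2 transmitter, DCS, instrument power) and the hypothetical SIS row used to show a dependent pair of layers are assumptions.

```python
from dataclasses import dataclass
from math import prod

TARGET = 1e-5   # event/year, the target given in the exercise

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float                       # probability of failure on demand; 1.0 = no credit taken
    needs: frozenset = frozenset()   # support systems the layer relies on (assumed labels)

@dataclass
class Scenario:
    x: float        # initiating cause likelihood, events/year
    layers: list    # one Layer per protection-layer column of the table

    def mitigated_likelihood(self) -> float:
        """Slide formula (X)(Y1)(Y2)...(Yn); only valid when the IPLs are independent."""
        return self.x * prod(layer.pfd for layer in self.layers)

    def meets_target(self, target: float = TARGET) -> bool:
        return self.mitigated_likelihood() <= target * (1 + 1e-9)   # tolerance for float rounding

    def shared_support(self) -> dict:
        """Support systems needed by two or more credited layers (pfd < 1). A fault there
        defeats several layers at once, so the product formula overstates the protection."""
        credited = [l for l in self.layers if l.pfd < 1.0]
        systems = set().union(*(l.needs for l in credited))
        users = {s: [l.name for l in credited if s in l.needs] for s in systems}
        return {s: names for s, names in users.items() if len(names) > 1}

def required_extra_pfd(current: float, target: float = TARGET) -> float:
    """Combined PFD a further IPL (often an SIS) must supply to reach the target; 1.0 = none."""
    return min(1.0, target / current)

# Row 1 of the exercise: the tap for pressure sensor P1 plugs, so the BPCS loop and the PAH
# alarm, which both read P1, give no protection (pfd 1.0) in the initial design.
INITIAL = Scenario(0.10, [Layer("process design", 0.10), Layer("BPCS on P1", 1.0),
    Layer("alarm on P1", 1.0), Layer("SIS", 1.0), Layer("additional mitigation", 1.0)])
ENHANCED = Scenario(0.10, [Layer("process design", 0.10), Layer("BPCS on P1", 1.0),
    Layer("PAH alarm on separate P-2", 0.10, frozenset({"P-2 transmitter", "DCS", "instrument power"})),
    Layer("SIS", 1.0), Layer("PRV to knock-out drum and flare", 0.01)])
# Constructed dependent variant: a hypothetical SIS trip that also reads P-2 through the DCS
DEPENDENT = Scenario(0.10, ENHANCED.layers[:3] + [
    Layer("hypothetical SIS trip on P-2", 0.01, frozenset({"P-2 transmitter", "DCS"})),
    Layer("PRV to knock-out drum and flare", 0.01)])
if __name__ == "__main__":
    print({n: s.mitigated_likelihood() for n, s in (("initial", INITIAL), ("enhanced", ENHANCED))})
    print("shared support in dependent variant:", DEPENDENT.shared_support())
```

The dependent variant shows the failure mode the exercise is after: the table would still multiply 0.10 by 0.01 for the alarm and the hypothetical SIS, yet a single DCS or P-2 fault removes both layers at once.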
Approaches to reducing risk

• The most common are BPCS, alarms and pressure relief. They are typically provided in the base design.
• The next most common is SIS, which requires careful design and continuing maintenance.
• The probability of failure on demand for an SIS depends on its design. Duplicated equipment (e.g., sensors, valves, transmission lines) can improve the performance.
• A very reliable method is to design an “inherently safe” process, but these concepts should be applied in the base case.

• The safety interlock system (SIS) must use independent sensor, calculation, and final element to be independent!
• We desire an SIS that functions when a fault has occurred and does not function when the fault has not occurred.
• SIS performance improves with the use of redundant elements; however, the systems become complex, requiring high capital cost and extensive ongoing maintenance.
• Use LOPA to determine the required PFD; then, design the SIS to achieve the required PFD.
Performance for the four SIL levels for a safety interlock system (SIS)

Safety Integrity Level (SIL)    Probability of Failure on Demand
SIL-1                           0.10 to 0.001
SIL-2                           0.01 to 0.001
SIL-3                           0.001 to 0.0001
SIL-4                           Less than 0.0001
Two common designs for a safety interlock system (SIS)

Design                                                      False shutdown   Failure on demand
1 out of 1: T100 must indicate failure                      5 x 10^-3        5 x 10^-3
2 out of 3: two of T100, T101, T102 must indicate failure   2.5 x 10^-6      2.5 x 10^-6
  (better performance, more expensive)

Same variable, multiple sensors!
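To show why the 2-out-of-3 design behaves better, here is an added example (not from the original slides) that enumerates what each voting architecture does when one sensor is stuck, and what happens when all sensors are wrong together, the common-cause case behind the “same variable, multiple sensors” remark. The sensor condition names and the helper functions are mine; no PFD figures are computed.

```python
from typing import Dict, Tuple

# Sensor conditions used in the enumeration (constructed labels, not from the slides):
#   "ok"           reports the true state of the measured variable
#   "stuck_safe"   always indicates failure  -> pushes toward a false shutdown
#   "stuck_unsafe" never indicates failure   -> pushes toward failure on demand
def reading(true_failure: bool, condition: str) -> bool:
    return {"ok": true_failure, "stuck_safe": True, "stuck_unsafe": False}[condition]

def vote(k: int, indications: Tuple[bool, ...]) -> bool:
    """k-out-of-n logic: the SIS trips when at least k sensors indicate failure."""
    return sum(indications) >= k

def outcomes(k: int, conditions: Tuple[str, ...]) -> Dict[str, bool]:
    """For one set of sensor conditions, does the k-out-of-n SIS give a false shutdown
    (trip with no fault present) or a failure on demand (no trip when the fault is present)?"""
    trip_no_fault = vote(k, tuple(reading(False, c) for c in conditions))
    trip_with_fault = vote(k, tuple(reading(True, c) for c in conditions))
    return {"false_shutdown": trip_no_fault, "failure_on_demand": not trip_with_fault}

def tolerates_any_single_sensor_fault(k: int, n: int) -> bool:
    """True if no single stuck sensor, in either direction, causes either failure mode."""
    for i in range(n):
        for bad in ("stuck_safe", "stuck_unsafe"):
            conditions = tuple(bad if j == i else "ok" for j in range(n))
            if any(outcomes(k, conditions).values()):
                return False
    return True

def common_cause_failure_on_demand(k: int, n: int) -> bool:
    """All sensors wrong the same way (e.g. the measured variable itself does not reflect
    the hazard): redundancy on the same variable does not help."""
    return outcomes(k, ("stuck_unsafe",) * n)["failure_on_demand"]

if __name__ == "__main__":
    for k, n in ((1, 1), (2, 3)):
        print(f"{k} out of {n}: single-fault tolerant = {tolerates_any_single_sensor_fault(k, n)}, "
              f"common-cause failure on demand = {common_cause_failure_on_demand(k, n)}")
```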
Process examples
Class Exercise 2: Fired heater to increase stream’s temperature.

[Process drawing: a fired heater with the process feed passing through the heater, air and fuel gas supplied to the burners, and flue gas leaving the stack. Instruments shown include pressure controller PIC-1 with transmitter PT-1, analyzer transmitter AT-1, flow transmitters FT-1 and FT-2, flow indicator FI-3, pressure indicators PI-1 to PI-6 and temperature indicators TI-1 to TI-11.]
Class Exercise 2: Fired heater to increase stream’s temperature.

Row 1 of the LOPA table (cause likelihood, protection layer and mitigated likelihood columns are blank for the class to complete):
  #                            1
  Initial event description    Combustibles in stack, fire or explosion
  Initiating cause             Limited air supply because air blower reaches maximum power
  Notes                        All equipment is functioning properly in this scenario. The feed rate is very high, beyond its design value.
References

Dowell, A. and D. Hendershot, Simplified Risk Analysis - Layer of Protection Analysis, AIChE National Meeting, Indianapolis, Paper 281a, Nov. 3-8, 2002.

Dowell, A. and T. Williams, Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data, Process Safety Progress, 24, 1, 38-44 (March 2005).

Frederickson, A., Layer of Protection Analysis, www.safetyusersgroup.com, May 2006.

Gulland, W., Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons, http://www.chemicalprocessing.com/whitepapers/2005/006.html

Haight, J. and V. Kecojevic, Automation vs. Human Intervention: What is the Best Fit for the Best Performance?, Process Safety Progress, 24, 1, 45-51 (March 2005).

Melhem, G. and P. Stickles, How Much Safety is Enough, Hydrocarbon Processing, 1999.

Wiegerinck, J., Introduction to the Risk-Based Design of Safety Instrumented Systems for the Process Industries, Seventh International Conference on Control, Automation, Robotics and Vision, Singapore, Dec. 2002.
