powerpoint presentation - welcome to isnetworld 29-30, 2016 effective layers of protection analysis...

November 29-30, 2016

Effective Layers of Protection AnalysisBuilding upon Qualitative Risk

Assessments

Presenter

Presentation Notes

The objective of LOPA is to enhancing you risk management program. Most companies employ qualitative tools like HAZOP, What-If, even FMEA which are more experiential tools, based on the experience of the team to determine whether initiating events are plausible, or whether there are sufficient protection layers to bring risk within tolerance.


Keith Jackson, Managing DirectorETEC Consulting Group, LLC

• Process Safety and Risk Mgmt• OSHA & EPA Compliance• Operational Improvements• Enhance Mechanical Integrity• 34 yrs industry / 24 yrs PSM• 5 continents / 20 countries• Support clients in Exploration,

Refining, Chemicals, Pipeline sectors.

• BP, ConocoPhillips, Shell, Tesoro, Valero, National Oil Companies worldwide.


Agenda• Workshop Objectives• Inherent hazards of Oil & Gas industry• What is LOPA?• LOPA Overview• Making LOPA more effective• What to do upon return to plant


Presenter

Presentation Notes

To protect Equipment Never assume an alarm is functioning improperly- if nuisance, get it repaired. Review alarm status early in shift PSV/ Vacuum relief are last line of defense – maintain Vent line pluggage can be managed – adjust PM based on actual experience Non routine procedure often have fewer or weaker LOP – all LOP prevting equipment damage should be considered critcal


Pascagoula Gas Plant Explosion & FireJune 27, 2016

Presenter

Presentation Notes

The Pascagoula plant, which processes gas received from third-party pipelines, comprises three trains with about 1.5 Bcf/d total processing capacity. Still under Chemical Safety Board investigation


Elements of Basic Risk Assessment

INITIATING EVENT,Or CAUSE

WORST PLAUSIBLE

CONSEQUENCE.

“IT’S” OCCURRENCE IS BASED ON PROTECTION

LAYERS.

What can go wrong?

What impact is possible?

How likely is “IT” to occur?

Risk Understanding and Analysis

Presenter

Presentation Notes

“IT” referring to the entire scenario, e.g. the likelihood of the cause or IE leading to the consequence defined in this scenario (e.g. worst plausible consequence), based on the safeguards or protection layers in place.

November 29-30, 2016November 29-30, 2016

Qualitative –vs- Semi-Quantitative

Historical Records

Analytics Employed

Knowledge & Experience

HAZOP Med Low High

LOPA High High High

Presenter

Presentation Notes

This compares attributes of a Qualitative RA like HAZOP, What-If, FMEA versus a Semi-Quantitative tool like LOPA.

November 29-30, 2016ETEC Consulting Group 8

What is LOPA?• Semi-quantitative risk assessment method • Adequacy of IPLs to prevent or mitigate consequence • Determine if scenarios are within risk tolerance• Determine the required SIL of a SIF, if required.

Note: The goal is to prevent or mitigate the high severity consequences, and not to implement expensive Safety Instrumented Systems (SIS), unless absolutely required.

Presenter

Presentation Notes

Layer of Protection Analysis (LOPA) is a semi-quantitative risk assessment method used to analyze the adequacy of independent protective layers to prevent or mitigate an event that can lead to a high severity consequence. Determine whether consequences, when factoring in protection layers, are within plant’s risk tolerance. Determine the required Safety Integrity Level (SIL) of a Safety Instrumented Function (SIF), if required. Note: The goal is to prevent or mitigate the high severity consequences, and not to implement expensive Safety Instrumented Systems (SIS), unless absolutely required.


Enhancements with LOPA• Build upon qualitative

analysis• Based on statistical

analytics• Input cause frequency• Use frequency modifiers

– Time at Risk– Occupancy– Ignition Probability

• Validate independence

• Use PFD for LOP• Validate LOP are available• Define Risk Gaps

quantitatively• Close Risk Gaps with an

instrumented device of a specific SIL.

Presenter

Presentation Notes

1. Since typically only scenarios with the most significant consequences, e.g. possible fatalities, are subject to LOPA, so a better assessment of the adequacy of protection layers is desired. 2. Based on statistical analytics from industry experience LOP – independent of Initiating Event and other Layers of Protection 3. Risk gaps are defined quantitatively, after application of validated, qualified LOP.


LOPA Process

ETEC Consulting Group 10

IPL &PFD, with modifiers

Deliverables: Risk Reduction Factor, need for SIS

DetermineTMEL

Define High Severity

Consequences

DefineInitiatingEvents &

Frequency

DetermineRRF

Presenter

Presentation Notes

Define the high severity consequences that fall within the threshold subject to LOPA review, based on the HAZOP review. Define TMEL, which represents the site’s Risk tolerance, for the scenario under review. TMEL is based on Corp requirements. Define initiating events that can lead to the scenario under review. Start with the HAZOP report, then the LOPA team will refine. Quantify frequency based on historical data, published industry data and/or engineering judgment. Determine and list all of the independent protection layers (IPL) that are available to preventing an initiating event from propagating into the unwanted event. Quantify the effectiveness of the layer of protection in terms of probability of failure on demand (PFD), based on same as above


LOPA Resource• CCPS Concept Book• Industry Resource• www.ccpsonline.org

Presenter

Presentation Notes

Center for Chemical Process Safety


LOPA Governing Equation

Risk Reduction Factor = [IEF*PFD1*PFD2*PFD3…]*Ptr*Pp*Pi

TMEL

RRF = Mitigations Frequency / Defined Risk Tolerance

If Risk Reduction Factor > = 1

No special integrity measures required

If Risk Reduction Factor < 1, additional IPLs required Note: Incremental IPL may or may not be SIS


Making LOPA More Effective1. Hazard Scenarios -

What to include or exclude

2. Overstating hazards, protection layers and likelihoods

3. Using Frequency Modifiers effectively

4. Layers of Protection availability via MIP


Consequence Severity• Scenarios developed in

HAZOP or HAZID. • Common Error #1: High

pressure in vessel exceeding MAWP, leading to vessel rupture, loss of containment, fire with possible fatality.

• All pressure excursions do not lead to worst case of vessel rupture & fatality.

• Common Error #2: Pressure excursion in vessel leading to relief valve lifting. No significant safety conseq.

• The relief valve is an active safeguard. It has a certain PFD. For instance, it will not respond when called up 1 out of 100 times.

• The relief valve is a LOP. Consequence is defined based on pressure.

Presenter

Presentation Notes

1. The high consequence scenarios that flow to LOPA are often developed in the HAZOP. 2. Common Error: High pressure in vessel exceeding MAWP, leading to vessel rupture, loss of containment, fire with possible fatality. 3. All pressure excursions do not lead to worst case of vessel rupture & fatality.


Vessel Pressure Excursion

% MAWP Consequence Severity ProbabilityVessel failure

<= 2xMAWP Flange leaks , jet fire Moderate 0%

>2 – 3xMAWP Vessel damage Moderate 1%

3 to 3.5xMAWP Severe Vessel damage High 10%

>3.5xMAWP Catastrophic Vessel rupture Very High 100%

Notes:1. Define max pressure at vessel, due to reverse flow or high pressure blow through.2. Calculate the maximum overpressure and define worst plausible consequence/


Piping Pressure ExcursionANSI

RatingMAOP

Non-shock Hydro

Pressure

150 285 psig 428 psig

300 740 psig 1,110 psig

600 1,480 psig 2,220 psig

Notes:1. From ANSI B16.5 and ASTM A-105, Carbon Steel, Group 1.1 , pipe

flanges and fittings2. Based on temperature up to 100 degF.3. Hydrotest performed at ambient conditions.4. Pressure excursion must exceed maximum allowable non-shock

pressure before any measurable consequence will be seen.

Presenter

Presentation Notes

Similarly, with piping overpressure. Per ANSI tables, ANSI 150 pipe is good for 285 psig at


TMEL and Initiating Events• Acceptable risk tolerance• Defined by Corporate

based on all plants.• For instance:

– An explosion that results in a fatality may have a risk tolerance of 1x10-4 years.

• Initiating Events are identified in the HAZOP.

• Fall into 3 categories:– Equipment failure– Operator Error *– External events

• Actual failure frequency may be used

Presenter

Presentation Notes

1. TMEL is simply the acceptable risk tolerance, based on consequences. 2. Defined by Corporate based on the operations of all plants. The Targeted Mitigated Event Likelihood (TMEL) is based on the cumulative operation of all the plants in the portfolio. So it doesn’t mean 1 in 10k years for each plant, but for the operating history of the entire portfolio of facilities. If there are 100 facilities, then the probability of this type of event that can occur in that one plant, may be 1 in 100 years, which is within the lifetime of the process, which can be imagined.


Not Typically LOPA’ble• Escalation events• General Fires• Escape & Evacuation• Control of Work• Mechanical Integrity • Occupational Safety• Design Errors• “Acts of God”• Terrorism or sabotage

Presenter

Presentation Notes

- Escalation events (e.g. external fire, domino effects from other parts of the unit or adjacent plants). - General fires not associated with a specific process parameter deviation. - Injuries caused during Escape and evacuation events. - Activities governed by Control of Work (e.g., lock out/tag out, confined space entry, crane lifts, and vehicle impacts), where there are procedures in place and personnel either ignore or misapply the procedures. - Occupational Safety hazards (e.g., slips, trips, and falls, pinch points, ergonomics, accessibility, hot surfaces, etc.). - Design error (e.g., wrong sizing, wrong material selection, wrong instrumentation, etc.) as an initiating cause. However, LOPA may be utilized to identify interim risk reduction measures while a design is being corrected. - MIP: General corrosion, erosion, improper maintenance, inspection, or other integrity management issues. - Natural phenomena such as: floods, earthquakes, tornadoes, storms, lightning strikes, etc. - Terrorism and sabotage.


Frequency Modifiers: Ptr &Pp

• Hazard present during certain operation or tasks.

• Ptr = Time at Risk / total time• Example: Reactor batch

operation where heat-up cycle is 2 hours each day. The hazard is potential decomposition during heatup cycle.

Ptr = 2hrs / 24 hrs = 0.0833

• Occupy hazard zone.• Pp=Time in hazard/total time• Example: The operator

may be near the pump for 30 minutes out of their shift. In this case the occupancy factor is:

Pp = 0.5hr/12 hrs = 0.04


Frequency Modifiers: Pi

• A fire or explosion hazard must be ignited.

• The following factors are suggested to used as probability of ignition given a release:

– Pi = 1.0, auto-ignition or pyrophoric materials

– Pi = 0.1, heavy oils– Pi = 0.2, volatile liquids– Pi = 0.3, flammable liquids/

gas

Presenter

Presentation Notes

For a fire or explosion to qualify as a hazard the release must be ignited.


Using Frequency Modifiers

• Be cautious when applying Ptr & Pp. You can understate risk.

• If risk is present during a limited time, and the operator is present all that time, then Pp =1. Don’t double dip!


Identifying IPLsIPL is a device, system or action that is capable of preventing a scenario from progressing to the undesired consequence regardless of the initiating event or the performance of any other protection layer associated with the scenario.

• Two Classes of IPLs– Active: BPCS, human response

to alarm, PSV, SIS.– Passive: Dike, open vent, blast

wall/bunker, flame/detonation arrestors and restriction orifice.

• Start with HAZOP safeguards• Some HAZOP safeguards will

not meet the criteria for IPL’s


Independent Protection Layer Rules• Designed to prevent or

mitigate consequences of hazardous scenario.

• Must be dependable, and can be counted on to perform as intended.

• Can be audited to confirm performance.

• Must be independent of other IPL’s or initiated event.

Presenter

Presentation Notes

“Operator Response to Alarms” included as part of the BPCS can only be counted once.


Types of IPL’s• BPCS• Operator Response to

Alarm• SIS• Relief Devices• NOT >> Check Valves

Presenter

Presentation Notes

Relief Devices to be IPL Sized for any feasible failure scenario Release to a “safe location” Exceptions for relief devices Valves relieving toxic, flammable or environmentally sensitive materials require LOPA Valves in dirty, plugging service cannot be considered an IPL w/o specific preventive measures Systems utilizing two (2) valves each sized for 100% can take credit for 1.5 or 2 IPL’s, depending on company. Operator Response to Alarm Alarm priority, corrective response, set point, and time to act MUST be considered Alarm MUST be independent of the cause, and any claimed IPL An operator must always be present at the alarm point Alarm can be considered as a single IPL if: The alarm clearly ID’s the hazard The alarm can be distinguished among competing alarms time to respond (typically <10 min) operator is trained, and procedures identify alarm as critical Basic Process Control System If control loop is IPL, Operator response cannot be an IPL also. If failure of a control loop is a cause, then the alarms for that loop cannot be an IPL also. A control loop whose normal function compensates for the “initiating event” can be an IPL. Failure mode of the final device must be to the “safe” mode A control valve used for final actuation, the solenoid must be between the I/P and actuator, with no bypass. Check Valves Notoriously unreliable for tight shut off and can only be considered an IPL on a case by case basis, subject to: Slight reverse can be tolerated Multiple valves in series Clean service High differential pressure (>100psig) Since they fail covertly, check valves must be maintained to ensure it is available when called upon. Passive: Dike, open vent, blast wall/bunker, flame/detonation arrestors and restriction orifice.


PFD from Failure Rate• PFD is probability of failure upon demand• PFD depends on failure rate, failure mode and

test interval• Failure rate is divided into failures that cause

failure on demand• Most databases list the failure mode for an

equipment item• An untested device’s PFD gets larger as time

increases at an exponential relationship. −λt

Presenter

Presentation Notes

Refer to Table in CCPS LOPA Book, to get PFD for different type of IPL, based on industry data.


LOPA Governing Equation

Risk Reduction Factor = [IEF*PFD1*PFD2*PFD3…]*Ptr*Pp*Pi

TMEL

TMEL:

High pressure in vessel exceeding MAWP due to pressure regulator malfunctions. Possible vessel rupture, loss of containment, fire with possible fatality.

TMEL = 1x10-4

Mitigations:

IEF = 1x10-1 Instrument (regulator) fails

PDF1 = 1x10-2 Relief Device

Pp = 0.1 Random Occupancy


WHAT TO DO BACK AT YOUR PLANT?

Presenter

Presentation Notes

If you are not using LOPA, look at how you are performing HAZOP and try to make those more effective based on what you learned about LOPA. Resolve to make identified safeguards or critical alarms from HAZOP available by conducting adequate ITPM.


For More Information:Keith M. Jacksonkeith@etecconsulting.comwww.etecconsulting.com909-573-8002

mailto:[email protected]

http://www.etecconsulting.com/

powerpoint presentation - welcome to isnetworld 29-30, 2016 effective layers of protection analysis...

Documents