Impact on People. A minor injury with no permanent health damage

Size: px

Start display at page:

Download "Impact on People. A minor injury with no permanent health damage"

Doris Waters
6 years ago
Views:

1 Practical Experience of applying Layer of Protection Analysis For Safety Instrumented Systems (SIS) to comply with IEC Richard Gowland. Director European Process Safety Centre. In the late 1990s international standards for control systems on computer controlled facilities emerged. The task of compliance with these standards in a consistent manner led to the introduction of Layer of Protection Analysis (LOPA) for determination of Safety Integrity Levels (SILs) for computer operated production facilities. This was conceived and promoted by the Center for Chemical Process Safety (CCPS). My group contributed to this publication. LOPA stated that a properly controlled chemical process has layers of protection that surrounds it. The model was pictured as an Onion that has several skins. In many cases one or more of these layers is provided by Safety Instrumented Systems. The paper describes the LOPA method and the experience of carrying out hundreds of analyses over the last 5 years. These proved the advantages of the method and provided warnings. Deciding on the tolerable frequency targets. It is recommended that a company sets its own criteria where there are none set by the governing authorities. Typically, the target is a frequency for a hazardous event being studied. In the LOPA study, the target frequency (the LOPA Target) is the frequency which the user considers to be entering the tolerable region. Targets should vary according to an estimate of the severity of an unwanted event. The following is an example: Target Frequency/yr Target Factor Impact on People On-site Off-site 1.00E-02 2 Discomfort 1.00E E-04 4 A minor injury with no permanent health damage Serious permanent injury - one or more persons 1.00E-05 5 Single fatality 1.00E fatalities 1.00E-07 7 More than 10 fatalities Nuisance complaint. An event requiring neighbours being told to take shelter indoors An event leading to the need to evacuate neighbours. Minor (recoverable) injury Neighbour serious injury 1.00E fatalities Fatality 1.00E-09 9 Catastrophic event - many fatalities. More than 1 fatality 1

2 How the methodology works: Initiating event frequency (e.g. control system fails) 1e-01 Conditional Modifier (e.g. probability of ignition) 1e-01 Independent Protection Layers: PFD of IPL 1 1e-01 PFD of IPL 2 1e-01 PFD of IPL 3 1e-02 Final event frequency 1e-06 This can be compared with the target (tolerable) frequency selected to see if the target is met or exceeded or a protection gap exists. Conservative assumptions are made on all data used. If the undesired final event is a vessel rupturing as a result of a gassy decomposition during an uncontrolled runaway reaction initiated by a temperature control loop failure occurred at an intolerably high frequency we would add layers of protection to close the protection gap. In such an example, we would consider: Additional high temperature sensing and connection to a trip system Diverse instrumentation loops with safe shut down (e.g. pressure) Trend monitoring of a parameter to show a deviation from normal Relief systems (e.g. Pressure Safety Valves or Rupture Disks) Quench or reaction Kill systems If these measures are effective and independent of each other, they can be considered effectively as ANDs in an event or fault tree. If they are deficient in either effectiveness or independence, further steps are needed. There are also cases where apparent single failures can lead immediately to major events. In cases like these, LOPA may be interesting but may not be the best approach. This is what it looks like as an event tree: Protection Layer Concept IPL 1 IPL 2 IPL 3 Impact Event Occurs PFD 3 = y 3 Impact Event Frequency, f 3 = x * y 1 * y 2 * y 3 PFD 2 = y 2 PFD 1 = y 1 f 2 =x * y 1 * y 2 success Safe Outcome Initiating Event Estimated Frequency f i = x f 1 = x * y 1 success success Safe Outcome Safe Outcome Key: Arrow represents severity and frequency of the Impact Event if later IPLs are not successful Impact Event Severity Frequency IPL - Independent Protection Layer PFD - Probability of Failure on Demand f - frequency, /yr CCPS The impact event frequency is the product of the original event frequency and the PFDs of the 3 layers of protection. As each layer is called upon to function, the failure frequency of the entire system becomes progressively smaller. Each Layer of Protection needs to satisfy the definition: 2

3 A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection. This is straightforward for many types of IPLs such as Safety Instrumented Systems which take the process to a safe state, but others suffer from the limitation that they may only reduce the scale of the final event. Examples of this are: dikes or bunds, emergency response, fire protection water spray vapour absorption, Some other important definitions: What is a Conditional Modifier? This is something which affects the frequency of the final outcome because it reflects such things as the probability that a hazard will be present at a given time. Examples include: probability that a flammable leak will be ignited hazardous unit operations which are running intermittently. scenarios which involve injury to plant operating staff but which occur in areas which are rarely occupied a probability of exposure. These factors should be allowable since they do affect the frequency of the final outcome in the sense that the hazard is there for less than 12 months a year or that the probability of ignition for fire and explosion cases may not always be 100%. If the latter two examples are considered, it is important to remind users that the patterns of use and exposure may change with time. This is just one reason for periodic review. The Independent Protection Layers described above could be: Basic Process Control (BPCS) Alarm and Operator Response Hard wired independent trips Safety Instrumented Systems Relief systems Other Safety Related Protection Systems The number of layers needed is dictated by: the frequency of the initiating event the Conditional Modifiers (If any) the PFDs of the Independent Protection Layersand the Target frequency LOPA helps you to decide: Do I need a Safety Instrumented System? Are there alternatives? Whatever is decided upon, a basic rule of thumb is that the system chosen needs to be effective, independent and testable. This may be more difficult than it appears. 3

4 Experience of doing many LOPA studies since 1999: A demonstration of software tools is included in the paper presentation. These tools are available free of charge from the presenter. 1) Estimating the consequences of the scenario. LOPA users consider the following factors in consequence estimation Injury to people Quantities of hazardous materials, operating conditions, physical and hazardous properties Economic loss In the first case, modelling is usually done to determine e.g. the extent of a toxic releases or the effect range of a fire or explosion. Estimates of the exposed population need to be done. For on site events it is easy to over-estimate in the cases of fires and toxic releases. Examples I have challenged include the number of persons at risk in an occupied control room when the top event is the rupture of a pressure vessel which is engulfed in fire. Specifically, I was informed that the scenario took more than 40 minutes to develop sufficient pressure in the vessel to reach the relief pressure and that there were up to 8 people in the control room. This gave a very high severity to the target (tolerated) frequency. Factors to consider were the fire detection system and deluge operation, but these were set aside until the whole picture could be examined. On examination, the emergency plan required the operators to evacuate to a remote assembly point if a significant fire occurred. Since a fire lasting more than 40 minutes was certain to be detected and the likelihood of 8 people being exposed to the vessel rupture hazard seemed negligible. However, the effect of the fire hazard itself might be more serious. Realistically, the emergency plan needed to be upgraded and we should take the target frequency on the basis of a single fatality for the rupture event. Other aspects of this particular scenario proved to be more difficult to analyse, but the major outcome was the upgrading of the emergency plan and the effectiveness of the fire protection. In another case we discussed the scenario of a runaway exothermic reaction in a batch reactor. The scenario was proposed as follows: Vessel rupture when a runaway reaction occurs due to temperature control failure and the relief system does not work. This was quickly changed to Vessel rupture when a runaway reaction occurs due to temperature control failure. When the questioner realized that in LOPA the relief system IS considered in the study, but as an Independent Layer of Protection with a probability of failure on demand. A clear definition of the scenario is needed and we must avoid involving simultaneous independent failures in the description. 2) Initiating Events: Failure frequencies cause much debate. There is good generic order of magnitude information about instrument loop failures. Many companies have their own records which support the figure they use. This greatly helps the use of LOPA to design control systems, Safety Instrumented Systems (SIS) and other non SIS layers of protection. I have been confronted with cases where piping system failures have been used as initiating events. These are difficult to deal with, since failure rates vary so much, depending on corrosion, stress and other factors which may be controllable or the subject of effective inspection. The case which seemed to set the tone involved a release of Dimethyl Amine from connections on a storage tank. The user was applying a high failure frequency to this initiating event because the piping was not to a modern specification. Indeed, all joints and connections were screwed. It was obvious that there were no opportunities to close the protection gap. It 4

5 was equally obvious that LOPA was telling us what we already knew. The piping system should be upgraded to a modern suitable specification or subject to frequent X ray. Recognise that some initiating events may cause scenarios where there are no conventional true IPLs available; e.g. vessel rupture for no anticipated reason. If events like this occur, there is no instrumented or any other system which can stop the event once it has occurred. In a sense, this type of event can be predicted, simply because they have happened. It would be wrong to eliminate the possibility. All that you can do is to MITIGATE it. The problem with assessing mitigation systems is that they are difficult to test in a real sense. This led me to recommend against LOPA for Large pressure vessel failures. A more effective way of dealing with the problem was to apply Risk Based Inspection to reduce failure frequencies, whilst allowing for the infrequent major releases to be dealt with by mitigation and the emergency response system. I was asked to study the scenario of a large leak of hazardous material from the base of a reactor after maintenance. The leak would bee caused by failure to re-connect properly after maintenance. What would LOPA tell us? It seemed more appropriate for the user to examine and test his permit to work system and the return to operations testing and acceptance regime since there were no obvious IPLs. Immediately, the fault tree side of the Bow Tie diagram could be examined and a frequency of actual major leak estimated. This proved to be a more appropriate study and revealed deficiencies in the permit system. 3) Conditional Modifiers: Various sources have suggested that quantity of release affecting the probability of ignition flammability time at risk should be considered. These can all be modelled successfully, but need to be well argued. In the case of time at risk, a factor of 10% can be applied to an operation which takes place for less than this proportion of the year. Operations such as unloading often come into this category. A difficulty occurs if sales suddenly improve and the operation becomes significantly more frequent. Such a subtle change could affect the overall unwanted event frequency, but might not be picked up by a Management of Change review. Special care is needed when time at risk is considered. 4) Independent Protection Layers (IPLs): There have been many examples where the independence of a proposed IPL is debatable and thus some claimed IPLs cannot be counted. Operator response is a fruitful area for examination. Is it practical or possible for the operator to act as an IPL? Does he have a written and practised procedure? Do you test him? Is he receiving the warning from a device which is already credited as being independent (If yes, there is a common cause failure) How reliable is the operator in an event where many alarms may become active? Will the operator be present at the location where the alarm is noticeable? If the Basic Process Control System (BPCS) is operating a trip and alarm, it is unlikely that these two functions are independent. Furthermore, Software integrity was often not assured. 5

6 Non SIS layers of protection, e.g. Relief Systems and Management Systems. Opportunities to provide non SIS layers of protection are often missed. It is quite common for the Basic Process Control System (BPCS) to be ignored as a potential protection. Frequently, a simple rearrangement of hardware or software achieves an efficient result. The capability of relief systems becomes a topic of study. It is common for a relief system to be credited with an optimistic probability of failure on demand without any real assurance that it has the capacity to handle the release in the scenario. Furthermore, hazardous downstream events (from venting) may be ignored. This has led to a general improvement in relief capacity calculation and vent capture. In a study of overpressure of a low pressure storage tank which was nitrogen blanketed, concerns were raised that the Nitrogen system itself could cause a hazard and rupture the tank if its pressure control failed. The Pressure/Vacuum relief system (pad-de-pad) did not offer sufficient protection. It was proposed to add a Safety Instrumented System comprising a block valve in the Nitrogen supply which would be closed after a pressure sensor on the tank vapour space detected a high pressure. A much cheaper solution was to add a separate relief valve on a separate independent nozzle. Management systems such as enhanced inspection or double check and signature have been proposed as IPLS. It seems preferable to use them as modifiers of the initiating event frequency, since they do not meet the definition of IPL. 5) Mitigation Systems How to credit mitigation systems water sprays, fire protection, emergency response, shelter in place. We need to recognise that some initiating events may cause scenarios where there are no conventional true IPLs available; e.g. vessel rupture for no anticipated reason. If events like this occur, there is no instrumented or any other system which can stop the event once it has started. In a sense, this type of event can be predicted, simply because they have happened in the past so it would be wrong to eliminate the possibility. All that you can do is to MITIGATE the effects. The problem with assessing mitigation systems is that they are difficult to test in a real sense. My conclusion was that a highly reliable mitigation system would reduce the scale of the top event and thus the severity in the target frequency estimate. The net effect would mean that potential gaps could be closed by subtraction on the left hand side of a LOPA worksheet, thus helping to close protection gaps without compromising principles. References: Guidelines for Quantitative Risk Assessment CPR 18E (Purple Book) Published by the Netherlands Committee for Prevention of Disasters. Layer of Protection Analysis American Institute of Chemical Engineers Center for Chemical Process Safety. (CCPS) ISBN

Identification and Screening of Scenarios for LOPA. Ken First Dow Chemical Company Midland, MI

Identification and Screening of Scenarios for LOPA Ken First Dow Chemical Company Midland, MI 1 Layers of Protection Analysis (LOPA) LOPA is a semi-quantitative tool for analyzing and assessing risk. The