
Practical Experience of applying Layer of Protection Analysis for Safety Instrumented Systems (SIS) to comply with IEC 61511

Richard Gowland, Director, European Process Safety Centre (Rtgowland@aol.com, rgowlandepsc@icheme.org.uk)

In the late 1990s international standards for control systems on computer controlled facilities emerged. The task of complying with these standards in a consistent manner led to the introduction of Layer of Protection Analysis (LOPA) for the determination of Safety Integrity Levels (SILs) for computer operated production facilities. This was conceived and promoted by the Center for Chemical Process Safety (CCPS); my group contributed to this publication. LOPA states that a properly controlled chemical process has layers of protection that surround it. The model was pictured as an onion with several skins. In many cases one or more of these layers is provided by Safety Instrumented Systems. The paper describes the LOPA method and the experience of carrying out hundreds of analyses over the last 5 years. These proved the advantages of the method and also provided warnings.

Deciding on the tolerable frequency targets

It is recommended that a company sets its own criteria where none are set by the governing authorities. Typically, the target is a frequency for the hazardous event being studied. In the LOPA study, the target frequency (the LOPA Target) is the frequency which the user considers to be entering the tolerable region. Targets should vary according to an estimate of the severity of the unwanted event. The following is an example:

Target frequency/yr   Target factor   Impact on people (on-site)                       Impact on people (off-site)
1.00E-02              2               Discomfort                                       Nuisance complaint
1.00E-03              3               A minor injury with no permanent health damage   An event requiring neighbours being told to take shelter indoors
1.00E-04              4               Serious permanent injury - one or more persons   An event leading to the need to evacuate neighbours
1.00E-05              5               Single fatality                                  Minor (recoverable) injury
1.00E-06              6               5 fatalities                                     Neighbour serious injury
1.00E-07              7               More than 10 fatalities                          Fatality
1.00E-08              8               100 fatalities                                   More than 1 fatality
1.00E-09              9               Catastrophic event - many fatalities

The target factor is the negative exponent of the target frequency, so each step down the table is one order of magnitude more stringent.

How the methodology works

Initiating event frequency (e.g. control system fails)     1e-01
Conditional modifier (e.g. probability of ignition)        1e-01
Independent Protection Layers:
    PFD of IPL 1                                           1e-01
    PFD of IPL 2                                           1e-01
    PFD of IPL 3                                           1e-02
Final event frequency                                      1e-06

This can be compared with the target (tolerable) frequency selected to see whether the target is met or exceeded, or whether a protection gap exists. Conservative assumptions are made on all data used. If the undesired final event, say a vessel rupturing as a result of a gassy decomposition during an uncontrolled runaway reaction initiated by a temperature control loop failure, occurred at an intolerably high frequency, we would add layers of protection to close the protection gap. In such an example, we would consider:

- Additional high temperature sensing and connection to a trip system
- Diverse instrumentation loops with safe shut down (e.g. pressure)
- Trend monitoring of a parameter to show a deviation from normal
- Relief systems (e.g. Pressure Safety Valves or Rupture Disks)
- Quench or reaction kill systems

If these measures are effective and independent of each other, they can be treated as ANDs in an event or fault tree. If they are deficient in either effectiveness or independence, further steps are needed. There are also cases where apparent single failures can lead immediately to major events. In cases like these, LOPA may be interesting but may not be the best approach.

This is what it looks like as an event tree (figure: Protection Layer Concept, from CCPS):

[Figure: event tree in which the initiating event, at estimated frequency f_i = x, passes through IPL 1, IPL 2 and IPL 3, each with a "success" branch leading to a safe outcome. PFD 1 = y1, PFD 2 = y2, PFD 3 = y3; f1 = x * y1, f2 = x * y1 * y2, and the impact event frequency f3 = x * y1 * y2 * y3. Key: the arrow represents the severity and frequency of the impact event if later IPLs are not successful; IPL - Independent Protection Layer; PFD - Probability of Failure on Demand; f - frequency, /yr.]

The impact event frequency is the product of the original event frequency and the PFDs of the 3 layers of protection. As each layer is called upon to function, the failure frequency of the entire system becomes progressively smaller. Each layer of protection needs to satisfy the definition:

A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.

This is straightforward for many types of IPLs, such as Safety Instrumented Systems which take the process to a safe state, but others suffer from the limitation that they may only reduce the scale of the final event. Examples of this are:

- dikes or bunds
- emergency response
- fire protection water spray
- vapour absorption

Some other important definitions:

What is a Conditional Modifier? This is something which affects the frequency of the final outcome because it reflects such things as the probability that a hazard will be present at a given time. Examples include:

- the probability that a flammable leak will be ignited
- hazardous unit operations which are running intermittently
- scenarios which involve injury to plant operating staff but which occur in areas which are rarely occupied (a probability of exposure)

These factors should be allowable, since they do affect the frequency of the final outcome in the sense that the hazard is there for less than 12 months a year, or that the probability of ignition for fire and explosion cases may not always be 100%. If the latter two examples are considered, it is important to remind users that the patterns of use and exposure may change with time. This is just one reason for periodic review.

The Independent Protection Layers described above could be:

- Basic Process Control System (BPCS)
- Alarm and operator response
- Hard wired independent trips
- Safety Instrumented Systems
- Relief systems
- Other safety related protection systems

The number of layers needed is dictated by:

- the frequency of the initiating event
- the Conditional Modifiers (if any)
- the PFDs of the Independent Protection Layers
- the Target frequency

LOPA helps you to decide: Do I need a Safety Instrumented System? Are there alternatives? Whatever is decided upon, a basic rule of thumb is that the system chosen needs to be effective, independent and testable. This may be more difficult than it appears.

Experience of doing many LOPA studies since 1999

A demonstration of software tools is included in the paper presentation. These tools are available free of charge from the presenter.

1) Estimating the consequences of the scenario

LOPA users consider the following factors in consequence estimation:

- injury to people
- quantities of hazardous materials, operating conditions, physical and hazardous properties
- economic loss

In the first case, modelling is usually done to determine, for example, the extent of a toxic release or the effect range of a fire or explosion. Estimates of the exposed population need to be made. For on-site events it is easy to over-estimate in the cases of fires and toxic releases. Examples I have challenged include the number of persons at risk in an occupied control room when the top event is the rupture of a pressure vessel which is engulfed in fire. Specifically, I was informed that the scenario took more than 40 minutes to develop sufficient pressure in the vessel to reach the relief pressure and that there were up to 8 people in the control room. This gave a very high severity to the target (tolerated) frequency. Factors to consider were the fire detection system and deluge operation, but these were set aside until the whole picture could be examined. On examination, the emergency plan required the operators to evacuate to a remote assembly point if a significant fire occurred. Since a fire lasting more than 40 minutes was certain to be detected, the likelihood of 8 people being exposed to the vessel rupture hazard seemed negligible. However, the effect of the fire hazard itself might be more serious. Realistically, the emergency plan needed to be upgraded and we should take the target frequency on the basis of a single fatality for the rupture event. Other aspects of this particular scenario proved to be more difficult to analyse, but the major outcome was the upgrading of the emergency plan and the effectiveness of the fire protection.

In another case we discussed the scenario of a runaway exothermic reaction in a batch reactor. The scenario was proposed as follows: "Vessel rupture when a runaway reaction occurs due to temperature control failure and the relief system does not work." This was quickly changed to "Vessel rupture when a runaway reaction occurs due to temperature control failure" when the questioner realized that in LOPA the relief system IS considered in the study, but as an Independent Layer of Protection with a probability of failure on demand. A clear definition of the scenario is needed and we must avoid involving simultaneous independent failures in the description.

2) Initiating events

Failure frequencies cause much debate. There is good generic order of magnitude information about instrument loop failures. Many companies have their own records which support the figure they use. This greatly helps the use of LOPA to design control systems, Safety Instrumented Systems (SIS) and other non-SIS layers of protection. I have been confronted with cases where piping system failures have been used as initiating events. These are difficult to deal with, since failure rates vary so much, depending on corrosion, stress and other factors which may be controllable or the subject of effective inspection. The case which seemed to set the tone involved a release of dimethylamine from connections on a storage tank. The user was applying a high failure frequency to this initiating event because the piping was not to a modern specification. Indeed, all joints and connections were screwed. It was obvious that there were no opportunities to close the protection gap. It was equally obvious that LOPA was telling us what we already knew: the piping system should be upgraded to a modern suitable specification or subject to frequent X-ray.

Recognise that some initiating events may cause scenarios where there are no conventional true IPLs available, e.g. vessel rupture for no anticipated reason. If events like this occur, there is no instrumented or any other system which can stop the event once it has occurred. In a sense, this type of event can be predicted, simply because they have happened. It would be wrong to eliminate the possibility. All that you can do is to MITIGATE it. The problem with assessing mitigation systems is that they are difficult to test in a real sense. This led me to recommend against LOPA for large pressure vessel failures. A more effective way of dealing with the problem was to apply Risk Based Inspection to reduce failure frequencies, whilst allowing for the infrequent major releases to be dealt with by mitigation and the emergency response system.

I was asked to study the scenario of a large leak of hazardous material from the base of a reactor after maintenance. The leak would be caused by failure to re-connect properly after maintenance. What would LOPA tell us? It seemed more appropriate for the user to examine and test his permit to work system and the return to operations testing and acceptance regime, since there were no obvious IPLs. Immediately, the fault tree side of the Bow Tie diagram could be examined and a frequency of actual major leak estimated. This proved to be a more appropriate study and revealed deficiencies in the permit system.

3) Conditional Modifiers

Various sources have suggested that the following should be considered:

- quantity of release affecting the probability of ignition
- flammability
- time at risk

These can all be modelled successfully, but need to be well argued.
In the case of time at risk, a factor of 10% can be applied to an operation which takes place for less than this proportion of the year. Operations such as unloading often come into this category. A difficulty occurs if sales suddenly improve and the operation becomes significantly more frequent. Such a subtle change could affect the overall unwanted event frequency, but might not be picked up by a Management of Change review. Special care is needed when time at risk is considered.

4) Independent Protection Layers (IPLs)

There have been many examples where the independence of a proposed IPL is debatable and thus some claimed IPLs cannot be counted. Operator response is a fruitful area for examination. Is it practical or possible for the operator to act as an IPL?

- Does he have a written and practised procedure?
- Do you test him?
- Is he receiving the warning from a device which is already credited as being independent? (If yes, there is a common cause failure.)
- How reliable is the operator in an event where many alarms may become active?
- Will the operator be present at the location where the alarm is noticeable?

If the Basic Process Control System (BPCS) is operating a trip and alarm, it is unlikely that these two functions are independent. Furthermore, software integrity was often not assured.
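The worksheet arithmetic from the methodology section (initiating event frequency times conditional modifiers times IPL PFDs, compared with the LOPA Target) and the 10% time-at-risk rule above, as an added Python example; it is not the author's software tools or CCPS code. The on-site target table is the paper's example; the runaway-reaction and unloading scenarios and all their numbers are constructed.

```python
# Added example (not the author's software tools or CCPS code): the LOPA
# worksheet arithmetic and time-at-risk rule of thumb described in the paper.
# The on-site target table is the paper's example; scenarios are constructed.
import math

# On-site column of the paper's example target table: target frequency/yr = 10**-factor.
ONSITE_TARGET_FACTOR = {
    "discomfort": 2,
    "minor injury, no permanent damage": 3,
    "serious permanent injury": 4,
    "single fatality": 5,
    "5 fatalities": 6,
    "more than 10 fatalities": 7,
    "100 fatalities": 8,
    "catastrophic, many fatalities": 9,
}

def target_frequency(severity):
    """LOPA Target: the frequency/yr the company treats as entering the tolerable region."""
    return 10.0 ** -ONSITE_TARGET_FACTOR[severity]

def time_at_risk_modifier(fraction_of_year):
    """Paper's rule of thumb: a 0.1 conditional modifier only while the operation
    runs for less than 10% of the year. If production grows past that, the
    credit disappears, which a Management of Change review can easily miss."""
    return 0.1 if fraction_of_year < 0.1 else 1.0

def final_frequency(initiating_freq, modifiers=(), ipl_pfds=()):
    """f = x * (each conditional modifier) * (PFD of each independent layer)."""
    f = initiating_freq
    for factor in list(modifiers) + list(ipl_pfds):
        f *= factor
    return f

def protection_gap(initiating_freq, severity, modifiers=(), ipl_pfds=()):
    """Orders of magnitude of further risk reduction needed to meet the target
    (0 when met). A gap of 2 means one more IPL with PFD <= 1e-2, or an
    equivalent combination of layers, is needed."""
    ratio = final_frequency(initiating_freq, modifiers, ipl_pfds) / target_frequency(severity)
    return max(0, math.ceil(math.log10(ratio) - 1e-9))  # 1e-9 absorbs float noise

def worksheet(name, initiating_freq, severity, modifiers=(), ipl_pfds=()):
    """One LOPA worksheet row: final frequency, target and remaining gap."""
    return {
        "scenario": name,
        "final_frequency": final_frequency(initiating_freq, modifiers, ipl_pfds),
        "target": target_frequency(severity),
        "gap_orders": protection_gap(initiating_freq, severity, modifiers, ipl_pfds),
    }

if __name__ == "__main__":
    # The paper's worked example: 1e-1 initiating, 1e-1 ignition, IPLs 1e-1, 1e-1, 1e-2
    # gives 1e-6/yr, which exactly meets a 5-fatality target.
    print(worksheet("paper example", 1e-1, "5 fatalities", [1e-1], [1e-1, 1e-1, 1e-2]))
    # Constructed runaway-reaction case: temperature loop fails 1e-1/yr, single
    # fatality target, relief valve credited at PFD 1e-2 -> gap of 2 orders ...
    print(worksheet("runaway, relief only", 1e-1, "single fatality", [], [1e-2]))
    # ... closed by adding an independent high-temperature trip at PFD 1e-2.
    print(worksheet("runaway + trip", 1e-1, "single fatality", [], [1e-2, 1e-2]))
    # Unloading 5% of the year earns the 0.1 credit; growth to 30% removes it
    # and reopens a one-order gap with no hardware having changed.
    for share in (0.05, 0.30):
        print(worksheet(f"unloading {share:.0%}", 1e-1, "single fatality",
                        [time_at_risk_modifier(share)], [1e-1, 1e-2]))
```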

Non-SIS layers of protection, e.g. relief systems and management systems

Opportunities to provide non-SIS layers of protection are often missed. It is quite common for the Basic Process Control System (BPCS) to be ignored as a potential protection. Frequently, a simple rearrangement of hardware or software achieves an efficient result. The capability of relief systems becomes a topic of study. It is common for a relief system to be credited with an optimistic probability of failure on demand without any real assurance that it has the capacity to handle the release in the scenario. Furthermore, hazardous downstream events (from venting) may be ignored. This has led to a general improvement in relief capacity calculation and vent capture.

In a study of overpressure of a low pressure storage tank which was nitrogen blanketed, concerns were raised that the nitrogen system itself could cause a hazard and rupture the tank if its pressure control failed. The pressure/vacuum relief system (pad-de-pad) did not offer sufficient protection. It was proposed to add a Safety Instrumented System comprising a block valve in the nitrogen supply which would be closed after a pressure sensor on the tank vapour space detected a high pressure. A much cheaper solution was to add a separate relief valve on a separate independent nozzle.

Management systems such as enhanced inspection or double check and signature have been proposed as IPLs. It seems preferable to use them as modifiers of the initiating event frequency, since they do not meet the definition of an IPL.

5) Mitigation systems

How to credit mitigation systems: water sprays, fire protection, emergency response, shelter in place. We need to recognise that some initiating events may cause scenarios where there are no conventional true IPLs available, e.g. vessel rupture for no anticipated reason. If events like this occur, there is no instrumented or any other system which can stop the event once it has started. In a sense, this type of event can be predicted, simply because they have happened in the past, so it would be wrong to eliminate the possibility. All that you can do is to MITIGATE the effects. The problem with assessing mitigation systems is that they are difficult to test in a real sense. My conclusion was that a highly reliable mitigation system would reduce the scale of the top event and thus the severity in the target frequency estimate. The net effect would mean that potential gaps could be closed by subtraction on the left hand side of a LOPA worksheet, thus helping to close protection gaps without compromising principles.

References

Guidelines for Quantitative Risk Assessment, CPR 18E (Purple Book). Published by the Netherlands Committee for Prevention of Disasters.
Layer of Protection Analysis. American Institute of Chemical Engineers, Center for Chemical Process Safety (CCPS). ISBN 0-8169-0811-7.