Global Congress on Process Safety - 2012
More LOPA Misapplied: Common Errors and How to Avoid
John W. Champion
The Dow Chemical Company
6519 State Highway 225
Deer Park, Texas 77536
[email protected]
Karen A. Study
The Dow Chemical Company
6519 State Highway 225
Deer Park, Texas 77536
[email protected]
Copyright © Dow Chemical Company, April 2012 UNPUBLISHED
Prepared for Presentation at
8th Global Congress on Process Safety
Houston, TX
April 1-4, 2012
AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications
Keywords: LOPA, scenario, initiating event, IPL
Layer of Protection Analysis (LOPA) continues to be more and more widely utilized in the
Petrochemical and other industries. LOPA is considered a “simplified” tool, which is true
relative to tools such as Quantitative Risk Assessment and Fault Tree Analysis. However,
simplified does not mean simple on an absolute basis. There are many complicating factors and
nuances involved in the proper application of LOPA, which can lead to misapplication of the
This paper is a follow-up to the 2008 published paper by the same authors, entitled “LOPA
Misapplied: Common Errors Can Lead to Incorrect Conclusions”. In that paper, the authors
stated that LOPA “can provide quick and efficient guidance on what additional safeguards are
needed, if any, to protect against a given scenario. If misapplied, an overly conservative
calculation of risk may result in over-instrumentation, additional life-cycle costs and spurious
trips. Even worse, a non-conservative calculation of risk could result in an under-protected
system and unacceptable risk of an undesired consequence occurring.” A number of practical
examples of misapplication of LOPA were presented in that paper.
In this paper, the authors will cover more real-life examples of misapplication and how to avoid
those pitfalls. Subjects covered include misuse of the concept of double jeopardy, assuming
something will never fail against the “fail-safe” condition, using protective systems to justify
scenarios as non-credible, and also several situations that warrant moving beyond LOPA to more
sophisticated tools.
1. Introduction
Layer of Protection Analysis (LOPA) continues to be more and more widely utilized in the
Petrochemical and other industries. LOPA is considered a “simplified” tool, which is true
relative to tools such as Quantitative Risk Assessment and Fault Tree Analysis. However,
simplified does not mean simple on an absolute basis. There are many complicating factors and
nuances involved in the proper application of LOPA, which can lead to misapplication of the
In our 2008 paper on the same topic, we stated that LOPA “can provide quick and efficient
guidance on what additional safeguards are needed, if any, to protect against a given scenario. If
misapplied, an overly conservative calculation of risk may result in over-instrumentation,
additional life-cycle costs and spurious trips. Even worse, a non-conservative calculation of risk
could result in an under-protected system and unacceptable risk of an undesired consequence
occurring.” A number of practical examples of misapplication of LOPA were presented in that
We intend with this paper to follow up with more practical examples that will hopefully help the
reader learn to apply the LOPA principles correctly. The examples are organized roughly along
the lines of how the LOPA methodology is presented in the CCPS LOPA book [1]. In the book,
four chapters are utilized to cover the following topics:
1. Estimating Consequences and Severity
2. Developing Scenarios
3. Identifying Initiating Event Frequencies
4. Identifying Independent Protection Layers
The following examples represent misapplications, as well as the correct applications in each of
those steps of the LOPA work process.
2. Estimating Consequences and Severity - Incorrect Use of Consequence Tables
A 2010 publication entitled “Consistent Consequence Severity Estimation” [2] proposed a
methodology for establishing a set of consequence tables that provides for more consistent
estimation of consequences. As established in that paper, the designation of an impact associated
with a scenario can be very subjective and dependent on the team members’ individual biases
and experiences. Consequences tables can provide a basis for more consistent and unbiased
estimation of the consequences associated with a scenario.
There is a caveat, however. The authors caution in their paper that “Where plant conditions are
significantly different from the assumptions, additional studies and/or consequence modeling
should be considered.” The problem with widespread use of these types of tables is that the
caveat that goes along with it can be easily overlooked.
Table 1 below presents a hypothetical example of a table that could be developed for use by
novice practitioners. Along the top row, the user is to select an estimated unmitigated frequency
of the initiating event, such as a control loop failure or operator error. The user then estimates
the quantity released and vaporized in fifteen minutes and then selects a value along the left-hand
column. Fifteen minutes is used as a reasonable estimation of when the flammable cloud
reaches steady-state.
The intersection of those two selections on the table represents the amount of risk reduction
required for a given scenario, presumably from a table of available Independent Protection
Layers. The color coding in the table is intended to help designate the gap in risk tolerance that
needs to be addressed. Green represents no additional protection is needed, while yellow
indicates some measure is needed, and red indicates that a significant gap exists and that high
priority should be placed on closing the gap.
Table 1: Consequence Table Example
Rows (left-hand column), flammable vapor release quantity (total lbs. in 15 minutes):
  >10,000 lbs
  1,000-10,000 lbs
  100-1,000 lbs
  <100 lbs
Columns (top row), unmitigated initiating event frequency:
  1/1,000 yrs | 1/100 yrs | 1/10 yrs | Once/Yr
(Cell contents, the required risk reduction color-coded green/yellow/red, are not reproduced in this extraction.)
There are several potential pitfalls with this hypothetical table. First, the concept of an
unmitigated initiating event frequency is lost on many outside the world of experienced Process
Safety practitioners. The tendency is to underestimate the frequency by incorporating existing
protection layers, because that is what their real-world experience is telling them. This
experience-based determination is biased by the fact that some of the protection layers are
already in place. The best way to overcome this issue is to utilize a standard table of initiating
event frequencies, such as the one provided in the CCPS LOPA book [1].
It is also easy for inexperienced practitioners to not understand the differentiation between the
amount of material released and the amount vaporized when estimating the release quantity. If
the vaporization rate is not taken into account for a flammable release, the risk may be
overestimated for a liquid with low volatility. Nomographs can be provided relating the liquid
vapor pressure at release conditions to the proportion that vaporizes. Alternatively, a simple
flash calculation can be performed.
Finally, and perhaps most importantly, it is easy to not take into consideration the release point
and ultimate destination for the release that leads to a scenario.
As an example where this type of misapplication can occur, consider an inventory of liquid
propylene handled at ground level. The overpressure scenario that results in catastrophic rupture
leads to a ground level release, and the table can be used effectively for that situation. However,
the overpressure scenario that results in activation of the emergency relief device can have a
different outcome, depending on the discharge location.
Figure 1: Flammable Envelope from Ground Level Propylene Release – View from Above
Figure 2: Flammable Envelope from Elevated Propylene Release - Sideview
Refer to Figures 1 and 2 for a comparison of the consequence analysis for a ground level
discharge and an elevated discharge vertically up at the same flowrate. The ground level
discharge can have significant impact if an ignition source is found, and the table would be
appropriate to use in that case. However, if the elevated discharge does not directly impact a
structure above it (as should be the case in a properly designed facility), then there is no impact
to personnel.
If a LOPA team uses the table for the elevated relief device discharge, they would overestimate
the consequences and possibly implement protection layers beyond what is needed to satisfy the
risk tolerance criteria. This demonstrates why it is critical to provide tools that are intended to
aid in simplification in LOPA, and then thoroughly train LOPA teams on their use. The teams
need to understand when the simplifying assumptions break down and more sophisticated tools
are needed.
3. Estimating Consequences and Severity – Short Term Exposure to Toxics Leading to Conservative Consequence Estimation
One LOPA scenario that often requires careful analysis is related to toxic exposures. As a first
pass, a LOPA team can determine if Emergency Response Planning Guideline Level 3 (ERPG 3)
levels of a toxic might reach a target population using a toxic dispersion modeling program.
However, this may lead to conservative results if the duration of exposure is small or if the
population of interest is a long distance away. If the team would like to look at the consequences
in more detail, the dispersion model can be modified to include the Probit relationship data. As
detailed in S. Dharmavaram and James A. Klein’s 2010 paper, “Preventing Loss of Containment
through a Systematic Assessment of Hazards, Consequences, and Risks” [3], Probit (Pr)
relationships are available for some toxic chemicals. The Probability of Fatality can be
determined using Equations 1 and 2 below:
[Eq. 1]  Probit relationship, Pr (the equation itself did not survive extraction)
  where C = concentration in ppm
        t = time in minutes
        a, b, and n are constants specific to the chemical of interest
[Eq. 2]  Probability of fatality from Pr (only the terms "0.5", "1" and "erf" survived extraction)
  where erf = error function
Since acute toxicity impacts are dependent on both concentration and exposure duration, it is
appropriate to consider both when evaluating acute exposures. Probit data is not well defined
and available for many chemicals. Also, there can be different public domain Probit values for
the same chemical. Some companies might choose to adopt their own values based on analysis
and studies which might be different from published values. For chemicals that do have Probit
relationship data available, more realistic consequences for toxic releases can be estimated.
Public domain sources such as the Dutch “Purple Book” [4] or a new source from the US Dept.
of Homeland Security which established Probit coefficients for chlorine, ammonia, and phosgene
(and other chemicals) within the past several years are examples. When using Probit
relationships, the user should understand that the toxicology data used to derive the Probit
relationship may be different than the data used to establish ERPG levels. Therefore, the results
will also be impacted by the differences in toxicology data.
Table 2 illustrates an example of how using Probit relationships for a hydrogen cyanide (HCN)
release can change the consequences for a given LOPA scenario.
Table 2: Dispersion Endpoints for HCN Release
Endpoint for Dispersion                          | Distance from Source to Endpoint
ERPG 3 (25 ppm)                                  | (value not reproduced in extraction)
Probit Equivalent Toxic Dose (PFatality = 0.01)  | (value not reproduced in extraction)
For the example in Table 2, a release of hydrogen cyanide was modeled using dispersion
software. The outdoor release included an inventory of 200 pounds HCN at 20°F and 50 psig
being released from a 0.1 inch hole. The release duration was approximately 15 minutes and was
assumed to be released horizontally at 4 feet elevation. The constants used in the Probit
relationship for HCN were obtained from the Dutch “Purple Book” [4], a = -9.43, b = 1, and n =
2.4 in ppmv. The height used for estimation of the endpoint concentration was 4 feet. The use
of a Probit relationship for this scenario would lead to a different conclusion based on the smaller
consequence zone for the release. The difference of 1,500 feet can mean the difference between
classifying the consequence for a given LOPA scenario as non-fatal versus fatal depending upon
the target population location. Note that the use of Probit numbers allows for a more accurate
estimation of the impact zone for a toxic release. In this example, the impact zone was notably
smaller. However, for other examples, the impact zone may actually be larger than that
calculated using ERPG3.
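The following Python is an added worked example of the Probit comparison described above; it is not code from the paper or from Dow. Because Equations 1 and 2 did not survive extraction on this page, the example assumes the standard Purple Book forms, Pr = a + b ln(C^n t) and P = 0.5 [1 + erf((Pr - 5)/sqrt 2)]; the HCN coefficients (a = -9.43, b = 1, n = 2.4, C in ppmv, t in minutes), the 25 ppm ERPG-3 level and the 15 minute duration are the values quoted in the text. The bisection solver is an addition of this example. It produces concentrations, not distances; converting a concentration endpoint to the distances of Table 2 still requires the dispersion model the authors ran.

```python
import math

# HCN Probit coefficients as quoted in the paper from the Dutch "Purple Book":
# a = -9.43, b = 1, n = 2.4, with C in ppmv and t in minutes.
HCN_PROBIT = {"a": -9.43, "b": 1.0, "n": 2.4}

# ERPG-3 concentration for HCN and the release duration used in the paper's Table 2 example.
ERPG3_HCN_PPM = 25.0
RELEASE_MINUTES = 15.0


def probit(conc_ppm, minutes, a, b, n):
    """Toxic-load Probit.  ASSUMED form (the paper's Eq. 1 did not survive
    extraction): Pr = a + b * ln(C**n * t), the usual Purple Book relationship."""
    if conc_ppm <= 0 or minutes <= 0:
        raise ValueError("concentration and duration must be positive")
    return a + b * math.log(conc_ppm ** n * minutes)


def probability_of_fatality(pr):
    """Probit -> probability.  ASSUMED form (Eq. 2 survived only as '0.5', '1'
    and 'erf'): P = 0.5 * (1 + erf((Pr - 5) / sqrt(2))), i.e. the normal CDF
    centred on Probit 5."""
    return 0.5 * (1.0 + math.erf((pr - 5.0) / math.sqrt(2.0)))


def p_fatality(conc_ppm, minutes, coeffs=HCN_PROBIT):
    """Probability of fatality for a constant concentration held for `minutes`."""
    return probability_of_fatality(probit(conc_ppm, minutes, **coeffs))


def concentration_for_probability(target_p, minutes, coeffs=HCN_PROBIT,
                                  lo_ppm=1e-3, hi_ppm=1e6):
    """Invert p_fatality: the concentration that, over `minutes`, gives target_p.
    P is monotone increasing in C, so a bisection on log(C) is safe; the search
    range spans nine decades, which covers any practical endpoint."""
    if not 0.0 < target_p < 1.0:
        raise ValueError("target probability must lie strictly between 0 and 1")
    lo, hi = lo_ppm, hi_ppm
    for _ in range(200):
        mid = math.sqrt(lo * hi)  # geometric midpoint: concentrations span decades
        if p_fatality(mid, minutes, coeffs) < target_p:
            lo = mid
        else:
            hi = mid
    return hi


def compare_endpoints(minutes=RELEASE_MINUTES, erpg3_ppm=ERPG3_HCN_PPM, target_p=0.01):
    """Return (P at the ERPG-3 concentration, concentration at target_p).
    Both are concentrations, not distances; the distances in Table 2 come from
    the dispersion model the paper used, which is not reproduced here."""
    return p_fatality(erpg3_ppm, minutes), concentration_for_probability(target_p, minutes)


if __name__ == "__main__":
    p_at_erpg3, c_at_1pct = compare_endpoints()
    print(f"P(fatality) at ERPG-3 ({ERPG3_HCN_PPM:.0f} ppm, {RELEASE_MINUTES:.0f} min): {p_at_erpg3:.2e}")
    print(f"Concentration giving P(fatality) = 0.01 over {RELEASE_MINUTES:.0f} min: {c_at_1pct:.1f} ppm")
```

With these constants the 1% fatality endpoint for a 15 minute exposure sits at roughly 50 ppm, about twice the 25 ppm ERPG-3 level, which is why the Probit endpoint in Table 2 lies closer to the source than the ERPG-3 endpoint. As the text notes, other chemicals and other coefficient sets can move the Probit endpoint the other way, so the comparison has to be re-run per chemical rather than assumed.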
4. Developing Scenarios – The Misuse of Double Jeopardy
Although originally a legal term, one place in the Process Safety world that double jeopardy is
defined is in API Standard 521 “Pressure Relieving and Depressuring Systems” [5], describing
when consideration should be given to more than one overpressure cause at a time. A similar
approach can be applied to LOPA. In API 521, double jeopardy for relief systems is defined in
the following manner:
The causes of overpressure are considered to be unrelated if no process or mechanical or
electrical linkages exist among them, or if the length of time that elapses between
possible successive occurrences of these causes is sufficient to make their classification
unrelated. The simultaneous occurrence of two or more unrelated causes of overpressure
(also known as double or multiple jeopardy) is not a basis for design.
In a similar manner, LOPA teams can generally dismiss scenarios that result from multiple
unrelated failures that must occur at the same time as non-credible. However, the trap LOPA
teams can fall into is to dismiss all multiple failure scenarios as non-credible, as some of them
may be credible, as illustrated below.
For illustration, consider Figure 3 which shows a reaction system with 2 co-feeds going through
a plug-flow reactor. The reactor is equipped with feed controls on each of the feeds, and also has
a pressure control valve on the outlet to maintain an intended pressure in the system. Heat
removal from the exothermic reaction is done in a jacketed system surrounding the reactor.
Figure 3: Plug Flow Reactor with 2 Feeds and Cooling System
This system will be used to illustrate when “double jeopardy” should and should not be
considered in LOPA. Three scenarios will be discussed to illustrate (1) dual failure (true double
jeopardy); (2) common-mode failure; (3) dual failure where one failure is latent.
4.1 Dual failure (true double jeopardy)
The LOPA team is considering a scenario which results in overpressure of the reactor due to the
reactor being isolated on both ends with residual reaction continuing, causing liquid thermal
expansion and eventually reactor leak or rupture. One initiating event is the closure of the
reactor outlet control valve, which is caused by a downstream interlock to prevent reactor feeds
from going forward. This specific scenario is non-credible because the cooling system is
sufficient to remove any residual reaction heat in this situation. Basically, the scenario would
require two events to occur at the same time – the closure of the reactor outlet valve and the
failure of the cooling system.
This dual failure can truly be considered non-credible most of the time because either failure is
obvious and responded to rapidly. If loss of cooling occurs, the feeds should be stopped due to
high reactor temperature. If the reactor outlet valve closes, the feeds are tripped automatically,
but residual heat of reaction is removed by the cooling system. Both of these single events
should be considered in the LOPA as initiating events. But the dual failure scenario does not
need to be considered unless there is a common mode failure, as discussed next.
4.2 Common-mode failure
Taking the same scenario as above, there is a credible, single-point failure that could cause both
the reactor outlet valve to close and loss of cooling to occur simultaneously: a total plant power
failure. The power failure would cause loss of cooling due to circulation pump failure and/or
cooling media failure. The power failure would also cause the reactor outlet valve to fail closed
due to loss of instrument air when the electric air compressor supplying it shuts down.
Therefore, this is not a “double jeopardy” scenario, and is a credible scenario that should be
considered in LOPA.
4.3 Dual failure where one failure is latent
The two situations above are fairly straightforward for most to understand. But what if the dual
failures that are required for a LOPA scenario to be credible do not occur simultaneously, but
sequentially? And what if the first failure is not obvious to the operating team until some later
activity takes place or even until the second failure occurs? This is where more can fall into the
trap of dismissing credible LOPA scenarios.
In the reaction system previously discussed, a set of Safe Operating Limits (SOLs) have been
developed based on various factors. One of the factors is the situation discussed above where it
is assured that there is sufficient cooling to remove the residual heat of reaction when a trip
occurs that isolates the reactor. One of the SOLs is Reactant feed ratio between Reactants A and
B. If the ratio is outside the SOL, there can be enough residual heat of reaction during a reactor
isolation that there is insufficient heat removal capability and an overpressure can occur with
cooling present.
If there is a shift in the flow measurement of either reactant, it can cause the feed ratio to be
outside the SOL. Certainly a drastic shift would result in an obvious failure that would be acted
on. But a more subtle shift would probably only impact operating performance. If the shift is
subtle enough, it could take days, weeks or even months to detect, diagnose and then correct the
problem. Should the second failure of the reactor outlet valve occur during that time, the reactor
is vulnerable to overpressure. One will need to consider this “mean time to detection” of the first
failure in their analysis. Ultimately, this situation is complicated enough that fault-tree analysis
may be warranted to establish the initiating event frequency.
So this dual failure situation is credible due to the latency of the first failure. The time it takes to
identify and correct the first failure in the sequence will determine whether further analysis is
needed in LOPA.
5. Scenario Selection - Using Independent Protection Layers (IPLs) to declare a LOPA scenario non-credible
For some, it is tempting to declare a LOPA scenario non-credible if there are robust protection
layers in place. Here are four examples which illustrate this trap.
5.1 Remote impoundment and sloped drainage for flammable storage
Consider a flammable storage tank with remote impoundment and sloped drainage away from
the tank. A pool fire at the tank may be considered non-credible due to the sloping and remote
impoundment which is designed to collect and direct any spills safely away from the tank.
However, the sloping and remote impoundment is actually a protection layer which can fail. The
slope may change over time due to accumulation of debris or construction in the area. Similarly,
the drainage path to remote impoundment may become clogged resulting in an inability to drain
away from the tank. Therefore, a pool fire should be deemed a credible scenario and the sloped
drainage to remote impoundment should be evaluated as a protection layer. If deemed an
appropriate protection layer, sloped drainage should be inspected and tested periodically. See
Robert F. Wasileski and Fred Henselwood’s 2010 paper, “LOPA: Going Down the Wrong Path”
for details on the requirements of this type of protection layer.
5.2 Reverse flow
Reverse flow is another common scenario deemed non-credible when it should be included in the
Layer of Protection Analysis. Consider a system utilizing redundant check valves as indicated in
Figure 4 to prevent reverse flow:
Figure 4: Reverse Flow
In the example shown in Figure 4, if a significant quantity of monomer is introduced into the
initiator tank, a runaway reaction could potentially rupture the tank. As designed, if both check
valves fail, reverse flow can occur any time the pressure in the monomer piping is higher than
the pressure in the initiator piping. Although having more than one check valve does reduce the
risk of reverse flow, it does not eliminate the possibility of reverse flow. Additionally, one may
not know that one of the check valves has malfunctioned until the second check valve
malfunctions. Therefore, this scenario should be considered in the LOPA.
Some do not use check valves as IPLs because of their tendency to fail over time. If they are
used as IPLs, they should be periodically tested to meet the integrity requirements assumed in the
LOPA. Otherwise, one may choose other forms of backflow protection (that are not as likely to
result in latent failure), such as a differential pressure (dP) measurement with low dP triggering
an automated valve to close.
5.3 Fail-safe valve position
Another tempting non-credible scenario is using the “Fail Safe” position of a valve. Fail safe
refers to the common design practice to specify a valve with the “shelf” (de-energized) position
to be the tripped position. This is known as de-energize to trip or fail safe. Consider a
distillation column that can overpressure if a steam control valve fails in the full open position.
If the control valve has the “fail safe” position specified as closed, that doesn’t mean the valve
cannot fail in the full open position.
For this particular example, there are numerous causes that could result in the steam valve failing
in the full open position. If the control valve set point is manually entered, there could be an
operator error when selecting the desired percent open for the valve. If the valve is part of an
automated temperature control loop, another part of the loop could fail which may result in the
valve opening to the full open position. Finally, there could be mechanical reasons that cause the
valve to fail in the full open position.
This mechanical type of failure was observed by the authors during an incident investigation. A
large valve specified to “fail closed” was unable to close due to a bolt which loosened while the
valve was in operation. The loose bolt was integral to the closing action of the valve. The loose
bolt prevented the valve from closing in spite of the “fail closed” valve design. In this instance,
it was likely that the bolt was not properly torqued during a valve rebuild. This is an example of
a valve failing in any position and why scenarios should not be deemed non-credible because of
the fail-safe position of a valve.
5.4 Robust protection layers
Robust protection layers may lead one to determine a scenario is non-credible. The more robust
the protection layer, the greater the temptation. Consider the brine transfer system in Figure 5
below. In this system, Brine is transferred from one area of a plant to another utilizing piping
constructed of High Density Polyethylene (HDPE). Included in the system is a pigging station.
For simplicity, only one of the pig catchers is included in the figure. When pigging is being
performed, the pig is sent down the pipe and captured in a pig catcher. Once the pig arrives in
the pig catcher, the flow is diverted around the pig catcher via the bypass valve and the pig
catcher is isolated using the two pig trap block valves. Based on engineering calculations, it was
determined that pressure in the HDPE pipe in this system could exceed the maximum allowable
working pressure (MAWP) if either of the pig trap valves was closed prior to opening the bypass
valve due to hydraulic hammer effects. Engineering calculations also indicated that if a 2” line
to the destination tank was added to the design, this would reduce the peak pressure to below the
MAWP of the piping. See Figure 5 below for the proposed design modification.
Figure 5: Brine Transfer System
The new 2” bypass line added to direct material to the Brine Storage Tank will help prevent
rupture of the HDPE line due to hydraulic hammer events; however, it is a protection layer that
must be maintained. If there are valves in the line, there will need to be administrative controls
in place to ensure that the valves remain open. Regardless of the presence of valves in the
bypass line, flow through the line must be periodically confirmed to ensure that the flow path
remains available. Finally, there must be no seal legs in the line if the material in question is
subject to freezing at ambient temperatures.
6. Identifying Initiating Events – Protection Layers That Can Cause a New Scenario
In the authors’ previous paper on common LOPA errors, an example was presented where a feed
system is shut down to prevent overfill, but the consequences upstream needed to be considered
as well [7]. The end result was shutdown of the entire facility to prevent a second hazardous
event that results from an activation of a protection layer. Here are two more examples of
hazardous situations that can be created unintentionally by protective systems.
The first case involves a system designed to protect a distillation column from overpressure. The
overpressure would result from overheating the material in the base of the column to the point
where the material violently decomposes. There were high temperature interlocks on the system
that tripped the heat source to the distillation column before the decomposition point. But there
was also a protection system that dumped the column contents to an open-roof tank on high-high
temperature. The intent here was to provide sufficient area for the decomposition products to
vent, protecting the column from rupture. The problem with this protection strategy is that the
column contents are moderately toxic and the open-roof tank was located in a work area. So an
activation of this system, either due to actual high-high temperature or because of a spurious trip,
creates a second scenario that is undesirable.
The most elegant solution would be an inherently-safe one, for example by limiting the heating
media such that it could not cause decomposition. That was not feasible in this case, so the
recommendation was to increase the integrity of the steam shut-down system such that the risk
tolerance was met without using the dump system. If the system dynamics were such that the
steam shut-off system was not effective and the dump system was necessary, then a system that
is fault-tolerant to prevent spurious trips is necessary. That is the situation with the second case.
The second case involves an emergency quench system that is present in a gas phase reactor with
a liquid cooling media in an external shell. This cooling media has the potential to react with
solid deposits from the reaction and form explosive compounds when temperatures are at the
normally elevated operating temperature. At cooler temperatures, the reaction is stopped.
An inherently-safe design would change the cooling media to one that is not reactive. However,
that was not feasible in a retrofit situation. So a protection system was installed that consisted of
a leak detection system to detect intrusion of the cooling medium into the reactor. When a leak
is detected, a water quench system is activated to rapidly cool the surfaces where the reactive
deposits could be present. This action stops the reaction and prevents the scenario from
progressing to an overpressure situation.
However, there is a downside to this protective system. Repeated quenching with cool water on
the hot metal surface will cause damage to the reactor. So in this situation, while the quench
system is still clearly the best protection once the leak occurs, a system design that minimizes
spurious trips was needed. See Figure 6 for the design that was implemented. In this case,
two-out-of-three (2oo3) voting on the sensing elements was provided. For the outputs, the
following design was implemented:
1. If the quench water supply is unavailable, the reactor can’t run
2. 2 parallel quench water supply lines with separate valves
3. Quench water valves were fail-closed (energize to trip)
4. Power to quench water valves was supplied by the Safety Instrumented System (SIS). If the
SIS loses power, the reactor can’t run.
5. Pneumatic actuation was supplied by air to one valve and nitrogen to the other
Figure 6: Reactor Quench Water System with Fault-Tolerant Design.
As a result of these features, the design was both very reliable and fault-tolerant to prevent
spurious trips. For the LOPA team, the key is to recognize the consequences of activation of the
chosen IPLs and be prepared to accept the consequences of either a true activation or a spurious
7. Identifying IPLs – Problems With Alarm Response IPLs
Figure 7: Chain of events for Successful Response to
A chain of events must occur correctly for an alarm response to be successful. The chain is only
as strong as the weakest link. In many situations, the human aspect is the weak link. Previous
publications have described the potential problems with using human response to alarms as IPLs
in LOPA [1][8]. Refer to Figure 7 for a diagram showing the minimum steps that are required to
be executed successfully for an alarm protective function to work correctly. In this paper, several
case studies focused on two aspects that can affect the human response will be discussed.
7.1 The alarm response puts the responder in harm’s way
The first aspect relates to a situation where the alarm response could put the responder in harm’s
way. In one case study, the response to a high temperature alarm was to mitigate a reactivity
concern. In this situation, the operator needed to activate a system that adds an agent to stop the
reaction before it becomes too energetic and ruptures the tank. In some situations, the addition
system for the stopping agent was manually hooked up to the tank in the field. If there was
insufficient guidance on when the reaction had progressed to the danger point, it is possible to
send the operator directly into the impact zone and into harm’s way. In this case, because the
reaction progressed slowly enough, it was a simple matter of providing guidance in the response
procedure to not approach the tank if the temperature was above a certain point. In some
situations where the potential for reaction was higher, the addition of the stopping agent was
automated so that it could be done from the control room.
A second situation was similar in that it called for a response to a high temperature due to a
reactivity concern. However, in this situation instead of a stopping agent, auxiliary cooling was
to be added to remove the additional heat of reaction and keep the mixture from boiling and
overpressuring the system. The auxiliary cooling was to be added by the operator manually in
Global Congress on Process Safety - 2012
the field by opening several valves around the reaction system. This would again put the
operator in harm’s way during the alarm response.
In a review of the reaction rate, it was determined that the temperature would rise very fast. So it
would not be feasible to implement guidance for a maximum temperature to allow approach to
the tank. As a result, it was decided in this instance that the auxiliary cooling must be automated
based on high temperature.
7.2 To respond or not to respond? A difficult question
With the proper training and periodic drilling, the typical operator can respond reliably to an
alarm. However, one situation that can significantly impact the operator’s response reliability is
when there are negative consequences associated with a “correct” response. In that case, the
operator can be faced with a difficult decision.
One example of a tough decision for an operator involves a utility boiler which was not equipped
with an automatic low-water cutoff, just an alarm. If the boiler were to shut down, it would take
a large industrial complex down due to low steam pressure. Historically, the facility had been
hesitant to automate the response due to concerns with spurious trips taking the industrial
complex down.
So when the low water alarm came in, the operator was faced with the decision of shutting the
boiler down to prevent tube rupture or shutting down the large industrial complex. Neither
choice results in a good outcome, and to expect an operator to reliably choose correctly between
those two situations is too much to ask. In a review of a trend of the level, multiple instances of
level below the safe operating limits were observed, so clearly the operators were risking damage
to the boiler in order to prevent the steam header from crashing. Although there had been no
tube ruptures, during periodic inspection of the boiler, bulging of some of the tubes was observed
that required repair.
The bottom line is that LOPA teams need to understand how the plant really is operated and
incorporate that into their decisions on what protective strategy to take. In this case, the right
decision was to automate the shutdown of the boiler and remove the decision from the operator.
After the automation of the low level shutdown, several instances occurred where the industrial
complex went down due to low pressure. Although this was costly, it forced the facility to
address the causes of low level and improve the reliability of the system. Also, at the next boiler
inspection, there was no bulging of the tubes found. So the long term reliability of the system
was improved, and the operators were not forced to choose between two undesirable outcomes.
8. Conclusions
Layer of Protection Analysis is a popular risk analysis tool, and can be an excellent way to
evaluate many scenarios efficiently. Although it is a simplified tool, practitioners need to be
aware of the potential pitfalls and limitations to effectively use LOPA. The examples illustrated
in this paper indicate that errors can be made in all four of the major LOPA steps, 1) Estimating
Consequences and Severity, 2) Developing Scenarios, 3) Identifying Initiating Event
Frequencies, and 4) Identifying Independent Protection Layers. It is the authors’ hope that
providing the case studies of actual plant scenarios in this paper will aid the reader in
understanding how to properly use the LOPA methodology.
9. Disclaimer
This information was developed solely for The Dow Chemical Company's internal use. The
authors are making this information available without any guarantee that it is appropriate for the
reader’s purposes as conditions and methods of use of the information are beyond our control.
The Dow Chemical Company disclaims any liability for use of this information by persons
outside of the Company.
10. References
[1] Layer of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical Process Safety, 2001.
[2] Summers, Angela, Voghtman, William and Smolen, Steven, “Consistent Consequence Severity Estimation,” Process Safety Progress Online, December 4, 2011.
[3] Dharmavaram, S. and Klein, James A., “Using Hazard Assessments to Prevent Loss of Containment,” Process Safety Progress, Volume 29, Issue 4, December 2010.
[4] RIVM, Reference Manual Bevi Risk Assessments, version 3.2, Dutch “Purple Book”.
[5] “Pressure-relieving and Depressuring Systems,” ANSI/API STANDARD 521 FIFTH 2008, API Publishing Services, 1220 L Street, N.W., Washington, D.C.
[6] Wasileski, Robert F. and Henselwood, Fred, Process Safety Progress, Volume 30, Issue 2, June 2011.
[7] Study, Karen A. and Champion, John W., “LOPA misapplied: Common errors can lead to incorrect conclusions,” Process Safety Progress, Volume 28, Issue 4, December 2009.
[8] Guidelines for Hazard Evaluation Procedures, Center for Chemical Process Safety, The American Institute of Chemical Engineers and John Wiley & Sons, Inc., 2008.