Process Operability Class Materials Safety: Layer of Protection Copyright © Thomas Marlin 2013 The copyright holder provides a royalty-free license for

Process Operability Class MaterialsSafety: Layer of Protection

Copyright © Thomas Marlin 2013The copyright holder provides a royalty-free license for use of this material at non-profit

educational institutions

FC1

LC1

FC

1

TC

1

TC

2

T

10

T

12

T

11

T

13

fuel

LC

1

L2

LAHLAL

F

4

Basic flowsheet Design with Operability

• HAZARD IDENTIFICATION1. Check lists2. Dow Relative Ranking3. HAZOP - Hazard and Operability

• LAYER OF PROTECTION ANALYSIS1. Express risk target quantitatively2. Determine risk for system3. Reduce risk to meet target

• HAZARD ASSESSMENT- Fault Tree- Event Tree- Consequence analysis- Human Error Analysis

• ACTIONS TO ELIMINATE OR MITIGATE - Apply all engineering sciences

Semi-quantitative analysis to give order-of-magnitude estimate

We will use our group skills and knowledge of safety layers in applications.

More accurate

ACHIEVING ACCEPTABLE RISK

Layer of Protection Analysis

• FAR: Fatal Accident Rate - This is the number of fatalities occurring during 1000 working lifetimes (108 hours). This is used in the U.K.

• Fatality Rate = FAR * (hours worked) / 108

• OSHA Incidence Rate - This is the number of illnesses and injuries for 100 work-years. This is used in the USA.

Safety Layer of Protection Analysis1. Express risk target quantitatively

Activity FARChemical Industry 4Steel Industry 8Coal Mining 40Construction 67Uranium 70Asbestos (old data?) 620

Staying home 3Traveling by automobile 57Traveling by airplane 240Cigarette smoking ???

What is the fatality rate/year for the chemical industry?

What is FAR for cigarette smoking?


FAR Data for typical Activities

Question: What is the fatality rate (/year) in the chemical industry?

(4) (8 h/day) (5 day/week) (45 weeks/y) / 108 = 7.2 x 10-5

FAR Chemical Industry4

FAR Cigarette smoking???

FAR = 40 for smoking

T. Kletz, “Eliminating Potential Process Hazards”, Chem. Eng., April 1, 1985

• One standard used is to maintain the risk for involuntary activities less (much less?) than typical risks such as “staying home”

- Results in rules, such as fatality rate < 10-6/year- See Wells (1996) Table 9.4- Remember that many risks exist (total risk is sum)

• Are current risks accepted or merely tolerated?

• We must consider the inaccuracies of the estimates

• We must consider people outside of the manufacturing site.


• People usually distinguish between voluntary and involuntary risk. They often accept higher risk for voluntary activities (rock climbing).

• People consider the number of fatalities per accident

Fatalities = (frequency) (fatalities/accident)

.001 = (.001) (1) fatalities/time period

.001 = (.0000001)(100,000) fatalities/time period

We need to consider frequency and consequence


1.00E-09

1.00E-08

1.00E-07

1 10 100

Deaths per event, N

Pro

bab

ility

or

Fre

qu

ency

, F

(ev

ents

/yea

r)

“Acceptable risk”

“Unacceptable risk”

The design must be enhanced to reduce the likelihood of death (or serious damage) and/or to mitigate the effects.

The decision can be presented in a F-N plot similar to the one below. (The coordinate values here are not “standard”; they must be selected by the professional.)


“Choosing Appropriate Quantitative Safety Risk Criteria Applications from the New CCPS Guidelines” by Walt Frank (Frank Risk Solutions, Inc.) and Dave Jones (Chevron Energy Technology Company)

Some Published F-N Plots

Some Published F-N Plots

Lees, F. (1996) Loss Prevention in the Process Industries 2nd Ed., Vol. 1, page 9/83.

Safety Layer of Protection Analysis2. Determine the risk for system

• In Layer of Protection Analysis (LOPA), we assume that the probability of each element in the system functioning (or failing) is independent of all other elements.

• We consider the probability of the initiating event (root cause) occurring

• We consider the probability that every independent protection layer (IPL) will prevent the cause or satisfactorily mitigate the effect


IPL1

Initiating event, f I

IPL2

IPL3Failure,

PFD1

Failure, PFD2

IPLn

Failure, PFDn

Safe/tolerable

Unsafe!

f I is the probability of the initiating event or root cause

PFDi is the probability of failure on demand (PFD) for each IPL (i)


Recall that the events are considered independent

The probability that the unsafe consequence will occur is the product of the individual probabilities.

ijPFDn

jI

ifCif )(

1

w here i = scenario or event j = IPL layer f I

i = frequency of initiating event I for scenario i f C

i = frequency of consequence for scenario i PFD ij = frequency of failure on dem and of layer j in scenario i

IPL1

Initiating event, f I

IPL2

IPL3Failure,

PFD1

Failure, PFD2

IPLn

Failure, PFDn

Safe/tolerable

Unsafe!


• How do we determine the initiating events?

• How do we determine the probability of the initiating event, X

• How do we determine the probability that each IPL will function successfully?

• How do we determine the target level for the system?

HAZOP

Company, industry experience

Company, industry experience

F-N plot, depends on consequence


Data Source

The maximum frequency or probability of an accident, fi

max = F

The F-N plot or similar analysis. (A sample F-N plot is given in Figure 5.16.)

Each event leading to significant hazard in the process (i)

HAZOP study

Frequency of each event, fi I Historical data from a company or from

publications

The risk that each barrier to the accident propagation will fail on demand, PFDij

Historical data from a company or from publications


Table 5.13 Typical Frequencies of Initiating Events (f Ii) (From CCPS, 2001, Table 5.1)

Initiating Event

Frequency (events/year)

Pressure vessel failure 10-5 to 10-7 Piping failure (full breach) 10-5 to 10-6 Piping failure (leak) 10-3 to 10-4 Atmospheric tank failure 10-3 to 10-5 Turbine/diesel engine overspeed (with casing breach)

10-3 to 10-4

Third party intervention (impact by backhoe, etc.)

10-2 to 10-4

Safety valve opens spuriously 10-2 to 10-4 Cooling water failure 1 to 10-2 Pump seal failure 10-1 to 10-2 BPCS loop failure 1 to 10-2 Pressure regulator failure 1 to 10-1 Small external fire 10-1 to 10-2 Large external fire 10-2 to 10-3 Operator failure (to execute routine procedure, assuming well trained, unstressed, not fatigued)

10-1 to 10-3 (units are events/procedure)

Safety Layer of Protection Analysis3. Reduce the risk to achieve the target

The general approach is to

• Set the target frequency for an event leading to an unsafe situation (based on F-N plot)

• Calculate the frequency for a proposed design

• If the frequency for the design is too high, reduce it

- The first approach is often to introduce or enhance the safety interlock system (SIS) system

• Continue with improvements until the target frequency has been achieved


Table 5.16 Typical PFD values for safety layers (IPLs) Safety Layer (IPL) Probability of failure of demand

(failure/demand) BPCS (process control) 10-1 Alarm 10-1 to 1.0 (depends on stress and time) SIS (safety instrumented system)

10-1 to 10-4

(depends strongly on details of design and maintenance) Pressure relief 10-2 Containment * 10-2 for dike that will reduce consequences of spill

10-2 for drainage system that will reduce consequences of spill

Other layers (IPLs) * 10-2 for fireproofing 10-2 for blast wall

* These layers reduce only the major consequences of an accident. When doing a LOPA, the PFD would be 1.0 for many consequences; for example, a dike would not prevent a fire. The tabular values would be applied for only the worst consequences, e.g., for a dike, a spill flowing into the entire facility or the local community.


Table 5.14 Human failure data* PFD Situation description 1.0 Rapid action based on complex analysis to prevent

serious accident. 10-1 Busy control room with many distractions and other

demands on time and attention 10-2 Quiet local control room with time to analyze

*Based on Kletz(1999)

Some surprising data for human reliability in process operations


Medium2

Major3

Major3

Minimal1

Medium2

Major3

Minimal1

Minimal1

Medium2

low moderate high

Event Likelihood

Eve

nt

Sev

erit

y

extensive

serious

minor

Table entries

word = qualitative risk description

number = required safety integrity level (SIL)

Safety Integrity Levels(Prob. Of failure on demand)

1 = .01 to .1

2 = .001 to .01

3 = .0001 to .001

Selection documented for legal requirements

SIS Depends on structure of redundancy

SIS Depends on structure of redundancy


Often, credit is taken for good design and maintenance procedures.

• Proper materials of construction (reduce corrosion)

• Proper equipment specification (pumps, etc.)

• Good maintenance (monitor for corrosion, test safety systems periodically, train personnel on proper responses, etc.)

A typical value is PFD = 0.10

Safety Layer of Protection AnalysisWorksheet

The Layer of Protection Analysis (LOPA) is performed using a standard table for data entry.

Likelihood Probability of failure on demand

Mitigated likelihood =

4 5 6 7 8 1 2 3

Protection Layers 9 10

# Initial Event Description

Initiating cause

Cause likelihood

Process design

BPCS Alarm SIS Additional mitigation (safety valves, dykes, restricted access, etc.)

Mitigated event likelihood

Notes

max

1)( iij

n

j

Ii

Ci fPFDff

Feed

MethaneEthane (LK)PropaneButanePentane

Vaporproduct

Liquidproduct

Processfluid

Steam

FC-1

F2 F3

T1 T2

T3

T5

TC-6 PC-1

LC-1

AC-1

L. Key

Split rangePAH

LALLAH

cascade

Class Exercise 1: Flash drum for “rough” component separation for this proposed design.

Safety Layer of Protection AnalysisProcess examples

4 5 6 7 8 1 2 3



Initiating cause

Cause likelihood

Process design



Notes

1

High pressure

Connection (tap) for pressure sensor P1 becomes plugged

Pressure sensor does not measure the drum pressure

Class Exercise 1: Flash drum for “rough” component separation. Complete the table with your best estimates of values.

The target mitigated likelihood = 10-5 event/year

The likelihood of the event = 10-1 events/year


Class Exercise 1: Some observations about the design.

• The drum pressure controller uses only one sensor; when it fails, the pressure is not controlled.

• The same sensor is used for control and alarming. Therefore, the alarm provides no additional protection for this initiating cause.

• No safety valve is provided (which is a serious design flaw).

• No SIS is provided for the system. (No SIS would be provided for a typical design.)


Class Exercise 1: Solution: Original design.


Feed


Vaporproduct

Liquidproduct

Processfluid

Steam

FC-1

F2 F3

T1 T2

T3

T5

TC-6 PC-1

LC-1

AC-1

L. Key

Split range

LALLAH

cascade

PAH

When the connection to the sensor is plugged, the controller and alarm will fail to function on demand

Class Exercise 1: Solution using initial design and typical published values.

4 5 6 7 8 1 2 3



Initiating cause

Cause likelihood

Process design



Notes

1

High pressure


0.10 0.10 1. 1.0 1.0 1.0 .01 Pressure sensor does not measure the drum pressure

Much too high! We must make improvements to the design.

Gap = 10-2/10-5 = 103 (sometimes given as the exponent “3”)


Class Exercise 1: Improved Design.


Feed


Vaporproduct

Liquidproduct

Processfluid

Steam

FC-1

F2 F3

T1 T2

T3

T5

TC-6 PC-1

LC-1

AC-1

L. Key

Split range

LALLAH

cascade

P-2PAHH

PAH

4 5 6 7 8 1 2 3



Initiating cause

Cause likelihood

Process design



Notes

1

High pressure


0.10 0.10 1.0 0.10 1.0 PRV 0.01

.00001 Pressure sensor does not measure the drum pressure The PRV must exhaust to a separation (knock-out) drum and fuel or flare system.

Class Exercise 1: Solution using improved design and typical published values.

Enhanced design includes separate P sensor for alarm and a pressure relief valve.

The enhanced design achieves the target mitigated likelihood.

Verify table entries.



Class Exercise 1: Each IPL must be independent.

For the solution in the LOPA table and process sketch, describe some situations (equipment faults) in which the independent layers of protection are

- Independent

- Dependent

For each situation in which the IPLs are dependent, suggest a design improvement that would remove the common cause fault, so that the LOPA analysis in the table would be correct.

Hints: Consider faults such as sensor, power supply, signal transmission, computing, and actuation

Safety Layer of Protection AnalysisApproaches to reducing risk

• The most common are BPCS, Alarms and Pressure relief. They are typically provided in the base design.

• The next most common is SIS, which requires careful design and continuing maintenance

• The probability of failure on demand for an SIS depends on its design. Duplicated equipment (e.g., sensors, valves, transmission lines) can improve the performance

• A very reliable method is to design an “inherently safe” process, but these concepts should be applied in the base case

Safety Layer of Protection AnalysisApproaches to reducing risk

• The safety interlock system (SIS) must use independent sensor, calculation, and final element to be independent!

• We desire an SIS that functions when a fault has occurred and does not function when the fault has not occurred.

• SIS performance improves with the use of redundant elements; however, the systems become complex, requiring high capital cost and extensive ongoing maintenance.

• Use LOPA to determine the required PFD; then, design the SIS to achieve the required PFD.


Class Exercise 2: Fired heater to low air flow rate.

FT1

FT2

PT1

PIC

1

AT1

TI1

TI2

TI3

TI4

PI2

PI3

PI4

TI5

TI6

TI7

TI8

TI9

FI3

TI10

TI11

PI5

PI6

air Fuel gas

feed

Flue gas


Class Exercise 2: Fired heater to low air flow.

4 5 6 7 8 1 2 3



Initiating cause

Cause likelihood

Process design



Notes

1

Combustibles in stack, fire or explosion

Limited air supply because air fan/motor fails

Frequency of air fan/motor failure is 0.10 to 1.0 events/year(Lees and CCPS)



4 5 6 7 8 1 2 3



Initiating cause

Cause likelihood

Process design



Notes

1

No/low air flow to heater burners

Failure of the air fan/blower

0.10 0.10 1.0 1.0 1.0 ------ 0.01

Much too high! We must make improvements to the design.


Class Exercise 2: Fired heater to low air flow rate.

FT1

FT2

PT1

PIC

1

AT1

TI1

TI2

TI3

TI4

PI2

PI3

PI4

TI5

TI6

TI7

TI8

TI9

FI3

TI10

TI11

PI5

PI6

air Fuel gas

feed

Flue gas

Flow control

FAlarms

Alarm

SIS Redundant air flow and pressure sensors



4 5 6 7 8 1 2 3



Initiating cause

Cause likelihood

Process design



Notes

1

No/low air flow to heater burners

Limited air supply because air fan/motor fails

1.0 0.10 1.0 0.10 0.01 0.0001

Reasonable, but a little high.


Class Exercise 3: Fired heater to low feed flow rate.

FT1

FT2

PT1

PIC

1

AT1

TI1

TI2

TI3

TI4

PI2

PI3

PI4

TI5

TI6

TI7

TI8

TI9

FI3

TI10

TI11

PI5

PI6

air Fuel gas

feed

Flue gas



4 5 6 7 8 1 2 3



Initiating cause

Cause likelihood

Process design



Notes

1

No process flow, equipment damage, tube rupture and fire, loss of production

Feed pump/motor fauls

Probability of feed pump/motor failure is 0.01 events/year



4 5 6 7 8 1 2 3



Initiating cause

Cause likelihood

Process design



Notes

1

Low feed flow rate to tubes in fired heater

Failure of feed pump

0.010 0.10 1.0 1.0 1.0 ------ 0.001

Too high! We must make improvements to the design.



FT1

FT2

PT1

PIC

1

AT1

TI1

TI2

TI3

TI4

PI2

PI3

PI4

TI5

TI6

TI7

TI8

TI9

FI3

TI10

TI11

PI5

PI6

air Fuel gas

feed

Flue gas

FFAH

FS

To SIS

SIS Redundant air flow and pressure sensors



4 5 6 7 8 1 2 3



Initiating cause

Cause likelihood

Process design



Notes

1

Low feed flow rate to tubes in fired heater

Failure of feed pump

0.010 0.10 1.0 0.10 0.01 ------ 0.000001

OK! This is very acceptable for a scenario that is not an immediate safety concern, although tube rupture could lead to

a fire. Note that the financial loss would be large.

Kletz (2001) emphasizes the necessity to avoid “jiggling” the values, i.e.,

selecting the values (usually by using lower failure rates) to justify a simpler, less costly design. Such a practice would be unethical and could lead to serious consequences.

Engineers are urged to, “call them like you see them” (CCPS, 1992), which means to make your best safety recommendations without being unduly influenced by cost, project deadlines, management’s preconceived ideas and so forth.

When working on safety, professionals require an ethical approach!

BossSafety study leader

Safety study team

LO PA A nalyst

Set G oals

• D efine process scope• D efine data resources• D efine F-N tradeoffs

A ssem ble R esources

• See Section 5.14

H azard Identification

• D ow Prelim inary M ethods• Check list/ W hat-if• H A ZO P

Finalize safety design

• LO PA analysis• Integrated risk determ ined

R eport and M anagem ent acceptance

• Com m itm ent to actions

Hazards and Operability Analysis

&

Layer of Protection Analysis

can and should be integrated for safety

management

BP Deepwater Horizon, April 20, 2010

Let’s not have this result from our work!

References Dowell, A. and D. Hendershoot, Simplified Risk Analysis - Layer of Protection Analysis, AIChE National Meeting, Indianapolis, Paper 281a, Nov. 3-8, 2002 Dowell, A. and T. Williams, Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data, Process Safety Progress, 24, 1, 38-44 (March 2005). Frederickson A., Layer of Protection Analysis, www.safetyusersgroup.com, May 2006

Gulland, W., Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons, http://www.chemicalprocessing.com/whitepapers/2005/006.html

Haight, J. and V. Kecojevic, Automation vs. Human Intervantion: What is the Best Fit for the Best Performance?, Process Safety Progress, 24, 1, 45-51 (March 2005)

Melhem, G. and P. Stickles, How Much Safety is Enough, Hydrocarbon Processing, 1999

Wiegernick, J., Introduction to the Risk-Based Design of Safety Instrumented Systems for the Process Industries, Seventh International Conference on Control, Automation, Robotics and Vision, Singapore, Dec. 2002.

Safety Layer of Protection Analysis

http://www.chemicalprocessing.com/whitepapers/2005/006.html

Documents

Process Operability Class Materials Safety: Layer of Protection Copyright © Thomas Marlin 2013 The copyright holder provides a royalty-free license for