A LOPA Implementation Method
Breydon G Morton
DuPont
October 3, 2007
Copyright 2007 by ISA, www.isa.org
Presented at ISA EXPO 2007, 2-4 October 2007, Reliant Center, Houston, Texas

What does LOPA mean to DuPont?
• Before we (DuPont) implemented LOPA?
• How are we implementing LOPA? Tasks?

Before implementing LOPA
• Questions and Background data
  – Is Company ready for LOPA?
  – Current Foundation for Risk Assessment?
  – When is LOPA Used?
  – Risk Tolerance Established?
  – Data Required?
  – IPL’s Remain In Place?

Risk Management Philosophy?
• Values & Beliefs vs. Risk Management Strategy
  – Core Values (Safety & Health, Ethical Behavior, Respect for People, and Environmental Stewardship)
• Process Safety Management
  – Control Risk
• Standards and Policies
  – Risk Reduction > Protect (Assets, People, Environment, Public Trust)

Current Foundation Risk Assessment
• Experience & Capabilities Assessment?
  – Current Risk Management Policies
    Policy Process Safety Management (PSM) Manual
    Standards S21A (PSM), S25A (PHA)
  – Hazard Analysis Methods
    Checklists, What-If, HAZOPS, Fault Tree
  – Institutional Knowledge (Consequence & Failure Frequencies)
    Specialized Resources from Process Safety & Fire Protection (PS & FP)

Risk Tolerance Criteria
The typical industry risk tolerance for combined events that could result in irreversible human health effects, which is used to make risk reduction decisions, is 10^-4.
(Appendix E of CCPS “Layer of Protection Analysis”)

When is LOPA used?
• Within DuPont, when evaluating risk of process safety scenarios there is a need to recommend additional safety protection for risk mitigation.
• When the hazard evaluation analyst determines that a “Risk Based” approach is required and interlock design is needed.
• When a PHA team believes a scenario is too complex to make a risk judgment using purely qualitative judgment.
From Consequence severity… When is LOPA used?
– PHA teams are responsible for assigning worst case consequence severity (i.e. assuming loss of all engineering & administrative controls) using the consequence categories as defined in LOPA guidance document Table 12.2a or S25A.
– 3. …
– 4. Conduct an interlock evaluation as follows:
  A. As part of hazard evaluation, identify those events that involve interlocks (existing, recommended, and being considered)
  B. Evaluate the consequence category for the event
    1. If the consequence category is C1 or C2, then the interlock is a process interlock and should be documented accordingly in the PHA. If the same interlock is identified as a safeguard against multiple events, then the most severe event will determine the final categorization and SIL.
    2. If the consequence is financial loss only, then the interlock is a process interlock. For process interlocks mitigating financial loss hazards only, the AIB method may be used to determine the reliability requirements. See DX3S for a description of the AIB method.
    3. If the consequence category is C3, then further evaluation must be done to determine the required SIL of the interlock. The AIB method may be used to determine the reliability requirements. See DX3S for a description of the AIB method.
    4. If the consequence category is C4 (excluding multiple fatalities), then further evaluation must be done to determine the required SIL of the interlock. The AIB method may be used to determine the reliability requirements. See DX3S for a description of the AIB method.
    5. If the consequence category is C4 with multiple fatalities, then a risk-based method (LOPA, Event Tree, Fault Tree) must be used. Application of a risk-based method requires that personnel trained in process hazards analysis and in the method being used be involved.
Risk-based methods may also be applied to any hazard where the AIB method is allowed.

Data Required
• Consequences
  – Standard S25A Tables 12.2a & b, C4 through C1
  – Modeling (Scenario impact; Potential severity)
• Component Failure Data
  – DRAFT LOPA Guidance manual Table 10.2 Passive IPL’s and Table 10.3 Active IPL’s
  – DX3S Table 3 MTTFd device values
  – Vendor data
  – General industry
• Initiating Event
  – DRAFT LOPA Guidance manual Table 10.1 Frequency of Initiating Events

Table 12.2a Consequence Severity

| Type of Event/Impact | Consequence Category C-1 Minor | Consequence Category C-2 Moderate | Consequence Category C-3 Major | Consequence Category C-4 Catastrophic |
|---|---|---|---|---|
| Employee Safety and Health | No injury or health impact | Minor (MTC) injury of reversible health effects | Multiple MTC injuries; 1-2 RWC/LWC’s | One or more fatalities; Multiple LWC’s with irreversible health effects |
| Public Safety and Health | No injury or health effects | Minor injury of reversible health effects | Injury or moderate health effects; Emergency medical intervention and/or hospitalization | Death or irreversible health effects |

Table 10.2 Passive IPL’s

| IPL | Comments | PFD for DuPont LOPA |
|---|---|---|
| Dike | Will reduce frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc. | 10^-2 |
| Underground Drainage System | Will reduce frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc. | 10^-2 |
| Open Vent (or no valve) | Will prevent overpressure | 10^-2 |
| Fireproofing | Will reduce the rate of heat input and provide additional time for depressurizing/firefighting | 10^-2 |
| Blast Bunker | Will reduce the frequency of large consequences of an explosion by confining blast and protecting equipment/buildings/etc. | 10^-3 |
| Flame/Detonation Arrestors | If properly designed, installed and maintained these should eliminate the potential for flashback through a piping system or into a vessel or tank. | 10^-2 |

Table 10.3 Active IPL’s

| IPL | Comments | PFD for DuPont LOPA |
|---|---|---|
| Relief Valve | | 10^-2 (2) |
| Rupture Disc | | 10^-2 (2) |
| Basic Process Control System | | 10^-1 |
| Etc… | | Etc… |
| SIL 1 | | 10^-1 (3) |
| SIL 3 | | 10^-2 (3) |
| SIL 2 | | 10^-2 (3) |
| Battery Backup UPS with periodic inspection | | 10^-1 |
| Water Scrubber, maintained and inspected | | 10^-1 |

Table 3 MTTFd device values

| Equipment Type | Unsafe MTTFd (years) |
|---|---|
| Sensors | |
| Current Switch | 25 to 35 |
| Flame Detector | 15 to 20 |
| Etc… | Etc… |
| Logic Solvers | |
| Electromechanical relay per DX8S | 1500 to 2500 |
| Pre-configured SIS PEC logic solver | 100 to 120 |
| Etc… | Etc… |
| Final Elements | |
| Valve positioner | 25 to 30 |
| Motor Starter | 1000 to 1500 |
| Pilot solenoid | 25 to 35 |
| Etc… | Etc… |

Table 10.1 Frequency of Initiating Events

| Initiating Event | Value for DuPont LOPA (per year) |
|---|---|
| Cooling water Failure | 10^-1 |
| Regulator Failure | 10^-1 |
| Operator Failure (to execute routine procedure, assuming well trained, unstressed, not fatigued) (PFD) | 10^-2 per opportunity |
| Variable speed motor AC motor failure | 10^-1 |
| Loss of nitrogen supplied by pipeline | 10^-1 |
| Loss of electrical power, dual feed systems | 10^-2 |
| Etc. | Etc. |

Documentation: LOPA Worksheet

Slide callouts: Severity Level; Impact Event; Initiating Cause and Frequency; IPL’s; PFD of SIF; Intermediate Event Likelihood; Mitigated Event Likelihood.

Worksheet column headings: Impact Event; Severity Level; Initiating Cause; Initiating Event Frequency; Enabling Event Frequency; INDEPENDENT PROTECTION LAYERS (General Process Design; BPCS; Operator Response to Alarms, etc.; Additional Mitigation, Restricted Access; IPL Additional Mitigation, Dikes, Pressure Relief); Intermediate Event Likelihood; SIF ID; PFD; Mitigated Event Likelihood; Likelihood of person in area; Likelihood of Significant Injury; Frequency of Significant Injury; Notes.

Worksheet footnotes (fragments): "… / or Scenario # refers to WHAT-IF Item."; "… are events per year, other numerical values are average probabil…"

Example worksheet row:
– Impact Event: Overpressure TC-2, release of toxic (HFA, HFIP, H2) material/ flammable; catastrophic
– Severity Level: C4
– Initiating Cause: 8. backflow from A-206 to TC-2, P1527 failure (DRAFT LOPA Document - AC Electric motor failure)
– Numerical entries in row order: 0.100 1 1 1 1 0.01 0.1 1.0E-04 1.00E-01 1.0E-05
– Protection layer entry: Two check valves in HFA transfer line, clean service. Will be checked or replaced on a regular frequency so credit taken.
– Protection layer entry: TC-2 PRD 1205 0141 set @ 200 psi; [Has rupture disc] back to "Emergency" Scrubber, SB-126 operated as "passive" scrubber, since pump not operated, but instrumented with local temperature controller, and level
– SIF: S-1b Conceptual Design: 2460DPG Low Low (2460PT - 1822PT) closes 1825HV via MLC2.
– Tolerable Risk Criteria of XXXX met. SIL 1 for SIF needed and met.
– W932596 rev 42F, DW 49060 Rev 2N, DW44540 Rev 18J
– No. 8 in What-If was analyzed for "backflow" only. It did not identify cause for "backflow". LOPA identified a discrete cause (P1527 failure).
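
The arithmetic behind the worksheet row, as an added example that is not part of the original slides. The assignment of the row's numbers to columns (0.100 as initiating event frequency, the following six values as enabling event and protection layer credits, 1.00E-01 as the SIF PFD) and the target frequency of 1.0E-05 are assumptions, since the slide shows its criterion only as XXXX; each SIL level is credited with one order of magnitude, as the SIL 1 and SIL 2 rows of Table 10.3 do.

```python
import math

def intermediate_likelihood(initiating_freq, ipl_pfds, enabling=1.0):
    """Events/year before any SIF: initiating frequency x enabling x product of IPL PFDs."""
    if initiating_freq <= 0:
        raise ValueError("initiating event frequency must be positive (events/year)")
    for p in (enabling, *ipl_pfds):
        if not 0 < p <= 1:
            raise ValueError(f"probability outside (0, 1]: {p}")
    return initiating_freq * enabling * math.prod(ipl_pfds)

def required_sil(intermediate, target):
    """SIL needed to close the gap between intermediate likelihood and target.

    One order of magnitude of risk reduction is credited per SIL level.
    Returns 0 when no SIF is needed and None when the gap exceeds SIL 4.
    Rounding keeps float noise from pushing an exact decade into the next SIL.
    """
    orders = math.ceil(round(math.log10(intermediate / target), 9))
    if orders <= 0:
        return 0
    return orders if orders <= 4 else None

def evaluate(initiating_freq, ipl_pfds, sif_pfd, target, enabling=1.0):
    """Fill in the calculated worksheet cells for one scenario."""
    inter = intermediate_likelihood(initiating_freq, ipl_pfds, enabling)
    mitigated = inter * sif_pfd
    return {
        "intermediate": inter,
        "required_sil": required_sil(inter, target),
        "mitigated": mitigated,
        # small relative tolerance so float noise does not fail an exact match
        "target_met": mitigated <= target * (1 + 1e-9),
    }

# Values from the worksheet row; which column each belongs to is an assumption.
ROW = dict(initiating_freq=0.100, enabling=1.0,
           ipl_pfds=[1, 1, 1, 0.01, 0.1], sif_pfd=1.00e-1)
ASSUMED_TARGET = 1.0e-5  # hypothetical: the slide shows the criterion only as XXXX

if __name__ == "__main__":
    result = evaluate(target=ASSUMED_TARGET, **ROW)
    print(f"intermediate {result['intermediate']:.1e}/yr, "
          f"SIL {result['required_sil']} required, "
          f"mitigated {result['mitigated']:.1e}/yr, met={result['target_met']}")
```

Under these assumptions the calculation reproduces the row's 1.0E-04 intermediate likelihood and 1.0E-05 mitigated likelihood, and arrives at the same SIL 1 requirement the worksheet records.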

IPL’s Auditing
• Periodically assess IPL’s
  – Functional testing (SIF’s, Relief valves, etc.)
  – Periodic inspection (Dikes, machine guards etc.)
  – Preventive or replacement maintenance (Corrosion coupons and vessel thickness checks)

Implementation Tasks
• LOPA Guidance Document
  – ~59 pages
  – Target Audience: PHA Teams/Management, LOPA Analyst & Corporate
  – Purpose: Broad Overview of LOPA; definitions; IPL values; initiating event frequencies.
• LOPA Training Course and Training LOPA Analysts
  – 1-1/2 day Training course (In-house)
  – For in-house LOPA analyst certification
    LOPA analyst in training (Participate in LOPA’s with experienced, in-house certified LOPA analyst)
    Lead several LOPA’s independently
    Present LOPA examples for peer review by team of qualified LOPA analysts

Points to Remember…
• Are you (organization) ready for LOPA?
  – Risk Management Philosophy
  – Current Foundation Risk Assessment
  – Risk Tolerance Criteria
  – Data Required
• Are you (organization) up for the tasks?
  – Training
  – Guidance Document
  – IPL Auditing