A LOPA Implementation Method
Breydon G Morton
DuPont
October 3, 2007
Copyright 2007 by ISA, www.isa.org
Presented at ISA EXPO 2007, 2-4 October 2007, Reliant Center, Houston, Texas
What does LOPA mean to DuPont?
Before we (DuPont) implemented LOPA?
How are we implementing LOPA? Tasks?
Before implementing LOPA
Questions and Background data
– Is Company ready for LOPA?
– Current Foundation for Risk Assessment?
– When is LOPA Used?
– Risk Tolerance Established?
– Data Required?
– IPL’s Remain In Place?
Risk Management Philosophy?
Values & Beliefs vs. Risk Management Strategy
– Core Values (Safety & Health, Ethical Behavior, Respect for People, and Environmental Stewardship)
Process Safety Management
– Control Risk
Standards and Policies
– Risk Reduction > Protect (Assets, People, Environment, Public Trust)
Current Foundation Risk Assessment
Experience & Capabilities Assessment?
– Current Risk Management Policies
  Policy: Process Safety Management (PSM) Manual
  Standards: S21A (PSM), S25A (PHA)
– Hazard Analysis Methods
  Checklists, What-If, HAZOPS, Fault Tree
– Institutional Knowledge (Consequence & Failure Frequencies)
  Specialized Resources from Process Safety & Fire Protection (PS & FP)
Risk Tolerance Criteria
The typical industry risk tolerance for combined events that could result in irreversible human health effects, which is used to make risk reduction decisions, is 10^-4.
(Appendix E of CCPS “Layer of Protection Analysis”)
When is LOPA used?
Within DuPont, when evaluating risk of process safety scenarios there is a need to recommend additional safety protection for risk mitigation.
When the hazard evaluation analyst determines that a “Risk Based” approach is required and interlock design is needed.
When a PHA team believes a scenario is too complex to make a risk judgment using purely qualitative judgment.
From Consequence severity… When is LOPA used?
PHA teams are responsible for assigning worst case consequence severity (i.e. assuming loss of all engineering & administrative controls) using the consequence categories as defined in LOPA guidance document Table 12.2a or S25A.
3. …
4. Conduct an interlock evaluation as follows:
   A. As part of hazard evaluation, identify those events that involve interlocks (existing, recommended, and being considered).
   B. Evaluate the consequence category for the event:
      1. If the consequence category is C1 or C2, then the interlock is a process interlock and should be documented accordingly in the PHA. If the same interlock is identified as a safeguard against multiple events, then the most severe event will determine the final categorization and SIL.
      2. If the consequence is financial loss only, then the interlock is a process interlock. For process interlocks mitigating financial loss hazards only, the AIB method may be used to determine the reliability requirements. See DX3S for a description of AIB method.
      3. If the consequence category is C3, then further evaluation must be done to determine the required SIL of the interlock. The AIB method may be used to determine the reliability requirements. See DX3S for a description of AIB method.
      4. If the consequence category is C4 (excluding multiple fatalities), then further evaluation must be done to determine the required SIL of the interlock. The AIB method may be used to determine the reliability requirements. See DX3S for a description of AIB method.
      5. If the consequence category is C4 with multiple fatalities, then a risk-based method (LOPA, Event Tree, Fault Tree) must be used. Application of a risk-based method requires that personnel trained in process hazards analysis, and in the method being used, be involved.
Risk-based methods may also be applied to any hazard where the AIB method is allowed.
Data Required
Consequences
– Standard S25A Tables 12.2a & b C4 through C1
– Modeling (Scenario impact; Potential severity)
Component Failure Data
– DRAFT LOPA Guidance manual Table 10.2 Passive IPL’s and Table 10.3 Active IPL’s
– DX3S Table 3 MTTFd device values
– Vendor data
– General industry
Initiating Event
– DRAFT LOPA Guidance manual Table 10.1 Frequency Initiating Events
Table 12.2a Consequence Severity
Type of Event/Impact | Consequence Category C-1 Minor | Consequence Category C-2 Moderate | Consequence Category C-3 Major | Consequence Category C-4 Catastrophic
Employee Safety and Health | No injury of health impact | Minor (MTC) injury of reversible health effects | Multiple MTC injuries; 1-2 RWC/LWC’s | One or more fatalities; Multiple LWC’s with irreversible health effects
Public Safety and Health | No injury or health effects | Minor injury of reversible health effects | Injury or moderate health effects; Emergency medical intervention and/or hospitalization | Death or irreversible health effects
Table 10.2 Passive IPL’s
IPL | Comments | PFD for DuPont LOPA
Dike | Will reduce frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc. | 10^-2
Underground Drainage System | Will reduce frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc. | 10^-2
Open Vent (or no valve) | Will prevent overpressure | 10^-2
Fireproofing | Will reduce the rate of heat input and provide additional time for depressurizing/firefighting | 10^-2
Blast Bunker | Will reduce the frequency of large consequences of an explosion by configuring blast and protecting equipment/buildings/etc. | 10^-3
Flame/Detonation Arrestors | If properly designed, installed and maintained these should eliminate the potential for flashback through a piping system or into a vessel or tank. | 10^-2
Table 10.3 Active IPL’s
IPL | Comments | PFD for DuPont LOPA
Relief Valve | | 10^-2 (2)
Rupture Disc | | 10^-2 (2)
Basic Process Control System | | 10^-1
SIL 1 | | 10^-1 (3)
SIL 2 | | 10^-2 (3)
SIL 3 | | 10^-2 (3)
Battery Backup UPS with periodic inspection | | 10^-1
Water Scrubber, maintained and inspected | | 10^-1
Battery Backup UPS with periodic inspection | | 10^-1
Etc… | | Etc…
Table 3 MTTFd device values
Equipment Type | Unsafe MTTFd (years)
Sensors
Current Switch | 25 to 35
Flame Detector | 15 to 20
Etc… | Etc…
Logic Solvers
Electromechanical relay per DX8S | 1500 to 2500
Pre-configured SIS PEC logic solver | 100 to 120
Etc… | Etc…
Final Elements
Valve positioner | 25 to 30
Motor Starter | 1000 to 1500
Pilot solenoid | 25 to 35
Etc… | Etc…
Table 10.1 Frequency of Initiating Events
Initiating Event | Value for DuPont LOPA (per year)
Cooling water Failure | 10^-1
Regulator Failure | 10^-1
Operator Failure (to execute routine procedure, assuming well trained, unstressed, not fatigued) (PFD) | 10^-2 per opportunity
Variable speed motor AC motor failure | 10^-1
Loss of electrical power, dual feed systems | 10^-2
Loss of nitrogen supplied by pipeline | 10^-1
Etc. | Etc.
Documentation LOPA Worksheet
[Worksheet image: a LOPA worksheet with 17 numbered columns. Legible column headings: Impact Event; Severity Level; Initiating Cause; Initiating Event Frequency; Enabling Event; INDEPENDENT PROTECTION LAYERS (General Process Design; BPCS; Operator Response to Alarms, etc.; Additional Mitigation, Restricted Access; IPL Additional Mitigation, Dikes, Pressure Relief); Intermediate Event Likelihood; SIF ID; PFD of SIF; Mitigated Event Likelihood; Likelihood of person in area; Likelihood of Significant Injury; Frequency of Significant Injury; Notes.]
[Legible worksheet footnotes: "Scenario # refers to WHAT-IF Item."; "are events per year, other numerical values are average probabil"]
[Example row. Impact event: Overpressure TC-2, release of toxic (HFA, HFIP, H2) material/flammable; catastrophic. Severity level: C4. Initiating cause: 8. backflow from A-206 to TC-2, P1527 failure. Numeric entries in the order they appear: 0.100; 1; 1; 1; 1; 0.01; 0.1; 1.0E-04; 1.00E-01; 1.0E-05. Notes: Tolerable Risk Criteria of XXXX met. SIL 1 for SIF needed and met. The remaining note text (drawing references, relief device and scrubber remarks) is not recoverable in reading order.]
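The arithmetic behind the worksheet row, as an added example (not DuPont's worksheet or tool): the initiating event frequency is multiplied by the PFD of each credited IPL, and any remaining gap to the tolerable frequency sets the largest PFD the SIF may have. It reads the worksheet's 0.100 as the initiating event frequency; the layer names, the function names and the 1e-5 criterion are assumptions, since the slide shows its criterion only as "XXXX".

```python
from fractions import Fraction
from math import prod

# PFD credits as printed on the Table 10.3 slide (SIL 1 and SIL 2 rows only).
SIL_CREDIT = {"SIL 1": Fraction("1e-1"), "SIL 2": Fraction("1e-2")}


def intermediate_likelihood(initiating_freq, ipl_pfds):
    """Initiating event frequency (per year) times the PFD of every credited IPL."""
    for name, pfd in ipl_pfds.items():
        if not 0 < pfd <= 1:
            raise ValueError(f"PFD for {name!r} must be in (0, 1], got {pfd}")
    # Pass frequencies as strings or Fractions so the arithmetic stays exact.
    return Fraction(initiating_freq) * prod(ipl_pfds.values(), start=Fraction(1))


def required_sif(initiating_freq, ipl_pfds, tolerable_freq):
    """Return (intermediate likelihood, max allowed SIF PFD, lowest SIL meeting it)."""
    inter = intermediate_likelihood(initiating_freq, ipl_pfds)
    target = Fraction(tolerable_freq)
    if inter <= target:
        return inter, None, None  # credited IPLs already meet the criterion
    needed = target / inter  # largest PFD the SIF may have
    for sil, credit in SIL_CREDIT.items():  # insertion order: SIL 1 first
        if credit <= needed:
            return inter, needed, sil
    return inter, needed, None  # gap exceeds every credit listed above


def mitigated_likelihood(intermediate, sif_pfd):
    """Intermediate event likelihood after crediting the SIF."""
    return intermediate * Fraction(sif_pfd)


# Constructed scenario from the worksheet figures: 0.100/yr initiating event and
# two credited layers (PFD 0.01 and 0.1). The layer names and the 1e-5 criterion
# are assumptions; the slide shows its criterion only as "XXXX".
WORKSHEET_IPLS = {"layer A (assumed)": Fraction("0.01"),
                  "layer B (assumed)": Fraction("0.1")}

if __name__ == "__main__":
    inter, needed, sil = required_sif("0.1", WORKSHEET_IPLS, "1e-5")
    after = mitigated_likelihood(inter, SIL_CREDIT[sil])
    print(f"intermediate {float(inter):.1e}/yr, SIF PFD <= {float(needed):.1e} -> {sil}")
    print(f"mitigated {float(after):.1e}/yr")
```

With these inputs the results match the worksheet's 1.0E-04 intermediate likelihood, 1.00E-01 SIF PFD and 1.0E-05 mitigated likelihood.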
IPL’s Auditing
Periodically assess IPL’s
Functional testing (SIF’s, Relief valves, etc.)
Periodic inspection (Dikes, machine guards etc.)
Preventive or replacement maintenance (Corrosion coupons and vessel thickness checks)
Implementation Tasks
LOPA Guidance Document
– ~ 59 pages
– Target Audience: PHA Teams/Management, LOPA Analyst & Corporate
– Purpose: Broad Overview of LOPA; definitions; IPL values; initiating event frequencies.
LOPA Training Course and Training LOPA Analysts
– 1-1/2 day Training course (In-house)
– For in-house LOPA analyst certification
  LOPA analyst in training (Participate in LOPA’s with experienced, in-house certified LOPA analyst)
  Lead several LOPA’s independently
  Present LOPA examples for peer review by team of qualified LOPA analysts
Points to Remember…
Are you (organization) ready for LOPA?
– Risk Management Philosophy
– Current Foundation Risk Assessment
– Risk Tolerance Criteria
– Data Required
Are you (organization) up for the tasks?
– Training
– Guidance Document
– IPL Auditing