
Process Operability Class Materials
Safety: Layer of Protection
Basic flowsheet
Design with Operability
[Figure: basic flowsheet with its control and alarm tags: level controllers LC-1 (two loops), level alarms LAH and LAL, level indicator L-2, flow controllers FC-1 (two loops), temperature controllers TC-1 and TC-2, fuel flow F-4, and temperature indicators T-10, T-11, T-12 and T-13.]
Copyright © Thomas Marlin 2013
The copyright holder provides a royalty-free license for use of this material at non-profit
educational institutions
ACHIEVING ACCEPTABLE RISK
Layer of Protection Analysis
• HAZARD IDENTIFICATION
  1. Check lists
  2. Dow Relative Ranking
  3. HAZOP - Hazard and Operability
• LAYER OF PROTECTION ANALYSIS (semi-quantitative analysis to give an order-of-magnitude estimate)
  1. Express risk target quantitatively
  2. Determine risk for system
  3. Reduce risk to meet target
• HAZARD ASSESSMENT (more accurate)
  - Fault Tree
  - Event Tree
  - Consequence analysis
  - Human Error Analysis
• ACTIONS TO ELIMINATE OR MITIGATE
  - Apply all engineering sciences
We will use our group skills and knowledge of safety layers in applications.
Safety Layer of Protection Analysis
1. Express risk target quantitatively
• FAR: Fatal Accident Rate - This is the number of fatalities occurring during 1000 working lifetimes (10^8 hours). This is used in the U.K.
• Fatality Rate = FAR * (hours worked) / 10^8
• OSHA Incidence Rate - This is the number of illnesses and injuries for 100 work-years. This is used in the USA.
Safety Layer of Protection Analysis
1. Express risk target quantitatively
FAR Data for typical Activities

Activity                    FAR
Chemical Industry           4
Steel Industry              8
Coal Mining                 40
Construction                67
Uranium                     70
Asbestos (old data?)        620

Staying home                3
Traveling by automobile     57
Traveling by airplane       240
Cigarette smoking           ???

Question: What is the FAR for cigarette smoking?
Answer: FAR = 40 for smoking.

Question: What is the fatality rate (/year) in the chemical industry?
Answer: (4) (8 h/day) (5 day/week) (45 weeks/y) / 10^8 = 7.2 x 10^-5

T. Kletz, “Eliminating Potential Process Hazards”, Chem. Eng., April 1, 1985
Safety Layer of Protection Analysis
1. Express risk target quantitatively
• One standard used is to maintain the risk for involuntary activities less (much less?) than typical risks such as “staying home”
  - Results in rules, such as fatality rate < 10^-6/year
  - See Wells (1996) Table 9.4
  - Remember that many risks exist (total risk is sum)
• Are current risks accepted or merely tolerated?
• We must consider the inaccuracies of the estimates
• We must consider people outside of the manufacturing site.
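The FAR arithmetic of the two slides above (fatality rate = FAR x hours exposed / 10^8, and the reminder that total risk is the sum over activities) as a small worked script. This is an added example, not part of the original class notes: the FAR values are the ones tabulated on the slide (Kletz, 1985), the 10^-6/year figure is the rule quoted on the risk-target slide, and the exposure profile in the main block is constructed for illustration only.

```python
"""FAR arithmetic: fatality rate per year = FAR * (hours exposed) / 10^8.

Added example, not part of the original class notes. FAR values are the slide's
table (Kletz, 1985); the exposure schedule in main() is constructed.
"""

# Activity -> FAR (fatalities per 10^8 exposure hours), from the slide table
FAR_PER_1E8_HOURS = {
    "chemical industry": 4,
    "steel industry": 8,
    "coal mining": 40,
    "construction": 67,
    "uranium": 70,
    "asbestos (old data?)": 620,
    "staying home": 3,
    "traveling by automobile": 57,
    "traveling by airplane": 240,
    "cigarette smoking": 40,
}

INVOLUNTARY_RISK_TARGET = 1e-6  # fatalities/year, the rule quoted on the slide


def annual_fatality_rate(far, hours_per_day, days_per_week, weeks_per_year):
    """Fatality rate per year for one person exposed on the given schedule."""
    hours_per_year = hours_per_day * days_per_week * weeks_per_year
    return far * hours_per_year / 1e8


def total_annual_risk(exposures):
    """Sum the per-activity rates: the slide reminds us that total risk is a sum.

    exposures: iterable of (activity, hours_per_day, days_per_week, weeks_per_year).
    Returns (total_rate, {activity: rate}).
    """
    per_activity = {}
    for activity, hours, days, weeks in exposures:
        far = FAR_PER_1E8_HOURS[activity]
        per_activity[activity] = annual_fatality_rate(far, hours, days, weeks)
    return sum(per_activity.values()), per_activity


def meets_involuntary_target(rate, target=INVOLUNTARY_RISK_TARGET):
    """True when the annual fatality rate is below the stated target."""
    return rate < target


if __name__ == "__main__":
    # The slide's worked question: chemical industry, 8 h/day, 5 day/week, 45 weeks/year
    chem = annual_fatality_rate(FAR_PER_1E8_HOURS["chemical industry"], 8, 5, 45)
    print(f"chemical industry worker: {chem:.2e} fatalities/year")

    # Constructed exposure profile for one person (illustration only)
    total, breakdown = total_annual_risk([
        ("chemical industry", 8, 5, 45),
        ("traveling by automobile", 1, 5, 45),
        ("staying home", 14, 7, 52),
    ])
    for activity, rate in breakdown.items():
        print(f"  {activity:24s} {rate:.2e} /year")
    print(f"total: {total:.2e} /year; below {INVOLUNTARY_RISK_TARGET:.0e} target? "
          f"{meets_involuntary_target(total)}")
```

The point of the summed profile is the one the slide makes in passing: a single activity that looks acceptable on its own may not be once the other exposures a person actually has are added in.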
Safety Layer of Protection Analysis
1. Express risk target quantitatively
• People usually distinguish between voluntary and involuntary risk. They often accept higher risk for voluntary activities (rock climbing).
• People consider the number of fatalities per accident
  Fatalities (per time period) = (frequency) (fatalities/accident)
  .001 = (.001) (1)            fatalities/time period
  .001 = (.0000001) (100,000)  fatalities/time period
We need to consider frequency and consequence
Safety Layer of Protection Analysis
1. Express risk target quantitatively
The decision can be presented in a F-N plot similar to the one below.
(The coordinate values here are not “standard”; they must be selected by the professional.)
[Figure: F-N plot. Vertical axis: Probability or Frequency, F (events/year), with gridlines at 1.00E-07, 1.00E-08 and 1.00E-09. Horizontal axis: Deaths per event, N, at 1, 10 and 100. The region above the criterion line is labelled “Unacceptable risk”, the region below it “Acceptable risk”.]
The design must be enhanced to reduce the likelihood of death (or serious damage) and/or to mitigate the effects.
Some Published F-N Plots
“Choosing Appropriate Quantitative Safety Risk Criteria Applications from the New CCPS Guidelines” by Walt Frank (Frank Risk
Solutions, Inc.) and Dave Jones (Chevron Energy Technology Company)
Some Published F-N Plots
Lees, F. (1996) Loss Prevention in the Process Industries 2nd Ed., Vol. 1, page 9/83.
Safety Layer of Protection Analysis
2. Determine the risk for system
• In Layer of Protection Analysis (LOPA), we assume that the probability of each element in the system functioning (or failing) is independent of all other elements.
• We consider the probability of the initiating event (root cause) occurring
• We consider the probability that every independent protection layer (IPL) will prevent the cause or satisfactorily mitigate the effect
Safety Layer of Protection Analysis
2. Determine the risk for system
[Figure: event chain. The initiating event (frequency f_I) challenges IPL 1; if IPL 1 fails on demand (PFD1) the demand passes to IPL 2 (PFD2), then IPL 3, and so on up to IPL n (PFDn). If any IPL functions, the outcome is safe/tolerable; if all n IPLs fail, the outcome is unsafe.]
f_I is the probability of the initiating event or root cause
PFD_i is the probability of failure on demand (PFD) for each IPL (i)
Safety Layer of Protection Analysis
2. Determine the risk for system
[Figure: the same event chain as on the previous slide, annotated “Recall that the events are considered independent”.]
The probability that the unsafe consequence will occur is the product of the individual probabilities.

$f^{C}_{i} = f^{I}_{i} \prod_{j=1}^{n} (\mathrm{PFD})_{ij}$

where
  i = scenario or event
  j = IPL layer
  f^I_i = frequency of initiating event I for scenario i
  f^C_i = frequency of consequence for scenario i
  PFD_ij = probability of failure on demand of layer j in scenario i
Safety Layer of Protection Analysis
2. Determine the risk for system
• How do we determine the initiating events? → HAZOP
• How do we determine the probability of the initiating event, X? → Company, industry experience
• How do we determine the probability that each IPL will function successfully? → Company, industry experience
• How do we determine the target level for the system? → F-N plot, depends on consequence
Safety Layer of Protection Analysis
2. Determine the risk for system
Data needed and its source:
• Data: The maximum frequency or probability of an accident, f_i^max = F
  Source: The F-N plot or similar analysis. (A sample F-N plot is given in Figure 5.16.)
• Data: Each event leading to significant hazard in the process (i)
  Source: HAZOP study
• Data: Frequency of each event, f^I_i
  Source: Historical data from a company or from publications
• Data: The risk that each barrier to the accident propagation will fail on demand, PFD_ij
  Source: Historical data from a company or from publications
Safety Layer of Protection Analysis
2. Determine the risk for system
Table 5.13 Typical Frequencies of Initiating Events (f^I_i)
(From CCPS, 2001, Table 5.1)

Initiating Event                                              Frequency (events/year)
Pressure vessel failure                                       10^-5 to 10^-7
Piping failure (full breach)                                  10^-5 to 10^-6
Piping failure (leak)                                         10^-3 to 10^-4
Atmospheric tank failure                                      10^-3 to 10^-5
Turbine/diesel engine overspeed (with casing breach)          10^-3 to 10^-4
Third party intervention (impact by backhoe, etc.)            10^-2 to 10^-4
Safety valve opens spuriously                                 10^-2 to 10^-4
Cooling water failure                                         1 to 10^-2
Pump seal failure                                             10^-1 to 10^-2
BPCS loop failure                                             1 to 10^-2
Pressure regulator failure                                    1 to 10^-1
Small external fire                                           10^-1 to 10^-2
Large external fire                                           10^-2 to 10^-3
Operator failure (to execute routine procedure, assuming      10^-1 to 10^-3 (units are events/procedure)
  well trained, unstressed, not fatigued)
Safety Layer of Protection Analysis
3. Reduce the risk to achieve the target
The general approach is to
• Set the target frequency for an event leading to an unsafe situation (based on F-N plot)
• Calculate the frequency for a proposed design
• If the frequency for the design is too high, reduce it
  - The first approach is often to introduce or enhance the safety interlock system (SIS)
• Continue with improvements until the target frequency has been achieved
Safety Layer of Protection Analysis
3. Reduce the risk to achieve the target
Table 5.16 Typical PFD values for safety layers (IPLs)

Safety Layer (IPL)                   Probability of failure on demand (failure/demand)
BPCS (process control)               10^-1
Alarm                                10^-1 to 1.0 (depends on stress and time)
SIS (safety instrumented system)     10^-1 to 10^-4 (depends strongly on details of design and maintenance)
Pressure relief                      10^-2
Containment *                        10^-2 for dike that will reduce consequences of spill
                                     10^-2 for drainage system that will reduce consequences of spill
Other layers (IPLs) *                10^-2 for fireproofing
                                     10^-2 for blast wall

* These layers reduce only the major consequences of an accident. When doing a LOPA, the PFD would be 1.0 for many consequences; for example, a dike would not prevent a fire. The tabular values would be applied for only the worst consequences, e.g., for a dike, a spill flowing into the entire facility or the local community.
Safety Layer of Protection Analysis
3. Reduce the risk to achieve the target
Some surprising data for human reliability in process operations

Table 5.14 Human failure data*
PFD      Situation description
1.0      Rapid action based on complex analysis to prevent serious accident.
10^-1    Busy control room with many distractions and other demands on time and attention
10^-2    Quiet local control room with time to analyze
*Based on Kletz (1999)
Safety Layer of Protection Analysis
3. Reduce the risk to achieve the target
Table entries: word = qualitative risk description; number = required safety integrity level (SIL)

Event Likelihood    Event Severity: extensive    serious      minor
low                 Medium 2                     Minimal 1    Minimal 1
moderate            Major 3                      Medium 2     Minimal 1
high                Major 3                      Major 3      Medium 2

Safety Integrity Levels (probability of failure on demand)
SIL 1 = .01 to .1
SIL 2 = .001 to .01
SIL 3 = .0001 to .001
Selection documented for legal requirements.
SIS depends on structure of redundancy.
Safety Layer of Protection Analysis
3. Reduce the risk to achieve the target
Often, credit is taken for good design and maintenance procedures.
• Proper materials of construction (reduce corrosion)
• Proper equipment specification (pumps, etc.)
• Good maintenance (monitor for corrosion, test safety systems periodically, train personnel on proper responses, etc.)
A typical value is PFD = 0.10
Safety Layer of Protection Analysis
Worksheet
The Layer of Protection Analysis (LOPA) is performed using a standard table for data entry. The columns are:
 1  #
 2  Initial event description
 3  Initiating cause
 4  Cause likelihood, f^I_i
 5  Protection layers, probability of failure on demand: Process design
 6  Protection layers, probability of failure on demand: BPCS
 7  Protection layers, probability of failure on demand: Alarm
 8  Protection layers, probability of failure on demand: SIS
 9  Additional mitigation (safety valves, dykes, restricted access, etc.)
10  Mitigated event likelihood, f^C_i
    Notes
Mitigated likelihood = $f^{C}_{i} = f^{I}_{i} \prod_{j=1}^{n} (\mathrm{PFD})_{ij} \le f_{i}^{max}$
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Flash drum for “rough” component separation for this proposed design.
[Figure: flash drum flowsheet. Feed (methane, ethane (LK), propane, butane, pentane) enters the drum; vapor product leaves overhead and liquid product at the bottom. Instruments and loops: temperature sensors T1, T2, T3, T5; pressure controller PC-1 with high pressure alarm PAH; level controller LC-1 with level alarms LAL and LAH; flow controller FC-1 and flows F2, F3; temperature controller TC-6 on the process fluid/steam exchanger, in cascade with split range; analyzer controller AC-1 on the liquid product (L. Key = light key).]
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Flash drum for “rough” component separation.
Complete the table with your best estimates of values.
(Worksheet columns 1-10 as on the Worksheet slide.)
Row 1:
  Initial event description: High pressure
  Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
  Cause likelihood: (to be entered)
  Protection layers (PFD) - Process design, BPCS, Alarm, SIS: (to be entered)
  Additional mitigation (safety valves, dykes, restricted access, etc.): (to be entered)
  Mitigated event likelihood: (to be entered)
  Notes: Pressure sensor does not measure the drum pressure
The target mitigated likelihood = 10^-5 event/year
The likelihood of the event = 10^-1 events/year
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Some observations about the design.
• The drum pressure controller uses only one sensor; when it fails, the pressure is not controlled.
• The same sensor is used for control and alarming. Therefore, the alarm provides no additional protection for this initiating cause.
• No safety valve is provided (which is a serious design flaw).
• No SIS is provided for the system. (No SIS would be provided for a typical design.)
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Solution: Original design.
[Figure: the flash drum flowsheet of the proposed design (feed of methane, ethane (LK), propane, butane, pentane; T1, T2, T3, T5; PC-1 with PAH; LC-1 with LAL and LAH; FC-1, F2, F3; TC-6 with cascade and split range on the process fluid/steam exchanger; AC-1 on the liquid product; vapor and liquid products), with the callout: “When the connection to the sensor is plugged, the controller and alarm will fail to function on demand.”]
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Solution using initial design and typical published values.
(Worksheet columns 1-10 as on the Worksheet slide.)
Row 1:
  Initial event description: High pressure
  Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
  Cause likelihood: 0.10 events/year
  Protection layers (PFD): Process design 0.10; BPCS 1.0; Alarm 1.0; SIS 1.0
  Additional mitigation (safety valves, dykes, restricted access, etc.): 1.0
  Mitigated event likelihood: 0.01 events/year
  Notes: Pressure sensor does not measure the drum pressure
Much too high! We must make improvements to the design.
Gap = 10^-2/10^-5 = 10^3 (sometimes given as the exponent “3”)
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Improved Design.
[Figure: the flash drum flowsheet with the improvements: a second pressure sensor P-2 with a high-high pressure alarm PAHH, separate from the PC-1/PAH loop, and a pressure relief valve on the drum. Remaining instruments as before: T1, T2, T3, T5; LC-1 with LAL and LAH; FC-1, F2, F3; TC-6 with cascade and split range on the process fluid/steam exchanger; AC-1 on the liquid product (L. Key); feed of methane, ethane (LK), propane, butane, pentane; vapor and liquid products.]
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Solution using improved design and typical published values.
(Worksheet columns 1-10 as on the Worksheet slide.)
Row 1:
  Initial event description: High pressure
  Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
  Cause likelihood: 0.10 events/year
  Protection layers (PFD): Process design 0.10; BPCS 1.0; Alarm 0.10; SIS 1.0
  Additional mitigation (safety valves, dykes, restricted access, etc.): PRV 0.01
  Mitigated event likelihood: 0.00001 events/year
  Notes: Pressure sensor does not measure the drum pressure
Enhanced design includes separate P sensor for alarm and a pressure relief valve.
The enhanced design achieves the target mitigated likelihood. Verify table entries.
The PRV must exhaust to a separation (knock-out) drum and fuel or flare system.
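The worksheet arithmetic of the product formula on the “Determine the risk” slide, applied to the two flash-drum rows above (original and improved design, target 10^-5 events/year), as a worked script. This is an added example, not part of the original class notes: the row values and the SIL bands are the ones printed on the slides, while lopa_row(), required_pfd_for_extra_layer() and sil_for_pfd() are helpers written for this example to carry out the “use LOPA to determine the required PFD” step; the slides do not prescribe that code.

```python
"""LOPA worksheet arithmetic: f_C = f_I * product(PFD_j), compared with a target.

Added example, not part of the original class notes. Scenario values are the
flash-drum class exercise rows; SIL bands are the Safety Integrity Levels slide.
"""
import math

# SIL -> (lower, upper) PFD band, from the Safety Integrity Levels slide
SIL_PFD_BANDS = {1: (0.01, 0.1), 2: (0.001, 0.01), 3: (0.0001, 0.001)}

# Worksheet columns 5-9 in slide order
LAYERS = ("process design", "BPCS", "alarm", "SIS", "additional mitigation")


def mitigated_likelihood(f_initiating, pfds):
    """f_C = f_I * product of the PFDs of the independent protection layers.

    A layer that cannot act on this initiating cause is entered as PFD = 1.0
    (no credit), which is how the slides treat the BPCS and alarm when the
    shared pressure tap is plugged.
    """
    for name, pfd in pfds.items():
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD for {name} must be in (0, 1], got {pfd}")
    return f_initiating * math.prod(pfds.values())


def meets_target(f_mitigated, f_target):
    """f_C <= f_max, tolerant of float noise from multiplying decimal PFDs."""
    return f_mitigated <= f_target or math.isclose(f_mitigated, f_target, rel_tol=1e-9)


def gap(f_mitigated, f_target):
    """(ratio, exponent): achieved/target frequency and its log10, the 'gap'
    the slide quotes as 10^-2/10^-5 = 10^3, exponent 3."""
    ratio = f_mitigated / f_target
    return ratio, math.log10(ratio)


def required_pfd_for_extra_layer(f_mitigated, f_target):
    """PFD one added independent layer would need so that f_C meets the target."""
    return min(1.0, f_target / f_mitigated)


def sil_for_pfd(required_pfd):
    """Map a required PFD onto the slide's SIL bands.

    Returns 0 when PFD >= 0.1 (a BPCS/alarm-level credit, no SIS needed),
    None when the requirement is below the SIL 3 band (10^-4), else 1-3.
    Worksheet values are order-of-magnitude figures, so float noise is
    rounded away (six significant digits) before banding.
    """
    pfd = float(f"{required_pfd:.6g}")
    if pfd >= 0.1:
        return 0
    for sil, (low, high) in sorted(SIL_PFD_BANDS.items()):
        if low <= pfd < high:
            return sil
    return None


def lopa_row(number, event, cause, f_initiating, pfds, f_target, notes=""):
    """One worksheet row as a dict, with the derived columns filled in."""
    f_c = mitigated_likelihood(f_initiating, pfds)
    ratio, exponent = gap(f_c, f_target)
    return {
        "#": number, "event": event, "cause": cause,
        "cause likelihood": f_initiating, **pfds,
        "mitigated likelihood": f_c, "target": f_target,
        "meets target": meets_target(f_c, f_target), "gap exponent": exponent,
        "notes": notes,
    }


# Flash-drum class exercise values from the slides (events/year and PFDs)
TARGET = 1e-5
F_INITIATING = 0.10
ORIGINAL = dict(zip(LAYERS, (0.10, 1.0, 1.0, 1.0, 1.0)))
IMPROVED = dict(zip(LAYERS, (0.10, 1.0, 0.10, 1.0, 0.01)))  # own alarm sensor, PRV added

if __name__ == "__main__":
    cause = "connection (tap) for pressure sensor P1 becomes plugged"
    for label, pfds in (("original", ORIGINAL), ("improved", IMPROVED)):
        row = lopa_row(1, "high pressure", cause, F_INITIATING, pfds, TARGET)
        print(f"{label}: f_C = {row['mitigated likelihood']:.1e}/year, gap exponent = "
              f"{row['gap exponent']:.1f}, meets target: {row['meets target']}")
    f_c_orig = mitigated_likelihood(F_INITIATING, ORIGINAL)
    need = required_pfd_for_extra_layer(f_c_orig, TARGET)
    print(f"one extra independent layer on the original design would need PFD <= "
          f"{need:.0e} (SIL {sil_for_pfd(need)} if provided by an SIS)")
```

The helper that turns a gap into a required PFD for one more layer is where the course's later advice (“use LOPA to determine the required PFD; then design the SIS to achieve it”) connects to the worksheet; the exercise instead closes the gap with a separate alarm sensor and a PRV, which the improved row reproduces.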
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Each IPL must be independent.
For the solution in the LOPA table and process sketch, describe some situations (equipment faults) in which the independent layers of protection are
- Independent
- Dependent
Hints: Consider faults such as sensor, power supply, signal transmission, computing, and actuation
For each situation in which the IPLs are dependent, suggest a design improvement that would remove the common cause fault, so that the LOPA analysis in the table would be correct.
Safety Layer of Protection Analysis
Approaches to reducing risk
• The most common are BPCS, Alarms and Pressure relief. They are typically provided in the base design.
• The next most common is SIS, which requires careful design and continuing maintenance
• The probability of failure on demand for an SIS depends on its design. Duplicated equipment (e.g., sensors, valves, transmission lines) can improve the performance
• A very reliable method is to design an “inherently safe” process, but these concepts should be applied in the base case
Safety Layer of Protection Analysis
Approaches to reducing risk
• The safety interlock system (SIS) must use independent sensor, calculation, and final element to be independent!
• We desire an SIS that functions when a fault has occurred and does not function when the fault has not occurred.
• SIS performance improves with the use of redundant elements; however, the systems become complex, requiring high capital cost and extensive ongoing maintenance.
• Use LOPA to determine the required PFD; then, design the SIS to achieve the required PFD.
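The independence requirement stated above, and the “Each IPL must be independent” exercise, come down to one question: what happens to the worksheet product when two layers share a component? The script below answers it for the flash-drum situation the course describes (BPCS loop and alarm fed from the same pressure tap P1, then the improved design with a separate tap P-2). It is an added example, not part of the original class notes: the per-component PFDs are constructed for illustration, not published values, and the breakdown of each layer into sensor, logic and final element follows the slide's hint about which faults to consider.

```python
"""Exact 'all layers fail' PFD with a shared component vs. the naive product.

Added example, not part of the original class notes. Component PFDs are
constructed for illustration; the layer/tap structure follows the flash-drum
exercise (alarm and BPCS on one tap, then separate taps).
"""
from itertools import product


def layer_pfd(components):
    """PFD of one layer whose parts are in series: it fails on demand if any part fails."""
    works = 1.0
    for p in components.values():
        works *= 1.0 - p
    return 1.0 - works


def naive_product_pfd(layers):
    """What the worksheet product assumes: every layer fails independently."""
    result = 1.0
    for components in layers.values():
        result *= layer_pfd(components)
    return result


def all_layers_fail_pfd(layers):
    """Exact probability that every layer fails on demand, honouring shared parts.

    layers: {layer name: {component name: PFD}}. A component name that appears
    in more than one layer is the same physical element (common cause); its
    failure state is enumerated once and applies to every layer that uses it.
    """
    components = {}
    for parts in layers.values():
        for name, p in parts.items():
            if name in components and components[name] != p:
                raise ValueError(f"component {name!r} listed with different PFDs")
            components[name] = p
    names = list(components)
    total = 0.0
    for state in product((False, True), repeat=len(names)):  # True = failed
        failed = {n for n, f in zip(names, state) if f}
        prob = 1.0
        for n, f in zip(names, state):
            prob *= components[n] if f else 1.0 - components[n]
        # the unsafe outcome needs every layer to have at least one failed part
        if all(any(c in failed for c in parts) for parts in layers.values()):
            total += prob
    return total


def common_cause_penalty(layers):
    """Factor by which the exact 'all fail' PFD exceeds the naive product (1.0 = independent)."""
    return all_layers_fail_pfd(layers) / naive_product_pfd(layers)


# Constructed per-component PFDs (illustration only)
SHARED_TAP = {
    "BPCS": {"pressure tap P1": 0.05, "BPCS controller": 0.02, "control valve": 0.03},
    "alarm": {"pressure tap P1": 0.05, "alarm annunciator": 0.02, "operator response": 0.05},
}
# The improved design gives the alarm its own tap (P-2 on the sketch): no common cause
SEPARATE_TAPS = {
    "BPCS": SHARED_TAP["BPCS"],
    "alarm": {"pressure tap P2": 0.05, "alarm annunciator": 0.02, "operator response": 0.05},
}

if __name__ == "__main__":
    for label, layers in (("shared tap", SHARED_TAP), ("separate taps", SEPARATE_TAPS)):
        print(f"{label}: naive product = {naive_product_pfd(layers):.4f}, "
              f"exact = {all_layers_fail_pfd(layers):.4f}, "
              f"penalty x{common_cause_penalty(layers):.2f}")
```

With the shared tap, the exact figure is dominated by the tap's own PFD (the term that does not multiply with anything), so the two layers together are worth little more than one; with separate taps the exact enumeration reproduces the worksheet product. The same enumeration handles any sharing pattern (shared power supply, shared logic solver), which is why the slide insists that an SIS have its own sensor, calculation and final element.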
Safety Layer of Protection Analysis
Process examples
Class Exercise 2: Fired heater to low air flow rate.
[Figure: fired heater flowsheet. Streams: feed, air, fuel gas, flue gas. Instruments: pressure controller PIC-1, pressure transmitter PT-1, analyzer transmitter AT-1, flow transmitters FT-1 and FT-2, flow indicator FI-3, pressure indicators PI-2 to PI-6, temperature indicators TI-1 to TI-11.]
Safety Layer of Protection Analysis
Process examples
Class Exercise 2: Fired heater to low air flow.
(Worksheet columns 1-10 as on the Worksheet slide.)
Row 1:
  Initial event description: Combustibles in stack, fire or explosion
  Initiating cause: Limited air supply because air fan/motor fails
  Cause likelihood: (to be entered)
  Protection layers (PFD) - Process design, BPCS, Alarm, SIS: (to be entered)
  Additional mitigation (safety valves, dykes, restricted access, etc.): (to be entered)
  Mitigated event likelihood: (to be entered)
  Notes:
Frequency of air fan/motor failure is 0.10 to 1.0 events/year (Lees and CCPS)
Safety Layer of Protection Analysis
Process examples
Class Exercise 2: Fired heater to low air flow.
(Worksheet columns 1-10 as on the Worksheet slide.)
Row 1:
  Initial event description: No/low air flow to heater burners
  Initiating cause: Failure of the air fan/blower
  Cause likelihood: 0.10 events/year
  Protection layers (PFD): Process design 0.10; BPCS 1.0; Alarm 1.0; SIS 1.0
  Additional mitigation (safety valves, dykes, restricted access, etc.): ------
  Mitigated event likelihood: 0.01 events/year
  Notes:
Much too high! We must make improvements to the design.
Safety Layer of Protection Analysis
Process examples
Class Exercise 2: Fired heater to low air flow rate.
[Figure: the fired heater flowsheet as before (feed, air, fuel gas, flue gas; PIC-1, PT-1, AT-1, FT-1, FT-2, FI-3, PI-2 to PI-6, TI-1 to TI-11), with the additions marked on the sketch: an alarm, flow control on the air, an additional flow measurement (F), alarms, and an SIS fed by redundant air flow and pressure sensors.]
Safety Layer of Protection Analysis
Process examples
Class Exercise 2: Fired heater to low air flow.
(Worksheet columns 1-10 as on the Worksheet slide.)
Row 1:
  Initial event description: No/low air flow to heater burners
  Initiating cause: Limited air supply because air fan/motor fails
  Cause likelihood: 1.0 events/year
  Protection layers (PFD): Process design 0.10; BPCS 1.0; Alarm 0.10; SIS 0.01
  Additional mitigation (safety valves, dykes, restricted access, etc.): (none)
  Mitigated event likelihood: 0.0001 events/year
  Notes:
Reasonable, but a little high.
Safety Layer of Protection Analysis
Process examples
Class Exercise 3: Fired heater to low feed flow rate.
[Figure: the fired heater flowsheet (feed, air, fuel gas, flue gas; PIC-1, PT-1, AT-1, FT-1, FT-2, FI-3, PI-2 to PI-6, TI-1 to TI-11), as in the base design for Exercise 2.]
Safety Layer of Protection Analysis
Process examples
Class Exercise 3: Fired heater to low feed flow rate.
(Worksheet columns 1-10 as on the Worksheet slide.)
Row 1:
  Initial event description: No process flow, equipment damage, tube rupture and fire, loss of production
  Initiating cause: Feed pump/motor fails
  Cause likelihood: (to be entered)
  Protection layers (PFD) - Process design, BPCS, Alarm, SIS: (to be entered)
  Additional mitigation (safety valves, dykes, restricted access, etc.): (to be entered)
  Mitigated event likelihood: (to be entered)
  Notes:
Probability of feed pump/motor failure is 0.01 events/year
Safety Layer of Protection Analysis
Process examples
Class Exercise 3: Fired heater to low feed flow rate.
(Worksheet columns 1-10 as on the Worksheet slide.)
Row 1:
  Initial event description: Low feed flow rate to tubes in fired heater
  Initiating cause: Failure of feed pump
  Cause likelihood: 0.010 events/year
  Protection layers (PFD): Process design 0.10; BPCS 1.0; Alarm 1.0; SIS 1.0
  Additional mitigation (safety valves, dykes, restricted access, etc.): ------
  Mitigated event likelihood: 0.001 events/year
  Notes:
Too high! We must make improvements to the design.
Safety Layer of Protection Analysis
Process examples
Class Exercise 3: Fired heater to low feed flow rate.
[Figure: the fired heater flowsheet as before (feed, air, fuel gas, flue gas; PIC-1, PT-1, AT-1, FT-1, FT-2, FI-3, PI-2 to PI-6, TI-1 to TI-11), with the additions marked on the sketch: a flow switch FS and flow alarm FAH wired to the SIS (“To SIS”), an additional flow measurement (F), and the SIS with redundant air flow and pressure sensors.]
Safety Layer of Protection Analysis
Process examples
Class Exercise 3: Fired heater to low feed flow rate.
(Worksheet columns 1-10 as on the Worksheet slide.)
Row 1:
  Initial event description: Low feed flow rate to tubes in fired heater
  Initiating cause: Failure of feed pump
  Cause likelihood: 0.010 events/year
  Protection layers (PFD): Process design 0.10; BPCS 1.0; Alarm 0.10; SIS 0.01
  Additional mitigation (safety valves, dykes, restricted access, etc.): ------
  Mitigated event likelihood: 0.000001 events/year
  Notes:
OK! This is very acceptable for a scenario that is not an immediate safety concern, although tube rupture could lead to a fire. Note that the financial loss would be large.
When working on safety, professionals
require an ethical approach!
Kletz (2001) emphasizes the necessity to avoid “jiggling” the values, i.e.,
selecting the values (usually by using lower failure rates) to justify a simpler, less costly
design. Such a practice would be unethical and could lead to serious consequences.
Engineers are urged to “call them like you see them” (CCPS, 1992), which means to make your best safety recommendations without being unduly influenced by cost, project deadlines, management’s preconceived ideas and so forth.
Hazards and Operability Analysis & Layer of Protection Analysis can and should be integrated for safety management:
1. Set Goals
   • Define process scope
   • Define data resources
   • Define F-N tradeoffs
2. Assemble Resources
   • See Section 5.14
3. Hazard Identification
   • Dow Preliminary Methods
   • Check list / What-if
   • HAZOP
4. Finalize safety design
   • LOPA analysis
   • Integrated risk determined
5. Report and Management acceptance
   • Commitment to actions
(Roles shown on the chart: Boss, Safety study leader, Safety study team, LOPA Analyst.)
Let’s not have this result from our work!
BP Deepwater Horizon, April 20, 2010
Safety Layer of Protection Analysis
References
Dowell, A. and D. Hendershot, Simplified Risk Analysis - Layer of Protection Analysis, AIChE National Meeting, Indianapolis, Paper 281a, Nov. 3-8, 2002.
Dowell, A. and T. Williams, Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data, Process Safety Progress, 24, 1, 38-44 (March 2005).
Frederickson, A., Layer of Protection Analysis, www.safetyusersgroup.com, May 2006.
Gulland, W., Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons, http://www.chemicalprocessing.com/whitepapers/2005/006.html
Haight, J. and V. Kecojevic, Automation vs. Human Intervention: What is the Best Fit for the Best Performance?, Process Safety Progress, 24, 1, 45-51 (March 2005).
Melhem, G. and P. Stickles, How Much Safety is Enough, Hydrocarbon Processing, 1999.
Wiegerinck, J., Introduction to the Risk-Based Design of Safety Instrumented Systems for the Process Industries, Seventh International Conference on Control, Automation, Robotics and Vision, Singapore, Dec. 2002.