LOPA Implementation

September 22, 2017 | Author: asimozma | Category: Risk Management, Risk, Reliability Engineering, Evaluation, Prevention

A LOPA Implementation Method


Breydon G Morton DuPont October 3, 2007


Copyright 2007 by ISA, www.isa.org Presented at ISA EXPO 2007, 2-4 October 2007, Reliant Center, Houston, Texas

What does LOPA mean to DuPont?
• Before we (DuPont) implemented LOPA?
• How are we implementing LOPA? Tasks?


Before implementing LOPA
• Questions and Background data
  – Is Company ready for LOPA?
  – Current Foundation for Risk Assessment?
  – When is LOPA Used?
  – Risk Tolerance Established?
  – Data Required?
  – IPL's Remain In Place?


Risk Management Philosophy?
• Values & Beliefs vs. Risk Management Strategy
  – Core Values (Safety & Health, Ethical Behavior, Respect for People, and Environmental Stewardship)
• Process Safety Management
  – Control Risk
• Standards and Policies
  – Risk Reduction > Protect (Assets, People, Environment, Public Trust)


Current Foundation Risk Assessment

• Experience & Capabilities Assessment?
  – Current Risk Management Policies
     - Policy Process Safety Management (PSM) Manual
     - Standards S21A (PSM), S25A (PHA)
  – Hazard Analysis Methods
     - Checklists, What-If, HAZOPS, Fault Tree
  – Institutional Knowledge (Consequence & Failure Frequencies)
     - Specialized Resources from Process Safety & Fire Protection (PS&FP)


Risk Tolerance Criteria

The typical industry risk tolerance for combined events that could result in irreversible human health effects, which is used to make risk reduction decisions, is 10^-4. (Appendix E of CCPS “Layer of Protection Analysis”)


When is LOPA used?

• Within DuPont, when evaluating risk of process safety scenarios there is a need to recommend additional safety protection for risk mitigation.
• When the hazard evaluation analyst determines that a “Risk Based” approach is required and interlock design is needed.
• When a PHA team believes a scenario is too complex to make a risk judgment using purely qualitative judgment.


When is LOPA used? From consequence severity…

– PHA teams are responsible for assigning worst case consequence severity (i.e. assuming loss of all engineering & administrative controls) using the consequence categories as defined in LOPA guidance document Table 12.2a or S25A.
– 3. …
– 4. Conduct an interlock evaluation as follows:
   A. As part of hazard evaluation, identify those events that involve interlocks (existing, recommended, and being considered).
   B. Evaluate the consequence category for the event:
      1. If the consequence category is C1 or C2, then the interlock is a process interlock and should be documented accordingly in the PHA. If the same interlock is identified as a safeguard against multiple events, then the most severe event will determine the final categorization and SIL.
      2. If the consequence is financial loss only, then the interlock is a process interlock. For process interlocks mitigating financial loss hazards only, the AIB method may be used to determine the reliability requirements. See DX3S for a description of the AIB method.
      3. If the consequence category is C3, then further evaluation must be done to determine the required SIL of the interlock. The AIB method may be used to determine the reliability requirements. See DX3S for a description of the AIB method.
      4. If the consequence category is C4 (excluding multiple fatalities), then further evaluation must be done to determine the required SIL of the interlock. The AIB method may be used to determine the reliability requirements. See DX3S for a description of the AIB method.
      5. If the consequence category is C4 with multiple fatalities, then a risk-based method (LOPA, Event Tree, Fault Tree) must be used. Application of a risk-based method requires that personnel trained in process hazards analysis and the method being used be involved. Risk-based methods may also be applied to any hazard where the AIB method is allowed.


Data Required
• Consequences
  – Standard S25A → Tables 12.2a & b → C4 through C1
  – Modeling (Scenario impact; Potential severity)
• Component Failure Data
  – DRAFT LOPA Guidance manual Table 10.2 Passive IPL's and Table 10.3 Active IPL's
  – DX3S Table 3 MTTFfd device values
  – Vendor data
  – General industry
• Initiating Event
  – DRAFT LOPA Guidance manual Table 10.1 Frequency Initiating Events


Table 12.2a Consequence Severity

| Type of Event/Impact | Consequence Category C-1 Minor | Consequence Category C-2 Moderate | Consequence Category C-3 Major | Consequence Category C-4 Catastrophic |
|---|---|---|---|---|
| Employee Safety and Health | No injury or health impact | Minor (MTC) injury or reversible health effects | Multiple MTC injuries; 1-2 RWC/LWC's | One or more fatalities; multiple LWC's with irreversible health effects |
| Public Safety and Health | No injury or health effects | Minor injury or reversible health effects | Injury or moderate health effects; emergency medical intervention and/or hospitalization | Death or irreversible health effects: |

Table 10.2 Passive IPL's

| IPL | Comments | PFD for DuPont LOPA |
|---|---|---|
| Dike | Will reduce frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc. | 10^-2 |
| Underground Drainage System | Will reduce frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc. | 10^-2 |
| Open Vent (or no valve) | Will prevent overpressure | 10^-2 |
| Fireproofing | Will reduce the rate of heat input and provide additional time for depressurizing/firefighting | 10^-2 |
| Blast Bunker | Will reduce the frequency of large consequences of an explosion by confining blast and protecting equipment/buildings/etc. | 10^-3 |
| Flame/Detonation Arrestors | If properly designed, installed and maintained these should eliminate the potential for flashback through a piping system or into a vessel or tank. | 10^-2 |


Table 10.3 Active IPL's

| IPL | Comments | PFD for DuPont LOPA |
|---|---|---|
| Relief Valve | | 10^-2 (2) |
| Rupture Disc | | 10^-2 (2) |
| Basic Process Control System | | 10^-1 |
| SIL 1 | | 10^-1 (3) |
| SIL 2 | | 10^-2 (3) |
| SIL 3 | | 10^-2 (3) |
| Battery Backup UPS with periodic inspection | | 10^-1 |
| Water Scrubber, maintained and inspected | | 10^-1 |
| Battery Backup UPS with periodic inspection | | 10^-1 |
| Etc… | | Etc… |

Table 3 MTTFd device values

| Equipment Type | Unsafe MTTFd (years) |
|---|---|
| Sensors | |
| Current Switch | 25 to 35 |
| Flame Detector | 15 to 20 |
| Etc… | Etc… |
| Logic Solvers | |
| Electromechanical relay per DX8S | 1500 to 2500 |
| Pre-configured SIS PEC logic solver | 100 to 120 |
| Etc… | Etc… |
| Final Elements | |
| Valve positioner | 25 to 30 |
| Motor Starter | 1000 to 1500 |
| Pilot solenoid | 25 to 35 |
| Etc… | Etc… |

Table 10.1 Frequency of Initiating Events

| Initiating Event | Value for DuPont LOPA (per year) |
|---|---|
| Cooling water failure | 10^-1 |
| Regulator failure | 10^-1 |
| Operator failure (to execute routine procedure, assuming well trained, unstressed, not fatigued) (PFD) | 10^-2 per opportunity |
| Variable speed motor AC motor failure | 10^-1 |
| Loss of electrical power, dual feed systems | 10^-2 |
| Loss of nitrogen supplied by pipeline | 10^-1 |
| Etc. | Etc. |


Documentation: LOPA Worksheet (DRAFT)

Worksheet note: Scenario # refers to WHAT-IF item. [...] are events per year, other numerical values are average probabil[...]

Worksheet columns: Scenario #; Impact Event; Severity Level; Initiating Cause; Initiating Event Frequency; Enabling Event Frequency; Independent Protection Layers (General Process Design; BPCS; Operator Response to Alarms, etc.; Additional Mitigation, Restricted Access; Additional Mitigation, Dikes, Pressure Relief); Intermediate Event Likelihood; SIF ID; SIF PFD; Mitigated Event Likelihood; Likelihood of person in area; Likelihood of Significant Injury; Frequency of Significant Injury; Notes.

Example row:
• Impact Event: Overpressure TC-2, release of toxic (HFA, HFIP, H2) material/flammable; catastrophic
• Reference drawings: W932596 rev 42F, DW 49060 Rev 2N, DW44540 Rev 18J
• Severity Level: C4
• Initiating Cause: 8. backflow from A-206 to TC-2, P1527 failure
• Initiating Event Frequency / Enabling Event Frequency (in extracted order): 1 / 0.100
• Independent Protection Layer values (in extracted order): 1, 1, 1, 0.01, 0.1
• Intermediate Event Likelihood: 1.0E-04
• PFD of SIF: 1.00E-01
• Mitigated Event Likelihood: 1.0E-05
• Notes: Tolerable Risk Criteria of XXXX met. SIL 1 for SIF needed and met.

IPL's credited in the row:
– Two check valves in HFA transfer line, clean service. Will be checked or replaced on a regular frequency so credit taken.
– TC-2 PRD 1205 0141 set @ 200 psi; [Has rupture disc] back to "Emergency" Scrubber, SB-126 operated as "passive" scrubber, since pump not operated, but instrumented with local temperature controller, and level
– S-1b Conceptual Design: 2460DPG Low Low (2460PT 1822PT) closes 1825HV via MLC2.

Callout on Initiating Cause and Frequency: No. 8 in the What-If document was analyzed for "backflow" only. It did not identify a cause for "backflow". LOPA identified a discrete cause (P1527 failure; AC electric motor failure).
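The arithmetic behind the worksheet row above, as an added example (not DuPont's or the presenter's code): it multiplies the row's frequencies and IPL credits, derives the SIF PFD still needed, and shows what happens when one IPL credit is lost. The tolerable-risk target of 1e-5 per year is an assumption, because the worksheet prints the criterion only as XXXX; the SIL credits are the values printed in Table 10.3, and the function and variable names are hypothetical.

```python
from fractions import Fraction as F
from math import prod

# PFD credited to a SIF per SIL, exactly as printed in the page's Table 10.3.
SIL_PFD = {1: F("1e-1"), 2: F("1e-2"), 3: F("1e-2")}

def intermediate_likelihood(init_freq, enabling, ipl_pfds):
    """Events per year reaching the consequence with the non-SIF IPLs credited."""
    if any(not 0 < p <= 1 for p in ipl_pfds):
        raise ValueError("each IPL PFD must be in (0, 1]; use 1 for no credit")
    return init_freq * enabling * prod(ipl_pfds)

def required_sil(intermediate, target):
    """Return (max allowed SIF PFD, lowest SIL meeting it); SIL is None if no SIF is needed."""
    if intermediate <= target:
        return F(1), None
    allowed = target / intermediate
    for sil in sorted(SIL_PFD):
        if SIL_PFD[sil] <= allowed:
            return allowed, sil
    raise ValueError("no credited SIL closes the gap; add or restore other IPLs")

def evaluate(row, target):
    """Work one worksheet row through to the mitigated event likelihood."""
    inter = intermediate_likelihood(row["init_freq"], row["enabling"], row["ipl_pfds"])
    allowed, sil = required_sil(inter, target)
    mitigated = inter * (SIL_PFD[sil] if sil else 1)
    return {"intermediate": inter, "allowed_sif_pfd": allowed, "sil": sil,
            "mitigated": mitigated, "met": mitigated <= target}

# Worksheet row from the page (scenario 8, backflow into TC-2, severity C4),
# values in the order the page gives them.
ROW = {"init_freq": F("1"), "enabling": F("0.100"),
       "ipl_pfds": [F(1), F(1), F(1), F("0.01"), F("0.1")]}
# ASSUMPTION: the page prints the tolerable-risk criterion as "XXXX"; 1e-5 per
# year is used here only so the example runs.
ASSUMED_TARGET = F("1e-5")

if __name__ == "__main__":
    print({k: (float(v) if isinstance(v, F) else v)
           for k, v in evaluate(ROW, ASSUMED_TARGET).items()})
    # Same row with the 0.01 credit lost (for example an IPL failing its audit):
    degraded = dict(ROW, ipl_pfds=[F(1), F(1), F(1), F(1), F("0.1")])
    try:
        evaluate(degraded, ASSUMED_TARGET)
    except ValueError as exc:
        print("degraded row:", exc)
```

Exact fractions are used instead of floats so that a boundary case such as an allowed PFD of exactly 0.1 compares correctly against the SIL 1 credit.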


IPL’s Auditing

Periodically assess IPL's
• Functional testing (SIF's, relief valves, etc.)
• Periodic inspection (dikes, machine guards, etc.)
• Preventive or replacement maintenance (corrosion coupons and vessel thickness checks)


Implementation Tasks
• LOPA Guidance Document
  – ~59 pages
  – Target Audience: PHA Teams/Management, LOPA Analyst & Corporate
  – Purpose: Broad overview of LOPA; definitions; IPL values; initiating event frequencies.
• LOPA Training Course and Training LOPA Analysts
  – 1-1/2 day training course (in-house)
  – For in-house LOPA analyst certification
     - LOPA analyst in training (participate in LOPA's with experienced, in-house certified LOPA analyst)
     - Lead several LOPA's independently
     - Present LOPA examples for peer review by team of qualified LOPA analysts


Points to Remember…
• Are you (organization) ready for LOPA?
  – Risk Management Philosophy
  – Current Foundation Risk Assessment
  – Risk Tolerance Criteria
  – Data Required
• Are you (organization) up for the tasks?
  – Training
  – Guidance Document
  – IPL Auditing
