Process Operability Class Materials


Process Operability Class Materials. Safety: Layer of Protection. [Figure: basic flowsheet compared with design with operability] Copyright © Thomas Marlin 2013. The copyright holder provides a royalty-free license for use of this material at non-profit educational institutions.

ACHIEVING ACCEPTABLE RISK Layer of Protection Analysis
HAZARD IDENTIFICATION: 1. Check lists 2. Dow Relative Ranking 3. HAZOP - Hazard and Operability
LAYER OF PROTECTION ANALYSIS: 1. Express risk target quantitatively 2. Determine risk for system 3. Reduce risk to meet target
HAZARD ASSESSMENT: - Fault Tree - Event Tree - Consequence analysis - Human Error Analysis
ACTIONS TO ELIMINATE OR MITIGATE: - Apply all engineering sciences
Semi-quantitative analysis to give order-of-magnitude estimate. We will use our group skills and knowledge of safety layers in applications.
More accurate

Safety Layer of Protection Analysis 1. Express risk target quantitatively
FAR: Fatal Accident Rate - This is the number of fatalities occurring during 1000 working lifetimes (10^8 hours). This is used in the U.K.
Fatality Rate = FAR * (hours worked) / 10^8
OSHA Incidence Rate - This is the number of illnesses and injuries for 100 work-years. This is used in the USA.

Safety Layer of Protection Analysis 1. Express risk target quantitatively FAR Data for typical Activities What is FAR for cigarette smoking? What is the fatality rate/year for the chemical industry?

Question: What is the fatality rate (/year) in the chemical industry?
(4) (8 h/day) (5 day/week) (45 weeks/y) / 10^8 = 7.2 x 10^-5
FAR, chemical industry: 4
FAR, cigarette smoking: ??? FAR = 40 for smoking
T. Kletz, “Eliminating Potential Process Hazards”, Chem. Eng., April 1, 1985

Safety Layer of Protection Analysis 1. Express risk target quantitatively
One standard used is to maintain the risk for involuntary activities less (much less?) than typical risks such as “staying home”
- Results in rules, such as fatality rate < 10^-6/year
- See Wells (1996) Table 9.4
- Remember that many risks exist (total risk is sum)
Are current risks accepted or merely tolerated? We must consider the inaccuracies of the estimates. We must consider people outside of the manufacturing site.

Safety Layer of Protection Analysis 1. Express risk target quantitatively
People usually distinguish between voluntary and involuntary risk. They often accept higher risk for voluntary activities (rock climbing).
People consider the number of fatalities per accident.
Fatalities = (frequency) (fatalities/accident)
.001 = (.001) (1) fatalities/time period
.001 = (.0000001)(100,000) fatalities/time period
We need to consider frequency and consequence.

Safety Layer of Protection Analysis 1. Express risk target quantitatively
The decision can be presented in a F-N plot similar to the one below. (The coordinate values here are not “standard”; they must be selected by the professional.)
[F-N plot: Probability or Frequency, F (events/year) versus Deaths per event, N, with regions “Acceptable risk” and “Unacceptable risk”]
The design must be enhanced to reduce the likelihood of death (or serious damage) and/or to mitigate the effects.

Some Published F-N Plots “Choosing Appropriate Quantitative Safety Risk Criteria Applications from the New CCPS Guidelines” by Walt Frank (Frank Risk Solutions, Inc.) and Dave Jones (Chevron Energy Technology Company)

Some Published F-N Plots Lees, F. (1996) Loss Prevention in the Process Industries 2nd Ed., Vol. 1, page 9/83.

Safety Layer of Protection Analysis 2. Determine the risk for system
In Layer of Protection Analysis (LOPA), we assume that the probability of each element in the system functioning (or failing) is independent of all other elements.
We consider the probability of the initiating event (root cause) occurring.
We consider the probability that every independent protection layer (IPL) will prevent the cause or satisfactorily mitigate the effect.

Safety Layer of Protection Analysis 2. Determine the risk for system

Safety Layer of Protection Analysis 2. Determine the risk for system
Recall that the events are considered independent. The probability that the unsafe consequence will occur is the product of the individual probabilities.

Safety Layer of Protection Analysis 2. Determine the risk for system
How do we determine the initiating events? HAZOP
How do we determine the probability of the initiating event, X? Company, industry experience
How do we determine the probability that each IPL will function successfully? Company, industry experience
How do we determine the target level for the system? F-N plot, depends on consequence

Safety Layer of Protection Analysis 2. Determine the risk for system

Safety Layer of Protection Analysis 2. Determine the risk for system

Safety Layer of Protection Analysis 3. Reduce the risk to achieve the target
The general approach is to:
- Set the target frequency for an event leading to an unsafe situation (based on F-N plot)
- Calculate the frequency for a proposed design
- If the frequency for the design is too high, reduce it. The first approach is often to introduce or enhance the safety interlock system (SIS)
- Continue with improvements until the target frequency has been achieved

Safety Layer of Protection Analysis 3. Reduce the risk to achieve the target

Safety Layer of Protection Analysis 3. Reduce the risk to achieve the target Some surprising data for human reliability in process operations

Safety Layer of Protection Analysis 3. Reduce the risk to achieve the target
[Risk matrix: Event Severity (extensive, serious, minor) versus Event Likelihood (low, moderate, high)]
Table entries: word = qualitative risk description; number = required safety integrity level (SIL)
Safety Integrity Levels (probability of failure on demand): 1 = .01 to .1; 2 = .001 to .01; 3 = .0001 to .001
Selection documented for legal requirements

SIS Depends on structure of redundancy

SIS Depends on structure of redundancy

Safety Layer of Protection Analysis 3. Reduce the risk to achieve the target
Often, credit is taken for good design and maintenance procedures.
- Proper materials of construction (reduce corrosion)
- Proper equipment specification (pumps, etc.)
- Good maintenance (monitor for corrosion, test safety systems periodically, train personnel on proper responses, etc.)
A typical value is PFD = 0.10

Safety Layer of Protection Analysis Worksheet The Layer of Protection Analysis (LOPA) is performed using a standard table for data entry. Likelihood Probability of failure on demand Mitigated likelihood =

Safety Layer of Protection Analysis Process examples
Class Exercise 1: Flash drum for “rough” component separation for this proposed design.
[Process sketch: flash drum with feed of methane, ethane (LK), propane, butane, pentane; vapor product and liquid product; process fluid and steam heating; instruments FC-1, F2, F3, T1, T2, T3, T5, TC-6, PC-1, LC-1, AC-1 (L. Key); alarms PAH, LAL, LAH; split range; cascade]

Safety Layer of Protection Analysis Process examples
Class Exercise 1: Flash drum for “rough” component separation. Complete the table with your best estimates of values.
The target mitigated likelihood = 10^-5 event/year
The likelihood of the event = 10^-1 events/year

Safety Layer of Protection Analysis Process examples
Class Exercise 1: Some observations about the design.
- The drum pressure controller uses only one sensor; when it fails, the pressure is not controlled.
- The same sensor is used for control and alarming. Therefore, the alarm provides no additional protection for this initiating cause.
- No safety valve is provided (which is a serious design flaw).
- No SIS is provided for the system. (No SIS would be provided for a typical design.)

Safety Layer of Protection Analysis Process examples
Class Exercise 1: Solution: Original design.
When the connection to the sensor is plugged, the controller and alarm will fail to function on demand.
[Process sketch: original flash drum design with feed of methane, ethane (LK), propane, butane, pentane; vapor product and liquid product; process fluid and steam heating; instruments FC-1, F2, F3, T1, T2, T3, T5, TC-6, PC-1, LC-1, AC-1 (L. Key); alarms PAH, LAL, LAH; split range; cascade]

Safety Layer of Protection Analysis Process examples
Class Exercise 1: Solution using initial design and typical published values.
Much too high! We must make improvements to the design.
Gap = 10^-2/10^-5 = 10^3 (sometimes given as the exponent “3”)

Safety Layer of Protection Analysis Process examples
Class Exercise 1: Improved Design.
[Process sketch: improved flash drum design with feed of methane, ethane (LK), propane, butane, pentane; vapor product and liquid product; process fluid and steam heating; instruments FC-1, F2, F3, T1, T2, T3, T5, TC-6, PC-1, P-2, LC-1, AC-1 (L. Key); alarms PAH, PAHH, LAL, LAH; split range; cascade]

Safety Layer of Protection Analysis Process examples
Class Exercise 1: Solution using improved design and typical published values.
Enhanced design includes separate P sensor for alarm and a pressure relief valve. The enhanced design achieves the target mitigated likelihood. Verify table entries.

Safety Layer of Protection Analysis Process examples
Class Exercise 1: Each IPL must be independent.
For the solution in the LOPA table and process sketch, describe some situations (equipment faults) in which the independent layers of protection are
- Independent
- Dependent
For each situation in which the IPLs are dependent, suggest a design improvement that would remove the common cause fault, so that the LOPA analysis in the table would be correct.
Hints: Consider faults such as sensor, power supply, signal transmission, computing, and actuation.
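The LOPA arithmetic for Class Exercise 1, as an added example that is not part of the original slides: it multiplies the initiating frequency by each layer's PFD and gives no credit to a layer that shares a component with the initiating fault or with an earlier layer. The initiating likelihood, target and design/maintenance PFD are from the slides; the PFDs for the BPCS, alarms and relief valve and the component labels are assumed typical values.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float                      # probability of failure on demand
    parts: frozenset = frozenset()  # sensor, logic, actuator the layer relies on

def lopa(freq, cause_parts, layers, target):
    """Return (mitigated events/year, gap to target, [(layer name, credited PFD)])."""
    used = set(cause_parts)         # parts already lost to the initiating fault
    rows = []
    for layer in layers:
        # No credit (PFD = 1) if the layer shares a part with the cause or
        # with an earlier layer: the independence assumption does not hold.
        pfd = 1.0 if layer.parts & used else layer.pfd
        used |= layer.parts
        freq *= pfd
        rows.append((layer.name, pfd))
    return freq, freq / target, rows

def sil_to_close(gap):
    """SIL (1 = PFD .01 to .1, 2 = .001 to .01, 3 = .0001 to .001) whose whole
    band closes the gap; 0 means no SIS is needed, None means beyond SIL 3."""
    sil = max(0, math.ceil(round(math.log10(gap), 9)))
    return sil if sil <= 3 else None

TARGET = 1e-5                       # events/year, Class Exercise 1
INITIATING = 1e-1                   # events/year, Class Exercise 1
CAUSE = {"PC-1 sensor"}             # plugged connection to the pressure sensor

ORIGINAL = [
    Layer("design and maintenance", 0.10),  # typical value given in the slides
    Layer("BPCS pressure control PC-1", 0.10, frozenset({"PC-1 sensor"})),  # assumed PFD
    Layer("alarm PAH", 0.10, frozenset({"PC-1 sensor"})),                   # assumed PFD
]
IMPROVED = ORIGINAL + [
    Layer("alarm PAHH on P-2", 0.10, frozenset({"P-2 sensor"})),        # assumed PFD
    Layer("pressure relief valve", 0.01, frozenset({"relief valve"})),  # assumed PFD
]

if __name__ == "__main__":
    for label, layers in (("original", ORIGINAL), ("improved", IMPROVED)):
        freq, gap, rows = lopa(INITIATING, CAUSE, layers, TARGET)
        print(f"{label}: {freq:.1e} events/year, gap {gap:.0e}, SIL to close: {sil_to_close(gap)}")
        for name, pfd in rows:
            print(f"  {name:30s} credited PFD {pfd}")
```

Adding further components to a layer's `parts` set (power supply, signal transmission, computing) shows which common-cause faults would invalidate the table.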

Safety Layer of Protection Analysis Approaches to reducing risk The most common are BPCS, Alarms and Pressure relief. They are typically provided in the base design. The next most common is SIS, which requires careful design and continuing maintenance The probability of failure on demand for an SIS depends on its design. Duplicated equipment (e.g., sensors, valves, transmission lines) can improve the performance A very reliable method is to design an “inherently safe” process, but these concepts should be applied in the base case

Safety Layer of Protection Analysis Approaches to reducing risk The safety interlock system (SIS) must use independent sensor, calculation, and final element to be independent! We desire an SIS that functions when a fault has occurred and does not function when the fault has not occurred. SIS performance improves with the use of redundant elements; however, the systems become complex, requiring high capital cost and extensive ongoing maintenance. Use LOPA to determine the required PFD; then, design the SIS to achieve the required PFD.

Safety Layer of Protection Analysis Process examples Class Exercise 2: Fired heater to low air flow rate.

Safety Layer of Protection Analysis Process examples Class Exercise 2: Fired heater to low air flow. Frequency of air fan/motor failure is 0.10 to 1.0 events/year (Lees and CCPS)

Safety Layer of Protection Analysis Process examples Class Exercise 2: Fired heater to low air flow. Much too high! We must make improvements to the design.

Safety Layer of Protection Analysis Process examples
Class Exercise 2: Fired heater to low air flow rate.
[Process sketch: fired heater with air flow control, alarms, and an SIS using redundant air flow and pressure sensors]

Safety Layer of Protection Analysis Process examples Class Exercise 2: Fired heater to low air flow. Reasonable, but a little high.

Safety Layer of Protection Analysis Process examples Class Exercise 3: Fired heater to low feed flow rate.

Safety Layer of Protection Analysis Process examples Class Exercise 3: Fired heater to low feed flow rate. Probability of feed pump/motor failure is 0.01 events/year

Safety Layer of Protection Analysis Process examples Class Exercise 3: Fired heater to low feed flow rate. Too high! We must make improvements to the design.

Safety Layer of Protection Analysis Process examples
Class Exercise 2: Fired heater to low feed flow rate.
[Process sketch: fired heater with feed flow sensor F, flow switch FS to SIS, alarm FAH, and an SIS using redundant air flow and pressure sensors]

Safety Layer of Protection Analysis Process examples Class Exercise 3: Fired heater to low feed flow rate. OK! This is very acceptable for a scenario that is not an immediate safety concern, although tube rupture could lead to a fire. Note that the financial loss would be large.

When working on safety, professionals require an ethical approach!

Hazards and Operability Analysis & Layer of Protection Analysis can and should be integrated for safety management

Let’s not have this result from our work! BP Deepwater Horizon, April 20, 2010
