
Paper No. 2F

Initiating Events and Independent Protection Layers for LOPA, A New CCPS Guideline Book

John F. Murphy, PE
CCPS Staff Consultant

Wayne Chastain, P.E.
Engineering Associate
Eastman Chemical

William (Bill) Bridges
Process Improvement Institute, Inc.
www.piii.com

Prepared for Presentation at
American Institute of Chemical Engineers
2009 Spring National Meeting
43rd Annual Loss Prevention Symposium
AIChE 2009 Spring National Meeting
Tampa Convention Center
Tampa, Florida
April 26-30, 2009

UNPUBLISHED

AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications


    LPS 2009 __________________________________________________________________ Paper 2F 


Abstract

Layer of protection analysis (LOPA) is a semiquantitative tool for analyzing and assessing process risk. The tool has grown greatly in popularity and usefulness since the publication of the first CCPS/AIChE guidebook on the subject, Layer of Protection Analysis, Simplified Process Risk Assessment (LOPA). CCPS chartered a subcommittee to develop a new text on initiating events failures and independent protection layers. This paper will discuss the additional guidance provided by this new book including:

•  Additional choices and examples of initiating events (IEs).
•  Additional choices and examples of independent protection layers (IPLs).
•  More complete criteria of how to determine the value of each prospective IE and prospective IPL.
•  More elaboration on the practices that an organization should comply with to qualify an IE or IPL at a given value.
•  Example IE and IPL data tables.

This book will be a necessary reference for those applying the LOPA methodology. This paper will summarize this upcoming textbook, highlight some of the new IPLs and IEs, and highlight some of the chief concerns the subcommittee wrestled with.

1. Introduction

Layer of protection analysis (LOPA) is a semiquantitative tool for analyzing and assessing risk. Basic LOPA uses order-of-magnitude estimates of frequency, probability, and consequence severity, together with conservative rules related to ensuring all values used in the assessment are defensible and maintainable. This tool has grown greatly in popularity and usefulness since the publication of the first CCPS/AIChE guidebook on the subject (CCPS, 2001). This book builds on that important text by

•  Providing additional choices and examples of initiating events (IEs) for analysis in tools such as LOPA and similar approaches up to and including quantitative risk analyses (QRAs), that use additional tools such as Fault Tree Analysis (FTA), Event Tree Analysis (ETA), and Human Reliability Analysis (HRA)
•  Providing additional choices and examples of independent protection layers (IPLs)
•  Providing more complete criteria of how to determine the value of each prospective IE and IPL
•  Providing more elaboration on the limitations that an organization should comply with to qualify an IE or IPL at a given value; particularly defining the activities and documentation required for a system feature or action to validate or prove the feature before it can be credited at a given failure rate (for an IE) or a given probability of failure on demand (PFD) for an IPL
•  Discussing the linkage to other publications.


2. Audience

This book is intended for:

•  Current practitioners of LOPA. It is assumed that readers of this book have read and understood the first text (CCPS, 2001) on this topic. These practitioners can include process engineers, risk analysts, and process safety and safety specialists who are also familiar with other risk assessment methods (such as HAZOP, fault tree analysis, event tree analysis, etc.) and who already have some experience with LOPA (analysts, participants, reviewers, auditors, etc.). For this audience, Chapters 3 through 6 will provide additional details on rules for LOPA, additional example IEs, and additional example IPLs. Chapter 7 and the Appendices will contain guidance for analysts who find the need to supplement the basic LOPA approach with the use of fully quantitative methods such as FTA, ETA, and HRA (extensions beyond the basic, order of magnitude limits of LOPA).
•  Executives who are considering expanding their corporate strategy for managing risk by adding LOPA to their existing risk analysis process. For the executive audience, Chapter 2 will summarize the LOPA method and its benefits and explain the new limitations and interpretation of LOPA rules; and what these subtle changes in emphasis from the original LOPA textbook might mean to the organization.
•  Project Managers who want to ensure that a new process or process modification has sufficient layers of protection. LOPA is a tool for selecting and evaluating alternative layers of protection and can be used in any phase of a capital project.
•  Engineers, chemists, operations and maintenance personnel, supervisors, department managers, and others who must ensure that the technical and administrative requirements for each IE and IPL are met to assure the risk of the facility is maintained as estimated by LOPA. The chief ongoing effort is to maintain the IEs and IPLs at the stated failure rates. One goal of this text is to reinforce the activities and documentation that assist in obtaining the predicted order of magnitude risk reduction factor for each IE and IPL used by the facility. Chapters 3 through 6 will be useful for this audience, with particular attention to the data blocks and summary tables of validation criteria necessary for each IE and IPL. If these validation activities (such as proof tests) are not planned for and performed, then the IE and IPL are not valid.

3. Scope

The initial LOPA textbook (CCPS, 2001) set the guidelines for using LOPA as a middle ground between purely qualitative analysis (also called hazard evaluation) and full quantitative analysis methods. LOPA allows an order-of-magnitude risk estimate with fairly reproducible results within an organization. This text builds on the foundation laid by the LOPA textbook by clarifying key concepts and reinforcing limitations and requirements. The main scope of the book is to provide more examples of IEs and IPLs and to provide more concrete guidance on the protocols that must be followed to achieve and maintain these risk reduction systems and actions.

This book will not be a second edition of the existing CCPS LOPA book and does not intend to change any criteria established for LOPA in the first textbook on the topic. However, the industry has developed further knowledge through experience and many practitioners have requested more details on IEs and IPLs and the CCPS has seen the need to better explain the validations necessary to claim a risk reduction value for an IPL (or for an IE as well).

This book will exclude detailed explanations of Safety Instrumented Systems (SIS) and the related Safety Integrity Levels (SIL), or analysis of Protective Integrity Levels (PILs) afforded by these instrumented systems, since the IPL values and requirements for maintenance of this class of IPLs are covered in the book Guidelines for Safe and Reliable Instrumented Protective Systems (IPS) (CCPS, 2007). Just as in the original LOPA text, this book will list the risk reduction credits (IPL values) that can be obtained for each SIS or BPCS. But the design, implementation, and mechanical integrity of these systems have to be demonstrated to meet the criteria in IPS (CCPS, 2007) and the requirements of the related industry codes and standards (ANSI/ISA 84.00.01 and IEC 61511). Otherwise, as with all other IPLs, the PFD claimed for a PIL or SIL will not be valid.

This book will also exclude detailed explanations of conditional modifiers, which are probability factors used to estimate likelihood of fires, explosions, and fatality given a release has occurred. Conditional modifiers were discussed in LOPA (CCPS, 2001), but the topic is complex and application specific, which is beyond the scope of this book.

4. Recap of LOPA

What Is LOPA?

LOPA is a simplified form of risk assessment. Risk is a combination of the frequency of the scenario and the consequence of the scenario. LOPA typically uses order of magnitude estimates for initiating event frequency, consequence severity, and the likelihood of failure of independent protection layers (IPLs) to approximate the risk of a scenario. LOPA is an analysis tool that typically builds on the information developed during a qualitative hazard evaluation, such as a process hazard analysis (PHA), for example a hazard and operability analysis (HAZOP); LOPA does not identify hazardous scenarios, but it does provide a streamlined method for estimating the risk of scenarios. LOPA is implemented using a set of criteria that are more restrictive than those typically used for event trees and fault trees.

LOPA one consequence-cause pair

One limitation of the LOPA technique is its restriction to a single cause–consequence pair. By comparison, other risk analysis methods such as fault tree or quantitative risk assessment encompass multiple causes and can address multiple consequences in one analysis.

Like many other risk analysis methods, the primary purpose of LOPA is to determine if there are sufficient layers of protection to reduce the risk of an accident scenario below the specified risk criteria. A scenario may require one or many protection layers depending on the complexity of the scenario and potential severity of the consequence. Note that for a given scenario, only one layer must work successfully for the consequence being analyzed to be prevented. However, since no layer is perfectly effective, sufficient layers of protection must be provided to lower the risk below the specified risk criteria (e.g., second and third layer works when first fails).


History of LOPA

The initial development of LOPA was done internally within individual companies. However, once the method had been developed and refined, several companies published papers describing the driving forces behind their efforts to develop the method, their experience with LOPA, and examples of its use. In particular, the papers and discussion among the attendees at the CCPS International Conference and Workshop on Risk Analysis in Process Safety in Atlanta in October 1997 brought agreement that a book describing the LOPA method should be developed. This led to the LOPA textbook (CCPS, 2001).

Experience and developments while using LOPA over the past 10 years led to the authoring of the current book with a:

•  desire to improve the understanding of when IEs and IPLs are applicable,
•  desire to provide more examples of IEs and IPLs,
•  need for clearer protocols for validating an IPL or IE value.

Common Elements of LOPA

While the LOPA methods used by various organizations differ, they share the following common features:

•  A means to assess or estimate consequence that can be applied throughout the organization.
•  Numerical risk criteria. Individual companies use different criteria which may include (but are not limited to):
    -  Frequency of fatalities
    -  Frequency of loss of containment
    -  Economic loss
    -  Frequency of a consequence category (which can include damage, fatality, etc.)
    -  Required number of independent protection layer (IPL) credits
•  A method for identifying which scenarios require LOPA
•  Criteria for crediting safeguards as IPLs
•  Specified default data for initiating event frequencies and credits for IPLs.
•  A specified procedure for performing the required calculations.
•  A specified procedure for determining whether the risk associated with a scenario meets the risk criteria for an organization and, if it does not, how this is resolved and documented.

5. When to Use LOPA

Hazards and risk are evaluated and judged (assessment) during every phase in the life of a process. Throughout the process life cycle, there is an effort to choose the inherently safest and most reliable process technology and an effort to locate the process so as to optimally minimize risk to people, property, and the environment. Companies use hazard evaluation and risk judgment as tools in this effort. As the design matures, the understanding of the risk of a process also matures and this learning is in turn applied to the process design and operating philosophy. In the detailed engineering and construction phases of a project, we further refine the design and use an assortment of tools to help us determine plausible accident scenarios and judge the risk of such scenarios. LOPA can help in the risk judgment aspect at any phase of a project (see Bridges, et al., 2008). After a process is started up, the risk of the process must be maintained and changes must be controlled. LOPA can be used to help make risk judgments of plant modifications and procedural changes during these ongoing operational phases as well. Refer to the LOPA Guideline (CCPS, 2001) for details on when and how to use LOPA over the lifecycle of the process.

Figure 1 Types of Hazard/Risk Reviews (HR) Throughout the Life Cycle of a Process (each type uses one or more of the HR [PHA] methods)

LOPA can be effectively used at any point in the safety life cycle of a process or a facility (Figure 1), but it is most frequently used during:

•  The detailed design stage when the process flow diagram is essentially complete and the P&IDs are being developed. LOPA is used to examine scenarios, often generated by other process hazard assessment (PHA) tools, such as HAZOP, what-if, checklist, etc.; as part of the SIS design; or as a risk screen; or as part of a design study on a system to classify the various process alternatives and to select the best method.
•  Modifications to the process or its control or safety systems (i.e. management of change).

However, LOPA can also be used in all phases of the safety life cycle:

•  It can be used during the initial conceptual process design to examine basic design alternatives and provide guidance to select a design that has lower initiating event frequencies, or a lower consequence, or for which the number and type of IPLs are “better” than alternatives. Ideally, LOPA could be used to design a process which is “inherently safer” by providing an objective method to compare alternate designs quickly and quantifiably.
•  LOPA can be used during the regular cycle of PHAs (process hazard analyses) performed on a process. Experience with LOPA at several companies has shown that its scenario-focused methodology can reveal additional safety issues in fully mature processes that have previously undergone numerous qualitative PHAs. In addition, its objective risk criteria have proven effective in resolving disagreements on PHA findings that were based on qualitative techniques.
•  If the risk is currently too high, and if an SIS is the chosen risk reduction approach, then LOPA can readily determine what SIL will be required.
•  SIS should not be the first choice in reducing the risk of a process, so LOPA also examines alternatives to an SIS, such as modifying the process, adding other IPLs, etc.
•  LOPA can be used to identify equipment that, as part of an IPL, is relied upon to maintain the process within the tolerable risk criteria of an organization. Such equipment may be denoted as “safety critical” (ISA, 1995) and is subjected to specified testing, inspection and maintenance. At least one company has found that LOPA has significantly decreased the number of safety critical equipment; the list had grown over time by adding equipment on a qualitative “better safe than sorry” basis, but many of the additional safeguards were not necessary and diverted limited resources away from more critical risk control measures.
•  LOPA can be used to identify operator actions and responses that are critical to the safety of the process. This will allow focused training and testing to be performed during the life of the process and for the operating manuals to reflect the importance of a limited number of process variables, alarms and actions.
•  Coordination of set points between various IPLs (e.g., alarms, SIF, relief devices)

LOPA can also be used for other risk assessment studies within an organization, including terminal operations, tolling operations, auditing of third parties, loss prevention and insurance issues, etc.

What risk assessment methods are best for helping a company judge risk? There is a spectrum of answers to that question:


Figure 2 Spectrum of Risk Assessment Methods

The choice and use of the various qualitative to quantitative risk assessment methods vary between organizations (Figure 2). However, best practice is:

•  determine (find or identify) accident scenarios using qualitative judgment in a team-based setting (qualitative hazard evaluation) (PHAs, project risk reviews, HAZOP, etc.)
•  judge risk as well as possible by voting of the team (this typically completes the risk judgment for 95% of accident scenarios).
•  if the team cannot make a good risk decision (because the scenario is too complex, too new to them, or because the organization does not want them making the final decision for scenarios with large consequences), then use simplified-quantitative risk judgment techniques (such as LOPA) to aid in the risk judgment,
•  if the site must provide numerical documentation of mitigation of high risk scenarios, then use simplified-quantitative risk judgment techniques (such as LOPA) to document all aspects of the order-of-magnitude risk judgment,
•  if simplified quantitative analysis (e.g., LOPA) does not provide sufficient information for analyst or management to make a decision that the company can rely on, then perform a fully quantitative analysis (e.g., FTA, ETA, HRA) to create a more detailed model of the scenario and hopefully produce a valid risk judgment.

Note that ALL accident scenarios are identified using a team setting and qualitative hazard evaluation methods (one primary goal of qualitative hazard evaluation is hazard identification, which is also accident scenario identification); but occasionally, the teams do not feel capable of making the judgments without more elaborate modeling of the risk.


Basic LOPA Steps

As mentioned earlier, it is assumed that readers of this book are familiar (and hopefully practiced) in the LOPA method (CCPS, 2001). The following is a brief recap of the basic steps of LOPA; later chapters will expand on the concepts of IEs and IPLs. Like all analytical methods, LOPA has rules and steps:

Step 1: Select an accident scenario. LOPA is applied to one scenario at a time. The scenario can come from other analyses (such as qualitative analyses, like a PHA or project risk review), but the scenario describes a single cause–consequence pair. (From the perspective of QRA, an individual scenario is analogous to one path through an ETA, usually where all IPLs have failed.) The scenario is typically selected by the qualitative team because they are uncertain of the risk (perhaps due to the complexity of the scenario) and therefore they request “further analysis” (LOPA is typically performed outside of the qualitative team setting or with a somewhat different team). But, a company may also require a LOPA of all scenarios above a threshold consequence/severity rating.

Step 2: Estimate the consequence of the scenario. The analyst evaluates the consequence (including the impact) and estimates its magnitude. Some companies stop at the magnitude of a release (of material or energy), which implies, but does not explicitly state, the impact to people, the environment, the property, or profits. This uses a lookup table to determine the severity category of an accident LOPA scenario. A few companies will model the release and more explicitly estimate the consequence (and thereby the risk) to people, the environment, and property/profits by accounting for the likelihood of harm resulting from a specific scenario, for instance by also accounting for the probability of operators being in harm’s way during a release scenario (this is use of Conditional Modifiers, which is beyond the scope of this book).

Step 3: Identify the initiating event (IE) of the scenario and determine the initiating event frequency (events per year). The initiating event must lead to the consequence (given failure of all of the safeguards). The frequency must account for background aspects of the scenario, such as the frequency of the mode of operation for which the scenario is valid. Most organizations provide guidance in the form of a lookup table for estimating the frequency of an IE; this helps achieve consistency in LOPA results and limits overly optimistic risk estimates that may otherwise occur. If there are multiple IEs for the same deviation or consequence, then multiple LOPA scenarios must be evaluated, since the IPLs that can be credited are dependent on the IE for the scenario.

Note that LOPA and other risk assessment techniques all are highly dependent on understanding of the accident scenario under evaluation. Therefore, as with any risk assessment, improvement in the IE frequency and PFD data described in this book might NOT result in an increase in the quality of the analysis. It is much better to find all possible accident scenarios and understand each one as well as possible than it is to become overly confident in the risk reduction values and risk estimation methods.


Step 4: Identify the IPLs and estimate the probability of failure on demand (PFD) of each IPL. Some accident scenarios will require only one IPL, while other accident scenarios may require many IPLs, or IPLs of low PFD, to achieve a tolerable risk for the scenario. Recognizing the existing safeguards that meet or can be made to meet the rules and proof requirements of IPLs for a given scenario is the heart of LOPA. Most companies provide a predetermined set of IPL values for use by the analyst, so the analyst may pick the values that best fit the scenario being analyzed. This book builds on this practice and enhances it by illustrating the proof criteria also necessary to value and maintain an IPL. It should be noted that each safeguard, while likely to reduce the risk, does not contribute the full IPL risk reduction until it is fully implemented.

Step 5: Estimate the risk of the scenario by mathematically combining the consequence, initiating event, and IPL data. Other factors may be included during the calculation, depending on the definition of consequence (impact event). Approaches include arithmetic formulae and graphical methods. Regardless of the methods, most companies provide a standard form for documenting the results.

Step 6: Evaluate the risk to reach a decision concerning the scenario. This includes comparing the risk of a scenario to a company’s tolerable risk criteria and/or related targets. Note that organizations may or may not have common risk tolerance criteria. Also, note that in some cases, the IPL or IE values assigned within a company may be different, but that they may end up at the same judgment on tolerance of risk for a scenario common to one at your company; this may be due to a risk tolerable criteria that is offset to the same degree as the values they assign to IPLs and IEs. So, a LOPA from one company cannot be compared to a LOPA from another company (as a general rule) though perhaps the number and type of IPLs implemented can be compared.
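
The six steps above worked through for one constructed scenario, as an added example that is not from the paper or the CCPS books. The scenario, every frequency and PFD, the tolerable-frequency target, the class and function names, and the convention of crediting SIL n at a PFD of 10^-n are assumptions made for illustration.

```python
"""Basic LOPA arithmetic for one cause-consequence pair (added example).

Every frequency, PFD and target below is a constructed, order-of-magnitude
illustration; none is taken from the CCPS data tables.
"""
import math
from dataclasses import dataclass


@dataclass
class IPL:
    name: str
    pfd: float                      # probability of failure on demand
    validated: bool = True          # proof tests and documentation in place
    independent_of_ie: bool = True  # shares no equipment with the initiating event


@dataclass
class Scenario:
    consequence: str                # Step 2
    initiating_event: str           # Step 3
    ie_frequency: float             # events per year
    ipls: list                      # Step 4
    tolerable_frequency: float      # per year; company criterion used in Step 6


def credited(ipl):
    """An IPL earns its PFD credit only if validated and independent of the IE."""
    return ipl.validated and ipl.independent_of_ie


def frequency(scenario, only_credited=True):
    """Step 5: IE frequency multiplied by the PFD of each IPL that counts."""
    f = scenario.ie_frequency
    for ipl in scenario.ipls:
        if credited(ipl) or not only_credited:
            f *= ipl.pfd
    return f


def meets_criterion(f, target):
    """Step 6 comparison, tolerant of floating-point noise in the product."""
    return f <= target or math.isclose(f, target, rel_tol=1e-9)


def required_sil(scenario):
    """SIL of one added SIF that would close the gap, or 0 if there is no gap.

    Assumption: SIL n is credited at PFD 10**-n, the conservative edge of the
    IEC 61511 low-demand band. Returns None when more than SIL 4 is needed.
    """
    f = frequency(scenario)
    if meets_criterion(f, scenario.tolerable_frequency):
        return 0
    needed_pfd = scenario.tolerable_frequency / f
    sil = max(1, math.ceil(-math.log10(needed_pfd) - 1e-9))
    return sil if sil <= 4 else None


def assess(scenario):
    """Collect the Step 4 to Step 6 results for one scenario."""
    mitigated = frequency(scenario)
    return {
        "credited": [i.name for i in scenario.ipls if credited(i)],
        "rejected": [i.name for i in scenario.ipls if not credited(i)],
        "uncredited_view": frequency(scenario, only_credited=False),
        "mitigated": mitigated,
        "tolerable": meets_criterion(mitigated, scenario.tolerable_frequency),
        "required_sil": required_sil(scenario),
    }


# Constructed scenario (Step 1): a single cause-consequence pair.
OVERPRESSURE = Scenario(
    consequence="Overpressure of a pressurized vessel on liquid overfill",
    initiating_event="BPCS level control loop failure",
    ie_frequency=0.1,
    ipls=[
        # Alarm comes from the same BPCS loop that failed: not independent.
        IPL("BPCS high-level alarm + operator response", 0.1,
            independent_of_ie=False),
        # No proof-test records, so the claimed PFD is not valid.
        IPL("Independent high-high level switch", 0.1, validated=False),
        IPL("Spring-operated relief valve, clean service", 0.01),
    ],
    tolerable_frequency=1e-5,
)

if __name__ == "__main__":
    for key, value in assess(OVERPRESSURE).items():
        print(f"{key}: {value}")
```

Taking all three safeguards at face value would place this scenario at the target frequency; applying the independence and validation rules leaves a gap of two orders of magnitude.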

6. Extensions beyond basic LOPA

LOPA was originally developed as a streamlined, risk quantification method to be used after a qualitative hazard review (such as a HAZOP-based, team oriented analysis). It was developed because FTA and HRA (full QRA methods, see Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition, CCPS, 1999) (CPQRA) were seen as gross overkill for evaluation of most scenarios that perplexed a qualitative team or a design team. However, the criteria of basic LOPA are necessarily limiting (which allows the simplification of approach of LOPA) and this has led some analysts to develop extensions of LOPA beyond the basic rules and requirements specified in the LOPA book (CCPS, 2001). A first example of this was Approach B for using a second basic process control loop as an IPL, as described in Chapter 11, Advanced LOPA Topics, in the LOPA book (CCPS, 2001).

This book helps to clarify what fits within the context of the original basic method called LOPA and what constitutes extensions of that method. It is a responsibility of an organization to define and defend their risk assessment protocol. Chapter 6 of the new book provides guidance on when extensions beyond basic LOPA may be appropriate, and how it may be used in conjunction with the basic approach.


7. Additional guidance provided

7.1 Additional choices and examples of initiating events (IEs).

The book has included a list of additional examples of IEs. The first LOPA book only listed about a dozen IEs; the new book contains about double that number of IEs. Below is a listing of IEs that are defined in the new book:

Loss of Containment Events (these are discussed, but for the most part, these will not be used as IEs, since for most of these IEs there are no valid IPLs against the consequence of interest).

•  Atmospheric tank catastrophic (instantaneous or 10 minute release) failure
•  Atmospheric tank continuous leak (10 mm diameter)
•  Pressure vessel (instantaneous or 10 minute release) failure
•  Piping failure, full breach (pipe size less than or equal to 150 mm)
•  Piping failure, full breach (pipe size > 150 mm)
•  Piping leak (pipe size less than or equal to 150 mm)
•  Piping leak (pipe size > 150 mm)
•  Gasket; supported by rings, etc.
•  Gasket Packing blowout Boxed flanges, and clamped Pump seal failure (any type)
•  Pump seal failure (double mechanical seal failure)
•  Catastrophic pump seal failure (any type)
•  Hose failure, catastrophic rupture
•  Premature opening of spring loaded relief valve

Triggering Events/initiating causes (this list has been expanded since LOPA (CCPS 2001) and also contains new criteria for when the failure rates provided in the data tables are valid).

•  BPCS loop failure (includes pneumatic control loop failure)
•  Pressure regulator failure (single stage)
•  Temperature control valve failure
•  Spurious Failure of Instrumented Protective Device
•  Premature opening of spring loaded relief valve
•  Pump (typically centrifugal), Electric Driven, Spurious Stop (includes loss of local power circuit)
•  Compressor, Electric Driven, Spurious Stop
•  Fan (induced drafted)
•  Fan (Forced draft)
•  Rotating equipment (pumps, fan, and compressors)
•  Screw conveyor failure (premature stoppage)
•  Screw conveyor over-heating of materials (and overheating caused by screw rubbing on housing/barrel)
•  Loss of supply
•  Excess of supply
•  Loss of power (localized)
•  Loss of power (plant/unit-wide)
•  Inerts in Process Supply
•  Single Check Valve Fails Open (with scenario related to large backflow, not leakage past check valve)
•  Double Check Valve in series (1oo2) (with scenario related to large backflow, not leakage past check valve)
•  Human error for a routine task that is performed once per day or more often, with a checklist as a memory aid
•  Human error for a routine task that is performed once per month or more often, with a checklist as a memory aid
•  Human error for a non-routine task that is performed once per year or more often, with a checklist as a memory aid
•  Impact by vehicle, backhoe, crane movement, crane load dropped
•  Lightning strike
•  Fire, small
•  Fire, large
•  Loss of agitation

    7.2 Additional choices and examples of independent protection layers (IPLs).

    The list of IPLs has been expanded about 6 fold. The new list will include:

    •  Deflagration Flame Arrester or Stable Detonation Arrester installed inline between anignition source (e.g. TOX) and a source of flammable or combustible vapors

    •  Unstable (overdriven) Detonation Arrester installed inline between an ignition source (e.g.,

    TOX) and a source of flammable or combustible vapors•  Fire suppression system (water; water and foam; other suppressants); automatic

    •  Fire suppression system (non-aqueous including dry agent) for room; automatic

    •  Fire Suppression; Local Application (non-aqueous including dry agent; automatic)

    •  Explosion suppression system (dry agent) for process equipment; automatic

    •  Fire proof insulation and cladding on vessel or other equipment

    •  Gas Monitors with automatic deluge

    •  Single BPCS loop (no human intervention required)

    •  BPCS Loop (no human intervention required) as second IPL or as IPL when Initiating Event is BPCS Failure (Approach B)

    •  Pneumatic control loop

    •  Pressure regulator

    •  Spring-Operated Pressure Relief Valve in clean service with no history of blockage or fouling and with no block valve upstream or downstream or with a block valve u/s or d/s with admin control that meets code for ensuring the block valve

    •  Dual Redundant Spring-Operated Pressure Relief Valve in Clean Service, with each relief valve adequately sized for scenario under consideration so that full redundancy is present, the valves are in clean (non-fouling) service and no extra block valves upstream or downstream.

    •  Multiple PSVs that all must open to meet relief capacity

    •  Single Spring-Operated Pressure Relief Valve in potential pluggage service

    •  Pilot-Operated Pressure Relief Valve in clean service, and with no history of fouling or blockage

    •  PSV protected by RD

    •  Rupture Disk

    •  Emergency pressure relief valve, weight loaded, (also known as a conservation vent) in clean service with no history of blockage or fouling [this entry is for non ASME code certified devices designed to relieve systems at less than 1 barg]

    •  Emergency pressure relief valve, spring loaded, (also known as a conservation vent) in clean service with no history of blockage or fouling [this entry is for non ASME code certified devices designed to relieve systems at less than 1 barg]

    •  Buckling pin relief device in clean service with no history of blockage or fouling

    •  Buckling pin emergency shutdown device

    •  Vent (explosion) panels for prevention of rupture in low pressure equipment

    •  Frangible roofs on flat-bottom tank

    •  Explosion panels for internal dust or vapor/gas deflagration explosions

    •  Explosion walls/panels for buildings

    •  Explosion barriers

    •  Vacuum Breaker

    •  Continuous Ventilation w/o performance monitoring capability

    •  Continuous Ventilation w/ performance monitoring and alarming for diagnosis

    •  Emergency Ventilation

    •  Overflow line from tank/vessel/drum with additional hardware with a liquid seal leg.

    •  Overflow line or roof-top vent lines (and goose necks) from tank/vessel/drum

    •  Gas Balance/ Adjustable Set Pressure Surge Relief Valve

    •  Human responds to an annunciation (alarm light and sound) without distractions from other alarms, and he/she has 10 minutes to accomplish the required action if in field or 5 minutes if by manual mode in the control room

    •  Human responds to an annunciation (alarm light and sound) and he/she has 24 hours to accomplish the required action

    •  Human responds to a field reading or sample analysis where the time between samples or field readings is at least twice the time expected for an IE to propagate to the consequence

    •  Human double-check, as specified in a written procedure, independent work group with incentives

    •  Car seal

    •  Chain & lock

    •  Administrative Access Controls

    •  Special Personal Protective Equipment (PPE)

    •  Pipeline Surge Dampening Vessel

    •  Double wall piping

    •  Double wall vessels/tanks (such as ammonia storage tanks, LNG storage tanks, etc.)

    •  Dike

    •  Single Check Valve (with scenario related to large backflow, not leakage past check valve)

    •  Single Check Valve - High Test Frequency (with scenario related to large backflow, not leakage past check valve)

    •  Double Check Valve in series (1oo2) (with scenario related to large backflow, not leakage past check valve)

    •  Bubble tight check valve (class 5; class 6 tightness)

    •  Mechanical stop that limits travel (adjustable)

    •  Mechanical stop that limits travel (non-adjustable, after initial installation)

    •  Restrictive Orifice in clean service (with scenario related to excess flow rate)

    •  Excess flow valve

    •  Mechanical over-speed trip on a turbine

    •  Emergency scrubber/absorber consumes (removes) components of concern prior to release to atmosphere

    •  Flare consumes/combusts components of concern prior to release to atmosphere

    •  Generic Emergency effluent/discharge systems

    •  Continuous Pilots; capable of keeping 50% of pilots lit.

    •  Mechanically-Activated Emergency Shutdown/Isolation Device

    •  SIL 1 Safety Instrumented Function

    •  SIL 2 Safety Instrumented Function

    •  SIL 3 Safety Instrumented Function

    •  Inerting system.

    7.3 More complete criteria of how to determine the value of each prospective IE and prospective IPL.

    Table 1 provides a snippet of the IPL summary tables which will be included in the new guideline. The criteria that must be met to claim any listed IPL dominate the IPL tables. These criteria must be met for the PFD for the IPL to be valid.

    An example is a flame arrester (see Table 1). There is a full description of the IPL and a value of 0.01 is suggested.

    IPL Description

    Deflagration Flame Arrester or Stable Detonation Arrester installed inline between an ignition source (e.g., TOX) and a source of flammable or combustible vapors.

    The value is only appropriate if the special conditions are met.

    •  The piping between the ignition source and arrester is well below the run-up distance required to allow a transition to detonation (DDT) for Deflagration type or formation of Unstable Detonation for a Stable Detonation type.

    •  Location considered (avoid "hot side" on bottom of vertically mounted arrester since this decreases endurance burn; avoid accumulation of liquids in arrester, use drains to remove liquids).

    •  Device does not impose excessive flow restriction on the process and any fouling issues have been addressed.

    •  Temperature monitoring with a thermocouple directly in contact with the hot side of the device is highly recommended to allow operations to recognize when device is being challenged.

    7.4 More elaboration on the practices that an organization should comply with to qualify an IE or IPL at a given value.

    This is likely the most important improvement over the first LOPA book.

    For a flame arrester the following proof methods and frequency requirements must be met:

    Proof Method

    •  Device is included on a routine maintenance schedule which specifies shutting down the line and opening the device for inspection.

    •  Device is always inspected if it is suspected to have stopped a flame or if process upset could compromise its integrity.

    •  Inspection includes determining whether the device is plugged and whether corrosion might compromise its capability to arrest a flame in accordance with most industry standards.

    Proof Frequency

    Initially, every 12 months or per vendor recommendation, then adjust the interval to 24, 35, or up to a maximum of 4 years, if no signs of corrosion.

    Each IPL listed also has a proof method and frequency requirement.

    Table 1. Example Extracted from the IPL/IE Guideline (CCPS, pending 2010)

    8. Concerns of the committee

    There is concern that the data tables will be misused. Users need to understand the background associated with the data tables to be sure the data is applicable to their situation as discussed above.

    Adherence to the LOPA rules of efficacy, independence, validation, and auditing of safeguards is required before the safeguard can be considered as an independent protection layer (IPL) for LOPA. This means that to be an IPL, it must perform the task it was designed to do (e.g., a relief valve must relieve at the design pressure and prevent system rupture). An IPL must be validated to ensure that it works when needed (results of the validation must be recorded). Of course, the IPL must be independent of other layers of protection (e.g., common cause failure will not result in failure of other IPLs). Finally, there must be management systems in place to ensure auditing of the systems to make sure IPLs are only used in LOPA if they meet the criteria and if they are validated.
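The four rules above, applied as a gate before any PFD is credited, in an added Python example that is not taken from the paper or the CCPS guideline. The scenario, tag names, initiating-event frequency and every PFD except the flame arrester's 0.01 are constructed for illustration.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Safeguard:
    name: str
    pfd: float               # probability of failure on demand claimed for the layer
    components: frozenset    # hardware and people the layer depends on
    effective: bool = True   # performs its design task in this scenario
    validated: bool = True   # proof test performed and recorded
    audited: bool = True     # covered by the management-system audit

def qualify(ie_components, safeguards):
    """Split safeguards into credited IPLs and rejected ones with reasons."""
    # Independence is checked against the initiating event and every layer
    # already credited, so list order decides which of two layers sharing
    # a component keeps the credit.
    used = set(ie_components)
    credited, rejected = [], []
    for sg in safeguards:
        reasons = []
        if not sg.effective:
            reasons.append("efficacy")
        if sg.components & used:
            reasons.append("independence")
        if not sg.validated:
            reasons.append("validation")
        if not sg.audited:
            reasons.append("auditing")
        if reasons:
            rejected.append((sg.name, reasons))
        else:
            credited.append(sg)
            used |= sg.components
    return credited, rejected

def mitigated_frequency(ie_per_year, credited):
    """Initiating-event frequency times the PFD of each credited IPL."""
    return ie_per_year * prod(sg.pfd for sg in credited)

# Constructed scenario; only the arrester PFD of 0.01 comes from the paper.
IE_PER_YEAR = 0.1
IE_COMPONENTS = {"BPCS-FIC-1"}
SAFEGUARDS = [
    Safeguard("Flame arrester", 0.01, frozenset({"arrester"})),
    Safeguard("High-temperature trip", 0.1, frozenset({"TT-1", "XV-1"})),
    Safeguard("Operator response to TT-1 alarm", 0.1, frozenset({"TT-1", "operator"})),
    Safeguard("Car seal", 0.1, frozenset({"seal"}), validated=False, audited=False),
]
```

Here the operator alarm loses its credit because it shares the TT-1 sensor with the trip, and the car seal is rejected for missing validation and audit records, so only two layers reduce the frequency.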

    The LOPA method can be misused. LOPA is a risk assessment tool to be used in selecting IPLs for a single cause-consequence scenario, but LOPA does not identify scenarios or represent the actual risk of a process scenario. It is a tool for assessing the need for additional layers of protection to prevent the scenario being analyzed.

    9. Summary

    In summary, this new guideline book will be a complement to the original book on LOPA. It will provide examples of initiating events and layers of protection and provide data that can be used in the LOPA analysis. The book will be a necessary addition to the LOPA users’ library. It will be available to purchase in early 2010.

    10. References

    1.  Layer of Protection Analysis: Simplified Process Risk Assessment; (LOPA), CCPS, 2001.

    2.  Safe and Reliable Instrumented Protective Systems; (IPS), CCPS, 2007.

    3.  Bridges, WG, et al, Controlling Risk During Major Capital Projects, 24th CCPS International Conference and Workshop on Process Safety (CCPS), New Orleans, LA, April 2008.

    4.  Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition; (CPQRA), CCPS, 1999.

    5.  ISA, ANSI 84.00.01-2004 (IEC 61511 modified) Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Research Triangle Park, NC, 2004.
