Is It Really an Independent Protection Layer?
A. M. (Art) Dowell, III, PE
Chemical Process Safety Consultant
Copyright 2011 A M Dowell III PE
Art Dowell Bio Sketch
Principal, AM Dowell III PE
42 years, Rohm and Haas Company, now Dow
BA/BS ChE, Rice University, 1966/1967
Fellow, AIChE; Member, ISA
Bill Doyle Award, 1991
2002 Albert F. Sperry Founders Award from ISA, for outstanding contribution in the development of layer of protection analysis
Agenda
Why is independence important?
How the LOPA math works
IPL characteristics and core attributes
Examples
Conclusion
How LOPA Works -- Unmitigated
(Figure: an initiating cause, occurring at frequency Freq, leads straight to the consequence; there are no protection layers in between.)
Inherently Safer
Reduce or eliminate hazards:
Intensify
Moderate
Apply inherently safer concepts to the process design and chemistry.
LOPA Model -- Mitigated
(Figure: protection layers, such as controls, SIFs and relief valves, sit between the initiating cause at frequency Freq and the consequence; the potential consequence frequencies are reduced.)
Event Tree Model
Initiating event, estimated frequency $f_i = x$
IPL1 succeeds: safe outcome. IPL1 fails ($\mathrm{PFD}_1 = y_1$): $f_1 = x \cdot y_1$
IPL2 succeeds: safe outcome. IPL2 fails ($\mathrm{PFD}_2 = y_2$): $f_2 = x \cdot y_1 \cdot y_2$
IPL3 succeeds: safe outcome. IPL3 fails ($\mathrm{PFD}_3 = y_3$): consequence frequency $f_3 = x \cdot y_1 \cdot y_2 \cdot y_3$
Copyright 2001 by the American Institute of Chemical Engineers, and reproduced by permission of AIChE
LOPA Math
The mitigated consequence frequency is given by
$f_c = f_i \cdot \mathrm{PFD}_1 \cdot \mathrm{PFD}_2 \cdots \mathrm{PFD}_n$
where
$f_i$ is the frequency of the initiating cause, $\mathrm{PFD}_n$ is the probability of failure on demand of the nth independent protection layer, and $f_c$ is the mitigated frequency of the consequence.
The product form holds only because each protection layer is independent of the initiating cause and of every other layer; if two layers share an element, their failures are correlated and multiplying their PFDs overstates the risk reduction.
IPL Characteristics
Independent protection layers (IPLs) should be
unique and applicable, independent, dependable, and auditable
CCPS [2001], Layer of Protection Analysis: Simplified Process Risk Assessment
IPL Core Attributes
Independence
Functionality
Integrity
Reliability
Auditability
Access Security
Management of Change
CCPS [2007] Guidelines for Safe and Reliable Instrumented Protective Systems
Core Attributes
Independence
the performance of a protection layer is not affected by the initiating cause of a hazardous event or by the failure of other protection layers;
Functionality
the required operation of the protection layer in response to a hazardous event;
Core Attributes, Continued
Integrity
related to the risk reduction that can reasonably be expected given the protection layer's design and management;
Reliability
the probability that a protection layer will operate as intended under stated conditions for a specified time period;
Core Attributes, Continued
Auditability
ability to inspect information, documents and procedures, which demonstrate the adequacy of and adherence to the design, inspection, maintenance, testing, and operation practices used to achieve the other core attributes;
Access Security
use of administrative controls and physical means to reduce the potential for unintentional or unauthorized changes; and
Core Attributes, Continued
Management of Change
formal process used to review, document, and approve modifications to equipment, procedures, raw materials, processing conditions, etc., other than replacement in kind, prior to implementation.
Keywords
3 Ds: Detect, Decide, Deflect
4 Enoughs: Big Enough, Fast Enough, Strong Enough, Smart Enough
The Big I: Independent, of the initiating cause and of the other IPLs
3Ds Example
Pressure relief valve
The spring detects rising pressure. The spring decides when to open the valve. The open valve deflects the overpressure consequence, provided the valve is sized correctly.
4 Enoughs Examples
A pressure relief valve is Big Enough and opens Fast Enough.
A pressure isolation valve is Strong Enough to stop the surge.
A purge system is Smart Enough to purge the vessel and then isolate it.
Frequent conflicts with the Big I
Using the initiating cause sensor as the protection layer sensor.
Using the same sensor for two protection layers.
Using the initiating cause valve as the protection layer final element.
Using the same final element for two protection layers.
Using the initiating cause controller as the protection layer logic solver.
Using the same logic solver for two protection layers (it may be possible to use the same safety-certified PLC as the logic solver for two protection layers if its probability of failure on demand is low enough).
Every one of these is a common-cause failure: a single fault defeats the initiating side and the protection, or two layers, at once.
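The LOPA product above, and the common-cause conflicts just listed, are easy to see in a few lines of code. The following is an added worked example and is not from the slides or from CCPS: it evaluates the event tree with the deck's symbols (f_i, PFD_k, f_c) and then shows what the arithmetic looks like when two "layers" share one element such as a logic solver or final element. The layer names and all numbers are constructed for illustration; the shared-element formula assumes the shared part and the remaining parts fail independently of each other.

```python
# Added example (not from the slides): LOPA event-tree arithmetic, plus the
# effect of a shared element on the credited risk reduction. Symbols follow
# the deck: f_i (initiating frequency), PFD_k, f_c (mitigated frequency).
# All layer names and numbers are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float   # probability of failure on demand, 0 < pfd <= 1


def event_tree(f_i, layers):
    """Walk the event tree: the demand reaches layer k+1 only after layers
    1..k have all failed. Returns (f_c, branches) where
    branches[k] = f_i * PFD_1 * ... * PFD_(k+1); the last branch is f_c."""
    branches = []
    f = f_i
    for layer in layers:
        f *= layer.pfd
        branches.append(f)
    return f, branches


def mitigated_frequency(f_i, layers, modifiers=()):
    """f_c = f_i * PFD_1 * ... * PFD_n * (conditional modifiers).
    A modifier (probability of ignition, of a person present, ...) may be
    applied once at most, and not at all if f_i already includes it."""
    f_c, _ = event_tree(f_i, layers)
    for p in modifiers:
        f_c *= p
    return f_c


def risk_reduction_factor(f_i, f_c):
    """RRF = f_i / f_c, the overall credit taken for the layers."""
    return f_i / f_c


# --- Shared element: the plain product no longer applies ----------------
def whole_layer_pfd(pfd_shared, pfd_rest):
    """PFD of one layer made of a shared element plus its own parts; the
    layer fails if either part fails (parts assumed independent)."""
    return pfd_shared + (1 - pfd_shared) * pfd_rest


def naive_two_layer_pfd(pfd_shared, pfd_a_rest, pfd_b_rest):
    """What a LOPA credits if both layers are (wrongly) taken as
    independent: the product of the two whole-layer PFDs."""
    return (whole_layer_pfd(pfd_shared, pfd_a_rest)
            * whole_layer_pfd(pfd_shared, pfd_b_rest))


def actual_two_layer_pfd(pfd_shared, pfd_a_rest, pfd_b_rest):
    """Both layers are defeated whenever the shared element fails; only
    the remaining, genuinely independent parts may be multiplied."""
    return pfd_shared + (1 - pfd_shared) * pfd_a_rest * pfd_b_rest


if __name__ == "__main__":
    layers = [Layer("High level alarm + operator response", 0.1),
              Layer("SIF high-high level trip", 0.01),
              Layer("Relief / secondary containment", 0.01)]
    f_c, branches = event_tree(0.1, layers)   # f_i = 0.1 per year (constructed)
    for layer, f in zip(layers, branches):
        print(f"after {layer.name}: {f:.2e}/yr")
    print("RRF:", risk_reduction_factor(0.1, f_c))
    print("naive two-layer PFD :", naive_two_layer_pfd(0.01, 0.1, 0.1))
    print("actual two-layer PFD:", actual_two_layer_pfd(0.01, 0.1, 0.1))
```

With the constructed numbers, a shared element with PFD 0.01 makes the true combined PFD of the two layers 0.0199, while crediting them as independent gives 0.0119: the naive LOPA claims almost twice the risk reduction that the hardware actually delivers.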
Tank Overflow Example
Consequence: overflow of a flammable material.
Cause: failure of the LIC loop (LT1, LIC1, LV1).
Does the LAH (high level alarm) Detect? Decide? Deflect?
Tank Overflow with Operator Response?
4 Enoughs: Big Enough? Fast Enough? Strong Enough? Smart Enough? The operator needs 10 minutes to respond.
The Big I: Independent of the initiating cause? Independent of other IPLs? What if the fluid density changes?
Op Response NOT Independent
Tank Overflow Example
Auditability
If you never test your IPL, you will find out that it is broken when your plant blows up.
Auditability
Test the equipment? Test the whole SIF, from the process-wetted sensor element to the process-wetted final element.
(Figure: SIF from LSH1 through the SIS logic solver to Valve A, including the instrument air supply.)
Auditability
Test the operator response? Every shift? Relief operators? The manual valve?
Are the procedures available and current?
Auditability
"Procedures are subject to a form of corrosion more rapid than that which affects steel; they can vanish without a trace once management stops taking an interest in them." -- Trevor Kletz
Access Security
Who has access to the configuration of the logic solver that annunciates the high level alarm?
Access Security
What are the procedures to ensure that the set point for an analogue high level alarm is not changed?
Access Security
What are the procedures to ensure that the high level alarm is not disabled or inhibited?
(Figure: LAH alarm status display showing the Disabled and Inhibited flags.)
Management of Change: Don't Increase the Risk!
(Figure: tank with LAH.)
In future, a process improvement specialist may ask, "Why is the set point for this alarm so low? We could be using a lot more of the volume of this tank."
The management of change system must be able
to retrieve the specifications for the operator-response-to-high-level-alarm IPL,
to recognize that the alarm set point is what provides sufficient time for the operator to make the response, and
to retain the required setting for a manual response, or to automate the response so that a higher set point can be used.
Spreadsheet to Test IPL Attributes
Do candidate protection layers (safeguards) meet the requirements? Consider a spreadsheet: the characteristics of IPLs, for each candidate IPL, versus scenarios.
This can be useful where there are a number of existing safeguards and the historical culture has assumed that the safeguards are sufficient.
Spreadsheet layout: one row per scenario. For each candidate safeguard there is a column for Description, Detect?, Decide?, Deflect?, Big Enough?, Fast Enough?, Strong Enough?, Smart Enough?, Independent of the Initiating Cause?, and Independent of other IPLs?; the last column is # of Safeguards that meet IPL criteria.

Scenario 1: LIC loop failure overfills tank with release.
Safeguard 1, operator response to alarm from the level control loop level transmitter: Detect? N (note 1). Independent of the initiating cause? N (note 1). Independent of other IPLs? N (note 2). Does not qualify as an IPL.
Safeguard 2, operator response to alarm from the fixed point level sensor probe: Detect? Y. Decide? Y. Deflect? Y. Big Enough? Y. Fast Enough? Y (note 3). Strong Enough? Y. Smart Enough? Y. Independent of the initiating cause? Y. Independent of other IPLs? Y. Qualifies.
Safeguards that meet IPL criteria: 1.

Scenario 2: Fluid in tank has lighter density than specified in design, overfills tank with release. The same two candidate safeguards are evaluated against the same columns.

Notes:
1. If the LIC loop sensor fails, it cannot detect. If the LIC controller fails, it may not be able to annunciate the alarm.
2. Not independent of the operator response to alarm from the fixed point level probe.
3. Ensure there is at least 10 minutes for the operator to respond to the high level alarm at the maximum fill rate.
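The spreadsheet on the previous slide can be turned into a checklist that a program evaluates, so that the "Big I" columns are derived from what each safeguard actually depends on rather than filled in by hand. The following is an added example, not from the slides or from CCPS: each candidate lists the elements it needs, independence is computed from element overlap with the initiating cause and with candidates already credited, and the count of qualifying IPLs per scenario is returned. The tags LT1, LIC1, LV1 and the fixed point level probe come from the deck; the annunciator, operator and manual inlet valve names, the pump P-1 and the whole second scenario are constructed.

```python
# Added example (not from the slides): the IPL attribute spreadsheet as a
# checklist function. Independence is derived from element overlap.
# Tags LT1, LIC1, LV1 and the fixed-point probe are from the deck; the other
# element names and the second scenario are constructed.
from dataclasses import dataclass

THREE_DS = ("detect", "decide", "deflect")
FOUR_ENOUGHS = ("big", "fast", "strong", "smart")


@dataclass
class Safeguard:
    name: str
    elements: frozenset   # every element the safeguard needs in order to work
    answers: dict         # THREE_DS + FOUR_ENOUGHS -> True/False


@dataclass
class Scenario:
    name: str
    initiating_elements: frozenset   # elements whose failure is the initiating cause
    candidates: tuple


def evaluate(scenario):
    """Return {safeguard name: [failed checks]}; an empty list means the
    candidate qualifies as an IPL for this scenario. Candidates are taken
    in order: one that shares an element with a candidate already credited
    is rejected, which is how the spreadsheet avoids counting one operator
    (or one valve, or one logic solver) twice."""
    results, credited = {}, []
    for sg in scenario.candidates:
        fails = [k for k in THREE_DS + FOUR_ENOUGHS if not sg.answers.get(k, False)]
        shared_ic = sg.elements & scenario.initiating_elements
        if shared_ic:
            fails.append("not independent of initiating cause: shares "
                         + ", ".join(sorted(shared_ic)))
        for other in credited:
            shared = sg.elements & other.elements
            if shared:
                fails.append("not independent of other IPLs: shares "
                             + ", ".join(sorted(shared)) + " with " + other.name)
        results[sg.name] = fails
        if not fails:
            credited.append(sg)
    return results


def count_ipls(scenario):
    """The spreadsheet's last column: # of safeguards that meet IPL criteria."""
    return sum(1 for fails in evaluate(scenario).values() if not fails)


ALL_YES = dict.fromkeys(THREE_DS + FOUR_ENOUGHS, True)

OP_RESPONSE_LT = Safeguard(
    "Operator response to alarm from LIC loop level transmitter",
    frozenset({"LT1", "LIC1", "operator", "manual_inlet_valve"}),
    {**ALL_YES, "detect": False},   # note 1 on the slide: a failed LT1 cannot detect
)
OP_RESPONSE_PROBE = Safeguard(
    "Operator response to alarm from fixed point level probe",
    frozenset({"fixed_point_probe", "annunciator", "operator", "manual_inlet_valve"}),
    ALL_YES,
)

# Scenario 1 is the deck's: the LIC loop (LT1, LIC1, LV1) fails.
SCENARIO_1 = Scenario("LIC loop failure overfills tank with release",
                      frozenset({"LT1", "LIC1", "LV1"}),
                      (OP_RESPONSE_LT, OP_RESPONSE_PROBE))

# Constructed scenario: the initiating cause is outside the LIC loop, so both
# alarms can detect it, but the two responses still rely on the same operator
# and the same manual valve, so only one of them may be credited.
SCENARIO_2 = Scenario("Upstream pump P-1 delivers above design rate, overfills tank",
                      frozenset({"P-1"}),
                      (Safeguard(OP_RESPONSE_LT.name, OP_RESPONSE_LT.elements, ALL_YES),
                       OP_RESPONSE_PROBE))

if __name__ == "__main__":
    for sc in (SCENARIO_1, SCENARIO_2):
        print(sc.name, "->", count_ipls(sc), "IPL(s)")
        for name, fails in evaluate(sc).items():
            print("  ", name, ":", "qualifies" if not fails else "; ".join(fails))
```

Listing elements rather than ticking boxes is the point: the moment someone proposes to reuse LIC1 as the alarm's logic solver, or to rely on the same operator for a second alarm, the overlap shows up as a failed independence check instead of being argued away in a meeting.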
CCPS IPL Book 2011
It's time to take our own data!
Relief valves: inspect and document the inlet and outlet nozzles; pre-pop test before rebuild.
SIS: record as-found and as-left condition for sensors, valves, and logic.
Operator response to alarm: annunciation, each operator, final element.
CCPS IPL Book 2011
Audit features with the potential to disable IPLs:
Block valves around relief devices: tagged, locked, or car sealed.
Bypasses around SIF shut-down valves: tagged, locked, or car sealed.
Record deviations from the required configuration. Modify the calculated PFD (probability of failure on demand) accordingly. If needed, add more protection layers.
CCPS IPL Book 2011
Does your experience support the risk reduction assumed in the LOPA?
If not, add more layers, and do root cause analysis to improve the performance of the existing layers.
CCPS IPL Book 2011
Listen to the voice of the process: log and investigate every activation of an IPL.
Relief valve opening, SIF trip, operator response to alarm: these are near misses.
Modify equipment and procedures to avoid challenges to the IPLs.
CCPS IPL Book 2011
Avoid high demand on the IPLs
That is, challenges to the IPLs more than once per year, or more than twice in the proof-test interval. In high demand mode the safety system is being used for basic control, and the PFD-based LOPA credit no longer applies. See details in CCPS 2001 (LOPA), CCPS 2007 (IPS), and CCPS 2011 (IPLs).
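The two slides above ask for an activation log and a demand-rate check against it. The following is an added example and is not from the slides or from CCPS: it parses a constructed activation log (every line, tag and proof-test interval below is made up for illustration), counts demands per IPL, and applies the deck's two thresholds, more than one challenge per year or more than two challenges within the test interval, to flag an IPL that is in high demand.

```python
# Added example (not from the slides): demand-rate check over an IPL
# activation log. LOG, the tags and TEST_INTERVAL_DAYS are constructed; the
# thresholds (>1 demand/year, or >2 demands in the test interval) are the
# slide's definition of high demand.
from collections import defaultdict
from datetime import date
from typing import NamedTuple

LOG = """\
2010-02-03 PSV-101 relief_valve_lift
2010-05-19 SIF-7 trip
2010-09-02 SIF-7 trip
2011-01-14 SIF-7 trip
2011-03-30 LAH-1 operator_response
2011-07-08 PSV-101 relief_valve_lift
"""

# Proof-test interval per IPL, in days (constructed values).
TEST_INTERVAL_DAYS = {"PSV-101": 730, "SIF-7": 365, "LAH-1": 365}


class DemandReport(NamedTuple):
    demands: int
    per_year: float
    max_in_test_interval: int
    high_demand: bool


def parse_log(text):
    """Return {tag: sorted activation dates}. Each activation is a demand
    on that IPL and, per the slide, a near miss to be investigated."""
    demands = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, tag, _event = line.split()
        demands[tag].append(date.fromisoformat(day))
    return {tag: sorted(days) for tag, days in demands.items()}


def max_in_window(days, window_days):
    """Largest number of demands inside any span shorter than window_days,
    found with a two-pointer sweep over the sorted dates."""
    best, start = 0, 0
    for end, d in enumerate(days):
        while (d - days[start]).days >= window_days:
            start += 1
        best = max(best, end - start + 1)
    return best


def demand_report(text, window_start, window_end, test_intervals):
    """Per-IPL demand statistics over the half-open window
    [window_start, window_end)."""
    years = (window_end - window_start).days / 365.0
    report = {}
    for tag, days in parse_log(text).items():
        in_window = [d for d in days if window_start <= d < window_end]
        n = len(in_window)
        per_year = n / years
        in_interval = max_in_window(in_window, test_intervals[tag])
        report[tag] = DemandReport(n, per_year, in_interval,
                                   per_year > 1.0 or in_interval > 2)
    return report


def example_report():
    """The constructed log over calendar years 2010 and 2011."""
    return demand_report(LOG, date(2010, 1, 1), date(2012, 1, 1), TEST_INTERVAL_DAYS)


if __name__ == "__main__":
    for tag, r in example_report().items():
        print(f"{tag}: {r.demands} demands, {r.per_year:.2f}/yr, "
              f"max {r.max_in_test_interval} in test interval, "
              f"{'HIGH DEMAND' if r.high_demand else 'ok'}")
```

On the constructed log SIF-7 trips three times in two years and three times inside one 365-day test interval, so it fails both tests; the relief valve lifts twice in two years, which is at the limit but not over it. A real implementation would also compare the observed demand rate with the initiating-cause frequency assumed in the LOPA, since the two are meant to be the same number.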
Observations on Tsunami vs Nuclear Plant
A nuclear plant shutdown requires active cooling after the trip.
We prefer IPLs that are:
Passive
De-energize to trip
Spring to move to the trip state
Beware of common cause!
The earthquake caused a trip of the reactors: no power generated.
The earthquake damaged the electric grid: no power from off-site.
The earthquake caused a tsunami that damaged the backup generators (located in a potentially vulnerable area).
Should LOPAs be Revalidated?
US OSHA PSM rule requires PHAs (HAZOPs) to be revalidated every 5 years. What about the LOPA for my plant?
What has changed?
Volume? Frequency? Training? Chemicals? Conditions?
(Figure: tank with LAH.)
Conditional Modifiers
Time at risk
Probability of ignition
Probability of a person present
Probability of injury
Easy to double count!
USE WITH GREAT CARE!!
Don't kid yourself!
Conditional Modifiers
CCPS is writing a guidance book this year.
When to go beyond LOPA
Protection layers and the initiating cause share common elements: use Fault Tree Analysis.
Several safeguards can detect the beginning of a scenario, but only one safeguard can prevent the scenario from proceeding to the consequence: use Event Tree Analysis.
References
Center for Chemical Process Safety (CCPS), Layer of Protection Analysis: Simplified Process Risk Assessment, American Institute of Chemical Engineers, New York, NY, 2001. www.AIChE.org
ISA-TR84.00.04, Part 1, Guideline on the Implementation of ANSI/ISA 84.00.01-2004 (IEC 61511 Mod), ISA, 67 Alexander Drive, P.O. Box 12277, Research Triangle Park, North Carolina 27709. www.isa.org
Center for Chemical Process Safety (CCPS), Guidelines for Safe and Reliable Instrumented Protective Systems, American Institute of Chemical Engineers, New York, NY, 2007. www.AIChE.org
Center for Chemical Process Safety (CCPS), Title to be Determined: Initiating Event Frequencies and IPL PFDs, American Institute of Chemical Engineers, New York, NY, 2011. www.AIChE.org
Conclusion
Remember the core attributes of IPLs
3 Ds, 4 Enoughs, The Big I
Use the core attributes to test the IPLs to ensure that the desired risk reduction is achieved. Document the result in the SRS (safety requirements specification).