LAYER OF PROTECTION ANALYSIS
A Risk..
Protesha Sinergy Copyright 2010
Risk Analysis
Risk Analysis Cycle
System Description -> Hazard Identification -> Scenario Identification -> Accident Probability and Accident Consequences -> Risk Determination -> Risk and/or Hazard Acceptance?
  NO  -> Modify Design (and return to the start of the cycle)
  YES -> Build and/or Operate System
Risk Analysis Flow
Risk Analysis Milestones
Non-Scenario-Based
Scenario-Based
Hazard Scenario
Refer to the reactor system shown.
The reaction is exothermic. A cooling system is provided to remove the excess energy of reaction. In the event that the cooling function is lost, the temperature of the reactor would increase. This would lead to an increase in reaction rate, leading to additional energy release. The result could be a runaway reaction with pressures exceeding the bursting pressure of the reactor. The temperature within the reactor is measured and is used to control the cooling water flow rate by a valve.
[Figure: reactor with cooling coils. Labels: Monomer Feed, Cooling Water In, Cooling Water to Sewer, Thermocouple, TC (temperature controller)]
HAZOP for the Hazard Scenario
Guide Word | Deviation | Causes | Consequences | Action
NO | No cooling | Cooling water valve malfunction | Temperature increase in reactor | Install high temperature alarm (TAH)
REVERSE | Reverse cooling flow | Failure of water source resulting in backward flow | Less cooling, possible runaway reaction | Install check valve
MORE | More cooling flow | Control valve failure, operator fails to take action on alarm | Too much cooling, reactor too cool | Instruct operators on procedures
AS WELL AS | Reactor product in coils | More pressure in reactor | Off-spec product | Check maintenance procedures and schedules
OTHER THAN | Another material besides cooling water | Water source contaminated | Cooling may be ineffective, with an effect on the reaction | If less cooling, TAH will detect. If detected, isolate water source. Back up water source?
Analysis in LOPA
Definition
A simplified form of risk assessment which uses order-of-magnitude categories for initiating event frequency, consequence severity, and the likelihood of failure of independent protection layers (IPLs) to approximate the risk of a scenario. An analysis tool that typically builds on the information developed during a qualitative hazard evaluation, such as a process hazard analysis (PHA).
REDUCE FREQUENCY TO ACHIEVE TOLERABLE RISK
Source: CCPS
Risk of Scenario
Steps in LOPA
1. Identifying and defining the scenario
2. Determining the incident scenario
3. Identifying the Initiating Event
4. Identifying the cause (Initiating Event) and determining the Initiating Event Frequency
5. Identifying the Protection Layers and determining the Probability of Failure on Demand (PFD)
6. Determining the Risk Frequency
Basic LOPA Concepts
Scenario flow diagram: Initiating Event (Cause) -> Enabling Events & Conditions -> Independent Protection Layer (IPL) -> Conditional Modifier (Conditional Influence) -> Consequence
1. Initiating Event: the single cause in a scenario that ends in the undesired consequence
2. Enabling Event & Condition: a follow-on cause triggered by the Initiating Event
3. Conditional Modifier: the likelihood of additional effects that worsen the consequence (probability of ignition, probability of fatal injury, etc.)
Basic LOPA Concepts
Flow diagram of how IPLs work:
Initiating Event -> IPL1 -> IPL2 -> IPL3 -> Scenario Consequence
Mitigated Risk = reduced frequency * same consequence
Each IPL is a preventive feature: Success -> Safe Outcome; Failure -> the demand passes to the next IPL.
Failure of every IPL -> Impact Event (consequences exceeding criteria), with its resulting frequency.
Key: Thickness of arrow represents frequency of the consequence if later IPLs are not successful.
Consequence Analysis
Consequence analysis methods commonly used in LOPA:
1. Category approach without direct reference to human harm
2. Qualitative estimates with human harm
3. Qualitative estimates with human harm with adjustments for post-release probabilities
4. Quantitative estimates with human harm
5. Overall cost resulting from the potential incident (e.g., capital losses, production losses, etc.)
Consequence Analysis
1. Category approach without direct reference to human harm
Focuses on prevention rather than mitigation. Does not use human injury/fatality measures. Uses a matrix for each category.
Consequence Analysis
2. Qualitative estimates with human harm
Focuses on the impact suffered by people. The calculated risk can be compared directly with the Risk Tolerance Criteria.
Consequence Analysis
3. Qualitative estimates with human harm with adjustments for post-release probabilities
Similar to method no. 2, but the emphasis is on what happens after the cause has occurred (e.g., release of a chemical). Takes into account: the probability of the event that constitutes the cause, the probability of people being present nearby, and the probability of injury/fatality.
Initiating Event Analysis
Determining a cause (Initiating Event) in a scenario is always preceded by these questions: What is the likelihood of the undesired event in the scenario? What is the risk associated with this scenario? Are there sufficient risk mitigation measures?
Initiating Event Analysis
Types of Initiating Event
Event type | Examples
Mechanical failures | Corrosion, vibration, erosion, fracture, PSV stuck open, fabrication defect, brittleness, gas/seal/flange leak
Control system failures | Sensor/logic/control element failures, wiring failures, software crashes, interface blocked
Utility failures | Power failures, cooling system failure, instrument air system failure
Natural external events | Earthquake, tornado, flood, lightning
External conditions | Neighbouring plant failure, vehicle impact
Human failures | Operational error, maintenance error, response error
Initiating Event Analysis
Data sources for determining the Initiating Event Frequency:
1. Industry data (usually from external bodies, e.g. OREDA)
2. Company experience
3. Vendor data (data from the equipment manufacturer)
Independent Protection Layer (IPL) Analysis
IPL: a system/device/activity intended to prevent or mitigate the cause (initiating event) so that it does not lead to the undesired consequence.
Types that qualify as IPLs: Process Design (Inherently Safer Design); Basic Process Control System; Critical Alarm and Human Intervention; Safety Instrumented System; Physical Protection; Post-release Protection; Plant Emergency Response; Community Emergency Response.
Independent Protection Layer (IPL) Analysis
Protection layers, from the innermost outward:
Process Design
Basic Process Control Systems, Non-safety Process Alarms, Operator Supervision
PREVENTION: Safety Critical Process Alarms
PREVENTION: Safety Instrumented Systems
MITIGATION: Mechanical Mitigation Systems, Fire and Gas Systems
PLANT EMERGENCY RESPONSE
COMMUNITY EMERGENCY RESPONSE
Independent Protection Layer (IPL) Analysis
For a system/device/action (safeguard) to be considered an IPL it must be:
Effective in preventing the consequence when it functions
Able to detect the cause
Able to decide the action to be taken
Able to deflect the consequence so that it does not occur
Independent of the cause (Initiating Event) and of the other IPL components for the same scenario
Auditable as to its effectiveness in preventing the consequence, especially its PFD
If all IPLs are affected by a common-cause scenario, then all of those IPLs are counted as a single IPL.
Independent Protection Layer (IPL) Analysis
Process Design
There are generally two aspects of Inherently Safer Design in the IPL Process Design: elimination using Inherently Safer Design methods; assigning a non-zero PFD to the other Inherently Safer Design measures.
[Table not reproduced: Inherently Safer Design PFD values (CCPS, 2001)]
Independent Protection Layer (IPL) Analysis
The BPCS is the system that monitors, controls and maintains the process within its safe operating range.
[Figure not reproduced: simple components of a BPCS loop]
The BPCS has 3 safety functions related to IPLs:
1. Continuous Control Actions: maintaining the process within the safe operating range (level controller)
2. Alarm Actions: via a logic solver/alarm trips, maintaining the process within the normal operating range and alarming the operator
3. Return process to stable state: via a logic solver/control relay, automatically returning the process to a safe state
Independent Protection Layer (IPL) Analysis
BPCS
[Table not reproduced: Failure Rate Data (CCPS, 2001)]
The PFD of a BPCS is influenced by:
Adequacy of security and access procedures - related to people
Level of redundancy - related to back-up systems
Historic failure rate - related to the history of damage/failure
Effective test rate - related to testing
Other factors - other factors to be considered include design, manufacture, installation and maintenance.
Independent Protection Layer (IPL) Analysis
Critical Alarm and Human Intervention (CAHI)
The PFD of a CAHI is influenced by:
Detection - when the alarm sounds
Decision - the response
Action - when the action is carried out
Independent Protection Layer (IPL) Analysis
An SIS is a safeguard/IPL consisting of a sensor, a logic solver and a final element. Its sole function is to bring the operating condition to a Safe State. It is known by various names: Safety Interlock System, Emergency Shut-down System, etc. The PFD of an SIS is also expressed as the RRF (Risk Reduction Factor) and, under the international standard (IEC 61511), is categorized by Safety Integrity Level (SIL).
Independent Protection Layer (IPL) Analysis
[Table not reproduced: PFD per SIL]
Independent Protection Layer (IPL) Analysis
Physical Protection: Relief Valve; Rupture Disc
[Table not reproduced: PFD for Physical Protection]
Independent Protection Layer (IPL) Analysis
Physical Protection: factors influencing the PFD value: equipment sizing, design, installation, inspection quality, maintenance quality, cleanliness of the process fluid.
Independent Protection Layer (IPL) Analysis
Post-Release Protection: Blast Wall; Dike
[Table not reproduced: PFD for Post-Release Protection]
Case Study 1
LOPA table format
Columns (row label #):
1. Initial Event Description
2. Initiating cause
3. Cause likelihood
Protection Layers:
4. Process design
5. BPCS
6. Alarm
7. SIS
8. Additional mitigation (safety valves, dykes, restricted access, etc.)
9. Mitigated event likelihood
10. Notes
Likelihood = X
Probability of failure on demand = Yi
Mitigated likelihood = (X)(Y1)(Y2)...(Yn)
Case 1: Flash drum for rough component separation for this proposed design.
[Figure: process drawing of the flash drum. Feed: Methane, Ethane (LK), Propane, Butane, Pentane. Streams: Vapor product, Liquid product, Steam, Process fluid. Controllers and instruments: PC-1 (pressure), TC-6 (temperature, cascade, split range), FC-1 (flow), LC-1 (level), AC-1 (composition), PAH (pressure alarm high), LAL/LAH (level alarms), temperature points T1, T2, T3, T5, flows F2, F3.]
Case 1: Flash drum for rough component separation. Complete the table with your best estimates of values.
1. Initial Event Description: High pressure
2. Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
3. Cause likelihood: (to be estimated)
Protection Layers:
4. Process design: (to be estimated)
5. BPCS: (to be estimated)
6. Alarm: (to be estimated)
7. SIS: (to be estimated)
8. Additional mitigation (safety valves, dykes, restricted access, etc.): (to be estimated)
9. Mitigated event likelihood: (to be estimated)
10. Notes: Pressure sensor does not measure the drum pressure
Assume that the target mitigated likelihood = 10^-5 event/year
Case 1: Some observations about the design.
The drum pressure controller uses only one sensor; when it fails, the pressure is not controlled. The same sensor is used for control and alarming. Therefore, the alarm provides no additional protection for this initiating cause. No safety valve is provided (which is a serious design flaw). No SIS is provided for the system. (No SIS would be provided for a typical design.)
Case 1: Solution using initial design and typical published values.
1. Initial Event Description: High pressure
2. Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
3. Cause likelihood: 0.10
Protection Layers (probability of failure on demand):
4. Process design: 0.10
5. BPCS: 1.0
6. Alarm: 1.0
7. SIS: 1.0
8. Additional mitigation (safety valves, dykes, restricted access, etc.): 1.0
9. Mitigated event likelihood: 0.01
10. Notes: Pressure sensor does not measure the drum pressure
Much too high! We must make improvements to the design.
Case 1: Solution using enhanced design and typical published values.
1. Initial Event Description: High pressure
2. Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
3. Cause likelihood: 0.10
Protection Layers (probability of failure on demand):
4. Process design: 0.10
5. BPCS: 1.0
6. Alarm: 0.10
7. SIS: 1.0
8. Additional mitigation (safety valves, dykes, restricted access, etc.): PRV 0.01
9. Mitigated event likelihood: 0.00001
10. Notes: Pressure sensor does not measure the drum pressure. The PRV must exhaust to a separation (knock-out) drum and fuel or flare system.
Enhanced design includes a separate P sensor for the alarm and a pressure relief valve. Sketch on process drawing.
The enhanced design achieves the target mitigated likelihood. Verify table entries.
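As an added example (not code from the slides or from Protesha Sinergy), the Python script below carries out the LOPA table arithmetic for Case 1 and makes the IPL independence rule explicit: a layer that relies on equipment the initiating cause has already defeated, or on equipment an already credited layer relies on (common cause), is carried at PFD 1.0, which is why the BPCS and the original alarm earn no credit here. It then multiplies the cause likelihood by the effective PFDs as in Mitigated likelihood = (X)(Y1)(Y2)...(Yn), allows for enabling conditions and conditional modifiers as extra factors, and, when the target is missed, reports the PFD a new independent SIS would need and its IEC 61511 low-demand SIL band. The 0.10/1.0/0.01 values and the 10^-5 target are the slides' own; the equipment tag P2 for the added alarm sensor, the tag PRV, the `uses` sets, and the SIL band limits are assumptions of this example.

```python
"""LOPA calculator for the Case 1 flash drum (added example, not from the slides)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# IEC 61511 low-demand-mode SIL bands as (SIL, lower PFD, upper PFD); stated here
# from the standard because the slide's own PFD/SIL table did not survive extraction.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def _tidy(x: float) -> float:
    """LOPA works in orders of magnitude; 6 significant figures removes float noise."""
    return float(f"{x:.6g}")


@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float                                  # claimed probability of failure on demand
    uses: FrozenSet[str] = frozenset()          # equipment tags the layer depends on (assumed)


@dataclass(frozen=True)
class Scenario:
    description: str
    initiating_cause: str
    cause_likelihood: float                     # X, events per year
    cause_uses: FrozenSet[str]                  # tags defeated by the initiating cause
    ipls: Tuple[IPL, ...]                       # table columns 4-8; an absent layer counts as 1.0
    modifiers: Tuple[Tuple[str, float], ...] = ()   # enabling conditions / conditional modifiers
    target: float = 1e-5                        # tolerable mitigated likelihood, events per year


def effective_pfds(s: Scenario) -> List[Tuple[str, float, str]]:
    """Apply the independence rule before any credit is taken for a layer."""
    credited: set = set()
    out = []
    for ipl in s.ipls:
        if ipl.uses & s.cause_uses:
            out.append((ipl.name, 1.0, "shares equipment with the initiating cause"))
        elif ipl.uses & credited:
            out.append((ipl.name, 1.0, "common cause with an already credited IPL"))
        else:
            credited |= ipl.uses
            out.append((ipl.name, ipl.pfd, "credited"))
    return out


def mitigated_likelihood(s: Scenario) -> float:
    """Mitigated likelihood = (X)(Y1)(Y2)...(Yn), times any enabling/conditional factors."""
    f = s.cause_likelihood
    for _, pfd, _ in effective_pfds(s):
        f *= pfd
    for _, p in s.modifiers:
        f *= p
    return _tidy(f)


def meets_target(s: Scenario) -> bool:
    return mitigated_likelihood(s) <= s.target


def required_sil(s: Scenario) -> Optional[Tuple[Optional[int], float]]:
    """If the target is missed: the PFD a new, independent SIS would need and its SIL band.

    None when the target is already met; SIL 0 means an ordinary IPL (PFD >= 0.1)
    closes the gap; SIL None means the gap exceeds SIL 4 and the design must change.
    """
    f = mitigated_likelihood(s)
    if f <= s.target:
        return None
    needed = _tidy(s.target / f)
    if needed >= 1e-1:
        return (0, needed)
    for sil, lo, hi in SIL_BANDS:
        if lo <= needed < hi:
            return (sil, needed)
    return (None, needed)


# Case 1 values from the slides. Tags other than P1, PC-1 and PAH (P2 for the
# separate alarm sensor, PRV for the relief valve) are assumed names for this example.
CASE1_INITIAL = Scenario(
    description="High pressure",
    initiating_cause="Connection (tap) for pressure sensor P1 becomes plugged",
    cause_likelihood=0.10,
    cause_uses=frozenset({"P1"}),
    ipls=(
        IPL("Process design", 0.10),
        IPL("BPCS (PC-1)", 0.10, frozenset({"P1", "PC-1"})),   # shares P1 -> carried at 1.0
        IPL("Alarm (PAH)", 0.10, frozenset({"P1", "PAH"})),    # shares P1 -> carried at 1.0
    ),
)

CASE1_ENHANCED = Scenario(
    description=CASE1_INITIAL.description,
    initiating_cause=CASE1_INITIAL.initiating_cause,
    cause_likelihood=0.10,
    cause_uses=frozenset({"P1"}),
    ipls=(
        IPL("Process design", 0.10),
        IPL("BPCS (PC-1)", 0.10, frozenset({"P1", "PC-1"})),   # still shares P1 -> 1.0
        IPL("Alarm (PAH on separate sensor P2)", 0.10, frozenset({"P2", "PAH"})),
        IPL("Additional mitigation: PRV", 0.01, frozenset({"PRV"})),
    ),
)

if __name__ == "__main__":
    for s in (CASE1_INITIAL, CASE1_ENHANCED):
        verdict = "meets target" if meets_target(s) else f"gap, SIS would need {required_sil(s)}"
        print(f"{s.description}: {mitigated_likelihood(s)} per year, {verdict}")
```

Running it reproduces the two tables: 0.01 per year for the initial design (the gap of two orders of magnitude corresponds to an SIS in the SIL 2 band if one were added instead of the PRV and second sensor) and 10^-5 per year for the enhanced design. Encoding the `uses` sets is the point of the exercise: the shared sensor P1 is a common-cause dependency, and the calculator refuses credit for it automatically rather than relying on the analyst to remember.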
Case Study 2
Scenario
The two-phase separator V 180 is under level control (level controller LC 213). In case of high-high liquid level, the level switch LSHH 214 would close emergency shutdown valve ESDV 172 and shut down compressor C 130 downstream of V 180. This is to prevent carrying liquid over to the compressor, which would lead to compressor damage.
PHA (HAZOP) Results
LOPA Analysis
Risk Evaluation
Thank You