A LOPA Implementation
Method
Breydon G Morton
DuPont
2
What does LOPA mean to DuPont?
• Before we (DuPont) implemented LOPA?
• How are we implementing LOPA ? Tasks?
Before implementing LOPA
• Questions and Background data
– Is Company ready for LOPA?
– Current Foundation for Risk Assessment?
– When is LOPA Used?
– Risk Tolerance Established?
– Data Required?
4
Risk Management Philosophy?
• Values & Beliefs vs. Risk Management Strategy
– Core Values (Safety & Health, Ethical Behavior, Respect for
People, and Environmental Stewardship )
• Process Safety Management
– Control Risk
• Standards and Policies
– Risk Reduction > Protect (Assets, People, Environment, Public
Trust)
Current Foundation Risk Assessment
• Experience & Capabilities Assessment ?
– Current Risk Management Policies
Policy Process Safety Management (PSM)
Manual
Standards S21A (PSM), S25A (PHA)
– Hazard Analysis Methods
Checklists, What-If, HAZOPS, Fault Tree
– Institutional Knowledge (Consequence & Failure
Frequencies)
Specialized Resources from Process Safety
& Fire Protection (PS &FP)
6
Risk Tolerance Criteria
The typical industry risk tolerance for combined events that
could result in irreversible human health effects, which is
used to make risk reduction decisions, is 10-4.
When is LOPA used?
• Within DuPont, when evaluating risk of process safety
scenarios there is a need to recommend additional safety
protection for risk mitigation.
• When the hazard evaluation analyst determines that a
“Risk Based” approach is required and interlock design is
needed.
• When a PHA team believes a scenario is too complex to
make a risk judgment using purely qualitative judgment.
8
From Consequence severity… When is LOPA used?
– PHA teams are responsible for assigningworst case consequence severity(i.e. assuming
loss of all engineering & administrative controls) using the consequence categories as defined in LOPA guidance document Table 12.2a or S25A.
– 3. …
– 4. Conduct an interlock evaluation as follows:
A. As part of hazard evaluation, identify those events that involve interlocks(existing,
recommended, and being considered)
B. Evaluate the consequence category for the event
1. If the consequence category is C1 or C2 then the interlock is a process interlock and should be
documented accordingly in the PHA. If the same interlock is identified as a safeguard against multiple events then the most severe event will determine the final categorization and SIL.
2. If the consequence is financial loss only, then the interlock is a process interlock. For process interlocks mitigating financial loss hazards only, the AIB method may be used to determine the reliability requirements. See DX3S for a description of AIB method.
3. If the consequence category is C3, then further evaluation must be done to determined the required
SIL of the interlock. The AIB methodmay be used to determine the reliability requirements. See DX3S for a description of AIB method.
4. If the consequence category is C4(excluding multiple fatalities) , then further evaluation must be
done to determined the required SIL of the interlock. The AIB methodmay be used to determine the reliability requirements. See DX3S for a description of AIB method.
5. If consequence category is C4with multiple fatalities, then a risk-based (LOPA,Event Tree,
Fault tree) must be used. Application of a risk-based method requires that personnel trained in process hazards analysis and the method being used, be involved.
Data Required
• Consequences
– Standard S25A Æ
Tables
12.2a & bÆ C4 through C1
– Modeling (Scenario impact ; Potential severity)
• Component Failure Data
– DRAFT LOPA Guidance manual Table 10.2 Passive IPL’s and
Table 10.3 Active IPL’s
– DX3S Table 3 MTTFfd device values
– Vendor data
– General industry
• Initiating Event
10 Death or irreversible heath effects: Injury or moderate health effects; Emergency medical intervention and/or hospitalization Minor injury of reversible health effects No injury or health effects Public Safety and Health One or more fatalities; Multiple LWC’s with irreversible health effects Multiple MTC injuries; 1-2 RWC/LWC’s Minor (MTC) injury of reversible health effects No Injury of health impact Employee Safety and Health Consequence Category C-4 Catastrophic Consequence Category C-3 Major Consequence Category C-2 Moderate Consequence Category C-1 Minor Type of Event/ Impact
Table 12.2a Consequence Severity
10-3 Will reduce the frequency of
large consequences of an explosion by configuring blast and protecting
equipment/buildings/etc.
Blast Bunker
10-2 Will reduce the rate of heat input
and provide additional time for depressurizing/firefighting
Fireproofing
10-2 Will prevent overpressure
Open Vent (or no valve)
10-2 Will reduce frequency of large
consequences (widespread spill) of a tank overfill/rupture/spill/etc.
Underground Drainage System
10-2 Will reduce frequency of large
consequences (widespread spill) of a tank overfill/rupture/spill/etc.
Dike
PFD for DuPont LOPA
Comments
IPL
12
10-1
Water Scrubber,
maintained and inspected
10-1
Battery Backup UPS with periodic inspection
10-1
Battery Backup UPS with periodic inspection 10-2 (3) SIL 2 10-2 (3) SIL 3 10-1 (3) SIL 1 Etc… Etc… 10-1
Basic Process Control System
10-2 (2)
Rupture Disc
10-2 (2)
Relief Valve
PFD for DuPont LOPA
Comments
IPL
Table 3 MTTFd device values
Unsafe MTTFd (years) Equipment Type 1000 to 1500 Motor Starter 25 to 30 Valve positioner Final Elements Etc… Etc… 100 to 120 Pre-configured SIS PEClogic solver 1500 to 2500 Electromechanical relay per DX8S Logic Solvers Etc… Etc… 15 to 20 Flame Detector 25 to 35 Current Switch Sensors
14
Etc. Etc.
10-2
Loss of electrical power, dual feed systems
10-1
Loss of nitrogen supplied by pipeline
10-1
Variable speed motor AC motor failure
10-2 per opportunity
Operator Failure ( to
execute routine procedure, assuming well trained, unstressed, not fatigued )(PFD)
10-1
Regulator Failure
10-1
Cooling water Failure
Value for DuPont LOPA
(per year)
Initiating Event
d / or Scenario # refres to WHAT-IF Item.
are events per year, other numerical values are average probabil
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
Impact
Event SeverityLevel InitiatingCause Initiating Event Frequency Enabling Event Frequenc y General Process Design BPCS Operator Response to Alarms, etc. Additional Mitigation, Restricted Access IPL Additional Mitigation, Dikes, Pressure Relief Intermedia te Event Likelihood SIF ID PFD Mitigated Event Likelihood Likelihood of person in area Likelihood of Significant Injury Frequency of Significant Injury Notes Overpress ure TC-2, release of toxic (HFA, HFIP, H2) material/ flammable; catastroph ic C4 8.backflow from A-206 to TC-2, P1527 failure
0.100 1 1 1 1 0.01 0.1 1.0E-04 1.00E-01 1.0E-05 Tolerable Risk Criteria of XXXX met. SIL 1 for SIF needed and met. W932596 rev 42F, DW 49060 Rev 2N, DW44540 Rev 18J No. 8 in WhaIf was analyzed for "backflow " only . It did not identify cause for "backflow ". LOPA identified a discrete cause (P1527 DRAFT LOPA Document-AC Electric motor failure) Two check valves in HFA transfer line, clean service. Will be checked or replaced on a regular frequency so credit taken. TC-2 PRD 1205 0141 set @ 200 psi; {Has rupture disc] back to "Emergen cy" Scrubber , SB-126 operated as "passive" scrubber. S-1b Conceptu al Design : 2460DPG Low Low (2460PT -1822PT) closes 1825HV via MLC2. INDEPENDENT PROTECTION LAYERS
Documentation LOPA Worksheet
Severity Level IPL’s PFD of SIF Intrmd Event Likelihood Mitigated Event Likelihood
16
Periodically assess IPL’s
9
Functional testing (SIF’s, Relief valves, etc.)
9
Periodic inspection (Dikes, machine guards etc.)
9
Preventive or replacement maintenance (Corrosion coupons
and vessel thickness checks)
Implementation Tasks
• LOPA Guidance Document
– ~ 59 pages
– Target Audience : PHA Teams/Management, LOPA Analyst &
Corporate
– Purpose : Broad Overview of LOPA; definitions; IPL values; initiating
event frequencies.
• LOPA Training Course and Training LOPA Analysts
– 1-1/2 day Training course (In-house)
– For in-house LOPA analyst certification
LOPA analyst in training ( Participate in LOPA’s with experienced, in – house certified LOPA analyst)
18
