LOPA A Storage Tank Case Study

Karl Watson, ABB Consulting Houston

© ABB Inc. September 20, 2011 | Slide 1

Introduction – Karl Watson

PSM Consultant, ABB Consulting

Based in Houston, US

Chartered Instrument Engineer

24 years experience in Process Industry

ICI Chemical and Polymers, ICI Engineering, ABB

Consulting

Specialist in Functional Safety

Outline of Presentation

� Storage Tank Case Study

� Simplified overview of SIL

� 3 Steps to SIL

� LOPA

� What you should consider

� Establish good practices

� Identification of improvements

Case Study – Gasoline Storage

© ABB Inc. September 20, 2011 | Slide 4

LILHHA

LHA

LIA

LHHH

Manual

ESD

Is this installation Safe ?

TI

Functional Safety Standard - IEC61508

� Simplify the process into 3 steps

� Set the Target Safety Integrity Level (SIL)

� Design to meet the Target SIL

� O&M to continue to meet the Target SIL

IEC61511/ISA84 :

Process Sector

IEC61508

Medical SectorIEC61513 :

Nuclear Sector

IEC62061 :

Machinery Sector

Step 1 Set the Target SILHazardous Event

� Loss of Containment due to overfill

� Flashfire

� No confinement, limited release before detection

� 1 Person in the area – potential single fatality

� Company Tolerable Frequency – 1E-05/yr (example only)

© ABB Inc. September 20, 2011 | Slide 6

LILHHA

LHA

LIA

LHHH

Manual

ESD

TI

What could cause this event?

� Failure of Level Indicator (0.1/yr)

� Maximum by IEC61511

� Operator Error during filling (0.5/yr)

� 50 per year

� HEP 0.01 (from IEC61511)

� Operator Error before filling (0.5/yr)

� 500 per year

� Additional Checks

� HEP 0.001 (from IEC61511)

© ABB Inc. September 20, 2011 | Slide 7

What Safeguards are in Place?

� Alarms (PFD=0.1)

� Local Operator (PFD=0.5 – stressed)

� Ignition (Probability=0.1)

� Occupancy (Probability=0.05)

� Vulnerability (Probability=0.5)

© ABB Inc. September 20, 2011 | Slide 8

LILHHA

LHA

LIA

LHHH

Manual

ESD

TI

LHHA

LHA

LIA

Check for Dependent Failures?

� Failure of LI may prevent alarms from operating

� Double counted occupancy and an local operator

response

© ABB Inc. September 20, 2011 | Slide 9

LILHHA

LHA

LIA

LHHH

Manual

ESD

TI

LOPA SIL Calculation – Example Only

© ABB Inc. September 20, 2011 | Slide 10

Step 2 - Designed to meet the SIL

LevelSwitch

3 InletValves

Relay Logic

PFDavg = ½ * Σλd * Test Interval (in years)

For test interval of 3 months (0.25/yr)

PFDavg = ½ * 0.16 * 0.25 = 0.02

Equipment λd (failures/yr)

Level Switch 0.05 1 failure in 20 yrs

Relay Logic 0.01 1 failure in 100 yrs

Valves 3 * 0.033 = 0.1 1 failure in 30 yrs

Total 0.16

© ABB Inc. September 20, 2011 | Slide 11

(Target 0.02)

Step 3 – O&M to Continue to meet the SIL

© ABB Inc. September 20, 2011 | Slide 12

Gasoline Storage

© ABB Inc. September 20, 2011 | Slide 13

LILHHA

LHA

LIA

LHHH

E-Stop

Is this installation Safe ?

TI

Gasoline Storage

© ABB Inc. September 20, 2011 | Slide 14

LILHHA

LHA

LIA

LHHH

Manual

ESD

Is this installation Safe ?

TI

LOPA – What makes an Effective Risk Assessment

© ABB Inc. September 20, 2011 | Slide 15

LILHHA

LHA

LIA

LHHH

Manual

ESD

TI

� Good method to identify potential causes

� Where do the numbers come from

� Published values

� Operational experiences

Hazardous Event

� Test potential consequence

� VCE not thought credible

� Small release

� Confinement / weather

� Operation data indicates credible scenario

� Fill rates

� Likely duration

© ABB Inc. September 20, 2011 | Slide 16

Initiating Events

� Failure of Level Indication (0.1/yr)

� Actually failed 14 times in the last 4 months.

� No formal systems to record failure.

� Lack of Awareness of Potential Consequence

� Failure of control, generally leads to process alarms

� Bad Practices - Alarms or Fill Setpoints ?

© ABB Inc. September 20, 2011 | Slide 17

LHHA

LHA

LIA

LHHH

Manual

ESD

TI

LILHHA

LHA

LIA

Initiating Events

� Operator Errors

� HEP 0.01-0.0001 (trained, no stress)

� Under stress (0.5 – 1.0)

� ConsiderI.

� Only 1 screen available

� Limited information available

� Which lines flowing

� Flowrate

� Handover

� Operation Pressures

� Reality check against operation experience

© ABB Inc. September 20, 2011 | Slide 18

Protection Layers

� Alarms

� Need for independence

� Indication and filling stops

� Independent alarms

� HEP 0.1 – 1

� For 0.1 we must have

� Clear, identifiable alarm

� Time to respond

� Minimum 30 minutes for field actions

� Clear independent action

� No management of changes for settings

© ABB Inc. September 20, 2011 | Slide 19

Typical LOPA Improvements

� Level Indication

� Unacceptable failure frequency

� Automated stops

� Independent check

� Operating Procedures / Awareness

� Remove the practice to fill to alarms

� Improve filling visualization

� Alarms

� Need to be independent of the filling process

� Must be clear with independent action

� Alarm levels fixed based on maximum fill rate and time

to respond

© ABB Inc. September 20, 2011 | Slide 20

Summary

� Poor application of LOPA can lead to miscomprehension

that you have sufficient safeguards in-place to protect

against your potential hazardous events

� Operational experience should be used as a basis of

decisions

� Applying LOPA effectively should

� Identify weaknesses in your work processes

� Show if your perceived safeguards are adequate

� Identify improvements to reduce areas of higher risk

� LOPA is a good technique – provided it is applied correctly.

� Remember – This is only the first stage in the lifecycle

© ABB Inc. September 20, 2011 | Slide 21

© ABB Inc. September 20, 2011 | Slide 22