
Tower Overfill Hazard - A Program Approach to Reducing Risk

By William (Bill) L. Mostia, Jr. PE, SIS-TECH Solutions, LP

Abstract
This paper describes a systematic program approach to reducing the risk of tower overfills in process units. This approach was taken on a large project in a U.S. refinery which had embedded within its scope a program to reduce the risk due to tower overfill hazards. This program was tasked with analyzing and evaluating the risk due to tower overfills for 176 towers in over 25 operating units. This included consequence and severity identification, risk assessment, and identification of risk reduction means using Layer of Protection Analysis (LOPA) to reduce the tower overfill risk to the corporate risk reduction criteria. The program also identified the minimum tower instrumentation required for tower overfill protection. Each tower in the program was subject to a consequence based screening which identified and prioritized the towers for further analysis. Seven standard LOPA tower overfill scenarios were applied to each tower and project scope was identified based on the LOPA recommendations.

Introduction
Overfill is a potentially serious hazard that exists in all types of plants in the process industry. Examples of incidents that resulted from overfill are ESSO Longford (Australia, 1998), BP Texas City Refinery (US, 2005), and Buncefield (UK, 2005). [1,2,3] Tower overfill is a subset of the general overfill hazard; however, many of the same basic principles that apply to tower overfill also apply to the more general overfill hazard. While tower overfill cases may be relatively common, they are not always identified in the process hazards analysis as a credible hazard, generally because there was an expectation that the operator handled this as a matter of course or the hazard was considered minimal. [1]

This tower overfill program was initiated as part of a large project at a U.S. refinery in 2006. The project utilized Layer of Protection Analysis (LOPA) as its risk assessment methodology. [8] The project supplemented the site LOPA practice with additional guidelines such as criteria for determining the hazard severity from the hazard consequence for tower overfill based on estimated leak size, process pressures and temperatures, material state and composition, and for event frequency modifiers such as occupancy, probability of ignition, time at risk, and other relevant factors. A project LOPA manual was compiled as criteria and guidelines were developed for the project.

An atmospheric relief valve (ARV) evaluation program as part of the overall project developed a LOPA methodology where standard atmospheric relief valve LOPA scenarios for identified hazards were developed and used (flammables, H2S, and Benzene dispersion (100% & 25% flow), rainout, thermal radiation, and the overfill case) and applied to ARVs in hydrocarbon, flammable, and/or toxic service in the refinery. This general LOPA methodology approach of standard hazard scenarios was also applied to tower overfill hazards. While environmental and asset risks were also evaluated as a part of this program, only the safety aspect is discussed in this paper.

The use of any information in this paper for any other applications should follow due diligence and recognized and generally accepted good engineering practice, with the understanding that the conditions, applications, arrangements, and considerations of this program may not apply elsewhere. The site LOPA practice used in this project has since been superseded by the company's current corporate LOPA engineering technical practice and current site LOPA policies.

Tower Overfill
A traditional approach to hazard identification and evaluation is to apply a process hazards analysis (PHA) methodology (commonly a HAZOP or What-If) where the tower overfill hazards would be identified (typically using "too much or too little flow" or "too much level" guidewords) with the severity assessed, a risk assessment done, recommendations made, and projects initiated to mitigate the risk gaps identified. The program approach differs because the program was initiated under a project umbrella on the premise that the tower overfill hazard was assumed to exist for every tower in the program and a risk assessment was done for each tower. Initially only towers were done but later some drums (feed surge drums, as an example) were added to the scope. Because there were 176 towers in the refinery identified for the program, a method was needed to prioritize which towers needed to be done first. A consequence based screening method was developed based on tower process materials, pressure, and temperature, which ranked all towers into high, medium, and low risk categories. The high and medium towers were done first on a per unit basis (part of a sub project per unit). A tower liquid overfill protection guideline was developed by the project which detailed the methodology, minimum instrumentation, and the LOPA guidelines based on corporate engineering practices at that time adapted to the local site practices and the project.

Level Instrumentation
For each tower in hydrocarbon and/or toxic service, the minimum recommended instrumentation was defined by the program and included an independent high level critical alarm (with adequate operator response time, written procedure, training, and periodic testing and auditing), which typically utilized a diverse measurement technology (commonly a guided wave radar type), with a level deviation alarm between the alarm and control transmitters. In addition, two pressure transmitters, one installed on the top of the level instrumentation bridle typically and one on the top of the tower were provided and fed into a DCS difference calculation block to provide the differential pressure across the tower. This provided a gross level indication for the operator during abnormal operations when the level was above the upper limit of the bottoms level transmitters as to whether the level is going up, down, or staying the same. In addition to the minimum level instrumentation, additional instrumentation and/or independent protection layer (IPL) requirements would be determined using a LOPA.

Layer of Protection Analysis (LOPA)


Layer of protection analysis (LOPA) is a structured, rule based methodology for analysis of identified risk. The type of LOPA methodology applied for this project was an order of magnitude type (all factors are applied as order of magnitudes of 10, e.g. 1/1, 1/10, 1/100, etc) to provide a conservative accounting for uncertainties associated with the frequency data and typical order of magnitude ranges used in a LOPA. Normally LOPA is a drill down from a process hazards analysis, typically a hazard and operability study (HAZOP) or a What If analysis. A different approach was taken for this project where the starting point was that each tower in the refinery had a tower overfill hazard without having a separate PHA team evaluating the hazard. As a result, the hazard description, the propagation path(s) of the hazard, consequence, and the hazard severity would be determined by the LOPA team. The LOPA process for the program consisted of a two step process. The first step was a preliminary LOPA, called a Design LOPA, which was performed to evaluate tower overfill hazards early in the design process and to help determine the scope of the unit sub-project. The second step in the LOPA process was an official LOPA, called a PSM LOPA, which was a combination of the Design LOPA and a project HAZOP/LOPA. The recommendations of the Design LOPA were not binding (i.e. could be changed by a design change); however, all recommendations from the Design LOPA had to be reconciled with the official PSM LOPA. The Design LOPA was filed with the project design documentation while the PSM LOPA was filed with the PSM Department as the official project LOPA.

The LOPA team make-up can vary based on different company staffing requirements for personnel participation and expertise requirements. While there are no specific regulatory staffing requirements for LOPAs, the minimum requirements would be similar to requirements in OSHA 1910.119(e)(4) which requires, "The process hazard analysis shall be performed by a team with expertise in engineering and process operations, and the team shall include at least one employee who has experience and knowledge specific to the process being evaluated. Also, one member of the team must be knowledgeable in the specific process hazard analysis methodology being used." This is, however, not very specific about the exact level of expertise required. For example, the phrase "one employee who has experience and knowledge specific to the process being evaluated" is very fuzzy in that an operator with five years experience appears to qualify as does one with 25 years experience. Many times HAZOP/LOPA attendance requirements lack specific requirements for experience and engineering expertise ("horsepower"), and sometimes substitute quantity for quality. This can lead to inconsistent, incomplete, and/or incorrect results from the PHA/LOPA teams.

For this project, the LOPA team had the following staffing requirements:
1. Experienced third party LOPA facilitator (SIS-TECH)
2. Project assigned Senior Process Engineer - > 30 years refinery experience (Company)
3. Project assigned Process Safety Expert - > 30 years experience (Company)
4. Experienced Unit Operator (> 5 years experience) for a Design LOPA; Senior Unit Operator (> 15 years unit experience) and experienced Unit Supervisory level person (> 15 years unit experience) for PSM LOPAs (Company)
5. Project Engineer (Engineering Contractor)
6. Process Engineer (Engineering Contractor)
7. Project assigned Process Engineering Lead Engineer - > 25 years experience (as needed) (Engineering Contractor)
8. Control Engineer (as needed) (Company)
9. I&E Engineer (as needed) (Company & Engineering Contractor)
10. Mechanical Engineer (as needed) (Company & Engineering Contractor)
11. Specialists - Rotating Equipment, RV, etc. (as needed) (Company)

A strength of this program was that an assigned core team was available for all the LOPAs, which provided a high level of expertise and consistency to the program LOPA process. Training on LOPA principles was provided for operations and other personnel who were unfamiliar with LOPA principles. As this was a multi-year program and had other associated programs, the familiarity of the LOPA process and risk assessment principles became more prevalent in the refinery as time progressed. This also had a positive spillover effect by spreading risk identification and assessment principles to the whole refinery for all projects and other plant practices (HAZOP, MOC, relief valve risk assessments, etc.).

Resources for LOPAs


The availability of technical resources and information can have a significant impact on the success of a LOPA. The personnel assigned to the LOPAs on an on-going basis, off-line engineering capability, documentation availability and ease of access, expertise access, and the requirements for experience and diversity from refinery personnel led to considerable technical and experience "horsepower" being applied in the LOPA process for tower overfills. This tower overfill program had considerable off-line engineering capability readily available at its beck and call from the engineering contractor in the form of modeling, calculations, engineering studies, and engineering discipline expertise and through the company's process safety expert (dispersion modeling, fire and explosion expertise). The team also had ready access to other company experts, both on-site and at the corporate level.

Initially supplemental and reference information for use in the LOPA decision process was mostly limited to hard paper access but as time went on, more and more of the company's process safety, engineering, and related information came on-line. During the tail end of the project, the LOPA team had on-line access to engineering drawings, RV folders, procedures, policies, HYSYS process modeling, real-time and historical process trend data, process safety information, operating limits, and information from the Internet (Bing Maps bird's eye view in particular was useful by allowing a much better location and distance perspective than a unit plot plan drawing). This multi-media access later developed into a multi-media LOPA process that used two projectors, one for the scribe and one to project useful information simultaneously, with a multi-gang video switch, which allowed access to multiple computers for project and plant information from multiple LOPA team and on-line sources.
It also became readily apparent early on that there needed to be data gathered and calculations made prior to the LOPA meeting(s) to help facilitate the LOPA process. This information, which was compiled by the engineering contractor, consisted of overfill times, flare system backpressures, pump deadhead pressures, process pressures and temperatures, specific gravities, material compositions, etc.

Tower Overfill LOPA Scenarios


Initially the only tower LOPA scenarios were for tower overfill which went out an atmospheric relief valve or that which went to a closed flare system. When the relief went out an ARV, the ARV LOPA study scenario for tower overfill (from another part of the overall project) was used (dispersion modeling, rain-out, toxic, etc.). When the relief went to a flare system, the back pressure due to filling up the flare (as high as 350) was calculated and the effect on the pressure accumulation versus MAWP on the relieving vessel, the pressure ratings of the vessels in the relief path (which included flare knock drums and vessels connected to the flare), and the effect of the liquid going out the flare were considered. It became clear relatively quickly that these scenarios needed to be expanded. The following scenarios were added: blocked outlet overpressure, flow forward, mechanical integrity (tower full up to relief valve pressure with other defined ambient conditions), and foundation integrity (liquid full). As a result, seven standard LOPA scenarios for tower overfill were developed:
1. Atmospheric relief valve (if applicable)
2. Flare system liquid head backpressure
3. Hazard out of the flare
4. Blocked outlet overpressure (limited forward flow capacity)
5. Flow forward (off-node and sometimes off unit)
6. Vessel mechanical integrity
7. Foundation integrity

The LOPA scenarios were applied to all tower overfill cases and were compiled in a Microsoft Access Database commercially available from SIS-TECH. A generic example LOPA datasheet is given in Appendix B. These scenarios were modified or scenarios added as appropriate for each application.

Risk Identification and Categorization


One of the most important aspects in developing a LOPA scenario is the hazard development and propagation to a consequence. Since the project did not have a PHA feed-in, the LOPA team was also required to clearly identify the hazard and its propagation in order to classify the hazard's severity ranking and frequency. For the LOPA team to assess the risk (severity and frequency) of the tower overfill hazard, guidelines were needed in evaluating the hazard's severity and frequency to ensure a consistent, conservative approach that met company site practices while providing a reasonably simple approach for the LOPA team in evaluating risk and utilizing the LOPA process. The risk matrix from the LOPA site practice illustrated in Table A.1 in Appendix A was used as a basis for a severity ranking versus defined people hazards. This was combined with the event frequency decision table shown in Table A.2 and calibrated to a LOPA risk matrix given in Table A.3, which connected severity and event frequency to required risk reduction criteria. Note that these project tables have since been supplanted by later company standards and Tables A.1, A.2, and A.3 do not reflect the company's current corporate risk criteria.

The use of a consequence severity-frequency matrix which relates the severity and the initiating event frequency to the amount of frequency reduction required to reduce the frequency of the hazard to an acceptable level is commonly used in industry. While these matrices provided the underlying basis for the LOPA process, the shortcoming of this type of basic matrix approach is that it does not always provide the connection between the hazard consequence and the consequence to people that leads to the severity ranking, i.e.

People Consequence -> Severity Ranking (Risk Matrix)

But what the LOPA team for this program (and equally a PHA team) needs in order to connect the dots is:

Hazard Consequence -> People Consequence -> Severity Ranking

For example, if one looks at a Level 4 (fatality) hazard, there are a number of ways that a hazard could reach that level, i.e. vapor cloud explosion, flash fire, jet fire, toxic release, etc., and each of these has conditions relating to its occurrence. Due to the sheer quantity of risk evaluations for this program and the project, the LOPA team needed an efficient but conservative approach to connecting the hazard's physical manifestation (e.g. fire, explosion, toxic) to the severity of the hazard to people. This simplified approach used by the LOPA team for flammables is illustrated in Table 1.

| Consequence | Material | Risk Ranking |
|---|---|---|
| Small Fire (e.g. small flange leak) | Liquid/Gas | S = 2 |
| Pool Fire - Small to Medium | Liquid | S = 3 |
| Pool Fire - Large | Liquid | S = 3-4 |
| Flash Fire - Small | Gas/Vapor | S = 3 |
| Flash Fire - Medium to Large | Gas/Vapor | S = 3-4 |
| Jet Fire | Gas | S = 4 |
| Explosion | Gas | S = 4-5 |

Table 1 - Hazard Consequence vs. Severity Ranking1


For other hazards such as toxic release and thermal radiation, similar tables relating hazard consequence to severity ranking were developed by the project. Application of this simplified table approach still requires that good engineering judgment be applied to the use of the tables for specific applications. A key process safety principle is that if there is no loss of containment, there is no hazard. [4] Past that, knowledge of the leak size, material state (liquid, flashing liquid, high vapor pressure liquid, gas/vapor, etc.), material properties (composition, flammability, specific gravity, reactivity, etc.), process conditions (pressure, temperature, reactions, etc.), and post release conditions is required in properly evaluating the hazard's propagation once you have a loss of containment. Frequency reduction modifiers may also be considered such as enabling events or conditions, occupancy, probability of ignition, time at risk, and other factors that may reduce the frequency of the event or mitigate the consequence.

Evaluating all of this and achieving consistent results can be a daunting task for LOPA teams. Even large companies with resources that can provide extensive analysis capabilities can find the cost, resource levels, and sheer time prohibitive in doing a large number of LOPA scenarios (over 1300 in this case). The project recognized these issues and took a conservative approach which was easily understood by the LOPA teams, which minimized the amount of quantitative work, though did not eliminate all of it. This approach essentially developed guidelines for relationships between loss of containment and severity, frequency modifiers' relationship to the hazard, and other modifiers that affect a hazard consequence or frequency. These guidelines combined with application specific information and good engineering practices were applied to the LOPA scenarios by the LOPA teams. This approach also helped to achieve consistency across LOPAs done by teams with different memberships based on the unit being evaluated.

Loss of Containment
For the tower overfill hazard, loss of containment is primarily due to overpressure. It was necessary to establish for the tower overfill hazard a relationship between overpressure and the expected loss of containment (limits and size of leak). This was developed by a literature search and in consultation with the company's mechanical experts. [5,6,7] The overpressure criteria based on percent overpressure were developed and are given in Table 2. A basic assumption is made here that none of the towers were past their discard time (i.e. that they were in good condition), which none were. Maintenance of tower condition is part of the plant mechanical integrity program and is not directly a LOPA consideration as it is based on periodic program controls (i.e. testing, inspection, and replacement program).

| Percent Overpressure (%) | Loss of Containment Type |
|---|---|
| 0-150% | None Expected |
| 150%-200% | Flange Leak, Small Leak |
| 200%-350% | Seam Leak (equivalent to 2 hole) |
| >350% | Vessel Rupture |

Table 2 - Overpressure Loss of Containment Criteria1


Note that these overpressure tables and other tables are specific to this project and application to the towers analyzed in this program and the reader is warned that this may not be generally applicable to other applications, especially to new towers after 1999 (where the pressure hydrotest vessel code changed to allow 130% for vessels designed to 1999 code or later).

Loss of containment can also occur due to a loss of tower mechanical integrity based on vessel design (cans and heads) under tower overfill conditions (liquid full up to the relief valve setting) and this was evaluated as part of the LOPA process. Foundation integrity was also evaluated for a liquid full tower. As it turned out, the material composition and physical state (e.g. gas explosion, flash fire, or jet fire or liquid pool fire) had a stronger effect on the hazard evaluation based on the severity ranking used than the size of the loss of containment based on Table 2 (see Table 1).

Initiating Event Frequencies
Given the severity ranking as determined above, we then need to determine the estimated frequency of the hazardous event by evaluating potential initiating cause frequencies. The initiating frequency determination was rule based on identified failure frequencies given in the site LOPA practice and a sample is given in Table A.4 (Appendix A). Since we are interested in the hazardous event's frequency (not just initiating cause frequencies, which are not necessarily the same), but our initiating frequencies are given in conservative terms, we needed some form of cumulative measure of initiating cause frequencies. As it is generally possible to find a multitude of causes for an event (which can skew determination of a reasonable event frequency if considered together), a simple rule based method was employed. The rule was that if there are three or fewer highest frequency initiating causes, that frequency was used, else if more, consideration was given to increasing the frequency, i.e. three 1/10 frequencies gets you 1/10, while a fourth one gets 1/1 (obviously there is some engineering judgment by the LOPA Team involved here and plant past experiences play a part in the consideration).

Once the severity and hazardous event's initiating frequency were determined, the number of IPLs or equivalent frequency modifications/reductions needed was determined by the matrix given in Table A.3 (Appendix A) (the number of zeros is important, i.e. number of layers needed or number of reductions provided). This then allowed applying mitigating factors, enabling events or conditions, frequency modifiers, and independent protection layers (IPLs) to determine if there were any remaining gaps in meeting the company's risk criterion and provided recommendations as to how those gaps may be closed if needed. For tower overfill, initiating causes (i.e. failure of level control, loss of bottom pumps, etc.) were considered in aggregate, e.g. loss of bottoms pump was the initiating cause which had failure modes of loss of power, pump failure, operator error, strainer plugged, etc., which were balanced with a historical perspective.
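The lookup and gap arithmetic described above, as an added Python example that is not part of the original paper or the project's LOPA database: it encodes the Table A.3 matrix from Appendix A and applies the three-cause rule mechanically, where the paper leaves it to LOPA team judgment. The function names, the constructed scenario, and the 1/10 credit assumed for the critical alarm are assumptions for illustration.

```python
"""Order-of-magnitude LOPA gap check (added example, not the project's tool)."""

# Table A.3 (Appendix A): required frequency reduction factor, indexed by
# severity (5..1) and event frequency column "1 in x years". None means "NR".
FREQ_COLUMNS = [10000, 1000, 100, 10, 1]
REDUCTION_MATRIX = {
    5: [10, 100, 1000, 10000, 100000],
    4: [None, 10, 100, 1000, 10000],
    3: [None, None, 10, 100, 1000],
    2: [None, None, None, 10, 100],
    1: [None, None, None, None, 10],
}


def aggregate_initiating_frequency(cause_intervals):
    """Return the event interval x ("1 in x years") for a list of causes.

    Mechanical encoding of the paper's rule: with three or fewer causes at
    the highest frequency, use that frequency; with a fourth, step up one
    order of magnitude (three 1/10 give 1/10, a fourth gives 1/1). The paper
    applies this with team judgment; this function does not.
    """
    if not cause_intervals:
        raise ValueError("at least one initiating cause is required")
    for x in cause_intervals:
        if x not in FREQ_COLUMNS:
            raise ValueError(f"interval {x} is not a Table A.3 column")
    worst = min(cause_intervals)          # smallest interval = most frequent
    if cause_intervals.count(worst) > 3 and worst > 1:
        worst //= 10                      # capped at 1 or more per year
    return worst


def required_reduction(severity, interval):
    """Look up Table A.3; returns 1 when the cell is NR (none required)."""
    if severity not in REDUCTION_MATRIX:
        raise ValueError(f"severity {severity} is not in Table A.3")
    cell = REDUCTION_MATRIX[severity][FREQ_COLUMNS.index(interval)]
    return 1 if cell is None else cell


def orders(factor):
    """Number of zeros in a power-of-ten factor (10 -> 1, 1000 -> 3)."""
    text = str(factor)
    if text[0] != "1" or set(text[1:]) - {"0"}:
        raise ValueError(f"{factor} is not a power of ten")
    return len(text) - 1


def assess(severity, cause_intervals, modifiers, ipls):
    """Compare required reduction with credited modifiers and IPLs.

    cause_intervals maps a cause label to its interval in years; modifiers
    and ipls map a label to a reduction factor (10 means 1/10).
    """
    interval = aggregate_initiating_frequency(list(cause_intervals.values()))
    required = orders(required_reduction(severity, interval))
    provided = sum(orders(f) for f in modifiers.values())
    provided += sum(orders(f) for f in ipls.values())
    return {
        "event_interval_years": interval,
        "required_orders": required,
        "provided_orders": provided,
        "gap_orders": max(required - provided, 0),
    }


# Constructed scenario, not taken from the project's LOPA database:
# a Severity 4 overfill that relieves to an OSBL flare yard.
SAMPLE = assess(
    severity=4,
    cause_intervals={"level control loop failure": 10,
                     "loss of bottoms pump": 10},
    modifiers={"OSBL occupancy": 10},
    ipls={"independent high level critical alarm": 10},   # assumed credit
)

if __name__ == "__main__":
    for key, value in SAMPLE.items():
        print(f"{key}: {value}")
```

In the constructed scenario one order of magnitude remains open, which is the kind of gap the paper describes closing with an additional IPL.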

Enabling Conditions
Enabling conditions are operating conditions necessary for an initiating cause to propagate to a hazardous event. Consideration of enabling conditions generally results in a reduction of the initiating event frequency. Enabling conditions were not used very much in this program as most tower overfill initiating causes were primary causes (higher frequency, direct causes).

Frequency Modifiers
Initially frequency modifiers such as time at risk, occupancy, probability of ignition, and others, which can be used to modify (reduce or increase) the estimated frequency of the hazardous event, were not used. It became apparent that there were some cases where use of frequency modifiers was appropriate, e.g. reduced occupancy for OSBL flare yards and tank yards, reduced probability of ignition when dealing with an ambient or low temperature heavy crude oil leak, etc. As a result, the program established criteria for the use of these frequency modifier factors for tower overfill LOPA scenarios. When these factors were applied, they were indicated separately as part of the initiating frequency section on the LOPA form. Obviously some engineering judgment is required in the application of these factors.

Time at Risk
For tower overfill, time at risk was generally considered not an appropriate frequency reduction. See Table A.6 (Appendix A).

Occupancy
Occupancy consists of two general considerations: 1.) how many people in total can be in the area that can be affected by the hazard, including reasonable hazard escalation, and 2.) how frequently they can be in the expected hazard's effective area. The project took a simplified approach to occupancy by defining the normal occupancy as follows: a person was considered to be present when the hazard was present within the unit ISBL limits. If there was a consideration of higher occupancy such as being close to operator shelters, control rooms, maintenance buildings, TAR activities nearby, close to roads, etc., the severity of the hazard may have been raised by one level if appropriate (for example from a Level 4 single fatality to a Level 5 multiple fatality) to account for an increase in occupancy. If the hazard happens in the OSBL area such as a flare yard or tank field, the occupancy was generally modified to provide a frequency reduction of 1/10, unless there are other occupancy considerations.

One other occupancy consideration is the operator "swarm effect", where, when a problem occurs, operators may swarm into the area to fix the problem without concern for the potential risk, which can raise the immediate occupancy. Occupancy at elevation was also considered. Criteria for occupancy are given in Table A.7 (Appendix A).

Probability of Ignition
Probability of ignition was assumed to be 1 at grade in the unit ISBL areas (always present). For other areas and at elevation, criteria were developed, which are given in Table A.7 (Appendix A).

Independent Protection Layers (IPLs)


The application of independent protection layers (IPLs) was based on the rules and tables in the site LOPA practice. All IPLs must meet the requirements of specificity, independence, dependability, auditability, MOC, and security. Typical IPLs are given in Table A.9 (Appendix A). For IPLs not in the site LOPA practice, a safety case was typically written to justify their use as an IPL.

Time
Except for the minimum required operator response time related to tower overfill for a critical alarm, time was not taken into account. Credit was also not given for flare knock drum fill time for shared flares where the owner of the flare could not directly do anything about the overfill (calling around did not count), nor for knock out drum bottoms pumps which were typically designed for 2-3 hour pump out time per API 521.

Reconciliation
Once the program risk assessments were essentially complete, a reconciliation was done to help ensure consistency and standardization of similar LOPA scenarios, which looked at similar towers in different units, i.e. Crude/Atmospheric towers, Main Fractionators, Debutanizers, Depropanizers, Gasoline Splitters, etc. The project LOPA scenarios were eventually used in the company's development of corporate wide generic LOPAs.

Conclusions
This program was applied across a large refinery to reduce the hazard of tower overfill. It provided a conservative, simplified approach for a large number of risk assessments, which resulted in a consistent application of risk reduction principles to meet company risk criteria. Since the implementation of this project, there has been no reported tower overfill incident for a tower in this program.

Some of the major benefits of this program are:
1. Operators will have an independent high level critical alarm with appropriate defined actions on each tower.
2. Operators will have differential pressure instrumentation which will indicate the level trend during abnormal situations when the level is above the upper level control and alarm taps.
3. SIS protective systems were employed for tower overfill hazardous situations where critical level alarms were not enough.
4. Relief valves that could potentially see tower overfill liquid services were required to be liquid certified.
5. Tower mechanical and foundation integrity under tower overfill conditions were evaluated and in some cases required further mitigations.
6. Hazards that were off-node or off unit were evaluated.
7. Increased awareness by Operations of the tower overfill hazard and new tools to help prevent the hazard.
8. The tower overfill LOPAs helped justify the routing of a number of atmospheric relief valves to a closed flare system thus relocating the hazard to the flare yard and reducing its severity and occupancy.

References:
1. Overfill Protective Systems - Complex Problem, Simple Solution, Angela E. Summers Ph.D. & William Hearn, Mary Kay O'Connor Safety 2009 International Symposium.
2. CSB Investigation of the Explosion and Fire at the Company Texas City Refinery on March 23, 2005, Don Holmstrom, Francisco Altamirano, et al., AIChE 2006 Spring National Meeting, 40th Annual Loss Prevention Symposium.
3. Buncefield Major Incident Investigation, Buncefield Major Incident Investigation Board, UK 7/06.
4. Got a Risk Reduction Strategy, William L. Mostia, Jr. PE, Mary Kay O'Connor Safety Symposium, October 2008. Published in Journal of Loss Prevention in the Process Industries 22 (2009) 778-782.
5. Maximize the Use of Your Existing Flare Structures, G.A. Melhem, PhD, ioMosaic Corporation.
6. ASME 31.3 Process Piping - ASME Code for Pressure Piping, B31 2006, American Society for Mechanical Engineers.
7. Pressure Vessel Inspection Code: In-Service Inspection, Rating, Repair, and Alteration, Ninth Edition, API 510, June 2006.
8. Layer of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical Process Safety (CCPS), American Society of Chemical Engineers, 2001.

Appendix A
Consequence Category Safety

Multiple on site fatalities; multiple off-site permanent injuries

Single on-site fatality, multiple on-site permanent injury; multiple off-site non-permanent injuries

Single on-site permanent injury; multiple DAFWC injuries; single off-site non-permanent injury

Single on-site DAFWC; multiple on-site first aids (recordables); off-site exposure likely but no effects

Single on-site first aid (recordable); no off-site impact

TABLE A.1 Severity Decision Table1

| DESCRIPTIVE WORD | FREQUENCY OF OCCURRENCE |
|---|---|
| Theoretically possible, but not expected | 1 in 10,000 years |
| Remote, but expected | 1 in 1000 years |
| Probable | 1 in 100 years |
| Likely | 1 in 10 years |
| Frequent | 1 or more per year |

Table A.2 - Frequency Decision Table1


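FREQUENCY REDUCTION FACTOR MATRIX

| CONSEQUENCE | FREQUENCY (1 in x years): 10000 | 1000 | 100 | 10 | 1 |
|---|---|---|---|---|---|
| 5 | 10 | 100 | 1000 | 10000 | 100000 |
| 4 | NR | 10 | 100 | 1000 | 10000 |
| 3 | NR | NR | 10 | 100 | 1000 |
| 2 | NR | NR | NR | 10 | 100 |
| 1 | NR | NR | NR | NR | 10 |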

Table A.3 Risk Reduction Matrix1

Typical Initiating Cause Frequencies [8] (Enabling events and/or conditions may modify the frequencies shown in this table.)

| Initiating Cause | Conditions | Frequency (1 in X years) |
|---|---|---|
| Basic Process Control Loop (BPCS) | The BPCS consists of the complete instrumented loop, including the sensor, controller, and final element. This limitation is established in IEC 61511, which states that the dangerous failure rate of the BPCS that is not designed in compliance with IEC 61511 cannot be assumed to be lower than 10^-5 per hour. | 10 |
| Pressure Regulator | Local pressure regulator or pressure reducing valve in a clean service under periodic maintenance. | 100 |
| Loss of Process Supply (OTHER) | Loss of Supply from all causes: e.g., pump failure, accidental block in, or primary supply problem | 10 |
| Relief valve opens early (OTHER) | Opens early propagates to an incident | 100 |

Table A.4 Sample Equipment Initiating Frequencies¹

Condition/Action
Operator Error Routine Task Operator Error Non-Routine Task Operator Error High Stress Operator Error Closing a main process line valve with no similar valves in area Operator Error Closing a main process line valve with similar valves in area non-routine task General Operator/Human Error Tube Rupture (no history, normal corrosion rate) Tube Rupture (no history, high corrosion rate) Tube Rupture (history, high corrosion rate) Spontaneous Rupture of Well Maintained Pressure or New Vessel

Frequency
1/10 1/100 1/10 1/1

1/100

1/10

1/10 1/100 1/10 1/1 1/1000

Table A.5 Example of Other Initiating Frequencies¹

| Condition | Time at Risk Frequency |
|---|---|
| < 87.6 hrs per year | 1/100 |
| > 87.6 and < 876 hrs per year | 1/10 |
| > 876 hrs per year | 1 |

Table A.6 Time at Risk¹

Condition
At Grade Above grade, routine tasks regularly performed or regular occupancy above grade for operational reasons Above grade (>50<100), non-routine tasks, limited routine tasks (maximum of 876 hours per year occupancy) Above grade (> 100), rare event (maximum of 87.6 hours per year occupancy) Remote Areas, limited routine tasks (maximum of 876 hours per year occupancy) LDAR Monitoring TAR (in Unit or Close By)

Occupancy Frequency
1

1/10

1/100

1/10

1/100 1

Table A.7 - Occupancy¹

Condition
At Grade, ISBL or OSBL At Grade, OSBL Limited Number of Electrically Classified Ignition Sources ARV - Above Autoignition Temperature (>80% of AIT) ARV - Below Autoignition Temperature (80% of AIT) Static Electricity Ignition Source ARV - Below Autoignition Temperature (80% of AIT) Liquid Droplets Cold Flammable Liquid with High Flash Point (no mechanical ignition sources available) Significant amount of dry H2 >50% Wet material (contains a significant amount of water)

Probability of Ignition
1

1/10

1/10

1/10

1/10

1 1/10

Table A.8 - Probability of Ignition¹

Attachment to Procedure: Independent Protection Layers (IPL) and Associated Frequency Reduction Factor [8]

Columns: IPL; Further Restrictions on Considering as IPL; FRF

Critical Alarm with operator response
The alarm with operator response must be examined to ensure that it is independent from the initiating cause and any other IPL. This includes not only independent field instrumentation but also an independent channel in the BPCS and independence of the operator (different operator). Only one BPCS-based alarm or BPCS function can be used as an IPL. Requires adequate operator response time > 10 minutes, written procedure, training, periodic inspection, testing, and auditing.

Other/Local
The IPL must be independent of initiating cause and any other IPL. It must be designed to mitigate the scenario.

Check Valve
Single check valve. Dual check valves in series.

Flame Arrester
Must be designed to mitigate the scenario.

Vacuum Breaker
Must be designed to mitigate the scenario.

Restrictive Orifice
Must be designed to mitigate the scenario.

FRF: 1 10 100 100 100

Basic Process Control Loop
The BPCS IPL must be independent of the initiating cause and any other IPL. If the initiating cause is a BPCS control loop, another control loop within the BPCS can not be designated as a BPCS IPL, unless a detailed study of the BPCS is performed to ensure sufficient independence and redundancy in order to address common cause failure. The FRF associated with a BPCS IPL is limited to 10 per IEC 61511.

Safety Instrumented System (SIS)
Must be independent of the BPCS. FRF is based on the SIL that is achieved by the complete functional loop.
SIL 1: FRF 10
SIL 2: FRF 100
SIL 3: FRF 1000

Table A.9 IPLS¹
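The Python below is an added example, not code from the paper or the project: it reads the required FRF from the Table A.3 matrix, credits candidate IPLs under the Table A.9 restrictions (independence, one BPCS-based IPL, the BPCS limit of 10, SIL-based SIS credit), and returns the FRF still missing. Assumptions: "NR" is treated as a required FRF of 1, the alarm FRF of 10 and all tags and scenario values are constructed, and the "detailed study" exception for a second BPCS loop is not modelled.

```python
# Added example, not from the paper: LOPA gap check from Tables A.3 and A.9.
NR = 1  # assumption: "NR" in Table A.3 is treated as a required FRF of 1
FREQS = (10000, 1000, 100, 10, 1)  # Table A.3 columns, frequency 1 in x years
REQUIRED = {  # Table A.3 rows, keyed by consequence category
    5: (10, 100, 1000, 10000, 100000),
    4: (NR, 10, 100, 1000, 10000),
    3: (NR, NR, 10, 100, 1000),
    2: (NR, NR, NR, 10, 100),
    1: (NR, NR, NR, NR, 10),
}
SIS_FRF = {1: 10, 2: 100, 3: 1000}  # Table A.9: FRF by achieved SIL
BPCS_CAP = 10  # Table A.9: BPCS IPL FRF is limited to 10
# Constructed scenario: hypothetical tags; the alarm FRF of 10 is an assumption.
SCENARIO_IPLS = [
    {"tag": "LIC-102", "kind": "bpcs_loop", "independent": True, "frf": 10},
    {"tag": "LAH-103", "kind": "bpcs_alarm", "independent": True, "frf": 10, "response_min": 15},
    {"tag": "LSHH-104", "kind": "sis", "independent": True, "sil": 1},
]

def required_frf(consequence, one_in_years):
    return REQUIRED[consequence][FREQS.index(one_in_years)]

def credit_ipls(cause_is_bpcs_loop, ipls):
    """Apply the Table A.9 restrictions; return (credited FRF, rejections)."""
    total, rejected, bpcs_used = 1, [], False
    for ipl in ipls:
        kind, reason = ipl["kind"], None
        if not ipl["independent"]:
            reason = "not independent of initiating cause or other IPLs"
        elif kind == "bpcs_loop" and cause_is_bpcs_loop:
            reason = "initiating cause is a BPCS loop"
        elif kind != "sis" and bpcs_used:
            reason = "only one BPCS-based alarm or function may be an IPL"
        elif kind == "bpcs_alarm" and ipl["response_min"] <= 10:
            reason = "operator response time must exceed 10 minutes"
        if reason:
            rejected.append((ipl["tag"], reason))
        elif kind == "sis":
            total *= SIS_FRF[ipl["sil"]]
        else:
            bpcs_used = True
            total *= min(ipl["frf"], BPCS_CAP)
    return total, rejected

def lopa_gap(consequence, one_in_years, cause_is_bpcs_loop, ipls):
    """FRF still missing after crediting IPLs; 1 means the target is met."""
    credited, rejected = credit_ipls(cause_is_bpcs_loop, ipls)
    return max(1, -(-required_frf(consequence, one_in_years) // credited)), rejected
```

For the constructed scenario (consequence 4, 1 in 10 years, BPCS loop as initiating cause), the second control loop is rejected, the alarm and the SIL 1 function together give 100 against a required 1000, and a further FRF of 10 remains to be found.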

1. All information provided in this paper is specific to the project described and the associated applications and is provided for informational purposes only. The use of any information in this paper for any other applications should follow due diligence and recognized and generally accepted good engineering practice, with the understanding that the conditions, applications, arrangements, and considerations of this project's program may not apply elsewhere.

Appendix B

Figure B.1
