9 Implementing LOPA

9.1. Purpose

This chapter discusses how to effectively implement LOPA. To achieve the maximum benefit from LOPA, an organization must also implement risk tolerance criteria. Implementation should be throughout an organization, and not limited to a single site or single analyst. Sections 9.2 through 9.7 discuss key questions an organization must address and the background data required before implementing LOPA. Section 9.8 describes typical steps for implementing LOPA once the questions and data needs have been addressed.

9.2. Is the Company Ready for LOPA?

A number of factors are part of this question. First, an examination of the overall risk management philosophy within the corporation is needed.

- Are the organization's values and beliefs compatible with an objective risk management strategy?
- Does the organization have an effective process safety management system to help control risk?
- Are there policies and standards that support the reduction of risk to protect assets, productive capacity, and public trust?
- Will the organization's senior management and attorneys agree to a written risk tolerance criteria?
- Are the objectives of the risk management staff aligned with those of the organization?

- Will the organization really try to reduce risk if judged excessive?
- Does the risk management staff have the support of upper management?
- Does plant management support this initiative?

If the answer to each of these questions is yes, then the organization is probably supportive of using any risk management tool that can be profitably applied to meet the organization's objectives. If the answer is no to one or two questions, then those hurdles should be addressed aggressively before (or during) implementation of LOPA. If most of the answers are no, then the company is probably not ready for LOPA, and resources would be better allocated to other initiatives. LOPA can be a valuable tool to control risk, but it cannot be effectively implemented if the organization is not suited for this new tool.

The second area to examine is the organization's current risk management capability, considering the hazard analysis capability of the organization first.

- What analysis methods are currently being used?
- Does the organization have a history of rigorous analysis?
- Does the organization regularly analyze equipment, systems, procedures, and processes?
- At what level of sophistication are hazard analysis tools used?

If an organization rarely conducts formal hazard analyses on systems, and is driven primarily by law or regulation, then it is unlikely that such an organization could use LOPA with much confidence or success. However, if hazard analyses are a regular part of the engineering, design, procedure validation, and daily management processes of an organization, then LOPA may well provide another cost-effective hazard analysis tool that helps increase the safety and integrity of its systems.

LOPA's cornerstone is the organization's policies and practices regarding risk management. Such policies and practices provide safety and reliability professionals the authority to influence and shape the design of processes and systems.

9.3. What Is the Current Foundation for Risk Assessment?

Before implementing LOPA, an organization must have certain capabilities and experience in place. A readiness assessment requires an analysis of the current risk management policies, a review of the current hazard analysis methods used, an evaluation of the capabilities within the organization, and an assessment of institutional knowledge related to consequences and failure frequencies (some of these aspects are addressed later in this chapter).

If there are clearly articulated policies, are those policies backed up by internal standards and guidelines that are a normal part of day-to-day business? The existence of standards requiring hazard analysis, safety reviews, reliability analysis, root cause/failure analyses, and design checks sets the stage for successful implementation of LOPA. For organizations that are accustomed to performing hazard analyses, LOPA will be accepted as another tool in the hazard review method toolbox. This is particularly true since HAZOP and other qualitative methods are ideally suited for finding potential accident scenarios.

The next step in evaluating the current status is to review the hazard analysis methods in use. Determine if the organization is experienced using qualitative and quantitative hazard analysis methods. Because LOPA bridges the gap between qualitative and quantitative methods, the more experience the organization has with quantitative methods the better. Organizations who have used only qualitative methods (e.g., checklist analysis, what-if analysis, or hazard and operability [HAZOP] analysis) are not likely to be experienced with failure rates or probabilities of failure on demand (PFD).

Organizations that implement LOPA usually find that it forces analysts and management to recognize where uncertainty in risk exists. In the past, individuals argued qualitatively that the risk is, or is not, tolerable. LOPA helps build consensus because it uses quantitative (order of magnitude) estimates of risk components (initiating event frequency, independent protection layers (IPLs), and consequence).

9.4. What Data Are Required?

While LOPA is a simplified risk assessment technique, it does require data. The data quantify (to a rough order of magnitude) how often equipment fails, how often people err, the consequences of errors and failures, and how likely the safeguards will prevent the outcomes. These data will be used to develop values for consequence severity, initiating event frequency, and PFDs for IPLs.

Consequences

Consequence categories must be developed for LOPA use. An organization must understand the ranges of severity of consequences, and for the chemical industry, these include the severity of chemical releases, runaway reactions, decompositions, fires, and explosions. Many typical release/event scenarios may need modeling to determine the potential severity of certain types of scenarios. The organization may run their own models, contract others to run the models, or use available look-up tables to establish the range of severity.

Before implementing LOPA, an organization must have an understanding of the consequences of chemical releases, and should develop guidelines for the LOPA analyst to use when performing an analysis of a scenario. The consequence categorization guidelines should be developed such that the LOPA analyst rarely needs to run a mathematical model. Chapter 3 provides examples of typical consequence lookup tables.

Component Failure Data

Numerous databases exist that provide ranges of failure rates for almost every conceivable device. This includes relief valves, control loops, and operating procedures (Guidelines for Process Equipment Reliability Data, CCPS 1989b; IEEE 1984; OREDA 1989, 1992, 1997; EuReData 1989). The order-of-magnitude values from these sources are often accurate enough for LOPA. The sources typically provide a range of failure rates that encompass most facilities. The values are best applied when a company understands the source(s) of the data and knows how their specific processes compare to the data sources. Some processes with standard designs, such as steam systems or propane storage facilities, can be characterized fairly accurately from existing databases.

When the process is unique, the likelihood of failure is highly dependent on the particulars of that process and the environment (including climate) in which it operates. The best source of failure rate data for these processes is the actual data from those systems (i.e., from operational-specific sources). Companies or organizations with well developed mechanical integrity and incident investigation procedures, including the ability to collect and analyze the data, are more capable of assigning credible failure rates, which strengthens the credibility of their LOPA method.

Most chemical companies have only recently developed reliability (mechanical integrity) databases and these databases are still being populated. Therefore, most companies applying LOPA begin with data from external sources and then use subjective judgment to fit the data to their processes. Note that organizational changes can influence the database as well. For instance, an increase in PSV maintenance staff along with a policy change to test and inspect PSVs each year instead of during turnarounds every 2 years, can improve the reliability of PSVs (assuming the test and inspection methods can detect onset of failure).

Human Error Rates

Company or organization experience includes not only failure data for components in processes, but also softer factors such as knowledge and experience of operators, corporate culture, and behaviors. There are literature sources (Swain and Guttmann, 1983; Guidelines for Preventing Human Error in Process Safety, CCPS, 1994b) on human error data that can be used to estimate the likelihood of human errors. Internal company data on actual human error rates is either non-existent or anecdotal at best; therefore, most companies rely on external sources (published data) for human error rates for use in LOPA.

Incident Data

Incident data from accidents and near misses is another excellent source of data for developing typical values for initiating events, IPLs, and consequences. The chemical industry is just beginning to report near misses (Bridges 2000b). The near miss data will greatly increase the number of data points, further assisting companies to select appropriate failure data, human error data, and consequences. Currently, most companies' incident databases do not have sufficient data to allow determination of failure rates and PFDs.

Summary of Data

Ultimately, the organization will need to establish a succinct set of failure and error data for use in LOPA. This should be a small set of choices, consistent with the self-imposed limitations of LOPA. See Chapters 5 and 6 for examples of LOPA frequency and PFD data.

9.5. Will the IPLs Remain in Place?

An organization must establish a system to periodically assess (audit) the elements (components and human interventions) identified as IPLs to ensure that the IPLs remain in service at the anticipated PFD. In some cases this will require functional testing of the devices (SIFs interlocks, relief systems, etc.) or the human interventions. In other cases it could include inspections, such as for passive protections like dikes, drainage systems, fire walls, etc. For some IPLs, replacement or preventive maintenance may be required at a specified frequency. In all cases, the organization must ensure that the testing, inspection, preventive maintenance, procedure drills, etc., are accomplished at the appropriate frequency and with the appropriate amount of rigor. These assurance steps are necessary to achieve the PFD assigned for the IPL. The results of these assurance steps (proof tests) must be recorded, including any corrective actions taken. These records must be available to the LOPA analyst(s).

9.6. How Are the Risk Tolerance Criteria Established?

Risk tolerance criteria can be explicit or implicit. Explicit criteria include values for tolerable risk and/or values for reducing risk to as low as reasonably practicable (ALARP). These values can be expressed as a single value or as a contour on a graph or risk matrix. Implicit criteria are typically hidden within the procedure for selecting the number of IPLs needed for a given consequence. All organizations use a criteria of some means to make risk judgments, but some companies prefer not to document the risk tolerance criteria.

Frequently, organizations have values or slogans that say something like "all accidents can be prevented" or "nothing we do is worth risking injury." However, words like "all" and "risk" may not have an organizational meaning. Ultimately, it is a question of what risk the organization is willing to accept. An organization might be willing to accept a fairly frequent occurrence if the consequences are small. For example, first-aid injury rates are generally accepted at a higher frequency than lost workday cases. It is, therefore, a sliding scale. The worse the consequence, the lower the tolerance for the incident.

Typically, when qualitative hazard analyses are done, potential risks are qualitatively identified. If the hazard analysis team judges the risk to be intolerable, the team will generate a recommendation that is intended to reduce the risk. That recommendation, however, gives little indication of how much an identified risk will be reduced, but the intent is typically to reduce the risk to a tolerable level. If a similar analysis were done using quantitative methods, the organization might arrive at the same decision reached using the qualitative methods; simply using CPQRA methods does not demand or imply that an organization has predefined a tolerable risk criteria. A CPQRA analysis will estimate the risk reduction expected from installing the protective device, but it will not determine if the risk is tolerable. That is a decision the organization must make.

To achieve consistent results, the authors strongly advise that organizations define risk tolerance criteria before implementing LOPA. Without a risk tolerance (or risk acceptance) criteria, there is a tendency to keep adding safeguards for each new idea for protection, under the false assumption that safety is continually being improved. However, an organization will eventually add IPLs that are unnecessary and thereby reduce focus on the IPLs that are critical to achieving tolerable risk. Some organizations have implemented risk tolerance criteria, coupled with LOPA, to help them focus their limited resources on the most critical.

The development of risk tolerance criteria will impact many others in an organization besides those involved in LOPA, because the criteria can and should be used to reach risk-based decisions, regardless of the hazard analysis method used.

Each company must define tolerable risk levels. Upper management must buy into what is tolerable, particularly when the loss parameter is human suffering or fatality. This is a very difficult consideration. It is difficult for people to quantify situations they find unthinkable. In the extreme case, no one wants to explain in a court of law that even one fatality is tolerable. However, every individual and every organization (regardless of whether the criteria are documented) uses criteria on risk tolerance related to human suffering.

Example 9.1: Has any regulator or community prohibited the use of extreme toxics (such as chlorine)? No! The public (represented and protected by governments) instead require that companies act responsibly to control the risk. And we are still allowed to drive automobiles faster than 5 mph (miles per hour) (8 km/hr) on public roads, even though evidence indicates harm can occur from impacts at speeds much over 5 mph. Again, we recognize the risk of impact/collisions and administer equipment and administration-based safeguards to minimize the risk of these impacts. Similarly, we do not currently require meteor shields over population centers. Such strikes could occur, yet all agree that the likelihood is so remote that shields are not required; in other words, there is agreement throughout our culture to tolerate the risk of death to personnel caused by meteorite strikes. Other examples exist that indicate there is a point at which we believe the risk is negligible (and therefore tolerable).

There are benchmarks for establishing risk tolerance criteria. Appendix E provides a sampling of single-value criteria used by industry and regulators for tolerating risk, and for judging that risk is ALARP. Company history can also help define what is acceptable. Frequently an organization may find from a review of its own history that it is actually tolerating a level of uncomfortable risk, but was not aware of this risk.

As discussed before, risk is a function of consequence and frequency. The risk tolerance criterion could be simply a single value or it could be represented by an F/N curve (see Chapter 11). This value could be expressed explicitly in a number (value) or implied within a risk judgment tool such as a risk decision matrix. Thus, a company can develop risk tolerance criteria using a variety of data sources and calculations of consequences and frequencies.

Effective application of LOPA can help move the risk of each scenario into a tolerable range. This is probably the most important feature of the entire LOPA process. Without risk criteria, no one will know the risk target. Success will not be defined, and it will be impossible for business leaders, LOPA team members, and team leaders to know when they have done what needs to be done.

9.7. When Is LOPA Used?

The procedures and practices governing the application of LOPA should outline the process for deciding when to use LOPA. LOPA should be applied in the gray area when the qualitative hazard analysis reveals the need for reduction in risk, but the qualitative team is unsure of the frequency of the final consequences, unsure of the consequences, or concerned that the processes or scenarios are too complex to address qualitatively. Here the LOPA method can help the decision-making process.

Some companies decide when to use LOPA and when to use CPQRA based on the risk of a scenario, as estimated during a qualitative hazard evaluation. Other companies use only the consequence (or consequence category) to decide when to move beyond qualitative risk judgment. The flowchart shown in Figure 9.1 illustrates one organization's approach for deciding when to use LOPA (and when to use CPQRA as well); this flowchart bases the decision making on the consequences of the scenario and references the consequence categories defined in Table 3.1 in Chapter 3.

9.8. Typical Implementation Tasks

Once the frequency data and consequence data have been documented and the risk matrix and tolerance criteria have been developed, an organization is ready to implement the LOPA approach.

Documenting Risk Tolerance Criteria

The first step in implementation is to develop a document listing the standards having a bearing on LOPA, including the risk tolerance criteria discussed earlier in this chapter (Section 9.6) and in Chapter 8. This document defines the level of risk an organization is willing to assume in the course of operating its facilities, assuming that all basic standards and practices are applied appropriately. Regardless of the specific risk assessment method or procedure, the risk tolerance criteria must provide quantitative measures to determine the acceptability of the risk associated with a scenario or a facility.

FIGURE 9.1. Flowchart for deciding which risk analysis method to use (see Table 3.1 for consequence definitions).

In some methods a range of risk is identified (such as between tolerable risk and ALARP) where a cost benefit study may assist in deciding whether to implement modifications. If this method is used then the basis for the cost benefit analysis should be defined. Sometimes a different approach is used when considering retrofits to an existing facility and the design of a new facility. The difference in approach must be clearly defined.

In many companies the development and language of the risk tolerance criteria document requires input from the legal staff and approval of executive management.

The LOPA Guidance Document

This is a high-level document that should define the general process and prerequisites for applying LOPA within an organization. It should address the following topics:

- The body or group within the organization responsible for the LOPA method. This includes responsibility for the basic assumptions, personnel training, quality control, etc.
- The risk tolerance criteria (see Section 9.6).
- Guidance on when to use LOPA (see Section 9.7).
- Requirements for a LOPA team to proceed independently.
- Required reviews for the risk results from LOPA by corporate experts and/or local or corporate management.
- Required reviews of LOPA recommendations by corporate experts and/or local or corporate management.
- Guidance on cost benefit method and assumptions (if required).
- Requirements for personnel to lead LOPA studies.
- Guidelines on when a LOPA study may require a more rigorous analysis (e.g., CPQRA) for all or part of a scenario (see Section 9.7).

Developing a Step-by-Step Procedure

A step-by-step procedure (protocol) is needed for reference by the user. Earlier chapters in this book contain the details on this procedure; these details should be distilled into a set of rules and examples so that LOPA is applied consistently. Essential aspects include:

- Standardized initiating event frequencies for use throughout the company.
- A standardized approach for including enabling events or conditions if used by the LOPA method.
- Standardized PFD values for IPLs.
- Guidance on establishing the independence, effectiveness and verification of safeguards for consideration of a safeguard as an IPL. This should include specific guidance on whether to consider the BPCS logic solver available for other BPCS/IPLs when the failure of a BPCS loop is the initiating event for a scenario, or what to do when a BPCS loop is already credited as an IPL for the same scenario (see Chapters 6 and 11).
- Guidance on calculating the PFD for IPLs that have a high challenge frequency (see Chapter 7 and Appendix F) if required by the LOPA method.
- Guidance on obtaining PFD values for IPLs not listed in the standard tables (calculation method or referenced personnel or group) if required by the LOPA method.

- Guidance on defining the consequence category.
- Guidance on calculating the consequence frequency.
- Guidance on including additional consequence factor probabilities (e.g., probability of ignition) if these are used in the method.
- Guidance on evaluating risk against the risk tolerance criteria to determine if further action is warranted.
- Steps to document (including sample forms) the LOPA scenarios, and to communicate the findings for further action and archiving.
- Steps to close the recommendations from LOPA.
- Provisions for auditing the system to ensure compliance or to ensure LOPA is used properly.

Conducting Pilot Tests

Each organization has recommendations from hazard evaluations or investigation teams that have not yet been resolved. Therefore, one good pilot test is to choose the recommendations with the most severe consequences (Category 4 or 5), and see where the related accident scenarios fall on the risk matrix (such as the risk matrix provided in Table 8.1) for mitigated consequences (taking appropriate credit for existing safeguards). If the residual risk is not tolerable, the proposed recommendation is applied to determine if the risk is moved to the tolerable range. As the analyst(s) works through these in-house examples, he or she will begin to understand the value of this approach, and should also see where it may be necessary to modify the approach.

Alternatively, if the organization has existing engineering/safeguarding standards or other established requirements, the LOPA process can be used to evaluate the elements of those requirements. This can accomplish two objectives:

1. Calibration of the risk tolerance criteria against perceived acceptable levels of safeguards.
2. Identification of shortfalls (or excesses) in existing protection requirements.

The results of the pilot tests mentioned above should be reviewed with experienced risk analysts and design/process experts to ensure that the final risk judgments (and therefore, the LOPA approach and risk tolerance criteria) match expert opinion.

Developing Training Courses and Training the Analysts

A short course (2-day, nominal) should be developed or contracted to train analysts on applying this technique. The training could also be done by coaching rather than using classroom instruction. As a prerequisite, all attendees of the LOPA course should have training and experience in performing qualitative hazard evaluations.

Developing Training for Personnel Who Support LOPA

In addition to training analysts, an organization may need to:

- train all hazard review leaders to identify scenarios that warrant LOPA,
- train managers concerning their role in LOPA and risk judgment,
- train maintenance and operations personnel on the care and maintenance of IPLs.

Developing User Friendly Tools

The LOPA method can be implemented using manual or paper methods. Many users may desire to use other tools such as dedicated software or spreadsheets. Typically, these tools help the user select the appropriate initiating event frequency and appropriate IPLs and PFDs and perform the simple math and documentation required for this method. Planned software will allow the analyst to convert data automatically from a qualitative hazard evaluation (such as HAZOP or FMEA tables) into the starting point for a LOPA scenario, and then to complete the LOPA using pulldown data selection. Other proprietary applications have been developed to perform a LOPA for scenario data that are input by the analyst. Dedicated tools such as these can also present the results of a LOPA approach in various formats, including showing the placement on the risk matrix.

As of February 2001, to the authors' knowledge, software with planned or included LOPA features are HazardReview LEADER (ABS Consulting) and PROBE (exida.com); several companies have developed in-house spreadsheets or applications to aid in LOPA.
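The following sketch shows the kind of arithmetic a tool built on the step-by-step procedure and the "Developing User Friendly Tools" passage would perform; it is an added example, not code or data from the book or from the products named above. It uses the standard LOPA calculation (initiating event frequency multiplied by the PFD of each credited IPL), and every table value, scenario and name in it (including the `allow_shared_bpcs` policy switch) is a constructed assumption standing in for an organization's own standardized tables.

```python
import math
from dataclasses import dataclass, field

# Constructed placeholder tables (order-of-magnitude values for illustration only;
# a real procedure takes these from the organization's own LOPA guidance document).
INITIATING_EVENT_FREQ = {"bpcs_loop_failure": 1e-1, "cooling_water_loss": 1e-1}  # per year
IPL_PFD = {"bpcs_alarm_operator_response": 1e-1, "relief_valve": 1e-2, "sif": 1e-2}
BPCS_INITIATORS = {"bpcs_loop_failure"}             # initiating events inside the BPCS
BPCS_BASED_IPLS = {"bpcs_alarm_operator_response"}  # IPLs that use the BPCS logic solver
TOLERABLE_FREQ = {4: 1e-4, 5: 1e-5}                 # per year, by consequence category


@dataclass
class Scenario:
    name: str
    initiating_event: str
    consequence_category: int
    ipls: list
    enabling_probability: float = 1.0
    modifiers: dict = field(default_factory=dict)   # e.g. {"ignition": 0.1}


def credit_ipls(scenario, allow_shared_bpcs=False):
    """Split proposed safeguards into credited IPLs and rejected ones with a reason."""
    credited, rejected = [], []
    bpcs_in_use = scenario.initiating_event in BPCS_INITIATORS
    for ipl in scenario.ipls:
        if ipl not in IPL_PFD:
            rejected.append((ipl, "no standardized PFD"))
        elif ipl in credited:
            rejected.append((ipl, "already credited"))
        elif ipl in BPCS_BASED_IPLS and bpcs_in_use and not allow_shared_bpcs:
            rejected.append((ipl, "shares BPCS logic solver"))
        else:
            credited.append(ipl)
            bpcs_in_use = bpcs_in_use or ipl in BPCS_BASED_IPLS
    return credited, rejected


def evaluate(scenario, allow_shared_bpcs=False):
    """Mitigated frequency = initiating frequency x enabling probability
    x PFD of each credited IPL x each consequence modifier, then compare
    with the tolerance criterion for the scenario's consequence category."""
    credited, rejected = credit_ipls(scenario, allow_shared_bpcs)
    freq = INITIATING_EVENT_FREQ[scenario.initiating_event] * scenario.enabling_probability
    for ipl in credited:
        freq *= IPL_PFD[ipl]
    for probability in scenario.modifiers.values():
        freq *= probability
    target = TOLERABLE_FREQ[scenario.consequence_category]
    # Whole orders of magnitude of risk reduction still missing (0 if tolerable);
    # the small epsilon absorbs floating-point noise at exact powers of ten.
    shortfall = max(0, math.ceil(math.log10(freq / target) - 1e-9))
    return {"scenario": scenario.name, "credited": credited, "rejected": rejected,
            "mitigated_freq_per_year": freq, "target_per_year": target,
            "tolerable": shortfall == 0, "orders_of_magnitude_short": shortfall}


if __name__ == "__main__":
    overfill = Scenario("tank overfill (constructed)", "bpcs_loop_failure", 5,
                        ["bpcs_alarm_operator_response", "relief_valve"])
    for shared in (False, True):
        print(shared, evaluate(overfill, allow_shared_bpcs=shared))
    overfill.ipls.append("sif")
    print(evaluate(overfill))
```

Running it shows why the procedure must state the BPCS rule explicitly: for the same scenario, crediting or rejecting the BPCS-based alarm changes the calculated shortfall by a full order of magnitude.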