As industry becomes more familiar with LOPA and more studies are performed, I frequently run into the same problems with alarming regularity. The usual text books aren’t much help in cleaning these problems up, as they tend to explain how to perform the LOPA task without getting into much detail on how things can go wrong. The most common being the application of “mitigation” layers – which I will get into in my next post, as developing the graphics will require more time than I have today. There are some situations, often presented as examples, in these books that should clearly be labeled with a “Don’t attempt this at home” warning.
Another item that commonly goes wrong when people are “playing the home game” is trying to get LOPA to work in a situation where the initiating event directly results in the consequence. Let me give you two examples to illustrate:
1) Failure of the piping in an air cooler that handles acid gas (mostly hydrogen sulfide which is considered Immediately Dangerous to Life and Health (IDLH) at 100 PPM).
2) Failure of a pump seal releasing flammable or toxic material
While there are some initiating events that can cause of pump seal failure that can be protected against prior to the actual occurrence of the seal failure, what I am talking about here is spontaneous failure of the seal or the pipe itself, outside of any process demand that might cause the situation.
Most LOPA procedures will handle this situation by presenting an analyst with certain failure rates at which the initiating event will occur for use during the study. Common figures might be once in 10 years for the seal failure and once in 100 years for the piping failure.
Let’s focus on the air cooler pipe failure. If a pipe failure occurs that releases materials that is roughly 90% H2S, which is fatal in the low 100 PPM level, I don’t know anyone’s risk tolerance criteria that will accept that event at once in 100 years. As a result, there is always a LOPA gap of 2 or 3 orders of magnitude that needs to be made up with “protection layers”. The problem with this, is that protection layers CAN’T make up this gap! Once the pipe failure occurs – the game is over. There is quite literally nothing that you can do after the pipe has failed that will make this risk tolerable.
The only choice is to prevent the failure from occurring in the first place. You cannot make this risk acceptable while the initiating event frequency is 1 in 100 per year, you have to reduce the initiating event frequency. This type of problem is where LOPA falls flat on its face. There is really no mechanism in LOPA (as per the usual books and resources) to address this other than trying to implement a “mitigation protection layer” which is a ridiculously bad idea, as it will in fact not change the risk at all, which I will demonstrate in my next post.
Protection layers reduce the likelihood that an accident scenario (specifically, the loss of containment event) will occur. They take action after the initiating event has occurred, but before the loss of containment (usually). While things like improved metallurgy selection and good preventive maintenance programs do reduce risk – they are not protection layers and should not be accounted as such. Factors such as metallurgy and preventive maintenance modify the initiating event frequency. So, if a “standard” metallurgy and preventive maintenance program results in a failure rate of 1 in 100 per year, perhaps “better” metallurgy and preventive maintenance will only result in a failure rate of 1 in 10,000 per year.
When doing (or reviewing) LOPA scenarios make sure that initiating event frequency modifiers are not accounted for as protection layers – because they are not, and considering them as such can lead to dangerously flawed results. Also, when a LOPA scenario shows an intolerable level of risk as the result of an initiating event that directly results in loss of containment – review the recommendations to ensure that they address the initiating event frequency, and do not all for the addition of “protection layers” as that will not solve the problem.