
C. S. Howat & Associates


4804 Normandy Park Lawrence, Kansas 66049-1840
785.218.3718 cshowat@ku.edu

LAYER OF PROTECTION WORKSHEET

Scenario Number:
Equipment Number:
Scenario Title:
Date:
Identified Hazard:
Scenario Description:
Consequence Description:

Columns for the rows below: Probability | Frequency (per year)

Risk Tolerance Criteria Category or Frequency:
Initiating Event:
Enabling Event or Condition:
Conditional Modifiers (if applicable): 1) 2) 3) 4)
Frequency of all Conditional Modifiers:
Frequency of Unmitigated Consequence:
Independent Protection Layers (IPL's) PFoD: 1) 2) 3) 4)
Safeguards (non-IPL's): 1) 2) 3) 4)
PFoD's for IPL's:
Frequency of Mitigated Consequence:
Risk Tolerance Criteria Met? NO
Actions Required to Meet Risk Tolerance Criteria:
Notes:
References:
Analyst or Team Members:


INSTRUCTIONS

The following presents the instructions for the 'Layer of Protection Analysis Worksheet'. The purpose of the worksheet is to evaluate the risk of cause - consequence pairs. Causes (initiating events) are faults that begin a sequence that could lead to a consequence (release, capital loss and/or downtime). The worksheet does all calculations automatically based on the analyst's input. The analyst's focus can be on the process under study. Yellow-highlighted cells require no analyst input. These are either invariant cell titles or are calculated values as the analysis proceeds. The shaded cells imply that the column does not apply for that specific row.

Scenario Number
An index system is required for documentation. The numbering system should be in terminology generally accepted in the plant.

Equipment Number
The number of the specific piece of equipment studied is recorded.

Scenario Title
A scenario is a cause - consequence pair. The title should reflect this decision, e.g. 'Release of Reactor Contents into Reactor Room due to Overpressure'.

Date
The date that the Scenario was evaluated and approved is recorded.

Identified Hazard
A hazard is a physical or chemical characteristic of the system under study which, if released, could cause harm to personnel, plant, environment and/or surrounding populations. The hazard under study must be clearly stated.

Scenario Description
This is a statement of the scenario as studied by the analysis team. This will include the initiating event and the consequence. As an example, 'The reactor vessel fails because of overpressure due to incomplete mixing of the catalyst and reactants'.

Consequence Description
The consequence description is the size of the release, the estimated total cost and the estimated downtime.

Risk Tolerance Criteria Category or Frequency
There are three types of consequences under this methodology, i.e. release, capital and downtime. Based on the description given above and the tables given in the 'ConsequenceCategories' worksheet, enter the consequence and category for each. For example, 'Release: Category 3', 'Capital: Category 2', and 'Downtime: Category 3'. The worst (highest category) has a corresponding Frequency found in the 'RiskEvaluationTables' worksheet. Enter the highest probability that corresponds to 'Corrections are not required'. For example, for Category 3, the value is 1.0E-5 to be conservative.

Initiating Event
The initiating event starts the sequence. The initiating event that is most likely for the consequence is the one studied. For example, incomplete mixing could be due to human error, shaft failure, motor failure etc. Human error is most likely. The recommended practice is to focus on the most conservative but to record all. In this case, human error is the most likely at 1E-2 from the 'InitiatingEventProbabilities' worksheet. This value is recorded in the Probability column.

Enabling Event or Condition
This accounts for the fraction of time that the procedure is being done or the unit is online. It corrects the probability of the initiating event for noncontinuous operation. The value entered is typically rounded up to the nearest order of magnitude. For example, if a procedure is done once per week for eight hours, the enabling probability is 8/(7*24) or 1E-1. This value would be entered under the Probability column.

Conditional Modifiers (if applicable) 1) 2) 3) 4)
Conditional modifiers are for special cases to consider. For example, if the study is to go beyond the 'Release' of the chemical and is to look into injury, then a conditional modifier might be the percentage of time that personnel are in the area of the equipment under study. As another example, if the study is to go beyond 'Release' and is to look into fire damage, then a conditional modifier is the probability of finding an ignition source. For the programming of the worksheet to function, any conditional modifiers must be entered in order. That is, Conditional Modifier 1 must be present for Conditional Modifier 2 to be included in the total Frequency calculation.

Frequency of all Conditional Modifiers
The worksheet calculates the product of all Conditional Modifiers. When the analyst inputs a target Frequency and an Initiating Event Probability, the worksheet will enter 1E+00 for this product

Frequency of Unmitigated Consequence
The worksheet calculates the frequency of the unmitigated consequence as the product of the Initiating Event Frequency, the Enabling Event Probability and the Conditional Modifiers Probability.

Independent Protection Layers (IPL's) PFoD 1) 2) 3) 4)
This analysis step is critical to the success of the evaluation. An Independent Protection Layer is one that can terminate the cause - consequence sequence. There may be IPL's present which will have no impact on the sequence. These are to be ignored. There are criteria that the IPL must meet to be classified as an IPL. The IPL must detect that the sequence is underway. It must decide that it is underway. It must deflect (terminate) the sequence. The IPL must be fast enough, big enough and strong enough to deflect the sequence. Most importantly, it must be independent. Probabilities of Failure on Demand (PFoD) for IPL's are given in the 'IPLPFoD' worksheet. For the programming of the worksheet to function, any IPL's must be entered in order. That is, IPL 1 must be entered for IPL 2 to be taken into account. It is absolutely critical that the criteria are consistently applied to evaluate whether a system is an IPL.

Safeguards (non-IPL's) 1) 2) 3) 4)
There may be other systems in place that do not meet the criteria for an IPL. That is, they may not detect, decide or deflect, they may not be fast enough, big enough or strong enough, or they may not be independent of other systems or the initiating event. These safeguards should be recorded. But, under this procedure, they do not affect the risk because they are not a protection layer.

PFoD's for IPL's
The worksheet calculates the product of all IPL's entered. If no IPL's are entered, the worksheet defaults to 1E+00 for risk assessment.

Frequency of Mitigated Consequence
The worksheet then calculates the Frequency for the Scenario accounting for the Frequency of the Initiating Event, the probabilities associated with all Enabling Events and Conditional Modifiers and the Probability of Failure on Demand for all IPL's. This value is compared against the target value recorded under the consequence.

Risk Tolerance Criteria Met?
The comparison is automatically computed and recorded.

Actions Required to Meet Risk Tolerance Criteria
The purpose of the worksheet is to document the results of the analysis. There may be instances which fail to meet the target tolerance. These may require corrections depending upon the Frequency of the Mitigated Response. Suggested corrections should be recorded here. For this system to work, the suggested corrections must be evaluated and, if necessary, acted upon. Risk cannot be reduced by merely doing the procedure. Risk is only reduced when modifications, equipment and procedures change to reduce the consequence or the Frequency of the Mitigated Response.

Notes, References, Analyst or Team Members
These complete the record keeping. There may be ideas that arise that may need to be considered. There may be uncertainties that need further investigation. These should be recorded. If there are specific drawings, photos or operating procedures that were consulted, these should be documented for the likely event that they change, which could result in re-analysis of the scenario. Finally, those responsible should sign off.
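The calculation chain these instructions describe, written out as an added Python example (it is not the worksheet's own spreadsheet logic). The function and field names, the reading of 'met' as a mitigated frequency at or below the target, and the `decades_short` figure are assumptions of this example; the sample values are those of the example problem on this page.

```python
import math
from dataclasses import dataclass, field


def round_up_decade(p):
    """Round a probability up to the next order of magnitude (8/168 -> 1E-1)."""
    return 10.0 ** math.ceil(math.log10(p))


def ordered_product(slots):
    """Multiply the leading run of filled slots 1)..4).

    Mirrors the worksheet rule that entry N counts only if entries 1..N-1
    are present. Returns (product, skipped); skipped lists the 1-based slots
    that hold a value but are ignored. With no entries the product is 1E+00.
    """
    product, gap_seen, skipped = 1.0, False, []
    for number, value in enumerate(slots, start=1):
        if value is None:
            gap_seen = True
        elif gap_seen:
            skipped.append(number)
        else:
            product *= value
    return product, skipped


@dataclass
class Scenario:
    target_frequency: float      # from the risk tolerance criteria, per year
    initiating_event: float      # frequency of the initiating event
    enabling: float = 1.0        # enabling event or condition probability
    conditional_modifiers: list = field(default_factory=lambda: [None] * 4)
    ipl_pfods: list = field(default_factory=lambda: [None] * 4)


def evaluate(s):
    """Return the calculated worksheet cells for one scenario."""
    cm, cm_skipped = ordered_product(s.conditional_modifiers)
    pfod, ipl_skipped = ordered_product(s.ipl_pfods)
    unmitigated = s.initiating_event * s.enabling * cm
    mitigated = unmitigated * pfod
    # Assumption: "met" means mitigated frequency at or below the target;
    # isclose absorbs floating-point noise when the two are equal.
    met = mitigated < s.target_frequency or math.isclose(mitigated, s.target_frequency)
    # Added figure, not a worksheet cell: orders of magnitude still missing.
    decades_short = 0.0 if met else math.log10(mitigated / s.target_frequency)
    return {
        "conditional_modifiers": cm, "unmitigated": unmitigated,
        "ipl_pfod": pfod, "mitigated": mitigated, "met": met,
        "decades_short": decades_short,
        "skipped_modifiers": cm_skipped, "skipped_ipls": ipl_skipped,
    }


# Values from the example problem on this page: Category 5 target 1E-06,
# operator error 1E-02, continuous operation 1E+00, rupture disk PFoD 1E-02.
EXAMPLE = Scenario(1e-6, 1e-2, 1.0, ipl_pfods=[1e-2, None, None, None])

if __name__ == "__main__":
    for cell, value in evaluate(EXAMPLE).items():
        print(f"{cell:22} {value}")
```

A non-empty `skipped_modifiers` or `skipped_ipls` list means a value sits in a later slot while an earlier slot is blank, so under the entry-order rule it is left out of the product.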



EXAMPLE PROBLEM

Pictured at left is a catalyst make up station. An operator adds an appropriate number of bags of catalyst for the reaction. Solvent is then added by weight with the agitator on. At the appropriate time, the solution is moved to the reactor to begin the acrylic resin reaction. If the catalyst addition is incorrect such that too much catalyst is added, the reaction can run away leading to high temperatures and pressures. The reactor holds 10,000 gallons of xylene.

Example Problem
Consequence: Reactor Rupture (Category 5 Release)
Initiating Event: Operator Error in Catalyst Addition (10^-2 probability assuming multiple batches per day)
IPL's: Rupture Disk/Safety Valve (10^-2 PFoD)

[Figure: catalyst make up station. Labels: Solvent Addition by Weight; Local On/Off Switch with Motor Status Light; Solid Catalyst Addition; Catalyst Pre-Mix Tank; Catalyst Added Under Weight Addition Set Point (WC); Acrylic Resin Reactor (H, TT, TA); Product Load Out Upon Completion of Reaction]

Scenario Number: 1
Equipment Number: Catalyst Makeup/Reactor
Scenario Title: Reactor Vessel Rupture due to Improper Catalyst Addition
Date: 2/28/2005
Identified Hazard: High Pressure, Flammable Solvent above boiling point
Scenario Description: Operator adds too much catalyst to make up resulting in too much catalyst added to reactor
Consequence Description: Runaway reaction leading to high temperature and pressure in reactor such that reactor ruptures releasing contents

Risk Tolerance Criteria Category or Frequency: 10,000 gallon of xylene released - Category 5: 1.E-06
Initiating Event: Human Error - Routine Operation - 10^-2 per opportunity: 1.E-02
Enabling Event or Condition: Continuous Operation - Once per shift: 1.E+00
Conditional Modifiers (if applicable): 1) 2) 3) 4)
Frequency of all Conditional Modifiers: 1.E+00
Frequency of Unmitigated Consequence: 1.E-02
Independent Protection Layers (IPL's) PFoD: 1) Rupture Disk/Safety Valve: 1.E-02 2) 3) 4)
Safeguards (non-IPL's): 1) 2) 3) 4)
PFoD's for IPL's: 1.E-02
Frequency of Mitigated Consequence: 1.E-04
Risk Tolerance Criteria Met? NO
Actions Required to Meet Risk Tolerance Criteria / Notes: IPL's are insufficient for Category 5 Release.
References:
Analyst or Team Members: CSH


RISK EVALUATION/ACTION THRESHOLD TABLE

Action Threshold Color Coding and Definitions
Color Code | Threshold Action
- Corrections are required immediately
- Corrections are required at next opportunity
- Corrections may be necessary and should be evaluated
- Corrections are not required

Risk Evaluation Table
Rows, Frequency (per year): >1.0E-01; 1.0E-1 - 1.0E-02; 1.0E-2 - 1.0E-03; 1.0E-03 - 1.0E-04; 1.0E-04 - 1.0E-05; 1.0E-05 - 1.0E-06; 1.0E-06 - 1.0E-07
Columns, Consequence (Effect) Category: Category 1; Category 2; Category 3; Category 4; Category 5


RELEASE, CAPITAL & DOWNTIME CONSEQUENCE TABLES

Release Risk Categories - Liquids and Vapors (Release Consequence)

Consequence Characteristic | 1 to 10 lb | 10 to 100 lb | 100 to 1,000 lb | 1,000 to 10,000 lb | 10,000 to 100,000 lb | >100,000 lb
Extremely Toxic above Boiling Point | Category 3 | Category 4 | Category 5 | Category 5 | Category 5 | Category 5
Extremely Toxic below Boiling Point or Highly Toxic above Boiling Point | Category 2 | Category 3 | Category 4 | Category 5 | Category 5 | Category 5
Highly Toxic below Boiling Point or Flammable above Boiling Point | Category 2 | Category 2 | Category 3 | Category 4 | Category 5 | Category 5
Flammable below Boiling Point | Category 1 | Category 2 | Category 2 | Category 3 | Category 4 | Category 5
Combustible Liquid | Category 1 | Category 1 | Category 1 | Category 2 | Category 2 | Category 3

Release Risk Categories - Dusts (Release Consequence)

Consequence Characteristic | 1 to 10 lb | 10 to 100 lb | 100 to 1,000 lb | 1,000 to 10,000 lb | 10,000 to 100,000 lb | >100,000 lb
Extremely Toxic or ST-3 | Category 3 | Category 4 | Category 5 | Category 5 | Category 5 | Category 5
Highly Toxic or ST-3 | Category 2 | Category 3 | Category 4 | Category 5 | Category 5 | Category 5
ST-3 | Category 2 | Category 2 | Category 3 | Category 4 | Category 5 | Category 5
ST-2 | Category 1 | Category 2 | Category 2 | Category 3 | Category 4 | Category 5
ST-1 | Category 1 | Category 1 | Category 1 | Category 2 | Category 2 | Category 3

Dust Explosion Classifications

Dust Explosion Classification | KST Measures | Characteristics
ST-0 | KST=0 | No Explosion
ST-1 | 0<KST<200 | Weak Explosion
ST-2 | 200<KST<300 | Strong Explosion
ST-3 | KST>300 | Very Strong Explosion

$K_{ST} = \left(\frac{dP}{dt}\right)_{\max} V^{1/3}$, in bar m/s

Capital Loss Categories (Capital Loss Consequence)

Consequence Characteristic | $0-$10,000 | $10,000-$100,000 | $100,000-$1,000,000 | $1,000,000-$10,000,000 | >$10,000,000
Overall Cost of Event | Category 1 | Category 2 | Category 3 | Category 4 | Category 5

Downtime Loss Categories (Downtime Consequence)

Consequence Characteristic | 0 to 1 Month Outage | 1 to 2 Month Outage | 2 to 6 Month Outage | 6 to 12 Month Outage | >12 Month Outage
Mechanical Damage to Main Product Plant | Category 1 | Category 2 | Category 3 | Category 4 | Category 5


INITIATING EVENT PROBABILITIES

Initiating Event (per year basis) | Frequency Range from Literature (per year basis) | Proposed Value to be Used in AIC Risk Assessment
Pressure Vessel Residual Failure | 10^-5 - 10^-7 | 10^-6
Piping Residual Failure - 100 m - Full Breach | 10^-5 - 10^-6 | 10^-5
Piping Leak (10% Section) - 100 m | 10^-3 - 10^-4 | 10^-3
Atmospheric Tank Failure | 10^-3 - 10^-5 | 10^-3
Gasket/Packing Blowout | 10^-2 - 10^-6 | 10^-2
Turbine/Diesel Engine Overspeed with Casing Breach | 10^-3 - 10^-4 | 10^-4
Mechanical Failure | 10^0 - 10^-2 | 10^-2
Third Party Intervention (External Impact by Backhoe, Vehicle, etc.) | 10^-2 - 10^-4 | 10^-1
Crane Load Drop | 10^-3 - 10^-4 per lift | 10^-4 per lift
Lightning Strike | 10^-3 - 10^-4 | 10^-3
Safety Valve Opens Spuriously | 10^-2 - 10^-4 | 10^-2
Cooling Water Failure | 10^0 - 10^-2 | 10^-1
Pump Seal Failure | 10^-1 - 10^-2 | 10^-1
Unloading/Loading Hose Failure | 10^0 - 10^-2 | 10^-1
BPCS Instrument Loop Failure | 10^0 - 10^-2 | 10^-1
Regulator Failure | 10^0 - 10^-1 | 10^-1
Small External Fire | 10^-1 - 10^-2 | 10^-1
Large External Fire | 10^-2 - 10^-3 | 10^-2
Operator Failure - routine, continuous operation | 10^0 - 10^-3 | 10^0
Lock-out, Tag-out Procedure Failure | 10^-3 - 10^-4 per opportunity | 10^-3
Human Error - Routine, once per month opportunity | 10^0 - 10^-3 | 10^-1
Human Error - Nonroutine, low stress | 10^0 - 10^-3 | 10^-1
Operator Failure (to execute routine procedure, assuming well-trained, unstressed, not fatigued) | 10^-1 - 10^-3 per opportunity | 10^-2 per opportunity


INDEPENDENT PROTECTION LAYERS ~ PFoD TABLES

Passive Systems
Comments implicitly assume adequate design, adequate inspection and adequate maintenance procedures.

Independent Protection Layer | Comments | PFOD (Literature and Industry) | PFOD (Screening Value)
Dike | Will reduce the frequency of large consequences (widespread spill) of a tank overfill, rupture, spill etc. | 10^-2 - 10^-3 | 10^-2
Underground Drainage System | Will reduce the frequency of large consequences (widespread spill) of a tank overfill, rupture, spill etc. | 10^-2 - 10^-3 | 10^-2
Open Vent (no valve) | Will prevent overpressure | 10^-2 - 10^-3 | 10^-2
Fireproofing | Will reduce rate of heat input and provide additional time for depressurizing, firefighting etc. | 10^-2 - 10^-3 | 10^-2
Blast-wall/Bunker | Will reduce the frequency of large consequence of an explosion by confining blast and protecting equipment, buildings etc. | 10^-2 - 10^-3 | 10^-3
Inherently Safe Design | Will significantly reduce the frequency of consequences associated with a scenario | 10^-1 - 10^-6 | 10^-2
Flame/Detonation Arrestors | Will eliminate the potential for flashback through a piping system into a vessel or tank | 10^-1 - 10^-3 | 10^-2

Active Systems
Comments implicitly assume adequate design, adequate inspection and adequate maintenance procedures.

Independent Protection Layer | Comments | PFOD (Literature and Industry) | PFOD (Screening Value)
Relief Valve | Prevents system exceeding specified overpressure. Effectiveness of this device is sensitive to service and experience. | 10^-1 - 10^-5 | 10^-2
Rupture Disk | Prevents system exceeding specified overpressure. Effectiveness can be very sensitive to service and experience. | 10^-1 - 10^-5 | 10^-2
Basic Process Control System | Can be credited as an IPL if not associated with the initiating event being considered. | 10^-1 - 10^-2 | 10^-1

Human Systems
Comments implicitly assume adequate documentation, training and testing procedures.

Independent Protection Layer | Comments | PFOD (Literature and Industry) | PFOD (Screening Value)
Human Action with 10 Minutes Response Time | Simple well-documented action with clear and reliable indications that the action is required | 10^0 - 10^-1 | 10^-1
Human Response to BPCS Indication or Alarm with 40 Minutes Response Time | Simple well-documented action with clear and reliable indications that the action is required. | 10^-1 | 10^-1
Human Action with 40 Minutes Response Time | Simple well-documented action with clear and reliable indications that the action is required | 10^-1 - 10^-2 | 10^-1


Hazard Identification Worksheet - HazOp

Study

Date

Process Area

Process Intent

Equipment Identification or Tag Number

Process Parameter

Guideword

Deviation

ID | Cause | Consequence | Pr( ) | Safeguards | Action Items
