2007-04_NHT_Reformer_LOPA

8/9/2019 2007-04_NHT_Reformer_LOPA

1/195

Protection

NHT Reformer Unit

TOTAL Petrochemicals USA, Inc.Port Arthur Facility

October 2008

Project No. 07-099

6455 South Shore Blvd., Suite 400

League City, Texas 77573

TEL 281.334.4220 FAX 281.334.5809

www.rrseng.com


2/195

TOTAL Petrochemicals NHT Reformer UnitPort Arthur Refinery Layer of Protection Analysis

RRS Engineering, LLC Page i Project No. 07-099October 31, 2008 Revision No. 2

DISCLAIMER RELATING TO THIS REPORT

The work was prepared by Risk, Reliability, and Safety Engineering, LLC (RRS) at the request of TOTAL Petrochemicals. As

a material part of RRS agreeing to perform the work for Client, Client has agreed to the terms of this disclaimer. Specifically,

Client agrees that, to the maximum extent allowable by applicable law, neither RRS, its employees, agents, representatives,

successors, assigns, affiliates, directors, officers, and members, nor any person acting on RRS' behalf in furtherance of its

activities in performing the work for Client:

1. Makes any warranty or representation, express or implied, (all of which are hereby expressly disclaimed) with

respect to the accuracy, completeness, or usefulness of the information contained herein or the work, or that

the use of any information, method, apparatus, or process contained herein, does not infringe on any rights of

others; nor

2. Will have any liability arising by, through, or under Client with respect to the use of, or for special, incidental, or

consequential damages related to or arising directly or indirectly out of the use of any information, method,

apparatus, or process disclosed herein or the work; nor

3. Assumes any liability to client or any third party, with respect to the use of any information, method, apparatus,

or process disclosed herein or in the work.

Client agrees that RRS has made reasonable efforts to perform the Work contained herein in a manner consistent with high

professional standards. However, Client agrees that the Work was conducted on the basis of information made available to

RRS by Client and is dependent on the accuracy of the information provided. Client agrees that all observations, conclusions

and recommendations contained herein are relevant only to this work, and will not be applied to any other facility or operation.

Client agrees that the Work RRS performed is advisory in nature only and that the responsibility for use and implementation

of conclusions and recommendations contained herein rests entirely with Client. Client agrees that it will independently

evaluate any actions taken to address the results of this effort to ensure they will not create unacceptable hazards and that

safe practices are followed when any change is implemented.

Furthermore Client agrees that federal and state regulations are subject to interpretations and no one can guarantee how

they will be interpreted in the future. Client agrees that RRS will have no liability for any incident or regulatory action that

occurs at Client.

Client agrees that it will be solely responsible for disclosure of the Work to any third-party or the use of the work, or any

information or conclusions contained therein.


3/195


RRS Engineering, LLC Page ii Project No. 07-099October 31, 2008 Revision No. 2

T ABLE OF CONTENTS

P AGE

1.0 INTRODUCTION ............................................................................................................................... 1

1.1 Study Team ..................................................................................................................... 1

1.2 Study Dates ..................................................................................................................... 2

2.0 LOPA METHODOLOGY .................................................................................................................. 2

2.1 Scenario Identification ..................................................................................................... 4

2.2 Consequence Severity Evaluation .................................................................................. 4

2.3 Initiating Cause Likelihood Evaluation ............................................................................ 5

2.4 Independent Protection Layers (IPL) Evaluation ............................................................ 7

2.5 Rules for Independent Protection Layers (IPLs) .......................................................... 10

2.5.1 Intermittent Hazard (Not Always Present) .................................................... 10

2.5.2 Mechanical Relief Devices – Relief Valves .................................................. 10

2.5.3 Check Valves ................................................................................................. 11

2.5.4 BPCS ............................................................................................................. 11

2.5.5 Operator Response to Alarm ........................................................................ 11

2.6 Vulnerability Factors ...................................................................................................... 12

2.6.1 Ignition Probability ......................................................................................... 12

2.6.2 Person Present .............................................................................................. 12 2.7 LOPA Calculation .......................................................................................................... 12

3.0 SIS EVALUATION ......................................................................................................................... 13

4.0 RECOMMENDATIONS .................................................................................................................... 15

5.0 LOPA WORKSHEETS .................................................................................................................. 18


4/195


RRS Engineering, LLC Page iii Project No. 07-099October 31, 2008 Revision No. 2

LIST OF T ABLES

P AGE

Table 1. Study Team ..................................................................................................................... 1

Table 2. Review Team ................................................................................................................... 2 Table 3. Hazard Scenario Target Frequencies............................................................................. 4

Table 4. Initiating Causes & Likelihood (ICLs) of Failure ............................................................. 6

Table 5. Examples of Safeguards Not Usually Considered IPLs ................................................ 8

Table 6. Probability of Failure on Demand (PFD) for Independent Protection Layers (IPLs) .... 9

Table 7. Integrity Levels (SILs) for a Safety Instrumented System (SIS) .................................. 13

Table 8. Safety Integrity Level (SIL) Determination .................................................................... 13

Table 9. Recommendations ........................................................................................................ 16

LIST OF FIGURES

P AGE

Figure 1. LOPA Flowchart .............................................................................................................. 3


5/195


RRS Engineering, LLC Page 1 Project No. 07-099October 31, 2008 Revision No. 2

L AYER OF PROTECTION ANALYSIS

NHT REFORMER UNIT

PORT ARTHUR REFINERY

TOTAL PETROCHEMICALS

1.0 I NTRODUCTION

TOTAL Petrochemicals contracted Risk, Reliability and Safety Engineering, LLC (RRS) to conduct

a Layer of Protection Analysis (LOPA) of the NHT Reformer Unit at TOTAL Petrochemicals Port

Arthur Refinery. The LOPA methodology used is defined in the TOTAL Petrochemical LOPA

Procedure 14 and follows the guidance in the Center for Chemical Process Safety (CCPS) book,

Layer of Protection Analysis, 1995. The methodology used in this study meets the requirements of ANSI/ISA S84.00.01, Functional Safety: Safety Instrumented Systems for the Process Industry.

The objectives of the LOPA study were to:

• Review the HAZOP to determine if the safeguards identified were adequate

• Determine the Safety Integrity Level (SIL) for the Safety Instrumented Systems (SIS)

at the plant

1.1 Study Team

The LOPA Study Team is identified in Table 1.

Table 1. Study Team

Name Company Job Title

Norman Borne TOTAL Petrochemicals USA, Inc. Instrument Supervisor

Richard Loupe TOTAL Petrochemicals USA, Inc. NAC Operator

Douglas Dornier TOTAL Petrochemicals USA, Inc. Process Engineer

Ryan Riffer TOTAL Petrochemicals USA, Inc. Ops Superintendent

Roger Allison Olson Engineering Instrument Reliability

Allen Runte TOTAL Petrochemicals USA, Inc. EE & Systems Supervisor

Geoffrey Kret TOTAL Petrochemicals USA, Inc. Rotating Equipment Engineer

David Montondon Gulfcon, Inc. Systems Group

John Darwin TOTAL Petrochemicals USA, Inc. Systems Group

Sheng-Yen Fletcher TOTAL Petrochemicals USA, Inc. PSI/PHA Coordination

Danny Roy TOTAL Petrochemicals USA, Inc. Corrosion Specialist

Dennis Ferrell Olson Engineering Fac. Dev. E&I


6/195



Name Company Job Title

Paul Pardaen TOTAL Petrochemicals USA, Inc. Process Sup. Engineer

Dwayne Austin TOTAL Petrochemicals USA, Inc. Systems Group

Rich Hudgins TOTAL Petrochemicals USA, Inc. Systems Group

John Pruitt RRS Engineering Facilitator

John Alderman RRS Engineering Facilitator

Cassie Slough RRS Engineering Scribe

1.2 Study Dates

The LOPA was conducted onsite at the TOTAL Petrochemicals Port Arthur Refinery on May 3,

2007.

An additional meeting was held on June 21, 2007 to re-evaluate SIL, EIL, and CIL rankings. A

review team was assembled to revisit LOPA scenarios, including 39.1, 72.2, 72.9, and 73.8. Thereview team determined that the commercial severity for these scenarios should be reduced from

catastrophic to major. The review team is identified in Table 2.

Table 2. Review Team

Name Job Title

Ed Bergmann HSEQ

Shen-Yen Fletcher HSEQ

Kelly Nite Operations

Ryan Riffer OperationsGeoff Kret Reliability

Dwayne Austin Systems

John Darwin Systems

Clint Gibbs Systems

Rich Hudgins Systems

Allen Runte Systems

David Montondon Systems

2.0 LOPA M ETHODOLOGY

A Layer of Protection Analysis (LOPA) is a semi-quantitative risk assessment methodology. Put

simply, the method consists of assigning a target frequency based on consequence severity and

comparing it to a simplified prediction of the actual scenario frequency. The method is based on

the AIChE CCPS Concept Book, Layer of Protection Analysis. The steps in the LOPA process are

defined in TOTAL Petrochemical Safety Procedure shown in Figure 1.


7/195



Figure 1. LOPA Flowchart


8/195



2.1 Scenario Identification

The Study Team began by identifying scenarios of concern based on results from the previous

PHA. For an existing PHA, only those scenarios with a shutdown system were reviewed. In some

cases, further definition of the consequence was required. In a LOPA, a scenario is an initiating

cause, a description of the consequence (assuming all safeguards fail), and a list of all protection

layers in place to prevent the consequence from occurring. The LOPA consists of assigning

numerical frequency numbers to the initiating cause and each protection layer, then determining if

protection layers in place are adequate. Additionally, scenarios were added based on shutdowns

in the cause and effect charts.

Some scenarios were reviewed and identified as a moderate severity. Since these scenarios were

considered a moderate severity, they did not meet the criteria for using LOPA. These scenarios

are contained in Appendix A.

Note: A scenario has only one cause and only one consequence. If multiple causes for the same

consequence are identified in the PHAs, then each cause was analyzed separately using LOPA.

2.2 Consequence Severity Evaluation

The Study Team assigned a severity ranking to the consequences. Each consequence severity

was also assigned a Targeted Frequency (TF) based on Table 3.

Table 3. Hazard Scenario Target Frequenc ies

Severity

Level

Safety Environmental Commercial Target

Frequency(1/Yr)

Moderate Onsite:

- Recordable, TRIR

- Medical treatment

Offsite:

- No effect

Not required toconduct LOPA

Serious Onsite:

- Permanent injury

- Lost time accidentOffsite:

- No permanenteffects

Recordable environmentalevent

< $2,000,000 Not required toconduct LOPA


9/195



SeverityLevel

Safety Environmental Commercial TargetFrequency

(1/Yr)

Major Onsite:

- Lethal effect on 1

person- Multiple recordable

injuries

Offsite:

- Shelter in place

Reportable environmentalevent

$2,000,000-$10,000,000

10-4

Catastrophic Onsite:

- Multiple fatalities

Offsite:

- Recordable injuries

Reportable environmentalevent with offsite impact

$10,000,000 -$100,000,000

10-5

Disastrous Onsite:


Offsite:


> 100,000,000 10-6

2.3 Initiating Cause Likelihood Evaluation

The Study Team assigned an Initiating Cause Likelihood (ICL) based on the numerical values

defined in Table 4. These values are based on industry consensus as presented in the CCPS

Concept Book on LOPA. The CCPS Concept Book provides the following guidance on causes:

• Control loop failure - includes all components of the control loop, as well as the

possibility that the control loop could be set in error to a dangerous state by the

operator

• Routine human error - includes a task in the field or at the operator console that is

performed on a routine basis by the operator and that, if done improperly, could

result in the process deviation under review

• Non-routine human error - tasks that are not done on a routine basis but are

possible actions by an operator for some event, such as startup or shutdown that, if

done improperly, could result in the process deviation under review

• Pumps and other rotating equipment - includes any piece of equipment with

normal moving parts

• Fixed equipment - involves failures in non-moving equipment that would lead to the

process condition under review; for example, tube failure on a high-pressure steam

exchanger leading to high process pressure


10/195



Table 4. Initiating Causes & Likelihood (ICLs) of Failure

Initiating Cause (IC) Initiating Cause Likelihood(ICL)

(events per year)

BPCS instrument loop failure 1 x 10-1

Regulator failure 1 x 10-1

Fixed equipment failure (exchanger tube failure, etc.) 1 x 10-2

Pumps and other rotating equipment failure 1 x 10-1

Cooling water failure (redundant CW pumps, diverse drivers, etc.) 1 x 10-1

Loss of power (redundant power supplies) 1 x 10-1

Human error - (routine task, once-per-day opportunity) 1 x 100

Human error - (routine task, once-per-month opportunity) 1 x 10-1

Human error - (non-routine task, low stress) 1 x 10-1

Human error - (non-routine task, high stress) 1 x 100

Gasket / packing blowout 1 x 10-2

Turbine / diesel engine over speed with casing breach 1 x 10-4

Third party intervention (external impact by backhoe, vehicle, etc.) 1 x 10-2

Crane load drop 1 x 10-4 per lift

Lightning strike 1 x 10-3

Safety valve opens spuriously 1 x 10-2

Pump seal failure 1 x 10-1

Unloading / loading hose failure 1 x 10-1

Misalignment of car sealed or locked valve where there is a regularcheck of the alignment of the valves

1 x 10-2 per opportunity

LOTO (lock-out tag-out) procedure failure, e.g.,overall failure of a multiple-element process


Operator failure to execute routine procedure, assuming well trained,unstressed, not fatigued


Other initiating events Develop using experience ofpersonnel

Source: Table 5.1, p 71 of the 2001 CCPS Concept Book “Layers of Protection Analysis”.


11/195



2.4 Independent Protection Layers (IPL) Evaluation

The defining characteristic of a protection layer is that it prevents the consequence from

happening. Each IPL must function such that the defined consequence will not occur. Each

protection layer counted must be independent of other protection layers. That is, there must be nofailure that can deactivate two or more protection layers. If a protection layer is believed to be

more reliable (a lower value for Probability of Failure on Demand - PFD), a quantitative method

should be used to confirm the PFD. For example, if the team desires to improve the unavailability

of risk reduction logic in the Basic Process Control System (BPCS) by adding additional sensors or

final elements, the impact event should be reviewed by a quantitative method such as fault tree.

The protection layer is:

• Specifically designed to prevent or mitigate consequences of a potentially

hazardous event

• Dependable and can be counted on to do what it was intended to do

• Audi tab le and a system to audit and maintain it

The Study Team identified which protection layers meet the definition of IPLs as given in this

section. This is often the most difficult part of LOPA. Table 5 contains safeguards that are not

typically given credit as IPLs.


12/195



Table 5. Examples of Safeguards Not Usually Considered IPLs

Safeguards Not UsuallyConsidered IPLs

Comments

Training and Certification May be considered in assessing the PFD for operator action, but are not, ofthemselves, IPLs

Procedures May be considered in assessing the PFD for operator action, but are not, ofthemselves, IPLs

Normal Testing and Inspection Assumed to be in place for all hazard evaluations and form the basis for judgment to determine IPLs and PFDs; normal testing and inspectionaffects the PFD of certain IPLs, thus, lengthening testing and inspectionintervals may increase the PFD of an IPL

Maintenance Assumed to be in place for all hazard evaluations and forms the basis for judgment to determine the PFDs of IPLs.

Communications Basic assumption that adequate communication exists in a facility; poorcommunications affects the PFD of certain IPLs

Signs Signs, by themselves, are not IPLs; signs may be unclear, obscured,ignored, etc. and may affect the PFD of certain IPLs

Fire Protection Active fire protection often is not considered as an IPL as it is post event formost scenarios and its availability and effectiveness may be affected by thefire / explosion which it is intended to contain; however, if the LOPA teamcan demonstrate it meets the requirements of an IPL for a given scenario, itmay be used (e.g., if an activating system such as plastic piping or frangibleswitches are used)

Note: Fire protection is identified as a “mitigation IPL” as it attempts toprevent a larger consequence subsequent to an event that has alreadyoccurred. This may be considered when assigning cost to commercialseverity levels.

Fireproof insulation can be used as an IPL for some scenarios if it meetsthe requirements of API and corporate standards

Source: Table 6.1, p 79 of the 2001 CCPS Concept Book “Layers of Protection Analysis”


13/195



Table 6. Probabilit y of Failure on Demand (PFD) for

Independent Protection Layers (IPLs)

Independent Protection Layer (IPL) Probability of Failure onDemand (PFD)

Basic process control system, if not associated with the initiating event beingconsidered 1 x 10

-1

Operator response to alarm with at least 10 minutes response time 1 x 10-1

Relief valve 1 x 10-2

Rupture disc 1 x 10-2

Flame / detonation arrestors 1 x 10-2

Tandem seals 1 x 10-1

Dike 1 x 10-2

Underground drainage system 1 x 10-2

Open vent (no valve) 1 x 10-2

Fireproofing 1 x 10-2

Blast-wall / bunker 1 x 10-3

Identical redundant equipment ( e.g., identical relief valves) 1 x 10-1

(max credit)

Diverse redundant equipment (e.g., diverse relief devices) 1 x 10-1 to 1 x 10-2

Fire and gas detection (see Table 6) 1 x 10-1 to 1 x 10-2

Other events Use experience of

personnel

Source: Table 6.3, page 92; Table 6.4, p 96; Table 6.5, page 103 of the 2001 CCPS Concept Book “Layers of Protection

Analysis”.


14/195


15/195



2.5.3 Check Valves

Check valves are notoriously unreliable, but can be considered a LOPA safeguard on a

case-by-case basis. Some of the considerations include:

•

Multiple check valves in series• Clean service

• High differential pressure (< 100 psi) to hold valve closed and prevent leakage

• Defined testing program

2.5.4 BPCS

The Basis Process Control System (BPCS) has several rules associated with their use as IPLs:

• If a BPCS control loop is a cause, the alarms generated by that control loop cannot

be counted as a protection layer. Alarms separate from the control loop may beused as protection for the failure of that control loop if the operator response time is

adequate.

• A control loop in the BPCS, whose normal action would compensate for the initiating

event, can be considered as a protection layer. For example, an initiating cause for

high reactor pressure could be failure of a local upstream pressure regulator; the

normal action of the reactor pressure controller would be to close the inlet PV, thus

providing protection against the impact event.

• Failure mode of the final element is to the safe state

2.5.5 Operator Response to Alarm

Risk reduction for “Operator Response to Alarms” can only be counted once. Alarms are identified

for all causes of the initiating event. The following must be confirmed as true before allowing credit

for operator response:

• Alarm is independent of the cause and BPCS control loop claimed as a protection

layer

• Operator always present and available at the alarm point

• Alarm gives clear indication of the hazard

• Operator will detect the alarm among potentially many other alarms

• Operator has time to diagnose and take corrective action (within 10 minutes)

• Operator is trained in the proper procedures and response associated with the alarm

state and the response steps are identified as critical in the procedure


16/195



2.6 Vulnerability Factors

2.6.1 Ignition Probability

There are many releases that are not ignited. Ignition probabilities used in this study are:

• P ~ 0.3 for flammable liquids and gases

• P ~ 0.1 -> 0.3 for volatile liquids

• P < 0.1 for heavy liquids

Where P = probability of ignition

2.6.2 Person Present

To qualify as a safety related scenario, a person must be in the area where the incident occurs.

Credit is taken for time not in the hazard zone. For example, during operator rounds, if a pumpseal fire were to occur, in order for there to be an injury, the operator must be near the pump. The

operator may only be near the pump for 30 minutes out of his shift.

The following vulnerability factors should be applied when appropriate:

VFp = 1.0 if people are present in the hazard zone all the time

VFp = 0.5 if people are present in the hazard zone for less than 12 hours per day

VFp = 0.1 if people are present in the hazard zone for less than 1-2 hours per day

For environmental and commercial scenarios, the person present is not used.

2.7 LOPA Calculation

Using the numerical values identified in the preceding steps, a simple calculation is performed to

determine the LOPA ratio. LOPA is limited to evaluating a single cause-consequence pair as a

scenario. The numerator of the LOPA ratio is the Target Frequencies (TF), which is the company’s

risk tolerance for that scenario. The denominator of the LOPA ratio is the product of the Initiating

Cause Likelihood (ICL), the Probability of Failure on Demand (PFD) of each Independent

Protection Layer (IPL) identified and the Vulnerability Factor (VF). The formula for calculating the

LOPA ratio is presented below:

VFpVFiPFDPFDPFD ICL

TF Safety Ratio LOPA

Safety

∗∗∗∗∗

=

...)(

321

...)(

321 PFDPFDPFD ICL

TF tal Environmen Ratio LOPA tal Environmen

∗∗∗

=

VFiPFDPFDPFD ICL

TF Commercial Ratio LOPA Commercial

*...)(

321 ∗∗∗

=


17/195



If the LOPA ratio is greater than or equal to one, then the scenario “passes LOPA”. Existing

protection layers in place are adequate.

If the LOPA ratio is less than one, then the scenario “fails LOPA.” Additional protection layers are

needed.

3.0 SIS E VALUATION

LOPA was used to determine the required and Safety Integrity Level (SIL) for a Safety

Instrumented System (SIS). To do this, the LOPA ratio was calculated without giving any credit to

the existing SIS. The required SIL was then found by using Table 7.

Table 7. Integrity Levels (SILs) for a Safety Inst rumented System (SIS)

LOPA Ration Required SIL, EIL, CIL

10-0 -

10-1 No special integrity requirements

10-1 - 10-2 1

10-2 - 10-3 2

10-3 - 10-4 3

The LOPA worksheets for this project are contained in Section 5. The SIL determinations derived

from the study are shown in Table 8.

Table 8. Safety Integrity Level (SIL) Determination

LOPA Ref. SIS Number and Function Required Integrity Level

S E C

2.1 LSHH-592 High high level switch that closes blanket fuel gasvalve PV-593B on high high level in the drum.

0 1 0

4.2 FSLL-915/918 Flow indication with low flow alarms andinterlocks that shutdown the heater on low low flow through aheater pass.

1 2 2

5.8 PSLL-1389 Interlock that isolates the fuel gas from the heateron low low fuel gas pressure.

2 2 2

5.11 PSLL-1379 Interlock that isolates the pilot gas from the heater

on low low pilot gas pressure.

1 2 2

12.2 FSLL-645/647/655 Low flow shutdown Fractionator Reboiler(H-102).

1 2 2

13.8 PSLL-1399 Interlock that isolates the fuel gas from the heateron low low fuel gas.

2 2 2

13.11 PSLL-1393 Interlock that isolates the pilot gas from the heateron low low pilot gas pressure.

0 1 1


18/195




S E C

19.223.225.2

PSL-837 Interlock that stars the spare combustion air blowerfan on low combustion air pressure.

1 1 1

19.223.225.2

SSL-1294 Interlock that shuts down the heater on shutdown ofthe induced draft fan.

1 1 1

19.8 PSLL-1732 Interlock that isolates the fuel gas from the heateron low low fuel gas pressure.

0 1 1

28.1 LSHH-256 Interlock that shuts down the compressors on highhigh level.

2 2 3

29.2 FSLL-106 Interlock that isolates the fuel gas to the chargeheater and interheaters on low low recycle hydrogen flow.

1 2 2

30.9 PDSHH-171 that shuts down compressor C-2A on high high

differential pressure between the suction and discharge of thefirst stage.

1 1 1

30.9 PDSHH-175 that shuts down compressor C-2B on high highdifferential pressure between the suction and discharge of thefirst stage.

1 1 1

32.1 LSHH-179 that shuts down the booster compressor on highhigh level.

2 2 3

33.8 PDSHH-173 that shuts down compressor C-2A on high highdifferential pressure between the suction and discharge lines.

1 1 1

33.8 PDSHH-177 that shuts down compressor C-2B on high highdifferential pressure between the suction and discharge lines.

1 1 1

39.1 LSHH-181 that shuts down the booster compressor on highhigh level.*This scenario was revisited during the June 21

st meeting.

1 2 2

49.2 FSLL-783/784/785/786 Interlocks that isolate the flue gas fromthe charge heater, interheaters, and Depentanizer Reboilertrim heater on low low flow.

1 2 2

72.2 LSLL-38 that shuts down the compressor and prevents restarton low low level in the overhead seal oil tank.*This scenario was revisited during the June 21

st meeting.

1 1 1

72.2 LSL-57 that starts the auxiliary lube oil pump on low level in theoverhead seal oil tank.

*This scenario was revisited during the June 21st

meeting.

2 2 2

72.9 PSL-40 Interlock that starts the spare pump on low lube oilpressure.*This scenario was revisited during the June 21

st meeting.

1 2 2

73.8 PSL-77/78 shuts down the compressor on low lube oilpressure.*This scenario was revisited during the June 21

st meeting.

1 2 1


19/195




S E C

73.12 TSHH-107/108/109/110 shuts down the compressor andprevents compressor restart if there is a high high gasdischarge temperature from the first stage.

0 1 1

80.10 FSL-394 shuts down the CDR on low low nitrogen flow. 1 1 1

4.0 R ECOMMENDATIONS

If during the LOPA study, the LOPA analysis indicated there were not enough safeguards or an

additional SIS was needed, then the Study Team made additional recommendations. Table 9

identifies the recommendations from the LOPA Study.


20/195


21/195


22/195



5.0 LOPA W ORKSHEETS


23/195

TOTAL Petrochemicals - LAYER OF PROTECTION ANALYSIS (LOPA)

PHA Ref. 1.1

ConsequenceDescription

Potential hydrocarbons into process sewer, potential fire/explosion,potential personnel injury.

Initiating Cause Failure of raffinate splitter water boot levelcontrol valve.

Intermittent Hazard P&ID: 3165-1-50-023

Ignition Probability

Person Present 1

Vulnerability Factors

IndependentProtectionLayers

Recommendation 1. Consider adding a tested independent alarm or a SIL 1 shutdown system.

1

SIS No:

SIS Function:

None

1.00E-01

1.00E-04

None

1.00E-01

NoneNone

None

None

0.010LOPA Ratio

Target Frequency Env: 1.00E-03 Com: 1.00E-04Safety:

Com:Safety: Env: 0.010 0.00

Required SIL Level: 1 EIL Level: 1 CIL Level: 2

None

Process DesignBPCS

PSV

Op Response

Other

PHAName TOTAL NHT REVAL


24/195


PHA Ref. 2.1


Overflow of liquid hydrocarbon to the unit flare header, potentiallyresulting in a high level in the Flare Gas KO Drum.

Initiating Cause High flow, naphtha feed from the CrudeUnit or Naphtha Stabilizer. (upstreamflow control failure)

Intermittent Hazard


Person Present



LC-592 opens level control valve.

LAH-910 high level alarm.

Recommendation 2. Ensure that LAH-910 high level alarm is on a routine testing schedule.

3. Ensure that interlock LSHH-592 that closes blanket fuel gas valve PV-593B on highhigh level in the drum is designed for EIL 1.

1

SIS No: LSHH-592

SIS Function: High high level switch LSHH-592 that closes blanket fuel gas valve PV-593B onhigh high level in the drum.

None

1.00E-01

0.00E+00

None

1.00E-01

None

None

1.000LOPA Ratio


Com:Safety: Env: 0.010


None

Process Design

BPCS

PSV

Op Response

Other



25/195


PHA Ref. 4.2


High level in feed surge drum. Tube failure in Charge Heater (H-101)resulting in release of hydrocarbon that could cause (a) a fire and/orexplosion that may injure personnel in a medium-sized area and (b)environmental impact in a small area.

Initiating Cause Operator error, manual valve closed.

Intermittent Hazard P&ID: 3165-1-50-002Loop: F-0915, F-0916, F-0917, F-0918


Person Present 1



Flow indication FC-595 with low flowalarm.

Recommendation 4. Consider adding an additional alarm to indicate loss of hydrogen and hydrocarbonflow to Charge Heater (H-101) on each pass and ensure it is on a routine testingschedule.

5. Ensure that interlocks FSLL-915 through 918 are designed for SIL 1.

1

SIS No: FSLL-915-918

SIS Function: Flow indication FI-915-918 with low flow alarms and interlocks FSLL-915-918 thatshuts down the heater on low low flow through a heater pass.

None

1.00E-01

1.00E-04

None

1.00E-01

None

None

None

None

0.010LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



26/195


PHA Ref. 4.2



Initiating Cause Control valve FV-595 closing too far.



Person Present 1




Recommendation See LOPA Recommendation 4 to consider adding an additional alarm to indicate loss

of hydrogen and hydrocarbon flow to Charge Heater (H-101) on each pass and ensureit is on a routine testing schedule.

See LOPA Recommendation 5 to ensure that interlocks FSLL-915 through 918 aredesigned for SIL 1.

1

SIS No: FI-915-918


None

1.00E-01

1.00E-04

None

1.00E-01

None

None

None

None

0.010LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



27/195


PHA Ref. 4.2



Initiating Cause Pump tripping off.



Person Present 1







1

SIS No: FI-915-918


None

1.00E-01

1.00E-04

None

1.00E-01

None

None

None

None

0.010LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



28/195


PHA Ref. 4.2



Initiating Cause Low level, feed surge drum.



Person Present 1







1

SIS No: FI-915-918


None

1.00E-01

1.00E-04

None

1.00E-01

None

None

None

None

0.010LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



29/195


PHA Ref. 4.2



Initiating Cause Plugged strainer in the pump suction line.



Person Present 1







1

SIS No: FI-915-918


None

1.00E-01

1.00E-04

None

1.00E-01

None

None

None

None

0.010LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



30/195


PHA Ref. 5.2


Potential flameout, potential firebox explosion, potential injury topersonnel in a medium-sized area and environmental impact in asmall area.

Initiating Cause Louver control valve PV-616 closing toofar.

Intermittent Hazard P&ID: 3165-1-50-055ALoop: F-0890


Person Present 1



Blowout doors.

Flue gas analyzer AI-601 with low alarm.

Pressure indication PC-616 with lowpressure alarm on preheated air duct toheater.

Pressure indication PC-615 with lowpressure alarm on the flue gas duct.

Recommendation

1

SIS No: FSLL-890

SIS Function: Interlock FSLL-890 that switches the heater to natural draft operation on low lowcombustion air flow.

None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



31/195


PHA Ref. 5.2



Initiating Cause Stack damper closing too far.



Person Present 1



Blast doors.




Recommendation

1

SIS No: FSLL-890

SIS Function: Interlock FSLL-890 that switches the heater to natural draft operation on low low

combustion air flow.

None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



32/195


PHA Ref. 5.2



Initiating Cause Combustion air fan tripping off.



Person Present 1



Blast doors.




Recommendation

1

SIS No: FSLL-890

SIS Function: Interlock FSLL-890 that switches the heater to natural draft operation on low low

combustion air flow.

None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



33/195


PHA Ref. 5.2



Initiating Cause Induced draft fan tripping off.



Person Present 1



Blast doors.




Recommendation

1

SIS No: SSL-1042

SIS Function: Interlock SSL-1042 that opens the stack damper on shutdown of the induced draft

fan.

None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



34/195


PHA Ref. 5.2






Person Present 1



Blast doors.




Recommendation

1

SIS No: FSLL-890

SIS Function: Interlock FSLL-890 that switches the heater to natural draft operation on low lowcombustion air flow.

None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



35/195


PHA Ref. 5.8


Burner/pilot flameout, inability to ignite the burners following aflameout, resulting in a high concentration of combustibles in thefirebox, potential for an explosion that could result in (a) injury topersonnel in a medium-sized area and (b) environmental impacts ina small area.

Initiating Cause Low pressure in fuel gas header.

Intermittent Hazard


Person Present 1



Recommendation 6. Ensure PSLL-1389 is designed for SIL 2.

1

SIS No: PSLL-1389

SIS Function: Interlock PSLL-1389 that isolates the fuel gas from the heater on low low fuel gaspressure.

None

1.00E-01

1.00E-04

None

Present all the Time

None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



36/195


PHA Ref. 5.8




Intermittent Hazard


Person Present 1



Recommendation See LOPA Recommendation 6 to ensure PSLL-1389 is designed for SIL 2.

1

SIS No: PSLL-1389


None

1.00E-01

1.00E-04

None

1.00E-01

None

None

None

None

0.010LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



37/195


PHA Ref. 5.8




Intermittent Hazard


Person Present 1




1

SIS No: PSLL-1389


None

1.00E-01

1.00E-04

None


None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



38/195


PHA Ref. 5.8



Initiating Cause Isolation valve XV-1382A or B is closed.

Intermittent Hazard


Person Present 1




1

SIS No: PSLL-1389


None

1.00E-01

1.00E-04

None


None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



39/195


PHA Ref. 5.11


Inability to ignite the burners following a flameout, resulting in a highconcentration of combustibles in the firebox, potential for anexplosion that could result in (a) injury to personnel in a medium-sized area and (b) environmental impacts in a small area.

Initiating Cause Low fuel pressure.

Intermittent Hazard


Person Present 1



Recommendation 7. Ensure that PSLL-1379 is designed for SIL 2.

1

SIS No:

SIS Function: Interlock PSLL-1379 that isolates the pilot gas from the heater on low low pilot gaspressure.

None

1.00E-01

1.00E-04

None

1.00E-01

None

None

None

None

0.010LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



40/195


PHA Ref. 5.11



Initiating Cause Carryover of liquid as a result of high levelin fuel gas KO drum.

Intermittent Hazard


Person Present 1



Recommendation See LOPA Recommendation 7 to ensure that PSLL-1379 is designed for SIL 2.

1

SIS No: PSLL-1379


None

1.00E-01

1.00E-04

None


None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



41/195


PHA Ref. 5.11



Initiating Cause Total loss of combustion air.

Intermittent Hazard


Person Present 1




1

SIS No: PSLL-1379


None

1.00E-01

1.00E-04

None


None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



42/195


PHA Ref. 5.11



Initiating Cause Manual valve closed.

Intermittent Hazard


Person Present 1




1

SIS No: PSLL-1379


None

1.00E-01

1.00E-04

None


None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



43/195


44/195


PHA Ref. 5.11




Intermittent Hazard


Person Present 1



Recommendation See Recommendation 7 to ensure that PSLL-1379 is designed for SIL 2.

1

SIS No:


None

1.00E-01

1.00E-04

None

1.00E-01

None

None

None

None

0.010LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



45/195


PHA Ref. 5.11



Initiating Cause High pressure transient from the fuel gassupply header.

Intermittent Hazard


Person Present 1




1

SIS No: PSLL-1379


None

1.00E-01

1.00E-04

None


None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



46/195


PHA Ref. 12.2


Release of hydrocarbon resulting in (a) a fire in the firebox,potentially causing structural damage (e.g., collapse of the heaterstack) that may injure personnel and rupture process equipment in amedium-sized area around the heater, (b) a fire and/or explosionoutside the heater that may injure personnel in a medium-sized area,and (c) environmental impacts in a small area.

Initiating Cause P-103A/B stops.

Intermittent Hazard P&ID: 3165-1-50-007Loop: F-0645, F-0647, F-0655


Person Present 1Vulnerability Factors


Recommendation 8. Consider adding an additional alarm to indicate loss of hydrocarbon flow toFractionator Reboiler (H-102) on each pass and ensure it is on a routine testingschedule.

9. Ensure that interlocks FSLL-645/647/655 are designed for SIL 1.

1

SIS No: FSLL-645/647/655

SIS Function: Low flow shutdowns FSLL-645/647/655 shuts down Fractionator Reboiler (H-102).

None

1.00E-01

1.00E-04

None

1.00E-01

None

None

None

None

0.010LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



47/195


PHA Ref. 12.2


Release of hydrocarbon resulting in (a) a fire in the firebox,potentially causing structural damage (e.g., collapse of the heaterstack) that may injure personnel and rupture process equipment in amedium-sized area around the heater, (b) a fire and/or explosionoutside the heater that may injure personnel in a medium-sized area,and (c) environmental impacts in a small area.

Initiating Cause Control valve or manual valve closed.

Intermittent Hazard P&ID: 3165-1-50-007Loop: F-0645, F-0647, F-0655


Person Present 1Vulnerability Factors


Recommendation See LOPA Recommendation 8 to consider adding an additional alarm to indicate lossof hydrocarbon flow to Fractionator Reboiler (H-102) on each pass and ensure it is ona routine testing schedule.

See LOPA Recommendation 9 to ensure that interlocks FSLL-645/647/655 aredesigned for SIL 1.

1

SIS No: FSLL-645/647/655

SIS Function: Low flow shutdowns FSLL-645/647/655 shuts down Fractionator Reboiler (H-102).

None

1.00E-01

1.00E-04

None

1.00E-01

None

None

None

None

0.010LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



48/195


PHA Ref. 13.2



Initiating Cause Stack damper closing too far.

Intermittent Hazard P&ID: 3165-1-50-055BLoop: F-0898


Person Present 1



Blast doors.

Flue gas oxygen analyzer AI-664 withlow alarm.

Pressure indication PC-616 with lowpressure alarm on preheated air duct tothe heater.

Pressure indication PC-615 with lowpressure alarm located on the flue gasduct.

Recommendation

1

SIS No: FSLL-898

SIS Function: Interlock FSLL-898 that switches the heater to natural draft on low low combustionair flow.

None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



49/195


PHA Ref. 13.2






Person Present 1



Blast doors.




Recommendation

1

SIS No: FSLL-898


None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



50/195


PHA Ref. 13.2



Initiating Cause Combustion air fan tripping off.



Person Present 1



Blast Doors.




Recommendation

1

SIS No: FSLL-898 or SSL-1042


Interlock SSL-1042 that opens the stack damper on shutdown of the induced draftfan.

None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



51/195


PHA Ref. 13.2



Initiating Cause Louver control valve PC-616 closing toofar.



Person Present 1



Blast Doors.




Recommendation

1

SIS No: FSLL-898


None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



52/195


PHA Ref. 13.2




Intermittent Hazard


Person Present 1



Blast Doors.




Recommendation

1

SIS No: FSLL-898


None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



53/195


PHA Ref. 13.8



Initiating Cause Low pressure in fuel gas header.

Intermittent Hazard


Person Present 1



Recommendation 10. Ensure that Interlock PSLL-1399 is designed for SIL 2.

1

SIS No: PSLL-1399


None

1.00E-01

1.00E-04

None


None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



54/195


PHA Ref. 13.8




Intermittent Hazard


Person Present 1



Recommendation See LOPA Recommendation 10 to ensure that Interlock PSLL-1399 is designed for SIL

2.

1

SIS No: PSLL-1399


None

1.00E-01

1.00E-04

None


None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



55/195


PHA Ref. 13.8




Intermittent Hazard


Person Present 1




2.

1

SIS No: PSLL-1399


None

1.00E-01

1.00E-04

None


None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



56/195


PHA Ref. 13.8




Intermittent Hazard


Person Present 1




2.

1

SIS No: PSLL-1399


None

1.00E-01

1.00E-04

None


None

None

None

None

0.001LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



57/195


PHA Ref. 13.11


Inability to ignite the burners following a flameout, resulting in a highconcentration of combustibles in the firebox, potential for anexplosion that could result in potential injury to personnel in amedium-sized area and potential environmental impacts in a smallarea.

Initiating Cause Low pressure from fuel gas supply(OSBL).

Intermittent Hazard


Person Present 1



Blast doors.

Pilots are fueled by Purchased NaturalGas.

Recommendation 11. Review the revalidation from MOC to change pilot gas to Purchased Natural Gas.

1

SIS No: PSLL-1393

SIS Function: Interlock PSLL-1393 that isolates the pilot gas from the heater on low-low pilot gaspressure

None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

None

None

1.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



58/195


PHA Ref. 13.11



Initiating Cause Carryover of liquid as a result of highlevel- fuel gas KO drum that could resultin liquid hydrocarbon pooling and fire inthe bottom of the firebox for the reformercharge heater.

Intermittent Hazard


Person Present 1



Blast doors.

Pressure indication PI-893 with lowpressure alarm


Recommendation See LOPA Recommendation 11 to review the revalidation from MOC to change pilotgas to Purchased Natural Gas.

1

SIS No: PSLL-1393

SIS Function: Interlock PSLL-1393 that isolates the pilot gas from the heater on low-low pilot gas

pressure

None

1.00E-01

1.00E-04

None

1.00E-01

None

None

1.00E-01

None

0.100LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



59/195


PHA Ref. 13.11



Initiating Cause Local control valve PCV-1683 closing toofar.

Intermittent Hazard


Person Present 1



Blast doors.

Pressure indication PI-893 with lowpressure alarm.



1

SIS No: PSLL-1393


None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

None

None

1.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



60/195


PHA Ref. 13.11




Intermittent Hazard


Person Present 1



Blast doors.

Pressure indication PI-893 with lowpressure alarm



1

SIS No: PSLL-1393


None

1.00E-01

1.00E-04

None

1.00E-01

1.00E-02

None

1.00E-01

None

10.000LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



61/195


62/195


PHA Ref. 19.2


Potential flameout H-1, potential firebox explosion, potential injury topersonnel in a medium-sized area and environmental impact in asmall area.




Person Present 1




Pressure indication PC-834 with lowpressure alarm on the preheated air ductto the heater.

Recommendation 12. Ensure that interlock PSL-837 or SSL-1294 are designed for SIL 1.

1

SIS No: PSL-837 & SSL-1294

SIS Function: Interlock PSL-837 that start the spare combustion air blower fan on lowcombustion air pressure.

Interlock SSL-1294 that shuts down the heater on shutdown of the induced draftfan.

None

1.00E-01

1.00E-04

None

1.00E-01

None

None

1.00E-01

None0.100LOPA Ratio




None

Process Design

BPCS

PSV

Op Response

Other



63/195


64/195


PHA Ref. 19.2


Potential flameout H-1, potential firebox explosion, potential injury topersonnel in a medium-sized area and environmental impact in asmall area.

Initiating Cause Control valve FV-862A/B closing too far.



Person Present 1




Pressure indication PC-834 with lowpressure alarm on the preheated air ductto the heater.

Recommendation See LOPA Recommendation 12 to ensure that interlock PSL-837 or SSL-1294 aredesigned for SIL 1.

1

SIS No: PSL-837 & SSL-1294

SIS Function: Interlock PSL-837 that start the spare combustion air blower fan on lowcombustion air pressure.

Interlock SSL-1294 that shuts down the heater on shutdown of the induced dr

2007-04_NHT_Reformer_LOPA

Documents