For this spotlight, users of this material are expected to discuss the questions amongst themselves and formulate a written, in-depth response. They may then click on each question to reveal an example answer.
The article is available from AIChE. Note: to access this article free of charge, you must be a member of AIChE.
Which safety model (from the home page of the SafeChemE site) does the LOPA system relate to most, and why? Outline at least one similarity and one difference between the two safety models.
The LOPA relates most to the Swiss Cheese Model. Both process safety models treat the risk of an incident as the consequence of an operational failure, such as a human error, and assess the extent to which the layers of protection will prevent or mitigate the incident should the causal failure occur. Whereas the Swiss Cheese model serves to visualize how a hazard or preventable action may cause an incident, the LOPA is used to obtain an order-of-magnitude estimate of a process safety risk.
As an experienced chemical engineer, you are tasked with assessing the likelihood of an explosion resulting from thermal runaway as a consequence of human error in a concept batch operation. Such an incident would be very catastrophic indeed, costing the company millions of dollars in damages, halting production, claiming the lives of operators, and adversely affecting neighboring businesses and communities. Thus, your company determines that this incident should be unlikely to occur more frequently than once every 100,000 years. You elect to use a LOPA to obtain an initial estimate of the risk. The company runs 200 batches per year, and human error is likely to occur once in every 100 batches. A basic process control loop is in place to regulate the temperature of the reactor. Should that fail, a critical alarm—which signals that the rate of temperature increase has overshot a predetermined value—will go off, triggering an operator response. Should this response be unsuccessful, the reactor will be charged with diluent to absorb the excess heat. If the diluent quenching system fails, then a relief system will likely be triggered to handle the ensuing overpressure, as a final layer of protection. Assume all layers of protection are independent and will function properly 80 out of every 100 demands for action. Estimate the frequency of the runaway. Does your design require improved protection? If yes, suggest at least one measure for improving the safety of the system.
Human error is likely to occur 1/100 × 200 = 2 times per year. There are four layers of protection (control loop, critical alarm, diluent, relief system), each likely to fail (100 - 80)% = 20% of the time, so the probability of failure on demand (PFD) of each layer is 0.20. Since the four layers operate independently, their failures are independent events, so the probability that all protective layers fail on the same demand is 0.20^4 = 1.6 × 10^-3. The mitigated frequency of the explosion is therefore 2/yr × 1.6 × 10^-3 = 3.2 × 10^-3/yr, which implies that the explosion is likely to occur approximately once every 300 years. Thus, the design requires improved protection. The probability of failure on demand of any protective layer can be reduced with proper maintenance and regular replacement of all control systems, by installing a backup cooling system which can quench the reaction, and by installing a level alarm which initiates whenever the reactor is overcharged with reactants. Note: to achieve the company incident frequency goal of once every 100,000 years, you would not need just one additional safety measure on top of the existing four. You would need 4 additional measures.
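The LOPA arithmetic of the answer above, carried out in a short script that is added here as an example and is not part of the original SafeChemE material. It uses the exercise's own numbers, assumes that any added layer has the same PFD of 0.20 as the existing ones, and generalizes the final note by counting how many such layers are needed to reach any target frequency.

```python
from math import prod

# Constructed inputs taken from the exercise: 200 batches/yr, one human error
# per 100 batches, four independent protection layers, each with PFD 0.20.
BATCHES_PER_YEAR = 200
ERRORS_PER_BATCH = 1 / 100
LAYER_PFDS = [0.20, 0.20, 0.20, 0.20]   # control loop, alarm, diluent, relief
TARGET_FREQUENCY = 1 / 100_000          # company goal: once per 100,000 years


def initiating_frequency(batches_per_year, errors_per_batch):
    """Frequency of the initiating event (human error), in events per year."""
    return batches_per_year * errors_per_batch


def mitigated_frequency(init_freq, pfds):
    """LOPA estimate: initiating frequency times the product of the PFDs of
    all protection layers. Multiplying PFDs is valid only because LOPA
    assumes the layers are independent."""
    return init_freq * prod(pfds)


def additional_layers_needed(init_freq, pfds, target, new_pfd=0.20):
    """Smallest number of extra independent layers (each with PFD new_pfd,
    an assumption) that brings the mitigated frequency down to the target."""
    freq = mitigated_frequency(init_freq, pfds)
    extra = 0
    while freq > target:
        freq *= new_pfd   # each added layer scales the frequency by its PFD
        extra += 1
    return extra


def lopa_summary():
    """Collect the results for the exercise's scenario in one dictionary."""
    f0 = initiating_frequency(BATCHES_PER_YEAR, ERRORS_PER_BATCH)
    f = mitigated_frequency(f0, LAYER_PFDS)
    return {
        "initiating_per_year": f0,
        "mitigated_per_year": f,
        "years_between_events": 1 / f,
        "meets_target": f <= TARGET_FREQUENCY,
        "extra_layers_needed": additional_layers_needed(
            f0, LAYER_PFDS, TARGET_FREQUENCY),
    }


if __name__ == "__main__":
    for key, value in lopa_summary().items():
        print(f"{key}: {value}")
```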
Outline, in 3-4 sentences, the limitations of LOPA. Suggest measures for resolving these limitations.
LOPA provides only an order-of-magnitude estimate of a process safety risk and of the failure rates of the independent protection layers. Additionally, the method evaluates only single process safety scenarios, i.e. single cause-consequence pairs. Established risk assessment methods (such as RAGAGEPs) should be used to compute the actual safety risk of an engineering process or a given hazard.