In the CAPECO explosion, the main gasoline storage tank was full, so an additional shipment of gasoline had to be stored in four smaller tanks using a highly manual process. One of the tanks had a broken level transmitter so fill time was manually calculated, and unfortunately overestimated.
The tank overfilled and created a gasoline vapor plume, which found a spark and rapidly exploded. Watch the CSB CAPECO Incident video and view the CSB CAPECO Incident report.
Before completing a LOPA for this example, a HAZOP was completed to expose potential hazards in CAPECO’s facilities. You can view the completed interactive HAZOP worksheet for this scenario.
After determining the main hazards in the system, a LOPA can be conducted as follows. Please click on each step in the LOPA process to see the suggested answer.
Step 1:
Identify a single consequence to a potential process safety hazard
At CAPECO, the potential process safety hazard was the inaccurate filling of gasoline storage tanks. The consequence was overfilling of flammable gasoline which could lead to fire.
Step 2:
Identify an accident scenario and cause associated with the consequence.
The storage tank could overflow due to operator error and lead to a fire.
Step 3:
Identify the initiating event for the scenario and estimate the frequency of initiating event (FOIE). FOIE values can be found in Appendix A
The initiating event would be manual operation leading to an operator error. Let’s assume number of opportunities to be 100/year. According to Appendix A, the frequency of operator error is 1×10-2.
FOIE = 1×10-2 x 100 =1/year
Step 4:
Identify the protection layers that are available for this particular consequence and estimate the probability of failure on demand (PFD) for each protection layer. PFD values can be found in Appendix B.
In this example, only a single layer of protection was available: a dike, which reduces the frequency of large consequences of a tank overfill or spill.
PFD (Dike) = 1×10-2
Step 5:
Combine the frequency of initiating event (FOIE) with the probability of failure (PFD) of the independent protection layer (IPL) to determine the mitigated consequence frequency (MCF) for the given initiating event
MCF = FOIE x PFD (Dike)
𝑀𝐶𝐹 = (1) 𝑥 (1𝑥10−2) = 1𝑥10−2/year
Step 6:
Plot the consequence frequency vs consequence severity to estimate the level of risk as seen in Table 2. Each point will fit somewhere on this risk matrix.
An MCF of 1.0×10-2/year would mean there is 1 event every 100 years, which falls under the label of “Possible”.
In the CAPECO incident, there were no fatalities, but there were minor injuries (CSB report, page 31) corresponding to “Category 2” based on Table 1. The business impact was estimated to be more than $500 million, which corresponds to “Category 5”. So, the severity category will be taken as the higher of the two, which is “Category 5”.
Using the risk matrix in Table 2 above, an “possible” event of “Category 5” falls into an orange box, which corresponds to a major risk.
Step 7:
Compare risk found in step 6 to an acceptable level of risk and evaluate if additional IPLs are necessary
In this case, a major risk would NOT be acceptable. The layer of protection provided by installing a dike would not be adequate to prevent a major disaster.
Since the risk is too high, additional layers of protection are needed. By adding more layers of protection, the MCF can be decreased which can lead to a different location in the risk matrix. In this case, additional layers of protection could decrease the risk of this event to “moderate”, which is more acceptable than “major”.
To do this, iterate back through steps 1-6, but using additional layers and PFD values. Then evaluate again until the risk is at an acceptable level.
Completing a LOPA:
To carry out a LOPA study in the safety modules, a table format (see below) will be used. A LOPA table for the CAPECO explosion is filled out for your reference based on the discussion above. Consider that the facility can only accept a moderate risk.