risk assessment sheet in xls format
C. S. Howat & Associates
4804 Normandy Park
Lawrence, Kansas 66049-1840
785.218.3718 [email protected]
LAYER OF PROTECTION WORKSHEET
Scenario Number | Equipment Number | Scenario Title
Date | Identified Hazard
Scenario Description
Value columns: Probability | Frequency (per year)
Consequence Description
Risk Tolerance Criteria Category or Frequency
Initiating Event
Enabling Event or Condition
Conditional Modifiers (if applicable): 1) 2) 3) 4)
Frequency of all Conditional Modifiers
Frequency of Unmitigated Consequence
Independent Protection Layers (IPL's) PFoD: 1) 2) 3) 4)
Safeguards (non-IPL's): 1) 2) 3) 4)
PFoD's for IPL's
Frequency of Mitigated Consequence
Risk Tolerance Criteria Met? NO
Actions Required to Meet Risk Tolerance Criteria
Notes
References
Analyst or Team Members
INSTRUCTIONS

The following presents the instructions for the 'Layer of Protection Analysis Worksheet'. The purpose of the worksheet is to evaluate the risk of cause-consequence pairs. Causes (initiating events) are faults that begin a sequence that could lead to a consequence (release, capital loss and/or downtime). The worksheet does all calculations automatically based on the analyst's input, so the analyst's focus can be on the process under study. Yellow-highlighted cells require no analyst input. These are either invariant cell titles or are calculated values as the analysis proceeds. The shaded cells imply that the column does not apply for that specific row.

Scenario Number: An index system is required for documentation. The numbering system should be in terminology generally accepted in the plant.

Equipment Number: The number of the specific piece of equipment studied is recorded.

Scenario Title: A scenario is a cause-consequence pair. The title should reflect this decision, e.g. 'Release of Reactor Contents into Reactor Room due to Overpressure'.

Date: The date that the Scenario was evaluated and approved is recorded.

Identified Hazard: A hazard is a physical or chemical characteristic of the system under study which, if released, could cause harm to personnel, plant, environment and/or surrounding populations. The hazard under study must be clearly stated.

Scenario Description: This is a statement of the scenario as studied by the analysis team. This will include the initiating event and the consequence. As an example, 'The reactor vessel fails because of overpressure due to incomplete mixing of the catalyst and reactants'.

Consequence Description: The consequence description is the size of the release, the estimated total cost and the estimated downtime.

Risk Tolerance Criteria Category or Frequency: There are three types of consequences under this methodology, i.e. release, capital and downtime. Based on the description given above and the tables given in the 'ConsequenceCategories' worksheet, enter the consequence and category for each. For example, 'Release: Category 3', 'Capital: Category 2', and 'Downtime: Category 3'. The worst (highest category) has a corresponding Frequency found in the 'RiskEvaluationTables' worksheet. Enter the highest probability that corresponds to 'Corrections are not required'. For example, for Category 3, the value is 1.0E-5 to be conservative.

Initiating Event: The initiating event starts the sequence. The initiating event that is most likely for the consequence is the one studied. For example, incomplete mixing could be due to human error, shaft failure, motor failure etc. Human error is most likely. The recommended practice is to focus on the most conservative but to record all. In this case, human error is the most likely at 1E-2 from the 'InitiatingEventProbabilities' worksheet. This value is recorded in the Probability column.

Enabling Event or Condition: This accounts for the fraction of time that the procedure is being done or the unit is online. It corrects the probability of the initiating event for noncontinuous operation. The value entered is typically rounded up to the nearest order of magnitude. For example, if a procedure is done once per week for eight hours, the enabling probability is 8/(7*24) or 1E-1. This value would be entered under the Probability column.

Conditional Modifiers (if applicable): Conditional modifiers are for special cases to consider. For example, if the study is to go beyond the 'Release' of the chemical and is to look into injury, then a conditional modifier might be the percentage of time that personnel are in the area of the equipment under study. As another example, if the study is to go beyond 'Release' and is to look into fire damage, then a conditional modifier is the probability of finding an ignition source. For the programming of the worksheet to function, any conditional modifiers must be entered in order. That is, Conditional Modifier 1 must be present for Conditional Modifier 2 to be included in the total Frequency calculation.

Frequency of all Conditional Modifiers: The worksheet calculates the product of all Conditional Modifiers. When the analyst inputs a target Frequency and an Initiating Event Probability, the worksheet will enter 1E+00 for this product.

Frequency of Unmitigated Consequence: The worksheet calculates the frequency of the unmitigated consequence as the product of the initiating event Frequency, the Enabling Event Probability and the Conditional Modifiers Probability.

Independent Protection Layers (IPL's) PFoD: This analysis step is critical to the success of the evaluation. An Independent Protection Layer is one that can terminate the cause-consequence sequence. There may be IPL's present which will have no impact on the sequence. These are to be ignored. There are criteria that the IPL must meet to be classified as an IPL. The IPL must detect that the sequence is underway. It must decide that it is underway. It must deflect (terminate) the sequence. The IPL must be fast enough, big enough and strong enough to deflect the sequence. Most importantly, it must be independent. Probabilities of Failure on Demand (PFoD) for IPL's are given in the 'IPLPFoD' worksheet. For the programming of the worksheet to function, any IPL's must be entered in order. That is, IPL 1 must be entered for IPL 2 to be taken into account. It is absolutely critical that the criteria are consistently applied to evaluate whether a system is an IPL.

Safeguards (non-IPL's): There may be other systems in place that do not meet the criteria for an IPL. That is, they may not detect, decide and deflect, they may not be fast enough, big enough or strong enough, or they may not be independent of other systems or the initiating event. These safeguards should be recorded. But, under this procedure, they do not affect the risk because they are not a protection layer.

PFoD's for IPL's: The worksheet calculates the product of all IPL's entered. If no IPL's are entered, the worksheet defaults to 1E+00 for risk assessment.

Frequency of Mitigated Consequence: The worksheet then calculates the Frequency for the Scenario accounting for the Frequency of the Initiating Event, the probabilities associated with all Enabling Events and Conditional Modifiers and the Probability of Failure on Demand for all IPL's. This value is compared against the target value recorded under the consequence.

Risk Tolerance Criteria Met?: The comparison is automatically computed and recorded.

Actions Required to Meet Risk Tolerance Criteria: The purpose of the worksheet is to document the results of the analysis. There may be instances which fail to meet the target tolerance. These may require corrections depending upon the Frequency of the Mitigated Response. Suggested corrections should be recorded here. For this system to work, the suggested corrections must be evaluated and, if necessary, acted upon. Risk cannot be reduced by merely doing the procedure. Risk is only reduced when modifications, equipment and procedures change to reduce the consequence or the Frequency of the Mitigated Response.

Notes, References, Analyst or Team Members: These complete the record keeping. There may be ideas that arise that may need to be considered. There may be uncertainties that need further investigation. These should be recorded. If there are specific drawings, photos or operating procedures that were consulted, these should be documented for the likely event that these change, which could result in re-analysis of the scenario. Finally, those responsible should sign off.
EXAMPLE PROBLEM

Scenario Number: 1
Scenario Title: Reactor Vessel Rupture due to Improper Catalyst Addition
Date: 2/28/2005
Identified Hazard: High Pressure, Flammable Solvent above boiling point

Catalyst Make-up/Reactor
[Figure: catalyst make-up station and reactor. Labels: Solid Catalyst Addition; Solvent Addition by Weight; Catalyst Added Under Weight Addition Set Point; Catalyst Pre-Mix Tank; Local On/Off Switch with Motor Status Light (On/Off); Acrylic Resin Reactor; Product Load Out Upon Completion of Reaction; WC; TT; TAH]

Pictured at left is a catalyst make up station. An operator adds an appropriate number of bags of catalyst for the reaction. Solvent is then added by weight with the agitator on. At the appropriate time, the solution is moved to the reactor to begin the acrylic resin reaction.
If the catalyst addition is incorrect such that too much catalyst is added, the reaction can run away leading to high temperatures and pressures. The reactor holds 10,000 gallons of xylene.

Consequence: Reactor Rupture (Category 5 Release)
Initiating Event: Operator Error in Catalyst Addition (10^-2 probability assuming multiple batches per day)
IPL's: Rupture Disk/Safety Valve (10^-2 PFoD)

Completed worksheet (Probability / Frequency (per year) values):
Scenario Description: Operator adds too much catalyst to make up resulting in too much catalyst added to reactor
Consequence Description: Runaway reaction leading to high temperature and pressure in reactor such that reactor ruptures releasing contents. 10,000 gallon of xylene released - Category 5
Risk Tolerance Criteria Category or Frequency: 1E-06
Initiating Event: Human Error - Routine Operation - 10^-2 per opportunity - : 1E-02
Enabling Event or Condition: Continuous Operation - Once per shift: 1E+00
Conditional Modifiers (if applicable): 1) 2) 3) 4)
Frequency of all Conditional Modifiers: 1E+00
Frequency of Unmitigated Consequence: 1E-02
Independent Protection Layers (IPL's) PFoD: 1) Rupture Disk/Safety Valve 1E-02 2) 3) 4)
Safeguards (non-IPL's): 1) 2) 3) 4)
PFoD's for IPL's: 1E-02
Frequency of Mitigated Consequence: 1E-04
Risk Tolerance Criteria Met? NO
Actions Required to Meet Risk Tolerance Criteria: IPL's are insufficient for Category 5 Release.
Notes:
References:
Analyst or Team Members: CSH
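The calculation chain from the instructions, run on the example problem's values. This is an added example, not the spreadsheet's own formulas; the function names, the stop-at-first-blank handling of the four numbered rows, and treating the criteria as met when the mitigated frequency does not exceed the target are assumptions.

```python
import math

SLOTS = 4  # the worksheet offers four numbered rows for modifiers and for IPL's


def round_up_decade(p):
    """Round a probability up to the nearest order of magnitude, as the
    instructions do for the enabling event (8/(7*24) -> 1E-1)."""
    if not 0 < p <= 1:
        raise ValueError("probability must be in (0, 1]")
    return 10.0 ** math.ceil(math.log10(p) - 1e-12)


def product_in_order(slots):
    """Multiply the entries of a numbered block, honouring the 'entered in
    order' rule: anything after the first blank row is not counted.
    Returns (product, row numbers that were entered but ignored).
    An empty block gives 1E+00, the worksheet's stated default."""
    if len(slots) > SLOTS:
        raise ValueError("worksheet has only four rows per block")
    product, ignored, seen_blank = 1.0, [], False
    for row, value in enumerate(slots, start=1):
        if value is None:
            seen_blank = True
        elif seen_blank:
            ignored.append(row)  # would silently drop out of the total
        else:
            if not 0 < value <= 1:
                raise ValueError(f"row {row}: probability must be in (0, 1]")
            product *= value
    return product, ignored


def evaluate(initiating, enabling, modifiers, ipl_pfods, target):
    """Reproduce the worksheet's calculated cells for one scenario."""
    cm, cm_ignored = product_in_order(modifiers)
    unmitigated = initiating * enabling * cm
    pfod, ipl_ignored = product_in_order(ipl_pfods)
    mitigated = unmitigated * pfod
    # Assumption: "met" means mitigated frequency <= target (small float slack).
    met = mitigated <= target * (1 + 1e-9)
    # Whole orders of magnitude of further risk reduction still needed.
    short = 0 if met else math.ceil(math.log10(mitigated / target) - 1e-9)
    return {
        "modifiers": cm, "unmitigated": unmitigated, "ipl_pfod": pfod,
        "mitigated": mitigated, "met": met, "decades_short": short,
        "ignored_modifier_rows": cm_ignored, "ignored_ipl_rows": ipl_ignored,
    }


if __name__ == "__main__":
    # Values from the example problem: human error 1E-02, continuous
    # operation 1E+00, no conditional modifiers, one IPL (rupture
    # disk/safety valve, PFoD 1E-02), Category 5 target 1E-06.
    result = evaluate(1e-2, 1e0, [None] * 4, [1e-2, None, None, None], 1e-6)
    for name, value in result.items():
        print(f"{name:>22}: {value}")
```

The `ignored_*_rows` lists flag entries that sit below a blank row and would therefore be left out of the worksheet's totals.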
RISK EVALUATION/ACTION THRESHOLD TABLE

Action Threshold Color Coding and Definitions
Color Code | Threshold Action
Corrections are required immediately
Corrections are required at next opportunity
Corrections may be necessary and should be evaluated
Corrections are not required

Risk Evaluation Table
Frequency (per year) | Consequence (Effect) Category: Category 1 | Category 2 | Category 3 | Category 4 | Category 5
>1.0E-01
1.0E-01 - 1.0E-02
1.0E-02 - 1.0E-03
1.0E-03 - 1.0E-04
1.0E-04 - 1.0E-05
1.0E-05 - 1.0E-06
1.0E-06 - 1.0E-07
RELEASE, CAPITAL & DOWNTIME CONSEQUENCE TABLES

Release Risk Categories - Liquids and Vapors
Consequence Characteristic | Release Consequence: 1 to 10 lb | 10 to 100 lb | 100 to 1,000 lb | 1,000 to 10,000 lb | 10,000 to 100,000 lb | >100,000 lb
Extremely Toxic above Boiling Point | Category 3 | Category 4 | Category 5 | Category 5 | Category 5 | Category 5
Extremely Toxic below Boiling Point or Highly Toxic above Boiling Point | Category 2 | Category 3 | Category 4 | Category 5 | Category 5 | Category 5
Highly Toxic below Boiling Point or Flammable above Boiling Point | Category 2 | Category 2 | Category 3 | Category 4 | Category 5 | Category 5
Flammable below Boiling Point | Category 1 | Category 2 | Category 2 | Category 3 | Category 4 | Category 5
Combustible Liquid | Category 1 | Category 1 | Category 1 | Category 2 | Category 2 | Category 3

Release Risk Categories - Dusts
Consequence Characteristic | Release Consequence: 1 to 10 lb | 10 to 100 lb | 100 to 1,000 lb | 1,000 to 10,000 lb | 10,000 to 100,000 lb | >100,000 lb
Extremely Toxic or ST-3 | Category 3 | Category 4 | Category 5 | Category 5 | Category 5 | Category 5
Highly Toxic or ST-3 | Category 2 | Category 3 | Category 4 | Category 5 | Category 5 | Category 5
ST-3 | Category 2 | Category 2 | Category 3 | Category 4 | Category 5 | Category 5
ST-2 | Category 1 | Category 2 | Category 2 | Category 3 | Category 4 | Category 5
ST-1 | Category 1 | Category 1 | Category 1 | Category 2 | Category 2 | Category 3

Dust Explosion Classifications
Dust Explosion Classifications | KST Measures | Characteristics
ST-0 | KST=0 | No Explosion
ST-1 | 0<KST<200 | Weak Explosion
ST-2 | 200<KST<300 | Strong Explosion
ST-3 | KST>300 | Very Strong Explosion
KST = (∂P/∂t)max × V^(1/3), in bar m/s

Capital Loss Categories
Consequence Characteristic | Capital Loss Consequence: $0-$10,000 | $10,000-$100,000 | $100,000-$1,000,000 | $1,000,000-$10,000,000 | >$10,000,000
Overall Cost of Event | Category 1 | Category 2 | Category 3 | Category 4 | Category 5

Downtime Loss Categories
Consequence Characteristic | Downtime Consequence: 0 to 1 Month Outage | 1 to 2 Month Outage | 2 to 6 Month Outage | 6 to 12 Month Outage | >12 Month Outage
Mechanical Damage to Main Product Plant | Category 1 | Category 2 | Category 3 | Category 4 | Category 5
INITIATING EVENT PROBABILITIES

Initiating Event (per year basis) | Frequency Range from Literature (per year basis) | Proposed Value to be Used in AIC Risk Assessment
Pressure Vessel Residual Failure | 10^-5 - 10^-7 | 10^-6
Piping Residual Failure - 100 m - Full Breach | 10^-5 - 10^-6 | 10^-5
Piping Leak (10% Section) - 100 m | 10^-3 - 10^-4 | 10^-3
Atmospheric Tank Failure | 10^-3 - 10^-5 | 10^-3
Gasket/Packing Blowout | 10^-2 - 10^-6 | 10^-2
Turbine/Diesel Engine Overspeed with Casing Breach | 10^-3 - 10^-4 | 10^-4
Mechanical Failure | 10^0 - 10^-2 | 10^-2
Third Party Intervention (External Impact by Backhoe, Vehicle, etc.) | 10^-2 - 10^-4 | 10^-1
Crane Load Drop | 10^-3 - 10^-4 per lift | 10^-4 per lift
Lightning Strike | 10^-3 - 10^-4 | 10^-3
Safety Valve Opens Spuriously | 10^-2 - 10^-4 | 10^-2
Cooling Water Failure | 10^0 - 10^-2 | 10^-1
Pump Seal Failure | 10^-1 - 10^-2 | 10^-1
Unloading/Loading Hose Failure | 10^0 - 10^-2 | 10^-1
BPCS Instrument Loop Failure | 10^0 - 10^-2 | 10^-1
Regulator Failure | 10^0 - 10^-1 | 10^-1
Small External Fire | 10^-1 - 10^-2 | 10^-1
Large External Fire | 10^-2 - 10^-3 | 10^-2
Operator Failure - routine, continuous operation | 10^0 - 10^-3 | 10^0
Lock-out, Tag-out Procedure Failure | 10^-3 - 10^-4 per opportunity | 10^-3
Human Error - Routine, once per month opportunity | 10^0 - 10^-3 | 10^-1
Human Error - Nonroutine, low stress | 10^0 - 10^-3 | 10^-1
Operator Failure (to execute routine procedure, assuming well-trained, unstressed, not fatigued) | 10^-1 - 10^-3 per opportunity | 10^-2 per opportunity
INDEPENDENT PROTECTION LAYERS ~ PFoD TABLES

Passive Systems
Independent Protection Layer | Comments (Implicitly assumes adequate design, adequate inspection and adequate maintenance procedures) | PFOD (Literature and Industry) | PFOD (Screening Value)
Dike | Will reduce the frequency of large consequences (widespread spill) of a tank overfill, rupture, spill etc. | 10^-2 - 10^-3 | 10^-2
Underground Drainage System | Will reduce the frequency of large consequences (widespread spill) of a tank overfill, rupture, spill etc. | 10^-2 - 10^-3 | 10^-2
Open Vent (no valve) | Will prevent overpressure | 10^-2 - 10^-3 | 10^-2
Fireproofing | Will reduce rate of heat input and provide additional time for depressurizing, firefighting etc. | 10^-2 - 10^-3 | 10^-2
Blast-wall/Bunker | Will reduce the frequency of large consequence of an explosion by confining blast and protecting equipment, buildings etc. | 10^-2 - 10^-3 | 10^-3
'Inherently Safe' Design | Will significantly reduce the frequency of consequences associated with a scenario | 10^-1 - 10^-6 | 10^-2
Flame/Detonation Arrestors | Will eliminate the potential for flashback through a piping system into a vessel or tank | 10^-1 - 10^-3 | 10^-2

Active Systems
Independent Protection Layer | Comments (Implicitly assumes adequate design, adequate inspection and adequate maintenance procedures) | PFOD (Literature and Industry) | PFOD (Screening Value)
Relief Valve | Prevents system exceeding specified overpressure. Effectiveness of this device is sensitive to service and experience. | 10^-1 - 10^-5 | 10^-2
Rupture Disk | Prevents system exceeding specified overpressure. Effectiveness can be very sensitive to service and experience. | 10^-1 - 10^-5 | 10^-2
Basic Process Control System | Can be credited as an IPL if not associated with the initiating event being considered. | 10^-1 - 10^-2 | 10^-1

Human Systems
Independent Protection Layer | Comments (Implicitly assumes adequate documentation, training and testing procedures) | PFOD (Literature and Industry) | PFOD (Screening Value)
Human Action with 10 Minutes Response Time | Simple well-documented action with clear and reliable indications that the action is required | 10^0 - 10^-1 | 10^-1
Human Response to BPCS Indication or Alarm with 40 Minutes Response Time | Simple well-documented action with clear and reliable indications that the action is required. | 10^-1 | 10^-1
Human Action with 40 Minutes Response Time | Simple well-documented action with clear and reliable indications that the action is required | 10^-1 - 10^-2 | 10^-1
Hazard Identification Worksheet - HazOp
Study Date Process Area Equipment Identification or Tag Number
Process Intent
Process Parameter Guideword Deviation
ID Cause Consequence Pr( ) Safeguards Action Items