
Total Automation Solutions

PetroMonagas
Delayed Coker Unit 13 Coke Drum Unheading Upgrade
11S-057

Combined
Process Hazards Analysis (PHA)
and Layer Of Protection Analysis (LOPA)
Report

Performed by

REVISION HISTORY

Revision Description Date By Checked Approved


A Issue for Review 5/6/11 J. Logan G. Palermo
0 Final Issue 6/30/11 J. Logan G. Palermo
Table of Contents

1. Summary
2. Terminology
2.1 Acronyms
2.2 Definitions
3. Unit Process Description
4. Combined PHA and LOPA Methodology
4.1 Process Hazards Analysis Methodology
4.2 Layer Of Protection Analysis Methodology
4.3 PHA/LOPA Step by Step Procedure
5. Sections Studied
6. Compliance with OSHA Process Safety Management and EPA RMP Requirements
6.1 Hazards of the Process
6.2 Identification of Previous Incidents Which Had a Potential for Catastrophic Consequences
6.3 Engineering and Administrative Controls and the Consequences of Failure of Administrative and Engineering Controls
6.4 Qualitative Evaluation...of the Possible Safety and Health Effects of Failure of Controls on Employees in the Workplace and Including Potential Off-site Consequence
6.5 Facility Siting
6.6 Human Factors
6.7 Process Hazards Analysis Team
7. Priority Rankings
8. Appendices
Appendix A - List of Participants
Appendix B - Nodes Studied
Appendix C - PHA Recommendation Tables
Appendix D - LOPA Claimed IPL Tables
Appendix E - LOPA Recommendation Table
Appendix F - PHA Risk Matrix
Appendix G - LOPA Matrix
Appendix H - LOPA Guidance Tables
Appendix I - PHA Worksheets
Appendix J - LOPA Worksheets
Appendix K - P&IDs

Total Automation Solutions Date: June, 2011 SIS-TECH Solutions,LP


PetroMonagas Unit 13 Coke Drum Unheading Upgrade Project #: 11S-057
DISCLAIMER
NOTICE

This report contains the results of the Process Hazards Analysis and Layer Of Protection Analysis study of
the specified process unit(s) for Total Automation Solutions. Neither SIS-TECH Solutions, LP, Total
Automation Solutions, nor any person acting on their behalf makes any warranty, expressed or implied, to any
third party, with respect to the use of the information contained in this report or assumes any liability to any
third party with respect to any use of the information.

SIS-TECH Solutions, LP and its employees, subcontractors, and other assigns cannot individually, or
collectively, predict what will happen in the future. Although the team made a reasonable effort, based on the
information and scope of work provided by Total Automation Solutions, to execute the Process Hazards
Analysis in the specified process unit(s), there are potential incident scenarios that may not have been
addressed in this study. If the recommendations of this study are followed, the frequency and/or
consequences of incidents should be decreased. However, even if all recommendations are implemented,
incidents may still occur in the specified process unit(s). In addition, the physical act of implementing these
recommendations may create hazards for PetroMonagas employees or their assigns. Therefore,
PetroMonagas should independently evaluate the recommendations made in this study to ensure that
implementing them will not create unacceptable hazards and that safe practices are followed when any
change is implemented.

COPYRIGHT NOTIFICATION

All rights reserved. No part of this work covered by the copyright hereon may be reproduced or copied in any
form or by any means—graphic, electronic, or mechanical—without first receiving the written permission of
PetroMonagas, Total Automation Solutions and SIS-TECH Solutions, LP.

1. Summary

In April, 2011, Total Automation Solutions initiated a combined Process Hazards Analysis (PHA)
and Layer Of Protection Analysis (LOPA) for the Delayed Coker Unit 13 Coke Drum Unheading
Upgrade at the PetroMonagas facility as part of the initial PHA/LOPA. PetroMonagas
assembled a multidisciplinary team to perform the PHA and LOPA; this team included personnel
from PetroMonagas who are familiar with the design, operation, and maintenance of the
process and a facilitator from SIS-TECH Solutions, LP. The team met between April 27th and
April 29th, 2011. This analysis focused on 13-D-1301A with the expectation that results from
this exercise would be representative for the other three drums (13-D-1301B, 13-D-1302A,
13-D-1302B) in the system.

Note that existing hazards associated with Coke Drum switching and cutting operation were not
evaluated and only hazards associated with the addition of the Delta Valve Top Unheading
Device (TUD)/Bottom Unheading Device (BUD) were considered; for example, the scenario of
feed being introduced into an open drum or cutting water to a tool out of the drum were not
considered.

The team's objectives when performing the PHA and LOPA were to (1) identify hazards that
could lead to consequences of interest and (2) recommend ways for reducing the risks
associated with the identified hazards. For this analysis, consequences of interest include, but are
not limited to, (1) events (e.g., a major uncontrolled emission, fire, or explosion) involving one or
more of the highly hazardous chemicals defined in the Occupational Safety and Health
Administration's (OSHA's) regulation 29 CFR 1910.119 that present serious danger to workers
in the workplace and (2) a major uncontrolled emission, fire, or explosion involving one or more
of the regulated substances defined in the Environmental Protection Agency's (EPA's)
regulation 40 CFR 68 that presents imminent and substantial endangerment to public health
and the environment. In addition, environmental and asset based issues were identified.

OSHA acknowledged ANSI/ISA 84.01 (ISA 84) as important for compliance with the OSHA
process safety management (PSM) regulation, 29 CFR 1910.119, and with the general duty
clause associated with the OSH Act. ANSI/ISA 84.00.01 includes requirements for the
specification, design, implementation, and operation of Protective Instrumented Systems (PIS)
installed to reduce risk from process hazards and/or hazardous events.

The LOPA process is designed as part of the ANSI/ISA 84 requirements to determine risk and
assign risk reduction for hazardous scenarios. The LOPA determines the target Integrity Level
(IL) for the various Protective Instrumented Functions (PIFs) in the facility. This, in turn, impacts
the design of the Protective Instrumented Systems (PIS) and the basic process control system
(BPCS).

The LOPA was utilized to ensure that there are adequate independent layers of protection to
provide the required risk mitigation. While PHA safeguards may reduce risk, LOPA IPLs have
strict rules as to what can be applied to protect personnel, assets and the environment that are
sufficient to mitigate the risks involved with the process. Additionally, the LOPA helps determine
the functionality of the Protective Instrumented System (PIS) involved and its target Integrity
Levels (ILs). It also defined areas where gaps exist in the existing design and documented
recommendations to remedy these.

Note that the Coke Drum Unheading Upgrade Project will not address LOPA Recommendations
6 and 7.

2. Terminology

2.1 Acronyms

BPCS—Basic Process Control System
HAZOP—Hazards and Operability Study
IL—Integrity Level
IPL—Independent Protection Layer
LI—Likelihood Initial
LOPA—Layer Of Protection Analysis
MAWP—Maximum Allowable Working Pressure
MSDS—Material Safety Data Sheet
P&ID—Piping and Instrumentation Diagram
PFD—Process Flow Diagram
PHA—Process Hazards Analysis
PIF—Protective Instrumented Function
PIS—Protective Instrumented System
PRV—Pressure Relief Valve

2.2 Definitions

Independent Protection Layer (IPL)—“An IPL is a device, system, or action that is capable of
preventing a scenario from proceeding to its undesired consequence independent of the
initiating event or the action of any other layer of protection associated with the scenario.”
(Definition from Layer Of Protection Analysis, Simplified Process Risk Assessment, pg. 75.) The
IPL must have demonstrated dependability and independence, be auditable, have access security,
and be covered in the MOC process.

IPL Credit—One order of magnitude risk reduction equals an IPL credit. Each safeguard that
qualifies as an IPL is worth a certain number of IPL credits. This number of IPL credits is
determined by examining the qualifications listed in the LOPA Guidance Tables found in the
Appendices.

Layer Of Protection Analysis (LOPA)—a formal structured risk assessment process to
determine if IPLs are required to prevent and mitigate hazardous events in processes and to
classify IPLs.

Node—A subsection of the process under study designed to organize the PHA into manageable
segments.

Process Hazards Analysis (PHA)— “A hazard evaluation of broad scope that identifies and
qualitatively analyzes the significance of hazardous situations associated with a process or
activity.” (Definition from Layer Of Protection Analysis, Simplified Process Risk Assessment, pg.
261.)

Protective Instrumented Function (PIF)—A function that is implemented by a safety
instrumented system which is intended to achieve or maintain a safe state for the process with
respect to a specific hazardous event. Each PIF should be designed and tested to meet its
target IL.

Protective Instrumented System (PIS)—A system consisting of one or more PIFs. Consists of
sensors, logic solver(s), and final elements.

Integrity Level (IL)—“discrete level (one out of four) for specifying the safety integrity
requirements of the safety instrumented functions to be allocated to the safety instrumented
systems. Safety integrity level 4 has the highest level of safety integrity; safety integrity level 1
has the lowest.” (Definition from ANSI/ISA-84.00.01-2004)

3. Unit Process Description

Coke Drum Unheading Devices.

4. Combined PHA and LOPA Methodology

The combined PHA and LOPA process has been adopted by Total Automation Solutions and
PetroMonagas to save time, money, effort, and attain quality results from the process.

4.1 Process Hazards Analysis Methodology

The process was analyzed using the What-if technique.

The What-if technique is highly dependent on the skill of the PHA team members conducting the
analysis and their expertise with the process and/or process equipment. This method uses
brainstorming with the question of “What-if” to identify potential causes.

4.2 Layer Of Protection Analysis Methodology

The LOPA process involved reviewing the process deviations or undesirable conditions by node
associated with the unit under review. This process was facilitated by integrating it into the PHA
effort. Once the PHA severity was assigned, any scenario which had a severity of three (3) or
higher was included in the LOPA study.

Using the LOPA methodology, the likelihood of the deviation was determined initially without
the identified safeguards via the PHA. The qualified safeguards were applied independently
and individually as potential IPLs in order to determine if PIS with a target IL or other type of IPL
would be required to mitigate any anticipated residual risk. Where IPLs are claimed as risk
reduction credits, the IPL is assumed to meet all the criteria deemed appropriate per the LOPA
guidance tables (See Appendices). Gaps that result in asset-based consequences should be
subjected to cost-benefit analysis of the expected value added by closing these gaps compared
to the estimated investment required of the potential IPL or other design change.

All Instrumented Functions, if required, should be designed to meet their respective target
Integrity Level and to meet plant uptime requirements (i.e. minimize spurious trips on critical
plant equipment caused by safety related instrumentation failures). This may require installing
redundant instrumentation in a 2oo2 configuration (to reduce spurious trips); in a 1oo2
configuration (to meet target IL = availability) or in a 2oo3 configuration (to meet both target IL
and to reduce spurious trips). The individual recommendations did not specify the level of
redundancy required to meet target IL or plant uptime requirements. Redundant configurations
will be determined during the IL verification of each PIF.
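
The trade-off between these voting arrangements can be shown with the simplified average probability of failure on demand and spurious trip rate approximations commonly used for identical redundant channels. The following is an added illustration, not part of the original report; the failure rates, proof test interval and repair time are constructed values, and the approximations neglect common-cause failures, diagnostics and systematic failures.

```python
"""Compare 1oo1, 1oo2, 2oo2 and 2oo3 voting with simplified equations.

Added illustration, not taken from the report. All input values are
constructed. The approximations ignore common-cause failures, diagnostic
coverage and systematic failures, so an actual IL verification will give
less favourable numbers than these.
"""
import math

ARCHITECTURES = ("1oo1", "1oo2", "2oo2", "2oo3")
HOURS_PER_YEAR = 8760


def pfd_avg(arch, lambda_du, test_interval_h):
    """Average probability of failure on demand for identical channels.

    lambda_du       dangerous undetected failure rate of one channel, per hour
    test_interval_h proof test interval, hours
    """
    x = lambda_du * test_interval_h
    formulas = {
        "1oo1": x / 2,        # single channel
        "1oo2": x ** 2 / 3,   # both channels must fail dangerously
        "2oo2": x,            # one dangerous failure defeats the function
        "2oo3": x ** 2,       # any two of the three channels must fail
    }
    return formulas[arch]


def spurious_trip_rate(arch, lambda_s, mttr_h):
    """Spurious trip rate per hour caused by safe failures of the channels.

    lambda_s safe failure rate of one channel, per hour
    mttr_h   mean time to repair a failed channel, hours
    """
    formulas = {
        "1oo1": lambda_s,
        "1oo2": 2 * lambda_s,                # either channel trips the plant
        "2oo2": 2 * lambda_s ** 2 * mttr_h,  # second failure during repair
        "2oo3": 6 * lambda_s ** 2 * mttr_h,  # two of three during repair
    }
    return formulas[arch]


def compare(lambda_du, lambda_s, test_interval_h, mttr_h):
    """Return PFDavg, risk reduction and spurious trips for each voting scheme."""
    rows = {}
    for arch in ARCHITECTURES:
        pfd = pfd_avg(arch, lambda_du, test_interval_h)
        rrf = 1.0 / pfd
        rows[arch] = {
            "pfd_avg": pfd,
            "rrf": rrf,
            # whole orders of magnitude of risk reduction achieved
            "orders_of_magnitude": math.floor(math.log10(rrf)),
            "spurious_trips_per_year":
                spurious_trip_rate(arch, lambda_s, mttr_h) * HOURS_PER_YEAR,
        }
    return rows


# Constructed sample: one transmitter channel, yearly proof test, 8 h repair.
SAMPLE = dict(lambda_du=2e-6, lambda_s=5e-6, test_interval_h=8760, mttr_h=8)

if __name__ == "__main__":
    for arch, row in compare(**SAMPLE).items():
        print(f"{arch}: PFDavg={row['pfd_avg']:.2e}  RRF={row['rrf']:.0f}  "
              f"spurious trips/yr={row['spurious_trips_per_year']:.2e}")
```

With these inputs 2oo2 gives the fewest spurious trips but the least risk reduction, 1oo2 gives the most risk reduction but the most spurious trips, and 2oo3 sits close to the better figure on both counts.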

4.3 PHA/LOPA Step by Step Procedure

The specific steps of the Combined HAZOP (PHA) and LOPA methodology used in this analysis
were:
1. Select node
2. Discuss process and design parameters of the section (Design Conditions/Parameters)
3. Apply the What-If technique.
4. Develop each scenario to its global consequence(s)
5. Identify existing systems and procedures (safeguards)
6. Use the Risk-Ranking Matrix (See Appendices) to qualitatively assess the risk of the
scenario (Severity and Likelihood)
7. If the Severity is three (3) or higher the team must perform a LOPA for this scenario.
8. If a LOPA is required, the Severity is assigned per the LOPA procedure.
9. The LOPA “Typical Initiating Causes and Frequency of Occurrence” table is used to
determine the likelihood of the hazardous event happening without any safeguards.
10. The number of IPLs required to mitigate the hazard will be assigned based upon the
LOPA Required Risk Reduction Factor (See Appendices).
11. Review the existing safeguards and determine if any of them meet the requirement of an
IPL.
12. After all of the IPLs have been identified the total number of “Current IPL Credits” is
entered.
13. If there is an “IPL Credit Gap” the team must make LOPA recommendations to close the
gap.
This process is repeated for each “What-If” and node until the entire process has been analyzed.
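
Steps 6 to 13 amount to a small bookkeeping calculation, sketched below as an added example that is not part of the original report. The risk-rank matrix is the one in Appendix F and the credit values follow the wording of the Appendix E recommendations; the scenario rankings, the component names and the rule that a safeguard sharing a component with the initiating cause or with an already credited layer earns no credit are assumptions made for illustration.

```python
"""IPL credit bookkeeping for steps 6 to 13 of the PHA/LOPA procedure.

Added illustration, not part of the report. Scenario rankings, component
names and the shared-component independence test are constructed.
"""
from dataclasses import dataclass

# PHA risk-rank matrix from Appendix F: severity -> ranks for likelihood 1..4
PHA_RISK_RANK = {5: (3, 4, 5, 5), 4: (2, 3, 4, 5), 3: (1, 2, 3, 4),
                 2: (1, 1, 2, 3), 1: (1, 1, 1, 2)}
LOPA_SEVERITY_THRESHOLD = 3  # step 7: severity 3 or higher goes to LOPA


@dataclass(frozen=True)
class Safeguard:
    name: str
    credits: int           # IPL credits claimed if the layer qualifies
    components: frozenset  # equipment the layer relies on (assumed model)


def pha_risk_rank(severity, likelihood):
    """Step 6: qualitative risk rank from the PHA matrix."""
    return PHA_RISK_RANK[severity][likelihood - 1]


def required_credits(target_rrf):
    """Step 10: one IPL credit equals one order of magnitude of risk reduction."""
    if target_rrf < 1:
        raise ValueError("target RRF must be at least 1")
    credits, rrf = 0, target_rrf
    while rrf > 1:
        if rrf % 10:
            raise ValueError(f"RRF {target_rrf} is not a power of ten")
        rrf //= 10
        credits += 1
    return credits


def assess(severity, likelihood, target_rrf, initiating_components, safeguards):
    """Steps 6 to 13 for one scenario; returns the credit gap and its basis."""
    result = {"pha_risk_rank": pha_risk_rank(severity, likelihood),
              "lopa_required": severity >= LOPA_SEVERITY_THRESHOLD}
    if not result["lopa_required"]:
        return result
    used = set(initiating_components)   # nothing here may be relied on again
    credited, rejected, current = [], [], 0
    for sg in safeguards:               # step 11: does each safeguard qualify?
        shared = sg.components & used
        if shared:                      # not independent, so no credit
            rejected.append((sg.name, sorted(shared)))
            continue
        credited.append(sg.name)
        used |= sg.components
        current += sg.credits           # step 12: current IPL credits
    needed = required_credits(target_rrf)
    result.update(required_credits=needed, current_credits=current,
                  credit_gap=max(0, needed - current),  # step 13
                  credited=credited, rejected=rejected)
    return result


# Constructed sample data. Final elements are not modelled.
INITIATING = frozenset({"operator action"})
TUD_PERMISSIVE = Safeguard("TUD position permissive to open BUD (BPCS)", 1,
                           frozenset({"TUD position switch", "BPCS controller"}))
VENT_SHARED = Safeguard("Vent valve permissive on the same BPCS controller", 1,
                        frozenset({"vent valve position switch", "BPCS controller"}))
VENT_INDEPENDENT = Safeguard("Vent valve permissive on separate hardware", 1,
                             frozenset({"vent valve position switch", "hardwired relay"}))
SIS_2OO3 = Safeguard("Low pressure SIS interlock, transmitters voting 2oo3", 3,
                     frozenset({"PT-A", "PT-B", "PT-C", "SIS logic solver"}))

if __name__ == "__main__":
    before = assess(4, 2, 10000, INITIATING, [TUD_PERMISSIVE, VENT_SHARED])
    after = assess(4, 2, 10000, INITIATING,
                   [TUD_PERMISSIVE, VENT_INDEPENDENT, SIS_2OO3])
    print("shared controller:", before)
    print("independent layers:", after)
```

In the first call the vent valve permissive is rejected because it shares the BPCS controller with the TUD position permissive, which leaves a gap of three credits against a target RRF of 10,000.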

5. Sections Studied

For the purposes of this review, the What-If methodology was applied to the sections (called
nodes). A list of nodes reviewed is included in the Appendices. The PHA worksheets that
document the review of these nodes are included in the Appendices.

6. Compliance with OSHA Process Safety Management and EPA RMP Requirements

This PHA study complies with the process hazards analysis requirements of the Occupational
Safety and Health Administration's rule "Process Safety Management of Highly Hazardous
Chemicals" [29 CFR 1910.119(e)] and the Environmental Protection Agency's "Risk
Management Program" rule [40 CFR Part 68] as follows:

6.1 Hazards of the Process

The process was analyzed using any one or a combination of the Guideword HAZOP technique,
What-if technique or What-if/Checklist technique. These techniques are recognized by OSHA
as acceptable methods of evaluating process hazards. The American Petroleum Institute
(API RP-750) and the American Institute of Chemical Engineers (Hazard Evaluation
Procedures, 2nd Edition, Center for Chemical Process Safety of the American Institute of
Chemical Engineers) also recognize the value of these techniques in analyzing processes for
hazards.

However, these techniques may not document all the general safety issues that affect the health
and safety of the workplace employee and may not address all possible hazardous scenarios.

6.2 Identification of Previous Incidents Which Had a Potential for Catastrophic Consequences

The PHA team included personnel with experience operating the process. These team
members recounted, for the benefit of the other team members, details of previous incidents for
similar processes so that the team members could make appropriate suggestions for
improvement to prevent recurrence of the events.

6.3 Engineering and Administrative Controls and the Consequences of Failure of Administrative and Engineering Controls

When determining the consequences of a given event, the PHA team assumed that existing
protection systems would fail to work (e.g., operators are not trained, procedures are not
followed, alarms and other safeguards are not tested and, as a result, may not provide
adequate warning or protection). This technique allowed the team to evaluate the
consequences of a particular event. The PHA team then evaluated each control or safeguard
individually to determine if it is viable and can be claimed as a legitimate safeguard. Adequacy
of procedures and training was reviewed. Maintenance and experience were considered, as
well as alarm and shutdown testing programs. Only those safeguards that the team determined
to be truly effective for risk reduction. The team then determined if additional controls or
safeguards should be considered.

6.4 Qualitative Evaluation...of the Possible Safety and Health Effects of Failure of
Controls on Employees in the Workplace and Including Potential Off-site
Consequence

Throughout the PHA study, the PHA team performed a qualitative evaluation of a failure of
controls, and the judgment of the team is reflected in the Risk-Ranking columns of the various
worksheets. To support management’s objective of prioritizing issues arising from the PHA, the
team used the Risk Matrix to aid in determining if a recommendation was justified based upon
the developed consequences and identified safeguards. After the consequences and
safeguards were developed, the scenario was evaluated based on 1) how severe the potential
consequences were assuming no safeguards were in place (Consequence), and 2) how
probable it was that the scenario would fully develop to those consequences given the identified
safeguards (Likelihood). The ranked severity of the consequences and likelihood that the
postulated consequences would occur were combined using the Risk Matrix to provide a
qualitative risk-ranking. Each developed cause/consequence scenario was ranked for severity,
likelihood, and risk.

6.5 Facility Siting

The PHA team primarily addressed facility siting by qualitatively identifying types and
magnitudes of releases that impact people in the workplace and/or the community.

In determining the consequences of these releases, the PHA team considered the location of
the release point(s), the impact on nearby equipment and/or facilities, and the primary or
secondary effects that may occur as a result of siting. For example, in evaluating the potential
consequence of a hydrocarbon release, siting considerations include degree of confinement in
the release area, locations of control rooms, prevalent wind direction, and locations of furnaces
or other ignition sources. Toxic releases include similar considerations.

6.6 Human Factors

The PHA team addressed human factors by:

- Considering potential human errors as causes of “What-If” scenarios

- Considering whether operators will have adequate time, information, equipment/controls,
  and training/procedures to contribute effectively to reducing the likelihood of catastrophic
  releases or mitigating their consequences should they occur. Design or procedural
  features that impact human performance, such as equipment accessibility, labeling,
  clarity of procedures, simultaneous activities, and operator fatigue, were also weighed
  into the final evaluation of risk for those events of concern to which they apply. Specific
  discussions on human factors considerations are documented throughout the PHA
  worksheets.

6.7 Process Hazards Analysis Team

The PHA team consisted of persons with expertise in engineering, operations, and
maintenance. Team members lacking experience in the PHA/LOPA methods were provided
with an overview of the technique prior to beginning the study. A team list is included in the
Appendices.

7. Priority Rankings

The PHA team members used the Risk Ranking method to qualitatively assess the risk
associated with each significant cause/consequence scenario. This Matrix is included in the
Appendices.

After the consequences and safeguards are developed, the scenario is evaluated based on how
serious the potential consequences are (consequences), and how probable it is that the
scenario might fully develop to those consequences (likelihood). The severity ranking (Level 1 to
Level 5, with Level 5 representing the most severe consequences) and likelihood ranking
(Category A to Category E, with Category A representing the highest likelihood of occurrence)
are combined using the risk-ranking matrix to provide a qualitative risk ranking (1 to 5). Each
developed cause/consequence scenario was qualitatively assigned a severity, likelihood, and
risk ranking.

The study team categorized each cause/consequence scenario by noting the area of concern in
the "Severity Category" column in LOPA. The Appendices show these categories.

In some cases, the PHA team may develop a recommendation to improve the safety or
operability of the unit without fully developing a cause/consequence scenario. This typically
occurs when the severity or likelihood of the consequences is difficult to predict.

8. Appendices

Appendix A - List of Participants

First Name   Last Name    Company          Technical Area
ENVER        ARANGUREN    PETROMONAGAS     PROJECT MECHANICAL ENGINEER
JOSE         COLINA       PETROMONAGAS     COOR CONSTR
PABLO        GONZALEZ     CURTISS-WRIGHT   PROJECT SPONSOR
MIKE         KNOWLES      FLUOR            PROJECT MANAGER
JASON        LOGAN        SIS-TECH         FACILITATOR
LUIMAR       MARTINEZ     PETROMONAGAS     SIAHO
ALOHA        PARADA       PETROMONAGAS     AIT
JESUS R.     PERAZA       PETROMONAGAS     PROCESS ENGINEER
CESAR        RIVAS        PETROMONAGAS     TECHNICAL
ESTEBAN      VASQUEZ      PETROMONAGAS     AIT
NOEL         COLINA       PETROMONAGAS     Operations

Appendix B - Nodes Studied
Node 1: Top Unheading Device (TUD)
Node 2: Bottom Unheading Device (BUD)
Node 3: Steam and cooling water supply to Top Unheading Device (TUD)
Node 4: Steam and cooling water supply to Bottom Unheading Device (BUD)

Appendix C - PHA Recommendation Tables

The team made no PHA recommendations.

Appendix D - LOPA Claimed IPL Tables
This section provides a list of those items claimed as existing layers of protection during the study.
These items were used in various scenarios throughout the study and should be reviewed by the
appropriate parties to ensure their suitability.

Lock pin is procedurally moved from the locked closed position and is located so that the operator will
note that the drum is hot and will not proceed with unheading (Other)

Lock pin is procedurally moved from the locked open position and is located so that the operator will
note that the cutting tool is still in the drum and will not proceed with unheading (Other)

TUD position permissive to open BUD (BPCS)

Appendix E - LOPA Recommendation Table

The following table provides listings of recommendations that the team felt could be
implemented to close the risk gaps found in the study. These recommendations should be
reviewed by the appropriate parties to ensure that they are workable solutions.

Note that gaps that are based on safety and/or environmental consequences must be
addressed; gaps that exist based only on the asset severity should be subjected to cost-benefit
analysis of the existing design versus the most cost-effective design modification that closes the
gap.

Each entry lists the Recommendation, the Target RRF, and the Place(s) Used.

1. Consider ensuring isolation valve position interlock permissive to open TUD provides one
   BPCS IPL credit
   Target RRF: 10
   Place(s) Used: LOPA Hazard Scenario Description: 1.1.1.1, 1.1.2.1, 1.1.3.1

2. Consider ensuring TI-13888, TI-13879 and PI-13016 permissive to open TUD provides two
   IPL credits
   Target RRF: 100
   Place(s) Used: LOPA Hazard Scenario Description: 1.1.1.1, 1.1.2.1, 1.1.3.1, 1.1.4.1

3. Consider ensuring decoking system cutting tool position permissive to close TUD provides
   two IPL credits pending cost-benefit analysis
   Target RRF: 100
   Place(s) Used: LOPA Hazard Scenario Description: 1.1.6.1

4. Consider ensuring isolation valve position interlock permissive to open BUD provides one
   BPCS IPL credit
   Target RRF: 10
   Place(s) Used: LOPA Hazard Scenario Description: 2.1.1.1, 2.1.2.1, 2.1.3.1

5. Consider ensuring TI-13888, TI-13879 and PI-13016 permissive to open BUD provides two
   IPL credits
   Target RRF: 100
   Place(s) Used: LOPA Hazard Scenario Description: 2.1.1.1, 2.1.2.1, 2.1.3.1, 2.1.4.1

6. Consider evaluating whether the design pressure (vacuum) of the drum prevents this scenario
   Target RRF: (none listed)
   Place(s) Used: LOPA Hazard Scenario Description: 2.1.5.1

7. Consider installing a low pressure SIS interlock (that includes all three pressure
   transmitters on the drum voting 2-out-of-3) permissive to open BUD that provides three IPL
   credits and install a vent valve position permissive to open BUD that provides one IPL
   pending cost-benefit analysis. Note that this vent valve permissive to open BUD must be fully
   independent of the TUD position permissive to open BUD in order to be credited.
   Target RRF: 10000
   Place(s) Used: LOPA Hazard Scenario Description: 2.1.5.1

Appendix F - PHA Risk Matrix

PHA Consequence Severity Rankings

Ranking 5
  Safety: Multiple fatalities across a facility and/or Injuries or fatalities to the public
  Environmental: Catastrophic off-site environmental damage with long-term containment and clean-up
  Asset: Expectant loss greater than $10,000,000 and/or Substantial damage to buildings located off-site

Ranking 4
  Safety: Hospitalization of three or more personnel (e.g., serious burns, broken bones) and/or One or more fatalities within a unit or local area and/or Injuries to the public
  Environmental: Significant off-site environmental damage (e.g., substantial harm to wildlife) with prolonged containment and clean-up
  Asset: Expectant loss between $1,000,000 and $10,000,000 and/or Extended downtime with significant impact to the facility operation and/or Minor damage (e.g., broken windows) to buildings located off-site

Ranking 3
  Safety: Hospitalization injury (e.g., serious burns, broken bones) and/or Multiple lost work day injuries and/or Injury to the public
  Environmental: On-site release requiring containment and clean-up and/or Off-site release causing environmental damage with quick clean-up
  Asset: Expectant loss between $100,000 and $1,000,000 and/or Downtime of several days severely impacting the facility operation

Ranking 2
  Safety: Lost work day injury and/or recordable injuries (e.g., skin rashes, cuts, burns) and/or Minor impact to public
  Environmental: On-site release requiring containment and clean-up by emergency personnel and/or Off-site release (e.g., odor) but no environmental damage
  Asset: Expectant loss between $10,000 and $100,000 and/or Downtime of more than a day causing impact to facility operation and/or Reportable quantity event

Ranking 1
  Safety: Recordable injury and/or No impact to the public
  Environmental: On-site release requiring containment and clean-up by on-site personnel.
  Asset: Expectant loss of less than $10,000 and/or Downtime of less than a day with minor impact to the facility operation

Ranking 0
  Safety: No injuries
  Environmental: No release
  Asset: No asset loss

LIKELIHOOD   DESCRIPTION
4            Very likely to occur at the facility (>1/10)
3            Likely to occur at the facility once every 10 years (1/10 up to 1/100)
2            May occur once in the life of the facility, expected to occur once per year at a refinery in the USA (1/100 up to 1/1000)
1            Not likely to occur in life of this facility, expected to occur once per year at a refinery somewhere (1/1000 to 1/10000)

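PHA RISK RANK (rows: consequence severity; columns: likelihood)

CONSEQUENCE SEVERITY 5:   3   4   5   5
CONSEQUENCE SEVERITY 4:   2   3   4   5
CONSEQUENCE SEVERITY 3:   1   2   3   4
CONSEQUENCE SEVERITY 2:   1   1   2   3
CONSEQUENCE SEVERITY 1:   1   1   1   2
LIKELIHOOD:               1   2   3   4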

PHA RISK RANK   DESCRIPTION
5               Immediate plant management notification made. Immediate action required for determining appropriate mitigation requirements. Should be mitigated with engineering and/or administrative controls to a risk ranking of 2 or less.
4               Timely plant management notification made. Should be mitigated with engineering and/or administrative controls to a risk ranking of 2 or less within a specified time period.
3               Should be mitigated with engineering and/or administrative controls to a risk ranking of 2 or less within a specified time period.
2               Mitigation with engineering and/or administrative controls may be made that reduces risk.
1               No recommendation necessary, acceptable risk.


Appendix G - LOPA Matrix

Jose, Venezuela February 21, 2011
Coker Unheading Valve Installation Project Page 25 of 30
Title: IPL Analysis Procedure

Table A-6 Consequence Severity Decision Table

Ranking 5
  Safety: Multiple fatalities across a facility and/or Injuries or fatalities to the public
  Environmental: Catastrophic off-site environmental damage with long-term containment and clean-up
  Asset: Expectant loss greater than $10,000,000 and/or substantial damage to buildings located off-site

Ranking 4
  Safety: Hospitalization of three or more personnel (e.g., serious burns, broken bones) and/or one or more fatalities within a unit or local area and/or Injuries to the public
  Environmental: Significant off-site environmental damage (e.g., substantial harm to wildlife) with prolonged containment and clean-up
  Asset: Expectant loss between $1,000,000 and $10,000,000 and/or extended downtime with significant impact to the facility operation and/or minor damage (e.g., broken windows) to buildings located off-site

Ranking 3
  Safety: Hospitalization injury (e.g., serious burns, broken bones) and/or multiple lost work day injuries and/or Injury to the public
  Environmental: On-site release requiring containment and clean-up and/or off-site release causing environmental damage with quick clean-up
  Asset: Expectant loss between $100,000 and $1,000,000 and/or downtime of several days severely impacting the facility operation

Ranking 2
  Safety: Lost work day injury and/or recordable injuries (e.g., skin rashes, cuts, burns) and/or minor impact to public
  Environmental: On-site release requiring containment and clean-up by emergency personnel and/or off-site release (e.g., odor) but no environmental damage
  Asset: Expectant loss between $10,000 and $100,000 and/or downtime of more than a day causing impact to facility operation and/or reportable quantity event

Ranking 1
  Safety: Recordable injury and/or no impact to the public
  Environmental: On-site release requiring containment and clean-up by on-site personnel.
  Asset: Expectant loss of less than $10,000 and/or downtime of less than a day with minor impact to the facility operation

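Table A-7 Risk Reduction Factor Matrix

REQUIRED RISK REDUCTION FACTOR

| CONSEQUENCE SEVERITY | FREQUENCY 1 in 1 years | 1 in 10 years | 1 in 100 years | 1 in 1,000 years | 1 in 10,000 years |
|---|---|---|---|---|---|
| 5 | 100,000 | 10,000 | 1,000 | 100 | 10 |
| 4 | 10,000 | 1,000 | 100 | 10 | TR |
| 3 | 1,000 | 100 | 10 | TR | TR |
| 2 | 100 | 10 | TR | TR | TR |
| 1 | 10 | TR | TR | TR | TR |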

SIS-TECH Version: 9.0


Appendix H - LOPA Guidance Tables


Table A-2 Typical Initiating Causes and Frequency of Occurrence

| Initiating Cause | Conditions | Frequency(1) (1 in X years) |
|---|---|---|
| Basic Process Control Loop (BPCS) | Complete instrumented loop, including the sensor, controller, and final element. | 10 |
| Pneumatic Control Loop (LOCAL) | Complete instrumented loop, including the sensor, controller, and final element, e.g., a single loop controller. | 10 |
| Pressure Regulator (LOCAL) | Pressure regulator or pressure reducing valve in a clean service under periodic maintenance. | 100 |
| Operator Action (SOP) | Action is performed daily or weekly per procedure. The operator is trained on the required action. | 1 |
| Operator Action (SOP) | Action is performed monthly to quarterly per procedure. The operator is trained on the required action. | 10 |
| Operator Action (SOP) | Action is performed yearly, after turnaround or temporary shutdown per procedure. The operator is trained on the required action. | 100 |
| Operator Action (SOP) | Action is not expected, is not part of any procedure, and would require MOC approval to perform. | 1000 |
| Loss of Supply (OTHER) | Loss of supply from any cause: e.g., pump failure, accidental block in, or primary supply problem. | 10 |
| Loss of Power (OTHER) | Loss of facility power for any cause. | 10 |
| Excess Process Supply (OTHER) | Excess supply from any cause: e.g., process upset or primary supply problem. | 10 |
| Inerts in Process Supply (OTHER) | Clean service – No history of inerts in supply. High quality supply of consistent composition and chemical analysis. | 1000 |
| Inerts in Process Supply (OTHER) | Intermediate service – Some history of inerts in supply. No significant flame instability noted. | 100 |
| Inerts in Process Supply (OTHER) | Dirty service – History of inerts in supply. Flame instability and flame-outs have occurred. | 10 |
| Protective Device (OTHER) | Instrumented protective device spuriously operates, e.g., closure of block valve, pump shutdown, and opening of vent valve. | 10 |
| Relief valve opens early (OTHER) | Opens early propagates to an incident | 100 |
| Mechanical Failures Metallic (OTHER) | No moving parts – no vibration | 1000 |
| Mechanical Failures Metallic (OTHER) | Low vibration | 100 |
| Mechanical Failures Metallic (OTHER) | High vibration | 10 |
| Mechanical Failures Non-metallic (OTHER) | No moving parts – no vibration | 100 |
| Mechanical Failures Non-metallic (OTHER) | Low vibration | 10 |
| Mechanical Failures Non-metallic (OTHER) | High vibration | 1 |
| Mechanical Failures Hoses (OTHER) | No moving parts – no vibration | 100 |
| Mechanical Failures Hoses (OTHER) | Low vibration | 10 |
| Mechanical Failures Hoses (OTHER) | High vibration | 1 |
| Electric driven equipment (OTHER) | Single pump (or blower or compressor) | 10 |
| Electric driven equipment (OTHER) | Two pumps (or blowers or compressors) are available, but only one is on-line. Manual or auto-start is required to bring second one on-line. Use the single pump as the initiating cause. Include the start-up of the second as an IPL. | Not Applicable |
| Electric driven equipment (OTHER) | Two or more pumps (or blowers or compressors). All pumps are on-line and individually provide adequate supply. All pumps are powered by the same power supply. (e.g., one bus). | 10 |
| Electric driven equipment (OTHER) | Two or more pumps (or blowers or compressors). All pumps are on-line and individually provide adequate supply. Pumps are powered by two separate power buses (e.g., two buses). | 100 |
| Other initiating causes (OTHER) | Team must consider the components involved in the initiating cause. | Use experience of personnel or failure rate data |

NOTE 1: The initiating causes listed can be assumed to occur more frequently (e.g., changed from 1 in 100 years to 1 in 10 years) based on process experience. The values cannot be made less frequent without additional justification and approval by process safety. Additional analysis should be submitted as part of the justification. This would include human factors analysis, failure modes and effects analysis (FMEA), event tree analysis or fault tree analysis.


Table A-3 Independent Protection Layers (IPL) and Associated Risk Reduction Factors (RRF) and Probability of Failure on Demand (PFD)

| IPL | Conditions | RRF | PFD(1) |
|---|---|---|---|
| Standard Operating Procedure | An SOP IPL should be supported by procedures, training, testing, and audits, occurring at intervals necessary to achieve the RRF. In all cases, the operator should have sufficient time to recognize the problem, determine the solution, and take action. | | |
| Process Related Rounds and Inspections (SOP) | Frequency of operator rounds must be sufficient to detect the hazard. Operator is trained to recognize and respond to unacceptable out-of-range values. If a specific process variable is being monitored, the operator should record the specific value displayed by devices independent of the initiating cause. | 10 | 0.1 |
| Observational (SOP) | Frequency of operator rounds must be sufficient to detect and respond to the hazardous event. The need to take response must be obvious to operator through normal visual or hearing range, e.g., loud noise, high vibration, serious leaking, etc. | 10 | 0.1 |
| Review (SOP) | Independent inspection/verification and sign-off that required operator action was performed as intended (e.g., valve line-up is confirmed as correct). | 10 | 0.1 |
| Action (SOP) | An operator action that uses a different operator, relying on independent observation. | 10 | 0.1 |
| Corrective Action (SOP) | Propagation is so slow that the operator has sufficient time to gather further information (e.g., laboratory tests, product quality, and material balance) to recognize earlier error and to correct it. | 10 | 0.1 |
| Basic Process Control System (BPCS) | The BPCS IPL should be designed and managed to achieve the RRF. It is typically a control loop whose normal action prevents the scenario. The BPCS IPL must run in automatic mode during all operating phases where the hazard scenario could occur. | 10 | 0.1 |
| Alarm with operator response (ALARM) | The Alarm IPL should be designed and managed to achieve the RRF. Its applicability is based on the amount of time available for action. See Operator Time Restrictions Table for more information. | Table A-4 | Table A-4 |
| Local | The Local IPL should be designed and managed to achieve the RRF. | | |
| Check Valve or similar (LOCAL) | Single check valve | 1 | 1 |
| Check Valve or similar (LOCAL) | Dual check valves in series | 10 | 0.1 |
| Check Valve or similar (LOCAL) | High integrity backflow prevention (e.g., pneumatically assisted check valve or safety check valve) | 10 | 0.1 |
| Mechanical Stop (LOCAL) | Mechanical stop that limits valve travel. | 100 | 0.01 |
| Car Seal (LOCAL) | Car seal must be controlled and tracked. | 100 | 0.01 |
| Pneumatic Control Loop (LOCAL) | A pneumatic control loop consists of the sensor, controller, and final element, e.g., a single loop controller | 10 | 0.1 |
| Dual Pump Seals (LOCAL) | Alarm when either seal fails and action can be taken prior to failure of second seal | 10 | 0.1 |
| Restrictive Orifice (LOCAL) | Clean non-corrosive service | 100 | 0.01 |
| Pressure Regulator (LOCAL) | Periodically inspected and maintained | 100 | 0.01 |
| Continuous Pilots (LOCAL) | Continuous pilots provided from reliable fuel source that is independent from the main burner | 10 | 0.1 |
| Protective Instrumented Systems | The PIS IPL must be designed and managed per good engineering practices. | | |
| IL 1 (PIS) | Integrity Level 1 | 10 | 0.1 |
| IL 2 (PIS) | Integrity Level 2 | 100 | 0.01 |
| IL 3 (PIS) | Integrity Level 3 | 1000 | 0.001 |

NOTE 1: The IPLs listed can be assumed to provide less risk reduction (e.g., changed from RRF = 100 to RRF = 10) based on process experience. The risk reduction cannot be assumed to be better without additional justification and approval by process safety. Additional analysis should be submitted as part of the justification. This would include human factors analysis, failure modes and effects analysis (FMEA), event tree analysis or fault tree analysis.


Table A-4 Operator Time Restrictions with Associated Risk Reduction Factors (RRF) and Probability of Failure on Demand (PFD)

| Time(1)/Location | Conditions(2) | RRF | PFD |
|---|---|---|---|
| Operator response to alarm with <10 minutes response time | The operator has to perform troubleshooting or diagnostics to determine what the appropriate action is. | 1 | 1 |
| Operator response to alarm with ≥10 minutes response time | Operator action is complicated, i.e. large number of alarms generated by initiating cause and the response is not clear or documented. | 1 | 1 |
| Operator response to alarm with 2 to 10 minutes response time | Drilled and practiced response, also known as a “never exceed, never deviate” response. If the alarm is received, the operator must execute the safe state action without delay. Alarm is independent of the BPCS. | 10 | 0.1 |
| Operator response to alarm with ≥10 minutes response time | Operator response does not have to perform troubleshooting or diagnostics to take the action. Alarm may be implemented in the BPCS or independent of the BPCS.(3) | 10 | 0.1 |
| Operator response to alarm with ≥40 minutes response time | Operator response requires minor troubleshooting or diagnostics prior to taking action. Alarm may be implemented in the BPCS or independent of the BPCS.(3) | 10 | 0.1 |
| Operator response to alarm with more than 24 hours response time; assumes multiple operators have an opportunity to detect the alarm(s) and take action | Alarm should be automatically repeated at an interval necessary to ensure that each shift is notified of the process condition. Minor troubleshooting or diagnostics is allowed if needed before taking the action. Alarm is independent of the BPCS. | 100 | 0.01 |

NOTE 1: The operator response time should consider the time it takes to recognize the alarm, to diagnose the
problem, and to complete the required action. This is compared to the process safety time which considers how
rapidly the process moves from the alarm condition to the process hazard.

NOTE 2: The required action is clearly indicated by the alarm, the response is covered by a procedure, and the
operator is trained and tested on the procedure.

NOTE 3: As long as independence from the initiating cause and other IPLs is demonstrated, the choice between
implementing the alarm and its display in the BPCS is influenced by the design of the operator HMI and the importance
of the required operator response. It is important that any operator who needs to recognize and respond to the alarm
condition receive the information in a clear and prioritized manner.


Table A-5 Consequence Mitigation System (CMS) with Associated Risk Reduction Factors (RRF) and Probability of Failure on Demand (PFD)

| CMS | Conditions | RRF | PFD |
|---|---|---|---|
| Pressure Relief Valve (LOCAL) | Clean Service. PRV must be sized to completely mitigate the scenario. | 100 | 0.01 |
| Pressure Relief Valve (LOCAL) | Multiple full-load PRVs and each are sized sufficiently to mitigate scenario. | 1000 | 0.001 |
| Pressure Relief Valve (LOCAL) | Multiple partial-load PRVs are available and sized such that more than one PRV would need to fail for the scenario to occur. | 100 | 0.01 |
| Pressure Relief Valve (LOCAL) | Multiple partial-load PRVs are available, but more than one is required to mitigate the full load. This includes staged release PRVs. | 10 | 0.1 |
| Pressure Relief Valve (LOCAL) | Plugging Service, i.e. prone to plugging, polymerization, deposition, or has a history of failure to operate properly when tested. An unprotected PRV used in a plugging service is not considered sufficient for consideration as an IPL. | 1 | 1 |
| Pressure Relief Valve (LOCAL) | Plugging Service, but the design and management of the PRV has been shown to be sufficient for ensuring its RRF. The design is based on prior history in similar services and may include the use of specially designed PRVs, inlet header purges, and close coupled rupture disks. If pluggage is due to polymerization occurring during vessel venting, these special designs should not be considered. | 100 | 0.01 |
| Vessel Rupture Disk (LOCAL) | Must be designed to mitigate scenario. | 100 | 0.01 |
| Flame Arrester (LOCAL) | Designed for the hazard (deflagration or detonation) and inspected periodically | 100 | 0.01 |
| Vacuum Breaker (LOCAL) | Design for the hazard and inspected periodically | 100 | 0.01 |
| Blowout Panels (LOCAL) | Must be designed to mitigate scenario. | 100 | 0.01 |
| Overflow Line (LOCAL) | Overflow line is designed to discharge to a safe location and is sized to address the hazard scenario. Any valves in line must be administratively controlled to ensure the CMS is available when needed. | 100 | 0.01 |
| Fire Detection with Water Deluge System (FDS) | Operator initiated response. The RRF is based on operator alarm and response criteria, as listed in Operator Time Restrictions Table. | Table A-4 | Table A-4 |
| Fire Detection with Water Deluge System (FDS) | Using fire or smoke detectors to automatically activate a system designed to prevent or control a fire. For example wet pipe or dry pipe systems with fusible links, deluge systems or water curtains applying water, foam, Halon, or chemical fire suppressants. | 10 | 0.1 |
| Gas Monitors with Automated Deluge (GDS) | Operator initiated response. The RRF is based on operator alarm and response criteria, as listed in Operator Time Restrictions Table. | Table A-4 | Table A-4 |
| Gas Monitors with Automated Deluge (GDS) | Using mist, vapor, or other detectors to automatically activate a system designed to “knock down” a chemical mist or vapor release, or to ventilate a building, prior to ignition of the release. For example, a deluge system or emergency ventilation system. | 10 | 0.1 |
| Administrative Access Control | Clearly defined, understood and trained administrative control that restricts access to unsafe areas. Restricted access must be strictly enforced during any operating phase where the hazard scenario exists. There must be a high expectation that access is restricted. Notification includes signs, flashing lights, audio signals and/or other means to alert personnel that hazardous conditions are present or may be present. | 10 | 0.1 |
| Special Personnel Protective Equipment | Special personnel protective equipment that is not normally worn by operation or maintenance personnel, but is part of an established procedure. This PPE would include wire mesh gloves, fire suits, respirators, self-contained breathing apparatus, etc. The user of the equipment must be trained in the use of the PPE. | 10 | 0.1 |



Appendix I - PHA Worksheets

The following worksheets contain the results of the PHA.

2. PHA Worksheet
4/27/2011
Node Name: 1. Top Unheading Device (TUD)
Types: What If
Drawing: 13-62-D108 Rev 9; 13-62-D109 Rev 7; 13-62-D110 Rev 10

| What-if | Cause | Consequence | Consq Rank: Cat | Consq Rank: S | Safeguards | Risk Ranking: L | Risk Ranking: RR | Recommendations (PHA) |
|---|---|---|---|---|---|---|---|---|
| 1. What If | 1. TUD is opened during backwarm | 1. Loss of hydrocarbon containment at top of drum and fire (LOPA Consequence1.1.1.1) | S | 4 | 1. TI-13888, TI-13879 and PI-13016 permissive to open TUD; 2. Isolation valve position interlock permissive to open TUD; 3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading; 4. Operating procedures | E | TR | |
| | | | E | 2 | | E | TR | |
| | | | A | 4 | | E | TR | |
| | 2. TUD is opened during feeding/coking | 1. Loss of hydrocarbon containment at top of drum and fire (LOPA Consequence1.1.2.1) | S | 4 | 1. TI-13888, TI-13879 and PI-13016 permissive to open TUD; 2. Isolation valve position interlock permissive to open TUD; 3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading; 4. Operating procedures | E | TR | |
| | | | E | 2 | | E | TR | |
| | | | A | 4 | | E | TR | |
| | 3. TUD is opened during stripping | 1. Loss of hydrocarbon containment at top of drum and fire (LOPA Consequence1.1.3.1) | S | 4 | 1. TI-13888, TI-13879 and PI-13016 permissive to open TUD; 2. Isolation valve position interlock permissive to open TUD; 3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading; 4. Operating procedures | E | TR | |
| | | | E | 2 | | E | TR | |
| | | | A | 4 | | E | TR | |
| | 4. TUD is opened during quenching | 1. Loss of steam containment at top of drum (LOPA Consequence1.1.4.1) | S | 3 | 1. TI-13888, TI-13879 and PI-13016 permissive to open TUD; 2. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading; 3. Operating procedures | E | TR | |
| | | | E | 2 | | E | TR | |
| | | | A | 1 | | E | TR | |
| | 5. TUD is opened before venting | 1. Loss of steam containment at top of drum | S | 2 | 1. TI-13888, TI-13879 and PI-13016 permissive to open TUD; 2. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading; 3. Operating procedures | E | TR | |
| | | | A | 1 | | E | TR | |
| | 6. TUD is closed while cutting tool is still in drum | 1. Mechanical damage to TUD and cutting tool (LOPA Consequence1.1.6.1) | A | 3 | 1. Decoking system cutting tool position permissive to close TUD; 2. Lock pin is procedurally moved from the locked open position is located so operator will note that cutting tool is still in drum and will not proceed with unheading; 3. Operating procedures | E | TR | |
| | 7. TUD is closed while draining | 1. No significant consequences | | | | | | |
| | 8. TUD is open during steam purge | 1. Loss of steam containment at top of drum | S | 2 | 1. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading; 2. Operating procedures | D | TR | |
| | | | A | 1 | | D | TR | |

4/27/2011
Node Name: 2. Bottom Unheading Device (BUD)
Types: What If
Drawing: 13-62-D108 Rev 9; 13-62-D109 Rev 7; 13-62-D110 Rev 10

| What-if | Cause | Consequence | Consq Rank: Cat | Consq Rank: S | Safeguards | Risk Ranking: L | Risk Ranking: RR | Recommendations (PHA) |
|---|---|---|---|---|---|---|---|---|
| 1. What If | 1. BUD is opened during backwarm | 1. Loss of hydrocarbon containment at bottom of drum and fire (LOPA Consequence2.1.1.1) | S | 4 | 1. TI-13888, TI-13879 and PI-13016 permissive to open BUD; 2. Isolation valve position interlock permissive to open BUD; 3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading; 4. Operating procedures | E | TR | |
| | | | E | 2 | | E | TR | |
| | | | A | 4 | | E | TR | |
| | 2. BUD is opened during feeding/coking | 1. Loss of hydrocarbon containment at bottom of drum and fire (LOPA Consequence2.1.2.1) | S | 4 | 1. TI-13888, TI-13879 and PI-13016 permissive to open BUD; 2. Isolation valve position interlock permissive to open BUD; 3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading; 4. Operating procedures | E | TR | |
| | | | E | 2 | | E | TR | |
| | | | A | 4 | | E | TR | |
| | 3. BUD is opened during stripping | 1. Loss of hydrocarbon containment at bottom of drum and fire (LOPA Consequence2.1.3.1) | S | 4 | 1. TI-13888, TI-13879 and PI-13016 permissive to open BUD; 2. Isolation valve position interlock permissive to open BUD; 3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading; 4. Operating procedures | E | TR | |
| | | | E | 2 | | E | TR | |
| | | | A | 4 | | E | TR | |
| | 4. BUD is opened during quenching | 1. Loss of steam containment at bottom of drum (LOPA Consequence2.1.4.1) | S | 3 | 1. TI-13888, TI-13879 and PI-13016 permissive to open BUD; 2. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading; 3. Operating procedures | E | TR | |
| | | | E | 1 | | E | TR | |
| | 5. BUD is opened before TUD is opened and before vent is open | 1. Loss of water containment at bottom of drum | S | 2 | 1. PI-13016 permissive to open BUD; 2. TUD position permissive to open BUD; 3. Operating procedures | D | TR | |
| | | | E | 1 | | D | TR | |
| | | 2. Vacuum on drum, mechanical damage (LOPA Consequence2.1.5.1) | S | 1 | 1. PI-13016 permissive to open BUD; 2. TUD position permissive to open BUD; 3. Operating procedures | D | TR | |
| | | | A | 5 | | D | 3 | |
| | 6. BUD is closed during cutting operation | 1. No significant consequences | | | | | | |
| | 7. BUD is open during steam purge | 1. No significant consequences | | | | | | |

Node Name: 3. Steam and cooling water supply to Top Unheading Device (TUD)
Types:
Drawing: 13-62-D108 Rev 9; 13-62-D110 Rev 10

| What-if | Cause | Consequence | Consq Rank: Cat | Consq Rank: S | Safeguards | Risk Ranking: L | Risk Ranking: RR | Recommendations (PHA) |
|---|---|---|---|---|---|---|---|---|
| 1. What If | 1. Loss of steam supply to TUD | 1. Long-term wear to TUD valve disk, no significant consequences | | | | | | |
| | 2. Loss of cooling water supply to TUD | 1. Cylinder damage, hydraulic fluid leak | A | 2 | 1. High cooling water temperature alarm | D | TR | |

Node Name: 4. Steam and cooling water supply to Bottom Unheading Device (BUD)
Types:
Drawing: 13-62-D108 Rev 9; 13-62-D110 Rev 10

| What-if | Cause | Consequence | Consq Rank: Cat | Consq Rank: S | Safeguards | Risk Ranking: L | Risk Ranking: RR | Recommendations (PHA) |
|---|---|---|---|---|---|---|---|---|
| 1. What If | 1. Loss of steam supply to BUD | 1. Long-term wear to TUD valve disk and resid/coke to bonnets | A | 2 | 1. Low steam flow/differential pressure alarms | D | TR | |
| | 2. Loss of cooling water supply to BUD | 1. Cylinder damage, hydraulic fluid leak | A | 2 | 1. High cooling water temperature alarm | D | TR | |

Appendix J - LOPA Worksheets

The following worksheets contain the results of the LOPA.

4. LOPA Worksheet
Node Name: 1. Top Unheading Device (TUD)
What-if: 1. What If

Scenario: What If Consequence1.1.1.1
Consequence: 1. Loss of hydrocarbon containment at top of drum and fire
Initiating cause: 1. TUD is opened during backwarm (Type: SOP; Freq: 1; Overall Freq: 1)
Safeguards (Non-IPL):
  1. TI-13888, TI-13879 and PI-13016 permissive to open TUD
  2. Isolation valve position interlock permissive to open TUD
  3. Operating procedures
IPLs:
  2. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading (Type: OTHER; RRF: 10)
Total IPL RRF: 10
Total RRF (IPL+CMS): 10

| Conseq Cat | S | RRF Req'd | RRF Gap |
|---|---|---|---|
| S | 4 | 10000 | 1000 |
| E | 2 | 100 | 10 |
| A | 4 | 10000 | 1000 |

Recommendations (LOPA):
  1. Consider ensuring isolation valve position interlock permissive to open TUD provides one BPCS IPL credit (Target RRF: 10)
  2. Consider ensuring TI-13888, TI-13879 and PI-13016 permissive to open TUD provides two IPL credits (Target RRF: 100)

Scenario: What If Consequence1.1.2.1
Consequence: 1. Loss of hydrocarbon containment at top of drum and fire
Initiating cause: 1. TUD is opened during feeding/coking (Type: SOP; Freq: 1; Overall Freq: 1)
Safeguards (Non-IPL):
  1. TI-13888, TI-13879 and PI-13016 permissive to open TUD
  2. Isolation valve position interlock permissive to open TUD
  3. Operating procedures
IPLs:
  3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading (Type: OTHER; RRF: 10)
Total IPL RRF: 10
Total RRF (IPL+CMS): 10

| Conseq Cat | S | RRF Req'd | RRF Gap |
|---|---|---|---|
| S | 4 | 10000 | 1000 |
| E | 2 | 100 | 10 |
| A | 4 | 10000 | 1000 |

Recommendations (LOPA):
  1. Consider ensuring isolation valve position interlock permissive to open TUD provides one BPCS IPL credit (Target RRF: 10)
  2. Consider ensuring TI-13888, TI-13879 and PI-13016 permissive to open TUD provides two IPL credits (Target RRF: 100)

Scenario: What If Consequence1.1.3.1
Consequence: 1. Loss of hydrocarbon containment at top of drum and fire
Initiating cause: 1. TUD is opened during stripping (Type: SOP; Freq: 1; Overall Freq: 1)
Safeguards (Non-IPL):
  1. TI-13888, TI-13879 and PI-13016 permissive to open TUD
  2. Isolation valve position interlock permissive to open TUD
  3. Operating procedures
IPLs:
  3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading (Type: OTHER; RRF: 10)
Total IPL RRF: 10
Total RRF (IPL+CMS): 10

| Conseq Cat | S | RRF Req'd | RRF Gap |
|---|---|---|---|
| S | 4 | 10000 | 1000 |
| E | 2 | 100 | 10 |
| A | 4 | 10000 | 1000 |

Recommendations (LOPA):
  1. Consider ensuring isolation valve position interlock permissive to open TUD provides one BPCS IPL credit (Target RRF: 10)
  2. Consider ensuring TI-13888, TI-13879 and PI-13016 permissive to open TUD provides two IPL credits (Target RRF: 100)

Scenario: What If Consequence1.1.4.1
Consequence: 1. Loss of steam containment at top of drum
Initiating cause: 1. TUD is opened during quenching (Type: SOP; Freq: 1; Overall Freq: 1)
Safeguards (Non-IPL):
  1. TI-13888, TI-13879 and PI-13016 permissive to open TUD
  2. Operating procedures
IPLs:
  2. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading (Type: OTHER; RRF: 10)
Total IPL RRF: 10
Total RRF (IPL+CMS): 10

| Conseq Cat | S | RRF Req'd | RRF Gap |
|---|---|---|---|
| S | 3 | 1000 | 100 |
| E | 2 | 100 | 10 |
| A | 1 | 10 | TR |

Recommendations (LOPA):
  2. Consider ensuring TI-13888, TI-13879 and PI-13016 permissive to open TUD provides two IPL credits (Target RRF: 100)

Scenario: What If Consequence1.1.6.1
Consequence: 1. Mechanical damage to TUD and cutting tool
Initiating cause: 1. TUD is closed while cutting tool is still in drum (Type: SOP; Freq: 1; Overall Freq: 1)
Safeguards (Non-IPL):
  1. Decoking system cutting tool position permissive to close TUD
  2. Operating procedures
IPLs:
  2. Lock pin is procedurally moved from the locked open position is located so operator will note that cutting tool is still in drum and will not proceed with unheading (Type: OTHER; RRF: 10)
Total IPL RRF: 10
Total RRF (IPL+CMS): 10

| Conseq Cat | S | RRF Req'd | RRF Gap |
|---|---|---|---|
| A | 3 | 1000 | 100 |

Recommendations (LOPA):
  3. Consider ensuring decoking system cutting tool position permissive to close TUD provides two IPL credits pending cost-benefit analysis (Target RRF: 100)

Node Name: 2. Bottom Unheading Device (BUD)


Determine Scenario Risk
Determine CMS Risk Gap
Assess Conseq Severity and RRF Evaluate Initiating Event Frequency Identify IPLs and RRF Gap Recommendations (LOPA)
Identify CMS and RRF
What-if CMS Total Total RRF
CMS RRF Scenario
RRF Overall Safeguards CMS Conseq Cat S RRF IPL (IPL+CMS Target
Conseq Cat S Initiating Causes Type Freq IPLs Type RR RRF Gap RQ'D RRF Gap Recommendation
RQ'D Freq (Non-IPL) CMS Type RRF Req'd RRF ) RRF
1. What If 1. Loss of hydrocarbon S 4 10000 1. BUD is opened SOP 1 1 1. TI-13888, TI- 3. Lock pin is procedurally OTH 10 10 10000 10 1000 4. Consider ensuring 10
containment at bottom during backwarm 13879 and moved from the locked ER isolation valve
of drum and fire E 2 100 PI-13016 closed position is located so 100 10 position interlock
What If A 4 10000 permissive to operator will note that drum 10000 1000 permissive to
Consequence2.1.1.1 open BUD is hot and will not proceed open BUD
with unheading provides one
2. Isolation BPCS IPL credit
valve position
interlock 5. Consider ensuring 100
permissive to TI-13888, TI-
open BUD 13879 and PI-
13016 permissive
3. Operating to open BUD
procedures provides two IPL
credits
1. Loss of hydrocarbon S 4 10000 1. BUD is opened SOP 1 1 1. TI-13888, TI- 3. Lock pin is procedurally OTH 10 10 10000 10 1000 4. Consider ensuring 10
containment at bottom during 13879 and moved from the locked ER isolation valve
of drum and fire E 2 100 feeding/coking PI-13016 closed position is located so 100 10 position interlock
What If A 4 10000 permissive to operator will note that drum 10000 1000 permissive to
Consequence2.1.2.1 open BUD is hot and will not proceed open BUD
with unheading provides one
2. Isolation BPCS IPL credit
valve position
interlock 5. Consider ensuring 100
permissive to TI-13888, TI-
open BUD 13879 and PI-
13016 permissive
3. Operating to open BUD
procedures provides two IPL
credits
1. Loss of hydrocarbon S 4 10000 1. BUD is opened SOP 1 1 1. TI-13888, TI- 3. Lock pin is procedurally OTH 10 10 10000 10 1000 4. Consider ensuring 10
containment at bottom during stripping 13879 and moved from the locked ER isolation valve
of drum and fire E 2 100 PI-13016 closed position is located so 100 10 position interlock
What If A 4 10000 permissive to operator will note that drum 10000 1000 permissive to
Consequence2.1.3.1 open BUD is hot and will not proceed open BUD
with unheading provides one
2. Isolation BPCS IPL credit
valve position
interlock 5. Consider ensuring 100
permissive to TI-13888, TI-
open BUD 13879 and PI-
13016 permissive
3. Operating to open BUD
procedures provides two IPL
credits
1. Loss of steam S 3 1000 1. BUD is opened SOP 1 1 1. TI-13888, TI- 2. Lock pin is procedurally OTH 10 10 1000 10 100 5. Consider ensuring 100
containment at bottom during quenching 13879 and moved from the locked ER TI-13888, TI-
of drum E 1 10 PI-13016 closed position is located so 10 TR 13879 and PI-
What If permissive to operator will note that drum 13016 permissive
Consequence2.1.4.1 open BUD is hot and will not proceed to open BUD
with unheading provides two IPL
2. Operating credits
procedures
Node Name: 2. Bottom Unheading Device (BUD)
Determine Scenario Risk
Determine CMS Risk Gap
Assess Conseq Severity and RRF Evaluate Initiating Event Frequency Identify IPLs and RRF Gap Recommendations (LOPA)
Identify CMS and RRF
What-if CMS Total Total RRF
CMS RRF Scenario
RRF Overall Safeguards CMS Conseq Cat S RRF IPL (IPL+CMS Target
Conseq Cat S Initiating Causes Type Freq IPLs Type RR RRF Gap RQ'D RRF Gap Recommendation
RQ'D Freq (Non-IPL) CMS Type RRF Req'd RRF ) RRF
What If Consequence 2.1.5.2
Conseq: 1. Vacuum on drum, mechanical damage
Cat / S / RRF Req'd: S / 1 / 10; A / 5 / 100000
Initiating Causes: 1. BUD is opened before TUD is opened and before vent is open (Type: SOP; Freq: 1; Overall Freq: 1)
Safeguards (Non-IPL):
1. PI-13016 permissive to open BUD
2. Operating procedures
3. TUD position permissive to open BUD
CMS: 2. TUD position permissive to open BUD (CMS Type: BPCS; CMS RRF: 10; Total CMS RRF: 10)
Determine Scenario Risk Gap:
S: RRF Req'd 10; Total RRF (IPL+CMS) 10; RRF Gap TR
A: RRF Req'd 100000; RRF Gap 10000
Recommendations (LOPA):
6. Consider evaluating whether the design pressure (vacuum) of the drum prevents this scenario
7. Consider installing a low pressure SIS interlock (that includes all three pressure transmitters on the drum voting 2-out-of-3) permissive to open BUD that provides three IPL credits and install a vent valve position permissive to open BUD that provides one IPL pending cost-benefit analysis. Note that this vent valve permissive to open BUD must be fully independent of the TUD position permissive to open BUD in order to be credited. (Target RRF: 10000)

Node Name: 3. Steam and cooling water supply to Top Unheading Device (TUD)

Node Name: 4. Steam and cooling water supply to Bottom Unheading Device (BUD)
Appendix K - P&IDs

Drawing Place(s) Used


13-62-D108 Rev 9 Nodes: 1, 2, 3, 4
13-62-D109 Rev 7 Nodes: 1, 2
13-62-D110 Rev 10 Nodes: 1, 2, 3, 4

Total Automation Solutions Date: June, 2011 SIS-TECH Solutions,LP


PetroMonagas Unit 13 Coke Drum Unheading Upgrade Project #: 11S-057
