LAYER OF PROTECTION ANALYSIS
A Risk…
Protesha Sinergy – Copyright 2010
Risk Analysis
Risk Analysis Cycle (flowchart):
System Description -> Hazard Identification -> Scenario Identification -> Accident Consequences / Accident Probability -> Risk Determination -> Risk and/or Hazard Acceptance?
  NO: Modify Design (and return to System Description)
  YES: Build and/or Operate System
Risk Analysis Flow
Risk Analysis Milestones: Scenario-Based / Non-Scenario-Based
Hazard Scenario
Refer to the reactor system shown (figure, not reproduced: reactor with cooling coils, monomer feed, cooling water in, cooling water to sewer, and a TC thermocouple).
The reaction is exothermic. A cooling system is provided to remove the excess energy of reaction. In the event of cooling function is lost, the temperature of reactor would increase. This would lead to an increase in reaction rate leading to additional energy release. The result could be a runaway reaction with pressures exceeding the bursting pressure of the reactor. The temperature within the reactor is measured and is used to control the cooling water flow rate by a valve.
HAZOP for the Hazard Scenario
Guide Word | Deviation | Causes | Consequences | Action
NO | No cooling | Cooling water valve malfunction | Temperature increase in reactor | Install high temperature alarm (TAH)
REVERSE | Reverse cooling flow | Failure of water source resulting in backward flow | Less cooling, possible runaway reaction | Install check valve
MORE | More cooling flow | Control valve failure, operator fails to take action on alarm | Too much cooling, reactor cool | Instruct operators on procedures
AS WELL AS | Reactor product in coils | More pressure in reactor | Off-spec product | Check maintenance procedures and schedules
OTHER THAN | Another material besides cooling water | Water source contaminated | May be cooling ineffective and effect on the reaction | If less cooling, TAH will detect. If detected, isolate water source. Back up water source?
Analysis in LOPA
Definition
A simplified form of risk assessment which uses order of magnitude categories for initiating event frequency, consequence severity, and the likelihood of failure of independent protection layers (IPLs) to approximate the risk of a scenario.
An analysis tool that typically builds on the information developed during a qualitative hazard evaluation, such as a process hazard analysis (PHA).
(Figure, not reproduced: Risk of Scenario; REDUCE FREQUENCY TO ACHIEVE TOLERABLE RISK; TOLERABLE RISK. Source: CCPS)
Steps in LOPA
1. Identify and define the scenario
2. Determine the incident scenario
3. Identify the "Initiating Event"
4. Identify the cause (Initiating Event) and determine the "Initiating Event Frequency"
5. Identify the "Protection Layers" and determine their "Probability of Failure on Demand (PFD)"
6. Determine the "Risk Frequency"
Basic Concept of LOPA
Scenario flow diagram: Initiating Event (Cause) -> Enabling Events & Conditions -> Independent Protection Layer (IPL) -> Conditional Modifier (Conditional Influence) -> Consequence
1. Initiating Event: the single cause in a scenario that leads to the undesired consequence
2. Enabling Event & Condition: a follow-on cause triggered by the Initiating Event
3. Conditional Modifier: the possibility of additional effects that worsen the consequence (probability of ignition, probability of fatal injury, etc.)
Basic Concept of LOPA
Flow diagram of how IPLs work (event tree): Initiating Event -> IPL1 (Preventive Feature) -> IPL2 (Preventive Feature) -> IPL3 (Preventive Feature) -> Impact Event
  At each IPL: Success -> Safe Outcome; Failure -> the demand passes to the next IPL
  Failure of the last IPL -> Consequences exceeding criteria
Key: thickness of arrow represents frequency of the consequence if later IPLs are not successful
Mitigated Risk = reduced frequency * same consequence
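The following is an added example (not part of the original slides) that works the steps above and the IPL event tree in code: it walks the tree once per IPL, splitting each demand into the "Success -> Safe Outcome" branch and the "Failure" branch that reaches the next layer, and applies enabling conditions before the IPLs and conditional modifiers after them. The reactor loss-of-cooling scenario, its frequency, its three IPLs and the "personnel present" modifier are constructed values for illustration, not figures from the slides.

```python
from dataclasses import dataclass, field


@dataclass
class Scenario:
    name: str
    initiating_event_frequency: float   # events per year
    ipl_pfds: list                      # PFD of each IPL, in the order a demand reaches them
    enabling_conditions: dict = field(default_factory=dict)    # name -> probability
    conditional_modifiers: dict = field(default_factory=dict)  # name -> probability


def _product(values):
    """Multiply probabilities, rejecting anything outside [0, 1]."""
    out = 1.0
    for v in values:
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"probability out of range: {v}")
        out *= v
    return out


def event_tree(scenario):
    """Walk the IPL event tree; returns (safe_outcomes, all_ipls_fail, consequence).

    safe_outcomes[i] is the frequency per year with which IPL i stops the scenario
    after every earlier IPL has failed (the 'Success -> Safe Outcome' branches).
    all_ipls_fail is the frequency of the final 'Failure' branch, and consequence
    is that frequency after the conditional modifiers are applied.
    """
    demand = scenario.initiating_event_frequency * _product(scenario.enabling_conditions.values())
    safe_outcomes = []
    for pfd in scenario.ipl_pfds:
        _product([pfd])                                 # range check only
        safe_outcomes.append(demand * (1.0 - pfd))      # IPL works: safe outcome
        demand *= pfd                                   # IPL fails: demand reaches the next IPL
    consequence = demand * _product(scenario.conditional_modifiers.values())
    return safe_outcomes, demand, consequence


def branches_conserve_demand(scenario, tol=1e-12):
    """Sanity check on the tree: every demand ends in exactly one branch."""
    safe_outcomes, all_ipls_fail, _ = event_tree(scenario)
    demand = scenario.initiating_event_frequency * _product(scenario.enabling_conditions.values())
    return abs(sum(safe_outcomes) + all_ipls_fail - demand) < tol


def overall_risk_reduction_factor(scenario):
    """RRF credited to the IPLs alone: 1 / (PFD1 * PFD2 * ... * PFDn)."""
    return 1.0 / _product(scenario.ipl_pfds)


# Constructed values for the exothermic-reactor loss-of-cooling scenario of the slides.
REACTOR_RUNAWAY = Scenario(
    name="loss of cooling -> runaway reaction and reactor overpressure",
    initiating_event_frequency=0.1,      # cooling water valve malfunction, events/year (constructed)
    ipl_pfds=[0.1, 0.01, 0.01],          # TAH + operator response, SIS trip, relief valve (constructed)
    conditional_modifiers={"personnel present": 0.5},   # constructed conditional modifier
)

if __name__ == "__main__":
    safe, all_fail, consequence = event_tree(REACTOR_RUNAWAY)
    for i, f in enumerate(safe, 1):
        print(f"IPL{i} succeeds after earlier IPLs fail: {f:.3g} /yr -> safe outcome")
    print(f"all IPLs fail: {all_fail:.3g} /yr; consequence exceeding criteria: {consequence:.3g} /yr")
    print(f"overall RRF from IPLs: {overall_risk_reduction_factor(REACTOR_RUNAWAY):.0f}")
    print("branches conserve demand:", branches_conserve_demand(REACTOR_RUNAWAY))
```

The thinning arrows of the slide's diagram are the `safe_outcomes` list: each entry is smaller than the last by the PFD of the preceding layer, and `branches_conserve_demand` checks that the safe branches plus the final failure branch account for every initiating demand, which is the property that makes the product of PFDs the right mitigated frequency.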
Consequence Analysis
(The HAZOP table for the reactor hazard scenario is repeated here; its Consequences column is the input to consequence analysis.)
Consequence Analysis
Consequence analysis methods commonly used in LOPA:
1. Category approach without direct reference to human harm
2. Qualitative estimates with human harm
3. Qualitative estimates with human harm with adjustments for post-release probabilities
4. Quantitative estimates with human harm
5. Overall cost resulting from the potential incident (e.g., capital losses, production losses, etc.)
Consequence Analysis
1. Category approach without direct reference to human harm: focuses on prevention rather than mitigation; does not use a "human injury/fatality" measure; uses a matrix for each category.
2. Qualitative estimates with human harm: focuses on the harm suffered by people; the calculated risk can be compared directly with the Risk Tolerance Criteria.
3. Qualitative estimates with human harm with adjustments for post-release probabilities: similar to method no. 2, but the emphasis is on what happens after the cause has occurred (e.g., the release of the chemical). Takes into account: the probability of the event that is the cause, the probability that people are present nearby, and the probability of injury/fatality.
Initiating Event Analysis
Determining a cause (Initiating Event) in a scenario is always preceded by the questions:
What is the likelihood of the undesired event in the scenario?
What is the risk associated with this scenario?
Are there sufficient risk mitigation measures?
Initiating Event Analysis: Types of Initiating Event
Type of event | Examples
Mechanical failures | Corrosion, vibration, erosion, fracture, PSV stuck open, fabrication defect, brittleness, gas/seal/flange leak
Control system failures | Sensor/logic/control element failures, wiring failures, software crashes, interface blocked
Utility failures | Power failures, cooling system failure, instrument air system failure
Natural external events | Earthquake, tornado, flood, lightning
External conditions | Failure at a neighbouring plant, struck by a vehicle
Human failures | Operational error, maintenance error, response error
Initiating Event Analysis: data sources for determining the Initiating Event Frequency
1. Industry data (usually from external bodies, e.g. OREDA)
2. Company experience
3. Vendor data (from the equipment manufacturer)
Independent Protection Layer (IPL) Analysis
IPL: a system, device or activity intended to prevent or mitigate the initiating event so that it does not develop into the undesired consequences.
Types classified as IPL:
• Process Design (Inherently Safer Design)
• Basic Process Control System
• Critical Alarm and Human Intervention
• Safety Instrumented System
• Physical Protection
• Post-release Protection
• Plant Emergency Response
• Community Emergency Response
Independent Protection Layer (IPL) Analysis
Layers of protection, from the innermost outward (figure):
• Process Design
• Basic Process Control Systems, Non-safety Process Alarms, Operator Supervision
• Safety Critical Process Alarms
• Safety Instrumented Systems
  (the layers above are PREVENTION)
• Mechanical Mitigation Systems, Fire and Gas Systems (MITIGATION)
• Plant Emergency Response
• Community Emergency Response
Independent Protection Layer (IPL) Analysis
For a system, device or action (safeguard) to be considered an IPL it must be:
• Effective in preventing the consequence when it functions: it can detect the cause, decide the action to take, and deflect the consequence so that it does not occur
• Independent of the cause (Initiating Event) and of the other IPL components for the same scenario
• Auditable in terms of its effectiveness in preventing the consequence, especially its PFD
If all IPLs are affected by a common-cause scenario, all of those IPLs are treated as a single IPL.
Independent Protection Layer (IPL) Analysis
Process Design
Generally there are two aspects of Inherently Safer Design in the IPL "Process Design":
• Elimination of the hazard using the Inherently Safer Design method
• Assigning a non-zero PFD to the other Inherently Safer Design measures
PFD values for inherently safer design (CCPS, 2001) (table not reproduced)
Independent Protection Layer (IPL) Analysis
The BPCS is the system that monitors, controls and keeps the process within its safe operating range.
Basic components of a BPCS loop (figure not reproduced)
The BPCS has three safety functions related to IPLs:
1. Continuous control actions: keeps the process within its safe operating range (level controller)
2. Alarm actions: a logic solver/alarm trip keeps the process within its normal operating range and alarms the operator
3. Return process to stable state: a logic solver/control relay automatically returns the process to a safe state
Independent Protection Layer (IPL) Analysis
BPCS Failure Rate Data (CCPS, 2001) (table not reproduced)
The PFD of a BPCS is influenced by:
• Adequacy of security and access procedures: related to people
• Level of redundancy: related to back-up systems
• Historic failure rate: related to the history of breakdowns/failures
• Effective test rate: related to testing
• Other factors: other factors to be considered include design, manufacture, installation and maintenance
Independent Protection Layer (IPL) Analysis
Critical Alarm and Human Intervention (CAHI)
The PFD of a CAHI is influenced by:
• Detection: when the alarm sounds
• Decision: when the response is decided
• Action: when the action is carried out
Independent Protection Layer (IPL) Analysis
A SIS is a safeguard/IPL consisting of sensors, a logic solver and final elements.
Its function is "only" to bring the operating condition to a "Safe State".
Known by various names: Safety Interlock System, Emergency Shut-down System, etc.
The PFD of a SIS is also known as the RRF (Risk Reduction Factor) and, under the international standard IEC 61511, is categorized into Safety Integrity Levels (SIL).
PFD by SIL (table not reproduced)
Independent Protection Layer (IPL) Analysis
Physical Protection: Relief Valve, Rupture Disc
PFD for Physical Protection (table not reproduced)
Factors affecting the PFD value: equipment sizing, design, installation, inspection quality, maintenance quality, cleanliness of the process fluid
Post-Release Protection: Blast Wall, Dike
PFD for Post-Release Protection (table not reproduced)
Case Study 1
LOPA table format
Column 1: #
Column 2: Initial Event Description
Column 3: Initiating cause
Column 4: Cause likelihood (Likelihood = X)
Protection Layers (each with Probability of failure on demand = Yi):
  Column 5: Process design
  Column 6: BPCS
  Column 7: Alarm
  Column 8: SIS
  Column 9: Additional mitigation (safety valves, dykes, restricted access, etc.)
Column 10: Mitigated event likelihood
Notes
Mitigated likelihood = (X)(Y1)(Y2)...(Yn)
Case 1: Flash drum for "rough" component separation for this proposed design.
(Process drawing, not reproduced. Tags and labels on it: feed of methane, ethane (light key, "L. Key"), propane, butane; FC-1; steam to AC-1; process fluid; temperatures T1, T2, T3, T5; flows F2, F3; PC-1 split range in cascade with TC-6; PAH; LC-1 with LAL and LAH; vapor product; liquid product (butane, pentane).)
Case 1: Flash drum for "rough" component separation. Complete the table with your best estimates of values.
# | Initial Event Description | Initiating cause | Cause likelihood | Process design | BPCS | Alarm | SIS | Additional mitigation (safety valves, dykes, restricted access, etc.) | Mitigated event likelihood | Notes
1 | High pressure | Connection (tap) for pressure sensor P1 becomes plugged | | | | | | | | Pressure sensor does not measure the drum pressure
Assume that the target mitigated likelihood = 10^-5 event/year
Case 1: Some observations about the design.
• The drum pressure controller uses only one sensor; when it fails, the pressure is not controlled.
• The same sensor is used for control and alarming. Therefore, the alarm provides no additional protection for this initiating cause.
• No safety valve is provided (which is a serious design flaw).
• No SIS is provided for the system. (No SIS would be provided for a typical design.)
Case 1: Solution using initial design and typical published values.
# | Initial Event Description | Initiating cause | Cause likelihood | Process design | BPCS | Alarm | SIS | Additional mitigation (safety valves, dykes, restricted access, etc.) | Mitigated event likelihood | Notes
1 | High pressure | Connection (tap) for pressure sensor P1 becomes plugged | 0.10 | 0.10 | 1.0 | 1.0 | 1.0 | 1.0 | 0.01 | Pressure sensor does not measure the drum pressure
Much too high! We must make improvements to the design.
Case 1: Solution using enhanced design and typical published values.
# | Initial Event Description | Initiating cause | Cause likelihood | Process design | BPCS | Alarm | SIS | Additional mitigation (safety valves, dykes, restricted access, etc.) | Mitigated event likelihood | Notes
1 | High pressure | Connection (tap) for pressure sensor P1 becomes plugged | 0.10 | 0.10 | 1.0 | 0.10 | 1.0 | PRV 0.01 | 0.00001 | Pressure sensor does not measure the drum pressure. The PRV must exhaust to a separation (knock-out) drum and fuel or flare system.
Enhanced design includes separate P sensor for alarm and a pressure relief valve.
The enhanced design achieves the target mitigated likelihood.
Sketch on process drawing. Verify table entries.
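The Case 1 row, and the IPL qualification rules (effective, independent, auditable) from the IPL slides, worked in code as an added example that is not part of the original slides. Each safeguard declares the components it relies on; a safeguard that shares a component with the initiating cause or with an already-credited IPL gets no credit and keeps PFD 1.0 in its column, which is exactly why the BPCS and the alarm on sensor P1 earn nothing in the initial design. The PFD figures are the slides' typical published values; the safeguard descriptions, the tags P2 and PRV, and the controller tag PC-1 as used here are constructed for illustration.

```python
import math
from dataclasses import dataclass

# Protection-layer columns of the LOPA table, in table order.
COLUMNS = ("process design", "BPCS", "alarm", "SIS", "additional mitigation")


@dataclass(frozen=True)
class Safeguard:
    column: str               # LOPA table column the safeguard would be credited in
    name: str                 # description (constructed for this example)
    pfd: float                # probability of failure on demand if credited
    depends_on: frozenset     # sensors/components the safeguard relies on
    auditable: bool = True    # PFD backed by test and inspection records


def credited_pfds(initiating_cause_components, safeguards):
    """Apply the IPL qualification rules to a list of safeguards.

    A safeguard is credited only if it is independent of the initiating cause and
    of every IPL already credited (no shared component) and its PFD is auditable.
    Anything else keeps PFD 1.0 in its column, i.e. no credit.
    Returns (pfd_by_column, notes explaining each refused credit).
    """
    pfds = {col: 1.0 for col in COLUMNS}
    in_use = set(initiating_cause_components)
    notes = []
    for sg in safeguards:
        if sg.column not in COLUMNS:
            raise ValueError(f"unknown LOPA column: {sg.column}")
        shared = sg.depends_on & in_use
        if shared:
            notes.append(f"{sg.name}: no credit, shares {sorted(shared)} with the cause or another IPL")
            continue
        if not sg.auditable:
            notes.append(f"{sg.name}: no credit, PFD not auditable")
            continue
        pfds[sg.column] *= sg.pfd
        in_use |= sg.depends_on
    return pfds, notes


def mitigated_likelihood(cause_likelihood, pfds):
    """Mitigated likelihood = (X)(Y1)(Y2)...(Yn), events per year."""
    result = cause_likelihood
    for y in pfds.values():
        result *= y
    return result


def meets_target(mitigated, target):
    """LOPA works in orders of magnitude, so equality within floating-point noise counts."""
    return mitigated <= target or math.isclose(mitigated, target, rel_tol=1e-9)


# Case 1 row: the pressure tap for sensor P1 plugs, so anything relying on P1
# is not independent of the initiating cause.
CAUSE_COMPONENTS = {"P1"}
CAUSE_LIKELIHOOD = 0.10   # events/year, typical published value from the slides
TARGET = 1e-5             # target mitigated likelihood, events/year

INITIAL_DESIGN = [
    Safeguard("process design", "process design credit", 0.10, frozenset()),
    Safeguard("BPCS", "PC-1 pressure controller on P1", 0.10, frozenset({"P1", "PC-1"})),
    Safeguard("alarm", "PAH on the control sensor P1", 0.10, frozenset({"P1"})),
]

# Enhanced design: separate sensor P2 (constructed tag) for the alarm, plus a PRV.
ENHANCED_DESIGN = INITIAL_DESIGN[:2] + [
    Safeguard("alarm", "PAH on separate sensor P2", 0.10, frozenset({"P2"})),
    Safeguard("additional mitigation", "PRV to knock-out drum and flare", 0.01, frozenset({"PRV"})),
]


def evaluate(design):
    """Fill the protection-layer columns and column 10 for one table row."""
    pfds, notes = credited_pfds(CAUSE_COMPONENTS, design)
    mitigated = mitigated_likelihood(CAUSE_LIKELIHOOD, pfds)
    return pfds, mitigated, meets_target(mitigated, TARGET), notes


if __name__ == "__main__":
    for label, design in (("initial", INITIAL_DESIGN), ("enhanced", ENHANCED_DESIGN)):
        pfds, mitigated, ok, notes = evaluate(design)
        print(f"{label} design: {pfds} -> {mitigated:.1e} /yr, target met: {ok}")
        for note in notes:
            print("   ", note)
```

The `in_use` set is what enforces the slide's common-cause rule: once P1 belongs to the initiating cause, neither PC-1 nor the PAH wired to P1 can be credited, and the initial row collapses to 0.10 x 0.10 = 0.01 per year; moving the alarm to P2 and adding the PRV reproduces the enhanced row's 10^-5.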
Case Study 2
Scenario
The two-phase separator V 180 is under level control (level control LC 213). In case of high high liquid level, the level switch LSHH 214 would close emergency shutdown valve ESDV 172 and shut down compressor C 130 downstream of V 180. This is to prevent carrying liquid over to the compressor leading to compressor damage.
PHA Results (HAZOP)
LOPA Analysis
Risk Evaluation
Thank You