A potential pitfall in LOPA and in the management of IPLs identified in LOPA is misunderstanding the boundary of the IPL.
For example, LOPA might identify a pressure relief valve as an IPL to prevent the consequence of catastrophic rupture of the vessel with potential for fatality. In reality, for the pressure relief valve to prevent vessel rupture, the inlet piping from the vessel to the relief valve and the outlet piping from the relief valve to the ultimate destination must provide sufficient flow capability. For the initial design, the relief calculations must include the pressure drop in the inlet and outlet piping. During the operational phase of the lifecycle, the inspection and testing of the relief valve IPL must include inspection of the inlet and outlet piping, including any devices such as flame arrestors or back pressure controllers. This inspection and testing is in addition to the inspection and testing of the relief valve itself. Moreover, the management system for any block valves in the inlet or outlet must be evaluated and audited to confirm that the relief path is not compromised by human error that blocks the path. The paper includes diagrams to illustrate the concept.
A dike may be identified as an IPL to prevent flow of liquid throughout the facility in case of a leak or overflow of a tank. The size of the dike is based on the volume of the tank. If the initiating cause is, for example, failure of the tank level control loop, then continuing flow from the pipeline supplying the tank could easily lead to an overflow from the tank into the dike. In many LOPAs, the analyst simply writes âIPL: Dike, sized for 1.x * tank volumeâ. In order for the dike to be an effective IPL, the overflow must be detected and the pipeline flow must be stopped, before the dike overflows. What is the mechanism to detect and stop the flow before dike overflow? Is there instrumentation with operator response to alarm? Will operator rounds detect the flow into the dike in time? In the middle of the night? In a snowstorm? If someone sees the overflow, how is the flow stopped? For this scenario, the IPL must include the dike itself, AND the detection of flow into the dike AND the action to stop the flow into the tank. The probability of failure on demand (PFD) for detecting the flow into the dike and stopping the flow into the tank must be added to the PFD for the dike itself. The periodic inspection and testing of the dike must include verification and testing of the system to detect flow into the dike and to stop flow into the tank. The paper includes sketches that show the issue.
If the materials of construction of the dike are not compatible with the overflow, then the dike may be effective as an IPL only for a brief interval. For example, an acidic solution might attack the concrete dike wall. A corrosive liquid could destroy the carbon steel bolts securing the tank to its foundation. The corrosive liquid could consume the flange bolts on piping and other vessels in the dike, leading to additional loss of containment.
If the IPL boundaries are not correctly understood, the LOPA is not correct and the organization is deluding itself on the risk reduction.
Additional examples and illustrations for other IPLs will be shown in the paper.
Presenter(s)
Language
Pricing
Individuals
AIChE Member Credits | 0.5 |
AIChE Pro Members | $19.00 |
Employees of CCPS Member Companies | Free |
AIChE Graduate Student Members | Free |
AIChE Undergraduate Student Members | Free |
AIChE Explorer Members | $29.00 |
Non-Members | $29.00 |