Risk Assessment of Catastrophic Failures of Pumps Resulting from Isolated Running

1
Risk Assessment of Catastrophic Failures of Pumps
Resulting from Isolated Running

• by
• J. Wayne Chastain

2
Potential Concern

• Centrifugal Pump in Operation
• Full of Fluid
• Suction and Discharge Closed or Plugged
• BLEVE of Pump

3
Pump Isolation Concern

• Risk
• Process Hazard Analysis
• Actual Data at Tennessee Eastman
• Quantitative Risk Assessment
• Additional Controls

4
Typical Spared Pump
5
Pump Isolation Concern

• "The potential exists for operator error to
  result in a pump being started in an isolated
  condition (with suction and discharge valves
  closed). If this occurs, the pump could be
  overpressured and fail causing injury to
  personnel in the area and damage to additional
  equipment."

6
Consequence

• Injury to personnel
• Class B Lost Time Injury
• Class C Hospitalization
• Class D Severe Injury
• Release of Flammable Liquid
• Class B Less than 10,000 lb
• Class C More than 10,000 lb

7
Controls

• Trained Operators
• Operating Procedures
• Emergency Response
• Deluge Protection
• Area Electrical Classification

8
Controls

• Trained Operators
• Operating Procedures
• Emergency Response
• Deluge Protection
• Area Electrical Classification

9
Are the controls adequate?

• Other safeguards
• Likelihood that the seal will fail and relieve
  the pressure
• Likelihood that anyone is in the area when the
  pump fails
• Likelihood that person is injured by shrapnel
• Likelihood that other equipment is damaged and a
  release occurs
• Likelihood that any flammable release is ignited

10
Frequency of Occurrence

• Eastman Chemical Company, Tennessee Eastman
  Division
• 7850 Centrifugal Pumps in Operation
• Sized from lt1 hp to gt500 hp
• 5 events in 14 years
• 10-4.5 BLEVEs / pump-year

11
Quantitative Risk Assessment

• Fault Tree
• Event Tree
• Failure Modes Effects and Criticality Analysis
• Layers of Protection Analysis (LOPA)

12
LOPA Description

• Simplified form of quantitative risk assessment
• Uses order of magnitude categories for
• Consequence severity
• Initiating event frequency
• Likelihood of failure of Independent Protection
  Layers (IPLs)
• Provides a numerical indication of adequacy of
  protective systems

13
Benefits of LOPA

• More objective basis for risk acceptability
  compared to qualitative techniques
• Gives a basis for Safety Integrity Level (SIL)
  determination for Safety Instrumented System
  (SIS) design

14
Tolerable Risk

• Based on the types of consequences evaluated by
  the LOPA
• Varies for different levels of consequence
• May be dictated by governing authority or
  determined by individual companies

15
Tolerable Risk for Life Safety

• Individual Work Accident Risk
• 1.5 x 10-4 per year (BLS 2003)
• One method of determining an acceptable target is
  to provide an order magnitude "better" protection
  than industry average for a particular
  cause-consequence pair

16
Government Tolerable-Risk Criteria Summary
UK Hong Kong Netherlands Australia(New South Wales)
Individual Risk de Minimus (Worker) 1 x 10-5 Not Used Not Used Not Used
Individual Risk de Minimus (Public) 1 x 10-6 Not Used 1 x 10-6 Not Used
Individual Risk de Manifestus (Worker) 1 x 10-3 Not Used Not Used Not Used
Individual Risk de Manifestus (Public) 1 x 10-4 1 x 10-5 1 x 10-6 1 x 10-6
Societal Risk Anchor 10 persons at 1 x 10-4 10 persons at 1 x 10-4 10 persons at 1 x 10-5 Not Used
Societal Risk Aversion Index -1 -1 -2 Not Used
17
Possible Variables

• Non Hazardous vs. Hazardous Materials (Toxic,
  Flammable, Reactive)
• Plugging vs. Clean Services
• Local vs. Remote Start
• Automatic vs. Manual Start

18
Example LOPA Table
Case Isolated running of the pump resulting in BLEVE
Hazard D
Target -5 Single Severe Injury
Initiator -2 Operator error in starting an isolated pump in the field
1 Number of times per year pump is started
Enabling -1 Likelihood that pump is isolated when operator tries to start pump
LOP -0.5 Likelihood that seal failure relieves the building pressure in the pump
Conditions -1.5 Likelihood of personnel in the area
-1 Likelihood of severe injury (from shrapnel from the pump)
Total -5 Sum of Protection Layers
0 Differential
19
Explanation of Values

• Simplification of approach by working in
  logarithmic values
• Log (1 x 10-5) -5
• Working with logs of values allows all
  manipulations to be handled by addition and
  subtraction
• Accuracy is limited to the closest half order of
  magnitude value

20
Explanation of Values
LOPA Value Frequency PFD RRF
1 10 events/year - -
0.5 3 events/year - -
0 1 event/year 100 1
-0.5 3 years/event 30 3
-1 10 years/event 10 10
21
Example LOPA Table
Case Isolated running of the pump resulting in BLEVE
Hazard D
Target -5 Single Severe Injury
Initiator -2 Operator error in starting an isolated pump in the field
1 Number of times per year pump is started
Enabling -1 Likelihood that pump is isolated when operator tries to start pump
LOP -0.5 Likelihood that seal failure relieves the building pressure in the pump
Conditions -1.5 Likelihood of personnel in the area
-1 Likelihood of severe injury (from shrapnel from the pump)
Total -5 Sum of Protection Layers
0 Differential
22
Initiator

• Operator Error
• Initial error is in isolating a pump without
  immediately draining it
• Secondary error is starting a pump that is
  isolated
• Likelihood is increased if pump is started
  remotely
• Accepted failure rate is 1 x 10-2 per opportunity
• Events per year
• Best estimate of opportunities for event to occur
  on a yearly basis
• Only used when the initiating failure is per
  opportunities

23
Example LOPA Table
Case Isolated running of the pump resulting in BLEVE
Hazard D
Target -5 Single Severe Injury
Initiator -2 Operator error in starting an isolated pump in the field
1 Number of times per year pump is started
Enabling -1 Likelihood that pump is isolated when operator tries to start pump
LOP -0.5 Likelihood that seal failure relieves the building pressure in the pump
Conditions -1.5 Likelihood of personnel in the area
-1 Likelihood of severe injury (from shrapnel from the pump)
Total -5 Sum of Protection Layers
0 Differential
24
Enabling Events

• Pump isolated
• Must be expressed as a probability for consistent
  units
• Value may vary depending on actual likelihood

25
Example LOPA Table
Case Isolated running of the pump resulting in BLEVE
Hazard D
Target -5 Single Severe Injury
Initiator -2 Operator error in starting an isolated pump in the field
1 Number of times per year pump is started
Enabling -1 Likelihood that pump is isolated when operator tries to start pump
LOP -0.5 Likelihood that seal failure relieves the building pressure in the pump
Conditions -1.5 Likelihood of personnel in the area
-1 Likelihood of severe injury (from shrapnel from the pump)
Total -5 Sum of Protection Layers
0 Differential
26
Layers of Protection

• Criteria
• Effective
• Independent
• Auditable
• Seal Failure as Relief
• Questionable as to its auditability
• Given minimal credit
• Will vary depending on seal type and maintenance

27
Example LOPA Table
Case Isolated running of the pump resulting in BLEVE
Hazard D
Target -5 Single Severe Injury
Initiator -2 Operator error in starting an isolated pump in the field
1 Number of times per year pump is started
Enabling -1 Likelihood that pump is isolated when operator tries to start pump
LOP -0.5 Likelihood that seal failure relieves the building pressure in the pump
Conditions -1.5 Likelihood of personnel in the area
-1 Likelihood of severe injury (from shrapnel from the pump)
Total -5 Sum of Protection Layers
0 Differential
28
Conditionals

• Probability of ignition
• 0 for releases caused by collision
• 0 for releases close to fired equipment
• -0.5 for releases in general process areas
• -1 for releases in remote process areas
• Probability of personnel in affected area
• Varies depending on event, process, and location
• Probability of severe injury
• -0.5 for personnel in area of fire
• -1 for personnel in area of shrapnel

29
Example LOPA Table
Case Isolated running of the pump resulting in BLEVE
Hazard D
Target -5 Single Severe Injury
Initiator -2 Operator error in starting an isolated pump in the field
1 Number of times per year pump is started
Enabling -1 Likelihood that pump is isolated when operator tries to start pump
LOP -0.5 Likelihood that seal failure relieves the building pressure in the pump
Conditions -1.5 Likelihood of personnel in the area
-1 Likelihood of severe injury (from shrapnel from the pump)
Total -5 Sum of Protection Layers
0 Differential
30
Differential

• If value is 0 or positive then additional risk
  reduction is not needed
• If value is negative, then additional risk
  reduction of that reliability may be warranted

31
Additional Controls
Differential Solution
-0.5 to -1 SIS BPC Remote start to local start
-1.5 SIS SIL 1
-2 to -2.5 SIS SIL 2 Pressure relief
-3 to -3.5 SIS SIL 3
32
Safety Instrumented Systems

• Shutdown pump when an isolated running condition
  is detected
• Low power
• High pressure
• Valve position
• High temperature
• Flow

33
High Pressure SIS
34
Low Power SIS
35
Conclusions

• Qualitative risk assessment techniques like PHA
  can only give a "gut feeling" as to the need for
  controls to prevent pump isolated running and
  prevent the potential for BLEVE
• LOPA can be used to determine when additional
  controls are needed and the required reliability
  of the controls

36
Layers of Protection Analysis

• Additional information on LOPA can be found in
  Layer of Protection Analysis Simplified Process
  Risk Assessment, CCPS, 2001 (www.aiche.org/ccps)
• LOPA class will be offered for Eastman personnel
  in January
• ABS Consulting offers a LOPA class
  (http//www.abs-jbfa.com/lopa.html)