On the 10th anniversary of the BP Texas City Refinery explosion, let’s pause to reflect on one of the lessons learned from this disaster. The process had multiple layers of protection, including operating procedures, BPCS control and alarms, independent alarms, and relief devices. There was additional instrumentation downstream that could have identified the scenario. Operator action was required for shut-down. The process design apparently included multiple layers of protection, yet there were sufficient failures to allow a major event to occur.
A Layer of Protection Analysis (LOPA) is intended to verify the independence and suitability of layers of protection, yet incident investigations often reveal Independent Protection Layer (IPL) failure plays a significant role in the sequence of events. So what can we do to challenge the LOPA, and improve the long term effectiveness of protection layers?
Operators are awesome, but they are also human. Operator action should only be credited as an IPL when performance of the action is reliable. Are alarms rationalized so that the operator does not have to filter priority before taking action? Is the expected response time reasonable? Are complex decision processes required that could result in incorrect or no action? What is the response track record? Do operators historically respond as desired and within the required time?
Instrument systems are relied upon to deliver control and safety benefit and may represent multiple layers of protection. IPL assessment needs to consider the common cause conditions that could contribute to systemic failure:
- Are the maintenance procedures formalized and repeatable?
- Is maintenance staff well trained?
- Is work assigned based on personnel competency or availability?
- Does the interlock out-of-service policy allow prolonged unavailability?
- Do instruments have a history of repeated failure?
- Is it customary to run to failure?
Mechanical protections can be highly effective, but only if sized for the event scenario. Have relief device calculations been updated incrementally? Were new connections added to a relief header system? If yes, have the devices and header system been re-analyzed to consider the whole system in its current state? Is the specific scenario included in the relief design basis?
LOPA procedures and good engineering practice provide guidance on what can be considered an IPL and the maximum credit that can be assumed. The LOPA team must couple judgement with that guidance to challenge the effective reliability of each protection layer and assign protection credit accordingly.
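As an added illustration (not from the original post), the following Python sketch turns the questions above into a simplified LOPA credit calculation: each IPL only multiplies down the initiating event frequency if it meets its reliability criteria and does not share a system (operator, BPCS, relief header) with a layer already credited. The overfill scenario, PFD values and target frequency are constructed, and the one-credit-per-shared-system rule is a simplification of the published guidance.

```python
from dataclasses import dataclass, field

@dataclass
class IPL:
    name: str
    pfd: float                                  # probability of failure on demand (assumed value)
    shares: set = field(default_factory=set)    # systems shared with other layers (common cause)
    reliable: bool = True                       # False when the page's credit criteria are not met

def mitigated_frequency(initiating_freq, ipls):
    """Initiating event frequency (per year) times the PFD of every credited IPL.
    A layer earns no credit if it is unreliable, or if it shares a system with a
    layer that was already credited (the two layers are not independent)."""
    freq, used, credited = initiating_freq, set(), []
    for ipl in ipls:
        if not ipl.reliable or ipl.shares & used:
            continue
        freq *= ipl.pfd
        used |= ipl.shares
        credited.append(ipl.name)
    return freq, credited

def risk_gap(initiating_freq, ipls, target_freq):
    """Factor by which the mitigated frequency exceeds the tolerable target (1.0 meets it)."""
    freq, _ = mitigated_frequency(initiating_freq, ipls)
    return freq / target_freq

# Constructed tower-overfill scenario: level control fails 0.1 times per year;
# tolerable frequency for the consequence is assumed to be 1e-5 per year.
INITIATING_FREQ = 0.1
TARGET_FREQ = 1e-5

def candidate_layers(operator_reliable=True, relief_sized_for_scenario=True):
    return [
        IPL("BPCS high-level alarm + operator", 0.1, {"BPCS", "operator"}, operator_reliable),
        IPL("Independent high-high alarm + operator", 0.1, {"operator"}, operator_reliable),
        IPL("Relief device to flare header", 0.01, {"relief header"}, relief_sized_for_scenario),
    ]

def naive_assessment():
    # Takes every listed layer at face value, including two alarms that both rely on the operator.
    return mitigated_frequency(INITIATING_FREQ, [IPL(l.name, l.pfd) for l in candidate_layers()])

def challenged_assessment(operator_reliable=True, relief_sized_for_scenario=True):
    # Applies the independence and reliability challenges before assigning credit.
    return mitigated_frequency(INITIATING_FREQ,
                               candidate_layers(operator_reliable, relief_sized_for_scenario))

if __name__ == "__main__":
    print("naive:               ", naive_assessment())
    print("challenged:          ", challenged_assessment())
    print("operator not reliable:", challenged_assessment(operator_reliable=False))
    print("relief not sized:     ", challenged_assessment(relief_sized_for_scenario=False))
```

The naive pass appears to meet the 1e-5 target, while the challenged pass shows a ten-fold gap, and removing operator credit or relief credit widens it further.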