PHA-LOPA Report Rev 0-2 PDF
PetroMonagas
Delayed Coker Unit 13 Coke Drum Unheading Upgrade
11S-057
Combined
Process Hazards Analysis (PHA)
and Layer Of Protection Analysis (LOPA)
Report
Performed by
REVISION HISTORY
1. Summary
2. Terminology
2.1 Acronyms
2.2 Definitions
3. Unit Process Description
4. Combined PHA and LOPA Methodology
4.1 Process Hazards Analysis Methodology
4.2 Layer Of Protection Analysis Methodology
4.3 PHA/LOPA Step by Step Procedure
5. Sections Studied
6. Compliance with OSHA Process Safety Management and EPA RMP Requirements
6.1 Hazards of the Process
6.2 Identification of Previous Incidents Which Had a Potential for Catastrophic Consequences
6.3 Engineering and Administrative Controls and the Consequences of Failure of Administrative and Engineering Controls
6.4 Qualitative Evaluation...of the Possible Safety and Health Effects of Failure of Controls on Employees in the Workplace and Including Potential Off-site Consequence
6.5 Facility Siting
6.6 Human Factors
6.7 Process Hazards Analysis Team
7. Priority Rankings
8. Appendices
Appendix A - List of Participants
Appendix B - Nodes Studied
Appendix C - PHA Recommendation Tables
Appendix D - LOPA Claimed IPL Tables
Appendix E - LOPA Recommendation Table
Appendix F - PHA Risk Matrix
Appendix G - LOPA Matrix
Appendix H - LOPA Guidance Tables
Appendix I - PHA Worksheets
Appendix J - LOPA Worksheets
Appendix K - P&IDs
This report contains the results of the Process Hazards Analysis and Layer Of Protection Analysis study of
the specified process unit(s) for Total Automation Solutions. Neither SIS-TECH Solutions, LP, Total
Automation Solutions, nor any person acting on their behalf makes any warranty, expressed or implied, to any
third party, with respect to the use of the information contained in this report or assumes any liability to any
third party with respect to any use of the information.
SIS-TECH Solutions, LP and its employees, subcontractors, and other assigns cannot individually, or
collectively, predict what will happen in the future. Although the team made a reasonable effort, based on the
information and scope of work provided by Total Automation Solutions, to execute the Process Hazards
Analysis in the specified process unit(s), there are potential incident scenarios that may not have been
addressed in this study. If the recommendations of this study are followed, the frequency and/or
consequences of incidents should be decreased. However, even if all recommendations are implemented,
incidents may still occur in the specified process unit(s). In addition, the physical act of implementing these
recommendations may create hazards for PetroMonagas employees or their assigns. Therefore,
PetroMonagas should independently evaluate the recommendations made in this study to ensure that
implementing them will not create unacceptable hazards and that safe practices are followed when any
change is implemented.
COPYRIGHT NOTIFICATION
All rights reserved. No part of this work covered by the copyright hereon may be reproduced or copied in any
form or by any means—graphic, electronic, or mechanical—without first receiving the written permission of
PetroMonagas, Total Automation Solutions and SIS-TECH Solutions, LP.
In April, 2011, Total Automation Solutions initiated a combined Process Hazards Analysis (PHA)
and Layer Of Protection Analysis (LOPA) for the Delayed Coker Unit 31 Coke Drum Unheading
Upgrade at the PetroMonagas facility as part of the initial PHA/LOPA. PetroMonagas
assembled a multidisciplinary team to perform the PHA and LOPA; this team included personnel
from PetroMonagas who are familiar with the design, operation, and maintenance of the
process and a facilitator from SIS-Tech Solutions, LP. The team met between April 27th and
April 29th, 2011. This analysis focused on 13-D-1301A with the expectation that results from
this exercise would be representative for the other three drums (13-D-1301B, 13-D-1302A,
13-D-1302B) in the system.
Note that existing hazards associated with Coke Drum switching and cutting operation were not
evaluated and only hazards associated with the addition of the Delta Valve Top Unheading
Device (TUD)/Bottom Unheading Device (BUD) were considered; for example, the scenarios of
feed being introduced into an open drum or cutting water to a tool out of the drum were not
considered.
The team's objectives when performing the PHA and LOPA were to (1) identify hazards that
could lead to consequences of interest and (2) recommend ways for reducing the risks
associated with the identified hazards. For this analysis, consequences of interest include but
are not limited to (1) events (e.g., a major uncontrolled emission, fire, or explosion) involving one or
more of the highly hazardous chemicals defined in the Occupational Safety and Health
Administration's (OSHA's) regulation 29 CFR 1910.119 that present serious danger to workers
in the workplace and (2) a major uncontrolled emission, fire, or explosion involving one or more
of the regulated substances defined in the Environmental Protection Agency's (EPA's)
regulation 40 CFR 68 that presents imminent and substantial endangerment to public health
and the environment. In addition, environmental and asset based issues were identified.
OSHA acknowledged ANSI/ISA 84.01 (ISA 84) as important for compliance with the OSHA
process safety management (PSM) regulation, 29 CFR 1910.119, and with the general duty
clause associated with the OSH Act. ANSI/ISA 84.00.01 includes requirements for the
specification, design, implementation, and operation of Protective Instrumented Systems (PIS)
installed to reduce risk from process hazards and/or hazardous events.
The LOPA process is designed as part of the ANSI/ISA 84 requirements to determine risk and
assign risk reduction for hazardous scenarios. The LOPA determines the target Integrity Level
(IL) for the various Protective Instrumented Functions (PIFs) in the facility. This, in turn, impacts
the design of the Protective Instrumented Systems (PIS) and the basic process control system
(BPCS).
The LOPA was utilized to ensure that there are adequate independent layers of protection to
provide the required risk mitigation. While PHA safeguards may reduce risk, LOPA IPLs are
subject to strict rules as to what can be credited to protect personnel, assets and the
environment, so that the credited layers are sufficient to mitigate the risks involved with the
process. Additionally, the LOPA helps determine
the functionality of the Protective Instrumented System (PIS) involved and its target Integrity
Levels (ILs). It also defined areas where gaps exist in the existing design and documented
recommendations to remedy these.
Note that the Coke Drum Unheading Upgrade Project will not address LOPA Recommendations
6 and 7.
2.1 Acronyms
Independent Protection Layer (IPL)—“An IPL is a device, system, or action that is capable of
preventing a scenario from proceeding to its undesired consequence independent of the
initiating event or the action of any other layer of protection associated with the scenario.”
(Definition from Layer Of Protection Analysis, Simplified Process Risk Assessment, pg. 75.) The
IPL must have demonstrated dependability and independence, be auditable, have access
security, and be covered in the MOC process.
IPL Credit—One order of magnitude risk reduction equals an IPL credit. Each safeguard that
qualifies as an IPL is worth a certain number of IPL credits. This number of IPL credits is
determined by examining the qualifications listed in the LOPA Guidance Tables found in the
Appendices.
Node—A subsection of the process under study designed to organize the PHA into manageable
segments.
Process Hazards Analysis (PHA)— “A hazard evaluation of broad scope that identifies and
qualitatively analyzes the significance of hazardous situations associated with a process or
activity.” (Definition from Layer Of Protection Analysis, Simplified Process Risk Assessment, pg.
261.)
Protective Instrumented System (PIS)—A system consisting of one or more PIFs. Consists of
sensors, logic solver(s), and final elements.
The combined PHA and LOPA process has been adopted by Total Automation Solutions and
PetroMonagas to save time, money, and effort and to attain quality results from the process.
The What-if technique is highly dependent on the skill of the PHA team members conducting the
analysis and their expertise with the process and/or process equipment. This method uses
brainstorming with the question of “What-if” to identify potential causes.
The LOPA process involved reviewing the process deviations or undesirable conditions by node
associated with the unit under review. This process was facilitated by integrating it into the PHA
effort. Once the PHA severity was assigned, any scenario which had a severity of three (3) or
higher was included in the LOPA study.
Using the LOPA methodology, the likelihood of the deviation was determined initially without
the identified safeguards via the PHA. The qualified safeguards were applied independently
and individually as potential IPLs in order to determine if PIS with a target IL or other type of IPL
would be required to mitigate any anticipated residual risk. Where IPLs are claimed as risk
reduction credits, the IPL is assumed to meet all the criteria deemed appropriate per the LOPA
guidance tables (See Appendices). Gaps that result in asset-based consequences should be
subjected to cost-benefit analysis of the expected value added by closing these gaps compared
to the estimated investment required of the potential IPL or other design change.
All Instrumented Functions, if required, should be designed to meet their respective target
Integrity Level and to meet plant uptime requirements (i.e. minimize spurious trips on critical
plant equipment caused by safety related instrumentation failures). This may require installing
redundant instrumentation in a 2oo2 configuration (to reduce spurious trips); in a 1oo2
configuration (to meet target IL = availability) or in a 2oo3 configuration (to meet both target IL
and to reduce spurious trips). The individual recommendations did not specify the level of
redundancy required to meet target IL or plant uptime requirements. Redundant configurations
will be determined during the IL verification of each PIF.
The specific steps of the Combined HAZOP (PHA) and LOPA methodology used in this analysis
were:
1. Select node
2. Discuss process and design parameters of the section (Design Conditions/Parameters)
3. Apply the What-If technique.
4. Develop each scenario to its global consequence(s)
5. Identify existing systems and procedures (safeguards)
6. Use the Risk-Ranking Matrix (See Appendices) to qualitatively assess the risk of the
scenario (Severity and Likelihood)
7. If the Severity is three (3) or higher the team must perform a LOPA for this scenario.
8. If a LOPA is required, the Severity is assigned per the LOPA procedure.
9. The LOPA “Typical Initiating Causes and Frequency of Occurrence” table is used to
determine the likelihood of the hazardous event happening without any safeguards.
10. The number of IPLs required to mitigate the hazard will be assigned based upon the
LOPA Required Risk Reduction Factor (See Appendices).
11. Review the existing safeguards and determine if any of them meet the requirement of an
IPL.
12. After all of the IPLs have been identified the total number of “Current IPL Credits” is
entered.
13. If there is an “IPL Credit Gap” the team must make LOPA recommendations to close the
gap.
This process is repeated for each “What-If” and node until the entire process has been analyzed.
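Steps 7 through 13 of the procedure above can be expressed as a small calculation. The following is an added example, not part of the original report: the function names are hypothetical, the matrix and Table A-3 values are the ones that survive in this page's appendices, and the sample scenario is constructed from the TUD row of the Appendix J worksheet (severity 3, initiating frequency 1 in 1 year, one IPL credited at RRF 10).

```python
"""LOPA credit-gap check following steps 7-13 of the report's procedure."""

# Required RRF by row label and initiating frequency (1 in x years), copied
# from the LOPA matrix rows that survive on this page. The row label is read
# here as the LOPA severity (assumption). None stands for a "TR" cell, treated
# as "no further risk reduction required" (assumption). Rows 4 and 5 are not
# in the page text and are deliberately not guessed.
LOPA_MATRIX = {
    3: {1: 1000, 10: 100, 100: 10, 1000: None, 10000: None},
    2: {1: 100, 10: 10, 100: None, 1000: None, 10000: None},
    1: {1: 10, 10: None, 100: None, 1000: None, 10000: None},
}

# Maximum RRF that may be claimed per IPL type (Table A-3 rows on the page).
TABLE_A3_RRF = {
    "Dual Pump Seals": 10,
    "Restrictive Orifice": 100,
    "Pressure Regulator": 100,
    "Continuous Pilots": 10,
    "IL 1 (PIS)": 10,
    "IL 2 (PIS)": 100,
    "IL 3 (PIS)": 1000,
}

PHA_SEVERITY_THRESHOLD = 3  # step 7: severity 3 or higher goes to LOPA


def needs_lopa(pha_severity):
    """Step 7: screen a PHA scenario into the LOPA study."""
    return pha_severity >= PHA_SEVERITY_THRESHOLD


def required_rrf(severity, freq_years):
    """Steps 8-10: look up the required RRF; a TR cell needs none (RRF 1)."""
    try:
        cell = LOPA_MATRIX[severity][freq_years]
    except KeyError:
        raise ValueError(
            f"no matrix cell for severity {severity}, 1 in {freq_years} years"
        ) from None
    return 1 if cell is None else cell


def ipl_credits(rrf):
    """One order of magnitude of risk reduction equals one IPL credit."""
    credits, rest = 0, rrf
    while rest >= 10 and rest % 10 == 0:
        rest //= 10
        credits += 1
    if rest != 1:
        raise ValueError(f"RRF {rrf} is not a whole power of ten")
    return credits


def check_claim(ipl_type, claimed_rrf):
    """Step 11 with the table's NOTE 1: a claim may be lower than the
    guidance value, never higher, without additional justification."""
    limit = TABLE_A3_RRF.get(ipl_type)  # types absent from the table: no cap here
    if limit is not None and claimed_rrf > limit:
        raise ValueError(f"{ipl_type}: claimed RRF {claimed_rrf} exceeds {limit}")
    ipl_credits(claimed_rrf)  # rejects values that are not powers of ten
    return claimed_rrf


def assess(severity, freq_years, ipls):
    """Steps 10-13: total the claimed IPLs and report the remaining gap.

    ipls is a list of (ipl_type, claimed_rrf) pairs; RRFs of independent
    layers multiply, so their credits add.
    """
    target = required_rrf(severity, freq_years)
    total = 1
    for ipl_type, claimed in ipls:
        total *= check_claim(ipl_type, claimed)
    gap = target // total if target > total else 1
    return {
        "target_rrf": target,
        "total_ipl_rrf": total,
        "current_credits": ipl_credits(total),
        "rrf_gap": gap,
        "credit_gap": ipl_credits(gap),
    }


# Constructed sample based on the TUD worksheet row: one procedural IPL.
TUD_SCENARIO = {
    "severity": 3,
    "freq_years": 1,
    "ipls": [("Other (lock pin procedure)", 10)],
}

if __name__ == "__main__":
    print("before:", assess(**TUD_SCENARIO))
    # Closing the gap with a layer worth two credits, e.g. an IL 2 function.
    closed = TUD_SCENARIO["ipls"] + [("IL 2 (PIS)", 100)]
    print("after: ", assess(3, 1, closed))
```

The remaining gap of 100, or two IPL credits, matches the worksheet recommendation that the cutting tool position permissive provide two IPL credits.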
For the purposes of this review, the What-If methodology was applied to the sections (called
nodes). A list of nodes reviewed is included in the Appendices. The PHA worksheets that
document the review of these nodes are included in the Appendices.
This PHA study complies with the process hazards analysis requirements of the Occupational
Safety and Health Administration's rule "Process Safety Management of Highly Hazardous
Chemicals" (29 CFR 1910.119(e)) and the Environmental Protection Agency's "Risk
Management Program" rule (40 CFR Part 68) as follows:
The process was analyzed using any one or a combination of the Guideword HAZOP technique,
What-if technique or What-if/Checklist technique. These techniques are recognized by OSHA
as acceptable methods of evaluating process hazards. The American Petroleum Institute
(API RP-750) and the American Institute of Chemical Engineers (Hazard Evaluation
Procedures, 2nd Edition, Center for Chemical Process Safety of the American Institute of
Chemical Engineers) also recognize the value of these techniques in analyzing processes for
hazards.
However, these techniques may not document all the general safety issues that affect the health
and safety of the workplace employee and may not address all possible hazardous scenarios.
The PHA team included personnel with experience operating the process. These team
members recounted, for the benefit of the other team members, details of previous incidents for
similar processes so that the team members could make appropriate suggestions for
improvement to prevent recurrence of the events.
When determining the consequences of a given event, the PHA team assumed that existing
protection systems would fail to work (e.g., operators are not trained, procedures are not
followed, alarms and other safeguards are not tested and, as a result, may not provide
adequate warning or protection). This technique allowed the team to evaluate the
consequences of a particular event. The PHA team then evaluated each control or safeguard
individually to determine if it is viable and can be claimed as a legitimate safeguard. Adequacy
of procedures and training were reviewed. Maintenance and experience were considered, as
well as alarm and shutdown testing programs. Only those safeguards that the team determined
to be truly effective for risk reduction. The team then determined if additional controls or
safeguards should be considered.
Throughout the PHA study, the PHA team performed a qualitative evaluation of a failure of
controls, and the judgment of the team is reflected in the Risk-Ranking columns of the various
worksheets. To support management’s objective of prioritizing issues arising from the PHA, the
team used the Risk Matrix to aid in determining if a recommendation was justified based upon
the developed consequences and identified safeguards. After the consequences and
safeguards were developed, the scenario was evaluated based on 1) how severe the potential
consequences were assuming no safeguards were in place (Consequence), and 2) how
probable it was that the scenario would fully develop to those consequences given the identified
safeguards (Likelihood). The ranked severity of the consequences and likelihood that the
postulated consequences would occur were combined using the Risk Matrix to provide a
qualitative risk-ranking. Each developed cause/consequence scenario was ranked for severity,
likelihood, and risk.
The PHA team primarily addressed facility siting by qualitatively identifying types and
magnitudes of releases that impact people in the workplace and/or the community.
In determining the consequences of these releases, the PHA team considered the location of
the release point(s), the impact on nearby equipment and/or facilities, and the primary or
secondary effects that may occur as a result of siting. For example, in evaluating the potential
consequence of a hydrocarbon release, siting considerations include degree of confinement in
the release area, locations of control rooms, prevalent wind direction, and locations of furnaces
or other ignition sources. Toxic releases include similar considerations.
The PHA team consisted of persons with expertise in engineering, operations, and
maintenance. Team members lacking experience in the PHA/LOPA methods were provided
with an overview of the technique prior to beginning the study. A team list is included in the
Appendices.
7. Priority Rankings
The PHA team members used the Risk Ranking method to qualitatively assess the risk
associated with each significant cause/consequence scenario. This Matrix is included in the
Appendices.
After the consequences and safeguards are developed, the scenario is evaluated based on how
serious the potential consequences are (consequences), and how probable it is that the
scenario might fully develop to those consequences (likelihood). The severity ranking (Level 1 to
Level 5, with Level 5 representing the most severe consequences) and likelihood ranking
(Category A to Category E, with Category A representing the highest likelihood of occurrence)
are combined using the risk-ranking matrix to provide a qualitative risk ranking (1 to 5). Each
developed cause/consequence scenario was qualitatively assigned a severity, likelihood, and
risk ranking.
The study team categorized each cause/consequence scenario by noting the area of concern in
the "Severity Category" column in LOPA. The Appendices show these categories.
In some cases, the PHA team may develop a recommendation to improve the safety or
operability of the unit without fully developing a cause/consequence scenario. This typically
occurs when the severity or likelihood of the consequences is difficult to predict.
Lock pin is procedurally moved from the locked closed position is located so operator will note that drum
is hot and will not proceed with unheading (Other)
Lock pin is procedurally moved from the locked open position is located so operator will note that cutting
tool is still in drum and will not proceed with unheading (Other)
The following table provides listings of recommendations that the team felt could be
implemented to close the risk gaps found in the study. These recommendations should be
reviewed by the appropriate parties to ensure that they are workable solutions.
Note that gaps that are based on safety and/or environmental consequences must be
addressed; gaps that exist based only on the asset severity should be subjected to cost-benefit
analysis of the existing design versus the most cost-effective design modification that closes the
gap.
LIKELIHOOD   DESCRIPTION
4            Very likely to occur at the facility (>1/10)
3            Likely to occur at the facility once every 10 years (1/10 up to 1/100)
2            May occur once in the life of the facility, expected to occur once per year at a refinery in the USA (1/100 up to 1/1000)
1            Not likely to occur in life of this facility, expected to occur once per year at a refinery somewhere (1/1000 to 1/10000)

PHA RISK RANK

CONSEQUENCE SEVERITY    LIKELIHOOD
                        1    2    3    4
5                       3    4    5    5
4                       2    3    4    5
3                       1    2    3    4
2                       1    1    2    3
1                       1    1    1    2
PHA RISK RANK   DESCRIPTION
5               Immediate plant management notification made. Immediate action required for determining appropriate mitigation requirements. Should be mitigated with engineering and/or administrative controls to a risk ranking of 2 or less.
4               Timely plant management notification made. Should be mitigated with engineering and/or administrative controls to a risk ranking of 2 or less within a specified time period.
RANKING / SAFETY / ENVIRONMENTAL / ASSET

Ranking 5
  Safety: Multiple fatalities across a facility and/or Injuries or fatalities to the public
  Environmental: Catastrophic off-site environmental damage with long-term containment and clean-up
  Asset: Expectant loss greater than $10,000,000 and/or substantial damage to buildings located off-site

Ranking 4
  Safety: Hospitalization of three or more personnel (e.g., serious burns, broken bones) and/or one or more fatalities within a unit or local area and/or Injuries to the public
  Environmental: Significant off-site environmental damage (e.g., substantial harm to wildlife) with prolonged containment and clean-up
  Asset: Expectant loss between $1,000,000 and $10,000,000 and/or extended downtime with significant impact to the facility operation and/or minor damage (e.g., broken windows) to buildings located off-site

Ranking 3
  Safety: Hospitalization injury (e.g., serious burns, broken bones) and/or multiple lost work day injuries and/or Injury to the public
  Environmental: On-site release requiring containment and clean-up and/or off-site release causing environmental damage with quick clean-up
  Asset: Expectant loss between $100,000 and $1,000,000 and/or downtime of several days severely impacting the facility operation

Ranking 2
  Safety: Lost work day injury and/or recordable injuries (e.g., skin rashes, cuts, burns) and/or minor impact to public
  Environmental: On-site release requiring containment and clean-up by emergency personnel and/or off-site release (e.g., odor) but no environmental damage
  Asset: Expectant loss between $10,000 and $100,000 and/or downtime of more than day causing impact to facility operation and/or reportable quantity event

Ranking 1
  Safety: Recordable injury and/or no impact to the public
  Environmental: On-site release requiring containment and clean-up by on-site personnel.
  Asset: Expectant loss of less than $10,000 and/or downtime of less than a day with minor impact to the facility operation
3        1,000   100     10      TR      TR
2        100     10      TR      TR      TR
1        10      TR      TR      TR      TR
         1       10      100     1,000   10,000
         FREQUENCY (1 in x years)
NOTE 1: The initiating causes listed can be assumed to occur more frequently (e.g., changed from 1 in 100 years to 1 in 10 years) based
on process experience. The values cannot be made less frequent without additional justification and approval by process safety.
Additional analysis should be submitted as part of the justification. This would include human factors analysis, failure modes and effects
analysis (FMEA), event tree analysis or fault tree analysis.
Table A-3 Independent Protection Layers (IPL) and Associated Risk Reduction Factors (RRF) and Probability of Failure on Demand (PFD)
Dual Pump Seals (LOCAL): Alarm when either seal fails and action can be taken prior to failure of second seal. RRF 10, PFD 0.1
Restrictive Orifice (LOCAL): Clean non-corrosive service. RRF 100, PFD 0.01
Pressure Regulator (LOCAL): Periodically inspected and maintained. RRF 100, PFD 0.01
Continuous Pilots (LOCAL): Continuous pilots provided from reliable fuel source that is independent from the main burner. RRF 10, PFD 0.1
Protective Instrumented Systems: The PIS IPL must be designed and managed per good engineering practices.
IL 1 (PIS): Integrity Level 1. RRF 10, PFD 0.1
IL 2 (PIS): Integrity Level 2. RRF 100, PFD 0.01
IL 3 (PIS): Integrity Level 3. RRF 1000, PFD 0.001
NOTE 1: The IPLs listed can be assumed to provide less risk reduction (e.g., changed from RRF = 100 to RRF = 10) based on process
experience. The risk reduction cannot be assumed to be better without additional justification and approval by process safety. Additional
analysis should be submitted as part of the justification. This would include human factors analysis, failure modes and effects analysis
(FMEA), event tree analysis or fault tree analysis.
Table A-4 Operator Time Restrictions with Associated Risk Reduction Factors (RRF) and Probability of
Failure on Demand (PFD)
NOTE 1: The operator response time should consider the time it takes to recognize the alarm, to diagnose the
problem, and to complete the required action. This is compared to the process safety time which considers how
rapidly the process moves from the alarm condition to the process hazard.
NOTE 2: The required action is clearly indicated by the alarm, the response is covered by a procedure, and the
operator is trained and tested on the procedure.
NOTE 3: As long as independence from the initiating cause and other IPLs is demonstrated, the choice between
implementing the alarm and its display in the BPCS is influenced by the design of the operator HMI and the importance
of the required operator response. It is important that any operator who needs to recognize and respond to the alarm
condition receive the information in a clear and prioritized manner.
Table A-5 Consequence Mitigation System (CMS) with Associated Risk Reduction Factors (RRF) and Probability of
Failure on Demand (PFD)
4/27/2011
Node Name: 2. Bottom Unheading Device (BUD)
Types: What If
Drawing: 13-62-D108 Rev 9; 13-62-D109 Rev 7; 13-62-D110 Rev 10
Worksheet columns: What-if; Cause; Consequence; Consq Cat and S; Safeguards; Risk Ranking L and RR; Recommendations (PHA)

What-if: 1. What If

Cause 1. BUD is opened during backwarm
  Consequence 1. Loss of hydrocarbon containment at bottom of drum and fire (LOPA Consequence 2.1.1.1)
  Ranking (Cat / S / L / RR): S / 4 / E / TR; E / 2 / E / TR; A / 4 / E / TR
  Safeguards:
    1. TI-13888, TI-13879 and PI-13016 permissive to open BUD
    2. Isolation valve position interlock permissive to open BUD
    3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading
    4. Operating procedures

Cause 2. BUD is opened during feeding/coking
  Consequence 1. Loss of hydrocarbon containment at bottom of drum and fire (LOPA Consequence 2.1.2.1)
  Ranking (Cat / S / L / RR): S / 4 / E / TR; E / 2 / E / TR; A / 4 / E / TR
  Safeguards:
    1. TI-13888, TI-13879 and PI-13016 permissive to open BUD
    2. Isolation valve position interlock permissive to open BUD
    3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading
    4. Operating procedures

Cause 3. BUD is opened during stripping
  Consequence 1. Loss of hydrocarbon containment at bottom of drum and fire (LOPA Consequence 2.1.3.1)
  Ranking (Cat / S / L / RR): S / 4 / E / TR; E / 2 / E / TR; A / 4 / E / TR
  Safeguards:
    1. TI-13888, TI-13879 and PI-13016 permissive to open BUD
    2. Isolation valve position interlock permissive to open BUD
    3. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading
    4. Operating procedures

Cause 4. BUD is opened during quenching
  Consequence 1. Loss of steam containment at bottom of drum (LOPA Consequence 2.1.4.1)
  Ranking (Cat / S / L / RR): S / 3 / E / TR; E / 1 / E / TR
  Safeguards:
    1. TI-13888, TI-13879 and PI-13016 permissive to open BUD
    2. Lock pin is procedurally moved from the locked closed position is located so operator will note that drum is hot and will not proceed with unheading
    3. Operating procedures

Cause 5. BUD is opened before TUD is opened and before vent is open
  Consequence 1. Loss of water containment at bottom of drum
  Ranking (Cat / S / L / RR): S / 2 / D / TR; E / 1 / D / TR
  Safeguards:
    1. PI-13016 permissive to open BUD
    2. TUD position permissive to open BUD
    3. Operating procedures
  Consequence 2. Vacuum on drum, mechanical damage (LOPA Consequence 2.1.5.1)
  Ranking (Cat / S / L / RR): S / 1 / D / TR; A / 5 / D / 3
  Safeguards:
    1. PI-13016 permissive to open BUD
    2. TUD position permissive to open BUD
    3. Operating procedures

Cause 6. BUD is closed during cutting operation
  Consequence 1. No significant consequences

Cause 7. BUD is open during steam purge
  Consequence 1. No significant consequences
Node Name: 3. Steam and cooling water supply to Top Unheading Device (TUD)
Types:
Drawing: 13-62-D108 Rev 9; 13-62-D110 Rev 10
Worksheet columns: What-if; Cause; Consequence; Consq Cat and S; Safeguards; Risk Ranking L and RR; Recommendations (PHA)

What-if: 1. What If

Cause 1. Loss of steam supply to TUD
  Consequence 1. Long-term wear to TUD valve disk, no significant consequences

Cause 2. Loss of cooling water supply to TUD
  Consequence 1. Cylinder damage, hydraulic fluid leak
  Ranking (Cat / S / L / RR): A / 2 / D / TR
  Safeguards:
    1. High cooling water temperature alarm
Node Name: 4. Steam and cooling water supply to Bottom Unheading Device (BUD)
Types:
Drawing: 13-62-D108 Rev 9; 13-62-D110 Rev 10
Worksheet columns: What-if; Cause; Consequence; Consq Cat and S; Safeguards; Risk Ranking L and RR; Recommendations (PHA)

What-if: 1. What If

Cause 1. Loss of steam supply to BUD
  Consequence 1. Long-term wear to TUD valve disk and resid/coke to bonnets
  Ranking (Cat / S / L / RR): A / 2 / D / TR
  Safeguards:
    1. Low steam flow/differential pressure alarms

Cause 2. Loss of cooling water supply to BUD
  Consequence 1. Cylinder damage, hydraulic fluid leak
  Ranking (Cat / S / L / RR): A / 2 / D / TR
  Safeguards:
    1. High cooling water temperature alarm
Appendix J - LOPA Worksheets
1. Mechanical damage to A 3 1000 1. TUD is closed while SOP 1 1 1. Decoking 2. Lock pin is procedurally OTH 10 10 1000 10 100 3. Consider ensuring 100
TUD and cutting tool cutting tool is still in system moved from the locked open ER decoking system
What If drum cutting tool position is located so cutting tool
Consequence1.1.6.1 position operator will note that cutting position
permissive to tool is still in drum and will permissive to
close TUD not proceed with unheading close TUD
provides two IPL
2. Operating credits pending
procedures
Node Name: 1. Top Unheading Device (TUD)
Determine Scenario Risk
Determine CMS Risk Gap
Assess Conseq Severity and RRF Evaluate Initiating Event Frequency Identify IPLs and RRF Gap Recommendations (LOPA)
Identify CMS and RRF
What-if CMS Total Total RRF
CMS RRF Scenario
RRF Overall Safeguards CMS Conseq Cat S RRF IPL (IPL+CMS Target
Conseq Cat S Initiating Causes Type Freq IPLs Type RR RRF Gap RQ'D RRF Gap Recommendation
RQ'D Freq (Non-IPL) CMS Type RRF Req'd RRF ) RRF
cost-benefit
analysis
Node Name: 3. Steam and cooling water supply to Top Unheading Device (TUD)
Node Name: 4. Steam and cooling water supply to Bottom Unheading Device (BUD)
Appendix K - P&IDs