GCPS 2013 __________________________________________________________________________

New CCPS Guideline Book: Guidelines for Enabling Conditions and Conditional Modifiers in LOPA
J. Wayne Chastain Plant Protection Technical Services, Eastman Chemical Company 200 South Wilcox Drive Kingsport, TN 37660 chastain@eastman.com Stanley A. Urbanik DuPont Corporation Wilmington, DE Stanley.A.Urbanik@dupont.com Robert W. Johnson Unwin Company Columbus, OH rjohnson@unwin-co.com John F. Murphy Process Safety Services Punta Gorda, FL hamjfm@embarqmail.com Prepared for Presentation at American Institute of Chemical Engineers 2013 Spring Meeting 9th Global Congress on Process Safety San Antonio, Texas April 28 May 1, 2013

GCPS 2013 __________________________________________________________________________

UNPUBLISHED

AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications

GCPS 2013 __________________________________________________________________________

New CCPS Guideline Book: Guidelines for Enabling Conditions and Conditional Modifiers in LOPA
J. Wayne Chastain Plant Protection Technical Services, Eastman Chemical Company 200 South Wilcox Drive Kingsport, TN 37660 chastain@eastman.com Stanley A. Urbanik DuPont Corporation Robert W. Johnson Unwin Company John F. Murphy Process Safety Services Keywords: Layers of Protection Analysis, LOPA, conditional modifier, enabling condition

Abstract
This paper outlines the content of a new CCPS book entitled Guidelines for Enabling Conditions and Conditional Modifiers in LOPA. An enabling condition is a condition that is not a failure, error or a protection layer but makes it possible for an incident sequence to proceed to a consequence of concern. It consists of an operating phase or condition that does not directly cause the scenario, but that must be present or active in order for the scenario to proceed to a loss event; expressed as a dimensionless probability. A conditional modifier is one of several probabilities included in scenario risk calculations, generally when risk criteria endpoints are expressed in impact terms (e.g., fatalities) instead of in primary loss event (e.g., release, vessel rupture). Conditional modifiers include, but are not limited to: probability of a hazardous atmosphere, probability of ignition, probability of explosion, probability of personnel presence, probability of injury or fatality, and probability of equipment damage or other financial impact. These Guidelines for Enabling Conditions and Conditional Modifiers in LOPA contain information useful to the experienced analyst and accomplished practitioner. In this book, various kinds of enabling conditions and conditional modifiers are defined and illustrated as they might be used in Layer of Protection Analyses (LOPAs). There is a discussion on how enabling conditions and conditional modifiers can be used in other risk analysis applications. The appendices discuss double jeopardy and simultaneous failures, peak risk, and example rules for enabling conditions and conditional modifiers.

GCPS 2013 __________________________________________________________________________

1. Introduction
Enabling conditions and conditional modifiers are two types of factors that have long been used in quantitative risk analysis. Both of these factors were introduced for use in LOPA in Layer of Protection Analysis: Simplified Process Risk Assessment [1]. Enabling conditions are conditions that generally influence the initiating events for scenarios. They are conditions that do not directly cause the scenario, but which must be active in order for the scenario to proceed to a loss event. Enabling conditions are generally included in a LOPA independent of the type of endpoint used in the analysis. Conditional modifiers are probabilities included in LOPA when the risk criteria endpoints are expressed in terms of impact as opposed to primary loss event terms. Neither enabling conditions nor conditional modifiers are independent protection layers and do not typically meet all of the criteria used to qualify an independent protection layer (IPL). The development of enabling conditions and conditional modifiers in Layer of Protection Analysis: Simplified Process Risk Assessment was sparse given that the major foci of the book were the overall methodology, initiating events, and independent protection layers [1]. Guidelines for Enabling Conditions and Conditional Modifiers in LOPA provides a more indepth treatment of these two important factors used in LOPA. Although these factors are used in other types of risk analysis, the focus of this text is on their use in LOPA. The text provides suggested values or means of obtaining appropriate values for these factors, and also provides guidance on when the values should and should not be used. Misuse of these factors can result in an analysis that can significantly under-predict or over-predict the actual risk of a scenario.

2. LOPA Overview
Layer of Protection Analysis is a simplified form of quantitative risk analysis that uses order-ofmagnitude categories for initiating event frequency, consequence severity and probability of failure of independent protection layers (IPLs) to analyze and assess the risk of one or more incident scenarios. LOPA is a risk analysis method that was developed to answer questions such as what layers of protection are needed to meet our risk goals? and how much risk reduction does each layer provide or need to provide? LOPA can help to answer these questions with less time and effort than more complex methods such as quantitative risk analysis. LOPAs are typically conducted after a qualitative hazard evaluation has been used to identify the hazard scenarios of the process. Often only a subset of the identified hazard scenarios from a qualitative study is evaluated using LOPA. Likewise, LOPA can be used as an endpoint for risk analysis or can be used as a screening tool to determine scenarios that should be evaluated using more detailed quantitative risk analysis techniques. LOPA is applied to a selected incident scenario. For the scenario being evaluated the initiating event and the frequency associated with that initiating event must be determined. The safeguards that are present to prevent the scenario are then evaluated to determine if they meet the requirements to be used as an independent protection layer. Each safeguard should meet seven key attributes in order to qualify as an IPL. These attributes are:

GCPS 2013 __________________________________________________________________________

Independence Functionality Integrity Reliability Validation, maintenance, and auditing Access security Management of change

For each IPL, the probability of failure on demand must be determined. By combining the initiating event frequency with the probability of failure on demand for each IPL, the scenario frequency can be determined. This predicted frequency can be compared to an established risk criterion. Enabling conditions and conditional modifiers are additional factors that are included by some organizations in their LOPAs. Enabling conditions can be required for the evaluation of some scenarios in order to obtain an accurate evaluation of the risk of a scenario. Their exclusion from a LOPA can result in overestimation of the risk of an event. Conditional modifiers are used when the risk criteria associated with the LOPA process have been selected based on their use in the analysis. When risk criteria used in the analysis are based on releases from primary containment, conditional modifiers are typically not applicable. However, if the risk criteria selected are based on the potential ultimate consequences associated with an event, the use of conditional modifiers may be warranted. Enabling conditions and conditional modifiers have associated probabilities, similar to IPLs.

3. Enabling Conditions
Enabling conditions make the initiation of a scenario possible. Enabling conditions are not initiating events, but for a given scenario, if the enabling condition is not true, the scenario will not progress from the initiating event to the hazardous outcome under consideration. Mitigating factors such as probability of personnel presence and probability of ignition, which come into play after the primary loss event, are not enabling conditions but conditional modifiers. Enabling conditions generally fall into one of several categories. 3.1 Time At Risk

Time-at-risk enabling conditions come into play when an incident sequence may only be realized a certain fraction of time when the conditions are right for the event sequence to proceed to a loss event. One of the most important considerations about time-at-risk enabling conditions is that they only apply to revealed failures. A revealed failure is one that becomes apparent and will be corrected after its occurrence. In contrast, an unrevealed failure can occur at any time, but only becomes apparent when a specific event occurs that reveals it or a test reveals that the failure has occurred.

GCPS 2013 __________________________________________________________________________

3.1.1 Seasonal Effects One group of common time-at-risk enabling conditions are various seasonal effects. For example, low ambient temperatures that can cause freezing of process or utility lines may only be present for a certain amount of time during the year. Likewise, sufficiently high ambient temperatures to effect cooling capacity or cause excessive vapor pressure of some process components may only be present during a portion of the year. Seasonal enabling conditions can typically be characterized by climatological data available for the site. When the seasonal effect itself is the initiating event, then it is not also an enabling condition. 3.1.2 Process State Risks Another type of time-at-risk enabling condition is process state risks that express the probability that the process is in a certain state. These enabling conditions apply when an initiating failure only has the undesired impact when the process is in the particular state. Process state time-atrisk can apply to batch processes where the risk being evaluated is only present during certain periods of the batch cycle, or to scenarios that are only applicable during the startup, shutdown, or clean-out of the process. 3.1.3 Situations Where Time-at-Risk Should Not be Used as an Enabling Conditions Time-at-risk enabling conditions are not appropriate in all situations. Some examples where time-at-risk enabling conditions are not appropriate include: 3.1.4 Continuous operations where hazards are constant over time Infrequent short-duration operating modes with high potential severity Procedure-based operations involving human error in the execution of a stepwise procedure Continuous or procedure-based operations involving any combination of factors that are failure or fault conditions, regardless of whether these conditions are revealed or latent Incident sequences where time-at-risk applies to the severity of consequences of the loss event rather than its likelihood of occurrence Campaign Enabling Conditions

Campaign enabling conditions reflect different conditions that are present due to changes in processes from batch to batch or from time to time. In a production facility where some batches pose certain hazards while other batches do not because of the presence of certain raw materials, final products, catalysts, or operating conditions, campaign enabling conditions may be appropriate in a LOPA. Campaign enabling conditions may also apply to operations with certain modes that are present for limited periods of time such as recycle or a final control element being down in an effluent handling system or a process that only operates a limited portion of the year due to low demand. Campaign enabling conditions may potentially provide high levels of risk reduction. When evaluating the use of campaign enabling conditions several factors must be considered.

GCPS 2013 __________________________________________________________________________

Campaign enabling conditions may change over time as the production needs of a facility change. Campaign enabling conditions are not appropriate to be used in situations where there is the potential for an unrevealed failure that only becomes apparent with the initiation of the loss event sequence when the condition is true. An example of an unrevealed failure that would prevent the use of a campaign enabling condition is a level control loop on a weigh tank that is only used during a particular campaign. If the level control loop failure could occur at any point in time but would only be revealed during the hazardous campaign, the campaign enabling condition could not be applied. If the level transmitter is checked prior to the campaign being started and the failure can only occur during the campaign, then the campaign enabling condition could be properly applied. Because of the high levels of risk reduction that may be claimed with a campaign enabling condition, caution must be used. In certain cases, the application of an enabling condition can result in a risk that meets the criteria being evaluated, but for brief periods of time exposes personnel to very high risks. This concept is called peak risk and is evaluated in the text as a special case.

4. Conditional Modifiers
Conditional modifiers are probabilities included in a LOPA or other risk analysis when risk criteria are expressed in impact terms (e.g. fatalities) as opposed to loss of primary containment. These modifiers include: Probability of a hazardous atmosphere Probability of ignition or initiation Probability of explosion Probability of personnel presence Probability of injury or fatality Probability of equipment damage or other financial impact.

Although conditional modifiers have the same effect on the predicted frequency for an event in a LOPA as independent protection layers, they differ significantly since IPLs are engineered or administrative controls that are capable of responding to a process deviation to either avoid or mitigate a loss event. Conditional modifiers, by contrast, are not response actions but relate to the condition that the facility is likely to be in at a particular point or period of time in the incident sequence. The conditional modifier indicates that probability that the condition is true at any time. Even though conditional modifiers are not engineered and administrative controls, the probability that a conditional modifier is true can be impacted by the way that the facility is managed. As an example, access control procedures and training can have an impact on the probability of personnel presence. Conditional modifiers, like IPLs, need to meet the basic requirement of independence; i.e. independent of other considerations and factors in the scenario risk calculations. Particular care needs to be taken to ensure that conditional modifiers are independent of the severity of the event.

GCPS 2013 __________________________________________________________________________

The improper use of conditional modifiers in a LOPA can result in an underestimation of the risk of an event. Because of this, their use needs to be intentional, disciplined, and consistent. To ensure appropriate application, a good approach is to develop a standardized baseline set of conditional modifiers and the rules for their use. Common pitfalls that exist in the use of conditional modifiers are: Using more conditional modifiers than an incident scenario warrants Being overly optimistic in estimating conditional modifier probabilities Including more additional modifiers until a desired risk level is reached Using conditional modifiers to justify avoiding a standard practice Using conditional modifiers in situations where the risk criteria are based solely on loss of primary containment or implicitly assume conditional modifiers

When selecting a conditional modifier for use in a LOPA, the value ought to be expected to remain relatively constant over time. A change to the process that results in a change to probability of a conditional modifier can invalidate the risk decision made using LOPA unless such a change is properly accounted. A companys management of change process may need to be expanded to capture the potential impacts to conditional modifiers that a process change may entail. 4.1 Probability of a Hazardous Atmosphere

Probability of a hazardous atmosphere is a conditional modifier that may be applied to loss of primary containment events with the potential to cause harm, but may not depending on the specific situation. A loss-of-containment event of an ignitable material may form a flammable atmosphere or not depending on the ambient temperature. When evaluating the use of a probability of hazardous atmosphere, care needs to be taken to ensure that the conditional modifier is independent of other aspects of the LOPA that may reflect a similar effect such as time-at-risk or procedural controls that may be counted as IPLs. 4.2 Probability of Ignition or Initiation

When a flammable atmosphere is present, there is a potential that it will be ignited. The probability that ignition will occur is a affected by a broad range of factors that have made detailed treatment of this topic beyond the scope of Guidelines for Enabling Conditions and Conditional Modifiers in LOPA; however, several pages are devoted to providing initial guidance for the LOPA practitioner in dealing with this important conditional modifier. A closely related event is the initiation of an uncontrolled reaction in a reactive material mixture. There are three basic scenarios in which probability of ignition needs to be determined if it is going to be included in a LOPA. Ignition of a flammable atmosphere inside process equipment Ignition of a flammable vapor, gas, or dust cloud external to process equipment Initiation of uncontrolled reaction in a reactive material or mixture.

GCPS 2013 __________________________________________________________________________

Each of these is given some level of attention in the text. Probability of ignition inside process equipment is applicable whenever a flammable or combustible atmosphere exists normally or can be formed as the result of a process upset condition in process equipment. Each situation needs to be evaluated carefully, taking into account a broad range of process parameters, details about the equipment and its operating and upset conditions, the properties of the materials being processed, historical data, and other applicable data in reaching the determination of the value to be used for conditional modifier. Many of the same considerations that are pertinent to the probability of ignition inside process equipment also apply when determining an appropriate value for the probability of ignition of a flammable or combustible atmosphere outside process equipment. Other ignition mechanisms that are not applicable to flammable and combustible atmospheres inside process equipment must also need to be considered such as traffic, hot work, personnel with cell phones or other non-classified equipment, personnel smoking, etc. The size of the flammable cloud outside equipment and the duration of release are also significant factors in determining the probability of ignition. The potential for immediate vs. delayed ignition is a factor to be considered, since delayed ignition can potentially pose a more hazardous situation than immediate ignition. The probability of initiation of an uncontrolled reaction is a function of the different mechanisms that are available for imparting the necessary energy to begin the reaction. These mechanisms may include shock or impact, friction, electrostatic discharge, and heat. The effect and probability of contamination of the process material needs to be accounted for, since contamination can result in significantly lower levels of energy required to cause the reaction to begin. 4.3 Probability of Explosion

Several different conditional modifiers can be applied to situations in which an explosion could potentially occur. Some of the conditional modifiers related to probability of explosions that are evaluated in the text are the probability of dust explosion, probability of a vessel rupture, probability of a vapor cloud explosion, and probability of a deflagration-to-detonation transition. 4.4 Probability of Personnel Presence

Probability of personnel presence is one of the most commonly used conditional modifiers within LOPA. This conditional modifier reflects the probability that one or more people are in the affected area when a loss event occurs. Several key considerations for using (or not using) probability of personnel presence as a conditional modifier include: When using the conditional modifier in conjunction with the probability of injury, the LOPA practitioner needs to ensure that the factors are not double-counted Using probability of personnel presence may require a more detailed evaluation of the incident sequence which may require source term calculations and dispersion modeling

GCPS 2013 __________________________________________________________________________

Probability of personnel presence needs to take into account all potentially impacted personnel including not only operations personnel, but also maintenance workers, and any other personnel that may be in the area The probability of personnel presence needs to be independent of the scenario being evaluated which will often not be the case when operator response to an alarm will take personnel into the field Probability of personnel presence should not be credited when the initiating event is an operator error that immediately results in the loss of containment When personnel presence is embedded in the determination of the severity of consequences, a conditional modifier should not be used Probability of personnel presence should not be credited when the corporate risk criteria are not based on personnel presence

An alternate approach to using probability of personnel presence as a conditional modifier is to use access control as independent protection layer. Administrative access control should only be used as an IPL when it will effectively limit access and the control meets all of the requirements of an IPL. When administrative controls are used as an IPL to limit the access of personnel to an area, it would be incorrect to also use probability of personnel presence as a conditional modifier. The effect area determination is an important part of the probability of personnel presence. Effect areas can be determined from dispersion modeling, the determination of toxic release effect areas, fire and explosion effect areas. Once the effect area has been determined, the sum of the time that personnel are going to be in the effect area can be determined. In the event that more than one person can be present in the effect area, corporate risk criteria may require that a different severity category be used in the analysis. 4.5 Probability of Injury or Fatality

The probability of injury or fatality is a conditional modifier that reflects the probability that personnel that are present in the effect area will suffer the consequence being evaluated. Four approaches are presented in the text for addressing the probability of injury or fatality. Approach #1: Use P=1 for the probability of injury or fatality conditional modifier, because of how the effect boundary is defined. Approach #2: Apply the same probability of injury or fatality conditional modifier (P<1) to everyone in the effect area. Approach #3: Estimate the probability of serious injury or fatality conditional modifier for individual(s) inside the effect area. Approach #4: Use of a combined approach of the first three in the evaluation.

There are several notes and cautions when using the probability of injury or fatality. More than one consequence may need to be evaluated. The conditional modifier needs to apply to the entire effect area, not just at the outside boundary of the effect area.

GCPS 2013 __________________________________________________________________________

Controls that limit personnel from entering a dangerous area that has been created can be addressed as independent protection layers. The characteristics of the particular chemical involved in the release may impact the probability of injury or fatality.

Probability of equipment damage or other financial impact as a possible conditional modifier is also discussed in the text.

5. Application to Other Methods

Guidelines for Enabling Conditions and Conditional Modifiers in LOPA briefly addresses the use of these factors in other types of risk analyses. The applicability and use of these factors in the various types of quantitative risk analysis is discussed included their use in fault tree analysis, event tree analysis, and quantitative impact analysis. The use of the factors is also discussed as they might apply to scenario identification methods such as Hazard and Operability Studies and What-If Analysis. Finally the text includes a brief discussion of the applicability to barrier analysis and diagrams.

6. Appendices
The first two appendices of the text address two common issues that arise in LOPA when using enabling conditions or conditional modifiers; namely, simultaneous failures and the concept of double jeopardy and peak risk concepts. The last appendix in the text provides an example rule set for LOPA enabling conditions. 6.1 Simultaneous Failure and Double Jeopardy The first appendix describes what is meant by double jeopardy in the scope of risk analysis. Specifically double jeopardy is the concurrent incidence of two independent initiating events or other revealed failures. Per this definition, the text points out that the true incidence of double jeopardy events is very small. It is important to note that the text draws a firm distinction between revealed and unrevealed failures. If any of the failures in the double jeopardy case being evaluated are unrevealed failures, then the scenario is not a case of double jeopardy. 6.2 Peak Risk

The second appendix deals with the concept of peak risk. Peak risk was developed to help address situations in which a relatively high risk is present in a facility for a very short period of time. When this type of risk is annualized, as would be done when an enabling condition is added to the scenario LOPA indicating the amount of time the process is in the state where the event can occur, the risk can be shown to be low enough. Peak risk is a means of setting a limit on the risk that personnel may be exposed to without consideration being given to the duration of the event.

GCPS 2013 __________________________________________________________________________

6.3

Example Rule Set

The final appendix in the text provides an example rule set for LOPA enabling conditions. This example is not meant to provide recommended guidance, but simply a possible path forward for what guidance on the topic might look like.

7. Conclusions
Guidelines for Enabling Conditions and Conditional Modifiers in LOPA is a text that will move the understanding and consistent application of these important LOPA factors forward in the industry. The warnings and caveats given in the text will help to prevent the misuse of these factors that can result in under-prediction of the risk being evaluated in LOPA. The text gives an overview of the major types of enabling conditions and conditional modifiers being used by LOPA practitioners.

8. References
[1] Layer of Protection Analysis: Simplified Process Risk Assessment; American Institute of Chemical Engineers, Center for Chemical Process Safety: New York, New York, 2001.