Layer of Layer of Protection Analysis Analysis: NHT Reformer Unit

Layer of
Protection
Analysis
NHT Reformer Unit
TOTAL Petrochemicals USA, Inc.

Port Arthur Facility
October 2008
Project No. 07-099
R R S ENGINEERING
6455 South Shore Blvd., Suite 400
League City, Texas 77573
TEL 281.334.4220 FAX 281.334.5809
www.rrseng.com
TOTAL Petrochemicals NHT Reformer Unit
Port Arthur Refinery Layer of Protection Analysis
DISCLAIMER RELATING TO THIS REPORT
The work was prepared by Risk, Reliability, and Safety Engineering, LLC (RRS) at the request of TOTAL Petrochemicals. As
a material part of RRS agreeing to perform the work for Client, Client has agreed to the terms of this disclaimer. Specifically,
Client agrees that, to the maximum extent allowable by applicable law, neither RRS, its employees, agents, representatives,
successors, assigns, affiliates, directors, officers, and members, nor any person acting on RRS' behalf in furtherance of its
activities in performing the work for Client:
1. Makes any warranty or representation, express or implied, (all of which are hereby expressly disclaimed) with
respect to the accuracy, completeness, or usefulness of the information contained herein or the work, or that
the use of any information, method, apparatus, or process contained herein, does not infringe on any rights of
others; nor
2. Will have any liability arising by, through, or under Client with respect to the use of, or for special, incidental, or
consequential damages related to or arising directly or indirectly out of the use of any information, method,
apparatus, or process disclosed herein or the work; nor
3. Assumes any liability to client or any third party, with respect to the use of any information, method, apparatus,
or process disclosed herein or in the work.
Client agrees that RRS has made reasonable efforts to perform the Work contained herein in a manner consistent with high
professional standards. However, Client agrees that the Work was conducted on the basis of information made available to
RRS by Client and is dependent on the accuracy of the information provided. Client agrees that all observations, conclusions
and recommendations contained herein are relevant only to this work, and will not be applied to any other facility or operation.
Client agrees that the Work RRS performed is advisory in nature only and that the responsibility for use and implementation
of conclusions and recommendations contained herein rests entirely with Client. Client agrees that it will independently
evaluate any actions taken to address the results of this effort to ensure they will not create unacceptable hazards and that
safe practices are followed when any change is implemented.
Furthermore Client agrees that federal and state regulations are subject to interpretations and no one can guarantee how
they will be interpreted in the future. Client agrees that RRS will have no liability for any incident or regulatory action that
occurs at Client.
Client agrees that it will be solely responsible for disclosure of the Work to any third-party or the use of the work, or any
information or conclusions contained therein.
RRS Engineering, LLC Page i Project No. 07-099

October 31, 2008 Revision No. 2
TABLE OF CONTENTS
PAGE
1.0 INTRODUCTION............................................................................................................................... 1
1.1 Study Team ..................................................................................................................... 1
1.2 Study Dates ..................................................................................................................... 2
2.0 LOPA METHODOLOGY .................................................................................................................. 2
2.1 Scenario Identification ..................................................................................................... 4
2.2 Consequence Severity Evaluation.................................................................................. 4
2.3 Initiating Cause Likelihood Evaluation ............................................................................ 5
2.4 Independent Protection Layers (IPL) Evaluation............................................................ 7
2.5 Rules for Independent Protection Layers (IPLs) .......................................................... 10

2.5.1 Intermittent Hazard (Not Always Present) .................................................... 10
2.5.2 Mechanical Relief Devices Relief Valves .................................................. 10
2.5.3 Check Valves ................................................................................................. 11
2.5.4 BPCS ............................................................................................................. 11
2.5.5 Operator Response to Alarm ........................................................................ 11
2.6 Vulnerability Factors ...................................................................................................... 12
2.6.1 Ignition Probability ......................................................................................... 12
2.6.2 Person Present .............................................................................................. 12
2.7 LOPA Calculation .......................................................................................................... 12
3.0 SIS EVALUATION ......................................................................................................................... 13
4.0 RECOMMENDATIONS.................................................................................................................... 15
5.0 LOPA WORKSHEETS .................................................................................................................. 18
RRS Engineering, LLC Page ii Project No. 07-099

LIST OF TABLES
PAGE
Table 1. Study Team ..................................................................................................................... 1
Table 2. Review Team................................................................................................................... 2
Table 3. Hazard Scenario Target Frequencies............................................................................. 4
Table 4. Initiating Causes & Likelihood (ICLs) of Failure ............................................................. 6
Table 5. Examples of Safeguards Not Usually Considered IPLs ................................................ 8
Table 6. Probability of Failure on Demand (PFD) for Independent Protection Layers (IPLs) .... 9
Table 7. Integrity Levels (SILs) for a Safety Instrumented System (SIS) ..................................13
Table 8. Safety Integrity Level (SIL) Determination ....................................................................13
Table 9. Recommendations ........................................................................................................16
LIST OF FIGURES
PAGE
Figure 1. LOPA Flowchart .............................................................................................................. 3
RRS Engineering, LLC Page iii Project No. 07-099

LAYER OF PROTECTION ANALYSIS

NHT REFORMER UNIT
PORT ARTHUR REFINERY
TOTAL PETROCHEMICALS
1.0 INTRODUCTION
TOTAL Petrochemicals contracted Risk, Reliability and Safety Engineering, LLC (RRS) to conduct
a Layer of Protection Analysis (LOPA) of the NHT Reformer Unit at TOTAL Petrochemicals Port
Arthur Refinery. The LOPA methodology used is defined in the TOTAL Petrochemical LOPA
Procedure 14 and follows the guidance in the Center for Chemical Process Safety (CCPS) book,
Layer of Protection Analysis, 1995. The methodology used in this study meets the requirements of
ANSI/ISA S84.00.01, Functional Safety: Safety Instrumented Systems for the Process Industry.
The objectives of the LOPA study were to:
Review the HAZOP to determine if the safeguards identified were adequate
Determine the Safety Integrity Level (SIL) for the Safety Instrumented Systems (SIS)
at the plant
1.1 Study Team
The LOPA Study Team is identified in Table 1.
Table 1. Study Team

Name Company Job Title
Norman Borne TOTAL Petrochemicals USA, Inc. Instrument Supervisor
Richard Loupe TOTAL Petrochemicals USA, Inc. NAC Operator
Douglas Dornier TOTAL Petrochemicals USA, Inc. Process Engineer
Ryan Riffer TOTAL Petrochemicals USA, Inc. Ops Superintendent
Roger Allison Olson Engineering Instrument Reliability
Allen Runte TOTAL Petrochemicals USA, Inc. EE & Systems Supervisor
Geoffrey Kret TOTAL Petrochemicals USA, Inc. Rotating Equipment Engineer
David Montondon Gulfcon, Inc. Systems Group
John Darwin TOTAL Petrochemicals USA, Inc. Systems Group
Sheng-Yen Fletcher TOTAL Petrochemicals USA, Inc. PSI/PHA Coordination
Danny Roy TOTAL Petrochemicals USA, Inc. Corrosion Specialist
Dennis Ferrell Olson Engineering Fac. Dev. E&I
RRS Engineering, LLC Page 1 Project No. 07-099

Name Company Job Title

Paul Pardaen TOTAL Petrochemicals USA, Inc. Process Sup. Engineer
Dwayne Austin TOTAL Petrochemicals USA, Inc. Systems Group
Rich Hudgins TOTAL Petrochemicals USA, Inc. Systems Group
John Pruitt RRS Engineering Facilitator
John Alderman RRS Engineering Facilitator
Cassie Slough RRS Engineering Scribe
1.2 Study Dates
The LOPA was conducted onsite at the TOTAL Petrochemicals Port Arthur Refinery on May 3,
2007.
An additional meeting was held on June 21, 2007 to re-evaluate SIL, EIL, and CIL rankings. A
review team was assembled to revisit LOPA scenarios, including 39.1, 72.2, 72.9, and 73.8. The
review team determined that the commercial severity for these scenarios should be reduced from
catastrophic to major. The review team is identified in Table 2.
Table 2. Review Team

Name Job Title
Ed Bergmann HSEQ
Shen-Yen Fletcher HSEQ
Kelly Nite Operations
Ryan Riffer Operations
Geoff Kret Reliability
Dwayne Austin Systems
John Darwin Systems
Clint Gibbs Systems
Rich Hudgins Systems
Allen Runte Systems
David Montondon Systems
2.0 LOPA METHODOLOGY
A Layer of Protection Analysis (LOPA) is a semi-quantitative risk assessment methodology. Put

simply, the method consists of assigning a target frequency based on consequence severity and
comparing it to a simplified prediction of the actual scenario frequency. The method is based on
the AIChE CCPS Concept Book, Layer of Protection Analysis. The steps in the LOPA process are
defined in TOTAL Petrochemical Safety Procedure shown in Figure 1.

Figure 1. LOPA Flowchart

2.1 Scenario Identification
The Study Team began by identifying scenarios of concern based on results from the previous
PHA. For an existing PHA, only those scenarios with a shutdown system were reviewed. In some
cases, further definition of the consequence was required. In a LOPA, a scenario is an initiating
cause, a description of the consequence (assuming all safeguards fail), and a list of all protection
layers in place to prevent the consequence from occurring. The LOPA consists of assigning
numerical frequency numbers to the initiating cause and each protection layer, then determining if
protection layers in place are adequate. Additionally, scenarios were added based on shutdowns
in the cause and effect charts.
Some scenarios were reviewed and identified as a moderate severity. Since these scenarios were
considered a moderate severity, they did not meet the criteria for using LOPA. These scenarios
are contained in Appendix A.
Note: A scenario has only one cause and only one consequence. If multiple causes for the same
consequence are identified in the PHAs, then each cause was analyzed separately using LOPA.
2.2 Consequence Severity Evaluation
The Study Team assigned a severity ranking to the consequences. Each consequence severity
was also assigned a Targeted Frequency (TF) based on Table 3.
Table 3. Hazard Scenario Target Frequencies

Severity Safety Environmental Commercial Target
Level Frequency
(1/Yr)
Moderate Onsite: Not required to
conduct LOPA
- Recordable, TRIR
- Medical treatment
Offsite:
- No effect
Serious Onsite: Recordable environmental < $2,000,000 Not required to
event conduct LOPA
- Permanent injury
- Lost time accident
Offsite:
- No permanent
effects

Severity Safety Environmental Commercial Target

Level Frequency
(1/Yr)
Major Onsite: Reportable environmental $2,000,000- 10-4
event $10,000,000
- Lethal effect on 1
person
- Multiple recordable
injuries
Offsite:
- Shelter in place
Catastrophic Onsite: Reportable environmental $10,000,000 - 10-5
event with offsite impact $100,000,000
- Multiple fatalities
Offsite:
- Recordable injuries
Disastrous Onsite: > 100,000,000 10-6
Offsite:
2.3 Initiating Cause Likelihood Evaluation
The Study Team assigned an Initiating Cause Likelihood (ICL) based on the numerical values
defined in Table 4. These values are based on industry consensus as presented in the CCPS
Concept Book on LOPA. The CCPS Concept Book provides the following guidance on causes:
Control loop failure - includes all components of the control loop, as well as the
possibility that the control loop could be set in error to a dangerous state by the
operator
Routine human error - includes a task in the field or at the operator console that is
performed on a routine basis by the operator and that, if done improperly, could
result in the process deviation under review
Non-routine human error - tasks that are not done on a routine basis but are
possible actions by an operator for some event, such as startup or shutdown that, if
done improperly, could result in the process deviation under review
Pumps and other rotating equipment - includes any piece of equipment with
normal moving parts
Fixed equipment - involves failures in non-moving equipment that would lead to the
process condition under review; for example, tube failure on a high-pressure steam
exchanger leading to high process pressure

Table 4. Initiating Causes & Likelihood (ICLs) of Failure

Initiating Cause (IC) Initiating Cause Likelihood
(ICL)
(events per year)
BPCS instrument loop failure 1 x 10-1
Regulator failure 1 x 10-1
Fixed equipment failure (exchanger tube failure, etc.) 1 x 10-2
Pumps and other rotating equipment failure 1 x 10-1
Cooling water failure (redundant CW pumps, diverse drivers, etc.) 1 x 10-1
Loss of power (redundant power supplies) 1 x 10-1
Human error - (routine task, once-per-day opportunity) 1 x 100
Human error - (routine task, once-per-month opportunity) 1 x 10-1
Human error - (non-routine task, low stress) 1 x 10-1
Human error - (non-routine task, high stress) 1 x 100
Gasket / packing blowout 1 x 10-2
Turbine / diesel engine over speed with casing breach 1 x 10-4
Third party intervention (external impact by backhoe, vehicle, etc.) 1 x 10-2
Crane load drop 1 x 10-4 per lift
Lightning strike 1 x 10-3
Safety valve opens spuriously 1 x 10-2
Pump seal failure 1 x 10-1
Unloading / loading hose failure 1 x 10-1
Misalignment of car sealed or locked valve where there is a regular 1 x 10-2 per opportunity
check of the alignment of the valves
LOTO (lock-out tag-out) procedure failure, e.g., 1 x 10-3 per opportunity
overall failure of a multiple-element process
Operator failure to execute routine procedure, assuming well trained, 1 x 10-2 per opportunity
unstressed, not fatigued
Other initiating events Develop using experience of
personnel
Source: Table 5.1, p 71 of the 2001 CCPS Concept Book Layers of Protection Analysis.

2.4 Independent Protection Layers (IPL) Evaluation
The defining characteristic of a protection layer is that it prevents the consequence from
happening. Each IPL must function such that the defined consequence will not occur. Each
protection layer counted must be independent of other protection layers. That is, there must be no
failure that can deactivate two or more protection layers. If a protection layer is believed to be
more reliable (a lower value for Probability of Failure on Demand - PFD), a quantitative method
should be used to confirm the PFD. For example, if the team desires to improve the unavailability
of risk reduction logic in the Basic Process Control System (BPCS) by adding additional sensors or
final elements, the impact event should be reviewed by a quantitative method such as fault tree.
The protection layer is:
Specifically designed to prevent or mitigate consequences of a potentially

hazardous event
Dependable and can be counted on to do what it was intended to do
Auditable and a system to audit and maintain it
The Study Team identified which protection layers meet the definition of IPLs as given in this
section. This is often the most difficult part of LOPA. Table 5 contains safeguards that are not
typically given credit as IPLs.

Table 5. Examples of Safeguards Not Usually Considered IPLs

Safeguards Not Usually Comments
Considered IPLs
Training and Certification May be considered in assessing the PFD for operator action, but are not, of
themselves, IPLs
Procedures May be considered in assessing the PFD for operator action, but are not, of
themselves, IPLs
Normal Testing and Inspection Assumed to be in place for all hazard evaluations and form the basis for
judgment to determine IPLs and PFDs; normal testing and inspection
affects the PFD of certain IPLs, thus, lengthening testing and inspection
intervals may increase the PFD of an IPL
Maintenance Assumed to be in place for all hazard evaluations and forms the basis for
judgment to determine the PFDs of IPLs.
Communications Basic assumption that adequate communication exists in a facility; poor
communications affects the PFD of certain IPLs
Signs Signs, by themselves, are not IPLs; signs may be unclear, obscured,
ignored, etc. and may affect the PFD of certain IPLs
Fire Protection Active fire protection often is not considered as an IPL as it is post event for
most scenarios and its availability and effectiveness may be affected by the
fire / explosion which it is intended to contain; however, if the LOPA team
can demonstrate it meets the requirements of an IPL for a given scenario, it
may be used (e.g., if an activating system such as plastic piping or frangible
switches are used)
Note: Fire protection is identified as a mitigation IPL as it attempts to
prevent a larger consequence subsequent to an event that has already
occurred. This may be considered when assigning cost to commercial
severity levels.
Fireproof insulation can be used as an IPL for some scenarios if it meets
the requirements of API and corporate standards
Source: Table 6.1, p 79 of the 2001 CCPS Concept Book Layers of Protection Analysis

Table 6. Probability of Failure on Demand (PFD) for

Independent Protection Layers (IPLs)
Independent Protection Layer (IPL) Probability of Failure on
Demand (PFD)
Basic process control system, if not associated with the initiating event being 1 x 10-1
considered
Operator response to alarm with at least 10 minutes response time 1 x 10-1
Relief valve 1 x 10-2
Rupture disc 1 x 10-2
Flame / detonation arrestors 1 x 10-2
Tandem seals 1 x 10-1
Dike 1 x 10-2
Underground drainage system 1 x 10-2
Open vent (no valve) 1 x 10-2
Fireproofing 1 x 10-2
Blast-wall / bunker 1 x 10-3
Identical redundant equipment ( e.g., identical relief valves) 1 x 10-1 (max credit)
Diverse redundant equipment (e.g., diverse relief devices) 1 x 10-1 to 1 x 10-2
Fire and gas detection (see Table 6) 1 x 10-1 to 1 x 10-2
Other events Use experience of

personnel
Source: Table 6.3, page 92; Table 6.4, p 96; Table 6.5, page 103 of the 2001 CCPS Concept Book Layers of Protection
Analysis.

2.5 Rules for Independent Protection Layers (IPLs)
Each protection layer counted must be truly independent of the other protection layers. This
means there must be no failure that can deactivate two or more protection layers.
If a Safety Instrumented System (SIS) is initiated by more than one sensor, the consequence of
failure may be different for each sensor and therefore, each failure is considered separately. If the
consequences are different for each failure, the function is separated into more than one function
and the IPL determined for each.
If an SIS initiates more than one action, the consequences of failure may be different for each final
actuation and therefore, each failure shall be considered separately. If consequences are different
for each failure, the function is separated into more than one function and the IPL determined for
each.
2.5.1 Intermittent Hazard (Not Always Present)
There may be some hazards that are only present during certain job tasks, such as startup,
shutdown, regeneration, etc.
The following equation is used to determine the credit for this type of protection layer:
ICL = ICL x [(time at risk)/(total time)]
2.5.2 Mechanical Relief Devices Relief Valves
The following rules apply to the use of relief valves as protection layers:
Relief system is sized for all reasonably foreseeable failures of process and process
control to completely mitigate the scenario under consideration
Disposal of relieved materials is to a safe location
Relief discharge does not cause significant environmental or commercial

consequences
Operating experience indicates that the relief valves to be used are satisfactory for
the process application with the appropriate test intervals
If PSV is in dirty or plugging service, no credit is allowed
When there are two relief devices, each 100% sized for the scenarios, then an
additional credit can be taken (should be at least an order of magnitude lower than
that used for the first, generally 1x 10-1).

2.5.3 Check Valves
Check valves are notoriously unreliable, but can be considered a LOPA safeguard on a
case-by-case basis. Some of the considerations include:
Multiple check valves in series
Clean service
High differential pressure (< 100 psi) to hold valve closed and prevent leakage
Defined testing program
2.5.4 BPCS
The Basis Process Control System (BPCS) has several rules associated with their use as IPLs:
If a BPCS control loop is a cause, the alarms generated by that control loop cannot
be counted as a protection layer. Alarms separate from the control loop may be
used as protection for the failure of that control loop if the operator response time is
adequate.
A control loop in the BPCS, whose normal action would compensate for the initiating
event, can be considered as a protection layer. For example, an initiating cause for
high reactor pressure could be failure of a local upstream pressure regulator; the
normal action of the reactor pressure controller would be to close the inlet PV, thus
providing protection against the impact event.
Failure mode of the final element is to the safe state
2.5.5 Operator Response to Alarm
Risk reduction for Operator Response to Alarms can only be counted once. Alarms are identified
for all causes of the initiating event. The following must be confirmed as true before allowing credit
for operator response:
Alarm is independent of the cause and BPCS control loop claimed as a protection
layer
Operator always present and available at the alarm point
Alarm gives clear indication of the hazard
Operator will detect the alarm among potentially many other alarms
Operator has time to diagnose and take corrective action (within 10 minutes)
Operator is trained in the proper procedures and response associated with the alarm
state and the response steps are identified as critical in the procedure

2.6 Vulnerability Factors
2.6.1 Ignition Probability
There are many releases that are not ignited. Ignition probabilities used in this study are:
P ~ 0.3 for flammable liquids and gases
P ~ 0.1 -> 0.3 for volatile liquids
P < 0.1 for heavy liquids
Where P = probability of ignition
2.6.2 Person Present
To qualify as a safety related scenario, a person must be in the area where the incident occurs.
Credit is taken for time not in the hazard zone. For example, during operator rounds, if a pump
seal fire were to occur, in order for there to be an injury, the operator must be near the pump. The
operator may only be near the pump for 30 minutes out of his shift.
The following vulnerability factors should be applied when appropriate:
VFp = 1.0 if people are present in the hazard zone all the time
VFp = 0.5 if people are present in the hazard zone for less than 12 hours per day
VFp = 0.1 if people are present in the hazard zone for less than 1-2 hours per day
For environmental and commercial scenarios, the person present is not used.
2.7 LOPA Calculation
Using the numerical values identified in the preceding steps, a simple calculation is performed to
determine the LOPA ratio. LOPA is limited to evaluating a single cause-consequence pair as a
scenario. The numerator of the LOPA ratio is the Target Frequencies (TF), which is the companys
risk tolerance for that scenario. The denominator of the LOPA ratio is the product of the Initiating
Cause Likelihood (ICL), the Probability of Failure on Demand (PFD) of each Independent
Protection Layer (IPL) identified and the Vulnerability Factor (VF). The formula for calculating the
LOPA ratio is presented below:
TFSafety
LOPA Ratio ( Safety) =
ICL PFD1 PFD2 PFD3... VFi VFp
TFEnvironmen tal
LOPA Ratio ( Environmen tal ) =
ICL PFD 1 PFD 2 PFD 3...
TFCommercial
LOPA Ratio (Commercial ) =
ICL PFD1 PFD 2 PFD 3... * VFi

If the LOPA ratio is greater than or equal to one, then the scenario passes LOPA. Existing
protection layers in place are adequate.
If the LOPA ratio is less than one, then the scenario fails LOPA. Additional protection layers are
needed.
3.0 SIS EVALUATION
LOPA was used to determine the required and Safety Integrity Level (SIL) for a Safety
Instrumented System (SIS). To do this, the LOPA ratio was calculated without giving any credit to
the existing SIS. The required SIL was then found by using Table 7.
Table 7. Integrity Levels (SILs) for a Safety Instrumented System (SIS)

LOPA Ration Required SIL, EIL, CIL
10-0 - 10-1 No special integrity requirements
10-1 - 10-2 1
10-2 - 10-3 2
10-3 - 10-4 3
The LOPA worksheets for this project are contained in Section 5. The SIL determinations derived
from the study are shown in Table 8.
Table 8. Safety Integrity Level (SIL) Determination

LOPA Ref. SIS Number and Function Required Integrity Level
S E C
2.1 LSHH-592 High high level switch that closes blanket fuel gas 0 1 0
valve PV-593B on high high level in the drum.
4.2 FSLL-915/918 Flow indication with low flow alarms and 1 2 2
interlocks that shutdown the heater on low low flow through a
heater pass.
5.8 PSLL-1389 Interlock that isolates the fuel gas from the heater 2 2 2
on low low fuel gas pressure.
5.11 PSLL-1379 Interlock that isolates the pilot gas from the heater 1 2 2
on low low pilot gas pressure.
12.2 FSLL-645/647/655 Low flow shutdown Fractionator Reboiler 1 2 2
(H-102).
on low low fuel gas.
13.11 PSLL-1393 Interlock that isolates the pilot gas from the heater 0 1 1
on low low pilot gas pressure.


S E C
19.2 PSL-837 Interlock that stars the spare combustion air blower 1 1 1
23.2 fan on low combustion air pressure.
25.2
19.2 SSL-1294 Interlock that shuts down the heater on shutdown of 1 1 1
23.2 the induced draft fan.
25.2
on low low fuel gas pressure.
28.1 LSHH-256 Interlock that shuts down the compressors on high 2 2 3
high level.
29.2 FSLL-106 Interlock that isolates the fuel gas to the charge 1 2 2
heater and interheaters on low low recycle hydrogen flow.
30.9 PDSHH-171 that shuts down compressor C-2A on high high 1 1 1
differential pressure between the suction and discharge of the
first stage.
30.9 PDSHH-175 that shuts down compressor C-2B on high high 1 1 1
differential pressure between the suction and discharge of the
first stage.
32.1 LSHH-179 that shuts down the booster compressor on high 2 2 3
high level.
33.8 PDSHH-173 that shuts down compressor C-2A on high high 1 1 1
differential pressure between the suction and discharge lines.
33.8 PDSHH-177 that shuts down compressor C-2B on high high 1 1 1
differential pressure between the suction and discharge lines.
39.1 LSHH-181 that shuts down the booster compressor on high 1 2 2
high level.
*This scenario was revisited during the June 21st meeting.
49.2 FSLL-783/784/785/786 Interlocks that isolate the flue gas from 1 2 2
the charge heater, interheaters, and Depentanizer Reboiler
trim heater on low low flow.
72.2 LSLL-38 that shuts down the compressor and prevents restart 1 1 1
on low low level in the overhead seal oil tank.
72.2 LSL-57 that starts the auxiliary lube oil pump on low level in the 2 2 2
overhead seal oil tank.
72.9 PSL-40 Interlock that starts the spare pump on low lube oil 1 2 2
pressure.
73.8 PSL-77/78 shuts down the compressor on low lube oil 1 2 1
pressure.


S E C
73.12 TSHH-107/108/109/110 shuts down the compressor and 0 1 1
prevents compressor restart if there is a high high gas
discharge temperature from the first stage.
80.10 FSL-394 shuts down the CDR on low low nitrogen flow. 1 1 1
4.0 RECOMMENDATIONS
If during the LOPA study, the LOPA analysis indicated there were not enough safeguards or an
additional SIS was needed, then the Study Team made additional recommendations. Table 9
identifies the recommendations from the LOPA Study.

Table 9. Recommendations
Rec. Scenario Recommendation
No. Number
1 1.1 Consider adding a tested independent alarm or a SIL 1 shutdown system.

2 2.1 Ensure that LAH-910 high level alarm is on a routine testing schedule.
3 2.1 Ensure that interlock LSHH-592 that closes blanket fuel gas valve PV-593B
on high high level in the drum is designed for EIL 1.
4 4.2 Consider adding an additional alarm to indicate loss of hydrogen and
hydrocarbon flow to Charge Heater (H-101) on each pass and ensure it is on
a routine testing schedule.
5 4.2 Ensure that interlocks FSLL-915 through 918 are designed for SIL 1.
6 5.8 Ensure PSLL-1389 is designed for SIL 2.
7 5.11 Ensure that PSLL-1379 is designed for SIL 2.
8 12.2 Consider adding an additional alarm to indicate loss of hydrocarbon flow to
Fractionator Reboiler (H-102) on each pass and ensure it is on a routine
testing schedule.
9 12.2 Ensure that interlocks FSLL-645/647/655 are designed for SIL 1.
10 13.8 Ensure that Interlock PSLL-1399 is designed for SIL 2.
11 13.11 Review the revalidation from MOC to change pilot gas to Purchased Natural
Gas.
12 19.2 Ensure that interlock PSL-837 or SSL-1294 are designed for SIL 1.
13 19.8 Ensure that pressure indication PI-868 with low pressure alarm is on a
routine testing schedule.
14 28.1 Ensure that high level alarm LH-257 is on a routine testing schedule.
15 28.1 Ensure that Interlock LSHH-256 that shuts down the compressors on high
high level is designed for SIL 1.
16 28.1 Evaluate if Interlock LSHH-256 should be designed for Environmental EIL 2
and Commercial CIL 3.
17 29.2 Ensure that interlock FSLL-106 is designed for SIL 1.
18 30.9 Ensure that Interlock PDSHH-171 that shuts down compressor C-2A on
high-high differential pressure between the suction and discharge of the first-
stage and/or Interlock PDSHH-175 that shuts down compressor C2-B on
high high differential pressure between the suction and discharge of the first
stage are designed for SIL 1.
19 32.1 Ensure that LH-178 is on a routine testing schedule.
20 32.1 Ensure that LSHH-179 that shuts down the booster compressor on high-high
level is designed for SIL 1.
21 32.1 Evaluate if Interlock LSHH-179 should be designed for an Environmental EIL
2 and/or Commercial CIL 3.

Rec. Scenario Recommendation

No. Number
22 33.8 Ensure that PDSHH-173 that shuts down compressor C-2A on high-high
differential pressure between the suction and discharge lines and/or PDSHH-
177 that shuts down compressor C-2B on high-high differential pressure
between the suction and discharge lines is designed for SIL 1.
23 39.1 Confirm the level alarm for the Unibon Compressor Suction Drum (13C1A/B)
is independent of the level control valve and is on a routine testing schedule.
24 39.1 Ensure that LSH-180 high level alarm is on a routine testing schedule.
25 39.1 Confirm the level alarm for the TDP Compressor Suction Drum is
independent of the level control valve and is on a routine testing schedule.
26 39.1 Ensure that LSH-180 high level alarm is on a routine testing schedule.
27 49.2 Consider adding an additional alarm to indicate loss of hydrogen and
hydrocarbon flow to (H-5) on each pass and ensure it is on a routine testing
schedule.
28 49.2 Ensure that interlocks FSLL-783/784/785/786 are designed for SIL 1.
29 72.2 Consider bringing a low seal oil level alarm into DCS (independent of LV-
1437).
30 72.2 Ensure that Interlock LSLL-38 that shuts down the compressor and prevents
restart on low-low level in the overhead seal oil tank and/or Interlock LSL-57
that starts the auxiliary lube oil pump on low level in the overhead seal oil
tank are designed for SIL 2.
31 72.2 Evaluate if Interlock LSLL-38 and/or LSL-57 should be designed for
Environmental EIL 2 and Commercial CIL 3.
32 72.9 Ensure that PAL-33 low pressure alarm is on a routine testing schedule.
33 72.9 Ensure that Interlock Interlock PSLL-32 shuts down compressor on low lube
oil pressure is designed for SIL 1.
34 72.9 Evaluate if Interlock PSL-40 should be designed for Environmental EIL 2 and
Commercial CIL3.
35 73.8 Ensure that low lube oil pressure alarm PAL-77/78 is on a routine testing
schedule.
36 73.8 Ensure Interlock PSL-79/80 that shuts down Compressor is designed for SIL
1.
37 73.8 Evaluate if PSL-77 should be designed for Environmental EIL 2 and
Commercial CIL 2.
38 73.12 Ensure that jacket water discharge temperature alarms TAH-
85/86/87/88/89/90/91/92 (local compressor panel and TDC) located on the
first-stage compressor are on a routine testing schedule.
39 73.12 Evaluate if TSHH-107/108/109/110 that shut down the compressor and
prevent compressor restart if there is a high-high gas discharge temperature
from the second-stage should be designed for EIL 1 and CIL 1.

5.0 LOPA WORKSHEETS

TOTAL Petrochemicals - LAYER OF PROTECTION ANALYSIS (LOPA)
PHAName TOTAL NHT REVAL PHA Ref. 1.1
Consequence Potential hydrocarbons into process sewer, potential fire/explosion,

Description potential personnel injury.
Target Frequency Safety: 1.00E-04 Env: 1.00E-03 Com: 1.00E-04
Initiating Cause Failure of raffinate splitter water boot level 1 1.00E-01

control valve.
Intermittent Hazard P&ID: 3165-1-50-023 None
Vulnerability Factors Ignition Probability None
Person Present 1 1.00E-01
Independent Process Design None

Protection BPCS None
Layers
PSV None
Op Response None
Other None
LOPA Ratio Safety: 0.010 Env: 0.010 Com: 0.00
Recommendation 1. Consider adding a tested independent alarm or a SIL 1 shutdown system.
SIS No:
SIS Function:
Required SIL Level: 1 EIL Level: 1 CIL Level: 2

Consequence Overflow of liquid hydrocarbon to the unit flare header, potentially

Description resulting in a high level in the Flare Gas KO Drum.
Target Frequency Safety: 0.00E+00 Env: 1.00E-04 Com: 1.00E-02
Initiating Cause High flow, naphtha feed from the Crude 1 1.00E-01
Unit or Naphtha Stabilizer. (upstream
flow control failure)
Intermittent Hazard None
Vulnerability Factors Ignition Probability
Person Present

Protection BPCS LC-592 opens level control valve. 1.00E-01
Layers
PSV None
Op Response LAH-910 high level alarm. None
Other None
LOPA Ratio Safety: 1.000 Env: 0.010 Com:
Recommendation 2. Ensure that LAH-910 high level alarm is on a routine testing schedule.
3. Ensure that interlock LSHH-592 that closes blanket fuel gas valve PV-593B on high
high level in the drum is designed for EIL 1.
SIS No: LSHH-592

SIS Function: High high level switch LSHH-592 that closes blanket fuel gas valve PV-593B on
high high level in the drum.

Consequence High level in feed surge drum. Tube failure in Charge Heater (H-101)
Description resulting in release of hydrocarbon that could cause (a) a fire and/or
explosion that may injure personnel in a medium-sized area and (b)
environmental impact in a small area.
Initiating Cause Operator error, manual valve closed. 1 1.00E-01

Loop: F-0915, F-0916, F-0917, F-0918

Layers
PSV None
Op Response Flow indication FC-595 with low flow None
alarm.
Other None
Recommendation 4. Consider adding an additional alarm to indicate loss of hydrogen and hydrocarbon
flow to Charge Heater (H-101) on each pass and ensure it is on a routine testing
schedule.
5. Ensure that interlocks FSLL-915 through 918 are designed for SIL 1.
SIS No: FSLL-915-918

SIS Function: Flow indication FI-915-918 with low flow alarms and interlocks FSLL-915-918 that
shuts down the heater on low low flow through a heater pass.

Initiating Cause Control valve FV-595 closing too far. 1 1.00E-01


Layers
PSV None
alarm.
Other None
Recommendation See LOPA Recommendation 4 to consider adding an additional alarm to indicate loss
of hydrogen and hydrocarbon flow to Charge Heater (H-101) on each pass and ensure
it is on a routine testing schedule.
See LOPA Recommendation 5 to ensure that interlocks FSLL-915 through 918 are
designed for SIL 1.
SIS No: FI-915-918


Initiating Cause Pump tripping off. 1 1.00E-01


Layers
PSV None
alarm.
Other None
designed for SIL 1.
SIS No: FI-915-918


Initiating Cause Low level, feed surge drum. 1 1.00E-01


Layers
PSV None
alarm.
Other None
designed for SIL 1.
SIS No: FI-915-918


Initiating Cause Plugged strainer in the pump suction line. 1 1.00E-01


Layers
PSV None
alarm.
Other None
designed for SIL 1.
SIS No: FI-915-918


Consequence Potential flameout, potential firebox explosion, potential injury to

Description personnel in a medium-sized area and environmental impact in a
small area.
Initiating Cause Louver control valve PV-616 closing too 1 1.00E-01

far.
Intermittent Hazard P&ID: 3165-1-50-055A None
Loop: F-0890
Independent Process Design Blowout doors. 1.00E-02

Layers
PSV None
Op Response Flue gas analyzer AI-601 with low alarm. 1.00E-01
Pressure indication PC-616 with low

pressure alarm on preheated air duct to
heater.

pressure alarm on the flue gas duct.
Other None
Recommendation
SIS No: FSLL-890

SIS Function: Interlock FSLL-890 that switches the heater to natural draft operation on low low
combustion air flow.


small area.
Initiating Cause Stack damper closing too far. 1 1.00E-01

Loop: F-0890
Independent Process Design Blast doors. 1.00E-02

Layers
PSV None

heater.

Other None
Recommendation
SIS No: FSLL-890



small area.
Initiating Cause Combustion air fan tripping off. 1 1.00E-01

Loop: F-0890

Layers
PSV None

heater.

Other None
Recommendation
SIS No: FSLL-890



small area.
Initiating Cause Induced draft fan tripping off. 1 1.00E-01

Loop: F-0890

Layers
PSV None

heater.

Other None
Recommendation
SIS No: SSL-1042

SIS Function: Interlock SSL-1042 that opens the stack damper on shutdown of the induced draft
fan.


small area.

far.
Loop: F-0890

Layers
PSV None

heater.

Other None
Recommendation
SIS No: FSLL-890


Consequence Burner/pilot flameout, inability to ignite the burners following a

Description flameout, resulting in a high concentration of combustibles in the
firebox, potential for an explosion that could result in (a) injury to
personnel in a medium-sized area and (b) environmental impacts in
a small area.
Initiating Cause Low pressure in fuel gas header. 1 1.00E-01

Person Present 1 Present all the Time

Layers
PSV None
Op Response None
Other None
Recommendation 6. Ensure PSLL-1389 is designed for SIL 2.
SIS No: PSLL-1389

SIS Function: Interlock PSLL-1389 that isolates the fuel gas from the heater on low low fuel gas
pressure.


a small area.


Layers
PSV None
Op Response None
Other None
Recommendation See LOPA Recommendation 6 to ensure PSLL-1389 is designed for SIL 2.
SIS No: PSLL-1389

pressure.


a small area.


Layers
PSV None
Op Response None
Other None
SIS No: PSLL-1389

pressure.


a small area.
Initiating Cause Isolation valve XV-1382A or B is closed. 1 1.00E-01


Layers
PSV None
Op Response None
Other None
SIS No: PSLL-1389

pressure.

Consequence Inability to ignite the burners following a flameout, resulting in a high

Description concentration of combustibles in the firebox, potential for an
explosion that could result in (a) injury to personnel in a medium-
sized area and (b) environmental impacts in a small area.
Initiating Cause Low fuel pressure. 1 1.00E-01


Layers
PSV None
Op Response None
Other None
Recommendation 7. Ensure that PSLL-1379 is designed for SIL 2.
SIS No:
SIS Function: Interlock PSLL-1379 that isolates the pilot gas from the heater on low low pilot gas
pressure.


Initiating Cause Carryover of liquid as a result of high level 1 1.00E-01

in fuel gas KO drum.

Layers
PSV None
Op Response None
Other None
Recommendation See LOPA Recommendation 7 to ensure that PSLL-1379 is designed for SIL 2.
SIS No: PSLL-1379

pressure.


Initiating Cause Total loss of combustion air. 1 1.00E-01


Layers
PSV None
Op Response None
Other None
SIS No: PSLL-1379

pressure.


Initiating Cause Manual valve closed. 1 1.00E-01


Layers
PSV None
Op Response None
Other None
SIS No: PSLL-1379

pressure.


Initiating Cause Local control valve PCV-298 closing too 1 1.00E-01

far.

Layers
PSV None
Op Response None
Other None
SIS No: PSLL-1379

pressure.




Layers
PSV None
Op Response None
Other None
Recommendation See Recommendation 7 to ensure that PSLL-1379 is designed for SIL 2.
SIS No:
pressure.


Initiating Cause High pressure transient from the fuel gas 1 1.00E-01
supply header.

Layers
PSV None
Op Response None
Other None
SIS No: PSLL-1379

pressure.

Consequence Release of hydrocarbon resulting in (a) a fire in the firebox,

Description potentially causing structural damage (e.g., collapse of the heater
stack) that may injure personnel and rupture process equipment in a
medium-sized area around the heater, (b) a fire and/or explosion
outside the heater that may injure personnel in a medium-sized area,
and (c) environmental impacts in a small area.
Initiating Cause P-103A/B stops. 1 1.00E-01

Loop: F-0645, F-0647, F-0655

Layers
PSV None
Op Response None
Other None
Recommendation 8. Consider adding an additional alarm to indicate loss of hydrocarbon flow to

Fractionator Reboiler (H-102) on each pass and ensure it is on a routine testing
schedule.
9. Ensure that interlocks FSLL-645/647/655 are designed for SIL 1.
SIS No: FSLL-645/647/655

SIS Function: Low flow shutdowns FSLL-645/647/655 shuts down Fractionator Reboiler (H-102).

Consequence Release of hydrocarbon resulting in (a) a fire in the firebox,

Description potentially causing structural damage (e.g., collapse of the heater
stack) that may injure personnel and rupture process equipment in a
medium-sized area around the heater, (b) a fire and/or explosion
outside the heater that may injure personnel in a medium-sized area,
and (c) environmental impacts in a small area.
Initiating Cause Control valve or manual valve closed. 1 1.00E-01

Loop: F-0645, F-0647, F-0655

Layers
PSV None
Op Response None
Other None
of hydrocarbon flow to Fractionator Reboiler (H-102) on each pass and ensure it is on
a routine testing schedule.
See LOPA Recommendation 9 to ensure that interlocks FSLL-645/647/655 are

designed for SIL 1.
SIS No: FSLL-645/647/655

SIS Function: Low flow shutdowns FSLL-645/647/655 shuts down Fractionator Reboiler (H-102).


small area.

Intermittent Hazard P&ID: 3165-1-50-055B None
Loop: F-0898

Layers
PSV None
Op Response Flue gas oxygen analyzer AI-664 with 1.00E-01
low alarm.

the heater.

pressure alarm located on the flue gas
duct.
Other None
Recommendation
SIS No: FSLL-898

SIS Function: Interlock FSLL-898 that switches the heater to natural draft on low low combustion
air flow.


small area.

Loop: F-0898

Layers
PSV None
low alarm.

the heater.

duct.
Other None
Recommendation
SIS No: FSLL-898

air flow.


small area.
Initiating Cause Combustion air fan tripping off. 1 1.00E-01

Loop: F-0898
Independent Process Design Blast Doors. 1.00E-02

Layers
PSV None
low alarm.

the heater.

duct.
Other None
Recommendation
SIS No: FSLL-898 or SSL-1042

air flow.
Interlock SSL-1042 that opens the stack damper on shutdown of the induced draft
fan.


small area.
Initiating Cause Louver control valve PC-616 closing too 1 1.00E-01

far.
Loop: F-0898

Layers
PSV None
low alarm.

the heater.

duct.
Other None
Recommendation
SIS No: FSLL-898

air flow.


small area.

far.

Layers
PSV None
low alarm.

the heater.

duct.
Other None
Recommendation
SIS No: FSLL-898

air flow.


a small area.
Initiating Cause Low pressure in fuel gas header. 1 1.00E-01


Layers
PSV None
Op Response None
Other None
Recommendation 10. Ensure that Interlock PSLL-1399 is designed for SIL 2.
SIS No: PSLL-1399

pressure.


a small area.


Layers
PSV None
Op Response None
Other None
Recommendation See LOPA Recommendation 10 to ensure that Interlock PSLL-1399 is designed for SIL
2.
SIS No: PSLL-1399

pressure.


a small area.


Layers
PSV None
Op Response None
Other None
2.
SIS No: PSLL-1399

pressure.


a small area.


Layers
PSV None
Op Response None
Other None
2.
SIS No: PSLL-1399

pressure.


explosion that could result in potential injury to personnel in a
medium-sized area and potential environmental impacts in a small
area.
Initiating Cause Low pressure from fuel gas supply 1 1.00E-01

(OSBL).

Layers
PSV None
Op Response None
Other Pilots are fueled by Purchased Natural None
Gas.
Recommendation 11. Review the revalidation from MOC to change pilot gas to Purchased Natural Gas.
SIS No: PSLL-1393

SIS Function: Interlock PSLL-1393 that isolates the pilot gas from the heater on low-low pilot gas
pressure


area.
Initiating Cause Carryover of liquid as a result of high 1 1.00E-01

level- fuel gas KO drum that could result
in liquid hydrocarbon pooling and fire in
the bottom of the firebox for the reformer
charge heater.
Independent Process Design Blast doors. None

Layers
PSV None
Op Response Pressure indication PI-893 with low 1.00E-01
pressure alarm
Gas.
Recommendation See LOPA Recommendation 11 to review the revalidation from MOC to change pilot
gas to Purchased Natural Gas.
SIS No: PSLL-1393

pressure


area.

far.

Layers
PSV None
Op Response Pressure indication PI-893 with low None
pressure alarm.
Gas.
SIS No: PSLL-1393

pressure


area.


Layers
PSV None
pressure alarm
Gas.
SIS No: PSLL-1393

pressure


area.
supply header (OSBL)

Layers
PSV None
pressure alarm
Gas.
SIS No: PSLL-1393

pressure

Consequence Potential flameout H-1, potential firebox explosion, potential injury to

small area.

Loop: F-0862

Layers
PSV None
low alarm.

pressure alarm on the preheated air duct
to the heater.
Other None
Recommendation 12. Ensure that interlock PSL-837 or SSL-1294 are designed for SIL 1.
SIS No: PSL-837 & SSL-1294

SIS Function: Interlock PSL-837 that start the spare combustion air blower fan on low
combustion air pressure.
Interlock SSL-1294 that shuts down the heater on shutdown of the induced draft
fan.


small area.
Initiating Cause Combustion air blower fan tripping off. 1 1.00E-01

Loop: F-0862

Layers
PSV None
low alarm.

to the heater.
Other None
Recommendation See LOPA Recommendation 12 to ensure that interlock PSL-837 or SSL-1294 are
designed for SIL 1.

fan.


small area.
Initiating Cause Control valve FV-862A/B closing too far. 1 1.00E-01

Loop: F-0862

Layers
PSV None
low alarm.

to the heater.
Other None
designed for SIL 1.

fan.


small area.
Initiating Cause Louver control valve PV-834A/B closing 1 1.00E-01

too far.
Loop: F-0862

Layers
PSV None
low alarm.

to the heater.
Other None
designed for SIL 1.

fan.


small area.

far.

Layers
PSV None
low alarm.

to the heater.
Other None
designed for SIL 1.

fan.


small area.

Loop: F-0858

Layers
PSV None
low alarm.

the heater.
Other None
designed for SIL 1.

SIS Function: Interlock PSL-837 starts the spare combustion air blower fan on low combustion
air pressure.
Interlock SSL-1294 shuts down the heater on shutdown of the induced draft fan.

Consequence Burner/pilot flameout, potential inability to ignite the burners following

Description a flameout, resulting in a high concentration of combustibles in the
firebox, potential for an explosion that could result in potential injury
to personnel in medium-sized area and potential environmental
impacts in a small area.


Layers
PSV None
pressure alarm.
Other None
Recommendation 13. Ensure that pressure indication PI-868 with low pressure alarm is on a routine
testing schedule.
SIS No: PSLL-1732

SIS Function: Interlock PSLL-1732 that isolates the fuel gas from the heater on low-low fuel gas
pressure.


Initiating Cause Low pressure from fuel gas supply 1 1.00E-01

(OSBL).
Independent Process Design Blast doors. None

Layers
PSV None
pressure alarm
Other None
Recommendation See LOPA Recommendation 13 to ensure that pressure indication PI-868 with low
pressure alarm is on a routine testing schedule.
SIS No: PSLL-1732

pressure.




Layers
PSV None
pressure alarm
Other None
Recommendation See LOPA Recommendation 13 to ensure that pressure indication PI-868 with low
pressure alarm is on a routine testing schedule.
SIS No: PSLL-1732

pressure.


explosion that could result in potential injury to personnel in medium-
sized area and potential environmental impacts in a small area
Initiating Cause Carryover of a liquid as a result of high 1 1.00E-01

level-fuel gas KO drum that could result in
liquid hydrocarbon pooling and fire in the
bottom of the firebox for the reformer
charge heater.

Layers
PSV None
Op Response Pilot gas pressure indication PI-869 with None
low pressure alarm.
Other None
SIS No: PSLL-1724

pressure.



far

Layers
PSV None
pressure alarm and local pressure
indication PI-866A.
Other None
SIS No: PSLL-1732

pressure.




Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1732

pressure.



Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1732

pressure.


Initiating Cause Low fuel pressure due to control valve FV- 1 1.00E-01
866 closing too far.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1732

pressure.


Initiating Cause Low fuel pressure due to low pressure 1 1.00E-01

fuel gas header.

Layers
PSV None
pressure alarm.
Other None
SIS No: PSLL-1732

pressure.


Initiating Cause Low fuel pressure due to isolation valve 1 1.00E-01

XV-1347A or B is closed.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1732

pressure.

Consequence Potential flameout H-1, potential firebox explosion, potential injury

Description to personnel in a medium-sized area and environmental impact in a
small area.

Loop: F-0862

Layers
PSV None
low alarm.

to the heater.
Other None
Recommendation

fan.


small area.
Initiating Cause Control valves FV-858A/B closing too far. 1 1.00E-01

Loop: F-0858

Layers
PSV None
low alarm.

the heater.
Other None
Recommendation

air pressure.


small area.

far.
Loop: F-0858

Layers
PSV None
low alarm.

the heater.
Other None
Recommendation

air pressure.


small area.


Layers
PSV None
low alarm.

the heater.
Other None
Recommendation

air pressure.


small area.


Layers
PSV None
low alarm.

the heater.
Other None
Recommendation

air pressure.


small area.

far.
Loop: F-0858

Layers
PSV None
low alarm.

to the heater.
Other None
Recommendation

fan.


small area.

too far.
Loop: F-0862

Layers
PSV None
low alarm.

to the heater.
Other None
Recommendation

fan.


firebox, potential for an explosion that could result in injury to
personnel in a medium-sized area and potential environmental

Loop: F-0858

Layers
PSV None
low alarm.

pressure alarm located on the preheated
air duct to the heater.
Other None
Recommendation
SIS No: PSL-837

SIS Function: Interlock PSL-837 that starts the spare combustion air blower fan on low

Consequence Burner/pilot flameout, potential inability to ignite the burners flowing a


Loop: F-0858

Layers
PSV None
low alarm.

to the heater.
Other None
Recommendation
SIS No: PSL-837 and SSL-1294

air pressure.
fan.




Layers
PSV None
low alarm.
Pressure indication PI-861 with low

pressure alarm.
Other None
Recommendation
SIS No: PSLL-1731

pressure.


Initiating Cause Low pressure from fuel gas supply (OSBL)1 1.00E-01

Layers
PSV None
low alarm.

pressure alarm.
Other None
Recommendation
SIS No:
SIS Function:




Layers
PSV None
low alarm.

pressure alarm.
Other None
Recommendation
SIS No:
SIS Function:


Description concentration of the combustibles in the firebox, potential for an
explosion that could result in injury to personnel in a medium-sized
area and potential environmental impacts in a small area.

level- fuel gas KO drum.

Layers
PSV None
low pressure alarm
Other None
SIS No: PSLL-1724

pressure.



far.

Layers
PSV None
low pressure alarm
Other None
SIS No: PSLL-1724

pressure.


Initiating Cause Isolation valve XV01346A or B is closed 1 1.00E-01


Layers
PSV None
low pressure alarm
Other None
SIS No: PSLL-1724

pressure.


supply header

Layers
PSV None
low pressure alarm
Other None
SIS No: PSLL-1724

pressure.

Consequence Potential high firebox pressure if the induced draft fan trips or the
Description stack damper is closed. Burner/pilot flameout.

Loop: F-0840

Layers
PSV None
low alarm.

the heater.
Other None
designed for SIL 1.

air pressure.


too far.
Loop: F-0840

Layers
PSV None
low alarm.

the heater.
Other None
designed for SIL 1.

air pressure.


far.
Loop: F-0840

Layers
PSV None
low alarm.

the heater.
Other None
designed for SIL 1.

air pressure.


Loop: F-0840

Layers
PSV None
low alarm.

the heater.
Other None
designed for SIL 1.

air pressure.


Loop: F-0840

Layers
PSV None
low alarm.

the heater.
Other None
designed for SIL 1.

air pressure.


Loop: F-0840

Layers
PSV None
low alarm.

the heater.
Other None
designed for SIL 1.

air pressure.


Initiating Cause Low pressure- fuel gas header (OSBL) 1 1.00E-01


Layers
PSV None
low alarm.

pressure alarm
Other None
Recommendation
SIS No:
SIS Function:




Layers
PSV None
low alarm.

pressure alarm
Other None
Recommendation
SIS No: PSLL-1729

pressure.




Layers
PSV None
low alarm.

pressure alarm.
Other None
Recommendation
SIS No:
SIS Function:


Initiating Cause Low fuel pressure- fuel gas header 1 1.00E-01


Layers
PSV None
Op Response Pilot gas indication PI-849 with low 1.00E-01
pressure alarm
Other None
SIS No:
SIS Function:



far.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1724

SIS Function: Interlock PSLL-1724 that isolates the pilot gas form the heater on low-low pilot gas
pressure.



level- fuel gas KO drum

Layers
PSV None
pressure alarm
Other None
SIS No:
SIS Function:




Layers
PSV None
pressure alarm
Other None
SIS No:
SIS Function:



Layers
PSV None
low alarm.

pressure alarm
Other None
SIS No:
SIS Function:


Intermittent Hazard P&ID: 3165-1-50-051-B None
Loop: F-0850

Layers
PSV None
low alarm.

pressure alarm on air duct to the heater.
Other None
designed for SIL 1.

SIS Function: Interlock PSL-837 starts the spare combustion air blower on low combustion air
pressure.

Initiating Cause Louver control valves PV-834A/B closing 1 1.00E-01

too far.
Loop: F-0850

Layers
PSV None
low alarm.

Other None
designed for SIL 1.

pressure.

Initiating Cause Louver control valve PC-829 closing too 1 1.00E-01

far.
Loop: F-0850

Layers
PSV None
low alarm.

Other None
designed for SIL 1.

pressure.


Loop: F-0850

Layers
PSV None
low alarm.

Other None
designed for SIL 1.

pressure.


Loop: F-0850

Layers
PSV None
low alarm.

Other None
designed for SIL 1.

pressure.


Loop: F-0850

Layers
PSV None
low alarm.

Other None
designed for SIL 1.

pressure.


Initiating Cause Low pressure- fuel gas header (OSBL) 1 1.00E-01


Layers
PSV None
low alarm.
Other None
Recommendation
SIS No: PSLL-1730

SIS Function: Interlock PSLL-1730 that isolates the fuel gas from the heaters on low-low fuel gas
pressure.


Initiating Cause Control valve FV-851 closing too far 1 1.00E-01


Layers
PSV None
low alarm.
Other None
Recommendation
SIS No: PSLL-1730

pressure.




Layers
PSV None
low alarm.
Other None
Recommendation
SIS No: PSLL-1730

pressure.



level- fuel gas KO drum.

Layers
PSV None
Op Response Pilot gas pressure indication PI-855 with 1.00E-01
low pressure alarm
Other None
SIS No:
SIS Function:


Initiating Cause Low fuel pressure due to control valve FV- 1 1.00E-01
851 closing to far.

Layers
PSV None
low pressure alarm
Other None
SIS No:
SIS Function:



far

Layers
PSV None
low pressure alarm
Other None
SIS No: PSLL-1724

pressure.




Layers
PSV None
low pressure alarm
Other None
SIS No:
SIS Function:


supply header.

Layers
PSV None
low pressure alarm
Other None
SIS No:
SIS Function:



XV-1347A or B being closed.

Layers
PSV None
low pressure alarm
Other None
SIS No:
SIS Function:

Consequence Overflow of liquid to the booster and/or recycle compressors,

Description resulting in mechanical damage, potentially leading to a release of
hydrogen and hydrocarbon at the compressors that could cause a
fire and/or explosion that may injure personnel in a large area and
potential environmental impacts in a small area.
Initiating Cause Low/no flow- naphtha from the product 1 1.00E-01

separator to the chloride scrubber due to
control valve LV-122 closing too far and/or
the pump tripping off.

Layers
PSV None
Op Response High level alarm LH-257. None
Other None
Recommendation 14. Ensure that high level alarm LH-257 is on a routine testing schedule.
15. Ensure that Interlock LSHH-256 that shuts down the compressors on high high
level is designed for SIL 1.
16. Evaluate if Interlock LSHH-256 should be designed for Environmental EIL 2 and
Commercial CIL 3.
SIS No: LSHH-256

SIS Function: Interlock LSHH-256 that shuts down the compressors on high high level.


Initiating Cause Low/no flow- chloride scrubber. 1 1.00E-01


Layers
PSV None
Other None
Recommendation See LOPA Recommendation 14 to ensure that high level alarm LH-257 is on a routine
testing schedule.
See LOPA Recommendation 15 ensure that Interlock LSHH-256 that shuts down the
compressors on high high level is designed for SIL 2.
See LOPA Recommendation 16 to evaluate if Interlock LSHH-256 should be designed

for Environmental EIL 2 and Commercial CIL 2.
SIS No: LHH-256; LSHH-256

SIS Function: High-high level alarm LHH-256 and interlock LSHH-256 that shuts down the
compressors on high-high level.


Initiating Cause Reverse flow- naphtha from the product 1 None

separator to the chloride scrubber due to
the pump tripping off.
(This consequence was evaluated and

Team agreed that it was not a credible
scenario)

Layers
PSV None
Other None
Recommendation See LOPA Recommendation 14 to ensure that high level alarm LH-257 is on a routine
testing schedule.
See LOPA Recommendation 15 ensure that Interlock LSHH-256 that shuts down the
compressors on high high level is designed for SIL 2.
See LOPA Recommendation 16 to evaluate if Interlock LSHH-256 should be designed

for Environmental EIL 2 and Commercial CIL 2.
SIS No: LSHH-256

SIS Function: High-high level alarm LHH-256 and interlock LSHH-256 that shuts down the
compressors on high-high level.

Consequence Release of hydrocarbon and/or hydrogen resulting in (a) a fire in the

Description firebox, potentially causing structural damage (e.g., collapse of the
heater stack) that may injure personnel and rupture process
equipment in a medium-sized area around the heater, (b) a fire
and/or explosion outside the heater that may injure personnel in a
medium-sized area, and (c) environmental impacts in a small area.
Initiating Cause Compressor tripping off. 1 1.00E-01

Loop: F-0106

Layers
PSV None
Op Response None
Other None
Recommendation 17. Ensure that interlock FSLL-106 is designed for SIL 1.
SIS No: FSLL-106

SIS Function: Interlock FSLL-106 that isolates the fuel gas to the charge heater and interheaters
on low low recycle hydrogen flow.



Loop: F-0106

Layers
PSV None
Op Response None
Other None
Recommendation See LOPA Recommendation 17 to ensure that interlock FSLL-106 is designed for SIL
1.
SIS No: FSLL-106



Initiating Cause Misdirected flow to the flare through 1 1.00E-01

emergency dump valve HV-258.
Loop: F-0106

Layers
PSV None
Op Response None
Other None
Recommendation See LOPA Recommendation 17 to ensure that interlock FSLL-106 is designed for SIL
1.
SIS No: FSLL-106


Consequence Potential loss of containment if the pressure exceeds the pressure

Description rating of the equipment with a potential release of hydrogen that
could result in a potential fire and/or explosion that may injure
personnel in a large area and potential environmental impacts in a
small area.


Layers
PSV PSV-1157 or PSV-1150. 1.00E-02
Op Response None
Other None
Recommendation 18. Ensure that Interlock PDSHH-171 that shuts down compressor C-2A on high-high
differential pressure between the suction and discharge of the first-stage and/or
Interlock PDSHH-175 that shuts down compressor C2-B on high high differential
pressure between the suction and discharge of the first stage are designed for SIL 1.
SIS No: PHH-171; PDSHH-171

SIS Function: High-high differential pressure alarm PHH-171 with Interlock PDSHH-171 that
shuts down compressor C-2A on high-high differential pressure between the
suction and discharge of the first-stage.
High differential pressure alarm PH-174, high high differential pressure alarm PHH-
175 with Interlock PDSHH-175 that shuts down compressor C2-B on high high
differential pressure between the suction and discharge of the first stage.

Consequence Overflow of liquid hydrocarbon to the second-stage of the booster

Description compressor, potentially resulting in mechanical damage and release
of hydrogen and hydrocarbon that could cause a fire and/or
explosion that may injure personnel in a large area and potential
environmental impacts in a small area.
Initiating Cause Bottoms line from the interstage KO drum 1 1.00E-01

to the depentanizer due to operator
error -- manual valve closed.

Layers
PSV None
Op Response LH-178 high level alarm. None
Level indication LC-723 with high level

alarm.
Other None
Recommendation 19. Ensure that LH-178 is on a routine testing schedule.
20. Ensure that LSHH-179 that shuts down the booster compressor on high-high level
is designed for SIL 1.
21. Evaluate if Interlock LSHH-179 should be designed for an Environmental EIL 2

and/or Commercial CIL 3.
SIS No: LSHH-179

SIS Function: LSHH-179 that shuts down the booster compressor on high-high level.

Consequence Potential loss of containment if the pressure exceeds the pressure

Description rating of the equipment, potential release of hydrogen that could
result in potential fire and/or explosion that may injure personnel in a
large area and potential environmental impacts in a small area.
Initiating Cause Manual valve closed 1 1.00E-01


Layers
PSV PSV-1156R or PSV-1149R. 1.00E-02
Op Response None
Other None
Recommendation 22. Ensure that PDSHH-173 that shuts down compressor C-2A on high-high
differential pressure between the suction and discharge lines and/or PDSHH-177 that
shuts down compressor C-2B on high-high differential pressure between the suction
and discharge lines is designed for SIL 1.
SIS No: PDSHH-173/177

SIS Function: PDSHH-173 that shuts down compressor C-2A on high-high differential pressure
between the suction and discharge lines; PDSHH-177 that shuts down
compressor C-2B on high-high differential pressure between the suction and
discharge lines.

Consequence Carryover of liquid hydrocarbon to the TDP Unit, potentially resulting

Description in high level in the compressor suction drum (OSBL).
Initiating Cause Reverse flow due to booster compressor 1 1.00E-01

tripping off.
Intermittent Hazard This scenario was revisited during the None
June 21 meeting.

Protection BPCS TDP Compressor Suction Drum (50C- None
Layers 101) Level Control.
PSV None
Op Response LSH-180 high level alarm. None
Other None
Recommendation See LOPA Recommendation 25 to confirm the level alarm for the TDP Compressor
Suction Drum is independent of the level control valve and is on a routine testing
schedule.
See LOPA Recommendation 26 to ensure that LSH-180 high level alarm is on a

SIS No: LSHH-181


Consequence Carryover of liquid hydrocarbon to the TDP Unit, potentially resulting

Description in high level in the compressor suction drum (OSBL).
Initiating Cause Low/no flow - bottoms from the high 1 1.00E-01

pressure separator to the interstage KO
drum due to operator error -- manual
valve closed.
June 21 meeting.

Protection BPCS TDP Compressor Suction Drum (50C- None
Layers 101) Level Control.
PSV None
Other None
Recommendation 25. Confirm the level alarm for the TDP Compressor Suction Drum is independent of
the level control valve and is on a routine testing schedule.
26. Ensure that LSH-180 high level alarm is on a routine testing schedule.
SIS No: LSHH-181


Consequence Carryover of liquid hydrocarbon to the Unibon Unit, potentially

Description resulting in high level in the compressor suction drum (OSBL).
Initiating Cause Reverse flow due to booster compressor 1 1.00E-01

tripping off.
June 21 meeting.

Protection BPCS Unibon Compressor Suction Drum None
Layers (13C1A/B) Level Control.
PSV None
Other None
Recommendation See LOPA Recommendation 23 to confirm the level alarm for the Unibon Compressor
Suction Drum (13C1A/B) is independent of the level control valve and is on a routine
testing schedule.
See LOPA Recommendation 24 to ensure that LSH-180 high level alarm is on a

SIS No: LSHH-181


Consequence Carryover of liquid hydrocarbon to the Unibon Unit, potentially

Description resulting in high level in the compressor suction drum (OSBL).
Initiating Cause Control valve LV-150 closing too far. 1 1.00E-01

June 21 meeting.

Protection BPCS Unibon Compressor Suction Drum None
Layers (13C1A/B) Level Control.
PSV None
Other None
Recommendation 23. Confirm the level alarm for the Unibon Compressor Suction Drum (13C1A/B) is
independent of the level control valve and is on a routine testing schedule.
24. Ensure that LSH-180 high level alarm is on a routine testing schedule.
SIS No: LSHH-181


Consequence Tube failure in depentanizer reboiler trim heater (H-5) resulting in

Description release of hydrocarbon that could result in (a) fire and/or explosion
that may injure personnel in a medium-sized area and (b)
Initiating Cause Low level, depentanizer. 1 1.00E-01

Intermittent Hazard P&ID:3165-1-50-021 None
Loop: F-0783, F-0784, F-0785, F-0786

Layers
PSV None
Op Response None
Other None
Recommendation 27. Consider adding an additional alarm to indicate loss of hydrogen and hydrocarbon
flow to (H-5) on each pass and ensure it is on a routine testing schedule.
28. Ensure that interlocks FSLL-783/784/785/786 are designed for SIL 1.
SIS No: FSLL-783/784/785/786

SIS Function: Interlocks FSLL-783/784/785/786 isolate the flue gas from the charge heater,
interheaters, and depentanizer reboiler trim heater on low low flow.



Loop: F-0783, F-0784, F-0785, F-0786

Layers
PSV None
Op Response None
Other None
of hydrogen and hydrocarbon flow to (H-5) on each pass and ensure it is on a routine
testing schedule.
See LOPA Recommendation 28 to ensure that interlocks FSLL-783/784/785/786 are

designed for SIL 1.
SIS No: FSLL-783/784/785/786



Initiating Cause Misdirected flow to the raffinate splitter 1 1.00E-01

bottom pump discharge line.
Loop: F-0783, F-0784, F-0785, F-0786

Layers
PSV None
Op Response None
Other None
testing schedule.

designed for SIL 1.
SIS No: FSLL-783/784/785/78



Initiating Cause Control valves FV-783-786 closing too far. 1 1.00E-01

Loop: F-0783, F-0784, F-0785, F-0786

Layers
PSV None
Op Response None
Other None
testing schedule.

designed for SIL 1.
SIS No: FSLL-783/784/785/78




Loop: F-0783, F-0784, F-0785, F-0786

Layers
PSV None
Op Response None
Other None
testing schedule.

designed for SIL 1.
SIS No: FSLL-783/784/785/78



Initiating Cause Plugged strainer in the pump suction line. 1 1.00E-01

Loop: F-0783, F-0784, F-0785, F-0786

Layers
PSV None
Op Response None
Other None
testing schedule.

designed for SIL 1.
SIS No: FSLL-783/784/785/78





Layers
PSV None
Other None
Recommendation
SIS No: PSLL-1350

pressure.




Layers
PSV None
Other None
Recommendation
SIS No: PSLL-1350

pressure.


Initiating Cause Low pressure - fuel gas header 1 1.00E-01


Layers
PSV None

pressure alarm
Other None
Recommendation
SIS No: PSLL-1350

pressure.




Layers
PSV None
Other None
Recommendation
SIS No: PSLL-1350

pressure.



far.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1351

pressure.



level- fuel gas KO drum due to operator
error -- failure to drain liquids from the
drum when needed

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1351

pressure.




Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1351

pressure.


Initiating Cause Total loss of combustion air due to stack 1 1.00E-01

damper closing too far. Total loss of
combustion air due to combustion air
registers closed too far.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1351

pressure.




Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1351

pressure.


supply header

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1351

pressure.


Initiating Cause Low fuel pressure due to control valve FV-1 1.00E-01

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1351

pressure.



XV-1360A or B is closed.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1351

pressure.


to personnel in a medium-sized area and potential environmental
Initiating Cause Manual valve closed 1 1.00E-01


Layers
PSV None

pressure alarm.
Other None
Recommendation
SIS No: PSLL-1361

pressure.


Initiating Cause Control valve FV-822 closing too far 1 1.00E-01


Layers
PSV None

pressure alarm.
Other None
Recommendation
SIS No: PSLL-1361

pressure.


Initiating Cause Low pressure - fuel gas header 1 1.00E-01


Layers
PSV None
Other None
Recommendation
SIS No: PSLL-1361

pressure.




Layers
PSV None
Other None
Recommendation
SIS No: PSLL-1361

pressure.


area.

far.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1362

pressure.


area.

level - fuel gas KO drum failure to drain
liquids from the drum when needed.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1362

pressure.


area.
Initiating Cause Low fuel pressure due to operator error -- 1 1.00E-01

manual valve closed.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1362

pressure.


area.
Initiating Cause Total loss of combustion air due to stack 1 1.00E-01

damper closing too far.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1362

pressure.


area.
Initiating Cause Isolation valve XV-1367A or B is closed 1 1.00E-01


Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1362

pressure.


area.
supply header

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1362

pressure.


area.
Initiating Cause Low fuel pressure due to control valve FV-1 1.00E-01

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1362

pressure.


area.

XV- 1372A or B is closed.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1362

pressure.


area.
Initiating Cause Total loss of combustion air due to 1 1.00E-01

combustion air registers closed too far.

Layers
PSV None
pressure alarm
Other None
SIS No: PSLL-1362

pressure.

Consequence Low/no seal oil flow to the compressor, damage to the compressor,
Description potentially leading to a release of hydrogen that could result in
potential fire and/or explosion that may injure personnel in a large
Initiating Cause Control valve LV-1437 closing too far. 1 1.00E-01

June 21 meeting.

Layers
PSV None
Op Response None
Other None
Recommendation 29. Consider bringing a low seal oil level alarm into DCS (independent of LV-1437).
30. Ensure that Interlock LSLL-38 that shuts down the compressor and prevents
restart on low-low level in the overhead seal oil tank and/or Interlock LSL-57 that starts
the auxiliary lube oil pump on low level in the overhead seal oil tank are designed for
SIL 2.
31. Evaluate if Interlock LSLL-38 and/or LSL-57 should be designed for Environmental
EIL 2 and Commercial CIL 3.
SIS No: LSLL-38; LSL-57

SIS Function: Interlock LSLL-38 that shuts down the compressor and prevents restart on low-low
level in the overhead seal oil tank. Interlock LSL-57 that starts the auxiliary lube
oil pump on low level in the overhead seal oil tank.

Consequence Low/no seal oil flow to the compressor, damage to the compressor,
Description potentially leading to a release of hydrogen that could result in
potential fire and/or explosion that may injure personnel in a large

June 21 meeting.

Layers
PSV None
Op Response Local low level alarms LAL-57/58. 1.00E-01
Local low-low level alarm LALL-38
Other None
Recommendation See Recommendation 29 to consider bringing a low seal oil level alarm into DCS
(independent of LV-1437).
See Recommendation 30 to ensure that Interlock LSLL-38 that shuts down the
compressor and prevents restart on low-low level in the overhead seal oil tank and/or
Interlock LSL-57 that starts the auxiliary lube oil pump on low level in the overhead seal
oil tank are designed for SIL 2.
See Recommendation 31 to evaluate if Interlock LSLL-38 and/or LSL-57 should be

designed for Environmental EIL 2 and Commercial CIL 3.
SIS No: LSLL-38; LSL-57

SIS Function: Interlock LSLL-38 that shuts down the compressor and prevents restart on low-low
level in the overhead seal oil tank. Interlock LSL-57 that starts the auxiliary lube
oil pump on low level in the overhead seal oil tank.

Consequence Damage to the compressor, potentially leading to a release of

Description hydrogen that could result in potential fire and/or explosion that may
injure personnel in a large area and potential environmental impacts
in a small area.
Initiating Cause Filter plugging. 1 1.00E-01

June 21 meeting.

Layers
PSV None
Op Response PAL-33 low pressure alarm. None
Other None
Recommendation 32. Ensure that PAL-33 low pressure alarm is on a routine testing schedule.
33. Ensure that Interlock Interlock PSLL-32 shuts down compressor on low lube oil
pressure is designed for SIL 1.
34. Evaluate if Interlock PSL-40 should be designed for Environmental EIL 2 and
Commercial CIL3.
SIS No: PSL-40

SIS Function: Interlock PSL-40 that starts the spare pump on low lube oil pressure.


in a small area.

June 21 meeting.

Layers
PSV None
Other None
Recommendation See Recommendation 32 to ensure that PAL-33 low pressure alarm is on a routine
testing schedule.
See Recommendation 33 to ensure that Interlock Interlock PSLL-32 shuts down

compressor on low lube oil pressure is designed for SIL 1.
See Recommendation 34 evaluate if Interlock PSL-40 should be designed for

Environmental EIL 2 and Commercial CIL3.
SIS No: PSLL-32

SIS Function: Interlock PSLL-32 shuts down compressor on low lube oil pressure.


in a small area.
Initiating Cause Lube/seal oil pump tripping off. 1 1.00E-01

June 21 meeting.

Layers
PSV None
Other None
Recommendation See Recommendation 32 to ensure that PAL-33 low pressure alarm is on a routine
testing schedule.
See Recommendation 33 to ensure that Interlock Interlock PSLL-32 shuts down

compressor on low lube oil pressure is designed for SIL 1.
See Recommendation 34 evaluate if Interlock PSL-40 should be designed for

Environmental EIL 2 and Commercial CIL3.
SIS No: PSL-40

SIS Function: Interlock PSL-40 that starts the spare pump on low lube oil pressure.


in a small area.
Initiating Cause Low level in the lube oil reservoir -- failure 1 1.00E-01
to fill the lube oil tank
June 21 meeting.

Layers
PSV None
Op Response Low lube oil pressure alarm PAL-77/78. None
Other None
Recommendation See LOPA Recommendation 35 to ensure that low lube oil pressure alarm PAL-77/78
is on a routine testing schedule.
See LOPA Recommendation 36 ensure Interlock PSL-79/80 that shuts down

Compressor is designed for SIL 1.
See LOPA Recommendation 37 to evaluate if PSL-77 should be designed for

SIS No: PSL-77/78

SIS Function: Low lube oil pressure alarm PAL-77/78 (local compressor panel and TDC) located
on C-2B with interlock PSL-79/80 that shuts down the Compressor.


in a small area.
Initiating Cause Auxiliary lube oil pumps tripping off. 1 1.00E-01

June 21 meeting.

Layers
PSV None
Other None


SIS No: PSL-77/78



in a small area.
Initiating Cause Filters plugging. 1 1.00E-01

June 21 meeting.

Layers
PSV None
Other None
Recommendation 35. Ensure that low lube oil pressure alarm PAL-77/78 is on a routine testing schedule.
36. Ensure Interlock PSL-79/80 that shuts down Compressor is designed for SIL 1.
37. Evaluate if PSL-77 should be designed for Environmental EIL 2 and Commercial
CIL 2.
SIS No: PSL-77/78



in a small area.
Initiating Cause Lube oil pump stops. 1 1.00E-01

June 21 meeting.

Layers
PSV None
Other None


SIS No: PSL-77/78



in a small area.
Initiating Cause Low level in the jacket water reservoir 1 1.00E-01


Layers
PSV None
Op Response Low pressure alarm PAL-143 (local None
compressor panel and TDC).
High jacket water discharge temperature

alarms TAH-85/86/87/88/89/90/91/92
(local compressor panel and TDC)
located on the first-stage compressor.
Other None
Recommendation 38. Ensure that jacket water discharge temperature alarms TAH-
85/86/87/88/89/90/91/92 (local compressor panel and TDC) located on the first-stage
compressor are on a routine testing schedule.
39. Evaluate if TSHH-107/108/109/110 that shut down the compressor and prevent
compressor restart if there is a high-high gas discharge temperature from the second-
stage should be designed for EIL 1 and CIL 1.
SIS No: TSHH-107/108/109/110

SIS Function: TSHH-107/108/109/110 that shut down the compressor and prevent compressor
restart if there is a high-high gas discharge temperature from the first-stage

Consequence Damage to the compressor, potential flaring.

Description


Layers
PSV None
Op Response Low pressure alarm PAL-143 (local None
compressor panel and TDC).
High jacket water discharge temperature

alarms TAH-85/86/87/88/89/90/91/92
(local compressor panel and TDC)
located on the first-stage compressor.
Other None
Recommendation See LOPA Recommendation 38 to ensure that jacket water discharge temperature
alarms TAH-85/86/87/88/89/90/91/92 (local compressor panel and TDC) located on the
first-stage compressor are on a routine testing schedule.
See LOPA Recommendation 39 to evaluate if TSHH-107/108/109/110 that shut down

the compressor and prevent compressor restart if there is a high-high gas discharge
temperature from the second-stage should be designed for EIL 1 and CIL 1.
SIS No: TSHH-107/108/109/110

SIS Function: TSHH-107/108/109/110 that shut down the compressor and prevent compressor
restart if there is a high-high gas discharge temperature from the second-stage.

Consequence High level in vent drum No. 3 or 4, potentially leading to plugging of

Description the flow orifice in the off-gas line, resulting in high pressure - vent
drum, potential loss of containment if the pressure exceeds the
pressure rating of the equipment, potential release of catalyst,
nitrogen, and/or hydrogen that could result in potential fire and/or
explosion and thermal burn hazard that may injure personnel in a
medium-sized area, potential environmental impacts in a small area.
Initiating Cause Sequence valves BV-4 or 15 opens too 1 1.00E-01

soon or inadvertently opened.

Protection BPCS Master controller verifies valve positions 1.00E-01
Layers and shuts down the CCR if verification is
not obtained.
PSV None
Op Response None
Other None
Recommendation
SIS No: FSH-318; FSH-308

SIS Function: FSH-318 that shuts down the CCR on high off-gas flow from vent drum No. 3;
FSH-308 that shuts down the CCR on high off-gas flow from vent drum No. 4

Consequence Potential hydrogen carry through into the regenerator, resulting in

Description formation of an explosive mixture that could cause a fire and/or
explosion that may injure personnel in a medium-sized area,
Initiating Cause Nitrogen purging in lock hopper No. 1 is 1 1.00E-01

inadequate.
Independent Process Design 3 separate nitrogen purge cycles are 1.00E-01

Protection included in the PLC logic.
Layers BPCS None
PSV None
Op Response Master verify alarm. None
Other None
Recommendation
SIS No: PSH-305-1/305-2

SIS Function: FSL-304 that stops the purge cycle timer on low nitrogen flow to lock hopper No.
1; PSH-305-1/305-2 that shutdown the CCR if purge pressure permissives are not
net.

Consequence Potential backflow of hot combustion products into the Disengaging

Description Hopper from the regenerator, resulting in high temperature in the
Disengaging Hopper.
Initiating Cause Low catalyst level occurs in the 1 1.00E-01

Disengaging Hopper.

Layers
PSV None
Op Response None
Other None
Recommendation
SIS No: PSL-354

SIS Function: PSL-354 that shuts down the regenerator on low differential pressure between the
disengaging hopper and the regenerator.

Consequence Potential backflow of hot combustion products into the disengaging

Description hopper from the regenerator, resulting in high temperature in the
disengaging hopper, potential loss of containment if the temperature
exceeds the temperature limit of the equipment, potential release of
nitrogen and/or catalyst that could result in a thermal burn hazard
that may injure personnel in a small area, potential environmental
Initiating Cause Loss of nitrogen flow from the lift gas 1 1.00E-01
blower occurs.

Layers
PSV None
Op Response Temperature indication TI-370 with high 1.00E-01
temperature alarm will give an early
indication if there is an uncontrolled burn
in the hopper.
Other Master verify alarm. None
Recommendation
SIS No: FSL-396

SIS Function: FSL-396 that shuts down the regenerator on low nitrogen flow from the fines
remover blower.

Consequence Potential loss of containment if the temperature exceeds the

Description temperature limit of the equipment.
Initiating Cause High temperature occurs in the 1 1.00E-01

regeneration zone of the regenerator.

Layers
PSV None
Op Response Temperature indication TI-552-554 with 1.00E-01
high temperature alarms
Other None
Recommendation
SIS No: TSHH-371; TSHL-365

SIS Function: TSHH-371 that shuts down the regenerator on high-high regeneration vapor
temperature; TSHL-365 that shuts down the regenerator on high chlorination gas
temperature.

Consequence Failure to burn coke off of the catalyst in the regeneration zone,
Description potentially leading to a high concentration of coke on the catalyst in
the chlorination zone, which may cause an explosion that may injure
personnel in a medium-sized area, potential environmental impacts
in a small area.
Initiating Cause Low/no flow of regeneration vapor occurs. 1 1.00E-01


Layers
PSV None
Op Response Flow indication FC-379 with low flow 1.00E-01
alarm located on the air line to the
regeneration blower.
Other None
Recommendation
SIS No: FSL-384

SIS Function: FSL-384 located on the outlet of the regenerator heater that shuts down the
regenerator on low regeneration vapor flow.

Consequence Potential high temperature in the regenerator due to localized hot

Description spots, potential loss of containment if the temperature exceeds the
temperature limit f the equipment, potential release of combustion
gases, nitrogen, and/or catalyst that could result in a thermal burn
hazard that may injure personnel in a small area, potential
Initiating Cause The chlorination blower trips off. 1 1.00E-01


Layers
PSV None
Op Response None
Other None
Recommendation
SIS No: FSL-363

SIS Function: FSL-363 that shuts down the regenerator on low flow from the chlorination blower.

Consequence Potential high temperature in the regenerator due to localized hot

Description spots, potential loss of containment if the temperature exceeds the
temperature limit f the equipment, potential release of combustion
gases, nitrogen, and/or catalyst that could result in a thermal burn
hazard that may injure personnel in a small area, potential
Initiating Cause The regeneration cooler blower trips off 1 1.00E-01


Layers
PSV None
Op Response None
Other None
Recommendation
SIS No: XSL-385

SIS Function: XSL-385 that shuts down the CCR if the blower trips.

Consequence Potential high temperature in the regenerator chlorination zone due

Description to localized hot spots, potential loss of containment if the
temperature exceeds the temperature limit f the equipment, potential
release of combustion gases, nitrogen, and/or catalyst that could
result in a thermal burn hazard that may injure personnel in a small
area, potential environmental impacts in a small area.
Initiating Cause Low level occurs in the regenerator. 1 1.00E-01


Layers
PSV None
Op Response None
Other None
Recommendation
SIS No: PDSL-354

SIS Function: PDSL-354 that shuts down the regenerator on low differential pressure between
the disengaging hopper and the regenerator

Consequence Formation of an explosive mixture in the regenerator, leading to an

Description explosion that may injure personnel in a medium-sized area,
Initiating Cause Loss of nitrogen purge occurs during the 1 1.00E-01

black burn mode.

Layers
PSV None
Other None
Recommendation
SIS No: TSH-377; FSL-341

SIS Function: TSH-377 that shuts down the air heaters on high temperature; FSL-341 that shuts
down the CCR on low nitrogen purge gas flow.


Target Frequency Safety: 0.00E+00 Env: 0.00E+00 Com: 0.00E+00
Initiating Cause No credible causes identified. 1 1.00E-01

Independent Process Design 3 separate nitrogen purge cycles are None

Protection included in the PLC logic.
Layers BPCS None
PSV None
Other None
Recommendation
SIS No: PSH-345-1/345-2; FSL-304

SIS Function: PSH-345-1/345-2 that shutdown the CCR if purge pressure permissives are not
met; FSL-304 that stops the purge cycle timer on low nitrogen flow to lock hopper
No. 1


Initiating Cause Loss of nitrogen purge occurs to vent 1 1.00E-01

drum No. 2 off-gas line.

Layers
PSV None
Op Response None
Other None
Recommendation
SIS No: FSL-394

SIS Function: FSL-394 that shuts down the CDR on low-low nitrogen flow.

Consequence Reverse flow occurs in the reduction zone, high temperature,

Description potentially leading to release of hydrogen and catalyst if the
temperature exceeds the temperature limit of the equipment, which
may result in a fire and/or explosion that may injure personnel in a
Team agrees there is no credible consequences identified.
Initiating Cause Loss of hydrogen lift gas occurs. 1 1.00E-01

Intermittent Hazard The Team did not feel that this was a None
credible scenario.

Protection included in the PLC logic
Layers BPCS None
PSV None
Op Response Master verify alarm 1.00E-01
Other None
Recommendation
SIS No: FSL-346

SIS Function: FSL-346 that shuts down the CCR on low hydrogen lift gas flow.

Consequence Reverse flow occurs in the reduction zone, high temperature,

Description potentially leading to release of hydrogen and catalyst if the
temperature exceeds the temperature limit of the equipment, which
may result in a fire and/or explosion that may injure personnel in a
Initiating Cause Low level occurs in reactor No. 1 1 1.00E-01

reduction zone.
credible scenario.

Layers
PSV None
Op Response Level indication LI-309 with low level 1.00E-01
alarm
Other None
Recommendation
SIS No: LSL-309

SIS Function: LSL-309 that shuts down the CCR on low level in the reduction zone of reactor
No. 1

Consequence Potential oxygen carry through from lock hopper No. 2 into the
Description reduction zone of reactor No. 1, resulting in formation of an explosive
mixture in the regenerator, leading to an explosion that may injure
personnel in a medium-sized area, potential environmental impacts
in a small area.
Initiating Cause Nitrogen purging in lock hopper No. 2 is 1 1.00E-01

inadequate.
credible scenario.

Protection included in the PLC logic
Layers BPCS None
PSV None
Op Response Master verify alarm 1.00E-01
Other None
Recommendation
SIS No: FSL-304; PSH-305-1/305-2

SIS Function: FSL-304 that stops the purge cycle timer on low nitrogen flow to lock hopper No.1;
PSH-305-1/305-2 that shutdown the CCR if purge pressure permissives are not
met

Consequence High temperature, potentially leading to release of hydrogen and

Description catalyst if the temperature exceeds the temperature limit of the
equipment, which may result in a fire and/or explosion that may
injure personnel in a medium-sized area, potential environmental
Initiating Cause Reverse flow occurs in the reduction zone.1 1.00E-01

credible scenario.

Layers
PSV None
Op Response Temperature indication TI-500 with high 1.00E-01
temperature alarm
Other None
Recommendation
SIS No: TSH-311

SIS Function: TSH-311 that shuts down the CCR on high reduction zone temperature.

Consequence Potential backflow of hydrogen into the nitrogen system from the
Description nitrogen supply line to lock hopper No. 2, resulting in an explosion
that may injure personnel in a small-sized area, potential
Initiating Cause Loss of nitrogen supply pressure occurs. 1 1.00E-01

Intermittent Hazard This event requires multiple failures and is None
not credible.

Layers
PSV None
Op Response Low nitrogen flow switch FSL-341 that 1.00E-01
alarms and shuts down the CCR
Other None
Recommendation
SIS No: FSL-344

SIS Function: Low nitrogen flow switch FSL-344 that alarms and shuts down the CCR

Layer of Layer of Protection Analysis Analysis: NHT Reformer Unit

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Layer of Layer of Protection Analysis Analysis: NHT Reformer Unit

Uploaded by

Copyright:

Available Formats

Layer of

NHT Reformer Unit

TOTAL Petrochemicals USA, Inc.

Project No. 07-099

DISCLAIMER RELATING TO THIS REPORT

RRS Engineering, LLC Page i Project No. 07-099

1.1 Study Team ..................................................................................................................... 1

1.2 Study Dates ..................................................................................................................... 2

2.0 LOPA METHODOLOGY .................................................................................................................. 2

2.1 Scenario Identification ..................................................................................................... 4

2.2 Consequence Severity Evaluation.................................................................................. 4

2.3 Initiating Cause Likelihood Evaluation ............................................................................ 5

2.4 Independent Protection Layers (IPL) Evaluation............................................................ 7

2.5 Rules for Independent Protection Layers (IPLs) .......................................................... 10

3.0 SIS EVALUATION ......................................................................................................................... 13

5.0 LOPA WORKSHEETS .................................................................................................................. 18

RRS Engineering, LLC Page ii Project No. 07-099

Table 2. Review Team................................................................................................................... 2

Table 3. Hazard Scenario Target Frequencies............................................................................. 4

Table 4. Initiating Causes & Likelihood (ICLs) of Failure ............................................................. 6

Table 5. Examples of Safeguards Not Usually Considered IPLs ................................................ 8

Table 8. Safety Integrity Level (SIL) Determination ....................................................................13

Table 9. Recommendations ........................................................................................................16

Figure 1. LOPA Flowchart .............................................................................................................. 3

RRS Engineering, LLC Page iii Project No. 07-099

LAYER OF PROTECTION ANALYSIS

The objectives of the LOPA study were to:

Review the HAZOP to determine if the safeguards identified were adequate

1.1 Study Team

The LOPA Study Team is identified in Table 1.

Table 1. Study Team

RRS Engineering, LLC Page 1 Project No. 07-099

Name Company Job Title

1.2 Study Dates

Table 2. Review Team

2.0 LOPA METHODOLOGY

A Layer of Protection Analysis (LOPA) is a semi-quantitative risk assessment methodology. Put

RRS Engineering, LLC Page 2 Project No. 07-099

Figure 1. LOPA Flowchart

RRS Engineering, LLC Page 3 Project No. 07-099

2.1 Scenario Identification

2.2 Consequence Severity Evaluation

Table 3. Hazard Scenario Target Frequencies

RRS Engineering, LLC Page 4 Project No. 07-099

Severity Safety Environmental Commercial Target

2.3 Initiating Cause Likelihood Evaluation

RRS Engineering, LLC Page 5 Project No. 07-099

Table 4. Initiating Causes & Likelihood (ICLs) of Failure

RRS Engineering, LLC Page 6 Project No. 07-099

2.4 Independent Protection Layers (IPL) Evaluation

Specifically designed to prevent or mitigate consequences of a potentially

Dependable and can be counted on to do what it was intended to do

Auditable and a system to audit and maintain it

RRS Engineering, LLC Page 7 Project No. 07-099

Table 5. Examples of Safeguards Not Usually Considered IPLs

RRS Engineering, LLC Page 8 Project No. 07-099

Table 6. Probability of Failure on Demand (PFD) for

Relief valve 1 x 10-2

Rupture disc 1 x 10-2

Flame / detonation arrestors 1 x 10-2

Tandem seals 1 x 10-1

Underground drainage system 1 x 10-2

Open vent (no valve) 1 x 10-2