
CCPS Monograph:

Methods to Analyze Loss-of-Containment Scenarios

Table of Contents
Analyzing Loss-Of-Containment Scenarios with Typical Preventive Safeguards
Analyzing Loss-Of-Containment Scenarios with No Preventive Safeguards
Conclusions
Guidance and Proposed Approach
References
Acknowledgements
Appendix A: Survey Results Summary
Appendix B: Checklist for Evaluation of Loss of Containment Scenarios

AIChE 2023. All rights reserved. Reproduction for non-commercial, educational purposes is encouraged.
However, reproduction for any commercial purpose without express written consent of AIChE is strictly prohibited.
Analyzing Loss-Of-Containment Scenarios with Typical Preventive Safeguards

In 2008, the Center for Chemical Process Safety (CCPS) published its Third Edition of Guidelines for
Hazard Evaluation Procedures [1]. The Guidelines differentiate between safeguards, containment and
control, as illustrated in Figure 1.5 of that document. In the context of process hazard analyses, a
safeguard is defined as any device, system, or action that would likely interrupt the chain of events
following an initiating cause or mitigate the loss event impact [1].

Many process hazard analysis (PHA) scenarios that could lead to loss of containment focus heavily on
preventive safeguards, as illustrated by the following Hazard and Operability (HAZOP) Study scenario:

Guide word: MORE
Deviation: Fluid pressure > [high limit] to downstream process
Cause: Pressure regulator fails open
Consequences: Overpressurize downstream piping and/or vessels; fail primary containment; release to surroundings
Safeguards:
• Vent excess pressure to flare automatically
• Pressure safety valve sized for regulator failure

Types of process deviations that could lead to loss of primary containment (LOPC) include those that can
exceed design limits, such as:

• Overpressuring of equipment
• Underpressuring of equipment (vacuum)
• Overheating of equipment
• Cooling of equipment (embrittlement)
• Overflow of equipment and tankage (storage vessels, etc.)
• Wrong process materials, reaction products, or by-products
• Abnormal impurities
A more detailed breakdown of such possible deviations is given in Appendix A of Guidelines for Vapor
Release Mitigation [2].
Typical preventive safeguards that may apply to scenarios that involve process deviations include:

• A safety function implemented in the basic process control system (BPCS)
• Operator monitoring, deviation detection, and intervention
• Operator response to a process alarm with adequate time to respond
• Reverse flow protection
• Automatic safety shutdowns (safety instrumented functions independent of the BPCS)
• Emergency relief systems
• Independent verification checks in procedure-based operations
Hazard Identification and Risk Assessment (HIRA) techniques such as HAZOP Studies are well suited to
identifying and evaluating scenarios of this nature.

Analyzing Loss-Of-Containment Scenarios with No Preventive Safeguards

By contrast, many LOPC scenarios involve situations where the initiating cause can lead directly to a
material and/or energy release, with no practical intervening preventive safeguards. Examples include:

• Premature opening or failure of a relief device discharging directly to the atmosphere
• Deterioration of the primary containment system to the point of leak or rupture
• Imperfections and/or design deficiencies in the primary containment system significant enough
to result in leak or rupture
• External forces (natural or human-induced) impacting the containment system while
operating within design limits (e.g., earthquake, crane strike).
For these scenarios, the initiating cause leads directly to the release of hazardous material and/or
energy, with no preventive safeguards intervening. The initiating cause (synonymous with initiating
event) is the operational error, mechanical failure, or external event or agency that is the first event in
an incident sequence and marks the transition from a normal situation to an abnormal situation from
the perspective of process operations. An example of such a scenario follows:

Guide word: NONE
Deviation: No flow to [downstream]
Cause: Corrosion/erosion to point of pipeline failure
Consequences: Loss of primary containment; release process material to surroundings
Safeguards: [No preventive safeguards]

It is tempting in such cases to list contain and control measures such as “Mechanical integrity thickness
checks of piping system” as HAZOP Study safeguards for such scenarios. However, contain and control
measures such as thickness checks do not meet the CCPS definition of a safeguard, in that they do not
interrupt the chain of events following the initiating cause. A very important reason for not including
them as safeguards is that, if they are counted on to reduce the scenario frequency in the same way
as independent protection layers are, they would be double-counted if they were already taken into
account when estimating the initiating cause frequency—a non-conservative error that would under-
predict the true scenario risk.

So then, what is the best way to address LOPC scenarios of this nature in a PHA? This document aims to
address this question, with the help of a survey of 77 CCPS member companies in response to questions
related to this topic. A summary of the survey results is available in Appendix A.
Six different approaches are described in the paragraphs that follow. They are not listed in order of
preference or frequency of usage. Rather, they are in general order of complexity, from least to most
complex. Note that respondents were allowed to select more than one approach, so the percentages do
not add up to 100%.

How LOPC scenarios are addressed in PHAs may be influenced by location-specific regulatory
requirements; hence, not all of these approaches may be valid in a given context. This issue was not
specifically addressed in the survey or in the approaches listed.

Approach 1: Exclude from PHAs all LOPC scenarios not resulting from process deviations
Sixteen percent of the CCPS member company survey respondents indicated they specifically excluded
scenarios not resulting from process deviations from their PHAs. One argument for this approach may
be that these types of scenarios are not amenable to process hazard analysis and are best managed
through other means. Two possibilities (not mutually exclusive) are:
(a) Managing LOPC risks resulting from something other than the typical process deviations by
executing other Risk Based Process Safety elements [3], particularly Asset Integrity and Reliability
(also known as Mechanical Integrity), but also other elements such as Knowledge Management
(Process Safety Information), Operational Readiness (Pre-Startup Safety Reviews), and
Management of Change. This approach indicates a strong reliance upon equipment inspections
and tests and/or an understanding that PHAs tend to miss such scenarios.

(b) Managing LOPC risks not resulting from process deviations by performing facility siting studies
using approaches such as those in the American Petroleum Institute’s Recommended Practices
752, 753, and 756 [4, 5, 6]. Such studies select “evaluation-case events” such as failure of the
largest connection to a vessel and determine whether personnel in surrounding structures are
adequately protected. For fixed occupied structures, RP 752 also allows a risk-based approach to
be followed.

Approach 2: Qualitatively assess LOPC scenarios not resulting from process deviations
By this approach, the PHA team would likely use team consensus to identify and qualitatively evaluate
weaknesses in the containment of process materials and energies, using a Checklist Analysis, What-If
Analysis, HAZOP Study, and/or Failure Modes and Effects Analysis. Eighteen percent of survey
respondents indicated they include a general loss-of-containment question in a global node to address
this issue. Sixteen percent of respondents indicated they include a parameter of “containment” when
they analyze every node to get the PHA team’s input. This approach may require one or more subject
matter experts to supplement the experience and knowledge of the core PHA team members, as there
is no formal structure for identifying weaknesses. However, this strategy does not necessarily rule out
further analysis using one or more additional approaches.

Approach 3: Use likelihood categories to assess LOPC scenarios not resulting from process deviations
With this approach, the PHA team would likely be using descriptive categories to evaluate the frequency
of identified scenarios, then use a risk matrix to combine this with an assessed severity of consequences
to determine the scenario risk. One main drawback of this approach is that if such scenarios get assigned
a “Remote” likelihood (or similar), they may fall into a facility’s tolerable risk range regardless of the
LOPC impact. Fourteen percent of survey respondents indicated that scenarios not resulting from
process deviations fell into this category. A greater number of survey respondents (26%) indicated that
if they assess a remote likelihood but a catastrophic impact, they will perform a more detailed analysis
to determine whether the risk is tolerable. Usage of one or more additional techniques may apply to this
approach as well.

Approach 4: Use data to assess LOPC likelihood


Sixteen percent of respondents indicated they use data to assess an order-of-magnitude or category
likelihood of a LOPC event not resulting from a process deviation. Standard available databases were
used as the basis for determining frequencies. Such data could range from suggested order-of-
magnitude values to more detailed “parts-count” approaches typically used in quantitative risk analyses.
For example, the following order-of-magnitude frequency values are typically used [7]:

Generic Initiating Event Frequencies*

1 / year                  Pump seal leak
0.1 / year                Complete primary pump seal failure
0.1 / year                Hose leak
0.01 / year               Hose rupture
0.01 / year               Premature opening of spring-loaded relief valve
10^-5 / year              Atmospheric tank: catastrophic failure
10^-4 / year              Atmospheric tank: continuous 10 mm diameter leak
10^-5 / year              Pressure vessel: catastrophic failure
10^-6 / year per meter    Aboveground piping: full breach failure (pipe size ≤ 6 in or 150 mm)
10^-5 / year per meter    Aboveground piping: leak (pipe size ≤ 6 in or 150 mm)
10^-7 / year per meter    Aboveground piping: full breach failure (pipe size > 6 in or 150 mm)
10^-6 / year per meter    Aboveground piping: leak (pipe size > 6 in or 150 mm)

* See Chapter 4 data tables from original text [7] for descriptions, special considerations, initial quality
assurance, generic validation methods and sources of guidance.

Quantitative risk analyses may use some of these same values but would typically analyze piping system
failure frequencies in more detail than the above order-of-magnitude frequencies that do not, for
example, make a distinction between an all-welded straight piping run and a complex piping system with
many flanges, valves, etc. One example of more detailed parts-count frequencies is given in
Reference [8]. Other data sources are also available.

A separate survey question asked, “If you do include random mechanical failures (residual failures) as
loss-of-containment initiating causes, what specific scenarios are identified and evaluated? (Choose all
that apply).” The following results were returned, along with the percent of respondents selecting each
item:
a. Catastrophic vessel failure (40%)
b. Failure of the largest connection to a vessel (33%)
c. Full-bore line failures (36%)
d. Major leaks (e.g., 10% of effective cross-sectional area of pipe, including cracks as well as holes)
(47%)
e. Minor leaks (packing, etc.) (43%)
f. Gasket and seal failures (47%)
g. Gasket and seal leaks (48%)
h. Hose and other flexible connection failures (68%)
i. Indirect release (e.g., tube-to-shell leak [tubesheet leak], other internal heat exchanger failure)
(47%)

Approach 5: Assess specific damage mechanisms


Forty-three percent of survey respondents indicated they only include and analyze LOPC scenarios not
involving process deviations if they can identify a specific damage mechanism (corrosion, erosion,
fatigue, hydrogen embrittlement, etc.) that would cause the failure. A separate survey question asked
for specific damage mechanisms identified and evaluated, with the following results reported:
a. Corrosion under insulation (56%)
b. Erosion (40%)
c. Stress corrosion cracking (47%)
d. Incompatible materials (e.g., carbon steel inappropriately substituted for stainless steel) (56%)
e. Change in process chemistry/product composition (57%)
f. Thermal stress (48%)
g. Other (13%) – Specific responses included external blisters/pitting, high temperature hydrogen
attack, caustic cracking, dew point corrosion, popcorn polymers, low temperature embrittlement,
vibration, and hammering
Some respondents indicated that damage mechanisms were identified and evaluated not in PHAs but
rather at the material selection/design stage or as part of other management systems (mechanical
integrity / integrity operating window program, management of change, etc.). Damage mechanisms
could also be covered in a PHA by a checklist review that includes the appropriate subject matter experts.
Approach 6: Take credit for the detection of incipient failures if warranted
A separate survey question asked how often detecting incipient failures (e.g., leak before break) is
considered in the analysis of line/vessel failure scenarios. The following results were returned:
a. Never or rarely (38%)
b. Sometimes (20%)
c. Always or nearly always (5%)
d. We use detection of incipient failures (and correction or shutdown before loss of containment)
as a safeguard in our PHA scenarios where the damage mechanism is such that leak-before-break
is likely (21%)
e. No answer given (16%)
A key question arises as to whether detection of incipient failures should be included as safeguards in
PHAs. The answer to that question hinges on
(1) what is meant by an “incipient failure,”
(2) whether it applies to a given scenario, and
(3) what the organization defines as a “failure”.
These three points will be addressed in the paragraphs that follow.

(1) What is meant by an “incipient failure”


The CCPS Process Safety Glossary [9] gives the following definitions:
Incipient failure - An imperfection in the state or condition of hardware such that a degraded or
catastrophic failure can be expected to result if corrective action is not taken.
Failure - Loss of ability to perform as required.
Degraded failure - A failure which is gradual or partial; it does not cease all function but compromises
that function. It may lower output below a designated point, raise output above a designated point
or result in erratic output. A degraded mode might allow only one mode of operation. If left
unattended, the degraded mode may result in a catastrophic failure.
Catastrophic failure - A failure which is both sudden and causes termination of one or more
fundamental functions.

The above definition of “degraded failure” appears to apply more to instrumentation than to the
integrity of the primary containment system. A concept that more closely ties in with mechanical
integrity is the term deficiency, in the context of managing equipment deficiencies [10]. The following
definitions apply:
Deficiency - A condition that does not meet the acceptance criteria.
Acceptance criterion - Technical basis used to determine whether equipment is deficient
(e.g., when analyzing inspection, testing, and preventive maintenance [ITPM] results).
These concepts come together in the following figure [10]:

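[Figure: equipment condition degrading over time, from New Condition through the Acceptable range, past the Acceptance Criterion into the Deficient range, to Loss of Integrity. Axes: Degradation, Time.]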

For example, if the acceptance criterion for a vessel is the minimum wall thickness, then if the vessel wall
thins to less than the minimum wall thickness, it is in a deficient condition but not in a failed (LOPC) state.
It is generally possible, for a gradual wall thinning mechanism, to detect the deficient condition and
correct it (or re-rate the vessel) before failure occurs. However, the process can still operate within the
limits of normal process operation with a deficient wall thickness, so in this case realizing a deficient
condition does not meet the definition given above for a scenario initiating cause (which would be at the
mechanical failure point in time).

(2) Whether it applies to a given scenario


Some survey respondents acknowledged that some damage mechanisms may more gradually lead to
LOPC and, for such mechanisms, an incipient failure may be detected and corrected (or the system
brought to a safe state) before LOPC occurs.

(3) What the organization defines as a “failure”


What is considered a containment system “failure” to one company may not be a “failure” to another
organization. For example, for containing a hazardous material, one facility might consider that their
containment system is “performing as required” if it is leak-tight with no measurable or observable leaks.
Thus, for them, a leak of any size would constitute a “loss of ability to perform as required.” For another
facility, a minimum leak size (e.g., one drop per minute or one drop per second, depending on the
material) might be defined, for PHA purposes, as not a consequence of concern. Instead, it may be an
“incipient failure” but not a “failure” of the containment system. For this situation, the maximum
acceptable leak size is the “acceptance criterion” for determining an equipment deficiency, and in this
case, a deficient condition is the same as an incipient failure.
A more general picture, when a “deficient condition” is different from an “incipient failure,” can be
illustrated as follows:

All criteria within acceptable range → Deficient condition → Incipient failure → Failure (LOPC)

For example, gradual wall thinning to below the minimum wall thickness would put the equipment into
a deficient condition, and if the thinning continues, it may result in an incipient failure (minor leak) before
total failure (LOPC). There are two points in this process at which inspections, tests, observations,
condition monitoring, etc. might detect the situation in time to avert a failure: first as a deficient
condition and then as an incipient failure. The PHA initiating cause for this situation is still the LOPC
equipment failure. If the initiating cause frequency is not estimated directly from generic or historical
data, then it may be able to be estimated as follows, in general form:

Deficient condition frequency (per year)
× Probability of not detecting and correcting deficient condition in time to avoid incipient failure
× Probability of not detecting and correcting incipient failure in time to avoid LOPC
= Initiating cause (LOPC) frequency (per year)

Evaluating the situation in this way may result in a better estimate of the LOPC frequency when the
damage mechanism under study involves gradual deterioration in the integrity of the containment
system over time. Of course, if an incipient failure cannot be detected or the transition from an incipient
failure to LOPC happens rapidly, then the “Probability of not detecting and correcting incipient failure in
time to avoid LOPC” would be equal to 1.
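
The frequency relation above, worked through as an added example (not code from the monograph). It places the two estimation routes side by side: the per-meter aboveground piping values quoted in the Approach 4 table, and the deficient-condition product with its two detection probabilities. The function and class names, the pipe lengths and the probability values are constructed for illustration.

```python
import math
from dataclasses import dataclass

# Order-of-magnitude aboveground piping values from the Approach 4 table
# (per year per meter). "small" = pipe size <= 150 mm, "large" = > 150 mm.
PIPING_FREQ_PER_M_YR = {
    ("leak", "small"): 1e-5,
    ("full_breach", "small"): 1e-6,
    ("leak", "large"): 1e-6,
    ("full_breach", "large"): 1e-7,
}


def generic_piping_frequency(length_m: float, diameter_mm: float, mode: str) -> float:
    """Route A: generic per-meter data scaled by run length (result per year)."""
    if length_m <= 0 or diameter_mm <= 0:
        raise ValueError("length and diameter must be positive")
    size = "small" if diameter_mm <= 150 else "large"
    try:
        per_m = PIPING_FREQ_PER_M_YR[(mode, size)]
    except KeyError:
        raise ValueError(f"unknown failure mode: {mode!r}") from None
    return per_m * length_m


@dataclass(frozen=True)
class DegradationPath:
    """Route B: gradual damage mechanism with two chances to catch it."""
    deficient_freq_per_yr: float   # deficient condition frequency (per year)
    p_miss_deficient: float        # P(deficient condition not detected/corrected in time)
    # Default 1.0: incipient failure undetectable, or leak-to-LOPC too fast to act on.
    p_miss_incipient: float = 1.0

    def __post_init__(self):
        if self.deficient_freq_per_yr < 0:
            raise ValueError("frequency cannot be negative")
        for name in ("p_miss_deficient", "p_miss_incipient"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{name} must be a probability in [0, 1]")

    def lopc_frequency(self) -> float:
        """Deficient frequency x P(miss deficient) x P(miss incipient)."""
        return (self.deficient_freq_per_yr
                * self.p_miss_deficient
                * self.p_miss_incipient)


def initiating_cause_frequency(generic_per_yr=None, path=None) -> float:
    """Return the LOPC initiating-cause frequency from exactly one route.

    The detection probabilities belong to Route B only. Accepting both inputs
    would invite multiplying them onto a generic or historical frequency,
    which is the double-counting error the text warns against.
    """
    if (generic_per_yr is None) == (path is None):
        raise ValueError("supply exactly one of generic_per_yr or path")
    if path is not None:
        return path.lopc_frequency()
    if generic_per_yr < 0:
        raise ValueError("frequency cannot be negative")
    return generic_per_yr


if __name__ == "__main__":
    # Constructed sample: 120 m run of 100 mm aboveground piping.
    leak = generic_piping_frequency(120, 100, "leak")
    print(f"Route A, leak:        {initiating_cause_frequency(generic_per_yr=leak):.1e} /yr")

    # Constructed sample: wall thinning found deficient once in 20 years,
    # inspections miss it 10% of the time, leak-before-break missed 50%.
    gradual = DegradationPath(0.05, 0.1, 0.5)
    rapid = DegradationPath(0.05, 0.1)  # no credit for incipient-failure detection
    print(f"Route B, gradual:     {initiating_cause_frequency(path=gradual):.1e} /yr")
    print(f"Route B, rapid break: {initiating_cause_frequency(path=rapid):.1e} /yr")
```
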

Conclusions

The survey results and this monograph have shown that several approaches are available for addressing
potential incident scenarios that are not as easily assessed with traditional PHA techniques. For these
scenarios, the initiating cause directly results in loss of containment, with few or no practical preventive
safeguards. For such scenarios, most risk management strategies focus on measures to keep the
initiating cause from occurring, mitigate the loss-of-containment impact, or both. There is no
intermediate option to react to the initiating event and prevent it from propagating to a LOPC event.
Organizations need to have a defined process for identifying and addressing such loss-of-containment
scenarios. Whether handled in the normal course of a PHA, included as a part of an overall facility siting
study, or addressed in a stand-alone analysis, a process for identifying, assessing, and addressing the risk
from such scenarios is a necessary part of overall risk management. Based on a company’s individual
experience and culture, a multi-pronged approach may be best.

Guidance and Proposed Approach

Using the examples presented in this document, as well as the checklist provided in Appendix B, the
following approach might provide all the necessary elements for proper risk management of loss-of-
containment scenarios with no preventive safeguards.

Natural hazards
For naturally occurring hazards (often referred to as Acts of God), an overall approach (such as inclusion
in a global PHA node or as an element of the site’s facility siting assessment) would be prudent, since
such events impact equipment and buildings on a site-wide basis rather than individual unit operations.
Awareness of key data, such as the earthquake zone, maximum expected wind speed, 100- and 500-year
flood levels, and other geological/meteorological data would allow assessment of the strength of site
infrastructure, leading to an overall protective strategy for equipment support, foundation design, and
sewer and runoff drainage, which can significantly reduce the risk from a natural hazards event. A good
reference for this subject is the CCPS monograph on Assessment of and Planning for Natural Hazards
[11].

Human activity hazards (general)


Conversely, human-activity hazards, such as crane drops or forklift strikes, are better addressed on a
system-by-system or location-by-location basis. Contain and control measures (bollards, traffic
restrictions, piping supports) can be identified and implemented on a case-by-case basis, rather than by
a site-wide program.

Deterioration of the equipment containment boundary


Equipment degradation (e.g., wall thinning, weld, and joint deterioration), which can ultimately result in
loss of primary containment, may be the result of a number of different factors, including inadequate
design, improper selection of material of construction, improper maintenance, erosion, corrosion,
contamination, and age. Analysis of such factors is strongly dependent upon process- and location-
related factors, and as such, can be handled using the Process Safety Information and Process Knowledge
Management of an individual organization. Subject matter expertise in the process is key to effective
risk management in these cases, combined with a rigorous inspection and testing program (including
initial inspection, which sets the baseline from which all future evaluations are made). As discussed in
Approaches 5 and 6 above, there may be circumstances under which some credit can be claimed for
detecting either a defect or incipient failure. Claiming such credit is based on the combination of deep
understanding of the process, similar processes, and relevant previous incidents, combined with rigid
operational discipline in conducting inspections and tests and acting on their results.

Unintended operation of equipment
Vents and drains, by design, are loss-of-containment points, as their normal function is to remove
material (in a controlled, intended fashion) from the process. When vents and drains are activated in a
manner other than intended, they become a source of LOPC events. In particular, pressure relieving
devices (e.g., safety relief valves, rupture discs, conservation vents) that relieve prematurely can be
treated as LOPC events, even if they are not treated as a tiered event (per API RP 754). While testing of
reseating devices (i.e., relief valves) may provide some preventive assurance, most responses to
unintended relief device activation will be mitigative.

Knock-on (domino) effects


For many scenarios considered in this monograph, the potential for significant knock-on or domino
effects is high. Practitioners are encouraged to formally include the potential for such effects in their
PHA or other types of analysis.

References

1. Center for Chemical Process Safety, Guidelines for Hazard Evaluation Procedures, Third Edition
(Hoboken, NJ: John Wiley & Sons, 2008)
2. Center for Chemical Process Safety, Guidelines for Vapor Release Mitigation (Hoboken, NJ: John
Wiley & Sons, 1988)
3. Center for Chemical Process Safety, Guidelines for Risk Based Process Safety (Hoboken, NJ: John
Wiley & Sons, 2007)
4. API Recommended Practice 752, Management of Hazards Associated with Location of Process
Plant Buildings (American Petroleum Institute, Washington, DC)
5. API Recommended Practice 753, Management of Hazards Associated with Location of Process
Plant Portable Buildings (American Petroleum Institute, Washington, DC)
6. API Recommended Practice 756, Management of Hazards Associated with Location of Process
Plant Tents (American Petroleum Institute, Washington, DC)
7. Center for Chemical Process Safety, Guidelines for Initiating Events and Independent Protection
Layers in Layer of Protection Analysis (Hoboken, NJ: John Wiley & Sons, 2015)
8. M. Moosemiller, “Development of Algorithms for Predicting Ignition Probabilities and Explosion
Frequencies,” 43rd Annual Loss Prevention Symposium (American Institute of Chemical Engineers,
2009)
9. Center for Chemical Process Safety, Process Safety Glossary,
http://www.aiche.org/ccps/resources/glossary, accessed 20 September 2022
10. Center for Chemical Process Safety, Guidelines for Asset Integrity Management (Hoboken, NJ: John
Wiley & Sons, 2016), Chapter 11
11. Center for Chemical Process Safety, CCPS Monograph: Assessment of and Planning for Natural
Hazards, 2019,
https://www.aiche.org/sites/default/files/html/536181/NaturalDisaster-CCPSmonograph.html
12. API Recommended Practice 571, Damage Mechanisms Affecting Fixed Equipment in the Refining
Industry (American Petroleum Institute, Washington, DC)

Acknowledgements

This monograph was created by a sub-committee of CCPS members with Bob Johnson of the Unwin
Company as the primary author of the document and Peter Lodal, D&H Process Safety and CCPS
Contractor providing oversight. It is made available for use with no legal obligations or assumptions.
Corrections, updates, and recommendations should be sent to Dr. Anil Gokhale at ccps@aiche.org. CCPS
acknowledges and thanks the following for their contribution to, and review of this document.

Contributing/ Peer Review Team


Derek Bergeron ABS
Katie Bramhall Parkland Refining
Curtis Clements Chemours
Ramesh Harrylal Natural Gas Co. of Trinidad and Tobago
Scott Link Nova Chemicals
Mohammad Nashwan Saudi Aramco
Irfan Shaikh Chevron
Jerome Taveau Jensen Hughes
John Traynor Evonik
Laura Turci 3M
Jennifer Bitz CCPS Staff

CCPS would also like to thank over 70 individuals who took the time to complete and return the survey,
upon which this document is based.
It is sincerely hoped that the information presented in this document will lead to an even more
impressive record for the entire industry; however, the American Institute of Chemical Engineers, its
consultants, CCPS Subcommittee members, their employers, and their employers’ officers and directors
disclaim making or giving any warranties, expressed or implied, including with respect to fitness,
intended purpose, use or merchantability and/or correctness or accuracy of the content of the
information presented in this document. As between (1) American Institute of Chemical Engineers, its
consultants, CCPS Subcommittee members, their employers, and their employers’ officers and directors
and (2) the user of this document, the user accepts any legal liability or responsibility whatsoever for the
consequence of its use or misuse.

Appendix A: Survey Results Summary

There were 77 “unique” surveys after duplicates were removed.


Questions are listed with the breakdown of the answers received. Each answer has the number of
responses and the percentage of participants making that response (in red). Since multiple answers
were allowed, this was determined to be the best way to display the data.
Many questions include committee comments on the results.
1. How do you generally address loss-of-containment scenarios where the initiating cause is a
random mechanical failure (residual failure) of a line or vessel; i.e., not due to a process deviation
or an external force? (Choose all that apply)

a. We specifically exclude them from HIRAs/PHAs (12, 15.6%)
b. We include them in our HIRAs/PHAs but, since they nearly always get a “Remote”
likelihood (or similar), they fall into our tolerable risk range. (11, 14.3%)
c. We include them in our HIRAs/PHAs, and if they get a remote likelihood but catastrophic
consequence, we perform a more detailed analysis (e.g., LOPA), to determine whether
the risk is tolerable. (20, 26%)
d. We include a parameter of “containment” when we analyze every node and get team’s
input. (12, 15.6%)
e. We include a general loss of containment question in a global node to address this issue
(14, 18.2%)
f. We include them in our HIRAs/PHAs and use data to assess an order-of-magnitude or
category likelihood of the failure (12, 15.6%)
g. We only include and analyze them if we can identify a specific damage mechanism
(corrosion, erosion, fatigue, hydrogen embrittlement, etc.) that would cause the failure.
(33, 42.9%)
h. Other (24, 31.2%)
Comments:
Most of the responses excluding HIRA stated that they felt that their Asset Integrity program
covered the need.
For those who included them, they used standard available databases for determining frequency.

2. If you do include random mechanical failures (residual failures) as loss-of-containment initiating
causes, what specific scenarios are identified and evaluated? (Choose all that apply)
a. Catastrophic vessel failure (31, 40.3%)
b. Failure of the largest connection to a vessel (25, 32.5%)
c. Full-bore line failures (28, 36.4%)
d. Major leaks (e.g., 10% of effective cross-sectional area of pipe, including cracks as well as
holes) (36, 46.8%)
e. Minor leaks (packing, etc.) (33, 42.9%)
f. Gasket and seal failures (36, 46.8%)
g. Gasket and seal leaks (37, 48.1%)
h. Hose and other flexible connection failures (52, 67.5%)
i. Indirect release (e.g., Tube-to-Shell leak (tubesheet leak), other internal heat exchanger
failure) (36, 46.8%)
j. Other (20, 26.0%)
Comments:
Many entries checked nearly every box.

3. What specific tools do you use to identify and analyze loss of primary containment scenarios
(Check all that apply)
a. HAZOP (66, 85.7%)
b. Bow-Tie (18, 23.4%)
c. LOPA (43, 55.8%)
d. Checklist (17, 22.1%)
e. What-If (44, 57.1%)
f. FMEA (13, 16.9%)
g. RAST (5, 6.5%)
h. Quantitative Risk Analysis (QRA) (40, 50.9%)
i. Other (please specify) (12, 15.6%)
Comments:
HAZOP was the overwhelming answer here. More than half of respondents answered LOPA, but
there were a number of respondents who felt that this topic was not amenable to LOPA.

4. Do you generally include premature/spurious (not related to overpressure per se) opening of
relief devices as scenario initiating causes?
a. Yes, under all circumstances (11, 14.3%)
b. Yes, but only if the release is not contained/treated (e.g., flare) (20, 26%)
c. No (34, 44.2%)
d. Sometimes (10, 13.0%)
e. Only in specific services (2, 2.6%)
Comments:
Almost half the respondents do not consider relief discharge as a scenario.

5. Do you generally include opening of drain or vent lines during facility operation as scenario
initiating causes (e.g., by human error, by a valve failing open, or by leak-through of a valve)?
a. Yes (48, 62.3%)
b. No (8, 10.4%)
c. Sometimes (18, 23.4%)
d. Only in specific services. (3, 3.9%)

Comments:
A much higher percentage of respondents are concerned about drains and/or vents as compared
to relief discharges.

6. How do you generally identify and evaluate scenarios relating to external forces from unintended
mechanical impact (e.g., forklifts, vehicles, cranes, loss of piping support, etc.), or damage from
ill-advised use of mechanical force to address operability issues (e.g., hammering on solids
handling equipment), impacting the primary containment system and causing loss of
containment?
a. They are specifically excluded from our HIRAs/PHAs. (14, 18.2%)
b. They are included, with standard default values used for the likelihood of occurrence. (7,
9.1%)
c. They are included if specific external force(s) are identified that are relevant to the
process being studied. (31, 40.3%)
d. For every node or segment being studied, we use a checklist of possible external forces
to help identify ones that are relevant to the node or segment (5, 6.5%)
e. It is included as a part of the Facility Siting study (9, 11.7%)
f. Other (10, 13%)

Comments:
As with previous answers, many who exclude it from HIRA address it through their Asset Integrity
program.

7. How do you generally identify and evaluate scenarios relating to external forces from natural
phenomena (e.g., wind, earthquake, fire, etc.) impacting the primary containment system and
causing loss of containment?
a. They are specifically excluded from our HIRAs/PHAs. (16, 20.8%)
b. They are included, with standard default values used for the likelihood of occurrence. (2,
2.6%)
c. They are included if specific natural event(s) are identified that are relevant to the process
being studied. (13, 16.9%)
d. For every node or segment being studied, we use a checklist of possible external forces
to help identify ones that are relevant to the node or segment (8, 10.4%)
e. It is included as a part of the Facility Siting study (18, 23.4%)
f. Other (20, 26%)
Comments:
Some responders stated that they have checklists for specific geographical areas; e.g., an
earthquake checklist for California facilities.

8. How are specific damage mechanisms identified and evaluated? For example:
a. Corrosion Under Insulation (CUI) (43, 55.8%)
b. Erosion (31, 40.3%)
c. Stress Corrosion Cracking (SCC) (36, 46.8%)
d. Incompatible materials (e.g., carbon steel inappropriately substituted for stainless steel)
(43, 55.8%)
e. Change in process chemistry/product composition (44, 57.1%)
f. Thermal stress (37, 48.1%)
g. Other (21, 27.3%)

Comments:
Most comments here seem to reflect the particular businesses and products made.

9. How often do you include consideration of detecting incipient failures (e.g., leak before break) in
your analysis of line/vessel failure scenarios? (Choose all that apply)
a. Never or rarely (29, 37.7%)
b. Sometimes (15, 19.5%)
c. Always or nearly always (4, 5.2%)
d. We use detection of incipient failures (and correction or shutdown before loss of
containment) as a safeguard in our HIRA/PHA scenarios where the damage mechanism is
such that leak-before-break is likely (16, 20.8%)
e. Other (13, 16.9%)

Comments:
For those who answered d), it appears that they have a strong evidence-based inspection
program that identifies those areas where the damage mechanism may allow for detection.
Most responders do not do this or do it only occasionally.

10. Are domino/knock-on effects considered?
a. Yes, explicitly in the PHA/HIRA (12, 15.6%)
b. Yes, but as part of the Facility Siting study (19, 24.7%)
c. No, they are not considered (36, 46.8%)
d. Other (9, 11.7%)

11. Anything else related to loss of primary containment scenarios that you would like for the
committee to know/to be addressed as a part of this effort?
Here are a few of the comments made by those surveyed. See survey results for a complete
listing.
Mechanical Integrity scenarios are better handled outside of LOPA due to the administrative
nature of the controls (e.g. inspection methods, frequency, initiating event frequency, design, etc.)

Double jeopardy is not considered while evaluating the failure scenarios. However, an incident takes
place when one or more controls fail. The guidance on this aspect shall also be elaborated in the
project.

Our regulator asks us to include mechanical integrity scenarios in our PHAs, but there is no
internationally accepted standard to follow at this moment. Your project would/could as such be
very helpful!

It would be good to have a discussion on passive scenarios that could be managed in the PHAs
that are independent from the ones covered in facility siting/QRAs

Best wishes, as the industry really needs a simple yet comprehensive technique to account for the
above scenarios.

Appendix B: Checklist for Evaluation of Loss of Containment Scenarios

1. Natural hazards
a. Types of Hazards
i. Earthquake
ii. Wind
iii. Fire risk (external)
iv. Flood
v. Lightning
vi. Subsidence; settlement of equipment or structural supports
vii. Other (specify)
b. Assessment Needs
i. Site Infrastructure
1. Electricity
2. Water
3. Steam/other heating medium
4. Instrument air
5. Nitrogen
6. Other (specify)
ii. Equipment Support
1. Foundation design
2. Drainage/runoff
3. Lightning protection
4. Other (specify)
From CCPS Monograph: Assessment of and Planning for Natural Hazards [11]

2. Human activity hazards (general)
a. Types of Hazards
i. Vehicular (forklift, truck, etc.)
ii. Excavator
iii. Crane drop
iv. Improper maintenance or maintenance materials
v. Construction/installation errors
vi. Other (specify)
b. Assessment Needs
i. Traffic Control and Restriction
ii. Physical barriers (bollards, Jersey barriers, etc.)
iii. Quality management; spare parts management
iv. Other (specify)

3. Equipment Deterioration
a. Types of Hazards
i. Corrosion
1. General
2. Stress-corrosion cracking (SCC)
3. Microbial induced corrosion (MIC)
4. Corrosion under insulation (CUI)
ii. Erosion
iii. Fatigue
iv. Wear and tear
1. Normal
2. Abnormal
v. Contamination
vi. Hydrogen embrittlement
vii. High temperature hydrogen attack
viii. Support failure
ix. Other (specify)
b. Assessment Needs
i. Asset Integrity Program assessment, testing and inspection Protocol
1. Type
2. Frequency
ii. Online corrosion monitoring
iii. Positive materials identification (PMI)
iv. Expected remaining life methodology
v. Other (Specify)

From API Recommended Practice 571, Damage Mechanisms Affecting Fixed Equipment in the
Refining Industry [12]

4. Unintended operation of equipment
a. Types of Hazards
i. Vent and drain point
1. Automatic
2. Manual
3. Spurious opening of relief device
ii. Misrouting of material
iii. Tank overfill
iv. Premature opening of equipment
v. Other (specify)

b. Assessment Needs
i. Conduct of operations assessment
1. Lock-and-tag execution and reversal
2. Permitting system
ii. Leak detection
1. Online
2. Computational (inventory loss calculation)
iii. Other (specify)

5. Knock-on (domino) effects – Specify
