When I am running a LOPA workshop (or the preceding HAZOP), I have regularly come across the issue of reverse flow through a compressor when the compressor stops or trips. The issue is particularly severe with a multi-stage compressor with a large pressure differential between suction and discharge.
In many cases, the suction KO Drum design pressure is less than the discharge operating pressure of the compressor, but is still greater than the settle-out pressure when the compressor is stopped. The compressor is normally designed to minimise the settle-out pressure by reducing the piping distances to the final discharge non-return valve (NRV) and shut-down valve (SDV) on the HP side.
This is all fine as long as the final NRV and shut-down valve(s) shut when stopping or tripping the compressor. If they don’t close (failure on demand), then the far larger HP gas inventory downstream of the compressor (or the continuing flow if multiple compressors are in parallel), can flow back through the stopped compressor to the suction KO drum and may overpressure the vessel.
If the Suction KO Drum overpressures and ruptures, you are likely to have a significant release of flammable/toxic gas, flying parts and potentially one or more fatalities. The anti-surge valve is also designed to open if the compressor stops, which gives a direct path back to the suction. Any PRV on the suction drum is unlikely to protect the vessel, as it will normally only be sized for the fire case.
The key safeguards are obviously the discharge NRV and SDVs. Given that a typical compressor will have a planned shutdown at least once per year, and unplanned trips also in that order (or monthly for a new system!), how do you build the LOPA cause-consequence scenarios, and what IPLs do you need? For the discharge SDV, what is the sensor for the SIF?
My approach
The approach I normally use for these scenarios, is to assume that the initiating event is the failure of the discharge NRV. Stopping or tripping the compressor itself is clearly not a deviation, as it is a design case, and hence cannot be considered as an initiating event. You can compare this with a pair of duty/standby pumps, where the stopped pump relies on the NRV on the discharge to prevent reverse flow.
The closing of the discharge SDV is difficult to define as a SIF. Generally it closes as part of the programmed stop sequence, and is normally also included in any external trip sequence. But to calculate the PFD and get a SIL level for this SIF is difficult, as it is not clear what the initiating sensor is. It is unlikely that you will be able to show more than a SIL 1, given the unknowns around the initiating sensor. Remember that there are failure modes causing the machine to stop, such as power failure, which will only provide a relay contact as input. In practise, I usually use the power fail case as the worst case. If you use the power failure as the initiating event, I assume at least once in 10 years as a frequency based on extensive experience across many sites.
One option we often use is to add a high-high pressure trip on the suction KO drum to close the discharge SDVs (and trip the compressor), as this can be designed to give at least SIL2. I also recognise that we have to add multiple conditional modifiers to bring the risk gap down to an acceptable level.
