Do Not believe the math as black and white or as accurate. When we accept a risk of 10-3 per year per facility, we are not necessarily saying we accept 1/10 deaths per year for the facility… we are actually guessing at both factors.

1) The factors we use for LOPA (and for SIF need identification and SIL
determination) have plus and minus an order of magnitude on either side of
the mean. So, a factor of 0.01 could in reality be 0.1 to 0.001… and
nearly all of this variability is controlled by human error controls in
maintenance, engineering, warehouse receiving, and engineering… and those
factors in turn are controlled by management decision on time to do job,
competency requirements for staff, etc., etc.. So, when LOPA gives us a
resulting frequency of 10-3 (average), it could mean almost anything. We
believe all of the factors are conservative values. We have seen 10-3 for
identical scenarios achieved in real plants.

2). When you sum (OR gate math) a lot of similar scenarios together, the
simple sum of the probabilities is not an accurate estimate of the risk, as
there are other terms in Fault Tree math that would have to be ignored and
that reduce those summed likelihoods.

3). In site models we have done (decades ago) and what appears to work out
about right in real plant histories, is if we use 10-3 as the tolerable
risk per scenario, then actual accident rates appear to be 10-2 for the
site, even if there are 1000 scenarios per site. Most organizations and
companies use two risk tolerance criteria for the same reason (i.e., 10-3
for a scenario risk and 10-2 for a site risk)

4). We have never seen an accident that had two IPLs that were properly
designed and maintained. We have never seen vessel rupture occur for a
pressure vessel that had a PSV sized properly for the event (if applicable)
and that was properly maintained. These two facts are based upon millions
of scenario-years.

5). Our focus should be on meeting the definition of an IPL, including how
to maintain these. This is Key.

6). The math should not be believed as no one can properly define the error
bands on these low frequency calculations and we do not seem to able to
reliably achieve targets of less than 10-3 per year. I understand the
statistical math very well, and I understand the failure rate data better
than most (including the human factors underneath all), and I have chatted
with numerous others (including the inventors of the rules that allowed
Fault Trees to be solved in real time (Fussell and Montaque; these were my
bosses and mentors for 8 years) who do not believe the low frequency
probabilistic math results below 10-3 (or 10-4, depending on who answers)
per year are valid, except in a purely theoretical discussion…. there is
not enough practical data to support these low estimates…. IN OTHER WORDs,
what we think is “independent” is not truly independent… the most common
core is the humans in the worksite.

The companies that have LOW process safety accident rates are the ones that
have great control on human factors, solid engineering standards,
enforcement of standards, excellent PHAs, and high reporting of near misses.
It is not the ones who spend a lot of time on statistical estimation of