
The Fundamentals of LOPA and their Practical Implementation

Peter Scantlebury - Principal Consultant, FSE Global - Canada

Abstract

While Layer of Protection Analysis (LOPA) is becoming the preferred method of Safety Integrity Level (SIL) assignment, there is considerable variation in its practical implementation. In laying out the fundamentals of LOPA, the pitfalls, caveats and limitations of the various practical implementations will be discussed. The fundamentals of LOPA will be explained to delegates, along with an examination of the advantages and disadvantages of the various practical implementations. Armed with this knowledge, delegates will then be able to assess their own implementation of LOPA.

1.1. Introduction

Layer of Protection Analysis (LOPA) is becoming the preferred method of Safety Integrity Level (SIL) assignment. However, the author has seen considerable variation in the practical implementation of LOPA across different industries and by different companies. Some of the practical implementations of LOPA encountered to date have significant discontinuities when compared with other risk processes such as qualitative risk assessments using risk matrices, and quantitative risk assessments. These discontinuities can result in different residual risks being estimated when analysing the same scenario with the various risk processes. If implemented correctly, analysing the same scenario with qualitative risk assessment methods, LOPA and quantitative risk assessments will result in progressively more refined estimates of the residual risk, rather than different residual risks being estimated. To enable analysis of the common implementations of LOPA it is necessary to examine its fundamentals.

1.2. Fundamentals of LOPA

Fundamentally, LOPA is a methodology that analyses the risk of a scenario. The outcome of this analysis establishes whether the planned or implemented safeguards are adequate. To critically understand LOPA it is necessary to understand:
- What is a scenario?
- What are the rules to analyse the scenario?
- What are the risk criteria?

1.2.1 What is a Scenario?

The CCPS (2001) describes a scenario as a cause-consequence pair. Commonly, a cause is described as an initiating event and a consequence as an unwanted outcome. To illustrate this, consider a scenario where a pressure control failure results in a vessel overpressure, causing vessel rupture and a fatality. In this scenario the cause (or initiating event) is pressure control failure, and the consequence (or unwanted outcome) is a fatality.

To enable a deeper analysis of LOPA it is beneficial to break down the cause-consequence pair further to include an event. To provide clarity in the discussion, the event will be referred to as an unwanted event. Thus a scenario is now described as a cause, unwanted event, consequence sequence. This is a similar form to a Bow Tie Analysis, except that a Bow Tie Analysis shows all causes of an unwanted event and all consequences which can occur as a result of the unwanted event.

Using the above pressure control failure example, the unwanted event could be vessel overpressure or vessel rupture. From a pure risk analysis perspective it is immaterial whether vessel overpressure or vessel rupture is taken as the unwanted event. It is common industry practice to define the unwanted event as the event that led to a release of energy. However, from a legal liability point of view, defining the unwanted event as the event where loss of control occurred provides a better negligence defence (Anderson & Robinson, 2004). From the example, taking the release of energy approach, the unwanted event would be vessel rupture, while in the loss of control approach, the unwanted event would be vessel overpressure. Throughout this paper the unwanted event will be defined as the event where loss of control occurred.

To complete the pressure control failure example, the cause (or initiating event) is pressure control failure, the unwanted event (or loss of control) is vessel overpressure, and the consequence (or unwanted outcome) is a fatality. The scenario sequence needs to be expanded to contain more detail to enable the frequency of a scenario's consequence to be determined. Expanding the scenario sequence to contain all elements needed for analysis results in the scenario sequence shown in Figure 1, with further explanation of each aspect provided below.

Figure 1: Expanded Scenario Sequence (diagram; the labels read, from left to right along a frequency axis: Cause (or Initiating Event) and Enabling Event or Condition; Safeguards; Unwanted Event; Mitigative Safeguards; Outcome Modifiers; Consequence (or Unwanted Outcome))

An initiating event is the failure or action which starts the scenario sequence and is expressed as a frequency of the initiating event. Sometimes a failure or action (initiating event) does not start the scenario sequence on its own, as other enabling events or conditions must be present. Enabling events or conditions "consist of operations or conditions that do not directly cause the scenario, but which must be present or active in order for the scenario to proceed" (p67, CCPS 2001). An enabling event or condition is expressed as the probability that, at a given point in time, the enabling event or condition is present. Typical examples of enabling events are plant states such as start-up, or environmental conditions such as cold weather.

A safeguard is a device which prevents the unwanted event from occurring after the initiating event has occurred, and is expressed as the probability that, at a given point in time, the safeguard has failed. Typical examples of a safeguard are Safety Instrumented Functions (SIFs), Pressure Safety Valves (PSVs), and alarms with an operator action.

A mitigative safeguard is a device which prevents the unwanted outcome from occurring after the unwanted event has occurred, and is expressed as the probability that, at a given point in time, the mitigative safeguard has failed. A typical example of a mitigative safeguard is a fire and gas shutdown system.

An outcome modifier (or modifier) is an element of pure chance that an unwanted event does not result in the unwanted outcome. This is expressed as the probability that, given an unwanted event has occurred, the consequence does not occur. Typical examples of a modifier are the probability of a person being present, the probability of ignition of a flammable material, and the probability that a person is injured.

Finally, to determine the frequency of the consequence, it is simply a matter of multiplying the frequency of the initiating event by the probabilities of the enabling event or condition, the safeguards, the mitigative safeguards, and the outcome modifiers.

1.2.2 What are the rules to analyse the scenario?

There are a number of clauses within IEC 61511-1 with which the LOPA process must comply. The relevant sections within IEC 61511-1 are Section 8: Process Hazard and Risk Assessment, and Section 9: Allocation of Safety Functions to Protection Layers. The pertinent clauses for the LOPA process define rules for the initiating event frequency, and for safeguards to be considered protection layers.

The pertinent rule for an initiating event frequency is:

"The dangerous failure rate of a BPCS (which does not conform to IEC 61511) that places a demand on a protection layer shall not be assumed to be better than 10^-5 per hour." (8.2.2 IEC 61511-1)

The effect of this clause is that the least frequent initiating event frequency that can be claimed for a Basic Process Control System (BPCS) failure, for example a pressure control failure, is 1 in 11.4 years. In practice the BPCS failure rate is rounded to 1 in 10 years.

For safeguards there are a few more pertinent rules. The first two are:

"The risk reduction factor for a BPCS (which does not conform to IEC 61511 or IEC 61508) used as a protection layer shall be below 10." (9.4.2 IEC 61511-1)

and

"If a risk reduction factor greater than 10 is claimed for the BPCS, then it shall be designed to the requirements within this standard." (9.4.2 IEC 61511-1)

Both of these clauses have the same effect: the best probability of failure that can be claimed for a safeguard implemented in a BPCS is 0.1. If a safeguard has been implemented in a BPCS with a probability of failure less than 0.1, then the safeguard must have been designed to the requirements of IEC 61511-1. The safeguard would then be considered a Safety Instrumented Function (SIF) rather than a safeguard implemented in a BPCS.

The final pertinent rule for safeguards is:

"The design of protection layers shall be assessed to ensure that the likelihood of common cause, common mode and dependent failures between protection layers and between protection layers and the BPCS are sufficiently low in comparison to the overall safety integrity requirements of the protection layers. The assessment may be qualitative or quantitative." (9.5.2 IEC 61511-1)

This clause is not as straightforward to comply with as the previous clauses. In practice, compliance with this clause is achieved by defining what are commonly termed Independent Protection Layer (IPL) rules. The IPL rules define when a safeguard can be considered in the calculation of the frequency of a scenario's consequence. Unfortunately there is no standard set of IPL rules. For instance, the IPL rules defined by the CCPS are:

"In order to be considered an IPL, a device, system, or action must be
- effective in preventing the consequence when it functions as designed,
- independent of the initiating event and the components of any other IPL already claimed for the same scenario,
- auditable; the assumed effectiveness in terms of consequence prevention and PFD must be capable of validation in some manner (by documentation, review, testing, etc.)" (p80 CCPS 2001)

Compare these with the IPL rules defined in IEC 61511-3:

"The criteria to qualify a Protection Layer (PL) as an IPL are:
- The protection provided reduces the identified risk by a large amount, that is, a minimum of a 100-fold reduction;
- The protective function is provided with a high degree of availability (0,9 or greater);
- It has the following important characteristics:
  a) Specificity: An IPL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event (for example, a runaway reaction, release of toxic material, a loss of containment, or a fire). Multiple causes may lead to the same hazardous event; and, therefore, multiple event scenarios may initiate action of one IPL;
  b) Independence: An IPL is independent of the other protection layers associated with the identified danger.
  c) Dependability: It can be counted on to do what it was designed to do. Both random and systematic failure modes are addressed in the design.
  d) Auditability: It is designed to facilitate regular validation of the protective functions. Proof testing and maintenance of the safety system is necessary." (F.9 IEC 61511-3)

1.2.3 What are the Risk Criteria?

The risk criteria are the reference against which the significance of a given risk is assessed, and can be expressed in many ways: qualitative, semi-quantitative, and quantitative. Diagrammatically, the risk criteria define a target line on the expanded scenario sequence shown in Figure 1. After determining the consequence frequency of a scenario, it is compared with the target frequency. If the consequence frequency is more frequent than the target frequency, then additional risk reduction is required, as illustrated in Figure 2. Figure 3 illustrates the situation where the consequence frequency is less frequent than the target frequency and no further risk reduction is required.

Figure 2: A Scenario Sequence Requiring Additional Risk Reduction (diagram: the scenario sequence of Figure 1 with a "Target frequency to meet Risk Criteria" line; the consequence frequency lies above the line, and the gap is labelled "Additional Risk Reduction Required")

Figure 3: A Scenario Sequence Meeting Target Frequency (diagram: the scenario sequence of Figure 1 with the consequence frequency below the "Target frequency to meet Risk Criteria" line)

Qualitative and semi-quantitative risk criteria are commonly expressed as a risk matrix. An example of a typical risk matrix is shown in Figure 4. In this risk matrix the consequence categories are Health and Safety, Financial Loss, and Environmental. However, risk matrices may include other consequence categories such as material release sizes, plant downtime, and public response.

It should be noted that qualitative and semi-quantitative risk criteria have typically been calibrated for assessing the risk of a single scenario.
Consequence categories:

Category     | Health and Safety | Financial Loss              | Environmental
Low          | Medical treatment | < $10,000 in damage or loss | Minor local environmental effects
Minor        | Disabling injury  | < $100k in damage or loss   | Minor short term environmental damage
Moderate     | Lost time injury  | < $1M in damage or loss     | Serious short term environmental damage
Major        | Single fatality   | < $10M in damage or loss    | Serious medium term environmental damage
Catastrophic | Multiple fatality | > $10M in damage or loss    | Serious long term environmental damage

Likelihood categories:

Almost Certain | Happens on an annual basis.                            | > 1 per year
Likely         | Happens a few times in a person's or plant's lifetime. | 1 in 1 years to 1 in 10 years
Possible       | Happens a couple of times in industry as a whole.      | 1 in 10 years to 1 in 100 years
Unlikely       | Has happened in industry, has been heard of.           | 1 in 100 years to 1 in 1000 years
Rare           | Has never happened in industry.                        | < 1 in 1000 years

Risk level (consequence rows against likelihood columns):

Consequence  | Almost Certain | Likely   | Possible | Unlikely | Rare
Low          | High           | Moderate | Low      | Low      | Low
Minor        | High           | High     | Moderate | Low      | Low
Moderate     | Extreme        | High     | High     | Moderate | Low
Major        | Extreme        | Extreme  | Extreme  | High     | Moderate
Catastrophic | Extreme        | Extreme  | Extreme  | Extreme  | High

Risk level actions:

Low: Manage by routine procedure and monitoring.
Moderate: Implement additional methods of risk reduction, and Unit Management approval and monitoring required to continue activity.
High: Implement additional methods of risk reduction, and Plant Management approval and monitoring required to continue activity.
Extreme: Cease activity and notify Plant Management.

Figure 4: An Example of a Risk Matrix

The risk nomogram is another expression of risk criteria for qualitative and semi-quantitative risk assessment. An example is shown in Figure 5. While the risk nomogram is more common in Occupational Health & Safety risk management, the author has encountered the risk nomogram in process risk management.

Figure 5: An Example of a Risk Nomogram

Quantitative risk criteria are commonly expressed as an Individual Risk Per Annum (IRPA). Industry quantitative risk criteria are shown in Figure 6. It must be noted that IRPA is the probability that a given person is killed in one year. This implies that IRPA is the sum of the frequencies of all scenarios leading to a fatality to which the given person is exposed. To enable IRPA to be applied to a single scenario in LOPA, it is common practice to reduce the IRPA value by a factor of 10. This assumes that a person cannot be affected by more than 10 scenarios at the same time in any given location.
Some regulators that have set risk tolerance criteria (IRPA values, per year):

Criterion | Health & Safety Executive, UK (existing industry) | VROM, The Netherlands (existing industry) | VROM, The Netherlands (new industry) | Hong Kong Government (new industry) | Santa Barbara County, CA, USA (new industry)
Maximum tolerable risk for workforce from all scenarios | 10^-3 | NA | NA | NA | NA
Negligible risk for workforce from all scenarios | 10^-6 | NA | NA | NA | NA
Maximum tolerable risk for public from all scenarios | 10^-4 | 10^-5 | 10^-6 | 10^-5 | 10^-5
Negligible risk for public from all scenarios | 10^-6 | NA | NA | NA | 10^-7

Some major companies that have set risk tolerance criteria (IRPA values, per year):

Criterion | Shell (onshore and offshore; approx.) | BP (onshore and offshore) | ICI (onshore) | Rohm and Haas Company
Maximum tolerable risk for workforce from all scenarios | 10^-3 | 10^-3 | 3.3 × 10^-5 | 2.5 × 10^-5
Negligible risk for workforce from all scenarios | 10^-6 | 10^-6 | NA | NA
Maximum tolerable risk for public from all scenarios | Note 1 | Note 1 | 10^-4 | 10^-5
Negligible risk for public from all scenarios | Note 2 | Note 2 | NA | 10^-7

The source table also carries the annotation "Personal risk to specific employee" against the company workforce values.

Note 1: Not available, but typically industry uses a value that is an order of magnitude lower than the workplace risk.
Note 2: Not available, but typically industry uses the same value used for workplace risk, since the value is already in the region where risk calculations become meaningless.

Figure 6: Typical Industry Individual Risk Per Annum (IRPA) Values (adapted from CCPS 2001 Appendix E)

1.3. LOPA Caveats and Limitations

The LOPA process, like all risk assessment processes, has limitations and caveats for use. To ensure that LOPA results are valid, the following limitations and caveats must be known. They can be grouped into:
- Multiple scenarios for the same safeguards
- Independence
- Density of consequences

1.3.1 Multiple scenarios for the same safeguards

The vast majority of implementations of the LOPA process analyse scenarios on a scenario-by-scenario basis. This is an efficient approach which is valid for the majority of applications. However, when a number of scenarios for the same safeguard are encountered, the limitations of LOPA are met. A typical example is when LOPA is applied to a burner. With the exception of over-firing the burner, virtually all scenarios lead to a flammable mixture in the firebox and a subsequent firebox explosion. When a flame scanner is claimed as an IPL in these scenarios, a situation arises where two or more SIFs are claimed as IPLs, with the flame scanner being one of them. This leads to a difficult analysis and higher required SILs. While it is possible to carefully construct the scenarios and execute a scenario-by-scenario LOPA, a far more effective and robust approach is to apply basic Fault Tree and Event Tree analyses. This allows the multiple scenarios to be viewed as one analysis with the interrelationships explicitly shown. It may be argued that a multiple scenario quantitative LOPA, such as the IEC 61511-3 method outlined in section 1.4.4, does not have these limitations. While this argument is partially correct, it is highlighted that multiple scenario quantitative LOPA has a fixed Fault Tree and Event Tree form. Thus a multiple scenario quantitative LOPA analysis will only improve on the single scenario analysis if the assumed Fault Tree and Event Tree form of the multiple scenario quantitative LOPA is the same as the Fault Tree and Event Tree form of the multiple scenarios being analysed.

1.3.2 Independence

By definition of the IPL rules (see section 1.2.2), LOPA assumes that common cause, common mode and dependent failures between safeguards, and between safeguards and the initiating event, have a much lower failure rate than the safeguards themselves. Any safeguard which is not considered independent is discounted from the consequence frequency calculation. In the majority of scenarios this approach yields reasonable results. However, due to practical limitations, common instrumentation is often shared between safeguards, or between safeguards and the cause of the initiating event. In these scenarios some of the safeguards will fail the independence requirements, resulting in a higher required SIL. A commonly encountered example is the flow measurement in the air and fuel streams of a burner. The flow measurements in the air and fuel streams use multiple differential pressure sensors across the same flow element. In this arrangement any failure mode that affects the flow element affects all differential pressure sensors across it. Due to space requirements around flow elements it is generally impractical to install a flow element for each differential pressure sensor. It is possible to reduce the risk reduction claimed for safeguards to account for common cause, common mode and dependent failures, or to revert to Fault Tree analysis. Whichever approach is taken, the process must be documented.

1.3.3 Density of consequences

As discussed in section 1.2.3, in LOPA which analyses a single scenario at a time, the quantitative risk criteria for all risks are commonly reduced by a factor of 10 for application to single scenarios. This inherently assumes that for a given area there are no more than 10 scenarios which affect that area. Where this assumption is not correct, the risk criteria for those scenarios need to be revised to ensure the quantitative risk criteria for all risks are not exceeded in that area.

1.4. Common LOPA Implementations

To illustrate the application of the LOPA fundamentals, they will be applied to several common implementations found in standards and texts:
- Matrix, as shown in Annex E of IEC 61508-5
- Risk Graph, as shown in Annex D of IEC 61508-5
- Quantitative, as shown in Chapter 3, Method 3 of the CCPS LOPA text (p36 CCPS)
- Quantitative, as shown in Annex F of IEC 61511-3

The matrix and risk graph methods are also shown in IEC 61511-3 and are essentially the same as the examples selected; however, the IEC 61508-5 versions have been shown due to their more succinct nature.

1.4.1 Matrix

The matrix LOPA implementation as shown in Annex E of IEC 61508-5 (reproduced in Figure 7) analyses a single scenario at a time. It also assumes that each IPL reduces the risk by a factor of 10 and that there are no outcome modifiers.

Figure 7: SIL Assignment Matrix (Figure E.1 IEC 61508-5)

The event severity and likelihood define the total amount of risk reduction required to meet the target frequency for the consequence severity. For an event severity of extensive and an event likelihood of medium, Figure 8 shows the required risk reduction as the distance between the initiating event likelihood and the target frequency for the event severity. For each non-SIS IPL the required SIL for the SIF is reduced by one. The required SIL for various numbers of IPLs is shown diagrammatically in Figure 8.

Figure 8: SIL Assignment Matrix Process Shown as a Scenario Sequence (diagram: a frequency axis running from the Initiating Event Likelihood down to the Target frequency for Event Severity; with 1 IPL the whole gap is closed by a SIL 3 SIF, with 2 IPLs by Non SIS IPL 1 plus a SIL 2 SIF, and with 3 IPLs by Non SIS IPL 1 and Non SIS IPL 2 plus a SIL 1 SIF)

The SIL assignment matrix shown in Figure 9 is a common variation which is functionally identical to the SIL assignment matrix shown in Figure 7. In this case the cell numbers refer to the total number of IPLs required. Repeating the previous example, for an event severity of extensive and an event likelihood of medium, 3 IPLs are required. If there is only one non-SIS IPL then the required SIL is 2 (3 required, less 1 non-SIS IPL).

Consequence Severity | Event Likelihood: Low | Med | High
Minor                | 1 | 1 | 2
Serious              | 1 | 2 | 3
Extensive            | 2 | 3 | 4

Note: Cell numbers refer to number of IPLs.

Figure 9: Alternative SIL Assignment Matrix
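The Figure 9 matrix read as the scenario sequence of Figure 8, as an added example (not code from the paper or from IEC 61508-5): the cell gives the orders of magnitude to close, each non-SIS IPL closes one, and the SIF supplies the rest. The initiating and target frequencies in the frequency-driven check are constructed.

```python
"""SIL assignment by the Figure 9 matrix and its reading as a scenario sequence
(Figure 8).  Added example, not code from the paper or from IEC 61508-5; the
initiating and target frequencies used in the worked check are constructed."""
from math import ceil, log10

# Figure 9 cells: total number of IPLs required, by consequence severity and event likelihood
REQUIRED_IPLS = {
    "Minor":     {"Low": 1, "Med": 1, "High": 2},
    "Serious":   {"Low": 1, "Med": 2, "High": 3},
    "Extensive": {"Low": 2, "Med": 3, "High": 4},
}


def required_sil(severity: str, likelihood: str, non_sis_ipls: int) -> int:
    """SIL of the SIF needed to close the remaining gap; 0 means no SIF is required.

    As in Figure 8, each non-SIS IPL removes one order of magnitude, so the SIF must
    supply whatever orders remain.  A value above 3 means a single SIF cannot close
    the gap under the matrix method's assumptions."""
    return max(REQUIRED_IPLS[severity][likelihood] - non_sis_ipls, 0)


def decades_required(initiating_per_year: float, target_per_year: float) -> int:
    """Risk reduction needed on the frequency axis of Figure 8, in factors of 10.

    This is what the matrix cells approximate: the method assumes every IPL gives
    exactly one decade and that no outcome modifiers apply (section 1.4.1)."""
    if initiating_per_year <= target_per_year:
        return 0
    return ceil(round(log10(initiating_per_year / target_per_year), 9))


def required_sil_from_frequencies(initiating_per_year: float, target_per_year: float,
                                  non_sis_ipls: int) -> int:
    """Same allocation as required_sil(), driven by frequencies instead of matrix cells."""
    return max(decades_required(initiating_per_year, target_per_year) - non_sis_ipls, 0)


if __name__ == "__main__":
    # The paper's worked case: extensive severity, medium likelihood, one non-SIS IPL -> SIL 2
    print(required_sil("Extensive", "Med", non_sis_ipls=1))
    # Constructed frequencies: 1 in 10 years down to 1 in 10,000 years is three decades
    print(required_sil_from_frequencies(0.1, 1e-4, non_sis_ipls=1))
```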

1.4.2 Risk graph

The risk graph LOPA implementation as shown in Annex D of IEC 61508-5 (reproduced in Figure 10, with the parameters reproduced in Table 1) analyses a single scenario at a time.

Figure 10: Risk Graph (Figure D.1 IEC 61508-5:1998)

Consequence (C)
  C1  Minor injury
  C2  Serious permanent injury to one or more persons; death to one person
  C3  Death to several people
  C4  Very many people killed
  Comments:
  1. The classification system has been developed to deal with injury and death to people. Other classification schemes would need to be developed for environmental or material damage.
  2. For the interpretation of C1, C2, C3 and C4, the consequences of the accident and normal healing shall be taken into account.

Frequency of, and exposure time in, the hazardous zone (F)
  F1  Rare to more often exposure in the hazardous zone
  F2  Frequent to permanent exposure in the hazardous zone
  Comments:
  3. See comment 1 above.

Possibility of avoiding the hazardous event (P)
  P1  Possible under certain conditions
  P2  Almost impossible
  Comments:
  4. This parameter takes into account: operation of a process (supervised (i.e. operated by skilled or unskilled persons) or unsupervised); rate of development of the hazardous event (for example suddenly, quickly or slowly); ease of recognition of danger (for example seen immediately, detected by technical measures or detected without technical measures); avoidance of the hazardous event (for example escape routes possible, not possible or possible under certain conditions); actual safety experience (such experience may exist with an identical EUC or a similar EUC, or may not exist).

Probability of the unwanted occurrence (W)
  W1  A very slight probability that the unwanted occurrences will come to pass and only a few unwanted occurrences are likely
  W2  A slight probability that the unwanted occurrences will come to pass and few unwanted occurrences are likely
  W3  A relatively high probability that the unwanted occurrences will come to pass and frequent unwanted occurrences are likely
  Comments:
  5. The purpose of the W factor is to estimate the frequency of the unwanted occurrence taking place without the addition of any safety-related systems (E/E/PE or other technology) but including any external risk reduction facilities.
  6. If little or no experience exists of the EUC, or the EUC control system, or of a similar EUC and EUC control system, the estimation of the W factor may be made by calculation. In such an event a worst case prediction shall be made.

Table 1: Parameters for Risk Graph in Figure 10 (Table D.1 IEC 61508-5:1998)

The consequence (C) risk parameter defines the target frequency for the consequence. The exposure time (F) (called occupancy in Figure 11) and the possibility of avoiding (P) (called avoidance in Figure 11) are outcome modifiers that define the target unwanted event frequency. The required SIL for the SIF is the difference between the probability of the unwanted occurrence (W) and the target unwanted event frequency. The probability of the unwanted occurrence (W) includes the initiating event frequency, any enabling event, and any non-SIS safeguards.

Figure 11: Risk Graph Process Shown as a Scenario Sequence (diagram: a frequency axis; the Probability of unwanted occurrence (W) covers the Cause (or Initiating Event) and Enabling Event or Condition together with the Non SIS Safeguards; the Required SIL spans from W down to the Target frequency of Unwanted Event; the Outcome Modifiers Occupancy (F) and Avoidance (P) take the sequence from there to the Target frequency for Consequence Severity (C))

A common variation on the implementation of the risk graph process is to redefine the probability of the unwanted occurrence (W) to include only the initiating event frequency and any enabling event. The risk graph cell numbers then refer to the total number of IPLs required. The revised risk graph process is shown in Figure 12.

Figure 12: Common Risk Graph Scenario Sequence Variation (diagram: as Figure 11, but the Probability of unwanted occurrence (W) covers only the Cause (or Initiating Event) and Enabling Event or Condition, and the span from W down to the Target frequency of Unwanted Event is labelled Required Number of IPLs; the Outcome Modifiers Occupancy (F) and Avoidance (P) then lead to the Target frequency for Consequence Severity (C))

1.4.3 Quantitative (CCPS)

All quantitative LOPA processes are essentially identical. The key differences tend to be the manner in which the analysis is documented and the intermediate frequencies calculated. The CCPS quantitative LOPA process as shown in Table 2 analyses a single scenario at a time. Figure 13 maps the parameters from Table 2 onto the scenario sequence.
Scenario Number: 1b   Equipment Number: (blank)   Date: (blank)
Scenario Title: Hexane Surge Tank Overflow. Spill contained by the dike.

Item | Description | Probability | Frequency (per year)
Consequence Description/Category | Release of hexane inside the dike due to tank overflow with potential for ignition and fatality. | |
Risk Tolerance Criteria (Category or Frequency) | Maximum Tolerable Risk of a Serious Fire | | < 1 × 10^-4
 | Maximum Tolerable Risk of a Fatal Injury | | < 1 × 10^-5
Initiating Event (typically a frequency) | Loop failure of BPCS LIC. (PFD from Table 5.1) | | 1 × 10^-1
Enabling Event or Condition | - | |
Conditional Modifiers (if applicable) | Probability of ignition | 0.1 |
 | Probability of personnel in affected area | 0.1 |
 | Probability of fatal injury | 0.5 |
 | Others | N/A |
Frequency of Unmitigated Consequence | | | 5 × 10^-4
Independent Protection Layers | SIF (to be added, see Actions) | 1 × 10^-2 |
Safeguards (non-IPLs) | Human action not an IPL as it depends upon BPCS generated alarms. Cannot be used as BPCS failure is initiating event (Approach A) | |
Total PFD for all IPLs | | 1 × 10^-2 |
Frequency of Mitigated Consequence | | | 5 × 10^-6
Risk Tolerance Criteria Met? (Yes/No) | Yes, with added SIF. | |
Actions Required to Meet Risk Tolerance Criteria | Add SIF with PFD of 1 × 10^-2. Maintain dike as an IPL (inspection, maintenance, etc.). Responsible Group/Person: Plant Technical / J. Doe, June 2002 | |
Notes | Add action items to action tracking database. | |
References (links to originating hazard review, PFD, P&ID, etc.) | (blank) | |
LOPA analyst (and team members, if applicable) | (blank) | |

Table 2: Quantitative LOPA (Table A.6 CCPS, 2001)

Figure 13: Quantitative LOPA (CCPS) Shown as a Scenario Sequence (diagram: Table 2 mapped onto a frequency axis; Initiating Event and Enabling Event or Condition; Conditional Modifiers: Probability of ignition, Probability of personnel in the affected area, Probability of fatal injury; Frequency of Unmitigated Consequence; IPLs: Added SIF; Frequency of Mitigated Consequence; Risk Tolerance Criteria)

1.4.4 Quantitative (IEC 61511-3)

The key difference between the IEC 61511-3 quantitative LOPA (reproduced in Figure 14 and Figure 15) and the CCPS quantitative LOPA process is that the IEC 61511-3 process sums all of the mitigated event likelihoods for scenarios with the same consequence before comparing against the risk criteria.

Columns of Figure 14: 1 Impact event description; 2 Severity level; 3 Initiating cause; 4 Initiation likelihood; 5 Protection layers (General process design; BPCS; Alarms, etc.); 6 Additional mitigation, restricted access; 7 IPL additional mitigation, dikes, pressure relief; 8 Intermediate event likelihood; 9 SIF integrity level; 10 Mitigated event likelihood; 11 Notes.

Row 1: Fire from distillation column rupture; initiating cause: Loss of cooling water; initiation likelihood and protection layer cells of 0,1; IPL: PRV 01; intermediate event likelihood 10^-7; SIF integrity level 10^-2; mitigated event likelihood 10^-9; notes: High pressure causes column rupture.
Row 2: Fire from distillation column rupture; initiating cause: Steam control loop failure; initiation likelihood and protection layer cells of 0,1; IPL: PRV 01; intermediate event likelihood 10^-6; SIF integrity level 10^-2; mitigated event likelihood 10^-8; notes: Same as above.

NOTE Severity Level: E = Extensive; S = Serious; M = Minor. Likelihood values are events per year; other numerical values are average probabilities of failure on demand.

Figure 14: Quantitative LOPA (Figure F.1 IEC 61511-3)

Risk of fatality due to fire = (Mitigated event likelihood of all flammable material releases) × (Probability of fatal injury due to fire)
Risk of fatality due to fire = (1.1 × 10^-8) × (0.5) = 5.5 × 10^-9

Figure 15: Completion of Quantitative LOPA (p46 IEC 61511-3)

1.5. Common LOPA Implementation Errors Encountered

Common LOPA implementation errors encountered by the author can be grouped into the following broad categories:
- Inconsistencies between LOPA risk criteria and other risk criteria;
- Inconsistencies between the risk determined by LOPA and LOPA risk criteria;
- Misuse of enabling events or conditions and outcome modifiers;
- Common cause failure in IPLs not considered;
- Unsubstantiated data; and
- Quantitative LOPA and SIL verification without uncertainty addressed.

1.5.1 Inconsistencies between LOPA risk criteria and other risk criteria

Inconsistencies can occur between the LOPA risk criteria and the risk criteria used by other risk assessment processes such as qualitative risk assessments and QRA. This inconsistency can be created in one of two ways.

The first is when the LOPA risk criteria is defined it is inconsistent with the other expressions of risk criteria. This occurs most commonly by adopting a LOPA risk criteria from an external source such as a consultant, standard, text or other company. The second is when other expressions of risk criteria are revised but the LOPA risk criteria is not. This is a direct result of an inadequate change management process. However, the inconsistency originated, the result is the same. The risk assessment results will be different depending on the risk assessment process followed. From a SIS design point of view this can result in the LOPA process SIFs SIL being lower, or SIFs not being required if the LOPA risk criteria is less conservative than the other risk assessment processes. In some implementations of LOPA, the LOPA risk criteria will focus on unwanted event frequency rather than a consequence, such as personnel injury that QRA focuses on. This is not necessarily an inconsistency unless the assumptions used to calibrate the risk criteria for unwanted event frequencies are not embedded into the LOPA process. 1.5.2Inconsistencies between the risk determined by LOPA and LOPA risk criteria Inconsistencies between the risk determined by the LOPA process and the LOPA risk criteria occurs most commonly by adopting a LOPA process and risk criteria from different sources. It seems to occur with the more elaborate quantitative LOPA process and is not generally immediately apparent. An encountered example of this is where the LOPA process grouped scenarios together with the same unwanted event and consequence, and then summed the consequence frequencies. The sum of the consequence frequencies was then compared to a target frequency. So far nothing in itself is incorrect. However, the target frequency was an Individual Risk Per Annum (IRPA). This is where in virtually all practical applications the inconsistency occurs. 
As discussed previously, IRPA is the probability that a given person is killed in one year and is the sum of the frequencies of all scenarios leading to a fatality to which that person is exposed. Hence, if this unwanted event and consequence is the only one that can cause a fatality in the facility, then no inconsistency has occurred. In practice virtually all facilities have multiple unwanted events which can cause a fatality. The effect of this inconsistency is that, should a QRA be completed, the calculated IRPA will be found to exceed the target IRPA. Depending on the circumstances this can result in significant SIS rework.
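To make the IRPA inconsistency concrete, here is an added example in Python that is not part of the paper. It evaluates several constructed scenarios to which one person is exposed, checks each on its own against an IRPA target (the inconsistent practice described above) and then sums them into a facility IRPA (the consistent comparison). The scenario names, frequencies, PFDs, fatality probabilities and the 1e-5 target are all assumptions; the risk_of_fatality function reproduces the arithmetic of Figure 15.

```python
# Added example (not from the paper): comparing LOPA scenario fatality frequencies
# against an Individual Risk Per Annum (IRPA) target, per scenario and per facility.
# All scenario numbers below are constructed for illustration.
from dataclasses import dataclass
from math import prod


def risk_of_fatality(mitigated_likelihood: float, p_fatal: float) -> float:
    """Risk of fatality = mitigated event likelihood x probability of fatal injury."""
    return mitigated_likelihood * p_fatal


@dataclass
class Scenario:
    name: str
    initiating_freq: float      # initiating event frequency, events per year
    ipl_pfds: list              # PFD of each independent protection layer credited
    p_fatality: float           # probability the exposed person is killed given the consequence
    enabling_prob: float = 1.0  # enabling event/condition probability (1.0 when none applies)

    def mitigated_freq(self) -> float:
        """Mitigated event frequency = IEF x enabling probability x product of IPL PFDs."""
        return self.initiating_freq * self.enabling_prob * prod(self.ipl_pfds)

    def fatality_freq(self) -> float:
        """Fatality frequency for the exposed person (the Figure 15 calculation)."""
        return risk_of_fatality(self.mitigated_freq(), self.p_fatality)


# Constructed target: tolerable probability of fatality per person per year.
TARGET_IRPA = 1e-5

# Constructed scenarios to which one operator is exposed. Each one, taken alone,
# sits below the target; together they do not.
SCENARIOS = [
    Scenario("Vessel overpressure",  0.10, [0.01, 0.01],  0.40),
    Scenario("Heat tracing failure", 1.00, [0.01, 0.001], 1.00, enabling_prob=0.30),
    Scenario("Pump seal release",    0.05, [0.10, 0.01],  0.05),
    Scenario("Tank overfill",        0.01, [0.10, 0.01],  0.20),
]


def per_scenario_check(scenarios, target=TARGET_IRPA):
    """The inconsistent practice: each scenario's fatality frequency compared to IRPA on its own."""
    return {s.name: s.fatality_freq() <= target for s in scenarios}


def facility_irpa(scenarios):
    """IRPA is the sum of the fatality frequencies of every scenario the person is exposed to."""
    return sum(s.fatality_freq() for s in scenarios)


def facility_check(scenarios, target=TARGET_IRPA):
    """The consistent comparison: the summed IRPA against the IRPA target."""
    return facility_irpa(scenarios) <= target


if __name__ == "__main__":
    for name, ok in per_scenario_check(SCENARIOS).items():
        print(f"{name:22s} individually {'meets' if ok else 'exceeds'} the IRPA target")
    total = facility_irpa(SCENARIOS)
    verdict = "meets" if facility_check(SCENARIOS) else "exceeds"
    print(f"facility IRPA = {total:.2e} ({verdict} target {TARGET_IRPA:.0e})")
```

Every scenario passes the per-scenario comparison, yet the summed IRPA comes to 1.15e-5 and exceeds the target, which is exactly what a later QRA would reveal.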

1.5.3 Misuse of enabling events or conditions and outcome modifiers

The misuse of enabling events or conditions and outcome modifiers is often encountered when the LOPA assessment group is trying to reduce the resulting SIL of a scenario. The most frequently encountered example is to call a safeguard an enabling event or condition, or an outcome modifier. The argument most often used to justify this misuse is that the maths is the same whether it is an enabling event or condition, an outcome modifier or a safeguard. In itself the argument is correct. However, by labelling a safeguard as an enabling event or condition, or as an outcome modifier, the IPL rules have been bypassed. Another less obvious example of misuse is double dipping. The most commonly encountered example of this is where the frequency given for the initiating event already includes an enabling event or condition, and the same enabling event or condition is then claimed again. An obvious example is an initiating event of "heat tracing failure in winter" combined with an enabling condition of "winter".

1.5.4 Common cause failure in IPLs not considered

Common cause failure in IPLs not being correctly considered typically occurs when similar types of safeguards are claimed as IPLs in the same scenario. A common example of this is when multiple pressure safety valves (PSVs) are claimed as individual IPLs. The typical situation is where the LOPA guidance specifies that a PSV provides 2 orders of magnitude of risk reduction. When assessing a scenario with two redundant PSVs which are both online and either of which can relieve the scenario, the team will take 2 orders of magnitude of risk reduction for the first PSV and another 2 orders of magnitude for the second PSV. The common cause failure has not been considered: typically these valves are identical and are tested at the same time by the same technician using the same test equipment.
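The following added example, which is not the author's code, puts numbers on the two errors just described. It compares the credit for two redundant PSVs computed as independent IPLs against the simplified beta-factor common cause model (a standard reliability model used here as an illustration; the paper does not prescribe one), and it shows the heat tracing double dip. The PSV PFD, the beta value of 10 %, the heat tracing failure rates, the winter fraction and the IPL PFD are all constructed values.

```python
# Added example (not from the paper): the LOPA credit for two redundant, identical PSVs
# with and without common cause failure, and how an enabling condition gets double-dipped.
# All values are constructed for illustration.
from math import log10, prod


def independent_pfd(pfds):
    """Naive LOPA credit: every IPL treated as fully independent, so the PFDs multiply."""
    return prod(pfds)


def beta_factor_pfd_1oo2(pfd, beta):
    """Combined PFD of two identical IPLs where either can act (1oo2), using the simplified
    beta-factor model: a fraction beta of each device's failures is common to both.
    Independent part: ((1 - beta) * pfd) ** 2; common cause part: beta * pfd."""
    independent = ((1 - beta) * pfd) ** 2
    common_cause = beta * pfd
    return independent + common_cause


def orders_of_magnitude(pfd):
    """Risk reduction expressed as LOPA 'orders of magnitude' (-log10 of the combined PFD)."""
    return -log10(pfd)


def redundant_psv_credit(pfd_per_psv=0.01, beta=0.10):
    """Compare the credit for two redundant PSVs without and with common cause failure.
    Constructed values: each PSV worth 2 orders of magnitude (PFD 0.01), beta of 10 %."""
    naive = independent_pfd([pfd_per_psv, pfd_per_psv])
    with_ccf = beta_factor_pfd_1oo2(pfd_per_psv, beta)
    return {
        "naive_pfd": naive,
        "naive_orders": orders_of_magnitude(naive),
        "ccf_pfd": with_ccf,
        "ccf_orders": orders_of_magnitude(with_ccf),
    }


def mitigated_frequency(initiating_freq, enabling_prob, pfds):
    """Mitigated event frequency = IEF x enabling probability x product of IPL PFDs."""
    return initiating_freq * enabling_prob * independent_pfd(pfds)


# Constructed data for the heat tracing example. The all-year failure frequency and the
# winter fraction are assumptions; the winter-only frequency is derived from them.
HEAT_TRACE_FAILURE_ALL_YEAR = 0.20   # failures per year, any season
WINTER_FRACTION = 0.25               # enabling condition: fraction of the year that is winter
HEAT_TRACE_FAILURE_IN_WINTER = HEAT_TRACE_FAILURE_ALL_YEAR * WINTER_FRACTION  # 0.05 per year
FREEZE_PROTECTION_IPL_PFD = 0.01     # constructed PFD of the single IPL credited


def heat_tracing_example():
    """Three ways of writing the same scenario; only the first two are correct."""
    # Initiating event already restricted to winter, no enabling condition claimed.
    correct_a = mitigated_frequency(HEAT_TRACE_FAILURE_IN_WINTER, 1.0, [FREEZE_PROTECTION_IPL_PFD])
    # All-year initiating event with winter claimed once as an enabling condition.
    correct_b = mitigated_frequency(HEAT_TRACE_FAILURE_ALL_YEAR, WINTER_FRACTION, [FREEZE_PROTECTION_IPL_PFD])
    # Double dip: winter-only initiating event AND winter claimed again as an enabling condition.
    double_dipped = mitigated_frequency(HEAT_TRACE_FAILURE_IN_WINTER, WINTER_FRACTION, [FREEZE_PROTECTION_IPL_PFD])
    return {"correct_a": correct_a, "correct_b": correct_b, "double_dipped": double_dipped,
            "understated_by": correct_a / double_dipped}


if __name__ == "__main__":
    r = redundant_psv_credit()
    print(f"two PSVs, independent: PFD {r['naive_pfd']:.2e} = {r['naive_orders']:.1f} orders of magnitude")
    print(f"two PSVs, beta = 0.10: PFD {r['ccf_pfd']:.2e} = {r['ccf_orders']:.1f} orders of magnitude")
    h = heat_tracing_example()
    print(f"heat tracing: correct {h['correct_a']:.2e}, double dipped {h['double_dipped']:.2e} "
          f"(understated by {h['understated_by']:.0f}x)")
```

With these assumed values the second PSV adds roughly one order of magnitude rather than two once common cause is modelled, and the double-dipped heat tracing scenario understates its mitigated frequency by the reciprocal of the winter fraction, a factor of four.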
1.5.5 Unsubstantiated data

Unsubstantiated data is typically a problem with quantitative LOPA and outcome modifiers. In the worst cases it has been seen that the LOPA team was reverse engineering values for initiating events and outcome modifiers to give the results they were looking for. Particularly for outcome modifiers, their values should be determined using the same process as consequence analysis in QRA.

1.5.6 Quantitative LOPA & SIL verification without uncertainty addressed

Quantitative LOPA & SIL verification without uncertainty addressed is seen where the quantitative LOPA process yields a Probability of Failure on Demand (PFD) for a SIF. SIF verification is then undertaken and the SIF's PFD is compared to the PFD yielded by the LOPA process. If the SIF's PFD is lower than the PFD yielded by the LOPA process then no further work is required. Unless the LOPA process and the SIF verification process used extremely conservative data, it is very likely that once field data is generated and the LOPA and SIF verification are updated, the actual risk will be found not to be acceptable.

1.6. Conclusion

LOPA is an excellent process which can be adapted to any organisation by understanding the LOPA fundamentals. When a LOPA process has been correctly implemented it is possible to achieve consistent results for a scenario, whether analysed using a qualitative risk matrix, LOPA or QRA. In addition, it does not matter which LOPA method is implemented: if the LOPA fundamentals have been correctly implemented then the resulting SIF SILs will be approximately the same.

1.7. References

Center for Chemical Process Safety (CCPS), 2001. Layer of Protection Analysis: Simplified Process Risk Assessment. American Institute of Chemical Engineers, New York, New York.
Anderson, K. & Robinson, R. M., 2004. Risk & Reliability: An Introductory Text, 5th edition. Risk & Reliability Associates Pty Ltd, Melbourne, Australia.
International Electrotechnical Commission, 2003(a). Functional Safety - Safety Instrumented Systems for the process industry sector. Part 1: Framework, definitions, systems, hardware and software requirements, IEC 61511-1:2003.
International Electrotechnical Commission, 2003(b). Functional Safety - Safety Instrumented Systems for the process industry sector. Part 2: Guidelines for the application of IEC 61511-1, IEC 61511-2:2003.
International Electrotechnical Commission, 2003(c). Functional Safety - Safety Instrumented Systems for the process industry sector. Part 3: Guidance for the determination of the required safety integrity levels, IEC 61511-3:2003.
International Electrotechnical Commission, 1998. Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 5: Examples of methods for the determination of safety integrity levels, IEC 61508-5:1998.