
Page 1: Fundamentals of LOPA

7/18/2019 Fundamentals of LOPA

http://slidepdf.com/reader/full/fundamentals-of-lopa-56d6ebd67d7ba 1/20

The Fundamentals of LOPA and their Practical Implementation

Peter Scantlebury - Principal Consultant, FSE Global - Canada

Abstract

While Layer of Protection Analysis (LOPA) is becoming the preferred method of Safety Integrity Level (SIL) assignment, there is considerable variation in its practical implementation. In laying out the fundamentals of LOPA, pitfalls, caveats and limitations in the various practical implementations will be discussed. The fundamentals of LOPA will be explained to delegates, along with an examination of the advantages and disadvantages in the various practical implementations. Armed with this knowledge, delegates will then be able to assess their own implementation of LOPA.

1.1. Introduction

Layer of Protection Analysis (LOPA) is becoming the preferred method of Safety Integrity Level (SIL) assignment. However, the author has seen considerable variation in the practical implementation of LOPA across different industries and by different companies.

Some of the practical implementations of LOPA encountered to date have significant discontinuities when compared with other risk processes such as qualitative risk assessments using risk matrices, and quantitative risk assessments. These discontinuities can result in different residual risks being estimated when analysing the same scenario with the various risk processes. If implemented correctly, analysing the same scenario with qualitative risk assessment methods, LOPA and quantitative risk assessments will result in more refined residual risks being estimated, rather than different residual risks being estimated.

To enable analysis of the common implementations of LOPA it is necessary to examine its fundamentals.

1.2. Fundamentals of LOPA

Fundamentally LOPA is a methodology that analyses the risk of a scenario. The outcome of this analysis establishes whether the planned or implemented safeguards are adequate.

In order to critically understand LOPA it is necessary to understand:

• What is a scenario?

• What are the rules to analyse the scenario?

• What is the risk criteria?

1.2.1 What is a Scenario?

The CCPS (2001) describes a scenario as a cause – consequence pair.

Commonly, a cause is described as an initiating event and a consequence as an unwanted outcome.

To illustrate this, consider a scenario where a pressure control failure results in a vessel overpressure, causing vessel rupture and a fatality. In this scenario the cause (or initiating event) is pressure control failure, and the consequence (or unwanted outcome) is a fatality.

To enable a deeper analysis of LOPA it is beneficial to break down the cause – consequence pair further to include an event. To provide clarity in the discussion, the event will be referred to as an unwanted event. Thus a scenario is now described as a cause – unwanted event – consequence sequence. This is a similar form to a Bow Tie Analysis, except a Bow Tie Analysis shows all causes of an unwanted event and all consequences which can occur as a result of the unwanted event.

Using the above pressure control failure example, the unwanted event could be vessel overpressure or vessel rupture. From a pure risk analysis perspective it is immaterial whether vessel overpressure or vessel rupture is taken as the unwanted event.

It is common industry practice to define the unwanted event as the event that led to a release of energy. However, from a legal liability point of view, defining the unwanted event as the event where loss of control occurred provides a better negligence defence (Anderson & Robinson, 2004). From the example, taking the release of energy approach, the unwanted event would be vessel rupture, while in the loss of control approach, the unwanted event would be vessel overpressure.

Throughout this paper the unwanted event will be defined as the event where loss of control occurred.

To complete the pressure control failure example, the cause (or initiating event) is pressure control failure, the unwanted event (or loss of control) is vessel overpressure, and the consequence (or unwanted outcome) is a fatality.

The scenario sequence needs to be expanded to contain more detail to enable the frequency of a scenario’s consequence to be determined. Expanding the scenario sequence to contain all elements needed for analysis results in the scenario sequence shown in Figure 1, with further explanation of each aspect provided below.


[Figure 1 diagram: a scenario sequence plotted against Frequency, running from the Cause (or Initiating Event) and Enabling Event or Condition, through the Safeguards, to the Unwanted Event, then through the Mitigative Safeguards and Outcome Modifiers to the Consequence (or Unwanted Outcome).]

Figure 1: Expanded Scenario Sequence

An initiating event is the failure or action which starts the scenario sequence and is expressed as a frequency of the initiating event. Sometimes a failure or action (initiating event) does not start the scenario sequence, as other enabling events or conditions must be present.

Enabling events or conditions “consist of operations or conditions that do not directly cause the scenario, but which must be present or active in order for the scenario to proceed” (p67, CCPS 2001). An enabling event or condition is expressed as a probability that at a given point in time the enabling event or condition is present. Typical examples of enabling events are plant states such as start-up, or environmental conditions such as cold weather.

A safeguard is a device which prevents the unwanted event from occurring after the initiating event has occurred and is expressed as a probability that at a given point in time the safeguard has failed. Typical examples of a safeguard are Safety Instrumented Functions (SIFs), Pressure Safety Valves (PSVs), and alarms with an operator action.

A mitigative safeguard is a device which prevents the unwanted outcome from occurring after the unwanted event has occurred, and is expressed as a probability that at a given point in time the mitigative safeguard has failed. A typical example of a mitigative safeguard is a fire and gas shutdown system.

An outcome modifier (or modifier) is an element of pure chance that an unwanted event does not result in the unwanted outcome. This is expressed as a probability that, given an unwanted event has occurred, the consequence does not occur. Typical examples of a modifier are the probability of a person being present, the probability of ignition of a flammable material, and the probability that a person is injured.

Finally, to determine the frequency of the consequence, it is simply a matter of multiplying the frequency of the initiating event by the probabilities of the enabling event or condition, the safeguards, the mitigative safeguards, and the outcome modifiers.

1.2.2 What are the rules to analyse the scenario?

There are a number of clauses within IEC 61511-1 which the LOPA process must comply with. The relevant sections within IEC 61511-1 are Section 8: Process Hazard and Risk Assessment, and Section 9: Allocation of Safety Functions to Protection Layers.

The pertinent clauses for the LOPA process define rules for initiating event frequency, and for safeguards to be considered protection layers.

The pertinent rule for an initiating event frequency is:

The dangerous failure rate of a BPCS (which does not conform to IEC 61511) that places a demand on a protection layer shall not be assumed to be better than 10^-5 per hour. (§8.2.2 IEC 61511-1)

The effect of this clause is that the least frequent initiating event frequency that can be claimed for a Basic Process Control System (BPCS) failure, for example a pressure control failure, is 1 in 11.4 years. In practice the BPCS failure rate is rounded to 1 in 10 years.

For safeguards there are a few more pertinent rules. The first two are:

The risk reduction factor for a BPCS (which does not conform to IEC 61511 or IEC 61508) used as a protection layer shall be below 10. (§9.4.2 IEC 61511-1)

And

If a risk reduction factor greater than 10 is claimed for the BPCS, then it shall be designed to the requirements within this standard. (§9.4.2 IEC 61511-1)

Both of these clauses have the same effect: the best probability of failure that can be claimed for a safeguard implemented in a BPCS is 0.1. If a safeguard has been implemented in a BPCS with a probability of failure less than 0.1, then the safeguard must have been designed to the requirements of IEC 61511-1. The safeguard would then be considered a Safety Instrumented Function (SIF) rather than a safeguard implemented in a BPCS.

The final pertinent rule for safeguards is:

The design of protection layers shall be assessed to ensure that the likelihood of common cause, common mode and dependent failures between protection layers and between protection layers and the BPCS are sufficiently low in comparison to the overall safety integrity requirements of the protection layers. The assessment may be qualitative or quantitative. (§9.5.2 IEC 61511-1)

This clause is not as straightforward to comply with as the previous clauses. In practice, compliance with this clause is achieved by defining what is commonly termed Independent Protection Layer (IPL) rules. The IPL rules define when a safeguard can be considered in the calculation of the frequency of a scenario’s consequence. Unfortunately there is not a standard set of IPL rules defined.

For instance the IPL rules defined by the CCPS are:

In order to be considered an IPL, a device, system, or action must be

• effective in preventing the consequence when it functions as designed,

• independent of the initiating event and the components of any other IPL already claimed for the same scenario,

• auditable; the assumed effectiveness in terms of consequence prevention and PFD must be capable of validation in some manner (by documentation, review, testing, etc.). (p80 CCPS 2001)

Compared with the IPL rules defined in IEC 61511-3:

The criteria to qualify a Protection Layer (PL) as an IPL are:

– The protection provided reduces the identified risk by a large amount, that is, a minimum of a 100-fold reduction;

– The protective function is provided with a high degree of availability (0,9 or greater);

– It has the following important characteristics:

a) Specificity: An IPL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event (for example, a runaway reaction, release of toxic material, a loss of containment, or a fire). Multiple causes may lead to the same hazardous event; and, therefore, multiple event scenarios may initiate action of one IPL;

b) Independence: An IPL is independent of the other protection layers associated with the identified danger.

c) Dependability: It can be counted on to do what it was designed to do. Both random and systematic failure modes are addressed in the design.

d) Auditability: It is designed to facilitate regular validation of the protective functions. Proof testing and maintenance of the safety system is necessary. (§F.9 IEC 61511-3)


1.2.3 What is the Risk Criteria?

The risk criteria is the reference against which to assess the significance of a given risk and can be expressed in many ways: qualitative, semi-quantitative, and quantitative.

Diagrammatically, the risk criteria defines a target line on the expanded scenario sequence shown in Figure 1. After determining the consequence frequency of a scenario, it is compared with the target frequency. If the consequence frequency is more frequent than the target frequency, then additional risk reduction is required, as illustrated in Figure 2. Figure 3 illustrates the situation when the consequence frequency is less frequent than the target frequency and no further risk reduction is required.

[Figure 2 diagram: the Figure 1 scenario sequence (Cause (or Initiating Event) and Enabling Event or Condition; Safeguards; Unwanted Event; Mitigative Safeguards; Outcome Modifiers; Consequence (or Unwanted Outcome)) plotted against Frequency, with a Target frequency to meet Risk Criteria line; the gap between the consequence frequency and the target line is marked Additional Risk Reduction Required.]

Figure 2: A Scenario Sequence Requiring Additional Risk Reduction

[Figure 3 diagram: the same scenario sequence, with the consequence frequency falling below the Target frequency to meet Risk Criteria line.]

Figure 3: A Scenario Sequence Meeting Target Frequency

Qualitative and semi-quantitative risk criteria is commonly expressed as a risk matrix. An example of a typical risk matrix is shown in Figure 4. In this risk matrix the consequence categories are Health and Safety, Financial Loss, and Environmental. However, risk matrices may include other consequence categories such as material release sizes, plant downtime, and public response.


It should be noted that typically qualitative and semi-quantitative risk criteria has been calibrated for assessing the risk of a single scenario.

Consequence categories (Health and Safety; Financial Loss; Environmental):

Low: Medical treatment; < $10,000 in damage or loss; minor local environmental effects.

Minor: Disabling injury; < $100k in damage or loss; minor short term environmental damage.

Moderate: Lost time injury; < $1M in damage or loss; serious short term environmental damage.

Major: Single fatality; < $10M in damage or loss; serious medium term environmental damage.

Catastrophic: Multiple fatality; > $10M in damage or loss; serious long term environmental damage.

Likelihood categories:

Almost Certain: Happens on an annual basis; > 1 per year.

Likely: Happens a few times in a person’s or plant’s lifetime; 1 in 1 years to 1 in 10 years.

Possible: Happens a couple of times in industry as a whole; 1 in 10 years to 1 in 100 years.

Unlikely: Has happened in industry, has been heard of; 1 in 100 years to 1 in 1000 years.

Rare: Has never happened in industry; < 1 in 1000 years.

Risk matrix (rows: Likelihood; columns: Consequences):

                 Low       Minor     Moderate  Major     Catastrophic
Almost Certain   High      High      Extreme   Extreme   Extreme
Likely           Moderate  High      High      Extreme   Extreme
Possible         Low       Moderate  High      Extreme   Extreme
Unlikely         Low       Low       Moderate  High      Extreme
Rare             Low       Low       Low       Moderate  High

Risk Level actions:

Low: Manage by routine procedure and monitoring.

Moderate: Implement additional methods of risk reduction, and Unit Management approval and monitoring required to continue activity.

High: Implement additional methods of risk reduction, and Plant Management approval and monitoring required to continue activity.

Extreme: Cease activity and notify Plant Management.

Figure 4: An Example of a Risk Matrix

The risk nomogram is another expression of risk criteria for qualitative and semi-qualitative risk assessment. An example is shown in Figure 5. While the risk nomogram is more common in Occupational Health & Safety risk management, the author has encountered the risk nomogram in process risk management.


Figure 5: An Example of a Risk Nomogram

Quantitative risk criteria is commonly expressed as an Individual Risk Per Annum (IRPA). Industry quantitative risk criteria is shown in Figure 6. It must be noted that IRPA is the probability that a given person is killed in one year. This implies that IRPA is the sum of all of the frequencies of scenarios leading to a fatality that the given person is exposed to.

To enable IRPA to be applied to a single scenario in LOPA, it is common practice to reduce the IRPA value by a factor of 10. This assumes that a person cannot be affected by more than 10 scenarios at the same time in any given location.

Figure 6 lists some regulators and major companies that have set risk tolerance criteria. Columns: (a) maximum tolerable risk for workforce from all scenarios; (b) negligible risk for workforce from all scenarios; (c) maximum tolerable risk for public from all scenarios; (d) negligible risk for public from all scenarios.

Health & Safety Executive, UK (existing industry): (a) 10^-3; (b) 10^-6; (c) 10^-4; (d) 10^-6

VROM, The Netherlands (existing industry): (a) NA; (b) NA; (c) 10^-5; (d) NA

VROM, The Netherlands (new industry): (a) NA; (b) NA; (c) 10^-6; (d) NA

Hong Kong Government (new industry): (a) NA; (b) NA; (c) 10^-5; (d) NA

Santa Barbara County, CA, USA (new industry): (a) NA; (b) NA; (c) 10^-5; (d) 10^-7

Shell (onshore and offshore; approx.): (a) 10^-3; (b) 10^-6; (c) Note 1; (d) Note 2

BP (onshore and offshore): (a) 10^-3; (b) 10^-6; (c) Note 1; (d) Note 2

ICI (onshore): (a) 3.3 × 10^-5; (b) NA; (c) 10^-4; (d) NA

Rohm and Haas Company: (a) 2.5 × 10^-5 (personal risk to specific employee); (b) NA; (c) 10^-5; (d) 10^-7

Note 1: Not available, but typically industry uses a value that is an order of magnitude lower than workplace risk.

Note 2: Not available, but typically industry uses the same value used for workplace risk, since the value is already in the region where risk calculations become meaningless.

Figure 6: Typical Industry Individual Risk Per Annum (IRPA) Values (adapted from CCPS 2001 Appendix E)

1.3. LOPA Caveats and Limitations

The LOPA process, like all risk assessment processes, has limitations and caveats for use. To ensure that the LOPA results are valid, the following limitations and caveats must be known.

The limitations and caveats for use can be grouped into:

• Multiple scenarios for the same safeguards

• Independence

• Density of consequences

1.3.1 Multiple scenarios for the same safeguards

The vast majority of implementations of the LOPA process analyse scenarios on a scenario by scenario basis. This is an efficient approach which is valid for the majority of applications. However, when a number of scenarios for the same safeguard are encountered, limitations of LOPA are encountered.

A typical example encountered is when LOPA is applied to a burner. With the exception of over firing the burner, virtually all scenarios lead to a flammable mixture in the firebox and subsequent firebox explosion. When a flame scanner is claimed as an IPL in these scenarios a situation is encountered where two or more SIFs are claimed as IPLs with the flame scanner being one of the IPLs. This leads to a difficult analysis and higher required SILs.

While it is possible to carefully construct the scenarios and execute a scenario by scenario LOPA, a far more effective and robust approach is to apply basic Fault Tree and Event Tree analyses. This allows the multiple scenarios to be viewed as one analysis with the interrelationship explicitly shown.

It may be argued that a multiple scenario quantitative LOPA, such as the IEC 61511-3 method outlined in section 1.4.4, does not have these limitations. While this argument is partially correct, it is highlighted that multiple scenario quantitative LOPA has a fixed Fault Tree and Event Tree form. Thus a multiple scenario quantitative LOPA analysis will only improve on the single scenario analysis if the assumed Fault Tree and Event Tree form of the multiple scenario quantitative LOPA analysis is the same as the Fault Tree and Event Tree form of the multiple scenarios being analysed.

1.3.2 Independence

By definition of the IPL rules (see section 1.2.2), LOPA assumes that the common cause, common mode and dependent failures between safeguards, and between safeguards and the initiating event, have a much lower failure rate than the safeguards themselves. Any safeguard which is not considered independent is discounted from the consequence frequency calculation. In the majority of scenarios this approach yields reasonable results.

However, due to practical limitations, common instrumentation is often shared between safeguards, or between safeguards and the cause of the initiating event. In these scenarios some of the safeguards will fail the independence requirements and result in a higher required SIL.

A commonly encountered example of this is the flow measurement in the air and fuel streams of a burner. The flow measurements in the air and fuel streams use multiple differential pressure sensors across the same flow element. In this arrangement any failure mode that affects the flow element affects all differential pressure sensors across the flow element. Due to space requirements around flow elements it is generally impractical to install a flow element for each differential pressure sensor.

It is possible to reduce the risk reduction claimed for safeguards to account for common cause, common mode and dependent failures, or to revert to Fault Tree analysis. Whichever approach is taken, the process must be documented.

1.3.3 Density of consequences

As discussed in section 1.2.3, in LOPA which analyses a single scenario at a time, the quantitative risk criteria for all risks is commonly reduced by a factor of 10 for application to single scenarios. This inherently assumes that for a given area there are no more than 10 scenarios which affect that area. Where this assumption is not correct, the risk criteria for those scenarios need to be revised to ensure the quantitative risk criteria for all risks is not exceeded in that area.

1.4. Common LOPA Implementations

To illustrate the application of the LOPA fundamentals, the LOPA fundamentals will be applied to several common implementations found in standards and texts:

• Matrix as shown in Annex E of IEC 61508-5

• Risk Graph as shown in Annex D of IEC 61508-5

• Quantitative as shown in Chapter 3 Method 3 of CCPS’s LOPA text (p36 CCPS)

• Quantitative as shown in Annex F of IEC 61511-3

The matrix and risk graph methods are also shown in IEC 61511-3 and are essentially the same as the examples selected; however, the IEC 61508-5 versions have been shown due to their more succinct nature.

1.4.1 Matrix

The matrix LOPA implementation as shown in Annex E of IEC 61508-5 (reproduced in Figure 7) analyses a single scenario at a time. It also assumes that each IPL reduces the risk by a factor of 10 and there are no outcome modifiers.

Figure 7: SIL Assignment Matrix (Figure E.1 IEC 61508-5)

The event severity and likelihood defines the total amount of risk reduction required to meet the target frequency for the consequence severity. For an event severity of “extensive” and an event likelihood of medium, Figure 8 shows the required risk reduction as the distance between the initiating event likelihood and the target frequency for event severity.

For each non SIS IPL the required SIL for the SIF is reduced by one. The required SIL for the various number of IPLs is shown diagrammatically in Figure 8.

[Figure 8 diagram: Frequency axis from the Initiating Event Likelihood down to the Target frequency for Event Severity, with the required risk reduction made up as follows: 1 IPL: SIL 3 SIF; 2 IPLs: Non SIS IPL 1 and SIL 2 SIF; 3 IPLs: Non SIS IPL 1, Non SIS IPL 2 and SIL 1 SIF.]

Figure 8: SIL Assignment Matrix Process Shown as a Scenario Sequence

The SIL assignment matrix shown in Figure 9 is a common SIL assignment matrix variation which is functionally identical to the SIL assignment matrix shown in Figure 7. In this case the cell numbers refer to the total number of IPLs required.

Repeating the previous example, for an event severity of extensive and an event likelihood of medium, 3 IPLs are required. If there is only one non SIS IPL then the required SIL is 2 (3 required, less 1 non SIS IPL).

                   Consequence Severity
Event Likelihood   Minor   Serious   Extensive
Low                1       1         2
Med                1       2         3
High               2       3         4

Note: Cell numbers refer to number of IPLs

Figure 9: Alternative SIL Assignment Matrix

1.4.2 Risk graph

The risk graph LOPA implementation as shown in Annex F of IEC 61508-5 (reproduced in Figure 10 with the parameters reproduced in Table 1) analyses a single scenario at a time.


Figure 10: Risk Graph (Figure D.1 IEC 61508-5:1998)

Risk parameter: Consequence (C)

C1: Minor injury
C2: Serious permanent injury to one or more persons; death to one person
C3: Death to several people
C4: Very many people killed

Comments:
1. The classification system has been developed to deal with injury and death to people. Other classification schemes would need to be developed for environmental or material damage.
2. For the interpretation of C1, C2, C3 and C4, the consequences of the accident and normal healing shall be taken into account.

Risk parameter: Frequency of, and exposure time in, the hazardous zone (F)

F1: Rare to more often exposure in the hazardous zone
F2: Frequent to permanent exposure in the hazardous zone

Comments:
3. See comment 1 above.

Risk parameter: Possibility of avoiding the hazardous event (P)

P1: Possible under certain conditions
P2: Almost impossible

Comments:
4. This parameter takes into account: operation of a process (supervised (i.e. operated by skilled or unskilled persons) or unsupervised); rate of development of the hazardous event (for example suddenly, quickly or slowly); ease of recognition of danger (for example seen immediately, detected by technical measures or detected without technical measures); avoidance of hazardous event (for example escape routes possible, not possible or possible under certain conditions); actual safety experience (such experience may exist with an identical EUC or a similar EUC or may not exist).

Risk parameter: Probability of the unwanted occurrence (W)

W1: A very slight probability that the unwanted occurrences will come to pass and only a few unwanted occurrences are likely
W2: A slight probability that the unwanted occurrences will come to pass and few unwanted occurrences are likely
W3: A relatively high probability that the unwanted occurrences will come to pass and frequent unwanted occurrences are likely

Comments:
5. The purpose of the W factor is to estimate the frequency of the unwanted occurrence taking place without the addition of any safety-related systems (E/E/PE or other technology) but including any external risk reduction facilities.
6. If little or no experience exists of the EUC, or the EUC control system, or of a similar EUC and EUC control system, the estimation of the W factor may be made by calculation. In such an event a worst case prediction shall be made.

Table 1: Parameters for Risk Graph in Figure 10 (Table D.1 IEC 61508-5:1998)

The consequence (C) risk parameter defines the target frequency for the consequence. The exposure time (F) (called occupancy in Figure 11), and possibility of avoiding (P) (called avoidance in Figure 11), are outcome modifiers that define the target unwanted event frequency. The required SIL for the SIF is the difference between the probability of the unwanted occurrence (W) and the target unwanted event frequency. The probability of the unwanted occurrence (W) includes the initiating event frequency, any enabling event, and any non SIS safeguards.


[Figure 11 diagram: Frequency axis running from the Cause (or Initiating Event) and Enabling Event or Condition, through the Non SIS Safeguards, to the Probability of unwanted occurrence (W); the Required SIL spans from W down to the Target frequency of Unwanted Event; the Outcome Modifiers Occupancy (F) and Avoidance (P) separate that target from the Target frequency for Consequence Severity (C).]

Figure 11: Risk Graph Process Shown as a Scenario Sequence

A common variation on the implementation of the risk graph process is redefining the probability of the unwanted occurrence (W) to only include the initiating event frequency, and any enabling event. The risk graph cell numbers now refer to the total number of IPLs required. The revised risk graph process is shown in Figure 12.

[Figure 12 diagram: as Figure 11, but the Probability of unwanted occurrence (W) follows directly from the Cause (or Initiating Event) and Enabling Event or Condition, and the span from W down to the Target frequency of Unwanted Event is the Required Number of IPLs; Occupancy (F) and Avoidance (P) remain the Outcome Modifiers leading to the Target frequency for Consequence Severity (C).]

Figure 12: Common Risk Graph Scenario Sequence Variation

1.4.3 Quantitative (CCPS)

All quantitative LOPA processes are essentially identical. The key differences tend to be the manner in which the analysis is documented and the intermediate frequencies calculated.

The CCPS quantitative LOPA process as shown in Table 2 analyses a single scenario at a time. Figure 13 has mapped the parameters from Table 2 onto the scenario sequence.

ScenarioNumber 1b

EquipmentNumber 

Scenario Title: Hexane Surge Tank Overflow. Spill contained bythe dike

Date: Description ProbabilityFrequency(per year)

Page 16: Fundamentals of LOPA

7/18/2019 Fundamentals of LOPA

http://slidepdf.com/reader/full/fundamentals-of-lopa-56d6ebd67d7ba 16/20

Consequence Description/Category: Release of hexane inside the dike due to tank overflow with potential for ignition and fatality.

Risk Tolerance Criteria (Category or Frequency):
    Maximum Tolerable Risk of a Serious Fire       <1×10^-4 per year
    Maximum Tolerable Risk of a Fatal Injury       <1×10^-5 per year

Initiating Event (typically a frequency): Loop failure of BPCS LIC. (PFD from Table 5.1)       1×10^-1 per year

Enabling Event or Condition: -

Conditional Modifiers (if applicable):
    Probability of ignition                        0.1
    Probability of personnel in affected area      0.1
    Probability of fatal injury                    0.5
    Others                                         N/A

Frequency of Unmitigated Consequence               5×10^-4 per year

Independent Protection Layers: SIF (to be added; see Actions)       PFD 1×10^-2

Safeguards (non-IPLs): Human action not an IPL as it depends upon BPCS generated alarms. Cannot be used as BPCS failure is initiating event (Approach A).

Total PFD for all IPLs                             1×10^-2

Frequency of Mitigated Consequence                 5×10^-6 per year

Risk Tolerance Criteria Met? (Yes/No): Yes, with added SIF.

Actions Required to Meet Risk Tolerance Criteria: Add SIF with PFD of 1×10^-2. Responsible Group/Person: Plant Technical / J. Doe, June 2002. Maintain dike as an IPL (inspection, maintenance, etc.).

Notes: Add action items to action tracking database.
References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):

Table 2: Quantitative LOPA (Table A.6 CCPS, 2001)

[Figure 13 (image not reproduced): the Table 2 parameters mapped onto the scenario sequence. Frequency: Initiating Event and Enabling Event or Condition; IPLs (Added SIF); Frequency of Mitigated Consequence. Condition Modifiers: Probability of ignition; Probability of personnel in the affected area; Probability of fatal injury; Frequency of Unmitigated Consequence. Risk Tolerance Criteria.]

Figure 13: Quantitative LOPA (CCPS) Shown as a Scenario Sequence


1.4.4 Quantitative (IEC 61511-3)

The key difference between the IEC 61511-3 quantitative LOPA process (reproduced in Figure 14 and Figure 15) and the CCPS quantitative LOPA process is that the IEC 61511-3 process sums all of the mitigated event likelihoods for scenarios with the same consequence before comparing against the risk criteria.

Column headings (# 1 to 11): Impact event description | Severity level | Initiating cause | Initiation likelihood | General process design | BPCS | Alarms, etc. | Additional mitigation, restricted access | IPL additional mitigation: dikes, pressure relief | Intermediate event likelihood | SIF integrity level | Mitigated event likelihood | Notes

1 | Fire from distillation column rupture | S | Loss of cooling water | 0,1 | 0,1 | 0,1 | 0,1 | 0,1 | PRV 01 | 10^-7 | 10^-2 | 10^-9 | High pressure causes column rupture

2 | Fire from distillation column rupture | S | Steam control loop failure | 0,1 | 0,1 | 0,1 | 0,1 | PRV 01 | 10^-6 | 10^-2 | 10^-8 | Same as above

NOTE Severity Level E = Extensive; S = Serious; M = Minor.

Likelihood values are events per year; other numerical values are average probabilities of failure on demand.

Figure 14: Quantitative LOPA (Figure F.1 IEC 61511-3)

Risk of fatality due to fire = (Mitigated event likelihood of all flammable material releases) × (Probability of fatal injury due to fire)

Risk of fatality due to fire = (1.1 × 10^-8) × (0.5) = 5.5 × 10^-9

Figure 15: Completion of Quantitative LOPA (p46 IEC 61511-3)
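The single-scenario CCPS calculation of Table 2 and the IEC 61511-3 completion step of Figures 14 and 15, as one added worked example in Python (not code from the paper, CCPS or IEC). The `Scenario` class multiplies the initiating event frequency, enabling event and conditional modifiers to the unmitigated frequency, applies the IPL PFDs to get the mitigated frequency, and compares it with the tolerable frequency; `risk_of_fatality` then does what Figure 15 does, summing the mitigated likelihoods of every scenario with the same consequence before applying the fatality probability. The numbers are the ones printed in Table 2 and Figures 14 and 15; the class and function names are this example's own.

```python
"""Single-scenario quantitative LOPA (Table 2 figures) and IEC 61511-3 style aggregation
across scenarios with the same consequence (Figures 14 and 15). Added example."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Scenario:
    title: str
    initiating_event_freq: float                 # events per year
    enabling_prob: float = 1.0                   # 1.0 when there is no enabling event/condition
    conditional_modifiers: List[float] = field(default_factory=list)  # ignition, occupancy, fatality, ...
    ipl_pfds: List[float] = field(default_factory=list)               # one PFD per IPL claimed

    def unmitigated_frequency(self) -> float:
        """Initiating event x enabling event x conditional modifiers (per year)."""
        f = self.initiating_event_freq * self.enabling_prob
        for p in self.conditional_modifiers:
            f *= p
        return f

    def total_ipl_pfd(self) -> float:
        """Product of the PFDs of all IPLs; independence of the IPLs is assumed, as in Table 2."""
        pfd = 1.0
        for p in self.ipl_pfds:
            pfd *= p
        return pfd

    def mitigated_frequency(self) -> float:
        return self.unmitigated_frequency() * self.total_ipl_pfd()


def meets_criteria(frequency: float, max_tolerable: float) -> bool:
    """Risk tolerance criteria are met when the frequency is below the maximum tolerable value."""
    return frequency < max_tolerable


def table2_scenario(with_sif: bool = True) -> Scenario:
    """Scenario 1b from Table 2: BPCS LIC loop failure 0.1/yr, P(ignition) 0.1,
    P(personnel present) 0.1, P(fatal injury) 0.5, added SIF with PFD 1e-2."""
    return Scenario(
        title="Hexane Surge Tank Overflow",
        initiating_event_freq=1e-1,
        conditional_modifiers=[0.1, 0.1, 0.5],
        ipl_pfds=[1e-2] if with_sif else [],
    )


def risk_of_fatality(mitigated_likelihoods: List[float], prob_fatal_injury: float) -> float:
    """IEC 61511-3 completion step (Figure 15): sum the mitigated event likelihoods of every
    scenario leading to the same consequence, then apply the probability of fatal injury."""
    return sum(mitigated_likelihoods) * prob_fatal_injury


if __name__ == "__main__":
    s = table2_scenario()
    print(f"unmitigated {s.unmitigated_frequency():.1e}/yr, mitigated {s.mitigated_frequency():.1e}/yr")
    print("fatal injury criterion (<1e-5) met:", meets_criteria(s.mitigated_frequency(), 1e-5))
    no_sif = table2_scenario(with_sif=False)
    print("same criterion without the SIF:", meets_criteria(no_sif.mitigated_frequency(), 1e-5))
    # Figure 14 rows: mitigated likelihoods 1e-9 and 1e-8 for the two column rupture scenarios.
    print(f"risk of fatality due to fire: {risk_of_fatality([1e-9, 1e-8], 0.5):.1e}/yr")
```

The last line reproduces the 5.5 × 10^-9 of Figure 15. The point the paper makes about the two processes is visible in the code: the CCPS form compares each scenario's mitigated frequency with the criterion on its own, while the IEC form compares the sum, which is why the same per-scenario results can pass one check and fail the other.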

1.5. Common LOPA Implementation Errors Encountered

Common LOPA implementation errors encountered by the author can be grouped into the following broad categories:

• Inconsistencies between LOPA risk criteria and other risk criteria;

• Inconsistencies between the risk determined by LOPA and LOPA riskcriteria;

• Misuse of enabling events or conditions and outcome modifiers;

• Common cause failure in IPLs not considered;

• Unsubstantiated data; and

• Quantitative LOPA & SIL verification without uncertainty addressed.

1.5.1 Inconsistencies between LOPA risk criteria and other risk criteria

Inconsistencies can occur between the LOPA risk criteria and the risk criteria used by other risk assessment processes such as qualitative risk assessments and QRA. This inconsistency can be created in one of two ways.


The first is when the LOPA risk criteria, as defined, are inconsistent with the other expressions of risk criteria. This occurs most commonly by adopting LOPA risk criteria from an external source such as a consultant, standard, text or other company.

The second is when other expressions of risk criteria are revised but the LOPA risk criteria are not. This is a direct result of an inadequate change management process.

However the inconsistency originated, the result is the same: the risk assessment results will differ depending on the risk assessment process followed. From a SIS design point of view this can result in the SIL of the SIFs produced by the LOPA process being lower, or in SIFs not being required at all, if the LOPA risk criteria are less conservative than those of the other risk assessment processes.

In some implementations of LOPA, the LOPA risk criteria will focus on unwanted event frequency rather than on a consequence, such as personnel injury, that QRA focuses on. This is not necessarily an inconsistency, provided the assumptions used to calibrate the risk criteria for unwanted event frequencies are embedded into the LOPA process.

1.5.2 Inconsistencies between the risk determined by LOPA and LOPA risk criteria

Inconsistencies between the risk determined by the LOPA process and the LOPA risk criteria occur most commonly when the LOPA process and the risk criteria are adopted from different sources. It tends to occur with the more elaborate quantitative LOPA processes and is not generally immediately apparent.

An encountered example of this is where the LOPA process grouped scenarios together with the same unwanted event and consequence, and then summed the consequence frequencies. The sum of the consequence frequencies was then compared to a target frequency. So far nothing in itself is incorrect. However, the target frequency was an Individual Risk Per Annum (IRPA). This is where, in virtually all practical applications, the inconsistency occurs.

As discussed previously, IRPA is the probability that a given person is killed in one year and is the sum of all of the frequencies of scenarios leading to a fatality that the given person is exposed to. Hence, if the unwanted event and consequence is the only one that can cause a fatality in a facility, then no inconsistency has occurred. In practice virtually all facilities have multiple unwanted events which can cause a fatality.

The effect of this inconsistency is that, should a QRA be completed, it will be found that the calculated IRPA exceeds the target IRPA. Depending on the circumstances this can result in significant SIS rework.
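The inconsistency described in this section, as an added worked example in Python (not from the paper): a constructed facility with four unwanted events that can each kill the same person, where every per-event sum passes when compared with the IRPA target on its own but the person's actual IRPA, the sum across all events, exceeds it. The facility, its frequencies, an exposure fraction of 1.0 (person always present) and the equal apportionment of the IRPA target across events are all assumptions made for the example.

```python
"""Per-unwanted-event frequency targets versus IRPA (section 1.5.2). Added example with
constructed frequencies; exposure fraction 1.0 is an assumption (person always present)."""
from typing import Dict, List


def per_event_sums(scenarios_by_event: Dict[str, List[float]]) -> Dict[str, float]:
    """Sum the fatality frequencies (per year) of the scenarios grouped under each unwanted event."""
    return {event: sum(freqs) for event, freqs in scenarios_by_event.items()}


def per_event_check(scenarios_by_event: Dict[str, List[float]], target_irpa: float) -> Dict[str, bool]:
    """The inconsistent practice: each unwanted event's summed frequency is compared with the
    IRPA target on its own, so every event can pass while the person's total risk does not."""
    return {event: total <= target_irpa for event, total in per_event_sums(scenarios_by_event).items()}


def irpa(scenarios_by_event: Dict[str, List[float]], exposure: float = 1.0) -> float:
    """Individual Risk Per Annum: the sum over every scenario that can kill the given person,
    scaled by the fraction of the year the person is exposed."""
    return exposure * sum(per_event_sums(scenarios_by_event).values())


def apportioned_event_target(target_irpa: float, scenarios_by_event: Dict[str, List[float]]) -> float:
    """One simple way (an assumption of this example, not the paper's prescription) to keep the
    two consistent: share the IRPA target equally among the unwanted events exposing the person."""
    return target_irpa / len(scenarios_by_event)


# Constructed facility: four unwanted events, each just below a 1e-5/yr target on its own.
FACILITY = {
    "tank overflow fire": [5e-6, 3e-6],
    "column rupture fire": [8e-6],
    "toxic release": [4e-6, 4e-6],
    "compressor explosion": [9e-6],
}

if __name__ == "__main__":
    target = 1e-5
    print("per-event check:", per_event_check(FACILITY, target))
    print(f"IRPA = {irpa(FACILITY):.1e}/yr vs target {target:.0e}/yr")
    print(f"consistent per-event target: {apportioned_event_target(target, FACILITY):.1e}/yr")
```

Every per-event check returns True while the IRPA comes out at 3.3 × 10^-5 per year, more than three times the target, which is the QRA surprise the paragraph above describes.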


1.5.3 Misuse of enabling events or conditions and outcome modifiers

The misuse of enabling events or conditions and outcome modifiers is often encountered when the LOPA assessment group is trying to reduce the resulting SIL of a scenario.

The most frequently encountered example is to call a safeguard an enabling event or condition, or an outcome modifier. The argument most often used to justify this misuse is that the maths is the same whether it is an enabling event or condition, an outcome modifier or a safeguard. In itself the argument is correct. However, by labelling a safeguard as an enabling event or condition, or outcome modifier, the IPL rules have been bypassed.

Another less obvious example of misuse is double dipping. The most commonly encountered example of this is where the frequency given for the initiating event already includes an enabling event or condition, and an enabling event or condition is claimed as well. An obvious example of this is an initiating event of “Heat tracing failure in winter” where an enabling condition of “winter” is also taken.

1.5.4 Common cause failure in IPLs not considered

Common cause failure in IPLs not being correctly considered typically occurs when claiming similar types of safeguards as IPLs in the same scenario. A common example of this is when multiple pressure safety valves (PSV) are claimed as individual IPLs.

The typical situation is where the LOPA guidance specifies that a PSV has 2 orders of magnitude risk reduction. When assessing a scenario where there are two redundant PSVs which are both online and either one can relieve the scenario, the team will take 2 orders of magnitude risk reduction for the first PSV and another 2 orders of magnitude risk reduction for the second PSV. The common cause failure has not been considered. Typically these valves are identical and are tested at the same time by the same technician using the same test equipment.

1.5.5 Unsubstantiated data

Unsubstantiated data is typically a problem with quantitative LOPA and outcome modifiers. In the worst cases it has been seen that the LOPA team was reverse engineering values for initiating events and outcome modifiers to give the results they were looking for.

Particularly for outcome modifiers, their values should be determined using the same process as consequence analysis in QRA.

1.5.6 Quantitative LOPA & SIL verification without uncertainty addressed

Quantitative LOPA & SIL verification without uncertainty addressed is seen where the quantitative LOPA process yields a Probability of Failure on Demand (PFD) for a SIF. Then SIF verification is undertaken and the SIF’s PFD is compared to the PFD yielded in the LOPA process. If the SIF’s PFD is lower than the PFD yielded in the LOPA process then no further work is required.

If the LOPA process and the SIF verification process did not use extremely conservative data, then it is very likely that once field data is generated and the LOPA and SIF verification are updated, the actual risk will be found not to be acceptable.

1.6. Conclusion

LOPA is an excellent process which can be adapted to any organisation by understanding the LOPA fundamentals. When a LOPA process has been correctly implemented it is possible to achieve consistent results for a scenario, whether analysed using a qualitative risk matrix, LOPA or QRA.

In addition, it does not matter which LOPA method is implemented. If the LOPA fundamentals have been correctly implemented then the resulting SIF SILs will be approximately the same.

1.7. References

Center for Chemical Process Safety (CCPS), 2001, ‘Layer of Protection Analysis: Simplified Process Risk Assessment’, American Institute of Chemical Engineers, New York, New York

Anderson, K. & Robinson, R. M., 2004, ‘Risk & Reliability: An Introductory Text’, 5th edition, Risk & Reliability Associates Pty Ltd, Melbourne, Australia

International Electrotechnical Commission, 2003(a), ‘Functional Safety – Safety Instrumented Systems for the process industry sector. Part 1: Framework, definitions, systems, hardware and software requirements’, IEC 61511-1:2003

International Electrotechnical Commission, 2003(b), ‘Functional Safety – Safety Instrumented Systems for the process industry sector. Part 2: Guidelines for the application of IEC 61511-1’, IEC 61511-2:2003

International Electrotechnical Commission, 2003(c), ‘Functional Safety – Safety Instrumented Systems for the process industry sector. Part 3: Guidance for the determination of the required safety integrity levels’, IEC 61511-3:2003

International Electrotechnical Commission, 1998, ‘Functional safety of electrical/electronic/programmable electronic safety related systems – Part 5: Examples of methods for the determination of safety integrity levels’, IEC 61508-5:1998