7/18/2019 Fundamentals of LOPA
http://slidepdf.com/reader/full/fundamentals-of-lopa-56d6ebd67d7ba 1/20
The Fundamentals of LOPA and their Practical Implementation
Peter Scantlebury - Principal Consultant, FSE Global - Canada
Abstract
While Layer of Protection Analysis (LOPA) is becoming the preferred method of Safety Integrity Level (SIL) assignment, there is considerable variation in its practical implementation. In laying out the fundamentals of LOPA, pitfalls, caveats and limitations in the various practical implementations will be discussed. The fundamentals of LOPA will be explained to delegates, along with an examination of the advantages and disadvantages in the various practical implementations. Armed with this knowledge, delegates will then be able to assess their own implementation of LOPA.
1.1. Introduction
Layer of Protection Analysis (LOPA) is becoming the preferred method of Safety Integrity Level (SIL) assignment. However, the author has seen considerable variation in the practical implementation of LOPA across different industries and by different companies.
Some of the practical implementations of LOPA encountered to date have significant discontinuities when compared with other risk processes such as qualitative risk assessments using risk matrices, and quantitative risk assessments. These discontinuities can result in different residual risks being estimated when analysing the same scenario with the various risk processes. If implemented correctly, analysing the same scenario with qualitative risk assessment methods, LOPA and quantitative risk assessments will result in more refined residual risks being estimated, rather than different residual risks being estimated.
To enable analysis of the common implementations of LOPA it is necessary to examine its fundamentals.
1.2. Fundamentals of LOPA
Fundamentally LOPA is a methodology that analyses the risk of a scenario. The outcome of this analysis establishes whether the planned or implemented safeguards are adequate.
In order to critically understand LOPA it is necessary to critically understand:
• What is a scenario?
• What are the rules to analyse the scenario? and
• What is the risk criteria?
1.2.1 What is a Scenario?
The CCPS (2001) describes a scenario as a cause – consequence pair.
Commonly, a cause is described as an initiating event and a consequence as an unwanted outcome.
To illustrate this, consider a scenario where a pressure control failure results in a vessel overpressure, causing vessel rupture and a fatality. In this scenario the cause (or initiating event) is pressure control failure, and the consequence (or unwanted outcome) is a fatality.
To enable a deeper analysis of LOPA it is beneficial to break down the cause – consequence pair further to include an event. To provide clarity in the discussion, the event will be referred to as an unwanted event. Thus a scenario is now described as a cause – unwanted event – consequence sequence. This is a similar form to a Bow Tie Analysis, except a Bow Tie Analysis shows all causes of an unwanted event and all consequences which can occur as a result of the unwanted event.
Using the above pressure control failure example, the unwanted event could be vessel overpressure or vessel rupture. From a pure risk analysis perspective it is immaterial whether vessel overpressure or vessel rupture is taken as the unwanted event.
It is common industry practice to define the unwanted event as the event that led to a release of energy. However, from a legal liability point of view, defining the unwanted event as the event where loss of control occurred provides a better negligence defence (Anderson & Robinson, 2004). From the example, taking the release of energy approach, the unwanted event would be vessel rupture, while in the loss of control approach, the unwanted event would be vessel overpressure.
Throughout this paper the unwanted event will be defined as the event where loss of control occurred.
To complete the pressure control failure example, the cause (or initiating event) is pressure control failure, the unwanted event (or loss of control) is vessel overpressure, and the consequence (or unwanted outcome) is a fatality.
The scenario sequence needs to be expanded to contain more detail to enable the frequency of a scenario’s consequence to be determined. Expanding the scenario sequence to contain all elements needed for analysis results in the scenario sequence shown in Figure 1, with further explanation of each aspect provided below.
Figure 1: Expanded Scenario Sequence (diagram, plotted against Frequency: Cause (or Initiating Event) and Enabling Event or Condition → Safeguards → Unwanted Event → Mitigative Safeguards → Outcome Modifiers → Consequence (or Unwanted Outcome))
An initiating event is the failure or action which starts the scenario sequence and is expressed as a frequency of the initiating event. Sometimes a failure or action (initiating event) does not start the scenario sequence, as other enabling events or conditions must be present.
Enabling events or conditions “consist of operations or conditions that do not directly cause the scenario, but which must be present or active in order for the scenario to proceed” (p67, CCPS 2001). An enabling event or condition is expressed as a probability that at a given point in time the enabling event or condition is present. Typical examples of enabling events are plant states such as start-up, or environmental conditions such as cold weather.
A safeguard is a device which prevents the unwanted event from occurring after the initiating event has occurred and is expressed as a probability that at a given point in time the safeguard has failed. Typical examples of a safeguard are Safety Instrumented Functions (SIFs), Pressure Safety Valves (PSVs), and alarms with an operator action.
A mitigative safeguard is a device which prevents the unwanted outcome from occurring after the unwanted event has occurred, and is expressed as a probability that at a given point in time the mitigative safeguard has failed. A typical example of a mitigative safeguard is a fire and gas shutdown system.
An outcome modifier (or modifier) is an element of pure chance that an unwanted event does not result in the unwanted outcome. This is expressed as a probability that given an unwanted event has occurred, the consequence does not occur. Typical examples of a modifier are the probability of a person being present, the probability of ignition of a flammable material, and the probability that a person is injured.
Finally, to determine the frequency of the consequence, it is simply a matter of multiplying the frequency of the initiating event by the probabilities of the enabling event or condition, the safeguards, the mitigative safeguards, and the outcome modifiers.
1.2.2 What are the rules to analyse the scenario?
There are a number of clauses within IEC 61511-1 which the LOPA process must comply with. The relevant sections within IEC 61511-1 are Section 8: Process Hazard and Risk Assessment, and Section 9: Allocation of Safety Functions to Protection Layers.
The pertinent clauses for the LOPA process define rules for initiating event frequency, and for safeguards to be considered protection layers.
The pertinent rule for an initiating event frequency is:
The dangerous failure rate of a BPCS (which does not conform to IEC 61511) that places a demand on a protection layer shall not be assumed to be better than 10^-5 per hour. (§8.2.2 IEC 61511-1)
The effect of this clause is that the least frequent initiating event frequency that can be claimed for a Basic Process Control System (BPCS) failure, for example a pressure control failure, is 1 in 11.4 years. In practice the BPCS failure rate is rounded to 1 in 10 years.
For safeguards there are a few more pertinent rules. The first two are:
The risk reduction factor for a BPCS (which does not conform to IEC 61511 or IEC 61508) used as a protection layer shall be below 10. (§9.4.2 IEC 61511-1)
and
If a risk reduction factor greater than 10 is claimed for the BPCS, then it shall be designed to the requirements within this standard. (§9.4.2 IEC 61511-1)
Both of these clauses have the same effect: the best probability of failure that can be claimed for a safeguard implemented in a BPCS is 0.1. If a safeguard has been implemented in a BPCS with a probability of failure less than 0.1, then the safeguard has been designed to the requirements of IEC 61511-1. The safeguard would now be considered a Safety Instrumented Function (SIF) rather than a safeguard implemented in a BPCS.
The final pertinent rule for safeguards is:
The design of protection layers shall be assessed to ensure that the likelihood of common cause, common mode and dependent failures between protection layers and between protection layers and the BPCS are sufficiently low in comparison to the overall safety integrity requirements of the protection layers. The assessment may be qualitative or quantitative. (§9.5.2 IEC 61511-1)
This clause is not as straightforward to comply with as the previous clauses. In practice, compliance with this clause is achieved by defining what is commonly termed Independent Protection Layer (IPL) rules. The IPL rules define when a safeguard can be considered in the calculation of the frequency of a scenario’s consequence. Unfortunately there is not a standard set of IPL rules defined.
For instance the IPL rules defined by the CCPS are:
In order to be considered an IPL, a device, system, or action must be
• effective in preventing the consequence when it functions as designed,
• independent of the initiating event and the components of any other IPL already claimed for the same scenario,
• auditable; the assumed effectiveness in terms of consequence prevention and PFD must be capable of validation in some manner (by documentation, review, testing, etc.) (p80 CCPS 2001)
Compared with the IPL rules defined in IEC 61511-3:
The criteria to qualify a Protection Layer (PL) as an IPL are:
– The protection provided reduces the identified risk by a large amount, that is, a minimum of a 100-fold reduction;
– The protective function is provided with a high degree of availability (0,9 or greater);
– It has the following important characteristics:
a) Specificity: An IPL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event (for example, a runaway reaction, release of toxic material, a loss of containment, or a fire). Multiple causes may lead to the same hazardous event; and, therefore, multiple event scenarios may initiate action of one IPL;
b) Independence: An IPL is independent of the other protection layers associated with the identified danger.
c) Dependability: It can be counted on to do what it was designed to do. Both random and systematic failure modes are addressed in the design.
d) Auditability: It is designed to facilitate regular validation of the protective functions. Proof testing and maintenance of the safety system is necessary. (§F.9 IEC 61511-3)
1.2.3 What is the Risk Criteria?
The risk criteria is the reference against which to assess the significance of a given risk and can be expressed in many ways: qualitative, semi-quantitative, and quantitative.
Diagrammatically, the risk criteria defines a target line on the expanded scenario sequence shown in Figure 1. After determining the consequence frequency of a scenario, it is compared with the target frequency. If the consequence frequency is more frequent than the target frequency, then additional risk reduction is required as illustrated in Figure 2. Figure 3 illustrates the situation when the consequence frequency is less frequent than the target frequency and no further risk reduction is required.
Figure 2: A Scenario Sequence Requiring Additional Risk Reduction (diagram: the expanded scenario sequence of Figure 1 plotted against Frequency with a target frequency line to meet the Risk Criteria; the gap between the consequence frequency and the target line is marked “Additional Risk Reduction Required”)
Figure 3: A Scenario Sequence Meeting Target Frequency (diagram: the same sequence with the consequence frequency below the target frequency line, so no further risk reduction is required)
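The consequence frequency calculation of section 1.2.1 (initiating event frequency multiplied by every probability along the sequence), the comparison against a target frequency shown in Figures 2 and 3, and the two IEC 61511-1 limits quoted in section 1.2.2 applied as checks, as an added Python example that is not code from the paper or from FSE Global. The pressure control failure numbers, the element names and the single-scenario target of 1×10^-5 per year are constructed assumptions; the SIL bands used to turn a required risk reduction factor into a SIL are the IEC 61511-1 PFDavg bands, which the paper itself does not list.

```python
"""Single-scenario LOPA calculator for the expanded scenario sequence.

Added example: this is not code from the paper or from FSE Global. The
pressure control failure numbers, the element names and the single-scenario
target are constructed for illustration.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional

HOURS_PER_YEAR = 8760
# IEC 61511-1 limits quoted in section 1.2.2 of the paper
BPCS_DANGEROUS_FAILURE_RATE_PER_HOUR = 1e-5  # §8.2.2: not to be assumed better than 1e-5/h
BPCS_MIN_PFD = 0.1                           # §9.4.2: RRF of a BPCS protection layer below 10


@dataclass
class Element:
    """One box in the sequence: a frequency (initiating event) or a probability."""
    name: str
    value: float
    in_bpcs: bool = False  # implemented in a BPCS that does not conform to IEC 61511


@dataclass
class Scenario:
    initiating_event: Element                                 # frequency per year
    enabling: List[Element] = field(default_factory=list)     # P(condition present)
    safeguards: List[Element] = field(default_factory=list)   # PFD, act before the unwanted event
    mitigative: List[Element] = field(default_factory=list)   # PFD, act after the unwanted event
    modifiers: List[Element] = field(default_factory=list)    # P(consequence | unwanted event)

    def unwanted_event_frequency(self) -> float:
        f = self.initiating_event.value
        for e in self.enabling + self.safeguards:
            f *= e.value
        return f

    def consequence_frequency(self) -> float:
        """Initiating frequency times every probability along the sequence (per year)."""
        f = self.unwanted_event_frequency()
        for e in self.mitigative + self.modifiers:
            f *= e.value
        return f


def rule_violations(s: Scenario) -> List[str]:
    """Claims that are better than IEC 61511-1 allows for a non-conforming BPCS."""
    problems = []
    floor = BPCS_DANGEROUS_FAILURE_RATE_PER_HOUR * HOURS_PER_YEAR  # 0.0876/yr, i.e. 1 in 11.4 years
    ie = s.initiating_event
    if ie.in_bpcs and ie.value < floor:
        problems.append(f"{ie.name}: BPCS initiating frequency {ie.value:g}/yr is better "
                        f"than {floor:.3g}/yr (§8.2.2)")
    for sg in s.safeguards + s.mitigative:
        if sg.in_bpcs and sg.value < BPCS_MIN_PFD:
            problems.append(f"{sg.name}: BPCS safeguard PFD {sg.value:g} is better than "
                            f"{BPCS_MIN_PFD}; it must be designed as a SIF (§9.4.2)")
    return problems


def required_risk_reduction(consequence_freq: float, target_freq: float) -> float:
    """Factor by which the consequence frequency exceeds the target; 1.0 when the target is met."""
    return max(1.0, consequence_freq / target_freq)


def sil_for_rrf(rrf: float) -> Optional[int]:
    """SIL band whose PFDavg range covers 1/rrf (IEC 61511-1 bands, not from the paper:
    SIL 1 PFDavg 1e-2 to 1e-1, SIL 2 1e-3 to 1e-2, SIL 3 1e-4 to 1e-3, SIL 4 1e-5 to 1e-4).
    Returns 0 when an RRF of 10 or less suffices and None when more than SIL 4 would be needed."""
    if rrf <= 10:
        return 0
    if rrf > 1e5:
        return None
    return math.ceil(math.log10(rrf)) - 1


def pressure_control_scenario(with_psv: bool) -> Scenario:
    """Constructed numbers for the paper's pressure control failure example."""
    safeguards = [Element("high pressure alarm with operator action", 0.1, in_bpcs=True)]
    if with_psv:
        safeguards.append(Element("pressure safety valve", 0.01))
    return Scenario(
        initiating_event=Element("pressure control failure", 0.1, in_bpcs=True),
        safeguards=safeguards,
        modifiers=[Element("person present", 0.1), Element("fatality given rupture", 0.5)],
    )


def assess(s: Scenario, target_freq: float) -> dict:
    f = s.consequence_frequency()
    rrf = required_risk_reduction(f, target_freq)
    return {"consequence_frequency": f, "target": target_freq, "rrf": rrf,
            "sil": sil_for_rrf(rrf), "violations": rule_violations(s)}


if __name__ == "__main__":
    TARGET = 1e-5  # constructed single-scenario fatality target, per year
    for psv in (False, True):
        print("with PSV:" if psv else "without PSV:", assess(pressure_control_scenario(psv), TARGET))
```

Without the PSV the scenario sits at 5×10^-4 per year, fifty times the target, which is the Figure 2 situation and lands in the SIL 1 band; adding a PSV with a PFD of 0.01 brings it to 5×10^-6 per year, the Figure 3 situation. The rule check is what catches a worksheet that claims a pressure control loop failure rarer than 1 in 11.4 years, or a BPCS alarm with a PFD below 0.1, before those numbers silently lower the required SIL.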
Qualitative and semi-quantitative risk criteria is commonly expressed as a risk matrix. An example of a typical risk matrix is shown in Figure 4. In this risk matrix the consequence categories are Health and Safety, Financial Loss, and Environmental. However, risk matrices may include other consequence categories such as material release sizes, plant downtime, and public response.
It should be noted that typically qualitative and semi-quantitative risk criteria have been calibrated for assessing the risk of a single scenario.
Consequence categories:

| | Low | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Health and Safety | Medical treatment | Disabling injury | Lost time injury | Single fatality | Multiple fatality |
| Financial Loss | < $10,000 in damage or loss | < $100k in damage or loss | < $1M in damage or loss | < $10M in damage or loss | > $10M in damage or loss |
| Environmental | Minor local environmental effects | Minor short term environmental damage | Serious short term environmental damage | Serious medium term environmental damage | Serious long term environmental damage |

Likelihood categories:

| | Almost Certain | Likely | Possible | Unlikely | Rare |
|---|---|---|---|---|---|
| Description | Happens on an annual basis. | Happens a few times in a person’s or plant’s lifetime. | Happens a couple of times in industry as a whole. | Has happened in industry, has been heard of. | Has never happened in industry. |
| Frequency | > 1 per year | 1 in 1 years to 1 in 10 years | 1 in 10 years to 1 in 100 years | 1 in 100 years to 1 in 1000 years | < 1 in 1000 years |

Risk level (Likelihood down, Consequences across):

| Likelihood | Low | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | High | High | Extreme | Extreme | Extreme |
| Likely | Moderate | High | High | Extreme | Extreme |
| Possible | Low | Moderate | High | Extreme | Extreme |
| Unlikely | Low | Low | Moderate | High | Extreme |
| Rare | Low | Low | Low | Moderate | High |

Required response by risk level:

| Low | Moderate | High | Extreme |
|---|---|---|---|
| Manage by routine procedure and monitoring. | Implement additional methods of risk reduction, and Unit Management approval and monitoring required to continue activity. | Implement additional methods of risk reduction and Plant Management approval and monitoring required to continue activity. | Cease activity and notify Plant Management. |

Figure 4: An Example of a Risk Matrix
The risk nomogram is another expression of risk criteria for qualitative and semi-quantitative risk assessment. An example is shown in Figure 5. While the risk nomogram is more common in Occupational Health & Safety risk management, the author has encountered the risk nomogram in process risk management.
Figure 5: An Example of a Risk Nomogram
Quantitative risk criteria is commonly expressed as an Individual Risk Per Annum (IRPA). Industry quantitative risk criteria is shown in Figure 6. It must be noted that IRPA is the probability that a given person is killed in one year. This implies that IRPA is the sum of all of the frequencies of scenarios leading to a fatality that the given person is exposed to.
To enable IRPA to be applied to a single scenario in LOPA, it is common practice to reduce the IRPA value by a factor of 10. This assumes that a person cannot be affected by more than 10 scenarios at the same time in any given location.
| Some regulators and major companies that have set risk tolerance criteria | Maximum tolerable risk for workforce from all scenarios | Negligible risk for workforce from all scenarios | Maximum tolerable risk for public from all scenarios | Negligible risk for public from all scenarios |
|---|---|---|---|---|
| Health & Safety Executive, UK (existing industry) | 10^-3 | 10^-6 | 10^-4 | 10^-6 |
| VROM, The Netherlands (existing industry) | NA | NA | 10^-5 | NA |
| VROM, The Netherlands (new industry) | NA | NA | 10^-6 | NA |
| Hong Kong Government (new industry) | NA | NA | 10^-5 | NA |
| Santa Barbara County, CA, USA (new industry) | NA | NA | 10^-5 | 10^-7 |
| Shell (onshore and offshore; approx.) | 10^-3 | 10^-6 | Note 1 | Note 2 |
| BP (onshore and offshore) | 10^-3 | 10^-6 | Note 1 | Note 2 |
| ICI (onshore) | 3.3 × 10^-5 | NA | 10^-4 | NA |
| Rohm and Haas Company | 2.5 × 10^-5 (personal risk to specific employee) | NA | 10^-5 | 10^-7 |

Note 1: Not available, but typically industry uses a value that is an order of magnitude lower than workplace risk
Note 2: Not available, but typically industry uses the same value used for workplace risk, since the value is already in the region where risk calculations become meaningless
Figure 6: Typical Industry Individual Risk Per Annum (IRPA) Values (adapted from CCPS 2001 Appendix E)
1.3. LOPA Caveats and Limitations
The LOPA process, like all risk assessment processes, has limitations and caveats for use. To ensure that the LOPA results are valid, the following limitations and caveats must be known.
The limitations and caveats for use can be grouped into:
• Multiple scenarios for the same safeguards
• Independence
• Density of consequences
1.3.1 Multiple scenarios for the same safeguards
The vast majority of implementations of the LOPA process analyse scenarios on a scenario by scenario basis. This is an efficient approach which is valid for the majority of applications. However, when a number of scenarios for the same safeguard are encountered, limitations of LOPA are encountered.
A typical example encountered is when LOPA is applied to a burner. With the exception of over-firing the burner, virtually all scenarios lead to a flammable mixture in the firebox and subsequent firebox explosion. When a flame scanner is claimed as an IPL in these scenarios a situation is encountered where two or more SIFs are claimed as IPLs with the flame scanner being one of the IPLs. This leads to a difficult analysis and higher required SILs.
While it is possible to carefully construct the scenarios and execute a scenario by scenario LOPA, a far more effective and robust approach is to apply basic Fault Tree and Event Tree analyses. This allows the multiple scenarios to be viewed as one analysis with the interrelationship explicitly shown.
It may be argued that a multiple scenario quantitative LOPA such as the IEC 61511-3 method outlined in section 1.4.4 does not have these limitations. While this argument is partially correct, it is highlighted that multiple scenario quantitative LOPA has a fixed Fault Tree and Event Tree form. Thus a multiple scenario quantitative LOPA analysis will only overcome the single scenario analysis if the assumed Fault Tree and Event Tree form of a multiple scenario quantitative LOPA analysis is the same as the Fault Tree and Event Tree form of the multiple scenarios being analysed.
1.3.2 Independence
By definition of the IPL rules (see section 1.2.2), LOPA assumes that the common cause, common mode and dependent failures between safeguards, and between safeguards and the initiating event, have a much lower failure rate than the safeguards themselves. Any safeguard which is not considered independent is discounted from the consequence frequency calculation. In the majority of scenarios this approach yields reasonable results.
However, due to practical limitations, common instrumentation is often shared between safeguards, or between safeguards and the cause of the initiating event. In these scenarios some of the safeguards will fail the independence requirements and result in a higher required SIL.
A commonly encountered example of this is the flow measurement in the air and fuel streams of a burner. The flow measurements in the air and fuel streams use multiple differential pressure sensors across the same flow element. In this arrangement any failure mode that affects the flow element affects all differential pressure sensors across the flow element. Due to space requirements around flow elements it is generally impractical to install a flow element for each differential pressure sensor.
It is possible to reduce the risk reduction claimed for safeguards to account for common cause, common mode and dependent failures, or to revert to Fault Tree analysis. Whichever approach is taken the process must be documented.
1.3.3 Density of consequences
As discussed in section 1.2.3, in LOPA which analyses a single scenario at a time, the quantitative risk criteria for all risks is commonly reduced by a factor of 10 for application to single scenarios. This inherently assumes that for a given area there are no more than 10 scenarios which affect that area. Where this assumption is not correct, the risk criteria for those scenarios need to be revised to ensure the quantitative risk criteria for all risks is not exceeded in that area.
1.4. Common LOPA Implementations
To illustrate the application of the LOPA fundamentals, the LOPA fundamentals will be applied to several common implementations found in standards and texts:
• Matrix as shown in Annex E of IEC 61508-5
• Risk Graph as shown in Annex D of IEC 61508-5
• Quantitative as shown in Chapter 3 Method 3 of CCPS’s LOPA text (p36 CCPS)
• Quantitative as shown in Annex F of IEC 61511-3
The matrix and risk graph methods are also shown in IEC 61511-3 and are essentially the same as the examples selected; however, the IEC 61508-5 versions have been shown due to their more succinct nature.
1.4.1 Matrix
The matrix LOPA implementation as shown in Annex E of IEC 61508-5 (reproduced in Figure 7) analyses a single scenario at a time. It also assumes that each IPL reduces the risk by a factor of 10 and there are no outcome modifiers.
Figure 7: SIL Assignment Matrix (Figure E.1 IEC 61508-5)
The event severity and likelihood define the total amount of risk reduction required to meet the target frequency for the consequence severity. For an event severity of “extensive” and an event likelihood of medium, Figure 8 shows the required risk reduction as the distance between the initiating event likelihood and the target frequency for event severity.
For each non SIS IPL the required SIL for the SIF is reduced by one. The required SIL for the various numbers of IPLs is shown diagrammatically in Figure 8.
Figure 8: SIL Assignment Matrix Process Shown as a Scenario Sequence (diagram, plotted against Frequency, from the Initiating Event Likelihood down to the Target frequency for Event Severity: with 1 IPL a SIL 3 SIF; with 2 IPLs Non SIS IPL 1 and a SIL 2 SIF; with 3 IPLs Non SIS IPL 1, Non SIS IPL 2 and a SIL 1 SIF)
The SIL assignment matrix shown in Figure 9 is a common SIL assignment matrix variation which is functionally identical to the SIL assignment matrix shown in Figure 7. In this case the cell numbers refer to the total number of IPLs required.
Repeating the previous example, for an event severity of extensive and an event likelihood of medium, 3 IPLs are required. If there is only one non SIS IPL then the required SIL is 2 (3 required, less 1 non SIS IPL).
| Event Likelihood \ Consequence Severity | Minor | Serious | Extensive |
|---|---|---|---|
| Low | 1 | 1 | 2 |
| Med | 1 | 2 | 3 |
| High | 2 | 3 | 4 |

Note: Cell numbers refer to number of IPLs
Figure 9: Alternative SIL Assignment Matrix
1.4.2 Risk Graph
The risk graph LOPA implementation as shown in Annex F of IEC 61508-5 (reproduced in Figure 10 with the parameters reproduced in Table 1) analyses a single scenario at a time.
Figure 10: Risk Graph (Figure D.1 IEC 61508-5:1998)
Risk parameter: Consequence (C)
Classification:
– C1: Minor injury
– C2: Serious permanent injury to one or more persons; death to one person
– C3: Death to several people
– C4: Very many people killed
Comments:
1. The classification system has been developed to deal with injury and death to people. Other classification schemes would need to be developed for environmental or material damage.
2. For the interpretation of C1, C2, C3 and C4, the consequences of the accident and normal healing shall be taken into account.

Risk parameter: Frequency of, and exposure time in, the hazardous zone (F)
Classification:
– F1: Rare to more often exposure in the hazardous zone
– F2: Frequent to permanent exposure in the hazardous zone
Comments:
3. See comment 1 above.

Risk parameter: Possibility of avoiding the hazardous event (P)
Classification:
– P1: Possible under certain conditions
– P2: Almost impossible
Comments:
4. This parameter takes into account: operation of a process (supervised (i.e. operated by skilled or unskilled persons) or unsupervised); rate of development of the hazardous event (for example suddenly, quickly or slowly); ease of recognition of danger (for example seen immediately, detected by technical measures or detected without technical measures); avoidance of hazardous event (for example escape routes possible, not possible or possible under certain conditions); actual safety experience (such experience may exist with an identical EUC or a similar EUC or may not exist).

Risk parameter: Probability of the unwanted occurrence (W)
Classification:
– W1: A very slight probability that the unwanted occurrences will come to pass and only a few unwanted occurrences are likely
– W2: A slight probability that the unwanted occurrences will come to pass and few unwanted occurrences are likely
– W3: A relatively high probability that the unwanted occurrences will come to pass and frequent unwanted occurrences are likely
Comments:
5. The purpose of the W factor is to estimate the frequency of the unwanted occurrence taking place without the addition of any safety-related systems (E/E/PE or other technology) but including any external risk reduction facilities.
6. If little or no experience exists of the EUC, or the EUC control system, or of a similar EUC and EUC control system, the estimation of the W factor may be made by calculation. In such an event a worst case prediction shall be made.

Table 1: Parameters for Risk Graph in Figure 10 (Table D.1 IEC 61508-5:1998)
The consequence (C) risk parameter defines the target frequency for the consequence. The exposure time (F) (called occupancy in Figure 11), and possibility of avoiding (P) (called avoidance in Figure 11), are outcome modifiers that define the target unwanted event frequency. The required SIL for the SIF is the difference between the probability of the unwanted occurrence (W) and the target unwanted event frequency. The probability of the unwanted occurrence (W) includes the initiating event frequency, any enabling event, and any non SIS safeguards.
Figure 11: Risk Graph Process Shown as a Scenario Sequence (diagram, plotted against Frequency: the Cause (or Initiating Event) and Enabling Event or Condition together with the Non SIS Safeguards make up the Probability of unwanted occurrence (W); the distance from W to the Target frequency of Unwanted Event is the Required SIL; the Outcome Modifiers Occupancy (F) and Avoidance (P) link the Target frequency of Unwanted Event to the Target frequency for Consequence Severity (C))
A common variation on the implementation of the risk graph process is redefining the probability of the unwanted occurrence (W) to only include the initiating event frequency and any enabling event. The risk graph cell numbers now refer to the total number of IPLs required. The revised risk graph process is shown in Figure 12.
Figure 12: Common Risk Graph Scenario Sequence Variation (diagram as Figure 11, but the Probability of unwanted occurrence (W) covers only the Cause (or Initiating Event) and Enabling Event or Condition, and the distance from W to the Target frequency of Unwanted Event is the Required Number of IPLs)
1.4.3 Quantitative (CCPS)
All quantitative LOPA processes are essentially identical. The key differences tend to be the manner in which the analysis is documented and the intermediate frequencies calculated.
The CCPS quantitative LOPA process as shown in Table 2 analyses a single scenario at a time. Figure 13 has mapped the parameters from Table 2 onto the scenario sequence.
Scenario Number: 1b
Equipment Number:
Scenario Title: Hexane Surge Tank Overflow. Spill contained by the dike
Date:

| | Description | Probability | Frequency (per year) |
|---|---|---|---|
| Consequence Description/Category | Release of hexane inside the dike due to tank overflow with potential for ignition and fatality. | | |
| Risk Tolerance Criteria (Category or Frequency) | Maximum Tolerable Risk of a Serious Fire | | < 1×10^-4 |
| | Maximum Tolerable Risk of a Fatal Injury | | < 1×10^-5 |
| Initiating Event (typically a frequency) | Loop failure of BPCS LIC. (PFD from Table 5.1) | | 1×10^-1 |
| Enabling Event or Condition | - | | |
| Conditional Modifiers (if applicable) | Probability of ignition | 0.1 | |
| | Probability of personnel in affected area | 0.1 | |
| | Probability of fatal injury | 0.5 | |
| | Others | N/A | |
| Frequency of Unmitigated Consequence | | | 5×10^-4 |
| Independent Protection Layers | SIF (to be added, see Actions) | 1×10^-2 | |
| Safeguards (non-IPLs) | Human action not an IPL as it depends upon BPCS generated alarms. Cannot be used as BPCS failure is initiating event (Approach A) | | |
| Total PFD for all IPLs | | 1×10^-2 | |
| Frequency of Mitigated Consequence | | | 5×10^-6 |
| Risk Tolerance Criteria Met? (Yes/No) | Yes, with added SIF. | | |
| Actions Required to Meet Risk Tolerance Criteria | Add SIF with PFD of 1×10^-2. Responsible Group/Person: Plant Technical / J. Doe, June 2002. Maintain dike as an IPL (Inspection, maintenance, etc.) | | |
| Notes | Add action items to action tracking database. | | |

References (links to originating hazard review, PFD, P&ID, etc.):
LOPA analyst (and team members, if applicable):
Table 2: Quantitative LOPA (Table A.6 CCPS, 2001)
Figure 13: Quantitative LOPA (CCPS) Shown as a Scenario Sequence (diagram, plotted against Frequency: Initiating Event and Enabling Event or Condition; the Condition Modifiers Probability of ignition, Probability of personnel in the affected area and Probability of fatal injury give the Frequency of Unmitigated Consequence; the Added SIF IPL gives the Frequency of Mitigated Consequence, which is compared with the Risk Tolerance Criteria)
1.4.4 Quantitative (IEC 61511-3)
The key difference between the IEC 61511-3 quantitative LOPA (reproduced in Figure 14 and Figure 15) and the CCPS quantitative LOPA processes is that the IEC 61511-3 quantitative LOPA process sums all of the mitigated event likelihoods for scenarios with the same consequence before comparing against the risk criteria.
| # | Impact event description | Severity level | Initiating cause | Initiation likelihood | General process design | BPCS | Alarms, etc. | Additional mitigation, restricted access | IPL additional mitigation: dikes, pressure relief | Intermediate event likelihood | SIF integrity level | Mitigated event likelihood | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Fire from distillation column rupture | S | Loss of cooling water | 0,1 | 0,1 | 0,1 | 0,1 | 0,1 | PRV 0,01 | 10^-7 | 10^-2 | 10^-9 | High pressure causes column rupture |
| 2 | Fire from distillation column rupture | S | Steam control loop failure | 0,1 | 0,1 | | 0,1 | 0,1 | PRV 0,01 | 10^-6 | 10^-2 | 10^-8 | Same as above |

NOTE Severity Level E = Extensive; S = Serious; M = Minor.
Likelihood values are events per year, other numerical values are probabilities of failure on demand average.
Figure 14: Quantitative LOPA (Figure F.1 IEC 61511-3)
Risk of fatality due to fire = (Mitigated event likelihood of all flammable material releases) × (Probability of fatal injury due to fire)
Risk of fatality due to fire = (1.1 × 10^-8) × (0.5) = 5.5 × 10^-9
Figure 15: Completion of Quantitative LOPA (p46 IEC 61511-3)
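The two quantitative worksheets in sections 1.4.3 and 1.4.4, as an added Python example that is not code from the paper, CCPS or IEC: each row is the same product of an initiation likelihood and its credited factors, and the IEC 61511-3 step of section 1.4.4 then sums the mitigated likelihoods of rows that share a consequence before multiplying by the probability of fatal injury, exactly as Figure 15 does. It also carries the section 1.2.3 and 1.3.3 point that an IRPA criterion applies to the sum over all scenarios a person is exposed to. The row values are those of Table 2 and Figure 14; reading the one uncredited protection layer column in scenario 2 as the BPCS column (a BPCS steam control loop failure is the initiating cause, so the BPCS cannot also be credited as a layer), and dividing the all-scenario criterion by the scenario count when more than 10 scenarios share an area, are assumptions of this example.

```python
"""Quantitative LOPA worksheets: per-scenario products, then the IEC 61511-3
sum over scenarios that share a consequence.

Added example; not the paper's, CCPS's or IEC's own code. Values reproduce
Table 2 and Figures 14 and 15 of the paper. Treating the uncredited column in
scenario 2 as the BPCS (the initiating cause is a BPCS loop failure) is an
assumption, as is dividing the area criterion by the scenario count.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Row:
    impact_event: str
    initiating_cause: str
    initiation_likelihood: float           # events per year
    factors: Dict[str, Optional[float]]    # protection layer PFDs or conditional modifiers; None = not credited
    sif_pfd: Optional[float] = None        # SIF integrity level column; None when no SIF is claimed

    def intermediate_event_likelihood(self) -> float:
        """Initiation likelihood times every credited non-SIF factor (per year);
        in CCPS terms the frequency of the unmitigated consequence."""
        f = self.initiation_likelihood
        for pfd in self.factors.values():
            if pfd is not None:
                f *= pfd
        return f

    def mitigated_event_likelihood(self) -> float:
        f = self.intermediate_event_likelihood()
        return f * self.sif_pfd if self.sif_pfd is not None else f


def summed_by_impact_event(rows: List[Row]) -> Dict[str, float]:
    """IEC 61511-3 step: add the mitigated likelihoods of rows that share a consequence."""
    totals: Dict[str, float] = defaultdict(float)
    for r in rows:
        totals[r.impact_event] += r.mitigated_event_likelihood()
    return dict(totals)


def fatality_risk(rows: List[Row], impact_event: str, p_fatal: float) -> float:
    """Figure 15: (sum of mitigated likelihoods) x (probability of fatal injury)."""
    return summed_by_impact_event(rows)[impact_event] * p_fatal


def area_total_within_criterion(scenario_fatality_freqs: List[float], irpa_criterion: float) -> bool:
    """Section 1.3.3 check: the all-scenario IRPA criterion bounds the sum of every
    fatality scenario a person in the area is exposed to, not each scenario alone."""
    return sum(scenario_fatality_freqs) <= irpa_criterion


def per_scenario_target(irpa_criterion: float, scenarios_in_area: int) -> float:
    """Common practice divides the all-scenario criterion by 10; with more than 10
    scenarios in one area this example divides by the scenario count instead (assumption)."""
    return irpa_criterion / max(10, scenarios_in_area)


def figure_14_rows() -> List[Row]:
    fire = "Fire from distillation column rupture"
    return [
        Row(fire, "Loss of cooling water", 0.1,
            {"general process design": 0.1, "BPCS": 0.1, "alarms etc.": 0.1,
             "additional mitigation, restricted access": 0.1, "IPL PRV 01": 0.01}, sif_pfd=1e-2),
        Row(fire, "Steam control loop failure", 0.1,
            {"general process design": 0.1, "BPCS": None, "alarms etc.": 0.1,
             "additional mitigation, restricted access": 0.1, "IPL PRV 01": 0.01}, sif_pfd=1e-2),
    ]


def table_2_row() -> Row:
    """CCPS Table 2: the conditional modifiers multiply in exactly the same way."""
    return Row("Hexane surge tank overflow with ignition and fatality", "Loop failure of BPCS LIC", 0.1,
               {"probability of ignition": 0.1, "probability of personnel in affected area": 0.1,
                "probability of fatal injury": 0.5}, sif_pfd=1e-2)


if __name__ == "__main__":
    ccps = table_2_row()
    print("CCPS unmitigated", ccps.intermediate_event_likelihood(),
          "mitigated", ccps.mitigated_event_likelihood(),
          "meets 1e-5:", ccps.mitigated_event_likelihood() < 1e-5)
    rows = figure_14_rows()
    for r in rows:
        print(r.initiating_cause, r.intermediate_event_likelihood(), r.mitigated_event_likelihood())
    print("IEC 61511-3 fatality risk", fatality_risk(rows, rows[0].impact_event, 0.5))
```

The CCPS row reproduces 5×10^-4 unmitigated and 5×10^-6 mitigated, and the two IEC rows reproduce 10^-9 and 10^-8, summing to 1.1×10^-8 and 5.5×10^-9 after the fatal injury probability. The same `Row` serves both because, as section 1.4.3 says, the quantitative processes differ in documentation and intermediate values rather than in arithmetic; the summation function is the one step the CCPS single-scenario worksheet lacks.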
1.5. Common LOPA Implementation Errors Encountered
Common LOPA implementation errors encountered by the author can be grouped into the following broad categories:
• Inconsistencies between LOPA risk criteria and other risk criteria;
• Inconsistencies between the risk determined by LOPA and LOPA riskcriteria;
• Misuse of enabling events or conditions and outcome modifiers;
• Common cause failure in IPLs not considered;
• Unsubstantiated data; and
• Quantitative LOPA & SIL verification without uncertainty addressed.
1.5.1 Inconsistencies between LOPA risk criteria and other risk criteria
Inconsistencies can occur between the LOPA risk criteria and the risk criteria used by other risk assessment processes such as qualitative risk assessments and QRA. This inconsistency can be created in one of two ways.
The first is when the LOPA risk criteria, as defined, are inconsistent with the other expressions of risk criteria. This occurs most commonly when the LOPA risk criteria are adopted from an external source such as a consultant, a standard, a text or another company.

The second is when the other expressions of risk criteria are revised but the LOPA risk criteria are not. This is a direct result of an inadequate change management process.

However the inconsistency originated, the result is the same: the risk assessment results differ depending on which risk assessment process is followed. From a SIS design point of view, if the LOPA risk criteria are less conservative than those of the other risk assessment processes, the SIFs' SILs determined by LOPA will be lower, or SIFs will not be required at all.
In some implementations of LOPA, the LOPA risk criteria focus on an unwanted event frequency rather than on a consequence such as personnel injury, which is what QRA focuses on. This is not necessarily an inconsistency, provided the assumptions used to calibrate the risk criteria for unwanted event frequencies are embedded in the LOPA process.
1.5.2 Inconsistencies between the risk determined by LOPA and LOPA risk criteria
Inconsistencies between the risk determined by the LOPA process and the LOPA risk criteria occur most commonly when the LOPA process and the risk criteria are adopted from different sources. This tends to happen with the more elaborate quantitative LOPA processes and is generally not immediately apparent.

An encountered example of this is a LOPA process that grouped scenarios with the same unwanted event and consequence together and then summed their consequence frequencies. The sum of the consequence frequencies was then compared to a target frequency. So far nothing in itself is incorrect. However, the target frequency was an Individual Risk Per Annum (IRPA), and this is where, in virtually all practical applications, the inconsistency occurs.

As discussed previously, IRPA is the probability that a given person is killed in one year, and is the sum of the frequencies of all scenarios leading to a fatality that the given person is exposed to. Hence, if the grouped unwanted event and consequence is the only one that can cause a fatality in the facility, no inconsistency has occurred. In practice virtually all facilities have multiple unwanted events which can cause a fatality, so comparing each group on its own against the IRPA target lets the total risk to the individual exceed that target.

The effect of this inconsistency is that, should a QRA be completed, the calculated IRPA will be found to exceed the target IRPA. Depending on the circumstances this can result in significant SIS rework.
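The arithmetic behind this inconsistency, as an added example that is not part of the paper: a handful of constructed fatality scenarios for one exposed person, each group of which passes the IRPA target on its own while the person's actual IRPA fails it. The target of 1e-5 per year, the scenario frequencies, and the equal apportionment of the IRPA budget across unwanted events used in `apportioned_group_target` are all assumptions of this example, not figures or prescriptions from the page.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed data (not from the page): mitigated fatality frequencies, per year, of the
# scenarios one operator is exposed to, after each group's SIF has been sized by LOPA.
TARGET_IRPA = 1e-5  # assumed corporate individual-risk criterion, fatalities per person per year

FatalityScenario = Tuple[str, str, float]  # (unwanted event, initiating cause, mitigated fatality frequency /yr)
SCENARIOS: List[FatalityScenario] = [
    ("Column rupture fire", "Loss of cooling water", 4e-6),
    ("Column rupture fire", "Steam control loop failure", 4e-6),
    ("Toxic release", "Pump seal failure", 7e-6),
    ("Vessel overpressure", "Blocked outlet", 6e-6),
]


def group_frequencies(scenarios: List[FatalityScenario]) -> Dict[str, float]:
    """Sum mitigated fatality frequencies per unwanted event (the grouping the page describes)."""
    totals: Dict[str, float] = defaultdict(float)
    for event, _cause, freq in scenarios:
        totals[event] += freq
    return dict(totals)


def per_group_check(scenarios: List[FatalityScenario], target: float) -> Dict[str, bool]:
    """The inconsistent comparison: each group's sum judged against the IRPA target on its own."""
    return {event: total <= target for event, total in group_frequencies(scenarios).items()}


def irpa(scenarios: List[FatalityScenario]) -> float:
    """IRPA as the page defines it: the sum over every fatality scenario the person is exposed to."""
    return sum(freq for _event, _cause, freq in scenarios)


def irpa_check(scenarios: List[FatalityScenario], target: float) -> bool:
    """The consistent comparison: the whole IRPA against the IRPA target."""
    return irpa(scenarios) <= target


def shortfall_factor(scenarios: List[FatalityScenario], target: float) -> float:
    """Factor by which the summed risk exceeds the target (1.0 means the target is met)."""
    return max(1.0, irpa(scenarios) / target)


def apportioned_group_target(target: float, scenarios: List[FatalityScenario]) -> float:
    """One way to make a group-level comparison consistent with an IRPA criterion (an assumption of
    this example, not the page's prescription): split the IRPA budget equally across the unwanted
    events, so each group must meet target / number_of_groups."""
    return target / len(group_frequencies(scenarios))


if __name__ == "__main__":
    print("Per-group vs IRPA target:", per_group_check(SCENARIOS, TARGET_IRPA))
    print(f"Actual IRPA: {irpa(SCENARIOS):.2e}/yr, meets target: {irpa_check(SCENARIOS, TARGET_IRPA)}")
    print(f"Total risk must fall by a factor of {shortfall_factor(SCENARIOS, TARGET_IRPA):.2f}")
    budget = apportioned_group_target(TARGET_IRPA, SCENARIOS)
    print(f"Apportioned per-group target: {budget:.2e}/yr ->", per_group_check(SCENARIOS, budget))
```

Every group passes the per-group check, the person's IRPA comes out at 2.1 × 10^-5 against a 1 × 10^-5 target, and once the budget is apportioned every group fails, which is the SIS rework the paragraph above warns about.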
1.5.3 Misuse of enabling events or conditions and outcome modifiers
Misuse of enabling events or conditions and of outcome modifiers is often encountered when the LOPA assessment group is trying to reduce the resulting SIL of a scenario.

The most frequently encountered example is calling a safeguard an enabling event or condition, or an outcome modifier. The argument most often used to justify this is that the maths is the same whether the factor is an enabling event or condition, an outcome modifier or a safeguard. In itself the argument is correct. However, by labelling a safeguard as an enabling event or condition or as an outcome modifier, the IPL rules that the safeguard would otherwise have to satisfy have been bypassed.

Another, less obvious, example of misuse is double dipping. The most commonly encountered form is where the frequency given for the initiating event already includes an enabling event or condition, and that enabling event or condition is then claimed again. An obvious example is an initiating event of "Heat tracing failure in winter" combined with an enabling condition of "winter".
1.5.4 Common cause failure in IPLs not considered
Common cause failure in IPLs is typically not correctly considered when similar types of safeguards are claimed as separate IPLs in the same scenario. A common example is multiple pressure safety valves (PSVs) claimed as individual IPLs.

The typical situation is where the LOPA guidance specifies that a PSV provides 2 orders of magnitude of risk reduction. When assessing a scenario with two redundant PSVs, both online and either one able to relieve the scenario, the team takes 2 orders of magnitude risk reduction for the first PSV and another 2 orders of magnitude for the second. Common cause failure has not been considered: typically these valves are identical and are tested at the same time by the same technician using the same test equipment, so a single error in testing or maintenance can leave both valves in the same failed state.
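What the missed common cause does to the claimed credit can be put in numbers. The following Python is an added example, not from the paper: it takes the page's guidance value of 2 orders of magnitude (PFD 0.01) per PSV and compares the "2 + 2 = 4 orders" claim with a beta-factor common-cause model, in which a fraction beta of each valve's unavailability is shared and fails both valves together. The beta-factor model itself (the IEC 61508-6 approach) and the beta values tried are this example's assumptions, as is the convention that a LOPA sheet only claims whole orders of magnitude.

```python
import math
from typing import Dict, Iterable

PSV_PFD = 1e-2  # the page's LOPA guidance: one PSV = 2 orders of magnitude risk reduction


def independent_1oo2_pfd(pfd_each: float) -> float:
    """Two valves treated as independent IPLs: the PFDs simply multiply (what the team did)."""
    return pfd_each * pfd_each


def beta_factor_1oo2_pfd(pfd_each: float, beta: float) -> float:
    """Beta-factor common-cause model for two identical valves where either one suffices (1oo2).
    Assumed for this example (IEC 61508-6 style, not on the page): a fraction beta of each
    valve's unavailability is a shared cause that takes out both, so
    PFD = ((1 - beta) * pfd_each)^2 + beta * pfd_each."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be a fraction between 0 and 1")
    independent_part = (1.0 - beta) * pfd_each
    return independent_part ** 2 + beta * pfd_each


def orders_of_magnitude(pfd: float) -> float:
    """Risk reduction in orders of magnitude, the unit the page's LOPA guidance uses."""
    return -math.log10(pfd)


def whole_order_credit(pfd: float) -> int:
    """Credit rounded down to whole orders, assuming (as many LOPA sheets do) that only
    complete orders of magnitude may be claimed."""
    return math.floor(orders_of_magnitude(pfd))


def compare_credits(pfd_each: float, betas: Iterable[float]) -> Dict[float, float]:
    """Orders of magnitude the PSV pair is worth for a range of common-cause fractions."""
    return {beta: orders_of_magnitude(beta_factor_1oo2_pfd(pfd_each, beta)) for beta in betas}


if __name__ == "__main__":
    naive = independent_1oo2_pfd(PSV_PFD)
    print(f"Claimed 2 + 2: PFD={naive:.1e} -> {orders_of_magnitude(naive):.2f} orders")
    for beta, orders in compare_credits(PSV_PFD, (0.01, 0.05, 0.10, 0.20)).items():
        pfd = beta_factor_1oo2_pfd(PSV_PFD, beta)
        print(f"beta={beta:.2f}: PFD={pfd:.2e} -> {orders:.2f} orders, whole-order credit {whole_order_credit(pfd)}")
```

With beta = 0.1 the pair's PFD is about 1.1 × 10^-3, roughly 3 orders of magnitude rather than 4, and on a whole-order basis the second valve adds nothing over the first. The common-cause term beta × PFD dominates as soon as beta exceeds the single-valve PFD, which for identically tested valves it easily does.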
1.5.5 Unsubstantiated data
Unsubstantiated data is typically a problem with quantitative LOPA and with outcome modifiers. In the worst cases the LOPA team has been seen reverse engineering values for initiating events and outcome modifiers to give the results they were looking for.

Particularly for outcome modifiers, the values should be determined using the same process as consequence analysis in QRA.
1.5.6 Quantitative LOPA & SIL verification without uncertainty addressed
Quantitative LOPA and SIL verification without uncertainty addressed is seen where the quantitative LOPA process yields a Probability of Failure on Demand (PFD) for a SIF. SIF verification is then undertaken and the SIF's calculated PFD is compared to the PFD yielded by the LOPA process. If the SIF's PFD is lower than the PFD yielded by the LOPA process, no further work is done.

Unless both the LOPA process and the SIF verification process used extremely conservative data, it is very likely that once field data is generated and the LOPA and SIF verification are updated, the actual risk will be found to be unacceptable.
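The following Python is an added example, not part of the paper, showing the comparison described above and why a bare point-estimate pass is fragile. It sizes a single-channel (1oo1) SIF with the first-order low-demand formula PFDavg ≈ λ_DU × TI / 2 (the IEC 61508-6 approximation; ignoring repair time and diagnostics is an assumption of this example), checks it against the PFD the LOPA asked for, repeats the check with the failure rate scaled by an uncertainty factor, computes the proof-test interval that would hold at the upper bound, and finally re-verifies against a constructed field failure rate. The required PFD of 1e-2, the vendor rate of 1e-6 per hour, the factor of 3 and the field counts are all constructed for illustration.

```python
from typing import Dict

HOURS_PER_YEAR = 8760.0


def pfd_avg_1oo1(lambda_du_per_hour: float, test_interval_hours: float) -> float:
    """First-order low-demand PFDavg for a single-channel SIF: lambda_DU * TI / 2
    (IEC 61508-6 style approximation; repair time and diagnostics ignored, an assumption)."""
    if lambda_du_per_hour < 0 or test_interval_hours <= 0:
        raise ValueError("failure rate must be non-negative and test interval positive")
    return lambda_du_per_hour * test_interval_hours / 2.0


def verify_sif(required_pfd: float, lambda_du_per_hour: float, test_interval_hours: float,
               rate_uncertainty_factor: float = 1.0) -> Dict[str, float]:
    """Compare the SIF's PFD with the PFD the LOPA asked for, at the point-estimate failure rate
    and at an upper bound (rate x factor) standing in for the spread in the failure-rate data."""
    point = pfd_avg_1oo1(lambda_du_per_hour, test_interval_hours)
    upper = pfd_avg_1oo1(lambda_du_per_hour * rate_uncertainty_factor, test_interval_hours)
    return {
        "required_pfd": required_pfd,
        "point_pfd": point,
        "upper_pfd": upper,
        "margin_at_point": required_pfd / point,   # > 1 means the point estimate passes
        "passes_at_point": point <= required_pfd,
        "passes_at_upper": upper <= required_pfd,
    }


def max_test_interval_hours(required_pfd: float, lambda_du_per_hour: float,
                            rate_uncertainty_factor: float) -> float:
    """Longest proof-test interval that still meets the required PFD at the upper-bound rate:
    solve lambda * factor * TI / 2 <= required_pfd for TI."""
    return 2.0 * required_pfd / (lambda_du_per_hour * rate_uncertainty_factor)


def reverify_with_field_rate(required_pfd: float, dangerous_undetected_failures: int,
                             cumulative_operating_hours: float, test_interval_hours: float) -> Dict[str, float]:
    """Once field data exists: re-estimate lambda_DU as failures / operating hours and re-verify.
    (A point estimate; a practitioner would also attach a confidence bound to so few failures.)"""
    if cumulative_operating_hours <= 0:
        raise ValueError("need positive operating hours")
    field_rate = dangerous_undetected_failures / cumulative_operating_hours
    return verify_sif(required_pfd, field_rate, test_interval_hours)


if __name__ == "__main__":
    REQUIRED = 1e-2          # constructed: LOPA asked for SIL 1, PFD <= 1e-2
    VENDOR_RATE = 1e-6       # constructed: vendor lambda_DU, per hour
    TI = HOURS_PER_YEAR      # annual proof test
    result = verify_sif(REQUIRED, VENDOR_RATE, TI, rate_uncertainty_factor=3.0)
    print(f"point PFD {result['point_pfd']:.2e} (margin {result['margin_at_point']:.2f}) pass={result['passes_at_point']}")
    print(f"upper PFD {result['upper_pfd']:.2e} pass={result['passes_at_upper']}")
    print(f"test interval that holds at 3x rate: {max_test_interval_hours(REQUIRED, VENDOR_RATE, 3.0):.0f} h")
    field = reverify_with_field_rate(REQUIRED, dangerous_undetected_failures=4,
                                     cumulative_operating_hours=1.5e6, test_interval_hours=TI)
    print(f"field PFD {field['point_pfd']:.2e} pass={field['passes_at_point']}")
```

At the vendor rate the SIF passes with a margin of about 2.3; at three times that rate it fails, and the constructed field experience of 4 dangerous undetected failures in 1.5 million hours fails it too. The useful output is the last figure but one: shortening the proof-test interval to roughly 6,700 hours is what keeps the LOPA requirement met across the plausible range of the data.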
1.6. Conclusion
LOPA is an excellent process which can be adapted to any organisation by understanding the LOPA fundamentals. When a LOPA process has been correctly implemented it is possible to achieve consistent results for a scenario, whether it is analysed using a qualitative risk matrix, LOPA or QRA.

In addition, it does not matter which LOPA method is implemented. If the LOPA fundamentals have been correctly implemented, the resulting SIF SILs will be approximately the same.
1.7. References
Center for Chemical Process Safety (CCPS), 2001. 'Layer of Protection Analysis: Simplified Process Risk Assessment'. American Institute of Chemical Engineers, New York, New York.

Anderson, K. & Robinson, R. M., 2004. 'Risk & Reliability: An Introductory Text', 5th edition. Risk & Reliability Associates Pty Ltd, Melbourne, Australia.

International Electrotechnical Commission, 2003(a). 'Functional Safety – Safety Instrumented Systems for the process industry sector. Part 1: Framework, definitions, systems, hardware and software requirements', IEC 61511-1:2003.

International Electrotechnical Commission, 2003(b). 'Functional Safety – Safety Instrumented Systems for the process industry sector. Part 2: Guidelines for the application of IEC 61511-1', IEC 61511-2:2003.

International Electrotechnical Commission, 2003(c). 'Functional Safety – Safety Instrumented Systems for the process industry sector. Part 3: Guidance for the determination of the required safety integrity levels', IEC 61511-3:2003.

International Electrotechnical Commission, 1998. 'Functional safety of electrical/electronic/programmable electronic safety related systems – Part 5: Examples of methods for the determination of safety integrity levels', IEC 61508-5:1998.