Fundamentals of LOPA

September 22, 2017 | Author: Juan Perez | Category: Prevention, Risk, Safety, Science, Engineering

The Fundamentals of LOPA and their Practical Implementation

Peter Scantlebury - Principal Consultant, FSE Global - Canada

Abstract

While Layer of Protection Analysis (LOPA) is becoming the preferred method of Safety Integrity Level (SIL) assignment, there is considerable variation in its practical implementation. In laying out the fundamentals of LOPA, pitfalls, caveats and limitations in the various practical implementations will be discussed. The fundamentals of LOPA will be explained to delegates, along with an examination of the advantages and disadvantages of the various practical implementations. Armed with this knowledge, delegates will then be able to assess their own implementation of LOPA.

1.1. Introduction

Layer of Protection Analysis (LOPA) is becoming the preferred method of Safety Integrity Level (SIL) assignment. However, the author has seen considerable variation in the practical implementation of LOPA across different industries and by different companies. Some of the practical implementations of LOPA encountered to date have significant discontinuities when compared with other risk processes such as qualitative risk assessments using risk matrices, and quantitative risk assessments. These discontinuities can result in different residual risks being estimated when analysing the same scenario with the various risk processes. If implemented correctly, analysing the same scenario with qualitative risk assessment methods, LOPA and quantitative risk assessment will result in more refined estimates of the residual risk, rather than different residual risks being estimated. To enable analysis of the common implementations of LOPA it is necessary to examine its fundamentals.

1.2. Fundamentals of LOPA

Fundamentally, LOPA is a methodology that analyses the risk of a scenario. The outcome of this analysis establishes whether the planned or implemented safeguards are adequate.
In order to critically understand LOPA it is necessary to critically understand:
• What is a scenario?
• What are the rules to analyse the scenario?
• What is the risk criteria?

1.2.1 What is a Scenario?

The CCPS (2001) describes a scenario as a cause – consequence pair. Commonly, a cause is described as an initiating event and a consequence as an unwanted outcome. To illustrate this, consider a scenario where a pressure control failure results in a vessel overpressure, causing vessel rupture and a fatality. In this scenario the cause (or initiating event) is pressure control failure, and the consequence (or unwanted outcome) is a fatality.

To enable a deeper analysis of LOPA it is beneficial to break down the cause – consequence pair further to include an event. To provide clarity in the discussion, the event will be referred to as an unwanted event. Thus a scenario is now described as a cause – unwanted event – consequence sequence. This is a similar form to a Bow Tie Analysis, except that a Bow Tie Analysis shows all causes of an unwanted event and all consequences which can occur as a result of the unwanted event.

Using the above pressure control failure example, the unwanted event could be vessel overpressure or vessel rupture. From a pure risk analysis perspective it is immaterial whether vessel overpressure or vessel rupture is taken as the unwanted event. It is common industry practice to define the unwanted event as the event that led to a release of energy. However, from a legal liability point of view, defining the unwanted event as the event where loss of control occurred provides a better negligence defence (Anderson & Robinson, 2004). In the example, taking the release of energy approach, the unwanted event would be vessel rupture, while in the loss of control approach, the unwanted event would be vessel overpressure. Throughout this paper the unwanted event will be defined as the event where loss of control occurred.

To complete the pressure control failure example, the cause (or initiating event) is pressure control failure, the unwanted event (or loss of control) is vessel overpressure, and the consequence (or unwanted outcome) is a fatality. The scenario sequence needs to be expanded to contain more detail to enable the frequency of a scenario’s consequence to be determined. Expanding the scenario sequence to contain all elements needed for analysis results in the scenario sequence shown in Figure 1, with further explanation of each aspect provided below.

[Figure 1: Expanded Scenario Sequence. Elements along the frequency axis: Cause (or Initiating Event) and Enabling Event or Condition; Safeguards; Unwanted Event; Mitigative Safeguards; Outcome Modifiers; Consequence (or Unwanted Outcome).]

An initiating event is the failure or action which starts the scenario sequence and is expressed as a frequency of the initiating event. Sometimes a failure or action (initiating event) does not start the scenario sequence on its own, as other enabling events or conditions must be present. Enabling events or conditions “consist of operations or conditions that do not directly cause the scenario, but which must be present or active in order for the scenario to proceed” (p67, CCPS 2001). An enabling event or condition is expressed as the probability that at a given point in time the enabling event or condition is present. Typical examples of enabling events are plant states such as start-up, or environmental conditions such as cold weather.

A safeguard is a device which prevents the unwanted event from occurring after the initiating event has occurred, and is expressed as the probability that at a given point in time the safeguard has failed. Typical examples of a safeguard are Safety Instrumented Functions (SIFs), Pressure Safety Valves (PSVs), and alarms with an operator action.

A mitigative safeguard is a device which prevents the unwanted outcome from occurring after the unwanted event has occurred, and is expressed as the probability that at a given point in time the mitigative safeguard has failed. A typical example of a mitigative safeguard is a fire and gas shutdown system.

An outcome modifier (or modifier) is an element of pure chance that an unwanted event does not result in the unwanted outcome. This is expressed as a probability that, given an unwanted event has occurred, the consequence does not occur. Typical examples of a modifier are the probability of a person being present, the probability of ignition of a flammable material, and the probability that a person is injured.
Finally, to determine the frequency of the consequence, it is simply a matter of multiplying the frequency of the initiating event by the probabilities of the enabling event or condition, the safeguards, the mitigative safeguards, and the outcome modifiers.

1.2.2 What are the rules to analyse the scenario?

There are a number of clauses within IEC 61511-1 with which the LOPA process must comply. The relevant sections within IEC 61511-1 are Section 8: Process Hazard and Risk Assessment, and Section 9: Allocation of Safety Functions to Protection Layers. The pertinent clauses for the LOPA process define rules for initiating event frequency, and for safeguards to be considered protection layers.

The pertinent rule for an initiating event frequency is:

    The dangerous failure rate of a BPCS (which does not conform to IEC 61511) that places a demand on a protection layer shall not be assumed to be better than 10^-5 per hour. (§8.2.2 IEC 61511-1)

The effect of this clause is that the least frequent initiating event frequency that can be claimed for a Basic Process Control System (BPCS) failure, for example a pressure control failure, is 1 in 11.4 years. In practice the BPCS failure rate is rounded to 1 in 10 years.

For safeguards there are a few more pertinent rules. The first two are:

    The risk reduction factor for a BPCS (which does not conform to IEC 61511 or IEC 61508) used as a protection layer shall be below 10. (§9.4.2 IEC 61511-1)

and

    If a risk reduction factor greater than 10 is claimed for the BPCS, then it shall be designed to the requirements within this standard. (§9.4.2 IEC 61511-1)

Both of these clauses have the same effect: the best probability of failure that can be claimed for a safeguard implemented in a BPCS is 0.1. If a safeguard has been implemented in a BPCS with a probability of failure less than 0.1, then the safeguard must have been designed to the requirements of IEC 61511-1. The safeguard would now be considered a Safety Instrumented Function (SIF) rather than a safeguard implemented in a BPCS.

The final pertinent rule for safeguards is:

    The design of protection layers shall be assessed to ensure that the likelihood of common cause, common mode and dependent failures between protection layers and between protection layers and the BPCS are sufficiently low in comparison to the overall safety integrity requirements of the protection layers. The assessment may be qualitative or quantitative. (§9.5.2 IEC 61511-1)

This clause is not as straightforward to comply with as the previous clauses. In practice, compliance with this clause is achieved by defining what are commonly termed Independent Protection Layer (IPL) rules. The IPL rules define when a safeguard can be considered in the calculation of the frequency of a scenario’s consequence. Unfortunately there is not a standard set of IPL rules defined. For instance, the IPL rules defined by the CCPS are:

    In order to be considered an IPL, a device, system, or action must be
    • effective in preventing the consequence when it functions as designed,
    • independent of the initiating event and the components of any other IPL already claimed for the same scenario,
    • auditable; the assumed effectiveness in terms of consequence prevention and PFD must be capable of validation in some manner (by documentation, review, testing, etc.). (p80 CCPS 2001)

Compare these with the IPL rules defined in IEC 61511-3:

    The criteria to qualify a Protection Layer (PL) as an IPL are:
    – The protection provided reduces the identified risk by a large amount, that is, a minimum of a 100-fold reduction;
    – The protective function is provided with a high degree of availability (0,9 or greater);
    – It has the following important characteristics:
      a) Specificity: An IPL is designed solely to prevent or to mitigate the consequences of one potentially hazardous event (for example, a runaway reaction, release of toxic material, a loss of containment, or a fire). Multiple causes may lead to the same hazardous event; and, therefore, multiple event scenarios may initiate action of one IPL;
      b) Independence: An IPL is independent of the other protection layers associated with the identified danger.
      c) Dependability: It can be counted on to do what it was designed to do. Both random and systematic failure modes are addressed in the design.
      d) Auditability: It is designed to facilitate regular validation of the protective functions. Proof testing and maintenance of the safety system is necessary. (§F.9 IEC 61511-3)

1.2.3 What is the Risk Criteria?

The risk criteria is the reference against which to assess the significance of a given risk and can be expressed in many ways: qualitative, semi-quantitative, and quantitative. Diagrammatically, the risk criteria defines a target line on the expanded scenario sequence shown in Figure 1. After determining the consequence frequency of a scenario, it is compared with the target frequency. If the consequence frequency is higher than the target frequency, then additional risk reduction is required, as illustrated in Figure 2. Figure 3 illustrates the situation where the consequence frequency is lower than the target frequency and no further risk reduction is required.
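The frequency calculation of Figure 1, the IEC 61511-1 limits quoted in section 1.2.2 and the comparison with a target frequency described in section 1.2.3, worked through as an added Python example (this is not code from the paper). The pressure control scenario values, the alarm and PSV figures and the IRPA criterion are constructed for illustration, and a required risk reduction factor (RRF) from 10^n up to just under 10^(n+1) is mapped to SIL n.

```python
"""Single-scenario LOPA: the Figure 1 frequency calculation, the IEC 61511-1
clauses quoted in section 1.2.2, and the comparison with a target frequency
derived from an IRPA criterion (section 1.2.3). Added example; values constructed."""
import math
from dataclasses import dataclass, field, replace

HOURS_PER_YEAR = 8760.0
# §8.2.2: a non-61511 BPCS failure placing a demand on a protection layer may not
# be claimed better than 1e-5 per hour: about 1 in 11.4 years, 1 in 10 in practice.
BPCS_MIN_DEMAND_PER_YEAR = 1e-5 * HOURS_PER_YEAR   # 0.0876 per year
# §9.4.2: a layer in a non-61511 BPCS gets an RRF below 10, so PFD >= 0.1.
BPCS_MIN_PFD = 0.1

@dataclass
class Layer:
    name: str
    pfd: float             # probability the layer has failed when demanded
    in_bpcs: bool = False  # implemented in a BPCS not conforming to IEC 61511

    def claimable_pfd(self) -> float:
        return max(self.pfd, BPCS_MIN_PFD) if self.in_bpcs else self.pfd

@dataclass
class Scenario:
    title: str
    ie_freq: float                  # initiating event frequency, per year
    ie_is_bpcs: bool = False        # e.g. a pressure control loop failure
    enabling: list = field(default_factory=list)    # probabilities (start-up, weather)
    safeguards: list = field(default_factory=list)  # Layers before the unwanted event
    mitigative: list = field(default_factory=list)  # Layers after the unwanted event
    modifiers: list = field(default_factory=list)   # pure-chance outcome modifiers

    def claimable_ie_freq(self) -> float:
        if self.ie_is_bpcs:
            return max(self.ie_freq, BPCS_MIN_DEMAND_PER_YEAR)
        return self.ie_freq

    def consequence_freq(self) -> float:
        """Figure 1: IE frequency x enabling x safeguards x mitigative x modifiers."""
        f = self.claimable_ie_freq()
        for p in self.enabling + self.modifiers:
            f *= p
        for layer in self.safeguards + self.mitigative:
            f *= layer.claimable_pfd()
        return f

def single_scenario_target(irpa: float, scenarios_per_location: int = 10) -> float:
    """IRPA sums every fatality scenario a person is exposed to, so the common
    practice (section 1.2.3) is to divide it by the number of scenarios assumed
    to affect one location, 10 unless the density of consequences says otherwise."""
    return irpa / scenarios_per_location

def required_sil(consequence_freq: float, target_freq: float):
    """Figures 2 and 3: compare with the target and size the additional layer.
    Returns (required RRF, SIL). RRF 1.0 / SIL 0 means the target is met; an RRF
    below 10 (SIL 0) could come from a non-SIS layer rather than a SIF."""
    if consequence_freq <= target_freq:
        return 1.0, 0
    rrf = consequence_freq / target_freq
    sil = math.floor(math.log10(rrf * (1 + 1e-9)))   # [10^n, 10^(n+1)) -> SIL n
    if sil > 4:
        raise ValueError("RRF beyond SIL 4: change the process rather than the SIS")
    return rrf, sil

# Constructed pressure control failure scenario from section 1.2.1.
PRESSURE_SCENARIO = Scenario(
    title="pressure control failure -> vessel overpressure -> rupture -> fatality",
    ie_freq=0.05,          # claimed 1 in 20 years, but the BPCS floor applies
    ie_is_bpcs=True,
    safeguards=[Layer("high pressure alarm + operator action", 0.05, in_bpcs=True)],
    modifiers=[0.5, 0.5],  # person present; that person is killed by the rupture
)
PSV = Layer("pressure safety valve", 0.01)
WORKFORCE_IRPA = 1e-3      # maximum tolerable workforce IRPA, as in Figure 6

def add_safeguard(scenario: Scenario, layer: Layer) -> Scenario:
    return replace(scenario, safeguards=scenario.safeguards + [layer])

def assess(scenario: Scenario, irpa: float = WORKFORCE_IRPA):
    """(consequence frequency, per-scenario target, required RRF, required SIL)."""
    target = single_scenario_target(irpa)
    freq = scenario.consequence_freq()
    return (freq, target) + required_sil(freq, target)
```

With only the BPCS alarm credited the scenario needs a SIL 1 SIF; adding the PSV brings the consequence frequency below the 1e-4 per year target.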

[Figure 2: A Scenario Sequence Requiring Additional Risk Reduction. The Figure 1 elements (Cause (or Initiating Event) and Enabling Event or Condition; Safeguards; Unwanted Event; Mitigative Safeguards; Outcome Modifiers; Consequence (or Unwanted Outcome)) plotted against frequency, with the target frequency to meet the risk criteria marked and the gap labelled "Additional Risk Reduction Required".]

[Figure 3: A Scenario Sequence Meeting Target Frequency. The same elements plotted against frequency, with the target frequency to meet the risk criteria marked.]

Qualitative and semi-quantitative risk criteria are commonly expressed as a risk matrix. An example of a typical risk matrix is shown in Figure 4. In this risk matrix the consequence categories are Health and Safety, Financial Loss, and Environmental. However, risk matrices may include other consequence categories such as material release sizes, plant downtime, and public response.

It should be noted that typically qualitative and semi-quantitative risk criteria has been calibrated for assessing the risk of a single scenario.

Consequence categories:
  Low           • Medical treatment   • < $10,000 in damage or loss  • Minor local environmental effects
  Minor         • Disabling injury    • < $100k in damage or loss    • Minor short term environmental damage
  Moderate      • Lost time injury    • < $1M in damage or loss      • Serious short term environmental damage
  Major         • Single fatality     • < $10M in damage or loss     • Serious medium term environmental damage
  Catastrophic  • Multiple fatality   • > $10M in damage or loss     • Serious long term environmental damage

Likelihood categories:
  Almost Certain  Happens on an annual basis.                              > 1 per year
  Likely          Happens a few times in a person’s or plant’s lifetime.   1 in 1 year to 1 in 10 years
  Possible        Happens a couple of times in industry as a whole.        1 in 10 years to 1 in 100 years
  Unlikely        Has happened in industry, has been heard of.             1 in 100 years to 1 in 1000 years
  Rare            Has never happened in industry.                          < 1 in 1000 years

Risk level by consequence (rows) and likelihood (columns):
  Consequence   Almost Certain  Likely    Possible  Unlikely  Rare
  Low           High            Moderate  Low       Low       Low
  Minor         High            High      Moderate  Low       Low
  Moderate      Extreme         High      High      Moderate  Low
  Major         Extreme         Extreme   Extreme   High      Moderate
  Catastrophic  Extreme         Extreme   Extreme   Extreme   High

Risk level actions:
  Low       Manage by routine procedure and monitoring.
  Moderate  Implement additional methods of risk reduction, and Unit Management approval and monitoring required to continue activity.
  High      Implement additional methods of risk reduction, and Plant Management approval and monitoring required to continue activity.
  Extreme   Cease activity and notify Plant Management.

Figure 4: An Example of a Risk Matrix

The risk nomogram is another expression of risk criteria for qualitative and semi-quantitative risk assessment. An example is shown in Figure 5. While the risk nomogram is more common in Occupational Health & Safety risk management, the author has encountered the risk nomogram in process risk management.

Figure 5: An Example of a Risk Nomogram

Quantitative risk criteria is commonly expressed as an Individual Risk Per Annum (IRPA). Industry quantitative risk criteria are shown in Figure 6. It must be noted that IRPA is the probability that a given person is killed in one year. This implies that IRPA is the sum of all of the frequencies of scenarios leading to a fatality that the given person is exposed to. To enable IRPA to be applied to a single scenario in LOPA, it is common practice to reduce the IRPA value by a factor of 10. This assumes that a person cannot be affected by more than 10 scenarios at the same time in any given location.

Some regulators and major companies that have set risk tolerance criteria. Columns: (a) Maximum tolerable risk for workforce from all scenarios; (b) Negligible risk for workforce from all scenarios; (c) Maximum tolerable risk for public from all scenarios; (d) Negligible risk for public from all scenarios.

                                                    (a)          (b)     (c)     (d)
  Health & Safety Executive, UK (existing industry) 10^-3        10^-6   10^-4   10^-6
  VROM, The Netherlands (existing industry)         NA           NA      10^-5   NA
  VROM, The Netherlands (new industry)              NA           NA      10^-6   NA
  Hong Kong Government (new industry)               NA           NA      10^-5   NA
  Santa Barbara County, CA, USA (new industry)      NA           NA      10^-5   10^-7
  Shell (onshore and offshore; approx.)             10^-3        10^-6   Note 1  Note 2
  BP (onshore and offshore)                         10^-3        10^-6   Note 1  Note 2
  ICI (onshore)                                     3.3 × 10^-5  NA      10^-4   NA
  Rohm and Haas Company                             2.5 × 10^-5  NA      10^-5   10^-7

Personal risk to specific employee
Note 1: Not available, but typically industry uses a value that is an order of magnitude lower than workplace risk.
Note 2: Not available, but typically industry uses the same value used for workplace risk, since the value is already in the region where risk calculations become meaningless.

Figure 6: Typical Industry Individual Risk Per Annum (IRPA) Values (adapted from CCPS 2001 Appendix E)

1.3. LOPA Caveats and Limitations

The LOPA process, like all risk assessment processes, has limitations and caveats for use. To ensure that the LOPA results are valid, the following limitations and caveats must be known. The limitations and caveats for use can be grouped into:
• Multiple scenarios for the same safeguards
• Independence
• Density of consequences

1.3.1 Multiple scenarios for the same safeguards

The vast majority of implementations of the LOPA process analyse scenarios on a scenario by scenario basis. This is an efficient approach which is valid for the majority of applications. However, when a number of scenarios share the same safeguard, the limitations of LOPA are encountered. A typical example is when LOPA is applied to a burner. With the exception of over-firing the burner, virtually all scenarios lead to a flammable mixture in the firebox and a subsequent firebox explosion. When a flame scanner is claimed as an IPL in these scenarios, a situation is encountered where two or more SIFs are claimed as IPLs with the flame scanner being one of the IPLs. This leads to a difficult analysis and higher required SILs. While it is possible to carefully construct the scenarios and execute a scenario by scenario LOPA, a far more effective and robust approach is to apply basic Fault Tree and Event Tree analyses. This allows the multiple scenarios to be viewed as one analysis with the interrelationships explicitly shown.

It may be argued that a multiple scenario quantitative LOPA, such as the IEC 61511-3 method outlined in section 1.4.4, does not have these limitations. While this argument is partially correct, it is highlighted that multiple scenario quantitative LOPA has a fixed Fault Tree and Event Tree form. Thus a multiple scenario quantitative LOPA analysis will only overcome the limitations of the single scenario analysis if its assumed Fault Tree and Event Tree form is the same as the Fault Tree and Event Tree form of the multiple scenarios being analysed.

1.3.2 Independence

By definition of the IPL rules (see section 1.2.2), LOPA assumes that the common cause, common mode and dependent failures between safeguards, and between safeguards and the initiating event, have a much lower failure rate than the safeguards themselves. Any safeguard which is not considered independent is discounted from the consequence frequency calculation. In the majority of scenarios this approach yields reasonable results. However, due to practical limitations, common instrumentation is often shared between safeguards, or between safeguards and the cause of the initiating event. In these scenarios some of the safeguards will fail the independence requirements and result in a higher required SIL. A commonly encountered example of this is the flow measurement in the air and fuel streams of a burner. The flow measurements in the air and fuel streams use multiple differential pressure sensors across the same flow element. In this arrangement any failure mode that affects the flow element affects all differential pressure sensors across the flow element. Due to space requirements around flow elements it is generally impractical to install a flow element for each differential pressure sensor. It is possible to reduce the risk reduction claimed for safeguards to account for common cause, common mode and dependent failures, or to revert to Fault Tree analysis. Whichever approach is taken, the process must be documented.
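The burner situation from section 1.3.1 and the independence rule from section 1.3.2, as an added Python example that is not code from the paper: the three initiating events, their frequencies, the flame-scanner PFD and the explosion target are constructed, and the fault-tree OR-gate uses the rare-event approximation (demands are summed). The same high-fuel-flow trip is evaluated twice, once sharing the control loop's flow element and once on its own element, to show how the independence rule changes the SIL the shared scanner must meet.

```python
"""Multiple scenarios on one safeguard (section 1.3.1) and the independence rule
(section 1.3.2), as an added example rather than code from the paper. Burner data
below are constructed: three initiating events all end in the same unwanted event
(a flammable mixture in the firebox) and one flame-scanner SIF is claimed against
each. Scenario-by-scenario LOPA sizes the scanner against each demand alone; the
fault-tree view ORs the demands first (rare-event sum) and sizes it once."""
import math
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Safeguard:
    name: str
    pfd: float
    components: frozenset   # instruments and elements the layer depends on

@dataclass
class Demand:
    """One initiating event (enabling probability already applied) leading to the
    shared unwanted event, with the protection layers specific to that cause."""
    name: str
    freq: float               # per year
    components: frozenset     # hardware involved in the initiating failure
    specific: list = field(default_factory=list)

def sil_for_rrf(rrf: float) -> int:
    """Risk reduction in orders of magnitude: [10^n, 10^(n+1)) -> SIL n.
    0 means no SIF is needed (an RRF below 10 can come from a non-SIS layer)."""
    if rrf <= 1.0:
        return 0
    return math.floor(math.log10(rrf * (1 + 1e-9)))   # boundary rounds up

def credited(demand: Demand) -> list:
    """IPL independence rule (p80 CCPS 2001; §F.9 b) IEC 61511-3): a layer sharing
    a component with the initiating event or an already-claimed layer gets no credit."""
    used, claimed = set(demand.components), []
    for layer in demand.specific:
        if layer.components & used:
            continue          # common cause, e.g. the same flow element
        claimed.append(layer)
        used |= layer.components
    return claimed

def demand_on_shared(demand: Demand, shared: Safeguard) -> float:
    """Frequency reaching the shared layer after the credited specific layers."""
    if shared.components & demand.components:
        raise ValueError(f"{shared.name} is not independent of {demand.name}")
    f = demand.freq
    for layer in credited(demand):
        f *= layer.pfd
    return f

def scenario_by_scenario(demands, shared, target):
    """Per scenario: consequence frequency with the shared layer credited, and the
    SIL that layer alone would need for this scenario to meet the target."""
    out = {}
    for d in demands:
        dem = demand_on_shared(d, shared)
        out[d.name] = (dem * shared.pfd, sil_for_rrf(dem / target))
    return out

def fault_tree(demands, shared, target):
    """OR-gate of every demand on the shared layer, then one sizing against the target."""
    total = sum(demand_on_shared(d, shared) for d in demands)
    return total * shared.pfd, sil_for_rrf(total / target)

# Constructed data (not from the paper).
FLAME_SCANNER = Safeguard("flame scanner SIF", 0.01, frozenset({"scanner"}))
EXPLOSION_TARGET = 1e-3   # tolerable firebox explosion frequency, per year
FUEL_ELEMENT = frozenset({"fuel flow element"})
# Same high-fuel-flow trip, once sharing the control loop's flow element and once
# on a flow element of its own.
FUEL_TRIP_SHARED = Safeguard("high fuel flow trip", 0.01, FUEL_ELEMENT | {"fuel dp 2"})
FUEL_TRIP_OWN = Safeguard("high fuel flow trip", 0.01, frozenset({"fuel flow element 2"}))

def burner_demands(fuel_trip: Safeguard) -> list:
    return [
        Demand("fuel control fails open", 0.05, FUEL_ELEMENT | {"fuel dp 1"}, [fuel_trip]),
        Demand("air damper fails closed", 0.04, frozenset({"air damper"}),
               [Safeguard("low air flow trip", 0.01, frozenset({"air flow element"}))]),
        Demand("flame-out at light-off", 0.06, frozenset({"igniter"})),
    ]
```

Scenario by scenario, no single scenario asks more than SIL 1 of the scanner, but the summed demand asks for SIL 2; giving the fuel trip its own flow element restores its credit and brings the shared requirement back to SIL 1.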
1.3.3 Density of consequences

As discussed in section 1.2.3, in LOPA which analyses a single scenario at a time, the quantitative risk criteria for all risks is commonly reduced by a factor of 10 for application to single scenarios. This inherently assumes that for a given area there are no more than 10 scenarios which affect that area. Where this assumption is not correct, the risk criteria for those scenarios need to be revised to ensure the quantitative risk criteria for all risks is not exceeded in that area.

1.4. Common LOPA Implementations

To illustrate the application of the LOPA fundamentals, they will be applied to several common implementations found in standards and texts:
• Matrix, as shown in Annex E of IEC 61508-5
• Risk Graph, as shown in Annex D of IEC 61508-5
• Quantitative, as shown in Chapter 3 Method 3 of CCPS’s LOPA text (p36 CCPS 2001)
• Quantitative, as shown in Annex F of IEC 61511-3

The matrix and risk graph methods are also shown in IEC 61511-3 and are essentially the same as the examples selected; however, the IEC 61508-5 versions have been shown due to their more succinct nature.

1.4.1 Matrix

The matrix LOPA implementation as shown in Annex E of IEC 61508-5 (reproduced in Figure 7) analyses a single scenario at a time. It also assumes that each IPL reduces the risk by a factor of 10 and that there are no outcome modifiers.

Figure 7: SIL Assignment Matrix (Figure E.1 IEC 61508-5)

The event severity and likelihood define the total amount of risk reduction required to meet the target frequency for the consequence severity. For an event severity of “extensive” and an event likelihood of “medium”, Figure 8 shows the required risk reduction as the distance between the initiating event likelihood and the target frequency for the event severity. For each non-SIS IPL the required SIL for the SIF is reduced by one. The required SIL for the various numbers of IPLs is shown diagrammatically in Figure 8.

[Figure 8: SIL Assignment Matrix Process Shown as a Scenario Sequence. Labels on the frequency axis: Initiating Event Likelihood; Target frequency for Event Severity; 1 IPL: SIL 3 SIF; 2 IPLs: Non SIS IPL 1 and SIL 2 SIF; 3 IPLs: Non SIS IPL 1, Non SIS IPL 2 and SIL 1 SIF.]

The SIL assignment matrix shown in Figure 9 is a common variation which is functionally identical to the SIL assignment matrix shown in Figure 7. In this case the cell numbers refer to the total number of IPLs required. Repeating the previous example, for an event severity of “extensive” and an event likelihood of “medium”, 3 IPLs are required. If there is only one non-SIS IPL then the required SIL is 2 (3 required, less 1 non-SIS IPL).

                    Consequence Severity
  Event Likelihood  Minor  Serious  Extensive
  Low               1      1        2
  Med               1      2        3
  High              2      3        4

Note: Cell numbers refer to number of IPLs

Figure 9: Alternative SIL Assignment Matrix

1.4.2 Risk graph

The risk graph LOPA implementation as shown in Annex F of IEC 61508-5 (reproduced in Figure 10, with the parameters reproduced in Table 1) analyses a single scenario at a time.

Figure 10: Risk Graph (Figure D.1 IEC 61508-5:1998)

Risk parameter: Consequence (C)
  C1  Minor injury
  C2  Serious permanent injury to one or more persons; death to one person
  C3  Death to several people
  C4  Very many people killed
  Comments:
  1. The classification system has been developed to deal with injury and death to people. Other classification schemes would need to be developed for environmental or material damage.
  2. For the interpretation of C1, C2, C3 and C4, the consequences of the accident and normal healing shall be taken into account.

Risk parameter: Frequency of,
 and exposure time in, the hazardous zone (F)
  F1  Rare to more often exposure in the hazardous zone
  F2  Frequent to permanent exposure in the hazardous zone
  Comments:
  3. See comment 1 above.

Risk parameter: Possibility of avoiding the hazardous event (P)
  P1  Possible under certain conditions
  P2  Almost impossible
  Comments:
  4. This parameter takes into account operation of a process (supervised (i.e. operated by skilled or unskilled persons) or unsupervised); rate of development of the hazardous event (for example suddenly, quickly or slowly); ease of recognition of danger (for example seen immediately, detected by technical measures or detected without technical measures); avoidance of hazardous event (for example escape routes possible, not possible or possible under certain conditions); actual safety experience (such experience may exist with an identical EUC or a similar EUC or may not exist).

Risk parameter: Probability of the unwanted occurrence (W)
  W1  A very slight probability that the unwanted occurrences will come to pass and only a few unwanted occurrences are likely
  W2  A slight probability that the unwanted occurrences will come to pass and few unwanted occurrences are likely
  W3  A relatively high probability that the unwanted occurrences will come to pass and frequent unwanted occurrences are likely
  Comments:
  5. The purpose of the W factor is to estimate the frequency of the unwanted occurrence taking place without the addition of any safety-related systems (E/E/PE or other technology) but including any external risk reduction facilities.
  6. If little or no experience exists of the EUC, or the EUC control system, or of a similar EUC and EUC control system, the estimation of the W factor may be made by calculation. In such an event a worst case prediction shall be made.

Table 1: Parameters for Risk Graph in Figure 10 (Table D.1 IEC 61508-5:1998)

The consequence (C) risk parameter defines the target frequency for the consequence. The exposure time (F) (called occupancy in Figure 11) and the possibility of avoiding (P) (called avoidance in Figure 11) are outcome modifiers that define the target unwanted event frequency. The required SIL for the SIF is the difference between the probability of the unwanted occurrence (W) and the target unwanted event frequency. The probability of the unwanted occurrence (W) includes the initiating event frequency, any enabling event, and any non-SIS safeguards.

[Figure 11: Risk Graph Process Shown as a Scenario Sequence. Labels on the frequency axis: Probability of unwanted occurrence (W), covering Cause (or Initiating Event) and Enabling Event or Condition plus Non SIS Safeguards; Required SIL; Target frequency of Unwanted Event; Outcome Modifiers: Occupancy (F), Avoidance (P); Target frequency for Consequence Severity (C).]

A common variation on the implementation of the risk graph process is to redefine the probability of the unwanted occurrence (W) to include only the initiating event frequency and any enabling event. The risk graph cell numbers then refer to the total number of IPLs required. The revised risk graph process is shown in Figure 12.

[Figure 12 labels on the frequency axis: Probability of unwanted occurrence (W), covering Cause (or Initiating Event) and Enabling Event or Condition; Required Number of IPLs; Target frequency of Unwanted Event; Outcome Modifiers: Occupancy (F), Avoidance (P); Target frequency for Consequence Severity (C).]

Figure 12: Common Risk Graph Scenario Sequence Variation

1.4.3 Quantitative (CCPS)

All quantitative LOPA processes are essentially identical. The key differences tend to be the manner in which the analysis is documented and the intermediate frequencies calculated. The CCPS quantitative LOPA process, as shown in Table 2, analyses a single scenario at a time. Figure 13 maps the parameters from Table 2 onto the scenario sequence.

[Table 2 (extract; the source ends partway through the worksheet): Scenario Number 1b; Date; Equipment Number; Scenario Title: Hexane Surge Tank Overflow. Spill contained by the dike. Columns: Description, Probability, Frequency (per year). Rows: Consequence Description/Category: Release of hexane inside the dike due to tank overflow with potential for ignition and fatality; Risk Tolerance Criteria (Category or Frequency): Maximum Tolerable Risk of a Serious Fire, Maximum Tolerable Risk of a Fatal Injury; Initiating Event (typically a frequency): Loop failure of BPCS LIC (PFD from Table 5.1); Enabling Event or Condition.]
