LOPA

October 16, 2017 | Author: Madjid Seiedi | Category: Risk, Prevention, Safety, Systems Engineering, Engineering



Layer of protection analysis (LOPA) for determination of safety integrity level (SIL)

stud. techn. Christopher A. Lassen

The Norwegian University of Science and Technology Department of Production and Quality Engineering June 2008

Preface

This report is the result of the master project executed Spring 2008, and is the final step in graduating as an Engineer with an MSc degree from The Norwegian University of Science and Technology (NTNU). The master project is in collaboration with Aker Subsea AS, which is part of the Subsea Business Area within Aker Solutions. Aker Subsea provides leading oil production systems and equipment located sub-surface, and recent projects are Morvin (North Sea), Kristin (North Sea), Reliance KG-D6 (India) and Dalia (Angola). The work has been performed partly in Trondheim at the facilities of the Department of Production and Quality Engineering (IPK), and at Aker Solutions headquarters outside of Oslo. A very special thanks to my supervisor and professor Marvin Rausand (NTNU) who has been helpful with thorough guidance throughout the master project. Another person that deserves attention is Linn Nordhagen (Aker Engineering and Technology) who has provided helpful information on LOPA from a practical perspective, and given comments to the final product. Gratitude must be expressed toward Aker Subsea and Thor Kjetil Hallan for offering office space, and providing information. Others that should be mentioned are: Katrine Harsem Lund (Scandpower Risk Management AS), Bjørn Solheim (BP) and Hanne Rolén (Aker Subsea). Particular gratitude must be expressed to my father, Petter O. Lassen, for advice and support throughout my entire education.

Christopher A. Lassen Snarøya, 19.06.2008


Contents

List of Tables  IV
List of Figures  V

1 Introduction  1
  1.1 Introduction to LOPA  1
  1.2 Objectives  2
  1.3 Limitations and structure  2
  1.4 Relation to IEC 61508 and 61511  3

2 Methods in determining SIL  6
  2.1 Quantitative method as described in IEC 61508  6
  2.2 Risk matrix  8
  2.3 Safety layer matrix  9
  2.4 The OLF 070 guideline  11
  2.5 Risk graph  11
  2.6 Calibrated risk graph  15

3 LOPA  18
  3.1 What is LOPA?  18
  3.2 Explanation of terms  22
  3.3 The LOPA team  25
  3.4 LOPA worksheet and the LOPA process  25
  3.5 Different approaches in literature  29
  3.6 Aker E&T methodology  30

4 Preferred approach  32
  4.1 Flowchart  32
  4.2 Comments to the preferred LOPA approach  39

5 Interface with HAZOP  41
  5.1 Introduction to HAZOP  41
  5.2 HAZOP integration  41
  5.3 Adjustments and transformation of data  44
  5.4 HAZOP / LOPA program specification  44
  5.5 Illustration of software program  46

6 Case study: Applicability of LOPA  49
  6.1 Case text  49
  6.2 Introduction to system  49
  6.3 LOPA applied on the case study  52
  6.4 Comments to the result  58
  6.5 Implications during the case  59

7 Conclusions and recommendations for further work  60

A Basic concepts  66
B Software schematic  67
C Case study: Worksheet  73

List of Tables

1.1 SIL for safety functions operating in low demand of operation adapted from IEC 61511 (2003)  3
2.1 Risk classification of accidents adapted from IEC 61508  7
2.2 Frequency of hazardous event likelihood adopted from IEC 61511  10
2.3 SIL requirement table adopted from OLF 070  12
2.4 Classification of risk parameters adopted from IEC 61511  13
2.5 Example calibration adapted from IEC 61511  16
3.1 Important columns in the LOPA report / worksheet adapted from IEC 61511 (2003)  26
4.1 Target mitigated event likelihood for safety hazards adapted from Nordhagen (2007)  34
4.2 Typical frequency values assigned to initiating causes adapted from CCPS (2001)  36
4.3 PFDs for IPLs adapted from CCPS (2001) and BP (2006)  37
5.1 Process HAZOP worksheet adopted from Rausand (2005)  42
6.1 Initiating cause frequencies  53
6.2 IPL PFDs  55

List of Figures

1.1 Safety lifecycle (IEC 61508, 2003)  4
2.1 Typical risk matrix modified for SIL determination adapted from (Marszal and Scharpf, 2002)  8
2.2 Safety layer matrix diagram adapted from IEC 61511 (2003)  10
2.3 Typical risk graph  15
3.1 Risk analysis procedures adopted from Rausand and Høyland (2004)  18
3.2 The LOPA onion  20
3.3 Relation between initiating causes, impact event, process deviation and IPLs  24
3.4 Extract of SIL determination methodology from Ellis and Wharton (2006)  30
3.5 Aker E&T methodology adapted from Nordhagen (2007)  31
4.1 Preferred approach  33
5.1 Relationship between HAZOP and LOPA worksheets  43
6.1 SPS and separator schematic  50
6.2 Relation between initiating causes, impact event, process deviation and PLs  56
B.1 Step 1  68
B.2 Step 2  69
B.3 Step 3  70
B.4 Step 4  71
B.5 Step 5  72
C.1 LOPA worksheet: Case study  74

Abbreviations

AIChE: American Institute of Chemical Engineers
Aker E&T: Aker Engineering & Technology
AMV: annulus master valve
BP: British Petroleum
BPCS: basic process control system
CCF: common cause failures
CV: control valve
DHSV: downhole safety valve
ESD: emergency shutdown
EUC: equipment under control
FTA: fault tree analysis
FMECA: failure modes, effects, and criticality analysis
FPSO: floating production, storage and offloading vessel
HAZID: hazard identification study
HAZOP: hazard and operability study
HCM: HIPPS control module
HIPPS: high integrity pressure protection system
HPU: hydraulic pump unit
IEL: intermediate event likelihood
IPL: independent protection layer
LOPA: layer of protection analysis
MEL: mitigated event likelihood
MV: master valve (PMV)
OREDA: Offshore Reliability Data
PCV: production choke valve
PFD: probability of failure on demand
P&ID: piping and instrumentation diagram
PIG: pipeline inspection gauge
PL: protection layer
PSD: process shutdown
PSDV: process shutdown valve
PST: pressure safety transmitter
PSV: pressure safety valve
PT: pressure transmitter
QRA: quantitative risk analysis
ROV: remotely operated vehicle
SCM: subsea control module
SEM: electronic control module
SIF: safety instrumented function
SIL: safety integrity level
SIS: safety instrumented system
SPS: subsea production system
TMEL: target mitigated event likelihood
TT: temperature transmitter
VB: Visual Basic
WV: wing valve (PWV)
XV: cross-over valve (XOV)
XT: X-mas tree (XMT)

Summary

Layer of protection analysis (LOPA) and other safety integrity level (SIL) determination methods have been described, and the terms used in LOPA have been thoroughly defined and clarified. Different views on LOPA found in literature have been presented, and a preferred / recommended LOPA approach has been developed and described. This preferred approach has also been applied on a case study based on systems from Aker Engineering and Technology and Aker Subsea. The interface between LOPA and hazard and operability study (HAZOP) has been discussed, and it has been presented how an integrated software tool could work.

The SIL is a measure of the availability of a protection layer or barrier. Protection layers include basic process control system (BPCS), critical alarms and human intervention, safety instrumented functions (SIF), physical protection and emergency response. All these mitigate the frequency of occurrence of the potential unwanted end-consequence or mitigate the impact the end-consequence represents. LOPA is a tool to determine the SIL of a SIF and evaluates the other protection layers individually by looking at the risk mitigation they lead to. Other tools are the quantitative method described in IEC 61508, the OLF 070 guideline, risk matrix, safety layer matrix, risk graph and the calibrated risk graph. Except for the quantitative method in IEC 61508 and the OLF 070 guideline, these are graphical and qualitative methods which are simpler than LOPA. These SIL determination methods do not differentiate between the individual risk mitigation the protection layers lead to.

A clear understanding of the terms in LOPA is important, and a clear methodology is essential to ensure a strong framework. The following relationship between terms is defined: the initiating causes lead to a process deviation, which again may lead to an impact event that may result in an end-consequence. Protection layers are introduced both before and after the impact event. An example is the initiating cause slippery road, which leads to the impact event car crash. The car crash has an end-consequence of three fatalities. In order to prevent this fatal outcome, a rigid car body, air-bags and traction control may serve as protection layers.

The preferred LOPA approach developed during the master thesis is based on the one in IEC 61511, taking the views from other methodologies in literature into account. The impact event is the starting point of the analysis. The frequency of the initiating events is multiplied with the probability of failure on demand for all credited independent protection layers. In addition, occupancy and ignition probability (if applicable) are multiplied with the result. The final value is denoted the intermediate event likelihood. This is the frequency of occurrence of the end-consequence with the existing protection layers in place. By comparing this with a target frequency measure, the needed SIL is estimated.

HAZOP is a hazard identification method often applied before or simultaneously with a LOPA. By integrating HAZOP and LOPA, a high quality analysis requiring fewer resources may be the result. HAZOP has information in common with LOPA, and some information has to be transformed. A software tool used to combine and integrate the two methods is beneficial. Such a tool is advanced, and must incorporate a complex issue like the implementation of expert judgment, which is important in LOPA.

The definition of terms and the preferred approach have proved to be beneficial when applying LOPA during the case study. An extensive issue during this process has been which protection layers are independent and which are not. This requires understanding of basic reliability concepts, but also a great amount of process and system understanding. The concept of independent protection layers should be evaluated further, and together with facilitating expert judgment during LOPA and in eventual software tools, these are considered the main challenges.
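The calculation the preferred approach describes (initiating-cause frequency multiplied with the PFDs of the credited IPLs and with occupancy and ignition probability, then compared with a target frequency to find the SIL a new SIF must have), carried out in Python as an added example that is not part of the thesis. The impact event, the worksheet values and the TMEL are constructed; the SIL bands follow Table 1.1 in Chapter 1.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# SIL bands for low-demand operation from Table 1.1 (IEC 61511):
# (lower bound inclusive, upper bound exclusive, SIL).
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


def sil_for_pfd(required_pfd: float) -> Optional[int]:
    """Map a required PFD to a SIL.

    0 means no SIF is needed (a PFD of 0.1 or worse already meets the target);
    None means the requirement is stricter than SIL 4, so a single SIF cannot
    deliver it and the risk reduction has to be split over several layers.
    """
    if required_pfd >= 1e-1:
        return 0
    for low, high, sil in SIL_BANDS:
        if low <= required_pfd < high:
            return sil
    return None


@dataclass
class Ipl:
    """An independent protection layer credited in the worksheet."""
    name: str
    pfd: float  # average probability of failure on demand


@dataclass
class InitiatingCause:
    """One worksheet row: an initiating cause and the IPLs between it and the
    end-consequence. Independence of each IPL must be established before it is
    credited; this code does not check that, it only multiplies what it is given."""
    name: str
    frequency: float                       # occurrences per year
    ipls: List[Ipl] = field(default_factory=list)
    occupancy: float = 1.0                 # probability that personnel are exposed
    ignition: float = 1.0                  # probability of ignition, 1.0 if not applicable

    def intermediate_event_likelihood(self) -> float:
        """IEL = f_initiating * PFD_IPL1 * ... * PFD_IPLn * occupancy * ignition."""
        iel = self.frequency * self.occupancy * self.ignition
        for ipl in self.ipls:
            iel *= ipl.pfd
        return iel


def sif_requirement(cause: InitiatingCause, tmel: float) -> Dict[str, object]:
    """Compare the IEL with the target (TMEL). A SIF added to close the gap
    needs PFD_SIF <= TMEL / IEL; that PFD is mapped to a SIL."""
    iel = cause.intermediate_event_likelihood()
    pfd_needed = tmel / iel
    return {"cause": cause.name, "iel": iel,
            "sif_pfd": pfd_needed, "sil": sil_for_pfd(pfd_needed)}


def lopa_worksheet(causes: List[InitiatingCause], tmel: float) -> List[Dict[str, object]]:
    """Evaluate every initiating cause of one impact event against the same TMEL."""
    return [sif_requirement(cause, tmel) for cause in causes]


# Constructed worksheet for an impact event "separator overpressure". The
# frequencies, PFDs, occupancy, ignition probability and TMEL are illustrative
# placeholders, not the thesis's case-study numbers.
TMEL_PER_YEAR = 1e-5
CAUSES = [
    InitiatingCause("Blocked outlet, level control fails", 0.1,
                    [Ipl("BPCS alarm and operator response", 0.1), Ipl("PSV", 0.01)],
                    occupancy=0.5, ignition=0.1),
    InitiatingCause("Inlet choke fails open", 1.0,
                    [Ipl("PSV", 0.01)],
                    occupancy=0.5, ignition=0.1),
]

if __name__ == "__main__":
    for row in lopa_worksheet(CAUSES, TMEL_PER_YEAR):
        print(row)
```

The first cause already meets the TMEL with its existing IPLs (no SIF needed), while the second needs a SIF with PFD of at most 0.02, i.e. SIL 1.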


Chapter 1

Introduction

1.1 Introduction to LOPA

Offshore accidents may result in casualties and economic loss. Determining specific safety requirements of safety systems is an important part in ensuring that accidents are prevented. In the 1990s the standards IEC 61508 and IEC 61511 emerged, and the need for documenting compliance with these in a consistent manner led to the introduction of the layer of protection analysis (LOPA). In chemical processes several protection layers are used, and in LOPA the number and the strength of these protection layers are analyzed. LOPA can be considered as a simplified form of a quantitative risk assessment. It can be used after a hazard and operability analysis (HAZOP), and before a quantitative risk analysis (QRA). A difference between LOPA and other tools is that LOPA analyzes the different protection layers individually, and the mitigation they lead to. LOPA is especially used to determine the safety integrity level (SIL) of safety instrumented functions in conjunction with IEC 61511, but also as a general risk assessment tool to evaluate if the protection layers in a system are satisfactory. In addition, several other applications such as capital improvement planning, incident investigation and management of change can be found. The method is not used to a large extent in Norway, but is widely implemented internationally. In the gas / oil industry LOPA is more frequently applied on topside equipment than on subsea equipment.

The concept of protection layers was first covered in the book Guidelines for Safe Automation of Chemical Processes published by the Center of Chemical Process Safety (CCPS), a section of the American Institute of Chemical Engineers (AIChE), in 1993. These thoughts were developed further by the industry, resulting in internal procedures (Dowell, 1998). In 2001 the CCPS published the book Layer of Protection Analysis, Simplified Risk Assessment describing the LOPA method (Gowland, 2006). The method is also described in Part III Annex F of IEC 61511. Extensive literature can be found on LOPA, and stepwise approaches are given both in IEC 61511 and CCPS (2001). The terms vary among different authors, and definitions and interpretations of terms like scenario and independent protection layer (IPL) may be confusing.

1.2 Objectives

The objective of the master project is to gain extensive knowledge of various methods to allocate requirements to safety instrumented systems, with focus on layer of protection analysis (LOPA). As a part of this the following aspects shall be covered:

• Carry out a literature survey and compare and discuss the different approaches to LOPA found in the literature.
• Give a thorough presentation of a recommended LOPA approach. The approach shall be stepwise with a clear description of each step.
• Define and clarify all basic concepts of the recommended LOPA approach.
• Identify and describe interfaces between LOPA and other risk analysis methods (especially HAZOP).
• Discuss pros and cons related to LOPA, and especially the limitations of LOPA.
• Define, exemplify, and discuss the independent protection layer (IPL) concept and discuss the applicability of LOPA in cases where the independence is violated.
• Compare the applicability of LOPA in determining SIL, and compare LOPA with alternative approaches (incl. risk graphs). If possible, this evaluation should be rooted in a practical case study.

1.3 Limitations and structure

A Bayesian approach is used in this thesis, which is concerned with the "degree of belief" rather than the classical approach. The master project is executed in a limited time frame, constraining the coverage of the topic. The reader should have a basic understanding of reliability concepts. In addition, knowledge of IEC 61508 and IEC 61511 is an advantage.

An introduction to LOPA and the project is given in Chapter 1. In addition, the relation to IEC 61508 and 61511 is described to give the reader complementary background information. In Chapter 2 different methods for determining SIL are presented, including the quantitative method in IEC 61508, the risk matrix, the safety layer matrix, the OLF 070 guideline, the risk graph and the calibrated risk graph. Chapter 3 describes LOPA, where important terms are defined and clarified. Further, different approaches to LOPA are compared and discussed. A preferred approach is developed and presented in Chapter 4, including a description of each step and the basic concepts that are employed. The interface between HAZOP and LOPA is covered in Chapter 5. In addition, the functionality of a software tool integrating LOPA and HAZOP is described. In Chapter 6 the applicability of the preferred LOPA approach suggested in Chapter 4 is evaluated in a case study. Finally, conclusions and recommendations for further work are given in Chapter 7.

1.4 Relation to IEC 61508 and 61511

Requirements to safety instrumented systems (SIS) are given in IEC 61508 and IEC 61511. Rausand and Høyland (2004) describe a SIS as a system comprising sensors, logic solver(s), and actuating (final) items, which can be looked upon as an independent protection shell for machinery or equipment. What the safety systems shall protect is referred to as equipment under control (EUC) and is defined as "Equipment, machinery, apparatus, or plant used for manufacturing, process, transport, medical, or other activities" (IEC 61508, 2003). A SIS implements the wanted safety function needed to maintain a safe state of the equipment and has the function of achieving the essential risk reduction given by the requirements (IEC 61508, 2003). Following the SIS definition, a safety instrumented function (SIF) can be defined as a function implemented by one or more SIS. However, usually a SIS realizes a number of SIFs (IEC 61508, 2003; Schönbeck, 2007).

Safety integrity is the probability of the safety related system performing the required safety functions under all conditions, within a period of time. Safety integrity level (SIL) is classified into four levels, and is defined by the probability of failure on demand (PFD). The PFD is the average safety unavailability of an item, thus the mean proportion of time the item does not function as a safety barrier. A protection layer is considered a safety barrier.

Table 1.1: SIL for safety functions operating in low demand of operation adapted from IEC 61511 (2003)

Safety integrity level (SIL) | Average probability of failure to perform its design function on demand
4 | ≥ 10^-5 to < 10^-4
3 | ≥ 10^-4 to < 10^-3
2 | ≥ 10^-3 to < 10^-2
1 | ≥ 10^-2 to < 10^-1

When evaluating the SIL requirements the system has to be classified either as high demand of operation or low demand of operation. For subsea production equipment low demand would be the most applicable, because the systems are not used frequently. The SIL requirement is then verified by calculating the PFD (Rausand and Høyland, 2004; Schönbeck, 2007). In Table 1.1 the PFD related to the four SILs for low demand of operation is presented. The standards do not prescribe how the SIL of the SIFs should be determined, only that it has to be determined.

Figure 1.1 shows the safety lifecycle used as the basic framework in IEC 61508 and IEC 61511.

Figure 1.1: Safety lifecycle (IEC 61508, 2003)

This framework makes it possible to deal with requirements and activities in a structured manner. After the two initial phases, "concept" and "overall scope definition", the risk associated with the EUC is analyzed in the "Hazard and risk analysis" phase. Techniques such as checklists, failure modes and effects analysis (FMEA) and HAZOP may be used. The next step, which has a red box in Figure 1.1, is to specify the overall safety requirements in terms of safety functions and safety integrity which are needed to achieve the necessary risk reduction. It is during this activity the SIL is determined, and this activity / phase is of greatest importance. LOPA may be applied during this phase, but other methods like risk graph and safety layer matrix are also applicable. In the next phase, "safety requirements allocation", the safety functions are allocated to one or more SIS. Although phase four is the most interesting in this case, phases three and five will come into play, as they give the input to and receive the output from phase four. All of these activities are carried out in the design phase prior to final design and manufacturing (Rausand and Høyland, 2004; IEC 61508, 2003; Schönbeck, 2007).


Chapter 2

Methods in determining SIL

As mentioned in the previous section, various SIL determination methods and tools exist. These may be applied during phase four in Figure 1.1, and in this chapter the most common are presented briefly. Organizations have developed these tools to help engineers estimate the process risk and convert it to a required SIL (Marszal and Scharpf, 2002). Both qualitative and quantitative approaches may be applied. In qualitative methods the parameters used as decision basis are subjective and estimated by expert judgment. Quantitative methods describe the risk by calculations, and a numerical target value is compared with the result. Which method to apply relies primarily on whether the necessary risk reduction is specified in a numerical or a qualitative manner. The scope and extent of the analysis would also be an influencing factor. Even if the assignment method is qualitative, the SIL is always quantified by a number (IEC 61508, 2003; Marszal and Scharpf, 2002). The methods described in this chapter include the quantitative method in IEC 61511, the risk matrix, the safety layer matrix, the OLF 070 guideline, the risk graph and the calibrated risk graph.

2.1 Quantitative method as described in IEC 61508

The approach starts off with establishing the tolerable risk target, which must be in accordance with the company risk acceptance criteria. This is the acceptable number of times the SIF is allowed to fail, i.e. the tolerable number of times per year the specific unwanted consequence may occur. This can be determined from a table where categories of consequences are assigned acceptable frequencies. Such a classification is shown in Table 2.1. Assigning numerical values in terms of frequencies, defining which classes are tolerable and plotting the consequence specific to the situation makes it possible to determine the tolerable risk target. If class III in Table 2.1 is tolerable, a catastrophic consequence has a tolerable risk target of improbable, which has an assigned numerical frequency per year (IEC 61508, 2003).


Table 2.1: Risk classification of accidents adapted from IEC 61508

Frequency | Catastrophic | Critical | Marginal | Negligible
Frequent | I | I | I | II
Probable | I | I | II | III
Occasional | I | II | III | III
Remote | II | III | III | IV
Improbable | III | III | IV | IV
Incredible | IV | IV | IV | IV

The next step is to determine the EUC risk. Risk is a measure of probability and consequence. The EUC risk consists of the unwanted consequence and the demand rate on the system without protective features, i.e. the number of times per year the unwanted consequence occurs without the SIF. This can be estimated using quantitative risk assessment methods, e.g. fault tree analysis (FTA) or reliability block diagrams (RBD) (IEC 61508, 2003). The final step is to calculate the necessary risk reduction to meet the tolerable risk. This is obtained by dividing the acceptable number of times per year the SIF may fail by the number of demands per year. The result is "the acceptable number of times the SIF may fail per demand per year", thus the needed probability of failure per demand, which is the PFD. The SIL requirement could be allocated further down to subsystems, e.g. by expert judgment (IEC 61508, 2003).

A separator located topside on a platform or floating production, storage and offloading vessel (FPSO), with a riser down to a subsea production system (SPS) consisting of X-mas tree (XT) and reservoir, could be used as an example. The EUC is in this case defined as the separator. The acceptable frequency of overpressure of the separator could be 10^-6 / year, which could answer to category class III with critical consequence. Note that this is the acceptable frequency of a given unwanted consequence, which in this case is overpressure. The consequence could in some cases also be directly related to human harm. From the reservoir the demand rate on the system, without any protection systems, can be found. If this is estimated to be 25 demands / year, the approach gives:

PFD ≤ (acceptable no. of times the SIF may fail / year) / (no. of demands / year) = 10^-6 / 25 = 4 · 10^-8

This result is the acceptable frequency per demand, hence the probability of failure on demand. The protection system may consist of several sub-systems performing several SIFs, and the PFD may be allocated further down. In this case high integrity pipeline protection system (HIPPS), production shutdown (PSD), emergency shutdown (ESD) etc. are such systems or functions.
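The three steps of the quantitative method (tolerable risk target from the risk classes, demand rate, required PFD and SIL band) as an added Python example, not code from the thesis. The numerical frequencies attached to the Table 2.1 categories are constructed, since the thesis says the company assigns them but does not list values; the separator figures (10^-6 per year tolerable, 25 demands per year) are the ones the text uses, and the SIL bands are those of Table 1.1.

```python
from typing import Dict, Optional

# Table 2.1 (IEC 61508): risk class for each frequency / consequence pair.
RISK_CLASS: Dict[str, Dict[str, str]] = {
    "Frequent":   {"Catastrophic": "I",   "Critical": "I",   "Marginal": "I",   "Negligible": "II"},
    "Probable":   {"Catastrophic": "I",   "Critical": "I",   "Marginal": "II",  "Negligible": "III"},
    "Occasional": {"Catastrophic": "I",   "Critical": "II",  "Marginal": "III", "Negligible": "III"},
    "Remote":     {"Catastrophic": "II",  "Critical": "III", "Marginal": "III", "Negligible": "IV"},
    "Improbable": {"Catastrophic": "III", "Critical": "III", "Marginal": "IV",  "Negligible": "IV"},
    "Incredible": {"Catastrophic": "IV",  "Critical": "IV",  "Marginal": "IV",  "Negligible": "IV"},
}
# Frequency categories from most to least frequent; class IV is the lowest risk.
FREQUENCY_CATEGORIES = ["Frequent", "Probable", "Occasional", "Remote", "Improbable", "Incredible"]
CLASS_RANK = {"I": 1, "II": 2, "III": 3, "IV": 4}

# Numerical frequencies (per year) attached to the categories. Constructed for
# this example: the thesis says the company assigns them but lists no values.
FREQUENCY_PER_YEAR = {"Frequent": 1.0, "Probable": 1e-1, "Occasional": 1e-2,
                      "Remote": 1e-4, "Improbable": 1e-6, "Incredible": 1e-8}

# SIL bands for low-demand operation from Table 1.1: (lower incl., upper excl., SIL).
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


def risk_class(frequency_cat: str, consequence_cat: str) -> str:
    """Look up the Table 2.1 class; an unknown category raises KeyError."""
    return RISK_CLASS[frequency_cat][consequence_cat]


def tolerable_risk_target(consequence_cat: str, lowest_tolerable_class: str,
                          freq_values: Dict[str, float] = FREQUENCY_PER_YEAR) -> float:
    """Tolerable frequency per year for a consequence: the value of the most
    frequent category whose class is the tolerable class or a lower-risk one."""
    needed = CLASS_RANK[lowest_tolerable_class]
    for cat in FREQUENCY_CATEGORIES:
        if CLASS_RANK[risk_class(cat, consequence_cat)] >= needed:
            return freq_values[cat]
    raise ValueError(f"no frequency category is tolerable for {consequence_cat}")


def required_pfd(tolerable_per_year: float, demands_per_year: float) -> float:
    """PFD = (acceptable SIF failures per year) / (demands per year)."""
    if demands_per_year <= 0:
        raise ValueError("demand rate must be positive")
    return tolerable_per_year / demands_per_year


def sil_for_pfd(pfd: float) -> Optional[int]:
    """0 = no SIF needed (PFD >= 0.1); None = stricter than SIL 4, so the
    requirement must be allocated over several subsystems (HIPPS, PSD, ESD, ...)."""
    if pfd >= 1e-1:
        return 0
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def determine_sil(consequence_cat: str, lowest_tolerable_class: str,
                  demands_per_year: float) -> Dict[str, object]:
    """The three steps of Section 2.1 chained together."""
    target = tolerable_risk_target(consequence_cat, lowest_tolerable_class)
    pfd = required_pfd(target, demands_per_year)
    return {"tolerable_per_year": target, "required_pfd": pfd, "sil": sil_for_pfd(pfd)}


if __name__ == "__main__":
    # The separator example from the text: 10^-6 / year tolerable, 25 demands / year.
    pfd = required_pfd(1e-6, 25)
    print(f"required PFD = {pfd:.1e}, SIL = {sil_for_pfd(pfd)}")
    print(determine_sil("Critical", "III", 0.25))
```

For the separator figures the required PFD of 4 · 10^-8 lies below the SIL 4 band, which is exactly the case where the text allocates the requirement further down to HIPPS, PSD and ESD.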


2.2 Risk matrix

The risk matrix, often denoted hazard matrix, is one of the most popular SIL determination methods due to its simplicity. The risk matrix takes frequency and consequence into account qualitatively, based on a categorization of the risk parameters. Figure 2.1 shows a typical risk matrix diagram modified for SIL determination. The consequence and frequency (likelihood) make one axis each, enabling the user to plot the situation under consideration in the diagram. If each box in the diagram has an attached SIL level, the determination process is simple. The consequence categories may be expressed in terms of economic, human or environmental loss. The categories divide the consequences into minor, serious or extensive according to the level of severity. The likelihood categories are divided into low, moderate or high. The categories can be selected qualitatively, using expert judgment, but quantitative tools can in some cases be utilized to make it easier to determine which category to use. Then the categories may be attached to economic figures, number of fatalities, frequency categories, etc. In Figure 2.1, different SILs are applied. Minor consequence - low likelihood leads to no SIL required. This means that the risk is considered tolerable. Minor consequence - moderate likelihood leads to a low SIL, while extensive consequence - high likelihood leads to a high SIL. If a SIL 3 is required, further analysis should be done, as one SIF may not provide sufficient risk reduction (Marszal and Scharpf, 2002).

Figure 2.1: Typical risk matrix modified for SIL determination adapted from (Marszal and Scharpf, 2002)

If the consequence is one that could cause any serious injury or fatality on site or off site, it could be categorized as serious. If the frequency of this outcome is expected to be > 10^-2, the assigned category is high. This consequence - likelihood pair would in Figure 2.1 give a SIL 3, but with further analysis required (Marszal and Scharpf, 2002). It is important to emphasize that the categorization and determination may lead to an unrealistic result. Other tools and methods may be used in conjunction with this method to improve the quality of the categories and the accuracy of the plotting (Marszal and Scharpf, 2002; IEC 61511, 2003).

2.3 Safety layer matrix

The safety layer matrix is a risk matrix which, in addition to frequency and consequence, takes the number of protection layers (PL) into account. The resemblance between Figure 2.1, showing a typical risk matrix, and Figure 2.2, which shows a typical safety layer matrix, is as expected strong. A PL is according to IEC 61511 a grouping of equipment and / or administrative controls which, functioning together with other protection layers, mitigate the process risk. A PL must lead to a risk reduction factor of at least 10, and fulfill the following criteria (IEC 61511, 2003):

• Specificity (one PL is designed to prevent or mitigate the consequences of one potential hazardous event; multiple causes may initiate action by the PL)
• Independence (the PL must be independent of other protection layers, with no common cause failures (CCF))
• Dependability (the PL must act as intended in design)
• Auditability (the PL must be designed to facilitate validation of its function)

A SIS is considered a safety instrumented PL (IEC 61511, 2003). Compared to the term safety barrier as presented in Sklet (2006), a PL is a safety barrier with additional requirements. The classification of the consequence severity is almost identical to that for the risk matrix, with severity categories minor, serious and extensive. Table 2.2 shows how to estimate the likelihood of the hazardous event which leads to the unwanted consequence or impact. The categorization of likelihood in the risk matrix approach focuses on frequency specifically, while the safety layer matrix categorization in IEC 61511 is based on the type of events. Plant specific data should be employed, if available, to establish the likelihood. The event classification in IEC 61511 makes it easy to distinguish between the frequency categories, as the frequencies are related to specific events. Note that the categorization of likelihood and consequence is done without considering the PLs (IEC 61511, 2003).


Table 2.2: Frequency of hazardous event likelihood adopted from IEC 61511

Type of events | Likelihood (qualitative ranking)
Events such as multiple failures of diverse instruments or valves, multiple human errors in a stress free environment, or spontaneous failures of process vessels | Low
Events such as dual instrument or valve failures, or major releases in loading / unloading areas | Medium
Events such as process leaks, single instrument or valve failures, or human errors that result in small releases of hazardous materials | High

* The system should be in accordance with this standard when a claim that a control function fails less frequently than 10^-1 per year is made.

Figure 2.2: Safety layer matrix diagram adapted from IEC 61511 (2003)


Figure 2.2 shows a typical safety layer matrix. The risk criteria are embedded into the diagram, and the methodology and categorization are similar to the risk matrix. The specific hazardous event likelihood and hazardous event severity classification is plotted. This results in one of the 9 columns in the figure. In order to determine the final box in the figure that contains the necessary SIL, the number of PLs must be identified (IEC 61511, 2003). An example could be a process leak resulting in catastrophic consequence to personnel (several casualties). The hazardous event severity is categorized as serious. In Table 2.2 the occurrence of a process leak is classified with high likelihood. Two mechanical pressure relief devices were identified satisfying the PL criteria. In Figure 2.2 an event with serious consequence - high likelihood rating with two PLs would require a SIL 2. If the number of PLs had been one, a SIL 3 and additional analysis would be required.

2.4 The OLF 070 guideline

OLF 070 was developed by operators and suppliers of services and equipment to facilitate the implementation of IEC 61508 and IEC 61511 in the Norwegian petroleum industry. The guideline presents conservative minimum SIL requirements. A conservative requirement is a strict requirement which takes uncertainty into consideration. It can be compared to oversizing a beam in order to ensure the rigidity of the construction. The requirements in OLF 070 are given in a set of tables in chapter seven of the guideline. Background information, such as the definition of each function including schematics and assumptions, for the various SIL requirements is documented in appendix A of OLF 070. If the tables are not applicable, then a risk based methodology should be used. The guideline makes it possible to skip many of the steps in the determination process, leading to reduced engineering costs. But the approach is not fully risk based, and the results are not as appropriate as quantitative calculations (OLF 070, 2004). Table 2.3 shows the table with the SIL requirement for a subsea ESD function.

Table 2.3: SIL requirement table adopted from OLF 070

Safety function: Subsea ESD
SIL: 3
Functional boundaries for given SIL requirement / comments: Shut-in of one subsea well. Isolate one subsea well. The SIL requirement applies to a conventional system with flowline, riser and riser ESD valve rated for shut-in conditions. Isolation of one well by activating or closing:
- ESD node
- Topside HPU and / or EPU
- WV and CIV including actuators and solenoids
- MV
- DHSV including actuators and solenoids
NOTE: If injection pressure through utility line may exceed design capacity of manifold or flow line, protection against such scenarios must be evaluated specifically.
NOTE: If a PSD system is specified for a conventional system for safety reasons, the PSD functions shall be minimum SIL 1.
Ref.: A.13

2.5 Risk graph

The risk graph is based on methods described in the German publication DIN 19250, published in 1994, and is a popular approach for determining SIL (Baybutt, 2007). Risk graphs are qualitative and category based. The method considers the consequence and frequency of the hazardous event, but also occupancy and the probability of personnel avoiding the hazard (Marszal and Scharpf, 2002; Baybutt, 2007). Table 2.4 shows the classification of the risk parameters suggested in IEC 61511.

Table 2.4: Classification of risk parameters adopted from IEC 61511

Risk parameter | Category | Classification
Consequence (C) | CA | Light injury to persons
 | CB | Serious injury to one or more persons. Death of one person
 | CC | Death of several persons
 | CD | Catastrophic effect, very many people killed
Frequency of presence in the hazardous zone (F) (occupancy) | FA | Rare to more frequent exposure in the hazardous zone
 | FB | Frequent to permanent exposure in the hazardous zone
Possibility of avoiding the consequences of the hazardous event (P) | PA | Possible under certain conditions
 | PB | Almost impossible
Frequency of the unwanted consequence (W) | W1 | A very slight probability that the unwanted occurrences occur and only a few occurrences are likely
 | W2 | A slight probability that the unwanted occurrences occur and few occurrences are likely
 | W3 | A relatively high probability that the unwanted occurrences occur and frequent occurrences are likely

The consequence parameter (C) describes the likely outcome of the hazardous event, and four categories of consequences are suggested. CA is less severe than CD, ranging from light injury to many fatalities. In this case consequences are measured in the extent of injury to people, but environmental or financial target measures can also be utilized (IEC 61511, 2003; Marszal and Scharpf, 2002). The occupancy parameter (F) indicates the fraction of time the hazardous area is occupied by personnel. FB indicates higher risk than FA, as the area is more frequently exposed. Usually, FA is selected if the hazardous area is occupied less than approximately 10% of the time (IEC 61511, 2003). The possibility of personnel avoiding the hazard is incorporated in the parameter P. This parameter reflects what methods the personnel have to identify and escape the hazard. In addition, skill and supervision in process operation, and the rate of development of the hazardous event, are taken into account. Two categories, PA and PB, are suggested, and PB indicates the highest risk. A checklist of statements that must be true in order to select PA can be utilized in the evaluation. Such statements are suggested in IEC 61511. The final parameter is the demand rate parameter (W), which is the frequency per year of the unwanted consequence without the SIF in question but with other safeguards operating. Also for this parameter, higher indices indicate higher risk, as they take less credit for risk reduction by other safeguards. W1 indicates that only a few occurrences are likely, and a demand rate less than 0.03 per year could fit such a description. W2 and W3 indicate that few occurrences or frequent occurrences are likely, and suitable demand rates per year could be 0.03 - 0.3 and more than 3, respectively. The choice of this parameter will affect the result, and care should be taken when selecting the category (Baybutt, 2007; IEC 61511, 2003). Figure 2.3 shows a typical risk graph diagram. The path from left to right is decided by the selected risk parameters. The selected consequence, occupancy and possibility of avoidance categories result in an output row X. Each output row corresponds to three values of W. The selection of the demand rate W is the last step in determining the SIL. A higher W parameter leads to a higher SIL. The tolerable level of risk is embedded in the boxes in the three columns at the right hand side, and the choice of these must support the company risk criteria (Marszal and Scharpf, 2002; IEC 61511, 2003). If the separator example, as explained in section 2.1, is employed, the reasoning will be as follows: If the likely consequence is evaluated to be serious injury to one or more persons, CB is selected. Then, FA is chosen because personnel exposure in the area ranges from rare to more frequent. It is possible under certain conditions to avoid the consequences, which indicates that parameter PA should be used. The combination of these risk parameters results in output row X2. There is a relatively high probability that the unwanted occurrence takes place, and the demand rate category is set to W3. In Figure 2.3 this results in a SIL 1 requirement.


Figure 2.3: Typical risk graph

2.6 Calibrated risk graph

The calibrated risk graph method is a semi-qualitative method, similar to the qualitative risk graph. The same risk parameters are used as for the conventional risk graph approach, and Figure 2.3 is also applicable. Calibration means that numerical values are assigned to the risk graph, and these are assigned to the risk parameters. This allows a more precise determination of the SIL, and makes the decisions more objective. The calibration depends on individual and societal risk, and these issues, in addition to company criteria and authority regulations, should be considered before assigning the parameter values. Calibration does not need to be carried out every time a SIL needs to be determined; the organization only needs to do it once for similar hazards (IEC 61511, 2003). The consequence can be quantified by the number of fatalities. But in many instances a failure does not cause immediate fatality, which leads to the introduction of the vulnerability concept. Vulnerability (V) is a function of the concentration of the hazard and the duration of the exposure. In Table 2.5 a vulnerability range is given. By multiplying this measure with the number of people present when the area exposed to the hazard is occupied, the number of fatalities is estimated. In the table a range is assigned to each consequence category, making the categorization possible. Note that vulnerability (V) and possibility of avoiding the hazard (P) are two different factors: V concerns the escalation, while P concerns the prevention of the hazard by the operator (IEC 61511, 2003).


Table 2.5: Example calibration adapted from IEC 61511

Risk parameter | Category | Classification | Comments
Consequence (C) | CA | Minor injury | Number of fatalities can be calculated as: "No. of people present when the area exposed to the hazard is occupied" · "vulnerability to the identified hazard". V = 0.01 (small release of flammable or toxic material); V = 0.1 (large release of flammable or toxic material); V = 0.5 (as above, but also a high probability of catching fire, or highly toxic material); V = 1 (rupture or explosion)
 | CB | 0.01 < No. of fatalities < 0.1 |
 | CC | 0.1 < No. of fatalities < 1.0 |
 | CD | No. of fatalities > 1.0 |
Occupancy (F) | FA | Occupancy < 0.1 | Percentage of time the exposed area is occupied during a normal working period
 | FB | (no range given in the source table) |
Possibility of avoidance (P) | PA | Hazard can be prevented by the operator taking action after he realizes the SIS has failed to operate. Refer to certain conditions (given in IEC 61511-3) |
 | PB | Adopted if the conditions do not apply |
Demand rate (W) | W1 | Demand rate < 0.1D per year | D is the calibration factor
 | W2 | 0.1D < Demand rate < 10D |
 | W3 | For Demand rate > 10D, higher safety integrity shall be needed |


According to Marszal and Scharpf (2002) potential loss of life (PLL) ranges could also be used as a measure of the consequence. PLL is the expected number of fatalities within a population during a specified period of time (NORSOK Z-013, 2001). Note that care should be taken if PLL is chosen as a measure, because it incorporates both probability and consequence. When assigning the other risk parameters it is important to make sure that the consequence parameter is considered independent (Marszal and Scharpf, 2002). The parameter F is often measured by the percentage of time the area that is exposed to the hazard is occupied. FA should be used if the parameter value is less than 0.1 (IEC 61511, 2003; Marszal and Scharpf, 2002). The avoidance factor PA is selected if all conditions stated in IEC 61511-3 are satisfied; PB is selected if not (IEC 61511, 2003). The demand rate (W) is the number of times per year that the hazardous event would occur in the absence of the SIF under consideration. In Table 2.5 ranges are assigned to the different categories. D is a calibration factor that should make the risk graph result in a level of residual risk that is tolerable. It is important that issues are not accounted for several times, which would make the result erroneous. Documentation of the calibration process with references is necessary, and should be done with care (Marszal and Scharpf, 2002; IEC 61511, 2003). When the calibration process is finished and the parameters decided, the risk graph is used to determine the SIL. The demand rate, occupancy and possibility of avoiding the consequence of the hazardous event together represent the frequency of the unwanted consequence. In combination with the unwanted consequence, the frequency constitutes the risk without the SIF in place. The input in each box in the risk graph must be in accordance with the tolerable risk (IEC 61511, 2003; Marszal and Scharpf, 2002).

The separator example as referred to in the previous section could again serve as an illustration. In this case the vulnerability measure is estimated to be equal to 0.5: overpressure is severe and results in a large release of flammable material with a high probability of catching fire. If the number of people present when the area is occupied is 2, the resulting number of fatalities is 1, and class CC is selected as the consequence severity. One operator does maintenance work or supervision approximately 45 minutes per day, so the exposed area is occupied less than 10% of the time, giving the occupancy class FA. The conditions regarding the possibility of avoidance are satisfied and PA is selected. The calibration factor D is set to 4. The demand rate is estimated to 20 demands per year. This is less than 40 and greater than 0.4, which corresponds to W2. The SIL is determined as for the qualitative risk graph, and results in a SIL 2 requirement.


Chapter 3

LOPA

3.1 What is LOPA?

LOPA was introduced in the 1990s, and has recently gained international popularity. LOPA is referred to in literature as both a simplified risk assessment technique and a risk analysis tool. Capital improvement planning, incident investigation, and management of change can be found as additional applications. LOPA is a flexible tool which can be used in different contexts and applications, making it confusing to understand what it really is. The application under consideration is LOPA as a SIL determination tool.

Figure 3.1: Risk analysis procedures adopted from Rausand and Høyland (2004)


According to Marszal and Scharpf (2002) LOPA can be viewed as a special type of event tree analysis (ETA), which has the purpose of determining the frequency of an unwanted consequence that can be prevented by a set of protection layers. The approach evaluates a worst-case scenario, where all the protection layers must fail in order for the consequence to occur. The frequency of the unwanted consequence is calculated by multiplying the PFDs of the protection layers with the demand on the protection system (represented as a frequency). Comparing the resulting frequency of the unwanted consequence with a tolerable risk frequency identifies the necessary risk reduction, and an appropriate SIL can be selected (Marszal and Scharpf, 2002; CCPS, 2001). LOPA is a semi-quantitative method using numerical categories to estimate the parameters needed to calculate the necessary risk reduction which corresponds to the acceptance criteria (CCPS, 2001). In a quantitative risk assessment (QRA) mathematical models and simulations are often used to estimate the extent or escalation of damage, e.g. toxic diffusion, explosion expansion or fire escalation. In addition, FTA or other methods are used to calculate the frequency of the accidental event (Rausand and Høyland, 2004). In LOPA, simplifications, expert judgment and tables are used to estimate the needed numbers (CCPS, 2001). LOPA usually receives output from a HAZOP or a hazard identification study (HAZID), and often serves as input to a more thorough analysis such as a QRA. Figure 3.1 is often referred to as the bow-tie and is a common figure to describe risk analysis. It shows the accidental event, which is linked to the causes and the consequences, and the methods which may be applied in the different phases. An ETA focuses on the consequence spectrum, not on the causal analysis, implying that LOPA is placed in column (c) to the right in the figure.

On the other hand, LOPA is not as in-depth as would be expected from a consequence analysis, and does have a close interaction with HAZOP, suggesting that it should be positioned more to the middle (column b). The final "position" is somewhere in between. Often, an "onion" like the one in Figure 3.2 is used as an illustration of the protection layers in LOPA. The system or process design has protection layers including the basic process control system (BPCS), critical alarms and human intervention, SIFs, physical protection and emergency response. BPCS is the control system used during normal operation, sometimes denoted the process control system (PCS). Input signals from the process and / or from the operator are processed into outputs which make the process operate in the desired manner. If the control system discovers that the process is out of control (e.g. high pressure) it may initiate actions to stabilize the temperature (e.g. choking the flow) (CCPS, 2001; IEC 61511, 2003). Alarms monitoring certain parameters (e.g. pressure and temperature) are considered another protection layer. When the alarm is tripped, the operator may intervene to stop the hazardous development. Note that the alarm system has to be wired to another loop than the BPCS in order to be independent (CCPS, 2001; IEC 61511, 2003).

Figure 3.2: The LOPA onion


Rausand (2004) describes a SIS as a system comprising sensors, logic solver(s), and actuating (final) items, which can be looked upon as an independent protection shell for machinery or equipment. A SIS implements the wanted safety function, the SIF. In LOPA, SIFs are considered protection layers. Physical protection includes equipment like pressure relief devices. In a separator this may be a rupture disc which blows off pressure if the pressure is too high. Post-release protection is physical protection such as dikes, blast walls etc. These have their function after the release or explosion has occurred. Both of these types of physical protection are considered protection layers in LOPA (CCPS, 2001; The Dow chemical company, 2002; ACM Facility Safety, 2006). If an accident occurs, procedures, evacuation plans, equipment and medical treatment help the exposed personnel to escape, or mitigate damage / injury. Such measures are classified as plant and community emergency response, and are considered the final protection layer (CCPS, 2001; The Dow chemical company, 2002; ACM Facility Safety, 2006). LOPA incorporates the reliability of the existing barriers to determine the reliability of the needed SIF. Note that LOPA does not determine what protection layers to implement, only the needed performance. In some cases a SIF is already present, and the SIL of an additional SIF shall be determined. How many and which protection layers are required depends on the situation at hand (CCPS, 2001; The Dow chemical company, 2002).


3.2 Explanation of terms

Various authors use different terms in LOPA. Examples are terms like scenario, impact event and initiating event. This makes it confusing to understand what is meant by the different terms and how they are applied. What exactly is an impact event? Does an impact event description include both causes and consequences? What is an impact event compared to an accidental event? What is a scenario? What is an independent protection layer? "Where" do we start the LOPA analysis? The objective of this section is to clarify these questions, and build the foundation for the further evaluation of LOPA. The relation between the terms is described by Figure 3.3.

Process deviation

According to NORSOK Z-013 (2001) an accidental event is defined as "event or chain of events that may cause loss of life, or damage to health, the environment or assets". Another definition is "the first significant deviation from a normal situation that may lead to unwanted consequences" (Rausand and Høyland, 2004). In IEC 60300-3-9 (1995) the term hazardous event is used instead of accidental event. In the HAZOP study the accidental event is referred to as a process deviation. The term process deviation is used from now on, and the definition from Rausand and Høyland (2004) is acknowledged as adequate.

Impact event

CCPS (2001) describe an impact as: "The ultimate potential result of a hazardous event. Impact may be expressed in numbers of injuries or fatalities, environmental or property damage, or business interruption." According to IEC 61511 an impact event is equivalent to the consequence in the HAZOP study. This implies that the impact event is the unwanted consequence of the hazardous event or accidental event, which is referred to as a process deviation. Impact event is closely related to the unwanted consequence, and the question which remains is what degree of consequence an impact event represents, e.g. end-consequence or intermediate consequence. From now on it is chosen to define impact event as "the first sign of harm to people, environment or assets". Examples are a car crash or an explosion due to overpressure of a separator. The impact event may lead to an end-consequence which may include fatalities / injury, environmental damage or economic loss. For the impact event car crash, the process deviation could be: car starts to slide. The car is out of control, and if the situation is not brought back under control, the impact event occurs. For the impact event explosion due to overpressure of separator, the process deviation could be high pressure upstream of the separator.


Initiating cause

The initiating causes are the reasons why the process deviation occurs, not the most basic underlying root causes. The initiating causes are the results of the root causes. CCPS presents three types of initiating causes: external events, equipment failures and human failure. External events are earthquakes, hurricanes and other external shocks. Equipment failures are control system failures or mechanical failures. Human failures are either errors of commission (failure to observe or respond appropriately) or errors of omission (failure to execute the task properly or not doing it at all) (CCPS, 2001). For the car crash example an initiating cause could be a slippery road.

Scenario

According to CCPS (2001) a scenario describes a single cause - consequence pair from the HAZOP. In LOPA terminology this is a single initiating cause - impact event pair. This implies that a scenario consists of more than just the impact event. But should not a scenario comprise even more? A more appropriate definition of a scenario would include more than one cause. The scenario definition is extended to describing "the development from a process deviation to an impact event, including the causes leading to the process deviation".

Protection layers vs. independent protection layers

The term protection layer was defined by IEC 61511, and four important characteristics were given in Section 2.3. What is the difference between a PL and an IPL, and is the definition appropriate? According to IEC 61511 an IPL must have the same inherent characteristics. In addition it must provide at least 100-fold risk reduction (not 10 as for a PL) and have a functional availability of at least 0.9 (IEC 61511, 2003). These definitions seem confusing. From the point of view of IEC 61511 an IPL is just a PL with stricter requirements to availability and degree of risk reduction. A PL has the same requirement to independence, so the name is misleading. A more appropriate definition would be to call all PLs IPLs, and IPLs with a high degree of availability and risk reduction high integrity IPLs. A definition of PL in CCPS (2001) is rewritten to: "device, system or action that is capable of preventing a process deviation from proceeding to the end consequence". Subsequently an IPL is defined as "a PL that is capable of preventing a process deviation from proceeding to the end consequence, regardless of other PLs associated with the same impact event - initiating cause pair, and of the initiating event". An IPL should fulfill the characteristics presented in Section 2.3. Another issue of interest is whether the PLs are designed to prevent the unwanted consequence from happening, or placed as barriers to mitigate the consequences after the impact event has occurred. PLs either reduce the frequency of the occurrence of the unwanted consequence, or mitigate the consequences.

An airbag system is defined as a SIS. The airbag inflates when a set of sensors send signals to a logic solver which initiates the inflation. If the impact event is a car crash, this protection system will function subsequent to the occurrence of the impact event. It limits the extent of damage rather than reducing the frequency of the impact event. In other cases SIFs may be placed prior to the impact event. If the impact event is overpressure of a separator, SIFs with the intention of closing valves and shutting down the system are wise. The SIF tries to prevent the impact event from occurring, thus reducing the frequency.

Relation between terms

Figure 3.3: Relation between initiating causes, impact event, process deviation and IPLs

Figure 3.3 shows the relation between the initiating causes, impact event, process deviation and the PLs listed in IEC 61511. It shows how all the terms fit together, and the figure and the definitions given form the basis of the understanding of LOPA. Initiating causes may be the sources of a process deviation which may lead to an impact event. The impact event may result in an end-consequence. In order to prevent the end-consequence, PLs are introduced. Most of these have the objective of limiting the frequency of the impact event, but PLs to minimize the extent of damage may also be put in place. Note that the worst-case scenario is assumed. All the PLs have to fail in order for the end-consequence to occur, hence the analogy to a branch in an ETA. The symbol * means that the PL may be credited as an IPL. The concept of IPL is discussed in the case study in Chapter 6. Note that the starting point of the LOPA analysis is the impact event. After this is identified, the causes are identified and the protection layers evaluated.


3.3 The LOPA team

LOPA is performed by a multi-disciplinary team, which at least should consist of one:

• operator
• process engineer
• process control engineer
• manufacturing management representative
• instrument / electrical maintenance representative
• risk analysis specialist

One of the team members should be skilled in LOPA methodology, and it is important that the team has experience with the related process / system. One of the team members should be a skilled meeting facilitator, and a secretary of the team should also be elected. Persons with other expertise may take part in the analysis at different points when needed. The meetings are usually run in several sessions, taking the process documentation as a basis and using a spreadsheet report to document the analysis (IEC 61511, 2003; Dowell, 1998; BP, 2006).

3.4 LOPA worksheet and the LOPA process

This section describes how LOPA works, and the LOPA process as described in IEC 61511. The terms are adapted to the definitions presented earlier, and are thus somewhat different from the ones in IEC 61511. Note that different approaches and methodologies exist, and these are discussed in Section 3.5. The LOPA report worksheet presented in IEC 61511 is shown in Table 3.1. In the following, the columns are explained briefly step by step.

Impact event

The potential impact event is described in the first column of the table. These are the consequences determined in the HAZOP study.

Severity level

In the next column the severity level of the impact event is entered, and levels of Minor (M), Serious (S), or Extensive (E) are suggested, which is the same classification as in the risk matrix approach and the safety layer matrix approach. Note that in the risk graph approach the consequence levels range from CA to CD, where CD is the most severe.

Table 3.1: Important columns in the LOPA report / worksheet adapted from IEC 61511 (2003) (listed one worksheet column per line; (a) and (b) denote the two rows of the worksheet)

Column 1, Impact event description: Pressure above design pressure of separator. Rupture of separator and possible ignition. Leading to the end-consequence: No. of fatalities between 1 to 10. Assuming no slug entering.
Column 2, Severity level: (a) E; (b) E
Column 3, Initiating cause: (a) Pressure control failure causing blocked outlet; (b) Spurious trip of the XV in addition to PV control failure
Column 4, Initiation likelihood: (a) 0.001; (b) 0.1
Column 5, Protection layers, General process design: (a) 1; (b) 1
Column 5, Protection layers, BPCS: (a) 1; (b) 1
Column 5, Protection layers, Alarms etc.: (a) 1; (b) 1
Column 6, Additional mitigation (restricted access): (a) 0.21; (b) 0.21
Column 7, High integrity additional mitigation (dikes, pressure relief): (a) 0.08; (b) 0.08
Column 8, Intermediate event likelihood: (a) 1.7 · 10^-5; (b) 1.7 · 10^-3; sum 1.717 · 10^-3
Column 9, SIF integrity level: 1.75 · 10^-2 (SIL 1)
Column 10, Mitigated event likelihood: (a) 3 · 10^-7; (b) 3 · 10^-5; sum 3.03 · 10^-5

Initiating cause and initiation likelihood

All direct initiating causes of the impact event are listed in column 3. In column 4 the likelihood values of the initiating causes occurring, in events per year, are entered. A table showing typical values is given in IEC 61511; e.g. a failure with a low probability of occurring within the lifetime of the plant (dual instrument or valve failure) is categorized with a frequency between 10^-4 and 10^-2 per year.

Independent protection layers

If protection layers satisfy the IPL criteria, they are given credit, and the PFD value is then entered in the worksheet. Process design features that reduce the likelihood of an impact event occurring, given that an initiating cause occurs, are listed first in column 5; jacketed pipes or vessels serve as examples. BPCS is the next to be listed in column 5. If the BPCS prevents the impact event from occurring when the initiating cause occurs, credit based on its PFD is claimed. The last item in column 5 takes credit for alarms that alert the operator and rely on operator intervention. Additional mitigation layers with associated PFDs are listed in column 6. Mitigation layers are normally mechanical, structural, or procedural, and may reduce the severity but do not prevent the impact event from occurring. Examples of additional mitigation could be pressure relief devices, dikes, restricted access and evacuation procedures. IPLs may be credited as high integrity IPLs if the functional availability is at least 0.9 and if they provide at least 100-fold risk reduction. They are then listed in column 7. A table in IEC 61511 presents typical PFD values for certain protection layers.

Intermediate event likelihood

The intermediate event is the occurrence of the end-consequence with the existing / planned protection layers in place, but without the SIF under consideration. The intermediate event likelihood is the frequency per year of the occurrence of this event, and is entered in column 8. It is calculated by multiplying the initiating event likelihood (column 4) by the PFDs of the protection layers and mitigating layers (columns 5, 6 and 7). The calculated number should be in events per year, and is compared with the corporate criteria. If the intermediate event likelihood is greater than the corporate criteria, additional mitigation is needed. Inherently safer design should be considered before new SIFs are introduced.


Safety integrity level (SIL)

If a new SIF is needed, the SIL is calculated by dividing the corporate criteria for this severity level by the intermediate event likelihood. The result is entered in column 9.

Mitigated event likelihood

The mitigated event is the occurrence of the end-consequence with all protection layers in place, including the proposed SIF. The mitigated event likelihood is the frequency per year of the occurrence of this event. It is calculated by multiplying columns 8 and 9, and the result is entered in column 10. This step is repeated until the team has calculated a mitigated event likelihood for each impact event.

Total risk

The last step could be to calculate the total risk with respect to each specific impact event. The mitigated event likelihoods for all the events rated as serious or extensive, and that present the same hazard, are added up. This step could include additional probabilities, if not accounted for in the previous steps.

Example

In Table 3.1 some rows are filled in. The example is overpressure of a topside separator, taken from Harsem Lund (2007). The HAZOP identified that pressure above the design pressure of the separator could cause rupture and possible ignition, leading to a number of fatalities between 1 and 10. Further, two initiating causes with initiating likelihoods were identified. General process design, BPCS and alarms are not given credit as PLs, and are thus given the value 1. Additional mitigation (restricted access) is estimated to 0.21, due to an assumed ignition probability of 0.3 and an occupancy of 70%. IPL additional mitigation is estimated to 0.08, due to the assumption that 8 PSVs must be running to avoid pressure build-up above test pressure. The intermediate event likelihood is now calculated for the initiating events, and the corporate / company criterion for this severity level (E) is 3 · 10^-5 events per year. The sum of the intermediate event likelihoods is 1.717 · 10^-3 events per year. Dividing 3 · 10^-5 by 1.717 · 10^-3 gives a necessary risk reduction of 1.75 · 10^-2, which is a SIL 1 requirement. The mitigated event likelihoods become 3 · 10^-5 and 3 · 10^-7 events per year, which gives a total of 3.03 · 10^-5 events per year. Note that both in the table and in the calculations accurate numbers with several decimals are used. This is done for illustration only; usually, two decimals are appropriate.
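The worksheet arithmetic of this example, and the ETA-style frequency calculation described in Section 3.1, carried out in code as an added example (not code from the thesis, IEC 61511 or Harsem Lund (2007)). The two initiating causes and the PFDs are those of Table 3.1, the 0.21 is derived from the stated ignition probability 0.3 and occupancy 0.7, and the bands used to map the required PFD to a SIL are the IEC 61508 low-demand bands, assumed here because the page does not list them.

```python
"""LOPA worksheet arithmetic for one impact event (columns 4 to 10 of Table 3.1).

Added example, not the thesis's, IEC 61511's or Harsem Lund's own code.
Generalizes the separator example to any number of initiating causes.
"""
from dataclasses import dataclass


@dataclass
class InitiatingCause:
    """One worksheet row: initiating likelihood plus the PFD credited per layer."""
    description: str
    likelihood: float                    # column 4, events per year
    process_design: float = 1.0          # column 5; 1.0 means no credit taken
    bpcs: float = 1.0                    # column 5
    alarms: float = 1.0                  # column 5
    additional_mitigation: float = 1.0   # column 6
    high_integrity_ipl: float = 1.0      # column 7

    def intermediate_likelihood(self) -> float:
        """Column 8: initiating likelihood times the PFD of every credited layer."""
        result = self.likelihood
        for pfd in (self.process_design, self.bpcs, self.alarms,
                    self.additional_mitigation, self.high_integrity_ipl):
            if not 0.0 < pfd <= 1.0:
                raise ValueError(f"PFD {pfd} outside (0, 1] for {self.description!r}")
            result *= pfd
        return result


def sil_for_required_pfd(required_pfd: float):
    """Map the required PFD of the new SIF (column 9) to a SIL.

    Uses the IEC 61508 low-demand bands, 10^-(n+1) <= PFD < 10^-n for SIL n
    (general knowledge, assumed here; the page does not list the bands).
    Returns 0 when less than a 10-fold reduction is needed, i.e. no SIL-rated
    SIF is required, and None when even SIL 4 would not suffice.
    """
    if required_pfd >= 0.1:
        return 0
    for sil in (1, 2, 3, 4):
        if 10.0 ** -(sil + 1) <= required_pfd < 10.0 ** -sil:
            return sil
    return None


def lopa_worksheet(causes, corporate_criterion):
    """Columns 8 to 10 for one impact event.

    corporate_criterion is the tolerable frequency (events/year) for the impact
    event's severity level. The SIF PFD is set equal to the required risk
    reduction, i.e. the proposed SIF is assumed to just meet the requirement.
    """
    intermediate = [c.intermediate_likelihood() for c in causes]
    total_intermediate = sum(intermediate)
    if total_intermediate <= corporate_criterion:
        # Existing layers already meet the criterion: no new SIF needed.
        return {"intermediate": intermediate, "total_intermediate": total_intermediate,
                "sif_required": False, "required_pfd": None, "sil": None,
                "mitigated": intermediate, "total_mitigated": total_intermediate}
    required_pfd = corporate_criterion / total_intermediate      # column 9
    mitigated = [x * required_pfd for x in intermediate]         # column 10
    return {"intermediate": intermediate, "total_intermediate": total_intermediate,
            "sif_required": True, "required_pfd": required_pfd,
            "sil": sil_for_required_pfd(required_pfd),
            "mitigated": mitigated, "total_mitigated": sum(mitigated)}


# Separator example from Table 3.1. Column 6 is derived as the thesis does:
# ignition probability 0.3 times occupancy 0.7 = 0.21. Column 7 (0.08, eight PSVs)
# is taken as given. Process design, BPCS and alarms get no credit (1.0).
IGNITION_PROBABILITY = 0.3
OCCUPANCY = 0.7
RESTRICTED_ACCESS_PFD = IGNITION_PROBABILITY * OCCUPANCY   # 0.21
PRESSURE_RELIEF_PFD = 0.08
CORPORATE_CRITERION_E = 3e-5    # events per year, severity level E

SEPARATOR_CAUSES = [
    InitiatingCause("Pressure control failure causing blocked outlet", 0.001,
                    additional_mitigation=RESTRICTED_ACCESS_PFD,
                    high_integrity_ipl=PRESSURE_RELIEF_PFD),
    InitiatingCause("Spurious trip of the XV in addition to PV control failure", 0.1,
                    additional_mitigation=RESTRICTED_ACCESS_PFD,
                    high_integrity_ipl=PRESSURE_RELIEF_PFD),
]


def separator_example():
    """Exact arithmetic: total intermediate 1.697e-3/yr, required PFD 1.77e-2
    (SIL 1), total mitigated 3e-5/yr. The thesis sums the rounded per-cause
    values (1.7e-3 + 1.7e-5 = 1.717e-3) and so reports 1.75e-2 and 3.03e-5;
    the SIL requirement is the same either way."""
    return lopa_worksheet(SEPARATOR_CAUSES, CORPORATE_CRITERION_E)


if __name__ == "__main__":
    r = separator_example()
    for cause, inter, mit in zip(SEPARATOR_CAUSES, r["intermediate"], r["mitigated"]):
        print(f"{cause.description}: intermediate {inter:.2e}/yr, mitigated {mit:.2e}/yr")
    print(f"total intermediate {r['total_intermediate']:.3e}/yr, required PFD "
          f"{r['required_pfd']:.2e} -> SIL {r['sil']}, total mitigated "
          f"{r['total_mitigated']:.2e}/yr")
```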

3.5 Different approaches in literature

Many similarities can be found among the approaches and methodologies presented in the literature. Summers (2003), Ellis and Wharton (2006) and Dowell (1998) have presented flowcharts, while IEC 61511 uses a worksheet as the basis for its methodology. BP (2006) has its own procedure providing guidance on LOPA, which includes a flowchart. CCPS (2001) presents a diagram explaining the LOPA steps, with a chapter explaining each step. The approach in IEC 61511 is the most prevalent. The essential steps that seem common are:

• Documentation of the hazard analysis
• Development of scenario or impact event
• Identification of initiating causes
• Determination of the protection layers including the IPLs
• Quantification (cause frequency / likelihood and PFD)
• Target risk evaluation / SIL determination

As the list indicates, the major steps in the SIL determination process are covered. Most approaches take information from previous studies to identify hazards and to form a basis for the next steps. The initiating causes are identified, and the frequency determined. The most substantial differences between the various approaches are the use of terms, the order of the steps and the intended application. Another distinction is how the SIL is incorporated and evaluated. Often the "as is" process design is evaluated: the existing protection layers are identified and the intermediate event likelihood determined before assigning a SIL to the SIF. Sometimes the SIF under consideration, with its expected PFD, is implicitly included in the calculations. This results in a different criterion for acceptability: the mitigated event likelihood is then the calculated frequency that is compared to the acceptance criteria, not the intermediate event likelihood. Some authors use screening tools and / or suggest LOPA as part of a total methodology. Ellis and Wharton (2006) suggest such a close interface between LOPA and other methods.
Figure 3.4 is an extract of the determination methodology presented in Ellis and Wharton (2006). The consequences of the impact events are classified. A consequence level is chosen for the impact event under consideration, and LOPA is used if the most severe category, C_E, is selected. If not, a risk graph approach is utilized. If the risk graph results in SIL 1 (or lower), this is documented as the final SIL. The risk graph may result in a high SIL (SIL 2 - 4), and LOPA is suggested in those cases. The LOPA may conclude with SIL 3-4. If this is the case, a fault tree analysis (FTA) is initiated. If the FTA results in SIL 3-4, redesign to eliminate the hazard or to reduce event severity or event likelihood is needed. Harsem Lund (2007) supports the use of risk graph and QRA in addition to LOPA, depending on the calculated SIL.

Figure 3.4: Extract of SIL determination methodology from Ellis and Wharton (2006)

3.6 Aker E&T methodology

The Aker E&T LOPA methodology is presented in Figure 3.5. The method is modified in contrast to the one given in Nordhagen (2007). Compared to the approaches discussed in Section 3.5, the Aker E&T approach is an overall methodology, not taking the proposed SIF implicitly into account. Often the customer methodology (i.e. Statoil, BP) forms the basis for the analysis. P&IDs are schematic diagrams describing piping, equipment and instrumentation connections within process plants. ISO 10418 (2003) is a technical standard that provides objectives, functional requirements and guidelines for techniques for analysis, design and testing of surface process safety systems. This standard helps the design team to implement safety functions in the P&IDs for the system concerned. A HAZID, HAZOP or WHAT-IF analysis helps to identify process deviations which require additional SIFs. After all information has been gathered and documented in the P&IDs and additional documentation, a LOPA is initiated. The report sheet in Table 3.1 is used, and the steps described in Section 3.4 are followed, except for the steps where the mitigated event likelihood and the total risk are calculated. An example of acceptance criteria is shown in Table 4.1, and the accepted frequency is denoted target mitigated event likelihood (TMEL). The mitigated event likelihood is in the Aker E&T approach equal to the TMEL (Nordhagen, 2007; ISO 10418, 2003).


Figure 3.5: Aker E&T methodology adapted from Nordhagen (2007)

The SIF under consideration is assumed not to be in place during the analysis, and the formula used in the evaluation of the LOPA results can be written $\frac{\text{Acc. freq.}}{\text{Total IEL}}$. If the ratio between the accepted frequency (Acc. freq.) and the calculated total intermediate event likelihood (Total IEL) is greater than or equal to 1, the team shall evaluate whether the SIF shall be removed or not. This implies that the resulting frequency of the end-consequence, without the proposed SIF, is equal to or less than the accepted frequency. The analysis team can either remove the SIF, because the system is evaluated as safe enough, or keep the SIF without any requirements to the safety function. If $1 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.1$, "SIL 0" is selected. This implies that the intermediate event likelihood is between one and ten times higher than the acceptable value. No further evaluation is necessary, but the SIF is kept in order to achieve some risk reduction. If $0.1 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.01$, which is equivalent to SIL 1 in IEC 61511, SIL 1 is selected and no further evaluation is done. SIL 2 is selected if $0.01 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.001$. If the analysis result is SIL 3 ($0.001 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.0001$), a QRA is initiated to further evaluate the SIF (Nordhagen, 2007).


Chapter 4

Preferred approach

4.1 Flowchart

When performing LOPA, a clear methodology and approach is needed to make the team focus on the analysis and not on how to do the analysis. The preferred approach is a recommended approach developed from the worksheet presented in IEC 61511, reproduced in Table 3.1. It is modified taking the views presented in Sections 3.5 and 3.6 into consideration, using the terms described in Section 3.2. The steps in Figure 4.1 are described in the paragraphs below.

Step 1: Develop and document the risk acceptance criteria It is of great importance that this step is done with care. The acceptance criteria have to respond to the requirements from the company, authorities and customers. Acceptance criteria should be established for different types of consequences, such as safety, environmental and economic. In Table 4.1 an example of acceptance criteria for safety hazards is presented. Note that the TMEL is a frequency. For economic / commercial hazards the criteria could consist of target mitigated likelihoods and monetary consequences. If acceptance criteria already exist, these should be verified before they are employed.

Step 2: Gather and document data The results from HAZOP, HAZID and WHAT-IF analyses must be gathered and documented. In addition, documentation like equipment data, maintenance plans and operational conditions and procedures is important to obtain. If the data material is not sufficient, further data must be collected. In particular, the need for further hazard identification must be evaluated.


Figure 4.1: Preferred approach


Table 4.1: Target mitigated event likelihood for safety hazards adapted from Nordhagen (2007)

Severity level | Safety consequence | Target mitigated event likelihood
C_A | Single first aid injury | 3·10^-2 per year
C_B | Multiple first aid injuries | 3·10^-3 per year
C_C | Single disabling injury or multiple serious injuries | 3·10^-4 per year
C_D | Single on-site fatality | 3·10^-5 per year
C_E | More than one and up to three on-site fatalities | 1·10^-5 per year

Step 3: Transform and integrate data The data material has to be adapted to the input that LOPA requires. Acceptance criteria, frequencies and consequence / likelihood ratings may have to be converted. The interface between HAZOP and LOPA is discussed in Chapter 5.

Step 4: Select impact event The impact events should be evaluated separately, one at a time.

Step 5: Screen impact event For each impact event a consequence severity level is determined, and the impact event under consideration is screened by a criterion using these levels. This could have been done already in the HAZOP study, and if applicable those results can be used. In Table 4.1 such severity levels are given. Let C denote the consequence severity level, divided into five categories. If an impact event is classified with consequence severity level C > C_C (C_D or C_E), a QRA has to be performed. This implies that impact event consequences rated as C_A, C_B or C_C are evaluated with LOPA. Note that the criterion for selecting either QRA or LOPA should be adapted to how the acceptance criteria are expressed and to the situation under consideration.

Step 6: Identify initiating causes The initiating causes are most likely identified in the HAZOP study, but these may not include sub-causes. Identifying sub-causes can be beneficial, both to gain understanding of the situation at hand and to get an accurate result when it comes to the calculations. Expert judgment and previous studies (such as HAZOP) are used in the identification process.


Step 7: Establish / determine initiating cause frequencies The initiating cause frequencies must be determined. In Table 4.2 typical initiating cause frequencies are presented. In addition, expert judgment and plant specific data / company data may be helpful in determining the frequencies.

Step 8: Select initiating cause - impact event pair One pair of initiating cause and impact event should be evaluated at a time.

Step 9: Identify IPLs and determine PFDs The IPLs must be identified, and the assumption of independence should be evaluated with care and be thoroughly documented. If the IPL criteria are satisfied, the PFDs are entered in the LOPA worksheet in Table 3.1. Estimates of PFDs can be found in tables in CCPS (2001) and OREDA, but company or plant specific data can also be used. Table 4.3 shows some PFDs for different IPLs. If a protection layer cannot be given credit as an IPL, the PFD value entered in the worksheet is 1. The inherent process design and the reduction factor this gives should be evaluated carefully. This protection layer is difficult to assess, and in most cases no risk reduction is given credit. In addition to the PFDs the following frequency modifiers may be included:

• Occupancy
• Ignition probability
• Time at risk (for systems not continuously in operation)

The additional mitigation (restricted access) column shall include ignition probability in addition to occupancy. The occupancy factor is calculated as for the risk graph (IEC 61511, 2003). For flammable hazards ignition probability shall be considered. If there are many sources of ignition and the release is large, a conservative value should be chosen. A conservative value is in this case a value close to 1. The time at risk factor reflects the time the system is in the hazardous mode, and is evaluated only for systems not in continuous operation. All of the frequency modifiers are numbers between 0 and 1, and care should be taken not to give credit for too much risk reduction (BP, 2006; CCPS, 2001; Harsem Lund, 2007). Note that the frequency modifiers are optional and should be seen in relation to the impact event under consideration.

Step 10: Calculate intermediate event likelihood (IEL)

$$f_{IEL,i} = f_i \cdot \prod_{j=1}^{J} PFD_{ij} \qquad (4.1)$$

Table 4.2: Typical frequency values assigned to initiating causes adapted from CCPS (2001)

Initiating event | Frequency range from literature (per year) | Example of a value chosen by a company
Pressure vessel residual failure | 10^-5 to 10^-7 | 1·10^-6
Piping residual failure, 100 m, full breach | 10^-5 to 10^-6 | 1·10^-5
Piping leak (10 % section), 100 m | 10^-3 to 10^-4 | 1·10^-3
Atmospheric tank failure | 10^-3 to 10^-5 | 1·10^-3
Gasket / packing blowout | 10^-2 to 10^-6 | 1·10^-2
Turbine / diesel engine overspeed with casing breach | 10^-3 to 10^-4 | 1·10^-4
Third party intervention (external impact by backhoe, vehicle etc.) | 10^-2 to 10^-4 | 1·10^-2
Crane load drop | 10^-3 to 10^-4 per lift | 1·10^-4 per lift
Lightning strike | 10^-3 to 10^-4 | 1·10^-3
Safety valve opens spuriously | 10^-2 to 10^-4 | 1·10^-2
Cooling water failure | 1 to 10^-2 | 1·10^-1
Pump seal failure | 10^-1 to 10^-2 | 1·10^-1
Unloading / loading hose failure | 1 to 10^-2 | 1·10^-1
BPCS instrument loop failure | 1 to 10^-2 | 1·10^-1
Regulator failure | 1 to 10^-1 | 1·10^-1
Small external fire (aggregate causes) | 10^-1 to 10^-2 | 1·10^-1
Large external fire (aggregate causes) | 10^-2 to 10^-3 | 1·10^-2
LOTO (lock-out tag-out) procedure failure | 10^-3 to 10^-4 per opportunity | 1·10^-1 per opportunity
Operator failure (to execute routine procedure, assuming well trained, unstressed, not fatigued) | 10^-1 to 10^-3 per opportunity | 1·10^-2 per opportunity

Table 4.3: PFDs for IPLs adapted from CCPS (2001) and BP (2006)

IPL | PFD
BPCS, if not associated with the initiating event being considered | 1·10^-1
Operator alarm with sufficient time available to respond | 1·10^-1
Relief valve | 1·10^-2
Rupture disc | 1·10^-2
Flame / detonation arrestors | 1·10^-2
Dike / bund | 1·10^-2
Underground drainage system | 1·10^-2
Open vent (no valve) | 1·10^-2
Fireproofing | 1·10^-2
Blast-wall / bunker | 1·10^-3
Identical redundant equipment | 1·10^-1 (max credit)
Diverse redundant equipment | 1·10^-1 to 1·10^-2
Other events | Use experience of personnel
SIS that typically consists of a single sensor, logic and final element (SIL 1) | 1·10^-1 to 1·10^-2
SIS that typically consists of multiple sensors, multiple channel logic and multiple final elements (for fault tolerance) (SIL 2) | 1·10^-2 to 1·10^-3
SIS that typically consists of multiple sensors, multiple channel logic and multiple final elements; requires careful design and frequent proof tests (SIL 3) | 1·10^-3 to 1·10^-4


Equation 4.1 shows the formula to calculate the intermediate event likelihood, $f_{IEL,i}$, for a certain initiating event $i$. Let the IPLs be numbered $j = 1, \dots, J$, each with a PFD denoted $PFD_{ij}$. The product of the PFDs is multiplied by the frequency of initiating event $i$, $f_i$. The intermediate event likelihood is the expected frequency of the consequence with the credited IPLs in place.

Next initiating cause - impact event pair If there are more initiating cause - impact event pairs, they should be evaluated. As shown in Figure 5.1, the analysis team has to go back to the pair selection phase. This process is iterative until all pairs have been evaluated.

Step 11: Sum up the intermediate event likelihoods The intermediate event likelihoods of all the related initiating cause - consequence pairs have to be summed, in order to identify the total rate of demands that are not eliminated by the system (including planned / existing protection layers and mitigation). Equation 4.2 shows the applied formula to determine the total intermediate event likelihood, $f_{IEL,total}$, for initiating events ranging from $i = 1$ to $i = I$.

$$f_{IEL,total} = \sum_{i=1}^{I} f_{IEL,i} \qquad (4.2)$$

Target risk measurement Column 3 in Table 4.1 shows the target mitigated event likelihood (TMEL) for different consequence severity levels. The combination of the TMEL and the consequence category is in this case the risk acceptance criterion, which is the target risk measure. For the consequence severity level concerned, the total intermediate event likelihood and the target mitigated event likelihood are compared. If the total intermediate event likelihood is less than the target mitigated event likelihood, the target risk is acceptable. The next impact event can then be evaluated. If not, a SIL should be determined. Note that even if the target risk is acceptable, introducing a SIL may still be wise due to uncertainty in the calculations. Modifications and changes to the planned / existing system should be considered prior to introducing a SIF. Can the risk be reduced by enhancing the existing protection layers, or by changing the design? If the answer is yes, such measures should be evaluated, and the new intermediate event likelihood calculated and compared with the acceptance criteria. If the answer is no, a SIF with an associated SIL has to be implemented.

Step 12: Determine SIL The gap between the acceptable risk (the target mitigated event likelihood corresponding to a specific consequence category) and the current risk (intermediate event likelihood) must be eliminated by the SIF, hence the needed SIL. By dividing the target mitigated event likelihood by the total intermediate event likelihood, the PFD corresponding to the SIL is found. Equation 4.3 shows how the acceptable frequency, $f_{Acc}$, is used to determine the necessary risk reduction. The target mitigated event likelihood is denoted $f_{TMEL}$.

$$SIL = \text{necessary risk reduction} = \frac{f_{Acc}}{f_{IEL,total}} = \frac{f_{TMEL}}{f_{IEL,total}} \qquad (4.3)$$

Screen by SIL If the resulting SIL > SIL 3, a QRA should be initiated. A high SIL requirement is stricter, demanding higher reliability and performance of the SIS. LOPA includes uncertainty, and for a SIL requiring high integrity a more thorough analysis is recommended. If SIL < SIL 4, the flowchart loop is finished. Note that the screening criterion in this case is SIL > 3, and the criterion should be adapted to the situation at hand. In some cases SIL > SIL 2 is more applicable.

Step 13: Calculate mitigated event likelihood (MEL) The last step is to calculate the mitigated event likelihood, $f_{MEL,i}$. This is the frequency of the consequence in events per year, after the SIF has been implemented. The selected SIL, expressed as the PFD found in Equation 4.3, is multiplied by the intermediate event likelihood to obtain the mitigated event likelihood, as Equation 4.4 shows.

$$f_{MEL,i} = f_{IEL,i} \cdot SIL \qquad (4.4)$$

The calculation is done for all rows in the LOPA worksheet related to the impact event concerned. Note that the mitigated event likelihood is the same as the TMEL if the exact value of the calculated SIL is employed. It then serves as a check of whether the acceptable risk is satisfied or not with the currently calculated SIL. This is the last step in the LOPA procedure. If there are more impact events, these shall be evaluated. Then, the analysis team goes back to the select impact event phase. However, this is not implemented in the flowchart. The team usually continues the analysis until all process deviations from the HAZOP are evaluated.
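As an added worked example (not code from the thesis or from Aker Solutions), the following Python carries Steps 10 to 13 above (Equations 4.1 to 4.4) through to a result, selecting the SIL with the ratio bands of the Aker E&T methodology in Section 3.6 and following the two-cause structure of the separator example in Section 3.4. The initiating cause names and frequencies, the dictionary of layer PFDs and the function names are assumptions made for the illustration; the modifiers 0.21 and 0.08 and the criterion 3·10^-5 per year follow the Section 3.4 example:

```python
"""Worked LOPA calculation: Steps 10-13 of the preferred approach
(Equations 4.1-4.4), the Aker E&T ratio bands of Section 3.6 and the
vendor-PFD check discussed in Section 4.2.

Added example, not the thesis's own code. Every number below is a
constructed illustration in the spirit of the Section 3.4 separator
example; none of it is taken from a real project."""
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class InitiatingCause:
    name: str
    frequency: float          # f_i, initiating cause frequency (events per year)
    pfds: Dict[str, float]    # PFD per protection layer or frequency modifier;
                              # 1.0 means the layer is not credited as an IPL

    def iel(self) -> float:
        """Equation 4.1: f_IEL,i = f_i * prod_j PFD_ij."""
        return self.frequency * math.prod(self.pfds.values())


def total_iel(causes: List[InitiatingCause]) -> float:
    """Equation 4.2: f_IEL,total = sum_i f_IEL,i."""
    return sum(c.iel() for c in causes)


def required_risk_reduction(tmel: float, f_iel_total: float) -> float:
    """Equation 4.3: the PFD the SIF must provide, f_TMEL / f_IEL,total."""
    return tmel / f_iel_total


def sil_from_ratio(ratio: float) -> str:
    """Aker E&T bands (Section 3.6); SIL 1-3 coincide with the IEC 61511 PFD bands."""
    if ratio >= 1:
        return "no SIF required"   # the team evaluates whether the SIF can be removed
    if ratio > 0.1:
        return "SIL 0"             # SIF kept, but without an integrity requirement
    if ratio > 0.01:
        return "SIL 1"
    if ratio > 0.001:
        return "SIL 2"
    if ratio > 0.0001:
        return "SIL 3"
    return "SIL 4"


def needs_qra(sil: str, limit: int = 3) -> bool:
    """Screen by SIL: a result stricter than `limit` sends the SIF to a QRA.
    limit=3 is the Chapter 4 default; limit=2 reproduces the Aker E&T rule
    that a SIL 3 result triggers a QRA."""
    digits = sil.split()[-1]
    return digits.isdigit() and int(digits) > limit


def meets_target(design_pfd: float, f_iel_total: float, tmel: float) -> bool:
    """Section 4.2 check: does a vendor's designed PFD bring the mitigated
    event likelihood down to the TMEL? A small tolerance absorbs rounding."""
    mel = f_iel_total * design_pfd
    return mel <= tmel or math.isclose(mel, tmel, rel_tol=1e-9)


def run_lopa(causes: List[InitiatingCause], tmel: float, qra_limit: int = 3) -> dict:
    """Steps 10-13 for one impact event. Equation 4.4 is applied with the
    exact ratio, so the summed mitigated event likelihood equals the TMEL."""
    f_total = total_iel(causes)
    ratio = required_risk_reduction(tmel, f_total)
    sil = sil_from_ratio(ratio)
    mel = {c.name: c.iel() * ratio for c in causes}   # Equation 4.4 per cause
    return {"total_iel": f_total, "ratio": ratio, "sil": sil,
            "needs_qra": needs_qra(sil, qra_limit),
            "mel": mel, "total_mel": sum(mel.values())}


# Constructed inputs for overpressure of a topside separator. General process
# design, BPCS and alarms get no credit (PFD 1). Additional mitigation 0.21
# (ignition 0.3 x occupancy 0.7) and IPL additional mitigation 0.08 follow the
# Section 3.4 example; the two cause names and frequencies are assumed values
# (0.1 per year is the company value for a BPCS loop failure in Table 4.2).
MODIFIERS = {"general design": 1.0, "BPCS": 1.0, "alarms": 1.0,
             "additional mitigation": 0.21, "IPL additional mitigation": 0.08}
EXAMPLE_CAUSES = [
    InitiatingCause("BPCS instrument loop failure", 0.1, dict(MODIFIERS)),
    InitiatingCause("blocked outlet (assumed)", 1e-3, dict(MODIFIERS)),
]
EXAMPLE_TMEL = 3e-5   # criterion used in the Section 3.4 example, per year


if __name__ == "__main__":
    for key, value in run_lopa(EXAMPLE_CAUSES, EXAMPLE_TMEL).items():
        print(f"{key}: {value}")
```

Running the file prints the totals for the constructed impact event: a total IEL of about 1.7·10^-3 per year and a required risk reduction of about 1.8·10^-2, which the bands map to SIL 1, and the summed MEL reproduces the TMEL exactly, which is the consistency check the text notes after Equation 4.4. `meets_target` applies the same check to a vendor's designed PFD, the situation discussed in Section 4.2: a required PFD of 8·10^-3 is met by a design at 8·10^-3 but not by one at 1·10^-2.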

4.2 Comments to the preferred LOPA approach

The preferred approach is an overall approach considering the planned / existing system without the proposed SIF. As discussed previously, several screening tools exist, but it is chosen to screen by consequence and SIL only. Conducting a risk graph analysis and then initiating a LOPA causes extra work and increased engineering cost.


Only safety aspects have been considered. Usually economic and environmental issues are also evaluated during a LOPA analysis. Such levels may be determined for the SIF, and the highest resulting integrity level chosen. Note that this requires additional acceptance criteria (BP, 2006; Nordhagen, 2007). In the approach it is chosen to select an impact event before it is screened by severity level. Another possibility is to do this the other way around. Another issue is how to express and transmit the requirements to the vendors or to the further allocation process. If the LOPA results in a required PFD of 8·10^-3, giving SIL 2, and the suppliers design their product with a designed PFD of 1·10^-2, the outcome may be that the system does not fulfill the requirements. Important issues that must be covered in the interface work packages by the system vendor are: What is the requirement? How is it expressed?


Chapter 5

Interface with HAZOP

5.1 Introduction to HAZOP

Table 5.1 presents a typical HAZOP worksheet. HAZOP is a structured way of examining the planned or existing process operation. The objective of a HAZOP study is to identify and evaluate problems that may represent a risk to personnel or equipment, or prevent efficient operation. The HAZOP is usually performed early in the design stage, in a multidisciplinary team. The HAZOP meetings / sessions are carried out with a leader, a secretary and team members with process experience. The system is divided into nodes, and each node is evaluated by a set of guidewords and parameters. The results are recorded in a report sheet like the one in Table 5.1. A guideword + a parameter leads to a deviation. The causes are the reasons why the deviation occurs, and the consequences are the results of the deviation. Safeguards have the intention of reducing the frequency of occurrence and / or mitigating the consequences. During the meeting, actions are allocated to the participating parties. These can be technical improvements, but also work tasks (Rausand, 2005). The briefly described HAZOP methodology is close to how HAZOP is performed by Aker Solutions. Note that the experience and knowledge of the participants are vital in getting a thorough examination.

5.2 HAZOP integration

Traditionally, HAZOP and SIL determination have been two separate sessions. They both require much of the same information, and a common database is beneficial, as it results in saved time and cost. Performing the analyses in one session gives savings of up to 30% and a significant improvement in data integrity and manageability (Bingham and Goteti, 2004; ACM Facility safety, 2004). Software tools to integrate LOPA and HAZOP exist, but Aker Solutions does not employ such programs. Software programs can be used when HAZOP and LOPA are integrated in one session, but also when two sessions are performed. Further, the relationship between the HAZOP output and the LOPA input is discussed.

Table 5.1: Process HAZOP worksheet adopted from Rausand (2005)

Study title:                 Drawing no:        Rev. no.:        Page:
HAZOP team:                  Material:          Activity:        Date:
Part considered: Separator   Source:            Destination:     Meeting date:
Design intent:

No. | Guideword | Element / process parameter | Deviation | Possible causes | Consequences | Safeguards | Comments | Actions required | Actions allocated to
    | High | pressure | Pressure above design pressure | Failure of BPCS, high level, external fire | Release to environment | Alarm, operator, deluge system |  | Evaluate new PLs. | Joe Johnson (Aker Solutions)

Figure 5.1: Relationship between HAZOP and LOPA worksheets

Figure 5.1 shows the interaction between the HAZOP and LOPA worksheets. LOPA is performed from left to right in the worksheet and receives input from the HAZOP during the analysis. Note that the HAZOP worksheet in the figure is somewhat different from the one presented in Table 5.1, as it incorporates the severity level (S) and likelihood (L) of the HAZOP consequence (IEC 61511, 2003; Dowell and Williams, 2005; CCPS, 2001). If the (process) deviation in the HAZOP is high pressure, the HAZOP consequence could be: release to environment. The impact event would then also be release to environment, because the consequence identified in the HAZOP corresponds to the impact event in LOPA. The possible causes from HAZOP are the initiating causes in LOPA (Dowell, 1998; IEC 61511, 2003). Further transformation or evaluation of causes and sub-causes may be necessary and should be expected. The safeguards identified in HAZOP are denoted PLs in LOPA. Note that all IPLs are safeguards, but not all safeguards are IPLs (CCPS, 2001). Which IPLs to include, and in which column of the LOPA worksheet they should be entered, requires evaluation. The actions required column in the HAZOP worksheet may include many things, e.g. new recommended safeguards and work tasks. New recommended safeguards could either be modifications to existing PLs and design, or new protection layers, e.g. SIFs (CCPS, 2001). In Figure 5.1 the arrows are blue and dotted, which indicates that the information from the columns including safeguards and actions required cannot be transferred directly. The HAZOP consequence severity ranking (S) and the HAZOP consequence likelihood (L) can be transferred to LOPA; impact event severity level and initiating cause frequency are the applicable terms in LOPA, with associated columns (Dowell and Williams, 2005). The HAZOP worksheet does not necessarily include these columns. There are several views on which columns are included in the HAZOP, according to what the organization or author prefers. The HAZOP may either include severity ranking and likelihood of the HAZOP consequence, or just the severity ranking. Another possibility is that the HAZOP has neither, as in Table 5.1. This makes it difficult to know what this part of the interface will look like. If the HAZOP worksheet has both the severity and likelihood ranking, it is not certain that this categorization is used, adding another issue to the current problem. These issues must be evaluated prior to a LOPA, and the blue dotted lines in Figure 5.1 indicate that evaluation is needed when transferring data to LOPA. It is suggested that the same risk matrix is used for HAZOP as for the LOPA, with related risk acceptance criteria. At least the severity ranking should be identical, because the initiating cause frequencies in LOPA usually are obtained from tables and / or expert judgment. In BP (2006) such a common risk matrix, including risk acceptance criteria, is presented.

5.3 Adjustments and transformation of data

It might be that only limited data are available to the analysis team. This requires the analysis team to make adjustments. In Section 3.4 and Chapter 4 the initiating cause frequency was represented as a number of occurrences per year. The frequency from the data source may be expressed in occurrences per hour or per minute. Sometimes the data is not even given as a frequency, but as a PFD. Examples are human error in executing a task, or a crane load drop. If the frequency is expressed in the wrong unit, the team has to convert the data to get the correct frequency. When only a PFD is available, the PFD has to be multiplied by the number of demands per year to get the wanted frequency (CCPS, 2001). Another issue is when only general industry data are available. General data should be adjusted to fit the local conditions. This requires an understanding of how the local conditions compare to the general conditions. In LOPA the numbers are often expressed in orders of magnitude. It is important that the team is consistent when rounding the numerical values (CCPS, 2001).
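The unit and PFD adjustments just described, as an added example (not the thesis's own code, and not part of the Excel / VB illustration in Section 5.5, whose Step 2 performs the same adjustment): a small Python helper that converts an initiating cause value given per hour, per minute or per demand into events per year, refuses a per-demand value without the number of demands per year, and applies one rounding rule to express the result in orders of magnitude. The record layout, the function names and the sample records are constructed for the illustration:

```python
"""Adjustment of initiating cause data to the per-year frequency LOPA
expects (Section 5.3). Added example, not the thesis's own code; the
sample records are constructed and do not come from any data source."""
import math

HOURS_PER_YEAR = 8760
MINUTES_PER_YEAR = HOURS_PER_YEAR * 60


def to_per_year(value, unit, demands_per_year=None):
    """Return an initiating cause frequency in events per year.

    `unit` is 'per year', 'per hour', 'per minute' or 'per demand' (a PFD,
    e.g. operator error per opportunity or crane load drop per lift). A
    per-demand value must be multiplied by the demands per year (CCPS, 2001),
    so that figure is required rather than silently assumed."""
    if unit == "per year":
        return value
    if unit == "per hour":
        return value * HOURS_PER_YEAR
    if unit == "per minute":
        return value * MINUTES_PER_YEAR
    if unit == "per demand":
        if demands_per_year is None:
            raise ValueError("a per-demand value needs demands_per_year")
        return value * demands_per_year
    raise ValueError(f"unknown unit: {unit!r}")


def round_to_order_of_magnitude(x):
    """Round a positive value to the nearest power of ten on a log scale.
    Applying this one rule to every number keeps the team's rounding
    consistent (CCPS, 2001)."""
    if x <= 0:
        raise ValueError("frequency must be positive")
    return 10.0 ** math.floor(math.log10(x) + 0.5)


def normalise_record(record):
    """Take one data-source record (constructed layout) and return its
    per-year frequency together with the order-of-magnitude form."""
    f = to_per_year(record["value"], record["unit"], record.get("demands_per_year"))
    return {"name": record["name"], "per_year": f,
            "rounded": round_to_order_of_magnitude(f)}


# Constructed records, one per unit case discussed in Section 5.3.
SAMPLE_RECORDS = [
    {"name": "pump seal failure", "value": 0.1, "unit": "per year"},
    {"name": "regulator failure", "value": 1.2e-5, "unit": "per hour"},
    {"name": "cooling water failure", "value": 2e-7, "unit": "per minute"},
    {"name": "operator failure, routine procedure", "value": 1e-2,
     "unit": "per demand", "demands_per_year": 50},
    {"name": "crane load drop", "value": 1e-4,
     "unit": "per demand", "demands_per_year": 200},
]


if __name__ == "__main__":
    for row in (normalise_record(r) for r in SAMPLE_RECORDS):
        print(f"{row['name']:<38} {row['per_year']:.4g} per year -> {row['rounded']:.0e}")
```

The per-hour and per-minute records above are chosen to give the same per-year value (0.10512), which both round to 10^-1; the operator-error PFD with 50 opportunities per year becomes 0.5 and rounds to 1 per year, showing why rounding to orders of magnitude should be applied once, after the unit conversion, and not to the raw source value.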

5.4 HAZOP / LOPA program specification

It is decided to assume that HAZOP and LOPA are divided into two sessions, but that they are adapted to each other to enable a better interface. If HAZOP and LOPA are performed by using an integrated software tool, several of the phases in Figure 4.1 may be performed almost automatically, e.g. data gathering and documentation and transformation of data. In addition, the calculation phases are performed more efficiently. The objectives of a HAZOP / LOPA tool are:

• Reduce the time spent on the analysis (typing / rework, data collection, meeting activity, calculations)
• Make it easier to quality check the results, as the calculations / analysis are conducted in real time
• Increase the quality of the analyses

Specifications are vital in order to make a consistent and thorough software program. These include what exactly the program has to do, and what characteristics it needs. The basis for the specification is the objectives given above and the previous section. The specification of the proposed HAZOP / LOPA program is as follows:

• HAZOP worksheet cells equal to cells in the LOPA report, and automatic transformation of data. This applies to:
  – HAZOP consequence = LOPA impact event
  – HAZOP possible causes = LOPA initiating causes
  – HAZOP consequence likelihood = LOPA initiating cause frequency (Note: may need adjustment)
  – HAZOP consequence severity level = Severity level (Note: may need adjustment)
• Calculate results based on data:
  – Intermediate event likelihood
  – Mitigated event likelihood
  – SIL
• Provide a database with risk acceptance criteria
• Interface with additional databases:
  – Initiating cause frequency
  – PFDs of IPLs
• Automatically include risk acceptance criteria in the calculations
• User interface quality assurance:
  – Interactive SIL selection which allows the user to select a SIL by clicking and see the impact on the mitigated event likelihood on the screen
  – Rectify erroneous input from the user
  – Modify input / help to specify the units
  – Reminders / pop-up boxes
• Help function with guidelines describing how to implement LOPA. This should include a flowchart, explanation of terms and examples. The help function database should be searchable.

The planned software platform is a Microsoft Excel workbook in combination with Visual Basic (VB) and macros.

5.5 Illustration of software program

To better illustrate how a program could work, the execution is divided into 5 steps. It is important to emphasize that a real program has not been created, only a model / illustration of how it could work. The illustration is shown in Appendix B. Note that the suggested program is a simple program, with the purpose of describing the underlying solutions. No emphasis is put on sophisticated coding.

Step 1 - HAZOP The cells containing the HAZOP consequences are set equal to the ones that shall contain the impact events. In Excel this could be done either by creating a VB macro which copies the information, or by setting the cell contents equal directly in Excel. The same applies to the possible causes in HAZOP. The risk matrix sheet contains the classification of the HAZOP consequence and impact event severity. The chosen severity level is transferred in the same manner as the HAZOP consequence. To initiate the process of transferring the data, a command button which is constantly visible is placed at the bottom of the LOPA sheet. This is named "Transfer HAZOP data", and when clicked the rows containing the data are transferred or copied. After all the cause and impact event data are transferred, the impact events are screened by severity level. Those impact events that are classified above a certain severity level are colored red, because the initiation of a QRA is suggested. The coding solution is VB in addition to macros. Some impact events are similar, and combining several impact events is relevant. This is not taken into account in this program illustration.


Step 2 - Retrieve initiating cause frequency Next to the command button proposed in Step 1, a command button named "implement initiating cause frequency" is placed. When this is clicked, the user may choose which cell to implement the value in and which value to select in the database sheet. The user may also adjust the numbers. This requires more extensive VB coding. The initiating cause frequency may be given as a PFD. A pop-up box, which appears after the value has been implemented, asks the user to specify additional information if necessary. The number of demands / opportunities per year is such information; this is done to make sure that the correct unit is used. The program adjusts the numbers automatically.

Step 3 - Retrieve IPL PFDs The same method and coding apply to the IPL PFD selection. When all the PFDs are filled in, the IPL cells that contain no numerical value are given the value 1. This can be realized by an IF statement checking whether the cells have a value or not, and entering the necessary values.

Step 4 - Calculation The intermediate event likelihood is calculated directly in Excel by formulas, i.e. 'cell 10' = product('cell 4';'cell 9'). The TMEL is specified in the risk matrix sheet. Corresponding to the severity level selected, the program implements the correct value of the TMEL in the mitigated event likelihood cell in the LOPA sheet. A simple IF statement could do this automatically. A command button called "Calculate SIL" initiates the SIL calculation. The IELs for each initiating cause related to the same impact event are added. A set of IF statements counts how many rows are related to the same impact event and calculates the total IEL for the respective impact event. The value of the total IEL for the impact event is divided by the TMEL value, and the result is the needed SIL. IF statements containing text strings evaluate the results and print a message to the user in the cell, i.e. "SIL 2" or "No SIS necessary". This part of the program requires extensive VB coding. The program has to remember parameters, and use these to calculate the correct columns and implement the results in the correct cells.

Step 5 - SIL selection
It is not certain that the calculated SIL is the one the team wants to employ. A command button named "Change SIL" makes an input box appear when clicked. The user may input the wanted SIL or specify the PFD of the SIS. The mitigated event likelihood is then recalculated, and a pop-up box notifies the user whether this PFD fulfills the TMEL requirement. A screening process based on the calculated SIL is beneficial, as higher SILs may require the initiation of a QRA. The program may color the entire row in a certain color if the SIL is higher than a specified limit.

Comments to the illustrated software program
The illustrated program seems reasonable, as it helps the user to manage data and do the needed calculations. In addition it supports the user during the analysis. The help function mentioned in the specification in Section 5.4 is not treated, but is expected to be a vital part of a program. The illustrated program should be evaluated in more detail, and should be extended from a thought program to a real prototype with more advanced coding and a better user interface. Expert judgment makes up a large part of the analysis, which is difficult to incorporate in a program. A software tool that "learns by doing" is beneficial. An example is a software program that saves and interprets the possible initiating causes of a HAZOP or LOPA analysis. When a new analysis on a similar system is performed, the information from previous studies becomes available to the user. This is an effective way of facilitating the transfer of experience.


Chapter 6

Case study: Applicability of LOPA
The objective of the study is to apply LOPA to a real system, to illustrate and evaluate the LOPA process described in Chapter 4. First the case and the system concerned are described, before the LOPA approach and results are presented and discussed. Finally, comments and remarks are given.

6.1 Case text
It is assumed that a new SIF may have to be implemented, and the LOPA is performed to evaluate whether this is necessary, and what SIL to assign. The evaluated SIF is assumed not to be in place during the analysis. The topside oil/gas/water separator located on the FPSO is defined as the EUC. Overpressure of the topside separator is evaluated in the case, and the source of the pressure build-up is the reservoir. The case combines a subsea and a topside part, and the case schematic in Figure 6.1 describes a typical SPS and topside separator design. Skarv (BP / Aker E&T) and Morvin (Statoil / Aker Subsea) are two projects that have P&IDs built on the same principles as the schematic.

6.2 Introduction to system
The production flows from the well through the X-mas tree (XT), the production choke module and the manifold. From the manifold the flow is led to the riser base and up to the FPSO and the separator in a production riser. The next paragraphs explain the different parts of the system.

FPSO and topside equipment
The flow consists of water, oil and gas, which are segregated in the separator located on the FPSO. The separator has three outlets: two for gas and produced water, and one liquid outlet that goes to the second stage separation process. The topside process control system controls the inlet flow to the separator and consists of a pressure transmitter (PT) and the control valve (CV). The process shutdown valve (PSDV) and pressure safety transmitter (PST) are the only shutdown possibility topside, denoted PSDtopside. When the PST detects high pressure the PSDV closes. The valve is hydraulically or air operated, and a logic solver interprets the signal from the PST. Usually, additional barriers are located in the turret, but for simplicity these are neglected. A mechanical pressure relief device called the production shutdown valve (PSV) is placed on the separator. This is either a spring-loaded device or a pilot operated device that allows gas to go to flare if the pressure exceeds a certain limit. The subsea control unit (SCU) and the hydraulic pump unit (HPU) are located topside on the FPSO. The HPU is basically a pump that supplies hydraulic fluid to the subsea control module (SCM) and the HIPPS control module (HCM), which in turn provide hydraulic pressure to the valve actuators. The SCU includes the logic solver, which interprets the signals from the pressure and temperature transmitters, and two surface power and communications units (SPCU) or circuit breakers. In the umbilical, electronic signals (to and from the SCU), hydraulics (from the HPU) and scale and hydrate (methanol) inhibitors are transported from the FPSO to the production system on the seabed.

Figure 6.1: SPS and separator schematic

Choke module
The production choke valve (PCV) has the objective of throttling the flow to control the temperature and the pressure. The choke module is the process control system located subsea. It is important that the flow from different XTs has the same pressure, to prevent one well from producing into another.

X-mas tree
The XT is an assembly of valves, spools and fittings for the oil well. The down hole safety valve (DHSV) is the valve closest to the reservoir, but it is not used as a shutdown option in case of overpressure. The production master valve (PMV) and the production wing valve (PWV) are the next two valves in the production pipeline, and possible shutdown options. The crossover valve (XOV) is an annulus service line. It can relieve a potential pressure build-up in the annulus by injecting the pressure into the production flow. In addition to the valves described above the XT provides scale inhibitor and / or methanol inhibitor injection lines. Note that these are neglected in the schematic. The XT valves are hydraulically held: the pressure from the fluid column resists a spring force in the valve actuator to keep the valve open. In order to shut the valve the hydraulics are bled off and the spring moves the valve to the closed position. The valve is fail safe because it goes to a safe position (closed) in case of a failure (leakage in the hydraulic system, spring collapse etc.). When closing the valve the hydraulics may either be bled off in the subsea control module (SCM) or to sea. Another possibility is to turn down the pump in the HPU in order to create a pressure drop. The subsea control module (SCM) together with the HPU / SCU constitutes the subsea control system. Note that a process control system (like the choke module) controls the flow, while the subsea control system is used to control the valve operation on the XT. The subsea control system contains hydraulics and accommodates two subsea electronic modules (SEMs), which are the electronic part of the control system. When the PTs used as reference detect high pressure, signals are sent to the SEMs, which transform the signals into a rating. This rating (electronic pulse) is sent to the logic solver in the SCU. If the voting in the logic solver (e.g. 2oo4) decides to initiate a shutdown, initiation signals are sent back to the SEMs. The SEMs control change-over valves that are held electrically. When the logic solver commands a shutdown the valves switch, enabling hydraulics from the actuator to bleed off in an internal loop in the SCM. PSDsubsea is initiated automatically, and either the PMV, or the PWV and the XOV, must be closed. Figure 6.1 shows that the well is isolated by performing at least one of the two shutdown options. Usually, both options are used during a PSDsubsea shutdown. The PT / TT downstream of the PCV are used as reference. If high pressure is experienced at this point the PSD is initiated.

HIPPS
The HIPPS is located in the manifold. The manifold is an arrangement of piping or valves designed to control, distribute and monitor the flow. Several XTs may be mounted directly on the manifold, or be placed as satellite trees. The manifold has inhibitor injection lines and a pipeline inspection gauge (PIG) launcher, to prevent hydrate formation. The objective of the HIPPS is to protect the pipeline from the manifold to the FPSO. The HIPPS valves have their own control system called the HIPPS control module (HCM). This device is similar to the SCM. Note that the HCM is independent of the SCM. HIPPS shutdown is initiated automatically. The two HIPPS valves on the manifold are closed if high pressure is experienced by the PT / TT between the valves or downstream of the valves. Another possibility is that one set of transmitters controls one HIPPS valve and the other set controls the second HIPPS valve.

6.3 LOPA applied on the case study
In this section the LOPA procedure applied to the system is described, with the process in Figure 4.1 used as the approach. The spreadsheet used in the study is presented in Appendix C. The acceptance criteria are as in Table 4.1. The severity level is categorized as CC, which is 1 to 3 fatalities. The screening criteria indicate that the impact event is within the scope of LOPA, and no QRA is initiated at this stage of the analysis.

Experts were involved in the hazard identification study, and all members involved in the LOPA as well as in the previous studies fulfill the requirements regarding competency. The HAZOP performed prior to the LOPA is assumed to be well documented and sufficient, and its data adjusted to fit the LOPA analysis.

Initiating causes
Fluid slug congestion, choke control error due to human error, and choke collapse are the initiating causes identified. Slug congestion is accumulation of fluid / hydrates / scale leading to a blockage and pressure build-up upstream of the blockage point. When this substance yields, the fluid accelerates and creates overpressure in the separator. Choke collapse is most likely a hardware valve failure, e.g. fatigue. Choke control error is erroneous operation of the choke control, where the operator makes the wrong response or fails to act at all. All these initiating causes lead to potential overpressure of the separator. The initiating cause frequencies are found from tables, and the chosen values are shown in Table 6.1.

Table 6.1: Initiating cause frequencies

Initiating cause              Data source                      Frequency
Fluid slug congestion         Expert judgment / Ormen Lange    5 times per year
Choke control, human error    BP / CCPS                        1·10^-1 per opportunity to act
Choke collapse / error        OREDA                            11.3 per 10^6 hours

The frequency of slug congestion differs from field to field, and depends on the composition of the fluid and the field construction. In the Ormen Lange project 5 demands were identified by expert judgment, which is assumed applicable here. The human error (choke control) is assumed to be a routine task. In order to estimate the frequency, the value in the table has to be multiplied by the number of opportunities / demands per year. The choke task is assumed to be executed approximately 20 times per year, giving a resulting frequency of 2 times per year for this initiating cause. The OREDA estimate is given per hour, and assuming 8760 hours per year gives a frequency of 9.9·10^-2 per year.

IPLs - general considerations
In the next section it is described and discussed which protection layers exist, and which of these can be credited as IPLs. The PL criteria are presented, and the definition of IPL clarified, in Section 3.2. The risk reduction and availability requirements are easy to assess. The four characteristics, especially the independence characteristic, are more difficult to prove. The key issue is to clarify what lies in the term independent. Can the IPLs share components, or do they have to be totally redundant? CCPS (2001) states that the independence requirement demands that the IPL be independent of the occurrence and consequence of the initiating event, and of the failure of any component of an IPL already credited. Two approaches (A and B) are suggested, where B allows IPLs to physically share components and A prohibits this configuration. It is assumed that the logic solver will not be the source of failure, which implies that detectors or final elements fail more frequently. If two IPLs share the same sensor(s) or final element(s), neither of the approaches justifies giving credit to more than one IPL. Note that approach A eliminates a larger share of CCFs.

IPLs in the system
The system has the following protection layers:
• Topside PSD (closing PSDV)
• PSV (mechanical relief device)
• HIPPS
• Subsea PSD (closing PMV and / or: PWV and XOV)
• BPCSsubsea (PCV)
• BPCStopside (CV)
BPCS is referred to as process control system in the introduction to the system. When and whether these can be credited as IPLs must be evaluated. The BPCSsubsea, which has the PCV as the actuating item, is not independent when the initiating cause is collapse of this valve. The PCV also shares the same PT and TT as the subsea PSD. These are therefore not independent, and both cannot be credited as IPLs. A question that arises is which system to credit. The most rational choice is to credit the PSD, but this should be evaluated for each initiating cause. The PSV is credited as an IPL. It is independent, as it shares no components with any other protection layer. It is also independent of the initiating causes, and of high reliability. The requirement and credited risk reduction of the PSD functions may vary. The equipment vendor (e.g. the valve manufacturer) must document the performance of the valves in terms of SIL. This is documented in the safety analysis report (SAR), which is included in an overall document called safety analysis specification (SRS). The contractor (e.g. Aker E&T and Aker Subsea) often presents requirements to the equipment vendor which must be verified. In order to save time on documentation the equipment vendor certifies the equipment, which then becomes SIL-certified. Usually the PSD functions are given credit within the interval of SIL 1, which is a PFD between 0.1 and 0.01. The conservative choice, which is often used, is crediting the PSDs as SIL 1. Another option is to use OLF 070, which requires minimum SIL 2 for PSD functions. In the case concerned it is chosen to credit both the topside and the subsea PSD as a SIL 1 risk reduction.

Table 6.2: IPL PFDs

IPL                   Data source             PFD
PSV                   CCPS table              1·10^-2
Topside PSD (PSDV)    BP / Aker Solutions     0.1 (SIL 1)
Subsea PSD            BP / Aker Solutions     0.1 (SIL 1)
BPCSsubsea (PCV)      CCPS table / BP         1·10^-1
BPCStopside (CV)      CCPS table / BP         1·10^-1
HIPPS                 BP / Aker Solutions     5·10^-4 (SIL 3)

The HIPPS and the subsea PSD do have different PTs and actuating items, but they share the same HPU / SCU. The XT and HIPPS valves will go to the safe state if the HPU / SCU fails to provide hydraulic pressure. The only way this unit may cause an error is if the logic solver in the SCU fails in such a way that the system does not initiate shutdown when a shutdown is needed. The issue that arises is how strict the independence requirement should be, and which of the two approaches presented in the previous paragraph to use. Even if they share the logic solver, both lead to risk reduction. On this basis approach B, which is described in the previous section, seems fair to use. It is important to emphasize that a PL can be an IPL for one initiating cause - impact event pair, and not for another. The IPL PFDs are from different data sources, and Table 6.2 shows the selected values.

Occupancy factor and ignition probability
Occupancy and ignition probability are included in the IPL columns in the LOPA worksheet, but they are not by definition considered IPLs. It is assumed that 3 operators do rounds, and that the area is occupied 30 % of the time, leading to an occupancy factor of 0.3. The ignition probability depends on the pressure and the type of fluid. A flammable fluid at high pressure has a higher ignition probability than a less flammable fluid at low pressure. A common classification is: 1 if the fluid is self-igniting, 0.3 if the fluid is easily ignitable and 0.1 if it is a stable fluid. The fluid is a composition of oil, gas and water. This is assumed to be easily ignitable, but not 100 % self-igniting, leading to a chosen ignition probability of 0.5.

Analogy to Section 3.2: Relation between terms
Figure 6.2 is related to the figure in Section 3.2 and shows the initiating causes, process deviation, impact event and PLs based on the case description.

Figure 6.2: Relation between initiating causes, impact event, process deviation and PLs

Initiating cause - impact event pair 1: Choke control human error - overpressure
The operator controlling the PCV has already failed, and the PCV cannot be credited. Another question is whether the topside BPCS can be credited if the operator and the BPCSsubsea fail. The topside BPCS has sensors and actuating items topside, far from the PCV located subsea. It is assumed that even if the operator is involved in the failure of the PCV, the topside BPCS will still function. The credited IPLs are:
• Topside PSD (PSDV)
• PSV (mechanical relief device)
• HIPPS
• Subsea PSD
• BPCStopside (CV)
The formula for calculating the intermediate event likelihood becomes:
Initiating cause frequency · PFD_CV · PFD_HIPPS · PFD_PSDV · PFD_subsea PSD · PFD_PSV · occupancy · ign. prob. = 2 · 0.1 · 5·10^-4 · 0.1 · 0.1 · 1·10^-2 · 0.3 · 0.5 = 1.5·10^-9

Initiating cause - impact event pair 2: PCV collapse - overpressure
When the PCV fails, does this influence the performance of the subsea PSD? If the PCV fails due to an SCU error it is expected that the subsea PSD will not function, as they have this component in common. But it is more likely that the PCV fails due to a valve hardware failure. Another issue is the response time. It is not certain that the PSD is able to prevent a pressure build-up, due to the short distance between the XT valves and the choke module. There are several ways to interpret these issues. It is chosen not to give credit to the subsea PSD, due to the response time. The IPLs given credit are:
• Topside PSD (PSDV)
• PSV (mechanical relief device)
• HIPPS
• BPCStopside (CV)
The formula for calculating the intermediate event likelihood becomes:
Initiating cause frequency · PFD_CV · PFD_HIPPS · PFD_PSDV · PFD_PSV · occupancy · ign. prob. = 9.9·10^-2 · 0.1 · 5·10^-4 · 0.1 · 1·10^-2 · 0.3 · 0.5 = 7.42·10^-10

Initiating cause - impact event pair 3: Slug congestion - overpressure
Which PLs to give credit depends on where the slug congestion occurs. The PLs having actuating items upstream of the blockage point have no function. If the blockage point is upstream of the PSDV and downstream of the riser base, the HIPPS, PCV and PSD will not be able to eliminate the hazard: the fluid column between the blockage point and the valves will still provide pressure even if the valves close. The only way to eliminate the pressure would be some sort of bypass line in the system. Another issue is whether the other protection layers downstream have time to act. In the situation described the BPCStopside (CV) probably does not have time to act. The blockage point considered is upstream of the PSDV and downstream of the riser base, and the only IPLs given credit are:
• Topside PSD (PSDV)
• PSV (mechanical relief device)
The formula for calculating the intermediate event likelihood becomes:
Initiating cause frequency · PFD_PSDV · PFD_PSV · occupancy · ign. prob. = 5 · 0.1 · 1·10^-2 · 0.3 · 0.5 = 7.5·10^-4

Sum up intermediate event likelihood for all pairs
The intermediate event likelihoods for the three initiating cause - impact event pairs are summed. The total intermediate event likelihood is 7.5·10^-4. The third initiating cause - impact event pair is the dominant contributor to the total intermediate event likelihood, and the frequencies associated with the two others have little effect.


Target risk measurement, SIL determination and mitigated event likelihood
Compared to the TMEL, the first two pairs are within the acceptable region, because 1.5·10^-9 and 7.42·10^-10 are both less than 3·10^-5. The total intermediate event likelihood is greater than the total TMEL for the entire scenario leading to the end-consequence (7.5·10^-4 > 3·10^-5). This implies that a SIL must be determined. By using Equation 4.3 the necessary risk reduction corresponding to the needed SIL is calculated:

Necessary risk reduction = 3·10^-5 / 7.5·10^-4 = 4·10^-2

The question is now what SIL to set as the requirement. The necessary risk reduction is between 10^-2 and 10^-1, and a SIL 2 is applicable. A conservative approach is chosen and SIL 2 is set as the requirement. The next question is what PFD value a SIL 2 requirement constitutes, i.e., what requirement to pass on to the SIS vendor. If the SIS vendor provides a system fulfilling SIL 2, but which only gives a risk reduction of 5·10^-2, the system is not safe enough. To solve this potential issue an additional PFD requirement is set to 1·10^-2. The final requirement is SIL 2, where the new safety system must have a specific PFD ≤ 1·10^-2. The chosen PFD requirement is entered in the worksheet, and the mitigated event likelihood is calculated. All values are within the requirements, and the analysis is finalized.
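The worksheet calculation above, together with Step 4 and Step 5 of the illustrated program in Section 5.5, carried out in Python as an added example; it is not the thesis's spreadsheet or code. The case rows from Tables 6.1 and 6.2 are embedded as constructed input, the IEC 61508 low-demand PFD bands are assumed for the SIL lookup, and the function and variable names are my own.

```python
"""LOPA worksheet calculation for the Chapter 6 case study.

Added example, not the thesis's own spreadsheet or code. Input values come
from Tables 6.1 and 6.2 and the text; the SIL bands are the IEC 61508
low-demand PFD bands; TMEL is the 3e-5 per year used in the case.
"""
from dataclasses import dataclass
from math import prod

# IEC 61508 low-demand bands: SIL -> (lower, upper), with lower <= PFD < upper.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}
TMEL = 3e-5  # target mitigated event likelihood for severity CC in the case


def frequency_per_year(value, unit, demands_per_year=None):
    """Unit adjustment of Step 2: bring a database value to demands per year."""
    if unit == "per year":
        return value
    if unit == "per opportunity":   # human error PFD x number of tasks per year
        return value * demands_per_year
    if unit == "per 1e6 hours":     # OREDA rate, assuming 8760 hours per year
        return value * 8760 / 1e6
    raise ValueError(f"unknown unit {unit!r}")


@dataclass
class Pair:
    """One initiating cause - impact event pair, i.e. one row of the LOPA worksheet."""
    initiating_cause: str
    frequency: float         # initiating cause frequency, per year
    ipl_pfds: dict           # credited IPL -> PFD; PLs not credited are left out
    occupancy: float = 1.0   # conditional modifiers; 1.0 means no credit taken
    ignition: float = 1.0

    def iel(self):
        """Intermediate event likelihood: f_IC * prod(PFD_IPL) * occupancy * P(ignition)."""
        return self.frequency * prod(self.ipl_pfds.values()) * self.occupancy * self.ignition


def total_iel(pairs):
    """Step 4: IELs of all pairs leading to the same impact event are added."""
    return sum(p.iel() for p in pairs)


def necessary_risk_reduction(total, tmel):
    """Equation 4.3: the PFD the new SIF must provide so that the TMEL is met."""
    return tmel / total


def sil_for_pfd(pfd):
    """The IEC band a PFD falls in (4e-2 falls in SIL 1), or None outside the bands."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def conservative_sil(required_pfd):
    """Lowest SIL whose whole band meets the requirement (band upper limit <= required PFD).

    This is the conservative choice made in the case: a required 4e-2 lies inside
    the SIL 1 band, but only SIL 2 guarantees that any compliant SIS is good enough.
    """
    for sil in sorted(SIL_BANDS):
        if SIL_BANDS[sil][1] <= required_pfd:
            return sil
    return None   # no single SIL band guarantees it; the screening step would call for a QRA


def sil_message(total, tmel):
    """The text the worksheet cell shows, as in Step 4 of the illustrated program."""
    if total <= tmel:
        return "No SIS necessary"
    sil = conservative_sil(necessary_risk_reduction(total, tmel))
    return f"SIL {sil}" if sil else "Beyond SIL 4: QRA required"


def mitigated_event_likelihood(total, sif_pfd):
    """Step 5: re-check the TMEL with the PFD actually demanded from the SIS vendor."""
    return total * sif_pfd


# Worksheet rows of the case (Tables 6.1 and 6.2, occupancy 0.3, ignition 0.5).
CASE_PAIRS = [
    Pair("Choke control, human error", frequency_per_year(1e-1, "per opportunity", 20),
         {"BPCS topside (CV)": 1e-1, "HIPPS": 5e-4, "Topside PSD (PSDV)": 0.1,
          "Subsea PSD": 0.1, "PSV": 1e-2}, occupancy=0.3, ignition=0.5),
    Pair("PCV collapse", frequency_per_year(11.3, "per 1e6 hours"),
         {"BPCS topside (CV)": 1e-1, "HIPPS": 5e-4, "Topside PSD (PSDV)": 0.1,
          "PSV": 1e-2}, occupancy=0.3, ignition=0.5),   # subsea PSD not credited (response time)
    Pair("Fluid slug congestion", 5.0,
         {"Topside PSD (PSDV)": 0.1, "PSV": 1e-2}, occupancy=0.3, ignition=0.5),
]

if __name__ == "__main__":
    for p in CASE_PAIRS:
        print(f"{p.initiating_cause:28s} IEL = {p.iel():.3g} per year")
    total = total_iel(CASE_PAIRS)
    print(f"total IEL = {total:.3g}, necessary risk reduction = "
          f"{necessary_risk_reduction(total, TMEL):.3g} -> {sil_message(total, TMEL)}")
    for pfd in (5e-2, 1e-2):   # the two vendor PFDs discussed in the text
        mel = mitigated_event_likelihood(total, pfd)
        print(f"SIS PFD {pfd:g}: mitigated event likelihood {mel:.3g} -> "
              f"{'meets' if mel <= TMEL else 'fails'} TMEL")
```

Running it reproduces the three IELs, the 4·10^-2 necessary risk reduction and the SIL 2 message, and shows why a SIS with PFD 5·10^-2 would not meet the TMEL while one with PFD 1·10^-2 does.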

6.4 Comments to the result
The LOPA identified that a SIS performing a new SIF had to be introduced, and assigned a SIL to this function. It might be that improvements could have been made to the existing system, e.g. improving the risk reduction provided by the existing IPLs. Another approach could have been to make some of the PLs not credited as IPLs more independent. Introducing a new SIF could then have been avoided. The PSDs were credited as SIL 1 risk reduction. If they had been credited as SIL 2, the final determined SIL of the new SIF would have been SIL 1. It is debatable whether the topside BPCS should have been included at all; it is not included on the separator in the Skarv project. Its contribution to the final LOPA result is negligible, because the specific intermediate event likelihood where the topside BPCS is credited as an IPL is well below the TMEL.


6.5 Implications during the case
In this section implications encountered during the case are discussed. This throws light on the shortfalls of the preferred approach presented in Chapter 4 and illustrated in Figure 4.1, and on LOPA in general. Most of the phases in Figure 4.1 were easy to apply, but some implications were encountered during the analysis. The initiating cause frequency of the slug congestion was not possible to find from the tables. Expert judgment was necessary, which emphasizes the need for a database and exchange of experience as discussed in Section 5.5. Whether the IPLs were independent or not was a considerable issue during the case. This reached deep into the valve control system, and an extensive system understanding seems necessary. The independence requirement is also hard to interpret, because it is difficult to know how strictly the requirement should be followed. Exchange of experience and more guidelines are needed in order to make this part of the analysis easier. What value to use as ignition probability was not intuitive, and a classification and guideline should have been included in the approach in Chapter 4. LOPA requires knowledge, and the team composition is important in getting a satisfactory result. When the necessary risk reduction was calculated, some effort was required to evaluate the result. This could have led to problems, and knowledge of the process, of how LOPA works and of the laws of probability are essential. During the analysis an error was made when converting failure data from OREDA. This was corrected, but the incident underlines the importance of quality assurance and of the transformation process in an eventual software tool, as mentioned in Section 5.5. The overall impression is that the preferred approach in Chapter 4 is clear and applicable. Linking it with a software tool as described in Section 5.5 makes the LOPA procedure more efficient as well as providing useful features.
Process experience, understanding of LOPA and knowledge of general reliability and probability are success factors in making LOPA efficient and robust.


Chapter 7

Conclusions and recommendations for further work
Both qualitative and quantitative SIL determination methods and tools may be applied during phase four in the IEC safety life cycle (Figure 1.1). The quantitative method in IEC 61508, the OLF 070 guideline, the risk matrix, the safety layer matrix, the risk graph and the calibrated risk graph are SIL determination methods that have been described in addition to LOPA. In qualitative methods the parameters used as decision basis are subjective and estimated by expert judgment. Quantitative methods describe the risk by calculations, and a numerical target value is compared with the result. Which method to apply depends primarily on whether the necessary risk reduction is specified numerically or qualitatively. The scope and extent of the analysis is also an influencing factor. Even if the assignment method is qualitative, the SIL is always quantified by a number. The main objective of this thesis has been to gain knowledge of SIL determination tools, with LOPA as the main focus. This has been accomplished, and the sub-objectives of the report are listed below, with the coverage and findings concerning each objective discussed.

• Literature survey and different approaches to LOPA found in the literature. A literature survey has been carried out and different methodologies and approaches in the literature have been presented and discussed. In particular, the IEC 61511 approach, the Aker E&T approach and the approach in CCPS (2001) have been covered. The guideline in BP (2006) seems reasonable and should have been covered to a greater extent. Most methodologies and approaches have a similar basis, but use different terms and a different sequence. Another distinction is how the SIL is incorporated and evaluated. The process design can be evaluated "as is", or with a new protection layer (e.g. a SIF) implemented in the evaluation. Some authors also use screening tools, i.e. risk graph, prior to, or embedded in, the LOPA process. Compared to the approaches discussed in Section 3.5, the Aker E&T LOPA approach is an overall methodology that does not take the proposed SIF implicitly into account. Often the customer's methodology (e.g. Statoil or BP) also forms the basis for the analysis. ISO 10418 (2003) helps the design team to implement safety functions in the P&IDs for the system concerned, and after all hazard identification is finished the LOPA is initiated. The further approach is similar to the approach presented in IEC 61511 (2003).

• Recommended LOPA approach. A stepwise preferred (recommended) approach has been developed and each step described. The approach is clear, and all basic concepts are clarified. In the case study in Chapter 6 the need for more guidelines on how to credit IPLs has been identified, and this part needs to be improved. The preferred approach is an overall approach considering the planned / existing system without the proposed SIF. Several screening tools exist, but it is chosen to screen by consequence and SIL only. Conducting a risk graph analysis and then initiating a LOPA causes extra work and increased engineering cost. The approach is shown in Figure 4.1.

• Interfaces between LOPA and other risk analysis methods. Interfaces between LOPA and HAZOP have been identified, but other risk analysis methods have not been covered. Information in columns such as consequence and possible causes in the HAZOP worksheet can be transferred directly to the LOPA worksheet. Information in the other columns may require transformation. This includes IPL PFD data and initiating cause frequency. The thoughts behind a software tool transferring, facilitating and adjusting data have been presented. This includes a program specification and a simple illustration of a thought software program. The illustrated software program is based on automatic data transformation from HAZOP, IPL PFD and initiating cause frequency databases, and a risk matrix including the acceptance criteria. Linking all these aspects with a LOPA worksheet gives the outline of the program. The illustrated program shown in Annex B seems reasonable, but should be evaluated in more detail. Expert judgment makes up a large part of the analysis, and a program that "learns by doing" is beneficial. An example is a program that has a database of previous analyses, which provides previous information when a new analysis is performed, e.g. possible initiating causes of a specific type of valve.

• Discuss pros and cons related to LOPA. Advantages and disadvantages of LOPA, and especially the limitations of LOPA, have not been covered.

• Discussion of the IPL concept and the applicability of LOPA in cases where the independence is violated. IPL has been defined, exemplified and discussed. In the case study the IPL concept has been applied to a practical system. CCFs have not been covered to a great extent, which should have been the case. IPL is defined as: Protection layer that is capable of preventing the process deviation from proceeding to the end-consequence regardless of other protection layers associated with the same impact event - initiating cause pair, and of the initiating event. It must lead to a risk reduction factor of at least 10, and fulfill the specificity, independence, dependability and auditability criteria. The definition is clear, but it is still uncertain how to apply the concept of IPL in practice.

• Compare the applicability of LOPA in determining SIL, and compare LOPA with alternative approaches (incl. risk graphs). If possible, this evaluation should be rooted in a practical case study. The preferred approach, based on the literature study, has been applied to a combined system based on real systems by Aker Subsea and Aker E&T. The preferred approach was easy to use, but as mentioned the IPL concept was difficult to apply. Where to draw the line between a component being independent or not was the key issue throughout the case study. The case concluded that process understanding and knowledge of basic reliability concepts are important.

This thesis may give some readers a clearer understanding of LOPA. The sections explaining and clarifying terms, and the IPL discussion in the case study, may be a contribution to the LOPA discussion. Still, many of the issues need to be clarified, and further work is recommended. Specific recommendations for further work are:

• More in-depth analyses of CCFs and IPLs.
  – What is the effect of not considering CCFs?
  – Guideline describing the concept of IPL for different systems, with an extended definition of IPL.
• HAZOP integration software tool prototype that includes advanced functions incorporating expert judgment and previous analyses.
• Combined framework of LOPA and HAZOP including a common terminology and worksheet.
• Extend the development of the preferred approach.
  – Include risk acceptance criteria development.
  – Comparison with the approach in BP (2006).


Bibliography ACM Facility safety (2004). HAZOP / SIL analysis item and cost comparison - Traditional way vs. integrated SILCore approach. Advertorial, Safety Users Group. Retrieved on 03.04.08 from internet address: http://www. safetyusersgroup.com/documents/AD040001/EN/AD040001.pdf. ACM Facility Safety (2006). SIL Determination Techniques Report. "White Paper". Retrieved on 30.02.08 from internet address: http://www.iceweb.com.au/ sis/ACMWhite-PaperSILDeterminationTechniquesReportA4.pdf. Baybutt, P. (2007). An improved Risk Graph Approach for Determination of Safety Integrity Levels (SILs). Process Safety Progress, 26:66–76. Bingham, K. and Goteti, P. (2004). ISA (The Instrumentation, Systems, and Automation Society) 2004. In Integrating HAZOP and SIL / LOPA analysis: Best practice recommendations. BP (2006). Guidance on Practices for Layer of Protection Analysis (LOPA). British Petroleum procedure: Engineering Technical Practice (ETP) GP 48-03, 1st edition. CCPS (2001). Layer of protection analysis - simplified process risk assessment. American Institute of Chemical Engineers (AIChE), Centre for Chemical Process Safety (CCPS). 3 Park Avenue, New York. Dowell, A. (1998). Layer of protection analysis for determining safety integrity level. ISA Transactions, 37:155–165. Dowell, A. and Williams, T. (2005). Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data. Process Safety Progress, 24:38–44. Ellis, G. and Wharton, M. (2006). Symposium Series No. 151, IChemE. In Practical experience in determining safety integrity levels for safety instrumented systems. Gowland, R. (2006). The accidental risk assessment methodology for industries (ARAMIS) / layer of protection analysis (LOPA) methodology: A step forward towards convergent practices in risk assessment? Journal of Hazardous Materials, 130:307–310. 63

Harsem Lund, K. (2007). Alternative måter for SIL fastsettelse - en sammenligning (LOPA, Risk graf, OLF 070) [Alternative methods for SIL determination - a comparison (LOPA, risk graph, OLF 070)]. In PDS forum, Trondheim. Scandpower, Kjeller.
IEC 60300-3-9 (1995). Dependability management - Part 3: Application guide - Section 9: Risk analysis of technological systems. International Electrotechnical Commission, Geneva.
IEC 61508 (2003). Functional safety of electrical/electronic/programmable electronic safety-related systems. International Electrotechnical Commission, Geneva.
IEC 61511 (1998-2003). Functional safety - safety instrumented systems for the process industry sector. International Electrotechnical Commission, Geneva.
ISO 10418 (2003). Petroleum and natural gas industries - offshore installations - Basic surface process safety systems. International Organization for Standardization, Geneva.
Marszal, E. and Scharpf, E. (2002). Safety Integrity Level Selection - Systematic Methods Including Layer of Protection Analysis. The Instrumentation, Systems, and Automation Society (ISA), Research Triangle Park, NC.
Nordhagen, L. (2007). Bruk av LOPA ved fastsettelse av IL krav [Use of LOPA in determining IL requirements], Aker Kværner Engineering & Technology. In PDS forum, Trondheim.
NORSOK Z-013 (2001). Risk and emergency preparedness analysis. Norwegian Technology Centre, Oslo.
OLF 070 (2004). Application of IEC 61508 and IEC 61511 in the Norwegian petroleum industry. OLF.
Rausand, M. (2004). Reliability of safety systems (Slides). Retrieved on 28.02.08 from internet address: http://frigg.ivt.ntnu.no/ross/slides/chapt10.pdf.
Rausand, M. (2005). HAZOP - Hazard and Operability Study (Slides). Retrieved on 28.02.08 from internet address: http://frigg.ivt.ntnu.no/ross/slides/hazop.pdf.
Rausand, M. and Høyland, A. (2004). System Reliability Theory: Models, Statistical Methods, and Applications. 2nd edition. John Wiley & Sons, Hoboken, NJ.
Schönbeck, M. (2007). Introduction to reliability of safety systems. ROSS (NTNU) report 200702, Technical report, NTNU, Trondheim.
Sklet, S. (2006). Safety Barriers on Oil and Gas Platforms. PhD thesis 2006:3, NTNU.


Summers, A. (2003). Introduction to layers of protection analysis. Journal of Hazardous Materials, 104:163–168.
The Dow Chemical Company (2002). Introducing Dow Application of Layer of Protection Analysis - LOPA.


Appendix A

Basic concepts

Impact event: The first sign of harm to people, environment or assets.
Independent protection layer: Protection layer that is capable of preventing a process deviation from proceeding to the end consequence, regardless of other protection layers associated with the same impact event - initiating cause pair, and of the initiating event.
Initiating cause: Direct reasons why the process deviation occurs, not the most basic underlying root causes.
Intermediate event likelihood: The intermediate event is the occurrence of the end consequence with the existing / planned protection layers in place, but without the SIF under consideration. The intermediate event likelihood is the frequency per year of the occurrence of this event.
Mitigated event likelihood: The mitigated event is the occurrence of the end consequence with all protection layers in place, including the proposed SIF. The mitigated event likelihood is the frequency per year of the occurrence of this event.
Process deviation: The first significant deviation from a normal situation that may lead to unwanted consequences.
Protection layer: Device, system or action that is capable of preventing a process deviation from proceeding to the end consequence.
Scenario: The development from a process deviation to an impact event, including the causes leading to the process deviation.
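A worked LOPA worksheet calculation of the intermediate and mitigated event likelihoods defined above, and of the SIF PFD and SIL that follow from a target frequency; this is an added illustration, not code from the thesis or its software prototype. The SIL bands are the IEC 61508 low-demand PFDavg bands, and the scenario frequencies, PFDs and target in the test are constructed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# IEC 61508 low-demand PFDavg bands as (SIL, lower bound, upper bound).
# Standard values; the band table is not taken from the glossary above.
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass
class Scenario:
    """One impact event / initiating cause pair, in the glossary's terms."""
    initiating_cause: str
    initiating_frequency: float                          # demands per year
    ipl_pfds: List[float] = field(default_factory=list)  # existing IPLs, SIF excluded
    target_frequency: float = 1e-5                       # tolerable mitigated event likelihood per year


def intermediate_event_likelihood(s: Scenario) -> float:
    """End consequence frequency with existing/planned IPLs in place but without the SIF."""
    f = s.initiating_frequency
    for pfd in s.ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD out of range: {pfd}")
        f *= pfd
    return f


def required_sif_pfd(s: Scenario) -> Optional[float]:
    """PFD the proposed SIF must deliver for the mitigated event likelihood to meet the target.
    Returns None when the existing IPLs already meet the target, i.e. no SIF is needed."""
    f_int = intermediate_event_likelihood(s)
    if f_int <= s.target_frequency:
        return None
    return s.target_frequency / f_int


def sil_for_pfd(pfd: float) -> int:
    """Map a required PFD to a SIL; 0 means below SIL 1 (no SIL requirement).
    A PFD below the SIL 4 band cannot be met by one SIF, so the scenario needs redesign."""
    if pfd < SIL_BANDS[0][1]:
        raise ValueError(f"required PFD {pfd:.2e} is beyond SIL 4; add IPLs or redesign")
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def mitigated_event_likelihood(s: Scenario, sif_pfd: float) -> float:
    """End consequence frequency with all layers in place, including the proposed SIF."""
    return intermediate_event_likelihood(s) * sif_pfd
```

The PFD checks matter in practice: a PFD of 0 or above 1 in a worksheet cell silently produces a meaningless SIL, and a required PFD below the SIL 4 band signals that the scenario, not the SIF, must change.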


Appendix B

Software schematic

Legend:
Black circles - User input
Blue circles - Data cell
Red circles - Calculation cell (output cell)
Blue lines - Data path (blue or black circle to red circle)
Pale yellow box - Button
Yellow box - Clicked button


Figure B.1: Step 1


Figure B.2: Step 2


Figure B.3: Step 3


Figure B.4: Step 4


Figure B.5: Step 5


Appendix C

Case study: Worksheet


Figure C.1: LOPA worksheet: Case study

