Applicability of Layer of Protection Analysis to determine Safety Integrity Levels in the Process Industry
Stud. techn. Anniken Reusch Berg Department of Production and Quality Engineering, Norwegian University of Science and Technology, Norway
@I\TI\TJ
1of2 Date
Our reference
2007-09-13
MAR/LMS
Facultyof Engineering Scienceand Technology Department of Production andQualityEngineering
MASTER THESIS Autumn2007 for stud. techn. Anniken ReuschBerg
DETERMINATION OF SAFETYINTEGRITY LEVEL BY LAYER OF PROTECTTONANALYSTS(LOPA) (Bestemmelse av SIL-nivi ved LoPA-analyse) Various approacheshave been suggestedto determine the appropriate safety integrity level (SL) for safety instrumentedfunctions (SIFs). Some of these approachesare indicated in the internationalstandardsIEC 61508 and IEC 6l5l I and also in the applicationguideOLF 070 for the Norwegianoil and gas industry. The main objectiveof this masterthesisis to study the applicability of the semi-quantitativeapproachLayer of protection analysis (LOPA). LOPA is briefly describedand recommendedin IEC 61511 and in guides from the Centerfor ChemicalProcessSafetvof the AmericanInstituteof ChemicalEnsineers. As part of this thesis,the candidateshall: L
ldentify, become familiar with - and give a brief description of available approachesfor determinationof appropriateSll--levels, Pros and cons related to the various approachesshall briefly be highlighted.
2. Give a detailedpresentationof the LOPA approachand illustrateits usethroughsimpleexamples. 3. Carry out a case study on Petrojarl Varg and analyzethis caseby LOPA and selectedalternative methods.Comparethe resultsfrom the variousmethodsand discusspossibledeviations. 4. Identify and discusspracticaladvantagesand disadvantages by using LOPA. 5. Give recommendations to which approachis most applicablefor determinationof the Sll--level in selectedapplicationareas. Following agreementwith the supervisors,the variousitemsmay be given different weights. Within three weeks after the date of the task handout, a pre-study report shall be-prepared. The report shall cover the following: o o
An analysis of the work task's content with specific emphasisof the areaswhere new knowledge hasto be gained. A description of the work packagesthat shall be performed. This description shall lead to a clear definition of the scopeand extent of the total task to be performed.
2of2 Date
r
Our reference
2007-09-13 MAR/LMS
MasterThesisSpring 2007tor stud. techn.AnnikenReuschBerg
A time schedulefor the project. The plan shall comprisea Gantt diagram with specification of the individual work packages, their scheduled start and end dates and a specification of project milestones.
The pre-study report is a part of the total task reporting. It shall be included in the final report. Progress reports made during the project period shall also be included in the final report. The report should be edited as a research report with a sufltmary, table of contents, conclusion, list of reference, list ofliterature etc. The text should be clear and concise, and include the necessaryreferencesto figures, tables, and diagrams. It is also important that exact referencesare given to any external sourceused in the text. Equipment and software developed during the project is a part of the fulf,rlment of the task. Unless outside partiis have exclusive property rights or the equipment is physically non-moveable,it should be handed in ilong with the final report. Suitable documentationfor the correct use of such material is also required as part of the final report. The studentmust cover travel expenses,telecommunication,and copying unlessotherwiseagreed. If the candidateencountersunforeseendifficulties in the work, and if thesedifficulties warrant a reformulation of the task, theseproblems should immediately be addressedto the Department. Two bound copies of the final report and one electronic version are required. Responsibleprofessor:
Marvin Rausand Telephone:73 5925 42 E-mail:
[email protected]
Supervisor at SafetecNordic AS Sluppenvegenl2B. 7037 Trondheim
Atle Westby Telephone:982 59 588 E-mail:
[email protected]
DEPARTMENT OF PRODUCTION AND QUALITY ENGINEERING T) f tr //i
Y,/ WAUL% PerSchjOlbdrg
J AssociateProfessor/lleadof Department
.r'
hr'atw*, FAKiJI,'TET FOI{ IN GEN IORV I'f I1NS:'"A I) OG TEKNOI,f)GI MAS'f ER()l'l){l1\\'/Ir\j
Utlevert I r r n l c . u ' c r escn s rl l 1
Eaurt.""/
MarvinRausand Professor Responsible
I I
, 0-5'q- Ld121 1 q .d .
L d ef
I
NTNU Norgesteknisk-naturvitenskapelige universitet Fakultetfor ingeniorvitenskap og teknologi Linjen for produktutvikling og produlsjon erklarins
MASTEROPPGAVE Hdstsemesteret200T
yg Stud.techn. ....Annikgn...Rzussh......8e
?rotectiort
PP
lntegci:{,y
ERKL.ItrRING
Jeg erklrererhervedpfl are og samvittighet at jeg har utfort ovennevntemasteroppgaveselv og uten noensom helstulovlig hjelp.
- 2006 )nla
De innleverte besvarelsermed bilag blir i henhold til reglement for sivilarkitekt- og sivilingeniorstudiets $ 3.5.5 universitetetseiendom, og kan av universitetet fritt benyttes til undervisnings- og forskningsformil. Arbeidene kan ikke nyttes til andre formAl, f.eks. 0konomiske, uten etteravtalemellom universitetetos vedkommendestudent.
Preface This Master Thesis was written during the autumn semester 2007 at the Norwegian University of Science and Technology, NTNU, and is considered the finalization of the studies. The Master Thesis is performed in co-operation with Safetec Nordic AS. The main objective of this thesis was to study the Layer of Protection Analysis (LOPA) regarding its ability to determine appropriate Safety Integrity Levels (SIL) for the offshore and petroleum industry. Further, to briefly describe some alternative methods mentioned in the international standards IEC 61508 and IEC 61511. As a part of this thesis a practical case has been executed at Petrojarl Varg using the LOPA method to analyze and determine acceptable SIL requirements. The results are compared to the minimum requirements in OLF Guideline-070. It is assumed that the readers of this report have basic knowledge in risk analysis. I would like to thank my supervisor Atle Vestby at Safetec Nordic AS for his assistance during the preparation of this paper. Also thanks to my supervisor Professor Marvin Rausand at NTNU for sharing his knowledge and for constructive and patient supervision throughout the course of this work. I would also like to thank Teekay Petrojarl for allowing me to execute a case using LOPA at Petrojarl Varg and taking the time to participate in the analysis. Special thanks are also due to Linn Nordhagen at Aker Kværner who helpfully answered my questions and gave me guidance during the preparation of this paper.
Anniken Reusch Berg Trondheim February, 2007
i
Summary All businesses and projects are subject to risk. The key to success lies in how one manages risks and what protective measures are taken to minimize the likelihood and the consequences of undesirable events. In the process industry, failure or malfunction of process plants, machinery and other equipment present risk to people, the environment and assets. In response to the increasing severity and number of industrial accidents, international standards, like IEC 61508 and IEC 61511, have forced the industry to seek instrumental solutions that will improve the safety of industrial processes. IEC 61508 is a generic standard that applies to all electrical, electronic and programmable electronic (E/E/PE) technologies, irrespective of their application. IEC 61511 defines the functional safety requirements established by IEC 61508 in the process industry sector terminology. In the Norwegian oil and gas industry the OLF Guideline-070 has become prominent. The overall goal to ensure that plants and equipment can be safely operated. The standards present approaches to determine the necessity of implementing additional equipment and defining the functional requirements of these. The standards employ the concept of safety integrity levels (SIL) which is defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction. The establishment of SIL is a requirement in IEC 61508, and it is, therefore, necessary to have a methodology that provides consistent auditable results. The difficulty is that there is a considerable number of methods for the SIL determination while the information regarding which method to use and for which case, is limited. A relatively new method for determining appropriate SIL is Layer of Protection Analysis (LOPA), proposed in IEC 61511. It is a semi-quantitative method used to ensure that process risk is reduced to an acceptable level. Individual hazard scenarios defined by causeconsequence pairs are analyzed. Scenario risk is determined by combining scenario frequency and consequence severity. Individual protection layers (IPL) are analyzed for their effectiveness. The combined effects of the protection layers are then compared to risk tolerance criteria to determine if additional risk reduction is necessary to reach an acceptable level. A case study has been performed to examine the applicability of LOPA to determine appropriate SIL and to compare the results with the minimum SIL requirements that is given in the OLF guideline. The case study revealed that it can be difficult to obtain consistent results with the use of LOPA. Different users can come up with different SIL for the same function depending on the experience-data established by the team participants. That is why repeatability is an important factor with the use of LOPA. Each company should strive to provide an internal guidance document so that all sites will be consistent in their application of LOPA initiating cause frequencies. The OLF guideline also tends to give stricter SIL requirements than LOPA, which again may lead to higher frequency testing and, more often, place people in the hazardous zones. Another problem with the minimum SIL table in OLF is that it opens the possibility for shortcuts, e.g., no performed evaluation in advance. This may cause the final product being less reliable than necessary. ii
Semi-quantitative methods are favoured by industries for their less mathematical modelling. Because of its simplicity and quicker risk assessment approach, LOPA is destined to become a widely used technique. LOPA has already been widely adopted over the past years. This is mainly because it allows a more detailed consideration of a specific situation and its safeguards than many other methods.
iii
Table of contents Preface ........................................................................................................................................ i Summary ................................................................................................................................... ii Table of contents...................................................................................................................... iv Abstract ..................................................................................................................................... 1 1 Introduction ........................................................................................................................... 2 2 Approaches to the determination of SIL............................................................................. 3 2.1 A qualitative method – The Safety Layer Matrix ............................................................ 4 2.2 A semi-quantitative method - Risk Graph........................................................................ 5 2.3 A quantitative method- Fault tree Analysis (FTA) .......................................................... 6 2.4 Layer of Protection Analysis (LOPA).............................................................................. 7 3 Layer of Protection Analysis (LOPA) approach ................................................................ 8 3.1 Introduction ...................................................................................................................... 8 3.2 The LOPA process ......................................................................................................... 10 4 Case study ............................................................................................................................ 15 4.1 System analyzed............................................................................................................. 15 4.2 Application of LOPA ..................................................................................................... 16 4.3 Application of the OLF Guideline 070 .......................................................................... 18 4.4 Discussion ...................................................................................................................... 19 5 Evaluation of LOPA............................................................................................................ 19 5.1 Benefits of using LOPA ................................................................................................. 19 5.2 Limitations of using LOPA ............................................................................................ 20 5.3 Recommendations .......................................................................................................... 21 6 Conclusions and further work ........................................................................................... 22 7 Acknowlegement.................................................................................................................. 23 8 References ............................................................................................................................ 24 Appendixes.............................................................................................................................. 27 Appendix A: LOPA presentation Appendix B: P&ID for Petrojarl Varg Appendix C: LOPA data Appendix D: Preparatory Study Report Appendix E: Progress report
iv
Applicability of Layer of Protection Analysis to determine Safety Integrity Levels in the Process Industry Stud. Techn. Anniken Reusch Berg Department of Production and Quality Engineering, Norwegian University of Science and Technology, S. P. Andersens v. 5, NO 7491 Trondheim, Norway
Abstract
Tools such as Layer of Protection Analysis (LOPA) can be used to improve the understanding and managing of risks related to process safety. LOPA is a relatively new semi-quantitative method used to ensure that process risk is successfully reduced to an acceptable level. This article presents and discusses the applicability of the LOPA method in determining appropriate Safety Integrity Levels (SIL) for the process industry. The global importance of SIL has grown considerably over the last decade. The various methods available for determining acceptable SIL have a tendency to yield different answers. Up till today, limited guidance on which method to use and for what case has been given. This article briefly describes some of the methods available for SIL determination, but with main focus on the LOPA method. LOPA is considered an effective tool for SIL assignment and allocates risk reduction resources efficiently. Keywords: Layer of Protection Analysis (LOPA), protection layers, Safety Integrity Level (SIL), Safety Instrumented Systems (SIS), OLF guidelines-070
1
1 Introduction In today’s industry there is a constant struggle to improve performance and profitability while maintaining and improving safety. The process industry is required to provide for and maintain a safe working environment for its employees. Providing safety is being done through safe design and various safeguards, such as instrumented systems, procedures and training of personnel. At processing plants in both land-based and offshore industry safety instrumented systems (SIS) are often used to keep the risk within acceptable limits. The quality of the instrumented solution is directly vital for the risk reduction obtained. The safety of a plant, its employees and its surroundings depends on the ability of the plant to quickly shut down or shift to a safe state should an abnormality occur. The reliability is dependent on the integrity of its sensors. Learning the details of our industrial processes is important in improving safety; not only by adding safeguards, but by eliminating hazards. Risk assessment can be used as an effective tool in fully understanding the entire process. There are a number of resources available today to inform about the need, importance, and methodology for risk assessments. Regardless of which of the many methodologies we choose, resources are available to us to perform comprehensive risk assessments. In fact, choosing the method may now be the biggest decision we have to make when we set about to do a risk assessment. Major accidents around the world have raised awareness and the desire to design safety systems in such a way as to prevent dangerous failures or to control them when they arise. To what extent, however, can a process be expected to perform safely? And, if in the presence of failure, to what extent can the process be expected to fail safely? These questions are answered through the performance of a Safety Integrity Level (SIL) analysis [16]. A SIL is a measure of safety system performance, in terms of Probability of Failure on Demand (PFD). SIL is a way of indicating the tolerable failure rate of a particular safety function. The worldwide importance of SIL has, during the last decade, grown noticeably in the oil/gas, petrochemical and other process industries. The objective of SIL allocation is to allocate the safety functions contained in the overall safety requirements. This applies to both the safety function requirements and the safety integrity requirements to the safety related systems. Using SILs allows the rare but possible safety system failures to be taken into consideration, in addition to those existing in the operational system. The SIL has to be allocated for each safety function. The international standards IEC 61508 [5] and IEC 61511 [6] give life cycle requirements to the Safety Instrumented Systems (SIS), and use SIL as a measure of the reliability for the SIS. Safety integrity is defined by IEC 61508 as “the probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a specific period of time” .IEC 61508 is a generic standard, while IEC 61511 is guidance for implementation of IEC 61508 in the process sector. Both IEC 61508-5 and IEC 61511-3 contain several risk based methods for establishing SILs. The Norwegian Oil Industry Association (OLF) has developed an application guideline OLF070 [6] to support the use of IEC 61508 / 61511. While IEC 61508 describes a fully riskbased allocation of SIL, the OLF-070 introduces minimum SIL requirements for the most common instrumented safety functions on a petroleum production station. The requirements are based on experience, with a design practice that has resulted in a safety level considered 2
adequate. OLF-070 is meant to be a standardisation for the industry and to avoid a great consumption of time in determining the requirements. There is a problem that the number of methods available for SIL determination is considerable while the description of which method to use and for what case is limited [20]. Experience has shown that the different techniques can yield significantly different answers. The qualitative techniques can result in overly pessimistic answers (e.g., falsely high integrity level requirements). More quantitative techniques can provide significantly lower requirements. The process sector recommends Layers of Protection Analysis (LOPA) as an alternative approach to risk reduction proposed in IEC 61511. LOPA has, during the last ten years, emerged as a simplified form of Quantitative Risk Assessment (QRA) and is a relatively new method. It introduced a new concept for safety related control systems, combining traditional protection layers with safety instrumented systems in a new analysis tool to determine SIL requirements. The only Integrity Level (IL) taken allows for in this thesis is the SIL, and not Environmental IL (EIL) or Commercial IL (CIL). The main objectives of this paper are to: i) describe available approaches to the determination of appropriate SIL-levels, and highlight “pros” and “cons” related to the various approaches; ii) present and discuss the applicability of the LOPA method in determining SIL; iii) analyze a practical case by LOPA and a selected alternative method, OLF guideline 070, and compare the results and discuss possible deviations; iv) evaluate the LOPA method and give recommendations of the approach that is most applicable for determination of the SIL in selected application areas. The remainder of this paper is organized as follows: section 2 describes some selected approaches indicated in the international standards IEC 61508 and IEC 61511 for determining SIL. Section 3 describes the LOPA approach, while a practical case study is conducted in section 4 using LOPA as the analytical tool. Section 5 gives an evaluation of LOPA, and concluding remarks are presented in section 6.
2 Approaches to the determination of SIL While the Hazard and Operability (HAZOP) study identifies and risk ranks hazards, SIL determination focuses on the adequacy of safeguards to reduce or mitigate hazards [15]. There are four levels of safety integrity specified in IEC 61508, where SIL 4 is the highest level and SIL 1 the lowest. The levels are defined by the PFD. Each level corresponds to a PFD interval. Table 1 shows the relationship between SIL and PFD.
3
Table 1: The relationship between SIL and the required failure probability. Adopted from [3].
Safety Integrity Level
4 3 2 1
Demand Mode of Operation (average probability of failure to perform its design function on demand PFD) ≥ 10-5 to < 10-4 ≥ 10-4 to < 10-3 ≥ 10-3 to < 10-2 ≥ 10-2 to < 10-1
Continuous / High Demand Mode of Operation (probability of a dangerous failure per hour) ≥ 10-9 to < 10-8 ≥ 10-8 to < 10-7 ≥ 10-7 to < 10-6 ≥ 10-6 to < 10-5
SIL determination of a Safety Instrumented Function (SIF) is not solely the responsibility of the instrumentation engineer. It is a team assessment where the team represents knowledge of the hazards, any associated risks, and the other layers of risk reduction that are being applied during the ’life cycle’ of the plant under review, to reduce the risk towards the declared tolerable value. Tolerable risk is based on the current values of society. There is a variety of techniques for determining SILs, and some of the risk-based methods from IEC 61508 and IEC 61511 are presented in the next sections. The standards offer three types of methods of determining SIL requirements [5, 6]: • Qualitative methods; • Semi-quantitative methods; • Quantitative methods. This section represents a brief example of each method. More detailed information can be found in the Annexes in IEC 61508-5 and IEC 61511-3.
2.1 A qualitative method – The Safety Layer Matrix The safety layer matrix method is described in Annex E in IEC 61508 and Annex C in IEC 61511-3. It is a qualitative method that is an attractive alternative for SIL determination because it is not in need of actual quantitative figures on the hazard demand rates, risk frequency and the consequences. The general procedure for the safety layer matrix method is as follows: 1. Establish the process safety target level 2. Identify all relevant hazardous events 3. Establish the hazardous event scenarios and estimate the hazardous event likelihood using company specific data and guidelines 4. Establish severity rating of the hazardous events using company specific guidelines 5. Identify the existing protection layers. The estimated likelihood of hazardous event should be reduced by a factor of 10 for every protection layer. 6. Identify the need for possible additional SIS and protection layers by comparing the remaining risk with the safety target level 7. SIL identification
4
Figure 1 An example of a safety layer matrix. Copied from [21].
The SIL requirements are determined from a safety layer matrix as shown in Figure 1. The likelihood of the hazardous event, the hazardous event severity rating and the numbers of protection layers are essential parameters that together with the safety layer matrix are able to identify the SIL requirements. This method is not suitable for detailed analysis and is a somewhat simplistic approach. It is a conservative approach and probably ensures adequate protection but could lead to relatively expensive solutions [18]. Another disadvantage is that it only provides a SIL rating not a PFD value and as such no indication of where within the SIL band.
2.2 A semi-quantitative method - Risk Graph The Risk Graph method presented in Annex D in IEC 61508-5 is a qualitative method, while the IEC 61511-3 defines it as a semi-quantitative method. This article refers to Risk Graph as a semi-quantitative approach. This method enables the SIL of a safety-related system to be determined from knowledge of four parameters: consequence, C; frequency of exposure, F; possibility of escape, P; and likelihood of event, W. The procedure continues with determining each of these parameters, in terms of levels shown as subscripted numbers. The Risk Graph shown in Figure 2 has four levels for consequence, two levels for frequency, two levels for possibility of escape, and three levels for likelihood. As the subscripted numbers increase, the perceived hazard is higher. Each of these levels must be carefully defined on a corporate basis for the methodology to be useful. This method is consequence-driven, but allows credit for controlling access to the facility. For this method, the likelihood and consequence are determined by considering the independent protection layers during the assessment. The SIL requirements can be determined by using the predefined parameters of table D.2 (IEC 61511- annex D) and implement them in the Risk Graph scheme such as Figure 2. The parameters should represent the risk factors that relate best to the application characteristics involved. 5
The Risk Graph method depends heavily on the experience of the hazard analysis-team, and may tend to be subjective and emotional. It is not well suited for complex scenarios [9]. Like the safety layer matrix, it does only provide a SIL rating not a PFD value.
Figure 2: Typical Risk Graph. Copied from [6]
2.3 A quantitative method- Fault tree Analysis (FTA) Fault tree analysis (FTA) is one of the most common techniques applied for quantifying risk in the process industry. The technique is being used as a quantitative method because fault tree symbols are used to show the failure logic of the SIS and it is mathematically rigorous. FTA is binary (fail-success) and a structured top-down deductive analysis [27]. The graphical nature of this technique affords visualization of failure paths. Fault trees can model diverse technologies and complex failure. Even though FTA largely depends on domain-specific knowledge of human experts, an advantage is that the process is not automated. The analysis requires fully involvement by the participants. The quantitative approach to the determination of SIL is the most rigorous and timeconsuming. You start with determining the process demand or incident likelihood quantitatively with the use of fault tree. A FTA begins with a graphical representation of the SIS failure. A simple fault tree, or perhaps a part of a larger fault tree, is shown in Figure 3. The failure of the SIS would occur if device A or device B failed, and device B only fails if device C and D fails. The or- and andgate is used to illustrate this logic.
6
Figure 3 A simple Fault Tree
Note, when we have a specific problem in hand, it becomes necessary to describe exactly what such events such as Q, A, B, C, and D are. The proper procedure for doing this is to write the statements that are entered in the event boxes as faults; state precisely what the fault is and when it occurs. This approach is more suitable for complex scenarios than the two previous methods. FTA quantitatively estimates the frequency of the undesired event for a given process configuration. If the frequency is too high, a SIS of a certain SIL is added to the design and incorporated into the FTA. The SIL can be increased until the frequency is low enough in the judgment of the team. FTA provides acceptable approximations of the PFDavg for the SIS [26], but because of its binary behaviour it may fail to address some problems [27].
2.4 Layer of Protection Analysis (LOPA) The process sector recommends LOPA as an alternative approach to risk reduction proposed in IEC 61511. This approach has during the last ten years emerged as a simplified form of quantitative risk assessment (QRA) and is a relatively new method for determining SIL requirements. This approach is described more thoroughly in the next section.
7
3 Layer of Protection Analysis (LOPA) approach 3.1 Introduction LOPA was a tool developed by the American Institute of Chemical Engineers CCPS in 2001 [3] for assessing the adequacy of protection analysis used to mitigate process risk [1]. LOPA introduced a new concept for safety related control systems with combining traditional protection layers with SIS in a relatively new analysis tool to determine SIL requirements. It is used to ensure that process risk is at an acceptable level. LOPA is a semi-quantitative technique that can estimate the required PFD for a SIF. It is semi-quantitative since it does use numbers and generates a numerical risk estimate, but is not as rigorous as a fault tree or QRA. It is usually applied after a qualitative hazard analysis, for example a HAZOP, and before quantitative risk assessment/fault tree [8]. LOPA is used to identify multiple independent protection layers (IPLs) that mitigate a potential hazard. IPLs are devices, systems, or actions that are capable of preventing a scenario from developing into an undesired consequence and all these layers are independent from one another so that any failure of the layer will not affect the functioning of the other layers [1, 8]. The layers can be either preventive by avoiding an occurrence of the scenario or mitigating by minimizing the effects of consequences. Figure 4 illustrates the frequency reduction of an initial event (consequence) by each IPL. The width of the arrow, representing frequency, becomes smaller as the initial event passes through each IPL. Figure 4 also shows an event tree model for the success or failure of each IPL. LOPA focuses on the worst case failure path through the event tree, shown by the heavy line.
Figure 4 The concept of LOPA. Copied from [6]
There have been many discussions about the number of and the strength of protection layers. LOPA has its origin in the desire to answer the following key questions [3]: - How safe is safe enough? - How many protection layers are needed? - How much risk reduction should each layer provide?
8
Each plant has multiple layers of protection (Figure 5), and each layer has its own level of risk reduction. In LOPA, the IPLs proposed are analyzed for their effectiveness. The combined effects of the protection layers are then compared against risk tolerance criteria, as the typical human response would be to keep adding safeguards even after a point where additional safeguards are unnecessary.
Figure 5 Layers of protection. Copied from [15]
These risk tolerance criteria vary between operators and the cultural and regulatory environment of the project’s location. In general, they can be expressed either qualitatively or quantitatively, or often as a mixture of the two. Qualitative criteria include words like probable, frequent, unlikely, etc. for the description of the likelihood of an event. As for the description of the consequences of the event, words such as minor, major, catastrophic, etc. are used. To ensure consistency in the application of these criteria, it is often introduced quantitative numbers, for example, “once every 5 years” [19]. Quantitative criteria use numerical values to describe the likelihood and severity of the event. An example can be “an event having a frequency of less than 1×10¯3 per year”. Whether one chose to use qualitative or quantitative values, risk tolerance criterion need to be established
9
for LOPA to answer the 'how safe is safe enough' question. Risk tolerance criteria are used to decide if the frequency of the mitigated consequence (with the IPLs in place) is low enough. CCPS [3] provides guidance and references on how to establish and develop risk criteria. Quantitative criteria are the most common to use in conjunction with semi-quantitative analysis, such as LOPA [28]. To ensure consistent application of the risk criteria, internal practices should explain how the criteria are used at different stages of the process unit life. The intent is to reduce the risk below the risk criteria, unless a deviation from the risk criteria is justified and formally approved by management. The risk criteria should be stated in such a way that is clear and understandable to personnel assigned responsibility for risk assessment activities. Assigned personnel should also receive training on how the frequency and consequence severity are evaluated and how the risk criteria are used to define the risk reduction requirements [28].
3.2 The LOPA process Each company that chooses to use LOPA needs its own specific procedure. The LOPA procedure must include tables for initiating cause likelihoods and PFDs for various types of IPLs [13]. It is important that they have defined risk tolerance criteria beforehand; otherwise it will be difficult to make risk-based decisions. The LOPA procedure must have clear rules with which to evaluate safeguards to determine if they qualify as IPLs. Many of these rules are available in the CCPS LOPA book [3], including requirements for effectiveness, independence, and auditability. The company should also establish the minimum requirements for LOPA team composition and training for LOPA facilitators. The team should consist of the [6]: -
operator with experience operating the process under consideration; engineer with experience in the process; manufacturing management; process control engineer; instrument/ electrical maintenance person with experience in the process under consideration; risk analysis (LOPA) specialist.
It is important that one on the team is trained in the LOPA methodology. LOPA is based on the assessment of single event-consequence scenarios. A scenario consists of an initiating cause and a consequence (initial event). There are multiple initiating causes that can lead to the same consequence, and all these causes must be used to develop scenarios for subsequent assessment. LOPA is a rational methodology that allows rapid, cost-effective means for identifying the IPLs that lower the frequency and/or the consequence of specific hazardous incidents [1]. It is typically applied after a qualitatively hazard analysis has been completed, but before the quantitative analysis like fault tree or QRA. Since LOPA uses simplifying assumptions and approximations, it is not intended to be either a complex or a high level of detail decision tool. It is most effective when one need a general approximation of risk and the associated opportunities for mitigation of those risks. It is a method that is intended to be conservative. Figure 6 illustrates the LOPA process.
10
Figure 6: The LOPA process [3]
The LOPA process consists of 6 steps [3, 1]: (1) Identify the consequence to screen the scenarios The first step initiates with recording all reference documentation like inspection reports, hazard analysis documentation, etc [1]. The consequences (initial events) are often identified earlier during a qualitative hazard analysis, ex. a HAZOP, which provides the LOPA team with a listing of hazard scenarios with associated consequence description and potential safeguards for consideration. Table 2 shows the relationship between the data required for the LOPA and the data developed during the HAZOP study. Table 2 HAZOP developed data for LOPA. Adopted from [6].
LOPA required information Initial event Severity level Initiating cause Initiating likelihood
HAZOP developed information Consequence Consequence severity Cause Cause frequency
Protection layers Required additional mitigation
Existing safeguards Recommended new safeguards 11
The initial events are each classified for severity; how many people are affected, how large is the affected area, what is the downtime or economic cost of the event? [12] LOPA is performed using a standard table for data entry shown in Table 3. The initial events are entered in column 1, and the severity level in column 2.
Table 3: Standard table for LOPA data Ref #
1
2
3
4
Initial
Severity
Initiating
Cause
Event
Level
Cause
likelihood
Description
5
6
7
Protection Layers Process design
BPCS
8
9
10
11
Intermediate
SIF IL &
Mitigated
Notes
PFD
Alarms
Additional
IPL additional
event
etc.
mitigation
mitigation
likelihood
Restricted access
event likelihood
Dikes, pressure relief
(2) Select an accident scenario It is important to apply LOPA to one scenario at a time. A scenario consists of at least two elements: cause and consequence. The scenario then describes a single cause-consequence pair [3]. During this step the analyst or the team shall construct a series of events, including initiating causes and errors in IPLs, which lead to an undesired event. There may be multiple scenarios leading to one single release case, but, it may be possible to reduce the number of scenarios that need to be analyzed in detail.
(3) Identify the initiating cause of the scenario and determine the initiating cause frequency (events per year) In LOPA each scenario has one initiating cause. The initiating causes are evaluated for each hazardous event [28]. The CCPS [3] defines three different groupings of causes: -
External events (earthquakes, tornadoes, terrorism, sabotage, etc) Equipment failure (component error, corrosion, wear, etc) Human failure (operational error, maintenance error, etc)
The initiating event must lead to a consequence, given all the safeguards fail. It is important to review and verify all causes from the scenario development step as valid initiating causes for the consequence identified prior to assigning frequencies. The causes which turn out to be incorrect or inappropriate should either be rejected or developed into valid initiating causes [3]. These causes are entered in column 3 in Table 3. The frequency can be estimated using look-up tables or historical data. A number of sources of failure rate data are available [3, 9]. Other sources are company experience, which include the hazard analysis team experience, and vendor data, which often may be too optimistic.
12
Typical initiating cause likelihoods and IPL PFDs are given by Dowell [10, 11] and CCPS [3] (see also table 1.4, Appendix C). LOPA assumes that the failure rate is constant. This is not always the case, since equipment failure rates often are higher when the equipment is new and when it ages. But for the purpose of LOPA, a constant failure rate is adequate. LOPA only requires order-of-magnitude approximation, and failure rate data should be rounded up to the nearest whole order of magnitude. In the case of a more complex scenario, it may be more appropriate to use a QRA and/or a fault tree. When the LOPA-team has reached an understanding of the frequency and consequence of the potential hazardous event, a risk matrix is often used for determining the acceptability of the risk or if there is a need for further risk reduction of the IPLs.
(4) Identify the IPL and estimate the probability of failure on demand of each IPL It is important to distinguish between an IPL and a safeguard. A safeguard is any device, system or action that likely would interrupt the chain of events following an initiating cause. First you identify safeguards, which have to meet two requirements [8]: 1) Is it effective in preventing the scenario to reach a consequence? 2) AND, is it independent of the initiating cause and other protective layers? If you answer yes to both of these questions, it can be qualified as an IPL. The effectiveness of an IPL is quantified in terms of its PFD; the smaller the value, the larger the reduction in frequency of the consequence for a given initiating event frequency. The analyst should evaluate the design of the candidate IPL against the conditions of the scenario to estimate the appropriate PFD for the IPL. The PFD is then entered in columns 5-7 in Table 3.
(5) Estimate the risk of the scenario by mathematically combining the consequence, initiating event and IPL data The result of LOPA is a risk measure for the scenario, - an estimate of the likelihood and consequence. This estimate can be considered Intermediate Event Likelihood – the likelihood of the consequence is reduced by the IPLs. The team calculates this likelihood by multiplying the Initiating Cause Likelihood (column 4, Table 3) by the PFDs of the IPLs (column 5-7) and enters the number in column 8. The formula is shown in Equation 1. The intermediate Event Likelihood has units of event per year. It is then compared to the Mitigated Event Likelihood shown in column 10. Equation 1 [8]:
J
fi = f i × ∏ PFDij c
I
j =1
13
Where fi c = frequency for consequence C for initiating event i fi I = frequency for initiating event i PFDij = probability of failure on demand of the jth IPL that protects
against consequence C for initiating event i. It is important to evaluate each scenario individually, since different IPLs may apply to different scenarios, even if both scenarios result in the same consequence. If the Intermediate Event Likelihood is less than the Mitigated Event Likelihood, additional IPLs may not be required. If the Intermediate Event Likelihood is higher than the Mitigated Event Likelihood, additional risk reduction is probably needed. If the team finds that a SIS is needed to meet the Mitigated Event Likelihood, the team enters the description of the SIS in column 9 and assigns it a PFD. Then the SIL is entered in column 9 as well. Until the Intermediate Event Likelihood is less than the Mitigated Event likelihood, the team continues the process of increasing the number of protection layers and recalculates the numbers [11].
(6) Evaluate the risk and give recommendations The LOPA team then evaluates the estimated risk and provides specific implementable recommendations. The team should be encouraged to develop as many recommendations as possible to allow the project team to select the best option both with consideration to implementation and costs. Cost-benefit analysis is often used to compare the value of competing options. It is a supplement to the basic risk judgment approaches. Some risk-evaluation methods are [3]: - Risk matrix - Numerical Criteria method (Maximum Tolerable Risk per Scenario) - Number of IPL credits - Expert judgment Following the comparison, a judgement must be made to whether further action is needed. These actions might be an additional IPL or a fundamental change in design to make the process safer. Section 4 presents a case study at Petrojarl Varg, in co-operation with Safetec Nordic AS, using the LOPA approach.
14
4 Case study A case study is conducted to check the applicability of LOPA to determine appropriate SIL for a particular system, and also in order to compare this method with the minimum SIL table in OLF Guideline-070.
4.1 System analyzed Teekay Petrojarl is the largest operator of Floating Production, Storage and Offtake (FPSO) vessels in the North Sea. One of the four FPSOs they own and operate is Petrojarl Varg. The Petrojarl Varg is a ship-shaped, turret moored, FPSO vessel (see Figure 7). The vessel is equipped with processing facilities for oil production, gas injection and water injection. The Varg field is located in the Norwegian Sector of the North Sea [17].
Figure 7 Petrojarl Varg (Adopted from [17])
The first task in the procedure for allocation of SIL is to define the equipment under control (EUC). The EUC for this case is shown in Figure 8.
Figure 8 EUC
15
The EUC shall be considered the source of hazards and hence shall be protected either by SIS, other technology safety systems, external risk reducing measures, or a combination of these [4]. The main objective is to gain an understanding of the EUC and its environment, both physical and legislative. In this study we chose to consider high pressure in the 1st separator as the scenario for this case. High pressure may be caused when a pressure control system failure occurs or there is a blocked or restricted outlet which prevents outflow.
4.2 Application of LOPA The starting point of this case study was to analyze the P&IDs (Piping & Instrumentation Diagram) of Petrojarl Varg to identify the safety functions (see Appendix B). Subsequently, the LOPA team followed the LOPA process listed in Chapter 3.2. The team identified high pressure as a deviation to study. A consequence of high pressure is rupture in separator, if it exceeds its design pressure. This could lead to leakage of hydrocarbons and further lead to fire or explosion. This initial event was entered in column 1 in Table 4. Next, the severity level was set to B (single onsite fatality), which from the severity level table (Table 1.1, Appendix C) gives target mitigated event likelihood: 3×10¯5 per year. The target mitigated event likelihood is the same as mitigated event likelihood. Severity level B is then written in column 2, and the mitigated event likelihood in column 10, in Table 4. One of the initiating causes for this initial event is control failure. The operator said this happened about once every ten years. The initiating cause is written in column 3 of Table 4, and the cause likelihood is written in column 4 (1/10 yr = 0.1). This is a typical value given to this parameter. 0.1 is as good as the control system can be without changing status to safety system [23]. The process design and the alarm were set to 1 which indicates that there is nothing to take credit for in this scenario. The control functions are typically implemented in the basic process control system (BPCS). The BPCS manage two valves, one process valve and one spill-off valve which directs the production to flare. Error in the BPCS can have three possible causes; failure of pressure transmitter, BPCS-logic and control valves. Totally, the tables indicate 10¯¹ for error in the BPCS. Because the initiating cause for this scenario is control failure, we can not take credit for the BPCS as an IPL, since it is indicated to already have failed. The PFD is for that reason 1 in this case, and is listed in column 5, Table 4. IPLs relevant to this scenario are the PSV and organizational measures. Additional mitigation, restricted access is calculated by multiplying personnel’s vulnerability with the average presence in the area; here the probability of ignition given release is set to 0,3 for flammable liquids/gas and people present in the hazard zone equals 1,0 since there are people present all the time. PFD for the PSV is set to 0.01 (From Table 1.5, Appendix C) which is a common value for PSV [23].
16
The intermediate event likelihood is then estimated by multiplying columns 4-7: Cause
Process
likelihood
design
0,1
×
1 ×
BPCS
1 ×
Alarms
Additional
IPL additional
etc.
mitigation
mitigation
Restricted
Dikes,
access
pressure relief
1 ×
0,3
×
0,01
Intermediate Event Likelihood
=
3,00E-04
For control failure we get an intermediate event likelihood at 3,00E-04. The second initiating cause to high pressure in the 1st separator was unintentional closure of manual valve leading to blocked or restricted outlet (inflow exceeds outflow). The cause likelihood is set to 0.1 (once every 10 years), the same as for the first initiating cause. The only difference is the PFD for the BPCS. If demand is due to other valves than the control valves (manual closing or ESDVs), one can assume that the BPCS is functioning and thereby rate the failure likelihood to 10¯¹ for the spill-off valve to open and ”save the situation”(see table 1.5, Appendix C). As for the intermediate event likelihood, we then get: Cause
Process
likelihood
design
0,1
×
1 ×
BPCS
0,1 ×
Alarms
Additional
IPL additional
etc.
mitigation
mitigation
Restricted
Dikes,
Intermediate Event Likelihood
0,01
= 3,00E-05
1 ×
0,3
×
This gives an intermediate event likelihood at 3,00E-05. We then add the two intermediate event likelihoods together. The SIF PFD is then calculated by dividing the mitigating event likelihood with the total intermediate event likelihood. This gives us a PFDavg = 9,09E-02 → SIL 1.
17
Table 4 LOPA report - Case study
#
Initial
Severity
Event
Level
Initiating Cause
Cause likelihood
Description
Protection Layers Process
BPCS
design
IPL Alarms Additional additional etc.
mitigation
mitigation
Restricted
Dikes, pressure relief
access High pressure. Leakage of hydrocarbons leading to fire 1 or explosion.
Intermediate
SIF IL &
Mitigated
event
PFD
event
likelihood
likelihood
B
Control failure
0,1
1
1
1
0,3
1,00E-02
3,00E-04
3,00E-05
B
Unintentional closure of valve leading to blocked outlet
0,1
1
0,1
1
0,3
1,00E-02
3,00E-05
3,00E-05
3,3E-04 0,09 = SIL1
4.3 Application of the OLF Guideline 070 The minimum SIL table in OLF-070 is meant to simplify the process of determining SIL for safety functions. On an average offshore installation there are a considerable number of safety functions and determining SIL for each function is time-consuming. The minimum SIL table covers the most common safety functions. It is based on experiences and procedures that result in acceptable minimum safety levels [4]. It is, however, important to be aware that deviations may occur, since the table does not cover all functions. From Table 7.1 in OLF-070 [4] the SIL requirement for high pressure gave a SIL 2. The SIL requirement from the LOPA analysis gave a SIL 1 for the same scenario. This shows that the minimum table in OLF-070 can result in stricter requirements than LOPA. It is important to study the PFDavg as well as the SIL result when using LOPA. Often the PFDavg output lies in the border area between two SIL, and this will not be shown by just considering the SIL value. This may affect the safety functions as they suffer under insufficient attention.
18
Notes
4.4 Discussion Using the OLF guideline may contribute to reduction in time and work scope as SIL requirements already have been set for the most common safety functions. On the other side, the SIL requirements from the minimum table tend to be stricter than the SIL obtained by LOPA. This may lead to an increased amount of testing and may affect the reliability of the tests due to less time and opportunity to focus on each test, which again will lead to an increased amount of people in the hazardous zones. Another problem with the minimum table is that is opens for possible shortcuts, e.g., no performed evaluation in advance. This leads to that the SIL table loses its purpose as it makes is impossible to discover whether a function is performing as intended without evaluation. This may cause the final product to be less reliable than necessary. The case study revealed that it can be difficult to obtain consistent results with the use of LOPA, since different users can come up with different SIL for the same function depending on the experience-data established by the team participants. Repeatability is an important factor with the use of LOPA, in order to make the results more consistent. Also, in order to maintain consistency, most companies have a procedure for adding new causes to the initiating events table. These new causes and their likelihoods should receive formal review and acceptance before being used. In the course of the case study, the team found the cause likelihood as very critical to SIL determination (i.e. one order of magnitude out on the cause likelihood and the SIL can be increased by 1 and therefore costs can be greatly increased), therefore, more time should be spent ensuring this figure is as accurate as possible. Choosing between whether the minimum SIL table or LOPA are best in use of the determination of appropriate SIL values is difficult. There are positive and negative sides with both of the alternatives. If the minimum SIL table is used correctly with proper evaluation, it would be recommended. However, since the table opens for the use of cutoffs and easy solutions, it is recommended that the LOPA method is used for determination of SIL requirements.
5 Evaluation of LOPA 5.1 Benefits of using LOPA LOPA has many advantages compared to other risk assessment tools and combines the advantage of qualitative and quantitative tools. Some of the advantages are summarized below [7, 8, 10, 14, 15, and 25]: •
It is a simple risk assessment tool and requires less time and resources than for a QRA but is more rigorous than HAZOP. The benefit applies especially to scenarios that are too complex for a pure qualitative assessment. One can use it as a screening tool for QRA.
19
•
•
• •
•
•
•
• •
It facilitates the determination of more precise cause-consequence pairs than the safety layer matrix and the risk graph method, and therefore improves scenarioidentification. It identifies operations, practices, systems and processes that do not have adequate safeguards and helps in deciding the PLs required for a process operation and thereby focuses on the most critical safety systems. It helps to determine the need for SIS and the SIL for SIS. It avoids the generalities of the safety layer matrix method by including its own calibration. The assumptions and included IPLs are clearly documented. Even though LOPA is more time-consuming to complete than Risk graph, in the right hands, it allows a better understanding of the safety system in the functional safety of the overall design. Risk graph often over-simplifies the determination of required risk reduction to the point that errors in SIL determination have occurred because the methodology has been applied quickly and badly. It requires much less work than FTA, giving results that can be somewhat conservative. LOPA can be used at most of the SIS functions, while a few complex systems may require FTA. Another important aspect is that methods like the safety layer matrix and the risk graph, just give e.g. SIL 1 for performance of SIF. This implies that anywhere in the SIL 1 range will do. That is to say, a PFDavg of 0.1 would be sufficient. Methods like LOPA provide a PFDavg and hence imply that the design must achieve rigour for SIL 1 and the PFDavg stated. It is useful for making risk-based decisions during stages like design, management of change, preparation of safety operating procedures for operators, incident investigation, emergency response planning, bypassing a safety system, etc. Provides due credit to all PLs and helps in estimating the specific risk level of the unit/ equipment. It removes subjectivity while providing clarity and consistency to risk assessment and helps to compare risks based on a common ground if it is used throughout a plant.
It also supports compliance with process safety regulations - including among others Seveso II regulations, IEC 61508 and IEC 61511.
5.2 Limitations of using LOPA While using this technique, its limitations should also be kept in mind for deriving better results [7, 8, 10, 14, 15, and 25]: • •
•
It is not intended to be a hazard identification tool. LOPA depends on methods used to identify the hazardous events and to identify a starting list of causes and safeguards. Criteria for risk tolerance must be established for LOPA exercise before the process starts. For countries where such criteria have not been specified by statutes it will be difficult to decide which standards are to be adopted. Differences in risk tolerance criteria and LOPA implementation between organizations mean the results cannot usually be compared directly from one organization to another. LOPA offers flexibility to the user in the areas of selecting IPLs and PFDs associated with the IPLs though the general industry data is available for the purpose. This brings in subjectivity in the assessment process and depends on the expertise of the user.
20
•
•
LOPA is a simplified approach and should not be applied to all scenarios. The amount of effort required to implement LOPA may be excessive for some risk-based decisions and is overly simplistic for other decisions. LOPA analysis tends to drive initiating cause likelihoods to higher levels than actual field experience. Because LOPA typically classifies initiating cause likelihoods only in order-of-magnitude changes (once in ten years, once in a hundred, etc.), all likelihood numbers are rounded upwards to the next order of magnitude. This can make the likelihood of events higher than the actual likelihood.
5.3 Recommendations The different methods presented in section 2 are all useful in converting HAZOP data into SIL. There is no ideal candidate to cover all the areas in SIL determination, though some methods are more suitable for selected application areas than others. When choosing a method, there are a number of factors that should be considered [7]: -
Is the process well understood? How complex is the process? Will the SIL assignment team be consistent from project to project? Are there multiple causes with different protection?
The safety layer matrix and the risk graph method are recommended as initial screening tools, and are suitable for SIL 1 assessments. This is because they are both somewhat simplistic approaches and tend to be subjective. For more detailed and complex analysis quantitative tools such as LOPA and FTA are needed. FTA remains one of the more popular and accurate methods. It is also a relatively expensive and comprehensive technique and this can make it obstructive in conducting SIL assessments, especially in industries experiencing cost-cutting [25]. However, it still remains one of the definitive methods for more critical and complex safety assessments. LOPA provides an approach more rigorous than risk graph and safety layer matrix and requires less time and money than FTA. The advantages and disadvantages listed above prove that it is a promising technique in determining SIL. It is a relatively new method, so potential shortcomings have not yet been fully explored, though it seems to be in progressive development throughout the process industry. It is important to remember that whichever method is chosen, it is necessary for the user to develop procedures and guidelines to ensure that the method is used effectively and consistently.
21
6 Conclusions and further work Process industries prefer techniques which can assess the risk levels and identify suitable safeguards for minimizing the risk levels to satisfy the statutory requirements. The global importance of SIL has grown considerably over the last decade and semi-quantitative methods are favoured by industries for their limited need for mathematical modelling. This article describes the LOPA method in determining SIL requirements in the process industry and discusses some advantages and disadvantages in connection to LOPA. It is a simplified quantitative approach based on orders-of-magnitude calculations which is easy to learn and apply. The case study at Teekay demonstrates that the LOPA method is useful in practice but can be time-consuming. Discussions often arise during the analysis which might prolong the time compared to what was originally predicted. If a company chooses to use LOPA, it should develop its own LOPA procedure specific to its needs in advance of the analysis. The company should strive to provide an internal guidance-document so that all sites will be consistent in its application of LOPA initiating cause frequencies. OLF-070 describes minimum SIL tables as guidance to the Norwegian oil and gas industry. The results of the LOPA study compared to the minimum SIL table showed that the SIL obtained by OLF-070 have a tendency to give stricter requirements than LOPA. It is important to study the PFDavg as well as the SIL in LOPA to be able to make the most adequate safety measures. This is also an advantage with LOPA in comparison with the safety layer matrix and risk graph, which only provide SIL rating. This thesis does not recommend uncritically using OLF-070 for SIL determination. It is natural to suggest that the companies should take a more active part in the risk assessment process. The LOPA team should include individuals that understand the system well and a facilitator who is organized and can draw valuable contributions from the employees. By this, LOPA contributes to the attainment of “ownership” and more awareness and interest in risk assessment within the employees. This thesis has shown that LOPA is a useful method for determining SIL in the process industry. It is more powerful than qualitative methods, making it especially valuable for evaluating relatively complex scenarios and scenarios with relatively severe consequences. A more rigorous QRA may be more appropriate for extremely complex scenarios and scenarios involving very severe consequences. It is important not to use LOPA as a replacement for QRA. LOPA is a promising technique and appears to be in progressive development, but its potential shortcomings have not yet been fully explored by a sufficient body of users to establish conclusively its suitability. There is still a need for a clearly set out procedure for the use of LOPA in the process industry. Effort must be carried out to obtain more accurate values of those data that might actually lead to a change of SIL. The author believes that the LOPA methodology will guide SIS designers and process hazard analysts toward a more accurate SIL estimation. As a recommendation for further work, a guideline should be developed on how to use the LOPA method of IEC 61511-3 to determine SIL requirements.
22
7 Acknowlegement I would like to thank my supervisor Professor Marvin Rausand at NTNU for his assistance during the preparation of this paper. I am very grateful for his constructive hints and inputs. Thanks to my supervisor Atle Vestby at Safetec Nordic AS for giving me good guidance and helpful advice. I would also like to thank Teekay Petrojarl for allowing me to execute a case study using LOPA at Petrojarl Varg and taking the time to participate in the analysis. Special thanks are also due to Linn Nordhagen at Aker Kværner who helpfully answered my questions and gave me guidance during the preparation of this paper.
23
8 References [1] Summers, A. E. (2003). Introduction to layers of protection analysis. Journal of Hazardous Materials, Volume 104, Issues 1-3 , 163-168. 2] Gowland, R. (2006). The accidental risk assessment methodology for industries (ARAMIS)/layer of protection analysis (LOPA) methodology: A step forward towards convergent practices in risk assessment? Journal of Hazardous Materials, Volume 130, Issue 3 , 307-310. [3] CCPS. (2001). Layer of Protection Analysis - Simplified Process Risk Assessment. ISBN 0-8169-0811-7, Center for Chemical Process Safety of the American Institute of Chemical Engineers. New York, US. [4] OLF Guideline 070 (2004). OLF Guideline 070 - Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry, Rev.02, Oljeindustriens Landsforening, Stavanger. [5] IEC 61508 (1998). Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, parts 1-7. Geneva: International Electrotechnical Commision. [6] IEC 61511 (2003). Functional safety – safety instrumented systems for the process industry. Geneva: International Electrotechnical Commision. [7] Summers, A. E. (1998) Techniques for assigning a target safety integrity level. ISA Transactions 37, 95-104. [8] Dowell, A. M. and Hendershot, D. C. (2002). Simplified Risk Analysis - Layer of Protection Analysis (LOPA). AiChe National Meeting. Indianapolis, IN. [9] Oreda (2002). Offshore Reliability Data Handbook, 4th ed., OREDA participants, Høvik, Norway: Det Norske Veritas. [10] Dowell, A. M., III. (1998). Layer of Protection Analysis for Determining Safety Integrity Level. ISA transactions 37, 155-165. [11] Dowell, A. M., III, (1997). Layer Of Protection Analysis: A new PHA tool, After HAZOP, Before Fault tree analysis. International conference and workshop on Risk Analysis in Process Safety, October 21-24, 1997, Atlanta, GA, 13-28. American Institute of Chemical Engineers (AIChE), USA. [12] Dowell, A. M. III. (1999). Layer of Protection Analysis and Inherently Safer Processes. Process Safety Progress, Volume 18, Issue 4, 214-220. [13] Goddard, W. K. (2007). Use Layers of Protection Analysis (LOPA) to Determine Protective System Requirements. Chemical Engineering Progress, Volume 103; N. 2, 47-51. American Institute of Chemical Engineers (AIChE), USA.
24
[14] Summers, A. E. Layers of protection analysis. PPT, SIS-TECH Solutions, LLC www.mpri.lsu.edu/workshop/Layers%20of%20Protection%20Angela%20Summers.ppt (03.01.08) [15] ACM Facility Safety (2006). SIL determination techniques report. January 2006. www.iceweb.com.au/sis/ACMWhite-PaperSILDeterminationTechniquesReportA4.pdf (22.11.07) [16] Magnetrol International (2007). Understanding safety instrumented systems (SIS) and safety integrity level (SIL). www.magnetrol.com/v2/pdf/MII/41-299.pdf (05.11.07) [17] Teekay Petrojarl Homepage. www.teekay.com (29.01.08) [18] Macdonald, D. (2004). Practical Industrial Safety, Risk assessment and Shutdown Systems. ISBN 0-7506-5804-5, Butterworth-Heinemann, Oxford. [19] Dean, S. (1999). IEC 61508 – Assessing the hazard and risk. Sault consulting Ltd. www.sauf.co.uk/Documents/Sauf%20SIL%20Paper%204-99%20(public).doc [20] Onshus, T. (2006). Guideline for the use of IEC 61508 and IEC 61511 in the offshore industry. Norwegian Institute of Science and Technology (NTNU). http://www.sipi61508.com/ciks/NTNU1.pdf (12.09.07) [21] Beugin, J., Renaux, D. and Cauffriez, L. (2006). A SIL quantification approach based on an operating situation model for safety evaluation in complex guided transportation systems. Reliability Engineering & System Safety, Volume 92, Issue 12, 1686-1700. [22] Haugen, S. (Published 22.08.07). IEC 61508 – Hovedprinsipper og veiledning, Sintef Teknologiledelse. http://www.sintef.no/content/page1____16476.aspx (22.11.07) [23] Nordhagen, L. (2008). Personal communication, Aker Kværner. [24] King, A. G. Methods for SIL Determination. ABB Eutech Process Solutions, Cleveland. www.sipi61508.com/ciks/king3.pdf (09.01.08) [25] Kirkwood, D. Current issues with SIL assessment methods. Functional Safety Professional Network, Technical Advisory Panel. www.iee.org/oncomms/pn/functionalsafety/SIL_Assessment_Methods_Current_Issues.pdf (09.01.08) [26] Summers, A. E. (2000). Viewpoint on ISA TR84.0.02 — simplified methods and fault tree analysis. ISA Transactions 39, 125-131. [27] Rausand, M. & Høyland, A. (2004). System Reliability Theory; Models, Statistical Methods and Applications (2nd. ed.). New York: Wiley.
25
[28] CCPS. (2007). Guidelines for Safe and Reliable Instrumented Protective Systems, Ch.3. ISBN: 978-0-471-97940-1, Center for Chemical Process Safety of the American Institute of Chemical Engineers. New York, US.
26
Appendixes
27
Appendix A: LOPA presentation
i
LOPA - Layer Of Protection Analysis
Innhold: • Introduksjon av LOPA • Beskyttelseslag • Når bruker man LOPA? • 6 steg i LOPA prosessen • Fordeler og ulemper ved LOPA • Kort oppsummering
Dagens samfunn • Høyt sikkerhetsnivå sikkerhetsnivå • Strever etter kontinuerlig forbedring av
sikkerhet og metoder Krav om å • IEC 61508 og IEC 61511 utfø utføre SIL (Safety Integrity Level) vurderinger • ProsessProsess-sektoren foreslå foreslår blant annet LOPA som en alternativ fremgangsmå fremgangsmåte foreslå foreslått i IEC 61511 Annex F
Hvordan redusere risikoen? Risiko
All aktivitet medfører risiko
Risikoreduksjon
LOPA • Relativt ny metode for å vurdere SILSIL-nivå nivå • SemiSemi-kvantitativ (bruker tallverdier og numeriske risikoestimater)
• Forenklet QRA • Kombinerer ulike teknikker til en sammensatt
metode som er godt utstyrt til å analysere og evaluere risiko
Beskyttelseslag •
”Layer Of Protection” Protection” (Beskyttelseslag)= et redskap, system eller handling som er i stand til å hindre et scenario i å utvikle seg til en uø uønsket konsekvens, uavh. av den innledende hendelsen eller handlingen av andre beskyttelseslag assosiert med scenarioet. scenarioet.
•
LOPA utgangspunkt: besvare fø følgende nø nøkkelspø kkelspørsmå rsmål for beskyttelseslagene:
- Hvor sikkert er sikkert nok? - Hvor mange beskyttelseslag er nø nødvendig? - Hvor mye risiko reduksjon bø bør hvert enkelt lag sø sørge for?
•
I LOPA er de individuelle beskyttelseslagene (IPL) (BPCS, blast walls, etc) ( analysert for deres effektivitet. Den kombinerte effekten av de ulike lagene blir så så sammenlignet med et risikotoleransekriterium. Det primæ primære formå formålet med LOPA er å bestemme om det er nok beskyttelseslag mot ulykkesscenarioene;
•
Kan risikoen bli tolerert?
Sammenhengen mellom LOPA og hendelsestre
Når bruker en LOPA? • etter kvalitative analyser, feks. feks. HAZOP,
men fø før de kvantitative som feiltreanalyse eller QRA • Se tabell:
• LOPA bø bør brukes i grå grå områ områder når den kvalitative analysen avslø avslører behovet for risikoreduksjon: - Når det er usikkert hva frekvensen av de endelige
konsekvensene er - Usikkert hva konsekvensene er - Når prosessene eller scenarioene er for komplekse for kun kvalitativ analyse
• LOPA kan bistå bistå med hjelp i avgjø avgjørelsesrelsesprosessen
Det er 6 store steg i LOPA prosessen:
(1)Identifisere konsekvensene (initial
events) for å filtrere ut scenarioene.
• Ofte identifisert tideligere i en kvalitativ analyse (HAZOP), så analytikeren evaluerer konsekvensen og estimerer omfang. • Samle all referanse dokumentasjon (inspeksjonsrapporter, fareanalyse dokumentasjon, etc.)
Standard LOPA tabell
Severity level Severity level
Safety Consequence
E
Single first aid injury
D
Multiple first aid injuries
C
Single disabling injury and multiple serious injuries
B
Single onsite fatality
A
More than one and up to three onsite fatalities
Target Frequency[occ. per year] 3.0E-02 3.0E-03 3.0E-04 3.0E-05 1.0E-05
(2) Velg et ulykkesscenario • LOPA blir anvendt til ett scenario av
gangen (ex. Hø Høytrykk som resulterer i sprekk i tank). Et scenario bestå består minst av 2 elementer: årsak og konsekvens. Scenarioet beskriver da ett enkelt årsakrsakkonsekvenskonsekvens-par. par. • Her skal teamet eller analytikeren konstruere en serie av hendelser, inkl. innledende årsaker og feil i IPL, som leder til en uø uønsket hendelse.
(3) Identifiser de innledende
årsakene for et scenario og bestem frekvensen for hver av de (hendelser/å (hendelser/år). • I LOPA har hvert scenario en enkelt innledende årsak. • 3 grupperinger av årsaker: -eksterne, -utstyrs, eller –menneskelige feil:
• Den innledende hendelsen må må lede til en konsekvens (gitt at all beskyttelse svikter).
Estimering av frekvens
• Estimerer frekvensen fra slå slå-opp tabeller eller
• • •
historiske data. Mange kilder med feilratedata tilgjengelig: - Industri data (OREDA, CCPS,..) - Erfaringsdata - Leverandø Leverandørdata (ofte litt optimistiske) LOPA krever kun en tilnæ tilnærmelse av stø størrelsesorden LOPA metoden antar at feilraten er konstant (ikke alltid tilfelle, men holdbart for formå formålet med LOPA) Hvis det kreves mer detaljerte analyser kan en bruke hendelsestre eller feiltre
Typical Initiating Cause Likelihood
(4) Identifiser de uavhengige
beskyttelseslagene (IPL) og estimer PFD for hver av dem Noen ulykkesscenarioer vil kun trenge ett, mens andre kan trenge mange beskyttelseslag for å oppnå oppnå tolererbar risiko. risiko. Eks. Hendelsestre
• Effektiviteten til en IPL er kvantifisert som sannsynligheten for feil på på anfordring (PFD), som er definert som sanns. sanns. at systemet (IPL) vil feile å utfø utføre en spesifikk oppgave på på anfordring (verdi ml. 00-1). • Jo mindre PFDPFD-verdi, verdi, jo stø større frekvensreduksjon av konsekvensene for en gitt innledende årsaksfrekvens. • Noen vanlige verdier: IPL
PFD
Basic Process Control System (BPCS), if not associated with the initiating event being considered
1×10¯¯¹
Relief valve
1×10¯¯²
Human Performance (trained, no stress)
1×10¯¯²
Human Performance (under stress)
0,5-1,0
Operator response to alarm
1×10¯¯¹
SIL nivå er ofte definert som PFD Safety Integrity Level
4 3 2 1
Demand Mode of Operation (average probability of failure to perform its design function on demand PFD) ≥ 10-5 to < 10-4 ≥ 10-4 to < 10-3 ≥ 10-3 to < 10-2 ≥ 10-2 to < 10-1
Continuous / High Demand Mode of Operation (probability of a dangerous failure per hour) ≥ 10-9 to < 10-8 ≥ 10-8 to < 10-7 ≥ 10-7 to < 10-6 ≥ 10-6 to < 10-5
(5) Estimer frekvensen til
scenarioene ved matematisk å kombinere konsekvens, innledende årsak og IPL data • Kalkulasjonene kan bli gjort
J kvantitativt ved bruk av c I fi = fi × ∏ PFDij numeriske estimater eller j =1 ved bruk av slå slå-opp tabeller I = fi × PFDi1 × PFDi 2 × ...× PFDij
fi c =
Frekvensen av konsekvensen C for innledende årsak i
f i I = Innledende årsaksfrekvens for innledende årsak i for feil på anfordring for den j’te PFDij = Sannsynligheten IPL som beskytter mot konsekvens C for innledende årsak i
(6) Evaluer risikoen for å kunne ta en avgjø avgjørelse ang scenarioet. • Avgjø Avgjørelsene tar plass etter scenarioene har blitt fullt utviklet og risikoen kalkulert
• Metoder/Analyser: Kost/nytte Kost/nytte--analyser, analyser, Risikomatrise, Numerisk kriterier metode (max (max.. tolererbar risiko pr. scenario)
• Sørg for spesifikke implementerbare anbefalinger. LOPALOPAteamet bør bli oppmuntret til å utvikle så så mange anbefalinger som mulig for å tillate prosjektteamet til å velge den beste muligheten fra et implementeringsimplementerings- og kostnadsstandpunkt.
• Anbefalingene bø bør væ være på på ALARP (As Low As
Reasonably Possible)Possible)-nivå nivå; et tolerebart risikonivå risikonivå
ALARP
Hva er fordelene ved bruk av LOPA?
•
Veldig scenariorelatert fokus på på prosessrisikoen – avslø avslører ofte resultater som ikke har blitt identifisert i tideligere kvalitative fareanalyser.
•
Prosessfarer er i direkte forbindelse med sikkerhetsaksjoner som må ta plass, som sø sørger for klar identifisering av SIS og assosiert SIL.
•
Effektiv i å beslutte uoverensstemmelser relatert til kvalitative fareanalysefunn.
•
Identifiserer ofte akseptable alternativer til SIS, slik som å legge til andre beskyttelseslag, modifisere prosessen eller å forandre prosedyrer. Dette sø sørger for valgmuligheter for teamet i å evaluere kost/nytte kost/nytte--analyser og tillater å velge de mest kostnadseffektive midlene av risikoreduksjon.
•
Fokuserer på på alvorlige konsekvenser
•
Bekrefter hvilke IPL som er effektive for de ulike innledende årsakene Tar mindre tid og resurser enn QRA
•
Hva er ulempene med LOPA? •
LOPA er en forenklet fremgangsmå fremgangsmåte og bø bør ikke bli brukt på på alle scenarioer. Mengden innsats som kreves for å implementere LOPA kan væ være litt overdreven for noen risikobaserte avgjø avgjørelser og er litt for enkel for andre.
•
LOPA krever mer tid for å oppnå oppnå risikobaserte avgjø avgjørelser enn kvalitative metoder som HAZOP, men denne ekstra tiden utlignes da den gir bedre risikoavgjø risikoavgjørelser enn kun å bruke kvalitative metoder for komplekse scenarioer.
•
LOPA er ikke ment til å være et fareidentifiserbart verktø verktøy. Metoden avhenger av andre metoder brukt (inkl kvalitative) for å identifisere farehendelsene og identifisering av startlisten av årsaker og beskyttelser.
•
Tallverdiene gitt av LOPA kalkulering er ikke presise verdier av risikoen til et scenario. Men dette er også også en begrensning for alle kvantitative risikoanalyser.
Implementering av LOPA • For å få maks nytte av LOPA må må man også også implementere et risiko toleranse kriterium (ALARP). • Implementeringen bø bør skje i hele organisasjonen, og ikke begrenset til et enkelt områ område eller til en enkelt analytiker • Kritisk å kunne avgjø avgjøre om IPL’ IPL’ene er uavhengige fra den innledende årsak og fra hverandre. Hele LOPA metoden er basert på på antagelsen om uavhengighet. • Viktig å ha klart verktø verktøy, inkl. hjelpemidler som slå slå-opp tabeller for PFDPFD-verdier for standard IPL, innledende årsaks frekvenser, etc. Kalkuleringsverktø Kalkuleringsverktøy må må dokumenteres og brukere må må være opplæ opplært.
Formål med risikoanalyser? • • • • • • • •
Beregne risiko? Risikovurdering Iflg risikoakseptkriterier? ”Bevise” Bevise” av risikoen er lav nok?
Være aktivt involvert i prosessen! Identifisere risikoreduserende tiltak Utrede effekt av tiltaket Beslutte iverksettelse av tiltakene ALARP
Oppsummering: • LOPA tilbyr potensielle fordeler som en
forenklet kvantitativ analysemetode ved å kunne avsløre sprekker i systemet og sørge for svar og en effektiv og økonomisk måte å tette dem igjen på. • Har vist seg effektiv i å løse uenigheter relatert til kvalitative funn
Appendix B: P&ID for Petrojarl Varg
ii
Appendix C: LOPA data
iii
Appendix D: Preparatory Study Report
iv
Applicability of Layer of Protection Analysis to determine Safety Integrity Levels in the Process Industry Preparatory study Master Thesis
Stud.techn. Anniken Reusch Berg
Preface This report was carried out as a preparation plan for the Master Thesis the final year of the Master degree program at the Norwegian University of Science and Technology (NTNU). The title of the thesis is; “Applicability of Layer of Protection Analysis to determine Safety Integrity Levels in the Process Industry”, and was carried out in co-operation with NTNU and Safetec Nordic AS. The Master Thesis is prepared by stud.techn. Anniken Reusch Berg with responsible teacher supervisor Professor Marvin Rausand at the Department of Production and Quality Engineering, NTNU, and supervisor Atle Westby at Safetec Nordic AS.
Trondheim, 20.09.2007
Anniken Reusch Berg Stud.Techn.
i
Contents Preface...................................................................................... Error! Bookmark not defined. Contents...................................................................................................................................... ii 1 Introduction ............................................................................................................................. 1 1.1 Background ................................................................................................................ 1 1.2 Main Goal................................................................................................................... 1 1.3 Approach .................................................................................................................... 1 1.4 Success criteria................................................................................................................. 1 2 Project planning and control .............................................................................................. 2 2.1 Activity plan – Work Breakdown Structure (WBS) .................................................. 2 2.2 Work load................................................................................................................... 2 2.3 Work Task Analysis ................................................................................................... 2 2.4 Project plan – Gantt diagram...................................................................................... 2 Appendix 1 Work Breakdown Structure............................................................................... 3 Appendix 2 Work Task Analysis ............................................................................................... 4 Appendix 3 Gantt diagram ....................................................................................................... 12
ii
1 Introduction During the 10th semester of master study at NTNU, a Master Thesis will be carried out as a finalization of the graduate engineer education. In the following report I will present a plan on how the thesis will be performed.
1.1 Background In response to the increasing severity and number of industrial accidents, international standards, like IEC 61508 and IEC 61511, have forced the industry to seek instrumental solutions that will improve the safety of industrial processes. The standards employ the concept of safety integrity levels (SIL) which is defined as a relative level of risk-reduction provided by a safety function, or to specify a target level of risk reduction.There is a problem that the number of methods available for SIL determination is considerable while the description of which method to use and for what case is limited. Experience has shown that the different techniques can yield significantly different answers. A relatively new method for determining appropriate SIL is Layer of Protection Analysis (LOPA), proposed in IEC 61511.
1.2 Main Goal The main objective of this thesis was to study the Layer of Protection Analysis (LOPA) regarding its ability to determine appropriate Safety Integrity Levels (SIL) for the process industry. Further, to briefly describe some alternative methods mentioned in the international standards IEC 61508 and IEC 61511.
1.3 Approach In order to achieve the main goal there will be performed literature studies on the Layers of Protection Analysis, and I will get in touch with relevant persons within this subjects. I will also analyze a practical case by LOPA and selected alternative methods, and compare the results and discuss possible deviations.
1.4 Success criteria Success criteria related to this project is based on the availability of relevant literature, my understanding of the LOPA methodology and my analytical abilities.
1
2 Project planning and control 2.1 Activity plan – Work Breakdown Structure (WBS) WBS gives a segmentation of the different work tasks involved in the project and explains how the project is constructed. Appendix 1 contains WBS for this project.
2.2 Work load The duration of this project is 20 weeks with an estimated consumption of 40 hours each week. According to this the total amount of workload will be 800 hours. A preparatory plan is not a final statement. The actual performance of this project may vary some from the original plan.
2.3 Work Task Analysis Appendix 2 gives a work task description of the activities in WBS.
2.4 Project plan – Gantt diagram A Gantt diagram is a useful tool in order to plan resources and distribute the time available and purposed each project task. The diagram is presented in Appendix 3.
2
Appendix 1
Work Breakdown Structure
Figur 1 WBS diagram
3
Appendix 2 Work Task Analysis Note that in this section the literature study, activity 3, also is included in the duration of activities number 4,5,6,7 and 8.
Activity 1 Preparatory report Problem: Perform a preparatory study of the project in order to analyse problems and give a description of work that has to be done in order to produce a good result. This study will contain the project tasks and when they are due in time. Purpose: • Create an overview of the workload • Define each activities goals • Distribute each activities time consume and the amount of work that needs to be done • Create a plan for further following-up Content: Preparatory study with problems to be addressed, goals and delimitations Literature: • Rolstadås, A, Praktisk Prosjektstyring, 2001 • Various literature Method of work: • Create a plan which presents how the project will be executed • Give a problem description • Create WBS, CTR and Gantt diagram Challenges: • Create a functioning preparatory study where the amount of work for each activity is properly managed. Results: • A plan on how to perform the project • Definitions of problems and work load for each activity Duration: Hours: 40 Start: 17.09.07 Finish: 21.09.07
4
Activity 2 Progress Report Problem: Prepare a report considering the projects progress, time consumption and modifications compared with the preparation plan. Purpose: • View the progress of the project, consider delimitations and prepare corrections. Content: • Status report; gives an outline of the projects progress. • The report will also show variances that might have occurred regarding the paper and project goals. Literature: • Rolstadås, A, Praktisk Prosjektstyring, 2001 • Various literature Method of work: • Compare the preparation report with the projects actual progress. Challenges: • Create good solutions as for how to solve possible delimitations. Results: • A report considering the projects progress along with possible delimitations compared to the preparation plan. If delimitations, these will be explained, and correction plans will be stated. Duration: Hours: 8 Start: 20.11.07 Finish: 20.11.07
5
Activity 3 Literature Study Problem: Collect and seek literature for application in the project. Purpose: • Find an present relevant literature Content: • Gather information from different sources. There should be a high quality level in the literature, in such a way that it will create a good foundation in the project. Literature: Method of work: • Seek information at the internet • Seek information at BIBSYS • Get in contact with competent persons • Technical and Scientific literature • Gather information from reports Challenges: • High quality level in the literature • Sorting and selection of relevant literature Results: • Create a technical and professional foundation for the project. Duration: Hours: 720 Start: 17.09.07 Finish: 18.01.08
6
Activity 4 Describe some selected methods for SIL detemination Problem: Describe available approaches to the determination of appropriate SIL-levels, and highlight “pros” and “cons” related to the various approaches. Purpose: • Get an overview on some selected approaches for SIL determination Content: • Description of the selected approaches Literature: • Research papers • Various literature regarding the subject • Competent persons Method of work: • Read relevant literature and meet with competent experts on the subject Challenges: • Create good solutions as for how to solve possible delimitations. Results: • A brief presentation of some selected methods for SIL determination • Duration: Hours: 160 Start: 17.09.07 Finish: 12.10.07
7
Activity 5 Present and discuss the applicability of the LOPA method in determining SIL Problem: Study and get familiar with the LOPA methodology Purpose: • Get an overview on the LOPA method and its applicability in determining SIL Content: • The LOPA process Literature: • Research papers • Various literature regarding the subject • Competent persons Method of work: • Read relevant literature and talk with competent experts on the subject Challenges: • Understand the LOPA process • Find data Results: • Description of LOPA and the LOPA procedure. Duration: Hours: 200 Start: 15.10.07 Finish: 16.11.07
8
Activity 6 Analyze a practical case by LOPA and selected alternative methods, and compare the results with other methods (e.g. OLF-070 minimum table) Problem: Execute a practical case using the LOPA method. Purpose: • Get to know how the LOPA process works in practice with the determination of SIL Content: • Case study Literature: • Various literature • Competent persons (+ employees at Teekay where the case is being executed) Method of work: • Read relevant literature and meet with competent experts on the subject. • Develop a LOPA procedure and find the relevant tables with the numerical values needed. Challenges: • Having understood how the LOPA method works. Results: • LOPAs applicability in determining SIL for a given system Duration: Hours: 160 Start: 19.11.07 Finish: 14.12.07
9
Activity 7 Evaluate the LOPA method and give recommendations Problem: Evaluate the usability of the LOPA method in determining SIL and compare results to other selected methods Purpose: • Learn the applicability of LOPA in determining SIL in comparison to other methods. Content: • Discussion of LOPA • Advantages and Disadvantages Literature: • Various literature • Results from the case study • Competent persons Method of work: • Read relevant literature and meet with competent experts on the subject. • Discuss the usability of LOPA. Challenges: • Having obtained usable results from the case study Results: • Establish the applicability of the LOPA method • Pros and cons Duration: Hours: 120 Start: 17.12.07 Finish: 11.01.08
10
Activity 8 Collocation and printing of the Master Thesis Problem: Complete and hand in the Master Thesis and make sure the report is in accordance with the plan. Purpose: • Make sure the report is consistent and that you are pleased with the final result. Content: • Collocation of the report • Print and handing in the project Literature: Method of work: • Examine the report and make sure it is grammatically correct and consistent. Challenges: • Making sure there are no mistakes in the report. Results: • Handing in a report you are content with, within the given time limit. Duration: Hours: 37,5 Start: 13.02.08 Finish: 19.02.08
11
Appendix 3 Gantt diagram ID
Task Name
1
Master Thesis
Mon 17.09.07 Tue 19.02.08
2
Preparatory study Progress report
Mon 17.09.07 Fri 21.09.07 Wed 21.11.07 Wed 21.11.07
Literatury study Report writing and analysis
Mon 17.09.07 Fri 18.01.08 Mon 17.09.07 Wed 13.02.08
Describe some selected methods Present and discuss the applicability of the LOPA
Mon 17.09.07 Mon 15.10.07
Fri 12.10.07 Fri 16.11.07
9
Analyse a Practical case Evaluate the LOPA method
Mon 19.11.07 Mon 17.12.07
Fri 14.12.07 Fri 11.01.08
10
Collocation and printing of the Master Thesis
Thu 14.02.08 Tue 19.02.08
11
Final report hand-in
Tue 19.02.08 Tue 19.02.08
3 4 5 6 7 8
Start
Finish
September October
November
December
January
February
March
April
Figur 2 Gantt diagram
12
Appendix E: Progress report
v
Applicability of Layer of Protection Analysis to determine Safety Integrity Levels in the Process Industry Progress Report Master Thesis 20.11.07
Stud.techn. Anniken Reusch Berg
Progress The preparatory study report indicates that the following activities should by this time have been completed: • 1: Preparation study • 2: Progress report • 3: Description of some selected methods for SIL determination • 4: An overview of the LOPA method and the LOPA procedure in determining SIL At this time activity 1, 2 and 3 is finished. Activity 4 is done to a great extent, but requires more time. It took more time than planned to come up with good literature within this subject.
Deviation The reason all the planned activities is not completed is the time needed for completion of the various tasks is greater than first assumed. This is because it was difficult to find the relevant literature I needed, and some people were difficult to get in touch with. But even though my progress is a bit behind the plan, I will stick to the original plan and try to catch up.
