A Step-by-Step Guide to Conducting a LOPA Study


Layers of Protection Analysis Methodology 

LOPA (Layers of Protection Analysis) is a semi-quantitative method used to evaluate and analyze risk scenarios with significant consequences or the potential for major accidents. It assesses all available protection layers for a specific scenario and compares the calculated risk to an organization’s established risk tolerance criteria. If the risk is unacceptable, additional control measures or protective layers are recommended.

LOPA evaluates the risks of selected accident scenarios in orders of magnitude and builds on the information developed in qualitative hazard analysis techniques such as a HAZOP study. LOPA is limited to evaluating a single cause-consequence pair as a scenario. After the process is designed to minimize risk, the residual risk can be managed using the IPLs identified in a LOPA.

LOPA is especially used to determine the safety integrity level (SIL) of safety instrumented functions in conjunction with IEC 61511, but also as a general risk assessment tool to evaluate if the protection layers in a system are satisfactory.

LOPA can be applied at any point in the lifecycle of a project or process, but it is most cost effective when implemented during front-end loading, when process flow diagrams are complete and the P&IDs are under development. For existing processes, LOPA should be used during or after the HAZOP review or revalidation. It is also used during the operations and maintenance stage, when modifications are going to be made to an existing process or its control or safety system.

More about Independent Protection Layers can be found in the previous blog “Independent Protection Layers in Process Industry”.

Procedure for Conducting LOPA

A LOPA scenario is defined as a single initiating event and consequence pair. LOPA is performed for one scenario at a time. The frequency of the initiating event, the IPLs' risk reduction factors, and the severity of the consequence are all estimated within an order of magnitude. This data is then used in conjunction with the company or site approved risk matrix to assess the resultant risk.

1. Identify High Risk Scenarios for LOPA

LOPA builds on the information developed during a qualitative hazard evaluation, such as a process hazard analysis (PHA). Since LOPA typically evaluates scenarios that have been developed in a prior study, a first step by the LOPA analyst(s) is to screen these scenarios, and the most common screening method is based on consequence.

HAZOP assesses each identified hazard by documenting the initiating event cause and the protection layers that prevent or mitigate the hazard and reduce the risk. All SIFs, ESDs and high-risk scenarios identified during HAZOP are selected for LOPA analysis. Companies may establish their own criteria, such as consequence severity or the risk-level assessment by the PHA team, for the selection of scenarios to be evaluated using LOPA. The goal of a LOPA is to focus on the scenarios with the greatest risk.

Once all potential high-risk scenarios are selected and listed, LOPA is applied to one scenario at a time. The scenario describes a single cause–consequence pair.

Example:

Scenario Title: Hexane Surge Tank Overflow and spill not contained by the dike.

Consequence Description: Release of hexane outside the dike due to tank overflow and failure of dike with potential for ignition and fatality.

 2. Evaluation of Consequence Severity

Generally, the HAZOP or hazard identification stage will describe the consequence but will not assign the category of severity. The LOPA review team will then assign the severity category using the company’s risk matrix. Care should be taken by the LOPA review team to ensure the consequence was estimated assuming no safeguards were in place.

Sometimes, consequence modeling is required to determine the severity of the consequence, and the LOPA team will typically need to do this work offline or, in some cases, engage an external specialist for consequence analysis. Fully unmitigated risk is calculated assuming no safeguards or IPLs, as follows:

Fully unmitigated risk = Initiating event frequency × Consequence severity

 3. Tolerable Frequency Selection of the LOPA Scenario

The tolerable frequency of a hazardous consequence occurring as a result of the scenario is the value being determined by this analysis. Scenario frequencies calculated by LOPA can be expressed in a variety of ways, such as the frequency of loss-of-containment events per year or fatalities per year.

The tolerable risk values selected often range from 10⁻² to 10⁻⁶ per year. Risk matrices are often used to guide safety engineers as to which portions of the hazard analysis should be followed through with a LOPA analysis.

The figure below is an example of a risk matrix, which indicates the risk tolerance criteria for various categories of scenarios, depending on their severity. Note the categories low, medium, serious, and high. The more serious the consequence is, the lower the tolerable frequency, and the more protection layers are needed. Companies develop their own risk tolerance criteria, and would generally assign a tolerable risk frequency, or a required number of IPLs, to each category of potential consequence.

Risk Matrix

For example, the tolerable frequency of hexane tank overflow and spill not contained by the dike wall is 1×10⁻⁵ per year.

4. Identify the Initiating Event of the Scenario and Determine its Frequency (events per year)

Identify all initiating events of the selected scenario and determine the event frequency. In this step the frequency of a consequence, given failure of all IPLs/Safeguards, is determined. The frequency has to be based on the background of the scenario, like how often an operation causing an event is actually exercised.

An initiating event is a failure that starts a sequence of events that, if not interrupted by the successful operation of a layer of protection, results in a hazardous outcome. Examples of common initiating events include mechanical failure, operator error, and control loop failure.

Initiating event of hexane tank overflow: loop failure of the BPCS LIC; its frequency is 1×10⁻¹.

 5. Identify Enabling Conditions and Conditional Modifiers

Enabling conditions are conditions that must be present to allow the event to cause the consequence of concern. On the other hand, conditional modifiers are the conditions that must be present for the hazard scenario to develop into the consequence of concern. Both are expressed as probabilities.

Some companies do not use enabling conditions and conditional modifiers, to make the calculations simpler and more conservative. However, if these are applied properly, more accurate estimations of a risk scenario can be achieved.

Care must be taken to ensure the hazard identification team did not already account for a given enabling condition or conditional modifier when estimating the frequency or severity of the consequence in the hazard identification review.

The enabling condition for the hexane tank case is continuous operation, and its probability is 1. The conditional modifiers are: probability of ignition is 1, probability of personnel in the affected area is 0.5, and probability of fatal injury is 0.5.

 6. Determine Frequency of Unmitigated Event

Calculate the frequency of the unmitigated event by multiplying the frequency of the event by the probabilities of the enabling condition and the conditional modifiers. If the risk of the unmitigated event is found to be less than the tolerable risk, we simply document the decision and move to the next scenario with no further work or risk reduction required. For the hexane tank overflow example, the unmitigated frequency calculated is 2.5×10⁻².

Frequency of unmitigated event = 1 × 0.5 × 0.5 × 1×10⁻¹ = 2.5×10⁻²

7. Identify All IPLs of Initiating Events

Identify IPLs and estimate their probability of failure on demand. The effectiveness of the IPL or safeguard is quantified as probability of failure on demand (PFD). The LOPA team must review all safeguards documented during the hazard identification and determine if they qualify to be IPLs. For more details about Independent Protection Layers, please view the blog “Independent Protection Layers in Process Industry”.

For a safeguard to qualify as an IPL it must be specific, independent, dependable, and auditable. For the simplified LOPA each IPL must provide at least a factor of 10 risk reduction. Therefore, all IPLs are safeguards, but not all safeguards are IPLs. The team should also determine whether any IPLs were overlooked during the hazard identification stage, or whether any safeguards can be redesigned to qualify as IPLs.

There was only one IPL, the dike wall, for the hexane tank case: the BPCS failed, and the high-level alarm with human action cannot be taken as an IPL because it depends upon the BPCS. The PFD of the dike wall is 10⁻².

8. Calculate the Total PFD of All IPLs

The effectiveness of an IPL is quantified in terms of its probability of failure on demand (PFD), which is defined as the probability that a system (in this case the IPL) will fail to perform a specified function on demand. The PFD is a dimensionless number between 0 and 1. The smaller the value of the PFD, the larger the reduction in frequency of the consequence for a given initiating event frequency. The “reduction in frequency” achieved by an IPL is sometimes termed the “risk reduction factor”.

PFD values used within an organization should be applied consistently, although variations between different facilities are appropriate if justified by differences in design, construction, installation, inspection or maintenance. The PFD values should also be consistent with the failure rates used to develop initiating event frequencies and risk tolerance criteria.

Sources for PFD values for the IPLs include OREDA (Offshore Reliability Data), Exida, company-specific failure records, the SAFER-Reliability Data Library, vendor-supplied data, and Center for Chemical Process Safety guidelines.

Total PFD of All IPLs (Total Risk Reduction) = (PFD of IPL1) × (PFD of IPL2) × (PFD of IPL3) × …

For the above example, the total PFD is 1×10⁻².

9. Calculate the Mitigated Event Frequency

Mitigated Event Frequency (MEF) is the frequency at which a hazardous event occurs after accounting for the implementation of safeguards or mitigation measures. It is obtained by multiplying the frequency of the unmitigated event by the total PFD of all IPLs.

MEF = Unmitigated Event Frequency × Total PFD of All IPLs

Mitigated event frequency of hexane tank = 2.5×10⁻² × 10⁻² = 2.5×10⁻⁴

10. Determine if the Risk is Tolerable

If the intermediate event frequency calculated in step 11 is greater than the tolerable event frequency for the scenario’s consequence category, then additional risk reduction will be required. In a simplified LOPA the additional risk reduction required will be one, two or three orders of magnitude. If the risk is found to be tolerable, we simply document that no associated SIF is required and start analyzing the next scenario.

In the example of hexane tank overflow, the risk is not tolerable, as the frequency of the mitigated event (i.e. 2.5×10⁻⁴) is higher than the tolerable frequency, which is 1×10⁻⁵ per year. A new of 1×10⁻² is recommended to bring the risk into the tolerable range. Then the mitigated frequency would become 2.5×10⁻⁶.

11. Assign the SILs to SIFs

If a SIF is needed, its SIL target will be selected using the risk reduction requirement as per the following table:

SIL 3 & SIL 4 should be rare. Furthermore, certain companies will require the process to be redesigned if a SIL 4 SIF is identified, since that is typically an easier and cheaper path to manage the overall risk. As a general rule, if more than 25% of the SIFs are SIL 3 or 4, the LOPA review should be put on hold and the root cause of the high SILs should be determined.
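The hexane tank calculation from steps 6 to 11, carried through as an added Python example that is not part of the original article. The function name `lopa`, its parameters and the power-of-ten rounding are assumptions made for illustration; the SIL bands are the standard IEC 61511 low-demand risk-reduction ranges, not the article's own table.

```python
import math

# IEC 61511 low-demand SIL bands as upper bounds on the risk reduction
# factor (RRF). Standard values, not the article's table. SIL 0 here
# means "below SIL 1": an RRF of 10 or less needs no SIL-rated function.
SIL_BANDS = [(0, 10), (1, 100), (2, 1_000), (3, 10_000), (4, 100_000)]

def lopa(ie_freq, enabling, modifiers, ipl_pfds, tolerable):
    """Simplified LOPA for one cause-consequence pair (steps 6 to 11)."""
    for p in [enabling, *modifiers, *ipl_pfds]:
        if not 0 < p <= 1:
            raise ValueError(f"probability out of range: {p}")
    unmitigated = ie_freq * enabling * math.prod(modifiers)   # step 6
    total_pfd = math.prod(ipl_pfds)      # step 8 (1.0 when no IPL qualifies)
    mef = unmitigated * total_pfd                             # step 9
    result = {"unmitigated": unmitigated, "total_pfd": total_pfd,
              "mef": mef, "tolerable": mef <= tolerable,      # step 10
              "extra_pfd": None, "mef_after": None, "sil": None}
    if result["tolerable"]:
        return result
    # Simplified LOPA works in whole orders of magnitude: round the required
    # RRF up to the next power of ten (the 1e-9 absorbs float noise).
    decades = math.ceil(math.log10(mef / tolerable) - 1e-9)
    result["extra_pfd"] = 10.0 ** -decades
    result["mef_after"] = mef * result["extra_pfd"]
    # Step 11: None means the gap exceeds SIL 4, so redesign the process.
    result["sil"] = next((s for s, hi in SIL_BANDS if 10 ** decades <= hi), None)
    return result

# The article's hexane surge tank scenario.
HEXANE = lopa(
    ie_freq=1e-1,               # BPCS LIC loop failure
    enabling=1.0,               # continuous operation
    modifiers=[1.0, 0.5, 0.5],  # ignition, personnel present, fatal injury
    ipl_pfds=[1e-2],            # dike wall, the only qualifying IPL
    tolerable=1e-5,             # tolerable frequency per year
)

if __name__ == "__main__":
    for key, value in HEXANE.items():
        print(f"{key:>12}: {value}")
```

The raw shortfall for this scenario is a factor of 25, which the order-of-magnitude rounding turns into the 1×10⁻² of additional risk reduction used in the worked example.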

12. Determine how to provide the additional Risk Reduction

If additional risk reduction is required, the LOPA team has several options:

  • Redesign the system to lower the initiating event frequency or consequence severity
  • Redesign an existing IPL to provide additional risk reduction
  • Analyze the scenario using a less conservative, more quantitative technique
  • Recommend a SIF be designed and implemented to mitigate the risk.

Redesigning the system to lower the initiating event frequency or consequence severity should always be the first option investigated since doing this would help to avoid the hazard in the first place instead of actively trying to prevent it from propagating into the incident.

Analyzing the scenario with a more quantitative technique is also preferred, since it will determine if additional risk reduction is really required and could eliminate the design, installation and maintenance costs of new IPLs or SIFs.

 Top References

  1. Practical SIL Target Selection by Heidi Hartman, Dr. Eric Scharpf and Hal Thomas
  2. Layer of Protection Analysis, Simplified Process Risk Assessment by Center for Chemical Process Safety
  3. Basic Introduction to SIL Assessment using Layers of Protection Analysis (LOPA) by Fiaz Moazzam.
  4. IEC 61511 Standard
  5. https://education.aiche.org/topclass/media/aa279ee5-6a8a-466f-a9cd-16f141f49894/story_content/external_files/Level%203_Course%201.1_Unit%201_Slides.pdf
  6. Layer of Protection Analysis by Ronald J. Willey, https://core.ac.uk/download/pdf/81971209.pdf
