The last step could be to calculate the total risk with respect to each specific impact event. The mitigated event likelihoods for all events that are rated as serious or extensive and that present the same hazard are added up. This step could include additional probabilities, if not accounted for in the previous steps.
Example
In Table 3.1 some rows are filled in. The example is overpressure of a topside separator, taken from Harsem Lund (2007). The HAZOP identified that pressure above the design pressure of the separator could cause rupture and possible ignition, leading to a number of fatalities between 1 and 10. Further, two initiating causes with initiating likelihoods were identified. General process design, BPCS and alarms are not given credit as PLs, and are thus given the value 1. Additional mitigation (restricted access) is estimated to 0.21, due to an assumed ignition probability of 0.3 and occupancy of 70%. IPL additional mitigation is estimated to 0.08, due to the assumption that 8 PSVs must be running to avoid pressure build-up above test pressure. The intermediate event likelihood is now calculated for the initiating events, and the corporate / company criterion for this severity level (E) is $3 \cdot 10^{-5}$ events per year. The sum of the intermediate event likelihoods is $1.717 \cdot 10^{-3}$ events per year. Dividing $3 \cdot 10^{-5}$ by $1.717 \cdot 10^{-3}$ gives a necessary risk reduction of $1.75 \cdot 10^{-2}$, which is a SIL 1 requirement. The mitigated event likelihoods become $3 \cdot 10^{-5}$ and $3 \cdot 10^{-7}$ events per year, which give a total of $3.03 \cdot 10^{-5}$ events per year.
Note that both in the table and in the calculations accurate numbers are
3.5 Different approaches in literature
Many similarities can be found among the approaches and methodologies presented in the literature. Summers (2003), Ellis and Wharton (2006) and Dowell (1998) have presented flowcharts, while IEC 61511 uses a worksheet as the basis for its methodology. BP (2006) has its own procedure providing guidance on LOPA, which includes a flowchart. CCPS (2001) presents a diagram explaining the LOPA steps, with a chapter explaining each step. The approach in IEC 61511 is, however, the most prevalent. The essential steps that seem common are:
• Documentation of the hazard analysis
• Development of scenario or impact event
• Identification of initiating causes
• Determination of the protection layers including the IPLs
• Quantification (cause frequency / likelihood and PFD)
• Target risk evaluation / SIL determination
As the list indicates, the major steps in the SIL determination process are covered. Most approaches take information from previous studies to identify hazards and to form a basis for the next steps. The initiating causes are identified, and the frequency determined. The most substantial differences between the various approaches are the use of terms, the order of the steps and the intended application. Another distinction is how the SIL is incorporated and evaluated.
Often the "as is" process design is evaluated. The existing protection layers are identified and the intermediate event likelihood determined before assigning a SIL to the SIF. Sometimes the SIF under consideration, with the expected PFD, is included implicitly in the calculations. This results in a different criterion for acceptability. The mitigated event likelihood is then the calculated frequency that is compared to the acceptance criteria, not the intermediate event likelihood.
Some authors use screening tools, and / or suggest LOPA as a part of a total methodology. Ellis and Wharton (2006) suggest such a close interface between LOPA and other methods. Figure 3.4 is an extract of the determination methodology presented in Ellis and Wharton (2006). The consequences of the impact events are classified. A consequence level is chosen for the impact event under consideration, and LOPA is used if the most severe category $C_E$ is selected. If not, a risk graph approach is utilized. If the risk graph results in SIL 1 (or lower), this is documented as the final SIL. The risk graph may result in a high SIL (SIL 2 - 4), and LOPA is suggested in those cases. The LOPA may conclude a SIL 3-4. If this is the case, a fault tree analysis (FTA) is initiated. If the FTA results in SIL 3-4, redesign to eliminate the hazard or reduce event severity or event likelihood is needed. Harsem Lund (2007) supports the use of risk graph and QRA in addition to LOPA, depending on the calculated SIL.
Figure 3.4: Extract of SIL determination methodology from Ellis and Wharton (2006)
3.6 Aker E&T methodology
The Aker E&T LOPA methodology is presented in Figure 3.5. The method is modified from the one given in Nordhagen (2007). Compared to the approaches discussed in Section 3.5, the Aker E&T approach is an overall methodology that does not implicitly take the proposed SIF into account. Often the customer methodology (i.e. Statoil, BP) forms the basis for the analysis.
P&IDs are schematic diagrams describing piping, equipment and instrumentation connections within process plants. ISO 10418 (2003) is a technical standard that provides objectives, functional requirements and guidelines for techniques for analysis, design and testing of surface process safety systems. This standard helps the design team to implement safety functions in the P&IDs for the system concerned. A HAZID, HAZOP or WHAT-IF analysis helps to identify process deviations which require additional SIFs. After all information has been gathered and documented in the P&IDs and additional documentation, a LOPA is initiated. The report sheet in Table 3.1 is used, and the steps described in Section 3.4 are followed, except for the steps where the mitigated event likelihood and the total risk are calculated. An example of acceptance criteria is shown in Table 4.1, and the accepted frequency is denoted target mitigated event likelihood (TMEL). The mitigated event likelihood is in the Aker E&T approach equal
Figure 3.5: Aker E&T methodology adapted from Nordhagen (2007)
The SIF under consideration is assumed not to be in place during the analysis, and the formula used in the evaluation of the LOPA results can be written $\frac{\text{Acc. freq.}}{\text{Total IEL}}$. If the ratio between the accepted frequency (Acc. freq.) and the calculated total intermediate event likelihood (IEL) is greater than or equal to 1, the team shall evaluate whether the SIF shall be removed or not. This implies that the resulting frequency of the end-consequence, without the proposed SIF, is equal to or less than the accepted frequency. The analysis team can either remove the SIF, because the system is evaluated as safe enough, or keep the SIF but without any requirements to the safety function. If $1 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.1$, "SIL 0" is selected. This implies that the intermediate event likelihood is between 1 and ten times higher than the acceptable value. No further evaluation is necessary, but the SIF is kept in order to achieve some risk reduction. If $0.1 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.01$, which is equivalent to SIL 1 in IEC 61511, SIL 1 is selected and no further evaluation is done. SIL 2 is selected if $0.01 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.001$. If the analysis result is SIL 3 ($0.001 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.0001$), a QRA is initiated to further evaluate the SIF (Nordhagen, 2007).
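The band selection described above, together with the summation of intermediate event likelihoods from the separator example, can be written out in Python. This is an added example, not code from the original text or from Aker E&T; the function names, the two initiating likelihoods and the handling of a ratio that falls exactly on a band limit are assumptions made for illustration.

```python
from math import prod

# Layer credits quoted in the separator example: general process design, BPCS
# and alarms are given no credit (1); additional mitigation 0.21; IPL 0.08.
CREDITS = [1, 1, 1, 0.21, 0.08]

# Lower bounds of the bands stated in the text for Acc. freq. / Total IEL.
# Assumption: a ratio exactly on a bound falls in the more stringent band.
BANDS = [
    (0.1, "SIL 0"),
    (0.01, "SIL 1"),
    (0.001, "SIL 2"),
    (0.0001, "SIL 3 (initiate QRA)"),
]


def intermediate_event_likelihood(initiating_likelihood, credits):
    """IEL of one initiating cause: its likelihood times every layer credit."""
    if initiating_likelihood < 0 or any(not 0 < c <= 1 for c in credits):
        raise ValueError("likelihood must be >= 0 and each credit in (0, 1]")
    return initiating_likelihood * prod(credits)


def total_iel(initiating_likelihoods, credits):
    """Sum the IELs of all causes leading to the same impact event."""
    return sum(intermediate_event_likelihood(f, credits) for f in initiating_likelihoods)


def select_sil(accepted_frequency, total):
    """Map Acc. freq. / Total IEL onto the bands described in the text."""
    if accepted_frequency <= 0 or total <= 0:
        raise ValueError("both frequencies must be positive")
    ratio = accepted_frequency / total
    if ratio >= 1:
        return "no SIL requirement (evaluate removing the SIF)"
    for lower_bound, label in BANDS:
        if ratio > lower_bound:
            return label
    return "outside the bands given in the text"


if __name__ == "__main__":
    # Constructed initiating likelihoods (events per year), not from Table 3.1.
    constructed = total_iel([0.1, 0.001], CREDITS)
    print(f"constructed total IEL = {constructed:.4e}", select_sil(3e-5, constructed))
    # Totals quoted in the text: 3e-5 accepted, 1.717e-3 total IEL.
    print(select_sil(3e-5, 1.717e-3))
```

The text does not say what happens when the ratio equals a band limit or falls below 0.0001, so the first case is resolved conservatively and the second is reported rather than assigned a SIL.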