
Applicability of Layer of Protection Analysis to determine Safety Integrity Levels in the Process Industry

Stud. techn. Anniken Reusch Berg

Department of Production and Quality Engineering, Norwegian University of Science and Technology, Norway

Faculty of Engineering Science and Technology, Department of Production and Quality Engineering

1 of 2   Date: 2007-09-13   Our reference: MAR/LMS

MASTER THESIS Autumn 2007

for

stud. techn. Anniken Reusch Berg

DETERMINATION OF SAFETY INTEGRITY LEVEL BY LAYER OF PROTECTION ANALYSIS (LOPA)

(Norwegian title: Bestemmelse av SIL-nivå ved LOPA-analyse)

Various approaches have been suggested to determine the appropriate safety integrity level (SIL) for safety instrumented functions (SIFs). Some of these approaches are indicated in the international standards IEC 61508 and IEC 61511 and also in the application guide OLF 070 for the Norwegian oil and gas industry. The main objective of this master thesis is to study the applicability of the semi-quantitative approach Layer of Protection Analysis (LOPA). LOPA is briefly described and recommended in IEC 61511 and in guides from the Center for Chemical Process Safety of the American Institute of Chemical Engineers.

As part of this thesis, the candidate shall:

1. Identify, become familiar with, and give a brief description of available approaches for determination of appropriate SIL levels. Pros and cons related to the various approaches shall briefly be highlighted.

2. Give a detailed presentation of the LOPA approach and illustrate its use through simple examples.

3. Carry out a case study on Petrojarl Varg and analyze this case by LOPA and selected alternative methods. Compare the results from the various methods and discuss possible deviations.

4. Identify and discuss practical advantages and disadvantages of using LOPA.

5. Give recommendations on which approach is most applicable for determination of the SIL level in selected application areas.

Following agreement with the supervisors, the various items may be given different weights.

Within three weeks after the date of the task handout, a pre-study report shall be prepared. The report shall cover the following:

- An analysis of the work task's content with specific emphasis on the areas where new knowledge has to be gained.

- A description of the work packages that shall be performed. This description shall lead to a clear definition of the scope and extent of the total task to be performed.

- A time schedule for the project. The plan shall comprise a Gantt diagram with specification of the individual work packages, their scheduled start and end dates, and a specification of project milestones.

The pre-study report is a part of the total task reporting. It shall be included in the final report. Progress reports made during the project period shall also be included in the final report.

The report should be edited as a research report with a summary, table of contents, conclusion, list of references, list of literature, etc. The text should be clear and concise, and include the necessary references to figures, tables, and diagrams. It is also important that exact references are given to any external source used in the text.

Equipment and software developed during the project are a part of the fulfilment of the task. Unless outside parties have exclusive property rights or the equipment is physically non-moveable, it should be handed in along with the final report. Suitable documentation for the correct use of such material is also required as part of the final report.

The student must cover travel expenses, telecommunication, and copying unless otherwise agreed.

If the candidate encounters unforeseen difficulties in the work, and if these difficulties warrant a reformulation of the task, these problems should immediately be addressed to the Department.

Two bound copies of the final report and one electronic version are required.

Responsible professor: Marvin Rausand, Telephone: 73 5925 42, E-mail: marvin.rausand@ntnu.no

Supervisor at Safetec Nordic AS: Atle Westby, Sluppenvegen 12B, 7037 Trondheim, Telephone: 982 59 588, E-mail: atle.westby@safetec.no

DEPARTMENT OF PRODUCTION AND QUALITY ENGINEERING

Per Schjølberg, Associate Professor/Head of Department

Marvin Rausand, Responsible Professor

NTNU, Norwegian University of Science and Technology (Norges teknisk-naturvitenskapelige universitet)

Faculty of Engineering Science and Technology, Programme for Product Development and Production

Declaration, MASTER THESIS, autumn semester 2007

Stud. techn. Anniken Reusch Berg

DECLARATION

I hereby declare on my honour and conscience that I have carried out the above master thesis myself and without any unlawful assistance.

In accordance with § 3.5.5 of the regulations for the sivilarkitekt and sivilingeniør programmes, the submitted work with attachments becomes the property of the university and may be freely used by the university for teaching and research purposes. The work may not be used for other purposes, e.g. commercial ones, without an agreement between the university and the student concerned.


Preface

This Master Thesis was written during the autumn semester 2007 at the Norwegian University of Science and Technology, NTNU, and is considered the finalization of the studies. The Master Thesis was performed in co-operation with Safetec Nordic AS.

The main objective of this thesis was to study the Layer of Protection Analysis (LOPA) regarding its ability to determine appropriate Safety Integrity Levels (SIL) for the offshore and petroleum industry, and further to briefly describe some alternative methods mentioned in the international standards IEC 61508 and IEC 61511. As a part of this thesis a practical case has been executed at Petrojarl Varg using the LOPA method to analyze and determine acceptable SIL requirements. The results are compared to the minimum requirements in OLF Guideline-070.

It is assumed that the readers of this report have basic knowledge of risk analysis. I would like to thank my supervisor Atle Vestby at Safetec Nordic AS for his assistance during the preparation of this paper. Also thanks to my supervisor Professor Marvin Rausand at NTNU for sharing his knowledge and for constructive and patient supervision throughout the course of this work. I would also like to thank Teekay Petrojarl for allowing me to execute a case using LOPA at Petrojarl Varg and for taking the time to participate in the analysis. Special thanks are also due to Linn Nordhagen at Aker Kværner, who helpfully answered my questions and gave me guidance during the preparation of this paper.

Anniken Reusch Berg, Trondheim, February 2007


Summary

All businesses and projects are subject to risk. The key to success lies in how one manages risks and what protective measures are taken to minimize the likelihood and the consequences of undesirable events.

In the process industry, failure or malfunction of process plants, machinery and other equipment presents risk to people, the environment and assets. In response to the increasing severity and number of industrial accidents, international standards like IEC 61508 and IEC 61511 have forced the industry to seek instrumented solutions that will improve the safety of industrial processes. IEC 61508 is a generic standard that applies to all electrical, electronic and programmable electronic (E/E/PE) technologies, irrespective of their application. IEC 61511 restates the functional safety requirements established by IEC 61508 in process industry sector terminology. In the Norwegian oil and gas industry the OLF Guideline-070 has become prominent. The overall goal is to ensure that plants and equipment can be safely operated.

The standards present approaches to determine whether additional safety equipment is necessary and to define its functional requirements. They employ the concept of safety integrity levels (SIL), defined as a relative level of risk reduction provided by a safety function, or used to specify a target level of risk reduction. Establishing the SIL is a requirement in IEC 61508, and it is therefore necessary to have a methodology that provides consistent, auditable results. The difficulty is that there is a considerable number of methods for SIL determination, while the information on which method to use in which case is limited.

A relatively new method for determining the appropriate SIL is Layer of Protection Analysis (LOPA), proposed in IEC 61511. It is a semi-quantitative method used to ensure that process risk is reduced to an acceptable level. Individual hazard scenarios defined by cause-consequence pairs are analyzed. Scenario risk is determined by combining scenario frequency and consequence severity. Independent protection layers (IPL) are analyzed for their effectiveness. The combined effects of the protection layers are then compared to risk tolerance criteria to determine if additional risk reduction is necessary to reach an acceptable level.

A case study has been performed to examine the applicability of LOPA for determining the appropriate SIL and to compare the results with the minimum SIL requirements given in the OLF guideline. The case study revealed that it can be difficult to obtain consistent results with LOPA: different users can arrive at different SILs for the same function, depending on the experience data established by the team participants. Repeatability is therefore an important factor when using LOPA, and each company should provide an internal guidance document so that all sites are consistent in their application of LOPA initiating cause frequencies. The OLF guideline also tends to give stricter SIL requirements than LOPA, which in turn may lead to more frequent testing and, more often, place people in hazardous zones. Another problem with the minimum SIL table in OLF is that it opens the possibility for shortcuts, e.g., applying the tabulated SIL with no evaluation performed in advance. This may cause the final product to be less reliable than necessary.

Semi-quantitative methods are favoured by industry because they require less mathematical modelling. Because of its simplicity and quicker risk assessment approach, LOPA is destined to become a widely used technique. LOPA has already been widely adopted over the past years. This is mainly because it allows a more detailed consideration of a specific situation and its

Table of contents

Preface ... i

Summary ... ii

Table of contents ... iv

Abstract ... 1

1 Introduction ... 2

2 Approaches to the determination of SIL... 3

2.1 A qualitative method – The Safety Layer Matrix ... 4

2.2 A semi-quantitative method - Risk Graph... 5

2.3 A quantitative method- Fault tree Analysis (FTA) ... 6

2.4 Layer of Protection Analysis (LOPA)... 7

3 Layer of Protection Analysis (LOPA) approach ... 8

3.1 Introduction ... 8

3.2 The LOPA process ... 10

4 Case study ... 15

4.1 System analyzed... 15

4.2 Application of LOPA ... 16

4.3 Application of the OLF Guideline 070 ... 18

4.4 Discussion ... 19

5 Evaluation of LOPA... 19

5.1 Benefits of using LOPA ... 19

5.2 Limitations of using LOPA ... 20

5.3 Recommendations ... 21

6 Conclusions and further work ... 22

7 Acknowlegement... 23

8 References ... 24

Appendixes ... 27

Appendix A: LOPA presentation

Appendix B: P&ID for Petrojarl Varg

Appendix C: LOPA data

Appendix D: Preparatory Study Report

Appendix E: Progress report

Applicability of Layer of Protection Analysis to determine Safety Integrity Levels in the Process Industry

Stud. Techn. Anniken Reusch Berg

Department of Production and Quality Engineering, Norwegian University of Science and Technology, S. P. Andersens v. 5, NO 7491 Trondheim, Norway

Abstract

Tools such as Layer of Protection Analysis (LOPA) can be used to improve the understanding and management of risks related to process safety. LOPA is a relatively new semi-quantitative method used to ensure that process risk is reduced to an acceptable level. This article presents and discusses the applicability of the LOPA method in determining appropriate Safety Integrity Levels (SIL) for the process industry. The global importance of SIL has grown considerably over the last decade. The various methods available for determining acceptable SIL have a tendency to yield different answers, and to date only limited guidance has been given on which method to use for which case. This article briefly describes some of the methods available for SIL determination, with the main focus on the LOPA method. LOPA is considered an effective tool for SIL assignment that allocates risk reduction resources efficiently.

Keywords: Layer of Protection Analysis (LOPA), protection layers, Safety Integrity Level


1 Introduction

In today's industry there is a constant struggle to improve performance and profitability while maintaining and improving safety. The process industry is required to provide and maintain a safe working environment for its employees. Safety is provided through safe design and various safeguards, such as instrumented systems, procedures and training of personnel. At processing plants in both land-based and offshore industry, safety instrumented systems (SIS) are often used to keep the risk within acceptable limits. The quality of the instrumented solution directly determines the risk reduction obtained. The safety of a plant, its employees and its surroundings depends on the ability of the plant to quickly shut down or shift to a safe state should an abnormality occur, and the reliability of that response depends on the integrity of its sensors.

Learning the details of our industrial processes is important in improving safety; not only by adding safeguards, but by eliminating hazards. Risk assessment can be used as an effective tool in fully understanding the entire process.

There are a number of resources available today to inform about the need, importance, and methodology for risk assessments. Regardless of which of the many methodologies we choose, resources are available to us to perform comprehensive risk assessments. In fact, choosing the method may now be the biggest decision we have to make when we set about doing a risk assessment. Major accidents around the world have raised awareness and the desire to design safety systems in such a way as to prevent dangerous failures or to control them when they arise. To what extent, however, can a process be expected to perform safely? And, in the presence of failure, to what extent can the process be expected to fail safely? These questions are answered through the performance of a Safety Integrity Level (SIL) analysis [16].

A SIL is a measure of safety system performance in terms of Probability of Failure on Demand (PFD); it indicates the tolerable failure rate of a particular safety function. The worldwide importance of SIL has grown noticeably during the last decade in the oil/gas, petrochemical and other process industries. The objective of SIL allocation is to allocate the safety functions contained in the overall safety requirements, covering both the safety function requirements and the safety integrity requirements, to the safety-related systems. Using SILs allows the rare but possible safety system failures to be taken into consideration, in addition to those existing in the operational system. A SIL has to be allocated for each safety function.

The international standards IEC 61508 [5] and IEC 61511 [6] give life cycle requirements for Safety Instrumented Systems (SIS), and use SIL as a measure of the reliability of the SIS. Safety integrity is defined by IEC 61508 as "the probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a specific period of time". IEC 61508 is a generic standard, while IEC 61511 is guidance for implementation of IEC 61508 in the process sector. Both IEC 61508-5 and IEC 61511-3 contain several risk-based methods for establishing SILs.

The Norwegian Oil Industry Association (OLF) has developed an application guideline, OLF-070 [6], to support the use of IEC 61508 / 61511. While IEC 61508 describes a fully risk-based allocation of SIL, OLF-070 introduces minimum SIL requirements for the most common instrumented safety functions on a petroleum production station. The requirements are based on experience with a design practice that has resulted in a safety level considered adequate. OLF-070 is meant as a standardisation for the industry, to avoid spending a great deal of time on determining the requirements.

There is a problem in that the number of methods available for SIL determination is considerable, while the description of which method to use in which case is limited [20]. Experience has shown that the different techniques can yield significantly different answers. Qualitative techniques can give overly pessimistic answers (e.g., falsely high integrity level requirements), while more quantitative techniques can give significantly lower requirements. The process sector, in IEC 61511, recommends Layer of Protection Analysis (LOPA) as an alternative approach to risk reduction. LOPA has emerged during the last ten years as a simplified form of Quantitative Risk Assessment (QRA) and is a relatively new method. It introduced a new concept for safety-related control systems, combining traditional protection layers with safety instrumented systems in a new analysis tool to determine SIL requirements.

The only integrity level (IL) considered in this thesis is the SIL; Environmental IL (EIL) and Commercial IL (CIL) are not treated.

The main objectives of this paper are to: i) describe available approaches to the determination of appropriate SIL-levels, and highlight "pros" and "cons" related to the various approaches; ii) present and discuss the applicability of the LOPA method in determining SIL; iii) analyze a practical case by LOPA and a selected alternative method, OLF guideline 070, and compare the results and discuss possible deviations; iv) evaluate the LOPA method and give recommendations on the approach that is most applicable for determination of the SIL in selected application areas.

The remainder of this paper is organized as follows: section 2 describes some selected approaches indicated in the international standards IEC 61508 and IEC 61511 for determining SIL. Section 3 describes the LOPA approach, while a practical case study is conducted in section 4 using LOPA as the analytical tool. Section 5 gives an evaluation of LOPA, and concluding remarks are presented in section 6.

2 Approaches to the determination of SIL

While the Hazard and Operability (HAZOP) study identifies and risk-ranks hazards, SIL determination focuses on the adequacy of safeguards to reduce or mitigate hazards [15]. There are four levels of safety integrity specified in IEC 61508, where SIL 4 is the highest level and SIL 1 the lowest. The levels are defined by the PFD. Each level corresponds to a PFD band, as shown in Table 1.

Table 1: The relationship between SIL and the required failure probability. Adopted from [3].

SIL   Demand mode of operation                    Continuous / high-demand mode of operation
      (average probability of failure to           (probability of a dangerous failure
      perform its design function on demand, PFD)  per hour)
4     ≥ 10^-5 to < 10^-4                          ≥ 10^-9 to < 10^-8
3     ≥ 10^-4 to < 10^-3                          ≥ 10^-8 to < 10^-7
2     ≥ 10^-3 to < 10^-2                          ≥ 10^-7 to < 10^-6
1     ≥ 10^-2 to < 10^-1                          ≥ 10^-6 to < 10^-5

SIL determination of a Safety Instrumented Function (SIF) is not solely the responsibility of the instrumentation engineer. It is a team assessment where the team represents knowledge of the hazards, any associated risks, and the other layers of risk reduction that are being applied during the life cycle of the plant under review, to reduce the risk towards the declared tolerable value. Tolerable risk is based on the current values of society.

There is a variety of techniques for determining SILs, and some of the risk-based methods from IEC 61508 and IEC 61511 are presented in the next sections. The standards offer three types of methods for determining SIL requirements [5, 6]:

- Qualitative methods;

- Semi-quantitative methods;

- Quantitative methods.

This section presents a brief example of each type. More detailed information can be found in the Annexes of IEC 61508-5 and IEC 61511-3.

2.1 A qualitative method – The Safety Layer Matrix

The safety layer matrix method is described in Annex E of IEC 61508 and Annex C of IEC 61511-3. It is a qualitative method and an attractive alternative for SIL determination because it does not require actual quantitative figures for the hazard demand rates, risk frequency and consequences.

The general procedure for the safety layer matrix method is as follows:

1. Establish the process safety target level.

2. Identify all relevant hazardous events.

3. Establish the hazardous event scenarios and estimate the hazardous event likelihood using company-specific data and guidelines.

4. Establish a severity rating for the hazardous events using company-specific guidelines.

5. Identify the existing protection layers. The estimated likelihood of the hazardous event should be reduced by a factor of 10 for every protection layer.

6. Identify the need for possible additional SIS and protection layers by comparing the remaining risk with the safety target level.


Figure 1 An example of a safety layer matrix. Copied from [21].

The SIL requirements are determined from a safety layer matrix as shown in Figure 1. The likelihood of the hazardous event, its severity rating and the number of protection layers are the parameters that, together with the matrix, identify the SIL requirement.

This method is not suitable for detailed analysis and is a somewhat simplistic approach. It is conservative and probably ensures adequate protection, but could lead to relatively expensive solutions [18]. Another disadvantage is that it only provides a SIL rating, not a PFD value, and so gives no indication of where within the SIL band the requirement lies.

2.2 A semi-quantitative method - Risk Graph

The Risk Graph method presented in Annex D of IEC 61508-5 is a qualitative method, while IEC 61511-3 defines it as a semi-quantitative method. This article refers to Risk Graph as a semi-quantitative approach. The method enables the SIL of a safety-related system to be determined from knowledge of four parameters: consequence, C; frequency of exposure, F; possibility of escape, P; and likelihood of event, W. Each of these parameters is then assessed in terms of levels, shown as subscripted numbers. The Risk Graph shown in Figure 2 has four levels for consequence, two levels for frequency, two levels for possibility of escape, and three levels for likelihood. As the subscripted numbers increase, the perceived hazard is higher. Each of these levels must be carefully defined on a corporate basis for the methodology to be useful.

This method is consequence-driven, but allows credit for controlling access to the facility. The likelihood and consequence are determined by considering the independent protection layers during the assessment. The SIL requirements can be determined by using the predefined parameters of table D.2 (IEC 61511, Annex D) and applying them in a Risk Graph scheme such as Figure 2. The parameters should represent the risk factors that relate best to the application characteristics involved.

The Risk Graph method depends heavily on the experience of the hazard analysis team, and may tend to be subjective and emotional. It is not well suited for complex scenarios [9]. Like the safety layer matrix, it only provides a SIL rating, not a PFD value.

Figure 2: Typical Risk Graph. Copied from [6]

2.3 A quantitative method- Fault tree Analysis (FTA)

Fault tree analysis (FTA) is one of the most common techniques applied for quantifying risk in the process industry. It is used as a quantitative method because fault tree symbols show the failure logic of the SIS and the evaluation is mathematically rigorous. FTA is binary (fail/success) and a structured top-down deductive analysis [27]. The graphical nature of the technique allows visualization of failure paths. Fault trees can model diverse technologies and complex failures. Even though FTA depends largely on the domain-specific knowledge of human experts, an advantage is that the process is not automated: the analysis requires full involvement by the participants.

The quantitative approach to the determination of SIL is the most rigorous and time-consuming. One starts by determining the process demand or incident likelihood quantitatively with the use of a fault tree.

An FTA begins with a graphical representation of the SIS failure. A simple fault tree, or perhaps a part of a larger fault tree, is shown in Figure 3. The failure of the SIS (top event Q) occurs if device A or device B fails, and device B only fails if devices C and D both fail. OR and AND gates are used to illustrate this logic.

Figure 3 A simple Fault Tree

Note that when a specific problem is at hand, it becomes necessary to describe exactly what events such as Q, A, B, C, and D are. The proper procedure is to write the statements entered in the event boxes as faults: state precisely what the fault is and when it occurs.

This approach is more suitable for complex scenarios than the two previous methods. FTA quantitatively estimates the frequency of the undesired event for a given process configuration. If the frequency is too high, a SIS of a certain SIL is added to the design and incorporated into the FTA. The SIL can be increased until the frequency is low enough in the judgment of the team.

FTA provides acceptable approximations of the PFDavg for the SIS [26], but because of its binary behaviour it may fail to address some problems [27].
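To make the fault tree arithmetic concrete, here is an added example (not code from the thesis) that evaluates the tree of Figure 3 numerically. The basic-event probabilities are constructed for illustration, not taken from the page: A = 1e-2, C = 1e-1, D = 5e-2, treated as PFDavg of independent components. The code computes the exact top-event probability through the OR and AND gates, derives the minimal cut sets, and compares the exact value with the rare-event (sum of cut sets) approximation that is often used by hand and always bounds the exact value from above.

```python
"""Evaluate the simple fault tree of Figure 3: Q = A OR B, B = C AND D.

Added example, not code from the thesis. Basic-event probabilities are
constructed for illustration; treat them as PFDavg of independent components.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import prod
from typing import Union


@dataclass(frozen=True)
class Event:
    """Basic event: a component failure with a known probability."""
    name: str
    prob: float


@dataclass(frozen=True)
class Gate:
    """Intermediate or top event combining its inputs with an AND or OR gate."""
    name: str
    kind: str            # "AND" or "OR"
    inputs: tuple        # of Event | Gate


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Exact probability of the event, assuming independent basic events."""
    if isinstance(node, Event):
        return node.prob
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return prod(ps)                          # all inputs must fail
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)   # at least one input fails
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> set[frozenset[str]]:
    """Smallest sets of basic events that together cause the event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child)
    else:  # AND: every combination of one cut set per input
        sets = {frozenset()}
        for cs in child:
            sets = {a | b for a in sets for b in cs}
    # drop any cut set that contains a smaller one (non-minimal)
    return {s for s in sets if not any(o < s for o in sets)}


def rare_event_approximation(node: Node, probs: dict[str, float]) -> float:
    """Upper bound on the event probability: sum of the cut-set products."""
    return sum(prod(probs[e] for e in cs) for cs in minimal_cut_sets(node))


# Constructed data for the tree in Figure 3 (not from the thesis).
A = Event("A", 1.0e-2)
C = Event("C", 1.0e-1)
D = Event("D", 5.0e-2)
B = Gate("B", "AND", (C, D))      # B fails only if C and D both fail
Q = Gate("Q", "OR", (A, B))       # the SIS fails if A or B fails
BASIC_PROBS = {e.name: e.prob for e in (A, C, D)}


def top_event_probability() -> float:
    """PFDavg of the SIS modelled by the tree (top event Q)."""
    return probability(Q)


if __name__ == "__main__":
    print(f"P(Q) exact        = {top_event_probability():.5g}")
    print(f"minimal cut sets  = {sorted(sorted(cs) for cs in minimal_cut_sets(Q))}")
    print(f"rare-event bound  = {rare_event_approximation(Q, BASIC_PROBS):.5g}")
```

With these numbers the exact top-event probability is 0.01495, which falls in the SIL 1 band of Table 1, and the rare-event bound 0.015 overestimates it only slightly because the two cut sets {A} and {C, D} rarely occur together; the gap grows as basic-event probabilities approach 1.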

2.4 Layer of Protection Analysis (LOPA)

The process sector, in IEC 61511, recommends LOPA as an alternative approach to risk reduction. This approach has emerged during the last ten years as a simplified form of quantitative risk assessment (QRA) and is a relatively new method for determining SIL requirements. It is described more thoroughly in the next section.


3 Layer of Protection Analysis (LOPA) approach

3.1 Introduction

LOPA is a tool developed by the American Institute of Chemical Engineers' CCPS in 2001 [3] for assessing the adequacy of the protection layers used to mitigate process risk [1]. LOPA introduced a new concept for safety-related control systems by combining traditional protection layers with SIS in a relatively new analysis tool to determine SIL requirements. It is used to ensure that process risk is at an acceptable level.

LOPA is a semi-quantitative technique that can estimate the required PFD for a SIF. It is semi-quantitative since it does use numbers and generates a numerical risk estimate, but is not as rigorous as a fault tree or QRA. It is usually applied after a qualitative hazard analysis, for example a HAZOP, and before quantitative risk assessment/fault tree [8].

LOPA is used to identify multiple independent protection layers (IPLs) that mitigate a potential hazard. IPLs are devices, systems, or actions that are capable of preventing a scenario from developing into an undesired consequence and all these layers are independent from one another so that any failure of the layer will not affect the functioning of the other layers [1, 8]. The layers can be either preventive by avoiding an occurrence of the scenario or mitigating by minimizing the effects of consequences. Figure 4 illustrates the frequency reduction of an initial event (consequence) by each IPL. The width of the arrow, representing frequency, becomes smaller as the initial event passes through each IPL. Figure 4 also shows an event tree model for the success or failure of each IPL. LOPA focuses on the worst case failure path through the event tree, shown by the heavy line.

Figure 4 The concept of LOPA. Copied from [6]

There have been many discussions about the number of and the strength of protection layers. LOPA has its origin in the desire to answer the following key questions [3]:

- How safe is safe enough?

- How many protection layers are needed?


Each plant has multiple layers of protection (Figure 5), and each layer has its own level of risk reduction. In LOPA, the proposed IPLs are analyzed for their effectiveness. The combined effect of the protection layers is then compared against risk tolerance criteria, since the typical human response would otherwise be to keep adding safeguards beyond the point where additional safeguards are necessary.

Figure 5 Layers of protection. Copied from [15]

These risk tolerance criteria vary between operators and with the cultural and regulatory environment of the project's location. In general, they can be expressed either qualitatively or quantitatively, or often as a mixture of the two. Qualitative criteria use words like probable, frequent, unlikely, etc. to describe the likelihood of an event, and words such as minor, major, catastrophic, etc. to describe its consequences. To ensure consistency in the application of these criteria, quantitative anchors are often introduced, for example "once every 5 years" [19].

Quantitative criteria use numerical values to describe the likelihood and severity of the event. An example is "an event having a frequency of less than 1×10^-3 per year". Whether one chooses qualitative or quantitative values, risk tolerance criteria need to be established for LOPA to answer the "how safe is safe enough" question. Risk tolerance criteria are used to decide if the frequency of the mitigated consequence (with the IPLs in place) is low enough. CCPS [3] provides guidance and references on how to establish and develop risk criteria. Quantitative criteria are the most common in conjunction with semi-quantitative analysis such as LOPA [28].

To ensure consistent application of the risk criteria, internal practices should explain how the criteria are used at different stages of the process unit life. The intent is to reduce the risk below the risk criteria, unless a deviation from the risk criteria is justified and formally approved by management. The risk criteria should be stated in a way that is clear and understandable to the personnel assigned responsibility for risk assessment activities. Assigned personnel should also receive training on how frequency and consequence severity are evaluated and how the risk criteria are used to define the risk reduction requirements [28].

3.2 The LOPA process

Each company that chooses to use LOPA needs its own specific procedure. The LOPA procedure must include tables of initiating cause likelihoods and PFDs for various types of IPLs [13]. Risk tolerance criteria must be defined beforehand; otherwise it will be difficult to make risk-based decisions. The LOPA procedure must have clear rules for evaluating safeguards to determine if they qualify as IPLs. Many of these rules are available in the CCPS LOPA book [3], including requirements for effectiveness, independence, and auditability. The company should also establish the minimum requirements for LOPA team composition and training for LOPA facilitators. The team should consist of [6]:

- an operator with experience operating the process under consideration;

- an engineer with experience in the process;

- manufacturing management;

- a process control engineer;

- an instrument/electrical maintenance person with experience in the process under consideration;

- a risk analysis (LOPA) specialist.

It is important that at least one member of the team is trained in the LOPA methodology.

LOPA is based on the assessment of single event-consequence scenarios. A scenario consists of an initiating cause and a consequence (initial event). Multiple initiating causes can lead to the same consequence, and all of these causes must be used to develop scenarios for subsequent assessment. LOPA is a rational methodology that provides a rapid, cost-effective means of identifying the IPLs that lower the frequency and/or the consequence of specific hazardous incidents [1]. It is typically applied after a qualitative hazard analysis has been completed, but before a quantitative analysis such as fault tree analysis or QRA. Since LOPA uses simplifying assumptions and approximations, it is not intended as a complex or highly detailed decision tool. It is most effective when one needs a general approximation of the risk and of the associated opportunities for mitigating it. The method is intended to be conservative. Figure 6 illustrates the LOPA process.


Figure 6: The LOPA process [3]

The LOPA process consists of 6 steps [3, 1]:

(1) Identify the consequence to screen the scenarios

The first step begins with recording all reference documentation, such as inspection reports and hazard analysis documentation [1]. The consequences (initial events) are often identified earlier, during a qualitative hazard analysis, e.g. a HAZOP, which provides the LOPA team with a list of hazard scenarios with associated consequence descriptions and potential safeguards for consideration. Table 2 shows the relationship between the data required for the LOPA and the data developed during the HAZOP study.

Table 2 HAZOP developed data for LOPA. Adopted from [6].

LOPA required information    | HAZOP developed information
-----------------------------|----------------------------
Initial event                | Consequence
Severity level               | Consequence severity
Initiating cause             | Cause
Initiating likelihood        | Cause frequency
Protection layers            | Existing safeguards

The initial events are each classified for severity: how many people are affected, how large is the affected area, and what is the downtime or economic cost of the event? [12]

LOPA is performed using a standard table for data entry shown in Table 3. The initial events are entered in column 1, and the severity level in column 2.

Table 3: Standard table for LOPA data

Columns, from left to right (the original numbers them Ref and 1 to 11):

Ref #
Initial event description
Severity level
Initiating cause
Initiating cause likelihood
Protection layers:
  - Process design
  - BPCS
  - Alarms etc.
  - Additional mitigation (restricted access)
  - IPL additional mitigation (dikes, pressure relief)
Intermediate event likelihood
SIF IL & PFD
Mitigated event likelihood
Notes

(2) Select an accident scenario

It is important to apply LOPA to one scenario at a time. A scenario consists of at least two elements, cause and consequence, and describes a single cause-consequence pair [3]. During this step the analyst or the team constructs a series of events, including the initiating cause and failures of IPLs, which lead to an undesired event. There may be multiple scenarios leading to one single release case, but it may be possible to reduce the number of scenarios that need to be analyzed in detail.

(3) Identify the initiating cause of the scenario and determine the initiating cause frequency (events per year)

In LOPA each scenario has one initiating cause. The initiating causes are evaluated for each hazardous event [28]. The CCPS [3] defines three different groupings of causes:

- External events (earthquakes, tornadoes, terrorism, sabotage, etc.)
- Equipment failure (component error, corrosion, wear, etc.)
- Human failure (operational error, maintenance error, etc.)

The initiating event must lead to the consequence, given that all safeguards fail. It is important to review and verify all causes from the scenario development step as valid initiating causes for the identified consequence before assigning frequencies. Causes that turn out to be incorrect or inappropriate should either be rejected or developed into valid initiating causes [3]. These causes are entered in column 3 of Table 3.

The frequency can be estimated using look-up tables or historical data. A number of sources of failure rate data are available [3, 9]. Other sources are company experience, which include the hazard analysis team experience, and vendor data, which often may be too optimistic.


Typical initiating cause likelihoods and IPL PFDs are given by Dowell [10, 11] and CCPS [3] (see also table 1.4, Appendix C).

LOPA assumes that the failure rate is constant. This is not always the case, since equipment failure rates are often higher when the equipment is new and again when it ages. For the purpose of LOPA, however, a constant failure rate is adequate. LOPA only requires order-of-magnitude approximation, and failure rate data should be rounded up to the nearest whole order of magnitude. For a more complex scenario it may be more appropriate to use a QRA and/or a fault tree.

When the LOPA-team has reached an understanding of the frequency and consequence of the potential hazardous event, a risk matrix is often used for determining the acceptability of the risk or if there is a need for further risk reduction of the IPLs.

(4) Identify the IPL and estimate the probability of failure on demand of each IPL

It is important to distinguish between an IPL and a safeguard. A safeguard is any device, system or action that would likely interrupt the chain of events following an initiating cause. First the safeguards are identified; to qualify as an IPL, a safeguard has to meet two requirements [8]:

1) Is it effective in preventing the scenario from reaching its consequence?

2) AND, is it independent of the initiating cause and of the other protection layers?

If the answer to both questions is yes, the safeguard qualifies as an IPL.

The effectiveness of an IPL is quantified in terms of its PFD; the smaller the value, the larger the reduction in frequency of the consequence for a given initiating event frequency. The analyst should evaluate the design of the candidate IPL against the conditions of the scenario to estimate the appropriate PFD for the IPL. The PFD is then entered in columns 5-7 in Table 3.

(5) Estimate the risk of the scenario by mathematically combining the consequence, initiating event and IPL data

The result of LOPA is a risk measure for the scenario: an estimate of its likelihood and consequence. This estimate is the Intermediate Event Likelihood, the likelihood of the consequence after reduction by the IPLs. The team calculates this likelihood by multiplying the Initiating Cause Likelihood (column 4, Table 3) by the PFDs of the IPLs (columns 5-7) and enters the number in column 8. The formula is shown in Equation 1. The Intermediate Event Likelihood has units of events per year. It is then compared to the Mitigated Event Likelihood shown in column 10.

Equation 1 [8]:

$$f_i^{C} = f_i^{I} \times \prod_{j=1}^{J} \mathrm{PFD}_{ij}$$

where

$f_i^{C}$ = frequency for consequence C for initiating event i

$f_i^{I}$ = frequency for initiating event i

$\mathrm{PFD}_{ij}$ = probability of failure on demand of the jth IPL that protects against consequence C for initiating event i.

It is important to evaluate each scenario individually, since different IPLs may apply to different scenarios, even if both scenarios result in the same consequence.

If the Intermediate Event Likelihood is less than the Mitigated Event Likelihood, additional IPLs may not be required. If the Intermediate Event Likelihood is higher than the Mitigated Event Likelihood, additional risk reduction is probably needed.

If the team finds that a SIS is needed to meet the Mitigated Event Likelihood, the team enters the description of the SIS in column 9 and assigns it a PFD. Then the SIL is entered in column 9 as well. Until the Intermediate Event Likelihood is less than the Mitigated Event likelihood, the team continues the process of increasing the number of protection layers and recalculates the numbers [11].

(6) Evaluate the risk and give recommendations

The LOPA team then evaluates the estimated risk and provides specific, implementable recommendations. The team should be encouraged to develop as many recommendations as possible, to allow the project team to select the best option with respect to both implementation and costs.

Cost-benefit analysis is often used to compare the value of competing options. It is a supplement to the basic risk judgment approaches. Some risk-evaluation methods are [3]:

- Risk matrix
- Numerical criteria method (maximum tolerable risk per scenario)
- Number of IPL credits
- Expert judgment

Following the comparison, a judgement must be made as to whether further action is needed. Such actions might be an additional IPL or a fundamental change in design to make the process safer.

Section 4 presents a case study at Petrojarl Varg, in co-operation with Safetec Nordic AS, using the LOPA approach.


4 Case study

A case study is conducted to check the applicability of LOPA to determine appropriate SIL for a particular system, and also in order to compare this method with the minimum SIL table in OLF Guideline-070.

4.1 System analyzed

Teekay Petrojarl is the largest operator of Floating Production, Storage and Offloading (FPSO) vessels in the North Sea. One of the four FPSOs they own and operate is Petrojarl Varg. Petrojarl Varg is a ship-shaped, turret-moored FPSO vessel (see Figure 7). The vessel is equipped with processing facilities for oil production, gas injection and water injection. The Varg field is located in the Norwegian sector of the North Sea [17].

Figure 7 Petrojarl Varg (Adopted from [17])

The first task in the procedure for allocation of SIL is to define the equipment under control (EUC). The EUC for this case is shown in Figure 8.


The EUC shall be considered the source of hazards and hence shall be protected either by SIS, other technology safety systems, external risk reducing measures, or a combination of these [4]. The main objective is to gain an understanding of the EUC and its environment, both physical and legislative. In this study we chose to consider high pressure in the 1st separator as the scenario for this case. High pressure may be caused when a pressure control system failure occurs or there is a blocked or restricted outlet which prevents outflow.

4.2 Application of LOPA

The starting point of this case study was to analyze the P&IDs (Piping & Instrumentation Diagram) of Petrojarl Varg to identify the safety functions (see Appendix B). Subsequently, the LOPA team followed the LOPA process listed in Chapter 3.2.

The team identified high pressure as a deviation to study. A consequence of high pressure is rupture of the separator if the pressure exceeds its design pressure. This could lead to leakage of hydrocarbons and further to fire or explosion. This initial event was entered in column 1 of Table 4. Next, the severity level was set to B (single onsite fatality), which from the severity level table (Table 1.1, Appendix C) gives a target mitigated event likelihood of 3×10⁻⁵ per year. The target mitigated event likelihood is the same as the mitigated event likelihood. Severity level B is then written in column 2, and the mitigated event likelihood in column 10 of Table 4.

One of the initiating causes of this initial event is control failure. The operator said this happens about once every ten years. The initiating cause is written in column 3 of Table 4, and the cause likelihood in column 4 (1/10 per year = 0.1). This is a typical value for this parameter: 0.1 is the most credit a control system can be given without changing its status to a safety system [23].

The process design and the alarm were set to 1 which indicates that there is nothing to take credit for in this scenario.

The control functions are typically implemented in the basic process control system (BPCS). The BPCS manages two valves: one process valve and one spill-off valve, which directs the production to flare. Failure of the BPCS can have three causes: failure of the pressure transmitter, of the BPCS logic, or of the control valves. In total, the tables give 10⁻¹ for failure of the BPCS. Because the initiating cause for this scenario is control failure, we cannot take credit for the BPCS as an IPL, since it is already assumed to have failed. The PFD is therefore 1 in this case, and is listed in column 5 of Table 4.

IPLs relevant to this scenario are the PSV and organizational measures.

Additional mitigation, restricted access, is calculated by multiplying the personnel's vulnerability by the average presence in the area. Here the probability of ignition given release is set to 0.3 for flammable liquids/gas, and the probability of people being present in the hazard zone equals 1.0, since there are people present all the time.

PFD for the PSV is set to 0.01 (From Table 1.5, Appendix C) which is a common value for PSV [23].


The intermediate event likelihood is then estimated by multiplying the cause likelihood (column 4) by the entries in the protection layer columns:

Cause likelihood × Process design × BPCS × Alarms etc. × Additional mitigation (restricted access) × IPL additional mitigation (dikes, pressure relief) = Intermediate event likelihood

0.1 × 1 × 1 × 1 × 0.3 × 0.01 = 3.00E-04

For control failure we thus get an intermediate event likelihood of 3.00E-04 per year.

The second initiating cause of high pressure in the 1st separator was unintentional closure of a manual valve, leading to a blocked or restricted outlet (inflow exceeds outflow). The cause likelihood is set to 0.1 (once every 10 years), the same as for the first initiating cause.

The only difference is the PFD for the BPCS. If the demand is caused by other valves than the control valves (manual closing or ESDVs), one can assume that the BPCS is functioning, and rate the likelihood that the spill-off valve fails to open and "save the situation" at 10⁻¹ (see Table 1.5, Appendix C).

For the intermediate event likelihood we then get:

Cause likelihood × Process design × BPCS × Alarms etc. × Additional mitigation (restricted access) × IPL additional mitigation (dikes, pressure relief) = Intermediate event likelihood

0.1 × 1 × 0.1 × 1 × 0.3 × 0.01 = 3.00E-05

This gives an intermediate event likelihood of 3.00E-05 per year.

We then add the two intermediate event likelihoods together (3.3E-04 per year). The SIF PFD is calculated by dividing the mitigated event likelihood by the total intermediate event likelihood. This gives PFDavg = 3E-05 / 3.3E-04 = 9.09E-02 → SIL 1.
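As an added worked example (not code from the thesis, CCPS or Teekay), the following Python script carries the Equation 1 arithmetic of step (5) in Chapter 3.2 through the two initiating causes of this case, sums the intermediate event likelihoods, divides the target into the sum and maps the required PFDavg to a SIL using the IEC 61508 low-demand bands. The scenario values are those of Table 4; the class and function names, the dictionary result format and the order-of-magnitude rounding helper are this example's own assumptions. It also re-runs the case with every cause likelihood ten times higher, to show the sensitivity to the cause likelihood discussed in Chapter 4.4.

```python
# Added worked example, not code from the thesis: the LOPA arithmetic of
# step (5) (Equation 1) applied to the Petrojarl Varg high-pressure case of
# section 4.2, plus the IEC 61508 low-demand PFDavg bands used to turn the
# required SIF PFD into a SIL. Scenario values are those of Table 4; the
# class, function and field names are this example's own (assumed) choices.
import math
from dataclasses import dataclass, field


def round_up_order_of_magnitude(rate: float) -> float:
    """LOPA works to whole orders of magnitude: round a raw frequency or PFD
    *up* (the conservative direction) to the nearest power of ten."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    return 10.0 ** math.ceil(math.log10(rate))


@dataclass
class Scenario:
    """One initiating cause -> consequence pair, i.e. one row of the LOPA table."""
    cause: str
    cause_frequency: float                                     # column 4, events per year
    ipl_pfds: dict = field(default_factory=dict)               # protection layers, PFD 1.0 = no credit
    conditional_modifiers: dict = field(default_factory=dict)  # e.g. ignition probability x occupancy

    def intermediate_event_likelihood(self) -> float:
        """Equation 1: f_i^C = f_i^I * prod_j PFD_ij, times any conditional modifiers."""
        return (self.cause_frequency
                * math.prod(self.ipl_pfds.values())
                * math.prod(self.conditional_modifiers.values()))


# IEC 61508 low-demand mode: (SIL, PFDavg lower bound inclusive, upper bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_for_pfd(pfd: float) -> int:
    """Return the SIL whose band contains the required PFDavg; 0 means a PFD of
    0.1 or worse suffices, so no SIL-rated function is needed for that risk gap."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    raise ValueError(f"required PFD {pfd:g} is beyond SIL 4; LOPA is not the right tool here")


def sif_requirement(scenarios, target_mitigated_likelihood: float) -> dict:
    """Sum the intermediate event likelihoods of all scenarios sharing the
    consequence; the SIF must bring that sum down to the target, so its PFD is
    target / total. No SIF is required when the existing IPLs already meet the target."""
    total = sum(s.intermediate_event_likelihood() for s in scenarios)
    if total <= target_mitigated_likelihood:
        return {"total_intermediate_likelihood": total, "required_pfd": None, "sil": None}
    pfd = target_mitigated_likelihood / total
    return {"total_intermediate_likelihood": total, "required_pfd": pfd, "sil": sil_for_pfd(pfd)}


# --- Petrojarl Varg, high pressure in the 1st separator (Table 4 values) ---
TARGET_SEVERITY_B = 3e-5   # mitigated event likelihood for severity level B, per year
PSV_PFD = 0.01             # IPL additional mitigation: pressure relief valve
RESTRICTED_ACCESS = 0.3    # ignition given release (0.3) x people present (1.0)

VARG_HIGH_PRESSURE = [
    # Control failure is the initiating cause, so the BPCS gets no credit (PFD 1).
    Scenario("Control failure", 0.1,
             ipl_pfds={"process design": 1.0, "BPCS": 1.0, "alarms": 1.0, "PSV": PSV_PFD},
             conditional_modifiers={"restricted access": RESTRICTED_ACCESS}),
    # Blocked outlet: the BPCS is intact and may open the spill-off valve (PFD 0.1).
    Scenario("Unintentional closure of manual valve", 0.1,
             ipl_pfds={"process design": 1.0, "BPCS": 0.1, "alarms": 1.0, "PSV": PSV_PFD},
             conditional_modifiers={"restricted access": RESTRICTED_ACCESS}),
]


def varg_case_study(cause_frequency_factor: float = 1.0) -> dict:
    """Run the case; scaling every cause likelihood by a factor shows the
    sensitivity discussed in section 4.4 (one order of magnitude moves the SIL)."""
    scaled = [Scenario(s.cause, s.cause_frequency * cause_frequency_factor,
                       s.ipl_pfds, s.conditional_modifiers) for s in VARG_HIGH_PRESSURE]
    return sif_requirement(scaled, TARGET_SEVERITY_B)


if __name__ == "__main__":
    for s in VARG_HIGH_PRESSURE:
        print(f"{s.cause:40s} intermediate event likelihood {s.intermediate_event_likelihood():.2e}/yr")
    base = varg_case_study()
    print(f"required SIF PFDavg {base['required_pfd']:.2e} -> SIL {base['sil']}")
    worse = varg_case_study(10.0)
    print(f"causes 10x more frequent: PFDavg {worse['required_pfd']:.2e} -> SIL {worse['sil']}")
```

Running the script gives 3.00E-04 and 3.00E-05 per year for the two rows, a required PFDavg of 9.09E-02 (SIL 1) and, with every cause likelihood one order of magnitude higher, 9.09E-03 (SIL 2). The base result sits at the top of the SIL 1 band, which is exactly why Chapter 4.3 recommends reporting the PFDavg alongside the SIL.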


Table 4 LOPA report - Case study

Ref #: 1
Initial event description: High pressure. Leakage of hydrocarbons leading to fire or explosion.
Severity level: B (both rows)
Mitigated event likelihood: 3.00E-05 per year

Initiating cause                                         | Cause likelihood | Process design | BPCS | Alarms etc. | Additional mitigation (restricted access) | IPL additional mitigation (dikes, pressure relief) | Intermediate event likelihood
---------------------------------------------------------|------------------|----------------|------|-------------|-------------------------------------------|----------------------------------------------------|------------------------------
Control failure                                          | 0.1              | 1              | 1    | 1           | 0.3                                       | 1.00E-02                                           | 3.00E-04
Unintentional closure of valve leading to blocked outlet | 0.1              | 1              | 0.1  | 1           | 0.3                                       | 1.00E-02                                           | 3.00E-05

Total intermediate event likelihood: 3.3E-04 per year
SIF IL & PFD: 0.09 = SIL 1

4.3 Application of the OLF Guideline 070

The minimum SIL table in OLF-070 is meant to simplify the process of determining SIL for safety functions. On an average offshore installation there are a considerable number of safety functions and determining SIL for each function is time-consuming. The minimum SIL table covers the most common safety functions. It is based on experiences and procedures that result in acceptable minimum safety levels [4]. It is, however, important to be aware that deviations may occur, since the table does not cover all functions.

From Table 7.1 in OLF-070 [4] the SIL requirement for high pressure is SIL 2, whereas the LOPA analysis gave SIL 1 for the same scenario. This shows that the minimum table in OLF-070 can result in stricter requirements than LOPA. It is important to study the PFDavg as well as the SIL result when using LOPA. The PFDavg often lies in the border area between two SILs, which is not visible from the SIL value alone, and safety functions close to a boundary may then receive insufficient attention.


4.4 Discussion

Using the OLF guideline may reduce time and work scope, since SIL requirements have already been set for the most common safety functions. On the other hand, the SIL requirements from the minimum table tend to be stricter than the SIL obtained by LOPA. This may lead to more proof testing, may reduce the quality of the tests because there is less time to focus on each one, and increases the number of people present in hazardous zones.

Another problem with the minimum table is that it opens for shortcuts, e.g. using the table without any evaluation in advance. The table then loses its purpose, since without an evaluation it is impossible to discover whether a function performs as intended. This may leave the final product less reliable than required.

The case study revealed that it can be difficult to obtain consistent results with the use of LOPA, since different users can come up with different SIL for the same function depending on the experience-data established by the team participants. Repeatability is an important factor with the use of LOPA, in order to make the results more consistent. Also, in order to maintain consistency, most companies have a procedure for adding new causes to the initiating events table. These new causes and their likelihoods should receive formal review and acceptance before being used. In the course of the case study, the team found the cause likelihood as very critical to SIL determination (i.e. one order of magnitude out on the cause likelihood and the SIL can be increased by 1 and therefore costs can be greatly increased), therefore, more time should be spent ensuring this figure is as accurate as possible.

Choosing between the minimum SIL table and LOPA for determination of appropriate SIL values is difficult; both alternatives have positive and negative sides. If the minimum SIL table is used correctly, with a proper evaluation, it can be recommended. However, since the table opens for shortcuts and easy solutions, it is recommended that the LOPA method is used for determination of SIL requirements.

5 Evaluation of LOPA

5.1 Benefits of using LOPA

LOPA has many advantages compared to other risk assessment tools and combines the advantages of qualitative and quantitative tools. Some of the advantages are summarized below [7, 8, 10, 14, 15, 25]:

• It is a simple risk assessment tool and requires less time and resources than for a QRA but is more rigorous than HAZOP. The benefit applies especially to scenarios that are too complex for a pure qualitative assessment. One can use it as a screening tool for QRA.


• It facilitates the determination of more precise cause-consequence pairs than the safety layer matrix and the risk graph method, and therefore improves scenario identification.

• It identifies operations, practices, systems and processes that do not have adequate safeguards and helps in deciding the PLs required for a process operation and thereby focuses on the most critical safety systems. It helps to determine the need for SIS and the SIL for SIS.

• It avoids the generalities of the safety layer matrix method by including its own calibration. The assumptions and included IPLs are clearly documented.

• Even though LOPA is more time-consuming to complete than Risk graph, in the right hands, it allows a better understanding of the safety system in the functional safety of the overall design. Risk graph often over-simplifies the determination of required risk reduction to the point that errors in SIL determination have occurred because the methodology has been applied quickly and badly.

• It requires much less work than FTA, giving results that can be somewhat conservative. LOPA can be used for most SIS functions, while a few complex systems may require FTA.

• Another important aspect is that methods like the safety layer matrix and the risk graph only give e.g. SIL 1 as the required performance of a SIF. This implies that anywhere in the SIL 1 range will do, that is, a PFDavg of 0.1 would be sufficient. Methods like LOPA provide a PFDavg and hence require that the design achieves both the rigour of SIL 1 and the stated PFDavg.

• It is useful for making risk-based decisions during stages like design, management of change, preparation of safe operating procedures for operators, incident investigation, emergency response planning, bypassing a safety system, etc.

• Provides due credit to all PLs and helps in estimating the specific risk level of the unit/ equipment.

• It reduces subjectivity while providing clarity and consistency to risk assessment, and helps to compare risks on a common basis if it is used throughout a plant. It also supports compliance with process safety regulations and standards, including the Seveso II directive, IEC 61508 and IEC 61511.

5.2 Limitations of using LOPA

While using this technique, its limitations should also be kept in mind in order to derive better results [7, 8, 10, 14, 15, 25]:

• It is not intended to be a hazard identification tool. LOPA depends on methods used to identify the hazardous events and to identify a starting list of causes and safeguards.

• Criteria for risk tolerance must be established for LOPA exercise before the process starts. For countries where such criteria have not been specified by statutes it will be difficult to decide which standards are to be adopted. Differences in risk tolerance criteria and LOPA implementation between organizations mean the results cannot usually be compared directly from one organization to another.

• LOPA offers flexibility to the user in the areas of selecting IPLs and PFDs associated with the IPLs though the general industry data is available for the purpose. This brings in subjectivity in the assessment process and depends on the expertise of the user.


• LOPA is a simplified approach and should not be applied to all scenarios. The amount of effort required to implement LOPA may be excessive for some risk-based decisions and is overly simplistic for other decisions.

• LOPA analysis tends to drive initiating cause likelihoods to higher levels than actual field experience. Because LOPA typically classifies initiating cause likelihoods only in order-of-magnitude changes (once in ten years, once in a hundred, etc.), all likelihood numbers are rounded upwards to the next order of magnitude. This can make the likelihood of events higher than the actual likelihood.

5.3 Recommendations

The different methods presented in section 2 are all useful in converting HAZOP data into SIL. There is no ideal candidate to cover all the areas in SIL determination, though some methods are more suitable for selected application areas than others.

When choosing a method, there are a number of factors that should be considered [7]:

- Is the process well understood?
- How complex is the process?
- Will the SIL assignment team be consistent from project to project?
- Are there multiple causes with different protection?

The safety layer matrix and the risk graph method are recommended as initial screening tools and are suitable for SIL 1 assessments, since both are somewhat simplistic approaches and tend to be subjective. For more detailed and complex analyses, semi-quantitative and quantitative tools such as LOPA and FTA are needed.

FTA remains one of the more popular and accurate methods. It is also a relatively expensive and comprehensive technique and this can make it obstructive in conducting SIL assessments, especially in industries experiencing cost-cutting [25]. However, it still remains one of the definitive methods for more critical and complex safety assessments.

LOPA provides an approach more rigorous than risk graph and safety layer matrix and requires less time and money than FTA. The advantages and disadvantages listed above show that it is a promising technique for determining SIL. It is a relatively new method, so potential shortcomings have not yet been fully explored, though it seems to be in progressive development throughout the process industry.

It is important to remember that whichever method is chosen, it is necessary for the user to develop procedures and guidelines to ensure that the method is used effectively and


6 Conclusions and further work

Process industries prefer techniques which can assess the risk levels and identify suitable safeguards for minimizing the risk levels to satisfy the statutory requirements. The global importance of SIL has grown considerably over the last decade and semi-quantitative methods are favoured by industries for their limited need for mathematical modelling.

This thesis describes the LOPA method for determining SIL requirements in the process industry and discusses some advantages and disadvantages of LOPA. It is a simplified quantitative approach based on order-of-magnitude calculations, which is easy to learn and apply.

The case study at Teekay demonstrates that the LOPA method is useful in practice but can be time-consuming. Discussions often arise during the analysis which might prolong the time compared to what was originally predicted. If a company chooses to use LOPA, it should develop its own LOPA procedure specific to its needs in advance of the analysis. The company should strive to provide an internal guidance-document so that all sites will be consistent in its application of LOPA initiating cause frequencies.

OLF-070 describes minimum SIL tables as guidance to the Norwegian oil and gas industry. The results of the LOPA study compared to the minimum SIL table showed that the SIL obtained from OLF-070 has a tendency to be stricter than the SIL obtained by LOPA. It is important to study the PFDavg as well as the SIL in LOPA in order to select the most adequate safety measures. This is also an advantage of LOPA in comparison with the safety layer matrix and risk graph, which only provide a SIL rating. This thesis does not recommend using OLF-070 uncritically for SIL determination.

It is natural to suggest that the companies should take a more active part in the risk assessment process. The LOPA team should include individuals that understand the system well and a facilitator who is organized and can draw valuable contributions from the employees. By this, LOPA contributes to the attainment of “ownership” and more awareness and interest in risk assessment within the employees.

This thesis has shown that LOPA is a useful method for determining SIL in the process industry. It is more powerful than qualitative methods, making it especially valuable for evaluating relatively complex scenarios and scenarios with relatively severe consequences. A more rigorous QRA may be more appropriate for extremely complex scenarios and scenarios involving very severe consequences. It is important not to use LOPA as a replacement for QRA.

LOPA is a promising technique and appears to be in progressive development, but its potential shortcomings have not yet been fully explored by a sufficient body of users to establish conclusively its suitability. There is still a need for a clearly set out procedure for the use of LOPA in the process industry. Effort must be carried out to obtain more accurate values of those data that might actually lead to a change of SIL. The author believes that the LOPA methodology will guide SIS designers and process hazard analysts toward a more accurate SIL estimation. As a recommendation for further work, a guideline should be developed on how to use the LOPA method of IEC 61511-3 to determine SIL requirements.


7 Acknowledgement

I would like to thank my supervisor Professor Marvin Rausand at NTNU for his assistance during the preparation of this paper. I am very grateful for his constructive hints and inputs. Thanks to my supervisor Atle Vestby at Safetec Nordic AS for giving me good guidance and helpful advice. I would also like to thank Teekay Petrojarl for allowing me to execute a case study using LOPA at Petrojarl Varg and taking the time to participate in the analysis. Special thanks are also due to Linn Nordhagen at Aker Kværner who helpfully answered my


8 References

[1] Summers, A. E. (2003). Introduction to layers of protection analysis. Journal of Hazardous Materials, Volume 104, Issues 1-3, 163-168.

[2] Gowland, R. (2006). The accidental risk assessment methodology for industries (ARAMIS)/layer of protection analysis (LOPA) methodology: A step forward towards convergent practices in risk assessment? Journal of Hazardous Materials, Volume 130, Issue 3, 307-310.

[3] CCPS. (2001). Layer of Protection Analysis - Simplified Process Risk Assessment. ISBN 0-8169-0811-7, Center for Chemical Process Safety of the American Institute of Chemical Engineers. New York, US.

[4] OLF Guideline 070 (2004). Application of IEC 61508 and IEC 61511 in the Norwegian Petroleum Industry, Rev. 02, Oljeindustriens Landsforening, Stavanger.

[5] IEC 61508 (1998). Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, parts 1-7. Geneva: International Electrotechnical Commission.

[6] IEC 61511 (2003). Functional safety – safety instrumented systems for the process industry. Geneva: International Electrotechnical Commission.

[7] Summers, A. E. (1998). Techniques for assigning a target safety integrity level. ISA Transactions 37, 95-104.

[8] Dowell, A. M. and Hendershot, D. C. (2002). Simplified Risk Analysis - Layer of Protection Analysis (LOPA). AIChE National Meeting, Indianapolis, IN.

[9] Oreda (2002). Offshore Reliability Data Handbook, 4th ed., OREDA participants, Høvik, Norway: Det Norske Veritas.

[10] Dowell, A. M., III. (1998). Layer of Protection Analysis for Determining Safety Integrity Level. ISA transactions 37, 155-165.

[11] Dowell, A. M., III (1997). Layer of Protection Analysis: A new PHA tool, after HAZOP, before fault tree analysis. International Conference and Workshop on Risk Analysis in Process Safety, October 21-24, 1997, Atlanta, GA, 13-28. American Institute of Chemical Engineers (AIChE), USA.

[12] Dowell, A. M., III (1999). Layer of Protection Analysis and Inherently Safer Processes. Process Safety Progress, Volume 18, Issue 4, 214-220.

[13] Goddard, W. K. (2007). Use Layers of Protection Analysis (LOPA) to Determine Protective System Requirements. Chemical Engineering Progress, Volume 103; N. 2, 47-51. American Institute of Chemical Engineers (AIChE), USA.


[14] Summers, A. E. Layers of protection analysis. PPT, SIS-TECH Solutions, LLC. www.mpri.lsu.edu/workshop/Layers%20of%20Protection%20Angela%20Summers.ppt (03.01.08)

[15] ACM Facility Safety (2006). SIL determination techniques report. January 2006. www.iceweb.com.au/sis/ACMWhite-PaperSILDeterminationTechniquesReportA4.pdf (22.11.07)

[16] Magnetrol International (2007). Understanding safety instrumented systems (SIS) and safety integrity level (SIL). www.magnetrol.com/v2/pdf/MII/41-299.pdf (05.11.07)

[17] Teekay Petrojarl Homepage. www.teekay.com (29.01.08)

[18] Macdonald, D. (2004). Practical Industrial Safety, Risk Assessment and Shutdown Systems. ISBN 0-7506-5804-5, Butterworth-Heinemann, Oxford.

[19] Dean, S. (1999). IEC 61508 – Assessing the hazard and risk. Sauf Consulting Ltd. www.sauf.co.uk/Documents/Sauf%20SIL%20Paper%204-99%20(public).doc

[20] Onshus, T. (2006). Guideline for the use of IEC 61508 and IEC 61511 in the offshore industry. Norwegian University of Science and Technology (NTNU). http://www.sipi61508.com/ciks/NTNU1.pdf (12.09.07)

[21] Beugin, J., Renaux, D. and Cauffriez, L. (2006). A SIL quantification approach based on an operating situation model for safety evaluation in complex guided transportation systems.

Reliability Engineering & System Safety, Volume 92, Issue 12, 1686-1700.

[22] Haugen, S. (Published 22.08.07). IEC 61508 – Hovedprinsipper og veiledning, Sintef Teknologiledelse. http://www.sintef.no/content/page1____16476.aspx (22.11.07) [23] Nordhagen, L. (2008). Personal communication, Aker Kværner.

[24] King, A. G. Methods for SIL Determination. ABB Eutech Process Solutions, Cleveland.

www.sipi61508.com/ciks/king3.pdf (09.01.08)

[25] Kirkwood, D. Current issues with SIL assessment methods. Functional Safety Professional Network, Technical Advisory Panel.

www.iee.org/oncomms/pn/functionalsafety/SIL_Assessment_Methods_Current_Issues.pdf

(09.01.08)

[26] Summers, A. E. (2000). Viewpoint on ISA TR84.0.02 — simplified methods and fault tree analysis. ISA Transactions 39, 125-131.

[27] Rausand, M. & Høyland, A. (2004). System Reliability Theory; Models, Statistical


[28] CCPS. (2007). Guidelines for Safe and Reliable Instrumented Protective Systems, Ch.3. ISBN: 978-0-471-97940-1, Center for Chemical Process Safety of the American Institute of Chemical Engineers. New York, US.


LOPA -- Layer Of Protection Analysis

Contents:

Introduction to LOPA

Protection layers

When is LOPA used?

The 6 steps of the LOPA process

Advantages and disadvantages of LOPA


Today's society

High level of safety

Strives for continuous improvement of safety and methods

IEC 61508 and IEC 61511

Requirement to carry out SIL (Safety Integrity Level) assessments

The process sector proposes, among other options, LOPA as an alternative approach, as proposed in IEC 61511 Annex F

How to reduce the risk?

Risk

Risk reduction
