
Layer of protection analysis (LOPA) for determination of safety integrity level (SIL)

stud. techn. Christopher A. Lassen

The Norwegian University of Science and Technology
Department of Production and Quality Engineering

Preface

This report is the result of the master project executed Spring 2008, and is the final step in graduating as an Engineer with an MSc degree from The Norwegian University of Science and Technology (NTNU). The master project is in collaboration with Aker Subsea AS, which is part of the Subsea Business Area within Aker Solutions. Aker Subsea provides leading oil production systems and equipment located sub-surface, and recent projects are Morvin (North Sea), Kristin (North Sea), Reliance KG-D6 (India) and Dalia (Angola). The work has been performed partly in Trondheim at the facilities of the Department of Production and Quality Engineering (IPK), and at Aker Solutions headquarters outside of Oslo. A very special thanks to my supervisor and professor Marvin Rausand (NTNU), who has been helpful with thorough guidance throughout the master project. Another person that deserves attention is Linn Nordhagen (Aker Engineering and Technology), who has provided helpful information on LOPA from a practical perspective, and given comments to the final product. Gratitude must be expressed toward Aker Subsea and Thor Kjetil Hallan for offering office space and providing information. Others that should be mentioned are: Katrine Harsem Lund (Scandpower Risk Management AS), Bjørn Solheim (BP) and Hanne Rolén (Aker Subsea).

Particular gratitude must be expressed to my father, Petter O. Lassen, for advice and support throughout my entire education.

Christopher A. Lassen, Snarøya, 19.06.2008

Contents

List of Tables
List of Figures
1 Introduction
1.1 Introduction to LOPA
1.2 Objectives
1.3 Limitations and structure
1.4 Relation to IEC 61508 and 61511
2 Methods in determining SIL
2.1 Quantitative method as described in IEC 61508
2.2 Risk matrix
2.3 Safety layer matrix
2.4 The OLF 070 guideline
2.5 Risk graph
2.6 Calibrated risk graph
3 LOPA
3.1 What is LOPA?
3.2 Explanation of terms
3.3 The LOPA team
3.4 LOPA worksheet and the LOPA process
3.5 Different approaches in literature
3.6 Aker E&T methodology
4 Preferred approach
4.1 Flowchart
4.2 Comments to the preferred LOPA approach
5 Interface with HAZOP
5.1 Introduction to HAZOP
5.2 HAZOP integration
5.3 Adjustments and transformation of data
5.5 Illustration of software program
6 Case study: Applicability of LOPA
6.1 Case text
6.2 Introduction to system
6.3 LOPA applied on the case study
6.4 Comments to the result
6.5 Implications during the case
7 Conclusions and recommendations for further work
A Basic concepts
B Software schematic

List of Tables

1.1 SIL for safety functions operating in low demand of operation adapted from IEC 61511 (2003)
2.1 Risk classification of accidents adapted from IEC 61508
2.2 Frequency of hazardous event likelihood adopted from IEC 61511
2.3 SIL requirement table adopted from OLF 070
2.4 Classification of risk parameters adopted from IEC 61511
2.5 Example calibration adapted from IEC 61511
3.1 Important columns in the LOPA report / worksheet adapted from IEC 61511 (2003)
4.1 Target mitigated event likelihood for safety hazards adapted from Nordhagen (2007)
4.2 Typical frequency values assigned to initiating causes adapted from CCPS (2001)
4.3 PFDs for IPLs adapted from CCPS (2001) and BP (2006)
5.1 Process HAZOP worksheet adopted from Rausand (2005)
6.1 Initiating cause frequencies

List of Figures

1.1 Safety lifecycle (IEC 61508, 2003)
2.1 Typical risk matrix modified for SIL determination adapted from (Marszal and Scharpf, 2002)
2.2 Safety layer matrix diagram adapted from IEC 61511 (2003)
2.3 Typical risk graph
3.1 Risk analysis procedures adopted from Rausand and Høyland (2004)
3.2 The LOPA onion
3.3 Relation between initiating causes, impact event, process deviation and IPLs
3.4 Extract of SIL determination methodology from Ellis and Wharton (2006)
3.5 Aker E&T methodology adapted from Nordhagen (2007)
4.1 Preferred approach
5.1 Relationship between HAZOP and LOPA worksheets
6.1 SPS and separator schematic
6.2 Relation between initiating causes, impact event, process deviation and PLs
B.1 Step 1
B.2 Step 2
B.3 Step 3
B.4 Step 4
B.5 Step 5

Abbreviations

AIChE American Institute of Chemical Engineers
Aker E&T Aker Engineering & Technology
AMV annulus master valve
BP British Petroleum
BPCS basic process control system
CCF common cause failures
CV control valve
DHSV downhole safety valve
ESD emergency shutdown
EUC equipment under control
FTA fault tree analysis
FMECA failure modes, effects, and criticality analysis
FPSO floating production, storage and offloading vessel
HAZID hazard identification study
HAZOP hazard and operability study
HCM HIPPS control module
HIPPS high integrity pressure protection system
HPU hydraulic pump unit
IEL intermediate event likelihood
IPL independent protection layer
LOPA layer of protection analysis
MEL mitigated event likelihood
MV master valve (PMV)
OREDA Offshore Reliability Data
PCV production choke valve
PFD probability of failure on demand
P&ID piping and instrumentation diagram
PIG pipeline inspection gauge
PL protection layer
PSD process shutdown
PSDV process shutdown valve
PST pressure safety transmitter
PSV pressure safety valve
PT pressure transmitter
QRA quantitative risk analysis
ROV remotely operated vehicle
SCM subsea control module
SEM electronic control module
SIF safety instrumented function
SIL safety integrity level
SIS safety instrumented system
SPS subsea production system
TMEL target mitigated event likelihood
TT temperature transmitter
VB Visual Basic
WV wing valve (PWV)
XV cross-over valve (XOV)
XT X-mas tree (XMT)

Summary

Layer of protection analysis (LOPA) and other safety integrity level (SIL) determination methods have been described, and the terms used in LOPA have been thoroughly defined and clarified. Different views on LOPA found in the literature have been presented, and a preferred / recommended LOPA approach has been developed and described. This preferred approach has also been applied to a case study based on systems from Aker Engineering and Technology and Aker Subsea. The interface between LOPA and hazard and operability study (HAZOP) has been discussed, and it has been shown how an integrated software tool could work.

The SIL is a measure of the availability of a protection layer or barrier. Protection layers include the basic process control system (BPCS), critical alarms and human intervention, safety instrumented functions (SIF), physical protection and emergency response. All of these reduce the frequency of occurrence of the potential unwanted consequence or mitigate the impact the end-consequence represents.

LOPA is a tool to determine the SIL of a SIF, and it evaluates the other protection layers individually by looking at the risk mitigation they provide. Other tools are the quantitative method described in IEC 61508, the OLF 070 guideline, the risk matrix, the safety layer matrix, the risk graph and the calibrated risk graph. Except for the quantitative method in IEC 61508 and the OLF 070 guideline, these are graphical and qualitative methods which are simpler than LOPA. These SIL determination methods do not differentiate between the risk mitigation the individual protection layers provide.

A clear understanding of the terms in LOPA is important, and a clear methodology is essential to ensure a strong framework. The following relationship between terms is defined: the initiating causes lead to a process deviation, which again may lead to an impact event that may result in an end-consequence. Protection layers are introduced both before and after the impact event. An example is the initiating cause slippery road, which leads to the impact event car crash. The car crash has an end-consequence of three fatalities. In order to prevent this fatal outcome, a rigid car body, air-bags and traction control may serve as protection layers.

The preferred LOPA approach developed during the master thesis is based on the one in IEC 61511, taking the views from other methodologies in the literature into account. The impact event is the starting point of the analysis. The frequency of the initiating events is multiplied with the probability of failure on demand for all credited independent protection layers. In addition, occupancy and ignition probability (if applicable) are multiplied with the result. The final value is denoted the intermediate event likelihood. This is the frequency of occurrence of the end-consequence with the existing protection layers in place. By comparing this with a target frequency measure, the needed SIL is estimated.

HAZOP is a hazard identification method often applied prior to or simultaneously with a LOPA. By integrating HAZOP and LOPA, a high quality analysis requiring fewer resources may be the result. HAZOP has information in common with LOPA, and some information has to be transformed. A software tool used to combine and integrate the two methods is beneficial. Such a tool is advanced, and must incorporate a complex issue like the implementation of expert judgment, which is important in LOPA.

The definition of terms and the preferred approach have proved to be beneficial when applying LOPA during the case study. An extensive issue during this process has been which protection layers are independent, and which are not. This requires understanding of basic reliability concepts, but also a great amount of process and system understanding.

The concept of independent protection layers should be evaluated further, and together with facilitating expert judgment during LOPA and in eventual software tools, these are considered the main challenges.

Chapter 1

Introduction

1.1 Introduction to LOPA

Offshore accidents may result in casualties and economic loss. Determining specific safety requirements for safety systems is an important part of ensuring that accidents are prevented. In the 1990s the standards IEC 61508 and IEC 61511 emerged, and the need for documenting compliance with these in a consistent manner led to the introduction of the layer of protection analysis (LOPA). In chemical processes several protection layers are used, and in LOPA the number and the strength of these protection layers are analyzed. LOPA can be considered a simplified form of quantitative risk assessment. It can be used after a hazard and operability analysis (HAZOP), and before a quantitative risk analysis (QRA). A difference between LOPA and other tools is that LOPA analyzes the different protection layers individually, and the mitigation they lead to. LOPA is especially used to determine the safety integrity level (SIL) of safety instrumented functions in conjunction with IEC 61511, but also as a general risk assessment tool to evaluate whether the protection layers in a system are satisfactory. In addition, several other applications such as capital improvement planning, incident investigation and management of change can be found. The method is not used to a large extent in Norway, but is widely implemented internationally. In the oil / gas industry LOPA is more frequently applied to topside equipment than to subsea equipment.

The concept of protection layers was first covered in the book Guidelines for Safe Automation of Chemical Processes published by the Center for Chemical Process Safety (CCPS), a section of the American Institute of Chemical Engineers (AIChE), in 1993. These thoughts were developed further by the industry, resulting in internal procedures (Dowell, 1998). In 2001 the CCPS published the book Layer of Protection Analysis, Simplified Risk Assessment describing the LOPA method (Gowland, 2006). The method is also described in Part III Annex F of IEC 61511. Extensive literature can be found on LOPA, and stepwise approaches are given both in IEC 61511 and CCPS (2001). The terms vary among different authors, and definitions and interpretations of terms like scenario and independent protection layers (IPL) may be confusing.

1.2 Objectives

The objective of the master project is to gain extensive knowledge of various methods to allocate requirements to safety instrumented systems, with focus on layer of protection analysis (LOPA). As a part of this the following aspects shall be covered:

• Carry out a literature survey and compare and discuss the different approaches to LOPA found in the literature.

• Give a thorough presentation of a recommended LOPA approach. The approach shall be stepwise with a clear description of each step.

• Define and clarify all basic concepts of the recommended LOPA approach.

• Identify and describe interfaces between LOPA and other risk analysis methods (especially HAZOP).

• Discuss pros and cons related to LOPA, and especially the limitations of LOPA.

• Define, exemplify, and discuss the independent protection layer (IPL) concept and discuss the applicability of LOPA in cases where the independence is violated.

• Compare the applicability of LOPA in determining SIL, and compare LOPA with alternative approaches (incl. risk graphs). If possible, this evaluation should be rooted in a practical case study.

1.3 Limitations and structure

A Bayesian approach is used in this thesis, which is concerned with the "degree of belief", as opposed to a classical approach. The master project is executed in a limited time frame, constraining the coverage of the topic. The reader should have a basic understanding of reliability concepts. In addition, knowledge of IEC 61508 and IEC 61511 is an advantage.

An introduction to LOPA and the project is given in Chapter 1. In addition, the relation to IEC 61508 and 61511 is described to give the reader complementary background information. In Chapter 2 different methods in determining SIL are presented, including the quantitative method in IEC 61508, the risk matrix, the safety layer matrix, the OLF 070 guideline, the risk graph and the cal-

discussed. A preferred approach is developed, and presented in Chapter 4, including a description of each step and the basic concepts that are employed. The interface between HAZOP and LOPA is covered in Chapter 5. In addition, the functionality of a software tool integrating LOPA and HAZOP is described. In Chapter 6 the applicability of the preferred LOPA approach suggested in Chapter 4 is evaluated in a case study. Finally, conclusions and recommendations for further work are given in Chapter 7.

1.4 Relation to IEC 61508 and 61511

Requirements for safety instrumented systems (SIS) are given in IEC 61508 and IEC 61511. Rausand and Høyland (2004) describe a SIS as a system comprising sensors, logic solver(s), and actuating (final) items, which can be looked upon as an independent protection shell for machinery or equipment. What the safety systems shall protect is referred to as equipment under control (EUC) and is defined as "Equipment, machinery, apparatus, or plant used for manufacturing, process, transport, medical, or other activities" (IEC 61508, 2003). A SIS implements the wanted safety function needed to maintain a safe state of the equipment and has the function of achieving the essential risk reduction given by the requirements (IEC 61508, 2003). Following the SIS definition, a safety instrumented function (SIF) can then be defined as a function implemented by one or more SIS. However, usually a SIS realizes a number of SIFs (IEC 61508, 2003; Schönbeck, 2007).

Safety integrity is the probability of the safety related system performing the required safety functions under all conditions, within a period of time. Safety integrity level (SIL) is classified into four levels, and is defined by the probability of failure on demand (PFD). The PFD is the average safety unavailability of an item, thus the mean proportion of time the item does not function as a safety barrier. A protection layer is considered a safety barrier. When evaluating the SIL requirements the system has to be classified either as high demand of operation or low demand of operation. For subsea production equipment low demand would be the most applicable because the systems are not used frequently. The SIL requirement is then verified by calculating the PFD (Rausand and Høyland, 2004; Schönbeck, 2007). In Table 1.1 the PFD related to the four SILs for low demand of operation is presented.

Table 1.1: SIL for safety functions operating in low demand of operation adapted from IEC 61511 (2003)

Safety integrity level (SIL) | Average probability of failure to perform its design function on demand
4 | 10^-5 ≤ PFD < 10^-4
3 | 10^-4 ≤ PFD < 10^-3
2 | 10^-3 ≤ PFD < 10^-2
1 | 10^-2 ≤ PFD < 10^-1

Standards do not prescribe how the SIL should be determined for the SIFs, only that it has to be determined. Figure 1.1 shows the safety lifecycle used as the basic framework in IEC 61508 and IEC 61511.

Figure 1.1: Safety lifecycle (IEC 61508, 2003)

This framework makes it possible to deal with requirements and activities in a structured manner. After the two initial phases, "concept" and "overall scope definition", the risk associated with the EUC is analyzed in the "hazard and risk analysis" phase. Techniques such as checklists, failure modes and effects analysis (FMEA) and HAZOP may be used. The next step, which has a red box in Figure 1.1, is to specify the overall safety requirements in terms of safety functions and safety integrity which are needed

during this phase, but other methods like the risk graph and the safety layer matrix are also applicable. In the next phase, "safety requirements allocation", the safety functions are allocated to one or more SIS. Although phase four is the most interesting in this case, phases three and five will come into play, as they give the input to and receive the output from phase four. All of these activities are carried out in the design phase prior to final design and manufacturing (Rausand and Høyland, 2004; IEC 61508, 2003; Schönbeck, 2007).

Chapter 2

Methods in determining SIL

As mentioned in the previous section, various SIL determination methods and tools exist. These may be applied during phase four in Figure 1.1, and in this chapter the most common are presented briefly. Organizations have developed these tools to help engineers estimate the process risk and convert it to a required SIL (Marszal and Scharpf, 2002). Both qualitative and quantitative approaches may be applied. In qualitative methods the parameters used as decision basis are subjective and estimated by expert judgment. Quantitative methods describe the risk by calculations, and a numerical target value is compared with the result. Which method to apply relies primarily on whether the necessary risk reduction is specified in a numerical manner or a qualitative manner. The scope and extent of the analysis would also be an influencing factor. Even if the assignment method is qualitative, the SIL is always quantified as a number (IEC 61508, 2003; Marszal and Scharpf, 2002). The methods described in this chapter include the quantitative method in IEC 61511, the risk matrix, the safety layer matrix, the OLF 070 guideline, the risk graph and the calibrated risk graph.

2.1 Quantitative method as described in IEC 61508

The approach starts off with establishing the tolerable risk target, which must be in accordance with the company risk acceptance criteria. This is the acceptable number of times the SIF is allowed to fail, i.e. the tolerable number of times per year the specific unwanted consequence may occur. This can be determined from a table where categories of consequences are assigned acceptable frequencies. Such a classification is shown in Table 2.1. Assigning numerical values in terms of frequencies, defining which classes are tolerable and plotting the consequence specific to the situation makes it possible to determine the tolerable risk target. If class III in Table 2.1 is tolerable, a catastrophic consequence has

Table 2.1: Risk classification of accidents adapted from IEC 61508

Frequency | Catastrophic | Critical | Marginal | Negligible
Frequent | I | I | I | II
Probable | I | I | II | III
Occasional | I | II | III | III
Remote | II | III | III | IV
Improbable | III | III | IV | IV
Incredible | IV | IV | IV | IV

The next step is to determine the EUC risk. Risk is a measure of probability and consequence. The EUC risk consists of the unwanted consequence and the demand rate on the system without protective features, i.e. the number of times per year the unwanted consequence occurs without the SIF. This can be estimated using quantitative risk assessment methods, e.g. fault tree analysis (FTA) or reliability block diagrams (RBD) (IEC 61508, 2003).

The final step is to calculate the necessary risk reduction to meet the tolerable risk. This is obtained by dividing the number of times per year the SIF may fail by the number of demands per year. The result is "the acceptable number of times the SIF may fail per demand per year", thus the needed probability of failure per demand, which is the PFD. The SIL requirement could be allocated further down to subsystems, e.g. by expert judgment (IEC 61508, 2003).

A separator located topside on a platform or floating production, storage and offloading vessel (FPSO), with a riser down to a subsea production system (SPS) consisting of an X-mas tree (XT) and reservoir, could be used as an example. The EUC is in this case defined as the separator. The acceptable frequency of overpressure of the separator could be 10^-6/year, which could correspond to category class III with critical consequence. Note that this is the acceptable frequency of a given unwanted consequence, which in this case is overpressure. The consequence could in some cases also be directly related to human harm. From the reservoir the demand rate on the system, without any protection systems, can be found. If this is estimated to be 25 demands/year, the approach gives:

$$\mathrm{PFD} \le \frac{\text{Acceptable no. of times the SIF may fail / year}}{\text{No. of demands / year}} = \frac{10^{-6}}{25} = 4 \cdot 10^{-7}$$

This result is the acceptable frequency per demand, hence the probability of failure on demand. The protection system may consist of several sub-systems performing several SIFs, and the PFD may be allocated further down. In this case the high integrity pipeline protection system (HIPPS), production shutdown (PSD), emergency shutdown (ESD) etc. are such systems or functions.
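Added worked example, not code from the thesis: the risk-reduction division of the quantitative method above and the frequency comparison of the LOPA approach described in the Summary (initiating frequency times credited IPL PFDs, occupancy and ignition, compared with a target), both resolved against the low-demand PFD bands of Table 1.1. Function names and the LOPA input values are constructed; note that 10^-6 / 25 evaluates to 4 · 10^-8, which lies below the SIL 4 band, so a single SIF cannot meet it and the PFD has to be allocated across several systems as the text describes.

```python
"""Added worked example (not the thesis author's code): SIL determination by
dividing a tolerable frequency by a demand rate (Section 2.1) and by the LOPA
intermediate event likelihood (Summary), both resolved against Table 1.1."""
from math import prod
from typing import Optional, Sequence

# Table 1.1, low demand mode of operation: SIL -> [lower, upper) PFD band.
SIL_PFD_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def sil_from_pfd(pfd: float) -> Optional[int]:
    """Map a required average PFD to a SIL per Table 1.1.

    Returns 0 when PFD >= 1e-1 (less risk reduction than SIL 1, so no SIL
    is required) and None when PFD < 1e-5: the requirement is stricter than
    SIL 4, so one SIF cannot meet it and the PFD has to be allocated across
    several systems (HIPPS, PSD, ESD, ...) as Section 2.1 describes.
    """
    if pfd <= 0.0:
        raise ValueError("PFD must be a positive probability")
    if pfd >= 1e-1:
        return 0
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= pfd < high:
            return sil
    return None


def required_pfd(tolerable_frequency: float, demand_rate: float) -> float:
    """IEC 61508 quantitative method: acceptable number of SIF failures per
    year (the tolerable risk target) divided by demands per year (frequency
    of the unwanted consequence without the SIF)."""
    if tolerable_frequency <= 0.0 or demand_rate <= 0.0:
        raise ValueError("frequencies must be positive")
    return tolerable_frequency / demand_rate


def intermediate_event_likelihood(
    initiating_frequency: float,
    ipl_pfds: Sequence[float],
    occupancy: float = 1.0,
    ignition: float = 1.0,
) -> float:
    """LOPA form from the Summary: initiating cause frequency multiplied by
    the PFD of every credited IPL and, where applicable, by occupancy and
    ignition probability. The result is the frequency of the end-consequence
    with the existing protection layers in place, i.e. the demand rate seen
    by a SIF that is added on top of them."""
    for p in (*ipl_pfds, occupancy, ignition):
        if not 0.0 < p <= 1.0:
            raise ValueError("PFDs and conditional probabilities lie in (0, 1]")
    return initiating_frequency * prod(ipl_pfds) * occupancy * ignition


def sil_for_sif(target_frequency: float, iel: float) -> Optional[int]:
    """Compare the IEL with the target frequency (TMEL). If the target is
    already met no SIF is needed (0); otherwise the SIF must supply a PFD of
    at most target / IEL, which Table 1.1 turns into a SIL."""
    if iel <= target_frequency:
        return 0
    return sil_from_pfd(required_pfd(target_frequency, iel))


if __name__ == "__main__":
    # Separator example of Section 2.1: 1e-6/year tolerable overpressure
    # frequency against 25 demands/year from the reservoir.
    pfd = required_pfd(1e-6, 25)
    print(f"required PFD = {pfd:.1e}, SIL = {sil_from_pfd(pfd)}")

    # Constructed LOPA scenario (illustrative values, not from the thesis):
    # initiating cause 0.1/year, credited IPLs with PFD 0.1 and 0.01,
    # occupancy 0.5, ignition probability 0.2, TMEL 5e-8/year.
    iel = intermediate_event_likelihood(0.1, [0.1, 0.01], 0.5, 0.2)
    print(f"IEL = {iel:.1e}/year, SIL for added SIF = {sil_for_sif(5e-8, iel)}")
```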

2.2 Risk matrix

The risk matrix, often denoted hazard matrix, is one of the most popular SIL determination methods due to its simplicity. The risk matrix takes frequency and consequence into account qualitatively, based on a categorization of the risk parameters. Figure 2.1 shows a typical risk matrix diagram modified for SIL determination. The consequence and frequency (likelihood) make one axis each, enabling the user to plot the situation under consideration in the diagram. If each box in the diagram has an attached SIL level, the determination process is simple. The consequence categories may be expressed in terms of economic, human or environmental loss. The categories divide the consequences into minor, serious or extensive according to the level of severity. The likelihood categories are divided into low, moderate or high. The categories can be selected qualitatively, using expert judgment, but quantitative tools can in some cases be utilized to make it easier to determine which category to use. Then the categories may be attached to economic figures, number of fatalities, frequency categories, etc. In Figure 2.1, different SILs are applied. Minor consequence - low likelihood leads to no SIL required. This means that the risk is considered tolerable. Minor consequence - moderate likelihood leads to a low SIL, while extensive consequence - high likelihood leads to a high SIL. If a SIL 3 is required, further analysis should be done, as one SIF may not provide sufficient risk reduction (Marszal and Scharpf, 2002).

Figure 2.1: Typical risk matrix modified for SIL determination adapted from (Marszal and Scharpf, 2002)

site or off site, it could be categorized as serious. If the frequency of this outcome is expected to be > 10^-2, the assigned category is high. This consequence - likelihood pair would in Figure 2.1 give a SIL 3, but with further analysis required (Marszal and Scharpf, 2002).

It is important to emphasize that the categorization and determination may lead to an unrealistic result. Other tools and methods may be used in conjunction with this method to improve the quality of the categories and the accuracy of the plotting (Marszal and Scharpf, 2002; IEC 61511, 2003).

2.3 Safety layer matrix

The safety layer matrix is a risk matrix which in addition to frequency and consequence takes the number of protection layers (PL) into account. The resemblance between Figure 2.1, showing a typical risk matrix, and Figure 2.2, which shows a typical safety layer matrix, is as expected strong.

A PL is according to IEC 61511 a grouping of equipment and / or administrative controls which, functioning together with other protection layers, mitigate the process risk. A PL must lead to a risk reduction factor of at least 10, and fulfill the following criteria (IEC 61511, 2003):

• Specificity (one PL is designed to prevent or mitigate the consequences of one potential hazardous event. Multiple causes may initiate action by the PL)

• Independence (the PL must be independent of other protection layers, with no common cause failures (CCF))

• Dependability (the PL must act as intended in design)

• Auditability (the PL must be designed to facilitate validation of function)

A SIS is considered a safety instrumented PL (IEC 61511, 2003). Compared to the term safety barrier as presented in Sklet (2006), a PL is a safety barrier with additional requirements.

The classification of the consequence severity is almost identical to that of the risk matrix, with severity categories minor, serious and extensive. Table 2.2 shows how to estimate the likelihood of the hazardous event which leads to the unwanted consequence or impact. The categorization of likelihood in the risk matrix approach focuses on frequency specifically, while the safety layer matrix categorization in IEC 61511 is based on type of events. Plant specific data should be employed, if available, to establish the likelihood. The event classification in IEC 61511 makes it easy to distinguish between the frequency categories, as the frequencies are related to specific events. Note that the categorization of likelihood and consequence is done without considering the PLs (IEC 61511, 2003).

Table 2.2: Frequency of hazardous event likelihood adopted from IEC 61511

Type of events | Likelihood (qualitative ranking)
Events such as multiple failures of diverse instruments or valves, multiple human errors in a stress free environment, or spontaneous failures of process vessels | Low
Events such as dual instrument or valve failures, or major releases in loading / unloading areas | Medium
Events such as process leaks, single instrument or valve failures, or human errors that result in small releases of hazardous materials | High

* The system should be in accordance with this standard when a claim that a control function fails less frequently than 10^-1 per year is made

Figure 2.2 shows a typical safety layer matrix. The risk criteria are embedded into the diagram, and the methodology and categorization are similar to the risk matrix. The specific hazardous event likelihood and hazardous event severity classification is plotted. This results in one of the 9 columns in the figure. In order to determine the final box in the figure that contains the necessary SIL, the number of PLs must be identified (IEC 61511, 2003). An example could be a process leak resulting in catastrophic consequence to personnel (several casualties). The hazardous event severity is categorized as serious. In Table 2.2 the occurrence of a process leak is classified with high likelihood. Two mechanical pressure relief devices were identified satisfying the PL criteria. In Figure 2.2 an event with serious consequence - high likelihood rating with two PLs would require a SIL 2. If the number of PLs had been one, a SIL 3 and additional analysis would be required.

2.4 The OLF 070 guideline

OLF 070 was developed by operators and suppliers of services and equipment to facilitate the implementation of IEC 61508 and IEC 61511 in the Norwegian petroleum industry. The guideline presents conservative minimum SIL requirements. A conservative requirement is a strict requirement which takes uncertainty into consideration. It can be compared to oversizing a beam in order to ensure the rigidity of the construction. The requirements in OLF 070 are given in a set of tables in chapter seven of the guideline. Background information, such as definition of function including schematics and assumptions, for the various SIL requirements is documented in appendix A of OLF 070. If the tables are not applicable, then a risk based methodology should be used. The guideline makes it possible to skip many of the steps in the determination process, leading to reduced engineering costs. But the approach is not fully risk based, and the results are not as appropriate as quantitative calculations (OLF 070, 2004). Table 2.3 shows the table with the SIL requirement for a subsea ESD function.

2.5 Risk graph

Risk graphs are based on methods described in the German publication DIN 19250 published in 1994, and are a popular approach for determining SIL (Baybutt, 2007). Risk graphs are qualitative and category based. They consider the consequence and frequency of the hazardous event, but also occupancy and the probability of personnel avoiding the hazard (Marszal and Scharpf, 2002; Baybutt, 2007).

In Table 2.4 the classification of the risk parameters suggested in IEC 61511 is shown. The consequence parameter (C) describes the likely outcome of the hazardous event, and four categories of consequences are suggested. C_A is less

Table 2.3: SIL requirement table adopted from OLF 070

Safety function: Subsea ESD
SIL: 3
Functional boundaries for given SIL requirement / comments: Shut-in of one subsea well. Isolate one subsea well. The SIL requirement applies to a conventional system with flowline, riser and riser ESD valve rated for shut-in conditions. Isolation of one well by activating or closing:
- ESD node
- Topside HPU and / or EPU
- WV and CIV including actuators and solenoids
- MV
- DHSV including actuators and solenoids
NOTE: If injection pressure through the utility line may exceed the design capacity of the manifold or flow line, protection against such scenarios must be evaluated specifically.
NOTE: If a PSD system is specified for a conventional system for safety reasons, the PSD functions shall be minimum SIL 1.
Ref.: A.13

Table 2.4: Classification of risk parameters adopted from IEC 61511

Risk parameter | Category | Classification
Consequence (C) | C_A | Light injury to persons
Consequence (C) | C_B | Serious injury to one or more persons. Death of one person
Consequence (C) | C_C | Death of several persons
Consequence (C) | C_D | Catastrophic effect, very many people killed
Frequency of presence in the hazardous zone (F) (occupancy) | F_A | Rare to more frequent exposure in the hazardous zone
Frequency of presence in the hazardous zone (F) (occupancy) | F_B | Frequent to permanent exposure in the hazardous zone
Possibility of avoiding the consequences of the hazardous event (P) | P_A | Possible under certain conditions
Possibility of avoiding the consequences of the hazardous event (P) | P_B | Almost impossible
Frequency of the unwanted consequence (W) | W_1 | A very slight probability that the unwanted occurrences occur and only a few occurrences are likely
Frequency of the unwanted consequence (W) | W_2 | A slight probability that the unwanted occurrences occur and few occurrences are likely
Frequency of the unwanted consequence (W) | W_3 | A relatively high probability that the unwanted occurrences occur and frequent occurrences are likely

consequences are measured in the extent of injury to people, but also environmental or financial target measures can be utilized (IEC 61511, 2003; Marszal and Scharpf, 2002).

The occupancy parameter (F) indicates the fraction of time the hazardous area is occupied by personnel. FB indicates higher risk than FA, as the area is more frequently exposed. Usually, FA is selected if the hazardous area is occupied less than approximately 10% of the time (IEC 61511, 2003).

The possibility of personnel avoiding the hazard is incorporated in the parameter P. This parameter reflects what means the personnel have to identify and escape the hazard. In addition, skill and supervision in process operation and the rate of development of the hazardous event are taken into account. Two categories, PA and PB, are suggested, and PB indicates the highest risk. A checklist of statements that must all be true in order to select PA can be used in the evaluation; such statements are suggested in IEC 61511.

The final parameter is the demand rate parameter (W), which is the frequency per year of the unwanted consequence without the SIF under consideration but with the other safeguards operating. Also for this parameter a higher index indicates higher risk, as less credit is taken for risk reduction by other safeguards. W1 indicates that only a few occurrences are likely, and a demand rate of less than 0.03 per year could fit such a description. W2 and W3 indicate that few or frequent occurrences are likely, and suitable demand rates per year could be 0.03 - 0.3 and 0.3 - 3, respectively, so that the three categories form successive decades. The choice of this parameter affects the result, and care should be taken when selecting the category (Baybutt, 2007; IEC 61511, 2003).

Figure 2.3 shows a typical risk graph. The path from left to right is decided by the selected risk parameters. The selected consequence, occupancy and possibility of avoidance categories result in an output row X. Each output row corresponds to three values of W, and the selection of the demand rate W is the last step in determining the SIL; a higher W parameter leads to a higher SIL. The tolerable level of risk is embedded in the boxes in the three columns at the right hand side, and the entries in these boxes must support the company risk criteria (Marszal and Scharpf, 2002; IEC 61511, 2003).

If the separator example explained in Section 2.1 is employed, the reasoning is as follows. If the likely consequence is evaluated to be serious injury to one or more persons, CB is selected. FA is chosen because the area is only rarely to occasionally exposed to personnel. It is possible under certain conditions to avoid the consequences, which indicates that parameter PA should be used. The combination of these risk parameters results in output row X2. There is a relatively high probability that the unwanted occurrence takes place, so the demand rate category is set to W3. In Figure 2.3 this results in SIL 1.

Figure 2.3: Typical risk graph

2.6 Calibrated risk graph

The calibrated risk graph method is a semi-qualitative method similar to the qualitative risk graph. The same risk parameters are used as for the conventional risk graph approach, and Figure 2.3 is also applicable. Calibration means that numerical values are assigned to the risk parameters of the risk graph. This allows a more precise determination of the SIL and makes the decisions more objective. The calibration depends on individual and societal risk, and these issues, in addition to company criteria and authority regulations, should be considered before assigning the parameter values. Calibration does not need to be carried out every time a SIL is to be determined; the organization only needs to do it once for similar hazards (IEC 61511, 2003).

The consequence can be quantified by the number of fatalities. But in many instances a failure does not cause immediate fatality, which leads to the introduction of the vulnerability concept. Vulnerability (V) is a function of the concentration of the hazard and the duration of the exposure. In Table 2.5 a vulnerability range is given. By multiplying this measure with the number of people present when the area exposed to the hazard is occupied, the number of fatalities is estimated. In the table a range is assigned to each consequence category, making the categorization possible. Note that vulnerability (V) and possibility of avoiding the hazard (P) are two different factors: V concerns the escalation, while P concerns the prevention of the hazard by the operator (IEC 61511, 2003).

Table 2.5: Example calibration adapted from IEC 61511

Consequence (C)
  CA  Minor injury
  CB  0.01 < No. of fatalities < 0.1
  CC  0.1 < No. of fatalities < 1.0
  CD  No. of fatalities > 1.0
  The number of fatalities can be calculated as ”No. of people present when the area exposed to the hazard is occupied” · ”vulnerability to the identified hazard”, with
    V = 0.01  small release of flammable or toxic material
    V = 0.1   large release of flammable or toxic material
    V = 0.5   as above, but also a high probability of catching fire, or highly toxic material
    V = 1     rupture or explosion
Occupancy (F)
  FA  Occupancy < 0.1
  FB  Otherwise (occupancy of 0.1 or more)
  Occupancy is the fraction of time the exposed area is occupied during a normal working period.
Possibility of avoidance (P)
  PA  Hazard can be prevented by the operator taking action after he realizes the SIS has failed to operate; refer to the conditions given in IEC 61511-3
  PB  Adopted if the conditions do not apply
Demand rate (W)
  W1  Demand rate < 0.1 D per year
  W2  0.1 D < Demand rate < 10 D per year
  W3  Demand rate > 10 D per year; higher safety integrity shall be needed

According to Marszal and Scharpf (2002), potential loss of life (PLL) ranges could also be used as a measure of the consequence. PLL is the expected number of fatalities within a population during a specified period of time (NORSOK Z-013, 2001). Note that care should be taken if PLL is chosen as a measure, because it incorporates both probability and consequence. When assigning the other risk parameters it is important to make sure that the consequence parameter is considered independent, so that the same probability is not counted twice (Marszal and Scharpf, 2002).

The parameter F is often measured by the percentage of time the area exposed to the hazard is occupied. FA should be used if the parameter value is less than 0.1 (IEC 61511, 2003; Marszal and Scharpf, 2002).

The avoidance factor PA is selected if all conditions stated in IEC 61511-3 are satisfied, and PB is selected if not (IEC 61511, 2003).

The demand rate (W) is the number of times per year that the hazardous event would occur in the absence of the SIF under consideration. In Table 2.5 ranges are assigned to the different categories. D is a calibration factor that should make the risk graph result in a level of residual risk that is tolerable. It is important that issues are not accounted for several times, which would make the result erroneous. Documentation of the calibration process with references is necessary and should be done with care (Marszal and Scharpf, 2002; IEC 61511, 2003).

When the calibration process is finished and the parameters decided, the risk graph is used to determine the SIL. The demand rate, the occupancy and the possibility of avoiding the consequence of the hazardous event together represent the frequency of the unwanted consequence. In combination with the unwanted consequence, this frequency constitutes the risk without the SIF in place. The entry in each box in the risk graph must be in accordance with the tolerable risk (IEC 61511, 2003; Marszal and Scharpf, 2002).

The separator example referred to in the previous section can again serve as an illustration. In this case the vulnerability measure is estimated to 0.5: overpressure is severe and results in a large release of flammable material with a high probability of catching fire. If the number of people present when the area is occupied is 2, the resulting number of fatalities is 1 and class CC is selected as the consequence severity. One operator does maintenance work or supervision approximately 45 minutes per day, so the exposed area is occupied less than 10% of the time, giving the occupancy class FA. The conditions regarding the possibility of avoidance are satisfied and PA is selected. The calibration factor D is set to 4. The demand rate is estimated to 20 demands per year. This is less than 40 and greater than 0.4, which corresponds to W2. The SIL is then read from the risk graph.
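The two separator examples above (the qualitative walk of Section 2.5 and the calibrated walk of Section 2.6) as an added Python example; this is not code from the thesis, from IEC 61511 or from any of the cited companies. Figure 2.3 is not reproduced on the page, so the path table (C, F, P to output row X) and the X-row / W matrix below are an assumed calibration laid out like the IEC 61508-5 example risk graph; they are only known to agree with the page where the page states a result (CB/FA/PA gives X2, and X2 with W3 gives SIL 1). The 8 hour working period used for the occupancy fraction is also an assumption.

```python
"""Risk graph SIL determination, Sections 2.5 and 2.6 (added example).

Not code from the thesis. ROW_TABLE and SIL_MATRIX are an ASSUMED calibration
laid out like the IEC 61508-5 example risk graph; Figure 2.3 of the thesis is
not reproduced here, so they are only known to agree with the page's own
results (CB/FA/PA -> X2 and X2/W3 -> SIL 1).
"""

# (C, F, P) -> output row X. CA has a single branch (assumption); CB..CD split
# on occupancy F and avoidance P.
ROW_TABLE = {
    ("CA", "FA", "PA"): "X1", ("CA", "FA", "PB"): "X1",
    ("CA", "FB", "PA"): "X1", ("CA", "FB", "PB"): "X1",
    ("CB", "FA", "PA"): "X2", ("CB", "FA", "PB"): "X3",
    ("CB", "FB", "PA"): "X3", ("CB", "FB", "PB"): "X4",
    ("CC", "FA", "PA"): "X3", ("CC", "FA", "PB"): "X4",
    ("CC", "FB", "PA"): "X4", ("CC", "FB", "PB"): "X5",
    ("CD", "FA", "PA"): "X4", ("CD", "FA", "PB"): "X5",
    ("CD", "FB", "PA"): "X5", ("CD", "FB", "PB"): "X6",
}

# Output row x demand-rate class -> SIL (assumed). 0 = no SIL requirement;
# "b" = a single SIF is not sufficient, the hazard must be designed out.
SIL_MATRIX = {
    "X1": {"W3": 0, "W2": 0, "W1": 0},
    "X2": {"W3": 1, "W2": 0, "W1": 0},
    "X3": {"W3": 2, "W2": 1, "W1": 0},
    "X4": {"W3": 3, "W2": 2, "W1": 1},
    "X5": {"W3": 4, "W2": 3, "W1": 2},
    "X6": {"W3": "b", "W2": 4, "W1": 3},
}


def consequence_class(people_present, vulnerability):
    """Calibrated C (Table 2.5): fatalities = people present x vulnerability V."""
    fatalities = people_present * vulnerability
    if fatalities < 0.01:
        return "CA"
    if fatalities < 0.1:
        return "CB"
    if fatalities <= 1.0:   # the thesis example places exactly 1.0 in CC
        return "CC"
    return "CD"


def occupancy_class(minutes_occupied, working_period_minutes=480.0):
    """Calibrated F (Table 2.5): FA if the exposed area is occupied less than
    10% of the working period. An 8 h (480 min) working period is assumed."""
    return "FA" if minutes_occupied / working_period_minutes < 0.1 else "FB"


def avoidance_class(all_iec61511_conditions_satisfied):
    """Calibrated P: PA only if every condition in IEC 61511-3 holds."""
    return "PA" if all_iec61511_conditions_satisfied else "PB"


def demand_rate_class(demands_per_year, d):
    """Calibrated W (Table 2.5) with calibration factor D: W1 below 0.1 D,
    W2 from 0.1 D to 10 D, W3 above 10 D."""
    if demands_per_year < 0.1 * d:
        return "W1"
    if demands_per_year <= 10.0 * d:
        return "W2"
    return "W3"


def risk_graph_sil(c, f, p, w):
    """Walk the graph: (C, F, P) selects the output row X, then W selects the SIL."""
    row = ROW_TABLE[(c, f, p)]
    return row, SIL_MATRIX[row][w]


def calibrated_sil(people_present, vulnerability, minutes_occupied,
                   conditions_satisfied, demands_per_year, d):
    """Full calibrated run. Returns the chosen categories as well as the SIL,
    so the path through the graph can be documented as Section 2.6 requires."""
    c = consequence_class(people_present, vulnerability)
    f = occupancy_class(minutes_occupied)
    p = avoidance_class(conditions_satisfied)
    w = demand_rate_class(demands_per_year, d)
    row, sil = risk_graph_sil(c, f, p, w)
    return {"C": c, "F": f, "P": p, "W": w, "row": row, "SIL": sil}


if __name__ == "__main__":
    # Section 2.5 qualitative example: CB, FA, PA and W3.
    print(risk_graph_sil("CB", "FA", "PA", "W3"))
    # Section 2.6 calibrated example: V = 0.5, 2 people, 45 min/day, D = 4,
    # 20 demands per year.
    print(calibrated_sil(2, 0.5, 45, True, 20, 4))
```

Keeping the path table and the SIL matrix as data rather than nested `if` statements is what makes the calibration auditable: a change of company risk criteria is a change to one table, and the returned dictionary records which category was chosen for every parameter, which is the documentation the calibrated method asks for.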

Chapter 3

LOPA

3.1 What is LOPA?

LOPA was introduced in the 1990s and has recently gained international popularity. LOPA is referred to in the literature both as a simplified risk assessment technique and as a risk analysis tool. Capital improvement planning, incident investigation and management of change can be found as additional applications. LOPA is a flexible tool which can be used in different contexts and applications, which makes it confusing to understand what it really is. The application under consideration here is LOPA as a SIL determination tool.

According to Marszal and Scharpf (2002), LOPA can be viewed as a special type of event tree analysis (ETA), which has the purpose of determining the frequency of an unwanted consequence that can be prevented by a set of protection layers. The approach evaluates a worst-case scenario, where all the protection layers must fail in order for the consequence to occur. The frequency of the unwanted consequence is calculated by multiplying the PFDs of the protection layers with the demand on the protection system (represented as a frequency). Comparing the resulting frequency of the unwanted consequence with a tolerable risk frequency identifies the necessary risk reduction, and an appropriate SIL can be selected (Marszal and Scharpf, 2002; CCPS, 2001).

LOPA is a semi-quantitative method using numerical categories to estimate the parameters needed to calculate the necessary risk reduction that corresponds to the acceptance criteria (CCPS, 2001). In a quantitative risk assessment (QRA), mathematical models and simulations are often used to estimate the extent or escalation of damage, e.g. toxic diffusion, explosion expansion or fire escalation. In addition, FTA or other methods are used to calculate the frequency of the accidental event (Rausand and Høyland, 2004). In LOPA, simplifications, expert judgment and tables are used to estimate the needed numbers (CCPS, 2001). LOPA usually receives output from a HAZOP or a hazard identification study (HAZID), and often serves as input to a more thorough analysis such as a QRA.

Figure 3.1 is often referred to as the bow-tie and is a common figure to describe risk analysis. It shows the accidental event linked to its causes and consequences, and the methods which may be applied in the different phases. An ETA focuses on the consequence spectrum, not on the causal analysis, implying that LOPA is placed in column (c) to the right in the figure. On the other hand, LOPA is not as in-depth as would be expected from a consequence analysis and does have a close interaction with HAZOP, suggesting that it should be positioned more to the middle (column b). The final ”position” is somewhere in between.

Often, an ”onion” like the one in Figure 3.2 is used as an illustration of the protection layers in LOPA. The system or process design has protection layers including the basic process control system (BPCS), critical alarms and human intervention, SIFs, physical protection and emergency response.

The BPCS is the control system used during normal operation, sometimes denoted the process control system (PCS). Input signals from the process and / or from the operator are converted into outputs which make the process operate in the desired manner. If the control system discovers that the process is out of control (e.g. high pressure), it may initiate actions to bring the process back within its limits (e.g. choking the flow) (CCPS, 2001; IEC 61511, 2003).

Alarms monitoring certain parameters (e.g. pressure and temperature) are considered another protection layer. When the alarm is tripped, the operator may intervene to stop the hazardous development. Note that the alarm system has to be wired to a loop other than the BPCS in order to be independent (CCPS, 2001; IEC 61511, 2003).


Rausand (2004) describes a SIS as a system comprising sensors, logic solver(s) and actuating (final) items, which can be looked upon as an independent protection shell for machinery or equipment. A SIS implements the wanted safety function, the SIF. In LOPA, SIFs are considered as protection layers.

Physical protection includes equipment like pressure relief devices. In a separator this may be a rupture disc which blows off pressure if the pressure is too high. Post-release protection is physical protection such as dikes, blast walls etc. These have their function after the release or explosion has occurred. Both of these types of physical protection are considered protection layers in LOPA (CCPS, 2001; The Dow Chemical Company, 2002; ACM Facility Safety, 2006).

If an accident occurs, procedures, evacuation plans, equipment and medical treatment help the exposed personnel to escape, or mitigate damage / injury. Such measures are classified as plant and community emergency response, and are considered the final protection layer (CCPS, 2001; The Dow Chemical Company, 2002; ACM Facility Safety, 2006).

LOPA incorporates the reliability of the existing barriers to determine the reliability needed from the SIF. Note that LOPA does not determine what protection layers to implement, only the needed performance. In some cases a SIF is already present, and the SIL of an additional SIF shall be determined. How many and which protection layers are required depends on the situation at hand (CCPS, 2001; The Dow Chemical Company, 2002).

3.2 Explanation of terms

Various authors use different terms in LOPA. Examples are terms like scenario, impact event and initiating event. This makes it confusing to understand what is meant by the different terms and how they are applied. What exactly is an impact event? Does an impact event description include both causes and consequences? What is an impact event compared to an accidental event? What is a scenario? What is an independent protection layer? ”Where” do we start the LOPA analysis? The objective of this section is to clarify these questions and build the foundation for the further evaluation of LOPA. The relation between the terms is described by Figure 3.3.

Process deviation

According to NORSOK Z-013 (2001) an accidental event is defined as ”event or chain of events that may cause loss of life, or damage to health, the environment or assets”. Another definition is ”the first significant deviation from a normal situation that may lead to unwanted consequences” (Rausand and Høyland, 2004). In IEC 60300-3-9 (1995) the term hazardous event is used instead of accidental event. In the HAZOP study the accidental event is referred to as a process deviation. The term process deviation is used from now on, and the definition from Rausand and Høyland (2004) is acknowledged as adequate.

Impact event

CCPS (2001) describes an impact as: ”The ultimate potential result of a hazardous event. Impact may be expressed in numbers of injuries or fatalities, environmental or property damage, or business interruption.” According to IEC 61511 an impact event is equivalent to the consequence in the HAZOP study. This implies that the impact event is the unwanted consequence of the hazardous event or accidental event, which is referred to here as a process deviation. The impact event is closely related to the unwanted consequence, and the question which remains is what degree of consequence an impact event represents, e.g. end-consequence or intermediate consequence. From now on the impact event is defined as ”the first sign of harm to people, environment or assets”. Examples are a car crash or an explosion due to overpressure of a separator. The impact event may lead to an end-consequence, which may include fatalities / injury, environmental damage or economic loss. For the impact event ”car crash”, the process deviation could be ”car starts to slide”: the car is out of control, and if the situation is not brought back under control, the impact event occurs. For the impact event ”explosion due to overpressure of separator”, the process deviation could be high pressure upstream of the separator.

Initiating cause

The initiating causes are the reasons why the process deviation occurs, not the most basic underlying root causes; the initiating causes are the results of the root causes. CCPS presents three types of initiating causes: external events, equipment failures and human failure. External events are earthquakes, hurricanes and other external shocks. Equipment failures are control system failures or mechanical failures. Human failures are either errors of omission (a required task is not carried out at all) or errors of commission (the task is carried out, but incorrectly, e.g. failing to observe or respond appropriately) (CCPS, 2001). For the car crash example an initiating cause could be a slippery road.

Scenario

According to CCPS (2001) a scenario describes a single cause - consequence pair from the HAZOP. In LOPA terminology this is a single initiating cause - impact event pair. This implies that a scenario consists of more than just the impact event. But should not a scenario comprise even more? A more appropriate definition of a scenario would include more than one cause. The scenario definition is therefore extended to describing ”the development from a process deviation to an impact event, including the causes leading to the process deviation”.

Protection layers vs. independent protection layers

The term protection layer was defined by IEC 61511, and four important characteristics were given in Section 2.3. What is the difference between a PL and an IPL, and is the definition appropriate? According to IEC 61511 an IPL must have the same inherent characteristics. In addition it must provide at least 100-fold risk reduction (not 10 as for a PL) and have a functional availability of at least 0.9 (IEC 61511, 2003). These definitions seem confusing. From the point of view of IEC 61511 an IPL is just a PL with stricter requirements to availability and degree of risk reduction. A PL has the same requirement to independence, so the name is misleading. A more appropriate definition would be to call all PLs IPLs, and IPLs with a high degree of availability and risk reduction high integrity IPLs. A definition of PL in CCPS (2001) is rewritten to: ”device, system or action that is capable of preventing a process deviation from proceeding to the end consequence”. Subsequently an IPL is defined as ”a PL that is capable of preventing a process deviation from proceeding to the end consequence, regardless of other PLs associated with the same impact event - initiating cause pair, and of the initiating event”. An IPL should fulfill the characteristics presented in Section 2.3.

Another issue of interest is whether the PLs are designed to prevent the unwanted consequence from happening, or are placed as barriers to mitigate the consequences after the impact event has occurred. PLs either reduce the frequency of the occurrence of the unwanted consequence, or mitigate the consequences.

An airbag system is defined as a SIS. The airbag inflates when a set of sensors send signals to a logic solver which initiates the inflation. If the impact event is a car crash, this protection system functions subsequent to the occurrence of the impact event. It limits the extent of damage rather than reducing the frequency of the impact event. In other cases SIFs are placed prior to the impact event. If the impact event is overpressure of a separator, SIFs with the intention of closing valves and shutting down the system act before the impact event. The SIF tries to prevent the impact event from occurring, thus reducing its frequency.

Relation between terms

Figure 3.3: Relation between initiating causes, impact event, process deviation and IPLs

Figure 3.3 shows the relation between the initiating causes, impact event, process deviation and the PLs listed in IEC 61511. It shows how all the terms fit together, and the figure and the definitions given form the basis of the understanding of LOPA. Initiating causes may be the sources of a process deviation, which may lead to an impact event. The impact event may result in an end-consequence. In order to prevent the end-consequence, PLs are introduced. Most of these have the objective of limiting the frequency of the impact event, but PLs that minimize the extent of damage may also be put in place. Note that the worst-case scenario is assumed: all the PLs have to fail in order for the end-consequence to occur, hence the analogy to a branch in an ETA. The symbol * means that the PL may be credited as an IPL. The concept of IPL is discussed in the case study in Chapter 6. Note that the starting point of the LOPA analysis is the impact event. After this is identified, the causes are identified and the

3.3 The LOPA team

LOPA is performed by a multi-disciplinary team, which at least should consist of one:

• operator

• process engineer

• process control engineer

• manufacturing management representative

• instrument / electrical maintenance representative

• risk analysis specialist

One of the team members should be skilled in the LOPA methodology, and it is important that the team has experience with the related process / system. One of the team members should be a skilled meeting facilitator, and a secretary of the team should also be elected. Persons with other expertise may take part in the analysis at different points when needed. The meetings are usually run in several sessions, based on process documentation and a spreadsheet report to document the analysis (IEC 61511, 2003; Dowell, 1998; BP, 2006).

3.4 LOPA worksheet and the LOPA process

This section describes how LOPA works, and the LOPA process as described in IEC 61511. The terms are adapted to the definitions presented earlier and are thus somewhat different from the ones in IEC 61511. Note that different approaches and methodologies exist; these are discussed in Section 3.5. The LOPA report worksheet presented in IEC 61511 is shown in Table 3.1. The columns are explained briefly step by step below.

Impact event

The potential impact event is described in the first column of the table. This is the consequence determined in the HAZOP study.

Severity Level

In the next column the severity level of the impact event is entered, and levels of Minor (M), Serious (S) or Extensive (E) are suggested, which is the same classification as in the risk matrix approach and the safety layer matrix approach. Note that in the risk graph approach the consequence levels range from CA to CD.

Table 3.1: Important columns in the LOPA report / worksheet, adapted from IEC 61511 (2003), filled in with the separator example of this section

Column 1, Impact event description: Pressure above design pressure of separator. Rupture of separator, ignition. Leading to the end-consequence: no. of fatalities between 1 and 10 (no slugging).
Column 2, Severity level: E
Column 3, Initiating cause:
  (a) Pressure control failure causing blocked outlet
  (b) Spurious trip of the XV in addition to PV control failure
Column 4, Initiation likelihood (per year): (a) 0.1; (b) 0.001
Column 5, Protection layers (PFD): general process design 1, BPCS 1, alarms etc. 1, for both (a) and (b)
Column 6, Additional mitigation, restricted access (PFD): 0.21 for both (a) and (b)
Column 7, High integrity additional mitigation, dikes / pressure relief (PFD): 0.08 for both (a) and (b)
Column 8, Intermediate event likelihood (per year): (a) 1.7 · 10^-3; (b) 1.7 · 10^-5; total 1.717 · 10^-3
Column 9, SIF integrity level: required risk reduction 1.75 · 10^-2, i.e. SIL 1
Column 10, Mitigated event likelihood (per year): (a) 3 · 10^-5; (b) 3 · 10^-7; total 3.03 · 10^-5

Initiating cause and initiation likelihood

All direct initiating causes of the impact event are listed in column 3. In column 4 the likelihood values of the initiating causes occurring, in events per year, are entered. A table showing typical values is given in IEC 61511; e.g. a failure with a low probability of occurring within the lifetime of the plant (dual instrument or valve failure) is categorized with a frequency between 10^-4 and 10^-2 per year.

Independent Protection layers

If protection layers satisfy the IPL criteria, they are given credit and their PFD values are entered in the worksheet. Process design features that reduce the likelihood of an impact event occurring when an initiating cause occurs are listed first in column 5; jacketed pipe or vessels serve as examples. The BPCS is the next to be listed in column 5: if the BPCS prevents the impact event from occurring when the initiating cause occurs, credit based on its PFD is claimed. The last item in column 5 takes credit for alarms that alert the operator and for the operator intervention they trigger.

Additional mitigation layers with associated PFDs are listed in column 6. Mitigation layers are normally mechanical, structural or procedural and may reduce the severity, but do not prevent the impact event from occurring. Examples of additional mitigation are pressure relief devices, dikes, restricted access and evacuation procedures.

IPLs may be credited as high integrity IPLs if the functional availability is at least 0.9 and they provide at least 100-fold risk reduction. They are then listed in column 7. A table in IEC 61511 presents typical PFD values for certain protection layers.

Intermediate event likelihood

The intermediate event is the occurrence of the end-consequence with the existing / planned protection layers in place, but without the SIF under consideration. The intermediate event likelihood is the frequency per year of this event, and is entered in column 8. It is calculated by multiplying the initiating event likelihood (column 4) by the PFDs of the protection layers and mitigation layers (columns 5, 6 and 7). The calculated number should be in events per year and is compared with the corporate criteria. If the intermediate event likelihood is greater than the corporate criterion, additional mitigation is needed. Inherently safer design should be considered before new SIFs are introduced.

Safety integrity level (SIL)

If a new SIF is needed, the required risk reduction (the PFD the SIF must achieve) is found by dividing the corporate criterion for this severity level by the intermediate event likelihood, and the SIL corresponding to that PFD is entered in column 9.

Mitigated event likelihood

The mitigated event is the occurrence of the end-consequence with all protection layers in place, including the proposed SIF. The mitigated event likelihood is the frequency per year of this event. It is calculated by multiplying columns 8 and 9, and the result is entered in column 10. This step is repeated until the team has calculated a mitigated event likelihood for each impact event.

Total risk

The last step could be to calculate the total risk with respect to each specific impact event. The mitigated event likelihoods of all the events rated as serious or extensive and presenting the same hazard are added up. This step could include additional probabilities, if not accounted for in the previous steps.

Example

In Table 3.1 some rows are filled in. The example is overpressure of a topside separator, taken from Harsem Lund (2007). The HAZOP identified that pressure above the design pressure of the separator could cause rupture and possible ignition, leading to a number of fatalities between 1 and 10. Further, two initiating causes with initiating likelihoods were identified. General process design, BPCS and alarms are not given credit as PLs and are thus given the value 1. Additional mitigation (restricted access) is estimated to 0.21, due to an assumed ignition probability of 0.3 and an occupancy of 70%. IPL additional mitigation is estimated to 0.08, due to the assumption that 8 PSVs must be running to avoid pressure build-up above test pressure. The intermediate event likelihood is then calculated for each initiating event, and the corporate / company criterion for this severity level (E) is 3 · 10^-5 events per year. The sum of the intermediate event likelihoods is 1.717 · 10^-3 events per year. Dividing 3 · 10^-5 by 1.717 · 10^-3 gives a necessary risk reduction of 1.75 · 10^-2, which is a SIL 1 requirement. The mitigated event likelihoods become 3 · 10^-5 and 3 · 10^-7 events per year, which give a total of 3.03 · 10^-5 events per year.

3.5 Different approaches in literature

Many similarities can be found among the approaches and methodologies presented in the literature. Summers (2003), Ellis and Wharton (2006) and Dowell (1998) have presented flowcharts, while IEC 61511 uses a worksheet as the basis for its methodology. BP (2006) has its own procedure providing guidance on LOPA, which includes a flowchart. CCPS (2001) presents a diagram explaining the LOPA steps, with a chapter explaining each step. But the approach in IEC 61511 is the most prevalent. The essential steps that seem common are:

• Documentation of the hazard analysis

• Development of scenario or impact event

• Identification of initiating causes

• Determination of the protection layers including the IPLs

• Quantification (cause frequency / likelihood and PFD)

• Target risk evaluation / SIL determination

As the list indicates, the major steps in the SIL determination process are covered. Most approaches take information from previous studies to identify hazards and to form a basis for the next steps. The initiating causes are identified and their frequencies determined. The most substantial differences between the various approaches are the use of terms, the order of the steps and the intended application. Another distinction is how the SIL is incorporated and evaluated. Often the ”as is” process design is evaluated: the existing protection layers are identified and the intermediate event likelihood determined before a SIL is assigned to the SIF. Sometimes the SIF under consideration, with its expected PFD, is included implicitly in the calculations. This results in a different criterion for acceptability: the mitigated event likelihood, not the intermediate event likelihood, is then the calculated frequency that is compared to the acceptance criteria.

Some authors use screening tools, and / or suggest LOPA as a part of a total methodology. Ellis and Wharton (2006) suggest such a close interface between LOPA and other methods. Figure 3.4 is an extract of the determination method-ology presented in Ellis and Wharton (2006). The consequences of the impact events are classified. A consequence level is chosen for the impact event under consideration, and LOPA used if the most severe category CEis selected. If not

a risk graph approach is utilized. If the risk graph results in SIL 1 (or lower) this is documented as the final SIL. The risk graph may result in a high SIL (SIL 2 - 4), and LOPA is suggested in those cases. The LOPA may conclude a SIL 3-4. If this is the case, a fault tree analysis (FTA) is initiated. If the FTA result in SIL 3-4, redesign to eliminate hazard or reduce event severity or event likelihood is needed. Harsem Lund (2007) supports the use of risk graph and QRA in addition to LOPA, depending on the calculated SIL.


Figure 3.4: Extract of SIL determination methodology from Ellis and Wharton (2006)

3.6 Aker E&T methodology

The Aker E&T LOPA methodology is presented in Figure 3.5. The method is modified compared to the one given in Nordhagen (2007). Compared to the approaches discussed in Section 3.5, the Aker E&T approach is an overall methodology, not taking the proposed SIF implicitly into account. Often the customer's methodology (e.g. Statoil, BP) forms the basis for the analysis.

P&IDs are schematic diagrams describing piping, equipment and instrumentation connections within process plants. ISO 10418 (2003) is a technical standard that provides objectives, functional requirements and guidelines for techniques for analysis, design and testing of surface process safety systems. This standard helps the design team to implement safety functions in the P&IDs for the system concerned. A HAZID, HAZOP or WHAT-IF analysis helps to identify process deviations which require additional SIFs. After all information has been gathered and documented in the P&IDs and additional documentation, a LOPA is initiated. The report sheet in Table 3.1 is used, and the steps described in Section 3.4 are followed, except for the steps where the mitigated event likelihood and the total risk are calculated. An example of acceptance criteria is shown in Table 4.1, and the accepted frequency is denoted target mitigated event likelihood (TMEL). The mitigated event likelihood is in the Aker E&T approach equal


Figure 3.5: Aker E&T methodology adapted from Nordhagen (2007)

The SIF under consideration is assumed not to be in place during the analysis, and the formula used in the evaluation of the LOPA results can be written as the ratio $\frac{\text{Acc. freq.}}{\text{Total IEL}}$. If the ratio between the accepted frequency (Acc. freq.) and the calculated total intermediate event likelihood (Total IEL) is greater than or equal to 1, the team shall evaluate whether the SIF shall be removed or not. This implies that the resulting frequency of the end-consequence, without the proposed SIF, is equal to or less than the accepted frequency. The analysis team can either remove the SIF, because the system is evaluated to be safe enough, or keep the SIF but without any requirements to the safety function. If $1 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.1$, "SIL 0" is selected. This implies that the intermediate event likelihood is between one and ten times higher than the acceptable value. No further evaluation is necessary, but the SIF is kept in order to achieve some risk reduction. If $0.1 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.01$, which is equivalent to SIL 1 in IEC 61511, SIL 1 is selected and no further evaluation is done. SIL 2 is selected if $0.01 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.001$. If the analysis result is SIL 3 ($0.001 > \frac{\text{Acc. freq.}}{\text{Total IEL}} > 0.0001$), a QRA is initiated to further evaluate the SIF (Nordhagen, 2007).
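The Aker E&T selection rule above, worked through as an added example (not code from the thesis, Aker E&T or Nordhagen): the total IEL is built from constructed initiating-cause frequencies and IPL PFDs, the TMEL is a constructed value rather than Table 4.1, and the treatment of ratios exactly on a band edge is my assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One LOPA scenario: an initiating cause and the IPLs credited against it.
    The SIF under evaluation is excluded, as Aker E&T assumes it is not in place."""
    name: str
    cause_frequency: float   # initiating cause frequency, events per year
    ipl_pfds: tuple          # PFD of each independent protection layer

def intermediate_event_likelihood(s: Scenario) -> float:
    """IEL of one scenario: cause frequency times the PFD of every IPL."""
    iel = s.cause_frequency
    for pfd in s.ipl_pfds:
        iel *= pfd
    return iel

def total_iel(scenarios) -> float:
    """Sum the IELs of all scenarios leading to the same end-consequence."""
    return sum(intermediate_event_likelihood(s) for s in scenarios)

def sil_decision(acc_freq: float, total: float) -> str:
    """Map the ratio Acc. freq. / Total IEL onto the Aker E&T outcome bands.
    The bands are stated with strict inequalities, so a ratio exactly on an edge is
    unspecified; it goes to the more demanding band here (my assumption)."""
    ratio = acc_freq / total
    if ratio >= 1:
        return "evaluate removal of SIF"
    if ratio > 0.1:
        return "SIL 0"
    if ratio > 0.01:
        return "SIL 1"
    if ratio > 0.001:
        return "SIL 2"
    if ratio > 0.0001:
        return "SIL 3 (initiate QRA)"
    return "outside documented bands"   # below 1e-4 the thesis gives no rule

# Constructed sample data, not taken from Table 4.1 or any real plant.
TMEL = 1e-5  # target mitigated event likelihood, per year
SCENARIOS = (
    Scenario("level control failure", 0.1, (0.1, 0.01)),  # operator response, relief valve
    Scenario("external fire", 0.01, (0.1,)),              # passive fire protection
)

if __name__ == "__main__":
    total = total_iel(SCENARIOS)
    print(f"Total IEL {total:.2e}/yr, ratio {TMEL / total:.3e}: {sil_decision(TMEL, total)}")
```

With the constructed data the total IEL is 1.1e-3 per year and the ratio is about 0.009, which falls in the SIL 2 band.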


Chapter 4

Preferred approach

4.1 Flowchart

When performing LOPA, a clear methodology and approach is needed to make the team focus on the analysis and not on how to do the analysis. The preferred approach is a recommended approach developed from the worksheet presented in IEC 61511, reproduced in Table 3.1. It is modified taking the views presented in Sections 3.5 and 3.6 into consideration, using the terms described in Section 3.2. The steps in Figure 4.1 are described in the paragraphs below.

Step 1: Develop and document the risk acceptance criteria

It is of great importance that this step is done with care. The acceptance criteria have to respond to the requirements from the company, authorities and customers. Acceptance criteria should be established for different types of consequences, such as safety, environmental and economical. In Table 4.1 an example of acceptance criteria for safety hazards is presented. Note that the TMEL is a frequency. For economical / commercial hazards the criteria could consist of target mitigated likelihoods and monetary consequences. If acceptance criteria already exist, these should be verified before they are employed.

Step 2: Gather and document data

The results from HAZOP, HAZID and WHAT-IF analyses must be gathered and documented. In addition, documentation such as equipment data, maintenance plans and operational conditions and procedures is important to obtain. If the data material is not sufficient, further data must be collected. In particular, the need for further hazard identification must be evaluated.
