
4 MANAGEMENT OF RISK ASSESSMENT: CUMULATIVE LOPA

4.1 OVERVIEW OF LOPA METHOD

4.1.3 Objectives of LOPA procedure

- identify the safety protection layers
- allocate the safety functions to the protection layers
- determine if one or more safety instrumented functions (SIF) are required to achieve the target risk reduction
- determine for each SIF, if required, the safety integrity level (SIL).

Figure 27 Typical LOPA structure

4.1.4 Why is LOPA used for SIL determination?

The SIL determination methods suggested in IEC 61508 [IEC_508] and IEC 61511 [IEC_511] for calculating the target SIL value of a SIF are split into three groups:

- Qualitative, like the risk matrix (see Chapter 3.1.3) and the risk graph (see Chapter 3.1.4)
- Semi-quantitative, like LOPA
- Quantitative, like Failure Mode and Effect Analysis (FMEA), Reliability Block Analysis (see Chapter 3.1.8) and Markov modelling (see Chapter 3.1.9).

The qualitative methods are simple, inaccurate and too subjective, which is why they are not widely applied in the practice of the Process Industry nowadays. On the other side, the quantitative methods are too complex and slow for practical usage; furthermore, the process industry is becoming more and more complex to be handled in a simple way by these methods. That is why the semi-quantitative methods, like LOPA, seem to be a good compromise.

However, although LOPA is only semi-quantitative, there are several arguments why the usage of LOPA is preferable:

- It is not as subjective as the qualitative methods.

- It needs a Company Target Risk Matrix, so it increases the safety culture of the given company as the company needs to build up the Functional

[Figure 27 diagram: an initial event passes through IPL1, IPL2, IPL3, IPL4 and IPL5 in turn. If IPL1 fails but a later IPL works (IPL1 failed; IPL1, IPL2 failed; ... IPL1 to IPL4 failed), the outcome is a tolerable safe condition; if IPL1 to IPL5 all fail, the outcome is a dangerous, not tolerable condition. FNM = non-mitigated frequency, F = mitigated frequency.]

- LOPA is the only method that is able to take into consideration the non-instrumented protection layers.
- LOPA gives the possibility of discovering all non-instrumented protection layers.
- LOPA gives the possibility of building up the most cost effective protection system (called here the Integrated Safety System), including instrumented and non-instrumented protection layers.
- That is why LOPA is a widely accepted SIL calculation method in the Process Industry, and why this research focused on making the method more precise, cost effective and automatic.

4.1.5 SIL calculation with LOPA method

My goal was to review, define and fix the problems of the existing methods used in practical LOPA application for determining the SIL value of a given SIF.

Based on the Safety Life Cycle, it is necessary to become convinced that the existing/designed SIS is appropriate for the particular process from the viewpoint of functional safety (pre-validation, validation). How does one become convinced of this? Based on the IEC 61511 standard [IEC_511], one should perform the following steps:

- Hazard and Risk analysis
- IPL allocation and SIL calculation of SIFs
- Safety Requirement Documentation

Figure 28 shows how this procedure works step by step.

Both IEC 61508 and IEC 61511 mention LOPA as one of the methods that give a possibility for determining the required SIL value of a SIF.

LOPA [CCPS_93], [CCPS_01] is a quantitative risk analysis technique that is applied following a qualitative hazard identification tool such as HAZOP.

LOPA is described as a semi-quantitative method because, even though the technique does use numbers and generates a numerical risk estimate, the input numbers are rough estimates whose accuracy is about at the order-of-magnitude level, and the result is intended to be conservative (overestimating the risk). But even though LOPA is semi-quantitative, the estimated risk is usually adequate to understand the required SIL for the SIFs. If a more complete understanding of the risk is required, more rigorous quantitative techniques such as fault tree analysis or quantitative risk analysis may be required. In the case of process plants the latter solution is not practical, or is even impossible.

Figure 28 shows the procedure for calculating the SIL value of a given SIF. The procedure of LOPA in Figure 28 is the following:

- The starting point is the unmitigated cause frequency and the target cause frequency, obtained by evaluating the consequences of the given hazard scenario and comparing them to the QTRM table for people, environment and business
- Identify the possible non-instrumented safety protection layers.
- Allocate the safety functions to the protection layers.
- Determine if one or more safety instrumented functions (SIF) are required to achieve the target risk reductions.
- Determine for each SIF, if required, the safety integrity level (SIL) and Risk Reduction Factor (RRF).

Figure 28 Method of SIL calculation

The main goal of LOPA is to evaluate the risk of selected hazardous scenarios without any protection layer (but with the BPCS involved); the starting point is the unmitigated frequency. In practice LOPA is used to determine whether the identified (existing and/or proposed) protection layers are “strong” enough to reduce the risk, i.e. LOPA is used to make risk-avoiding (protective and preventive) decisions; for details see Chapter 4.1.

LOPA starts with an undesired consequence, usually an event with environmental, health, safety, business or economic impact. The severity of the consequence is estimated using appropriate techniques, which may range from simple “look-up” tables to sophisticated consequence modelling software tools.

The consequence always has one or more initiating events (causes). Each cause-consequence pair is called a “scenario”, and LOPA focuses on one scenario at a time. The frequency of the initiating event is also estimated (usually from look-

unmitigated frequency. The rule for a HAZOP study is to analyse the hazard problems of the EUC (Equipment Under Control), and the BPCS is always part of the EUC system.

After identifying all causes and consequences in the given process, the possible safeguards (protection layers) are evaluated for two key characteristics:

- Is the safeguard effective in preventing the scenario from reaching the consequence? AND
- Is the safeguard independent of the initiating event and of the other IPLs (Independent Protection Layers)?

If the safeguard meets both of these criteria, it is an Independent Protection Layer (IPL) and will be used in the LOPA calculation.

The LOPA calculation is based on the calculation described for the Reliability Block Diagram, see Chapter 3.1.8. The IPLs, as reliability blocks, are connected in series, and all of them have to fail to result in the unwanted event of the hazard scenario. Put another way: if any IPL works well, it saves the process from the unwanted consequences of the given hazard scenario.

LOPA estimates the likelihood of the undesired consequence by multiplying the frequency of the initiating event (unmitigated frequency) by the product of the probabilities of failure on demand (PFD) of the applicable IPLs:

$F_{mit} = F_{initiating} \cdot \prod_{j} PFD_j$   (Equation 9)

The PFD gives the probability that the given IPL cannot, on demand, prevent the scenario from reaching the unwanted consequence.

Hence the result of LOPA is a risk measure for the hazard scenario: an estimate of the likelihood AND consequence. This estimate can be considered a “mitigated consequence frequency”. The frequency is “mitigated” by the independent protection layers to reduce the risk to the tolerable level (measured as a tolerable frequency) matching the QTRM value for the given cause frequency and consequence pair. The risk estimate can therefore be compared to the company criteria for tolerable risk for that particular consequence severity (QTRM). If additional risk reduction is needed, more IPLs must be added to the design.

Figure 27 shows a simple diagram illustrating how the probability of occurrence of the unwanted consequence decreases by using IPLs, i.e. the frequency decreases from the unmitigated frequency level to the tolerable frequency level.

4.1.6 LOPA method in the practice

LOPA (Layer of Protection Analysis) is a risk assessment method that is uniquely useful for determining how “strong” a SIF (Safety Instrumented Function, “interlock”) has to be designed (SIL calculation). LOPA is a semi-quantitative tool which is readily applied after the Process Hazard Analysis (PHA), for example HAZOP, and before Fault Tree Analysis/Quantitative Risk Assessment, if needed. In most cases the SIF’s Safety Integrity Level requirement can be determined by LOPA without using the more time-consuming tools of Fault Tree Analysis/Quantitative Risk Assessment.

LOPA starts from a cause with one consequence, the unwanted event. At the HAZOP study the HAZOP team shall decide how often this cause may happen without any protection layer (only the BPCS is involved in the system). This

consequences, one can compare this result to the QTRM table of the given Company, which gives the tolerable risk for the given cause-consequence pair, called a Hazard Scenario. Please refer to Figure 1, where I analysed how the risk would be reduced. Since the consequence of the given Hazard Scenario is fixed by the HAZOP team, the only possibility of reducing the risk is to reduce the frequency of the unwanted event. Reducing the frequency of the given outcome reduces the risk. That is why one can say: reducing the frequency of the unwanted event also reduces the risk.

The starting frequency is the unmitigated frequency. The only possibility of reducing the frequency is using Independent Protection Layers, which protect the process, regarding the given hazard scenarios, against the negative events that may happen.

The strength of an Independent Protection Layer is measured by its probability of failure on demand (PFD), i.e. the likelihood of not protecting the process and not responding on demand. Multiplying the PFD values of all IPLs taken into consideration for the given Hazard Scenario with the unmitigated frequency gives the mitigated frequency. This frequency will differ from the tolerable frequency in the QTRM table for the given Hazard Scenario, and this difference shows whether a SIF is needed (see Chapter 3.1.8).

This method seems to be simple, but the problem of the classical LOPA approach is that it takes into consideration only one hazard scenario at a time (the per scenario method). However, one SIF may belong to several hazard scenarios that are protected by the given SIF, which increases the demand on that SIF. That is why in practice there is a need for a solution which takes this practical aspect of the LOPA calculation into consideration, making it more precise and giving a more correct result.

One method is using the highest SIL value of the given SIF from the different Hazard Scenarios. That means, if we have five Hazard Scenarios involving the same SIF, one shall make five SIL calculations, and the highest SIL value will be the SIL value of the given SIF. This method needs a lot of manual work and it is not correct. In Chapter 4.2.1 I demonstrate the problem of this method by an example.

I developed the cumulative LOPA method, in which I can take into account all hazard scenarios in the LOPA calculation which have an identical SIF as a Safety Instrumented Independent Protection Layer. I laid down the mathematics of cumulative LOPA and implemented this method in the Tool4S software. I show some examples of the software application and the description of the Tool4S software (downloadable from www.sil4s.com/Tool4S/help).

4.2 Critical evaluation of the simple LOPA method

The foundation of the LOPA calculation is the tolerable risk criteria. The typical risk criteria give tolerable risk figures (typically a tolerable frequency) for a person, for the environment and for the business. The risk measure is the frequency in our case, and there is a frequency gap between the unmitigated frequency and the tolerable frequency, i.e. the mitigated frequency after LOPA. This mitigation is reached by the Independent Protection Layers. During the LOPA, one always compares the mitigated risk to the tolerable risk. If the mitigated risk is lower than the tolerable risk, or at least it is “as low as is reasonably practicable”, there is no need for other protection layers. If not, there is a need for new protection layers and/or other risk reduction measures (see the “Main steps of LOPA” in Chapter 4.1.5). The key point of LOPA is that it starts with the application of less expensive independent protection layers like alarm systems, relief valves etc. If, with these types of protection layers, one does not reach the tolerable frequency, i.e. the risk is not reduced enough with non-instrumented protection layers, then the “frequency gap” is filled up with the SIS. This frequency difference is the basis for the calculation of the SIL and Risk Reduction Factor of the given SIF protecting the given hazard scenario.

The tolerable risk categories (frequencies) are always set up by the given Company, and the QTRM must be included in the Company Safety Policy. As the corporate criteria determine the tolerable risk values for people, environment and business, in practice LOPA focuses on calculating the mitigated risk with the goal of determining the necessary risk reduction factor for this targeted group. However, because the tolerable risk is based on a unit such as a person, it is not enough to calculate the mitigated risk for every scenario and compare them against the tolerable risk value(s). This so-called “per scenario” method has the disadvantage that it cannot take into consideration that a hazard may contain several scenarios with one or more causes and consequences, using the same or different protection layers. From the SIL and RRF calculation point of view the SIF, as a common protection layer, is the most important. In this case there is more than one demand on the given SIF, and instead of the “per scenario” method one should use the “cumulative” risk calculation method, taking into account all hazard scenarios protected by the same SIF.

The first problem with the “simple per scenario” method of LOPA is the lack of completeness.

Exida [EXI_1] tried to overcome this problem by giving the possibility of taking into account more consequences, but only manually, which is a time-consuming process involving the possibility of human error, for example missing some hazard scenario with the same SIF.

4.2.1 Critical evaluation and comparison of LOPA methods

Nowadays a simplified method, called the per scenario method, is used.

Let us first see an example of the difference between the “per scenario” LOPA and the “cumulative” LOPA method. Let us assume that the hazard scenario is high pressure in a vessel and the two possible initiating events are:

- The pressure control fails; the frequency of this event is F1
- The downstream line is blocked; the frequency of this event is F2

Let us assume that in both cases the consequence is vessel rupture. Also let us assume that there is an independent high pressure trip, i.e. a SIF which can protect against the high pressure in both cases, and that there is no other IPL, to simplify our example. This simplification will not affect the result.

When the “per scenario” LOPA method is used, one calculates in the following way. The necessary risk reduction factor (target risk reduction factor) for the first scenario is RRF1 = F1 / Ftol, where Ftol is the tolerable frequency for the given consequence based on the QTRM. The target risk reduction factor for the second scenario is RRF2 = F2 / Ftol. The final target RRF for the SIF in everyday practice is the higher RRF value. E.g. if RRF2 > RRF1, the final RRF will be:

$RRF_{per\ scenario} = RRF_2$   (Equation 10)

In contrast, the “cumulative” LOPA method adds up all the RRF values, so the target RRF for the SIF will be:

$RRF_{cumulative} = RRF_1 + RRF_2$   (Equation 11)

This is a higher value than the result of “per scenario” LOPA method.

The above mentioned difference is important because IEC 61511-3 suggests calculating the total risk:

“The last step is to add up all the mitigated event likelihood for serious and extensive impact events that present the same hazard”.

It means that the standard suggests using “cumulative” LOPA instead of “per-scenario” LOPA, because in our case the hazard is the rupture of the vessel, and the two causes result in the same consequence of the same hazard, protected by the same SIF. The two different scenarios protected by the same SIF are independent of each other.

The result of the example shown above is independent of the number of IPLs. In our example I do not take into account that other IPLs always also exist in the protection system, and it is possible that in our case the two scenarios have different IPLs involved. One concludes from this example that the “per scenario method” is a very simple approach which does not take into consideration the co-existing hazard scenarios applying to the same SIF as IPL, even when different non-SIS IPLs are involved in mitigating the consequence of the hazard.

The difference between the results of the two LOPA techniques may be very high when the given SIF can be found in several scenarios as instrumented IPL (SIS).

This difference is usually much larger than the uncertainty of the LOPA method, so neglecting cumulative LOPA may lead to a totally wrong SIL calculation and overrides, as a false simplified interpretation, the description in the IEC 61511 standard.
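A worked calculation of the comparison above, added here as an example and not part of the thesis or of the Tool4S software: it applies Equation 9 to each scenario of a group sharing one SIF, derives the per-scenario (Equation 10) and cumulative (Equation 11) target RRF, maps each to an IEC 61508 low-demand SIL band, and checks which of the two actually brings the summed group frequency down to the tolerable value. The scenario names, frequencies, PFDs and QTRM figures are constructed, and the governing tolerable frequency is taken as the minimum of the three QTRM targets.

```python
import math
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Scenario:
    name: str
    f_initiating: float      # unmitigated frequency of the initiating event, per year
    ipl_pfds: List[float]    # PFDs of the non-SIS IPLs credited for this scenario
    f_tol: Dict[str, float]  # tolerable frequency per target group from the QTRM

    def target_frequency(self) -> float:
        # The smallest of the human/environment/business targets governs (as in 4.3.1).
        return min(self.f_tol.values())

    def mitigated_frequency(self) -> float:
        # Equation 9 without the SIF: F_mit = F_initiating * prod_j PFD_j
        return self.f_initiating * math.prod(self.ipl_pfds)

    def required_rrf(self) -> float:
        # Frequency gap the SIF must close for this scenario alone: F_mit / F_tol
        return self.mitigated_frequency() / self.target_frequency()

def per_scenario_rrf(group: List[Scenario]) -> float:
    # Equation 10: everyday practice keeps only the highest single-scenario RRF
    return max(s.required_rrf() for s in group)

def cumulative_rrf(group: List[Scenario]) -> float:
    # Equation 11: the demands on the common SIF add up, so the RRFs are summed
    return sum(s.required_rrf() for s in group)

def group_frequency_with_sif(group: List[Scenario], rrf_sif: float) -> float:
    # Equation 9 with the SIF (PFD = 1/RRF) on every scenario, then the mitigated
    # likelihoods of all scenarios of the same hazard added up (IEC 61511-3)
    return sum(s.mitigated_frequency() / rrf_sif for s in group)

def sil_from_rrf(rrf: float) -> int:
    # IEC 61508 low-demand bands: SIL n needs 10**n <= RRF < 10**(n+1); 0 = below SIL 1
    for sil in (4, 3, 2, 1):
        if rrf >= 10 ** sil:
            return sil
    return 0

def compare(group: List[Scenario]) -> dict:
    # Target RRF by both methods, the SIL band each implies, and whether the group
    # frequency reached with that SIF really meets the governing tolerable frequency
    f_tol = min(s.target_frequency() for s in group)
    result = {}
    for method, rrf in (("per_scenario", per_scenario_rrf(group)),
                        ("cumulative", cumulative_rrf(group))):
        result[method] = rrf
        result[method + "_sil"] = sil_from_rrf(rrf)
        achieved = group_frequency_with_sif(group, rrf)
        result[method + "_meets_target"] = achieved <= f_tol * (1 + 1e-9)  # rounding slack
    return result

# Constructed figures in the spirit of 4.2.1 (one vessel, two initiating events, one
# common high-pressure trip); the frequencies and PFDs are illustrative, not from the page.
QTRM = {"human": 1e-4, "environment": 1e-3, "business": 1e-2}   # tolerable, per year
VESSEL_RUPTURE = [
    Scenario("pressure control fails", 0.06, [0.1], QTRM),   # high-pressure alarm credited
    Scenario("downstream line blocked", 0.08, [0.1], QTRM),  # the same alarm credited again
]
```

With these figures the per-scenario RRF of 80 lands in SIL 1 while the cumulative RRF of 140 lands in SIL 2, and only the cumulative value brings the summed frequency of the two scenarios down to the 1e-4 per year target.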

4.3 Development of a new method of LOPA calculation: cumulative LOPA

In this chapter I describe the Cumulative LOPA method, developed to replace the old (per scenario) methods, and the fully automatic calculation technique implemented in the Tool4S software.

Because of the problems of the “per scenario” LOPA method, we suggest here the “cumulative” LOPA method, which can take into consideration all hazard scenarios protected by the same SIF. The cumulative LOPA method makes the “per scenario” LOPA method less semi-quantitative, more correct and fully automatic.

4.3.1 Cumulative LOPA calculation process

I developed the “cumulative” LOPA method with the following features and methods:

- The basis is the common SIF
- One SIF may belong to several scenarios, comprising a “scenarios group”
- A “scenarios group” has a common feature: it applies the same SIF as instrumented IPL
- Developing the mathematics of how to cumulate the SIL and RRF values for a “scenarios group”
- How to make the calculation automatic, in a programmable way
- Developing the program, called Tool4S (downloadable from www.sil4s.com/tool4s/help).

First let’s see the method and the mathematic behind it. Figure 29 shows the flow diagram of the process.

The hazard scenario is the output of the HAZOP study. At the HAZOP study meeting the HAZOP team decides how often the hazard scenario may happen, called the unmitigated frequency (Fnon-mit), and about the possible consequences for humans, environment and business if it were to happen.

Based on Fnon-mit, the possible consequences and the QTRM, the HAZOP team decides the tolerable frequency for the given hazard scenario, called the tolerable frequency for human, business and environment (Ftolhuman, Ftolbusiness, Ftolenvironment).

The developed Tool4S program calculates these frequencies automatically and takes into consideration the smallest (minimum) of these three frequencies.

The HAZOP team also looks for non-SIS independent protection layers (alarm system included) for the given hazard scenarios. The measure of an IPL is its PFD value. Calculating with this PFD value one can get the mitigated frequency, of course without the SIF. The mitigated frequency will depend heavily on
