Level Of Protection Layers LOPA

Layer Of Protection Analysis (LOPA) Building blocks

The aim of every hazard analysis is to assess risks and determine whether enough safeguards are in place against a specific risk. HAZOP is a common hazard analysis study; however, it is a qualitative study. This means the risk is not calculated but estimated, and, depending on the client, a risk matrix is used to rank the severity of the consequences of a particular scenario.

Layer Of Protection Analysis (LOPA)

Layer Of Protection Analysis (LOPA) is one of the methods used to determine the risk of severe consequences resulting from a particular scenario/deviation identified by the HAZOP team. The main objective is to quantify rather than qualify the risk and in this way gain a better understanding of the risk's magnitude.

LOPA is considered a semi-quantitative approach to risk assessment.

LOPA provides specific criteria and restrictions for the evaluation of protection layers, eliminating the subjectivity of qualitative methods at substantially less cost than fully quantitative techniques.

LOPA is used when the consequence identified for a scenario is so severe that the HAZOP team can't make a sound judgment based solely on qualitative information.

LOPA provides a consistent basis for judging whether there are sufficient protection layers against hazardous events to achieve the required risk reduction target.

LOPA can be used to determine the target Safety Integrity Level (SIL) of a Safety Instrumented Function (SIF), but that is just one outcome/usage of LOPA. LOPA also evaluates the adequacy of a protection layer for a hazard and can determine the performance required/expected of risk reduction measures that are alternatives to Safety Instrumented Systems (SIS).

At the moment LOPA is generally used to determine the SIL of Safety Instrumented Functions (SIF).

Advantages, limitations, and suitability of LOPA

LOPA advantages
a. LOPA is effective in resolving disagreements related to risk.
b. LOPA determines whether a Safety Instrumented System (SIS) or an alternative means of protection is required, and the associated SIL if an SIS is chosen.
c. LOPA complies with IEC 61511, clauses 8 and 9.
d. LOPA eliminates the generation of excess recommendations.
LOPA limitations
a. LOPA may be excessive for simple or low-risk decision making.
b. LOPA is not a tool for identifying hazards.
c. LOPA may be overly simplistic for very complex systems.
d. Risk comparison between scenarios is only valid if the same LOPA method is used throughout the study.
LOPA is usually not sufficient if:
a. Consequences are of high severity (more than 3 fatalities). In this case a quantitative method is recommended for the estimation of event frequency and consequence.
b. It results in the need for a SIF with a SIL of 3 or greater.

(Independent) Protection Layers

When designing a process unit (e.g. a gas processing plant or even a cookie baking production line), there are layers in our design. Each layer has a specific role and shall act as an independent layer to bring the process unit back to a safe state.

As shown in the figure below, a process unit (or a scenario identified in HAZOP) may require one or many types of protection layers, depending on the complexity of the process and the potential severity of the consequence.

Figure: Level Of Protection Layers (LOPA)

Independent Protection Layers (IPL)

LOPA uses safeguards (protection layers) that meet the independent protection layer (IPL) criteria.

Below are some criteria for identifying whether a protection layer is an IPL or not:

IPLs are extrinsic safety systems and can be active or passive systems, as long as they meet the following criteria:

a. Specificity: An IPL shall be designed solely to prevent or mitigate the consequences of one potentially hazardous event (e.g., runaway reaction, toxic material release, loss of containment, or fire). Multiple initiating causes may lead to the same hazardous event, and therefore multiple event scenarios may activate the action of one IPL.
b. Independence: An IPL shall be independent of all other protection layers associated with the identified potentially hazardous event. Independence requires that the IPL's performance shall not be affected by the failure of another protection layer or by the conditions that caused another protection layer to fail. The protection layer shall also be independent of the initiating cause.
c. Dependability: The protection provided by an IPL shall reduce the identified risk by a known and specified amount.
d. Auditability: An IPL shall be designed to enable periodic validation of its protective function. Proof testing and maintenance of the IPL are required to make sure it performs when needed.

LOPA Risk-Based Decision Criteria

In HAZOP, a range is used to rank a risk, e.g. damage between 100,000 and 500,000 US$. In LOPA, an explicit probability value is used: the Tolerable Event Frequency Decision Value, commonly known as the Tolerable Event Frequency (TEF).

The TEF is then compared with the likelihood of a scenario after suitable protection layers, conditional modifiers and enabling events have been applied, the Mitigated Event Frequency (MEF). This comparison shows the adequacy of the protection layers. If the measured/calculated likelihood is lower than the TEF, then we have adequate protection layers.

Prior to every HAZOP, the risk matrix has to be calibrated and agreed with the asset owner/operator. Similarly, before starting any LOPA study/review, the tolerable event frequencies for specific consequences need to be developed and agreed upon based on the client/operator standards.

LOPA Building Blocks

Explanation of the table columns, as indicated by the numbers in the green hexagons of the LOPA table figure:

1- Initiating Event: The initial event or cause that can lead to the consequences. This is identical to the initiating event identified in HAZOP. An initiating event has a frequency per year. This number is taken from the tables accepted by all parties before the LOPA meeting.
2- Frequency (#/Yr): The frequency of the initiating event happening per year. This also needs to be agreed before the LOPA meeting is started.
3- Consequences: The worst credible scenario/consequence that could result from the initiating event. This is normally the same as identified by the HAZOP team; however, the LOPA team might find extra consequences. It has a category ranking and a severity. These are the same as identified in the HAZOP meeting.
4- Tolerable Event Frequency (TEF): The maximum allowed frequency of the consequences identified. The TEF is determined based on the severity level identified in the HAZOP meeting for the consequences.
5- Enabling Event Conditions: The events or conditions that also need to happen in order for the consequences to occur.
6- Unmitigated Event Frequency (UEF): The frequency of the consequences without any Independent Protection Layer (IPL). This is the product of columns 2 and 5.
7- Independent Protection Layer (IPL): As identified by the LOPA team, a protection layer that is independent of the other protection layers and is effective in mitigating the consequences identified.
8- Probability of Failure on Demand of the Independent Protection Layer (IPL PFD): This is the probability that the independent barrier fails at the time it needs to act. For example, a PSV needs to open when the pressure reaches its set pressure; however, it can fail 1 out of 100 times.
9- Mitigated Event Frequency (MEF): This is the frequency of the consequences occurring after considering/implementing the IPL. This is the product of columns 8 and 6.
10- Risk Reduction Factor (RRF) needed or remaining risk: This is the ratio of the Mitigated Event Frequency (MEF) to the Tolerable Event Frequency (TEF), i.e. column 9 divided by column 4.
This ratio shows whether the risk is acceptable or an extra layer of protection is needed to bring the risk/consequences into the acceptable region.

Normally, before any LOPA meeting, an agreement shall be made on what RRF is acceptable and what needs to be done otherwise.

• Generally an RRF less than or equal to 1.0 (one) is acceptable, meaning that the IPLs considered for the scenario under investigation are effective and able to reduce the risk to an acceptable level.
• An RRF larger than 1 is not acceptable and shows that an improvement of the existing IPL reliability, a reduction of the initiating event frequency, or an extra IPL is needed.
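The column arithmetic above (UEF = column 2 x column 5, MEF = UEF x IPL PFD, RRF = MEF / TEF, acceptable when RRF is at most 1.0) worked through in Python, as an added example that is not part of the original page. The scenario values are constructed, and the mapping of a remaining RRF to a SIL band follows the IEC 61511 low-demand bands, which the text mentions but does not tabulate (assumed here).

```python
from dataclasses import dataclass, field

@dataclass
class LopaScenario:
    """One row of the LOPA worksheet, columns numbered as in the text above."""
    initiating_event: str           # column 1
    ief: float                      # column 2: initiating event frequency (#/yr)
    consequence: str                # column 3
    tef: float                      # column 4: tolerable event frequency (#/yr)
    enabling_probability: float = 1.0                 # column 5 (1.0 = no enabling condition)
    ipls: dict = field(default_factory=dict)          # columns 7/8: IPL name -> PFD

    def uef(self) -> float:
        # column 6: unmitigated event frequency = column 2 x column 5
        return self.ief * self.enabling_probability

    def total_pfd(self) -> float:
        # column 8 with several IPLs: the PFDs multiply because each IPL is independent
        pfd = 1.0
        for value in self.ipls.values():
            pfd *= value
        return pfd

    def mef(self) -> float:
        # column 9: mitigated event frequency = column 6 x column 8
        return self.uef() * self.total_pfd()

    def rrf(self) -> float:
        # column 10: MEF / TEF; <= 1.0 means the existing IPLs are adequate
        return self.mef() / self.tef

    def is_acceptable(self) -> bool:
        return self.rrf() <= 1.0

def required_sil(rrf: float) -> int:
    """Map the remaining risk reduction (RRF > 1) to a SIL band. Assumed IEC 61511
    low-demand bands: SIL 1 = 10..100, SIL 2 = 100..1000, SIL 3 = 1000..10000. 0 = no SIL claim."""
    if rrf < 10:
        return 0    # acceptable already, or a non-SIS measure with RRF < 10 may suffice
    if rrf < 100:
        return 1
    if rrf < 1000:
        return 2
    if rrf < 10000:
        return 3
    return 4        # note: the text says LOPA is usually not sufficient for SIL 3 or higher

# Constructed scenario (not from the page): overpressure protected by a PSV and an alarm.
SCENARIO = LopaScenario(
    initiating_event="BPCS level control loop fails high", ief=0.1,
    consequence="Vessel overpressure, loss of containment", tef=1e-5,
    enabling_probability=0.5, ipls={"PSV": 0.01, "Operator response to alarm": 0.1},
)
print(f"UEF={SCENARIO.uef():.2e}/yr MEF={SCENARIO.mef():.2e}/yr RRF={SCENARIO.rrf():.1f} "
      f"acceptable={SCENARIO.is_acceptable()} SIL needed={required_sil(SCENARIO.rrf())}")
```

For the constructed scenario the RRF comes out at 5, so the existing IPLs are not adequate and one more layer with a PFD of at most 0.2 (or a lower initiating event frequency) is needed.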


Process Safety Time (PST)

Industry safety standards

Important and influential institutes within each industry create standards to improve safety across the industry they operate in. The International Electrotechnical Commission (IEC) is the primary institute that does this for all electrical, electronic and related technologies, also known as "electrotechnology". The American Petroleum Institute (API) is the institute that does this for the oil and natural gas industry. An important term is Process Safety Time (PST), which in short means the time available between the moment a failure occurs and the actual hazardous event caused by that failure. Both of these institutes have issued standards regarding Safety Instrumented Systems (SIS) and the determination of PST, which we explain in this article and which are important to anyone involved.

IEC 61508; PST: Time between a failure that has the potential to give rise to a hazardous event and the time by which action has to be completed

IEC 61508:2010 defines Process Safety Time (PST) as "Period of time between a failure, that has the potential to give rise to a hazardous event, occurring in the EUC [equipment under control] or EUC control system and the time by which action has to be completed in the EUC to prevent the hazardous event occurring".

IEC 61511; PST: Time between the failure and the occurrence of the hazardous event

IEC 61511:2003 Part 2 defines PST as "the time period between a failure occurring in the process or the basic process control system (with the potential to give rise to a hazardous event) and the occurrence of the hazardous event if the safety instrumented function is not performed".

API 556; PST: The interval between the initiating event leading to an unacceptable process deviation and the hazardous event

API 556 second edition, 2011: "the interval between the initiating event leading to an unacceptable process deviation and the hazardous event"

CCPS; PST: The time period between a failure occurring in the process or its control system and the occurrence of the hazardous event

According to the CCPS Guidelines for Safe and Reliable Instrumented Protective Systems, Process Safety Time (PST) is: "the time period between a failure occurring in the process or its control system and the occurrence of the hazardous event."

Graphical interpretation

Refer to the figure below for a graphical illustration of the Process Safety Time definition:

PST is an estimation

PST is not specified but rather estimated, calculated or (potentially) measured. PST is system dependent and hence relates to the behavior of the process and the process equipment or process control system within the context of a specific unmitigated hazard scenario.

PST is unique

PST is necessarily unique to each system under study and to each cause-consequence pair, even when multiple initiating events may eventually lead to the same consequence. This is because each initiating event has the potential to impact the process dynamics in different ways. In other words, the PSTs of related but separate scenarios will not necessarily be equivalent.

PST as the first step

Determination of the PST is the first step in identifying the time potentially available for all protection layers to respond, and it is useful in specifying the required response time of each. The calculation/determination of the PST can be carried out during the Safety Integrity Level (SIL) review meeting or afterwards by an experienced process or process safety engineer. For some systems an experienced operator or vendor can help a lot.

SIF response time: Time required to bring the process to a safe state

The SIF response time is the time required by a SIF to bring the process to a safe state. This time is the sum of the time for the sensor(s) to sense a parameter, the time for the logic solver to process the change in parameter value and send a signal to the SIF final element, and the time required by the final element to act. This time can be calculated when vendor data is available. Normally the SIF response time is calculated by the instrumentation department, after the vendor has been chosen and their documents and data have been received.

Calculating PST & SIF response

Calculating the PST and the SIF response time can sometimes be a tricky and time consuming task that might even need dynamic simulation using HYSYS. Of course it can be done qualitatively or quantitatively.

Typically, a Safety Instrumented Function (SIF) is designed not to allow the process to go on excursions beyond the equipment or process safe design limits. This means that the PST also cannot extend beyond the safe design envelope, and the SIF will not have a set point outside the safe design envelope.

Explanation of the graph, and of why the process safety time does not start at t₀:

The graph shows the deviation of the process parameter starting at t₀; however, the Process Safety Time (PST) is counted from a later point in time, when we pass the point that could potentially lead to a hazardous event. In the standard's words: "give rise to a hazardous event".

Consider the case where we are protecting a downstream piping system against high temperature. The design temperature of the downstream piping is 100°C. The setting of the high temperature switch/trip is 90°C. The Process Safety Time (PST) is the time it takes after the high temperature switch activates (at 90°C) until the temperature reaches the 100°C design temperature (the potentially dangerous situation).

Of course the intention of the high temperature trip is to prevent reaching 100°C, but we need to assume that this switch does not work (failure on demand) and ask how much time is available before the hazardous event (e.g. failure of the piping system because of the combination of high temperature and pressure).
