- By Narasimha Himakuntala
- Automation Basics
LOPA is a valuable tool to analyze the risk associated with an event scenario and document the expected effectiveness of protective layers.
LOPA reviews are intended to determine if there are adequate protective devices or features in the process to provide tolerable risk
Layer of protection analysis (LOPA) is a method of analyzing the likelihood (frequency) of an event with a harmful outcome based on the initiating event frequency and the probability of failure of a series of independent protection layers, which could prevent the harmful outcome.
LOPA is one of the most used risk assessment techniques, and, in its simplified form, is only a semiquantitative technique. As with most risk assessment techniques, the primary focus of a LOPA review is to determine if there are adequate protective devices or features in the process to provide tolerable risk.
Protection layers are the most critical and fundamental aspect in any LOPA review. Most of the analysis is spent determining if the safeguards proposed by a hazard identification team can be independent protective layers (IPLs). In the hazard identification review, all safeguards are listed, and no estimations are made regarding their effectiveness in preventing the hazard or their dependence on one another. In the field, some teams assume certain safeguards can provide significantly more risk reduction than their true capability. LOPA resolves this problem by requiring the safeguards to meet predefined criteria before they are assumed to provide risk reduction.
There are qualitative and quantitative LOPA methodologies. The qualitative LOPA methodology is performed one scenario at a time. The benefit of qualitative LOPA is it consumes less time and fewer resources than more quantitative risk analysis techniques. It also provides a consistent and defensible methodology for a company’s risk and safety integrity level (SIL) target selection decisions. The steps are:
- Identify all scenarios to be analyzed.
- Select a scenario to analyze.
- Estimate initiating event frequency.
- Estimate consequence severity.
- Determine the fully unmitigated risks.
- Determine if the fully unmitigated risk is tolerable.
- Identify the IPLs.
- Identify the enabling conditions and conditional modifiers.
- Determine the intermediate event frequency.
- Determine if the risk is tolerable.
- Determine how to provide the additional risk reduction, if needed.
- Assign the SILs to safety instrumented functions (SIFs), if
- Repeat steps 2 through 12.
- Increase the SIL of the SIFs used more than once, if appropriate.
- Ensure the risk reduction provided by the IPLs will be maintained and validated.
- Complete and approve the LOPA documentation.
A quantitative LOPA methodology is performed based on the multiple initiating event scenarios. The benefit of quantitative LOPA is it determines a more precise numerical estimate of a SIF’s required performance and a required risk reduction factor (RRF) and SIL for SIFs protecting against multiple events. The steps are:
- Verify the effectiveness of each IPL for each initiating event.
- Estimate initiating event frequencies and IPL failure probabilities.
- Determine the SIL target for high-demand safety instrumented functions.
- Determine the SIL target for continuous demand SIFs.
Consider an example from some LOPA 2012 problem studies. A hazard and operability study (HAZOP) reviewed an amine stripping column. An excerpt of the documentation is shown in figure 1. Quantification of risk categories and frequency is shown in figure 2.
Consider the resulting developed worksheet shown in figure 3 and note this additional information about the completed LOPA worksheet:
- The column is out of service three months of every year. Because this tower is in service more than 10 percent of the time, this means no use factor may be used. If a quantitative LOPA was performed, a use factor of 25 percent could be used.
- Operation and maintenance personnel are in the vicinity of the amine stripping column approximately 15 percent of each day. Because personnel are present more than 10 percent of the time, this means no occupational factor may be used. If a quantitative LOPA was performed, an occupational factor of 15 percent could be used.
- The pressure safety valve (PSV) setting is 220 psig, and it releases to atmosphere. This means there should be another reviewed LOPA scenario with the initiating event of the PSV lifting and the consequence of potential personnel exposure to H2S.
- The column maximum allowable working pressure is 300 psig. This means the PSV lift setting is adequate to protect the column from overpressure.
- The PSV is bench tested yearly, and this testing is documented. This means the PSV meets the auditability requirement for an IPL.
- The column pressure will increase from its normal operating pressure of 30 psig to 220 psig in approximately 15 minutes. This means no safeguards involving operator field actions can be IPLs.
- The column design feed rate is approximately 1,450 liters per minute (LPM), but recent debottlenecking has increased the feed rate to approximately 2,175 LPM. The review team is not aware of the PSV being resized for this increased feed rate. This means the PSV cannot be an IPL, because the review team does not know if the PSV is adequate for the increased feed rate. This should be noted as an action to confirm whether or not the sizing is correct for the new case.
- The spare reflux pump and low-pressure autostart are not periodically tested. Because the spare pump and autostart are not periodically tested, this safeguard fails the auditability requirement for IPLs and cannot be considered an IPL.
- The low-pressure autostart is performed in a local controller in the field that is separate from the basic process control system (BPCS). This means the spare pump and autostart could meet the independent IPL requirement based on periodical testing, even if the pressure or temperature controller was used as an IPL, since its logic is not performed in the BPCS.
- The main reflux pump is turbine driven, and the spare reflux pump is electrically driven. This means the pump power supply is independent. If the spare pump and autostart safeguard met all the other IPL criteria, it would be an IPL.
- The operators keep the column temperature control in manual approximately 25 percent of the time due to “controllability issues.” This means the temperature controller cannot be used as an IPL, because it is not at least 90 percent dependable. If a quantitative LOPA was performed, a probability of failure on demand of 0.33 = (1 – 0.9 × 0.75) may be used if the temperature controller met the remaining IPL criteria.
- The column high-pressure alarm, high-temperature alarm, temperature control, and pressure control are performed in the unit’s BPCS. The BPCS contains redundant control processors and is powered using a redundant power supply. Because all these functions reside in the same BPCS and the BPCS has not been designed to meet IEC 61508 or documented to meet the “proven in use” criteria of IEC 61511, only one IPL involving the BPCS may be allowed.
- The operators have a detailed procedure to respond to the reflux pump tripping, which requires the field operator to restart the pump. If the pump cannot be restarted, the control room operator must trip the steam to the reboiler. If the operating procedure was rewritten to have the control room operator immediately trip the reboiler steam after the reflux pump trips, and the review team believes each control operator would perform this action without hesitation, this could qualify as an IPL.
- The company LOPA procedure requires the operator be given at least 30 minutes to respond to an alarm for the alarm and operator intervention to be considered a safeguard. Assuming the company requires the field operator to have at least 30 minutes to intervene for an operator intervention safeguard to qualify as an IPL, this safeguard is not an IPL.
LOPA is a valuable tool to analyze the risk associated with an event scenario and document the expected effectiveness of protective layers. When using a tool that performs analysis on single cause/consequence pairs, it is necessary to perform an additional step to determine the combined demand frequency and RRF requirement for the SIF. Failure to do so will result in an underestimation of both the initiating event frequency and the RRF target.
When a LOPA is used to determine the design basis for a SIF, it is critical that the cumulative effects of multiple initiating events be considered together when assessing IPL effectiveness and determining the SIF demand frequency and the SIL target. IPLs should be applied only against the initiating events where they are effective, thus reducing the residual risk for that scenario. Some IPLs, such as operator response to an alarm, may be considered to reduce the demand rate on a SIF when well managed and monitored by a process such as the ISA-18.2 lifecycle. IPLs should only be considered to reduce SIF demand frequency when they are well managed and monitored to ensure effectiveness.
We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.