
Layer of protection analysis (LOPA) for determination of safety integrity level (SIL)

stud. techn. Christopher A. Lassen

The Norwegian University of Science and Technology
Department of Production and Quality Engineering

June 2008


Preface

This report is the result of the master project executed Spring 2008, and is the final step in graduating as an Engineer with an MSc degree from The Norwegian University of Science and Technology (NTNU). The master project is in collaboration with Aker Subsea AS, which is part of the Subsea Business Area within Aker Solutions. Aker Subsea provides leading oil production systems and equipment located sub-surface, and recent projects are Morvin (North Sea), Kristin (North Sea), Reliance KG-D6 (India) and Dalia (Angola). The work has been performed partly in Trondheim at the facilities of the Department of Production and Quality Engineering (IPK), and at Aker Solutions headquarters outside of Oslo. A very special thanks to my supervisor and professor Marvin Rausand (NTNU) who has been helpful with thorough guidance throughout the master project. Another person that deserves attention is Linn Nordhagen (Aker Engineering and Technology) who has provided helpful information on LOPA from a practical perspective, and given comments to the final product. Gratitude must be expressed toward Aker Subsea and Thor Kjetil Hallan for offering office space, and providing information. Others that should be mentioned are: Katrine Harsem Lund (Scandpower Risk Management AS), Bjørn Solheim (BP) and Hanne Rolén (Aker Subsea).

Particular gratitude must be expressed to my father, Petter O. Lassen, for adviceand support throughout my entire education.

Christopher A. Lassen

Snarøya, 19.06.2008


Contents

List of Tables
List of Figures

1 Introduction
1.1 Introduction to LOPA
1.2 Objectives
1.3 Limitations and structure
1.4 Relation to IEC 61508 and 61511

2 Methods in determining SIL
2.1 Quantitative method as described in IEC 61508
2.2 Risk matrix
2.3 Safety layer matrix
2.4 The OLF 070 guideline
2.5 Risk graph
2.6 Calibrated risk graph

3 LOPA
3.1 What is LOPA?
3.2 Explanation of terms
3.3 The LOPA team
3.4 LOPA worksheet and the LOPA process
3.5 Different approaches in literature
3.6 Aker E&T methodology

4 Preferred approach
4.1 Flowchart
4.2 Comments to the preferred LOPA approach

5 Interface with HAZOP
5.1 Introduction to HAZOP
5.2 HAZOP integration
5.3 Adjustments and transformation of data
5.4 HAZOP / LOPA program specification
5.5 Illustration of software program

6 Case study: Applicability of LOPA
6.1 Case text
6.2 Introduction to system
6.3 LOPA applied on the case study
6.4 Comments to the result
6.5 Implications during the case

7 Conclusions and recommendations for further work

A Basic concepts
B Software schematic
C Case study: Worksheet

List of Tables

1.1 SIL for safety functions operating in low demand of operation adapted from IEC 61511 (2003)
2.1 Risk classification of accidents adapted from IEC 61508
2.2 Frequency of hazardous event likelihood adopted from IEC 61511
2.3 SIL requirement table adopted from OLF 070
2.4 Classification of risk parameters adopted from IEC 61511
2.5 Example calibration adapted from IEC 61511
3.1 Important columns in the LOPA report / worksheet adapted from IEC 61511 (2003)
4.1 Target mitigated event likelihood for safety hazards adapted from Nordhagen (2007)
4.2 Typical frequency values assigned to initiating causes adapted from CCPS (2001)
4.3 PFDs for IPLs adapted from CCPS (2001) and BP (2006)
5.1 Process HAZOP worksheet adopted from Rausand (2005)
6.1 Initiating cause frequencies
6.2 IPL PFDs

List of Figures

1.1 Safety lifecycle (IEC 61508, 2003)
2.1 Typical risk matrix modified for SIL determination adapted from Marszal and Scharpf (2002)
2.2 Safety layer matrix diagram adapted from IEC 61511 (2003)
2.3 Typical risk graph
3.1 Risk analysis procedures adopted from Rausand and Høyland (2004)
3.2 The LOPA onion
3.3 Relation between initiating causes, impact event, process deviation and IPLs
3.4 Extract of SIL determination methodology from Ellis and Wharton (2006)
3.5 Aker E&T methodology adapted from Nordhagen (2007)
4.1 Preferred approach
5.1 Relationship between HAZOP and LOPA worksheets
6.1 SPS and separator schematic
6.2 Relation between initiating causes, impact event, process deviation and PLs
B.1 Step 1
B.2 Step 2
B.3 Step 3
B.4 Step 4
B.5 Step 5
C.1 LOPA worksheet: Case study

Abbreviations

AIChE American Institute of Chemical Engineers
Aker E&T Aker Engineering & Technology
AMV annulus master valve
BP British Petroleum
BPCS basic process control system
CCF common cause failures
CV control valve
DHSV downhole safety valve
ESD emergency shutdown
EUC equipment under control
FTA fault tree analysis
FMECA failure modes, effects, and criticality analysis
FPSO floating production, storage and offloading vessel
HAZID hazard identification study
HAZOP hazard and operability study
HCM HIPPS control module
HIPPS high integrity pressure protection system
HPU hydraulic pump unit
IEL intermediate event likelihood
IPL independent protection layer
LOPA layer of protection analysis
MEL mitigated event likelihood
MV master valve (PMV)
OREDA Offshore Reliability Data
PCV production choke valve
PFD probability of failure on demand
P&ID piping and instrumentation diagram
PIG pipeline inspection gauge
PL protection layer
PSD process shutdown
PSDV process shutdown valve
PST pressure safety transmitter
PSV pressure safety valve
PT pressure transmitter
QRA quantitative risk analysis
ROV remotely operated vehicle
SCM subsea control module
SEM electronic control module
SIF safety instrumented function
SIL safety integrity level
SIS safety instrumented system
SPS subsea production system
TMEL target mitigated event likelihood
TT temperature transmitter
VB Visual Basic
WV wing valve (PWV)
XV cross-over valve (XOV)
XT X-mas tree (XMT)

Summary

Layer of protection analysis (LOPA) and other safety integrity level (SIL) determination methods have been described, and the terms used in LOPA have been thoroughly defined and clarified. Different views on LOPA found in literature have been presented, and a preferred / recommended LOPA approach has been developed and described. This preferred approach has also been applied to a case study based on systems from Aker Engineering and Technology and Aker Subsea. The interface between LOPA and hazard and operability study (HAZOP) has been discussed, and it has been shown how an integrated software tool could work.

The SIL is a measure of the availability of a protection layer or barrier. Protection layers include basic process control system (BPCS), critical alarms and human intervention, safety instrumented functions (SIF), physical protection and emergency response. All these mitigate the frequency of the occurrence of the potential unwanted end-consequence or mitigate the impact the end-consequence represents.

LOPA is a tool to determine the SIL of a SIF, and evaluates the other protection layers individually by looking at the risk mitigation they lead to. Other tools are the quantitative method described in IEC 61508, the OLF 070 guideline, risk matrix, safety layer matrix, risk graph and the calibrated risk graph. Except for the quantitative method in IEC 61508 and the OLF 070 guideline, these are graphical and qualitative methods which are simpler than LOPA. These SIL determination methods do not differentiate between the individual risk mitigation the protection layers lead to.

A clear understanding of the terms in LOPA is important, and a clear methodology is essential to ensure a strong framework. The following relationship between terms is defined: the initiating causes lead to a process deviation, which again may lead to an impact event that may result in an end-consequence. Protection layers are introduced prior and subsequent to the impact event. An example is the initiating cause slippery road, which leads to the impact event car crash. The car crash has an end-consequence of three fatalities. In order to prevent this fatal outcome, a rigid car body, air-bags and traction control may serve as protection layers.

The preferred LOPA approach developed during the master thesis is based on the one in IEC 61511, taking the views from other methodologies in literature into account. The impact event is the starting point of the analysis. The frequency of each initiating event is multiplied by the probability of failure on demand of all credited independent protection layers. In addition, occupancy and ignition probability (if applicable) are multiplied with the result. The final value is denoted the intermediate event likelihood. This is the frequency of occurrence of the end-consequence with the existing protection layers in place. By comparing this with a target frequency measure, the needed SIL is estimated.

HAZOP is a hazard identification method often applied prior or simultaneously to a LOPA. By integrating HAZOP and LOPA, a high quality analysis requiring fewer resources may be the result. HAZOP has information in common with LOPA, and some information has to be transformed. A software tool used to combine and integrate the two methods is beneficial. Such a tool is advanced, and must incorporate a complex issue like the implementation of expert judgment, which is important in LOPA.

The definition of terms and the preferred approach have proved to be beneficial when applying LOPA during the case study. An extensive issue during this process has been which protection layers are independent, and which are not. This requires understanding of basic reliability concepts, but also a great amount of process and system understanding.

The concept of independent protection layers should be evaluated further, and together with facilitating expert judgment during LOPA and in eventual software tools, these are considered the main challenges.

Chapter 1

Introduction

1.1 Introduction to LOPA

Offshore accidents may result in casualties and economic loss. Determining specific safety requirements of safety systems is an important part of ensuring that accidents are prevented. In the 1990s the standards IEC 61508 and IEC 61511 emerged, and the need for documenting compliance with these in a consistent manner led to the introduction of the layer of protection analysis (LOPA).

In chemical processes several protection layers are used, and in LOPA the number and the strength of these protection layers are analyzed. LOPA can be considered as a simplified form of a quantitative risk assessment. It can be used after a hazard and operability analysis (HAZOP), and before a quantitative risk analysis (QRA). A difference between LOPA and other tools is that LOPA analyzes the different protection layers individually, and the mitigation they lead to. LOPA is especially used to determine the safety integrity level (SIL) of safety instrumented functions in conjunction with IEC 61511, but also as a general risk assessment tool to evaluate if the protection layers in a system are satisfactory. In addition, several other applications such as capital improvement planning, incident investigation and management of change can be found. The method is not used to a large extent in Norway, but is widely implemented internationally. In the oil / gas industry LOPA is more frequently applied on topside equipment than on subsea equipment.

The concept of protection layers was first covered in the book Guidelines for Safe Automation of Chemical Processes published by the Center for Chemical Process Safety (CCPS), a section of the American Institute of Chemical Engineers (AIChE), in 1993. These thoughts were developed further by the industry, resulting in internal procedures (Dowell, 1998). In 2001 the CCPS published the book Layer of Protection Analysis, Simplified Risk Assessment describing the LOPA method (Gowland, 2006). The method is also described in Part III Annex F of IEC 61511. Extensive literature can be found on LOPA, and stepwise approaches are given both in IEC 61511 and CCPS (2001). The terms vary among different authors, and definitions and interpretations of terms like scenario and independent protection layers (IPL) may be confusing.

1.2 Objectives

The objective of the master project is to gain extensive knowledge of various methods to allocate requirements to safety instrumented systems, with focus on layer of protection analysis (LOPA). As a part of this the following aspects shall be covered:

• Carry out a literature survey and compare and discuss the different approaches to LOPA found in the literature.

• Give a thorough presentation of a recommended LOPA approach. The approach shall be stepwise with a clear description of each step.

• Define and clarify all basic concepts of the recommended LOPA approach.

• Identify and describe interfaces between LOPA and other risk analysis methods (especially HAZOP).

• Discuss pros and cons related to LOPA - and especially the limitations of LOPA.

• Define, exemplify, and discuss the independent protection layer (IPL) concept and discuss the applicability of LOPA in cases where the independence is violated.

• Compare the applicability of LOPA in determining SIL, and compare LOPA with alternative approaches (incl. risk graphs). If possible, this evaluation should be rooted in a practical case study.

1.3 Limitations and structure

A Bayesian approach is used in this thesis, which is concerned with the "degree of belief" as opposed to a classical approach. The master project is executed in a limited time frame, constraining the coverage of the topic. The reader should have basic understanding of reliability concepts. In addition, knowledge of IEC 61508 and IEC 61511 is an advantage.

An introduction to LOPA and the project is given in Chapter 1. In addition, the relation to IEC 61508 and 61511 is described to give the reader complementary background information. In Chapter 2 different methods in determining SIL are presented, including the quantitative method in IEC 61508, the risk matrix, the safety layer matrix, the OLF 070 guideline, the risk graph and the calibrated risk graph. Chapter 3 describes LOPA, where important terms are defined and clarified. Further, different approaches to LOPA are compared and discussed. A preferred approach is developed and presented in Chapter 4, including description of each step and the basic concepts that are employed. The interface between HAZOP and LOPA is covered in Chapter 5. In addition the functionality of a software tool integrating LOPA and HAZOP is described. In Chapter 6 the applicability of the preferred LOPA approach suggested in Chapter 4 is evaluated in a case study. Finally, conclusions and recommendations for further work are given in Chapter 7.

1.4 Relation to IEC 61508 and 61511

Requirements to safety instrumented systems (SIS) are given in IEC 61508 and IEC 61511. Rausand and Høyland (2004) describe a SIS as a system comprising sensors, logic solver(s), and actuating (final) items, and it can be looked upon as an independent protection shell for machinery or equipment. What the safety systems shall protect is referred to as equipment under control (EUC) and is defined as "Equipment, machinery, apparatus, or plant used for manufacturing, process, transport, medical, or other activities" (IEC 61508, 2003). A SIS implements the wanted safety function needed to maintain a safe state of the equipment and has the function of achieving the essential risk reduction given by the requirements (IEC 61508, 2003). Following the SIS definition, a safety instrumented function (SIF) can then be defined as a function implemented by one or more SIS. However, usually a SIS realizes a number of SIFs (IEC 61508, 2003; Schönbeck, 2007).

Safety integrity is the probability of the safety related system performing the required safety functions under all conditions, within a period of time. Safety integrity level (SIL) is classified into four levels, and is defined by the probability of failure on demand (PFD). The PFD is the average safety unavailability of an item, thus the mean proportion of time the item does not function as a safety barrier. A protection layer is considered a safety barrier. When evaluating the SIL-requirements the system has to be classified either as high demand of operation or low demand of operation. For subsea production equipment low demand would be the most applicable because the systems are not used frequently. The SIL-requirement is then verified by calculating the PFD (Rausand and Høyland, 2004; Schönbeck, 2007). In Table 1.1 the PFD related to the four SILs for low demand of operation is presented.

Table 1.1: SIL for safety functions operating in low demand of operation adapted from IEC 61511 (2003)

Safety integrity level (SIL) | Average probability of failure to perform its design function on demand
4 | ≥ 10^-5 to < 10^-4
3 | ≥ 10^-4 to < 10^-3
2 | ≥ 10^-3 to < 10^-2
1 | ≥ 10^-2 to < 10^-1

Standards do not prescribe how the SIL should be determined for the SIFs, only that they have to be determined. Figure 1.1 shows the safety lifecycle used as the basic framework in IEC 61508 and IEC 61511.

Figure 1.1: Safety lifecycle (IEC 61508, 2003)

This framework makes it possible to deal with requirements and activities in a structured manner. After the two initial phases, "concept" and "overall scope definition", the risk associated with the EUC is analyzed in the "Hazard and risk analysis" phase. Techniques such as checklists, failure modes and effects analysis (FMEA) and HAZOP may be used. The next step, which has a red box in Figure 1.1, is to specify the overall safety requirements in terms of safety functions and safety integrity which are needed to achieve the necessary risk reduction. It is during this activity the SIL is determined, and this activity / phase is of greatest importance. LOPA may be applied during this phase, but other methods like risk graph and safety layer matrix are also applicable. In the next phase, "safety requirements allocation", the safety functions are allocated to one or more SIS. Although phase four is the most interesting in this case, phases three and five will come into play, as they give the input to and receive the output from phase four. All of these activities are carried out in the design phase prior to final design and manufacturing (Rausand and Høyland, 2004; IEC 61508, 2003; Schönbeck, 2007).

Chapter 2

Methods in determining SIL

As mentioned in the previous section, various SIL determination methods and tools exist. These may be applied during phase four in Figure 1.1, and in this chapter the most common are presented briefly. Organizations have developed these tools to help engineers estimate the process risk and convert it to a required SIL (Marszal and Scharpf, 2002). Both qualitative and quantitative approaches may be applied. In qualitative methods the parameters used as decision basis are subjective and estimated by expert judgment. Quantitative methods describe the risk by calculations, and a numerical target value is compared with the result. Which method to apply relies primarily on whether the necessary risk reduction is specified in a numerical or a qualitative manner. The scope and extent of the analysis would also be an influencing factor. Even if the assignment method is qualitative, the SIL is always quantified by a number (IEC 61508, 2003; Marszal and Scharpf, 2002). The methods described in this chapter include the quantitative method in IEC 61511, the risk matrix, the safety layer matrix, the OLF 070 guideline, the risk graph and the calibrated risk graph.

2.1 Quantitative method as described in IEC 61508

The approach starts off with establishing the tolerable risk target, which must be in accordance with the company risk acceptance criteria. This is the acceptable number of times the SIF is allowed to fail, i.e. the tolerable number of times per year the specific unwanted consequence may occur. This can be determined from a table where categories of consequences are assigned acceptable frequencies. Such a classification is shown in Table 2.1. Assigning numerical values in terms of frequencies, defining which classes are tolerable and plotting the consequence specific to the situation makes it possible to determine the tolerable risk target. If class III in Table 2.1 is tolerable, a catastrophic consequence has a tolerable risk target of improbable, which has an assigned numerical frequency per year (IEC 61508, 2003).

Table 2.1: Risk classification of accidents adapted from IEC 61508

Frequency  | Catastrophic | Critical | Marginal | Negligible
Frequent   | I   | I   | I   | II
Probable   | I   | I   | II  | III
Occasional | I   | II  | III | III
Remote     | II  | III | III | IV
Improbable | III | III | IV  | IV
Incredible | IV  | IV  | IV  | IV

The next step is to determine the EUC-risk. Risk is a measure of probability and consequence. The EUC-risk consists of the unwanted consequence and the demand rate on the system without protective features, i.e. the number of times per year the unwanted consequence occurs without the SIF. This can be estimated using quantitative risk assessment methods, e.g. fault tree analysis (FTA) or reliability block diagrams (RBD) (IEC 61508, 2003).

The final step is to calculate the necessary risk reduction to meet the tolerable risk. This is obtained by dividing the number of times per year the SIF may fail by the number of demands per year. The result is "the acceptable number of times the SIF may fail per demand per year", thus the needed probability of failure per demand, which is the PFD. The SIL requirement could be allocated further down to subsystems, e.g. by expert judgment (IEC 61508, 2003).

A separator located topside on a platform or floating production, storage and offloading vessel (FPSO), with a riser down to a subsea production system (SPS) consisting of X-mas tree (XT) and reservoir, could be used as an example. The EUC is in this case defined as the separator. The acceptable frequency of overpressure of the separator could be 10^-6/year, which could correspond to category class III with critical consequence. Note that this is the acceptable frequency of a given unwanted consequence, which in this case is overpressure. The consequence could in some cases also be directly related to human harm. From the reservoir the demand rate on the system, without any protection systems, can be found. If this is estimated to be 25 demands/year, the approach gives:

PFD ≤ (acceptable no. of times the SIF may fail / year) / (no. of demands / year) = 10^-6 / 25 = 4 · 10^-7

This result is the acceptable frequency / demand, hence the probability of failure on demand. The protection system may consist of several sub-systems performing several SIFs, and the PFD may be allocated further down. In this case high integrity pipeline protection system (HIPPS), production shutdown (PSD), emergency shutdown (ESD) etc. are such systems or functions.


2.2 Risk matrix

Risk matrix, often denoted hazard matrix, is one of the most popular SIL determination methods due to its simplicity. The risk matrix takes frequency and consequence into account qualitatively, based on a categorization of the risk parameters. Figure 2.1 shows a typical risk matrix diagram modified for SIL determination. The consequence and frequency (likelihood) make one axis each, enabling the user to plot the situation under consideration in the diagram. If each box in the diagram has an attached SIL level, the determination process is simple. The consequence categories may be expressed in terms of economic, human or environmental loss. The categories divide the consequences into minor, serious or extensive according to the level of severity. The likelihood categories are divided into low, moderate or high. The categories can be selected qualitatively, using expert judgment, but quantitative tools can in some cases be utilized to make it easier to determine which category to use. Then the categories may be attached to economic figures, number of fatalities, frequency categories, etc. In Figure 2.1, different SILs are applied. Minor consequence - low likelihood leads to no SIL required. This means that the risk is considered tolerable. Minor consequence - moderate likelihood leads to a low SIL, while extensive consequence - high likelihood leads to a high SIL. If a SIL 3 is required, further analysis should be done, as one SIF may not provide sufficient risk reduction (Marszal and Scharpf, 2002).

Figure 2.1: Typical risk matrix modified for SIL determination adapted from(Marszal and Scharpf, 2002)

If the consequence is one that could cause any serious injury or fatality on site or off site, it could be categorized as serious. If the frequency of this outcome is expected to be > 10^-2, the assigned category is high. This consequence - likelihood pair would in Figure 2.1 give a SIL 3, but with further analysis required (Marszal and Scharpf, 2002).

It is important to emphasize that the categorization and determination may lead to an unrealistic result. Other tools and methods may be used in conjunction with this method to improve the quality of the categories and the accuracy of the plotting (Marszal and Scharpf, 2002; IEC 61511, 2003).

2.3 Safety layer matrix

Safety layer matrix is a risk matrix which in addition to frequency and consequence takes the number of protection layers (PL) into account. The resemblance between Figure 2.1, showing a typical risk matrix, and Figure 2.2, which shows a typical safety layer matrix, is as expected strong.

A PL is according to IEC 61511 a grouping of equipment and / or administrative controls which, functioning together with other protection layers, mitigate the process risk. A PL must lead to a risk reduction factor of at least 10, and fulfill the following criteria (IEC 61511, 2003):

• Specificity (one PL designed to prevent or mitigate the consequences of one potential hazardous event. Multiple causes may initiate action by the PL)

• Independence (PL must be independent of other protection layers, no common cause failures (CCF))

• Dependability (PL must act as intended in design)

• Auditability (PL must be designed to facilitate validation of function)

A SIS is considered a safety instrumented PL (IEC 61511, 2003). Compared to the term safety barrier as presented in Sklet (2006), a PL is a safety barrier with additional requirements.

The classification of the consequence severity is almost identical to that for the risk matrix, with severity categories minor, serious and extensive. Table 2.2 shows how to estimate the likelihood of the hazardous event which leads to the unwanted consequence or impact. The categorization of likelihood in the risk matrix approach focuses on frequency specifically, while the safety layer matrix categorization in IEC 61511 is based on type of events. Plant specific data should be employed, if available, to establish the likelihood. The event classification in IEC 61511 makes it easy to distinguish between the frequency categories, as the frequencies are related to specific events. Note that the categorization of likelihood and consequence is done without considering the PLs (IEC 61511, 2003).

Table 2.2: Frequency of hazardous event likelihood adopted from IEC 61511

Type of events | Likelihood (qualitative ranking)
Events such as multiple failures of diverse instruments or valves, multiple human errors in a stress free environment, or spontaneous failures of process vessels | Low
Events such as dual instrument, valve failures, or major releases in loading / unloading areas | Medium
Events such as process leaks, single instrument, valve failures or human errors that result in small releases of hazardous materials | High

*The system should be in accordance with this standard when a claim that a control function fails less frequently than 10^-1 per year is made

Figure 2.2: Safety layer matrix diagram adapted from IEC 61511 (2003)


Figure 2.2 shows a typical safety layer matrix. The risk criteria are embedded into the diagram, and the methodology and categorization are similar to the risk matrix. The specific hazardous event likelihood and hazardous event severity classification is plotted. This results in one of the 9 columns in the figure. In order to determine the final box in the figure that contains the necessary SIL, the number of PLs must be identified (IEC 61511, 2003). An example could be a process leak resulting in catastrophic consequence to personnel (several casualties). The hazardous event severity is categorized as serious. In Table 2.2 the occurrence of a process leak is classified with high likelihood. Two mechanical pressure relief devices were identified satisfying the PL criteria. In Figure 2.2 an event with serious consequence - high likelihood rating with two PLs would require a SIL 2. If the number of PLs had been one, a SIL 3 and additional analysis would be required.

2.4 The OLF 070 guideline

OLF 070 was developed by operators and suppliers of services and equipment to facilitate the implementation of IEC 61508 and IEC 61511 in the Norwegian petroleum industry. The guideline presents conservative minimum SIL requirements. A conservative requirement is a strict requirement which takes uncertainty into consideration; it can be compared to oversizing a beam in order to ensure the rigidity of a structure. The requirements in OLF 070 are given in a set of tables in chapter seven of the guideline. Background information for the various SIL requirements, such as the definition of each function including schematics and assumptions, is documented in appendix A of OLF 070. If the tables are not applicable, a risk based methodology should be used. The guideline makes it possible to skip many of the steps in the determination process, leading to reduced engineering costs. But the approach is not fully risk based, and the results are not as appropriate as quantitative calculations (OLF 070, 2004). Table 2.3 shows the SIL requirement for a subsea ESD function.

2.5 Risk graph

Risk graphs are based on methods described in the German publication DIN 19250, published in 1994, and are a popular approach for determining SIL (Baybutt, 2007). Risk graphs are qualitative and category based. They consider the consequence and frequency of the hazardous event, but also occupancy and the probability of personnel avoiding the hazard (Marszal and Scharpf, 2002; Baybutt, 2007).

Table 2.3: SIL requirement table adopted from OLF 070

Safety function: Subsea ESD
SIL requirement: 3
Ref.: A.13
Functional boundaries for given SIL / comments: Shut-in of one subsea well. Isolate one subsea well. The SIL requirement applies to a conventional system with flowline, riser and riser ESD valve rated for shut-in conditions. Isolation of one well by activating or closing:
- ESD node
- Topside HPU and / or EPU
- WV and CIV including actuators and solenoids
- MV
- DHSV including actuators and solenoids
NOTE: If injection pressure through the utility line may exceed the design capacity of the manifold or flowline, protection against such scenarios must be evaluated specifically.
NOTE: If a PSD system is specified for a conventional system for safety reasons, the PSD functions shall be minimum SIL 1.

Table 2.4: Classification of risk parameters adopted from IEC 61511

Risk parameter                              Category  Classification
Consequence (C)                             CA        Light injury to persons
                                            CB        Serious injury to one or more persons. Death of one person
                                            CC        Death of several persons
                                            CD        Catastrophic effect, very many people killed
Frequency of presence in the                FA        Rare to more frequent exposure in the hazardous zone
hazardous zone (F) (occupancy)              FB        Frequent to permanent exposure in the hazardous zone
Possibility of avoiding the consequences    PA        Possible under certain conditions
of the hazardous event (P)                  PB        Almost impossible
Frequency of the unwanted                   W1        A very slight probability that the unwanted occurrences occur, and only a few occurrences are likely
consequence (W)                             W2        A slight probability that the unwanted occurrences occur, and few occurrences are likely
                                            W3        A relatively high probability that the unwanted occurrences occur, and frequent occurrences are likely

In Table 2.4 the classification of the risk parameters suggested in IEC 61511 is shown. The consequence parameter (C) describes the likely outcome of the hazardous event, and four categories of consequences are suggested. CA is less severe than CD, ranging from light injury to many fatalities. In this case consequences are measured in the extent of injury to people, but environmental or financial target measures can also be utilized (IEC 61511, 2003; Marszal and Scharpf, 2002).

The occupancy parameter (F) indicates the fraction of time the hazardous area is occupied by personnel. FB indicates higher risk than FA, as the area is more frequently exposed. Usually, FA is selected if the hazardous area is occupied less than approximately 10% of the time (IEC 61511, 2003).

The possibility of personnel avoiding the hazard is incorporated in the parameter P. This parameter reflects what means the personnel have to identify and escape the hazard. In addition, skill and supervision in process operation, and the rate of development of the hazardous event, are taken into account. Two categories, PA and PB, are suggested, and PB indicates the higher risk. A checklist of statements that must all be true in order to select PA can be utilized in the evaluation. Such statements are suggested in IEC 61511.

The final parameter is the demand rate parameter (W), which is the frequency per year of the unwanted consequence without the SIF under consideration, but with the other safeguards operating. Also for this parameter, higher indices indicate higher risk, as they take less credit for risk reduction by other safeguards. W1 indicates that only a few occurrences are likely, and a demand rate of less than 0.03 per year could fit such a description. W2 and W3 indicate that few occurrences or frequent occurrences are likely, and suitable demand rates per year could be 0.03 - 3 and more than 3, respectively. The choice of this parameter will affect the result, and care should be taken when selecting the category (Baybutt, 2007; IEC 61511, 2003).

Figure 2.3 shows a typical risk graph diagram. The path from left to right is decided by the selected risk parameters. The selected consequence, occupancy and possibility of avoidance categories result in an output row X. Each output row corresponds to three values of W. The selection of the demand rate W is the last step in determining the SIL; a higher W parameter leads to a higher SIL. The tolerable level of risk is embedded in the boxes in the three columns at the right hand side, and the choice of these must support the company risk criteria (Marszal and Scharpf, 2002; IEC 61511, 2003).

If the separator example explained in Section 2.1 is employed, the reasoning is as follows. If the likely consequence is evaluated to be serious injury to one or more persons, CB is selected. Then FA is chosen, because personnel are only rarely to moderately often exposed in the area. It is possible under certain conditions to avoid the consequences, which indicates that parameter PA should be used. The combination of these risk parameters results in output row X2. There is a relatively high probability that the unwanted occurrence takes place, and the demand rate category is set to W3. In Figure 2.3 this results in a SIL 1 requirement.


Figure 2.3: Typical risk graph

2.6 Calibrated risk graph

The calibrated risk graph method is a semi-qualitative method, similar to the qualitative risk graph. The same risk parameters are used as for the conventional risk graph approach, and Figure 2.3 is also applicable. Calibration means that numerical values or ranges are assigned to the risk parameters. This allows a more precise determination of the SIL and makes the decisions more objective. The calibration depends on individual and societal risk, and these issues, in addition to company criteria and authority regulations, should be considered before assigning the parameter values. Calibration does not need to be carried out every time a SIL needs to be determined; the organization only needs to do it once for similar hazards (IEC 61511, 2003).

The consequence can be quantified by the number of fatalities. But in many instances a failure does not cause immediate fatality, which leads to the introduction of the vulnerability concept. Vulnerability (V) is a function of the concentration of the hazard and the duration of the exposure. In Table 2.5 a vulnerability range is given. By multiplying this measure with the number of people present when the exposed area is occupied, the number of fatalities is estimated. In the table a range is assigned to each consequence category, making the categorization possible. Note that vulnerability (V) and possibility of avoiding the hazard (P) are two different factors: V concerns the escalation, while P concerns the prevention of the hazard by the operator (IEC 61511, 2003).


Table 2.5: Example calibration adapted from IEC 61511

Risk parameter                      Category  Classification
Consequence (C)                     CA        Minor injury
Number of fatalities, calculated    CB        0.01 < no. of fatalities < 0.1
as "no. of people present when      CC        0.1 < no. of fatalities < 1.0
the area exposed to the hazard      CD        No. of fatalities > 1.0
is occupied" · "vulnerability to
the identified hazard"
  Vulnerability: V = 0.01 (small release of flammable or toxic material); V = 0.1 (large release of flammable or toxic material); V = 0.5 (as above, but also a high probability of catching fire, or highly toxic material); V = 1 (rupture or explosion)
Occupancy (F)                       FA        Occupancy < 0.1
Fraction of time the exposed area   FB        Occupancy 0.1 or more
is occupied during a normal
working period
Possibility of avoidance (P)        PA        Hazard can be prevented by the operator taking action after he realizes the SIS has failed to operate. Refer to the conditions given in IEC 61511-3
                                    PB        Adopted if the conditions do not apply
Demand rate (W)                     W1        Demand rate < 0.1D per year
D is the calibration factor         W2        0.1D < demand rate < 10D per year
                                    W3        Demand rate > 10D per year; higher safety integrity shall be needed


According to Marszal and Scharpf (2002) potential loss of life (PLL) ranges couldalso be used as a measure of the consequence. PLL is the expected number offatalities within a population during a specified period of time (NORSOK Z-013,2001). Note that care should be taken if PLL is chosen as a measure, because itincorporates both probability and consequence. When assigning the other riskparameters it is important to make sure that the consequence parameter is con-sidered independent (Marszal and Scharpf, 2002).

The parameter F is often measured by the percentage of time the area, thatis exposed to hazard, is occupied. FA should be used if the parameter value isless than 0.1 (IEC 61511, 2003; Marszal and Scharpf, 2002).

The avoidance factor PA is selected if all conditions stated in IEC 61511-3 aresatisfied. PB is selected if not (IEC 61511, 2003).

The demand rate (W) is the number of times per year that the hazardous event would occur in the absence of the SIF under consideration. In Table 2.5 ranges are assigned to the different categories. D is a calibration factor chosen so that the risk graph results in a level of residual risk that is tolerable. It is important that no factor is accounted for more than once, as such double counting makes the result erroneous. Documentation of the calibration process with references is necessary, and should be done with care (Marszal and Scharpf, 2002; IEC 61511, 2003).

When the calibration process is finished and the parameters decided, the risk graph is used to determine the SIL. The demand rate, occupancy and possibility of avoiding the consequence of the hazardous event together represent the frequency of the unwanted consequence. In combination with the unwanted consequence, this frequency constitutes the risk without the SIF in place. The entry in each box in the risk graph must be in accordance with the tolerable risk (IEC 61511, 2003; Marszal and Scharpf, 2002).

The separator example referred to in the previous section can again serve as an illustration. In this case the vulnerability measure is estimated to be 0.5: overpressure is severe and results in a large release of flammable material with a high probability of catching fire. If the number of people present when the area is occupied is 2, the resulting number of fatalities is 2 · 0.5 = 1, and class CC is selected as the consequence severity. One operator does maintenance work or supervision approximately 45 minutes per day, so the exposed area is occupied less than 10% of the time, giving occupancy class FA. The conditions regarding the possibility of avoidance are satisfied and PA is selected. The calibration factor D is set to 4. The demand rate is estimated at 20 demands per year. This is less than 10D = 40 and greater than 0.1D = 0.4, which corresponds to W2. The SIL is determined as for the qualitative risk graph, and results in a SIL 2 requirement.


Chapter 3

LOPA

3.1 What is LOPA?

LOPA was introduced in the 1990s, and has recently gained international popularity. LOPA is referred to in the literature both as a simplified risk assessment technique and as a risk analysis tool. Capital improvement planning, incident investigation and management of change are additional applications. LOPA is a flexible tool which can be used in different contexts and applications, which makes it confusing to understand what it really is. The application under consideration here is LOPA as a SIL determination tool.

Figure 3.1: Risk analysis procedures adopted from Rausand and Høyland (2004)


According to Marszal and Scharpf (2002) LOPA can be viewed as a special type of event tree analysis (ETA), which has the purpose of determining the frequency of an unwanted consequence that can be prevented by a set of protection layers. The approach evaluates a worst-case scenario, where all the protection layers must fail in order for the consequence to occur. The frequency of the unwanted consequence is calculated by multiplying the demand on the protection system (expressed as a frequency) by the PFDs of the protection layers. Comparing the resulting frequency of the unwanted consequence with a tolerable risk frequency identifies the necessary risk reduction, and an appropriate SIL can be selected (Marszal and Scharpf, 2002; CCPS, 2001).

LOPA is a semi-quantitative method using numerical categories to estimate the parameters needed to calculate the necessary risk reduction that corresponds to the acceptance criteria (CCPS, 2001). In a quantitative risk assessment (QRA) mathematical models and simulations are often used to estimate the extent or escalation of damage, e.g. toxic dispersion, explosion propagation or fire escalation. In addition, FTA or other methods are used to calculate the frequency of the accidental event (Rausand and Høyland, 2004). In LOPA, simplifications, expert judgment and tables are used to estimate the needed numbers (CCPS, 2001). LOPA usually receives output from a HAZOP or a hazard identification study (HAZID), and often serves as input to a more thorough analysis such as a QRA. Figure 3.1 is often referred to as the bow-tie and is a common figure for describing risk analysis. It shows the accidental event linked to its causes and consequences, and the methods which may be applied in the different phases. An ETA focuses on the consequence spectrum, not on the causal analysis, implying that LOPA is placed in column (c) to the right in the figure. On the other hand, LOPA is not as in-depth as would be expected from a consequence analysis and does have a close interaction with HAZOP, suggesting that it should be positioned more to the middle (column b). The final "position" is somewhere in between.

Often, an "onion" as the one in Figure 3.2 is used as an illustration of theprotection layers in LOPA. The system or process design has protection layersincluding basic process control system (BPCS), critical alarms and human inter-vention, SIFs, physical protection and emergency response.

BPCS is the control system used during normal operation, sometimes denoted the process control system (PCS). Input signals from the process and / or from the operator are turned into outputs which make the process operate in the desired manner. If the control system discovers that the process is out of control (e.g. high pressure) it may initiate actions to bring the process variable back within limits (e.g. choking the flow) (CCPS, 2001; IEC 61511, 2003).

Alarms monitoring certain parameters (e.g. pressure and temperature) are considered another protection layer. When the alarm is tripped, the operator may intervene to stop the hazardous development. Note that the alarm system has to be implemented in a loop separate from the BPCS in order to be independent (CCPS, 2001; IEC 61511, 2003).


Figure 3.2: The LOPA onion


Rausand (2004) describes a SIS as a system comprising sensors, logic solver(s),and actuating (final) items, and can be looked upon as an independent pro-tection shell for machinery or equipment. A SIS implements the wanted safetyfunction SIF. In LOPA, SIFs are considered as protection layers.

Physical protection includes equipment like pressure relief devices. In a separator this may be a rupture disc which relieves the pressure if it becomes too high. Post-release protection is physical protection such as dikes, blast walls etc., which have their function after the release or explosion has occurred. Both of these types of physical protection are considered protection layers in LOPA (CCPS, 2001; The Dow chemical company, 2002; ACM Facility Safety, 2006).

If an accident occurs, procedures, evacuation plans, equipment and medicaltreatment help the exposed personnel to escape, or to mitigate damage / injury.Such measures are classified as plant and community emergency response, andare considered the final protection layer (CCPS, 2001; The Dow chemical com-pany, 2002; ACM Facility Safety, 2006).

LOPA incorporates the reliability of the existing barriers to determine the required reliability of the needed SIF. Note that LOPA does not determine which protection layers to implement, only the needed performance. In some cases a SIF is already present, and the SIL of an additional SIF shall be determined. How many and which protection layers are required depends on the situation at hand (CCPS, 2001; The Dow chemical company, 2002).


3.2 Explanation of terms

Various authors use different terms in LOPA. Examples are terms like scenario,impact event and initiating event. This makes it confusing to understand whatis meant by the different terms and how they are applied. What exactly is animpact event? Does an impact event description include both causes and con-sequences? What is an impact event compared to an accidental event? What isa scenario? What is an independent protection layer? ”Where” do we start theLOPA analysis? The objective of this section is to clarify these questions, andbuild the foundation for the further evaluation of LOPA. The relation betweenthe terms is described by Figure 3.3.

Process deviation

According to NORSOK Z-013 (2001) an accidental event is defined as "event or chain of events that may cause loss of life, or damage to health, the environment or assets". Another definition is "the first significant deviation from a normal situation that may lead to unwanted consequences" (Rausand and Høyland, 2004). In IEC 60300-3-9 (1995) the term hazardous event is used instead of accidental event. In the HAZOP study the accidental event is referred to as a process deviation. The term process deviation is used from now on, and the definition from Rausand and Høyland (2004) is acknowledged as adequate.

Impact event

CCPS (2001) describes an impact as: "The ultimate potential result of a hazardous event. Impact may be expressed in numbers of injuries or fatalities, environmental or property damage, or business interruption." According to IEC 61511 an impact event is equivalent to the consequence in the HAZOP study. This implies that the impact event is the unwanted consequence of the hazardous event or accidental event, which is referred to as a process deviation. The impact event is closely related to the unwanted consequence, and the question which remains is what degree of consequence an impact event represents, e.g. end-consequence or intermediate consequence. From now on the impact event is defined as "the first sign of harm to people, environment or assets". Examples are a car crash or an explosion due to overpressure of a separator. The impact event may lead to an end-consequence which may include fatalities / injury, environmental damage or economic loss. For the impact event "car crash", the process deviation could be "car starts to slide": the car is out of control, and if the situation is not brought back under control, the impact event occurs. For the impact event "explosion due to overpressure of separator", the process deviation could be high pressure upstream of the separator.


Initiating cause

The initiating causes are the reasons why the process deviation occurs, not the most basic underlying root causes; the initiating causes are the results of the root causes. CCPS presents three types of initiating causes: external events, equipment failures and human failures. External events are earthquakes, hurricanes and other external shocks. Equipment failures are control system failures or mechanical failures. Human failures are either errors of omission (a required action is not performed at all) or errors of commission (an action is performed incorrectly, or a wrong action is performed) (CCPS, 2001). For the car crash example an initiating cause could be a slippery road.

Scenario

According to CCPS (2001) a scenario describes a single cause - consequence pairfrom the HAZOP. In LOPA terminology this is a single initiating cause - impactevent pair. This implies that a scenario consists of more than just the impactevent. But should not a scenario comprise even more? A more appropriate defi-nition of a scenario would include more than one cause. The scenario definitionis extended to describing ”the development from a process deviation to an impactevent, including the causes leading to the process deviation”.

Protection layers vs. independent protection layers

The term protection layer was defined by IEC 61511, and four important characteristics were given in Section 2.3. What is the difference between a PL and an IPL, and is the definition appropriate? According to IEC 61511 an IPL must have the same inherent characteristics. In addition it must provide at least 100-fold risk reduction (not 10-fold as for a PL) and have a functional availability of at least 0.9 (IEC 61511, 2003). These definitions seem confusing. From the point of view of IEC 61511 an IPL is just a PL with stricter requirements on availability and degree of risk reduction. A PL has the same requirement for independence, so the name is misleading. A more appropriate terminology would be to call all PLs IPLs, and IPLs with a high degree of availability and risk reduction high integrity IPLs. A definition of PL in CCPS (2001) is rewritten to: "device, system or action that is capable of preventing a process deviation from proceeding to the end consequence". Subsequently an IPL is defined as "a PL that is capable of preventing a process deviation from proceeding to the end consequence, regardless of other PLs associated with the same impact event - initiating cause pair, and of the initiating event". An IPL should fulfil the characteristics presented in Section 2.3.

Another issue of interest is whether the PLs are designed to prevent the unwanted consequence from happening, or placed as barriers to mitigate the consequences after the impact event has occurred. PLs either reduce the frequency of the unwanted consequence, or mitigate its extent.


An airbag system is defined as a SIS. The airbag inflates when a set of sensors send signals to a logic solver which initiates the inflation. If the impact event is a car crash, this protection system functions after the occurrence of the impact event: it limits the extent of damage rather than reducing the frequency of the impact event. In other cases SIFs may be placed before the impact event. If the impact event is overpressure of a separator, SIFs intended to close valves and shut down the system are appropriate. The SIF then tries to prevent the impact event from occurring, thus reducing its frequency.

Relation between terms

Figure 3.3: Relation between initiating causes, impact event, process deviationand IPLs

Figure 3.3 shows the relation between the initiating causes, impact event, process deviation and the PLs listed in IEC 61511. It shows how all the terms fit together, and the figure and the definitions given form the basis for the understanding of LOPA. Initiating causes may be the sources of a process deviation, which may lead to an impact event. The impact event may result in an end-consequence. In order to prevent the end-consequence, PLs are introduced. Most of these have the objective of limiting the frequency of the impact event, but PLs to minimize the extent of damage may also be put in place. Note that the worst-case scenario is assumed: all the PLs have to fail in order for the end-consequence to occur, hence the analogy to a branch in an ETA. The symbol * means that the PL may be credited as an IPL. The concept of IPL is discussed in the case study in Chapter 6. Note that the starting point of the LOPA analysis is the impact event. After this is identified, the causes are identified and the protection layers evaluated.


3.3 The LOPA team

LOPA is performed by a multi-disciplinary team, which at least should consist ofone:

• operator

• process engineer

• process control engineer

• manufacturing management representative

• instrument / electrical maintenance representative

• risk analysis specialist

One of the team members should be skilled in LOPA methodology, and it is important that the team has experience with the related process / system. One of the team members should be a skilled meeting facilitator, and a secretary for the team should also be appointed. Persons with other expertise may take part at different points in the analysis when needed. The meetings are usually run in several sessions, based on process documentation and a spreadsheet report to document the analysis (IEC 61511, 2003; Dowell, 1998; BP, 2006).

3.4 LOPA worksheet and the LOPA process

This section describes how LOPA works, and the LOPA process as described in IEC 61511. The terms are adapted to the definitions presented earlier, and are thus somewhat different from the ones in IEC 61511. Note that different approaches and methodologies exist, and these are discussed in Section 3.5. The LOPA report worksheet presented in IEC 61511 is shown in Table 3.1. The columns are explained briefly, step by step, below.

Impact event

The potential impact event is described in the first column of the table. These are the consequences determined in the HAZOP study.

Severity Level

In the next column the severity level of the impact event is entered, and levels of Minor (M), Serious (S) or Extensive (E) are suggested, which is the same classification as in the risk matrix and safety layer matrix approaches. Note that in the risk graph approach the consequence levels range from CA to CD, where CD is the most severe.


Table 3.1: Important columns in the LOPA report / worksheet adapted from IEC 61511 (2003)

Columns:
 1  Impact event description
 2  Severity level
 3  Initiating cause
 4  Initiation likelihood (events per year)
 5  Protection layers: general process design / BPCS / alarms etc. (PFD)
 6  Additional mitigation (restricted access) (PFD)
 7  High integrity additional mitigation (dikes, pressure relief) (PFD)
 8  Intermediate event likelihood (events per year)
 9  SIF integrity level (required PFD and SIL)
10  Mitigated event likelihood (events per year)

Example rows (overpressure of a topside separator):

 1  Impact event description      Pressure above design pressure of separator. Rupture of separator and possible ignition. Leading to the end-consequence: no. of fatalities between 1 and 10. Assuming no slug entering.
 2  Severity level                E

                                                   Initiating cause (a)                Initiating cause (b)
 3  Initiating cause                               Pressure control failure            Spurious trip of the XV in addition
                                                   causing blocked outlet              to PV control failure
 4  Initiation likelihood (per year)               0.1                                 0.001
 5  General process design / BPCS / alarms (PFD)   1 / 1 / 1                           1 / 1 / 1
 6  Additional mitigation, restricted access       0.21                                0.21
 7  High integrity additional mitigation,          0.08                                0.08
    pressure relief
 8  Intermediate event likelihood (per year)       1.7·10^-3                           1.7·10^-5       Sum: 1.717·10^-3
 9  SIF integrity level                            Required PFD 1.75·10^-2, SIL 1
10  Mitigated event likelihood (per year)          3·10^-5                             3·10^-7         Sum: 3.03·10^-5


Initiating cause and initiation likelihood

All direct initiating causes of the impact event are listed in column 3. In column 4 the likelihood values of the initiating causes occurring, in events per year, are entered. A table showing typical values is given in IEC 61511; e.g. a failure with a low probability of occurring within the lifetime of the plant (dual instrument or valve failure) is categorized with a frequency between 10^-4 and 10^-2 per year.

Independent Protection layers

If protection layers satisfy the IPL criteria, they are given credit. The PFD valueis then added in the worksheet. Process design to reduce the likelihood of animpact event from occurring, when an initiating cause occurs, are listed first incolumn 5. Jacketed pipe or vessels serve as examples. BPCS is the next to belisted in column 5. If the BPCS prevents the impact event from occurring, whenthe initiating cause occurs, credit based on its PFD is claimed. The last itemin column 5 takes credit for alarms that alert the operator and utilize operatorintervention.

Additional mitigation layers with associated PFDs are listed in column 6. Mitigation layers are normally mechanical, structural or procedural and may reduce the severity, but do not prevent the impact event from occurring. Examples of additional mitigation are pressure relief devices, dikes, restricted access and evacuation procedures.

IPLs may be credited as high integrity IPLs, if the functional availability is atleast 0.9 and if it provides at least 100-fold risk reduction. They are then listed incolumn 7. A table in IEC 61511 presents typical PFD values for certain protectionlayers.

Intermediate event likelihood

The intermediate event is the occurrence of the end-consequence with the existing / planned protection layers in place, but without the SIF under consideration. The intermediate event likelihood is the frequency per year of this event, and is entered in column 8. It is calculated by multiplying the initiating event likelihood (column 4) by the PFDs of the protection layers and mitigation layers (columns 5, 6 and 7). The result is in events per year and is compared with the corporate criterion. If the intermediate event likelihood is greater than the corporate criterion, additional risk reduction is needed. Inherently safer design should be considered before new SIFs are introduced.


Safety integrity level (SIL)

If a new SIF is needed, the required PFD of the SIF is obtained by dividing the corporate criterion for this severity level by the intermediate event likelihood; the SIL band that contains this PFD is the SIL requirement. The result is entered in column 9.

Mitigated event likelihood

The mitigated event is the occurrence of the end-consequence with all protection layers in place, including the proposed SIF. The mitigated event likelihood is the frequency per year of this event. It is calculated by multiplying column 8 by the SIF PFD in column 9, and the result is entered in column 10. This step is repeated until the team has calculated a mitigated event likelihood for each impact event.

Total risk

The last step could be to calculate the total risk with respect to each specificimpact event. The mitigated event likelihood for all the events rated as seriousor extensive, and that present the same hazard are added up. This step couldinclude additional probabilities, if not accounted for in the previous steps.

Example

In Table 3.1 some rows are filled in. The example is overpressure of a topside separator, taken from Harsem Lund (2007). The HAZOP identified that pressure above the design pressure of the separator could cause rupture and possible ignition, leading to a number of fatalities between 1 and 10. Further, two initiating causes with initiating likelihoods were identified. General process design, BPCS and alarms are not given credit as PLs, and are thus given the value 1. Additional mitigation (restricted access) is estimated at 0.21, from an assumed ignition probability of 0.3 and an occupancy of 70% (0.3 · 0.7 = 0.21). IPL additional mitigation is estimated at 0.08, based on the assumption that 8 PSVs must operate to avoid pressure build-up above test pressure. The intermediate event likelihood is then calculated for each initiating event (0.1 · 0.21 · 0.08 = 1.7·10^-3 and 0.001 · 0.21 · 0.08 = 1.7·10^-5 events per year), and the corporate / company criterion for this severity level (E) is 3·10^-5 events per year. The sum of the intermediate event likelihoods is 1.717·10^-3 events per year. Dividing 3·10^-5 by 1.717·10^-3 gives a required SIF PFD of 1.75·10^-2 (a risk reduction factor of about 57), which falls in the SIL 1 band (PFD between 10^-2 and 10^-1). The mitigated event likelihoods become 3·10^-5 and 3·10^-7 events per year, which give a total of 3.03·10^-5 events per year.

Note that both in the table and in the calculations numbers are carried with several decimals. This is done for illustration only. Usually, two significant digits are appropriate.


3.5 Different approaches in literature

Many similarities can be found among the approaches and methodologies presented in the literature. Summers (2003), Ellis and Wharton (2006) and Dowell (1998) have presented flowcharts, while IEC 61511 uses a worksheet as the basis for its methodology. BP (2006) has its own procedure providing guidance on LOPA, which includes a flowchart. CCPS (2001) presents a diagram explaining the LOPA steps, with a chapter explaining each step. The approach in IEC 61511 is the most prevalent. The essential steps that seem common are:

• Documentation of the hazard analysis

• Development of scenario or impact event

• Identification of initiating causes

• Determination of the protection layers including the IPLs

• Quantification (cause frequency / likelihood and PFD)

• Target risk evaluation / SIL determination

As the list indicates, the major steps in the SIL determination process are covered. Most approaches take information from previous studies to identify hazards, and to form a basis for the next steps. The initiating causes are identified, and the frequency determined. The most substantial differences between the various approaches are the use of terms, the order of the sequence and the intended application. Another distinction is how the SIL is incorporated and evaluated. Often the "as is" process design is evaluated. The existing protection layers are identified and the intermediate event likelihood determined before assigning a SIL level to the SIF. Sometimes the SIF under consideration, with the expected PFD, is implemented implicitly in the calculations. This results in a different criterion for acceptability. The mitigated event likelihood is then the calculated frequency that is compared to the acceptance criteria, not the intermediate event likelihood.

Some authors use screening tools, and / or suggest LOPA as a part of a total methodology. Ellis and Wharton (2006) suggest such a close interface between LOPA and other methods. Figure 3.4 is an extract of the determination methodology presented in Ellis and Wharton (2006). The consequences of the impact events are classified. A consequence level is chosen for the impact event under consideration, and LOPA is used if the most severe category CE is selected. If not, a risk graph approach is utilized. If the risk graph results in SIL 1 (or lower), this is documented as the final SIL. The risk graph may result in a high SIL (SIL 2-4), and LOPA is suggested in those cases. The LOPA may conclude with SIL 3-4. If this is the case, a fault tree analysis (FTA) is initiated. If the FTA results in SIL 3-4, redesign to eliminate the hazard or reduce event severity or event likelihood is needed. Harsem Lund (2007) supports the use of risk graph and QRA in addition to LOPA, depending on the calculated SIL.


Figure 3.4: Extract of SIL determination methodology from Ellis and Wharton (2006)

3.6 Aker E&T methodology

The Aker E&T LOPA methodology is presented in Figure 3.5. The method is modified compared to the one given in Nordhagen (2007). Compared to the approaches discussed in Section 3.5, the Aker E&T approach is an overall methodology, not taking the proposed SIF implicitly into account. Often the customer's methodology (e.g. Statoil, BP) forms the basis for the analysis.

P&IDs are schematic diagrams describing piping, equipment and instrumentation connections within process plants. ISO 10418 (2003) is a technical standard that provides objectives, functional requirements and guidelines for techniques for analysis, design and testing of surface process safety systems. This standard helps the design team to implement safety functions in the P&IDs for the system concerned. A HAZID, HAZOP or WHAT-IF analysis helps to identify process deviations which require additional SIFs. After all information has been gathered and documented in the P&IDs and additional documentation, a LOPA is initiated. The report sheet in Table 3.1 is used, and the steps described in Section 3.4 are followed, except for the steps where the mitigated event likelihood and the total risk are calculated. An example of acceptance criteria is shown in Table 4.1, with the accepted frequency denoted target mitigated event likelihood (TMEL). In the Aker E&T approach the mitigated event likelihood is equal to the TMEL (Nordhagen, 2007; ISO 10418, 2003).


Figure 3.5: Aker E&T methodology adapted from Nordhagen (2007)

The SIF under consideration is assumed not to be in place during the analysis, and the formula used in the evaluation of the LOPA results can be written:

$$\frac{\text{Acc. freq}}{\text{Total IEL}}$$

If the fraction between the accepted frequency (Acc. freq.) and the calculated total intermediate event likelihood (IEL) is greater than or equal to 1, the team shall evaluate whether the SIF shall be removed or not. This implies that the resulting frequency of the end-consequence, without the proposed SIF, is equal to or less than the accepted frequency. The analysis team can either remove the SIF, because the system is evaluated safe enough, or keep the SIF but without any requirements to the safety function. If $1 > \frac{\text{Acc. freq}}{\text{Total IEL}} > 0.1$, ”SIL 0” is selected. This implies that the intermediate event likelihood is between 1 and ten times higher than the acceptable value. No further evaluation is necessary, but the SIF is kept in order to achieve some risk reduction. If $0.1 > \frac{\text{Acc. freq}}{\text{Total IEL}} > 0.01$, which is equivalent to SIL 1 in IEC 61511, SIL 1 is selected and no further evaluation is done. SIL 2 is selected if $0.01 > \frac{\text{Acc. freq}}{\text{Total IEL}} > 0.001$. If the analysis result is SIL 3 ($0.001 > \frac{\text{Acc. freq}}{\text{Total IEL}} > 0.0001$), a QRA is initiated to further evaluate the SIF (Nordhagen, 2007).


Chapter 4

Preferred approach

4.1 Flowchart

When performing LOPA, a clear methodology and approach is needed to make the team focus on the analysis and not on how to do the analysis. The preferred approach is a recommended approach developed on the basis of the worksheet presented in IEC 61511, reproduced in Table 3.1. It is modified taking the views presented in Sections 3.5 and 3.6 into consideration, using the terms described in Section 3.2. The steps in Figure 4.1 are described in the paragraphs below.

Step 1: Develop and document the risk acceptance criteria

It is of great importance that this step is done with care. The acceptance criteria have to respond to the requirements from the company, authorities and customers. Acceptance criteria should be established for different types of consequences, such as safety, environmental and economic. In Table 4.1 an example of acceptance criteria for safety hazards is presented. Note that the TMEL is a frequency. For economic / commercial hazards the criteria could consist of target mitigated likelihoods and monetary consequences. If acceptance criteria already exist, these should be verified before they are employed.

Step 2: Gather and document data

The results from HAZOP, HAZID and WHAT-IF analyses must be gathered and documented. In addition, documentation like equipment data, maintenance plans and operational conditions and procedures is important to obtain. If the data material is not sufficient, further data must be collected. In particular, the need for further hazard identification must be evaluated.


Figure 4.1: Preferred approach


Table 4.1: Target mitigated event likelihood for safety hazards adapted from Nordhagen (2007)

Severity level   Safety consequence                                       Target mitigated event likelihood
---------------  -------------------------------------------------------  ---------------------------------
CA               Single first aid injury                                  3 · 10^-2 per year
CB               Multiple first aid injuries                              3 · 10^-3 per year
CC               Single disabling injury or multiple serious injuries     3 · 10^-4 per year
CD               Single on-site fatality                                  3 · 10^-5 per year
CE               More than one and up to three on-site fatalities         1 · 10^-5 per year

Step 3: Transform and integrate data

The data material has to be adapted to the input that LOPA requires. Acceptance criteria, frequencies and consequence / likelihood ratings may have to be converted. The interface between HAZOP and LOPA is discussed in Chapter 5.

Step 4: Select impact event

The impact events should be evaluated separately, one at a time.

Step 5: Screen impact event

For each impact event a consequence severity level is determined, and the impact event under consideration is screened by a criterion using these levels. This could already have been done in the HAZOP study, and if applicable these results can be used. In Table 4.1 such severity levels are given. Let C denote the consequence severity level, divided into five categories. If an impact event is classified with consequence severity level C > CC (CD or CE), a QRA has to be performed. This implies that impact event consequences rated as CA, CB or CC are evaluated with LOPA. Note that the criterion for selecting either QRA or LOPA should be adapted to how the acceptance criteria are expressed and to the situation under consideration.

Step 6: Identify initiating causes

The initiating causes are most likely identified in the HAZOP study, but these may not include sub-causes. Identifying sub-causes might be beneficial to get an understanding of the situation at hand, and also to get an accurate result when it comes to the calculations. Expert judgment and previous studies (such as HAZOP) are used in the identification process.


Step 7: Establish / determine initiating cause frequencies

The initiating cause frequencies must be determined. In Table 4.2 initiating cause frequencies are presented. In addition, expert judgment and plant specific data / company data may be helpful in determining the frequencies.

Step 8: Select initiating cause - impact event pair

One pair of initiating cause and impact event should be evaluated at a time.

Step 9: Identify IPLs and determine PFDs

The IPLs must be identified, and the assumption of independence should be evaluated with care and be thoroughly documented. If the IPL criteria are satisfied, the PFDs are added in the LOPA worksheet in Table 3.1. Estimates of PFDs can be found in tables in CCPS (2001) and OREDA, but company or plant specific data can also be used. Table 4.3 shows some PFDs for different IPLs. If a protection layer cannot be given credit as an IPL, the PFD value entered in the worksheet is 1. The inherent process design and the reduction factor this gives should be evaluated carefully. This protection layer is difficult to assess, and in most cases no risk reduction is given credit.

In addition to the PFDs the following frequency modifiers may be included:

• Occupancy

• Ignition probability

• Time at risk (for systems not continuously in operation)

The additional mitigation (restricted access) column shall include ignition probability, in addition to occupancy. The occupancy factor is calculated as for the risk graph (IEC 61511, 2003). For flammable hazards ignition probability shall be considered. If there are many sources of ignition and the release is large, a conservative value should be chosen. A conservative value is in this case a value close to 1. The time at risk factor reflects the time the system is in the hazardous mode, and is evaluated only for systems not in continuous operation. All of the frequency modifiers are numbers between 0 and 1, and care should be taken that not too much risk reduction is given credit (BP, 2006; CCPS, 2001; Harsem Lund, 2007). Note that the frequency modifiers are optional and should be seen in relation to the impact event under consideration.

Step 10: Calculate intermediate event likelihood (IEL)

$$f_{IEL,i} = f_i \cdot \prod_{j=1}^{J} PFD_{ij} \qquad (4.1)$$


Table 4.2: Typical frequency values assigned to initiating causes adapted from CCPS (2001)

Initiating event                                          Frequency range from literature (per year)   Example of a value chosen by a company
--------------------------------------------------------  -------------------------------------------  --------------------------------------
Pressure vessel residual failure                          10^-5 to 10^-7                               1 · 10^-6
Piping residual failure - 100 m - full breach             10^-5 to 10^-6                               1 · 10^-5
Piping leak (10 % section) - 100 m                        10^-3 to 10^-4                               1 · 10^-3
Atmospheric tank failure                                  10^-3 to 10^-5                               1 · 10^-3
Gasket / packing blowout                                  10^-2 to 10^-6                               1 · 10^-2
Turbine diesel engine overspeed with casing breach        10^-3 to 10^-4                               1 · 10^-4
Third party intervention (external impact by backhoe,     10^-2 to 10^-4                               1 · 10^-2
  vehicle etc.)
Crane load drop                                           10^-3 to 10^-4 per lift                      1 · 10^-4 per lift
Lightning strike                                          10^-3 to 10^-4                               1 · 10^-3
Safety valve opens spuriously                             10^-2 to 10^-4                               1 · 10^-2
Cooling water failure                                     1 to 10^-2                                   1 · 10^-1
Pump seal failure                                         10^-1 to 10^-2                               1 · 10^-1
Unloading / loading hose failure                          1 to 10^-2                                   1 · 10^-1
BPCS instrument loop failure                              1 to 10^-2                                   1 · 10^-1
Regulator failure                                         1 to 10^-1                                   1 · 10^-1
Small external fire (aggregate causes)                    10^-1 to 10^-2                               1 · 10^-1
Large external fire (aggregate causes)                    10^-2 to 10^-3                               1 · 10^-2
LOTO (lock-out tag-out) procedure failure                 10^-3 to 10^-4 per opportunity               1 · 10^-1 per opportunity
Operator failure (to execute routine procedure,           10^-1 to 10^-3 per opportunity               1 · 10^-2 per opportunity
  assuming well trained, unstressed, not fatigued)


Table 4.3: PFDs for IPLs adapted from CCPS (2001) and BP (2006)

IPL                                                                     PFD                           SIL
----------------------------------------------------------------------  ----------------------------  -----
BPCS, if not associated with the initiating event being considered      1 · 10^-1
Operator alarm with sufficient time available to respond                1 · 10^-1
Relief valve                                                            1 · 10^-2
Rupture disc                                                            1 · 10^-2
Flame / detonation arrestors                                            1 · 10^-2
Dike / bund                                                             1 · 10^-2
Underground drainage system                                             1 · 10^-2
Open vent (no valve)                                                    1 · 10^-2
Fireproofing                                                            1 · 10^-2
Blast-wall / bunker                                                     1 · 10^-3
Identical redundant equipment                                           1 · 10^-1 (max credit)
Diverse redundant equipment                                             1 · 10^-1 to 1 · 10^-2
Other events                                                            Use experience of personnel
SIS that typically consists of a single sensor, logic and final         1 · 10^-1 to 1 · 10^-2        SIL 1
  element
SIS that typically consists of multiple sensors, multiple channel       1 · 10^-2 to 1 · 10^-3        SIL 2
  logic and multiple final elements (for fault tolerance)
SIS that typically consists of multiple sensors, multiple channel       1 · 10^-3 to 1 · 10^-4        SIL 3
  logic and multiple final elements. Requires careful design and
  frequent proof tests


Equation 4.1 shows the formula to calculate the intermediate event likelihood, f_IEL,i, for a certain initiating event, i. Let the number of IPLs range from 1 to J, and let each IPL have a PFD denoted PFD_ij. The product of the PFDs is multiplied by the frequency of initiating event i, f_i. The intermediate event likelihood is the expected frequency of the consequence with the credited IPLs in place.

Next initiating cause - impact event pair

If there are more initiating event - impact event pairs, they should be evaluated. As shown in Figure 5.1 the analysis team has to go back to the pair selection phase. This process is iterative until all pairs have been evaluated.

Step 11: Sum up the intermediate event likelihoods

The intermediate event likelihoods of all the related initiating cause - consequence pairs have to be summed, in order to identify the total rate of demands that are not eliminated by the system (including planned / existing protection layers and mitigation). Equation 4.2 shows the formula applied to determine the total intermediate event likelihood f_IEL,total, for initiating events ranging from i = 1 to i = I.

$$f_{IEL,total} = \sum_{i=1}^{I} f_{IEL,i} \qquad (4.2)$$

Target risk measurement

Column 3 in Table 4.1 shows the target mitigated event likelihood (TMEL) for different consequence severity levels. The combination of the TMEL and consequence category is in this case the risk acceptance criteria, which is the target risk measure. For the consequence severity level concerned, the total intermediate event likelihood and the target mitigated event likelihood are compared. If the total intermediate event likelihood is less than the target mitigated event likelihood, the target risk is acceptable. The next impact event can then be evaluated. If not, a SIL should be determined. Note that even if the target risk is acceptable, introducing a SIL may still be wise due to uncertainty in the calculations.

Modifications and changes to the planned / existing system should be considered prior to introducing a SIF. Can the risk be reduced by enhancing the existing protection layers, or by changing the design? If the answer is yes, such measures should be evaluated, and the new intermediate event likelihood calculated and compared with the acceptance criteria. If the answer is no, a SIF with an associated SIL has to be implemented.

Step 12: Determine SIL

The gap between the acceptable risk (the target mitigated event likelihood corresponding to a specific consequence category) and the current risk (intermediate event likelihood) must be eliminated by the SIF, hence the needed SIL. By dividing the target mitigated event likelihood by the total intermediate event likelihood, the PFD corresponding to the SIL is found. Equation 4.3 shows how the acceptable frequency, f_Acc, is used to determine the necessary risk reduction. The target mitigated event likelihood is denoted f_TMEL.

$$\text{SIL} = \text{necessary risk reduction} = \frac{f_{Acc}}{f_{IEL,total}} = \frac{f_{TMEL}}{f_{IEL,total}} \qquad (4.3)$$

Screen by SIL

If the resulting SIL > SIL 3, a QRA should be initiated. A high SIL requirement is stricter, demanding higher reliability and performance of the SIS. LOPA includes uncertainty, and for SILs requiring high integrity a more thorough analysis is recommended. If SIL < SIL 4, the flowchart loop is finished. Note that the screening criterion in this case is SIL > 3, and the criterion should be adapted to the situation at hand. In some cases SIL > SIL 2 is more applicable.

Step 13: Calculate mitigated event likelihood (MEL)

The last step is to calculate the mitigated event likelihood, f_MEL,i. This is the frequency of the consequence in events per year, after the SIF has been implemented. The selected SIL is multiplied by the intermediate event likelihood to obtain the mitigated event likelihood, as Equation 4.4 shows.

$$f_{MEL,i} = f_{IEL,i} \cdot \text{SIL} \qquad (4.4)$$

The calculation is done for all rows in the LOPA worksheet related to the impact event concerned. Note that the mitigated event likelihood is the same as the TMEL if the exact number of the calculated SIL is employed. It then serves as a check of whether the acceptable risk is satisfied or not with the currently calculated SIL.

This is the last step in the LOPA procedure. If there are more impact events, these shall be evaluated. The analysis team then goes back to the pick impact event phase, but this is not implemented in the flowchart. The team usually continues the analysis until all process deviations from the HAZOP are evaluated.

4.2 Comments to the preferred LOPA approach

The preferred approach is an overall approach considering the planned / existing system without the proposed SIF. As discussed previously, several screening tools exist, but it is chosen to screen by consequence and SIL only. Conducting a risk graph analysis and then initiating a LOPA causes extra work and increased engineering cost.


Only safety aspects have been considered. Usually economic and environmental issues are also evaluated during a LOPA analysis. Such levels may be determined for the SIF, and the highest resulting integrity level chosen. Note that this requires additional acceptance criteria (BP, 2006; Nordhagen, 2007).

In the approach it is chosen to select an impact event before it is screened by severity level. Another possibility is to do this the other way around.

Another issue is how to express and transmit the requirements to the vendors or to the further allocation process. If the LOPA results in a required PFD of 8 · 10^-3, giving SIL 2, and the supplier designs their product with a designed PFD of 1 · 10^-2, the outcome may be that the system does not fulfil the requirements. Important issues that must be covered in the interface work packages by the system vendor are: What is the requirement? How is it expressed?
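Steps 10 to 13 of the preferred approach (Equations 4.1 to 4.4), the band rule of Section 3.6 and the vendor PFD issue just described, carried through in an added Python example. This is not code from the thesis or from any Aker tool; the worksheet rows are constructed from the typical values in Tables 4.1 to 4.3, and the function names and the treatment of exact power-of-ten boundaries are assumptions.

```python
"""LOPA worksheet calculation: Equations 4.1 to 4.4 with SIL banding.

Added example, not code from the thesis or from any Aker tool. The row
values are constructed from the typical numbers in Tables 4.1 to 4.3.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Table 4.1: target mitigated event likelihood (TMEL) per severity level, per year
TMEL = {"CA": 3e-2, "CB": 3e-3, "CC": 3e-4, "CD": 3e-5, "CE": 1e-5}


@dataclass
class WorksheetRow:
    """One initiating cause - impact event pair (one row of the LOPA worksheet)."""
    initiating_cause: str
    frequency: float                 # f_i, initiating cause frequency per year
    # PFD_ij of each credited IPL plus any frequency modifier (occupancy,
    # ignition probability); a layer that gets no credit is entered as 1.
    pfds: List[float] = field(default_factory=list)

    def iel(self) -> float:
        """Equation 4.1: f_IEL,i = f_i * prod_j PFD_ij."""
        result = self.frequency
        for pfd in self.pfds:
            if not 0.0 < pfd <= 1.0:
                raise ValueError(f"PFD {pfd} must lie in (0, 1]")
            result *= pfd
        return result


def total_iel(rows: List[WorksheetRow]) -> float:
    """Equation 4.2: f_IEL,total = sum_i f_IEL,i over the pairs of one impact event."""
    return sum(row.iel() for row in rows)


def required_risk_reduction(severity: str, rows: List[WorksheetRow]) -> float:
    """Equation 4.3: f_TMEL / f_IEL,total, the PFD the new SIF has to achieve."""
    return TMEL[severity] / total_iel(rows)


def sil_from_ratio(ratio: float) -> Optional[int]:
    """Band rule of Section 3.6: ratio >= 1 means no SIF is required (None);
    1 > ratio > 0.1 gives "SIL 0", 0.1 > ratio > 0.01 SIL 1, and so on.
    An exact power of ten goes to the stricter band, as in IEC 61511 (assumption)."""
    if ratio >= 1.0:
        return None
    if ratio > 0.1:
        return 0
    if ratio > 0.01:
        return 1
    if ratio > 0.001:
        return 2
    if ratio > 0.0001:
        return 3
    return 4


def needs_qra(sil: Optional[int], qra_above_sil: int = 3) -> bool:
    """Screen by SIL: the preferred approach starts a QRA for SIL > 3;
    Section 3.6 already does so at SIL 3 (use qra_above_sil=2)."""
    return sil is not None and sil > qra_above_sil


def mitigated_event_likelihoods(rows: List[WorksheetRow], sif_pfd: float) -> List[float]:
    """Equation 4.4 per row: f_MEL,i = f_IEL,i * PFD of the SIF."""
    return [row.iel() * sif_pfd for row in rows]


def meets_target(severity: str, rows: List[WorksheetRow], sif_pfd: float) -> bool:
    """Step 13 check: the summed mitigated event likelihood must not exceed the TMEL.
    A tiny relative tolerance absorbs floating-point noise when sif_pfd is the
    calculated ratio itself."""
    total_mel = sum(mitigated_event_likelihoods(rows, sif_pfd))
    return total_mel <= TMEL[severity] * (1.0 + 1e-9)


# Constructed example: overpressure of a separator, severity CD (Table 4.1).
SEVERITY = "CD"
ROWS = [
    # Pump seal failure, 1e-1 per year (Table 4.2); only the BPCS is credited (1e-1).
    WorksheetRow("Pump seal failure", 1e-1, [1e-1]),
    # Cooling water failure, 1e-1 per year; operator alarm (1e-1) and relief valve (1e-2).
    WorksheetRow("Cooling water failure", 1e-1, [1e-1, 1e-2]),
]


def analyse(severity: str = SEVERITY, rows: List[WorksheetRow] = ROWS) -> dict:
    """Run Steps 10 to 12 and the SIL screening for one impact event."""
    ratio = required_risk_reduction(severity, rows)
    sil = sil_from_ratio(ratio)
    return {"total_iel": total_iel(rows), "ratio": ratio,
            "sil": sil, "qra": needs_qra(sil)}


if __name__ == "__main__":
    result = analyse()
    print(result)   # total IEL 1.01e-2, ratio 2.97e-3, SIL 2, no QRA
    # The vendor issue of Section 4.2: a SIS built to the SIL 2 band limit (1e-2)
    # does not meet the target, while the calculated ratio does.
    print(meets_target(SEVERITY, ROWS, 1e-2), meets_target(SEVERITY, ROWS, result["ratio"]))
```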


Chapter 5

Interface with HAZOP

5.1 Introduction to HAZOP

Table 5.1 presents a typical HAZOP worksheet. HAZOP is a structured way of examining the planned or existing process operation. The objective of a HAZOP study is to identify and evaluate problems that may represent risk to personnel or equipment, or prevent efficient operation. The HAZOP is usually performed early in the design stage, in a multidisciplinary team. The HAZOP meetings / sessions are carried out with a leader, a secretary and team members with process experience. The system is divided into nodes, and each node is evaluated by a set of guidewords and parameters. The results are recorded in a report sheet like the one in Table 5.1. A guideword + a parameter leads to a deviation. The causes are the reasons why the deviation occurs, and the consequences are the results of the deviations. Safeguards have the intention of reducing the frequency of occurrence and / or mitigating the consequences. During the meeting, actions are allocated to the participating parties. These can be technical improvements, but also work tasks (Rausand, 2005). The HAZOP methodology briefly described here is close to how HAZOP is performed by Aker Solutions. Note that the experience and knowledge of the participants are vital in getting a thorough examination.

5.2 HAZOP integration

Traditionally, HAZOP and SIL determination have been two separate sessions. They both require much of the same information, and a common database is beneficial, as it results in saved time and cost. Performing the analyses in one session gives savings of up to 30% and a significant improvement in data integrity and manageability (Bingham and Goteti, 2004; ACM Facility Safety, 2004). Software tools to integrate LOPA and HAZOP exist, but Aker Solutions does not employ such programs. Software programs can be used when HAZOP and LOPA are integrated in one session, but also when two sessions are performed. In the following, the relationship between the HAZOP output and the LOPA input is discussed.


Table 5.1: Process HAZOP worksheet adopted from Rausand (2005)

Study title:                 Page:
Drawing no:                  Rev. no.:                 Date:
HAZOP team:                  Meeting date:
Part considered:             Design intent:
Material:                    Activity:                 Source:                 Destination:

Worksheet column              Example row (entries in the order they appear in the worksheet)
----------------------------  ----------------------------------------------------------------
No.                           Separator
Guideword                     High
Element / process parameter   Pressure
Deviation                     Pressure above design pressure
Possible causes               Failure of BPCS, high level, external fire
Consequences                  Release to environment
Safeguards                    Alarm, operator, deluge system
Comments
Actions required              Evaluate new PLs.
Actions allocated to          Joe Johnson (Aker Solutions)


Figure 5.1: Relationship between HAZOP and LOPA worksheets

Figure 5.1 shows the interaction between the HAZOP and LOPA worksheets. LOPA is performed from left to right in the worksheet and receives input from the HAZOP during the analysis. Note that the HAZOP worksheet in the figure is somewhat different from the one presented in Table 5.1, as it incorporates severity level (S) and likelihood (L) of the HAZOP consequence (IEC 61511, 2003; Dowell and Williams, 2005; CCPS, 2001).

If the (process) deviation in the HAZOP is high pressure, the HAZOP consequence could be: release to environment. The impact event would then also be release to environment, because the consequence identified in the HAZOP corresponds to the impact event in LOPA.

The possible causes from HAZOP are the initiating causes in LOPA (Dowell, 1998; IEC 61511, 2003). Further transformation or evaluation of causes and sub-causes may be necessary and should be expected.

The safeguards identified in HAZOP are denoted PLs in LOPA. Note that all IPLs are safeguards, but not all safeguards are IPLs (CCPS, 2001). Which IPLs to include, and in which column in the LOPA worksheet they should be implemented, requires evaluation. The actions required column in the HAZOP worksheet may include many things, e.g. new recommended safeguards and work tasks. New recommended safeguards could either be modifications to existing PLs and design, or new protection layers, e.g. SIFs (CCPS, 2001). In Figure 5.1 the arrows are blue and dotted, which indicates that the information from the columns including safeguards and actions required cannot be transformed directly.

The HAZOP consequence severity ranking (S) and the HAZOP consequence likelihood (L) can be transformed to LOPA, where impact event severity level and initiating cause frequency are the applicable terms with associated columns (Dowell and Williams, 2005). The HAZOP worksheet does not necessarily include these columns. There are several views on which columns are included in the HAZOP, according to what the organization or author prefers. The HAZOP may either include severity ranking and likelihood of the HAZOP consequence, or just the severity ranking. Another possibility is that the HAZOP has none of these, as in Table 5.1. This makes it difficult to know how this part of the interface will be. If the HAZOP worksheet has both the severity and likelihood ranking, it is not certain that this categorization is used, adding another issue to the current problem. These issues must be evaluated prior to a LOPA, and the blue dotted lines in Figure 5.1 indicate that evaluation is needed when transferring data to LOPA. It is suggested that the same risk matrix is used for HAZOP as for the LOPA, with related risk acceptance criteria. At least the severity ranking should be identical, because the initiating cause frequencies in LOPA usually are obtained from tables and / or expert judgment. In BP (2006) such a common risk matrix including risk acceptance criteria is presented.

5.3 Adjustments and transformation of data

It might be that only limited data are available to the analysis team. This requires the analysis team to make adjustments. In Section 3.4 and Chapter 4 the initiating cause frequency was represented as a number of occurrences per year. The frequency from the data source may be expressed in occurrences per hour or per minute. Sometimes the data are not even given as a frequency, but as a PFD. Examples are human error in executing a task or a crane load drop. If the frequency is expressed in the wrong unit, the team has to scale the data to get the correct frequency. When only a PFD is available, the PFD has to be multiplied by the number of demands per year to get the wanted frequency (CCPS, 2001).

Another issue is when only general industry data are available. General data should be adjusted to fit the local conditions. This requires an understanding of how the local conditions compare to the general conditions.

In LOPA the numbers are often expressed in orders of magnitude. It is important that the team is consistent when rounding the numerical values (CCPS, 2001).

5.4 HAZOP / LOPA program specification

It is decided to assume that HAZOP and LOPA are divided into two sessions, but that they are adapted to each other to enable a better interface. If HAZOP and LOPA are performed using an integrated software tool, several of the phases in Figure 4.1 may be performed almost automatically, e.g. data gathering and documentation and transformation of data. In addition, the calculation phases are performed more efficiently. The objectives of a HAZOP / LOPA tool are:

• Reduce the time spent on the analysis (typing / rework, data collection, meeting activity, calculations)

• Make it easier to quality check the results, as the calculations / analysis are conducted in real time

• Increased quality of the analyses

Specifications are vital in order to make a consistent and thorough software program. These include what exactly the program has to do, and what characteristics it needs. The basis for the specification is the objectives given above and the previous section. The specification of the proposed HAZOP / LOPA program is as follows:

• HAZOP worksheet cells equal to cells in the LOPA report, and automatic transformation of data. This applies to:

– HAZOP consequence = LOPA impact event

– HAZOP possible causes = LOPA initiating causes

– HAZOP consequence likelihood = LOPA initiating cause frequency (Note: may need adjustment)

– HAZOP consequence severity level = Severity level (Note: may need adjustment)

• Calculate results based on data:

– Intermediate event likelihood

– Mitigated event likelihood

– SIL

• Provide database with risk acceptance criteria

• Interface with additional databases:

– Initiating cause frequency

– PFDs of IPLs

• Automatically include risk acceptance criteria in the calculations

• User interface quality assurance:


– Interactive SIL selection which allows the user to select a SIL by clicking and see the impact on the mitigated event likelihood on the screen

– Rectify erroneous input from user

– Modify input / help to specify the units

– Reminders / pop-up boxes

• Help function with guidelines describing how to implement LOPA. This should include a flowchart, explanation of terms and examples. The help function database should be searchable.

The planned software platform is a Microsoft Excel workbook in combination with Visual Basic (VB) and macros.

5.5 Illustration of software program

To better illustrate how a program could work, the execution is divided into 5 steps. It is important to emphasize that a real program has not been created, only a model / illustration of how it could work. The illustration is shown in Appendix B. Note that the suggested program is a simple program, with the purpose of describing the underlying solutions. No emphasis is put on sophisticated coding.

Step 1 - HAZOP

The cells containing the HAZOP consequences are set equal to the ones that shall contain the impact events. In Excel this could be done either by creating a VB macro which copies the information, or by defining the cell information as equal directly in Excel. The same applies to the possible causes in HAZOP. The risk matrix sheet contains the classification of the HAZOP consequence and impact event severity. The chosen severity level is transferred in the same manner as the HAZOP consequence. To initiate the process of transferring the data, a command button which is constantly visible is placed at the bottom of the LOPA sheet. This is named ”Transfer HAZOP data”, and when clicked the rows containing the data are transferred or copied.

After all the cause and impact event data are transferred, the impact events are screened by severity level. Those impact events that are classified above a certain severity level are colored red, because the initiation of a QRA is suggested. The coding solution is VB in addition to macros.

Some impact events are similar, and combining several impact events may be relevant. This is not taken into account in this program illustration.


Step 2 - Retrieve initiating cause frequency

Next to the command button proposed in Step 1, a command button named ”Implement initiating cause frequency” is placed. When this is clicked the user may choose which cell to implement the value in, and which value to select in the database sheet. The user may also adjust the numbers. This requires more extensive VB coding.

The initiating cause frequency may be given as a PFD. A pop-up box, which appears after the value has been implemented, asks the user to specify additional information if necessary. The number of demands / opportunities per year is such information; this is done to make sure that the correct unit is used. The program adjusts the numbers automatically.

Step 3 - Retrieve IPL PFDs

The same method and coding apply to the IPL PFD selection. When all the PFDs are filled in, the IPL cells that contain no numerical value are given the value 1, so that a layer that is not credited does not reduce the product. This can be realized by an IF statement that checks whether each cell has a value, and fills in the value 1 where it does not.

Step 4 - Calculation

The intermediate event likelihood is calculated directly in Excel by formulas, e.g. 'cell 10' = PRODUCT('cell 4':'cell 9'), the product of the initiating cause frequency, the credited IPL PFDs and the conditional modifiers in the row.

The TMEL is specified in the risk matrix sheet. Depending on the severity level selected, the program enters the corresponding TMEL value in the mitigated event likelihood cell of the LOPA sheet; a simple IF statement can do this automatically. A command button called "Calculate SIL" initiates the SIL calculation. The IELs of all initiating causes related to the same impact event are added: a set of IF statements counts how many rows relate to the same impact event and calculates the total IEL for that impact event. The total IEL for the impact event is divided by the TMEL; the quotient is the required risk reduction factor, from which the needed SIL follows. IF statements containing text strings evaluate the result and print a message to the user in the cell, e.g. "SIL 2" or "No SIS necessary". This part of the program requires extensive VB coding: the program has to remember parameters, use these to locate the correct columns, and write the results to the correct cells.

Step 5 - SIL selection

It is not certain that the calculated SIL is the one the team wants to employ. A command button named "Change SIL" makes an input box appear when clicked. The user may input the wanted SIL or specify the PFD of the SIS. The mitigated event likelihood is then recalculated, and a pop-up box notifies the user whether this PFD fulfills the TMEL requirement.

A screening based on the calculated SIL is beneficial, as higher SILs may require initiation of a QRA. The program may color the entire row if the SIL is higher than a specified limit.

Comments to the illustrated software program

The illustrated program seems reasonable, as it helps the user manage data and perform the needed calculations. In addition it supports the user during the analysis. The help function mentioned in the specification in Section 5.4 is not treated, but is expected to be a vital part of a program. The illustrated program should be evaluated in more detail, and should be extended from a thought program to a real prototype with more advanced coding and a better user interface.

Expert judgment makes up an extensive part of the analysis, and is difficult to incorporate in a program. A software tool that "learns by doing" is beneficial. An example is a program that saves and interprets the possible initiating causes of a HAZOP or LOPA analysis; when a new analysis of a similar system is performed, the information from previous studies becomes available to the user. This is an effective way of facilitating the transfer of experience.


Chapter 6

Case study: Applicability of LOPA

The objective of the study is to apply LOPA to a real system, to illustrate and evaluate the LOPA process described in Chapter 4. First the case and the system concerned are described, then the LOPA approach and results are presented and discussed. Finally, comments and remarks are given.

6.1 Case text

It is assumed that a new SIF may have to be implemented, and the LOPA is performed to evaluate whether this is necessary, and what SIL to assign. The evaluated SIF is assumed not to be in place during the analysis. The topside oil/gas/water separator located on the FPSO is defined as the EUC. Overpressure of the topside separator is evaluated in the case, and the source of the pressure build-up is the reservoir. The case combines a subsea and a topside part, and the case schematic in Figure 6.1 describes a typical SPS and topside separator design. Skarv (BP / Aker E&T) and Morvin (Statoil / Aker Subsea) are two projects with P&IDs built on the same principles as the schematic.

6.2 Introduction to system

The production flows from the well through the X-mas tree (XT), the production choke module and the manifold. From the manifold the flow is led to the riser base and up through a production riser to the FPSO and the separator. The next paragraphs explain the different parts of the system.

FPSO and topside equipment

The flow consists of water, oil and gas, which are segregated in the separator located on the FPSO. The separator has three outlets: two for gas and produced water, and one liquid outlet that goes to the second stage separation process. The topside process control system controls the inlet flow to the separator and consists of a pressure transmitter (PT) and the control valve (CV). The process shutdown valve (PSDV) and the pressure safety transmitter (PST) form the only shutdown possibility topside, denoted PSDtopside. When the PST detects high pressure the PSDV closes. The valve is hydraulically or air operated, and a logic solver interprets the signal from the PST. Usually, additional barriers are located in the turret, but for simplicity these are neglected. A mechanical pressure relief device, the pressure safety valve (PSV), is placed on the separator. This is either a spring-loaded or a pilot operated device that lets gas go to flare if the pressure exceeds a certain limit.

Figure 6.1: SPS and separator schematic

The subsea control unit (SCU) and the hydraulic pump unit (HPU) are located topside on the FPSO. The HPU is basically a pump that supplies hydraulic fluid to the subsea control module (SCM) and the HIPPS control module (HCM), which in turn provide hydraulic pressure to the valve actuators. The SCU includes the logic solver, which interprets the signals from the pressure and temperature transmitters, and two surface power and communications units (SPCU) or circuit breakers.

The umbilical carries electronic signals (to and from the SCU), hydraulics (from the HPU) and scale and hydrate (methanol) inhibitors from the FPSO to the production system on the seabed.

Choke module

The production choke valve (PCV) throttles the flow to control temperature and pressure. The choke module is the process control system located subsea. It is important that the flows from different XTs have the same pressure, to prevent one well from producing into another.

X-mas tree

The XT is an assembly of valves, spools and fittings for the oil well. The downhole safety valve (DHSV) is the valve closest to the reservoir, but it is not used as a shutdown option in case of overpressure. The production master valve (PMV) and the production wing valve (PWV) are the next two valves in the production pipeline, and possible shutdown options. The crossover valve (XOV) is on the annulus service line; it can relieve a potential pressure build-up in the annulus by routing it into the production flow. In addition to the valves described above, the XT provides scale inhibitor and / or methanol inhibitor injection lines. Note that these are neglected in the schematic.

The XT valves are hydraulically held open: the pressure from the fluid column resists a spring force in the valve actuator to keep the valve open. To shut the valve, the hydraulics are bled off and the spring drives the valve to the closed position. The valve is fail safe because it goes to a safe (closed) position in case of a failure (leakage in the hydraulic system, spring collapse, etc.). When closing the valve, the hydraulics may be bled off either in the subsea control module (SCM) or to sea. Another possibility is to turn down the pump in the HPU in order to create a pressure drop.

The subsea control module (SCM), together with the HPU / SCU, makes up the subsea control system. Note that a process control system (like the choke module) controls the flow, while the subsea control system controls valve operation on the XT. The subsea control system contains hydraulics and accommodates two subsea electronic modules (SEMs), which are the electronic part of the control system. When the PTs used as reference detect high pressure, signals are sent to the SEMs, which transform them into a rating. This rating (electronic pulse) is sent to the logic solver in the SCU. If the voting in the logic solver (e.g. 2oo4) decides to initiate a shutdown, initiation signals are sent back to the SEMs. The SEMs control change-over valves that are held electrically. When the logic solver commands a shutdown the valves switch, enabling the hydraulics from the actuator to bleed off in an internal loop in the SCM.

PSDsubsea is initiated automatically, and either the PMV, or the PWV together with the XOV, must be closed. Figure 6.1 shows that the well is isolated by performing at least one of the two shutdown options. Usually, both options are used during a PSDsubsea shutdown. The PT / TT downstream of the PCV are used as reference; if high pressure is experienced at this point the PSD is initiated.

HIPPS

The HIPPS is located on the manifold. The manifold is an arrangement of piping and valves designed to control, distribute and monitor the flow. Several XTs may be mounted directly on the manifold, or be placed as satellite trees. The manifold has inhibitor injection lines and a pipeline inspection gauge (PIG) launcher, to prevent hydrate formation.

The objective of the HIPPS is to protect the pipeline from the manifold to the FPSO. It has its own control system, the HIPPS control module (HCM), which is similar to the SCM. Note that the HCM is independent of the SCM. HIPPS shutdown is initiated automatically: the two HIPPS valves on the manifold are closed if high pressure is experienced by the PT / TT between the valves or downstream of the valves. Another possibility is that one set of transmitters controls one HIPPS valve and the other set the second HIPPS valve.

6.3 LOPA applied on the case study

In this section the LOPA procedure applied to the system is described, using the process in Figure 4.1 as the approach. The spreadsheet used in the study is presented in Appendix C.

The acceptance criteria are as in Table 4.1. The severity level is categorized as CC, which is 1 to 3 fatalities. The screening criteria show that the impact event is within the scope of LOPA, and no QRA is initiated at this stage of the analysis.


Experts were involved in the hazard identification study, and all members involved in the LOPA, as well as in the previous studies, fulfill the competency requirements. The HAZOP performed prior to the LOPA is assumed well documented and sufficient, and its data adjusted to fit the LOPA analysis.

Initiating causes

Fluid slug congestion, choke control error due to human error, and choke collapse are the initiating causes identified. Slug congestion is accumulation of fluid / hydrates / scale leading to a blockage and pressure build-up upstream of the blockage point. When this substance yields, the fluid accelerates and creates overpressure in the separator. Choke collapse is most likely a hardware valve failure, e.g. fatigue. Choke control error is erroneous operation of the choke control, where the operator makes the wrong response or fails to act at all. All these initiating causes lead to potential overpressure of the separator. The initiating cause frequencies are found from tables, and the chosen values are shown in Table 6.1.

Table 6.1: Initiating cause frequencies

Initiating cause | Data source | Frequency
Fluid slug congestion | Expert judgment / Ormen Lange | 5 times per year
Choke control, human error | BP / CCPS | 1·10^-1 per opportunity to act
Choke collapse / error | OREDA | 11.3 per 10^6 hours

The frequency of slug congestion differs from field to field, and depends on the composition of the fluid and the field construction. In the Ormen Lange project 5 demands per year were identified by expert judgment, which is assumed applicable here. The human error (choke control) is assumed to be a routine task. To estimate its frequency, the value in the table has to be multiplied by the number of opportunities / demands per year. The choke task is assumed to be executed approximately 20 times per year, giving a frequency of 0.1 · 20 = 2 times per year for this initiating cause. The OREDA estimate is given per hour, and assuming 8760 hours per year gives a frequency of 11.3·10^-6 · 8760 ≈ 9.9·10^-2 per year.

IPLs - general considerations

In the next section it is described and discussed what protection layers exist, and which of these can be credited as IPLs.

The PL criteria are presented, and the definition of IPL clarified, in Section 3.2. The risk reduction and availability requirements are easy to assess. The four characteristics, especially independence, are more difficult to prove. The key issue is to clarify what lies in the term independent. Can the IPLs share components, or do they have to be totally redundant? CCPS (2001) states that the independence requirement demands that the IPL be independent of the occurrence and consequences of the initiating event, and of the failure of any component of an IPL already credited. Two approaches (A and B) are suggested, where B allows IPLs to physically share components and A forbids this configuration. Approach B rests on the assumption that the logic solver will not be the source of failure, since detectors and final elements fail more frequently. If two IPLs share the same sensor(s) or final element(s), neither approach justifies crediting more than one IPL. Note that approach A eliminates a larger share of CCFs.

IPLs in the system

The system has the following protection layers:

• Topside PSD (closing PSDV)

• PSV (mechanical relief device)

• HIPPS

• Subsea PSD (closing PMV and / or: PWV and XOV)

• BPCSsubsea (PCV)

• BPCStopside (CV)

BPCS is referred to as the process control system in the introduction to the system. Whether and when these can be credited as IPLs must be evaluated. The BPCSsubsea, which has the PCV as its actuating item, is not independent when the initiating cause is collapse of this valve. The PCV also shares the same PT and TT as the subsea PSD. These two are not independent of each other, and both cannot be credited as IPLs. The question that arises is which system to credit. The most rational choice is to credit the PSD, but this should be evaluated for the different initiating causes.

The PSV is credited as an IPL. It is independent, as it shares no components with any other protection layer. It is also independent of the initiating causes, and of high reliability.

The requirement and credited risk reduction of the PSD functions may vary. The equipment vendor (e.g. the valve manufacturer) must document the performance of the valves in terms of SIL. This is documented in the safety analysis report (SAR), which is part of an overall document called the safety requirements specification (SRS). The contractor (e.g. Aker E&T and Aker Subsea) often presents requirements to the equipment vendor, which must be verified. To save time on documentation the equipment vendor certifies the equipment, which then becomes SIL-certified. Usually the PSD functions are given credit within the SIL 1 interval, which is a PFD between 0.1 and 0.01. The conservative choice, which is often used, is to credit the PSDs as SIL 1. Another option is to use OLF 070, which requires minimum SIL 2 for PSD functions. In the present case it is chosen to credit both the topside and the subsea PSD as SIL 1 risk reduction.

Table 6.2: IPL PFDs

IPL | Data source | PFD
PSV | CCPS table | 1·10^-2
Topside PSD (PSDV) | BP / Aker Solutions | 0.1 (SIL 1)
Subsea PSD | BP / Aker Solutions | 0.1 (SIL 1)
BPCSsubsea (PCV) | CCPS table / BP | 1·10^-1
BPCStopside (CV) | CCPS table / BP | 1·10^-1
HIPPS | BP / Aker Solutions | 5·10^-4 (SIL 3)

The HIPPS and the subsea PSD have different PTs and actuating items, but they share the same HPU / SCU. The XT and HIPPS valves go to safe state if the HPU / SCU fails to provide hydraulic pressure, so the only way this unit can cause a dangerous failure is if the logic solver in the SCU fails such that the system does not initiate shutdown when one is needed. The issue that arises is how strict the independence requirement should be, and which of the two approaches presented in the previous paragraph to use. Even though they share the logic solver, both lead to risk reduction. On this basis approach B, described in the previous section, seems fair to use.

It is important to emphasize that a PL can be an IPL for one initiating cause - impact event pair and not for another. The IPL PFDs come from different data sources, and Table 6.2 shows the selected values.
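To make the independence screening above concrete, here is an added example (not code from the thesis or from Aker) that encodes each protection layer of the case as a set of sensors, logic / hydraulic supply and final elements, and credits layers under the two readings of independence discussed above: approach A rejects any shared component, approach B tolerates a shared logic solver / HPU / SCU but not shared sensors or final elements. Component names (PST, PSDV, HPU/SCU, PT/TT downstream PCV, choke operator and so on) are labels assumed from the system description, and the order in which layers are listed expresses the preference that the PSD is credited before the BPCS it shares transmitters with. Response-time and location arguments, which the pair discussions below also use, are not modeled here.

```python
"""Independence screening of protection layers (added example; not the thesis's code).

Approach A: an IPL may share no component with the initiating cause or with an
already credited IPL.  Approach B: a shared logic solver / HPU / SCU is tolerated,
shared sensors or final elements are not.  Component names are assumed labels."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    sensors: frozenset
    logic: frozenset            # logic solvers, control modules, hydraulic supply
    final_elements: frozenset
    pfd: float

    def components(self) -> frozenset:
        return self.sensors | self.logic | self.final_elements

    def field_components(self) -> frozenset:
        """Sensors and final elements: what approach B still requires to be unshared."""
        return self.sensors | self.final_elements


def credit_ipls(layers, failed_by_cause, approach="B"):
    """Walk the layers in the caller's order of preference and credit each one that is
    independent of the initiating cause and of everything credited before it.
    Returns (credited layers, {rejected name: reason})."""
    failed_by_cause = frozenset(failed_by_cause)
    credited, rejected = [], {}
    for pl in layers:
        shared = pl.components() & failed_by_cause
        if shared:
            rejected[pl.name] = f"shares {sorted(shared)} with the initiating cause"
            continue
        for c in credited:
            if approach == "A":
                shared = pl.components() & c.components()
            else:
                shared = pl.field_components() & c.field_components()
            if shared:
                rejected[pl.name] = f"shares {sorted(shared)} with credited IPL {c.name}"
                break
        else:
            credited.append(pl)
    return credited, rejected


# Case-study layers in order of preference (the PSD is preferred over the BPCS it
# shares transmitters with).  Component names are assumed labels, not from the thesis.
CASE_LAYERS = [
    ProtectionLayer("PSV", frozenset(), frozenset(), frozenset({"PSV"}), 1e-2),
    ProtectionLayer("HIPPS", frozenset({"HIPPS PT/TT"}), frozenset({"HCM", "HPU/SCU"}),
                    frozenset({"HIPPS valve 1", "HIPPS valve 2"}), 5e-4),
    ProtectionLayer("Topside PSD", frozenset({"PST"}), frozenset({"topside logic solver"}),
                    frozenset({"PSDV"}), 0.1),
    ProtectionLayer("Subsea PSD", frozenset({"PT/TT downstream PCV"}),
                    frozenset({"SCM", "SEM", "HPU/SCU"}), frozenset({"PMV", "PWV", "XOV"}), 0.1),
    ProtectionLayer("BPCS subsea", frozenset({"PT/TT downstream PCV"}),
                    frozenset({"SCM", "HPU/SCU", "choke operator"}), frozenset({"PCV"}), 0.1),
    ProtectionLayer("BPCS topside", frozenset({"PT"}), frozenset({"topside PCS"}),
                    frozenset({"CV"}), 0.1),
]


def credited_names(failed_by_cause, approach="B"):
    """Names of the layers credited for a cause that has defeated the given components."""
    credited, _ = credit_ipls(CASE_LAYERS, failed_by_cause, approach)
    return [pl.name for pl in credited]


if __name__ == "__main__":
    cases = [("choke control human error", {"choke operator"}),
             ("PCV collapse", {"PCV"}),
             ("slug congestion", set())]
    for cause, failed in cases:
        for approach in ("A", "B"):
            credited, rejected = credit_ipls(CASE_LAYERS, failed, approach)
            print(f"{cause} / approach {approach}: credited {[c.name for c in credited]}")
            for name, why in rejected.items():
                print(f"    not credited: {name}: {why}")
```

Under approach B the human-error pair credits the five layers listed for pair 1 below, while approach A drops the subsea PSD because it shares the HPU / SCU with the already credited HIPPS; with no component defeated by the cause, the BPCSsubsea is still rejected for sharing its PT / TT with the subsea PSD, which is the page's "credit the PSD" decision made explicit.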

Occupancy factor and ignition probability

Occupancy and ignition probability are included in the IPL columns of the LOPA worksheet, but by definition they are not IPLs. It is assumed that 3 operators do rounds and that the area is occupied 30 % of the time, giving an occupancy factor of 0.3. The ignition probability depends on the pressure and the type of fluid: a flammable fluid at high pressure has a higher ignition probability than a less flammable fluid at low pressure. A common classification is 1 if the fluid is self-igniting, 0.3 if the fluid is easily ignitable and 0.1 if it is a stable fluid. The fluid is a mixture of oil, gas and water. It is assumed to be easily ignitable but not self-igniting, and an ignition probability of 0.5 is chosen.

Analogy to Section 3.2: Relation between terms

Figure 6.2 is related to the figure in Section 3.2 and shows the initiating causes, process deviation, impact event and PLs based on the case description.


Figure 6.2: Relation between initiating causes, impact event, process deviationand PLs

Initiating cause - impact event pair 1: Choke control human error - overpressure

The operator controlling the PCV has already failed, and the PCV cannot be credited. Another question is whether the topside BPCS can be credited when the operator and the BPCSsubsea fail. The topside BPCS has sensors and actuating items topside, far from the PCV located subsea. It is assumed that even if the operator is involved in the failure of the PCV, the topside BPCS will still function. The credited IPLs are:

• Topside PSD (PSDV)

• PSV (mechanical relief device)

• HIPPS

• Subsea PSD

• BPCStopside (CV)

The intermediate event likelihood for this pair is (frequency 2 per year, then the five IPL PFDs, then the conditional modifiers):
Initiating cause frequency · PFD_CV · PFD_HIPPS · PFD_PSDV · PFD_subseaPSD · PFD_PSV · occupancy · ign. prob. = 2 · 0.1 · 5·10^-4 · 0.1 · 0.1 · 1·10^-2 · 0.3 · 0.5 = 1.5·10^-9 per year

Initiating cause - impact event pair 2: PCV collapse - overpressure

When the PCV fails, does this influence the performance of the subsea PSD? If the PCV fails due to an SCU error it is expected that the subsea PSD will not function, as they have this component in common. But it is more likely that the PCV fails due to a valve hardware failure. Another issue is the response time. It is not certain that the PSD is able to prevent a pressure build-up, given the short distance between the XT valves and the choke module. There are several ways to interpret these issues. It is chosen not to credit the subsea PSD, because of the response time. The IPLs given credit are:

• Topside PSD (PSDV)

• PSV (mechanical relief device)

• HIPPS

• BPCStopside (CV)

The intermediate event likelihood for this pair is:
Initiating cause frequency · PFD_CV · PFD_HIPPS · PFD_PSDV · PFD_PSV · occupancy · ign. prob. = 9.9·10^-2 · 10^-1 · 5·10^-4 · 0.1 · 10^-2 · 0.3 · 0.5 = 7.42·10^-10 per year

Initiating cause - impact event pair 3: Slug congestion - overpressure

Which PLs to credit depends on where the slug congestion occurs. PLs with actuating items upstream of the blockage point have no function. If the blockage point is upstream of the PSDV and downstream of the riser base, the HIPPS, PCV and PSD will not be able to eliminate the hazard: the fluid column between the blockage point and the valves will still provide pressure even if the valves close. The only way to eliminate the pressure would be some sort of bypass line in the system. Another issue is whether the protection layers downstream have time to act. In the situation described the BPCStopside (CV) probably does not have time to act. The blockage point considered is upstream of the PSDV and downstream of the riser base, and the only IPLs given credit are:

• Topside PSD (PSDV)

• PSV (mechanical relief device)

The intermediate event likelihood for this pair is:
Initiating cause frequency · PFD_PSDV · PFD_PSV · occupancy · ign. prob. = 5 · 0.1 · 10^-2 · 0.3 · 0.5 = 7.5·10^-4 per year

Sum up intermediate event likelihood for all pairs

The intermediate event likelihoods for the three initiating cause - impact event pairs are summed. The total intermediate event likelihood is 7.5·10^-4 per year. The third pair contributes almost all of the total, and the frequencies associated with the other two have negligible effect.


Target risk measurement, SIL determination and mitigated event likelihood

Compared to the TMEL the first two pairs are within the acceptable region, because 1.5·10^-9 and 7.42·10^-10 are less than 3·10^-5. The total intermediate event likelihood is greater than the TMEL for the entire scenario leading to the end consequence (7.5·10^-4 > 3·10^-5). This implies that a SIL must be determined. By Equation 4.3 the necessary risk reduction corresponding to the needed SIL is:

Necessary risk reduction = TMEL / total IEL = 3·10^-5 / 7.5·10^-4 = 4·10^-2

The question is now what SIL to set as the requirement. The necessary risk reduction of 4·10^-2 lies between 10^-2 and 10^-1, which is the SIL 1 band; but a SIL 1 system is allowed a PFD as high as 10^-1, which would not meet 4·10^-2. A conservative approach is chosen and SIL 2 is set as the requirement.

The next question is what PFD value the SIL 2 requirement constitutes, i.e. what requirement to pass on to the SIS vendor. A SIL number alone is not sufficient: a system with a PFD of 5·10^-2 (within the SIL 1 band) would not be safe enough, since 5·10^-2 > 4·10^-2. To avoid this, an explicit PFD requirement of 1·10^-2 is set in addition. The final requirement is SIL 2, where the new safety system must have a specific PFD ≤ 1·10^-2.

The chosen PFD requirement is entered in the worksheet, and the mitigated event likelihood is calculated (7.5·10^-4 · 10^-2 = 7.5·10^-6 per year, below the TMEL of 3·10^-5). All values are within the requirements, and the analysis is finalized.
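The arithmetic of Section 6.3, and the Step 2 to Step 5 logic of the illustrated program in Chapter 5 (unit conversion of initiating cause frequencies, the IEL product per pair, summation per impact event, necessary risk reduction from Equation 4.3, SIL band selection and the "Change SIL" check against the TMEL), as one added Python example that is not part of the thesis or of any Aker tool. Values are those of Tables 6.1 and 6.2, the occupancy factor 0.3, ignition probability 0.5 and TMEL 3·10^-5 per year quoted above; the IEC 61508 low-demand PFD bands (SIL n: 10^-(n+1) ≤ PFD < 10^-n) are assumed, and the function and field names are this example's own.

```python
"""LOPA worksheet arithmetic for one impact event (added example; not the thesis's code).

Initiating-cause frequencies are normalised to per year, IEL = frequency x
product(credited IPL PFDs) x conditional modifiers, and the necessary risk
reduction is TMEL / total IEL (Equation 4.3 as quoted on the page).  The SIL
bands are the IEC 61508 low-demand PFDavg bands assumed by the text."""
from dataclasses import dataclass
from math import prod

HOURS_PER_YEAR = 8760.0  # the conversion the text uses for the OREDA figure


def per_year_from_per_opportunity(p_per_opportunity: float, opportunities_per_year: float) -> float:
    """A probability per opportunity to act (e.g. human error) becomes a frequency per year."""
    return p_per_opportunity * opportunities_per_year


def per_year_from_per_million_hours(rate_per_1e6_hours: float) -> float:
    """An OREDA-style rate per 10^6 hours becomes a frequency per year."""
    return rate_per_1e6_hours / 1e6 * HOURS_PER_YEAR


@dataclass
class Pair:
    """One initiating cause / impact event pair and the IPLs credited for it."""
    initiating_cause: str
    frequency_per_year: float
    credited_pfds: dict        # IPL name -> PFD; a layer not credited is simply absent (PFD 1)
    occupancy: float = 1.0     # conditional modifiers, not IPLs
    ignition: float = 1.0

    def iel(self) -> float:
        """Intermediate event likelihood per year."""
        return (self.frequency_per_year * prod(self.credited_pfds.values())
                * self.occupancy * self.ignition)


def total_iel(pairs) -> float:
    """IELs of pairs sharing the same impact event are summed (Step 4 of the program)."""
    return sum(p.iel() for p in pairs)


def necessary_risk_reduction(tmel: float, total: float) -> float:
    """Required PFD of the new SIF (Equation 4.3); >= 1 means the TMEL is already met."""
    return tmel / total


def conservative_sil(required_pfd: float):
    """Lowest SIL whose band upper bound guarantees the required PFD.

    Returns 0 when no SIS is necessary and None when even SIL 4 would not do
    (outside LOPA: redesign or QRA).  A required PFD of 0.04 lies inside the
    SIL 1 band, but a SIL 1 device may have a PFD up to 0.1, so SIL 2 is returned."""
    if required_pfd >= 1.0:
        return 0
    for sil in (1, 2, 3, 4):
        if 10.0 ** -sil <= required_pfd * (1 + 1e-9):   # tolerance for floating-point quotients
            return sil
    return None


def meets_tmel(total: float, sif_pfd: float, tmel: float) -> bool:
    """The 'Change SIL' check: mitigated event likelihood with the chosen SIF PFD vs. the TMEL."""
    return total * sif_pfd <= tmel


def case_study() -> dict:
    """The three pairs of Section 6.3 with the values of Tables 6.1 and 6.2."""
    pfd = {"PSV": 1e-2, "Topside PSD": 0.1, "Subsea PSD": 0.1, "BPCS topside": 0.1, "HIPPS": 5e-4}
    occ, ign, tmel = 0.3, 0.5, 3e-5   # occupancy, ignition probability, TMEL for severity CC
    pairs = [
        Pair("Choke control human error",
             per_year_from_per_opportunity(0.1, 20),              # 2 per year
             {k: pfd[k] for k in ("BPCS topside", "HIPPS", "Topside PSD", "Subsea PSD", "PSV")},
             occ, ign),
        Pair("PCV collapse",
             per_year_from_per_million_hours(11.3),               # 9.9e-2 per year
             {k: pfd[k] for k in ("BPCS topside", "HIPPS", "Topside PSD", "PSV")},
             occ, ign),
        Pair("Slug congestion",
             5.0,                                                 # expert judgment (Ormen Lange)
             {k: pfd[k] for k in ("Topside PSD", "PSV")},
             occ, ign),
    ]
    total = total_iel(pairs)
    required = necessary_risk_reduction(tmel, total)
    return {
        "iel": {p.initiating_cause: p.iel() for p in pairs},
        "total_iel": total,
        "required_pfd": required,
        "sil": conservative_sil(required),
        "sil2_pfd_ok": meets_tmel(total, 1e-2, tmel),   # the PFD <= 1e-2 passed to the vendor
        "sil1_pfd_ok": meets_tmel(total, 5e-2, tmel),   # a device at 5e-2 would not do
    }


if __name__ == "__main__":
    for key, value in case_study().items():
        print(key, value)
```

Running it reproduces the page's numbers: IELs of 1.5·10^-9, 7.4·10^-10 and 7.5·10^-4 per year, a required PFD of 4·10^-2, SIL 2 as the conservative choice, and the check that a SIF with PFD 1·10^-2 meets the TMEL while one at 5·10^-2 does not. The mapping in conservative_sil is the step the spreadsheet's IF statements would have to encode; the tolerance factor avoids a required PFD of exactly 10^-2 being bumped to SIL 3 by floating-point rounding.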

6.4 Comments to the result

The LOPA identified that a SIS performing a new SIF had to be introduced, and assigned a SIL to this function. Improvements could instead have been made to the existing system, e.g. improving the risk reduction provided by the existing IPLs. Another approach could have been to make some of the PLs not credited as IPLs more independent. Introducing a new SIF could then have been avoided. The PSDs were credited as SIL 1 risk reduction; had they been credited as SIL 2, the final SIL of the new SIF would have been SIL 1.

It is debatable whether the topside BPCS should have been included at all; it is not included on the separator in the Skarv project. Its contribution to the final LOPA result is negligible, because the intermediate event likelihoods of the pairs where the topside BPCS is credited as an IPL are well below the TMEL.


6.5 Implications during the case

In this section the implications encountered during the case are discussed. This throws light on the shortfalls of the preferred approach presented in Chapter 4 and illustrated in Figure 4.1, and on LOPA in general.

Most of the phases in Figure 4.1 were easy to apply, but some complications were encountered during the analysis. The initiating cause frequency of slug congestion could not be found in the tables. Expert judgment was necessary, which emphasizes the need for a database and exchange of experience, as discussed in Section 5.5.

Whether the IPLs were independent or not was a considerable issue during the case. This reached deep into the valve control system, and extensive system understanding seems necessary. The independence requirement is also hard to interpret, because it is difficult to know how strictly it should be followed. Exchange of experience and more guidelines are needed to make this part of the analysis easier.

What value to use as ignition probability was not intuitive, and a classification and guideline should have been included in the approach in Chapter 4. LOPA requires knowledge, and the team composition is important for a satisfactory result. When the necessary risk reduction was calculated, some effort was required to evaluate the result. This could have led to problems; knowledge of the process, of how LOPA works and of the laws of probability is essential.

During the analysis an error was made when converting failure data from OREDA. This was corrected, but the incident underlines the importance of quality assurance and of the transformation process in an eventual software tool, as mentioned in Section 5.5. The overall impression is that the preferred approach in Chapter 4 is clear and applicable. Linking it with a software tool as described in Section 5.5 makes the LOPA procedure more efficient and provides useful features.

Process experience, understanding of LOPA and knowledge of general reliability and probability are success factors in making LOPA efficient and robust.


Chapter 7

Conclusions and recommendations for further work

Both qualitative and quantitative SIL determination methods and tools may be applied during phase four of the IEC safety life cycle (Figure 1.1). The quantitative method in IEC 61508, the OLF 070 guideline, the risk matrix, the safety layer matrix, the risk graph and the calibrated risk graph are the SIL determination methods that have been described in addition to LOPA. In qualitative methods the parameters used as decision basis are subjective and estimated by expert judgment. Quantitative methods describe the risk by calculation, and the result is compared with a numerical target value. Which method to apply relies primarily on whether the necessary risk reduction is specified numerically or qualitatively. The scope and extent of the analysis is also an influencing factor. Even if the assignment method is qualitative, the SIL is always expressed as a number.

The main objective of this thesis has been to gain knowledge of SIL determination tools, with LOPA as the main focus. This is accomplished. The sub-objectives of the report are listed below, and the coverage and findings concerning each objective are discussed.

• Literature survey and different approaches to LOPA found in the literature.

A literature survey has been carried out, and different methodologies and approaches in the literature have been presented and discussed. In particular, the IEC 61511 approach, the Aker E&T approach and the approach in CCPS (2001) have been covered. The guideline in BP (2006) seems reasonable and should have been covered to a greater extent. Most methodologies and approaches have a similar basis, but use different terms and a different sequence. Another distinction is how the SIL is incorporated and evaluated: the process design can be evaluated "as is", or with a new protection layer (e.g. a SIF) implemented in the evaluation. Some authors also use screening tools, e.g. a risk graph, prior to or embedded in the LOPA process.

Compared to the approaches discussed in Section 3.5, the Aker E&T LOPA approach is an overall methodology that does not take the proposed SIF implicitly into account. Often the customer's methodology (e.g. Statoil's or BP's) also forms the basis for the analysis. ISO 10418 (2003) helps the design team implement safety functions in the P&IDs for the system concerned, and after all hazard identification is finished the LOPA is initiated. The further approach is similar to the approach presented in IEC 61511 (2003).

• Recommended LOPA approach

A stepwise preferred (recommended) approach has been developed and each step described. The approach is clear, and all basic concepts are clarified. In the case study in Chapter 6 the need for more guidelines on how to credit IPLs was identified, and this part needs to be improved. The preferred approach is an overall approach considering the planned / existing system without the proposed SIF. Several screening tools exist, but it is chosen to screen by consequence and SIL only. Conducting a risk graph analysis and then initiating a LOPA causes extra work and increased engineering cost. The approach is shown in Figure 4.1.

• Interfaces between LOPA and other risk analysis methods.

Interfaces between LOPA and HAZOP have been identified, but other risk analysis methods have not been covered. Information in columns such as consequence and possible causes in the HAZOP worksheet can be transferred directly to the LOPA worksheet. Information in the other columns may require transformation; this includes IPL PFD data and initiating cause frequencies.

The thoughts behind a software tool for transferring, facilitating and adjusting data have been presented. This includes a program specification and a simple illustration of a thought software program. The illustrated program is based on automatic data transfer from the HAZOP, from IPL PFD and initiating cause frequency databases, and from a risk matrix including the acceptance criteria. Linking all these with a LOPA worksheet gives the outline of the program. The illustrated program shown in Appendix B seems reasonable, but should be evaluated in more detail. Expert judgment makes up an extensive part of the analysis, and a program that "learns by doing" is beneficial. An example is a program with a database of previous analyses that presents earlier information when a new analysis is performed, e.g. possible initiating causes for a specific type of valve.

• Discuss pros and cons related to LOPA

Advantages and disadvantages of LOPA, and especially the limitations of LOPA, have not been covered.


• Discussion of the IPL concept and the applicability of LOPA in cases where the independence is violated

IPL has been defined, exemplified and discussed. In the case study the IPL concept has been applied to a practical system. CCFs have not been covered to a great extent, which should have been the case.

An IPL is defined as: a protection layer that is capable of preventing the process deviation from proceeding to the end consequence regardless of other protection layers associated with the same impact event - initiating cause pair, and regardless of the initiating event. It must provide a risk reduction factor of at least 10, and fulfill the specificity, independence, dependability and auditability criteria. The definition is clear, but it is still uncertain how to apply the IPL concept in practice.

• Compare the applicability of LOPA in determining SIL, and compare LOPA with alternative approaches (incl. risk graphs). If possible, this evaluation should be rooted in a practical case study.

The preferred approach, based on the literature study, has been applied to a combined system based on real systems by Aker Subsea and Aker E&T. The preferred approach was easy to use, but as mentioned the IPL concept was difficult to apply. Where to draw the line between a component being independent or not was the key issue throughout the case study. The case concluded that process understanding and knowledge of basic reliability concepts are important.

This thesis may give some readers a clearer understanding of LOPA. The sections explaining and clarifying terms, and the IPL discussion in the case study, may be a contribution to the LOPA discussion.

Still, many of the issues need to be clarified, and further work is recommended. Specific recommendations for further work are:

• More in-depth analyses of CCFs and IPLs.

– What is the effect of not considering CCFs?

– Guideline describing the concept of IPL for different systems, with an extended definition of IPL.

• HAZOP integration software tool prototype that includes advanced functions which incorporate expert judgment and previous analyses.

• Combined framework of LOPA and HAZOP including a common terminology and worksheet.

• Extend the development of the preferred approach.

– Include risk acceptance criteria development.

– Comparison with the approach in BP (2006).


Bibliography

ACM Facility Safety (2004). HAZOP / SIL analysis item and cost comparison - Traditional way vs. integrated SILCore approach. Advertorial, Safety Users Group. Retrieved on 03.04.08 from internet address: http://www.safetyusersgroup.com/documents/AD040001/EN/AD040001.pdf

ACM Facility Safety (2006). SIL Determination Techniques Report. White Paper. Retrieved on 30.02.08 from internet address: http://www.iceweb.com.au/sis/ACMWhite-PaperSILDeterminationTechniquesReportA4.pdf

Baybutt, P. (2007). An improved Risk Graph Approach for Determination of Safety Integrity Levels (SILs). Process Safety Progress, 26:66–76.

Bingham, K. and Goteti, P. (2004). Integrating HAZOP and SIL / LOPA analysis: Best practice recommendations. ISA (The Instrumentation, Systems, and Automation Society) 2004.

BP (2006). Guidance on Practices for Layer of Protection Analysis (LOPA). British Petroleum procedure: Engineering Technical Practice (ETP) GP 48-03, 1st edition.

CCPS (2001). Layer of protection analysis - simplified process risk assessment. American Institute of Chemical Engineers (AIChE), Centre for Chemical Process Safety (CCPS). 3 Park Avenue, New York.

Dowell, A. (1998). Layer of protection analysis for determining safety integrity level. ISA Transactions, 37:155–165.

Dowell, A. and Williams, T. (2005). Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data. Process Safety Progress, 24:38–44.

Ellis, G. and Wharton, M. (2006). Practical experience in determining safety integrity levels for safety instrumented systems. Symposium Series No. 151, IChemE.

Gowland, R. (2006). The accidental risk assessment methodology for industries (ARAMIS) / layer of protection analysis (LOPA) methodology: A step forward towards convergent practices in risk assessment? Journal of Hazardous Materials, 130:307–310.


Harsem Lund, K. (2007). Alternative måter for SIL fastsettelse - en sammenligning (LOPA, Risk graf, OLF 070). In PDS forum, Trondheim. Scandpower, Kjeller.

IEC 60300-3-9 (1995). Dependability management - Part 3: Application guide - Section 9: Risk analysis of technological systems. International Electrotechnical Commission, Geneva.

IEC 61508 (2003). Functional safety of electrical/electronic/programmable electronic safety-related systems. International Electrotechnical Commission, Geneva.

IEC 61511 (1998-2003). Functional safety - safety instrumented systems for the process industry sector. International Electrotechnical Commission, Geneva.

ISO 10418 (2003). Petroleum and natural gas industries - offshore installations - Basic surface process safety systems. International Organization for Standardization, Geneva.

Marszal, E. and Scharpf, E. (2002). Safety Integrity Level Selection - Systematic Methods Including Layer of Protection Analysis. The Instrumentation, Systems, and Automation Society (ISA). Research Triangle Park, NC.

Nordhagen, L. (2007). Bruk av LOPA ved fastsettelse av IL krav, Aker Kværner Engineering & Technology. In PDS forum, Trondheim.

NORSOK Z-013 (2001). Risk and emergency preparedness analysis. Norwegian Technology Centre, Oslo.

OLF 070 (2004). Application of IEC 61508 and IEC 61511 in the Norwegian petroleum industry. OLF.

Rausand, M. (2004). Reliability of safety systems (Slides). Retrieved on 28.02.08 from internet address: http://frigg.ivt.ntnu.no/ross/slides/chapt10.pdf

Rausand, M. (2005). HAZOP - Hazard and Operability Study (Slides). Retrieved on 28.02.08 from internet address: http://frigg.ivt.ntnu.no/ross/slides/hazop.pdf

Rausand, M. and Høyland, A. (2004). System Reliability Theory. Models, Statistical Methods, and Applications. 2nd edition, John Wiley & Sons. Hoboken, NJ.

Schönbeck, M. (2007). Introduction to reliability of safety systems. ROSS (NTNU) report 200702, Technical report, NTNU, ROSS, Trondheim.

Sklet, S. (2006). Safety Barriers on Oil and Gas Platforms. PhD thesis 2006:3, NTNU.


Summers, A. (2003). Introduction to layers of protection analysis. Journal of Hazardous Materials, 104:163–168.

The Dow Chemical Company (2002). Introducing Dow application of layer of protection analysis - LOPA.


Appendix A

Basic concepts

Impact event: The first sign of harm to people, environment or assets.

Independent protection layer: Protection layer that is capable of preventing a process deviation from proceeding to the end-consequence, regardless of other protection layers associated with the same impact event - initiating cause pair, and of the initiating event.

Initiating cause: Direct reason why the process deviation occurs, not the most basic underlying root cause.

Intermediate event likelihood: The intermediate event is the occurrence of the end-consequence with the existing / planned protection layers in place, but without the SIF under consideration. The intermediate event likelihood is the frequency per year of the occurrence of this event.

Mitigated event likelihood: The mitigated event is the occurrence of the end-consequence with all protection layers in place, including the proposed SIF. The mitigated event likelihood is the frequency per year of the occurrence of this event.

Process deviation: The first significant deviation from a normal situation that may lead to unwanted consequences.

Protection layer: Device, system or action that is capable of preventing a process deviation from proceeding to the end-consequence.

Scenario: The development from a process deviation to an impact event, including the causes leading to the process deviation.
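The following is an added worked example, not code from the thesis or from Aker Subsea, that makes the quantities defined above concrete and applies the IPL criteria (risk reduction factor of at least 10, plus specificity, independence, dependability and auditability) discussed in the conclusions. It carries one worksheet row from initiating cause frequency, through the credited IPLs, to the intermediate event likelihood, the required SIF PFD and the corresponding SIL band from IEC 61508 (low-demand mode). All scenario values (frequencies, PFDs, the tolerable frequency, the layer names) are constructed for illustration and are not taken from the case study.

```python
"""Worked LOPA scenario calculation (added example, not from the thesis).

Constructed inputs only: a separator overpressure scenario with an assumed
initiating cause frequency, four candidate protection layers and a
hypothetical tolerable (mitigated) frequency.
"""
from dataclasses import dataclass


# IEC 61508 target failure measures for low-demand mode:
# (SIL, lower PFD bound inclusive, upper PFD bound exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass
class ProtectionLayer:
    """Candidate protection layer with its PFD and the four qualitative IPL criteria."""
    name: str
    pfd: float                # probability of failure on demand
    specific: bool = True     # designed to prevent this scenario's consequence
    independent: bool = True  # independent of the initiating cause and of other layers
    dependable: bool = True
    auditable: bool = True

    def is_ipl(self) -> bool:
        """IPL test as defined in the thesis: RRF >= 10 (PFD <= 0.1) plus the
        specificity, independence, dependability and auditability criteria."""
        return (self.pfd <= 0.1 and self.specific and self.independent
                and self.dependable and self.auditable)


@dataclass
class Scenario:
    """One impact event / initiating cause pair of a LOPA worksheet."""
    name: str
    initiating_frequency: float  # per year
    layers: list                 # candidate protection layers, SIF excluded

    def credited_layers(self) -> list:
        """Only layers passing the IPL test get credit in the worksheet."""
        return [layer for layer in self.layers if layer.is_ipl()]

    def intermediate_event_likelihood(self) -> float:
        """Frequency per year of the end-consequence with the credited IPLs in
        place but without the SIF. Multiplying PFDs assumes the layers are
        independent; common cause failures would invalidate this product."""
        f = self.initiating_frequency
        for layer in self.credited_layers():
            f *= layer.pfd
        return f

    def required_sif_pfd(self, tolerable_frequency: float) -> float:
        """PFD the SIF must achieve for the mitigated event likelihood to meet the criterion."""
        return tolerable_frequency / self.intermediate_event_likelihood()

    def mitigated_event_likelihood(self, sif_pfd: float) -> float:
        """Frequency per year of the end-consequence with all layers, SIF included."""
        return self.intermediate_event_likelihood() * sif_pfd


def sil_for_pfd(required_pfd: float) -> int:
    """Map a required PFD to the SIL band containing it; 0 means no SIF is needed."""
    if required_pfd >= 0.1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= required_pfd < upper:
            return sil
    raise ValueError("required PFD is below the SIL 4 band: add IPLs or redesign")


def overpressure_example() -> Scenario:
    """Constructed scenario: pressure control valve fails open and overpressures a separator."""
    return Scenario(
        name="Separator overpressure on PCV failure",
        initiating_frequency=0.1,  # constructed value, per year
        layers=[
            ProtectionLayer("Operator response to independent high-pressure alarm", pfd=0.1),
            ProtectionLayer("Pressure relief valve", pfd=0.01),
            # Alarm driven by the transmitter of the failed control loop: not independent.
            ProtectionLayer("Alarm on the control-loop transmitter", pfd=0.1, independent=False),
            # Procedural check with RRF of only 2: fails the risk reduction criterion.
            ProtectionLayer("Shift handover check", pfd=0.5),
        ],
    )


if __name__ == "__main__":
    scenario = overpressure_example()
    tolerable = 5e-7  # constructed risk acceptance criterion, per year
    needed = scenario.required_sif_pfd(tolerable)
    print("credited IPLs:", [layer.name for layer in scenario.credited_layers()])
    print(f"intermediate event likelihood: {scenario.intermediate_event_likelihood():.2e}/yr")
    print(f"required SIF PFD: {needed:.2e} -> SIL {sil_for_pfd(needed)}")
```

In the constructed scenario only two of the four candidate layers are credited, which is exactly the line-drawing problem the case study reports: the non-independent alarm and the low-RRF procedural check are listed but contribute no risk reduction, so the SIF has to close the remaining gap between the intermediate event likelihood and the tolerable frequency.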


Appendix B

Software schematic

Legend:
Black circles - User input
Blue circles - Data cell
Red circles - Calculation cell (output cell)
Blue lines - Data path (blue or black circle to red circle)
Pale yellow box - Button
Yellow box - Clicked button


Figure B.1: Step 1


Figure B.2: Step 2


Figure B.3: Step 3


Figure B.4: Step 4


Figure B.5: Step 5


Appendix C

Case study: Worksheet


Figure C.1: LOPA worksheet: Case study
