SYMPOSIUM SERIES NO. 155 Hazards XXI © 2009 IChemE

APPLICATION OF LOPA AND SIL ASSESSMENT TO A NEW COMAH PLANT

Jerry Mullins
Principal Consultant, Abbott Risk Consulting, Manchester, UK

High hazard industries such as those regulated by COMAH face a number of key challenges, including demonstrating that major accident risks are as low as is reasonably practicable (ALARP). The demonstration of ALARP includes calculation of risks and judgement on the need for further risk reduction measures. It also involves showing that safeguards are fit for purpose, that there are adequate layers of protection and that safety-instrumented systems provide the appropriate level of safety (SIL assessment). Techniques for demonstrating that risks are ALARP by means of risk assessment are well established; these methods include the use of risk matrices and full quantitative risk assessment. Risk assessment has also been utilised in defining the required number of layers of protection and the required performance of safety-instrumented functions. The application of robust methods for Layer of Protection Analysis (LOPA) and SIL assessment is particularly important at the design stage, as it is at this stage that there is the greatest opportunity to reduce risks to ALARP. This paper provides an overview of the methods used for a new COMAH plant and illustrates their usage by means of a case study.

KEYWORDS: COMAH, LOPA, SIL

INTRODUCTION

A key requirement of COMAH, and other major accident hazards legislation, is the effective management of risk. Meeting this requirement generally involves the use of some form of risk assessment to demonstrate that the risk is as low as is reasonably practicable (ALARP) and demonstrating that plant meets current good practice in terms of design, construction and operation. Safety-instrumented functions (SIFs), such as trips, alarms and interlocks, are a key component of many systems designed to prevent or control major accident hazards. The challenge of how to ensure that such systems provide the required safety performance has been addressed in the international standards IEC 61508 [ref 1] and IEC 61511 [ref 2]. Both standards require the use of risk assessment to determine a required target failure frequency or Safety Integrity Level (SIL) for each safety-instrumented function (see Table 1).

Table 1. Definition of safety integrity levels

  Safety integrity level   Probability of failure on demand
  1                        0.1 to 0.01
  2                        0.01 to 0.001
  3                        0.001 to 0.0001
  4                        0.0001 to 0.00001

The standards include a number of possible risk assessment techniques which can be used for SIL assessment. The simplest of these methods rely on semi-quantitative risk matrices of event severity and likelihood to assign SIL levels (referred to as Safety Layer Matrices). Another method, which builds on the risk matrix approach, is the so-called Risk Graph, which incorporates additional semi-quantitative judgements on exposure time and the probability of avoiding the hazardous event. Both of these techniques are likely to be suitable for low hazard/low risk plant where the fault sequences are clearly understood. For more complex hazards and/or where the hazards/risks are greater, more quantitative risk assessment is likely to be needed. In these cases, the standards advocate the use of a Layers of Protection Analysis (LOPA) [ref 3] or Fault Tree Analysis.

For new plants, there may be a need to assess a large number of fault sequences and safety-instrumented functions. Therefore, there is likely to be a need for a time-efficient SIL assessment method combined with a need for a robust approach which does not lead to overly conservative assignment of SIL levels, with its associated implications in terms of higher plant design and operating costs. This paper describes the SIL methodology and its application to a proposed new plant on a COMAH top tier site.

CASE STUDY EXAMPLE

The following case study provides an example of the application of the SIL assessment methodology to a new flammable gas recovery and storage plant. At present the flammable gas is flared off. The objective of the proposed plant is to recover and store gas of suitable quality (below 2% v/v oxygen content) as an energy source for various users within the site. The generated gas is to be pulled by an ID fan into a new flare stack. Depending upon the composition, changeover valves within the flare stack will allow the gas either to be vented and flared off or recovered into a gas holder. A simplified block diagram of the plant is shown in Figure 2.

Figure 1. Simplified block diagram for new plant (flammable gas generation plant → induced draft fan → flare stack → flare or gas holder)

The purpose of the SIL assessment study was to allocate SIL values for the safety-instrumented functions and identify, where necessary, additional protection requirements so that the design could be further developed and the project cost defined.

PROCESS HAZARD REVIEW PROCEDURE

A Process Hazard Review (PHR) study was undertaken on the proposed design in order to identify fault sequences using a standard list of guidewords. The PHR study also included an assessment of the risk associated with each fault sequence by application of the company standard semi-quantitative consequence and frequency scoring system as shown in Figure 1.

The allocation of consequence categories was undertaken on the basis of the following general definitions:

Minor consequences: minor injury to worker, off site nuisance.
Serious consequences: single non-major lost time accident, short-term minor effect off site.
Major consequences: single worker major injury or multiple minor injuries, few off site people require hospital treatment.
Extremely serious consequences: one or a few worker fatalities, a few serious off site injuries requiring hospital treatment.
Catastrophic consequences: many worker fatalities, one or a few off site fatalities, many injuries.

The allocation of event frequencies was based on plant experience plus judgement on the effectiveness of the safeguards in place.

Figure 2 also shows how the risk values were ranked. Risks in the "intolerable" region cannot be justified except in extraordinary circumstances. Risks in the "tolerable if ALARP" region are tolerable only if risks are ALARP, i.e. if further risk reduction is impracticable or the cost of improvements is grossly disproportionate to the improvement gained. Within the "broadly acceptable" risk region, risks are judged to be low and no further formal ALARP assessment is required. In accordance with the PHR procedure, all major accident hazards that were ranked as either "intolerable" or "tolerable if ALARP" were assessed using LOPA. The PHR procedure also required that any such fault sequences which included a safety-instrumented function should be subject to SIL assessment.

Figure 2. Risk assessment matrix. Rows (Likelihood): Probable (> 1/yr), Possible (> 10^-2/yr), Unlikely (10^-2 to 10^-4/yr), Very unlikely (10^-4 to 10^-6/yr), Remote (10^-6 to 10^-7/yr). Columns (Outcome): Minor, Serious, Major, Extremely serious, Catastrophic. Three diagonal regions are marked: INTOLERABLE RISK (high likelihood/high severity), TOLERABLE IF ALARP, BROADLY ACCEPTABLE (low likelihood/low severity). Scenarios 1 and 2 of the case study are plotted in the "Possible" row.

LAYERS OF PROTECTION ANALYSIS

In the LOPA analysis, identified protection systems are represented as Independent Protection Layers (IPLs). For simplicity an IPL is assigned in the PHR methodology as equivalent to a 2 orders of magnitude reduction in event frequency, providing three tests are met: independence, effectiveness and auditability (in terms of maintaining the effectiveness of the safeguard). In the LOPA assessment, an IPL would be assigned an IPL value of 1. A risk matrix can be plotted showing consequence category and initiating event frequency along with the required number of safeguards. Figure 3 shows the matrix adopted in this case study. Where a fault sequence has the appropriate number of IPLs then the risk may be considered to be "broadly acceptable" and no further action is required. Otherwise, the priority of the risk reduction is proportionate to the number of required additional IPLs, which in turn is dependent on consequence and frequency. In each case, implementing the required number of additional safeguards will reduce the event frequency such that the fault sequence is in the "broadly acceptable" risk region. The LOPA technique is complementary to the risk matrix approach described above. The former approach is intended to provide a measure of risk for a particular fault sequence taking into account both engineered and administrative safeguards. In contrast, the LOPA approach is intended primarily as an engineering substantiation tool, i.e. determining whether sufficient, robust safeguards are in place to guard against a particular fault sequence.

Figure 3. LOPA assessment – required number of IPLs

  Likelihood \ Outcome                Minor      Serious    Major      Extremely serious  Catastrophic
  Probable (> 1/yr)                   1.0        2.0        3.0        4.0                5.0
  Possible (> 10^-2/yr)               No action  1.0        2.0        3.0                4.0
  Unlikely (10^-2 to 10^-4/yr)        No action  No action  1.0        2.0                3.0
  Very unlikely (10^-4 to 10^-6/yr)   No action  No action  No action  1.0                2.0
  Remote (10^-6 to 10^-7/yr)          No action  No action  No action  No action          1.0

SIL METHODOLOGY

The initial SIL for each protection system was calculated in accordance with the guidance in IEC 61508 [ref 1] plus that published by UKOOA for application to offshore oil and gas installations [ref 4]. The SIL scoring system used in the study is shown in Table 2. The allocated SIL is a function of the consequence of failure (C), the probability of personnel being in the area of the hazard (F), the probability of avoiding danger (P) and the probability of demand on the safety system (W). The assignment of initial SIL values was undertaken in accordance with the matrix shown in Table 3. It should be noted that the probability of demand on the system was determined assuming no safety systems were in operation. This initial SIL allocation essentially treats all the safeguards in place against a particular fault as one safety system, i.e. it takes no account of the number of individual safeguards. This initial SIL value may therefore be overly conservative. The final SIL for each safety-instrumented function within the protection system was determined by dividing the initial SIL by the number of Independent Layers of Protection identified in the PHR study. For example, a safety system with an initial SIL 2 with four Layers of Protection will have a final SIL of 0.5. This final SIL value will therefore apply to any safety-instrumented function within the overall protection system.

The SIL methodology described above has its consequence categories determined in terms of loss of human life and injury. However, COMAH also applies equally to the protection of the environment. Therefore, when carrying out a SIL assessment, it may also be necessary to consider environmental consequences. An example environmental SIL scoring system and SIL allocation method is shown in Tables 4 and 5. The process can also be extended to cover economic losses such as plant damage, length of shutdown and direct financial loss. In such cases, where different types of loss are included in the SIL assessment, the individual SILs derived for a particular fault sequence are compared and the highest value adopted.
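The SIL allocation just described, as an added Python example that is not the paper's code: the CFPW scores of Table 2 are looked up in Table 3 to give the initial SIL, the paper's rule of dividing by the number of IPLs gives the final SIL, and, for the quantified route the paper applies later to high hazard/risk scenarios, the unprotected event frequency is compared with a frequency target to give the required probability of failure on demand (PFD) and its Table 1 band. The table contents and frequency targets are the paper's; the function names, the choice to assign the higher SIL at a shared Table 1 boundary, and the scenario inputs in the demonstration (taken from the paper's Table 6 and Scenario 2 calculation) are assumptions of this example.

```python
# Added example, not the paper's code: Table 2/3 semi-quantitative SIL scoring,
# the "final SIL = initial SIL / number of IPLs" rule, and the quantified route
# (event frequency vs. target -> required PFD -> Table 1 SIL band).

# Table 2 parameter ranges: C in A-D, F in A-B, P in A-B, W in 1-3.
# Table 3: CFPW score combinations -> initial SIL. 0 stands for the "-" row,
# i.e. no specific reliability requirement.
TABLE_3 = {
    0: "AAA1 AAA2 AAA3 AAB1 AAB2 AAB3 ABA1 ABA2 ABA3 ABB1 ABB2 ABB3 BAA1 BAA2 BAB1 BBA1 CAA1",
    1: "BAA3 BAB2 BBA2 BBB1 CAA2 CAB1 CBA1 DAA1",
    2: "BAB3 BBA3 BBB2 CAA3 CAB2 CBA2 CBB1 DAA2 DAB1 DBA1",
    3: "BBB3 CAB3 CBA3 CBB2 DAA3 DAB2 DBA2 DBB1",
    4: "DBB3 CBB3 DAB3 DBA3 DBB2",
}
SCORE_TO_SIL = {s: sil for sil, scores in TABLE_3.items() for s in scores.split()}

# Table 1 bands as (SIL, lowest PFD exclusive, highest PFD inclusive). Assumption:
# a PFD exactly on a shared boundary (e.g. 0.01) takes the higher SIL.
TABLE_1 = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]

# Frequency targets for individual events applied in the paper's PHR study (/yr).
FREQUENCY_TARGET = {"Extremely serious": 1e-5, "Catastrophic": 1e-6}


def initial_sil(c, f, p, w):
    """Table 3 lookup from the Table 2 scores C, F, P (letters) and W (1-3)."""
    key = f"{c}{f}{p}{w}"
    if key not in SCORE_TO_SIL:
        raise ValueError(f"not a Table 3 score combination: {key}")
    return SCORE_TO_SIL[key]


def final_sil(initial, n_ipls):
    """Paper's rule: initial SIL divided by the number of IPLs in the protection
    system (its example: SIL 2 with four layers -> 0.5). The result applies to
    every safety-instrumented function in that protection system."""
    if n_ipls < 1:
        raise ValueError("a protection system needs at least one IPL")
    return initial / n_ipls


def event_frequency(factors):
    """Unprotected event frequency: initiating frequency multiplied by the
    probabilities of the other factors, with the SIF under assessment left out.
    factors: list of (label, value)."""
    freq = 1.0
    for _label, value in factors:
        freq *= value
    return freq


def required_pfd(event_freq, consequence):
    """Required PFD of the SIF so that the protected frequency meets the target:
    target frequency divided by the unprotected event frequency."""
    return FREQUENCY_TARGET[consequence] / event_freq


def sil_from_pfd(pfd):
    """Table 1 band for a required PFD. A PFD above 0.1 needs no SIL (0); one
    below 1e-5 is beyond SIL 4 and signals that more layers are needed."""
    if pfd > 1e-1:
        return 0
    for sil, low, high in TABLE_1:
        if low < pfd <= high:
            return sil
    raise ValueError(f"required PFD {pfd:g} is beyond SIL 4; add protection layers")


if __name__ == "__main__":
    # Table 6, Scenario 1: overfill protection, scores B B B 1, three IPLs.
    s1 = initial_sil("B", "B", "B", 1)
    print("Scenario 1: initial SIL", s1, "final SIL", round(final_sil(s1, 3), 2))
    # Audible roof alarm moves P from B to A: BBA1 -> no SIL requirement.
    print("Scenario 1 with audible alarm: initial SIL", initial_sil("B", "B", "A", 1))
    # Table 6, Scenario 2: D B B 1 -> 3, two IPLs -> 1.5; then the quantified route.
    s2 = initial_sil("D", "B", "B", 1)
    print("Scenario 2: initial SIL", s2, "final SIL", final_sil(s2, 2))
    factors = [("initiating event (/yr)", 1e-2), ("explosion relief panel failure", 1e-2),
               ("workers in affected area", 0.1), ("worker injury", 1.0)]
    freq = event_frequency(factors)
    pfd = required_pfd(freq, "Catastrophic")
    print("Scenario 2 quantified: event frequency", f"{freq:.1e}", "/yr,",
          "required PFD", f"{pfd:.2f}", "-> SIL", sil_from_pfd(pfd))
```

Where several loss types (life, environment, economic) are scored separately, the paper adopts the highest SIL; with this code that is simply `max()` over the individual `initial_sil` results.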

Table 2. SIL scoring system

  Risk parameter                            PHR classification
  Consequence (C)                           A  Minor
                                            B  Serious
                                            C  Major
                                            D  Extremely serious or catastrophic
  Exposure (F)                              A  Persons present in the danger area < 10% of the time (over a 24 hour period)
                                            B  Persons present in the danger area > 10% of the time (over a 24 hour period)
  Possibility of avoiding the resulting     A  Possible to avoid danger
  hazard (P)                                B  No reasonable possibility to avoid danger
  Probability of the demand on the          1  < once in 10 years
  system (W)                                2  < once per year
                                            3  > once per year

Table 3. Determination of SIL values

  SIL   CFPW score
  –     AAA1, AAA2, AAA3, AAB1, AAB2, AAB3, ABA1, ABA2, ABA3, ABB1, ABB2, ABB3, BAA1, BAA2, BAB1, BBA1, CAA1
  1     BAA3, BAB2, BBA2, BBB1, CAA2, CAB1, CBA1, DAA1
  2     BAB3, BBA3, BBB2, CAA3, CAB2, CBA2, CBB1, DAA2, DAB1, DBA1
  3     BBB3, CAB3, CBA3, CBB2, DAA3, DAB2, DBA2, DBB1
  4     DBB3, CBB3, DAB3, DBA3, DBB2

Table 4. Example environmental SIL scoring system

  Risk parameter                        Classification
  Consequence (C)                       A  Minor environmental impact, largely confined to site
                                        B  Significant off site impact, not a MATTE
                                        C  MATTE under COMAH
                                        D  MATTE with long term damage
  Probability of the demand on the      1  < once in 10 years
  system (W)                            2  < once per year
                                        3  > once per year

Table 5. Example determination of environmental SIL values

  SIL   Score combination
  –     A1, A2, A3, B1
  1     B2, C1
  2     B3, C2
  3     C3, D1, D2
  4     D3

PHR STUDY RESULTS

The PHR study resulted in a large number of fault sequences being identified. These fault sequences were ranked by the team in accordance with the risk matrix shown at Figure 2. The allocation of consequence and frequency scores was based on the judgment of the team. Also, on site worker populations were assumed to be at their normal locations. As per the PHR methodology, only those fault sequences assessed as being in either the "intolerable" or "tolerable if ALARP" risk region were assessed in terms of LOPA and additionally only those involving safety-instrumented functions were assessed in terms of SIL.

The case study included in this paper is based on two example fault sequences and associated safety functions, namely:

Scenario 1: overfill protection in gas holder.
Scenario 2: air ingress detection upstream of induced draft fan.

The fault sequence involving air ingress upstream of the induced draft fan was assessed as being in the "intolerable risk" region whilst gas holder overfill was assessed as being in the "tolerable if ALARP" region (see Figure 2). For each scenario, the number of existing safeguards identified in the PHR study (see Table 6) was compared with the required number of safeguards as per Figure 3. From this assessment, the following conclusions were drawn:

Scenario 1: The current design has two Independent Layers of Protection whereas the LOPA guidance requires a minimum of 4.0 IPLs. The LOPA study therefore concluded that the current design requires further substantiation in terms of safeguards.

Scenario 2: The current design has two Independent Layers of Protection, which corresponds to the LOPA guidance requirement of a minimum of 2.0 IPLs. The LOPA study therefore concluded that the current design has an adequate number of safeguards.

Table 6. SIL study output

Scenario 1 (Gas leak from holder due to overfill)
  Safety system: Overfill protection in gas holder
  Scores (C F P W): B B B 1
  Initial SIL: 1
  Safeguards: 3 individual continuous level monitors with high level alarm through PLC system; high-high alarm with hard wired limit switch to stop collection; gas monitoring on gas holder roof with high level alarm
  No of IPLs: 3
  Final SIL: 0.33
  Actions/comments: Consider including audible alarm on gas holder roof to allow operators to evacuate on high level alarm

Scenario 2 (Internal explosion due to air ingress and ignition)
  Safety system: Air ingress detection upstream of induced draft fan
  Scores (C F P W): D B B 1
  Initial SIL: 3
  Safeguards: 4 oxygen monitors - 4 into gas holder PLC (2 upstream/2 downstream of gas holder); explosion relief panels
  No of IPLs: 2
  Final SIL: 1.5
  Actions/comments: Consider use of quantitative risk assessment to evaluate SIL

The initial SIL values for the two scenarios, based on the scoring system shown in Tables 1 and 2, are shown in Table 6. The final SIL values, taking into account the number of IPLs, for each fault sequence are also shown in Table 6. For this plant design, as per most process plant, the objective was to ensure that all safety-instrumented functions will be SIL 1 or lower in order to minimise costs. From this assessment the following conclusions were drawn:

Scenario 1: The initial SIL for this protection system is 1 and taking into account the number of IPLs in this protection system results in a final SIL of 0.33, i.e. the safety-instrumented functions in the protection system do not require to meet any specific reliability requirements. The PHR study also included an action to consider including an audible alarm on the gas holder roof to allow operators to evacuate on high level alarm. The effect of implementing this additional safeguard would be to alter the SIL score value for the possibility of avoiding the resulting hazard (P) from "B" to "A". This in turn would result in an overall initial nil SIL value for this scenario. Implementing this action would reinforce the conclusion that the safety-instrumented functions in this protection system are not required to meet specific reliability requirements.

Scenario 2: The initial SIL for this protection system is 3 and taking into account the number of IPLs in this protection system results in a final SIL of 1.5. The high initial SIL score reflects the high risk associated with this fault sequence. For high hazard/risk scenarios such as this one, the semi quantitative method of SIL evaluation presented in this paper is judged inappropriate. For these cases, the risk assessment used a more quantified risk analysis involving the use of frequency targets, consequence assessment and numerical estimates of the event frequencies. Risk targets needed to be set by the company prior to the study. The frequency targets for individual events as applied in the PHR study were 1 × 10^-5/yr and 1 × 10^-6/yr for "extremely serious" and "catastrophic" events respectively. As part of the quantified risk assessment, the initial categorization of Scenario 2 as being in the "catastrophic" category was confirmed by means of a consequence assessment combined with population data. The calculation of the event frequency without the safety-instrumented function was determined as follows:

Initiating event frequency = 1 × 10^-2/year (from operational experience)
Failure rate for explosion relief panels (IPL) = 1 × 10^-2/year (assumption)
Probability of workers in affected area = 0.1 (plant data)
Probability of worker injury = 1 (based on consequence modeling)

The resulting event frequency was 1 × 10^-5/yr. The required probability of failure on demand of the safety instrumented function, i.e. the oxygen monitoring system, is given by the ratio of the event frequency and the target frequency. In this case the required probability of failure on demand is 0.1 with a corresponding SIL of 1.0 (see Table 1).

EXTENDING THE METHODOLOGY

In the case studies presented here, only engineered protection systems that are independent have been considered. This is clearly a conservative approach. Although this approach is satisfactory in many applications, there may be instances in which additional safeguards need to be considered, including operator action. In this PHR methodology, human actions can be taken into account by assigning such actions an IPL score of 0.5 and a corresponding generic probability of failure on demand of 0.1. Alternatively, for high hazard/risk scenarios, specific failure probabilities can be determined using appropriate human reliability data. In addition, engineered safety systems that are not independent of each other can be modeled in terms of reliability using techniques such as fault tree analysis combined with appropriate failure rate data.

CONCLUSIONS

This paper provides an example of the application of the LOPA and SIL assessment methodology as applied to new process plant. The purpose of the assessment was to determine the appropriate number of safeguards to ensure that fault sequences are ALARP and to determine the reliability required for safety-instrumented functions on the plant. A case study is presented which shows a method for carrying out a LOPA and SIL assessment and demonstrates how more quantitative techniques such as use of reliability data and frequency targets can be used where the semi quantitative approach is judged inappropriate.

REFERENCES

1. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems, International Electrotechnical Commission, Geneva, 1998 & 2000.
2. IEC 61511: Functional safety – Safety instrumented systems for the process industry sector, International Electrotechnical Commission, Geneva, 2003.
3. Centre for Chemical Process Safety (CCPS), Guidelines for safe automation of chemical processes, American Institute of Chemical Engineers, New York, NY, 1993.
4. UKOOA, Guidelines for Instrument Based Protective Systems, 1995.
