Lopa Intro Tampere

The document provides an overview of Layer of Protection Analysis (LOPA), detailing its historical development and integration with Safety Instrumented Systems (SIS) to determine Safety Integrity Levels (SIL). It outlines the concept of Independent Protection Layers (IPL) and their role in preventing unsafe scenarios, as well as the methodology for evaluating risk tolerance and the effectiveness of various protective measures. Additionally, it emphasizes the importance of compliance with industry standards and the need for thorough documentation and validation in the application of LOPA.

Uploaded by

gasines004

Layer of Protection Analysis:

• Overview
– Historical Perspective
– A New Concept for Safety Related Control systems
– LOPA, SIS, SIL
– Where does LOPA fit?

Introduction to Layer of Protection Analysis


Sept 2005 – Richard Gowland

Historical Perspective

• Emerging Standards / Practices start picking up momentum
– IEC 61508 / 61511
– CCPS Safe Process Automation (1993)
– ISA SP - 84.01 (1997)
– CCPS Layers of Protection Analysis (2001) Guidance published

A New Concept...

• Combine traditional Protection Layers with Safety Instrumented Systems in a new Analysis tool to determine Safety Integrity Level requirements for Safety Related Instrument systems
• Incorporate “LOPA Tolerance Criteria” or “Target Factors” that meets the target risk tolerance into the methodology

…That Addresses These Issues...

• Have I defined my risk tolerance criteria or target?
• Does my system ensure my criteria are met?
• Do I need a Safety Instrumented System?
• Are there Alternatives ?
• Global Consistency & Industry Standards
• Internal Requirements for risk management
• Competent Authority/Regulator Requirements

…While Keeping It Simple

Complex Mathematical terms & Systems:
$PFD = \lambda_{DU}\left(\frac{T_1}{2} + MTTR\right) + \lambda_{DD} \cdot MTTR$

Simple Tools:
1 + 1 + 2 = 4 or 0.1x0.01x0.07=0.0007

How does it work?


INDEPENDENCE

Independent Layer of Protection (IPL)

A layer of protection that will prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.

The LOPA “Onion” (layers, outermost to innermost)

• Community Emergency Response
• Plant Emergency Response
• Physical Protection e.g. Relief Devices
• Safety Instrumented System preventative action
• Critical Alarms and Operator intervention
• Basic Process Control System, Operating Discipline / Supervision
• Plant Integrity

Common Terms & Acronyms

Layer of Protection Analysis (LOPA) - A process of evaluating the effectiveness of Independent Protection Layers in reducing the likelihood or severity of an undesirable event to meet organizational needs.

BPCS Protective Function – Any action, initiated by Instrumentation, a BPCS, equipment failure or human response, which is intended to achieve or maintain a safe state of the process in respect to a specific hazardous event. This includes all instrumented non- "Safety Instrumented Functions" identified in LOPA

Safety Instrumented Function (SIF) - The complete action which the SIS is designed to perform from sensing to the final control element

Protection Layer Concept

[Event tree figure: an Initiating Event with Estimated Frequency fi = x meets IPL1, IPL2 and IPL3 in turn. Each IPL that succeeds leads to a Safe Outcome; the Impact Event Occurs if the IPLs are not successful.]

PFD1 = y1, f1 = x * y1
PFD2 = y2, f2 = x * y1 * y2
PFD3 = y3, Impact Event Frequency, f3 = x * y1 * y2 * y3

Key:
Arrow represents severity and frequency of the Impact Event if later IPLs are not successful
IPL - Independent Protection Layer
PFD - Probability of Failure on Demand
f - frequency, /yr

What LOPA does with the event tree

Example

| Item | Value |
| Risk Tolerance Criteria (freq.) | 10^-7 |
| Initiating Event Frequency | 10^-1 |
| Conditional Modifier | 10^-2 |
| PFD of 1st IPL (BPCS) | 10^-1 |
| PFD of 2nd IPL (Alarms + Operator) | 10^-1 |
| SIL (1-3) for SIS1 | 10^-? |

SIS Required. SIL = 10^-7 / (10^-1 * 10^-2 * 10^-1 * 10^-1) = 10^-2

What LOPA does with the event tree - alternative

Example

| Item | Factor |
| Risk Tolerance Criteria (freq.) | 7 |
| Initiating Event Frequency | 1 |
| Conditional Modifier | 2 |
| PFD of 1st IPL (BPCS) | 1 |
| PFD of 2nd IPL (Alarms + Operator) | 1 |
| SIL (1-3) for SIS1 | ? |

SIS Required. SIL = 7 - 1 - 2 - 1 - 1 = 2

Concept of closing the Protection Gap

Risk Tolerance Criteria

Example Target Frequency

| Target Frequency | Target Factor | Impact on People: On-site | Impact on People: Off-site |
| 1.00E-03 | 3 | A minor injury with no permanent health damage | Nuisance complaint |
| 1.00E-04 | 4 | Serious permanent injury - one or more persons | An event requiring neighbours being told to take shelter indoors. |
| 1.00E-05 | 5 | Single fatality | |
| 1.00E-06 | 6 | Multiple fatalities | |
| | | | An event leading to the need to evacuate neighbours. |
| 1.00E-07 | 7 | | neighbour injury |
| 1.00E-08 | 8 | | neighbour fatality |
| 1.00E-09 | 9 | Catastrophic event - many fatalities. | Multiple fatalities to neighbours. |

Basic Rules for Initiating Events

1 Process control software should not be an initiating event. Testing and simulation must be in place to eliminate as a source. Management of Change must be robust enough to avoid corrupting the operating program.
2 An IPL cannot be the initiating event. The only exceptions are failed elements of BPCS and Alarms - if they can create the scenario.
3 Initiating events are single events, but may be modified by the probability of a Conditional Modifier occurring (e.g., an ignition occurring).

Now step 3 - Conditional Modifiers

• Other conditions which must be true for the scenario to fully develop e.g.
– Probability of ignition
– Probability of exposure
• And when you are sure - move on to Independent Protection Layers

Examples

Conditional Modifiers

Conditional Modifier: Enabling event for Layer of Protection Analysis

Probability of Ignition

| Amount of Flammable Material Released, kg | Ordinary Hydrocarbons: Probability of Ignition | Ordinary Hydrocarbons: Enabling Factor | Low M.I.E (< 0.3 mJ) materials: Probability of Ignition | Low M.I.E (< 0.3 mJ) materials: Enabling Factor |
| 5 - 50 | 1.0E-02 | 2 | 1.0E-02 | 2 |
| 51 - 501 | 1.0E-02 | 2 | 1.0E-01 | 1 |
| 501 - 5000 | 1.0E-01 | 1 | 1 | 0 |

Probability of Exposure Examples

| Conditional Modifier | Conditional Modifier Probability | LOPA factor |
| Probability of Exposure allowed for processes/process steps in operation for less than 5 weeks/yr | 1x10^-1 | 1 |
| Probability of Exposure allowed for processes/process steps in operation for less than 3 days/yr | 1x10^-2 | 2 |
| Probability that persons will be in the area of consequence and exposed to it. (e.g. rarely visited or occupied areas such as remote tank farms). | 1x10^-1 or 1x10^-2 | 1 or 2 |

General Rule of Independence

To be Independent, a layer of protection shall prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.

Given events A and B, A is independent of B if, and only if, the probability of A is unchanged by the occurrence of B.

Two events (A and B) are independent if the probability that they both occur is the product of their separate probabilities: P(A and B) = P(A) * P(B).

Basic Rules for BPCS and Alarms

• If a BPCS (whole loop) is an Initiating Event, no credit is taken for the BPCS or Alarm IPL unless they are completely separate systems.
• If BPCS and Alarm IPLs use the same sensor, you can take credit for one IPL only.
• The Alarm IPL requires a formally recorded and auditable operator action to prevent the scenario.
• If a sensor failure is the Initiating Event, BPCS and Alarm IPL are not valid credits if they require the failed sensor to function.
• If a final element failure is the Initiating Event, BPCS and Operator action on Alarm IPL are not valid credits if they require the failed final element to function. (most common could be a control valve.)
• If a BPCS logic solver is an Initiating Event, no credit is taken for the BPCS or Alarm IPL, unless the Alarm IPL is a completely separate system.
• If an Alarm is an IPL, the operator must have time to prevent the scenario. No credit shall be taken if the operator has less than 15 minutes to respond. May be able to take credit if this is a recognized case in the Emergency Response plan.
• Maximum of only one (1) BPCS and one (1) Alarm IPL credit are allowed for a case.
• Sharing of BPCS and SIS elements may be allowed when there is evidence of adequate independence. (see rules for sharing SIS elements by the BPCS)
• Mechanical safety devices such as over-speed trips are not Instrumented IPL’s. However, they may qualify as an Independent Safety Related Protection System under the Other Safety Related Protection System column.

Rules for Pressure Relief Devices

1 The Pressure Relief Device either protects or it doesn’t. Partial credit is not allowed.
2 If the Pressure Relief Device discharges to the atmosphere creating a 2nd hazard (to people, the environment or equipment), no credit is allowed. If the release to the atmosphere has an acceptable risk, credit may be taken
3 If the Pressure Relief Device discharges to a flare, tank, or scrubber, credit is taken
4 This is not a tool for deciding “No Overpressure Protection Device Needed”.

What LOPA does with the event tree (re-cap)

Example

| Item | Value |
| Risk Tolerance Criteria (freq.) | 10^-7 |
| Initiating Event Frequency | 10^-1 |
| Conditional Modifier | 10^-2 |
| PFD of 1st IPL (BPCS) | 10^-1 |
| PFD of 2nd IPL (Alarms + Operator) | 10^-1 |
| SIL (1-3) for SIS1 | 10^-? |

SIS Required. SIL = 10^-7 / (10^-1 * 10^-2 * 10^-1 * 10^-1) = 10^-2

BPCS and SIS are Different.

• BPCS keeps the plant within defined operating parameters
• BPCS and SISs may both act as IPLs
• A BPCS is very unlikely to meet > SIL1 PFD or Fault requirements (May even be prevented unless certified)
• Certification requirements are different
• Documentation requirements are different
• Testing requirements are different

address SIS needs

• List Safety Instrumented Functions if required. The SIL of the SIF is the numerical value needed to “Close the Gap”.

Basic Rules for SIS

1 SIS entries are considered last and then only if necessary to close the protection gap
2 A non-zero, positive value in the Protection Gap column indicates a SIS is needed.
3 The required SIL of the SIS is the value which closes the Protection Gap
4 A SIL value greater than 3 should not be allowed. Additional non-SIS IPL’s are required. - or there is something wrong with the process
5 A zero or negative value in the Protection Gap column indicates a SIS is not needed.
6 A SIS with a SIL of 2 or 3 can be replaced with a combination of lower SIL provided they are independent from each other.
SIL 1 + SIL 1 = SIL 2 ; SIL 1 + SIL 2 = SIL 3
7 Two (2) SIS IPL’s used in the same case require separate sensors, logic solver and final element. Independent paths through the same SIS logic solver must be used.

Step 7

• Completely document scenario, Initiating event, conditional modifiers, IPLs. Justify and address Uncertainties and Sensitivities.
• Document the SIS requirements AND the requirements for the other Safety Related Protection Systems
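
The protection-gap arithmetic from the event-tree example, combined with the Basic Rules for BPCS and Alarms and the Basic Rules for SIS, as an added Python example (not part of the original slides). The `IPL` fields, the kind labels and the sensor tags are assumptions made for this sketch, and rounding a fractional gap up to the next SIL is also an assumption.

```python
import math
from dataclasses import dataclass

@dataclass
class IPL:
    name: str
    kind: str                 # "BPCS", "ALARM" or "OTHER" (labels assumed here)
    pfd: float                # probability of failure on demand
    sensor: str               # tag of the sensor the layer depends on ("" if none)
    response_min: float = 0   # time the operator has to respond (alarms)

def factor(value):  # LOPA factor: -log10 of a frequency (/yr) or probability
    return -math.log10(value)

def credited(ipls, failed_sensor=None):
    """Drop BPCS/alarm layers that the rules on the slides give no credit for."""
    kept, kinds, sensors = [], set(), set()
    for ipl in ipls:
        if ipl.kind in ("BPCS", "ALARM"):
            if (ipl.kind in kinds                    # max one BPCS, one alarm
                    or ipl.sensor in sensors         # shared sensor: one credit
                    or ipl.sensor == failed_sensor   # needs the failed sensor
                    or (ipl.kind == "ALARM" and ipl.response_min < 15)):
                continue
            kinds.add(ipl.kind)
            sensors.add(ipl.sensor)
        kept.append(ipl)
    return kept

def protection_gap(target_freq, initiating_freq, modifiers, ipls, failed_sensor=None):
    """Target factor minus credits, as in the slide's 7 - 1 - 2 - 1 - 1 = 2."""
    credits = factor(initiating_freq) + sum(factor(m) for m in modifiers)
    credits += sum(factor(i.pfd) for i in credited(ipls, failed_sensor))
    return round(factor(target_freq) - credits, 6)

def sis_requirement(gap):
    """Basic Rules for SIS: gap <= 0 needs no SIS; SIL above 3 is not allowed."""
    sil = math.ceil(gap)  # rounding a fractional gap up is an assumption
    if sil <= 0:
        return "no SIS needed"
    if sil > 3:
        return "SIL > 3 not allowed: add non-SIS IPLs"
    return f"SIL {sil}"

# Constructed sample matching the slide example; the sensor tags are made up.
SLIDE_IPLS = [IPL("BPCS loop", "BPCS", 1e-1, "LT-A"),
              IPL("Alarm + operator", "ALARM", 1e-1, "LT-B", 20)]
if __name__ == "__main__":
    print(sis_requirement(protection_gap(1e-7, 1e-1, [1e-2], SLIDE_IPLS)))
```

Pointing the alarm at the BPCS sensor, or passing `failed_sensor="LT-A"`, removes one credit and widens the gap from 2 to 3.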

That’s the theory

• Now the practical experience
• Review of a company policy

All Plant engineers trained in LOPA. Work to be validated by process Safety Specialists

LEVEL 1: PROCESS HAZARDS ANALYSIS
– Triggers : All plants, significant projects and changes
• Fire & Explosion Index (FEI)
• Chemical Exposure Index (CEI)
• RC/PHA Questionnaire
• LOPA Target Factors*

LEVEL 2: RISK REVIEW
– Triggers: F&EI>128, CEI>200, LOPA Target Factor >= 7 from Level 1
• Cause-Consequence pair Identification*
• LOPA* (Technologies new to Dow are HAZOP’d)
• Explosion Impact (Building Overpressure) evaluation*
– Triggers: LOPA Target >= 8 or LOPA inappropriate.
• Structured Hazard Analysis (Fault Tree analysis*, FMEA, Checklist, etc.)

LEVEL 3: ENHANCED RISK REVIEW
– Triggers: LOPA Protection Gap > 0
• Dose-adjusted consequence analysis
• Screen for QRA*

LEVEL 4: QUANTITATIVE RISK ASSESSMENT
– Triggers: Individual Risk contours in off-site population exceeds Business Governance Elevation Criteria
• Combination of Consequence Analysis, Frequency of Impact
• Focuses on highest risk activities

Using tools like this

• Workbook July 9 draft.xls

Examples like this

Case 3

What scenarios can occur?

[Figure: V 301, P 301, "To Mixing unit". Standard Centrifugal pump, Rated at 3KW. Operating at 55 C on a Thermally Sensitive material.]

What scenarios can occur?

[Figure: the same V 301 / P 301 diagram with the added labels "Leak, pump rupture etc.", "Temperature trip?" and "Power meter".]

PADDING/INERTING

[Figure: Storage of Xylene, T-25. Labels: Nitrogen Control valve; Set 50mm wg vac, 200 mm wg press; N2 at 100mm wg; N2 at 2 bar; Pressure/Vacuum relief Vent; Fill; Sealed overflow; LT; LSL; MAWP = 300 mm wg.]

Pyridine compound

[Figure: R 201, V 201, P 201. Labels: Conservation vent; Vent to scrubber; VV 201; PSV 201; NaOH; water; A 201 alarm; CV 201; Steam in; TE 201a; TE 201b; Condensate out; To Esterification section. A second copy of the figure adds ESV 201.]
