2F
John F. Murphy, PE
CCPS Staff Consultant
hamjfm@embarqmail.com
UNPUBLISHED
This book will be a necessary reference for those applying the LOPA methodology. This paper will
summarize this upcoming textbook, highlight some of the new IPLs and IEs, and highlight some of the
chief concerns the subcommittee wrestled with.
1. Introduction
Layer of protection analysis (LOPA) is a semiquantitative tool for analyzing and assessing risk.
Basic LOPA uses order-of-magnitude estimates of frequency, probability, and consequence
severity, together with conservative rules intended to ensure that all values used in the assessment
are defensible and maintainable. This tool has grown greatly in popularity and usefulness since the
publication of the first CCPS/AIChE guidebook on the subject (CCPS, 2001). This book builds
on that important text by:
- Providing additional choices and examples of initiating events (IEs) for analysis in tools such
as LOPA and similar approaches up to and including quantitative risk analyses (QRAs) that
use additional tools such as Fault Tree Analysis (FTA), Event Tree Analysis (ETA), and
Human Reliability Analysis (HRA)
- Providing additional choices and examples of independent protection layers (IPLs)
- Providing more complete criteria for how to determine the value of each prospective IE and
IPL
- Providing more elaboration on the limitations that an organization should comply with to
qualify an IE or IPL at a given value, particularly defining the activities and documentation
required for a system feature or action to validate or prove the feature before it can be
credited at a given failure rate (for an IE) or a given probability of failure on demand (PFD)
for an IPL
- Discussing the linkage to other publications.
2. Audience
This book is intended for:
- Current practitioners of LOPA. It is assumed that readers of this book have read and
understood the first text (CCPS, 2001) on this topic. These practitioners can include process
engineers, risk analysts, and process safety and safety specialists who are also familiar with
other risk assessment methods (such as HAZOP, fault tree analysis, event tree analysis, etc.)
and who already have some experience with LOPA (analysts, participants, reviewers,
auditors, etc.). For this audience, Chapters 3 through 6 will provide additional details on
rules for LOPA, additional example IEs, and additional example IPLs. Chapter 7 and the
Appendices will contain guidance for analysts who find the need to supplement the basic
LOPA approach with the use of fully quantitative methods such as FTA, ETA, and HRA
(extensions beyond the basic, order-of-magnitude limits of LOPA).
- Executives who are considering expanding their corporate strategy for managing risk by
adding LOPA to their existing risk analysis process. For the executive audience, Chapter 2
will summarize the LOPA method and its benefits and explain the new limitations and
interpretation of LOPA rules, and what these subtle changes in emphasis from the original
LOPA textbook might mean to the organization.
- Project Managers who want to ensure that a new process or process modification has
sufficient layers of protection. LOPA is a tool for selecting and evaluating alternative layers
of protection and can be used in any phase of a capital project.
- Engineers, chemists, operations and maintenance personnel, supervisors, department
managers, and others who must ensure that the technical and administrative requirements for
each IE and IPL are met to assure that the risk of the facility is maintained as estimated by LOPA.
The chief ongoing effort is to maintain the IEs and IPLs at the stated failure rates. One goal
of this text is to reinforce the activities and documentation that assist in obtaining the
predicted order-of-magnitude risk reduction factor for each IE and IPL used by the facility.
Chapters 3 through 6 will be useful for this audience, with particular attention to the data
blocks and summary tables of validation criteria necessary for each IE and IPL. If these
validation activities (such as proof tests) are not planned for and performed, then the IE and
IPL are not valid.
3. Scope
The initial LOPA textbook (CCPS, 2001) set the guidelines for using LOPA as a middle ground
between purely qualitative analysis (also called hazard evaluation) and full quantitative analysis
methods. LOPA allows an order-of-magnitude risk estimate with fairly reproducible results
within an organization. This text builds on the foundation laid by the LOPA textbook by
clarifying key concepts and reinforcing limitations and requirements. The main scope of the
book is to provide more examples of IEs and IPLs and to provide more concrete guidance on the
protocols that must be followed to achieve and maintain these risk reduction systems and actions.
This book will not be a second edition of the existing CCPS LOPA book and does not intend to
change any criteria established for LOPA in the first textbook on the topic. However, the
industry has developed further knowledge through experience, many practitioners have
requested more details on IEs and IPLs, and the CCPS has seen the need to better explain the
validations necessary to claim a risk reduction value for an IPL (or for an IE as well).
This book will exclude detailed explanations of Safety Instrumented Systems (SIS) and the
related Safety Integrity Levels (SIL), or analysis of Protective Integrity Levels (PILs) afforded
by these instrumented systems, since the IPL values and requirements for maintenance of this
class of IPLs are covered in the book Guidelines for Safe and Reliable Instrumented Protective
Systems (IPS) (CCPS, 2007). Just as in the original LOPA text, this book will list the risk
reduction credits (IPL values) that can be obtained for each SIS or BPCS. But the design,
implementation, and mechanical integrity of these systems have to be demonstrated to meet the
criteria in IPS (CCPS, 2007) and the requirements of the related industry codes and standards
(ANSI/ISA 84.00.01 and IEC 61511). Otherwise, as with all other IPLs, the PFD claimed for a
PIL or SIL will not be valid.
This book will also exclude detailed explanations of conditional modifiers, which are probability
factors used to estimate likelihood of fires, explosions, and fatality given a release has occurred.
Conditional modifiers were discussed in LOPA (CCPS, 2001), but the topic is complex and
application specific, which is beyond the scope of this book.
4. Recap of LOPA
What Is LOPA?
LOPA is a simplified form of risk assessment. Risk is a combination of the frequency of the
scenario and the consequence of the scenario. LOPA typically uses order of magnitude estimates
for initiating event frequency, consequence severity, and the likelihood of failure of independent
protection layers (IPLs) to approximate the risk of a scenario. LOPA is an analysis tool that
typically builds on the information developed during a qualitative hazard evaluation, such as a
process hazard analysis (PHA), for example a hazard and operability analysis (HAZOP); LOPA
does not identify hazardous scenarios, but it does provide a streamlined method for estimating
the risk of scenarios. LOPA is implemented using a set of criteria that are more restrictive than
those typically used for event trees and fault trees.
LOPA: one consequence-cause pair
One limitation of the LOPA technique is its restriction to a single cause consequence pair. By
comparison, other risk analysis methods such as fault tree or quantitative risk assessment
encompass multiple causes and can address multiple consequences in one analysis.
Like many other risk analysis methods, the primary purpose of LOPA is to determine if there are
sufficient layers of protection to reduce the risk of an accident scenario below the specified risk
criteria. A scenario may require one or many protection layers depending on the complexity of
the scenario and potential severity of the consequence. Note that for a given scenario, only one
layer must work successfully for the consequence being analyzed to be prevented. However,
since no layer is perfectly effective, sufficient layers of protection must be provided to lower the
risk below the specified risk criteria (e.g., the second and third layers work when the first fails).
History of LOPA
The initial development of LOPA was done internally within individual companies. However,
once the method had been developed and refined, several companies published papers describing
the driving forces behind their efforts to develop the method, their experience with LOPA, and
examples of its use. In particular, the papers and discussion among the attendees at the CCPS
International Conference and Workshop on Risk Analysis in Process Safety in Atlanta in
October 1997 brought agreement that a book describing the LOPA method should be developed.
This led to the LOPA textbook (CCPS, 2001).
Experience and developments while using LOPA over the past 10 years led to the authoring of
the current book with a:
- desire to improve the understanding of when IEs and IPLs are applicable,
- desire to provide more examples of IEs and IPLs,
- need for clearer protocols for validating an IPL or IE value.
- A means to assess or estimate consequence that can be applied throughout the organization.
- Numerical risk criteria. Individual companies use different criteria, which may include (but
are not limited to):
  - Frequency of fatalities
  - Frequency of loss of containment
  - Economic loss
  - Frequency of a consequence category (which can include damage, fatality, etc.)
  - Required number of independent protection layer (IPL) credits
also matures and this learning is in turn applied to the process design and operating philosophy.
In the detailed engineering and construction phases of a project, we further refine the design and
use an assortment of tools to help us determine plausible accident scenarios and judge the risk of
such scenarios. LOPA can help in the risk judgment aspect at any phase of a project (see
Bridges, et al, 2008). After a process is started up, the risk of the process must be maintained
and changes must be controlled. LOPA can be used to help make risk judgments of plant
modifications and procedural changes during these ongoing operational phases as well. Refer to
the LOPA Guideline (CCPS, 2001) for details on when and how to use LOPA over the lifecycle
of the process.
[Figure 1. Types of Hazard/Risk Reviews (HR) Throughout the Life Cycle of a Process (each
type uses one or more of the HR [PHA] methods)]
LOPA can be effectively used at any point in the safety life cycle of a process or a facility
(Figure 1), but it is most frequently used during:
- The detailed design stage when the process flow diagram is essentially complete and the
P&IDs are being developed. LOPA is used to examine scenarios, often generated by other
process hazard assessment (PHA) tools, such as HAZOP, what-if, checklist, etc.; as part of
the SIS design; or as a risk screen; or as part of a design study on a system to classify the
various process alternatives and to select the best method.
- Modifications to the process or its control or safety systems (i.e., management of change).
However, LOPA can also be used in all phases of the safety life cycle:
- It can be used during the initial conceptual process design to examine basic design
alternatives and provide guidance to select a design that has lower initiating event
frequencies, or a lower consequence, or for which the number and type of IPLs are better
than alternatives. Ideally, LOPA could be used to design a process which is inherently
safer by providing an objective method to compare alternate designs quickly and
quantifiably.
- LOPA can be used during the regular cycle of PHAs (process hazard analyses) performed on
a process. Experience with LOPA at several companies has shown that its scenario-focused
methodology can reveal additional safety issues in fully mature processes that have
previously undergone numerous qualitative PHAs. In addition, its objective risk criteria have
proven effective in resolving disagreements on PHA findings that were based on qualitative
techniques.
- If the risk is currently too high, and if an SIS is the chosen risk reduction approach, then
LOPA can readily determine what SIL will be required.
- SIS should not be the first choice in reducing the risk of a process, so LOPA also examines
alternatives to an SIS, such as modifying the process, adding other IPLs, etc.
- LOPA can be used to identify equipment that, as part of an IPL, is relied upon to maintain the
process within the tolerable risk criteria of an organization. Such equipment may be denoted
as safety critical (ISA, 1995) and is subjected to specified testing, inspection and
maintenance. At least one company has found that LOPA has significantly decreased the
number of safety critical equipment items; the list had grown over time by adding equipment on a
qualitative "better safe than sorry" basis, but many of the additional safeguards were not
necessary and diverted limited resources away from more critical risk control measures.
- LOPA can be used to identify operator actions and responses that are critical to the safety of
the process. This will allow focused training and testing to be performed during the life of
the process and for the operating manuals to reflect the importance of a limited number of
process variables, alarms and actions.
- Coordination of set points between various IPLs (e.g., alarms, SIF, relief devices).
- LOPA can also be used for other risk assessment studies within an organization, including
terminal operations, tolling operations, auditing of third parties, loss prevention and insurance
issues, etc.
What risk assessment methods are best for helping a company judge risk? There is a spectrum of
answers to that question:
The choice and use of the various qualitative to quantitative risk assessment methods vary
between organizations (Figure 2). However, best practice is:
Note that ALL accident scenarios are identified using a team setting and qualitative hazard
evaluation methods (one primary goal of qualitative hazard evaluation is hazard identification,
which is also accident scenario identification); but occasionally, the teams do not feel capable of
making the judgments without more elaborate modeling of the risk.
Step 4: Identify the IPLs and estimate the probability of failure on demand (PFD) of each
IPL. Some accident scenarios will require only one IPL, while other accident scenarios may
require many IPLs, or IPLs of low PFD, to achieve a tolerable risk for the scenario. Recognizing
the existing safeguards that meet or can be made to meet the rules and proof requirements of
IPLs for a given scenario is the heart of LOPA. Most companies provide a predetermined set of
IPL values for use by the analyst, so the analyst may pick the values that best fit the scenario
being analyzed. This book builds on this practice and enhances it by illustrating the proof
criteria also necessary to value and maintain an IPL. It should be noted that each safeguard,
while likely to reduce the risk, does not contribute the full IPL risk reduction until it is fully
implemented.
Step 5: Estimate the risk of the scenario by mathematically combining the consequence,
initiating event, and IPL data. Other factors may be included during the calculation,
depending on the definition of consequence (impact event). Approaches include arithmetic
formulae and graphical methods. Regardless of the methods, most companies provide a standard
form for documenting the results.
Step 6: Evaluate the risk to reach a decision concerning the scenario. This includes
comparing the risk of a scenario to a company's tolerable risk criteria and/or related targets.
Note that organizations may or may not have common risk tolerance criteria. Also note that
the IPL or IE values assigned within one company may differ from those assigned at yours, yet
both companies may reach the same judgment on the tolerability of risk for a common scenario;
this can happen when the risk tolerance criteria are offset to the same degree as the values
assigned to IPLs and IEs. So, as a general rule, a LOPA from one company cannot be compared
to a LOPA from another company, though perhaps the number and type of IPLs
implemented can be compared.
6. Extensions beyond basic LOPA
LOPA was originally developed as a streamlined risk quantification method to be used after a
qualitative hazard review (such as a HAZOP-based, team-oriented analysis). It was developed
because FTA and HRA (full QRA methods; see Guidelines for Chemical Process Quantitative
Risk Analysis (CPQRA), Second Edition, CCPS, 1999) were seen as gross overkill for evaluation
of most scenarios that perplexed a qualitative team or a design team. However, the criteria of
basic LOPA are necessarily limiting (which is what allows LOPA's simplified approach), and
this has led some analysts to develop extensions of LOPA beyond the basic rules and
requirements specified in the LOPA book (CCPS, 2001). A first example of this was Approach
B for using a second basic process control loop as an IPL, as described in Chapter 11, Advanced
LOPA Topics, in the LOPA book (CCPS, 2001).
This book helps to clarify what fits within the context of the original basic method called LOPA
and what constitutes extensions of that method. It is the responsibility of each organization to define
and defend its risk assessment protocol. Chapter 6 of the new book provides guidance on
when extensions beyond basic LOPA may be appropriate, and how they may be used in conjunction
with the basic approach.
Triggering events/initiating causes (this list has been expanded since LOPA (CCPS, 2001) and
also contains new criteria for when the failure rates provided in the data tables are valid).
- Single Check Valve - High Test Frequency (with scenario related to large backflow, not
leakage past check valve)
- Double Check Valve in series (1oo2) (with scenario related to large backflow, not leakage
past check valve)
- Bubble-tight check valve (class 5; class 6 tightness)
- Mechanical stop that limits travel (adjustable)
- Mechanical stop that limits travel (non-adjustable, after initial installation)
- Restrictive orifice in clean service (with scenario related to excess flow rate)
- Excess flow valve
- Mechanical over-speed trip on a turbine
- Emergency scrubber/absorber consumes (removes) components of concern prior to release to
atmosphere
- Flare consumes/combusts components of concern prior to release to atmosphere
- Generic emergency effluent/discharge systems
- Continuous pilots; capable of keeping 50% of pilots lit
- Mechanically-activated emergency shutdown/isolation device
- SIL 1 Safety Instrumented Function
- SIL 2 Safety Instrumented Function
- SIL 3 Safety Instrumented Function
- Inerting system
7.3 More complete criteria of how to determine the value of each prospective IE and prospective IPL
Table 1 provides a snippet of the IPL summary tables which will be included in the new
guideline. The criteria that must be met to claim any listed IPL dominate the IPL tables. These
criteria must be met for the PFD for the IPL to be valid.
An example is a flame arrester (see Table 1). There is a full description of the IPL and a value of
0.01 is suggested.
IPL Description:
Deflagration Flame Arrester or Stable Detonation Arrester installed inline between an ignition
source (e.g., TOX) and a source of flammable or combustible vapors.
The value is only appropriate if the special conditions are met:
- The piping between the ignition source and arrester is well below the run-up distance
required to allow a transition to detonation (DDT) for a Deflagration type, or formation of an
Unstable Detonation for a Stable Detonation type.
- Location considered (avoid "hot side" on bottom of vertically mounted arrester since this
decreases endurance burn; avoid accumulation of liquids in arrester, use drains to remove
liquids).
- Device does not impose excessive flow restriction on the process and any fouling issues have
been addressed.
- Temperature monitoring with a thermocouple directly in contact with the hot side of the
device is highly recommended to allow operations to recognize when the device is being
challenged.
7.4 More elaboration on the practices that an organization should comply with to qualify an IE or IPL at a given value
This is likely the most important improvement over the first LOPA book.
For a flame arrester the following proof methods and frequency requirements must be met:
Proof Method:
- Device is included on a routine maintenance schedule which specifies shutting down the line
and opening the device for inspection.
- Device is always inspected if it is suspected to have stopped a flame or if a process upset could
compromise its integrity.
- Inspection includes determining whether the device is plugged and whether corrosion might
compromise its capability to arrest a flame in accordance with most industry standards.
Proof Frequency:
Initially, every 12 months or per vendor recommendation, then adjust the interval to 24, 35, or up
to a maximum of 4 years, if no signs of corrosion.
Each IPL listed also has a proof method and frequency requirement.
Table 1. Example Extracted from the IPL/IE Guideline (CCPS, pending 2010)
4. Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition (CPQRA),
CCPS, 1999.
5. ISA, ANSI/ISA 84.00.01-2004 (IEC 61511 modified), Functional Safety: Safety Instrumented
Systems for the Process Industry Sector, Research Triangle Park, NC, 2004.