2008 Spring National Meeting of American Institute of Chemical Engineers, New Orleans, LA, April 6-10, 2008
ABSTRACT
The original concepts that led to today's Layers of Protection Analysis (LOPA) were developed in the US in the late 1980s and early 1990s. In 2001 CCPS developed the LOPA method as a systematic approach to ensure that sufficient protective barriers are available to prevent specific hazardous scenarios or mitigate their consequences. Different LOPA methodologies have been used: some are based on simple frequency-consequence matrices, others on risk targets; some follow the order-of-magnitude approach, others a simplified quantitative risk assessment (QRA) approach. LOPA is not supposed to be a fancy HAZOP, nor a simplified QRA. This paper presents some often misunderstood LOPA concepts using a case study.
1. Introduction
In the world of process safety, LOPA is a well-known acronym that represents a methodology for hazard and risk assessment. The methodology was developed as a simplified form of risk assessment to be used in cases where a simple HAZOP was deemed insufficient to fully understand the intrinsic hazards and risk associated with a specific scenario. For such scenarios, it was also recognized that a full quantitative risk assessment (QRA) would demand significant time and resources, with the potential to obtain results that might still be approximate because of the lack of accurate data and information. In 1993 the Center for Chemical Process Safety (CCPS) published Guidelines for Safe Automation of Chemical Processes. This book introduced the concept of layers of protection and the approach to analyze whether sufficient independent layers were available (1). The LOPA methodology was further defined by the 2001 CCPS book Layers of Protection Analysis (2), and the concepts were taken up again in Guidelines for Safe and Reliable Instrumented Protective Systems (3), published by CCPS in 2007. A number of other publications on the topics of layers of protection and LOPA have also been produced during the last fifteen years. This literature documents the evolution of the concepts and ideas around Layers of Protection Analysis. It also shows how the application of the methodology has progressed mainly towards a specialized field, safety instrumented systems. Today, LOPA is commonly applied to determine the level of integrity required for instrumented systems to close the risk gap in a specific facility or design. In other cases, LOPA is also used as an advanced HAZOP with the idea of identifying hazards and risk gaps. A growing interest appears to be developing in better or more accurate data for protective layers, leading the LOPA methodology towards a more quantitative methodology.
In general, the definition of the LOPA acronym is very well understood, but the application of the LOPA concepts and the methodology is challenging and sometimes misused. This paper explores the challenges associated with the use of LOPA in different environments and presents examples of some of the most common misunderstandings.
2. Back to the basics
The question that a layer of protection analysis seeks to answer is: "Are there sufficient protective layers to prevent the scenario or eventually mitigate the potential consequences?" By providing a systematic approach to verify which safeguards can be used as IPLs and how much credit can be assigned to each, LOPA makes it possible to identify and close risk gaps. LOPA was developed with specific goals, namely to ensure that:
- Appropriate and sufficient risk reduction measures are in place to achieve the risk target
- Existing risk gaps are identified and appropriate measures (i.e., new IPLs) are designed, installed, and maintained.

While performing LOPA, it is frequently assumed that when a risk gap is identified (i.e., the available layers of protection are deemed insufficient to prevent or mitigate the hazardous scenario) it should be closed by designing instrumented functions. In reality, instrumented functions should be considered as a last resort, and only when other types of IPLs cannot be identified or implemented. Inherently safer design should be the first option to be analyzed, followed by non-instrumented options.

Life-Cycle of Protective Systems

Hazard identification and Layer of Protection Analysis are the first steps to identify and design protective systems. LOPA is just the beginning of the lifecycle of protective systems: it is the beginning and not the end. The output from the LOPA, which includes the list of IPLs and their requirements, is used to ensure that the existing IPLs are designed, operated, tested, and maintained according to the specifications. The LOPA output also indicates the list of new IPLs that shall be designed and installed in order to close the risk gaps identified by the LOPA.
Hazard Identification
LOPA relies on the identification of hazardous scenarios through the application of other techniques better suited for the task, such as HAZOP. HAZOP identifies initiating causes and their potential consequences and provides the basis for LOPA. Therefore, if the hazard identification step is poorly performed, LOPA may become quite challenging. The output from LOPA is a list of existing protective layers that meet the core requirements and are maintained according to the specifications. LOPA also provides a list of risk gaps where additional IPLs are required in order to reduce the likelihood of hazardous scenarios. LOPA is therefore an important intermediate step in the management of process safety. The study offers the opportunity to ensure that the operational and equipment constraints and needs are fully understood and that adequate documentation and management systems are in place. While all HAZOP scenarios with high consequence rankings should be carefully analyzed, not all of them are candidates for a LOPA. Examples are normal corrosion of pipelines or vessels, design errors that lead to release of hazardous chemicals, most weather-related events, acts of God, poor maintenance, etc. These scenarios are better addressed by integrity and quality assurance programs. This issue is addressed in more detail in Example 2 of Section 4.
3. Challenges
Since LOPA requires consideration not only of the technical aspects of the process but also of human factors and management aspects, it is also subject to the challenges associated with handling all of that information. Therefore, the LOPA facilitator must have a good understanding of those aspects and should be able to extract sufficient information from the team and integrate it into the LOPA scenario. In some cases, the daily workload and limited availability of highly trained and experienced individuals in the team must be accounted for as the studies are conducted.

Currently, different LOPA approaches are used depending on the companies involved. Some use a simplified QRA approach that allows the use of modifiers such as probability of ignition, while others use risk matrices, known as the order-of-magnitude approach, that indicate the required number of IPLs for an initiating cause frequency and consequence pair. Theoretically, regardless of the methodology applied, the LOPA study should lead to similar conclusions. However, the outcomes of the two approaches can sometimes be quite different. A challenge in the QRA-like approach is the use of frequency modification factors. People using this approach tend to apply the factors by default and may underestimate the risk associated with the scenario. The outcome of the LOPA can also differ considerably depending on the team members involved. Therefore, if this approach is used, it is important that the LOPA team choose the factors based on careful engineering judgment, considering the operating environment and conditions. In the order-of-magnitude approach, usually no modification factors are used and the results are consistent regardless of the team members involved. However, this approach can sometimes produce an overly conservative result. Regardless of the approach used, the outcome of the LOPA should always be checked and confirmed to make sure it makes sense.
4. Case Study
What is a LOPA Scenario?
As mentioned previously, LOPA relies on hazard identification. It is therefore fundamental for LOPA to start from an appropriate HAZOP analysis, where the initiating cause and consequence pair have been clearly identified and the severity of the consequence is ranked without taking into account the safeguards identified for the scenario. Unless hazardous scenarios and the severity of their consequences are identified during the HAZOP, it is not possible for LOPA to assess how many IPLs are required to close the risk gap. The severity of the consequence has to be reasonably conservative. If the severity ranking is estimated too low, then the outcome can be that no or fewer IPLs are required. On the contrary, if the severity ranking is estimated in an overly conservative way (e.g., if all flammable releases are assumed to lead to a fatality) it is possible to end up with an excessive number of IPLs required. For the system shown in Figure 1, a HAZOP scenario for high pressure may look like:
Example 1a:
PARAMETER: PRESSURE
GW: MORE
DEVIATION: Excessive flow
CAUSE: Valve failure
CONSEQUENCE: No consequence identified
SAFEGUARD: (none listed)
The scenario presented in Example 1a will not be included in a LOPA since no consequences are identified. In this case, the HAZOP team is assumed to have considered the safeguards in determining the consequence. Since they assumed that the safeguards would work properly, no consequences were identified. A better HAZOP entry for the scenario presented in Example 1a is shown in Example 1b:
Example 1b:
PARAMETER: PRESSURE
GW: MORE
DEVIATION: High pressure in V-01
CAUSE: Pressure regulator valve PRV-01 fails open
CONSEQUENCE: Hazard: vessel/flange failure and release of flammable gas. Consequence: potential for flash fire that will lead to injuries
SAFEGUARD: RV-01, PAH-01
Based on this HAZOP entry, the scenario will be included in a LOPA study. The team identified the specific deviation (i.e., initiating cause), hazardous events and most credible hazardous consequences based on the type of process fluid and the quantity that could be released. When this HAZOP scenario is analyzed in a LOPA, the identified safeguards will be assessed against the requirements to be credited as IPLs (i.e., independence, specificity, auditability, etc.).
Figure 1: System for Example 1a and 1b.
Validity of Initiating Causes

In cases where corrosion is likely to affect the integrity of a vessel, a HAZOP scenario may be developed as shown in Example 2:
Example 2:
PARAMETER: corrosion/erosion
GW: ISSUES
DEVIATION: Excessive corrosion
CAUSE: General corrosion
CONSEQUENCE: Possible piping failure, release of hydrocarbons, fire and explosion
SAFEGUARD: Integrity management program, corrosion probes
From a HAZOP viewpoint, this scenario is valid and the potential consequence may be severe. All HAZOP scenarios with high consequence rankings should be carefully analyzed to ensure that sufficient risk reduction is available to prevent or mitigate the consequences. However, not all HAZOP scenarios that may lead to severe consequences are candidates for a LOPA. In general, a LOPA is not a useful tool in cases where passive or active protective systems (instrumented or non-instrumented) cannot prevent the scenario or fully mitigate the consequence. When a scenario is better addressed through integrity management and quality assurance programs, a LOPA is not the proper tool to evaluate it. For example, normal corrosion of pipelines or vessels, design errors that lead to release of hazardous chemicals, equipment failure due to lack of maintenance, most weather-related events, acts of God, and poor maintenance cannot be evaluated by LOPA. The concern for vessel failure can instead be addressed as a high-pressure scenario.
IPLs

Let's assume that for the system shown in Figure 2, a HAZOP scenario has been identified for the failure of the control valve, as shown in Example 3. The LOPA team has assessed the LOPA scenario and determined that a risk reduction factor of 1000 is required to close the risk gap.
Figure 2: System for Example 3
Example 3:
PARAMETER: FLOW
GW: MORE
DEVIATION: Excessive flow
CAUSE: Flow control valve FV-01 fails open
CONSEQUENCE: Hazard: vessel overfill and overpressure. Consequence: potential vessel failure, release of flammable liquid, pool fire and potential injuries
SAFEGUARD: RV-01 (liq.), LAH-01, LAH-02, Manual drain
Assuming that RV-01 is a valid device (with the required recommendation to ensure the core requirements are met) capable of providing the equivalent of two IPLs (i.e., a risk reduction factor of 100), one more IPL is required. The additional IPL may be provided by the supervisory layer. One possibility is the high level alarm LAH-02 and operator response. This alarm is independent of the initiating cause. During the discussion of the scenario, the LOPA team may discover that, given the small size of the vessel, the level excursion is expected to occur within a few minutes. The board operator can detect the alarm, but it is not specific to the scenario being analyzed. Time for troubleshooting is required, and that may involve sending an operator to the field to investigate the problem, exposing him to potentially dangerous consequences. Additionally, because of operational excursions and spurious trips, the set points for the alarms may be frequently changed. The high level alarm is therefore not specific to the initiating cause and may not provide sufficient time for operator intervention to eliminate the hazardous condition. In this case, the high level alarm should not be credited as an IPL. To close the risk gap, a SIF may be recommended. However, as mentioned earlier, instrumentation should be the last choice; ISD should be considered as the first option. Brainstorming may lead to a possible solution involving the substitution of a specific length of pipe with one of smaller diameter to increase the pressure drop and either prevent the overpressure scenario or increase the process time required to reach the overpressure of the vessel. Another possible ISD option could be to change the impeller of the pump P-01 to reduce the maximum flow and pressure.
From the engineering viewpoint, the hazard source has been eliminated (assuming that the hazard has not migrated to other connected process areas). But the question that now arises is about proper management of those changes. What measures are in place to ensure that the impeller is not changed back to its original size? The answer may be a Management of Change system, recognizing that in the real world things are not perfect. If this ISD is used as an IPL, then it has to be managed according to the lifecycle requirements, which implies a more rigorous management process. A further step could be to replace the whole pump with a smaller one. In that case it would be more difficult to defeat the ISD measure, and it can be assumed that the hazardous scenario has been eliminated by design.
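The IPL screening and risk-gap arithmetic of Example 3, as an added illustration that is not part of the paper: the `Safeguard` class, its four requirement flags and the RRF values assigned to each candidate are assumptions drawn from the discussion above.

```python
from dataclasses import dataclass

# Hypothetical model of the IPL screening done in Example 3 (constructed for this
# page; not the paper's own tool). A safeguard earns credit only if it meets the
# core IPL requirements; credited RRFs multiply and are compared with the target.

@dataclass(frozen=True)
class Safeguard:
    tag: str
    rrf: int           # risk reduction factor claimed if credited (10 = one IPL)
    independent: bool  # independent of the initiating cause and of other IPLs
    specific: bool     # detects/prevents this particular scenario
    dependable: bool   # acts as designed with enough time for the response
    auditable: bool    # designed, tested and maintained to documented specs

    def is_ipl(self) -> bool:
        return all((self.independent, self.specific, self.dependable, self.auditable))

    def why_not(self) -> list:
        """Names the core requirements this safeguard fails."""
        checks = {"independent": self.independent, "specific": self.specific,
                  "dependable": self.dependable, "auditable": self.auditable}
        return [name for name, ok in checks.items() if not ok]

def assess_scenario(required_rrf: int, safeguards: list) -> dict:
    """Credits qualifying IPLs and reports the remaining risk gap as an RRF."""
    credited = [s for s in safeguards if s.is_ipl()]
    achieved = 1
    for s in credited:
        achieved *= s.rrf
    remaining = max(1.0, required_rrf / achieved)   # 1.0 means the gap is closed
    return {
        "credited": [s.tag for s in credited],
        "rejected": {s.tag: s.why_not() for s in safeguards if not s.is_ipl()},
        "achieved_rrf": achieved,
        "remaining_rrf": remaining,
        "gap_closed": remaining <= 1.0,
    }

# Example 3 as the LOPA team judged it: an RRF of 1000 is required, RV-01 is
# credited with an RRF of 100, and LAH-02 plus operator response is rejected
# because the alarm is not specific to the scenario and leaves too little time.
EXAMPLE_3 = [
    Safeguard("RV-01", 100, True, True, True, True),
    Safeguard("LAH-02 + operator response", 10, True, False, False, True),
]

if __name__ == "__main__":
    result = assess_scenario(1000, EXAMPLE_3)
    print(result)   # remaining_rrf 10.0: one more IPL needed, ISD preferred over a SIF
```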
5. Conclusions
LOPA is used widely in the industry as a risk assessment tool to evaluate the IPLs required to achieve the risk target. This paper presented common problems that are encountered during LOPA. The LOPA concept can be applied to any system but the outcome is not always justified. In general, LOPA is not a useful tool in cases where passive or active protective systems (instrumented or non-instrumented) cannot prevent the scenario or fully mitigate the consequence.
Understanding the life cycle of the protective system is critical for LOPA. If a protective system is credited as an IPL during LOPA, then there should be a management system to ensure that the existing IPLs are designed, operated, tested, and maintained according to the specifications.
In order to close the risk gap, SIFs are usually recommended. However, instrumentation should be the last choice. The LOPA team should always seek an ISD option first before turning to the SIF option.
6. References
1. Center for Chemical Process Safety (CCPS), Guidelines for Safe Automation of Chemical Processes, American Institute of Chemical Engineers, New York, NY, 1993.
2. Center for Chemical Process Safety (CCPS), Layer of Protection Analysis, Simplified Process Risk Assessment, American Institute of Chemical Engineers, New York, NY, 2001.
3. Center for Chemical Process Safety (CCPS), Guidelines for Safe and Reliable Instrumented Protective Systems, American Institute of Chemical Engineers, New York, NY, 2007.