
A LOPA CASE STUDY

Michela Gentile, Ph.D.


BP America
Houston, TX

John Baik, Ph.D.
BP America
Houston, TX


For presentation at:

2008 Spring National Meeting of
American Institute of Chemical Engineers
New Orleans, LA
April 6-10, 2008




ABSTRACT

The original concepts that led to today's Layers of Protection Analysis (LOPA) were
developed in the US in the late 80s and early 90s. In 2001 CCPS developed the LOPA
method as a systematic approach to ensure sufficient protective barriers are available to
prevent specific hazardous scenarios or mitigate the consequence.
Different LOPA methodologies have been used: some are based on simple frequency-
consequences matrices, others are based on risk targets; some follow the order of
magnitude approach, others follow a simplified quantitative risk assessment (QRA)
approach.
LOPA is not supposed to be a fancy HAZOP, nor a simplified QRA. This paper
presents some often misunderstood LOPA concepts using a case study.











1. Introduction

In the world of process safety, LOPA is a well known acronym that represents a
methodology for hazard and risk assessment. The methodology was developed as a
simplified form of risk assessment that might be used in cases where a simple HAZOP
was deemed insufficient to fully understand the intrinsic hazards and risk associated with a
specific scenario. For such scenarios, it was also recognized that a full quantitative risk
assessment (QRA) would demand significant expenses in terms of time and resources,
with the potential to obtain results that might be approximate because of the lack of
accurate data and information.
The Center for Chemical Process Safety (CCPS) in 1993 published Guidelines for
Safe Automation of Chemical Processes. This book introduced the concept of Layer of
Protection and the approach to analyze if sufficient independent layers were available (1).
The LOPA methodology was further defined by the 2001 CCPS book, Layers of
Protection Analysis (2) and the concepts were revisited in Guidelines for Safe and
Reliable Instrumented Protective Systems (3), published in 2007 by CCPS. A number of
other publications on the topics of layers of protection and LOPAs have also been
produced during the last fifteen years.
The resulting literature documents the evolution of the concepts and ideas around
the Layers of Protection Analysis. The literature also shows how the application of the
methodology has progressed mainly towards a specialized field such as safety
instrumented systems.
Today, LOPA is commonly applied to determine the level of integrity required for
instrumented systems to close the risk gap in a specific facility or design. In other cases,
LOPA is also used as an advanced HAZOP with the idea of identifying hazards and
risk gaps. A growing interest appears to be developing for better or more accurate
data for protective layers, leading the LOPA methodology towards a more quantitative
approach.
In general, the definition of the LOPA acronym is very well understood, but applying
the LOPA concepts and methodology is challenging, and the methodology is sometimes
misused. This paper explores the challenges associated with the use of LOPA in different
environments and presents examples of some of the most common misunderstandings.


2. Back to the basics

The question that a layer of protection analysis seeks to answer is "Are there
sufficient protective layers to prevent the scenario or eventually mitigate the potential
consequences?" By providing a systematic approach to verify which safeguards can be
used as IPLs and how much credit can be assigned, LOPA allows risk gaps to be identified
and closed. LOPA was developed with specific goals, namely to ensure that:

- Appropriate and sufficient risk reduction measures are in place to achieve the risk
target
- Existing risk gaps are identified and appropriate measures (i.e., new IPLs) are
designed, installed, and maintained.

While performing LOPA, it is frequently assumed that when a risk gap is identified
(i.e., the available layers of protection are deemed insufficient to prevent or mitigate the
hazardous scenario) it should be closed by designing instrumented functions. In reality,
instrumented functions should be considered a last resort, used only when other
types of IPLs cannot be identified or implemented. Inherently safer design should be the
first option to be analyzed, followed by non-instrumented options.

Life-Cycle of Protective Systems

Hazard identification and Layer of Protection Analysis are the first steps to identify
and design protective systems. LOPA is the beginning of the lifecycle of protective
systems, not the end. The output from the LOPA, which
includes the list of IPLs and their requirements, is used to ensure that the existing IPLs are
designed, operated, tested, and maintained according to the specifications. The LOPA
output also indicates the list of new IPLs that shall be designed and installed in order to
close the risk gaps identified by the LOPA.

Hazard Identification

LOPA relies on the identification of hazardous scenarios through the application of
other techniques, better suited for the task, such as HAZOP. HAZOP identifies initiating
causes and their potential consequences and provides the basis for LOPA. Therefore, if the
hazard identification step is poorly performed, LOPA may become quite challenging.
The output from LOPA is a list of existing protective layers that meet the core
requirements and are maintained according to the specifications. LOPA also provides a
list of risk gaps where additional IPLs are required in order to reduce the likelihood of
hazardous scenarios. LOPA is therefore an important intermediate step in the
management of process safety.
The study offers the opportunity to ensure that the operational and equipment
constraints and needs are fully understood and adequate documentation and management
systems are in place.
While all HAZOP scenarios with high consequence rankings should be carefully
analyzed, not all of them are candidates for a LOPA. Examples of this are normal
corrosion of pipelines or vessels, design errors that lead to release of hazardous
chemicals, most weather-related events, acts of God, poor maintenance, etc. These
scenarios are better addressed by integrity and quality assurance programs. This issue is
addressed in more detail in example 2 of Section 4.


3. Challenges

Since LOPA requires consideration of not only the technical aspects of the process
but also human factors and management aspects, it is also subject to the challenges
associated with handling of all the information. Therefore, the LOPA facilitator must
have a good understanding of those aspects and should be able to extract sufficient
information from the team and integrate it in the LOPA scenario. In some cases, the daily
workload and limited availability of highly trained and experienced individuals in the
team must be accounted for as the studies are conducted.
Currently, different LOPA approaches are used depending on the companies
involved. Some use a simplified QRA approach that allows the use of modifiers such as
probability of ignition, while others use risk matrices, known as order of magnitude
approach, that indicate the required number of IPLs for an initiating cause frequency and
consequence couple. Theoretically, regardless of the methodology applied, the LOPA
study should lead to similar conclusions. However, the outcome of the two approaches
can sometimes be quite different.
A challenge in the QRA-like approach is the use of frequency modification factors.
People using this approach tend to use the factors by default and may underestimate the
risk associated with the scenario. The outcomes of the LOPA can also be quite different
depending on the team members involved. Therefore, if this approach is used, it is
important that the LOPA team choose the factors based on careful engineering judgments
considering the operating environment and conditions.
In the order of magnitude approach, usually no modification factors are used and the
results are consistent regardless of the team members involved. However, this approach
can sometimes result in an overly conservative result.
Regardless of the approach used, the outcome of the LOPA should always be
checked to confirm that it makes sense.


4. Case Study

What is a LOPA Scenario?

As mentioned previously, LOPA relies on hazard identification. It is therefore
fundamental for LOPA to start from an appropriate HAZOP analysis, where the initiating
cause and consequence pair have been clearly identified and the severity of the
consequence is ranked without taking into account the safeguards identified for the
scenario.
Unless hazardous scenarios and their severity of consequences are identified during
the HAZOP, it is not possible for LOPA to assess how many IPLs are required to close
the risk gap. The severity of the consequence has to be reasonably conservative. If the
severity ranking is estimated too low, then the outcome can be that no or fewer IPLs are required.
On the contrary, if the severity ranking is estimated in an overly conservative way (e.g., if
all flammable releases are assumed to lead to a fatality) it is possible to end up with an
excessive number of IPLs required.

For the system shown in Figure 1, a HAZOP scenario for high pressure may look like:







Example 1a:

PARAMETER: PRESSURE

| GW | DEVIATION | CAUSE | CONSEQUENCE | SAFEGUARD |
|----|-----------|-------|-------------|-----------|
| MORE | Excessive flow | Valve failure | No consequence identified | |



The scenario presented in Example 1a will not be included in a LOPA since no
consequences are identified. In this case, the HAZOP team is assumed to have considered
the safeguards in determining the consequence. Since they are assuming that the
safeguards would work properly, no consequences were identified.
A better HAZOP entry for the scenario presented in Example 1a is shown in the
following example:

Example 1b:

PARAMETER: PRESSURE

| GW | DEVIATION | CAUSE | CONSEQUENCE | SAFEGUARD |
|----|-----------|-------|-------------|-----------|
| MORE | High pressure in V-01 | Pressure regulator valve PRV-01 fails open | Hazard: vessel/flange failure and release of flammable gas. Consequence: Potential for flash fire that will lead to injuries | RV-01; PAH-01 |


Based on this HAZOP entry, the scenario will be included in a LOPA study. The
team identified the specific deviation (i.e., initiating cause), hazardous events and most
credible hazardous consequences based on the type of process fluid and the quantity that
could be released. When this HAZOP scenario is analyzed in a LOPA, the identified
safeguards will be assessed against the requirements to be credited as IPLs (i.e.,
independence, specificity, auditability, etc.).


Figure 1: System for Example 1a and 1b.


Validity of Initiating Causes

In cases where corrosion is likely to affect the integrity of a vessel, a HAZOP
scenario may be developed as shown in Example 2:

Example 2:

PARAMETER: corrosion/erosion

| GW | DEVIATION | CAUSE | CONSEQUENCE | SAFEGUARD |
|----|-----------|-------|-------------|-----------|
| ISSUES | Excessive corrosion | General corrosion | Possible piping failure, release of hydrocarbons, fire and explosion | Integrity management program; Corrosion probes |


From a HAZOP viewpoint, this scenario is valid and the potential consequence may
be severe. All HAZOP scenarios with high consequence rankings should be carefully
analyzed to ensure that sufficient risk reduction is available to prevent or mitigate the
consequences. However, not all HAZOP scenarios that may lead to severe consequences
are candidates for a LOPA.
In general, a LOPA is not a useful tool in cases where passive or active protective
systems (instrumented or non-instrumented) cannot prevent the scenario or fully mitigate
the consequence. When a scenario is better addressed through integrity management and
quality assurance programs, a LOPA is not a proper tool to evaluate the scenario. For
example, normal corrosion of pipelines or vessels, design errors that lead to release of
hazardous chemicals, equipment failure due to lack of maintenance, most weather-related
events, acts of God, and poor maintenance cannot be evaluated by LOPA. The concern for
vessel failure can be addressed as a "High pressure" scenario.

[Figure 1 labels: PRV-01, V-01, manual drain, PAH-01, safe location, RV-01]

IPLs

Let's assume that for the system shown in Figure 2, a HAZOP scenario has been
identified for the failure of the control valve, as shown in Example 3. The LOPA team
has assessed the LOPA scenario and determined that a risk reduction factor of 1000 is
required to close the risk gap.

Figure 2: System for Example 3


Example 3:

PARAMETER: FLOW

| GW | DEVIATION | CAUSE | CONSEQUENCE | SAFEGUARD |
|----|-----------|-------|-------------|-----------|
| MORE | Excessive flow | Flow control valve FV-01 fails open | Hazard: vessel overfill and overpressure. Consequence: Potential vessel failure, release of flammable liquid, pool fire and potential injuries. | RV-01 (liq.); LAH-01; LAH-02; Manual drain |


[Figure 2 labels: RV-01, V-01, manual drain, LAH-01, safe location, LT-01, P-01, FV-01, LAH-02, FV-02]

Assuming the RV-01 is a valid device (with the required recommendation to ensure
the core requirements are met) capable of providing the equivalent of two IPLs (i.e., risk
reduction factor of 100), one more IPL is required. The additional IPL may be provided
by the supervisory layer. A possibility is given by the high level alarm LAH-02 and
operator response. This alarm is independent of the initiating cause. During the
discussion of the scenario the LOPA team may discover that, given the small size of the
vessel, the level excursion is expected to occur in a few minutes. The board
operator can detect the alarm but it is not specific to the scenario that is being analyzed.
Time for troubleshooting is required and that may involve sending an operator to the field
to investigate the problem, exposing him to potentially dangerous consequences.
Additionally, because of operational excursions and spurious trips, the set points for the
alarms may be frequently changed. The high level alarm is therefore not specific to the
initiating cause and may not provide sufficient time for operator intervention to eliminate
the hazardous condition. In this case, the high level alarm should not be credited as an
IPL.
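
The Example 3 screening can be worked through in code. The following Python sketch is an added illustration, not part of the original paper: it screens each safeguard for independence, specificity and available response time, then computes the remaining risk gap in the order-of-magnitude approach. The required factor of 1000 and RV-01's factor of 100 are from the text; the field names, the factor of 10 claimed for the alarm, and the 5 and 20 minute times are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Safeguard:
    tag: str
    claimed_rrf: int                      # 10 per IPL (order-of-magnitude approach)
    independent: bool                     # independent of the initiating cause
    specific: bool                        # specific to the scenario analyzed
    response_min: Optional[float] = None  # operator response time; None = no operator


def screen(sg, process_time_min):
    """Reasons a safeguard fails the screened IPL requirements (empty = creditable)."""
    reasons = []
    if not sg.independent:
        reasons.append("not independent of initiating cause")
    if not sg.specific:
        reasons.append("not specific to scenario")
    if sg.response_min is not None and sg.response_min >= process_time_min:
        reasons.append("insufficient time for operator response")
    return reasons


def ipl_count(rrf):
    """Number of order-of-magnitude IPLs needed to deliver a risk reduction factor."""
    n = 0
    while 10 ** n < rrf:
        n += 1
    return n


def assess(required_rrf, process_time_min, safeguards):
    credited, rejected = 1, {}
    for sg in safeguards:
        reasons = screen(sg, process_time_min)
        if reasons:
            rejected[sg.tag] = reasons
        else:
            credited *= sg.claimed_rrf
    gap = max(1, -(-required_rrf // credited))  # ceiling division, never below 1
    return {"credited_rrf": credited, "remaining_rrf": gap,
            "ipls_still_required": ipl_count(gap), "rejected": rejected}

# RRF 1000 and RV-01 = 100 come from Example 3; the alarm's factor of 10 and the
# 5 min / 20 min times are constructed for illustration (assumptions).
EXAMPLE_3 = [
    Safeguard("RV-01", 100, independent=True, specific=True),
    Safeguard("LAH-02", 10, independent=True, specific=False, response_min=20.0),
]

if __name__ == "__main__":
    print(assess(required_rrf=1000, process_time_min=5.0, safeguards=EXAMPLE_3))
```

With these inputs the alarm is rejected on specificity and response time, so a factor of 10 (one IPL) remains to be closed.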
To close the risk gap, a SIF may be recommended. However, as mentioned earlier,
instrumentation should be the last choice. ISD should be considered as a first option.
Brainstorming may lead to a possible solution involving the substitution of a specific
length of pipe with a smaller diameter to increase the pressure drop and either prevent the
overpressure scenario or increase the process time required to reach the overpressure of
the vessel. Another possible ISD option could be to change the impeller of the pump P-01
to reduce the maximum flow and pressure. From the engineering viewpoint, the hazard
source has been eliminated (assuming that the hazard has not been migrated to other
connected process areas). But the question that now arises is about proper management of
those changes. What measures are in place to ensure that the impeller is not changed back
to its original size? The answer may be a Management of Change system, recognizing
that in the real world things are not perfect. If this ISD is used as an IPL then it would
have to be managed according to the lifecycle requirements, which imply a more rigorous
management process. The next step could be to change the whole pump for a
smaller one. That would make it more difficult to defeat the ISD measure, and it
can then be assumed that the hazardous scenario has been eliminated by design.


5. Conclusions

LOPA is used widely in the industry as a risk assessment tool to evaluate the IPLs
required to achieve the risk target. This paper presented common problems that are
encountered during LOPA. The LOPA concept can be applied to any system but the
outcome is not always justified. In general, LOPA is not a useful tool in cases where
passive or active protective systems (instrumented or non-instrumented) cannot prevent
the scenario or fully mitigate the consequence.

Understanding the life cycle of the protective system is critical for LOPA. If a protective
system is credited as an IPL during LOPA, then there should be a management system to
ensure that the existing IPLs are designed, operated, tested, and maintained according to
the specifications.

In order to close the risk gap, SIFs are usually recommended. However, instrumentation
should be the last choice. The LOPA team should always seek an ISD option first
before going to the SIF option.









6. References

1. Center for Chemical Process Safety (CCPS), Guidelines for Safe Automation of
Chemical Processes, American Institute of Chemical Engineers, New York, NY, 1993.

2. Center for Chemical Process Safety (CCPS), Layer of Protection Analysis, Simplified
Process Risk Assessment, American Institute of Chemical Engineers, New York, NY,
2001.

3. Center for Chemical Process Safety (CCPS), Guidelines for Safe and Reliable
Instrumented Protective Systems, American Institute of Chemical Engineers, New York,
NY, 2007.



