This report is the result of the master project executed Spring 2008, and is the final step in graduating as an Engineer with an MSc degree from The Norwegian University of Science and Technology (NTNU). The master project is in collaboration with Aker Subsea AS, which is part of the Subsea Business Area within Aker Solutions. Aker Subsea provides leading oil production systems and equipment located sub-surface, and recent projects are Morvin (North Sea), Kristin (North Sea), Reliance KG-D6 (India) and Dalia (Angola). The work has been performed partly in Trondheim at the facilities of the Department of Production and Quality Engineering (IPK), and at Aker Solutions headquarters outside of Oslo.
A very special thanks to my supervisor and professor Marvin Rausand (NTNU), who has been helpful with thorough guidance throughout the master project. Another person that deserves attention is Linn Nordhagen (Aker Engineering and Technology), who has provided helpful information on LOPA from a practical perspective, and given comments to the final product. Gratitude must be expressed toward Aker Subsea and Thor Kjetil Hallan for offering office space and providing information. Others that should be mentioned are: Katrine Harsem Lund (Scandpower Risk Management AS), Bjørn Solheim (BP) and Hanne Rolén (Aker Subsea).
Christopher A. Lassen
Snarøya, 19.06.2008
Contents
List of Tables
List of Figures
1 Introduction
1.1 Introduction to LOPA
1.2 Objectives
1.3 Limitations and structure
1.4 Relation to IEC 61508 and 61511
3 LOPA
3.1 What is LOPA?
3.2 Explanation of terms
3.3 The LOPA team
3.4 LOPA worksheet and the LOPA process
3.5 Different approaches in literature
3.6 Aker E&T methodology
4 Preferred approach
4.1 Flowchart
4.2 Comments to the preferred LOPA approach
5.5 Illustration of software program
A Basic concepts
B Software schematic

List of Tables
1.1 SIL for safety functions operating in low demand of operation adapted from IEC 61511 (2003)
4.1 Target mitigated event likelihood for safety hazards adapted from Nordhagen (2007)
4.2 Typical frequency values assigned to initiating causes adapted from CCPS (2001)
4.3 PFDs for IPLs adapted from CCPS (2001) and BP (2006)

List of Figures
2.1 Typical risk matrix modified for SIL determination adapted from (Marszal and Scharpf, 2002)
2.2 Safety layer matrix diagram adapted from IEC 61511 (2003)
2.3 Typical risk graph
3.1 Risk analysis procedures adopted from Rausand and Høyland (2004)
3.2 The LOPA onion
3.3 Relation between initiating causes, impact event, process deviation and IPLs
3.4 Extract of SIL determination methodology from Ellis and Wharton (2006)
3.5 Aker E&T methodology adapted from Nordhagen (2007)
B.1 Step 1
B.2 Step 2
B.3 Step 3
B.4 Step 4
B.5 Step 5
V
Abbreviations
PSV pressure safety valve
PT pressure transmitter
QRA quantitative risk analysis
ROV remotely operated vehicle
SCM subsea control module
SEM electronic control module
SIF safety instrumented function
SIL safety integrity level
SIS safety instrumented system
SPS subsea production system
TMEL target mitigated event likelihood
TT temperature transmitter
VB Visual Basic
WV wing valve (PWV)
XV cross-over valve (XOV)
XT X-mas tree (XMT)
Summary
Layer of protection analysis (LOPA) and other safety integrity level (SIL) determination methods have been described, and the terms used in LOPA have been thoroughly defined and clarified. Different views on LOPA found in the literature have been presented, and a preferred / recommended LOPA approach has been developed and described. This preferred approach has also been applied to a case study based on systems from Aker Engineering and Technology and Aker Subsea. The interface between LOPA and hazard and operability study (HAZOP) has been discussed, and it has been presented how an integrated software tool could work.
The SIL is a measure of the availability of a protection layer or barrier. Protection layers include basic process control system (BPCS), critical alarms and human intervention, safety instrumented functions (SIF), physical protection and emergency response. All these mitigate the frequency of the occurrence of the potential unwanted end-consequence or mitigate the impact the end-consequence represents.
LOPA is a tool to determine the SIL of a SIF, and it evaluates the other protection layers individually by looking at the risk mitigation they lead to. Other tools are the quantitative method described in IEC 61508, the OLF 070 guideline, the risk matrix, the safety layer matrix, the risk graph and the calibrated risk graph. Except for the quantitative method in IEC 61508 and the OLF 070 guideline, these are graphical and qualitative methods which are simpler than LOPA. These SIL determination methods do not differentiate between the individual risk mitigation the protection layers lead to.
A clear understanding of the terms in LOPA is important, and a clear methodology is essential to ensure a strong framework. The following relationship between the terms is defined: the initiating causes lead to a process deviation, which again may lead to an impact event that may result in an end-consequence. Protection layers are introduced both before and after the impact event. An example is the initiating cause slippery road, which leads to the impact event car crash. The car crash has an end-consequence of three fatalities. In order to prevent this fatal outcome, measures such as a rigid car body, air-bags and traction control may serve as protection layers.
The preferred LOPA approach developed during the master thesis is based on the one in IEC 61511, taking the views from other methodologies in the literature into account. The impact event is the starting point of the analysis. The frequency of the initiating events is multiplied with the probability of failure on demand for all credited independent protection layers. In addition, occupancy and ignition probability (if applicable) are multiplied with the result. The final value is denoted the intermediate event likelihood. This is the frequency of the occurrence of the end-consequence with the existing protection layers in place. By comparing this with a target frequency measure, the needed SIL is estimated.
HAZOP is a hazard identification method often applied prior to or simultaneously with a LOPA. By integrating HAZOP and LOPA, a high quality analysis requiring fewer resources may be the result. HAZOP has information in common with LOPA, and some information has to be transformed. A software tool used to combine and integrate the two methods is beneficial. Such a tool is advanced, and must incorporate a complex issue like the implementation of expert judgment, which is important in LOPA.
The definition of terms and the preferred approach have proved to be beneficial when applying LOPA during the case study. An extensive issue during this process has been which protection layers are independent, and which are not. This requires understanding of basic reliability concepts, but also a great amount of process and system understanding.
The concept of independent protection layers should be evaluated further, and together with facilitating expert judgment during LOPA and in possible software tools, these are considered the main challenges.
Chapter 1
Introduction
different authors, and definitions and interpretations of terms like scenario and independent protection layers (IPL) may be confusing.
1.2 Objectives
The objective of the master project is to gain extensive knowledge of various methods to allocate requirements to safety instrumented systems, with focus on layer of protection analysis (LOPA). As a part of this the following aspects shall be covered:
• Carry out a literature survey and compare and discuss the different approaches to LOPA found in the literature.
• Define and clarify all basic concepts of the recommended LOPA approach.
• Identify and describe interfaces between LOPA and other risk analysis methods (especially HAZOP).
• Discuss pros and cons related to LOPA, and especially the limitations of LOPA.
• Define, exemplify, and discuss the independent protection layer (IPL) concept and discuss the applicability of LOPA in cases where the independence is violated.
discussed. A preferred approach is developed, and presented in Chapter 4, including a description of each step and the basic concepts that are employed. The interface between HAZOP and LOPA is covered in Chapter 5. In addition the functionality of a software tool integrating LOPA and HAZOP is described. In Chapter 6 the applicability of the preferred LOPA approach suggested in Chapter 4 is evaluated in a case study. Finally, conclusions and recommendations for further work are given in Chapter 7.
Table 1.1: SIL for safety functions operating in low demand mode of operation, adapted from IEC 61511 (2003)

Safety integrity level (SIL)    Average probability of failure to perform its design function on demand (PFD)
4                               ≥ 10^-5 to < 10^-4
3                               ≥ 10^-4 to < 10^-3
2                               ≥ 10^-3 to < 10^-2
1                               ≥ 10^-2 to < 10^-1
quently. The SIL requirement is then verified by calculating the PFD (Rausand and Høyland, 2004; Schönbeck, 2007). In Table 1.1 the PFD related to the four SILs for low demand mode of operation is presented.
The standards do not prescribe how the SIL of a SIF should be determined, only that it has to be determined. Figure 1.1 shows the safety lifecycle used as the basic framework in IEC 61508 and IEC 61511. This framework makes it possible to deal with requirements and activities in a structured manner. After the two initial phases, "concept" and "overall scope definition", the risk associated with the EUC is analyzed in the "hazard and risk analysis" phase. Techniques such as checklists, failure modes and effects analysis (FMEA) and HAZOP may be used. The next step, which has a red box in Figure 1.1, is to specify the overall safety requirements in terms of safety functions and safety integrity which are needed to achieve the necessary risk reduction. It is during this activity that the SIL is determined, and this activity / phase is of greatest importance. LOPA may be applied during this phase, but other methods like the risk graph and the safety layer matrix are also applicable. In the next phase, "safety requirements allocation", the safety functions are allocated to one or more SIS. Although phase four is the most interesting in this case, phases three and five will come into play, as they give the input to and receive the output from phase four. All of these activities are carried out in the design phase prior to final design and manufacturing (Rausand and Høyland, 2004; IEC 61508, 2003; Schönbeck, 2007).
Chapter 2
Table 2.1: Risk classification of accidents adapted from IEC 61508

Frequency      Consequence
               Catastrophic   Critical   Marginal   Negligible
Frequent       I              I          I          II
Probable       I              I          II         III
Occasional     I              II         III        III
Remote         II             III        III        IV
Improbable     III            III        IV         IV
Incredible     IV             IV         IV         IV
This result is the acceptable frequency / demand, hence the probability of failure on demand. The protection system may consist of several sub-systems performing several SIFs, and the PFD may be allocated further down. In this case high integrity pipeline protection system (HIPPS), production shutdown (PSD), emergency shut down (ESD) etc. are such systems or functions.
2.2 Risk matrix
The risk matrix, often denoted hazard matrix, is one of the most popular SIL determination methods due to its simplicity. The risk matrix takes frequency and consequence into account qualitatively, based on a categorization of the risk parameters. Figure 2.1 shows a typical risk matrix diagram modified for SIL determination. The consequence and frequency (likelihood) make one axis each, enabling the user to plot the situation under consideration in the diagram. If each box in the diagram has an attached SIL, the determination process is simple. The consequence categories may be expressed in terms of economic, human or environmental loss. The categories divide the consequences into minor, serious or extensive according to the level of severity. The likelihood categories are divided into low, moderate or high. The categories can be selected qualitatively, using expert judgment, but quantitative tools can in some cases be utilized to make it easier to determine which category to use. Then the categories may be attached to economic figures, number of fatalities, frequency categories, etc. In Figure 2.1, different SILs are applied. Minor consequence - low likelihood leads to no SIL required. This means that the risk is considered tolerable. Minor consequence - moderate likelihood leads to a low SIL, while extensive consequence - high likelihood leads to a high SIL. If a SIL 3 is required, further analysis should be done, as one SIF may not provide sufficient risk reduction (Marszal and Scharpf, 2002).
Figure 2.1: Typical risk matrix modified for SIL determination adapted from
(Marszal and Scharpf, 2002)
If the consequence is one that could cause any serious injury or fatality on site or off site, it could be categorized as serious. If the frequency of this outcome is expected to be > 10^-2, the assigned category is high. This consequence - likelihood pair would in Figure 2.1 give a SIL 3, but with further analysis required (Marszal and Scharpf, 2002).
It is important to emphasize that the categorization and determination may lead to an unrealistic result. Other tools and methods may be used in conjunction with this method to improve the quality of the categories and the accuracy of the plotting (Marszal and Scharpf, 2002; IEC 61511, 2003).
Table 2.2: Frequency of hazardous event likelihood, adopted from IEC 61511

Type of events                                                                      Likelihood (qualitative ranking)
Events such as multiple failures of diverse instruments or valves, multiple
human errors in a stress-free environment, or spontaneous failures of
process vessels                                                                     Low
Events such as dual instrument or valve failures, or major releases in
loading / unloading areas                                                           Medium
Events such as process leaks, single instrument or valve failures, or human
errors that result in small releases of hazardous materials                         High

*The system should be in accordance with this standard when a claim that a control function fails less frequently than 10^-1 per year is made.

Figure 2.2: Safety layer matrix diagram adapted from IEC 61511 (2003)
Figure 2.2 shows a typical safety layer matrix. The risk criteria are embedded in the diagram, and the methodology and categorization are similar to the risk matrix. The specific hazardous event likelihood and hazardous event severity classification is plotted. This results in one of the 9 columns in the figure. In order to determine the final box in the figure that contains the necessary SIL, the number of PLs must be identified (IEC 61511, 2003). An example could be a process leak resulting in catastrophic consequence to personnel (several casualties). The hazardous event severity is categorized as serious. In Table 2.2 the occurrence of a process leak is classified with high likelihood. Two mechanical pressure relief devices were identified satisfying the PL criteria. In Figure 2.2 an event with serious consequence - high likelihood rating with two PLs would require a SIL 2. If the number of PLs had been one, a SIL 3 and additional analysis would be required.
Table 2.3: SIL requirement table, adopted from OLF 070

Safety function: Subsea ESD, isolate one subsea well
SIL requirement: 3
Functional boundaries for given SIL / comments: Shut-in of one subsea well. The SIL requirement applies to a conventional system with flowline, riser and riser ESD valve rated for shut-in conditions. Isolation of one well by activating or closing:
- ESD node
- Topside HPU and / or EPU
- WV and CIV including actuators and solenoids
- MV
- DHSV including actuators and solenoids
Ref.: A.13
Table 2.4: Classification of risk parameters, adopted from IEC 61511

Consequence (C):
  CA  Light injury to persons
  CB  Serious injury to one or more persons; death of one person
  CC  Death of several persons
  CD  Catastrophic effect, very many people killed
Frequency of presence in the hazardous zone (F) (occupancy):
  FA  Rare to more frequent exposure in the hazardous zone
  FB  Frequent to permanent exposure in the hazardous zone
Possibility of avoiding the consequences of the hazardous event (P):
  PA  Possible under certain conditions
  PB  Almost impossible
Frequency of the unwanted consequence (W):
  W1  A very slight probability that the unwanted occurrences occur and only a few occurrences are likely
  W2  A slight probability that the unwanted occurrences occur and few occurrences are likely
  W3  A relatively high probability that the unwanted occurrences occur and frequent occurrences are likely
quences are measured in the extent of injury to people, but also environmental or financial target measures can be utilized (IEC 61511, 2003; Marszal and Scharpf, 2002).
The occupancy parameter (F) indicates the fraction of time the hazardous area is occupied by personnel. FB indicates higher risk than FA, as the area is more frequently exposed. Usually, FA is selected if the hazardous area is occupied less than approximately 10% of the time (IEC 61511, 2003).
The possibility of personnel avoiding the hazard is incorporated in the parameter P. This parameter reflects what means the personnel have to identify and escape the hazard. In addition, skill and supervision in process operation, and the rate of development of the hazardous event, are taken into account. Two categories, PA and PB, are suggested, and PB indicates the highest risk. A checklist of statements that must be true in order to select PA can be utilized in the evaluation. Such statements are suggested in IEC 61511.
The final parameter is the demand rate parameter (W), which is the frequency per year of the unwanted consequence without the SIF under consideration but with other safeguards operating. Also for this parameter, higher parameter indices indicate higher risk, as they take less credit for risk reduction by other safeguards. W1 indicates that only a few occurrences are likely, and a demand rate less than 0.03 per year could fit such a description. W2 and W3 indicate that few occurrences or frequent occurrences are likely, and suitable demand rates per year could be 0.03 - 0.3 and more than 3, respectively. The choice of this parameter will affect the result, and care should be taken when selecting the category (Baybutt, 2007; IEC 61511, 2003).
Figure 2.3 shows a typical risk graph diagram. The path from left to right is decided by the selected risk parameters. The selected consequence, occupancy and possibility of avoidance categories result in an output row X. Each output row corresponds to three values of W. The selection of the demand rate W is the last step in determining the SIL. A higher W parameter leads to a higher SIL. The tolerable level of risk is embedded in the boxes in the three columns at the right hand side, and the choice of these must support the company risk criteria (Marszal and Scharpf, 2002; IEC 61511, 2003).
If the separator example, as explained in Section 2.1, is employed, the reasoning will be as follows: If the likely consequence is evaluated to be serious injury to one or more persons, CB is selected. Then, FA is chosen because the area could be rarely to more frequently exposed to personnel. It is possible under certain conditions to avoid the consequences, which indicates that parameter PA should be used. The combination of these risk parameters results in output row X2. There is a relatively high probability that the unwanted occurrence takes place, and the demand rate category is set to W3. In Figure 2.3 this results in a SIL 1 requirement.
Figure 2.3: Typical risk graph
Table 2.5: Example calibration, adapted from IEC 61511

Consequence (C): number of fatalities, calculated as "No. of people present when the area exposed to the hazard is occupied" · "vulnerability (V) to the identified hazard", where
  V = 0.01 (small release of flammable or toxic material)
  V = 0.1 (large release of flammable or toxic material)
  V = 0.5 (as above, but also a high probability of catching fire, or highly toxic material)
  V = 1 (rupture or explosion)
  CA  Minor injury
  CB  0.01 < No. of fatalities < 0.1
  CC  0.1 < No. of fatalities < 1.0
  CD  No. of fatalities > 1.0
Occupancy (F): percentage of time the exposed area is occupied during a normal working period
  FA  Occupancy < 0.1
  FB  Otherwise
Possibility of avoidance (P):
  PA  Hazard can be prevented by the operator taking action after he realizes the SIS has failed to operate. Refer to certain conditions (given in IEC 61511-3)
  PB  Adopted if the conditions do not apply
Demand rate (W):
  W1  Demand rate < 0.1D per year
  W2  0.1D < Demand rate < 10D
  W3  For Demand rate > 10D, higher safety integrity shall be needed
D is the calibration factor.
According to Marszal and Scharpf (2002) potential loss of life (PLL) ranges could also be used as a measure of the consequence. PLL is the expected number of fatalities within a population during a specified period of time (NORSOK Z-013, 2001). Note that care should be taken if PLL is chosen as a measure, because it incorporates both probability and consequence. When assigning the other risk parameters it is important to make sure that the consequence parameter is considered independent (Marszal and Scharpf, 2002).
The parameter F is often measured by the percentage of time the area that is exposed to the hazard is occupied. FA should be used if the parameter value is less than 0.1 (IEC 61511, 2003; Marszal and Scharpf, 2002).
The avoidance factor PA is selected if all conditions stated in IEC 61511-3 are satisfied. PB is selected if not (IEC 61511, 2003).
The demand rate (W) is the number of times per year that the hazardous event would occur in the absence of the SIF under consideration. In Table 2.5 ranges for the different categories are assigned. D is a calibration factor that should make the risk graph result in a level of residual risk that is tolerable. It is important that issues are not accounted for several times, making the result erroneous. Documentation of the calibration process with references is necessary, and should be done with care (Marszal and Scharpf, 2002; IEC 61511, 2003).
When the calibration process is finished and the parameters decided, the risk graph is used to determine the SIL. The demand rate, occupancy and possibility of avoiding the consequence of the hazardous event together represent the frequency of the unwanted consequence. In combination with the unwanted consequence, the frequency constitutes the risk without the SIF in place. The input in each box in the risk graph must be in accordance with the tolerable risk (IEC 61511, 2003; Marszal and Scharpf, 2002).
The separator example as referred to in the previous section could again serve as an illustration. In this case the vulnerability measure is estimated to be equal to 0.5. Overpressure is severe and results in a large release of flammable material with a high probability of catching fire. If the number of people present when the area is occupied is 2, the resulting number of fatalities is 1 and class CC is selected as the consequence severity. One operator does maintenance work or supervision approximately 45 minutes per day, so the exposed area is occupied less than 10% of the time, giving the occupancy class FA. The conditions regarding the possibility of avoidance are satisfied and PA is selected. The calibration factor D is set to 4. The demand rate is estimated to 20 demands per year. This is less than 40 and greater than 0.4, which corresponds to W2. The SIL is determined as for the qualitative risk graph, and results in a SIL 2 requirement.
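The calibration of Table 2.5 and the separator example above, written out as an added example (not code from the thesis or from IEC 61511): each risk parameter is derived from its numeric input, and the separator values (V = 0.5, 2 people, 45 minutes per day, D = 4, 20 demands per year) reproduce CC, FA, PA, W2. Treating the upper class bounds as inclusive is an assumption made so that exactly 1.0 fatality lands in CC as the text states; the final lookup from the parameters to a SIL requires the risk graph figure itself and is therefore not part of the code.

```python
"""Risk graph calibration per Table 2.5 (adapted from IEC 61511).

Added example, not code from the thesis. Thresholds are those of Table 2.5;
treating the upper bounds as inclusive is an assumption, chosen so that the
separator example (2 people, V = 0.5 -> exactly 1.0 fatality) lands in CC
as the text states. Mapping (C, F, P, W) to a SIL needs the risk graph figure
itself (Figure 2.3), so this module stops at the calibrated parameters.
"""
from dataclasses import dataclass

# Vulnerability factors V suggested in Table 2.5.
VULNERABILITY = {
    "small release of flammable or toxic material": 0.01,
    "large release of flammable or toxic material": 0.1,
    "large release, high probability of fire or highly toxic material": 0.5,
    "rupture or explosion": 1.0,
}


def expected_fatalities(people_present: float, vulnerability: float) -> float:
    """Table 2.5: 'no. of people present when the area is occupied' x 'vulnerability'."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability V must be a probability in [0, 1]")
    if people_present < 0:
        raise ValueError("people_present must be non-negative")
    return people_present * vulnerability


def consequence_class(fatalities: float) -> str:
    """Consequence parameter C from the expected number of fatalities."""
    if fatalities <= 0.01:
        return "CA"  # minor injury only
    if fatalities <= 0.1:
        return "CB"
    if fatalities <= 1.0:  # assumption: 1.0 belongs to CC (separator example)
        return "CC"
    return "CD"


def occupancy_class(fraction_occupied: float) -> str:
    """Occupancy parameter F: FA if the exposed area is occupied < 10 % of the time."""
    if not 0.0 <= fraction_occupied <= 1.0:
        raise ValueError("occupancy must be a fraction in [0, 1]")
    return "FA" if fraction_occupied < 0.1 else "FB"


def avoidance_class(all_conditions_met: bool) -> str:
    """Avoidance parameter P: PA only if every IEC 61511-3 condition is satisfied."""
    return "PA" if all_conditions_met else "PB"


def demand_rate_class(demands_per_year: float, calibration_factor: float) -> str:
    """Demand rate parameter W relative to the calibration factor D.

    W1: rate < 0.1 D; W2: 0.1 D <= rate <= 10 D; W3: rate > 10 D (Table 2.5
    notes that W3 calls for higher safety integrity than the graph provides).
    """
    if calibration_factor <= 0 or demands_per_year < 0:
        raise ValueError("D must be positive and the demand rate non-negative")
    if demands_per_year < 0.1 * calibration_factor:
        return "W1"
    if demands_per_year <= 10 * calibration_factor:
        return "W2"
    return "W3"


@dataclass(frozen=True)
class RiskGraphInput:
    """Calibrated parameters that select the path through the risk graph."""
    consequence: str
    occupancy: str
    avoidance: str
    demand_rate: str


def calibrate(people_present, vulnerability, fraction_occupied,
              avoidance_conditions_met, demands_per_year, calibration_factor):
    """Classify all four risk graph parameters for one hazardous event."""
    return RiskGraphInput(
        consequence=consequence_class(expected_fatalities(people_present, vulnerability)),
        occupancy=occupancy_class(fraction_occupied),
        avoidance=avoidance_class(avoidance_conditions_met),
        demand_rate=demand_rate_class(demands_per_year, calibration_factor),
    )


if __name__ == "__main__":
    # Separator example: V = 0.5 (large release, likely fire), two people
    # present, one operator exposed 45 min per day (45/1440 of the time),
    # D = 4, 20 demands per year.
    v = VULNERABILITY["large release, high probability of fire or highly toxic material"]
    print(calibrate(2, v, 45 / 1440, True, 20, 4))
    # -> RiskGraphInput(consequence='CC', occupancy='FA', avoidance='PA', demand_rate='W2')
```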
Chapter 3
LOPA
Figure 3.1: Risk analysis procedures adopted from Rausand and Høyland (2004)
According to Marszal and Scharpf (2002), LOPA can be viewed as a special type of event tree analysis (ETA), which has the purpose of determining the frequency of an unwanted consequence that can be prevented by a set of protection layers. The approach evaluates a worst-case scenario, where all the protection layers must fail in order for the consequence to occur. The frequency of the unwanted consequence is calculated by multiplying the PFDs of the protection layers with the demand on the protection system (represented as a frequency). Comparing the resulting frequency of the unwanted consequence with a tolerable risk frequency identifies the necessary risk reduction, and an appropriate SIL can be selected (Marszal and Scharpf, 2002; CCPS, 2001).
LOPA is a semi-quantitative method using numerical categories to estimate the parameters needed to calculate the necessary risk reduction which corresponds to the acceptance criteria (CCPS, 2001). In a quantitative risk assessment (QRA) mathematical models and simulations are often used to estimate the extent or escalation of damage, e.g. toxic diffusion, explosion expansion or fire escalation. In addition, FTA or other methods are used to calculate the frequency of the accidental event (Rausand and Høyland, 2004). In LOPA, simplifications, expert judgment and tables are used to estimate the needed numbers (CCPS, 2001). LOPA usually receives output from a HAZOP or a hazard identification study (HAZID) and often serves as input to a more thorough analysis such as a QRA. Figure 3.1 is often referred to as the bow-tie and is a common figure to describe risk analysis. It shows the accidental event which is linked to the causes and the consequences, and the methods which may be applied in the different phases. An ETA focuses on the consequence spectrum, not on the causal analysis, implying that LOPA is placed in column (c) to the right in the figure. On the other hand LOPA is not as in-depth as would be expected from a consequence analysis and does have a close interaction with HAZOP, suggesting that it should be positioned more to the middle (column b). The final "position" is somewhere in between.
Often, an "onion" as the one in Figure 3.2 is used as an illustration of the protection layers in LOPA. The system or process design has protection layers including basic process control system (BPCS), critical alarms and human intervention, SIFs, physical protection and emergency response.
BPCS is the control system used during normal operation and is sometimes denoted the process control system (PCS). Input signals from the process and / or from the operator are converted into outputs which make the process operate in a desired manner. If the control system discovers that the process is out of control (e.g. high pressure) it may initiate actions to stabilize the temperature (e.g. choking the flow) (CCPS, 2001; IEC 61511, 2003).
Alarms monitoring certain parameters (e.g. pressure and temperature) are considered another protection layer. When the alarm is tripped, the operator may intervene to stop the hazardous development. Note that the alarm system has to be wired to another loop than the BPCS in order to be independent (CCPS, 2001; IEC 61511, 2003).
Figure 3.2: The LOPA onion
Rausand (2004) describes a SIS as a system comprising sensors, logic solver(s), and actuating (final) items, which can be looked upon as an independent protection shell for machinery or equipment. A SIS implements the wanted safety function (SIF). In LOPA, SIFs are considered as protection layers.
Physical protection includes equipment like pressure relief devices. In a separator this may be a rupture disc which blows off pressure if the pressure is too high. Post-release protection is physical protection such as dikes, blast walls etc. These have their function after the release or explosion has occurred. Both of these types of physical protection are considered protection layers in LOPA (CCPS, 2001; The Dow Chemical Company, 2002; ACM Facility Safety, 2006).
If an accident occurs, procedures, evacuation plans, equipment and medical treatment help the exposed personnel to escape, or mitigate damage / injury. Such measures are classified as plant and community emergency response, and are considered the final protection layer (CCPS, 2001; The Dow Chemical Company, 2002; ACM Facility Safety, 2006).
LOPA incorporates the reliability of the existing barriers to determine the reliability of the needed SIF. Note that LOPA does not determine what protection layers to implement, only the needed performance. In some cases, a SIF is already present, and the SIL of an additional SIF shall be determined. How many and which protection layers are required depends on the situation at hand (CCPS, 2001; The Dow Chemical Company, 2002).
3.2 Explanation of terms
Various authors use different terms in LOPA. Examples are terms like scenario, impact event and initiating event. This makes it confusing to understand what is meant by the different terms and how they are applied. What exactly is an impact event? Does an impact event description include both causes and consequences? What is an impact event compared to an accidental event? What is a scenario? What is an independent protection layer? "Where" do we start the LOPA analysis? The objective of this section is to clarify these questions, and build the foundation for the further evaluation of LOPA. The relation between the terms is described by Figure 3.3.
Process deviation
According to NORSOK Z-013 (2001) an accidental event is defined as "event or chain of events that may cause loss of life, or damage to health, the environment or assets". Another definition is "the first significant deviation from a normal situation that may lead to unwanted consequences" (Rausand and Høyland, 2004). IEC 60300-3-9 (1995) uses the term hazardous event instead of accidental event. In the HAZOP study the accidental event is referred to as a process deviation. The term process deviation is from now on used, and the definition from Rausand and Høyland (2004) is acknowledged as adequate.
Impact event
CCPS (2001) describes an impact as: "The ultimate potential result of a hazardous event. Impact may be expressed in numbers of injuries or fatalities, environmental or property damage, or business interruption." According to IEC 61511 an impact event is equivalent to the consequence in the HAZOP study. This implies that the impact event is the unwanted consequence of the hazardous event or accidental event, which is referred to as a process deviation. Impact event is closely related to the unwanted consequence, and the question which remains is what degree of consequence an impact event represents, e.g. end-consequence or intermediate consequence. From now on impact event is defined as "the first sign of harm to people, environment or assets". Examples are a car crash or an explosion due to overpressure of a separator. The impact event may lead to an end-consequence which may include fatalities / injury, environmental damage or economic loss. For the impact event car crash, the process deviation could be: car starts to slide. The car is out of control, and if the situation is not brought back under control, the impact event occurs. For the impact event explosion due to overpressure of separator, the process deviation could be high pressure upstream of the separator.
Initiating cause
The initiating causes are the reasons why the process deviation occurs, not the most basic underlying root causes. The initiating causes are the results of the root causes. CCPS presents three types of initiating causes: external events, equipment failures and human failure. External events are earthquakes, hurricanes and other external shocks. Equipment failures are control system failures or mechanical failures. Human failures are either errors of commission (failure to observe or respond appropriately) or errors of omission (failure to execute the task properly or not doing it at all) (CCPS, 2001). For the car crash example an initiating cause could be a slippery road.
Scenario
According to CCPS (2001) a scenario describes a single cause - consequence pair from the HAZOP. In LOPA terminology this is a single initiating cause - impact event pair. This implies that a scenario consists of more than just the impact event. But should not a scenario comprise even more? A more appropriate definition of a scenario would include more than one cause. The scenario definition is therefore extended to describe "the development from a process deviation to an impact event, including the causes leading to the process deviation".
An airbag system is defined as a SIS. The airbag inflates when a set of sensors send signals to a logic solver which initiates the inflation. If the impact event is a car crash, this protection system will function subsequent to the occurrence of the impact event. It limits the extent of damage rather than reducing the frequency of the impact event. In other cases SIFs may be placed prior to the impact event. If the impact event is overpressure of a separator, SIFs with the intention of closing valves and shutting down the system are appropriate. Such a SIF tries to prevent the impact event from occurring, thus reducing its frequency.
Figure 3.3: Relation between initiating causes, impact event, process deviation and IPLs
Figure 3.3 shows the relation between the initiating causes, impact event, process deviation and the PLs listed in IEC 61511. It shows how all the terms fit together, and the figure and the definitions given form the basis of the understanding of LOPA. Initiating causes may be the sources of a process deviation, which may lead to an impact event. The impact event may result in an end-consequence. In order to prevent the end-consequence, PLs are introduced. Most of these have the objective of limiting the frequency of the impact event, but PLs to minimize the extent of damage may also be put in place. Note that the worst-case scenario is assumed. All the PLs have to fail in order for the end-consequence to occur, hence the analogy to a branch in an ETA. The symbol * means that the PL may be credited as an IPL. The concept of IPL is discussed in the case study in Chapter 6. Note that the starting point of the LOPA analysis is the impact event. After this is identified, the causes are identified and the protection layers evaluated.
3.3 The LOPA team
LOPA is performed by a multi-disciplinary team, which should at least consist of one:
• operator
• process engineer
Impact event
The potential impact event is described in the first column of the table. This is the consequence determined in the HAZOP study.
Severity Level
In the next column the severity level of the impact event is entered, and levels of Minor (M), Serious (S), or Extensive (E) are suggested, which is the same classification as in the risk matrix approach and the safety layer matrix approach. Note that in the risk graph approach the consequence levels range from CA to CD, where CD is the most severe.
Table 3.1: Important columns in the LOPA report / worksheet adapted from IEC 61511 (2003). Columns 5 to 9 are the protection layers.

| (1) Impact event description | (2) Severity level | (3) Initiating cause | (4) Initiation likelihood | (5) General process design | (6) BPCS etc. | (7) Alarms | (8) Additional mitigation (restricted access) | (9) High integrity additional mitigation (dikes, pressure relief) | (10) Intermediate event likelihood | SIF integrity level | Mitigated event likelihood |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Pressure above design pressure of separator. Rupture of separator and possible ignition. Leading to the end-consequence: No. of fatalities between 1 to 10. Assuming no slug entering. | E | Pressure control failure causing blocked outlet. | 0.1 | 1 | 1 | 1 | 0.21 | 0.08 | 1.7 · 10^-3 | | 3 · 10^-5 |
| (same impact event) | E | Spurious trip of the XV in addition to PV control failure | 0.001 | 1 | 1 | 1 | 0.21 | 0.08 | 1.7 · 10^-5 | 1.75 · 10^-2 | 3 · 10^-7 |
| Total | | | | | | | | | 1.717 · 10^-3 | SIL 1 | 3.03 · 10^-5 |
Initiating cause and initiation likelihood
All direct initiating causes of the impact event are listed in column 3. In column 4 the likelihood values of the initiating causes occurring, in events per year, are entered. A table showing typical values is given in IEC 61511; e.g. a failure with a low probability of occurring within the lifetime of the plant (dual instrument or valve failure) is categorized with a frequency between 10^-4 and 10^-2 per year.
Safety integrity level (SIL)
If a new SIF is needed, the SIL is calculated by dividing the corporate criteria for this severity level by the intermediate event likelihood. The result is entered in column 9.
Total risk
The last step could be to calculate the total risk with respect to each specific impact event. The mitigated event likelihoods for all the events rated as serious or extensive, and that present the same hazard, are added up. This step could include additional probabilities, if not accounted for in the previous steps.
Example
In Table 3.1 some rows are filled in. The example is overpressure of a topside separator taken from Harsem Lund (2007). The HAZOP identified that pressure above design pressure of the separator could cause rupture and possible ignition, leading to a number of fatalities between 1 and 10. Further, two initiating causes with initiating likelihoods were identified. General process design, BPCS and alarms are not given credit as PLs, and are thus given the value 1. Additional mitigation (restricted access) is estimated to 0.21, due to an assumed ignition probability of 0.3 and an occupancy of 70%. IPL additional mitigation is estimated to 0.08, due to the assumption that 8 PSVs must be running to avoid pressure build-up above test pressure. The intermediate event likelihood is now calculated for the initiating events, and the corporate / company criterion for this severity level (E) is 3 · 10^-5 events per year. The sum of the intermediate event likelihoods is 1.717 · 10^-3 events per year. Dividing 3 · 10^-5 by 1.717 · 10^-3 gives a necessary risk reduction of 1.75 · 10^-2, which is a SIL 1 requirement. The mitigated event likelihoods become 3 · 10^-5 and 3 · 10^-7 events per year, which give a total of 3.03 · 10^-5 events per year.
Note that both in the table and in the calculations accurate numbers with several decimals are used. This is done for illustration only. Usually, two decimals are appropriate.
3.5 Different approaches in literature
Many similarities can be found among the approaches and methodologies presented in the literature. Summers (2003), Ellis and Wharton (2006) and Dowell (1998) have presented flowcharts, while IEC 61511 uses a worksheet as the basis for its methodology. BP (2006) has its own procedure providing guidance on LOPA, which includes a flowchart. CCPS (2001) presents a diagram explaining the LOPA steps, with a chapter explaining each step. But the approach in IEC 61511 is the most prevalent. The essential steps that seem common are:
• Documentation of the hazard analysis
Figure 3.4: Extract of SIL determination methodology from Ellis and Wharton (2006)
Figure 3.5: Aker E&T methodology adapted from Nordhagen (2007)
The SIF under consideration is assumed not in place during the analysis, and the formula used in the evaluation of the LOPA results can be written $\text{Acc. freq} / \text{Total IEL}$. If the fraction between the accepted frequency (Acc. freq.) and the calculated total intermediate event likelihood (IEL) is greater than or equal to 1, the team shall evaluate whether the SIF shall be removed or not. This implies that the resulting frequency of the end-consequence, without the proposed SIF, is equal to or less than the accepted frequency. The analysis team can either remove the SIF, because the system is evaluated safe enough, or keep the SIF but without any requirements to the safety function. If $1 > \text{Acc. freq} / \text{Total IEL} > 0.1$, "SIL 0" is selected. This implies that the intermediate event likelihood is between one and ten times higher than the acceptable value. No further evaluation is necessary, but the SIF is kept in order to achieve some risk reduction. If $0.1 > \text{Acc. freq} / \text{Total IEL} > 0.01$, which is equivalent to SIL 1 in IEC 61511, SIL 1 is selected and no further evaluation is done. SIL 2 is selected if $0.01 > \text{Acc. freq} / \text{Total IEL} > 0.001$. If the analysis result is SIL 3 ($0.001 > \text{Acc. freq} / \text{Total IEL} > 0.0001$), a QRA is initiated to further evaluate the SIF (Nordhagen, 2007).
Chapter 4
Preferred approach
4.1 Flowchart
When performing LOPA, a clear methodology and approach is needed to make the team focus on the analysis and not on how to do the analysis. The preferred approach is a recommended approach developed from the worksheet presented in IEC 61511 and reproduced in Table 3.1. It is modified taking the views presented in Sections 3.5 and 3.6 into consideration, using the terms described in Section 3.2. The steps in Figure 4.1 are described in the paragraphs below.
Figure 4.1: Preferred approach
Table 4.1: Target mitigated event likelihood for safety hazards adapted from Nordhagen (2007)

| Severity level | Safety consequence | Target mitigated event likelihood |
|---|---|---|
| CA | Single first aid injury | 3 · 10^-2 per year |
| CB | Multiple first aid injuries | 3 · 10^-3 per year |
| CC | Single disabling injury or multiple serious injuries | 3 · 10^-4 per year |
| CD | Single on-site fatality | 3 · 10^-5 per year |
| CE | More than one and up to three on-site fatalities | 1 · 10^-5 per year |
Step 7: Establish / determine initiating cause frequencies
The initiating cause frequencies must be determined. In Table 4.2 initiating cause frequencies are presented. In addition, expert judgment and plant specific data / company data may be helpful in determining the frequencies.
• Occupancy
• Ignition probability
The additional mitigation (restricted access) column shall include ignition probability in addition to occupancy. The occupancy factor is calculated as for the risk graph (IEC 61511, 2003). For flammable hazards the ignition probability shall be considered. If there are many sources of ignition and the release is large, a conservative value should be chosen. A conservative value is in this case a value close to 1. The time at risk factor reflects the time the system is in the hazardous mode, and is evaluated only for systems not in continuous operation. All of the frequency modifiers are numbers between 0 and 1, and care should be taken that not too much risk reduction is given credit (BP, 2006; CCPS, 2001; Harsem Lund, 2007). Note that the frequency modifiers are optional and should be seen in relation to the impact event under consideration.
Table 4.2: Typical frequency values assigned to initiating causes adapted from CCPS (2001)

| Initiating event | Frequency range from literature (per year) | Example of a value chosen by a company |
|---|---|---|
| Pressure vessel residual failure | 10^-5 to 10^-7 | 1 · 10^-6 |
| Piping residual failure, 100 m, full breach | 10^-5 to 10^-6 | 1 · 10^-5 |
| Piping leak (10 % section), 100 m | 10^-3 to 10^-4 | 1 · 10^-3 |
| Atmospheric tank failure | 10^-3 to 10^-5 | 1 · 10^-3 |
| Gasket / packing blowout | 10^-2 to 10^-6 | 1 · 10^-2 |
| Turbine / diesel engine overspeed with casing breach | 10^-3 to 10^-4 | 1 · 10^-4 |
| Third party intervention (external impact by backhoe, vehicle etc.) | 10^-2 to 10^-4 | 1 · 10^-2 |
| Crane load drop | 10^-3 to 10^-4 per lift | 1 · 10^-4 per lift |
| Lightning strike | 10^-3 to 10^-4 | 1 · 10^-3 |
| Safety valve opens spuriously | 10^-2 to 10^-4 | 1 · 10^-2 |
| Cooling water failure | 1 to 10^-2 | 1 · 10^-1 |
| Pump seal failure | 10^-1 to 10^-2 | 1 · 10^-1 |
| Unloading / loading hose failure | 1 to 10^-2 | 1 · 10^-1 |
| BPCS instrument loop failure | 1 to 10^-2 | 1 · 10^-1 |
| Regulator failure | 1 to 10^-1 | 1 · 10^-1 |
| Small external fire (aggregate causes) | 10^-1 to 10^-2 | 1 · 10^-1 |
| Large external fire (aggregate causes) | 10^-2 to 10^-3 | 1 · 10^-2 |
| LOTO (lock-out tag-out) procedure failure | 10^-3 to 10^-4 per opportunity | 1 · 10^-1 per opportunity |
| Operator failure (to execute routine procedure, assuming well trained, unstressed, not fatigued) | 10^-1 to 10^-3 per opportunity | 1 · 10^-2 per opportunity |
Table 4.3: PFDs for IPLs adapted from CCPS (2001) and BP (2006)

| IPL | PFD |
|---|---|
| BPCS, if not associated with the initiating event being considered | 1 · 10^-1 |
| Operator alarm with sufficient time available to respond | 1 · 10^-1 |
| Relief valve | 1 · 10^-2 |
| Rupture disc | 1 · 10^-2 |
| Flame / detonation arrestors | 1 · 10^-2 |
| Dike / bund | 1 · 10^-2 |
| Underground drainage system | 1 · 10^-2 |
| Open vent (no valve) | 1 · 10^-2 |
| Fireproofing | 1 · 10^-2 |
| Blast-wall / bunker | 1 · 10^-3 |
| Identical redundant equipment | 1 · 10^-1 (max credit) |
| Diverse redundant equipment | 1 · 10^-1 to 1 · 10^-2 |
| Other events | Use experience of personnel |
| SIS that typically consists of single sensor, logic and final element (SIL 1) | 1 · 10^-1 to 1 · 10^-2 |
| SIS that typically consists of multiple sensors, | 1 · 10^-2 to 1 · 10^-3 |
Equation 4.1 shows the formula to calculate the intermediate event likelihood, $f_{IEL,i}$, for a certain initiating event $i$. Let the number of IPLs range from 1 to $J$, and let each IPL have a PFD denoted $PFD_{ij}$. The product of the PFDs is multiplied by the frequency of initiating event $i$, $f_i$. The intermediate event likelihood is the expected frequency of the consequence with the credited IPLs in place.

$$f_{IEL,total} = \sum_{i=1}^{I} f_{IEL,i} \qquad (4.2)$$
diate event likelihood) must be eliminated by the SIF, hence the needed SIL. By dividing the target mitigated event likelihood by the total intermediate event likelihood, the PFD corresponding to the SIL is found. Equation 4.3 shows how the acceptable frequency, $f_{Acc}$, is used to determine the necessary risk reduction. The target mitigated event likelihood is denoted $f_{TMEL}$.

$$\text{SIL} = \text{necessary risk reduction} = \frac{f_{Acc}}{f_{IEL,total}} = \frac{f_{TMEL}}{f_{IEL,total}} \qquad (4.3)$$
Screen by SIL
If the resulting SIL > SIL 3, a QRA should be initiated. A high SIL requirement is stricter, demanding higher reliability and performance of the SIS. LOPA includes uncertainty, and for a SIL requiring high integrity a more thorough analysis is recommended. If SIL < SIL 4, the flowchart loop is finished. Note that the screening criterion in this case is SIL > 3, and the criterion should be adapted to the situation at hand. In some cases SIL > SIL 2 is more applicable.
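The calculation of Equations 4.1 to 4.3, the banding of the ratio in Section 3.5 and the screening step above can be followed in the Python code below, which is an added illustration and not code from the thesis or from any of the cited procedures. It recomputes the Table 3.1 example with the values given there (initiating frequencies 0.1 and 0.001 per year, modifiers 0.21 and 0.08, corporate criterion 3 · 10^-5 per year). Two assumptions are made: the lower limit of each band is taken as inclusive (SIL 1 for 0.01 ≤ ratio < 0.1, the IEC 61511 convention), where the thesis writes strict inequalities, and the intermediate event likelihoods are kept at full precision rather than rounded to 1.7 · 10^-3 and 1.7 · 10^-5 before summation, so the total comes out as 1.697 · 10^-3 instead of 1.717 · 10^-3; the selected SIL is the same.

```python
"""LOPA worksheet arithmetic for one impact event (added illustration, not thesis code).

Equation 4.1:  f_IEL,i     = f_i * prod_j PFD_ij
Equation 4.2:  f_IEL,total = sum_i f_IEL,i
Equation 4.3:  necessary risk reduction = f_TMEL / f_IEL,total
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class InitiatingCause:
    name: str
    frequency: float          # f_i, events per year (worksheet column 4)
    layer_pfds: List[float]   # columns 5-9: PFD or frequency modifier per layer; 1 = no credit


def intermediate_event_likelihood(cause: InitiatingCause) -> float:
    """Equation 4.1: initiating frequency times the PFDs of the credited layers."""
    f_iel = cause.frequency
    for pfd in cause.layer_pfds:
        if not 0.0 <= pfd <= 1.0:
            raise ValueError(f"{cause.name}: PFD {pfd} is outside [0, 1]")
        f_iel *= pfd
    return f_iel


def total_intermediate_event_likelihood(causes: List[InitiatingCause]) -> float:
    """Equation 4.2: sum over all initiating causes of the same impact event."""
    return sum(intermediate_event_likelihood(c) for c in causes)


def sil_from_ratio(ratio: float) -> Dict[str, object]:
    """Band the ratio f_TMEL / f_IEL,total as in Section 3.5 (Nordhagen, 2007).

    Lower band limits are taken as inclusive (IEC 61511 convention); the thesis
    uses strict inequalities and leaves the exact boundaries open.
    """
    if ratio >= 1.0:       # frequency without the SIF is already acceptable
        return {"sil": None, "label": "no SIF required", "qra": False}
    if ratio >= 0.1:       # IEL between one and ten times the target: SIF kept, no requirement
        return {"sil": 0, "label": "SIL 0", "qra": False}
    if ratio >= 0.01:
        return {"sil": 1, "label": "SIL 1", "qra": False}
    if ratio >= 0.001:
        return {"sil": 2, "label": "SIL 2", "qra": False}
    if ratio >= 0.0001:    # SIL 3: a QRA is initiated to evaluate the SIF further
        return {"sil": 3, "label": "SIL 3", "qra": True}
    return {"sil": 4, "label": "SIL 4", "qra": True}


def evaluate_impact_event(causes: List[InitiatingCause], f_tmel: float,
                          qra_sil_limit: int = 3) -> Dict[str, object]:
    """LOPA calculation for one impact event, including the 'screen by SIL' step.

    The mitigated event likelihood per cause (last worksheet column) is the
    intermediate event likelihood times the PFD required of the new SIF.
    """
    iels = {c.name: intermediate_event_likelihood(c) for c in causes}
    total = sum(iels.values())
    ratio = f_tmel / total                     # Equation 4.3
    band = sil_from_ratio(ratio)
    sif_pfd = min(ratio, 1.0)                  # no SIF credit needed when ratio >= 1
    mitigated = {name: iel * sif_pfd for name, iel in iels.items()}
    sil = band["sil"]
    return {
        "iel": iels,
        "total_iel": total,
        "required_pfd": ratio,
        "sil": sil,
        "label": band["label"],
        "qra": bool(band["qra"] or (sil is not None and sil > qra_sil_limit)),
        "mitigated": mitigated,
        "total_mitigated": sum(mitigated.values()),
    }


# Table 3.1 example (Harsem Lund, 2007): severity E, corporate criterion 3e-5 per year.
# Columns 5-9: general design 1, BPCS 1, alarms 1, restricted access 0.21, PSVs 0.08.
TABLE_3_1_CAUSES = [
    InitiatingCause("Pressure control failure causing blocked outlet",
                    0.1, [1.0, 1.0, 1.0, 0.21, 0.08]),
    InitiatingCause("Spurious trip of the XV in addition to PV control failure",
                    0.001, [1.0, 1.0, 1.0, 0.21, 0.08]),
]
TMEL_SEVERITY_E = 3e-5


def table_3_1_result() -> Dict[str, object]:
    """Recompute the Table 3.1 rows at full precision."""
    return evaluate_impact_event(TABLE_3_1_CAUSES, TMEL_SEVERITY_E)


if __name__ == "__main__":
    r = table_3_1_result()
    for name, iel in r["iel"].items():
        print(f"{name}: IEL {iel:.3e} /yr, mitigated {r['mitigated'][name]:.3e} /yr")
    print(f"total IEL {r['total_iel']:.4e} /yr, required PFD {r['required_pfd']:.3e}"
          f" -> {r['label']}, QRA needed: {r['qra']}")
```

`evaluate_impact_event` is reusable for any impact event; `qra_sil_limit` is the screening criterion that, as noted above, should be adapted to the situation (SIL > 2 in some cases), and the PFD check in `intermediate_event_likelihood` rejects a modifier outside 0 to 1, which would otherwise credit risk reduction that no layer can provide.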
Only safety aspects have been considered. Usually economic and environmental issues are also evaluated during a LOPA analysis. Such levels may be determined for the SIF, and the integrity level giving the highest integrity chosen. Note that this requires additional acceptance criteria (BP, 2006; Nordhagen, 2007).
In the approach it is chosen to select an impact event before it is screened by severity level. Another possibility is to do this the other way around.
Another issue is how to express and transmit the requirements to the vendors or to the further allocation process. If the LOPA results in a required PFD of 8 · 10^-3, giving SIL 2, and the suppliers design their product with a designed PFD of 1 · 10^-2, the outcome may be that the system does not fulfill the requirements. Important issues that must be covered in the interface work packages by the system vendor are: What is the requirement? How is it expressed?
Chapter 5
Table 5.1: Process HAZOP worksheet adopted from Rausand (2005)

Study title: | Page:
Drawing no: | Rev. no.: | Date:
HAZOP team: | Meeting date:
Part considered:
Design intent: | Material: | Activity:
Source: | Destination:

| No. | Guideword | Element / process parameter | Deviation | Possible causes | Consequences | Safeguards | Comments | Actions required | Actions allocated to |
|---|---|---|---|---|---|---|---|---|---|
| | | Separator | High pressure (pressure above design pressure) | Failure of BPCS, high level, external fire | Release to environment | Alarm, operator, deluge system | | Evaluate new PLs. | Joe Johnson (Aker Solutions) |
Figure 5.1: Relationship between HAZOP and LOPA worksheets
Figure 5.1 shows the interaction between the HAZOP and LOPA worksheets. LOPA is performed from left to right in the worksheet and receives input from the HAZOP during the analysis. Note that the HAZOP worksheet in the figure is somewhat different from the one presented in Table 5.1, as it incorporates the severity level (S) and likelihood (L) of the HAZOP consequence (IEC 61511, 2003; Dowell and Williams, 2005; CCPS, 2001).
If the (process) deviation in the HAZOP is high pressure, the HAZOP consequence could be: release to environment. The impact event would then also be release to environment, because the consequence identified in the HAZOP corresponds to the impact event in LOPA.
The possible causes from HAZOP are the initiating causes in LOPA (Dowell, 1998; IEC 61511, 2003). Further transformation or evaluation of causes and sub-causes may be necessary and should be expected.
The safeguards identified in HAZOP are denoted PLs in LOPA. Note that all IPLs are safeguards, but not all safeguards are IPLs (CCPS, 2001). Which IPLs to include, and in which column of the LOPA worksheet they should be implemented, requires evaluation. The actions required column in the HAZOP worksheet may include many things, e.g. new recommended safeguards and work tasks. New recommended safeguards could either be modifications to existing PLs and design, or new protection layers, e.g. SIFs (CCPS, 2001). In Figure 5.1 the arrows are blue and dotted, which indicates that the information from the columns including safeguards and actions required cannot be transformed directly.
The HAZOP consequence severity ranking (S) and the HAZOP consequence likelihood (L) can be transformed to LOPA, where impact event severity level and initiating cause frequency are the applicable terms with associated columns (Dowell and Williams, 2005). The HAZOP worksheet does not necessarily include these columns. There are several views of which columns are included in the HAZOP, according to what the organization or author prefers. The HAZOP may either include severity ranking and likelihood of the HAZOP consequence, or just the severity ranking. Another possibility is that the HAZOP has none of these, as in Table 5.1. This makes it difficult to know how this part of the interface will be. If the HAZOP worksheet has both the severity and likelihood ranking, it is not certain that this categorization is used, adding another issue to the current problem. These issues must be evaluated prior to a LOPA, and the blue dotted lines in Figure 5.1 indicate that evaluation is needed when transferring data to LOPA. It is suggested that the same risk matrix is used for HAZOP as for LOPA, with related risk acceptance criteria. At least the severity ranking should be identical, because the initiating cause frequencies in LOPA usually are obtained from tables and / or expert judgment. In BP (2006) such a common risk matrix including risk acceptance criteria is presented.
LOPA are performed by using an integrated software tool, several of the phases in Figure 4.1 may be performed almost automatically, e.g. data gathering, documentation and transformation of data. In addition, the calculation phases are performed more efficiently. The objectives of a HAZOP / LOPA tool are:
• Reduce the time spent on the analysis (typing / rework, data collection, meeting activity, calculations)
• HAZOP worksheet cells equal to cells in the LOPA report, and automatic transformation of data. This applies to:
– Interactive SIL selection which allows the user to select a SIL by click-
ing and see the impact on the mitigated event likelihood on the screen
– Rectify erroneous input from user
– Modify input / help to specify the units
– Reminders / pop-up boxes
Step 1 - HAZOP
The cells containing the HAZOP consequences are set equal to the ones that shall contain the impact events. In Excel this could be done either by creating a VB macro which copies the information, or by defining the cell contents as equal directly in Excel. The same applies to the possible causes in HAZOP. The risk matrix sheet contains the classification of the HAZOP consequence and impact event severity. The chosen severity level is transferred in the same manner as the HAZOP consequence. To initiate the process of transferring the data, a command button which is constantly visible is placed at the bottom of the LOPA sheet. This is named "Transfer HAZOP data", and when clicked the rows containing the data are transferred or copied.
After all the cause and impact event data are transferred, the impact events are screened by severity level. Those impact events that are classified above a certain severity level are colored red, because the initiation of a QRA is suggested. The encoding solution is VB in addition to macros.
Some impact events are similar, and combining several impact events is relevant. This is not taken into account in this program illustration.
Step 2 - Retrieve initiating cause frequency
Next to the command button proposed in Step 1, a command button named "implement initiating cause frequency" is placed. When this is clicked the user may choose in which cell to implement the value and which value to select in the database sheet. The user may also adjust the numbers. This requires more extensive VB coding.
The initiating cause frequency may be given as a PFD. A pop-up box, which appears after the value has been implemented, asks the user to specify additional information if necessary. The number of demands / opportunities per year is such information; this is done to make sure that the correct unit is used. The program adjusts the numbers automatically.
Step 4 - Calculation
The intermediate event likelihood is calculated directly in Excel by formulas, i.e. 'cell 10' = product('cell 4';'cell 9').
The TMEL is specified in the risk matrix sheet. Corresponding to the severity level selected, the program implements the correct value of TMEL in the mitigated event likelihood cell in the LOPA sheet. A simple IF statement could do this automatically. A command button called "Calculate SIL" initiates the SIL calculation. The IELs for each initiating cause related to the same impact event are added. A set of IF statements count how many rows are related to the same impact event and calculate the total IEL for the respective impact event. The value of the total IEL for the impact event is divided by the TMEL value, and the result is the needed SIL. IF statements containing text strings evaluate the results and print a message to the user in the cell, i.e. "SIL 2" or "No SIS necessary". This part of the program requires extensive VB coding. The program has to remember parameters, and use these to calculate the correct columns and implement the results in the correct cells.
event likelihood is again calculated, and a pop-up box notifies the user whether this PFD fulfills the TMEL requirement.
A screening process based on the calculated SIL is beneficial, as higher SILs may require the initiation of a QRA. The program may color the entire row in a certain color if the SIL is higher than a specified limit.
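The transfer of Step 1, the unit handling of Step 2 and the HAZOP to LOPA column mapping of Chapter 5 can be expressed as follows. This is an added Python illustration; it is not code from the thesis and not the Excel / VB tool described above. It assumes the severity scale CA to CE of Table 4.1 as the risk matrix scale, a constructed severity classification in place of the risk matrix sheet, the HAZOP row of Table 5.1 plus a second constructed row built from the initiating causes of the Chapter 6 case study as input, and a constructed threshold level for the QRA screening. Safeguards and actions required are carried over flagged for evaluation, following the dotted arrows of Figure 5.1, rather than credited. Frequencies given per opportunity or per hour are converted to events per year in the same way as in Chapter 6 (0.1 per opportunity times 20 demands gives 2 per year; 8760 hours per year).

```python
"""HAZOP-to-LOPA worksheet transfer, severity screening and frequency normalization.

Added illustration: not code from the thesis, nor the Excel / VB tool it describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOURS_PER_YEAR = 8760.0                            # as assumed in Chapter 6 for the OREDA value
SEVERITY_ORDER = ["CA", "CB", "CC", "CD", "CE"]    # Table 4.1 levels, least to most severe


@dataclass
class HazopRow:
    element: str
    deviation: str
    possible_causes: List[str]
    consequence: str
    safeguards: List[str]
    actions_required: str = ""
    severity: Optional[str] = None   # HAZOP ranking (S); absent in Table 5.1


@dataclass
class LopaRow:
    impact_event: str                # column 1 = HAZOP consequence
    severity: str                    # column 2, from the risk matrix sheet
    initiating_cause: str            # column 3 = one HAZOP cause per row
    initiation_likelihood: Optional[float] = None           # column 4, events per year
    candidate_pls: List[str] = field(default_factory=list)  # HAZOP safeguards, not yet credited
    open_actions: str = ""           # HAZOP actions required, needs evaluation
    qra_suggested: bool = False      # the row the tool colours red


def transfer_hazop_to_lopa(rows: List[HazopRow], severity_matrix: Dict[str, str],
                           qra_from: str) -> List[LopaRow]:
    """Step 1: copy consequences and causes across, classify severity, screen by level."""
    if qra_from not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity level {qra_from!r}")
    lopa: List[LopaRow] = []
    for r in rows:
        # use the HAZOP ranking only when it is on the same scale as the risk matrix
        sev = r.severity if r.severity in SEVERITY_ORDER else severity_matrix.get(r.consequence)
        if sev is None:
            raise ValueError(f"no severity classification for {r.consequence!r}")
        flag = SEVERITY_ORDER.index(sev) >= SEVERITY_ORDER.index(qra_from)
        for cause in r.possible_causes:          # one LOPA row per initiating cause
            lopa.append(LopaRow(r.consequence, sev, cause, None, list(r.safeguards),
                                r.actions_required, flag))
    return lopa


def to_events_per_year(value: float, unit: str,
                       demands_per_year: Optional[float] = None) -> float:
    """Step 2: normalize a data-sheet value so column 4 is always events per year."""
    if unit == "per year":
        return value
    if unit == "per opportunity":                # e.g. operator failure in Table 4.2
        if demands_per_year is None:
            raise ValueError("a per-opportunity value needs the number of demands per year")
        return value * demands_per_year
    if unit == "per hour":                       # e.g. a failure rate given in hours
        return value * HOURS_PER_YEAR
    raise ValueError(f"unknown unit {unit!r}")


def set_initiating_frequency(row: LopaRow, value: float, unit: str,
                             demands_per_year: Optional[float] = None) -> float:
    row.initiation_likelihood = to_events_per_year(value, unit, demands_per_year)
    return row.initiation_likelihood


# Constructed input: the HAZOP row of Table 5.1, plus a second row built from the
# Chapter 6 initiating causes. The classification stands in for the risk matrix sheet.
HAZOP_ROWS = [
    HazopRow("Separator", "High pressure", ["Failure of BPCS", "High level", "External fire"],
             "Release to environment", ["Alarm", "Operator", "Deluge system"], "Evaluate new PLs."),
    HazopRow("Separator", "High pressure", ["Slug congestion", "Choke control error", "Choke collapse"],
             "Overpressure of separator", ["HIPPS", "Subsea PSD", "Topside PSD"]),
]
SEVERITY_MATRIX = {"Release to environment": "CC", "Overpressure of separator": "CE"}


def example_transfer(qra_from: str = "CD") -> List[LopaRow]:
    """Transfer the constructed HAZOP rows and fill in column 4 where a value is known."""
    rows = transfer_hazop_to_lopa(HAZOP_ROWS, SEVERITY_MATRIX, qra_from)
    set_initiating_frequency(rows[0], 1e-1, "per year")    # BPCS instrument loop failure, Table 4.2
    set_initiating_frequency(rows[2], 1e-1, "per year")    # small external fire, Table 4.2
    set_initiating_frequency(rows[3], 5.0, "per year")     # slug congestion, expert judgment
    set_initiating_frequency(rows[4], 0.1, "per opportunity", demands_per_year=20)  # choke task
    set_initiating_frequency(rows[5], 9.9e-2, "per year")  # choke collapse, already converted
    return rows                                            # rows[1] ("High level") left open
```

A row whose initiating cause has no frequency yet keeps `None` in column 4, so the later IEL calculation cannot silently treat a missing value as zero; the `ValueError` for a per-opportunity value without a demand count plays the role of the pop-up box in Step 2.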
Chapter 6
The objective of the study is to apply LOPA to a real system, to illustrate and evaluate the LOPA process described in Chapter 4. First the case and the system concerned are described, before the LOPA approach and results are presented and discussed. Finally, comments and remarks are given.
Figure 6.1: SPS and separator schematic
consist of a pressure transmitter (PT) and the control valve (CV). The process shutdown valve (PSDV) and pressure safety transmitter (PST) are the only shutdown possibility topside, denoted PSD_topside. When the PST detects high pressure the PSDV closes. The valve is hydraulically or air operated, and a logic solver interprets the signal from the PST. Usually, additional barriers are located in the turret, but for simplicity these are neglected. A mechanical pressure relief device, called production shutdown valve (PSV), is placed on the separator. This is either a spring-loaded device or a pilot-operated device that allows gas to go to flare if the pressure exceeds a certain limit.
The subsea control unit (SCU) and the hydraulic pump unit (HPU) are located topside on the FPSO. The HPU is basically a pump that supplies hydraulic fluid to the subsea control module (SCM) and the HIPPS control module (HCM), which in turn provide hydraulic pressure to the valve actuators. The SCU includes the logic solver, which interprets the signals from the pressure and temperature transmitters, and two surface power and communications units (SPCU) or circuit breakers.
In the umbilical, electronic signals (to and from the SCU), hydraulics (from the HPU) and scale and hydrate (methanol) inhibitors are transported from the FPSO to the production system on the seabed.
Choke module
The production choke valve (PCV) has the objective of throttling the flow to control the temperature and the pressure. The choke module is the process control system located subsea. It is important that the flow from different XTs has the same pressure, to prevent one well from producing into another.
X-mas tree
The XT is an assembly of valves, spools and fittings for the oil well. The downhole safety valve (DHSV) is the valve closest to the reservoir, but is not used as a shutdown option in case of overpressure. The production master valve (PMV) and the production wing valve (PWV) are the next two valves in the production pipeline, and possible shutdown options. The crossover valve (XOV) is an annulus service line. It can relieve a potential pressure build-up in the annulus by injecting the pressure into the production flow. In addition to the valves described above, the XT provides scale inhibitor and / or methanol inhibitor injection lines. Note that these are neglected in the schematic.
The XT valves are hydraulically held. The pressure from the fluid column resists a spring force in the valve actuator to keep the valve open. In order to shut the valve the hydraulics are bled off, and the spring makes the valve go to the closed position. The valve is fail-safe because it goes to a safe position (closed position) in case of a failure (leakage in the hydraulic system, spring collapse etc.). When closing the valve the hydraulics may either be bled off in the subsea control module (SCM) or to sea. Another possibility is to turn down the pump in the HPU in order to create a pressure drop.
The subsea control module (SCM) is, together with the HPU / SCU, the subsea control system. Note that a process control system (like the choke module) controls the flow, while the subsea control system is used to control the valve operation on the XT. The subsea control system contains hydraulics and accommodates two subsea electronic modules (SEMs), which are the electronic part of the control system. When the PTs used as reference detect high pressure, signals are sent to the SEMs, which transform the signals into a rating. This rating (electronic pulse) is sent to the logic solver in the SCU. If the voting in the logic solver (e.g. 2oo4) decides to initiate a shutdown, initiation signals are sent back to the SEMs. The SEMs control change-over valves that are held electrically. When the logic solver commands a shutdown the valves will switch, enabling hydraulics from the actuator to bleed off in an internal loop in the SCM.
PSD_subsea is initiated automatically, and either the PMV or the PWV and the XOV must be closed. Figure 6.1 shows that the well is isolated by performing at least one of the two shutdown options. Usually, both options are used during a PSD_subsea shutdown. The PT / TT downstream of the PCV are used as reference. If high pressure is experienced at this point the PSD is initiated.
HIPPS
The HIPPS is located in the manifold. The manifold is an arrangement of piping or valves designed to control, distribute and monitor the flow. Several XTs may be mounted directly on the manifold, or be placed as satellite trees. The manifold has inhibitor injection lines and a pipeline inspection gauge (PIG) launcher, to prevent hydrate formation.
The objective of the HIPPS is to protect the pipeline from the manifold to the FPSO. It has its own control system called the HIPPS control module (HCM). This device is similar to the SCM. Note that the HCM is independent of the SCM. HIPPS shutdown is initiated automatically. The two HIPPS valves on the manifold are closed if high pressure is experienced by the PT / TT between the valves or downstream of the valves. Another possibility is that one set of transmitters controls one HIPPS valve and the other set the last HIPP valve.
Experts were involved in the hazard identification study, and all members involved in the LOPA as well as in previous studies fulfill the requirements regarding competency. The HAZOP performed prior to the LOPA is assumed well documented and sufficient, and the data adjusted to fit with the LOPA analysis.
Initiating causes
Fluid slug congestion, choke control error due to human error, and choke collapse are the initiating causes identified. Slug congestion is accumulation of fluid / hydrates / scale leading to a blockage and pressure build-up upstream of the blockage point. When this substance yields, the fluid accelerates and creates overpressure in the separator. Choke collapse is most likely a hardware valve failure, e.g. fatigue. Choke control error is erroneous operation of the choke control, where the operator makes the wrong response or fails to act at all. All these initiating causes lead to potential overpressure of the separator. The initiating cause frequencies are found from tables, and the chosen values are shown in Table 6.1. The frequency of slug congestion differs from field to field, and depends on the composition of the fluid and the field construction. In the Ormen Lange project 5 demands were identified by expert judgment, which is assumed applicable. The human error (choke control) is assumed to be a routine task. In order to estimate the frequency, the value in the table has to be multiplied by the number of opportunities / demands per year. The choke task is assumed to be executed approximately 20 times per year, giving a resulting frequency of 2 times per year for this initiating cause. The OREDA estimate is given in hours, and assuming 8760 hours per year gives a frequency of 9.9 · 10^-2 per year.
state that the independence requirement claims that the IPL must be independent of the occurrence and consequence of the initiating event, and of the failure of any component of an IPL already credited. Two approaches (A and B) are suggested, where B allows IPLs to physically share components and A restrains this configuration. But it is assumed that the logic solver will not be the source of failure, which implies that detectors or final elements fail more frequently. If two IPLs share the same sensor(s) or final element(s), neither of the approaches justifies giving more than one IPL credit. Note that approach A eliminates a larger extent of CCFs.
• HIPPS
• BPCS subsea (PCV)
• BPCS topside (CV)
in the case concerned it is chosen to credit both PSD topside and subsea as a SIL 1 risk reduction.
The HIPPS and the PSD subsea do have different PTs and actuating items, but they share the same HPU / SCU. The XT and HIPPS valves will go to safe state if the HPU / SCU fails to provide hydraulic pressure. The only way this unit may cause an error is if the logic solver in the SCU fails in such a way that the system does not initiate shutdown when a shutdown is needed. The issue that arises is how strict the independence requirement should be, and which of the two approaches presented in the previous paragraph to use. Even if they share a logic solver, both lead to risk reduction. On this basis approach B, which is described in the previous section, seems fair to use.
It is important to emphasize that a PL can be an IPL for one initiating cause - impact event pair, and not for another. The IPL PFDs are taken from different data sources, and Table 6.2 shows the selected values.
Figure 6.2: Relation between initiating causes, impact event, process deviation and PLs
• HIPPS
• Subsea PSD
• BPCS topside (CV)
not certain that the PSD is able to prevent a pressure build-up, due to the short distance between the XT valves and the choke module. There are several ways to interpret these issues. It is chosen not to give credit to the subsea PSD because of its response time. The IPLs given credit are:
• HIPPS
• BPCS topside (CV)
The formula for calculating the intermediate event likelihood becomes:
$$\text{Initiating cause frequency} \cdot PFD_{PSDV} \cdot PFD_{PSV} \cdot \text{occupancy} \cdot \text{ign. prob.} = 5 \cdot 10^{-1} \cdot 0.1 \cdot 10^{-2} \cdot 0.3 \cdot 0.5 = 7.5 \cdot 10^{-4}$$
Target risk measurement, SIL determination and mitigated event likelihood
Compared to the TMEL, the first two pairs are within the acceptable region because 1.5 · 10−9 and 7.42 · 10−10 are less than 3 · 10−5. The total intermediate event likelihood is greater than the total TMEL for the entire scenario leading to the end-consequence (7.5 · 10−4 > 3 · 10−5). This implies that a SIL must be determined. By using Equation 4.3 the necessary risk reduction corresponding to the needed SIL is calculated:
$$\text{Necessary risk reduction} = \frac{3 \cdot 10^{-5}}{7.5 \cdot 10^{-4}} = 4 \cdot 10^{-2}$$
The question is now what SIL to set as the requirement. The necessary risk reduction is between 10−2 and 10−1, and a SIL 2 is applicable. A conservative approach is chosen and a SIL 2 is set as the requirement.
The next question is what PFD value a SIL 2 requirement constitutes, i.e. what requirement to pass on to the SIS vendor. If the SIS vendor provides a system fulfilling SIL 2, but which only gives a risk reduction of 5 · 10−2, the system is not safe enough. To solve this potential issue an additional PFD requirement is set to 1 · 10−2. The final requirement is SIL 2, where the new safety system must have a specific PFD ≤ 1 · 10−2.
The chosen PFD requirement is implemented in the worksheet, and the mitigated event likelihood is calculated. All values are within the requirements, and the analysis is finalized.
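The frequency conversions from the initiating-cause paragraph and the risk-reduction arithmetic of this section, as an added Python example that is not part of the thesis. The PFD bands are the IEC 61508 low-demand bands, the function names are chosen here, and the inputs are the values printed in the case (the five printed factors multiply to 7.5 · 10−5, while the case carries 7.5 · 10−4 forward, so the later steps use that stated value).

```python
from math import prod

# IEC 61508 low-demand PFDavg bands: SIL -> (lower bound inclusive, upper bound exclusive)
SIL_PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def per_hour_to_per_year(rate_per_hour, hours_per_year=8760):
    """Convert an OREDA-style failure rate (per hour) into a frequency per year."""
    return rate_per_hour * hours_per_year


def routine_task_frequency(error_prob_per_demand, demands_per_year):
    """Human-error initiating cause: table probability per demand times demands per year."""
    return error_prob_per_demand * demands_per_year


def intermediate_event_likelihood(initiating_freq, ipl_pfds, modifiers):
    """Initiating frequency times every credited IPL PFD and conditional modifier."""
    return initiating_freq * prod(ipl_pfds) * prod(modifiers)


def necessary_risk_reduction(tmel, iel):
    """Equation 4.3: TMEL divided by the intermediate event likelihood."""
    return tmel / iel


def sil_band_for(required_pfd):
    """Lowest SIL whose PFD band contains the required PFD; 0 means no SIF is needed."""
    if required_pfd >= 1e-1:
        return 0
    for sil, (low, high) in SIL_PFD_BANDS.items():
        if low <= required_pfd < high:
            return sil
    raise ValueError("required PFD is below the SIL 4 band; a single SIF is not enough")


def conservative_requirement(required_pfd):
    """One SIL above the arithmetic band, plus an explicit PFD cap at that band's upper
    bound, so a vendor cannot meet the SIL on paper and still miss the target."""
    sil = sil_band_for(required_pfd) + 1
    if sil > 4:
        raise ValueError("no SIL above SIL 4; redesign the process instead")
    return sil, SIL_PFD_BANDS[sil][1]


def meets_tmel(iel, sif_pfd, tmel):
    """Mitigated event likelihood (IEL times the SIF's PFD) must not exceed the TMEL."""
    return iel * sif_pfd <= tmel


if __name__ == "__main__":
    print(routine_task_frequency(0.1, 20))                         # 2.0 per year
    print(intermediate_event_likelihood(5e-1, [0.1, 1e-2], [0.3, 0.5]))  # 7.5e-05
    rr = necessary_risk_reduction(3e-5, 7.5e-4)                     # 0.04
    print(sil_band_for(rr), conservative_requirement(rr))           # 1 (2, 0.01)
    print(meets_tmel(7.5e-4, 1e-2, 3e-5), meets_tmel(7.5e-4, 5e-2, 3e-5))  # True False
```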
6.5 Implications during the case
In this section the implications encountered during the case study are discussed. They throw light on the shortfalls of the preferred approach presented in Chapter 4 and illustrated in Figure 4.1, and on LOPA in general.
Most of the phases in Figure 4.1 were easy to apply, but some implications were encountered during the analysis. The initiating cause frequency of the slug congestion could not be found from the tables. Expert judgment was necessary, which emphasizes the need for a database and exchange of experience as discussed in Chapter 5.5.
Whether the IPLs were independent or not was a considerable issue during the case. This reached deep into the valve control system, and an extensive system understanding seems necessary. The independence requirement is also hard to interpret, because it is difficult to know how strictly it should be followed. Exchange of experience and more guidelines are needed in order to make this part of the analysis easier.
What value to use as the ignition probability was not intuitive, and a classification and guideline should have been included in the approach in Chapter 4. LOPA requires knowledge, and the team composition is important in getting a satisfying result. When the necessary risk reduction was calculated some effort was required to evaluate the result. This could have led to problems, and knowledge of the process, of how LOPA works and of the laws of probability are essential aspects.
During the analysis an error was made when converting failure data from OREDA. This was corrected, but the incident underlines the importance of quality assurance and of the transformation process in an eventual software tool, as mentioned in Chapter 5.5. The overall impression is that the preferred approach in Chapter 4 is clear and applicable. Linking it together with a software tool as described in Chapter 5.5 makes the LOPA procedure more efficient as well as providing useful features.
Process experience, understanding of LOPA and knowledge of general reliability and probability are success factors in making LOPA efficient and robust.
Chapter 7
Conclusions and recommendations for further work
Both qualitative and quantitative SIL determination methods and tools may be applied during phase four in the IEC safety life cycle (Figure 1.1). The quantitative method in IEC 61508, the OLF 070 guideline, the risk matrix, the safety layer matrix, the risk graph and the calibrated risk graph are SIL determination methods that have been described in addition to LOPA. In qualitative methods the parameters used as decision basis are subjective and estimated by expert judgment. Quantitative methods describe the risk by calculations, and a numerical target value is compared with the result. Which method to apply relies primarily on whether the necessary risk reduction is specified in a numerical or a qualitative manner. The scope and extent of the analysis would also be an influencing factor. Even if the assignment method is qualitative, the SIL is always quantified by a number.
The main objective of this thesis has been to gain knowledge of SIL determination tools, with LOPA as the main focus. This is accomplished, and the sub-objectives of the report are listed below, with the coverage and findings concerning each objective discussed.
A literature survey has been carried out, and different methodologies and approaches in the literature have been presented and discussed. Especially the IEC 61511 approach, the Aker E&T approach and the approach in CCPS (2001) have been covered. The guideline in BP (2006) seems reasonable and should have been covered to a greater extent. Most methodologies and approaches have a similar basis, but use different terms and a different sequence. Another distinction is how the SIL is incorporated and evaluated. The process design can be evaluated "as is", or with a new protection layer (e.g. a SIF) implemented in the evaluation. Some authors also use screening tools, i.e. the risk graph, prior to, or embedded in, the LOPA process.
Compared to the approaches discussed in Section 3.5, the Aker E&T LOPA approach is an overall methodology, which does not take the proposed SIF implicitly into account. Often the customer's methodology (e.g. Statoil or BP) also forms the basis for the analysis. ISO 10418 (2003) helps the design team to implement safety functions in the P&IDs for the system concerned, and after all hazard identification is finished the LOPA is initiated. The further approach is similar to the approach presented in IEC 61511 (2003).
Interfaces between LOPA and HAZOP have been identified, but other risk analysis methods have not been covered. Information in columns such as consequence and possible causes in the HAZOP worksheet can be transferred directly to the LOPA worksheet. Information in the other columns may require transformation. This includes IPL PFD data and initiating cause frequency.
The thoughts behind a software tool for transferring, facilitating and adjusting data have been presented. This includes a program specification and a simple illustration of a proposed software program. The illustrated software program is based on automatic data transformation from HAZOP, IPL PFD and initiating cause frequency databases, and a risk matrix including the acceptance criteria. Linking all these aspects with a LOPA worksheet gives the outline of the program. The illustrated program shown in Annex B seems reasonable, but should be evaluated in more detail. Expert judgment makes up an extensive part of the analysis, and a program that "learns by doing" would be beneficial. An example is a program that has a database of previous analyses, which provides previous information when a new analysis is performed, e.g. possible initiating causes for a specific type of valve.
• Discussion of the IPL concept and the applicability of LOPA in cases where
the independence is violated
IPL has been defined, exemplified, and discussed. In the case study the IPL concept has been applied to a practical system. CCFs have not been covered to a great extent, which should have been the case.
IPL is defined as: a protection layer that is capable of preventing the process deviation from proceeding to the end-consequence regardless of other protection layers associated with the same impact event - initiating cause pair, and of the initiating event. It must lead to a risk reduction factor of at least 10, and fulfil the specificity, independence, dependability and auditability criteria. The definition is clear, but it is still uncertain how to apply the concept of IPL in practice.
The preferred approach, based on the literature study, has been applied to a combined system based on real systems from Aker Subsea and Aker E&T. The preferred approach was easy to use, but as mentioned the IPL concept was difficult to apply. Where to draw the line on whether a component is independent or not was the key issue throughout the case study. The case concluded that process understanding and knowledge of basic reliability concepts are important.
This thesis may give some readers a clearer understanding of LOPA. The sections explaining and clarifying terms, and the IPL discussion in the case study, may be a contribution to the LOPA discussion.
Still, many of the issues need to be clarified, and further work is recommended. Specific recommendations for further work are:
Bibliography
ACM Facility Safety (2004). HAZOP / SIL analysis item and cost comparison - Traditional way vs. integrated SILCore approach. Advertorial, Safety Users Group. Retrieved on 03.04.08 from internet address: http://www.safetyusersgroup.com/documents/AD040001/EN/AD040001.pdf.
ACM Facility Safety (2006). SIL Determination Techniques Report. White paper. Retrieved on 30.02.08 from internet address: http://www.iceweb.com.au/sis/ACMWhite-PaperSILDeterminationTechniquesReportA4.pdf.
Baybutt, P. (2007). An improved Risk Graph Approach for Determination of Safety Integrity Levels (SILs). Process Safety Progress, 26:66–76.
Bingham, K. and Goteti, P. (2004). Integrating HAZOP and SIL / LOPA analysis: Best practice recommendations. ISA (The Instrumentation, Systems, and Automation Society) 2004.
Ellis, G. and Wharton, M. (2006). Practical experience in determining safety integrity levels for safety instrumented systems. Symposium Series No. 151, IChemE.
Harsem Lund, K. (2007). Alternative måter for SIL fastsettelse - en sammenligning (LOPA, Risk graf, OLF 070) [Alternative methods for SIL determination - a comparison (LOPA, risk graph, OLF 070)]. In PDS forum, Trondheim. Scandpower, Kjeller.
IEC 61511 (1998-2003). Functional safety - safety instrumented systems for the process industry sector. International Electrotechnical Commission, Geneva.
ISO 10418 (2003). Petroleum and natural gas industries - offshore installations - Basic surface process safety systems. International Organization for Standardization, Geneva.
OLF 070 (2004). Application of IEC 61508 and IEC 61511 in the Norwegian petroleum industry. OLF.
Sklet, S. (2006). Safety Barriers on Oil and Gas Platforms. PhD thesis 2006:3, NTNU.
Summers, A. (2003). Introduction to layers of protection analysis. Journal of Hazardous Materials, 104:163–168.
The Dow Chemical Company (2002). Introducing Dow application of layer of protection analysis - LOPA.
Appendix A
Basic concepts
Appendix B
Software schematic
Legend:
Black circles - User input
Blue circles - Data cell
Red circles - Calculation cell (output cell)
Blue lines - Data path (blue or black circle to red circle)
Pale yellow box - Button
Yellow box - Clicked button
Figure B.1: Step 1
Figure B.2: Step 2
Figure B.3: Step 3
Figure B.4: Step 4
Figure B.5: Step 5
Appendix C
Figure C.1: LOPA worksheet: Case study