ELA980 Unit 1 - The LOPA Process
Transcript of ELA980 Unit 1 - The LOPA Process
Copyright ©American Institute of Chemical Engineers 2018. All rights reserved.
SAChE® Certificate Program
Level 3, Course 1.1: Risk Review Using LOPA (Layer of Protection Analysis)
Unit 1 – The LOPA Process
Narration:
[No narration]
Getting Started
Narration (female voice):
If this is your first time taking a SAChE course, please take a few minutes to explore the
interface. This slide will explain how to use the controls to navigate through the course.
All of the units in the course use the same interface.
This interface has four main features that you should be aware of:
• Here is the left navigation bar. It contains a list of the slides as well as the
narrative transcript. At any point in the course, if you would like to revisit any
content, click the slide title to jump back.
• You may also use the Previous button on the bottom of the player. To advance
forward, use the Next button.
• The Search feature allows you to search for content using any word in the
current unit.
• On the top menu bar you will find the Help, Abbreviations, Glossary, Resources
and Exit options. The resources included in this course include any unit-specific
attachment as well as a printable copy of the unit slides and narrative. Use the
Exit tab to leave this unit at any time.
Click the arrows if you want to learn more about the interface features. Click ‘Next’
when you’re ready to continue.
About This Training Program
Narration (male voice):
Welcome to the American Institute of Chemical Engineers’ online Process Safety training
program. This course will introduce you to Risk Review Using LOPA (Layer of Protection
Analysis). It’s divided into three units:
• Unit 1 – The LOPA Process;
• Unit 2 – Core Attributes of Independent Protection Layers; and
• Unit 3 – Enabling Conditions and Conditional Modifiers.
Each unit takes about 30 to 45 minutes to complete. At the end of each unit, you will be
presented with a quiz. You must pass the quiz in order to have the unit marked as
complete so be sure to pay close attention to the content and answer all of the review
questions along the way. After completing all of the units in the course, you will take a
final exam. You must pass the exam to have the course marked as completed.
Objectives
Narration (male voice):
This is the first of three units in the Risk Review Using LOPA (Layer of Protection
Analysis) course. By the end of this unit, titled “The LOPA Process,” you will be able to:
• Describe when in the life cycle of a chemical process LOPA can be used and in
what situations LOPA can be helpful; and
• Describe the LOPA process and the common elements of a LOPA.
SECTION 1: Introduction
Narration:
[No narration]
What is Risk?
Narration (male voice):
We’re going to begin this unit by defining “risk.”
Risk is a measure of human injury, environmental damage, or economic loss in terms of
both the incident likelihood and the magnitude of the loss or injury.
A simplified version of this relationship expresses risk as the product of the likelihood
and the consequences (that is, Risk = Consequence x Likelihood) of an incident.
Qualitative Risk Matrix
Narration (male voice):
Risk can be illustrated as a matrix with consequence severity on the X-axis and
frequency or probability on the Y-axis. Risk increases on the diagonal as shown.
Each company establishes its own risk matrix. Colors may be used to classify risk, such as
green for tolerable, yellow for marginal, and red for unacceptable.
What is a Layer of Protection Analysis (LOPA)?
Narration (male voice):
A Layer of Protection Analysis is an approach that analyzes an incident scenario to
compare the scenario risk estimate to risk criteria for determining where additional risk
reduction or more detailed analysis is needed.
Incident sequences, developing scenarios, and understanding the types of
“consequences of concern” – such as toxic releases, fires, and explosions – are covered
in other SAChE courses. The scenarios used in a LOPA are typically identified during a
scenario-based hazard evaluation procedure such as a HAZOP Study (also detailed in
other SAChE courses).
LOPA Goal
Narration (male voice):
The goal of a LOPA is to focus on scenarios with greatest risk, such as those with high
severity and high frequency (the red region of a risk matrix). The LOPA method
evaluates which safeguards, also called layers of protection, can be credited as
independent protection layers (IPLs) for risk management.
Examples of safeguards, or layers of protection, are shown here. You will learn in Unit 2
of this course which layers of protection can be considered as an IPL for use in the LOPA
method.
Part 2
Key Questions When Assessing Risk
Narration (male voice):
LOPA can help answer these key questions when assessing risk:
• How safe is "safe enough?"
• How many protection layers are needed?
Keep in mind that these are overview questions relating to risk reduction. They are not
specific to the LOPA method.
LOPA – A Structured Approach
Narration (male voice):
This structured approach:
• Reduces emotionalism in decision making;
• Provides clarity and consistency;
• Documents the basis of the decision; and
• Facilitates understanding of risk and layers of protection among plant personnel.
LOPA – Semi-quantitative Risk Assessment
Narration (male voice):
A LOPA is often called a “semi-quantitative” risk assessment since it deals with order-of-
magnitude estimates of risk. It can be used to bridge the gap between a qualitative
hazard identification and risk analysis, such as a HAZOP, and a Quantitative Risk Analysis,
also known as a QRA.
QRAs are the systematic development of numerical estimates of the expected frequency
and severity of potential incidents based on engineering evaluation and mathematical
techniques. QRAs require sophisticated, often proprietary, source and dispersion-based
modeling software. The LOPA method is an excellent screening method to use before
investing time and resources on a QRA for a specific scenario.
Source models, dispersion models, and QRAs are discussed in more detail in other
SAChE Courses.
Common Elements of LOPA
Narration (male voice):
While LOPA methods used by various companies differ, they have common elements.
These include:
• A method for selecting scenarios;
• A consequence classification method that can be applied throughout the
company;
• Specific rules for considering safeguards as IPLs;
• Specified default data for initiating event frequencies (IEFs) and IPL probabilities
of failure on demand (PFDs);
• A specified procedure for performing the required calculations;
• Numerical risk tolerance criteria. Individual companies use different criteria,
examples of which include:
o Frequency of fatalities;
o Frequency of fires;
o Required number of independent protection layers (IPLs); and
o Maximum frequency for specific categories of consequences based on
severity measures, such as release size and characteristics or value of lost
production.
• And a specified procedure for determining whether the risk associated with a
scenario meets the risk tolerance criteria for an organization, and if it does not,
how this is resolved and documented.
When to Use LOPA
Narration (male voice):
LOPA can effectively be used at any point in the life cycle of a process or facility but is
most frequently used during:
• The design stage when the process flow diagrams and the piping and
instrumentation diagrams (P & IDs) are usually complete; and
• The operations and maintenance stage, when modifications are going to be
made to an existing process or its control or safety systems.
Situations Requiring LOPA
Narration (male voice):
LOPA is typically applied after a qualitative hazard evaluation, such as a process hazard
analysis (PHA).
LOPA can be applied when the hazard evaluation team or others believe a scenario is
too complex for the team to make a reasonable risk judgment. That is, the
consequences are perceived to be too severe to rely solely on qualitative risk judgment.
LOPA can be used any time when more than qualitative judgment of risk is required, but
companies often establish consequence severity or risk-based criteria for when PHA-
generated scenarios must be taken to LOPA.
Example “Onion Skin” Diagram
Narration (male voice):
The layers of protection analyzed in LOPA can be represented by an example onion skin
diagram shown here.
After the process is designed to minimize risk, the residual risk can be managed using
the IPLs identified in a LOPA.
Inherently Safer Design Approaches and LOPA
Narration (male voice):
Inherently safer design approaches to process safety are used to eliminate or minimize a
hazard. This reduces the need for layers of protection that would otherwise be required
to manage the risk of a process.
Inherently safer design reviews should be done prior to LOPA so that the number of
likely scenarios can be reduced. LOPA can also be used to identify where inherently
safer approaches would be useful.
SECTION 2: The LOPA Process
Narration:
[No narration]
Management Systems to Support LOPA
Narration (male voice):
In this section, we will discuss various concepts important to the understanding of the
LOPA process. Then in Section 3, we will list the steps involved in conducting a LOPA and
look at an example.
The LOPA process is just a part of an overall process safety and risk management
program. An effective process safety management system includes twenty key elements
as shown in the CCPS Risk Based Process Safety model. For the purposes of this LOPA
course, the orange “Hazard Identification and Risk Analysis” column on the “Understand
Hazards and Risk” foundational block is where a LOPA is used.
Keep in mind that the success of your LOPA effort hinges on effective implementation of
many of the blue “Manage Risk” pillar elements, as well. In particular, equipment
reliability is sustained in the “Asset Integrity and Reliability” element and human
performance is managed in both the “Operating Procedures” and “Training and
Performance Assurance” elements.
Management systems supporting LOPA are beyond the scope of this course. You can
learn more by referring to the CCPS book: Guidelines for Risk Based Process Safety for a
detailed discussion of management systems. These systems are also discussed in other
SAChE courses.
Scenario Development
Narration (male voice):
As we begin to discuss the LOPA process, it is important to remember that LOPA is not a
technique for identifying scenarios. LOPA is a simplified method to estimate the risk
associated with a previously identified scenario and to ensure that there are sufficient
IPLs in place to manage the risk.
There are several means of identifying scenarios for LOPA. They include commonly used
methods such as:
• Process Hazards Analyses (PHAs), using PHA methods such as:
o Hazard and Operability Studies (HAZOPs);
o What-if or Checklist Analysis; and
o Failure Modes and Effect Analysis (FMEA);
• Plant operational experience;
• Review of past plant and industry incident and near miss data; and
• Management of Change (MOC) reviews.
These techniques will not be explained here; they are discussed in detail in other SAChE
courses and the CCPS book: Guidelines for Hazard Evaluation Procedures.
Scenario Selection
Narration (male voice):
As stated before, the goal of a LOPA is to focus on scenarios with greatest risk.
Companies may establish criteria such as consequence severity or the risk-level
assessment of the PHA team for the selection of scenarios to be evaluated using LOPA.
During a HAZOP, there may be hundreds of process deviations which can be used to
develop hundreds of scenarios. Even using selection criteria, a large number of LOPA
scenarios may be indicated. One approach to reduce the number of scenarios for LOPA
is to analyze the scenarios for one operation, usually the one presenting the highest risk,
and then apply applicable IPLs to similar operations within the scope of the study.
For example, scenarios considered for the storage tank with the greatest risk can be
assessed and the protection layers needed can be applied to the other, lower-risk,
storage tanks. This can result in a conservative approach for the application of
protection layers.
Preventive and Mitigative Safeguards
Narration (male voice):
Once we have selected a scenario, we must identify the layers of protection that can be
considered in the LOPA calculations. We will discuss the difference between a safeguard
and an IPL in detail in Unit 2 of this course. For now, let’s discuss protection layers in
general. As mentioned earlier, some safeguards prevent the consequence from
occurring (which may be referred to as “preventive safeguards”) and some safeguards
are used to reduce the consequence severity (“mitigative safeguards”).
• A high-level switch that shuts a valve to prevent a tank from overflowing is a
preventive safeguard.
• A dike that minimizes the environmental impact of a spill is a mitigative
safeguard.
Preventive and Mitigative Safeguards (continued)
Narration (male voice):
When describing how process safety risk is evaluated, remember that:
• A consequence is the undesirable result of a loss event, usually measured in
health and safety effects, environmental impacts, loss of property, and business
interruption costs…
…and that…
• A “consequence of concern” can include toxic releases, fires, explosions, and
runaway reactions.
A preventive or mitigative safeguard may effectively prevent one specific consequence
of concern while contributing to a different but significant consequence.
Preventive and Mitigative Safeguards (continued)
Narration (male voice):
For example, a relief device activation might prevent a tank from overpressure but
result in a release of a hazardous material. Since not all safeguards apply to all scenarios,
both scenarios – tank overpressure and relief valve lifting – must be evaluated with
separate LOPA calculations to ensure that there are sufficient IPLs to adequately
manage the risk associated with both scenarios.
Overview of Frequency
Narration (male voice):
A scenario begins with a deviation from normal operation, such as an equipment failure
or a human error. This deviation is called the “initiating event,” or IE. To estimate the
likelihood that a consequence of concern will occur, we must consider the frequency
with which the IE will occur and the probability that the sequence will be halted by one
of the layers of protection.
Terms related to LOPA frequency calculations include:
• Initiating Event Frequency (IEF); this is how often the IE is expected to occur. In
LOPA, the IEF is typically expressed in terms of occurrences per year.
• Probability of Failure on Demand (PFD) is the likelihood that a system will fail to
perform a specific function when needed. In LOPA, the PFD is typically expressed
as a decimal value between 0.001 and 1.0. It is a dimensionless number.
Overview of Frequency (continued)
Narration (male voice):
It is important to always distinguish between frequencies and probabilities. To calculate
a scenario frequency, you must start with a single event frequency and multiply it by
appropriate probabilities, as shown.
Overview of Frequency (continued)
Narration (male voice):
To better understand the frequency calculation, it can be useful to think of the IPLs
applied as filters. They remove a portion of the probability of the undesired
consequence occurring. The undesired consequence of concern occurs at an overall
frequency reduced by each IPL.
Level of Analysis for Each Scenario
Narration (male voice):
IEs for each scenario can be defined at several levels of detail. For example, you may
consider the failure of a control loop (such as a flow control system), an element of the
system (such as a valve), or a component of an element (such as a valve seat). The
analysis level needed is generally limited to what is necessary to understand the
required effectiveness of the IPLs and the level of independence that exists between the
IE and the IPLs.
You will learn more about this “independence” in Unit 2.
Level of Analysis for Each Scenario (continued)
Narration (male voice):
For example, consider a loss event initiated by the failure of a pressure control loop that
allows the process pressure to exceed the vessel maximum allowable working pressure
(MAWP) with the potential for vessel rupture due to an internal overpressure.
The pressure control loop malfunctions due to the failure of the control system. The
specific potential causes of the system failure are numerous (for example, failure of
components, loss of utilities, human error, failure of support systems, failure of
interfaces, errors of commission and omission, and so on).
The cause of concern that should be analyzed should be based on the causes of interest
to the company. For example, if loss of utilities is a major concern of the company, loss
of specific utilities (air, water, or power) should be analyzed in separate LOPAs.
Level of Analysis for Each Scenario (continued)
Narration (male voice):
Some of the terms shown here are used when describing component failures associated
with instrumented protective systems. These terms will be used later in this unit as you
learn how to apply a LOPA to an example scenario.
Click the buttons for a definition of each.
SIF (Slide Layer)
[When “Safety Instrumented Function (SIF)” is clicked…]
A Safety Instrumented Function, or SIF, is a system composed of sensors, logic solvers,
and final control elements for the purpose of taking the process to a safe state when
predetermined conditions are violated.
SIL (Slide Layer)
[When “Safety Integrity Level (SIL)” is clicked…]
A Safety Integrity Level (SIL) is a discrete level (one to four) allocated to the SIF for
specifying the safety integrity requirements to be achieved by the SIS (see “Safety
Instrumented System”), where an SIL 4 rating is the highest integrity and an SIL 1 rating
is the lowest.
SIS (Slide Layer)
[When “Safety Instrumented System (SIS)” is clicked…]
A Safety Instrumented System (SIS) is a separate and independent combination of
sensors, logic solvers, final elements, and support systems that are designed and
managed to achieve a specified Safety Integrity Level (SIL). An SIS may implement one or
more Safety Instrumented Functions (SIFs).
Refer to the CCPS books: Safe Automation of Chemical Process and Guidelines for Safe
and Reliable Instrumented Protective Systems for more information on these topics.
Equipment Life Cycles and Failure Rates
Narration (male voice):
Equipment failure rate data is frequently used in estimating IEFs and PFDs. It is
important to manage equipment reliability and integrity to ensure that the data used
are relevant.
A generic “bath tub” curve can be used to illustrate three distinct regions in the life cycle
of some equipment. There is a “break-in” region (Region 1), a useful life region (Region
2), and an end-of-life region (Region 3). Not all equipment follows this exact course, but
this curve is typical.
When using equipment failure rate data, it is generally assumed that there is an
effective Risk Based Process Safety (RBPS) asset integrity program in place to maximize
the time the equipment spends in Region 2, its useful life. During this time, the
equipment has a defined and established constant failure rate value that can be used in
the LOPA.
Initiating Event Frequencies (IEFs) – Human Factor Considerations
Narration (male voice):
Managing human performance is important to prevent errors that can initiate LOPA
scenarios and adversely impact the reliability of the safeguards. Human error depends
on many factors that should be considered during the selection of IEF and IPL PFD values.
These factors include:
• Procedure accuracy and procedure clarity;
• Training, knowledge and skills;
• Fitness for duty;
• Workload management;
• Communications;
• Work environment;
• Human-machine interface; and
• Job complexity.
Initiating Event Frequencies (IEFs) – Failure and Error Rate Sources
Narration (male voice):
Failure rate data can be based on expert opinion at one end of the spectrum to carefully
collected plant data at the other end. Human error and equipment reliability data can
be obtained from many sources with a wide range of quality. Most equipment failure
rate data that exist are specific to component failure rates.
Data sources can be categorized as:
• Expert judgment: this is data based on the opinion of experts.
• Generic: this is publicly available data that have been aggregated from similar
systems or situations.
• Predicted: this is the application of basic failure rate data for the elemental
components to determine the failure rate of the aggregate system or the error
rate of a specific task.
• And site-specific: these are the ideal data for the analysis and are specific to the
plant and the application being analyzed.
Sources of data and their limitations are listed and discussed further in Guidelines for
Initiating Events and Independent Protection Layers in Layer of Protection Analysis.
Overview of Consequence Severity
Narration (male voice):
When determining the risk, both the frequency and consequence must be determined.
We have discussed briefly some of the ways the frequency can be determined in a LOPA.
Next, we will provide a brief overview of how the severity of a consequence is
determined and how it will be used in a LOPA.
On the slides that follow, we will briefly discuss the evaluation of consequence severity.
Detailed coverage of consequence evaluation can be found in the CCPS books: Layer of
Protection Analysis, Simplified Risk Assessment and Guidelines for Initiating Events and
Independent Protection Layers in Layer of Protection Analysis. Detailed consequence
evaluation methods can be found in Guidelines for Consequence Analysis of Chemical
Releases.
Evaluation of Consequence Severity
Narration (male voice):
In LOPA, a consequence of concern (impact) is the ultimate outcome of a LOPA scenario
assuming failure of all the IPLs in the scenario being evaluated. You must evaluate the
consequence of concern or impact assuming there are no IPLs, or if existing, the IPLs do
not work.
The consequences of concern or impacts that might be of interest to an organization
include a toxic release that results in injury or fatality, a fire or explosion that results in
injury, property damage or business loss, or a spill that results in environmental damage.
The worst credible consequence (impact) is generally assessed, and scenarios are
selected based on the individual organization’s protocol for selecting scenarios.
Evaluation of Consequence Severity (continued)
Narration (male voice):
There are two basic approaches to estimating the consequence severity. The first
approach shown here is to classify the release into a consequence category, based on
factors such as the amount of material released and its chemical and physical properties.
Use the scroll bar to view all of the examples.
Evaluation of Consequence Severity (continued)
Narration (male voice):
The second approach is to define the consequence severity in terms of impact, such as
the number of fatalities, level of environmental impact, equipment damage or loss of
production.
Again, use the scroll bar to view all of the examples.
Inherently Safer Design and Consequence Severity
Narration (male voice):
As discussed earlier, inherently safer design practices can eliminate scenarios or reduce
their consequence severity. Examples of process modifications that can reduce
consequence severity include:
• Minimizing the chemical inventory in process equipment;
• Moderating the conditions in a process;
• Substituting a less hazardous material that can reduce the consequences of a
release;
• Limiting the quantity of a reagent present in a reactor by gradually feeding the
material, rather than adding it in one charge, can reduce the potential for an
uncontrolled chemical reaction; and
• Reducing the impact of a fire or explosion on multiple receptors by using proper
equipment spacing and facility siting.
Refer to the SAChE course and the CCPS book: Inherently Safer Chemical Process, A Life
Cycle Approach for more information.
Summary of the LOPA Process
Narration (male voice):
In the next section, we’ll explore an example LOPA, but before moving on, let’s
summarize the key points we have discussed about the LOPA process:
• The LOPA process is a part of an overall process safety and risk management
program;
• LOPA is a structured, semi-quantitative method that can be used as part of a risk
assessment;
• LOPA is not a hazard identification method;
• LOPA is most frequently used during the design and operations stages in the
process life cycle; and
• Risk is a function of both likelihood and the potential consequence severity.
SECTION 3: Example LOPA
Narration:
[No narration]
Example LOPA
Narration (male voice):
In this section, we’ll walk through an example LOPA so that you have a basic
understanding of how the analysis is conducted.
The LOPA Process
Narration (male voice):
The basic LOPA process is as follows:
1. Identify the consequences from a hazard identification process, such as a process
hazards analysis, to help screen scenarios for LOPA;
2. Select the incident scenario (cause-consequence pair);
3. Identify the Initiating Event Frequency (IEF) and the applicable Independent
Protection Layers (IPLs) and estimate the Probability of Failure on Demand (PFD)
of each IPL;
4. Calculate the scenario frequency; and
5. Evaluate the risk to reach a decision concerning the scenario.
STEP 1: Identify the Consequences
Narration (male voice):
The first step in the LOPA process is to identify the consequences from the hazard
identification process, generally a process hazards analysis. For our example, assume
that a HAZOP has been done on the proposed design of the reactor system of a polymer
plant. Several consequences have been identified from this process hazards analysis.
STEP 2: Select the Incident Scenario (Cause-Consequence Pair)
Narration (male voice):
In Step 2, an incident scenario (cause-consequence pair) is selected from the previously
identified scenarios. For our example, the scenario of interest involves the following:
• Cause (that is, the initiating event): The cooling water pump to the polymer
reactor fails during the step where monomer is added to the reactor.
• Consequence: High temperature resulting in a runaway reaction with elevated
pressure and ultimate failure of the reactor vessel due to vessel overpressure.
STEP 3: Identify Applicable IPLs and Estimate PFD of Each IPL
Narration (male voice):
Step 3 is to identify the applicable Independent Protection Layers (IPLs) and estimate
the Probability of Failure on Demand (PFD) of each IPL. As was mentioned earlier, not all
safeguards are IPLs; you will learn more about what makes a safeguard an IPL in Unit 2.
The following Independent Protection Layers have been identified as applicable and
have been proposed for the reactor design:
• IPL 1: Automatic detection of low cooling water flow that would turn on the
spare water pump during the monomer addition step (assume this is part of an
SIS, with an SIL 1 performance);
• IPL 2: Automatic shut off of the monomer feed flow if high temperature is
detected during the monomer addition step (assume this is part of an SIS, with
an SIL 2 performance);
• IPL 3: Spring-operated pressure relief valve designed for the worst case runaway
reaction scenario; and
• IPL 4: Automatic emergency venting of the reactor to a collection vessel if high
pressure is attained during the monomer addition step (assume this is part of an
SIS, with an SIL 3 performance).
STEP 3: Identify Applicable IPLs and Estimate PFD of Each IPL (continued)
Narration (male voice):
Continuing with Step 3, we need to estimate the IEF and the PFD for each IPL. To assist
us with this, we’ll use data from the CCPS book: Guidelines for Initiating Events and
Independent Protection Layers in Layer of Protection Analysis.
• In Data Table 4.9: Pump, compressor, fan, or blower failure is 0.1 events/year.
• In Data Table 5.15: Spring operated pressure relief valve failure is 0.01 for failure
to open enough at set pressure (100% of rating).
• In Data Table 5.14: A Safety Instrumented System (SIS) loop has the following
PFD values for three Safety Integrity Levels:
   o SIL 1: 0.1;
   o SIL 2: 0.01; and
   o SIL 3: 0.001.
Problem Statement
Narration (male voice):
For this example, we’ll consider this problem…
The design team would like to install IPL 1, IPL 2, and IPL 3 at this time, delaying the
installation of IPL 4 until a later date.
If the company has determined that the tolerable risk of the reactor exploding is less
than 0.0000001 (1 x 10^-7) events per year, is the proposed design with only the three
IPLs adequate?
If not (that is, if the risk does not meet the tolerable risk criteria), what additional design
features could be added?
IPLs Filter Scenario Risk
Narration (male voice):
As we continue with this process, it’s important to remember that each IPL acts like a
filter removing part of the overall scenario risk.
STEP 4: Calculate Scenario Frequency
Narration (male voice):
Step 4 in the LOPA process is calculation of the scenario’s frequency. Using the initiating
event frequency and PFDs for each IPL gathered in Step 3, the frequency is 1 x 10^-6
events per year for our example.
LOPA Event Tree Model
Narration (male voice):
LOPA can be thought of as an event tree with each IPL reducing a portion of the
probability of catastrophic consequences. If the IPL is successful, move up; if not, move
down.
STEP 5: Evaluate Risk
Narration (male voice):
The last step in the LOPA process is to decide whether the risk is tolerable with this
scenario and its IPLs.
In our example, the calculated risk is 0.000001 (1 x 10^-6) events per year. This is above
the company’s risk tolerance criteria of 0.0000001 (1 x 10^-7) events per year. Therefore,
the proposed design is not adequate since the risk is not tolerable.
Because the design does not meet the company’s risk tolerance criteria, a more detailed
quantitative risk assessment may be appropriate. Additional IPLs could be added (for
example, IPL 4, which was initially not considered).
Alternately, the proposed IPLs could be made more reliable by designing to higher
Safety Integrity Levels (SILs). Any combination of IPLs that reduce the risk below
0.0000001 (1 x 10^-7) is acceptable.
Calculate Scenario Frequency – Different Design
Narration (male voice):
Now suppose the design team decides on using IPL 3 and IPL 4 as safeguards. In this
case, the event frequency happens to be the same as the previous design: 0.000001
(1 x 10^-6) events per year.
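Added example (not part of the SAChE course material): the Step 4 and Step 5 calculation for the reactor scenario, using only the IEF, PFD and tolerable-risk values quoted in this unit. It goes beyond the two designs discussed by checking every combination of the four IPLs and by walking the event tree; the function names are illustrative, and exact fractions are used so that a design landing exactly on 1 x 10^-7 is not misjudged by floating-point rounding.

```python
from fractions import Fraction
from itertools import combinations

# Values quoted in the unit (CCPS Data Tables 4.9, 5.14 and 5.15).
IEF = Fraction(1, 10)             # cooling water pump failure, events/year
TOLERABLE = Fraction(1, 10**7)    # company criterion: risk must be below this
PFD = {
    "IPL 1": Fraction(1, 10),     # SIS, SIL 1: start spare water pump
    "IPL 2": Fraction(1, 100),    # SIS, SIL 2: shut off monomer feed
    "IPL 3": Fraction(1, 100),    # spring-operated pressure relief valve
    "IPL 4": Fraction(1, 1000),   # SIS, SIL 3: emergency vent to collection vessel
}

def scenario_frequency(ipls):
    """Step 4: initiating event frequency times the PFD of every IPL."""
    freq = IEF
    for name in ipls:
        freq *= PFD[name]
    return freq

def is_tolerable(ipls):
    """Step 5: the criterion is strictly 'less than' the tolerable frequency."""
    return scenario_frequency(ipls) < TOLERABLE

def adequate_designs():
    """Every IPL combination whose scenario frequency meets the criterion."""
    names = sorted(PFD)
    return [combo
            for size in range(1, len(names) + 1)
            for combo in combinations(names, size)
            if is_tolerable(combo)]

def event_tree(ipls):
    """Event tree view: each IPL stops part of the demand that reaches it.
    Returns (outcome, frequency) pairs whose frequencies sum to the IEF."""
    branches, reaching = [], IEF
    for name in ipls:
        branches.append((f"{name} succeeds", reaching * (1 - PFD[name])))
        reaching *= PFD[name]     # only failures pass on to the next layer
    branches.append(("all IPLs fail", reaching))
    return branches

if __name__ == "__main__":
    for design in (("IPL 1", "IPL 2", "IPL 3"), ("IPL 3", "IPL 4")):
        f = scenario_frequency(design)
        print(design, float(f), "tolerable" if is_tolerable(design) else "not tolerable")
    print("Designs meeting the criterion:", adequate_designs())
    for outcome, f in event_tree(("IPL 1", "IPL 2", "IPL 3")):
        print(f"  {outcome}: {float(f):.2e} events/year")
```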
Unit 1 Summary
Narration (male voice):
We’ve reached the end of the first unit in the Risk Review Using LOPA (Layer of
Protection Analysis) course. Having completed this first unit, titled “The LOPA Process,”
you should now be able to:
• Describe when in the life cycle of a chemical process LOPA can be used and in
what situations LOPA can be helpful; and
• Describe the LOPA process and the common elements of a LOPA.
In Unit 2, you will learn about the core attributes of Independent Protection Layers. But
first, please take the quiz for Unit 1 beginning on the next slide.