Lopa For Sil
Abstract

This paper describes the Layer of Protection Analysis (LOPA) method for determining the needed SIL (Safety Integrity Level) of a SIS (Safety Instrumented System). The paper also shows the relationship of LOPA to other analysis methods for safety system requirements. Building on the CCPS (Center for Chemical Process Safety) Guidelines for Safe Automation of Chemical Processes, this paper shows how to determine if additional safeguards are needed and how to determine the needed SIL of a SIS. LOPA is a tool that can be used after the HAZOP (HAZard and OPerability Analysis), but before using fault tree analysis or quantitative risk analysis. Using a multi-disciplined team, the consequences identified in the HAZOP are listed as impact events and are classified for severity level. The initiating causes are listed for each impact event and a likelihood is estimated for each initiating cause. Independent Protection Layers (IPLs) are listed, including process design, basic process control system, alarms and procedures, safety instrumented systems, and additional mitigation. Each IPL is assigned a Probability of Failure on Demand (PFD). A mitigated event likelihood is calculated by multiplying the initiating cause likelihood by the PFDs for the applicable IPLs. The mitigated event likelihood is then compared to a criterion linked to the corporation's criteria for unacceptable risk levels. Additional IPLs can be added to reduce the risk. The mitigated event likelihoods are summed to give an estimate of the risk for the whole process. © 1998 Elsevier Science Ltd. All rights reserved.

Keywords: Alarm systems; Design guidelines; Documentation; Emergency shutdown system; Fault tree analysis; Final element; Instrumentation; Interlocks; Modeling; Probability of failure on demand; Qualitative; Quantitative; Reliability; Reliability data; Safety; Sensors; Standards; Systems design; Unavailability
Inconsistency in determining SIL often comes from a lack of clarity for the frequency of the initiating cause and the target mitigated event frequency for which the risk is viewed as tolerable. These issues may be handled implicitly with individual team members having a different perception of the frequencies and the risk level that is tolerable. Some methods listed in the introduction do not deal with the causes explicitly, some do not deal with the frequencies of causes explicitly, and some do not deal with the target frequency for a risk level that is tolerable. Yet each team member is doing some sort of intuitive, internal analysis that asks:

• How bad is it?
• How often could it be caused?
• How effective will the layers of protection be?
• Is the mitigated event frequency intolerable or not?

Some companies have published guidelines for the risk the process imposes on the community [5], industrial neighbors, and employees. These guidelines can be used to establish criteria for the SIL evaluation as shown later in this paper.

On the other hand, many companies have not published guidelines for the risk the process imposes on the community, industrial neighbors, and employees. However, for various process configurations, decisions are still made to apply further risk reduction via design change or additional IPLs, or not to apply additional risk reduction (i.e., risk is tolerable). This information can be converted to targets for use in determining SIL. The target could take the form of the number of IPLs and the SIL value required for a given consequence severity and challenge frequency.

What is needed is a way to determine the required SIL rationally and consistently among individuals, teams, projects, and companies.

3. Layer of protection analysis (LOPA)

LOPA is built on concepts from Chapter 7 of CCPS [3]. This paper is based on more than 5 years' use of the technique.

LOPA uses a multi-disciplined team, like a HAZOP team. Knowledgeable representatives are needed from:

• Operations (operator, foreman)
• Management
• Process Engineering
• Control Engineering
• Instrument/Electrical (craftsman, foreman, or engineer)
• Risk Analysis (hazard evaluation specialist)

At least one person must be skilled in the LOPA methodology. One of the team members should be skilled as a meeting/team facilitator.

A HAZOP (or other hazard identification procedure) is done first. HAZOP tables usually list Deviations, Causes, Consequences, Safeguards, and Recommendations. The HAZOP table may also include estimates of the Frequency for each Cause and Severity for each Consequence. With these estimates a risk matrix can be used to estimate Risk for a Cause–Consequence pair [6]. Fig. 1 shows the HAZOP information and the LOPA information in graphical form. The solid lines show the sequence of the HAZOP or LOPA development. The dotted lines show how HAZOP information is transferred to the LOPA. A sample LOPA table is shown in Fig. 2.

3.1. Impact Event classification

Each Impact Event from the Hazard Identification is classified for Severity Level and Maximum Target Likelihood for the impact event using Table 2. The Impact Event, Severity Level, and Maximum Target Likelihood are written into column 1 of the Layer of Protection Analysis form (Fig. 2).

3.2. Initiating Cause

For each Impact Event, the team lists all the Initiating Causes in column 2 of Table 2. Note that a HAZOP Consequence may be listed in several sections of the HAZOP. It is important to gather all the Causes. The remaining calculations are carried out for each Initiating Cause for each Impact Event.
158 A.M. Dowell III/ISA Transactions 37 (1998) 155–165
Table 2
Impact Event severity levels and Target Mitigated Event likelihoods

Severity Level | Description | Maximum Target Mitigated Event Likelihood (per year) | Basis
Minor (M) | Impact initially limited to local area of event with potential for broader consequence if corrective action not taken | (none given) | Depends on the economics of life cycle cost of additional layers of protection versus cost of the impact events
Serious (S) | Impact event could cause any serious injury or fatality onsite or offsite | 1.00 × 10^-6 | Corporate risk criteria
Extensive (E) | Impact event that is five or more times worse than a serious event | 1.00 × 10^-8 | 2 orders of magnitude less than serious
Table 3
Typical Initiating Cause likelihood
Table 4
Typical Independent Protection and Mitigation Layer PFDs
Criteria and additional IPLs may not be required. (However, further risk reduction may be desirable.) If the Mitigated Event Likelihood is more than the Target Mitigated Event Likelihood, then additional risk reduction is probably needed. The team should seek to reduce the risk, first by applying inherently safer concepts, and then by applying additional layers of protection. The LOPA table would be updated for the design changes.

3.8. Number of IPLs

The number of Independent Protection Layers is entered in column 9, Fig. 2. Serious and Extensive Impact events normally require at least two IPLs.

3.9. SIS needed

If the team finds that an SIS is needed to meet the Target Mitigated Event Likelihood, the team enters the SIS description in column 7 and assigns it a PFD. The SIL is entered in column 7, Fig. 2. The team should use an SIS only if other design changes (using inherently safer concepts) cannot reduce the Mitigated Event Likelihood to less than the target [7]. Avoid using safety interlocks (added-on features). If possible, use built-in features (inherent) to reduce risk.

The team continues the iterative process of increasing the number of protection layers and recalculating the Mitigated Event Likelihood until the Mitigated Event Likelihood is less than the Target Impact Event Likelihood.

3.10. Add up all the risk

After all the impact events are analyzed and tabulated in the LOPA Table in Fig. 2, the team adds up all the Mitigated Event Likelihoods for Serious and Extensive Impact Events for each affected population group.

The Risk of Fatality for each affected population is calculated by the following formulas or their equivalents:

Fire: Risk of Fatality = (Mitigated Event Likelihood of Release) × (Probability of Ignition) × (Probability of Person in Area) × (Probability of Fatal Injury in the Fire [usually 0.5])

Toxic Release: Risk of Fatality = (Mitigated Event Likelihood of Release) × (Probability of Person in Area) × (Probability of Fatal Injury in the Release)

The team uses the Risk Analyst expertise and the knowledge of the team to adjust these equations for the conditions of the release and the work practices of the affected populations.

Example: The team found the likelihood of a release that could lead to a large fire was 2 × 10^-5 per year. The probability of ignition is taken as 0.5. The operator is in the area where the fire could occur for about 20 min each hour, so the probability the operator is in the area at the time of the fire is 20/60 = 0.33, round to 0.3. The probability of fatal injury if a person is in a large fire is taken as 0.5.

Substituting in the equation above,

Risk of fatality = (Mitigated Event Likelihood of Release) × (Probability of Ignition) × (Probability of Person in Area) × (Probability of Fatal Injury in the Fire)
= (2 × 10^-5 per year) × (0.5) × (0.3) × (0.5)
= 1.5 × 10^-6

3.11. Corporate Risk Criteria test

The total risk from all impact events for the affected population should be compared to the Corporate Risk Criteria.

• If the total risk does not meet the criteria for the affected population, then the team should seek to reduce the risk, first by applying inherently safer concepts, and then by applying additional layers of protection. Such design changes will require an update to the LOPA table.
• If the total risk is less than the criteria for the affected population and additional risk reduction can be achieved by some additional cost, the Team should recommend those additional risk reduction features to the business [5].
• If the total risk is substantially less than the criteria for the affected population, then no further risk reduction is needed.
The objective is to be sure the total risk from the facility meets the Corporate Risk Criteria. The team should remember that employees and the community may have risk from other parts of the unit, from other projects, and from other units. That additional risk must be considered against the Corporate Risk Criteria.

4. Sample problem

Part of a sample problem for Layer of Protection Analysis is shown in Fig. 2. The system under study is an atmospheric distillation column with a steam reboiler and an overhead condenser using cooling tower water.

4.1. Impact Event 1

The HAZOP identified high pressure as a deviation. One consequence of high pressure in the column was catastrophic rupture of the column, if it exceeded its design pressure. In the LOPA, this impact event is listed as Extensive for Severity Class, since there is potential for five or more fatalities. The Maximum Target Likelihood for Extensive impact events is 1 × 10^-8/year. The impact event, its class, and Maximum Target Likelihood are written in column 1 of Fig. 2. Note that Fig. 2 uses an alternate notation for scientific numbers for better legibility at smaller font sizes (1 × 10^-8 = 1E-8).

The HAZOP listed several Initiating Causes for this impact event. One initiating cause was loss of cooling tower water to the main condenser. The operators said this happened about once every ten years. The Initiating Cause is written in column 2 of Fig. 2, and the Challenge Likelihood is written in column 3 (1/10 year = 1 × 10^-1).

The LOPA team identified one Process Design IPL for this impact event and this cause. The maximum allowable working pressure of the distillation column and connected equipment is greater than the maximum pressure that can be generated by the steam reboiler during a cooling tower water failure. Its PFD is 1 × 10^-2. This design feature is listed in column 4 of Fig. 2.

The Basic Process Control System for this plant is a Distributed Control System (DCS). The DCS contains logic that trips the steam flow valve and a steam remote control valve (RCV) on high pressure or high temperature of the distillation column. This logic's primary purpose is to place the control system in the shut-down condition after a trip so that the system can be restarted in a controlled manner. It is listed in column 5, Fig. 2, since it can prevent the impact event. However, no PFD credit is given for this logic since the valves it uses are the same valves used by the SIS (the DCS logic does not meet the test of independence for an IPL), and the higher credit for the SIS will be taken.

High pressure and temperature alarms displayed on the DCS can alert the operator to shut off the steam to the distillation column, using a manual valve if necessary. This protection layer meets the criteria for an IPL: the sensors for these alarms are separate from the sensors used by the SIS. The operators are trained and drilled in the response to these alarms. This information is recorded in Fig. 2, column 6, with the PFD of 10^-1.

SIS logic implemented in a PLC will trip the steam flow valve and a steam RCV on high distillation column pressure or high temperature using dual sensors separate from the DCS. The PLC has sufficient redundancy and diagnostics such that the SIS has a PFD of 10^-3 or SIL 3. This information is written in column 7 of Fig. 2.

The distillation column has Additional Mitigation of a pressure relief valve designed to maintain the distillation column pressure below the maximum allowable working pressure when cooling tower water is lost to the condenser. Its PFD is 10^-2. This information is recorded in column 8, Fig. 2.

The number of independent protection layers is 4 (one each for Process Design, Alarm/Procedure, SIS, and Pressure Relief). This value is entered in column 9 of Fig. 2.

The Mitigated Event Likelihood for this cause-consequence pair is calculated by multiplying the Challenge Likelihood in column 3 by the IPL PFDs in columns 4, 6, 7, and 8:
Mitigated Event Likelihood = (Challenge Likelihood) × (Process Design PFD) × (Alarms, Procedures PFD) × (SIS PFD) × (Relief Valve PFD)
= (1 × 10^-1/year) × (1 × 10^-2) × (1 × 10^-1) × (1 × 10^-3) × (1 × 10^-2)
= 1 × 10^-9/year
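The worksheet arithmetic of Sections 3.8 to 3.10 and the Fig. 2 calculation above, as an added Python example that is not part of the original paper: it multiplies the challenge likelihood by the PFDs of the credited layers only, drops any layer that fails the independence test (the DCS trip logic of Section 4.1 is given a hypothetical PFD here solely to show that it is ignored), checks the Table 2 target and the two-IPL rule of Section 3.8, and evaluates the Section 3.10 fire example. The class and function names are my own.

```python
from dataclasses import dataclass

# Table 2 Maximum Target Mitigated Event Likelihoods, per year. "Minor" has no
# fixed numeric target in the paper (it is an economic decision), so it is omitted.
TARGET_LIKELIHOOD = {"Serious": 1.0e-6, "Extensive": 1.0e-8}

@dataclass
class Layer:
    """A candidate protection layer and its claimed PFD."""
    name: str
    pfd: float
    independent: bool = True  # False: shares sensors/valves with a credited layer

@dataclass
class LopaRow:
    """One cause-consequence pair of the LOPA form (Fig. 2, columns 1 to 9)."""
    impact_event: str
    severity: str                # "Serious" or "Extensive"
    challenge_likelihood: float  # initiating cause frequency per year (column 3)
    layers: list

    def credited(self):
        # Section 4.1: a layer sharing its final elements with the SIS fails
        # the independence test and earns no PFD credit.
        return [layer for layer in self.layers if layer.independent]

    def mitigated_event_likelihood(self):
        mel = self.challenge_likelihood
        for layer in self.credited():
            mel *= layer.pfd
        return mel

    def evaluate(self):
        mel = self.mitigated_event_likelihood()
        ipls = len(self.credited())
        return {
            "mitigated_event_likelihood": mel,
            "meets_target": mel <= TARGET_LIKELIHOOD[self.severity],
            "ipl_count": ipls,
            "enough_ipls": ipls >= 2,  # Section 3.8: at least two IPLs
        }

def risk_of_fatality(mel_release, p_person_in_area, p_fatal_injury, p_ignition=1.0):
    """Section 3.10 formulas: fire uses P(ignition); toxic release leaves it at 1.0."""
    return mel_release * p_ignition * p_person_in_area * p_fatal_injury

# Fig. 2, Impact Event 1, initiating cause: loss of cooling tower water.
SAMPLE_ROW = LopaRow("Catastrophic rupture of the column", "Extensive", 1e-1, [
    Layer("Process design: MAWP above reboiler pressure", 1e-2),
    Layer("DCS trip logic", 1e-1, independent=False),  # hypothetical PFD, not credited
    Layer("High pressure/temperature alarms and operator response", 1e-1),
    Layer("SIS in PLC, SIL 3", 1e-3),
    Layer("Pressure relief valve", 1e-2),
])
```

`SAMPLE_ROW.evaluate()` reproduces the 1 × 10^-9/year result with four credited IPLs, and `risk_of_fatality(2e-5, 0.3, 0.5, p_ignition=0.5)` reproduces the 1.5 × 10^-6 of the Section 3.10 example.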
protection layers, giving a required SIL based on the risk (severity and frequency). LOPA avoids the problem of over- or under-estimating the required SIL associated with the consequences-only method.
• LOPA is much less work than Fault Tree Analysis, giving results that are slightly conservative. LOPA can be done after the HAZOP to calculate the needed SIL for most of the SIS functions. A few complex systems may require Fault Tree Analysis.
• LOPA focuses greater risk reduction efforts on Impact Events with high severity and high likelihood. It ensures that all the identified Initiating Causes are considered, and it confirms which Independent Layers of Protection are effective for each Initiating Cause. LOPA can be used to allocate risk reduction resources efficiently, so that one Impact Event is not left with too little protection, while another is overly protected.
• LOPA encourages thinking from a system perspective. Formerly, interlocks were labeled by the sensor, as in `High Reactor Pressure'. LOPA shows the Layers of Protection for different Impact Events stemming from the same Initiating Cause: for example, `catastrophic rupture of the reactor' and `release of reactor contents through the relief valve'.
• LOPA gives clarity in the reasoning process and it documents everything that was considered. While this method uses numbers, judgment and experience are not excluded. In some cases, the team's `gut feel' was uncomfortable with the number calculated, so it went back and reviewed the assumptions for the frequency of the initiating event. The method makes the input from `gut feel' explicit, rather than implicit.
• In addition, LOPA offers a rational basis for managing Layers of Protection that may be taken out of service, e.g. interlock bypass.
• LOPA is more quantitative than the qualitative hazard consequence and likelihood categories often used to estimate risk rankings in a HAZOP, but it is less work than Fault Tree Analysis or Quantitative Risk Analysis.

Acknowledgements

To the CCPS and ISA committees who wrote the Guidelines for Safe Automation of Chemical Processes and the ISA-S84-01, respectively. To Dallas Green, David Patlovany, Rich Sypek, and Mieng Tran, who sharpened my thinking as we wrote internal interlock guidelines. To W. H. Johnson Jr., who gives excellent training in LOPA. To Paul Gruhn, who asks excellent questions.

Disclaimer

Although we believe the information contained in this paper is factual, no warranty or representation, expressed or implied, is made with respect to any or all of the content thereof, and no legal responsibility is assumed therefore. The examples shown are simply for illustration, and as such do not necessarily represent any company's guidelines. The readers should use data, methodology, and guidelines that are appropriate for their situations.

References

[1] Instrument Society of America (ISA), Application of Safety Instrumented Systems to the Process Industries, ANSI/ISA-S84.01-1996. Instrument Society of America, Research Triangle Park, NC, 1996.
[2] D.L. Green, A.M. Dowell III, How to design, verify, and validate emergency shutdown systems, ISA Transactions 34 (3) (1995) 261–272.
[3] Center for Chemical Process Safety (CCPS), Guidelines for Safe Automation of Chemical Processes. American Institute of Chemical Engineers, New York, 1993.
[4] D.L. Green, personal communication, 1993.
[5] F.M. Renshaw, A major accident prevention program, Plant/Operations Progress 9 (3) (1990) 194–197.
[6] C. Fryman, Managing HazOp recommendations using an action classification scheme. AIChE Spring National Meeting, New Orleans, LA, 25–29 February, 1996.
[7] Center for Chemical Process Safety (CCPS), Inherently Safer Chemical Processes: A Life Cycle Approach. American Institute of Chemical Engineers, New York, 1996.