Layer of Protection Analysis - E-Book

Description

Layer of protection analysis (LOPA) is a recently developed, simplified method of risk assessment that provides the much-needed middle ground between a qualitative process hazard analysis and a traditional, expensive quantitative risk analysis. Beginning with an identified accident scenario, LOPA uses simplifying rules to evaluate initiating event frequency, independent layers of protection, and consequences to provide an order-of-magnitude estimate of risk. LOPA has also proven an excellent approach for determining the safety integrity level necessary for an instrumented safety system, an approach endorsed in instrument standards, such as ISA S84 and IEC 61511. Written by industry experts in LOPA, this pioneering book provides all the necessary information to undertake and complete a Layer of Protection Analysis during any stage in a process's life cycle. Loaded with tables, charts, and examples, this book is invaluable to technical experts involved with ensuring the safety of a process. Because of its simplified, quicker risk assessment approach, LOPA is destined to become a widely used technique. Join other major companies and start your LOPA efforts now by purchasing this book.


Page count: 354

Year of publication: 2011




Contents

Cover

Half Title page

Title page

Copyright page

Preface

Acknowledgments

Acronyms and Abbreviations

Chapter 1: Introduction

1.1. Audience

1.2. History of LOPA

1.3. Use of LOPA in the Process Life Cycle

1.4. Linkage to Other CCPS Publications

1.5. Annotated Outline of the LOPA book

Chapter 2: Overview of LOPA

2.1. Purpose

2.2. What Is LOPA?

2.3. What LOPA Does

2.4. When to Use LOPA

2.5. How LOPA Works

2.6. How to Implement LOPA

2.7. Limitations of LOPA

2.8. Benefits of LOPA

2.9. Introduction of Continuing Examples

Chapter 3: Introduction

3.1. Purpose

3.2. Consequences of Interest

3.3. Consequence Evaluation Approaches for LOPA

3.4. Continuing Examples

3.5. Link Forward

Chapter 4: Developing Scenarios

4.1. Purpose

4.2. LOPA Scenarios and Components

4.3. Identifying and Developing Candidate Scenarios

4.4. Continuing Examples

4.5. Link Forward

Chapter 5: Identifying Initiating Event Frequency

5.1. Purpose

5.2. Initiating Events

5.3. Frequency Estimation

5.4. Expression of Failure Rates

5.5. Continuing Examples

5.6. Limitations (Cautions)

5.7. Link Forward

Chapter 6: Identifying Independent Protection Layers

6.1. Purpose

6.2. Definition and Purpose of an IPL

6.3. IPL Rules

6.4. LOPA IPL Assessment

6.5. Examples of IPLs

6.6. Preventive IPLs versus Mitigation IPLs

6.7. Continuing Examples

6.8. Link Forward

Chapter 7: Determining the Frequency of Scenarios

7.1. Purpose

7.2. Quantitative Calculation of Risk and Frequency

7.3. Look-up Table Determination of Risk or Frequency

7.4. Calculation of Risk or Frequency with Integer Logarithms

7.5. Continuing Examples

7.6. Link Forward

Chapter 8: Using LOPA to Make Risk Decisions

8.1. Purpose

8.2. Introduction

8.3. Comparing Calculated Risk to Scenario Risk Tolerance Criteria

8.4. Expert Judgment

8.5. Using Cost-Benefit to Compare Alternatives

8.6. Comparison of Approaches, Pros and Cons

8.7. Cumulative Risk Criteria versus Scenario Criteria

8.8. Continuing Examples

8.9. Cautions

8.10. Link Forward

Chapter 9: Using LOPA to Make Risk Decisions

9.1. Purpose

9.2. Is the Company Ready for LOPA?

9.3. What Is the Current Foundation for Risk Assessment?

9.4. What Data Are Required?

9.5. Will the IPLs Remain in Place?

9.6. How Are the Risk Tolerance Criteria Established?

9.7. When Is LOPA Used?

9.8. Typical Implementation Tasks

Chapter 10: Using LOPA to Make Risk Decisions

10.1. Purpose

10.2. Using LOPA in Capital Improvement Planning

10.3. Using LOPA in Management of Change

10.4. Using LOPA in Mechanical Integrity Programs or Risk-Based Inspection/Risk-Based Maintenance Programs

10.5. Using LOPA in Risk-Based Operator Training

10.6. Using LOPA in Emergency Response Planning

10.7. Using LOPA to Determine a Credible Design Basis for Overpressure Protection

10.8. Using LOPA in Evaluating Facility Siting Risks

10.9. Using LOPA to Evaluate the Need for Emergency Isolation Valves

10.10. Using LOPA to Evaluate Taking a Safety System Out of Service

10.11. Using LOPA during Incident Investigations

10.12. Using LOPA in the Determination of SIL for SIF

Chapter 11: Using LOPA to Make Risk Decisions

11.1. Purpose

11.2. Counting Multiple Functions in One BPCS as IPLs in the Same Scenario

11.3. Summation of Risk for Multiple Scenarios

11.4. Using LOPA to Develop F/N Curves

11.5. Operator Response Issues

11.6. Normal Plant Operations as “Tests” of IPL Components

11.7. Focused Fault Tree/Event Tree Analysis of IPL Components

Appendix A: LOPA Summary Sheets for the Continuing Examples

Appendix B: Worked Examples from CCPS’s Safe Automation Book

B.1. Introduction

B.2. Problem Description

B.3. Problem Discussion

B.4. Design Modifications for Consideration

Appendix C: Documentation for a LOPA Study

C.1. Documentation to be Developed during LOPA

C.2. Uses of LOPA Documentation

Appendix D: Linkage with Other Publications

Appendix E: Industry Risk Tolerance Criteria Data

Appendix F: Appendix F

Appendix G: Additional Reading

G.1. General Risk

G.2. Target Risk

G.3. General Interest

G.4. Instruments and Safety Instrumented Systems (Interlocks) Design

G.5. International Topics

G.6. SIS Design as Part of the PHA Process

G.7. Cost-Benefit Analysis—Solution Prioritization

References

Glossary of Terms

Index

Eula

Layer of Protection Analysis

SIMPLIFIED PROCESS RISK ASSESSMENT

This is one of a series of publications available from the Center for Chemical Process Safety. A complete list of CCPS books is available online: www.aiche.org/ccps

Copyright © 2001 American Institute of Chemical Engineers, 3 Park Avenue, New York, New York 10016-5991

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without the prior permission of the copyright owner.

Library of Congress Cataloging-in-Publication Data CIP Data applied for.

ISBN 0-8169-0811-7

It is sincerely hoped that the information presented in this volume will lead to an even more impressive safety record for the entire industry. However, the American Institute of Chemical Engineers, its consultants, CCPS Subcommittee members, their employers, and their employers’ officers and directors disclaim making or giving any warranties or representations, express or implied, including with respect to fitness, intended purpose, use or merchantability, and/or correctness or accuracy of the content of the information presented in this document. As between (1) American Institute of Chemical Engineers, its consultants, CCPS Subcommittee members, their employers, and their employers’ officers and directors and (2) the user of this document, the user accepts any legal liability or responsibility whatsoever for the consequences of its use or misuse.

Preface

For over 40 years the American Institute of Chemical Engineers (AIChE) has been involved with process safety and loss control in the chemical, petrochemical, hydrocarbon process and related industries and facilities. The AIChE publications are information resources for the chemical engineering and other professions on the causes of process incidents and the means of preventing their occurrences and mitigating their consequences.

The Center for Chemical Process Safety (CCPS), a Directorate of the AIChE, was established in 1985 to develop and disseminate information for use in promoting the safe operation of chemical processes and facilities and the prevention of chemical process incidents. With the support and direction of its advisory and management boards, CCPS established a multifaceted program to address the need for process safety technology and management systems to reduce potential exposures to the public, the environment, personnel and facilities. This program entails the development, publication and dissemination of Guidelines relating to specific areas of process safety; organizing, convening and conducting seminars, symposia, training programs, and meetings on process safety-related matters; and cooperating with other organizations and institutions, internationally and domestically, to promote process safety. Within the past several years CCPS extended its publication program to include a “Concept Series” of books. These books are focused on more specific topics than the longer, more comprehensive Guidelines series and are intended to complement them. With the issuance of this book, CCPS has published 65 books.

CCPS activities are supported by the funding and technical expertise of over 80 corporations. Several government agencies and nonprofit and academic institutions participate in CCPS endeavors.

In 1989 CCPS published the landmark Guidelines for the Technical Management of Chemical Process Safety. This book presents a model for process safety management built on twelve distinct, essential, and interrelated elements. The foreword to that book states:

For the first time all the essential elements and components of a model of a technical management program have been assembled in one document. We believe the Guidelines provide the umbrella under which all other CCPS Technical Guidelines will be promulgated.

This Concept Series book supports several of the twelve elements of process safety enunciated in the landmark Guidelines for the Technical Management of Chemical Process Safety including Process Risk Management, Incident Investigation, Process Knowledge and Documentation, and Enhancement of Process Safety Knowledge. The purpose of this book is to assist designers and operators of chemical facilities to use Layer of Protection Analysis (LOPA) to evaluate risk and to make rational decisions to manage risk with a simplified methodology.

Acknowledgments

The American Institute of Chemical Engineers and the Center for Chemical Process Safety express their gratitude to all the members of the Layer of Protection Analysis Subcommittee for their generous efforts and technical contributions in the preparation of this Concept Series book.

Layer of Protection Analysis: Simplified Process Risk Assessment was written by the Center for Chemical Process Safety Layer of Protection Analysis Subcommittee.

Chair:

Arthur M. Dowell, III, P.E. Rohm and Haas Company

The primary authors were

William G. Bridges ABS Consulting (includes former JBF Associates)

Arthur M. Dowell, III, P.E. Rohm and Haas Company

Martin Gollin Consultant, formerly of ARCO Chemical

Warren A. Greenfield International Specialty Products

John M. Poulson now retired from Union Carbide Corporation

William Turetsky International Specialty Products

Providing support and valuable contributions throughout the project were

John T. Marshall The Dow Chemical Company

Stanley A. Urbanik E. I. Du Pont de Nemours and Company

Providing important guidance in the conceptual phases of the book were

Rodger M. Ewbank Rhodia Inc.

Robert J. Gardner now retired from E. I. Du Pont de Nemours and Company

Kumar Bhimavarapu Factory Mutual Research

John A. McIntosh The Procter & Gamble Company

R. Peter Stickles A. D. Little

Arthur W. Woltman Equilon Enterprises LLC, formerly Shell

CCPS Staff Consultant

Robert E. Bollinger Center for Chemical Process Safety

Editor

Dr. Daniel A. Crowl Michigan Technological University

The Subcommittee acknowledges the support and contributions of their employer organizations in completing this book. Dr. Jack Weaver and Mr. Les Wittenberg of CCPS sponsored and supported this project and provided access to the resources of CCPS and its sponsoring organizations. The authors thank the following for their contributions in creation of figures and tables, setting up committee meetings and teleconferences and other administrative functions that were essential to the completion of this book: Ms. Jill Johnson and Mr. Paul M. Olsen, ABS Consulting; Ms. Sandy Baswell, Ms. Marge Killmeier, Ms. Angella Lewis and Ms. Jackie Rico’t, Rohm and Haas Company.

Before publication, all CCPS books are subjected to a thorough peer review process. CCPS also gratefully acknowledges the thoughtful comments and suggestions of the peer reviewers. Their work enhanced the accuracy and clarity of the book.

Steve Arendt ABS Consulting (includes former JBF Associates)

Helmut Bezecny Dow Deutschland Inc.

Alfred W. Bickum Goodyear Tire and Rubber Company

Dennis Blowers, C.S.P. Solvay Polymers, Inc.

Michael P. Broadribb BP Amoco Company

David Campbell Concord Associates

Bill Carter CCPS Staff Consultant

Curtis Clements E. I. Du Pont de Nemours and Company

Kimberly F. Dejmek Wilfred Baker Engineering

Richard R. Dunn E. I. Du Pont de Nemours and Company

Jim Evans Union Carbide Corporation

Rodger M. Ewbank Rhodia Inc.

Dave Fontaine Chevron Corporation

Raymond A. Freeman ABS Consulting

Raymond W. French Exxon Mobil Corporation

Dallas L. Green Rohm and Haas Company

Dennis C. Hendershot Rohm and Haas Company

William H. Johnson E. I. Du Pont de Nemours and Company

Peter N. Lodal, P.E. Eastman Chemical Company

Donald M. Lorenzo ABS Consulting (includes former JBF Associates)

Vic Maggioli Feltronics Corporation

Rick Mann Union Carbide Corporation

Peter McGrath Olin Corporation

Norman McLeod ATOFINA Chemicals, Inc.

Steve Metzler Primatech Inc.

Dr. Hans Pasman TNO

Jack Philley, C.S.P. Det Norske Veritas (DNV)

Michael E. G. Schmidt, P.E. Industrial Risk Insurers

Art Schwartz Bayer Corporation

Adrian Sepeda Occidental Chemical Corporation

Bastiaan Schupp Delft University of Technology

Robert Stankovich Eli Lilly and Company

Peter Stickles A. D. Little

Dr. Angela E. Summers, P.E. SIS-Tech Solutions, LLC

Clark Thurston Union Carbide Corporation

Anthony Torres Eastman Kodak

Jan Windhorst NOVA Chemicals

Acronyms and Abbreviations

AIChE: American Institute of Chemical Engineers
ALARP: As Low as Reasonably Practicable
ANSI: American National Standards Institute
API: American Petroleum Institute
ASME: American Society of Mechanical Engineers
BI: Business Interruption
BLEVE: Boiling Liquid Expanding Vapor Explosion
B.P.: Boiling Point
BPCS: Basic Process Control System
C: Consequence factor, related to magnitude of severity
CCF: Common Cause Failure
CCPS: Center for Chemical Process Safety, American Institute of Chemical Engineers
CEI: Dow Chemical Exposure Index
CPQRA: Chemical Process Quantitative Risk Assessment
CW: Cooling Water
D: Number of times a component or system is challenged (hr⁻¹ or year⁻¹)
DCS: Distributed Control System
DIERS: Design Institute for Emergency Relief Systems, American Institute of Chemical Engineers
DOT: Department of Transportation
EBV: Emergency Block Valve
ERPG: Emergency Response Planning Guideline
EuReData: European Reliability Data (series of conferences)
F: Failure Rate (hr⁻¹ or year⁻¹)
f: Frequency (hr⁻¹ or year⁻¹)
F&EI: Dow Fire and Explosion Index
F/N: Fatality Frequency versus Cumulative Number
FCE: Final Control Element
FMEA: Failure Modes and Effect Analysis
FTA: Fault Tree Analysis
HAZOP: Hazard and Operability Study
HE: Hazard Evaluation
HRA: Human Reliability Analysis
IEC: International Electrotechnical Commission
IEEE: Institute of Electrical and Electronic Engineers
IPL: Independent Protection Layer
ISA: The Instrumentation, Systems, and Automation Society (formerly, Instrument Society of America)
LAH: Level Alarm—High
LI: Level Indicator
LIC: Level Indicator — Control
LFL: Lower Flammability Limit
LNG: Liquefied Natural Gas
LOPA: Layer of Protection Analysis
LOTO: Lock-Out Tag-Out
LT: Level Transmitter
MAWP: Maximum Allowable Working Pressure
MOC: Management of Change
N2: Nitrogen
OSBL: Outside Battery Limits
OREDA: The Offshore Reliability Data project
OSHA: Occupational Safety and Health Administration (U.S.)
P_fatality: Probability of Fatality
P_ignition: Probability of Ignition
P_person present: Probability of Person Present
P: Probability
P&ID: Piping and Instrumentation Diagram
PFD: Probability of Failure on Demand
PHA: Process Hazard Analysis
PI: Pressure Indicator
PL: Protection Layer
PM: Preventive Maintenance
PSM: Process Safety Management
PSV: Pressure Safety Valve (Relief Valve)
R: Risk
RV: Relief Valve
SCE: Safety Critical Equipment
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System
T: Test Interval for the Component or System (hours or years)
VCE: Vapor Cloud Explosion
VLE: Vapor Liquid Equilibrium
XV: Remote Activated/Controlled Valve

Chapter 1

Introduction

Layer of protection analysis (LOPA) is a semiquantitative tool for analyzing and assessing risk. This book

- describes the LOPA process,
- discusses the strengths and limitations of LOPA,
- describes the requirements for implementing LOPA in an organization, and
- provides worked examples that show how several different companies have applied LOPA.

This chapter

- identifies the audience for this book,
- provides the history of LOPA,
- shows the use of LOPA in the process life cycle,
- discusses the linkage to other publications, and
- provides an annotated outline for the book.

1.1. Audience

This book is intended for:

- Executives who are considering expanding their corporate strategy for managing risk by adding LOPA to their existing risk analysis process. For the executive audience, the following chapters are recommended. Chapter 2 summarizes the LOPA method and its benefits. Chapter 9 discusses the questions that an organization must answer when deciding whether to use LOPA and the required steps to implement the process effectively. Chapter 10 describes other processes (such as management of change, identification of safety critical equipment, etc.) which can be enhanced by LOPA. The appendices contain summary forms and worked examples that demonstrate the LOPA product.
- Safety specialists who are familiar with existing methods (such as HAZOP, fault tree analysis, event tree analysis, etc.) or who may already have some experience with LOPA (analysts, participants, reviewers, auditors, etc.). For this audience, Chapters 3 through 8 discuss the steps of the LOPA process in detail, with several continuing examples used to demonstrate the method. The appendices contain additional worked examples and other supporting documentation.
- Process and process control engineers, chemists, operations and maintenance personnel, and others who may participate in LOPA reviews or who may be affected by LOPA recommendations. This includes those who implement the recommendations and those who receive the outcomes from LOPA. Chapters 1, 2, and 6 may be helpful for this audience.
- Persons around the world who are responsible for compliance with process safety regulations — including the US Process Safety Management rule (OSHA, 1992), Seveso II Regulations in EU member countries — and related standards — including ISA S84.01 (ISA, 1996), IEC 61508 (IEC, 1998) and IEC 61511 (IEC, 2001).

1.2. History of LOPA

In a typical chemical process, various protection layers are in place to lower the frequency of undesired consequences: the process design (including inherently safer concepts); the basic process control system; safety instrumented systems; passive devices (such as dikes and blast walls); active devices (such as relief valves); human intervention; etc. There has been much discussion among project teams, hazard analysts, and management about the number of and strength of protection layers (see text box below). Decisions were sometimes made using subjective arguments, emotional appeals, and occasionally simply by the loudness or persistence of an individual.

LOPA has its origins in the desire to answer these key questions using a rational, objective, risk-based approach. In LOPA, the individual protection layers proposed or provided are analyzed for their effectiveness. The combined effects of the protection layers are then compared against risk tolerance criteria. Characteristics of the answers provided by LOPA are listed in the text box above.

KEY QUESTIONS FOR PROTECTION LAYERS

- How safe is safe enough?
- How many protection layers are needed?
- How much risk reduction should each layer provide?

LOPA answers the key questions about the number and strength of protection layers by

- providing rational, semiquantitative, risk-based answers,
- reducing emotionalism,
- providing clarity and consistency,
- documenting the basis of the decision,
- facilitating understanding among plant personnel.

The genesis of this method was suggested in two publications:

1. In the late 1980s, the then Chemical Manufacturers Association published the Responsible Care® Process Safety Code of Management Practices which included “sufficient layers of protection” as one of the recommended components of an effective process safety management system (American Chemistry Council, 2000). The Chemical Manufacturers Association is now the American Chemistry Council.

2. In 1993, CCPS published its Guidelines for Safe Automation of Chemical Processes (CCPS, 1993b). Although it was called the risk-based SIS integrity level method, LOPA was suggested as one method to determine the integrity level for safety instrumented functions (SIFs). (See Table 7.4 in Safe Automation; CCPS, 1993b.) “Interlock” is an older, imprecise term for SIF. The method used was not as fully developed as the LOPA technique described in this book. However, it did indicate a path forward, which was pursued by several companies independently. The reasons for this effort included the desire to

- classify SIF to determine the appropriate safety integrity level (SIL) (this was the starting point for some companies),
- develop a screening tool to reduce the number of scenarios requiring a full (chemical process) quantitative risk assessment (CPQRA),
- develop a tool that would identify “safety critical” equipment and systems to focus limited resources,
- develop a semiquantitative tool to make consistent risk based judgments within an organization,
- harmonize terminology and methodology with recently developed and developing international process sector standards, and
- facilitate communication (e.g., SIS, SIF, SIL, IPL) between the hazard and risk analysis community and the process control community (e.g., integrators, manufacturers, instrument and electrical engineers, plant personnel).

The initial development of LOPA was done internally within individual companies, in some cases focusing on existing processes, e.g., converting a control system to DCS. However, once a method had been developed and refined, several companies published papers describing the driving forces behind their efforts to develop the method, their experience with LOPA, and examples of its use (Dowell, 1997; 1998; 1999a; 1999b; Bridges and Williams, 1997; Fuller and Marszal, 1999; Lorenzo and Bridges, 1997; Ewbank and York, 1997; Huff and Montgomery, 1997). In particular, the papers and discussion among the attendees at the CCPS International Conference and Workshop on Risk Analysis in Process Safety in Atlanta in October 1997 brought agreement that a book describing the LOPA method should be developed.

In parallel with these efforts, discussions took place on the requirements for the design of safety instrumented functions (SIF) to provide the required PFDs (probability of failure on demand). United States (ISA S84.01, (ISA, 1996)) and international standards (IEC 61508, (IEC, 1998) and IEC 61511, (IEC, 2001)) described the architecture and design features of SIFs. Informative sections of the ISA and IEC standards suggested methods to determine the required SIL (safety integrity level), but LOPA was not mentioned until the draft of IEC 61511, Part 3 appeared in late 1999. These issues were summarized in the CCPS workshop on the application of ISA S84.01 (CCPS, 2000c).

In response to all this activity, CCPS assembled in 1998 a team from A. D. Little, ARCO Chemical, Dow Chemical, DuPont, Factory Mutual, ABS Consulting (includes former JBF Associates), International Specialty Products, Procter and Gamble (P&G), Rhodia, Rohm and Haas, Shell (Equilon), and Union Carbide to tabulate and present industry practice for LOPA in this book.

This book extends the method outlined in Safe Automation of Chemical Processes (CCPS, 1993b) by

- developing concepts and definitions for use throughout industry,
- showing how numerical risk tolerance criteria have been developed by different companies,
- defining the requirements for a safeguard to be considered an independent protection layer (IPL),
- demonstrating how LOPA can be used for purposes other than the classification of SIF systems, and
- recommending documentation procedures to ensure consistency of application within an organization.

While the LOPA methods used by various companies differ, they share the following common features:

- a consequence classification method that can be applied throughout the organization;
- numerical risk tolerance criteria. Individual companies use different criteria which include:
  - frequency of fatalities,
  - frequency of fires,
  - required number of independent protection layers (IPLs), and
  - maximum frequency for specified categories of consequence based on release size and characteristics or lost production;
- a method for developing scenarios;
- specific rules for considering safeguards as IPLs;
- specified default data for initiating event frequencies and values for IPLs;
- a specified procedure for performing the required calculations; and
- a specified procedure for determining whether the risk associated with a scenario meets the risk tolerance criteria for an organization and, if it does not, how this is resolved and documented.

1.3. Use of LOPA in the Process Life Cycle

LOPA can be effectively used at any point in the life cycle of a process or a facility (see Figure 1.1), but it is most frequently used during:

- the design stage when the process flow diagram and the P&IDs are essentially complete. LOPA is used to examine scenarios, often generated by other process hazard analysis (PHA) tools, such as HAZOP, what-if, checklist, etc.; as part of the SIF design; or as part of a design study on a system to classify the various process alternatives and to select the best method;
- modifications to an existing process or its control or safety systems (i.e., management of change).

FIGURE 1.1. The process life cycle showing where LOPA is typically used (after Inherently Safer Chemical Processes: A Life Cycle Approach, CCPS 1996b)

However, LOPA can also be used in all phases of the process life cycle:

- LOPA can be used during the initial conceptual process design to examine basic design alternatives and provide guidance to select a design that has lower initiating event frequencies, or a lower consequence, or for which the number and type of IPLs are “better” than alternatives. Ideally, LOPA could be used to design a process that is “inherently safer” by providing an objective method to compare alternative designs quickly and quantifiably.
- LOPA can be used during the regular cycle of process hazard analyses (PHAs) performed on a process. Experience with LOPA at several companies has shown that its scenario-focused methodology can reveal additional safety issues in fully mature processes that have previously undergone numerous PHAs. In addition, its objective risk criteria have proven effective in resolving disagreements on PHA findings.
- LOPA can readily determine if the risk is tolerable for a process. If an SIF is required, LOPA can determine the required SIL. LOPA can examine alternatives to a SIF (modifying the process, adding other IPLs, etc.). Note that IEC 61508 (IEC, 1998) and IEC 61511 (IEC, 2001) define a safety system life cycle that covers all the activities associated with safety instrumented functions. LOPA can be a valuable tool in that safety system life cycle.
- LOPA can be used to identify equipment that, as part of an IPL, is relied upon to maintain the process within the tolerable risk criteria of an organization. Such equipment may be denoted as “safety critical” (ISA S91.01, 1995) and is subjected to specified testing, inspection and maintenance. At least one company has found that LOPA has significantly decreased the number of safety critical equipment items. (The amount of safety critical equipment had erroneously grown over time by adding equipment on a qualitative “better safe than sorry” basis.)
- LOPA can be used to identify operator actions and responses that are critical to the safety of the process. This will allow focused training and testing to be performed during the life of the process and for the operating manuals to reflect the importance of a limited number of process variables, alarms and actions.

LOPA can also be used for other risk assessment studies within an organization, including transportation studies (road, rail, pipeline), terminal operations, toll conversion operations, auditing of third parties, loss prevention and insurance issues, etc.

In some companies LOPA is now used for a wide variety of purposes beyond the initial use for which it was developed (see Chapter 10).

1.4. Linkage to Other CCPS Publications

CCPS has published many books dealing with process safety issues in the chemical industry. LOPA depends on techniques described in the following CCPS books. Connections with other publications are cited in Appendix D.

A key input to LOPA is scenarios obtained from hazard identification. Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples (CCPS, 1992a) describes methods used to identify and assess the significance of hazardous situations found in process operations or activities involving hazardous chemicals. Generally, LOPA uses scenarios developed by hazard identification methods — usually qualitative (HAZOP, what-if, etc.). However, companies have found that LOPA will often uncover scenarios overlooked by other methods because of the rigor in applying the concept of IPLs to the scenario. LOPA should be considered an extension to the Guidelines for Hazard Evaluation book as it provides a consistent, objective, semiquantitative method for addressing the issues covered.

LOPA is a semiquantitative approach. It can be viewed as a simplification of the quantitative risk analysis methods described in Guidelines for Chemical Process Quantitative Risk Analysis (CCPS, 1989a) and the Second Edition (CCPS, 2000a). CCPS (2000a) builds upon the information contained in CCPS (1989a) to demonstrate how to make quantitative risk estimates for the hazards identified by the techniques described in the Guidelines for Hazard Evaluation book. LOPA adds simplifying assumptions concerning the numerical values for the components of the scenario (initiating event frequency, enabling event/condition, number of IPLs, numerical value for an IPL) and in the calculation techniques employed. The simplifications are intended to be conservative so that, if a study were to be performed using a full quantitative analysis (event tree, fault tree, etc.), the results would show less risk associated with the scenario when compared to the results of a LOPA analysis. In order to ensure this, an analyst must understand the issues involved in performing a full quantitative risk analysis and what issues are important. Chapter 11 describes situations where a focused quantitative study can be performed on one component of a LOPA scenario to provide useful additional confidence in the numerical values used.

Evaluating Process Safety in the Chemical Industry: A User’s Guide to Quantitative Risk Analysis (CCPS, 2000b) is a brief and relatively inexpensive introduction to the concepts of CPQRA. These concepts also apply for using LOPA.

The LOPA book is a direct extension to concepts briefly described in Guidelines for Safe Automation of Chemical Processes (CCPS, 1993b). The LOPA book shows how to determine the required safety integrity level (in terms of the probability of failure on demand or PFD) of safety instrumented functions (SIF) that may be implemented in a safety instrumented system (SIS).

LOPA is an alternative method to the techniques described in Tools for Making Acute Risk Decisions with Chemical Process Safety Applications (CCPS, 1995c). CCPS (1995c) discusses methods used for decision making where risks have been assessed. In addition to chemical process risk, other factors, including financial cost, corporate image, employment of workers, etc., may be involved in a decision. The Making Acute Risk Decisions book (CCPS, 1995c) provides a collection of decision aids to assist a company in making a decision. LOPA should be considered an alternate method for making such decisions as it employs objective, quantified risk tolerance criteria. Some of the more qualitative factors (company image, morale, etc.) cannot be directly included, but that is the case for all other objective methodologies. Some LOPA risk tolerance criteria include a range where a cost-benefit study—or another type of judgment—is required to assist in making the decision on whether a risk should be tolerated or mitigated. Analysts using LOPA should be familiar with the techniques in the Making Acute Risk Decisions book (CCPS, 1995c).

More detailed links to other CCPS books and other publications are shown in Appendices D and E.

1.5. Annotated Outline of the LOPA book

Chapter 1 (this chapter) is an Introduction to the book.

Chapter 2 (Overview of LOPA) provides an outline of the LOPA process, discusses concepts and definitions unique to LOPA, and introduces the continuing examples used throughout the book.

Chapter 3 (Estimating Consequences and Severity) describes the concept of consequence, and its definition, in the LOPA process and provides examples of consequence categories used by some companies.

Chapter 4 (Developing Scenarios) discusses the concept of a scenario as used in LOPA, including the components that comprise a scenario. A format for presenting the results of LOPA studies is presented.

Chapter 5 (Identifying Initiating Event Frequency) discusses various initiating and enabling events and summarizes typical frequency data. The importance of using consistent initiating event frequencies for LOPA studies within an organization is emphasized.

Chapter 6 (Identifying Independent Protection Layers) discusses independent protection layers (IPLs). The requirements for a device, system, or action to be considered an IPL are defined and the concept of the probability of failure on demand (PFD) for an IPL is presented and discussed. Examples of active, passive and human IPLs are given together with typical ranges of PFD.

Chapter 7 (Determining the Frequency of Scenarios) presents the calculations for the continuing example problems using several methods. These show how different organizations would combine the individual components of a scenario to calculate the frequency of the consequence type specific to their method.

Chapter 8 (Using LOPA to Make Risk Decisions) discusses how the results of calculations are used to make decisions on whether the frequency of the consequence for a given scenario meets the risk tolerance criteria for a particular organization. Methods from various companies are used to demonstrate the concepts.

Chapter 9 (Implementing LOPA) discusses the implementation of LOPA within an organization. Reference materials, standards, and procedures, together with personnel expertise and training issues, are discussed.

Chapter 10 (Using LOPA for Other Applications) discusses other uses, apart from risk assessment, for which LOPA may be considered.

Chapter 11 (Advanced LOPA Techniques) discusses advanced LOPA topics. Situations where some of the inherently conservative assumptions made in LOPA may be modified are reviewed. The use of LOPA for other risk assessment applications is discussed.

Appendix A (LOPA Summary Sheets for the Continuing Examples) contains the complete LOPA sheets for all of the scenarios in the continuing examples using all of the methodologies discussed in the book.

Appendix B (Worked Examples from CCPS’s Safe Automation Book) provides an analysis of the problem discussed in Chapter 7 of CCPS (1993b). Important issues regarding the application of the rules for an IPL are discussed.

Appendix C (Documentation for a LOPA Study) summarizes the minimum documentation requirements for a LOPA study and discusses why such information is required, the appropriate level of detail, and other uses of the documentation.

Appendix D (Linkage with Other Publications) discusses other publications. Included are the use of LOPA to address regulatory or other process safety issues, and how other publications can assist in the implementation of LOPA.

Appendix E (Industry Risk Tolerance Criteria Data) lists typical data related to risk tolerance criteria.

Appendix F (High Initiating Event Frequency Scenarios) describes LOPA calculations when the initiating event frequency is high compared to the test frequency of the independent protection layer.

Appendix G (Additional Reading) is a list of other books and articles that may be of interest to the reader.

Chapter 2

Overview of LOPA

2.1. Purpose

The purpose of this chapter is to introduce layer of protection analysis (LOPA) by describing what LOPA is, what it does, when it is used, how it works, and how it is implemented. The limitations and benefits of LOPA are also discussed. This chapter also introduces two example problems used throughout the book to illustrate each step in the LOPA process.

2.2. What Is LOPA?

LOPA is a simplified form of risk assessment. LOPA typically uses order of magnitude categories for initiating event frequency, consequence severity, and the likelihood of failure of independent protection layers (IPLs) to approximate the risk of a scenario. LOPA is an analysis tool that typically builds on the information developed during a qualitative hazard evaluation, such as a process hazard analysis (PHA). LOPA is implemented using a set of rules.

Like many other hazard analysis methods, the primary purpose of LOPA is to determine if there are sufficient layers of protection against an accident scenario (can the risk be tolerated?). As illustrated in Figure 2.1, many types of protective layers are possible. A scenario may require one or many protection layers depending on the process complexity and potential severity of a consequence. Note that for a given scenario, only one layer must work successfully for the consequence to be prevented. However, since no layer is perfectly effective, sufficient protection layers must be provided to render the risk of the accident tolerable.

FIGURE 2.1. Layers of defense against a possible accident.

LOPA provides a consistent basis for judging whether there are sufficient IPLs to control the risk of an accident for a given scenario. If the estimated risk of a scenario is not acceptable, additional IPLs may be added. Alternatives encompassing inherently safer design can be evaluated as well. LOPA does not suggest which IPLs to add or which design to choose, but it assists in judging between alternatives for risk mitigation. LOPA is not a fully quantitative risk assessment approach, but is rather a simplified method for assessing the value of protection layers for a well-defined accident scenario.

2.3. What LOPA Does

LOPA provides a risk analyst with a method to reproducibly evaluate the risk of selected accident scenarios. A scenario is typically identified during a qualitative hazard evaluation (HE), such as a PHA, management of change evaluation, or design review. LOPA is applied after an unacceptable consequence, and a credible cause for it, is selected. It then provides an order of magnitude approximation of the risk of a scenario.

LOPA is limited to evaluating a single cause-consequence pair as a scenario.

Once a cause–consequence pair is selected for analysis, the analyst can use LOPA to determine which engineering and administrative controls (often called safeguards) meet the definition of IPLs, and then estimate the as-is risk of the scenario. The results can then be extended to make risk judgments and to help the analyst decide how much additional risk reduction may be required to reach a tolerable risk level. Other scenarios or other issues may be revealed while performing LOPA on a scenario.

Another way to understand LOPA is to view it relative to quantitative risk assessment (CPQRA). In this context, a LOPA scenario represents one path (typically we choose the path to the worst consequence) through an event tree. Figure 2.2 shows an event tree for a given initiating event. An event tree shows all the possible outcomes (consequences) of an initiating event. A comprehensive treatment of the use of event trees and other quantitative risk assessment methods is provided by the CCPS CPQRA books Guidelines for Chemical Process Quantitative Risk Analysis and Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition (CCPS, 1989a, 2000a) and Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples (CCPS, 1992a). For LOPA, the analyst (or team) must limit each analysis to a single consequence, paired to a single cause (initiating event). In many applications of LOPA, the goal of the analyst is to identify all cause–consequence pairs that can exceed the organization’s tolerance for risk. In others, the analyst chooses the cause–consequence pair that likely represents the highest risk scenario from many scenarios that may be similar to the one chosen. The approach taken depends upon the analyst’s experience with LOPA and with the process under consideration; this is not always straightforward.

FIGURE 2.2. Comparison of LOPA and event tree analysis.
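The relationship between an event tree and a single LOPA scenario described above, as an added example that is not taken from the book: it enumerates every branch of a small event tree and then evaluates only the all-layers-fail path using the usual LOPA product of initiating event frequency and IPL PFDs. The layer names, frequencies, PFDs, and the tolerance criterion are constructed values chosen for illustration.

```python
from math import isclose, prod

# Constructed scenario: names and values are illustrative, not from the book.
IE_FREQ = 1e-1                      # initiating event frequency, per year
IPLS = [                            # (layer, probability of failure on demand)
    ("operator response to alarm", 1e-1),
    ("safety instrumented function", 1e-2),
    ("relief valve", 1e-2),
]
TOLERABLE_FREQ = 1e-7               # assumed risk tolerance criterion, per year


def event_tree(ie_freq, ipls):
    """Enumerate every outcome of the tree as (description, frequency/yr).

    Layers are challenged in order and the first one that works ends the
    sequence, so n layers give n + 1 outcomes.
    """
    outcomes = []
    reach = ie_freq                 # frequency with which this layer is challenged
    for name, pfd in ipls:
        outcomes.append((f"stopped by {name}", reach * (1.0 - pfd)))
        reach *= pfd                # layer failed on demand, continue down the tree
    outcomes.append(("all layers fail, consequence occurs", reach))
    return outcomes


def lopa_frequency(ie_freq, ipls):
    """LOPA follows only the all-layers-fail path: f_IE times every PFD."""
    return ie_freq * prod(pfd for _, pfd in ipls)


def required_extra_pfd(scenario_freq, tolerable_freq):
    """PFD one further IPL would need; 1.0 means no extra layer is needed."""
    return min(1.0, tolerable_freq / scenario_freq)


if __name__ == "__main__":
    tree = event_tree(IE_FREQ, IPLS)
    for description, freq in tree:
        print(f"{freq:9.2e}/yr  {description}")
    # Branch frequencies of a complete tree add back up to the initiating event.
    assert isclose(sum(f for _, f in tree), IE_FREQ)
    f_lopa = lopa_frequency(IE_FREQ, IPLS)
    assert isclose(f_lopa, tree[-1][1])
    print(f"LOPA scenario frequency: {f_lopa:.1e}/yr")
    print(f"extra PFD needed: {required_extra_pfd(f_lopa, TOLERABLE_FREQ):.1e}")
```

With these values the LOPA path is the last branch of the tree, and the gap to the assumed criterion is one order of magnitude, which is the PFD a further IPL would have to provide.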

In practice, the analyst who will apply LOPA will not have the benefit of picking a scenario from a fully developed event tree. Instead, LOPA typically begins with scenarios identified by a qualitative hazard review team. As mentioned earlier, LOPA is a method that falls between qualitative and quantitative methods and is applied when the analyst decides it is the best tool for judging risk. The goal is to choose scenarios that the analyst believes represent the most significant risk scenarios, as described in the next section.

2.4. When to Use LOPA

LOPA is typically applied after a qualitative hazard evaluation (e.g., PHA) using the scenarios identified by the qualitative hazard review team. However, “typically” means just that—LOPA can also be used to analyze scenarios that originate from any source, including design option analysis and incident investigations. LOPA can also be applied when a hazard evaluation team (or other entity)

• believes a scenario is too complex for the team to make a reasonable risk judgment using purely qualitative judgment, or
• the consequences are too severe to rely solely on qualitative risk judgment.

The hazard evaluation team may judge the “scenario as too complex” if they

• do not understand the initiating event well enough,
• do not understand the sequence of events well enough, or
• do not understand whether safeguards are truly IPLs.

LOPA can also be used as a screening tool prior to a more rigorous quantitative risk assessment (CPQRA) method. When used as a screening tool, each scenario above a specified consequence or risk level will first go through LOPA analysis, and then certain scenarios will be targeted for a higher level of risk assessment. The decision to proceed to CPQRA is typically based on the risk level determined by LOPA or based on the opinion of the LOPA analyst (i.e., the scenario is too critical or complex to rely on LOPA for risk assessment).

Figure 2.3 depicts the spectrum of risk assessment tools: from purely qualitative to rigorous application of quantitative methods. At the far left are qualitative tools; these are typically used to identify scenarios and qualitatively judge if the risk is tolerable. In the middle are semi-quantitative tools (or simplified quantitative tools); these include LOPA and are used to provide an order-of-magnitude estimate of risk. Finally, at the far right are quantitative tools; these allow analysis of more complex scenarios and provide risk estimates for comparison and risk judgment. The percentages shown in Figure 2.3 are for illustration purposes only. Typically all scenarios are identified and evaluated qualitatively, and some that are too onerous or complex proceed to semiquantitative risk assessment, and a few scenarios may need more rigorous evaluation than is possible with LOPA. Thus, LOPA can be applied to evaluate scenarios that are too complex or consequential for only qualitative review and LOPA can screen which scenarios need more quantitative scrutiny (which need to go beyond LOPA to CPQRA).

FIGURE 2.3. Spectrum of tools for risk-based decision making.

Later chapters provide examples of how companies have incorporated LOPA into their risk assessment approaches. In general, the writers believe that if the analyst or team can make a reasonable risk decision using only qualitative methods, then LOPA may be overkill. However, LOPA can be much more efficient than qualitative methods for judging the sufficiency of IPLs; in a qualitative hazard review these decisions can quickly digress into shouting matches. LOPA should not be used as a replacement for quantitative analysis. If complex human behavior models or equipment failure models are required to understand the risk of a scenario, then quantitative analysis is more appropriate.

2.5. How LOPA Works

Like all analytical methods, LOPA has rules that are provided in this book. Like other methods, LOPA can be divided into steps. The LOPA steps are outlined in Figure 2.4 and summarized below. Figure 2.4 also identifies the relevant chapter for each step. The steps below refer to Figures 2.5 through 2.11 and show how the results are selected from the figures. These figures are discussed in detail in later chapters.

FIGURE 2.4. How LOPA works.

Step 1: Identify the consequence to screen the scenarios. Since LOPA typically evaluates scenarios that have been developed in a prior study, a first step by the LOPA analyst(s) is to screen these scenarios, and the most common screening method is based on consequence. The consequence is typically identified during a qualitative hazard review (such as a HAZOP study) (see Figure 2.5). Next the analyst evaluates the consequence (including the impact) and estimates its magnitude. Some companies stop at the magnitude of a release (of material or energy), which implies, but does not explicitly state, the impact to people, the environment, and the production system (see Figure 2.6). Other companies will model the release (see Figure 2.7) and more explicitly estimate the risk to people, the environment, and production by accounting for the likelihood of harm resulting from a specific scenario, for instance by also accounting for the probability of operators being in harm’s way during a release scenario. Chapter 3 describes the methods used for consequence estimation within LOPA.

FIGURE 2.5. Choosing the scenario.

FIGURE 2.6. Determining the consequence and its severity.

FIGURE 2.7. Mathematical modeling of consequence.

Step 2: Select an accident scenario. LOPA is applied to one scenario at a time. The scenario can come from other analyses (such as qualitative analyses), but the scenario describes a single cause-consequence pair (see Figure 2.5). Chapter 4 provides rules and examples for identifying scenarios.

Step 3