A LOPA (Layers of Protection Analysis) is a semi-quantitative (order of magnitude) study to be performed with an inherently conservative approach. However, input data and results are presented with point values with hidden uncertainties and conservativeness. To better reflect these issues in the LOPA studies, this article suggests applying statistical distributions to the input data. The idea is to get a better understanding of the factors influencing the outcome of the LOPA, rather than reduce the inherent conservativeness, and hence facilitate the selection of scenarios that should be further reviewed in more detailed quantitative studies, such as FTA.
Layers of Protection Analysis (LOPA) is a well-known analytical method for assessing the ability of existing safeguards to reduce the risk of hazardous events to an acceptable level. It is an order of magnitude method, where the consequence of a hazardous event is defined with an acceptable frequency based on the severity of the event. The frequency of the initiating causes for the event, as well as the probability that existing safeguards will fail to prevent or mitigate the event, is then assessed to ensure that there are sufficient protection layers in place to bring the frequency of the hazardous event below the acceptance criteria.
LOPA was originally intended to look at single cause-consequence pairs. However, recent practice, especially when using the method to allocate Safety Integrity Levels (SIL) to Safety Instrumented Functions (SIF), has been to include multiple initiating causes in one single LOPA scenario, when they have the same consequence and are protected against by the SIF in question. This increases the need to better understand the inherent conservativeness and uncertainty in the input data. The example used later in this article will hence use this approach.
LOPA is a methodology based on the order of magnitude, and given the conservative rules applied to safeguards, it is intended to be an inherently conservative approach. However, there are certain pitfalls during a LOPA that might lead the LOPA team to estimate a too-optimistic mitigated event frequency. This article will focus on using the correct accuracy of Initiating Cause (IC) frequencies and Independent Protection Layer (IPL) Probability of Failure on Demands (PFDs). In addition, the article will present a solution to illustrate the uncertainty in the result of the LOPA.
If not generic conservative data is used, the inherent uncertainty in failure data might lead to a too-optimistic result. When the LOPA is used to allocate SIL to SIFs, even a small deviation from the ‘true’ value could have a large consequence if the resulting PFD requirement for the SIF is around the boundary for different SILs. As obvious from Table 1, a PFD requirement on an SIS of 9.9·10-3 from a LOPA induces a SIL 2 requirement, while a slight deviation in the input values for initiating cause frequencies or protection layer probabilities to the non-conservative side would reduce the requirement to SIL 1.
Installation Specific Conservativeness
It is important to be consistent in the approach to IC frequencies and IPL PFD. Avoid deviating from the order of magnitude approach to IC frequencies and IPL PFDs, but rather stay conservative and stick to generic data. However, a conservative value for one installation could be heavily conservative for another one, but optimistic for a third one, depending on e.g. process parameters and type of installation as well as testing, inspection, and maintenance programs. In the case of a PSV, clean service and good maintenance imply that a PFD of 0.01 might be possible and still be conservative, while a single valve in non-clean service is often recommended a PFD of a maximum of 0.1 to stay conservative.
Based on this, one improvement to the standard methodology is to complement the generic point value by an interval of possible generic values. This could be included in the LOPA results if the analyst concludes that deviations may exist, e.g. due to uncertainty regarding maintenance procedures, boundary conditions, or application. Hence, sensitivity analysis could be done by adjusting the point value, based on the interval and knowledge of how different factors could affect the input data. However, it is nevertheless important that the selection of values always stay conservative.
Statistical Distributions to Quantify the Level of Conservatism
Despite the nature of a rough and semi-quantitative analysis, the result from a LOPA is often only presented as a point frequency or required PFDavg (even though this might not be the correct application of the method). To be able to express the uncertainty and investigate the effect of conservative data, this article suggests that statistical distributions can be assigned to the input data. By doing so, it is possible to express the result in terms of confidence intervals, rather than a point value.
The type of distribution to use depends on the information available for the variable in question. However, it is important to ensure that the distribution stays within the boundaries of the data, e.g. a PFD value must be greater or equal to 0 and less or equal to 1 and a frequency must be greater or equal to 0. A simple and intuitive distribution is the triangular distribution, which is used in the example below. A triangular distribution is defined by its minimum value, maximum value, and mode, i.e. the most likely value.
To once again investigate the case of a PSV as a safety barrier, where there is an uncertainty if the application can be regarded as clean service or not. The recommended value for a single PSV in clean service of 0.01 is therefore treated as the minimum value and 0.1 becomes the maximum value. The most likely value, the mode, is placed in between slightly closer to clean service as this was regarded as the most credible. The probability density function of the resulting distribution is available in Figure 1.
To illustrate the value of adding distributions to the input data, an example of a LOPA covering an overpressure scenario of a separator is carried out. The process segment is presented in the simplified process flow diagram in Figure 2. The purpose of the LOPA is to assign a SIL rating to the instrumented protection layer PAHH, closing the inlet shutdown valve XV-101 to protect the separator from overpressure from upstream sources.
As a basis for the LOPA, it is assumed that the worst-case safety consequence is the rupture of the separator and leakage of process hydrocarbons, which if ignited causes an explosion with the possibility of 1 fatality. This results, according to the Risk Matrix for the hypothetical plant in the example in acceptance criteria or Target Mitigated Event Likelihood (TMEL), of 10-5 per year.
Three different initiating causes are identified, including PCV-989 failure to open position, operator error, opening HCV-104 too much, and spurious closure of XV-102. There are no additional protection layers apart from the PAHH. However, two conditional modifiers, probability of ignition and occupancy, have been taken into consideration.
First, a conventional LOPA approach is applied to the scenario, applying generic conservative values to the initiating cause frequencies and the probability of the conditional modifiers. The data is listed in the LOPA calculation table below. As seen from the result in the lower right part of the table, a SIL 3 requirement is raised for the PAHH safety function, with a required PFDavg of at least 6.35E-4.
Triangular Distribution Applied to One Variable
Further, the uncertainties are modeled using a triangular statistical distribution. The first step is to apply a triangular distribution only to one of the variables, where the uncertainty is expected to be greater. The occupancy is often associated with uncertainty, depending on the size of the area affected by the explosion, maintenance schedule, and daily routines. The minimum and maximum values of the triangular distribution are based on the extremes suggested by operations and the other participants in the LOPA workshop. In this case, a minimum value of 6 hours per day and a maximum value of 14 hours per day is applied. The mode of the triangular distribution is chosen based on the most credible value, which was assumed around 8 hours per day. The probability density function for the occupancy factor is shown in Figure 3.
In Figure 4, the output of a simulation with the input parameters described above is presented. The diagram shows the cumulative distribution function where the y-value indicates the probability that the outcome is lower or equal to the x-value, i.e. the probability that the required PFDavg of the SIF will be lower or equal to the x-value. From the diagram, it is possible to conclude that there is at least a 16.4 % chance that the acceptable risk could be achieved with a SIL 2-rated SIF.
Triangular Distribution Applied to All Input Variables
Uncertainties exist in all data and as described above, conservatism is added to all input data in a LOPA. Hence, this section investigates the effect of defining a triangular distribution for all five input variables, with the same approach as for the occupancy. The resulting cumulative distribution function is shown in Figure 5. Now the result indicates a 75.2 % probability of a SIL 2 requirement.
From the result, it is possible to claim that with a confidence of about 75 % a SIL requirement on the PAHH protection layer of SIL 2 would be enough to meet the risk acceptance criteria for the scenario. However, there is still a probability of about 25 % that a SIL 3 is required. These statements are based on non-conservative, but probably realistic assumptions and justifications. The result should not be handled as a final decisive result, but rather as an indication. In this case, it might imply that it is motivated to perform further detailed studies to investigate if it is possible to reduce the SIL 3 requirement to SIL 2 and by that reduce maintenance and design requirements but still be confident that the risk is reduced to an acceptable level. Such studies could, for example, include a Fault Tree Analysis and Event Tree Analysis, where the level of conservatism could be reduced since those techniques allow for more complexity in the models.
ORS offers highly experienced personnel to facilitate and record tailored LOPA studies. Our expert will help you customize the analysis to your purpose and need. ORS services cover activities throughout the SIS lifecycle.