Cumulative LOPA 20100312 Figs
-
Upload
pietro-ballini -
Category
Documents
-
view
17 -
download
2
description
Transcript of Cumulative LOPA 20100312 Figs
SIL Determination According To IEC 61511-3: Cumulative LOPA method
Gy. Baradits PhD. 1*, J. Madár1 PhD., Gy. Baradits jr.1, Á. Baradits1
1 SIL4S Kft, Veszprém 8200, HUNGARY
Abstract
LOPA (Layer of Protection Analysis) is a simplified risk assessment method that is uniquely useful for determining
integrity level of SIF (Safety Instrumented Function – “interlock”) should be designed. LOPA is a quantitative tool
which is readily applied after the Process Hazard Analysis (PHA) – for example, HAZOP – and before Fault Tree
Analysis/Quantitative Risk Assessment if needed. In most cases, the SIF’s Safety Integrity Level requirements can
be determined by LOPA without using the more time-consuming tool of Fault Tree Analysis or Quantitative Risk
Assessment. The problem of classical LOPA approach is that it takes into consideration only one hazard scenario
(per scenario method) at a time. However the same SIF may exist in several hazard scenarios, so in practice there is
a need for a cumulative LOPA method where we can take into account all hazard scenarios in LOPA calculation
which have identical SIF as a Safety Instrumented Independent Protection Layer. We lay down the mathematics of
cumulative LOPA and developed software called Tool4S which uses this mathematics. The article shows some
example of the SW application in the Process Industry.
Keywords: HAZOP; Process Risk; Risk reduction; LOPA; Cumulative LOPA; SIL calculation
1. Introduction
One of the first book about the safety instrumented systems was published by TÜV in 1986 (Hölscher and Rader,
1986). The topic of the book was the application of microcomputers in fields which are related to safety. In the
1990s, companies and industrial groups developed standards to design, build and maintain, that time called,
Emergency Shutdown Systems focusing only on the PLC (programmable electronic controller) system. The PLC, in
“safety application”, was classified according the German Standards (DIN 3100 - DIN EN 954). When the first
general safety standard the IEC 61508 (IEC 2000) was issued, the safety thinking both in general and industrial
segment specific point of view dramatically changed. In 2003, a sector specific safety standard, the IEC 61511 (IEC
2003), was published for process industry, e.g. for Chemical, Petrochemical, Oil and Gas Industry. This standard
firstly introduced the principle of Safety Instrumented Systems (SIS) and Safety Instrumented Function (SIF) into
the safety thinking.
A key input of the tools and techniques which implement these standards is the so-called required Probability of
Failure on Demand (PFD) value. The required PFD value determines the required Safety Integrity Level (SIL) of a
safety function (SIF) see Table 1. Normally the task of Process Hazard Analysis (PHA) teams is to determine the
existing risks (R=f*C). Required SIL values for every SIFs (“interlocks”) are calculated on the basis of these risks.
Several techniques were developed for this task, one of them is the Layer of Protection Analysis (LOPA) which
becomes more and more popular in everyday practice. LOPA is an approach which analyzes the number of layers
needed to protect the process against the unwanted consequences of the Hazards and, even it would happen, to
reduce the consequences. The concept of LOPA was firstly published by the Center for Chemical Process Safety
(CCPS) in 1993 in the book “Guidelines for Safe Automation of Chemical Processes” (CCPS, 1993). From those
* Corresponding author, Tel.: +36 88 424 075 E-mail address: [email protected] (György Baradits snr.)
concepts, several companies developed internal procedures for LOPA (Dowel and Hendershot, 2002, SafetyLine
Inst., 1998). The CCPS and AIChE also published a book in 2001 that describes the LOPA method (CCPS, 2001).
The goal of this paper is to briefly describe the LOPA process, and discusses experience in implementing the
technique.
Table 1: Connection among SIL, PFD and RRF
SIL
High Demand Mode,
PFDawg
Continuous Mode (per
hour)
Risk Reduction factor
4 10-5 - 10-4 10-8 - 10-9 10.000-100.000 3 10-4 - 10-3 10-7 - 10-8 1000-10.000 2 10-3 - 10-2 10-6 - 10-7 100-1000 1 10-2 - 10-1 10-5 - 10-6 10–100
2. Procedure of SIL calculation
Based on the Safety Life Cycle, it is necessary to get convinced that the existing / designed SIS is appropriate for the
particular process from the safety point of view (pre-validation, validation). How does one get convince about it?
Based on the IEC-61511 standard, one should perform the following steps:
• Hazard and Risk analysis (IEC, 2001)
• IPL allocation and SIL calculation of SIFs
• Safety Requirement Specification
Fig. 1 shows flow-chart of SIL calculation process. This article point of view we are dealing with the calculation of
target SIL value. The suggested methods in the IEC 61508 and IEC 61511 which gives possibility of calculation the
target SIL value of SIF are split into three groups:
• Qualitative, like risk matrix, risk graph
• Quantitative, like LOPA or like Failure Mode and Effect Analysis (FMEA) or MARKOV modelling
The qualitative methods are simply, inaccurate and too subjective and do not deal with neither the non
instrumented independent protection layers nor the independency of the layers itself. That is why these methods are
not suggested in the everyday practice of complex technology in the process industry nowadays. On the other hand,
the FMEA and Markov techniques are too detailed and slow for practical usage. That is why the LOPA seems to be
a good compromise.
However while the LOPA is quantitative method (see the help of the ExSILentia software (Exsilentia)), there are
some arguments why LOPA should be used:
• It is not as subjective as the qualitative methods.
• The criterion of using LOPA is to build up the Corporate Tolerable Risk Matrix, which is the responsibility
of given Company.
• LOPA is the only method that is able to take into consideration various non-SIF protection layers in the
process applications.
• LOPA gives the possibility of building up the most cost effective protection layer system including
instrumented and non instrumented protection layers.
Fig. 1 – Flowchart of SIL calculation using LOPA.
3. What is LOPA?
In the IEC 61511 LOPA is mentioned as a method which gives possibility of calculation of the required SIL value of
a SIF. Actually, the LOPA method (CCPS, 2001, ISA, 1996) is a quantitative risk analysis technique that is applied
following the process hazard identification method such as HAZOP.
The LOPA main objectives are the followings:
• Identify all independent protection layers (IPLs).
• Determine if SIF is required.
• Determine required SIL and RRF values of SIFs.
Main steps of LOPA procedure are the followings:
1. Develop each impact event scenario based on PHA (typically HAZOP).
2. Identify and set the initiating event(s) and related enabling factors.
3. Calculate the enabled initiating event(s) frequency.
4. Evaluate the severity consequences for human, environment and business of the impact event scenario.
5. Determine the tolerable frequencies of the consequences for human, environment and business.
6. Determine if the initiating event frequency is smaller than the tolerable frequencies. If it is smaller, no IPLs
are necessary.
7. Add independent protection layers (IPLs) to mitigate the impact event scenario.
8. Set the probability of failure on demand (PFD) values of IPLs.
9. Calculate the frequency of the impact event scenario after mitigation; and check if the frequency meets the
company’s target frequency requirements. If one or more target frequency requirements are not met, go
back to the Step 7.
10. If no more IPL and the target frequency requirement is still not met, allocate a SIF and determine the target
SIL and RRF values of this SIF.
We define LOPA as a quantitative method because even if this technique uses numbers and generates a
numerical risk estimate, these input numbers are approximate estimates, their accuracy is about at the half order of
magnitude level. But even if the LOPA is quantitative, if it uses a well-calibrated tolerable risk matrix, the estimated
SIL and risk reduction factor (RRF) values will be adequate. The RRF value is also important because it sets the
position of the risk reduction requirement for SIF within the given SIL range. If a more complete understanding of
the risk is required, more rigorous quantitative techniques such as fault tree analysis or quantitative risk analysis
should be required.
The key word of LOPA is the independent protection layers. No other method gives the possibility of
discovering all non instrumented protection layers which necessary to reduce the probability of risk before applying
SIFs. The team also supervises the detailed P&IDs in the course of the LOPA study that gives the possibility to
discover if any non instrumented protection layers missed in the design phase.
The main goal of LOPA is to calculate the residual risk and the mitigated frequency of a given hazard scenario.
Practically, the LOPA is used to determine whether the risk reduction of identified (existing and/or proposed) non
instrumented protection layers is enough or not.
LOPA starts with a dangerous consequence, usually an event with hazardous consequence for environment,
health and business. The severity of consequences is estimated using appropriate techniques, which may range from
simple category tables to sophisticated consequence modelling software tools depending on the experience of the
HAZOP team. A consequence always has one or more initiating events (causes). Each cause-consequence pair is
called as scenario, and the LOPA focuses on one scenario at a time. The frequencies of initiating events are also
estimated (usually from historical reliability database or category tables) by the HAZOP team.
After identifying all causes and consequences, the possible safeguards (protection layers) of the given hazard
scenario is evaluated for two key characteristics:
• Is the safeguard effective enough in preventing the scenario from occurrence the consequence?
• AND, is the safeguard independent of the initiating event and the other IPLs (Independent Protection
Layers)?
If the safeguard meets both of these criteria, it is an Independent Protection Layer (IPL).
LOPA estimates the frequency of the mitigated dangerous consequence (called mitigated frequency) by
multiplying the frequency of the initiating event by the product of the probability of failure on demand (PFD) of
∏=
⋅=n
jjPFDFF
1initiatingmitigated (1)
where n is the number of the non instrumented independent protection layers for the given hazard scenario, Finitiating.
is the frequency of the cause, and PFDj gives the probability that j-th IPL cannot prevent against the scenario to
occur the unwanted consequence. The smaller the PFD value is, the better the IPL is. Fig. 2 shows a simple diagram
to illustrate how the probability of occurrence of the unwanted consequence decreases by using IPLs.
IPL1 IPL2 IPL3
Consequence realised
Fig. 2 – The principle of LOPA: the probability of the unwanted consequence decreases by IPLs.
The mitigated frequency is compared to the tolerable risk values (tolerable frequencies) of the given hazard
scenario. The tolerable frequencies are derived from the company consequence criteria matrices for people, business
and environment. If additional risk reduction is necessary, additional IPLs must be proposed to the design, which
can be non instrumented or instrumented protection layer(s).
4. Cumulative LOPA method
The fundaments of the LOPA calculation are the company tolerable risk criteria. The typical risk criteria give the
tolerable risk values, expressed in frequency, for personnel, environment and business losses. During the LOPA, it is
necessary to compare the mitigated risk to the tolerable risk. If the mitigated risk is lower than the tolerable risk or at
least it is “as low as reasonably practicable (ALARP)” there is no need for other protection layers. If the protection
layers do not protect against the unwanted consequences, it is necessary to add new protection layers and/or other
risk reduction methods.
The tolerable risk categories are always prepared by the given company and they must be included in the
Company Safety Policy. As the corporate criteria determine the tolerable risk values, the LOPA practically focuses
on the calculation of the mitigated risk to determine the necessary risk reduction factor. In everyday practice, the
mitigated risk is calculated separately for every scenario. This is so-called “per scenario” method which has one
disadvantage that it cannot take into consideration that a hazard may contain several scenarios with the same
consequence and partly or completely same protection layers (a given SIF, for example). To analyse this problem let
see what the IEC 61511-3 standard says about the SIL calculation:
“The last step is to add up all the mitigated event likelihood for serious and extensive impact events that present
the same hazard”.
This is why we suggested instead of “per scenario” method, the “cumulative” method which can take into
consideration all hazard scenario which is protected by the same SIF according the standard.
Let see a quantitative example about the difference between the “per scenario” and the “cumulative” method
suggested. Let assume that the hazard is high pressure of a vessel and there are two possible initial events:
• The pressure control loop fails. The frequency is F1.
• The vapour line is blocked. The frequency is F2.
Let us assume that the dangerous consequence is vessel rupture in both cases and there is an independent high
pressure trip, i.e. a SIF which can protect against the high pressure in both cases, and there is no any other IPL. Fig.
3 illustrates the example. If the “per scenario” method is used, it will be calculated in the following way: The target
risk reduction factor for the first scenario is: toltar FFRRF /11 = , where the Ftol is the tolerable frequency for the
given consequence based on the Company Safety Policy. The target risk reduction factor for the second scenario is:
toltar FFRRF /22 = . The final target RRF for the SIF is the higher RRF value:
( )tartar RRFRRFRRF 21scenarioper ,max=− (2)
In contrast with the previous one, the “cumulative” method adds up all the RRF values, so the target RRF for the
SIF will be:
tartar RRFRRFRRF 21cumulative += (3)
This is higher value than the result of “per scenario” method.
That above mentioned difference is important because as we mentioned the IEC 61511-3 suggests calculating
the total risk. It means that the standard suggests the cumulative LOPA method instead of the per-scenario LOPA
method.
The difference between the results of the two LOPA techniques may be very high when the given SIF can be
found in several scenarios as an IPL. This difference is usually much more than the uncertainty of the LOPA
method, so the negligence of application of cumulative LOPA method may lead to non-conservative SIL calculation
results (safety risk).
In the next chapter, we will conduct the mathematics of cumulative LOPA method and present how it is
implemented in our Tool4S software tool developed by us.
PIC
Vapour
Liquid
PSH ESD
LIC Feed
High pressure SIF
Fig. 3 – Example high pressure SIF.
5. Cumulative LOPA method SW: Tool4S
There are several software tools for making HAZOP and LOPA studies, but our experience has showed that most of
them only can calculate the RRF value for one scenario (per scenario method) but do not accumulate them. So this is
the task of the user. Preparing some hundreds of HAZOP studies showed that the same SIF can occur in several
hazard scenarios in the process industry, i.e. one SIF may belong to many different hazard scenarios. If users use
software which does not support the cumulative LOPA method, finally they will make mistakes in calculation of
SIL value and RRF value of SIFs or try to forget the cumulative LOPA method just because it is too tiresome.
Hence, we built the cumulative LOPA method into our Tool4S software making the calculation automatic. In the
following, it will be presented how the cumulative LOPA is realised in our software (see the demo of the software
(Tool4SDemo)).
The calculation is based on the “non-mitigated frequencies” matrix for causes and the “tolerable frequencies”
matrix of the given company. The non-mitigated frequencies matrix can contain one or more pre-defined likelihood
values for the initial events (causes), see Fig. 4. It is the user task to define this values, the user can easily add or
remove items to/from the matrix. Certainly it is not necessary to use this matrix for every case; the user can give a
unique frequency value for every initial event if the pre-defined values do not fit to the given case.
Fig. 4 – Definition of non-mitigated frequency matrix of causes in Tool4S.
The tolerable frequencies are also user defined. The user can define the number of consequence types (the
default is three: for human, for business and for environment), the possible severity categories, and the specific
tolerable frequencies for each severity, see Fig. 5 for an example.
Fig. 5 – Definition of tolerable frequency matrix in Tool4S.
Every pre-defined non-mitigated frequency and tolerable frequency value has a code. The user can easily do the
risk ranking by selecting only the appropriate code, see Fig. 6.
Fig. 6 – Example for risk ranking in Tool4S.
The risk ranking must be done for every cause-consequence pair, but if the consequence is the same for more
causes, the software will automatically copy the consequence ranking information to save manual work.
The main concept in the software is that every SIF has a unique tag name and own SRS (Safety Requirement
Specification) sheet. When a SIF is added into the HAZOP, the software automatically collects every scenario where
the given SIF is involved in, and calculates the cumulative RRF value of the given SIF. Fig. 7 shows an example
from the software.
Cumulative LOPA results
Where the SIF can be found
Fig. 7 – Example for cumulative LOPA in Tool4S.
The result of the calculation is the target SIL and target risk reduction factor.
6. Cumulative LOPA algorithm
In the followings, the algorithm of cumulative LOPA will be presented as it is realised in the Tool4S software.
6.1. First step
In the first step, the software takes the frequency of the cause (initiative event). This is called as non-mitigated
frequency. The software takes the cause frequency category and looks for the non-mitigated frequency value from
the user defined non-mitigated frequencies matrix. The attributes of non-mitigated frequency:
Sign : Fnon-mit
Name : Non-mitigated frequency
Unit : 1/year
Range : Real number, mitnonF −≤0
6.2. Second step
The software takes the severity categories of the consequence and look for the tolerable frequency value from the
user defined QTRM. In the QTRM, there are tables which inform about the tolerable frequency of different types of
consequences. Typically there are three types of consequences:
� Human
� Business losses
� Environment
In the followings, we assume that these three consequence types are used.
The attributes of tolerable frequencies:
Sign : tenvironmenbusinesshuman ,, toltoltol FFF
Name : Tolerable frequency (target frequency to be reached)
Unit : 1/year
Range : Real number, tenvironmenbusinesshuman ,,0 toltoltol FFF≤
6.3. Third step
The software calculates the Scenario Risk Reduction Factor (without SIF) based on the PFD values of safeguards.
The PFD values are manually given by the user in the HAZOP study (Fig. 8 illustrates an example). The attributes
of PFD:
Sign : PFD
Name : Probability of Failure on Demand
Unit : -
Range : Real number, 10 ≤≤ PFD
The attributes of scenario risk reduction factor:
Sign : scenRRF
Name : Scenario Risk Reduction Factor (without SIF)
Unit : -
Range : Integer, scenRRF≤0
The calculation of scenario risk reduction factor is:
( )tolmitupscen FFRRF /int= (4)
where upint is an integer round up function (“ceil function”), and the Ftol and Fmit are calculated as:
( )tenvironmenbuisnesspeople ,,min toltoltoltol FFFF = (5)
∏⋅= − j jmitnonmit PFDFF (6)
where j is a running index for the safeguards in the given Hazard scenario.
Fig. 8 – Edit safeguards in Tool4S.
6.4. Fourth step
Finally the software calculates the cumulative target risk reduction factor and SIL value. Both values are calculated
automatically for a given SIF based on all referenced Hazard scenarios (see Fig. 7).
The attributes of target risk reduction factor:
Symbol : tarRRF
Name : Target Risk Reduction Factor
Unit : -
Range : Integer, tarRRF≤0
The calculation of cumulative target risk reduction factor:
( )
= ∑
j
jtol
jmituptar FFRRF /int (7)
where j is running index for Hazard Scenarios in which the given SIF can be found as safeguard.
The attributes of Target SIL:
Sign : tarSIL
Name : Target Safety Integrity Level
Unit : -
Range : Integer
The calculation method of Target SIL:
( )( )tardowntar RRFSIL 10logint= (8)
where downint is an integer round down function (“floor function”).
This algorithm is running automatically when an existing SIF is added as safety instrumented protection layer to
a new hazard scenario or when after a supervision of HAZOP study a SIF is cancelled from any Hazard scenario.
7. Conclusions
In this article, we evaluated the existing methods which calculate the SIL value of SIFs within a HAZOP study using
LOPA method. We analysed the traditional LOPA method called “per scenario” in which only one scenario/SIF is
taken into consideration for each SIF. We showed that the result of this calculation is not correct and is
underestimated. We suggested and analysed the “cumulative LOPA method” that takes into consideration all hazard
scenario which contain the same SIF as an instrumented independent protection layer.
This method has only one disadvantage that it is not easy to realise manually. That is why we developed our
Tool4S HAZOP/LOPA study program, which automatically calculates target RRF value of a SIF based on the
cumulative LOPA method.
The Tool4S SW overcomes the problem of manual and very slow calculation, where the result is not always
correct, mainly in case when the technology is too complex. The Tool4S was tested some 100 HAZOP and LOPA
studies and proved that is fast, correct with high reliability.
Acknowledgements
Here we would like to express our acknowledgement to our colleges at SIL4S Kft. and the Department of Process
Engineering of Pannon University, Veszprém for their continuous contribution to this development and colleges at
Slovnaft Refinery, Slovakia taking part in the test of our SW and giving some development idea to us.
References
Hölscher H. and Rader J., 1986, Microcomputers in Safety Technique, Verlag TÜV Bayern, München DIN 3100: General Requirement, AK 1…8, WITHDRAWN DIN V VDE 081: Microprocessors in Safety Application, WITHDRAWN DIN V 19250: Control technology; fundamental safety aspects to be considered for measurement and control
equipment, WITHDRAWN DIN EN 954-1: Safety for Machinery, EXTENDED to 31 December 2012 International Electrotechnical Commission (IEC), 2000, IEC 61508 Part 1 – 7: Functional safety of electrical /
electronic/programmable electronic safety - related systems. International Electrotechnical Commission (IEC), 2003, IEC 61511 Part 1 – 3: Functional Safety: Safety
Instrumented Systems for the Process Industry Sector.
Centre for Chemical Process Safety (CCPS), 1993, Guidelines for Safe Automation of Chemical Processes, (CCPS/AIChE, New York, USA).
Dowell A.M. and Hendershot D.C., 2002, Simplified Risk Analysis - Layer of Protection Analysis (LOPA), AIChE 2002 National Meeting, Paper 281a
SafetyLine Institute, 1998, Occupational Health & Safety Practitioner - Management of major hazard facilities, (London, UK).
Center for Chemical Process Safety (CCPS), 2001, Layer of Protection Analysis – Simplified Process Risk Assessment, (CCPS/AIChE, New York, USA).
Exsilentia, www.exida.com International Electrotechnical Commission (IEC), 2001, IEC 61882: Hazard and Operability (HAZOP) Studies. Instrumentation, Systems and Automation Society (ISA), 1996, ANSI/ISA 84.01: Application of Safety
Instrumented Systems to the Process Industries. Tool4SDemo, https://tool4sdemo.sil4s.com/