MainLOPA

LOPA

LOPA (Layer Of Protection Analysis) - Analysis of protection levels. This is a simplified semi-quantitative methodology used in engineering to assess protection against a given risk.

We offer semi-quantitative LOPA analysis services in risk assessment to improve safety levels and consequently the efficiency of enterprises in various industries.

Management System

ISO 9001:2015
ID 9000012276

www.tuv.com

Trust your tasks to like-minded people

At your service is a team of highly qualified engineers and managers who are at the center of information flows, have the necessary practical experience and modern methods of analysis and training. RBI Concept is your partner in business development with over 20 years of experience!

Relevance

Major technological accidents and catastrophes in the second half of the 20th century worldwide, including in Russia, forced a reconsideration of approaches to safety management. Production safety became the main priority. This can be seen in the number of various regulatory documents already adopted and being adopted. This trend is very clearly visible in the graph in Fig. 1. It was during this time that various methodologies and approaches in risk analysis and management developed, which are legally enshrined. In Russia during this period, an entire system of standards for risk analysis and management emerged.

Fig. 1. Number of Russian regulatory legal and normative-technical documents containing the words "safety," "danger," and "risk." [2]

The update of the Russian regulatory framework for ensuring the safety of hazardous production facilities has not been left aside, which is also developing and harmonizing with international best practices in terms of general approaches and methodology, and is reflected in federal laws, documents of Rostekhnadzor, EMERCOM, and GOST R.

For example, in accordance with Federal Law-116 [1], when registering hazardous production facilities (HPF) of classes I and II, the development of an industrial safety declaration requires conducting a comprehensive assessment of accident risks and related threats to human life and health, property, and the environment. The industrial safety declaration of a hazardous production facility in operation must be regularly updated:

after ten years of operation;
when technological processes at the hazardous production facility change;
when industrial safety requirements change;
upon instruction from the federal executive authority.

It should be noted that this is not the only mention in Federal Law-116 [1] of the need for risk assessment; the entire concept of the industrial safety management system is based on this, including accompanying regulatory legal acts. The main risk assessment methods (31 methods) and recommendations for method selection are described in GOST R [4], which also provides references to other international standards that describe in more detail the application of specific risk assessment methods. Each of these methods is applicable in various situations; in our case, we will consider various aspects of applying LOPA risk analysis.

Principle

LOPA stands for Layer of Protection Analysis, which means analysis of independent levels of protection. LOPA is a simplified semi-quantitative risk assessment method that evaluates a hazardous scenario to determine its consequences and initiating events leading to the risk of this scenario occurring. That is, before establishing the need for a safety function, all independent protection layers using other technologies should be considered. The independent protection levels of a technological facility can be visually represented in Fig. 2. Here it is evident that inadequacy or failure of one protection level leads to activation of a higher protective level. The principle of LOPA analysis consists of risk assessment considering the action of all independent protection levels of the facility. This is the main difference between LOPA and other risk assessment methods.

All independent protection levels are evaluated for a specific scenario to determine the reduced probability of risk occurrence. For each scenario, LOPA separately analyzes the adequacy of existing barriers to reduce risk, i.e., acceptable risk criteria are achieved. In addition to analyzing the reliability of independent protection levels, LOPA determines the target Safety Integrity Level (SIL) for automated safety instrumented systems in accordance with the GOST R IEC 61508/61511 series of standards.

Fig. 3. General format of table for conducting LOPA analysis

Explanations for the LOPA table in Fig. 3

Initial Event – a potential cause of danger that can activate one or more independent protection levels

Initial Event Frequency per year (Initial Event Frequency or IEF) - Quantitative assessment of the expected frequency of initial event occurrence, based on regulatory sources or operational experience in a specific company.

Condition Modifier (Condition Modifier or CM) – A condition modifier is an action or event that can reduce the probability of an undesirable initial event. For example, the probability of personnel being in the considered risk zone during accident realization throughout the year. If constantly, then the condition modifier equals 1.0. Or, for example, the influence of factors such as discharge direction, wind, ignition, etc. during an accident is considered.

Independent Protective Layers (Independent Protective Layers or IPL) - an independent mechanism consisting of comprehensive equipment and/or administrative measures that prevent or reduce risk to an acceptable level. For example, in Fig. 2, the process control system and safety system having one common pressure sensor are not independent protection levels and cannot be considered in LOPA.

Fig. 4. Visual representation of independent protection layers action in case of risk occurrence.

Numerical values of IPL failure probability are typically selected from practice at the specific enterprise where the analysis is conducted. For example, safety system failure occurs once in 10 years, or 0.1 times per year.

Probability of Failure on Demand (Probability of Failure on Demand or PFD) – maximum probability that a system will fail and be unable to perform its safety functions when needed over a one-year period.

Target Risk (Target Risk or TR) – acceptable numerical values of risk occurrence taken from the legislation of the country where LOPA analysis is conducted, for example, Rostekhnadzor Order No. 144 dated April 11, 2016 [8], enterprise standard, or company risk tables.

Risk reduction through independent protection levels (Actual Risk or AR) – this is the final numerical value of the probability of risk occurrence per year. This value is determined as the product of all values in the considered scenario:

AR = EIF x CM x IPL1 x IPL2 x IPL3 х IPLn

If the initial event (IE) realization has several development scenarios, then for each of them its own value of reduced risk through independent protection levels (AR) is calculated:

AR = AR1 + AR2 + ARn

where AR1, AR2…ARn are the values of reduced risk through independent protection levels for each risk realization scenario.

Determining acceptable risk after determining the final AR value:

The essence of the calculation is to determine residual risk (AR) after applying condition modifiers and protective independent layers. Then, using the ALARP principle, acceptable risk for this initial event is determined.

Fig. 5. ALARP principle (As Low As Reasonably Practicable Level) - practically acceptable lower level

To determine acceptable risk (Tolerability Criteria-TC), reference materials, regulatory documents, or a table for qualitative assessment of acceptable risk adopted at the enterprise and complying with regulatory legal acts requirements are used. These must be determined before beginning risk analysis using the LOPA method.

Fig. 6. Example table for qualitative acceptance of acceptable risk

If AR ≤ TC, then the goal was achieved. In this case, risk is considered acceptable. If the residual risk frequency AR > EC, then the goal was not achieved and additional risk reduction is required.

SIL

SIL - Safety Integrity Level SIL of automated safety instrumented systems.

Basic terms and concepts

As mentioned above in this article, using the LOPA risk assessment methodology, the target value of the safety integrity level of the safety instrumented system can be determined. But to understand how and why this is done, let's first consider the fundamental terms of the safety instrumented system that will participate in calculating the target SIL. First, let's present the structure of the enterprise technological process control system.

Fig. 7. Typical structure of enterprise technological process control (Integrated Control and Safety System – ICSS), where:

F&G – fire and gas detection system;
SIS – safety instrumented system;
DCS – distributed control system.

As seen from the diagram, three independent systems are connected into a single integrated system, and the safety instrumented system plays a key role in it.

Basic definitions of safety instrumented system:

Safety Instrumented System - prevents emergency situations in technological processes due to human factors or equipment failures, performs emergency shutdown and brings to safe states. All actions are controlled by the safety controller, which is programmed according to the "cause and effect" table.

Safety Instrumented Function (Safety Instrumented Function or SIF) consists of instruments connected in a logical chain "Sensor – Logic device - Final element".

Fig. 8. Structure of Safety Instrumented Function

The safety instrumented system consists of at least one safety instrumented function and can reach several thousand or more in large safety instrumented systems.

Safety Integrity Level (Safety Integrity Level or SIL) – this is a reliability class of Safety Instrumented Function. There are 4 SIL classes. The highest and most reliable is SIL4 with a probability of failure on demand of no more than 1 time in 10 thousand years, which is used only in nuclear and space industries due to high equipment costs. The remaining 3 SIL classes, see Fig. 7, are widely used in oil and gas, petrochemical and other industries.

Fig. 9. Table of Safety Integrity Level (SIL) reliability classes

SIL levels determine the magnitude of acceptable risk for the safety instrumented system. This indicator is the probability that the safety instrumented system will correctly perform its functions in case of an accident in the technological process. Determining the PFD value to determine the necessary SIL class will be considered in the next chapter. Determining the target SIL level using the LOPA methodology.

Let's return to Chapter 2 of this article, where we determined the numerical value of risk realization probability reduced through independent protection levels (Actual Risk or AR). To determine the target SIL value, it is necessary to perform 2 actions:

First: Calculate the Probability of Failure of the safety instrumented function (PFD):

PFD = TR / AR, where

TR - Target risk;

AR - Probability of risk realization reduced through independent protection levels.

Second: The obtained value of safety instrumented function failure probability (PFD) is compared with values in the SIL classes table in Fig. 7, from which the nearest larger PFD value in the table is selected, then we see which SIL class it corresponds to.

This is our target SIL level. For example, if we get a calculated PFD value = 0.5 х 10⁻², this corresponds to SIL2 level.

Fig. 10 Structural diagram of LOPA analysis for determining target SIL level

Performers

LOPA analysis team and necessary documentation

LOPA analysis is performed by a multidisciplinary group led by an experienced chairman with experience in organizing and conducting PHA analyses, for example, HAZOP and LOPA. The group, in addition to the chairman, should include specialists of the following qualifications:

Secretary;
Process engineer;
Operations engineer for specific facilities and equipment, having deep knowledge of procedures and possessing technological process safety information;
Mechanical engineer;
Instrumentation and control engineer;
Occupational safety, industrial safety and environmental protection engineer;
Other specialists, as necessary.

The following documents are necessary for conducting LOPA analysis:

Working tables of process hazard analysis / HAZOP or source data on existing hazards;
Cause-and-effect diagrams;
Piping and instrumentation diagrams (P&ID);
Technical specifications defining safety requirements.

The results of the performed LOPA analysis are documented in a protocol that includes: source data, description of performed calculations, calculation table, and recommendations.

Advantages

The LOPA method has several advantages that make it popular in the engineering community:

first, it is a simplified tool for checking risk analysis in a hazardous scenario and developing appropriate safety measures to reduce it;
second, based on the conducted analysis, it is quite simple to determine the target SIL level in safety instrumented systems without complex calculations or special software;
third, LOPA can use source data for conducting risk assessments obtained by other methods, for example, HAZOP. LOPA analysis can also be conducted during a HAZOP session to clarify the influence of other risks on the investigated one.

Bibliography

Federal Law of July 21, 1997 N 116-FZ "On Industrial Safety of Hazardous Production Facilities"
Website "Hazard Analysis and Technological Risk Assessment" (riskprom.ru)
GOST R 51898-2002 Safety aspects. Rules for inclusion in standards
GOST R ISO/IEC 31010-2011. Risk management. Risk assessment techniques
Simplified Risk Analysis – Layer of Protection Analysis (LOPA). Prepared for Presentation at the American Institute of Chemical Engineers 2002 National Meeting Indianapolis, in November 3-8, 2002. Paper 281a
GOST R IEC 61508 series Functional safety of electrical/electronic/programmable electronic safety-related systems
GOST R IEC 61511 series Functional safety. Safety instrumented systems for the process industry sector
Rostekhnadzor Order of April 11, 2016 N 144 "Safety Guide "Methodological foundations for conducting hazard analysis and accident risk assessment at hazardous production facilities
Standard Rule Set for Layers of Protection Analysis Studies. ESC Co. 2013