LAYER OF PROTECTION ANALYSIS (LOPA)
By: Bayu Nurwinanto
The Layer of Protection Analysis (LOPA) technique is described in detail in the American Institute of Chemical Engineers Center for Chemical Process Safety (CCPS) publication on the subject. An overview of the technique is presented here. For more information, the reader is referred to the CCPS publication, which contains a number of worked examples and extensive references.
BACKGROUND
LOPA is one of a number of techniques developed in response to a requirement within the process industry to be able to assess the adequacy of the layers of protection provided for an activity. Initially this was driven by industry codes of practice or guidance, and latterly by the development of international standards such as IEC61508 and IEC61511.
In outline, IEC61508 is a standard for managing the functional safety of Electrical / Electronic / Programmable Electronic Safety Related Systems (E/E/PES). The standard is generic and can be applied to any safety related application in any industry sector. The process industry sector specific standard, IEC61511, is under development. A description of the practical application of the standard in the process industry has been presented by Charnock.
The standard uses a ‘safety lifecycle’ concept (from concept design, through hazard and risk analysis, specification, implementation, operation and maintenance to decommissioning) to address the steps to achieving functional safety in a systematic and auditable manner.
In essence, implementation of the standard involves, firstly, identification of the hazards associated with the Equipment Under Control (EUC) and the EUC control system. The EUC (a reactor, for example) comprises the plant item (vessel and pipework). The EUC control system is the basic process control system (BPCS, e.g. DCS or PLC / SCADA). Protection systems relying on other technology (OT, i.e. not E/E/PES) and External Risk Reduction Facilities (such as blast walls or bunds) are considered to the extent that they contribute to the overall risk reduction in relation to a particular hazard.
A risk analysis is then conducted to determine the risks associated with the EUC and EUC control system. If this risk is above the upper level of tolerability, then the standard requires that a so-called ‘safety function’ is put in place to reduce the risk to a tolerable level. The safety function will have an associated safety integrity requirement (e.g. a probability of failure on demand). This is a measure of the risk reduction associated with the safety function. The risk reduction for a safety function can then be allocated between E/E/PE safety-related systems, OT safety-related systems and external risk reduction facilities. Safety functions allocated to E/E/PE safety-related systems are specified in terms of Safety Integrity Levels (SILs), where a SIL is defined in terms of a target range of failure likelihood.
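The allocation described above, worked through as an added example (not from the original article or the CCPS publication). The function names are hypothetical, the scenario frequencies and PFDs are constructed, and the SIL bands are the low-demand-mode ranges of IEC 61508, which the article itself does not list.

```python
# Added example: constructed numbers, hypothetical function names.
# Low-demand-mode bands (average probability of failure on demand) per
# IEC 61508: SIL -> (lower bound inclusive, upper bound exclusive).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def required_sif_pfd(unmitigated_freq, tolerable_freq, other_layer_pfds):
    """PFD left for the E/E/PE safety function after crediting other layers.

    unmitigated_freq: hazard frequency (per year) with only the EUC and its
        control system in place.
    tolerable_freq: tolerable frequency (per year) for the same consequence.
    other_layer_pfds: PFDs credited to OT systems and external facilities.
    """
    if unmitigated_freq <= 0 or tolerable_freq <= 0:
        raise ValueError("frequencies must be positive")
    freq = unmitigated_freq
    for pfd in other_layer_pfds:
        if not 0 < pfd <= 1:
            raise ValueError(f"PFD out of range: {pfd}")
        freq *= pfd  # layers are assumed independent, so each scales the frequency
    return tolerable_freq / freq


def sil_for_pfd(pfd):
    """Map a required PFD to a SIL; None means no safety function is needed."""
    if pfd >= 1:
        return None  # risk already tolerable without an E/E/PE function
    if pfd >= 1e-1:
        return 0  # some risk reduction needed, but below the SIL 1 band
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    raise ValueError("required PFD is beyond SIL 4; add or improve other layers")


if __name__ == "__main__":
    # Constructed scenario: 0.1 /yr unmitigated, 1e-5 /yr tolerable,
    # relief valve (OT, PFD 0.1) and an external facility (PFD 0.5).
    pfd = required_sif_pfd(0.1, 1e-5, [0.1, 0.5])
    print(f"required SIF PFD = {pfd:.1e}, SIL = {sil_for_pfd(pfd)}")
```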
Several methods for performing this risk analysis have been proposed, including LOPA. LOPA has subsequently found much broader application as a relatively simple risk assessment methodology.
THE LOPA PROCESS
The LOPA process is summarised in Figure 2.1. Each of the steps involved is described in more detail in subsequent sections.
Figure: LOPA Process
Establish Consequence Screening Criteria
Typically LOPA is used to evaluate scenarios that have been identified in a prior hazard identification exercise, using HAZOP for example. A first step in the LOPA study is commonly to screen these scenarios, usually on the basis of consequences. In a LOPA performed for the purposes of COMAH, for example, the focus would be on major accidents to people or the environment, and the analyst would seek to screen out non-major accidents.
This requires that the consequences associated with each scenario are evaluated. There are two main approaches to this:
- To characterise the consequences in terms of the quantity of material released; or
- To calculate the outcome more explicitly, for example in terms of the area corresponding to a given fatality probability, or the expected number of fatal
The second of these approaches would normally involve estimating the likelihood of exposed persons being present in the affected area at the time of a release.
Develop Accident Scenarios
In LOPA terms, a scenario comprises a single initiating event – consequence pair. A scenario constitutes a single path through the bow-tie diagram, from left to right. It is important that the scenarios to be considered are well defined prior to proceeding with the remaining steps of the analysis.
In theory the number of scenarios arising from a single hazard identification study could be very large. In reality, however, it may be possible to reduce the number of scenarios that need to be analysed in detail. For example, one of the outcomes is ‘No Consequence’, hence the number of scenarios can immediately be reduced from sixteen to twelve. Application of consequence screening as described above may eliminate further scenarios. It is also possible that some scenarios may be amenable to analysis using simpler, qualitative techniques, whilst other, particularly complex or significant scenarios may require more sophisticated study using quantitative risk analysis (QRA).