
Layer of protection Analysis - LOPA - HSE guide


There are seven layers of protection for accident prevention and mitigation. Each layer is important: some are for prevention and others are for protection. Staying within the innermost layer of protection is the key to higher plant availability and safe operation. Keeping the other layers of protection intact ensures prevention and mitigation of accidents.
In this article we will discuss what LOPA is and how it is carried out step by step.
Layer of protection analysis (LOPA) is a risk assessment tool developed within the framework of an international standard to quantify risks in order to reach a specific probability objective. It is a systematic decision-making process and one of the methods for determining the risk associated with various hazardous process events using their severity and the probability of the events occurring.

Applicability of LOPA

LOPA is generally used for high-risk scenarios where the quality of the decision must be higher, and it allows a multidisciplinary team to assess the risk with greater clarity and more explicit decision criteria. It is used to ensure that a design is neither under-designed nor over-designed, that people are not exposed to excessive risk, that operating resources are adequate, that money is not wasted, etc. Thus, LOPA is concerned with allocating appropriate resources in proportion to the risk.

Concept of risk acceptance / tolerance in the LOPA

Before starting the layer of protection analysis (LOPA), the company must define the tolerable frequencies for events with high consequences.
LOPA is used to assess a specific scenario to determine whether it is acceptable. Depending on the consequence, risk tolerance may differ from one person to another. Therefore, when analyzing the layers of protection, the challenge is to have a team of experienced people with diverse backgrounds and objectives make rational business decisions (a rational business decision is one that makes sense for the long-term business).
Sometimes a decision may make sense for the life of the project but will expose an installation to undue risk or it is on the way. The level of risk acceptance is expressed in terms of tolerable frequency, which is the maximum number of events expected per year that is considered practicable and achievable; sometimes this is expressed in terms of probability. The tolerable frequency is the decision criterion for design and operational changes. It is a risk tolerance objective set by a company, often aligned with society's expectations, to make consistent decisions. The justification is simple: the greater the consequence, the lower the tolerable frequency. As a general rule, the industry accepts a 0.01% chance of a single death in a given year, i.e. the risk of death is 1 in 10,000 for an individual per year. Multiple fatalities would be expected to be less tolerated, with a tolerable frequency of 0.001% chance per year. The more serious the consequence, the lower the tolerable frequency.
Decide on the level of risk tolerance in the business in order to set the business goals. The operator can set the target by focusing on quarterly production targets and the project manager focuses on lead times, so the tolerable frequency should be set at the company level, while the risk is perceived at the portfolio level.

Concept of conducting a layer of protection analysis

LOPA begins by focusing on a single consequence and is applied to the higher-severity scenarios identified in the HAZOP.
We will use the schematic diagram below to understand the concept of layers of protection.

Fig-1 - Schematic diagram of separator vessel with pressure valve at gas outlet

In the example above, consider the separator vessel over-pressurizing; the worst credible case, a vessel rupture, results in the death of a single worker nearby. We must now apply the tolerable frequency, as defined by the company's standards, for an overpressure of the separator vessel that can cause a death. Then consider how a company can reasonably tolerate it, and how an engineer can demonstrate that the design is as low as reasonably practicable (ALARP). From now on, this process is designed so that the consequence, the death of a single worker, can occur at most at 0.01% per year.
At this point, we need to determine what triggers the consequence and the likelihood of it happening. We go back to the HAZOP: the cause of a deviation in a HAZOP is the initiating event in the layer of protection analysis. In our example, the triggering event is the pressure control valve failing in the closed position. When PV-50 is closed, flow from the produced gas line is blocked, causing the vessel to over-pressurize. Let's say that the pressure control valve has a probability of 0.1 of failing closed in a year, or in other words, the expected inadvertent closure is once every ten years.
The next step is to identify the independent protective layers in the system; these are mechanisms that prevent the consequence from occurring. These independent layers of protection are the safeguards identified during a HAZOP to assign a backup. To count as an independent protective layer, a safeguard must meet specific requirements defined by international and regional standards. It is important to remember that the protective layer must be independent of the triggering event and of the other safeguards applied to this scenario. Here, the team of experts must decide which independent protective layers can be used. We can therefore consider that a Pressure Safety Valve (PSV) can be provided on the separator vessel.

Fig-2 - Pressure safety valve

Let's take PSV-50, which will protect the separator vessel from excessive pressure. It is clearly independent, and a PV failure would have no impact on it. This can certainly reduce the probability of a vessel rupture by a factor of 10, which can also be expressed as a risk reduction factor of 10 or a probability of failure on demand of 0.1.
Now is the time to calculate the expected frequency of the consequence. Here we need to determine the probability of the triggering event, i.e. the pressure control valve inadvertently closing, the probability of PSV-51 failure and the probability of the vessel rupture. The expected frequency can be calculated taking into account the fact that the vessel is in an area with heavy traffic and that a person is present when the vessel ruptures. Consider a 1% chance of death per year, or a 1 in 100 chance.
Now decide whether the risk is tolerable or not. Make a risk-based decision by asking whether this process is as safe as we want it to be: comparing what we calculated with the tolerable frequency, this scenario is 100 times more likely to happen than is acceptable. Since we cannot accept this risk, we must find a way to further reduce it.
Here we must determine an additional safeguard to reduce the risk so that it meets the tolerable frequency. We can add an independent high-pressure shutdown on the vessel blanket gas as an additional safeguard to eliminate the high-pressure source.

Fig-3 - Provision of SIF

We can add a backup safeguard that consists of a sensor, a logic solver and a valve, called a Safety Instrumented Function (SIF). It is an automated safety action that brings the process to a safe state. The current scenario is 100 times more likely than acceptable, so the Safety Instrumented Function (SIF) must reduce the probability by a factor of 100. The reliability target of this function is a probability of failure on demand (PFD) of less than 1%. As this safety function must reduce the probability of the consequence by a factor of 100, it must meet the requirements of safety integrity level 2 (SIL-2).

Fig-4 - Provision of safety instrument system with SIL level calculation

Here, the combination of the sensor, logic solver and final element meets the requirements of safety integrity level 2. Now we can calculate the new expected frequency of the system, as below:
With safeguard, expected frequency = 0.1 (PFD of Valve) x 0.1 (PFD of safety valve) x 0.01 (PFD of SIF)
= 0.0001/year
= 0.01 % per year
Here, the final result is a 0.01% chance per year. So we can conclude that the likelihood of the vessel over-pressurizing is within the tolerable frequency and the risk is acceptable.
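
The calculation above can be carried through in code, together with the independence rule for protective layers. This is an added example, not part of the original article: the alarm layer and the tag PT-50 are hypothetical, and the SIL bands are the IEC 61508 low-demand PFD ranges.

```python
from fractions import Fraction  # exact arithmetic: 0.1 * 0.1 is not exactly 0.01 in floats

TOLERABLE = Fraction(1, 10_000)  # single fatality: 0.01 % per year (article's figure)
# IEC 61508 low-demand mode: exclusive upper PFD bound of each SIL band
SIL_UPPER_PFD = {1: Fraction(1, 10), 2: Fraction(1, 100),
                 3: Fraction(1, 1000), 4: Fraction(1, 10_000)}

def credited_layers(initiator_tags, layers):
    """Credit a layer only if it shares no component with the initiating
    event or with a layer that has already been credited."""
    used, credited = set(initiator_tags), []
    for name, pfd, tags in layers:
        if used.isdisjoint(tags):
            credited.append((name, pfd))
            used |= set(tags)
    return credited

def mitigated_frequency(initiating_freq, credited):
    """Initiating-event frequency times the PFD of every credited layer."""
    freq = initiating_freq
    for _name, pfd in credited:
        freq *= pfd
    return freq

def required_sil(freq, tolerable=TOLERABLE):
    """Lowest SIL whose whole PFD band closes the gap to the tolerable
    frequency; 0 if no extra layer is needed, None if beyond SIL 4."""
    max_pfd = tolerable / freq
    if max_pfd >= 1:
        return 0
    for sil in sorted(SIL_UPPER_PFD):
        if SIL_UPPER_PFD[sil] <= max_pfd:
            return sil
    return None

# Constructed scenario data. PV-50 and PSV-50 come from the article; the
# alarm layer and the tag PT-50 are hypothetical.
INITIATOR_FREQ, INITIATOR_TAGS = Fraction(1, 10), {"PV-50", "PT-50"}
LAYERS = [
    ("High-pressure alarm from the PV-50 control loop", Fraction(1, 10), {"PT-50"}),
    ("PSV-50 relief valve", Fraction(1, 10), {"PSV-50"}),
]

if __name__ == "__main__":
    credited = credited_layers(INITIATOR_TAGS, LAYERS)
    freq = mitigated_frequency(INITIATOR_FREQ, credited)
    print("credited:", [name for name, _ in credited])
    print(f"frequency {float(freq):.4f}/yr, gap x{freq / TOLERABLE}, SIL {required_sil(freq)}")
    with_sif = mitigated_frequency(freq, [("SIF", Fraction(1, 100))])
    print(f"with SIF: {float(with_sif):.4f}/yr, tolerable: {with_sif <= TOLERABLE}")
```

The alarm is refused credit because it depends on the same transmitter as the failed control loop, which leaves only the relief valve and reproduces the article's 1% per year before the SIF is added.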

Layer of protection analysis (LOPA) is a risk assessment tool used for systematic decision-making and one of the methods for determining the risk associated with various hazardous process events using their severity and the probability of the events occurring. By evaluating the process failure causes with reference to the HAZOP, a team of experts decides the best controls to reduce the risk to a tolerable level. It is a step-by-step process in which independent safeguards are identified and the risk level is compared with the company's target for tolerable risk. Providing a safety instrumented system with a safety integrity level may reduce the risk to a tolerable level.
