13th Annual Symposium, Mary Kay O’Connor Process Safety Center
“Beyond Regulatory Compliance: Making Safety Second Nature”
Texas A&M University, College Station, Texas
October 26-28, 2010
Layer of Protection Analysis (LOPA)
Fabienne Salimi, ADEPP Academy
Frederic Salimi, ADEPP Academy
ABSTRACT:
Prevention and control of major hazards relies on multiple layers of protection. If something
happens to compromise the primary protection, then the next layer will prevent or control the
major hazard.
Normally the first layer is the basic process design. Subsequent layers include control systems,
alarms and interlocks, safety shutdown systems, protective systems and response plans.
Analysing all of the layers working together gives rise to the concept of Layer of Protection
Analysis (LOPA).
This paper shows how LOPA can be performed efficiently for a hazardous project. It also
describes how the duty holder, contractors, consultants and verification bodies can add and
review LOPA actions in ADEPP monitor and define the critical activities and tasks for Safety
Critical Systems (SCSs).
Key words: LOPA, API 14C, Bow-Tie, Safety Critical Elements, SIL assessment, HSEMS,
ADEPP monitor
1- IDENTIFICATION OF THE LAYERS OF PROTECTION
The first safeguard built into an oil and gas or chemical plant is the process design, which
strives to build a plant with minimum potential for chemical releases. The risk can be reduced
further by adding such things as: Basic Process Control Systems (BPCS); operators responding to
alarms or following job procedures; automated safety instrumented systems (SIS) that can handle
process deviations more quickly; pressure relief devices; bunds/dikes and enclosures; and so on.
Each layer builds on the protection provided by the layers inside it, and they all work together
to protect the plant.
Fig-1 Layers of protection according to IEC-61511 (onion diagram, listed from the outermost
layer inward):
- Community emergency response: emergency broadcasting
- Plant emergency response: evacuation procedures
- Mitigation: mechanical mitigation system; safety instrumented control system; safety
  instrumented mitigation systems; operator supervision
- Prevention: mechanical protection system; process alarms with operator corrective action;
  safety instrumented control system; safety instrumented prevention systems
- Control and monitoring: basic process control systems; monitoring system (process alarms);
  operator supervision
- Process
Layers of protection need to be independent of each other. This consideration remains crucial to
the analysis. In most of the process industries, basic process control functions and safety
instrumented functions were traditionally, and still are, separated. Today, there is a strong
emphasis in both industry and regulatory bodies to keep these functions separate in order to
guarantee independent protection layers.
The objective is to ensure that major incidents do not occur unless there are multiple
(simultaneous) failures. All the layers of protection would have to fail simultaneously or be
circumvented somehow for the full incident potential to occur. None of the safety barriers are
100% effective. The holes in safety barriers in Fig-2 represent the systematic failures and flaws
in the safety barriers.
The principles of redundancy, diversity, separation and segregation must be applied to reduce the
risk of systematic failures associated with the safety barrier, common mode or common cause
failures and ensure the availability of support systems.
Fig-2 Bow-Tie diagram for gas release scenarios
Failures of the HSE Management System (HSEMS) can also result in failure of multiple layers
of protection, in particular the incorrect use of Permit to Work Systems and where safety systems
have been isolated or overridden/inhibited for maintenance purposes.
The following life cycle safety issues should be identified and accounted for in the design for
LOPA:
- Safe operating limits and their relation to the set points for safety functions, including the
  selection of an appropriate measurement and accuracy of instrumentation.
- Independence and separation from other systems or the initiating faults which require their
  operation (if the safety-related control systems are not separate from other equipment,
  LOPA should show that failures of connected equipment cannot affect the safety function
  and single-point failures cannot result in the failure of both systems. If this cannot be
  shown, the connected equipment or system should be regarded as being part of the safety-
  related control system).
- Operating conditions, including start-up and shutdown and unusual operating conditions –
  for example, single train operation.
- Operating duty, including shut-off requirements for valves and how their performance will
  be affected by the presence of corrosive or erosive conditions.
- Inspection and maintenance requirements, including the provision of facilities for carrying
  out proof testing.
- Environmental considerations, including requirements to operate in flammable
  atmospheres, equipment which requires special environments, prevention and consideration
  of electromagnetic interference, weather, etc.
Layer of protection analysis should identify support systems and back-up measures for the
control and protective systems, including their component parts (for example, power supplies or
pneumatic systems). Evidence should be presented to show that support systems and back-up
measures have adequate safety and reliability.
One aspect of design which may not be given enough attention is the reliability, availability and
survivability of utilities. Failure of a utility – for example, water, air, steam, electricity
(including power surge or partial loss) – often results in a process upset, and may have effects
across the entire establishment.
API 14C (Recommended Practice for Analysis, Design, Installation, and Testing of Basic
Surface Safety Systems for Offshore Production Platforms) has been adopted by ISO 10418 and
is widely used by oil & gas companies even for onshore applications. It provides prescriptive
guidelines for those undesirable process events which can lead to a major accident at an
oil & gas plant.
Fig-3: Layers of protection for overpressure according to API 14C
According to API 14C, at least two independent and diverse levels of protection shall be
provided to protect the equipment under control against process upsets which can lead to a
major accident, i.e. a major fire, explosion or toxic material release.
API 14C covers the required protection layers for credible process upsets such as overpressure,
leak, overtemperature, etc., equipment by equipment.
Fig-3 illustrates the required protection layers for a pressure vessel. In this example, the high
pressure trip is an instrument-based system and protects against overpressure by closing the
EDV valve located on the feed stream.
If the high pressure trip fails on demand, the pressure relief valve protects the equipment
against overpressure by discharging the material to a safe location (flare). By doing so,
valuable process material is lost but the equipment remains safe and functional.
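The two points made above, that the incident only occurs if every layer fails on the same demand and that layers may only be credited when they are independent, can be put into arithmetic. The example below is added here; it is not the paper's or ADEPP's code. It uses the common LOPA relation f_mitigated = f_initiating × Π PFD_i over independent layers, applied to the Fig-3 overpressure layers. The initiating-event frequency, the PFD values, the target frequency and the transmitter/valve names are constructed for illustration, not taken from API 14C or the paper.

```python
"""Added example: LOPA arithmetic for the Fig-3 overpressure scenario.

Not the paper's or ADEPP's code. The initiating-event frequency, PFD values,
target frequency and the transmitter/valve names are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProtectionLayer:
    """A candidate independent protection layer (IPL).

    pfd        : probability of failure on demand, 0 < pfd <= 1
    depends_on : sensors, final elements or support systems the layer needs;
                 used by the independence check below
    """
    name: str
    pfd: float
    depends_on: frozenset = field(default_factory=frozenset)


def credited_layers(layers):
    """Return the layers that may be credited as independent.

    Layers are considered strongest (lowest PFD) first. A layer that shares
    any dependency (same transmitter, same valve, same power or instrument
    air supply) with an already credited layer gets no credit: one failure
    would defeat both, so their PFDs must not be multiplied.
    """
    credited, used = [], set()
    for layer in sorted(layers, key=lambda l: l.pfd):
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD must be in (0, 1]")
        if layer.depends_on & used:
            continue  # not independent of a layer already credited
        credited.append(layer)
        used |= layer.depends_on
    return credited


def mitigated_frequency(initiating_frequency, layers):
    """f_mitigated = f_initiating * PFD_1 * PFD_2 * ... over credited layers.

    Every credited layer has to fail on the same demand for the event to occur.
    """
    freq = initiating_frequency
    for layer in credited_layers(layers):
        freq *= layer.pfd
    return freq


def extra_risk_reduction_needed(initiating_frequency, layers, target_frequency):
    """Risk reduction factor still missing to reach the target (1.0 = target met)."""
    return max(1.0, mitigated_frequency(initiating_frequency, layers) / target_frequency)


# Constructed scenario; the numbers are illustrative, not from API 14C or the paper.
INITIATING_FREQUENCY = 0.1  # per year: BPCS pressure loop fails and the vessel overpressures
TARGET_FREQUENCY = 1e-6     # per year: tolerable frequency for loss of containment

# Layers as in Fig-3: alarm + operator, high pressure trip closing the feed EDV, PSV to flare.
INDEPENDENT_LAYERS = (
    ProtectionLayer("High pressure alarm + operator action", 0.1, frozenset({"transmitter A"})),
    ProtectionLayer("High pressure trip (SIS) closes feed EDV", 0.01, frozenset({"transmitter B", "feed EDV"})),
    ProtectionLayer("PSV to flare", 0.01),
)

# Same layers, but the alarm is taken from the trip's transmitter: no longer independent.
SHARED_TRANSMITTER_LAYERS = (
    ProtectionLayer("High pressure alarm + operator action", 0.1, frozenset({"transmitter B"})),
    ProtectionLayer("High pressure trip (SIS) closes feed EDV", 0.01, frozenset({"transmitter B", "feed EDV"})),
    ProtectionLayer("PSV to flare", 0.01),
)


if __name__ == "__main__":
    for label, layers in (("independent", INDEPENDENT_LAYERS),
                          ("shared transmitter", SHARED_TRANSMITTER_LAYERS)):
        credited = [l.name for l in credited_layers(layers)]
        f = mitigated_frequency(INITIATING_FREQUENCY, layers)
        rrf = extra_risk_reduction_needed(INITIATING_FREQUENCY, layers, TARGET_FREQUENCY)
        print(f"{label}: credited {credited}")
        print(f"  mitigated frequency {f:.1e}/yr, extra risk reduction needed x{rrf:.0f}")
```

With the three independent layers the mitigated frequency is 0.1 × 0.1 × 0.01 × 0.01 = 1e-6 per year and the constructed target is met; sharing one transmitter between the alarm and the trip removes the alarm's credit, the frequency rises to 1e-5 per year and a further factor of 10 of risk reduction is still required. The same check applies to shared power, instrument air or a common logic solver, which is why the support systems mentioned earlier belong in the dependency set.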
Safety Analysis Tables (SAT) are mini-HAZOPs that assess the causes and consequences of
process upsets within generic equipment such as flowlines, pressure vessels, atmospheric
vessels, pumps, compressors, heat exchangers and fired heaters (see Table-1).
Undesirable Event        | Cause                                      | Detectable Abnormal Condition at Component
Overpressure (Suction)   | Excess inflow                              | High pressure
                         | Failure of suction pressure control system |
                         | Compressor or driver malfunction           |
Overpressure (Discharge) | Blocked or restricted discharge line       | High pressure
                         | Excess back pressure                       |
                         | High inlet pressure                        |
                         | Over-speed                                 |
Leak                     | Deterioration                              | Low pressure
                         | Erosion                                    | High gas concentration (building)
                         | Corrosion                                  |
                         | Impact damage                              |
                         | Vibration                                  |
Excess Temperature       | Compressor valve failure                   | High temperature
                         | Cooler failure                             |
                         | Excess compression ratio                   |
                         | Insufficient flow                          |
Table-1: Safety Analysis Table for Compressor
Safety Analysis Checklists (SAC) review the requirement for the protective systems, considering
the upstream and downstream processes and the other protective systems (Table-2).
Safety Analysis Function Evaluation (SAFE) charts are similar to cause & effect matrices and
summarise the protection measures and their effects. The advantages of a SAFE chart are:
1. Safety systems are summarised.
2. Rationales for the required safety measures are recorded in a traceable and auditable
manner.
Table A-1.2—Safety Analysis Checklist (SAC)—Flow Line Segment
a. High Pressure Sensor (PSH).
1. PSH installed.
2. Flow line segment has a maximum allowable working pressure greater than
maximum shut in pressure and is protected by a PSH on a downstream flow line
segment.
c. Pressure Safety Valve (PSV).
1. PSV installed.
2. Flow line segment has a maximum allowable working pressure greater than the
maximum shut in pressure.
3. Two SDVs (one of which may be the SSV) with independent PSHs, relays, and
sensing points are installed where there is adequate flow line volume upstream of
any block valves to allow sufficient time for the SDVs to close before exceeding
the maximum allowable working pressure.
4. Flow line segment is protected by a PSV on upstream segment.
5. Flow line segment is protected by a PSV on downstream component that cannot
be isolated from the Flow line segment and there are no chokes or other
restrictions between the Flow line segment and the PSV.
Table-2: Example Safety Analysis Checklist according to the guidelines of API 14C
API 14C also provides guidelines for the location, maintenance and testing routines of the
detectors and final elements of the protection systems (Fig-4).
Fig-4: Location of safety systems according to API 14C
A dedicated onion diagram should be developed for each deviation within equipment under
control (EUC) or area under control (AUC). Table-3 presents the protection layers for the
credible undesirable events at a second stage compressor as an example.
Fig-7: Performance Standard Tables (table heading: SAFETY CRITICAL ELEMENTS (Equipment,
Components and Software); columns: Element, Supplier, Failure Mode, Severity Ranking,
Assurance, Verification)
4- REQUIRED SAFEGUARDS & HAZOP
LOPA is developed as an extension to Process Hazard Analysis (PHA) to provide an objective,
rational and defensible basis for recommendations to install, or not to install, safeguards.
During a conventional HAZOP, process deviations, their causes, consequences and safeguards
are assessed “qualitatively” by a systematic brainstorming approach. The main issues associated
with HAZOP are as follows:
a- The keywords classify the process operating hazards as “higher” or “lower” than the operating
intent, but they don’t address the extent of these deviations. The HAZOP team is not
informed of, or encouraged to reflect on, the ultimate extent of the deviation, yet the causes,
consequences and required safeguards for the deviation scenarios depend on that ultimate
extent. For example, if the ultimate extent of high pressure in a node is less than 5% then a
conventional single loop control system is sufficient, but if the pressure can rise to more than
21% above the design pressure then a high pressure trip and relief valve should also be added
to protect the equipment or node against such overpressures.
b- Dependency and interaction between the different deviations are not recorded
systematically.
c- Intermediate consequences are not distinguished from the ultimate consequences. For
example, uncontrolled high pressure may cause a small, medium or large flammable gas
release. Depending on non-process safeguards such as safety distances from the ignition
sources, area classification, layout and congestion of the process module, the released gas can:
- disperse safely, or
- ignite immediately and result in a jet fire, or
- accumulate and cause an explosion due to delayed ignition.
d- Simultaneous multiple failures/causes are not considered.
e- A node represents a section of a process in which conditions undergo a significant change.
For example, a pump system will be a node because liquid pressure is increased. The
decision as to how big a node may be will depend on the experience of the team, the degree
to which similar process systems have already been discussed, the complexity of the
process and the judgment of the HAZOP chairman.
The safeguards identified as required for a node may not be needed if the protection
function is provided by another safety device at an upstream or downstream node. There is
no HAZOP checklist similar to the API 14C Safety Analysis Checklists (SAC) allowing the
exclusion of some devices (Table-2).
f- Consequences are assessed based on subjective engineering judgement.
g- Sometimes the consequences are underestimated because the safeguards within and outside
the node are assumed to function.
h- Hierarchy, capacity, set point, location and reliability of the safeguards are not reported and
remain vague.
For example, in an alarm management survey performed by HSE in the UK [1], a major
concern expressed by operators was that “HAZOPs increase the number of alarms”.
HAZOP reviews very often result in increases in the number, and the complexity, of
alarms. An automatic reaction can develop of seeing a problem, e.g. the possibility of a
valve being left open, and installing an alarm to indicate it. Each alarm is individually
intended to increase the safety of the plant, but as a whole the proliferation of alarms
reduces the chance of the operator noticing any particular alarm. No “cost” is assigned to
putting an alarm on a DCS, and there are generally no controls to prevent more and more
being installed. Moreover, alarms identified in HAZOP can become labelled as “safety
related” and get locked into the safety case of the plant, which will be difficult to alter
later if they cause a nuisance.
A preliminary HAZOP should be performed at an early stage of the project, when the process
flow diagrams (PFD) are ready and none of the protection layers have been implemented yet. The
causes and consequences of the process deviations should be evaluated without any safeguards.
The HAZOP actions should recommend the required layers of protection.
Then a SIL assessment should be performed to determine the required integrity level of the
instrument-based protection systems.
As the project progresses, a detailed HAZOP should be performed to minimise the risk of
increasing the complexity of the safety barriers by adding unnecessary or contradictory
safeguards.
5- SENSITIVITY ANALYSIS BY DYNAMIC SIMULATIONS
Dynamic simulation is rarely used as supporting evidence for consequence assessment in HAZOP
sessions, although it is the only way to make a sound judgement about the ultimate extent of the
HAZOP guidewords. It also makes it possible to simulate sequenced and/or multiple failures.
Fig-8 illustrates a typical dynamic simulation model. This model should be built prior to the
HAZOP. The HAZOP team can then study different types of failures, such as blocked outlets due
to failure of one of the control loops. In this example it can be observed that, with the present
tuning of PIC-101, the pressure at D100 is controlled at 17 barg but the pressure control valve
begins to chatter.
The authors of this paper believe that not only high fidelity dynamic simulation models but also
simpler Laplace transform models can significantly improve the quality of consequence
assessment for process deviations.
Fig-9 illustrates a two-tank level control. In this example, since there are now two lags to
control, simple gain control is no longer sufficient for good performance and the height of
liquid in tank 1 becomes unacceptably large.
Fig-8: Example of dynamic simulation based on a high fidelity model on an OTS platform (Demo: http://www.adepp.com/Site_Demo/ADEPP_HSE_Toolkit.html)
Fig-9: Example of Laplace transform application as a dynamic simulation tool. With permission and courtesy of Ventimar LLC and SimApp. Full report available at
http://www.simapp.com/simulation-tutorials
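The two-tank behaviour described for Fig-9 can be reproduced with a very small model, which is the kind of "simpler" simulation the authors argue for. The script below is an added illustration, not the SimApp model of Fig-9 and not the authors' code: it assumes two identical tanks in series with unit cross-section and unit outlet resistance (outflow equal to height), a proportional-only controller on the last tank's level that sets the inflow to tank 1, and a gain of 10, a unit setpoint and a 0.001 time step; all of these values are constructed. It compares the same controller on a single tank, where proportional control cannot overshoot, against the two-tank cascade, where the second lag makes the loop underdamped and tank 1 peaks at about three times its settled height.

```python
"""Added example: proportional-only level control on one tank versus two tanks in series.

Constructed linear model (unit areas, unit outlet resistances), not the SimApp
model of Fig-9 and not the authors' code. Heights and flows are in consistent
arbitrary units; the gain, setpoint and time step are assumptions.
"""


def simulate(n_tanks, gain, setpoint=1.0, dt=0.001, t_end=20.0):
    """Euler integration of n_tanks identical tanks in series.

    The inflow to tank 1 is set by a proportional controller acting on the level
    of the LAST tank: q_in = gain * (setpoint - h_last), clamped at zero because a
    control valve cannot draw liquid back. Each tank drains into the next with an
    outflow equal to its own height (unit outlet resistance, unit area).
    Returns one height trajectory (list of floats) per tank.
    """
    heights = [0.0] * n_tanks
    history = [[] for _ in range(n_tanks)]
    for _ in range(int(round(t_end / dt))):
        inflow = max(0.0, gain * (setpoint - heights[-1]))
        new_heights = []
        for h in heights:
            outflow = h                      # linear outlet: q_out = h / R with R = 1
            new_heights.append(h + dt * (inflow - outflow))
            inflow = outflow                 # this tank's outflow feeds the next tank
        heights = new_heights
        for i, h in enumerate(heights):
            history[i].append(h)
    return history


def overshoot_ratio(trajectory):
    """Peak height divided by the final (settled) height; 1.0 means no overshoot."""
    return max(trajectory) / trajectory[-1]


def compare(gain=10.0):
    """Run the single-tank and two-tank cases with the same gain and summarise them.

    With one lag the closed loop is first order and monotone. With two lags the
    closed-loop characteristic equation is s^2 + 2s + (1 + gain) = 0, i.e. a
    damping ratio of 1/sqrt(1 + gain): underdamped for any gain above zero, and
    strongly so at gain 10. Both cases settle at gain / (1 + gain) times the setpoint.
    """
    single = simulate(1, gain)
    double = simulate(2, gain)
    return {
        "single_tank_overshoot": overshoot_ratio(single[0]),
        "tank1_overshoot_two_tanks": overshoot_ratio(double[0]),
        "tank2_overshoot_two_tanks": overshoot_ratio(double[1]),
        "tank1_peak_two_tanks": max(double[0]),
        "settled_height": double[0][-1],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:28s} {value:.3f}")
```

The point for a HAZOP team is the one the paper makes: the guideword "high level" on tank 1 says nothing about how high, whereas even this crude model shows a transient peak far above the steady-state level, which is the number a relief or trip set point has to be judged against.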
6- ADEPP LOPA monitor
To achieve an effective LOPA, numerous data, code-based requirements, and specific and
supporting studies from different disciplines and phases of the project should be considered in
a consistent, traceable and auditable manner.
The LOPA module of ADEPP monitor combines HAZOP, FMEA, API 14J checklist, BPCS, alarm
management, SIL assessment and API 14C to support a consistent safety barrier identification and