Modified LOPA Procedure

Modified LOPA Procedure for Catastrophic Events

a. Determine the Tolerable Risk Level

Define the catastrophic event (fire, spillage, overpressure, mechanical failure, etc.).

Assess the severity category, i.e. significant, major, catastrophic, for each relevant risk
parameter, i.e. personnel, cost, environmental and company reputation.

Refer to ‘look up’ table to establish the Tolerable Hazard Frequency for each risk parameter
and select the highest. This is the target, not to be exceeded. (Note 1)

b. Determine the Unmitigated Catastrophic Event Frequency

Identify all contributory causes, e.g. from HAZOP, by brainstorming discussion, etc.

Assess the frequency / probability of each cause and sum them. (Note 2)

c. Calculate the Intermediate Catastrophic Event Frequency

Identify Protection Layers. (Note 3)

Assess the risk reduction for each PL.

Multiply the total risk reduction of PLs by the Unmitigated Catastrophic Event frequency.

d. Determine the need for additional risk reduction

Only required if item c > item a.

Divide the Tolerable Hazard frequency (item a) by the Intermediate Catastrophic Event
frequency (item c). This value is the target risk reduction for additional safety measures to
achieve the Tolerable Hazard frequency.

Notes

1. The Tolerable Event Frequency could be simplified to a single value for all scenarios if all
events are sufficiently ‘catastrophic’ to not require further categorisation.

2. If one cause with a certain frequency is conditional on another cause(s) occurring
simultaneously, its frequency is multiplied by the probability(s) of the other cause(s), i.e. FxP
or FxPxP. Do not multiply frequencies (FxF or FxFxF).

3. Protection layers or safeguards can be passive (e.g. bund, fire wall, fire-resistant coating) or
active (e.g. fire suppression, plant shutdown). They can either prevent a hazard or control its
effects, e.g. robust design, process control, administrative controls, restricted access, alarms.
Some PLs are called ‘independent’ because they are considered to be highly reliable and
they reduce the risk by at least 10 times. However, they have to be specific to one event, not
reliant on other PLs, and verifiable by regular testing or inspection. Examples of independent
PLs include relief valves, bunds, drainage, vents, blast wall, fire-retardant coating.
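
The calculation in steps b to d, with the conditional-cause rule from Note 2, as an added example that is not part of the original document. The frequencies, probabilities and tolerable frequency are constructed values, the function names are hypothetical, and each PL's risk reduction is assumed to be expressed as a multiplying factor (0.1 for a tenfold reduction).

```python
import math

def cause_frequency(freq_per_year, cond_probs=()):
    """Note 2: a conditional cause is F x P (x P ...), never F x F."""
    for p in cond_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{p} is not a probability; do not multiply frequencies")
    return freq_per_year * math.prod(cond_probs)

def lopa(tolerable_freq, causes, pl_factors):
    """Steps b to d. causes: [(frequency per year, (probabilities...)), ...].
    pl_factors: one multiplying factor per protection layer (assumed form)."""
    for f in pl_factors:
        if not 0.0 < f <= 1.0:
            raise ValueError(f"PL factor {f} must be in (0, 1]")
    unmitigated = sum(cause_frequency(f, ps) for f, ps in causes)   # step b
    intermediate = unmitigated * math.prod(pl_factors)              # step c
    # Step d: only required if item c > item a.
    target = tolerable_freq / intermediate if intermediate > tolerable_freq else None
    return {"unmitigated": unmitigated, "intermediate": intermediate,
            "target_factor": target}

# Constructed sample scenario (not from the original document).
TOLERABLE = 1e-5                       # item a, per year, from a look-up table
CAUSES = [(0.1, ()),                   # independent cause, 0.1 per year
          (0.05, (0.2,))]              # conditional cause: F x P
PL_FACTORS = [0.1, 0.1]                # two PLs, each a tenfold reduction

if __name__ == "__main__":
    r = lopa(TOLERABLE, CAUSES, PL_FACTORS)
    for k, v in r.items():
        print(k, v)
```

A `target_factor` of `None` means item c does not exceed item a, so step d is not required.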

Identifying Risk Reduction Measures

Assuming that the Intermediate Catastrophic Event Frequency is greater than the Tolerable Hazard
Frequency (item c > item a above), it is necessary to provide additional measures. Any measure has
to be reliable and requires periodic checking or testing to confirm that it will work when necessary.

Hardware Measures

Hardware measures can be mechanical, structural or instrumentation. Mechanical measures include
process devices to prevent over/underpressure, prevent reverse flow, restrict flow, limit overspeed,
etc. Structural measures include fire / blast barriers, safe refuges, escape routes.

Automatic controls, called ‘Safety Instrumented Function’ (SIF), can be employed to detect a critical
deviation and take action without human intervention to prevent or mitigate the hazard. An
example would be a high level switch cutting off the supply into a tank. SIFs are frequently identified
during a HAZOP or FMEA study.

The design of the SIF depends upon the degree of reliability (e.g. how many sensors?) and the level
of risk reduction required. Regular testing is required to achieve the target reliability and corrective
action is required if the test fails to meet the ‘performance standard’, e.g. flow stopped within 10
seconds.

Procedural Measures

Human error is a significant cause of most accidents, due to a lapse of concentration, making a
mistake or a procedure violation. This should not be confused with a lack of training.

It is not normal to take credit for an operational procedure as a risk reduction measure, unless it will
be followed reliably. If failure to follow the normal operating procedure could be a contributory
cause of a catastrophic event, the same procedure cannot be considered as a risk reduction
measure.

However, it is possible to identify particular tasks or error-prone situations and write specific
‘safety-critical’ procedures for them. Any ‘safety-critical’ procedure has to be clearly written and well
understood, rehearsed and tested. Examples include evacuation procedure, maintenance procedure
for safety-critical equipment, operating procedure for potentially dangerous tasks. Having decided
which tasks are ‘safety-critical’, a task analysis is carried out to highlight the potential for human
error and the task and/or the working environment is modified to minimise the chance of human
error. Human reliability data can be used to quantify such improvements once a task has been
analysed in depth.
