
SIL and LOPA Training Course

1 Day Training Course

Module 6 – Day 6
TRAINING PROGRAM

• Day 1:
o Module 1: PSM Introduction and Overview
• Day 2:
o Module 2: 4 Pillars of PSM and Pillar 1 & 2 Elements
• Day 3:
o Module 3: Pillar 3 and Module 4: Pillar 4 Elements
• Day 4 and 5:
o Module 5: Auditing RBPSM
• Day 6:
o Module 6: SIL and LOPA
• Day 7: Consolidation and Tests
• Day 8: Site visit
COURSE OBJECTIVES

• LOPA
– What is LOPA
– Layers of Protection
– When to use LOPA
– Application of LOPA
– Benefits of LOPA
– The 6 steps of the LOPA process
– Calculating Probability
– LOPA Exercise
• SIL
– SIL defined
– Group Exercise
– SIL Assignment
– SIL Challenges
– SIL Exercise
LOPA - What

What is LOPA
• Simplified method of risk assessment. It is an engineering tool
used to ensure that process risk is successfully mitigated to an
acceptable level.
• Provides a middle ground between a qualitative process hazard
analysis and a traditional, expensive quantitative risk analysis.
• Uses simplifying rules to evaluate initiating event frequency,
independent layers of protection and consequences, to provide an
order-of-magnitude estimate of risk.
• Excellent approach to identifying the safety integrity level necessary
for a safety instrumented system (refer to standards such as ISA
S84 and IEC 61511).
LOPA

More about Layers of Protection

• Process designers use a variety of layers or safeguards to prevent
catastrophic incidents.
• These layers include devices, systems or actions such as:
– Inherently safe designs
– Physical protection (valves)
– Post-release physical protection (fire suppression systems)
– Emergency response (plant and community)
– Safety Instrumented Systems (SIS)
• Such layers should ideally be independent of each other
(Independent Protection Layers – IPL). Ex. Two standby pumps do
not fail independently in case of loss of power.
• LOPA addresses safeguards that are IPLs, including SIS.
LOPA

Layers of protection, from the outermost layer inwards:
• Community Emergency Response
• Plant Emergency Response
• Physical Protection, e.g. Relief Devices
• Safety Instrumented System preventative action
• Critical Alarms and Operator intervention
• Basic Process Control System, Operating Discipline / Supervision
• Plant Design Integrity

LOPA - When

When to use LOPA


• Any point in the lifecycle of a project or process, but most cost
effective when process flow diagrams are complete and the P&IDs
are under development. For existing processes, LOPA should be
used during or after the HAZOP/PHA review or revalidation.
• Typically applied after a qualitative hazards analysis, when a listing
of hazard scenarios is available.
• A LOPA procedure has to be in place, including criteria for
evaluating initiating cause frequency and IPL probability of failure
on demand (PFD). This makes executing LOPA faster and cheaper.

LOPA - Application

Application of LOPA
• Design
• Management of Change
• Facility Risk
• Incident Investigation
• Emergency Response Planning
• Bypassing a Safety System
• Determining design basis for over-pressure protection
• Determining the need for emergency isolation valves
• Screening tool for QRA (quantitative risk analysis)

LOPA - Benefits

Benefits of LOPA
• A scenario-related focus on the process risk; therefore LOPA often
reveals process safety issues not identified in previous qualitative
hazard analysis.
• Process hazards are directly connected to the safety actions, clearly
identifying the safety instrumented systems and their associated SIL.
• Effective in resolving disagreements related to qualitative hazard
analysis findings.
• Often identifies alternatives to the SIS (adding other layers of
protection, modifying the process, or changing procedures). These
other options can be evaluated using cost/benefit analysis, allowing
the most cost effective means of risk reduction to be selected.
LOPA - Process
The 6 steps of the LOPA process

• Record reference documentation
– Such as: hazards analysis documents, pressure relief valve design
and pipeline inspection reports, protection layer design documents,
equipment failure rate data.
• Process deviation and hazard scenario
– Important to focus the team on a specific hazard event, such as:
loss of flow control, loss of pressure control, excess reaction
pressure resulting in rupture.
• Initiating causes and frequencies
– Consider frequencies; these should be based on industry-standards-
compliant failure rate data for each device.
• Determine consequence of hazard scenario
– Once the consequence and frequency of the hazard scenario are
known, the risk is evaluated.
– Unacceptable risk should be reduced further with IPLs.
• List IPLs to mitigate risk
– For each IPL, determine the PFD.
– For SIS, the PFD is equivalent to the SIL.
– The IPL list with associated PFDs is to be provided in the LOPA
procedure.
• Implementable recommendations
– Consider recommendations from LOPA as options for
implementation.

LOPA - Process

LOPA process
1 Establish consequence screening criteria and reference documentation
2 Develop accident scenarios
3 Consequences
4 Identify initiating event & frequency
5 Identify IPLs and associated PFDs
– Estimate risk
– Evaluate risk
– Risk acceptable? If not, consider options to reduce risk and re-evaluate.
– If acceptable: more scenarios? If yes, go to the next scenario.
6 Implementation

LOPA - Probability

Calculating Probability
• Probability is measured as the chance of an outcome out of a number of
occurrences:
– A die has a 1/6 chance of landing on the number 5
• Probability (P5) = 1/6 = 0.167
– Probability of two dice both landing on 6:
• P(6) AND P(6) = 1/6 * 1/6 = 1/36 = 0.0278
– A jar contains 4 blue, 5 red and 11 white marbles.
If 3 marbles are drawn at random (without replacement), what is the
probability that the first marble is red, the second blue and the third white?
• 5/20 * 4/19 * 11/18 = 220/6840 = 3.22%
Thank goodness for
probability / failure rate
data!
LOPA – Fault tree analysis

Use of FTA in LOPA:

• When determining the failure rate of IPLs or an SIS, the
process is often converted into a fault tree, from which
Boolean algebra is used to calculate the probability of
occurrence of the top event (Subsystem A in the picture
below).

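An added example, not from the deck (whose fault tree picture is not reproduced here), of the Boolean algebra step: a SIF fails on demand if its sensor, logic solver or final element fails (OR gate), whereas a 1-out-of-2 sensor pair fails only when both sensors fail (AND gate). The component PFD values are constructed for illustration, and the arithmetic assumes independent basic events, which is exactly why the IPL independence requirement matters.

```python
from fractions import Fraction
from typing import List, Union

Node = Union["Gate", Fraction]


class Gate:
    """AND or OR gate over child probabilities; children are Fractions or Gates."""

    def __init__(self, kind: str, children: List[Node], label: str = "") -> None:
        if kind not in ("AND", "OR"):
            raise ValueError("gate kind must be AND or OR")
        self.kind, self.children, self.label = kind, children, label

    def probability(self) -> Fraction:
        # Independence of basic events is assumed throughout; a shared cause
        # (e.g. loss of power to two standby pumps) invalidates this arithmetic.
        ps = [c.probability() if isinstance(c, Gate) else Fraction(c) for c in self.children]
        if self.kind == "AND":          # all inputs must fail: product of PFDs
            result = Fraction(1)
            for p in ps:
                result *= p
            return result
        none_fail = Fraction(1)         # OR: at least one input fails
        for p in ps:
            none_fail *= 1 - p
        return 1 - none_fail


# Constructed PFD values for one SIF (sensor, logic solver, final element).
SENSOR, LOGIC_SOLVER, VALVE = Fraction(1, 100), Fraction(1, 1000), Fraction(1, 50)


def sif_pfd(redundant_sensors: bool) -> Fraction:
    """Top event 'SIF fails on demand' = sensing OR logic solver OR valve fails."""
    sensing: Node = Gate("AND", [SENSOR, SENSOR], "1oo2 sensors") if redundant_sensors else SENSOR
    top = Gate("OR", [sensing, LOGIC_SOLVER, VALVE], "SIF fails on demand")
    return top.probability()


if __name__ == "__main__":
    for redundant in (False, True):
        pfd = sif_pfd(redundant)
        print(f"1oo2 sensors={redundant}: PFD = {pfd} (about {float(pfd):.4f})")
```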
LOPA Group Exercise

Small Group Exercise

LOPA - Example
Target mitigated likelihood: 10^-5

LOPA worksheet columns (columns 5 to 9 are the protection layers):
1 #
2 Initial event description
3 Initiating cause
4 Cause likelihood
5 Process design
6 BPCS
7 Alarm
8 SIS
9 Additional mitigation (safety valves, dykes, restricted access, etc.)
10 Mitigated event likelihood
Notes

Scenario 1
• Initial event: High pressure
• Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
• Notes: Pressure sensor does not measure the drum pressure

LOPA - Example
Target mitigated likelihood: 10^-5

Scenario 1 (initial design)
• Initial event: High pressure
• Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
• Cause likelihood: 0.10
• Protection layers (PFD): Process design 0.10, BPCS 1.0, Alarm 1.0, SIS 1.0, Additional mitigation 1.0
• Mitigated event likelihood: 0.01
• Notes: Pressure sensor does not measure the drum pressure

Much too high! We must make improvements to the design.

LOPA - Example
Target mitigated likelihood: 10^-5

Scenario 1 (enhanced design)
• Initial event: High pressure
• Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
• Cause likelihood: 0.10
• Protection layers (PFD): Process design 0.10, BPCS 1.0, Alarm 0.10, SIS 1.0, Additional mitigation: PRV 0.01
• Mitigated event likelihood: 0.00001
• Notes: Pressure sensor does not measure the drum pressure. The PRV must
exhaust to a separation (knock-out) drum and fuel or flare system.

Enhanced design includes a separate P sensor for the alarm and a pressure relief valve.
The enhanced design achieves the target mitigated likelihood.
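A worked calculation of the two worksheet rows above, added here as an example and not taken from the deck: the mitigated event likelihood is the initiating cause likelihood multiplied by the PFD of each protection layer, and the result is compared against the 10^-5 target. All layer names and values are the slide's; exact fractions are used so the comparison is not disturbed by floating-point rounding.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# Target mitigated likelihood per year, as stated on the slide.
TARGET = Fraction("0.00001")

# Worksheet rows from the slide: initiating cause likelihood and the PFD
# credited to each protection layer (1.0 means no credit is taken).
INITIAL_DESIGN = ("0.10", {"process design": "0.10", "BPCS": "1.0",
                           "alarm": "1.0", "SIS": "1.0", "additional": "1.0"})
ENHANCED_DESIGN = ("0.10", {"process design": "0.10", "BPCS": "1.0",
                            "alarm": "0.10", "SIS": "1.0", "additional (PRV)": "0.01"})


def mitigated_likelihood(cause_likelihood: str, layers: Dict[str, str]) -> Fraction:
    """Initiating cause likelihood x product of the IPL PFDs.

    Exact fractions are used on purpose: binary floats can put
    0.1*0.1*0.1*0.01 a hair away from 1e-5 and make the target check unreliable.
    """
    likelihood = Fraction(cause_likelihood)
    for pfd in layers.values():
        likelihood *= Fraction(pfd)
    return likelihood


def credited_layers(layers: Dict[str, str]) -> List[str]:
    """Layers that actually reduce risk in this row (PFD below 1.0)."""
    return [name for name, pfd in layers.items() if Fraction(pfd) < 1]


def evaluate(cause_likelihood: str, layers: Dict[str, str],
             target: Fraction = TARGET) -> Tuple[Fraction, bool, Fraction]:
    """Return (mitigated likelihood, target met?, shortfall factor).

    The shortfall factor is the extra risk reduction still needed to reach
    the target; it is 1 when the target is already met.
    """
    likelihood = mitigated_likelihood(cause_likelihood, layers)
    meets = likelihood <= target
    shortfall = Fraction(1) if meets else likelihood / target
    return likelihood, meets, shortfall


if __name__ == "__main__":
    for label, (cause, layers) in (("initial", INITIAL_DESIGN),
                                   ("enhanced", ENHANCED_DESIGN)):
        likelihood, meets, shortfall = evaluate(cause, layers)
        print(f"{label}: {float(likelihood):.0e}/yr, target met: {meets}, "
              f"credited: {credited_layers(layers)}, shortfall x{shortfall}")
```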
LOPA – Risk reduction

Risk reduction example

SIL - Defined

• A Safety Instrumented System (SIS) is designed to prevent or mitigate
hazardous events by taking the process to a safe state when predetermined conditions
are violated. A SIS is composed of a combination of logic solver(s), sensor(s), and final
element(s). Other common terms for SISs are safety interlock systems, emergency
shutdown systems (ESD), and safety shutdown systems (SSD). A SIS can consist of one or
more Safety Instrumented Functions (SIF).
• A Safety Instrumented Function (SIF) is designed to prevent or mitigate a
hazardous event by taking a process to a tolerable risk level. A SIF is composed of a
combination of logic solver(s), sensor(s), and final element(s). A SIF has an assigned SIL
depending on the amount of risk that needs to be reduced. One or more SIFs
comprise a SIS.
• Safety Integrity Level (SIL) is a measure of the probability of failure on demand (PFD) of a
SIF or SIS. There are four discrete integrity levels. The higher the SIL, the lower the PFD
for the safety system and the better the system performance (and the higher the cost).
A SIL applies to an entire system. Individual products or components do not have SIL
ratings. SILs are used when implementing a SIF that must reduce an existing intolerable
process risk level to a tolerable risk range.
SIL - Defined

A SIL level applies to an entire system if it reduces the risk by
the amount corresponding to an appropriate SIL level.
Individual products or components do not have SIL ratings.
SIL levels are used when implementing a SIF / SIS that must
reduce an existing intolerable process risk level to a
tolerable risk range.

Example structure: SIS1 consists of SIF1 and SIF2.

SIL - Defined

What is SIL 4?

SIL 4 is the highest level of risk reduction that can be obtained through a
Safety Instrumented System. However, in the process industry this is not a
realistic level and currently there are few, if any, products / systems that
support this safety integrity level.

SIL 4 systems are typically so complex and costly that they are not
economically beneficial to implement. Additionally, if a process includes so
much risk that a SIL 4 system is required to bring it to a safe state, then
fundamentally there is a problem in the process design which needs to be
addressed by a process change or other non-instrumented method.

SIL Group Exercise

Small Group Exercise


Can a Fire & Gas System be a SIF or SIS?

SIL – Group Exercise

Can a Fire & Gas System be a SIF or SIS?


A Fire and Gas (F&G) system that automatically initiates process
actions to prevent or mitigate a hazardous event and
subsequently takes the process to a safe state can be considered
a Safety Instrumented Function / Safety Instrumented System.

However, it is absolutely critical in a F&G system to ensure
optimal sensor placement. If there is incorrect placement of the
gas / flame detectors and hazardous gases and flames are not
adequately detected, then the SIF / SIS will not be effective.

Correct sensor placement is more important than deciding
whether a F&G SIF / SIS should be SIL 2 or SIL 3.
SIL - Assignment

• Assignment of SIL is an exercise in risk analysis where the risk associated with a
specific hazard is calculated without the beneficial risk reduction effect of the
SIF. If the "unmitigated" risk is higher than the tolerable risk, then the risk must
be reduced by means of a SIF. This amount of required risk reduction is
correlated with the SIL target. As the required risk reduction increases, the
required SIL level increases.
• There are several methods used to assign a SIL. These are normally used in
combination, and may include:
– Risk Matrices
– Risk Graphs (cost benefit)
– Layers Of Protection Analysis (LOPA)
• Of the methods presented above, LOPA is by far the most commonly used by
large industrial facilities.

SIL - Challenges

• Estimation of SIL is based on reliability estimates, and errors multiply when
solving a fault tree diagram.
• System complexity, particularly in software systems, making SIL estimation
difficult to impossible.
• These lead to such erroneous statements as, "This system is a SIL N system
because the process adopted during its development was the standard process
for the development of a SIL N system", or use of the SIL concept out of context
such as, "This is a SIL 3 heat exchanger" or "This software is SIL 2". According to
IEC 61508, the SIL concept must be related to the dangerous failure rate of a
system, not just its failure rate or the failure rate of a component part, such as
the software.
• It is sometimes assumed that the 'S' in SIL refers to software but the failure rate
of the software component of a system is merely a contribution to the overall
SIL level of the system as a whole.

SIL – Exercise 2

Task Detail
• Use the details on the next two slides and the SIL tables to classify the given risk
and its frequency.
• Using this table, determine the maximum tolerable risk frequency to reduce the
risk to class 3.
• Calculate:
– Target risk reduction factor (RRF),
– PFD (avg) and
– Safety availability, required from the SIF to achieve the tolerable risk frequency.
• State the SIL required of the SIF with reference to the SIL tables.

SIL – Exercise 2

Potential Hazard / Risk

A chlorine electrolyzer plant presents a major leak hazard due to loss of pressure
control. The estimated frequency of occurrence is once per 10 years. The
estimated consequence without any protective measures is that the operating
team of 3 people will be likely to suffer serious injury or be killed. A school in the
neighborhood may experience toxic fumes leading to injuries and a public outcry.

Proposed Solution
A safety instrumented system will monitor pressure limits and will trip out the
electrolyzer operation before the leak condition can arise.

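A worked version of the exercise calculation, added here and not the deck's own solution: RRF is the unmitigated frequency divided by the tolerable frequency, PFDavg is 1/RRF, safety availability is 1 - PFDavg, and the SIL comes from the IEC 61508 / IEC 61511 low-demand-mode bands (SIL 1: 10^-2 <= PFDavg < 10^-1, up to SIL 4: 10^-5 <= PFDavg < 10^-4). The once-per-10-years frequency is from the slide; the tolerable frequency for risk class 3 comes from a table not reproduced here, so the value used below is an assumption.

```python
from fractions import Fraction
from typing import Dict, Optional

# IEC 61508 / IEC 61511 low-demand-mode bands: (SIL, PFDavg lower bound
# inclusive, upper bound exclusive). RRF = 1 / PFDavg.
SIL_BANDS = (
    (4, Fraction(1, 100000), Fraction(1, 10000)),
    (3, Fraction(1, 10000), Fraction(1, 1000)),
    (2, Fraction(1, 1000), Fraction(1, 100)),
    (1, Fraction(1, 100), Fraction(1, 10)),
)


def sil_from_pfd(pfd: Fraction) -> Optional[int]:
    """Map a required PFDavg to its SIL band; None if no single SIF band fits.

    PFD >= 0.1 needs no SIL-rated function; PFD < 1e-5 lies beyond SIL 4,
    which the deck notes is not a realistic target in the process industry.
    """
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def sif_requirements(unmitigated_per_year: Fraction,
                     tolerable_per_year: Fraction) -> Dict[str, object]:
    """RRF, PFDavg, safety availability and SIL needed to reach the tolerable frequency."""
    if tolerable_per_year <= 0 or unmitigated_per_year <= 0:
        raise ValueError("frequencies must be positive")
    rrf = unmitigated_per_year / tolerable_per_year
    # If the risk is already tolerable (RRF <= 1) no reduction is needed: PFD 1.
    pfd = min(Fraction(1), 1 / rrf)
    return {"rrf": rrf, "pfd": pfd, "availability": 1 - pfd, "sil": sil_from_pfd(pfd)}


# From the exercise: major leak due to loss of pressure control, once per 10 years.
UNMITIGATED = Fraction(1, 10)
# ASSUMPTION: tolerable frequency for risk class 3 (the deck's table is not
# reproduced here); 1e-5 per year is a constructed value for illustration only.
TOLERABLE = Fraction(1, 100000)

if __name__ == "__main__":
    req = sif_requirements(UNMITIGATED, TOLERABLE)
    print(f"RRF = {req['rrf']}, PFDavg = {req['pfd']}, "
          f"availability = {float(req['availability']):.4%}, SIL {req['sil']}")
```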
End of Module 6
Thank you
