Chemical plants, petrochemical plants, oil and gas facilities, pharmaceutical plants and others across the process industries will handle multiple hazardous chemicals. These products can result in the creation of various hazardous reactions to produce the desired end product. However, if the control of these hazardous reactions are lost, they can have catastrophic effects on the facility and the surrounding area.
The avoidance of catastrophic events in and around the facility should be ingrained into the process safety culture at the plant. As no company wants a catastrophic event to occur, appropriate control measures to prevent, control and mitigate such events must be put in place.
A core process safety analysis technique that can be integrated into any kind of process is Layers of Protection Analysis (LOPA). Layer of Protection Analysis is a risk assessment and hazard evaluation tool used to assess high-consequence hazard scenarios.
What is the basis behind putting certain layers of protection on our processes?
LOPA seeks to determine the likelihood of hazard occurrence, probability of failure of the safeguards and consequence severity from scenarios identified in a hazard identification process. Multiple independent protection layers and suitable safeguards are integrated around the process as a means to limit the chance of a catastrophic event from occurring.
Standard layers of protection that can be applied and are regularly encountered in the processing industry include:
- Basic Process Control System
- Alarms & Operator Intervention
- Safety Instrumented System (SIS)
- Physical Protection (Relief Devices)
- Physical Containment (Bunds)
- Fire & Gas Systems
- Plant Emergency Response
- Community Emergency Response
When to use LOPA?
LOPA sessions should be implemented when high consequence-potential incident scenarios have been discovered by a team using a hazard evaluation method like HAZOP. It can also be used as a tool for risk identification analysis and comparison within a given organisation.
During process development, it can be used to evaluate and compare the risks associated with various process technology options. LOPA is recognised as one of the methods that may be used to select the Safety Integrity Level (SIL) for a Safety Integrated System (SIS).
LOPA can also be used to help make risk judgements involving plant modifications and procedural changes during routine operations. From the assessments of a single process modification during the management of change review to the evaluation of major accident scenarios, LOPA can be applied to any further risk reduction decisions.
A layer of protection under the microscope: alarms and operator intervention
The focus of the LOPA should centre around everybody understanding all hazards present on-site, what the consequences of these hazards are and how to prevent them.
From the instrumentation team to the process team, everyone must be able to supply useful input to a hazard study. For example, when examining alarms and operator intervention as a layer of protection, it is vital to understand how the plants’ alarms are designed and how they are supposed to operate.
Operators must also know how hazard studies are supposed to be completed, as this details how the operators must react to these systems (human intervention). This is why a thorough understanding of the link between hazard studies and alarm systems is necessary.
If there is an incident and an alarm supplies sufficient time for operator intervention, then, providing the operator is sufficiently independent from the initiating event, it can be considered as a layer of protection safeguard.
Understanding how alarms and operator intervention fit into the hazard safeguards is key for the completion of a LOPA session. Alarm and trip systems must not be separated from the LOPA study and must make up an integral part of the LOPA discussion.
Key questions for protection layer discussions
LOPA is not as simple as the addition of alarms, trip systems, mechanical fallbacks or the addition of added details to a plant emergency response. It involves a far deeper understanding and discussion into how, what and why particular safeguards should be added.
If specific layers of protection must be implemented, three fundamental questions related to process production must be answered
1. How safe is safe enough?
Who decides what the safety criteria of the plant is? How many trip systems and alarms should be installed? What is the protection layer focal points and who decides this?
2. What are the safety criteria?
Are there internally defined safety criteria for the plant? Are there multiple plants at multiple locations? Do all plants follow similar safety management systems? Are there internally developed safety documents and set benchmarks?
Whenever protection layers are discussed, stop and think about safety benchmarks and how they have been devised. Have they been developed based on a number of expedients from industry sector audit data or are they based on general process safety standards that guide national/international safety?
Applying protection layers for a singular plant is not going to be universal. A hydrogen plant will need different safety levels than an automobile manufacturing plant. Each plant will also have different sets of safety features, so the identification of safety levels must be considered.
3. How many protection layers are needed?
How much risk reduction should each safety layer provide to avoid a catastrophic accident? Once this question has been answered, then it is easier to ascertain how many protection layers are needed.
Other pertinent questions to consider are how many Safety Instrumentation Systems (SIS) and Safety Instrumented Function (SIF) levels should be applied. How many relief devices should be applied and how many governing scenarios must be identified?
Protection layers as singular safeguards
Effective layers of protection should work one layer at a time. If there are six or seven layers of protection, the layer in front should be suitably designed to prevent the incident from escalating. This does not mean that only one level of protection should be applied. One layer of protection should be relied upon in reality, but multiple layers of protection must be placed across a process.
If an SIS or an alarm system is implemented as a protection layer, how much risk can be reduced via this single layer? Does it fall into the remit of the plant’s pre-defined region of acceptable safety?
This question should form a discussion on each layer of protection, the number of protection layers needed and the risk reduction rating for each layer of protection.
This is LOPA. The name itself suggests that it discusses and analyses multiple layers of protection. The layer of protection analysis will aid in the implementation of a safety model or requirement for added safeguards. It typically builds on the information developed during a qualitative hazard evaluation and supplies a consistent basis for judging whether there are sufficient Independent Protections Layers (IPLs) to control the risk of an accident for a given scenario.
Whenever hazard studies are conducted, there must be a basis to justify all recommendations and safeguards. The LOPA study will supply the justifications for future decisions.
Independent layers of protection
An Independent Protection Layer (IPL) is a device, system or action that is capable of preventing a scenario from continuing to its undesired consequence.
For independent protection layers, four criteria must be verified.
Independence
Singular protection layers must be independent. This is independent of the initiating event, action or any other layers of protection associated with the scenario. The independent layer should work as a cause and effect. If the vessel fails, the independent protection layer should work in that scenario.
Specificity
A particular protection system should be specific enough to identify a particular hazard. It should identify specific flows, thresholds or temperatures so that protection should be specific to that distinctive scenario.
Dependability
During a scenario, that protection layer should act or take some sort of pre-determined action. It must be consistently dependable.
Auditability
The individual layer must be continuously and rigorously tested for the particular protection for which it has been applied.
Examples of IPLs:
Passive IPL
- Dike/bund
- Open vent
- Blast wall/ bunker
- Flame/detonation arrestors
- Restriction orifice
Active IPL
- BPCS
- Human response to alarm
- Pressure relief device
- SIS (Safety Instrumented Systems)
- Other design specific IPLs (e.g., mechanical stop for a valve)
Independent protection layers do not include aspects such as training and certification, design to code and standards, maintenance, communication and fire protection.
Protection analysis, LOPA and plant personnel
The Layer of Protection Analysis will help create an understanding of safety measures and practices amongst plant personnel.
Although every person will have a unique perspective while conducting the LOPA session, a unanimous decision on what safeguards and layers to install must be made.
This will facilitate the understanding needed for all plant personnel as different perspectives have been used to shape the study.
LOPA and its relationship with HAZOP
When it comes to conducting a LOPA, it should be completed after a Hazard and Operability study (HAZOP), as the HAZOP supplies a range of suitable hazardous scenarios.
A good HAZOP will help uncover a range of scenarios including worst-case. The team can then investigate the effectiveness of the protection layers that have already been implemented and discuss if further additional layers are needed. The HAZOP will also provide relevant data and documentation that the LOPA cannot, and vice versa.
The LOPA utilises data developed by the HAZOP and documents initiating causes and layers that can influence potential risk. This data can then be used to determine the amount of risk reduction achieved by existing controls.
It is recommended that once a HAZOP study has been conducted, certain critical scenarios should be revisited. If an estimated risk matrix of a scenario is not acceptable, additional IPLs can be added.
As a HAZOP is generally a qualitative study, the discussion does not revolve around numbers too heavily.
This has led to some thinking that since the LOPA (as a quantitative study) uses numbers, better process risk reduction results can be gathered. It is also believed that LOPA gives precise risk reduction calculations, but this is not the case. Instead, LOPA, usually based on orders of magnitude, supplies an approximation of risk, which can be useful for the resource decision making process.
A HAZOP study, on the other hand, will help identify and uncover complex scenarios. A scenario will arise in the HAZOP and the LOPA will estimate risk based on that predefined scenario.
Additional risk reduction and existing controls
LOPA documents existing control measures. Even if these measures have reduced risk, added protection must still be considered.
Without a LOPA there is the potential for confusion within the safety operating systems. Are the given protection layers sufficient enough? Is there ambiguity when it comes to starting risk reduction factors? Has there been sufficient risk reduction achieved by the existing layers?
LOPA is applied after an unacceptable consequence has been discovered and a credible cause for its implementation has been selected. It then provides an order-of-magnitude approximation of the risk of a hazardous scenario.
The LOPA process
Following the identification of initiating events for processes via a Process Hazard Analysis (PHA) and the identification of scenarios during a HAZOP, the LOPA will look at what may trigger a particular scenario and any related failures. This would usually be the first event that can cause an unexpected event or catastrophe.
The next stage is the identification of the frequency of the initiating event. Data defined in the Centre for Chemical Process and/or Offshore and Onshore Reliability Data developed by the Petroleum Directorate can be injected into protection analysis.
After initiating event frequency identification, frequency modifiers are studied. The frequency modifiers can be used to reduce the probability of this event occurring.
After the identification of these dependents, acceptable risk mitigation can be calculated.
Managing risk decisions using LOPA
Making LOPA-based decisions can be summarised in the below statements:
- Managing residual risk and modifying/mitigating risk to make it tolerable
If residual risk is manageable and acceptable, adequate protection can be added. Whether you can manage residual risk or not is the focal point of the LOPA. If there is an SIS that can modify risk and get it down to a tolerable level, then additional safety parameters can be applied.
- Abandoning risk (i.e., businesses and processes) because it is too high.
Abandoning a plant or businesses due to risk is not possible. LOPA is usually applied to determine if a hazard scenario is within the risk tolerance criteria or as a means to reduce risk. Do not consider LOPA as a method to abandon tolerable risk.
Decisions to abandon operations are normally made as a result of other studies such as quantitative risk assessment (QRA).
Conclusion
It is important to have process safety knowledge alongside an idea about the hazards present and the consequences of those hazards. If this information is known, then it is easier to make informed safety decisions, such as the addition or alteration of independent protection layers.
Although this short blog outlines some key questions to consider when undertaking the Layers of Protection Analysis (LOPA) study, it must be remembered that the only way in which to ensure complete compliance is to have a competent person undertake the assessment.
Sigma-HSE are recognised experts in LOPA and have undertaken LOPA studies throughout the processing industries for many years. Our consultancy team are on hand to discuss your requirements and will collaborate with you to provide actionable safety solutions.
If you are unsure about the fire and explosion capabilities of the substances managed at your facility, Sigma-HSE’s accredited testing laboratory can undertake all required testing, according to the relevant standards with a quick turnaround service.