# QUANTIFYING UNCERTAINTIES IN LOPA

Layers of Protection Analysis (LOPA) is a well-known analytical method for assessing the ability of existing safeguards to reduce the risk of hazardous events to an acceptable level. It is an order-of-magnitude method in which each hazardous event is assigned an acceptable frequency based on the severity of its consequence. The frequency of the initiating causes for the event, as well as the probability that existing safeguards will fail to prevent or mitigate it, is then assessed to ensure that there are sufficient protection layers in place to bring the frequency of the hazardous event below the acceptance criteria.

LOPA was originally intended to look at *single* cause-consequence pairs. However, recent practice, especially when using the method to allocate Safety Integrity Levels (SIL) to Safety Instrumented Functions (SIF), has been to include multiple initiating causes in a single LOPA scenario when they have the same consequence and are protected against by the SIF in question. This increases the need to better understand the inherent conservativeness and uncertainty in the input data. The example used later in this article therefore uses this approach.

LOPA is a methodology based on order of magnitude, and given the conservative rules applied to safeguards, it is intended to be an inherently conservative approach. However, there are certain pitfalls during a LOPA that might lead the LOPA team to estimate an overly optimistic mitigated event frequency. This article focuses on using the correct accuracy for Initiating Cause (IC) frequencies and for the Probability of Failure on Demand (PFD) of each Independent Protection Layer (IPL). In addition, the article presents a way to illustrate the uncertainty in the result of the LOPA.

If generic conservative data is not used, inherent uncertainty in failure data might lead to an overly optimistic result. When the LOPA is used to allocate SIL to SIFs, even a small deviation from the ‘true’ value could have a large consequence if the resulting PFD requirement for the SIF is close to the boundary between two SILs. As is obvious from Table 1, a PFD requirement on a SIS of 9.9·10^{-3} from a LOPA induces a SIL 2 requirement, while a slight deviation to the non-conservative side in the input values for initiating cause frequencies or protection layer probabilities would reduce the requirement to SIL 1.

INSTALLATION SPECIFIC CONSERVATIVENESS

It is important to be consistent in the approach to IC frequencies and IPL PFDs. Avoid deviating from the order-of-magnitude approach to IC frequencies and IPL PFDs; rather, stay conservative and stick to generic data. However, a value that is conservative for one installation could be heavily conservative for another and optimistic for a third, depending on e.g. process parameters and type of installation as well as testing, inspection and maintenance programs. In the case of a PSV, clean service and good maintenance imply that a PFD of 0.01 might be possible and still be conservative, while for a single valve in non-clean service the recommendation is often a PFD of maximum 0.1 to stay conservative.

Based on this, one improvement to the standard methodology is to complement the generic point value with an interval of possible generic values. This could be included in the LOPA results if the analyst concludes that deviations may exist, e.g. due to uncertainty regarding maintenance procedures, boundary conditions or application. Sensitivity analysis could then be done by adjusting the point value, based on the interval and on knowledge of how different factors could affect the input data. It is nevertheless important that the selection of values always stays conservative.

STATISTICAL DISTRIBUTIONS TO QUANTIFY THE LEVEL OF CONSERVATISM

Despite being a rough, semi-quantitative analysis, a LOPA often has its result presented only as a point frequency or required PFD_{avg} (even though this might not be the correct application of the method). To be able to express the uncertainty and investigate the effect of conservative data, this article suggests that statistical distributions can be assigned to the input data. By doing so, it is possible to express the result in terms of confidence intervals, rather than a point value.

The type of distribution to use depends on the information available for the variable in question. However, it is important to ensure that the distribution stays within the boundaries of the data, e.g. a PFD value must be greater than or equal to 0 and less than or equal to 1, and a frequency must be greater than or equal to 0. A simple and intuitive distribution is the triangular distribution, which is used in the example below. A triangular distribution is defined by its minimum value, maximum value and the mode, i.e. the most likely value.

Consider once again the case of a PSV as a safety barrier, where it is uncertain whether the application can be regarded as clean service or not. The recommended value of 0.01 for a single PSV in clean service is therefore treated as the minimum value, and 0.1 becomes the maximum value. The most likely value, the mode, is placed in between, slightly closer to clean service, as this was regarded as most credible. The probability density function of the resulting distribution is shown in Figure 1.

LOPA EXAMPLE

To illustrate the value of adding distributions to the input data, an example of a LOPA covering an overpressure scenario of a separator is carried out. The process segment is presented in the simplified process flow diagram in Figure 2. The purpose of the LOPA is to assign a SIL rating to the instrumented protection layer PAHH, closing the inlet shutdown valve XV-101 to protect the separator from overpressure from upstream sources.

As a basis for the LOPA, it is assumed that the worst-case safety consequence is rupture of the separator and leakage of process hydrocarbons, which if ignited causes an explosion with the possibility of 1 fatality. According to the Risk Matrix for the hypothetical plant in the example, this results in an acceptance criterion, or Target Mitigated Event Likelihood (TMEL), of 10^{-5} per year.

Three different initiating causes are identified: PCV-989 failure to the open position, operator error (opening HCV-104 too much), and spurious closure of XV-102. There are no additional protection layers apart from the PAHH. However, two conditional modifiers, probability of ignition and occupancy, have been taken into consideration.

First, a conventional LOPA approach is applied for the scenario, applying generic conservative values to the initiating cause frequencies and the probability of the conditional modifiers. The data is listed in the LOPA calculation table below. As seen from the result in the lower right part of the table, a SIL 3 requirement is raised for the PAHH safety function, with a required PFD_{avg} of at least 6.35E-4.

TRIANGULAR DISTRIBUTION APPLIED TO ONE VARIABLE

Next, the uncertainties are modelled using a triangular statistical distribution. The first step is to apply a triangular distribution to only one of the variables, the one where the uncertainty is expected to be greatest. The occupancy is often associated with uncertainty, depending on the size of the area affected by the explosion, the maintenance schedule, and daily routines. The minimum and maximum values of the triangular distribution are based on the extremes suggested by operations and the other participants in the LOPA workshop. In this case, a minimum value of 6 hours per day and a maximum value of 14 hours per day are applied. The mode of the triangular distribution is chosen based on the most credible value, which was assumed to be around 8 hours per day. The probability density function for the occupancy factor is shown in Figure 3.

Figure 4 presents the output of a simulation with the input parameters described above. The diagram shows the cumulative distribution function, where the y-value indicates the probability that the outcome is lower than or equal to the x-value, i.e. the probability that the required PFD_{avg} of the SIF will be lower than or equal to the x-value. From the diagram it is possible to conclude that there is at least a 16.4 % chance that the acceptable risk could be achieved with a SIL 2 rated SIF.

TRIANGULAR DISTRIBUTION APPLIED TO ALL INPUT VARIABLES

Uncertainties exist in all data and, as described above, conservatism is added to all input data in a LOPA. Hence, this section investigates the effect of defining a triangular distribution for all five input variables, with the same approach as for the occupancy. The resulting cumulative distribution function is shown in Figure 5. Now the result indicates a 75.2 % probability of a SIL 2 requirement.

From the result, it is possible to claim with a confidence of about 75 % that a SIL 2 requirement on the PAHH protection layer would be enough to meet the risk acceptance criteria for the scenario. However, there is still a probability of about 25 % that SIL 3 is required. These statements are based on non-conservative, but probably realistic, assumptions and justifications. The result should not be handled as a final decisive result, but rather as an indication. In this case, it might imply that there is reason to perform further detailed studies to investigate whether it is possible to reduce the SIL 3 requirement to SIL 2, and by that reduce maintenance and design requirements while still being confident that the risk is reduced to an acceptable level. Such studies could for example include a Fault Tree Analysis and Event Tree Analysis, where the level of conservatism could be reduced, since those techniques allow for more complexity in the models.
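The simulation described in the two sections above can be sketched as follows. This is an added example, not the article's own model: the TMEL and the occupancy triangle (6, 14 and 8 hours per day) come from the text, while the initiating cause frequencies, the ignition probability, the occupancy point value and the triangles for the other inputs are constructed, so the percentages it prints will not reproduce the figures quoted above.

```python
import random

TMEL = 1e-5  # target mitigated event likelihood per year (from the article)

# Constructed inputs: the article's LOPA table is not reproduced on the page.
IC_POINT = [0.1, 0.1, 0.1]            # three initiating causes, per year
P_IGNITION = 0.1                      # conditional modifier, point value
OCC_POINT = 14 / 24                   # conservative occupancy point value
OCC_TRI = (6 / 24, 14 / 24, 8 / 24)   # (min, max, mode) hours/day from the article

def draw(x, rng):
    """A float is a fixed point value; a (min, max, mode) tuple is triangular."""
    if isinstance(x, tuple):
        low, high, mode = x
        return rng.triangular(low, high, mode)
    return x

def required_pfd(ic_freqs, modifiers, tmel=TMEL):
    """PFDavg the SIF must achieve for the mitigated frequency to meet the TMEL."""
    unmitigated = sum(ic_freqs)
    for m in modifiers:
        unmitigated *= m
    return min(1.0, tmel / unmitigated)

def sil_required(pfd):
    """Low-demand SIL band holding the required PFDavg (0 means no SIL needed)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def simulate(ic_freqs, modifiers, n=100_000, seed=1):
    """Share of Monte Carlo trials that land in each SIL requirement."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        pfd = required_pfd([draw(f, rng) for f in ic_freqs],
                           [draw(m, rng) for m in modifiers])
        sil = sil_required(pfd)
        counts[sil] = counts.get(sil, 0) + 1
    return {sil: c / n for sil, c in sorted(counts.items())}

if __name__ == "__main__":
    point = required_pfd(IC_POINT, [P_IGNITION, OCC_POINT])
    print(f"point estimate: PFDavg {point:.2e} -> SIL {sil_required(point)}")
    print("occupancy only:", simulate(IC_POINT, [P_IGNITION, OCC_TRI]))
    ic_tri = [(0.03, 0.1, 0.05)] * 3      # constructed triangular IC frequencies
    ign_tri = (0.03, 0.1, 0.05)           # constructed triangular ignition probability
    print("all inputs:", simulate(ic_tri, [ign_tri, OCC_TRI]))
```

With these constructed inputs the SIL 2 boundary falls exactly at the occupancy mode, so the occupancy-only share of SIL 2 outcomes can be checked by hand as (8 − 6)/(14 − 6) = 25 %.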

ORS CAPABILITIES

ORS offers highly experienced personnel to facilitate and record LOPAs. Our expert will help you customize the analysis to your purpose and need. ORS services cover activities throughout the SIS lifecycle. For more information on our functional safety services, please visit