Artificial Intelligence Notice: ISA prohibits the entry of any ISA intellectual property (¡°ISA IP¡±), including standards, publications, training or other materials into any form of Artificial Intelligence (AI) tools, such as ChatGPT. Additionally, creating derivatives of ISA IP using AI is also prohibited without express written permission from ISA¡¯s CEO. In the case of such use, ISA will suspend a licensee¡¯s access to ISA IP, and further legal action will be considered. Please review ISA's policies for Use of AI Tools, Intellectual Property and Terms and Conditions for further information.
Cybersecurity Awareness Month Sale:
This October, save 300 USD on select ISA cyber training and 10% on select cyber standards during Cybersecurity Awareness Month. View the deals.
LOPA is a valuable tool to analyze the risk associated with an event scenario and document the expected effectiveness of protective layers.
LOPA reviews are intended to determine if there are adequate protective devices or features in the process to provide tolerable risk
Layer of protection analysis (LOPA) is a method of analyzing the likelihood (frequency) of an event with a harmful outcome based on the initiating event frequency and the probability of failure of a series of independent protection layers, which could prevent the harmful outcome.
LOPA is one of the most used risk assessment techniques, and, in its simplified form, is only a semiquantitative technique. As with most risk assessment techniques, the primary focus of a LOPA review is to determine if there are adequate protective devices or features in the process to provide tolerable risk.
Protection layers are the most critical and fundamental aspect in any LOPA review. Most of the analysis is spent determining if the safeguards proposed by a hazard identification team can be independent protective layers (IPLs). In the hazard identification review, all safeguards are listed, and no estimations are made regarding their effectiveness in preventing the hazard or their dependence on one another. In the field, some teams assume certain safeguards can provide significantly more risk reduction than their true capability. LOPA resolves this problem by requiring the safeguards to meet predefined criteria before they are assumed to provide risk reduction.
LOPA methodologies
There are qualitative and quantitative LOPA methodologies. The qualitative LOPA methodology is performed one scenario at a time. The benefit of qualitative LOPA is it consumes less time and fewer resources than more quantitative risk analysis techniques. It also provides a consistent and defensible methodology for a company’s risk and safety integrity level (SIL) target selection decisions. The steps are:
Identify all scenarios to be analyzed.
Select a scenario to analyze.
Estimate initiating event frequency.
Estimate consequence severity.
Determine the fully unmitigated risks.
Determine if the fully unmitigated risk is tolerable.
Identify the IPLs.
Identify the enabling conditions and conditional modifiers.
Determine the intermediate event frequency.
Determine if the risk is tolerable.
Determine how to provide the additional risk reduction, if needed.
Assign the SILs to safety instrumented functions (SIFs), if
applicable.
Repeat steps 2 through 12.
Increase the SIL of the SIFs used more than once, if appropriate.
Ensure the risk reduction provided by the IPLs will be maintained and validated.
Complete and approve the LOPA documentation.
A quantitative LOPA methodology is performed based on the multiple initiating event scenarios. The benefit of quantitative LOPA is it determines a more precise numerical estimate of a SIF’s required performance and a required risk reduction factor (RRF) and SIL for SIFs protecting against multiple events. The steps are:
Verify the effectiveness of each IPL for each initiating event.
Estimate initiating event frequencies and IPL failure probabilities.
Determine the SIL target for high-demand safety instrumented functions.
Determine the SIL target for continuous demand SIFs.
LOPA worksheets
Consider an example from some LOPA 2012 problem studies. A hazard and operability study (HAZOP) reviewed an amine stripping column. An excerpt of the documentation is shown in figure 1. Quantification of risk categories and frequency is shown in figure 2.
Figure 1. Results of amine stripping column HAZOP reviewFigure 2. Quantifying risk categories and frequency
Consider the resulting developed worksheet shown in figure 3 and note this additional information about the completed LOPA worksheet:
The column is out of service three months of every year. Because this tower is in service more than 10 percent of the time, this means no use factor may be used. If a quantitative LOPA was performed, a use factor of 25 percent could be used.
Operation and maintenance personnel are in the vicinity of the amine stripping column approximately 15 percent of each day. Because personnel are present more than 10 percent of the time, this means no occupational factor may be used. If a quantitative LOPA was performed, an occupational factor of 15 percent could be used.
The pressure safety valve (PSV) setting is 220 psig, and it releases to atmosphere. This means there should be another reviewed LOPA scenario with the initiating event of the PSV lifting and the consequence of potential personnel exposure to H2S.
The column maximum allowable working pressure is 300 psig. This means the PSV lift setting is adequate to protect the column from overpressure.
The PSV is bench tested yearly, and this testing is documented. This means the PSV meets the auditability requirement for an IPL.
The column pressure will increase from its normal operating pressure of 30 psig to 220 psig in approximately 15 minutes. This means no safeguards involving operator field actions can be IPLs.
The column design feed rate is approximately 1,450 liters per minute (LPM), but recent debottlenecking has increased the feed rate to approximately 2,175 LPM. The review team is not aware of the PSV being resized for this increased feed rate. This means the PSV cannot be an IPL, because the review team does not know if the PSV is adequate for the increased feed rate. This should be noted as an action to confirm whether or not the sizing is correct for the new case.
The spare reflux pump and low-pressure autostart are not periodically tested. Because the spare pump and autostart are not periodically tested, this safeguard fails the auditability requirement for IPLs and cannot be considered an IPL.
The low-pressure autostart is performed in a local controller in the field that is separate from the basic process control system (BPCS). This means the spare pump and autostart could meet the independent IPL requirement based on periodical testing, even if the pressure or temperature controller was used as an IPL, since its logic is not performed in the BPCS.
The main reflux pump is turbine driven, and the spare reflux pump is electrically driven. This means the pump power supply is independent. If the spare pump and autostart safeguard met all the other IPL criteria, it would be an IPL.
The operators keep the column temperature control in manual approximately 25 percent of the time due to “controllability issues.” This means the temperature controller cannot be used as an IPL, because it is not at least 90 percent dependable. If a quantitative LOPA was performed, a probability of failure on demand of 0.33 = (1 – 0.9 × 0.75) may be used if the temperature controller met the remaining IPL criteria.
The column high-pressure alarm, high-temperature alarm, temperature control, and pressure control are performed in the unit’s BPCS. The BPCS contains redundant control processors and is powered using a redundant power supply. Because all these functions reside in the same BPCS and the BPCS has not been designed to meet IEC 61508 or documented to meet the “proven in use” criteria of IEC 61511, only one IPL involving the BPCS may be allowed.
The operators have a detailed procedure to respond to the reflux pump tripping, which requires the field operator to restart the pump. If the pump cannot be restarted, the control room operator must trip the steam to the reboiler. If the operating procedure was rewritten to have the control room operator immediately trip the reboiler steam after the reflux pump trips, and the review team believes each control operator would perform this action without hesitation, this could qualify as an IPL.
The company LOPA procedure requires the operator be given at least 30 minutes to respond to an alarm for the alarm and operator intervention to be considered a safeguard. Assuming the company requires the field operator to have at least 30 minutes to intervene for an operator intervention safeguard to qualify as an IPL, this safeguard is not an IPL.
? Figure 3. The resulting developed worksheet
Final thoughts
LOPA is a valuable tool to analyze the risk associated with an event scenario and document the expected effectiveness of protective layers. When using a tool that performs analysis on single cause/consequence pairs, it is necessary to perform an additional step to determine the combined demand frequency and RRF requirement for the SIF. Failure to do so will result in an underestimation of both the initiating event frequency and the RRF target.
When a LOPA is used to determine the design basis for a SIF, it is critical that the cumulative effects of multiple initiating events be considered together when assessing IPL effectiveness and determining the SIF demand frequency and the SIL target. IPLs should be applied only against the initiating events where they are effective, thus reducing the residual risk for that scenario. Some IPLs, such as operator response to an alarm, may be considered to reduce the demand rate on a SIF when well managed and monitored by a process such as the ISA-18.2 lifecycle. IPLs should only be considered to reduce SIF demand frequency when they are well managed and monitored to ensure effectiveness.
Reader Feedback
We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.
Narasimha Himakuntala is controls engineer – Protection Systems RAD for the Spallation Neutron Source (SNS) at Oak Ridge National Laboratory. He has delivered process safety instrumentation and control systems engineering services for more than 17 years for manufacturing facilities, oil and gas, petrochemicals, refineries, and process plants.
More than that, he deduced, the man had vanished and yet, after he was gone, there had come that unexpected descent of the rolling door which had first made them think themselves trapped. Sandy argued, and with good common sense, that a ghost, in broad sunny daylight, was a silly way to account for the man. He also felt that it was equally unjust to credit the drop of the door to gravity. Friction drums are not designed to allow the ropes on them to slip, especially if there is no jolt or jar to shake them. Walpole, however, continued to oppose the South Sea Bill in the Commons, declaring that the terms were too extravagant ever to be fulfilled; that the experiment could result in nothing but a fearful increase of the costs of stockjobbing, and final confusion and ruin. He insisted that, before the proposals of the Company were accepted,[47] the rise of their stock should be limited, and every means taken to prevent the fever of infatuation that would ensue from the promise of dividends out of funds which could never be realised. He proposed for this purpose the introduction of a clause fixing the number of years' purchase to be granted to the annuitants of the South Sea Company; but to this it was objected that it was the interest of the Company to take up the annuities; and, as the annuitants had the power of coming in or not, as they pleased, the Company would, of course, offer advantageous terms, and, therefore, the whole affair might be safely left to private adjustment. Aislabie added that the South Sea Company would not submit to be controlled in an undertaking they were to pay so dear for. The Bill passed both Houses. As the woollen manufactures of Ireland had received a check from the selfishness of the English manufacturers, it was sought to compensate the Protestants of Ulster by encouraging the linen manufacture there, which the English did not value so much as their woollen. A Board was established in Dublin in 1711, and one also in Scotland in 1727, for the purpose of superintending the trade, and bounties and premiums on exportation were offered. In these favourable circumstances the trade rapidly grew, both in Ireland and Scotland. In 1750 seven and a half million yards of linen were annually woven in Scotland alone. "Pardon me, Lieutenant¡ªI should perhaps say Captain"¡ªinterrupted Lieut. Bowersox, with much sweetness of manner, "but the most of us are familiar with your views as to the inferiority of the discipline of the Western Armies to that of the Army of the Potomac and European armies, so that we need not take up the' time of the court with its reiteration. What farther happened?" "Sure," Dodd said. "But I mean people. And you want the same things we do. You want a little comfort out of life, a little security¡ªsome food, say, and enough food for tomorrow. Right?" "Why, two shillings is too much fur farm-folks lik us to give fur a pound of chocolate. It's naun but a treat, and we can do wudout it." At last they came to Castweasel¡ªthree old cottages and a ruined one, leaning together in a hollow like mushrooms. Beside the ruined cottage a tree-trunk was lying, and Rose suddenly stretched herself with a little sigh. "I'm sorry," he said sheepishly. Rate, skate, and crabs. Farewell, farewell, you jolly young girls! HoMEɧµÄ»¤Ê¿ÃÃÃÃ
ENTER NUMBET 0017 www.yinyi3.com.cn www.xy528.com.cn zhixianla.com.cn fj-sf.com.cn lezhu3.com.cn lulai4.net.cn wunan7.net.cn subei9.net.cn nijia8.net.cn www.8webfind.com.cn
