Contents
1 Purpose
2 Scope
3 Background
4 Responsibilities
4.1 Chief Officer
4.2 Project Manager / Location Manager
4.3 Engineering Authority
4.4 Technical Authorities
4.5 LOPA Study Leader
4.6 LOPA Study Scribe
4.7 LOPA Study Team members
5 LOPA Study Preparations
5.1 LOPA Study Terms of Reference
5.2 LOPA study team selection
5.3 LOPA Study Leader
5.4 LOPA Study team Roles
5.5 LOPA Study Team Composition
5.6 LOPA Study Schedule and facilities
5.7 LOPA Study Documentation Requirements
6 Conducting the LOPA Study
6.1 LOPA Team briefing / orientation
6.2 LOPA Study Methodology
6.3 Hazardous Events
6.4 Determine Causes of Hazardous Event
6.5 Determine the Severity of the Hazardous Event
6.6 Determine the Initiating Cause Frequency
6.7 Identify the Safeguards and Determine the Independent Layers of Protection
6.8 Estimate the Probability of Failure for each Independent Layer of Protection
6.9 Calculate the Likelihood of Occurrence of the Hazardous Event
6.10 Compare the Likelihood of the Hazardous Event to Acceptance Criteria
6.11 Propose Recommendations
7 Records
7.1 LOPA Study Record
7.2 LOPA Study Report
DIR Number: 10000011322 Printed: 21/11/2017 03:49 PM
DIR Version: 00 DIR Status: RL
Location: All Sites Page 2 of 24
Printed copies of this document are uncontrolled unless contained in a site manual.
PROCEDURE
7.3 LOPA Study Action Close Out and Close Out Report
7.4 Record Keeping
8 Training and Competence
9 Related documents
10 Definitions
11 Document Version Information
1 Purpose
The purpose of this procedure is to specify responsibilities and the procedural
requirements for conducting Layer of Protection analyses (LOPA) on Contact’s assets that
produce, transport, store or consume either energy, toxic or hazardous materials over their
lifetime from inception or acquisition through operating life to disposal or decommissioning.
2 Scope
This procedure is applicable to all Contact sites and facilities and applies to the entire
lifecycle of a facility. LOPA analysis is required when HAZID or HAZOP studies identify a
consequence ranking of 5 or 6 on the Contact Risk Tool Kit matrix.
The procedure is applicable to Greenfield and Brownfield projects, as well as modifications
to existing facilities, and as part of retrospective reviews of existing facilities.
Reference should be made to Asset Safety Lifecycle Management System Standard (SAP
DMS 10000014452) which outlines when LOPA studies shall be conducted, and the
relationship with other Process Hazard Analysis studies that shall be conducted on
Contact’s process equipment.
3 Background
LOPA studies consider the likelihood of a Major Accident Event (MAE) initiating and the
probability of failure of the safeguards in place. The outputs of HAZID and HAZOP studies
provide the process safety related hazard MAE scenarios.
LOPA studies are applied to previously identified process safety related hazards within a
proposed or operational facility or activity. The LOPA study is a semi-quantified risk
analysis tool that analyses potential MAEs, providing a numerical risk exposure level that
can be compared with the company risk tolerance criteria and the exposure level of other
potential MAEs.
4 Responsibilities
The severity of the hazardous event should be described and the consequence rating
should be determined using the Contact Risk Matrix. It is important that the final likelihood
result is appropriate for the consequence being analysed.
The Initiating Cause Frequency needs to be expressed in number of “times per year”. This
value may be derived from actual Contact data, industry data or team judgement and
experience. The justification for the estimate needs to be clearly documented.
The team needs to gather data on how often the activity occurs or how often the Initiating
Cause occurs. The LOPA study team can use Contact incident data or draw on their
experience and knowledge of incidents within Contact or within the industry. The LOPA
study team can also use the Initiating Cause Frequency guidelines provided in
Appendix B; these have been compiled using generic industry data and LOPA literature.
It is helpful during the Initiating Cause Frequency discussion to consider that this is the
likelihood of the undesirable event without any controls.
Conditional Modifiers
When considering the likelihood of a hazardous event it will often be appropriate to modify
the frequency of an event for factors such as:
• Time at risk (for processes that occur for only part of a year);
• Occupancy:
  o If the consequence requires people to be in the vicinity;
  o Restricted access reducing exposure of personnel.
• Ignition probability;
• Vulnerability (event may not result in the consequence);
• Location;
• Environmental factors;
• Experience level of operators.
The basis for any such modifier must be documented and when applied to an event must
be noted on the LOPA worksheet.
Example 1: Liquid into a compressor leading to a fire/explosion during compressor start-
up.
Initiating Cause Frequency comment: The compressor is shut down for maintenance once
every two years. Site experience is that liquid has been present in the compressor during
this activity. The likelihood of getting liquid into the compressor during the start-up was
considered to be a probability of 1. The probability of liquid in the compressor leading to a
major incident is one in ten as it is a large centrifugal compressor and unlike a
reciprocating compressor, a centrifugal compressor can cope with a degree of liquid.
The LOPA study team should note any safeguards or controls identified during preceding
HAZID and HAZOP studies and confirm whether these meet the requirements of an
Independent Protection Layer (IPL). Note that not all safeguards or controls will be IPLs.
An Independent Protection Layer is defined as any independent mechanism that reduces
risk by control, prevention or mitigation (AS IEC 61511.1-2004 § 3.2.59).
Protection layers that perform their function with a high degree of reliability may qualify as
Independent Protection Layers (IPL).
The criteria to qualify a Protection Layer (PL) as an IPL are:
1. The protection provided reduces the identified risk by a large amount, that is, a
minimum of a 10-fold reduction.
2. The protective function is provided with a high degree of availability (90% or greater).
3. The protection layer has the following important characteristics:
a) Specificity: An IPL is designed solely to prevent or to mitigate the consequences
of one potentially hazardous event (e.g., a runaway reaction, release of toxic
material, a loss of containment, or a fire). Multiple causes may lead to the same
hazardous event; and, therefore, multiple event scenarios may initiate action of
one IPL.
b) Independence: An IPL is independent of the other protection layers associated
with the identified danger.
c) Dependability: It can be counted on to do what it was designed to do. Both
random and systematic failure modes are addressed in the design.
d) Auditability: It is designed to facilitate regular validation of the protective
functions. Proof testing and maintenance of the safety system is necessary.
During LOPA discussions on whether a control is independent, it is important to consider if
there are common modes of failure.
Example 1:
If two controls require manual intervention by the same Operator then they are not
independent and need to be considered together with the Operator actions as one layer of
protection.
Example 2:
An instrumented system such as a level device may provide level indication, an alarm and
a shutdown but if the level tapping becomes plugged then the indication, alarm and
shutdown will not prevent the undesirable event. These controls have a common mode of
failure and need to be considered as one layer of protection.
Additional Mitigation
Mitigation systems and arrangements that reduce the severity of the Impact Event but do
not prevent it from occurring may be applicable in a LOPA study.
Mitigation layers can be:
• Structural, such as blast walls, bunds, dikes, pressure relief devices, smoke proof
  doors;
• Systematic, such as deluge systems, evacuation alarms, illuminated escape routes;
  and
• Procedural, such as practised evacuation procedures.
The LOPA team should determine if there are applicable additional mitigations, considering
any as independent protection layers. They are entered on the LOPA worksheet.
The LOPA Study team needs to establish and document the probability of failure for each
Independent Protection Layer (IPL). The probability for each level is to be entered on the
LOPA worksheet. This includes the probability of failure of additional mitigations.
The probability of failure of a protection level is termed “Probability of Failure on Demand”
(PFD).
Guidelines on Probability of Failure are available in Appendix C. Alternative values may be
used at the discretion of the LOPA study team, provided the basis is documented clearly in
the LOPA study.
The team needs to document the associated justification for the probability of failure
assigned.
The Likelihood of the hazardous event can be calculated by multiplying the Initiating Cause
Frequency by the Probability of Failure of each Independent Protection Layer (IPL).

Likelihood = Initiating Cause Frequency × Probability of Failure for IPL1 × Probability of
Failure for IPL2 × Probability of Failure for IPL3, etc.

In the case where there is more than one cause for a Hazardous Event then the
frequencies can be added to give the overall frequency of the undesired outcome.

Likelihood = (Initiating Cause Frequency for Cause 1 × Probability of Failure of IPLs) +
(Initiating Cause Frequency for Cause 2 × Probability of Failure of IPLs)
For example: Vessel overfill frequency = frequency of overfill when pumping from the ship
+ frequency of overfill when pumping from a truck. In this example there would be different
IPLs involved for these two Initiating Causes.
For each hazardous event scenario, the group should review the final outcomes and
The team will compare the final calculated likelihood of the undesired outcome to the
company risk tolerance criteria and/or regulatory requirements, determining if further risk
reduction is needed.
If the risk is greater than the company risk tolerance then:
1. The likelihood of one or more initiating causes occurring must be reduced, or
2. The probability of failure of one or more of the independent protection layers must be
reduced, or
3. An additional Independent Protection Layer is required.
Note that, with likelihood calculated in engineering units as powers of 10, the SIL
requirement for options 2 and 3 above is determined by the difference in exponent between
the calculated likelihood and the tolerance criteria. For example, with a calculated
likelihood of 10^-7 and a company risk tolerance of 10^-9, there is a SIL requirement of 2
for a reduced IPL PFD or an additional IPL.
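The likelihood calculation and tolerance comparison described above, as an added worked example (not part of the original procedure). The compressor figures are those of Example 1; the overfill frequencies, IPL names, PFD values and the tolerance figure are constructed for illustration.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Cause:
    """One initiating cause (one worksheet row) with its modifiers and IPLs."""
    name: str
    frequency_per_year: float                      # Initiating Cause Frequency
    modifiers: dict = field(default_factory=dict)  # conditional modifier -> probability
    ipl_pfds: dict = field(default_factory=dict)   # IPL -> probability of failure on demand

    def likelihood(self) -> float:
        """Initiating Cause Frequency x modifiers x PFD of each IPL."""
        if self.frequency_per_year <= 0:
            raise ValueError(f"{self.name}: frequency must be positive")
        for label, p in list(self.modifiers.items()) + list(self.ipl_pfds.items()):
            if not 0.0 < p <= 1.0:
                raise ValueError(f"{label}: {p} is not a probability in (0, 1]")
        for label, pfd in self.ipl_pfds.items():
            # IPL criterion 1 in the procedure: at least a 10-fold risk reduction.
            if pfd > 0.1:
                raise ValueError(f"{label}: PFD {pfd} gives less than 10-fold reduction")
        return (self.frequency_per_year
                * math.prod(self.modifiers.values())
                * math.prod(self.ipl_pfds.values()))

def event_likelihood(causes) -> float:
    """Several causes of one hazardous event: the per-cause frequencies add."""
    return sum(c.likelihood() for c in causes)

def orders_of_reduction(likelihood: float, tolerance: float) -> int:
    """Whole powers of 10 still needed to bring likelihood down to tolerance."""
    if likelihood <= tolerance:
        return 0
    # round() absorbs floating-point noise before taking the ceiling
    return math.ceil(round(math.log10(likelihood / tolerance), 9))

# Example 1 from the procedure: start-up once every two years, liquid present
# with probability 1, one in ten chance that liquid leads to a major incident.
compressor = Cause("Liquid into compressor at start-up", 0.5,
                   modifiers={"liquid present": 1.0, "leads to major incident": 0.1})

# Constructed values for the vessel overfill case (different IPLs per cause).
overfill = [
    Cause("Overfill when pumping from ship", 0.1,
          ipl_pfds={"independent high-level trip": 0.01,
                    "operator response to separate alarm": 0.1}),
    Cause("Overfill when pumping from truck", 0.5,
          ipl_pfds={"independent high-level trip": 0.01}),
]
TOLERANCE = 1e-4  # constructed; the real figure comes from the company risk criteria

if __name__ == "__main__":
    print(f"compressor: {compressor.likelihood():.3g} per year")
    total = event_likelihood(overfill)
    print(f"overfill:   {total:.3g} per year, "
          f"{orders_of_reduction(total, TOLERANCE)} order(s) above tolerance")
```

A safeguard entered with a PFD above 0.1 is rejected instead of being multiplied in, which keeps controls that do not meet the 10-fold criterion out of the result.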
For projects the LOPA team should carefully consider whether each proposed IPL is the
optimal method for mitigating the risk of the hazardous event, taking into account the full
lifecycle cost of the IPL.
For operating equipment the LOPA team should carefully consider the hazardous events
when their calculated frequency is close to the Contact risk criteria. Are there additional
layers of protection required, or are there ways to reduce the probability of failure of any of
the existing layers?
When the need for further risk reduction is identified, actions shall be implemented and
recommendations made consistent with the risk management action table 2 above.
Where an additional layer of protection is to be recommended or an existing layer’s
probability of failure is to be reduced the Probability of Failure value can be assigned to the
recommendation and once the recommendation is implemented then the improved
Probability of Failure can be assigned to the improved control.
The LOPA Study Leader shall ensure that the LOPA recommendations are clear and
complete and that there is consensus from the LOPA Study team on the recommendations.
Recommendations should be:
• Written to be stand-alone (understandable without the benefit of the study report);
• Written in terms of “what needs to be done”, “where it needs to be done”, and “why it
  needs to be done”;
• Written so that recommendations are accomplishable and have a clear point of
  closure.
Where the team cannot reach consensus on a particular matter then the LOPA Study
Leader is the final arbiter.
Recommendations arising from the LOPA Study shall be assigned to the appropriate
member of the LOPA Study Team to action.
7 Records
At the conclusion of the Study, the LOPA study report should be prepared by the LOPA
study scribe detailing:
• Administrative details, including the LOPA study team members, location and dates;
• Documents and drawings reviewed, quoting revision numbers used by the LOPA
  study team;
• The LOPA study worksheets and LOPA study recommendations.
This report shall be endorsed as a true record by the LOPA Study Leader.
The report should then be issued by the Technical Authority and addressed to the recipient
identified in the TOR.
7.3 LOPA Study Action Close Out and Close Out Report
At the conclusion of each LOPA Study action, a record of the action close out shall be
prepared by the action assignee, and reviewed by the LOPA Study Leader.
By completion of the project phase, or an allotted timeframe for operating facility LOPAs, a
LOPA study close out report shall be issued by the Technical Authority.
Study documents should be collected and archived for future reference, including:
• LOPA study worksheets;
• LOPA study report;
• Action close out records; and
• LOPA study close out report.
9 Related documents
Employees involved with the LOPA process shall be aware of the requirements of the
following documents referenced within this procedure:
Asset integrity Directive CEN-HSE-DVE-005 SAP DMS 10000015830
Risk management Directive CEN-RM-DVE-001
Risk Management tool Kit Version 2.1
IEC / ISO 31010:2009, Risk Management - Risk Assessment Techniques
Asset Safety Lifecycle Management System Standard SAP DMS 10000014452
Process Safety Management Standard SAP DMS 10000011181
Process Safety Governance Standard SAP DMS 10000014170
Bowtie Procedure SAP DMS 10000011084
HAZOP Study Procedure SAP DMS 10000011100
HAZID Study Procedure SAP DMS 10000011320
LOPA Study Procedure SAP DMS 10000011322
10 Definitions
Term | Definition
Common Mode Failure | A type of failure in which diverse components can be disabled by the same single cause. Failure of two or more channels in the same way, leading to a system failure (AS IEC 61511.1:2004 § 3.2.6.2)
Consequence Category | As per the Contact Risk Toolkit, consequences can be broadly categorised as harm to Personnel, Environment, Community, Property Damage or Loss (Financial), Reputation, or Legal
Consequence Rating | As per the Contact Risk Toolkit: (1)-Minor, (2)-Moderate, (3)-Serious, (4)-Major, (5)-Critical, (6)-Catastrophic; with selection based on the explanations within the consequence descriptions of each category.
Design Intent | A clear and concise statement that explains how the process is expected to behave.
HAZID | Hazard Identification Study, Refer SAP DMS 10000011320
[Figure: LOPA study process flowchart showing the activities of the Technical Authority, LOPA Study Leader, LOPA Study Scribe and LOPA Study Team, from approval of the LOPA Study Terms of Reference (TOR) and team selection, through preparation, team briefing and study sessions, to the LOPA Study Report and LOPA Study Action close-outs.]
[LOPA worksheet template, four identical blank rows. Columns and the entry expected in each:
Initiating Causes: Describe
Initiating Cause Frequency: Calculate
Protection Layers PL1, PL2, PL3, PL4: Describe PL and enter PFD for each
Mitigation 1, Mitigation 2: Describe PL and enter PFD for each
Event Likelihood: Calculate
Company risk tolerance: Enter
Event likelihood / risk tolerance delta: Calculate
Comment / recommendation]