Short Name: 4043_v091130 OMV Petrom Refining Standard

Description: Layer of Protection Analysis (LOPA)
This Standard was adopted for OMV Petrom Refining based on OMV Refining Standard 4043_v091130 by issuing and releasing a Local Amendment.

Subject: Layer of Protection Analysis (LOPA): Risk Evaluation for Discrete Process Scenarios

Objective: This procedure provides guidance for the evaluation of prevention and mitigation
measures which contribute to the reduction of process risks to tolerable and acceptable
limits.

Target Group: This standard applies to all employees and contractor staff working in relation with
OMV Petrom Refining. It applies to all lifecycle stages of production units from concept
to decommissioning.

Scope of Effectiveness: The scope of effectiveness is limited to the Refining business segment within
OMV Petrom Refining.

Author: PMRP-R George Stoica
Responsible for the content: PMRP-R George Stoica
Approved regarding formal correctness by: PMRS-N Felicia Decusara
Verified with regard to correctness of content by: PMRP-H Tudor Anca; PMRP-P Cosmescu Marin; PMR-P Dir. Alfred Leodolter
Released by: PMRP-O Bertram Muchan
Released by: PM-R Dir. Neil Morgan
(Columns of the signature table: Organisational unit, Name, Date, Signature)

Notes:
1. In the interests of simplicity and readability the language of this statement is as far as possible gender neutral. Where
applicable, the masculine includes the feminine.
2. Hardcopies of this document may not represent the current applicable standard. Check for latest document on the
Regulations Platform

RefStd_4043_v091130_EN_LOPA.doc | Layer of Protection Analysis (LOPA) | Page 1 of 18 | Valid as of: 111110 | Version: v091130
OMV Petrom Refining & Petrochemicals – all rights reserved
1. Introduction
Reliable and safe operation of refinery process plants usually requires the seamless and sustainable
interaction of prevention and mitigation measures. These measures may be technical or
organizational or a combination of both. Risk evaluation is required to balance the goals of reduction
of process risks and the efforts which are needed to achieve them.
The Layer of Protection Analysis (LOPA) is a semi-quantitative methodology to evaluate the
reliability of measures which are required to prevent undesired events and to reduce the risks in
process units to tolerable or acceptable limits.
This standard provides guidance on the application of the LOPA for OMV Petrom refinery process
units. It describes the workflow of risk evaluation and defines responsibilities and requirements.
The principles of the methodology are in accordance with the requirements of IEC61511 Part 3,
Appendix F [03].
Scope of the Standard
The LOPA method may be applied to process risks arising from hydrocarbon and chemical process
facilities initiated by a discrete initiating event (single scenarios). It is not intended to be used for the
assessment of more general business risk, financial risk, and project risk as well as more complex
aggregated risks.
LOPA is not a stand-alone methodology for risk assessment as it requires the inputs of a previous
hazard analysis for identification of hazardous scenarios and evaluation of the potential
consequences (e.g. [04], [05]). The layer of protection analysis (LOPA) shall be used if:
- the consequences of the scenario are at or above the following critical values (equal to or greater than
  consequence level 3 as given in the OMV Corporate HSE Standard 020 [06]):
  - Personnel: serious personnel injury
  - Environment: release with local effect (outside the refining area)
  - Economic (asset or production): loss greater than 100.000 € or shut down of a unit
- a preliminary qualitative risk assessment yields that the risks are ALARP or not acceptable
- a preliminary qualitative risk assessment showed uncertainties regarding consequences or
  safeguards (prevention & mitigation)
- a safety instrumented function (SIF) is used as a risk reduction measure

The standard especially applies for the classification of Safety Instrumented Functions (SIF) which
are used in low demand mode [01] (e.g. emergency shut down systems). The standard is to be used
to determine the necessary Safety Integrity Level (SIL) or Asset Integrity Level (AIL) for each SIF.
Within this framework the usage of the standard is also recommended for operational interlocks to
show their adequacy (i.e. that they are not safety relevant). (Note: SIFs which are operated in
continuous mode are quite rare in refinery process units; the principles given in [07] shall be used.)
The standard applies for existing systems as well as for planned systems. Existing SIFs which have
been classified using any other risk evaluation system (e.g. Risk Graphs [03, 08]) may remain
untouched if the following two requirements are met: there are no doubts concerning the suitability
of the classification, and related technical standards and regulations have been checked regarding
compliance.
Rationale for Refining Standard
This standard harmonizes the available approaches throughout OMV Refining with the aim to
provide best practice and to optimize the efforts needed to achieve and maintain safe and reliable
production units. It contributes to the establishment of unambiguous and sustainable tools for
decision making and thus well-aimed investments to improve the safety and reliability of Refinery
production units.

2. Regulatory Content
The Regulatory Content of this document is structured as follows:
Table of Contents
2.1 Principles of the Layer of Protection Analysis ................................................................... 4
2.1.1 Application & Goals.............................................................................................................. 4
2.1.2 Protection layer model ......................................................................................................... 4
2.1.3 Protection layer principles .................................................................................................... 5
2.1.4 Scenario modeling ............................................................................................................... 5
2.2 Performance, responsibilities and roles ............................................................................. 6
2.2.1 Performance of LOPA .......................................................................................................... 6
2.2.2 Input Requirements.............................................................................................................. 7
2.2.3 Responsibilities for performance of risk evaluation ............................................................. 7
2.2.4 Composition of the risk evaluation team .............................................................................. 7
2.2.5 Break-off condition for LOPA assessment & nomination of representatives ....................... 9
2.3 LOPA Process ........................................................................................................................ 9
2.3.1 Administrative information.................................................................................................. 10
2.3.2 Scenario description........................................................................................................... 11
2.3.3 Identification of initiating events ......................................................................................... 11
2.3.4 Identify enabling conditions................................................................................................ 11
2.3.5 Worst reasonable foreseeable consequences................................................................... 12
2.3.6 Conditional modifiers.......................................................................................................... 12
2.3.7 Initiating risk ....................................................................................................................... 13
2.3.8 Independent Protection Layers (IPL) ................................................................................. 13
2.3.9 Calculation of residual risk ................................................................................................. 13
2.3.10 Assessment of the residual risk ......................................................................................... 14
2.3.11 Action items........................................................................................................................ 14
2.3.12 Critical aspects for realization & operation......................................................................... 15
2.4 Documentation..................................................................................................................... 15
2.5 Audit & Review..................................................................................................................... 15

2.1 Principles of the Layer of Protection Analysis
Layer of protection analysis (LOPA) is a rule-based methodology. If these rules are systematically
applied the team will create very consistent and comparable results.
LOPA evaluates risk in a semi-quantitative way. This means that the values for the frequencies and
probability used in the calculation are representative values in the sense of their magnitude.
Consequently the resulting probability of a scenario has to be understood in a semi-quantitative
manner.

2.1.1 Application & Goals


Layer of protection analysis (LOPA) is used in conjunction with hazard analysis to evaluate for
individual scenarios the necessity and effectiveness of prevention and mitigation measures. As a
methodology LOPA depends on information derived from previously performed hazard identification
and evaluation analysis. This could be HAZOP analysis [04], Management of Change [05], incident
investigation, hazard analysis in the framework of safety report or explosion document, etc.
The goal of LOPA is to evaluate whether sufficient protection layers are implemented and/or
planned to reduce the risk associated with a hazardous event to tolerable and/or acceptable limits
(see also criteria for risk acceptance and tolerance [06] and Paragraph 2.3.10). The assessment
may yield that additional protection layers are needed or not, or that the current layers need to be
improved so that they operate more reliably.
In conjunction with this refining standard the legal regulations, standards and guidelines valid in the
respective country shall be considered in the latest release (see also Local Amendments [LA03]). If
deviations or conflicts between the different legal regulations, standards and guidelines exist, and
explicit definitions are missing in this refining standard, the strictest variant is to be applied.
- Particularly, the LOPA must not be used as an argument why state-of-the-art controls or regulatory
  requirements are not applied (see also definition of ALARP as given in section 2.3.10 or [06]).

2.1.2 Protection layer model


LOPA is based on the assumption that the development of an initiating event to undesired
occurrence is hindered or mitigated by protection layers. LOPA calculates the residual risk by
evaluating the efficiency of the protection layers. The protection layer model in Figure 1
demonstrates the principle structure of risk reduction measures.
Figure 1 Protection Layer Model (figure rendered as text; layers from outermost to innermost):
- Emergency Response: Community Emergency Response; Plant Emergency Response
- Mitigation: Mechanical Mitigation Systems; Safety Instrumented Systems
- Prevention: Mechanical Protection Systems; Safety Instrumented Systems; Alarms & Operator Correction
- Operation: Process Monitoring; Operator Supervision; Process Control
- Process & Design

Typical protection layers are:
- Design of the process and plant (excluding any control or safety systems):
  - Inherently safe design
  - Reduction of hazard potential
- Operation systems (preventive):
  - Process control system (e.g. BPCS, DCS)
  - Operator supervision and control (e.g. operational alarms)
  - Process monitoring (e.g. walk around, laboratory measurements)
- Preventive safety system:
  - Safety critical alarms and corresponding operator interaction and correction
  - Safety instrumented systems (e.g. high pressure shut off)
  - Mechanical protection systems (e.g. safety valves)
- Mitigation system:
  - Safety instrumented systems (e.g. emergency isolation valves)
  - Mechanical mitigation systems (e.g. dikes)
- Internal and external emergency response system (e.g. fire brigade, evacuation). Note: usually
  they are not considered in the LOPA calculation.

2.1.3 Protection layer principles


The protection layers are part of the risk reduction philosophy which is used to manage safety
associated with operating an industrial process. For risk reduction the following principles shall be
adhered to in the given order (see also [06]):
1. Risk avoidance is given priority by minimizing inherent hazards.
2. Inherently safe design is preferred and the complexity of systems should be minimized.
3. Preventive safeguards are given priority over mitigation measures, and technical measures are given
   priority over operational measures.
4. Collective measures have priority over individual measures.
5. For any hazard which can escalate to a major accident event at least two independent, effective
   protection measures shall be present.
6. Protection prioritization is given to the following ranking: people, environment, property, interests
   of the business (incl. reputation).
For the selection of protection layers the following shall be considered:
- independence between protection layers
- diversity between protection layers (e.g. different measurement principles)
- physical separation between different protection layers (e.g. separate routing of wiring)
- common cause failures between protection layers (e.g. plugging of a sensor may also cause
  plugging of a relief valve)

2.1.4 Scenario modeling


Within the LOPA the scenarios are modeled as shown in Figure 2.

Figure 2 Scenario development (figure rendered as text). Elements of the diagram: initiating event;
enabling event or state; independent protection layers; conditional modifier; initiating risk; residual
risk; top outcome (safe); top outcome (unsafe). The thickness of the arrows represents the likelihood
of the respective condition.
- Initiating events are the starting point for a scenario. Usually this is a technical or human failure.
- Enabling events or states are preconditions which are neither failures nor protection layers but
  must be present so that the initiating event may develop into undesired outcomes.
- Independent protection layers (IPL) are auditable measures which have the capability to hinder
  the development of the scenario to the worst reasonable foreseeable outcome. They function
  either by preventing further consequences (e.g. blow down to flare) or by mitigating
  the severity of consequences (e.g. dike around tanks). The degree of independence
  determines the degree of effectiveness of the protection layer and the credit it receives for
  doing so. Within the risk analysis their effectiveness is considered in terms of reducing the
  likelihood of the worst reasonable foreseeable scenario. Though mitigation measures reduce
  the severity of the consequences, the worst reasonable foreseeable consequences are still
  possible but with a reduced likelihood.
- Conditional modifiers (CM) are conditions or coincidences which influence the probability that
  the given scenario results in the worst reasonable foreseeable consequences (e.g. probability
  of ignition, probability of personnel being in the affected area). In contrast to an Independent
  Protection Layer (IPL) a CM is not designed to perform an intended function in relation to the
  specific scenario (e.g. camera supervision which is installed to detect any unusual
  circumstances).
- The initiating risk is the combination of the frequency of the initiating event which may lead to a
  worst reasonable foreseeable outcome and the severity of that outcome. Relevant enabling
  conditions or events as well as conditional modifiers are considered.
- Residual risk is the combination of the severity of the worst reasonable foreseeable outcome
  and the likelihood of its occurrence taking into consideration all measures, conditions and
  safeguards installed.

2.2 Performance, responsibilities and roles

2.2.1 Performance of LOPA


For projected systems it is recommended to perform a preliminary evaluation at an early stage once
a process flow diagram has been completed and all of the initial process data is available. This
preliminary evaluation is important because establishing, designing and implementing of reliable
safety systems are complex tasks and can take a considerable length of time. Review of the
analysis should be done as more information becomes available and final analysis should be done
during the detailed engineering when the process instrumentation diagrams are completed.
Following the requirements from the Corporate Risk Assessment Standard [06], the LOPA evaluation
shall be reviewed in intervals of maximum five years and at relevant changes of the system,

procedures, organization or legislation as well as if significant information becomes available (e.g.
after incidents or near misses).

2.2.2 Input Requirements


The information used during a LOPA session should be limited to information which is needed to
perform the evaluation. Typically the following information needs to be present:
- technical documentation of the system to which the scenario belongs (e.g. process flow diagram
  (PFD), process instrumentation diagram (P&ID), cause & effect matrix, process description,
  operations manual, design data, material data)
- hazard identification reports (e.g. HAZID documentation [04], safety report, explosion
  document) which contain the scenario description subject to the LOPA
- description of the required safety instrumented function(s) and associated safety integrity
  requirements as identified in a preceding hazard identification
- existing SIL/AIL classification (if applicable)
- statistical information about event and failure frequencies (e.g. probability of failure of protection
  layer)

2.2.3 Responsibilities for performance of risk evaluation


The responsibilities for the performance of risk assessment during the life cycle of units are given in
the following table.
Life Cycle Phase: Responsible
- Concept phase of technical projects: Conceptual Designer
- Basic engineering phase of technical projects: Basic Designer
- Detailed engineering phase of technical projects: Project Manager
- Review & Update (periodic): Plant Manager (or Operations Manager for systems which are not
  clearly allocated to a distinct production unit)
- Review & Update (due to modifications): Initiator MoC [05]
- Decommissioning: Project Manager
Table 1 Responsibilities for performance of risk assessment during life cycle of units.
The responsible person has to ensure:
- nomination of the risk evaluation team
- scheduling of the sessions
- preparation of information and documents which are required to perform the evaluation
- distribution of the risk assessment protocols for implementation of the results (e.g. realization or
  validation of classified safety instrumented functions (SIF), realization of identified action items)
- follow up of action items which have been identified during evaluation
- appropriate archiving of the risk assessment protocols
- information of the Process Safety Engineer about planned sessions and their results

2.2.4 Composition of the risk evaluation team


Risk assessment shall be done in a team (see also [06]). The evaluation team shall consist at least
of representatives of the disciplines as given in the following table:

Function: Participation
- Risk owner (plant manager/operations manager): Mandatory (Note: for systems which are not
  clearly allocated to a distinct production unit the role of the Plant Manager shall be shifted to the
  Operations Manager)
- Risk assessment team leader (moderator): Mandatory
- Process Engineer, Technologist: One of them recommended
- Instrumentation & Control Engineer: Mandatory
- Field Engineering, Mechanical Engineer, Rotating Equipment Engineer, Inspection, Electrical
  Engineer, Quality Control Engineer: Mandatory (depending on problem)
- Occupational Safety Advisor: Optional (depending on problem)
- Process Safety Engineer: Recommended
- Independent Experts & Specialists: Invited on a part-time basis

For assessments during projects the team has to be amended by the following persons:
Function: Participation
- Conceptual Designer, Basic Designer, Project Manager (for projects only): One of them mandatory
  depending on the phase of the project (see PMS [10])
- Engineering contractor (for projects only): Technology, Process Engineering (mandatory);
  Electric & Control (mandatory); Project Manager Contractor (recommended)
Table 2 Team composition LOPA assessment
Usually the LOPA evaluation team corresponds widely to the HAZID team [04]. Therefore,
performance of the LOPA assessment during HAZID (e.g. HAZOP) sessions is strongly
recommended.
Risk owner (plant manager/operations manager)
The risk owner is always the person who has the control about the resources to amend the risk and
is accountable for the residual risk. For process risk this will be in most of the cases the plant
manager or the operations manager for more wide ranging scenarios. The risk owner is the ultimate
instance to agree on the results of the LOPA assessment (see also [06]) and approves the risk
evaluation report.
Risk evaluation team leader
A team leader shall be nominated who is responsible for leading the assessment and for checking
the risk assessment protocol. He must be familiar with the assessment procedure and must have
sufficient knowledge on process risk assessment.
If appropriate the role of the team leader can be covered by an external person. For LOPA
assessment which is done in the framework of HAZOP studies the HAZOP moderator may also take
the role of the LOPA moderator (compare also OMV Standard HAZID [04]).
Risk evaluation team
The risk assessment team shall ensure that all relevant information and knowledge is available to
evaluate the risk (i.e. hazards, possible consequences, safeguards) and to decide on the
requirement for additional actions. The accountability for the evaluation results should be aligned
with the competency of the respective person as given e.g. in their job description.
The team members should have a basic understanding of probability theory and shall be familiar
with the methodology and its rules as required by their role in the team. If the rules are not

understood and consistently applied credit for risk reduction measures may be given in the wrong
way and risks might be undervalued (safety issue) or overvalued (cost issue).
By the nomination the risk assessment team member assumes the responsibility to contribute to the
assessment with technical knowledge and expertise (e.g. failure rates, feasibility of proposed SIFs).
The accountability for results is according to the role of the team member and aligned with the
competency as given e.g. in the job description.

2.2.5 Break-off condition for LOPA assessment & nomination of representatives


Any LOPA assessment shall be broken off if one of the mandatory persons is not available or
present, or if expertise to decide on the discussed problem is missing in the team. This does not apply
to short absences during a session. The decision to break off the assessment lies with
the risk assessment team leader (moderator), the responsible person, or the risk owner.
Any mandatory person may nominate representatives who assume their role including the obligation
of participation in the sessions (restrictions to accountabilities aligned with job description and
competency of the nominated representative). Corresponding information shall be given in the team
list.

2.3 LOPA Process


The workflow of risk assessment and the LOPA evaluation process consists of several steps as
shown in Figure 3. The description of the activities for each step is given in the subsequent sections.
The process follows the workflow when entering data into the LOPA evaluation report [TA01].

Figure 3 LOPA Process Overview (flowchart rendered as a list):
Precondition to start LOPA: hazard identification & evaluation (see section 2.1)
1. Record administrative information
2. Describe the scenario
3. Identify initiating event(s)
4. Identify enabling condition(s) (if appropriate)
5. Evaluate worst reasonably foreseeable consequences
6. Identify conditional modifier (if appropriate)
7. Calculation of initiating risk
8. Specify independent protection layers (IPL) (SIF and non-SIF)
9. Calculation of residual risk
10. Is the residual risk tolerable / acceptable?
    NO: identify additional IPLs or redesign system; add action items
    YES: continue with the next step
11. Identify critical aspects for realization & operation
12. Documentation & implementation of results (see section 2.4)
13. Review (see section 2.2.1)

2.3.1 Administrative information


- Revision and date of the risk evaluation
  (document identification number if applicable)
- Short description of the scenario
- Information on allocation of the scenario to production unit and section
  (project number if applicable)
- List of documents used for reference (e.g. PID, PFD, HAZOP studies, cause & effect matrix)
  - Document title, type of document, document number, revision, status
    (document number and comment optional)
- Team list
  - Name, organization / department, function and date of the session at which the team
    member participated
    (phone, email and comments optional)

- Signatures (see also responsibilities and accountabilities 2.2.3)
  - after completion of the classification the assessment shall be signed
  - responsibility for checking the classification lies with the risk assessment leader; this
    comprises the formal check of the protocol and the suitability of the data entered
  - responsibility for approval lies with the risk owner
  - it is recommended that each team member also signs the assessment
- Summary of the risk evaluation results
  (When using the LOPA template [TA01] to this standard this will be filled in automatically)

2.3.2 Scenario description


Here a brief verbal description of the scenario shall be given. This comprises information about:
- Initiating event: description of each identified hazardous event and the factors that contribute to
  it (including human errors)
- Worst reasonable foreseeable consequences:
  - all credible outcomes should be considered (including different operation modes, e.g.:
    normal operation, start-up, shutdown, maintenance, process upset, emergency shutdown)
- Relevant safeguards for risk reduction
- If applicable this text should correspond to the HAZID report.

2.3.3 Identification of initiating events


Initiating events are those events which cause the production process to deviate from the intended
way. For the purpose here the underlying cause for the initiating event will not be further developed.
Initiating events are all reasonable foreseeable hazardous events including fault conditions and
reasonably foreseeable misuse.
The frequencies given for initiating events must be given as cases per year [case/year] or cases per
case [case/cases]. The value should represent the resulting frequency of all underlying causes
which result in the given initiating event. It is important to be clear about the dimension of these
data to allow for comparison of the resulting risk with the OMV tolerability and acceptability criteria
[06], where the frequency is consistently defined as cases per year.
If multiple initiating events result in similar consequences and also have similar protection layers it
is recommended to combine them into one evaluation (e.g. failure of a valve to close or closing of a
blind which are operated in series). In this case, the frequency of the initiating event to be used in
the risk assessment is the sum of the frequencies of these initiating events.
For very complex scenarios it is recommended to apply a fault tree analysis for the initiating event.
A catalogue of reference data for initiating events including their frequency of occurrence is given in
the appendix to this standard [SU01]. The applicability of these data has to be verified and adjusted
for the respective refinery site and the scenario under investigation (see also Local Amendment
[LA03]). (Reference data are already incorporated in the LOPA template to this standard [TA01]).

2.3.4 Identify enabling conditions


Enabling conditions are conditions or events which are required for the initiating event to develop into
undesired outcomes. Examples of such conditions are a period in a batch operation or start-up or
shut-down procedures. Certain failures might not be critical if the process is in a condition other than
the enabling condition or state.
For the LOPA calculation the specification of an enabling condition is an option which has to be entered
if applicable to the specific scenario. The dimension of the frequency value entered must correspond
to the dimension of the frequency of the initiating event so that their product has the dimension
cases per year [cases/year].
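To make the scenario model of Figure 2 (section 2.1.4) and the rules of sections 2.3.3 and 2.3.4 concrete, the following Python script is an added example; it is not part of this standard, nor of the LOPA template [TA01]. It assumes the usual LOPA convention, which this section does not spell out, that the initiating frequency is multiplied by the enabling-condition value and the conditional modifiers, and that the residual frequency is that product multiplied by the probability of failure on demand (PFD) of each IPL. All event names, frequencies, probabilities and PFDs are constructed sample values, not reference data from [SU01].

```python
"""LOPA scenario frequency calculator (added example, not part of the standard).

Assumed convention (not stated in this section): initiating frequency =
sum of initiating events x enabling condition x conditional modifiers;
residual frequency = initiating frequency x product of the IPL PFDs.
All numeric values below are constructed sample data.
"""
from dataclasses import dataclass, field
from math import prod
from typing import List, Optional, Tuple

CASE_PER_YEAR = "case/year"    # frequency per year (section 2.3.3)
CASE_PER_CASES = "case/cases"  # per-demand frequency, e.g. per start-up (section 2.3.3)
DIMENSIONLESS = "-"            # probabilities: enabling states, CMs, PFDs


@dataclass
class InitiatingEvent:
    name: str
    value: float
    unit: str = CASE_PER_YEAR


@dataclass
class EnablingCondition:
    name: str
    value: float
    unit: str  # DIMENSIONLESS probability, or CASE_PER_YEAR demand rate


@dataclass
class Scenario:
    initiating_events: List[InitiatingEvent]
    enabling: Optional[EnablingCondition] = None
    conditional_modifiers: List[Tuple[str, float]] = field(default_factory=list)
    ipls: List[Tuple[str, float]] = field(default_factory=list)  # (name, PFD)


def _check_probability(name: str, p: float) -> float:
    if not 0.0 < p <= 1.0:
        raise ValueError(f"{name}: probability/PFD must be in (0, 1], got {p}")
    return p


def combine_initiating_events(events: List[InitiatingEvent]) -> Tuple[float, str]:
    """Section 2.3.3: events with similar consequences and similar protection
    layers are combined, and their frequencies are summed. A sum is only
    meaningful when every event carries the same dimension."""
    if not events:
        raise ValueError("at least one initiating event is required")
    units = {e.unit for e in events}
    if len(units) != 1:
        raise ValueError(f"cannot sum initiating events with mixed units: {sorted(units)}")
    return sum(e.value for e in events), events[0].unit


def initiating_frequency(scenario: Scenario) -> float:
    """Likelihood part of the initiating risk (section 2.1.4), in case/year.
    Section 2.3.4: the enabling condition must complement the initiating
    event's dimension so that the product is case/year."""
    f, unit = combine_initiating_events(scenario.initiating_events)
    enabling = scenario.enabling
    if unit == CASE_PER_YEAR:
        # already per year; an enabling condition can only be a probability
        if enabling is not None:
            if enabling.unit != DIMENSIONLESS:
                raise ValueError(f"{enabling.name}: expected a dimensionless probability")
            f *= _check_probability(enabling.name, enabling.value)
    elif unit == CASE_PER_CASES:
        # per demand; needs a demand rate in case/year to become case/year
        if enabling is None or enabling.unit != CASE_PER_YEAR:
            raise ValueError("per-demand initiating event needs an enabling demand rate in case/year")
        f *= enabling.value
    else:
        raise ValueError(f"unknown unit {unit!r}")
    for name, p in scenario.conditional_modifiers:
        f *= _check_probability(name, p)
    return f


def residual_frequency(scenario: Scenario) -> float:
    """Initiating frequency reduced by the PFD of every independent protection layer."""
    return initiating_frequency(scenario) * prod(_check_probability(n, pfd) for n, pfd in scenario.ipls)


def dimension_check(scenario: Scenario) -> bool:
    """True when the initiating event and enabling condition combine to case/year."""
    try:
        initiating_frequency(scenario)
        return True
    except ValueError:
        return False


# Constructed sample: two initiating events with similar consequences and the
# same safeguards, combined as recommended in section 2.3.3.
SAMPLE = Scenario(
    initiating_events=[InitiatingEvent("control valve fails open", 0.1),
                       InitiatingEvent("bypass valve left open", 0.05)],
    conditional_modifiers=[("probability of ignition", 0.5),
                           ("personnel in affected area", 0.2)],
    ipls=[("high-pressure alarm with operator action", 0.1),
          ("pressure relief valve", 0.01)],
)

# Constructed sample: per-demand initiating event (error per start-up) times an
# enabling demand rate (start-ups per year) gives case/year (section 2.3.4).
STARTUP_SAMPLE = Scenario(
    initiating_events=[InitiatingEvent("operator error during start-up", 0.01, CASE_PER_CASES)],
    enabling=EnablingCondition("start-ups per year", 4, CASE_PER_YEAR),
    ipls=[("high-level trip (SIF)", 0.01)],
)

# Constructed sample with a dimension error: per-demand event without a demand rate.
BAD_SAMPLE = Scenario(initiating_events=[InitiatingEvent("per-demand event", 0.01, CASE_PER_CASES)])

if __name__ == "__main__":
    for s in (SAMPLE, STARTUP_SAMPLE):
        print(f"initiating {initiating_frequency(s):.2e} case/year, "
              f"residual {residual_frequency(s):.2e} case/year")
    print("dimension check of BAD_SAMPLE:", dimension_check(BAD_SAMPLE))
```

Running the script prints the initiating and residual frequencies of the two constructed scenarios and flags the third one, whose per-demand initiating event lacks the complementary demand rate required by section 2.3.4. Comparing the residual frequency against the tolerability and acceptability criteria of [06] is the step of section 2.3.10 and is left outside the example.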

2.3.5 Worst reasonable foreseeable consequences
The consequences have to be considered for the consequence to personnel, environmental and
asset. These consequence categories correspond to those given in OMV Corporate standard - Risk
Assessment and Evaluation Criteria [06] as follows:
- Personnel (P) = Human: short, medium or long-term effects on the physical or psychological
  condition of people
- Environmental (E) = Environment: short, medium or long-term impacts to environment (air,
  water, soil, fauna & flora)
- Asset (A) = Financial: short, medium or long-term losses of assets, production, sales, quality,
  or business (Note: this includes damage to assets as well as production losses)
The consequence levels which are selected shall correspond to the levels given in the Risk Matrix
for the evaluation of single scenario in OMV Corporate standard - Risk Assessment and Evaluation
Criteria [06]. (These data are already incorporated in the LOPA template to this standard [TA01]).
Consequences with respect to reputation are not considered explicitly in the LOPA, as for process
risks they are usually a subsequent loss from personnel, environmental or asset damages. In their
impact on the business they result for the most part in further financial losses (e.g. loss in revenue)
which may be considered in the Asset category of LOPA.
The level should represent the worst reasonable foreseeable outcome of the scenario without
consideration of safeguards which reduce the likelihood of occurrence. The consequences should
be assessed in a realistic manner and relevant safeguards for mitigation shall be considered
appropriately. For example, many scenarios within a production area will only cause a single fatality
since during normal operation only the field operator might be present. In a particular situation, e.g.
maintenance work, more people might be around, but the time they are present will be
limited. This aspect has to be considered by the conditional modifiers (see 2.3.6). It is the
task of the evaluation team to assess whether the normal operating condition or any other particular
situation yields the higher initiating risk.
Financial loss calculation & relevant systems to mitigate financial risks
For asset consequences a cost estimate shall additionally be given, which is the basis for the
selection of the consequence level. This may include costs due to asset damage, repair, direct
and indirect production losses, compensation, etc.
For the calculation of the financial losses, relevant redundant equipment or systems which are
dedicated to mitigating the consequence of the respective scenario shall be considered (e.g. a
redundant circulating gas compressor by which the operation of the overall system can be
continued). Corresponding information shall be given in the LOPA protocol.
If the LOPA results in the requirement to install new or updated systems in order to reduce financial
risk, the costs for installation (CAPEX) shall be weighed against the benefit for operation (OPEX)
following the principles of cost-benefit analysis (see ALARP principle 2.3.10 and [06]).

2.3.6 Conditional modifiers

Conditional modifiers are conditions or coincidences which influence the probability that the given
scenario results in the worst reasonable foreseeable consequences. Examples are the probability
of ignition or the probability of personnel being in the affected area.
Reference to conditional modifiers should only be made if they are significant and clearly defined.
Their capability for risk reduction must not be overstated.
Within the LOPA calculation the conditional modifier is considered as a reduction of the frequency
that the worst reasonable foreseeable outcome occurs. These reduction factors must be declared
separately for each of the consequence types: personnel, environmental and asset.
Guidance for the selection of conditional modifiers including reference data for their risk reduction
factor is given in the appendix to this standard [SU02]. The applicability of these data has to be
verified and adjusted for the respective refinery site and the scenario under investigation (see also
Local Amendments [LA03]). (The reference data are already incorporated in the LOPA template to
this standard [TA01]).

2.3.7 Initiating risk

Initiating risk is the combination of the severity of the potential consequences and the frequency of
occurrence due to an initiating event, with consideration of relevant enabling conditions and
conditional modifiers. No further protection layer is considered.
For the initiating risk the frequency of occurrence is the product of the frequency of the initiating
event, the probability of any enabling event or condition, and any conditional modifiers.
The initiating risk is calculated for each of the consequence categories. By comparison with the risk
acceptance and tolerability limits [06] the initiating risk can be assessed to be acceptable, ALARP or
intolerable (see also section 2.3.10).

2.3.8 Independent Protection Layers (IPL)

Independent protection layers are used to reduce process risk to acceptable or at least tolerable
limits. An independent protection layer is an (auditable) device, system, or human action which
meets the core attributes to the necessary level of rigor and is capable of preventing an initiating
cause from propagating to a hazardous event [10]. IPLs meet the following requirements:
• Effectiveness in preventing the consequence when functioning as designed
• Independence of the initiating event and of the components of any other IPL already claimed for
the same scenario (a potential reduction in the effectiveness of risk reduction due to common
cause failure between the safety layers needs to be considered in the analysis)
• Auditability, which means that the assumed effectiveness in terms of consequence prevention
must be capable of validation and/or verification by documentation, calculation, proof, review,
testing, etc.
Within LOPA the risk reduction capability of an IPL is considered by the probability that the IPL
fails on demand (PFD). Thus its effectiveness in risk reduction is expressed by the reduction of
the frequency that the scenario develops to its worst reasonable foreseeable outcome. According to
this assumption SIFs can only be considered as IPLs here if operated in low demand mode (i.e. their
demand frequency is low in comparison to the test frequency).
Effective mitigation layers (e.g. redundant systems which reduce production losses) shall be
considered in the selection of reasonable foreseeable consequences.
Typical layers of protection are process design, functions of the basic process control system
(BPCS) or distributed control system (DCS), Safety Instrumented Functions (SIF), physical
protection, or post-release protection.
In the protocol a description of the assumptions made on probable demand rates, equipment failure
rates, and of any credit taken for operational constraints or human intervention shall be given.
Guidance for the selection of Independent Protection Layers including reference data for their
probability of failure on demand (PFD) is given in the appendix to this standard [SU03]. The
applicability of these data has to be verified and adjusted for the respective refinery site and the
scenario under investigation (see also Local Amendments [LA03]). (The reference data are already
incorporated in the LOPA template to this standard [TA01].)

2.3.9 Calculation of residual risk

Residual risk is the combination of the severity of the potential consequences and the frequency that
the event occurs with consideration of all relevant enabling conditions, conditional modifiers and
independent protection layers.
For the residual risk the frequency of occurrence is the product of the frequency of the initiating
event, the probability of any enabling event or condition, any conditional modifiers and the
probability of failure on demand of the respective independent protection layers.
The following additional data are given in the LOPA template [TA01]:
• Calculation of the safety integrity level of a safety instrumented function which would be needed
to reduce the risk to acceptable or tolerable limits.
• Calculation of the LOPA gap
  • LOPA gap below 1: this is the PFD which an additional protection layer needs to reduce
the risk to acceptable or tolerable limits. Alternatively this gap may also be closed by the
improvement of the PFD of an existing protection layer.
  • LOPA gap above 1: this is the remaining safety margin by which the PFD of an existing
protection layer may be decreased or existing layers may be removed while still meeting
the acceptability and tolerability limits.
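The frequency arithmetic of 2.3.7 and 2.3.9, the LOPA gap and the classification of 2.3.10, as an added worked example that is not part of this standard or its template [TA01]. Every frequency, PFD, target limit and the overflow scenario itself are constructed placeholders, not reference data from [06] or the appendices; the SIL bands are the IEC 61511 low demand mode ranges.

```python
# LOPA frequency arithmetic for sections 2.3.7, 2.3.9 and 2.3.10. Added worked
# example, not part of the standard or its template [TA01]; every frequency,
# PFD and limit below is a constructed illustration, not reference data.
from dataclasses import dataclass, field
import math

CATEGORIES = ("P", "E", "A")  # personnel, environmental, asset (2.3.5)

@dataclass
class Scenario:
    initiating_event_frequency: float            # [cases/year]
    enabling_condition_probability: float = 1.0  # dimensionless, 1.0 if none
    conditional_modifiers: dict = field(default_factory=dict)  # per category (2.3.6)
    ipls: dict = field(default_factory=dict)     # IPL name -> PFD, low demand (2.3.8)

def initiating_frequency(s, category):
    """Frequency of the worst reasonable foreseeable outcome after enabling
    condition and conditional modifiers, with no IPL credit (2.3.7)."""
    return (s.initiating_event_frequency * s.enabling_condition_probability
            * math.prod(s.conditional_modifiers.get(category, ())))

def residual_frequency(s, category):
    """Initiating frequency further reduced by the PFD of every IPL (2.3.9)."""
    return initiating_frequency(s, category) * math.prod(s.ipls.values())

def lopa_gap(s, category, target_frequency):
    """target / residual: below 1 it is the PFD an additional layer must
    provide, above 1 the remaining safety margin (2.3.9)."""
    return target_frequency / residual_frequency(s, category)

def required_sil(gap):
    """Map a gap below 1 onto the IEC 61511 low demand SIL bands (SIL 1: PFD
    1e-2..1e-1, SIL 2: 1e-3..1e-2, SIL 3: 1e-4..1e-3, SIL 4: 1e-5..1e-4).
    0 means no SIL-rated SIF is needed: the gap is already >= 1, or the missing
    risk reduction is below a factor of 10 and belongs to a non-SIL layer."""
    if gap >= 1e-1:
        return 0
    for sil, lower_bound in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if gap >= lower_bound:
            return sil
    raise ValueError("required risk reduction exceeds SIL 4: revisit the design")

def assess(frequency, acceptable_limit, tolerable_limit):
    """Classify a frequency against the risk matrix limits (2.3.10)."""
    if frequency <= acceptable_limit:
        return "acceptable"
    return "ALARP" if frequency <= tolerable_limit else "intolerable"

# Constructed scenario: loss of level control leading to tank overflow, only
# credible during start-up (enabling condition). Numbers are illustrative.
EXAMPLE = Scenario(
    initiating_event_frequency=1.0,      # BPCS level loop failure, 1 case/year
    enabling_condition_probability=0.2,  # fraction of the year spent in start-up
    conditional_modifiers={"P": [0.1, 0.5],  # ignition, occupancy of the area
                           "E": [0.1],       # ignition
                           "A": [0.1]},      # ignition
    ipls={"high level alarm with operator response": 0.1},
)
TARGETS = {"P": 3e-6, "E": 1e-4, "A": 1e-2}  # tolerable limits; real ones from [06]

def evaluate(s=EXAMPLE, targets=TARGETS):
    """Residual frequency, LOPA gap and required SIL for each category."""
    return {cat: (residual_frequency(s, cat), lopa_gap(s, cat, targets[cat]),
                  required_sil(lopa_gap(s, cat, targets[cat]))) for cat in CATEGORIES}
```

With the constructed numbers the personnel category needs a SIL 2 function, the environmental category a SIL 1 function, and the asset category already carries a margin of 5.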

2.3.10 Assessment of the residual risk

The results of the risk evaluation shall be compared against the defined risk acceptability criteria
[06]. Risk may be evaluated to be:
Acceptable: These are broadly acceptable risks (green area in the risk matrix). Typically these
would be comparable to average daily living risks. Further risk reduction can be
requested by line management, legislative requirements, state of the art or for
continuous improvement and optimization.
ALARP: These are tolerable risks (yellow area in the risk matrix) as long as they fulfill the
following criteria:
• Risk reduction is impracticable or its costs are grossly disproportionate to the
improvement gained (i.e. there is a trade-off between the costs of risk reduction and
the benefits obtained which can be demonstrated through cost-benefit analysis).
• The risk controls correspond to legislative requirements and relevant good practice,
and all aspects and measures are thoroughly known.
• The risk is periodically reviewed (see 2.2.1).
Intolerable: These are unacceptable risks (red area in the risk matrix). Additional measures are
required to reduce them at least to ALARP. These measures have to be implemented
even if they require significant resources or fundamental changes in the activities and
systems.
The risk evaluation shall be completed by checking the need for additional risk reduction measures.
They may be required:
• if requested by law or state of the art, regardless of whether the risk evaluation yields tolerable
or acceptable risks
• if the residual risk is considered intolerable
• if the residual risk does not fulfill the ALARP criteria
• if requested by line management for continuous improvement

2.3.11 Action items

The risk evaluation shall be completed by checking the need for additional risk reduction measures
to achieve the required safety. They may be required:
• if requested by legislation or state of the art, regardless of whether the risk evaluation yields
tolerable or acceptable risks
• if the residual risk is considered intolerable
• if the residual risk does not fulfill the ALARP criteria
• if requested by line management for continuous improvement
For the specification of additional risk reduction measures the risk reduction philosophy (see 2.1.3)
has to be adhered to (e.g. re-rating by calculation if a design is capable of higher pressures instead
of installing a safety instrumented function).
If further risk reduction is required these measures shall be recorded in the action item list. The
action item list shall comprise at least the following information:
• Number, responsible, action item and due date

2.3.12 Critical aspects for realization & operation
The information given here should specify basic requirements which need to be addressed in
engineering and operation of the system:
• Legal requirements: all relevant legislation which applies to the scenario or the system
configuration (e.g. Seveso Directive, ATEX99 Directive)
• Applicable standards: relevant standards which apply to the scenario or the system
configuration (e.g. EN746-2, EN61508)
• Interlock sequences: verbal description of the conditions which initiate the identified safeguards
to react and of the actions which are required to bring the system into safe conditions (i.e.
cause and effect)
• Operational requirements: basic requirements for operating the system such as operational
bypass (e.g. start-up), set-points, switches/alarms/pre-alarms, response time, principle
architecture, test intervals; only that information should be given here which is critical for
operation and which shall be explicitly considered in engineering; more detailed requirements
will be given in the functional specification of the respective system

2.4 Documentation
The assumptions and the results of the LOPA assessment shall be recorded in a LOPA sheet. It is
recommended to use the LOPA template related to this standard [TA01]. If alternative records are
prepared, the information which is described above and indicated in the template shall be given as
a minimum.
If Safety Instrumented Functions (SIF) are required to achieve the necessary risk reduction, the
LOPA report is part of the documentation required by the safety plan.

2.5 Audit & Review

Audit and review are used to evaluate the quality of the implementation of this standard. The results
of audit and review will be used for continuous improvement of the procedure and its application.
The following minimum criteria shall be considered in audit and review:
• Was the risk assessment documented properly?
• Is the information given in the risk assessment report understandable and sufficient for follow-up?
• Is the evaluation sound and sufficient?
• Were the frequency and PFD data used correctly?
• Are the selected frequency and PFD data appropriate to the given situation?
• Were all hazards fully identified?
• Were all reasonable foreseeable consequences identified?
• Is the financial loss calculation understandable and realistic (if appropriate)?
• Was the risk judgment appropriate, and were any necessary further actions to reduce the risk
identified?
• Were identified actions completed and their results incorporated accordingly?
• Are the risk controls state of the art?
• Are the risk controls recognized for all consequences?
• Does the documented risk assessment correspond to the actual as-built situation?
• Does the team cover all required disciplines and is it sufficiently competent?
• Are the results of the risk assessment implemented accordingly?
• Are the results of the risk assessment communicated to stakeholders?

3. Terms and Abbreviations
Term: Definition
Asset Integrity Level: The asset integrity level is a measure for a safety instrumented function to
reduce the risk of potential economic loss caused by system failure.
Basic Process Control System: System which responds to input signals from the process, its
associated equipment, other programmable systems and/or an operator and generates output
signals causing the process and its associated equipment to operate in the desired manner. The
BPCS does not perform any safety instrumented function with a claimed SIL ≥ 1 and its failure
does not affect the core attributes of any safety instrumented function.
Conditional Modifiers: see chapter 2.3.6
Distributed Control System: A system which divides process control functions into specific areas
interconnected by communications to form a single entity. A DCS does not perform any safety
instrumented function with a claimed SIL ≥ 1 and its failure does not affect the core attributes of
any safety instrumented function.
Frequency: Number of occurrences of an event per unit time [10].
Functional Safety: Part of the overall safety relating to the process and the basic process control
system which depends on the correct functioning of the safety instrumented systems and other
protection layers [01].
Independent Protection Layer: see chapter 2.3.8
Likelihood: A measure of the expected probability [case/cases] or frequency [case/year] of
occurrence of an event [10].
Mitigation: Action causing a consequence to be less severe [10].
Prevention: The act of causing an event not to happen [10].
Probability: Expression of the likelihood of success or failure of an event on demand. Probability is
expressed as a dimensionless number ranging from 0 to 1 [10].
Safeguard: Any engineered system or administrative control that would likely interrupt the chain of
events following an initiating cause or mitigate its consequence [10].
Safety Instrumented Function: Safety function with a specified safety integrity level which is
necessary to achieve functional safety and which can be either a safety instrumented protection
function or a safety instrumented control function [01].
Safety Integrity Level: Discrete level (one out of four) for specifying the safety integrity requirements
of the safety instrumented functions to be allocated to the safety instrumented systems. Safety
integrity level 4 has the highest level of safety integrity; safety integrity level 1 has the lowest [01].
Single scenario: A scenario based on a discrete initiating event which has been identified in a
hazard analysis. The consequence of a single scenario may also be derived from other single
scenarios. From the process point of view it is not useful to develop the initiating event of a single
scenario (e.g. pump failure) into further primary events (break of shaft, failure of motor, etc.).

Abbreviation: Meaning
AIL: Asset Integrity Level
ALARP: As Low As Reasonably Practicable
BPCS: Basic Process Control System
DCS: Distributed Control System
FSM: Functional Safety Management
HAZID: Hazard identification
HAZOP: Hazard and operability analysis
IPL: Independent Protection Layer
LOPA: Layer of Protection Analysis
SIF: Safety Instrumented Function
SIL: Safety Integrity Level

4. Keywords (Search Criteria, Search Terms)


Process Risk Evaluation, Process Safety, Functional Safety, Safety Instrumented Function

5. Local Amendments, Sub-Documents & References


Local Amendments
[LA01] Local Amendment MR-S
[LA02] Local Amendment MR-B
[LA03] Local Amendment Petrom OMV Refining - Petrobrazi
Sub-Documents
[SU01] Appendix A: Catalogue of reference data for initiating events and their frequency of
occurrence (recommended)
[SU02] Appendix B: Catalogue of reference data for conditional modifiers and their risk reduction
factor (recommended)
[SU03] Appendix C: Catalogue of reference data for Independent Protection layers including
their probability of failure on demand (recommended)
[SU04] Appendix D: Worked examples of typical risk solutions for OMV Refining (recommended)
Templates
[TA01] Template: Layer of Protection Analysis (recommended)
References
[01] IEC 61511-1; Functional safety - Safety instrumented systems for the process industry
sector - Part 1: Framework, definitions, system, hardware and software requirements;
01.2003
[02] IEC 61511-2; Functional safety - Safety instrumented systems for the process industry
sector - Part 2: Guidelines for the application of IEC61511-1; 07.2003
[03] IEC 61511-3; Functional safety - Safety instrumented systems for the process industry
sector - Part 3: Guidance for the determination of the required safety integrity levels;
03.2003
[04] OMV Refining Standard 4041: Hazard Identification for Process Units
[05] OMV Refining Standard 4040: Management of Change
[06] OMV Corporate HSE Standard 020: Risk Assessment and Evaluation Criteria
[07] EN62061: Safety of machinery - Functional safety of electrical, electronic and
programmable control systems; 2005
[08] VDI/VDE 2180: Sicherung von Anlagen der Verfahrenstechnik mit Mitteln der
Prozessleittechnik (PLT); Part 1 - 3; 2007 (German only)
[09] OMV Refining Standard 5000: Project Management System for Technical Projects
[10] Guidelines for Safe and Reliable Instrumented Protective System; CCPS/AIChE; 2007

6. Obsolete Regulations
None

7. Amendments from Previous Versions


Date Comment
30.11.2009 New publication
