
LOPA / SIL Classification

LOPA / SIL Assessment For :-


COKER PLANT NEW VAPOR RECOVERY UNIT (VRU)
SUEZ OIL PROCESSING COMPANY (SOPC)

1 DNV GL © SAFER, SMARTER, GREENER


Agenda for LOPA Workshop Wednesday 19 August 2015

• 9:00 AM to 9:30 AM Project Briefing & Scope of LOPA Study
• 9:30 AM to 10:00 AM LOPA Introduction Presentation
• 10:00 AM to 10:15 AM Coffee Break
• 10:15 AM to 12:00 PM LOPA Workshop 1st Session
• 12:00 PM to 1:00 PM Lunch Break
• 1:00 PM to 3:00 PM LOPA Workshop 2nd Session
• 3:00 PM to 3:15 PM Coffee Break
• 3:15 PM to 5:00 PM LOPA Workshop 3rd Session

LOPA / SIL Classification Presentation

Objectives

• To establish the minimum allowable level of safety integrity (SIL) for each safety instrumented function in terms of Probability of Failure on Demand (PFD)
• Classification will account for risk to Safety, Environment and Commercial.
• Safety Integrity Levels (SIL) are measures of the safety of a given process Control Measure – Safety Instrumented Function (SIF).
• The specifics of this measurement are outlined in the standards IEC 61508, IEC 61511.

SIL Classification by LOPA

• LOPA (Layer of Protection Analysis) is the newest and most highly accepted method of risk evaluation of this decade.
• LOPA is a semi-quantitative technique and applies much more rigor than HAZOP alone.
• LOPA examines the safeguards identified in the HAZOP and determines whether the current safeguards are enough and whether proposed safeguards are warranted.
• LOPA determines the required Integrity Level (SIL) for the assigned SIF.
• It removes the subjectivity of operating procedures versus automated interlocks.

Output from this Phase of the Lifecycle

SIS (Safety Instrumented System)

• Safety functions requirements: the safety functions that have to be performed
• Safety integrity requirements: the integrity with which the safety functions have to be performed

Risk Reduction Principles

[Figure: risk scale (increasing risk) marking the actual remaining risk, the tolerable risk target and the process risk, with the necessary risk reduction and the actual risk reduction shown between them. Labelled elements: consequences of hazardous event; frequency of hazardous event; external risk reduction facilities; BPCS alarm with operator response; E/E/PE safety related systems.]

Safety Integrity Levels (SIL)

SIF Target Integrity Level

• The Target Integrity Level
• The target integrity of a SIF is determined from the highest of the three assessments:
  – Safety
  – Environment
  – Asset
• Target Integrity Level = maximum (SIL, EIL, CIL)
• The SIF must be designed to achieve the highest target Integrity Level

LOPA Onion

Mapping HAZOP Data to LOPA Data

• LOPA Data Required

LOPA Elements

• Impact event
• Severity level
• Initiating cause
• Initiation likelihood
• Protection layers
  – General process design
  – BPCS
  – Alarms
• Additional mitigation
  – Bunds
  – Relief valves
• Intermediate event likelihood
• Mitigated event likelihood

LOPA Maximum Frequency of Mitigated Event Likelihood/yr
(Severity Level) – Personal Safety

| Defined Severity Level | Safety Consequence Descriptors | Maximum Frequency of Mitigated Event Likelihood/yr |
|---|---|---|
| Minor (Ms), Moderate | Serious injury to employee (probability of death <10%) | 1 x 10^-4 |
| Serious (Ss), SIGNIFICANT | Potential loss of life of one or more employees (probability of death > 10%). Serious injury to member of public (probability of death <10%) | 1 x 10^-5 |
| Extensive (Es), SEVERE | Potential loss of life of many employees (3 - 10). Potential loss of life of one or more members of the public (probability of death > 10%). | 1 x 10^-6 |
| Catastrophic (Cs) | Potential loss of life of many people (10 - 100) | Use QRA |

LOPA Maximum Frequency of Mitigated Event Likelihood/yr
(Severity Level) - Environmental

| Defined Severity Level | Environmental Consequence Descriptors | Maximum Frequency of Mitigated Event Likelihood/yr |
|---|---|---|
| Minor (Ms), NOTICEABLE | NOTICEABLE - On site reportable - A release with minor damage that is not very severe, but is large enough to be reported to plant management, e.g.: - A moderate leak from a flange or valve. - Small scale liquid spill. - Small scale soil pollution without affecting ground water | 3 x 10^-3 |
| Serious (Ss), SIGNIFICANT | On site short term - A release within the site boundary or process building with significant damage, e.g.: - A cloud of obnoxious vapor travelling beyond the unit following flange gasket blow-out or major seal failure. Major breach of permitted emission limits with possibility of prosecution. | 3 x 10^-4 |
| Extensive (Es), SEVERE | A release outside the site boundary with major damage, which can be cleaned up readily, with no significant lasting consequences, e.g.: - A vapour or aerosol release with or without liquid fallout that exceeds discharge limits (that would lead to prosecution) or causes temporary damage to plants. | 3 x 10^-5 |
| Catastrophic (Cs) | MAJOR TO CATASTROPHIC - Widespread long term - Release outside the fence with major damage, which cannot be cleaned up quickly or with lasting consequences, | 3 x 10^-6 |

LOPA Maximum Frequency of Mitigated Event Likelihood/yr
(Severity Level) - Financial

| Defined Severity Level | Commercial Consequence Descriptors (total of: Asset loss, Product Loss, Production downtime loss & Rebuild Cost) | CBA Based on Incident Frequency/year |
|---|---|---|
| Minor (Ms), Moderate | $10K to <$100K | 3 x 10^-1 |
| Serious (Ss), SIGNIFICANT | $100K to <$1000K | 3 x 10^-2 |
| Extensive (Es), SEVERE | $1000K to < $10M | 3 x 10^-3 |
| Catastrophic (Cs) | $10M to < $100M | 3 x 10^-4 |

LOPA Initiating Event (Cause) Frequency Values

| Initiating Cause | Initiating Likelihood (per yr) | Initiating Likelihood Comment |
|---|---|---|
| Failure of control system | 0.1 | Based on control system failure |
| Closure of control valve | 0.08 | Failure to regulate for globe control valve in gas service |
| Closure of PSD valve in downstream system | 0.08 | Spurious operation of process control valve in gas service |
| Closure of ESD valve | 0.06 | Spurious operation of ESD ball valve in gas service |
| Blockage in control valve, e.g. from hydrate formation | 0.2 | Based on once in 5 years operating experience |
| Operator Error (routine task with written procedure) | See comment | 0.1 per opportunity |

LOPA Possible Independent Protection Layers (IPLs) and Their
Associated PFDs

IPL column headings on the slide: General Process Design; Basic Process Control System; Alarms & Response Failure; Additional IPL Giving Protection/Mitigation.

| IPL Comment | PFD |
|---|---|
| Based on lines being tested to 150% of design pressure | 0.1 |
| Based on control system operating | 0.1 |
| Control of pipeline pressure at gas plant | 0.1 |
| Pressure control system maintains downstream pressure | 0.1 |
| Process alarm allows time for operator response (response time less than approx 10 mins) adjacent to corrective device | 0.3 |
| Process alarm allows time for operator response (response time greater than approx 10 mins) | 0.1 |
| Standalone shutdown system. SIL 1 pushbutton | Average credit 0.03 (between 0.1 and 0.01) |
| Relief Valve with 12 month test period | 0.01 |

Initiating Events Examples (Causes From The HAZOP)

LOPA Independent Protection Layers (IPLs)

• Must have the following characteristics:

• Specific
A PL is designed to prevent or mitigate the consequences of one potentially hazardous event. Multiple causes may lead to the same hazardous event, and therefore multiple event scenarios may initiate action by a PL.

• Independent
A PL is independent of other protection layers if it can be demonstrated that there is no potential for common cause or common mode failure with any other claimed PL.

• Dependable
The PL can be counted on to do what it was designed to do by addressing both random failures and systematic failures during its design.

• Auditable
A PL is designed to facilitate regular validation of the protective functions.

Basic Rules Of BPCS & Alarms

Rules For Pressure Relief Devices (PSVs)

LOPA Process

• Steps

LOPA Risk Equation

• Intermediate event likelihood
  = frequency of hazardous event without the SIF
  = frequency of initiating event
    × proportion of time exposed
    × probability of failure of other protection layers (= P1 × P2 × P3 × P4 × P5)

• Mitigated event likelihood
  = target maximum frequency for hazardous event of assessed severity level (set by corporate risk criteria)
  = frequency of hazardous event with the SIF
  = intermediate event likelihood × PFD of SIF

Mitigated event likelihood = Intermediate event likelihood × PFD_SIF

PFD_SIF ≤ (Target mitigated event likelihood) / (Intermediate event likelihood)
Using Enabling Factors / Conditional Modifiers

• Typical Enabling Factors used during SIL assessment of a SIF:

1- Probability Of Ignition
2- Occupancy Factor
  – Workers are present all the time: Presence Factor = 1
  – Workers are present for less than 12 hours per day = 0.5
  – Workers are present for 1-2 hours per day = 0.1
3- Operational
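
The risk equation and enabling factors above, carried through for one scenario and combined with the rule Target Integrity Level = maximum (SIL, EIL, CIL). This is an added example, not part of the original presentation: the scenario is constructed from values in the slide tables, the SIL bands are the IEC 61508/61511 low-demand PFD ranges, and applying ignition and occupancy factors only to the safety category is an assumption.

```python
from math import prod

def intermediate_likelihood(init_freq, enabling, ipl_pfds):
    """Frequency (/yr) of the hazardous event without the SIF."""
    return init_freq * prod(enabling) * prod(ipl_pfds)

def max_sif_pfd(target_freq, intermediate):
    """PFD_SIF <= target mitigated likelihood / intermediate likelihood."""
    return min(1.0, target_freq / intermediate)

def required_level(pfd_max):
    """Integrity level whose PFD band satisfies pfd_max (0 = none needed).

    Bands are the IEC 61508/61511 low-demand ranges (SIL n: 10^-(n+1) to
    10^-n); a value exactly on a boundary is pushed to the higher level.
    """
    return sum(pfd_max <= 10.0 ** -n for n in (1, 2, 3, 4))

def classify(init_freq, ipl_pfds, categories):
    """categories maps name -> (target frequency /yr, enabling factors)."""
    levels, pfds = {}, {}
    for name, (target, enabling) in categories.items():
        iel = intermediate_likelihood(init_freq, enabling, ipl_pfds)
        pfds[name] = max_sif_pfd(target, iel)
        levels[name] = required_level(pfds[name])
    return levels, pfds, max(levels.values())

# Constructed scenario using values from the slide tables (assumed pairing).
INIT_FREQ = 0.08   # closure of control valve, per yr
IPL_PFDS = [0.1]   # process alarm, operator response time > approx 10 mins
CATEGORIES = {
    "SIL": (1e-5, [0.3, 0.5]),  # Serious (Ss); ignition 0.3, occupancy 0.5
    "EIL": (3e-4, []),          # Serious (Ss) environmental target
    "CIL": (3e-3, []),          # Extensive (Es) commercial target
}

if __name__ == "__main__":
    levels, pfds, target = classify(INIT_FREQ, IPL_PFDS, CATEGORIES)
    for name in levels:
        print(f"{name}: PFD_SIF <= {pfds[name]:.2e} -> level {levels[name]}")
    print("Target integrity level =", target)
```
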

Typical Ignition Probabilities

| Offshore Situation | Immediate Ignition | Delayed Ignition |
|---|---|---|
| Congested Plus Hot Work | 0.7 | 0.3 |
| Congested without Hot Work | 0.35 | 0.65 |
| Non Congested Plus Hot Work | 0.5 | 0.5 |
| Non Congested without Hot Work | 0.35 | 0.65 |

| Type Of Release | Immediate Ignition | Delayed Ignition |
|---|---|---|
| Material above Auto ignition / Pyrophoric | 1 | 0 |
| Release of heavy liquids | 0.1 | 0.9 |
| Volatile liquids | 0.2 | 0.8 |
| Flammable Gas / Liquids | 0.3 | 0.7 |

Basic Rules For Safety Instrumented Systems (SIS)

LOPA Worksheet

References

Thank you for your attention

Risk Management Advisory


www.dnvgl.com
+2 2252 87295 254
