Layers of protection analysis (LOPA) is a technique for evaluating the hazards, risks and layers of protection associated with a system, such as a chemical process plant. In terms of complexity and rigour LOPA lies between qualitative techniques such as hazard and operability studies (HAZOP) and quantitative techniques such as fault trees and event trees. [1] LOPA is used to identify scenarios that present the greatest risk and assists in considering how that risk could be reduced.
LOPA is a risk assessment technique that uses rules to evaluate the frequency of an initiating event, the independent protection layers (IPL), and the consequences of the event. LOPA aims to identify the countermeasures available against the potential consequences of a risk. An IPL is a device, system or action that prevents a scenario from escalating. The effectiveness of an IPL is quantified by its probability of failure on demand (PFD), in the range 0 to 1. [2] An IPL must be independent of the other protective layers and its functionality must be capable of validation. [3]
LOPA was developed in the 1990s in the chemical process industry but has found wider application. [4] In functional safety, LOPA is often used to allocate a safety integrity level to instrumented protective functions. When this occurs in the context of the analysis of process plants, LOPA generally leverages the results of a preceding HAZOP. [1] LOPA is complementary to HAZOP and can generate a second in-depth analysis of a scenario, which can be used to challenge the HAZOP findings in terms of failure events and safeguards. [3]
Safety protection systems for a process plant typically comprise eight layers: [2]
Layer of protection | Protection measure | Examples | Safeguards |
---|---|---|---|
Layer 1 | Process design | Design to standards, inherently safer design | Preventive safeguards |
Layer 2 | Basic controls | Process controls, process alarms (yellow), operator supervision | Preventive safeguards |
Layer 3 | Critical alarms | Process alarms (red), operator intervention | Preventive safeguards |
Layer 4 | Automatic actions | Shutdown, emergency shutdown (ESD) | Preventive safeguards |
Layer 5 | Physical protection | Relief valves, rupture discs, fire and gas system | Mitigative safeguards |
Layer 6 | Physical protection | Firewalls, dikes, berms, bunds (local containment) | Mitigative safeguards |
Layer 7 | Plant emergency response | Emergency response teams, muster, evacuation | Mitigative safeguards |
Layer 8 | Community emergency response | Warning, evacuation, emergency services | Mitigative safeguards |
LOPA is used to determine how a process deviation can lead to a hazardous event if not interrupted by an IPL. [2]
LOPA is a risk assessment undertaken on a 'one cause–one consequence' pair. The steps of a LOPA risk assessment are: [4]
Consequence categories are graded by effect on reputation (Negligible, Marginal, Critical, Catastrophic) with an indicative cost for each; the risk rating for each frequency band and consequence is:
Frequency | Indicative rate | Negligible ($0.1m) | Marginal ($1.0m) | Critical ($10m) | Catastrophic (≥$50m) |
---|---|---|---|---|---|
Improbable | 1/100/yr | Low | Medium | Medium | Serious |
Remote | 1/50/yr | Low | Medium | Medium | Serious |
Occasional | 1/10/yr | Low | Medium | Serious | High |
Probable | 1/2/yr | Medium | Serious | High | High |
Frequent | 1/½/yr | Medium | Serious | High | High |
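The following is an added worked example (not part of the original article) that puts the IPL/PFD arithmetic and the risk matrix above into code: it multiplies an initiating-event frequency by the PFDs of the independent protection layers, places the mitigated frequency in one of the page's frequency bands, looks up the rating for a consequence category, and sizes the SIL of an additional safety instrumented function needed to reach a tolerable frequency. The banding rule (a frequency falls in the lowest band whose indicative rate is at least that frequency, with 1/½/yr read as 2/yr) and the IEC 61508/61511 low-demand SIL bands are assumptions not stated on the page; the scenario values are constructed.

```python
from math import prod

# Consequence categories from the page's risk matrix (columns, left to right).
CONSEQUENCES = ["Negligible", "Marginal", "Critical", "Catastrophic"]

# Frequency bands with the page's indicative rate per year. Assumption (not on
# the page): a computed frequency falls in the lowest band whose rate is >= it;
# anything above 2/yr (the page's 1/half-year band) is Frequent.
FREQUENCY_BANDS = [("Improbable", 1 / 100), ("Remote", 1 / 50),
                   ("Occasional", 1 / 10), ("Probable", 1 / 2), ("Frequent", 2.0)]

# Risk rating per frequency band, indexed by consequence, copied from the matrix.
RISK_MATRIX = {
    "Improbable": ["Low", "Medium", "Medium", "Serious"],
    "Remote":     ["Low", "Medium", "Medium", "Serious"],
    "Occasional": ["Low", "Medium", "Serious", "High"],
    "Probable":   ["Medium", "Serious", "High", "High"],
    "Frequent":   ["Medium", "Serious", "High", "High"],
}

# IEC 61508/61511 low-demand SIL bands: (SIL, PFDavg lower bound, upper bound).
SIL_BANDS = [(1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4)]

def mitigated_frequency(initiating_freq, ipl_pfds):
    """Frequency of the consequence after the IPLs. Because each IPL is
    independent of the others, its PFD multiplies the frequency reaching it."""
    if any(not 0.0 <= p <= 1.0 for p in ipl_pfds):
        raise ValueError("an IPL PFD must lie in [0, 1]")
    return initiating_freq * prod(ipl_pfds)

def frequency_band(freq):
    return next((name for name, rate in FREQUENCY_BANDS if freq <= rate), "Frequent")

def risk_rating(freq, consequence):
    return RISK_MATRIX[frequency_band(freq)][CONSEQUENCES.index(consequence)]

def required_sil(mitigated_freq, tolerable_freq):
    """SIL band for one added SIF that would close the gap to the tolerable
    frequency; 0 if no SIF is needed, None if the gap exceeds SIL 4."""
    if mitigated_freq <= tolerable_freq:
        return 0
    pfd_needed = tolerable_freq / mitigated_freq
    return next((s for s, lo, hi in SIL_BANDS if lo <= pfd_needed < hi), None)

if __name__ == "__main__":
    # Constructed scenario: control-loop failure (0.1/yr) leads to vessel overpressure;
    # IPLs: operator response to a critical alarm (PFD 0.1), relief valve (PFD 0.01).
    f = mitigated_frequency(0.1, [0.1, 0.01])
    print(frequency_band(f), risk_rating(f, "Catastrophic"), required_sil(f, 2e-6))
```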
Although the LOPA methodology started in the process industry, the technique can be used in other fields, including: [4]
Risk management is the identification, evaluation, and prioritization of risks, followed by the minimization, monitoring, and control of the impact or probability of those risks occurring.
Safety engineering is an engineering discipline which assures that engineered systems provide acceptable levels of safety. It is strongly related to industrial engineering/systems engineering, and the subset system safety engineering. Safety engineering assures that a life-critical system behaves as needed, even when components fail.
Fault tree analysis (FTA) is a type of failure analysis in which an undesired state of a system is examined. This analysis method is mainly used in safety engineering and reliability engineering to understand how systems can fail, to identify the best ways to reduce risk and to determine event rates of a safety accident or a particular system level (functional) failure. FTA is used in the aerospace, nuclear power, chemical and process, pharmaceutical, petrochemical and other high-hazard industries, but is also used in fields as diverse as risk factor identification relating to social service system failure. FTA is also used in software engineering for debugging purposes and is closely related to the cause-elimination technique used to detect bugs.
Risk assessment determines possible mishaps, their likelihood and consequences, and the tolerances for such events. The results of this process may be expressed in a quantitative or qualitative fashion. Risk assessment is an inherent part of a broader risk management strategy to help reduce any potential risk-related consequences.
Failure mode and effects analysis is the process of reviewing as many components, assemblies, and subsystems as possible to identify potential failure modes in a system and their causes and effects. For each component, the failure modes and their resulting effects on the rest of the system are recorded in a specific FMEA worksheet. There are numerous variations of such worksheets. An FMEA can be a qualitative analysis, but may be put on a quantitative basis when mathematical failure rate models are combined with a statistical failure mode ratio database. It was one of the first highly structured, systematic techniques for failure analysis. It was developed by reliability engineers in the late 1950s to study problems that might arise from malfunctions of military systems. An FMEA is often the first step of a system reliability study.
Probabilistic risk assessment (PRA) is a systematic and comprehensive methodology to evaluate risks associated with a complex engineered technological entity or the effects of stressors on the environment.
In functional safety, safety integrity level (SIL) is defined as the relative level of risk-reduction provided by a safety instrumented function (SIF), i.e. the measurement of the performance required of the SIF.
A hazard analysis is one of many methods that may be used to assess risk. At its core, the process entails describing a system object that intends to conduct some activity. During the performance of that activity, an adverse event may be encountered that could cause or contribute to an occurrence. Finally, that occurrence will result in some outcome that may be measured in terms of the degree of loss or harm. This outcome may be measured on a continuous scale, such as an amount of monetary loss, or the outcomes may be categorized into various levels of severity.
In functional safety a safety instrumented system (SIS) is an engineered set of hardware and software controls which provides a protection layer that shuts down a chemical, nuclear, electrical, or mechanical system, or part of it, if a hazardous condition is detected.
A hazard and operability study (HAZOP) is a structured and systematic examination of a complex system, usually a process facility, in order to identify hazards to personnel, equipment or the environment, as well as operability problems that could affect operations efficiency. It is the foremost hazard identification tool in the domain of process safety. The intention of performing a HAZOP is to review the design to pick up design and engineering issues that may otherwise not have been found. The technique is based on breaking the overall complex design of the process into a number of simpler sections called nodes which are then individually reviewed. It is carried out by a suitably experienced multi-disciplinary team during a series of meetings. The HAZOP technique is qualitative and aims to stimulate the imagination of participants to identify potential hazards and operability problems. Structure and direction are given to the review process by applying standardized guideword prompts to the review of each node. A relevant IEC standard calls for team members to display 'intuition and good judgement' and for the meetings to be held in "an atmosphere of critical thinking in a frank and open atmosphere [sic]."
A job safety analysis (JSA) is a procedure that helps integrate accepted safety and health principles and practices into a particular task or job operation. The goal of a JSA is to identify potential hazards of a specific role and recommend procedures to control or prevent these hazards.
Process safety is an interdisciplinary engineering domain focusing on the study, prevention, and management of large-scale fires, explosions and chemical accidents in process plants or other facilities dealing with hazardous materials, such as refineries and oil and gas production installations. Thus, process safety is generally concerned with the prevention of, control of, mitigation of and recovery from unintentional hazardous materials releases that can have a serious effect on people, plant and/or the environment.
A process hazard analysis (PHA) (or process hazard evaluation) is an exercise for the identification of hazards of a process facility and the qualitative or semi-quantitative assessment of the associated risk. A PHA provides information intended to assist managers and employees in making decisions for improving safety and reducing the consequences of unwanted or unplanned releases of hazardous materials. A PHA is directed toward analyzing potential causes and consequences of fires, explosions, releases of toxic or flammable chemicals and major spills of hazardous chemicals, and it focuses on equipment, instrumentation, utilities, human actions, and external factors that might impact the process. It is one of the elements of OSHA's program for Process Safety Management.
The technique for human error-rate prediction (THERP) is a technique used in the field of Human Reliability Assessment (HRA) to evaluate the probability of human error occurring throughout the completion of a task. From such an analysis, corrective measures can be taken to reduce the likelihood of errors occurring within a system. The overall goal of THERP is to apply and document probabilistic methodological analyses to increase safety during a given process. THERP is used in fields such as error identification, error quantification and error reduction.
A hazard is a potential source of harm. Substances, events, or circumstances can constitute hazards when their nature would potentially allow them to cause damage to health, life, property, or any other interest of value. The probability of that harm being realized in a specific incident, combined with the magnitude of potential harm, make up its risk. In colloquial speech the terms hazard and risk are often used synonymously.
In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value, often focusing on negative, undesirable consequences. Many different definitions have been proposed. One international standard definition of risk is the "effect of uncertainty on objectives".
ISO/IEC 31010 is a standard concerning risk management codified by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The full name of the standard is ISO/IEC 31010:2019 – Risk management – Risk assessment techniques.
Qualitative risk analysis is a technique used to quantify risk associated with a particular hazard. Risk assessment is used for uncertain events that could have many outcomes and for which there could be significant consequences. Risk is a function of probability of an event and the consequences given the event occurs. Probability refers to the likelihood that a hazard will occur. In a qualitative assessment, probability and consequence are not numerically estimated, but are evaluated verbally using qualifiers like high likelihood, low likelihood, etc. Qualitative assessments are good for screening level assessments when comparing/screening multiple alternatives or for when sufficient data is not available to support numerical probability or consequence estimates. Once numbers are inserted into the analysis the analysis transitions to a semi-quantitative or quantitative risk assessment.
Event tree analysis (ETA) is a forward, top-down, logical modeling technique for both success and failure that explores responses through a single initiating event and lays a path for assessing probabilities of the outcomes and overall system analysis. This analysis technique is used to analyze the effects of functioning or failed systems given that an event has occurred.
A cyber PHA or cyber HAZOP is a safety-oriented methodology to conduct a cybersecurity risk assessment for an industrial control system (ICS) or safety instrumented system (SIS). It is a systematic, consequence-driven approach that is based upon industry standards such as ISA 62443-3-2, ISA TR84.00.09, ISO/IEC 27005:2018, ISO 31000:2009 and NIST Special Publication (SP) 800-39.