GP 48-03 - Layer of Protection Analysis (LOPA)
GP 48-03
Applicability Group
Date 5 June 2008
This Group Defined ETP has been approved by the GVP Safety
and Operations for implementation across the BP Group.
BP GROUP
ENGINEERING TECHNICAL PRACTICES
5 June 2008 GP 48-03
Layer of Protection Analysis (LOPA)
Foreword
This revision of Engineering Technical Practice (ETP) GP 48-03 includes the following changes:
In the event of a conflict between this document and a relevant law or regulation, the
relevant law or regulation shall be followed. If the document creates a higher obligation, it
shall be followed as long as this also achieves full compliance with the law or regulation.
Table of Contents
Foreword
1. Scope
2. Normative references
3. Terms and definitions
4. Symbols and abbreviations
5. LOPA overview
5.1. What is LOPA
5.2. Protection layers
5.3. Independent protection layers
5.4. Advantages and limitations
5.5. Safety lifecycle
5.6. LOPA timing and application
6. LOPA study team
6.1. Team leader
6.2. Other team members
7. LOPA documentation
7.1. Terms of reference (TOR)
7.2. Supporting documents
7.3. LOPA study report
7.4. Follow-up
8. LOPA method steps
9. Initiating causes, likelihood, and frequency modifiers
9.1. General
9.2. Likelihood of initiating cause
9.3. Multiple causes
9.4. Frequency modifier
9.5. Target mitigated event likelihood
10. Estimating consequences
10.1. General
10.2. Vulnerability factor
10.3. Consequences of loss of containment from vessels and associated pipework
11. Independent protection layers
11.1. General
11.2. Mechanical pressure relief devices - relief valves
11.3. Check valves
11.4. BPCS
11.5. Operator response to alarm
11.6. SIS
11.7. Other types of IPLs
12. Determining intermediate event likelihood
12.1. General
12.2. PFD for IPLs
12.3. PFD of SIF
13. Evaluation of SIS integrity levels
13.1. ILs
13.2. Spurious trips
Bibliography
1. Scope
a. This GP describes the method used to evaluate the effectiveness of independent protection
layer(s) in reducing the likelihood or severity of an undesirable event.
b. It is applicable to Major Projects as defined by MPcp (E&P) and Pcp (R&M). This
includes onshore and offshore hydrocarbon and chemical process facilities, excluding
subsea facilities.
c. The LOPA method may be applied to other facilities such as subsea, drilling, marine, and
alternative energy and will require review and adaptation of the numerical values
contained in this GP or development of appropriate values.
d. If a SIF is involved and the demand frequency is less than the testing frequency, then the
PFD determined from LOPA is not the appropriate method to define the required integrity.
Refer to GP 30-76 in such cases.
e. If consequences are in levels A or B of GDP 31-00-01, Appendices 1 or 2, LOPA is not an
appropriate analysis method. Methods such as fault tree analysis, failure modes and effects
analysis, or quantitative risk analysis should be applied in pursuit of risk reduction options.
f. If LOPA indicates requirement for SIL 3 or higher SIFs, other methods of hazard
evaluation should be applied to better understand the risks and alternatives should be
sought that include inherently safer design strategies and alternative risk management
approaches.
The planned Group Recommended Operating Practice on Selection of hazard
evaluation and risk assessment techniques will give further guidance on the
appropriate techniques.
2. Normative references
The following referenced documents may, to the extent specified in subsequent clauses and normative
annexes, be required for full compliance with this GP:
BP
GDP 31-00-01 Assessment, prioritization and management of risk.
GP 30-75 Safety Instrumented Systems (SIS) - Management of the Safety
Lifecycle.
GP 30-76 Safety Instrumented Systems (SIS) - Development of Process
Requirements Specification.
GP 30-80 Safety Instrumented Systems (SIS) - Implementation of the Process
Requirements Specification.
GP 30-81 Safety Instrumented Systems (SIS) - Operations and Maintenance.
GP 48-50 Major Accident Risk (MAR) Process, Annex B.
For the purposes of this GP, the following terms and definitions apply:
Availability
Fraction of time that a safety system is able to perform designated safety service if required for use.
Availability = 1 - Probability of failure on demand (PFD).
Competent
Describes an individual with knowledge and skills deemed acceptable by the EA to perform a task.
Appropriate knowledge and skill may be acquired through training, experience, qualifications, or some
combination of these.
Demand
Condition or event that requires a protective system or device to take appropriate action to prevent or
mitigate hazards.
Hazard
Condition or practice with the potential to cause harm to people, the environment, property, or BP’s
reputation.
Initiating cause
A failure, error, situation, or condition that results, or may result, in the propagation of a hazardous
event.
Initiating event
The minimum combination of failures (or errors) necessary to start the propagation of a hazardous
event. It can be comprised of a single initiating cause, multiple causes, or initiating cause(s) in the
presence of enabling conditions.
Protection layer
A device, system, or action that is capable of preventing a postulated accident sequence from
proceeding to a defined, undesirable endpoint.
Reliability
The probability that an item is able to perform a required function under stated conditions for a stated
period of time or for a stated demand.
Risk
A measure of loss/harm to people, the environment, compliance status, Group reputation, assets or
business performance in terms of the product of the probability of an event occurring and the
magnitude of its impact. Throughout this Practice the term “risk” is used to describe health, safety,
security, environmental and operational (HSSE&O) undesired events.
Safety lifecycle
Necessary activities involved in the implementation of a SIF occurring during time period that starts at
concept phase of project and ends when all SIFs are no longer required and facility is
decommissioned.
Vulnerability
Probability that persons will suffer a specified health and safety impact level if exposed to hazard.
For the purpose of this GP, the following symbols and abbreviations apply:
CIL Integrity level for equipment damage and business value lost.
EA Engineering authority.
IC Initiating cause.
IL Integrity level.
5. LOPA overview
[Figure not reproduced. Labels recovered: Process design; Critical alarms; Safety instrumented systems; Barricades, dikes.]
7. LOPA documentation
f) Information that was referenced in the logsheets or used extensively by the team.
This can include calculations, detailed consequence analyses, or other useful
information compiled for or during the LOPA that would be useful reference
material for future MoC or safety issues.
7.4. Follow-up
a. BP Operations EA or Project EA should ensure that an effective means of tracking
recommendations is in place and accomplishes the following:
1. Track the status of open action items.
2. Record the action item closure and approval by project or site authority (Approved
action response sheets should be retained with the log sheets).
3. Include or reference documentation requirements.
4. Track the transfer of action items between delivery teams (e.g., project to
commissioning).
To facilitate future reviews and the use of material for training purposes, it is useful
if the logsheets are updated to include the actual actions taken when the
recommendations are closed out.
5. Provide for a confirmation of completion including by field-verification for operating
facilities.
b. The technical reasons for recommendation resolution, including suggestion of a different
action, or rejection, shall be clearly stated in writing and retained.
c. If recommendation and actions cannot be agreed with the project or BP Operation to the
satisfaction of the LOPA team leader then the Project EA or BP Operations EA shall be
informed. The EA shall attempt to get resolution with the Project Manager or BP
Operation leader but if this is not possible the EA shall raise the issue to a higher EA until
agreement is reached with the BP Operation leader.
d. For projects, the Project manager shall ensure that agreed recommendations are resolved in
an appropriate timescale as dictated by project schedule.
The PHSSER teams review and audit action progress at various stages of CVP in
accordance with GP 48-01.
Completion of recommendations should also consider the amount of work involved
in completing the tasks. Administrative and documentation recommendations should
be completed in a reasonably short period while recommendations requiring
extensive engineering and installation during unit downtime may require years to
complete.
e. BP Operations leader shall ensure that agreed actions are followed through to an
appropriate conclusion. A person should be nominated to do this and instructed to report
formally at regular intervals while the action remains outstanding.
f. For projects and operating facilities, complete auditable responses and actions concerning
the recommendations shall be documented and retained for the life of the operating
facilities.
Report recommendations, BP Operations responses, and supporting documentation
should ideally be recorded in a records system, which permits ready retrieval, status
reporting, progress chasing, and independent audit. The supporting documentation
should include appropriate reports, memos, drawings, and other communications
demonstrating that the recommendations arising from the LOPA have been carried
out or otherwise resolved.
g. Relevant recommendations and actions from LOPA reports and related study documents
shall be communicated to members of the BP workforce who may be affected by them.
Local law may impose additional communication requirements, including a
requirement to make the risk assessment accessible to persons who work with or
near the studied risk.
h. For operating facilities, site MOC process shall be followed for approved changes resulting
from LOPA recommendations.
MOC ensures that employees are advised on changes to procedures and/or
equipment and any relevant training provided at the time of change. It also guards
against the resolution of the recommendation inadvertently introducing a new risk.
be used. The PFD should be used for the SIL, EIL, and optionally CIL for the SIS.
Refer to Table 11, Table 12, and Table 13.
2. If there are not any existing SISs, recommend additional protection layers, non SIS or
SIS, with PFD to make the IEL < TMEL.
i. Proceed to the next scenario until analysis of all scenarios is completed.
[Flowchart not reproduced. Boxes recovered: Identify the initiating causes of hazardous scenario and estimate the initiating cause frequency; Is there an ISD option? (Recommend ISD option); Determine the scenario consequence level; Is the initiating event frequency below the TMELs?; Use TMEL/IEL to determine PFD for SIL, EIC and CIL for existing SIS; Recommend additional protection layers, non SIS or SIS, with PFD to make IEL < TMEL; Go to next scenario.]
9.1. General
a. Initiating causes of hazardous scenarios normally identified in HAZOPs generally fall into
two categories:
Table 2 - Human error frequency for actions taken at least once per month
Sources of failure rate data for initiating event frequencies include the following:
• CCPS Guidelines, 1989.
• CCPS Concept Book, 2001.
• IEEE, 1996.
• IIT Research, 1987.
• ISA TR 84.00.02.
• OREDA 1984, 1992, 1997, and 2002.
• Reliability, Maintainability and Risk (Smith).
• Proprietary data base that BP collected from many sources.
In the strict application of the LOPA method, initiating cause likelihoods that lead to
the same consequence and can be mitigated by the same IPLs, should be added as
they all refer to a single scenario. However, in many cases, there are 1-3 initiating
causes and the difference between using a single initiating cause likelihood and
adding 3 together does not impact the outcome. The LOPA facilitator should be able
to analyze this and decide if there is value gained in the exercise of identifying and
adding initiating cause likelihoods.
9.4.1. General
a. While considering the initiating event likelihood, the LOPA team may consider the
potential frequency modifiers: time at risk, occupancy factor, and ignition probability.
Caution should be used when applying frequency modifiers. If incorrectly estimated,
and applied in determining event likelihood, the risk may be underestimated.
If these frequency modifiers are not used a conservative modifier of 1 is effectively
applied.
b. Some initiating events might be given in terms of likelihood per action. In this case, the
team needs to consider how often this action takes place in 1 year.
Where:
ICL = initiating cause likelihood.
Pp = occupancy factor = time present to hazard/total time.
c. Factor Pp is only valid if a person’s presence is random with respect to the hazard causes. If
hazard only occurs at start-up and persons are always present at startup, then the
occupancy factor is 1.
Operator response should be considered for occupancy if a proposed event is not
considered an instantaneous incident. If operator response can be expected, no
credit for occupancy factor should be taken.
If an alarm is considered as an IPL, then occupancy factor should be applied
cautiously as the alarm may draw the operator into the area.
d. Occupancy factor is not used for environmental and commercial scenarios.
The use of TMELs does not imply that BP accepts or tolerates risks at the level of
any given TMEL. LOPA is applied in the context of continuous risk reduction.
Table 8 - TMEL for equipment damage and business value lost hazards
10.1. General
a. Health and safety and environmental consequences shall be assessed.
Consequence of potential hazards can be obtained from the HAZOP worksheets.
Care should be taken when assessing the consequences. Underestimating can lead
to insufficient layers of protection being applied and risk being insufficiently
managed. Overestimating can lead to more layers of protection being applied than
are warranted for the risk level which, over the lifecycle of the operation, will result
in additional cost, inspection, and maintenance requirements.
b. Equipment damage and business value lost consequences may be assessed.
c. If the consequences are not clearly identified, further analysis shall be completed before
LOPA can proceed.
d. If the consequences are identified, but not fully defined, the LOPA team may complete the
definition or seek assistance from process safety and risk specialists to estimate the
consequences.
This could include estimate of flammable cloud extent or explosion overpressure
distance.
e. If the LOPA team feels that the HAZOP has underestimated or overestimated the
consequences, the LOPA team should consult with:
1. HAZOP team representatives to understand their rationale.
2. Process Safety Engineering professionals to better understand potential consequences.
The consequence severity level utilised in the LOPA should be seen as the case with
a reasonable probability of occurrence and not specifically the worst case scenario.
The consequence severity level should include the vulnerability
f. The LOPA team should consider previous consequence analyses and aspects of the
scenario to estimate possible outcomes such as potential fire or explosion, including:
1. Release: size, material, operating pressure and temperature.
2. Ambient conditions.
3. Locations of persons, both onsite and offsite.
4. Escalation potential.
g. Costs associated with environmental impacts including cleanup, outage, and legal support
for environmental risks should be considered under equipment damage and business value
lost impacts.
h. The LOPA team should include the following when considering equipment damage and
business value lost impacts:
1. Replacement and repair costs.
2. Cost of lost or deferred production during replacement and repair.
3. Costs of penalties for non delivery of contracted production.
4. Environmental cleanup costs.
5. Legal costs.
i. To support an efficient LOPA, it is recommended to develop a rule set for equipment
damage and business value lost impacts specific to the facility being evaluated before the
LOPA begins.
Such rules may include the cost of lost or deferred production per event plus per
hour or day.
11.1. General
a. There are two types of IPLs:
1. Passive IPL
a) Dike/bund.
b) Open vent.
c) Blast wall/bunker.
d) Flame/detonation arrestors.
e) Restriction orifice.
2. Active IPL
a) BPCS.
b) Human response to alarm.
c) Pressure relief device.
d) SIS.
e) Other design specific IPLs (e.g., mechanical stop for a valve).
b. The LOPA team should review safeguards from the HAZOP and identify those that meet
the criteria for an IPL. Many safeguards identified in the HAZOP will not meet the criteria
specified for IPLs in a LOPA analysis.
c. Assessment of IPLs shall be performed to determine amount of risk reduction provided by
each, its dependability, and its independence from other IPLs.
d. Protection layers shall be assessed to verify that they meet the four criteria described in
5.3.b: specificity, independence, dependability, and auditability.
e. IPLs credited for startup scenarios shall be verified to be functional (not bypassed or
disabled) during startup.
The process hazards during startup are likely to be mitigated by IPLs (including
SIS) for normal operations. During startup there may be other transient (non-steady
state operation) conditions that are not addressed by the normal operation IPLs,
11.4. BPCS
a. The following rules shall apply to basic process control systems (BPCS) that have been
identified as IPLs.
1. Typically, the IPL credit for a BPCS control loop is taken as 0,1.
2. Credit can be taken for two semi-independent layers of protection (e.g., initiating
event, alarm, second control loop) in a BPCS loop using the following rules.
a) The LOPA team shall justify the PFDs for each element based on actual site
testing records.
b) If the common element between two semi-independent layers of protection has a
PFD that is at least one order of magnitude less than the PFD for the loop, a PFD
for one IPL is taken as 0,1 and for the second IPL is taken as 0,3.
c) If the common element between two semi-independent layers of protection has a
PFD that is at least one order of magnitude greater than the PFD for the loop,
then a PFD for one IPL is taken as 0,1 and for the second IPL is taken as 1,0.
Independence between protection layers is a necessary principle for the math in
LOPA to be correct. Practically, however, the failure rate for the processor is much
lower than for an I/O card and for field sensors and final elements. If the processor
is the only common element between a BPCS loop and an alarm, taking credit for
both as though they were truly independent is only slightly optimistic
mathematically.
The partial credit on semi-independent BPCS is dependent on the relative values of
the PFD loops and components. These values vary depending on the manufacturer
and type. It is not easy to determine these values for each scenario during the
LOPA. Typically the PFD of the loop is calculated during SIL verification (not
during LOPA) based on testing intervals.
3. Credit shall not be taken for more than two semi-independent IPLs.
4. Failure mode of final element is to safe state for the specific scenario.
5. If the control valve is used for final actuation of the SIF, the solenoid valve is located
between the I/P converter and the actuator, and no bypass around the control valve is
installed.
6. Operations is trained that the BPCS loop is a protective function (e.g., clarify that the
loop should not be put in manual control).
7. If a tight shut-off is required, the BPCS valve meets this criterion and is tested and
maintained.
b. BPCS credit as IPL should be minimized because the BPCS is subject to the same
requirements as any other IPL (i.e., periodic testing, controlled access, availability, etc.).
Because of the access control requirement, the operators cannot be allowed to
change the set points for the control loops or alarms that are credited as IPLs. This
limitation may impact the operator flexibility to control the process. The control
loop needs to be periodically tested and documented to meet the availability and
reliability requirements.
11.6. SIS
a. An SIS may be used to reduce the likelihood of a hazardous event.
Safety instrumented systems should be considered after inherently safer
approaches have been identified and considered.
b. SISs should be allocated a SIL in relation to the credit given for risk reduction. The
following conditions shall be met:
1. SIS is separate and independent from the cause of demand.
2. SIS is separate and independent from any other SIS that is used to reduce the
intermediate event likelihood to the TMEL.
The SIS and associated SIL for one instrumented system protecting against a
scenario is independent (and independently calculated) from a separate SIS and
associated SIL protecting against the scenario.
Independence between protection layers is a necessary principle for the math in
LOPA to be correct. Practically, however, the failure rate for the processor is much
lower than for an I/O card and for field sensors and final elements. If the processor
is the only common element between a BPCS loop and an alarm, taking credit for
both as though they were truly independent is only slightly optimistic
mathematically.
12.1. General
a. Intermediate event likelihood is the product of the initiating event likelihood, enabling
event probabilities, PFD of IPL, and frequency modifiers. The result is compared to TMEL
for the consequence category.
b. Calculation is generally performed on a logsheet, spreadsheet, or proprietary software.
Risk reduction measures | PFD | Comments
Dike/Bund | 1 x 10^-2 | Will reduce frequency of large consequences (widespread spill) of tank overfill/rupture/spill.
Underground drainage system | 1 x 10^-2 | Will reduce frequency of large consequences (widespread spill) of tank overfill/rupture/spill.
Open vent (no valve) | 1 x 10^-2 | Will prevent overpressure.
Fireproofing | 1 x 10^-2 | Will reduce rate of heat input and provide additional time for depressurising/firefighting.
Blast wall/bunker | 1 x 10^-3 | Will reduce frequency of large consequences of explosion by confining blast and protecting equipment/buildings.
Flame/detonation arrestors | 1 x 10^-2 | If properly designed, installed, and maintained, should eliminate potential for flashback through piping system or into vessel or tank.
Risk reduction measures | PFD | Comments
Human action with 10 min response time | 0,1 to 0,5 | Simple well documented action with clear and reliable indications that action is required.
Human response with 20 min response time | 0,1 | Simple well documented action with clear and reliable indications that action is required.
IEL1 + IEL2 + IEL3 + …< TMEL (H&S, E, or Damage) (Table 6, Table 7, or Table 8)
Where:
TMEL = TMEL from table indicated.
IEL1 = Intermediate event likelihood (ICL1 *PFD1*PFD2…*Ptr*Pp*Pi).
ICL = initiating cause likelihood (Table 1 and Table 2).
PFD1, PFD2 = PFD for each IPLs (Tables 11, Table 12, Table 13, and Table 14).
Ptr = probability of time at risk (see 9.4.2).
Pp = probability of persons present (see 9.4.3).
Pi = probability of ignition (see 9.4.4).
4. If the sum of the IELs < TMEL, then further risk reduction is not appropriate.
5. If the sum of the IELs > TMEL and there is existing SIF, then the ratio of TMEL to
the sum of the IELs, PFDSIF, should be calculated to determine the SIL, EIL, CIL of
the existing SIF.
PFDSIF (Health and Safety) = TMEL (Table 5) / (IEL1 + IEL2 + IEL3 + ...)
PFDSIF (Environmental) = TMEL (Table 6) / (IEL1 + IEL2 + IEL3 + ...)
PFDSIF (Equip. damage and value lost) = TMEL (Table 7) / (IEL1 + IEL2 + IEL3 + ...)
6. If the sum of the IELs > TMEL and there is not an existing SIF, then existing
protection layers are considered insufficient to mitigate risk. Recommendation should
be made to use inherently safer design strategies to redesign system, add additional
protection layers, or add a SIF.
7. Recommendations for SIFs should use the ratio of TMEL to the sum of the IELs,
PFDSIF , to determine the SIL, EIL, CIL of the new SIF.
13.1. ILs
a. If protection is currently provided by SIF or if a SIF is recommended, the LOPA
determines the PFD to reduce the risks to below the TMEL for that consequence category.
b. The procedure for determining SIL, EIL, and CIL shall be as follows:
1. Calculate PFDSIF without giving any credit to SIF (12.3).
2. Determine required SIL, EIL, and CIL from Table 15.
3. Select highest integrity level (the lowest PFDSIF) and use it as design basis for SIF.
c. The PFD of the SIF shall be less than or equal to the lowest of PFDSIF for all hazards for
which the SIF provides protection.
d. Determination of IL for pushbutton initiation of isolation or depressurisation as part of
ESD system shall be performed in accordance with GP 30-76, Annex E.
Annex A
(Informative)
Example of LOPA for SIL determination from PHA/HAZOP
The LOPA process for SIL determination, using the HAZOP in Table A.1, is described as
follows:
a. Select hazardous scenario from HAZOP (Table A.1). This example has two initiating
causes for the same hazard and has different IPLs applicable to each initiating cause.
b. Select TMEL as follows:
1. For safety (severity level D), TMEL is 1 × 10^-5 /yr.
2. For environmental (severity level F), TMEL is 1 × 10^-3 /yr.
3. For damage and loss (severity level E), TMEL is 1 × 10^-3 /yr.
c. Identify initiating causes and quantify likelihood as follows:
1. Using Table 1, item “BPCS instrument loop failure”, likelihood of the first initiating
cause is 0,1/yr.
ICL1 = 0,1/yr
2. Using Table 2, the second initiating cause is due to human intervention and the
likelihood is assumed to be 0,1/yr.
ICL2 = 0,1/yr
d. Identify independent layers of protection from existing safeguards without taking credit for
SIS:
1. PSV-2714 on amine regenerator is IPL for both initiating causes. Using Table 12,
item “Relief Valve”, PFD for PSV is 0,01.
2. The team verifies that the operator should be able to respond within 20 minutes after
receipt of a low level alarm. Using Table 14, PFD for human response is 0,1. Since the
low level alarm uses the same level transmitter as LV-2702, credit for this response
should not be given for the first initiating cause.
PFDSIF = (1 × 10^-5) / (5,0 × 10^-4 + 1,0 × 10^-4) = 0,017
For environmental,
PFDSIF = (1 × 10^-3) / (1,0 × 10^-3 + 1,0 × 10^-4) = 0,91
For damage and loss,
PFDSIF = (1 × 10^-3) / (1,0 × 10^-3 + 1,0 × 10^-4) = 0,91
i. Evaluation of SIS integrity level: the lowest PFDSIF is 0,017 which requires a SIL 1.
j. Table A.2 shows the LOPA logsheet for this scenario.
Likelihood values are events per year; other numerical values are probabilities of failure on demand average.
Protection layers (PLs): General process design; BPCS; Alarms, etc.; Additional mitigation, restricted access; Additional mitigation, dikes (bunds), pressure relief.

| Ref | Impact event description | Severity level | Initiating cause | Initiation likelihood | General process design | BPCS | Alarms, etc. | Additional mitigation, restricted access | Additional mitigation, dikes (bunds), pressure relief | Intermediate event likelihood | PFDSIF | Target mitigated event likelihood | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Over pressure of amine regenerator and potential 3 to 9 fatalities (Safety impact) | D | LV-2702 malfunction | 0,1 | -- | -- | -- | Occupancy 0,5 | PSV 0,01 | 5E-4 | 0,017 (SIL 1) | 1E-5 | |
| | | | Operator error | 0,1 | -- | -- | 0,1 | -- | PSV 0,01 | 1E-4 | | | |
| 1 | Over pressure of amine regenerator leading to localized damage to a non-sensitive environment (Environmental impact) | F | LV-2702 malfunction | 0,1 | -- | -- | -- | -- | PSV 0,01 | 1E-3 | 0,91 (EIL 0) | 1E-3 | |
| | | | Operator error | 0,1 | -- | -- | 0,1 | -- | PSV 0,01 | 1E-4 | | | |
| 1 | Over pressure of amine regenerator leading to damage and lost production ($5M to $100M) (Damage and loss impact) | E | LV-2702 malfunction | 0,1 | -- | -- | -- | -- | PSV 0,01 | 1E-3 | 0,91 (CIL 0) | 1E-3 | |
| | | | Operator error | 0,1 | -- | -- | 0,1 | -- | PSV 0,01 | 1E-4 | | | |
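The calculation steps of the procedure above (sum of IELs against TMEL, PFDSIF as their ratio, lowest PFDSIF as design basis) can be run on the Annex A logsheet values. The following is an added example, not part of GP 48-03; the function names are hypothetical, the integrity-level bands are the IEC 61511 low-demand ranges assumed in place of Table 15, and the occupancy value 0,5 is taken as Pp.

```python
from math import prod

# ASSUMPTION: IEC 61511 low-demand PFD bands stand in for the page's Table 15,
# which is not reproduced in this section. Entries: (lower bound, level).
IL_BANDS = [(1e-1, 0), (1e-2, 1), (1e-3, 2), (1e-4, 3), (1e-5, 4)]

def iel(icl, pfds=(), p_tr=1.0, p_p=1.0, p_i=1.0):
    """Intermediate event likelihood: ICL * PFD1 * PFD2 ... * Ptr * Pp * Pi."""
    return icl * prod(pfds) * p_tr * p_p * p_i

def required_pfd_sif(tmel, iels):
    """TMEL / sum(IELs); None when the sum is already below TMEL (step 4)."""
    total = sum(iels)
    return None if total < tmel else tmel / total

def integrity_level(pfd_sif):
    """Map a required PFD to a level using the assumed bands above."""
    if pfd_sif is None:
        return 0
    for lower, level in IL_BANDS:
        if pfd_sif >= lower:
            return level
    raise ValueError("required PFD is below the lowest assumed band")

def evaluate(scenario):
    """Return {category: (PFDSIF, level)} and the lowest PFDSIF (design basis)."""
    results = {}
    for category, (tmel, causes) in scenario.items():
        pfd = required_pfd_sif(tmel, [iel(**c) for c in causes])
        results[category] = (pfd, integrity_level(pfd))
    needed = [p for p, _ in results.values() if p is not None]
    return results, (min(needed) if needed else None)

# Annex A values. The operator-response PFD (0,1) is credited only for the
# operator-error cause because the alarm shares LV-2702's level transmitter.
LV_SAFETY = dict(icl=0.1, pfds=[0.01], p_p=0.5)  # PSV; occupancy 0,5 taken as Pp
LV_OTHER = dict(icl=0.1, pfds=[0.01])            # PSV only
OPERATOR = dict(icl=0.1, pfds=[0.1, 0.01])       # alarm response, then PSV
ANNEX_A = {
    "safety": (1e-5, [LV_SAFETY, OPERATOR]),
    "environmental": (1e-3, [LV_OTHER, OPERATOR]),
    "damage": (1e-3, [LV_OTHER, OPERATOR]),
}

if __name__ == "__main__":
    results, basis = evaluate(ANNEX_A)
    for category, (pfd, level) in results.items():
        print(f"{category}: PFDSIF={pfd:.3f} level={level}")
    print(f"design basis PFDSIF={basis:.3f}")
```

Crediting the operator response for the LV-2702 cause as well would lower that IEL tenfold and understate the required SIF integrity, which is why the shared transmitter is excluded.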