Documentos de Académico
Documentos de Profesional
Documentos de Cultura
OMV Petrom
Refining Standard
4043_v091130
Description:
Objective:
This procedure provides guidance for the evaluation of prevention and mitigation
measures which contribute to the reduction of process risks to tolerable and acceptable
limits.
Target Group:
This standard applies to all employees and contractor staff working in relation with
refineries operated by OMV Refining and Petrochemicals. It applies to all lifecycle
stages of production units from concept to decommissioning.
Scope of
Effectiveness:
Authors
P-R-P-TS-OCI
P-R-A-TS-CI
George Stoica
Filica Ciausi
P-R-P-TS-OCI
P-R-A-TS-CI
George Stoica
Filica Ciausi
P-R-R&P-BSPM
Felicia Decusara
Verified regarding
correctness of content by
P-R-P-TS
P-R-A-TS
Mihai Antonescu
Lothar Forner
Released by
P-R-R&P-BSPM
Adrian Mincu
Released by
P-R-R&P
Dir.Neil Morgan
Organizational Unit
Name
Notes:
1.
2.
Date
Signature
In the interests of simplicity and readability the language of this statement is as far as possible gender neutral. Where
applicable, the masculine includes the feminine.
Hardcopies of this document may not represent the current applicable standard. Check for latest document on the
Regulations Platform
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
1 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
1. Introduction
Reliable and safe operation of refinery process plants usually requires the seamless and sustainable
interaction of prevention and mitigation measures. These measures may be technical or
organizational or a combination of both. Risk evaluation is required to balance the goals of reduction
of process risks and the efforts which are needed to achieve them.
The Layer of Protection Analysis (LOPA) is a semi-quantitative methodology to evaluate the
reliability of measures which are required to prevent undesired events and to reduce the risks in
process units to tolerable or acceptable limits.
This standard provides guidance on the application of the LOPA for OMV refinery process units. It
describes the workflow of risk evaluation and defines responsibilities and requirements. This
standard is part of Functional Safety Management (FSM) which is implemented in OMV Refining
according to the requirements of IEC61511 Part 1 & Part 2 [01, 02] The principles of the
methodology are in accordance with the requirements of IEC61511 Part 3, Appendix F [03].
Scope of the Standard
The LOPA method may be applied to process risks arising from hydrocarbon and chemical process
facilities initiated by a discrete initiating event (single scenarios). It is not intended to be used for the
assessment of more general business risk, financial risk, and project risk as well as more complex
aggregated risks.
LOPA is not a stand alone methodology for risk assessment as it requires the inputs of a previous
hazard analysis for identification of hazardous scenarios and evaluation of the potential
consequences (e.g. 04, 05). The layer of protection analysis (LOPA) shall be used if:
the consequences of the scenario are above the following critical values (equal or greater than
consequence level 3 as given in the OMV Corporate HSE Standard 020 [06])
Personnel: serious personnel injury
Environment: release with local effect (outside the refining area)
Economic (asset or production): loss greater than 100.000 or shut down of a unit
a preliminary qualitatively risk assessment yield that the risks are ALARP or not acceptable
a preliminary qualitatively risk assessment showed uncertainties regarding consequences or
safe guards (prevention & mitigation)
a safety instrumented function (SIF) is used as a risk reduction measure
The standard especially applies for the classification of Safety Instrumented Functions (SIF) which
are used in low demand mode according to the framework of the Functional Safety Management
(FSM) [01, 07] (e.g. emergency shut down systems). The standard is to be used to determine the
necessary Safety Integrity Level (SIL) or Asset Integrity Level (AIL) for each SIF. Within this
framework the usage of the standard is also recommended for operational interlocks to show their
adequacy (i.e. that they are not safety relevant). (Note: SIFs which are operated in continuous mode
are quite rare in refinery process units; the principles given in [08] shall be used.)
The standard applies for existing systems as well as for planned systems. Existing SIFs which have
been classified using any other risk evaluation system (e.g. Risk Graphs [03, 09]) may remain
untouched if the following two requirements are met: there are no doubts concerning the suitability
of the classification, and related technical standards and regulations have been checked regarding
compliance.
Rationale for Refining Standard
This standard harmonizes the available approaches throughout OMV Refining with the aim to
provide best practice and to optimize the efforts needed to achieve and maintain safe and reliable
production units. It contributes to the establishment of unambiguous and sustainable tools for
decision making and thus well-aimed investments to improve the safety and reliability of Refinery
production units.
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
2 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
2. Regulatory Content
The Regulatory Content of this document is structured as follows:
Table of Contents
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3
LOPA Process ........................................................................................................................ 9
2.3.1
Administrative information.................................................................................................. 10
2.3.2
Scenario description........................................................................................................... 11
2.3.3
Identification of initiating events ......................................................................................... 11
2.3.4
Identify enabling conditions................................................................................................ 11
2.3.5
Worst reasonable foreseeable consequences................................................................... 12
2.3.6
Conditional modifiers.......................................................................................................... 12
2.3.7
Initiating risk ....................................................................................................................... 13
2.3.8
Independent Protection Layers (IPL) ................................................................................. 13
2.3.9
Calculation of residual risk ................................................................................................. 13
2.3.10
Assessment of the residual risk ......................................................................................... 14
2.3.11
Action items........................................................................................................................ 14
2.3.12
Critical aspects for realization & operation......................................................................... 15
2.4
Documentation..................................................................................................................... 15
2.5
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
3 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
2.1
Process Monitoring
Operator Supervision
Process control
Process & Design
Figure 1
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
4 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
2.
3.
Preventive safeguards are given priority over mitigation measures and technical are given
priority over operational measures.
4.
5.
For any hazard which can escalate to a major accident event at least two independent, effective
protection measures shall be present.
6.
Protection prioritization is given to the following ranking: people, environment, property, interests
of the business (incl. reputation).
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
5 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
enabling
event or state
initiating
event
residual
risk
initiating
risk
independent
protection layers
conditional
modifier
Figure 2
2.2
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
6 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
Conceptual Designer
Basic Designer
Project Manager
Decommissioning
Project Manager
Table 1
Responsibilities for performance of risk assessment during life cycle of units.
The responsible person has to ensure:
nomination of the risk evaluation team
scheduling of the sessions
preparation of information and documents which are required to perform the evaluation
distribution of the risk assessment protocols for implementation of the results (e.g. realization or
validation of classified safety instrumented functions (SIF), realization of identified action items)
follow up of action items which have been identified during evaluation
appropriate archive of the risk assessment protocols
information of the Process Safety Engineer about planned sessions and their results
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
7 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
Function
Participation
Mandatory
(Note: for systems which are not clearly allocated to a distinct
production unit the roles of the Plant Manager shall be shifted to the
Operations Manager)
Mandatory
Mandatory
Recommended
For assessments during projects the team has to be amended by the following person:
Function
Participation
Conceptual Designer, Basic Designer,
Project Manager (for projects only)
Table 2
Usually the LOPA evaluation team corresponds widely to the HAZID team [04]. Therefore,
performance of the LOPA assessment during HAZID (e.g. HAZOP) sessions is strongly
recommended.
Risk owner (plant manager/operations manager)
The risk owner is always the person who has the control about the resources to amend the risk and
is accountable for the residual risk. For process risk this will be in most of the cases the plant
manager or the operations manager for more wide ranging scenarios. The risk owner is the ultimate
instance to agree on the results of the LOPA assessment (see also [06]) and approves the risk
evaluation report.
Risk evaluation team leader
A team leader shall be nominated who is responsible for leading the assessment and for checking
the risk assessment protocol. He must be familiar with the assessment procedure and must have
sufficient knowledge on process risk assessment.
If appropriate the role of the team leader can be covered by an external person. For LOPA
assessment which is done in the framework of HAZOP studies the HAZOP moderator may also take
the role of the LOPA moderator (compare also OMV Standard HAZID [04]).
Risk evaluation team
The risk assessment team shall ensure that all relevant information and knowledge is available to
evaluate the risk (i.e. hazards, possible consequences, safeguards) and to decide on the
requirement for additional actions. The accountability for the evaluation results should be aligned
with the competency of the respective person as given e.g. in their job description.
The team member should have a basic understand about probability theory and shall be familiar
with the methodology and its rules as required by their role in the team. If the rules are not
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
8 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
understood and consistently applied credit for risk reduction measures may be given in the wrong
way and risks might be undervalued (safety issue) or overvalued (cost issue).
By the nomination the risk assessment team member assumes the responsibility to contribute to the
assessment with technical knowledge and expertise (e.g. failure rates, feasibility of proposed SIFs).
The accountability for results is according to the role of the team member and aligned with the
competency as given e.g. in the job description.
2.3
LOPA Process
The workflow of risk assessment and the LOPA evaluation process consists of several steps as
shown in Figure 3. The description of the activities for each step is given in the subsequent sections.
The process follows the workflow when entering data into the LOPA evaluation report [TA01].
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
9 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
YES
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
10 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
11 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
12 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
Local Amendments [LA01-LA03]). (The reference data are already incorporated in the LOPA
template to this standard [TA01]).
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
13 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
Calculation of the safety integrity level of a safety instrumented function which would be needed
to reduce the risk to acceptable or tolerable limits.
Calculation of the LOPA gap
LOPA gap below 1: This is the PFD which an additional protection layer needs to reduce
the risk to acceptable or tolerable limits. Alternatively this gap may also be closed by the
improvement of the PFD of an existing protection layer.
LOPA gap above 1: This is the remaining safety margin by which the PFD of an existing
protection layer may be decreased or existing layers may be removed while still keeping
the acceptability and tolerability limits.
These are tolerable risks (yellow area in the risk matrix) as long as they fulfill the
following criteria:
Risk reduction is impracticable or its cost are grossly disproportionate to the
improvement gained (i.e. there is a trade-off between the costs of risk reduction and
the benefits obtained which could be demonstrated through cost-benefit analysis).
The risk controls corresponds to legislative requirements and relevant good practice
and all aspects and measures are thoroughly known.
The risk is periodically reviewed (see 2.2.1).
Intolerable: These are unacceptable risks (red area in the risk matrix). Additional measures are
required to reduce them to at least to ALARP. These measures have to be implemented
even if they require significant resources or fundamental changes in the activities and
systems.
The risk evaluation shall be completed by checking the need for additional risk reduction measures.
They may be required:
if requested by law or state of the art regardless if the risk evaluation yields tolerable or
acceptable risks
if the residual risk is considered as intolerable
if the residual risk does not fulfill the ALARP criteria
if requested by line management for continuous improvement
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
14 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
2.4
Documentation
The assumption and the results of the LOPA assessment shall be recorded in a LOPA sheet. It is
recommended to use the LOPA template related to this standard [TA01]. If alternative records are
prepared the information which is described above and indicated in the template shall be given as
minimum.
If Safety Instrumented Functions (SIF) are required to achieve the necessary risk reduction the
LOPA report is part of the documentation as required by the safety plan according to Management
of Functional Safety [07].
2.5
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
15 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
Definition
System which responds to input signals from the process, its associated
equipment, other programmable systems and/or an operator and
generates output signals causing the process and its associated
equipment to operate in the desired manner. The BPCS does not perform
any safety instrumented function with a claimed SIL 1 and its failure
does not affect the core attributes of any safety instrumented function.
Conditional Modifiers
Distributed Control
System
Frequency
Functional Safety
Part of the overall safety relating to the process and the basic process
control system which depends on the correct functioning of the safety
instrumented systems and other protection layers [01].
Independent
Protection Layer
Likelihood
Mitigation
Prevention
Probability
Safeguard
Safety Instrumented
Function
Discrete level (one out of four) for specifying the safety integrity
requirements of the safety instrumented functions to be allocated to the
safety instrumented systems. Safety integrity level 4 has the highest level
of safety integrity; safety integrity level 1 has the lowest [01].
Single scenario
Abbreviation
Meaning
AIL
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
16 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
Abbreviation
Meaning
ALARP
BPCS
DCS
FSM
HAZID
Hazard identification
HAZOP
IPL
LOPA
SIF
SIL
[LA02]
[LA03]
Sub-Documents
[SU01]
Appendix A: Catalogue of reference data for initiating events and their frequency of
occurrence (recommended)
[SU02]
Appendix B: Catalogue of reference data for conditional modifiers and their risk reduction
factor (recommended)
[SU03]
[SU04]
Appendix D: Worked examples of typical risk solutions for OMV Refining (recommended)
Templates
[TA01]
References
[01]
IEC 61511-1; Functional safety - Safety instrumented systems for the process industry
sector - Part 1: Framework, definitions, system, hardware and software requirements;
01.2003
[02]
IEC 61511-2; Functional safety - Safety instrumented systems for the process industry
sector - Part 2: Guidelines for the application of IEC61511-1; 07.2003
[03]
IEC 61511-3; Functional safety - Safety instrumented systems for the process industry
sector - Part 3: Guidance for the determination of the required safety integrity levels;
03.2003
[04]
[05]
[06]
OMV Corporate HSE Standard 020: Risk Assessment and Evaluation Criteria
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
17 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved
[07]
[08]
[09]
VDI/VDE 2180: Sicherung von Anlagen der Verfahrenstechnik mit Mitteln der
Prozessleittechnik (PLT); Part 1 - 3; 2007 (German only)
[10]
OMV Refining Standard 5000: Project Management System for Technical Projects
[11]
Guidelines for Safe and Reliable Instrumented Protective System; CCPS/AIChE; 2007
6. Obsolete Regulations
None
Comment
30.11.2009
New publication
P RefStd_4043_v091130_EN_LOPA.doc
Layer of Protection Analysis (LOPA)
Page
Valid as of: 100901
18 of 18
Version: v091130
OMV Petrom Refining &Petrochemicals all rights reserved