ISSN: 1829-9466 2007 Journal of the Indonesian Oil and Gas Community.

Published by Komunitas Migas Indonesia

Some Experiences using Risk Graph and LOPA in Conducting SIL Determination Study
Mefredi, CFSE
BP West Java. E-mail: mefredi@se1.bp.com

Abstract. Risk Graph and LOPA methods have been used to determine the required Safety Integrity Level. Both are most popular methods compared to other methods outlined in the SIS standard for process sector IEC 61511. Risk graph is a structured means to determine ILs using semi quantitative judgment based on series of parameters that are relevant to a risk. LOPA is one of process hazard analysis methods, which are also used to determine ILs. LOPA starts with the identification of initiating cause and protection layer of hazard mitigation. Both Risk Graph and LOPA are suitable tools to determine ILs based on complexity of process being assessed. In general, Risk Graph is particularly appropriate for screening application, while more detail study can be done using LOPA. This paper presents an overview of Risk Graph and LOPA. Results of applying those methods to existing offshore facilities, required documents and other aspects towards more effective workshop are also presented. It can be concluded that LOPA may give lower ILs compared to the Risk graph, but the shortcoming of LOPA is that it is more complex and time consuming. Keywords: Risk Graph, LOPA, Safety Integrity Level, Safety Instrumented System

requires the hazard and risk assessment to be carried out in order to identify the overall safety requirements; requires the allocation of safety requirements for safety instrumented system(s) to be carried out; works within the framework which is applicable to all instrumented methods to achieve functional safety; discusses the use of specified activities, such as safety management, that may be applicable to all methods for achieving functional safety. IEC 61511 also deals with guidance to determine Integrity Level (IL) in hazard and risk analysis processes. Within this standard, information is given to provide broad overview of the methods used in hazard and risk analysis process. There are many methods to determine the Integrity Level required, and they are addressed in IEC 61511 standard: Qualitative Safety Matrix Qualitative Risk Graph Semi Qualitative (Calibrated) Risk Graph Semi Quantitative using LOPA (Layer of Protection Analysis) In normal approach for risk-based standard document, i.e. IEC 61511, the guidance provided contains insufficient details for direct implementation. All methods to illustrate underlying principle have been subjected to simplification. The user will need to explore the real practice on how to implement the guidance to fit with each corporate or organization guideline. Many companies feel that the qualitative methods are not consistent with their risk criteria. In this regard, Calibrated Risk Graph and LOPA are able to provide alignment with the risk criteria of a company. In present paper, author would like to discuss about the workshop-based experiences using Calibrated Risk graph and LOPA method to determine ILs for either newly designed or existing-modified facilities. This paper aims to give reader a brief overview of Safety Integrity Level (SIL) determination workshop, available methods, required documents, and team involvement to achieve effective results.

1. Introduction
Safety Instrumented System has been used for many years to perform safety instrumented function in the process industries. If instrumentation is to be effectively used for safety-instrumented functions, it is essential that this instrumentation achieve certain minimum standard and performance levels. The international standard addressing the application of safety-instrumented system in the process industries is IEC 61511, which was finally published in 2003. IEC 61511 is process sector under the framework of IEC 61508 that covers all safety-related system. Within this standard, there are two fundamental concepts pertaining to their application, namely safety lifecycle and safety integrity level. IEC 61511 sets out an approach for safety life-cycle activities in order to achieve the performance standard. To achieve this objective, the IEC 61511:

Mefredi - 7

2. Calibrated Risk Graph

Calibrated risk graph outlined in IEC 61511-3 annex D is suitable for process industry application. Risk is defined as a combination between probability of the occurrence of the harm and its severity. Typically, in process industry, risk is a function of following parameters: consequence of hazardous situation (C); occupancy (probability of occupying the exposed area) (F); probability of avoiding hazardous situation (P); demand rate (number of times per year that the hazardous situation would occur in the absence of safety instrumented function being considered) (W) The calibration of the risk graph is made to the objective of describing the parameter to enable the assessment team to make objective judgment. It is also to ensure the Integrity Level selected is in accordance with company risk criteria. Calibration of risk graph is a process of assigning numerical value to the risk graph parameters. Range of values is assigned to each of the parameters such that when it is applied in combination, a graded assessment of the risk, which exists in the absence of particular safety being produced. Thus, a measure of the degree of reliance placed on the Safety Instrumented Function can be determined. The risk graph relates particular combination of the risk parameters to Integrity Levels. The relationship between the combination of risk parameters and Integrity Levels is established by considering the tolerable risk associated with specific hazards. Within the IEC 61511 framework, the required Integrity Level needs to be determined for personnel safety and environmental hazard. The required ILs may also be applied to the asset or commercial loss. Figure 1 provides a general scheme of safety risk graph per IEC 61511 Annex D

W3
CA X1

W2

W1

a a 1 2 3 4

--a a 1 2 3

----a a 1 2

Starting point for risk reduction estimation

X2 P A CB FA FB CC FA FB CD FA FB PB P A PB PA P B PA P B X6 X5 X4 X3

C = Consequence parameter F = Exposure time parameter P = Possibility of avoiding the hazard W = Hazard rate if SIS fails to act on demand

--- = No safety requirements a b = No special safety requirements = A single E/E/PES is not sufficient

1, 2, 3, 4 = Safety integrity level

Figure 1. Safety Risk Graph General Scheme per IEC 61511

Safety Integrity Level (SIL) NO IL 0 1 2 3 4

Table 1. Safety Integrity Level DEMAND MODE OF OPERATION Target average probability of Target Risk Reduction failure on demand (PFD) Factor (RRF) 1 1 10-0 10-1 1 10 10-1 10-2 10 100 10-2 10-3 100 1,000 10-3 10-4 1,000 10,000 10-4 10-5 10,000 100,000

Mefredi - 8

ISSN: 1829-9466 2007 Journal of the Indonesian Oil and Gas Community. Published by Komunitas Migas Indonesia

One can determine Safety Integrity Level, Environmental Integrity Level and Commercial Integrity Level based on four discrete levels as specified in Table 1 for demand mode operation. Overall, integrity level of the highest IL requires safety, environmental or commercial category, and in general term, this level is called Safety Integrity Level (SIL).

3. LOPA (Layer of Protection Analysis)

LOPA is one of the process hazard analysis tools, which is also suitable for determining the Integrity Level of Safety Instrumented Function. LOPA is outlined in IEC 61511 Annex F. Table 2 provides the LOPA worksheet per IEC 61511 annex F. The method starts with the data developed in hazard and operability study, and accounts for each identified hazard by documenting the initiating event and the protection layer that prevent or mitigate the hazard. The total amount of risk reduction can then be determined, and the need for more risk reduction is analyzed. If additional risk reduction is required, and if it is to be provided in the form of a Safety Instrumented Function (SIF), LOPA methodology allows the determination of the appropriate Safety Integrity Level (SIL) for the SIF. Simply speaking, the method consists of (1) assigning a target frequency based on the consequence severity and (2) comparing it to a simplified prediction of the actual scenario frequency. LOPA process starts with identification of impact event description (column-1) based on previous hazard identification document, assign the severity level (column-2) associated with impact event description, dig dive to identify the initiating causes (column-3) and lists all credible event which lead to the hazards, and each initiating causes assigned the likelihood (column 4) in form of numerical values. These values are based on the several data source such as industry consensus as listed in CCPS data book or site-specific data if applicable. Next process is to evaluate the protection layer, which can be in the form of Process Design Effectiveness, Basic Process Control, Alarm, Mitigation Layer or Mechanical Protection such as pressure relief valve. The defined characteristic of a protection layer is that it prevents the consequence from happening. Each protection layer must function such that the defined

consequence will not occur. Each protection layer counted must be independent of other protection layers, which means that there must be no failure that can deactivate two or more protection layers. If a protection layer is believed to be more reliable (a lower value for Probability of Failure on Demand PFD), a quantitative method should be used to confirm the PFD. For example, if the team desires to improve the unavailability of risk reduction logic in the Basic Process Control System (BPCS) by adding additional sensors or final elements, the impact event should be reviewed by a quantitative method such as Fault Tree. Some set rules for protection layer are: Specifically designed to prevent or mitigate consequences of a potentially hazardous event Dependable and can be counted on to do what it was intended to do Auditable and a system to audit and maintain Using the numerical values identified in the preceding steps, a simple calculation is performed to determine the PFDSIF. The numerator of the PFDSIF is the Mitigated Event Likelihood MEL (column-10), which is the companys risk tolerance for that scenario. The denominator of the PFDSIF is the product of the Initiation Likelihood and the Probability of Failure on Demand (PFD) of each Independent Protection Layer (IPL) identified. The formula for calculating the PFDSIF is presented below

PFDSIF =

MEL ICL * PFD1 * PFD2 * ... * PFDn

If the PFDSIF is greater than or equal to one then existing protection layers in place are adequate. If the PFDSIF is less than one then SIF is required to provide necessary risk reduction to bring the process risk to a tolerable level. LOPA is used to determine the required Risk Reduction Factor (RRF) and Safety Integrity Level (SIL) for a Safety Instrumented System (SIS). To do this, the LOPA is calculated without giving any credit to the existing SIS. The RRF is calculated by taking the inverse of the PFDSIF

1 PFD SIF

. The required SIL

can then be found by using Table 1.

Table 2 LOPA worksheet

# 1 Impact event description 2 Severity Level 3 Initiating Cause 4 Initiation Likelihood General Process Design 5 BPCS 6 PROTECTION LAYER Alarm Additional Mitigation, Restricted Access 7 IPL Additional dike, pressure relief 8 Intermediate event likelihood 9 SIF integrity Level 10 Mitigated Event Likelihood 11 Notes

Mefredi - 9

ISSN: 1829-9466 2007 Journal of the Indonesian Oil and Gas Community. Published by Komunitas Migas Indonesia

4. Some Experiences using Risk Graph and LOPA

4.1 Information Requirement
To conduct the SIL study successfully, we need to provide specific information requirements. The obvious requirement is a clear indication of level of risk that is tolerable, and this is often available in corporate risk guidelines. Providing tolerable risk target is necessary to proceed with calibrating the risk graph and/or setting the mitigated event likelihood for PFDSIF calculation. In addition to this, the hazard identification, risk analysis and existing safeguard information can usually be drawn from the PHA/HAZOP study, with the relevant engineering drawing P&IDs providing an additional level of detail. Gaps in the information provided are filled by expertise and experience of the people participating in the study and additional documents, such as Cause & Effect diagrams or SAFE charts, whenever appropriate. Table 3 provides an example of identifying the SIF from previous PHA/HAZOP report. In the recommendation column, PHA/HAZOP team recommends to install a new SIF in order to prevent more pressure hazard. Hazardous events, initiating causes and protection layer are taken from information available in the table. Table 3 Excerpt from typical PHA/HAZOP report
Dev Cause Consequence Safeguards Recommendation 1.0 More Pressure 1.1 Pressure Vessel overpressure control and potential fail, causing hi mechanical pressure in failure and a vessel hydrocarbon release 1.2 Outlet line Vessel blocked overpressure causing hi and potential pressure in mechanical a vessel failure and hydrocarbon release 2.0 Less Flow 2.1 Less flow Pump trough Damaged pump causes pump failure

Another way is to identify SIFs by examining the engineering drawing such as P&IDs. Existing plant may have SIF depicted in P&IDs. Care should be taken when identifying the SIFs from P&ID. In some cases, expert judgment is required. Bear in mind that not all functions depicted in P&IDs are safety function. Some of the functions may only serve as an operational control function or alarm function. Identification of SIFs from engineering drawing P&IDs, Cause and Effect or SAFE chart may not cover the recommended SIFs as depicted in PHA/HAZOP report. In many cases, we also need to re-identify the hazardous event and initiating causes.

Figure 2 SIF identification from Engineering Drawing

Pressure relief valve, operator intervention to high pressure alarm Pressure relief valve, operator intervention to high pressure alarm Low outlet flow pump shutdown (SIF)

Install SIF to stop inlet flow upon vessel high pressure

4.2 SIL Study Team

During SIL determination workshop, personnel making decisions on parameters relevant to risk shall have the necessary skills and experience. Effective SIL determination study requires a team, which at least consists of: Chairman/Facilitator Secretary (Chairman/Facilitator may have dual role if desired) Process/Process Safety Engineering Control/Instrument/Electrical Engineering Operation Representative/Plant Operator/Plant Technician Field/Facility Engineering Other technical discipline if required (Mechanical Rotating Equipment, Corrosion, Pipeline, Structural, Health and Safety Specialist) Typically, five to six full-time team members will enable the effective discussion and decision-making. Team member compositions are most likely similar with PHA/HAZOP team member requirements. In the case whereby SIL determination study is performed in conjunction with PHA/HAZOP, the chairman/facilitator

SOV

Install SIF to stop inlet flow upon vessel high pressure

Existing safe guard adequate

Excerpt of PHA/HAZOP report also provides information of available existing SIF (i.e. low outlet pump shutdown). Both SIFs are qualified to go to further analysis with Risk graph or LOPA methods.

Mefredi - 10

ISSN: 1829-9466 2007 Journal of the Indonesian Oil and Gas Community. Published by Komunitas Migas Indonesia

shall understand PHA/HAZOP and SIL determination methods, particularly understand the likelihood and potential consequences of event. Within the mature organization, the team members are usually familiar with PHA/HAZOP methods as they have prior experiences. It is found to be useful that the team members undergo the introduction training prior to attend the workshop. Having the awareness of SIS concepts, Risk Graph and LOPA methods, team members will gain the effective results. It will be perfect if the chairman/facilitator have the capability to explaining the methods just before the workshop started, say a half day of the first day within workshop schedule. This is proven useful since the team member will have refreshed memories. Workshop will flow smoothly, and may reduce time consumption, as all team members understand the methods and objective. In this regards, they may be able to contribute in a positive way. Based on reliable information received by author, some workshop was started without giving proper knowledge preparation for team members. In this event, after completing one week of SIL determination workshop, some team members still do not understand the basic concept of Safety Instrumented System and Safety Integrity Level. In authors viewpoint, this workshop cannot be categorized as an effective workshop.

LOPA assessment was also performed to the 80 SIFs. They were assigned as SIL 2 and above. The results left only 3 functions with SIL 2, and there was no SIL 3. The results of SIL determination based on LOPA assessment are summarized in Table 4. Table 3 ILs result using Risk Graph SIL Rating No of SIF NO IL 47 SIL 0 12 SIL 1 33 SIL 2 49 SIL 3 31 TOTAL 172 Table 4 ILs result using LOPA SIL Rating No of SIF NO IL 61 SIL 0 45 SIL 1 63 SIL 2 3 TOTAL 172 Comparing the results in Table 3 and Table 4, it can be seen some lowering of SIL required by one level or even two levels. It is important to note that this comparison can only be done if the Risk Graph has been calibrated with the same tolerable risk criteria used in LOPA. Analysis of totally 210 functions was completed within six-day workshop and the other 3-day was used to complete 80 SIFs, which had SIL 2 or SIL 3 rating. During 8-hour per day workshop, averagely 25 30 SIFs can be completed using Risk Graph method and averagely 20 25 SIFs using LOPA. The duration is expected to be longer if the assessment is conducted in spreadsheet tools. It is commonly known that the progress is a little bit slow in the beginning of assessment. However, as team member are familiar with the methods and scenarios, the progress will be faster. In addition to the above, LOPA can provide more detail results since it has information of required numerical PFD and associated SIL rating.

4.3 Risk Graph vs. LOPA: Are the results different?

To answer the question above, an example of SIL determination results is presented in this section as a reference. The results can be different among facilities, but the example provided in this chapter could give a typical value or an estimated objective. Example A SIL determination study was carried out to an existing offshore oil and gas facilities safety shutdown system, which was formerly designed to comply with API 14C. The study documented in SIL software tools is called TRAC (Trip Requirement and Availability Calculator). SIFs identifications were done by identifying the function of P&IDs and then comparing it with SAFE Chart. Totally 210 functions was analyzed but only 172 functions were decided to receive further assessment. Totally 172 SIFs were identified and assessed against calibrated Risk Graph parameters. Results of Risk Graph are ranging from NO IL up to the highest SIL 3. Table 3 summarizes the results of SIL determination with Risk Graph method. According to Risk Graph parameter, from the 172 SIFs, 80 of them were identified as SIL 2 and above.

5. Conclusion
Based on some experiences using Risk Graph and LOPA, the conclusions can be drawn as follow: Risk graph and LOPA are suitable methods as SIL determination technique, and able to provide alignment with corporate risk criteria Risk Graph aims to be a screening method while LOPA aims to provide more detail assessment LOPA results will generally have lower SIL and time consuming than Risk Graph, but LOPA can provide more detail information

Mefredi - 11

ISSN: 1829-9466 2007 Journal of the Indonesian Oil and Gas Community. Published by Komunitas Migas Indonesia

Effective SIL determination workshop can be achieved by equipping team members with useful knowledge of the methods prior to the workshop.

6. References
[1] IEC 61511-3, Functional safety Safety instrumented systems for the process industry sector. Part 3: Guidance for the determination of the required safety integrity levels [2] GP 30-76, Guidance on Practice for Safety Instrumented Systems (SIS) Development of the Process Requirement Specification, BP Group Engineering Technical Practices, 2003 [3] Ed Marszal and Eric Scharpf. Safety Integrity Level Selection, Systematic Methods Including Layer of Protection Analysis, The Instrumentation, Systems and Automation Society ISA, 2002 [4] Layer of Protection Analysis, Simplified Process Risk Assessment, CCPS, 2001

7. Biography
Mefredi currently works for BP West Java as Fire & Gas Safety Instrumented System Engineer and Technical Authority. He obtained B.S. degree in Electrical Engineering from Institut Teknologi Bandung in 1997. He has over nine years of experience in oil and gas operating industry with area of interest of E&I Engineering, Risk Assessment, Process Safety Integrity Management, Operation and Maintenance, as well as SIS engineering, SIL Determination and Verification Study. He also holds a Certified Functional Safety Expert CFSE, a TV certification in area of functional safety.

Mefredi - 12