Closing the safety gap – safety integrity level selection using LOPA

Safety instrumented systems are often used to reduce the risk associated with a potentially hazardous process or plant. It is usual to express the level of risk reduction required as a safety integrity level or ‘SIL’. As such, selecting an appropriate SIL is a fundamental step in any safety specification and there are a number of different methods employed, depending on industry. In the oil, gas and process sector, Layers of Protection Analysis (LOPA) is arguably the method of choice. Following the Buncefield incident, for example, the Buncefield Standards Task Group suggested a LOPA study be used to provide a more consistent approach to SIL assessment [Ref 1].

WHY LOPA?

LOPA is a systematic methodology for examining defence-in-depth and assigning SIL targets. Its careful application can ensure that an organisation achieves a defined and consistent level of safety across all of its processes and plant. The basic LOPA approach is described in Box 1.

When appropriately applied, LOPA can very clearly identify what independent layers of protection are available against each initiating event. It can also use the initiating event frequency and the failure probability assigned to each protection layer in order to determine any gap between the likelihood of each outcome and that which is tolerable [see Fig 1].

Figure 1 – SIL Derivation Using Layers of Protection Analysis

One way of closing this gap is to provide a safety instrumented system capable of arresting the accident sequence with an associated SIL target.

LOPA LESSONS

When the UK’s Health and Safety Executive reviewed a number of LOPAs submitted by sites which store flammable liquids such as petrol (i.e. Buncefield type sites), they identified several areas of concern with many of the assessments [Ref 2]. The main issues were:

• Inadequately defining tolerable risk levels.
• Lack of frequency justification, including compliance with Functional Safety Standard IEC 61511.
• Inadequate substantiation of human error probabilities.
• Too much reliance on generic data without accompanying applicability arguments.
• Dependencies between protection layers claimed as independent.
• An absence of sensitivity analysis to ensure the robustness of LOPA conclusions.

Although these concerns were levelled at LOPAs for fuel storage sites, they can be read across to other LOPA applications. In addressing these concerns, there are a number of other improvements that should also be considered [see Box 2].

CONCLUSION

Any SIL selection method, if inappropriately applied, can lead to an insufficient SIL target, with a potentially intolerable level of risk. Conversely, a much too stringent SIL target can divert resources away from other more deserving risk reduction projects.

While LOPA provides a sound framework for deriving representative SIL targets, unsurprisingly, it relies heavily on supporting evidence, as well as the experience and expertise of the assessment team.

References

1. Safety & environmental standards for fuel storage sites, BSTG, 2007.
2. A review of the Layers of Protection Analysis (LOPA) analysis of overfill of fuel storage tanks, HSE, 2009.

This article first appeared in RISKworld Issue 17.