Limitations and misuse of layers of protection analysis
Layers of protection analysis (LOPA) is a simplified form of numerical risk assessment. It builds on qualitative studies such as HAZOP and it aims to reduce risk by using independent protection layers (IPLs).
From my experience of auditing and reviewing LOPA studies I have concerns at the level of mistakes being made using the technique. LOPA is a very useful technique, but is a simplified form of numerical risk analysis and hence has limitations. These include:
The following is an example of a LOPA study that I came across where there the use of LOPA was dubious.
It involved a solvent recovery area in a pharmaceutical company where a 220 m pipeline was pumping solvent 45% of time and was empty 55% of the time.
From Reference 1 the pipe failure rate/100 m is 1 x10-5 /y for a full-bore rupture.
The analyst multiplied the pipe failure rate by 0.45, ie the failure rate of solvent spill is:
= 2.2 x 10-5 /y x 0.45 = 9.9 x 10-6 /y
This type of de-rating of failure by dividing use time/total time has become commonplace.
However, the use of a factor of 0.45 raises an issue. It implies the pipeline can’t be damaged, degraded, or interfered with when not in use.
For example, if the pipe is subjected to corrosion under insulation (CUI) the failure rate may not be reduced by the reduced pumping time. Ageing of gaskets at flanges will not be reduced by the reduced pumping time. Also if someone leaves a drain valve open, the leak will simply occur the next time the pipeline is used.
Hence the failure rate of the system is unlikely to be linear with use time and the conditional modifier of 0.45 is highly questionable.
Further examples are given in the full Loss Prevention Bulletin article which you can read, free of charge, here. The purpose of the paper is to highlight some of the mistakes being made and challenge some of the practices that are occurring within LOPA calculations. A number of the examples relate to incorrect use of “conditional modifiers”
So why are the types of mistakes and errors of judgement occurring? In all the cases, the personnel involved had been trained in the technique and in some cases the personnel involved were quite experienced.
There appears to be a problem with the use of conditional modifiers (particularly in batch-type processes) with time at risk factors. Before using such factors, people need to think carefully and do a reality check as to whether the conditional modifier used is correct and appropriate to the situation being studied.
One uncomfortable question is: has LOPA over simplified risk assessment, and have the various spreadsheets that are available for LOPA allowed people to plug in data and get answers without fully understanding or thinking through the issues involved?
1. Layer Of Protection Analysis: Simplified Process Risk Assessment, CCPS, American Institute of Chemical Engineers, 2001.