Is it okay to challenge a LOPA after the fact? Is it reasonable to do so if you were not in attendance? The answer is yes, but prepare yourself for pushback, writes James Coakley. This short article will attempt to answer these questions in the event that you may be required to challenge a LOPA study.

It is controversial to challenge a LOPA after the fact and may raise grievances with colleagues especially if you were not in attendance. However, there are occasions where it is warranted.

There is documented evidence of LOPA studies not meeting the expectations of the UK HSE regulator and deficiencies to satisfy international standards such as IEC-615112.

Following the Buncefield incident the UK HSE reviewed 15 LOPA studies of overfill of fuel storage tanks1. The findings of the report make it clear that the rigor and consistency in the application of the LOPA technique varied across companies in the same process (bulk storage of flammable fuels).

Authority to raise the flag

If we were able to have a macro view of the LOPA technique across all industries where it is used, the variances may be more pronounced. All engineers involved in the LOPA process, but specifically process safety engineers, Chartered Engineers or with accreditation in functional safety from Exida or TÜV Rheinland, have the authority to raise the flag and seek clarification as the case arises.

Nobody will thank you for your challenge. Expect resistance from project managers, budget holders and generally anybody who has a bonus linked to the project. 

Ultimately, if the challenge results in safe operation over the lifecycle of the Safety Instrumented Function (SIFs) involved, then consider it a success. This success can only be measured as a function of time.

The success of the challenge does not provide instant feedback or payback. The success may feel and look like never hearing or reading about a disaster during the mission time of that plant or process.

LOPA challenges missed, ignored or overruled result in lost opportunity – the opportunity to fine-tune a company’s in-house LOPA technique, learn from past mistakes, perform sensitivity studies and understand your organisation’s LOPA limitations.

Engage with leading risk consultants or experts in this field and review the quality of the consultants' output and recommendations. Schedule and budget pressures tend to dominate projects.

The irony being the schedule and budget of a project may be blown by the time a mistake is revealed after procurement, during construction or the commissioning phase. Worse, insufficient risk reduction leave people, the environment and capital exposed.

Grounds for challenge Table 1

 

Scenario

Examples

Root causes

1.

You attended the LOPA or are part of the project team and new information which is relevant to the LOPA has come to light after the session.

Occupancy frequencies updated, design changes at interfaces to the study such as number of wells routed to a tie-in platform has been increased, number of manual valves giving rise to an initiating event increased as documentation used in the study had not been ever-greened.

 

  1. Poor planning
  2. No terms of reference
  3. Lack of communication between project interfaces
  4. Poor document management
  5. Operations personnel not present during LOPA

2.

You are in a pool of reviewers/approvers with the Technical Authority within the company having the competency to do so.

Loss Prevention & HSE departments in large organisations can afford this level of scrutiny.

 

  1. The LOPA report does not meet the company and Industry guidelines, standard or best practice.

3.

You joined the project after the LOPA was conducted.

 

You have seen from the LOPA report technique misapplication, miscalculation, unrealistic failure rates or IE or cause consequence pairs that lead to high impact events that are not capable of being handled by LOPA.

  1. Inexperienced LOPA team
  2. LOPA chairperson allowed non-conservative approach to develop
  3. Justification of values not present such as IPLS, CM and IE frequencies

4.

You are part of a value engineering team with the expertise and experience to challenge the LOPA.

 

  1. LOPA report recommends many SIL 3 applications
  2. Cost of SIF implementation and maintenance over its lifecycle is grossly disproportionate to the risk

 

 

  1. Lack of inherently safe design, LOPA semi-quantitative technique not sufficient, QRA more suitable
  2. LOPA report recommends SIFs where mechanical solutions can be implemented such as positive isolations, double block and bleeds to prevent loss of containment

5.

You are in the commissioning or operational phase of the lifecycle and you have the competency to challenge the LOPA assumptions used.

 

Demand rate or mode incorrect, observation of more than one trip in a year due to process conditions – not low demand.

  1. Unrealistic low initiating event frequencies
  2. Incorrect failure rates for IPLs selected
  3. Initiating events missed (startup cases)

 

Challenge Specifics Table 2

 

Scenario

Justification

Recommendation

1.

LOPA challenged based on incorrect risk criteria

Insufficient details to determine why the team chose a certain tolerable risk for example 1E-05/Yr rather than 1E-06/Yr (broadly acceptable)

  1. Terms of reference for the study available
  2. Company risk criteria documentation available during the session
  3. Member of Loss Prevention or HSE TA present during LOPA

2.

LOPA challenged based on very low IE

IE taken as granular events. PCV A fails (1E-01/Yr) and PCV B fails (1E-01/Yr) giving rise to overpressure downstream the spec break, so IE is 1E-02/yr. Both share a common BPCS

  1. Justification based on operating experience and site conditions required, verbatim IE frequencies from IEC-61511 to be discussed and documented to determine if valid and applicable to the site and scenario

3.

LOPA challenged on miscalculation

 

  1. Typo in report
  2. Incorrect LOPA software selection
  1. LOPA report to be reviewed by end user competent authority or independent third party

4.

LOPA challenged on IPL failure rates , CM

 

Independence of IPLs not fully established

Common cause elements not documented

Justification for conditional modifiers lacking – occupancy

 

  1. Justification of data sources, maintenance records, FMEDA, TOR
  2. Operations input required
  3. Awareness during the session to avoid double dipping on credits.

 

5.

LOPA by exception

A company has the same process across multiple sites and countries. One LOPA performed and results rolled out across the entire organisation

  1. Every site will be unique there will always be exceptions to the rule. Understand the findings of this LOPA may only represent the minimum risk reduction required

6.

Independent alarm with operator intervention claimed

No justification in report that operator has sufficient time to take corrective action

  1. Be specific in the terms of reference what constitutes credit for alarms and operator intervention2
  2. Ensure  process safety time is verified if it cannot be determined during the session
  3. Verify operator is trained in appropriate response to the scenario3

 

Conclusion

Challenges to LOPA are controversial and resisted as it translates into a criticism of the team or chairperson in the application of the technique. LOPA is semi-quantitative and subjective which rely on assumptions being made by the team.  

The engagement of the team to be forthright needs to be protected in order to maintain LOPA as a value added and simplified process hazard analysis (PHA) technique for a company. 

Who would be willing to attend knowing it will be challenged later on? That is why challenges must be handled in a delicate manner. The challenge needs to be concise, supported by evidence and routed to a single focal point independent of the project.

Most multinationals can facilitate this. Smaller organisations should have a Technical Authority but it is likely that this person would be at the session or chairing it.

Risk consultants are more than willing to offer their services to review, audit and rate past LOPAs and is worth considering as part of operational excellence programme to improve overall plant safety.

Top tips

  1. Your operators have the most intrinsic knowledge of the process. Train non-engineering employees in LOPA technique if they are being requested to attend. The answers/assumptions provided by operations have a considerable effect on the result. Better comprehension of risk and risk reduction techniques will have positive ripple effects.
  2. Employ competent people to chair the sessions or independent external third party.
  3. Develop in-house LOPA guidelines as you would for a hazard and operability study (HAZOP).
  4. Engage with external consultants for human error probability techniques if required.
  5. Derive your own in-house failure rates for Independent Protection Layers (IPLs). The impact will be considerable as the confidence in the numbers is raised.
  6. Be aware of software limitations and default settings used for LOPA. Ensure the risk tolerability is criteria calibrated to your facility.
  7. Provide the LOPA team with enough time to finish the study. Plan the session, allow for breaks, provide the latest documentation and engage with your independent consultant before the session. Ensure the key people are at the session or available when required.
  8. Be cautious of LOPA by exception.
  9. Recognise when LOPA is insufficient. Fault tree, event trees, quantitative risk analysis may be more appropriate
  10. For managers, project directors and senior stakeholders. Be open to challenge, it may save your reputation and be aware the challenger is staking theirs. Skin in the game4.

Author: EUR ING James Alan Coakley, MSc Process Safety & Loss Prevention, FS Engineer (TÜV Rheinland) ID No. 7059/13, SNC Lavalin Kentz, Oman. The views expressed herein are those of the author and do not necessarily reflect the official policy or position of any other agency, organisation, employer or company.

Abbreviations

  • CM: Conditional Modifier
  • FMEDA: Failure Mode Effects and Diagnostic Analysis
  • HAZOP: Hazard and Operability Study (PHA Technique)
  • HSE: Health Safety & Environment
  • IE: Initiating Event
  • IPL: Independent Protection Layer
  • LOPA: Layers of Protection Analysis
  • LPD: Loss Prevention Department
  • PCV: Pressure Control Valve
  • PHA: Process Hazard Analysis
  • TA: Technical Authority
  • TOR: Terms of Reference

References

  1. RR716 – A review of Layers of Protection Analysis (LOPA) analyses of overfill of fuel storage tanks [Online] Prepared by Health and Safety Laboratory for the Health and Safety Executive 2009. Available at: https://www.hse.gov.uk/research/rrpdf/rr716.pdf
  2. Scharpf, E & Thomas, HW, & Stauffer, T, (2016). Practical SIL Target Selection. 2nd Edition: Exida
  3. International Electrotechnical Commission,. (2016). IEC-61511, Functional safety – Safety instrumented systems for the process industry sector. 2nd edition
  4. Taleb, NN, (2016). Skin in the game : Penguin Random House