Guidance for Performing an Effective LOPA – Part Two
By Dr Esteban Bernechea, PhD FS Eng (TÜV Rheinland)
This work presents tips to help perform an effective LOPA. Part 1 introduced the LOPA methodology while presenting the tips and expanding on the first one: “Preparation is key”. In this second part, tips two through four, which are related to the calibration of risk targets, the competence of the team and the importance of traceability during the study, are expanded.
Guidance for Performing an Effective LOPA
2. Calibrate and define risk targets before sessions
In order to perform a correct SIL Determination workshop, either using the LOPA technique or other methodology, it is necessary to have previously defined the tolerability risk targets for the different potential consequences of hazardous events. This means that the user needs to define what frequency is tolerable for each specific consequence within their organization; for example, is it acceptable for an employee to suffer a minor injury once every ten years, or once per year? What about a single fatality? What consideration should be given to third parties?
The process of defining the tolerable frequency should be done for all potential consequences of hazardous events, considering safety on personnel and third parties, environmental impact and even economic or reputational concerns. However, the risk targets need to be calibrated, considering the type of operation, size, materials handled, etc. and what the worst potential consequences are, as well the differences between the different consequence categories.
For example, the tolerable risk targets may not be the same for two similar oil refineries located on different countries; although the hazards associated to both could be alike, the regulating bodies of the countries may have differing opinions on what the risk targets should be for specific consequences. Even if a company has its own set of targets, it will be required to achieve the ones set by the local regulatory body.
Although each organization may have different targets, there are guidelines that can be used to calibrate risk targets; the most frequently used in the United Kingdom is the Health and Safety Executive’s (HSE) document ‘Risk management: Reducing risks, protecting people – R2P2’ .
3. Select a Competent Team
According to IEC 61511  Section 5, Clause 184.108.40.206, persons, departments or organizations involved in Functional Safety Lifecycle activities should be competent in the tasks in which they will participate. This competency must be demonstrated through a combination of training and experience. This does not mean that all personnel should be competent in all Functional Safety Lifecycle stages and activities, but that there will be capable personnel in each of the required activities.
When performing a LOPA it is not necessary that all the team be competent to chair the study or perform the required calculations; however, the following roles should be accounted for in the meeting, and the people assigned to them should be competent in their roles.
The person in charge of leading the session must be experienced in using the LOPA methodology for different processes and applications, while also being capable of successfully leading the team to generate LOPA worksheets that present a clear, traceable and accurate representation of the meetings. It is recommendable that the LOPA Chair also be versed in other stages of the Safety Lifecycle, like hazard identification, preparation of Safety Requirement Specifications (SRS,) Verification or Validation of SIFs, etc. as this will allow them to perform the LOPA with further stages in mind.
Finally, the LOPA Chair should be knowledgeable in the fields of process engineering, risk analysis and process safety, although it is not necessary that she/him be an expert in the process or application being analysed.
The Scribe is responsible for recording the session with as much fidelity as possible. It is important that the LOPA Scribe be familiar with process engineering or safety and Functional Safety as well as with the tools used to perform the study (such as ESC’s ProSET®), to allow her/him to understand the discussions and not hinder the progress of the meeting.
The Scribe can also serve an important role by helping the Chair keep track of the consistency of the study, for example, by maintaining a register of the frequencies or probabilities used for different scenarios.
Instrumentation and Control (I&C) engineer
The I&C engineer will be in charge of providing all the information related to the design of the control and safety systems; this is, the architecture of functions, type of instruments used, etc.
The Process engineer will explain the intention and design of the process. The process engineer is very important at the moment of defining how the process will react to specific failures, and what the Safety Functions are intended to do to at that moment. She/he can also explain specific hazards related to the process or technology.
Health, Safety and Environment (HS&E) engineer
The HS&E Engineer is responsible for ensuring that the safety and environmental standards of the organization are being properly considered during the studies.
The operations representative will have sufficient experience in the operation of the process being analysed, in order to provide information regarding the real sequences of events in case of process failures, and which layers of protection can actually be considered useful during the study. Operators are extremely important at the moment of defining which alarms can actually be considered as proper Protection Layers (PLs).
4. Always keep traceability in mind
One of the most important and overlooked aspects of Functional Safety Management is the requirement for traceability across all stages of the lifecycle, as specified multiple times in IEC 61511 .
Keeping a proper record of the discussions and information during LOPA allows for the subsequent tasks in the safety lifecycle to be performed more easily. It is also very helpful in case there are changes in the team managing or performing the functional safety tasks, as it will help the new personnel transition straightforwardly into carrying out the required activities.
The key information that has to be properly recorded (including sources for all data, revision numbers, etc.) during a LOPA session is:
- Date of the meetings
- Team and roles
- Documents used during the meeting (e.g. previous PHA studies, up to date P&IDs, C&E diagrams, logic diagrams)
- Tolerability risk criteria
- For each SIF:
- Clear description of the SIF’s functionality (including, if available, sensing element, logic solver and actuator actions, Tags and voting arrangements)
- Clear description of the hazardous event against which the SIF is providing protection and its potential consequences on all vectors considered by the organization (people, environment, assets, reputation, etc.)
- Mode of operation of the SIF (low or high / continuous)
- List of Initiating Events (IEs), if available, including a reference to the PHA in which the IE was identified and which IPLs and CMs provide risk reduction for each of them
- Register of the IPLs with appropriate justification for the risk reduction that has been considered
- Register of the CMs with appropriate justification for the risk reduction that has been considered
- The Intermediate Event Frequency (IEF) resulting for each IE after considering risk reduction provided by IPLs and CMs
- Total IEF resulting from the sum of all the IE’s IEFs
- Risk targets in accordance to the tolerability criteria for the consequence against which the SIF is providing protection (for all affected vectors)
- Achieved SIL for each type of consequence of the hazardous event
Part three will be available next week.
If you have any questions or would like to leave us feedback please use the comments box below.