SIL Determination According To IEC 61511-3: Cumulative LOPA method

Gy. Baradits PhD. 1*, J. Madár1 PhD., Gy. Baradits jr.1, Á. Baradits1

1 SIL4S Kft, Veszprém 8200, HUNGARY

Abstract

LOPA (Layer of Protection Analysis) is a simplified risk assessment method that is uniquely useful for determining

integrity level of SIF (Safety Instrumented Function – “interlock”) should be designed. LOPA is a quantitative tool

which is readily applied after the Process Hazard Analysis (PHA) – for example, HAZOP – and before Fault Tree

Analysis/Quantitative Risk Assessment if needed. In most cases, the SIF’s Safety Integrity Level requirements can

be determined by LOPA without using the more time-consuming tool of Fault Tree Analysis or Quantitative Risk

Assessment. The problem of classical LOPA approach is that it takes into consideration only one hazard scenario

(per scenario method) at a time. However the same SIF may exist in several hazard scenarios, so in practice there is

a need for a cumulative LOPA method where we can take into account all hazard scenarios in LOPA calculation

which have identical SIF as a Safety Instrumented Independent Protection Layer. We lay down the mathematics of

cumulative LOPA and developed software called Tool4S which uses this mathematics. The article shows some

example of the SW application in the Process Industry.

Keywords: HAZOP; Process Risk; Risk reduction; LOPA; Cumulative LOPA; SIL calculation

1. Introduction

One of the first book about the safety instrumented systems was published by TÜV in 1986 (Hölscher and Rader,

1986). The topic of the book was the application of microcomputers in fields which are related to safety. In the

1990s, companies and industrial groups developed standards to design, build and maintain, that time called,

Emergency Shutdown Systems focusing only on the PLC (programmable electronic controller) system. The PLC, in

“safety application”, was classified according the German Standards (DIN 3100 - DIN EN 954). When the first

general safety standard the IEC 61508 (IEC 2000) was issued, the safety thinking both in general and industrial

segment specific point of view dramatically changed. In 2003, a sector specific safety standard, the IEC 61511 (IEC

2003), was published for process industry, e.g. for Chemical, Petrochemical, Oil and Gas Industry. This standard

firstly introduced the principle of Safety Instrumented Systems (SIS) and Safety Instrumented Function (SIF) into

the safety thinking.

A key input of the tools and techniques which implement these standards is the so-called required Probability of

Failure on Demand (PFD) value. The required PFD value determines the required Safety Integrity Level (SIL) of a

safety function (SIF) see Table 1. Normally the task of Process Hazard Analysis (PHA) teams is to determine the

existing risks (R=f*C). Required SIL values for every SIFs (“interlocks”) are calculated on the basis of these risks.

Several techniques were developed for this task, one of them is the Layer of Protection Analysis (LOPA) which

becomes more and more popular in everyday practice. LOPA is an approach which analyzes the number of layers

needed to protect the process against the unwanted consequences of the Hazards and, even it would happen, to

reduce the consequences. The concept of LOPA was firstly published by the Center for Chemical Process Safety

(CCPS) in 1993 in the book “Guidelines for Safe Automation of Chemical Processes” (CCPS, 1993). From those

* Corresponding author, Tel.: +36 88 424 075 E-mail address: bgs@sil4s.com (György Baradits snr.)

concepts, several companies developed internal procedures for LOPA (Dowel and Hendershot, 2002, SafetyLine

Inst., 1998). The CCPS and AIChE also published a book in 2001 that describes the LOPA method (CCPS, 2001).

The goal of this paper is to briefly describe the LOPA process, and discusses experience in implementing the

technique.

Table 1: Connection among SIL, PFD and RRF

SIL

High Demand Mode,

PFDawg

Continuous Mode (per

hour)

Risk Reduction factor

4 10-5 - 10-4 10-8 - 10-9 10.000-100.000 3 10-4 - 10-3 10-7 - 10-8 1000-10.000 2 10-3 - 10-2 10-6 - 10-7 100-1000 1 10-2 - 10-1 10-5 - 10-6 10–100

2. Procedure of SIL calculation

Based on the Safety Life Cycle, it is necessary to get convinced that the existing / designed SIS is appropriate for the

particular process from the safety point of view (pre-validation, validation). How does one get convince about it?

Based on the IEC-61511 standard, one should perform the following steps:

• Hazard and Risk analysis (IEC, 2001)

• IPL allocation and SIL calculation of SIFs

• Safety Requirement Specification

Fig. 1 shows flow-chart of SIL calculation process. This article point of view we are dealing with the calculation of

target SIL value. The suggested methods in the IEC 61508 and IEC 61511 which gives possibility of calculation the

target SIL value of SIF are split into three groups:

• Qualitative, like risk matrix, risk graph

• Quantitative, like LOPA or like Failure Mode and Effect Analysis (FMEA) or MARKOV modelling

The qualitative methods are simply, inaccurate and too subjective and do not deal with neither the non

instrumented independent protection layers nor the independency of the layers itself. That is why these methods are

not suggested in the everyday practice of complex technology in the process industry nowadays. On the other hand,

the FMEA and Markov techniques are too detailed and slow for practical usage. That is why the LOPA seems to be

a good compromise.

However while the LOPA is quantitative method (see the help of the ExSILentia software (Exsilentia)), there are

some arguments why LOPA should be used:

• It is not as subjective as the qualitative methods.

• The criterion of using LOPA is to build up the Corporate Tolerable Risk Matrix, which is the responsibility

of given Company.

• LOPA is the only method that is able to take into consideration various non-SIF protection layers in the

process applications.

• LOPA gives the possibility of building up the most cost effective protection layer system including

instrumented and non instrumented protection layers.

Fig. 1 – Flowchart of SIL calculation using LOPA.

3. What is LOPA?

In the IEC 61511 LOPA is mentioned as a method which gives possibility of calculation of the required SIL value of

a SIF. Actually, the LOPA method (CCPS, 2001, ISA, 1996) is a quantitative risk analysis technique that is applied

following the process hazard identification method such as HAZOP.

The LOPA main objectives are the followings:

• Identify all independent protection layers (IPLs).

• Determine if SIF is required.

• Determine required SIL and RRF values of SIFs.

Main steps of LOPA procedure are the followings:

1. Develop each impact event scenario based on PHA (typically HAZOP).

2. Identify and set the initiating event(s) and related enabling factors.

3. Calculate the enabled initiating event(s) frequency.

4. Evaluate the severity consequences for human, environment and business of the impact event scenario.

5. Determine the tolerable frequencies of the consequences for human, environment and business.

6. Determine if the initiating event frequency is smaller than the tolerable frequencies. If it is smaller, no IPLs

are necessary.

7. Add independent protection layers (IPLs) to mitigate the impact event scenario.

8. Set the probability of failure on demand (PFD) values of IPLs.

9. Calculate the frequency of the impact event scenario after mitigation; and check if the frequency meets the

company’s target frequency requirements. If one or more target frequency requirements are not met, go

back to the Step 7.

10. If no more IPL and the target frequency requirement is still not met, allocate a SIF and determine the target

SIL and RRF values of this SIF.

We define LOPA as a quantitative method because even if this technique uses numbers and generates a

numerical risk estimate, these input numbers are approximate estimates, their accuracy is about at the half order of

magnitude level. But even if the LOPA is quantitative, if it uses a well-calibrated tolerable risk matrix, the estimated

SIL and risk reduction factor (RRF) values will be adequate. The RRF value is also important because it sets the

position of the risk reduction requirement for SIF within the given SIL range. If a more complete understanding of

the risk is required, more rigorous quantitative techniques such as fault tree analysis or quantitative risk analysis

should be required.

The key word of LOPA is the independent protection layers. No other method gives the possibility of

discovering all non instrumented protection layers which necessary to reduce the probability of risk before applying

SIFs. The team also supervises the detailed P&IDs in the course of the LOPA study that gives the possibility to

discover if any non instrumented protection layers missed in the design phase.

The main goal of LOPA is to calculate the residual risk and the mitigated frequency of a given hazard scenario.

Practically, the LOPA is used to determine whether the risk reduction of identified (existing and/or proposed) non

instrumented protection layers is enough or not.

LOPA starts with a dangerous consequence, usually an event with hazardous consequence for environment,

health and business. The severity of consequences is estimated using appropriate techniques, which may range from

simple category tables to sophisticated consequence modelling software tools depending on the experience of the

HAZOP team. A consequence always has one or more initiating events (causes). Each cause-consequence pair is

called as scenario, and the LOPA focuses on one scenario at a time. The frequencies of initiating events are also

estimated (usually from historical reliability database or category tables) by the HAZOP team.

After identifying all causes and consequences, the possible safeguards (protection layers) of the given hazard

scenario is evaluated for two key characteristics:

• Is the safeguard effective enough in preventing the scenario from occurrence the consequence?

• AND, is the safeguard independent of the initiating event and the other IPLs (Independent Protection

Layers)?

If the safeguard meets both of these criteria, it is an Independent Protection Layer (IPL).

LOPA estimates the frequency of the mitigated dangerous consequence (called mitigated frequency) by

multiplying the frequency of the initiating event by the product of the probability of failure on demand (PFD) of

∏=

⋅=n

jjPFDFF

1initiatingmitigated (1)

where n is the number of the non instrumented independent protection layers for the given hazard scenario, Finitiating.

is the frequency of the cause, and PFDj gives the probability that j-th IPL cannot prevent against the scenario to

occur the unwanted consequence. The smaller the PFD value is, the better the IPL is. Fig. 2 shows a simple diagram

to illustrate how the probability of occurrence of the unwanted consequence decreases by using IPLs.

IPL1 IPL2 IPL3

Consequence realised

Fig. 2 – The principle of LOPA: the probability of the unwanted consequence decreases by IPLs.

The mitigated frequency is compared to the tolerable risk values (tolerable frequencies) of the given hazard

scenario. The tolerable frequencies are derived from the company consequence criteria matrices for people, business

and environment. If additional risk reduction is necessary, additional IPLs must be proposed to the design, which

can be non instrumented or instrumented protection layer(s).

4. Cumulative LOPA method

The fundaments of the LOPA calculation are the company tolerable risk criteria. The typical risk criteria give the

tolerable risk values, expressed in frequency, for personnel, environment and business losses. During the LOPA, it is

necessary to compare the mitigated risk to the tolerable risk. If the mitigated risk is lower than the tolerable risk or at

least it is “as low as reasonably practicable (ALARP)” there is no need for other protection layers. If the protection

layers do not protect against the unwanted consequences, it is necessary to add new protection layers and/or other

risk reduction methods.

The tolerable risk categories are always prepared by the given company and they must be included in the

Company Safety Policy. As the corporate criteria determine the tolerable risk values, the LOPA practically focuses

on the calculation of the mitigated risk to determine the necessary risk reduction factor. In everyday practice, the

mitigated risk is calculated separately for every scenario. This is so-called “per scenario” method which has one

disadvantage that it cannot take into consideration that a hazard may contain several scenarios with the same

consequence and partly or completely same protection layers (a given SIF, for example). To analyse this problem let

see what the IEC 61511-3 standard says about the SIL calculation:

“The last step is to add up all the mitigated event likelihood for serious and extensive impact events that present

the same hazard”.

This is why we suggested instead of “per scenario” method, the “cumulative” method which can take into

consideration all hazard scenario which is protected by the same SIF according the standard.

Let see a quantitative example about the difference between the “per scenario” and the “cumulative” method

suggested. Let assume that the hazard is high pressure of a vessel and there are two possible initial events:

• The pressure control loop fails. The frequency is F1.

• The vapour line is blocked. The frequency is F2.

Let us assume that the dangerous consequence is vessel rupture in both cases and there is an independent high

pressure trip, i.e. a SIF which can protect against the high pressure in both cases, and there is no any other IPL. Fig.

3 illustrates the example. If the “per scenario” method is used, it will be calculated in the following way: The target

risk reduction factor for the first scenario is: toltar FFRRF /11 = , where the Ftol is the tolerable frequency for the

given consequence based on the Company Safety Policy. The target risk reduction factor for the second scenario is:

toltar FFRRF /22 = . The final target RRF for the SIF is the higher RRF value:

( )tartar RRFRRFRRF 21scenarioper ,max=− (2)

In contrast with the previous one, the “cumulative” method adds up all the RRF values, so the target RRF for the

SIF will be:

tartar RRFRRFRRF 21cumulative += (3)

This is higher value than the result of “per scenario” method.

That above mentioned difference is important because as we mentioned the IEC 61511-3 suggests calculating

the total risk. It means that the standard suggests the cumulative LOPA method instead of the per-scenario LOPA

method.

The difference between the results of the two LOPA techniques may be very high when the given SIF can be

found in several scenarios as an IPL. This difference is usually much more than the uncertainty of the LOPA

method, so the negligence of application of cumulative LOPA method may lead to non-conservative SIL calculation

results (safety risk).

In the next chapter, we will conduct the mathematics of cumulative LOPA method and present how it is

implemented in our Tool4S software tool developed by us.

PIC

Vapour

Liquid

PSH ESD

LIC Feed

High pressure SIF

Fig. 3 – Example high pressure SIF.

5. Cumulative LOPA method SW: Tool4S

There are several software tools for making HAZOP and LOPA studies, but our experience has showed that most of

them only can calculate the RRF value for one scenario (per scenario method) but do not accumulate them. So this is

the task of the user. Preparing some hundreds of HAZOP studies showed that the same SIF can occur in several

hazard scenarios in the process industry, i.e. one SIF may belong to many different hazard scenarios. If users use

software which does not support the cumulative LOPA method, finally they will make mistakes in calculation of

SIL value and RRF value of SIFs or try to forget the cumulative LOPA method just because it is too tiresome.

Hence, we built the cumulative LOPA method into our Tool4S software making the calculation automatic. In the

following, it will be presented how the cumulative LOPA is realised in our software (see the demo of the software

(Tool4SDemo)).

The calculation is based on the “non-mitigated frequencies” matrix for causes and the “tolerable frequencies”

matrix of the given company. The non-mitigated frequencies matrix can contain one or more pre-defined likelihood

values for the initial events (causes), see Fig. 4. It is the user task to define this values, the user can easily add or

remove items to/from the matrix. Certainly it is not necessary to use this matrix for every case; the user can give a

unique frequency value for every initial event if the pre-defined values do not fit to the given case.

Fig. 4 – Definition of non-mitigated frequency matrix of causes in Tool4S.

The tolerable frequencies are also user defined. The user can define the number of consequence types (the

default is three: for human, for business and for environment), the possible severity categories, and the specific

tolerable frequencies for each severity, see Fig. 5 for an example.

Fig. 5 – Definition of tolerable frequency matrix in Tool4S.

Every pre-defined non-mitigated frequency and tolerable frequency value has a code. The user can easily do the

risk ranking by selecting only the appropriate code, see Fig. 6.

Fig. 6 – Example for risk ranking in Tool4S.

The risk ranking must be done for every cause-consequence pair, but if the consequence is the same for more

causes, the software will automatically copy the consequence ranking information to save manual work.

The main concept in the software is that every SIF has a unique tag name and own SRS (Safety Requirement

Specification) sheet. When a SIF is added into the HAZOP, the software automatically collects every scenario where

the given SIF is involved in, and calculates the cumulative RRF value of the given SIF. Fig. 7 shows an example

from the software.

Cumulative LOPA results

Where the SIF can be found

Fig. 7 – Example for cumulative LOPA in Tool4S.

The result of the calculation is the target SIL and target risk reduction factor.

6. Cumulative LOPA algorithm

In the followings, the algorithm of cumulative LOPA will be presented as it is realised in the Tool4S software.

6.1. First step

In the first step, the software takes the frequency of the cause (initiative event). This is called as non-mitigated

frequency. The software takes the cause frequency category and looks for the non-mitigated frequency value from

the user defined non-mitigated frequencies matrix. The attributes of non-mitigated frequency:

Sign : Fnon-mit

Name : Non-mitigated frequency

Unit : 1/year

Range : Real number, mitnonF −≤0

6.2. Second step

The software takes the severity categories of the consequence and look for the tolerable frequency value from the

user defined QTRM. In the QTRM, there are tables which inform about the tolerable frequency of different types of

consequences. Typically there are three types of consequences:

� Human

� Business losses

� Environment

In the followings, we assume that these three consequence types are used.

The attributes of tolerable frequencies:

Sign : tenvironmenbusinesshuman ,, toltoltol FFF

Name : Tolerable frequency (target frequency to be reached)

Unit : 1/year

Range : Real number, tenvironmenbusinesshuman ,,0 toltoltol FFF≤

6.3. Third step

The software calculates the Scenario Risk Reduction Factor (without SIF) based on the PFD values of safeguards.

The PFD values are manually given by the user in the HAZOP study (Fig. 8 illustrates an example). The attributes

of PFD:

Sign : PFD

Name : Probability of Failure on Demand

Unit : -

Range : Real number, 10 ≤≤ PFD

The attributes of scenario risk reduction factor:

Sign : scenRRF

Name : Scenario Risk Reduction Factor (without SIF)

Unit : -

Range : Integer, scenRRF≤0

The calculation of scenario risk reduction factor is:

( )tolmitupscen FFRRF /int= (4)

where upint is an integer round up function (“ceil function”), and the Ftol and Fmit are calculated as:

( )tenvironmenbuisnesspeople ,,min toltoltoltol FFFF = (5)

∏⋅= − j jmitnonmit PFDFF (6)

where j is a running index for the safeguards in the given Hazard scenario.

Fig. 8 – Edit safeguards in Tool4S.

6.4. Fourth step

Finally the software calculates the cumulative target risk reduction factor and SIL value. Both values are calculated

automatically for a given SIF based on all referenced Hazard scenarios (see Fig. 7).

The attributes of target risk reduction factor:

Symbol : tarRRF

Name : Target Risk Reduction Factor

Unit : -

Range : Integer, tarRRF≤0

The calculation of cumulative target risk reduction factor:

( )

= ∑

j

jtol

jmituptar FFRRF /int (7)

where j is running index for Hazard Scenarios in which the given SIF can be found as safeguard.

The attributes of Target SIL:

Sign : tarSIL

Name : Target Safety Integrity Level

Unit : -

Range : Integer

The calculation method of Target SIL:

( )( )tardowntar RRFSIL 10logint= (8)

where downint is an integer round down function (“floor function”).

This algorithm is running automatically when an existing SIF is added as safety instrumented protection layer to

a new hazard scenario or when after a supervision of HAZOP study a SIF is cancelled from any Hazard scenario.

7. Conclusions

In this article, we evaluated the existing methods which calculate the SIL value of SIFs within a HAZOP study using

LOPA method. We analysed the traditional LOPA method called “per scenario” in which only one scenario/SIF is

taken into consideration for each SIF. We showed that the result of this calculation is not correct and is

underestimated. We suggested and analysed the “cumulative LOPA method” that takes into consideration all hazard

scenario which contain the same SIF as an instrumented independent protection layer.

This method has only one disadvantage that it is not easy to realise manually. That is why we developed our

Tool4S HAZOP/LOPA study program, which automatically calculates target RRF value of a SIF based on the

cumulative LOPA method.

The Tool4S SW overcomes the problem of manual and very slow calculation, where the result is not always

correct, mainly in case when the technology is too complex. The Tool4S was tested some 100 HAZOP and LOPA

studies and proved that is fast, correct with high reliability.

Acknowledgements

Here we would like to express our acknowledgement to our colleges at SIL4S Kft. and the Department of Process

Engineering of Pannon University, Veszprém for their continuous contribution to this development and colleges at

Slovnaft Refinery, Slovakia taking part in the test of our SW and giving some development idea to us.

References

Hölscher H. and Rader J., 1986, Microcomputers in Safety Technique, Verlag TÜV Bayern, München DIN 3100: General Requirement, AK 1…8, WITHDRAWN DIN V VDE 081: Microprocessors in Safety Application, WITHDRAWN DIN V 19250: Control technology; fundamental safety aspects to be considered for measurement and control

equipment, WITHDRAWN DIN EN 954-1: Safety for Machinery, EXTENDED to 31 December 2012 International Electrotechnical Commission (IEC), 2000, IEC 61508 Part 1 – 7: Functional safety of electrical /

electronic/programmable electronic safety - related systems. International Electrotechnical Commission (IEC), 2003, IEC 61511 Part 1 – 3: Functional Safety: Safety

Instrumented Systems for the Process Industry Sector.

Centre for Chemical Process Safety (CCPS), 1993, Guidelines for Safe Automation of Chemical Processes, (CCPS/AIChE, New York, USA).

Dowell A.M. and Hendershot D.C., 2002, Simplified Risk Analysis - Layer of Protection Analysis (LOPA), AIChE 2002 National Meeting, Paper 281a

SafetyLine Institute, 1998, Occupational Health & Safety Practitioner - Management of major hazard facilities, (London, UK).

Center for Chemical Process Safety (CCPS), 2001, Layer of Protection Analysis – Simplified Process Risk Assessment, (CCPS/AIChE, New York, USA).

Exsilentia, www.exida.com International Electrotechnical Commission (IEC), 2001, IEC 61882: Hazard and Operability (HAZOP) Studies. Instrumentation, Systems and Automation Society (ISA), 1996, ANSI/ISA 84.01: Application of Safety

Instrumented Systems to the Process Industries. Tool4SDemo, https://tool4sdemo.sil4s.com/