Safety and environmental standards for fuel storage sites
Final report
Appendix 2 Guidance on the application of layer of protection analysis (LOPA) to the overflow of an atmospheric tank
Introduction
1 The scope of this appendix is confined to the filling of atmospheric storage tanks which meet
the requirements of the scope defined within this report.
2 Throughout this report reference is made to the British Standard versions of the international
standards IEC 61508 and 61511. The British Standards are the official English-language versions
of the European Standards approved by CENELEC and are identical with the equivalent IEC
standard. The use of British Standard references is because the primary focus of the guidance
has been the application of the LOPA technique in the context of United Kingdom health, safety
and environmental legislation.
3 This guidance should not be used for occupied building assessments or land use planning
purposes due to the current uncertainty in the explosion mechanism.
Overview of LOPA methodology for Safety Integrity Level determination
4 The term ‘LOPA’ is applied to a family of techniques used for carrying out a simplified- (often
referred to as a semi-) quantified risk assessment of a defined hazardous scenario. As originally
conceived, the LOPA methodology applied simple and conservative assumptions to make the risk
assessment. In this approach, factors are typically approximated to an order of magnitude. Over
time, some operating companies have applied greater rigour to the analysis so that the LOPA may
now incorporate and summarise several more detailed analyses such as fault trees and human
reliability assessments.
5 As a result, the LOPA methodology covers analyses ranging from those little different in
complexity from a risk graph to those little short of a detailed quantified risk assessment (see Figure 21).
Both of these extremes, and everything in between, are legitimate applications of the LOPA methodology.
The simple order of magnitude approach is often used as a risk screening tool to determine whether
a more detailed analysis should be performed. In some cases, the use of fault tree analysis and event
tree analysis, supported by consequence/severity analysis may be more appropriate than using the
LOPA methodology.
6 The LOPA technique has been developed and refined over a number of years, and is described
more fully in the CCPS concept book Layer of Protection Analysis.[57] This appendix draws extensively
on the guidance given in the book. However, where the advice in the CCPS book on protection
layers claimed for basic process control system (BPCS) functions is not consistent with BS EN 61511,
the more conservative approach of BS EN 61511 should be followed. Where relevant, these
differences are highlighted, and the requirements of BS EN 61511 should be given precedence.
7 LOPA is often used to identify the shortfall in meeting a predetermined dangerous failure
target frequency. For the purposes of this guidance, this shortfall, if it exists, is associated with
the average probability of failure on demand of a demand mode safety function required to meet
the target dangerous failure frequency. The identified shortfall is equated to the required SIL of a
safety instrumented function (SIF), as defined in BS EN 61511.
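
The shortfall calculation in paragraph 7, in its simple order-of-magnitude form, as an added example that is not part of the report. The function names and all frequencies and PFD values are constructed for illustration; the SIL bands are the demand-mode PFDavg ranges of BS EN 61511.

```python
# Demand-mode SIL bands (BS EN 61511): SIL -> inclusive lower bound on PFDavg.
# Each band spans one decade, e.g. SIL 2 is 1e-3 <= PFDavg < 1e-2.
SIL_LOWER_BOUND = {1: 1e-2, 2: 1e-3, 3: 1e-4, 4: 1e-5}
REL_TOL = 1e-9  # absorbs float rounding when a result sits on a decade boundary


def frequency_without_sif(initiating_per_year, layer_pfds):
    """Frequency (per year) of the hazardous event with existing layers only."""
    freq = initiating_per_year
    for pfd in layer_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD must be in (0, 1], got {pfd}")
        freq *= pfd
    return freq


def required_sil(freq_no_sif, target_per_year):
    """Return (required PFDavg, SIL) for the safety instrumented function.

    SIL is None when there is no shortfall, and 0 when the shortfall is
    smaller than the SIL 1 band (required PFDavg of 0.1 or more).
    """
    if freq_no_sif <= 0 or target_per_year <= 0:
        raise ValueError("frequencies must be positive")
    if freq_no_sif <= target_per_year:
        return None, None  # target already met, no SIF required
    pfd = target_per_year / freq_no_sif  # the shortfall, as a PFDavg
    if pfd >= 0.1 * (1 - REL_TOL):
        return pfd, 0
    for sil in (1, 2, 3, 4):
        if pfd >= SIL_LOWER_BOUND[sil] * (1 - REL_TOL):
            return pfd, sil
    raise ValueError("shortfall exceeds SIL 4; a single SIF cannot close it")


if __name__ == "__main__":
    # Constructed scenario: one initiating event at 0.2 per year and one
    # existing independent protection layer with a PFD of 0.1.
    freq = frequency_without_sif(0.2, [0.1])
    pfd, sil = required_sil(freq, target_per_year=1e-5)
    print(f"frequency without SIF: {freq:.3g} per year")
    print(f"required PFDavg: {pfd:.3g} -> SIL {sil}")
```
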