HSE - Lecture Note 5


Topic 5: Risk Management

Hazard identification, risk assessment, mitigation and control. Hazard evaluation, exposure assessment (quantification), risk characterization (qualification) and accident probability (i.e. hardware and operator failure, event trees and fault trees).

PTK-IU 1
Chemical Process Safety

Hazard Identification

Introduction
Why? To identify hazards so that they can be eliminated or controlled.
How? Using a number of available procedures.
Procedure in Simple Terms
1. What are the hazards?
2. What can go wrong and how?
3. How bad could it be?
4. How often could it happen?
5. What is the risk?
6. How do we control and manage this risk?
Major Steps in Procedure

[Figure: flow of the major steps. Hazards Identification -> Hazards Evaluation -> Risk Analysis -> Risk Assessment.]
Non-scenario methods: Depend on the experience of the review team.

Checklist analysis: A written list of items or procedural steps to check and validate.
Safety review: A committee review that identifies plant conditions or operating procedures that could lead to an incident.
Inherent safety review: Identifies hazards to find ways to eliminate or reduce them. Often incorporated with checklist reviews, what-if, or HAZOP methods.
Preliminary hazard analysis: A list of hazards, causes, major effects and corrective/preventive measures.
Relative ranking: Calculates a number that is a relative indication of the hazard/risk.

Scenario-based methods: Use predictive and analytical methods to define the incident scenarios.

*Hazard and Operability (HAZOP) study: A careful review of a process to identify deviations from the design or operational intent that can lead to undesired consequences.
*Fault Tree Analysis (FTA): A deductive technique that focuses on one particular incident or main system failure and determines the causes of the incident.
*Event Tree Analysis (ET): Determines all the possible outcomes following the success or failure of protective systems.
Failure Modes and Effects Analysis (FMEA): Tabulates failure modes of equipment and their effects on a system or process.
What-if analysis: A brainstorming approach to ask questions or voice concerns about possible undesired events.
What-if/checklist analysis: Combines what-if analysis with a checklist.
Cause–Consequence Analysis (CCA) and bow-tie analysis: A blend of the fault tree and event tree methods.
Quantitative Risk Analysis (QRA): A very rigorous approach using source models, dispersion models, and effect models to calculate risk estimates for every possible scenario.
*Layer of Protection Analysis (LOPA): A simplified form of quantitative risk analysis using order-of-magnitude categories for initiating event frequency, consequence severity, and likelihood of failure of independent protection layers (IPLs). LOPA determines the adequacy of safeguards in the context of hazard evaluations.

10
Typical Hazard Evaluation or Risk Analysis Methods by Process Phase
(columns of the original table: Process Phase; Example Hazard Identification/Evaluation Objectives; Typical Hazard Evaluation or Risk Analysis Method)

Research and development
  Objectives: Identify chemical reactions or chemical incompatibilities that could cause runaway reactions, fires, explosions, or toxic gas releases. Identify process safety data needs for future analysis.
  Methods: Inherent safety review; Relative ranking; Preliminary hazard analysis.

Conceptual design
  Objectives: Select process technology based on inherent safety. Identify other opportunities for inherent safety. Compare the hazards between potential plant sites.
  Methods: Inherent safety review; Checklist analysis; Relative ranking; Preliminary hazard analysis; What-if; What-if/checklist; LOPA.

Pilot plant
  Objectives: Identify ways for hazardous materials to be released to the environment. Identify ways a catalyst can be deactivated. Identify potentially hazardous operator interfaces.
  Methods: Checklist analysis; Preliminary hazard analysis; What-if; What-if/checklist; HAZOP; LOPA; FMEA; Fault tree; Event tree; Cause–consequence analysis; Bow-tie.

Detailed engineering
  Objectives: Identify ways for a flammable mixture to form inside process equipment. Identify how a reportable spill might occur. Identify which process control malfunctions will cause runaway reactions. Identify ways to reduce hazardous material inventories. Evaluate whether designed safeguards are adequate to control process risks to required levels.
  Methods: Inherent safety review; Checklist analysis; Preliminary hazard analysis; What-if; What-if/checklist; HAZOP; FMEA; Fault tree; Event tree; Cause–consequence analysis; QRA; LOPA; Bow-tie.

Construction and startup
  Objectives: Identify error-likely situations in the startup and operating procedures. Verify that all issues from previous hazard evaluations were resolved satisfactorily and that no new issues were introduced. Identify hazards that adjacent units may create for construction and maintenance workers.
  Methods: Safety review; Checklist analysis; What-if; What-if/checklist.

Routine operation
  Objectives: Identify hazards associated with operating procedures. Identify ways an overpressure transient might occur. Update previous hazard evaluations to account for operational experience. Identify hazards associated with out-of-service equipment. Ensure that maintenance is done on time and safely.
  Methods: Inherent safety review; Safety review; Checklist analysis; What-if; What-if/checklist; HAZOP; FMEA; Fault tree; Event tree; Cause–consequence analysis; QRA; LOPA; Bow-tie.

Process modification or plant expansion
  Objectives: Identify whether changing the feedstock composition will create any new hazards or worsen existing ones. Identify hazards associated with new equipment.
  Methods: All methods.

Decommissioning
  Objectives: Identify how demolition work will affect adjacent units. Identify any fire, explosion, or toxic hazards associated with any residues left in the unit after shutdown.
  Methods: Safety review; Checklist analysis; What-if; What-if/checklist.

Incident investigation
  Objectives: As required.
  Methods: What-if; HAZOP; FMEA; Fault tree; Bow-tie; Event tree; Cause–consequence analysis; QRA.
Factors that Influence the Selection of a Method

1. Motivation for the study, e.g. regulatory requirements, company policy.
2. Type of results needed, e.g. list of hazards, potential accident situations.
3. Type of information available to perform the study, e.g. availability, quality and current status of information.
4. Characteristics of the analysis problem, e.g. type of process, complexity, nature of hazards.
5. Perceived risks associated with the process, e.g. amount and nature of the risks.
6. Resource availability, e.g. availability of knowledgeable personnel, target completion date, financial resources.
Hazard and Operability Studies (HAZOP)

• Can identify hazards due to fixed equipment and procedures.
• Is a huge effort.
• Provides a controlled mechanism to consider the things that can go wrong.
• Customized for each company.
• Improves process performance, quality, etc.

• A HAZOP review is done by a team of 5 to 10 people.
• The team leader must be trained.
• The procedure can generate thousands of guideword/parameter combinations.
• A method is needed to keep track of the issues considered.
• A management system is needed to track action items.
• The procedure can take several months.
• Maximum sustainable activity: about 2 to 3 meetings per week, 2 to 3 hours each.
HAZOP Definitions

Node: A location on a process diagram at which process parameters are investigated for deviations. Node examples are:
  A pipeline transferring material between two units
  A specific tank or vessel
Design intent: Defines how the system is expected to operate at the nodes. It provides a point of reference for developing deviations.
Parameter: A characteristic of the process that describes it physically, chemically, or in terms of what is happening:
  Specific parameters: flow, temperature, pressure, etc.
  General parameters: addition, reaction, maintenance, relief, etc.
Guidewords: See the guideword table.
Deviations: Irregularities discovered by systematically applying the guidewords to each parameter at each node (e.g., more + temperature = higher temperature).
Causes: The reasons why deviations may occur. Causes can be equipment failure, human error, or external events.
Consequences: Documented as impacts resulting from the loss event.
Recommendations: Suggested actions to prevent or mitigate the consequences of deviations, or to obtain further information.
Safeguards: The systems in place that reduce the probability of the deviation occurring or mitigate the severity of the consequences.
HAZOP Guidewords

Process guidewords: No, More, Less, As well as, Part of, Reverse, Other than
Batch (sequence and location) guidewords: Sooner than, Later than, Where else

Guideword | Meaning | Comments
no, not, none | The complete negation of the intention | No part of the design intention is achieved, but nothing else happens.
more, higher, greater | Quantitative increase | Applies to quantities such as flow rate and temperature and to activities such as heating and reaction.
less, lower | Quantitative decrease | Applies to quantities such as flow rate and temperature and to activities such as heating and reaction.
as well as | Qualitative increase | All the design and operating intentions are achieved along with some additional activity, such as contamination of process streams.
part of | Qualitative decrease | Only some of the design intentions are achieved; some are not.
reverse | The logical opposite | Most applicable to activities such as flow or chemical reaction. Also applicable to substances, for example poison instead of antidote.
other than | Complete substitution | No part of the original intention is achieved; the original intention is replaced by something else.
sooner than | Too early or in the wrong order | Applies to process steps or actions.
later than | Too late or in the wrong order | Applies to process steps or actions.
where else | In additional locations | Applies to process locations, or locations in operating procedures.

HAZOP Process Parameters
Temperature, Pressure, Flow, Level, Concentration, Agitation, Reaction
Start, Stop, Power, Component
Guideword / Parameter Combinations

Some combinations of guidewords and process parameters do not make sense for specific equipment pieces. Examples: no temperature, reverse temperature, no viscosity, reverse pressure.

HAZOP Procedure
1. Begin with a detailed flow sheet.
2. Divide the flow sheet into sections, e.g. reactor, storage.
3. Choose a study node, e.g. line, vessel, pump, operating instruction.
4. Describe its design intent.
5. Select a process parameter.
6. Apply a guide word to the process parameter.
7. If the deviation is applicable, determine possible causes.
8. Evaluate consequences of the deviation.
9. Recommend action: what? who? when?
10. Record all information.
11. Repeat 5 to 10 for a new guide word.
12. Repeat 4 to 11 for a new process parameter.
13. Repeat 2 to 12 for a new study node.
14. Repeat 1 to 13 for a new flow sheet section.
HAZOP Example: a drip coffee maker

[Figure: coffee maker with a water reservoir, coffee grounds in a coffee filter, a coffee container (pot) and a power supply.]

Study nodes: Select water as a study node. Apply the process parameter of flow.

Parameter | Deviation | Cause | Consequence | Action
Flow | No | 1. No water | No coffee | Check water
Flow | No | 2. Plugged spout | No coffee | Clean spout
Flow | No | 3. No power | No coffee | Check power
Flow | No | 4. Basket plugged | No coffee | Clean basket
Flow | More | Too much water | Pot overflows | Check level
Flow | Less | Not enough water | Pot not filled | Check level

HAZOP Summary
Advantages:
• Meets regulatory requirements
• Plant operates better
• Less down time
• Product quality improved
• Employees are happier
Disadvantages:
• Time, people and effort
• Information management problem
Chemical Process Safety
Risk Assessment

Probability Theory (Poisson distribution)

Probability that a component will not fail during $(0, t)$; this is called the reliability:

$R(t) = e^{-\mu t}$

Failure probability: $P(t) = 1 - R(t) = 1 - e^{-\mu t}$

Failure density: $f(t) = \dfrac{dP(t)}{dt} = \mu e^{-\mu t}$

Probability of failure between $t_0$ and $t_1$: $P(t_0 \to t_1) = \int_{t_0}^{t_1} f(t)\,dt = e^{-\mu t_0} - e^{-\mu t_1}$

Mean Time Between Failures: $\mathrm{MTBF} = E(t) = \int_0^{\infty} t\, f(t)\,dt = \dfrac{1}{\mu}$

Symbols: $R$ reliability (no units); $\mu$ average failure rate (time$^{-1}$); $P$ failure probability (no units); $f(t)$ failure density (time$^{-1}$).

[Figure: bathtub curve of the failure rate $\mu(t)$, with $\mu = c$ (constant) in the useful-life region; plots of $R$, $P$ and $f$ versus $t$, where the area under $f(t)$ is 1.]
Probability Theory

Example: A device is found to fail once every 2 years. What is the failure rate, the failure probability and the reliability at the end of 1 year, and the MTBF?

Answer:
The failure rate, $\mu$, is given by: $\mu = 1/(2\ \text{years}) = 0.5\ \text{yr}^{-1}$
The reliability is given by Equation (12-1): $R(t) = e^{-\mu t} = \exp[-(0.5\ \text{yr}^{-1})(1\ \text{yr})] = 0.607$
The failure probability is given by Equation (12-2): $P(t) = 1 - R(t) = 1 - 0.607 = 0.393$
The Mean Time Between Failures is given by Equation (12-5): $\mathrm{MTBF} = 1/\mu = 1/(0.5\ \text{yr}^{-1}) = 2\ \text{years}$
Interaction

COMPONENTS IN PARALLEL (AND logic): both components must fail for the system to fail.
$P = \prod_{i=1}^{n} P_i$, $R = 1 - \prod_{i=1}^{n}(1 - R_i)$, $\mu = -\dfrac{\ln R}{t}$

COMPONENTS IN SERIES (OR logic): the system fails if either component fails.
$R = \prod_{i=1}^{n} R_i$, $P = 1 - \prod_{i=1}^{n}(1 - P_i)$, $\mu = \sum_{i=1}^{n} \mu_i$

For two events, $P(A \text{ or } B) = P(A) + P(B) - P(A)P(B) \approx \sum_i P_i$: the overlap correction term is small if the failure probabilities are small.

Failure rate data: see Table 12-1 and Figure 12-3.
TABLE 12-1
Failure Rate Data for Various Selected Process Components

Instrument | Faults/Year
Controller | 0.29
Control valve | 0.60
Flow measurement (fluids) | 1.14
Flow measurement (solids) | 3.75
Flow switch | 1.12
Gas–liquid chromatograph | 30.6
Hand valve | 0.13
Indicator lamp | 0.044
Level measurement (liquids) | 1.70
Level measurement (solids) | 6.86
Oxygen analyzer | 5.65
pH meter | 5.88
Pressure measurement | 1.41
Pressure relief valve | 0.022
Pressure switch | 0.14
Solenoid valve | 0.42
Stepper motor | 0.044
Strip chart recorder | 0.22
Thermocouple temperature measurement | 0.52
Thermometer temperature measurement | 0.027
Valve positioner | 0.44

Basic fact: the more complex the device, the higher the failure rate.
Interaction

Example: Compute the overall failure rate, the unreliability, and the MTBF of the following flow control loop. Assume a 1 year period of operation.

We have 3 components: the control valve, the controller and the DP cell. These components are related in series, i.e. if any one component fails the entire flow control loop fails.

Look up the failure rates for these three components from Table 12-1. Then compute the reliability and failure probability for each component for a 1 year time period.

Component | Failure rate $\mu$ (faults/yr) | Reliability $R = e^{-\mu t}$ | Failure probability $P = 1 - R$
Control valve | 0.60 | 0.55 | 0.45
Controller | 0.29 | 0.75 | 0.25
DP cell (pressure measurement) | 1.41 | 0.24 | 0.76

The overall reliability for components in series is given by Equation (12-8):
$R = \prod_{i=1}^{3} R_i = (0.55)(0.75)(0.24) = 0.10$

The failure probability is then given by Equation (12-2):
$P = 1 - R = 1 - 0.10 = 0.90$ over the 1 year period

The overall failure rate is computed from the definition of the reliability, Equation (12-1):
$R = 0.10 = e^{-\mu t}$, so $\mu = -\ln(0.10)/(1\ \text{yr}) = 2.30$ failures/year
(this equals the sum of the individual rates, $0.60 + 0.29 + 1.41 = 2.30$ faults/yr, as expected for components in series)

The MTBF is given by Equation (12-5):
$\mathrm{MTBF} = 1/\mu = 1/(2.30\ \text{yr}^{-1}) = 0.43\ \text{yr}$
Bow-tie Diagram

The top event from a fault tree becomes the initiating event for an event tree.

[Figure 12-15 (4th edition only): bow-tie diagram. Left side: initiating events (causes) pass through the preventive safeguards to the incident (loss event) at the center; right side: the loss event passes through the mitigative safeguards to the outcomes.]

Elements of the bow-tie:
1) Hazards
2) Initiating events
3) Enabling conditions
4) Conditional modifiers
5) Preventive safeguards
6) Incident or loss event
7) Mitigating safeguards
8) Outcomes
9) Impacts

Example bow-tie for a flammable/toxic release:
Initiating events (causes): control failure, human error, mechanical failure
Enabling condition: time at risk
Preventive (proactive) safeguards -> Incident (loss event) -> Mitigative safeguards
Conditional modifiers on the outcome side: probability of ignition, probability of explosion
Outcomes: flash fire, vapor cloud explosion, building explosion, fireball, physical explosion, chemical exposure, onsite toxic, toxic infiltration, offsite toxic

Each feasible path between an initiating event and an outcome represents a scenario with applicable protective layers.
QRA: Quantitative Risk Assessment

[Figure: QRA flowchart. Hazards identification -> selection of release incident (Fig. 4-1) -> selection of source model to describe the release incident -> selection of dispersion model (Fig. 11-1) -> flammable and/or toxic? -> selection of fire and explosion model (flammable) and/or selection of effect model (toxic) -> mitigation factors -> consequence model. The hazards identification, hazards evaluation, risk analysis and risk assessment steps of the general procedure map onto this flow.]
1. Define the initiating events and the incident sequence. For example, a
cooling water failure causes a runaway reaction that overpressures
the reactor vessel, causing the relief to open, discharging the reactor
contents.
2. Use source models to estimate the discharge rate. For the reactor
example, this would require a source model to estimate the discharge
rate through the relief. (See Chapter 4.)
3. Use a dispersion model to estimate the chemical concentrations
downwind of the release. (See Chapter 5.)
4. Estimate the incident consequences for people, environment, and
property using effect models. (See Chapter 3.)
5. Estimate the potential incident frequencies using event trees and fault
trees.
6. Estimate the risk by combining the consequences and frequencies.
7. Combine the risk estimates for all the scenarios to estimate the
overall risk.
8. Decide if the risk is tolerable. (See Sections 1-9 and 12-7 in 4th edition)
LOPA: Layer of Protection Analysis

History of LOPA:
• The Quantitative Risk Analysis (QRA) approach is
too laborious and intensive – only experienced risk
analysts in industry can use it.
• In the late 1990s several risk analysts in industry got
together and decided “There has to be a better
way!”
• They developed LOPA, a simplified risk assessment
procedure.
• LOPA was originally used by risk analysts in
industry.
• However, process engineers soon realized that they
could use it directly in the plant environment.
• If you are a process engineer, you will likely use
LOPA.
LOPA Overview

[Figure: a single cause–consequence pair passing through three IPLs. Initiating event frequency 10^-1/yr -> IPL 1 (PFD 10^-1) -> 10^-2/yr -> IPL 2 (PFD 10^-1) -> 10^-3/yr -> IPL 3 (PFD 10^-2) -> 10^-5/yr: the consequence still occurs, but at a lower frequency.]

IPL: Independent Protection Layer, i.e. a preventive safeguard. The IPLs do not always work and have a probability of failure on demand, but each IPL reduces the frequency.

The thickness of the arrows in the figure represents the frequency of the consequence if the subsequent IPLs are not successful.

The frequency, consequence and IPLs required can be estimated using tables.
Independent Protection Layers (IPLs)
IPLs are a special type of safeguard and must meet all of the following
criteria:
1. Independence—performance of the IPL must not be affected by the
initiating cause or the failure of other protection layers.
2. Functionality—must perform the required response to a specific
abnormal condition.
3. Integrity—must be able to deliver the expected risk reduction.
4. Reliability—must operate as intended under stated conditions for a
specified time period.
5. Auditability—must be capable of review to determine the adequacy
of the IPL.
6. Access security—must have management systems to reduce the
potential for unintentional or unauthorized changes.
7. Management of change—must have management systems to review,
document, and approve any modifications to the IPL.
LOPA Procedure
1. Identify a single consequence to screen the scenarios (a method
to determine consequence categories is described later).
2. Identify an incident scenario and cause associated with the
consequence (the scenario consists of a single cause–
consequence pair).
3. Identify the initiating event for the scenario and estimate the
initiating event frequency (a method to determine the frequency
is described later in this section). The initiating cause assumes
failure of all the preventive safeguards.
4. Identify the IPLs available for this particular consequence and
estimate the probability of failure on demand (PFD) for each IPL.
5. Calculate the scenario frequency by combining the initiating
event frequency with the probabilities of failure on demand for
the IPLs.
6. Evaluate the risk for tolerability (if not tolerable, additional layers
of protection are required).
Estimating the LOPA Frequency
1. Determine the failure frequency of the initiating event.
Typical failure frequencies are provided in Table 12-3
(3rd) and 12-2 (4th).
2. Adjust this frequency to include the demand. For
example, a reactor failure frequency is divided by 12 if
the reactor is used only 1 month during the entire
year. The frequencies are also adjusted (reduced) to
include the benefits of preventive maintenance. If, for
example, a control system is given preventive
maintenance 4 times each year, then its failure
frequency is divided by 4.
3. Adjust the failure frequency to include the PFD for
each independent layer of protection. Table 12-3
contains typical PFD values for passive IPLs. Table
12-4 contains PFDs for active IPLs and human
interactions.
TABLE 12-2
Typical Failure Frequency Values Assigned to Initiating Events

Initiating event | Frequency range from literature (per year) | Example of a value chosen by a company for use in LOPA (per year)
Pressure vessel residual failure | 10^-5 to 10^-7 | 10^-6
Piping residual failure, 100 m, full breach | 10^-5 to 10^-6 | 10^-5
Piping leak (10% section), 100 m | 10^-3 to 10^-4 | 10^-3
Atmospheric tank failure | 10^-3 to 10^-5 | 10^-3
Gasket/packing blowout | 10^-2 to 10^-6 | 10^-2
Turbine/diesel engine overspeed with casing breach | 10^-3 to 10^-4 | 10^-4
Third-party intervention (e.g., external impact by backhoe or vehicle) | 10^-2 to 10^-4 | 10^-2
Crane load drop | 10^-3 to 10^-4 per lift | 10^-4 per lift
Lightning strike | 10^-3 to 10^-4 | 10^-3
Safety valve opens spuriously | 10^-2 to 10^-4 | 10^-2
Cooling water failure | 1 to 10^-2 | 10^-1
Pump seal failure | 10^-1 to 10^-2 | 10^-1
Unloading/loading hose failure | 1 to 10^-2 | 10^-1
Basic process control system (BPCS) instrument loop failure | 1 to 10^-2 | 10^-1
Regulator failure | 1 to 10^-2 | 10^-1
Small external fire (aggregate causes) | 10^-1 to 10^-2 | 10^-1
Large external fire (aggregate causes) | 10^-2 to 10^-3 | 10^-2
LOTO (lock-out/tag-out) procedure failure (overall failure of a multiple element process) | 10^-3 to 10^-4 per opportunity | 10^-3 per opportunity
Operator failure (to execute routine procedure; well trained, unstressed, not fatigued) | 10^-1 to 10^-3 per opportunity | 10^-2 per opportunity
TABLE 12-3
PFDs for Passive IPLs

Passive IPL (assuming an adequate design basis, inspections, and maintenance procedures) | Comments | PFDs from industry | PFDs from CCPS
Dike | Reduces the frequency of large consequences (widespread spill) of a tank overfill, rupture, spill, etc. | 10^-2 to 10^-3 | 10^-2
Underground drainage system | Reduces the frequency of large consequences (widespread spill) of a tank overfill, rupture, spill, etc. | 10^-2 to 10^-3 | 10^-2
Open vent (no valve) | Prevents overpressure. | 10^-2 to 10^-3 | 10^-2
Fireproofing | Reduces rate of heat input and provides additional time for depressurizing, firefighting, etc. | 10^-2 to 10^-3 | 10^-2
Blast wall or bunker | Reduces the frequency of large consequences of an explosion by confining blast and by protecting equipment, buildings, etc. | 10^-2 to 10^-3 | 10^-3
Inherently safer design | If properly implemented, can eliminate scenarios or significantly reduce the consequences associated with a scenario. | 10^-1 to 10^-6 | 10^-2
Flame or detonation arrestors | If properly designed, installed, and maintained, can eliminate the potential for flashback through a piping system or into a vessel or tank. | 10^-1 to 10^-3 | 10^-2
TABLE 12-4
PFDs for Active IPLs and Human Actions

Active IPL or human action [assuming an adequate design basis, inspections, maintenance procedures (active IPLs), adequate documentation, training, and testing procedures] | Comments | PFDs from industry | PFDs from CCPS
Relief valve | Prevents system from exceeding specified overpressure. Effectiveness of this device is sensitive to service and experience. | 10^-1 to 10^-5 | 10^-2
Rupture disc | Prevents system from exceeding specified overpressure. Effectiveness of this device can be sensitive to service and experience. | 10^-1 to 10^-5 | 10^-2
Basic process control system (BPCS) | Can be credited as an IPL if not associated with the initiating event being considered. See IEC (1998, 2001). | 10^-1 to 10^-2 | 10^-1
Safety instrumented functions (SIF) | See IEC 61508 (IEC, 1998) and IEC 61511 (IEC, 2001) for life-cycle requirements and additional discussion. | (by SIL, see Safety Integrity Levels) | (by SIL)
Human action with 10-min response time | Simple well-documented action with clear and reliable indications that the action is required. | 1 to 10^-1 | 10^-1
Human action with 40-min response time | Simple well-documented action with clear and reliable indications that the action is required. | 10^-1 to 10^-2 | 10^-1
LOPA Example

Perform a LOPA analysis for a fire external to a storage vessel containing 50,000 pounds of flammable liquid. The liquid is maintained above its normal boiling point temperature by its own vapor pressure. The threshold quantity (TQ) for the release of this liquid is 1000 lb.

The probability of personnel being in the affected area is 0.50. Multiple employee fatalities are likely from this incident. A dike exists around the storage vessel to contain the liquid and fire.
LOPA Worksheet

Description of event: Large external fire to storage vessel
Initiating event (cause): External fire

1. Initiating event (IE) frequency (Table 12-2): 10^-2/yr = once per 100 years
2. Severity level (Table 1-14, risk matrix): CATASTROPHIC (safety severity level 4), due to multiple employee fatalities
3. Likelihood (from row 1 and Table 1-14): once per 100 years = IMPROBABLE
4. Risk level (from rows 2 and 3 and Table 1-14): B
5. Target mitigated event frequency (TMEF) (Table 1-14): 10^-6/yr
6. Enabling conditions: N/A (factor of 1)
7. Conditional modifiers: probability of personnel present, 0.5
8. Adjusted initiating event frequency (multiply rows 1 × 6 × 7): 5 × 10^-3/yr
9. Existing layers of protection (type and PFD from Table 12-3): Dike, PFD 10^-2 (a probability, no units)
10. Frequency with existing layers of protection (multiply rows 8 × 9): 5 × 10^-5/yr
11. Additional layers of protection required (divide row 5 by row 10): a PFD of 2.0 × 10^-2 must be provided by additional IPLs
LOPA Example - Details
1. Table 12-2 is used to estimate the initiating event frequency. For a large external fire this is once every 100 years.
2. The risk matrix from Table 1-14 is used to estimate the severity level. Since multiple employee fatalities are expected, this is classified as "Catastrophic" and the safety severity level is 4.
3. Next, the likelihood is determined from the risk matrix of Table 1-14. Since this occurs once every 100 years, it is classified as "Improbable."
4. The severity level and likelihood are combined using Table 1-14 to determine the risk level. For this scenario this is risk level B. From the legend at the bottom of Table 1-14, risk level B is an undesirable risk and requires that additional safeguards be implemented within 3 months.
5. The severity level from Step 2 is used with Table 1-14 to determine the target mitigated event frequency (TMEF). This is 10^-6 per year.
Table 1-14: Risk Matrix (also Table 1-15: Risk matrix for semi-quantitative classification of incidents)

How to use the matrix:
1. Select the severity from the highest box in any of columns 1, 2 or 3. Read the Category and Safety Severity Level from the same row.
2. Select the likelihood from columns 4 through 7.
3. Read the Risk Level from the intersection of the severity row and the likelihood column.

TMEF: Target mitigated event frequency (per year). TQ: Threshold quantity.

Likelihood (columns 4 to 7):
4. LIKELY: expected to happen several times over the life of the plant (return period 0 to 9 years).
5. UNLIKELY: expected to happen possibly once over the life of the plant (10 to 99 years).
6. IMPROBABLE: expected to happen possibly once in the division over the life of the plant (>= 100 years).
7. IMPROBABLE BUT NOT IMPOSSIBLE: not expected to happen anywhere in the division over the life of the plant (> 1000 years).

Severity (columns 1 to 3) and the risk level at each likelihood column:

Category (Safety Severity Level, TMEF) | 1. Human health impact | 2. Fire, explosion direct cost in $ | 3. Chemical impact | Risk level at likelihood 4 / 5 / 6 / 7
CATASTROPHIC (level 4, TMEF = 1×10^-6) | Public fatality possible, employee fatalities likely | > $10 MM | >= 20× TQ | A / A / B / C
VERY SERIOUS (level 3, TMEF = 1×10^-5) | Employee fatality possible, major injury likely | $1 MM to < $10 MM | 9× to < 20× TQ | A / B / C / D
SERIOUS (level 2, TMEF = 1×10^-4) | Lost time injury (LTI) likely [a] | $100K to < $1 MM | 3× to < 9× TQ | B / C / D / Negligible risk
MINOR (level 1, TMEF = 1×10^-3) | Recordable injury [b] | $25K to < $100K | 1× to < 3× TQ | C / D / Negligible risk / Negligible risk

Risk Level A: Unacceptable risk, additional safeguards must be implemented immediately.
Risk Level B: Undesirable risk, additional safeguards must be implemented within 3 months.
Risk Level C: Acceptable risk, but only if existing safeguards reduce the risk to As Low As Reasonably Practicable (ALARP) levels.
Risk Level D: Acceptable risk, no additional safeguards required.

[a] Lost time injury (LTI): The injured worker is unable to perform regular job duties, takes time off for recovery, or is assigned modified work duties while recovering.
[b] Recordable injury: Death, days away from work (DAW), restricted work or transfer to another job, medical treatment beyond first aid, or loss of consciousness.
LOPA Example - Details
6. There are no enabling conditions since the storage vessel contains the flammable liquid all the time.
7. The conditional modifier is given as 0.5 for people being present in the area only 50% of the time.
8. The initiating event frequency from row 1 is multiplied by the enabling conditions (row 6) and the conditional modifiers (row 7) to estimate the adjusted initiating event (IE) frequency in row 8.
9. This row shows the existing layers of protection and their probability of failure on demand (PFD). The dike is a passive IPL, so its PFD is taken from Table 12-3.
10. Row 8 is multiplied by row 9 to arrive at the frequency with the existing layers of protection.
11. The TMEF from row 5 is divided by row 10 to arrive at row 11. Row 11 is the PFD that the additional layers of protection must provide to meet the TMEF. This is 2.0 × 10^-2. A single SIL 2 safety instrumented function (PFD 10^-2 to 10^-3) would achieve this. Other combinations of SIL levels or additional equipment from Table 12-4 could be used.
Safety Integrity Levels (SIL)

SIL 1: SIF implemented with a single sensor, a single logic solver and a single final control element; requires periodic proof testing. (Probability of failure on demand, PFD = 10^-1 to 10^-2)

SIL 2: Typically fully redundant, including the sensor, logic solver and the final control element; requires periodic proof testing. (PFD = 10^-2 to 10^-3)

SIL 3: Typically fully redundant as per SIL 2, but the system requires careful design and frequent validation tests. SIL 3 functions are very limited in number. (PFD = 10^-3 to 10^-4)
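Added example (not from the lecture): the LOPA worksheet rows 1 to 11, the Table 1-14 lookup and the SIL selection written out in Python and run on the storage-vessel fire scenario above. Two conventions in it are my assumptions rather than the page's: a return period of exactly 1000 years is placed in likelihood column 7, and a SIL is chosen by its worst-case (upper) PFD so that the target is met even at the weak end of the band.

```python
from math import prod
from typing import Dict, Optional, Sequence

# Table 1-14 risk matrix: rows are safety severity levels, columns are
# likelihood columns 4 (LIKELY) .. 7 (IMPROBABLE BUT NOT IMPOSSIBLE).
RISK_MATRIX = {
    4: ("A", "A", "B", "C"),
    3: ("A", "B", "C", "D"),
    2: ("B", "C", "D", "Negligible"),
    1: ("C", "D", "Negligible", "Negligible"),
}
LIKELIHOOD_NAMES = ("LIKELY", "UNLIKELY", "IMPROBABLE", "IMPROBABLE BUT NOT IMPOSSIBLE")
TMEF = {4: 1e-6, 3: 1e-5, 2: 1e-4, 1: 1e-3}  # target mitigated event frequency, per year
# SIL bands as (upper PFD, lower PFD), from the SIL definitions on the page.
SIL_BANDS = {1: (1e-1, 1e-2), 2: (1e-2, 1e-3), 3: (1e-3, 1e-4)}


def likelihood_column(ie_frequency: float) -> int:
    """Map the initiating-event frequency (per year) to matrix column 4..7 via
    its return period. Assumption: exactly 1000 years goes to column 7 (the
    matrix says '>= 100 years' for column 6 and '> 1000 years' for column 7)."""
    years = 1.0 / ie_frequency
    if years < 10.0:
        return 4
    if years < 100.0:
        return 5
    if years < 1000.0:
        return 6
    return 7


def sil_for_required_pfd(required_pfd: float) -> Optional[int]:
    """Lowest SIL whose WORST-CASE (upper) PFD still meets the requirement.
    A required PFD of 2e-2 therefore maps to SIL 2, as in the worked example:
    a SIL 1 function may have a PFD as high as 1e-1 and would not guarantee it."""
    for sil, (upper, _lower) in sorted(SIL_BANDS.items()):
        if upper <= required_pfd:
            return sil
    return None  # tighter than one SIL 3 function: add IPLs or change the design


def lopa_worksheet(ie_frequency: float, severity_level: int,
                   enabling_conditions: Sequence[float] = (),
                   conditional_modifiers: Sequence[float] = (),
                   ipl_pfds: Sequence[float] = ()) -> Dict[str, object]:
    """Rows 1..11 of the LOPA worksheet for one cause-consequence pair.
    prod(()) is 1, so an empty list of modifiers or IPLs leaves the frequency unchanged."""
    column = likelihood_column(ie_frequency)                                  # row 3
    adjusted = ie_frequency * prod(enabling_conditions) * prod(conditional_modifiers)  # row 8
    mitigated = adjusted * prod(ipl_pfds)                                     # row 10
    tmef = TMEF[severity_level]                                               # row 5
    required_pfd = tmef / mitigated                                           # row 11 = row 5 / row 10
    needs_more = required_pfd < 1.0     # mitigated frequency still above the TMEF
    return {
        "likelihood": LIKELIHOOD_NAMES[column - 4],
        "risk_level": RISK_MATRIX[severity_level][column - 4],               # row 4
        "tmef": tmef,
        "adjusted_ie_frequency": adjusted,
        "mitigated_frequency": mitigated,
        "additional_ipl_needed": needs_more,
        "required_additional_pfd": required_pfd if needs_more else None,
        "sil_required": sil_for_required_pfd(required_pfd) if needs_more else None,
    }


def storage_vessel_fire_example() -> Dict[str, object]:
    """The page's scenario: large external fire (1e-2/yr, Table 12-2), catastrophic
    severity (level 4), personnel present 50% of the time, one dike (PFD 1e-2)."""
    return lopa_worksheet(ie_frequency=1e-2, severity_level=4,
                          conditional_modifiers=(0.5,), ipl_pfds=(1e-2,))


if __name__ == "__main__":
    for key, value in storage_vessel_fire_example().items():
        print(f"{key}: {value}")
```

The risk level is looked up from the unmitigated initiating-event frequency (row 1), exactly as the worksheet does, while the TMEF comparison uses the mitigated frequency; keeping those two inputs distinct is what makes the "additional PFD required" figure meaningful.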
Limitations to LOPA

1. LOPA is not a scenario identification tool. A method must be available to identify accident scenarios, initiating causes, and safeguards.
2. LOPA is not a replacement for a detailed QRA. Complex scenarios warrant a QRA.
3. LOPA requires more time to reach a risk decision than HAZOP or what-if analysis. The value of LOPA for simple decisions is minimal.
4. Risk comparisons are valid only if (a) the same methods are used to select failure data and (b) comparisons are based on the same risk tolerance criteria.
5. LOPA results cannot generally be compared between organizations due to differences in risk tolerance and LOPA implementation.
Individual Risk – Risk Contours
Individual risk is the risk to an individual person in the vicinity of a hazard.

[Figure: individual risk contours of 10^-4, 10^-5, 10^-6 and 10^-7 per year drawn around the plant; the outer contours extend into the surrounding community.]
Individual Risk – Risk Contours
The procedure for determining the individual risk contours is
as follows:
1. Identify all the incidents and incident outcome cases.
2. Estimate the frequency for all incident outcome cases.
3. Determine the effect zone and probability of fatality at every
location for all incident outcome cases.
4. Estimate the individual risk at every location by summing
the risk for all incident outcome cases.
5. Plot individual risk estimates on the map.
6. Draw individual risk contours connecting points of equal
risk.

This is a huge amount of work!
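Added example (not from the lecture) that covers both the bow-tie/event-tree passage earlier and the individual-risk procedure above: the loss-event frequency is pushed through the conditional modifiers (ignition, explosion) to give outcome-case frequencies, the individual risk at a distance is the sum over outcome cases of frequency times probability of fatality, and the contour radii are read off from that. The release frequency, the branch probabilities and the linear effect-zone shape are constructed values, not from the page, and the source is treated as a single point so every contour is a circle.

```python
from typing import Dict, Optional, Tuple

Zone = Tuple[float, float]  # (inner radius m, outer radius m)


def event_tree_outcomes(f_loss_event: float, p_immediate_ignition: float,
                        p_delayed_ignition: float, p_explosion: float) -> Dict[str, float]:
    """Right-hand side of the bow-tie as an event tree. Each branch applies one
    conditional modifier (ignition? explosion?) to the loss-event frequency;
    the outcome-case frequencies always sum back to f_loss_event."""
    f_immediate = f_loss_event * p_immediate_ignition
    f_no_immediate = f_loss_event - f_immediate
    f_delayed = f_no_immediate * p_delayed_ignition
    f_unignited = f_no_immediate - f_delayed
    return {
        "fireball": f_immediate,                           # immediate ignition
        "vapor cloud explosion": f_delayed * p_explosion,  # delayed ignition, explodes
        "flash fire": f_delayed * (1.0 - p_explosion),     # delayed ignition, no explosion
        "toxic exposure": f_unignited,                     # never ignites, cloud drifts
    }


# Effect zone per outcome case (constructed numbers, not from the page):
# probability of fatality 1 inside the inner radius, falling linearly to 0 at
# the outer radius. A real QRA takes these from the effect models.
EFFECT_ZONES: Dict[str, Zone] = {
    "fireball": (40.0, 120.0),
    "vapor cloud explosion": (100.0, 400.0),
    "flash fire": (60.0, 200.0),
    "toxic exposure": (150.0, 900.0),
}


def probability_of_fatality(zone: Zone, distance: float) -> float:
    inner, outer = zone
    if distance <= inner:
        return 1.0
    if distance >= outer:
        return 0.0
    return (outer - distance) / (outer - inner)


def individual_risk(outcomes: Dict[str, float], zones: Dict[str, Zone], distance: float) -> float:
    """Step 4 of the procedure: sum over all outcome cases of
    frequency x probability of fatality at this location (per year)."""
    return sum(f * probability_of_fatality(zones[name], distance)
               for name, f in outcomes.items())


def contour_radius(outcomes: Dict[str, float], zones: Dict[str, Zone], level: float,
                   max_distance: float = 2000.0, step: float = 1.0) -> Optional[float]:
    """Step 6 for a single point source: the outermost distance (m) at which the
    individual risk is still >= level, i.e. the radius of that risk contour.
    None if the risk never reaches the level."""
    radius = None
    for i in range(int(max_distance / step) + 1):
        d = i * step
        if individual_risk(outcomes, zones, d) >= level:
            radius = d
    return radius


def risk_contours(outcomes: Dict[str, float], zones: Dict[str, Zone],
                  levels=(1e-4, 1e-5, 1e-6, 1e-7)) -> Dict[float, Optional[float]]:
    return {level: contour_radius(outcomes, zones, level) for level in levels}


def release_example():
    """Constructed loss event: 1e-3 releases/yr, 10% immediate ignition, 30% delayed
    ignition of the remaining releases, 40% of delayed ignitions explode."""
    outcomes = event_tree_outcomes(1e-3, 0.1, 0.3, 0.4)
    return outcomes, risk_contours(outcomes, EFFECT_ZONES)


if __name__ == "__main__":
    outcomes, contours = release_example()
    for name, f in outcomes.items():
        print(f"{name}: {f:.2e}/yr")
    for level, radius in contours.items():
        print(f"IR {level:.0e}/yr contour at {radius} m")
```

With a real site the sum in individual_risk runs over every incident and every incident outcome case (different release sizes, weather classes and wind directions), and the contours are plotted on a map rather than computed as radii; the arithmetic is the same, which is why the procedure is so much work.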
