Published by Valerie Kennedy. Modified over 7 years ago.
How Layer of Protection Analysis practice in U.K. is affected after the guidance drawn up after the Buncefield accident.
Richard Gowland, Technical Director, EPSC
EPSC involvement
EPSC is an industry-funded association of approximately 40 chemical companies. EPSC has cooperative groups on IEC 61511, LOPA, the Buncefield Learning Experience and Safety Critical Systems, and was asked to chair the PSLG Sub-group 3 on Layer of Protection Analysis (June 2008 to Dec 2009) to produce guidance on best practice.
Preventing another ‘Buncefield’
The Buncefield accident has been described as the biggest fire in Europe since the Second World War. The ‘fall out’ from the event and the requirements specified in the various reports produced by the Major Incident Investigation Board (MIIB) and the Buncefield Standards Technical Group (BSTG) have included a focus on the application of LOPA to facilities of the Buncefield type (2007). Then came the Process Safety Leadership Group (PSLG) and its Final Report, Safety and Environmental Standards for Fuel Storage Sites, published 11 Dec 2009 (the 4th anniversary of the accident).
1) Fuel cascaded down the tank and formed a rich fuel/air mix, which collected in dike A.
2) CCTV footage showed vapour flowing out of dike A from The cloud was initially about 1 m deep, but thickened to 2 m.
Diagram: gasoline tank T912 (internal floating roof) showing the servo level indicator (ATG), the access hatch and funnel for dipping, the independent ‘high-high’ level switch, atmospheric vents, vented ullage and the in/out line.
The final Report from the PSLG
Part 1 Systematic assessment of safety integrity level requirements
Part 2 Protecting against loss of primary containment using high integrity systems
Part 3 Engineering against escalation of loss of primary containment
Part 4 Engineering against loss of secondary and tertiary containment
Part 5 Operating with high reliability organisations
Part 6 Delivering high performance through culture and leadership
The final Report from the PSLG: main appendices
Appendix 1 Mechanisms and potential substances involved in vapour cloud formation
Appendix 2 Guidance on the application of layer of protection analysis (LOPA) to the overflow of an atmospheric storage tank
Appendix 3 Guidance on defining tank capacity
Appendix 4 Guidance on automatic overfill protection systems for bulk gasoline storage tanks
Appendix 5 Guidance for the management of operations and human factors
Appendix 6 Emergency planning guidance
Appendix 7 Principles of process safety leadership
Focusing on LOPA
The Health and Safety Executive (HSE), as part of its regulatory duties, requested 15 similar facilities to carry out LOPA (2007). The results showed inconsistency, which caused concern for the regulator and for LOPA practitioners in the European Process Safety Centre (EPSC). This led to the formation of the PSLG subgroup to rectify this problem.
Results of the work: what is in the Final Report
Annexes and Appendices are references to the final report. IEC rules! This is guidance only. We think it applies to more than just storage of gasoline. A summary follows:
Consequence evaluation
Table 1: Hazardous zones for a Buncefield-type explosion. Note: the distances are radii from the tank wall, as this is the location of the overflow (see diagram below). Bund layouts can vary significantly, so measuring the distances from the bund wall would not provide a consistent approach.
Zone A, r < 250 m: HSE research report RR718 on the Buncefield explosion mechanism indicates that overpressures within the flammable cloud may have exceeded 2 bar (200 kPa) up to 250 m from the tank that overflowed (see Figure 11 within RR718). Therefore within Zone A the probability of fatality should be taken as 1.0 due to overpressure and thermal effects, unless the exposed person is within a protective building specifically designed to withstand this kind of event.
Zone B, 250 m < r < 400 m: Within Zone B there is a low likelihood of fatality, as the overpressure is assumed to decay rapidly at the edge of the cloud. The expected overpressures within Zone B are 5-25 kPa (see RR718 for further information on overpressures). Within Zone B, occupants of buildings that are not designed for potential overpressures are more vulnerable than those in the open air.
Zone C, r > 400 m: Within Zone C the probability of fatality of a typical population can be assumed to be zero. The probability of fatality for members of a sensitive population can be assumed to be low.
Consequence: the hazard zones for Buncefield-type facilities.
From the PSLG Final Report: substances considered likely to form a large vapour cloud, and substances not considered likely to form a large vapour cloud (the two columns of the original table are run together here):
Acetone Diesel Benzene Ethanol and other alcohols Crude Oils (see para 6) Kerosene Raw Gasoline Methanol Methyl Ethyl Ketone Reformate (full range) Naphthas Reformate (heavy) Reformate (worst case – light) Special Boiling Point Solvent 3 Natural Gas Liquids (condensates) Methyl Tertiary Butyl Ether (MTBE) Iso Pentane Special Boiling Point Solvent 2 Toluene
Likelihood of ‘n’ fatalities from a tank explosion per tank per year
Table 2: Risk matrix for scenario-based safety assessments. Rows give the risk tolerability by likelihood per tank per year (10^-4/yr, 10^-5/yr, 10^-6/yr, 10^-7/yr); columns give the number of fatalities n (1, 2-10, 11-50). Each cell is classed as ‘Tolerable if ALARP’ or ‘Broadly acceptable’.
Table 3: Environmental risk criteria
Category | Acceptable if frequency less than | Acceptable if reduced as reasonably practicable and frequency between | Unacceptable if frequency above
6 Catastrophic | 10^-6 per year | 10^-4 to 10^-6 per year | 10^-4 per year
5 Major | - | - | -
4 Severe | - | 10^-2 to 10^-6 per year | 10^-2 per year
3 Significant | - | 10^-1 to 10^-4 per year | 10^-1 per year
2 Noticeable | - | ~10^+1 to 10^-2 per year | ~10^+1 per year
1 Minor | All shown as acceptable
For the purposes of this guidance, the categories from Table 3 have been aligned to COMAH terminology as follows: “Acceptable if frequency less than” equates to the “Broadly Acceptable region”; “Acceptable if reduced as reasonably practicable and frequency between” equates to the “Tolerable if ALARP region”; “Unacceptable if frequency above” equates to the “Intolerable region”.
Category definitions (1)
6 Catastrophic
• Major airborne release with serious offsite effects
• Site shutdown
• Serious contamination of groundwater or watercourse with extensive loss of aquatic life
5 Major
• Evacuation of local populace
• Temporary disabling and hospitalisation
• Serious toxic effect on beneficial or protected species
• Widespread but not persistent damage to land
• Significant fish kill over 5 mile range
4 Severe
• Hospital treatment required
• Public warning and off-site emergency plan invoked
• Hazardous substance releases into water course with ½ mile effect
3 Significant
• Severe and sustained nuisance, e.g. strong offensive odours or noise disturbance
• Major breach of permitted emissions limits with possibility of prosecution
• Numerous public complaints
2 Noticeable
• Noticeable nuisance off-site, e.g. discernible odours
• Minor breach of permitted emission limits, but no environmental harm
• One or two complaints from the public
1 Minor
• Nuisance on site only (no off-site effects)
• No outside complaint
1 Heading and introduction from Section 3.7 in “IPPC H1: Integrated Pollution Prevention and Control (IPPC) and Environmental Assessment and Appraisal of BAT”, Version 6, July 2003.
2 For discussion & review
The steps in LOPA
Option A: scenario definition; assign severity and target frequency; initiating events; enabling events; conditional modifiers; independent layers of protection; output result.
Option B: scenario definition; assign severity and target frequency; initiating events; enabling events; independent layers of protection; conditional modifiers; output result.
This is a choice where CMs may be left until last (B) or dealt with before IPLs (A). The regulator prefers B. I prefer A.
Protection Layer Concept
This diagram illustrates how independent protection layers are credited. The system is designed to respond in a safe way to an initiating event or demand. If an event occurs, there are two possibilities when the first IPL senses the event: it can fail (hopefully with a low probability of failure on demand, PFD) or it can work successfully. The frequency of the resulting dangerous failure is the product of the frequency of the event (the demand) and the PFD of the first layer. If it fails, the next layer of protection is required to work; again there are two possibilities, failure or success. The cumulative failure frequency is the product of the original event frequency and the PFDs of the two layers of protection. As each layer is called upon to function, the failure frequency of the entire system becomes progressively smaller. Hopefully we can achieve the risk tolerance criteria. (May 2009 IChemE LOPA training)
Versions of LOPA
A) Traditional LOPA (CCPS 2001): uses orders of magnitude for initiating events, protection layers, enabling events and conditional modifiers; does not ‘aggregate’ frequency for a scenario which has more than one initiating event.
B) U.K. regulator: accepts justified ‘fractional’ data; requires ‘aggregation’ for a scenario which has more than one initiating event.
‘Conventional’ or ‘classic’ LOPA
Each case considers: the tolerated risk frequency; the initiating event frequency; conditional modifiers; the probability of failure on demand of each relevant independent layer of protection. One initiating event is considered for each ‘case’.
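As an added worked example (not code from the slides or from the PSLG report), the arithmetic of the Protection Layer Concept, the conventional per-case calculation and the U.K. ‘aggregation’ rule above, together with the initiating-event rules quoted later for a non-61511 BPCS loop (floor of 1E-05 dangerous failures per hour) and for human error (tasks per year × HEP) and the cap of RRF 10 on non-compliant instrumented protection. The scenario numbers, the target frequency and the conditional-modifier values are constructed assumptions, not PSLG figures.

```python
"""LOPA arithmetic for a tank-overfill scenario, with U.K.-style aggregation (constructed example)."""
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 8760
# PSLG floor: a BPCS loop not conforming to BS EN 61511 can claim no better than 1E-05 dangerous failures/hour.
BPCS_MIN_DANGEROUS_PER_HOUR = 1e-5
# PSLG cap: instrumented protection not complying with BS EN 61511 gets a risk reduction factor of at most 10.
NON_COMPLIANT_MAX_RRF = 10.0

def bpcs_loop_ief(claimed_dangerous_per_hour: float) -> float:
    """Per-year initiating event frequency for a non-61511 BPCS loop, after applying the floor."""
    return max(claimed_dangerous_per_hour, BPCS_MIN_DANGEROUS_PER_HOUR) * HOURS_PER_YEAR

def human_error_ief(tasks_per_year: int, hep: float) -> float:
    """Task count times HEP; time at risk is already inside tasks_per_year, so no further factor."""
    return tasks_per_year * hep

def creditable_pfd(claimed_pfd: float, complies_with_61511: bool) -> float:
    """PFD that may be credited for an instrumented layer; non-compliant layers are capped at RRF 10."""
    return claimed_pfd if complies_with_61511 else max(claimed_pfd, 1.0 / NON_COMPLIANT_MAX_RRF)

@dataclass
class Case:
    name: str
    ief: float             # initiating event frequency, per year
    enabling: float        # enabling-event probability, e.g. fraction of fills able to overflow
    ipl_pfds: List[float]  # one PFD per independent protection layer

def case_frequency(case: Case, cms: List[float]) -> float:
    """Demand frequency times each layer's PFD in turn, then the conditional modifiers."""
    f = case.ief * case.enabling
    for pfd in case.ipl_pfds:
        f *= pfd  # each layer must fail in turn, so the frequency shrinks layer by layer
    for cm in cms:
        f *= cm
    return f

def aggregated_frequency(cases: List[Case], cms: List[float]) -> float:
    """U.K. regulator: sum every initiating event's contribution to the one scenario."""
    return sum(case_frequency(c, cms) for c in cases)

def worst_case_frequency(cases: List[Case], cms: List[float]) -> float:
    """Traditional CCPS 2001 LOPA: cases stand alone, so only the worst one is compared to the target."""
    return max(case_frequency(c, cms) for c in cases)

def required_rrf(scenario_freq: float, target_freq: float) -> float:
    """Further risk reduction factor needed to reach the tolerated frequency (1.0 if already met)."""
    return max(1.0, scenario_freq / target_freq)

def example_scenario() -> dict:
    """Constructed gasoline tank overfill scenario; every number here is an illustrative assumption."""
    cms = [0.1, 0.1, 0.5]  # calm/stable weather, delayed ignition of a large cloud, occupancy
    switch = creditable_pfd(0.05, complies_with_61511=False)  # high-high switch + operator trip -> 0.1
    cases = [
        Case("ATG/BPCS loop fails to stop the fill", bpcs_loop_ief(1e-6), 1.0, [switch]),
        Case("Operator ullage/stop-gauge error", human_error_ief(100, 0.01), 0.5, [switch]),
    ]
    target = 1e-5  # tolerated frequency for the scenario, per tank per year (assumption)
    agg, worst = aggregated_frequency(cases, cms), worst_case_frequency(cases, cms)
    return {"per_case": {c.name: case_frequency(c, cms) for c in cases},
            "aggregated": agg, "worst_case": worst,
            "rrf_aggregated": required_rrf(agg, target), "rrf_worst_case": required_rrf(worst, target)}
```

Running `example_scenario()` shows why the two versions differ: the worst single case needs a further RRF of 25, but the aggregated scenario needs about 29, and with more initiating events the gap widens.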
Case 1 (diagram)
Case 2 (diagram)
Case 3 (diagram)
Case 4 (diagram)
All Cases (diagram)
Initiating Events
Equipment failures: for example failures of level measurement systems (gauges, radar devices, suspended weights), valves and other components; also failures of site services and infrastructure (e.g. loss of power, utilities, communications);
Failure of the Basic Process Control System
The term “Basic Process Control Function” (BPCF) was developed to differentiate between the functional requirement for process control (what needs to be done) and the delivery of that functional requirement through the Basic Process Control System. Although the definitions in IEC are not always explicit in this area, a BPCS can include either a fully automated control system or a system that relies on one or more people to carry out part of the BPCF. The BPCS is considered to comprise all the arrangements required to effect normal control of the working level in the storage tank, including operational controls, alarms through the BPCS and the associated operator response.
BPCS items
• Level sensor on the tank
• Field data marshalling and communications systems
• Input/output cards
• Central processing units (logic controller, processing cards, power supplies and visual displays)
• Operators and other workers required to perform the normal control function required to control the level of the storage tank
• Communication arrangements between operators if more than one operator is required to carry out the control function
• Final elements (which may be a remotely or locally operated valve or pump)
Where the initiating event is caused by the failure of an item of equipment, the failure rate per year may be derived from the failure-to-danger rate of the equipment item (a per-hour rate scaled to a per-year figure). Where the initiating event is taken to be the failure of a BPCS control loop (when it does not conform to BS EN 61511), the minimum frequency which can be claimed is 1E-05 dangerous failures per hour.
Human failures: errors in executing the steps of the filling operation in the proper sequence, or omitting steps. Possible errors may include but are not limited to:
• Incorrect calculations of the ullage in a tank (leading to an overestimate of how much material can be safely transferred into the tank)
• Incorrect verification of dips or incorrect calibration of level instrumentation
• Incorrect routing of the transfer (sending material to the wrong tank)
• Incorrect calculation of filling time or incorrect setting of stop gauges
• Failure to stop the transfer at the correct time (e.g. missing or ignoring the stop gauge and/or succeeding alarms)
Where the initiating event is caused by the failure of a person to carry out a task correctly and in a timely manner, the initiating event frequency is calculated as the product of the number of times the task is carried out in a year and the Human Error Probability (HEP) for the task. In this case, the time at risk is already included in the number of times the task is carried out in a year and no further factor should be applied.
Enabling Events
• The number of tank-filling operations carried out in a year (which may change as commercial circumstances change); avoid ‘double counting’
• The proportion of tank fills which are carried out where the batch size is capable of causing the tank to overflow (it may be that the tank under review normally runs at a very low level and would not normally be able to be filled to the point of overflow by typical batch sizes)
• The tank operating mode (if the tank is on a fill-and-draw operating mode so that the level is more or less static)
• Role and effect of cross checks (these should really be treated as possible layers of protection)
Protection Layers
A valid protection layer needs to be: effective in preventing the consequence; and independent of any other protection layer or initiating event; and auditable, which may include a requirement for a realistic functional test.
Protection Layers The Basic Process Control System as a protection layer It may be possible to take credit for the BPCS as a protection layer if sufficient independence can be demonstrated between the required functionality of the BPCS in the protection layer and any other protection layer and the initiating event.
Protection Layers The basic process control system as a protection layer Claims for risk reduction achieved by the BPCS should meet the requirements of BS EN and (eg clauses 9.4, 9.5 and 11.2). Figure below illustrates what the application of these principles could require in practice.
Protection Layers Response to alarms
Dutyholders should review and where necessary revise the settings of the level alarms on their tanks in accordance with Appendix 3. Where the alarm settings meet the requirements, it is considered legitimate to consider operator response as a protection layer under suitable conditions. Where process alarms are delivered through the BPCS, consult Annex 5 for further guidance on independence when credit is being claimed for more than one function implemented through the BPCS. The analysis should meet the requirements of BS EN (for example clauses 9.4, 9.5 and 11.2).
Protection Layers: safety instrumented systems
In LOPA studies, the normal convention is that the need for a SIS is determined when all other protection layers have been considered. If an existing SIS complies with BS EN then a reliability performance consistent with the SIL rating of the SIS and its design and operation can be claimed. If any ‘instrumented protection’ does not comply with BS EN then a risk reduction factor of no greater than 10 can be claimed for it.
Conditional Modifier 1 Probability of calm and stable weather
The Buncefield explosion occurred during calm and stable weather conditions. There is insufficient evidence currently available to say with certainty whether the weather needed to be both calm and stable, whether only one of these conditions was required (and if so which), and what wind speed limit should be applied to the ‘calm’ condition. The basis of this guidance is that the development of a large vapour cloud with the kind of compositional homogeneity that is believed to have existed at Buncefield required both low wind speed and stable atmospheric conditions.
Conditional Modifier 2 Probability of ignition of a large flammable cloud This conditional modifier represents the probability that the ignition of the vapour cloud from a storage tank overflow is delayed until it is sufficiently large to cause a widespread impact. Alternative outcomes are an earlier ignition that causes a localised flash fire, or safe dispersal of the cloud without ignition.
Conditional Modifier 3: probability of explosion after ignition
The reasons why the vapour cloud at Buncefield exploded, as opposed to burning as a flash fire, are not fully understood. The latest understanding is contained in the report ‘Buncefield explosion mechanism Phase 1: Volumes 1 and 2, RR718, HSE Books 2009’. Factors such as ambient temperature; cloud size, shape and homogeneity; congestion (including that from vegetation); droplet size; and fuel properties may have a significant effect on the probability of an explosion compared to a fire.
Conditional Modifier 4: probability that a person is present within the hazard zone
This conditional modifier can be used to represent the probability of a person being present in the hazardous area at the time of a tank overflow. Care should be taken with this conditional modifier to avoid double-counting factors which have already been taken into account elsewhere (e.g. in other protection layers or in the calculation of the consequence), and in particular to avoid double-counting any credit taken for evacuation. The report discusses which occupancy factors may be appropriate for a given scenario.
Conditional Modifier 5 Probability of fatality
This conditional modifier is often referred to as ‘vulnerability’. This conditional modifier may only be used if a single value can be specified for the hazardous scenario – most likely in an Individual Risk calculation. Otherwise it should be incorporated in the calculation of the consequence. The value to be used will have to be determined on a case by case basis.
Where are we?
We have addressed each of the aspects of LOPA to establish consensus about the rules we would apply among the group, which includes industry, the regulator (Health and Safety Executive and Health and Safety Laboratory), consultants and human factors specialists. These have been tested in real life by the group to make sure that the methods and rules did result in sensible outcomes. This supports the guidance, which was completed by June and published in December 2009.
Conclusion on expected practices as a result
The PSLG Final Report:
• Sets the standard for fuel storage sites
• Offers useful guidance for any LOPA study submitted to U.K. authorities (not limited to fuel storage)
• Incorporates principles of simple order-of-magnitude LOPA and extends to a more advanced form of LOPA which includes: aggregated event frequency accounting for several initiating events in a scenario; human factors; enhanced data on probability of failure on demand for layers of protection
Thank you
What does the well known Process Safety guru say?
video
Summary of 50 LOPAs carried out since PSLG guidance published
Results of Competent Authority Reviews
Of the 40 reviewed, 6 sites were acceptable, ‘green’; 16 were unacceptable, ‘red’; and 18 require further information or clarification, ‘amber’. It was noted that very few submissions included an improvement plan.
Results of Competent Authority Reviews
It was noted that there were some valuable lessons to be learned from the LOPA exercise – what is called for in the PSLG report is far and above what many consultants are used to doing when performing LOPAs. We should consider how these learnings can be shared (e.g. through IChemE LOPA training courses?)
Results of Competent Authority Reviews
Risk tolerance criteria Many reports used inappropriate risk tolerance criteria for the consequences stated or failed to link the criteria with the assessment. One report used risk criteria in the ALARP region without an ALARP demonstration or cost benefit analysis. Many reports failed to consider, underestimated or gave inadequate descriptions of the consequences for offsite populations or escalation (domino effects) both on and offsite and as a result may have used inappropriate risk tolerance criteria.
Results of Competent Authority Reviews
LOPA rules
Many LOPAs assigned inappropriate and over-optimistic frequencies for initiating events or protection layers without justification. Many LOPAs included double counting of IEs and CMs, e.g. claims for BPCS/operator performance in IEs not demonstrated to be independent of relevant measures in IPLs. Many LOPAs assigned inappropriate conditional modifiers (CMs) without justification, or double counted some elements of CMs, or used invalid CMs, or problematic judgements. Many LOPAs included double counting of IEs and CMs, e.g. claims for BPCS in IEs not independent of BPCS functions in IPLs.
Results of Competent Authority Reviews
Examples of LOPA errors
• Double count of operator checks and over-optimistic HEP claims (0.001 × 0.001)
• Claim for operator detection and escape without a formal procedure (not allowed by PSLG)
• Operator cross check incorrectly treated as an enabling event when it should be a PL and follow the rules for PLs, for example independence
• Mitigation layers lumped with CMs and IPLs
• Lack of independence between operator checks using the same operator
• Many reports did not clearly indicate the extent of independence between the proposed (or installed) SIL-rated high integrity overfill protection system and normal tank filling arrangements
Results of Competent Authority Reviews
System Improvement Some reports suffered lack of clarity in LOPA table between required SIL and existing SIL, eg SIL1 system required in addition to existing SIL1 system using an operator in the loop. A number of reports gave no commitment to an improved system. For example, one report stated, “a SIL1 system may give the required risk reduction”. Some reports failed to give the safety function of a proposed SIS.