Probabilities and Statistics Role in LOPA
Risk is the likelihood or probability that a hazard (i.e. a source of potential danger) will
cause severe harm. If we want to reduce the likelihood of a hazard causing harm, first
it is necessary to qualify, analyze, and quantify the risk.
In the process industry we often find situations that could become sources of
potential danger, such as handling very high pressures in vessels or tanks, high
temperatures in gases or liquids, or toxic or poisonous materials.
There are processes that, while being operated, deviate from the intended handling
design and thereby become a source of potential harm.
Oftentimes, to reduce the likelihood of these potential dangers causing harm, Safety
Instrumented Functions (SIFs) and other types of safeguards are used.
However, for these safety instrumented functions or safeguards to be effective in
reducing the probability of a hazard causing harm, they must themselves achieve a
good performance level with respect to the probability that they will function correctly
when they are required to do so in order to prevent the harm from occurring. Therefore,
safety instrumented systems have to be designed to a specific performance level in
order to be useful. (Safety Integrity Level, SIL, is the indicator of that performance.)
Risk analysis is a technique, founded on probability and statistics, used to
determine how well an industrial process will operate, function, or perform with respect
to the likelihood that it will break or malfunction and cause harm or damage.
In other words, risk analysis is used to find out the probable risk existing in a process,
and how much risk reduction is needed, so that that risk reduction can be provided by
adding safeguards with the necessary level of risk reduction.
Layer of Protection Analysis, (LOPA), is a technique more associated with the
likelihood or probability part of risk analysis, and is used to determine the frequency of a
potential harmful event.
Event likelihood, (event rate or frequency), for a specific hazardous event, is usually
determined by using statistical analysis of historical or cataloged data.
LOPA is a method based on a branch of mathematics called probability and statistics,
which is used to quantify observations about events using numerical information.
One way to better understand LOPA is to see how mathematics is used to determine
the relative frequency of a potentially harmful event. Venn diagrams, which are
a way of expressing Boolean logic relationships between groups of things or events, will
help with the analysis.
Suppose we are analyzing distillation columns, and we observe that a distillation
column is a source of potential danger, because the tower could overpressure and
rupture, causing loss of containment.
Our “sample space” of all distillation columns in Hydrocarbon Land is 80. For
mathematical purposes it should be clear that a column either loses containment or
does not; that means the event is “complementary”. Furthermore, one column failing
does not mean that another column will also fail, so we say that the column failure event is
independent.
Now, the sample space can be divided into two events: Event A, distillation columns that
had dangerous overpressure and lost containment, and all the other distillation
columns (the complement) that did not lose containment. The graphic diagram would
look as shown below.
The event records of the plants in “Hydrocarbon Land” also indicated that, in a period
of 20 years, 2 towers had overpressure and lost containment.
Then, what is the probability P(A), that a randomly chosen distillation column had a
dangerous loss of containment? (Or, what is the distillation column dangerous loss of
containment rate?)
Now, using the relative frequency of events based on observations:
P(A) = 2 / (80 x 20) = 0.00125 events per year
The frequency at which event A is occurring may not be tolerable to a corporation and it
was decided that a tolerable frequency would be any one distillation column losing
containment in 1000 years.
Tolerable Frequency TF = 0.0000125 events per year
It was observed, from a Hazard and Operability Analysis, HAZOP, that there was one
Initiating Event that caused the column to overpressure and lose containment.
The reflux valve can fail closed, Event B.
Event B is now added to the Venn diagram. There are two outcomes for event B:
1) The reflux valve is successful (positive), working properly and regulating flow as
needed,
2) The reflux valve was unsuccessful (negative), failing closed when it needed to
regulate the cooling flow.
We will take Event B as “Reflux valve failed closed when regulating flow”.
What would be the probability that the reflux valve failed, (negative), for a randomly
selected column? The reflux valve independently has its own failure frequency of 1
failure in 20 years or 0.05 times per year.
Now, let’s combine the two events in the same “sample space”. (Combine the
probabilities).
What is the probability P(AB), that a randomly chosen distillation column tower had
dangerous loss of containment AND at the same time the reflux valve failed closed,
(negative)? (Overlap portion).
If event A is independent of event B, then the formula for the probability of event A and
event B happening at the same time is P(AB) = P(A) x P(B).
The probability of both events, A and B, occurring is P(A) x P(B) = 0.0000625 events
per year.
There is also the event (B – AB), “Distillation columns that did not lose containment
AND the reflux valve had failed closed”. (The reflux valve failed during maintenance
testing, assuming that a manual by-pass valve was used during testing.)
There is also the event (A – AB), “Distillation columns that had lost containment AND
the reflux valve had not failed closed”. (An external event may have happened, e.g. a
hurricane.)
It was later found, from a reviewed HAZOP, that there were two independent possible
Initiating events that could cause the column to overpressure and lose containment:
Event B, Reflux valve failed closed, (With an independent frequency of failure of 1
failure in 20 years or 0.05 times per year), and Event C Reflux Pump failure, (With an
independent frequency of failure of 1 failure in 5 years or 0.2 times per year).
It is very important to notice that events B and C are independent of each
other.
Let’s put events A and C in the same “sample space” and combine the two events to
find the probability of having event A and C at the same time.
What is the probability P(AC), that a randomly chosen distillation column tower had
dangerous loss of containment AND at the same time a reflux pump failed,
(negative)? (Overlap portion).
If event A is independent of event C and B, then the formula for the probability of having
event A and event C at the same time is P(AC) = P(A) x P(C).
The probability of both events, A and C, occurring is P(A) x P(C) = 0.00025 events per
year.
There is also the event (C – AC), “Distillation columns that did not lose containment
AND the reflux pump failed”. (The reflux pump failed during maintenance testing,
assuming that a stand-by back-up pump was used during testing.)
There is also the event (A – AC), “Distillation columns with towers that had lost
containment AND the reflux pump had not failed”. (An external event may have
happened, e.g. a foundation failure.)
The relationship between the reflux valve and pump and a distillation column losing
containment is that either a failure of the reflux pump OR the reflux valve closing will
cause the column to overpressure and lose containment.
So, what is the probability P(AB) OR P(AC), that a randomly chosen distillation
column tower had a loss of containment with the reflux valve closing OR with the reflux
pump failing?
Then, the probability of having at the same time event A “and” event B “or” having at the
same time event A “and” event C is:
[P(A) x P(B)] + [P(A) x P(C)] = 0.0000625 + 0.00025 = 0.0003125 events per year
Therefore, as long as it can be shown that the events are completely independent of
each other and complementary in nature, the probabilistic mathematics used will serve
its purpose; otherwise, the result will not make sense.
It can be seen that the contribution of the two initiating events, B and C, to the total
probability of the distillation columns over-pressuring and losing containment is
0.0003125 events per year.
Is there a gap from the actual undesirable event frequency, AF, to the tolerable one?
TF/AF = 0.0000125 / 0.0003125 = 0.04
Yes, and the gap would have to be reduced by a factor of 25 (AF/TF).
How to close the gap?
The answer can be found by including another event, D, that could lower the relative
frequency of the undesirable outcome.
Evidently, event D must be independent of all other events and complementary, so that
it can be included in the Venn diagram. So now we could say that event D will prevent
event A from happening if it works when event C happens. Event D could be a spare
reflux pump that auto-starts when the running process pump fails.
What is important for us to know is: what is the probability of event D failing to prevent
event A, given that event C happened? In other words, the relative frequency of the three
events happening at the same time is lower. The new relative frequency is [P(A) x P(C) x
P(D)]. Let’s say that the probability of event D failing to work is one out of ten demands
(per year), 0.1.
Then [P(A) x P(B)] + [P(A) x P(C) x P(D)] = 0.0000625 + 0.000025 = 0.0000875 events per year
Is there still a gap from the actual undesirable event frequency with mitigation, MF, to
the tolerable? TF/MF (0.0000125 / 0.0000875 = 0.14286).
The gap would have to be reduced by a factor of 7, which is less than the previous
factor 25.
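The whole calculation above, from the observed relative frequency P(A) through the OR-combination of the initiating events and the spare-pump layer D, as an added Python example (this is not the article's own code; the inputs are the article's numbers and the class and function names are assumptions):

```python
from dataclasses import dataclass, field

# Constructed inputs taken from the article's worked case (this is not the article's own code).
SAMPLE_COLUMNS = 80        # sample space: distillation columns in "Hydrocarbon Land"
OBSERVATION_YEARS = 20     # period over which the plant event records were kept
OBSERVED_LOSSES = 2        # columns that overpressured and lost containment in that period


def relative_frequency(events: int, population: int, years: float) -> float:
    """Events per column per year: the article's P(A) and its tolerable frequency TF."""
    return events / (population * years)


@dataclass
class InitiatingEvent:
    """An independent initiating event plus the PFDs of independent layers that stop it."""
    name: str
    frequency: float                                  # failures per year
    layer_pfds: list = field(default_factory=list)    # e.g. event D with PFD 0.1 per demand

    def mitigated_frequency(self, p_a: float) -> float:
        # P(A) x P(B) x P(D) ...: the product is valid only because every factor is independent
        f = p_a * self.frequency
        for pfd in self.layer_pfds:
            f *= pfd
        return f


def total_frequency(p_a: float, events: list) -> float:
    """OR of independent initiating events: the article sums the AND-frequencies."""
    return sum(e.mitigated_frequency(p_a) for e in events)


def gap_factor(actual: float, tolerable: float) -> float:
    """How many times the actual frequency exceeds the tolerable one (AF/TF)."""
    return actual / tolerable


def lopa_case() -> dict:
    """The article's numbers: events B and C, then a spare pump (event D) protecting against C."""
    p_a = relative_frequency(OBSERVED_LOSSES, SAMPLE_COLUMNS, OBSERVATION_YEARS)
    tf = relative_frequency(1, SAMPLE_COLUMNS, 1000)  # any one column in 1000 years
    valve = InitiatingEvent("B: reflux valve fails closed", 1 / 20)
    pump = InitiatingEvent("C: reflux pump fails", 1 / 5)
    af = total_frequency(p_a, [valve, pump])          # unmitigated frequency, AF
    pump.layer_pfds.append(0.1)                       # add event D: auto-start spare pump
    mf = total_frequency(p_a, [valve, pump])          # mitigated frequency, MF
    return {"P(A)": p_a, "TF": tf, "AF": af, "gap": gap_factor(af, tf),
            "MF": mf, "gap_mitigated": gap_factor(mf, tf)}
```

Adding a further layer is just another entry in `layer_pfds`, so the same code shows how much each additional independent safeguard narrows the gap factor.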
There is a very important conclusion from the above explanation. The “Total Risk”
concept was shown by adding up all the mitigated event frequencies for the unwanted,
undesirable events that present the same hazard.
This concept is very important because it puts a lot of emphasis on determining the
boundaries of the Process Under Control and the Equipment Under Control system.
Industrial processes can be separated into sections called nodes. These nodes are
sections of the design that have defined boundaries, such as line sections between
major pieces of equipment, tanks, pumps, etc. However, for the LOPA study the
decision as to how big a node may be, or how to combine several nodes, will depend on
the consequence of the hazardous event being studied.
Therefore, the way in which the nodes are defined for a HAZOP study may differ
from the way in which nodes are defined or grouped for a LOPA study.
Note about probability:
There are several definitions of probability, some rigid and others more flexible and
practical. In this article the definition used for probability is a mix of relative
frequency and subjective probability. Therefore, the probability definition used in this article is
closer to the axiomatic one. It is certainly not the classical definition of probability.
Definition of relative frequency:
The ratio of the number of times an event happens to the number of times that event could happen over time. For
example, if the proportion of distillation columns that rupture remains steady at 0.125
per cent per year, then the probability of a distillation column rupturing is 0.125 per
cent in the long run. The probability is defined as the limit to which the frequency of
distillation columns that rupture tends in the long run.
Definition of subjective probability:
The probability of a particular outcome is an educated guess or a numerical measure of
a state of knowledge, a degree of belief or judgment, or a state of confidence about the
outcome of an event.
Statistical analysis may give a probability number for a particular event, but often
a person has more insightful information and can make a better prediction of the
likelihood of the outcome of a particular event.
Guillermo Pacanins, P. Eng., TÜV FS Eng., TÜV FS Exp.
Safety Lifecycle Leader/Educator