Layer of protection analysis (LOPA) has become one of the most important risk analysis techniques in the process industry to determine the integrity requirements for protection layers, especially the safety integrity level (SIL) for safety instrumented functions (SIF's). Once a SIL has been allocated to a SIF safeguard in LOPA, the SIF will be designed, installed, and operated according to ANSI/ISA 84.00.01/IEC 61511. These standards require that a SIL verification be performed to assess that the integrity of the designed SIF meets the target integrity requirements determined in the LOPA. A key question is what is the appropriate target integrity measure for your SIF based on the scenario's demand rate and how might that affect the LOPA methodology.
One basic assumption in LOPA is that the safety integrity of the protection layers (including SIF's) is given by the well known average probability of failure on demand (PFDavg), which is the safety integrity measurement for low demand systems per ANSI/ISA 84.00.01/IEC 61511. However, what if the hazard scenario involved has a high/continuous demand rate (nominally defined in the standards as more than once a year)? ANSI/ISA 84.00.01/IEC 61511 explicitly defines the safety integrity measure for high/continuous demand SIF as the frequency of dangerous failures per hour (PFH), instead of PFDavg. We also potentially have a mixture of safeguards operating in different modes, e.g. both low demand and high/continuous modes, in the same LOPA scenario. Does LOPA still work? Is your SIL determination correct? Are your verification calculation going to be correct?
In this paper, we present a method to allow the handling of high/continuous demand hazard scenarios in LOPA without changing the general LOPA framework. Calculation of high/continuous mode safety functions are illustrated with discussion of diagnostic and test interval effects provided. Cases encountered in actual projects are used as examples to showcase the proposed method.