2023 Spring Meeting and 19th Global Congress on Process Safety

(80c) Supporting LOPA with Fault Tree Analysis – Butane Overfill Protection Case Study

Authors

Applegate, J., Kenexis

Layer of Protection Analysis (LOPA) is an important tool for risk analysis and safeguard design, but its limitations can result in unrealistic analysis and overdesign. This is especially true when the analysis is used to develop performance targets for safeguarding equipment, such as Safety Integrity Levels (SIL) for Safety Instrumented Systems (SIS). The ease of use of LOPA relies on conservative assumptions about system design that are not always true or appropriate, including independence between initiating events and protection layers and a simplified treatment of operator response. When LOPA fails to yield appropriate results, risk analysts can turn to more sophisticated techniques such as fault tree analysis and human reliability analysis. Fault tree analysis allows elegant handling of shared components, giving more accurate risk estimates and appropriate credit for dependent systems. This paper explains some situations in which LOPA is expected to produce inaccurate risk analysis and shows how the analysis could be performed better using fault tree analysis. The concepts are presented through an example of a butane sphere batch filling operation in which single pieces of equipment serve multiple purposes, such as a dual level transmitter system that is used as part of the filling control loops, as part of an alarm for manual response, and as part of the SIS. LOPA would not allow these shared components to be credited, whereas fault tree analysis elegantly models their effectiveness.