Dependent, independent, and pseudo‐independent protection layers in risk analysis

Abstract

Risk analysis is an important tool to provide support for various risk management decisions in hazardous industries. For the last decade, the semiquantitative Layers of Protection Analysis (LOPA) has been the dominating risk analysis technique in the US process industry. One basic assumption in LOPA is that all the protection layers are independent from each other and from the initiating cause; otherwise, no risk reduction credit should be taken in the LOPA. However, many processes do have protection layers, which are dependent to some extent. For these systems, assuming independency may be too optimistic, whereas disregarding the partial risk reduction afforded from a partially dependent protection layer is pessimistic.This article considers processes with dependent protection layers (with a shared component), independent protection layers, and pseudo‐independent protection layers (subject to common cause failure). A long distance gas pipeline system is used as an example. Using reduced Event Trees for incident scenario modeling, Fault Trees for protection layers, and solving them in a coupled calculation, this article shows how protection layer dependencies are treated in risk analysis to obtain the overall risk reduction without being too optimistic or pessimistic. © 2015 American Institute of Chemical Engineers Process Saf Prog 35: 286–294, 2016