The document discusses automatic process control systems and safety analysis techniques. It describes: 1. The basic components and objectives of automatic control loops, which aim to closely monitor processes and maintain stable conditions. 2. The main components of control loops including the process, measuring unit, controlling unit, and correcting unit. Common control media are pneumatic, electronic, and hydraulic systems. 3. The two main modes of automatic control loops are open loop control, where operator adjustments maintain the process, and closed loop control, where feedback automatically adjusts the correcting unit.

Uploaded by Madonna Shalma

Safety Layer of Protection Analysis “LOPA”
PROCESS CONTROL SYSTEMS
AUTOMATIC CONTROL SYSTEMS
1. The Need for Control

• Automatic process control systems are used extensively in chemical and petrochemical plants and facilities, with systems ranging from local vessel level and pressure control to fully automated computer control.
1. The Need for Control
• The basic objective of any process control application is to
achieve a control system to:-
 closely monitor the condition of the process,
 provide sufficient information to enable the control system to
maintain the process in a stable condition,
 produce the design throughput of the unit,
 compensate for limited changes in process conditions and
maintain production to the given specification.

 Automatic control is achieved with various types of control systems covering several generations of system development.
2. Purpose Of Automatic Control
• The purpose of automatic control is to provide a means by which any process
operating condition within a production system can be maintained in a stable
and consistent manner.

• This requires that there is some means of measuring the condition of the
process and that some method of adjusting the operating condition is provided.

• The effect of automatic control is an adjustment to the process which corrects a deviation from the preset operating condition.

• It follows that four main components are required for any automatic control
loop:-
 process,
 measuring unit,
 controlling unit,
 correcting unit.

3. Components Of An Automatic Control Loop

• The main components of an automatic control loop comprise a process, measuring unit, controlling unit and correcting unit.

• These units can be shown in block diagram form (Figure 1), as in the accompanying illustration.

FIGURE 1 CONTROL SYSTEM BLOCK DIAGRAM

FIGURE 2. EXAMPLES OF AUTOMATIC CONTROL LOOP COMPONENTS
Figure 2 panels: Unit-1, Unit-2, Unit-3.
Control Media

 The common types of operating control media used are:-
1. Pneumatic system (Air).
2. Electronic systems (Electricity).
3. Hydraulic systems (Hydraulic Fluid).
1. The pneumatic system is widely used due to its reliability and the fact that it can be used in hazardous areas.

2. Electronic systems can be easily interfaced with control computers and logic systems, which give fast response; where a large number of control loops exist, an electronic system or computer is often a cost effective control method.

3. Hydraulic systems may be supplied in package units.
• They have proved reliable and extremely powerful when used to position the final control element.
Automatic Control Loops Modes

• Automatic control loops may be considered in two distinct modes, namely, open loop control and closed loop control.
1. Open Loop Control
• In open loop control (Figure 3) the process condition is measured
and continuously indicated.

• The output of the measuring element does not play a direct part in
actuating the valve; its only function is to provide information.

• The reading from the measuring element is taken periodically and the hand valve on the process fluid output adjusted accordingly.

• These operations are carried out by an operator.

FIGURE 3. OPEN LOOP CONTROL SYSTEM
2. Closed Loop Control
• In a closed loop control system (Figure 5) the output of the measuring element is fed into the loop controller where it is compared with the set point.
• An error signal is generated when the measured value is not equal to the set point.
• Subsequently, the controller adjusts the position of the control valve until the measured value fed into the controller is equal to the set point.

• The Measured Value (MV) signal is fed back to the controller after adjustment of the control valve (correcting element) by the controller.
• The controller continuously compares this feedback (MV) signal with the Set Point (SP) and readjusts the control valve to maintain MV = SP. Thus closed loop control is often referred to as feedback control.

FIGURE 5. PNEUMATIC CLOSED LOOP CONTROL SYSTEM
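To make the difference between the two modes concrete, here is an added simulation that is not part of the original slides. It models a constructed vessel level: in the closed-loop run the measured value is fed back to a PI controller every step and the valve is readjusted until MV = SP; in the open-loop run the measurement is only indicated and a hand valve stays at the setting an operator chose for the nominal load, so a change in load is never corrected. The process gain, loads, controller gains and set point are all constructed for the illustration.

```python
"""Closed-loop (feedback) control versus open-loop control of a vessel level.

Added illustration, not part of the original slides. The process model,
controller gains, loads and set point are all constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Tank:
    """Constructed process: the level rises with inflow (valve position u,
    0..1) and falls with an outflow load d, by gain*(u - d) per time step."""
    level: float            # the Measured Value (MV)
    gain: float = 0.1
    load: float = 0.5       # outflow; the disturbance the operator cannot see

    def step(self, u: float) -> float:
        u = min(1.0, max(0.0, u))       # correcting unit: finite valve travel
        self.level += self.gain * (u - self.load)
        return self.level


@dataclass
class PIController:
    """Controlling unit: compares MV with the Set Point (SP) and readjusts
    the valve. Integral action removes the steady-state offset."""
    sp: float
    kc: float = 0.5
    ki: float = 0.05
    integral: float = 0.0

    def output(self, mv: float) -> float:
        error = self.sp - mv            # the error signal of the slide
        u_raw = self.kc * error + self.ki * self.integral
        # Anti-windup: do not keep integrating while the valve is already at
        # a limit and the error would only push it further into that limit.
        pinned = (u_raw > 1.0 and error > 0) or (u_raw < 0.0 and error < 0)
        if not pinned:
            self.integral += error
        return min(1.0, max(0.0, u_raw))


def run_closed_loop(sp: float = 5.0, start: float = 2.0, load: float = 0.6,
                    steps: int = 1000) -> float:
    """MV is fed back every step and the controller keeps readjusting the
    valve until MV = SP. Returns the final level."""
    tank = Tank(level=start, load=load)
    ctrl = PIController(sp=sp)
    for _ in range(steps):
        tank.step(ctrl.output(tank.level))
    return tank.level


def run_open_loop(sp: float = 5.0, nominal_load: float = 0.5,
                  actual_load: float = 0.6, steps: int = 100) -> float:
    """The measurement is only indicated; the operator set the hand valve
    once, for the nominal load, so a load change is never corrected."""
    tank = Tank(level=sp, load=actual_load)
    hand_valve = nominal_load           # balances the tank at the nominal load
    for _ in range(steps):
        tank.step(hand_valve)
    return tank.level


if __name__ == "__main__":
    print(f"closed loop: final level {run_closed_loop():.3f} for SP 5.0")
    print(f"open loop:   final level {run_open_loop():.3f} for SP 5.0")
```

With the constructed numbers the closed loop settles at the set point despite the load being higher than nominal, while the open-loop level drifts away from it by 0.01 per step until an operator next reads the indicator and moves the hand valve.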
Risk Management Principles
Hazard Controls

• Mitigation Controls
– Ignition Prevention
– Alarms and Procedures
– Mitigation
– Emergency Response
– Prevention of “Escalation to other vessel”

• Prevention Controls
– Elimination
– Substitution
– Engineering
– Alarms & Procedures
– Passive Devices
– Prevention of “Escalation from other incident”

Risk Management Principles: Simplified Risk Management Process (flowchart)

Determine risk review requirements (when and who) → Identify hazards (what and how) → Analyze/assess risk → Is risk tolerable? If yes: manage residual risk. If no: can risk be reduced? If yes, reduce risk and assess again; if no, discontinue activity. The chart labels the reduce-risk branch “Prevention” and the manage-residual-risk branch “Mitigation”.
Notes on the chart: this map is common; risk is a combination of hazard severity and frequency or likelihood.
Risk Review Requirements

The risk review process has to be determined

• by all relevant stakeholders/departments of the organisation

• in writing (company guideline)

• shared with authorities etc.

• defining the risk review team (multi-disciplinary including operator level)

• defining milestones for and different levels of risk review (e.g. design phase, pre-commissioning, pre-start up, changes, etc.)
Design, Build and Operate

Cartoon panels: what the client ordered; how the project mgr. understood it; how it was planned by the engineer; how it was implemented by the technicians; how the consultant interpreted it; how it was documented; how it was eventually built; what was charged to the client; what was subject of the service agreement; what the client really wanted.
Hazard Identification
All hazards have to be identified comprehensively and systematically ...

Operation hazards • e.g. „classical“ EHS-hazards, loss of production, ...

Network hazards • e.g. failure of utilities, supplies, transportation ...

Environmental hazards • e.g. natural hazards, adjacent plants and traffic ways, ...

Environmental vulnerability • e.g. densely populated areas/buildings, natural reserves, ...

Terrorist threats • e.g. plant vulnerability, neighbourhood/environment sensitivity, company image, ...

... by e.g. “What if”, checklists, HAZOP, FMEA etc.
Risk Assessment
Risk is a combination of hazard Severity and Likelihood or frequency, often
expressed as R=f(S,L)

• Severity may be determined by
 Gas dispersion in combination with criteria for human effects such as ERPGs (Emergency Response Planning Guidelines) and AEGLs (Acute Exposure Guideline Levels)
 Explosion overpressure and fire radiation effects using tools such as the TNO methodology and FLACS
• Likelihood may be estimated by
 expert opinion/experience
 databases for failure frequencies
 (semi-) quantitative assessments (risk graph, fault or event trees etc.)
• Assessment of safety barriers and mitigation (e.g. “bow tie” diagram, Layer of Protection Analysis = LOPA)
‘Bow Tie’ Diagram
Diagram (not reproduced): initiating events 1 to 4 on the left pass through prevention layers (LOPs / LODs, e.g. 1a, 1b, 1c; 2a; 3a, 3b, 3c; 4a) to the central Release event; on the right, mitigation layers M1 and M2 lead either to No consequence or to Consequences A, B and C.
The LOPA “Onion”

From the outside in:
• Community Emergency Response
• Plant Emergency Response
• Physical Protection e.g. Relief Devices
• Safety Instrumented System preventative action
• Critical Alarms and Operator intervention
• Basic Process Control System, Operating Discipline / Supervision
• Plant Design integrity
Layers of Protection Analysis (LOPA)

Diagram of the layers (outermost first): Community Emergency Response; Plant Emergency Response (emergency scenario training, fire protection), forming the Mitigation System; the Prevention System of PSV’s, SIS, RBI, BPCS, process alarms and operations supervision; Process Design; and the Process itself. “Operating vs Design Verification” is noted against the process design layer.
Protection Layer Concept

Event-tree sketch of the concept:

Initiating event, estimated frequency fi = x
IPL 1, PFD 1 = y1: success → Safe Outcome; failure → frequency f1 = x * y1
IPL 2, PFD 2 = y2: success → Safe Outcome; failure → frequency f2 = x * y1 * y2
IPL 3, PFD 3 = y3: success → Safe Outcome; failure → Impact Event occurs, Impact Event frequency f3 = x * y1 * y2 * y3

Key:
The arrow represents the severity and frequency of the Impact Event if later IPLs are not successful.
IPL - Independent Protection Layer
PFD - Probability of Failure on Demand
f - frequency, /yr
LOPA criteria -1-

Initiating events
• Control system failures
• Human error
• Piping and equipment failures
• Interruption of utilities (e.g. Cooling)
Enabling Events/conditions
• e.g. proportion of time when hazard may be present
Independent layers of protection
• Basic Process Control System (possibly)
• Alarm and operator response
• Relief systems
• Safety Instrumented Systems
• Other qualifying Safety Related Protection Systems
• Need to be independent, effective, tested, audited
LOPA criteria -2-

Conditional Modifiers
• Weather conditions
• Probability of ignition
• Probability of ignition leading to explosion
• Probability that person(s) will be exposed
• Probability that an exposed person will suffer a particular harm
• May be difficult to justify and evaluate

Mitigation (right hand side of bow tie)


• Fire protection
• Emergency Response
• Water curtains
• Secondary and tertiary containment
• etc
‘Tolerable’ frequencies for events

• What risk can we tolerate?
– Frequency for an event of a given severity (injury, environmental insult etc.)
• Users need to specify but aim to meet or exceed (do better than) regulator requirements
• The chosen tolerability becomes the target for risk management, sometimes called ‘Risk Governance’ for the company (usually Individual or Societal Risk)
• Data and guidance available for injury/fatality and environmental effects
Tolerability Data (Fatalities) (Buncefield LOPA Guidance Dec 2009, final report from U.K. HSE)

Likelihood of ‘n’ fatalities from a tank explosion per tank per year | n = 1 | n = 2-10 | n = 11-50
10^-4/yr - 10^-5/yr | Tolerable if ALARP | Tolerable if ALARP | Tolerable if ALARP
10^-5/yr - 10^-6/yr | Broadly acceptable | Tolerable if ALARP | Tolerable if ALARP
10^-6/yr - 10^-7/yr | Broadly acceptable | Broadly acceptable | Tolerable if ALARP
10^-7/yr - 10^-8/yr | Broadly acceptable | Broadly acceptable | Broadly acceptable

ALARP = As Low as Reasonably Practicable
Example Risk Evaluation Criteria

F-N plot (not reproduced): Frequency of N or more Serious Injuries on the vertical axis (1.E-02 down to 1.E-12 per year) against (N) Number of Potential Fatalities on the horizontal axis (1 to 10,000), with two criterion lines: Government or Corporate Evaluation Criteria (upper) and Business Evaluation Criteria (lower).
Categories for Environmental Risk (U.K. Environment Agency)

Category and definitions:

6 Catastrophic
• Major airborne release with serious offsite effects
• Site shutdown
• Serious contamination of groundwater or watercourse with extensive loss of aquatic life

5 Major
• Evacuation of local populace
• Temporary disabling and hospitalisation
• Serious toxic effect on beneficial or protected species
• Widespread but not persistent damage to land
• Significant fish kill over 5 mile range

4 Severe
• Hospital treatment required
• Public warning and off-site emergency plan invoked
• Hazardous substance releases into water course with ½ mile effect

3 Significant
• Severe and sustained nuisance, e.g. strong offensive odours or noise disturbance
• Major breach of Permitted emissions limits with possibility of prosecution
• Numerous public complaints

2 Noticeable
• Noticeable nuisance off-site e.g. discernible odours
• Minor breach of Permitted emission limits, but no environmental harm
• One or two complaints from the public

1 Minor
• Nuisance on site only (no off-site effects)
• No outside complaint

Heading and introduction from Section 3.7 in “IPPC H1: Integrated Pollution Prevention and Control (IPPC) and Environmental Assessment and Appraisal of BAT”, Version 6 July 20
Typical Environmental Tolerability Criteria

Category | Acceptable if frequency less than | Acceptable if Reduced as Reasonably Practical and frequency between | Unacceptable if frequency above
6 Catastrophic | 10^-6 per year | 10^-4 to 10^-6 per year | 10^-4 per year
5 Major | 10^-6 per year | 10^-4 to 10^-6 per year | 10^-4 per year
4 Severe | 10^-6 per year | 10^-2 to 10^-6 per year | 10^-2 per year
3 Significant | 10^-4 per year | 10^-1 to 10^-4 per year | 10^-1 per year
2 Noticeable | 10^-2 per year | ~10^+1 to 10^-2 per year | ~10^+1 per year
1 Minor | All shown as acceptable | - | -
Example for Risk Calculation

TOLERATED EVENT FREQUENCY (target), single fatality (e.g.): 10^-5 per year
INITIATING EVENT FREQUENCY: control system loop fails: 10^-1 per year
PROBABILITY OF IGNITION (e.g.): quantity, site factors: 10^-1
PROBABILITY OF EXPOSURE: 100%: 10^0
INDEPENDENT LAYER OF PROTECTION 1, PROBABILITY OF FAILURE ON DEMAND: Basic Process Control System: 10^-1
INDEPENDENT LAYER OF PROTECTION 2, PROBABILITY OF FAILURE ON DEMAND: Safety Instrumented System: <10^-2
Land Use Planning example from Netherlands

Societal risk F-N diagram (not reproduced): frequency in 1/a from 10^-3 down to 10^-11 against number of fatalities from 1 to 100; the region above the criterion line is marked “Societal Risk not acceptable”, the region below “Societal Risk acceptable”. Source: http://www.sfk-taa.de/publikationen/andere/DNV_14102005.pdf
- Individual Risk (fatality) 10^-6 1/a
- In addition Societal Risk as criterion
- Definition of thresholds for overpressure, heat radiation and toxicity
Risk Assessment has to be adapted to the needs

LEVEL 1: PROCESS HAZARDS ANALYSIS
Should be done by plant based people. They then have a better understanding of the risks and possibly how they may be reduced.

LEVEL 2: RISK REVIEW
Specialist help from e.g. Process Engineering or Process Safety function at site – should include plant based people in the team.

LEVEL 3: ENHANCED RISK REVIEW
Specialist help from e.g. Process Engineering or Process Safety function within Corporate – should include site and plant based people in the team.

LEVEL 4: QUANTITATIVE RISK ASSESSMENT (QRA)
Specialist help from external expertise. Owner needs to define scope and data, and critique outcome.
Measuring Process Safety Performance:
Process Safety Indicators (PSI) reporting levels

Lagging Indicators
• Tier 1: Large loss of primary containment (LOPC) event – LOPC Events of Greater Consequence
• Tier 2: Small loss of primary containment event – LOPC Events of Lesser Consequence

Leading Indicators
• Tier 3: Challenges to the safety system – Challenges to Safety Systems
• Tier 4: Operating discipline & management system – Operating Discipline & Management System Performance Indicators
Thresholds for Loss of Containment becoming a PSI

Substance classes (rows of the slide):
• GHS classified Health Hazards: Acute Toxic 1; Acute Toxic 2; all other
• Carcinogenic, Reproductive, Mutagenic categories 1
• STOT single exposure
• Not GHS classified substances
• Physical Hazards: All categories
• Environmental Hazards: All categories

Thresholds (8h rule applies): 5 kg, 100 kg, 2000 kg (recommended). The slide places each class in one of these three threshold columns, ordered from the most acutely toxic (5 kg) to the least (2000 kg).

Cefic (European Chemical Industry Council) suggestion based on GHS classification
GHS: Globally Harmonized System
PSI: Process Safety Incident
STOT: Specific Target Organ Toxicity
Management of Remaining Risks

Communicate remaining risks
• to staff (operating procedures, training, drills, …)
• to external stakeholders (customers, neighbours, authorities – but careful regarding security risks!)

Mitigate consequences
• Internal emergency planning (above all organisation, equipment, drills)
• Cooperation with external services (neighbouring plants, public services)

Important: ability to react fast!

The bigger a corporation, the higher the expectations even for small sites.
Crisis Management Systems: can the unpredictable be planned?

Define as much as possible in advance, because ...

• ... crises always happen at the wrong time and place

• ... your regular organisation is not sufficient to handle a crisis

• ... all resources of the whole company have to be available in due time

• ... public, media and authorities expect professional handling of a crisis, too
Emergency Preparedness

Accidents may happen even in the most modern plants. They cannot be planned, but they should be considered.
• Cover all relevant scenarios in the emergency plan
• Assign responsibilities rather than regulating details
• The emergency organisation is different from the normal organisation, but has
to be empowered to use it
• Adjust the emergency organisation to the dimension of the incident (e.g. “blue,
yellow, red alert”)
• Clearly document all available resources (site, company, neighbouring sites,
authorities, ...) for the different scenarios. Ensure that they can be used in
emergencies (e.g. co-operative agreements)
• Train your people and run exercises
• Before you rely on off-site resources, consider the time until availability
• Industrial zones with many companies close together need special attention
(“domino-effects”)

Mock Drills

Major incidents hopefully become less frequent. This makes drills even more important ...

• ... to train seldom used procedures

• ... to reduce mental stress during incidents

• ... to optimise emergency and crisis management

• ... to make sure that necessary resources are available

• … to de-brief after exercise, act on results

Emergency Response

The basic principle: the faster and more effective the initial response, the
smaller the consequences for men, environment and economy.
• Provide the infrastructure for fast response (fire brigade, emergency control
room, availability of key personnel, etc.)

• Encourage immediate reporting of incidents (not to wait until own efforts failed ...), do not blame for false alarms
• If the fire brigade is (partly) staffed by operators be aware of the risks of
understaffed production

• Better start with a higher level of alarm (worst case assumption) and grade it
down later than vice versa

• Notify and involve public fire brigades and authorities as soon as possible

• Analyse every incident and the response to improve the emergency organisation without blaming anyone
Emergency Response Workflow

incident → emergency call / fire alarm system → dispatch of task forces

Crisis Management: Operational Structure

Scene of Incident: Emergency Manager; Fire Brigade (site); Environmental control; Site Security; Plant Manager; Occupational Physician; Public Fire Brigade; Police.

Site Incident Manager: Emergency Manager 3-5; Emergency Manager 2; Fire Brigade (site); Occupational Physician; Environmental Protection; Site Security; Plant Safety.

Emergency Response Committee: Documentation; Secretary; Company Representative (company affected by incident); Communications; Toxicology; Additional Experts; Public Fire Brigade; Police.

ACHIEVING ACCEPTABLE RISK
Level of Protection Analysis
• HAZARD IDENTIFICATION
1. Check lists
2. Dow Relative Ranking
3. HAZOP - Hazard and Operability

• LAYER OF PROTECTION ANALYSIS (more semi-quantitative analysis, to give an order-of-magnitude accurate estimate)
1. Express risk target quantitatively
2. Determine risk for system
3. Reduce risk to meet target

• HAZARD ASSESSMENT
- Fault Tree
- Event Tree
- Consequence analysis
- Human Error Analysis

• ACTIONS TO ELIMINATE OR MITIGATE
- Apply all engineering sciences

We will use our group skills and knowledge of safety layers in applications.
Safety Layer of Protection Analysis
1. Express risk target quantitatively

• FAR: Fatal Accident Rate - This is the number of fatalities occurring during 1000 working lifetimes (10^8 hours). This is used in the U.K.

• Fatality Rate = FAR * (hours worked) / 10^8

• OSHA Incidence Rate - This is the number of illnesses and injuries for 100 work-years. This is used in the USA.
Safety Layer of Protection Analysis
1. Express risk target quantitatively
FAR Data for typical Activities

Activity | FAR
Chemical Industry | 4
Steel Industry | 8
Coal Mining | 40
Construction | 67
Uranium | 70
Asbestos (old data?) | 620
Staying home | 3
Traveling by automobile | 57
Traveling by airplane | 240
Cigarette smoking | ???

What is FAR for cigarette smoking?
What is the fatality rate/year for the chemical industry?
Safety Layer of Protection Analysis
1. Express risk target quantitatively

• One standard used is to maintain the risk for involuntary activities less (much less?) than typical risks such as “staying home”
- Results in rules, such as fatality rate < 10^-6/year
- See Wells (1996) Table 9.4
- Remember that many risks exist (total risk is sum)

• Are current risks accepted or merely tolerated?

• We must consider the inaccuracies of the estimates
• We must consider people outside of the manufacturing site.
Safety Layer of Protection Analysis
1. Express risk target quantitatively

• People usually distinguish between voluntary and involuntary risk. They often accept higher risk for voluntary activities (rock climbing).
• People consider the number of fatalities per accident
Fatalities = (frequency) (fatalities/accident)
.001 = (.001) (1) fatalities/time period
.001 = (.0000001)(100,000) fatalities/time period

We need to consider frequency and consequence
Safety Layer of Protection Analysis
1. Express risk target quantitatively
The decision can be presented in an F-N plot similar to the one below. (The coordinate values here are not “standard”; they must be selected by the professional.)

F-N plot (not reproduced): Probability or Frequency, F (events/year) on the vertical axis from 1.00E-09 to 1.00E-07; Deaths per event, N on the horizontal axis from 1 to 100; the region above the criterion line is labelled “Unacceptable risk”, the region below “Acceptable risk”.

The design must be enhanced to reduce the likelihood of death (or serious damage) and/or to mitigate the effects.
Safety Layer of Protection Analysis
2. Determine the risk for system

• In Level of Protection Analysis (LOPA), we assume that the probability of each element in the system functioning (or failing) is independent of all other elements.
• We consider the probability of the initiating event (root cause) occurring
• We consider the probability that every independent protection layer (IPL) will prevent the cause or satisfactorily mitigate the effect
Safety Layer of Protection Analysis
2. Determine the risk for system

Event-tree sketch (not reproduced): the initiating event, probability X, meets IPL 1, IPL 2, IPL 3, … IPL n in turn. Each IPL either functions, giving a Safe/tolerable outcome, or fails on demand, in which case the demand passes to the next IPL; failure of IPL n gives the Unsafe outcome.
X is the probability of the initiating event.
Yi is the probability of unsafe failure on demand (PFD) for each IPL.

Safety Layer of Protection Analysis
2. Determine the risk for system

Recall that the events are considered independent.

The probability that the unsafe consequence will occur is the product of the individual probabilities:

P_consequence = (X) (∏_{i=1}^{n} Y_i) = (X)(Y1)(Y2)…(Yn)
Safety Layer of Protection Analysis
2. Determine the risk for system

• How do we determine the initiating events? → HAZOP
• How do we determine the probability of the initiating event, X? → Company, industry experience
• How do we determine the probability that each IPL will function successfully? → Company, industry experience
• How do we determine the target level for the system? → F-N plot, depends on consequence
Safety Layer of Protection Analysis
2. Determine the risk for system

Some typical protection layer Probability of Failure on Demand (PFD)
• BPCS control loop = 0.10
• Operator response to alarm = 0.10
• Relief safety valve = 0.001
• Vessel failure at maximum design pressure = 10^-4 or better (lower)

Source: A. Frederickson, Layer of Protection Analysis, www.safetyusersgroup.com, May 2006


Safety Layer of Protection Analysis
2. Determine the risk for system

Often, credit is taken for good design and maintenance procedures.
• Proper materials of construction (reduce corrosion)
• Proper equipment specification (pumps, etc.)
• Good maintenance (monitor for corrosion, test
safety systems periodically, train personnel on
proper responses, etc.)

A typical value is PFD = 0.10


Safety Layer of Protection Analysis
3. Reduce the risk to achieve the target

The general approach is to
• Set the target frequency for an event leading to an unsafe situation (based on F-N plot)
• Calculate the frequency for a proposed design
• If the frequency for the design is too high, reduce it
- The first approach is often to introduce or enhance the safety interlock system (SIS)
• Continue with improvements until the target frequency has been achieved
Safety Layer of Protection Analysis
Process examples

The Layer of Protection Analysis (LOPA) is performed using a standard table for data entry. Its columns are:

# (row number)
1 Initial Event Description
2 Initiating cause
3 Cause likelihood
4 Process design (Protection Layers: columns 4 to 8)
5 BPCS
6 Alarm
7 SIS
8 Additional mitigation (safety valves, dykes, restricted access, etc.)
9 Mitigated event likelihood
10 Notes

Likelihood (column 3) = X; probability of failure on demand (columns 4 to 8) = Yi

Mitigated likelihood (column 9) = (X)(Y1)(Y2) … (Yn)
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Flash drum for “rough” component separation for this proposed design.

Process sketch (not reproduced): a feed of methane, ethane (light key, LK), propane, butane and pentane is heated with process fluid and steam under split range control and flashed in a drum. Tags shown: temperature measurements T1, T2, T3, T5; flows F2, F3; split range temperature controller TC-6 in cascade; drum pressure controller PC-1 on the vapor product with high pressure alarm PAH; level controller LC-1 with alarms LAL and LAH; flow controller FC-1 and analyzer controller AC-1 (light key) on the liquid product.
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Flash drum for “rough” component separation. Complete the table with your best estimates of values.

Row 1 of the LOPA table:
# 1
Initial Event Description: High pressure
Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
Cause likelihood, Process design, BPCS, Alarm, SIS, Additional mitigation, Mitigated event likelihood: to be estimated
Notes: Pressure sensor does not measure the drum pressure

Assume that the target mitigated likelihood = 10^-5 event/year
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Some observations about the design.

• The drum pressure controller uses only one sensor; when it fails, the pressure is not controlled.
• The same sensor is used for control and alarming. Therefore, the alarm provides no additional protection for this initiating cause.
• No safety valve is provided (which is a serious design flaw).
• No SIS is provided for the system. (No SIS would be provided for a typical design.)
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Solution using initial design and typical published values.

Row 1 of the LOPA table:
# 1
Initial Event Description: High pressure
Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
Cause likelihood: 0.10
Process design: 0.10
BPCS: 1.0
Alarm: 1.0
SIS: 1.0
Additional mitigation: 1.0
Mitigated event likelihood: .01
Notes: Pressure sensor does not measure the drum pressure

Much too high! We must make improvements to the design.
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Solution using enhanced design and typical published values.

Row 1 of the LOPA table:
# 1
Initial Event Description: High pressure
Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
Cause likelihood: 0.10
Process design: 0.10
BPCS: 1.0
Alarm: 0.10
SIS: 1.0
Additional mitigation: PRV 0.01
Mitigated event likelihood: .00001
Notes: Pressure sensor does not measure the drum pressure. The PRV must exhaust to a separation (knock-out) drum and fuel or flare system.

Enhanced design includes a separate P sensor for the alarm and a pressure relief valve. The enhanced design achieves the target mitigated likelihood.
Sketch on process drawing. Verify table entries.
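The product rule behind the Protection Layer Concept (f = x * y1 * y2 * …), the P_consequence equation and the standard LOPA table can be checked in a few lines. The following is an added example, not code from the slides: it encodes the two Class Exercise 1 rows with the slide's typical published values (BPCS 0.10, alarm 0.10, PRV 0.01, target 10^-5 event/year) and uses exact fractions so that the comparison with the target does not depend on binary float rounding (in floats, 0.1 * 0.1 * 0.1 * 0.01 lands a hair above 10^-5). The class and function names are the example's own.

```python
"""LOPA standard-table arithmetic, worked for Class Exercise 1.

Added example, not code from the original slides. Column names follow the
slide's table; PFD values are the slide's typical published values.
"""
from dataclasses import dataclass
from fractions import Fraction
from math import prod
from typing import Dict, Union

Number = Union[int, float, str, Fraction]


def frac(v: Number) -> Fraction:
    """Exact decimal arithmetic, so 0.1 * 0.1 * 0.01 compares equal to the
    10^-5 target instead of landing a rounding error above it."""
    return Fraction(str(v)) if isinstance(v, float) else Fraction(v)


@dataclass
class LopaRow:
    """One row of the standard LOPA table (columns 1 to 10 of the slide)."""
    event: str                      # Initial Event Description
    initiating_cause: str
    cause_likelihood: Number        # X, events per year
    layers: Dict[str, Number]       # Protection layer -> PFD Yi; 1 = no credit
    target: Number                  # tolerated mitigated likelihood, per year
    notes: str = ""

    def __post_init__(self) -> None:
        self.cause_likelihood = frac(self.cause_likelihood)
        self.layers = {name: frac(pfd) for name, pfd in self.layers.items()}
        self.target = frac(self.target)

    def mitigated_likelihood(self) -> Fraction:
        """Slide: mitigated likelihood = (X)(Y1)(Y2)...(Yn). The IPLs are
        assumed independent, which is what makes the product valid."""
        return self.cause_likelihood * prod(self.layers.values(), start=Fraction(1))

    def meets_target(self) -> bool:
        return self.mitigated_likelihood() <= self.target

    def shortfall(self) -> Fraction:
        """Factor by which the row still exceeds the target (<= 1 means met)."""
        return self.mitigated_likelihood() / self.target


TARGET = "0.00001"   # 10^-5 event/year, as assumed in the exercise


def exercise1_initial() -> LopaRow:
    """Initial design: one sensor shared by PC-1 and the alarm, no PRV, no SIS."""
    return LopaRow(
        event="High pressure",
        initiating_cause="Connection (tap) for pressure sensor P1 becomes plugged",
        cause_likelihood="0.10",
        layers={
            "Process design": "0.10",
            "BPCS": 1,                   # the plugged tap is the BPCS sensor: no credit
            "Alarm": 1,                  # same sensor feeds the alarm: no credit
            "SIS": 1,                    # none provided
            "Additional mitigation": 1,  # no safety valve
        },
        target=TARGET,
        notes="Pressure sensor does not measure the drum pressure",
    )


def exercise1_enhanced() -> LopaRow:
    """Enhanced design: separate sensor P-2 for the alarm, plus a PRV."""
    row = exercise1_initial()
    row.layers["Alarm"] = frac("0.10")                  # independent sensor, typical PFD
    row.layers["Additional mitigation"] = frac("0.01")  # PRV, as credited on the slide
    return row


def format_row(row: LopaRow) -> str:
    """Render the numeric columns the way the slide's table shows them."""
    cells = [row.event, f"{float(row.cause_likelihood):g}"]
    cells += [f"{float(pfd):g}" for pfd in row.layers.values()]
    cells.append(f"{float(row.mitigated_likelihood()):.0e}")
    verdict = "meets target" if row.meets_target() else f"{float(row.shortfall()):g}x above target"
    return " | ".join(cells) + " | " + verdict


if __name__ == "__main__":
    for row in (exercise1_initial(), exercise1_enhanced()):
        print(format_row(row))
```

The shortfall of the initial design (a factor of 1000) is the number a reviewer would quote when arguing for the enhanced design, and the `layers` dictionary makes the "no credit = 1.0" convention explicit for each layer.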
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Solution.

Process sketch of the solution (not reproduced): the flash drum of the original design with a second pressure sensor P-2 added for the high pressure alarm PAH, separate from the sensor used by PC-1. The other tags are those of the original drawing (split range TC-6 in cascade, PC-1, LC-1 with LAL/LAH, FC-1, AC-1 on the L. Key, T1, T2, T3, T5, F2, F3).
Safety Layer of Protection Analysis
Process examples
Class Exercise 1: Each IPL must be independent.

For the solution in the LOPA table and process sketch, describe some situations (equipment faults) in which the independent layers of protection are
- Independent
- Dependent
Hints: Consider faults such as power supply, signal transmission, computing, and actuation.
For each situation in which the IPLs are dependent, suggest a design improvement that would remove the common cause fault, so that the LOPA analysis in the table would be correct.
Safety Layer of Protection Analysis
Approaches to reducing risk

• The most common are BPCS, Alarms and Pressure relief. They are typically provided in the base design.
• The next most common is SIS, which requires careful design and continuing maintenance
• The probability of failure on demand for an SIS depends on its design. Duplicated equipment (e.g., sensors, valves, transmission lines) can improve the performance
• A very reliable method is to design an “inherently safe” process, but these concepts should be applied in the base case
Safety Layer of Protection Analysis
Approaches to reducing risk

• The safety interlock system (SIS) must use independent sensor, calculation, and final element to be independent!
• We desire an SIS that functions when a fault has occurred and does not function when the fault has not occurred.
• SIS performance improves with the use of redundant elements; however, the systems become complex, requiring high capital cost and extensive ongoing maintenance.
• Use LOPA to determine the required PFD; then, design the SIS to achieve the required PFD.
Safety Layer of Protection Analysis
Approaches to reducing risk
Performance for the four SIL levels for a safety interlock system (SIS)

Safety Integrity Level (SIL) | Probability of Failure on Demand
SIL-1 | 0.10 to 0.001
SIL-2 | 0.01 to 0.001
SIL-3 | 0.001 to 0.0001
SIL-4 | Less than 0.0001
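Working the loop in the direction the previous slide advises, use LOPA to find the PFD the SIS must achieve, then pick the SIL. This is an added example, not code from the slides. Its input numbers are the slide's Example for Risk Calculation (target 10^-5/yr, control loop failure 10^-1/yr, probability of ignition 10^-1, probability of exposure 1, BPCS PFD 10^-1). The SIL bands used are the IEC 61508 low-demand bands, in which a SIL n function is guaranteed PFD < 10^-n; the SIL table above shows the same bands except that its SIL-1 row reads 0.10 to 0.001. Function names are the example's own.

```python
"""Required SIS PFD from a LOPA target, and the SIL that guarantees it.

Added example, not part of the original slides. Input values are the slide's
"Example for Risk Calculation"; everything else is constructed.
"""
from fractions import Fraction
from math import prod
from typing import Iterable, Optional, Tuple, Union

Number = Union[int, float, str, Fraction]


def frac(v: Number) -> Fraction:
    """Exact decimal arithmetic: LOPA entries and SIL boundaries are powers
    of ten, so a boundary test must not hinge on float rounding
    (1e-5 / (0.1 * 0.1 * 0.1) is not exactly 0.01 in binary floats)."""
    return Fraction(str(v)) if isinstance(v, float) else Fraction(v)


# IEC 61508 low-demand bands: a SIL n safety function is guaranteed PFD < 10^-n
SIL_UPPER_BOUNDS = [(sil, Fraction(1, 10 ** sil)) for sil in (1, 2, 3, 4)]


def required_sis_pfd(target: Number, initiating_frequency: Number,
                     other_factors: Iterable[Number]) -> Fraction:
    """Largest SIS PFD that still meets the target.

    other_factors holds every other multiplier in the LOPA row: conditional
    modifiers (ignition, exposure) and the PFDs of the other IPLs. A result
    of 1 or more means the target is met without an SIS at all."""
    unmitigated = frac(initiating_frequency) * prod(map(frac, other_factors), start=Fraction(1))
    return frac(target) / unmitigated


def sil_for_required_pfd(required: Fraction) -> Optional[int]:
    """Lowest SIL whose guaranteed upper bound does not exceed the required
    PFD, i.e. the cheapest SIL that cannot miss the target.

    Returns 0 when no SIS is needed and None when even a SIL 4 function is
    not enough on its own (add other IPLs or reduce the initiating frequency)."""
    if required >= 1:
        return 0
    for sil, upper_bound in SIL_UPPER_BOUNDS:
        if upper_bound <= required:
            return sil
    return None


def slide_example() -> Tuple[Fraction, Optional[int]]:
    """The slide's worked numbers: target 1e-5/yr, loop failure 1e-1/yr,
    ignition 1e-1, exposure 1 (100 %), BPCS PFD 1e-1."""
    required = required_sis_pfd(target="0.00001", initiating_frequency="0.1",
                                other_factors=["0.1", 1, "0.1"])
    return required, sil_for_required_pfd(required)


if __name__ == "__main__":
    required, sil = slide_example()
    print(f"SIS must achieve PFD <= {required} ({float(required):.0e}); specify SIL {sil}")
```

For the slide's numbers the SIS must achieve a PFD of 10^-2 or better, which is a SIL 2 function, in agreement with the "<10^-2" entry in the Example for Risk Calculation. Note the conservative rounding: a required PFD of 2 x 10^-3 calls for SIL 3, because a SIL 2 function is only guaranteed to be better than 10^-2.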


Safety Layer of Protection Analysis
Approaches to reducing risk
Two common designs for a safety interlock system (SIS)

Design | False shutdown | Failure on demand
1 out of 1: T100 must indicate failure | 5 x 10^-3 | 5 x 10^-3
2 out of 3: T100, T101, T102 (two of the three must indicate failure) | 2.5 x 10^-6 | 2.5 x 10^-6

The 2 out of 3 design gives better performance but is more expensive.
Same variable, multiple sensors!
Safety Layer of Protection Analysis
Process examples
Class Exercise 2: Fired heater to increase stream’s temperature.
Process sketch (not reproduced): a fired heater with feed inlet, air and fuel gas supply and a flue gas outlet. Tags shown: pressure controller PIC-1 with transmitter PT-1; pressure indicators PI-1 to PI-6; flow transmitters FT-1 and FT-2; flow indicator FI-3; analyzer transmitter AT-1; temperature indicators TI-1 to TI-11.
Safety Layer of Protection Analysis
Process examples
Class Exercise 2: Fired heater to increase stream’s temperature.

Row 1 of the LOPA table (to be completed):
# 1
Initial Event Description: Combustibles in stack, fire or explosion
Initiating cause: Limited air supply because air blower reaches maximum power
Cause likelihood, Process design, BPCS, Alarm, SIS, Additional mitigation, Mitigated event likelihood: to be estimated
Notes: All equipment is functioning properly in this scenario. The feed rate is very high, beyond its design value.
Safety Layer of Protection Analysis

References

Dowell, A. and D. Hendershot, Simplified Risk Analysis - Layer of Protection Analysis, AIChE National Meeting, Indianapolis, Paper 281a, Nov. 3-8, 2002.

Dowell, A. and T. Williams, Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data, Process Safety Progress, 24, 1, 38-44 (March 2005).

Frederickson, A., Layer of Protection Analysis, www.safetyusersgroup.com, May 2006.

Gulland, W., Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons, http://www.chemicalprocessing.com/whitepapers/2005/006.html

Haight, J. and V. Kecojevic, Automation vs. Human Intervention: What is the Best Fit for the Best Performance?, Process Safety Progress, 24, 1, 45-51 (March 2005).

Melhem, G. and P. Stickles, How Much Safety is Enough, Hydrocarbon Processing, 1999.

Wiegernick, J., Introduction to the Risk-Based Design of Safety Instrumented Systems for the Process Industries, Seventh International Conference on Control, Automation, Robotics and Vision, Singapore, Dec. 2002.