134
8.4. CONTROL SYSTEM DESIGN
8.4.1 Control System Design
The operation of the plant according to specified condi-
tions is an important aspect of loss prevention. This is
very largely a matter of keeping the system under control
and preventing deviations. The control system, which
includes both the process instrumentation and the process
operator, therefore has a crucial role to play.
Traditionally, control systems have tended to grow by a
process of accretion as further functions are added. One
of the thrusts of current work is to move toward a more
systematic design approach in which there is a more for-
mal statement of the control objectives, hierarchy, sys-
tems, and subsystems. Once the objectives have been
defined, the functions of the systems and subsystems can
be specified.
It is convenient to distinguish several broad categories
of function that the control system has to perform: these
are (1) information collection, (2) normal control, and
(3) fault administration. A control system is usually also
an information collection system. In addition to that
required for immediate control of the process, other infor-
mation is collected and transmitted. Much of this is used
in the longer term control of the process. Another cate-
gory which is somewhat distinct from normal control is
the administration of fault conditions which represent dis-
turbances more severe than the control loops can handle.
8.4.2 Process Characteristics
The control system required depends very much on the
process characteristics (Edwards and Lees, 1973).
Important characteristics include those relating to the
disturbances and the feedback and sequential features.
A review of the process characteristics under these head-
ings assists in understanding the nature of the control
problem in a particular process and of the control system
required to handle it.
Processes are subject to disturbances due to unavoid-
able fluctuations and management decisions. The distur-
bances include:(1) raw materials quality and availability,
(2) services quality and availability, (3) product quality
and throughput, (4) plant equipment availability, (5) envi-
ronmental conditions, and due to (6) links with other
plants, (7) drifting and decaying factors, (8) process mate-
rials behavior, (9) plant equipment malfunction, (10) con-
trol system malfunction.
Some process characteristics which tend to make feed-
back control more difficult include: (1) measurement pro-
blems, (2) instability, (3) very short time constants, (4)
very long time constants, (5) recycle, (6) non-linearity,
(7) inherent limit cycles, (8) dead time, (9) strong
Lees Process Safety Essentials
interactions, (10) high sensitivity, (11) high penalties,
(12) parameter changes, (13) constraint changes.
The sequential control characteristics of a process
include: (1) plant start-up, (2) plant shut-down, (3) batch
operation, (4) equipment changeover, (5) product quality
changes, (6) product throughput changes, (7) equipment
availability changes, (8) mechanical handling operations.
Some other process characteristics which may be
significant include requirements for: (1) monitoring,
(2) feedforward control, (3) optimization, (4) scheduling,
(5) process investigation, (6) plant commissioning.
8.4.3 Control System Characteristics
The characteristics of process control systems have
passed through three broad phases: (1) manual control,
(2) analogue control, and (3) computer control (covering
all forms of programmable electronic system). However,
such a classification can be misleading because it does
not bring out the importance of measuring instrumenta-
tion and displays, because neither analogue nor computer
control is homogeneous stage, and because it says very
little about the quality of control engineering and reliabil-
ity engineering and the human factors involved.
The sophistication of the measuring instrumentation
greatly affects the nature of the control system even at the
manual control stage. This covers instruments for measur-
ing the whole range of chemical and physical properties.
The displays provided can also vary widely.
The stage of analogue control implies the use of
simple analogue controllers but may also involve the
use of other special purpose equipment. Most of this
equipment serves to facilitate one of the following
functions: (1) measurement, (2) information reduction,
and (3) sequential control.
Another crucial distinction is in the provision of pro-
tective or trip systems. In some cases, the safety shut-
down function is assigned primarily to automatic systems;
in others it is left to the operator. Similarly, computer
control is not a homogeneous stage of development. In
some early systems, the function of the computer was
limited to the execution of Direct Digital Control (DDC).
The real control of the plant was then carried out by the
operator with the computer as a rather powerful tool at
his disposal. In other systems, the computer had a com-
plex supervisory program which took most of the control
decisions and altered the control loop set points, leaving
the operator a largely monitoring function. The two types
of system are very different.
The quality of the theoretical control engineering is
another factor which distinguishes a system and largely
determines its effectiveness in coping with problems such
as throughput changes, dead time, and loop interactions.
Chapter | 8 Process Design 135

Equally important is reliability engineering. Unless vs dedicated system problem is the choice between a
good reliability is achieved nominally automated func- computer-based and a hardwired trip system.
tions will be degraded so that they have to be done manu-
ally or not at all. Control loops on manual setting are the
typical result.
8.4.5 Control of Batch Processes
The control of batch processes involves a considerable
technology over and above that required for the control of
8.4.4 Instrument System Design continuous processes. Batch processes constitute a large
proportion of those in the process industries. Many batch
The design of process instrument systems, like most kinds
plants are multi-purpose and can make multiple products.
of design, is largely based on previous practice. The con-
Their outstanding characteristic is their flexibility. They
trol panel instrumentation and the control systems on par-
differ from continuous plants in that: the operations are
ticular operations tend to become fairly standardized.
sequential rather than continuous; the environment in
Some points should be taken into account like:
which they operate is often subject to major variability;
1. Some design principles: There are some basic princi- and the intervention of the operator is to a much greater
ples which are important for control and instrument extent part of their normal operation rather than a
systems on hazardous processes. It is also necessary to response to abnormal conditions.
pay careful attention to the details of the individual
1. Models of batch processing: There are a number of
instruments used.
models which have been developed to represent batch
2. Instrument distribution: A feel for the distribution of
processing. Three described by Fisher (1990) are (a)
types of instrument on a process plant is given by
the recipe model, which centers on the recipe required
Tayler (1987).
to make a particular product, and its elements are the
3. Instrument accuracy: Most process plant instrumenta-
procedures, the formula, the equipment requirements,
tion is quite accurate provided they are working prop-
and the header; (b) the procedure model, which has
erly. Information on the expected error limits of
the form: Procedure-Operation-Phase-Control
commercially available instrumentation has been
step; (c) the unit model, which is equipment-oriented
given by Andrew and Williams (1980), who list limits
and has the form: Unit-Equipment module-Device/
for over 100 generic types of instrument.
loop-Element.
4. Instrument signal transmission: Pneumatic instrument
2. Representation of sequential operations: The control
signals are transmitted by tubing, but several means
of a batch process is a form of sequential control.
are available for the transmission of electrical signals.
Various methods are available for the specification of
5. Instrument utilities: Instrument systems require high
sequences. They include (1) flowcharts, (2) sequential
quality and high reliability utilities. As far as quality
function charts, and (3) structured plain language.
is concerned, pneumatic systems require instrument
3. Structure of batch processing: The overall structure of
air which is free of dirt and oil. Many electronic
batch processing is commonly represented as a
instrument systems can operate from an electrical feed
hierarchy.
which does not constitute an Uninterruptible Power
4. Batch control systems: Batch processing may be con-
Supply (UPS).
trolled by the process operator, a system of single con-
6. Valve leak-tightness: In many situations on process
trollers or a Programmable Logic Control (PLC)
plants, the leak-tightness of a valve is of some impor-
system, a distributed Control Logic System (DCL) or
tance. The leak-tightness of valves is discussed by
a Centralized Control System (CCS). The selection of
Hutchison (1976) in the ISA Handbook of Control
the system architecture and hardware is discussed by
Valves.
Sawyer (1993).
7. Hazardous area compatibility: The instrument system,
including the links to the control computers, should be
compatible with the hazardous area classification. 8.4.6 Control of Particular Units
Hazardous area classification involves first zoning the
The safe operation of process units is critically dependent
plant and then installing in each zone instrumentation
on their control systems. Two particularly important fea-
with a degree of safeguarding appropriate to that zone.
tures of control in process plant are (1) compressor con-
8. Multi-functional vs dedicated systems: An aspect of
trol and (2) chemical reactor control. These are now
basic design philosophy which occurs repeatedly in dif-
considered in turn.
ferent guises is the choice which has to be made
between a multi-functional and a dedicated system. A 1. Compressor control: Centrifugal and axial compres-
particular but common example of the multi-functional sors are subject to the phenomenon of surging.
136
Surging occurs when flow through the compressor
falls to a critical value so that a momentary reversal of
flow occurs. This reversal of flow tends to lower the
discharge pressure and normal flow resumes. The
surge cycle is then repeated. Severe surging causes
violent mechanical shock and noise and can result in
complete destruction of parts of the compressor such
as the rotor blades.
2. Chemical reactor control: A continuous stirred tank
reactor is generally stable under open-loop conditions,
but in some cases, a reactor may be unstable under
open-loop but stable under closed-loop conditions.
Some polymerization reactors and some fluidized bed
reactors may be open-loop unstable under certain con-
ditions. The reactor should be designed so that it is
open-loop stable unless there is good reason to the
contrary. One method of achieving this is to use jacket
cooling with a large heat transfer area. Another is to
cool by vaporization of the liquid in the reactor. This
latter method gives a virtually isothermal reactor.
8.4.7 Computer Integrated Manufacturing
There is now a strong trend in the process industries to
integrate the business and plant control functions in a
total system of Computer Integrated Manufacturing
(CIM). The aim of CIM is essentially to obtain a flexible
and optimal response to changes in market demand, on
the one hand, and to plant capabilities on the other. It has
been common practice for many years for production
plans to be formulated and production schedules to be
produced by computer and for these schedules to be
passed down to the plant. In refineries, use of large sched-
uling programs is widespread. In addition to flexibility,
other benefits claimed are improved product quality,
higher throughputs, lower costs, and greater safety.
A characteristic feature of CIM is that information
also flows the other way, that is, up from the plant to the
planning function. This provides the latter with a continu-
ous flow of up-to-date information on the capability of
the plant so that the schedule can be modified to produce
the optimal solution. A CIM system may therefore carry
out not only the process control and quality control but
also scheduling, inventory control, customer order proces-
sing, and accounting functions.
The architecture of a CIM system is generally hierar-
chical and distributed. Treatments of such architecture are
given in Controlling Automated Manufacturing Systems
(OGrady, 1986) and by Dempster et al. (1981).
For such a system to be effective, it is necessary that
the data passing up from the plant be of high quality. The
system needs to have a full model of the plant, including
the mass and energy balances and the states and
Lees Process Safety Essentials
capabilities of the equipment. This involves various forms
of model-based control, which is of such prominence in
CIM that the two are sometimes treated as if they are
equivalent.
Plant data are corrupted by noise and errors of various
kinds, and in order to obtain a consistent data set, it is
necessary to perform data reconciliation. Methods based
on estimation theory and other techniques are used to
achieve this. Complete and Rigorous Model-Based
Reconciliation (CRMR) is therefore a feature of CIM.
One implication of CIM is that the plant is run under
much tighter control, which should be beneficial to
safety.
8.4.8 Instrument Failure
Process plants are dependent on complex control systems,
and instrument failures may have serious effects. It is
helpful to consider first the ways in which instruments
are used. Measuring instruments are taken to include digi-
tal as well as analogue outputs. Control elements are nor-
mally control valves but can include power cylinders,
motors, etc.
The important point is that some of these applications
constitute a more severe test of the instrumentation than
others. The accuracy of a flowmeter may be sufficient for
flow control, but it may not be good enough for an input
to a mass balance model in a computer. The dynamic
response of a thermocouple may be adequate for a panel
display, but it may be quite unacceptable in a trip system.
This leads directly, of course, to the question of the
definition of failure. It is sufficient here to emphasize that
the reliability of an instrument depends on the definition
of failure and may vary depending on the application.
8.4.9 Trip Systems
It is increasingly the practice in situations where a hazard-
ous condition may arise in the plant to provide some form
of automatic protective system. One of the principal types
of protective system is the trip system, which shuts down
the plant, or part of it, if a hazardous condition is
detected. Another important type of protective system is
the interlock system, which prevents the operator or the
automatic control system from following a hazardous
sequence of control actions.
The existence of a hazard which may require a protec-
tive system is usually revealed either during the design
process, which includes, as routine, consideration of pro-
tective features, or by hazard identification techniques
such as HAZOP studies. Some operator calculates Safety
Integrity Level (SIL) for having specification of trip sys-
tems. Oil and Gas UK has a guideline for it but it is not
Chapter | 8 Process Design
mandatory for all operators to follow it. Risk graphs and
Layer of Protection Analysis (LOPA) are also used for
specifying and designing of trip systems for offshore, but
it is complicated to use these methods as there are argu-
ments about the required of degree of independence.
The decision as to whether a trip system is necessary
in a given case depends on the design philosophy. There
are quite wide variations in practice on the use of trip sys-
tems. There is no doubt, however, about the general trend,
which is toward the provision of a more comprehensive
coverage by trip systems. The decision as to whether to
install a trip system can be put on a less subjective basis
by making a quantitative assessment of the hazard and of
the reliability of the operator in preventing it.
Since a trip system is used to protect against a hazard-
ous condition, it is essential for the system itself to be
dependable. The dependability of a trip system depends
on (1) capability and (2) reliability. Thus, it is necessary
both for the system to have the capability of carrying out
its function in terms of features such as accuracy,
dynamic response, etc., and for it to be reliable in doing
so. The reliability of the trip system may be improved by
the use of (1) redundancy and (2) diversity.
Most trip systems consist of a single channel comprising
of a sensor, a switch, and a shut-off valve, but where the
integrity required is higher than that which can be obtained
from a single channel, redundancy is generally used.
A trip system is normally dormant and comes to life
only when a demand occurs. An element of the trip sys-
tem such as a sensor or a valve may experience failure,
and such a failure will lie unrevealed unless detected by
proof testing or some other means. By contrast, equiva-
lent elements in a control system are exercised continu-
ously, and failure in such an element is liable to cause an
operational excursion of some kind.
It should be an aim of trip system design to convert
unrevealed failures into revealed failures, and hence to
enhance reliability, by the judicious exploitation of
benign integration.
8.4.10 Interlock Systems
Interlocks are another important type of protective device.
They are used to control operations which must take place
in a specified sequence and equipments which must have
specified relations between their states. This definition of
an interlock differs from that often used in the American
literature, where the term interlock tends to be applied
to both trip and interlock systems (as defined here).
There are various kinds of interlocks. The original
type is a mechanical device such as a padlock and chain
on a hand valve. Another common type is the key inter-
lock. Increasing use is made of software interlocks based
on process computers.
137
Some typical applications of interlocks are in such
areas as: (1) electrical switchgear, (2) test cubicles,
(3) machinery guards, (4) vehicle loading, (5) conveyor
systems, (6) machine start-up and shut-down, (7) valve
systems, (8) instrument systems, (9) fire protection sys-
tems, (10) plant maintenance.
An interlock is often used to prevent access as long as
a piece of equipment is operating. Thus, electrical switch-
gear may be installed in a room where an interlock pre-
vents the door opening until there is electrical isolation.
Similarly, an interlock prevents access to a test cubicle
for operations involving high pressure or explosive mate-
rials until safe conditions pertain. An interlock may be
used to stop access to a machine or entry into a vessel
unless the associated machinery cannot move. In vehicle
loading, interlocks are used to prevent a tanker moving
away while it is still connected to the discharge point.
Pressure relief valves have interlocks to prevent all
the valves being shut off simultaneously. There may be
interlocks on other critical valve systems. Interlocks are
also a part of instrument systems. An interlock may be
used to prevent the disarming of a trip system unless cer-
tain conditions are met. Fire protection systems are pro-
vided with interlocks as a safeguard against leaving the
system disabled, particularly after testing or maintenance.
Plant maintenance operations make much use of inter-
locks to prevent valves being opened or machinery started
up while work is in progress.
Some features of a good hardware interlock are that it
(1) controls operations positively, (2) is incapable of
defeat, (3) is simple, robust, and inexpensive, (4) is read-
ily and securely attachable to engineering devices, and
(5) is regularly tested and maintained.
8.4.11 Programmable Logic Systems
As already indicated, increasing use is made in process
control systems of PLCs. An account of the application of
PLCs to functions such as pump change over, fire and gas
detection, and ESD has been given by Margetts (1986a,b).
He describes the planning of an operation such as pump
change over using hierarchical task analysis, in which the
change over task is successively re-described until it has
been broken down into executable elements, and the appli-
cation of the hazard and operability (HAZOP) method to
assess the adequacy of the resultant design.
He also deals with the reliability of the PLC system.
For the system which he considers, the MTBFs of the input
device, the control logic, and the output device are 100,000,
10,000, and 50,000 h, respectively, giving an overall system
MTBF of 7690 h. Use of as many as four control logic
units in parallel would raise the system MTBF to 14,480 h,
but this is not the complete answer. The method described
by the author for the further enhancement of reliability is
138
the exploitation of the ability of the PLC to test the input
and output devices and also itself.
8.4.12 Programmable Electronic Systems
Increasingly, the concept of computer control has become
subsumed in the broader one of the PES. The account
given here is confined to the safety aspects of PESs and
is based on the HSE PES Guide.
HSE PES Guide: An account of PESs and their safety
implications is given in Programmable Electronic
Systems in Safety Related Applications (HSE, 1987) (the
HSE PES Guide), of which Part 1 is an Introductory
Guide (PES 1) and Part 2 the General Technical
Guidelines (PES 2). Whereas in a safety-related system
the use of conventional hardwired equipment is routine,
the use of a PES in such an application has been rela-
tively unknown territory. The approach taken, therefore,
has been to assess the level of integrity required in the
PES by reference to that obtained with a conventional
system based on good practice. This level of integrity is
referred to as conventional safety integrity. PES 2 gives
three system elements which should be taken into account
in the design and analysis of safety-related systems:
(1) configuration; (2) reliability; (3) overall quality.
Safety integrity criteria for the system should be specified
which cover all three of these system elements.
a. Configuration: The configuration of the system should
be such as to protect against failures, both random and
systematic. The former are associated particularly
with hardware and the latter with software.
b. Reliability: The governing principle for reliability of
the hardware is that the overall failure rate in a dan-
gerous mode of failure, or, for a protection system, the
probability of failure to operate on demand, should
meet the standard of conventional safety integrity.
Essentially, the level of reliability should be governed
by the conventional safety integrity principle. Where
the acceptable level of reliability is relatively low, the
first method may suffice, but where a higher reliability
is required, the second and third methods will be
appropriate.
c. Overall quality: It is concerned essentially with high-
quality procedures and engineering. These should
cover the quality of the specification, design, construc-
tion, testing, commissioning, operation, maintenance,
and modification of the hardware and software.
d. Design considerations: PES 2 describes a number of
design considerations which are particularly relevant
to the safety integrity of PESs. The replacement of a
control chain in which the sensor sends a signal
directly to the actuator by one which involves
Lees Process Safety Essentials
analogue-to-digital (A/D) converters and PES may
reduce the safety integrity.
e. Software considerations: The software for use in
safety-related applications needs to be of high quality,
and PES 2 gives an account of some of the measures
which may be taken to achieve this.
8.4.13 Emergency Shut-Down Systems
In quite a large proportion of cases, the plant is provided
not just with individual trips but with a complete auto-
matic emergency shut-down (ESD) system. There is rela-
tively little written about ESD systems. The following is
an account and explanation of the steps that are taken in
the synthesis of an emergency shutdown system.
1. Conceptual design of ESD: The function of an ESD
system is to detect a condition or an event sufficiently
hazardous or undesirable as to require shut-down and
then to effect transition to a safe state. The potential
hazards are determined by a method of hazard identifi-
cation such as HAZOP, Layer of Protection Analysis,
Fault tree techniques. Estimates are then made of the
frequency and consequences of these hazards. The
hazards against which the ESD system is to protect
are then defined.
2. Initiation of ESD: The arrangements for initiation of
the ESD are critical. If these are defective, so that the
system is not activated when it should be, all the rest
of the design goes for nothing. There is a balance to
be struck between the functional and the operational
reliability of the ESD system. It should act when a
hazard arises, but should not cause unnecessary shut-
downs or other hazards.
3. Action on ESD: There are a variety of actions which
an ESD system may take. Three principal types are
(a) flow shut-off, (b) energy reduction, (c) material
transfer. Flow shut-off includes shut-off of feed and
other flows. It often involves shut-down of machinery
and may include isolation of units. Energy reduction
covers shut-off of heat input and initiation of addi-
tional cooling. Material transfer refers to pressure
reduction, venting, and blow-down.
4. Detail design of ESD system: It is a fundamental prin-
ciple that protective systems be independent of the
rest of the instrument and control system, and this
applies equally to an ESD system. The design of the
ESD system should follow the principles which apply
to trip systems generally. There should be a balance
between functional and operational reliability.
Dependent failures should be considered. The reliabil-
ity may be assessed using fault tree and other meth-
ods. The techniques of diversity and redundancy
Chapter | 8 Process Design 139

should be used as appropriate. Use may be made of BPCS Basic Process Control System
majority voting systems. ETT Energize-to-trip
5. Operation of ESD system: The status of the ESD sys- DTT De-energize-to-trip
tem should be clear at all times. There should be a UPS Uninterruptible Power Supply
separate display showing this status in the control cen- PLC Programmable Logic Control
ter. This display should give the status of any part of PFD Process Flow Diagram
the ESD system which is under test or maintenance PSAT Pre-start-up Acceptance Test
and of any part which is disarmed. Initiation of ESD SAT Site Acceptance Test
should activate audible and visual alarms in the con- API American Petroleum Institute
ASME American Society of Mechanical Engineers
trol center. There should be an indication of the source
BSI British Standards Institution
of the initiation, whether manual or instrument. ESD
HTHM Highly Toxic Hazardous Material
should also be signaled by an alarm which is part of DOT Department of Transportation
the general alarm system. NB Nominal Bore
6. Testing and maintenance of ESD system: The ESD NRV Non-Return Valve (Check Valve)
system should be subject to periodic proof testing, and EIV Emergency Isolation Valve
such testing should be governed by a formal system. PLC Programmable Logic Control
As far as is practical, the test should cover the com- DCL Distributed Control Logic
plete system from initiation to shut-down condition. CCS Centralized Control System
The need for proof testing and, more generally, for the CIM Computer Integrated Manufacturing
detection of unrevealed failure, should be taken into CRMR Complete and Rigorous Model-Based Reconciliation
SIL Safety Integrity Level
account in the design. The equipment should be
MTBF Mean Time Between Failures
designed for ease of testing. It should be segregated
PES Programmable Electronic System
and clearly identified. Techniques for detection of ESD Emergency Shut Down
instrument malfunction should be exploited. In voting EDP Emergency Depressurization
systems, the failure of a single channel should be
signaled.
7. Documentation of an ESD system: The ESD system REFERENCES
should be fully documented. The HSE Design, Abbott, J.A., 1990. Prevention of Fires and Explosions in Dryers, second
Construction and Certification Guidance Notes give ed. Institution of Chemical Engineers, Rugby.
details of recommended documentation. Andrew, W.G., Williams, H.B., 1980. Applied Instrumentation in the
8. ESD of a gas terminal: The design of systems for ESD Process Industries, vol. 2: Practical Guidelines. Gulf Publishing
and (Emergency Depressurization) EDP of a gas ter- Company, Houston, TX.
minal has been described by Valk and Sylvester-Evans Barrell, A., 1988. Inherent safetyonly by design? (editorial). Chem.
(1985). The design philosophy described is that the Eng. (London). 451, 3.
ESD system should operate only in an extreme emer- Broughton, J., 1993. Process Utility Systems. Institution of Chemical
gency, that the ESD and EDP systems are separate Engineers, Rugby.
Butterwick, B., 1976. User Guide for the Safe Operation of Centrifuges.
from the control, trip, and relief systems, and that the
Institution of Chemical Engineers, Rugby.
systems should be simple and reliable.
Campbell, I.E., Sherwood, E.M., 1967. High Temperature Materials and
Technology. Wiley, New York, NY.
ACRONYMS CCPS (Center for Chemical Process Safety), 1989. Guidelines for
Chemical Process Quantitative Risk Analysis. American Institute of
SLP Safety and Loss Prevention Chemical Engineers, New York, NY, ISBN 0-8169-0402-2, p. 585.
CCPS Center for Chemical Process Safety CCPS (Center for Chemical Process Safety), 1993. Guidelines for
P&ID Piping and Instrument Diagram Engineering Design for Process Safety. WileyAmerican Institute
MOC Management of Change of Chemical Engineers, New York, NY.
CAD Computer-Aided Design CCPS, 1996a. Inherently Safer Chemical Processes, A Life Cycle
VIP Value Improving Practice Approach, Gold Book. American Institute of Chemical Engineers,
IChemE Institution of Chemical Engineers New York, NY, ISBN 0-8169-0703-X.
AIChE American Institute of Chemical Engineers CCPS (Center for Chemical Process Safety), 1996b. Guidelines for
HAZOP Hazard and Operability (study) Evaluating Process Plant Buildings for External Explosions and Fires.
HSE Health and Safety Executive American Institute of Chemical Engineers, New York, NY, ISBN 0-
SIS Safety Instrumented System 8169-0646-7, p. 208.
LOPA Layers of Protection Analysis CCPS (Center for Chemical Process Safety), 2001. Layer of
PHA Process Hazards Analysis Protection Analysis. American Institute of Chemical Engineers,
IPL Independent Layer of Protection New York, NY.