
Process Operability Class Materials
Safety: Layer of Protection

[Figure: title-slide sketches labelled "Design with Operability" and "Basic flowsheet", showing a level controller LC-1 and a flow controller FC-1]

Copyright Thomas Marlin 2013


The copyright holder provides a royalty-free license for use of this
material at non-profit educational institutions

ACHIEVING ACCEPTABLE RISK
(Overview of the safety workflow; this material covers the Layer of Protection Analysis step.)

HAZARD IDENTIFICATION
1. Check lists
2. Dow Relative Ranking
3. HAZOP - Hazard and Operability

LAYER OF PROTECTION ANALYSIS
1. Express risk target quantitatively
2. Determine risk for system
3. Reduce risk to meet target
(Semi-quantitative analysis to give an order-of-magnitude estimate. We will use our group skills and knowledge of safety layers in applicat)

HAZARD ASSESSMENT (more accurate)
- Fault Tree
- Event Tree
- Consequence analysis
- Human Error Analysis

ACTIONS TO ELIMINATE OR MITIGATE
- Apply all engineering sciences

Safety Layer of Protection Analysis

1. Express risk target quantitatively
FAR: Fatal Accident Rate - the number of fatalities occurring during 1000 working lifetimes (10^8 hours). This is used in the U.K.
   Fatality Rate = FAR * (hours worked) / 10^8
OSHA Incidence Rate - the number of illnesses and injuries per 100 work-years. This is used in the USA.

Safety Layer of Protection Analysis

1. Express risk target quantitatively
FAR data for typical activities

Activity                    FAR
Chemical Industry             4
Steel Industry                8
Coal Mining                  40
Construction                 67
Uranium                      70
Asbestos (old data?)        620

Staying home                  3
Traveling by automobile      57
Traveling by airplane       240
Cigarette smoking           ???

Question: What is the FAR for cigarette smoking?

Question: What is the fatality rate (/year) in the chemical industry?
   (4) (8 h/day) (5 day/week) (45 weeks/y) / 10^8 = 7.2 x 10^-5 per year

Answer: FAR = 40 for smoking (compare with FAR = 4 for the chemical industry)

T. Kletz, Eliminating Potential Process Hazards, Chem. Eng., April 1, 1985

Safety Layer of Protection Analysis

1. Express risk target quantitatively
One standard used is to maintain the risk for involuntary activities less (much less?) than typical risks such as staying home.
- Results in rules, such as fatality rate < 10^-6/year
- See Wells (1996) Table 9.4
- Remember that many risks exist (total risk is the sum)

Are current risks accepted or merely tolerated?
We must consider the inaccuracies of the estimates.
We must consider people outside of the manufacturing site.

Safety Layer of Protection Analysis

1. Express risk target quantitatively
People usually distinguish between voluntary and involuntary risk. They often accept higher risk for voluntary activities (rock climbing).
People consider the number of fatalities per accident:
   Fatalities (per time period) = (frequency) (fatalities/accident)
   .001 = (.001) (1)                fatalities/time period
   .001 = (.0000001) (100,000)      fatalities/time period
We need to consider both frequency and consequence.

Safety Layer of Protection Analysis

1. Express risk target quantitatively
The decision can be presented in an F-N plot similar to the one below.
(The coordinate values here are not standard; they must be selected by the professional.)

[Figure: F-N plot. Vertical axis: probability or frequency, F (events/year), with ticks 1.00E-09, 1.00E-08, 1.00E-07; horizontal axis: deaths per event, N, with ticks 10 and 100. The region above the boundary line is labelled "Unacceptable risk", the region below it "Acceptable risk".]

The design must be enhanced to reduce the likelihood of death (or serious damage) and/or to mitigate the effects.

Some Published F-N Plots

Choosing Appropriate Quantitative Safety Risk Criteria Applications from the New CCPS Guidelines by Walt Frank (Frank Risk
Solutions, Inc.) and Dave Jones (Chevron Energy Technology Company)

Some Published F-N Plots

Lees, F. (1996) Loss Prevention in the Process Industries 2nd Ed., Vol. 1, page 9/83.

Safety Layer of Protection Analysis

2. Determine the risk for the system
In Layer of Protection Analysis (LOPA), we assume that the probability of each element in the system functioning (or failing) is independent of all other elements.
We consider the probability of the initiating event (root cause) occurring.
We consider the probability that every independent protection layer (IPL) will prevent the cause or satisfactorily mitigate the effect.

Safety Layer of Protection Analysis

2. Determine the risk for the system

[Figure: chain of independent protection layers. The initiating event (f_I) must pass IPL 1 (failure PFD_1), IPL 2 (failure PFD_2), IPL 3, ..., IPL n (failure PFD_n); if every layer fails the outcome is "Unsafe!", otherwise "Safe/tolerable". Recall that the events are considered independent.]

f_I is the probability of the initiating event or root cause
PFD_i is the probability of failure on demand (PFD) for each IPL (i)

The probability that the unsafe consequence will occur is the product of the individual probabilities:

$$ f_{Ci} = f_{Ii} \prod_{j=1}^{n} (PFD)_{ij} $$

where
   i        = scenario or event
   j        = IPL layer
   f_Ii     = frequency of initiating event I for scenario i
   f_Ci     = frequency of consequence for scenario i
   PFD_ij   = probability of failure on demand of layer j in scenario i

Safety Layer of Protection Analysis

2. Determine the risk for the system

Q: How do we determine the initiating events?
A: HAZOP

Q: How do we determine the probability of the initiating event, X?
A: Company and industry experience

Q: How do we determine the probability that each IPL will function successfully?
A: Company and industry experience

Q: How do we determine the target level for the system?
A: F-N plot; depends on the consequence

Safety Layer of Protection Analysis

2. Determine the risk for the system

Data: The maximum frequency or probability of an accident, f_i max = F
Source: The F-N plot or similar analysis. (A sample F-N plot is given in Figure 5.16.)

Data: Each event leading to significant hazard in the process (i)
Source: HAZOP study

Data: Frequency of each event, f_Ii
Source: Historical data from a company or from publications

Data: The risk that each barrier to the accident propagation will fail on demand, PFD_ij
Source: Historical data from a company or from publications

Safety Layer of Protection Analysis

2. Determine the risk for the system
Table 5.13 Typical Frequencies of Initiating Events (f_Ii)
(From CCPS, 2001, Table 5.1)

Initiating Event                                              Frequency (events/year)
Pressure vessel failure                                       10^-5 to 10^-7
Piping failure (full breach)                                  10^-5 to 10^-6
Piping failure (leak)                                         10^-3 to 10^-4
Atmospheric tank failure                                      10^-3 to 10^-5
Turbine/diesel engine overspeed (with casing breach)          10^-3 to 10^-4
Third party intervention (impact by backhoe, etc.)            10^-2 to 10^-4
Safety valve opens spuriously                                 10^-2 to 10^-4
Cooling water failure                                         1 to 10^-2
Pump seal failure                                             10^-1 to 10^-2
BPCS loop failure                                             1 to 10^-2
Pressure regulator failure                                    1 to 10^-1
Small external fire                                           10^-1 to 10^-2
Large external fire                                           10^-2 to 10^-3
Operator failure (to execute routine procedure, assuming      10^-1 to 10^-3 (units are events/procedure)
  well trained, unstressed, not fatigued)

Safety Layer of Protection Analysis

3. Reduce the risk to achieve the target
The general approach is to
- Set the target frequency for an event leading to an unsafe situation (based on the F-N plot)
- Calculate the frequency for a proposed design
- If the frequency for the design is too high, reduce it
  - The first approach is often to introduce or enhance the safety interlock system (SIS)
- Continue with improvements until the target frequency has been achieved

Safety Layer of Protection Analysis

3. Reduce the risk to achieve the target
Table 5.16 Typical PFD values for safety layers (IPLs)

Safety Layer (IPL)                   Probability of failure on demand (failure/demand)
BPCS (process control)               10^-1
Alarm                                10^-1 to 1.0 (depends on stress and time)
SIS (safety instrumented system)     10^-1 to 10^-4 (depends strongly on details of design and maintenance)
Pressure relief                      10^-2
Containment *                        10^-2 for a dike that will reduce the consequences of a spill
                                     10^-2 for a drainage system that will reduce the consequences of a spill
Other layers (IPLs) *                10^-2 for fireproofing
                                     10^-2 for a blast wall

* These layers reduce only the major consequences of an accident. When doing a LOPA, the PFD would be 1.0 for many consequences; for example, a dike would not prevent a fire. The tabular values would be applied for only the worst consequences, e.g., for a dike, a spill flowing into the entire facility or the local community.

Safety Layer of Protection Analysis

3. Reduce the risk to achieve the target
Some surprising data for human reliability in process operations

Table 5.14 Human failure data*
PFD      Situation description
1.0      Rapid action based on complex analysis to prevent a serious accident
10^-1    Busy control room with many distractions and other demands on time and attention
10^-2    Quiet local control room with time to analyze

*Based on Kletz (1999)

Safety Layer of Protection Analysis

3. Reduce the risk to achieve the target
Risk matrix: event likelihood (rows) versus event severity (columns)

Event Likelihood     extensive       serious         minor
low                  Medium (2)      Minimal (1)     Minimal (1)
moderate             Major (3)       Medium (2)      Minimal (1)
high                 Major (3)       Major (3)       Medium (2)

Table entries: word = qualitative risk description; number = required safety integrity level (SIL)

Safety Integrity Levels (probability of failure on demand)
1 = .01 to .1
2 = .001 to .01
3 = .0001 to .001

The SIL selection is documented for legal requirements.
The SIS PFD depends on the structure of redundancy.

Safety Layer of Protection Analysis

3. Reduce the risk to achieve the target
Often, credit is taken for good design and maintenance procedures:
- Proper materials of construction (reduce corrosion)
- Proper equipment specification (pumps, etc.)
- Good maintenance (monitor for corrosion, test safety systems periodically, train personnel on proper responses, etc.)
A typical value is PFD = 0.10

Safety Layer of Protection Analysis

Worksheet
The Layer of Protection Analysis (LOPA) is performed using a standard table for data entry. Rows are numbered 1 to 10, with these columns:

#  |  Initial event description  |  Initiating cause  |  Cause likelihood  |  Protection layers, probability of failure on demand: Process design, BPCS, Alarm, SIS  |  Additional mitigation (safety valves, dykes, restricted access, etc.)  |  Mitigated event likelihood  |  Notes

Mitigated likelihood:

$$ f_{Ci} = f_{Ii} \prod_{j=1}^{n} (PFD)_{ij} \le f_{i\,max} $$

Safety Layer of Protection Analysis

Process examples
Class Exercise 1: Flash drum for rough component separation for this proposed design.

[Figure: flash drum flowsheet. Feed (methane, ethane (LK), propane, butane, pentane) is heated by steam and flashed; vapor product leaves overhead and liquid product (light key composition measured by AC-1) leaves the bottom. Instrument tags shown: PC-1 with high-pressure alarm PAH, TC-6, FC-1 (cascade, split range), LC-1 with alarms LAL and LAH, T1, T2, T3, T5, F2, F3.]

Safety Layer of Protection Analysis

Process examples
Class Exercise 1: Flash drum for rough component separation.
Complete the table with your best estimates of values.

#  Initial event description: High pressure
   Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
   Cause likelihood: ___
   Protection layers (PFD): Process design ___ | BPCS ___ | Alarm ___ | SIS ___
   Additional mitigation (safety valves, dykes, restricted access, etc.): ___
   Mitigated event likelihood: ___
   Notes: Pressure sensor does not measure the drum pressure

The target mitigated likelihood = 10^-5 events/year
The likelihood of the event = 10^-1 events/year

Safety Layer of Protection Analysis

Process examples
Class Exercise 1: Some observations about the design.
- The drum pressure controller uses only one sensor; when it fails, the pressure is not controlled.
- The same sensor is used for control and alarming. Therefore, the alarm provides no additional protection for this initiating cause.
- No safety valve is provided (which is a serious design flaw).
- No SIS is provided for the system. (No SIS would be provided for a typical design.)

Safety Layer of Protection Analysis

Process examples
Class Exercise 1: Solution: Original design.

[Figure: the same flash drum flowsheet as above (PC-1 with PAH, TC-6, FC-1 cascade/split range, LC-1 with LAL/LAH, AC-1, tags T1, T2, T3, T5, F2, F3), annotated: "When the connection to the sensor is plugged, the controller and alarm will fail to function on demand."]

Safety Layer of Protection Analysis

Process examples
Class Exercise 1: Solution using initial design and typical published values.

#  Initial event description: High pressure
   Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
   Cause likelihood: 0.10
   Protection layers (PFD): Process design 0.10 | BPCS 1.0 | Alarm 1.0 | SIS 1.0
   Additional mitigation (safety valves, dykes, restricted access, etc.): 1.0
   Mitigated event likelihood: .01
   Notes: Pressure sensor does not measure the drum pressure

Much too high! We must make improvements to the design.
Gap = 10^-2 / 10^-5 = 10^3 (sometimes given as the exponent, 3)

Safety Layer of Protection Analysis

Process examples
Class Exercise 1: Improved Design.

[Figure: flash drum flowsheet of the improved design. In addition to the original instrumentation (PC-1 with PAH, TC-6, FC-1 cascade/split range, LC-1 with LAL/LAH, AC-1, tags T1, T2, T3, T5, F2, F3), a second pressure sensor P-2 drives a high-high pressure alarm PAHH.]

Safety Layer of Protection Analysis

Process examples
Class Exercise 1: Solution using improved design and typical published values.

#  Initial event description: High pressure
   Initiating cause: Connection (tap) for pressure sensor P1 becomes plugged
   Cause likelihood: 0.10
   Protection layers (PFD): Process design 0.10 | BPCS 1.0 | Alarm 0.10 | SIS 1.0
   Additional mitigation (safety valves, dykes, restricted access, etc.): PRV 0.01
   Mitigated event likelihood: .00001
   Notes: Pressure sensor does not measure the drum pressure

Enhanced design includes a separate P sensor for the alarm and a pressure relief valve.
The enhanced design achieves the target mitigated likelihood. Verify the table entries.
The PRV must exhaust to a separation (knock-out) drum and a fuel or flare system.
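The product rule and the Class Exercise 1 tables (original and improved flash drum design), worked as an added Python example that is not part of the lecture materials: a layer that relies on the component that failed in the initiating cause gets no credit (PFD = 1.0), and the gap exponent and the SIL one added SIS would need to close it follow from the slides' bands. The component sets, the function names and the conservative SIL rounding rule are assumptions made for this example.

```python
# Added example (not the lecture's own code): LOPA product rule with an
# independence check, using the Class Exercise 1 numbers from the tables.
from math import ceil, log10, prod

# An IPL is (name, components it relies on, tabular PFD). A layer whose
# component is the one that failed in the initiating event is not
# independent of the cause: it fails on the same demand, so PFD = 1.0.
def credited_pfd(layer, failed_component):
    name, components, pfd = layer
    return 1.0 if failed_component in components else pfd

def mitigated_frequency(f_initiating, layers, failed_component):
    """f_C = f_I * prod(PFD_j): the slides' product rule for independent IPLs."""
    pfds = [credited_pfd(layer, failed_component) for layer in layers]
    for p in pfds:
        if not 0.0 < p <= 1.0:
            raise ValueError(f"PFD outside (0, 1]: {p}")
    return f_initiating * prod(pfds)

def gap_exponent(f_mitigated, target):
    """log10(f_C / f_max), the 'gap' exponent on the slides; <= 0 meets the target."""
    return log10(f_mitigated / target)

def required_sil(f_mitigated, target):
    """Conservative SIL for ONE added SIS that closes the gap, using the slides'
    bands (SIL 1 = 0.01..0.1, SIL 2 = 0.001..0.01, SIL 3 = 0.0001..0.001):
    pick the band whose least demanding PFD is still small enough (assumption)."""
    if f_mitigated <= target:
        return 0                               # target already met, no SIS needed
    exponent = -log10(target / f_mitigated)    # needed PFD = 10**-exponent
    sil = max(1, ceil(exponent - 1e-9))        # tolerance so 10**-3 exactly -> SIL 3
    return sil if sil <= 3 else None           # past SIL 3: add other layers instead

# Constructed from Class Exercise 1: the tap to sensor P1 plugs (0.10 events/year),
# target 10^-5 events/year. The component sets are assumptions for this example.
F_PLUGGED_TAP = 0.10
TARGET = 1.0e-5
ORIGINAL = [("process design", set(), 0.10),
            ("BPCS PC-1", {"P1"}, 0.10),        # controller reads P1: no credit
            ("alarm PAH", {"P1"}, 0.10),        # alarm also on P1: no credit
            ("SIS", set(), 1.0),                # none provided
            ("extra mitigation", set(), 1.0)]   # no relief valve
IMPROVED = [("process design", set(), 0.10),
            ("BPCS PC-1", {"P1"}, 0.10),
            ("alarm PAHH", {"P-2"}, 0.10),      # separate sensor: credited
            ("SIS", set(), 1.0),
            ("PRV", set(), 0.01)]

if __name__ == "__main__":
    for label, layers in (("original", ORIGINAL), ("improved", IMPROVED)):
        f_c = mitigated_frequency(F_PLUGGED_TAP, layers, "P1")
        print(f"{label}: f_C = {f_c:.0e}/yr, gap exponent = "
              f"{gap_exponent(f_c, TARGET):.1f}, SIL to close = "
              f"{required_sil(f_c, TARGET)}")
```

Running it reproduces the two table results (10^-2 and 10^-5 events/year) and shows that, without the separate sensor and the PRV, the original design would need a SIL 3 interlock on its own to reach the target.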

Safety Layer of Protection Analysis

Process examples
Class Exercise 1: Each IPL must be independent.

For the solution in the LOPA table and process sketch, describe some situations (equipment faults) in which the independent layers of protection are
- Independent
- Dependent
Hints: Consider faults such as sensor, power supply, signal transmission, computing, and actuation.

For each situation in which the IPLs are dependent, suggest a design improvement that would remove the common cause fault, so that the LOPA analysis in the table would be correct.

Safety Layer of Protection Analysis

Approaches to reducing risk
- The most common are BPCS, alarms and pressure relief. They are typically provided in the base design.
- The next most common is SIS, which requires careful design and continuing maintenance.
- The probability of failure on demand for an SIS depends on its design. Duplicated equipment (e.g., sensors, valves, transmission lines) can improve the performance.
- A very reliable method is to design an inherently safe process, but these concepts should be applied in the base case.

Safety Layer of Protection Analysis

Approaches to reducing risk
- The safety interlock system (SIS) must use an independent sensor, calculation, and final element to be independent!
- We desire an SIS that functions when a fault has occurred and does not function when the fault has not occurred.
- SIS performance improves with the use of redundant elements; however, the systems become complex, requiring high capital cost and extensive ongoing maintenance.
- Use LOPA to determine the required PFD; then, design the SIS to achieve the required PFD.

Safety Layer of Protection Analysis

Process examples
Class Exercise 2: Fired heater to low air flow rate.

[Figure: fired heater flowsheet. Feed passes through the heater tubes, flue gas leaves the stack, and air and fuel gas are supplied to the burners. Instrument tags shown: PIC-1, PT-1, AT-1, FT-1, FT-2, FI-3, PI-2, PI-3, PI-4, PI-5, PI-6, TI-1 through TI-11.]

Safety Layer of Protection Analysis

Process examples
Class Exercise 2: Fired heater to low air flow.

#  Initial event description: Combustibles in stack, fire or explosion
   Initiating cause: Limited air supply because air fan/motor fails
   Cause likelihood: ___
   Protection layers (PFD): Process design ___ | BPCS ___ | Alarm ___ | SIS ___
   Additional mitigation (safety valves, dykes, restricted access, etc.): ___
   Mitigated event likelihood: ___
   Notes:

Frequency of air fan/motor failure is 0.10 to 1.0 events/year (Lees and CCPS)

Safety Layer of Protection Analysis

Process examples
Class Exercise 2: Fired heater to low air flow.

#  Initial event description: No/low air flow to heater burners
   Initiating cause: Failure of the air fan/blower
   Cause likelihood: 0.10
   Protection layers (PFD): Process design 0.10 | BPCS 1.0 | Alarm 1.0 | SIS 1.0
   Additional mitigation (safety valves, dykes, restricted access, etc.): ------
   Mitigated event likelihood: 0.01
   Notes:

Much too high! We must make improvements to the design.

Safety Layer of Protection Analysis

Process examples
Class Exercise 2: Fired heater to low air flow rate.

[Figure: the fired heater flowsheet (tags PIC-1, PT-1, AT-1, FT-1, FT-2, FI-3, PI-2 to PI-6, TI-1 to TI-11) annotated with the added protection: alarms, an SIS, flow control on the air supply, and redundant air flow and pressure sensors.]

Safety Layer of Protection Analysis

Process examples
Class Exercise 2: Fired heater to low air flow.

#  Initial event description: No/low air flow to heater burners
   Initiating cause: Limited air supply because air fan/motor fails
   Cause likelihood: 1.0
   Protection layers (PFD): Process design 0.10 | BPCS 1.0 | Alarm 0.10 | SIS 0.01
   Additional mitigation (safety valves, dykes, restricted access, etc.): ___
   Mitigated event likelihood: 0.0001
   Notes:

Reasonable, but a little high.

Safety Layer of Protection Analysis

Process examples
Class Exercise 3: Fired heater to low feed flow rate.

[Figure: the fired heater flowsheet as in Exercise 2 (feed through the tubes, flue gas to the stack, air and fuel gas to the burners; tags PIC-1, PT-1, AT-1, FT-1, FT-2, FI-3, PI-2 to PI-6, TI-1 to TI-11).]

Safety Layer of Protection Analysis

Process examples
Class Exercise 3: Fired heater to low feed flow rate.

#  Initial event description: No process flow, equipment damage, tube rupture and fire, loss of production
   Initiating cause: Feed pump/motor fails
   Cause likelihood: ___
   Protection layers (PFD): Process design ___ | BPCS ___ | Alarm ___ | SIS ___
   Additional mitigation (safety valves, dykes, restricted access, etc.): ___
   Mitigated event likelihood: ___
   Notes:

Probability of feed pump/motor failure is 0.01 events/year

Safety Layer of Protection Analysis

Process examples
Class Exercise 3: Fired heater to low feed flow rate.

#  Initial event description: Low feed flow rate to tubes in fired heater
   Initiating cause: Failure of feed pump
   Cause likelihood: 0.010
   Protection layers (PFD): Process design 0.10 | BPCS 1.0 | Alarm 1.0 | SIS 1.0
   Additional mitigation (safety valves, dykes, restricted access, etc.): ------
   Mitigated event likelihood: 0.001
   Notes:

Too high! We must make improvements to the design.

Safety Layer of Protection Analysis

Process examples
Class Exercise 2: Fired heater to low feed flow rate.

[Figure: the fired heater flowsheet (tags PIC-1, PT-1, AT-1, FT-1, FT-2, FI-3, PI-2 to PI-6, TI-1 to TI-11) annotated with the added protection on the feed: a flow switch FS on the feed flow measurement FT-1 wired "To SIS" and a flow alarm FAH, together with the SIS and the redundant air flow and pressure sensors.]

Safety Layer of Protection Analysis

Process examples
Class Exercise 3: Fired heater to low feed flow rate.

#  Initial event description: Low feed flow rate to tubes in fired heater
   Initiating cause: Failure of feed pump
   Cause likelihood: 0.010
   Protection layers (PFD): Process design 0.10 | BPCS 1.0 | Alarm 0.10 | SIS 0.01
   Additional mitigation (safety valves, dykes, restricted access, etc.): ------
   Mitigated event likelihood: 0.000001
   Notes:

OK! This is very acceptable for a scenario that is not an immediate safety concern, although tube rupture could lead to a fire. Note that the financial loss would be large.

When working on safety, professionals require an ethical approach!
Kletz (2001) emphasizes the necessity to avoid "jiggling the values", i.e., selecting the values (usually by using lower failure rates) to justify a simpler, less costly design. Such a practice would be unethical and could lead to serious consequences.
Engineers are urged to "call them like you see them" (CCPS, 1992), which means to make your best safety recommendations without being unduly influenced by cost, project deadlines, management's preconceived ideas and so forth.

Hazards and Operability Analysis (HAZOP) and Layer of Protection Analysis (LOPA) can and should be integrated for safety management.

[Figure: workflow for integrated safety management, with the roles Boss, safety study leader, safety study team and LOPA analyst shown beside the steps]
- Set Goals: define process scope, define data resources, define F-N tradeoffs
- Assemble Resources: see Section 5.14
- Hazard Identification: Dow preliminary methods, check list / what-if, HAZOP
- Finalize safety design: LOPA analysis, integrated risk determined
- Report and management acceptance: commitment to actions

Let's not have this result from our work!
[Photo: BP Deepwater Horizon, April 20, 2010]
