Safety: Layer of Protection: Process Operability Class Materials

Process Operability Class Materials
Safety: Layer of Protection

LAH
Basic flowsheet Design with Operability

LAL
L
2
LC
LC
1 1
FC
1 FC
1
TC
2 TC
1
F
4
fuel
T
10 T
11
T
12
T
13
Copyright © Thomas Marlin 2013

The copyright holder provides a royalty-free license for use of this material at non-profit
educational institutions
ACHIEVING ACCEPTABLE RISK
Layer of Protection Analysis
• HAZARD IDENTIFICATION
1. Check lists
2. Dow Relative Ranking
3. HAZOP - Hazard and Operability
• LAYER OF PROTECTION ANALYSIS

1. Express risk target quantitatively
2. Determine risk for system
3. Reduce risk to meet target
• HAZARD ASSESSMENT
- Fault Tree
More Semi-quantitative analysis
- Event Tree to give order-of-magnitude
- Consequence analysis accurate
estimate
- Human Error Analysis
• ACTIONS TO ELIMINATE OR MITIGATE We will use our group skills
- Apply all engineering sciences and knowledge of safety
layers in applications.
Safety Layer of Protection Analysis
• FAR: Fatal Accident Rate - This is the number of

fatalities occurring during 1000 working lifetimes (108
hours). This is used in the U.K.
• Fatality Rate = FAR * (hours worked) / 108
• OSHA Incidence Rate - This is the number of illnesses

and injuries for 100 work-years. This is used in the USA.
FAR Data for typical Activities
Activity FAR
Chemical Industry 4
Steel Industry 8
Coal Mining 40
Construction 67
What is FAR for cigarette
Uranium 70 smoking?
Asbestos (old data?) 620
Staying home 3
Traveling by automobile 57
Traveling by airplane 240
Cigarette smoking ???
What is the fatality rate/year for the chemical industry?
Question: What is the fatality rate (/year) in the
chemical industry?
(4) (8 h/day) (5 day/week) (45 weeks/y) / 108 = 7.2 x 10-5
FAR Chemical Industry 4

FAR Cigarette smoking ???
FAR = 40 for smoking
T. Kletz, “Eliminating Potential Process Hazards”, Chem. Eng., April 1, 1985

• One standard used is to maintain the risk for

involuntary activities less (much less?) than
typical risks such as “staying home”
- Results in rules, such as fatality rate < 10-6/year
- See Wells (1996) Table 9.4
- Remember that many risks exist (total risk is sum)
• Are current risks accepted or merely tolerated?

• We must consider the inaccuracies of the
estimates
• We must consider people outside of the
manufacturing site.
• People usually distinguish between voluntary and

involuntary risk. They often accept higher risk
for voluntary activities (rock climbing).
• People consider the number of fatalities per
accident
Fatalities = (frequency) (fatalities/accident)
.001 = (.001) (1) fatalities/time period
.001 = (.0000001)(100,000) fatalities/time period
We need to consider frequency and consequence

The decision can be presented in a F-N plot similar to the one below.
(The coordinate values here are not “standard”; they must be selected by the professional.)
1.00E-07
Probability or Frequency, F
“Unacceptable risk”
(events/year)
1.00E-08
“Acceptable risk”
1.00E-09
1 10 100
Deaths per event, N
The design must be enhanced to reduce the likelihood of death (or

serious damage) and/or to mitigate the effects.
Some Published F-N Plots
“Choosing Appropriate Quantitative Safety Risk Criteria Applications from the New CCPS Guidelines” by Walt Frank (Frank Risk
Solutions, Inc.) and Dave Jones (Chevron Energy Technology Company)
Some Published F-N Plots
Lees, F. (1996) Loss Prevention in the Process Industries 2nd Ed., Vol. 1, page 9/83.
2. Determine the risk for system
• In Layer of Protection Analysis (LOPA), we assume

that the probability of each element in the system
functioning (or failing) is independent of all other
elements.
• We consider the probability of the initiating event
(root cause) occurring
• We consider the probability that every independent
protection layer (IPL) will prevent the cause or
satisfactorily mitigate the effect
Failure,
PFDn
Unsafe!
I
  P
L
n
Failure,
I
PFD2 P
L
3
Failure,
I
PFD1 P
L
2
Initiating I Safe/
event, f I P tolerable
L
1
f I is the probability of the initiating event or root cause

PFDi is the probability of failure on demand (PFD) for each IPL (i)
Failure,
PFDn
Unsafe!
I
  P
L
n
Failure,
Recall that the PFD2
I
P
L
events are Failure,
PFD1
I
3
considered
P
L
2
independent
Initiating I Safe/
event, f I P tolerable
L
1
The probability that the unsafe consequence will occur is the product of the
individual probabilities.
 n 
f i  f i  ( PFD)ij 
C I 
 j 1 
 
where i= scenario or event

j= IPL layer
f Ii = frequency of initiating event I for scenario i
f Ci = frequency of consequence for scenario i
PFDij = frequency of failure on demand of layer j in scenario i
• How do we determine the initiating HAZOP

events?
• How do we determine the Company, industry
probability of the initiating event, X experience
• How do we determine the
Company, industry
probability that each IPL will
experience
function successfully?
• How do we determine the target F-N plot, depends
level for the system? on consequence
Data Source
 The maximum frequency or The F-N plot or similar analysis.
probability of an accident, (A sample F-N plot is given in
fi max = F Figure 5.16.)
 Each event leading to significant HAZOP study

hazard in the process (i)
 Frequency of each event, fi I Historical data from a company or from

publications
 The risk that each barrier to the Historical data from a company or from
accident propagation will fail on publications
demand, PFDij
Table 5.13 Typical Frequencies of Initiating Events (f Ii)
(From CCPS, 2001, Table 5.1)
Initiating Event Frequency
(events/year)
-5 -7
Pressure vessel failure 10 to 10
Piping failure (full breach) 10-5 to 10-6
Piping failure (leak) 10-3 to 10-4
Atmospheric tank failure 10-3 to 10-5
Turbine/diesel engine overspeed (with 10-3 to 10-4
casing breach)
Third party intervention (impact by 10-2 to 10-4
backhoe, etc.)
Safety valve opens spuriously 10-2 to 10-4
Cooling water failure 1 to 10-2
Pump seal failure 10-1 to 10-2
BPCS loop failure 1 to 10-2
Pressure regulator failure 1 to 10-1
Small external fire 10-1 to 10-2
Large external fire 10-2 to 10-3
Operator failure (to execute routine 10-1 to 10-3 (units are events/procedure)
procedure, assuming well trained,
unstressed, not fatigued)
3. Reduce the risk to achieve the target
The general approach is to

• Set the target frequency for an event leading to an
unsafe situation (based on F-N plot)
• Calculate the frequency for a proposed design
• If the frequency for the design is too high, reduce it
- The first approach is often to introduce or enhance
the safety interlock system (SIS) system
• Continue with improvements until the target
frequency has been achieved
Table 5.16 Typical PFD values for safety layers (IPLs)

Safety Layer (IPL) Probability of failure of demand
(failure/demand)
BPCS (process control) 10-1
Alarm 10-1 to 1.0 (depends on stress and time)
SIS 10-1 to 10-4
(safety instrumented system) (depends strongly on details of design and maintenance)
Pressure relief 10-2
Containment * 10-2 for dike that will reduce consequences of spill
10-2 for drainage system that will reduce consequences of
spill
-2
Other layers (IPLs) * 10 for fireproofing
10-2 for blast wall
* These layers reduce only the major consequences of an accident. When doing a LOPA, the PFD would
be 1.0 for many consequences; for example, a dike would not prevent a fire. The tabular values would be
applied for only the worst consequences, e.g., for a dike, a spill flowing into the entire facility or the local
community.
Some surprising data for human reliability in
process operations
Table 5.14 Human failure data*

PFD Situation description
1.0 Rapid action based on complex analysis to prevent
serious accident.
10-1 Busy control room with many distractions and other
demands on time and attention
10-2 Quiet local control room with time to analyze
*Based on Kletz(1999)
Event Severity
Medium Major Major

extensive 2 3 3
Minimal Medium Major
serious 1 2 3
minor Minimal Minimal Medium
1 1 2
low moderate high
Event Likelihood
Table entries Safety Integrity Levels

(Prob. Of failure on demand)
word = qualitative risk description
1 = .01 to .1
number = required safety integrity Selection
level (SIL) 2 = .001 to .01 documented for
3 = .0001 to .001 legal
requirements
SIS Depends on structure of redundancy
SIS Depends on structure of redundancy
Often, credit is taken for good design and maintenance

procedures.
• Proper materials of construction (reduce corrosion)
• Proper equipment specification (pumps, etc.)
• Good maintenance (monitor for corrosion, test
safety systems periodically, train personnel on
proper responses, etc.)
A typical value is PFD = 0.10

Worksheet
The Layer of Protection Analysis (LOPA) is performed using a

standard table for data entry.
1 2 3 4 5 6 7 8 9 10
Protection Layers
# Initial Initiating Cause Process BPCS Alarm SIS Additional Mitigated Notes
Event cause likelihood design mitigation event
Description (safety valves, likelihood
dykes, restricted
access, etc.)
Likelihood Probability of failure on demand
n 
Mitigated likelihood = fi C
 fi   ( PFD)ij   f i max
I
 j 1 
Process examples
Class Exercise 1: Flash drum for “rough” component separation for this
proposed design.
cascade
PAH Vapor
Split range TC-6 PC-1 product
T1 T5
Feed T2
Methane LAL
Ethane (LK) LAH
Propane FC-1
T3 LC-1
Butane
Pentane
F2 F3
Liquid
AC-1 product
Process Steam L. Key
fluid
Process examples
Class Exercise 1: Flash drum for “rough” component separation.
Complete the table with your best estimates of values.
1 2 3 4 5 6 7 8 9 10
Protection Layers
dykes,
restricted
access, etc.)
1 High Connection Pressure sensor
pressure (tap) for does not
pressure measure the
sensor P1 drum pressure
becomes
plugged
The target mitigated likelihood = 10-5 event/year

The likelihood of the event = 10-1 events/year
Process examples
Class Exercise 1: Some observations about the design.
• The drum pressure controller uses only one sensor; when

it fails, the pressure is not controlled.
• The same sensor is used for control and alarming.
Therefore, the alarm provides no additional protection
for this initiating cause.
• No safety valve is provided (which is a serious design
flaw).
• No SIS is provided for the system. (No SIS would be
provided for a typical design.)
When the connection
to the sensor is
Process examples plugged, the controller
Class Exercise 1: Solution: Original design. and alarm will fail to
function on demand
cascade
PAH Vapor
T1 T5
Feed T2
Methane LAL
Ethane (LK) LAH
Propane FC-1
T3 LC-1
Butane
Pentane
F2 F3
Liquid
AC-1 product
fluid
Process examples
Class Exercise 1: Solution using initial design and typical published values.
1 2 3 4 5 6 7 8 9 10
Protection Layers
dykes,
restricted
access, etc.)
1 High Connection 0.10 0.10 1. 1.0 1.0 1.0 .01 Pressure sensor
becomes
plugged
Much too high! We must make improvements to the design.

Gap = 10-2/10-5 = 103 (sometimes given as the exponent “3”)
Process examples
Class Exercise 1: Improved Design.
cascade
PAH Vapor
PAHH
P-2
T1 T5
Feed T2
Methane LAL
Ethane (LK) LAH
Propane FC-1
T3 LC-1
Butane
Pentane
F2 F3
Liquid
AC-1 product
fluid
Process examples
Class Exercise 1: Solution using improved design and typical published values.
1 2 3 4 5 6 7 8 9 10
Protection Layers
dykes,
restricted
access, etc.)
1 High Connection 0.10 0.10 1.0 0.10 1.0 PRV 0.01 .00001 Pressure sensor
becomes
plugged The PRV must
exhaust to a
separation
(knock-out)
Enhanced design includes The enhanced design achieves drum and fuel or
flare system.
separate P sensor for alarm the target mitigated
and a pressure relief valve. likelihood.
Verify table entries.
Process examples
Class Exercise 1: Each IPL must be independent.
For the solution in the LOPA table and process sketch,

describe some situations (equipment faults) in which the
independent layers of protection are
- Independent Hints: Consider faults such as sensor, power
supply, signal transmission, computing, and
- Dependent actuation
For each situation in which the IPLs are dependent, suggest

a design improvement that would remove the common
cause fault, so that the LOPA analysis in the table would be
correct.
Approaches to reducing risk
• The most common are BPCS, Alarms and Pressure

relief. They are typically provided in the base design.
• The next most common is SIS, which requires careful
design and continuing maintenance
• The probability of failure on demand for an SIS
depends on its design. Duplicated equipment (e.g.,
sensors, valves, transmission lines) can improve the
performance
• A very reliable method is to design an “inherently
safe” process, but these concepts should be applied in
the base case
Approaches to reducing risk
• The safety interlock system (SIS) must use independent

sensor, calculation, and final element to be independent!
• We desire an SIS that functions when a fault has
occurred and does not function when the fault has not
occurred.
• SIS performance improves with the use of redundant
elements; however, the systems become complex,
requiring high capital cost and extensive ongoing
maintenance.
• Use LOPA to determine the required PFD; then, design
the SIS to achieve the required PFD.
Process examples
Class Exercise 2: Fired heater to low air flow rate.
Flue gas
PIC
1
AT PI
1 4
FT
1 TI
PI
1
5
TI
5
TI
2
feed
TI
6
PT
1
TI
3
TI
7 TI TI
TI 9 10
4
FT TI
FI
2 8 TI
3
11
PI PI PI
2 3 6
air Fuel gas

Process examples
Class Exercise 2: Fired heater to low air flow.
1 2 3 4 5 6 7 8 9 10
Protection Layers
dykes,
restricted
access, etc.)
1 Combustibles Limited air
in stack, fire supply
or explosion because air
fan/motor
fails
Frequency of air fan/motor failure is 0.10 to 1.0 events/year

(Lees and CCPS)
Process examples
1 2 3 4 5 6 7 8 9 10
Protection Layers
dykes,
restricted
access, etc.)
1 No/low air Failure of 0.10 0.10 1.0 1.0 1.0 ------ 0.01
flow to the air
heater fan/blower
burners
Much too high! We must make improvements to the design.

Process examples
Class Exercise 2: Fired heater to low air flow rate.
Flue gas
Alarm PIC
1
AT PI
1 4
FT
1 TI
PI
1
5
TI
5
TI
2
feed
TI
6
PT
1
TI
3
TI
7 TI TI
Flow
TI 9 10
4
control
FT TI
FI
2 8 TI
3
11
PI PI PI
2 3 6
air Fuel gas
F SIS Redundant air flow and

Alarms pressure sensors
Process examples
1 2 3 4 5 6 7 8 9 10
Protection Layers
dykes,
restricted
access, etc.)
1 No/low air Limited air 1.0 0.10 1.0 0.10 0.01 0.0001
flow to supply
heater because air
burners fan/motor
fails
Reasonable, but a little high.

Process examples
Class Exercise 3: Fired heater to low feed flow rate.
Flue gas
PIC
1
AT PI
1 4
FT
1 TI
PI
1
5
TI
5
TI
2
feed
TI
6
PT
1
TI
3
TI
7 TI TI
TI 9 10
4
FT TI
FI
2 8 TI
3
11
PI PI PI
2 3 6
air Fuel gas

Process examples
1 2 3 4 5 6 7 8 9 10
Protection Layers
dykes,
restricted
access, etc.)
1 No process Feed
flow, pump/motor
equipment fauls
damage,
tube rupture
and fire,
loss of
production
Probability of feed pump/motor failure is 0.01 events/year

Process examples
1 2 3 4 5 6 7 8 9 10
Protection Layers
dykes,
restricted
access, etc.)
1 Low feed Failure of 0.010 0.10 1.0 1.0 1.0 ------ 0.001
flow rate to feed pump
tubes in
fired heater
Too high! We must make improvements to the design.

Process examples
Flue gas
PIC
1
To SIS
AT PI
1 4
FS
FT
1 TI
PI
1
5
TI
5
FAH F
TI
2
feed
TI
6
PT
1
TI
3
TI
7 TI TI
TI 9 10
4
FT TI
FI
2 8 TI
3
11
PI PI PI
2 3 6
air Fuel gas
SIS Redundant air flow and

pressure sensors
Process examples
1 2 3 4 5 6 7 8 9 10
Protection Layers
dykes,
restricted
access, etc.)
1 Low feed Failure of 0.010 0.10 1.0 0.10 0.01 ------ 0.000001
flow rate to feed pump
tubes in
fired heater
OK! This is very acceptable for a scenario that is not an

immediate safety concern, although tube rupture could lead to
a fire. Note that the financial loss would be large.
When working on safety, professionals
require an ethical approach!
Kletz (2001) emphasizes the necessity to avoid “jiggling” the values, i.e.,
selecting the values (usually by using lower failure rates) to justify a simpler, less costly
design. Such a practice would be unethical and could lead to serious consequences.
Engineers are urged to, “call them like you see them” (CCPS, 1992), which
means to make your best safety recommendations without being unduly
influenced by cost, project deadlines, management’s preconceived ideas and so
forth.
Set Goals
• Define process scope
• Define data resources
• Define F-N tradeoffs
Hazards and Operability Safety study leader Boss
Analysis Assemble Resources

• See Section 5.14
&
Layer of Protection Hazard Identification
• Dow Preliminary Methods
Analysis • Check list/ What-if
• HAZOP
Safety study team

can and should be
integrated for safety Finalize safety design
• LOPA analysis
management • Integrated risk determined
LOPA Analyst
Report and Management

acceptance
• Commitment to actions
Let’s not have this result from our work!
BP Deepwater Horizon, April 20, 2010

References
Dowell, A. and D. Hendershoot, Simplified Risk Analysis - Layer of Protection Analysis, AIChE National Meeting, Indianapolis, Paper
281a, Nov. 3-8, 2002
Dowell, A. and T. Williams, Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data, Process Safety
Progress, 24, 1, 38-44 (March 2005).
Frederickson A., Layer of Protection Analysis, www.safetyusersgroup.com, May 2006
Gulland, W., Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons,
http://www.chemicalprocessing.com/whitepapers/2005/006.html
Haight, J. and V. Kecojevic, Automation vs. Human Intervantion: What is the Best Fit for the Best Performance?, Process Safety
Progress, 24, 1, 45-51 (March 2005)
Melhem, G. and P. Stickles, How Much Safety is Enough, Hydrocarbon Processing, 1999
Wiegernick, J., Introduction to the Risk-Based Design of Safety Instrumented Systems for the Process Industries, Seventh International
Conference on Control, Automation, Robotics and Vision, Singapore, Dec. 2002.

Safety: Layer of Protection: Process Operability Class Materials

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Safety: Layer of Protection: Process Operability Class Materials

Uploaded by

Copyright:

Available Formats

Process Operability Class Materials

Safety: Layer of Protection

Basic flowsheet Design with Operability

Copyright © Thomas Marlin 2013

• LAYER OF PROTECTION ANALYSIS

• FAR: Fatal Accident Rate - This is the number of

• Fatality Rate = FAR * (hours worked) / 108

• OSHA Incidence Rate - This is the number of illnesses

(4) (8 h/day) (5 day/week) (45 weeks/y) / 108 = 7.2 x 10-5

FAR Chemical Industry 4

FAR = 40 for smoking

T. Kletz, “Eliminating Potential Process Hazards”, Chem. Eng., April 1, 1985

• One standard used is to maintain the risk for

• Are current risks accepted or merely tolerated?

• People usually distinguish between voluntary and

.001 = (.0000001)(100,000) fatalities/time period

We need to consider frequency and consequence

Deaths per event, N

The design must be enhanced to reduce the likelihood of death (or

• In Layer of Protection Analysis (LOPA), we assume

f I is the probability of the initiating event or root cause

where i= scenario or event

• How do we determine the initiating HAZOP

 Each event leading to significant HAZOP study

 Frequency of each event, fi I Historical data from a company or from

The general approach is to

Table 5.16 Typical PFD values for safety layers (IPLs)

Table 5.14 Human failure data*

Medium Major Major

low moderate high

Table entries Safety Integrity Levels

Often, credit is taken for good design and maintenance

A typical value is PFD = 0.10

The Layer of Protection Analysis (LOPA) is performed using a

Likelihood Probability of failure on demand

The target mitigated likelihood = 10-5 event/year

• The drum pressure controller uses only one sensor; when

Much too high! We must make improvements to the design.

For the solution in the LOPA table and process sketch,

For each situation in which the IPLs are dependent, suggest

• The most common are BPCS, Alarms and Pressure

• The safety interlock system (SIS) must use independent

air Fuel gas

Frequency of air fan/motor failure is 0.10 to 1.0 events/year

Much too high! We must make improvements to the design.

air Fuel gas

F SIS Redundant air flow and

Reasonable, but a little high.

air Fuel gas

Probability of feed pump/motor failure is 0.01 events/year

Too high! We must make improvements to the design.

air Fuel gas

SIS Redundant air flow and

OK! This is very acceptable for a scenario that is not an

Analysis Assemble Resources

Safety study team

Report and Management

BP Deepwater Horizon, April 20, 2010

Frederickson A., Layer of Protection Analysis, www.safetyusersgroup.com, May 2006

You might also like