
Week 6_7 - Layer of Protection v3

The document outlines the concept of Layer of Protection Analysis (LOPA) used in chemical process safety, detailing its purpose, steps for development, and methods for determining consequences and frequency of hazardous events. It emphasizes the importance of multiple layers of protection to mitigate risks and describes various prevention and mitigation strategies. Additionally, it highlights the role of inherently safe design in process plant operations to enhance safety outcomes.

Uploaded by tenshan

SETK 4573: Process Safety & Operability

Layer of Protection

Learning Outcome: Students are expected to

• explain the layers of protection commonly adopted by chemical process plants
• explain the function of each layer of protection.

Topics
Ø Introduction to Layer of Protection
Ø Steps for developing LOPA
Ø Determining consequences
Ø Determining frequency
Ø Risks and LOPA
Ø Prevention layers
Ø Mitigation layers

What is Layer of Protection?

LOP – Safety through Automation


Introduction to LOPA
Ø LOPA is a semi-quantitative tool for analyzing and assessing
risk.
Ø LOPA includes simplified methods to characterize the
consequences and estimate the frequencies.
Ø Various layers of protection are added to a process to lower
the frequency of the undesired consequences.
Ø The consequences and effects are approximated by
categories, the frequencies are estimated, and the
effectiveness of the protection layers is also approximated.
Ø The approximate values and categories are selected to
provide conservative results.
Figure **: Protection Layers

Steps for developing LOPA

1. Identify a single consequence.
2. Identify an accident scenario and the cause associated with the consequence.
3. Identify the initiating event for the scenario and estimate the initiating event frequency.
4. Identify the protection layers available for the particular consequence and estimate the probability of failure on demand (PFD) for each protection layer.
5. Combine the initiating event frequency with the probabilities of failure on demand for the independent protection layers to estimate a mitigated consequence frequency.
6. Plot the consequence against the frequency to estimate the risk.
7. Evaluate the risk for acceptability. If the risk is unacceptable, additional layers of protection are required.

Determining Consequences
• The most common scenario of interest for LOPA in the chemical process
industry is loss of containment of hazardous material.
• This can occur through a variety of incidents, such as a leak from a vessel,
a ruptured pipeline, a gasket failure, or release from a relief valve.
• The consequences are estimated using one of the following methods:
(1) semi-quantitative approach without the direct reference to human
harm,
(2) qualitative estimates with human harm, and
(3) quantitative estimates with human harm.
• When using the semi-quantitative method, the quantity of the release is
estimated using source models, and the consequences are characterized
with a category.

Table 11-2 Semi-Quantitative Consequences Categorization

Consequence size columns for the release characteristic rows:
  (A) 1-10 lb release   (B) 10-100 lb release   (C) 100-1,000 lb release
  (D) 1,000-10,000 lb release   (E) 10,000-100,000 lb release   (F) >100,000 lb release

Release characteristic                               (A)  (B)  (C)  (D)  (E)  (F)
Extremely toxic above BP*                             3    4    5    5    5    5
Extremely toxic below BP or highly toxic above BP     2    3    4    5    5    5
Highly toxic below BP or flammable above BP           2    2    3    4    5    5
Flammable below BP                                    1    2    2    3    4    5
Combustible liquid                                    1    1    1    2    2    3

Consequence size columns for the consequence characteristic rows:
  (A) Spared or nonessential equipment   (B) Plant outage <1 month   (C) Plant outage 1-3 months
  (D) Plant outage >3 months   (E) Vessel rupture, 3,000-10,000 gal, 100-300 psig   (F) Vessel rupture, >10,000 gal, >300 psig

Consequence characteristic                           (A)  (B)  (C)  (D)  (E)  (F)
Mechanical damage to large main product plant         2    3    4    4    4    5
Mechanical damage to small by-product plant           2    2    3    4    4    5

Consequence cost (US dollars)   $0-$10,000   $10,000-$100,000   $100,000-$1,000,000   $1,000,000-$10,000,000   >$10,000,000
Category                        Category 1   Category 2         Category 3            Category 4               Category 5

The numbers in the body of the table are the consequence category (Category 1 to Category 5).
*BP, atmospheric boiling point.



Steps for determining frequency

1. Determine the failure frequency of the initiating event.
2. Adjust this frequency to include the demand.
Ø For example, a reactor failure frequency is divided by 12 if the reactor is used only 1 month during the entire year. The frequencies are also adjusted (reduced) to include the benefits of preventive maintenance.
Ø If, for example, a control system is given preventive maintenance 4 times each year, then its failure frequency is divided by 4.
3. Adjust the failure frequency to include the probabilities of failure on demand (PFDs) for each independent layer of protection.

Table 11-3 Typical Frequency Values Assigned to Initiating Events*

Initiating event                                                      Frequency range from literature (per yr)   Example of a value chosen by a company for use in LOPA (per yr)
Pressure vessel residual failure
Piping residual failure, 100 m, full breach
Piping leak (10% section), 100 m
Atmospheric tank failure
Gasket/packing blowout
Turbine/diesel engine overspeed with casing breach
Third-party intervention (external impact by backhoe, vehicle, etc.)
Crane load drop                                                       to 10^-4/lift                              1 x 10^-4/lift
Lightning strike                                                      10^-3 to                                   1 x 10^-3
Safety valve opens spuriously                                         10^-2 to
Cooling water failure                                                 1 to 10^-2                                 1 x 10^-1
Pump seal failure                                                     10^-1 to 10^-2                             1 x 10^-1
Unloading/loading hose failure                                        1 to 10^-2                                 1 x 10^-1
BPCS instrument loop failure                                          1 to 10^-2                                 1 x 10^-1
Regulator failure                                                     1 to 10^-1                                 1 x 10^-1
Small external fire (aggregate causes)                                10^-1 to 10^-2                             1 x 10^-1
Large external fire (aggregate causes)                                to 10^-3                                   1 x 10^-2
LOTO (lock-out tag-out) procedure failure
  (overall failure of a multiple element process)                     10^-3 to 10^-4/opportunity                 1 x 10^-3/opportunity
Operator failure (to execute routine procedure;
  well trained, unstressed, not fatigued)                             10^-1 to 10^-3/opportunity                 1 x 10^-2/opportunity

*Individual companies choose their own values, consistent with the degree of conservatism or the company's risk tolerance criteria. Failure rates can also be greatly affected by preventive maintenance routines.
Add IPL to reduce risk

IPL


Determining frequency
• The PFD for each independent protection layer (IPL) varies from 10^-1 for a weak IPL to 10^-5 for a strong IPL.
• The common practice is to use a PFD of 10^-2 unless experience shows it to be higher or lower.
• There are three rules for classifying a specific system or action as an IPL:
Ø The IPL is effective in preventing the consequence when it functions as designed.
Ø The IPL functions independently of the initiating event and of the components of all other IPLs that are used for the same scenario.
Ø The IPL is auditable, that is, the PFD of the IPL must be capable of validation, including review, testing, and documentation.

Table 11-4 PFDs for Passive IPLs

Passive IPL                    Comments (assuming an adequate design basis, inspections, and maintenance procedures)                                               PFDs from industry       PFDs from CCPS*
Dike                           Reduces the frequency of large consequences (widespread spill) of a tank overfill, rupture, spill, etc.                           1 x 10^-2 to 1 x 10^-3   1 x 10^-2
Underground drainage system    Reduces the frequency of large consequences (widespread spill) of a tank overfill, rupture, spill, etc.                           1 x 10^-2 to 1 x 10^-3   1 x 10^-2
Open vent (no valve)           Prevents overpressure                                                                                                             1 x 10^-2 to 1 x 10^-3   1 x 10^-2
Fireproofing                   Reduces rate of heat input and provides additional time for depressurizing, fire fighting, etc.                                   1 x 10^-2 to 1 x 10^-3   1 x 10^-2
Blast wall or bunker           Reduces the frequency of large consequences of an explosion by confining blast and by protecting equipment, buildings, etc.       1 x 10^-2 to 1 x 10^-3   1 x 10^-3
Inherently safer design        If properly implemented, can eliminate scenarios or significantly reduce the consequences associated with a scenario              1 x 10^-1 to 1 x 10^-6   1 x 10^-2
Flame or detonation arrestors  If properly designed, installed, and maintained, can eliminate the potential for flashback through a piping system or into a vessel or tank   1 x 10^-1 to 1 x 10^-3   1 x 10^-2

*CCPS, Simplified Process Risk Assessment: Layer of Protection Analysis, D. A. Crowl, ed. (New York: American Institute of Chemical Engineers, 2001) (in press).

Table 11-5 PFDs for Active IPLs and Human Actions

Active IPL or human action                   Comments [assuming an adequate design basis, inspections, and maintenance procedures (active IPLs) and adequate documentation, training, and testing procedures (human action)]   PFDs from industry       PFDs from CCPS*
Relief valve                                 Prevents system from exceeding specified overpressure. Effectiveness of this device is sensitive to service and experience.                 1 x 10^-1 to 1 x 10^-5   1 x 10^-2
Rupture disc                                 Prevents system from exceeding specified overpressure. Effectiveness of this device can be sensitive to service and experience.             1 x 10^-1 to 1 x 10^-5   1 x 10^-2
Basic process control system (BPCS)          Can be credited as an IPL if not associated with the initiating event being considered. See IEC (1998, 2001).**                              1 x 10^-1 to 1 x 10^-2   1 x 10^-1
Safety instrumented functions (interlocks)   See IEC 61508 (IEC, 1998) and IEC 61511 (IEC, 2001) for life-cycle requirements and additional discussion.**
Human action with 10 min response time       Simple well-documented action with clear and reliable indications that the action is required.                                              1 to 1 x 10^-1           1 x 10^-1
Human action with 40 min response time       Simple well-documented action with clear and reliable indications that the action is required.                                              1 x 10^-1 to 1 x 10^-2   1 x 10^-1

*CCPS, Simplified Process Risk Assessment: Layer of Protection Analysis, D. A. Crowl, ed. (New York: American Institute of Chemical Engineers, 2001) (in press).
**IEC (1998), IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, Parts 1-7, Geneva: International Electrotechnical Commission.
**IEC (2001), IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Parts 1-3 (draft in process), Geneva: International Electrotechnical Commission.
Determining frequency
The frequency of a consequence of a specific scenario endpoint is computed using

$$f_i^C = f_i^I \prod_{j=1}^{J} \mathrm{PFD}_{ij}$$

where
• $f_i^C$ is the mitigated consequence frequency for a specific consequence C for an initiating event i,
• $f_i^I$ is the initiating event frequency for the initiating event i, and
• $\mathrm{PFD}_{ij}$ is the probability of failure on demand of the j th IPL that protects against the specific consequence and the specific initiating event i. The PFD is usually 10^-2, as described previously.

Determining frequency
Multiple scenarios with the same consequence

$$f^C = \sum_{i=1}^{I} f_i^C$$

where
• $f^C$ is the frequency of the C th consequence from all initiating events, $f_i^C$ is the frequency of the C th consequence for the i th initiating event, and
• I is the total number of initiating events for the same consequence.

Exercise
Determine the consequence frequency for a cooling water failure if the system is designed with two IPLs. The IPLs are human interaction with 10-min response time and a basic process control system (BPCS).

Answer: 10^-3 failure/year

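As an added example (not part of the slides), the following Python code implements the three frequency steps above and the $f_i^C$ and $f^C$ formulas, checks the three IPL qualification rules before giving credit, and reproduces the cooling-water exercise. The initiating-event and PFD values are the ones quoted on this page; the 1e-5/yr tolerable target in extra_ipls_needed is an assumption, since the slides give no target.

```python
# Added example (not from the slides): LOPA frequency calculator following the
# 'Steps for determining frequency' slide and the f_i^C = f_i^I * prod(PFD_ij)
# formula. Table values are those quoted on this page; the target is assumed.
from dataclasses import dataclass
from math import isclose, prod

INITIATING_EVENT_FREQ = {          # per year, company-chosen column of Table 11-3
    "cooling water failure": 1e-1,
}
IPL_PFD = {                        # CCPS column of Tables 11-4 and 11-5
    "human action, 10 min response": 1e-1,
    "BPCS": 1e-1,
    "relief valve": 1e-2,
}

@dataclass
class IPL:
    name: str
    pfd: float
    effective: bool = True    # rule 1: prevents the consequence when it works
    independent: bool = True  # rule 2: independent of initiator and other IPLs
    auditable: bool = True    # rule 3: PFD validated by review/test/documentation

    def qualifies(self) -> bool:
        return self.effective and self.independent and self.auditable and 0 < self.pfd <= 1

def adjusted_initiating_freq(base_freq, months_in_service=12, pm_per_year=1):
    """Step 2: scale the literature frequency by the fraction of the year the
    equipment is in service and by the number of preventive-maintenance rounds."""
    if not 0 < months_in_service <= 12 or pm_per_year < 1:
        raise ValueError("months_in_service in (0, 12], pm_per_year >= 1")
    return base_freq * (months_in_service / 12) / pm_per_year

def mitigated_freq(init_freq, ipls):
    """Step 3: f_i^C = f_i^I * product(PFD_ij); only qualifying IPLs get credit."""
    for ipl in ipls:
        if not ipl.qualifies():
            raise ValueError(f"{ipl.name} fails the IPL rules and earns no credit")
    return init_freq * prod(ipl.pfd for ipl in ipls)

def consequence_freq(scenario_freqs):
    """Same consequence from several initiating events: f^C = sum_i f_i^C."""
    return sum(scenario_freqs)

def extra_ipls_needed(freq, target=1e-5, pfd=1e-2):
    """Step 7 with an assumed tolerable target: count how many more 1e-2 IPLs
    are required before the mitigated frequency reaches the target."""
    count = 0
    while freq > target and not isclose(freq, target):
        freq *= pfd
        count += 1
    return count

def cooling_water_exercise():
    """Exercise: 1e-1/yr initiator, 10-min human action and BPCS IPLs (PFD 1e-1 each)."""
    ipls = [IPL("human action, 10 min response", IPL_PFD["human action, 10 min response"]),
            IPL("BPCS", IPL_PFD["BPCS"])]
    return mitigated_freq(INITIATING_EVENT_FREQ["cooling water failure"], ipls)
```

Marking the BPCS IPL as independent=False (the Table 11-5 case where the BPCS is itself the initiating event) makes mitigated_freq refuse the credit instead of silently lowering the frequency.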

Risks and LOPA


Ø Risk is a function of the probability (or frequency, or
likelihood) of an event and its severity (or
consequences).
Ø Multiple and independent safety layers in any facility
are designed to reduce one or the other.
Ø Prevention layers are implemented to reduce the
probability of a hazardous event from ever occurring.
Ø Mitigation layers are implemented to reduce the
consequences once the event has already happened.


Prevention Layers

Figure: prevention layers drawn as nested rings around the process, from the inside out: Inherent Safety Design, Basic Process Control, Alarm and Human Intervention, Safety Instrumented System, and Physical Protection (Relief Devices); the rings carry the labels Process, Process control, Safety control and Prevention by control.

Level of Prevention (Safeguards)


Process Plant Design
• The process plant itself must be designed with safety in mind. This is why HAZOP and other safety reviews (fault trees, checklists, what-if, etc.) are performed. A major goal within the process industry is to design inherently safe plants.


Prevention Layers
1. Basic Process Control System (BPCS)
Ø It controls the plant for optimum fuel usage, product
quality, etc.
Ø It attempts to keep all variables (e.g., pressure,
temperature, level, flow, etc.) within safe bounds.
Therefore it can be considered a safety layer.
Ø However, a control system failure may also initiate a
hazardous event.

Prevention Layers
1. Basic Process Control System (BPCS)
• Technology: multiple PIDs, cascade, feedforward, etc.
• Always control unstable variables (examples?)
• Always control "quick" safety-related variables
  - Stable variables that tend to change quickly (examples?)
• Monitor variables that change very slowly
  - Corrosion, erosion, build-up of materials
• Provide safe response to critical instrumentation failures
  - But we use instrumentation in the BPCS?

Prevention Layers
BPCS: Control Loops


Prevention Layers
2. Alarm Systems
• If the process control system fails to perform its
function (for any number of reasons, such as an
internal failure or a loop being placed in bypass)
alarms may be used to alert the operators that some
form of intervention is required on their part.


Prevention Layers
2. Alarm Systems
The alarm systems should:
Ø Detect problems as soon as possible, at a level low
enough to ensure action can be taken before
hazardous conditions are reached.
Ø Be independent of the devices they’re monitoring
(i.e., they should not fail if the system they’re
monitoring fails).
Ø Add as little complexity as possible.
Ø Be easy to maintain, check, and calibrate.

Prevention Layers
2. Alarm Systems + Human Interactions
• Alarm and monitoring systems are considered to be
the safety layer where people get actively involved.
• Operators will generally be required in plants for the
simple reason that not everything can be automated.
• It is essentially impossible for designers to anticipate
every possible set of conditions that might occur.
• Human operators may need to be considered since
only they will be flexible and adaptable enough in
certain situations.
Prevention Layers
2. Alarms that require action by person


Prevention Layers
3. Safety Instrumented Systems
• If the control system and the operators fail to act, automatic
shutdown systems take action.
• These systems are usually completely separate, with their
own sensors, logic system, and final elements.
• These systems are designed to:
Ø Permit a process to move forward in a safe manner when specified
conditions allow, or
Ø Automatically take a process to a safe state when specified conditions
are violated, or
Ø Take action to mitigate the consequences of an industrial hazard.

Prevention Layers
3. Safety Instrumented Systems

Prevention Layers
3. Safety Instrumented Systems


Prevention Layers
4. Physical Protection (Relief devices)
• Relief valves and rupture discs are one means of
physical protection that could be used to prevent an
overpressure condition.
• While this may serve to prevent a pressure vessel
from exploding, venting of material may result in a
secondary hazardous event (e.g., release of a toxic
material) or fines due to an environmental violation.

Prevention Layers
4. Physical Protection (Relief devices)

Prevention Layers
4. Physical Protection (Relief devices)

Prevention Layers
4. Physical Protection (Pressure relief valve)

Prevention Layers
4. Physical Protection (Other Relief devices)

Prevention Layers
4. Physical Protection (Relief devices)


Mitigation Layers

Figure: the mitigation layers, Containment and Management, drawn as the rings outside the prevention layers.


Mitigation Layers
5. Containment
• If an atmospheric storage tank were to burst, dikes could be
used to contain the release.
• However, holding process fluids within dikes may introduce
secondary hazards.
• Reactors in nuclear power plants are usually housed in
containment buildings to help prevent accidental releases.
• The Soviet reactor at Chernobyl did not have a containment
building, whereas the U.S. reactor at Three Mile Island did.


Mitigation Layers
6. Management
• In the event of a catastrophic release, evacuation
procedures can be used to evacuate plant personnel
and/or the outside community from the area.
• While these are procedures only and not a physical
system (apart from sirens), they may still be
considered one of the overall safety layers.

Self-learning
• Plant Operation System: SIS
• Plant Operation System: DCS

References
1. Assael, M. J., & Kakosimos, K. E. (2010). Fires, explosions, and toxic dispersions: Effects calculations and risk analysis. New York: CRC Press Taylor & Francis Group.
2. Crowl, D. A., & Louvar, J. F. (2002). Chemical Process Safety. Upper Saddle River, NJ: Prentice Hall, Inc.
3. The content of these slides is adapted from lecture notes of ENGI 9121 (Advanced Safety, Risk & Reliability Engineering) of Memorial University of Newfoundland, Canada.
