3922 04

Session 4 - Safety Instrumented Systems/Layer of Projection Analysis
Session Chair:
Joseph R. Natale
Co-Chair:
Scott W. Ostrowski
SIS Growing Pains:

How and why to make the switch from an internal to an
industry standard(1)
J. Wayne Chastain and Kenneth Yount

Eastman Chemical Company
This paper was prepared for presentation at the AIChE 2004 Spring National Meeting
38th Annual Loss Prevention Symposium
April 25-29, 2004 in New Orleans
Copyright © Eastman Chemical Company

January 2004
Unpublished
AIChE shall not be responsible for statements or opinions contained in papers or printed
in its publications.
Abstract
Like many companies, Eastman Chemical Company is faced with a decision of moving
from internal standards governing the design of safety instrumented systems (SIS) to
one of the competing industry standards. This paper documents the thought process
used by Eastman personnel in making the decision to move from an established internal
standard for the specification and maintenance of SIS to an industry standard. Many of
the issues which need to be considered in making such a move are documented
including costs which should be considered, processes which may be impacted,
corporate roles which need to be addressed, and options to be considered. Other
organizations which are currently considering making such a change, or adopting an
industry standard can hopefully draw from Eastman's experience in working through this
AIChE Copyright 1987-2003

issue.
Safety Instrumented Systems (SIS) have been in use in the process industries for many
years. A Safety Instrumented System is defined as "System composed of sensors,
logic solvers, and final control elements for the purpose of taking the process to a safe
state when predetermined conditions are violated."1. Many other terms have been
used for these devices in the past by different companies, industry groups, and
governmental authorities including Emergency Shutdown Systems (ESD), Safety
Interlocks, Safety Interlock System, and Safety Shutdown Systems (SSD).
In 1996 the Instrument Society of America released ANSI/ISA-S84.01 entitled

"Application of Safety Instrumented Systems for the Process Industries." This was the
first consensus standard issued on the design and use of safety instrumented systems
for the general process industry. Response to this standard varied across the chemical
process industry (CPI.) Some companies quickly moved to adopt the standard directly,
likely finding that the methodology proposed in the standard did not vary tremendously
from internal standards. Other companies are likely still not aware that this consensus
standard exists.
Although the standard was issued in 1996, many companies' attention to this issue
changed after March 23rd, 2000 when OSHA issued a letter of interpretation2, stating,
"As S84.01 is a national consensus standard, OSHA considers it to be a recognized and
generally accepted good engineering practice for SIS." Various individuals and
organizations in the industry have interpreted this letter by OSHA as an indication that in
order to be compliant with the Process Safety Management regulation manufacturers
would have to adopt the ANSI/ISA-S84.01 standard.
At the same time that the ISA was working on the SP84.01 standard, the International
Electrochemical Committee was working on several standards addressing the design
and use of SIS. The first of these was IEC 61508 "Functional safety of
electrical/electronic/programmable electronic safety related systems", which was a
general standard applicable to not only the CPI but any manufacturer using SIS in their
plants3. The IEC followed this standard with the release of IEC 61511 "Functional
Safety: Safety Instrumented Systems for the process industry sector"4.
Indications are that the ISA Committee will revise the language in S84.01 to be identical
to that found in IEC 61511 with few exceptions. Thus, it is very likely in the near future
that one consensus industry standard for the design and use of SIS will exist. For those
companies which are facing the decision of adopting this standard or some other
standard or staying with their current internal standard, several issues must be
addressed. Eastman Chemical Company has recently gone through this thought
process of whether the company should stay with an internal standard, or adopt one of

the consensus standards. The process used to make that decision was long and
difficult and involved not only rationalizing what we hope is the correct answer, but also
convincing all of the other players in the company who had a hand in making the
decision that this was the right one for the company.
What did we have?
Tennessee Eastman Division of Eastman Chemical Company put in place an internal

standard for the design and implementation of SIS in 1989. Unlike the current
consensus standards, the Eastman standard was an architecturally based system.
Four levels of SIS were specified in the Eastman standard with each level dictating a
level of redundancy, varying requirements for use of "tried and true" technology, testing
frequency, etc. Guidelines were present in the standard for when the various levels of
SIS should be used, based on the consequence being protected against.
This standard was adopted to differing degrees by other Eastman Chemical Company
sites, with some sites using only "good engineering practice" and a subjective selection
and design criteria for SIS. Over the last several years Eastman Chemical Company
has gone through a period of expansion through acquisition. Many of the acquired sites
brought different standards for the design and implementation of SIS while some of the
new sites had few SIS and fewer standards for their design and use.
Other companies may find themselves in a similar situation as they consider a switch to
a consensus standard. Instead of one internal standard that may be in competition with
the consensus standards, they may have several internal standards in use in different
areas of the company. Certain divisions of the company may not have any standard
that is being followed. This situation can create additional problems in obtaining buy in
from the disparate groups who have very different backgrounds and levels of exposure
to the ideas of risk management and SIS. It can also increase the resulting educational
burden if the company chooses to standardize on a consensus standard or one of its
own internal standards, due to the differences in background in the various corporate
groups.
As a team within Eastman considered the key issues in standardizing the company on
the internal standard that had been developed for the Tennessee site or adopting one of
the consensus standards, the differences between the two had to be considered. The
key differences between the internal standard that Eastman followed and the consensus
standards which have been developed are:
· Basis (architectural vs. risk)

· Selection (consequence vs. required risk reduction)
· Documentation (little specified documentation vs. detailed safety requirements specification)

· SIS Reliability (architectural design vs. performance design)
· Verification (none vs. verification calculation)
Although other companies may have different types of internal standards, or no

standard at all, the process of determining if adoption of the consensus standard makes
sense, should address many of the same issues.
Why change?
Regulatory Issues
First, if a company has an internal standard, or several competing internal standards, or

for that matter, no standard at all, why should that company choose to adopt one of
these consensus standards for SIS design? One issue that will be raised by many is
that after OSHAs letter of interpretation on the issue, if a company operates processes
which are covered by the PSM standard, then the company must adopt S84.01 or it will
not be in compliance with the PSM regulation. Each individual company will, of course,
have to make an appropriate determination as to whether or not this is true, given the
language of OSHA's letter. Eastman made the determination that this was not the case.
OSHA never indicates that a company must adopt S84 in order to be in compliance, but
simply indicates that as a consensus standard, S84 meets the criteria of following good
engineering practice, as required by the standard. Indeed, OSHA specifies in this letter
of interpretation that "With respect to SIS, OSHA does not specify or benchmark S84.01
as the only recognized and generally accepted good engineering practice." So,
compliance with the PSM standard does not seem to be an adequate reason to adopt
S84.01, if a company is following another standard which could be considered to meet
the requirements of good engineering practice.
However, a company shouldn't ignore the implications of OSHA's letter of interpretation.

OSHA has clearly indicated that compliance with S84.01 will meet the requirements of
good engineering practice and the other requirements of PSM with regard to SIS with
the following statement from the same letter, "If an employer documents per
1910.119(d)(3)(i)(F) that it will comply with S84.01 for SIS and it meets all S84.01 and
other OSHA PSM requirements related to SIS, the employer will be considered in
compliance with OSHA PSM requirements for SIS." Although following S84.01 is not
required in order to be compliant with the PSM standard, by the language in OSHA's
letter, following it does meet the requirements of good engineering practice. Without a
letter to the effect that a company's internal standard also meets these requirements, it
will be unclear if compliance has been achieved.
Although compliance with S84.01 or any other SIS standard is not a requirement of the
PSM regulation in the United States, for those companies with operations overseas,

particularly in the European Union, compliance with IEC 61511 may not be optional.
There is an indication that governmental authorities in the EU have or will adopt IEC
61511 as a required standard for companies to follow. If this does occur, then at least
in European operations, a company will have to make use of this consensus standard.
If a company is required to adopt such a standard for a portion of its plants, it may be
advantageous to adopt the same standard across the board for consistency.
Cost Savings
Another reason to switch to a consensus standard is the potential for cost savings.
However, in conducting a cost benefit analysis of switching to a consensus standard, it
is necessary to account for all of the factors which need to be taken into account, both
favorable and unfavorable.
First, evaluating the favorable aspects of switching to one of the aforementioned

consensus standards:
· Lowered costs associated with execution of contracts with engineering firms.
One cost savings aspect of adopting a consensus standard is that engineering firms
which are executing design work for your company will already be familiar with the
details of the processes specified in these standards. This should result in a decrease
in the required number of hours for the execution of the job due to the contract
personnel already being high on the learning curve of the standard, as opposed to
having to learn a company standard for SIS.
Note that this argument is not as effective if your company always uses the same
engineering firm who is already familiar with your internal SIS standards.
· Lowered cost due to elimination of over-design.
The risk based methodology which can be used for the selection of the appropriate level
of SIS for a particular event can result in a savings, if there is an increase in the
precision of selection. Although a variety of methodologies can be used to select the
Safety Integrity Level for SIS, the more sophisticated risk based methods such as
Layers of Protection Analysis and Quantitative Risk Assessment should give more
precise answers than simpler methods which might be used. In general, where less
sophisticated methodologies are used, there should be a tendency toward over-design
in order to ensure that processes are adequately protected. Increasing the precision of
the selection, allows systems to be designed which adequately protect against the risks,
but contain less error and are therefore less expensive.
Although these reasons are sound economic drivers for making the switch to one of the

consensus standards, there are a variety of costs associated with making such a
change that should also be accounted for:
· Development and deployment of new internal standards.
In order to implement a consensus standard in a company with its own internal

standards or with no standards, one requirement will be determining what processes of
the company need to change and how those changes need to be implemented. Since
this effort will generally be cross functional as well as impacting all of the operating
areas of a company, in most cases a team will be required to make this evaluation.
One requirement must be that the standard picked for implementation should be
evaluated by an appropriate team to ensure that there are no changes to the standard
that are recommended for adoption by the company. This team evaluation process can
consume a significant number of man hours and is not without cost in and of itself.
· Alteration of internal processes.
Once the processes that must be changed have been identified, a plan must be
developed as to how these processes need to change in order to meet the requirements
of the standard. Developing these required changes and implementing them will require
time. Training employees on how the change of the systems will impact them and their
work also may require a significant amount of work.
Both of these costs are one time costs associated with the development of the
processes of implementing a consensus standard within a company. Although these do
need to be accounted for, they are not as significant as potential on-going costs
associated with making such a switch, such as:
· Costs of the design process.
Although the precision of the selection techniques which may be used can result in
lower installed costs for SIS using a consensus standard, both of the standards
addressed in this article require a significant amount of engineering labor in order to
meet the requirements for the design and documentation of the SIS. In many cases the
requirements of the standards may not be any more severe than internal standards
already being used by a company, but this potential cost needs to be evaluated and
accounted for in the decision, if there are significant differences.
· Costs of maintenance processes.
Because the consensus standards use a life-cycle approach to SIS, the costs which
may be added by switching to a consensus standard do not end with the design and
installation. There are testing, management of change, and decommissioning
requirements which must be met in order to maintain the required integrity of the
systems. These processes all have costs associated with them that a complete

accounting needs to consider.
Depending on the how closely existing internal standards match the safety life cycle of
the consensus standards, companies will have varying amounts of cost in switching to a
consensus standard. For most, there will be some additional cost incurred, although
this cost may be counter-balanced by the savings that can be found in other areas of
the process. One factor which should be considered, however, is if a company finds
that their systems are well below the requirements of S84.01 and switching to this
standard or another consensus standard will result in a significant expenditure of funds,
perhaps their current standards are not adequate for the task of ensuring the safe
design of SIS.
Recent evaluations at Eastman Chemical Company have shown that the costs of
switching to a consensus standard for several pilot projects have resulted in a slight
savings. These evaluations only account for the differences in cost for engineering,
design, and installation portions of the project. The ongoing maintenance costs, which
may be higher under the consensus standard, have not been accounted for. However,
these results are encouraging. Even if the maintenance costs result in a slightly higher
life cycle cost for the SIS under the consensus standard, the risk is better understood
and controlled under the new standard.
Which standard?
After evaluating the costs and benefits of switching to a consensus standard, the
committee charged with determining a path forward on this issue for Eastman Chemical
Company determined that switching was the desired option. Before presenting this as a
proposal to management a decision had to be made as to which consensus standard
would be followed. The two competing standards, S84.01 and IEC 61511, are
mentioned above, as is the indication that it is very likely that these two standards will
be harmonized in the near future. In order to be compliant with the future S84.01, it
would seem reasonable to adopt IEC 61511. However, it is important to understand the
differences between the two standards in making the determination of which one to
adopt.
The standards are very similar in their implementation. Some of the few significant
differences are:
· IEC 61511 is, in general, a broader and more prescriptive standard
IEC 61511 is more prescriptive in its approach which can be seen through out the
document when comparing it to the ISA S84.01 standard. As an example, ISA S84.01
specifies that a Process Hazards Analysis needs to be conducted but indicates that the
details of such a process are outside of the bounds of the standard. IEC 61511, on the

other hand, gives seven specific criteria which must be met by a "hazard and risk
analysis" in order to be compliant with the standard. Note, that most if not all of these
criteria would be met by a company covered by the PSM regulation in its PHA process
due to the PSM requirements. But the IEC standard is more prescriptive than the PSM
standard and might dictate a change to a company's PHA process and other
procedures due to its prescriptive nature.
· System architectural requirements for SIS under IEC 61511
The architectural requirements of IEC 61511 come in the form of "Requirements for
hardware fault tolerance." Required fault tolerance is given in terms of the SIL of the
SIS, the safe failure fraction of the sub-system, and the simplicity of the devices
specifically being concerned with the presence of microprocessors or other "smart"
devices as shown in Table 2. ISA S84.01 does not specify similar requirements for SIS.
The inclusion of this requirement in IEC 61511 can increase the required redundancy
above that otherwise required by the SIL.
· Additional documentation requirements under IEC 61511
Continuing its tendency to be more prescriptive, IEC 61511 is much more detailed about
the required elements of its safety requirements specification, requiring over 20
elements and a separate software safety requirements specification. The ISA S84.01
specifies 12 elements to be included. This is not to imply that the elements required by
IEC 61511 will not be needed in the specification, but the language of ISA S84.01
leaves a great deal of additional latitude to the company to develop their own guidelines
for SRS within the bounds set in the standard.
· Specific allowance for reliability of Basic Process Control System reliability in IEC 61511
For layers of protection for an event which do not meet the requirements of an SIS as
defined in the standard, but are implemented through the BPCS for the process in
question, IEC 61511 specifies that a risk reduction factor of 10 is the maximum
allowable value. ISA S84.01 is silent on this issue. While the value of 10 for an RRF is
reasonable in the absence of other data or any additional study, this value may be too
conservative in some cases and may dictate the use of a higher SIL SIS than would be
required if a more in-depth analysis of the BPCS layers of protection had been
conducted.
Based on the differences between the two consensus standards, a company has to
determine which standard to use. Eastman Chemical Company decided to base our
new SIS program on the current incarnation of S84.01 (1996). We did not feel that
there was enough additional value in IEC 61511 to justify using it over the current
edition of S84.01. But each company has to make this decision based on the merits of
the two standards.

Who will the change effect?
If a decision is made to change a company's standard from an internal to one of the

consensus standards, management will be the group that ultimately makes this
decision. Above we have discussed the issues which must be accounted for in making
a decision on this issue. However, before presenting a change that could be a large
one for an organization to management, it is also important to understand the various
groups and organizations that will be effected by this change. If possible buy in from
each of the effected groups should be sought prior to requesting approval from
management. Not only can this aid in obtaining approval for the change from
management, but can ease the process of implementation.
Because of the life-cycle approach taken in each of the standards, a large number of
groups can be affected to varying degrees.
· Engineering
Engineering work processes with regard to SIS can be impacted more than any other
group within an organization. A significant level of education is required in a company's
engineering organization in order to allow effective usage of the consensus standard.
This education will need to include expertise in conducting SIL calculations,
development of a database to store SIL calculations and documentation, indications on
how to deal with existing systems and grandfathering, development or acquisition of
calculation tools, and ensuring that failure rate data needs have been met to support the
required calculations. Training on appropriate documentation in Safety Requirements
Specification will be necessary and will help to ensure appropriate communication of
requirements to other engineers conducting detailed design of SIS. Note only does this
effective communication ensure that systems are designed and installed as intended,
but can reduce the cost of engineering projects.
· Safety
Several processes which are typically owned by a company's safety organization will be
affected by the change to a consensus standard. A company's Process Hazard
Analysis procedure will need to be updated to include the steps required for
identification of needed SIS. Since the risk management function is often maintained
within a company's safety organization, the safety function will likely own the LOPA
process for the organization or whatever process is used for the determination of
required SIL for a given scenario. Implementation of this technology in the safety
organization may require training of those personnel in LOPA or other risk evaluation
tools that will be used to determine required SILs. The use of these risk evaluation tools
to determine the required SILs may result in a significantly increased workload for this
group. If this function will be maintained in some other organization, then these issues

will impact that group instead.
· Maintenance
Maintenance may be significantly impacted by the change to one of the consensus

standards. Testing procedures are required for all SIS under the standards and there
must a system for keeping track of the testing requirements and scheduling. After
testing is conducted, results need to be documented and reported. Depending on the
level of maintenance that is conducted under existing standards, this may be a
significant increase in the required work load of the maintenance organization with
regard to SIS. On the other hand, if a company already has in place a well organized
preventative maintenance process, then only minimal changes may be required to the
maintenance organizations work practices.
· Operations
Operations needs to be aware of various factors that will impact them in the
implementation of the one of the consensus standards. The role of the operations
representative in any capital project will be impacted due to their need to understand the
standard so they can participate in the appropriate selection of Safety Integrity Levels.
After installation of a SIS under one of the consensus standards, operations may have
additional labor needs to meet the functional testing requirements if the testing
requirements in the consensus standard are more intensive than the testing
requirements in the existing company standard. Another aspect which can impact
operations from implementation of a consensus standard is that the requirements of the
testing frequency can constrain run times for the plant.
· Quality Assurance
The work processes of the organizations quality assurance organization may be

impacted depending on how the consensus standard is implemented. If this
organization is responsible for quality assurance on instruments or devices which are
used as part of SIS then they will have to take into account the requirements of the
standard in their work processes.
· Legal
Several issues will have to be tackled by the company's legal group. First of all, the
legal group should be responsible for making a recommendation to management on the
risk to the company of not having consistent standards across a corporation. If some
but not all of a company's sites are going to be transitioning to a consensus standard,
there may be additional liability for those sites, and therefore for the corporation, which
are operating under an old company standard or no standard at all. The legal group
should also address any grandfathering issues as most companies will continue to have
operating areas which have SIS designed under old corporate standards or which were
not based on a standard but on the "good engineering practice" at the time of the

installation.
Conclusion
Eastman Chemical Company has wrestled with the issues that need to be addressed in
making the decision to adopt a consensus standard for the design, implementation, and
operation of safety instrumented systems. This process of decision making involves
issues of cost and benefit that include many intangibles that must be taken into account.
This paper has attempted to document these issues so that other companies dealing
with this decision might get a head start based on Eastman's findings as we have gone
through this process. Eastman has arrived at the decision that an internal standard
based on ISA S84.01 (1996) meets the needs of our company. Other companies,
depending on their independent evaluations, may very well arrive at different answers to
this question.
Eastman Chemical Company is now in the early stages of implementation of this

standard. New wrinkles may be uncovered and additional learnings made as we go
through the process of integrating this standard into our work processes. If so, this
paper may be the first in a series that can hopefully assist others as they attempt to
make the decisions that will allow their own companies to better manage their risks.
References
1. ANSI/ISA-84.01-1996 - Application of Safety Instrumented Systems for the Process Industries.

Research Triangle Park, NC: ISA, 1996.
2. U.S. Department of Labor Occupational Safety and Health Administration. OSHA Standards
Interpretation and Compliance Letters, 3/23/2003 - "Compliance with PSM and
ANSI/ISA-S84.01 for safety instrumented systems."
3. International Electrochemical Commission. "Functional Safety of
Eletrical/Electronic/Programmable Electronic Safety-Related Systems," IEC 61508. Geneva:
IEC, International Electrochemical Commission.
4. International Electrochemical Commission. IEC draft standard 61511, Part 1, "Functional Safety:
Safety Instrumented Systems for the process industry sector," IEC 61511. Geneva: IEC, 1999.
Fault Tree and Layer of Protection Hybrid Risk

Analysis(2)
Marc Rothschild, P.E.
Rohm and Haas Company

Engineering Division
3100 State Road
Croydon, PA 19021
(215) 785-7327
mrothschild@rohmhaas.com
ABSTRACT
Layer of Protection Analysis (LOPA) is a relatively quick and straightforward method for
quantifying risk. However, LOPA may be inadequate if used for compound failures
when the required failure rate data is not available or when the failures are not
independent. Fault Tree Analysis (FTA) can be used in these situations. FTA is
designed to thoroughly and accurately evaluate compound failures and account for any
dependencies between failures. If necessary, FTA can augment LOPA, combining the
best qualities of both methods into one powerful hybrid tool for risk analysis.
1. INTRODUCTION
Layer of Protection Analysis (LOPA) is a simple and effective method for quantifying
PHA's (such as HAZOP's and What-If's) by linking causes of failure with their
safeguards. This quantification enables the analyst to prioritize the recommendations
made by the PHA team. Furthermore, by associating cost with the various
consequence levels, a LOPA can be used to perform a cost-benefit analysis. Many
papers have been written on applications of the LOPA technique; examples are given in
the references [1-5].
LOPA is a natural step following a HAZOP or What-If. These PHA studies identify the
potential initiating causes and the safeguards of each identified consequence. A LOPA
then evaluates the frequency of each consequence by quantifying the expected failure
rate associated with the initiating cause and the probability of failure upon demand
(PFD) of the safeguards. Also included in the LOPA equation are estimates of the
conditional likelihood of exposure (presence factor) and the vulnerability of the exposed
person to the consequence (likelihood of fatality given exposure). For flammable
consequences, an additional term is used to estimate the conditional likelihood of
ignition of the release. The LOPA equation for a given scenario takes the following
form:
While the uncertainty in the failure rate data precludes accurate analysis, LOPA is a

powerful tool for prioritizing scenarios when order-of-magnitude accuracy is sufficient.
Due to its ease and efficacy, LOPA is often the first approach taken in quantifying risk.
However, one must be cautious when applying LOPA, because it has limitations.
The failure rate data required for a LOPA are generally only available for component
failure and human error, but many failures are compound events that consist of
combinations of these basic failures. The failure rates of these compound systems
cannot be directly derived from the basic failure rate data. Another limitation is that the
safeguards must be independent of each other and of the initiating event, and that the
initiating events must be independent of each other. Otherwise, the LOPA will
underestimate the consequence frequency. Interdependence may be apparent, such
as failure of a shared component. At other times, the shared dependence may be less
obvious, and common cause failure could result from conditions such as loss of
instrument air, a process upset, or even from flawed maintenance practices.
Fault Tree Analysis (FTA) can be used when the above limitations restrict the
applicability of a LOPA. Unlike LOPA, FTA can evaluate interdependent and compound
failure events. FTA provides an additional benefit by producing a failure map that
assists the analyst in identifying the strengths and weaknesses of the entire system.
While FTA offers many benefits over LOPA, FTA is less intuitive than LOPA and FTA
requires specialized training and software. Therefore, it is desirable to apply both of
these analytical techniques, combining the power of the fault tree with the simplicity of
the LOPA.
Section 2 introduces a simple example and demonstrates the limitations of the LOPA
approach. Section 3 introduces FTA and shows how fault trees can overcome those
limitations. Finally, Section 4 shows how fault tree and LOPA methodologies can be
combined into a hybrid analytical tool.
2. ILLUSTRATION OF LOPA LIMITS
Figure 1 presents a simple process flow diagram. This process involves unloading a
toxic chemical from a tank truck into a storage tank. The operator monitors the level
gauge (LG) and calls for a delivery when the tank level is low enough to sufficiently
store the transfer. It is very important not to overfill the tank, since it would result in a
toxic spill from the overfill line. To prevent overfill, there is an independent high-level
transmitter (LT). Signals from both level instruments are sent to a logic solver. If either
of these level instruments gives a high reading, then a signal is sent from the logic
solver to an isolation valve, shutting off the charge to the tank.

The challenge is to determine the frequency of overfilling the tank:
The frequency of the initiating cause is the frequency at which the tank is filled. There
are two safeguards against overfill. The primary safeguard is the tank operation. The
operator is trained and instructed to only place an order when the tank is low (as
indicated by the level gauge). The backup safeguard is the high-level control that shuts
off the feed before the tank can be overfilled.
Expanding the above equation:
Although this equation is not complex, it nevertheless cannot be solved directly using
LOPA. Both of the safeguards are compound failure events and therefore are unlikely
to be found in failure rate databases. The PFD for tank operation is straightforward, and
an experienced analyst would recognize that this compound PFD simply consists of the
sum of the PFD of a false low reading from the level gauge plus the PFD of the operator
ordering a truck transfer despite the level being too high. On the other hand, the PFD
for the high-level protection is more complex and cannot be intuitively solved.
Furthermore, there is interdependence between the two PFDs since they both rely on
the level gauge. Ignoring this commonality would result in under-predicting the failure

rate because the failure of the level gauge can undermine both safeguards.
3. FAULT TREE ANALYSIS
This section includes a brief overview of FTA. It is not possible to provide a

comprehensive description in the space allotted. Fortunately, for those unfamiliar with
this technique, there are texts available on the subject [6-9].
A fault tree is a logic diagram showing how systems can fail. The first step is to define
the issue of concern, which is referred to as the "Top Event." The next step is to identify
the immediate, necessary and sufficient causes for the Top Event. This process is
repeated until the causes are dissected all the way to basic events.
Figure 2 presents a fault tree for the example given in Section 2 and Figure 3 gives a
key to the fault tree symbols. This fault tree shows that the tank can be overfilled if the
tank truck arrives to fill the tank AND both safeguards fail. The primary safeguard is the
tank operation, which fails if the level gauge reads lower than the actual tank level OR if
the operator neglects the level reading and accepts the transfer. The secondary
safeguard - the high level shutoff - fails if BOTH the level gauge and the level
transmitter measure lower than actual tank level OR if the logic solver fails OR if the
shutoff valve fails to close upon demand. Note that the failure of the level gauge is
common to both safeguards, thus making them interdependent.

Figure 2 - Fault Tree for Sample Problem
The following failure rate data 1 is applied to the fault tree to illustrate how fault trees
evaluate compound failure events.
Applying the above failure data, the PFD for the safeguards can be determined. Note
that the PFD of both safeguards failing (0.0049) is higher than the value calculated by
the LOPA approach of multiplying together the probability of failure of the individual
safeguards (0.03 x 0.11 = 0.0033). This higher failure rate is the result of the common
cause failure of the level gauge, which would have been neglected in the LOPA . 2
1 This failure rate data is fictional and is selected for illustrative purposes only.

2 There are actually three likely LOPA approaches. In addition to ignoring the
interdependency of the events, as given, the LOPA analyst, after recognizing the
common failure between the safeguards, may elect to only count one of the safeguards.
This approach results in an overestimation of the risk. Alternatively, the analyst may
break the scenario into its component failures, which essentially is the approach taken
by the FTA.
4. COMBINING FAULT TREES WITH LOPA'S
Despite the fact that some safeguards or initiating events are interdependent or are too
complex to apply look-up failure rate data, one does not necessarily have to sacrifice
the simplicity of a LOPA. Instead, the two techniques can be combined, conducting a
FTA where necessary to augment a LOPA. The fault tree (Figure 2) gives the PFD for
the combined safeguards of the example problem, which are compound events that
share a common basic event. The resulting PFD for the combined safeguards can then
be inserted into the LOPA formula as shown:
The user can then combine the above scenario with the LOPA analysis for the other
scenarios in the study. In this application, the fault tree analysis is used as a splint to
combine two or more failure events that are interdependent.
Fault trees can also be developed in advance to solve for commonly-used architecture.
Figure 4 shows examples of fault tree solutions for selected control schemes. These
pre-solved fault trees could be used by the analyst to quickly evaluate the effectiveness
of different control configurations as potential mitigation measures.
5. CONCLUSIONS
Layer of Protection Analysis (LOPA) is a very useful tool for prioritizing hazard
scenarios and making risk-based decisions. However, it has limitations. LOPA requires
that safeguards and initiating events be independent of each other. In addition, the
failure rate data required by LOPA are generally only available for basic safeguards and

initiating events and not for compound events. Fault Tree Analysis (FTA) is a very
useful tool when LOPA does not apply. Unlike LOPA, FTA can evaluate interdependent
and compound events. FTA also provides a visual failure map, assisting the analyst in
better understanding the overall system. While FTA is very versatile, it requires
specialized training and software and is not as intuitive as LOPA. Both methods have
their respective limitations, but they can be synergistically combined to provide a
powerful hybrid quantitative risk analysis tool.
Scenario: If the logic solver receives an input indicating an abnormal condition, it will
send a signal to the control device so that it takes corrective action.
Scenario: There are two inputs to the logic solver. If either input indicates an abnormal
condition 4, then the logic solver will send a signal to the the control device so that it
takes corrective action.

3 The equations in this figure use Boolean Algebra.
4 i.e., input to logic solver fails if both Input A and Input B fails
Scenario: There are two inputs to the logic solver. If both inputs indicate an abnormal
condition 5, then the logic solver will send a signal to the control device so that it takes
corrective action.

Scenario: There are three inputs to the logic solver. If two out of three inputs indicate
an abnormal condition, then the logic solver will send a signal to the the control device
so that it takes corrective action.
Figure 4 - Failure Analysis for Selected Control Configurations (Cont.)
5 i.e., input to logic solver fails if either Input A or Input B fails as both are required to

signal the logic solver to take action.
REFERENCES
1. Dowell, A.M. III. "Layer of Protection Analysis: A New PHA Tool, After HAZOP,
Before Fault Tree Analysis," in 1997 International Conference and Workshop on Risk
Analysis in Process Safety. New York: American Institute of Chemical Engineers, 1997.
2. Center for Chemical Process Safety (CCPS), Layer of Protection Analysis,

Simplified Process Risk Assessment. New York: American Institute of Chemical
Engineers, 2001.
3. Dowell, A.M. III, "Layer of Protection Analysis and Inherently Safer Processes,"
Process Safety Progress, vol. 18 no. 4, pp 214 - 220, 1999.
4. Baybutt, P., "Human Factors Analysis for Process Safety - Apply LOPA-HF to a
Fired Furnace," Hydrocarbon Processing, vol. 82 no. 4, pp 79 - 83, 2003.
5. Crowl, D.A. and Louvar, J.F., Chemical Process Safety - Fundamentals with
Applications, 2nd ed., pp. 500 - 507. Upper Saddle River, NJ: Prentice Hall PTR, 2002.
6. U.S. Nuclear Regulatory Commission, Fault Tree Handbook (NUREG-0492).

Washington, D.C., 1981.
7. Center for Chemical Process Safety (CCPS), Guidelines for Chemical Process
Quantitative Risk Analysis, 2nd ed., pp 304 - 322. New York: American Institute of
Chemical Engineers, New York, NY, 2001.
8. Lees, F.P., Loss Prevention in the Process Industries, 2nd ed., pp 9/13 - 9/31.
Oxford: Butterworth-Heinemann, 1996.
9. Crowl, D.A. and Louvar, J.F. , Chemical Process Safety - Fundamentals with
Applications, 2nd ed., pp. 491 - 499. Upper Saddle River, NJ: Prentice Hall PTR, 2002.
Oxidation Reaction Safeguarding with SIS(3)
Edward M. Marszal, PE, CFSE (emarszal@exida.com)

Kevin J. Mitchell, PE, CFSE (kmitchell@exida.com)
Exida
2929 Kenny Suite 225
Columbus, OH 43221
(614) 451-7031
ABSTRACT
A variety of useful chemical compounds are economically produced using catalyzed

oxidation reactions. These products include many common organic acids and
anhydrides, industrial alcohols, and organic peroxides. Safely conducting catalyzed
oxidation reactions on an industrial scale is a core competency of many chemical
companies. However, there is a history of numerous incidents involving fire and
explosion in oxidation reactors, and these accidents are compelling reminders of the
hazards of oxidation reactions.
The primary hazard that is common to these technologies is the use of oxygen - either
in air, enriched air, or pure form - as a reactant in contact with a combustible
hydrocarbon, which is used either as a reactant or a solvent. Oxidation reactor design
typically involves ensuring that residual oxygen levels in equipment are sufficiently low
that they do not support combustion. This strategy safeguards against ignition of a
flammable gas mixture within the reactor or downstream separation equipment.
Normally, the basic process control system regulates the process chemistry and avoids
potentially dangerous excursions involving high oxygen concentration. However, upset
conditions often occur, and one of the commonly-employed safeguards to prevent an
explosion is a Safety Instrumented System (SIS).
This paper explores some of the common risks that are encountered in oxidation
process reactor sections. The paper also describes the instrumented safeguards that
are typically used to prevent these risks from being realized and addresses some of the
important details that should be considered during their design.
1.0 INTRODUCTION
Catalyzed oxidation reactions allow for a variety of useful chemical compounds to be

economically produced. These products 1 include many common organic acids and
anhydrides, industrial alcohols, and organic peroxides, as shown below.
· Terephthalic Acid (PTA)

· Isophthalic Acid (PIA)

· Phthalic Anhydride
· Adipic Acid
· Maleic Anhydride
· Phenol / Cumene Hydroperoxide (CHP)
· Butandiol, 1,4-
· Acrylonitrile
· Ethylene Oxide
Safely conducting catalyzed oxidation reactions on an industrial scale is a core

competency of many chemical companies. However, there is a history of numerous
incidents involving fire and explosion in oxidation reactors, and these accidents are
compelling reminders of the hazards of oxidation reactions. Loss of control of an
oxidation reaction can result a reactor explosion, with the potential for worker injury,
significant environmental and property damage.
The primary hazard that is common to these technologies is the use of oxygen - either
in air, enriched air, or pure form - as a reactant in contact with a combustible
hydrocarbon, which is either as a reactant or a solvent. Oxidation reactor design
typically involves ensuring that residual oxygen levels in equipment are sufficiently low
that they do not support combustion. This strategy safeguards against ignition of a
flammable gas mixture within the reactor or downstream separation equipment.
Normally, the basic process control system regulates the process chemistry and avoids
potentially dangerous excursions involving high oxygen concentration. However, upset
conditions often occur, and one of the commonly-employed safeguards to prevent an
explosion is a Safety Instrumented System (SIS).
The purpose of the SIS is to automatically return the process to a safe state when
pre-determined safety conditions have been violated. They are often referred to as
emergency shutdown systems, or safety interlock systems. ISA 84 defines a SIS as "a
system composed of sensors, logic solvers, and final control elements for the purpose
of taking a process to a safe state when predetermined conditions are violated".
Design of SIS for oxidation reactor safety is governed, in part, by recent industry
consensus standards from ISA and IEC. 2 These standards employ a
performance-oriented approach in that they allow each individual company to define
performance goals based on achieving a required amount of risk reduction rather than
prescribing the hardware design of the SIS. Exida has performed numerous
conceptual design projects involving SIS for oxidation reactors. This paper will illustrate
some of the common Safety Instrumented Functions (SIF) used in oxidation reactor
technology and illustrates practical application of the ISA and IEC standards.

1 This abbreviated list of substances was generated using catalyzed oxidation reactions
was generated by reviewing the licensed processes shown in the Petrochemical
Processes Special Report section of the March 2003 Edition of Hydrocarbon Processing
Magazine. The list presented here is only intended to give a small example of the
numerous catalyzed oxidation reactions utilized the in the chemical processing
industries.
2 Instrumentation, Systems, and Automation Society (ISA), ANSI/ISA S84.01,

Application of Safety Instrumented Systems for the Process Industry, 1996.
International Electrotechnical Commission (IEC), IEC 61508, Functional Safety of
electrical/electronic/programmable electronic safety-related systems, First Edition, 1998.
IEC 61511, Functional Safety: Safety Instrumented Systems for the Process Sector,
FDIS, 2001.
2.0 GENERAL PROCESS DESCRIPTION
Commercial catalyzed oxidation reactions can take a number of forms. The primary
difference between reaction types is the phase of the hydrocarbon reactant and the
phase and type of catalyst used in the reaction. This white paper will focus on reactions
where the hydrocarbon reactant (and reaction products) is in the liquid phase, and the
catalyst for the reaction is also a liquid.
Figure 1 presents a typical process flow for the reaction section of a plant that employs
a catalyzed oxidation reaction. The process mainly consists of a reactor vessel with an
agitator. In some cases, the reactor may be jacketed to maintain the temperature of the
reaction mixture.
Figure 1 - Typical Configuration of Process Section of Oxidation Process

The reactor is typically fed with two streams, the oxygen containing stream and the
hydrocarbon stream. The oxygen containing stream varies, depending on process,
from pure air to pure oxygen. When air is used, the air is typically compressed and fed
into the reactor under pressure. In some cases, air is "spiked" with pure oxygen to
make the reaction conditions more favorable. In other cases, the reaction is run using
pure (chemical grade) oxygen.
The hydrocarbon feed is typically pumped into the reactor from a feed surge drum or
feed mix tank. The liquid catalyst is either added directly to the feed mix in the feed mix
tank, or continuously metered into the reaction vessel, sometimes through a separate
process connection.
The reaction off gas is a combination of unreacted hydrocarbon feed, inert materials in
the hydrocarbon feed, nitrogen (from the air feed), and a small amount of unreacted
oxygen. The product is typically withdrawn in the liquid phase along with excess
hydrocarbon feed materials and catalyst.
The reaction occurs in the liquid phase. The air and oxygen feed is injected into the
liquid full portion of the reactor, which is agitated. The combination of agitation injection
of gases acts to partially fluidize the reaction bed. The reaction is conducted using

excess hydrocarbon feed in order to limit the amount of unreacted oxygen leaving with
the off gas. The reaction can occur in either a continuous process or a batch operation.
3.0 PROCESS HAZARDS
The primary hazard involved in the reaction section (and downstream separation
equipment) is the potential for the occurrence of flammable mixtures of hydrocarbon
and oxygen occurring in the process equipment. If a source of ignition is put in contact
with any flammable mixture that might be generated in the process, the result could be
a fire or explosion.
The desired reaction in virtually all of the commercial oxidation processes are catalyzed
to allow the creation of a valuable and desired product. In addition to use of the proper
catalyst, the desired reaction path may also depend on appropriate temperature,
pressure, and bed fluidization (mixing) in the reaction vessel. If all of these conditions
are not present in the reactor system there is a potential for the desired reaction to fail
to occur. This will then result in unreacted oxygen and hydrocarbon accumulating in a
potentially flammable mixture in the reactor vapor space, and downstream equipment.
If a flammable mixture develops outside of the liquid reaction mixture inside the reaction
vessel, ignition will lead to the uncatalyzed and undesired side reaction where oxygen
and the hydrocarbon combust to form carbon dioxide, carbon monoxide, water, and
various other reaction products. This undesired side reaction proceeds very rapidly and
very exothermically given that a flammable mixture is present. The reaction will likely
result in an explosion in the vessel where the reaction occurs, or loss of containment
and a potential fireball if a fire occurs in the vessel instead of a sudden explosion.
4.0 INCIDENT CASE HISTORIES
1969 explosion in a Reactor Producing an Organic Acid
This operation involved a batch oxidation reaction. After the reactor was charged, air
was introduced to begin the reaction. Because a grossly insufficient amount of
hydrocarbon reactant was charged to the reactor, the reaction terminated unexpectedly
after only 10 minutes, at a time when air flow had been ramped up to a maximum rate.
As the reaction died off, oxygen concentration in the vent system began to rise rapidly.
At the same time the temperature of the batch decreased because the reaction had
stopped producing heat. Both conditions resulted in the vapors in the reactor vent
entering the flammable operating region. The explosion caused extensive damage to
the reactor and associated equipment.

1973 explosion in a Cumene Oxidation Reactor
Enriched air was being used to oxidize cumene to produce phenol. The plant had
experienced plugging in the air distribution header to the oxidation reactor. These
deposits were removed by flushing liquid back from the reactor through the header.
During this procedure air flow had to be positively isolated. On the day of the incident
two valves were left partially open in the air header. Enriched air entered the pipe and
reacted with the hydrocarbon liquid. The pipe ruptured and ignited immediately,
creating a massive fire that destroyed the entire plant.
This oxidation reactor system involved continuous feed of catalyst to control the
reaction. On the day of the incident, the reaction was proceeding normally, when it was
discovered that the catalyst flow had been interrupted. An operator was sent to
investigate and found that a manual block valve had been closed on the catalyst
addition system. By the time the problem was corrected, the reaction had died off and
oxygen levels were rapidly climbing in the reactor overhead system. The explosion
blew off the vapor outlet line from the reactor and damaged associated piping.
This batch oxidation reactor system used the concentration of oxygen in the overhead
as read by analyzers as a key parameter in determining when a reaction had
terminated. Increasing oxygen concentration in the overhead system indicated that the
hydrocarbon reactant had been completely oxidized. On the day of the incident,
operators were having problems with the oxygen analyzers causing them to periodically
give a false high oxygen spike and subsequently cause the reactor to suddenly
shutdown. During an attempt to re-start the reaction, operators disabled the oxygen
analyzers. Operators were being taxed with other operational problems in downstream
separation equipment at the time the explosion occurred. It turned out that because the
oxygen analyzers had been disabled, the control system did not terminate air flow to the
reactor when the reaction had been completed. Minor damage to reactor equipment
resulted from this explosion.
During the day prior to the explosion, an operational problem resulted in the reactor
being put in a hot hold condition. Air was isolated from the reactor and its contents
were kept hot in anticipation of a reactor restart. Over many hours, air slowly leaked
into the reactor past the air isolation valve, which was either leaking or left slightly open.

Oxygen concentration built up in the reactor's vapor space, but this remained
undetected. An explosion occurred, which was relieved through the reactor's
emergency pressure relief device.
During the initiation of the batch reaction, operating conditions (temperature and
pressure) drifted into the flammable operating region. Operators activated an inert gas
dilution system in an attempt to re-establish the reaction. They also disabled the
oxygen analyzers which would have shutdown the reactor on high oxygen
concentration. However, operators were unable to re-establish temperature and
pressure control within normal operating limits. Less than 10 minutes after the start of
the reaction, an explosion occurred, resulting in major damage to the reactor vessel,
and its associated instrumentation.
A leak in an air line internal to the oxidation reactor occurred. This allowed air to directly
enter the reactor's vapor space and bypassed the air sparging system at the bottom of
the reactor. A fire in the vapor space broke out immediately, and this actually depleted
the concentration of oxygen in the overhead system. Reactor temperature
measurements shot up rapidly. Within minutes overhead piping on the reactor failed
due to overtemperature. The reactor contents were ejected under pressure and
extensive fire damage resulted from this incident.
1999 explosion in an Air Line to an Oxidation Reactor
An operational upset occurred in a reactor producing an organic acid. Solvent from the
reactor back-flowed into an air feed line due to problems maintaining the required
differential pressure between the air line (normally higher pressure) and the reactor
(normally lower pressure). On subsequent re-start of the reactor, enriched air was
introduced into the feed line which started oxidation and combustion reactions with the
solvent contained in the line. Field operators noticed the air feed line was glowing
"cherry red". Within seconds, the line failed and a large fireball erupted.
2000 explosion in an Ethylene Oxide Manufacturing Plant
An explosion and fire occurred in the ethylene oxide manufacturing unit. Problems with
an oxygen analyzer resulted in a decision to disable the device. This key safeguard
normally monitored residual oxygen concentration in the process. Over a period of
time oxygen concentrations increased above safe operating limits. Subsequently a

detonation occurred resulting in extensive damage to the plant.
Lessons Learned
These case histories emphasize several key lessons which have been learned from
oxidation reactor accidents, including:
· Ensure that residual oxygen concentrations are - at all times - well outside the flammable
operating region.
· Ensure that the oxidation reactor is shutdown and air isolated upon detection of high residual
oxygen concentration.
· Use pressure and temperature measurements to predict an approach to a flammable operating
condition and initiate a reactor shutdown.
· Ensure operating pressures are maintained that do not allow flammable or combustible materials
to backflow into air feed lines to the reactor.
These lessons bring the topic of Safety Instrumented Systems to the forefront of the
discussion on how to design and operate oxidation reactors safely.
5.0 SAFETY FUNCTIONS
Safe operation of oxidation reactors is primarily achieved through careful control of the
reactor operating conditions. The temperature and pressure of the reaction, along with
the oxygen concentration in the vent system will determine whether the system is within
the flammable operating region or outside (i.e., either fuel rich or fuel lean). At any
given time, the operator must ensure that the process is not entering in the flammable
region or even approaching it. This is often accomplished by either monitoring oxygen
concentration in the process directly, through oxygen analyzers, or predicting a
potentially flammable condition by using a combination of pressure and temperature
measurements.
The basic process control system (BPCS) regulates normal process behavior. The
normal operating conditions are set such that they are well outside the flammable region
and they typically use a robust safety factor to ensure a wide margin of safety (See
Figure 2). Safety critical alarms are set such that when process conditions deviate from
normal operating ranges, operators have ample opportunity to intervene and correct the
abnormal situation. Exida's experience in oxidation reaction technology shows that in
most cases, operator intervention is successful in terminating a reaction before
dangerous operating conditions develop.
Figure 2 - Layers of Protection

However, many companies who conduct oxidation reactions have adopted a philosophy
that operator intervention alone is not a sufficient safeguard. This best-practice
philosophy dictates that when certain pre-defined safety conditions are violated, control
is taken away from the operator by the SIS, and the process is immediately brought to a
safe state in an orderly manner. A logic solver, such as an industrial safety-rated
Programmable Logic Controller (PLC), is used to continuously monitor process
variables and initiate a safe shutdown. This logic solver is usually separate from the
BPCS.
An oxidation reaction system will typically have between 5 and 15 Safety instrumented
Functions. A safety instrumented function (SIF) is a set of specific actions to be taken
when specific safety limits have been violated, and thereby will move the process from a
potentially unsafe state to a safe state. On the other hand, a Safety Instrumented
System (SIS) is the collection of equipment (sensors, logic solver, and final control
elements) used to perform the SIF. Multiple SIF are often implemented in a single,
complex SIS. Using the perspective of a Safety PLC, there can be many individual SIF
that are executed in that single Safety PLC.
Some of the typical SIF found in oxidation reactors are shown in Table 1:

Additional SIF are typically used when enriched air is used in the reaction. The
objective of these additional SIF is to ensure that oxygen concentration in the enriched
air header does not exceed a certain pre-defined safe operating limit.
6.0 SIS IMPLEMENTATION
The ISA and IEC consensus standards guide the user in ensuring that high-availability
safety systems are designed, installed, operated, and maintained in a manner that will
promote ongoing integrity of plant operations. The performance-oriented nature of the
standards allows for flexibility in implementing an approach that fits within a company's
overall risk management framework, but it also requires a fundamental understanding of
what SIS are required to do, and how well they need to perform to adequately manage
risk.
An effective SIS design only begins with defining the Safety Instrumented Functions for
the oxidation process. Establishing the key performance measurement for a SIF is the
next step in the safety lifecycle shown in Figure 3. This is known as the Safety Integrity
Level (SIL).

Companies are now specifying Safety Integrity Levels (SIL) based on the amount of risk
reduction that is required to achieve a tolerable risk level. The SIS is then designed to
meet or exceed this level of performance. The SIL represents the amount of risk
reduction that is required from a Safety Instrumented Function (SIF), and it is
categorized based on the average Probability of Failure on Demand (PFDavg) as shown
in Table 2.

The actual Safety Integrity Level that is selected for each SIF has an enormous impact
on the design and testing requirements. Some of the most significant impacts are
exhibited in the following areas:
Architecture - A SIL1 design can usually be achieved using a single input / single output.
However, if a SIL 2 or higher is required, a fault tolerant design may need to be employed, such
as 1-out-of-2 (1oo2) voting on redundant oxygen analyzers. While this fault tolerance can result
in significant improvements in Probability of Failure on Demand (and thus the achieved SIL
level), it also can also significantly increase the frequency on nuisance trips due to
instrumentation failures. A robust design must meet the required SIL as well as minimize the
likelihood of a nuisance trip. Requiring a Safety Function to meet a SIL 3 requirement is
possible, but often cost prohibitive.
· Testing - Air isolation valves in a SIS normally remain energized for very long periods of time
before a demand is placed upon them, when they are required to quickly de-energize and to
isolate the process. This results in an situation where an effective test of the SIS is the only way
to ensure that a component has not failed in such a way that will defeat the entire system. More
frequent testing decreases the probability that the system will fail when a demand is placed upon
it. A higher Safety Integrity Level will often result in a requirement to test the system more often.
Scheduling and completing this testing can be problematic for plants that have large on-stream
times.
In addition to the quantitative requirements of ISA 84.01, the standard also lists a
number of design criteria that must be considered and specified. These items include
such considerations as:
· Tightness of shutoff
· Failure characteristics upon loss of utility (e.g., fail-open or fail-closed valves)

· Response time
· Required diagnostics, etc.
7.0 CONCLUSION
The historical record of accidents involving oxidation reactions is compelling evidence

that process safety should not be taken lightly in such systems. Most of these accidents
have occurred as the result of undesired high levels of oxygen in areas where oxygen is
not desired, resulting in flammable atmospheres. In many cases, the risk posed by
these hazards is reduced through the use of Safety Instrumented Systems. Some
typical safety instrumented functions of oxidation reactors might include:
· Isolation of air upon detection of high reactor vapor space oxygen concentration
· Isolation of air upon detection of potential reverse flow of reactant into the air system
· Isolation upon detection of a fire in the air system
· Isolation upon detection of unfavorable reaction conditions (e.g., low temperature and high
pressure)
If you use Safety Instrumented Systems, you should ask if they have been designed,
operated, and tested as per the requirements of ISA 84.01. If not, you should begin to
carefully scrutinize your systems. They key questions you need to have answered are:
· How much risk reduction does our current SIS technology provide? Have we calculated a
Probability of Failure on Demand for the system
· How much risk reduction do we need? Has this requirement been documented so we can justify
our decisions?
· Does the existing design have sufficient amount of redundancy and fault tolerance to meet our
risk reduction requirements?
· How often should our SIS be tested in order to ensure we meet our risk reduction requirements?
· Have all design requirements for the SIS been appropriately specified, including tightness of
shutoff and process safety time?
If you don't have answers to these questions, or haven't started any of the steps in the
safety lifecycle, you may need to take action.
The Assignment of SIL Targets for Complex Systems(4)
Kimberly A. Dejmek, CFSE, PE and Ken A. Wehrman, Ph.D.
Baker Engineering and Risk Consultants, Inc.

4100 Greenbriar, Suite 130
Stafford, Texas 77477
United States of America
281-491-3881 ph., 281-491-3882 fax
Kdejmek@BakerRisk.com
Key Words: Safety Instrumented Systems (SIS), Safety Integrity Level (SIL),
Quantitative Risk Analysis (QRA)
Prepared for presentation at the 38th Annual Loss Prevention Symposium, New
Orleans, LA,
April 26-29, 2004, Session T7003: Safety Instrumented Systems/Layers of Protection
Analysis
Copyright ©, K.A. Dejmek and K.A. Wehrman, Baker Engineering and Risk Consultants,
Inc.
December 2003
Unpublished
ABSTRACT
The assignment of performance targets, or target Safety Integrity Levels (SILs), is a

critical step in the application of the Safety Instrumented System (SIS) standards, i.e.,
ANSI/ISA S84.0.01-1996, IEC 61508 and IEC61511. Although the SIL is a key concept
in the implementation of the standards, the development and application of a method for
determining the target SIL has been left to the owner/operator. However, the standards
do provide guidance on this topic and present a number of techniques that can be
considered, including risk matrix, risk graph, and Layers of Protection Analysis (LOPA).
Generally, the methods for SIL assignment are qualitative or semi-quantitative risk
assessment methods based upon the judgment of an assignment team. In most cases
the methods based on expert opinion and limited historical data are adequate.
However, in the case of reactive and other complex systems, the number and
complexity of the scenarios often overwhelm these simplified approaches. There are
warning signs that can aid in the identification of cases where the simplified methods
may break down and provide non-conservative results. In cases such as this, a
quantitative assessment should be conducted to evaluate the likelihood of Safety
Instrumented Function (SIF) demands and the risk reduction supplied by the other
protection layers, with the aim of determining the risk reduction required from the

instrumented system.
INTRODUCTION
Although pressure relief devices are generally required for all pressure vessels, the
difficulty in providing safe, adequate and reliable relief for many reactive systems may
make over-pressure prevention rather than mitigation a more attractive option. Safety
Instrumented Systems (SIS) can therefore be a critical protection layer for these
systems. tend to be quite complex, which can complicate the selection of a performance
target for SIS in this service.
In February of 1996, the ISA (The Instrumentation, Automation, and Systems Society)
approved their standard entitled Application of Safety Instrumented Systems for the
Process Industries (ANSI/ISA 84.00.01-1996)[1], and in 2003 the IEC (International
Electrotechnical Commission) promulgated IEC 61511: Functional safety - Safety
instrumented systems for the process industry sector[2-4]. One basic concept of these
standards is the definition of the Safety Integrity Level (SIL) for each Safety
Instrumented Function (SIF) within the Safety Instrumented System (SIS). The SIL
defines the safety performance criteria for the function and assigning the target requires
an allocation of a portion of the overall required risk reduction to the safety instrumented
function.
Figure 1 presents a graphical representation of the philosophy that serves as the basis
for SIL target selection. Each undesirable outcome that will be influenced by the SIS is
considered independently. The "inherent process risk", which is represented by the red
arrow at the bottom of the figure, is evaluated based upon the expected likelihood and
severity of the undesired event. Each of the available protection layers is identified and
the associated risk reduction estimated. The green arrows represent the number and
type of protection layers and provide an indication of the level of risk reduction
associated with each. These layers include passive protection; basic process control,
alarms, and operator intervention; the SIS; and event mitigation, which includes relief
and flare systems, fire and gas detection and suppression, and emergency response.
In this figure, each of the green arrows is the same size, however, for a specific event,
the level of risk reduction provided by the various protection layers can vary. The
concept of a SIL target is expressed in this figure through the size of the green arrow
labeled "SIS". The SIL target directly expresses the risk reduction that is expected from
the SIS for a particular scenario.
Although SIL is a key concept in the implementation of the standards, the development
of a method for determining the target SIL has been left in the hands of the
owner/operator. The standards do provide some guidance on this topic and include a
number of example methods to consider. The available methods range from purely

qualitative evaluation, up to and including quantitative risk analysis (QRA).
In general, these methods utilize a set of tools to guide a multi-disciplinary team in the
selection of the target SIL. The assignment of a target SIL for a particular SIF typically
requires the consideration of:
· Event likelihood,
· Event severity, and
· Effectiveness of the non-SIS protection layers.
In the evaluation of most events, this is a straightforward process effectively addressed

through a qualitative or semi-quantitative approach. However, there are scenarios that
are too complex to be addressed by any of the less rigorous methods. Reactive
systems, which generally have numerous potential initiators of high reaction rates and a
reliance on a small set of actions to take the process to a safe state, typically fall into
this category.
SIL SELECTION PROCESS
The Safety Integrity Level, or SIL, is specified as one of four discrete levels, as defined
by Table 1. The SIL specifies "the safety integrity requirements of the Safety
Instrumented Function to be allocated to the Safety Instrumented Systems [2]." Each
SIL level is defined by a range of target average probability of failure on demand

(PFDavg).
In selecting the target SIL, there is a basic thought process that is addressed by most of
the methods. The steps below outline the general process.
1. Describe the event that the SIF has been provided to prevent / mitigate.
2. Determine the consequence severity, without taking credit for any active safeguards, based upon
potential safety, public, environmental, and financial impacts.
3. Identify all of the causes for which the SIF has been designed to detect and respond.
4. Evaluate the event likelihood of the event without taking credit for any active safeguards.
5. Determine the unmitigated risk by combining the consequence severity and event likelihood.
6. Identify any and all non-SIS independent protection layers (IPLs).
7. Evaluate the effectiveness of each IPL in the prevention or mitigation of the risk.
8. Determine the mitigated risk.
9. Compare the mitigated risk to the acceptability criteria.
10. Assign any remaining required risk reduction to the SIS with the target SIL.
SIL SELECTION METHODS
There are six methods that are generally considered for SIL assignment: modified
HAZOP, consequence only, risk matrix (two and three-dimensional), risk graph, Layers
of Protection Analysis (LOPA), and quantitative assessment. A number of articles,
papers and books have been written describing the details of these methods [1-9]. Only
a brief introduction to each has been provided here.
Modified HAZOP
The modified HAZOP method, which is introduced in Annex A of the ISA standard, is a
purely qualitative SIL assignment technique [1]. As a part of the normal HAZOP
process, the team identifies existing SIF or the need for additional SIF protection [4]. In
cases where an SIF is deemed necessary, the team considers the severity of the
consequences, the probability of event occurrence, and the expected risk reduction

from non-SIS engineering and administrative controls. When all of these factors are
taken together, the team comes to a consensus as to the appropriate safety integrity
level.
Consequence Only SIL Assignment
This method is also purely qualitative, requiring only the consideration of the potential
consequences of a process event. The consequences can be defined in terms of the
potential safety, environmental, and economic impact associated with the event. An
example set of definitions is provided in Table 2. Because the initiating event
frequency, the availability of protection layers, and the probability that a dangerous
event develops are not considered, this method can produce conservative results.
However, this may be offset by the ease of application and the time saved in assigning
SIL targets.
Risk Matrix
The risk matrix method is based upon the qualitative evaluation of the potential event
consequences and likelihood. A team of process and operations specialists evaluates
each safety function, first describing the potential consequences of the event and then
developing a severity ranking. Typically, a risk matrix will have three to five severity
ratings that span the range from minor impact to catastrophic event. As in the
Consequence Only method, severity rankings can be defined for environmental and
economic effects, as well as the on-site and off-site safety consequences.
Following the development of the safety severity, the team investigates the causes of
the event, the safeguards (other than the SIS under consideration), and the event
sequence in order to estimate the likelihood that the consequences will occur. A set of

likelihood rankings is defined to represent the range of possible event frequencies.
After listing the potential causes and protection layers, the team selects the appropriate
likelihood ranking.
Using the severity and likelihood rankings together, the risk matrix is applied to
determine the target Safety Integrity Level. Based upon their corporate risk tolerance,
SIS philosophy, and ranking definitions, each corporation must determine the
relationship between the rankings and the SIL. An example of a risk matrix has been
provided in Figure 2.
The risk matrix is a widely accepted tool for the qualitative evaluation of risk. Many
companies use a form of the risk matrix as a part of their Process Hazards Analysis
(PHA) in order to determine if the existing engineering and administrative controls
provide sufficient risk reduction, or if additional safeguards should be recommended.
Although familiarity with the method could be considered a benefit, the application of
risk matrix to the selection of a target safety integrity level is somewhat different to that
used in a PHA, which may contribute to confusion.
Another variation of the risk matrix method is also used in the determination of target
SIL. This method, called the Safety Layer Matrix in Annex A of the ISA standard,
incorporates a third variable, Protection Layers, in addition to the Severity Ranking and
the Frequency Ranking [1]. When applying this method, the evaluation of the
Frequency Ranking does not include any protection layers. The Frequency Ranking
only considers likelihood of the event causes and external events that occur for the

consequences to be realized. Any risk reduction is addressed through the application of
the Protection Layer Ranking. In order to be considered in this ranking, the systems
must meet the definition of a protection layer [7]. Typically, three levels of Protection
Layer Rankings are considered. These are based upon either the amount of risk
reduction provided by the protection layers (e.g., low, medium, or high) or on the
number of protection layers that exist other than the SIS under consideration.
Risk Graph
The IEC standards 61511 and 61508 provide an alternative method to the risk matrix
called risk graph. This method provides a SIL correlation based on four factors:
· Consequence (C),
· Occupancy (probability that the exposed area is occupied) (F),
· Possibility of avoiding the hazardous event (P), and
· Frequency of the unwanted occurrence (W).
This method is a qualitative technique requiring development of definitions for each

parameter to ensure that the four parameters are properly chosen by the assignment
team. In addition to the consequence and event likelihood that are part of the basic risk
matrix, the risk graph focuses attention on the evaluation of the risk to an exposed
individual. The four factors are evaluated from the perspective of a theoretical person
being in the incident impact zone at the time of the incident.
Once these factors are determined, the risk graph is utilized to determine the associated
SIL. This method requires a multi-disciplinary team to ensure that the four parameters
listed above are properly chosen. An example risk graph is shown in Figure 3 [3].

Layers of Protection Analysis
Layers of Protection Analysis (LOPA) is a semi-quantitative method of risk analysis.

The consequence evaluation remains qualitative, as in the previously described
methods. The evaluation of the event likelihood is quantitative, based upon "order of
magnitude" estimates of the initiating event frequency and the availability of the
protection layers. The basic concept of LOPA is summarized in the following steps [6]:
· Identify impact events, determine the types of impact, and classify event severity.
· List all of the causes for each impact event.
· Estimate the frequency of each initiating cause.
· List the Independent Protection Layers (IPLs) for each cause-consequence pair.
· Determine the PFD for each IPL.
· Calculate the mitigated event frequency for each cause-consequence pair.
· Sum the frequencies for each cause-consequence pair that will place a demand on the SIS.
· Compare the total mitigated event frequency to the acceptability criteria for the associated event
severity classification.
· Determine SIL based upon required risk reduction or identify other risk reduction measures, if
required to meet the risk acceptability criteria.

Quantitative Risk Assessment (QRA)
The quantitative approach to SIL assignment is the most rigorous technique.

Quantitative evaluation of both the consequences and the event likelihood are possible;
however, it is typical for the consequence evaluation to remain qualitative. The event
likelihood is calculated by modeling the combined influence of the potential causes,
protective systems, and any external events that are required for the consequence to be
realized. These external events allow all of the steps in the event sequence to be
quantified. This includes probabilities of events such as immediate or delayed ignition,
individuals present in the hazard zone, atmospheric conditions that will support the
development of an explosive mixture, release size sufficient to lead to undesired
consequences, etc. This information can be used to construct and quantify a fault tree
or event tree.
Quantitative analysis is sometimes the only method that will allow complex events with
multiple causes, protection layers and interdependencies to be evaluated. The method
does require a thorough understanding of the event sequences and failure data for each
basic event.
REACTIVE AND OTHER COMPLEX SYSTEMS
Most corporate guidelines on SIS address only a single method; however, there is no
single SIL assignment method suitable for all situations. Since most of the methods
represent a semi-quantitative form of risk assessment, a makeshift QRA, it might be
thought that full QRA is a panacea. However, the effort and expertise required to
perform such a study is unwarranted for the majority of SIL assignments. There are
cases, however, where it provides the only means of obtaining a valid assessment of
the overall risk, the risk reduction provided by the non-SIS projection layers and the risk
reduction required from the SIS.
In order to use QRA tools effectively in the SIL assignment process, it is important to
recognize the appropriate situations. The warning signs include:
· Numerous scenarios relying on the same SIF and/or non-SIS safeguards,

· None of the initiating events is significantly more likely than the others,
· Safeguards are not equally applicable to all initiating events,
· Multiple SIFs work to prevent a single scenario,
· Interdependencies exist between safeguards, i.e., common equipment,
· Interdependencies between initiating events and safeguards,
· Safeguards are not independently capable of preventing the undesirable outcome,

· Safeguards fail to meet the minimum criteria required for consideration by the less rigorous
technique,
· Multiple event outcomes of concern, e.g., fire, explosion, toxic consequences can arise from a
single event,
· Passive safeguarding, such as elevated relief/depressure discharge piping, hardened buildings,
blast walls, etc. make consequences unclear.
In the case of overpressure protection for reactive systems, a number of these

characteristics are often present. Because the actions that stop the reaction are often
the only available actions that prevent the accident scenario, numerous SIFs, as well as
the manual intervention, may all be acting upon the same equipment items, e.g., the
isolation of feedstocks, the injection of a kill fluid, depressuring etc. It is also likely that
there will be some safeguards that, although not completely effective in preventing the
event in all cases, may reduce the likelihood or the potential consequences. This may
include actions such as introducing additional cooling. It is also likely that there may be
numerous initiators of the overpressure scenario including overfeed of reactants,
overfeed of catalyst, loss of mixing or circulation, loss of cooling, ineffective cooling,
failed temperature control, blocked/plugged reactor outlets, exposure to external fire,
etc. These overpressure scenarios may share some common safeguards and, in
addition, there may be safeguards that are designed for only one specific cause.
It may be tempting to assume that the simplified approaches have a degree of built-in
conservatism, and that the resulting SIL target insures sufficient risk reduction. This
however, can be an invalid and dangerous assumption. When simplified methods are
applied to complex systems, the tendency is to break the complex system into a number
of smaller pieces and evaluate each one independently. However, by failing to evaluate
the combined likelihood of a demand on the SIF, the assigned SIL target may be too
low.
Another common mistake is the integration of the SIL selection directly into the PHA
process, which also introduces the potential to underestimate the required SIL target.
HAZOP and other PHA methods are inductive techniques, beginning with a specific
cause and evaluating all of the potential subsequent consequences. Target SIL
assignment requires the simultaneous consideration of all of the initiating events in
order to evaluate the likelihood of a demand on the SIF. Even in somewhat simple
systems, this can introduce an error into the assessment that may underestimate the
required SIL. Although this problem is inherent in the Modified HAZOP method, any of
the other methods can also be applied with the same fatal flaw.
QRA IN SIL SELECTION
Quantitative studies can support the SIL selection process by providing greater insight

and understanding of the potential consequences and the event likelihood. Depending
upon the specific scenario under investigation, either or both types of analyses may be
considered.
Consequence modeling can be used by the SIL assignment team to better estimate the
potential for on-site and off-site exposures to toxic and flammable effects. Dispersion
modeling provides an estimate of the boundaries of a toxic or flammable cloud. It can
also be applied to specific questions such as whether an elevated atmospheric release
from relief or depressure discharge piping has the potential for ground level effects, as
illustrated in Figure 4. Fire modeling can be used to estimate the radiation effects from
pool fires, jet fires and fireballs. The team can then use these results to evaluate the
on-site and off-site safety impacts and the potential for event escalation due to thermal
exposures. Over-pressure scenarios also require the consideration of blast effects
either from a vessel rupture or a vapor cloud explosion (VCE) following the loss of
containment. Often passive protection layers are employed to address potential
explosion effects and their risk reduction should be evaluated. By determining the
explosion energies, flame speeds and associated blast contours and through the
analysis of the structural response to these blast loads, the vulnerability of personnel in
occupied buildings can be estimated. This allows teams to consider the risk reduction
provided by blast walls around reactors and explosion hardened control buildings.
Quantitative consequence analysis can be extremely helpful to SIL assignment teams
attempting to refine and confirm their initial qualitative evaluations.
Quantitative tools are more often used by SIL assignment teams to refine the event

likelihood. Fault tree analysis (FTA) and event tree analysis (ETA) can provide teams
with much needed information and understanding. Event tree analysis can be applied
to scenarios with numerous outcomes based upon the availability of the protection
layers and the presence of various conditions, e.g., wind direction, ignition sources, time
of day, etc.
Figure 5 provides an example of an event tree and illustrates how ETA can be used to
estimate the frequency of scenarios with multiple outcomes. Although this type of
evaluation can also be accomplished through the LOPA technique, the graphical nature
of ETA makes the analysis easier to understand, communicate and validate.
Fault Tree Analysisis a deductive technique for calculating the likelihood of a final event,
based upon an analysis of all of the possible paths and sequences that lead to it. This
tool is perfect for evaluating complex events with numerous paths and
interdependencies. When solved using cut-sets, rather than a simple gate-by-gate
approach, any duplications or common components are detected and correctly
assessed.
After first identifying an "undesirable" event, it is necessary to determine all precursor

events or causes which can lead to the undesirable event. The inter-relationship
between all events and causes is diagrammatically represented in the form of an
inverse tree. The single undesirable event is placed at the top and all precursors and

causes are placed on branches coming out of the top event via logic gates defining the
causality, i.e. AND and OR. The tree is drawn sufficiently downward to reach basic or
undeveloped events for which failure rates or probabilities of occurrence can be
estimated.
Figure 6, presented on the last page of this paper, represents a summary fault tree for
the evaluation of a reactor over-pressure scenario. The top event is the "frequency of
reactor overpressure." Each of the types of initiating events and protection layers is
defined by an "undeveloped event," indicating that further development of the logic for
that branch is necessary before the tree could be solved. This summary tree is
provided to illustrate how the evaluation of a complex event such as reactor
overpressure would be started. As each branch is developed, the specific initiating
events due to human error, equipment failure, and/or human error would be identified.
Additionally, any safeguards specific to that branch would be addressed. The summary
tree also shows that non-independent protection layers, such as manual and automatic
initiation of the kill system, can be taken into account.
It is worthy of note that the simple rule of adding at the OR gates and multiplying at the
AND gates is inappropriate when solving complex trees where a particular event may be
found on more than one branch. In these cases, it is necessary to perform some
Boolean simplification or rearrange the logic in some other manner. The most common
and useful means for accomplishing this is cut set analysis.
CONCLUSIONS
As corporate and regulatory pressures to eliminate atmospheric discharge continue, the

need increases to prevent relief demands and reduce the dependence upon relief
devices as the principal protection layer. The role of SIS in the risk management of
over-pressure protection is increasing. Therefore, it is critical that these instrumented
systems are properly specified to insure that they deliver adequate risk reduction.
Simplified approaches such as risk matrix, risk graph, and LOPA are effective tools for
target SIL assignment in most situations. However, these methods are unacceptable
for the analysis of complex systems, producing results that either over-specify, or more
dangerously, under-specify the SIS integrity requirements. Quantitative analysis should
be used in support of the simpler tools, in these situations. The results of any
quantitative study can usually be integrated back into the qualitative or semi-quantitative
method to provide consistency with the other SIL selection decisions.
NOMENCLATURE

ETA - Event tree analysis
FTA - Fault tree analysis
HAZOP - Hazard and operability study
IEC - International Electrotechnical Commission
IPL - Independent protection layer
ISA - Instrumentation, Systems, and Automation Society
LOPA - Layers of protection analysis
PFDavg - Average probability of failure on demand
QRA - Quantitative risk assessment
SIF - Safety instrumented function
SIL - Safety integrity level
SIS - Safety instrumented system
REFERENCES
[1] "Application of Safety Instrumented Systems for the Process Industries,"

ANSI/ISA 84.00.01-1996, 1996, ISA, Research Triangle Park, NC.
[2] "IEC 61511-1: Functional safety: Safety instrumented systems for the process
industry sector- Part 1: Framework, definitions, system, hardware and software
requirements," 2003, IEC.
[3] "IEC 61511-3: Functional safety: Safety instrumented systems for the process
industry sector- Part 3: Guidance for the determination of safety integrity levels," 2003,
IEC.
[4] Summers, A.E. and Ford, K.A., 1998, "Assigning Safety Integrity Levels," 53rd
Annual Symposium on Instrumentation for the Process Industries, College Station,
Texas.
[5] Dowell, A. M., III, 1999, "Layers of Protection Analysis and Inherently Safer
Processes," Process Safety Progress, Volume 18 No. 4, pp. 214-220.
[6] Dowell, A.M., III, 1997, "Layers of Protection Analysis: A New PHA Tool, After
Hazop, Before Fault Tree," International Conference and Workshop on Risk Analysis in
Process Safety, October 21-24, 1997, Atlanta, GA, American Institute of Chemical
Engineers, New York, pp. 13-28.
[7] CCPS, 2001, Layers of Protection Analysis: Simplified Process Risk Assessment,
New York: American Institute of Chemical Engineers, Center for Chemical Process
Safety. Guidelines for Safe Automation of Chemical Processes, Center for Chemical

Process Safety, American Institute of Chemical Engineers, New York, 1993.
[8] Guidelines for Hazard Evaluation Procedures, Center for Chemical Process
Safety, American Institute of Chemical Engineers, New York, 1985.
[9] Dejmek, K.A., "Key Factors in the Selection of a Safety Integrity Level
Assignment Method," ISA EXPO 2000, New Orleans, LA, August 2000.
[10] Marszal, E.M., and Scharpf, E.W., 2002, Safety Integrity Level Selection -
Systematic Methods including Layer of Protection Analysis, First Edition,
Instrumentation, Systems, and Automation Society (ISA), Research Triangle Park, NC.
[11] Marszal, E.M., "Hydrocracker SIL Selection Case Study," ISA 2002 Technical
Conference Series, Safety Instrumented Systems for the Process Industries, Baltimore,
MD, May 2002.
[12] Windhorst, J.C.A., "Over-pressure Protection by Means of a Designed System

Rather Than Pressure Relief Devices," International Conference and Workshop on Risk
Analysis in Process Safety, Atlanta, GA, October 1997.

Figure 6 - Sample FTA (Top of Tree Only)
Safety Measure Evaluation and Design for an Offshoure

Processing Facility Using Recently Proposed Methodology
SCAP(5)
Faisal I. Khan

Faculty of Engineering & Applied Science
Memorial University of Newfoundland
St. John's, NF
Canada A1B 3X5
<fkhan@engr.mun.ca>
and
Paul R. Amyotte
Department of Chemical Engineering
Dalhousie University
Halifax, NS
Canada B3J 2X4
<paul.amyotte@dal.ca.>
Prepared for Presentation at

American Institute of Chemical Engineers
38th Annual Loss Prevention Symposium
New Orleans, LA
April 26 - 29, 2004
Session T7003: Safety Instrumented Systems/Layer of Protection Analysis
Copyright © Faisal I. Khan and Paul R. Amyotte

November 2003
UNPUBLISHED
ABSTRACT
Risk assessment associated with engineering studies is aimed at providing decision

support to achieve a cost effective and safe design of offshore process facilities. This is
achieved by reducing the platform process risk through selection and design of cost
effective safety measures. The main benefit from this approach is the design of optimal
safety measures. In addition to optimization, significant savings are made possible by
making the right decisions at the right time.
In this paper, a methodology for risk-based process safety decision making is described
for offshore oil and gas (OOG) process activities. The methodology is applied to various

offshore process units - compressor, separators, flash drum and driers of an OOG
platform. Based on the risk potential, appropriate safety measures are designed for
each unit. The paper also illustrates that implementation of the designed safety
measures reduces the high risk values to an acceptable level.
Keywords: Offshore risk assessment, accidents, risk analysis, risk-based design,

safety measures design
INTRODUCTION
The use of Quantitative Risk Analysis (QRA) in the offshore industry dates back to the
mid 1970s. Further development of offshore QRA came in the early 1980s when the
Norwegian Petroleum Directorate issued its guidelines for safety evaluation of platform
conceptual designs. These guidelines required that QRA be carried out for all new
offshore installations in Norway at the conceptual design phase. Since 1992 in the UK,
safety case legislation has required, not formally but in practice, the industry to use
offshore risk analysis as a component in the development of a safety case (Vinnem,
1998).
The concept of a 'life cycle' for an offshore installation is gaining wide acceptance within
the offshore industry. The idea is to consider a development in totality from concept
through design, construction, operation and to abandonment. A subset of this approach
can be thought of as a 'safety life cycle' where only safety is considered. Figure 1
outlines one such safety life cycle. Most regulatory agencies require the submission of a
safety case for offshore installations for each major phase, i.e. design, operation, and
abandonment. The operational safety case is the one which companies with existing
installations have been working on for the last two years or so (Finucane, 1994). A
safety case must contain: an executive summary, details of the offshore installation, a
description of the company safety management system, analysis of hazards affecting
the installation, and identification and implementation of safety improvements.
A large component in many of these operational safety cases is a quantified risk

analysis of the major hazards. This includes quantification of risk to individuals and/or
groups of workers. The offshore fully manned production facility typically involves a
number of stages of oil, gas and water separation, gas compression, and dehydration.
The risk present on a typical offshore installation may be categorized as: process risk,
dropped object risk, structural failure risk, helicopter accident risk, and ship collision risk.
Depending upon the details of a specific installation, the percentage contribution of each
risk category could vary significantly; for example, fire and explosion risk may be
between 20 to 80% of individual risk (Finucane, 1994).

The inherent safety level of an offshore process facility can be increased by selecting
the optimum design in terms of the installation/field configuration and the layout, which
reduces the risk to a level that is As Low As Reasonably Practicable (ALARP). This
requires the identification of major risk contributors and their assessment early in the
project life cycle (HSE, 1993). The biggest challenge operators face is that of
demonstrating the implementation of ALARP. Currently, most operators use a
cost-benefit analysis method to demonstrate ALARP with respect to safety
improvements (Finucane, 1994). Figure 2 shows one such structured approach
(modified after Finucane, 1994). It is well recognized that if the structured approach of
identification and assessment is not carried out early in the project, it is possible that the
engineering judgment approach will fail to identify all of the major risks and thus loss
prevention expenditures will be targeted in areas where there is little benefit. This would

result in expensive remedial actions later during the life of the project.
Identify possible safety

improvements
Quantify cost of improvements

and benefits, including
incremental risk reduction
List improvements, identify those

reasonably practicable, prioritize
for possible implementation
Conduct cost-benefit analysis of

prioritized improvements
Are the
Yes improvements No
reasonably
practicable?
Record for Identify other
implementation alternatives that address
the concern and are
reasonably practicable
Figure 2 Simplified process of safety

improvement through ALARP. Is an Yes
No alternative
found?
Record for further
review
QUANTITATIVE RISK ANALYSIS OF OFFSHORE PROCESS OPERATIONS
The four main objectives in using QRA are: i) estimating risk (in absolute or relative

terms), ii) determining design loads and conditions, iii) understanding hazard causation
and potential escalation pathways, and iv) risk ranking. Most of these objectives usually
imply quantification of risk to personnel, and often to the environment and assets. While
there are many consequence models available for determination of personnel fatalities
and injuries, considerable modeling work is still needed for determination of
consequences to the environment and assets (Vinnem, 1998). The time and effort
required to complete a full QRA for an offshore installation is a function of the
complexity and size of the installation, which in the extreme case could require many
months of effort spread over a prolonged period (Crawley, 1999; Crawley and Grant,
1997). This time scale precludes the support of the rapidly changing design, which is a
feature of the concept development phase.
The United Kingdom Offshore Operators Association (UKOOA) has developed

guidelines for an instrument-based protective system for application to OOG
installations (UKOOA, 1995). Safety Integrity Level (SIL) determination is the key
element of these guidelines. In its simplest form, the allocation of a SIL for a safety
system is a way of specifying the appropriate level of reliability to match both the hazard
and the tolerable risk. Therefore, to determine a SIL, one needs to consider both the
severity and the likelihood of an incident.
Crawley and Grant (1997) proposed a screening tool for offshore risk assessment. This
tool permits the risk assessment of many design options in a methodical, consistent and
auditable manner. It is aimed at reducing front-end design costs and targeting design
efforts in a cost-effective and safety-oriented manner. Vinnem (1998) presented a good
overview of QRA use in offshore industries and emphasizes that QRA is an important
tool in regulation development in various jurisdictions (e.g. UK, Norway, US and
Canada). He has nicely emphasized that probabilities used in a QRA, whether in an
absolute or relative sense, should be considered as 'notional' values, i.e. that they
cannot directly be considered estimates of 'true' values.
Recently, Falck et al. (2000) and Brandsater (2002) have discussed the use of QRA in
the design of an oil production system. They have detailed the use of QRA in safety and
emergency preparedness analysis during the engineering and construction phase of the
project. Though they have emphasized the use of QRA in the conceptual design stage,
no such guidelines or methodology have been discussed. Further, they have
emphasized the use of QRA as a decision support system for offshore process facilities.
The effective linkage between the QRA and the design team is essential and is key to
QRA success. It is essential to ensure a proper understanding of the design problems
so that these can be effectively addressed in the QRA; similarly QRA results must be
understood by the design team and decision-makers. The QRA process should be
synchronized with the engineering activity (Falck et al., 2000). It is necessary to aim for

a living QRA, i.e. a risk model of the platform that is updated and refined in details as
required. Assumptions made at an early stage to compensate for missing information
need to be followed up and eventually replaced by factual information when available.
Finally, the QRA results need to be 'translated' into engineering terms (Brandsater,
2002).
To meet these challenges, Khan and co-workers have proposed a quantitative

methodology for safety measure design based on a feedback system of fault tree and
credible accident scenarios. The methodology, named SCAP
(Safety/Credible/Accident/Probabilistic fault tree analysis), has been applied to many
onshore process industries (Khan et al., 2001a, b) and an offshore platform (Khan et al.,
2002). It is effective in deciding and designing safety measures based on the risk
potential. SCAP has been closely integrated with other engineering studies for
scenario-based design in areas such as detector layout, passive protective measures,
ventilation, and location of fire walls, blast walls, flame detectors, etc.
SCAP: A METHODOLOGY FOR RISK-BASED SAFETY ASSESSMENT AND

CONTROL MEASURES DESIGN
The SCAP methodology has been revised for its application to offshore process
facilities. The revised methodology encompasses all the characteristics of the original
SCAP methodology. As previously mentioned, to demonstrate the effectiveness of
SCAP it has been applied to an offshore process facility (Khan et al., 2002). Here, we
recapitulate the methodology and its application with more detailed discussion on safety
systems evaluation.
The architecture of the methodology is presented in Figure 3. As mentioned in Khan et

al. (2002) the methodology is applicable at any stage of the design, and is particularly
useful at the early design stage when the designer is free to adopt the suggested safety
measures or modifications. Application of this methodology at the early design stage is
possible as it requires data that are readily available at this stage. The reliability of a
study conducted with such early stage data (involving uncertainties) is debatable, but
can be argued on the basis of the following points:
i) The design and evaluation of safety measures based on the risk potential considers risk in relative
terms. If there are uncertainties in risk computation, they are present in all units, and in relative
terms will not have much effect.
ii) The techniques used in SCAP, such as analytical simulations with fuzzy set theory and MCAA
(Maximum Credible Accident Analysis), are robust and less susceptible to input data uncertainty
(Khan et al., 2001a, b). Therefore, early stage data (involving uncertainties) will not significantly
affect the final outcome of the study.
This methodology tries to make the concept of a risk-based safer design a reality. It

involves risk assessment steps which are interactively linked with the implementation of
safety measures. The resultant system reveals the extent of risk reduction by each
successive safety measure. Again, this methodology has been applied to many onshore
process industries and has proven to be efficient and easy to use, as well as requiring
limited data (Khan et al., 2001a, b).
The major steps of the revised SCAP methodology remain the same with modifications
in their sub-steps (Figure 3). This paper provides a brief recounting of the revised SCAP
methodology and its application to an OOG facility, with a detailed discussion on its
applicability and effectiveness. The details of SCAP and other tools used in this paper
are discussed in Khan et al. (2001a, b).
Hazard Identification Step
This step utilizes the revised Hazard Identification and Ranking (HIRA) system, as it is
flexible and able to consider the vulnerability of offshore operations (Khan et al., 2002).
The revised HIRA is comprised of two indices: fire and explosion damage index (B1)
and toxic damage index (B2).

Start
Hazard identification
and ranking
• B1 and B2
Quantitative hazard Probabilistic hazard

assessment- MCAA assessment-ASM
Accident scenario
development Fault tree for the Fault tree
• MCAS envisaged scenario development
Consequence
analysis Fault tree analysis
• MAXCRED • PROFAT
Risk estimation Apply add-on

safety measures
Identify units that

No contribute
Risk in
acceptance? substantially to the
probability of the top
event
Yes
End
Figure 3 The SCAP algorithm.
Fire and explosion damage index (B1)

B1 is a representation of lethal heat and overpressure loads over an area. It is
measured in terms of the radius of the area (in meters) affected lethally by overpressure
and heat loads (50% probability of causing fatality). Estimation of B1 involves the
following steps:
i) classification of the various units in an industry into the five categories mentioned below:
o storage units
o units involving physical operations such as heat transfer, mass transfer, phase change, pumping
and compression
o units involving chemical reactions
o transportation units
o other hazardous units such as furnaces, boilers, direct-fired heat exchangers, etc.,
ii) evaluation of energy factors,
iii) assignment of penalties, and
iv) estimation of damage potential.
Toxic damage index (B2)
B2 quantifies the toxic load over an area in terms of the radius (in meters) affected by a
toxic load of 50% probability of causing a fatality. It is derived by using transport
phenomena and empirical models based on the quantity of chemical(s) involved in the
unit, the physical state of the chemical(s), the toxicity of the chemical(s), the operating
conditions, and the site characteristics. The dispersion is assumed to occur under
slightly stable atmospheric conditions. We have opted for 'slightly stable atmospheric
conditions' as these represent a median of high instability and high stability. We believe
that this assumption for dispersion may also hold in an offshore process facility where
partial confinement may lead to a low likelihood of dilution.
The estimation of B2 is done with one core factor named the 'G factor' and seven
penalties. The details of the G factor and penalty calculation may be found in Khan and
Abbasi (1998a).
Why is revised HIRA appropriate here?
Revised HIRA is appropriate for the present application because:
i) It considers the impact of various process operations and associated parameters for hazard
identification.
ii) It accounts for vulnerability due to the degree of unit congestion, characteristics of the
surrounding unit, and site characteristics.
iii) It considers several operating conditions generally encountered in an offshore process operation.

iv) It provides quantitative results of good reliability.
v) It does not require a case-to-case calibration as its magnitude directly signifies the hazard level.
Quantitative Hazard Assessment Step
This step aims to quantify hazards; MCAA (Maximum Credible Accident Analysis) is the
preferred approach. MCAA is comprised of two steps (Khan and Abbasi, 1997, 1998b):
i) accident scenario forecasting, and ii) consequence analysis (damage estimation for
the envisaged accident scenario).
Accident scenario forecasting
Forecasting likely accident scenarios is the most important step in this exercise. A
number of accident scenarios can be envisaged in a unit; however, it may not be
possible to analyze all these scenarios, particularly at an early design stage. A system
which short-lists the important scenarios is needed. The screening or short-listing of
accident scenarios has been debated since it was originally proposed by CCPS (1989).
Subsequently, a modified 'worst-case accident scenario' approach has been practiced
(Hirst and Carter, 2000). Although the CCPS and worst-case approaches are effective
and easy to use, they focus only on one accident parameter - consequence. Recently,
Khan (2001) proposed a 'maximum credible accident scenario' (MCAS) approach which
considers both consequences and the likelihood of accident occurrence. Khan (2001)
demonstrated that although certain accidents may not be the worst in terms of
consequences, their high probability of occurrence is a major concern. These accidents
often escalate and cause a catastrophe which is not even modeled by a worst-case
accident scenario.
The MCAS approach centers on the theme of credibility, which is defined as a

combination of impact area and the probability of occurrence, and is estimated as:
C = (L12 + L22) 1/2
where L1 and L2 represent the credibility factors estimated for fire and explosion hazard
and toxic hazard, respectively.
Consequence analysis
Many computer-automated tools are available for a detailed consequence assessment

for offshore facilities. COMEX, VENTEX, CLICHÉ, SCOPE2, ARAMAS, OHART, and
PLATO are the most frequently used. Gardner et al. (1995) reviewed these hazard
assessment tools. Complex computer models are also available for fire and explosion

characteristics estimation, e.g. FLACS, mFLACS, REAGAS, EXSIM, and EXPSIM
(Finucane, 1994; van Wingerden, 1994; Jones and Irvine, 1997).
These models are frequently used for a detailed QRA. However, their application at the
early design stage is not an easy task due to the large data requirement and lengthy
processing time. Though these models yield reliable detailed results, they may not be
helpful at the early design stage. A computer-automated tool, MAXCRED (Khan and
Abbasi, 1999), and its latest version, MAXCRED-III (Khan and Abbasi, 2000), perform
MCAA. This tool enables the simulation of accidents and an estimation of their damage
potential. MAXCRED-III also incorporates the domino/cascading effect (see Khan and
Abbasi, 2000 for details).
MAXCRED-III has five main modules (options): scenario generation, consequence

analysis, domino considerations, documentation, and graphics. In the scenario
generation module, accident scenarios are generated for the unit under study. This step
is based on the MCAS approach. The consequence analysis module involves the
assessment of likely consequences if an accident scenario materializes. The
consequences are quantified in terms of damage radii of different propensities. The
domino module analyzes the damage potential of the primary event at the point of
location of the secondary unit, and checks for the likelihood of occurrence of the
secondary accident. If the probability of the secondary accident is sufficiently high, then
appropriate accident scenarios are developed and analyzed for consequences. The
graphics module enables the visualization of risk contours in the context of accident
sites. This option has two facilities: (i) site drawing, and (ii) contour drawing. The
documentation module of MAXCRED-III deals mainly with the handling of different files:
data file, scenario file, output file, and flow of information.
Probabilistic Hazard Assessment (Fault Tree Analysis) Step
The objective of this step is to quantify the probability of occurrence of the earlier
envisaged accident scenario. Fault tree analysis (FTA), the most appropriate technique
for this application, uses deductive reasoning to determine the occurrence of an
undesired event. FTA along with component failure and human reliability data can help
in determining the frequency of occurrence of an accidental event.
Methods for FTA include the analytical method (Yllera, 1988), the Monte Carlo
simulation method (Papazoglou et al., 1992; Rauzy, 1993), and the Markov simulation
method (Hauptmanns and Werner, 1990; James et al., 1993). Khan and Abbasi (2001)
have proposed a methodology for probabilistic fault tree analysis: Analytical Simulation
Methodology (ASM). ASM combines analytical methods with fuzzy mathematics, Monte
Carlo simulations, and structure modeling. The ASM is easier, faster and involves less
uncertainty in its predictions (Khan and Abbasi, 2001). A computer-automated tool,

PROFAT (PRObabilistic FAult Tree analysis) was developed to perform ASM. ASM
involves five main steps: i)fault tree development, ii) Boolean matrix creation, iii) finding
of minimum cutsets and optimization, iv) probability analysis, and v) improvement index
estimation.
The methodology is resolved into the computer software PROFAT, which is written in
C++ and consists of five main modules: data, minimum cutsets analysis, probability
analysis, improvement factor analysis, and general purpose modules, each of which
performs a specific task, and is linked with the other modules (Khan and Abbasi, 2001).
Risk Quantification and Design of Safety Measures Step
Using the results of the hazard assessment and probabilistic hazard assessment steps,
the individual risk and/or fatality accident rate (FAR) is computed and then compared
with the regulatory standards. If they exceed the acceptance criteria, extra safety
measures need to be implemented on the unit. After deciding the necessary safety
options to be implemented, the probabilistic hazard assessment and hazard
quantification steps are repeated and the latest individual risk and/or FAR is again
computed and compared with the regulatory standards. This is repeated until the risk
and/or FAR fall within the acceptable range.
RISK-BASED SAFETY MEASURES DESIGN FOR AN OFFSHORE PROCESS UNIT
The above methodology has been applied to decide the safety measures for various
process units on an offshore platform; the detailed results of this study are given in
Khan et al. (2002). Here, we are briefly recapitulating the important points of this case
study with a detailed discussion on safety methods and their evaluation. The process
plant on an offshore platform generally has three main parts: i) the wellhead, ii)
separators, and iii) gas compression. The simplified layout of the process plant of a
typical platform is depicted in Figure 4. Production lines from individual wells terminate
at the wellhead, with each line being topped by a 'Christmas tree'. The well fluid passes
through a manifold and is withdrawn at a production separator through a wing valve.
The well fluid passing through the separators is separated into four major components.
Oil is pumped through the main oil line to the onshore facility. Part of the condensate is
pumped along with the oil. Gas is compressed using centrifugal compressors; it is
subsequently passed through the flash drum where the temperature is reduced and
condensate is formed and separated out. The gas, is subsequently dried and purified. It
is then further compressed to high pressure through reciprocating compressors. Part of
the gas is used at the wells and for power generation on the platform; the remaining gas
is pumped to the onshore facility with a small amount being flared. The study does not
include wellhead hazards but focuses on the major parts of the process plant

(separation and compressors).
Hazard Identification
The complete process facility (separators, compressors, and pipelines) was subjected
to a detailed study. Safety measures were designed and implemented on each process
unit; however, in order to prioritize by importance, a hazard identification study was first
conducted. The results of the study are plotted in Figure 5. It is evident from Figure 5
that the separators, compressors, drier, and flash drum are highly hazardous, whereas
the oil and gas pipeline and pumps are moderately hazardous. To illustrate the SCAP
methodology, a detailed study is presented on two highly hazardous units - condensate
separator and compressors (1 and 2).
300
250
Fire and explosion hazard index (B
200
150
Screening limit
100
50
0
Cond. separator
Oil separator
Compressors
Gas pipeline
Drier
Pumps
Oil pipeline
Flash drum
Quantitative Hazard Assessment
Maximum Credible Accident Scenario Development
Many accident scenarios have been envisaged for each unit. The list of the most
credible scenarios for the units presently under investigation is presented in Table 1.
The credibility of an accident scenario was assessed considering the MCAS procedure

as described earlier.
Consequence Analysis
MAXCRED was used for detailed consequence analysis. In the following sections, the
results for the separator and compressor units are discussed; results for other units are
available in Khan et al. (2002).
Condensate separator
The results for MCAS in the condensate separator - Vapor Cloud Explosion (VCE)
followed by pool fire - are presented in Table 2. A VCE followed by fire would cause
considerable damage. It is evident from Table 2 that damage of a high degree of
severity due to overpressure and shock wave would be operative over an area of ~50 m
radius, while moderate damage (50% probability of lethality) would occur over an area
of ~75 m radius. The unburned chemical in the unit would burn as a pool fire. The heat
load generated due to the pool fire would be lethal over an area of 55 m radius. The
heat load and shock wave generated by this unit may initiate secondary and a higher
order of accidents in the units within close proximity, such as condensate and gas
pipelines.
Compressors 1 and 2
The results of damage calculations for the compressor units (1 and 2) are presented in
Table 3. It is evident from these results that this scenario would cause moderate
damage. There is no likelihood of overpressure development; however, a fire jet of ~5 m
in length would be operative. The lethal heat load of 50% probability of causing fatality
and damage would be operative over an area of 35 m radius. It is likely that the jet
flame would cause serious damage in the neighboring unit either through direct
impingement or by external heat load. The units that would be affected by this accident

are the flash drum and the drier.
Table 2 Results of consequence analysis for accident in condensate separator.
Table 3 Results of consequence analysis for accident in compressor units.

Probabilistic Hazard Assessment (PHA)
Probabilistic hazard assessment was conducted for all units; however, only the results
for the condensate separator and compressors are presented here. The failure
frequency data used in the PHA (presented in Tables 4 and 6) were obtained from
Worldwide Offshore Accident Databases (WOAD, 1998), HSE reports (HSE 1994,
1996), and offshore data from E&P Forum (1995). Using these data, fault tree analysis
has been conducted to estimate the failure probability of each accident scenario with
the results given below.
Condensate separator
The most credible accident scenario for this unit is envisaged as a VCE followed by a
pool fire. There are 21 basic events that contribute directly and indirectly to the
occurrence of this accident (Table 4). The likely logical sequences of events that lead to
this accident are depicted in Figure 6.
The developed fault tree (Figure 6) was analyzed using PROFAT, and the results are
presented in Table 5. The overall occurrence rate of this accident scenario is computed
as 9.474E-04 per year. Table 5 indicates that events 18, 20, 12, and 17 contribute 17%,
17%, 12%, and 10%, respectively, in the occurrence of this accident. Controlling these
events would considerably reduce the overall probability of occurrence of this accident

scenario.
Table 4 Elements of the fault tree developed for a probable accident in condensate
separator.

Figure 6 Fault tree diagram for condensate separator; details of basic events are
presented in Table 4.
Table 5 Fault tree analysis results (output of PROFAT) for condensate separator.

Figure 7 Fault tree diagram for compressor unit; details of basic events are presented
in Table 6.
Table 6 Elements of the fault tree developed for a probable accident in compressor
units.

Table 7 Fault tree analysis results (output of PROFAT) for compressors units.

Compressors 1 and 2
The fault tree comprising of 17 basic events has been developed for the MCAS in the
compressor units (Figure 7). The probabilities of the occurrence of these basic events
are presented in Table 6.
The developed fault tree was analyzed using the PROFAT algorithm, which computed
the total occurrence rate of the top event as 1.364E-02 per year. Results reveal that
events 17, 13 and 14 are the most crucial ones and contribute about 47% in initiating
the accident (Table 7). Controlling these basic events would drastically reduce the
probability of occurrence of this scenario.
Risk Quantification
Using the results of the previous steps, risks were computed for all the units identified
as hazardous and moderately hazardous. Interesting results are observed. Though the
compressor units are moderate in damage-causing capabilities, they were found to
pose the greatest risk. This is because of their high probability of failure. The unit
observed to be the most disastrous as a result of damage calculations - the oil
separator- was found to pose comparatively less risk, due to its low probability of failure.

Figure 8 presents a summary of the average individual risk factors caused by the two
main units along with the ALARP criteria. Analysis of these results reveals that the
compressor units followed by the condensate separator pose high individual risk. Their
risk and FAR values exceed the ALARP acceptance criteria. These units need attention
in order to bring these high risks to an acceptable level.
Risk reduction through safety measures - MCAA-PFTA controller system
Safety measures evaluation
Explosion venting
The most important method of mitigating the effects of gas explosions is venting. A vent
opening is introduced to limit pressure build-up (van Wingerden, 1994). The size of this
opening is chosen in such a way that pressure build-up due to the explosion is
sufficiently compensated by outflow of burned and unburned gas. However, it is not just
the size of the vent opening which is important. The location of the vent opening and the
choice of vent cover (vent panels) are also important.
When there is sufficient venting close to the ignition point, burned gases will be vented
quickly. As a result, expansion flow in the direction of obstacles and the turbulence
generated behind the obstacles will be limited (van Wingerden, 1994). Hence, the
overpressure will be low. However, when the venting is less effective in the early phase

of the explosion, the free unburned gas will be pushed ahead of the flame, a strong
turbulent flow field will be generated and a positive feedback mechanism will accelerate
the flame and cause high overpressure (van Wingerden, 1994). This emphasizes that
venting hot combustion products at an early stage of the explosion is a very effective
means of reducing flame acceleration. The most important factors for effective venting
are: the size of the vent area, how the vent area is distributed, the direction of explosion
relief, and how quickly explosion relief panels are activated. The vent area should
simply be as large as possible. There are many methods available nowadays to
determine the correct size for a vent opening. It is important that the gas explosion
venting be directed into open areas with a minimum of obstructions.
Compartment shape
The shape of the compartment and the location of the vent areas are closely linked.
There are two main principles applied in optimizing the shape of a compartment: an
ignition point anywhere in the compartment should be as close as possible to the major
vent areas, and strong turbulence in the unburned gas ahead of the flame and long
flame travel distances should be avoided. For a compartment with explosion venting on
two end walls, the ideal shape is a cubic box. A relatively low explosion pressure can be
expected in such a configuration (van Wingerden, 1994). Most explosion scenarios will
give high pressures if the module is elongated and vent openings are only located on
the two ends. It is even more important to avoid an elongated shape if the compartment
only has a vent opening in one of the side walls. In the case of ignition at a closed end
wall, the flame can accelerate over a long distance and venting has no beneficial effect
since it only leads to flow past obstacles and hence to turbulence generation.
Water deluge
Water deluge is another important safety measure to mitigate fires and explosions. It is
important to understand that water deluge should not be considered as an alternative to
gas explosion venting, but as an additional method under certain conditions thus making
explosion venting more effective. Bjerketvedt and Bjokhaug (1991) undertook a pilot
experimental investigation addressing the effect of water sprays on gas explosions.
They used a 1:5 scale model of an offshore module. The main beneficial effect identified
was the effect of water vapor on the burning rate. Extraction of heat from the flame front
played a minor role. In strong explosions, the large droplets break up due to the flow
speeds generated in the unburned mixture ahead of the flame front. These flow speeds
cause drag forces which act on the droplets and deform them. It was observed that
water deluge is only effective for explosions in which high flame accelerations occur.
Unfortunately, there are disadvantages related to the use of a water deluge system for
explosion suppression. Since the activation time for an ordinary deluge system is much

longer than the duration of the explosion, the deluge system has to be activated on gas
detection. On activation, the water pumps are started and water will flow to the deluge
system in the relevant module. This means that there is a period during which there is a
possibility of ignition without water deluge being in full operation. In addition, there have
been reports of accidents where the probable ignition source was a discharge in
electrical equipment due to moisture from the deluge system (van Wingerden, 1994;
Wighus, 1994). Water sprays and deluge should therefore be activated only in
compartments with waterproof electrical equipment.
For fire protection, fine water sprays have been introduced and tested for offshore
applications (Shetty et al., 1998). The experiments so far have shown that they are a
good alternative for protection of enclosed or even partly enclosed spaces where
hydrocarbon fuels may create large fires. Their efficiency in extinguishing smaller fires is
less as compared to Halon protection. Even if the fine water sprays do not extinguish
the smaller fires, a reduction of fire intensity is obtained, and the potential damage can
be greatly reduced. The fine water spray may be produced in different ways, and three
different types of system are available. A twin-fluid system where water is forced
through narrow holes in a nozzle by air or other gases is self-contained with a water
reservoir and a pressurized gas bottle. Another system supplies high-pressure water
(100 bar) to a nozzle with narrow holes, and a third type of system utilizes a rotating
nozzle to produce fine droplets. The rotating nozzle system operates at low
water-supply pressures (5 - 10 bar) (Wighus, 1994).
Obstruction management
A compartment will contain process equipment, pipe-work, rooms etc. During a fire and
explosion, these objects will obstruct the flow and cause turbulence. These objects will
also interfere with venting. The main principle of the guidance here is to arrange the
obstructing objects so that: (i) minimum turbulence is generated, and ii) venting is not
blocked.
Ignition source management
Both the strength and location of the ignition source play an important role in
determining the course of fire and explosion events offshore. In general, effective
mitigation of fires/explosions is obtained if the ignition point is close to the vent area.
However, if the venting of combustion products is not sufficient to keep the flame speed
at a low level, ignition at the edge of a congested area may cause high explosion
pressures. It is imperative that attempts are made to avoid ignition sources. Known,
potential ignition sources should be located such that worst-case scenarios are avoided
and flame arrestors/suppressors provided at all vulnerable locations.

Blast walls
When aiming to add barrier walls in order to reduce the global overpressure or heat
load, one should consider (Berg et al., 2000):
o The location of the critical equipment with respect to the wall position. The wall should be used
to protect the equipment from the explosion/fire heat load and not to confine the area around the
critical equipment.
o The location of the possible ignition source. The wall should be located between the potential
existing ignition sources and the critical equipment.
o The ability of the wall to contain a possible gas leakage. Therefore, both dispersion and explosion
simulations should be run for any wall partitioning assessment.
Weak and strong walls can have the same gas-cloud containing capacities. However, in
the case of a large leakage, with almost full gas coverage, the resulting pressure
increase from an accidental explosion is expected to be generally smaller with weak
walls than with strong walls (Berg et al., 2000). If the wall is able to contain a possible
gas leakage then:
o The pressure increase on the side containing the gas cloud will be higher with a strong blast wall
than with a weak wall.
o The pressure decrease on the opposite side will be higher with a strong blast wall than with a
weak wall.
One should then choose between a weak or strong wall depending on where the critical
equipment is located. The cost and weight of a strong wall will be very different from a
weak wall.
Effect of separation
Adding a gap between the process modules can reduce the potential overpressure
level, especially in the area located just after the gap. This is due to a significant drop in
flame acceleration. Furthermore, there seems to be a maximum critical gap size beyond
which the pressure level is not reduced even by increasing the gap width. The study
conducted by Berg et al. (2000) found that there was no further significant reduction in
overpressure by increasing the gap beyond 15 m. As space is always a limiting factor
and concern for an offshore platform, this option is not very promising.
Risk re-evaluation
A risk reduction exercise was conducted by incorporating various safety measures and
add-on control measures as described above. The possible safety and hazard control

options considered to reduce the risk are given in Table 8 (Santos-Reyes and Beard,
2000; Lees, 1996). From these, various combinations of control measures were
selected to reduce the risk potential of a unit. When these measures are taken into
account, the unit fault tree is modified as shown in Figure 9 (compressor unit). On
analyzing the new fault tree (Figure 9), the frequency of occurrence of the top event
(envisaged accident) is reduced to 1.311E-06, which is 10,373 times (i.e. several orders
of magnitude) lower than the previous value. The individual risk and FAR values after
the implementation of control measures for this unit lie well within the acceptable range
(Figure 8). The FAR value was reduced from 11,127 to 1.0.
Table 8 Control measures implemented over different units to reduce the risk.
Similarly, after deciding the safety measures (Table 8), the fault tree for the condensate
separator is modified as shown in Figure 10 and processed through PROFAT for

probability estimation. The results reveal that after implementing the safety measures,
the probability of occurrence decreases to 1.555E-08. Using the revised value of the
probability of occurrence, the average individual risk decreases to 1.55E-07 and the
FAR value reduces from an original value of 1291 to 0.01. These values fall within the
acceptable zone of the ALARP criteria.
Figure 9 Modified fault tree diagram for compressor unit after implementing safety
measures.

Figure 10 Modified fault tree diagram for condensate separator after implementing
safety measures.
Further (and as shown in Khan et al., 2002), upon incorporation of safety measures for
the oil separator, the flash drum and the drier, the frequency of occurrence reduces to a
range of 1.0E-06 to 1.0E-08. The average individual risk and FAR values for these units
after implementing the safety measures fall well within the ALARP acceptable region.
CONCLUDING REMARKS

The main objective of risk assessment and the associated engineering studies is to
provide decision support to achieve a cost effective and safe design. In practice, this is
accomplished through the design requirements and a reduction of the platform risk level
with cost effective safety measures.
The main benefit from this approach is that of obtaining optimal safety measures with
the end result being a safer platform design. In addition to optimization, it is realistic to
assume that significant savings may be made by making the right decisions at the right
time. A wealth of experience shows that risk assessments carried out too late (on
existing or frozen designs) result in excessive costs for modifications and changes, or
reveal solutions where unsafe designs cannot be satisfactorily resolved or mitigated.
In this paper, a strong case is made for risk analysis to be considered a design tool,
much more so than as a tool for verification of a safe design, as emphasized by Falck et
al. (2000). Although serious concerns were raised when risk assessment was
introduced in the early 1980s, the usefulness of the technique was realized by many
within the first couple of years. Presently, the approach is considered effective and
successful. The important role of risk considerations as a design tool builds on
comparative risk assessment, not the assessment of risk in an absolute sense. A risk of
10-5 has no other meaning than expressing that this hazard is much less significant
than those other hazards at a risk level of 10-4 or 10-3. The design tool risk assessment
always needs to be quantitative - in terms of consequence calculations and also
probability analysis. In the US as well as Canadian offshore areas, developments are
being taken into deeper waters where larger installations and more significant economic
exposure are prevalent. Both the economic exposure as well as the exposure of
personnel to hazards will be expected to call for dedicated detailed engineering risk
assessments.
This paper presents a revised version of the recently proposed SCAP methodology for
risk-based safety management for offshore process activities through a quantitative
feedback system of probabilistic risk assessment. It illustrates the application of the
discussed methodology to a typical offshore process facility. The methodology is a
combination of five quantitative steps; each requires an independent technique and
computer-aided tools.
The effectiveness of this methodology has been demonstrated by applying it to a typical

offshore process facility. From the initial phase of the case study, it was observed that
compressor units inherit maximum risk due to their higher probability of failure.
However, after implementing safety measures, the probability of occurrence was
reduced drastically, thereby causing a substantial reduction in risk.

ACKNOWLEDGEMENTS
The authors gratefully acknowledge the financial support provided by the Natural
Sciences and Engineering Research Council of Canada (NSERC) and the Canada
Foundation for Innovation (CFI).
REFERENCES
Berg, J.R., Bakke, J.R., Feranley, P. and Brewerton, R.B. (2000). CFD Layout
Sensitivity Study to Identify Optimum Safe Design of a FPSO, In Proceedings of
Offshore Technology Conference, May 1-4, 2000, Houston, TX, USA.
Bjerketvedt, D. and Bjokhaug, M. (1991). Experimental Investigation - Effect of Water

Sprays on Gas Explosions, Prepared by Christian Michelsen Institute for UK
Department of Energy, OTH 90 316, HMSO, London, UK.
Brandsater, A. (2002). Risk Assessment in the Offshore Industry, Safety Science, 40,
231.
CCPS (1989). Guidelines for Chemical Process Quantitative Risk Analysis, American
Institute of Chemical Engineers, NY, USA.
Crawley, F.K. (1999). The Change in Safety Management for Offshore Oil and Gas
Production Systems, Process Safety and Environmental Protection, 77, 143.
Crawley, F.K. and Grant, M.M. (1997). Concept Risk Assessment of Offshore
Hydrocarbon Production Installations, Process Safety and Environmental Protection, 75,
157.
E&P Forum (1995). Leak and Ignition Database, Available from DNV, Hovik, Norway.
Falck, A., Skramstad, E. and Berg, M. (2000). Use of QRA for Decision Support in the
Design of an Offshore Oil Production Installation, Journal of Hazardous Materials, 71,
179.
Finucane, M. (1994). The Adoption of Performance Standards in Offshore Fire and

Explosion Hazard Management, Fire Safety Journal, 23, 171.
Gardner, D.J., Hulme, G., Hughes, D.J., Evans, R.F. and Brington, P. (1995). In

IChemE Symposium Series No. 134, Institution of Chemical Engineers, Rugby, UK.
Hauptmanns, V. and Werner, W. (1990). Engineering Risks, Springer-Verlag, Berlin,

Germany.
Hirst, I.L. and Carter, D.A. (2000). A "Worst Case" Methodology for Risk Assessment of
Major Accident Installations, Process Safety Progress, 19, 78.
HSE (1993). Draft Offshore Installations (Fire and Explosion, and Emergency
Response) Regulations and Approved Code of Practice, Consultative Document 64,
Health and Safety Executive, Sheffield, UK.
HSE (1994). Statistical Report from Leak and Ignition Database, Health and Safety
Executive, London, UK.
HSE (1996). Offshore Accident/Incident Statistics Reports, OTO 96.954. Health and
Safety Executive, London, UK.
James, H., Harris, M. J. and Hall, S. F. (1993). Comparison of Event Tree, Fault Tree
and Markov Methods for Probabilistic Safety Assessment and Application to Accident
Mitigation, Major Hazards Onshore and Offshore, IChemE Series # 130, 59.
Jones, J.C. and Irvine, P. (1997). PLATO Software for Offshore Risk Assessment: A
Critique of the Combustion Features Incorporated, Journal of Loss Prevention in the
Process Industries, 10, 259.
Khan, F.I. (2001). Development of Maximum Credible Accident Scenarios for Realistic
and Reliable Risk Assessment, Chemical Engineering Progress, November 2001, 56.
Khan, F.I. and Abbasi, S.A. (1997). A Maximum Credible Accident Analysis Based
Quantitative Risk Assessment Study of Chemical Process Industry, Indian Chemical
Engineer, A39, 92.
Khan, F.I. and Abbasi, S.A. (1998a). Multivariate Hazard Identification and Ranking
System, Process Safety Progress, 17, 157.
Khan, F.I. and Abbasi, S.A. (1998b). Techniques and Methodologies for Risk Analysis in
Chemical Process Industries, Journal of Loss Prevention in the Process Industries, 11,
261.

Khan, F.I. and Abbasi, S.A. (1999). MAXCRED - A New Software Package for Rapid
Risk Assessment in Chemical Process Industries, Environment Modeling and Software,
14, 11.
Khan, F.I. and Abbasi, S.A. (2000). Assessment of Risks Posed by Chemical Industries
- Application of a New Computer Automated Tool MAXCRED-III, Journal of Loss
Prevention in the Process Industries, 13, 12.
Khan, F.I. and Abbasi, S.A. (2001). Analytical Simulation and PROFAT II: A New
Methodology and a Computer Automated Tool for Fault Tree Analysis in Chemical
Process Industries, Journal of Hazardous Materials, A75, 1.
Khan, F.I., Husain, T. and Abbasi, S.A. (2001a). Design and Evaluation of Safety
Measures Using a Newly Proposed Methodology "SCAP", Journal of Loss Prevention in
the Process Industries, 15, 129
Khan, F.I., Iqbal, A., Ramesh, N. and Abbasi, S.A. (2001b). SCAP: A New Methodology
for Safety Management Based on Feedback From Credible Accident - Probabilistic
Fault Tree Analysis System, Journal of Hazardous Materials, A87, 23.
Khan, F.I., Sadiq, R. and Husain, T. (2002). Risk-Based Process Safety Assessment
and Control Measures for Offshore Process Facilities, Journal of Hazardous Materials,
A94, 1.
Lees, F.P. (1996). Loss Prevention in the Process Industries, Butterworths, London, UK.
Papazoglou, I.A., Nivoliantiou, A.O. and Christou, M. (1992). Probabilistic Safety

Analysis in Chemical Installation, Journal of Loss Prevention in the Process Industries,
5, 181.
Rauzy, A. (1993). New Algorithms for Fault Tree Analysis, Reliability Engineering and
System Safety, 40, 203.
Santos-Reyes, J. and Beard, A.N. (2000). A Systematic Approach to Managing Fire

Safety on Offshore Installations, In Proceedings of Offshore Technology Conference,
May 1-4, 2000, Houston, TX, USA.
Shetty, N.K., Soares, C.G., Christensen, P.T. and Jensen, F.M. (1998). Fire Safety
Assessment and Optimal Design of Passive Fire Protection for Offshore Structures,

Reliability Engineering and System Safety, 61, 139.
UKOOA (1995). Guidelines for Fire and Explosion Hazard Management, United
Kingdom Offshore Operators Association, London, UK.
van Wingerden, K. (1994). Course and Strength of Accidental Explosions on Offshore

Installations, Journal of Loss Prevention in the Process Industries, 7, 295.
Vinnem, J.E. (1998). Evaluation of Methodologies for QRA in Offshore Operations,

Reliability Engineering and System Safety, 61, 39.
Wighus, R. (1994). Fires on Offshore Process Installations, Journal of Loss Prevention

in the Process Industries, 7, 305.
WOAD (1998). Worldwide Offshore Accident Databank, Veritec, Oslo, Norway.
Yllera, J. (1988). Modularization Methods for Evaluating Fault Tree of Complex

Technical System, In Kandel, A. and Avni, V. (Eds), Engineering Risk and Hazard
Assessment, Vol 2, CRC Press, Inc, FL, USA.
Layer of Protection Analysis:

Generating Scenarios Automatically from HAZOP Data(6)
Arthur M. (Art) Dowell, III, P.E. Thomas R. (Tom) Williams

Senior Technical Fellow Senior Risk/Reliability Engineer
Hazard Analysis ABS Consulting
Rohm and Haas Compnay Risk Consulting Division
6519 State Highway 225 10301 Technology Dr
Deer Park, TX 77536 USA Knoxville, TN 37932-3392 USA
Prepared for Presentation at the

American Institute of Chemical Engineers
2004 Loss Prevention Symposium
Session T7003, Safety Instrumented Systems/Layer of Protection Analysis
New Orleans, LA
April 26-29, 2004
Copyright © 2003 Rohm and Haas Company

UNPUBLISHED
ABSTRACT
This paper details the concept of automatically generating LOPA scenarios from a
process hazard analysis (PHA) conducted using a methodology such as HAZOP.
Specialized software selects consequences that meet severity criteria or risk criteria. It
then takes each end consequence, follows each link path to an initiating cause, and
presents each rolled up link path as a single LOPA scenario, complete with all the
safeguards (i.e., candidate protection layers) found along the link path. The scenarios
can be presented in database or spreadsheet format. The rolled-up LOPA spreadsheet
allows the analyst(s) to identify safeguards that are independent protection layers and
assign appropriate values to each independent protection layer. The spreadsheet
calculates the resultant mitigated risk (or mitigated likelihood) in real time. This makes it
easy for the analyst(s) to determine which independent protection layer or group of
independent protection layers provide the most effective means for reaching or
maintaining a target risk threshold.
The concept (demonstrated using ABS Consulting's HazardReview LEADER™

software) makes the process of going from PHA results to LOPA results a lot less time
consuming. It avoids retyping and reduces the risk of overlooking scenarios. The paper
will present lessons learned from applying the tools in real PHA/LOPA applications.
INTRODUCTION
Layer of protection analysis (LOPA) helps companies understand, in a rational and

consistent manner, how many safeguards are enough for a particular accident scenario.
LOPA takes a pre-defined cause-consequence pairing (typically identified during a
qualitative hazard evaluation), determines how many independent protection layers
(IPLs) are provided by existing and/or recommended safeguards, and evaluates
whether this number of IPLs provides adequate risk mitigation. LOPA goes beyond the
typical use of a risk matrix but is less detailed than a fault tree analysis. It basically
separates the question of "How likely is it?" into two issues:
(1) likelihood (frequency) of the initiating event, and

(2) probability of failure on demand (PFD) of the IPLs.
LOPA can provide a company with the following information for a scenario on a

consistent basis:
(1) Worst-case unmitigated risk (assuming all safeguards fail),

(2) As-is mitigated risk (with existing safeguards in place), and
(3) The improvements necessary to reach a target risk threshold, as described in Dowell (1, 3, 4, 5, 6)
and CCPS (2).
The general format of a LOPA table is shown in Table 1 from Dowell (1).
Table 1: General Format of LOPA Table
The severity of the consequence is estimated using appropriate techniques, which may
range from simple "look-up" tables to sophisticated consequence modeling software
tools. One or more initiating events (causes) may lead to the consequence; each
cause-consequence pair is called a scenario. LOPA focuses on one scenario at a time.
The frequency of the initiating event is estimated (usually from look-up tables or
historical data). Each identified safeguard is evaluated for two key characteristics:
· Is the safeguard effective in preventing the scenario from reaching the consequence?
AND,
· Is the safeguard independent of the initiating event and the other IPLs?
If the safeguard meets BOTH of these tests, it is an IPL. LOPA estimates the likelihood
of the undesired consequence by multiplying the frequency of the initiating event by the
product of the PFDs for the applicable IPLs using Equation 1 from CCPS (2).

Typical initiating event frequencies and IPL PFDs are given by Dowell (1, 3) and CCPS
(2). Figure 1 illustrates the concept of LOPA - that each IPL acts as a barrier to reduce
the frequency of the consequence. Figure 1 also shows how LOPA compares to event
tree analysis. A LOPA analysis describes a single path through an event tree, as shown
by the heavy line in Figure 1.

Figure 1: Comparison between LOPA and event tree analysis
[Copyright ©2001, AIChE, reproduced by permission]
DEVELOPING LOPA SCENARIOS
One approach to developing LOPA scenarios is to use a simple screening risk matrix in
the HAZOP or other process hazard analysis methodology. Each consequence is
ranked for its severity, and the associated causes for the consequence are placed into
categories for their unmitigated frequencies, that is, the frequency before application of
safeguards. The risk associated with a scenario - a cause-consequence pair - is
estimated by the intersection of the consequence severity and the cause frequency on
the risk matrix. Many companies have established guidance criteria to select higher risk
scenarios for additional analysis. For example, the "Red" zone on the risk matrix may
represent consequence severities of one or more fatalities with a frequency above a

given threshold. A company's guidance criteria may require LOPA or more complex
quantitative analysis for all scenarios in the "Red" zone.
Translation of HAZOP information into LOPA scenarios is shown graphically in Figure 2

(Dowell, 3). Note that not all the information from the HAZOP is included in the LOPA.
Consequences that do not meet the risk matrix criteria are omitted. Very low-frequency
causes may be omitted. Safeguards that do not provide risk reduction will not be given
credit as IPLs in the LOPA (but they may be noted in the LOPA documentation).
Additional IPLs may be added as a result of the LOPA study.
The user can manually review the PHA documentation, identify consequences that
meet the risk matrix criteria for additional analysis, and develop LOPA scenarios for
those consequences, including the associated causes and safeguards. Such activities
are tedious, and information can be overlooked or left out, particularly if the PHA is not
documented logically, thoroughly, and consistently.
To help ensure logical, thorough, and consistent PHA documentation for processes
involving interrelated process parameters and interconnected equipment, interrelated
HAZOP deviations are often linked electronically such that the consequence of one
deviation is shown as a cause of another deviation, and vice versa. While this is the
most efficient, logical, and thorough way to document a PHA in many cases, linking
makes manual extraction of LOPA scenarios more difficult.
Alternatives to this approach include the following:
(1) Avoiding the use of logical cause-effect linking in favor of documenting complete HAZOP
scenarios within single deviations. While this approach often results in erroneous, misleading, or
incomplete HAZOP results, it can help minimize the effort of porting HAZOP results to LOPA.
(2) Using specialized software that queries linked HAZOP scenarios and assembles the causes and
safeguards along the entire cause-effect link path to create a complete LOPA scenario for each
cause-consequence pair. This approach is equally effective in minimizing the HAZOP-to-LOPA
effort while also allowing the HAZOP to be conducted and documented in a logical, thorough,
and consistent manner.
HazardReview LEADER includes a LOPA module that implements the second, more
thorough approach. It rolls up individual cause-consequence LOPA scenarios from
more broad PHA scenarios recorded in HazardReview LEADER. It is particularly
powerful when used in conjunction with the LEADER Links feature.
LEADER Links are used to show cause-effect relationships between multiple HAZOP
deviations. When used correctly, LEADER Links help prevent duplication or multiple
crediting of safeguards as well as helping to ensure that safeguards are listed only at
deviations where they are directly applicable. This is the first step in moving a PHA

toward LOPA. For example, a relief valve is not a direct safeguard against high level,
but high level may lead to high pressure and cause the relief valve to open. Thus, the
LEADER Links methodology credits the relief valve as a direct safeguard at the
high-pressure deviation but not at the high-level deviation. A LEADER Link then shows
the cause-effect relationship between the high-level deviation and the high-pressure
deviation.
This concept is important for understanding the power of LEADER's LOPA module. The
LOPA module rolls up linked scenarios into Excel spreadsheets. That is, it takes each
end consequence, follows each link path to an initiating cause, collects all the existing
and recommended safeguards for each link path, and presents each rolled up link path
as a single LOPA scenario, complete with all the safeguards (i.e., candidate protection
layers) found along the link path.
Each rolled-up LOPA spreadsheet allows the analyst(s) to assign appropriate values (or
credits) to each safeguard, and the spreadsheet calculates the resultant mitigated risk
(or mitigated frequency) in real time. This makes it easy for the analyst(s) to play the
"what-if" game to determine which safeguard or group of safeguards provides the most
effective means for reaching or maintaining a target risk threshold.
The LOPA module does not provide the answers, but it makes the process of going
from PHA results to LOPA results a lot less time consuming. A trained LOPA analyst is
needed in order to apply the LOPA rules appropriately and consistently.
There are some pitfalls to avoid when using the LEADER Links methodology. If linking
is done inappropriately, the user may find a multitude of essentially duplicate scenarios
that must be screened by hand.
Key points for successful linking and generation of LOPA spreadsheets include the
following:
(1) Avoid assigning risk matrix severities to intermediate consequences. In the example above, where
high level leads to high pressure, if there is no safety consequence for high level by itself, high
level should not be assigned a risk matrix severity. Assigning a safety severity to high pressure is
sufficient to ensure that high level and its preceding causes will be captured in the rolled up
LOPA scenario.
(2) Assign safeguards only to the specific deviations where they apply; see the relief valve example
above. This will avoid having a particular safeguard appear multiple times in a particular LOPA
scenario.
(3) Exercise discipline and consistency in linking. For example, similar analysis nodes should have
similar link paths.
(4) Minimize parallel link paths having the same ultimate cause and the same ultimate consequence.

Where parallel link paths are appropriate, use explanatory text to differentiate the two paths.
(5) Avoid circular links. For each ultimate consequence, the software needs to be able to work back
through each link path to an ultimate cause without revisiting the deviation having the ultimate
consequence.
(6) Use the same text to describe the same consequence, cause, or safeguard, wherever each item
occurs. This will help in eliminating duplicate items in the LOPA scenarios.
There are also some important things to keep in mind when developing a LOPA
protocol for your company. These items have a direct impact on the software you
choose and how, when, and by whom LOPA studies will be conducted. The following
are two of the most critical items to consider:
(1) LOPA is an objective engineering study, not a subjective brainstorming exercise. It does not have
to be quantitative or even semi-quantitative, but it does need to be objective. With this said, it is
nearly impossible to develop objective LOPA results during a PHA team meeting. LOPA needs
to be conducted outside of the influences of the various interests and biases of a typical PHA
meeting. (However, some organizations do report successful use of LOPA protocols during the
PHA meeting. Note that the risk tolerance criteria used for LOPA decisions must be based on a
per-scenario frequency. If the risk tolerance criteria involves summation of multiple scenarios, it
is much better to do the LOPA analysis after the PHA is complete [Dowell, 6].) The experienced
opinion of the authors is to do LOPA after the PHA.
(2) Most risk matrixes being used for risk ranking in PHA meetings are not appropriate for use in
LOPA. The reasoning is not obvious or easily understood without practice. However, the
following is a brief attempt to explain this issue.
Typical risk matrix severity categories used in PHAs are based on personnel, public,
and environmental impacts rather than quantity, type, and conditions of material or
energy released. It requires a subjective judgment to determine what type of protection
layer reduces the expected frequency of a fatal injury from once per year to once in 10
or 100 years, or what types of conditions make the potential for a fatal injury "not
credible" (i.e., the perceived frequency of a severe consequence is so low that the
analyst(s) assigns a lower severity category).
It is much more objective and defensible to state what type of protection layer reduces
the frequency of a 1000-lb release of flammable material above its boiling point from
once per year to once in 10 or 100 years, or what types of conditions make this type of
release "not credible" such that a 100-lb release becomes the assigned severity.
However, very few risk matrixes used in PHAs have these types of severity categories.
Typical PHA risk matrix categories can be used for LOPA, but the analyst(s) must be
very careful and understand the assumed conditions that are built into each category.
Most PHA teams do not have this level of understanding. To help bridge this knowledge
gap, companies have taken two basic tacks, including (A) providing specialized LOPA
training to select engineers/analysts and (B) developing more specific or advanced

LOPA rules and tables to help minimize subjectivity when estimating the frequency of
fatality or injury from a given release event, described in Dowell (1, 3, 6) and CCPS (2).
Again, we believe LOPA and particularly the more advanced LOPA rules are best
applied by trained engineers/analysts outside of PHA meetings.
CONCLUSION
LOPA has proven to be an effective tool to determine if there are enough safeguards
and sufficient risk reduction to meet the risk tolerance criteria for scenarios developed
from PHA information. However, preparing for LOPA can require tedious efforts in
pilfering through complex and duplicative PHA information to develop meaningful LOPA
scenarios. These efforts can be minimized by applying risk matrix rules consistently,
carefully documenting PHA information in a logical manner, and using specialized
software that automates the rollup of LOPA scenarios from interrelated HAZOP
deviations.
HazardReview LEADER™ is a trademark of ABS Consulting
REFERENCES
1. Dowell, A. M., III, "Layer of Protection Analysis for Determining Safety Integrity
Level," ISA Transactions 37 155-165, 1998.
2. Center for Chemical Process Safety, Layer of Protection Analysis: Simplified

Process Risk Assessment, American Institute of Chemical Engineers, New York, NY,
2001
3. Dowell, A. M., III, "Layer of Protection Analysis: A New PHA Tool, After HAZOP,
Before Fault Tree Analysis," Presented at Center for Chemical Process Safety
International Conference and Workshop on Risk Analysis in Process Safety, Atlanta,
GA, October 21, 1997, American Institute of Chemical Engineers, New York, NY, 1997.
4. Dowell, A. M., III "Layer of Protection Analysis and Inherently Safer Processes,"
Process Safety Progress, 18, 4, 214-220, 1999.
5. Dowell, A. M., III "Layer of Protection Analysis: Lessons Learned." ISA Technical
Conference Series: Safety Instrumented Systems for the Process Industry, May 14-16,
2002, Baltimore, MD.
6. Dowell, A. M., III, and D. C. Hendershot, "Simplified Risk Analysis - Layer of

Protection Analysis (LOPA)", American Institute of Chemical Engineers 2002 National

Meeting, Indianapolis, IN, November 3-8, 2002
NOMENCLATURE
AIChE American Institute of Chemical Engineers
BPCS Basic Process Control System
CCPS Center for Chemical Process Safety
DCS Distributed Control System
HAZOP Hazard and Operability Analysis
IEC International Electrotechnical Commission
IPLs Independent Protection Layer
ISA The Instrumentation, Systems, and Automation Society
LOPA Layer of Protection Analysis
PFD Probability of Failure on Demand
PHA Process Hazard Analysis
PLC Programmable Logic Controller
SIF Safety Instrumented Function


3922 04

Uploaded by

Copyright:

Available Formats

3922 04

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

3922 04

Uploaded by

Copyright:

Available Formats

Session 4 - Safety Instrumented Systems/Layer of Projection Analysis

SIS Growing Pains:

J. Wayne Chastain and Kenneth Yount

Copyright © Eastman Chemical Company

AIChE Copyright 1987-2003

In 1996 the Instrument Society of America released ANSI/ISA-S84.01 entitled

AIChE Copyright 1987-2003

What did we have?

Tennessee Eastman Division of Eastman Chemical Company put in place an internal

· Basis (architectural vs. risk)

AIChE Copyright 1987-2003

Although other companies may have different types of internal standards, or no

First, if a company has an internal standard, or several competing internal standards, or

However, a company shouldn't ignore the implications of OSHA's letter of interpretation.

AIChE Copyright 1987-2003

First, evaluating the favorable aspects of switching to one of the aforementioned

· Lowered costs associated with execution of contracts with engineering firms.

· Lowered cost due to elimination of over-design.

AIChE Copyright 1987-2003

· Development and deployment of new internal standards.

In order to implement a consensus standard in a company with its own internal

· Alteration of internal processes.

· Costs of the design process.

· Costs of maintenance processes.

AIChE Copyright 1987-2003

· IEC 61511 is, in general, a broader and more prescriptive standard

AIChE Copyright 1987-2003

· System architectural requirements for SIS under IEC 61511

· Additional documentation requirements under IEC 61511

AIChE Copyright 1987-2003

If a decision is made to change a company's standard from an internal to one of the

AIChE Copyright 1987-2003

Maintenance may be significantly impacted by the change to one of the consensus

The work processes of the organizations quality assurance organization may be

AIChE Copyright 1987-2003

Eastman Chemical Company is now in the early stages of implementation of this

1. ANSI/ISA-84.01-1996 - Application of Safety Instrumented Systems for the Process Industries.

Fault Tree and Layer of Protection Hybrid Risk

Marc Rothschild, P.E.

Rohm and Haas Company

AIChE Copyright 1987-2003

AIChE Copyright 1987-2003

2. ILLUSTRATION OF LOPA LIMITS

AIChE Copyright 1987-2003

Expanding the above equation:

AIChE Copyright 1987-2003

3. FAULT TREE ANALYSIS

This section includes a brief overview of FTA. It is not possible to provide a

AIChE Copyright 1987-2003

AIChE Copyright 1987-2003

4. COMBINING FAULT TREES WITH LOPA'S

AIChE Copyright 1987-2003

AIChE Copyright 1987-2003

AIChE Copyright 1987-2003

Figure 4 - Failure Analysis for Selected Control Configurations (Cont.)

AIChE Copyright 1987-2003

2. Center for Chemical Process Safety (CCPS), Layer of Protection Analysis,

6. U.S. Nuclear Regulatory Commission, Fault Tree Handbook (NUREG-0492).

Oxidation Reaction Safeguarding with SIS(3)