'

70

5. Identifying Initiating Event Frequency

with the data. (For instance, it would be inappropriate to apply OREDA data
developed by the petroleum industry for North Sea off-shore oil rigs directly
to chemical operations in Kansas.) These assumptions should be documented
so that future data selections are made consistently.
The LOPA method also assumes that the failure rate is constant. This is
not always true, since equipment failure rates are typically higher when the
equipment is new ("infant mortality") and when it ages ("old age"). However, for most equipment the longest period of operation involves a constant
failure rate. For the purposes of LOPA, a constant failure rate is adequate.
Failure Rates in LOPA
Typically, for LOPA, a company should lump discrete initiating event frequencies into a representative set of initiating event categories. This improves
the consistency of risk estimates across an organization. Typical initiating
event frequencies used by LOPA analysts in the chemical industry are shown
in Table 5.1.
,
For control system failures, the overall loop failure rate typically includes
failure of any of several components (transmitter, air supply, DCS, valve,
sensor, etc.) and can include other factors such as improper set points, miscalibration, operation on manual or off-cascade.

Derivation of Initiating Event Frequency from Failure Data

Failure data are sometimes expressed as a probability of failure on demand
(PFD). For example, human error to execute a task may be expressed as 1 x
10-1 per opportunity, or a crane load drop may be expressed as 1 x 10-4 per lift
(see Table 5.1). When this is the case, the initiating event frequency must be
derived. This involves estimating the number of times per year (or times per
106 hours) that a demand is placed on the system (or person). This may be as
straightforward as counting the number of times the operation is carried out
per year and multiplying by the probability of failure on demand (assuming
the two values are not interdependent). Or, it may be as complex as using
fault tree techniques to estimate the number of challenges per year to which
the system is subjected. LOPA is a simplified approach, and the analyst
should move on to more rigorous techniques if the scenario is overly complex
or more precision is desired.

Time at Risk
For systems/ operations that are not continuously operated (loading/
unloading, batch processes, etc.) failure rate data must be adjusted to reflect
the 'time at risk' for the component or operation under consideration. Since

71

5.3. Frequency Estimation

TABLE 5.1

Typical Frequency Values,

r. Assigned to Initiating Events

Frequency Range

Initiating Event

from Literature
(per year)

Example of a
Value Chosen by
a Company for
UseinLOPA
(per year)

Pressure vessel residual failure

10-s to 10-1

1x10-6

Piping residual failure-100 m-Full Breach

10-s to 10-6

1 x 10-s

Piping leak (10% section)-100 m

10-3to10-4

1 )( 10-3

Atmospheric tank failure

10-3to10-s

1 )( 10-3

Gasket/ packing blowout

10-2to10-0

1 )( 10-2

Turbine/ diesel engine overspeed with casing

breach

10-3 to 10-4

1 x 10-4

Third party intervention (external impact by

backhoe, vehicle, etc.)

10-2to10-4

1 )( 10-2

Crane load drop

10-3to10-4 per lift

1 x 10-4 per lift

Lightning strike

1Q-3to10-4

1 )( 10-3

Safety valve opens spuriously

10-2 to 10-4

1 )( 10-2

Cooling water failure

1 to 10-2

1)(10-1

Pump seal failure

10-1 to 10-2

1x10-1

Unloading/loading hose failure

1 to 10-2

1x10-1

BPCS instrument loop failure Note: IEC 61511

limit is more than 1x10-5/hr or8.76 x 10-2/yr

1 to 10-2

1 x 10-1

1 to 10-1

1x10-1

I Small external fire (aggregate causes)

10-1 to 10-2

1 x 10-1

I Large external fire (aggregate causes)

10-2to10-3

1 )( 10-2

LOTO (lock-out tag-out) procedure"' failure

*overall failure of a multiple-element process

10-3to10-4 per
opportunity

1x10-3 per
opportunity

Operator failure (to execute routine proce?ure,

assuming well trained, unstressed, not fatigued)

10-1 to 10-3 per

opportunity

1x10-2 per
opportunity

(IEC, 2001)

Regulator failure

Note: Individual companies should choose their own values, consistent with the degree of conse~a
tism of the company's risk tolerance criteria. Failure rates can also be greatly affected by preventive
maintenance (PM) routines .

92

6. Identifying Independent Protection layers

can be credited as IPLs with a high level of confidence and will significantly
reduce the frequency of events with potentially major consequences. However, there may be other, less serious consequences (such as a fire in dike,
blast damage to some equipment) that should be analyzed in other scenarios.
Fireproofin~ is ~ means-~ reduc~g the rate of heat input to equipment
(e.g., when cons1denng the SIZlng basis for relief valves, for preventing a boilTABLE 6.3
Examples of Passive JPLs
Comments

Assuming an adequate design

IPL
Dike

PFDUsedin
This Book

and maintenance procedures

PFDfrom
Literature and
Industry

(For screening)

Will reduce the frequency of large

consequences (widespread spil1)
of a tank overfill/rupture/spill/

1 x 10-2 - 1 Xl()-3

1 x 10-2

basis and adequate inspection

etc.

Underground
Will reduce the frequency of large
Drainage System consequences (widespread spill)
of a tank overfill/rupture/spill/
etc.

1x10-2-1x1()-3

1 x 10-2

Open Vent (no

valve)

Will prevent over pressure

1 x 10-2 - 1 x 1()-3

1 x 10-2

Fireproofing

Will reduce rate of heat input and

provide additional time for
depressurizing/ firefighting/ etc.

1x10-2-1x1()-3

1 x 10-2

Wi11 reduce the frequency of large

consequences of an explosion by
confining blast and protecting
equipment/buildings/ etc.

lxlQ-2-l><lQ..J

1x10-3

1 x 10-1 -1 x 10-6

1x10-2

Blast-wall/
Bunker

"Inherently Safe" If properly implemented can sigDesign

nificantly reduce the frequency of
consequences associated with a
scenario. Note: the LOPA rules for
some companies allow inherently
safe design features to eliminate

certain scenarios (e.g., vessel

design pressure exceeds all possihie high pressure challenges).
F1ame/Detonation Arrestors

If properly designed, installed

and maintained these should
eliminate the potential for flashback through a piping system or

into a vessel or tank.

1x10-1-1x10-3

1 x 10-2

6.5. Examples of IPLs

93

ing liquid, expanding vapor explosion (BLEVE), or for preventing an exothermic runaway reaction due to external heat input). This could mitigate the size
of a release or provide additional time to respond to the situation by
depressurizing the system, fire fighting, etc. If fireproofing is considered as
an IPL it must be shown to be effective in preventing the consequence (a
BLEVE, etc.) or provide sufficient time for other action. It should also meet
the requirements that the fireproofing remain intact when exposed directly to
a fire and that it will not be displaced by the impact of a jet of water from a
monitor or hose.
Other passive IPLs, such as flame or detonation arrestors, while employing simple physical principles, are susceptible to fouling, plugging, corrosion, unexpected conditions, potential maintenance mistakes, etc. These must
be considered when assigning a PFD to such devices.
Passive IPLs, such as dikes or blast walls, where the equipment design
prevents the consequence can have low PFD values for LOPA purposes, but
care must be taken to assess accurately the PFD to be applied.
In some companies, process design features (such as special materials
and inspection) are considered as IPLs if they can prevent the consequence
from occurring. This approach allows an organization to evaluate risk differences between plants that are designed using different equipment standards.
With this approach inherently safer process design features also have
assigned PFDs requiring appropriate inspection and maintenance (auditing)
to ensure that process changes do not change the PFD.
In many companies, the approach taken is that inherently safer design
features eliminate scenarios rather than mitigate the consequences of a scenario. For example, if equipment is designed to withstand an internal deflagration then all the scenarios that lead to a rupture of a vessel due to an
internal explosion have thereby been eliminated. Using this approach, process design is not considered to be an IPL as there are no scenarios or consequences to be considered and, therefore, no IPL is required. However,
appropriate inspection and maintenance (auditing) is required to insure that
process changes do not change the effectiveness of the inherently safer design
feature. This issue is discussed further in the following example.
Example 6.5
Consider a system where a pump feeds material to a vessel that has a
design pressure greater than the shut-off head of the pump. Some companies might view the rupture of a vessel due to overpressure from a
deadheaded feed pump as a feasible scenario. They would then count the
inherently safer design feature that the design pressure of the vessel
exceeds the deadheaded pump pressure as an IPL. Some LOPA analysts give
such an IPL a PFD range of 1 x 10-2 to 1 x 1Q-4; these PFDs recognize the
possibility that there maybe errors in fabrication and maintenance and that
corrosion could reduce the rupture pressure of the vessel. Additionally the

96

6. Identifying Independent Protection Layers

6.5.

Examples of/PLs

97

TABLE 6.4

Comments
IPL

the process to within the normal operating envelope. This action

should result in a shutdown, moving the process to a safe state.

Examples of Active IPLs

Assuming an adequate design basis and

inspection/111aintenance procedures

PFDfrom
Literature and
Industry

PFD Used in
This Book

(For screening)

Relief valve

Prevents system exceeding specified

overpressure. Effectiveness of this
device is sensitive to service and
experience.

1 x 10- -1 x 10..s

1 x 10-2

Rupture disc

Prevents system exceeding specified

overpressure. Effectiveness can be
very sensitive to service and experience

1 )( 10-1 -1 x 10-5

1 x 10-2

Basic Process
Control
System

Can be credited as an IPL if not asso- 1 x 10-1 -1 x 10-2

dated with the initiating event being
(>1 x 10-1 allowed
considered (see also Chapter 11). (See
by !EC)
!EC 61508 (!EC, 1998) and !EC 61511
(IEC, 2001) for additional discussion.)

1 x 10-1

The BPCS is a relatively weak IPL, as there is usually

Safety
Instrumented
Functions
(Interlocks)

See !EC 61508 (!EC, 1998) and !EC 61511(IEC,2001) for life cycle requirements and additional discussion
,

Sill

Typically consists of:

==:1 )(

10-1 -<1x10-2

Single sensor (redundant for fault to!erance)

Single logic processor (redundant for
fault tolerance)
Single final element (redundant for
fault tolerance)
SIL2

Typically consists of:

"Multiple" sensors (for fault tolerance)
"Multiple" channel logic processor
(for fault tolerance)
"Multiple" final elements (for fault
tolerance)

SIL3

Typicaliy consists of:

This book does

not specify a
==:1)(10-2-<1)(10-3 specific SIL
level.
Continuing
examples
calculate a
required PFD
for a SIF

little redwtdancy in the components,

limited built-in testing capability, and
limited security against unauthorized changes to the internal program
logic.
The limited security arrangements are particularly important when considering the effectiveness of the BPCS as an IPL. Human error (in modifying
logic, bypassing alarms and interlocks, etc.) can significantly degrade the
anticipated performance of BPCS systems if security is not adequate.
IEC 61511(IEC,2001) limits the combined PFD to not less than 1x10-1 for
all the BPCS IPLs that can be applied to a unique initiating event-consequence pair (i.e., combined PFD must be more than 1x101). For LOPA purposes, some companies use a PFD of 1 x 10-1 for each BPCS IPL that can be
applied to a unique initiating event-consequence pair, based on analysis of
their system configuration, implementation, maintenance and testing.
The following examples demonstrate the types of action taken by the BPCS.
Example 6.6: BPCS Normal Control Loop Action as an IPL
Consider the example of an initiating event due to abnormally high pres
sure of the fuel gas supply to a furnace. An upstream unit causes the high
pressure. The consequence is a high temperature in the furnace. If the fuel
gas flow control loop is pressure compensated, the normal action of the
loop will reduce the volumetric flow as the pressure goes up. This loop
could be an IPL if it is capable of preventing the high-pressure upset from
becoming the hightemperature consequence in the furnace.
Example 6.7: BPCS Alarm Action as an IPL
In a furnace similar to that of Example 6. 6, consider the case where the fuel
gas flow control loop is not pressure compensated. However, the BPCS has
discrete logic to generate an alarm on high fuel gas pressure. The operator
would then be expected to take action to control the gas pressure or shutdown the furnace. This BPCS loop, in conjunction with the operator action,
could be an IPL.

==:1 )( 10-3-<1x10-4

Multiple sensors
Multiple channel logic processor
Multiple final elements

Note. Multiple 1ncludes l out of 2 (1oo2) and 2 out of 3 (2oo3) voting schemes
"Mu.ltiple" indicates that multiple components may or may not be required depending upon the
arc~1tecture of t?e system, the components selected and the degree of fault tolerance required to
achieve the required overall PFD and to minimize unnecessary trips caused by failure of individual
components (see IEC 61511 (IEC, 2001) for guidance and requirements).

Example 6.8: BPCS Logic Action as an IPL

In a furnace similar to that of Example 6.6, consider again the case where
the fuel gas flow control loop is not pressure compensated. However, the
BPCS has discrete logic to trip (shutdown) the furnace on high fuel gas pressure to prevent the high furnace temperature consequence. This BPCS loop
could be an IPL.

98

6. Identifying Independent Protection Layers

Safety Instrumented System {SIS)

A safety instrumented system (SIS) is a combination of sensors, logic solvers
and final elements that performs one or more safety instrumented functions
(S!Fs). S!Fs are state control functions, sometimes called safety interlocks and
safety critical alarms. An assembly of S!Fs makes up the SIS (also known as an
emergency shutdown system). ISA 584.01 (ISA, 1996), !EC 61508 (!EC, 1998),
!EC 61511(!EC,2001), and the CCPS Safe Automation book (CCPS, 1993b) discuss the design requirements of SIS and SIF in detail and specify the life cycle
requirements (specification, design, commissioning, validation, maintenance
and testing) to achieve the desired PFD. Important design details include the
following:
S!Fs that are functionally independent from the BPCS. Measurement
devices, logic processors, and final control elements used for a SIF are
isolated from similar devices in the BPCS, except where signals can be
shared without sacrificing the PFD of the SIF.,
A safety system logic solver (typically comprising multiple redundant
processors, redundant power supplies, and a human interface) that
processes several (or many) safety.instrumented functions.
Extensive use of redundant components and signal paths. Redundancy can be achieved in several ways. The most obvious is to install
multiple sensors or multiple final elements (e.g., valves) for the same
service. Diverse technologies will reduce common cause failure for
redundant components. Examples 6.9 and 6.10 provide methods by
which redundancy is added to a system other than by just replicating
system components.
Use of voting architectures and logic that are tolerant of failures of
some components without the effectiveness of the SIS being compromised and without causing spurious trips of the process.
Use of self-diagnostics to detect and communicate sensor, logic solver,
and final control element faults. Such diagnostic coverage can reduce
the mean time to repair failed S!Fs to only a few hours. Internal testing
of the multiple logic solvers can occur many times a second.
A deenergized to trip philosophy where a low PFD is required.
Each of the S!Fs will have its own PFD value based on
the number and type of sensors, logic solvers, and final control elements; and
the time interval between periodic functional tests of system components.
The risk reduction performance of a SIF is defined in terms of its PFD.
International standards have grouped S!Fs for application in the chemical

6.5. Examples of IPLs

99

process industry into categories called Safety Integrity Levels (SILs). These
are defined as:
SIL 1 PFD 2: 1 x 10-1 to <1 x 10-2 [!EC 61511 (!EC, 2001)]. These SIFs are
normally implemented with a single sensor, a single SIS logic
solver and a single final control element.
SIL 2 PFD 2: 1 x 10-2 to <1 x 10-3 These SIFs are typically fully redundant
from the sensor through the SIS logic solver to the final control element.
SIL 3 PFD 2: 1 x 10-3 to <1 x 10-4 These S!Fs are typically fully redundant
from sensor through the SIS logic solver to the final control element and require careful design and frequent proof tests to
achieve low PFD figures. Many companies find that they have a
limited number of SIL 3 S!Fs due to the high cost normally associated with this architecture.
SIL 4 PFD 2: 1 x 10-4 to <1 x 10-5 These S!Fs are included in the !EC 61508
and 61511 standards, but such S!Fs are difficult to design and
maintain and are not used in LOPA.
Draft ISA TR84.0.02 (ISA, 2001) provides guidance to calculate the PFD
for a SIF design or SIF installation.
Example6.9

It is possible to provide redundancy for the detection of the loss of a gas

compressor by using single devices to measure gas flow, amps to the compressor motor, gas pressure drop, etc. All of these can detect the same
event, but in different ways (i.e., they provide diversity as well as redundancy), and are also used for separate reasons for monitoring the process.
However, care must be taken to insure that the signals from these instruments are truly independent (e.g., that they do not all pass through the
same input card).
Example 6.10

It is possible to provide redundancy in valving without adding additional

valves in the main process piping. Such valves can require the installation of
parallel piping for each valve with the associated block valves, etc., to allow
on-line testing to be performed. Such piping systems can be extremely
expensive to retrofit into existing plants. For example, as shown in Figure
6. 6, the heat input to a steam reboiler can be halted either by closing the
steam flow control valve (XV-411) or by opening the vent valve (XV-101) to
reduce the steam chest pressure below that required for boiling the liquid
in the process. The vent valve can be tested on-line by closing the upstream
block valve (which is sealed or locked open when not being tested). These
valves would qualify as redundant systems if:

102

6. Identifying Independent Protection Layers

has ruptured can lead to more complex scenarios. With a relief valve, the
material passes from the vessel through the valve, either directly to the atmosphere or to some form of mitigation system (vent stack, flare, quench tank,
scrubber, etc.) before passing to the atmosphere. The pressure vessel codes
require that relief valves protecting a vessel or system are designed for all
anticipated scenarios (fire, loss of cooling, control valve failure, loss of cooling water, etc.) and do not impose any other requirements. Titis implies that
the relief valve is the only IPL needed for overpressure protection.
The LOPA team or analyst should evaluate the appropriate value for a
relief valve PFD for each service. In particular, relief valves in fouling, corrosive, or two-phase flow, or where freezing of material in the relief header may
occur, can experience conditions that would result in the expected flow not
being achieved. These potential service problems may be overcome by using
nitrogen purges, rupture discs under the valve, heat tracing, installing parallel relief valves to allow on-line inspection and maintenance, and using
DIERS methods for sizing devices for two-phase flow cases as shown in the
CCPS Pressure Relief book (CCPS, 1998b). The characteristics of each system
must be carefully considered when deciding the PFD value claimed for each
service. As human action interacts with relief valve installation and maintenance (designing, installing, testing, use of block valves, etc.) and is known"to
result in error, the effective PFD in a LOPA analysis for these devices is usually higher than might otherwise be anticipated.
Relief systems are intended to provide protection against overpressure,
but the relief flow is eventually sent to the atmosphere. Titis may result in
additional scenarios (e.g., toxic cloud, flammable cloud, environmental
release) depending on the material, the types of control, and environmental
protection systems (flares, scrubbers, etc.). The LOPA analyst must determine the frequency of the consequence of the new scenario with the relief
device IPL operating as intended and determine if other IPLs may be needed
to meet the risk tolerance criteria (see Chapter 8). The risk of overpressure
may be tolerable, but the frequency of environmental release from the relief
valve may be higher than desired.
Additional scenarios could involve leakage of the relief valve or the failure of the relief valve to close after a demand.

103

6.5. Examples of/Pl.s

Human IPLs
Human IPLs involve the reliance on operators, or other staff, to tak~ action to
prevent an undesired consequence, in response to al~ or follm.vmg a r?utine check of the system. The effectiveness of humans m i:ierf?rmmg ~ou~e
and emergency tasks has been the subject of several publications (G_mdelznes
for Preventing Human Error in Process Safety; ~CPS 1994b, ru:1d Swam 19831.
Overall, human performance is usually considered less re.hab~e than engineering controls and great care should be taken when cons1dermg the e!~ec
tiveness of human action as an IPL (see Table 6.5). However, not crediting
human actions under well-defined conditions is too conservative. The general requirements for crediting human action as an IPL are the same as those
discussed in Section 6.3, but are often described in different terms. Human
action should have the following characteristics:
The indication for action required by the operator must be detectable.
The indication must always be:
~available for the operator,
~ clear to the operator even under emergency conditions,
~ simple and straightforward to understand.
. .
The time available to take the action must be adequate. Titis mcludes
the time necessary to decide that action is require~ and the tim~ necessary to take the action. The longer the time available for action, the

TABLE 6.5

Examples of Human Action IPLs*

Comments

IPL

Assuming adequate documentation,

h'aining and testing procedures

PFDfrom
Literature and

PFDUsedin

Industry

(For screening)

This Book

Human action
with 10 minutes
response time.

Simple well-documented action

with clear and reliable indications
that the action is required

1.0-1x101

1 )( 10-1

Human response
to BPCS indication or alarm
with 40 minutes
response time

Simple well-documented action

with clear and reliable indications
that the action is required. (The
PFD is limited by !EC 61511; !EC
2001.)

1 )( 10-1

1 )( 10-1

Human action
with 40 minutes
response time

Simple well-documented action

with clear and reliable indications
that the action is required

1 x 10-1 -1 )( 10-2

(>1 x 101
allowed by !EC)

1 )( 10-1

*Based on Inherently Safer Chemical Processes: A Life Cycle Appn;ac~ (CCPS 1.996b), Handbook of Human
Reliability Analysis with Emphasis. on Nuclear Power Plant Applications (Swa1n 1983).