Procedia Engineering 84 (2014) 12–22
ISSN 1877-7058
© 2014 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/3.0/).
Peer-review under responsibility of scientific committee of Beijing Institute of Technology
doi: 10.1016/j.proeng.2014.10.405
Available online at www.sciencedirect.com (ScienceDirect)
2014 ISSST, 2014 International Symposium on Safety Science and Technology
Layer of Protection Analysis
Ronald J. WILLEY
Department of Chemical Engineering, Northeastern University, Boston, Mass., 02115, USA
Abstract
A process hazard analysis (PHA), such as a Hazard and Operability Study (HAZOP), is a useful tool in identifying potential hazard scenarios; however, a PHA can only give a qualitative indication of whether sufficient safeguards exist to mitigate the hazards. Layer of Protection Analysis (LOPA) is a risk management technique commonly used in the chemical process industry that can provide a more detailed, semi-quantitative assessment of the risks and layers of protection associated with hazard scenarios. LOPA allows the safety review team an opportunity to discover weaknesses and strengths in the safety systems used to protect employees, the plant, and the public. LOPA is a means to identify the scenarios that present the most significant risk and determine if the consequences could be reduced by the application of inherently safer design principles. LOPA can also be used to identify the need for safety instrumented systems (SIS) or other protection layers to improve process safety. This paper provides a brief overview of the technique and is intended for a novice interested in the basic principles involved.
Keywords: safety management; LOPA; SIS
Nomenclature
AIChE American Institute of Chemical Engineers, 120 Wall St., Fl 23, New York, NY 10005-4020
CCPS Center for Chemical Process Safety, associated with AIChE.
ESD emergency shutdown
$f_i^C$ the frequency of the consequence, yr$^{-1}$ or hr$^{-1}$
IEF initiating event frequency, yr$^{-1}$ or hr$^{-1}$
IPL independent protection layer
LOPA layer of protection analysis
PFD average probability of failure to perform upon demand (used in low demand mode)
PFH average probability of dangerous failures per hour (used in a high demand mode)
RRF risk reduction factor; RRF is the reciprocal of PFD
SIF safety instrumented function
SIL safety integrity level
SIS safety instrumented system
1. Introduction
Adoption of Layer of Protection Analysis (LOPA) began in the chemical process industry in the late 1990s. Arthur Dowell [1, 2] and William Bridges [3], among others, began implementing the technique in their companies and consultancies as a method that captures the main concepts of independent protective safety systems without requiring a high degree of quantitative analysis. As the method became more widely used in the United States and Europe, guidelines began to be issued by the AIChE Center for Chemical Process Safety (CCPS) [4]. Other international agencies and codes such as the International Electrotechnical Commission (IEC) [5, 6] and the International Society of Automation (ISA) [7] began to reference LOPA as a method for determining the required safety integrity level (SIL) for safety instrumented systems (SIS). This paper highlights the practice of LOPA. It is directed to the novice who may wish to apply a layer of protection analysis to a facility and would like a general overview of the methodology.
2. Background
2.1. Overview
LOPA is a risk assessment methodology which uses simplified, conservative rules to define risk as a function of both frequency and potential consequence severity. LOPA is defined as a simplified risk assessment of a one cause - one consequence pair [8]. Companies have developed their own protocols for application of LOPA principles within their risk management systems. A variety of approaches are employed, which could use order-of-magnitude, half order-of-magnitude, or decimal math. For simplicity, this paper will use the order-of-magnitude math originally shown in [4].
Conceptually, LOPA is used to understand how a process deviation can lead to a hazardous consequence if not interrupted by the successful operation of a safeguard called an independent protection layer (IPL). An IPL is a safeguard that can prevent a scenario from propagating to a consequence of concern without being adversely affected by either the initiating event or by the action (or inaction) of any other protection layer in the same scenario.
Fig. 1, copyrighted by the CCPS-AIChE, serves as an outline of the concept of layers of protection. Safety protection of a facility or chemical plant is broken down into layers. Seven layers are shown in Fig. 1 and are generally applied beginning at the center of the diagram.
- Layer 1: Process design (e.g. inherently safer designs);
- Layer 2: Basic controls, process alarms, and operator supervision;
- Layer 3: Critical alarms, operator supervision, and manual intervention;
- Layer 4: Automatic action (e.g. SIS or ESD);
- Layer 5: Physical protection (e.g. relief devices);
- Layer 6: Physical protection (e.g. dikes);
- Layer 7: Plant emergency response; and, not shown in Fig. 1,
- Layer 8: Community emergency response [9].
LOPA can be represented mathematically using the following computational equation, which multiplies the frequency of an initiating event by the probabilities that each independent protection layer will fail to perform its intended function (adapted from [8]):
Fig. 1. Layers of Protection (©AIChE-CCPS) Adapted from Reference [4].
$f_i^C = \mathrm{IEF}_i \times \mathrm{PFD}_{i1} \times \mathrm{PFD}_{i2} \times \cdots \times \mathrm{PFD}_{ij}$   (1)
where:
$f_i^C$ = frequency of the consequence occurring for scenario i. Typical units are per year (low demand) or per hour (high demand).
$\mathrm{IEF}_i$ = frequency of the initiating event for scenario i. Typical units are per year.
$\mathrm{PFD}_{ij}$ = probability of failure on demand of independent protection layer j for scenario i.
2.2. IEF initiating event frequency
An initiating event is a failure that starts a sequence of events that, if not interrupted by the successful operation of a layer of protection, results in a hazardous outcome. Examples of common initiating events include mechanical failure, operator error, and control loop failure.
The initiating event frequency relates to how often a failure or error that can cause a consequence of concern is expected to occur. For example, runaway exothermic reactions due to loss of cooling can occur in batch reactor vessels. Let's say that there are experienced operators and that company history indicates that this event happens at a frequency of once every 10 years. The IEF of this event is therefore 0.1/yr.
2.3. PFD - probability of failure upon demand
Failure on demand occurs when a safety system is called upon to react following an initiating event but fails to react. For example, the reactor system has an emergency quench water system piped to the reactor in the event of a runaway. A runaway occurs, and the quench system is called upon to take action. This is considered a demand. Further, it is established, either by separate testing or by plant history, that this quench system will successfully operate when demanded 9 times out of 10. This implies that it fails only one time out of 10. The risk reduction factor, RRF, is 10 (RRF = 1/PFD). The PFD for this system will be 0.1.
2.4. IPL independent protection layer and underlying assumption in the analysis
Part of the assessment is to determine if each layer is independent. For example, if more than 2 safety layers depend upon plant electrical power, they are not independent. If the power goes out, the plant has to shut down, and safety layers depending upon electricity are rendered useless. This simultaneous failure mode is referred to as common cause failure. Part of the analysis should lead the safety engineer to evaluate failsafe modes. For example, which way should valves fail should power cease? A typical rule of thumb is that any cooling stream control valve should fail open and any heating stream control valve should fail closed. Process feed valves require more thought, and sometimes these can fail in place. If there is a safety instrumented system (SIS) and it is considered part of the protection layer (such as layer number 4 in the example that follows), the SIS must be electrically independent of layer number 2, which includes the basic control system.
2.5. Auditability of a safety protection system
Each layer in a safety protection system must have the ability to be audited. In other words, the layer must be placed under a demand situation and tested for reliability. The testing period of these different layers will vary. For example, major relief valves within a system are typically tested on three- to five-year cycles. On the other hand, a flammable gas detector might be tested every month. The testing frequency is specified to maintain the reliability of the IPL at the PFD required of it in the LOPA.
2.6. Is the IPL operating in low demand or high demand?
The definitions of low demand and high demand can be confusing. The latest guidance is that an IPL is in low demand mode if it is challenged less than 1/yr. If, however, the IPL is challenged more frequently than once a year, it is operating in high demand mode. Let's take an example of cooling water failure leading to high temperature in a reactor. Assume that there is a high temperature interlock on the reactor that shuts down feeds on high temperature, and it meets the criteria of an IPL. If the cooling water fails less than 1/yr, the high temperature interlock is challenged no more than 1/yr, and it is in low demand mode. In this case, the initiating event frequency is the failure frequency of cooling water to the reactor. If, however, the cooling water fails 2/yr, then the high temperature interlock is challenged more often than 1/yr, and it is operating in high demand mode. For this scenario, the initiating event frequency is NOT the frequency of cooling water failure. Rather, the IEF is the failure rate of the IPL being challenged, in this case the high temperature interlock. It is important to understand whether IPLs are operating in high demand mode, and this example illustrates the benefits of reducing initiating event frequencies, perhaps through improved design and maintenance, such that IPLs are able to operate in low demand mode.
2.7. $f_i^C$, frequency of the consequence occurring for a scenario
The frequency of a hazardous consequence occurring as a result of a scenario is the value being determined by this analysis. Scenario frequencies calculated by LOPA can be expressed in a variety of ways, such as the frequency of loss-of-containment events per year or fatalities per year.
The frequency of the scenario is a semi-quantitative, often order-of-magnitude, estimate of the frequency of a specific consequence from an incident. Examples of major incidents include a reactor rupture, a toxic gas release into the environment, a major fire on site, or an explosion. The frequency of consequence is never exactly 0 for any of these incidents; even the most well-designed and operated facilities have some level of residual risk. The tolerable risk values selected often range from $10^{-4}$ to $10^{-6}$ per year. Risk matrices are often used to guide the safety engineers as to which portions of the hazard analysis should be followed through with a LOPA. Fig. 2 is an example of a risk matrix, which indicates the risk tolerance criteria for various categories of scenarios, depending on their severity. Note the categories low, medium, serious, and high. The more serious the consequence, the lower the tolerable frequency and the more protection layers needed. Companies develop their own risk tolerance criteria and would generally assign a tolerable risk frequency, or a required number of IPLs, to each category of potential consequence.
Fig. 2. An example risk matrix from [10].
3. Application to a batch reactor system
Let's examine LOPA as applied to a batch reactor manufacturing ortho-nitroaniline from ammonia and ortho-nitrobenzene.
The LOPA steps involved are (taken directly from reference [2]):
(1) Identify impact events, determine the type of impact (people, environment, property), and classify for severity.
(2) List the causes for each impact event.
(3) Estimate the frequency of each initiating cause.
(4) List independent protection layers for each cause - consequence pair.
(5) Determine the probability of failure on demand (PFD) for each IPL.
(6) Calculate the mitigated event frequency for each cause - consequence pair by multiplying the initiating event frequency by the PFD of each applicable IPL.
(7) Compare the mitigated event frequency to the criteria for tolerable risk. If the risk criteria are not met, can an additional IPL be added? Can the SIL of the SIS be improved? Can the process be redesigned? [2]
In my example, let's imagine that we want to prevent a reactor rupture similar to the catastrophe that occurred near St. Louis, MO, USA in 1969 [11]. Figs. 3 and 4 show photographs from the event. This was a reactor used to conduct an exothermic reaction. Looking at Fig. 2, we can see that a LOPA should be performed on such a process due to the potential for hazardous scenarios to occur. The actual event shown was the result of mismanagement of a change. Many batches of ortho-nitroaniline were made previously without incident. A feed system associated with the reactor then required a repair. During this repair, plant management removed a layer of protection, and a runaway reaction occurred. Using this incident as guidance, let's examine some of the layers of protection that can be used in the prevention of a batch reactor exothermic runaway.
Fig. 3. Plant destroyed by a rupture of a batch reactor, 1969 [11].
Fig. 4. Reactor destroyed by an over pressurization event [11].
LOPA Step 1: The severity is serious to high. Over $1,000,000 in damage can result. Personnel on the property such as operators are at risk of losing their lives. Finally, if the reactor contains a toxic material and it is released into the community, the environment and surrounding properties may be adversely affected. Based on these potential consequences, let's assume that the company's tolerable risk frequency for such an event is no more often than $10^{-5}$/yr.
LOPA Step 2: The scenario of interest is a reaction whose temperature or temperature rise rate is exceeding some critical value. For the actual batch reactor incident shown in Fig. 3, the point of no return of 188°C was exceeded, leading to vessel overpressure. Fig. 4 is the reactor shell, or autoclave, after the accident. For this example, let's assume that the initiating event was a human error in failing to properly control the feed amount of the limiting reactant to the reactor, such that a distinct concentration increase of the limiting reactant occurs that accelerates the intrinsic rate of reaction (and the rate of heat generation) by a factor of 2.5 times.
3.1. Initiating event frequency
LOPA Step 3: In this case, we will assume that 80 batches are run each year, and the probability of a human error which could result in a runaway reaction is 0.01 per opportunity. The initiating event frequency would then be 80 batches * 0.01 = 0.8/yr. (In order-of-magnitude LOPA, this would be rounded to 1/yr.) Since the IPLs are expected to be challenged no more than once per year, these IPLs are operating in low demand mode. (However, consider the situation where production rates increase, and 120 batches per year are now produced. The initiating event frequency would increase to 1.2/year, and the first IPL to be challenged would be in high demand mode. In this case, the initiating event frequency of the scenario would not be the human error frequency. Rather, it would be the failure rate of the first IPL challenged.)
LOPA Step 4: We will stay focused on one cause - one consequence in this example. The consequence would be a rapid temperature rise rate/pressurization rate that results in a ruptured vessel, the batch reactor. (It is important to clearly define the consequence to ensure that the IPLs selected protect against the specific consequence of concern. For example, a relief device may be effective in preventing a vessel rupture but would not prevent a release of material to the atmosphere.)
LOPA Step 5: PFD for each layer is discussed below.
3.2. Layer 1: Process design
Good process design provides a system that is robust and can prevent or tolerate deviations in operating conditions. The principles of inherently safer design can be employed to reduce the potential consequence of a scenario, such as to lessen the concentration or quantity of a hazardous material in the process. In the runaway described, there is no information to indicate that any process design elements merit LOPA credit. For this example, I will use a PFD of 1.0 for this layer.
3.3. Layer 2: Basic controls, process alarms, operator supervision
The safety engineer must look at the basic control system and process alarms to ensure that they are reliable. Generally, a PFD no lower than 0.1 is taken for a basic process control system control loop action or operator response to alarm; otherwise, IEC 61511 [5] requires that it be designed, installed, and managed as a safety instrumented system. In this case, the feed system was being repaired. We will therefore assume that the process feed control loop was not operating and the PFD for this layer is 1.0.
3.4. Layer 3: Critical alarms, operator supervision, and manual intervention
One of the critical parameters being monitored in an exothermic reaction is the rate of temperature rise. It is important to avoid a condition where the temperature rise occurs exothermically past a point of no return (the point of runaway, or the point where the heat generated exceeds the heat removal rate by cooling systems and vaporization). Critical alarms can be programmed to provide the operator with the rate of temperature rise and allow the operator to make changes such as increasing cooling water flow. A temperature rise rate alarm, set to go off when the temperature exceeds some predetermined value based on engineering and thermal calorimetric measurements, could add an important layer of protection. It is possible that this layer of protection could have a PFD of 0.1. However, recall that an IPL must be independent of the initiating event. Since an operator failure was the initiating event for the runaway scenario, LOPA credit cannot be given for the same operator responding to a process alarm. Therefore, the PFD would be 1.0 for an operator response to alarm for this incident.
3.5. Layer 4: Automatic action, SIS or ESD
This layer implies that there is a safety instrumented system or an emergency shutdown device that does not depend upon any operator interaction. A common example is seen in burners for boilers. Should a flameout occur, photo detectors are present that automatically shut down the gas flow in microseconds. This prevents leakage of uncombusted fuel into the furnace. For an exothermic batch reactor, several safety instrumented systems can be considered. One example is a diluent charge that can be triggered to enter the reactor automatically. The diluent absorbs much of the heat being generated. This type of prevention of an exothermic reaction is also called shortstop [12]. In the example of the runaway reactor, we will assume that the system has a safety instrumented system (SIS) loop which opens a valve and charges quench water to the reactor upon high temperature. The loop is designed with a safety integrity level (SIL) of 1 and is assigned a PFD of 0.1.
3.6. Layer 5: Physical protection (relief devices)
This is often a key protection layer. For example, nearly all vessels must have a relief device. Vessel codes make this a requirement, and it is with good reason. It is a last line of defense that has prevented many vessels from rupturing. This brings up another fundamental concept in layer of protection analysis. The IPL must react quickly enough to open in time to prevent the consequence (vessel rupture). As quoted from reference [8]:
"Each safeguard credited as an IPL in LOPA must be effective at executing its function faster than the process degrades in order to prevent the ultimate consequence of concern." [8]
In the incident presented above, the relief system consisted of a rupture disk followed by a relief valve. It had the appropriate diameter, and, with good mechanical integrity, it would have relieved the reactor pressure and prevented the rupture. However, in this case, the relief system wasn't maintained and the rupture disk formed a small pinhole leak over years of use. The operators were not aware of this. Material leaked between the rupture disk and relief device, increasing the pressure in the interstitial space. The result was a compound relief system that required 2 times the overpressure within the reactor before the rupture disk would open. This lesson is often cited as a reason to include a pressure sensing device between the rupture disk and the relief valve when using a compound relief system. Although a relief device is generally very reliable and often merits a PFD of 0.01, this relief device would receive no credit because it was not maintained properly.
3.7. Layer 6: Physical protection (dikes)
This layer is often not applicable to a runaway reaction scenario. However, some consideration should be given to an inadvertent loss of material within the reactor to the surrounding process area. Would a dike or berm placed around the reactor provide an advantage by containing a spill from the reactor? Dikes can often be IPLs when preventing a spill from impacting surrounding groundwater; however, they may not prevent a toxic gas cloud in the event of a spill. Can the mixture be prevented from entering the plant sewer lines, as another example? Analyzing further, if the mixture did enter the sewer lines, would it result in toxic effects to aquatic life? For the example of a runaway reaction in this paper, I will use a PFD of 1.0 for this layer.
3.8. Layer 7: Plant emergency response
The reactor used in my example incident was part of a very large chemical complex. It had on-site emergency response teams such as a fire brigade and personnel trained in search and rescue. The quicker that trained professionals can reach an incident, the less likely a severe outcome will occur. In the particular incident used above, no one was killed; however, four operators had to be rescued. This emphasizes the need for continued training of plant emergency response personnel as well as all personnel on site. Should an event occur, personnel should know where the muster points are located and, if necessary, understand alternatives should the muster point be threatened. For a batch reactor experiencing a runaway, emergency response will generally be too late to prevent the rupture and is generally not credited in LOPA. Thus, I will use a PFD of 1.0.
3.9. Layer 8: Community emergency response
This is a layer that one does not want to depend upon to mitigate a hazardous scenario. If this layer is "demanded," it means that the incident has grown beyond the plant site and outside assistance is required. It is critical that emergency response exercises include community representatives such as the fire department, the ambulance rescue team, and related emergency response personnel. The tragedy in West, Texas, USA [13] demonstrates an example of an emergency response where the responders did not understand the nature of material located within the burning fertilizer plant. Sadly, 12 community fire fighters lost their lives. They were not aware of the hazards of fighting a fire where piles of ammonium nitrate existed. This should be a reminder that all safety personnel (internal and external to the plant site) must be fully aware of the main hazards within any chemical plant. Because of these factors, community emergency response is generally not credited in LOPA, and a PFD of 1.0 will be used for this layer.
LOPA Step 6: Calculate the mitigated frequency
The frequency of a runaway reaction due to operator error in controlling feed rates, with an out-of-service feed control loop and an impaired relief system, would be:
$f_i^C = \mathrm{IEF}_i \times \mathrm{PFD}_{i1} \times \mathrm{PFD}_{i2} \times \cdots \times \mathrm{PFD}_{ij}$
$f_i^C = 1.0 \times 1.0 \times 1.0 \times 1.0 \times 0.1 \times 1.0 \times 1.0 \times 1.0 \times 1.0 = 0.1$/yr
The risk of a rupture in the example would be once every 10 years. Clearly, this is unacceptable and does not meet the example risk tolerance level of $10^{-5}$/yr.
LOPA Step 7: Compare the mitigated frequency to the risk tolerance level
In this case, the risk tolerance level for a runaway reaction leading to vessel rupture is $10^{-5}$/yr. Thus, the risk must be decreased by four additional orders of magnitude for the risk to be tolerable. How can this be achieved?
1. The system could be operated only when the automated feed system is functional. The initiating event for the scenario would then be control system failure, which could have an initiating event frequency of 0.1/yr.
2. The integrity of the SIS loop which activates a quench system upon high temperature could be upgraded to SIL 2, which could decrease the PFD to 0.01.
3. Properly tested and maintained, and with a pressure gauge monitoring the interstitial space between the rupture disk and the relief valve to detect leaks, the relief system PFD could decrease to 0.01.
The revised frequency of a runaway reaction would then be:
$f_i^C = 0.1 \times 1.0 \times 1.0 \times 1.0 \times 0.01 \times 0.01 \times 1.0 \times 1.0 \times 1.0 = 0.00001$/yr, or $10^{-5}$/yr.
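The batch reactor calculation of Steps 3 to 7, carried out in code as an added example that is not part of the paper: it applies Eq. (1) with the independence rules of Sections 2.4 and 3.4 (no credit for a layer that relies on the operator whose error is the initiating event), the common-cause rule between layers as a conservative assumption of this example (only the strongest layer among those sharing a support system is credited), the low/high demand test of Section 2.6 and order-of-magnitude rounding, then compares the as-found and revised results with the $10^{-5}$/yr criterion. The layer names, the "operator" and "control system" dependency labels and the function names are assumptions made for this example.

```python
"""Order-of-magnitude LOPA for one cause - one consequence scenario, Eq. (1).
Added example, not the paper's code. Credit rules as the paper describes them:
a layer sharing a dependency with the initiating event gets PFD 1.0 (no credit);
layers sharing a support system are not independent of each other (assumed
rule: only the strongest of them is credited); and the scenario is flagged as
high demand when the first layer is challenged more than once per year."""
import math
from dataclasses import dataclass


@dataclass
class InitiatingEvent:
    description: str
    frequency_per_year: float
    depends_on: frozenset = frozenset()   # e.g. {"operator"} for a human-error IE


@dataclass
class ProtectionLayer:
    name: str
    pfd: float                            # PFD claimed for the layer; 1.0 means no credit
    depends_on: frozenset = frozenset()   # resources the layer needs in order to act


def round_to_order_of_magnitude(x: float) -> float:
    """Order-of-magnitude LOPA rounding: 0.8/yr becomes 1/yr, 0.012 becomes 0.01."""
    return 10.0 ** round(math.log10(x))


def demand_mode(challenge_rate_per_year: float) -> str:
    """Low demand if the first layer is challenged no more than once per year."""
    return "low" if challenge_rate_per_year <= 1.0 else "high"


def credited_pfds(ie: InitiatingEvent, layers: list) -> dict:
    """Apply the independence rules and return the PFD actually credited per layer."""
    # An IPL must be independent of the initiating event: the operator whose
    # error started the scenario cannot also be credited for the alarm response.
    credited = {l.name: (1.0 if l.depends_on & ie.depends_on else l.pfd) for l in layers}
    # Common-cause check between layers (e.g. two layers that both need plant power):
    # assumed conservative rule, keep the lowest PFD and void the others.
    for i, a in enumerate(layers):
        for b in layers[i + 1:]:
            if a.depends_on & b.depends_on and credited[a.name] < 1.0 and credited[b.name] < 1.0:
                credited[(a if a.pfd >= b.pfd else b).name] = 1.0
    return credited


def evaluate(ie: InitiatingEvent, layers: list, tolerable_per_year: float) -> dict:
    """Mitigated frequency, demand mode, and the orders of magnitude still missing."""
    iev = round_to_order_of_magnitude(ie.frequency_per_year)
    credited = credited_pfds(ie, layers)
    freq = iev
    for pfd in credited.values():       # f_i^C = IEF_i x PFD_i1 x ... x PFD_ij
        freq *= pfd
    shortfall = max(0, math.ceil(round(math.log10(freq / tolerable_per_year), 6)))
    return {
        "iev_per_year": iev,
        # In high demand mode the paper says the IEF becomes the failure rate of
        # the first IPL challenged, so "high" means this product is not the answer.
        "demand_mode": demand_mode(ie.frequency_per_year),
        "credited_pfd": credited,
        "mitigated_frequency": freq,
        "orders_of_magnitude_short": shortfall,
        "tolerable": shortfall == 0,
    }


TOLERABLE_PER_YEAR = 1e-5   # company criterion for a vessel rupture used in the paper


def batch_reactor_as_found() -> dict:
    """Section 3 as found: operator feed error, feed loop under repair, impaired relief."""
    ie = InitiatingEvent("operator feed error, 80 batches/yr x 0.01 per batch",
                         80 * 0.01, frozenset({"operator"}))
    layers = [
        ProtectionLayer("L1 process design", 1.0),
        ProtectionLayer("L2 basic control (feed loop under repair)", 1.0),
        ProtectionLayer("L3 critical alarm, operator response", 0.1, frozenset({"operator"})),
        ProtectionLayer("L4 SIS quench, SIL 1", 0.1),
        ProtectionLayer("L5 relief system (pinholed rupture disk)", 1.0),
        ProtectionLayer("L6 dike", 1.0),
        ProtectionLayer("L7 plant emergency response", 1.0),
        ProtectionLayer("L8 community emergency response", 1.0),
    ]
    return evaluate(ie, layers, TOLERABLE_PER_YEAR)


def batch_reactor_revised() -> dict:
    """Step 7 options: automated feed (IEF 0.1/yr), SIL 2 quench, maintained relief."""
    ie = InitiatingEvent("feed control loop failure", 0.1, frozenset({"control system"}))
    layers = [
        ProtectionLayer("L1 process design", 1.0),
        ProtectionLayer("L2 basic control", 1.0, frozenset({"control system"})),
        ProtectionLayer("L3 critical alarm, operator response", 1.0),
        ProtectionLayer("L4 SIS quench, SIL 2", 0.01),
        ProtectionLayer("L5 relief system with interstitial pressure gauge", 0.01),
        ProtectionLayer("L6 dike", 1.0),
        ProtectionLayer("L7 plant emergency response", 1.0),
        ProtectionLayer("L8 community emergency response", 1.0),
    ]
    return evaluate(ie, layers, TOLERABLE_PER_YEAR)
```

`batch_reactor_as_found()` reproduces the 0.1/yr result and reports a four-order-of-magnitude shortfall; `batch_reactor_revised()` lands on $10^{-5}$/yr, and raising the batch rate to 120/yr in the as-found case flips `demand_mode` to "high".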
Fig. 5 provides a visual depiction of the layers discussed above for the batch reactor.
Fig. 5. Summary of LOPA mapping for a batch reactor with several layers of protection.
Note: Layer 6 (dike) is not relevant. Layers 7 and 8, plant and community response, are usually not included in LOPA.
Clearly, sufficient layers of protection had not been in place in the ortho-nitroaniline plant accident. Where there is the potential for serious events, it is important to have sufficient, diverse independent layers of protection to prevent hazardous consequences such as a reactor runaway.
4. Summary
The LOPA method allows safety engineers to understand the risks of their processes, the independent layers of protection that are in place, and where additional risk reduction is needed to achieve tolerable risk. It allows for relative comparisons of the risks of different plants and processes. The LOPA methodology also points out the significance of the initiating event frequency and illustrates the benefits of basic process designs that apply principles of inherent safety. For example, use of a continuous reactor instead of a batch reactor could reduce the toxic inventory in the process and decrease potential safety, environmental, and monetary consequences.
This paper provided a high-level overview of the basic methodology for novices. For more information, the reader is urged to consult CCPS LOPA books or attend additional training to understand the tool in more depth.
[Fig. 5 content, as far as it can be recovered from the figure text: an event tree starting from the IEF (exceeding the critical reaction temperature) at 0.1 yr$^{-1}$ and passing through Layer 1 (basic design), Layer 2 (controls, alarms, supervision), Layer 4 (SIS or ESD) and Layer 5 (relief device). The branch probabilities shown are 0.0 / 1.0 for the uncredited layers and 0.99 / 0.01 for the SIS and the relief device. Success branches are labelled "reactor temp controlled", "emergency cooling comes on, reaction ceases" and "emergency shutdown works, reaction ceased"; the relief device branch ends in "release" (device opens) or "rupture" at $10^{-5}$ yr$^{-1}$ (device fails). Layer 1 carries the annotation "inherently safe reactor: heat of reaction is always removed".]
Acknowledgements
The author acknowledges the ISSST organizing committee for their support in attending ISSST 2014. The author also acknowledges Ms. Kathleen Kas, The Dow Chemical Company, for helpful review and comments.
References
[1] Dowell, A. M., 1997, "Layer of protection analysis: a new PHA tool, after HAZOP, before fault tree analysis", Int Conf and Workshop on Risk Analysis in Process Safety.
[2] Dowell, A. M., 1999, "Layer of Protection Analysis and Inherently Safer Processes", Process Safety Progress, 18, 214-220.
[3] Bridges, W. G. and Williams, T. R., 1997, "Risk acceptance criteria and risk judgment tools applied worldwide within a chemical company", Int Conf and Workshop on Risk Analysis in Process Safety.
[4] AIChE, 2001, Layer of Protection Analysis: Simplified Process Risk Assessment, Center for Chemical Process Safety and John Wiley & Sons, New York, New York.
[5] 2003, International Standard IEC 61511-1, Functional safety: Safety instrumented systems for the process industry sector, IEC, Geneva, Switzerland.
[6] 2010, International Standard IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, International Electrotechnical Commission, Geneva, Switzerland.
[7] 2005, International Society of Automation, "Guidelines for the Implementation of ANSI/ISA 84.00.01-2004 (IEC 61511)", ISA TR84.00.04, Research Triangle Park, NC.
[8] 2014, Guidelines for Initiating Events and Independent Protection Layers, Wiley, New York.
[9] Mannan, S., 2005, Lees' Loss Prevention in the Process Industries, Volumes 1-3: Hazard Identification, Assessment and Control (3rd Edition), Elsevier Butterworth Heinemann, New York, NY.
[10] Blanco, R. F., 2014, "Understanding Hazards, Consequences, LOPA, SILs, PFD, and RRFs as related to Risk and Hazard Assessment", Process Safety Progress, 33, 208-216.
[11] Vincent, G. C., 1971, "Rupture of a Nitroaniline Reactor", Loss Prevention.
[12] Dakshinamurthy, D., Khopkar, A. R., Louvar, J. F. and Ranade, V. V., 2004, "CFD Simulations to Study Early Short Stop of Runaway Reaction in Stirred Vessel", J. Loss Prevention in the Process Industries, 15, 355-364.
[13] 2013, West Fertilizer Explosion and Fire, The U.S. Chemical Safety Board, http://www.csb.gov/west-fertilizer-explosion-and-fire-/, Accessed 11 July 2014.
Cited by

Article (full text available). Citation contexts referring to this paper:
"... In LOPA, these safeguards are termed independent protection layers (IPL), which are expected to perform or fail independently of the conditions of the initial event or other IPLs. The LOPA method has been referenced in documents from the Center for Chemical Process Safety (CCPS), International Electrotechnical Commission (IEC), International Society of Automation (ISA) and Institute of Electrical and Electronics Engineers (IEEE), with suggested failure rates for various types of components and subsystems (Willey, 2014). ..."
"... The frequency of a consequence, f_i for scenario i with initial event frequency f_i0 [per year] and n IPLs, is described in Eq. 4 (Willey, 2014). Tolerable risk ranges for f_i are often set around 10^-4 to 10^-6 occurrences per year: ..."
"... The frequency of the ETA initial event from one failure mode can be described by the following equation (Willey, 2014): ..."
Abstract: The International Renewable Energy Agency predicts that with current national policies, targets and energy plans, global renewable energy shares are expected to reach 36% and 3400 GWh of stationary energy storage by 2050. However, the IRENA Energy Transformation Scenario forecasts that these targets should be at 61% and 9000 GWh to achieve net zero carbon emissions by 2050 and limit the global temperature rise within the twenty-first century to under 2 °C. Despite widely known hazards and safety design of grid-scale battery energy storage systems, there is a lack of established risk management schemes and models as compared to the chemical, aviation, nuclear and petroleum industries. Incidents of battery storage facility fires and explosions have been reported every year since 2018, resulting in human injuries and millions of US dollars in loss of assets and operation. Traditional risk assessment practices such as ETA, FTA, FMEA, HAZOP and STPA are becoming inadequate for accident prevention and mitigation of complex energy power systems. This work describes an improved risk assessment approach for analyzing safety designs in the battery energy storage system incorporated in large-scale solar to improve accident prevention and mitigation, by incorporating a probabilistic event tree and systems-theoretic analysis. The causal factors and mitigation measures are presented. The risk assessment framework presented is expected to benefit the Energy Commission, the Sustainable Energy Development Authority and the Department of Standards in determining safety engineering guidelines and protocols for future large-scale renewable energy projects. Stakeholders and utility companies will benefit from improved safety and reliability by avoiding high-cost asset damage and downtime due to accident events.
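The frequency relation the citing authors quote from Willey (2014) (Eq. 4: the consequence frequency is the initiating-event frequency multiplied by the probability of failure on demand of each credited IPL, then judged against a tolerable frequency of roughly 10^-4 to 10^-6 per year) carried through as an added Python example. This is not code from the paper or from the citing article. The scenario values, the double-crediting check, and the mapping from required risk reduction factor to an IEC 61511 low-demand SIL band are assumptions made for illustration.

```python
"""LOPA frequency arithmetic: added worked example, not code from Willey (2014).

Assumptions: f_i = f_i0 * (conditional modifiers) * prod(PFD_j), the IEC 61511
low-demand SIL bands by risk reduction factor (SIL 1: RRF 10 to <100, SIL 2:
100 to <1000, SIL 3: 1000 to <10000, SIL 4: 10000 to <100000), and constructed
scenario values that are illustrative rather than taken from the paper.
"""
from dataclasses import dataclass, field


@dataclass
class IPL:
    """An independent protection layer credited in the scenario."""
    name: str
    pfd: float  # probability of failure on demand, must satisfy 0 < pfd < 1


@dataclass
class Scenario:
    name: str
    initiating_cause: str        # the first failure, e.g. a BPCS control loop
    initiating_frequency: float  # f_i0, events per year
    conditional_modifiers: dict = field(default_factory=dict)  # e.g. {"ignition": 0.5}
    ipls: list = field(default_factory=list)


def credits_are_independent(s: Scenario) -> bool:
    """The one independence rule that can be checked mechanically: no layer is
    credited twice, and no layer is the very device whose failure started the scenario."""
    seen = {s.initiating_cause}
    for ipl in s.ipls:
        if ipl.name in seen:
            return False
        seen.add(ipl.name)
    return True


def mitigated_frequency(s: Scenario) -> float:
    """Consequence frequency f_i (per year) after crediting every IPL."""
    if not credits_are_independent(s):
        raise ValueError(f"{s.name}: an IPL is credited twice or is the initiating cause")
    f = s.initiating_frequency
    for p in s.conditional_modifiers.values():
        f *= p
    for ipl in s.ipls:
        if not 0.0 < ipl.pfd < 1.0:
            raise ValueError(f"{ipl.name}: PFD must lie in (0, 1), got {ipl.pfd}")
        f *= ipl.pfd
    return f


def required_rrf(s: Scenario, tolerable_frequency: float) -> float:
    """Risk reduction factor still needed to meet the tolerable frequency (1.0 if already met)."""
    return max(1.0, mitigated_frequency(s) / tolerable_frequency)


def sil_for_rrf(rrf: float):
    """Map a required RRF to the SIL band a new safety instrumented function must meet.

    None: no further layer needed. 0: a non-SIL layer (RRF below 10) suffices.
    1..4: the IEC 61511 band. 5: the gap exceeds SIL 4; redesign the process instead.
    The achieved PFD of the chosen SIF still has to be verified against 1/rrf.
    """
    if rrf <= 1.0:
        return None
    sil = 0
    while sil < 5 and rrf >= 10 ** (sil + 1):
        sil += 1
    return sil


def evaluate(s: Scenario, tolerable_frequency: float) -> dict:
    rrf = required_rrf(s, tolerable_frequency)
    return {"mitigated_frequency": mitigated_frequency(s), "required_rrf": rrf,
            "sil": sil_for_rrf(rrf)}


# Constructed scenario (not from the paper): loss of level control on a flammable solvent tank.
EXAMPLE = Scenario(
    name="solvent tank overfill",
    initiating_cause="BPCS level loop",
    initiating_frequency=0.1,                 # one BPCS loop failure per ten years
    conditional_modifiers={"ignition": 0.5},  # probability the release finds an ignition source
    ipls=[IPL("high-level alarm with operator response", 0.1)],
)
TOLERABLE = 1e-5  # per year, inside the 1e-4 to 1e-6 range quoted above

# Constructed counter-example: the failed BPCS loop wrongly credited as its own protection layer.
DOUBLE_COUNTED = Scenario("overfill, double counted", "BPCS level loop", 0.1, {},
                          [IPL("BPCS level loop", 0.1)])

if __name__ == "__main__":
    print(evaluate(EXAMPLE, TOLERABLE))
    print("independent credits:", credits_are_independent(DOUBLE_COUNTED))
```

With the constructed numbers the mitigated frequency is 0.1 × 0.5 × 0.1 = 5 × 10^-3 per year, a gap of 500 to the 10^-5 target, so an added safety instrumented function would have to meet SIL 2; tightening the target to 10^-6 pushes the same scenario to SIL 3, which is the point at which the paper's argument for inherently safer design (removing the initiating cause or the inventory) starts to beat adding layers.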
Article. Citation contexts referring to this paper:
"... A valid barrier is supposed to be auditable throughout the life cycle regarding its functional performance (Øie et al., 2014). Over recent decades, many techniques have been proposed to implement barrier performance evaluation, such as Bow-tie analysis (de Ruijter and Guldenmund, 2016), the Layer of Protection Analysis (LOPA) (Willey, 2014), Reliability Block Diagram (RBD) (Metatla and Rouainia, 2022), and Monte Carlo simulation (Zhao et al., 2019). As with the industrial application, many standards, guidance and management tools associated with safety barriers have also been developed, which are summarized in Table 1. ..."
"... The techniques involved in Table 2 are mostly developed on the basis of graph theory (de Dianous and Fievez, 2006; Øie et al., 2014; Zhao et al., 2019), systems theory (Willey, 2014; Ma et al., 2022a; Sultana and Haugen, 2023), and probability theory (Misuri et al., 2021; Misuri et al., 2022). Risk control techniques based on systems theory are applicable for elucidating the interaction mechanisms between human-related risks and risk control measures, but they predominantly rely on qualitative methods. ..."
Deng, W., Qiao, W., Ma, X., Han, B., "A novel methodology to evaluate criticality and sensitivity of safety barrier based on multi-agent interaction network", Expert Systems with Applications (2023).
Conference Paper (full text available). Citation context referring to this paper:
"... The Layers of Protection Analysis (LOPA) [9] is a semiquantitative risk evaluation method that builds on a hierarchy of controls (as shown in Figure 6). Several safety systems or controls are arranged in a format from more effective and protective to less effective or reliant on human behavior. ..."
Abstract: Artificial intelligence is set to transform the mining and construction industries by providing greater insights that will eventually create a safer, more productive, and reliable environment. However, integrating autonomous technology and equipment in the field is still a complex task that necessitates a detailed safety study, analysis, identification, and mitigation of hazards. Before any autonomous operation can be realized, a safety plan needs to be executed by the technology provider and the site operator and/or subcontractors. This plan must be regularly assessed during the development and implementation phases of the technology on site. The purpose of this paper is to provide an introduction to a safety framework and workflow developed and followed by SafeAI for the application of its autonomous technology in construction and mining.
Article (full text available). Citation context referring to this paper:
"... [9] The LOPA is a traditional technique to estimate the risks by defining a cause-consequence scenario and the likelihood of the undesired consequence occurring. [10] This article uses the LOPA to compare and illustrate technological advancements and associated risks between AI and IA. This involves identifying multiple layers of protection against potential hazards, corresponding to the development of AI in each layer of protection. ..."
Abstract: The growth of artificial intelligence (AI) has allowed industries to automate and improve their efficiency in operations. Especially in process industries, AI helps to develop intelligent models and tools to proactively monitor and predict equipment or system failures, minimize downtime, and optimize maintenance schedules. With the advancements in AI and its ability to perform tasks, there is a growing belief that AI may eventually replace humans. However, the absence of human involvement in operations in the process industry raises safety concerns. Therefore, AI should collaborate with humans rather than replace them in processing facility operations. This technology is referred to as intelligence augmentation (IA). This article (i) presents a detailed comparison between AI and IA's potential in process systems, (ii) identifies the feasibility of using AI and IA in process safety, and (iii) identifies the risk associated with the implementation of AI or IA in process industries.
Chapter. Citation context referring to this paper:
"... The IEC 61508 standard describes several methods of allocating the required SIL [7][8][9][10][11]. Some are of qualitative types (the risk graph [8], the criticality grid [9], etc.) and others are quantitative (LOPA: Layer Of Protection Analysis [12,13]). ..."
Abstract: The purposes of this chapter are to introduce existing engineering frameworks for documentation and modelling of SCPS, and to explain how functional concepts currently play an important but not fully developed role in design and operation.
Conference Paper. Abstract: It is common sense that it is better to prevent than to cure. The same applies to the oil and gas industry, whose stakeholders have recently coined the expression "learn from normal work" to highlight that there are other ways than only learning from accidents. The International Association of Oil and Gas Producers (IOGP) has recently issued a report showing how to implement the concept in oil and gas installations (IOGP, 2023). The Energy Institute (EI) has chosen to call the concept "learning before incidents", and has also issued some material, including videos (EI, 2022). The IOGP guideline points to several tools to learn from normal work. Two of them are frequently requested and assessed by the Brazilian oil and gas regulator (ANP) auditors during their safety audits: walk-through (or VCP, verification of conformities with procedures) and human reliability analysis. Human reliability analysis is a methodology that proposes to systematically consider human factors in risk analysis. By not adopting a method to consider the context in which the workforce is inserted, risk analysis participants tend to issue opinions based only on common sense (Raio et al., 2018). Validated human reliability analysis methods are a better option because they were created by engineers, psychologists and sociologists and consider data from scientific experiments on how human error can be triggered by various factors in the context of the task performed (Kirwan, 2017). In the Brazilian oil industry, the human reliability analysis methodology is still not used on a large scale. Although clearly stated by ISO 31010 as the right technique to assess human factors in risk analysis, the failure to use it might possibly be due to the lack of knowledge dissemination or clarity in safety regulation, which stated that "the methodology of risk analysis should consider human factors" (ANP, 2007). This has prompted the regulator to change the text in the new regulation still under public consultation (ANP, 2022). Usually, in existing installations, the probability of human error is considered when using the LOPA (layer of protection analysis) methodology (Willey, 2014), which considers the human error probability fixed and immutable, when the most appropriate would be to consider the probability according to the task performed and the context in which the worker is inserted. This relationship between context and task factors that can influence human performance is the most important basis of all human reliability analysis methods (those accepted by safety regulatory bodies and scientifically validated). Popular and scientifically acceptable methods can be found in the publication of the UK safety regulator, HSE (Bell & Holroyd, 2009). The methods with the greatest potential for application in the oil and gas industry, according to the criteria used by Ramos et al. (2020), are (in order of greatest suitability for the oil and gas industry): Phoenix-PRO (high suitability), Petro-HRA (high), CREAM (high), SPAR-H (medium), HEART (medium), ATHEANA (medium) and THERP (low).
Abstracts of cited works

[11] Vincent (1971): This article provides a technical explanation which resulted from an investigation of the W. G. Krummrich nitroaniline plant, Sauget Village, Illinois explosion. The basic cause of the accident was found to be a normal reaction proceeding at too high a rate, which, in turn, was caused by the high reaction temperature. Other potential causes are also discussed.

[2] Dowell (1999): Layer of Protection Analysis (LOPA) is an effective way to determine the required Safety Integrity Level (SIL) for Safety Instrumented Systems (SIS) based on the risk of the undesired event. This paper extends the LOPA concepts presented in previous papers to show the effect of inherently safer features. Inherently safer features in a process design can reduce the required SIL of the SIS, or can eliminate the need for the SIS, thus reducing the cost of installation and maintenance. The discussion includes how to estimate the risk reduction for some inherently safer features. Maintenance requirements and management of change issues for some inherently safer features are included.

[10] Blanco (2014): This article is intended for any engineer, supervisor, or manager who does not specialize in process safety engineering. It presents the concept of layers of protection analysis, safety integrity level (SIL) and its relationship to probability of failure on demand (PFD) and the related risk reduction factors (RRFs). Novel SIL/PFD/RRF graphics are presented to help the reader understand the concepts involved. An example using a safety instrumented function for a gas-fired boiler is also used to help the reader understand the concepts. © 2014 American Institute of Chemical Engineers, Process Saf Prog, 2014.

[12] Dakshinamurthy et al. (2004): Mixing an inhibitor to neutralize a runaway reaction is known as shortstopping. The conventional approach of using a completely mixed flow (CMF) model is inadequate for developing satisfactory operating protocols to prevent runaway reactions. In the present work, we use a computational fluid dynamics (CFD) based model to understand the role of imperfect mixing on shortstopping of a runaway reaction in a fully baffled stirred reactor. A multiple reference frame (MRF) approach is used to simulate the flows generated by a standard Rushton turbine in a stirred vessel. The computational model is then extended to simulate the simultaneous runaway and inhibition reactions. Laminar volumetric reactions are modeled by using a user-defined function. The computational model is solved using FLUENT 6.2 (of Fluent Inc., USA). The model predictions are used to understand the local runaway and quenching of runaway reactions in a vessel under the conditions of imperfect mixing. The influence of delayed addition of the inhibitor, location of addition (including multiple locations), and quantity of inhibitor added are used to study the shortstopping performance. The computational model and the results discussed in this work are useful for understanding the effect of the mixing process on the inhibition process and for developing operating protocols for preventing runaways in stirred reactors.