GCPS 2015

Impacts of Process Safety Time on Layer of Protection Analysis

Geoffrey Barnard, P.E., CFSE
aeSolutions
Anchorage, AK
geoff.barnard@aesolns.com

William Creel, CFSE
aeSolutions
Greenville, SC
william.creel@aesolns.com

Prepared for Presentation at
American Institute of Chemical Engineers
2015 Spring Meeting
11th Global Congress on Process Safety
Austin, Texas
April 27-29, 2015

UNPUBLISHED

AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications

Keywords: Layer of Protection Analysis (LOPA), Independent Protection Layer (IPL),
Process Safety Time (PST), IPL Response Time (IRT)

Abstract
The ability of an Independent Protection Layer (IPL) to achieve a given level of risk reduction is
dependent upon its fulfillment of several core attributes. A key provision for any IPL to be
considered effective and functionally adequate is its capability to respond to a process demand
quickly enough to stop the propagation of the hazard scenario it was designed to prevent. While
this seems obvious and reasonable, the estimation of Process Safety Time and the specification of
IPL Response Times are more complex, and often deferred or overlooked altogether.

What is Process Safety Time? How is it determined? When? And by whom? This paper examines
the relationship between Process Safety Time and IPL Response Times, essential variables for the
justification of IPL effectiveness, and their impacts on the success of Layer of Protection Analysis
(LOPA).

1. Introduction
Layer of Protection Analysis (LOPA) is a semi-quantitative risk assessment technique commonly
used to evaluate the likelihood of process hazards and determine the necessary Independent
Protection Layers (IPLs) to reduce the risk of a given consequence to a tolerable level. Though
many variations of LOPA have been developed in the years since its introduction, recent efforts
by industry have focused on development of more universally accepted criteria for selecting and
validating the assumptions and numerical values used in studies. The recent publication of the
CCPS Guidelines for Enabling Conditions and Conditional Modifiers [1], and Guidelines for
Initiating Events and Independent Protection Layers [2] have greatly expanded upon the guidance
in the original LOPA text [3] while refining and reinforcing necessary considerations.

One particularly important area of expansion is in the definitions surrounding the timeline of a
hazard scenario. Before seeking to define any aspects or requirements of a particular protection
layer it is important to first understand how the unmitigated hazard scenario develops and how
quickly.

2. Hazard Scenario Timeline

2.1 What is Process Safety Time?
According to the CCPS Guidelines for Safe and Reliable Instrumented Protective Systems, Process
Safety Time (PST) is:

“the time period between a failure occurring in the process or its control system
and the occurrence of the hazardous event.” [4]

This is consistent with the definition found in the Guidelines for Initiating Events and Independent
Protection Layers [2] as well as other industry standards applicable to the design of active
protective systems.

IEC 61511:2003 Part 2: “the time period between a failure occurring in the process
or the basic process control system (with the potential to give rise to a hazardous
event) and the occurrence of the hazardous event if the safety instrumented function
is not performed” [5].

IEC 61508:2010 Part 4: “period of time between a failure, that has the potential
to give rise to a hazardous event, occurring in the EUC [equipment under control]
or EUC control system and the time by which action has to be completed in the
EUC to prevent the hazardous event occurring” [6].

API 556 second edition, 2011: “the interval between the initiating event leading
to an unacceptable process deviation and the hazardous event” [7].

PST is not a specification, but rather a function of the behavior of the process and process
equipment within the context of a specific unmitigated hazard scenario. PST can be estimated,
calculated, or potentially measured, but by extension of the definitions above PST is necessarily
unique to each cause-consequence pair, even when multiple initiating events may eventually lead
to the same consequence. This is because each initiating event has the potential to impact process
dynamics in different ways. Likewise, a single initiating event may lead to different outcomes due
to inclusion of scenario modifiers, consideration of different operating modes, or consequences
affecting different risk receptors. PST of related but separate scenarios will not necessarily be
equivalent.

Determination of PST is the first step in identifying the time potentially available for all protection
layers to respond and will be useful in specifying the required response time of each. PST is not
dependent upon the parameters that make up the response of any one protection layer. Some
resources in the past have defined PST in terms of the point of activation of a particular IPL. Such
a definition is problematic in that it implies there is a different PST for each IPL, complicating the
evaluation of a scenario as a whole. These resources have attempted to define a means for
estimating the time available for a particular protection layer to take action and affect the process
from a given point of activation, and while this is a worthy endeavor it should not be confused
with Process Safety Time.

2.2 How is Process Safety Time determined?

Unless measured in retrospect after a hazard has occurred, PST would be quite difficult to
determine precisely. The exact conditions under which a hazard scenario may develop are open to
debate, and it is not necessarily useful to consider PST to be a single specific value at which
a hazardous event will immediately occur in all circumstances. Instead, the objective is to estimate
a lower boundary in time at which hazardous potential is likely to exist under worst-case conditions
so that protection layers may be specified and designed with sufficient speed of response for any
credible scenario.

One method for determining PST is to identify the process variable that is most closely associated
with the occurrence of the hazardous event, and its likely value at the time of the hazardous event
or the point at which the hazard can no longer be reliably prevented. There may be considerable
uncertainty associated with the occurrence of the hazardous event, so this may be conservatively
associated with a known design limit of the equipment. For example, loss of containment may be
imminent when pressure continues to rise above the Maximum Allowable Working Pressure
(MAWP). The upper limit of normal operating pressure and the MAWP of the vessel must be
used to estimate PST. The amount of time between these two discrete points in time, initiating
event and hazardous event, depends on the estimated rate of change of the process variable due to
the initiating event.

Figure 1. Timeline of a hazard scenario

Eq. 1

- PST: Process Safety Time, time between Initiating Event and Hazardous Event;
- PVIE: the initial value of the process variable of interest at the time of the Initiating Event,
  may be assumed to be at the extreme of the normal operating range nearest the hazard;
- PVHE: the value of the process variable of interest at the time the Hazardous Event occurs
  or can no longer be prevented, may be assumed to be at the design limit of the equipment;
- PVROC: the estimated Rate of Change of the process variable of interest under worst-case
  credible conditions in the context of the specific hazard scenario.

Each of these three variables will be completely dependent upon the specific process, process
equipment, and even the mode of operation. Certain cases, such as liquid level in a storage vessel,
may be calculated from known operating conditions and design parameters. Other cases, such as
those involving reaction chemistry, may require creation of a process model and consideration of
non-linear rates of change. PST estimates may also be made or assumptions corroborated by
examining actual deviations recorded in the control system’s process data historian.
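The following Python script is an added worked example, not a calculation from the paper or from aeSolutions. It assumes the relationship implied by the variable definitions above: PST is the distance the process variable must travel from PVIE to PVHE, divided by PVROC. It also goes one step beyond the constant-rate case by integrating a rate that depends on the current value of the variable, as the text suggests for reaction chemistry. Scenario names, the exponential runaway model and all process values are constructed sample data.

```python
"""Estimate Process Safety Time (PST) from a scenario's process-variable limits.

Added illustration; not the paper's own calculation. Assumed relationship
(from the definitions of PVIE, PVHE and PVROC in Section 2.2): PST is the time
for the process variable to travel from PVIE to PVHE at the worst-case
credible rate of change PVROC. All numbers below are constructed samples.
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class HazardScenario:
    """One cause-consequence pair; PST is unique to each (Section 2.1)."""
    name: str
    pv_ie: float   # PV at the initiating event: extreme of normal range nearest the hazard
    pv_he: float   # PV at the hazardous event: e.g. a design limit such as MAWP
    pv_roc: float  # worst-case credible rate of change, PV units per minute (sign = direction)


def pst_constant_rate(s: HazardScenario) -> float:
    """PST in minutes when PVROC can be treated as constant over the excursion."""
    travel = s.pv_he - s.pv_ie
    if travel == 0 or s.pv_roc == 0 or (travel > 0) != (s.pv_roc > 0):
        raise ValueError(f"{s.name}: rate of change does not drive the PV toward the hazard")
    return travel / s.pv_roc


def level_rate_of_change(net_inflow_m3_per_min: float, tank_area_m2: float) -> float:
    """PVROC for liquid level in a vertical storage vessel (m/min) from design data."""
    return net_inflow_m3_per_min / tank_area_m2


def pst_variable_rate(pv_ie: float, pv_he: float,
                      rate_of_pv: Callable[[float], float],
                      dt_min: float = 0.001, max_min: float = 1e5) -> float:
    """PST by forward-Euler integration of dPV/dt = rate_of_pv(PV).

    For non-linear behaviour (e.g. a runaway reaction) the rate is not
    constant; step the PV forward until it reaches PVHE. Returns math.inf if
    the excursion stalls or never reaches the hazardous value within max_min.
    """
    direction = 1.0 if pv_he > pv_ie else -1.0
    pv, steps = pv_ie, 0
    while (pv_he - pv) * direction > 0:
        rate = rate_of_pv(pv)
        if rate * direction <= 0 or steps * dt_min > max_min:
            return math.inf  # PV no longer moving toward the hazard, or time budget exhausted
        pv += rate * dt_min
        steps += 1
    return steps * dt_min


# Constructed sample scenarios ---------------------------------------------
# Blocked-outlet overpressure: normal high 150 psig, MAWP 200 psig, 2.5 psig/min.
OVERPRESSURE = HazardScenario("blocked outlet overpressure", 150.0, 200.0, 2.5)

# Tank overfill: level at normal high 8.0 m, overflow at 10.0 m, 5 m3/min net
# inflow into a 10 m2 tank (outflow pump stopped) -> 0.5 m/min.
OVERFILL = HazardScenario("tank overfill", 8.0, 10.0, level_rate_of_change(5.0, 10.0))

# Runaway reaction modelled (assumed) as exponential pressure rise, 5 %/min.
RUNAWAY_K = 0.05


def runaway_pressure_rate(pv: float) -> float:
    return RUNAWAY_K * pv


def scenario_pst_minutes() -> Dict[str, float]:
    """PST for each constructed scenario; the shortest governs IPL design."""
    return {
        OVERPRESSURE.name: pst_constant_rate(OVERPRESSURE),
        OVERFILL.name: pst_constant_rate(OVERFILL),
        "runaway reaction": pst_variable_rate(150.0, 200.0, runaway_pressure_rate),
    }


if __name__ == "__main__":
    for name, pst in scenario_pst_minutes().items():
        print(f"{name:32s} PST = {pst:6.2f} min")
```

The exponential case integrates to ln(200/150)/0.05, about 5.75 minutes, which is well short of the 20 minutes a constant-rate assumption from the same starting point would give; this is the kind of difference a process model exposes that a straight-line estimate hides.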

Once the analysis is complete and PST determined for each scenario, the data and assumptions
will be quite useful for subsequent activities and should be maintained as valuable Process Safety
Information (PSI). Not only is PST useful for protection layer design, but also as a reference for
operations, and for assigning pass/fail criteria for maintenance and testing procedures. Having a
documented PST basis will also be important for revalidation efforts when assumptions are
revisited, and supports Auditability and Management of Change (MOC) – other core attributes of
IPLs.

3. Timing Aspects of IPL Functionality

3.1 What must happen within the Process Safety Time?
Once the PST has been determined and the boundaries of each scenario timeline have been
established, new IPLs may be designed with, or existing safeguards may be evaluated for adequate
and timely functionality. To do so, several additional terms of interest must be assessed that are
related to the individual protection layers. The first of which is the IPL Response Time (IRT):

“the time necessary for the IPL to detect the out-of-limit condition and complete
the actions necessary to stop the progression of the process away from a safe
state.” [2]

IRT encompasses all aspects and components of the IPL that contribute to its effectiveness in
preventing the hazard and should take into account the time to detect the condition (including
measurement lag), determine the appropriate course of action, initiate the necessary action(s), and
complete the action(s). For a simple mechanical IPL, such as a pressure relief valve, the IRT may
be relatively straightforward to determine; however, for instrumented IPLs that are comprised of a
series of complex components, or IPLs involving a human response, the evaluation must consider
a number of variables.

What IRT does not include is the time for the process to react to an IPL action and reach a safe
state. This time period is known as the Process Lag Time (PLT) [2] and is perhaps the variable
with the most uncertainty. Once the IPL has completed its action there may be a period of time
before the action is effective in stopping or reversing the hazardous condition. For each IPL under
consideration, the sum of IRT and PLT must be less than the PST to be considered effective.

Eq. 2

- PST: Process Safety Time, time between Initiating Event and Hazardous Event;
- IRT: IPL Response Time, total time for the IPL to detect the deviation and complete safe
  action;
- PLT: Process Lag Time, time between completion of the IPL’s safe action and the process
  being influenced away from the hazard.

As with PST, PLT is dependent upon the process and the specific equipment and conditions, but
unlike PST, PLT must also consider the characteristics of the IPL action. For example, the PLT
associated with opening a quench water valve to cool a reaction will depend not only on the
dynamics of the reaction and the capacity of the reactor, but also on the flow rate of the cooling
water. A design change in the cooling water system may have minimal impact on IRT, but could
significantly change PLT.

If IRT and PLT are known or can be approximated conservatively, these values can be used to
specify a Maximum Setpoint (MSP) [2] at which the IPL must be activated before losing its ability
to effectively prevent the excursion from violating Safe Operating Limits (SOL). Designing and
specifying IPL response parameters in terms of the safe upper and lower operating limits rather
than equipment design limits is intended to provide a margin of safety before reaching the
hazardous event.

Figure 2. Timeline of IPL response to a hazardous condition, determining MSP

Eq. 3

- MSP: Maximum Setpoint, the maximum value of the process variable of interest at the
  point of IPL activation that allows sufficient time to detect, complete action, and for the
  process to respond;
- PVSOL: the Safe Operating Limit of the process variable of interest;
- PVROC: the estimated Rate Of Change of the process variable of interest under worst-case
  credible conditions in the context of the specific hazard scenario;
- IRT: IPL Response Time, total time for the IPL to detect the deviation and complete safe
  action;
- PLT: Process Lag Time, time between completion of the IPL’s safe action and the process
  being influenced away from the hazard.

Should the value of MSP fall within the normal operating range, it is likely that the IPL is
ineffective and must be redesigned with a shorter IRT, resized or reconfigured for a shorter PLT,
or replaced with an alternative IPL. It would be impractical to take action in response to a normal
operating condition, therefore time that exists between the initiating event and the point at which
a deviation can be reliably detected (i.e. the extents of normal operation) is generally not time
available for an IPL to respond.

When evaluating an existing device or function as an IPL it is most likely that PLT and IRT can
be estimated from the known design parameters, or perhaps records from previous testing. When
practical, measuring IRT under actual process conditions will more accurately reflect performance
during the period of demand, particularly in cases where valves are attempting to close-in lines
with increasing pressure. Using this data the MSP may be specified and the existing setpoint
evaluated against this specification.

However, when new IPLs are proposed it is likely that the IRT and PLT will not be fixed or otherwise
known. The design process must evaluate what capacity is required of the function to minimize
PLT so that an MSP can be specified based on the shortest available PST from all relevant
scenarios, or so that a Maximum Allowable Response Time (MART) [8] can be specified from a
desired point of activation.

Figure 3. Timeline of IPL response to a hazardous condition, determining MART

Eq. 4

- MART: Maximum Allowable Response Time, the maximum total time for an IPL to detect
  the deviation and complete safe action;
- PVSOL: the Safe Operating Limit of the process variable of interest;
- PVSP: the value of the process variable of interest where the IPL is designed to take action;
- PVROC: the estimated Rate Of Change of the process variable of interest under worst-case
  credible conditions in the context of the specific hazard scenario;
- PLT: Process Lag Time, time between completion of the IPL’s safe action and the process
  being influenced away from the hazard.

An evaluation of MSP and/or MART should be incorporated into the design process and used as
a tool to refine IPL specifications and appropriately manage changes over time. MART from a
given setpoint may also be used to develop pass/fail criteria in test procedures to ensure
specifications continue to be met over time and that components have not been adversely affected
by wear-out and fatigue.
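As an added worked example (not code from the paper or from aeSolutions), the Python script below applies the three timing relationships of Section 3.1 to a constructed rising-pressure scenario. It assumes that an IPL is timely when IRT + PLT is less than PST, that MSP is the value of the process variable at activation that still leaves IRT + PLT of travel at PVROC before PVSOL, and that MART from a chosen setpoint is the travel time from PVSP to PVSOL less PLT; these forms follow the variable definitions above but are my reading of them, not the paper's printed equations. The two IPLs, their setpoints and all process values are constructed.

```python
"""Specify IPL response parameters (MSP, MART) from the scenario timeline.

Added illustration; not the paper's own code. Assumed relationships, taken
from the definitions in Section 3.1:
  * an IPL is timely when IRT + PLT < PST;
  * MSP is the PV value at activation that still leaves IRT + PLT of travel
    (at PVROC) before the Safe Operating Limit PVSOL is reached;
  * MART from a chosen setpoint PVSP is the travel time from PVSP to PVSOL
    minus PLT.
Sample numbers are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ipl:
    name: str
    irt_min: float  # IPL Response Time: detect + decide + initiate + complete action
    plt_min: float  # Process Lag Time: action complete -> process influenced away from hazard


def is_timely(pst_min: float, ipl: Ipl) -> bool:
    """The IPL must detect, act and take effect within the Process Safety Time."""
    return ipl.irt_min + ipl.plt_min < pst_min


def maximum_setpoint(pv_sol: float, pv_roc: float, ipl: Ipl) -> float:
    """MSP: latest PV at activation that leaves IRT + PLT before PVSOL.
    pv_roc carries the direction of the excursion (negative for a falling PV)."""
    return pv_sol - pv_roc * (ipl.irt_min + ipl.plt_min)


def max_allowable_response_time(pv_sol: float, pv_sp: float,
                                pv_roc: float, plt_min: float) -> float:
    """MART: time from activation at pv_sp until PVSOL is reached, less PLT."""
    return (pv_sol - pv_sp) / pv_roc - plt_min


def evaluate_setpoint(pv_normal_limit: float, pv_sol: float, pv_roc: float,
                      ipl: Ipl, existing_sp: Optional[float] = None) -> dict:
    """Check an IPL against the scenario.

    pv_normal_limit is the extreme of the normal operating range nearest the
    hazard. If MSP does not lie beyond it, activation would have to occur
    during normal operation and the IPL is judged ineffective (Section 3.1).
    """
    direction = 1.0 if pv_roc > 0 else -1.0
    msp = maximum_setpoint(pv_sol, pv_roc, ipl)
    msp_in_normal_range = (msp - pv_normal_limit) * direction <= 0
    result = {"ipl": ipl.name, "msp": msp, "effective": not msp_in_normal_range}
    if existing_sp is not None:
        beyond_normal = (existing_sp - pv_normal_limit) * direction > 0
        before_msp = (msp - existing_sp) * direction >= 0
        result["setpoint_ok"] = beyond_normal and before_msp
        result["mart"] = max_allowable_response_time(pv_sol, existing_sp, pv_roc, ipl.plt_min)
    return result


# Constructed scenario: rising pressure, normal high 150 psig, SOL 190 psig,
# MAWP 200 psig, worst-case rise 2.5 psig/min (PST to MAWP = 20 min).
NORMAL_HIGH, SOL, MAWP, ROC = 150.0, 190.0, 200.0, 2.5
PST = (MAWP - NORMAL_HIGH) / ROC

SIS_TRIP = Ipl("SIS high-pressure trip", irt_min=5.0, plt_min=3.0)
OPERATOR = Ipl("operator response to alarm", irt_min=15.0, plt_min=3.0)


def assess_scenario() -> List[dict]:
    """Evaluate both constructed IPLs at their existing setpoints."""
    out = []
    for ipl, sp in ((SIS_TRIP, 165.0), (OPERATOR, 160.0)):
        r = evaluate_setpoint(NORMAL_HIGH, SOL, ROC, ipl, existing_sp=sp)
        r["irt_plus_plt_within_pst"] = is_timely(PST, ipl)
        out.append(r)
    return out


if __name__ == "__main__":
    for row in assess_scenario():
        print(row)
```

Note what the operator-response row shows: its IRT + PLT of 18 minutes is less than the 20-minute PST, yet its MSP (145 psig) falls inside the normal operating range, so it cannot be credited as specified. The time between the initiating event and the edge of normal operation is not available to the IPL, which is exactly the point made in the paragraph after Eq. 3.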

3.2 What about multiple IPLs?

The evaluation of scenario timing becomes even more complex when considering the response of
multiple IPLs. The PST of the scenario remains the same, but other aspects of the evaluation will
be specific to each IPL. IPLs that respond more quickly or with stronger influence over the process
may have an MSP much closer to the occurrence of the hazard, thus providing more flexibility when
considering the desired sequence of IPLs.

An overall scenario evaluation that considers the sequence of activation of multiple IPLs may
promote both safety and operability. If it is possible for one or more IPLs to correct the deviation
without a total shutdown or with less severe secondary consequences it may be useful to ensure
these IPLs can activate and influence the process before more drastic measures are required. For
example, an operator response may be able to completely correct a slowly developing high
pressure condition with no loss of production, though an automated shutdown and loss of
production is preferred to a release via the relief system. When multiple safeguards are employed
against a single hazard, a typical sequencing would provide for automatic control, operator
response, orderly shutdown and idle, emergency shutdown and isolation, followed by containment
or mitigation. If typical sequencing is altered or abandoned for any reason, care should be taken
to ensure that additional hazards are not introduced, such as calling for operators to respond to a
deviation that has already developed into an imminent hazard.

Staging the activation of multiple IPLs also has the benefit of reducing the demand rate on
subsequent IPLs. As long as the core attributes are satisfied, IPLs with overlapping response times
are no less valid than those that are sequenced; however, it is a good practice to reduce unnecessary
demands whenever possible. Should an IPL experience frequent demands (e.g. more than once
per year, or more often than twice the test interval) the simplified mathematics of LOPA may need
to be altered, and the IPL would be said to operate in the High Demand Mode [2].

Figure 4. Unsequenced IPL Response Times

Figure 5. Sequenced IPL Response Times

Figures 3 and 4 above illustrate the effect of IPL sequencing on an IPL’s demand rate. Although
their points of activation are sequenced, the response times and process lag times of the IPLs in
Figure 3 overlap. All IPLs in this scenario would experience the same demand rate. After a

shutdown it would be difficult to determine which was ultimately successful and which may have
failed to prevent the hazard in the time expected. However, if it can be shown that an IPL is
capable of detecting the deviation, completing safe action, and successfully influencing the process
before subsequent IPLs are activated, demands experienced by the subsequent IPLs may decrease
dramatically.

4. Guidelines for Determination of Process Safety Time and Specification of IPL Response Parameters

4.1 When should Process Safety Time and IPL Response Time be determined?
Determination of PST and the specification of IPL response parameters should be undertaken to
support claims regarding Functionality, Auditability, and controlled Management of Change as
part of a larger effort to validate each of the core attributes of an IPL. IPL validation may require
an iterative process including the potential to reconvene the LOPA teams, therefore incorporating
IPL validation activities into existing processes in advance of PHA and LOPA revalidations or in
the early stages after a study will facilitate resource management and timely completion.
Procedures developed for IPL validation should include responsibilities, scheduling, and interface
with the PHA and LOPA teams, and guidance for consistent evaluations.

If existing IPLs have not previously been validated, such an effort could begin at any time. In fact,
evaluating existing PHA or LOPA scenarios for PST in advance of a revalidation could reduce the
uncertainty associated with the overall hazard timeline, and allow team time to be focused more
in the evaluation of safeguards and protection layers rather than debating the nature of the hazard.
IRT evaluations could also begin by investigating existing IPLs in the Mechanical Integrity
program. Test procedures and completion records may provide evidence of previously specified
or achieved response times.

The hazard scenario timeline should be considered one of the first steps when designing new
protection layers or justifying existing protection layers. Recalling that PST is not necessarily the
same for each initiating event leading to a particular hazard, the design and validation of IPLs
should consider all scenarios where an IPL is credited. Delaying or deferring such evaluations
increases the risk of purchasing and installing equipment that will not meet response time
requirements, resulting in costly changes or overconfidence that risk tolerance targets have been
met.

4.2 Who should determine Process Safety Time and IPL Response Time?
PST and PLT should be evaluated by an individual or team with specific knowledge of the process,
process equipment, and its operation. Often this may be the unit or project process engineer or
someone working under his or her direction. The evaluation requires access to design
specifications, safe operating limits and other process safety information, and also experience with
the unit operation to ensure assumptions are reasonable and appropriate conclusions are drawn.
Others such as mechanical engineers, maintenance technicians, and operators may also provide
input, especially when issues involve specialized equipment.

Once the PST and PLT have been determined, MART for an IPL can be specified from a given
point of activation, or the MSP can be specified from an estimated IRT. Such evaluations should
be made by the individuals or teams most familiar with the specific design and functional
requirements of each protection layer. Because determination of Process Safety Time and the
specification of IPL response parameters can be quite complex, whatever methods, procedures,
roles, and responsibilities most appropriate for your organization or project should be documented
and communicated to ensure required tasks are carried out and the results are validated prior to
placing the IPLs in service.

4.3 How is uncertainty addressed?

There will undoubtedly be uncertainty associated with the prediction of dynamic process
conditions and it is for this reason that conservative assumptions and appropriate safety margins
must be considered throughout the evaluation. A common rule of thumb has been for an IPL to
respond in less than half the process safety time. This came about as a means of addressing
uncertainty in the process dynamics, measurement uncertainty, measurement lag, as well as the
potential for degraded performance over time; all of which in many cases may be difficult or
impossible to precisely calculate. Such a practice has the benefit of being a simple means to arrive
at a design specification but this may not be appropriate for all situations, especially those where
the PLT may exceed IRT. Instead, a more rigorous evaluation of the scenario timeline should be
performed where some portion of the overall process safety time is allocated to each IPL, and the
IPL response parameters specified within this window. Guidelines for Safe and Reliable
Instrumented Protective Systems [3] recommends designing instrumented IPLs to respond within
50% of their required response time (the portion of PST allocated to the IPL), a more specific and
effective application of this rule of thumb.
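The Python script below is an added example, not code from the paper or from aeSolutions, that ties together the sequencing discussion of Section 3.2 and the allocation approach of Section 4.3. It assumes that each IPL activates when the process variable reaches its setpoint (travelling at PVROC from PVIE), that it has influenced the process IRT + PLT later, that an IPL is "sequenced" when that influence completes no later than the next IPL activates, and that the 50% design target is applied to the response window allocated to each IPL (from its activation to the next activation, or to the Safe Operating Limit for the last IPL) less its PLT. The demand-rate arithmetic is the simplified LOPA form (initiating event frequency multiplied by the PFD of each preceding sequenced IPL) and is my assumption; the IPLs, PFDs and process values are constructed.

```python
"""Allocate the scenario timeline across a sequence of IPLs.

Added illustration; not the paper's own code. Assumptions: each IPL activates
when the PV reaches its setpoint (travel at PVROC from PVIE); it has
influenced the process IRT + PLT later; an IPL is 'sequenced' (Section 3.2)
when that influence completes no later than the next IPL's activation, so
the next IPL sees a demand only if the earlier one fails; the 50 % design
target of Section 4.3 is applied to the window allocated to each IPL (from
its activation to the next activation, or to PVSOL for the last IPL), less
PLT. Numbers are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SequencedIpl:
    name: str
    pv_sp: float    # setpoint: PV value at which the IPL activates
    irt_min: float  # IPL Response Time
    plt_min: float  # Process Lag Time


def travel_time(pv_from: float, pv_to: float, pv_roc: float) -> float:
    """Minutes for the PV to move from pv_from to pv_to at constant pv_roc."""
    return (pv_to - pv_from) / pv_roc


def evaluate_sequence(pv_ie: float, pv_sol: float, pv_roc: float,
                      ipls: List[SequencedIpl], margin: float = 0.5) -> List[dict]:
    """Place each IPL on the scenario timeline and check its allocated window."""
    direction = 1.0 if pv_roc > 0 else -1.0
    ordered = sorted(ipls, key=lambda i: i.pv_sp * direction)  # earliest activation first
    t_sol = travel_time(pv_ie, pv_sol, pv_roc)
    rows = []
    for n, ipl in enumerate(ordered):
        t_act = travel_time(pv_ie, ipl.pv_sp, pv_roc)
        t_done = t_act + ipl.irt_min + ipl.plt_min
        t_next = (travel_time(pv_ie, ordered[n + 1].pv_sp, pv_roc)
                  if n + 1 < len(ordered) else t_sol)
        window = t_next - t_act          # portion of the timeline allocated to this IPL
        mart = window - ipl.plt_min      # MART within that window
        rows.append({
            "ipl": ipl.name,
            "activates_at_min": t_act,
            "activates_in_normal_range": t_act <= 0,   # setpoint at or inside normal range
            "effective_before_sol": t_done < t_sol,
            "sequenced": t_done <= t_next,
            "allocated_mart_min": mart,
            "meets_50pct_margin": ipl.irt_min <= margin * mart,
        })
    return rows


def demand_rates_per_year(ief_per_year: float, rows: List[dict],
                          pfds: List[float]) -> List[float]:
    """Demand rate seen by each IPL in activation order (assumed simplified LOPA
    arithmetic): a demand reaches a later IPL only if every earlier *sequenced*
    IPL fails on demand (its PFD). An unsequenced earlier IPL has not finished
    acting when the next activates, so it does not reduce that demand."""
    rates, reduction = [], 1.0
    for row, pfd in zip(rows, pfds):
        rates.append(ief_per_year * reduction)
        if row["sequenced"]:
            reduction *= pfd
    return rates


# Constructed scenario: rising pressure from normal high 150 psig to SOL 190 psig
# at 2.5 psig/min (16 min to SOL). Same IPLs, two setpoint arrangements.
SEQUENCED = [
    SequencedIpl("operator response to alarm", pv_sp=155.0, irt_min=5.0, plt_min=3.0),
    SequencedIpl("SIS high-pressure trip", pv_sp=175.0, irt_min=1.0, plt_min=3.0),
]
UNSEQUENCED = [
    SequencedIpl("operator response to alarm", pv_sp=160.0, irt_min=5.0, plt_min=3.0),
    SequencedIpl("SIS high-pressure trip", pv_sp=170.0, irt_min=1.0, plt_min=3.0),
]

if __name__ == "__main__":
    for label, ipls in (("sequenced", SEQUENCED), ("unsequenced", UNSEQUENCED)):
        rows = evaluate_sequence(150.0, 190.0, 2.5, ipls)
        rates = demand_rates_per_year(0.5, rows, [0.1, 0.01])
        print(label)
        for row, rate in zip(rows, rates):
            print(f"  {row['ipl']:28s} {row} demand={rate:.3f}/yr")
```

In the sequenced arrangement the operator's action is complete before the trip setpoint is reached, so the trip's demand rate drops from the initiating event frequency to that frequency times the operator PFD; in the unsequenced arrangement both IPLs still prevent the hazard, but they see the same demand rate and neither could be shown afterwards to have been the one that worked. The operator IPL also fails the 50% margin in the sequenced case (IRT of 5 minutes against an allocated MART of 5 minutes), which is the kind of finding that would prompt a wider setpoint spacing or a faster response.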

5. Conclusions
5.1 What does this mean for the end user?
It would be impractical to perform a complete IPL validation in a team setting, therefore
conclusions about the core attributes of an IPL are often drawn during LOPA after a brief mental
evaluation and discussion with little detailed analysis. However, simply specifying a device or
function as an IPL is only the first step. In order to realize and maintain an IPL’s required risk
reduction there should be a formal process to develop and manage documentation validating the
suitability of each IPL for its intended purpose, and supporting evidence that the IPL possesses the
core attributes. Delaying or deferring a complete validation, including Process Safety Time and
IPL Response Time, increases the risk of late design changes or gaps in risk reduction not being
recognized at all. Addressing PST and IRT through a timely and consistent approach promotes
the success of LOPA and facilitates continuous improvement throughout the safety lifecycle.

6. References
[1] CCPS. Guidelines for Enabling Conditions and Conditional Modifiers in Layer of
Protection Analysis. Center for Chemical Process Safety, American Institute of Chemical
Engineers, New York, NY, 2013.
[2] CCPS. Guidelines for Initiating Events and Independent Protection Layers in Layer of
Protection Analysis. Center for Chemical Process Safety, American Institute of Chemical
Engineers, New York, NY, 2015.
[3] CCPS. Layer of Protection Analysis: Simplified Process Risk Assessment. Center for
Chemical Process Safety, American Institute of Chemical Engineers, New York, NY,
2001.
[4] CCPS. Guidelines for Safe and Reliable Instrumented Protective Systems. Center for
Chemical Process Safety, American Institute of Chemical Engineers, New York, NY,
2007.
[5] IEC. IEC 61511 Functional safety – Safety instrumented systems for the process industry
sector, Parts 1–3, edition 1.0. International Electrotechnical Commission, Geneva,
Switzerland, 2003.
[6] IEC. IEC 61508 Functional safety of electrical/electronic/programmable electronic
safety-related systems, Parts 1–7, edition 2.0. International Electrotechnical Commission,
Geneva, Switzerland, 2010.
[7] API. API Recommended Practice 556 Instrumentation, Control, and Protective Systems
for Gas Fired Heaters, second edition. American Petroleum Institute, Washington, DC,
2011.
[8] CCPS. Draft Guidelines for Safe Automation of Chemical Processes, second edition.
Center for Chemical Process Safety, American Institute of Chemical Engineers, New York,
NY, expected publication in 2015.
