
Layers of Protection Analysis (LOPA)
OBJECTIVES
• Able to understand layers of protection
• Able to adopt safety measures to prevent accidents
• Able to identify the performance of safety functions
Limitations: helicopter view (an overview of the method, not a detailed design course)


Layers of Protection
What are layers of protection? The basic concept: every safety system is a layer that stands between a hazard and an accident, and every layer has holes, i.e. ways in which it can fail. However, an accident can still develop when the holes in successive layers line up. How do we eliminate the holes?
Safety systems = layers of protection
• Hazards by themselves do not cause an immediate hazardous event.
• A combination of triggering effects, that is an isolated incident or a combination of them, leads a hazard to develop into an accident.
• Safety systems are the layers of protection that prevent a hazard from leading to an accident.
BEAR IN MIND! Safety is ensured through automation.
Consider a storage tank filled with chemical materials. How do we identify all possible hazards?
Hazard and Operability study (HAZOP): systematically examine deviations of the process variables (pressure, temperature, volume) of the chemical materials in the tank.
Layer 1: Process design
Corresponds to the design of the process itself, for example the size of the tanks, valves and pipes.

Layer 2: Basic Process Control System (BPCS)
A system that responds to input signals from the process and its associated equipment, from other programmable systems and/or from an operator, and generates output signals causing the process to operate in the desired manner.
Examples: industrial controllers, control valves, industrial instrumentation, motors, regulators, etc.
Figure: BPCS control loop on the tank of chemical materials (FT: Flow Transmitter, FIC: Flow Indicator Controller)


Layer 3: Critical Alarms
In this layer we find the Human Machine Interface (HMI) and the supervisory systems that present the alarms configured on the system to the operator, who is expected to diagnose the situation and respond in time.
An accident usually happens when there is a flood of alarms: the operator cannot pick out the critical alarm among the nuisance ones before the process variable escapes.
Alarm management is crucial!
Figure: high-level alarm added to the tank (LSH: Level Switch High, LAH: Level Alarm High)
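The alarm-management point above is measurable. The following is an added example (not from the original slides) that runs the ISA-18.2 alarm-flood rule, more than 10 alarm activations in any 10-minute period, over a constructed alarm journal, and also lists chattering tags; the tags, timestamps and the three-alarm chattering threshold are assumptions for illustration:

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed alarm journal (not data from the page): one activation per line,
# "<date> <time> <tag> <message>". A quiet hour is followed by a burst.
ALARM_LOG = """\
2024-03-01 08:00:05 LAH-101 Level high
2024-03-01 08:14:40 TAH-205 Temperature high
2024-03-01 08:31:12 LAH-101 Level high
2024-03-01 08:47:59 PAH-310 Pressure high
2024-03-01 09:02:00 FAL-120 Flow low
2024-03-01 09:02:07 LAH-101 Level high
2024-03-01 09:02:15 TAH-205 Temperature high
2024-03-01 09:02:20 PAH-310 Pressure high
2024-03-01 09:02:31 LAHH-101 Level high high
2024-03-01 09:02:44 FAL-121 Flow low
2024-03-01 09:03:01 TAL-206 Temperature low
2024-03-01 09:03:10 PAL-311 Pressure low
2024-03-01 09:03:28 LAL-102 Level low
2024-03-01 09:03:40 FAH-122 Flow high
2024-03-01 09:04:02 TAH-207 Temperature high
2024-03-01 09:04:19 PAH-312 Pressure high
""".splitlines()

FLOOD_WINDOW = timedelta(minutes=10)
FLOOD_THRESHOLD = 10   # ISA-18.2: more than 10 alarms in 10 minutes is an alarm flood


def parse_alarm(line):
    """Split one journal line into (timestamp, tag, message)."""
    date, time, tag, message = line.split(" ", 3)
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), tag, message


def find_alarm_floods(lines, window=FLOOD_WINDOW, threshold=FLOOD_THRESHOLD):
    """Sliding-window flood detector.

    Returns [(burst_start, alarm_count)] for every distinct burst in which
    more than `threshold` alarms fall inside a `window`-long interval.
    """
    events = sorted(parse_alarm(line) for line in lines if line.strip())
    recent = deque()      # timestamps currently inside the window
    floods = []           # [burst_start, count] per burst
    in_flood = False
    for ts, _tag, _msg in events:
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) > threshold:
            if not in_flood:
                in_flood = True
                floods.append([recent[0], len(recent)])
            else:
                floods[-1][1] += 1      # burst continues: count this alarm too
        else:
            in_flood = False
    return [(start, count) for start, count in floods]


def chattering_tags(lines, min_count=3):
    """Tags that re-alarm repeatedly; candidates for deadband or delay tuning."""
    counts = Counter(parse_alarm(line)[1] for line in lines if line.strip())
    return {tag: n for tag, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for start, count in find_alarm_floods(ALARM_LOG):
        print(f"alarm flood from {start}: {count} alarms")
    print("chattering:", chattering_tags(ALARM_LOG))
```

The same window logic runs unchanged on a live alarm feed if the journal lines are read from the historian instead of the constant above; the point of the rule is that an operator's ability to act, not the alarm's own setpoint, is what the third layer relies on.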


Layer 4: Safety Instrumented System (SIS)
The SIS is the last preventive safety layer, acting when the control system and the operator response prove insufficient.
The SIS is placed to automate emergency actions.
It activates when a critical process variable exceeds specified limits.
Automatic = no operator action required.
SIS = passive + "sleepy": it does nothing to the process during normal operation and may sit dormant for months, so it must work the first time it is called upon (see the low demand mode below).
Figure: independent high-high level switch added to the tank (LSHH: Level Switch High High)


Layer 5: Active Protection
It usually includes relief devices that are used to reduce the impact of a catastrophic failure of equipment and/or minimize the effects of any uncontrolled event.
These relief devices are used as emergency devices and are not used for normal process control.
Figure: relief valve added to the tank (PRV: Pressure Relief Valve)
Layer 6: Physical Protection
A diked area is an area shut in by contours of concrete or a physical barrier that could contain oil, fuel, water or any liquid.
Figure: dike around the tank, in addition to the loop, alarms, LSHH and PRV of the previous layers
Layer 7: Plant Emergency Response
Seeks to eliminate or reduce vulnerability to threats through the measures necessary to guarantee the survival of those involved, directly or indirectly, and to reduce the cost of damage to furnishings and equipment.
Layer 8: Community Emergency Response
Refers to the rational process by which society prepares to deal with the consequences of natural events or of man-made events.
To sum up, from the outermost layer inward:
Dike → Relief devices → Safety Instrumented System → Critical Alarms → BPCS → Process Design
Figure: an example of a full P&ID
Safety Instrumented System (SIS), Safety Instrumented Function (SIF), Safety Integrity Level (SIL)
Safety Instrumented System (SIS)
"Safety instrumented systems are designed to respond to conditions of a plant, which may be hazardous in themselves, or if no action were taken could eventually give rise to a hazardous event. They must generate the correct outputs to prevent or mitigate the hazardous event."
The ANSI/ISA-84.00.01-2004 (IEC 61511) standard (Ref. 1)
SIS: a system composed of sensors, logic solvers and final elements designed for the purpose of:
• Automatically taking a process to a safe state when specified conditions are violated;
• Permitting a process to move forward in a safe manner when specified conditions allow (permissive functions);
• Taking action to mitigate the consequences of an industrial hazard.
Safety Instrumented Function (SIF)
A set of equipment intended to reduce the risk due to a specific hazard. It includes elements that detect that an accident is imminent, decide to take action, and then carry out the action needed to bring the process to a safe state.
SIF examples:
• Close the outlet valve in a separation unit to prevent high pressure from going downstream, which might result in vessel rupture and explosion.
• Open the coolant flow valve to prevent column rupture due to over-temperature.
• Close the connection valve to isolate reactants to prevent unit overpressure when reverse flow is detected.
• Close the valve to stop material flow into a tank to prevent spillage if high level is detected, which might result in environmental damage.
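The last SIF example above, a high-level trip on a tank, as an added worked example that is not part of the original slides. It shows the detect / decide / act structure with three redundant level transmitters voting 2oo3 and an inlet block valve as the final element. The tags (LT-101A/B/C, XV-101), the 90% setpoint, the de-energise-to-trip wiring and the degradation policy on a faulted channel are assumptions chosen for illustration:

```python
from dataclasses import dataclass
from typing import Optional

# Assumed trip setpoint, % of span (not from the page).
LSHH_SETPOINT = 90.0


@dataclass(frozen=True)
class LevelTransmitter:
    tag: str
    level_pct: Optional[float]   # None = bad quality (out of range, comms loss)


def decide_2oo3(transmitters, setpoint=LSHH_SETPOINT):
    """Detect + decide. Returns (trip, votes, faulted_channels).

    Healthy channels at or above the setpoint vote for a trip; a trip needs
    two votes. A channel with bad quality is removed from the vote and the
    voting degrades (2oo3 -> 1oo2 -> 1oo1). With no healthy channel left the
    function trips, because the SIS must fail to the safe state.
    """
    healthy = [t for t in transmitters if t.level_pct is not None]
    faulted = len(transmitters) - len(healthy)
    votes = sum(1 for t in healthy if t.level_pct >= setpoint)
    if not healthy:
        return True, votes, faulted
    needed = max(1, 2 - faulted)
    return votes >= needed, votes, faulted


def run_sif(transmitters, setpoint=LSHH_SETPOINT):
    """Act: map the trip decision onto the final element."""
    trip, votes, faulted = decide_2oo3(transmitters, setpoint)
    return {
        "trip": trip,
        "votes": votes,
        "faulted_channels": faulted,
        # De-energise-to-trip: the solenoid holds XV-101 open only while
        # energised, so loss of power also drives the process to the safe state.
        "xv101_solenoid_energised": not trip,
        "xv101_closed": trip,
    }


def demo():
    """Four constructed situations the function must handle correctly."""
    cases = {
        # everything normal: no trip
        "normal": [LevelTransmitter("LT-101A", 60.0),
                   LevelTransmitter("LT-101B", 62.0),
                   LevelTransmitter("LT-101C", 61.0)],
        # one transmitter frozen low (undetected failure): the other two still trip
        "one_stuck_low": [LevelTransmitter("LT-101A", 40.0),
                          LevelTransmitter("LT-101B", 92.0),
                          LevelTransmitter("LT-101C", 93.0)],
        # one channel with bad quality: voting degrades to 1oo2
        "one_bad_quality": [LevelTransmitter("LT-101A", None),
                            LevelTransmitter("LT-101B", 92.0),
                            LevelTransmitter("LT-101C", 70.0)],
        # one spurious high reading: 2oo3 avoids a nuisance trip
        "one_spurious_high": [LevelTransmitter("LT-101A", 95.0),
                              LevelTransmitter("LT-101B", 60.0),
                              LevelTransmitter("LT-101C", 61.0)],
    }
    return {name: run_sif(tx) for name, tx in cases.items()}


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:18s} trip={out['trip']!s:5} votes={out['votes']} "
              f"faulted={out['faulted_channels']}")
```

The two failure-mode cases are the reason a SIF is specified as an architecture and not just a setpoint: a stuck transmitter is a dangerous undetected failure that a single-channel (1oo1) design would silently turn into a missed trip, while a single spiking transmitter would cause a spurious trip in a 1oo3 design.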
SIF vs SIS

SIF                                              | SIS
Refers to a single function, e.g. high pressure  | Refers to all the combined functions that
shutdown, low level shutdown, etc.               | make up the overall system
Most SIFs contain a single input sensor and a    | An SIS contains dozens, hundreds or even
single, or possibly a few, final elements        | thousands of inputs and outputs
Safety Integrity Level (SIL)
The ability of a SIF to detect, decide and act is designated by its Safety Integrity Level (SIL).
SIL is determined for each SIF.

Safety Integrity
Safety integrity is expressed as the probability that the safety related system will satisfactorily perform the required safety function under all stated conditions within a stated period of time when required to do so.

Safety Integrity Level (SIL)
• 4 levels: SIL 1, 2, 3 and 4
• SIL 4 has the highest level of safety integrity
• SIL 1 has the lowest
Safety functions can be required to operate in two modes
Low demand mode
Many such functions are only called upon at a low demand rate (IEC 61508: no more than once per year). Performance is expressed as the average probability of failure on demand (PFDavg).
❑ Anti-lock braking (ABS)
❑ Secondary restraint system (SRS, air bags)

Continuous mode
There are functions which are in frequent or continuous use. Performance is expressed as the probability of a dangerous failure per hour (PFH). (IEC 61508 also distinguishes a high demand mode, demanded more than once per year, which uses the same PFH targets as continuous mode.)
❑ Normal braking
❑ Steering

Table: Safety Integrity Levels and Required Safety System Performance for Low Demand Mode Systems (IEC 61508 targets: SIL 1, PFDavg ≥ 1E-2 to < 1E-1; SIL 2, ≥ 1E-3 to < 1E-2; SIL 3, ≥ 1E-4 to < 1E-3; SIL 4, ≥ 1E-5 to < 1E-4; the risk reduction factor RRF = 1/PFDavg)
Table: Safety Integrity Levels and Required Safety System Performance for Continuous Mode Systems (IEC 61508 targets, per hour: SIL 1, PFH ≥ 1E-6 to < 1E-5; SIL 2, ≥ 1E-7 to < 1E-6; SIL 3, ≥ 1E-8 to < 1E-7; SIL 4, ≥ 1E-9 to < 1E-8)
Example
Consider that a particular SIF is assigned SIL 1.
SIL 1 PFD: 10% (the upper limit of the SIL 1 band). Availability: 90%.
On average, 1 failure out of every 10 demands for that function.
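The SIL bands and the SIL 1 example can be turned into a small calculator. This is an added example, not from the original slides: it classifies a PFDavg or PFH into its IEC 61508 band and estimates the PFDavg of a function from its dangerous undetected failure rate (λDU) and proof-test interval (TI), using the IEC 61508-6 simplified formulas for 1oo1 and 1oo2 architectures that neglect repair time and diagnostics. The failure rate of 1E-6 per hour and the common-cause factor β = 10% in the demo are assumed values for illustration:

```python
# IEC 61508 target failure measures: (SIL, lower bound inclusive, upper bound exclusive)
LOW_DEMAND_PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
CONTINUOUS_PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def _band(value, bands):
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    if value < bands[0][1]:
        return 4       # better than the SIL 4 floor; the standard defines no higher level
    return 0           # worse than SIL 1: no SIL credit can be claimed


def sil_from_pfd(pfd_avg):
    """SIL of a low demand mode function from its average PFD."""
    return _band(pfd_avg, LOW_DEMAND_PFD_BANDS)


def sil_from_pfh(pfh):
    """SIL of a continuous / high demand mode function from its PFH (per hour)."""
    return _band(pfh, CONTINUOUS_PFH_BANDS)


def risk_reduction_factor(pfd_avg):
    return 1.0 / pfd_avg


def availability(pfd_avg):
    return 1.0 - pfd_avg


def pfd_avg_1oo1(lambda_du, ti_hours):
    """Single channel: PFDavg ~= lambda_DU * TI / 2.

    lambda_du in dangerous undetected failures per hour, TI = proof-test
    interval in hours. The function is unavailable, on average, for half the
    interval between the tests that would reveal a dangerous failure.
    """
    return lambda_du * ti_hours / 2.0


def pfd_avg_1oo2(lambda_du, ti_hours, beta=0.1):
    """Two channels, either one trips: independent term ((1-beta)*lambda*TI)^2 / 3
    plus the common-cause term beta * lambda * TI / 2 (beta = fraction of
    failures that hit both channels at once)."""
    independent = ((1.0 - beta) * lambda_du * ti_hours) ** 2 / 3.0
    common_cause = beta * lambda_du * ti_hours / 2.0
    return independent + common_cause


def demo():
    """Assumed lambda_DU = 1e-6 /h; shows how TI and redundancy move the SIL."""
    lam, year = 1e-6, 8760
    return {
        "1oo1, yearly proof test": pfd_avg_1oo1(lam, year),
        "1oo1, 4-yearly proof test": pfd_avg_1oo1(lam, 4 * year),
        "1oo2, beta 10%": pfd_avg_1oo2(lam, year, beta=0.1),
        "1oo2, beta 0 (unrealistic)": pfd_avg_1oo2(lam, year, beta=0.0),
    }


if __name__ == "__main__":
    for name, pfd in demo().items():
        print(f"{name:28s} PFDavg={pfd:.2e}  RRF={risk_reduction_factor(pfd):8.0f}  "
              f"availability={availability(pfd):.4%}  SIL {sil_from_pfd(pfd)}")
```

Two things the demo makes visible that the bands alone do not: stretching the proof-test interval from one to four years drops the same single-channel function from SIL 2 to SIL 1, and for the redundant architecture the common-cause term dominates, so a β of 10% is the difference between a realistic SIL 3 and a paper SIL 4.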
How to determine SIL
Method 1: Risk Matrix
1. Evaluate hazard frequency
2. Evaluate hazard severity
3. Evaluate overall risk (frequency combined with severity) and read the required SIL from the corresponding cell of the matrix
Different criteria are possible to use!
Method 2: Layers of Protection Analysis (LOPA)
Step 1: Tolerable risk
*Similar tables can be developed for tolerable probabilities for different size losses due to environmental impact, lost production downtime, capital equipment, and other events.
Step 2: Initiating event frequencies
These can be either external events (e.g., a lightning strike) or the failure of one of the layers (e.g., a control system valve fails open, leading to the development of a hazardous event).
Numbers may be determined from historical records or failure rate data (which is one form of historical record).
Step 3: Performance of each safety layer
Numbers (the PFD of each independent protection layer) may be determined from historical records or failure rate data.
Numbers can also be obtained from Fault Tree Analysis (FTA).
Only layers that are independent of the initiating event and of each other are credited. The mitigated event frequency is the initiating event frequency multiplied by the PFD of every credited layer; if it exceeds the tolerable risk of Step 1, the ratio between the two is the risk reduction factor a new layer must provide, which fixes its SIL.
Discussion time
Initial narration
A vessel is used to store hexane, a combustible material. The level in the vessel is controlled by a level controller which operates a valve. If the vessel is overfilled, hexane will be released through a liquid vent and be contained within a dike. A hazard analysis was performed and it was determined that the level controller might fail, liquid might be released outside of the dike, an ignition source might ignite the hexane, and there might be a possible fatality. The organization wanted to determine whether the existing facility would meet their corporate risk criteria or, if any changes were required (such as adding a stand-alone safety system), how extensive the changes would need to be.
Scenarios
The organization established a yearly tolerable risk limit for a fire of 1E-4 and
1E-5 for a fatality. The initiating event for this scenario would be a failure of
the control system, which was estimated at 1E-1. The only existing safety
layer would be the dike, which had an estimated PFD of 1E-2. Alarms and
operator action were not accounted for because, in this instance, the control
system was the initiating event, therefore no alarms would be generated. The
organization took a conservative view that if material was released outside of
the dike, the likelihood of it finding an ignition source would be 100%.
However, the area was not always manned. The probability of someone being
in the area was estimated at 50%. The probability of someone in the area
actually being killed by a fire, as opposed to merely injured, was estimated at
50%.
Questions
1. Draw the event tree diagram for the hazard
2. Determine the probability of fire. Does it meet the corporate risk criterion
for fire?
3. Determine the probability of fatality. Does it meet the corporate risk
criterion for fatality?
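A worked solution of the three questions, which also carries the LOPA steps above (tolerable risk, initiating event frequency, layer performance) through to a required SIL. This is an added example and not part of the original slides; every figure in it is taken from the scenario text, and the event tree is evaluated as a chain in which each stage either arrests the scenario or lets it progress, with alarms not credited because the control system is itself the initiating event:

```python
# Figures from the scenario: per-year tolerable limits, initiating event
# frequency, and the conditional probabilities of each stage.
TOLERABLE_PER_YEAR = {"fire": 1e-4, "fatality": 1e-5}
F_INITIATING = 1e-1      # level control system fails, per year

# (label reached if the stage does NOT arrest the scenario, probability of progressing)
STAGES = [
    ("release outside dike", 1e-2),   # dike PFD: the only existing independent layer
    ("fire", 1.0),                    # ignition assumed certain (conservative)
    ("person present", 0.5),          # area manned half the time
    ("fatality", 0.5),                # killed rather than injured
]


def event_tree(f_initiating, stages):
    """Walk the tree. reached[label] = frequency with which the scenario gets
    past that stage; stopped[label] = frequency with which it is arrested there."""
    reached, stopped = {}, {}
    freq = f_initiating
    for label, p_progress in stages:
        stopped[label] = freq * (1.0 - p_progress)
        freq *= p_progress
        reached[label] = freq
    return reached, stopped


def render_tree(f_initiating=F_INITIATING, stages=STAGES):
    """Question 1: a text rendering of the event tree."""
    reached, stopped = event_tree(f_initiating, stages)
    lines = [f"initiating event (control failure): {f_initiating:.1e}/yr"]
    for depth, (label, p) in enumerate(stages, start=1):
        pad = "  " * depth
        lines.append(f"{pad}|- {label} (p={p}): {reached[label]:.2e}/yr")
        lines.append(f"{pad}`- no {label}: {stopped[label]:.2e}/yr (safe)")
    return lines


def assess(f_initiating=F_INITIATING, stages=STAGES, tolerable=TOLERABLE_PER_YEAR):
    """Questions 2 and 3: compare each consequence with its tolerable limit
    and work out the risk reduction a new, independent layer would have to add."""
    reached, _ = event_tree(f_initiating, stages)
    out = {}
    for consequence, limit in tolerable.items():
        f = reached[consequence]
        out[consequence] = {
            "frequency": f,
            "tolerable": limit,
            "meets_criterion": f <= limit,
            "required_rrf": max(1.0, f / limit),   # risk reduction still missing
            "required_pfd": min(1.0, limit / f),   # PFD the added layer must reach
        }
    return out


def governing_pfd(assessment):
    """The tightest required PFD across all consequences sizes the new layer."""
    return min(v["required_pfd"] for v in assessment.values())


def required_sil(pfd):
    """IEC 61508 low demand band for a required PFDavg."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


if __name__ == "__main__":
    print("\n".join(render_tree()))
    result = assess()
    for consequence, r in result.items():
        print(f"{consequence}: {r['frequency']:.2e}/yr vs {r['tolerable']:.0e}/yr "
              f"-> {'meets' if r['meets_criterion'] else 'FAILS'}; "
              f"RRF needed {r['required_rrf']:.0f}, PFD <= {r['required_pfd']:.2g}")
    pfd = governing_pfd(result)
    print(f"new independent layer must reach PFD <= {pfd:.2g}: SIL {required_sil(pfd)}")
```

Both criteria fail: fire at 1E-3/yr against 1E-4 needs a risk reduction of 10, and fatality at 2.5E-4/yr against 1E-5 needs 25. The fatality criterion governs, so the stand-alone safety system would have to deliver a PFD of at most 0.04, which lands in the SIL 1 band but near its demanding end; in practice the installed function should be checked against the required PFD itself, not just the band.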
