Layers of Protection Analysis
IEEE INDUSTRY APPLICATIONS MAGAZINE SEPT j OCT 2008 WWW.IEEE.ORG/IAS
1077-2618/08/$25.00©2008 IEEE
Authorized licensed use limited to: Francisco Guillen. Downloaded on April 25,2020 at 14:10:45 UTC from IEEE Xplore. Restrictions apply.
the probability of the event occurring. LOPA answers the three key questions through a risk-based approach using simplified semiquantitative methods to arrive at an answer that is clear, consistent, and objective. Numbers are used to determine what is safe enough, how many protection schemes are required, and to what degree each protection scheme must perform. The numbers used are in an order of magnitude that further makes this a simple process.

Layers of protection are items in place that, when called on to act, block an undesired event from reaching its target. Any one protection layer can stop the event from hitting the target. As none of the protection layers are 100% effective all the time, several independent protection layers (IPLs) are put in place so that the overall effectiveness of the protection system is as near as possible to being 100% effective all the time. This is visualized in Figure 1. The identified risk in this figure is the possibility of the lightning bolt hitting the target, and it is deemed to be undesirable if there is a chance of the target being hit more than one out of 100 times. The three key questions can now be answered. For the sake of discussion, we will say that five protection layers are needed to ensure that there is less than a one in 100 probability of the target being hit by lightning as long as each protection layer is 90% effective.

[Figure 1: Undesired Event]

Risk Assessment
Steps 1 and 2 will not be fully developed in this article as there are many varied processes to identify scenarios and

in the form of a risk-ranking matrix. Frequency is typically the horizontal axis of the matrix, and consequence severity is the vertical axis. The Instrument Society of America [3] suggests a 3 × 3 risk-ranking matrix (as shown in Figure 2).

[Figure 2: risk-ranking matrix; severity row C: III III III; High]

The Department of Defense [4] suggests frequency categories as the following:
A) remote, less than a one in 1 million chance
B) occasional, less than a one in ten chance but greater than a one in 1,000 chance
C) frequent, greater than a one in ten chance.
Severity categories are suggested as the following:
A) minor impact on personnel safety or a financial impact of less than US$100,000
B) serious personnel injury or a financial impact greater than US$100,000 but less than US$10 million
C) fatalities or serious impact to public or a financial impact greater than US$10 million.

IN MANY INDUSTRIES, DECISION MAKERS ARE OFTEN NEITHER ELECTRICALLY NOR TECHNICALLY ORIENTATED.
The American Institute of Chemical Engineers (AIChE) [5] suggests the risk categories to be the following:
I) acceptable without improvements
II) undesirable
III) unacceptable.
It should be noted that the 3 × 3 matrix, with the frequency, severity, and risk categories, is only a suggestion. When performing a LOPA, you should use a risk-ranking method suited for and approved by your company.

The risk assessment process can be explained in the following manner. If we assume that the undesired event is the failure of a 25-MVA transformer serving a processing unit that has a product throughput worth US$500,000 per day, what is the risk of this transformer failing and leading to a financial loss? First, we can assess the severity category as a C; replacement of a transformer of this size can easily exceed 25 days of lost production, which at US$500,000 per day is US$12.5 million in lost production. Next, the frequency category can be assessed as a B; there is greater than a one in 1,000 chance that a transformer of this size will fail. With a frequency category of B and a severity category of C, we go to the risk matrix and find the risk category to be a III, unacceptable.

Because this example is deemed to be unacceptable, what can be done to lessen the risk? To answer this question, we need to look at what protection layers are in place that can effectively reduce the risk.

occurred, and these protection layers merely lessen the damage caused.

In the example of a transformer failure causing a 25-day outage of a production unit, what protection layers could be in place to reduce the risk of this occurrence? A second transformer in a main-tie-main configuration could be a protection layer. An autotransfer switch between these two transformers could be another. Preventive maintenance systems that periodically determine the health of a transformer and take appropriate actions to restore the transformer to good condition would be a protection layer. Critical alarms in place to indicate abnormal conditions within the transformer and which prompt personnel to take corrective actions can reduce the risk of a catastrophic transformer failure.

LOPA Calculations
Step 5 determines the overall risk-reducing potential of the IPLs identified in step 4. Step 6 evaluates the acceptability of this reduced risk. We previously stated that numbers were to be used to determine what was safe enough, to what degree each protection layer must perform, and how many protection layers are required. This assessment will vary among companies, and you should follow your company's guidelines. For the purpose of this article, we will assume determining what is safe enough is

LAYERS OF PROTECTION ARE ITEMS THAT ACT WHEN REQUIRED TO BLOCK AN UNDESIRED EVENT FROM REACHING ITS TARGET.
3) preventive maintenance procedures, and 4) critical alarms with suitable operator intervention capabilities. The second transformer configured in a main-tie-main configuration can be assessed with a medium level of reliability. The autotransfer switch can also be assessed with a medium level of reliability. Preventive maintenance procedures can be assessed with a medium level of reliability. The last protection layer, critical alarms with operator intervention, has an overall low reliability. This low level of reliability is observed because critical alarms have two components in series, the alarm itself and the operator's response to the alarm. If each component is given a medium level of reliability, then the overall combination of the alarm and operator's response is a low level of reliability.

Protection layers can combine in a simplified reliability manner such that they are either in series or parallel combinations. In a series combination, failure of any one component means a failure of the overall system. For example, two light bulbs connected in series will produce light only if both bulbs operate. Failure of one bulb means that no light is produced. In a parallel combination, the overall system fails only when all components fail. To simplify the reliability calculations involved with the combination of protection layers and provide risk reduction levels, Table 1 explains series-connected protection layers, and Table 2 explains parallel-connected protection layers.

Figure 3 represents the reliability for the system connected in series. Characteristics of a series configured protection layers system are given below.
• A series protection layered system functions properly only if all the elements of the system function properly. Failure of any one component means a failure of the overall system.
• Reliability of a series system is calculated as [10]

$R_{sys}(t) = \prod_{n} R_n(t).$ (1)

• Reliability of a series system is always less than the least reliable component.

Figure 4 represents a system reliability connected in a parallel method. Characteristics of a parallel configured protection layers system are given below.
• A parallel protection layered system functions properly if any one of the elements of the system functions properly. Failure of all components means a failure of the overall system.
• Reliability of a parallel system is calculated as [10]

$R_{sys}(t) = 1 - \prod_{n} \bigl(1 - R_n(t)\bigr).$ (2)

• Reliability of a parallel system is always greater than the highest reliable component.
• The parallel components within the layered protection system must be independent of each other.

LOPA CAN BE LOOKED ON AS A SIX-STEP PROCESS.
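As an added example (not code from the article), the following Python implements equations (1) and (2) and applies them to three situations the article describes: the critical alarm and the operator's response acting in series, two low-reliability feeders in parallel (the second example later in the article), and the fourth example's nonredundant dc control bus sitting in series ahead of that feeder pair. The article fixes only the low band (a low-reliability layer performs between 70% and 90%); the medium and high band edges and every numeric reliability used here are constructed assumptions.

```python
"""Series/parallel combination of protection layers, eqs. (1) and (2).

Added example, not code from the article. The article fixes only the low
band (a low-reliability layer performs between 70% and 90%); the medium and
high band edges and every numeric input below are constructed assumptions.
"""
from math import prod

# Lower bound (inclusive) of each qualitative level. Only "low" is from the article.
BANDS = (("low", 0.70), ("medium", 0.90), ("high", 0.99))


def series_reliability(r):
    """Eq. (1): R_sys = prod(R_n). Every element must work, so the result
    is never better than the weakest element."""
    return prod(r)


def parallel_reliability(r):
    """Eq. (2): R_sys = 1 - prod(1 - R_n). Any one element suffices; the
    formula is only valid when the elements fail independently."""
    return 1.0 - prod(1.0 - x for x in r)


def band(r):
    """Map a numeric reliability onto the assumed qualitative levels."""
    if r < BANDS[0][1]:
        return "below low"
    level = BANDS[0][0]
    for name, lower in BANDS:
        if r >= lower:
            level = name
    return level


def critical_alarm_layer(alarm=0.90, operator=0.90):
    """Alarm and operator response act in series (the article's reasoning):
    two medium components combine into a low-reliability layer."""
    return series_reliability([alarm, operator])


def dual_feeder(feeder1=0.80, feeder2=0.80):
    """Second example: two independent low-reliability feeders in parallel."""
    return parallel_reliability([feeder1, feeder2])


def dual_feeder_with_dc_bus(feeder1=0.80, feeder2=0.80, dc_bus=0.85):
    """Fourth example: a nonredundant dc control bus sits in series with the
    feeder pair, so the pair's redundancy cannot lift the result above the
    bus's own reliability (a hidden single point of failure)."""
    return series_reliability([dc_bus, parallel_reliability([feeder1, feeder2])])


if __name__ == "__main__":
    for name, fn in (("alarm + operator", critical_alarm_layer),
                     ("two feeders in parallel", dual_feeder),
                     ("feeders behind one dc bus", dual_feeder_with_dc_bus)):
        r = fn()
        print(f"{name:28s} R = {r:.3f}  -> {band(r)}")
```

With the assumed inputs, alarm plus operator gives 0.81 (low), the feeder pair gives 0.96 (medium), and the same pair behind an 0.85 dc bus drops back to 0.816 (low): the series element, not the redundancy, sets the ceiling, which is why the article insists that parallel layers be independent.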
[6] protection alone is sufficient protection of a 12,000-hp, 13.2-kV, three-phase induction motor, or the additional protection suggested in the American National Standards Institute (ANSI)/IEEE C37.96 [7] should be used. Figures 5 and 6 can be used to visualize this example. The first step in the LOPA process is to identify the risk associated with this motor. We will assume that this motor is part of a 300,000 barrel per day crude oil processing plant. Profit from this plant is US$8.00 per barrel. On failure of this motor, the plant's production rate will be cut in half. A failure of the motor that causes damage to the stator core will result in 21 days of production being at half, or a financial loss of US$25.2 million. From past experience, it is known that this type of failure can occasionally occur. With the severity of the event known and the frequency at which the event occurs also known, the event can be risk ranked.

[Figure residue: Stator Core Damage, Risk III; Overload Protection, Medium]

Looking back to Figure 2, we find that the severity of the event is a category C, greater than US$10 million in loss. The frequency of this event falls into a category B. From Figure 2, the risk ranking of this event is III, or unacceptable.

As this event is risk ranked as unacceptable, we need to look at which protection layers are in place and determine if they are sufficient to reduce the risk to a level I or acceptable risk. The 2002 edition of the NEC [6], in sections 430.32 (A) (1), 430.32 (A) (4), 430.125 (B), and 430.125 (C), requires motors of this horsepower and voltage to have both overload and fault current protection. This is one layer of protection and can be assessed as having a medium level of reliability. Because this is currently the only identified protection layer, we use Table 1 to determine the level of risk reduction. In this case, one level of risk reduction is provided by this protection layer, which brings the overall system risk to a level II. As stated earlier, we are looking to reduce our risk to level I; therefore, the mandatory protection afforded by the NEC [6] is not sufficient to bring the risk of this event to the acceptable level.

Protection advised in ANSI/IEEE C37.96 [7] for a motor of this type, size, and voltage suggests adding motor differential protection, ground fault protection, and current unbalance protection. The added protection offered by ANSI/IEEE C37.96 [7] can be viewed as a

LOPA WAS FIRST INTRODUCED BY THE PETROCHEMICAL INDUSTRY IN THE LATE 1980s.
The alternate design is a primary selective system with two independent feeders. These two feeders can be viewed as two IPLs, each of which can be defined with a low level of reliability. Table 2 shows that with two IPLs, both of which have a low reliability level, the overall system reliability is medium. The system's medium level of reliability offers a one-level risk reduction, which takes us to an acceptable level of reliability.

[Figure residue: Feeder 1 Low; Feeder 2 Low; Medium]

Third Example: Preventive Maintenance Frequency
In our third example, we will look at how LOPA can be used to determine the frequency at which preventive maintenance should be performed to maintain the level of reliability needed to reduce the risk to an acceptable level. Using the scenario in example two, we found that we needed two electrical feeders performing at a low reliability level for the event to be at an acceptable risk level. It was previously stated that a protection layer with a low level of reliability must perform between a 70 and 90% level of reliability. If we choose the 90% level, we can calculate the time interval during which the system can achieve the desired risk level.

By definition, assuming an exponential failure rate, reliability is [10]

The time interval to maintain an electrical feeder operating at a 90% reliability, in this case, would be approximately four years.

Fourth Example: Identification of Hidden Risk
In our last example, we will look at how LOPA has the potential to identify previously undetected risk. Consider a more complex model of a substation feeding a utilization transformer (Figure 9). The double-ended, primary selective system design was chosen to decrease the risk potential of a loss of power to the utilization transformer. In LOPA terminology, risk of power failure is decreased by duplication of IPLs.

A careful look at the model, however, reveals that the dc control bus is a nonredundant single point of failure. Consider the dc control power cut set, reference LOPA summary (Table 3). Failure of the dc control power has the effect of reducing the selectivity of the protective relay scheme and forces the protective function to the upstream devices, which increases the severity of an event to a category C. The relatively low likelihood of a double failure (system fault and loss of dc) is taken into consideration by assigning frequency category A.

The resulting risk index, III, gauges the relative priority of dc control power reliability improvements versus

THE NUMBER OF PROTECTION LAYERS REQUIRED WILL BE THE AMOUNT THAT TAKES THE ASSESSED RISK TO AN ACCEPTABLE RISK CATEGORY I LEVEL.
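The third example's calculation, as an added example that is not code from the article: it uses the standard exponential reliability model, R(t) = e^(-λt) with λ = 1/MTBF, to find the longest maintenance interval over which a feeder stays at or above a chosen reliability, and the inverse (the MTBF a feeder would need to hold a target over a given interval). The 40-year feeder MTBF is a constructed assumption, not a value from the article, so the interval it produces is illustrative; only the 70 to 90% low band and the 90% target come from the article.

```python
"""Preventive-maintenance interval from a target reliability (third example).

Added example, not code from the article. It uses the standard exponential
reliability model R(t) = exp(-lambda * t), with lambda = 1 / MTBF; the
feeder MTBF used below is a constructed assumption, not a value from the
article, so the interval it yields is illustrative only.
"""
from math import exp, log

LOW_BAND = (0.70, 0.90)  # from the article: a low-reliability layer performs between 70% and 90%


def reliability(t_years, mtbf_years):
    """R(t) for an exponential failure rate."""
    return exp(-t_years / mtbf_years)


def maintenance_interval(target_reliability, mtbf_years):
    """Longest interval t (years) for which R(t) >= target: t = -MTBF * ln(target).
    Maintenance is assumed to restore the layer to as-new condition."""
    if not 0.0 < target_reliability < 1.0:
        raise ValueError("target reliability must be strictly between 0 and 1")
    return -mtbf_years * log(target_reliability)


def implied_mtbf(target_reliability, interval_years):
    """Inverse: the MTBF a layer must have to hold the target over the interval."""
    if not 0.0 < target_reliability < 1.0:
        raise ValueError("target reliability must be strictly between 0 and 1")
    return -interval_years / log(target_reliability)


def interval_table(mtbf_years, targets=(0.70, 0.80, 0.90, 0.95)):
    """Interval (years, 2 dp) needed to keep a layer at each target reliability."""
    return {r: round(maintenance_interval(r, mtbf_years), 2) for r in targets}


def meets_low_band_at(t_years, mtbf_years):
    """True while the layer is still at least at the low band's floor (70%)."""
    return reliability(t_years, mtbf_years) >= LOW_BAND[0]


if __name__ == "__main__":
    MTBF = 40.0  # constructed assumption, years
    print(interval_table(MTBF))
    print(f"MTBF implied by a 4-year interval at 90%: {implied_mtbf(0.90, 4.0):.1f} years")
```

Choosing the top of the low band (90%) rather than its floor (70%) shortens the interval by more than a factor of three under this model, which is the trade-off the third example is making: a tighter reliability target buys risk reduction at the cost of more frequent maintenance.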
[Figure 9: Reliability model. Components shown: primary selective switch; normal feeder and alternate feeder, each with protective relay, F CB, F CT, R CB, R CT, and cable (1/2); OCB 3, XF-3, BD-3, CB-3, Swgr 3; dc control bus; unit load.]
asking yourself, “what are the tangible benefits that would

Risk mitigation and system reliability improvements ini-