IEEE INDUSTRY APPLICATIONS MAGAZINE • SEPT|OCT 2008 • WWW.IEEE.ORG/IAS

Analysis of electrical system effectiveness using layers of protection

BY RICK MENDLER & GARY OSBORNE

Digital Object Identifier 10.1109/MIAS.2008.927528
1077-2618/08/$25.00©2008 IEEE

This article reviews how the effectiveness (i.e., the ability to perform an intended function) of electrical systems can be analyzed using the technique of layer of protection analysis (LOPA). It is a process currently in use to determine if instrumented systems are effective in reducing possible risks from the release of hazardous chemicals. This technique can be used to evaluate mandatory protection of electrical systems, nonmandatory protection of electrical systems, alternate system designs, and intervals of maintenance on electrical systems in terms of their potential reliability risks or personnel risks.

Layer of Protection Analysis
LOPA was first introduced by the petrochemical industry in the late 1980s. Its primary use is to determine if there are sufficient protection layers in place to reduce the risk of an undesirable event, i.e., the release of a hazardous chemical. The LOPA process does this by asking three key questions [1].
• How safe is safe enough?
• How many protection layers are needed?
• How much risk reduction should each protection layer provide?

Before these questions can be asked, one must identify what is at risk and how much risk is technically and financially acceptable. Knowing what is at risk and to what degree it is not acceptable aids in focusing how to reduce the probability of the event occurring. LOPA answers the three key questions through a risk-based approach using simplified semiquantitative methods to arrive at an answer that is clear, consistent, and objective. Numbers are used to determine what is safe enough, how many protection schemes are required, and to what degree each protection scheme must perform. The numbers used are in an order of magnitude that further makes this a simple process.

Layers of protection are items in place that, when called on to act, block an undesired event from reaching its target. Any one protection layer can stop the event from hitting the target. As none of the protection layers are 100% effective all the time, several independent protection layers (IPLs) are put in place so that the overall effectiveness of the protection system is as near as possible to being 100% effective all the time. This is visualized in Figure 1. The identified risk in this figure is the possibility of the lightning bolt hitting the target, and it is deemed to be undesirable if there is a chance of the target being hit more than one out of 100 times. The three key questions can now be answered. For the sake of discussion, we will say that five protection layers are needed to ensure that there is less than a one in 100 probability of the target being hit by lightning as long as each protection layer is 90% effective.

[Figure 1. Protection layer diagram: undesired event, Protection Layers 1 through 5, target.]

LOPA can be looked on as a six-step process.
• Step 1 is to identify the scenario to be reviewed.
• Step 2 is to identify the initiating event that triggers the scenario.
• Step 3 is to risk rank the scenario.
• Step 4 involves the identification and reliability assessment of each IPL currently in place.
• Step 5 is to determine the overall reliability of the combination of the identified IPLs.
• Step 6 is to determine if the combined effect of the identified IPLs is sufficient to reduce an unacceptable risk to an acceptable risk.

Risk Assessment
Steps 1 and 2 will not be fully developed in this article as there are many varied processes to identify scenarios and initiating events. The benefits of identification processes will change in consideration of the complexity of the system being analyzed. A simple "what if" brainstorming session adequately identifies scenarios, initiating events and protection layers for simple systems. A more rigorous minimal cut set analysis may be advantageous (IEEE Gold Book [9]) for complex systems.

For a discussion of LOPA, we need to have a high-level overview of evaluating risk, Step 3. Risk can be defined as "the possibility of loss or injury to people and property" [2]. Mathematically stated, risk is a combination of the frequency at which an undesired event could possibly occur and the consequence severity of the undesired event. Normally, this relationship for LOPA analysis is presented in the form of a risk-ranking matrix. Frequency is typically the horizontal axis of the matrix, and consequence severity is the vertical axis. The Instrument Society of America [3] suggests a 3 × 3 risk-ranking matrix (as shown in Figure 2).

Figure 2. Risk matrix.

| Severity \ Frequency | A (low) | B | C (high) |
|---|---|---|---|
| C (high) | III | III | III |
| B | II | II | III |
| A (low) | I | I | II |

The Department of Defense [4] suggests frequency categories as the following:
A) remote, less than a one in 1 million chance
B) occasional, less than a one in ten chance but greater than a one in 1,000 chance
C) frequent, greater than a one in ten chance.

Severity categories are suggested as the following:
A) minor impact on personnel safety or a financial impact of less than US$100,000
B) serious personnel injury or a financial impact greater than US$100,000 but less than US$10 million
C) fatalities or serious impact to public or a financial impact greater than US$10 million.

The American Institute of Chemical Engineers (AIChE) [5] suggests the risk categories to be the following:
I) acceptable without improvements
II) undesirable
III) unacceptable.

It should be noted that the 3 × 3 matrix, with the frequency, severity, and risk categories, is only a suggestion. When performing a LOPA, you should use a risk-ranking method suited for and approved by your company.

The risk assessment process can be explained in the following manner. If we assume that the undesired event is the failure of a 25-MVA transformer serving a processing unit that has a product throughput worth US$500,000 per day, what is the risk of this transformer failing and leading to a financial loss? First, we can assess the severity category as a C; replacement of a transformer of this size can easily exceed 25 days of lost production or, at US$500,000 per day, US$12.5 million in lost production. Next, the frequency category can be assessed as a B; there is greater than a one in 1,000 chance that a transformer of this size will fail. With a frequency category of B and a severity category of C, we go to the risk matrix and find the risk category to be a III, unacceptable.

Because this example is deemed to be unacceptable, what can be done to lessen the risk? To answer this question, we need to look at what protection layers are in place that can effectively reduce the risk.

Independent Protection Layers
Step 4 is the identification of protection layers. As stated earlier, protection layers are devices, systems, or actions in place that when called on can block an undesired event from occurring. A protection layer must be independent of the event and of other protection layers, effective in preventing the consequence, and auditable to the extent that the device, system, or action is designed, installed, functionally performs, and is maintained to a state that allows it to function as intended. AIChE [1] suggests that an IPL has the characteristics of being able to
• detect the condition of the undesired event
• decide whether to take action or not
• deflect the undesired event by preventing or mitigating it
• be big enough, fast enough, and strong enough to accomplish its purpose.

Some examples of IPLs can be the system design, basic control/operation of the system, alarms requiring personnel intervention, instrumented systems, physical protection, containment systems, and emergency response. The last two, containment systems and emergency response, should be used as protection layers with caution since the event has already occurred and these are in place to keep it under control. An example of an emergency response is a circuit overloading to the point that it causes a fire, which sets off a sprinkler system and triggers a call to the fire department. Although the sprinkler system and fire department can put the fire out, the undesired event has occurred, and these protection layers merely lessen the damage caused.

In the example of a transformer failure causing a 25-day outage of a production unit, what protection layers could be in place to reduce the risk of this occurrence? A second transformer in a main-tie-main configuration could be a protection layer. An autotransfer switch between these two transformers could be another. Preventive maintenance systems that periodically determine the health of a transformer and take appropriate actions to restore the transformer to good condition would be a protection layer. Critical alarms in place to indicate abnormal conditions within the transformer and which prompt personnel to take corrective actions can reduce the risk of a catastrophic transformer failure.

LOPA Calculations
Step 5 determines the overall risk-reducing potential of the IPLs identified in step 4. Step 6 evaluates the acceptability of this reduced risk. We previously stated that numbers were to be used to determine what was safe enough, to what degree each protection layer must perform, and how many protection layers are required. This assessment will vary among companies, and you should follow your company's guidelines. For the purpose of this article, we will assume that what is safe enough is determined by the risk matrix: risks ranked as category I, acceptable without improvements, will be the definition of what is safe enough. The next two items are accomplished through the use of simplified reliability analysis. Each protection layer will be assumed to perform to a degree of reliability:
• low: 70–90% reliable
• medium: 90–99% reliable
• high: 99–99.9% reliable.

Last, the number of protection layers required will be the amount that takes the assessed risk, with no protection layers in place, to an acceptable risk category I level when protection layers are put in place. To determine this, the reliability of each protection layer is combined through reliability analysis to determine the overall reliability of the combination of all protection layers in place to mitigate the undesired event. Combinations of protection layers that yield an overall low combined reliability offer no risk reduction, whereas combinations with an overall reliability of medium or high offer risk reduction levels of one and two, respectively.

For example, when the 25-MVA transformer failed, resulting in a financial loss of US$12.5 million, the risk was assessed as unacceptable. To bring this risk to an acceptable level, we will need sufficient protection layers that, when combined reliability wise, will yield an overall high reliability, thus giving two levels of risk reduction bringing the overall risk to a category I, acceptable. In this example, we identified four protection layers: 1) a second transformer configured in a main-tie-main arrangement, 2) an autotransfer switch between the two transformers,

3) preventive maintenance procedures, and 4) critical alarms with suitable operator intervention capabilities. The second transformer configured in a main-tie-main configuration can be assessed with a medium level of reliability. The autotransfer switch can also be assessed with a medium level of reliability. Preventive maintenance procedures can be assessed with a medium level of reliability. The last protection layer, critical alarms with operator intervention, has an overall low reliability. This low level of reliability is observed because critical alarms have two components in series, the alarm itself and the operator's response to the alarm. If each component is given a medium level of reliability, then the overall combination of the alarm and operator's response is a low level of reliability.

Protection layers can combine in a simplified reliability manner such that they are either in series or parallel combinations. In a series combination, failure of any one component means a failure of the overall system. For example, two light bulbs connected in series will produce light only if both bulbs operate. Failure of one bulb means that no light is produced. In a parallel combination, the overall system fails only when all components fail. To simplify the reliability calculations involved with the combination of protection layers and provide risk reduction levels, Table 1 explains series-connected protection layers, and Table 2 explains parallel-connected protection layers.

TABLE 1. SERIES CALCULATIONS.

| IPL 1 | IPL 2 | IPL 3 | Result | Risk Reduction |
|---|---|---|---|---|
| Low | | | Low | 0 |
| Medium | | | Medium | 1 |
| Medium | Medium | | Low | 0 |
| Medium | Medium | Medium | Low | 0 |
| High | | | High | 2 |
| High | High | | Medium | 1 |
| High | Medium | | Medium | 1 |

TABLE 2. PARALLEL CALCULATIONS.

| IPL 1 | IPL 2 | IPL 3 | Result | Risk Reduction |
|---|---|---|---|---|
| Low | Low | | Medium | 1 |
| Low | Low | Low | Medium | 1 |
| Low | Medium | | Medium | 1 |
| Low | High | | High | 2 |
| Medium | Medium | | High | 2 |
| Medium | High | | High + | 3 |
| High | High | | High + | 3 |

Figure 3 represents the reliability for the system connected in series. Characteristics of a series configured protection layers system are given below.
• A series protection layered system functions properly only if all the elements of the system function properly. Failure of any one component means a failure of the overall system.
• Reliability of a series system is calculated as [10]

$$R_{sys}(t) = \prod R_n(t). \tag{1}$$

• Reliability of a series system is always less than the least reliable component.

[Figure 3. Series reliability model: IPL 1, IPL 2, IPL 3.]

Figure 4 represents a system reliability connected in a parallel method. Characteristics of a parallel configured protection layers system are given below.
• A parallel protection layered system functions properly if any one of the elements of the system functions properly. Failure of all components means a failure of the overall system.
• Reliability of a parallel system is calculated as [10]

$$R_{sys}(t) = 1 - \prod \bigl(1 - R_n(t)\bigr). \tag{2}$$

• Reliability of a parallel system is always greater than the highest reliable component.
• The parallel components within the layered protection system must be independent of each other.

[Figure 4. Parallel reliability model: IPL 1, IPL 2, IPL 3.]

Examples

First Example: Mandatory and Nonmandatory Requirements
In our first example, we will look to see if, from a risk perspective, the National Electric Code (NEC)-required

[6] protection alone is sufficient protection of a 12,000-hp, 13.2-kV, three-phase induction motor, or the additional protection suggested in the American National Standards Institute (ANSI)/IEEE C37.96 [7] should be used. Figures 5 and 6 can be used to visualize this example. The first step in the LOPA process is to identify the risk associated with this motor. We will assume that this motor is part of a 300,000 barrel per day crude oil processing plant. Profit from this plant is US$8.00 per barrel. On failure of this motor, the plant's production rate will be cut in half. A failure of the motor that causes damage to the stator core will result in 21 days of production being at half or a financial loss of US$25.2 million. From past experience, it is known that this type of failure can occasionally occur. With the severity of the event known and the frequency at which the event occurs also known, the event can be risk ranked.

Looking back to Figure 2, we find that the severity of the event is a category C, greater than US$10 million in loss. The frequency of this event falls into a category B. From Figure 2, the risk ranking of this event is III, or unacceptable.

As this event is risk ranked as unacceptable, we need to look at which protection layers are in place and determine if they are sufficient to reduce the risk to a level I or acceptable risk. The 2002 edition of the NEC [6], in sections 430.32 (A) (1), 430.32 (A) (4), 430.125 (B), and 430.125 (C), requires motors of this horsepower and voltage to have both overload and fault current protection. This is one layer of protection and can be assessed as having a medium level of reliability. Because this is currently the only identified protection layer, we use Table 1 to determine the level of risk reduction. In this case, one level of risk reduction is provided by this protection layer, which brings the overall system risk to a level II. As stated earlier, we are looking to reduce our risk to level I; therefore, the mandatory protection afforded by the NEC [6] is not sufficient to bring the risk of this event to the acceptable level.

Protection advised in ANSI/IEEE C37.96 [7] for a motor of this type, size, and voltage suggests adding motor differential protection, ground fault protection, and current unbalance protection. The added protection offered by ANSI/IEEE C37.96 [7] can be viewed as a second layer of protection. This second layer of protection can be assigned a medium level of reliability. With these two layers of independent protection, we use Table 2 to determine the overall reliability of the two protection layers. We find that the overall reliability can be assigned as high, which offers two levels of risk reduction.

[Figure 5. NEC protection: stator core damage (Risk III); overload protection and fault protection (Medium); motor (Risk II).]

[Figure 6. ANSI/IEEE protection: stator core damage (Risk III); overload protection and fault protection (Medium); current unbalance protection (Medium); combined High; motor (Risk I).]

Second Example: Alternate System Designs
In the second example, we will look at alternate system designs presented in the IEEE Red Book [8]. In particular, we will look at the difference between a radial-fed motor control center (MCC) versus a primary selective-fed MCC. In this example, the event in question is the loss of the feeder to the MCC. Figures 7 and 8 can be used to visualize this example. The MCC feeds a 150,000 barrel per day chemical unit, which has a profit of US$5.00 per barrel. Loss of the electrical feeder will cause a five-day loss of production or a US$3.75 million loss. The US$3.75 million loss puts it into a severity category of serious (B). The frequency at which this event can occur is rated as occasional (B). Using Figure 2, we risk rank this event as II or undesirable.

With one electrical feeder supplying power to this unit as defined in a simple radial-fed system, we have one layer of protection, which can be defined as a low level of reliability to protect against this event. As given in Table 1, one protection layer with a low level of reliability gives an overall low system reliability and no risk reduction, which leaves us at an undesirable risk level.

The alternate design is a primary selective system with two independent feeders. These two feeders can be viewed as two IPLs, each of which can be defined with a low level of reliability. Table 2 shows that with two IPLs, both of which have a low reliability level, the overall system reliability is medium. The system's medium level of reliability offers a one-level risk reduction, which takes us to an acceptable level of reliability.

[Figure 7. Radial system: loss of feeder (Risk II); Feeder 1 (Low); MCC (Risk II); five days to restore power.]

[Figure 8. Primary selective system: loss of feeder (Risk II); Feeder 1 (Low) and Feeder 2 (Low), combined Medium; MCC (Risk I); within hours to restore power.]

Third Example: Preventive Maintenance Frequency
In our third example, we will look at how LOPA can be used to determine the frequency at which preventive maintenance should be performed to maintain the level of reliability needed to reduce the risk to an acceptable level. Using the scenario in example two, we found that we needed two electrical feeders performing at a low reliability level for the event to be at an acceptable risk level. It was previously stated that a protection layer with a low level of reliability must perform between a 70 and 90% level of reliability. If we choose the 90% level, we can calculate the time interval during which the system can achieve the desired risk level.

By definition, assuming an exponential failure rate, reliability is [10]

$$R_{sys}(t) = e^{-\lambda t}. \tag{3}$$

Here, $\lambda$ is the failure rate of the equipment, and $t$ is the time interval. Because we know the desired reliability level, 90%, and the IEEE Gold Book [9] gives us failure rates for electrical feeders, $\lambda = 0.027$ failures per year, we can solve for

$$\frac{\ln\left(\dfrac{1}{R_{sys}(t)}\right)}{\lambda} = t. \tag{4}$$

The time interval to maintain an electrical feeder operating at a 90% reliability, in this case, would be approximately four years.

Fourth Example: Identification of Hidden Risk
In our last example, we will look at how LOPA has the potential to identify previously undetected risk. Consider a more complex model of a substation feeding a utilization transformer (Figure 9). The double-ended, primary selective system design was chosen to decrease the risk potential of a loss of power to the utilization transformer. In LOPA terminology, risk of power failure is decreased by duplication of IPLs.

A careful look at the model, however, reveals that the dc control bus is a nonredundant single point of failure. Consider the dc control power cut set, reference LOPA summary (Table 3). Failure of the dc control power has the effect of reducing the selectivity of the protective relay scheme and forces the protective function to the upstream devices, which increases the severity of an event to a category C. The relatively low likelihood of a double failure (system fault and loss of dc) is taken into consideration by assigning frequency category A.

The resulting risk index, III, gauges the relative priority of dc control power reliability improvements versus other initiatives.

Conclusions
These simplified examples demonstrate how LOPA can be used to assess the effectiveness of electrical systems and the maintenance of those systems.

The conclusions of simplified examples 1–4 may seem intuitive to the seasoned electrical engineer, so you may be


TABLE 3. LOPA SUMMARY.

| Scenario or Cut Set or Node of Interest | Consequence | Probability Frequency | Severity (Safety / Environmental / Business Interruption / Property) | Risk Ranking | Protection Layer, Safeguards, or Notes | Fault | Probability to Perform on Demand | Recommendation or Actions |
|---|---|---|---|---|---|---|---|---|
| #2 and #3 incoming | Environmental: floods at sub relay building | B | C, A | III | Sandbags, ditch | False trip or failure to operate | Low, manually placed sandbags | Building eliminated |
| #2 and #3 incoming | Environmental: dirt carbon contamination | B | B | II | Substation preventive maintenance (PM): cleaning insulators | Fault: Ø to Ø and ground fault (GF) | Human action: low | Set PM interval on cleaning for medium reliability level |
| #2 and #3 incoming | Environmental: critters get into substation, incoming power failure | B | B | II | Snake fence, bird nest rounds | Fault: Ø to Ø and GF | Snake fence: medium; human action: low | |
| #2 and #3 incoming | Lightning strike, equipment damage, loss of power, inadvertent trip | C | C | III | Static wire or masts, lightning arresters, ground system | Fault: Ø to Ø and GF, over voltage | High at substations; low on feeder circuits (ckts) | On feeder ckts PM to inspect and replace arresters |
| dc control power | Loss of dc; battery, charger, breaker, fuse failure | A | C | III | Operator rounds record dc voltages | Loss of system selectivity | Human action: low | Redundant dc, alarm, dc quality metering to a manned location |
| Switchgear | Environmental: moisture from condensation | B | B | II | Space heaters and controls | Fault: Ø to Ø and GF | Space heaters and controls: medium | Check PM frequency |
| Switchgear | Environmental: outside area has high H2S corrosion | B | C | III | No current protection | Fault: Ø to Ø and GF | | Add building pressurization with chemical filters |

[Figure 9. Reliability model. Blocks shown: Utility 69kV Inc; OCB 2 and OCB 3; XF-2 and XF-3; BD-2 and BD-3; CB-2 and CB-3; Swgr 2 and Swgr 3; Bus SW; Norm Fdr and Alt Fdr, each with CB, CT, Prot Relay, and Cable blocks; Primary Selective Switch; DC Cntl Bus; Unit Load.]

asking yourself, "what are the tangible benefits that would entice me to perform LOPA on my system?"

Let's face it; in many industries, decision makers are often neither electrically nor technically orientated, so we are faced with the daunting task of justifying risk mitigation and reliability improvements. When the lights are on, these improvements can be very hard to justify; on the other hand, when the lights go off, project money may flow unimpeded. LOPA is a recognized tool to perform many tasks.
1) Qualitatively and quantitatively measure risk potential. The lights are on, why should I approve this project?
2) Provide the necessary information, from a reliability standpoint, to support and defend good engineering practices. You have one transformer, why should I approve the extra dollars for a second redundant transformer?
3) Identify previously undetected weak points within a system from a new perspective. The lights have stayed on for the past five years, why should I spend money now?
4) Evaluate and communicate preventive maintenance frequencies, identify deficiencies in preventive maintenance procedures, and improve the effectiveness of a preventive maintenance process.

The step-by-step LOPA process can systematically identify risk and assess effectiveness of an electrical system's protection layers and aid in the determination of the frequency of preventive maintenance of those systems. Risk mitigation and system reliability improvement initiatives are aided by quantifying risk potential of electrical systems.

References
[1] AIChE, Layer of Protection Analysis: Simplified Process Risk Assessment. New York: AIChE, 2001.
[2] E. J. Henley and H. Kumamoto, Probabilistic Risk Assessment. Piscataway, NJ: IEEE Press, 1992.
[3] Application of Safety Instrumented Systems for the Process Industry, ANSI/ISA Standard S84.01, 1996.
[4] System Safety Program Requirements, Department of Defense Military Standard 882C, 1993.
[5] AIChE, Hazard Evaluation Procedures. New York: AIChE, 1992.
[6] NFPA, NFPA 70: National Electric Code. Quincy, MA: NFPA, 2004.
[7] ANSI/IEEE, Guide for ac Motor Protection. New York: IEEE, 2000.
[8] Recommended Practice for Electric Power Distribution for Industrial Plants, IEEE Standard 141, 1994.
[9] Recommended Practice for Design of Reliable Industrial and Commercial Power Systems, IEEE Standard 493, 1980.
[10] D. J. Smith, Reliability Maintainability and Risk. Jordan Hill, Oxford: Butterworth-Heinemann, 1993.

Rick Mendler (rick.mendler@conocophillips.com) is with ConocoPhillips in Sweeny, Texas. Gary Osborne is with ConocoPhillips in Houston, Texas. Mendler and Osborne are Members of the IEEE. This article first appeared as "Analysis of Electrical System Effectiveness Using Layer of Protection Analysis" at the 2006 Petroleum and Chemical Industry Conference.
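The arithmetic behind the second and third examples (with the first example and the alarm-plus-operator case as checks), written out as an added example that is not code from the article: equations (1) to (4), the low/medium/high bands, and the Figure 2 matrix applied to one and two feeders maintained every four years. All function and constant names are hypothetical. Placing a value that sits exactly on a shared band boundary (90%, 99%) in the higher band, and representing a band by its lower bound, are assumptions, since the article lists 90% as both the top of low and the bottom of medium.

```python
import math

# Figure 2 of the article: RISK_MATRIX[severity][frequency] -> risk category (1 = I, 3 = III).
RISK_MATRIX = {
    "A": {"A": 1, "B": 1, "C": 2},
    "B": {"A": 2, "B": 2, "C": 3},
    "C": {"A": 3, "B": 3, "C": 3},
}
# Risk-reduction levels credited to each overall reliability band (Tables 1 and 2).
RISK_REDUCTION = {"below low": 0, "low": 0, "medium": 1, "high": 2, "high+": 3}
# Assumption: a value exactly on a shared boundary falls in the higher band.
BAND_FLOORS = [("high+", 0.999), ("high", 0.99), ("medium", 0.90), ("low", 0.70)]
FEEDER_FAILURE_RATE = 0.027  # failures per year, quoted in the article from the IEEE Gold Book


def series(reliabilities):
    """Equation (1): a series system works only if every element works."""
    return math.prod(reliabilities)


def parallel(reliabilities):
    """Equation (2): a parallel system fails only if every element fails."""
    return 1.0 - math.prod(1.0 - r for r in reliabilities)


def reliability_at(t_years, failure_rate):
    """Equation (3): R(t) = exp(-lambda * t) for a constant failure rate."""
    return math.exp(-failure_rate * t_years)


def interval_for(target, failure_rate):
    """Equation (4): the interval t at which reliability has decayed to `target`."""
    if not 0.0 < target <= 1.0 or failure_rate <= 0.0:
        raise ValueError("need 0 < target <= 1 and failure_rate > 0")
    return math.log(1.0 / target) / failure_rate


def band(reliability):
    """Map a numeric reliability onto the article's low / medium / high bands."""
    r = round(reliability, 9)  # absorb floating-point noise at band edges
    for name, floor in BAND_FLOORS:
        if r >= floor:
            return name
    return "below low"


def residual_risk(frequency, severity, overall_reliability):
    """Steps 3, 5 and 6: rank the event, then subtract the credited risk reduction."""
    initial = RISK_MATRIX[severity][frequency]
    return max(1, initial - RISK_REDUCTION[band(overall_reliability)])


def feeder_study(n_feeders, interval_years, failure_rate=FEEDER_FAILURE_RATE):
    """Second and third examples: loss of the MCC feeder (frequency B, severity B)."""
    each = reliability_at(interval_years, failure_rate)
    overall = parallel([each] * n_feeders)
    return each, overall, residual_risk("B", "B", overall)


if __name__ == "__main__":
    print(f"interval for 90%: {interval_for(0.90, FEEDER_FAILURE_RATE):.2f} years")
    for n in (1, 2):  # radial system, then primary selective system
        each, overall, risk = feeder_study(n, interval_years=4)
        print(f"{n} feeder(s): each {each:.4f}, overall {overall:.4f} "
              f"({band(overall)}), residual risk category {risk}")
    # First example: NEC protection alone, then with ANSI/IEEE C37.96 in parallel,
    # each layer represented by the medium band's lower bound (assumption).
    print(residual_risk("B", "C", 0.90), residual_risk("B", "C", parallel([0.90, 0.90])))
    # Critical alarm in series with the operator response, both at the medium lower bound.
    print(band(series([0.90, 0.90])))
```
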