Layers of Safety
Chapter 55
55.1 Concept of Layers
55.2 Passive Systems Layer
55.3 Active Systems Layer
55.4 Control Systems Layer
55.5 The HSE Guidelines
55.6 The EEMUA Guidelines
55.7 Comments
Companies have a general responsibility to their
employees and others for safety. In the UK this is
covered by the Health and Safety at Work Act (1974)
and responsibility for monitoring its implementa-
tion is vested in the Health and Safety Executive
(HSE). In particular, there is a duty for
“the provision and maintenance of
plant and systems of work that are, so
far as is reasonably practicable, safe
and without risks to health.”
Safety, therefore, is fundamental to the design and
operation of process plant and pervades all oper-
ability and viability considerations. Designs must
ensure that all plant is as safe as is reasonably prac-
ticable under all normal and most abnormal con-
ditions. In the event of a hazardous incident occur-
ring, for which it can be proven that not all rea-
sonable safety measures were taken, any company
involved in the design, manufacture, installation
or operation of the plant and/or its safety systems
is potentially liable to prosecution. So too are the
individuals involved: they cannot hide behind the
company.
Plant designs which are inherently safe are best,
they do not need additional protection. However,
in practice, few plants are inherently safe and it
is necessary to enhance their safety by the instal-
lation of protection systems. Indeed, for existing
plants whose design cannot be changed, it is often
the case that additional protection systems are the
only practicable way of enhancing safety.
Protection systems are designed on the basis of
reducing, to an acceptable level, the probability of
some hazardous event occurring. Normally the de-
sign is driven by safety considerations: that is, the
consequences of the hazardous event in terms of
risk to life and limb. However, depending upon the
nature of the process, such a system may well also
provide protection against environmental damage,
say in terms of toxic release or pollutant discharge,
protection against plant damage, or indeed protec-
tion against lost production. It is also true to say
that protection systems designed on the basis of
these other criteria will probably reduce the risk to
life and limb too.
This chapter considers the contribution to
safety made by automation and the relationship
between plant design, protection systems and pro-
cess control issues. Reference is made to industrial
codes and standards as appropriate. A good intro-
duction to the subject is given by Kletz (1995) but
for a more comprehensive treatment the reader is
referred to the text by Lees (2005).
 426 55 Layers of Safety

55.1 Concept of Layers As stated in Chapter 54, basic process control sys-
tems are not protection systems. In the event of the
Hazard assessment, as described in Chapter 54,
failure of a control system, it cannot itself be relied
provides a basis for deciding upon the appropriate
upon to provide any means of protection. For this
preventive and protective measures to be incorpo-
reason HAZOP applies to the outer and middle
rated in the design of the plant. There are many
layers of protection only. If the inner layer is be-
means of protection which may be categorised, on
ing relied upon to provide protection, the design is
a broad brush basis, into three concentric layers of
faulty.
passive, active and control systems as depicted in
Nevertheless, control systems make a signifi-
Figure 55.1.
cant contribution to plant safety to the extent that
Passive systems layer
effective control, alarm management, and so on,
reduce the demand on the protection systems. To
Fa
t
en

il-
prevent the protection systems being exercised un-
nm

sa
Active systems layer

fe
ai

necessarily, CHAZOP and COOP studies should be

de
nt

sig
Co

Du

Control carried out on the design of the control system and

n
ESD
ali

systems layer the functionality of its application software. It fol-

Intrinsic safety
ty
Bur

Alarm handling lows that CHAZOP and COOP studies only apply
Bac
s

to the inner layer.

ting

Diagnostics F&G
k-u
disc

p
s

Alarms, trips & interlocks

Pre
ss ure 55.2 Passive Systems Layer
re lief
val Safe plant design is essentially a chemical engi-
ves
One way valves neering issue. The contribution of control engi-
Fig. 55.1 Passive, active and control layers of protection neering personnel to the outer layer of safety is
through participation in the HAZOP study team,in
The concept of layers of safety is a proven approach the specification of any passive devices used and in
to protection system design. The outer layer com- their subsequent testing and/or maintenance. Pro-
prises a combination of safe plant design measures tection at this layer is realised by means of:
and civil/mechanical means.Protection devices are
passive in the sense that they are mechanical, fail- 1. Inherent safety. Whenever options exist, select
safe and require no power supply. Ultimately, if ev- items of plant which are inherently safe or
erything else fails,it is this outer layer that provides choose process routes which minimise the ex-
the final protection to personnel, plant and the en- tent of hazard. For example, stationary plant
vironment. Clearly, from a design point of view, the is safer than rotating equipment so use filters
objective is to never have to exercise this layer. rather than centrifuges.Avoid solvent based re-
Protection defaults to the outer layer only if actions if aqueous routes are viable. Use non-
the active systems of the middle layer fail. These toxic chemicals if there alternatives available.
protection systems are of an active nature in the 2. Minimum inventory. Choose operations that
sense that, typically, they require a power supply to minimise the inventory of hazardous materials.
function. Similarly, protection defaults to the mid- In general, continuous operations have lower
dle layer only if the basic process control system inventories than batch. Avoid the use of buffer
(BPCS) of the inner layer fails, or fails to cope. Un- tanks between continuous operations.
der all normal and most abnormal circumstances, 3. Containment systems. Provide facilities such as
plant operation should be maintained by the con- quench tanks,bund walls and segregated drains
trol system within the inner layer. to contain reagents in the event of unscheduled

releases. Use flame traps to prevent the propa-
gation of fire.
4. Passive devices. Use bursting discs, pressure re-
lief valves and vacuum breakers to protect plant
against over and under pressures. Install one-
way valves to prevent reverse flows. Fit over-
speed bolts on rotating machinery. These are
passive in the sense that they are all mechani-
cal and not dependant upon a power supply.
5. Fail-safe design. For example, specify the ac-
tion of pneumatically actuated valves such that
in the event of air failure they fail-safe. Typi-
cally, a cooling water valve will be required to
fail open whereas a steam valve will be required
to fail closed.
6. Intrinsic safety. Specify instrumentation that
does not in itself constitute a hazard. If this is
not possible then use enclosures as appropriate.
This is discussed in detail in Chapter 52.
55.3 Active Systems Layer
The middle layer is comprised of independent ac-
tive protection systems and augments the passive
features of the outer layer. These systems are ac-
tive in the sense that they require a power supply
to function. Clearly there is scope for either the
protection system or its power supply to fail, in
which case safety provision defaults to the outer
layer. In safety critical applications, active protec-
tion systems must be designed to guarantee some
minimum reliability criteria: this is discussed in
detail in Chapter 56.
The middle layer contains the following means
8.
of protection:
7. Alarms, trips and interlocks. These are closely
related and it is convenient to treat them to-
gether. They are by far the most common type
of active system and it makes sense to define
them formally:
An alarm indicates to an operator that some
abnormal condition or event has occurred and
that some action may be required. It has the
following syntax:
55.3 Active Systems Layer 427
“If some condition becomes true or
false then annunciate or display the
change in status”.
There are normally two ways in which an
alarm can be activated. Either some analogue
input signal, such as a level measurement, has
reached a threshold value or because a dis-
crete signal, such as that from a level switch,
has changed its status. The outcome is usually
an audio and/or visual signal to the operator.
A trip automatically takes some action due to
the occurrence of an alarm condition. It has
the following syntax:
“If some alarm condition occurs
then change the status of some out-
put signal”.
The change in output is normally associated
with a discrete signal. Typically, if a tank is
full then an isolating valve in the inlet will be
closed or a pump in the outlet started.
An interlock is generally used for prevention
purposes and is,in effect,the converse of a trip.
The syntax of an interlock is of the following
form:
“Unless (or while) some condition
occurs (exists) do not change the
status of some output signal”.
A typical example with machinery would be:
unless the guard is in place, do not enable the
start button. A more typical process example
would be in charging a vessel: while the inlet
valve is open, do not open the drain valve or
close the vent valve.
Emergency shut-down (ESD) systems. Under
certain circumstances, it may be necessary to
automatically shut down a plant. This is in-
variably triggered by some prescribed critical
condition or combination of conditions. The
syntax is typically:
“If some critical condition occurs
then force an emergency shut down”.
There are various shut-down strategies. One
simple but effective strategy is to switch off a
common power supply to a number of output
 428 55 Layers of Safety
channels grouped together for that purpose.
Thus, in effect, all those channels are forced
into a fail-safe condition consistent with the
shut-down mode of the plant. Another strat-
egy is to shut down the plant by manipulat-
ing the systems’ outputs in a time ordered se-
quence. Sequence control was introduced in
Chapter 29.
9. Fire and gas detection systems (F&G). These
are commonly used on off-shore gas and oil
installations. Typically, an F&G system con-
sists of sensors to detect gas leaks or the pres-
ence of fire. F&G systems do not necessarily
have shut-down capability in themselves but
are invariably connected up to ESD systems.
The syntax is thus:
“If a gas leak or a fire is detected
then force an emergency shut down”.
10. Dual systems.A common approach to increas-
ing the reliability of active safety systems is to
provide duality. Typically, critical instruments
may be duplicated, or even triplicated, with
some means of cross-checking or polling of
the measurement. In extreme cases whole sys-
tems may be duplicated.
11. Back-up systems. An active protection system
cannot function in the event of failure of its
own power supply or of any of the utilities
that it is required to manipulate. Sometimes
it may be necessary to provide back-ups. For
example, mains power supply may be backed
up by diesel generators which switch on au-
tomatically when the power fails. A head tank
of cooling water may be installed as a back-up
for failure of the pumps on the works cooling
water supply main.
It is good practice to separate the active protection
systems from the control systems. Thus each uses
different sensors and actuators, and their signals
are carefully segregated with colour coded cabling.
Active protection systems usually utilise discrete
signals, typically inputs from switches, logic ele-
ments, and outputs to relays. It is normal practice
for these elements and signals to be individually
hard wired.
55.4 Control Systems Layer
The inner layer consists of the plant’s control sys-
tems. These contribute to safety in various ways:
12. Control schemes. Effective control schemes
and strategies mean that processes are nor-
mally under control. Thus the active protec-
tion systems are only called upon to function
in the event of an incident such as a failure of
the control system or a mistake in operation.
Maintaining control at the inner layer, and not
exercising the middle and outer layers unnec-
essarily, represents an enhancement in safety.
13. Integrated alarm environment. Supported as
standard by all modern control systems, DCS
or otherwise, integrated alarm environments
make a major contribution to the safe opera-
tion of process plants. These are discussed in
detail in Chapter 43.
14. Application diagnostics. These are sequences
which monitor complex situations and, de-
pending upon circumstances, initiate either
some recovery option or an emergency shut-
down.
15. Recovery options. These are normally associ-
ated with complex batch processes. They are,
in effect, sequences that are activated under
prescribed circumstances which are designed
to retrieve abnormal process situations and
return the plant into a safe hold state.
55.5 The HSE Guidelines
Traditionally, all active protection systems of an
electrical nature were comprised of distinct ele-
ments such as sensors, switches, relays and actu-
ators using analogue and/or discrete signals. In
particular they were characterised as being hard-
wired. The advent of microprocessor based devices
and systems led to pressure to permit software
based protection systems. To address the vacuum
in standards and codes of practice, the HSE Guide-
lines (1987) on the use of programmable electronic
systems (PES) in safety related applications were
produced.

What the Guidelines said, in essence, was that
under certain circumstances, and subject to vari-
ous important constraints,it is acceptable for active
safety functions to be realised by means of software
based systems such as PLCs instead of hard-wired
systems. The criterion used was to provide levels of
protection that were at least as good as what would
be provided by conventional hard-wired systems.
In that sense, the Guidelines were both construc-
tive and forward looking and were a landmark in
plant protection.
The Guidelines were largely qualitative, their
emphasis being on the approach to the provision
of protection and on sound engineering practice.
Although they were prescriptive with regard to
methodology,focussing on the design process,they
nevertheless provided a good degree of flexibility
with regard to implementation.
The fundamental question to be asked was
whether a protection system fell within the scope of
the Guidelines or not.Any active protection system
that was hard-wired, using conventional analogue
and/or discrete elements, and was separate from
the control systems, fell outside the scope of the
Guidelines. Many companies had, and still have, a
policy that active protection is only ever provided
by such hard-wired systems.
An important precedent was set by the guide-
lines in relation to the use of software in instru-
mentation. If any part of a protection system was
user programmable,by configuration or otherwise,
then the HSE Guidelines applied. Thus, for exam-
ple, most single loop controllers and any PLC fell
Table 55.1 EEMUA vs IEC 61508/61511 categories of protection
Figure 55.1 EEMUA EEMUA
layers category consequences
Passive 0 Risk to life and limb
Active 1 Risk to life and limb
2 Damage to plant
Lost production
Control 3 Off spec product, loss of efficiency, etc.
55.6 The EEMUA Guidelines 429
within the scope of the Guidelines. However, if the
electronics were embedded within a device such
that, to all practical intents and purposes, the soft-
ware was inaccessible to the user, then the device
was not covered by the Guidelines. An example of
this is the intelligent dp cell in which the embedded
ROM based software is treated as if it was hardware.
The status of the Guidelines was slightly am-
biguous. They were neither a formal standard nor
a code of practice. They may as well have been
though given that they were published by the HSE,
the regulatory body, and represented what it con-
sidered to be good practice.
55.6 The EEMUA Guidelines
The HSE Guidelines were generic in that they were
applicable to all sectors of industry. Second tier
guidance specific to the process industry was de-
veloped and published by EEMUA (1989). It should
be noted that the principles defined were not pecu-
liar to PES, they were just as valid for all classes of
protection systems. The concept of layers of safety
is the basis of the EEMUA Guidelines, as depicted
in Table 55.1.
The distinction between the different cate-
gories is essentially on the basis of the conse-
quences of failure.
Category 0 systems are the passive devices re-
ferred to in Section 55.2 above. Failure of a Cate-
gory 0 system results in risk to life and limb.
EEMUA Comment IEC 61508
divisions
ERRF
ESD, HIPS
2 (a) PSD, HIPS SRS (SIS)
2 (b) PSD
DCS, SCADA BPCS
 430 55 Layers of Safety
Category 1 systems are instrument based sys-
tems equivalent to the passive devices of Cate-
gory 0. These systems are only required when Cat-
egory 0 protection cannot meet the safety require-
ments, such as when dynamics are involved. For
example, it is better to anticipate shut-down of
an exothermic reaction by monitoring the rate of
change of temperature than waiting to vent the re-
actor by means of a pressure relief valve. Category
1 systems are also referred to as emergency shut-
down (ESD) systems.
Category 1 protection is best applied on a per
potential hazard basis, such as over heating of a
reactor, over-pressure of a vessel or over-speed of
a compressor. Keeping protection systems entirely
separate from each other, as well as from the con-
trol systems, has the advantage of simplifying sys-
tem design and facilitates the use of FMEA and
FTA.It also minimises the scope for common mode
failure. Category 1 protection systems should react
by removing the primary cause such as heat or
power. ESDs of this type represent a “narrow” view
of the plant: secondary effects are ignored.
Category 1 protection systems must have a
lower probability of failure to meet a demand than
Category 2 or 3 systems.This lower PFD is obtained
by using special purpose equipment, described in
Chapter 57, and regular manual verification (proof
testing), both of which make Category 1 systems
expensive to purchase and operate. For this rea-
son, instances of Category 1 protection should be
kept to a minimum.
Category 2 systems are also referred to as pro-
cess shut-down (PSD) systems.If an abnormal situ-
ation occurs which the control system cannot han-
dle, the PSD shuts down the plant area automati-
cally, i.e. without operator intervention. It may also
shut down associated plant in other areas to affect
an orderly shut-down rather than shut-down by the
domino effect. This minimises the risk of damage
to plant and simplifies subsequent start-up. PSDs
represent a “plant-wide” view of protection. The
worst case scenario for failure by a PSD is of a fi-
nancial nature through damage to plant and/or lost
production. Failure of a PSD results in a demand
on the Category 1 systems or Category 0 devices.
In many processes there will be protection sys-
tems which are critical from a production point of
view but, not being responsible for life and limb
protection, are Category 2. For such systems the
end-user may wish to provide protection using
the same technologies and procedures as for Cate-
gory 1. These applications are sometimes referred
to as Category 2(a) and the remainder as Cate-
gory 2(b), the split being application dependant.
When the same technology is employed,some end-
users lump Categories 1 and 2(a) together and re-
fer to them as high integrity protection systems
(HIPS).
Category 3 systems are typically DCS, SCADA
or PLC systems used for maintaining the plant
under normal operating conditions, for handling
many abnormal conditions, and for supporting an
integrated alarm environment. The worst case sce-
nario for failure of a basic process control system
(BPCS) is of a process nature such as off-spec prod-
uct, loss of efficiency, etc. Failure of a BPCS results
in a demand on a Category 2 system.
Whilst Category 2 and 3 systems are not man-
datory, if they are used then care must be taken
in giving them credit for any reduction in demand
on the Category 0/1 devices and/or systems. Such
credit could lead to an expensive and time con-
suming third party validation of the Category 2/3
systems,plus additional in-service costs associated
with maintenance and modification to ensure that
the validation is not compromised.
In the context of the IEC 61508 and 61511 stan-
dards, Category 0 systems are equivalent to the so-
called external risk reduction facilities (ERRF) and
Category 1 and 2 systems are equivalent to safety
related systems (SRS). The EEMUA hierarchy of
categories is consistent with the safety layer model
of the ISA S84 standard in which Category 1 and
2 systems are referred to as safety instrumented
systems (SIS).
Also,the EEMUA layers fit well with API RP 14C
(1998) which requires that there should be two lev-
els of protection “independent of and in addition
to the control devices used in normal process op-
eration”.

55.7 Comments
The HSE and EEMUA Guidelines have been super-
seded by the IEC 61508 standard. It is nevertheless
important to understand them because:
1. Much of the thinking behind the HSE and
EEMUA Guidelines underpins the concepts and
terminology of IEC 61508.
2. There is a large installed base of protection sys-
tems that have been designed, implemented,
validated and documented on the HSE and/or
EEMUA basis which will be in use for decades
to come.
IEC 61508 is a generic standard in that it applies
to all aspects of safety for all sectors of industry.
As such it is extensive: there are seven sections of
which Parts 1 to 3 are normative (mandatory) and
Parts 4 to 7 are advisory. Second tier guidance is
55.7 Comments 431
provided on a sector basis.That for the process sec-
tor, IEC 61511, specifically concerns instrumenta-
tion aspects of safety systems for the process in-
dustries. It is in three parts of which Part1 is nor-
mative. Second tier guidance for the nuclear sector
is IEC 61513.
In the US the standard which is equivalent to
IEC 61511 is ISA S84 which is itself complemented
by ISA TR84.
A fundamental difference between the HSE and
EEMUA Guidelines and the IEC/ISA standards is
that targets have been set in the latter for the PFD
of the various grades of protection system. These
targets, known as safety integrity levels (SIL), are
quantitative and represent a major step forward in
system design. In effect, for the first time, accept-
able levels of unreliability have been articulated on
an authoritative basis. SILs are discussed in detail
in Chapter 56.