Fig. 1: Risk reduction layers

An Independent Protection Layer (IPL) is a safeguard that works independently of other safeguards such as relief valves, the BPCS, interlocks, alarms, etc. With an independent protection layer in place, the plant operator gets adequate time to respond and prevent a hazardous event from occurring. However, it is not good practice to rely on operator or human intervention to achieve a safety protection layer, as humans are not reliable enough during moments of stress and can make systematic failures. It is more advisable to use operator action only as a secondary means of shutdown. Furthermore, any IPL must be totally independent so as to exclude common cause and common design problems.

The effectiveness of an IPL is described in terms of the probability that it will fail to perform its required function when called upon to do so (on demand), so that the scenario continues towards its hazardous consequences despite the presence of the IPL. This is called the Probability of Failure on Demand (PFD).

Layers of Protection Analysis (LOPA)

Layers of Protection Analysis (LOPA) is a simplified form of risk assessment. LOPA typically uses order-of-magnitude categories for initiating event frequency, consequence severity, and the likelihood of failure of independent protection layers (IPLs) to approximate the risk of a scenario. LOPA is limited to evaluating a single cause-consequence pair as a scenario. In LOPA, the initiating events are always described in terms of frequency.

The LOPA method quantifies risk and therefore reduces subjectivity. It is mostly performed after HAZOP and focuses on selected high-risk issues. LOPA helps to choose among alternative safeguards to get the most economically justifiable safeguard. The LOPA analysis includes hazard scenarios described by causes and consequences.
All IPLs are analyzed for their effectiveness, and the combined effect is compared against the tolerable risk to decide whether additional risk reduction is required. To execute a proper LOPA, experienced facilitators, an experienced LOPA team and updated, relevant plant documents
are required. Any irrelevant assumptions, unrealistic hazard event frequencies or misjudgments may lead to wrong risk levels, as LOPA is a tool which deals with numbers.

Safety Instrumented System (SIS)

A SIS is a system comprising sensors, logic solvers and final control elements (actuators) for the purpose of taking a process to a safe state when predetermined set points are exceeded or safe operating conditions are violated. It is mandatory that any protection system (including a SIS) be kept functionally separate from the Basic Process Control System (BPCS), in terms of its ability to operate independently of the state of the BPCS. However, these two systems need some integration at certain levels to achieve effective plant control and monitoring. The classical shutdown system is gradually being replaced by safety-certified protection systems owing to stringent safety regulations and insurance requirements.

Safety Instrumented Function (SIF)

A Safety Instrumented Function (SIF) consists of sensors (e.g. transmitters), final control elements (e.g. valves) and a logic solver running the safety algorithm. The purpose of the SIF is to increase process safety or reduce risk. SIFs are usually implemented in a safety instrumented system (SIS). Each SIF is designed to meet a specific Safety Integrity Level (SIL), which is the level of reliability it must achieve.

A SIF with SIL-1 must perform at least nine times out of 10, which provides a risk reduction factor (RRF) of 10 and a Probability of Failure on Demand (PFD) of 0.1. A SIL-2 SIF must perform at least 99 times out of 100, giving an RRF of 100 and a PFD of 0.01.
Meanwhile, a SIL-3 SIF must perform at least 999 times out of 1000, giving an RRF of 1000 and a PFD of 0.001.

The SIL rating of a SIF depends on various factors such as the reliability analysis of all loop components, demand frequency, proof test interval, diagnostic coverage, human factors, etc. A SIF protects against a single hazard, usually on demand, whereas a SIS implements one or more SIFs, often with multiple connections between one initiator and several final elements, or one final element and several initiators. Some SIFs mitigate the consequences after the event, like the Fire and Gas system, which reduces escalation.

The design of a SIF is initially based on achieving the required safety integrity level (SIL). In addition, the SIF design must also consider the acceptable level of spurious (or nuisance) trips, i.e. the likelihood that the safety function will activate unnecessarily. Nuisance trips are not yet completely controlled by any method of SIF design; methods are available to predict the expected frequency of nuisance trips, such as the mean time to failure spurious (MTTFS), but not to determine an acceptable level for any particular SIF. A practical approach is that the safety function should not cause more nuisance trips than true trips.

Probability of Failure on Demand (PFD) and Risk Reduction Factor (RRF)

The probability of failure on demand (PFD) is the chance that a specific safeguard will not perform its intended function when required, for example, failure of a shutdown valve to close when an abnormal process hazard arises. If that valve fails to close on one demand out of 100, then the PFD value is 0.01. Devices with smaller PFD values reduce risk more than devices with higher PFD values. The probability of failure on demand depends on the frequency of testing and repair.
The proof test coverage is also a very important factor in maintaining SIL loop performance compliance. A device which is not proof tested gets a larger PFD value as time increases, since failures remain uncorrected.

Using the maximum failure probability is a safe and conservative method in SIL evaluation, but a more realistic method is to use the average probability of failure (PFDavg) over the entire test interval. The demand for a safeguard to operate can happen at any time during the test interval with equal probability.

Two fundamentally different ways to calculate PFDavg are:

1. The unreliability approach, in which an unreliability function is calculated as a function of time for a specific mission time, usually equal to a proof test interval. The average of this function is taken over the entire mission time: PFDavg is the average value of the unreliability function plotted over the testing period.

2. In the other approach, PFDavg is considered as the steady-state unavailability. The identical approximation in both cases shows that either method, averaged unreliability or averaged unavailability, may be used to calculate PFDavg.

The integrity of a SIF is sometimes expressed as the Risk Reduction Factor (RRF).

October - December 2012
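The following is an added worked example, not code from the article: it carries the LOPA gap calculation for one cause-consequence pair through to a required SIL using the SIL/RRF/PFD bands stated above, and then computes PFDavg for a candidate SIF by both methods the text describes. It assumes a single channel with a constant dangerous undetected failure rate lambda_DU (so the unreliability function is 1 - exp(-lambda_DU*t)), which the article does not spell out; all frequencies, PFD credits and failure rates are constructed values.

```python
import math

def sil_for_rrf(rrf):
    """Map an RRF to the SIL bands in the text: SIL 1 = RRF 10 (PFD 0.1),
    SIL 2 = RRF 100 (PFD 0.01), SIL 3 = RRF 1000 (PFD 0.001); 0 = below SIL 1."""
    if rrf < 10:
        return 0
    if rrf < 100:
        return 1
    if rrf < 1000:
        return 2
    return 3

def lopa_gap(initiating_freq, ipl_pfds, tolerable_freq):
    """Order-of-magnitude LOPA for one cause-consequence pair: mitigated frequency =
    initiating event frequency x PFD of every IPL. Returns (mitigated frequency,
    extra RRF a new safeguard must supply to reach the tolerable frequency)."""
    mitigated = initiating_freq
    for pfd in ipl_pfds:
        mitigated *= pfd
    return mitigated, max(1.0, mitigated / tolerable_freq)

def pfd_avg_unreliability(lam_du, proof_test_h):
    """Method 1: mean of the unreliability function 1 - exp(-lambda*t) over the
    proof test interval T, i.e. (1/T) * integral from 0 to T, in closed form."""
    x = lam_du * proof_test_h
    return 1.0 - (1.0 - math.exp(-x)) / x

def pfd_avg_unavailability(lam_du, proof_test_h):
    """Method 2: steady-state unavailability of one channel whose dangerous
    undetected failures are only revealed at proof test: lambda_DU * T / 2."""
    return lam_du * proof_test_h / 2.0

def verify_sif(initiating_freq, ipl_pfds, tolerable_freq, lam_du, proof_test_h):
    """LOPA gap -> required SIL, then check the candidate SIF's PFDavg against it."""
    _, required_rrf = lopa_gap(initiating_freq, ipl_pfds, tolerable_freq)
    pfd_avg = pfd_avg_unreliability(lam_du, proof_test_h)
    required_sil = sil_for_rrf(required_rrf)
    achieved_sil = sil_for_rrf(1.0 / pfd_avg)
    return {"required_rrf": required_rrf, "required_sil": required_sil,
            "pfd_avg": pfd_avg, "achieved_sil": achieved_sil,
            "meets_target": achieved_sil >= required_sil}

if __name__ == "__main__":
    # Constructed scenario: BPCS loop failure once a year; existing IPLs are an alarm
    # with operator response (credited PFD 0.1, reflecting the text's caution about
    # human layers) and a relief valve (PFD 0.01); tolerable frequency 5e-6 per year.
    # Candidate SIF: lambda_DU = 2e-6 per hour, proof tested annually (8760 h).
    print(verify_sif(1.0, [0.1, 0.01], 5e-6, 2e-6, 8760))
    print(pfd_avg_unreliability(2e-6, 8760), pfd_avg_unavailability(2e-6, 8760))
```

With these constructed inputs LOPA demands an RRF of 200 (SIL 2), and the candidate SIF achieves PFDavg of about 0.0087 (RRF about 115), so it just meets SIL 2; the two PFDavg methods differ by well under one percent because lambda_DU*T is small.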