This document summarizes a presentation about addressing enabling events and conditions in layers of protection analysis (LOPA). It argues that while LOPA traditionally only considers initiating events and protection layers, other factors like enabling events, management systems, time-at-risk, incident outcomes, and release conditions also influence risk. Including these factors produces more accurate risk estimates than excluding them, and the effort involved is reasonable. The document then provides examples of different types of enabling factors and how they may increase or decrease risk depending on their probability of occurrence.
ADDRESSING ENABLERS IN LAYERS OF PROTECTION ANALYSIS
Dr. Paul Baybutt, Primatech Inc., 50 Northwoods Blvd., Columbus, Ohio, USA, paulb@primatech.com
Prepared for Presentation at American Institute of Chemical Engineers 2013 Spring Meeting, 9th Global Congress on Process Safety, San Antonio, Texas, April 28 - May 1, 2013
UNPUBLISHED
AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications
GCPS 2013
Keywords: Layers of protection analysis; enabling events and conditions; time-at-risk factors; conditional modifiers; givens.
Abstract
Layers of protection analysis (LOPA) is used to evaluate the risk of individual hazard scenarios by combining initiating event frequencies with failure probabilities of protection layers. Some practitioners include events and conditions that enable the occurrence of hazard scenarios in the analysis, such as conditional modifiers, but sometimes they are excluded to ensure conservative results. However, these events and conditions, and other factors that enable scenarios, are often key parts of hazard scenarios and their exclusion from the analysis can result in overly conservative results. This paper broadens the definition of enabling events and conditions to include other factors that can have a significant impact on the risk of hazard scenarios. Such other factors include management systems to account for inadequacies in, and failure to follow, policies, procedures and work instructions; at-risk factors to account for the time period in which a process is at risk; incident outcomes to represent different possible consequences for the same initiating event; and release conditions to account for different release conditions or circumstances. Their inclusion in LOPA studies is described with examples. The determination of adjustment factors to account for their effect on scenario risk is also demonstrated.
1. Introduction
Layers of Protection Analysis (LOPA) is an analytical technique used to assess the risk of hazard scenarios for processes wherein scenario risk is defined as the couplet of frequency and severity for the scenario consequence [1, 2]. Frequency and severity can be evaluated qualitatively or quantitatively but most commonly qualitative severity and quantitative frequency estimates are used in LOPA. Scenario frequency is calculated using simplifying approximations and is determined by multiplying the frequency of the initiating event by the failure probabilities of protection layers that have met appropriate qualification criteria, including independence from other elements of the scenario [1, 2].
Hazard scenarios for processes begin with an initiating event and end with a consequence impact. The path from initiating event to worst-case consequence involves the failure of any protection layers that guard against the scenario. However, there may be other scenario elements that influence the scenario risk including enabling events and conditions, time-at-risk factors, intermediate events, incident outcomes, conditional modifiers, and given conditions. Many of these scenario elements act to reduce scenario risk because their likelihoods of occurrence are factored into the analysis through multiplication of the scenario frequency by the likelihoods which may be quite low. In some cases, scenario consequences are also impacted and risk may be increased or decreased. This article describes the role of such elements in risk analysis and describes how to address them in LOPA.
Conventionally, LOPA studies determine the risk of a hazard scenario by accounting primarily for the initiating event and protection layers. Often, only a few of the enablers and other adjustment factors described in this article are addressed. However, the events represented by these enablers and adjustment factors commonly are key parts of hazard scenarios and their exclusion from the analysis can result in overly conservative results. Enabling events and conditions are important not only because they influence the risk of hazard scenarios but also because they make scenarios possible.
LOPA was originally conceived as a simple risk analysis method that at best produces an order of magnitude estimate of scenario risk. However, it is now being used to support the determination of Safety Integrity Levels (SILs) for Safety Instrumented Functions (SIFs) to assist compliance with the IEC 61511 / ISA 84 standard on Safety Instrumented Systems (SISs) [3 - 5]. The standard requires substantial effort to support the SILs claimed for SIFs. Consequently, refinement of LOPA to support such effort is warranted. Furthermore, LOPA has evolved from its original form and current applications seek greater rigor and incorporate more detail [6].
Historically, some LOPA practitioners have not addressed enablers and adjustment factors in the belief that the uncertainties associated with them are too great and risk may be underestimated by their inclusion, and because of the effort involved. However, they are key parts of hazard scenarios and are often part of actual incidents. Their inclusion in LOPA studies arguably produces more accurate risk estimates and conservative assumptions can be made to help avoid risk underestimation. Furthermore, the effort to include them is not substantial in comparison to the overall effort required to perform LOPA.
2. Enablers
Enabling events and conditions have been defined as events and conditions that do not directly cause a scenario but are required to be present or active for the scenario to proceed [1]. A bypassed high level alarm that allows overflow of a tank is an example. This article extends that definition to include any scenario elements, in addition to the initiating event and actions of protection layers, that influence the risk of a hazard scenario, and the term enablers is used to encompass them all. The original definition of enabling events and conditions included modes of process operation such as startup and shutdown or the operation being in a specific phase or step [1]. These are best treated using time-at-risk factors.
Conventionally, enabling events and conditions usually have been viewed as acting to reduce the frequency of a hazard scenario, or modify its consequences. They do so because their probability of occurrence is usually less than 1 and the scenario frequency is reduced accordingly to account for their role in enabling the scenario. Conservative analyses assume their probability of occurrence is 1. In practice, their probabilities of occurrence may be substantially less than 1 and they may reduce scenario risk significantly.
The broader definition of enablers includes elements that can increase the frequency, for example, lack of preventive maintenance (PM) on equipment that increases its failure rate. Enablers may be categorized as:
- Enabling events and conditions. Must be present or active for the scenario to proceed.
- Management systems. Account for inadequacies in, and failure to follow, policies, procedures and work instructions.
- At-risk factors. Account for the time period in which a process is at risk.
- Incident outcomes. Used to represent different possible consequences for the same initiating event.
- Release conditions. Used to account for different release conditions or circumstances.
- Conditional modifiers. Affect the scenario consequence.
- Given conditions (also called givens). Enable a scenario but are always present.
3. Enabling Events and Conditions
Enabling events and conditions do not by themselves initiate a hazard scenario but they make them possible. An enabling event may occur or an enabling condition may exist without the scenario happening every time the event occurs or the condition is present. They are sometimes called contributing causes or contributing factors and they may make possible any other element of a hazard scenario, e.g. the initiating event, a protection layer failure, or the consequence. There may be multiple enabling events or conditions for each of the other elements of a scenario and enabling events and conditions for more than one element.
Enabling events and conditions can be classified as originating with:
- Human actions (errors of omission or commission, extraneous events, and deliberate acts), for example, disabling equipment, e.g. bypassing an interlock, or overriding an inhibit condition.
- Equipment failures, for example, an alarm failure.
- External events, for example, extreme ambient conditions, e.g. low temperature; or utility failures, e.g. loss of inerting.
Enabling events usually occur prior to the initiating event, e.g. a failed or disabled alarm. They are sometimes called latent failures. Enabling conditions exist at the time the scenario occurs, e.g. low environmental temperature. They are sometimes called latent conditions.
Enabling events and conditions are addressed in LOPA by assigning a value to the probability that the event or condition will exist when the scenario occurs and multiplying the scenario frequency by it. The values are obtained by estimating the likelihood that the event or condition will have occurred or be present when the scenario occurs. Such estimates should be based on actual experience with the process as they are specific to the process and no generalized values can be provided.
Of course, in order to address enabling events and conditions they must be identified. Arguably, that should be done as part of the performance of Process Hazard Analysis (PHA) which is the most commonly used source of hazard scenarios for LOPA studies. However, enabling events and conditions are identified infrequently in PHA [7]. Consequently, LOPA teams need to question whether enabling events and conditions may be factors for the scenarios analyzed.
4. Management systems
Management system enablers are failures in the systems set up to manage safety throughout the lifecycle of a process. For example, they may be inadequate procedures, e.g. test and inspection frequencies may be set too low; no or inadequate training of personnel; inadequate skills or knowledge of personnel; failures in the execution of procedures, e.g. PM is not conducted per requirements; and mis-operation of equipment, e.g. stressing a pump by using it outside its operating limits. Fundamentally, management system enablers are failures by people. When present, they are givens for scenarios.
Management system enablers directly influence the failure rates used in LOPA studies for other scenario elements. They may increase initiating event frequencies or probabilities of failure of protection layers and they are addressed in LOPA by assigning a value by which a failure rate must be adjusted, usually in an upwards direction, so that the values are numbers greater than 1. For example, the initiating event frequency for a pump mechanical failure may be adjusted upwards to account for mis-operation of the pump outside its limits, assuming the pump failure frequency used does not already reflect the mis-operation. Similarly, the probability of failure on demand of a relief valve may be adjusted upwards to account for lack of PM on the valve, assuming the valve failure frequency used does not already reflect operation without adequate PM. The effects of operating and maintenance regimes play a similar role and they can be considered within the category of management system enablers.
The adjustment factors can be used to modify the failure data directly, or they can be identified explicitly as modification factors and folded into the overall calculation of the scenario frequency. Such adjustment factors should be based on experience with the process or the opinions of informed personnel.
In accounting for management system enablers, it is important to ensure that their effects have not already been incorporated into the frequency or probability of the event it enables. For example, if a pipe leak failure frequency includes the effects of lack of PM, or if the probability of failure of a human protection layer already addresses the skill level of the people involved, adjustment factors should not be applied as they are already incorporated into the data. However, while tabulations of human failure data may reflect various influencing factors, such as stress on people and the time available for action, usually not all pertinent factors are addressed in the tabulations. Consequently, such unaccounted factors should be considered as management system enablers if they are to be addressed in LOPA.
The same comments apply to management system enablers as for enabling events and conditions with regard to their identification.
One danger in using management system enablers is that it could institutionalize deviations from required practices by allowing some risk reduction credit to be taken even when practices are not followed exactly. Some companies may take the view that if there is a deviation from the requirements of a management system, no credit should be taken at all until the deviation is corrected. Clearly, this is a conservative position but it may have unintended consequences. If LOPA team members are required to follow this approach, they may be unwilling to admit that management systems are not being followed, or they may claim that while there have been deviations in the past there will not be any in the future. If these claims are accepted, the LOPA results may be overly optimistic and underestimate risk. The preferred approach is to allow some justifiable credit to be taken but ensure a recommendation is made to correct the deviation promptly, or revise the requirements to comport with actual practices. Deviations from required practices that are tolerated are likely to result in more serious consequences than creating difficulties in the performance of LOPA.
5. Time-At-Risk Factors (TARFs)
Some hazard scenarios can occur only when the process is in a particular state or certain conditions exist, e.g. the process is in a particular mode, phase or step. Scenario frequencies are usually expressed on an annualized basis to match risk tolerance criteria expressed in the same form. Consequently, scenario frequencies should be adjusted for time at risk, i.e. the fraction of time the risk is present. Receptors are at risk for only this time period. If such adjustments are not made, risk may be grossly overestimated. For example, a tank that is filled 20 times per year is subject to hazard scenarios that may result in overfilling. If the cause of overfilling is failure of a basic process control system (BPCS) level control loop with an in-service failure rate of 0.1 failures per year and each filling takes 1 hour:
Filling failures per year = Failures per year in service x Fillings per year x Time spent per filling (as a fraction of a year)
Filling failures per year = 0.1 x 20 x (1 / 8760) = 2.3 x 10^-4
Thus, the initiating event frequency has been reduced by almost three orders of magnitude (a factor of about 440), a risk reduction that definitely should be applied. Further examples of TARFs for processes are the fraction of time:
- A piece of intermittently used equipment is in operation.
- A continuous process is in startup or some other mode of operation.
- A batch process spends in a particular step.
- A runaway reaction is possible in a batch process.
- People are at risk owing to time-of-day effects, day-of-week effects, or time indoors versus outdoors.
An adjustment is made to the scenario frequency by multiplying it by the fraction of time the scenario can occur. For example, for the initiating event of a pump seal leak, if the available data are for an annualized pump seal leak failure rate:
Scenario frequency (events / year) = Pump seal leak frequency (events / year) x (Hours in use per year / 8760 hours per year)
Of course, at issue is whether the data correspond to a pump that is operated intermittently, with the failure rate annualized, or to a pump that is operated continuously. Equipment in frequent use may fail at different rates than equipment used infrequently. If the data do not match the operating regime, an adjustment factor could be applied to the data, or more appropriate data sought. Note that the adjustment factor can be viewed as representing an enabler for the scenario.
Similarly, for a process that is in a particular mode of operation, e.g. startup, hazard scenarios that can occur during that mode of operation, and for which annualized frequencies have been calculated, need to be adjusted for the time at risk. For example, a process that is in startup mode once per year for 24 hours would require a time-at-risk adjustment of 1/365 for startup hazard scenarios.
Usually, TARFs are not difficult to identify, although the PHA team may not have addressed them, and they are not difficult to estimate since they depend on straightforward and readily available information. In practice, ranges of time-at-risk are usually possible and practitioners must decide if the average or end-of-the-range value should be used. Generally, the conservative choice is made.
6. Intermediate Events
Intermediate event enablers allow LOPA practitioners to account for the probabilities of different hazard scenarios that result from the same initiating event. Some events may be part of a hazard scenario but they are distinct from the initiating event, consequences and protection layers. For example, if water is introduced to a storage tank containing sulfur trioxide, a release through a relief valve may occur, but also a release owing to a corrosion failure of piping may result. These two occurrences are examples of intermediate events. Whenever there is more than one possibility for a particular intermediate event, it can be treated as an enabler representing the probability of occurrence of the specific intermediate event, provided that the events are mutually exclusive. The scenario frequency is multiplied by the probability of the intermediate event to adjust for its likelihood of occurrence. Of course, the probabilities of all such possibilities for a particular intermediate event must sum to 1. It is also entirely possible that both events may occur together, in which case an enabler would not apply.
Vessel rupture from overpressure provides another example of an intermediate event that affects the path of a hazard scenario. The probability of vessel rupture depends on various factors such as the ratio of the actual pressure reached to the design pressure for the vessel, vessel structure, vessel construction and material, vessel maintenance, and the process materials. More than one scenario is possible. In one scenario the vessel fails, presumably with serious consequences; in other scenarios the vessel does not fail but the consequences of the scenarios may still be of concern. Each of the scenarios has its own probability of occurrence and these probabilities can be used to adjust the scenario risk.
Some chemicals may pose multiple hazards, for example, hydrogen sulfide and ammonia are each both toxic and flammable. Usually, each possible hazard is addressed separately and they may be considered to be mutually exclusive in which case they can be assigned probabilities of occurrence and treated as intermediate event enablers. Mixed hazards, where one hazard is realized first followed by another, e.g. a toxic exposure followed by an explosion, usually are not modeled in order to keep matters simple. Care must be taken to avoid double counting with probability of ignition enablers.
Intermediate events are identified as part of the scenario and should have been addressed in PHA. However, it is possible the PHA addressed only one of several possibilities in which case the LOPA team should consider the additional intermediate events. Values of intermediate event probabilities may be difficult to estimate. In such cases, they may be assumed equal to 1 in order to be conservative. In some cases, consequence severities may vary with the intermediate events.
7. Incident Outcomes
Sometimes the outcomes of hazard scenarios vary. Each scenario outcome should be modeled individually and its frequency adjusted by the probability of the outcome in a similar way to that for intermediate events. Of course, the probabilities of the outcomes must sum to 1 if they are mutually exclusive. Consequence severities may vary with incident outcomes. Examples of outcomes include fire versus explosion, the type of fire, and the type of explosion.
Often, the relative probabilities of incident outcomes are not known, in which case no credit can be taken for this type of enabler. However, there may be cases in which justification can be provided for a significant difference in the probabilities of outcomes, for example, a fire that may occur with a 0.9 probability and an explosion with a 0.1 probability. In such cases, risk reduction by a factor of 10 for the explosion scenario is worth considering. Some outcomes may have a sufficiently low probability of occurrence that they can be excluded from the analysis as non- credible scenarios.
Sometimes, analysts may choose a worst-case for study. However, worst-case scenarios may vary according to the receptors at risk, for example, for employees in the immediate area of a release it may be a jet fire while for employees further away it may be a flash fire. Consequently, care must be taken when using a worst-case consequence approach.
PHA may address only one incident outcome. Other possible outcomes should be addressed by the LOPA team to ensure a full consideration of risk.
8. Release Conditions
The consequences of hazard scenarios may vary according to conditions and circumstances at the time of release. Sometimes these are referred to as incident outcome cases. Each such scenario may be modeled individually and its frequency adjusted by the probability of the release conditions for the scenario. Release characteristics such as hole size, location, elevation, orientation, duration, and delayed ignition may influence the scenario that occurs. Weather conditions such as wind direction, wind speed, air temperature, atmospheric stability class, and precipitation may also play an important role. To the extent that such release conditions are important, they may be accounted for in a LOPA study by adjusting the scenario risks by their probabilities of occurrence. In some cases, they may change the consequence that is possible.
Release characteristics may be difficult to determine and only a worst-case scenario may be addressed. Weather conditions are easier to address because historical data are usually available but a worst-case scenario may also be considered in lieu of analyzing variants. However, there may be certain weather conditions, such as wind direction, that have a significant impact on the scenarios possible. For example, the prevailing wind may blow towards a potential ignition source for a flammable release only 10% of the time which means that the frequency of the scenario could be reduced by a factor of 10 if credit were taken for wind direction as an enabler. It may make the difference between an explosion consequence and one in which the flammable material disperses harmlessly.
9. Conditional Modifiers
Conditional modifiers directly impact the scenario consequence. Common conditional modifiers are:
- P_ignition: probability that a flammable / explosive material will be ignited.
- P_present: probability that a person will be present to be exposed to a hazard. It is sometimes called the occupancy factor and represents the fraction of time personnel are exposed to the hazard.
- P_injury: probability that harm will occur if an individual is exposed. It is sometimes called the vulnerability.
These probabilities are used to reduce the frequency of the scenario in which harm occurs. For example, if a pump seal fire can occur during operator rounds but the operator is in the vicinity of the pump for only 30 minutes during a 12 hour shift, the frequency of the scenario in which an operator is exposed to fire should be multiplied by 0.5/12 = 0.042, assuming there are two shifts.
There can be some pitfalls with conditional modifiers [1]. During some modes of operation, such as startup, operators may always be present, i.e. P_present = 1. During the build-up to a hazardous event, more people may be present investigating the symptoms, i.e. it is likely that P_present = 1 when a release occurs. Human presence may be correlated with the cause of a hazardous event, i.e. it is possible that P_present = 1 if the person contributes to the initiating event, for example, for a release caused by the operator opening a drain valve. The initiating event, P_ignition and P_present may be linked. For example, the actions of the person who is present may be the ignition source, e.g. a crane operator may drop a load on the process causing a flammable release and providing an ignition source through metal-on-metal sparking (or from the crane engine). In this case, P_ignition = 1 and P_present = 1.
Various factors influence the values of conditional modifiers (Table 1). Values for various situations are available in the literature [1] but they must be used with care as they may not apply to the situation at hand. Conditional modifiers can be controlled in various ways (Table 2).
Other possible conditional modifiers include probability of sheltering, probability of escape, and probability of evacuation, although these may be incorporated into the evaluation of P_injury. For conservatism, many practitioners take no credit for emergency response actions unless special circumstances warrant, e.g. special provisions are made for sheltering in particularly hazardous situations and a non-zero probability of effective sheltering can be justified.
Usually, PHA teams assume the worst case for conditional modifiers for conservatism and effectively they are not identified explicitly in PHA worksheets. LOPA teams must decide if they should be addressed explicitly.
10. Given Conditions
Some apparent enablers are actually fixed aspects for a scenario. Management system enablers are an example. In contrast, other enablers may or may not be present, i.e. they are variable in nature. Given conditions are always part of the scenario and influence it. For example, a boiler house that acts as an ignition source for a release is a given condition but hot work in the process is an enabler for a fire scenario. The former is fixed and always present, unless the probability of the boiler being in a lit condition is to be addressed, while the latter is variable as hot work is not usually conducted on a continuous basis. Other examples of given conditions include the omission of safety features from the process design and locations of stationary equipment. Many given conditions do not adjust the frequency of scenarios. Rather, they make scenarios possible by their presence.
Given conditions are part of the scenario definition although they may be assumptions in PHA. The LOPA team may need to clarify the assumptions.
11. Values and Use of Enabler Multipliers
As for other failure data used in LOPA, the values used to incorporate the effect of enablers on scenario risk for processes should reflect actual experience with the processes. Judgment may also be needed as often data are sparse, but the values used should be justified with process data or expert opinion.
Typically, only enablers that may impact the scenario risk by more than an order of magnitude are included in the analysis, e.g. if a disabled alarm that allows a scenario to occur is in a disabled state 10% or less of the time so that it reduces scenario likelihood by a factor of 10 or more, or if lack of PM on a vessel increases the likelihood of a corrosion failure by a factor of 10 or more. In some cases, enablers that together produce an order of magnitude risk reduction may be credited but care must be exercised as the credits taken may produce a non-conservative result owing to possible dependencies between enablers.
For enablers that represent two or more alternative scenario paths, if one path has a probability of occurrence of 0.5 or above, the enabler multiplier may be assumed to be 1 for convenience and conservatism. Generally, such multipliers are used when the effect on the scenario risk is substantial, i.e. when their probabilities are 0.1 or less.
Various enablers may combine together to reduce the risk of a hazard scenario substantially. However, multipliers for the enablers described in this article should not be used arbitrarily to meet risk tolerance criteria. The temptation to convince oneself that an extra order of magnitude risk reduction is possible by reducing the value of the multiplier for an enabler by a factor of 10, or that an additional enabler that reduces the risk to a tolerable level should be credited, must be resisted unless they can be credibly justified. All data used in LOPA must be justified and should favor conservative values.
Care must be taken not to double count enablers that have already been accounted for through scenario consequences or assumptions made in the performance of PHA or LOPA. Studies may be more susceptible to this issue when LOPA is performed by a different team or when a long time passes between the performance of PHA and LOPA. Also, enablers must not be confused with initiating events and the actions of protection layers, although they may directly impact them.
Often, PHA studies do not identify enablers, leaving the effort to LOPA teams if enablers are to be addressed. As LOPA practices evolve to address enablers, it is likely that PHA teams will begin to identify them. LOPA teams usually engage in more detailed discussions of hazard scenarios than PHA teams. The events that make up scenarios, including enablers, must be clearly defined and understood, and interactions between elements of scenarios must be addressed, if valid results are to be produced. The simple examples contained in this article are provided for illustrative purposes. Many actual hazard scenarios involve multiple events, and event trees can be used to understand the possible combinations for inclusion in LOPA studies.
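As an added illustration (not from the paper), the screening rules above applied in a small LOPA frequency calculation: an enabler is credited only when its probability is 0.1 or less and its value is justified, otherwise its multiplier is conservatively set to 1. The scenario, initiating event frequency, enabler values, IPL PFD and tolerable frequency are all constructed for the example.

```python
from dataclasses import dataclass
from math import prod, log10


@dataclass
class Enabler:
    name: str
    probability: float  # probability (or fraction of time) that the enabling condition exists
    justified: bool     # True only when the value has a documented, credible basis


def enabler_multiplier(e: Enabler) -> float:
    """Screening rules from the text: credit an enabler only when its
    probability is 0.1 or less (an order of magnitude effect) and the value
    is justified; otherwise use the conservative multiplier of 1."""
    if not e.justified or e.probability > 0.1:
        return 1.0
    return e.probability


def scenario_frequency(f_initiating: float, enablers: list, ipl_pfds: list) -> float:
    """Mitigated scenario frequency per year:
    initiating event frequency x enabler multipliers x IPL PFDs."""
    return f_initiating * prod(enabler_multiplier(e) for e in enablers) * prod(ipl_pfds)


def credited(enablers: list) -> list:
    """Names of the enablers that actually reduce the frequency."""
    return [e.name for e in enablers if enabler_multiplier(e) < 1.0]


def enabler_credit_orders(enablers: list) -> float:
    """Orders of magnitude of risk reduction taken from enablers; a team
    should be able to justify every one of them."""
    return -log10(prod(enabler_multiplier(e) for e in enablers))


# Constructed scenario (hypothetical): control loop failure at 0.1/yr,
# three candidate enablers and one IPL (a SIF with PFD 0.01).
IE_FREQUENCY = 0.1
ENABLERS = [
    Enabler("alarm bypassed by operations", 0.05, True),              # <= 0.1, justified: credited
    Enabler("vessel overdue for preventive maintenance", 0.3, True),  # above 0.1: no credit
    Enabler("unit in start-up mode", 0.08, False),                    # not justified: no credit
]
IPL_PFDS = [0.01]
TARGET = 1e-4  # assumed tolerable frequency per year for this consequence


def meets_target(f: float, target: float = TARGET) -> bool:
    return f <= target


if __name__ == "__main__":
    f = scenario_frequency(IE_FREQUENCY, ENABLERS, IPL_PFDS)
    print(f"credited enablers: {credited(ENABLERS)}")
    print(f"enabler credit: {enabler_credit_orders(ENABLERS):.2f} orders of magnitude")
    print(f"mitigated frequency: {f:.2e}/yr, tolerable: {meets_target(f)}")
```

Running it without the enabler list shows the same scenario at 1e-3/yr, i.e. the tolerable result depends entirely on the one credited enabler, which is exactly the credit a reviewer should ask the team to justify.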
12. Conclusions
Events in hazard scenarios, in addition to initiating events and the action of protection layers, can have a marked impact on their risk. Certain enabling events and conditions and some conditional modifiers are sometimes included in studies by LOPA practitioners. This article broadens the definition of enablers to include various other factors that may act and combine to make scenarios possible, including enablers relating to management systems, time at risk, intermediate events, incident outcomes, and release conditions. Factors that account for the effect of these enablers are used to multiply the scenario frequency. In some cases, the scenario consequence may also depend on the enabler. Values for multipliers must be chosen carefully and justified. In cases where data are not available, worst-case assumptions are usually employed.
GCPS 2013

Table 1. Examples of Factors that Influence the Values of Conditional Modifiers

P ignition:
- Initiating event, if it produces or provides a source of ignition
- Physical properties, e.g. flammable and explosive limits; physical state (gas, vapor, liquid)
- Chemical properties, e.g. reactivity
- Layout, e.g. proximity and location of ignition sources
- Environmental factors that impact dispersion, e.g. wind direction

P present:
- Mode of operation
- Initiating event
- Attended / unattended operation
- Need for operator presence in an adjacent area

P injury:
- Type of event, e.g. pool fire versus flash fire
- Duration and magnitude of the exposure
- Escape routes
- Ability to escape: detection of exposure; time to incapacitation; skill / knowledge; physical ability; availability / use of PPE
Table 2. Examples of Control Measures for Conditional Modifiers

P ignition:
- Hazardous area classification
- Ventilation
- Procedures
- Equipment design
- Release containment

P present:
- Barriers
- Access control
- Exclusion areas
- Procedures
- Refuges

P injury:
- Hazardous area entry control
- Release detection and alarms
- Escape plans
- Protective equipment
- Training