Layer of Protection Analysis as a Multifunctional
Team Problem Solving Tool
Edward Cialkowski
Air Products and Chemicals, Inc, Allentown, PA; cialkoej@airproducts.com (for correspondence)
Published online 00 Month 2016 in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.11870
Layer of Protection Analysis (LOPA) has been widely
adopted as a method of organizing and quantifying hazard
rates. Frequently, an initial LOPA may indicate that a risk
target has not been met and that a scenario requires addi-
tional layers of protection. Unlike Fault Tree Analysis, the
inherent simplicity of the LOPA format makes it conducive
for use directly as a problem solving tool in a team environ-
ment to close risk gaps. Teams at Air Products with represen-
tatives from operations, process controls, process design and
process safety, have effectively used the LOPA format in
problem-solving sessions to identify and improve components
of the analysis involving human error, controls architecture,
and inherently safer process designs. This multifunctional
team approach has resulted in broader ownership of the safe-
ty analysis by the full team of stakeholders, and this has ulti-
mately led to more cost effective solutions. The benefits of
multifunctional team review are illustrated with a case study
example. V C 2016 American Institute of Chemical Engineers Process
Saf Prog 000: 000–000, 2016
Keywords: Layer of Protection Analysis review; problem
solving; team
INTRODUCTION
Air Products has greatly expanded the use of Layer of
Protection Analysis (LOPA) [1–3] for process safety risk
assessment and management over the past decade. In transi-
tioning from using primarily Fault Tree Analysis (FTA) [[4]]
to LOPA for frequency quantification, Air Products has
observed both benefits and drawbacks of the LOPA
approach.
Several of the drawbacks [[5]] are widely understood and
workarounds have been developed. For example, dependen-
cy between layers of protection or an initiating event and a
layer of protection is not as obvious to spot with LOPA as it
is with FTA. This is often addressed with appropriate training
and quality assurance reviews. In addition, high demand sce-
narios, or initiating events with high frequency, may not be
modeled in LOPA as correctly (or conservatively) as they
would be in FTA with robust gate calculations. Checking
high demand cases against an FTA or establishing certain
rules for high demand cases in LOPA are strategies that can
be used to manage this.
On the positive side, a LOPA takes less effort to construct
and much less training to understand than an FTA does for
Originally presented at the Global Congress on Process Safety,
AIChE Spring 2016 Meeting, Houston, Texas, April 11–13, 2016
C 2016 American Institute of Chemical Engineers
V events all have the same hazardous consequence. Each
Process Safety Progress (Vol.00, No.00)
the same scope of analysis. One of the benefits of this is that
more risk assessments tend to be documented simply
because the barrier to entry with LOPA is so much lower
than FTA.
One of the most positive benefits Air Products has experi-
enced in transitioning from primarily FTA to primarily LOPA
for risk assessments is the ability to review the frequency
quantification results with a multifunctional team. One does
not need to be a process safety practitioner to understand a
LOPA. Compared to a fault tree structure that often spans
several pages, the LOPA format is simple, often fits on one
page (or screen), and is highly intuitive once the basic rules
of its structure are explained.
This article presents a case study from an actual project in
which LOPA was used to quantify and manage risk. As has
been the case at Air Products for some time now, multifunc-
tional teams review LOPAs developed by safety or systems
engineers. This diverse team review approach may have
started out as a means of assuring accuracy and quality, but
there is increasing evidence that it has other distinct and sub-
stantial benefits as well.
By practicing multifunctional reviews of LOPAs, especially
when initial results indicate that corporate risk criteria are
not being met, Air Products has observed some encouraging
benefits.
Multifunctional reviews of LOPAs have demonstrated the
ability to do the following:
1. Broaden the base of process safety ownership beyond
the process safety function
2. Achieve better solutions for the lowest asset life cycle
cost
The purpose of presenting the detail of the case study
below is to illustrate the above benefits of reviewing LOPAs
with multifunctional teams. The case study is broken into
two sections, with each section followed by a description of
the detailed benefits observed fitting into one of the catego-
ries above.
The general structure of a LOPA is well documented else-
where and is not the subject of this article. However, there is
one clarifying distinction that may help overcome some
potential confusion with the case study that follows. Some
LOPA practitioner guides [1] suggest that each LOPA should
have only one initiating event. At Air Products, the corporate
risk criteria are defined based on a hazardous consequence,
not an initiating event. Therefore, our practice is to include
multiple initiating events in the same LOPA if the initiating
Month 2016 1
Table 1. Summary of tank overpressure items identified during design hazard review.

Cause Consequence Safeguards

Failure to open vapor return valve
during offloading from railcar to
tank.
LT fails low.
N2 pad regulator adjusted too high.
N2 pad regulator fails open.
Operator error during line clearing
with Utility N2
Process feed pump failure and
reverse flow from process unit.
Offload incompatible material from
railcar due to spotting the wrong
railcar for offloading.
Transfer pump deadhead pressure
exceeds tank design pressure.
Potential overpressure of tank.
Operator offloads material from
railcar without sufficient capacity
in the tank. Potential overfill and
overpressure.
Potential to overpressure tank since
N2 pressure upstream of regulator
exceeds tank design pressure.
Potential to overpressure tank since
N2 pressure upstream of regulator
exceeds tank design pressure.
Potential to overpressure tank since
Utility N2 pressure exceeds tank
design pressure.
Potential overfill and overpressure
of tank.
Rapid reaction with residual material
in tank resulting in heat and vapor
generation with potential for tank
overpressure.
Pressure Switch High (PSH) turns off
railcar transfer pump.
PSH closes railcar transfer valve.
Pressure Safety Valve (PSV) adequately
sized for this cause.
Level Switch High (LSH) turns off
railcar transfer pump.
LSH closes railcar transfer valve.
PSV adequately sized for this cause.
PSV adequately sized for this cause.
PSV adequately sized for this cause.
PSV adequately sized for this cause.
LSH closes pump suction and recycle
isolation valves.
PSV adequately sized for this cause.
PSH turns off railcar transfer pump.PSH
closes railcar transfer valve.
PSV adequately sized for this cause.

initiating event corresponds to a single row in the LOPA
table, and each layer of protection corresponds to a single
column in the LOPA table. In each row, the initiating event
frequency is multiplied by the average Probability of Failure
on Demand (PFDavg) for each Independent Protection Layer
(IPL) that applies.
CASE STUDY—RAW MATERIAL STORAGE TANK CONTAINING
HAZARDOUS MATERIAL
A project to build a new chemical process facility includes
a storage tank containing a raw material that is subsequently
fed to a process unit. The liquid raw material has a high
enough vapor pressure to generate a hazardous vapor cloud
upon loss of primary containment. Any deviation that results
in loss of containment has the potential to cause a severe
consequence for which risk criteria have been set. A simpli-
fied flowsheet for the process is shown in Figure 1.
During the project hazard review, using HAZOP method-
ology, the team documents causes, consequences and
safeguards for tank overpressure. The overpressure items
from the hazard review are summarized in Table 1.
Initial LOPA
Note that the consequences for each of the overpressure
events listed above are comparable: tank rupture with loss of
containment and generation of a hazardous vapor cloud.
Since the risk criteria is consequence based, the hazard rates
for each row are summed in the LOPA structure to generate
an overall consequence frequency and then compared to the
risk criteria.
The LOPA, developed after the hazard review, would be
structured by listing the causes of deviation as initiating
events and the safeguards as layers of protection. Marks in
the Table 2 below indicate which layers are effective in pro-
tection against each of the initiating events. Note that actual
values for initiating event frequencies, PFDavg for layers of
protection, and hazard rates are not presented because they
are not essential to the topic of this article.

Table 2. Initial LOPA based on hazard review.

Layers of Protection
Tank High Tank High Tank Relief
Initiating Event Pressure Switch Level Switch Valve
Vapor Return Valve Left Closed X X
LT Fails Low X X
N2 pad regulator adjusted too high X
N2 pad regulator fails open X
Operator error during line clearing with utility N2 X
Process Feed Pump failure and reverse flow X X
Offload incompatible material into tank X X

2 Month 2016 Published on behalf of the AIChE DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
Figure 1. Case study storage system diagram. [Color figure can be viewed at wileyonlinelibrary.com]
When a risk analysis is first developed, such as in
the LOPA depicted above, it is sometimes the case that the
calculated hazard rate exceeds the risk criteria for the
consequence.
What happens next is important.
Sometimes the safety analyst develops a risk assessment,
determines there is a gap between estimated risk and the
risk target (risk gap), and develops a list of design changes
the team must accept. This “over-the-fence” or non-
interactive method of design change has been used for years.
It has been used for a number of reasons, a couple of which
are mentioned below:
 Safety assessments may have been based on a set of eso-
teric rules that related the number of safeguards to the
severity of a consequence in a non-quantitative way. The
safety engineer was the only one who understood (rather,
who needed to understand) these rules and the resulting
effort tended to be conducted exclusively by the safety
engineer. The tediousness and perception of arbitrariness
of this method created a barrier to team participation.
 Safety assessments have been done using quantitative
tools like FTA to generate hazard rates. Although robust
in developing frequency estimates, these tools are not at
all suited to communicating results or requirements to
multifunctional audiences. The format of the analysis cre-
ated a barrier to team participation.
What can often happen with non-interactive design
change by the safety analyst is that the basis for the safety
assessment remains mysterious to the team. If the proposed
design changes increase project cost or add a burden to
operations, those stakeholders have to accept these things
without understanding why they are necessary, except for
the reason that “safety says so.” This can undermine team
effectiveness and create a sense among the stakeholders of
being disengaged from the safety objectives.
Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE
The intuitive structure of a LOPA, conversely, opens up
the possibility of reviewing a safety assessment directly with
the multifunctional stakeholders on the project team. Partici-
pants in the review could include project engineers, opera-
tions representatives, process engineers, controls engineers,
asset managers, and others. The purpose of the review is to
make the entire team responsible for the solution. Everyone
on the team is responsible to help close the risk gap
between the current LOPA result and the risk target.
The narrative of the group problem solving sessions
below illustrate how this may work.
Group Problem Solving, Part 1
There are 3 initiating events for which the relief device is
the only layer of protection. They all involve overpressure
due to a high-pressure nitrogen source. And all 3 cases con-
tribute significantly to exceeding the hazard rate target:
 Adjusting the tank headspace regulator set pressure too
high for the tank
 Spurious fail open case for the tank headspace regulator
 Connecting utility N2 to the pump circuit for line clearing
prior to maintenance
Utility N2 for Line Cleaning
If the line clearing case is done every couple years for
maintenance, then that frequency coupled with the probabil-
ity of human error results in a slightly lower hazard rate than
the other N2 cases. As the team discusses the options for this
case, the process engineer does some quick math and points
out that, due to the large size of the tank, and the hydraulic
limits of the N2 connection, it would take at least 2 minutes
for the utility N2 line clearing flow to cause the tank pressure
to go from the alarm point to a hazardous overpressure con-
dition. The controls engineer responds that 2 minutes is
DOI 10.1002/prs Month 2016 3
Table 3. LOPA following group problem solving, Part 1.
Tank High Pressure
Initiating Event Switch
Vapor Return Valve Left Closed
LT Fails Low
N2 pad regulator adjusted too high
N2 pad regulator fails open
Operator error during line clearing with utility N2
Process Feed Pump failure and reverse flow
Offload incompatible material into tank
enough time for the high pressure switch to respond and
trip the isolation valves on the pump suction and return lines
closed. Therefore, the high pressure switch, which was not
identified as a safeguard for this case by the hazard review
team, and is already in the scope of the design, can be
claimed as a layer of protection.
Having dealt with the line clearing utility N2 case, the
team moves on to consider the two N2 regulator cases for
the tank headspace pad.
N2 Regulator Adjusted Too High
Since the N2 regulator is used to both pressurize the rail-
car high enough to prime the transfer pump and then later
adjusted lower to provide a pad for the tank, the operator
needs to adjust the N2 regulator while referring to the local
pressure indicator (PI) every time the tank is filled, which
could be dozens of times per year. Let us say that this is the
highest hazard rate in the table. It is now easy for the team
to see that this particular operation is the greatest risk to
tank overpressure.
Operations are now engaged. Can something be done
with operating procedures or the operating environment to
reduce the likelihood of human error? What mistake-
proofing strategies could be employed? Are there visual aids
that would help? How about creating procedural steps that
allow for recovery such as checking and verification?
Process is now engaged. Can the process for priming the
transfer pump be changed so the regulator does not need to
be adjusted every time the tank is filled? It would add some
cost, but a second regulator could be added to the scope
that is used exclusively for priming the railcar offloading
transfer pump.
With a little coaching from the safety analyst, the team
recognizes that the separate regulator approach is an exam-
ple of an inherently safe solution – it eliminates this particu-
lar cause of overpressure entirely. It is much more effective
than adding procedural steps to reduce human error proba-
bility. It eliminates the possibility of human error by eliminat-
ing the procedure entirely. The team adopts the separate
regulator design change and removes this line item from the
LOPA.
N2 Regulator Fails Open
The initial LOPA indicates that the combination of regula-
tor failure rate and probability of tank relief protection failing
results in a frequency that exceeds the hazard rate criteria.
As the team is discussing its options, the operations repre-
sentative recognizes a new issue. The random failure rate of
the regulator is shown in the initiating event frequency of
the LOPA table. Although this is a relatively low value, it is
high enough that one may expect it to occur sometime dur-
ing the life of the plant (201 years). The LOPA clearly shows
4 Month 2016 Published on behalf of the AIChE
Layers of Protection
Tank High Tank Relief N2 Regulator
Level Switch Valve Relief Valve
X X
X X
X
X X
X X
X X
X X
that the tank relief is the only protection. Therefore, one
would expect a demand on the tank relief device at the reg-
ulator failure frequency.
Due to the nature of the contents of the tank headspace,
the consequence of venting through the relief could be sig-
nificant and is therefore undesired. If an additional layer of
protection is needed, it would be highly desirable to have
that layer of protection function to prevent a demand on the
tank relief valve.
The team identified two options:
 Adding an actuated isolation valve to the N2 supply line
that would close on high tank pressure
 Adding a relief valve to the N2 supply line just down-
stream of the regulator and upstream of the tank
The controls engineer provides some feedback on the
total installed cost of the isolation valve option. The project
engineer had some data on small N2-service relief valves that
shows the installed cost of the relief was a factor of 5 lower
than the actuated isolation valve. The team adds the N2 relief
valve with a set pressure 10% lower than the tank relief valve
and moves on.
Summary of Scope Changes from Group Problem Solving, Part 1
The two changes made by the team during Problem Solv-
ing, Part 1 are shown on the updated flowsheet in Figure 2,
and included in the LOPA in Table 3.
Observed Benefits from Group Problem Solving, Part 1
The case study LOPA review is not yet complete, but this
is a good time to summarize some of the benefits of the mul-
tifunctional review process that have been illustrated thus
far.
Broaden the base of process safety ownership:
 Problem Visibility: LOPA presents a risk assessment in a
format that is easy for a multifunctional team of stake-
holders to understand. As a result, the team is able to
actively contribute as reviewers and problem-solvers.
 Active Engagement: Once the team is asked to participate
in the problem-solving process, the members’ perception
of their role transitions from being input providers to
being active developers of the LOPA structure.
 Common Goal: The quantitative nature of the hazard rate
criteria and the mathematical structure of the LOPA make
it easy for everyone to see where risk gaps exist and
where solutions are required.
Achieve better solutions for the lowest asset life cycle
cost:
 Prioritize Effort: LOPA allows team members to identify
the initiating events or protection weaknesses that are
DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
Figure 2. Scope changes from problem solving, Part 1. [Color figure can be viewed at wileyonlinelibrary.com]
contributing most substantially to the total hazard rate.
This improves execution efficiency by focusing effort on
the issues with most leverage.
 Generate Viable Options: Having a diversity of expertise
on the review team results in a wide variety of potential
solutions to problems. The greater the number of viable
proposals, the greater the likelihood the team will find
the lowest cost solution.
 High Leverage Solutions: The LOPA structure clearly por-
trays which layers provide effective protection for each of
the initiating events. As illustrated by the case study,
teams become motivated to find ways to determine if a
layer of protection for one initiating event can be effective
in mitigating others.
 Option Sort in a Safety Context: LOPA development solu-
tions may add an ongoing burden to operations. They
may increase the installed cost of a facility. Some may do
both to some degree. The multifunctional team review
process creates a forum where those issues and costs can
be discussed and minimized within a context where safety
value is part of the analysis.
Group Problem Solving, Part 2
Returning to the case study, there remain two more initi-
ating events that contribute to exceeding the hazard rate
criteria.
 Vapor return valve left closed during railcar offloading
 Tank level transmitter (LT) fails low and tank overfilled
Vapor Return Valve Left Closed
Leaving the vapor return valve in a closed condition is
a problem because this is a manual operation and the
operator has an opportunity to skip the step of opening
Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE
the valve every time the tank is filled. Despite the tank
high pressure interlock protection, the hazard rate is still
too high.
A problem-solving process similar to the regulator adjust-
ment failure case occurs. Operations begin thinking about
ways to reduce human error. They also ask if the valve could
be automated and a batch sequence control program written
to control it. It is a fair question, but when the controls engi-
neer provides an indication of the equipment and engineer-
ing cost to set up such a system, the entire team agrees to
keep looking for alternatives.
Then, looking through the railcar unloading flowsheet,
the operations representative points out that, during the
operability review, a pressure transmitter (PT) was put on
the railcar vapor connection. This was done to provide a low
pressure interlock in the event that the railcar headspace was
blocked while the transfer pump was on. The interlock
would alert the operator to the low pressure condition and
stop the pump before it entered a cavitation regime. Could
this same device be used as an indication that the vapor
return valve from the tank was closed? The process engineer
does some math comparing headspace volume in the tank
vs. the railcar and determines that it would be possible to
define a set point for the railcar low pressure interlock that
protects both the pump and the tank.
At this point, the safety engineer emphasizes the impor-
tance of the LOPA rule that all layers of protection must be
independent from each other. If the team is going to take
credit for two instrumented layers of protection, those two
layers must not share any common field elements. In this
case, the team verifies that it is possible to identify two inde-
pendent safety instrumented functions [[6,7]] because there
are two sensing elements (high tank pressure and low railcar
pressure) and two final control elements (pump shutdown
and isolation valve closure).
DOI 10.1002/prs Month 2016 5
Figure 3. Scope changes from problem solving, Part 2. [Color figure can be viewed at wileyonlinelibrary.com]
Level Transmitter Fails Low
After solving the closed vapor return valve issue, the only
remaining line item that contributes significantly to exceed-
ing the hazard rate target is the tank level indication failing
low. There is a high level interlock on the tank already, and
based on the prior experience of adding another pressure
interlock with the vapor return valve closed case, the team is
naturally drawn to the idea of adding a second high level
switch to the tank.
There is a problem, however, with this approach. The
safety engineer points out that both the initiating event and
the first layer of protection involve the failure of a level
device. If the team attempts to add another layer of protec-
tion based on a level device, the contribution of common
mode failure will tend to dominate the frequency of failure.
This may be a difficult moment for the team, and espe-
cially for the safety engineer. Common mode failure is one
of the more difficult concepts for stakeholders outside the
safety profession to understand and therefore accept. Com-
mon mode failure is a real yet enigmatic contributor to the
reliability of protective systems. Unlike the failure rate for an
individual component, one cannot open a database and find
a probability that two or more LTs will both simultaneously
be in a failed state for reasons other than random failure. It
is the safety engineer’s responsibility to educate the team on
this subject and steer them away from excessive redundancy
and toward diversity in layers of protection.
In the case study, the team accepts the common mode
failure limitation and moves on toward finding ways to det-
ermine when the tank is at risk of being overfilled without
an additional level interlock.
Over in the process unit, the raw material from the tank
passes through a flow control station into the destination
vessel. The controls engineer points out that it would be rel-
atively easy to totalize the flow through this meter, starting
from zero each time the tank is filled. Since this is the only
6 Month 2016 Published on behalf of the AIChE
destination of this material, the totalized flow represents the
quantity of material that has been removed from the tank.
The control system could be configured to provide an alarm
if the railcar offloading transfer pump is turned on when the
current totalized flow value is less than the contents of a typ-
ical railcar. The entire team likes this approach because it
diversifies the layers of protection while using equipment
that is already in the scope of the project.
Summary of Scope Changes from Group Problem-Solving, Part 2
At this stage, the sum of all the individual row hazard
rates in the LOPA is less than or equal to the hazard rate cri-
teria for the loss of containment consequence. The work of
the team is done. Figure 3 shows the updated flowsheet and
the LOPA changes are reflected in Table 4.
Observed Benefits from Group Problem Solving, Part 2
This most recent work illustrated again some of the bene-
fits described in Observed Benefits from Group Problem
Solving, Part 1 Section above. But the Part 2 events just com-
pleted also illustrate some new benefits of multifunctional
team LOPA review that are summarized below.
Broaden the base of process safety ownership:
 Education in Independence: The strict LOPA rule requiring
protection layers be independent of each other teaches the
team members what independence means with the practi-
cal examples immediately before them. Because indepen-
dence is easy to understand in this context, team members
are empowered to apply this knowledge in future LOPA
reviews and even future project design hazard reviews.
 Education in Diversity: By taking a multifunctional team
through a LOPA where common mode failure presents a
limit on what types of protection layers can be applied,
the team members begin to accept the concepts of depen-
dent failure. They are far less likely to put 4 check valves
in series when drawing flowsheets in the future.
DOI 10.1002/prs Process Safety Progress (Vol.00, No.00)
Table 4. LOPA following group problem solving, Part 2.
Tank High
Pressure
Initiating Event Switch
Vapor Return Valve Left Closed X X
LT Fails Low
N2 pad regulator adjusted too high
N2 pad regulator fails open
Operator error during line clearing with X X
utility N2
Process Feed Pump failure and reverse
flow
Offload incompatible material into tank X X
Achieve better solutions for the lowest asset life cycle cost
 Creative Options for Diversity: A LOPA review team
where members represent different disciplines or func-
tions makes it easier to identify options to overcome com-
mon mode failure with equipment or method diversity.
Often, equipment, instruments or procedures that are
already required for operability reasons can be utilized to
provide additional protections to overcome common
mode failure with diversity. The key skill is understanding
how the potential for diagnosing or correcting one prob-
lem can be positively inferred from the observation of
something else.
CONCLUSION
The case study presented is illustrative of some of the posi-
tive experiences Air Products has had as it has utilized multi-
functional teams to review LOPAs, especially in cases where
risk criteria were not initially being met. In the circumstance
where there is a risk gap in a LOPA between a risk target and
the calculated hazard rate, Air Products generally has achieved
better results using multifunctional teams for problem solving
rather than having a safety analyst working in a non-interactive
way. The better results have been observed to come in two
forms: (1) broadened process safety ownership, and (2) better
solutions to minimize asset life cycle cost.
Interactive team review and problem solving of LOPAs
has broadened the base of process safety ownership well
beyond the process safety function by increasing:
 Problem Visibility – the ease with which team members
are able to understand the problem
 Active Engagement – the level of impact each team mem-
ber perceives they can have on the outcome
 Commonality of Goals – translating a corporate risk target
to a specific objective within a process unit that everyone
can understand and work together to solve
 Knowledge of Risk Quantification Basics – recognizing
the importance of maintaining independence between
layers of protection and the pitfalls as well as potential
solutions for common mode failure
Multifunctional team problem solving of LOPAs has
resulted in better solutions to achieve the lowest asset life
cycle cost by:
Process Safety Progress (Vol.00, No.00) Published on behalf of the AIChE
Layers of Protection
Tank High Tank N2 Regulator Railcar Low
Level Relief Relief Pressure Flow Tot.
Switch Valve Valve Switch Alarm
X
X X X
X
X X
X X
 Prioritizing Effort – review team can easily assess the
issues driving the results and focus their efforts on those
items
 Generating Viable Options – having a diversity of exper-
tise on the review team results in a wide variety of poten-
tial solutions to problems – this is especially valuable with
common mode failure limitations are encountered
 Generating High-Leverage Solutions – teams quickly learn
that the best layers of protection are those able to be
applied to multiple initiating events
 Option Sorting in a Safety Context – solutions often create
capital versus operating cost trade-offs that can be evalu-
ated in the context of achieving safety goals
LITERATURE CITED
1. CCPS, Layer of Protection Analysis: Simplified Process
Risk Assessment, Joint Publication of the Center for
Chemical Process Safety, American Institute of Chemical
Engineers, New York, NY, 2001.
2. CCPS, Guidelines for Initiating Events and Independent
Protection Layers in Layer of Protection Analysis, Joint
Publication of the Center for Chemical Process Safety,
American Institute of Chemical Engineers, New York, NY;
Wiley, Hoboken, NJ, 2015.
3. CCPS, Guidelines for Enabling Conditions and Condi-
tional Modifiers in Layers of Protection Analysis, Joint
Publication of the Center for Chemical Process Safety,
American Institute of Chemical Engineers, New York, NY;
Wiley, Hoboken, NJ, 2013.
4. NASA, Fault Tree Handbook with Aerospace Applica-
tions, Version 1.1, NASA Office of Safety and Mission
Assurance, Washington, DC, 2002.
5. P. Gruhn, Layer of protection analysis and common
mistakes, 2013 Safety Control & Instrumented Systems
Conference, 2013.
6. IEC 61508 – 2010, Functional safety of electrical/electron-
ic/programmable electronic safety-related systems Part
1-7.
7. IEC 61511 – 2003, Functional Safety: Safety Instrumented
Systems for the Process Industry Sector – Part 1: Frame-
work, definitions, system, hardware and application
programming requirements.
DOI 10.1002/prs Month 2016 7