
Introduction to this workbook, and some user notes


This workbook allows data to be collected and analysed for assessing the SIL requirement for a SIF. The sheet "Blank low demand" is a master and should be copied and used for each SIF to be considered. Ideally the tab name would be changed as well for easy navigation when there are lots of SIF worksheets.

The Company target tolerability levels used throughout this workbook should be entered in the sheet "TOR".

Use the duplicate Worksheets for each SIF

1. Fields where data can be entered are shaded green - fill them in as required. If it has a black border it has restricted input - click the cell, click the little down arrow that appears, then click your choice.
2. Fields where there should be no user entry are locked.
3. Several scenarios (possible causes) to the same consequent incident can be analysed on the same worksheet.
4. Enter the scenarios in section 1.
5. Enter ALL Enabling Conditions, Conditional Modifiers and Independent Protection Layers and the probabilities / PFDs in sections 2 to 4. Don't worry if they don't apply to all scenarios at this stage.
6. In the Applicability Matrix section below the data input, you will find that the data entered in steps 4 and 5 above have been copied into the table.
7. Alter any probability or PFD data in the table if it is not applicable. So if, for example, Layer of Protection 1 was not applicable to Scenario 1, then over-write the value 1 in cell F77 with the value 0. If you alter a value in the matrix from the value entered in the data input section it will turn red to show that it will no longer be updated if you alter the data in the data input section.
8. Input data for the severity of the incident in the Assessment section below the Matrix. These are multiple choice fields and select tolerability values shown in the Tolerability of Risk sheet ("TOR"). The workbook shows all three key values for the risk type and severity category selected.
9. The workbook then shows the required PFD from any additional protection required to make the situation meet the key values, and the SIL value it would require. If the target is already met and no further equipment is required, the worksheet shows this.
10. If the system does not meet the key value selected to be met, you can select a further protection layer level from the list and the worksheet indicates whether or not this is sufficient.
11. Fields that are calculated are shaded blue - do not fill them in unless you mean to over-write the formula.

Some data for use in the worksheets are shown in the sheets with blue tabs. Substitute Company data if available. The best data to use is that resulting from practical experience in the Company in question.

Enter the Company view of the PFDs of safety devices in the following table:

| Device | PFD |
|---|---|
| SIL 1 device | 0.1 |
| SIL 2 device | 0.01 |
| SIL 3 device | 0.001 |
| SIL 4 device | 0.0001 |
| Bursting disc | 0.01 |
| Relief valve | 0.05 |
| BPCS | 0.1 |

These are copied onto the individual SIL assessment sheets. Revised values in the given SIL band can be substituted if appropriate.

Sheet "IPL checklist" shows some criteria to be applied to systems being considered as Independent Protection Layers before entering them into section 4. It can be copied into the worksheets if needed.

Spreadsheets are locked to prevent inadvertent data entry or alteration. They can be unlocked if needed.

Some cells at the top of column I in the Worksheets are used in the calculations and for input validation, and are in light grey - do not alter! Cell F105 is also used but in white font - don't alter this!

Data provided in this workbook is taken from CEDCS general experience from various root sources and should be checked before use for any client

Some clips from the CCPS book "Layers of Protection Analysis" ISBN 0-8169-0811-7 were shown here. Permission for this has been applied for but not yet received - versions sent out have had these deleted

The Tolerability of Risk table is an example and should be adjusted to suit the client situation if necessary.

Developed by Stuart Ord, September 2006-October 2010

DISCLAIMER This workbook is provided without guarantee. Whilst every care has been taken in its design and content, it is the responsibility of the user to ensure that the results are accurate for the purpose intended


Tolerability of Risk
Personnel injury & health

| Category | Personnel injury & health | HSE / media | Broadly Acceptable | Company Maximum Target | Intolerable |
|---|---|---|---|---|---|
| Category 5 extremely serious consequences | Two to five fatalities onsite. Fatality or serious injuries offsite. Major health effects to many people | International news coverage. Site closure threatened | 1.0E-06 | 1.0E-05 | 1.0E-04 |
| Category 4 major consequences | Single onsite fatality. Many serious injuries onsite. Serious offsite injuries. | National news coverage. Prosecution by authorities. Site closure threatened | 1.0E-06 | 1.0E-04 | 1.0E-03 |
| Category 3 severe consequences | Reportable injury or injuries. People hospitalised. | Many complaints. Prosecution or formal caution. National attention | 1.0E-04 | 1.0E-03 | 0.1 |
| Category 2 serious consequences | Reportable injury or injuries. | Some complaints. HSE warning. | 0.01 | 0.1 | 1 |
| Category 1 minor consequences | Minor injury on-site, not reportable. Possible exposure to chemicals. Ill effect on some employees | No external effect | 0.1 | 1 | 1 |

Name: TOR_Personal

Environmental
Category 5 extremely Significant environmental damage. serious consequences Category 4 major consequences Category 3 severe consequences Category 2 serious consequences Category 1 minor consequences Significant local environmental damage

HSE / media International news coverage. Site closure threatened National news coverage. Prosecution by authorities Site closure threatened Many complaints. Prosecution or formal caution National attention Some complaints. HSE warning. No external effect

Broadly Acceptable 2.0E-06

Company Maximum Target 2.0E-05

Intolerable 2.0E-04 Name: TOR_Environment

2.0E-06

2.0E-04

2.0E-03

Large loss of listed substance. Fire and smoke Significantly exceeding consents. Significant loss of listed material. Toxic gas cloud, some killed wildlife. Contained spillage Minor loss of chemical outside plant / visible plume. Sustained noise or nuisance

2.0E-04

2.0E-03

0.2

0.02

0.2

0.2

Assets

| Category | Assets | HSE / media | Broadly Acceptable | Company Maximum Target | Intolerable |
|---|---|---|---|---|---|
| Category 5 extremely serious consequences | Not used in this study | Not used in this study | | | |
| Category 4 major consequences | Not used in this study | Not used in this study | | | |
| Category 3 severe consequences | Not used in this study | Not used in this study | | | |
| Category 2 serious consequences | Not used in this study | Not used in this study | | | |
| Category 1 minor consequences | Not used in this study | Not used in this study | | | |

Name: TOR_Assets

Units: incidents per year

173451027.xls.ms_office

TOR

9/18/2013

Title of event:
Title of equipment:
SIF reference:

Description of scenario of operation of the SIF:

Observed previous operation of the SIF or loop (for scenario frequency estimation):

Consequence of failure of SIF to operate correctly
Description:
Losses:

1. LOPA description and data input

1 Basic initiating events

| No | Description | Frequency | Comments |
|---|---|---|---|
| 1 | Scenario 1 | 1 | |
| 2 | Scenario 2 | 0 | |
| 3 | S3 (not used) | 0 | |
| 4 | S4 (not used) | 0 | |
| 5 | S5 (not used) | 0 | |

Application notes: See also Initiating!A1, Vessels!A1

2 Enabling conditions

| No | Description | Probability | Comments |
|---|---|---|---|
| 1 | Description of EC1 | 1 | |
| 2 | EC2 (not used) | 1 | |
| 3 | EC3 (not used) | 1 | |
| 4 | EC4 (not used) | 1 | |

Application notes: See also ECs!A1. eg tank above a certain level, disposal plant not available, two pumps running

3 Conditional modifiers

| No | Description | Probability | Comments |
|---|---|---|---|
| 1 | Description of CM1 | 1 | |
| 2 | CM2 (not used) | 1 | |
| 3 | CM3 (not used) | 1 | |
| 4 | CM4 (not used) | 1 | |

Application notes: See also CMs!A1. eg probability of person present, fatal injury, wind direction, probability of ignition, etc

4 Independent layers of protection

| No | Description | PFD | Comments |
|---|---|---|---|
| 1 | Description of ILP1 | 1 | |
| 2 | IPL2 (not used) | 1 | |
| 3 | IPL3 (not used) | 1 | |
| 4 | IPL4 (not used) | 1 | |

Application notes: See list of possible devices / systems: 'LoP candidates'!A1, 'Non-SIS LoP'!A1

5 Safeguards

| No | Description | Comments |
|---|---|---|
| 1 | Safeguard 1 | |
| 2 | Safeguard 2 | |
| 3 | Safeguard 3 | |
| 4 | Safeguard 4 | |
| 5 | Safeguard 5 | |

Application notes: Should not be given numerical credit; record only

Notes

2. Applicability matrix refinement

Overtype the probability value to 0, if the consideration does not apply to this initiating cause. It will then show in red. Place justification of the change in the table below.

Matrix columns: Enabling conditions 1 to 4 (Description of EC1, EC2 (not used), EC3 (not used), EC4 (not used)), Conditional modifiers 1 to 4 (Description of CM1, CM2 (not used), CM3 (not used), CM4 (not used)), Independent layers 1 to 4 (Description of ILP1, IPL2 (not used), IPL3 (not used), IPL4 (not used)).

| Initiating cause | Frequency | Enabling conditions 1-4 (Probability) | Conditional modifiers 1-4 (Probability) | Independent layers 1-4 (PFD) | Mitigated consequence frequency |
|---|---|---|---|---|---|
| Scenario 1 | 1 | 1, 1, 1, 1 | 1, 1, 1, 1 | 1, 1, 1, 1 | 1 |
| Scenario 2 | 0 | 1, 1, 1, 1 | 1, 1, 1, 1 | 1, 1, 1, 1 | 0 |
| S3 (not used) | 0 | 1, 1, 1, 1 | 1, 1, 1, 1 | 1, 1, 1, 1 | 0 |
| S4 (not used) | 0 | 1, 1, 1, 1 | 1, 1, 1, 1 | 1, 1, 1, 1 | 0 |
| S5 (not used) | 0 | 1, 1, 1, 1 | 1, 1, 1, 1 | 1, 1, 1, 1 | 0 |

Total (occurrences per year): 1.0000

Justification of any changes made to the data in the matrix

| Cell | Change | Reason |
|---|---|---|
| | | |

3. Assessment of incident categories

1. Type of loss: Personnel safety
2. Severity of loss: Cat 3

Target frequencies (from TOR sheet): Intolerable 0.1; Company target 0.001; Broadly acceptable 0.0001

4. Results - comparison of prediction with targets

| | Intolerable | Company target | Broadly acceptable |
|---|---|---|---|
| Required PFD (maximum value) | 0.100000 | 0.001000 | 0.000100 |
| Protection factor (minimum value) | 10 | 1000 | 10000 |
| SIL class of additional protective layer required | SIL 2 | SIL 4 | SIL 5 |

5. Assessment of proposed additional protection

Type of device proposed: SIL3 system
Attributed PFD: 0.0010
Description:

Ability to meet each criterion:

| Intolerable | Company target | Broadly acceptable |
|---|---|---|
| Able | Not able | Not able |

Assumed values for safety devices on this sheet (see cell comment)

| Device | PFD | SIL |
|---|---|---|
| SIL 1 device | 0.1 | 1 |
| SIL 2 device | 0.01 | 2 |
| SIL 3 device | 0.001 | 3 |
| SIL 4 device | 0.0001 | 4 |
| Bursting disc | 0.01 | 2 |
| Relief valve | 0.05 | 1 |
| BPCS | 0.1 | 1 |

Cells used by spreadsheet:
Cat 1, Cat 2, Cat 3, Cat 4, Cat 5
Bursting disk, Relief valve, BPCS, SIL1 system, SIL2 system, SIL3 system, SIL4 system, Other
See Intro, See Intro
0, 1, 2, 3, 4
None, Personnel safety, Environment, Production and equipment
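The arithmetic behind sections 2 to 5 of the worksheet, as an added Python example rather than the workbook's own formulas: each scenario frequency is multiplied by its enabling-condition and conditional-modifier probabilities and its IPL PFDs, the total is compared with the TOR targets, and the required PFD and SIL follow. The strict less-than comparison and the "SIL 5" result for a requirement beyond SIL 4 are inferred from the sample values on this sheet; the names `Scenario` and `assess` and the second case are constructed for illustration.

```python
from dataclasses import dataclass, field
from math import prod

# PFD credited per SIL band, taken from the workbook's Company table.
SIL_PFD = {1: 0.1, 2: 0.01, 3: 0.001, 4: 0.0001}

# Cat 3 personnel-safety targets shown on the sample sheet (incidents per year).
CAT3_PERSONNEL = {
    "Intolerable": 0.1,
    "Company target": 0.001,
    "Broadly acceptable": 0.0001,
}


@dataclass
class Scenario:
    """One initiating cause with the factors applied to it (hypothetical type)."""
    name: str
    frequency: float                                 # initiating events per year
    enabling: list = field(default_factory=list)     # enabling-condition probabilities
    modifiers: list = field(default_factory=list)    # conditional-modifier probabilities
    ipl_pfds: list = field(default_factory=list)     # PFD of each credited IPL

    def mitigated_frequency(self) -> float:
        factors = [*self.enabling, *self.modifiers, *self.ipl_pfds]
        if self.frequency < 0 or any(not 0 <= p <= 1 for p in factors):
            raise ValueError(f"{self.name}: frequency must be >= 0, factors within [0, 1]")
        return self.frequency * prod(factors)


def total_frequency(scenarios) -> float:
    """Sum of mitigated consequence frequencies (occurrences per year)."""
    return sum(s.mitigated_frequency() for s in scenarios)


def required_sil(total: float, target: float):
    """Return (required_pfd, sil); sil 0 means the target is already met,
    5 means no SIL 1-4 device PFD is low enough (the sheet prints "SIL 5")."""
    if total < target:
        return None, 0
    required = target / total
    for sil, pfd in sorted(SIL_PFD.items()):
        if pfd < required:          # assumption: device PFD must be strictly below
            return required, sil
    return required, 5


def assess(scenarios, targets, proposed_pfd: float = 1.0):
    """Compare the predicted frequency with each target, with and without
    a proposed additional layer of PFD `proposed_pfd`."""
    total = total_frequency(scenarios)
    results = {}
    for label, target in targets.items():
        required, sil = required_sil(total, target)
        results[label] = {
            "required_pfd": required,
            "sil": sil,
            "able": total * proposed_pfd < target,
        }
    return total, results


def sample_sheet():
    """The blank sheet as shown: Scenario 1 at 1/yr, every factor left at 1."""
    ones = [1, 1, 1, 1]
    used = Scenario("Scenario 1", 1.0, ones, ones, ones)
    unused = [Scenario(n, 0.0, ones, ones, ones)
              for n in ("Scenario 2", "S3", "S4", "S5")]
    return [used, *unused]


def constructed_case():
    """Constructed illustration using values from the workbook's data sheets:
    control loop fails to danger (0.1/yr), person within the plant structure
    (0.1), relief valve credited at the Company PFD of 0.05."""
    return [Scenario("Control loop failure", 0.1, modifiers=[0.1], ipl_pfds=[0.05])]


if __name__ == "__main__":
    for title, case, pfd in (("sample sheet + SIL3 system", sample_sheet(), 0.001),
                             ("constructed case", constructed_case(), 1.0)):
        total, results = assess(case, CAT3_PERSONNEL, pfd)
        print(f"{title}: total {total:.6f} /yr")
        for label, r in results.items():
            print(f"  {label}: {r}")
```
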

Enabling conditions Description 1.0 Probability

Generic Frequency for LOPA (if no specific plant experience)

| Event | Frequency |
|---|---|
| 1.1 Control Loop fail to danger | 0.1/yr |
| 1.2 Loss of cooling water supply | 0.1/yr |
| 1.3 Regulator failure | 0.1/yr |
| 1.4 Single Pump failure (if no MTBF data available) | 0.1/yr |
| 1.5 Dual pump failure if autostart and run status provided | 0.01/yr |
| 1.6 Significant pump seal leak | 0.1/yr |
| 1.7 Electrical Failure | 0.1/yr |
| 1.8 N2 or instrument air failure | 0.1/yr |
| Mechanical failure (e.g. tube rupture, bellows failure, etc.) | |
| 1.9 No moving parts, no vibration, erosion, corrosion | 0.001/yr |
| 1.10 Low vibration, erosion, corrosion | 0.01/yr |
| 1.11 High vibration, erosion, corrosion | 0.1/yr |
| Hoses / Couplings failure (loading / unloading systems) | |
| 1.12 Basic facilities | Failure rate per operation 40 x 10-6 |
| 1.13 Average facilities | Failure rate per operation 4 x 10-6 |
| 1.14 Multi safety system facilities | Failure rate per operation 0.2 x 10-6 |

Basic: These use wheel chocks for pullaway prevention, pressure / leak tests to prevent hose burst, and no pullaway mitigation.
Average: Two pullaway prevention systems as well as inspection and pressure / leak tests to prevent hose burst.
Multi safety: Two pullaway prevention systems, an effective mitigation system (not airline) and pressure / leak tests to prevent hose burst.

Operator error

Probabilities in table should be multiplied by the number of opportunities, e.g. Error in routine operation where care is required when carried out daily = 0.001/opportunity * 365 opportunities / yr = 0.37/yr.

| Event | Probability |
|---|---|
| 1.15 General rate for errors involving very high stress levels | 0.3 |
| 1.16 Complicated non-routine task, with stress | 0.3 |
| 1.17 Supervisor does not recognise the operations error | 0.1 |
| 1.18 Non-routine operation, with other duties at the same time | 0.1 |
| 1.19 Operator fails to act correctly in the first 30 minutes of stressful emergency | 0.1 |
| 1.20 Errors in simple arithmetic with self-checking | 0.03 |
| 1.21 General error rate for oral communication | 0.03 |
| 1.22 Failure to return the manually operated test valve to the correct configuration | 0.01 |
| 1.23 Operator fails to act correctly after the first few hours in a high-stress scenario | 0.01 |
| 1.24 General error of omission | 0.01 |
| 1.25 Error in a routine operation where care is required | 0.01 |
| 1.26 Error of omission of an act embedded in a procedure | 0.003 |
| 1.27 General error rate for an act performed incorrectly | 0.003 |
| 1.28 Error in simple routine operation | 0.001 |

From CCPS book

Probability of failure on demand for Non SIS layers of protection:

| Protection Layer | Probability of Failure on Demand |
|---|---|
| 1.29 Relief valve sized for scenario (Clean service) | 0.01 |
| 1.30 Relief valve sized for scenario (Dirty service) | 0.1 |
| Check valves | |
| 1.31 Single | 1 |
| 1.32 Dissimilar registered valves in series | 0.1 |
| Bund wall (reduces frequency of large spills) | |
| 1.31 Concrete well maintained | 0.01 |
| 1.32 Earth | 0.1 |
| 1.33 Underground drainage (reduced frequency of large spill) | 0.1 |
| 1.34 Independent control loop (Note: Must be independent of initiating event, 0.1 is max credit allowed) | 0.1 |
| 1.35 Gas detection with automatic response (independent of other protection layers) | 0.1 |
| 1.36 Flare failure. Or estimate from plant experience based on pilots being unavailable (e.g. if pilots are out 1 day/yr, PFD = 1 day/365 days = 0.003) | 0.01 |
| 1.37 Odour detection allows escape | Team judgement based on chemical |
| Operator response to an alarm | |
| 1.38 Separately annunciated hard wired / safety PLC alarm specific to hazard, with 30 minute response | 0.01 |
| 1.39 Hardwired alarm, stressful situation, action less clear, 30 minute response time OR Hazard specific DCS alarm, no coincident upsets, 30 minute response time OR Multiple DCS alarms that indicate the same hazard with hours of response time (discretion of study leader to use 0.01) | 0.1 |
| 1.40 Other alarms (response time < 30 minutes, DCS alarm during other upsets, etc.) | |

From CCPS book

Probability of significant leak from pressure system:

| Case | Scenario | Probability of significant release | Comments |
|---|---|---|---|
| 1.41 | Pressurise vessel to 1.25 times design pressure but check Case 5 does not apply. Also use for vacuum cases. | 0.02, 0.1. For SIL assessment use 0.05 | Small potential increases with aged equipment (corroded etc see Note 1) |
| 1.42 | Pressurise vessel to 1.5 times design pressure but check Case 6 does not apply. | 0.3 | Some risk of flange leakage specially on heavily loaded nozzles, and potential for crack at high stress location (e.g. nozzle) see Note 3 |
| 1.43 | Pressurise vessel to 2 times design pressure but check Case 7 does not apply. | 0.7 | Even if high stress region / nozzle crack does not open and lead to release, there is significant likelihood of flange leak |
| 1.44 | Pressurise vessel to 2.5 times design pressure. | 1 | Even if nozzle does not fail likelihood of other weld catastrophic failure is significant see Note 4 |
| 1.45 | Pressurise vessel in fatigue service or carbon steel equipment which is simultaneously exposed to sub zero temperature, or low chrome moly (up to 2 Cr) in elevated temperature service that is pressurised when below 50 oC - pressurised to 1.25 times design | 0.05, 0.3. For SIL assessment use 0.2 | Probability will depend on years of service and quality of design |
| 1.46 | Pressurise vessel in fatigue service or pressurise carbon steel equipment which is simultaneously exposed to sub zero temperature, or low chrome moly elevated temperature service that is pressurised when below 50 oC - pressurised to 1.5 times design. | 0.5, 0.7. For SIL assessment use 0.7 | Probability will depend on years of service and quality of design |
| 1.47 | Pressurise vessel in fatigue service or carbon steel equipment which is simultaneously exposed to sub zero temperature that is pressurised below 50 oC - pressurised to 2 times design. | 0.8, 1.0. For SIL assessment use 1 | Probability will depend on years of service and quality of design |

Notes:

1. An aged vessel here is one in service for 20 years or longer and where the following applies: subject to corrosion under insulation (-5oC to 200oC), or creep conditions (>330oC for carbon steel; >420oC for chrome moly steels up to 12% Cr; >485oC for austenitic steel), or if significant internal corrosion / erosion is expected due to fluid conditions.

2. Above risks will apply to all BS vessels as well as ASME vessels built after 1998. Probabilities are based on the percentage of applied hoop stress to minimum yield strength and ultimate tensile strengths. The probabilities quoted on this basis are directly comparable against European Code approaches (e.g. PD/BS 5500). For ASME VIII Division 1 equipment the probabilities quoted will tend to be conservative, and the degree of conservatism increases for ASME vessels pre-dating 1998. However, in the case of ASME vessels, particularly older ones, there is a high potential that nozzles can be excessively loaded, as the code does not mandate consideration of piping loads onto nozzles.

3. This level of pressure (1.5 times design) will generate bulk membrane (hoop) stresses close to minimum yield strength in European code vessels. Although failure of the membrane from a few applications is unlikely, there is a risk of opening a significant crack in highly stressed and localised regions such as nozzles.

4. This level of pressure (2.5 times design) will generate bulk membrane (hoop) stresses close to ultimate tensile strength in European code vessels. Failure could almost be guaranteed to European code vessels, and failure could well be significant or catastrophic.

5. In the event of only a flange leak (1.5 to 2 times design pressure) the leak is likely to persist only while the pressure is elevated, and could diminish or cease when pressure returns below design pressure, whereas in the case of a crack in a nozzle or other part, the leak will persist until plant shutdown / isolation.

6. These risk factors take no account of the fact that equipment may have been supplied with excess wall thickness versus the design requirement. It assumes the worst case, and that only nominal corrosion allowances have been applied.

7. This document refers to EEMUA Pressure Vessels Committee: Risk Based Mechanical Integrity Work Item: Document No 3852-05. The EEMUA document covers some of these issues, and relates to likelihood of failure in terms of Categories 1 to 5, ranging from 1 (negligible risk) to 5 (highly probable). These categories in turn derive from API Publication 581: Base Resource Document Risk Based Inspection.

Conditional modifiers

Will it catch fire or explode? Zoned or IS area; Ignition sources; Inert gas; Pressure safety margin in pipes and vessels at actual temperature

People exposure. Probability of being in the danger area: Employees; Plant operators; Other (maintenance etc); Visitors; Public

Probability of worst harm being realised. Release dispersion; Weather; Prevailing wind; Dense or light vapour; Toxicity, bioactivity; Quantity and release rate

Probability of leak (/problem) being undetected. Secondary protection; Buildings; Blast walls; Topography

Can people avoid, or are they drawn to the event seeking to ameliorate? Will they get involved in precursor conditions; Safety time and response time; Local alarms; Refuges

Probability of ignition:

| Case | Probability |
|---|---|
| 1.48 Near obvious ignition sources such as fired heaters | 1 |
| 1.49 Near a road | 0.5 |

When the leak is not near an obvious ignition source or road:

1.50 LPG, liquid above its atmospheric boiling point, or material above its flash point released at height. No obvious ignition sources.

| Mass released (tonnes) | Release rate (kg/s) | Immediate ignition | Delayed ignition | No ignition |
|---|---|---|---|---|
| <1 | <10 | 0.02 | 0.02 | 0.96 |
| 2 | 20 | 0.05 | 0.05 | 0.9 |
| 5 | 50 | 0.1 | 0.1 | 0.8 |
| 10 | 100 | 0.2 | 0.8 | 0 |
| >38.8 | >388 | 0.9 | 0.1 | 0 |

1.51 Ignition inside a vessel (e.g. air ingress to a vessel by operation of vacuum valves or landing

1.52 Liquid hydrocarbon below its atmospheric boiling point and released near ground level. No obvious ignition sources.

| Type of release | Release rate (kg/s) | Location | Ignition | No ignition |
|---|---|---|---|---|
| Liquid | <1 | General | 0.01 | 0.99 |
| Liquid | 1 - 50 | General | 0.03 | 0.97 |
| Liquid | >50 | General | 0.08 | 0.92 |

Person present

| Case | Probability |
|---|---|
| 1.53 Large release, normally occupied area, operator present during | 1 |
| 1.54 Within the plant structure | 0.1 |
| 1.55 Normally unoccupied area (e.g. tank farms) | 0.01 |

Note: Team can also estimate probability directly if information available (e.g. 1 hour operator tour of area every shift = 1 hours / 12 hours = 0.08).

Wind Direction

| Case | Probability |
|---|---|
| 1.56 Wind in prevailing direction | 0.7 |
| 1.57 Wind other than prevailing direction | 0.3 |

Guidance on Consequence Categories:
Choosing the consequence category requires some judgement from the LOPA leader in
1.58 For analysing safety consequences, a release of hydrocarbon below its boiling point would
1.59 A release of LPG, hydrocarbon above its atmospheric boiling point, or hydrocarbon above its
The scenarios with very large released (large enough to have offsite fatality potential, or occupied

Data for IPL assessments

Human action

| IPL | Conditions | PFD | Comments |
|---|---|---|---|
| With 10 minutes response time | Simple action, clear requirements, reliable indications | 1 to 0.1 | LOPA textbook recommendation |
| With 40 minutes response time | Simple action, clear requirements, reliable indications | 0.1 to 0.01 | LOPA textbook recommendation |
| (New entry) | | | |

Instruments

| IPL | Conditions | PFD | Comments |
|---|---|---|---|
| BPCS | Normal control system in good order | 1 to 0.1 | Values <0.1 not allowed by BS IEC 61511 |
| Shut-down module | If truly an IPL (see "IPL checklist" tab) | 0.1 to 0.001 | SIL 1 to SIL 3 possible - to be justified by manufacturer data and/or calculation |
| (New entry) | | | |

Fire probability

| Event | Basis | Frequency, /yr |
|---|---|---|
| Large fire due to vessel failure | Take generic vessel failure data. | 0.0001 |

Shutdown systems

| Make | Components | PFD | Comments |
|---|---|---|---|
| | | | |

IPL checklist

Name of IPL:
Description:

| Question | Judgement | Comments |
|---|---|---|
| Is it an IPL? | | |
| Does it detect the condition? | | |
| Does it decide to take action? | | |
| Does it deflect the undesired event? | | |
| Is it enough? | | |
| Is it big enough? | | |
| Is it fast enough? | | |
| Is it strong enough? | | |
| Is it reliable? | | |
| Can any circumstances arise that will reduce its effectiveness? | | |
| Can it be tested and be auditable? | | |
| Is it independent? | | |
| Of the initiating event and any enabling event? | | |
| Of any other device, system or action that is already credited with being an IPL? | | |

Note - Standards only allows one credit for the BPCS. Two are allowed under certain circumstances, and should not credit a PFD better than 0.1 unless carefully

IPL checks

Consider the following three "D" factors to help decide if a safeguard is an IPL:
Detect - Most IPLs detect a condition that is leading to the loss scenario
Decide - Many IPLs make a decision whether or not to take action
Deflect - All IPLs must deflect the loss event by preventing it

Then consider the following three "E" factors to help decide if the safeguard will be an effective IPL:
Big enough?
Fast enough?
Strong enough?

Finally, ensure that the safeguard is INDEPENDENT of the initiating event and all the other IPLs so that it can be assumed to work every time (assuming it is operational)

Copy this sheet / table as needed for multiple IPLs

http://virtual.vtt.fi/virtual/proj3/s-2-s/lopa_intro_tampere.pdf

Layers of protection candidates

Any measure taken as an IPL must satisfy the LoPA conditions - see 'IPL validity'!A1

Non-instrumented devices or equipment
Other than routine and site issues
Other than Basic Process Control System

Pressure: Mechanical relief; Containment; Design specification and envelope; Non-return valves; Pump design curve and spillback; Control valve rates

Temperature: Fusible plug; Temperature of heating medium; Contacting (mass transfer improvement); Lagging

Flowrate: Restrictor orifice; Non-return valves; Pump design curve; Speed limit on rotary valves; Restricted funnel size

Level: Overflow to ground; Connected tanks; Limited volume of feed vessel; Limited flowrate in; Interlocks

Quantity: Limited volume of feed vessel; Drum counting; Limited space for drums

Domino effect: Prevention of by buildings separation; separation from public; blast screens; redundancy of critical services

Mechanical integrity: Interlocks; Corrosion monitoring; Erosion monitoring; X-ray testing; Pressure / leak testing; Registered equipment; Vibration monitoring

Wrong material: Interlocked valves; Hose stations with mechanical checks; Physical difference in materials (size, state, colour); Different containers; Segregation of stock

Mitigation: Bunds; Steam curtain; Interceptor tanks; Sprinklers; Emergency vents; Quench

Fire / explosion: Below autoignition temperature; Below flash point; DSEAR compliance; Sprinklers; Inerting / low oxygen concentration; Mechanical explosion relief; Explosion suppression; Fuel rich / fuel lean; Lightning protection; Static electricity protection; Fire lagging; Gas detectors

Routine / site (generally expected): Security (public, visitors, criminal, terrorist); Traffic control (road, rail); Training and competency; Inventory control (raw materials); Materials control (maintenance materials, spares); Operator tours; Manager tours; Logs and signed batch sheets; Toolbox talks; Equipment routine checking and maintenance; Frost protection; Heat protection; Offsite impact - visual, smell, noise; Preparation for maintenance; Structural integrity; Escape routes; Safe havens / toxic refuges; Permit to Work; Hot Work permits; Vessel entry control; Scaffolding control; Housekeeping; Severe weather precautions; Flooding protection; Off-spec material control (raw materials & products); Emergency response / testing / management; Routine PPE - sight, breathing, ears, skin; Hygiene monitoring; Control of radioactive sources

Alarms: Operator responds to independent alarm; Operator responds to obvious visual signs

Date:
Study name:
Outline of system:
State of design:
Appropriate people:
Knowledge of people:
Design changes made:
Other notes:
Notes for future reference:

SIL study preparation checklist

Preparation - get
- P&IDs
- Cause & effect diagrams
- Project approved SIL procedure
- Project TOR
- General process description
- Project forms for SIL / LoPA assessment
- Risk graph if needed
- LoPA analysis
- Meeting records
- List of people
- Confirmation of area to be covered

Preparation - do
- Highlight trips and ESDs on P&IDs working copy
- Review any previous ones on the project
- Agree recording style with Secretary
- Find items to be considered on Control Sheet

Meeting start
- What has gone before; current meeting aims
- Review of forms to be used
- Review of recording procedure
- Emphasise all team's names are signed to records, must point out any disagreements before item is saved
- Run through an assessment
- Emphasise BPCS limitation
- Clarify control systems in use (PESS, PLC, DCS, etc)

Seating plan
