GCPS 2015 __________________________________________________________________________
Impacts of Process Safety Time on Layer of Protection Analysis
Geoffrey Barnard, P.E., CFSE
aeSolutions
Anchorage, AK
geoff.barnard@aesolns.com
William Creel, CFSE
aeSolutions
Greenville, SC
william.creel@aesolns.com
Prepared for Presentation at
American Institute of Chemical Engineers
2015 Spring Meeting
11th Global Congress on Process Safety
Austin, Texas
April 27-29, 2015
UNPUBLISHED
AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications
Keywords: Layer of Protection Analysis (LOPA), Independent Protection Layer (IPL),
Process Safety Time (PST), IPL Response Time (IRT)
Abstract
The ability of an Independent Protection Layer (IPL) to achieve a given level of risk reduction is
dependent upon its fulfillment of several core attributes. A key provision for any IPL to be
considered effective and functionally adequate is its capability to respond to a process demand
quickly enough to stop the propagation of the hazard scenario it was designed to prevent. While
this seems obvious and reasonable, the estimation of Process Safety Time and the specification of
IPL Response Times are more complex, and are often deferred or overlooked altogether.
What is Process Safety Time? How is it determined? When? And by whom? This paper examines
the relationship between Process Safety Time and IPL Response Times, essential variables for the
justification of IPL effectiveness, and their impacts on the success of Layer of Protection Analysis
(LOPA).
1. Introduction
Layer of Protection Analysis (LOPA) is a semi-quantitative risk assessment technique commonly
used to evaluate the likelihood of process hazards and determine the necessary Independent
Protection Layers (IPLs) to reduce the risk of a given consequence to a tolerable level. Though
many variations of LOPA have been developed in the years since its introduction, recent efforts
by industry have focused on development of more universally accepted criteria for selecting and
validating the assumptions and numerical values used in studies. The recent publication of the
CCPS Guidelines for Enabling Conditions and Conditional Modifiers [1], and Guidelines for
Initiating Events and Independent Protection Layers [2] have greatly expanded upon the guidance
in the original LOPA text [3] while refining and reinforcing necessary considerations.
One particularly important area of expansion is in the definitions surrounding the timeline of a
hazard scenario. Before seeking to define any aspects or requirements of a particular protection
layer it is important to first understand how the unmitigated hazard scenario develops and how
quickly.
2. Hazard Scenario Timeline
2.1 What is Process Safety Time?
According to the CCPS Guidelines for Safe and Reliable Instrumented Protective Systems, Process
Safety Time (PST) is:
“the time period between a failure occurring in the process or its control system
and the occurrence of the hazardous event.” [4]
This is consistent with the definition found in the Guidelines for Initiating Events and Independent
Protection Layers [2] as well as other industry standards applicable to the design of active
protective systems.
IEC 61511:2003 Part 2: “the time period between a failure occurring in the process
or the basic process control system (with the potential to give rise to a hazardous
event) and the occurrence of the hazardous event if the safety instrumented function
is not performed” [5].
IEC 61508:2010 Part 4: “period of time between a failure, that has the potential
to give rise to a hazardous event, occurring in the EUC [equipment under control]
or EUC control system and the time by which action has to be completed in the
EUC to prevent the hazardous event occurring” [6].
API 556 second edition, 2011: “the interval between the initiating event leading
to an unacceptable process deviation and the hazardous event” [7].
PST is not a specification, but rather a function of the behavior of the process and process
equipment within the context of a specific unmitigated hazard scenario. PST can be estimated,
calculated, or potentially measured, but by extension of the definitions above PST is necessarily
unique to each cause-consequence pair, even when multiple initiating events may eventually lead
to the same consequence. This is because each initiating event has the potential to impact process
dynamics in different ways. Likewise, a single initiating event may lead to different outcomes due
to inclusion of scenario modifiers, consideration of different operating modes, or consequences
affecting different risk receptors. PST of related but separate scenarios will not necessarily be
equivalent.
Determination of PST is the first step in identifying the time potentially available for all protection
layers to respond and will be useful in specifying the required response time of each. PST is not
dependent upon the parameters that make up the response of any one protection layer. Some
resources in the past have defined PST in terms of the point of activation of a particular IPL. Such
a definition is problematic in that it implies there is a different PST for each IPL, complicating the
evaluation of a scenario as a whole. These resources have attempted to define a means for
estimating the time available for a particular protection layer to take action and affect the process
from a given point of activation, and while this is a worthy endeavor it should not be confused
with Process Safety Time.
2.2 How is Process Safety Time determined?
Unless measured in retrospect after a hazard has occurred, PST is quite difficult to
determine precisely. The exact conditions under which a hazard scenario may develop are
debatable, and it is not necessarily useful to consider PST to be a single specific value at which
a hazardous event will immediately occur in all circumstances. Instead, the objective is to estimate
a lower boundary in time at which hazardous potential is likely to exist under worst-case conditions
so that protection layers may be specified and designed with sufficient speed of response for any
credible scenario.
One method for determining PST is to identify the process variable that is most closely associated
with the occurrence of the hazardous event, and its likely value at the time of the hazardous event
or the point at which the hazard can no longer be reliably prevented. There may be considerable
uncertainty associated with the occurrence of the hazardous event, so this may be conservatively
associated with a known design limit of the equipment. For example, loss of containment may be
imminent when pressure continues to rise above the Maximum Allowable Working Pressure
(MAWP). The upper limit of normal operating pressure and the MAWP of the vessel must be
used to estimate PST. The amount of time between these two discrete points in time, initiating
event and hazardous event, depends on the estimated rate of change of the process variable due to
the initiating event.
Figure 1. Timeline of a hazard scenario
Eq. 1
- PST: Process Safety Time, time between Initiating Event and Hazardous Event;
- PVIE: the initial value of the process variable of interest at the time of the Initiating Event,
may be assumed to be at the extreme of the normal operating range nearest the hazard;
- PVHE: the value of the process variable of interest at the time the Hazardous Event occurs
or can no longer be prevented, may be assumed to be at the design limit of the equipment;
- PVROC: the estimated Rate of Change of the process variable of interest under worst-case
credible conditions in the context of the specific hazard scenario.
Each of these three variables will be completely dependent upon the specific process, process
equipment, and even the mode of operation. Certain cases, such as liquid level in a storage vessel,
may be calculated from known operating conditions and design parameters. Other cases, such as
those involving reaction chemistry, may require creation of a process model and consideration of
non-linear rates of change. PST estimates may also be made or assumptions corroborated by
examining actual deviations recorded in the control system’s process data historian.
Once the analysis is complete and PST determined for each scenario, the data and assumptions
will be quite useful for subsequent activities and should be maintained as valuable Process Safety
Information (PSI). Not only is PST useful for protection layer design, but also as a reference for
operations, and for assigning pass/fail criteria for maintenance and testing procedures. Having a
documented PST basis will also be important for revalidation efforts when assumptions are
revisited, and supports Auditability and Management of Change (MOC) – other core attributes of
IPLs.
3. Timing Aspects of IPL Functionality
3.1 What must happen within the Process Safety Time?
Once the PST has been determined and the boundaries of each scenario timeline have been
established, new IPLs may be designed with, or existing safeguards may be evaluated for adequate
and timely functionality. To do so, several additional terms of interest must be assessed that are
related to the individual protection layers. The first of which is the IPL Response Time (IRT):
“the time necessary for the IPL to detect the out-of-limit condition and complete
the actions necessary to stop the progression of the process away from a safe
state.” [2]
IRT encompasses all aspects and components of the IPL that contribute to its effectiveness in
preventing the hazard and should take into account the time to detect the condition (including
measurement lag), determine the appropriate course of action, initiate the necessary action(s), and
complete the action(s). For a simple mechanical IPL, such as a pressure relief valve, the IRT may
be relatively straightforward to determine; however, for instrumented IPLs that are comprised of a
series of complex components, or IPLs involving a human response, the evaluation must consider
a number of variables.
What IRT does not include is the time for the process to react to an IPL action and reach a safe
state. This time period is known as the Process Lag Time (PLT) [2] and is perhaps the variable
with the most uncertainty. Once the IPL has completed its action there may be a period of time
before the action is effective in stopping or reversing the hazardous condition. For each IPL under
consideration, the sum of IRT and PLT must be less than the PST to be considered effective.
Eq. 2
- PST: Process Safety Time, time between Initiating Event and Hazardous Event;
- IRT: IPL Response Time, total time for the IPL to detect the deviation and complete safe
action;
- PLT: Process Lag Time, time between completion of the IPL’s safe action and the process
being influenced away from the hazard.
As with PST, PLT is dependent upon the process and the specific equipment and conditions, but
unlike PST, PLT must also consider the characteristics of the IPL action. For example, the PLT
associated with opening a quench water valve to cool a reaction will depend not only on the
dynamics of the reaction and the capacity of the reactor, but also on the flow rate of the cooling
water. A design change in the cooling water system may have minimal impact on IRT, but could
significantly change PLT.
If IRT and PLT are known or can be approximated conservatively, these values can be used to
specify a Maximum Setpoint (MSP) [2] at which the IPL must be activated before losing its ability
to effectively prevent the excursion from violating Safe Operating Limits (SOL). Designing and
specifying IPL response parameters in terms of the safe upper and lower operating limits rather
than equipment design limits is intended to provide a margin of safety before reaching the
hazardous event.
Figure 2. Timeline of IPL response to a hazardous condition, determining MSP
Eq. 3
- MSP: Maximum Setpoint, the maximum value of the process variable of interest at the
point of IPL activation that allows sufficient time to detect, complete action, and for the
process to respond;
- PVSOL: the Safe Operating Limit of the process variable of interest;
- PVROC: the estimated Rate Of Change of the process variable of interest under worst-case
credible conditions in the context of the specific hazard scenario;
- IRT: IPL Response Time, total time for the IPL to detect the deviation and complete safe
action;
- PLT: Process Lag Time, time between completion of the IPL’s safe action and the process
being influenced away from the hazard.
Should the value of MSP fall within the normal operating range, it is likely that the IPL is
ineffective and must be redesigned with a shorter IRT, resized or reconfigured for a shorter PLT,
or replaced with an alternative IPL. It would be impractical to take action in response to a normal
operating condition, therefore time that exists between the initiating event and the point at which
a deviation can be reliably detected (i.e. the extents of normal operation) is generally not time
available for an IPL to respond.
When evaluating an existing device or function as an IPL it is most likely that PLT and IRT can
be estimated from the known design parameters, or perhaps records from previous testing. When
practical, measuring IRT under actual process conditions will more accurately reflect performance
during the period of demand, particularly in cases where valves are attempting to close in lines
with increasing pressure. Using this data the MSP may be specified and the existing setpoint
evaluated against this specification.
However, when new IPLs are proposed it is likely that the IRT and PLT will not be fixed or otherwise
known. The design process must evaluate what capacity is required of the function to minimize
PLT so that an MSP can be specified based on the shortest available PST from all relevant
scenarios, or so that a Maximum Allowable Response Time (MART) [8] can be specified from a
desired point of activation.
Figure 3. Timeline of IPL response to a hazardous condition, determining MART
Eq. 4
- MART: Maximum Allowable Response Time, the maximum total time for an IPL to detect
the deviation and complete safe action;
- PVSOL: the Safe Operating Limit of the process variable of interest;
- PVSP: the value of the process variable of interest where the IPL is designed to take action;
- PVROC: the estimated Rate Of Change of the process variable of interest under worst-case
credible conditions in the context of the specific hazard scenario;
- PLT: Process Lag Time, time between completion of the IPL’s safe action and the process
being influenced away from the hazard.
An evaluation of MSP and/or MART should be incorporated into the design process and used as
a tool to refine IPL specifications and appropriately manage changes over time. MART from a
given setpoint may also be used to develop pass/fail criteria in test procedures to ensure
specifications continue to be met over time and that components have not been adversely affected
by wear-out and fatigue.
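The timing relationships described in Sections 2.2 and 3.1 (PST from the process variable's travel and worst-case rate of change, the IRT + PLT < PST check, MSP, and MART from a chosen setpoint) as an added worked example. This is not the paper's code; the formulas are assumed from the variable definitions above, and the scenarios, setpoints and IPL timings are constructed sample values.

```python
"""Hazard-scenario timing checks built from the paper's definitions of PST, IRT,
PLT, MSP and MART.  Added example, not code from the paper; the formulas are
assumed from the variable definitions in Sections 2.2 and 3.1."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One cause-consequence pair, described by its process variable (PV) of interest."""
    name: str
    pv_ie: float   # PV at the Initiating Event: edge of normal operation nearest the hazard
    pv_sol: float  # Safe Operating Limit of the PV
    pv_he: float   # PV at which the Hazardous Event occurs or can no longer be prevented
    pv_roc: float  # worst-case credible Rate Of Change, signed, in PV units per minute

    def __post_init__(self) -> None:
        if self.pv_roc == 0:
            raise ValueError("pv_roc must be non-zero")
        d = self.direction
        if not (d * (self.pv_sol - self.pv_ie) > 0 and d * (self.pv_he - self.pv_sol) >= 0):
            raise ValueError("expected pv_ie, then pv_sol, then pv_he along the direction of pv_roc")

    @property
    def direction(self) -> int:
        """+1 when the PV rises toward the hazard (high pressure), -1 when it falls (low level)."""
        return 1 if self.pv_roc > 0 else -1

    def pst(self) -> float:
        """Process Safety Time: minutes for the PV to travel from pv_ie to pv_he."""
        return (self.pv_he - self.pv_ie) / self.pv_roc


@dataclass(frozen=True)
class Ipl:
    name: str
    irt: float  # IPL Response Time: detect the deviation and complete safe action, minutes
    plt: float  # Process Lag Time: from safe action completed until the process is influenced, minutes


def is_effective(sc: Scenario, ipl: Ipl) -> bool:
    """The paper's Eq. 2 in words: IRT + PLT must be less than PST."""
    return ipl.irt + ipl.plt < sc.pst()


def maximum_setpoint(sc: Scenario, ipl: Ipl) -> float:
    """MSP: the PV value by which the IPL must have activated so that IRT + PLT
    elapse before the PV reaches the Safe Operating Limit."""
    return sc.pv_sol - sc.pv_roc * (ipl.irt + ipl.plt)


def msp_within_normal_range(sc: Scenario, ipl: Ipl) -> bool:
    """True when the MSP lies inside normal operation: the IPL would have to act
    on a normal condition, so it cannot be credited as designed."""
    return sc.direction * (maximum_setpoint(sc, ipl) - sc.pv_ie) <= 0


def maximum_allowable_response_time(sc: Scenario, ipl: Ipl, pv_sp: float) -> float:
    """MART from a chosen setpoint pv_sp: time for the PV to go from the setpoint
    to the SOL, less the PLT.  A non-positive value means no IRT is fast enough."""
    return (sc.pv_sol - pv_sp) / sc.pv_roc - ipl.plt


def evaluate(sc: Scenario, ipl: Ipl, pv_sp: float) -> dict:
    """Collect the checks a reviewer would want for one IPL credited in one scenario."""
    msp = maximum_setpoint(sc, ipl)
    mart = maximum_allowable_response_time(sc, ipl, pv_sp)
    return {
        "pst": sc.pst(),
        "effective": is_effective(sc, ipl),
        "msp": msp,
        "msp_in_normal_range": msp_within_normal_range(sc, ipl),
        "setpoint_at_or_before_msp": sc.direction * (msp - pv_sp) >= 0,
        "mart_from_setpoint": mart,
        "irt_meets_mart": ipl.irt <= mart,
    }


# Constructed sample data (not from the paper): a high-pressure scenario in barg with a
# worst-case rise of 0.5 bar/min, and two candidate IPLs with assumed timings.
HIGH_PRESSURE = Scenario("blocked outlet, high pressure", pv_ie=8.0, pv_sol=10.0, pv_he=12.0, pv_roc=0.5)
SIF = Ipl("SIF: PAHH closes feed valve", irt=1.0, plt=1.5)
OPERATOR = Ipl("operator response to PAH alarm", irt=10.0, plt=1.5)
# A falling variable: low level in percent, worst-case draw-down of 5 %/min (constructed).
LOW_LEVEL = Scenario("loss of feed, low level", pv_ie=40.0, pv_sol=20.0, pv_he=10.0, pv_roc=-5.0)
LOW_LEVEL_SIF = Ipl("SIF: LALL stops pump", irt=0.5, plt=1.0)

if __name__ == "__main__":
    for sc, ipl, sp in [(HIGH_PRESSURE, SIF, 8.5), (HIGH_PRESSURE, OPERATOR, 8.5), (LOW_LEVEL, LOW_LEVEL_SIF, 30.0)]:
        print(f"{sc.name} / {ipl.name} @ setpoint {sp}: {evaluate(sc, ipl, sp)}")
```

The operator IPL fails the IRT + PLT < PST check and its MSP (4.25 barg) falls inside normal operation, which is the redesign-or-replace case the text describes; the falling-level scenario shows the same checks generalized to a variable that decreases toward the hazard.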
3.2 What about multiple IPLs?
The evaluation of scenario timing becomes even more complex when considering the response of
multiple IPLs. The PST of the scenario remains the same, but other aspects of the evaluation will
be specific to each IPL. IPLs that respond more quickly or with stronger influence over the process
may have an MSP much closer to the occurrence of the hazard, thus providing more flexibility when
considering the desired sequence of IPLs.
An overall scenario evaluation that considers the sequence of activation of multiple IPLs may
promote both safety and operability. If it is possible for one or more IPLs to correct the deviation
without a total shutdown or with less severe secondary consequences it may be useful to ensure
these IPLs can activate and influence the process before more drastic measures are required. For
example, an operator response may be able to completely correct a slowly developing high
pressure condition with no loss of production, though an automated shutdown and loss of
production is preferred to a release via the relief system. When multiple safeguards are employed
against a single hazard, a typical sequencing would provide for automatic control, operator
response, orderly shutdown and idle, emergency shutdown and isolation, followed by containment
or mitigation. If typical sequencing is altered or abandoned for any reason, care should be taken
to ensure that additional hazards are not introduced, such as calling for operators to respond to a
deviation that has already developed into an imminent hazard.
Staging the activation of multiple IPLs also has the benefit of reducing the demand rate on
subsequent IPLs. As long as the core attributes are satisfied, IPLs with overlapping response times
are no less valid than those that are sequenced; however, it is a good practice to reduce unnecessary
demands whenever possible. Should an IPL experience frequent demands (e.g. more than once
per year, or more often than twice the test interval) the simplified mathematics of LOPA may need
to be altered, and the IPL would be said to operate in the High Demand Mode [2].
Figure 4. Unsequenced IPL Response Times
Figure 5. Sequenced IPL Response Times
Figures 4 and 5 above illustrate the effect of IPL sequencing on an IPL’s demand rate. Although
their points of activation are sequenced, the response times and process lag times of the IPLs in
Figure 4 overlap. All IPLs in this scenario would experience the same demand rate. After a
shutdown it would be difficult to determine which was ultimately successful and which may have
failed to prevent the hazard in the time expected. However, if it can be shown that an IPL is
capable of detecting the deviation, completing safe action, and successfully influencing the process
before subsequent IPLs are activated, demands experienced by the subsequent IPLs may decrease
dramatically.
4. Guidelines for Determination of Process Safety Time and Specification of
IPL Response Parameters
4.1 When should Process Safety Time and IPL Response Time be determined?
Determination of PST and the specification of IPL response parameters should be undertaken to
support claims regarding Functionality, Auditability, and controlled Management of Change as
part of a larger effort to validate each of the core attributes of an IPL. IPL validation may require
an iterative process including the potential to reconvene the LOPA teams; therefore, incorporating
IPL validation activities into existing processes in advance of PHA and LOPA revalidations or in
the early stages after a study will facilitate resource management and timely completion.
Procedures developed for IPL validation should include responsibilities, scheduling, and interface
with the PHA and LOPA teams, and guidance for consistent evaluations.
If existing IPLs have not previously been validated, such an effort could begin at any time. In fact,
evaluating existing PHA or LOPA scenarios for PST in advance of a revalidation could reduce the
uncertainty associated with the overall hazard timeline, and allow team time to be focused more
on the evaluation of safeguards and protection layers rather than debating the nature of the hazard.
IRT evaluations could also begin by investigating existing IPLs in the Mechanical Integrity
program. Test procedures and completion records may provide evidence of previously specified
or achieved response times.
The hazard scenario timeline should be considered one of the first steps when designing new
protection layers or justifying existing protection layers. Recalling that PST is not necessarily the
same for each initiating event leading to a particular hazard, the design and validation of IPLs
should consider all scenarios where an IPL is credited. Delaying or deferring such evaluations
increases the risk of purchasing and installing equipment that will not meet response time
requirements, resulting in costly changes or overconfidence that risk tolerance targets have been
met.
4.2 Who should determine Process Safety Time and IPL Response Time?
PST and PLT should be evaluated by an individual or team with specific knowledge of the process,
process equipment, and its operation. Often this may be the unit or project process engineer or
someone working under his or her direction. The evaluation requires access to design
specifications, safe operating limits and other process safety information, and also experience with
the unit operation to ensure assumptions are reasonable and appropriate conclusions are drawn.
Others such as mechanical engineers, maintenance technicians, and operators may also provide
input, especially when issues involve specialized equipment.
Once the PST and PLT have been determined, MART for an IPL can be specified from a given
point of activation, or the MSP can be specified from an estimated IRT. Such evaluations should
be made by the individuals or teams most familiar with the specific design and functional
requirements of each protection layer. Because determination of Process Safety Time and the
specification of IPL response parameters can be quite complex, whatever methods, procedures,
roles, and responsibilities most appropriate for your organization or project should be documented
and communicated to ensure required tasks are carried out and the results are validated prior to
placing the IPLs in service.
4.3 How is uncertainty addressed?
There will undoubtedly be uncertainty associated with the prediction of dynamic process
conditions and it is for this reason that conservative assumptions and appropriate safety margins
must be considered throughout the evaluation. A common rule of thumb has been for an IPL to
respond in less than half the process safety time. This came about as a means of addressing
uncertainty in the process dynamics, measurement uncertainty, measurement lag, as well as the
potential for degraded performance over time; all of which in many cases may be difficult or
impossible to precisely calculate. Such a practice has the benefit of being a simple means to arrive
at a design specification but this may not be appropriate for all situations, especially those where
the PLT may exceed IRT. Instead, a more rigorous evaluation of the scenario timeline should be
performed where some portion of the overall process safety time is allocated to each IPL, and the
IPL response parameters specified within this window. Guidelines for Safe and Reliable
Instrumented Protective Systems [4] recommends designing instrumented IPLs to respond within
50% of their required response time (the portion of PST allocated to the IPL), a more specific and
effective application of this rule of thumb.
5. Conclusions
5.1 What does this mean for the end user?
It would be impractical to perform a complete IPL validation in a team setting; therefore, 
conclusions about the core attributes of an IPL are often drawn during LOPA after a brief mental
evaluation and discussion with little detailed analysis. However, simply specifying a device or
function as an IPL is only the first step. In order to realize and maintain an IPL’s required risk
reduction there should be a formal process to develop and manage documentation validating the
suitability of each IPL for its intended purpose, and supporting evidence that the IPL possesses the
core attributes. Delaying or deferring a complete validation, including Process Safety Time and
IPL Response Time, increases the risk of late design changes or gaps in risk reduction not being
recognized at all. Addressing PST and IRT through a timely and consistent approach promotes
the success of LOPA and facilitates continuous improvement throughout the safety lifecycle.
6. References
[1] CCPS. Guidelines for Enabling Conditions and Conditional Modifiers in Layer of
Protection Analysis. Center for Chemical Process Safety, American Institute of Chemical
Engineers, New York, NY, 2013.
[2] CCPS. Guidelines for Initiating Events and Independent Protection Layers in Layer of
Protection Analysis. Center for Chemical Process Safety, American Institute of Chemical
Engineers, New York, NY, 2015.
[3] CCPS. Layer of Protection Analysis: Simplified Process Risk Assessment. Center for
Chemical Process Safety, American Institute of Chemical Engineers, New York, NY,
2001.
[4] CCPS. Guidelines for Safe and Reliable Instrumented Protective Systems. Center for
Chemical Process Safety, American Institute of Chemical Engineers, New York, NY,
2007.
[5] IEC. IEC 61511 Functional safety – Safety instrumented systems for the process industry
sector, Parts 1–3, edition 1.0. International Electrotechnical Commission, Geneva,
Switzerland, 2003.
[6] IEC. IEC 61508 Functional safety of electrical/electronic/programmable electronic
safety-related systems, Parts 1–7, edition 2.0. International Electrotechnical Commission,
Geneva, Switzerland, 2010.
[7] API. API Recommended Practice 556 Instrumentation, Control, and Protective Systems
for Gas Fired Heaters, second edition. American Petroleum Institute, Washington, DC,
2011.
[8] CCPS. Draft Guidelines for Safe Automation of Chemical Processes, second edition.
Center for Chemical Process Safety, American Institute of Chemical Engineers, New York,
NY, expected publication in 2015.
Program DevelopmentPeer-ReviewedManagementofCExamp.docx
 

aesolutions_impacts_of_process_safety_time_on_layer_of_protection_analysis_white_paper

  • 1. GCPS 2015 __________________________________________________________________________ Impacts of Process Safety Time on Layer of Protection Analysis Geoffrey Barnard, P.E., CFSE aeSolutions Anchorage, AK geoff.barnard@aesolns.com William Creel, CFSE aeSolutions Greenville, SC william.creel@aesolns.com Prepared for Presentation at American Institute of Chemical Engineers 2015 Spring Meeting 11th Global Congress on Process Safety Austin, Texas April 27-29, 2015 UNPUBLISHED AIChE shall not be responsible for statements or opinions contained in papers or printed in its publications
Protection Layers (IPLs) to reduce the risk of a given consequence to a tolerable level. Though many variations of LOPA have been developed in the years since its introduction, recent efforts by industry have focused on the development of more universally accepted criteria for selecting and validating the assumptions and numerical values used in studies.

The recent publication of the CCPS Guidelines for Enabling Conditions and Conditional Modifiers [1] and Guidelines for Initiating Events and Independent Protection Layers [2] has greatly expanded upon the guidance in the original LOPA text [3] while refining and reinforcing necessary considerations. One particularly important area of expansion is in the definitions surrounding the timeline of a hazard scenario. Before seeking to define any aspects or requirements of a particular protection layer, it is important to first understand how the unmitigated hazard scenario develops, and how quickly.
2. Hazard Scenario Timeline

2.1 What is Process Safety Time?

According to the CCPS Guidelines for Safe and Reliable Instrumented Protective Systems, Process Safety Time (PST) is: “the time period between a failure occurring in the process or its control system and the occurrence of the hazardous event.” [4]

This is consistent with the definition found in the Guidelines for Initiating Events and Independent Protection Layers [2] as well as other industry standards applicable to the design of active protective systems.

IEC 61511:2003 Part 2: “the time period between a failure occurring in the process or the basic process control system (with the potential to give rise to a hazardous event) and the occurrence of the hazardous event if the safety instrumented function is not performed” [5].

IEC 61508:2010 Part 4: “period of time between a failure, that has the potential to give rise to a hazardous event, occurring in the EUC [equipment under control] or EUC control system and the time by which action has to be completed in the EUC to prevent the hazardous event occurring” [6].

API 556 second edition, 2011: “the interval between the initiating event leading to an unacceptable process deviation and the hazardous event” [7].

PST is not a specification, but rather a function of the behavior of the process and process equipment within the context of a specific unmitigated hazard scenario. PST can be estimated, calculated, or potentially measured, but by extension of the definitions above PST is necessarily unique to each cause-consequence pair, even when multiple initiating events may eventually lead to the same consequence. This is because each initiating event has the potential to impact process dynamics in different ways. Likewise, a single initiating event may lead to different outcomes due to the inclusion of scenario modifiers, consideration of different operating modes, or consequences affecting different risk receptors. The PST of related but separate scenarios will not necessarily be equivalent.

Determination of PST is the first step in identifying the time potentially available for all protection layers to respond, and will be useful in specifying the required response time of each. PST is not dependent upon the parameters that make up the response of any one protection layer. Some resources in the past have defined PST in terms of the point of activation of a particular IPL. Such a definition is problematic in that it implies there is a different PST for each IPL, complicating the evaluation of a scenario as a whole. These resources have attempted to define a means for estimating the time available for a particular protection layer to take action and affect the process from a given point of activation; while this is a worthy endeavor, it should not be confused with Process Safety Time.
2.2 How is Process Safety Time determined?

Unless measured in retrospect after a hazard has occurred, PST would be quite difficult to determine precisely. The exact conditions under which a hazard scenario may develop are debatable, and it is not necessarily useful to consider PST to be a single specific value at which a hazardous event will immediately occur in all circumstances. Instead, the objective is to estimate a lower boundary in time at which hazardous potential is likely to exist under worst-case conditions, so that protection layers may be specified and designed with sufficient speed of response for any credible scenario.

One method for determining PST is to identify the process variable that is most closely associated with the occurrence of the hazardous event, and its likely value at the time of the hazardous event or the point at which the hazard can no longer be reliably prevented. There may be considerable uncertainty associated with the occurrence of the hazardous event, so this may be conservatively associated with a known design limit of the equipment. For example, loss of containment may be imminent when pressure continues to rise above the Maximum Allowable Working Pressure (MAWP). The upper limit of normal operating pressure and the MAWP of the vessel must then be used to estimate PST. The amount of time between these two discrete points in time, initiating event and hazardous event, depends on the estimated rate of change of the process variable due to the initiating event.

Figure 1. Timeline of a hazard scenario

Eq. 1
- PST: Process Safety Time, time between Initiating Event and Hazardous Event;
- PVIE: the initial value of the process variable of interest at the time of the Initiating Event; may be assumed to be at the extreme of the normal operating range nearest the hazard;
- PVHE: the value of the process variable of interest at the time the Hazardous Event occurs or can no longer be prevented; may be assumed to be at the design limit of the equipment;
- PVROC: the estimated Rate of Change of the process variable of interest under worst-case credible conditions in the context of the specific hazard scenario.

Each of these three variables will be completely dependent upon the specific process, process equipment, and even the mode of operation. Certain cases, such as liquid level in a storage vessel, may be calculated from known operating conditions and design parameters. Other cases, such as those involving reaction chemistry, may require creation of a process model and consideration of non-linear rates of change. PST estimates may also be made, or assumptions corroborated, by examining actual deviations recorded in the control system’s process data historian.

Once the analysis is complete and PST has been determined for each scenario, the data and assumptions will be quite useful for subsequent activities and should be maintained as valuable Process Safety Information (PSI). Not only is PST useful for protection layer design, but also as a reference for operations, and for assigning pass/fail criteria for maintenance and testing procedures. Having a documented PST basis will also be important for revalidation efforts when assumptions are revisited, and supports Auditability and Management of Change (MOC), other core attributes of IPLs.

3. Timing Aspects of IPL Functionality

3.1 What must happen within the Process Safety Time?

Once the PST has been determined and the boundaries of each scenario timeline have been established, new IPLs may be designed with, or existing safeguards evaluated for, adequate and timely functionality. To do so, several additional terms of interest related to the individual protection layers must be assessed.
The first of these is the IPL Response Time (IRT): “the time necessary for the IPL to detect the out-of-limit condition and complete the actions necessary to stop the progression of the process away from a safe state.” [2] IRT encompasses all aspects and components of the IPL that contribute to its effectiveness in preventing the hazard, and should take into account the time to detect the condition (including measurement lag), determine the appropriate course of action, initiate the necessary action(s), and complete the action(s). For a simple mechanical IPL, such as a pressure relief valve, the IRT may be relatively straightforward to determine; for instrumented IPLs that are comprised of a series of complex components, or IPLs involving a human response, the evaluation must consider a number of variables.

What IRT does not include is the time for the process to react to an IPL action and reach a safe state. This time period is known as the Process Lag Time (PLT) [2] and is perhaps the variable with the most uncertainty. Once the IPL has completed its action there may be a period of time before the action is effective in stopping or reversing the hazardous condition. For each IPL under consideration, the sum of IRT and PLT must be less than the PST for the IPL to be considered effective.
Eq. 2
- PST: Process Safety Time, time between Initiating Event and Hazardous Event;
- IRT: IPL Response Time, total time for the IPL to detect the deviation and complete safe action;
- PLT: Process Lag Time, time between completion of the IPL’s safe action and the process being influenced away from the hazard.

As with PST, PLT is dependent upon the process and the specific equipment and conditions, but unlike PST, PLT must also consider the characteristics of the IPL action. For example, the PLT associated with opening a quench water valve to cool a reaction will depend not only on the dynamics of the reaction and the capacity of the reactor, but also on the flow rate of the cooling water. A design change in the cooling water system may have minimal impact on IRT, but could significantly change PLT.

If IRT and PLT are known or can be approximated conservatively, these values can be used to specify a Maximum Setpoint (MSP) [2] at which the IPL must be activated before losing its ability to effectively prevent the excursion from violating Safe Operating Limits (SOL). Designing and specifying IPL response parameters in terms of the safe upper and lower operating limits rather than equipment design limits is intended to provide a margin of safety before reaching the hazardous event.

Figure 2. Timeline of IPL response to a hazardous condition, determining MSP
Eq. 3
- MSP: Maximum Setpoint, the maximum value of the process variable of interest at the point of IPL activation that allows sufficient time to detect, complete action, and for the process to respond;
- PVSOL: the Safe Operating Limit of the process variable of interest;
- PVROC: the estimated Rate Of Change of the process variable of interest under worst-case credible conditions in the context of the specific hazard scenario;
- IRT: IPL Response Time, total time for the IPL to detect the deviation and complete safe action;
- PLT: Process Lag Time, time between completion of the IPL’s safe action and the process being influenced away from the hazard.

Should the value of MSP fall within the normal operating range, it is likely that the IPL is ineffective and must be redesigned with a shorter IRT, resized or reconfigured for a shorter PLT, or replaced with an alternative IPL. It would be impractical to take action in response to a normal operating condition; therefore the time that exists between the initiating event and the point at which a deviation can be reliably detected (i.e. the extents of normal operation) is generally not time available for an IPL to respond.

When evaluating an existing device or function as an IPL it is most likely that PLT and IRT can be estimated from the known design parameters, or perhaps from records of previous testing. When practical, measuring IRT under actual process conditions will more accurately reflect performance during the period of demand, particularly in cases where valves are attempting to close in lines with increasing pressure. Using this data the MSP may be specified and the existing setpoint evaluated against this specification. However, when new IPLs are proposed it is likely that the IRT and PLT will not be fixed or otherwise known. The design process must evaluate what capacity is required of the function to minimize PLT, so that an MSP can be specified based on the shortest available PST from all relevant scenarios, or so that a Maximum Allowable Response Time (MART) [8] can be specified from a desired point of activation.
Figure 3. Timeline of IPL response to a hazardous condition, determining MART

Eq. 4
- MART: Maximum Allowable Response Time, the maximum total time for an IPL to detect the deviation and complete safe action;
- PVSOL: the Safe Operating Limit of the process variable of interest;
- PVSP: the value of the process variable of interest where the IPL is designed to take action;
- PVROC: the estimated Rate Of Change of the process variable of interest under worst-case credible conditions in the context of the specific hazard scenario;
- PLT: Process Lag Time, time between completion of the IPL’s safe action and the process being influenced away from the hazard.

An evaluation of MSP and/or MART should be incorporated into the design process and used as a tool to refine IPL specifications and appropriately manage changes over time. MART from a given setpoint may also be used to develop pass/fail criteria in test procedures, to ensure that specifications continue to be met over time and that components have not been adversely affected by wear-out and fatigue.

3.2 What about multiple IPLs?

The evaluation of scenario timing becomes even more complex when considering the response of multiple IPLs. The PST of the scenario remains the same, but other aspects of the evaluation will be specific to each IPL. IPLs that respond more quickly or with stronger influence over the process may have an MSP much closer to the occurrence of the hazard, thus providing more flexibility when considering the desired sequence of IPLs.
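The relations described around Eq. 1 to Eq. 4 above, worked through in code. This is an added example, not code from the paper or from aeSolutions: the page gives the equations only through their variable definitions, so the algebraic forms used here (PST as the PV travel time from PVIE to PVHE, MSP as PVSOL backed off by PVROC times IRT plus PLT, MART as the travel time from PVSP to PVSOL less PLT) are reconstructed from those definitions and are an assumption of this example, as are the vessel pressure figures, which are constructed for illustration only. The function and class names are likewise the example's own.

```python
"""Scenario timeline evaluation from Eq. 1 to Eq. 4 (added example, not the paper's own).

Reconstructed forms (assumption of this example, derived from the variable definitions):
    PST  = (PVHE - PVIE) / PVROC                      Eq. 1
    IRT + PLT < PST                                   Eq. 2 (IPL effectiveness)
    MSP  = PVSOL - PVROC * (IRT + PLT)                Eq. 3
    MART = (PVSOL - PVSP) / PVROC - PLT               Eq. 4
A positive PVROC models a rising variable (pressure, level); a negative PVROC models
a falling one (flow, level in a suction drum). All numeric values are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    pv_ie: float   # PVIE: PV at the Initiating Event (edge of normal range nearest the hazard)
    pv_sol: float  # PVSOL: Safe Operating Limit
    pv_he: float   # PVHE: PV at which the Hazardous Event occurs (e.g. MAWP)
    pv_roc: float  # PVROC: worst-case credible rate of change, PV units per minute

    def travel_time(self, pv_from: float, pv_to: float) -> float:
        """Minutes for the PV to move from pv_from to pv_to at PVROC.
        Negative means pv_to lies behind pv_from relative to the hazard direction."""
        return (pv_to - pv_from) / self.pv_roc

    def __post_init__(self) -> None:
        if self.pv_roc == 0:
            raise ValueError("PVROC must be non-zero")
        if self.travel_time(self.pv_ie, self.pv_sol) < 0 or self.travel_time(self.pv_sol, self.pv_he) < 0:
            raise ValueError("PVIE, PVSOL and PVHE must lie in that order along the direction of PVROC")


@dataclass(frozen=True)
class IPL:
    name: str
    irt: float                        # IPL Response Time (minutes)
    plt: float                        # Process Lag Time (minutes)
    setpoint: Optional[float] = None  # PVSP once chosen; None for a new IPL without one


def process_safety_time(s: Scenario) -> float:
    """Eq. 1: time from Initiating Event to Hazardous Event."""
    return s.travel_time(s.pv_ie, s.pv_he)


def is_effective(s: Scenario, ipl: IPL) -> bool:
    """Eq. 2: IRT + PLT must be strictly less than PST."""
    return ipl.irt + ipl.plt < process_safety_time(s)


def maximum_setpoint(s: Scenario, ipl: IPL) -> float:
    """Eq. 3: latest PV at which activation still leaves IRT + PLT before the SOL."""
    return s.pv_sol - s.pv_roc * (ipl.irt + ipl.plt)


def maximum_allowable_response_time(s: Scenario, pv_sp: float, plt: float) -> float:
    """Eq. 4: longest IRT permitted when the IPL activates at pv_sp."""
    return s.travel_time(pv_sp, s.pv_sol) - plt


def evaluate(s: Scenario, ipl: IPL) -> dict:
    """Roll the four relations into one verdict for an IPL credited in this scenario."""
    pst = process_safety_time(s)
    msp = maximum_setpoint(s, ipl)
    # An MSP at or behind the edge of normal operation means the IPL would have to act
    # on a normal condition; the paper treats such an IPL as ineffective as designed.
    msp_in_normal_range = s.travel_time(s.pv_ie, msp) <= 0
    result = {
        "ipl": ipl.name,
        "pst_min": pst,
        "effective": is_effective(s, ipl) and not msp_in_normal_range,
        "msp": msp,
        "msp_in_normal_range": msp_in_normal_range,
        "mart_min": None,
        "setpoint_ok": None,
    }
    if ipl.setpoint is not None:
        mart = maximum_allowable_response_time(s, ipl.setpoint, ipl.plt)
        result["mart_min"] = mart
        # The chosen setpoint is acceptable only if the IPL's actual IRT fits within MART.
        result["setpoint_ok"] = ipl.irt <= mart
    return result


# Constructed example: vessel overpressure in psig, rising 5 psig/min from the top of the
# normal range (150) past the SOL (180) to the MAWP (200). Values are illustrative only.
VESSEL = Scenario("Vessel high pressure", pv_ie=150.0, pv_sol=180.0, pv_he=200.0, pv_roc=5.0)
SIF = IPL("High-pressure SIF", irt=0.5, plt=1.5, setpoint=165.0)
OPERATOR = IPL("Alarm and operator response", irt=10.0, plt=2.0)
LATE_SIF = IPL("SIF with late setpoint", irt=1.0, plt=1.0, setpoint=175.0)

if __name__ == "__main__":
    for candidate in (SIF, OPERATOR, LATE_SIF):
        print(evaluate(VESSEL, candidate))
```

With these constructed figures the PST is 10 minutes; the SIF has an MSP of 170 psig and 1.5 minutes of MART from its 165 psig setpoint, the operator response cannot fit within the PST and its MSP (120 psig) lands inside normal operation, and the late-setpoint SIF has an MART of zero at 175 psig, so its setpoint must be lowered even though the IPL itself is fast enough.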
An overall scenario evaluation that considers the sequence of activation of multiple IPLs may promote both safety and operability. If it is possible for one or more IPLs to correct the deviation without a total shutdown, or with less severe secondary consequences, it may be useful to ensure these IPLs can activate and influence the process before more drastic measures are required. For example, an operator response may be able to completely correct a slowly developing high pressure condition with no loss of production, though an automated shutdown and loss of production is preferred to a release via the relief system. When multiple safeguards are employed against a single hazard, a typical sequencing would provide for automatic control, operator response, orderly shutdown and idle, emergency shutdown and isolation, followed by containment or mitigation. If typical sequencing is altered or abandoned for any reason, care should be taken to ensure that additional hazards are not introduced, such as calling for operators to respond to a deviation that has already developed into an imminent hazard.

Staging the activation of multiple IPLs also has the benefit of reducing the demand rate on subsequent IPLs. As long as the core attributes are satisfied, IPLs with overlapping response times are no less valid than those that are sequenced; however, it is a good practice to reduce unnecessary demands whenever possible. Should an IPL experience frequent demands (e.g. more than once per year, or more often than twice the test interval) the simplified mathematics of LOPA may need to be altered, and the IPL would be said to operate in the High Demand Mode [2].

Figure 4. Unsequenced IPL Response Times

Figure 5. Sequenced IPL Response Times

Figures 4 and 5 above illustrate the effect of IPL sequencing on an IPL’s demand rate. Although their points of activation are sequenced, the response times and process lag times of the IPLs in Figure 4 overlap. All IPLs in this scenario would experience the same demand rate. After a shutdown it would be difficult to determine which was ultimately successful and which may have failed to prevent the hazard in the time expected. However, if it can be shown that an IPL is capable of detecting the deviation, completing safe action, and successfully influencing the process before subsequent IPLs are activated, the demands experienced by the subsequent IPLs may decrease dramatically.

4. Guidelines for Determination of Process Safety Time and Specification of IPL Response Parameters

4.1 When should Process Safety Time and IPL Response Time be determined?

Determination of PST and the specification of IPL response parameters should be undertaken to support claims regarding Functionality, Auditability, and controlled Management of Change as part of a larger effort to validate each of the core attributes of an IPL. IPL validation may require an iterative process, including the potential to reconvene the LOPA teams; therefore incorporating IPL validation activities into existing processes in advance of PHA and LOPA revalidations, or in the early stages after a study, will facilitate resource management and timely completion. Procedures developed for IPL validation should include responsibilities, scheduling, interface with the PHA and LOPA teams, and guidance for consistent evaluations.

If existing IPLs have not previously been validated, such an effort could begin at any time. In fact, evaluating existing PHA or LOPA scenarios for PST in advance of a revalidation could reduce the uncertainty associated with the overall hazard timeline, and allow team time to be focused more on the evaluation of safeguards and protection layers rather than on debating the nature of the hazard. IRT evaluations could also begin by investigating existing IPLs in the Mechanical Integrity program.
Test procedures and completion records may provide evidence of previously specified or achieved response times.

The hazard scenario timeline should be considered one of the first steps when designing new protection layers or justifying existing protection layers. Recalling that PST is not necessarily the same for each initiating event leading to a particular hazard, the design and validation of IPLs should consider all scenarios where an IPL is credited. Delaying or deferring such evaluations increases the risk of purchasing and installing equipment that will not meet response time requirements, resulting in costly changes or overconfidence that risk tolerance targets have been met.

4.2 Who should determine Process Safety Time and IPL Response Time?

PST and PLT should be evaluated by an individual or team with specific knowledge of the process, process equipment, and its operation. Often this may be the unit or project process engineer or someone working under his or her direction. The evaluation requires access to design specifications, safe operating limits and other process safety information, and also experience with the unit operation to ensure assumptions are reasonable and appropriate conclusions are drawn. Others such as mechanical engineers, maintenance technicians, and operators may also provide input, especially when issues involve specialized equipment.
Once the PST and PLT have been determined, MART for an IPL can be specified from a given point of activation, or the MSP can be specified from an estimated IRT. Such evaluations should be made by the individuals or teams most familiar with the specific design and functional requirements of each protection layer. Because determination of Process Safety Time and the specification of IPL response parameters can be quite complex, whatever methods, procedures, roles, and responsibilities are most appropriate for your organization or project should be documented and communicated to ensure required tasks are carried out and the results are validated prior to placing the IPLs in service.

4.3 How is uncertainty addressed?

There will undoubtedly be uncertainty associated with the prediction of dynamic process conditions, and it is for this reason that conservative assumptions and appropriate safety margins must be considered throughout the evaluation. A common rule of thumb has been for an IPL to respond in less than half the process safety time. This came about as a means of addressing uncertainty in the process dynamics, measurement uncertainty, measurement lag, as well as the potential for degraded performance over time, all of which in many cases may be difficult or impossible to precisely calculate. Such a practice has the benefit of being a simple means to arrive at a design specification, but it may not be appropriate for all situations, especially those where the PLT may exceed IRT. Instead, a more rigorous evaluation of the scenario timeline should be performed, where some portion of the overall process safety time is allocated to each IPL and the IPL response parameters are specified within this window.
The Guidelines for Safe and Reliable Instrumented Protective Systems [4] recommend designing instrumented IPLs to respond within 50% of their required response time (the portion of PST allocated to the IPL), a more specific and effective application of this rule of thumb.

5. Conclusions

5.1 What does this mean for the end user?

It would be impractical to perform a complete IPL validation in a team setting; therefore conclusions about the core attributes of an IPL are often drawn during LOPA after a brief mental evaluation and discussion, with little detailed analysis. However, simply specifying a device or function as an IPL is only the first step. In order to realize and maintain an IPL’s required risk reduction there should be a formal process to develop and manage documentation validating the suitability of each IPL for its intended purpose, and supporting evidence that the IPL possesses the core attributes. Delaying or deferring a complete validation, including Process Safety Time and IPL Response Time, increases the risk of late design changes or of gaps in risk reduction not being recognized at all. Addressing PST and IRT through a timely and consistent approach promotes the success of LOPA and facilitates continuous improvement throughout the safety lifecycle.
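The IPL sequencing contrasted in Figures 4 and 5 (section 3.2) and the allocation of PST portions with the 50%-of-allocation design rule (section 4.3), worked through together in code. This is an added example, not code from the paper or from aeSolutions. It assumes an IPL activates when the process variable reaches its setpoint, that activation time is (PVSP minus PVIE) divided by PVROC, that the IPL has influenced the process at activation plus IRT plus PLT, and that each IPL's allocated window runs from its own activation to the next IPL's activation (the last window ending at the Safe Operating Limit); those modelling choices, the class and function names, and all the pressure figures are constructed for illustration.

```python
"""IPL sequencing and PST allocation (added example; not the paper's own code).

Models a rising process variable. An IPL activates at its setpoint and has influenced
the process IRT + PLT later. Demand on a later IPL is treated as reduced when some
earlier IPL has finished influencing the process before the later one activates
(Figure 5); overlapping responses (Figure 4) leave all IPLs with the same demand rate.
Window allocation and all numeric values are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    pv_ie: float   # PV at the initiating event (edge of normal operation)
    pv_sol: float  # Safe Operating Limit
    pv_he: float   # PV at the hazardous event
    pv_roc: float  # worst-case rate of change toward the hazard (units/min, > 0 here)


@dataclass(frozen=True)
class IPL:
    name: str
    setpoint: float  # PVSP: PV at which the IPL activates
    irt: float       # IPL Response Time (min)
    plt: float       # Process Lag Time (min)


def timeline(s: Scenario, ipls: List[IPL]) -> List[dict]:
    """Activation and completion time of each IPL, ordered by activation."""
    rows = []
    for ipl in ipls:
        t_act = (ipl.setpoint - s.pv_ie) / s.pv_roc
        rows.append({"ipl": ipl, "t_act": t_act, "t_done": t_act + ipl.irt + ipl.plt})
    return sorted(rows, key=lambda r: r["t_act"])


def demand_reduced(s: Scenario, ipls: List[IPL]) -> Dict[str, bool]:
    """True when an earlier IPL completes (IRT + PLT) before this IPL activates."""
    rows = timeline(s, ipls)
    out: Dict[str, bool] = {}
    for i, row in enumerate(rows):
        out[row["ipl"].name] = any(prev["t_done"] <= row["t_act"] for prev in rows[:i])
    return out


def allocate(s: Scenario, ipls: List[IPL], fraction: float = 0.5) -> List[dict]:
    """Allocate a window of the PST to each IPL and apply the 50%-of-allocation rule."""
    rows = timeline(s, ipls)
    t_sol = (s.pv_sol - s.pv_ie) / s.pv_roc   # last window ends at the SOL (assumption)
    out = []
    for i, row in enumerate(rows):
        end = rows[i + 1]["t_act"] if i + 1 < len(rows) else t_sol
        window = end - row["t_act"]
        target = fraction * window
        out.append({"ipl": row["ipl"].name, "window_min": window,
                    "irt_target_min": target, "meets_rule": row["ipl"].irt <= target})
    return out


def half_pst_rule(s: Scenario, ipls: List[IPL]) -> Dict[str, bool]:
    """The older rule of thumb: IRT under half the whole PST, ignoring PLT and allocation."""
    pst = (s.pv_he - s.pv_ie) / s.pv_roc
    return {ipl.name: ipl.irt < pst / 2 for ipl in ipls}


# Constructed scenario: pressure rising 10 psig/min from 100 (top of normal) to 200 (MAWP), SOL 160.
VESSEL = Scenario(pv_ie=100.0, pv_sol=160.0, pv_he=200.0, pv_roc=10.0)

# Figure 4 style: setpoints are staged but the responses overlap.
UNSEQUENCED = [
    IPL("Operator", setpoint=110.0, irt=4.0, plt=1.0),
    IPL("SIF", setpoint=120.0, irt=0.5, plt=1.5),
    IPL("Relief", setpoint=150.0, irt=0.1, plt=0.4),
]

# Figure 5 style: each IPL finishes influencing the process before the next one activates.
SEQUENCED = [
    IPL("Operator", setpoint=110.0, irt=1.5, plt=1.0),
    IPL("SIF", setpoint=135.0, irt=0.5, plt=1.5),
    IPL("Relief", setpoint=155.0, irt=0.1, plt=0.4),
]

if __name__ == "__main__":
    print("unsequenced:", demand_reduced(VESSEL, UNSEQUENCED))
    print("sequenced:  ", demand_reduced(VESSEL, SEQUENCED))
    for row in allocate(VESSEL, SEQUENCED):
        print(row)
    print("half-PST rule:", half_pst_rule(VESSEL, SEQUENCED))
```

In the sequenced set every IPL passes the old half-PST rule (PST is 10 minutes), yet the operator response, with 1.5 minutes of IRT inside a 2.5 minute allocation, misses the 50%-of-allocation target, which is the kind of gap the allocation-based evaluation in section 4.3 is meant to expose.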
6. References

[1] CCPS. Guidelines for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, 2013.
[2] CCPS. Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, 2015.
[3] CCPS. Layer of Protection Analysis: Simplified Process Risk Assessment. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, 2001.
[4] CCPS. Guidelines for Safe and Reliable Instrumented Protective Systems. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, 2007.
[5] IEC. IEC 61511 Functional safety – Safety instrumented systems for the process industry sector, Parts 1–3, edition 1.0. International Electrotechnical Commission, Geneva, Switzerland, 2003.
[6] IEC. IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems, Parts 1–7, edition 2.0. International Electrotechnical Commission, Geneva, Switzerland, 2010.
[7] API. API Recommended Practice 556 Instrumentation, Control, and Protective Systems for Gas Fired Heaters, second edition. American Petroleum Institute, Washington, DC, 2011.
[8] CCPS. Draft Guidelines for Safe Automation of Chemical Processes, second edition. Center for Chemical Process Safety, American Institute of Chemical Engineers, New York, NY, expected publication in 2015.