
Layers Of Protection Analysis
Method for SIL Determination
ADNOC COP V5.04

Definition
A method that uses the event-consequence pairs identified during hazard analysis to determine the likelihood of the undesired event, and compares that likelihood with the company's tolerable risk guidelines to confirm the adequacy of the safeguards in the design of process facilities.

Methodology

LOPA HAZOP LINK

HAZOP                          LOPA
Consequence                    Impact Event
Consequence Severity           Severity Level
Cause                          Initiating Event
Cause Frequency                Initiating Event Likelihood
Existing Safeguards            Protection Layers
Recommended New Safeguards     Additional Mitigation

Level of protection

SIL   PFD                  RRF              PFH
      0.0001 to 0.00001    10000 - 100000
3     0.001 to 0.0001      1000 - 10000
2     0.01 to 0.001        100 - 1000
1     0.1 to 0.01          10 - 100

IPL Criteria
Specific - The IPL is specifically designed to prevent or mitigate the consequences of a potentially hazardous event.
Independent - The IPL must be truly independent of the other protection layers, i.e. common cause failure is not tolerated.
Dependable - The IPL can be counted upon to do what it was intended to do.
Auditable - The IPL will be designed so that it can be audited, and a system to audit and maintain it will be provided.

IPL PFD

Initiating Event                                                  Frequency Range from Literature (per year)   Typical value used in LOPA (per year)
Pressure vessel residual failure                                  10^-5 to 10^-7                               1 x 10^-6
Piping residual failure (100m) - Full Breach                      10^-5 to 10^-6                               1 x 10^-5
Piping leak (10% section) - 100m                                  10^-3 to 10^-4                               1 x 10^-3
Atmospheric tank failure                                          10^-3 to 10^-5                               1 x 10^-3
Gasket/packing blowout                                            10^-2 to 10^-6                               1 x 10^-2
Turbine/diesel engine over-speed with casing breach               10^-3 to 10^-4                               1 x 10^-4
Third party intervention (external impact by backhoe, vehicle, etc.)  10^-2 to 10^-4                           1 x 10^-2
Crane load drop                                                   10^-3 to 10^-4 per lift                      1 x 10^-4 per lift
Lightning strike                                                  10^-3 to 10^-4                               1 x 10^-3
Safety valve opens spuriously                                     10^-2 to 10^-4                               1 x 10^-2
Cooling water failure                                             1 to 10^-2                                   1 x 10^-1
Pump seal failure                                                 10^-1 to 10^-2                               1 x 10^-1
Unloading/loading hose failure                                    1 to 10^-2                                   1 x 10^-1
BPCS instrument loop failure (see note)                           1 to 10^-2                                   1 x 10^-1
Regulator failure                                                 1 to 10^-1                                   1 x 10^-1
Small external fire (aggregate causes)                            10^-1 to 10^-2                               1 x 10^-1
Large external fire (aggregate causes)                            10^-2 to 10^-3                               1 x 10^-2
LOTO (lock-out tag-out) procedure* failure                        10^-3 to 10^-4 per opportunity               1 x 10^-3 per opportunity
Operator failure (to execute routine procedure, assuming well trained, unstressed, not fatigued)  10^-1 to 10^-3              1 x 10^-2

Note (BPCS instrument loop failure): IEC 61511 limit is > 1 x 10^-5/hr or 8.76 x 10^-2/yr.
*Overall failure of a multiple-element process.

IPL PFD - Active

Comments assume an adequate design basis and adequate inspection & maintenance procedures.

Relief valve, test interval < 3 years
  Comments: Prevents system exceeding specified overpressure. Effectiveness of this device is sensitive to service and experience.
  PFD from literature and industry: 10^-1 to 10^-5
  Recommended PFD: 10^-2

Relief valve, test interval > 3 years
  Comments: Prevents system exceeding specified overpressure. Effectiveness of this device is sensitive to service and experience.
  Recommended PFD: 10^-1

Rupture disc
  Comments: Prevents system exceeding specified overpressure. Effectiveness can be very sensitive to service and experience.
  PFD from literature and industry: 10^-1 to 10^-5
  Recommended PFD: 10^-2

Basic Process Control System (BPCS)
  Comments: Can be credited as an IPL if not associated with the initiating event being considered (see also Chapter 11). (See IEC 61508 (IEC, 1998) and IEC 61511 (IEC, 2001) for additional discussion.)
  PFD from literature and industry: 10^-1 to 10^-2
  Recommended PFD: 10^-1

Non-Return Valves (single NRV)
  Comments: It can normally be assumed that a NRV will operate correctly in 9oo10 cases of demand, i.e. it will reduce the demand rate on the instrumented backflow system by a factor of 10. Credit may only be taken if the NRV is inspected on a regular basis. It is normally assumed that a small amount of leakage across the NRV can be tolerated.
  PFD from literature and industry: Taken from Shell DEP32.80.10.10-Gen (July 2008)
  Recommended PFD: 10^-1

Non-Return Valves (two NRVs in series)
  Comments: Where two NRVs are installed in series, the demand rate reduction claimed should not exceed a factor of 50 (instead of 10*10) in view of common mode failures that affect both NRVs simultaneously. Credit may only be taken if the NRVs are inspected on a regular basis.
  PFD from literature and industry: Taken from Shell DEP32.80.10.10-Gen (July 2008)
  Recommended PFD: 5 x 10^-1

Automatic Start-up of Standby Pump
  Comments: This protection is for the mechanical failure of the duty pump. It cannot be an IPL where failure of the duty pump is due to a failure of the BPCS and the auto start-up of the standby pump is initiated by the same BPCS.
  PFD from literature and industry: Taken to be the same PFD as BPCS
  Recommended PFD: 10^-1

SIL 1 IPL
  Comments: Typically consists of: Single sensor (redundant for fault tolerance)
  PFD from literature and industry: 10^-2 to <10^-1
  Recommended PFD: 10^-1 (unless actual

IPL PFD - Mitigative

Comments assume an adequate design basis and adequate inspection & maintenance procedures.

Bund (Dyke)
  Comments: Will reduce the frequency of large consequences.
  PFD from literature and industry: 1 x 10^-2 to 1 x 10^-3
  Recommended PFD: 1 x 10^-2

Underground Drainage System
  Comments: Will reduce the frequency of large consequences (widespread spill) of a tank overfill/rupture/spill/etc.
  PFD from literature and industry: 1 x 10^-2 to 1 x 10^-3
  Recommended PFD: 1 x 10^-2

Open Vent (no valve)
  Comments: Will prevent over pressure.
  PFD from literature and industry: 1 x 10^-2 to 1 x 10^-3
  Recommended PFD: 1 x 10^-2

Fireproofing
  Comments: Will reduce rate of heat input and provide additional time for depressurizing/firefighting/etc.
  PFD from literature and industry: 1 x 10^-2 to 1 x 10^-3
  Recommended PFD: 1 x 10^-2

Blast-wall/Bunker
  Comments: Will reduce the frequency of large consequences of an explosion by confining blast and protecting equipment/buildings/etc.
  PFD from literature and industry: 1 x 10^-2 to 1 x 10^-3
  Recommended PFD: 1 x 10^-3

"Inherently Safe" Design
  Comments: If properly implemented can significantly reduce the frequency of consequences associated with a scenario. Note: the LOPA rules for some companies allow inherently safe design features to eliminate certain scenarios (e.g., vessel design pressure exceeds all possible high pressure challenges).
  PFD from literature and industry: 1 x 10^-1 to 1 x 10^-6
  Recommended PFD: 1 x 10^-2

Flame/Detonation Arrestors
  Comments: If properly designed, installed and maintained these should eliminate the potential for flashback through a piping system or into a vessel or tank.
  PFD from literature and industry: 1 x 10^-1 to 1 x 10^-3
  Recommended PFD: 1 x 10^-2

IPL PFD - Human Intervention

Comments assume an adequate design basis and adequate inspection & maintenance procedures.

Human action with 10 minutes response time
  Comments: Simple well-documented action with clear and reliable indications that the action is required.
  PFD from literature and industry: 10^0 to 10^-1
  Recommended PFD: 10^-1

Human response to BPCS indication or alarm with 40 minutes response time
  Comments: Simple well-documented action with clear and reliable indications that the action is required. (The PFD is limited by IEC 61511.)
  PFD from literature and industry: 10^-1
  Recommended PFD: 10^-1

Human action with 40 minutes response time
  Comments: Simple well-documented action with clear and reliable indications that the action is required.
  PFD from literature and industry: 10^-1 to 10^-2
  Recommended PFD: 10^-1

IPL PFD - Event Modifier Factors

Situation or Condition (General Description)   Qualifying Parameters                                                                                  Modifying Factor
Operator Presence per 24 hours                 Exposed to Risk < 2 hours                                                                              0.1
                                               Exposed to Risk 2 to 12 hours                                                                          0.5
                                               Exposed to Risk > 12 hours                                                                             1.0
Flammable or Toxic Gas Release                 High Probability of Avoidance: High Coverage of Gas Detectors in affected areas together with Visual/Audible Annunciation   0.5
                                               Limited Probability of Avoidance: Limited or No Gas detection Coverage                                 1.0

Safety Layer of Protection Analysis

[Diagram: the initiating event X passes through IPL 1, IPL 2, IPL 3, ..., IPL n in turn. At each layer the event is either stopped (Safe/tolerable) or the layer fails (Unsafe, Y1; Unsafe, Y2; ...); the frequency of the event surviving every layer is the unmitigated event frequency (unsafe).]

The unmitigated event frequency, or the likelihood that the undesired event will occur, is the product of the initiating event frequency and the probabilities of failure of each IPL:

$P_{consequence} = X \prod_{i=1}^{n} Y_i$

where X is the initiating event frequency and Y_i is the probability of failure of IPL i.
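The following Python script is an added worked example, not part of the ADNOC presentation: it applies the formula above, the event modifier factors and the SIL/RRF bands from this page to one scenario built from the page's typical values. The tolerable event frequency of 1 x 10^-5 per year is an assumed company target, not a figure from the page.

```python
# Added worked LOPA example (not from the ADNOC page). Values come from the
# page's tables except TOLERABLE_FREQ, which is an assumed company target.

# SIL bands as (SIL, lower RRF, upper RRF) from the page's SIL/PFD/RRF table.
SIL_BANDS = [(1, 10.0, 100.0), (2, 100.0, 1000.0), (3, 1000.0, 10000.0)]

# Event modifier factors from the page's table.
OPERATOR_PRESENCE = {"<2h": 0.1, "2-12h": 0.5, ">12h": 1.0}
GAS_RELEASE = {"high_detector_coverage": 0.5, "limited_or_no_coverage": 1.0}

TOLERABLE_FREQ = 1e-5  # assumed tolerable event frequency per year (not on the page)

def consequence_frequency(initiating_freq, ipl_pfds, modifiers=()):
    """P_consequence = X * prod(Y_i), scaled by any event modifier factors."""
    freq = initiating_freq
    for pfd in ipl_pfds:
        freq *= pfd
    for factor in modifiers:
        freq *= factor
    return freq

def nrv_demand_reduction(n_in_series):
    """Demand-rate reduction credit for inspected NRVs: a factor of 10 for
    one NRV, capped at 50 (not 10*10) for two in series, per the page."""
    if n_in_series == 1:
        return 10.0
    if n_in_series == 2:
        return 50.0
    raise ValueError("the page gives credit only for one or two NRVs")

def required_sil(initiating_freq, ipl_pfds, tolerable_freq, modifiers=()):
    """Return (required RRF, SIL) for an added SIF. SIL is None when existing
    layers already meet the target and 0 when the shortfall is below SIL 1."""
    freq = consequence_frequency(initiating_freq, ipl_pfds, modifiers)
    if freq <= tolerable_freq:
        return 1.0, None
    rrf = freq / tolerable_freq
    if rrf < 10.0:
        return rrf, 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return rrf, sil
    raise ValueError("required RRF %.0f is beyond the SIL 3 band" % rrf)

if __name__ == "__main__":
    # Scenario: cooling water failure (typical 1 x 10^-1 /yr on the page), one
    # independent BPCS loop as IPL (PFD 10^-1), operator exposed 2 to 12 hours.
    rrf, sil = required_sil(1e-1, [1e-1], TOLERABLE_FREQ, [OPERATOR_PRESENCE["2-12h"]])
    print("required RRF %.0f -> SIL %s" % (rrf, sil))  # required RRF 500 -> SIL 2
```

Adding a second independent layer changes the result: with a relief valve (PFD 10^-2) credited as well, the same scenario falls to an RRF of 5, below the SIL 1 band.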
