
Using Layer of Protection Analysis to Define Safety Integrity Level Requirements

Raymond Freeman, S&PP Consulting, 12303 Lake Shore Ridge, Houston, TX 77041; [email protected] (for correspondence)

Published online 6 June 2007 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10203

The recent publication of ANSI/ISA standard S84.01-2004 defines the safety life cycle for the design and installation of safety instrumented functions (SIFs) using safety instrumented systems (SISs). However, the determination of the required safety integrity level (SIL) is an activity that the process designers need to complete prior to detailed design. This article outlines an approach for the determination of the required SIL using the layer of protection analysis (LOPA) method. An example is presented along with a suggested format for documenting the LOPA, SIL, and SIF requirements in a manner that can be transferred to the detailed design team for implementation. © 2007 American Institute of Chemical Engineers Process Saf Prog 26: 185–194, 2007

BACKGROUND

Process hazards analysis (PHA) studies are widely completed in the chemical, oil refining, and pharmaceutical industries to define potential hazards for safe operation of the facility. The PHA team prepares recommendations to reduce the consequences or frequency of the undesired event. Often these recommendations will require the installation of a safety interlock or a control system modification. The electrical and instrumentation (E&I) engineering group will then implement the recommendation. The recommendation may read as:

"Install a high level shutoff interlock on tank 1211 to prevent overfilling with flammable solvent. Overfilling with solvent could result in a release of flammable solvent into the process area resulting in a fire or explosion."

This is all the information the E&I engineering group is initially given. The designers must convert this very brief definition of a safety need into hardware that will provide the needed safety functionality.

LAYER OF PROTECTION ANALYSIS

Layer of protection analysis (LOPA) is a semi-quantitative risk evaluation method and begins with the definition of a set of undesired events (accidents, chemical releases, fires, explosions, etc.) and the estimate of the consequences of these undesired events. Independent layers of protection are identified and evaluated in a LOPA, based upon assigning protective credits for various management control systems (procedures, inspections, etc.), basic process controls, and defined safety systems. The need for additional protective layers is based on the organization's risk tolerance. The LOPA methodology used in this study is explained in the Center for Chemical Process Safety's (CCPS's) book Layer of Protection Analysis, Simplified Process Risk Assessment [1].

A team of knowledgeable personnel is gathered and a systematic evaluation of the hazards of the process is completed. The LOPA team typically includes personnel who are knowledgeable in the process, control system, maintenance, design, and operations of the facility. Participants in a typical LOPA team are presented in Table 1.

The participants in a LOPA team are essentially the same personnel as for a PHA study team. The difference between a LOPA and a typical PHA is the depth of analysis of a particular issue and the breadth of the scope of the study. A typical PHA using the hazards and operability (HAZOP) technique covers a very broad range of subjects. A typical LOPA team will examine a select subset of the issues identified by the PHA team.

The LOPA team leader guides the definition of the events of concern. Typical events of concern for the study may include:

Presented at the American Institute of Chemical Engineers Spring 2006 National Meeting, Orlando, FL.

© 2007 American Institute of Chemical Engineers

Process Safety Progress (Vol.26, No.3) September 2007 185


• Fire.
• Explosion.
• Toxic material release.
• Significant environmental impact.
• Release to a flare system.
• Vessel overpressure.
• Runaway reaction.

To complete the LOPA analysis, the team selects a potential cause that could lead to one or more of the events of concern and evaluates the resulting scenario to determine the adequacy of existing safeguards. An estimate of the frequency of the starting event (cause) is made using an order of magnitude estimate as in Table 2.

Safeguards are evaluated based on the adequacy of the safeguard to prevent an undesired event from occurring. In general, for a safeguard to be counted as a protective layer it must:

• Be capable of preventing the undesired outcome from occurring.
• Be independent from other safeguards being counted as a protective layer.
• Be auditable.

The LOPA team assigns order-of-magnitude estimates of the probability of failure of the protective layer upon demand by the scenario under review. The LOPA book [1] presents detailed descriptions of the assignment of these LOPA credits. The LOPA credits are normally assigned using generic order of magnitude estimates as shown in Table 3.

Evaluating procedural controls as a protective layer requires a review of the operations and tasks that the operators are conducting. For the purposes of this article, a procedural control is defined as the entire system that a human operator uses to perform a task and includes:

Table 1. Typical LOPA team participants [1].

Team participant: Function

LOPA team leader: Leads and documents the LOPA sessions. Primarily a facilitator of the team meetings.
Process engineer: Provides process chemistry knowledge to the LOPA team.
Control systems engineer: Provides control system knowledge to the LOPA team.
Production operator: Provides hands-on operations knowledge of how the system operates. For a new facility, the production operator may be chosen from a sister production unit or from a similar process system. A senior operator is normally assigned to this function.
Production supervision: Provides management and operating policy input to the team.
Safety advisor: Provides knowledge of plant safety policies and risk toleration.
Maintenance: Provides knowledge on how the system will be maintained.

Table 2. Typical initiating event frequencies [1].

Event: Frequency (events/year)

Failure of BPCS: 1 × 10^-1
Pump seal failure: 1 × 10^-1
Pressure regulator failure: 1 × 10^-1
Large fire of an entire process unit: 1 × 10^-3
Small fire in a process unit: 1 × 10^-1
Pressure vessel rupture: 1 × 10^-6
Human operator error, routine task performed frequently: 1 × 10^-1
Spurious opening of a relief valve: 1 × 10^-2

Table 3. Generic protective layer LOPA credits [1].

Protective layer: LOPA credit (probability of failure on demand)

Basic process control system: 1 × 10^-1
Procedural control with more than 10 min to complete the task: 1 × 10^-1
Procedural control with more than 40 min to complete the task: 1 × 10^-2
Active mechanical safeguard (relief valve, rupture disk, etc.): 1 × 10^0 to 1 × 10^-3, depending upon process conditions and history of the device
Passive mechanical safeguard (dike, blast wall, etc.): 1 × 10^-2
Safety interlock (safety instrumented function implemented in a safety instrumented system) at safety integrity level 1: 1 × 10^-1
Safety interlock (safety instrumented function implemented in a safety instrumented system) at safety integrity level 2: 1 × 10^-2
Safety interlock (safety instrumented function implemented in a safety instrumented system) at safety integrity level 3: 1 × 10^-3


1. Written procedures that define the task or action to be taken.
2. A clear indication that the task must be performed.
3. Training on how to perform the task.
4. Adequate tools and materials to perform the task.
5. Proper and available PPE to perform the task.
6. Adequate time to perform the task.
7. Time to diagnose abnormal problems with the task.
8. Clear indication of proper performance of the task.
9. Ability to verify that the task was performed (auditability).

If the same human operator is the initiator of the event of concern, a protective layer would not be claimed for that operator to respond to the problem (not independent). By itself, a written procedure is not capable of serving as a protective layer.

The severity of occurrence of the undesired event may be evaluated using formal quantitative consequence calculations or by using a qualitative evaluation by the LOPA team. Often the team will use a qualitative scale such as presented in Table 4 to evaluate the consequences of the undesired event.

The adequacy of the system to protect against the occurrence of a particular scenario is judged using a risk toleration matrix such as presented in Figure 1. Severity levels 1 through 5 may be determined by an independent quantitative consequence analysis or by the use of a qualitative consequence categorization such as is presented in Table 4. The frequency is determined using the order of magnitude estimates for failure of the existing protective layers (Table 3). The frequency and severity are used to locate the scenario on the LOPA risk toleration matrix. Scenarios which are located in the shaded area are considered of tolerable risk, scenarios located in the dark areas are considered intolerable, and those in the middle area are considered of marginal risk. Recommendations are developed for scenarios with risks judged either intolerable or marginal.

Figure 1. LOPA risk toleration matrix.

Table 4. Example consequence evaluation scale.

Consequence severity: Description of the consequences

Severity 1, very low consequence events:
• Minor environmental event, not reportable.
• No impact on community.
• No injury to personnel.
• Minor damage to equipment (no loss of production).

Severity 2, low consequence events:
• Recordable event with no permit violation.
• No injury to members of public, but public is impacted.
• Minor injury to plant personnel.
• Equipment damage of $10,000–$100,000 with no loss of production.

Severity 3, medium consequence events:
• Probable permit violation and agency notification required.
• Community noise or odor complaint.
• Recordable injury to plant personnel, not severe.
• Equipment damage of $100,000 to $1,000,000 with some loss of production.

Severity 4, high consequence events:
• Release with off site impact.
• One or more injuries to members of public.
• One or more severe injuries to plant personnel.
• Equipment damage of $100,000–$1,000,000 with some loss of production.

Severity 5, very high consequence events:
• Major environmental impact resulting in large kill of wildlife, contamination of surrounding area.
• One or more serious injuries (includes death) of members of the public.
• Fatality or permanent disabling injury of one or more plant personnel.
• Equipment damage of greater than $1,000,000 with significant loss of production and business interruption.

DEFINING SAFETY INSTRUMENTED FUNCTIONAL REQUIREMENTS

Once the existing system has been evaluated and the need for additional safeguards has been determined, the LOPA team develops a set of recommendations to reduce the risk to a tolerable level. In most cases this reduction in risk is done by adding independent protection layers to reduce the frequency of a bad event from occurring. Additional mechanical safeguards may be recommended or additional procedural safeguards may be recommended by the LOPA team. Often, the LOPA team will recommend that additional electronic safeguards be added to the system to reduce the risk to a tolerable level. The ISA S84 standard [2] defines three different interlock safety integrity levels (SILs) and the maximum associated probability of failure on demand as:

SIL 1: Probability of failure on demand = 1 × 10^-1

SIL 2: Probability of failure on demand = 1 × 10^-2

SIL 3: Probability of failure on demand = 1 × 10^-3

For example, the reactor overfilling scenario with a severity rating of 5 and an estimated frequency of 1 × 10^-3 results in an intolerable risk. Installation of a SIL-2 interlock to prevent overfilling of the reactor would reduce the frequency of the scenario to 1 × 10^-5, which is considered to be a tolerable risk in Figure 1. The LOPA team may recommend that one or more additional interlocks (SIF implemented in a SIS) be added to reduce the frequency of an undesired event.

The LOPA team has spent a significant effort in the evaluation of the risk of a particular scenario and the development of recommendations to reduce the risk to a tolerable level. Properly communicated, this evaluation becomes the basis for the design of the system. The communication of the desired functions of the recommended interlocks is where many problems arise.

COMMUNICATION OF THE LOPA RESULTS TO THE INSTRUMENTATION ENGINEER

Unless the instrumentation engineer was a participant in the LOPA review, he or she will have only a limited understanding of what was discussed and why a particular set of recommendations was selected. Communication of the LOPA review results to the E&I engineer is a critical task. The items in Table 5 are suggested as the minimum information that should be communicated to the E&I group from the LOPA review. Basically, the items in Table 5 answer the high school English writing questions of:

• Who?
• What?
• When?
• Where?
• Why?
• How?

Table 5. Communication of results of LOPA review to instrument design group.

Information item: Description

Identification data: Process unit ID, equipment item number.
Reference data: Reference P&ID drawings; PHA report reference; LOPA report reference to scenario of concern.
Hazard description: Description of the scenario of concern including initiating event (or events), existing safeguards, consequences of failure of the safeguard. This is the event that we are trying to prevent from occurring.
Existing safeguards: Existing protective layers that we are counting on to prevent the undesired event from occurring.
Desired safety function: Description of the desired operation of the new safety instrumented function. Generally, the function consists of three parts: sensing that an action is needed (sensor); determining what action must be taken (logic solver); taking the action (final control element).
Existing hardware: Description of related existing hardware that could be used to implement the desired safety function. If an existing valve cannot be used as a safety shutoff valve due to a process reason, the instrument designers must be told.
Needed response time: Time available from initiation of the need for the safety function before the undesired event occurs. Fast acting valves, or rapid scanning of sensors, require special equipment.
Environmental data: Most process units use area classification.
Pseudo logic for the desired safety function: The process engineer should define the logic to be implemented in the electronic logic solver on how the desired safety function should operate. The definition should be done using pseudo logic that is based on a series of logical statements such as IF, OR, AND, THEN, WAIT, etc. This definition will look very similar to a program written in BASIC.
Reset: Describe how a trip of an interlock is to be cleared. Is this an automatic clearing by the electronic logic solver (not recommended), or must the operator take a defined set of steps, and the sensors that indicated there was a problem be checked, before a reset of the interlock is allowed? Process conditions needed prior to resetting the system are often overlooked.
Startup and shutdown: Some safety systems may be active for only a portion of a startup. Others may become active once normal operating conditions are achieved. The logic of how this is to be implemented and the process reasons are needed by the design group. Many safety systems are bypassed during process startup because this step was forgotten.

EXAMPLE

The easiest way to understand how all of these pieces fit together is by example. Previously, Freeman [3] published an example of a HAZOP of a batch reactor control system.

Consider the P&ID shown in Figure 2 for reactor R-102. A semibatch (sometimes called batchwise continuous) process is being used to produce a product C from the chemistry of:

A + B → C

The raw material "B" is charged into the reactor at the beginning of a batch. Once the charge of raw material B is complete, a continuous addition of raw material "A" starts. Raw material A is slowly added to the reactor with agitation to ensure a high conversion to product "C". Of concern is the failure to charge the reactor with raw material B at the beginning of the batch. If raw material B is added to a large amount of raw material A, an uncontrolled runaway reaction could occur, resulting in the failure of the reactor vessel. Likewise, if the addition rate of raw material A is too high (20 gpm) or an excessive amount accumulates (100 gallons) without agitation, a runaway reaction will occur. Raw material A is toxic, and raw material B is flammable.

To ensure that the proper amount of raw material is added in the proper order to reactor R-102, a computer-controlled sequence of events has been defined. Table 6 presents the valve position truth table for the batch sequence. Table 7 presents the safety checks completed by the basic control system for the eight-step sequence of events that must occur for the batch to be safely produced. A previous HAZOP review has determined that failure of the raw material A control valve (LV-1) poses a significant concern relative to creating the conditions for a runaway reaction to occur. The production engineering group has asked you to complete a LOPA review of the raw material A addition system to determine the need and type of any additional safeguards.

Figure 2. Reactor R-102 P&ID.

Table 6. Reactor R-102 eight-step sequence of events.

Step  Description                    LV 1  LV 2  V3  V4  V5  Duration (min)
0     Start batch                    X     X     X   X   X   0
1     Add nitrogen purge             X     X     O   X   X   10
2     Vent to purge gas oxidizer     X     X     X   O   X   10
3     Charge raw material "B"        X     O     X   O   X   30
4     Start reactor R-102 agitator   X     X     X   O   X   5
5     Charge raw material "A"        O     X     X   O   X   120
6     Transfer to separator          X     X     O   X   O   40
7     End batch                      X     X     X   X   X   0

X, valve closed; O, valve open.

LOPA Review of Existing System

The review starts with a definition of the cause and resulting consequence of the scenario to be studied. In this case the cause of the undesired event is the uncontrolled addition of raw material "A" to reactor R-102 at a rate greater than 20 gpm. The resulting consequence of this uncontrolled addition is a runaway reaction with the potential to blow up the reactor. Based on the history of operations of the addition system, failure of the control valve or failure of the basic process control system once in 10 years was estimated as the initiating event frequency. Based on the potential to blow up the reactor with the corresponding potential for severe worker injury and a large economic loss to the company, the consequences were evaluated as a Severity Level 5 event from Table 4. The existing safeguards to prevent this event are:

1. Relief valve (PSE 102-5) is sized to prevent overpressure in the event of a runaway.
2. Operator procedure to monitor the flow of raw material "A" to the reactor and to stop the addition if the flow rate exceeds 20 gpm.

The maintenance history of the relief valve is good and no significant pluggage of the valve inlet has been found in the 10 year history of the plant. The valve is cleaned and tested annually and the valve has never failed the pressure test. Based on this experience, the LOPA team considers the service to be "average" and a probability of failure to open on demand of 1 event in 100 challenges (1 × 10^-2) was assigned.

The procedural control by the operator to monitor the flow of raw material "A" and to stop the addition if the flow rate exceeds 20 gpm was judged to be ineffective to prevent the occurrence of the event. Because failure of the BPCS was a potential initiating event, the LOPA team considered the use of the BPCS to monitor the flow as not an independent protective layer, and a probability of failure of the procedure to stop the flow of 100% was assigned. This means that no LOPA credit was given for the procedure.

The results of these evaluations are documented in the LOPA worksheet of Figure 3. A consequence severity of 5 combined with a calculated frequency of 1 × 10^-3 results in the as-is risk being evaluated as intolerable from Figure 1.
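The worksheet arithmetic behind the as-is evaluation, and the SIL selection that follows from it, carried through in code. This is an added example, not code from the paper: the initiating frequency, layer credits, severity and SIL PFD limits are the page's values, while the tolerable-frequency thresholds are an assumed stand-in for Figure 1 (which is not reproduced here), chosen so that at severity 5 a frequency of 1 × 10^-3/yr is intolerable and 1 × 10^-5/yr is tolerable, as the text states. It also generalises the method of Tables 2 and 3: a scenario's mitigated frequency is the initiating event frequency multiplied by the probability of failure on demand of each independent layer, and a layer that is not independent carries a PFD of 1.0 (no credit).

```python
"""LOPA worksheet arithmetic for the reactor R-102 raw material "A" scenario.

Added example, not the paper's own code. Page values: initiating frequency,
relief-valve PFD, zero credit for the procedure, severity 5, SIL PFD limits.
ASSUMED: the tolerable-frequency thresholds that stand in for Figure 1.
"""
import math
from dataclasses import dataclass, field

# ASSUMED stand-in for Figure 1: highest frequency (events/year) that is
# tolerable at each consequence severity on the Table 4 scale.
TOLERABLE_FREQ = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4, 5: 1e-5}
# ASSUMED: "marginal" risk lies within one order of magnitude of tolerable.
MARGINAL_FACTOR = 10.0

# Maximum PFD per SIL, as the page quotes from ISA S84.
SIL_PFD = {1: 1e-1, 2: 1e-2, 3: 1e-3}


def _at_most(a, b):
    """Order-of-magnitude comparison that tolerates float rounding (1e-3 * 1e-2 vs 1e-5)."""
    return a <= b or math.isclose(a, b, rel_tol=1e-9)


@dataclass
class Layer:
    name: str
    pfd: float  # probability of failure on demand; 1.0 means no LOPA credit


@dataclass
class Scenario:
    name: str
    severity: int
    initiating_freq: float  # events/year, Table 2 style estimate
    layers: list = field(default_factory=list)


def mitigated_frequency(scenario):
    """Initiating event frequency times the PFD of every independent protection layer."""
    freq = scenario.initiating_freq
    for layer in scenario.layers:
        freq *= layer.pfd
    return freq


def risk_class(freq, severity):
    """Place a (frequency, severity) point on the stand-in risk toleration matrix."""
    limit = TOLERABLE_FREQ[severity]
    if _at_most(freq, limit):
        return "tolerable"
    if _at_most(freq, limit * MARGINAL_FACTOR):
        return "marginal"
    return "intolerable"


def required_sil(scenario):
    """Lowest SIL whose PFD limit moves the scenario into the tolerable region.

    Returns 0 if the as-is risk is already tolerable, or None if no single
    SIF (SIL 1 to 3) closes the gap and other layers must be found.
    """
    freq = mitigated_frequency(scenario)
    limit = TOLERABLE_FREQ[scenario.severity]
    if _at_most(freq, limit):
        return 0
    for sil in (1, 2, 3):
        if _at_most(freq * SIL_PFD[sil], limit):
            return sil
    return None


def with_sif(scenario, sil):
    """Copy of the scenario with a SIL-rated interlock added as one more layer."""
    layers = scenario.layers + [Layer(f"SIL {sil} interlock", SIL_PFD[sil])]
    return Scenario(scenario.name, scenario.severity, scenario.initiating_freq, layers)


def r102_as_is():
    """As-is worksheet for R-102 with the values the text gives."""
    return Scenario(
        name="Runaway reaction in R-102 from raw material A flow > 20 gpm",
        severity=5,
        initiating_freq=1e-1,  # control valve / BPCS failure once in 10 years
        layers=[
            Layer("Relief valve PSE 102-5, average service", 1e-2),
            Layer("Operator procedure via BPCS (not independent)", 1.0),
        ],
    )


if __name__ == "__main__":
    as_is = r102_as_is()
    f0 = mitigated_frequency(as_is)
    print(f"as-is frequency {f0:.0e}/yr -> {risk_class(f0, as_is.severity)}")
    sil = required_sil(as_is)
    f1 = mitigated_frequency(with_sif(as_is, sil))
    print(f"recommend SIL {sil}: frequency {f1:.0e}/yr -> {risk_class(f1, as_is.severity)}")
```

The comparison helper matters: the worksheet works in orders of magnitude, and a naive `<=` on floating-point products such as 0.001 × 0.01 can land a hair above 1e-5 and misclassify a scenario that sits exactly on the boundary.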

Development of LOPA Recommendation

The LOPA team could not find any way to eliminate the use of reactor R-102 or to make the operation of the reactor intrinsically safe. The team could not find a way to make the potential incident less severe. Therefore, the team developed recommendations to reduce the frequency of occurrence of the undesired event to a level judged to be of tolerable risk from Figure 1. An examination of the as-is placement of the undesired event in the risk matrix of Figure 1 indicates that a two order of magnitude reduction in the frequency of occurrence is needed to move the resulting risk into the tolerable region. The use of two SIL 1 hardwired interlocks was considered by the team. However, since the Dept 32 Upgrade Project has already decided that a SIL 2 rated safety instrumented logic solver would be installed, the LOPA team decided to recommend the installation of a SIL 2 interlock to manage the risk of a runaway reaction in reactor R-102 due to excess flow of raw material "A". This recommendation is documented in the LOPA worksheet of Figure 4. The resulting conceptual process design for the revised raw material "A" addition system is shown in Figure 5.

Table 7. Reactor R-102 batch safety checks.

Step 0: Start Batch
PT 102-8 < 1 psig
LT 102-3 < 1%
LV 1 AND LV 2 AND V3 AND V4 AND V5 CLOSED
R-102 agitator OFF

Step 1: Add Nitrogen Purge
PT 102-8 > 20 psig
LT 102-3 < 1%
V3 OPEN
LV 1 AND LV 2 AND V4 AND V5 CLOSED
R-102 agitator OFF
Set Timer-1 = 0 min

Step 2: Vent to Purge Gas Oxidizer
Timer-1 > 10 min
PT 102-8 < 1 psig
LT 102-3 < 1%
V4 OPEN
LV 1 AND LV 2 AND V3 AND V5 CLOSED
R-102 agitator OFF

Step 3: Charge Raw Material "B"
Timer-1 > 10 min
PT 102-8 < 1 psig
LT 102-3 > 30%
LV 2 AND V4 OPEN
LV 1 AND V3 AND V5 CLOSED
R-102 agitator OFF

Step 4: Reactor R-102 Agitator
Timer-1 > 10 min
PT 102-8 < 1 psig
LT 102-3 > 30%
V4 OPEN
LV 1 AND LV 2 AND V3 AND V5 CLOSED
R-102 agitator ON
Set Timer-2 = 0 min

Step 5: Charge Raw Material "A"
Timer-1 > 10 min
Timer-2 > 120 min
PT 102-8 < 10 psig
LT 102-3 > 80%
LV 1 AND V4 OPEN
LV 2 AND V3 AND V5 CLOSED
R-102 agitator ON

Step 6: Transfer to Separator
Timer-1 < 10 min
Timer-2 < 120 min
PT 102-8 > 1 psig
LT 102-3 > 1%
V3 AND V5 OPEN
LV 1 AND LV 2 AND V4 CLOSED
R-102 agitator ON

Step 7: End Batch
PT 102-8 < 1 psig
LT 102-3 < 1%
LV 1 AND LV 2 AND V3 AND V4 AND V5 CLOSED
R-102 agitator OFF

Tests that must be successfully passed before the next sequence step starts.
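Table 7 is a set of step permissives, and the BPCS safety checks it describes are easiest to reason about when written as data that a checker evaluates. The following is an added example, not the paper's or the plant's control code: it transcribes the Table 7 tests exactly as the page prints them (including the step 6 timer limits), evaluates a process snapshot against the tests for a given step, and returns the tests that fail, so the reason a step is blocked is visible rather than hidden in a single boolean. The snapshot dictionaries, the `make_state` helper and its field names are assumptions.

```python
"""Step permissives for the reactor R-102 batch sequence, transcribed from Table 7.

Added example, not code from the paper. Tags PT 102-8 (psig), LT 102-3 (%),
Timer-1/Timer-2 (min) and the five valves come from the page; the snapshot
layout and helper names are ASSUMED.
"""
VALVES = ("LV1", "LV2", "V3", "V4", "V5")


def _valves_open(*open_valves):
    """Test that exactly the named valves are open and every other valve is closed."""
    wanted = set(open_valves)
    label = (", ".join(open_valves) + " OPEN; ") if open_valves else ""
    label += ", ".join(v for v in VALVES if v not in wanted) + " CLOSED"
    return label, lambda s: all(s["valves"][v] == (v in wanted) for v in VALVES)


def _agitator(on):
    return f"R-102 agitator {'ON' if on else 'OFF'}", lambda s: s["agitator"] == on


def _pt(op, psig):
    return f"PT 102-8 {op} {psig} psig", (lambda s: s["PT"] < psig) if op == "<" else (lambda s: s["PT"] > psig)


def _lt(op, pct):
    return f"LT 102-3 {op} {pct}%", (lambda s: s["LT"] < pct) if op == "<" else (lambda s: s["LT"] > pct)


def _timer(name, op, minutes):
    key = "timer1" if name == "Timer-1" else "timer2"
    test = (lambda s: s[key] < minutes) if op == "<" else (lambda s: s[key] > minutes)
    return f"{name} {op} {minutes} min", test


# Table 7: one list of (label, predicate) per sequence step, in the printed order.
STEP_TESTS = {
    0: [_pt("<", 1), _lt("<", 1), _valves_open(), _agitator(False)],
    1: [_pt(">", 20), _lt("<", 1), _valves_open("V3"), _agitator(False)],
    2: [_timer("Timer-1", ">", 10), _pt("<", 1), _lt("<", 1), _valves_open("V4"), _agitator(False)],
    3: [_timer("Timer-1", ">", 10), _pt("<", 1), _lt(">", 30), _valves_open("LV2", "V4"), _agitator(False)],
    4: [_timer("Timer-1", ">", 10), _pt("<", 1), _lt(">", 30), _valves_open("V4"), _agitator(True)],
    5: [_timer("Timer-1", ">", 10), _timer("Timer-2", ">", 120), _pt("<", 10), _lt(">", 80),
        _valves_open("LV1", "V4"), _agitator(True)],
    6: [_timer("Timer-1", "<", 10), _timer("Timer-2", "<", 120), _pt(">", 1), _lt(">", 1),
        _valves_open("V3", "V5"), _agitator(True)],
    7: [_pt("<", 1), _lt("<", 1), _valves_open(), _agitator(False)],
}


def failed_tests(step, state):
    """Labels of the Table 7 tests that `state` fails for `step`; an empty list means the step may start."""
    return [label for label, test in STEP_TESTS[step] if not test(state)]


def make_state(pt, lt, open_valves=(), agitator=False, timer1=0, timer2=0):
    """ASSUMED snapshot layout; `open_valves` names the valves currently open."""
    return {"PT": pt, "LT": lt, "agitator": agitator, "timer1": timer1, "timer2": timer2,
            "valves": {v: v in open_valves for v in VALVES}}


# Constructed sample snapshots (not plant data).
STEP5_READY = make_state(pt=0.5, lt=85, open_valves=("LV1", "V4"), agitator=True, timer1=15, timer2=130)
STEP5_LEVEL_LOW = make_state(pt=0.5, lt=50, open_valves=("LV1", "V4"), agitator=True, timer1=15, timer2=130)
STEP0_V3_OPEN = make_state(pt=0.2, lt=0.5, open_valves=("V3",))

if __name__ == "__main__":
    for name, step, snap in (("step 5 ready", 5, STEP5_READY), ("step 5 level low", 5, STEP5_LEVEL_LOW),
                             ("step 0 with V3 open", 0, STEP0_V3_OPEN)):
        print(name, "->", failed_tests(step, snap) or "permissives satisfied")
```

Encoding each check with the label printed in Table 7 keeps the reviewable document and the executable logic in step, which is the same concern the paper raises about pseudo logic being handed to the E&I group unchanged.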

Note that this example problem does not consider all of the potential problems that could occur with the reactor system. For example, reverse flow of the contents of the reactor into the raw material storage tank could create a serious safety issue. The design team would normally protect against this possibility by providing one or more of the following backflow prevention systems:

• Reverse flow check valve.
• Positive pressure purge of the pipe using nitrogen between block valves XV 102-10 and XV 102-11 upon failure of the raw material pump.
• Differential pressure shutdown interlock to close the raw material feed line if the pressure in the reactor exceeds the discharge pressure at the pump.

The need for reverse flow protection would be determined by a separate LOPA analysis of the scenario of reverse flow of the reactor contents back into the raw material storage tank.

The LOPA team must now communicate the results of the evaluation to the E&I design group for implementation.

Figure 3. LOPA worksheet evaluation of the AS-IS situation.


Communication to the E&I Design Group

Unless the E&I design engineer was a member of the LOPA review team, the reasoning and logic developed during the review may not be conveyed to the E&I designer responsible for implementation of the recommendations. Table 5 of this paper presented a generic list of items to communicate to the E&I design group. Based on the results of the LOPA analysis of the raw material "A" addition to reactor R-102, the department process engineer has filled in the information needed and created Table 8 for conveyance to the control group. Note that the process engineer will also convey the LOPA worksheets, LOPA report, HAZOP report, the pseudo logic for any new safety instrumented functions implemented in the safety instrumented system (interlocks), revised P&ID drawings, and any other concerns relative to the design of this new raw material "A" addition system.

Figure 4. LOPA worksheet development of recommendations.

Figure 5. Revised raw material "A" addition system.

Most of the information presented in Table 8 is routine engineering information normally prepared by a process engineering group. However, the pseudo logic (Table 9) for the interlocks is an item that many engineers argue is best left to the E&I design group to develop. If left to the E&I design group, such concerns as the order of valve closure, speed of closure, and special startup and shutdown process concerns may not be obvious and may be missing in the final design. In the example, the order of closure of the new valves is important to prevent trapping the raw material "A" between valves. For some chemicals, trapped material may polymerize and block the lines or may present a serious safety concern due to the potential for overheating in the sun. The E&I design group should not be expected to

Table 8. Communication of results of LOPA of example to E&I design group.

Information item: Description

Identification data: Department 32. Reactor R-102 raw material "A" addition system.
Reference data: Reactor R-102 P&ID (Figure 2); R-102 sequence control logic (Table 7); R-102 valve truth table (Table 6); Department 32 HAZOP Report, 15 Jan 2005; LOPA worksheet scenario entitled "runaway reaction and explosion R-102 due to overcharge of raw material A" (Figures 4 and 5).
Hazard description: Uncontrolled runaway reaction in reactor R-102 due to raw material "A" addition flow rate exceeding 20 gpm for 5 min, resulting in the potential to overpressure the reactor, leading to an explosion or fire in the department 32 process unit.
Existing safeguards: Relief valve PSE 102-5 is designed to prevent the overpressure of the reactor in the event of a runaway reaction.
Desired safety function: Upon detection of flow rate of raw material A greater than 20 gpm, stop transfer pump and close the transfer line valves. LOPA review has defined a SIL 2 as the target for implementation of this safety function.
Existing hardware: Existing flow control valve (LV 1) cannot be used as a shutoff as the valve may be the source of the high flow to the reactor.
Needed response time: A maximum of 5 min from the time of detection of high flow until the flow must stop is needed to prevent creating the potential for a runaway reaction in reactor R-102. Initial target for shutdown of the raw material addition system upon detection of high flow is 30 s.
Environmental data: Department 32 is a Class 1 Div II Group D area. Electric power available is 120 VAC. The process unit is an open air structure with normal weather temperature extremes of -20 F to 110 F.
Pseudo logic for the desired safety function: The process engineer assigned to department 32 has evaluated the emergency shutdown logic upon detection of high flow and recommends the pseudo logic presented in Table 8.
Reset: Interlock reset will be completed by the console operator using the SIS console. Pseudo logic for reset as presented in Table 8.
Startup and shutdown: During startup of the pump P-201 for a batch, the flow of raw material A in the line may surge and exceed the target interlock set point of 20 gpm. The BPCS should be configured to slowly open the control valve to the desired set point of 10 gpm at the start of a batch. Emergency manual shutdown logic is presented in Table 8. Process engineering could not develop a safe shutdown of the system by simply de-powering the interlocks. Sequential shutdown of the valves in the line is needed to prevent trapping of the material between valves. Transfer line is sloped to drain into reactor R-102.

Process Safety Progress (Vol.26, No.3) Published on behalf of the AIChE DOI 10.1002/prs September 2007 193


know these process engineering details. Thus, there is a need for the development of the interlock pseudo logic by the process engineer to convey the detailed intent of the proposed system. The E&I group may change the details of the proposed system during final design.

CONCLUSION

This article has proposed a method for the definition of safety instrumented function requirements using the LOPA methodology. An example of the use of this methodology and the conveyance of the resulting information to the E&I design group has also been presented. Use of the LOPA methodology to define the requirements and the development of the pseudo logic for the desired safety instrumented function should reduce the potential for misunderstanding as to how the process risks are managed and how needed instrument systems should be designed.


Table 9. Pseudo logic for raw material shutoff safety instrumented system.

SHUTDOWN LOGIC
  IF FT 201-8 GT 20 OR FT 201-9 GT 20
  THEN STOP P-201
  THEN CLOSE XV 102-10
  THEN CLOSE XV 102-11
  THEN ALARM SIS CONSOLE
  THEN SET ESHUTDOWN = TRUE
  OUTPUT ESHUTDOWN TO PLC 102-9

MANUAL SHUTDOWN LOGIC
  IF HS 102-10 = CLOSED AND DELAY TIMER = 2
  THEN CLOSE XV 102-10
  THEN CLOSE XV 102-11
  THEN ALARM SIS CONSOLE
  THEN SET ESHUTDOWN = TRUE
  OUTPUT ESHUTDOWN TO PLC 102-9

RESET LOGIC
  ON SIS CONSOLE RESET
  IF FT 201-8 LT 15 AND FT 201-9 LT 15
  THEN SET ESHUTDOWN = FALSE
  OUTPUT ESHUTDOWN TO PLC 102-9
  THEN START P-201
  THEN OPEN XV 102-10
  THEN OPEN XV 102-11
  THEN CLEAR SIS CONSOLE ALARM

Flows in GPM; delay timer in seconds; GT, greater than; LT, less than.
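As an added example that is not part of the article, the following Python simulation runs the Table 9 pseudo logic as a one-second logic-solver scan: the 1oo2 high-flow trip on FT 201-8 / FT 201-9, the timed manual shutdown from HS 102-10, and a console reset that is refused until both flows read below 15 gpm. The ordered action log lets a reviewer check that pump stop and valve closure occur in the sequence the process engineer specified; the 1 s scan and the reading of "DELAY TIMER = 2" as a 2 s hold are assumptions.

```python
"""Simulation of the Table 9 raw material shutoff SIS pseudo logic (added example)."""
from dataclasses import dataclass, field

HIGH_FLOW_GPM = 20.0   # trip set point from Table 8 / Table 9
RESET_FLOW_GPM = 15.0  # reset permissive, below the trip point (hysteresis)
MANUAL_DELAY_S = 2     # assumed: HS 102-10 must be held closed this many scans


@dataclass
class SisState:
    eshutdown: bool = False       # ESHUTDOWN flag sent to PLC 102-9
    pump_running: bool = True     # P-201
    xv_102_10_open: bool = True
    xv_102_11_open: bool = True
    alarm: bool = False           # SIS console alarm
    hs_closed_s: int = 0          # consecutive scans HS 102-10 has been closed
    actions: list = field(default_factory=list)  # ordered action log for review


def _shutdown(s: SisState, stop_pump: bool) -> None:
    """Execute the shutdown actions in the order Table 9 lists them."""
    if stop_pump:  # the manual logic in Table 9 does not include STOP P-201
        s.pump_running = False; s.actions.append("STOP P-201")
    s.xv_102_10_open = False; s.actions.append("CLOSE XV 102-10")
    s.xv_102_11_open = False; s.actions.append("CLOSE XV 102-11")
    s.alarm = True; s.actions.append("ALARM SIS CONSOLE")
    s.eshutdown = True; s.actions.append("ESHUTDOWN=TRUE -> PLC 102-9")


def scan(s: SisState, ft_201_8: float, ft_201_9: float,
         hs_102_10_closed: bool = False, console_reset: bool = False) -> SisState:
    """One 1 s logic-solver scan. Trip is 1oo2 (OR); reset permissive is AND."""
    if not s.eshutdown and (ft_201_8 > HIGH_FLOW_GPM or ft_201_9 > HIGH_FLOW_GPM):
        _shutdown(s, stop_pump=True)
        return s
    s.hs_closed_s = s.hs_closed_s + 1 if hs_102_10_closed else 0
    if not s.eshutdown and s.hs_closed_s >= MANUAL_DELAY_S:
        _shutdown(s, stop_pump=False)
        return s
    if s.eshutdown and console_reset:
        if ft_201_8 < RESET_FLOW_GPM and ft_201_9 < RESET_FLOW_GPM:
            s.eshutdown = False; s.actions.append("ESHUTDOWN=FALSE -> PLC 102-9")
            s.pump_running = True; s.actions.append("START P-201")
            s.xv_102_10_open = True; s.actions.append("OPEN XV 102-10")
            s.xv_102_11_open = True; s.actions.append("OPEN XV 102-11")
            s.alarm = False; s.actions.append("CLEAR SIS CONSOLE ALARM")
        else:
            s.actions.append("RESET REFUSED: flow not below 15 gpm")
    return s
```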
