Page 282 - CHEF Guide

Layers of Protection Analysis


4. Instrumentation and Alarms: These engineering controls are designed to detect deviations from the normal, expected operating parameters. Once deviations are detected, automatic and/or human responses are required to keep the process operating in a safe state. These responses may involve emergency or safe process shutdowns.

5. Safety Instrumented Systems (SIS): These independent engineering controls are designed as the "last line of defense" before a hazardous release, a Loss of Primary Containment (LOPC). The SIS responses may involve emergency or safe process shutdowns, as well.

6. Active Mitigative Engineering Controls: These engineering controls are designed to reduce or mitigate the consequences of a hazardous release. They include pressure relief devices, flares, and scrubbers.

7. Passive Mitigative Engineering Controls: These engineering controls are designed to reduce or mitigate the consequences of a hazardous release. They include dikes and catch tanks.

8. Emergency Response: Emergency response systems are the engineering and administrative controls designed to contain, reduce and mitigate the consequences of the hazardous release. The engineering controls include foam systems; the administrative controls include emergency response plans with trained internal and/or external emergency responders. There are two aspects to emergency response which are considered: 1) Internal, using facility resources only; and 2) External, using both internal and external (community) resources.

An Independent Protection Layer (IPL) is a device, system, or action that is capable of preventing a scenario from proceeding to the undesired consequence without being adversely affected by the initiating event or by the action of any other protection layer associated with the scenario. The effectiveness of an IPL is quantified in terms of its probability of failure on demand (PFD). Safeguards that do not meet the requirements of an IPL are still important as part of the overall risk reduction strategy and good engineering practice. All IPLs are safeguards, but not all safeguards are IPLs.

The general requirements for IPLs include:
•   Is independent of other IPLs and of the Initiating Event
•   Functions in a way that prevents or mitigates the consequence of concern
•   Has sufficient integrity to be capable of completely preventing the scenario consequence
•   Can be relied upon to operate as intended, under stated conditions, for a specified period of time
•   Can be audited to ensure that the management systems to support the IPL are in place and effective
•   Is protected by access security, with controls in place to reduce the chance of impairment
•   Is covered by a management of change process to review, approve, and document changes.

Independence is a basic tenet of LOPA, although absolute independence is not truly achievable. Plants generally have common utilities, a single maintenance staff, common calibration instruments, and vendors who supply similar components to those in use. IPLs should be sufficiently independent that the degree of interdependence is not statistically significant. A common cause failure is when a single event may result in failure of more than one device, procedure or system. An example is loss of power, which could cause failure of multiple sensing instruments as well as electronic equipment such as pumps or agitators. Another example is the sharing of control loops between a protective layer and the initiating event, such as level control and high level shut off utilizing the same sensing instrument or the same shut off valve.
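The independence test and the PFD-based credit described above, worked through as an added example that is not part of the CHEF guide: each safeguard records the instruments, valves and utilities it relies on; a safeguard that shares any of them with the initiating event or with an already credited IPL is rejected as not independent, and the remaining IPLs' PFDs are multiplied with the initiating-event frequency (the standard LOPA arithmetic, assumed here). Tag names, PFDs and frequencies are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    pfd: float               # probability of failure on demand
    depends_on: frozenset    # instruments, valves, utilities it relies on


def credit_ipls(initiating_deps, candidates):
    """Credit candidates as IPLs in the order given. A safeguard that shares a
    dependency with the initiating event or with an already credited IPL is
    not independent (common-cause / shared-loop condition) and is rejected."""
    credited, rejected = [], {}
    claimed = set(initiating_deps)
    for sg in candidates:
        shared = sg.depends_on & claimed
        if shared:
            rejected[sg.name] = sorted(shared)
            continue
        credited.append(sg)
        claimed |= sg.depends_on
    return credited, rejected


def mitigated_frequency(ie_freq, ipls):
    """Standard LOPA arithmetic (assumed): initiating-event frequency times
    the product of the credited IPLs' PFDs gives the mitigated frequency."""
    freq = ie_freq
    for ipl in ipls:
        freq *= ipl.pfd
    return freq


def tank_overfill_scenario():
    """Constructed scenario: BPCS level loop failure (LT-101 / LV-101) leads
    to tank overfill at 0.1 per year. All tags and numbers are hypothetical."""
    initiating_deps = {"LT-101", "LV-101", "site-power"}
    candidates = [
        # High-level alarm read from the same transmitter as the failed loop.
        Safeguard("high level alarm + operator", 0.1, frozenset({"LT-101", "operator"})),
        # Separate high-high switch tripping a separate valve on UPS power.
        Safeguard("SIS high-high trip", 0.01, frozenset({"LSHH-102", "XV-102", "UPS"})),
        # Interlock that reuses the SIS shutoff valve already credited above.
        Safeguard("low-flow interlock", 0.1, frozenset({"FT-103", "XV-102"})),
        # Passive mitigative layer with no shared equipment.
        Safeguard("dike", 0.01, frozenset()),
    ]
    credited, rejected = credit_ipls(initiating_deps, candidates)
    return credited, rejected, mitigated_frequency(0.1, credited)
```

Only the SIS trip and the dike survive the independence check, so the mitigated frequency is 0.1 x 0.01 x 0.01 = 1e-5 per year; the alarm and the interlock are still safeguards, just not IPLs for this scenario.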
For a device, system or action to be credited as an IPL, it must be effective in preventing the undesired consequence associated with the scenario. The IPL design basis must apply to the specific scenario for which it is credited and be valid for the mode of operation being analyzed (normal, start-up, or shut-down). For example, a relief device for a storage vessel may have been sized for fire exposure but be inadequate for a back-flow scenario. The IPL must also be able to accomplish its function in sufficient time to prevent the consequence of concern, and it must perform reliably. When operator response is part

               Page 242