This document is the confidential property of Chevron U.S.A. Inc. Neither the whole nor any part of this
document may be disclosed to any third party without the prior written consent of Chevron U.S.A. Inc.
Neither the whole nor any part of this document may be reproduced, stored in any retrieval system, or
transmitted in any form or by any means (electronic, mechanical, reprographic, recording, or otherwise)
without the prior written consent of Chevron U.S.A. Inc.
Rev.   Date    Description        Author        Technology Leader
       04/09   Initial release    M. Crawford   R. Zerda
A      04/13                      J. Pittman    R. Zerda
April 2013
© 2009–2013 Chevron U.S.A. Inc. All rights reserved. Confidential – Restricted Access
1 of 46
ICM-PU-5171-A
Summary of Changes
1. Revised technical content is indicated by change bars in the right margin.
2. Deleted, moved, and combined requirements, as well as editorial changes, are listed below.
Initial Release              Rev. A         Description   Type of Change
(commented version only)
NOTE: This is the initial release of the uncommented version of ICM 5171. The changes indicated below reflect
changes from the initial release of the commented version of ICM 5171.
4.0                          4.0, item 1
Appendix D                   Appendix D                   Edit
Appendix E                   Appendix E                   Edit
Appendix F                   Appendix F                   Edit
Appendix G                   Appendix G                   Edit
April 2013
20092013 Chevron U.S.A. Inc. All rights reserved. Confidential Restricted Access
2 of 46
ICM-PU-5171-A
Contents
1.0   Scope ............................................................ 4
2.0   References ....................................................... 4
      2.1  Purchaser Documents ......................................... 4
      2.2  Industry Codes and Standards ................................ 4
      2.3  Referenced Publications ..................................... 4
3.0   Terminology ...................................................... 5
      3.1  Acronyms .................................................... 5
      3.2  Definitions ................................................. 5
4.0   General .......................................................... 7
      4.1  Analysis Methods ............................................ 7
      4.2  Project Timing .............................................. 8
5.0   ................................................................. 8
6.0   Combined PHA/SOA ................................................ 10
7.0   ................................................................ 17
8.0   PHA/SOA Tool .................................................... 18
9.0   ................................................................ 18
10.0  ................................................................ 18
Appendix A ............................................................ 20
Appendix B
Appendix C
Appendix D
Appendix E
Appendix F
Appendix G  Additional Figures ........................................ 44
1.0
Scope
The purpose of this document is to describe the Safety Objective Analysis (SOA) process and
how to perform it in conjunction with a Process Hazards Analysis (PHA).
2.0
References
1. The following documents are referenced herein and are considered part of this specification.
2. Unless otherwise specified in Section 2.1 or 2.2, use the latest edition of the referenced
documents.
2.1
Purchaser Documents
ICM-DU-6025
2.2
Industry Codes and Standards
2.3
Referenced Publications
Layer of Protection Analysis, Simplified Process Risk Assessment, 2001,
Center for Chemical Process Safety of the American Institute of
Chemical Engineers, 3 Park Avenue, New York, New York
10016-5991, ISBN 0-8169-0811-7
Guidelines for Safe Automation of Chemical Processes, 1993,
Center for Chemical Process Safety of the American Institute of
Chemical Engineers, 345 East 47th Street, New York, New York 10017,
ISBN 0-8169-0554-1
3.0
Terminology
3.1
Acronyms
BLEVE    boiling liquid expanding vapor explosion
BMS      burner management system
ERRF
HAZOP    hazard and operability (study)
PCS      process control system
PFDavg   average probability of failure on demand
PRD      pressure relief device
SCADA    supervisory control and data acquisition
3.2
Definitions
Independent Protection Layer (IPL)
An IPL is a device, system, or action that is capable of preventing a scenario
from proceeding to its undesired consequence independent of the initiating event
or the action of any other layer of protection associated with the scenario.
Definition from Layer of Protection Analysis, Simplified Process Risk
Assessment, pg. 75.
IPL Credit
One order of magnitude risk reduction equals one IPL credit. Each safeguard
that qualifies as an IPL is worth a certain number of IPL credits. This number of
IPL credits is determined by examining the qualifications listed in the
SOA/SSFA Guidance Tables found in Appendix E.
Likelihood Initial (LI)
The expected frequency of reaching the stated consequence in its entirety due to
the initiating event as a starting point with all instrumentation safeguards
removed, and considering any enabling events and/or conditional probabilities.
Node
A subsection of the process under study designed to organize the PHA into
manageable segments.
SIL   Safety availability       Risk reduction factor
1     0.9 to 0.99               10 to 100
2     0.99 to 0.999             100 to 1000
3     0.999 to 0.9999           1000 to 10,000
4     0.9999 to 0.99999         10,000 to 100,000
4.0
General
1. This specification provides requirements for coordinating, conducting, and documenting a
SOA in conjunction with a PHA or a stand-alone SOA based on an existing PHA.
2. The SOA is a formal process that utilizes the results of a PHA to determine the safety system
instrumentation required to prevent and mitigate hazardous events in downstream, chemical,
and upstream onshore processes.
3. The SOA process relies on the hazardous scenario causes, consequences, and safeguards
developed during the PHA as a starting point for determining whether adequate risk
reduction has been provided for each cause-consequence scenario using Independent
Protection Layers (IPLs) and recommending additional measures to further mitigate the risk
as necessary.
4. The SOA provides a structured process to validate the IPL safeguards and determine the
performance required of Safety Instrumented Functions (SIFs).
5. The following is a summary of the SOA process steps:
a. Using the cause-consequence scenarios and safeguards identified, the SOA process
determines which safeguards qualify as IPLs.
b. Each IPL may qualify as one or more IPL credits, where one IPL credit is equal to one
order of magnitude of risk reduction.
c. If the amount of risk reduction provided by the existing IPLs is less than what is required,
then this deficiency needs to be alleviated either by adding IPLs or improving existing
safeguards to allow them to qualify for additional IPL credits.
4.1
Analysis Methods
4.1.1
Combined PHA/SOA
1. While both a PHA and an SOA can be conducted separately, the combined process saves
time, money and effort while attaining superior results. Advantages include:
a. Saving time: combining the efforts is 35 to 50 percent shorter than performing the PHA
and SOA separately.
b. Reducing resource requirements (same team only has to meet once).
c. Eliminating the need to analyze the same cause-consequence scenarios twice.
d. Eliminating the need for a different facilitator to familiarize himself with the piping and
instrumentation diagrams (P&IDs), cause and effect charts, and other project or facility
documentation.
e. Maintaining the same team for both PHA and SOA promotes consistency in results.
f. Improving PHA quality since the team develops a better understanding of how the
instrumentation works to reduce risk while avoiding common mode failures.
4.1.2
Stand-Alone SOA
1. If a valid PHA has already been performed, the project team may elect to perform a
stand-alone SOA based on the existing PHA documentation.
2. It is not possible to perform an SOA without either performing a PHA in conjunction with the
SOA or making use of existing PHA documentation.
3. If the existing PHA documentation is not complete or deemed unsuitable by the
PHA/SOA facilitator, then a new PHA will need to be performed in order to properly
perform the SOA.
4.2
Project Timing
Any time a PHA is required and instrumentation safeguards are utilized, an SOA should also be
conducted either in conjunction with the PHA or following the PHA.
5.0
5.1
General Responsibilities
The general responsibilities for the team in a combined PHA/SOA include all of the
responsibilities for a PHA, such as identifying deviation causes, consequences, safeguards, risk
ranking, and developing recommendations. The SOA (either as part of a combined PHA/SOA or
as a stand-alone SOA) introduces additional responsibilities for the team. These responsibilities
include:
1. Determining Likelihood Initial (LI).
2. Determining the number of IPL credits required.
3. Determining the number of IPL credits available.
4. Making recommendations to close the gap between the number of IPL credits required and
available where applicable.
5.2
Role: I&C Engineer(s)
Time commitment required: Full-time involvement required

Role: SOA Facilitator
Time commitment required: Full-time involvement required
Responsibilities:
1. Work with the PHA Facilitator to provide brief training to the PHA/SOA Team with regards to
   the overall PHA/SOA process and methodology.
2. Ensure that only safeguards meeting the criteria in Appendix A are credited as IPLs, and guide
   the PHA/SOA team in determining the number of IPL credits assigned per the SOA/safety system
   function analysis (SSFA) Guidance Tables (Appendix E).
3. Assist the PHA/SOA team in ranking the LI, which is the expected frequency of reaching the
   stated consequence in its entirety due to the initiating event as a starting point with all
   instrumentation safeguards removed, and considering any enabling events and/or conditional
   probabilities.
4. Assist the team in determining the number of required IPL credits and the number of existing
   IPL credits.
5. Assist the team in creating SOA recommendations to close gaps between required IPL credits
   and existing IPL credits available.
6. Provide input to the PHA Facilitator to assist in publishing the PHA/SOA Report.
The roles and responsibilities of the SOA facilitator may be performed by the PHA facilitator.
See Note 2 below for details.
Notes
1. If the consequence severity and LI for the cause-consequence scenario result in a NS ranking, then further study
is required to confirm the risk of the cause-consequence scenario. This could include consequence modeling or a
more quantitative analysis of likelihood using a method such as Layer of Protection Analysis. This task should be led
by a facilitator who has been approved by the appropriate subject matter experts and developed as a combined
responsibility between the process engineer and the HES representative. Others who may be required include a
safety specialist, operations advisor and process engineer for the plant, design engineer, and/or external contractors
for quantitative analysis.
2. The combined PHA/SOA can be performed by a qualified PHA facilitator and a qualified SOA facilitator or
performed by a single facilitator qualified in both PHA and SOA processes. If one person facilitates both the PHA and
SOA portions, this facilitator must be trained in both the PHA and SOA processes and be accepted by Owner.
6.0
Combined PHA/SOA
1. In a combined PHA and SOA, the steps of the PHA and the SOA are intertwined to create a
more efficient overall process.
2. This section describes the various steps of the combined PHA/SOA and how to perform them
for a given facility. The process flow diagram for the combined PHA/SOA can be found in
Appendix F of this document.
Methodology
The following steps should be completed for a combined PHA/SOA:
Step 1
Preparation
The preparation required for a combined PHA/SOA is the same as that required for a stand-alone
PHA and the same steps should be followed.
Step 2
The introduction and overview for a combined PHA/SOA or stand-alone SOA should be very
similar to that of a PHA. The key additions to the introduction are the review of IPL and safety
integrity level (SIL) concepts and the review of the SOA process steps.
Step 3
Process Review
The process review for a combined PHA/SOA should be the same as that performed for a PHA.
This step will familiarize the PHA/SOA participants with the process under review.
Step 4
Step 5
This PHA step determines the risk for the cause-consequence scenario based on the severity of
the worst-case consequence and the likelihood of reaching the stated consequence with all
safeguards in place.
Step 6
Depending on the risk ranking performed in step 5 above, the team may need to make
recommendations aimed at reducing the level of risk associated with the cause-consequence
scenario.
Step 7
1. Copy PHA severity ranking previously determined for the cause-consequence scenario (see
Step 5).
2. Determine LI.
The Likelihood Initial is the expected frequency of reaching the stated consequence in its
entirety due to the initiating event as a starting point with all instrumentation safeguards
removed, and considering any enabling events and/or conditional probabilities.
Examples include:
1) A hydrocarbon fluid below its flash point is pumped from a column. A control loop
failure causes the control valve downstream of the pump to shut. Higher discharge
pressure may result in pump deadhead operation, possibly leading to pump and/or
pump seal damage. Pump seal failure may result in a release of process hydrocarbons
to atmosphere with potential fire and/or explosion with personnel exposure
including the possibility of one fatality.
Per the Owner SOA/SSFA Guidance Tables in Appendix E, a control loop failure is
likely. However, the team decided that the probability of the process fluid igniting is
very low due to the fact that the fluid is below its flash point. Based on the likely
initiating cause and the low probability of ignition the team decided that the LI is
occasional.
2) On another column hydrocarbon fluid is pumped from the column but in this case the
fluid is well above its flash point. As in the previous cause-consequence scenario, a
control loop failure causes the control valve downstream of the pump to shut,
resulting in higher discharge pressure which may result in pump deadhead operation,
possibly leading to pump and/or pump seal damage. Pump seal failure may result in
a release of process hydrocarbons to atmosphere with potential fire and/or explosion
with personnel exposure including the possibility of one fatality.
The team decided that the probability of ignition is high because the hydrocarbon
fluid is above its flash point. For this reason, probability of ignition could not be used
to reduce LI from the initiating cause likelihood. As a result, the team determined
that the LI for this scenario would be the same as the initiating cause likelihood. In
this case as in the previous cause-consequence scenario the initiating cause is a
control loop failure so the LI is set to likely.
3. Determine the number of IPL credits required to adequately reduce the risk of the
cause-consequence scenario based on the severity ranking and the LI.
a. Each IPL credit reduces the risk associated with the cause-consequence scenario by an
order of magnitude.
1) One order of magnitude of risk reduction means that the likelihood of the
consequence occurring is ten times less likely than it would be if the safeguard were
removed.
2) A safeguard reliable enough to qualify for two IPL credits makes the consequence at
least 100 times less likely to occur.
b. Refer to Appendix A for a discussion of IPLs. In addition, Tables 2-6 of the SOA/SSFA
Guidance Tables (Appendix E) list typical IPLs, the criteria for each, and the amount of
IPL credit that can be taken for each.
Note: The number of IPL credits required is determined by locating the intersection of
the column corresponding to the severity ranking and the row corresponding to
the LI for the cause-consequence scenario on the risk prioritization matrix of
Appendix D.
Step 8
Determine which safeguards listed in Step 4 qualify as IPLs. Appendix A describes IPLs in
detail. In addition, refer to Appendix E for the SOA/SSFA Guidance Tables, Tables 2-6, for a list
of potential IPLs and the number of IPL credits that can be taken for each.
1. The identified safeguards must possess the following four characteristics in order to qualify
as IPLs:
a. Specificity
b. Independence
c. Dependability
d. Auditability
2. The categories of potential IPLs listed in the SOA/SSFA Guidance Tables include:
a. Process Control System (PCS) control loop
b. Alarms with operator response
c. Routine operator surveillance
d. Pressure relief valve
e. Vessel rupture disk
f. Flame arrestor
j. Vacuum breaker
k. Restrictive orifice
l. SIF
2. Examples:
a. If an undesirable Safety/Health consequence has been given a severity of 2 (Severe) and
a LI of 2 (Occasional) then, per the matrix, 3 IPL credits would be required.
1) Assume a total of two different non-SIS IPLs (each worth 1 IPL credit) were
identified. One more IPL credit would be needed to satisfy the risk reduction
requirement of this cause-consequence scenario. The team might recommend
designing and implementing a SIL 1 SIF to prevent the undesirable consequence
(due to the specific initiating cause) from occurring. The team might also
recommend adding another non-SIS IPL or improving one of the existing non-SIS
IPLs to qualify for more IPL credits.
2) If only one non-SIS IPL (worth 1 IPL credit) was identified, two more IPL credits
would be needed to satisfy the risk reduction requirement of this cause-consequence
scenario. The team might recommend designing and implementing a SIL 2 SIF to
prevent the undesirable consequence (due to the specific initiating cause) from
occurring. The team might also recommend adding another non-SIS IPL or
improving one of the existing non-SIS IPLs to qualify for more IPL credits.
3) If no IPLs were identified, then the team would need to make one or more SOA
recommendations to provide three IPL credits for this cause-consequence scenario.
This can be achieved using a SIL 3 SIF but it is strongly recommended that non-SIS
IPLs be designed or the process be redesigned to avoid using a SIL 3 SIF since it is
very difficult to maintain a SIL 3 SIF.
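The credit accounting in the three cases above, worked through in code. This is an added example, not a tool or template from ICM-PU-5171: the safeguards are constructed, the value of 3 required credits is taken from the severity 2 / LI occasional example rather than looked up in the Appendix D matrix (which this example does not reproduce), and the handling of a gap larger than three credits is this example's own assumption. The qualification filter applies the four Step 8 characteristics, and the SIL bands come from the Terminology table.

```python
"""IPL credit accounting for one cause-consequence scenario (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# SIL bands from the Terminology table: SIL -> (PFDavg range, RRF range).
SIL_BANDS: Dict[int, Tuple[Tuple[float, float], Tuple[int, int]]] = {
    1: ((0.1, 0.01), (10, 100)),
    2: ((0.01, 0.001), (100, 1_000)),
    3: ((0.001, 0.0001), (1_000, 10_000)),
    4: ((0.0001, 0.00001), (10_000, 100_000)),
}


@dataclass(frozen=True)
class Safeguard:
    """A PHA safeguard with the four IPL characteristics from Step 8."""
    name: str
    credits: int                # credits per the SOA/SSFA Guidance Tables
    specific: bool              # prevents/mitigates this specific consequence
    independent_of_cause: bool  # no component is part of the initiating cause
    independent_of_ipls: bool   # shares nothing with other credited IPLs
    dependable: bool            # at least one order of magnitude of risk reduction
    auditable: bool             # can be tested and maintained


def qualifies_as_ipl(s: Safeguard) -> bool:
    """Step 8: all four characteristics must hold and the safeguard must be worth >= 1 credit."""
    independent = s.independent_of_cause and s.independent_of_ipls
    return s.specific and independent and s.dependable and s.auditable and s.credits >= 1


def credits_available(safeguards: List[Safeguard]) -> int:
    """Sum of IPL credits from the safeguards that qualify as IPLs."""
    return sum(s.credits for s in safeguards if qualifies_as_ipl(s))


def recommendation(required: int, safeguards: List[Safeguard]) -> dict:
    """Step 10: close the gap between required and available IPL credits.

    A gap of n credits (1..3) is closed by a SIL n SIF or by n more non-SIS
    IPL credits; SIL 3 is flagged as very difficult to maintain. Treating a
    gap above 3 as a redesign case is this example's assumption.
    """
    available = credits_available(safeguards)
    gap = max(0, required - available)
    result = {"required": required, "available": available, "gap": gap,
              "target_sil": None, "actions": []}
    if gap == 0:
        result["actions"].append("existing IPL credits are adequate; no SOA recommendation")
        return result
    if gap > 3:
        result["actions"].append("gap exceeds SIL 3: redesign the process or add non-SIS IPLs")
        return result
    result["target_sil"] = gap
    result["actions"].append(f"implement a SIL {gap} SIF, or add {gap} non-SIS IPL credit(s)")
    if gap == 3:
        result["actions"].append("avoid a SIL 3 SIF where possible: very difficult to maintain")
    return result


# Constructed sample safeguards, each worth 1 credit as in the document's example.
PSV = Safeguard("pressure relief valve", 1, True, True, True, True, True)
HIGH_P_ALARM = Safeguard("high-pressure alarm with operator response", 1, True, True, True, True, True)
RUPTURE_DISK = Safeguard("vessel rupture disk", 1, True, True, True, True, True)
# A PCS control loop whose own valve is the initiating cause fails the independence test.
FAILED_LOOP = Safeguard("PCS pressure loop (its valve is the cause)", 1, True, False, True, True, True)
REQUIRED_CREDITS = 3  # severity 2 (Severe) and LI 2 (Occasional), per the document's example

if __name__ == "__main__":
    for label, sgs in [("two non-SIS IPLs", [PSV, HIGH_P_ALARM]), ("one non-SIS IPL", [PSV]),
                       ("no IPLs", []), ("loop fails independence", [FAILED_LOOP, PSV])]:
        print(f"{label}: {recommendation(REQUIRED_CREDITS, sgs)}")
```

Running the script prints the target SIL for each case; the fourth case shows why the Big I matters, since the control loop contributes nothing when its valve is the initiating cause, leaving a two-credit gap even though two safeguards were listed.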
SOA recommendations are generated as part of the SOA IPL analysis portion of the PHA/SOA.
1. If, during the analysis, the number of IPL credits required is greater than the number of
existing IPL credits available, then the team needs to make one or more SOA
recommendations to provide the additional required IPL credits for this cause-consequence
scenario. The targeted number of IPL credits for each recommendation should be recorded in
the PHA/SOA worksheet.
2. If the SIF has already been designed and documented as one of the IPL safeguards in Step 5,
then no further action is required other than proper SIS engineering to ensure that the SIF
design and proof test frequency will meet the documented SIL and plant process reliability
requirements.
3. SOA recommendations often include the following types of action items:
a. Modification of an existing SIF to meet requirements. These modifications can include
changes to hardware, software or the proof test intervals for any given function.
b. Implementation of a new SIF to a specific SIL to bridge the risk gap identified during the
analysis.
1) It is important to clearly describe the new SIF (i.e., the process variable to be
measured by the SIF sensors and the manipulated variable [valve, pump or compressor]
that would need to be activated to bring the process to a safe state).
2) If it is not possible to describe the new SIF during the PHA/SOA, then the
recommendation should clearly describe the follow-up action needed.
3) To obtain a clear description of the requirements of a SIF will often require the help
of experienced process engineers or process control engineers. Actual conceptual
design of the SIF should not be done during the PHA/SOA.
4) SIF conceptual design is an activity that should take place during the SRS
development phase of the safety life cycle.
c. Addition of new or improvement of existing non-SIS IPLs to eliminate the IPL credit
gap.
d. Further study to investigate options identified during the SOA with respect to the
implementation of IPLs will be required when recommended by the team.
1) This may include modifications to the base process design and/or the
implementation of additional non-SIS IPLs (e.g., additional alarms with appropriate
operator response) for the purpose of either removing the need for a SIF or reducing
the target SIL of the SIF.
Note: This type of recommendation is often made during PHA/SOAs that are
conducted for new facilities where the process is being used to determine the
gaps between actual risk and acceptable risk for a proposed design. The
SOA portion of the PHA/SOA then becomes a design tool to investigate
options of bridging the gaps using IPLs.
2) SIFs associated only with an asset consequence may be removed at the project
manager's discretion, upon upper management's and Legal's concurrence, and only if
the following conditions are met:
i. Asset damage is the only type of consequence of interest that generates a target
SIL (No safety, health or environment related consequences require a SIF);
ii. Cost of implementing function for asset protection is greater than the potential
asset loss associated with the cause-consequence scenario;
iii. This SIF is not used to mitigate the risk of any other cause-consequence
scenario.
4. SOA recommendations carry the same weight as the PHA recommendations if they are
required to adequately reduce the risk of the cause-consequence scenario.
Step 11
The above steps should be repeated for all hazards until there are no more hazards to be
evaluated. Refer to the PHA/SOA Flowchart in Appendix F.
7.0
Preparation
If a stand-alone SOA is being performed based on an existing PHA, some of the preparation will
have already been done in preparation for the original PHA. However, since the SOA is being
conducted after the conclusion of the PHA, the SOA coordinator and SOA facilitator will need to
repeat some of the PHA preparation steps such as scheduling and logistics, team selection, and
compilation of PSI. If possible, the original PHA team should be reassembled for the SOA. An
SOA facilitator will take the place of the PHA facilitator for the stand-alone SOA. However, the
stand-alone SOA must not alter any of the PHA results during the SOA. If any of the PHA results
are determined to be invalid, a combined PHA/SOA should be conducted as specified in
Section 6.0 of this document.
Step 2
Process Review
The cause, consequence, safeguards, and severity ranking for each cause-consequence scenario
are copied over from the PHA worksheets.
Step 5
Step 7
Steps 4–8 above are repeated for all hazards until there are no more hazards to be evaluated.
Refer to the PHA/SOA Flowchart in Appendix F for an illustration of this process.
8.0
PHA/SOA Tool
The preferred tool for conducting SOAs (either in conjunction with a PHA or as a stand-alone
SOA based on an existing PHA) is PHA Pro7 from Dyadem International Ltd. For the latest
version of the combined PHA/SOA template for PHA Pro7, please contact the Owner.
9.0
10.0
SOA worksheets
Appendix A
The concept of IPLs and how these are applied to prevent or mitigate a potential incident in a
process is crucial for a good understanding of the SOA process. The concept of IPLs helps
produce a consistent basis for selecting the target SIL for each safety instrumented function. The
more non-SIS IPLs identified, the lower the target SIL. If enough non-SIS IPLs are identified
then a SIS SIF designed to a specific SIL is not required.
Per guidance from the Center for Chemical Process Safety, each IPL should exhibit the
following:
1. Specificity (designed specifically to prevent or mitigate the consequences of one event)
2. Independence (independent of other protection layers for the hazard)
3. Dependability (will do what it is designed to do)
4. Auditability (designed to accommodate required testing and maintenance for regular
validation)
Note: Refer to Guidelines for Safe Automation of Chemical Processes for more
information.
When determining IPL credit, the team should focus only on the current cause-consequence
scenario to ensure that the safeguard prevents the specific consequence associated with this
cause-consequence scenario.
The dependability characteristic can be quantified by the amount of risk reduction the safeguard
provides. To qualify as an IPL the safeguard must reduce the risk of the cause-consequence
scenario by at least one order of magnitude. Each order of magnitude of risk reduction provided
by an IPL is worth one IPL credit in the SOA/SSFA Guidance Tables. For example, per
Table 3 of the SOA/SSFA Guidance Tables in Appendix E, a single relief valve in clean service
can qualify for up to two IPL credits. This means that the relief valve provides two orders of
magnitude of risk reduction. Stated another way, the relief valve makes reaching the undesirable
consequence at least 100 times less likely.
When considering whether a protection layer is independent, the degree of diversity must be
considered. Diversity is the use of different people, design methods, software languages,
functionality, measurement signals, or equipment to perform a common function with the intent
of minimizing common mode failures. For safety instrumented systems, diversity is primarily
used for the logic solver, which is generally diverse and functionally independent of the PCS.
Additionally, diversity should be considered for SIS sensors and final elements where there is a
potential for common mode failures in these elements. For example, loss of flame in a BMS is
typically detected by a fire-eye. However, alternative diverse ways of measuring loss of flame are
low fuel gas pressure via a pressure transmitter or low fuel gas/air flow via a differential pressure
transmitter across an orifice plate. So for measuring loss of flame, using both fire-eyes and low
fuel gas pressure measurement would provide diverse measurements that could improve the
performance of the SIF.
To determine whether or not a safeguard qualifies as an IPL, consider the 3 Ds and the Big I
as follows:
1. An IPL must have the following 3 Ds:
a. Detect: sense a condition or problem,
b. Decide: whether an action or intervention is necessary or not,
c. Deflect: if action is required, the action must be capable of preventing the consequence
in a timely manner.
2. And, an IPL must have the Big I:
a. Independent of initiating cause
b. Independent of other IPLs
Figure A-1 illustrates the general concept of IPLs in a processing facility. Some of these IPLs
may not be applicable depending on the type of facility and/or process.
Process Design
The Process Design consists of the process physical limits themselves. This includes the process
equipment (vessels, tanks, valves, pumps and pipes). Process equipment should have been
designed to handle design process fluid conditions as well as conditions that exceed these limits
by a safety factor (e.g. the maximum working pressure of a vessel). However, undesirable
variations in these process conditions can occur at any time due to a variety of reasons.
Figure A-1: Layers of Protection
Among numerous others, some typical undesirable conditions could include any one or a
combination of the following: overpressure, under pressure (vacuum), liquid overflow, gas
blow-by, leak, excess temperature, direct ignition source, excess combustible vapors, excess
toxic gases, runaway exothermic reactions (rapid temperature increase), compressor surge, high
rotor axial displacement in a turbine/compressor, high radial vibration in a turbine or compressor,
turbine/compressor over-speed, high turbine/compressor bearing temperatures.
These undesirable conditions can occur due to a variety of initiating causes such as equipment
failure (e.g., valve failure), process excursion due to a change in the process gases, liquids or
solids or external influences such as harsh weather (i.e., either hot or cold). Human error can also
cause a process undesirable condition. Additionally, process control loops can fail and be the
initiating cause that could lead to undesirable conditions. Any of these undesirable conditions can
ultimately lead to undesirable consequences such as release of flammable or toxic liquids or
gases, loss of containment, personnel injury/fatality, asset/equipment damage and/or
environmental damage.
Basic Controls, Alarms, and Operator Supervision
The first independent protection layer above the process design consists of the basic controls that
are being used to control the process and if required the associated operator supervision and
intervention. The basic controls can be stand-alone single-loop controllers, a PCS, or a
supervisory control and data acquisition (SCADA) system. These could be either analog or
pneumatic control systems. Included in this layer of protection are the process alarms that are
typically generated by the control system to alert the operator that there has been an excursion
(undesirable condition) in the process. The operator in response to this alarm either makes a
correction to the process or takes action to bring the process back under control.
The process design and PCS with alarms with operator supervision are considered the process
baseline and are required for a process facility to function safely as designed to produce the
desired products. Unfortunately, components of this baseline can fail and cause undesirable
conditions.
A PCS control loop can be considered an IPL provided:
1. It can be genuinely proven to prevent the undesirable consequences,
2. None of its sensors, PCS input/output modules, or final elements is a part of the initiating
cause,
3. The normal action of the PCS control loop is able to prevent the undesirable consequence, and
the control loop is kept in automatic for all modes of operation where the potential for
the undesirable consequence exists.
Additionally, it is highly desirable that the control loop not be a dormant control loop. A dormant
control loop is typically an on/off controller where the function is only called upon to activate
when the process variable exceeds a given controller set point which is outside the normal
process variable operating range. This type of function is more typical of a SIF and is probably
best if implemented within a SIS to ensure periodic testing of the SIF to meet its SIL performance
requirement. However, there may be circumstances where it is not practical or in the best interest
of the process control scheme for the dormant control loop to be implemented in the SIS as a SIF.
In these cases, it is important for the PHA/SOA team to clearly document reasons for keeping the
dormant loop in the PCS. Additionally, provisions should be made to periodically test the
dormant control loop to meet a PFDavg of 0.1 to 0.01. Further guidance on PCS control loops as
IPLs can be found in Appendix E, Table 2.
Critical Alarms and Manual Intervention
The second independent protection layer consists of critical process alarms with appropriate
operator intervention. For new systems, critical process alarms should be generated by the SIS
logic solver or through an independent dedicated alarm system and a sensor independent of the
initiating cause and all other IPLs. In cause-consequence scenarios also using a SIF as part of the
risk mitigation, the sensor generating the IPL alarm should be separate from the sensor used for
the SIF. If the SIF for the cause-consequence scenario is SIL 3, then a critical alarm should not be
used in conjunction with the SIF to mitigate the hazard risk. For existing systems, critical alarms
may be routed through the PCS but it is highly desirable that the IPL alarm be displayed on a
dedicated PCS IPL alarm window. A control room operator must have at least 10-15 minutes to
respond to the process alarm with appropriate intervention to prevent the undesirable
consequence. A field operator must have at least 30 minutes to respond appropriately to the alarm
to prevent the undesirable consequence. Furthermore, control room or field operators must be
trained via periodic drills to respond appropriately to the critical process alarms. Further guidance
on using alarms with operator response as IPLs can be found in Appendix E, Table 2.
Safety Instrumented System
The third independent protection layer is the automatic SIS. This independent protection layer
consists of a SIS SIF that is dedicated to preventing a specific undesirable consequence by means
of functionally independent automated instrumentation. A SIF consists of sensors designed to
measure critical process conditions; a logic solver designed and configured to interpret the sensor
signals (i.e. whenever the signals indicate that the process has reached an undesirable condition)
and take appropriate action to bring the process back to a safe state. This action typically involves
automatically closing dedicated shutdown valves, shutting down motors and/or equipment. A
typical SIS has many SIFs which are individually designed to prevent various undesirable
consequences to certain target SILs (i.e. SIL 1, 2, or 3). A SIF designed to meet a target SIL of 1
provides a single IPL credit. A SIF designed to meet a target SIL of 2 or 3 provides 2 or 3 IPL
credits respectively. Although the internationally recognized standards recognize SIL 4, it is
Owner's standard practice to only implement SIL 1, 2, or 3 SIFs as described in the Owner's
Integrated Risk Prioritization Matrix for SOA/SSFA IPL Analysis found in Appendix D. If a SIL
4 SIF is required for any cause-consequence scenario, the team should consider implementation
of additional non-SIS IPLs, or changes in the process/operations that allow for a lower target SIL.
If this is not possible, the SOA facilitator should contact Owner for further guidance. Further
guidance on using Safety Instrumented Functions as IPLs can be found in Appendix E, Table 5.
Pressure Relief Devices
The fourth independent protection layer typically consists of stand-alone pressure relief devices
(PRDs) such as pressure relief valves and rupture disks. PRDs are generally considered very
good IPLs for use in cause-consequence scenarios associated with overpressure of pipes, vessels
and equipment. It is important to note that IPL credit for PRDs can vary depending on the type of
service. PRDs in clean service can be given more IPL credit than PRDs in dirty service.
Additionally, two or more PRDs sized to handle the full contents of a pressure release can be
given more IPL credits than single PRDs. IPL credit for PRDs should only be taken if they
provide specific protection for the undesirable consequence being analyzed, e.g., PRDs that are
installed on a vessel for a fire case cannot be given IPL credit for an overpressure
cause-consequence scenario where the full contents of the vessel need to be relieved to a safe
location. Further guidance on using PRDs as IPLs can be found in Appendix E, Table 3.
Independent Protection Layers 1-4 are all considered preventive and are designed to reduce the
likelihood of undesirable consequences using instrumentation.
Fire and Gas Deluge Systems
The fifth independent protection layer is considered a mitigating IPL because it is designed to
reduce the potential severity of a consequence after the process has experienced an undesirable
event with an intermediate consequence. Examples of undesirable intermediate events are pipe or
vessel leak, fire or release of hydrocarbon or toxic gas. The mitigating IPL is designed to reduce
the effects of the undesirable intermediate events so as to prevent the full-blown undesirable
consequence such as complete loss of containment, explosion, boiling liquid expanding vapor
explosion (BLEVE), major equipment destruction, personnel injury/fatality or major
environmental damage. A typical example of this layer is a fire and gas system with an associated
deluge system. Mitigating IPLs are rarely used during a PHA/SOA because they are so difficult
to apply qualitatively. They are more often used in quantitative analyses or semi-quantitative
analyses such as Event Tree and/or full-blown LOPA which make use of both preventive
safeguards (to reduce the likelihood of the full-blown consequence) and mitigative safeguards (to
reduce the severity of the full-blown consequence). Further guidance on using Fire and Gas
Deluge Systems as IPLs can be found in Appendix E, Table 6.
Facility Emergency Response
The sixth protection layer is the facility emergency response plan designed to handle any
undesirable consequences once they have occurred. This again is a consequence mitigating layer
and is designed to respond to the emergency situation that the undesirable consequence has
created. This protection layer is not normally given any IPL credit because it is mitigative and
does not prevent the stated consequence in the cause-consequence scenario.
Community Emergency Response
The seventh and final protection layer is the community emergency response plan which is
carried out by the community fire department or community emergency response department (if
available) to help deal with the emergency situation that the undesirable consequence has created.
This protection layer is not normally given any IPL credit because it is mitigative and does not
prevent the stated consequence in the cause-consequence scenario.
Other IPLs
The following is a list of other IPLs that can be used during SOA and can be given IPL credit.
1. Check valve
2. Flame arrestor
3. Vacuum breaker
4. Restrictive orifice
5. Mechanical over-speed trip
Guidance on using these other IPLs is found in Appendix E, Table 4.
It is important to note that in all of the above IPLs, no failure in one IPL is expected to fail the
other IPLs. This independence is important in guarding against common mode failure. Diversity
is an important characteristic of independence.
It is important to note that all IPLs are considered safeguards. However, not all safeguards can be
considered IPLs. IPLs are typically selected from the list of safeguards that have been identified
during the PHA study.
1. Typical examples of non-IPL safeguards include:
a. Training and certification
b. Normal operating procedures
c. Normal testing and inspection
d. Maintenance
e. Signs
f. Flame-proofing
Appendix B
The following compressor knock-out drum example will be used to help describe and illustrate
Steps 4 through 11 of the combined PHA/SOA process.
WARNING This example is intended for illustration purposes only. In no way is this
example meant to represent an actual analysis for this type of process.
See Figure G-1: Compressor & Knock-Out Drum.
In this example, hot hydrocarbon gas and liquid (oil and water) from the main process enters
knock-out drum V-101 prior to being sent to 1st stage compressor K-102. The purpose of the
knock-out drum is to eliminate liquids from the process or liquid/gas stream that could severely
damage the compressor.
The PHA/SOA team in this example used the guide word hazards and operability study
(HAZOP) method of analyzing process hazards. Figure G-1 represents the first node analyzed by
the HAZOP/SOA team. A sampling of the high pressure, high level, and low level deviations
were analyzed for this node.
Steps 4 through 11 of the combined PHA/SOA Process are described for each of these three deviations.
B.1
Identify Causes. While looking for causes of high pressure, the team determined that if the block
valve between the knock-out drum and the compressor was closed by mistake (human error),
then high pressure could result in V-101.
Develop Consequences. The consequence of high gas input to V-101 would be high pressure in
the drum, with potential overpressure, loss of containment, and personnel exposure.
Identify and Validate Safeguards. The safeguards against this cause-consequence scenario
include relief valve PSV-101 and high pressure alarm PAHH-102 with a corresponding trip of
liquid/gas inlet valve UV-109 by SIS interlock I-103. The team also identified operator training
as a safeguard.
Step 5
The team determined that the safety severity of the consequence would be major. The likelihood
of the consequence with all safeguards in place was determined to be unlikely. This equates to an
overall PHA risk rank of 6.
Step 6
Based on the PHA risk rank of 6, the team decided that the risk would be considered tolerable if
the validity of the safeguards is confirmed during the SOA portion of the PHA/SOA. For this
reason, no specific PHA recommendations were made for this cause-consequence scenario.
Step 7
The PHA risk rank severity of major was copied over for the SOA. The LI was set equal to the
initiating cause likelihood. The initiating cause likelihood of an
operator erroneously closing the knock-out drum gas outlet block valve was determined to be
likely because the operator will have to independently close this block valve for maintenance on
the compressor more than once per year. The operator has training on the operation but the
operation is not independently verified. This severity of major and LI of likely results in a total of
3 IPL credits required. Figure G-2 shows that the total of 3 required IPL credits is found at the
intersection of the severity and LI on the matrix.
Step 8
Using the SOA/SSFA Guidance Tables, the team determined that relief valve PSV-101 qualifies
as 2 IPL credits. The team determined that the operator training safeguard would not qualify as an
IPL. SIS interlock I-103 is shown on the P&IDs, but no IPL credit is taken for this SIF because
this is a new facility and the SIL of the SIF has not been verified and documented. Step 9 below
will determine whether a gap exists between the number of IPL credits available and the number
of IPL credits required.
Step 9
If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 2 IPL credits in Step 8 (for PSV-101), then the IPL credit gap
is 1. This means that one more order of magnitude risk reduction is required to adequately reduce
the risk of the cause-consequence scenario. Figure G-2 shows how the total number of required
IPL credits and IPL credit gap values are related.
See Figure G-2: Example of Determining Total Number of IPL Credits Required and IPL
Credit Gap.
Step 10
The team made the recommendation to consider adding independent verification of the manual
operation of the block valve. This could reduce the initiating cause likelihood from likely to
occasional, which would lower the number of IPL credits required to the number of IPL credits
available (2), so the IPL credit gap would be eliminated. Because the IPL credit requirement
has been met outside of the SIS, the SIF would no longer be required for this cause-consequence
scenario. However, the project manager would have to obtain the concurrence of her/his upper
management and ensure that the SIF is not necessary to reduce the risk for any other
cause-consequence scenario before removing it.
Step 11
Steps 4 through 10 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.
B.2
Identify Causes. While looking for causes of high level, the team determined that if control loop
LIC-201 fails LV-201 closed, then high level could result in V-101.
Develop Consequences. The consequence of high liquid level in V-101 would be potential liquid
carryover to compressor K-102, resulting in potential equipment damage and possible personnel
exposure.
Identify and Validate Safeguards. The safeguards against this cause-consequence scenario
include SIF I-101 in which high level indicated by high level alarm LAHH-103 will trip
compressor K-102. SIS transmitter LT-202 also has a high alarm LAH-202 with operator
intervention to manually open valve LV-201. Based on the size of the knock-out drum and the
setting of high level alarm LAH-202, the operator will have at least 30 minutes to open valve
LV-201 before the liquid overflows into the compressor.
Step 5
The team determined that the safety severity of the consequence would be major. The likelihood
of the consequence with all safeguards in place was determined to be unlikely. This equates to an
overall PHA risk rank of 6.
Step 6
Based on the PHA risk rank of 6, the team decided that the risk would be considered tolerable if
the validity of the safeguards is confirmed during the SOA portion of the PHA/SOA. For this
reason, no specific PHA recommendations were made for this cause-consequence scenario.
Step 7
The PHA risk rank severity of major was copied over for the SOA. The LI was set equal to the
initiating cause likelihood. The initiating cause likelihood of a
control loop failure is likely. This severity of major and LI of likely results in a total of 3 IPL
credits required.
Step 8
Using the SOA/SSFA Guidance Tables, the team determined that the operator response to
LAH-202 qualifies as 1 IPL credit. SIS interlock I-101 is shown on the P&IDs, but no IPL credit
is taken for this SIF because this is a new facility and the SIL of the SIF has not been verified and
documented. Step 9 below will determine whether a gap exists between the number of IPL credits
available and the number of IPL credits required.
Step 9
If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 1 IPL credit in Step 8 above, then the IPL credit gap is 2. This
means that an additional two orders of magnitude risk reduction are required to adequately
reduce the risk of the cause-consequence scenario.
Step 10
The team made the recommendation to consider implementing SIS interlock I-101 as a SIL 2
SIF. This would successfully close the IPL credit gap associated with the cause-consequence
scenario.
Step 11
Steps 4 through 10 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.
B.3
Cause. While looking for causes of low level, the team determined that if control loop LIC-201
fails LV-201 open, then low level could result in V-101.
Consequence. The consequence of low liquid level in V-101 would be potential gas blow-by to
downstream oil/water vessels, resulting in possible equipment damage and personnel exposure.
This is an example of a situation where the cause occurs in this node, but the consequence occurs
outside of the node. In such cases, the team should follow the consequence wherever it leads and
evaluate the risk as part of this cause-consequence scenario. Figure G-3 shows the separator in
Node 2 that would be affected by the gas blow-by that could result from the low level in
Knock-Out Drum V-101 which is in Node 1. The team determined that gas blow-by through
V-101 could lead to overpressure of Separator V-102, resulting in loss of containment and
personnel exposure.
See Figure G-3: Separator, Compressor, and Knock-Out Drum.
Safeguards. The safeguards for this cause-consequence scenario include relief valve PSV-302
which is in clean service and has been sized to handle the flow rate of anticipated gas blow-by
coming from the knock-out drum. SIF I-102 will detect low level indicated by low level alarm
LALL-103 and close valve UV-108 to block the outlet of the knock-out drum to prevent the gas
blow-by to the separator. Separator V-102 also has PCS pressure transmitter PT-301 with a high
alarm and operator intervention to block in the inlet of the separator with the manual block valve.
Step 5
The team determined that the safety severity of the consequence would be major. The likelihood
of the consequence with all safeguards in place was determined to be unlikely. This equates to an
overall PHA risk rank of 6.
Step 6
Based on the PHA risk rank of 6, the team decided that the risk would be considered tolerable if
the validity of the safeguards is confirmed during the SOA portion of the PHA/SOA. For this
reason, no specific PHA recommendations were made for this cause-consequence scenario.
Step 7
The PHA risk rank severity of major was copied over for the SOA. The LI was set equal to the
initiating cause likelihood. The initiating cause likelihood of a
control loop failure is likely. This severity of major and LI of likely results in a total of 3 IPL
credits required.
Step 8
Per the SOA/SSFA Guidance Tables, relief valve PSV-302 qualifies for 2 IPL credits since it is in
clean service and the facility has plans in place to regularly test the relief valve. The team decided
that the high alarm on PT-301 with operator intervention would not qualify as an IPL because the
operator would not have enough time to respond to prevent the overpressure of the separator. In
addition, since this is a new system any critical alarms should be routed to a dedicated
annunciator panel, either directly or via an SIS logic solver in order to qualify for IPL credit. SIS
interlock I-102 is shown on the P&IDs, but no IPL credit is taken for this SIF because the SIL of
the SIF has not yet been verified and documented. Step 9 below will determine whether a gap
exists between the number of IPL credits available and the number of IPL credits required.
Step 9
If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 2 IPL credits in Step 8 above, then the IPL credit gap is 1. This
means that one more order of magnitude risk reduction is required to adequately reduce the risk
of the cause-consequence scenario.
Step 10
The team made the recommendation to consider implementing SIS interlock I-102 as a SIL 1
SIF. This would successfully close the IPL credit gap associated with the cause-consequence
scenario.
Step 11
Steps 4 through 10 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.
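The IPL credit accounting of Steps 7 through 10, and the qualification rules from the Basic Controls, Critical Alarms, Safety Instrumented System and Pressure Relief Devices sections above, written out as an added Python example. This is not Owner's SOA tool or any code from this document; it is a model of the three Appendix B scenarios. REQUIRED_CREDITS contains only the two Appendix D cells the text quotes (major/likely gives 3, major/occasional gives 2). The clean-service and test status of PSV-101, the single credit for a PRD that is neither clean nor tested, and the 5 minute response time for the PT-301 alarm are assumptions made for the example and marked as such in the code.

```python
"""IPL credit-gap evaluation following the SOA steps described on this page.
Added example, not Owner's SOA tool. REQUIRED_CREDITS holds only the two cells of
the Appendix D matrix the text quotes; any other pair raises KeyError, not a guess.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Partial Appendix D matrix: (severity, initiating cause likelihood) -> IPL credits required.
REQUIRED_CREDITS = {("major", "likely"): 3, ("major", "occasional"): 2}
# Minimum operator response time (minutes) for an alarm to qualify as an IPL.
MIN_RESPONSE_MIN = {"control_room": 10, "field": 30}


@dataclass(frozen=True)
class Safeguard:
    tag: str
    kind: str                          # "sif", "alarm", "prd" or "procedural"
    sensors: frozenset = frozenset()   # instruments/loops the safeguard depends on
    sil: Optional[int] = None          # "sif": verified and documented SIL, else None
    response_min: int = 0              # "alarm": minutes the operator has to intervene
    operator: str = "control_room"     # "alarm": "control_room" or "field"
    clean_service: bool = False        # "prd"
    tested: bool = False               # "prd": regular test plan in place


@dataclass(frozen=True)
class Scenario:
    name: str
    severity: str
    likelihood: str
    initiating: frozenset              # loops/instruments whose failure starts the scenario
    safeguards: Tuple[Safeguard, ...]


def ipl_credit(sg: Safeguard, sc: Scenario) -> Tuple[int, str]:
    """Credits for one safeguard under the qualification rules of this document."""
    if sg.sensors & sc.initiating:
        return 0, "shares a sensor or loop with the initiating cause"
    sifs = [s for s in sc.safeguards if s.kind == "sif"]
    if sg.kind == "sif":
        if sg.sil is None:
            return 0, "SIL not yet verified and documented"
        if sg.sil not in (1, 2, 3):
            return 0, "SIL 4 not implemented; add non-SIS IPLs or change the process"
        return sg.sil, f"SIL {sg.sil} SIF"
    if sg.kind == "alarm":
        if any(s.sil == 3 for s in sifs):
            return 0, "not credited alongside a SIL 3 SIF"
        if any(sg.sensors & s.sensors for s in sifs):
            return 0, "shares its sensor with a SIF"
        need = MIN_RESPONSE_MIN[sg.operator]
        if sg.response_min < need:
            return 0, f"{sg.response_min} min to respond, {need} min required"
        return 1, "critical alarm with operator response"
    if sg.kind == "prd":
        # Appendix B credits a clean-service, regularly tested PSV with 2; the single
        # credit for any other PRD is an assumption of this example.
        return (2 if sg.clean_service and sg.tested else 1), "pressure relief device"
    return 0, "safeguard, but not an IPL"


def evaluate(sc: Scenario) -> Dict:
    """Steps 7 to 9: credits required, credits available per safeguard, and the gap."""
    required = REQUIRED_CREDITS[(sc.severity, sc.likelihood)]
    detail = {sg.tag: ipl_credit(sg, sc) for sg in sc.safeguards}
    available = sum(credit for credit, _ in detail.values())
    return {"required": required, "available": available,
            "gap": max(required - available, 0), "detail": detail}


def scenario_b1(likelihood: str = "likely") -> Scenario:
    """B.1: block valve closed by mistake -> high pressure in V-101."""
    return Scenario("B.1 high pressure", "major", likelihood, frozenset(), (
        Safeguard("PSV-101", "prd", clean_service=True, tested=True),  # assumed clean/tested
        Safeguard("I-103", "sif", frozenset({"PAHH-102"})),           # SIL not yet verified
        Safeguard("operator training", "procedural"),
    ))


def scenario_b2(i101_sil: Optional[int] = None) -> Scenario:
    """B.2: LIC-201 fails LV-201 closed -> high level, liquid carryover to K-102."""
    return Scenario("B.2 high level", "major", "likely", frozenset({"LIC-201"}), (
        Safeguard("I-101", "sif", frozenset({"LAHH-103"}), sil=i101_sil),
        Safeguard("LAH-202", "alarm", frozenset({"LT-202"}), response_min=30),
    ))


def scenario_b3(i102_sil: Optional[int] = None) -> Scenario:
    """B.3: LIC-201 fails LV-201 open -> gas blow-by, overpressure of V-102."""
    return Scenario("B.3 low level", "major", "likely", frozenset({"LIC-201"}), (
        Safeguard("PSV-302", "prd", clean_service=True, tested=True),
        Safeguard("I-102", "sif", frozenset({"LALL-103"}), sil=i102_sil),
        # the page says only "not enough time"; 5 min is an assumed value below the minimum
        Safeguard("PT-301 high alarm", "alarm", frozenset({"PT-301"}), response_min=5),
    ))


if __name__ == "__main__":
    for sc in (scenario_b1(), scenario_b1("occasional"), scenario_b2(), scenario_b2(2),
               scenario_b3(), scenario_b3(1)):
        r = evaluate(sc)
        print(f"{sc.name} ({sc.likelihood}): required {r['required']}, "
              f"available {r['available']}, gap {r['gap']}")
        for tag, (credit, why) in r["detail"].items():
            print(f"    {tag}: {credit} credit(s), {why}")
```

Each scenario is evaluated twice: as found (gaps of 1, 2 and 1, matching Step 9 of B.1, B.2 and B.3) and with the Step 10 recommendation applied (likelihood reduced to occasional for B.1, I-101 at SIL 2 for B.2, I-102 at SIL 1 for B.3), which closes every gap. The rejection reasons make the independence checks visible: an alarm that shares a sensor with the initiating cause or with a SIF, or that sits beside a SIL 3 SIF, earns nothing, which is the common-mode point the Other IPLs section makes.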
Appendix C
The following compressor knock-out drum example will be used to help describe and illustrate
Steps 4 through 9 of the stand-alone SOA process.
WARNING This example is intended for illustration purposes only. In no way is this
example meant to represent an actual analysis for this type of process.
In this example, hot hydrocarbon gas and liquid (oil and water) from the main process enters
knock-out drum V-101 prior to being sent to 1st stage compressor K-102. The purpose of the
knock-out drum is to eliminate liquids from the process or liquid/gas stream that could severely
damage the compressor.
See Figure G-3: Separator, Compressor, and Knock-out Drum.
In this example a PHA had been conducted before the SOA. As a result, the SOA team copied the
cause-consequence scenario causes, consequences, safeguards, and severity ranking for each
cause-consequence scenario from the PHA and then used the SOA process to determine the
safety system instrumentation required to prevent and mitigate the hazardous events for this
process. Steps 4 through 9 of the stand-alone SOA Process are described below for a sampling of the
cause-consequence scenarios for this process.
C.1
The cause, consequence, safeguards, and severity ranking for each cause-consequence scenario
are copied over from the PHA worksheets.
Cause. The cause of high pressure copied over from the PHA is erroneous closure of the block
valve between the knock-out drum and the compressor (human error).
Consequence. The consequence of high gas input to V-101 would be high pressure in the drum,
with potential overpressure, loss of containment, and personnel exposure.
Safeguards. The safeguards against this cause-consequence scenario include relief valve
PSV-101 and high pressure alarm PAHH-102 with corresponding trip of liquid/gas inlet valve
UV-109 by SIS interlock I-103. The PHA team also identified operator training as a safeguard.
Severity Ranking. The PHA team previously determined that the safety severity of the
consequence would be major.
Step 5
The LI was set equal to the initiating cause likelihood. The
initiating cause likelihood of an operator erroneously closing the knock-out drum gas outlet block
valve was determined to be likely because the operator will have to independently close this
block valve for maintenance on the compressor more than once per year. The operator has
training on the operation but the operation is not independently verified. This severity of major
and LI of likely results in a total of 3 IPL credits required. Figure G-2 shows that the total of 3
required IPL credits is found at the intersection of the severity and LI on the matrix.
Step 6
Using the SOA/SSFA Guidance Tables, the team determined that relief valve PSV-101 qualifies
as 2 IPL credits. The team determined that the operator training safeguard would not qualify as an
IPL, but might affect the initiating event frequency for the cause-consequence scenario. SIS
interlock I-103 is shown on the P&IDs, but no IPL credit is taken for this SIF because this is a
new facility and the SIL of the SIF has not been verified and documented. Step 7 below will
determine whether a gap exists between the number of IPL credits available and the number of
IPL credits required.
Step 7
If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 2 IPL credits in Step 6 (for PSV-101), then the IPL credit gap is
1. This means that one more order of magnitude risk reduction is required to adequately reduce
the risk of the cause-consequence scenario. Figure G-2 shows how the total number of required
IPL credits and IPL credit gap values are related.
See Figure G-2: Example of Determining Total Number of IPL Credits Required and IPL
Credit Gap.
Step 8
SOA Recommendations
The team made the recommendation to consider adding independent verification of the manual
operation of the block valve. This could reduce the initiating cause frequency from likely to
occasional, which would lower the number of IPL credits required to the number of IPL credits
available (2), so the IPL credit gap would be eliminated. Because the IPL credit requirement
has been met outside of the SIS, the SIF would no longer be required for this cause-consequence
scenario. However, the project manager would have to obtain the concurrence of her/his upper
management and ensure that the SIF is not necessary to reduce the risk for any other
cause-consequence scenario before removing it.
Step 9
Steps 4 through 8 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to Appendix F for an illustration of the PHA/SOA process.
C.2
The cause, consequence, safeguards, and severity ranking for each cause-consequence scenario
are copied over from the PHA worksheets.
Cause. The PHA team determined that if control loop LIC-201 fails LV-201 closed, then high
level could result in V-101.
Consequence. The consequence of high liquid level in V-101 established in the PHA was
potential liquid carryover to compressor K-102, resulting in potential equipment damage and
possible personnel exposure.
Safeguards. The safeguards documented for this cause-consequence scenario include SIF I-101
in which high level indicated by high level alarm LAHH-103 will trip compressor K-102. SIS
transmitter LT-202 also has a high alarm LAH-202 with operator intervention to manually open
valve LV-201. Based on the size of the knock-out drum and the setting of high level alarm
LAH-202, the operator will have at least 30 minutes to open valve LV-201 before the liquid
overflows into the compressor.
Severity Ranking. The PHA team previously determined that the safety severity of the
consequence would be major.
Step 5
The LI was set equal to the initiating cause likelihood. The
initiating cause likelihood of a control loop failure is likely. This severity of major and LI of
likely results in a total of 3 IPL credits required.
Step 6
Using the SOA/SSFA Guidance Tables, the team determined that the operator response to
LAH-202 qualifies as 1 IPL credit. SIS interlock I-101 is shown on the P&IDs, but no IPL credit
is taken for this SIF because this is a new facility and the SIL of the SIF has not been verified and
documented. Step 7 below will determine whether a gap exists between the number of IPL credits
available and the number of IPL credits required.
Step 7
If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 1 IPL credit in Step 6 above, then the IPL credit gap is 2. This
means that an additional two orders of magnitude risk reduction are required to adequately
reduce the risk of the cause-consequence scenario.
Step 8
SOA Recommendations
The team made the recommendation to consider implementing SIS interlock I-101 as a SIL 2
SIF. This would successfully close the IPL credit gap associated with the cause-consequence
scenario.
Step 9
Steps 4 through 8 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.
C.3
The cause, consequence, safeguards, and severity ranking for each cause-consequence scenario
are copied over from the PHA worksheets.
Cause. The PHA team determined that if control loop LIC-201 fails LV-201 open, then low level
could result in V-101.
Consequence. The consequence of low liquid level in V-101 would be potential gas blow-by to
downstream oil/water vessels, resulting in possible equipment damage and personnel exposure.
Figure G-3 shows the separator in Node 2 that would be affected by the gas blow-by that could
result from the low level in Knock-Out Drum V-101 which is in Node 1. The PHA team
previously determined that gas blow-by through V-101 could lead to overpressure of Separator
V-102, resulting in loss of containment and personnel exposure.
See Figure G-3: Separator, Compressor, and Knock-Out Drum.
Safeguards. The safeguards for this cause-consequence scenario include relief valve PSV-302
which is in clean service and has been sized to handle the flow rate of anticipated gas blow-by
coming from the knock-out drum. SIF I-102 will detect low level indicated by low level alarm
LALL-103 and close valve UV-108 to block the outlet of the knock-out drum to prevent the gas
blow-by to the separator. Separator V-102 also has PCS pressure transmitter PT-301 with a high
alarm and operator intervention to block in the inlet of the separator with the manual block valve.
Severity Ranking. The PHA team previously determined that the safety severity of the
consequence would be major.
Step 5
The LI was set equal to the initiating cause likelihood. The
initiating cause likelihood of a control loop failure is likely. This severity of major and LI of
likely results in a total of 3 IPL credits required.
Step 6
Per the SOA/SSFA Guidance Tables, relief valve PSV-302 qualifies for 2 IPL credits since it is in
clean service and the facility has plans in place to regularly test the relief valve. The team decided
that the high alarm on PT-301 with operator intervention would not qualify as an IPL because the
operator would not have enough time to respond to prevent the overpressure of the separator. In
addition, since this is a new system, any critical alarms should be routed to a dedicated
annunciator panel, either directly or via an SIS logic solver, in order to qualify for IPL credit. SIS
interlock I-102 is shown on the P&IDs, but no IPL credit is taken for this SIF because the SIL of
the SIF has not yet been verified and documented. Step 9 below will determine whether a gap
exists between the number of IPL credits available and the number of IPL credits required.
Step 7
If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 2 IPL credits in Step 6 above, then the IPL credit gap is 1. This
means that one more order of magnitude risk reduction is required to adequately reduce the risk
of the cause-consequence scenario.
Step 8
SOA Recommendations
The team made the recommendation to consider implementing SIS interlock I-102 as a SIL 1
SIF. This would successfully close the IPL credit gap associated with the cause-consequence
scenario.
Step 9
Steps 4–8 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.
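As an added illustration (not from ICM 5171), the following Python models Steps 5 through 7 for the C.3 scenario: the 3-credit requirement for a major/likely pair, the qualification rules the team applied to PSV-302, PT-301 and I-102, the Table 2 rule that only one PCS loop or alarm may be credited, and the resulting gap. The required-credit lookup, the one-credit default for a PRV that is not both clean and tested, and credit equal to the verified SIL are assumptions made for the example.

```python
from dataclasses import dataclass

CREDITS_REQUIRED = {("major", "likely"): 3}  # constructed: only the pair the worked example gives


@dataclass
class Safeguard:
    tag: str
    kind: str                            # "prv", "pcs_alarm" or "sif"
    independent_of_cause: bool = True    # shares no sensor/valve with the initiating loop
    clean_service: bool = False          # prv: clean service
    tested: bool = False                 # prv: covered by the facility's relief valve test plan
    enough_time: bool = False            # pcs_alarm: operator can act within process safety time
    dedicated_annunciator: bool = False  # pcs_alarm: routed to a dedicated panel (new system)
    sil_verified: int = 0                # sif: verified and documented SIL, 0 if not yet


def safeguard_credits(s: Safeguard) -> tuple[int, str]:
    """Credits one safeguard earns under the rules the worked example applies."""
    if not s.independent_of_cause:
        return 0, "not independent of the initiating cause"
    if s.kind == "prv":  # clean service plus a test plan earned PSV-302 two credits;
        if s.clean_service and s.tested:  # one credit for a single sized PRV is assumed
            return 2, "clean service, tested"
        return 1, "single PRV sized for the scenario"
    if s.kind == "pcs_alarm":
        if s.enough_time and s.dedicated_annunciator:
            return 1, "alarm with operator response"
        return 0, "insufficient response time or no dedicated annunciator"
    if s.kind == "sif":  # assumed: credit equals the verified SIL, none until verified
        return s.sil_verified, ("SIL %d verified" % s.sil_verified if s.sil_verified else "SIL not verified")
    return 0, "unknown safeguard type"


def ipl_credit_gap(severity: str, likelihood: str, safeguards: list[Safeguard]) -> dict:
    """Steps 5-7: credits required, credits available and the resulting gap (0 if none)."""
    required = CREDITS_REQUIRED[(severity, likelihood)]
    available, pcs_credited, detail = 0, False, {}
    for s in safeguards:
        credits, why = safeguard_credits(s)
        if s.kind == "pcs_alarm" and credits and pcs_credited:  # Table 2: only one PCS IPL
            credits, why = 0, "only one PCS loop/alarm may be credited per scenario"
        pcs_credited = pcs_credited or (s.kind == "pcs_alarm" and credits > 0)
        available += credits
        detail[s.tag] = (credits, why)
    return {"required": required, "available": available,
            "gap": max(required - available, 0), "detail": detail}


SCENARIO = [  # C.3 scenario: LIC-201 fails LV-201 open, low level in V-101, blow-by to V-102
    Safeguard("PSV-302", "prv", clean_service=True, tested=True),
    Safeguard("PT-301 high alarm", "pcs_alarm", enough_time=False),
    Safeguard("I-102", "sif", sil_verified=0)]  # on the P&IDs, SIL not yet verified
```

Re-running `ipl_credit_gap` with I-102 entered as a verified SIL 1 SIF reproduces the Step 8 recommendation closing the gap.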
Appendix D
Appendix E
Initiating Cause Likelihood (guidance table; columns: Initiating Cause | Conditions | Likelihood)
Likelihood ratings used: Likely (1), Occasional (2), Seldom (3). The conditions text and the rating
assigned to each row did not survive extraction; the initiating cause rows are:
  Pressure Regulator (Integral)
  Mechanical Failures, Non-metallic
  Mechanical Failures (Hoses)
  Human Error
    Note: Initiating event frequency of human error should consider equipment layout, frequency
    of task performance and training & procedures. Conditions provided are to be considered as
    initial guidelines with adjustment based on operating experience.
  Mechanical Failures, Metallic (e.g., exchanger tube leak)
  Pump / Fan / Compressor Failure
  Pump / Compressor Mechanical Seal Failure
  Use experience of personnel or failure rate data.
Table 2
INDEPENDENT PROTECTION LAYERS
PCS and Operator Intervention
(Columns: IPL | IPL Credit. The IPL Credit values did not survive extraction; the qualifying
conditions for each IPL follow.)

IPL: PCS control loop
  The PCS control loop / interlock must use sensors, PCS input & output modules and final elements
  that are independent of the PCS control loop / interlock identified as the initiating cause.
  Regardless of whether a PCS control loop / interlock is the initiating cause or not, only one PCS
  control loop / interlock may be credited as an IPL, provided the PCS controller requirements
  below are met.
  It is typically a control loop whose normal action prevents the scenario consequence.
  The PCS IPL must run in automatic mode during all operational phases where the hazard scenario
  exists.
  Testing of any PCS IPL must be part of the facility's instrument maintenance testing plan for
  IPLs. This requirement is especially important if the PCS control loop / interlock is dormant.
  For pressure relief control loops, the control valve must be sized to prevent the overpressure
  scenario.
  The PCS IPL should be designed, implemented, operated and maintained to achieve the risk
  reduction.
  PCS IPL Controller Requirements
  The following requirements should be reviewed and a documented judgment made only by PCS Experts
  knowledgeable in the specific hardware/architecture of the system under consideration and the
  department/persons having responsibility for maintaining / managing the PCS.
    The controller is redundant (i.e., Main and Backup).
    The controller is sufficiently reliable to ensure that common mode failure is not a cause of
    concern.
    Adequate PCS workstation access and security procedures are in place to provide assurance that
    the potential for human error in programming, modifying or operating the PCS is reduced to an
    acceptable level.
  Field or local control loops with different instrumentation may also be classified as an
  additional IPL. Additional considerations include a service relatively clean with no or minimal
  history of instrumentation problems due to plugging, polymerization or deposition.
  Any PCS control loop that is affected by the CAUSE failure listed in the cause-consequence
  scenario. Control loops that share or contain common process measurements and output devices
  with alarms, SIS functions, or other controls affected by CAUSE failures.

IPL: Alarms with Operator Response
  Sub-columns: Process Safety Time* (min) | Location of Preventative Action | Description | IPL
  Credit
  Entries as extracted (row alignment, descriptions and credits not recovered): <10, Control Room;
  >10, Control Room; Control Room; >10; >30, Field
  Note: When considering an alarm IPL implemented in the SIS logic solver, the overall IPL credit
  must not be higher than the maximum SIL rating for which the logic solver is certified per
  IEC 61508. E.g., a SIL 2 certified logic solver cannot have a SIL 2 SIF and an IPL alarm for the
  same scenario.

IPL: Routine Operator Surveillance
  Process Related Rounds and Inspections. Frequency of operator rounds must be sufficient to
  detect the potential incident. If recognition of a process variable is required, the operator
  must log specific values from sensors or valves independent of the initiating cause. The log
  must show unacceptable out-of-range values. The SOP must describe the response to out-of-range
  values. Note: Routine Operator Surveillance is rarely considered an IPL. However, it can affect
  the likelihood of a consequence given a specific cause.

* Process Safety Time: the time it takes the process to go from the alarm condition to the
  hazardous condition.
Table 3
INDEPENDENT PROTECTION LAYERS
Pressure Relief Devices (PRDs)
(Columns: IPL | IPL Credit. The IPL Credit values did not survive extraction.)

IPL: Pressure Relief Valve (PRV)
  Clean Service. Three PRVs in clean service where 2 of the 3 PRVs are required to prevent the
  overpressure and all three PRVs are actively connected to the process at all times.
  More than one PRV in clean service is available to prevent the overpressure consequence. Each
  PRV listed must be capable of independently relieving the vessel. PRV must be sized to prevent
  the scenario consequence. Note: Extreme caution must be used before implementing this as a
  solution. Use of more than one PRV can be the source of chatter. The capacity of the entire
  relieving system (piping, knock-out drums, flare) also must be evaluated.
  More than one PRV is available, but more than one is required to relieve the full load. This
  includes staged release PRVs. To achieve higher risk reduction than 1 IPL, the PRV sizing
  calculations must be reviewed to determine whether the load can be successfully handled by one
  PRV, based on the specific cause-consequence scenario under review.

IPL: Vessel Rupture Disk
  (conditions and credit not recovered)
Table 4
INDEPENDENT PROTECTION LAYERS
Other IPLs
(Columns: IPL | IPL Credit. The IPL Credit values did not survive extraction.)
IPL: Vacuum Breaker
IPL: Restrictive Orifice
IPL: Mechanical Over-Speed Trip
IPL: Check Valve
IPL: Flame Arrester
Table 5
INDEPENDENT PROTECTION LAYERS
Safety Instrumented System IPLs
(Columns: IPL | IPL Credit. The IPL Credit values did not survive extraction.)
IPL: Safety Instrumented Function (SIF)
Note: Hardware fault tolerance requirements stated in ANSI/ISA-84.00.01-2004 (IEC 61511 Mod),
Part 1, Section 11.4 or IEC 61508-2 Tables 2 and 3 must also be satisfied.
Table 6
INDEPENDENT PROTECTION LAYERS (Mitigative*)
Fire and Gas Detection Systems
(Columns: IPL | IPL Credit. The IPL Credit values did not survive extraction; the qualifying
conditions follow.)

  Operator initiated response. The risk reduction is based on operator alarm and response
  criteria and must be independent of the initiating cause and other IPLs. Extreme care must be
  taken when using fire protection equipment as an IPL to ensure that it prevents the defined
  consequence under all foreseen conditions. This includes quantitative evaluation of sensing,
  actuation and action mechanisms to verify that overall effectiveness is 90% or higher, under
  all credible cause-consequence scenarios.
  Using fire detectors with automatic deluge, e.g., foam, water curtain, water sprays, or
  emergency evacuation. Must be independent of the initiating cause and other IPLs. Extreme care
  must be taken when using fire protection equipment as an IPL to ensure that it prevents the
  defined consequence under all foreseen conditions. This includes quantitative evaluation of
  sensing, actuation and action mechanisms to verify that overall effectiveness is 90% or higher,
  under all credible cause-consequence scenarios.
  Operator initiated response. The risk reduction is based on operator alarm and response
  criteria and must be independent of the initiating cause and other IPLs. Extreme care must be
  taken when using gas detection equipment as an IPL to ensure that it prevents the defined
  consequence under all foreseen conditions. This includes quantitative evaluation of sensing,
  actuation and action mechanisms to verify that overall effectiveness is 90% or higher, under
  all credible cause-consequence scenarios.
  Using gas monitors with automatic response, e.g., water cannons, water sprays, or emergency
  evacuation. Must be independent of the initiating cause and other IPLs. Extreme care must be
  taken when using gas detection equipment as an IPL to ensure that it prevents the defined
  consequence under all foreseen conditions. This includes quantitative evaluation of sensing,
  actuation and action mechanisms to verify that overall effectiveness is 90% or higher, under
  all credible cause-consequence scenarios.

* Note: Mitigation IPLs are typically intended to reduce the severity of the scenario
  consequence. Quantitative consequence analysis may be required. Use Table 6 with caution.
Appendix F
Appendix G
Additional Figures
Figure G-2: Example of Determining Total Number of IPL Credits Required and IPL Credit Gap