
ICM-PU-5171-A

Safety Objective Analysis / Process Hazards Analysis


Operating Environment: Onshore

This document is the confidential property of Chevron U.S.A. Inc. Neither the whole nor any part of this
document may be disclosed to any third party without the prior written consent of Chevron U.S.A. Inc.
Neither the whole nor any part of this document may be reproduced, stored in any retrieval system, or
transmitted in any form or by any means (electronic, mechanical, reprographic, recording, or otherwise)
without the prior written consent of Chevron U.S.A. Inc.

Rev.   Date    Description                                    Author        Technology Leader
       04/09   Initial release                                M. Crawford   R. Zerda
       04/13   Create uncommented version, minor editing      J. Pittman    R. Zerda
               to facilitate. No technical content changes

April 2013

© 2009-2013 Chevron U.S.A. Inc. All rights reserved. Confidential - Restricted Access

1 of 46


Summary of Changes
1. Revised technical content is indicated by change bars in the right margin.
2. Deleted, moved, and combined requirements, as well as editorial changes, are listed below.

NOTE: This is the initial release of the uncommented version of ICM 5171. The changes indicated below reflect
changes from the initial release of the commented version of ICM 5171.

Initial Release   Rev. A        Description                                                    Type of Change
(commented
version only)
                                Throughout: Moved proprietary information to comments.         Update to current CES editorial standards
                                Throughout: Replaced Purchaser with Owner.                     Update to current CES editorial standards
                                Throughout: Replaced Chevron Risk Integration Prioritization   Update to current CES editorial standards
                                Matrix with risk prioritization matrix.
                                Throughout: Changed references to ICM-DC-6025 to ICM-DU-6025   Update to current CES editorial standards
4.0               4.0, item 1   Reworded to remove proprietary information.                    Update to current CES editorial standards
Appendix D        Appendix D    Retitled to remove proprietary information.                    Edit
                                Edited graphic to remove proprietary information.
Appendix E        Appendix E    Retitled to remove proprietary information.                    Edit
Appendix F        Appendix F    Edited graphic to remove proprietary information.              Edit
Appendix G        Appendix G    Reworded Figure G-2 title to remove proprietary information.   Edit

Contents
1.0   Scope ................................................................... 4
2.0   References .............................................................. 4
      2.1  Purchaser Documents ................................................ 4
      2.2  Industry Codes and Standards ....................................... 4
      2.3  Referenced Publications ............................................ 4
3.0   Terminology ............................................................. 5
      3.1  Acronyms ........................................................... 5
      3.2  Definitions ........................................................ 5
4.0   General ................................................................. 7
      4.1  Analysis Methods ................................................... 7
      4.2  Project Timing ..................................................... 8
5.0   Roles and Responsibilities .............................................. 8
      5.1  General Responsibilities ........................................... 8
      5.2  SOA Specific Responsibilities by Role .............................. 9
6.0   Combined PHA/SOA ....................................................... 10
7.0   Stand-Alone SOA Process ................................................ 17
8.0   PHA/SOA Tool ........................................................... 18
9.0   Deliverables of a Combined PHA/SOA ..................................... 18
10.0  Deliverables of a Stand-Alone SOA ...................................... 18
Appendix A   Independent Protection Layers ................................... 20
Appendix B   Combined PHA/SOA Example ........................................ 26
Appendix C   Stand-Alone SOA Example ......................................... 31
Appendix D   Integrated Risk Prioritization Matrix for SOA/SSFA IPL Analysis . 36
Appendix E   SOA/SSFA Guidance Tables ........................................ 37
Appendix F   Combined PHA/SOA or SOA Standalone Flowchart .................... 43
Appendix G   Additional Figures .............................................. 44

1.0 Scope
The purpose of this document is to describe the Safety Objective Analysis (SOA) process and
how to perform it in conjunction with a Process Hazards Analysis (PHA).

2.0 References
1. The following documents are referenced herein and are considered part of this specification.
2. Unless otherwise specified in Section 2.1 or 2.2, use the latest edition of the referenced
documents.

2.1 Purchaser Documents
ICM-DU-6025                  Safety Instrumented Systems

2.2 Industry Codes and Standards
International Society of Automation (ISA with ANSI)
ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod)
                             Functional Safety: Safety Instrumented Systems for the Process
                             Industry Sector - Part 1: Framework, Definitions, System, Hardware and
                             Software Requirements
International Electrotechnical Commission (IEC)
61511-1                      Functional Safety: Safety Instrumented Systems for the Process
                             Industry Sector - Part 1: Framework, Definitions, System, Hardware and
                             Software Requirements

2.3 Referenced Publications
Layer of Protection Analysis, Simplified Process Risk Assessment, 2001,
Center for Chemical Process Safety of the American Institute of
Chemical Engineers, 3 Park Avenue, New York, New York
10016-5991, ISBN 0-8169-0811-7
Guidelines for Safe Automation of Chemical Processes, 1993,
Center for Chemical Process Safety of the American Institute of
Chemical Engineers, 345 East 47th Street, New York, New York 10017,
ISBN 0-8169-0554-1

3.0 Terminology

3.1 Acronyms

BLEVE     Boiling Liquid Expanding Vapor Explosion
BMS       Burner Management System
ERRF      External Risk Reduction Facilities
HAZOP     Hazards and Operability Study
PCS       Process Control System
PFDavg    Average Probability of Failure on Demand
PRD       Pressure Relief Device
SCADA     Supervisory Control and Data Acquisition

3.2 Definitions
Independent Protection Layer (IPL)
An IPL is a device, system, or action that is capable of preventing a scenario
from proceeding to its undesired consequence independent of the initiating event
or the action of any other layer of protection associated with the scenario.
Definition from Layer of Protection Analysis, Simplified Process Risk
Assessment, pg. 75.
IPL Credit
One order of magnitude risk reduction equals one IPL credit. Each safeguard
that qualifies as an IPL is worth a certain number of IPL credits. This number of
IPL credits is determined by examining the qualifications listed in the
SOA/SSFA Guidance Tables found in Appendix E.
Likelihood Initial (LI)
The expected frequency of reaching the stated consequence in its entirety due to
the initiating event as a starting point with all instrumentation safeguards
removed, and considering any enabling events and/or conditional probabilities.
Node
A subsection of the process under study designed to organize the PHA into
manageable segments.
Process Hazards Analysis (PHA)
A hazard evaluation of broad scope that identifies and qualitatively analyzes
the significance of hazardous situations associated with a process or activity.
Definition from Layer of Protection Analysis, Simplified Process Risk
Assessment, pg. 261.
Safety Instrumented Function (SIF)
A function that is implemented by a safety instrumented system which is
intended to achieve or maintain a safe state for the process with respect to a
specific hazardous event. Each SIF should be designed and tested to meet its
target SIL.

Safety Instrumented System (SIS)
A system consisting of one or more SIFs. Consists of sensors, logic solver(s),
and final elements.
Safety Integrity Level (SIL)
Discrete level (one out of a possible four) for specifying the probability of a SIS
satisfactorily performing the required SIF under all of the stated conditions
within a stated period of time. Definition from ICM-DU-6025.
Table 1 shows the performance requirements for the different safety integrity levels: both the
range of safety availability and the average probability of failure on demand.

Table 1: Performance Requirements for Different Safety Levels

Safety Availability   Average Probability of Failure to Respond to a Demand (PFDavg)      Risk Reduction Factor   SIL
Range
0.9 to 0.99           0.1 to 0.01 (1 in 10 to 1 in 100 chance of failing)                  10 to 100               1
0.99 to 0.999         0.01 to 0.001 (1 in 100 to 1 in 1000 chance of failing)              100 to 1000             2
0.999 to 0.9999       0.001 to 0.0001 (1 in 1000 to 1 in 10,000 chance of failing)         1000 to 10,000          3
0.9999 to 0.99999     0.0001 to 0.00001 (1 in 10,000 to 1 in 100,000 chance of failing)    10,000 to 100,000       4

Target Safety Integrity Level
The SIL required of a SIF such that when this SIF is combined with any non-SIS
IPLs, the overall risk associated with the cause-consequence scenario is
adequately reduced.
Safety Objective Analysis (SOA)
A formal process utilizing the results of a PHA to determine the safety system
instrumentation required to prevent and mitigate hazardous events in
downstream, chemical, and upstream onshore processes. The SOA process relies
on the hazardous scenario causes, consequences, and safeguards developed
during the PHA as a starting point for determining whether adequate risk
reduction has been provided for each cause-consequence scenario and
recommending additional measures to further mitigate the risk as necessary.
Safety Requirements Specification (SRS)
Specification that contains all the requirements of the safety instrumented
functions that have to be performed by the safety instrumented systems.
Definition from ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod), page 35.
Safety System Function Analysis (SSFA)
A formal process utilizing the results of a PHA to determine the safety system
instrumentation required to prevent and mitigate hazardous events on offshore
production platforms where API RP 14C has already been applied. The SSFA
process relies on the hazardous scenario causes, consequences, and safeguards
developed during the PHA as a starting point for determining whether adequate
risk reduction has been provided for each cause-consequence scenario and
recommending additional measures to further mitigate the risk as necessary.

4.0 General
1. This specification provides requirements for coordinating, conducting, and documenting a
SOA in conjunction with a PHA or a stand-alone SOA based on an existing PHA.
2. The SOA is a formal process that utilizes the results of a PHA to determine the safety system
instrumentation required to prevent and mitigate hazardous events in downstream, chemical,
and upstream onshore processes.
3. The SOA process relies on the hazardous scenario causes, consequences, and safeguards
developed during the PHA as a starting point for determining whether adequate risk
reduction has been provided for each cause-consequence scenario using Independent
Protection Layers (IPLs) and recommending additional measures to further mitigate the risk
as necessary.
4. The SOA provides a structured process to validate the IPL safeguards and determine the
performance required of Safety Instrumented Functions (SIFs).
5. The following is a summary of the SOA process steps:
a. Using the cause-consequence scenarios and safeguards identified, the SOA process
determines which safeguards qualify as IPLs.
b. Each IPL may qualify as one or more IPL credits, where one IPL credit is equal to one
order of magnitude of risk reduction.
c. If the amount of risk reduction provided by the existing IPLs is less than what is required,
then this deficiency needs to be alleviated either by adding IPLs or improving existing
safeguards to allow them to qualify for additional IPL credits.

4.1 Analysis Methods

4.1.1 Combined PHA/SOA
1. While both a PHA and an SOA can be conducted separately, the combined process saves
time, money and effort while attaining superior results. Advantages include:
a. Saving time: combining the efforts is 35 to 50 percent shorter than performing the PHA
and SOA separately.
b. Reducing resource requirements (same team only has to meet once).
c. Eliminating the need to analyze the same cause-consequence scenarios twice.
d. Eliminating the need for a different facilitator to familiarize himself with the piping and
instrumentation diagrams (P&IDs), cause and effect charts, and other project or facility
documentation.
e. Maintaining the same team for both PHA and SOA promotes consistency in results.
f. Improving PHA quality since the team develops a better understanding of how the
instrumentation works to reduce risk while avoiding common mode failures.
g. Combining, if appropriate, the PHA and SOA documentation, including
recommendations, so that they are jointly monitored.
2. The end result of this procedure is a combined PHA/SOA Report. See Section 9.0 of this
document for details.

4.1.2 Stand-Alone SOA
1. If a valid PHA has already been performed, the project team may elect to perform a
stand-alone SOA based on the existing PHA documentation.
2. It is not possible to perform an SOA without either performing a PHA in conjunction with the
SOA or making use of existing PHA documentation.
3. If the existing PHA documentation is not complete or deemed unsuitable by the
PHA/SOA facilitator, then a new PHA will need to be performed in order to properly
perform the SOA.

4.2 Project Timing
Any time a PHA is required and instrumentation safeguards are utilized, an SOA should also be
conducted either in conjunction with the PHA or following the PHA.

5.0 Roles and Responsibilities

5.1 General Responsibilities
The general responsibilities for the team in a combined PHA/SOA include all of the
responsibilities for a PHA, such as identifying deviation causes, consequences, safeguards, risk
ranking, and developing recommendations. The SOA (either as part of a combined PHA/SOA or
as a stand-alone SOA) introduces additional responsibilities for the team. These responsibilities
include:
1. Determining Likelihood Initial (LI).
2. Determining the number of IPL credits required.
3. Determining the number of IPL credits available.
4. Making recommendations to close the gap between the number of IPL credits required and
available where applicable.

5.2 SOA Specific Responsibilities by Role

Table 2: Roles and Responsibilities

Role: I&C Engineer(s)
Time Commitment Required: Full-time involvement required
Responsibilities:
a. Explain existing facility control and safety instrumented system (SIS) philosophy and design.
b. Describe existing instrumented safeguards for each cause-consequence scenario.
c. Provide failure modes of instrumentation in cases where this could be an initiating cause of a
hazardous consequence.
d. Provide and implement recommendations for instrumented safeguard additions/changes.

Role: SOA Facilitator
Time Commitment Required: Full-time involvement required
Responsibilities:
a. Work with the PHA Facilitator to provide brief training to the PHA/SOA Team with regards to the
overall PHA/SOA process and methodology.
b. Ensure that only safeguards meeting criteria in Appendix A are credited as IPLs and guide the
PHA/SOA team in determining the number of IPL credits assigned per the SOA/safety system
function analysis (SSFA) Guidance Tables (Appendix E).
c. Assist the PHA/SOA team in ranking the LI, which is the expected frequency of reaching the
stated consequence in its entirety due to the initiating event as a starting point with all
instrumentation safeguards removed, and considering any enabling events and/or conditional
probabilities.
d. Assist the team in determining the number of required IPL credits and the number of existing
IPL credits.
e. Assist the team in creating SOA recommendations to close gaps between required IPL credits and
existing IPL credits available.
f. Provide input to the PHA Facilitator to assist in publishing the PHA/SOA Report.
The roles and responsibilities of the SOA facilitator may be performed by the PHA facilitator.
See Note 2 below for details.

Notes
1. If the consequence severity and LI for the cause-consequence scenario result in an NS ranking, then further study
is required to confirm the risk of the cause-consequence scenario. This could include consequence modeling or a
more quantitative analysis of likelihood using a method such as Layer of Protection Analysis. This task should be led
by a facilitator who has been approved by the appropriate subject matter experts and developed as a combined
responsibility between the process engineer and the HES representative. Others who may be required include a
safety specialist, operations advisor and process engineer for the plant, design engineer, and/or external contractors
for quantitative analysis.
2. The combined PHA/SOA can be performed by a qualified PHA facilitator and a qualified SOA facilitator or
performed by a single facilitator qualified in both PHA and SOA processes. If one person facilitates both the PHA and
SOA portions, this facilitator must be trained in both the PHA and SOA processes and be accepted by Owner.

6.0 Combined PHA/SOA
1. In a combined PHA and SOA, the steps of the PHA and the SOA are intertwined to create a
more efficient overall process.
2. This section describes the various steps of the combined PHA/SOA and how to perform them
for a given facility. The process flow diagram for the combined PHA/SOA can be found in
Appendix F of this document.
Methodology
The following steps should be completed for a combined PHA/SOA:
Step 1: Preparation

The preparation required for a combined PHA/SOA is the same as that required for a stand-alone
PHA and the same steps should be followed.
Step 2: Introductions and PHA/SOA Overview

The introduction and overview for a combined PHA/SOA or stand-alone SOA should be very
similar to that of a PHA. The key additions to the introduction are the review of IPL and safety
integrity level (SIL) concepts and the review of the SOA process steps.
Step 3: Process Review

The process review for a combined PHA/SOA should be the same as that performed for a PHA.
This step will familiarize the PHA/SOA participants with the process under review.
Step 4: Identify Causes, Consequences, and Safeguards

Step 5: Perform PHA Risk Rank

This PHA step determines the risk for the cause-consequence scenario based on the severity of
the worst-case consequence and the likelihood of reaching the stated consequence with all
safeguards in place.
Step 6: Postulate PHA Recommendations Based on Risk Ranking

Depending on the risk ranking performed in step 5 above, the team may need to make
recommendations aimed at reducing the level of risk associated with the cause-consequence
scenario.
Step 7: Determine Total Number of IPL Credits Required

1. Copy PHA severity ranking previously determined for the cause-consequence scenario (see
Step 5).
2. Determine LI.
The Likelihood Initial is the expected frequency of reaching the stated consequence in its
entirety due to the initiating event as a starting point with all instrumentation safeguards
removed, and considering any enabling events and/or conditional probabilities.

Sometimes, without instrumented safeguards, the identified consequence is very likely to
occur as soon as the initiating cause occurs, in which case the Likelihood Initial will be the
same as the Initiating Cause Likelihood. However, there are often occasions when the stated
consequence only occurs when the initiating cause occurs at the same time as some other
operational mode, event or condition. If this is the case, then those conditions should be listed
in the Safeguards column on the PHA/SOA worksheet.
a. Refer to Table 1 of the SOA/SSFA Guidance Tables attached in Appendix E for a list of
typical initiating cause likelihoods.
b. The initiating cause likelihood should be used as a starting point. However, this initiating
cause likelihood is not necessarily the LI. An enabling event, conditional probability, or
other non-instrumented safeguards can reduce the LI from the initiating cause likelihood
to recognize the qualitative aspects of the analysis.
c. Examples of enabling events include:
1) Phase of operation: condition where the cause-consequence scenario only occurs
during certain phases of operation (e.g., flame failure during light-off of a burner
management system [BMS], etc.);
2) Ambient temperature conditions: where the cause-consequence scenario occurs only
under certain temperatures (e.g., compressor blowdown during very cold ambient
conditions can lead to metal embrittlement).
d. Examples of conditional probabilities include:
1) The probability of the event locality being occupied to the extent that the
individual(s) would be exposed to the extent listed in the consequence statement;
2) The probability that there is an ignition source in the area of a release of combustible
liquid.
e. Enabling events, conditional probabilities, and non-instrumented safeguards need to be
carefully identified, described and documented in the PHA/SOA worksheet in the
safeguards column so that it is clear why LI is qualitatively less likely than the initiating
event likelihood for the cause-consequence scenario.
f. Examples include:
1) A hydrocarbon fluid below its flash point is pumped from a column. A control loop
failure causes the control valve downstream of the pump to shut. Higher discharge
pressure may result in pump deadhead operation, possibly leading to pump and/or
pump seal damage. Pump seal failure may result in a release of process hydrocarbons
to atmosphere with potential fire and/or explosion with personnel exposure
including the possibility of one fatality.
Per the Owner SOA/SSFA Guidance Tables in Appendix E, a control loop failure is
likely. However, the team decided that the probability of the process fluid igniting is
very low due to the fact that the fluid is below its flash point. Based on the likely
initiating cause and the low probability of ignition the team decided that the LI is
occasional.

2) On another column, hydrocarbon fluid is pumped from the column, but in this case the
fluid is well above its flash point. As in the previous cause-consequence scenario, a
control loop failure causes the control valve downstream of the pump to shut,
resulting in higher discharge pressure which may result in pump deadhead operation,
possibly leading to pump and/or pump seal damage. Pump seal failure may result in
a release of process hydrocarbons to atmosphere with potential fire and/or explosion
with personnel exposure including the possibility of one fatality.
The team decided that the probability of ignition is high because the hydrocarbon
fluid is above its flash point. For this reason, probability of ignition could not be used
to reduce LI from the initiating cause likelihood. As a result, the team determined
that the LI for this scenario would be the same as the initiating cause likelihood. In
this case as in the previous cause-consequence scenario the initiating cause is a
control loop failure so the LI is set to likely.
3. Determine the number of IPL credits required to adequately reduce the risk of the
cause-consequence scenario based on the severity ranking and the LI.
a. Each IPL credit reduces the risk associated with the cause-consequence scenario by an
order of magnitude.
1) One order of magnitude of risk reduction means that the likelihood of the
consequence occurring is ten times less likely than it would be if the safeguard were
removed.
2) A safeguard reliable enough to qualify for two IPL credits makes the consequence at
least 100 times less likely to occur.
b. Refer to Appendix A for a discussion of IPLs. In addition, Tables 2-6 of the SOA/SSFA
Guidance Tables (Appendix E) list typical IPLs, the criteria for each, and the amount of
IPL credit that can be taken for each.
Note: The number of IPL credits required is determined by locating the intersection of
the column corresponding to the severity ranking and the row corresponding to
the LI for the cause-consequence scenario on the risk prioritization matrix of
Appendix D.
Step 8: Identify all IPLs

Determine which safeguards listed in Step 4 qualify as IPLs. Appendix A describes IPLs in
detail. In addition, refer to Appendix E for the SOA/SSFA Guidance Tables, Tables 2-6, for a list
of potential IPLs and the number of IPL credits that can be taken for each.
1. The identified safeguards must possess the following four characteristics in order to qualify
as IPLs:
a. Specificity
b. Independence
c. Dependability
d. Auditability

2. The categories of potential IPLs listed in the SOA/SSFA Guidance Tables include:
a. Process Control System (PCS) control loop
b. Alarms with operator response
c. Routine operator surveillance
d. Pressure relief valve
e. Vessel rupture disk
f. Fire detection with water deluge system
g. Gas monitors with automated deluge
h. Check valve
i. Flame arrestor
j. Vacuum breaker
k. Restrictive orifice
l. SIF
m. Mechanical over-speed trip


3. If a SIF has already been designed and documented on the P&IDs, it should be documented
as an SIS IPL.
a. If the SIF is part of an existing facility and its SIL is documented in the Safety
Requirements Specification (SRS), then the SIL should be recorded in the PHA/SOA
worksheet as the number of IPL credits for the SIF.
b. If the SIF is new or its SIL is undocumented, then no IPL credit should be given to the
SIF during the PHA/SOA.
Step 9: Determine IPL Credit Gap

The team should determine if additional IPL credits are required.

1. If the total number of IPL credits required for the cause-consequence scenario is greater than
the number of IPL credits available per Tables 2 through 6 in Appendix E, then a SOA
recommendation is needed to address this deficiency. Figure 1 below illustrates the different
methods of reducing the risk associated with a cause-consequence scenario that requires a
total of 4 IPL credits.
a. Method A uses a single non-SIS IPL and a SIF designed to meet SIL 3.
b. Method B uses two non-SIS IPLs and a SIF designed to meet SIL 2.
c. Method C uses three non-SIS IPLs and a SIF designed to meet SIL 1.
d. Method D uses four separate non-SIS IPLs and no SIF.

Figure 1: Risk Reduction Using Non-SIS IPLs and SIFs

2. Examples:
a. If an undesirable Safety/Health consequence has been given a severity of 2 (Severe) and
a LI of 2 (Occasional) then, per the matrix, 3 IPL credits would be required.
1) Assume a total of two different non-SIS IPLs (each worth 1 IPL credit) were
identified. One more IPL credit would be needed to satisfy the risk reduction
requirement of this cause-consequence scenario. The team might recommend
designing and implementing a SIL 1 SIF to prevent the undesirable consequence
(due to the specific initiating cause) from occurring. The team might also
recommend adding another non-SIS IPL or improving one of the existing non-SIS
IPLs to qualify for more IPL credits.
2) If only one non-SIS IPL (worth 1 IPL credit) was identified, two more IPL credits
would be needed to satisfy the risk reduction requirement of this cause-consequence
scenario. The team might recommend designing and implementing a SIL 2 SIF to
prevent the undesirable consequence (due to the specific initiating cause) from
occurring. The team might also recommend adding another non-SIS IPL or
improving one of the existing non-SIS IPLs to qualify for more IPL credits.
3) If no IPLs were identified, then the team would need to make one or more SOA
recommendations to provide three IPL credits for this cause-consequence scenario.
This can be achieved using a SIL 3 SIF but it is strongly recommended that non-SIS
IPLs be designed or the process be redesigned to avoid using a SIL 3 SIF since it is
very difficult to maintain a SIL 3 SIF.

b. If a cause-consequence scenario has been given a Safety/Health severity of 3 (Major) and
a LI of 2 (Occasional), then per the matrix, two IPL credits are required for this
cause-consequence scenario. If two IPL credits were identified for the
cause-consequence scenario, then no further risk reduction is required.
3. If 4 IPL credits are required, this is a very high risk cause-consequence scenario that can be
mitigated using 4 IPL credits. However, a SIL 4 SIF shall not be used to mitigate the risk.
4. If the severity is 1 (Catastrophic) and the LI is 1 (Likely), then the corresponding result on the
risk prioritization matrix of Appendix D is NS (Not Sufficient). This means this is an
extremely high risk cause-consequence scenario. Risk reduction measures to be implemented
require further analysis beyond the SOA and consultation with appropriate technical
personnel to properly address the cause-consequence scenario. This analysis may include:
a. Designing a more inherently safe process;
b. Conducting a Layer of Protection Analysis (LOPA) and/or quantitative study to
determine what other measures can be implemented for this high risk cause-consequence
scenario.
5. If a SIF already exists on the P&IDs but the SOA indicates that the non-SIS IPLs are
adequate to reduce the risk, then the SIF has no target SIL.
If the existing SIF is not needed to provide the required risk reduction for this or any other
cause-consequence scenario, then the SIF can be removed since the risk has been reduced by
non-SIS IPLs as shown in Figure 1, Method D. Note that all due diligence must be followed
before removing any existing SIF. The SIF and associated cause-consequence scenario must be
thoroughly re-evaluated to ensure that the cause-consequence scenario will not exceed the level
of acceptable risk because of this change. Before removing the SIF, the project must also ensure
that it is not necessary for another unique cause-consequence scenario.
Step 10

Create SOA Recommendations

SOA recommendations are generated as part of the SOA IPL analysis portion of the PHA/SOA.
1. If, during the analysis, the number of IPL credits required is greater than the number of
existing IPL credits available, then the team needs to make one or more SOA
recommendations to provide the additional required IPL credits for this cause-consequence
scenario. The targeted number of IPL credits for each recommendation should be recorded in
the PHA/SOA worksheet.
2. If the SIF has already been designed and documented as one of the IPL safeguards in Step 5,
then no further action is required other than proper SIS engineering to ensure that the SIF
design and proof test frequency will meet the documented SIL and plant process reliability
requirements.
3. SOA recommendations often include the following types of action items:
a. Modification of an existing SIF to meet requirements. These modifications can include
changes to hardware, software or the proof test intervals for any given function.
b. Implementation of a new SIF to a specific SIL to bridge the risk gap identified during the
analysis.
1) It is important to clearly describe the new SIF (i.e., the process variable to be
measured by the SIF sensors, the manipulated variable [valve, pump or compressor]
that would need to be activated to bring the process to a safe state).

2) If it is not possible to describe the new SIF during the PHA/SOA, then the
recommendation should clearly describe the follow-up action needed.
3) Obtaining a clear description of the requirements of a SIF will often require the help
of experienced process engineers or process control engineers. Actual conceptual
design of the SIF should not be done during the PHA/SOA.
4) SIF conceptual design is an activity that should take place during the SRS
development phase of the safety life cycle.
c. Addition of new or improvement of existing non-SIS IPLs to eliminate the IPL credit
gap.
d. Further study to investigate options identified during the SOA with respect to the
implementation of IPLs will be required when recommended by the team.
1) This may include modifications to the base process design and/or the
implementation of additional non-SIS IPLs (e.g., additional alarms with appropriate
operator response) for the purpose of either removing the need for a SIF or reducing
the target SIL of the SIF.
Note: This type of recommendation is often made during PHA/SOAs that are
conducted for new facilities where the process is being used to determine the
gaps between actual risk and acceptable risk for a proposed design. The
SOA portion of the PHA/SOA then becomes a design tool to investigate
options of bridging the gaps using IPLs.
2) SIFs associated only with an asset consequence may be removed at the project
manager's discretion upon upper management's and Legal's concurrence and only if
the following conditions are met:
i. Asset damage is the only type of consequence of interest that generates a target
SIL (No safety, health or environment related consequences require a SIF);
ii. Cost of implementing function for asset protection is greater than the potential
asset loss associated with the cause-consequence scenario;
iii. This SIF is not used to mitigate the risk of any other cause-consequence
scenario.
4. SOA recommendations carry the same weight as the PHA recommendations if they are
required to adequately reduce the risk of the cause-consequence scenario.
Step 11

Repeat PHA/SOA Steps 4-10.

The above steps should be repeated for all hazards until there are no more hazards to be
evaluated. Refer to the PHA/SOA Flowchart in Appendix F.

7.0

Stand-Alone SOA Process

This section describes the various steps of a stand-alone SOA and how to perform them for a
given process facility. The process is illustrated in Appendix C of this document.
1. If a PHA has already been performed the SOA will use the cause-consequence scenario
causes, consequences, and safeguards developed therein as a starting point for determining
whether each cause-consequence scenario has enough IPL credits to adequately reduce the
cause-consequence scenario risk.
2. An SOA is based upon the results from the PHA and a stand-alone SOA should only be
conducted either in conjunction with the PHA or based on the results of a valid existing PHA.
If a PHA has not already been performed or the results are no longer valid for any reason,
then a combined PHA/SOA should be performed.
Methodology
The following steps should be completed for a stand-alone SOA:
Step 1

Preparation

If a stand-alone SOA is being performed based on an existing PHA, some of the preparation will
have already been done in preparation for the original PHA. However, since the SOA is being
conducted after the conclusion of the PHA, the SOA coordinator and SOA facilitator will need to
repeat some of the PHA preparation steps such as scheduling and logistics, team selection, and
compilation of PSI. If possible, the original PHA team should be reassembled for the SOA. An
SOA facilitator will take the place of the PHA facilitator for the stand-alone SOA. However, the
stand-alone SOA must not alter any of the PHA results during the SOA. If any of the PHA results
are determined to be invalid, a combined PHA/SOA should be conducted as specified in
Section 6.0 of this document.
Step 2

Introductions and SOA Overview

(Same requirements as Section 6.0, Step 2.)


Step 3

Process Review

(Same requirements as Section 6.0, Step 3.)


Step 4

Documentation of cause-consequence scenario and severity ranking.

The cause, consequence, safeguards, and severity ranking for each cause-consequence scenario
are copied over from the PHA worksheets.
Step 5

Determine Total number of IPL credits required

(Same requirements as Section 6.0, Step 7.)


Step 6

Identify all IPLs

(Same requirements as Section 6.0, Step 8.)

Step 7

Determine IPL credit gap

(Same requirements as Section 6.0, Step 9.)


Step 8

Create SOA Recommendations

(Same requirements as Section 6.0, Step 10.)


Step 9

Repeat Stand-alone SOA Steps 4-8

Steps 4–8 above are repeated for all hazards until there are no more hazards to be evaluated.
Refer to the PHA/SOA Flowchart in Appendix F for an illustration of this process.

8.0

PHA/SOA Tool
The preferred tool for conducting SOAs (either in conjunction with a PHA or as a stand-alone
SOA based on an existing PHA) is PHA Pro7 from Dyadem International Ltd. For the latest
version of the combined PHA/SOA template for PHA Pro7, please contact the Owner.

9.0

Deliverables of a Combined PHA/SOA


1. The proceedings of all Owner PHA/SOAs will be documented with a written PHA/SOA
Report.
2. Publication of the PHA/SOA Report is the ultimate responsibility of the PHA Facilitator. The
PHA Facilitator must consult with the SOA Facilitator.
3. For specific examples of PHA/SOA reports, please contact the Owner.
4. A typical report should contain all of the components required for the PHA.
5. The following SOA components are also required for a combined PHA/SOA report:
a. SOA methodologies
b. Risk Prioritization Matrix in Appendix D
c. PHA/SOA Worksheets
d. SOA Summary Tables
1) SIF Table with description of SIFs and target SILs
2) Non-SIS IPLs Table
3) Critical Alarm List

10.0

Deliverables of a Stand-Alone SOA


1. The proceedings of all Owner SOAs should be documented with a written SOA Report.
2. Publication of the SOA Report is the ultimate responsibility of the SOA Facilitator.
3. For specific examples of SOA reports, please contact the Owner.

4. A typical report should include the following sections:
a. A copy of the PHA report
b. SOA methodologies
c. Risk Prioritization Matrix in Appendix D
d. Recommendations list
e. Attendance table
f. SOA worksheets
g. SOA summary tables:
1) SIF table with description of SIFs and target SILs
2) Non-SIS IPLs table
3) Critical alarm list

Appendix A

Independent Protection Layers

The concept of IPLs and how these are applied to prevent or mitigate a potential incident in a
process is crucial for a good understanding of the SOA process. The concept of IPLs helps
produce a consistent basis for selecting the target SIL for each safety instrumented function. The
more non-SIS IPLs identified, the lower the target SIL. If enough non-SIS IPLs are identified
then a SIS SIF designed to a specific SIL is not required.
Per guidance from the Center for Chemical Process Safety, each IPL should exhibit the
following:
1. Specificity (designed specifically to prevent or mitigate the consequences of one event)
2. Independence (independent of other protection layers for the hazard)
3. Dependability (will do what it is designed to do)
4. Auditability (designed to accommodate required testing and maintenance for regular
validation)
Note: Refer to Guidelines for Safe Automation of Chemical Processes for more
information.
When determining IPL credit, the team should focus only on the current cause-consequence
scenario to ensure that the safeguard prevents the specific consequence associated with this
cause-consequence scenario.
The dependability characteristic can be quantified by the amount of risk reduction the safeguard
provides. To qualify as an IPL the safeguard must reduce the risk of the cause-consequence
scenario by at least one order of magnitude. Each order of magnitude of risk reduction provided
by an IPL is worth one IPL credit in the SOA/SSFA Guidance Tables. For example, per
Table 3 of the SOA/SSFA Guidance Tables in Appendix E, a single relief valve in clean service
can qualify for up to two IPL credits. This means that the relief valve provides two orders of
magnitude of risk reduction. Stated another way, the relief valve makes reaching the undesirable
consequence at least 100 times less likely.
When considering whether a protection layer is independent, the degree of diversity must be
considered. Diversity is the use of different people, design methods, software languages,
functionality, measurement signals, or equipment to perform a common function with the intent
of minimizing common mode failures. For safety instrumented systems, diversity is primarily
used for the logic solver, which is generally diverse and functionally independent of the PCS.
Additionally, diversity should be considered for SIS sensors and final elements where there is a
potential for common mode failures in these elements. For example, loss of flame in a BMS is
typically detected by a fire-eye. However, alternative diverse ways of measuring loss of flame are
low fuel gas pressure via a pressure transmitter or low fuel gas/air flow via a differential pressure
transmitter across an orifice plate. So for measuring loss of flame, using both fire-eyes and low
fuel gas pressure measurement would provide diverse measurements that could improve the
performance of the SIF.

To determine whether or not a safeguard qualifies as an IPL, consider the "3 D's" and the "Big I"
as follows:
1. An IPL must have the following 3 D's:
a. Detect: Sense a condition or problem,
b. Decide: Whether an action or intervention is necessary or not,
c. Deflect: If action is required, the action must be capable of preventing the consequence
in a timely manner.
2. And, an IPL must have the Big I:
a. Independent of initiating cause
b. Independent of other IPLs
Figure A-1 illustrates the general concept of IPLs in a processing facility. Some of these IPLs
may not be applicable depending on the type of facility and/or process.
Process Design
The Process Design consists of the process physical limits themselves. This includes the process
equipment (vessels, tanks, valves, pumps and pipes). Process equipment should have been
designed to handle design process fluid conditions as well as conditions that exceed these limits
by a safety factor (e.g. the maximum working pressure of a vessel). However, undesirable
variations in these process conditions can occur at any time due to a variety of reasons.
Figure A-1: Layers of Protection

Among numerous others, some typical undesirable conditions could include any one or a
combination of the following: overpressure, under pressure (vacuum), liquid overflow, gas
blow-by, leak, excess temperature, direct ignition source, excess combustible vapors, excess
toxic gases, runaway exothermic reactions (rapid temperature increase), compressor surge, high
rotor axial displacement in a turbine/compressor, high radial vibration in a turbine or compressor,
turbine/compressor over-speed, high turbine/compressor bearing temperatures.
These undesirable conditions can occur due to a variety of initiating causes such as equipment
failure (e.g., valve failure), process excursion due to a change in the process gases, liquids or
solids or external influences such as harsh weather (i.e., either hot or cold). Human error can also
cause a process undesirable condition. Additionally, process control loops can fail and be the
initiating cause that could lead to undesirable conditions. Any of these undesirable conditions can
ultimately lead to undesirable consequences such as release of flammable or toxic liquids or
gases, loss of containment, personnel injury/fatality, asset/equipment damage and/or
environmental damage.
Basic Controls, Alarms, and Operator Supervision
The first independent protection layer above the process design consists of the basic controls that
are being used to control the process and if required the associated operator supervision and
intervention. The basic controls can be stand-alone single-loop controllers, a PCS, or a
supervisory control and data acquisition (SCADA) system. These could be either analog or
pneumatic control systems. Included in this layer of protection are the process alarms that are
typically generated by the control system to alert the operator that there has been an excursion
(undesirable condition) in the process. The operator in response to this alarm either makes a
correction to the process or takes action to bring the process back under control.
The process design and PCS with alarms and operator supervision are considered the process
baseline and are required for a process facility to function safely as designed to produce the
desired products. Unfortunately, components of this baseline can fail and cause undesirable
conditions.
A PCS control loop can be considered an IPL provided:
1. It can be genuinely proven to prevent the undesirable consequences,
2. None of its sensors, PCS input/output modules, or final elements is a part of the initiating
cause,
3. The normal action of the PCS control loop is able to prevent the undesirable consequence and
the control loop must be kept in automatic for all modes of operation where the potential for
the undesirable consequence exists.
Additionally, it is highly desirable that the control loop not be a dormant control loop. A dormant
control loop is typically an on/off controller where the function is only called upon to activate
when the process variable exceeds a given controller set point which is outside the normal
process variable operating range. This type of function is more typical of a SIF and is probably
best if implemented within a SIS to ensure periodic testing of the SIF to meet its SIL performance
requirement. However, there may be circumstances where it is not practical or in the best interest
of the process control scheme for the dormant control loop to be implemented in the SIS as a SIF.
In these cases, it is important for the PHA/SOA team to clearly document reasons for keeping the

dormant loop in the PCS. Additionally, provisions should be made to periodically test the
dormant control loop to meet a PFDavg of 0.1 to 0.01. Further guidance on PCS control loops as
IPLs can be found in Appendix E, Table 2.
Critical Alarms and Manual Intervention
The second independent protection layer consists of critical process alarms with appropriate
operator intervention. For new systems, critical process alarms should be generated by the SIS
logic solver or through an independent dedicated alarm system and a sensor independent of the
initiating cause and all other IPLs. In cause-consequence scenarios also using a SIF as part of the
risk mitigation, the sensor generating the IPL alarm should be separate from the sensor used for
the SIF. If the SIF for the cause-consequence scenario is SIL 3, then a critical alarm should not be
used in conjunction with the SIF to mitigate the hazard risk. For existing systems, critical alarms
may be routed through the PCS but it is highly desirable that the IPL alarm be displayed on a
dedicated PCS IPL alarm window. A control room operator must have at least 10-15 minutes to
respond to the process alarm with appropriate intervention to prevent the undesirable
consequence. A field operator must have at least 30 minutes to respond appropriately to the alarm
to prevent the undesirable consequence. Furthermore, control room or field operators must be
trained via periodic drills to respond appropriately to the critical process alarms. Further guidance
on using alarms with operator response as IPLs can be found in Appendix E, Table 2.
Safety Instrumented System
The third independent protection layer is the automatic SIS. This independent protection layer
consists of a SIS SIF that is dedicated to preventing a specific undesirable consequence by means
of functionally independent automated instrumentation. A SIF consists of sensors designed to
measure critical process conditions; a logic solver designed and configured to interpret the sensor
signals (i.e. whenever the signals indicate that the process has reached an undesirable condition)
and take appropriate action to bring the process back to a safe state. This action typically involves
automatically closing dedicated shutdown valves, shutting down motors and/or equipment. A
typical SIS has many SIFs which are individually designed to prevent various undesirable
consequences to certain target SILs (i.e. SIL 1, 2, or 3). A SIF designed to meet a target SIL of 1
provides a single IPL credit. A SIF designed to meet a target SIL of 2 or 3 provides 2 or 3 IPL
credits respectively. Although the internationally recognized standards recognize SIL 4, it is
Owner's standard practice to only implement SIL 1, 2, or 3 SIFs as described in the Owner's
Integrated Risk Prioritization Matrix for SOA/SSFA IPL Analysis found in Appendix D. If a SIL
4 SIF is required for any cause-consequence scenario, the team should consider implementation
of additional non-SIS IPLs, or changes in the process/operations that allow for a lower target SIL.
If this is not possible, the SOA facilitator should contact Owner for further guidance. Further
guidance on using Safety Instrumented Functions as IPLs can be found in Appendix E, Table 5.
Pressure Relief Devices
The fourth independent protection layer typically consists of stand-alone pressure relief devices
(PRDs) such as pressure relief valves and rupture disks. PRDs are generally considered very
good IPLs for use in cause-consequence scenarios associated with overpressure of pipes, vessels
and equipment. It is important to note that IPL credit for PRDs can vary depending on the type of
service. PRDs in clean service can be given more IPL credit than PRDs in dirty service.

Additionally, two or more PRDs sized to handle the full contents of a pressure release can be
given more IPL credits than single PRDs. IPL credit for PRDs should only be taken if they
provide specific protection for the undesirable consequence being analyzed, e.g., PRDs that are
installed on a vessel for a fire case cannot be given IPL credit for an overpressure
cause-consequence scenario where the full contents of the vessel need to be relieved to a safe
location. Further guidance on using PRDs as IPLs can be found in Appendix E, Table 3.
Independent Protection Layers 1-4 are all considered preventive and are designed to reduce the
likelihood of undesirable consequences using instrumentation.
Fire and Gas Deluge Systems
The fifth independent protection layer is considered a mitigating IPL because it is designed to
reduce the potential severity of a consequence after the process has experienced an undesirable
event with an intermediate consequence. Examples of undesirable intermediate events are pipe or
vessel leak, fire or release of hydrocarbon or toxic gas. The mitigating IPL is designed to reduce
the effects of the undesirable intermediate events so as to prevent the full-blown undesirable
consequence such as complete loss of containment, explosion, boiling liquid expanding vapor
explosion (BLEVE), major equipment destruction, personnel injury/fatality or major
environmental damage. A typical example of this layer is a fire and gas system with an associated
deluge system. Mitigating IPLs are rarely used during a PHA/SOA because they are so difficult
to apply qualitatively. They are more often used in quantitative analyses or semi-quantitative
analyses such as Event Tree and/or full-blown LOPA which make use of both preventive
safeguards (to reduce the likelihood of the full-blown consequence) and mitigative safeguards (to
reduce the severity of the full-blown consequence). Further guidance on using Fire and Gas
Deluge Systems as IPLs can be found in Appendix E, Table 6.
Facility Emergency Response
The sixth protection layer is the facility emergency response plan designed to handle any
undesirable consequences once they have occurred. This again is a consequence mitigating layer
and is designed to respond to the emergency situation that the undesirable consequence has
created. This protection layer is not normally given any IPL credit because it is mitigative and
does not prevent the stated consequence in the cause-consequence scenario.
Community Emergency Response
The seventh and final protection layer is the community emergency response plan which is
carried out by the community fire department or community emergency response department (if
available) to help deal with the emergency situation that the undesirable consequence has created.
This protection layer is not normally given any IPL credit because it is mitigative and does not
prevent the stated consequence in the cause-consequence scenario.
Other IPLs
The following is a list of other IPLs that can be used during SOA and can be given IPL credit.
1. Check valve
2. Flame arrestor

3. Vacuum breaker
4. Restrictive orifice
5. Mechanical over-speed trip
Guidance on using these other IPLs is found in Appendix E, Table 4.
It is important to note that in all of the above IPLs, no failure in one IPL is expected to fail the
other IPLs. This independence is important in guarding against common mode failure. Diversity
is an important characteristic of independence.
It is important to note that all IPLs are considered safeguards. However, not all safeguards can be
considered IPLs. IPLs are typically selected from the list of safeguards that have been identified
during the PHA study.
1. Typical examples of non-IPL safeguards include:
a. Training and certification
b. Normal operating procedures
c. Normal testing and inspection
d. Maintenance
e. Signs
f. Flame-proofing
g. Requirement that information is available and understood
2. Examples of active IPLs are:
a. PCS or other control system.
b. Critical alarm with appropriate operator intervention.
c. Pressure relief valve, rupture disk.
d. External risk reduction facilities (ERRF): Some hazards are mitigated by external actions
that will completely eliminate the consequence, but are initiated by active mechanical
means. ERRF may include items such as water spray curtains that prevent dispersion of
toxic liquids.

Appendix B

Combined PHA/SOA Example

The following compressor knock-out drum example will be used to help describe and illustrate
Steps 4–11 of the combined PHA/SOA process.
WARNING: This example is intended for illustration purposes only. In no way is this
example meant to represent an actual analysis for this type of process.
See Figure G-1: Compressor & Knock-Out Drum.
In this example, hot hydrocarbon gas and liquid (oil and water) from the main process enters
knock-out drum V-101 prior to being sent to 1st stage compressor K-102. The purpose of the
knock-out drum is to eliminate liquids from the process or liquid/gas stream that could severely
damage the compressor.
The PHA/SOA team in this example used the guide word hazards and operability study
(HAZOP) method of analyzing process hazards. Figure G-1 represents the first node analyzed by
the HAZOP/SOA team. A sampling of the high pressure, high level, and low level deviations
were analyzed for this node.
Steps 4–11 of the combined PHA/SOA Process are described for each of these three deviations.

B.1

Node 1, High Pressure Deviation

Step 4

Identify Causes, Consequences, and Safeguards

Identify Causes. While looking for causes of high pressure, the team determined that if the block
valve between the knock-out drum and the compressor was closed by mistake (human error),
then high pressure could result in V-101.
Develop Consequences. The consequence of high gas input to V-101 would be high pressure in
the drum, with potential overpressure, loss of containment, and personnel exposure.
Identify and Validate Safeguards. The safeguards against this cause-consequence scenario
include relief valve PSV-101 and high pressure alarm PAHH-102 with a corresponding trip of
liquid/gas inlet valve UV-109 by SIS interlock I-103. The team also identified operator training
as a safeguard.
Step 5

Perform PHA Risk Rank

The team determined that the safety severity of the consequence would be major. The likelihood
of the consequence with all safeguards in place was determined to be unlikely. This equates to an
overall PHA risk rank of 6.
Step 6

Postulate PHA Recommendations Based on Risk Ranking

Based on the PHA risk rank of 6, the team decided that the risk would be considered tolerable if
the validity of the safeguards is confirmed during the SOA portion of the PHA/SOA. For this
reason, no specific PHA recommendations were made for this cause-consequence scenario.

Step 7

Determine Total Number of IPL Credits Required

The PHA risk rank severity of major was copied over for the SOA. The LI was determined to be
equal to the likelihood of the initiating cause. The initiating cause likelihood of an
operator erroneously closing the knock-out drum gas outlet block valve was determined to be
likely because the operator will have to independently close this block valve for maintenance on
the compressor more than once per year. The operator has training on the operation, but the
operation is not independently verified. This severity of major and LI of likely results in a total of
3 IPL credits required. Figure G-2 shows that the total of 3 required IPL credits is found at the
intersection of the severity and LI on the matrix.
Step 8

Identify all IPLs

Using the SOA/SSFA Guidance Tables, the team determined that relief valve PSV-101 qualifies
as 2 IPL credits. The team determined that the operator training safeguard would not qualify as an
IPL. SIS interlock I-103 is shown on the P&IDs, but no IPL credit is taken for this SIF because
this is a new facility and the SIL of the SIF has not been verified and documented. Step 9 below
will determine whether a gap exists between the number of IPL credits available and the number
of IPL credits required.
Step 9

Determine IPL Credit Gap

If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 2 IPL credits in Step 8 (for PSV-101), then the IPL credit gap
is 1. This means that one more order of magnitude risk reduction is required to adequately reduce
the risk of the cause-consequence scenario. Figure G-2 shows how the total number of required
IPL credits and IPL credit gap values are related.
See Figure G-2: Example of Determining Total Number of IPL Credits Required and IPL
Credit Gap.
Step 10

Create SOA Recommendations

The team made the recommendation to consider adding independent verification of the manual
operation of the block valve. This could reduce the initiating cause likelihood from likely to
occasional. This would make the number of IPL credits available equal to the number of IPL
credits required, so the IPL credit gap would be eliminated. Because the IPL credit requirement
has been met outside of the SIS, the SIF would no longer be required for this cause-consequence
scenario. However, the project manager would have to obtain the concurrence of her/his upper
management and ensure that the SIF is not necessary to reduce the risk for any other
cause-consequence scenarios before removing it.

Step 11. Repeat PHA/SOA Steps 4 through 10

Steps 4 through 10 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.
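The credit arithmetic of Steps 7 through 10, carried through for all three Appendix B scenarios, as an added example (this script is not part of ICM-PU-5171-A or any Chevron tool). It assumes only the two matrix cells the text states, major/likely = 3 credits and major/occasional = 2 credits; any other cell must be read from the Appendix D matrix and passed in. The per-safeguard credits are the values the team recorded in Step 8; a SIF contributes its SIL as credits only once `sil_verified` is set, and the SIL of I-103 (which the text never fixes) is assumed to be 1 for illustration.

```python
"""IPL credit gap for the Appendix B knock-out drum scenarios (added example)."""
from dataclasses import dataclass, replace

# Severity/LI cells stated in the worked examples. Anything else must come
# from the Appendix D matrix; nothing is guessed here.
CREDITS_REQUIRED = {
    ("major", "likely"): 3,
    ("major", "occasional"): 2,
}


@dataclass(frozen=True)
class Safeguard:
    tag: str
    credits: int                 # credits per the SOA/SSFA Guidance Tables; for a SIF, its SIL
    is_sif: bool = False         # SIS interlock shown on the P&IDs
    sil_verified: bool = False   # SIL verified and documented; a SIF earns nothing until then


@dataclass(frozen=True)
class Scenario:
    name: str
    severity: str                # PHA severity copied into the SOA
    initiating_likelihood: str   # LI, set equal to the initiating cause likelihood
    safeguards: tuple


def credits_required(severity, li, matrix=CREDITS_REQUIRED):
    """Step 7: required credits at the severity/LI intersection of the matrix."""
    try:
        return matrix[(severity, li)]
    except KeyError:
        raise ValueError(f"no matrix cell for ({severity}, {li}); read it from Appendix D")


def credits_available(safeguards):
    """Step 8: sum the credits of the safeguards that qualify as IPLs."""
    return sum(s.credits for s in safeguards if not s.is_sif or s.sil_verified)


def evaluate(scn):
    """Steps 7 to 10: required, available, gap, and the SIL a SIF would need to
    close the gap (one credit is one order of magnitude, so gap 1 -> SIL 1,
    gap 2 -> SIL 2, matching the Appendix B recommendations)."""
    required = credits_required(scn.severity, scn.initiating_likelihood)
    available = credits_available(scn.safeguards)
    gap = max(required - available, 0)
    return {"required": required, "available": available, "gap": gap, "sif_sil": gap}


def with_likelihood(scn, li):
    """Step 10 variant: a recommendation that lowers the initiating cause likelihood."""
    return replace(scn, initiating_likelihood=li)


def with_sif_verified(scn, tag):
    """Step 10 variant: the SIF is implemented at its SIL and the SIL is verified."""
    sgs = tuple(replace(s, sil_verified=True) if s.tag == tag else s for s in scn.safeguards)
    return replace(scn, safeguards=sgs)


# The three Appendix B scenarios as the text records them.
HIGH_PRESSURE = Scenario("B.1 Node 1, high pressure", "major", "likely", (
    Safeguard("PSV-101", 2),
    Safeguard("operator training", 0),       # does not qualify as an IPL
    Safeguard("I-103", 1, is_sif=True),      # SIL assumed 1; not yet verified
))
HIGH_LEVEL = Scenario("B.2 Node 1, high level", "major", "likely", (
    Safeguard("LAH-202 operator response", 1),
    Safeguard("I-101", 2, is_sif=True),      # recommended as SIL 2; not yet verified
))
LOW_LEVEL = Scenario("B.3 Node 1, low level", "major", "likely", (
    Safeguard("PSV-302", 2),
    Safeguard("PT-301 high alarm", 0),       # response time too short to qualify
    Safeguard("I-102", 1, is_sif=True),      # recommended as SIL 1; not yet verified
))

if __name__ == "__main__":
    for scn in (HIGH_PRESSURE, HIGH_LEVEL, LOW_LEVEL):
        print(scn.name, evaluate(scn))
    print("B.1 with independent verification",
          evaluate(with_likelihood(HIGH_PRESSURE, "occasional")))
    print("B.2 with I-101 as a verified SIL 2 SIF",
          evaluate(with_sif_verified(HIGH_LEVEL, "I-101")))
```

Running it reproduces the gaps of 1, 2 and 1 from the three examples, shows the B.1 gap closing when the LI drops to occasional, and shows the B.2 and B.3 gaps closing once the recommended SIFs are verified. Passing an unstated matrix cell raises rather than guessing.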


B.2 Node 1, High Level Deviation

Step 4. Identify Causes, Consequences, and Safeguards

Identify Causes. While looking for causes of high level, the team determined that if control loop
LIC-201 fails LV-201 closed, then high level could result in V-101.
Develop Consequences. The consequence of high liquid level in V-101 would be potential liquid
carryover to compressor K-102, resulting in potential equipment damage and possible personnel
exposure.
Identify and Validate Safeguards. The safeguards against this cause-consequence scenario
include SIF I-101 in which high level indicated by high level alarm LAHH-103 will trip
compressor K-102. SIS transmitter LT-202 also has a high alarm LAH-202 with operator
intervention to manually open valve LV-201. Based on the size of the knock-out drum and the
setting of high level alarm LAH-202, the operator will have at least 30 minutes to open valve
LV-201 before the liquid overflows into the compressor.

Step 5. Perform PHA Risk Rank

The team determined that the safety severity of the consequence would be major. The likelihood
of the consequence with all safeguards in place was determined to be unlikely. This equates to an
overall PHA risk rank of 6.

Step 6. Postulate PHA Recommendations Based on Risk Ranking

Based on the PHA risk rank of 6, the team decided that the risk would be considered tolerable if
the validity of the safeguards is confirmed during the SOA portion of the PHA/SOA. For this
reason, no specific PHA recommendations were made for this cause-consequence scenario.

Step 7. Determine Total Number of IPL Credits Required

The PHA risk rank severity of major was copied over for the SOA. The LI was determined to be
equal to the initiating cause likelihood. The initiating cause likelihood of a control loop failure
is likely. This severity of major and LI of likely results in a total of 3 IPL credits required.

Step 8. Identify all IPLs

Using the SOA/SSFA Guidance Tables, the team determined that the operator response to
LAH-202 qualifies as 1 IPL credit. SIS interlock I-101 is shown on the P&IDs, but no IPL credit
is taken for this SIF because this is a new facility and the SIL of the SIF has not been verified and
documented. Step 9 below will determine whether a gap exists between the number of IPL credits
available and the number of IPL credits required.


Step 9. Determine IPL Credit Gap

If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 1 IPL credit in Step 8 above, then the IPL credit gap is 2. This
means that an additional two orders of magnitude risk reduction are required to adequately
reduce the risk of the cause-consequence scenario.

Step 10. Create SOA Recommendations

The team made the recommendation to consider implementing SIS interlock I-101 as a SIL 2
SIF. This would successfully close the IPL credit gap associated with the cause-consequence
scenario.

Step 11. Repeat PHA/SOA Steps 4 through 10

Steps 4 through 10 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.

B.3 Node 1, Low Level Deviation

Step 4. Identify Causes, Consequences, and Safeguards

Cause. While looking for causes of low level, the team determined that if control loop LIC-201
fails LV-201 open, then low level could result in V-101.
Consequence. The consequence of low liquid level in V-101 would be potential gas blow-by to
downstream oil/water vessels, resulting in possible equipment damage and personnel exposure.
This is an example of a situation where the cause occurs in this node, but the consequence occurs
outside of the node. In such cases, the team should follow the consequence wherever it leads and
evaluate the risk as part of this cause-consequence scenario. Figure G-3 shows the separator in
Node 2 that would be affected by the gas blow-by that could result from the low level in
Knock-Out Drum V-101 which is in Node 1. The team determined that gas blow-by through
V-101 could lead to overpressure of Separator V-102, resulting in loss of containment and
personnel exposure.
See Figure G-3: Separator, Compressor, and Knock-Out Drum.
Safeguards. The safeguards for this cause-consequence scenario include relief valve PSV-302
which is in clean service and has been sized to handle the flow rate of anticipated gas blow-by
coming from the knock-out drum. SIF I-102 will detect low level indicated by low level alarm
LALL-103 and close valve UV-108 to block the outlet of the knock-out drum to prevent the gas
blow-by to the separator. Separator V-102 also has PCS pressure transmitter PT-301 with a high
alarm and operator intervention to block in the inlet of the separator with the manual block valve.


Step 5. Perform PHA Risk Rank

The team determined that the safety severity of the consequence would be major. The likelihood
of the consequence with all safeguards in place was determined to be unlikely. This equates to an
overall PHA risk rank of 6.

Step 6. Postulate PHA Recommendations Based on Risk Ranking

Based on the PHA risk rank of 6, the team decided that the risk would be considered tolerable if
the validity of the safeguards is confirmed during the SOA portion of the PHA/SOA. For this
reason, no specific PHA recommendations were made for this cause-consequence scenario.

Step 7. Determine Total Number of IPL Credits Required

The PHA risk rank severity of major was copied over for the SOA. The LI was determined to be
equal to the initiating cause likelihood. The initiating cause likelihood of a control loop failure
is likely. This severity of major and LI of likely results in a total of 3 IPL credits required.

Step 8. Identify all IPLs

Per the SOA/SSFA Guidance Tables, relief valve PSV-302 qualifies for 2 IPL credits since it is in
clean service and the facility has plans in place to regularly test the relief valve. The team decided
that the high alarm on PT-301 with operator intervention would not qualify as an IPL because the
operator would not have enough time to respond to prevent the overpressure of the separator. In
addition, since this is a new system, any critical alarms should be routed to a dedicated
annunciator panel, either directly or via an SIS logic solver in order to qualify for IPL credit. SIS
interlock I-102 is shown on the P&IDs, but no IPL credit is taken for this SIF because the SIL of
the SIF has not yet been verified and documented. Step 9 below will determine whether a gap
exists between the number of IPL credits available and the number of IPL credits required.

Step 9. Determine IPL Credit Gap

If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 2 IPL credits in Step 8 above, then the IPL credit gap is 1. This
means that one more order of magnitude risk reduction is required to adequately reduce the risk
of the cause-consequence scenario.

Step 10. Create SOA Recommendations

The team made the recommendation to consider implementing SIS interlock I-102 as a SIL 1
SIF. This would successfully close the IPL credit gap associated with the cause-consequence
scenario.

Step 11. Repeat PHA/SOA Steps 4 through 10

Steps 4 through 10 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.


Appendix C Stand-Alone SOA Example

The following compressor knock-out drum example will be used to help describe and illustrate
Steps 4 through 9 of the stand-alone SOA process.
WARNING: This example is intended for illustration purposes only. In no way is this
example meant to represent an actual analysis for this type of process.
In this example, hot hydrocarbon gas and liquid (oil and water) from the main process enters
knock-out drum V-101 prior to being sent to 1st stage compressor K-102. The purpose of the
knock-out drum is to eliminate liquids from the process or liquid/gas stream that could severely
damage the compressor.
See Figure G-3: Separator, Compressor, and Knock-out Drum.
In this example a PHA had been conducted before the SOA. As a result, the SOA team copied the
cause-consequence scenario causes, consequences, safeguards, and severity ranking for each
cause-consequence scenario from the PHA and then used the SOA process to determine the
safety system instrumentation required to prevent and mitigate the hazardous events for this
process. Steps 4 through 9 of the stand-alone SOA process are described below for a sampling of the
cause-consequence scenarios for this process.

C.1 Node 1, High Pressure Deviation

Step 4. Documentation of cause-consequence scenario and severity ranking

The cause, consequence, safeguards, and severity ranking for each cause-consequence scenario
are copied over from the PHA worksheets.
Cause. The cause of high pressure copied over from the PHA is erroneous closure of the block
valve between the knock-out drum and the compressor (human error).
Consequence. With the gas outlet blocked and gas still entering V-101, the consequence would be
high pressure in the drum, with potential overpressure, loss of containment, and personnel exposure.
Safeguards. The safeguards against this cause-consequence scenario include relief valve
PSV-101 and high pressure alarm PAHH-102 with corresponding trip of liquid/gas inlet valve
UV-109 by SIS interlock I-103. The PHA team also identified operator training as a safeguard.
Severity Ranking. The PHA team previously determined that the safety severity of the
consequence would be major.

Step 5. Determine Total Number of IPL Credits Required

The LI was determined to be equal to the initiating cause likelihood. The initiating cause
likelihood of an operator erroneously closing the knock-out drum gas outlet block valve was
determined to be likely because the operator will have to independently close this block valve for
maintenance on the compressor more than once per year. The operator has training on the
operation but the operation is not independently verified. This severity of major and LI of likely
results in a total of 3 IPL credits required. Figure G-2 shows that the total of 3 required IPL
credits is found at the intersection of the severity and LI on the matrix.


Step 6. Identify all IPLs

Using the SOA/SSFA Guidance Tables, the team determined that relief valve PSV-101 qualifies
as 2 IPL credits. The team determined that the operator training safeguard would not qualify as an
IPL, but might affect the initiating event frequency for the cause-consequence scenario. SIS
interlock I-103 is shown on the P&IDs, but no IPL credit is taken for this SIF because this is a
new facility and the SIL of the SIF has not been verified and documented. Step 7 below will
determine whether a gap exists between the number of IPL credits available and the number of
IPL credits required.

Step 7. Determine IPL Credit Gap

If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 2 IPL credits in Step 6 (for PSV-101), then the IPL credit gap is
1. This means that one more order of magnitude risk reduction is required to adequately reduce
the risk of the cause-consequence scenario. Figure G-2 shows how the total number of required
IPL credits and IPL credit gap values are related.
See Figure G-2: Example of Determining Total Number of IPL Credits Required and IPL
Credit Gap.

Step 8. SOA Recommendations

The team made the recommendation to consider adding independent verification of the manual
operation of the block valve. This could reduce the initiating cause frequency from likely to
occasional. This would make the number of IPL credits available equal to the number of IPL
credits required, so the IPL credit gap would be eliminated. Because the IPL credit requirement
has been met outside of the SIS, the SIF would no longer be required for this cause-consequence
scenario. However, the project manager would have to obtain the concurrence of her/his upper
management and ensure that the SIF is not necessary to reduce the risk for any other
cause-consequence scenarios before removing it.

Step 9. Repeat Stand-alone SOA Steps 4 through 8

Steps 4 through 8 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.

C.2 Node 1, High Level Deviation

Step 4. Documentation of cause-consequence scenario and severity ranking

The cause, consequence, safeguards, and severity ranking for each cause-consequence scenario
are copied over from the PHA worksheets.
Cause. The PHA team determined that if control loop LIC-201 fails LV-201 closed, then high
level could result in V-101.

Consequence. The consequence of high liquid level in V-101 established in the PHA was
potential liquid carryover to compressor K-102, resulting in potential equipment damage and
possible personnel exposure.
Safeguards. The safeguards documented for this cause-consequence scenario include SIF I-101
in which high level indicated by high level alarm LAHH-103 will trip compressor K-102. SIS
transmitter LT-202 also has a high alarm LAH-202 with operator intervention to manually open
valve LV-201. Based on the size of the knock-out drum and the setting of high level alarm
LAH-202, the operator will have at least 30 minutes to open valve LV-201 before the liquid
overflows into the compressor.
Severity Ranking. The PHA team previously determined that the safety severity of the
consequence would be major.

Step 5. Determine Total Number of IPL Credits Required

The LI was determined to be equal to the initiating cause likelihood. The initiating cause
likelihood of a control loop failure is likely. This severity of major and LI of likely results in a
total of 3 IPL credits required.

Step 6. Identify all IPLs

Using the SOA/SSFA Guidance Tables, the team determined that the operator response to
LAH-202 qualifies as 1 IPL credit. SIS interlock I-101 is shown on the P&IDs, but no IPL credit
is taken for this SIF because this is a new facility and the SIL of the SIF has not been verified and
documented. Step 7 below will determine whether a gap exists between the number of IPL credits
available and the number of IPL credits required.

Step 7. Determine IPL Credit Gap

If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 1 IPL credit in Step 6 above, then the IPL credit gap is 2. This
means that an additional two orders of magnitude risk reduction are required to adequately
reduce the risk of the cause-consequence scenario.

Step 8. SOA Recommendations

The team made the recommendation to consider implementing SIS interlock I-101 as a SIL 2
SIF. This would successfully close the IPL credit gap associated with the cause-consequence
scenario.

Step 9. Repeat Stand-alone SOA Steps 4 through 8

Steps 4 through 8 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.


C.3 Node 1, Low Level Deviation

Step 4. Documentation of cause-consequence scenario and severity ranking

The cause, consequence, safeguards, and severity ranking for each cause-consequence scenario
are copied over from the PHA worksheets.
Cause. The PHA team determined that if control loop LIC-201 fails LV-201 open, then low level
could result in V-101.
Consequence. The consequence of low liquid level in V-101 would be potential gas blow-by to
downstream oil/water vessels, resulting in possible equipment damage and personnel exposure.
Figure G-3 shows the separator in Node 2 that would be affected by the gas blow-by that could
result from the low level in Knock-Out Drum V-101 which is in Node 1. The PHA team
previously determined that gas blow-by through V-101 could lead to overpressure of Separator
V-102, resulting in loss of containment and personnel exposure.
See Figure G-3: Separator, Compressor, and Knock-Out Drum.
Safeguards. The safeguards for this cause-consequence scenario include relief valve PSV-302
which is in clean service and has been sized to handle the flow rate of anticipated gas blow-by
coming from the knock-out drum. SIF I-102 will detect low level indicated by low level alarm
LALL-103 and close valve UV-108 to block the outlet of the knock-out drum to prevent the gas
blow-by to the separator. Separator V-102 also has PCS pressure transmitter PT-301 with a high
alarm and operator intervention to block in the inlet of the separator with the manual block valve.
Severity Ranking. The PHA team previously determined that the safety severity of the
consequence would be major.

Step 5. Determine Total Number of IPL Credits Required

The LI was determined to be equal to the initiating cause likelihood. The initiating cause
likelihood of a control loop failure is likely. This severity of major and LI of likely results in a
total of 3 IPL credits required.

Step 6. Identify All IPLs

Per the SOA/SSFA Guidance Tables, relief valve PSV-302 qualifies for 2 IPL credits since it is in
clean service and the facility has plans in place to regularly test the relief valve. The team decided
that the high alarm on PT-301 with operator intervention would not qualify as an IPL because the
operator would not have enough time to respond to prevent the overpressure of the separator. In
addition, since this is a new system, any critical alarms should be routed to a dedicated
annunciator panel, either directly or via an SIS logic solver in order to qualify for IPL credit. SIS
interlock I-102 is shown on the P&IDs, but no IPL credit is taken for this SIF because the SIL of
the SIF has not yet been verified and documented. Step 7 below will determine whether a gap
exists between the number of IPL credits available and the number of IPL credits required.


Step 7. Determine IPL Credit Gap

If the total number of IPL credits required is greater than the number of IPL credits available for
the cause-consequence scenario, the difference is the IPL credit gap. Since 3 IPL credits are
required and the team identified 2 IPL credits in Step 6 above, then the IPL credit gap is 1. This
means that one more order of magnitude risk reduction is required to adequately reduce the risk
of the cause-consequence scenario.

Step 8. SOA Recommendations

The team made the recommendation to consider implementing SIS interlock I-102 as a SIL 1
SIF. This would successfully close the IPL credit gap associated with the cause-consequence
scenario.

Step 9. Repeat Stand-alone SOA Steps 4 through 8

Steps 4 through 8 are repeated for all hazards until there are no more hazards to be evaluated. The
example above evaluated the safety consequences related to the initiating cause. Any health,
environment, or asset consequences would also be evaluated before moving on to the next
initiating cause. Refer to the flowchart in Appendix F for an illustration of the PHA/SOA process.


Appendix D Integrated Risk Prioritization Matrix for SOA/SSFA IPL Analysis

(Appendix D consists of the matrix figure, which is not reproduced in this text.)

Appendix E SOA/SSFA Guidance Tables

Table 1. Initiating Cause Likelihood

Columns: Initiating Cause; Conditions; Initiating Cause Likelihood.

Process Control System (PCS) Loop Failure
  Conditions: The PCS consists of the complete instrumented loop, including the sensor,
  controller, and final element (i.e., valve, pump motor, etc.). The dangerous failure rate of a
  PCS loop is restricted by ANSI/ISA 84.00.01-2004 (IEC 61511 MOD) or IEC 61511, which states
  that the dangerous failure rate of a PCS that is not designed, implemented, operated, and
  maintained in compliance with IEC 61511 cannot be assumed to be better (less frequent) than
  10^-5 per hour. This is approximately 1 in 11 years, or 0.1 events per year.
  Likelihood: Likely (1)

Pressure Regulator (Integral)
  Conditions: Local pressure regulator or pressure reducing valve in clean service and under
  periodic maintenance.
  Likelihood: Occasional (2)

Loss of Process Supply
  Conditions: Loss of supply from all causes, e.g., pump failure, accidental block-in from an
  external source (off plot).
  Likelihood: Likely (1)

Relief Valve Opens Early
  Conditions: Early opening propagates to an incident.
  Likelihood: Occasional (2)

Human Error
  Note: The initiating event frequency of human error should consider equipment layout,
  frequency of task performance, and training and procedures. The conditions provided are
  initial guidelines, to be adjusted based on operating experience.
  Conditions: Omission or commission during normal operational duty. The person is trained on
  the required task and has procedures available to examine. An individual performs the task
  more than once per year without independent checking.
  Likelihood: Likely (1)
  Conditions: Omission or commission during normal operational duty. The person is trained on
  the required task and has procedures available to examine. The task is independently checked
  to verify correctness.
  Likelihood: Occasional (2)
  Conditions: Omission or commission during normal operational duty. The person is trained on
  the required task and has procedures available to examine. An individual performs the task
  less than once per year.
  Likelihood: Occasional (2)

Mechanical Failures, Metallic (e.g., exchanger tube leak)
  No moving parts, no vibration (non-corrosive service): Seldom (3)
  Low vibration: Occasional (2)
  High vibration: Likely (1)

Mechanical Failures, Non-metallic
  No moving parts, no vibration: Seldom (3)
  Low vibration: Occasional (2)
  High vibration: Likely (1)

Mechanical Failures (Hoses)
  No moving parts, no vibration: Seldom (3)
  Low vibration: Occasional (2)
  High vibration: Likely (1)

Pump/Fan/Compressor Failure
  Conditions: Single equipment whose failure is sufficiently catastrophic to prevent adequate
  supply to the downstream process, directly resulting in the potential hazard scenario.
  Likelihood: Likely (1)
  Conditions: Spared equipment with no auto-start. Failure is sufficiently catastrophic to
  prevent adequate supply to the downstream process, directly resulting in the potential hazard
  scenario.
  Likelihood: Likely (1)
  Conditions: Spared equipment with one in standby with auto-start. Both pumps must fail
  catastrophically and prevent adequate supply to the downstream process, directly resulting in
  the potential hazard scenario.
  Likelihood: Occasional (2)

Pump/Compressor Mechanical Seal Failure
  Conditions: Single mechanical seal. Must be designed to prevent the scenario consequence. The
  seal must be part of the facility's preventive maintenance program.
  Likelihood: Likely (1)
  Conditions: Double mechanical seal with alarm. Must be designed to prevent the scenario
  consequence. The double seals and associated alarm must be part of the facility's preventive
  maintenance program.
  Likelihood: Occasional (2)

Other Initiating Causes (OTHER)
  Conditions: The group must consider the components involved in the initiating cause.
  Likelihood: Use the experience of personnel or failure rate data.

Enabling Events and Conditional Probabilities

The Likelihood Initial (LI) is the expected frequency of reaching the stated consequence in its
entirety due to the initiating event, taken as a starting point with all instrumentation safeguards
removed and considering any enabling events and/or conditional probabilities.
Sometimes the consequence is guaranteed or very likely to occur as soon as the initiating cause
occurs, in which case the Likelihood Initial is the same as the initiating cause frequency. However,
there are often occasions when the stated consequence occurs only when the initiating cause
coincides with some other operational mode, event, or condition. If this is the case, that enabling
event or condition should be listed in the Safeguards column on the PHA/SOA Worksheet.

Table 2. Independent Protection Layers: PCS and Operator Intervention

Columns: IPL; Rules on Considering as IPL; IPL Credit. (The IPL credit values of this table are
not preserved in this copy.)

PCS control loop
  Rules on considering as an IPL:
  - The PCS control loop/interlock must use sensors, PCS input and output modules, and final
    elements that are independent of the PCS control loop/interlock identified as the initiating
    cause.
  - Regardless of whether a PCS control loop/interlock is the initiating cause or not, only one
    PCS control loop/interlock may be credited as an IPL, provided the PCS controller requirements
    below are met.
  - It is typically a control loop whose normal action prevents the scenario consequence.
  - The PCS IPL must run in automatic mode during all operational phases where the hazard
    scenario exists.
  - Testing of any PCS IPL must be part of the facility's instrument maintenance testing plan for
    IPLs. This requirement is especially important if the PCS control loop/interlock is dormant.
  - For pressure relief control loops, the control valve must be sized to prevent the
    overpressure scenario.
  - The PCS IPL should be designed, implemented, operated, and maintained to achieve the risk
    reduction.
  PCS IPL controller requirements (to be reviewed, with a documented judgment, only by PCS
  experts knowledgeable in the specific hardware/architecture of the system under consideration
  and by the department/persons responsible for maintaining/managing the PCS):
  - The controller is redundant (i.e., main and backup).
  - The controller is sufficiently reliable to ensure that common mode failure is not a cause of
    concern.
  - Adequate PCS workstation access and security procedures provide assurance that the potential
    for human error in programming, modifying, or operating the PCS is reduced to an acceptable
    level.
  - Field or local control loops with different instrumentation may also be classified as an
    additional IPL. Additional considerations include a relatively clean service with no or
    minimal history of instrumentation problems due to plugging, polymerization, or deposition.
  Loops that fail the independence rule: any PCS control loop that is affected by the CAUSE
  failure listed in the cause-consequence scenario, and control loops that share or contain common
  process measurements and output devices with alarms, SIS functions, or other controls affected by
  CAUSE failures.

Alarms with Operator Response
  Simplified qualification criteria. The following criteria for qualifying alarms with operator
  response as IPLs are simplified to aid execution of the SOA. They are the basic, fundamental
  criteria that are not influenced by more detailed design aspects. Qualification against the
  detailed design aspects will be carried out by an SIS Engineering resource when the
  recommendations are reviewed prior to approval.
  - The alarm signal being claimed as part of the IPL is NOT from the same instrument that forms
    part of the initiating cause or of any other IPL related to this cause-consequence scenario.
  - If a PCS control loop has been recognized as an IPL, an alarm with operator response cannot
    also be recognized if the alarm is routed through the PCS.
  - For existing facilities, it is highly desirable that the IPL alarm be displayed on a dedicated
    PCS IPL alarm window.
  - For new facilities (including capital upgrade projects and/or unit expansions), the sensor
    signal should be routed to a dedicated annunciator panel, either directly or via an SIS logic
    solver.

  Process Safety Time* (min) | Location of Preventative Action | Description
  <10 | Control room | Operator has less than 10 minutes to respond to the alarm.
  >10 | Control room | Operator action is complicated, i.e., a large number of alarms is
    generated by the initiating cause and the response cannot be adequately determined or
    documented.
  >10 | Control room | The operator is trained on alarm response, has procedures available to
    examine, and practices the action periodically. The alarm setting cannot be changed by the
    operator or bypassed except through the Management of Change (MOC) procedure. The alarm must
    fall within safe upper and lower limits and allow timely response from the control room.
  >30 | Field | The operator is trained on alarm response, has procedures available to examine,
    and practices the action periodically. The alarm setting cannot be changed by the operator or
    bypassed except through MOC. The alarm must fall within safe upper and lower limits and allow
    timely response in the field.

  Note: When considering an alarm IPL implemented in the SIS logic solver, the overall IPL credit
  must not be higher than the maximum SIL rating for which the logic solver is certified per
  IEC 61508. For example, a SIL 2 certified logic solver cannot have a SIL 2 SIF and an IPL alarm
  for the same scenario.

Routine Operator Surveillance
  Process-related rounds and inspections. The frequency of operator rounds must be sufficient to
  detect the potential incident. If recognition of a process variable is required, the operator
  must log specific values from sensors or valves independent of the initiating cause. The log
  must show unacceptable out-of-range values. The SOP must describe the response to out-of-range
  values. Note: Routine operator surveillance is rarely considered an IPL. However, it can affect
  the likelihood of a consequence given a specific cause.

* Process Safety Time: the time it takes the process to go from the alarm condition to the
hazardous condition.

April 2013
© 2009-2013 Chevron U.S.A. Inc. All rights reserved. Confidential Restricted Access
38 of 46


Table 3
INDEPENDENT PROTECTION LAYERS
Pressure Relief Devices (PRDs)
Columns: IPL | Rules on Considering as IPL | IPL Credit

Pressure Relief Valve (PRV)

  Clean service. The PRV must be sized to prevent the scenario consequence. Additionally, the facility must have plans in place to regularly test the PRV within the required test interval given its predicted failure rate. For a new facility, these plans need to be written. For existing facilities, documentation proving that these testing plans are in place and being followed is required.

  Clean service. Three PRVs in clean service where 2 of the 3 PRVs are required to prevent the overpressure and all three PRVs are actively connected to the process at all times.

  Clean service. More than one PRV is available to prevent the overpressure consequence. Each PRV listed must be capable of independently relieving the vessel and must be sized to prevent the scenario consequence. Note: Extreme caution must be used before implementing this as a solution. Use of more than one PRV can be a source of chatter. The capacity of the entire relieving system (piping, knock-out drums, flare) must also be evaluated.

  More than one PRV is available, but more than one is required to relieve the full load. This includes staged-release PRVs. To achieve higher risk reduction than 1 IPL credit, the PRV sizing calculations must be reviewed to determine whether the load can be successfully handled by one PRV, based on the specific cause-consequence scenario under review.

  Plugging service, i.e., prone to plugging, polymerization, or deposition, or with a history of failure to operate properly when tested. An unprotected PRV used in a plugging service is not considered sufficient for consideration as an IPL.

  Plugging service (as defined above). Redundant PRVs with separate process connections. Each PRV must be sized to prevent the scenario consequence.

  Plugging service (as defined above). PRV with integrated rupture disk. A pressure gauge must be installed to measure the pressure between the rupture disk and the PRV to detect small leaks in the disk. The PRV must be sized to prevent the scenario consequence.

  Plugging service (as defined above). PRV with integrated rupture disk with purging. A pressure gauge must be installed to measure the pressure between the rupture disk and the PRV to detect small leaks in the disk. The PRV must be sized to prevent the scenario consequence.

Vessel Rupture Disk

  Clean service. Must be designed to prevent the scenario consequence. The release must be evaluated for potential risk.

  Plugging service. Must be designed to prevent the scenario consequence. The release must be evaluated for potential risk.


Table 4
INDEPENDENT PROTECTION LAYERS
Other IPLs
Columns: IPL | Rules on Considering as IPL | IPL Credit

Check Valve
  Single check valve. Must be designed to prevent the scenario consequence.
  Dual check valves in series. Must be designed to prevent the scenario consequence. Additionally, the check valves must be part of the facility's preventive maintenance program.

Flame Arrester
  Must be designed to prevent the scenario consequence. The flame arrester must be part of the facility's preventive maintenance program.

Vacuum Breaker
  Must be designed to prevent the scenario consequence. The vacuum breaker must be part of the facility's preventive maintenance program.

Restrictive Orifice
  Must be designed to prevent the scenario consequence. Care must be taken to avoid giving double credit to a restrictive orifice if its installation was already taken into account when developing the consequences.

Mechanical Over-Speed Trip
  Must be specifically designed for the relevant rotating equipment and appropriately tested as part of the facility's preventive maintenance program.


Table 5
INDEPENDENT PROTECTION LAYERS
Safety Instrumented System IPLs
Columns: IPL | Rules on Considering as IPL | IPL Credit

Safety Instrumented Function (SIF)
  Must be functionally independent of PCS hardware and software. Must be independent of the event initiating cause. Achieves SIL 1: Average Probability of Failure on Demand (PFDavg) of 0.1 to 0.01.
  Must be functionally independent of PCS hardware and software. Must be independent of the event initiating cause. Achieves SIL 2: PFDavg of 0.01 to 0.001.
  Must be functionally independent of PCS hardware and software. Must be independent of the event initiating cause. Achieves SIL 3: PFDavg of 0.001 to 0.0001.

Note: The hardware fault tolerance requirements stated in ANSI/ISA 84.00.01-2004 (IEC 61511 Mod), Part 1, Section 11.4, or in
IEC 61508-2 Tables 2 and 3 must also be satisfied.
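The crediting rules scattered across the alarm table note (no more IPL credit inside one SIS logic solver than its certified SIL), Table 5 (SIL bands by PFDavg) and Table 6 (90% effectiveness floor for mitigative layers), together with the independence and process-safety-time rules for alarms, are easy to apply inconsistently by hand. The following checker is an added example written for this page; it is not part of ICM-PU-5171-A and is not a Chevron tool. It assumes one IPL credit per decade of PFDavg (credits = floor(-log10(PFDavg)), capped at the SIL 3 band), which the document does not state, and every tag name, the IPL data model and the sample scenario are constructed for illustration.

```python
"""Added example, not part of ICM-PU-5171-A: a checker for the IPL crediting
rules stated in the alarm, SIF and fire/gas tables (independence from the
initiating cause and other IPLs, no PCS-routed alarm beside a credited PCS
loop, alarm process-safety-time minimums, the 90% floor for mitigative IPLs,
the Table 5 SIL bands and the logic-solver SIL cap).
Assumed, not from the document: credits = floor(-log10(PFDavg)), capped at 3;
the data model and every tag name below are illustrative."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Table 5 SIL bands, lower bound inclusive (as in IEC 61511):
# SIL 1 = [0.01, 0.1), SIL 2 = [0.001, 0.01), SIL 3 = [0.0001, 0.001).
SIL_LOWER_BOUND = {1: 0.01, 2: 0.001, 3: 0.0001}


def sil_for_pfd(pfd: float) -> Optional[int]:
    """SIL band of Table 5 for a PFDavg: 0 if no better than 0.1,
    None if better than SIL 3 (outside the table)."""
    if pfd >= 0.1:
        return 0
    for sil in (1, 2, 3):
        if pfd >= SIL_LOWER_BOUND[sil]:
            return sil
    return None


def credits_for_pfd(pfd: float) -> int:
    """Whole IPL credits under the one-credit-per-decade assumption,
    capped at 3 because Table 5 stops at SIL 3."""
    if pfd >= 1.0:
        return 0
    return min(3, int(math.floor(-math.log10(pfd) + 1e-9)))


@dataclass
class IPL:
    name: str
    kind: str              # "pcs_loop", "alarm", "sif", "prv" or "fire_gas"
    pfd: float             # claimed PFDavg
    sensor: str            # tag of the instrument the layer relies on
    platform: str = ""     # "PCS", a logic solver id such as "SIS-1", or "" (mechanical)
    pst_min: float = 0.0   # process safety time in minutes (alarms only)
    location: str = "control_room"  # "control_room" or "field" (alarms only)
    effectiveness: float = 1.0      # mitigative IPLs: Table 6 requires >= 0.9


def evaluate_scenario(initiating_sensor: str, ipls: List[IPL],
                      solver_sil: Dict[str, int]) -> Tuple[int, List[str]]:
    """Apply the crediting rules; return (total credits, findings).
    solver_sil maps each SIS logic solver to its certified SIL."""
    findings: List[str] = []
    accepted: List[IPL] = []
    seen_sensors = {initiating_sensor}
    pcs_loop_credited = False
    # PCS loops are evaluated first so the PCS-routed-alarm rule is order-independent.
    for ipl in sorted(ipls, key=lambda i: i.kind != "pcs_loop"):
        if ipl.sensor in seen_sensors:
            findings.append(f"{ipl.name}: shares {ipl.sensor} with the initiating "
                            "cause or another IPL; not independent")
            continue
        if ipl.kind == "alarm":
            if ipl.platform == "PCS" and pcs_loop_credited:
                findings.append(f"{ipl.name}: alarm routed through the PCS while a "
                                "PCS control loop is already credited")
                continue
            needed = 30 if ipl.location == "field" else 10   # Table 2 rows
            if ipl.pst_min <= needed:
                findings.append(f"{ipl.name}: process safety time {ipl.pst_min:g} min "
                                f"is not more than {needed} min for a {ipl.location} response")
                continue
        if ipl.kind == "fire_gas" and ipl.effectiveness < 0.9:
            findings.append(f"{ipl.name}: overall effectiveness {ipl.effectiveness:.0%} "
                            "is below the 90% floor for a mitigative IPL")
            continue
        if ipl.kind == "pcs_loop" and ipl.platform == "PCS":
            pcs_loop_credited = True
        seen_sensors.add(ipl.sensor)
        accepted.append(ipl)
    # Credits claimed inside one logic solver cannot exceed its certified SIL.
    total = 0
    per_solver: Dict[str, int] = {}
    for ipl in accepted:
        if ipl.platform in solver_sil:
            per_solver[ipl.platform] = per_solver.get(ipl.platform, 0) + credits_for_pfd(ipl.pfd)
        else:
            total += credits_for_pfd(ipl.pfd)
    for solver, claimed in per_solver.items():
        cap = solver_sil[solver]
        if claimed > cap:
            findings.append(f"{solver}: {claimed} credits claimed exceed its "
                            f"certified SIL {cap}; capped at {cap}")
        total += min(claimed, cap)
    return total, findings


def ipl_credit_gap(required: int, available: int) -> int:
    """Credit gap in the sense of Figure G-2: credits still missing (0 if met)."""
    return max(0, required - available)


def example_scenario() -> Tuple[int, List[str]]:
    """Constructed scenario (illustrative tags): a PCS flow loop on FT-100 fails,
    threatening high level in a drum protected by the layers listed here."""
    ipls = [
        IPL("LIC-101", "pcs_loop", 0.1, "LT-101", "PCS"),
        IPL("LAH-101", "alarm", 0.1, "LT-101", "PCS", pst_min=20),     # same sensor as LIC-101
        IPL("LAH-102", "alarm", 0.1, "LT-102", "PCS", pst_min=20),     # PCS-routed beside PCS loop
        IPL("LAHH-103", "alarm", 0.1, "LT-103", "SIS-1", pst_min=15),  # dedicated, via SIS solver
        IPL("SIF-104", "sif", 0.005, "LT-104", "SIS-1"),               # SIL 2 band
        IPL("PSV-105", "prv", 0.1, "PSV-105"),                         # mechanical, own sensing
        IPL("FG-106", "fire_gas", 0.1, "GD-106", "SIS-1", effectiveness=0.85),
    ]
    return evaluate_scenario("FT-100", ipls, {"SIS-1": 2})


if __name__ == "__main__":
    total, findings = example_scenario()
    print(f"credits available: {total}; gap against 5 required: {ipl_credit_gap(5, total)}")
    for finding in findings:
        print(" -", finding)
```

In the constructed scenario the PCS loop, the SIS-routed alarm, the SIL 2 SIF and the PSV are the only layers that survive the rules, and because the alarm and the SIF both live in the SIL 2 certified solver SIS-1 their combined three credits are capped at two, exactly the situation the alarm table note warns about. The same capping logic applies whenever several IPLs share one logic solver, not only to the alarm-plus-SIF pairing the note gives as its example.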


Table 6
INDEPENDENT PROTECTION LAYERS (Mitigative*)
Fire and Gas Detection Systems
Columns: IPL | Rules on Considering as IPL | IPL Credit

Fire Detection with Water Deluge System
  Operator-initiated response. The risk reduction is based on the operator alarm and response criteria and must be independent of the initiating cause and other IPLs. Extreme care must be taken when using fire protection equipment as an IPL to ensure that it prevents the defined consequence under all foreseen conditions. This includes quantitative evaluation of the sensing, actuation and action mechanisms to verify that the overall effectiveness is 90% or higher under all credible cause-consequence scenarios.
  Fire detectors with automatic deluge, e.g., foam, water curtain, water sprays, or emergency evacuation. Must be independent of the initiating cause and other IPLs. Extreme care must be taken when using fire protection equipment as an IPL to ensure that it prevents the defined consequence under all foreseen conditions. This includes quantitative evaluation of the sensing, actuation and action mechanisms to verify that the overall effectiveness is 90% or higher under all credible cause-consequence scenarios.

Gas Monitors with Automated Deluge
  Operator-initiated response. The risk reduction is based on the operator alarm and response criteria and must be independent of the initiating cause and other IPLs. Extreme care must be taken when using gas detection equipment as an IPL to ensure that it prevents the defined consequence under all foreseen conditions. This includes quantitative evaluation of the sensing, actuation and action mechanisms to verify that the overall effectiveness is 90% or higher under all credible cause-consequence scenarios.
  Gas monitors with automatic response, e.g., water cannons, water sprays, or emergency evacuation. Must be independent of the initiating cause and other IPLs. Extreme care must be taken when using gas detection equipment as an IPL to ensure that it prevents the defined consequence under all foreseen conditions. This includes quantitative evaluation of the sensing, actuation and action mechanisms to verify that the overall effectiveness is 90% or higher under all credible cause-consequence scenarios.

* Note: Mitigation IPLs are typically intended to reduce the severity of the scenario consequence rather than prevent it.
Quantitative consequence analysis may be required. Use Table 6 with caution.


Appendix F
Combined PHA/SOA or SOA Standalone Flowchart
(Flowchart figure; only the caption survives in this copy.)


Appendix G
Additional Figures

Figure G-1: Compressor & Knock-out Drum
Figure G-2: Example of Determining Total Number of IPL Credits Required and IPL Credit Gap
Figure G-3: Separator, Compressor, and Knock-out Drum
(Figures only; the captions above are all that survives in this copy.)