Understanding hazards, consequences, LOPA, SILs, PFD, and ... GRAPH.pdf · Understanding Hazards, Consequences, LOPA, SILs, PFD, and RRFs as Related to Risk and Hazard Assessment

Understanding Hazards Consequences LOPA SILs

PFD and RRFs as Related to Risk and Hazard

AssessmentRoberto Fernandez BlancoDASIS Corp Buenos Aires Argentina robertofblancogmailcom (for correspondence)

Published online 25 July 2014 in Wiley Online Library (wileyonlinelibrarycom) DOI 101002prs11700

This article is intended for any engineer supervisor ormanager who does not specialize in process safety engineer-ing It presents the concept of layers of protection analysissafety integrity level (SIL) and its relationship to probabilityof failure on demand (PFD) and the related risk reductionfactors (RRFs) Novel SILPFDRRF graphics are presented tohelp the reader understand the concepts involved An exam-ple using a safety instrument function for a gas-fired boileris also used to help the reader understand the conceptsVC 2014 American Institute of Chemical Engineers Process Saf Prog

33 208ndash216 2014

Keywords risk assessment hazards evaluation safetyengineering

INTRODUCTION

External safety engineers often arrive at a plant siteexpecting that terminology related to hazard and risk analy-ses are well known For example there are three ldquoSrdquo acro-nyms SIL SIS and SIF that exist and the safety engineermay use all three in the same sentence SIL is used for SafetyIntegrity Level and is associated with a Safety InstrumentedFunction (SIF) SIL is an integer with a value of ldquo1rdquo ldquo2rdquo ldquo3rdquoor ldquo4rdquo In low demand operations a mode that occurs whenthe process demand frequency is less than once per yearthese numbers are related to probability of failure ondemand (PFD) and the risk reduction factor (RRF) [1] ThePFD is the likelihood that a system will fail to perform aspecified function when it is needed RRF is the reciprocal ofthe PFD In high demand or continuous operations (an inde-pendent protection layer IPL is demanded more than twiceits test frequency per year) [1] SILs are related to probabilityof dangerous failure per hour (PFH) [2] More discussion fol-lows in the examples and tables presented below If SIL isimplemented it implies that a certain level of risk reductionwill occur depending on the integer cited by the safety engi-neer or vendor

At the highest level SILs are related to the concept ofindependent layers of protection (IPLs) and the related Layerof Protection Analysis (LOPA) [3] Often LOPA is applied after

a process hazard analysis [4] An initiating event is selectedand a consequence is imagined Then a quantitative analysisis completed determining the frequency of the consequencebased on layers of protection Figure 1 presents the conceptof layers of protection Each layer has a RRF and a PFD (lowdemand) or PFH (high demand) Several of these layersdepend upon process control For example the inside layerhas a basic control system It can be an instrumentation loopthat controls a system deviation and prevents a major inci-dent such as an explosion fire or release An outstandingreview of the general area of process control as applied toprocess safety is offered in Leersquos [5] Another layer of protec-tion in Figure 1 is related to safety instrumented systems(SIS) and the related SIF A SIS can be composed of severalSIFrsquos However a SIF is a singular safety control system withone sensor or more sensors attached to a logic system thatissues an output to a final element that should stop the dan-gerous conditions of the process [6] Further the SIF layer isthe only layer that will have a numerical SIL attached to it asspecified in industrial guidelines such as the InternationalElectrotechnical Commission Standard 61511 [7] For thechemical process industries the concepts of SIL and SIS arediscussed in a classic CCPS book Guidelines for Safe Auto-mation of Chemical Processes [8] Articles on SIS are offeredby Summers et al [9 10] and Jin et al [11]

In the article below an example related to gas boilersafety is used to demonstrate the concepts Additional PSParticles related to boiler safety have been offered by Cazabonand Erickson [12] Morrison et al [13] and Lovejoy and Clark[14] This article expands concepts presented in Ref 15 Acomplete treatise is offered by the author as noted in Refs16(English) and 17 (Spanish)

PROCESS SAFETY MANAGEMENT

Thirty years ago the science of process safety burst intoday-to-day industrial activities like a hurricane Primarilydriven by OSHAs response to the 1984 Bhopal Incident [18]process safety management (PSM) became a regulatoryrequirement [19] Along with it came the concepts such asSILs which generatedmdashamong managers and departmentheadsmdashthe uneasy and disturbing sense that it was a ldquonot aneasily understoodrdquo concept Rigorous prevention and protec-tion measures are required to reducemdashto below the levelsdeemed tolerable by the communitymdashthe risks derived fromthe hazards residing in industrial processes The idea is tosafeguard the health and physical integrity of individuals the

This article was originally presented at the 3rd CCPS Latin Ameri-can Conference on Process Safety held in Buenos Aires in August2011 A Spanish version webinar was done in October 2008

VC 2014 American Institute of Chemical Engineers

208 September 2014 Process Safety Progress (Vol33 No3)

environment production assets and the continuity of plantoperations

KEY CONCEPTS

a A process is deemed risky when it contains hazards with adamaging or destructive potential (eg a flammable ortoxic material) The situation equivalent to keeping afierce tiger in a cage that protects us from its attacks andconsequent harm

b An initiating event is an occurrence that releases the tiger(by opening its cage door) and thus generates an incidentthat exposes us to the tigerrsquos damaging potential Thiscondition that is exposure to the tigerrsquos damaging poten-tial (the hazard) is a danger Hence the phrase ldquoa hazardis a source of dangerrdquo (Figure 2)

c The possibility of the tiger escaping from its cage is meas-ured in terms of the frequency of an initiating event (anunlatched door opening) IEFi times the product of thePFD of the independent safety layers (in this example theprobability that an installed latch actually opens based onobservation of the dropping of many branches on thelatch)The general mathematical relationship is provided as fol-lows [1]

f Ci 5 IEFi 3 PFDi1 3 PFDi2 3 3 PFDij (1)

Wheref Ci 5 frequency of the consequence occurring for scenario iIEFi 5 frequency of the initiating event for the scenario iUnits are per time Must be below 1 eventtime unitPFDij 5 probability of failure on demand of independentprotection layer j for scenario i

For Eq 1 to give correct results an overall reduction infrequency of a consequence f C

i the initial event frequencymust be below 1 event per unit time used in the analysisThe time unit or period can be any convenient time units

for example seconds minutes hours days months oryears The typical default is per year for low demand proc-esses (PFD) and per hour (PFH) for high demand and con-tinuous processes The example below will use monthsPFD is the number of ldquofailedrdquo attempts divided by the totalnumber attempts when the ldquodemandrdquo is called for Ideallythe testing should be across several ldquoperiodsrdquo and an aver-age failure rate per period used

d Once an initiating event has occurred generating an inci-dent it can develop and escalate until it reaches an unde-sirable outcome (the tiger jumps out) thus causingdamaging and destructive consequences of variousdegrees of intensity severity or magnitude Consequencescan be expressed in terms of number of fatalities dollarslost in sales or the total cost involved in the incident torecover

e The risk may be reduced by diminishing the potentialdamaging capacity of the hazard That is by reducing itslevel of consequences andor decreasing the frequencythat an incident releasing its destructive force will startand spread For example the tiger in the cage could havea ball and chain attached to his paw that slows him downfrom biting Pedro

f If the incident has indeed arisen the necessary action is toterminate it as soon as practicable to prevent its develop-ment escalation expansion and outcome

g ldquoRiskrdquo R is defined in several ways A recent CCPS defini-tion cited that risk is ldquoA measure of potential economicloss human injury or environmental impact in terms ofthe frequency of the loss or injury occurring and the mag-nitude of the loss or injury if it occursrdquo [1]I will quantitatively represent the Risk (R) as the productof the frequency (F) times the Consequence (C) in anXYZ axes coordinate graph as R 5 F 3 C using arrowsto indicate the magnitude of every value (Figure 3)

h For the above graph to be meaningful a reference crite-rion or benchmark (Tolerable Risk Level) should be estab-lished so that the risk can be assessed as high low

Figure 1 Risk reduction protection layers

Process Safety Progress (Vol33 No3) Published on behalf of the AIChE DOI 101002prs September 2014 209

medium and primarily as ldquoacceptabletolerablerdquo or asldquounacceptableintolerablerdquo We will represent this refer-ence Tolerable Risk as a level which cannot be exceededby the risk arrow for the risk to be acceptable (Figure 4)

i The analysis or assessment of the different risk levels willbe performed by drawing a matrix on the base level (lev-els CndashF) which may be subdivided into any number ofrows and columns as long as these can be distinguished(Figure 5) from each other qualitatively (subjectively) orquantitatively (objectively)

j The risk of the specific hazard under consideration can bereduced by means of an ldquoinherently saferrdquo redesign of theprocess (see Inherently Safer Chemical Processes CCPS[20]) which reduces the intensity of the consequencesandor the likelihood or frequency that the incident willevolve and escalate

k If after the process has been rendered ldquoinherently saferrdquothe hazard remains higher than the Tolerable Risk and wewantmdashadditionallymdashto stop and terminate it within thelimits of the process we will have to reduce the likeli-hood or frequency of the incident being initiated andescalating This will require setting up a number of succes-sive defensive trenches (such as those that guard a fortressfrom an enemy attack) which are known as layers ofprotection [3]

l As the ldquoattack to the communityrdquo (incident) is initiatedarises and escalates from the ldquosourcerdquo of the process (therelease of the tiger) the trenches or defensive layers areset up serially from such source outward as shown in theFigure 1

EXAMPLE OF APPLICATION

Let us analyze a specific defensive trench namely thelayer of protection consisting of a Safety Instrumented Func-tion (SIF) implemented for the protection of a furnaceboiler or home water heater in the event of a flameout inthe burner An article with a broader overview of LOPAapplied to a steam boiler is offered by Morrison et al [13] Inour example the flameout incident will cause the furnace orboiler to begin to fill up with an explosive mix of flammablematerial (natural gas for instance) and air a type of incidentthat must be terminated very quickly Thus a protective SIFconsisting of three serially lined-up and linked componentsis installed a flame detector linked to a safety controllerlinked in turn to a shut-off valve to hermetically close andblock the gas flow (Figure 6)

Whenever the burner flames out (initiating event) theflame detector sends a ldquoflame outrdquo signal to the processorThis processor sends out a demand to the safety controllerwhich in turn sends a demand to the shut-off valve instruct-ing it to shut off the inflow of gas into the burner If uponany of these successive ldquodemands for protectionrdquo one of thelinks should malfunction and fail to perform its intendedrole the valve will not shut off there will be no protectionthe gas will keep feeding the firebox and the incident willescalate until it reaches a catastrophic outcome (explosion)

This highlights the importance of ensuring the integritylevel of the equipment that makes up the SIF protectiveloop as measured in terms of its risk reduction factor(RRF 5 250) and that the PFD 5 1RRF 5 1250 or 0004 Inour figure we have considered a RRF 5 250 (a fictitiousvalue used solely for illustration purposes) meaning thatmdashon averagemdashout of every 250 times the flame burns out (andthe process demands protection) the SIF function will prop-erly fulfill its protective action on each such occasion exceptone (1 in 250) This particular result was established afterseveral months of running demands and determining theaverage number of failures per month

Figure 7 is an elementary way of representing probabilityI use several references to die and gambling spinning wheelsin the narrative that follows

To sum up the process has per se an inherent flameoutlikelihood and in addition (as will be seen later) there isthe failure demand probability that the SIF protective loopmay fail If both circumstances occur it will not be possibleto stop and terminate the incident which will escalate untilit reaches a catastrophic outcome

HAZARD INCIDENT AND SIF

Each hazard residing in a process as well as the potentialincident it is capable of generating is proper to and inherentin the nature of the process itself For the same reason theaverage frequency with which the specific incident is initi-ated is also an inherent characteristic specific to the processitself and the manner in which it is operated It may be help-ful to view the process as a series of resident hazards whereone is ldquoactivatedrdquo by an initiating event which gives place toa specific incident that will develop escalate and spreadmdashdepending on its inherent potentialmdashuntil it reaches its out-come provoking consequences of various degrees of inten-sity or severity The inclusion of a SIF protective functionwill not alter the nature of the process or of its hazards northe frequency of occurrence of the incident involved The

Figure 3 Risk graph of a specific hazard

Figure 2 Concept of a hazard as opposed to an incident

DOI 101002prs Process Safety Progress (Vol33 No3)210 September 2014 Published on behalf of the AIChE

SIF function merely detects the hazard ldquoactivatedrdquo conditionthat generate the incident and then executes an immediatestop and termination action

However the SIF loop is not an entirely perfect arrange-ment Its terminative action can fail thus allowing the inci-dent to escalate until it reaches its outcome and to cause itsdamaging and destructive consequences This makes it allthe more important to install a SIF loop with the appropriatelevels of reliability and integrity in line with the harmfulpotential of the hazard and the level of risk posed by thespecific incident Reliability means the proper execution ofthe actions for which the SIF was installed and integrityrefers to its resistance strength and toughness not to falterin performing its protective action but rather to execute it indue manner and time

Let us examine a single-burner boiler more carefully(Figure 8)

In Figure 8 several initiating events can occur burnerflame out feed water loss or implosion of the superheating

zone The protective system for burner flame out includestwo flame scanners

First we should find out the event frequency of a flame-out in the burner Statistical records (fictitious values for pur-poses of this explanation) confirm that in this type of boilerthe flame tends to be out (on average) 1 time every 6months The incident frequency is 16 month21 or 0167month21 Note that the incident frequency is less than oneand thus Eq 1 can be used

Another view point on flameout frequency statistic can beconsider that if a plant has six equal boilers each monthone of these boilers will flame out For purposes of thisindustrial analysis let us assume that a company has onlyone boiler Thus the 16month unwanted flameout rate ofthe burner is represented by a six-sided die bearing a bombsymbol (Figure 7) on its 1 side This means that we shouldroll the die once a month and that whenever the die fallswith the bomb ldquohead uprdquo this means that the burner hasflamed out and given rise to the initiating event If this

Figure 4 Risk graph with a tolerable risk level plane

Figure 5 Risk matrix

Figure 6 Flameout safety instrumented function for afirebox

six-sided die is rolled once a month the average probability(considering long periods) for the bomb to land head upwill be once every six times the die is rolled that is onceevery six months equal to 1 unwanted flameout every 6months

Thus the boiler suffers a flameout every 6 months it willhave two flameouts per year that is two incidents per yearthat will tend to lead to the explosion and destruction ofldquotwordquo boilers per year withmdashadditionallymdashpotential seriousinjuries to the plant personnel Clearly running the risk ofdestroying two boilers per year plus the associated injuries

to the personnel and the disruptive effects on the continuityof the plantrsquos operations is wholly unacceptable

The Key Question is then What is the Tolerable RiskLevel

The answer should be provided by someone in chargenamely the plantrsquos operating manager the company thegovernment through a law executive decree or regulationthe technical agencies having jurisdiction over these issuesrisk insurance companies or professional references such as

Figure 7 Conventional ways to demonstrate probability of failure

Figure 8 Example of a boiler and various hazards in place

those offered by the AIChE Center for Chemical ProcessSafety (CCPS) [21 22]

By way of example let us assume that the companyimposes a maximum tolerable frequency for serious destruc-tion by a flameout to be 1 time every 120 years or 1 time in1440 months that is an average frequency of one boiler mdashout of 1440mdash experiencing a catastrophic flameout eachmonth

Based on the above two values the initiating frequencyof flameout (16month) in the boiler and the maximum tol-erable frequency for destruction of the boiler (11440month) we can calculate the integrity (strength not to falterin performing its protective action) of the SIF function thatshould be added to the boiler in order to avoid theflameout-related incident and thus reduce from 16month to11440month (or less) the possibility that such incidentwill develop and escalate until it reaches its destructive out-come (explosion in the firebox)

To achieve this flameout protection an SIF function withan Integrity of RRF 5 250 will work This SIF with RRF 5 250(PFD 5 1250 or a single probable failure for every 250 pro-tection requests) can be represented by a 250-slot gambling

wheel with only one ldquoyellowrdquo slot and all the rest of the slotswhite Now two things have to happen to reach the destruc-tive outcome The six-sided die has to come up with theldquobombrdquo appearing face up (Figure 9a) The 250-slot gamblingwheel has to stop on the single yellow spot (see base ofFigure 9b) This combination reduces the frequency of adestructive outcome by 11500month which is less than the11440month required by the companyrsquos management(Figure 9)

A key conclusion to be drawn from this analysis is thesignificant and determinant role played by the Failure-on-Demand Probability Wheel that represents the Integrity ofthe SIF function

The number of slots in the Failure-on-Demand ProbabilityWheel provided by the SIF protective function representsthe RRF A wheel having fewer slots than the required RRF the

required protection level cannot be achieved The proper or higher level of protection can only be

achieved with a SIF function represented by a ProbabilityWheel with a number of slots equal to or higher than therequired 250 (ie an equal or higher RRF)

Comparison with SILOnce the necessary risk reduction has been calculated by

determining the RRF or the required PFD for the SIF protec-tion conventional SIL tables (Figure 10) can be used deter-mine the SIL for this application For this example the SILfalls in the level ldquo2rdquo Note that there are two tables in Figure10 The first table is for low safety system demand modeThe PFDs ranges are on an annual basis The second table isfor high safety system demand operations The PFHrsquos arepresented as Dangerous Failure Frequencies per hour basisThe RRFs remain the same and match with the SIL numberIdentical SIL numbers in each table means the specificationin terms of a SIF

But beyond the systematic use of such tables as dictatedby standard practices the concept essence and content ofthe SIL remain unexplained To address this challenge in2005 I chose to discontinue the use of those conventional

Figure 9 Risk probability reduction through a protective SIL

Figure 10 Conventional SIL category table

tables and to replace them with a new SILRRF graph (Figure11) whose construction unveils the mystery of SIL as relatedto PFD PFH and RRF

In designing this new graphic I simply used what is nec-essary for the process that is the RRF represented by aProbability Disk similar to a roulette wheel with the numberof slots equal to the necessary RRF number

Looking at Figure 11 one can imagine a little cart rollingon imaginary rails in which the SIF function (metaphori-

cally) ldquotravelsrdquo in search of the Probability Wheel that repre-sents the RRF required by the process-specific hazard inorder to reduce below the Tolerable Levelmdashas set by thecompanymdashthe resulting probability that the incident willescalate until it reaches its outcome

The novel SILRRF graphic provides several benefits

1 Makes it clear that each SIL Level represents a ldquogroup orsetrdquo of ldquoProbability Disksrdquo or RRFs

Figure 11 SIFrsquos RRF selection in the SILRRF Graph

Figure 12 Insufficient protection even though a SIL 2 was purchased as specified

2 Includes in a single graph what previously required twoconventional Tables the bottom half shows the SILRRFfor processes in the Low Demand Operation Mode whilethe upper half includes those for the High or ContinuousDemand Operation Mode

3 Indicates whether or not the SIF loop that effectively pro-vides the required Risk Reduction is being introduced

EXAMPLES OF MISUNDERSTANDING

Case 1This example illustrates the protection introduced in the

boiler as explained above The analysis has confirmed thatthe RRF 5 250 required for the SIF belongs to SIL2 (Figure11) Based on this input (SIL2) a Safety Requirement Specifi-cation (SRS) is drafted (pursuant to the conventional proce-dure) to acquire a SIL2 protection function With this SRSthe procurement department will purchase a SIL2 SIF loopprovided by any of the well-established international manu-facturers of SIF functions When the function has beeninstalled in the process and the commissioning to start upthe plant is underway a validation procedure is carried outto confirm that the installed SIF is actually SIL2 However asat the time of purchase of the SIF the required RRF had notbeen specified (250-slot probability disk) upon completionof such validation procedure the installed SIF is found tohave a specific SIL2 Integrity in line with a RRF 5 120 (120-slot probability disk) The result of this difference is evi-denced in Figure 12

The SILRRF Graph confirms that the SIF with a RRF 5 120probability disk belongs to the SIL2 group as requested Theboiler figure shows that with that SIL2-level SIF andRRF 5 120 the probability that the incident may escalate untilit reaches a catastrophic outcome will be an Overall PFD of16month 3 1120 5 1720month that is twice as high asthe Tolerable Risk as set by the company (1720month 5 21440month is double the Tolerable Risk of 11440month)

The most important benefit this new SILRRF Graph pro-vides is that it renders ldquoself-evidentrdquo and obvious that settinga SIL value is not enough to define the SIF needed toadequately protect the process

What the process needs is to reduce the risk of the spe-cific hazard to below the acceptable value set by the com-pany To achieve this the proper RRF should be accuratelydetermined (or else a somewhat higher RRF should beselected with a wheel containing a larger number of slots)

Case 2Even with a targeted RRF good practice suggests round-

ing up the specification to address uncertainty If a requiredRRF for a process was 999 then one might consider that anSIL Level 2 safety instrumented instrument will work Thereare two reasons this may not work One SIL Level 2 instru-ment RRF ranges from 100 to 1000 and odds are very lowthat the instrument purchased has an RRF of 1000 Secondthere is a degree of uncertainty throughout the process Therequired RRF should then be rounded up to an adequateRRF that will introduce a proper margin of safety addedmoving in this particular case the SIL to become Level 3Finally when the required RRF is close to an upper bound-ary one should return to the process to see if any changescan be made to reduce the RRF There are significant incre-mental instrument costs and complexities as one moves froma SIL 1 SIF through to a SIL 3 SIF

CONCLUSIONS

This article provides a clearer understanding of the SILconcept as it demonstrates that each SIL level actually

groups several successive probability disks (or RRFs) It alsoclearly shows that the essential purpose of PSM is to run theprocess (in a sustainable manner) with the proper risk reduc-tion that is with an appropriate RRF

Naturally the RRF risk reduction capability should be pre-served through a rigorous preventive maintenance effort tokeep the equipment in an ldquoas newrdquo operating condition inorder to prevent the RRF from gradually degrading over timewith an ensuing increase of the risk level over and above thetolerable level allowed This is as important as checking andmaintainingmdashwith the same degree of dedication care pre-cision and perfectionmdashthe condition of the brakes in a carused daily The probability of failure will continue to grow(degrade) if no proper and timely check-ups ldquoas newrdquo main-tenance and required testing are carried out all of whichshould be carefully specified and scheduled before start-upand rigorously and continuously complied with as long asthe car is in use

Hence the recommendation repeatedly made by thisauthor to managers and department heads is to buy a con-ventional six-sided die slap a bomb sticker on its face num-bered ldquo1rdquo keep it permanently on their office desk and rollit every day when they arrive at the plant The author hasindeed found that those who have received a ldquobomb-dierdquo asa gift have become more aware of the problem and changedtheir habits as to the degree of attention and care theydevote to ensuring a sustained maintenance effort to take allthe Protection Layer components back to an ldquoas newrdquo condi-tion As the passive element of any culture entails habitscustoms and usage this simple game generated a positivecultural growth dynamics in PSM the key objective of theCCPSrsquos mission

ACKNOWLEDGMENT

I express my gratitude to Ronald J Willey PhDPE forhis assistance in the preparation of this article

LITERATURE CITED

1 Center for Chemical Process Safety (CCPS) Guidelinesfor Initiating Events and Independent Protection LayersWiley New York 2014

2 International Electrotechnical Commission InternationalStandard IEC 61508 Functional Safety of ElectricalElec-tronicProgrammable Electronic Safety-Related SystemsInternational Electrotechnical Commission Geneva Swit-zerland 2010

3 AIChE Layer of Protection Analysis Simplified ProcessRisk Assessment Center for Chemical Process SafetyWiley New York New York 2001

4 AM Dowell Layer of Protection Analysis A New PHATool after HAZOP before Fault Tree Analysis AmericanInstitute of Chemical Engineers New York Atlanta GA1997

5 S Mannan Leesrsquo Loss Prevention in the Process Indus-tries Volumes 1-3 - Chapts 89amp13 Hazard IdentificationHazard Assessment and Control System Design 4th Edi-tion Elsevier 2012

6 B Mostia The Safety Instrumented Function an S-WordWorth Knowing Control 2003 Available at httpwwwcontrolglobalcomarticles2003255 Accessed onJuly 3 2014

7 International Standard IEC 61511-1 Functional Safety ndashSafety Instrumented Systems for the Process Industry Sec-tor IEC Geneva Switzerland 2003

8 Center for Chemical Process Safety (CCPS) Guidelinesfor Safe Automation of Chemical Processes Wiley NewYork 1993

9 A Summers Safe automation through process engineer-ing Chem Eng Prog 12 (2008) 41ndash47

10 AE Summers and WH Hearn Risk criteria protectionlayers and conditional modifiers Process Saf Prog 31(2012) 139ndash144

11 H Jin MA Lundteigen and M Rausand Reliability per-formance of safety instrumented systems A commonapproach for both low- and high-demand mode of oper-ation Reliab Eng Syst Saf 96 (2011) 365ndash373

12 MD Cazabon and K Erickson An oven explosion Les-sons learned on PSM applications Process Saf Prog 29(2010) 87ndash93

13 DT Morrison M Fecke and J Ramirez Using layer ofprotection analysis to understand necessary safeguardsfor steam boiler operation Process Saf Prog 31 (2012)248ndash254

14 GR Lovejoy and IM Clark Furnace safety systems Astate-of-the-art review of current practice for safe andreliable control of industrial boilers Plant Oper Prog 2(1983) 13ndash21

15 M Charlwood S Turner and N Worsell A methodologyfor the assignment of safety integrity levels (SILs) tosafety-related control functions implemented by safety-related electrical electronic and programmable electroniccontrol systems of machines Research Report 216 Healthamp Safety Executive 2004 Available at httpwwwhse

govukresearchrrpdfrr216pdf Accessed on July 42014

16 RF Blanco SIL or RRF that is the Question 2011 Avail-able at httpwwwdasiscorpcompdfSN-516-11-English-SIL-or-RRF-for-CCPSpdf Accessed on June 122014

17 RF Blanco SIL or RRF that is the Question 2011 Avail-able at httpwwwdasiscorpcompdfSN-516-11-Articulo-SIL-or-RRF-para-CCPSpdf Accessed on June12 2014

18 M Heylin et al ldquoBhopal - The Continuing Storyrdquo Chem-ical and Engineering News 63(6) (1985) 14ndash40 DOI101021cen-v063n006p014

19 OSHA Process Safety Management of Highly HazardousChemicals Final rule first published in 24 Feb 1992Available at httpswwwoshagovSLTCprocesssafe-tymanagement Accessed June 12 2014

20 Inherently Safer Chemical Processes A Life CycleApproach 2nd Edition Center for Chemical ProcessSafety Wiley New York NY 2009

21 Center for Chemical Process Safety (CCPS) Guidelinesfor Developing Quantitative Safety Risk Criteria WileyNew York 2009

22 Center for Chemical Process Safety (CCPS) Guidelinesfor Risk Based Process Safety Wiley New York 2007