Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis

GLOSSARY

Administrative Control

Procedural mechanism for controlling, monitoring, or auditing human performance, such as lockout/tagout procedures, bypass approval processes, car seals, and permit systems.

Asset Integrity

A risk-based process safety element involving work activities that help ensure that equipment is properly designed, installed in accordance with specifications, and remains fit for purpose over its life cycle. (Previously referred to as "mechanical integrity.")

Average Probability of Failure on Demand (PFDavg)

Average PFD over the proof test interval of an equipment item.

Basic Process Control System (BPCS)

System that responds to input signals from the process, its associated equipment, other programmable systems and/or operator and generates output signals causing the process and its associated equipment to operate in the desired manner but that does not perform any safety instrumented functions with a claimed SIL = 1 (IEC 61511 2003).

Bathtub Curve

Typical plot of equipment failure rate as a function of time. It is used to characterize the equipment lifecycle, such as early or premature failure, steady-state or normal operation failure, and wear out or end of useful life failure.

Beta Factor

A mathematical term applied in the PFDAVG to account for the fraction of the probability of failure that is due to dependent, or common cause, failure within the system.

Car Seal

A metal or plastic cable used to fix a valve in the open position (car sealed open) or closed position (car sealed closed). Proper authorization, controlled via administrative procedures, is obtained before operating the valve.

Chain Lock

A chain that is wrapped through or over a valve handle and locked to a support to prevent inadvertent repositioning of a valve once it is in its correct position. Removal is intended to occur only after approval is received from someone with authority and after checking that all prerequisites are met. The chain and lock provides an easy inspection aid to visually verify that the valve is in the intended position.

Clean Service

The process fluids and/or conditions do not result in fouling, corrosion, erosion, or deposition that negatively impacts the performance of a layer of protection, such as polymer formation under, in, or downstream of a relief valve.

Compensating Measures

Planned and documented methods for managing risks. They are implemented temporarily during any period of maintenance or of process operation with known faults or failures in an IPL, where there is an increased risk.

Common Cause Failure

Failure of more than one device, function, or system due to the same cause.

Common Mode Failure

A specific type of common cause failure in which the failure of more than one device, function, or system occurs due to the same cause, and failure of the devices occurs in the same manner.

Conditional Modifier

One of several possible probabilities included in scenario risk calculations, generally when the risk criteria are expressed in impact terms (e.g., fatalities) instead of loss event terms (e.g., release, loss-of-containment, vessel rupture).

Consequence

The undesirable result of an incident, usually measured in health and safety effects, environmental impacts, loss of property, and business interruption costs.

Dangerous Failure Rate

The rate (normally expressed in expected number of failures per year) that a component fails to an unsafe state/mode. (Other failure states or modes may lead to spurious trips of a system, but they do not lead to the unsafe condition of interest.)

Demand Mode

Dormant or standby operation where the IPL takes action only when a process demand occurs and is otherwise inactive. Low demand mode occurs when the process demand frequency is less than once per year. High demand mode occurs when the process demands happen more than once per year.

Dormant

A state of inactivity until a specific parametric level is reached.

Enabling Condition

Operating conditions necessary for an initiating cause to propagate into a hazardous event. Enabling conditions do not independently cause the incident, but must be present or active for it to proceed.

Event

An occurrence involving the process caused by equipment performance, human action, or external influence.

Frequency

Number of occurrences of an event per unit time (typically per year).

Human Error Probability (HEP)

The ratio between the number of human errors of a specific type and the number of opportunities for human errors on a particular task or within a defined time period. Synonyms: human failure probability and task failure probability.

Independent Protection Layer (IPL)

A device, system, or action that is capable of preventing a scenario from proceeding to the undesired consequence without being adversely affected by the initiating event or by the action of any other protection layer associated with the scenario.

Independent Protection Layer Response Time (IRT)

The IPL Response Time is the time necessary for the IPL to detect the out-of-limit condition and complete the actions necessary to stop progression of the process away from the safe state.

Incident Scenario

A hypothetical sequence of events that includes an initiating event and failure of any safeguards that ultimately results in a consequence of concern.

Initiating Event (IE)

A device failure, system failure, external event, or wrong action (or inaction) that begins a sequence of events leading to a consequence of concern.

Initiating Event Frequency (IEF)

How often the IE is expected to occur; in LOPA, the IEF is typically expressed in terms of occurrences per year.

Inspection, Testing, and Preventive Maintenance (ITPM)

Scheduled proactive maintenance activities intended to (1) assess the current condition and/or rate of degradation of equipment, (2) test the operation/functionality of the equipment, and/or (3) prevent equipment failure by restoring equipment condition. ITPM is an element of asset integrity.

Maximum Setpoint (MSP)

The maximum setpoint for an IPL is the point of maximum process deviation from the normal condition that would still allow sufficient time for the IPL to detect the deviation, to take action, and for the process to respond, preventing the consequence of concern. For SIS, this is called Maximum SIS Setpoint (MSP) per ISA-TR84.00.04 (2011).

Must

This Guidelines subcommittee believes that the IEF, PFD, or other aspect of an IE or IPL is valid only if the listed criteria are met. "Must" can also be used in reference to basic definitions.

Passive Fluid

Nonreactive and nonhazardous fluid.

Performance Shaping Factors (PSF)

Factors that influence the likelihood of human error.

Probability of Failure on Demand (PFD)

The likelihood that a system will fail to perform a specified function when it is needed.

Process Lag Time (PLT)

The process lag time indicates how much time it will take for the process to respond and avoid the consequence of concern, once the IPL has completed its action.

Process Safety Time (PST)

The time period between a failure occurring in the process, or its control system, and the occurrence of the consequence of concern.

Risk

A measure of potential economic loss, human injury, or environmental impact in terms of the frequency of the loss or injury occurring and the magnitude of the loss or injury if it occurs.

Safeguard

Any device, system, or action that either interrupts the chain of events following an initiating event or that mitigates the consequences. Not all safeguards will meet the requirements of an IPL.

Safety Controls, Alarms, and Interlocks (SCAI)

Process safety safeguards implemented with instrumentation and controls, used to achieve or maintain a safe state for a process, and required to provide risk reduction with respect to a specific hazardous event (ANSI/ISA 84.91.01 2012). These are sometimes called safety critical devices or critical safety devices.

Safety Instrumented Function (SIF)

A safety function allocated to a Safety Instrumented System (SIS) with a Safety Integrity Level (SIL) necessary to achieve the required risk reduction for an identified scenario of concern.

Safety Integrity Level (SIL)

One of four discrete ranges used to benchmark the integrity of each SIF and the SIS, where SIL 4 is the highest and SIL 1 is the lowest.

Safety Instrumented System (SIS)

A separate and independent combination of sensors, logic solvers, final elements, and support systems that are designed and managed to achieve a specified Safety Integrity Level (SIL). A SIS may implement one or more Safety Instrumented Functions (SIFs).

Severity

A measure of the degree of impact of a particular consequence.

Should

This Guidelines subcommittee believes that an alternative protocol to achieve the same criteria/goal is acceptable.

Systematic Error

Also referred to as "systemic error." ISA-TR84.00.02 (2002) defines systematic error as "an error that occurred during the specification, design, implementation, commissioning, or...