GCPS 2013 __________________________________________________________________________

ADDRESSING ENABLERS IN LAYERS OF PROTECTION

ANALYSIS


Dr. Paul Baybutt
Primatech Inc.
50 Northwoods Blvd., Columbus, Ohio, USA
paulb@primatech.com







Prepared for Presentation at
American Institute of Chemical Engineers
2013 Spring Meeting
9th Global Congress on Process Safety
San Antonio, Texas
April 28 May 1, 2013


UNPUBLISHED



AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications
GCPS 2013 __________________________________________________________________________

ADDRESSING ENABLERS IN LAYERS OF PROTECTION
ANALYSIS



Dr. Paul Baybutt
Primatech Inc.
50 Northwoods Blvd., Columbus, Ohio, USA
paulb@primatech.com


Keywords: Layers of protection analysis; enabling events and conditions; time-at-risk factors;
conditional modifiers; givens.

Abstract

Layers of protection analysis (LOPA) is used to evaluate the risk of individual hazard scenarios
by combining initiating event frequencies with failure probabilities of protection layers. Some
practitioners include events and conditions that enable the occurrence of hazard scenarios in the
analysis, such as conditional modifiers, but sometimes they are excluded to ensure conservative
results. However, these events and conditions, and other factors that enable scenarios, are often
key parts of hazard scenarios and their exclusion from the analysis can result in overly
conservative results. This paper broadens the definition of enabling events and conditions to
include other factors that can have a significant impact on the risk of hazard scenarios. Such
other factors include management systems to account for inadequacies in, and failure to follow,
policies, procedures and work instructions; at-risk factors to account for the time period in which
a process is at risk; incident outcomes to represent different possible consequences for the same
initiating event; and release conditions to account for different release conditions or
circumstances. Their inclusion in LOPA studies is described with examples. The determination
of adjustment factors to account for their effect on scenario risk is also demonstrated.

1. Introduction

Layers of Protection Analysis (LOPA) is an analytical technique used to assess the risk of hazard
scenarios for processes wherein scenario risk is defined as the couplet of frequency and severity
for the scenario consequence [1, 2]. Frequency and severity can be evaluated qualitatively or
quantitatively but most commonly qualitative severity and quantitative frequency estimates are
used in LOPA. Scenario frequency is calculated using simplifying approximations and is
determined by multiplying the frequency of the initiating event by the failure probabilities of
protection layers that have met appropriate qualification criteria, including independence from
other elements of the scenario [1, 2].

Hazard scenarios for processes begin with an initiating event and end with a consequence
impact. The path from initiating event to worst-case consequence involves the failure of any
protection layers that guard against the scenario. However, there may be other scenario elements
GCPS 2013 __________________________________________________________________________
that influence the scenario risk including enabling events and conditions, time-at-risk factors,
intermediate events, incident outcomes, conditional modifiers, and given conditions. Many of
these scenario elements act to reduce scenario risk because their likelihoods of occurrence are
factored into the analysis through multiplication of the scenario frequency by the likelihoods
which may be quite low. In some cases, scenario consequences are also impacted and risk may
be increased or decreased. This article describes the role of such elements in risk analysis and
describes how to address them in LOPA.

Conventionally, LOPA studies determine the risk of a hazard scenario by accounting primarily
for the initiating event and protection layers. Often, only a few of the enablers and other
adjustment factors described in this article are addressed. However, the events represented by
these enablers and adjustment factors commonly are key parts of hazard scenarios and their
exclusion from the analysis can result in overly conservative results. Enabling events and
conditions are important not only because they influence the risk of hazard scenarios but also
because they make scenarios possible.

LOPA was originally conceived as a simple risk analysis method that at best produces an order
of magnitude estimate of scenario risk. However, it is now being used to support the
determination of Safety Integrity Levels (SILs) for Safety Instrumented Functions (SIFs) to assist
compliance with the IEC 61511 / ISA 84 standard on Safety Instrumented Systems (SISs) [3 - 5].
The standard requires substantial effort to support the SILs claimed for SIFs. Consequently,
refinement of LOPA to support such effort is warranted. Furthermore, LOPA has evolved from
its original form and current applications seek greater rigor and incorporate more detail [6].

Historically, some LOPA practitioners have not addressed enablers and adjustment factors in the
belief that the uncertainties associated with them are too great and risk may be underestimated by
their inclusion, and because of the effort involved. However, they are key parts of hazard
scenarios and are often part of actual incidents. Their inclusion in LOPA studies arguably
produces more accurate risk estimates and conservative assumptions can be made to help avoid
risk underestimation. Furthermore, the effort to include them is not substantial in comparison to
the overall effort required to perform LOPA.


2. Enablers

Enabling events and conditions have been defined as events and conditions that do not directly
cause a scenario but are required to be present or active for the scenario to proceed [1]. A
bypassed high level alarm that allows overflow of a tank is an example. This article extends that
definition to include any scenario elements, in addition to the initiating event and actions of
protection layers, that influence the risk of a hazard scenario, and the term enablers is used to
encompass them all. The original definition of enabling events and conditions included modes of
process operation such as startup and shutdown or the operation being in a specific phase or step
[1]. These are best treated using time-at risk factors.

Conventionally, enabling events and conditions usually have been viewed as acting to reduce the
frequency of a hazard scenario, or modify its consequences. They do so because their probability
GCPS 2013 __________________________________________________________________________
of occurrence is usually less than 1 and the scenario frequency is reduced accordingly to account
for their role in enabling the scenario. Conservative analyses assume their probability of
occurrence is 1. In practice, their probabilities of occurrence may be substantially less than 1 and
they may reduce scenario risk significantly.

The broader definition of enablers includes elements that can increase the frequency, for
example, lack of PM on equipment that increases its failure rate. Enablers may be categorized as:
Enabling events and conditions. Must be present or active for the scenario to proceed.
Management systems. Account for inadequacies in, and failure to follow, policies,
procedures and work instructions.
At-risk factors. Account for the time period in which a process is at risk.
Incident outcomes. Used to represent different possible consequences for the same
initiating event.
Release conditions. Used to account for different release conditions or circumstances.
Conditional modifiers. Affect the scenario consequence.
Given conditions (also called givens). Enable a scenario but are always present.

3. Enabling Events and Conditions

Enabling events and conditions do not by themselves initiate a hazard scenario but they make
them possible. An enabling event may occur or an enabling condition may exist without the
scenario happening every time the event occurs or the condition is present. They are sometimes
called contributing causes or contributing factors and they may make possible any other element
of a hazard scenario, e.g. the initiating event, a protection layer failure, or the consequence.
There may be multiple enabling events or conditions for each of the other elements of a scenario
and enabling events and conditions for more than one element.

Enabling events and conditions can be classified as originating with:
Human actions (errors of omission or commission, extraneous events, and deliberate
acts), for example, disabling equipment, e.g. bypassing an interlock, or overriding an
inhibit condition.
Equipment failures, for example, an alarm failure.
External events, for example, extreme ambient conditions, e.g. low temperature; or utility
failures, e.g. loss of inerting.
Enabling events usually occur prior to the initiating event, e.g. a failed or disabled alarm. They
are sometimes called latent failures. Enabling conditions exist at the time the scenario occurs,
e.g. low environmental temperature. They are sometimes called latent conditions.

Enabling events and conditions are addressed in LOPA by assigning a value to the probability
that the event or condition will exist when the scenario occurs and multiplying the scenario
frequency by it. The values are obtained by estimating the likelihood that the event or condition
will have occurred or be present when the scenario occurs. Such estimates should be based on
actual experience with the process as they are specific to the process and no generalized values
can be provided.

GCPS 2013 __________________________________________________________________________
Of course, in order to address enabling events and conditions they must be identified. Arguably,
that should be done as part of the performance of Process Hazard Analysis (PHA) which is the
most commonly used source of hazard scenarios for LOPA studies. However, enabling events
and conditions are identified infrequently in PHA [7]. Consequently, LOPA teams need to
question whether enabling events and conditions may be factors for the scenarios analyzed.

4. Management systems

Management system enablers are failures in the systems set up to manage safety throughout the
lifecycle of a process. For example, they may be inadequate procedures, e.g. test and inspection
frequencies may be set too low; no or inadequate training of personnel; inadequate skills or
knowledge of personnel; failures in the execution of procedures, e.g. PM is not conducted per
requirements; and mis-operation of equipment, e.g. stressing a pump by using it outside its
operating limits. Fundamentally, management system enablers are failures by people. When
present, they are givens for scenarios.

Management system enablers directly influence the failure rates used in LOPA studies for other
scenario elements. They may increase initiating event frequencies or probabilities of failure of
protection layers and they are addressed in LOPA by assigning a value by which a failure rate
must be adjusted, usually in an upwards direction, so that the values are numbers greater than 1.
For example, the initiating event frequency for a pump mechanical failure may be adjusted
upwards to account for mis-operation of the pump outside its limits, assuming the pump failure
frequency used does not already reflect the mis-operation. Similarly, the probability of failure on
demand of a relief valve may be adjusted upwards to account for lack of PM on the valve,
assuming the valve failure frequency used does not already reflect operation without adequate
PM. The effects of operating and maintenance regimes play a similar role and they can be
considered within the category of management system enablers.

The adjustment factors can be used to modify the failure data directly, or they can be identified
explicitly as modification factors and folded into the overall calculation of the scenario
frequency. Such adjustment factors should be based on experience with the process or the
opinions of informed personnel.

In accounting for management system enablers, it is important to ensure that their effects have
not already been incorporated into the frequency or probability of the event it enables. For
example, if a pipe leak failure frequency includes the effects of lack of PM, or if the probability
of failure of a human protection layer already addresses the skill level of the people involved,
adjustment factors should not be applied as they are already incorporated into the data. However,
while tabulations of human failure data may reflect various influencing factors, such as stress on
people and the time available for action, usually not all pertinent factors are addressed in the
tabulations. Consequently, such unaccounted factors should be considered as management
system enablers if they are to be addressed in LOPA.

The same comments apply to management system enablers as for enabling events and conditions
with regard to their identification.

GCPS 2013 __________________________________________________________________________
One danger in using management system enablers is that it could institutionalize deviations from
required practices by allowing some risk reduction credit to be taken even when practices are not
followed exactly. Some companies may take the view that if there is a deviation from the
requirements of a management system, no credit should be taken at all until the deviation is
corrected. Clearly, this is a conservative position but it may have unintentional consequences. If
LOPA team members are required to follow this approach, they may be unwilling to admit that
management systems are not being followed, or they may claim that while there have been
deviations in the past there will not be any in the future. If these claims are accepted, the LOPA
results may be overly optimistic and underestimate risk. The preferred approach is to allow some
justifiable credit to be taken but ensure a recommendation is made to correct the deviation
promptly, or revise the requirements to comport with actual practices. Deviations from required
practices that are tolerated are likely to result in more serious consequences than creating
difficulties in the performance of LOPA.

5. Time-At-Risk Factors (TARFs)

Some hazard scenarios can occur only when the process is in a particular state or certain
conditions exist, e.g. the process is in a particular mode, phase or step. Scenario frequencies are
usually expressed on an annualized basis to match risk tolerance criteria expressed in the same
form. Consequently, scenario frequencies should be adjusted for time at risk, i.e. the fraction of
time the risk is present. Receptors are at risk for only this time period. If such adjustments are
not made, risk may be grossly overestimated. For example, a tank that is filled 20 times per year
is subject to hazard scenarios that may result in overfilling. If the cause of overfilling is failure of
a BPCS level control loop with an in-service failure rate of 0.1 failures per year and each filling
takes 1 hour:

Filling failures per year = Failures per year x Fillings per year x Time spent filling
and, Filling failures per year = 0.1 x 20 x 1/8760 = 2.3 x 10
-4


Thus, the initiating event frequency has been reduced by almost three orders of magnitude, a risk
reduction that definitely should be applied. Further examples of TARFs for processes are the
fraction of time:
A piece of intermittently used equipment is in operation.
A continuous process is in startup or some other mode of operation.
A batch process spends in a particular step.
A runaway reaction is possible in a batch process.
People are at risk owing to time-of-day effects, day-of-week effects, time indoors versus
outdoors
An adjustment is made to the scenario frequency by multiplying it by the fraction of time the
scenario can occur. For example, for the initiating event of a pump seal leak, if the available data
are for an annualized pump seal leak failure rate:

Scenario frequency (events / year) = Pump seal leak frequency (events / year) x Hours in
use / 8760 (hours in a year)

GCPS 2013 __________________________________________________________________________
Of course, at issue is whether the data correspond to a pump that is operated intermittently and
that has been annualized, or whether it corresponds to a pump that is operated continuously.
Equipment in frequent use may fail at different rates than equipment used infrequently. If the
data do not match the operating regime, an adjustment factor could be applied to the data, or
more appropriate data sought. Note that the adjustment factor can be viewed as representing an
enabler for the scenario.

Similarly, for a process that is in a particular mode of operation, e.g. startup, hazard scenarios
that can occur during that mode of operation, and for which annualized frequencies have been
calculated, need to be adjusted for the time at risk. For example, a process that is in startup mode
once per year for 24 hours would require a time-at-risk adjustment of 1/365 for startup hazard
scenarios.

Usually, TARFs are not difficult to identify, although the PHA team may not have addressed
them, and they are not difficult to estimate since they depend on straightforward and readily
available information. In practice, ranges of time-at-risk are usually possible and practitioners
must decide if the average or end-of-the-range value should be used. Generally, the conservative
choice is made.

6. Intermediate Events

Intermediate event enablers allow LOPA practitioners to account for the probabilities of different
hazard scenarios that result from the same initiating event. Some events may be part of a hazard
scenario but they are distinct from the initiating event, consequences and protection layers. For
example, if water is introduced to a storage tank containing sulfur trioxide, a release through a
relief valve may occur, but also a release owing to a corrosion failure of piping may result. These
two occurrences are examples of intermediate events. Whenever there is more than one
possibility for a particular intermediate event, it can be treated as an enabler representing the
probability of occurrence of the specific intermediate event, provided that the events are
mutually exclusive. The scenario frequency is multiplied by the probability of the intermediate
event to adjust for its likelihood of occurrence. Of course, the probabilities of all such
possibilities for a particular intermediate event must sum to 1. It is also entirely possible that
both events may occur together, in which case an enabler would not apply.

Vessel rupture from overpressure provides another example of an intermediate event that affects
the path of a hazard scenario. The probability of vessel rupture depends on various factors such
as the ratio of the actual pressure reached to the design pressure for the vessel, vessel structure,
vessel construction and material, vessel maintenance, and the process materials. More than one
scenario is possible. In one scenario the vessel fails, presumably with serious consequences; in
other scenarios the vessel does not fail but the consequences of the scenarios may still be of
concern. Each of the scenarios has its own probability of occurrence and these probabilities can
be used to adjust the scenario risk.

Some chemicals may pose multiple hazards, for example, hydrogen sulfide and ammonia are
each both toxic and flammable. Usually, each possible hazard is addressed separately and they
may be considered to be mutually exclusive in which case they can be assigned probabilities of
GCPS 2013 __________________________________________________________________________
occurrence and treated as intermediate event enablers. Mixed hazards, where one hazard is
realized first followed by another, e.g. a toxic exposure followed by an explosion, usually are not
modeled in order to keep matters simple. Care must be taken to avoid double counting with
probability of ignition enablers.

Intermediate events are identified as part of the scenario and should have been addressed in
PHA. However, it is possible the PHA addressed only one of several possibilities in which case
the LOPA team should consider the additional intermediate events. Values of intermediate event
probabilities may be difficult to estimate. In such cases, they may be assumed equal to 1 in order
to be conservative. In some cases, consequence severities may vary with the intermediate events.

7. Incident Outcomes

Sometimes the outcomes of hazard scenarios vary. Each scenario outcome should be modeled
individually and its frequency adjusted by the probability of the outcome in a similar way to that
for intermediate events. Of course, the probabilities of the outcomes must sum to 1 if they are
mutually exclusive. Consequence severities may vary with incident outcomes. Examples of
outcomes include fire versus explosion, the type of fire, and the type of explosion.

Often, the relative probabilities of incident outcomes are not known, in which case no credit can
be taken for this type of enabler. However, there may be cases in which justification can be
provided for a significant difference in the probabilities of outcomes, for example, a fire that may
occur with a 0.9 probability and an explosion with a 0.1 probability. In such cases, risk reduction
by a factor of 10 for the explosion scenario is worth considering. Some outcomes may have a
sufficiently low probability of occurrence that they can be excluded from the analysis as non-
credible scenarios.

Sometimes, analysts may choose a worst-case for study. However, worst-case scenarios may
vary according to the receptors at risk, for example, for employees in the immediate area of a
release it may be a jet fire while for employees further away it may be a flash fire. Consequently,
care must be taken when using a worst-case consequence approach.

PHA may address only one incident outcome. Other possible outcomes should be addressed by
the LOPA team to ensure a full consideration of risk.

8. Release Conditions

The consequences of hazard scenarios may vary according to conditions and circumstances at the
time of release. Sometimes these are referred to as incident outcome cases. Each such scenario
may be modeled individually and its frequency adjusted by the probability of the release
conditions for the scenario. Release characteristics such as hole size, location, elevation,
orientation, duration, and delayed ignition may influence the scenario that occurs. Weather
conditions such as wind direction, wind speed, air temperature, atmospheric stability class, and
precipitation may also play an important role. To the extent that such release conditions are
important, they may be accounted for in a LOPA study by adjusting the scenario risks by their
probabilities of occurrence. In some cases, they may change the consequence that is possible.
GCPS 2013 __________________________________________________________________________

Release characteristics may be difficult to determine and only a worst-case scenario may be
addressed. Weather conditions are easier to address because historical data are usually available
but a worst-case scenario may also be considered in lieu of analyzing variants. However, there
may be certain weather conditions, such as wind direction, that have a significant impact on the
scenarios possible. For example, the prevailing wind may blow towards a potential ignition
source for a flammable release only 10% of the time which means that the frequency of the
scenario could be reduced by a factor of 10 if credit were taken for wind direction as an enabler.
It may make the difference between an explosion consequence and one in which the flammable
material disperses harmlessly.

9. Conditional Modifiers

Conditional modifiers directly impact the scenario consequence. Common conditional modifiers
are:
P
ignition
- Probability that a flammable / explosive material will be ignited.
P
present
- Probability that a person will be present to be exposed to a hazard. It is sometimes
called the occupancy factor and represents the fraction of time personnel are exposed to
the hazard.
P
injury
- Probability that harm will occur if an individual is exposed. It is sometimes called the
vulnerability.
These probabilities are used to reduce the frequency of the scenario in which harm occurs. For
example, if a pump seal fire can occur during operator rounds but the operator is in the vicinity
of the pump for only 30 minutes during a 12 hour shift, the frequency of the scenario in which an
operator is exposed to fire should be multiplied by 0.5/12 = 0.042, assuming there are two shifts.

There can be some pitfalls with conditional modifiers [1]. During some modes of operation, such
as startup, operators may always be present, i.e. P
present
= 1. During the build-up to a hazardous
event, more people may be present investigating the symptoms, i.e. its is likely that P
present
= 1
when a release occurs. Human presence may be correlated with the cause of a hazardous event,
i.e. it is possible that P
present
= 1 if the person contributes to the initiating event, for example, for a
release caused by the operator opening a drain valve. The initiating event, P
ignition
, and P
present

may be linked. For example, the actions of the person who is present may be the ignition source,
e.g. a crane operator may drop a load on the process causing a flammable release and providing
an ignition source through metal-on-metal sparking (or from the crane engine). In this case,
P
ignition
= 1 and P
present
= 1.

Various factors influence the values of conditional modifiers (Table 1). Values for various
situations are available in the literature [1] but they must be used with care as they may not apply
to the situation at hand. Conditional modifiers can be controlled in various ways (Table 2).


Other possible conditional modifiers include probability of sheltering, probability of escape, and
probability of evacuation, although these may be incorporated into the evaluation of P
injury
. For
conservatism, many practitioners take no credit for emergency response actions unless special
GCPS 2013 __________________________________________________________________________
circumstances warrant, e.g. special provisions are made for sheltering in particularly hazardous
situations and a non-zero probability of effective sheltering can be justified.

Usually, PHA teams assume the worst case for conditional modifiers for conservatism and
effectively they are not identified explicitly in PHA worksheets. LOPA teams must decide if they
should be addressed explicitly.

10. Given Conditions

Some apparent enablers are actually fixed aspects for a scenario. Management system enablers
are an example. In contrast, other enablers may or may not be present, i.e. they are variable in
nature. Given conditions are always part of the scenario and influence it. For example, a boiler
house that acts as an ignition source for a release is a given condition but hot work in the process
is an enabler for a fire scenario. The former is fixed and always present, unless the probability of
the boiler being in a lit condition is to be addressed, while the latter is variable as hot work is not
usually conducted on a continuous basis. Other examples of given conditions include the
omission of safety features from the process design and locations of stationary equipment. Many
given conditions do not adjust the frequency of scenarios. Rather, they make scenarios possible
by their presence.

Given conditions are part of the scenario definition although they may be assumptions in PHA.
LOPA team may need to clarify the assumptions.

11. Values and Use of Enabler Multipliers

As for other failure data used in LOPA, the values used to incorporate the effect of enablers on
scenario risk for processes should reflect actual experience with the processes. Judgment may
also be needed as often data are sparse, but the values used should be justified with process data
or expert opinion.

Typically, only enablers that may impact the scenario risk by more than an order of magnitude
are included in the analysis, e.g. if a disabled alarm that allows a scenario to occur is in a
disabled state 10% or less of the time so that it reduces scenario likelihood by a factor of 10 or
more, or if lack of PM on a vessel increases the likelihood of a corrosion failure by a factor of 10
or more. In some cases, enablers that together produce an order of magnitude risk reduction may
be credited but care must be exercised as the credits taken may produce a non-conservative result
owing to possible dependencies between enablers.

For enablers that represent two or more alternative scenario paths, if one path has a probability of
occurrence of 0.5 or above, the enabler multiplier may be assumed to be 1 for convenience and
conservatism. Generally, such multipliers are used when the effect on the scenario risk is
substantial, i.e. when their probabilities are 0.1 or less.

Various enablers may combine together to reduce the risk of a hazard scenario substantially.
However, multipliers for the enablers described in this article should not be used arbitrarily to
meet risk tolerance criteria. The temptation to convince oneself that an extra order of magnitude
GCPS 2013 __________________________________________________________________________
risk reduction is possible by reducing the value of the multiplier for an enabler by a factor of 10,
or that an additional enabler that reduces the risk to a tolerable level should be credited, must be
resisted unless they can be credibly justified. All data used in LOPA must be justified and should
favor conservative values.

Care must be taken not to double count enablers that have already been accounted for through
scenario consequences or assumptions made in the performance of PHA or LOPA. Studies may
be more susceptible to this issue when LOPA is performed by a different team or when a long
time passes between the performance of PHA and LOPA. Also, enablers must not be confused
with initiating events and the actions of protection layers, although they may directly impact
them.

Often, PHA studies do not identify enablers, leaving the effort to LOPA teams if enablers are to
be addressed. As LOPA practices evolve to address enablers, it is likely that PHA teams will
begin to identify enablers. LOPA teams usually engage in more detailed discussions of hazard
scenarios than PHA teams. The events that make up scenarios, including enablers, must be
clearly defined and understood, and interactions between elements of scenarios must be
addressed, if valid results are to be produced. The simple examples contained in this article are
provided for illustrative purposes. Many actual hazard scenarios involve multiple events and
event trees can be used to understand possible combinations for inclusion in LOPA studies.

12. Conclusions

Events in hazard scenarios, in addition to initiating events and the action of protection layers, can
have a marked impact on their risk. Certain enabling events and conditions and some conditional
modifiers are sometimes included in studies by LOPA practitioners. This article broadens the
definition of enablers to include various other factors that may act and combine to make
scenarios possible, including enablers relating to management systems, time at risk, intermediate
events, incident outcomes, and release conditions. Factors that account for the effect of these
enablers are used to multiply the scenario frequency. In some cases, the scenario consequence
may also depend on the enabler. Values for multipliers must be chosen carefully and justified. In
cases where data are not available, worst-case assumptions are usually employed.

13. References

[1] CCPS, 2001, Layer of Protection Analysis, Center for Chemical Process Safety /
American Institute of Chemical Engineers, 2001.
[2] Baybutt, P., Analytical Methods in Process Safety Management and System Safety
Engineering Layers of Protection Analysis, in Handbook of Loss Prevention
Engineering, J. M. Haight (ed), Wiley-VCH, 2013.
[3] ANSI/ISA84.00.012004 Part 1 (IEC 61511-1 Mod), Functional Safety: Safety
Instrumented Systems for the Process Industry Sector Part 1: Framework, Definitions,
System, Hardware and Software Requirements.
[4] ANSI/ISA84.00.012004 Part 2 (IEC 61511-2 Mod), Functional Safety: Safety
Instrumented Systems for the Process Industry Sector Part 2: Guidelines for the
Application of ANSI/ISA84.00.012004 Part 1 (IEC 61511-1 Mod).
GCPS 2013 __________________________________________________________________________
[5] ANSI/ISA84.00.012004 Part 3 (IEC 61511-3 Mod), Functional Safety: Safety
Instrumented Systems for the Process Industry Sector Part 3: Guidance for the
Determination of the Required Safety Integrity Levels Informative.
[6] HSE, 2009, Safety and Environmental Standards for Fuel Storage Sites, Process Safety
Leadership Group, Final report, HSE Books, 2009.
[7] Baybutt, P., Conducting Process Hazard Analysis to Facilitate Layers of Protection
Analysis, Process Safety Progress, Vol. 31, Issue 3, pps 282286, September 2012.

GCPS 2013 __________________________________________________________________________
Table 1. Examples of Factors that Influence the Values of Conditional Modifiers
P
ignition
P
present
P
injury

Initiating event - if it produces or
provides a source of ignition
Mode of operation Type of event, e.g. pool fire versus
flash fire
Physical properties, e.g.
- Flammable and explosive limits
- Physical state ( gas, vapor, liquid)
Initiating event Duration and magnitude of the
exposure

Chemical properties, e.g. reactivity Attended / unattended
operation
Escape routes
Layout, e.g. proximity and location of
ignition sources
Need for operator presence in
an adjacent area
Ability to escape:
- Detection of exposure
- Time to incapacitation
- Skill / knowledge
- Physical ability
- Availability / use of PPE
Environmental factors that impact
dispersion, e.g.
wind direction



GCPS 2013 __________________________________________________________________________
Table 2. Examples of Control Measures for Conditional Modifiers
P
ignition
P
present
P
injury

Hazardous area classification Barriers Hazardous area entry control
Ventilation Access control Release detection and alarms
Procedures Exclusion areas Escape plans
Equipment design Procedures Protective equipment
Release containment Refuges
Training