13th Annual Symposium, Mary Kay O’Connor Process Safety Center
“Beyond Regulatory Compliance: Making Safety Second Nature”
Texas A&M University, College Station, Texas
October 26-28, 2010
Layer of Protection Analysis (LOPA)
Fabienne Salimi, ADEPP Academy
Frederic Salimi, ADEPP Academy
ABSTRACT:
Prevention and control of major hazards relies on multiple layers of protection. If something compromises the primary protection, the next layer prevents or controls the major hazard.
Normally the first layer is the basic process design. Subsequent layers include control systems, alarms and interlocks, safety shutdown systems, protective systems and response plans. Analysing all of the layers working together gives rise to the concept of Layer of Protection Analysis (LOPA).
This paper shows how LOPA can be performed efficiently for a hazardous project. It also describes how the duty holder, contractors, consultants and verification bodies can add and review LOPA actions in ADEPP monitor and define the critical activities and tasks for Safety Critical Systems (SCSs).
Key words: LOPA, API 14C, Bow-Tie, Safety Critical Elements, SIL assessment, HSEMS, ADEPP monitor
1- IDENTIFICATION OF THE LAYERS OF PROTECTION
The first safeguard built into an oil and gas or chemical plant is the process design, which strives for a plant with the minimum potential for chemical releases. Risk is then reduced by adding further layers: Basic Process Control Systems (BPCS); operators responding to alarms or following job procedures; automated safety instrumented systems (SIS) that handle process deviations faster than an operator can; pressure relief devices; bunds/dikes and enclosures; and so on. Each layer builds on the protection provided by the layers inside it, and together they protect against the hazard.
Fig-1 Layers of protection according to IEC 61511 (from the process outward): PROCESS; CONTROL and MONITORING (basic process control systems, monitoring system/process alarms, operator supervision); PREVENTION (process alarms with operator corrective action, safety instrumented control system, safety instrumented prevention systems, mechanical protection system); MITIGATION (safety instrumented control system, safety instrumented mitigation systems, mechanical mitigation system, operator supervision); PLANT EMERGENCY RESPONSE (evacuation procedures); COMMUNITY EMERGENCY RESPONSE (emergency broadcasting).
Layers of protection must be independent of each other; this consideration remains crucial to the analysis. In most process industries, basic process control functions and safety instrumented functions were traditionally, and still are, separated. Today there is a strong emphasis in both industry and regulatory bodies on keeping these functions separate in order to guarantee independent protection layers.
The objective is to ensure that major incidents cannot occur unless there are multiple (simultaneous) failures: all layers of protection would have to fail simultaneously, or be circumvented somehow, for the full incident potential to be realised. No safety barrier is 100% effective. The holes in the safety barriers in Fig-2 represent the systematic failures and flaws in each barrier.
The principles of redundancy, diversity, separation and segregation must be applied to reduce the risk of systematic failures of a safety barrier and of common mode or common cause failures, and to ensure the availability of support systems.
Fig-2 Bow-Tie diagram for gas release scenarios
Failures of the HSE Management System (HSEMS) can also defeat multiple layers of protection at once, in particular through incorrect use of Permit to Work systems and where safety systems have been isolated or overridden/inhibited for maintenance.
The following life cycle safety issues should be identified and accounted for in the design for LOPA:
- Safe operating limits and their relation to the set points of the safety functions, including selection of appropriate measurements and the accuracy of the instrumentation.
- Independence and separation from other systems, and from the initiating faults that require their operation. If the safety-related control systems are not separate from other equipment, LOPA should show that failures of connected equipment cannot affect the safety function and that single-point failures cannot fail both systems; if this cannot be shown, the connected equipment or system should be regarded as part of the safety-related control system.
- Operating conditions, including start-up and shutdown and unusual operating conditions, for example single train operation.
- Operating duty, including shut-off requirements for valves and how their performance will be affected by corrosive or erosive conditions.
- Inspection and maintenance requirements, including the provision of facilities for carrying out proof testing.
- Environmental considerations, including requirements to operate in flammable atmospheres, equipment that requires a special environment, prevention and consideration of electromagnetic interference, weather, etc.
Layer of protection analysis should identify support systems and back-up measures for the
control and protective systems, including their component parts (for example, power supplies or
pneumatic systems). Evidence should be presented to show that support systems and back-up
measures have adequate safety and reliability.
One aspect of design which may not be given enough attention is the reliability, availability and
survivability of utilities. Failure of a utility – for example, water, air, steam, electricity
(including power surge or partial loss) – often results in a process upset, and may have effects
across the entire establishment.
API 14C (Recommended Practice for Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms) has been adopted as ISO 10418 and is widely used by oil & gas companies even for onshore applications. It provides prescriptive guidelines for the undesirable process events that can lead to a major accident at an oil & gas plant.
Fig-3: Layers of protection for overpressure according to API 14C
According to API 14C, at least two levels of protection, independent and diverse, shall be provided to protect the equipment under control against process upsets that can lead to a major accident, i.e. a major fire, explosion or toxic material release.
API 14C covers, equipment by equipment, the required protection layers for credible process upsets such as overpressure, leak, over-temperature, etc.
Fig-3 illustrates the required protection layers for a pressure vessel. In this example the high pressure trip is an instrumented system and protects against overpressure by closing the EDV on the feed stream. If the high pressure trip fails on demand, the pressure relief valve protects the equipment against overpressure by discharging the material to a safe location (flare). Valuable process material is lost, but the equipment remains safe and functional.
Safety Analysis Tables (SAT) are mini-HAZOPs that assess the causes and consequences of process upsets within generic equipment such as flowlines, pressure vessels, atmospheric vessels, pumps, compressors, heat exchangers and fired heaters (see Table-1).

Undesirable event | Cause | Detectable abnormal condition at component
Overpressure (suction) | Excess inflow; failure of suction pressure control system; compressor or driver malfunction | High pressure
Overpressure (discharge) | Blocked or restricted discharge line; excess back pressure; high inlet pressure; over-speed | High pressure
Leak | Deterioration; erosion; corrosion; impact damage; vibration | Low pressure; high gas concentration (building)
Excess temperature | Compressor valve failure; cooler failure; excess compression ratio; insufficient flow | High temperature
Table-1: Safety Analysis Table for Compressor
Safety Analysis Checklists (SAC) review the requirement for the protective systems, taking into account the upstream and downstream processes and the other protective systems (Table-2).
Safety Analysis Function Evaluation (SAFE) charts are similar to cause & effect matrices and summarise the protection measures and their effects. The advantages of the SAFE chart are:
1. Safety systems are summarised.
2. The rationale for each required safety measure is recorded in a traceable and auditable manner.
Table A-1.2—Safety Analysis Checklist (SAC)—Flow Line Segment
a. High Pressure Sensor (PSH).
  1. PSH installed.
  2. Flow line segment has a maximum allowable working pressure greater than the maximum shut-in pressure and is protected by a PSH on a downstream flow line segment.
c. Pressure Safety Valve (PSV).
  1. PSV installed.
  2. Flow line segment has a maximum allowable working pressure greater than the maximum shut-in pressure.
  3. Two SDVs (one of which may be the SSV) with independent PSHs, relays and sensing points are installed where there is adequate flow line volume upstream of any block valves to allow sufficient time for the SDVs to close before the maximum allowable working pressure is exceeded.
  4. Flow line segment is protected by a PSV on the upstream segment.
  5. Flow line segment is protected by a PSV on a downstream component that cannot be isolated from the flow line segment, and there are no chokes or other restrictions between the flow line segment and the PSV.
Table-2: Example Safety Analysis Checklist according to the guidelines of API 14C
API 14C also provides guidelines for the location, maintenance and testing routines of the detection and final elements of the protection systems (Fig-4).
Fig-4: Location of safety systems according to API 14C
A dedicated onion diagram should be developed for each deviation within the equipment under control (EUC) or area under control (AUC). Table-3 presents, as an example, the protection layers for the credible undesirable events at a second stage compressor.
SUMMARY OF THE PROTECTION MEASURES
Undesirable event | Total no. of protection layers | Protection adequate? | Achieved SIL | Remarks / Recommendations / Actions
Overpressure (suction), excluding fire | 3 | Yes | 4 | For parallel operation the suction scrubber is inherently safe: design pressure = 210 barg; surge recycle line pressure = 144 barg
Overpressure (discharge), excluding fire | 4 | Yes | 4 |
Low pressure | 3 | Yes | 1 |
Excess temperature | 3 | Yes | 1 |
Low temperature | 3 | Yes | 1 |
Liquid overflow in suction scrubber | 2 | Yes | 1 | No considerable liquid is expected in this vessel.
Reverse flow | 3 | Yes | 3 | Double check valves of two different types are considered as SIL2 secondary protection.
Leak | 3 | Yes | 3 | 1PZA-2p20-LL can be an indication of a gas leak to atmosphere.
External fire | 2 | Yes | 4 | The suction scrubbers and pipework outside the compressor house are protected by PFP.
Layer key: L0 Inherently safe; L1 BPCS; L2 Alarm and operator; L3 SIS; L4 Mechanical/relief devices; L5 Physical protection (L5.1 ESD, L5.2 EDP, L5.3 Passive fire protection, L5.4 Active fire protection)
Table-3: Protection layers for different undesirable deviations within equipment
LOPA is successful and adds value for all disciplines if the following issues are taken into account:
1- BPCS, alarms and trips are provided to protect against process deviations within the equipment under control (EUC). If any one of these protection layers works, no hazardous material is released; people and the environment are not harmed, and the consequence of the undesirable event is limited to loss of production, including the time required to shut down, investigate and restart.
Mechanical systems such as pressure relief valves still protect the process equipment. If the instrumented protection layers do not work, the relief valve opens and the consequence of the undesirable event extends to loss of valuable material plus a controlled environmental impact.
If all the process safeguarding layers fail to function, hazardous material is released into the atmosphere and the boundary of the event changes from the equipment under control (EUC) to the area under control (AUC), as shown in Fig-5.
Fig-5: Layers of protection before and after a hazardous material release. Within the EUC (from the process outward): PROCESS; CONTROL and MONITORING (basic process control systems, monitoring system/process alarms, operator supervision); PREVENTION (process shutdown ESD-3 & ESD-2, process alarms with operator corrective action); MITIGATION, process safeguarding (mechanical mitigation systems, e.g. pressure relief, dike). Within the AUC (fire zone, EER area): MITIGATION (fire & explosion) / PREVENTION OF ESCALATION (fire & gas detection system, emergency shutdown ESD-1, blowdown & drainage system, active & passive fire protection); PLANT EMERGENCY RESPONSE (emergency power, emergency communication, emergency lighting); COMMUNITY EMERGENCY RESPONSE (emergency broadcasting).
2- Safety measures protecting the area under control are classified as "mitigation measures" with respect to process upsets. Risk assessors sometimes assume that at this stage additional safety measures have no effect on safety, because a fire or explosion will cause immediate fatalities and equipment damage, so that no further protection layer is required.
This is a wrong assumption: mitigation measures with respect to the EUC are in fact "preventive measures" against further escalation.
Escalation can lead to a major accident affecting the public. If the tolerable risk to the public is taken as 1E-6/yr, the frequency of a major accident/escalation should be less than 1E-9/yr, which can never be achieved by process safeguarding alone.
3- Protection layers for EUCs are relatively standard, but protection layers for the AUC can differ greatly from one case to another and depend on:
- type of released material
- type of external fire (jet or pool fire)
- type of process material in the equipment exposed to the external fire
- sources of ignition in the area
- safety distances, layout and congestion of process equipment and modules
For example, if the process equipment contains liquefied material, passive fire protection is the best option to protect the vessel against fire impingement: a pressure relief valve protects the vessel against overpressure but cannot protect the vessel shell against local damage, which may cause a catastrophic rupture and a BLEVE.
4- The fire & gas detection system is much more complex than process detection. It consists of numerous detectors and a dedicated panel. The number of detectors installed for coverage reasons must not be mistaken for redundancy.
5- The blowdown system depends on the ESD system. If the ESD system fails to isolate a section, the automatic blowdown valves will not open either.
6- The effectiveness of non-instrumented systems such as safety distances, passive fire protection and active fire protection also depends on the performance of the instrumented protection measures.
For example, passive fire protection is installed to protect equipment against fire impingement and thermal radiation for a limited period (30 min to 2 hr). If the ESD system fails to operate, the fire can last longer than the passive fire protection can withstand, and escalation will occur.
7- EER (Escape, Evacuation & Rescue) should also be considered as a further area under control. The survivability of emergency systems exposed to thermal radiation, blast overpressure, dropped objects, impact, etc. is as important as their reliability.
For example, an unprotected relief valve exposed to external fire or thermal radiation for more than 15 min may be impaired before the pressure inside the vessel reaches the relief set point.
8- Hazardous materials can be released not only by process upsets but also by other causes such as mechanical failure, structural failure, dropped objects, impact, etc. The total release frequency is therefore much higher than the release frequency due to a single hazardous process upset.
9- Safety measures also differ with release size:
- Small releases last a long time but their consequences are limited; the protection philosophy therefore focuses on "mitigation measures".
- Large releases are short but their consequences are very severe; the protection philosophy therefore focuses on "prevention measures".
- Both the duration and the consequences of medium releases are significant; both "prevention measures" and "mitigation measures" are therefore required to reduce their risk to ALARP.
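The independence rule of Section 1, the API 14C requirement for at least two independent and diverse layers, and items 4 to 6 above (detector count is not redundancy, blowdown depends on ESD, shared utilities) can be screened mechanically once each layer is recorded together with what it depends on. The following is an added example, not code from the paper or from ADEPP; all tag numbers, layer names and support-system identifiers in it are constructed for illustration.

```python
"""Independence and diversity screening of protection layers.

Added example (not part of the paper or of ADEPP): the tag numbers, layer
names and support-system identifiers below are constructed for illustration.
The rules encoded are the paper's: a layer is only credited if it is
independent of the layers already credited, and API 14C asks for at least two
credited layers of different technology (independent and diverse).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Layer:
    name: str
    kind: str                   # technology class: bpcs, alarm, sis, mechanical, fg, esd, blowdown, pfp
    depends_on: FrozenSet[str]  # sensors, logic solvers, utilities and other layers this one needs


def independent(a: Layer, b: Layer) -> bool:
    """Two layers are independent when neither needs the other and they share
    no sensor, logic solver or support system (power, instrument air, panel)."""
    if a.name in b.depends_on or b.name in a.depends_on:
        return False
    return a.depends_on.isdisjoint(b.depends_on)


def credit_layers(layers: List[Layer]) -> List[Layer]:
    """Greedy pass in the order given (design hierarchy, BPCS first): a layer is
    credited only if it is independent of every layer already credited."""
    credited: List[Layer] = []
    for layer in layers:
        if all(independent(layer, c) for c in credited):
            credited.append(layer)
    return credited


def api14c_adequate(layers: List[Layer]) -> Tuple[bool, List[str], str]:
    """API 14C screen: at least two credited layers of at least two technologies."""
    credited = credit_layers(layers)
    names = [layer.name for layer in credited]
    kinds = {layer.kind for layer in credited}
    if len(credited) < 2:
        return False, names, "fewer than two independent layers"
    if len(kinds) < 2:
        return False, names, "independent layers are not diverse"
    return True, names, "independent and diverse"


# Constructed example 1: compressor discharge overpressure.  PAH-201 shares its
# transmitter and DCS with the BPCS loop, so it is not a separate layer.
OVERPRESSURE = [
    Layer("PIC-201 pressure control", "bpcs", frozenset({"PT-201", "DCS", "UPS-A"})),
    Layer("PAH-201 alarm + operator", "alarm", frozenset({"PT-201", "DCS", "UPS-A"})),
    Layer("PSHH-202 trip (SIS)", "sis", frozenset({"PT-202", "SIS logic solver", "SDV-202", "UPS-B"})),
    Layer("PSV-203 relief valve", "mechanical", frozenset()),
]

# Constructed example 2: gas release in the compressor house.  GD-2 is there
# for coverage, not redundancy (same panel, same supply); blowdown is actuated
# by ESD-1, so it cannot be credited separately from it.
GAS_RELEASE = [
    Layer("Gas detector GD-1", "fg", frozenset({"F&G panel", "UPS-C"})),
    Layer("Gas detector GD-2", "fg", frozenset({"F&G panel", "UPS-C"})),
    Layer("ESD-1 isolation", "esd", frozenset({"ESD logic solver", "UPS-D"})),
    Layer("Blowdown BDV-210", "blowdown", frozenset({"ESD-1 isolation", "ESD logic solver", "UPS-D"})),
    Layer("Passive fire protection", "pfp", frozenset()),
]

if __name__ == "__main__":
    for title, layers in (("overpressure", OVERPRESSURE), ("gas release", GAS_RELEASE)):
        ok, names, why = api14c_adequate(layers)
        print(f"{title}: adequate={ok} ({why}); credited: {names}")
```

The order of the input list matters: the greedy pass credits the first layer it meets and drops later ones that share anything with it, which mirrors the paper's hierarchy (BPCS, then alarm, then SIS, then mechanical). Recording shared utilities such as a UPS as dependencies is what makes the utility-failure point of Section 1 visible in the result.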
2- LAYERS OF PROTECTION INTEGRITY
A Safety Integrity Level (SIL) is a discrete level (one of four) for specifying the safety integrity requirements of the safety functions allocated to safety-related systems; SIL4 is the highest level of integrity and SIL1 the lowest. Many organisations avoid SIL4 and require the hazard to be addressed by redesign instead. Under IEC 61508, SIL is a direct expression of the implied reliability of the equipment.
Qualitative SIL assessment is performed in brainstorming sessions using risk graphs and calibration tables. Following these sessions the safety instrumented functions are classified and screened by their required SIL.
SIL2 and higher should be assessed by a quantitative approach using a combination of fault trees and event trees.
A higher SIL means that a lower probability of failure on demand can be tolerated. The probability of failure on demand can be reduced by different techniques, including intrinsically safe and fail-safe design, redundancy, shorter inspection, test and planned maintenance intervals, and more advanced technology.
Fig-6: Higher SIL means fewer flaws in safety barrier performance
Specifying SILs allows procurement of equipment with the optimum reliability and gives assurance that the safety function will operate on demand. SIL requirements are incorporated into the performance standards and written schemes of examination of the safety critical systems.
Typical maintenance and testing routines are recommended by the manufacturer. Sometimes a shorter test interval and more rigorous planned maintenance are required to achieve the required SIL. It is essential that the importance and nature of such maintenance and tests are clearly communicated between the design, operations and maintenance teams.
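The arithmetic behind this section, and behind the 1E-6/yr public target quoted in item 2 of Section 1, is short enough to write down: the mitigated frequency of a scenario is the initiating event frequency multiplied by the PFD of each credited independent layer and by the conditional modifiers, the shortfall against the target fixes the required PFD of a new safety instrumented function, and the achieved PFDavg of that function depends on its architecture and proof-test interval. The block below is an added example, not from the paper or ADEPP; the initiating frequency, PFDs, modifiers and failure rate are assumed values for illustration, not data from the paper or OREDA. The SIL bands are the IEC 61508 low-demand PFDavg bands and the 1oo1/1oo2 formulas are the usual simplified ones that ignore repair time.

```python
"""LOPA scenario arithmetic and SIL determination / verification.

Added example (not from the paper or ADEPP).  The initiating event frequency,
IPL PFDs, conditional modifiers and dangerous undetected failure rate used
below are assumptions constructed for illustration.
"""
from math import prod
from typing import Dict, List, Optional

# IEC 61508 low-demand mode: (SIL, lower PFDavg bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_from_pfd(pfd: float) -> Optional[int]:
    """SIL band containing a PFDavg; 0 when no SIL is needed (PFD >= 0.1),
    None when PFD < 1e-5 (beyond SIL4: redesign rather than rely on a SIF)."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return None


def lopa_scenario(initiating_freq: float, ipl_pfds: List[float],
                  modifiers: List[float], target_freq: float) -> Dict[str, object]:
    """Mitigated frequency = initiating frequency x PFD of each credited
    independent protection layer x conditional modifiers (ignition, occupancy, ...).
    If it still exceeds the target, a new SIF has to close the gap: its required
    PFD is target / mitigated and the band of that PFD is the required SIL."""
    mitigated = initiating_freq * prod(ipl_pfds) * prod(modifiers)
    if mitigated <= target_freq:
        return {"mitigated_freq": mitigated, "required_pfd": None, "required_sil": 0}
    required_pfd = target_freq / mitigated
    return {"mitigated_freq": mitigated,
            "required_pfd": required_pfd,
            "required_sil": sil_from_pfd(required_pfd)}


def pfd_avg_1oo1(lambda_du_per_hr: float, test_interval_hr: float) -> float:
    """Single channel; dangerous undetected failures are found only by the proof test."""
    return lambda_du_per_hr * test_interval_hr / 2


def pfd_avg_1oo2(lambda_du_per_hr: float, test_interval_hr: float, beta: float = 0.1) -> float:
    """Redundant 1oo2 channels with a beta-factor common-cause term
    (beta = fraction of failures that take out both channels together)."""
    lt = lambda_du_per_hr * test_interval_hr
    independent_part = ((1 - beta) * lt) ** 2 / 3
    common_cause_part = beta * lt / 2
    return independent_part + common_cause_part


if __name__ == "__main__":
    # Constructed scenario: blocked discharge caused by a BPCS loop failure (0.1/yr);
    # only the relief valve is credited as an IPL (the alarm shares the BPCS
    # transmitter); ignition 0.3, occupancy 0.5, fatality given fire 0.5;
    # target 1E-6/yr as in the paper.
    print(lopa_scenario(0.1, [0.01], [0.3, 0.5, 0.5], 1e-6))
    lam = 2e-6  # assumed dangerous undetected failure rate per hour
    for label, pfd in (("1oo1, annual proof test", pfd_avg_1oo1(lam, 8760)),
                       ("1oo1, 3-yearly proof test", pfd_avg_1oo1(lam, 3 * 8760)),
                       ("1oo2, annual test, beta 0.1", pfd_avg_1oo2(lam, 8760))):
        print(f"{label}: PFDavg={pfd:.2e} -> SIL{sil_from_pfd(pfd)}")
```

Two things the numbers show. First, the SIL is only the band: the verification calculation must also confirm that the achieved PFDavg is at or below the numeric required PFD (about 1.3E-2 in the constructed scenario), which the annually tested 1oo1 function meets and the 3-yearly tested one does not, which is the paper's point about test intervals. Second, in the 1oo2 result the common-cause term dominates the independent term by an order of magnitude, so redundancy without diversity and separation buys far less than the architecture suggests.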
3- PERFORMANCE STANDARD & VERIFICATION SCHEME OF PROTECTION SYSTEMS
The effectiveness of the protection system functions depends not only on reliability/availability but also on their survivability under accident conditions and on their interactions with, and dependencies on, other safety systems. Performance standards are prepared to summarise the following requirements for the safety critical systems, subsystems and elements in a traceable and auditable manner:
- Goals
- Boundaries
- Functionalities
- Reliability / Availability
- Survivability
- Interactions / Dependencies.
Verification schemes define the risk based inspection that ensures the performance standards are maintained during operation (Fig-7).
Fig-7: Performance Standard tables. Header: performance objectives; system components. Sections and columns: FUNCTIONALITY (function | performance criteria & basis | assurance | verification); RELIABILITY / AVAILABILITY (sub-system/component | performance criteria & basis | assurance | verification); SURVIVABILITY (hazardous event | performance criteria & basis | assurance | verification); INTERACTIONS / DEPENDENCIES / LIMITATIONS (system/sub-system | supplier | safety critical element (Y/N) | interactions/dependencies/limitations | performance standard ref. | responsibility); INTEGRITY ENVELOPE (failure mode | performance criteria | threshold | operational limitation); SAFETY CRITICAL ELEMENTS (equipment, components and software) (element | supplier | failure mode | severity ranking | assurance | verification).
4- REQUIRED SAFEGUARDS & HAZOP
LOPA was developed as an extension of Process Hazard Analysis (PHA) to provide an objective, rational and defensible basis for recommendations to install, or not to install, safeguards.
In a conventional HAZOP, process deviations, their causes, consequences and safeguards are assessed "qualitatively" by a systematic brainstorming approach. The main issues with HAZOP are as follows:
a- The guidewords classify process deviations as "higher" or "lower" than the operating intent but do not address the extent of these deviations. The HAZOP team is not informed of, or encouraged to reflect on, the ultimate extent of a deviation, yet the causes, consequences and required safeguards for a deviation scenario depend on it. For example, if the ultimate extent of high pressure in a node is less than 5% above design pressure, a conventional single loop control system is sufficient, but if the pressure can rise more than 21% above design pressure, a high pressure trip and relief valve must also be added to protect the equipment or node against such overpressure.
b- Dependency and interaction between different deviations are not recorded systematically.
c- Intermediate consequences are not distinguished from ultimate consequences. For example, uncontrolled high pressure may cause a small, medium or large flammable gas release. Depending on non-process safeguards such as safety distances from ignition sources, area classification, layout and congestion of the process module, the released gas can be:
- dispersed safely, or
- ignited immediately, resulting in a jet fire, or
- accumulated, causing an explosion on delayed ignition.
d- Simultaneous multiple failures/causes are not considered.
e- A node represents a section of the process in which conditions undergo a significant change; a pump system, for example, is a node because liquid pressure is increased. How big a node may be depends on the experience of the team, the degree to which similar process systems have already been discussed, the complexity of the process and the judgement of the HAZOP chairman.
Safeguards identified for a node may not be required if the protection function is already provided by another safety device at an upstream or downstream node, yet there is no HAZOP checklist comparable to the API 14C Safety Analysis Checklists (SAC) that allows the exclusion of such devices (Table-2).
f- Consequences are assessed on subjective engineering judgement.
g- Consequences are sometimes underestimated because the safeguards within and outside the node are assumed to function.
h- The hierarchy, capacity, set point, location and reliability of the safeguards are not reported and remain vague.
For example, in an alarm management survey performed by HSE in the UK [4], a major concern expressed by operators was that "HAZOPs increase the number of alarms".
HAZOP reviews very often result in increases in the number, and the complexity, of alarms. An automatic reaction can develop: seeing a problem, e.g. the possibility of a valve being left open, and installing an alarm to indicate it. Each alarm is individually intended to increase the safety of the plant, but as a whole the proliferation of alarms reduces the chance of the operator noticing any particular alarm. No "cost" is assigned to adding an alarm on a DCS, and there are generally no controls to prevent more and more being installed. Moreover, alarms identified in HAZOP can become labelled as "safety related" and locked into the safety case of the plant, which is difficult to alter later if they turn out to be a nuisance.
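Item a above (the ultimate extent of a high pressure deviation decides whether a control loop, or a trip plus relief valve, is needed) and SAC item c.3 in Table-2 (enough volume for the SDVs to close before MAWP is exceeded) are both answerable with a small transient calculation. What follows is an added example, not from the paper, ADEPP or API 14C: it models a blocked-outlet vessel as an isothermal ideal gas fed at constant rate from an upstream source whose maximum shut-in pressure bounds the deviation; the vessel size, gas, flow rate, set points and valve closure time are assumed values. Constant inflow gives the fastest possible pressure rise, so the times it reports are conservative.

```python
"""Ultimate extent of a blocked-outlet overpressure and time available for the trip.

Added example (not from the paper, ADEPP or API 14C).  Model and inputs are
assumptions: an isothermal ideal-gas vessel whose outlet is blocked while the
inlet keeps feeding at a constant rate, capped at the maximum shut-in pressure
of the upstream source.  Constant inflow is the fastest possible rise, so the
computed times are conservative (short).
"""
from typing import Dict, Optional

R_GAS = 8.314  # J/(mol K)
BAR = 1e5      # Pa per bar


def pressure_rise_bar_per_s(massflow_kg_s: float, temp_k: float,
                            molar_mass_kg_mol: float, volume_m3: float) -> float:
    """dP/dt for an isothermal ideal gas in a closed volume: m_dot R T / (M V)."""
    return massflow_kg_s * R_GAS * temp_k / (molar_mass_kg_mol * volume_m3) / BAR


def time_to_reach(p_target: float, p0: float, rate: float, p_source: float) -> Optional[float]:
    """Seconds until the vessel reaches p_target, or None if the source cannot
    push it that high (the ultimate extent is bounded by the shut-in pressure)."""
    if p_target > p_source:
        return None
    if p_target <= p0:
        return 0.0
    return (p_target - p0) / rate


def blocked_outlet_check(volume_m3: float, p0_bar: float, p_source_bar: float,
                         massflow_kg_s: float, temp_k: float, molar_mass_kg_mol: float,
                         trip_bar: float, mawp_bar: float, sdv_close_s: float) -> Dict[str, object]:
    rate = pressure_rise_bar_per_s(massflow_kg_s, temp_k, molar_mass_kg_mol, volume_m3)
    t_trip = time_to_reach(trip_bar, p0_bar, rate, p_source_bar)
    t_mawp = time_to_reach(mawp_bar, p0_bar, rate, p_source_bar)
    # Ultimate extent of the deviation: how far the shut-in pressure exceeds MAWP.
    ultimate_pct = (p_source_bar - mawp_bar) / mawp_bar * 100
    # API 14C SAC item c.3: the SDV must be closed before MAWP is exceeded.
    if t_mawp is None:
        sdv_adequate = True    # MAWP can never be reached from this source
    elif t_trip is None:
        sdv_adequate = False   # MAWP reachable but trip set point is not: set point above source
    else:
        sdv_adequate = t_trip + sdv_close_s < t_mawp
    # Thresholds quoted in the paper: <= 5 % a BPCS loop suffices; > 21 % trip plus relief valve.
    if ultimate_pct <= 5:
        safeguard = "BPCS single loop sufficient"
    elif ultimate_pct > 21:
        safeguard = "HP trip plus relief valve required"
    else:
        safeguard = "between the paper's thresholds: decide case by case"
    return {"rate_bar_s": rate, "t_trip_s": t_trip, "t_mawp_s": t_mawp,
            "ultimate_extent_pct": ultimate_pct, "sdv_adequate": sdv_adequate,
            "safeguard": safeguard}


if __name__ == "__main__":
    # Constructed case: 10 m3 vessel of methane (M = 0.016 kg/mol) at 300 K, normally
    # 17 barg, fed at 1 kg/s from a source that can shut in at 30 barg; HP trip at
    # 20 barg, MAWP 24 barg, SDV closes in 15 s.
    for key, value in blocked_outlet_check(10, 17, 30, 1.0, 300, 0.016, 20, 24, 15).items():
        print(f"{key}: {value}")
```

In the constructed case the pressure climbs about 0.16 bar/s, the trip is reached after roughly 19 s and MAWP after roughly 45 s, so a 15 s valve is adequate and a 30 s valve is not; the 25% ultimate extent puts the node in the paper's "trip plus relief valve" category. Changing only the source pressure to 25 barg gives a 4% ultimate extent, where the paper's rule says a single control loop is enough. The model is deliberately simple; a high-fidelity dynamic simulation of the kind discussed in Section 5 would replace the constant-inflow and isothermal assumptions.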
A preliminary HAZOP should be performed at an early stage of the project, when the process flow diagrams (PFD) are ready and none of the protection layers has been implemented yet. The causes and consequences of the process deviations should be evaluated without any safeguards, and the HAZOP actions should recommend the required layers of protection.
A SIL assessment should then be performed to determine the required integrity level of the instrumented protection systems.
As the project progresses, a detailed HAZOP should be performed to minimise the risk of increasing the complexity of the safety barriers by adding unnecessary or contradictory safeguards.
5- SENSITIVITY ANALYSIS BY DYNAMIC SIMULATIONS
Dynamic simulation is rarely used as supporting evidence for consequence assessment in HAZOP sessions, yet it is the only way to judge reliably the ultimate extent of a HAZOP guideword deviation. It also allows sequenced and/or multiple failures to be simulated.
Fig-8 illustrates a typical dynamic simulation model. The model should be built before the HAZOP, so that the HAZOP team can study different failures, such as a blocked outlet due to failure of one of the control loops. In this example it can be observed that, with the present tuning of PIC-101, the pressure at D100 is controlled at 17 barg but the pressure control valve begins to chatter.
The authors believe that not only high-fidelity dynamic simulation models but also simpler Laplace-transform models can significantly improve the quality of consequence assessment for process deviations.
Fig-9 illustrates two-tank level control. Since there are now two lags to control, simple gain control is no longer sufficient for good performance and the liquid height in tank 1 becomes unacceptably large.
Fig-8: Example of dynamic simulation based on a high fidelity model on an OTS platform (Demo: http://www.adepp.com/Site_Demo/ADEPP_HSE_Toolkit.html)
Fig-9: Example of Laplace transform application as a dynamic simulation tool. With permission and courtesy of Ventimar LLC and SimApp; the full report is available at http://www.simapp.com/simulation-tutorials
6- ADEPP LOPA monitor
To achieve an effective LOPA, numerous data, code based requirements, and specific and supporting studies from different disciplines and project phases have to be considered in a consistent, traceable and auditable manner.
The LOPA module of ADEPP monitor combines HAZOP, FMEA, the API 14J checklist, BPCS, alarm management, SIL assessment and API 14C to support consistent safety barrier identification and management.
Fig-10: ADEPP LOPA monitor (Demo: http://www.adepp.com/Site_Demo/ADEPP_HSE_Toolkit.html)
ADEPP monitor provides generic performance standards for the protection systems determined during LOPA. These generic performance standards can be copied and customised for project specific systems.
Critical tasks are defined by verification schemes. They are easily attached to each performance standard and planned over the life cycle of the project.
ADEPP monitor is an online open source database and eases communication between the project team, consultants and verification parties when they are located in physically remote offices. Timely reactions and corrective actions can save the project considerable time and effort.
7- CONCLUSION
Layer of protection analysis is an effective approach to assessing the requirements for both instrumented and non-instrumented safety measures.
Identification of the layers of protection depends on the availability of safety studies, the level of scrutiny and the judgement of the assessors. It is therefore crucial that all relevant disciplines and project phases are involved in LOPA.
API 14C is a robust and cost effective LOPA that can be used at an early stage of the project. As the project progresses and more information becomes available, the Bow-tie approach can be used as an extended LOPA for different risk based studies such as SIL assessment and verification.
Proper definition of the scope and boundaries of the equipment and/or area under control is a key factor in successful and consistent safety barrier management.
ADEPP LOPA monitor is designed to communicate the roles and responsibilities for identification and management of critical protection systems to the Company, Contractors, Consultants and Verification bodies.
8- Acronyms
ADEPP Analysis & Dynamic Evaluation of Project Processes
ALARP As Low As Reasonably Practicable
API American Petroleum Institute
AUC Area Under Control
BLEVE Boiling Liquid Expanding Vapour Explosion
COMAH Control of major accident hazards
EEMUA Engineering Equipment and Materials Users Association
EER Escape, Evacuation & Rescue
ESD Emergency Shutdown
EUC Equipment Under Control
F&G Fire & Gas
FES Fire & Explosion Study
FMEA Failure Mode and Effect Analysis
HAZID Hazard Identification
HAZOP Hazard & Operability
HSE Health & Safety Executive
HSEMS Health, Safety and Environmental Management System
IEC International Electrotechnical Commission
ISA International Society of Automation
LOPA Layer of Protection Analysis
OREDA Offshore Reliability Data
P&ID Piping & Instrumentation Diagram
PFD Process Flow Diagram
PFEER Prevention of Fire and Explosion, and Emergency Response
SAC Safety Analysis Checklist
SAFE chart Safety Analysis Function Evaluation chart
SAT Safety Analysis Table
SCE Safety Critical Element
SCS Safety Critical System
SDV Shutdown Valve
SIL Safety Integrity Level
9- References
[1] F. Salimi, "Requirement engineering and management: fundamental issues in the Performance Standards of Safety Critical Elements", Hydrocarbon Processing, Nov. and Dec. 2009.
[2] Roger, M. C., Bamforth, P., Salimi, F., Thomas, E. J., "Determination of safety critical equipment, safety critical procedures and softwares utilising quantitative risk assessment data", Offshore Structures Hazards & Integrity Management, International Conference of ERA Technology, London, UK, 4-5 December 1996.
[3] Salimi, F.-F. (Mutiplan R&F, France) and Rogers, M. C. (Kvaerner Oil & Gas, UK), "Use of Quantified Risk Assessment for the determination of Safety Integrity Levels (SIL) utilised in the design of offshore oil and gas installations", ERA Technology, Dec. 1999.
[4] The Management of Alarm Systems, HSE, 1998. Available at http://www.hse.gov.uk/research/crr_pdf/1998/crr98166.pdf
[5] OREDA (Offshore Reliability Data), DNV.
[6] Asset Integrity: The Key to Managing Major Incident Risk, OGP Report No. 415, 2008. Available at http://chen.qatar.tamu.edu/assets/PDFs/OGP_Guide.pdf
[7] Asset Integrity Programme, HSE (UK). Available at http://www.hse.gov.uk/offshore/kp3.pdf