Layer of Protection Analysis (LOPA)

13th Annual Symposium, Mary Kay O’Connor Process Safety Center
“Beyond Regulatory Compliance: Making Safety Second Nature”
Texas A&M University, College Station, Texas
October 26-28, 2010

Fabienne Salimi, ADEPP Academy
Frederic Salimi, ADEPP Academy

ABSTRACT:

Prevention and control of major hazards relies on multiple layers of protection. If something happens to compromise the primary protection, then the next layer will prevent or control the major hazard.

Normally the first layer is the basic process design. Subsequent layers include control systems, alarms and interlocks, safety shutdown systems, protective systems and response plans. Analysing all of the layers working together gives rise to the concept of Layer of Protection Analysis (LOPA).

This paper shows how LOPA can be performed efficiently for a hazardous project. It also describes how the Duty holder, Contractors, Consultants and Verification bodies can add and review LOPA actions in ADEPP monitor and define the critical activities and tasks for Safety Critical Systems (SCSs).

Key words: LOPA, API 14C, Bow-Tie, Safety Critical Elements, SIL assessment, HSEMS, ADEPP monitor


1- IDENTIFICATION OF THE LAYER OF PROTECTIONS

The first safeguard that is built into an oil and gas or a chemical plant is the process design, which strives to build a plant with minimum potential for chemical releases. We can reduce the risk by adding such things as: Basic Process Control Systems (BPCS); operators responding to alarms or following job procedures; automated safety instrumented systems (SIS) that can more quickly handle process deviations; pressure relief devices; bunds/dikes and enclosures; and so on. Each layer builds on the protection provided by those inside it, and they all work together to protect the plant.

Fig-1 Layer of protection according to IEC-61511 (onion diagram, outermost layer first):
COMMUNITY EMERGENCY RESPONSE: Emergency broadcasting
PLANT EMERGENCY RESPONSE: Evacuation procedures
MITIGATION: Mechanical mitigation system; Safety instrumented control system; Safety instrumented mitigation systems; Operator supervision
PREVENTION: Mechanical protection system; Process alarms with operator corrective action; Safety instrumented control system; Safety instrumented prevention systems
CONTROL and MONITORING: Basic Process Control Systems; Monitoring system (process alarms); Operator supervision
PROCESS

Layers of protection need to be independent of each other. This consideration remains crucial to the analysis. In most of the process industries, basic process control functions and safety instrumented functions were traditionally, and still are, separated. Today, there is a strong emphasis in both industry and regulatory bodies on keeping these functions separate in order to guarantee independent protection layers.

The objective is to ensure that major incidents do not occur unless there are multiple (simultaneous) failures. All the layers of protection would have to fail simultaneously or be circumvented somehow for the full incident potential to occur. None of the safety barriers are 100% effective. The holes in the safety barriers in Fig-2 represent the systematic failures and flaws in the safety barriers.


The principles of redundancy, diversity, separation and segregation must be applied to reduce the risk of systematic failures associated with the safety barrier, common mode or common cause failures, and to ensure the availability of support systems.

Fig-2 Bow-Tie diagram for gas release scenarios

Failures of the HSE Management System (HSEMS) can also result in failure of multiple layers of protection, in particular the incorrect use of Permit to Work Systems and cases where safety systems have been isolated or overridden/inhibited for maintenance purposes.

The following life cycle safety issues should be identified and accounted for in the design for LOPA:

- Safe operating limits and their relation to the set points for safety functions, including the selection of an appropriate measurement and accuracy of instrumentation.
- Independence and separation from other systems or the initiating faults which require their operation (if the safety-related control systems are not separate from other equipment, LOPA should show that failures of connected equipment cannot affect the safety function and that single-point failures cannot result in the failure of both systems. If this cannot be shown, the connected equipment or system should be regarded as being part of the safety-related control system).
- Operating conditions, including start-up and shutdown and unusual operating conditions – for example, single train operation.
- Operating duty, including shut-off requirements for valves and how their performance will be affected by the presence of corrosive or erosive conditions.
- Inspection and maintenance requirements, including the provision of facilities for carrying out proof testing.
- Environmental considerations, including requirements to operate in flammable atmospheres, equipment which requires special environments, prevention and consideration of electromagnetic interference, weather, etc.

Layer of protection analysis should identify support systems and back-up measures for the control and protective systems, including their component parts (for example, power supplies or pneumatic systems). Evidence should be presented to show that support systems and back-up measures have adequate safety and reliability.

One aspect of design which may not be given enough attention is the reliability, availability and survivability of utilities. Failure of a utility – for example, water, air, steam, electricity (including power surge or partial loss) – often results in a process upset, and may have effects across the entire establishment.

API 14C (Recommended Practice for Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms) has been adopted by ISO 10418 and is widely used by oil & gas companies even for onshore applications. It provides prescriptive guidelines for those undesirable process events which can lead to a major accident at an oil & gas plant.

Fig-3: Layers of protection for overpressure according to API 14C

According to API 14C, at least two independent and diverse levels of protection shall be provided to protect the equipment under control against the process upsets which can lead to a major accident, i.e. major fire, explosion or toxic material release.

API 14C covers, equipment by equipment, the required protection layers for credible process upsets such as overpressure, leak, over temperature, etc.

Fig-3 illustrates the required protection layers for a pressure vessel. In this example, the high pressure trip is an instrumented system and protects against overpressure by shutting the EDV valve located on the feed stream.

If the high pressure trip fails on demand then the pressure relief valve protects the equipment against overpressure by discharging the materials to a safe location (flare). By doing so, valuable process materials are lost but the equipment remains safe and functional.

Safety Analysis Tables (SAT) are mini-HAZOPs that assess the causes and consequences of the process upsets within generic equipment such as flowlines, pressure vessels, atmospheric vessels, pumps, compressors, heat exchangers and fired heaters (see Table-1).

Undesirable Event        | Cause                                      | Detectable Abnormal Condition at Component
-------------------------|--------------------------------------------|-------------------------------------------
Overpressure (Suction)   | Excess inflow                              | High pressure
                         | Failure of suction pressure control system |
                         | Compressor or driver malfunction           |
Overpressure (Discharge) | Blocked or restricted discharge line       | High pressure
                         | Excess back pressure                       |
                         | High inlet pressure                        |
                         | Over-speed                                 |
Leak                     | Deterioration                              | Low pressure
                         | Erosion                                    | High gas concentration (building)
                         | Corrosion                                  |
                         | Impact damage                              |
                         | Vibration                                  |
Excess Temperature       | Compressor valve failure                   | High temperature
                         | Cooler failure                             |
                         | Excess compression ratio                   |
                         | Insufficient flow                          |

Table-1: Safety Analysis Table for Compressor

Safety Analysis Checklists (SAC) review the requirement for the protective systems considering the upstream and downstream processes and the other protective systems (Table-2).

Safety Analysis Function Evaluation (SAFE) charts are similar to cause & effect matrices and summarise the protection measures and their effects. The advantages of a SAFE chart are:

1. Safety systems are summarised.
2. Rationales for the required safety measures are recorded in a traceable and auditable manner.

Table A-1.2—Safety Analysis Checklist (SAC)—Flow Line Segment

a. High Pressure Sensor (PSH).
   1. PSH installed.
   2. Flow line segment has a maximum allowable working pressure greater than maximum shut in pressure and is protected by a PSH on a downstream flow line segment.

c. Pressure Safety Valve (PSV).
   1. PSV installed.
   2. Flow line segment has a maximum allowable working pressure greater than the maximum shut in pressure.
   3. Two SDVs (one of which may be the SSV) with independent PSHs, relays, and sensing points are installed where there is adequate flow line volume upstream of any block valves to allow sufficient time for the SDVs to close before exceeding the maximum allowable working pressure.
   4. Flow line segment is protected by a PSV on upstream segment.
   5. Flow line segment is protected by a PSV on downstream component that cannot be isolated from the Flow line segment and there are no chokes or other restrictions between the Flow line segment and the PSV.

Table-2: Example Safety Analysis Checklist according to guidelines of API 14C

API 14C also provides the guidelines for location, maintenance and testing routines for the detection and final elements of the protection systems (Fig-4).

Fig-4: Location of safety systems according to API 14C

A dedicated onion diagram should be developed for each deviation within equipment under control (EUC) or area under control (AUC). Table-3 presents the protection layers for the credible undesirable events at a second stage compressor as an example.


SUMMARY OF THE PROTECTION MEASURES

Undesirable event                        | Total no. of protection layers | Protection adequate? | Achieved SIL | Remarks / Recommendations / Actions
-----------------------------------------|--------------------------------|----------------------|--------------|------------------------------------
Overpressure (Suction), excluding fire   | 3                              | Yes                  | 4            | For parallel operation the suction scrubber is inherently safe: design pressure = 210 barg; surge recycle line pressure = 144 barg
Overpressure (Discharge), excluding fire | 4                              | Yes                  | 4            |
Low pressure                             | 3                              | Yes                  | 1            |
Excess Temperature                       | 3                              | Yes                  | 1            |
Low Temperature                          | 3                              | Yes                  | 1            |
Liquid overflow in suction scrubber      | 2                              | Yes                  | 1            | No considerable liquid is expected in this vessel.
Reverse flow                             | 3                              | Yes                  | 3            | Double check valves of two different types are considered as SIL2 secondary protection.
Leak                                     | 3                              | Yes                  | 3            | 1PZA-2p20-LL can be an indication of gas leak to atmosphere.
External fire                            | 2                              | Yes                  | 4            | The suction scrubbers and pipework outside the compressor house are protected by the PFP.

Protection layer columns of the original table (individual layer marks L0 to L5 not reproduced): L0- Inherently Safe, L1- BPCS, L2- Alarm, operator, L3- SIS, L4- Mechanical/ Relief devices, L5- Physical protection: L5.1 - ESD, L5.2 - EDP, L5.3 - Passive fire protection, L5.4 - Active fire protection

Table-3: Protection layers for different undesirable deviations within equipment

LOPA is successful and adds value for all disciplines if the following issues are taken into account:

1- BPCS, alarms and trips are provided to protect against the process deviations within the equipment under control (EUC). If one of these protection layers works, no hazardous material is released. Therefore people and the environment won’t be harmed and the consequence of the undesirable event will be limited to “loss of production”, including the time required to shut down, investigate and re-start.

Mechanical systems such as the pressure relief valve still protect the process equipment. If the instrumented protection layers don’t work, the relief valve will open and the consequence of the undesirable event will extend to loss of valuable materials plus a controlled environmental damage.

If all the process safeguarding layers fail to function then hazardous material is released into the atmosphere and the boundary of the event changes from the equipment under control (EUC) to the area under control (AUC), as shown in Fig-5.


Fig-5: Layer of protection prior to and post hazardous material release (onion diagram, outermost layer first):
COMMUNITY EMERGENCY RESPONSE: Emergency broadcasting
PLANT EMERGENCY RESPONSE: Emergency Power; Emergency Communication; Emergency Lighting
MITIGATION (Fire & Explosion) / PREVENTION OF ESCALATION: Fire & Gas Detection System; Emergency Shutdown (ESD-1); Blowdown & Drainage System; Active & Passive Fire Protection
MITIGATION (Process Safeguarding): Mechanical mitigation system (e.g. pressure relief, dike, …)
PREVENTION: Process Shutdown (ESD-3 & ESD-2); Process alarms with operator corrective action
CONTROL and MONITORING: Basic Process Control Systems; Monitoring system (process alarms); Operator supervision
PROCESS
Boundaries marked on the figure: PROCESS (EUC); Fire Zone (AUC); EER Area (AUC)

2- Safety measures to protect the area under control are classified as the “mitigation measures” with respect to the process upsets. Sometimes risk assessors assume that at this stage additional safety measures have no effect on safety, because a fire or explosion will cause immediate fatalities and equipment damage, and therefore no further protection layer is required.

This is a wrong assumption, because mitigation measures with respect to the EUC are indeed the “preventive measures” against further escalation.

Escalation can lead to a major accident and affect the public. If the tolerable risk to the public is considered as 1E-6/yr then the frequency of major accident/escalation should be less than 1E-9/yr, which can never be achieved by the process safeguarding only.

3- Protection layers for EUCs are relatively standard, but the protection layers for the AUC can be very different from one case to another and depend on:

- type of released material
- type of external fire, jet or pool fires
- type of process material in the equipment which is exposed to the external fire
- sources of ignition in the area
- safety distances, layout and congestion of process equipment and modules

For example, if the process equipment contains liquefied material, passive fire protection is the best option to protect the vessel against fire impingement, because the pressure relief valve protects the vessel against overpressure but cannot protect the vessel body against the local damage which may cause a catastrophic rupture and further BLEVE.

4- The fire & gas detection system is much more complex than process detection. It consists of numerous detectors and a dedicated panel. The number of detectors provided for coverage reasons should not be confused with a redundancy measure.

5- The blowdown system is dependent on the ESD systems. If the ESD system fails to isolate a section then the automatic blowdown valves will not be opened either.

6- The effectiveness of non-instrumented systems such as safety distances, passive fire protection and active fire protection is also dependent on the performance of the instrumented protection measures.

For example, passive fire protection is implemented to protect the equipment against fire impingement and thermal radiation for a period of time (30 min to 2 hr). If the ESD system fails to operate then the duration of the fire can exceed the failure time of the passive fire protection and escalation will occur.

7- EER (Escape, Evacuation & Rescue) should also be considered as a new area under control. Survivability of emergency systems when they are exposed to thermal radiation, blast overpressure, dropped objects, impact, etc. is as important as their reliability.

For example, if an unprotected relief valve is exposed to external fire or thermal radiation for more than 15 min then it may be impaired before the overpressure inside the vessel reaches the relief set point.

8- Hazardous materials can be released not only due to process upsets but also due to other causes such as mechanical failure, structural failure, dropped objects, impact, etc. Therefore the overall release frequency is much higher than the release frequency due to a single hazardous process upset.

9- Safety measures for different release sizes are also different because:

- The duration of small releases is very long but their consequences are limited. Therefore, the protection philosophy is focused on “mitigation measures”.
- The duration of large releases is short but their consequences are very severe. Therefore, the protection philosophy is focused on “prevention measures”.
- Both the duration and consequences of medium releases are significant. Therefore, both “prevention measures” and “mitigation measures” are required to reduce their risk to ALARP.

2- LAYER OF PROTECTIONS INTEGRITY

A Safety Integrity Level (SIL) is defined as a discrete level (one out of a possible four) for specifying the safety requirements of the safety functions to be allocated to safety-related systems, where safety integrity level 4 has the highest level of integrity and safety integrity level 1 has the lowest. Many organisations avoid the use of SIL4 and require the hazard to be addressed by redesign instead. SIL is a direct expression of the implied reliability of the equipment under the IEC 61508 standard.

Qualitative SIL assessment is performed through brainstorming sessions using risk graphs and calibration tables. Following these sessions the safety instrumented systems are classified and screened based on their required SIL.

SIL2 and higher should be assessed by a quantitative approach using a combination of fault and event trees.

A safety system with a higher SIL means that a lower probability of failure on demand can be tolerated. Probability of failure on demand can be reduced or eliminated by different techniques including intrinsically safe design, fail safe design, redundancy, shorter inspection, test and planned maintenance routines, and more advanced technology.
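The arithmetic behind the SIL discussion above and the 1E-6/yr versus 1E-9/yr escalation argument in item 2 of Section 1, as an added example that is not part of the original paper: it credits independent protection layers by multiplying their PFDs, maps the residual gap to an IEC 61508 SIL band, and shows how the proof-test interval of a single-channel trip moves its PFDavg across SIL bands. The initiating-event frequency, target frequencies, layer PFDs and the dangerous-undetected failure rate are constructed for illustration, not taken from the paper.

```python
"""LOPA arithmetic: mitigated scenario frequency, the SIL band required to close
the gap to a target frequency, and the effect of the proof-test interval on the
PFDavg of a single-channel trip. All numeric inputs are constructed (assumed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand PFDavg bands: (SIL, lower bound inclusive, upper bound exclusive)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
# Best risk reduction factor a single SIF can claim (SIL 4 lower bound, 1 / 1e-5)
MAX_SINGLE_SIF_RRF = 1e5


def sil_for_pfd(pfd: float) -> int:
    """SIL band a PFDavg falls in; 0 means the PFD is too poor for any SIL claim."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 4  # below 1e-5 is outside the tabulated bands; capped at SIL 4 here


@dataclass
class Layer:
    """One independent protection layer (IPL) credited in the scenario."""
    name: str
    pfd: float  # probability of failure on demand; must be independent of other IPLs


def mitigated_frequency(f_initiating: float, layers: List[Layer]) -> float:
    """Scenario frequency after all credited IPLs: f_IE * product(PFD_i).
    Only valid when every layer is independent of the initiating event and of
    each other (the paper's independence requirement); a shared cause breaks it."""
    f = f_initiating
    for layer in layers:
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"PFD of {layer.name!r} must be in (0, 1]")
        f *= layer.pfd
    return f


def required_extra_pfd(f_mitigated: float, f_target: float) -> Optional[float]:
    """PFD one additional IPL must achieve to reach the target, or None if already met."""
    if f_mitigated <= f_target:
        return None
    return f_target / f_mitigated


def pfd_1oo1(lambda_du_per_hour: float, proof_test_interval_years: float) -> float:
    """Simplified IEC 61508 PFDavg for a single (1oo1) channel: lambda_DU * T / 2."""
    return lambda_du_per_hour * proof_test_interval_years * HOURS_PER_YEAR / 2.0


# Constructed scenario: overpressure of a compressor suction scrubber (cf. Table-1, Table-3)
F_INITIATING = 0.1          # per year: failure of the suction pressure control loop (assumed)
F_TARGET_RELEASE = 5e-7     # per year: tolerable frequency of a gas release from the EUC (assumed)
EXISTING_LAYERS = [
    Layer("Process alarm with operator corrective action", 0.1),  # L2 (assumed PFD)
    Layer("Pressure relief valve discharging to flare", 0.01),    # L4 (assumed PFD)
]
LAMBDA_DU_TRIP = 2e-6       # dangerous undetected failures per hour of the candidate trip (assumed)
F_ESCALATION_TARGET = 1e-9  # per year, the escalation target quoted in the paper


def worked_example() -> Dict[str, object]:
    """Run the scenario and return every intermediate value."""
    out: Dict[str, object] = {}
    f_now = mitigated_frequency(F_INITIATING, EXISTING_LAYERS)
    gap = required_extra_pfd(f_now, F_TARGET_RELEASE)
    out["f_mitigated"] = f_now
    out["gap_pfd"] = gap
    out["required_sil"] = sil_for_pfd(gap) if gap is not None else 0
    # Does a 1oo1 high-pressure trip (L3) close that gap at different proof-test intervals?
    for months in (24, 12, 6):
        pfd = pfd_1oo1(LAMBDA_DU_TRIP, months / 12)
        out[f"trip_pfd_T{months}m"] = pfd
        out[f"trip_sil_T{months}m"] = sil_for_pfd(pfd)
        # Landing in the right SIL band is not enough; the specific PFD target must be met too
        out[f"trip_meets_target_T{months}m"] = gap is not None and pfd <= gap
    # Escalation: risk reduction needed from the initiating event down to 1E-9/yr
    rrf = F_INITIATING / F_ESCALATION_TARGET
    out["rrf_for_escalation"] = rrf
    out["single_sif_enough"] = rrf <= MAX_SINGLE_SIF_RRF  # False: needs several independent layers
    return out


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:28s} {value}")
```

With these inputs the two existing layers leave a 1E-4/yr release frequency, the gap calls for a SIL 2 trip with PFD 5E-3, and only the 6-month proof-test interval meets that figure even though the 12-month interval already sits in the SIL 2 band.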

Fig-6: Higher SIL means fewer flaws in safety barrier performance

Specification of SILs will allow procurement of equipment with optimum reliability and assurance of a safety function on demand. SIL requirements are incorporated in the performance standards and written schemes of examination of the safety critical systems.

Typical maintenance or testing routines are recommended by the manufacturer. Sometimes a shorter test period and more rigorous planned maintenance routines are required to achieve the required SIL. It is essential that the importance and nature of such maintenance and tests are clearly communicated between the designers, operations and maintenance teams.

3- PERFORMANCE STANDARD & VERIFICATION SCHEME OF PROTECTION SYSTEMS

The effectiveness of the protection system functions is not only dependent on reliability/availability but also on their survivability under accident conditions and their interaction with/dependency on the other safety systems. Performance standards are prepared to summarise the following requirements for the safety critical systems, subsystems and elements in a traceable and auditable manner:

- Goals
- Boundaries
- Functionalities
- Reliability / Availability
- Survivability
- Interaction / Dependencies.


Verification schemes define the risk based inspection to ensure that the performance standards are maintained during operation (Fig-7).

Fig-7: Performance Standard Tables (headings of each table as shown in the figure):
Performance Objectives; System Components
FUNCTIONALITY: Function | Performance Criteria & Basis | Assurance | Verification
RELIABILITY / AVAILABILITY: Sub-System/Component | Performance Criteria & Basis | Assurance | Verification
SURVIVABILITY: Hazardous Event | Performance Criteria & Basis | Assurance | Verification
INTERACTIONS / DEPENDENCIES / LIMITATIONS: System/Sub-System | Supplier | Safety Critical Element (Y/N) | Interactions/Dependencies/Limitations | Performance Standard Ref. | Responsibility
INTEGRITY ENVELOPE: Failure Mode | Performance Criteria | Threshold | Operational Limitation
SAFETY CRITICAL ELEMENTS (Equipment, Components and Software): Element | Supplier | Failure Mode | Severity Ranking | Assurance | Verification

4- REQUIRED SAFEGUARDS & HAZOP

LOPA was developed as an extension to Process Hazard Analysis (PHA) to provide an objective, rational and defensible basis for recommendations to install or not to install safeguards.

During a conventional HAZOP, process deviations, their causes, consequences and safeguards are assessed “qualitatively” by a systematic brainstorming approach. The main issues associated with HAZOP are as follows:

a- The guide words classify the process operating hazards as “higher” or “lower” than the operating intent but they don’t address the extent of these deviations. The HAZOP team is not informed and/or encouraged to reflect on the ultimate extent of the deviation. The causes, consequences and required safeguards for the deviation scenarios depend on the ultimate extent of the deviation. For example, if the ultimate extent of high pressure in a node is less than 5% then a conventional single loop control system is sufficient, but if the pressure can increase to more than 21% above the design pressure then a high pressure trip and relief valve should also be added to protect the equipment or node against such overpressures.

b- Dependency and interaction between the different deviations are not recorded systematically.

c- Intermediate consequences are not distinguished from the ultimate consequences. For example, uncontrolled high pressure may cause a small, medium or large flammable gas release. Depending on non-process safeguards such as safety distances from the ignition sources, area classification, layout and congestion of the process module, the released gas can be:

- dispersed safely, or
- ignited immediately and result in a jet fire, or
- accumulated and cause an explosion due to delayed ignition.

d- Simultaneous multiple failures/causes are not considered.

e- A node represents a section of a process in which conditions undergo a significant change. For example, a pump system will be a node because liquid pressure is increased. The decision as to how big a node may be will depend on the experience of the team, the degree to which similar process systems have already been discussed, the complexity of the process and the judgment of the HAZOP chairman.

The safeguards identified as required for a node may not be required if the protection function is provided by another safety device(s) at upstream or downstream nodes. There is no HAZOP checklist similar to the API 14C Safety Analysis Checklists (SAC) allowing the exclusion of some devices (Table-2).

f- Consequences are assessed based on subjective engineering judgement.

g- Sometimes the consequences are underestimated because it was assumed that the safeguards within and outside the node function.

h- Hierarchy, capacity, set point, location and reliability of the safeguards are not reported and remain vague.

For example, in an alarm management survey performed by HSE in the UK [1], a major concern expressed by operators was that “HAZOPs increase the number of alarms”.

HAZOP reviews very often result in increases in the number - and the complexity - of the alarms. An automatic reaction could develop of seeing a problem - e.g. the possibility of a valve being left open - and installing an alarm to indicate this. Each alarm is individually intended to increase the safety of the plant, but as a whole the proliferation of alarms reduced the chances of the operator noticing any particular alarm. No “cost” was assigned to putting in an alarm on a DCS, and there are generally no controls to prevent more and more being installed. Moreover, alarms identified in HAZOP could become labelled as “safety related” and get locked into the safety case of the plant, which will be difficult to alter at a subsequent time if they cause a nuisance.

A preliminary HAZOP should be performed at an early stage of the project when the process flow diagrams (PFD) are ready and none of the protection layers have been implemented yet. The causes and consequences of the process deviations should be evaluated without any safeguards. The HAZOP actions should recommend the required layers of protection.


Then a SIL assessment should be performed to determine the required integrity level of the instrumented protection systems.

When the project has progressed, a detailed HAZOP should be performed to minimise the risk of increasing the complexity of safety barriers by adding unnecessary or contradictory safeguards.

5- SENSITIVITY ANALYSIS BY DYNAMIC SIMULATIONS

Dynamic simulation is rarely used as supporting evidence for consequence assessment in HAZOP sessions, while it is the only way to make a good judgement about the ultimate extent of HAZOP guidewords. It also makes it possible to simulate sequenced and/or multiple failures.

Fig-8 illustrates a typical dynamic simulation model. This model should be built prior to HAZOP. Then the HAZOP team can study different types of failures, such as blocked outlets due to failure of one of the control loops. In this example it can be observed that with the present tuning of PIC-101 the pressure at D100 is controlled at 17 barg but the pressure control valve begins to chatter.

The authors of this paper believe that not only high fidelity dynamic simulation models but also simpler Laplace transform models can significantly improve the quality of process deviation consequence assessments.

Fig-9 illustrates a two tank level control. In this example, since there are now two lags to control, the simple gain control is no longer sufficient for good performance and the height of liquid in tank 1 gets unacceptably large.


Fig-8: Example of dynamic simulation based on the high fidelity model on OTS platform (Demo: http://www.adepp.com/Site_Demo/ADEPP_HSE_Toolkit.html)

Fig-9: Example of Laplace transform application as a dynamic simulation tool. With permission and courtesy of Ventimar LLC and SimApp. Full report is available at http://www.simapp.com/simulation-tutorials

6- ADEPP LOPA monitor


To achieve an effective LOPA, numerous data, code based requirements, and specific and supporting studies from different disciplines and phases of the project should be considered in a consistent, traceable and auditable manner.

The LOPA module of ADEPP monitor combines HAZOP, FMEA, API 14J checklist, BPCS, alarm management, SIL assessment and API 14C to support consistent safety barrier identification and management.

Fig-10: ADEPP LOPA monitor (Demo: http://www.adepp.com/Site_Demo/ADEPP_HSE_Toolkit.html)

ADEPP monitor provides generic performance standards for the protection systems which are determined during LOPA. These generic Performance Standards can be copied and customised for project specific systems.

Critical tasks are defined by verification schemes. They are easily attached to each performance standard and planned for the life cycle of the project.

ADEPP monitor is an online open source database and eases the communication between the project team, consultants and verification parties while they are located in physically remote offices. On-time reactions and corrective actions can save considerable project time and effort.

7- CONCLUSION

Layer of protection analysis is an effective approach to assess the requirements for both instrumented and non-instrumented safety measures.


Identification of the layers of protection depends on the availability of safety studies, the level of scrutiny and the judgement of the assessors. Therefore it is crucial that all the relevant disciplines and phases of the project get involved in LOPA.

API 14C is a robust and cost effective LOPA which can be used at an early stage of the project. When the project progresses and more information is available, the Bow-tie approach can be used as the extended LOPA for different risk based studies such as SIL assessment and verification.

Proper definition of the scope and boundaries of the equipment and/or area under control is a key factor for successful and consistent safety barrier management.

ADEPP LOPA monitor is designed to communicate the roles and responsibilities for identification and management of critical protection systems to the Company, Contractors, Consultants and Verification bodies.

8- Acronyms

ADEPP Analysis & Dynamic Evaluation of Project Processes

ALARP As Low As Reasonably Practicable

API American Petroleum Institute

AUC Area Under Control

BLEVE Boiling Liquid Expanding Vapour Explosion

COMAH Control of major accident hazards

EEMUA Engineering Equipment and Materials Users Association

EER Escape, Evacuation & Rescue

ESD Emergency Shutdown

EUC Equipment Under Control

F&G Fire & Gas

FES Fire & Explosion Study

FMEA Failure Mode and Effect Analysis

HAZID Hazard Identification

HAZOP Hazard & Operability

HSE Health & Safety Executive

HSEMS Health, Safety and Environmental Management System

IEC International Electrotechnical Commission

ISA International Society of Automation

LOPA Layer of Protection Analysis

OREDA Offshore Reliability Data


P&ID Piping & Instrumentation Diagram

PFD Process Flow Diagram

PFEER Prevention of Fire & Explosion Emergency Response

SAC Safety Analysis Checklist

SAFE chart Safety Analysis Function Evaluation chart

SAT Safety Analysis Table

SCE Safety Critical Element

SCS Safety Critical System

SDV Shutdown Valve

SIL Safety Integrity Level

9- References

[1] F. Salimi, “Requirement engineering and management - fundamental issues in the Performance Standards of Safety Critical Elements”, Hydrocarbon Processing journal, Nov. and Dec. 2009.

[2] Roger, M. C., Bamforth, P., Salimi, F., Thomas, E. J., “Determination of safety critical equipment, safety critical procedures and software utilising quantitative risk assessment data,” Offshore structures hazards & integrity management, International conference of ERA Technology, London, UK, 4-5 December 1996.

[3] Dr. Salimi Fabienne-Fariba, Mutiplan R&F, France and Martin C. Rogers, Kvaerner Oil & Gas, UK, “Use of Quantified Risk Assessment for the determination of Safety Integrity Levels (SIL) utilised in the design of offshore oil and gas installations”, ERA Technology, Dec. 1999.

[4] The Management of alarm systems, HSE, 1998. Available at: http://www.hse.gov.uk/research/crr_pdf/1998/crr98166.pdf

[5] OREDA (Offshore Reliability Data), DNV.

[6] Asset Integrity – The key to managing major incident risk, OGP Report No. 415, 2008. Available at: http://chen.qatar.tamu.edu/assets/PDFs/OGP_Guide.pdf

[7] Asset Integrity Programme, HSE (UK). Available at: http://www.hse.gov.uk/offshore/kp3.pdf