VALUE AT RISK PERSPECTIVE ON LAYERS OF
PROTECTION ANALYSIS


Correspondence to:
Professor D. Ford, Mary Kay
O’Connor Process Safety
Center and Artie McFerrin
Department of Chemical
Engineering, Texas A&M
University, College Station,
TX 77843-3122, USA.
E-mail: D-Ford@chemail.
tamu.edu
DOI: 10.1205/psep.05195
0957–5820/07/
$30.00 þ 0.00
Process Safety and
Environmental Protection
Trans IChemE,
Part B, January 2007
# 2007 Institution
of Chemical Engineers
J. S. Fang1, M. S. Mannan1, D. M. Ford1
, J. Logan2 and A. Summers2
1
Mary Kay O’Connor Process Safety Center and Artie McFerrin Department of Chemical Engineering,
Texas A&M University, Texas, USA.
2
SIS-Tech, Houston, Texas, USA.
Abstract: Layers of protection analysis (LOPA) is an established tool for designing, character-
izing, and evaluating risk in the chemical process industry. Value at risk (VaR) is a method first
introduced in the financial sector for modeling potential loss in a complex venture. In this paper
we demonstrate the application of VaR principles to the LOPA of an ethylene refrigeration com-
pressor. We calculate the changes in risk profile (probability versus loss) associated with adding
or removing different safety interlocks around the compressor. The VaR analysis shows that the
benefits of a given layer of protection are not necessarily captured by a single average number,
since the entire probability –value curve is affected. This type of analysis will aid in the allocation
of limited resources to process risk interventions.
Keywords: chemical process safety; value at risk; quantitative risk assessment; layers of protec-
tion analysis.
INTRODUCTION so as not to assume more risk reduction than
is theoretically possible based on the perform-
Background ance of the individual components (Summers,
2003). The studies of LOPA by Pasman
Due to the inherent sensitivity of the chemical
(2000) and Summers (2003) provide an over-
process industry to the consequences of fail-
all picture of its role in chemical process
ure, chemical process safety has been a
safety.
major concern for some time. In the current
Another concept used in this paper is value
era of market mechanisms and efficiency,
at risk (VaR). Borrowed from the finance lit-
the underlying driving forces are to make pro-
erature (Jorion, 2000), VaR is a method of
duction economically competitive, to save
evaluating the probability of a gain or loss in
investment money where possible, and to
a complex venture by examining the stochas-
avoid overdoing measures that just serve to
tic behaviour of its components. We have
safeguard. However, adequate safety stan-
begun a program to implement VaR method-
dards have proven financially beneficial
ology to provide a bridge between the engin-
(Pasman, 2000).
eers and scientists who calculate process
A careful evaluation of existing or proposed
risk and the business leaders and policy
installations is essential for an adequate
makers who evaluate, manage, or regulate
safety environment. HAZOP (hazards and
risk in a broader context. Our motivation is
operability analysis) and QRA (quantitative
that current summative assessments of risk,
risk assessment) studies are typically used
such as likelihood –consequence matrices,
to determine the likelihood of undesired
may not provide the best basis for decision-
events and severity of consequences
making (Summers, 2003). In a previous publi-
(Center for Chemical Process Safety of the
cation, we demonstrated the application of
American Institute of Chemical Engineers,
VaR to two process safety case studies;
1989). A more advanced method is a layers
event trees for potential incidents with chlor-
of protection analysis (LOPA), which defines
ine rail transport and propane gas storage
a series of independent layers of defense
were used to generate VaR loss probability
against harmful events and their conse-
functions and assess risk (Fang et al.,
quences. These defense layers can range
2004). Barbaro and Bagajewicz (2004) have
from interlocks and alarms to blast walls and
recently employed VaR in developing a two-
dikes (Pasman, 2000). LOPAs differ from tra-
stage stochastic formulation for managing
ditional HAZOPs in that the analysis organizes
financial risk in planning under uncertainty.
safeguards into discrete independent layers,
81 Vol 85 (B1) 81–87
82 FANG et al.
Present Work
In this paper we describe the integration of QRA with VaR.
Specifically we analyse the VaR loss probability distribution
functions associated with different configurations of protec-
tion layers around an ethylene refrigeration compressor.
The frequency and cost data are real-world estimates for
this type of equipment. The paper is organized as follows.
The next section defines the process, potential hazards,
and available layers of protection. The third section describes
the VaR theory as applied to this problem. The results and
conclusions are presented in the two final sections,
respectively.
PROBLEM DEFINITION
Process Description and Potential Failures
The main focus of our analysis is an individual ethylene gas
refrigeration compressor with a capacity of processing
millions of pounds of material per day. Such a device would
be found in a liquefied natural gas processing complex, con-
densing light hydrocarbons for storage and transportation.
The compressor, like any piece of equipment, is subject to fail-
ures of varying type and severity. We will consider six different
types of failure, namely failures associated with surge control,
high suction drum level process demand, lube oil control, seal
oil control, speed suction control and vibration process
demand. Most of these failure types, if unchecked, would
result in approximately one million dollars of equipment
damage plus the loss of production from being shut down
for about 7 days. The exception is a seal oil control failure,
which would incur a 30-day loss of production. To prevent
these high levels of damage, one may install safety interlocks
that shut down, or ‘trip’, the compressor in response to an
undesirable event. These shutdowns typically cause the com-
pressor to be down for one business day, significantly limiting
the loss. However, one drawback of the interlocks is that they
occasionally have spurious trips that shut down the compres-
sor when there is no true process fault; this causes unnecess-
ary loss in production. Details of the interlock implementation
are described in the next section.
Layers of Protection
SIS-Tech has performed a QRA on a set of safety inter-
locks for the ethylene refrigeration compressor as described
above. The interlocks are layered in series so that if the
first interlock does not successfully shut down the system,
the second can shut it down, and so on. The QRA is rep-
resented as a set of event trees, each modeling the response
of the safety system to one of the failure events described in
the previous section. Each interlock and event tree is con-
sidered to be independent of the others. Figure 1 shows
Figure 1. General form of event tree.
Trans IChemE, Part B, Process Safety and Environmental Protection, 2007, 85(B1): 81–87
the generic event tree structure. The top event (failure)
occurs with an estimated frequency. Each of the safety
interlocks provides a success/failure node; there is a certain
probability (x) that the interlock will successfully trip the
compressor and a complementary probability (1 2 x) that it
will not trip. The upward branch represents a successful
trip and ends with a shutdown; the downward branch rep-
resents a failure to trip and leads to either a subsequent
interlock or ultimate compressor failure (if it is the last
layer). The appropriate branch probabilities are multiplied
by the top event frequency to yield the frequencies of a
given sub-event (a successful shutdown or an ultimate
compressor failure).
While we consider six types of failure events, there are
multiple surge controllers, so there are actually eight distinct
top events: (1) 1st SG surge control failure, (2) 2nd/3rd SG
surge control failure, (3) 4th/5th SG surge control failure,
(4) high suction drum level process demand failure, (5) lube
oil control system failure, (6) LC01 seal oil control failure,
(7) speed suction control failure, and (8) vibration process
demand failure. Each of the eight top events was given a fre-
quency determined from historical data.
Table 1 provides a summary of the eight top events and
their sub-events, corresponding to the response of the
safety devices in the different layers of protection. The
first column of Table 1 lists the events and sub-events.
The second column provides the cost associated with
each individual sub-event outcome. The third column
provides the frequency associated with each top and
sub-event, for the base case of full layers of protection (all
devices in place). Subsequent columns represent the
same information, but for perturbations of the base case
(called ‘scenarios’) where one layer of protection has been
removed. The cost data for each sub-event is not
scenario-dependent, so it appears in only one column.
The frequencies and costs for a top event and its sub-
events can be mapped directly onto an event tree like that
shown in Figure 1.
Spurious trips of these safety devices are summarized at
the bottom of Table 1, with the considered possible trips
being (1) Overspeed 1, (2) Overspeed 2, (3) Vibration, (4)
KO drum level 1–5, (5) lube oil pressure, and (6) SO level.
Each of these spurious trips may be considered as an inde-
pendent, individual sub-event for the purposes of the follow-
ing discussion.
THEORY AND METHODS
Calculations of Frequencies and Cost Values
As mentioned previously, the sub-event frequencies in
Table 1 were obtained from an event tree like that shown in
Figure 1. The frequency of sub-event i is given by
Y
i
fi ¼ Ftop pj (1)
j¼1
where Ftop is the top event frequency and pj is the appropriate
branch probability at node j. The pj were obtained from his-
torical performance data.
For clarity, we briefly describe an example of our frequency
calculations for the case of SG surge control failure (top
event 1) in the scenario without Overspeed interlock 1
 VALUE AT RISK PERSPECTIVE ON LAYERS OF PROTECTION ANALYSIS 83

Table 1. Frequencies and cost data for all the events and cases.

Cost Bas case Scenario w/o Scenario w/o Scenario w/o

Top event (US dollars) (1y21) Overspeed Interlock 1 Overspeed Interlock 2 vibration Interlock

"(1) SG surge control fails 1.60E–01 1.60E– 01 1.60E–01 1.60E– 01

Overspeed interlock 1 success $266, 667 1.57E–01 0.00E þ 00 1.57E–01 1.57E– 01
Overspeed interlock 2 success $266, 667 3.64E–03 1.56E– 01 0.00E þ 00 3.64E– 03
Vibration interlock success $266, 667 8.47E–05 3.64E– 03 3.61E 2 03 0.00E þ 03
Vibration interlock failure $2, 466, 667 2.02E–06 8.69E– 05 8.88E–05 8.68E– 05

(2) 2nd/3rd SG surge control fails 1.36E–01 1.36E– 01 1.36E–01 1.36E– 01

Overspeed interlock 1 success $266, 667 1.33E–01 0.00E þ 00 1.33E–01 1.33E– 01
Overspeed interlock 2 success $266, 667 3.09E–03 1.33E– 01 0.00E þ 00 3.09E– 03
Vibration interlock success $266, 667 7.20E–05 3.10E– 03 3.03E–03 0.00 þ 00
Vibration interlock failure $2, 466, 667 1.71E–06 7.36E– 05 7.20E–05 7.23E– 05

(3) 4th/5th SG surge control fails 1.36E–01 1.36E– 01 1.36E–01 1.36E– 01

Overspeed interlock 1 success $266, 667 1.33E–01 0.00E þ 00 1.33E–01 1.33E– 01
Overspeed interlock 2 success $266, 667 3.09E–03 1.33E– 01 0.00E þ 00 3.09E– 03
Vibration interlock success $266, 667 7.20E–05 3.10E– 03 3.03E–03 0.00E þ 00
Vibration interlock failure $2, 466, 667 1.71E–06 7.36E– 05 7.20E–05 7.23E– 05

(4) High level process demand 1.00E–02 1.00E– 02 1.00E–02 1.00E– 02

KO Drum LVL Interlock 1 –5 $266, 667 9.77E–03 9.77E– 03 9.77E–03 9.77E– 03
Vibration interlock success $266, 667 2.25E–04 2.25E– 04 2.25E–04 0.00E þ 00
Vibration interlock failure $2, 466, 667 5.35E–06 5.35E– 06 5.35E–06 2.30E– 04

(5) Lube Oil control system 1.01E–01 1.01E– 01 1.01E–01 1.01E– 01

Lube oil press interlock $266, 667 9.87E–02 9.87E– 02 9.87E–02 9.87E– 02
Vibration interlock success $266, 667 2.27E–03 2.27E– 03 2.27E–03 0.00E þ 00
Vibration interlock failure $2, 466, 667 5.41E–05 5.41E– 05 5.41E–05 2.32E– 03

(6) LCO1 Seal Oil Control Fails 9.80E–02 9.80E– 02 9.80E–02 9.80E– 02
SO level interlock success $266, 667 9.58E–02 9.58E– 02 9.58E–02 9.58E– 02
SO level interlock failure $7, 066, 667 2.26E–03 2.26E– 03 2.26E–03 2.26E– 03

(7) Speed suction control 1.30E–01 1.30E– 01 1.30E–01 1.30E– 01

Overspeed interlock 2 success $266, 667 1.27E–01 1.27E– 01 0.00E þ 00 1.27E– 01
Overspeed interlock 1 success $266, 667 2.96E–03 0.00E– 00 1.27E–01 2.96E– 03
Overspeed interlock 1 failure $2, 466, 667 7.06E–05 3.00E– 03 3.04E–03 7.06E– 05

(8) Vibration Process Demand 1.00E–01 1.00E– 01 1.00E–01 1.00E– 01

Vibration interlock success $266, 667 9.77E–02 9.77E– 02 9.77E–02 0.00E þ 00
Vibration interlock failure $2, 466, 667 2.32E–03 2.32E– 03 2.32E–03 1.00E– 01

Spurious Events
Overspeed interlock 1 spurious $266, 667 4.08E–02 0.00E þ 00 4.08E–02 4.08E– 02
Overspeed interlock 2 spurious $266, 667 4.88E–02 4.88E– 02 0.00E þ 00 4.88E– 02
Vibration interlock spurious $266, 667 7.31E–02 7.31E– 02 7.31E–02 0.00E þ 00
KO DRUM LVL 1 –5 spurious $266, 667 1.20E–02 1.20E– 02 1.20E–02 1.20E– 02
Lube Oil press spurious $266, 667 1.20E–02 1.20E– 02 1.20E–02 1.20E– 02
SO level spurious $266, 667 1.20E–02 1.20E– 02 1.20E–02 1.20E– 02

(fourth column in Table 1). The top event frequency was
assigned a value of 0.16 y21 based on historical data. Since
Overspeed interlock 1 is absent in this scenario, the probability
of its success is 0 and therefore the frequency of its success is
(0.16 y21)
(0.0) ¼ 0.0 y21. Overspeed interlock 2 is present in
this scenario and we assign the probability of its successful
response on demand as 0.9769 based on historical data.
The frequency for Overspeed interlock 2 success is the pro-
duct of this probability and the demand frequency under this
scenario, i.e., (0.16 y21)
(1.0–0.0)
(0.9769) ¼ 0.0156 y21.
The final layer of protection is the vibration interlock, to
which we assign a success probability of 0.9760 on demand.
The frequency for successful vibration interlock intervention
is therefore (0.16 y21)
(1.0–0.0)
(1–0.9769)
(0.9760) ¼
0.00364 y21, and the frequency of failed vibration
interlock intervention is (0.16 y21)
(1.0–0.0)
(1–0.9769)

(1–0.9760) ¼ 0.0000896 y21. These calculations produce
the numerical values found in Table 1. We note that the top
event frequency Ftop and the probability of success on
demand for a given interlock type is held fixed across the differ-
ent scenarios; it is the presence or absence of a given layer of
protection that causes the differences in frequencies observed
in Table 1.
Each of the sub-event outcomes has an associated cost.
We assume that the cost may comprise both asset damage
and business interruption. Business interruption may include
both lost (flared) feed and product that was not made.
We assume that two hours of feed flaring occurs at every
shutdown and that the feed costs $0.20/pound. We also
assume that the earnings before interest, taxes, deprecia-
tion, and amortization (EBITDA) is $0.05/pound of product.
A one-day shutdown from any safety interlock trip will

Trans IChemE, Part B, Process Safety and Environmental Protection, 2007, 85(B1): 81– 87
84 FANG et al.

then cost roughly off the abscissa value v corresponding to the ordinate at

 the chosen confidence level pv. In the present case we
2 4 MM lb $0:20 have only three discrete cost values, so it is more convenient
ctrip ¼ day  
24 day lb to choose the median cost value and report the correspond-

 ing confidence level.
4 MM lb $0:05
þ 1 day   ¼ $266 667 (2) As a first step in calculating VaR, we must convert our
day lb
event frequencies Fc to normalized probabilities over a
For most events in which all interlocks fail, there will be chosen time horizon. Perhaps the simplest approach is to
approximately $1 MM in damage to the compressor plus a assume that failure events are uncorrelated in time over a
seven day shutdown of the process. The cost will be given horizon. This assumption is likely to be accurate in
our case, because the overarching QRA analysis assumes


2 4 MM lb $0:20 that failures arise from a variety of independent event types
cfail ¼ day   and sub-types (as shown in Table 1). So we employ a Pois-
24 day lb

 son distribution of events with a 1-year time horizon
4 MM lb $0:05
þ 7 days   þ $1 000 000
day lb ln l
pðn;lÞ ¼ e , n ¼ 0, 1, 2, 3, . . . (6)
¼ $2 466 667 (3) n!

where p(n;l) is the probability of exactly n events occurring in

In the special case of the failure of the seal oil control with one year, and l is the rate of events in units of y21. (Hahn
subsequent failure of all interlocks, the downtime will be 30 and Shapiro, 1967). We first obtain the probability of any
days, leading to a cost of event occurring by

 !
2 4MM lb $0:20 X
csofail ¼ day  
24 day lb pany ¼ 1  p 0; Fc (7)

 c
4MM lb $0:05
þ 30days   þ $1 000 000
day lb where the event rate is the sum of all the frequencies of all
¼ $7 066 667 (4) cost outcomes, and n has been set to zero because we are
interested only in the probability of at least one event occur-
So in this particular QRA example there are only three ring and not about the exact number. This probability of a
different possible cost outcomes, c ¼ $266 667, $2 466 specific event c occurring is simply given by
667 or $7 066 667. One of these costs is assigned to 0 1
each sub-event as shown in Table 1, and that cost is inde- F c
pendent of scenario. pc ¼ @P Apany (8)
Fc
c

Generation of Frequency-Cost Graphs and VaR
Statistics
For a given scenario, the total Frequency Fc at a given cost
outcome c was obtained by summing up all of the frequen-
cies as
X
Fc ¼ fi (5)
fsub-eventsi gc
where the sum includes only those sub-events that have the
particular cost outcome c (spurious trips included). This was
done for each different scenario shown in Table 1 and the
results are presented as bar graphs in the next section.
These graphs are similar to probability mass function (pmf)
graphs in statistics, except that we are plotting frequency
(in y21) instead of normalized probability.
In financial applications, the actual ‘value at risk’ is defined
as the value that sets some lower confidence limit on the nor-
malized probability-value function. For example, say that the
value v represents a lower limit (typically negative, indicating
a loss) where pv of the probability lies above it. Then we can
state that we are (pv  100)% certain that we will lose no
more than v over the time horizon used to construct the prob-
ability curve, or equivalently, with (pv  100)% certainty over
the next time period t, the VaR is v (Fang et al., 2004). A
cumulative representation of the probability curve is particu-
larly useful in determining VaR, since one may simply read
These probabilities can be used to construct probability mass
functions (pmf) and cumulative mass functions (cmf) and
subsequently calculate VaR values, as described above.
Total Expected Cost Value
A total expected cost value for each scenario was calcu-
lated as
X
kEl ¼ c Fc (9)
c
where the sum runs over all possible cost outcomes c (in our
example, there are three outcomes).
RESULTS
Overview
Results for the four scenarios shown in Table 1 are pre-
sented and discussed in this section. The scenarios are the
base case (full layers of protection), overspeed interlock 1
removed, overspeed interlock 2 removed, and the vibrational
interlock removed. The different scenarios are presented
side-by-side in the figures for convenient comparison. The
frequency versus cost graphs are shown in Figure 2, the
cumulative mass function (cmf) graphs (as calculated via
the procedure described previously) are shown in Figure 3,

Trans IChemE, Part B, Process Safety and Environmental Protection, 2007, 85(B1): 81–87
 VALUE AT RISK PERSPECTIVE ON LAYERS OF PROTECTION ANALYSIS 85

Figure 2b. Close-up view of outcome frequencies at the $7 066 667

cost level.

statements can also be made from the corresponding cumu-

lative probabilities shown in Figure 3. For example, over a 1-
year time horizon, we are 99.71% confident that there will be
no worse than a $266 667 loss.
Figure 2. Outcome frequencies at all cost levels across all scenarios.
Case Without Overspeed Interlock 1

and the total expected values are shown in Figure 4. The In this case, we examine the impact of removing over-
(a,b) figures associated with Figures 2 and 3 are magnifi- speed interlock 1 layer of protection. As shown in Table 1,
cations of the low-frequency, high-cost events, which can we removed the benefits of overspeed interlock 1 from all
be difficult to see. The results of all the cmf and pmf studies top events and removed the possibility of spurious trips of
are summarized in Table 2. that device. Removal of this layer of protection affected five
of the eight top events.
Figure 2 shows that removing overspeed interlock 1
Base Case involves a tradeoff between risk at different cost levels.
Removing this interlock reduces the frequency of $266 667
The base case represents full layers or protection, mean- cost events to 1.022 y21, as compared to 1.066 y21 in the
ing the compressor is equipped with Overspeed interlock 1,
Overspeed interlock 2, and Vibrational interlock. The base
case data in Figure 2 may be used to make several state-
ments. For example, a catastrophic event costing the com-
pany $7 066 667 will happen with a frequency of 0.002259
per year (which equates to 440 years per loss of this mag-
nitude), and a shutdown at the least costly level of $266 667
will happen with a frequency of 1.066 per year. Value-at-risk

Figure 2a. Close-up view of outcome frequencies at the $2 466 667

cost level. Figure 3. Cumulative mass probability functions for each scenario.

Trans IChemE, Part B, Process Safety and Environmental Protection, 2007, 85(B1): 81– 87
86 FANG et al.

Figure 3a. Close-up view of the cumulative mass probability functions Figure 4. Total expected cost values for the four scenarios.
at the $2 466 667 cost level.

Case Without the Vibrational Interlock

base case. However, for the medium ($2 466 667) cost cat- In this scenario we removed the vibration interlock, a layer
egory the frequency is increased by 0.0031 y21. With this tra- of protection that does not always follow in series with the two
deoff comes less satisfying VaR values as compared to the aforementioned layers of protection. This particular layer of
base case; there is only a 99.51% confidence level that the protection affects six of the eight top events.
cost will be no worse than $266 667. This analysis clearly Removing the vibrational interlock is much more detrimen-
frames the impact of including, or omitting, Overspeed inter- tal to the entire safety plan. Although there is a significant
lock 1 layer of protection. 0.1735 y21 decrease in frequency at the low ($266 667)
level, there is a two order-of-magnitude increase in frequency
in the medium ($2 466 667) level. There is a 93.35% confi-
Case Without Overspeed Interlock 2 dence level that the cost will be no greater than $266 667,
which is a much lower confidence than any of the previous
In this scenario, we removed a different layer of protection,
cases.
Overspeed interlock 2 (Overspeed 1 layer remained in
place). Using the same procedure as in the previous scen-
ario, we altered the frequencies of sub-events and spurious
trips accordingly (see Table 1). The removal of this interlock
affected the same five out of eight top events that first scen- Table 2. Frequency, cumulative probability, and VaR data for all of the
ario did. scenarios."
Figures 2 and 3 show that the effects of removing over- w/o w/o w/o
speed interlock 2 are almost identical to the effects of remov- Scenario Base Overspeed 1 Overspeed 2 Vibration
ing overspeed interlock 1. The VaR value is 99.51% at the
$266 667 mark. This is perhaps not surprising because the
Cost (1y21) (1y21) (1y21) (1y21)
Overspeed interlock 1 and Overspeed interlock 2 always outcome
appeared in series under the same top events. function
$266 667 1.0660 1.0218 1.0138 0.8925
$2 466 667 0.002455 0.005613 0.005648 0.1029
$7 066 667 0.002259 0.002259 0.002259 0.002259

Cumulative (Probability) (Probability) (Probability) (Probability)

mass
funtion
$266 667 0.6572 0.6393 0.6372 0.6316
$2 466 667 0.002894 0.004887 0.004931 0.06655
$7 066 667 0.001387 0.001402 0.001409 0.001430

Total $306 284 $302 299 $300 244 $507 680

expected
cost
values

Var
confidence
table
$0 34.28 36.07 36.28 36.84
$266 667 99.71 99.51 99.51 93.35
$2 466 667 99.86 99.86 99.86 99.86
Figure 3b. Close-up view of the cumulative mass probability functions $7 066 667 100.00 100.00 100.00 100.00
at the $7 066 667 cost level.

Trans IChemE, Part B, Process Safety and Environmental Protection, 2007, 85(B1): 81–87
 VALUE AT RISK PERSPECTIVE ON LAYERS OF PROTECTION ANALYSIS
Total Expected Value for Damage Cost
The total expected loss value for each scenario is shown in
Figure 4; this is a simplified approach where the low prob-
ability/high cost –high probability/low cost tradeoffs are not
thoroughly examined, but rather all costs are integrated to
produce a single expectation value for each scenario. In
order of increasing expected cost, the scenario without Over-
speed interlock 2 is the least costly followed by overspeed
interlock 1, the base case, and then the very costly vibration
interlock scenario. As ranked solely by this criterion, the
scenario without vibration interlock is the least desirable by
far. The scenario without Overspeed interlock 2 is the most
desirable, slightly beating the base case of full layers of pro-
tection. There is an interesting contrast between this ranking
and one based on the VaR criterion, which would show that
the base case is the most desirable. This is discussed
more fully in the next subsection.
Best Choice Among the Four Scenarios?
The numerical results of the analysis are summarized in
Table 2. The total expected cost analysis and the VaR analy-
sis both send one consistent message: the first three scen-
arios (base, without Overspeed 1, without Overspeed 2) are
similar and much superior to the scenario without the
vibrational interlock. However, the two analyses diverge
slightly when considering which of the first three scenarios
is best. The total expected cost analysis indicates that the
scenario without Overspeed 2 is the best (least costly). The
VaR analysis provides a different viewpoint. In the ‘base’
scenario, we have a 99.71% confidence that there will be
no losses worse than $266 667 during the next year. In the
‘without Overspeed 2’ scenario, we have only a 99.51% con-
fidence of no losses worse than $266 667. The base scenario
might then be preferred because of this increase in confi-
dence level; although the magnitude of the increase is
small (0.2%), the next level of cost ($2 466 667) is an order
of magnitude higher.
The difference in conclusions occurs because the VaR
confidence criterion places more weight on the higher cost
levels, while the expected value criterion is based on a
straight average. Clearly, one effect of altering the layers of
Trans IChemE, Part B, Process Safety and Environmental Protection, 2007, 85(B1): 81– 87
87
protection scheme is to shift the probability between different
cost levels.
CONCLUDING REMARKS
We applied a VaR analysis to the LOPA of an ethylene
refrigeration compressor system. We analysed the data
with all layers of protection included and also in three different
scenarios in which one type of interlock was removed. We
found that the full layers of protection scheme was conserva-
tive, having the lowest frequencies of occurrence for the most
costly events but relatively frequent low-cost incidents (spur-
ious trips). Removing Overspeed interlock 1 and Overspeed
interlock 2 lowered the frequency of minor spurious shut-
downs but raised the chances of a more severe event.
Removing the Vibrational interlock, however, was much
more detrimental at the higher cost levels. A simple expec-
tation value calculation indicated that the scenario without
Overspeed interlock 2 would be the least costly on average.
However, a VaR analysis of frequencies and probabilities at
different cost levels can provide more insight than simple
averages when deciding on the allocation of safety
resources.
REFERENCES
Pasman, J., 2000, Risk informed resource allocation policy:
safety can save costs, Journal of Hazardous Materials, 71(1–3):
375– 394.
Center for Chemical Process Safety of the American Institute of
Chemical Engineers, 1989, Guidelines for Chemical Process
Quantitative Risk Analysis (American Institute of Chemical Engin-
eers, New York, USA).
Summers, A.E., 2003, Introduction to layers of protection analysis,
Journal of Hazardous Materials, 104(1– 3): 163 –168.
Jorion, P., 2000, Value at Risk: The New Benchmark for Managing
Financial Risk, 2nd edition (McGraw-Hill, New York, USA).
Fang, J., Ford, D. and Mannan, S.M., 2004, Making the business
case for process safety using value-at-risk concepts, Journal of
Hazardous Materials, 115(1–3): 17– 26.
Barbaro, A.F. and Bagajewicz, M., 2004, Managing financial risk in
planning under uncertainty, AIChE J, 50(5): 963– 989.
Hahn, G.J. and Shapiro, S.S., 1967, Statistical Models in Engineering
(John Wiley & Sons, Inc., New York, USA).
The manuscript was received 23 August 2005 and accepted for
publication after revision 16 May 2006.