In all of the years that I have been performing LOPA (16 now…), I am still shocked at the lack of use of templates for this activity, especially for common pieces of equipment where the operation and hazards are very consistent from unit to unit. With respect to selecting SIL targets for SIS equipment, I would speculate that about 80-90% of safety functions fall into this category.
For instance, fired heaters used in refineries and chemical process plants are all very similar. They usually have roughly the same set of safeguards, operate in very similar process conditions and environments, and are operated by organizations that are also very similar. While I don’t think that every process heater should be designed the same way, I do think that there is a great opportunity to decrease the amount of analysis time while increasing the consistency and quality of the risk analysis process by using templates for these equipment types. In addition to fired heaters, a similar approach could be employed for compressors and high head pump systems.
A streamlined approach would begin with a template of all of the safety instrumented functions that are typically deployed on that piece of equipment. For each function, the hazard that is being prevented would be listed along with either a constant consequence category, or rules for determining the consequence category based on conditions of the equipment (such as operating temperature/pressure, processed material phase, and location/occupancy considerations). Each of the potential initiating events would then be listed along with rules for determining whether or not the initiating event is valid for a particular device. For each initiating event, the typical safeguards would be listed. Each safeguard could then either be credited if it is present and valid, or recommended if it is not.
I think it is easy to see the huge benefit of this type of approach. It is easy for me to see because I know of a lot of “failed” LOPA studies that did things like omit important initiating events, fail to take credit for obvious safeguards, and set non-credible consequence categories. The reason for these failures is that the team – who are usually tired and bored (and even more so if the LOPA occurs along with the HAZOP) – is required to creatively dream up things that they may have never experienced. Starting with a good template should greatly improve quality, with the added benefit of streamlining the process: the template can be used with a smaller team, which can cover ground more quickly because there is less of a requirement for brainstorming.
I think that the ultimate end result of this thought process would be for SIL selection software tools to include “wizards” for common pieces of equipment (e.g., fired heaters) that ask questions about the design and operating conditions of these pieces of equipment, and then automatically create and pre-populate the LOPA scenarios that result in the selection of SIL targets. Keep your eyes on the development of the Kenexis Instrumented Safeguarding Suite (KISS), as this capability may be ready for commercialization soon!
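To make the template idea concrete, here is an added example (my own illustration, not Kenexis code and not the KISS wizard) of how such a template can be encoded and instantiated for one unit. The fired-heater template, the initiating event frequencies, the safeguard PFDs and the tolerable-frequency table are all constructed placeholders chosen to show the mechanics; they are not design data. Consequence category and initiating-event validity are rules evaluated against the unit's attributes, installed safeguards are credited and missing ones are returned as recommendations, and the summed mitigated frequency is turned into a required risk reduction factor and SIL target.

```python
"""Template-driven LOPA scenario builder for a common equipment type.

Added example, not Kenexis code: the fired-heater template, the
initiating-event frequencies, the safeguard PFDs and the tolerable-frequency
table are constructed placeholders to show the mechanics, not design data.
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class InitiatingEvent:
    name: str
    frequency: float                       # events per year (placeholder value)
    applies: Callable[[dict], bool]        # rule deciding validity for this unit
    typical_safeguards: List[str]          # safeguards normally credited against it


@dataclass
class SifTemplate:
    name: str
    hazard: str
    consequence_rule: Callable[[dict], int]   # equipment attributes -> category 1..5
    initiating_events: List[InitiatingEvent]


# Probability of failure on demand per safeguard (constructed placeholders).
SAFEGUARD_PFD: Dict[str, float] = {
    "low_pass_flow_alarm_with_operator_response": 0.1,
    "high_tube_skin_temperature_alarm": 0.1,
}

# Tolerable frequency (per year) per consequence category (constructed placeholders).
TOLERABLE_FREQUENCY: Dict[int, float] = {3: 1e-4, 4: 1e-5, 5: 1e-6}

FIRED_HEATER_LOW_FLOW = SifTemplate(
    name="Fuel gas shutdown on low pass flow",
    hazard="Tube rupture from loss of process flow through a fired pass",
    # A rule rather than a constant: an occupied area nearby raises the category.
    consequence_rule=lambda eq: 4 if eq.get("occupied_area_nearby") else 3,
    initiating_events=[
        InitiatingEvent("Pass flow control loop failure", 0.1,
                        lambda eq: True,
                        ["low_pass_flow_alarm_with_operator_response",
                         "high_tube_skin_temperature_alarm"]),
        InitiatingEvent("Feed pump trip", 0.1,
                        lambda eq: eq.get("feed_source") == "pump",
                        ["low_pass_flow_alarm_with_operator_response"]),
        InitiatingEvent("Manual inlet block valve closed in error", 0.01,
                        lambda eq: bool(eq.get("manual_inlet_valve")),
                        ["low_pass_flow_alarm_with_operator_response"]),
    ],
)


def build_scenarios(template: SifTemplate, equipment: dict, installed: Set[str]) -> List[dict]:
    """Instantiate the template for one unit: keep only valid initiating events,
    credit installed safeguards, and flag missing ones as recommendations."""
    scenarios = []
    for ie in template.initiating_events:
        if not ie.applies(equipment):
            continue
        credited = [s for s in ie.typical_safeguards if s in installed]
        recommended = [s for s in ie.typical_safeguards if s not in installed]
        mitigated = ie.frequency
        for s in credited:
            mitigated *= SAFEGUARD_PFD[s]
        scenarios.append({"initiating_event": ie.name, "frequency": ie.frequency,
                          "credited": credited, "recommended": recommended,
                          "mitigated_frequency": mitigated})
    return scenarios


def sil_target(template: SifTemplate, equipment: dict, installed: Set[str]) -> dict:
    """Sum the mitigated frequencies, compare with the tolerable frequency for the
    consequence category, and convert the required risk reduction factor to a SIL."""
    scenarios = build_scenarios(template, equipment, installed)
    total = sum(s["mitigated_frequency"] for s in scenarios)
    category = template.consequence_rule(equipment)
    rrf = total / TOLERABLE_FREQUENCY[category]
    # RRF in (10, 100] -> SIL 1, (100, 1000] -> SIL 2, (1000, 10000] -> SIL 3.
    sil = 0 if rrf <= 10 else min(4, math.ceil(math.log10(rrf)) - 1)
    return {"consequence_category": category, "mitigated_total": total,
            "required_rrf": rrf, "sil": sil, "scenarios": scenarios}


if __name__ == "__main__":
    unit = {"occupied_area_nearby": True, "feed_source": "pump", "manual_inlet_valve": False}
    result = sil_target(FIRED_HEATER_LOW_FLOW, unit,
                        installed={"low_pass_flow_alarm_with_operator_response"})
    print(result["sil"], result["required_rrf"])
    for s in result["scenarios"]:
        print(s["initiating_event"], "recommend:", s["recommended"])
```

The point of the structure is that a wizard only has to ask the questions the rules consume (occupancy, feed source, presence of a manual block valve, which alarms exist); the scenario list, credited layers and recommendations follow mechanically, which is exactly where a tired team tends to make omissions.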
Last week I taught the ISA EC 52 training course – Advanced SIL Selection. This course covers a wide range of SIL selection topics and techniques, but spends the bulk of its time addressing the Layer of Protection Analysis (LOPA) approach, because this is the approach that is most commonly used in industry. The LOPA approach tends to use more quantitative information in the development of accident frequencies, as opposed to the more qualitative approaches in risk graphs, hazard matrices, and consequence only approaches. Initiating event frequencies and independent protection layers need to be quantified – at least to the order of magnitude level – in order to obtain results.
As soon as the need to perform a calculation comes up, students immediately ask “where do I get the data?” The answer is usually not what the student wants to hear. What is desired is a look-up table that is always correct, but unfortunately, that is not realistic. As engineers we are perpetually searching for the “right” number. For instance, when it comes to the probability of failure of an operator to properly respond to an alarm and bring the process to a safe state, some say that the right answer is 10% given that the response situation meets certain criteria and 100% if it does not. Others adamantly profess that 100% is the correct number because you can never rely on a human being in an emergency situation. Others have different opinions still. So, what is right? The real but undesirable answer is – it depends. The specific situation and the specific person have to be taken into consideration when making this assessment. Even something more concrete, such as failure of a pump, is still situationally dependent. Some pumps in severe service are expected to fail in less than a year while others can last dozens of years without failing.
While the “numbers” put into a LOPA are situationally dependent, there are good sources of data that you can use as a starting point. Books such as the Layer of Protection Analysis: Simplified Process Risk Assessment from the Center for Chemical Process Safety of the American Institute of Chemical Engineers and the Kenexis SIS Engineering Handbook provide data tables that include some discussion about applicability of the data in certain situations. While these references are good starting points for the quantification of LOPA scenarios, they are only initial estimates that should be used in the absence of actual operational statistics.
As a plant’s experience with the use of SIS in accordance with IEC 61511 (ISA 84) grows, it will become necessary to utilize real operating data instead of what are essentially assumptions about expected performance that come from the aforementioned reference books. The standard clearly states that these initial estimates must be replaced with actual operating data at some time in the future. As such, it is incumbent upon each operating plant to begin collecting data now that will be used during the SIS Design Basis Revalidation process that will necessarily occur in the future. The other benefit of this data collection activity is the ability to report real time trends of activity to key decision makers so that corrective actions can be taken if IPL performance or initiating event rates are greater than initially estimated.
Kenexis has a lot of good reference information on the use of real data for SIS design basis revalidation. This month’s newsletter contains a feature on a presentation that I gave on using real time data to track safety performance, and the website contains a great white paper on the SIS Design Basis Revalidation Process. If you are interested in SIS Design Basis Revalidation you can download the White Paper.
Over the past week I have been at an Oil Refinery and Oil Products Storage Terminal Fire Safety Conclave in New Delhi, sponsored by Indian Oil Company. One of the drivers of the conclave was the explosion and fire at Indian Oil’s Jaipur Terminal. Attending this conference gave me a lot of time to reflect on the causes, mechanisms, and consequences of large spills of gasoline. After this reflection, I think that traditional risk analysis techniques might be under-reporting the risk posed by gasoline spills, because a fundamental assumption about the progression from spill to explosion may be incorrect.
Tank Fire at Indian Oil's Jaipur Terminal
Traditional risk analysis techniques discount the probability of a vapor cloud explosion as the result of a gasoline spill because the cloud size is expected to be relatively small and relatively quickly dissipated by wind and atmospheric instability. The analysis is usually undertaken as follows. A spill rate is calculated, and the spill is then either determined or assumed to fill the diked area around the tank. An amount of vapor generation is calculated that reflects the rate at which material evaporates off the surface of the pool. This evaporation rate is then used as an input to a dispersion model that determines the extents of the vapor cloud, beyond which the flammable material dissipates below the lower flammability limit concentration. If a source of ignition is present, the cloud will burn in what is typically expected to be a flash fire, which will subsequently ignite the pool, resulting in a pool fire.
Typically, the possibility of a vapor cloud explosion is discounted. Storage tank farms are typically unconfined and relatively unobstructed. As a result, there are not enough turbulence generating obstacles to increase the flame speed to a point where significant overpressure (and thus a significant shock wave) is generated. These conclusions are based on numerous studies where unconfined vapor clouds were generated in test environments, in which obstruction blockage ratios of up to 30-40 percent did not generate dangerous overpressure levels. These experiments were typically performed using hydrocarbons such as methane and propane. An excellent summary of this data is presented in a document published by the UK Health and Safety Executive (HSE) entitled, Offshore Technology Report – OTO 92 002 – Offshore Gas Detector Siting Criterion Investigation of Detector Spacing.
The fundamental problem with discounting the explosion potential of a gasoline spill is that it may not actually be analogous to the tests that led to the conclusion that dangerous overpressures are not expected. Upon reflection and review of the incidents, I believe that traditional techniques might under-report the extents of the flammable cloud that is created and the propensity of that cloud to explode instead of simply burning in a nearly laminar fashion (resulting in negligible overpressure). Even more fundamentally, the consequences of ignited gasoline spills are typically greater than would be predicted by standard quantitative chemical release consequence analysis techniques.
Consider three recent high-profile gasoline spills in fuels storage terminals: Buncefield in the United Kingdom, Jaipur Terminal in India, and Caribbean Petroleum Refining in Puerto Rico in the USA. All three of these incidents resulted in vapor cloud explosions that traditional modeling techniques would have dismissed as not credible.
The explosive overpressure effects of the Buncefield explosion can be seen in the following video.
Based on the previous video, it is quite clear that the Buncefield explosion did indeed result in significant overpressure and explosive effects. Similar explosive effects are evident at the Caribbean Oil Refining incident, as seen in the following video.
Granted, the explosions in the video are after the fire was fully developed and are not the result of the initial gas cloud explosion, but a detailed analysis of the incident being performed by the Chemical Safety Board indicates that vapor cloud explosions occurred (More information here).
In addition, the Indian Oil Jaipur incident can be seen in this video.
Based on all of the previous information, it should be clear that vapor cloud explosions are a credible outcome of gasoline storage tank overfills. The question that needs to be researched and answered is why current risk analysis techniques discount them. I believe that the answer may lie in what is being modeled versus what is actually occurring. My hypothesis is that we are modeling and analyzing vapor clouds when we should be modeling and analyzing aerosol clouds.
The following video shows the buildup of the gasoline cloud at Buncefield.
Another view of the Buncefield Gas Cloud formation is shown in this video.
What is curious about this video is the appearance of the cloud. What we are seeing here is not a traditional vapor cloud. A true vapor cloud, meaning the hydrocarbon that has evaporated from the pool is in the gaseous state, would be transparent. Since we are seeing a white opaque fog, the physical phenomenon is different from what is being modeled. A visible opaque fog is not caused by a gas, which would normally be transparent. A fog is technically an aerosol, which is a colloid where finely divided drops of liquid are suspended in a continuous phase of a gas.
If we are indeed seeing an aerosol cloud, the dispersion and explosion modeling will take on an entirely different character. Since the cloud is not simply a gas, it will cling together differently than a traditional vapor cloud, potentially resulting in much larger cloud sizes than dispersion modeling predicts. This is the result of the finely divided droplets being able to continue to evaporate and generate more vapor inside the cloud as it travels. Also, the amount of energy contained in the cloud is significantly higher than in a pure vapor cloud, since the finely divided droplets will contain much more mass of hydrocarbon than pure vapor.
It is also quite reasonable to assume that aerosol clouds could have developed. Since gasoline is stored near its flash point, if material were released at even a slightly elevated temperature above atmospheric, one would expect hydrocarbon evaporated from the pool to condense back into droplets as the material is cooled in the ambient air.
In order to firmly establish the causes of this recent rash of gasoline storage facility explosions, industry needs to perform more research. It is my opinion that research into the generation of aerosol clouds from these releases, along with the dispersion and explosion effects of the aerosol clouds will be critical in understanding the explosion mechanisms of these events.
As the result of some recent contract negotiations, I am becoming more and more concerned that process safety is being impacted in a very negative way not by engineers, but by accountants and lawyers. I’ve noted an unsettling trend in the purchasing contract processes of some process sector operating companies that is a recipe for disaster. Basically, the drive to save a nickel of capital expenditure is resulting in millions of dollars of increased risk.
Let me explain. From time to time, as a business, we are required to negotiate contracts with operating companies that define the terms and conditions by which we perform our services. We have noted a trend where some companies push the envelope further every year with respect to how much liability they expect a contractor to accept. You would think that a contractor is liable for errors in the work that they perform, right? Wrong. The starting point for most agreements now is that as a contractor you are liable for 100% of damages in any way related to your work, regardless of how small a fraction your own negligence played in the incident. Now we’re starting to receive proposed agreements where we’re being asked to indemnify the operating companies to the tune of millions of dollars simply because a claim has been made in the general vicinity of where our work occurred; this must be paid regardless of who is at fault.
No rational person who reads the contract would be willing to sign such an agreement, and their lawyers know this. In our conversations they have clearly stated that there are two kinds of people: the people who read the contracts and object, and the people who just sign without reading. Their preference is the people who sign without reading. These morons think that they “win” because someone signed an obviously one-sided, unfair contract that was written in their favor, but did they really win? The more important consideration is – do you want a company so unsophisticated that it signs contracts without reading them to be doing process safety designs and consulting at your facility? In my unfortunate experience, the answer is yes. Sophisticated companies who consider the documents that they’re signing are moved to the back of the line and only contracted with if the operating company’s lawyers can’t get some sucker to sign off on the unfair contract.
This doesn’t begin and end at legal; it’s also a big part of purchasing. The lowest bidder for process safety consulting projects is usually the lowest bidder because they are using personnel whose qualifications are suspect at best. Third party certifications, which often only really require you to pay for the training class before receiving your sheepskin, don’t fix the problem, they exacerbate it.
Ultimately, it appears to me that the use of these formalized processes for purchasing are guaranteeing the survival of the least fit. The most competent groups are overlooked in favor of organizations who don’t know what they’re getting themselves into and don’t even understand that they’re not qualified to take on the work that they’re contracting. When accidents happen and managers ask why their plants were designed in such an incompetent fashion, the answer will be that the lawyers and accountants set up the system so that the competent people would never agree to work for them.
There are many methods used in the process industries for placing gas detectors. These methods range from pure rule-of-thumb approaches and semi-educated guesses all the way to full quantitative risk analysis with computerized tools for calculating coverage provided by the detector arrays. In oil and gas production, particularly offshore, one of the more common methodologies is to simply put detectors on a grid. The advantage of the grid approach is that it is somewhat deterministic and leads to consistent and predictable designs.
Given that a grid type approach is desirable to some engineering and operating companies, the next question that is typically asked is what the grid size should be. A number that many people will run into through a quick literature search or conversations with colleagues is 5 meters. While a number is generally easy enough to get hold of, the basis for that number is typically not given. As a result, other grid sizes are often utilized depending on the situation and “gut feel” of the project manager. And unfortunately, sometimes these figures lead to inappropriate and even comical results. Detector grid spacings that I have seen range from a three dimensional 3-meter grid (which resulted in nearly 2,000 detectors for a fairly small facility) all the way to no detectors being placed at all… On the large spacing end, 10 meters is a spacing figure that can also be commonly found.
Since the spread of grid spacing figures is fairly wide, and the spacing number is critical in balancing required risk mitigation against the cost of installation, having a firm grasp on what number is required, and why, is critical for gas detection system design.
The most referenced document discussing gas detection grid spacing is Offshore Technology Report – OTO 93 002 – Offshore Gas Detector Siting Criterion, Investigation of Detector Spacing. This report was funded and is distributed by the UK Health and Safety Executive. It is available for download from their web site (www.hse.gov.uk). The fundamental concept behind gas detection philosophy, as defined in the HSE report, is that any gas cloud that is sufficiently large that if ignited it will create an explosion that will cause significant damage should be detectable by the installed gas detection array.
The HSE report, and conventional wisdom, agree that a “significant” explosion is one where the flame front of the ignited gas cloud reaches more than 100 meters per second, which will then result in a peak overpressure in the resulting shock wave of more than 150 millibar. Explaining in a bit more detail, when a gas cloud ignites, the oxidation reaction that generates the flame travels at a speed that is determined by the material being combusted and the confinement and obstructions surrounding the cloud. More confinement traps and builds pressure, and obstructions quickly generate turbulence, reducing laminar drag resulting from surface tension (the same reason that golf balls have dimples). The following figure shows pictures from tests that were run in the US by NASA that show flame fronts as they are being generated.
Flame Front of Ignited Cloud
The HSE report went through a host of literature where flame speed and overpressure were measured in experimental trials. The trials covered a range of conditions, including methane and propane as the hydrocarbon source, and blockage ratios ranging from 0-40%. Upon review of all of the data, HSE determined that for blockage ratios of up to 30-40%, which is typical of a congested offshore production platform, cloud sizes of less than 6 meters in length are not expected to result in damaging overpressures from explosion. As a result of this determination, the HSE subsequently recommended employing a 5 meter grid for offshore oil production.
Of course, these results are really customized for offshore production where methane is the species of concern. If other chemicals such as Propane, or worse yet Ethylene, are the concern, much smaller clouds can result in significantly more damage. On the other hand, large open facilities such as refinery tank farms could have much larger clouds (10 meters or more) that will not result in significant damage because there is a lack of confinement and obstructions. A general rule of thumb has evolved that says 1) in dense process areas, 5 meter grids are acceptable, 2) if highly confined areas or areas where the chemical of concern has a greater ability to cause damage, smaller (e.g., 4 meter) grids should be considered, and 3) in open on-shore process areas a wider 10 meter spacing is more appropriate.
The next figure shows a layout of a 5 meter grid for a typical well bay of an offshore platform.
Typical Wellbay with a 5 Meter Gas Detection Grid Layout
You can see that the spacing is reasonably good, but the grid sometimes results in odd locations, where either equipment is not present, or no feasible means of actually mounting the detector is available. Using the Kenexis Effigy Fire and Gas Mapping tool to calculate the coverage (using a 5 meter critical cloud size), you will also see that the coverage is quite good.
Typical Wellbay Coverage Map - 5 Meter Grid with 5 Meter Critical Cloud
While the design of the gas detection layout is good with the grid spacing layout shown here, more sophisticated techniques, such as gas detection mapping based on the critical cloud size, will allow better coverage to be achieved with fewer detectors and also allow novel technologies such as open path detection. This results in better safety performance at a lower cost. Enhancing the gas detector grid approach will be the topic of an upcoming magazine article. I’ll keep you posted on where and when it will be available.
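To show what a coverage map like the one above actually computes, here is an added example of my own; it is not the Effigy tool and not the HSE method, and it uses a deliberately simplified plan-view model: point detectors on a square grid, a cloud of the critical diameter treated as a circle in plan, and "detected" meaning at least one detector lies inside that circle. The 20 m by 20 m area, the 5 m spacing, the critical cloud sizes and the one infeasible mounting point are constructed inputs. It also derives the spacing that gives full coverage under this model, which is what the grid-versus-mapping discussion hinges on.

```python
"""Plan-view gas detector grid coverage check.

Added example, not the Effigy tool or any HSE method: point detectors are laid
out on a square grid and a cloud of the critical diameter is counted as detected
when at least one detector lies inside its footprint. The area dimensions,
spacing and critical cloud sizes below are constructed inputs.
"""
import math
from typing import Iterable, List, Set, Tuple

Point = Tuple[float, float]


def grid_detectors(width: float, length: float, spacing: float,
                   infeasible: Iterable[Point] = ()) -> List[Point]:
    """Place detectors on a square grid offset half a spacing from the edges,
    skipping grid points where no practical mounting location exists."""
    skip: Set[Point] = {(round(x, 3), round(y, 3)) for x, y in infeasible}
    detectors = []
    x = spacing / 2
    while x < width:
        y = spacing / 2
        while y < length:
            if (round(x, 3), round(y, 3)) not in skip:
                detectors.append((x, y))
            y += spacing
        x += spacing
    return detectors


def cloud_detected(center: Point, detectors: List[Point], cloud_diameter: float) -> bool:
    """A cloud centered here is seen if any detector is within its radius."""
    radius = cloud_diameter / 2
    return any(math.hypot(center[0] - x, center[1] - y) <= radius for x, y in detectors)


def coverage_fraction(width: float, length: float, detectors: List[Point],
                      cloud_diameter: float, step: float = 0.25) -> float:
    """Raster the area into cells, treat each cell center as a possible cloud
    location, and return the fraction of locations where the cloud is detected."""
    nx, ny = int(round(width / step)), int(round(length / step))
    detected = sum(
        cloud_detected(((i + 0.5) * step, (j + 0.5) * step), detectors, cloud_diameter)
        for i in range(nx) for j in range(ny))
    return detected / (nx * ny)


def max_spacing_for_full_coverage(cloud_diameter: float) -> float:
    """On a square grid the worst cloud center is a cell center, spacing/sqrt(2)
    from the nearest detector; full plan-view coverage needs spacing <= d/sqrt(2)."""
    return cloud_diameter / math.sqrt(2)


if __name__ == "__main__":
    dets = grid_detectors(20.0, 20.0, 5.0)
    for d in (5.0, 7.5):
        print(f"{len(dets)} detectors, {d} m cloud: "
              f"{coverage_fraction(20.0, 20.0, dets, d):.1%} covered")
    print(f"full coverage of a 5 m cloud needs spacing <= "
          f"{max_spacing_for_full_coverage(5.0):.2f} m")
    # A grid point with no feasible mount leaves a gap the neighbours do not close.
    sparse = grid_detectors(20.0, 20.0, 5.0, infeasible=[(7.5, 7.5)])
    print(f"{len(sparse)} detectors, 7.5 m cloud: "
          f"{coverage_fraction(20.0, 20.0, sparse, 7.5):.1%} covered")
```

Two things the numbers make visible: on a square grid the diagonal, not the side, sets the worst case, so a cloud only slightly larger than the spacing can still sit between four detectors in plan; and removing a single grid point because it could not be mounted opens a hole that the neighbouring detectors do not cover, which is the situation a mapping study resolves by moving detectors rather than simply deleting them.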
As many practitioners of chemical process risk analysis know, LOPA is a simple tool for simple problems. In many cases, the simple rule sets that guide LOPA yield results that are patently absurd when you step back and look at them with a Lucid Eye (no reference to the paintings of Vermeer intended). As I have noted on several occasions, LOPA is a simple tool for simple problems, and by no means an infallible golden rule for safety. Risk analysis, in general, is an art of estimation. With all of the uncertainty and variance associated with risk analysis, none of its practitioners ever claim to know anything with any degree of certainty. Instead, we use various levels of conservative assumption to attempt to “bound” the upper limit of the risk. If these conservatively bounded assumptions yield an answer that a process plant can live with, we simply implement the recommendations and move on.
The problem comes when one implements the recommendations of a LOPA that are:
1. Excessively expensive.
2. Inconsistent with standard design practices.
3. Inconsistent with the actual operating history of a facility.
Consider an example. If your LOPA determines that an event is occurring once per year and resulting in a fatality, it will probably result in high risk reduction requirements, most likely quite expensive to implement. When this result occurs, it is incumbent upon the team implementing the solution to ensure that the results of the LOPA are realistic. This can usually be done with a simple check of the history of the facility. At Kenexis, we refer to this type of study as a “focused QRA”. In this type of study we direct and concentrate the tools of QRA on a single specific scenario.
Going back to the previous scenario, if a LOPA determines that extensive safeguarding is needed because an event occurs annually that results in a fatality, this is quite easy to check against the actual operating history of the facility. If the facility has been in operation for 10 years, then 10 fatalities should have occurred. If that is not the case, either reality is lying, or the model is. My guess is that the model is inaccurate, because reality tends to be, in a word, real. At that point, if a trained analyst brings out more sophisticated tools, the sources of the overly pessimistic assumptions are readily identified. And hopefully, a more realistic design will be implemented.
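The "10 years, zero fatalities" check above can be made quantitative rather than rhetorical. Here is an added example of my own (not a Kenexis procedure) that treats the events as a Poisson process and asks how probable the observed record would be if the LOPA frequency were true; it also finds the largest frequency the record is still consistent with, which is a useful ceiling to carry into a focused QRA. The once-per-year frequency and 10-year history come from the text; the 5% plausibility threshold is my assumption.

```python
"""Reality check of a LOPA event frequency against operating history.

Added example, not a Kenexis method: it asks how likely the observed record
(a count of events over a number of operating years) would be if the LOPA
frequency were true, treating events as a Poisson process, and also computes
the largest frequency the record is still consistent with. The 1 per year
figure and 10-year history follow the text; the 5% threshold is an assumption.
"""
import math


def poisson_cdf(k: int, mean: float) -> float:
    """P(X <= k) for a Poisson variable with the given mean."""
    return sum(math.exp(-mean) * mean ** i / math.factorial(i) for i in range(k + 1))


def probability_of_record(lopa_frequency: float, years: float, observed: int) -> float:
    """Probability of seeing `observed` or fewer events in `years` if the
    scenario really occurred at `lopa_frequency` per year."""
    return poisson_cdf(observed, lopa_frequency * years)


def history_consistent(lopa_frequency: float, years: float, observed: int,
                       alpha: float = 0.05) -> bool:
    """The LOPA number survives the check only if the record is not
    implausibly quiet under it (one-sided test at level alpha)."""
    return probability_of_record(lopa_frequency, years, observed) >= alpha


def max_consistent_frequency(years: float, observed: int, alpha: float = 0.05) -> float:
    """Largest per-year frequency for which the observed record still has
    probability >= alpha: the upper confidence bound a focused QRA might use
    as a ceiling on the initiating frequency. Found by bisection, since the
    probability falls monotonically as the frequency rises."""
    lo, hi = 0.0, 1.0
    while probability_of_record(hi, years, observed) > alpha:
        hi *= 2
    for _ in range(200):
        mid = (lo + hi) / 2
        if probability_of_record(mid, years, observed) > alpha:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    # Text's case: LOPA says once per year with a fatality; 10 years, no fatalities.
    p = probability_of_record(1.0, 10, 0)
    print(f"P(no events in 10 years | 1/yr) = {p:.2e}")
    print("LOPA frequency consistent with history:", history_consistent(1.0, 10, 0))
    print(f"frequency ceiling from the record: {max_consistent_frequency(10, 0):.3f}/yr")
```

For the text's case the record has a probability of about 4.5e-5 under the LOPA number, and the largest frequency ten quiet years support at the 5% level is roughly 0.3 per year. The check does not tell you which assumption is wrong, only that the model and the plant disagree, which is the trigger for the focused QRA.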
I have had yet another discussion today on what it means to put something into bypass when an instrument is part of a multiple instrument voting arrangement. At its most basic level, when you logically put something into bypass, that should mean that the instrument is voting NOT to trip. While logical, many like to “improve” on this by creating elaborate voting tables. While these tables do have their merit, they can be confusing. For instance, if you have a voting table that says that when a sensor in a 2oo2 voting arrangement is put into bypass you revert to 1oo1 mode, that is counter to the physical functionality of how a bypass works. You are turning that “bypass” signal into a vote TO trip, which is logically the exact opposite of what you expect.
While there are merits to keeping it simple and also merits to advanced voting schemes, it is important that all people who interact with the SIS understand exactly how it works.
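The 2oo2 case in the post is easy to state but easy to get wrong in a logic solver, so here is an added example of my own (not vendor logic and not a table from any standard) that implements both readings of "bypass" side by side: one where a bypassed channel simply never votes to trip, and one applying a constructed degradation table that drops the bypassed channel and lowers M (2oo2 to 1oo1, 2oo3 to 1oo2). The comparison function enumerates every channel-state combination where the two readings disagree, which is exactly the list that everyone who interacts with the SIS needs to have seen.

```python
"""Two readings of "bypass" in an MooN voting arrangement.

Added example, not SIS logic from any vendor or standard: `bypass_as_no_vote`
treats a bypassed channel as voting NOT to trip, which is the physical meaning
the text describes; `bypass_by_degradation_table` applies a constructed table
that drops the bypassed channel and lowers M (2oo2 -> 1oo1, 2oo3 -> 1oo2).
The comparison shows where the table turns a bypass into a vote TO trip.
"""
from itertools import product
from typing import List, Tuple

State = str  # "trip", "normal" or "bypass"


def bypass_as_no_vote(m: int, n: int, channels: List[State]) -> bool:
    """Trip when at least M of the N channels vote to trip; a bypassed
    channel simply never votes to trip."""
    assert len(channels) == n
    return sum(c == "trip" for c in channels) >= m


def bypass_by_degradation_table(m: int, n: int, channels: List[State]) -> bool:
    """Remove bypassed channels and reduce M accordingly (never below 1),
    then vote MooN on what remains. With every channel bypassed, no trip."""
    assert len(channels) == n
    active = [c for c in channels if c != "bypass"]
    if not active:
        return False
    bypassed = n - len(active)
    m_degraded = max(1, m - bypassed)
    return sum(c == "trip" for c in active) >= m_degraded


def disagreements(m: int, n: int) -> List[Tuple[State, ...]]:
    """Every channel-state combination where the two readings give a different
    trip decision; these are the cases operators must be told about."""
    return [combo for combo in product(("trip", "normal", "bypass"), repeat=n)
            if bypass_as_no_vote(m, n, list(combo))
            != bypass_by_degradation_table(m, n, list(combo))]


if __name__ == "__main__":
    for m, n in ((2, 2), (2, 3), (1, 2)):
        print(f"{m}oo{n}: {len(disagreements(m, n))} combinations differ")
        for combo in disagreements(m, n):
            print("  ", combo, "-> no-vote:", bypass_as_no_vote(m, n, list(combo)),
                  "| table:", bypass_by_degradation_table(m, n, list(combo)))
```

In 2oo2 the two readings differ only when one channel is bypassed and the other calls for a trip: the "no vote" reading keeps the process running, the table reading trips. In 1oo2 they never differ, which is why the confusion tends to surface on 2ooN schemes. Whichever convention a site adopts, the disagreement list is the part worth printing on the cause and effect chart.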
During my trip to Houston (from Columbus, OH) last week, as we were listening to the pre-take-off safety instructions, an alarm sounded, interrupting the take-off sequence. We were in an Embraer RJ-45 regional jet, and I was in my usual 2A seat. This seat is directly across from the flight attendant’s control center (and kitchenette). As such, I was able to view the alarm panel and the ensuing activity. The alarm panel went off with an ISA 18.01 approved sequence that would make any control engineer proud. Of course, the flight attendant became flustered due to the significant amount of activity required to clear the alarm. First there was an audible alarm and associated flashing red light on the alarm panel. After a moderate amount of effort, the flight attendant was able to stop the audible alarm with the silence button, leaving the flashing red light. After some consternation, the flight attendant was then able to stop the flashing by pressing the acknowledge key. Whether or not silence and acknowledge functionality is required on a panel with only one alarm is debatable, but it was accurately implemented. Soon after the alarm was acknowledged, it cleared, and the system returned to a “normal” state.
Apparently the alarm is associated with the smoke detector in the lavatory, and a quick check of the lavatory determined that there was indeed no fire or smoke present. It is also fairly well known to fire and gas system designers that smoke detectors can inadvertently activate for myriad reasons including mist and dust, so nuisance alarms are not unheard of. So, at this point you would figure that we would light the engines and hit the road, yes? No. In the airline industry the activation of an alarm (at least the smoke detector in the lavatory) is a very significant event that requires a significant follow up investigation. As a result, we returned to the gate, deplaned and called in the maintenance crew. The maintenance crew performed a full inspection of the lavatory and of the alarm system equipment, and performed a functional test of the alarm equipment. Only after that checkout were we allowed to re-board and continue our journey.
This struck me as a dramatic contrast with what I’ve seen in a lot of process industry plants. In many process facilities alarms occur so quickly and in such large numbers that many are acknowledged with little or no action taken in response to them. If the alarm clears quickly, virtually no review of the situation is performed. Worse, in many cases alarm equipment is allowed to stay in a failed state for long periods of time due to a perceived low priority, in some cases with very unfortunate results. Alarms in the process industries do not get the respect that they deserve. This is mainly because there are too many of them, and both operating and maintenance staff are in relatively short supply. Perhaps the process industries can learn something from the airlines about alarm system design, operational response and maintenance philosophy.
I have recently put together a couple of presentations and a paper on the topic of shared field equipment in BPCS and SIS service. The bottom line is that sharing a piece of field equipment is often a clear violation of the IEC 61511 standard that cannot be “assessed away”, at least not without very rigorous mathematical proof that you often will not be able to get.
The IEC 61511 standard (or whatever national variant that you follow) discourages sharing of components between SIS and BPCS, and specifically excludes it in one case. That case where the use of a single component is not allowed is when failure of a single component both INITIATES a hazardous event and simultaneously PREVENTS the SIS from taking action. Let me give you two quick examples.
1. A single flow transmitter is used to control the flow of a fired heater pass and also to cause a shutdown of fuel gas if the flow goes too low. In this case, if the device fails in place (e.g., taps freeze) and the set point is above the frozen measured value, the controller will drive the control valve closed, stopping flow (i.e., INITIATING the hazard), and also prevent the SIS from detecting the abnormally low flow condition (i.e., PREVENTING the SIS from taking action).
2. A control valve throttles flow on the outlet of a vessel, and the solenoid on that valve is de-energized upon low level to prevent a low level condition. If that valve gets stuck in position and inflow decreases, the level will start to drop because the valve cannot close to decrease outlet flow (i.e., INITIATING the hazard). Also, the SIS action to de-energize the solenoid valve does nothing because the valve is stuck in position (i.e., PREVENTING the SIS from taking action).
While it is apparent that these types of installations are quite dangerous, the standard does still allow them to exist, but it states that if this situation occurs, there shall be an analysis that justifies the use of the single component. While some may use a simple hand-waving justification, this is not adequate. When a single device’s failure can essentially cause a hazardous event to occur, you have essentially created a continuous mode safety function. Thus, if one desires to demonstrate that use of the single component is still acceptable, you would be required to mathematically show that the dangerous failure rate of the device (in reality, of the whole loop associated with the device) is lower than the tolerable frequency of the event that the SIF is intended to protect against. This is significantly different and more labor intensive than simply having a meeting where everyone agrees that it is “safe enough”.
Of course, this type of quantitative analysis is complex and beyond the abilities of a lot of practitioners. My advice, install separate hardware! In my experience, the cost of the additional hardware is lower than the cost of the analysis, and at the end of the project you have additional tangible safety hardware instead of a consultant’s report.
I am currently in Perth, Australia at the IDC Technologies Safety Control Systems conference. As usual with this forum, the presentations are good and the question and answer between presentations is even better. Here on the second day of the conference there is a lot of discussion of machine safeguarding standards, analysis techniques, and design practices. Machine guarding standards are currently significantly different from the IEC 61511 style performance-based analysis used for safety instrumented functions in the process industry. The machine guarding standards are a lot more prescriptive as to design and stay away from quantitative analysis of risk and reliability. The machine standards are actually quite good as they are. There is currently a push to move toward an IEC 61508 style analysis, as defined in IEC62061, but the end user community is really not much interested, and I personally think the push will fail.
There are quite a few process industry users in the audience here, and it may seem at first look that machine safeguarding standards do not apply to the process industries, but that is not true. Very frequently, the process industries use machines and those machines should be safeguarded using the machine safeguarding standards, not the process functional safety standards.
Let me give you an example. A typical polypropylene plant uses propylene as a raw material, polymerizes it in a reaction, and then processes the polymer powder that is created. The polymer processing often includes extrusion and the creation of polymer pellets. While most of the interlocks are process related and designed in accordance with the IEC 61511 / ISA 84.01 standard, one is clearly a machine safeguard that should not be. The extruder typically has an interlock that will de-energize the motor that turns a cutting blade if the hood of the device is removed, to prevent personnel from being exposed to the cutting blade. This is a machine safeguard, and it should be designed according to the appropriate standard, which in the US is the ANSI B11 series, not IEC 61511 / ISA 84.01.