INTEGRATING HAZOP AND SIL/LOPA ANALYSIS: BEST PRACTICE RECOMMENDATIONS
Ken Bingham, President, ACM Automation, Calgary, AB, T2R1K7, Canada
Prasad Goteti, Safety Inst. Engineer, ACM Automation, Calgary, AB, T2R1K7, Canada
KEYWORDS
HAZOP (Hazard and Operability study), SIL (Safety Integrity Level), LOPA (Layers Of Protection Analysis).
ABSTRACT
Traditionally, a Hazard and Operability (HAZOP) study and a Safety Integrity Level (SIL) Assessment or SIL determination (usually using the Risk Graph or Layer Of Protection Analysis (LOPA) methodology) are two separate facilitated sessions, which produce two unique databases. SIL Validation is yet a third requirement of the International Electrotechnical Commission (IEC) 61511 standards; it demands the use of another set of tools and produces a third database. Trying to manage the recommendations of these interconnected studies is extremely difficult. In the Integrated Approach, only one facilitated session is required for HAZOP and SIL Assessment. Only one database is created, and it is used to perform SIL Validation. In addition to being a secure and auditable database, this single database is also part of a complete “handover package” that operators need to ensure they maintain the SIL integrity assigned to each SIL loop. Some demonstrated benefits of the Integrated Approach are a minimum 30% time and cost savings; a single auditable database; elimination of mathematical errors during SIL Validation; creation of a complete electronic handover data package; and the capability of operators to easily model proposed changes to their maintenance and testing plans (SIL Optimization) using the same database.
Copyright 2004 by ISA – The Instrumentation, Systems and Automation Society. Presented at the ISA 2004, 5-7 October 2004, Reliant Center Houston, Texas, www.isa.org
INTRODUCTION
This paper details the process by which the integrated HAZOP / SIL study is conducted. The first part describes the steps involved; an example then illustrates those steps.
METHODOLOGY
The Integrated HAZOP / SIL study is initiated by calling a meeting (or session) usually comprising the operating company, the engineering consultancy company (if this is a new project) and the HAZOP / SIL facilitator with his scribe (who is usually an independent third party). The team of engineers should consist of chemical (or process) engineers, instrumentation engineers and safety engineers. Other engineers are optional, depending on whether they are needed during the course of the session. The session has the following steps, in the order listed below.

HAZOP
A HAZOP is used to identify major process hazards or operability issues related to the process design. Major process hazards include the release of hazardous materials and/or energy. The focus of the study is to address incidents which may impact public health and safety, worker safety in the workplace, economic loss, the environment, and the company’s reputation. The inputs to the HAZOP are the Process and Instrumentation Diagrams (P&IDs), Cause and Effect charts (C&E) and the operating company’s risk matrix (a matrix that quantifies the risk level as a function of likelihood and severity). A typical risk matrix is given below:
| Severity \ Likelihood | Frequent (more than once per year) | Probable (once every four years) | Occasional (once every 25 years) | Remote (not in the life of the facility) |
| Severity Level 1 (Critical) | Priority 1 (Unacceptable) | Priority 1 (Unacceptable) | Priority 1 (Unacceptable) | Priority 2 (High) |
| Severity Level 2 (High) | Priority 1 (Unacceptable) | Priority 2 (High) | Priority 2 (High) | Priority 3 (Medium) |
| Severity Level 3 (Moderate) | Priority 2 (High) | Priority 3 (Medium) | Priority 4 (Low) | Priority 4 (Low) |
| Severity Level 4 (Minor) | Priority 3 (Medium) | Priority 4 (Low) | Priority 4 (Low) | Priority 4 (Low) |

Figure 1: Typical risk matrix (likelihood across, severity down).

The outputs from the HAZOP are the risk ranking of each identified cause of process deviation and recommendations to lower the risk involved. These recommendations are given in the form of safeguards.
SIL / LOPA ASSESSMENT
The SIL / LOPA study assesses the adequacy of the Safety Protection Layers (SPLs) or safeguards that are in place to mitigate hazardous events relating to major process hazards, identifies those SPLs or safeguards that do not meet the required risk reduction for a particular hazard, and makes reasonable recommendations where a hazard leaves a residual risk that needs further risk reduction. This is done by defining the tolerable frequency (TF). The TF of the process deviation is a number derived from the level of risk identified from the HAZOP risk matrix. It indicates the period of occurrence, in years, of the process deviation that the operating company can tolerate. For example, a TF of 10^-4 indicates that the company can tolerate the occurrence of the process deviation once in 10,000 years. The mitigation frequency (MF) is calculated from the likelihood of each cause and the PFD of the SPLs. The inputs to the SIL / LOPA assessment are the process deviations, causes, risk levels and safeguards identified during the HAZOP. The SIL / LOPA assessment recommends the Safety Protection Layers (SPLs) to be designed to meet the process hazard.
RECOMMENDATIONS
In the event that the MF is not less than the TF, more SPLs are recommended; their PFD values are assumed and included in the MF calculation so that the MF becomes less than the TF. These SPLs are recommended as safeguards to decrease the risk of the consequences of the deviation (or cause) being analyzed. The session ends with the MF values of all the LOPA scenarios derived to be less than the TF.

SIL / LOPA VALIDATION
This is done after the session by the reliability or safety engineer. The methodology is to calculate the Probability of Failure on Demand (PFD) values of the identified SPLs, then derive the mitigation frequency (MF) as a calculation from the likelihood of each cause and the PFD of the SPLs. If the total MF of all the causes is less than the tolerable frequency (TF), which is defined as a numerical value from the HAZOP risk matrix, the integrated study is complete. This validates the PFD values of the SPLs that were assumed during the session.
THE INTEGRATED HAZOP / SIL PROCESS
The following process is used in a session for each of the identified nodes during a HAZOP study:
• The process engineer describes the intention of the node.
• Concerns and hazards within the node are recorded under the discussed node notes.
• The HAZOP/SIL team applies process parameter deviations to each node and identifies the associated hazards.
• Causes and initiating events for those hazards are identified and recorded.
• The resulting consequences are identified, categorized, and recorded based on the consequence grading in the operating company’s risk matrix.
• The likelihood of the initiating event is then assigned by the group and recorded based on the risk matrix.
• The resulting risk score, based on the consequence and likelihood scores, is recorded as per the risk matrix, not taking credit for any of the safeguards in place.
• An identification of the safeguards and an evaluation of them as SPLs is then carried out.
• The risk is re-scored taking into account the identified safeguards which are independent SPLs. Usually a standard SIL value is assigned to the SPLs, which are validated outside the session for accuracy.
• If sufficient independent layers of protection are identified to reduce the risk to the tolerable level (TF), then no further safeguards are identified and no recommendations are required.
• If the risk with safeguards is high and does not meet the TF, then recommendations and actions are developed with the aim of reducing the risk below the TF. The implementation of those actions and recommendations is assigned to the responsible party and individual.
• The recommended SPLs are validated and their PFD numbers are used to calculate whether the MF is less than the TF.
• The process is repeated covering the applicable parameters, deviations, and nodes.
• The concerns and hazards discussed at the outset of the node are reviewed to ensure that they were covered in the HAZOP discussions.
EXAMPLE
The integrated study concept is illustrated by an example in this section. In the following example, a HAZOP related to High level in a storage tank is considered. As per the HAZOP process, all the causes have been identified, the consequences listed and the risk ranking done without and with the existing safeguards (SPLs).
Figure 2: HAZOP worksheet for the High level deviation. Columns: Type of process; Process deviation; Causes of the process deviation; Consequences if the process deviation occurred; Severity, likelihood and risk level if the process deviation occurred without considering safeguards; Safeguards to mitigate the cause and consequences; IPL (SPL), independent protection layers; Risk analysis with IPLs; HAZOP recommendations.
The HAZOP observations, when represented in the SIL / LOPA analysis, would look as shown in Figure 3.

Figure 3: LOPA scenario mapped from the HAZOP. Annotated fields: the LOPA deviation is the HAZOP’s “deviation”; the initiating events are the HAZOP’s “causes”; the consequence is the HAZOP’s “consequences”; the Tolerable Frequency is derived as a function of the risk level (from the risk matrix).

The LOPA scenario is High level and the initiating events are all the causes identified in the HAZOP. The consequence rating is High, which derives the Tolerable Frequency (TF). The consequence rating is taken from the HAZOP risk matrix of the client.

Figure 4: LOPA worksheet before any new SPL is added. Annotated fields: the LOPA causes are the HAZOP’s “causes”; the protection layers are the HAZOP’s “safeguards”; the MF falls short of the TF by the indicated SIL value.
From the HAZOP, the causes of deviation are listed as LOPA causes, their likelihoods are identified, and the safeguards are listed as protection layers (SPLs). The PFD value of each SPL is either manually entered or linked to a calculated value. If the MF is less than the TF (as in the case of this example), it implies that some additional SPLs are required to meet the TF. In the case of this example, by adding a new SPL of 0.01 PFD, the diagram below indicates how the TF is met.
Figure 5: LOPA worksheet after adding the new SPL of 0.01 PFD. The band indicates that the MF value is less than the TF value and hence the SPLs have mitigated the risk to a level the company can tolerate.
CONCLUSION
By integrating the HAZOP and SIL / LOPA studies into one session, the time and cost to conduct these sessions are reduced, there is more data integrity as the same team conducts both studies, and the subjectivity that comes out of a pure HAZOP session is removed. An integrated study is a semi-quantitative technique and applies much more rigor than a HAZOP alone. It determines if the existing safeguards are enough and if proposed safeguards are warranted. It tightly couples the risk tools (matrices, risk graphs) of a corporation.
ACRONYMS
C&E – Cause and Effect charts
LOPA – Layer of Protection Analysis
HAZOP – Hazard and Operability study
MF – Mitigated Frequency
PFD – Probability of Failure on Demand
P&ID – Process and Instrumentation diagram
S(I)PL – Safety (Independent) Protection Layer
SIL – Safety Integrity Level (IEC specifies 4 levels: SIL 1 – PFD of .1 to .01, SIL 2 – PFD of .01 to .001, SIL 3 – PFD of .001 to .0001, SIL 4 – PFD of .0001 to .00001)
TF – Tolerable Frequency