Integrating HAZOP and LOPA - ACM

2
38 | October 2007 | PROCESSWest D ue to compressed project schedules, limited staff accessibility and engi- neering cost pressures, many compa- nies want to integrate their HAZOP and SIL / LOPA studies. This is not surprising, as the IEC 61511 Functional safety - Safety instru- mented systems for the process industry sec- tor standard promotes a tight relationship between the two. However, since this approach is still relatively new in the safety and risk assessment tool kit, the practice is open to some misinterpretation and in con- sequence, to misapplication and thus ques- tionable results. The root cause of most problems is that HAZOP is a cause-based method and LOPA is a consequence-based method. By trying to perform HAZOP and LOPA concurrently, risk assessment practitioners are virtually forced to adopt a cause-based approach for both methods. This compromises the value of the entire exercise and can lead to severe- ly flawed results. A bit of background Hazard and Operability or HAZOP stud- ies identify and assess the hazards and oper- ability issues in existing and new facilities. HAZOP is a qualitative type of risk assess- ment. According to the IEC 61882 Hazard and Operability Studies standard, the pur- pose of a HAZOP is to identify; •Potential hazards in the system. The haz- ards involved may include both those essen- tially relevant only to the immediate area of the system and those with a much wider sphere of influence (e.g. some environmental hazards); •Potential operability problems with the system and in particular identifying causes of operational disturbances and production deviations likely to lead to nonconforming products. In summary, HAZOP is a cause based method and a good tool for identifying caus- es and consequences for hazardous events. Let’s now look at the Layer of Protection Analysis (LOPA) method of Safety Integrity Level (SIL) Determination. It is a semi-quantitative risk analysis technique that considers the reliability of safeguards applicable to a specific cause-consequence scenario in terms of probability of failure on demand (PFD) of each safeguard and determines if there is enough reliability in the safeguards in total. The IEC 61511 standard suggests that the Safety Lifecycle work process begin with Hazard and Risk Analysis (such as a HAZOP) and accounts for each identi- fied hazard by documenting the initiating event or cause and the protection layers. The total amount of risk reduction provided by these protection layers is then defined and the need for more risk reduction determined. If additional risk reduction is required and if it is to be provided by a Safety Instrumented Function (SIF), for example, the LOPA method specifies the precise amount of risk reduction required by the SIF. This risk reduction can also be expressed in terms of Safety Integrity Level (SIL) and ranges from SIL 1 (the lowest) to SIL 4 (the highest). In essence, LOPA is a consequence-based method and a good technique for working with the consequences and identifying the adequacy of the safeguards, or lack of them. Example LOPA To illustrate the fundamentals of a proper LOPA analysis, consider the following situa- tion where a distillation column has an over- head reflux stream. If the cooling stream is lost, the tower will overpressure, eventually rupture and cause an uncontrolled loss of containment. Two possible initiating events or causes of the loss of reflux (the conse- quence) were identified in the HAZOP - a closed reflux valve and a reflux pump failure. In addition, four protection layers were iden- tified, each with a defined PFD value. The resulting LOPA calculation in Figure 1 below shows how the PFD for the Safety Instrumented Function (SIF) would be calcu- lated. The key issue to note in the Figure 1 example is that there were two causes identi- fied for the same consequence and each cause-consequence pairing had a unique set of protection layers. Single biggest mistake The single biggest mistake many risk assessment practitioners make is trying to perform HAZOP and SIL / LOPA concur- rently in the same team meeting. They think an integrated HAZOP and SIL / LOPA means performing the HAZOP and SIL / LOPA concurrently with the same team. By doing so, they are virtually forcing the team to adopt a cause-based approach for both methods. While this approach is acceptable when there is a one-to-one pair- ing between cause and consequence, in instances where there is more than one cause for the same consequence, this approach is not accurate. Instead, it is only when there is a rigorous examination of all causes which result in the same consequence that the ben- efits of integrated HAZOP and LOPA can be fully realized. Recommended practice The best approach is to conduct the HAZOP and SIL / LOPA in separate sessions where the HAZOP is conducted first, fol- lowed by the LOPA. The HAZOP session is kept focused. The meetings are completed in as little time as possible and the HAZOP team is not confused trying to understand and use the SIL / LOPA method. Typically, the SIL / LOPA session lasts 25 - 35% of the HAZOP duration. In summary, the work process for success- fully integrating HAZOP and SIL / LOPA methods is: 1. Perform the HAZOP. Comprehensively identify all the causes, consequences and safeguards. 2. All causes resulting in the same conse- quence should be identified and analyzed by an experienced LOPA analyst. This should be done off-line. Remember that if this is not done or is done incorrectly, it invalidates the assumption that HAZOP and SIL / LOPA will provide accurate results. 3. Perform the LOPA review. The LOPA team should be led by a LOPA expert and include an experienced operator, a process engineer and an instrument - electrical maintenance person. However, the real practical chal- lenge of effectively integrating HAZOP and SIL / LOPA studies, once the three steps are followed, is in documenting and managing the vast amounts of data generated by the process. When docu- menting the study results of large proj- ects where HAZOP studies takes weeks and create hundreds of recommenda- tions, doing this work accurately and efficiently takes on a whole new mean- ing. PROCESSSAFETY By Ken Bingham ...can result in exceptional benefits SAFETY Integrating HAZOP and LOPA Figure 1: Example LOPA Table

Transcript of Integrating HAZOP and LOPA - ACM

Page 1: Integrating HAZOP and LOPA - ACM

38 | October 2007 | PPRROOCCEESSSSWest

DDue to compressed project schedules,limited staff accessibility and engi-neering cost pressures, many compa-

nies want to integrate their HAZOP and SIL/ LOPA studies. This is not surprising, as theIEC 61511 Functional safety - Safety instru-mented systems for the process industry sec-tor standard promotes a tight relationshipbetween the two. However, since thisapproach is still relatively new in the safetyand risk assessment tool kit, the practice isopen to some misinterpretation and in con-sequence, to misapplication and thus ques-tionable results.

The root cause of most problems is thatHAZOP is a cause-based method and LOPAis a consequence-based method. By tryingto perform HAZOP and LOPA concurrently,risk assessment practitioners are virtuallyforced to adopt a cause-based approach forboth methods. This compromises the valueof the entire exercise and can lead to severe-ly flawed results.

AA bbiitt ooff bbaacckkggrroouunnddHazard and Operability or HAZOP stud-

ies identify and assess the hazards and oper-ability issues in existing and new facilities.HAZOP is a qualitative type of risk assess-ment. According to the IEC 61882 Hazardand Operability Studies standard, the pur-pose of a HAZOP is to identify;•Potential hazards in the system. The haz-ards involved may include both those essen-tially relevant only to the immediate area ofthe system and those with a much widersphere of influence (e.g. some environmentalhazards);•Potential operability problems with thesystem and in particular identifying causes ofoperational disturbances and productiondeviations likely to lead to nonconformingproducts.

In summary, HAZOP is a cause basedmethod and a good tool for identifying caus-es and consequences for hazardous events.

Let’s now look at the Layer ofProtection Analysis (LOPA) method ofSafety Integrity Level (SIL)Determination. It is a semi-quantitativerisk analysis technique that considersthe reliability of safeguards applicable toa specific cause-consequence scenario interms of probability of failure ondemand (PFD) of each safeguard anddetermines if there is enough reliabilityin the safeguards in total.

The IEC 61511 standard suggeststhat the Safety Lifecycle work process

begin with Hazard and Risk Analysis (suchas a HAZOP) and accounts for each identi-fied hazard by documenting the initiatingevent or cause and the protection layers. Thetotal amount of risk reduction provided bythese protection layers is then defined andthe need for more risk reduction determined.If additional risk reduction is required and ifit is to be provided by a Safety InstrumentedFunction (SIF), for example, the LOPAmethod specifies the precise amount of riskreduction required by the SIF. This riskreduction can also be expressed in terms ofSafety Integrity Level (SIL) and ranges fromSIL 1 (the lowest) to SIL 4 (the highest).

In essence, LOPA is a consequence-basedmethod and a good technique for workingwith the consequences and identifying theadequacy of the safeguards, or lack of them.

EExxaammppllee LLOOPPAATo illustrate the fundamentals of a proper

LOPA analysis, consider the following situa-tion where a distillation column has an over-head reflux stream. If the cooling stream islost, the tower will overpressure, eventuallyrupture and cause an uncontrolled loss ofcontainment. Two possible initiating eventsor causes of the loss of reflux (the conse-quence) were identified in the HAZOP - aclosed reflux valve and a reflux pump failure.In addition, four protection layers were iden-tified, each with a defined PFD value. Theresulting LOPA calculation in Figure 1below shows how the PFD for the SafetyInstrumented Function (SIF) would be calcu-lated.

The key issue to note in the Figure 1example is that there were two causes identi-fied for the same consequence and eachcause-consequence pairing had a unique setof protection layers.

SSiinnggllee bbiiggggeesstt mmiissttaakkeeThe single biggest mistake many risk

assessment practitioners make is trying to

perform HAZOP and SIL / LOPA concur-rently in the same team meeting. Theythink an integrated HAZOP and SIL /LOPA means performing the HAZOP andSIL / LOPA concurrently with the sameteam. By doing so, they are virtually forcingthe team to adopt a cause-based approach forboth methods. While this approach isacceptable when there is a one-to-one pair-ing between cause and consequence, ininstances where there is more than one causefor the same consequence, this approach isnot accurate. Instead, it is only when thereis a rigorous examination of all causes whichresult in the same consequence that the ben-efits of integrated HAZOP and LOPA can befully realized.

RReeccoommmmeennddeedd pprraaccttiicceeThe best approach is to conduct the

HAZOP and SIL / LOPA in separate sessionswhere the HAZOP is conducted first, fol-lowed by the LOPA. The HAZOP session iskept focused. The meetings are completedin as little time as possible and the HAZOPteam is not confused trying to understandand use the SIL / LOPA method. Typically,the SIL / LOPA session lasts 25 - 35% of theHAZOP duration.

In summary, the work process for success-fully integrating HAZOP and SIL / LOPAmethods is:1. Perform the HAZOP. Comprehensivelyidentify all the causes, consequences andsafeguards.2. All causes resulting in the same conse-quence should be identified and analyzed byan experienced LOPA analyst. This shouldbe done off-line. Remember that if this isnot done or is done incorrectly, it invalidatesthe assumption that HAZOP and SIL /LOPA will provide accurate results. 3. Perform the LOPA review. The LOPAteam should be led by a LOPA expert andinclude an experienced operator, a processengineer and an instrument - electrical

maintenance person.However, the real practical chal-

lenge of effectively integrating HAZOPand SIL / LOPA studies, once the threesteps are followed, is in documentingand managing the vast amounts of datagenerated by the process. When docu-menting the study results of large proj-ects where HAZOP studies takes weeksand create hundreds of recommenda-tions, doing this work accurately andefficiently takes on a whole new mean-ing.

PPRROOCCEESSSSSAFETYBy Ken Bingham

...can result in exceptional benefitsSAFETYIInntteeggrraattiinngg HHAAZZOOPP aanndd LLOOPPAA

FFiigguurree 11:: EExxaammppllee LLOOPPAA TTaabbllee

Page 2: Integrating HAZOP and LOPA - ACM

For example, Figure 2 shows a screen shotwhere HAZOP data, taken from either a MS-Excel, MS-Word or a commercial PHA soft-ware package has been imported intoSilCore™. The yellow high-lighted areasshow that two causes have been identified forthe same consequence. Ensuring that theHAZOP data has been accurately inputtedinto the front end of the SIL / LOPA is possi-ble with a software package that has “datamapping” functionality. Such a feature virtu-ally eliminates thepotential for dataentry error and pro-vides a huge produc-tivity boost whendoing integratedHAZOP and SIL /LOPA studies.

In Figure 3, for thesame consequence(e.g. potential liquidcarryover to K101

resulting in compressordamage), the informa-tion is captured in theLOPA table and the rel-evant causes, initiatingevent frequencies (like-lihoods), consequences,protection layers andtheir PFD values aredocumented. Theinformation is displayedfor easy understanding.The screen also shows

the TF and MF values and the amount of riskreduction necessary to mitigate the residualrisk. There is more than a passing similarityto the simplified table shown in Figure 1.

While it is true that the SIL / LOPA calcu-lations are relatively simple, because there areso many scenarios to consider and workthrough, well designed and easy-to-use soft-ware tools are essential for accurate, compre-hensive and productive analysis.

In our experience, there is a gap in themarketplace’s tools today for conductingintegrated HAZOP and SIL / LOPA studieswhich allow the user to analyze all causes fora given consequence. This led to our devel-oping a software tool called SilCore™,designed to fully integrate the HAZOP, theSIL / LOPA, the SIL Verification and SafetyRequirements Specification (SRS) process intoone database, so you don’t have to deal withthe hassles of multiple spreadsheets.Compared to the traditional spreadsheetmethod, SilCore™ users can realize savings ofat least 50% of their time, even more forlarge numbers of scenarios.

Remember, used separately, HAZOP andSIL / LOPA techniques are powerful methodsfor evaluating and improving the safety ofprocess facilities. However, they need to becarefully integrated so the results are mean-ingful and comprehensive. A trained riskassessment specialist, with a robust softwaretool, can provide solid, cost effective solu-tions. PPWW

SilCore™ is an integrated HAZOP -SIL / LOPA software package and iscommercially available to the generalmarketplace. The work process and the-ory behind LOPA can be downloadedfrom ACM's website at http://www.acm.ab.ca Readers can contact the author, Ken Bingham of ACMFacility Safety, a division of ACM Automation Inc. formore information by email: [email protected] by phone at 403-264-9637.

PPRROOCCEESSSSWest | October 2007 | 39

FFiigguurree 33:: SSiillCCoorree™™ SSIILL DDeetteerrmmii--nnaattiioonn ((LLOOPPAA)) SSccrreeeenn

FFiigguurree 22:: SSiillCCoorree™™ HHAAZZOOPP IImmppoorrtt SSccrreeeenn