Integrating Hazop and SIL
Prasad Goteti
Safety Inst. Engineer
ACM Automation
Calgary, AB, T2R1K7
Canada
KEYWORDS
HAZOP (Hazard and Operability study), SIL (Safety Integrity Level), LOPA (Layers Of
Protection Analysis).
ABSTRACT
Traditionally, a Hazard and Operability (HAZOP) study and Safety Integrity Level (SIL)
Assessment or SIL determination (usually using the Risk Graph or Layer Of Protection
Analysis (LOPA) methodology) are two separate facilitated sessions, which produce two
unique databases. SIL Validation is yet a third requirement of the International
Electrotechnical Commission (IEC) 61511 standards that demands the use of another set of tools and
produces a third database. Trying to manage the recommendations of these interconnected
studies is extremely difficult. In the Integrated Approach, only one facilitated session is
required for HAZOP and SIL Assessment. Only one database is created, and it is used to
perform SIL Validation. In addition to being a secure and auditable database, this single
database is also part of a complete handover package that operators need to ensure they
maintain the SIL integrity assigned to each SIL loop. Some demonstrated benefits of the
Integrated Approach are a minimum 30% time and cost savings; a single auditable database;
elimination of mathematical errors during SIL Validation; creation of a complete electronic
handover data package and the capability of operators to easily model proposed changes to
their maintenance and testing plans (SIL Optimization) using the same database.
INTRODUCTION
This paper details the process in which the HAZOP / SIL study is conducted. The first part
indicates the steps involved and later an example illustrates the steps.
METHODOLOGY
The Integrated HAZOP / SIL study is initiated by calling a meeting (or session) usually
comprising the operating company, the engineering consultancy company (if this is a new
project) and the HAZOP / SIL facilitator with his scribe (who is usually an independent third
party). The team of engineers should definitely include chemical (or process) engineers,
instrumentation engineers and safety engineers. Other engineers are optional, depending on
the need for them during the course of the session.
The session has the following steps, in the order listed below.
HAZOP
A HAZOP is used to identify major process hazards or operability issues related to the process
design. Major process hazards include the release of hazardous materials and/or energy. The
focus of the study is to address incidents that may impact public health and safety,
worker safety in the workplace, economic loss, the environment, and the company's
reputation.
The inputs to the HAZOP are the Process and Instrumentation Diagrams (P&IDs), Cause and
Effect charts (C&E) and the operating company's risk matrix (which is a matrix quantifying the
risk level depending on the likelihood and severity).
A typical risk matrix would look as given below:
Occasional (once every 25 years)
Severity Level 1 (Critical) | Priority 1 (Unacceptable) | Priority 1 (Unacceptable) | Priority 1 (Unacceptable) | Priority 2 (High)
Severity Level 2 (High) | Priority 1 (Unacceptable) | Priority 2 (High) | Priority 2 (High) | Priority 3 (Medium)
Severity Level 3 (Moderate) | Priority 2 (High) | Priority 3 (Medium) | Priority 4 (Low) | Priority 4 (Low)
Severity Level 4 (Minor) | Priority 3 (Medium) | Priority 4 (Low) | Priority 4 (Low) | Priority 4 (Low)
Figure 1
The outputs from the HAZOP are the risk ranking of each identified cause of process deviation
and recommendations to lower the risk involved. These recommendations are given in the
form of safeguards.
RECOMMENDATIONS
In the event that the MF is not less than the TF, more SPLs are recommended; their PFD
values are assumed and included in the MF equation to bring the MF below the TF.
These SPLs are recommended as safeguards to decrease the risk of the consequences
of the deviation (or cause) being analyzed.
The session ends with the MF values of all the derived LOPA scenarios less than the TF.
SIL / LOPA VALIDATION
This is done after the session by the reliability or safety engineer. The methodology is to
calculate the Probability of Failure on Demand (PFD) values of the identified SPLs, then derive
the mitigation frequency (MF) as a calculation from the likelihood of each cause and the PFD
of the SPLs. If the total MF of all the causes is less than the tolerable frequency (TF), which is
defined as a numerical value from the HAZOP risk matrix, the integrated study is complete.
This validates the assumed PFD values of the SPLs during the session.
The risk is re-scored taking into account the identified safeguards which are
independent SPLs. Usually a standard SIL value is assigned to the SPLs which are
validated outside the session for accuracy.
If sufficient independent layers of protection are identified to reduce the risk to the
tolerable level (TF), then no further safeguards are identified and no recommendations
are required.
If the risk with safeguards is high and does not meet the TF, then recommendations and
actions are developed with the aim of reducing the risk below the TF.
The implementation of those actions and recommendations is assigned to the
responsible party and individual. The recommended SPLs are validated and their PFD
numbers are used to calculate whether the MF is less than the TF.
The process is repeated covering the applicable parameters, deviations, and nodes.
The concerns and hazards discussed at the outset of the node are reviewed to ensure that
they were covered in the HAZOP discussions.
EXAMPLE
The integrated study concept is indicated in the form of an example in this section.
In the following example, a HAZOP related to High level in a storage tank is considered. As
per the HAZOP process, all the causes have been identified, the consequences listed and the risk
ranking done without and with the existing safeguards (SPLs).
Figure 2 (callouts): type of process; process deviation; causes of the process deviations; consequences if the process deviation occurred; severity, likelihood and risk level if the process deviation occurred without considering safeguards; safeguards to mitigate the cause and consequences; HAZOP recommendations.
The HAZOP observations when represented in the SIL / LOPA analysis would look like:
Figure 3 (callouts): HAZOP's deviation; HAZOP's causes; derived as a function of the risk level (from the risk matrix); HAZOP's consequences.
The LOPA scenario is High level and the initiating events are all the causes identified in the
HAZOP. The consequence rating is High, from which the Tolerable Frequency (TF) is derived. The
consequence rating is taken from the HAZOP risk matrix of the client.
Figure 4 (callouts): HAZOP's causes; HAZOP's safeguards.
From the HAZOP, the causes of deviation are listed as LOPA causes, their likelihoods are
identified and the safeguards are listed as Protection layers (SPL). The PFD value of each
SPL is either manually entered or linked to a calculated value. If the MF is not less than the
TF (as in the case of this example), it implies that some additional SPLs are required to meet
the TF. In the case of this example, by adding a new SPL of 0.01 PFD, the diagram below
indicates how the TF is met.
The band indicates that the MF value is less than the TF value and hence the
SPLs have been able to mitigate the risk to a level the company can tolerate.
Figure 5
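The MF-versus-TF check described in the validation step and in the example above can be written out as follows. This is an added example, not part of the original paper: the causes, likelihoods, existing PFD values and the TF are constructed, and the MF is assumed to take the usual LOPA form (sum over causes of likelihood times the PFDs of the credited SPLs). Only the new SPL of 0.01 PFD and the SIL bands come from the paper.

```python
from math import prod

# SIL bands as listed in the paper's acronym section: SIL -> (lower PFD, upper PFD).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

# Constructed LOPA scenario "High level"; every value below is an assumption.
TF = 1e-3  # tolerable frequency per year, assumed for a "High" consequence
CAUSES = [
    {"cause": "inlet flow control fails open", "likelihood": 0.1,    # events/yr
     "spl_pfds": [0.1]},   # high-level alarm with operator response
    {"cause": "outlet valve left closed", "likelihood": 0.04,        # once per 25 yr
     "spl_pfds": [0.1]},
    {"cause": "level transmitter reads low", "likelihood": 0.001,
     "spl_pfds": []},      # alarm shares the transmitter, so it is not credited
]

def mitigated_frequency(causes):
    """MF = sum over causes of likelihood x product of the PFDs of its SPLs."""
    return sum(c["likelihood"] * prod(c["spl_pfds"]) for c in causes)

def meets_tf(causes, tf):
    """The scenario is closed only when MF is strictly less than TF."""
    return mitigated_frequency(causes) < tf

def with_recommended_spl(causes, pfd):
    """Credit one new SPL against every cause (assumes it is independent of
    each cause and of the SPLs already credited)."""
    return [{**c, "spl_pfds": c["spl_pfds"] + [pfd]} for c in causes]

def sil_band(pfd):
    """SIL whose band contains pfd (lower bound inclusive), else None."""
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    return None

if __name__ == "__main__":
    print(f"MF with existing SPLs: {mitigated_frequency(CAUSES):.2e}/yr, "
          f"meets TF: {meets_tf(CAUSES, TF)}")
    improved = with_recommended_spl(CAUSES, 0.01)  # new SPL of 0.01 PFD
    print(f"MF with new SPL (SIL {sil_band(0.01)}): "
          f"{mitigated_frequency(improved):.2e}/yr, meets TF: {meets_tf(improved, TF)}")
```
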
CONCLUSION
By integrating the HAZOP and SIL / LOPA studies into one session, the time and cost to
conduct these sessions are reduced, there is more data integrity as the same team conducts
both the studies and it removes the subjectivity which comes out of a pure HAZOP session.
An integrated study is a semi-quantitative technique and applies much more rigor than a
HAZOP alone. It determines if the existing safeguards are enough and if proposed safeguards
are warranted. It tightly couples the risk tools (matrices, risk graphs) of a corporation.
ACRONYMS
C&E - Cause and Effect charts
LOPA - Layer of Protection Analysis
HAZOP - Hazard and Operability study
MF - Mitigated Frequency
PFD - Probability of Failure on Demand
P&ID - Process and Instrumentation diagram
S(I)PL - Safety (Independent) Protection Layer
SIL - Safety Integrity Level (IEC specifies 4 levels: SIL 1, PFD of .1 to .01; SIL 2, PFD of .01 to .001; SIL 3, PFD of .001 to .0001; SIL 4, PFD of .0001 to .00001)
TF - Tolerable Frequency