
IChemE SYMPOSIUM SERIES NO. 153 © 2007 IChemE

HAZOP'S ROLE IN THE APPLICATION OF SAFETY STANDARDS

George Baradits
TÜV FSE, SIL4S Kft, Hungary, H 8200, Balaca u 54; www.sil4s.hu, e-mail: bgs@sil4s.hu

In this presentation we would like to discuss how HAZOP works within the frame of the IEC 61508 and IEC 61511 safety standards. HAZOP itself is a methodology, detailed in the CEI IEC 61822 standard, to find the hazards of a technology in the process industry and to evaluate the risk involved in the hazard. In a HAZOP a multidiscipline team works on identifying the causes of risk, the consequences and the safeguards (prevention and mitigation). All process technology has hazards and risks, and the cited safety standards analyse the techniques and measures for reducing the frequency of unwanted events (prevention of the risks, or decreasing them to a tolerable frequency level) and for reducing the consequences of hazards. In the application of the safety standards one of the most important lifecycle phases is the Hazard and Risk analysis, done by HAZOP. The question is the role of HAZOP in the safety life cycle.

It is clear from the standard that in the case of a new plant it is not possible to build the plant with an SIS Independent Protection Layer in a correct way without a HAZOP study. But what is the procedure in an existing plant or revamp project? In our presentation we will analyse, based on the standards, what process should be followed to reach the target functional safety in our plant. Our background for this presentation is our work in the oil and refinery and power station industry, preparing more than 20 HAZOPs, SIF assessments, Safety Requirement Specifications and allocations, including the validation of the systems.

We will analyse the typical revamp projects step by step, following the methodology of the safety standards and analysing the interpretation of the safety life cycle involved in the revamp project. We will discuss when and why Management of Change (MOC) is to be applied, and give information about our experience and practice. We will also discuss the Hazard and Risk analysis, Safety Requirement Specification and Allocation of Safety Functions safety life cycle phases. In the project we prepared a special calibration of risk frequency and consequence using the Risk Matrix methodology, and used LOPA for SIL value selection. This mixed risk evaluation model had good results and made our project successful. We also added an extra to our project, called by us pre-validation. We have learned from our experience that in the SIL evaluation phase it is very useful to prepare a pre-validation, even though that is not in the standards. The result of our HAZOP and SIL project was a lot of practical experience which I would like to share with you in my presentation.

KEYWORDS: IEC 61508 and IEC 61511, hazard and risk analysis, HAZOP, SIL, allocation, safety
requirement documentation, management of change, SIS

INTRODUCTION
This paper discusses how HAZOP works within the frame of the IEC 61508 and IEC 61511 safety standards. In the application of the safety standards one of the most important points is the HAZOP-based Hazard and Risk analysis. This paper focuses on the role of HAZOP. A procedure based on the process safety standards will be introduced to evaluate the safety systems of existing plants.

ABOUT THE PROJECT
In this paper a new methodology will be presented to evaluate the safety systems of existing plants (see Figure 1). A case study will be given to present the details of this methodology and discuss its applicability. The presented project started in 2005 and will end in the last quarter of 2008. Our task was to supervise the shut down systems in all the 102 of MOL Rt, the biggest petrochemical company in Hungary (see www.mol.hu for more details). Our work is based on IEC 61508 and IEC 61511 and includes:
- HAZOP study
- allocation of Safety Functions
- defining the SIL value of the Safety Instrumented Functions
- preparing the Safety Requirement Documentation
- pre validation


[Figure 1 (work flow): Process → HAZOP (with MOL Matrix) → SF & SIL → Allocation → SFN & SIL → LOPA (with MOL ALARP) → SIF & SIL → SIS SRS → SIF pre-validation]

Figure 1. Work flow diagram of the project

MANAGEMENT OF CHANGE (MOC)
Every company must have an Application Guide for Management of Change. MOL also has such a guide, and we have followed this guideline (see Figure 2) for the following two important reasons.
The first reason was that new/amended legislation came into force with Hungary and Slovakia joining the European Community in mid 2004.
The second reason was the modification of MOL's Safety Policy.
The flowchart of the project is depicted in Figure 1. As can be seen in Figure 2, MoC is based on the IEC 61508 standard. It is clear that, because of the new legislation and the new safety policy of MOL, according to the process safety standard and MOL's Application Guide for MoC we had to go back to the first safety life cycle phase: Hazard and Risk analysis. That is why our first step in the project was preparing the HAZOP study of the existing plants. Some of the plants were more than twenty years old, but fewer than five of them were not older than 5 years.

HAZARD AND RISK ANALYSIS: HAZOP (IEC 61511 SAFETY LIFE CYCLE, PHASE 1)
HAZOP is a methodology (covered by the IEC 61823 standard) of risk evaluation, discovering
- the deviation from the design intent (hazardous events)
- causes
- effects (consequences)
- prevention and mitigation possibilities (safeguards)

The HAZOP team at the HAZOP meeting evaluates
- risks
- frequency
- consequence
- severity
- possibility of prevention

Preparing the HAZOP study of the plants based on the HAZOP standard and according to IEC 61508/61511, the following tasks were performed:

[Figure 2 (flowchart): modification request initiators (operation/production request, safety performance below target, new/amended legislation, systematic faults, modification to EUC, incident/accident experience, modification to the safety requirements) → modification request → modification log → impact analysis study → Hazard and Risk analysis → impact analysis report → update / back to the appropriate overall safety lifecycle phase → modification design authorization]

Figure 2. Management of change


- to determine the hazards and hazardous events of the EUC and the EUC control system (BPCS), in all modes of operation, for all reasonably foreseeable circumstances, including fault conditions and misuse
- to determine the event sequence leading to the hazardous events determined above
- to determine the BPCS risks associated with the hazardous events determined above
- to determine the safety requirements for the SIS on a systematic risk-based approach; EUC and BPCS are considered

Based on the HAZOP standard we have developed the SIL4S HAZOP SW and prepared the studies with this SW. The main features of this SW are:
- web based
- report formats: Word, Excel, PHA Pro
- a freely scaleable risk matrix and the decision of the HAZOP team about the frequency and severity of the risk regarding people, environment and business
- the decision about the Independent Protection Layers (SF: Safety Functions)

These features put the HAZOP study into a key position, giving the HAZOP team the possibility to decide all the parameters needed for the work of the next phases.
The inputs of the HAZOP were the following:
- P&ID drawings
- PFD drawings
- instruction manual of the process
- IO list of the shut down system
- instrument list of the shut down system
- narratives and logic
- MOL Safety Matrix and conversion table to SIL
- MOL's ALARP values for human, environment and business, based on the MOL Safety Policy

while the outputs were:
- causes of the hazards
- consequences of the hazards
- safeguards (preventions and mitigations)
- type of the safeguards, i.e. existing or suggested
- frequency of the unwanted event
- severity of the consequences, separately for human, environment and business
- Independent Protection Layers (Safety Functions)
- Safety Instrumented Functions

When we finalized the HAZOP study we had all the basic information needed for the following phase of the work. One can see above that the HAZOP study really plays a key role in our work, giving us a communicative possibility to gather the information and experience we need. Our final conclusion was that without HAZOP we would be unable to do this work.

ALLOCATION OF THE SAFETY FUNCTIONS (IEC 61511 SAFETY LIFE CYCLE, PHASE 2, FIGURE 3)
In IEC 61508-1 the Safety Life Cycle model Phase 4 uses only three independent layers:
- external risk reduction facility
- other technological safety function, and
- Safety Instrumented Function

Our opinion and experience was that these three layers do not give fine enough tuning to fit the starting frequency to the ALARP frequency.
Based on the outputs of the HAZOPs we allocated the safety functions (safeguards) to different independent protection layers, using a more detailed layering:
- local alarms for start up and shut down
- critical alarms (fully independent)
- BPCS alarm (partially independent)

Figure 3. Allocation of the safety functions


- engineering
- mechanical protection (rupture disk, relief valve etc.)
- physical protection
- human intervention

The input of the allocation activity was the safety functions which were the output of the HAZOP study, while the outputs were the Safety Functions for the different kinds of Independent Protection Layers (IPL). All the non-SIS IPLs were important for us, as they were the input for the LOPA (Layer of Protection Analysis, see Figure 4) analysis. The second output of the allocation was the SIFs.
Why is the LOPA analysis necessary? If we want to calculate the SIL value for the SIFs we have to take into consideration the credits for the non-SIS IPLs. The output of the LOPA analysis was the SIL value of the SIFs.
How does this procedure work? After finding the SIFs we have to calculate the SIL value for all the safety instrumented functions. Figure 3 shows the procedure by which the Safety Instrumented System with a given SIL value is built up.
We had to decide about the calculation method for the SIFs. The starting frequency of the hazardous events was defined in the HAZOP study. The target frequency was found in the MOL Safety Quality Assurance Manual. Our choice was to use LOPA to calculate the PFD (Probability of Failure on Demand) values of the Independent Protection Layers. An example of LOPA is shown in Figure 4. One can see four IPLs which are able to protect the vessel from exploding or releasing to the environment:
- alarm system
- relief valve
- flare
- SIS

If we calculate the PFD value of the first three IPLs (giving credit to them to operate on demand and protect the vessel) and reduce the starting frequency by this value, the result will be the SIL value of the given SIF. Of course that is the basic idea, but in practice we were taking into consideration different causes leading to the same consequences etc. (that is pure mathematics).

Figure 4. LOPA philosophy

SAFETY REQUIREMENT SPECIFICATION (SRS) (IEC 61511 SAFETY LIFE CYCLE, PHASE 3)
Now we know all the Safety Instrumented Functions with their SIL values and have to make a requirement specification for the realization phase. In this specification we have to take account of the following (without completeness):
- a description of all the safety instrumented functions necessary to achieve the required functional safety
- requirements to identify and take account of common cause failures
- a definition of the safe state of the process for each identified safety instrumented function
- a definition of any individually safe process states which, when occurring concurrently, create a separate hazard (for example, overload of emergency storage, multiple relief to flare system)
- the assumed sources of demand and demand rate on the safety instrumented function
- requirement for proof-test intervals
- response time requirements for the SIS to bring the process to a safe state
- the safety integrity level and mode of operation (demand/continuous) for each safety instrumented function
- a description of SIS process measurements and their trip points
- a description of SIS process output actions and the criteria for successful operation, for example, requirements for tight shut-off valves


- the functional relationship between process inputs and outputs, including logic, mathematical functions and any required permissives
- requirements for manual shutdown
- requirements relating to energize or de-energize to trip
- requirements for resetting the SIS after a shutdown
- maximum allowable spurious trip rate
- failure modes and desired response of the SIS (for example alarms, automatic shutdown)
- any specific requirements related to the procedures for starting up and restarting the SIS
- all interfaces between the SIS and any other system (including the BPCS and operators)
- a description of the modes of operation of the plant and identification of the safety instrumented functions required to operate within each mode
- requirements for overrides/inhibits/bypasses, including how they will be cleared and documented
- the mean time to repair which is feasible for the SIS

Based on this requirement specification the realization may start.

PRE VALIDATION
If one looks for the definition of pre validation in the IEC 61508/61511 standards, the result is zero. Of course the validation itself is a phase of the Safety Life Cycle, but according to us it is a bit too late. Our industrial experience dictates that after the SRS is ready we start modeling the different SIFs to see whether they will fit the target SIL or not. If the result of our modeling was negative, we went back to the SRS in an iterative way and modified it. The pre validation gives the possibility of avoiding any discrepancy in the Validation phase. Any discrepancy in the validation phase makes everybody nervous; to avoid this, and to save a lot of time and money, we introduced the pre validation.

CONCLUSIONS: EXPERIENCE OF THE PROJECTS
Our first problem was the poor documentation, and it was not too easy to overcome it.
But all the experience from these projects was extremely useful and promising for us. For example, we prepared close to 100 furnace HAZOP studies. At the very beginning we prepared furnace HAZOP templates involving:
- technology part
- Burner Management part for gas
- Burner Management part for oil
- convection zone of the furnace
- radiation zone of the furnace
- steam drum in the furnace

This template was tuned (amended) during our working phase but was extremely useful. The same procedure was followed for the package HAZOPs (pumps, compressors, turbines etc.).
We also prepared a lot of statistics about the distribution of the different kinds of IPLs, but this is rather a scientific result than a practical one.
In the HAZOP meeting work we discovered some missed protection layers, which shocked our partners and needed immediate actions from their side.
Our biggest profit from this job was our database about the refinery industry and our highly sophisticated HAZOP SW.

ABBREVIATIONS/ACRONYMS
HAZOP: Hazard and Operability
LOPA: Layer of Protection Analysis
IPL: Independent Protection Layer
SF: Safety Function
SIF: Safety Instrumented Function
EUC: Equipment Under Control
BPCS: Basic Process Control System
SIS: Safety Instrumented System
SIL: Safety Integrity Level
SRS: Safety Requirement Specification
PFD: Probability of Failure on Demand
ALARP: As Low As Reasonably Possible

REFERENCES
IEC 61508
IEC 61511
IEC 61823
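The LOPA arithmetic described in the allocation section (several causes summed to a starting frequency, the PFD credits of the non-SIS IPLs of Figure 4 applied, the residual compared with the target frequency and the required risk reduction mapped onto a SIL band), as an added worked example; this is illustration code, not the paper's SIL4S software, and the scenario, its cause frequencies, IPL PFDs and target frequency are constructed. The band limits follow the IEC 61508 low-demand PFDavg ranges.

```python
"""LOPA-style SIL determination (added example, not from the paper): credit the
PFD of the non-SIS IPLs against the HAZOP starting frequency, compare the residual
with the target frequency and map the required risk reduction onto a SIL band."""
from __future__ import annotations
from dataclasses import dataclass, field

# IEC 61508 low-demand mode: SIL n requires 10^-(n+1) <= PFDavg < 10^-n.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

@dataclass
class Ipl:
    name: str
    pfd: float  # probability of failure on demand credited to the layer

@dataclass
class Scenario:
    consequence: str
    target_freq: float        # tolerable frequency per year (ALARP target)
    causes: dict[str, float]  # HAZOP initiating events -> frequency per year
    ipls: list[Ipl] = field(default_factory=list)  # non-SIS IPLs only

def mitigated_frequency(s: Scenario) -> float:
    """Sum the causes of one consequence, then credit each independent layer."""
    freq = sum(s.causes.values())
    for ipl in s.ipls:
        freq *= ipl.pfd
    return freq

def required_sif_pfd(s: Scenario) -> float:
    """PFD the SIF must achieve so that the residual frequency <= target.
    1.0 means the non-SIS layers alone already meet the target."""
    f = mitigated_frequency(s)
    return 1.0 if f <= s.target_freq else s.target_freq / f

def sil_for_pfd(pfd: float) -> int | None:
    """SIL band containing the required PFD: 0 = no SIF needed (RRF < 10),
    None = the required risk reduction exceeds SIL 4."""
    if pfd >= 0.1:
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None

def figure4_scenario() -> Scenario:
    """Constructed over-pressure case with the three non-SIS layers of Figure 4."""
    return Scenario("vessel rupture or release to environment", target_freq=1e-7,
                    causes={"pressure control loop failure": 0.1, "blocked outlet": 0.01},
                    ipls=[Ipl("alarm system", 0.1), Ipl("relief valve", 0.01), Ipl("flare", 0.1)])
```

For the constructed scenario the residual frequency is about 1.1e-5 per year, so the SIF must reach a PFD of about 9.1e-3, which falls in the SIL 2 band.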
