INTEGRATING HAZOP AND SIL/LOPA ANALYSIS: BEST PRACTICE RECOMMENDATIONS

Ken Bingham
President
ACM Automation
Calgary, AB, T2R1K7
Canada

Prasad Goteti
Safety Inst. Engineer
ACM Automation
Calgary, AB, T2R1K7
Canada

KEYWORDS

HAZOP (Hazard and Operability study), SIL (Safety Integrity Level), LOPA (Layers Of
Protection Analysis).

ABSTRACT

Traditionally, a Hazard and Operability (HAZOP) study and Safety Integrity Level (SIL)
Assessment or SIL determination (usually using the Risk Graph or Layer Of Protection
Analysis (LOPA) methodology) are two separate facilitated sessions, which produce two
unique databases. SIL Validation is yet a third requirement of the International
Electrotechnical Commission (IEC) 61511 standards that demands the use of another set of tools and
produces a third database. Trying to manage the recommendations of these interconnected
studies is extremely difficult. In the Integrated Approach, only one facilitated session is
required for HAZOP and SIL Assessment. Only one database is created, and it is used to
perform SIL Validation. In addition to being a secure and auditable database, this single
database is also part of a complete “handover package” that operators need to ensure they
maintain the SIL integrity assigned to each SIL loop. Some demonstrated benefits of the
Integrated Approach are a minimum 30% time and cost savings; a single auditable database;
elimination of mathematical errors during SIL Validation; creation of a complete electronic
handover data package and the capability of operators to easily model proposed changes to
their maintenance and testing plans (SIL Optimization) using the same database.

Copyright 2004 by ISA – The Instrumentation, Systems and Automation Society.


Presented at the ISA 2004, 5-7 October 2004, Reliant Center Houston, Texas, www.isa.org

INTRODUCTION

This paper details the process in which the HAZOP / SIL study is conducted. The first part
indicates the steps involved and later an example illustrates the steps.

METHODOLOGY

The Integrated HAZOP / SIL study is initiated by calling a meeting (or session), usually
comprising the operating company, the engineering consultancy company (if this is a new
project) and the HAZOP / SIL facilitator with his scribe (who is usually an independent third
party). The team of engineers should definitely include chemical (or process) engineers,
instrumentation engineers and safety engineers. Other engineers are optional, depending on
whether they are needed during the course of the session.

The session has the following steps, in the order listed below.

HAZOP

A HAZOP is used to identify major process hazards or operability issues related to the process
design. Major process hazards include the release of hazardous materials and/or energy. The
focus of the study is to address incidents that may impact public health and safety,
worker safety in the workplace, economic loss, the environment, and the company’s
reputation.

The inputs to the HAZOP are the Process and Instrumentation Diagrams (P&IDs), Cause and
Effect charts (C&E) and the operating company’s risk matrix (a matrix quantifying the
risk level depending on the likelihood and severity).

A typical risk matrix is shown below:

Severity                      Frequent                    Probable                    Occasional                  Remote
                              (more than once per year)   (once every four years)     (once every 25 years)       (not in the life of the facility)

Severity Level 1 (Critical)   Priority 1 (Unacceptable)   Priority 1 (Unacceptable)   Priority 1 (Unacceptable)   Priority 2 (High)
Severity Level 2 (High)       Priority 1 (Unacceptable)   Priority 2 (High)           Priority 2 (High)           Priority 3 (Medium)
Severity Level 3 (Moderate)   Priority 2 (High)           Priority 3 (Medium)         Priority 4 (Low)            Priority 4 (Low)
Severity Level 4 (Minor)      Priority 3 (Medium)         Priority 4 (Low)            Priority 4 (Low)            Priority 4 (Low)

Figure 1

The outputs from the HAZOP are the risk ranking of each identified cause of process deviation
and recommendations to lower the risk involved. These recommendations are given in the
form of safeguards.

SIL / LOPA ASSESSMENT

The SIL / LOPA study assesses the adequacy of the Safety Protection Layers (SPLs) or
safeguards that are in place to mitigate hazardous events relating to major process
hazards, identifies those SPLs or safeguards that do not meet the required risk reduction for a
particular hazard, and makes reasonable recommendations where a hazard generates a
residual risk that needs further risk reduction. This is done by defining the tolerable frequency
(TF). The TF of the process deviation is a number derived from the level of risk
identified from the HAZOP risk matrix. It indicates how often, in terms of years, the
operating company can tolerate the process deviation occurring. For example, a TF of 10^-4
indicates that the company can tolerate the occurrence of the process deviation once in 10,000
years. The mitigation frequency (MF) is calculated from the likelihood of each
cause and the Probability of Failure on Demand (PFD) of the SPLs.

The inputs to the SIL / LOPA assessment are the process deviations, causes, risk levels and
safeguards identified during the HAZOP. The SIL / LOPA assessment recommends the Safety
Protection Layers (SPLs) to be designed to meet the process hazard.

RECOMMENDATIONS

In the event that the MF is not less than the TF, more SPLs are recommended; their PFD
values are assumed and included in the equation for the MF to bring it below the TF.
These SPLs are recommended as safeguards to decrease the risk of the consequences
of the deviation (or cause) being analyzed.

The session ends with the MF values of all the LOPA scenarios derived as less than the TF.

SIL / LOPA VALIDATION

This is done after the session by the reliability or safety engineer. The methodology is to
calculate the Probability of Failure on Demand (PFD) values of the identified SPLs, then derive
the mitigation frequency (MF) as a calculation from the likelihood of each cause and the PFD
of the SPLs. If the total MF of all the causes is less than the tolerable frequency (TF), which is
defined as a numerical value from the HAZOP risk matrix, the integrated study is complete.
This validates the assumed PFD values of the SPLs during the session.

THE INTEGRATED HAZOP / SIL PROCESS

The following process is used in a session for each of the nodes identified during a HAZOP
study:

• The process engineer describes the intention of the node.
• Concerns and hazards within the node are recorded under the discussed node notes.
• The HAZOP/SIL team applies process parameter deviations to each node and identifies
the associated hazards.
• Causes and initiating events of those hazards are identified and recorded.
• The resulting consequences are identified, categorized, and recorded based on the
consequence grading in the operating company’s risk matrix.
• The likelihood of the initiating event is then assigned by the group and recorded based
on the risk matrix.
• The resulting risk score, based on the consequence and likelihood scores, is recorded
as per the risk matrix, without taking credit for any of the safeguards in place.
• The safeguards are then identified and evaluated as SPLs.
• The risk is re-scored taking into account the identified safeguards which are
independent SPLs. Usually a standard SIL value is assigned to the SPLs, which are
validated outside the session for accuracy.
• If sufficient independent layers of protection are identified to reduce the risk to the
tolerable level (TF), then no further safeguards are identified and no recommendations
are required.
• If the risk with safeguards is high and does not meet the TF, then recommendations and
actions are developed with the aim of reducing the risk below the TF.
• The implementation of those actions and recommendations is assigned to the
responsible party and individual. The recommended SPLs are validated and their PFD
numbers are used to calculate whether the MF is less than the TF.
• The process is repeated covering the applicable parameters, deviations, and nodes.

The concerns and hazards discussed at the outset of the node are reviewed to ensure that
they were covered in the HAZOP discussions.

EXAMPLE

The integrated study concept is indicated in the form of an example in this section.

In the following example, a HAZOP related to high level in a storage tank is considered. As
per the HAZOP process, all the causes have been identified, the consequences listed and the risk
ranking done without and with the existing safeguards (SPLs).

Figure 2 (callouts: type of process; process deviation; causes of the process deviations;
consequences if the process deviation occurred; severity, likelihood and risk level if the
process deviation occurred without considering safeguards; safeguards to mitigate the cause
and consequences; IPL (SPL) – independent protection layers; risk analysis with IPLs;
HAZOP recommendations)

The HAZOP observations, when represented in the SIL / LOPA analysis, would look like this:

Figure 3 (callouts: HAZOP’s “deviation”; HAZOP’s “causes”; tolerable frequency, derived as a
function of the risk level from the risk matrix; HAZOP’s “consequences”)

The LOPA scenario is High level and the initiating events are all the causes identified in the
HAZOP. The consequence rating is High which derives the Tolerable Frequency (TF). The
consequence rating is from the HAZOP risk matrix of the client.

Figure 4 (callouts: MF short of the TF by this SIL value; HAZOP’s “causes”; HAZOP’s
“safeguards”)

From the HAZOP, the causes of deviation are listed as LOPA causes, their likelihoods are
identified and the safeguards are listed as protection layers (SPLs). The PFD value of each
SPL is either manually entered or linked to a calculated value. If the MF is not less than the TF (as in
the case of this example), it implies that some additional SPLs are required to meet the TF. In
the case of this example, by adding a new SPL of 0.01 PFD, the diagram below indicates how
the TF is met.

Figure 5 (callout: the band indicates that the MF value is less than the TF value and hence the
SPLs have been able to mitigate the risk to a level the company can tolerate)
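
The MF-versus-TF check described in the assessment, validation and example sections can be reproduced in a few lines. The following is an added example, not part of the original paper or its tool: the MF equation (sum over causes of likelihood times the product of SPL PFDs) is the standard LOPA arithmetic and is assumed here because the paper does not print it, and the TF value, cause names and alarm PFD are constructed. The likelihoods come from the Figure 1 categories and the SIL bands from the paper's acronym list.

```python
from math import prod

# SIL bands as (upper, lower) PFD limits, from the paper's acronym list.
SIL_BANDS = {1: (1e-1, 1e-2), 2: (1e-2, 1e-3), 3: (1e-3, 1e-4), 4: (1e-4, 1e-5)}

# Constructed high-level scenario: TF, causes and the alarm PFD are assumptions.
TF = 1e-3  # tolerable frequency, events per year
ALARM = "High level alarm with operator response"
CAUSES = [
    {"cause": "Level control loop fails", "likelihood": 0.25, "spl_pfds": {ALARM: 0.1}},
    {"cause": "Outlet valve left closed", "likelihood": 0.04, "spl_pfds": {ALARM: 0.1}},
]


def mitigated_frequency(causes):
    """MF = sum over causes of likelihood x product of the PFDs of that cause's SPLs.

    Only SPLs independent of the cause and of each other may be credited.
    """
    return sum(c["likelihood"] * prod(c["spl_pfds"].values()) for c in causes)


def max_pfd_for_new_spl(causes, tf):
    """Upper bound on the PFD of one extra SPL covering every cause; None if MF < TF."""
    mf = mitigated_frequency(causes)
    return None if mf < tf else tf / mf


def sil_for_pfd(pfd):
    """SIL band containing a target PFD; 0 means no SIL-rated layer is needed."""
    if pfd >= 1e-1:
        return 0
    for sil, (upper, lower) in SIL_BANDS.items():
        if lower <= pfd < upper:
            return sil
    raise ValueError("target PFD is below the SIL 4 band; revisit the process design")


def add_spl(causes, name, pfd):
    """Return a copy of the scenario with one more SPL credited against every cause."""
    return [{**c, "spl_pfds": {**c["spl_pfds"], name: pfd}} for c in causes]


if __name__ == "__main__":
    print("MF before:", mitigated_frequency(CAUSES), "TF:", TF)
    gap = max_pfd_for_new_spl(CAUSES, TF)
    print("new SPL needs PFD below", gap, "-> SIL", sil_for_pfd(gap))
    fixed = add_spl(CAUSES, "New SPL (PFD 0.01, as in the paper)", 0.01)
    print("MF after:", mitigated_frequency(fixed), "meets TF:", mitigated_frequency(fixed) < TF)
```
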

CONCLUSION

By integrating the HAZOP and SIL / LOPA studies into one session, the time and cost to
conduct these sessions are reduced, there is more data integrity as the same team conducts
both the studies and it removes the subjectivity which comes out of a pure HAZOP session.
An integrated study is a semi-quantitative technique and applies much more rigor than a
HAZOP alone. It determines if the existing safeguards are enough and if proposed safeguards
are warranted. It tightly couples the risk tools (matrices, risk graphs) of a corporation.

ACRONYMS

C&E – Cause and Effect charts

LOPA – Layer of Protection Analysis

HAZOP – Hazard and Operability study

MF – Mitigated Frequency

PFD – Probability of Failure on Demand

P&ID – Process and Instrumentation diagram

S(I)PL – Safety (Independent) Protection Layer

SIL – Safety Integrity Level (IEC specifies 4 levels: SIL 1 – PFD of .1 to .01, SIL
2 – PFD of .01 to .001, SIL 3 – PFD of .001 to .0001, SIL 4 – PFD of .0001 to
.00001)

TF – Tolerable Frequency
