
Process Hazard Analysis

Palembang
4 – 6 Nov 2019

PT Synergy Risk Management Consultants


Wisma Tugu II, 4th Floor,
Jl. HR. Rasuna Said Kav C7-9, Jakarta Selatan.
Phone: (021) 520 8244
Fax: (021) 520 8243
Agenda – Day 1
08:00 – 09:45 • Introduction to Risk Assessment and PHA Concept
09:45 – 10:00 • Morning Break
10:00 – 11:00 • Introduction to Hazard Identification
11:00 – 12:00 • Exercise: Bow Tie and Hazard Identification
12:00 – 13:00 • Lunch and Prayer
13:00 – 14:00 • (Cont.) Exercise: Hazard Identification
14:00 – 14:45 • Introduction to Hazard Operability Process (Method, Guideword)
14:45 – 15:00 • Afternoon Break
15:00 – 15:45 • (Cont.) Introduction to HAZOP
15:45 – 16:30 • Exercise: Hazard Operability

Agenda – Day 2
08:00 – 09:00 • Introduction to Fault Tree Analysis
09:00 – 09:30 • Exercise: Fault Tree
09:30 – 09:45 • Morning Break
09:45 – 11:30 • Introduction to Event Tree
11:30 – 12:00 • Exercise: Event Tree
12:00 – 13:00 • Lunch and Prayer
13:00 – 14:00 • Introduction to QRA
14:00 – 14:30 • Exercise: QRA
14:30 – 14:45 • Afternoon Break
14:45 – 15:15 • Introduction to What If Analysis and Checklist Analysis
15:15 – 16:30 • Exercise: What If Analysis / Checklist Analysis

Agenda – Day 3
08:00 – 09:00 • Introduction to FMEA
09:00 – 09:45 • Exercise: FMEA
09:45 – 10:00 • Morning Break
10:00 – 12:00 • Introduction to SIL / LOPA
12:00 – 13:00 • Lunch and Prayer
13:00 – 14:30 • (Cont.) Introduction to SIL / LOPA, Exercises 1 – 4
14:30 – 14:45 • Afternoon Break
14:45 – 16:30 • Exercises 5 – 6
Agenda Day-3:
1. SIL / LOPA
2. FMEA
LAYER OF PROTECTION ANALYSIS (LOPA) – SAFETY INTEGRITY LEVEL (SIL) MODULE
LOPA REFERENCES
• ISO – IEC 31010: Risk Management – Risk Assessment Techniques
• IEC – 61511 – 3: Functional Safety – Safety Instrumented Systems for the Process Industry Sector – Part 3: Guidance for the determination of the required safety integrity levels
Spectrum of Risk Based Decision Making
Typical Risk Matrix

LOPA Study required


Layer of Protection and Safety Integrity Level
Scenario Application

[Figure: Onion Model of the 9 protection layers surrounding the Process Hazards, listed here from innermost to outermost]
1. Basic Process Design
2. Basic Process Control Systems
3. Critical Alarms / Human Intervention
4. SIS Systems
5. Physical Protection (PSVs)
6. Physical Protection (Containment)
7. Physical Protection (Distance)
8. Plant Emergency Response
9. Community Response
Figure annotations: "Event Initiated" is marked at the Basic Process Control Systems layer; "Event Realized" is marked at the Physical Protection (Containment) layer.
Layer of Protection and Safety Integrity Level
Risk Reduction – General Concept
Risk Reduction Layers
Safety Integrity Level
What is a Safety Integrity Level (SIL)?
• Reliability value for a Safety Instrumented Function (SIF)
• SIF is an instrumented system such as a trip that is expected to function on demand with a reliability equal to the SIL
• The SIL rating is based on the difference between the process risk (once all other controls are accounted for) and the acceptable or tolerable risk
• The SIF is a Layer of Protection
• Each SIF requires a SIL value to be assigned to it
Safety Integrity Level
• The SIL value is determined by typically one of two methods:
  – Risk Graph Method
  – LOPA method – Layers of Protection Analysis
• Risk Graph is semi quantitative
• LOPA can be either quantitative (more typical) or qualitative
• Separate training course on SIL determination
• The SIL level must also be validated
  – The SIF architecture is reviewed, and the reliability calculated to see if it reaches the SIL level
Determination of Safety Integrity Level – Risk Graph

Risk Graph: a qualitative method


Determination of Safety Integrity Level – LOPA
• Layers of Protection Analysis (LOPA) is a semi-quantitative method to identify or classify the SIL level required for a SIF
• LOPA will assess the consequences to personal safety, environmental pollution and asset damage/loss in the event the SIF fails to respond on demand
• LOPA uses technical data from historical records, standards, etc.
Hazop Information and LOPA
Layer of Protection and Safety Integrity Level
• Recommended SIF found in recommendation column
• Existing SIF found in safeguard column

Excerpt from typical HAZOP report:

Dev | Cause | Consequence | Safeguards | Recommendation
1.0 More Pressure | | | |
1.1 | Pressure control fail, causing hi pressure in a vessel | Vessel overpressure and potential mechanical failure and hydrocarbon release | Pressure relief valve, operator intervention to high pressure alarm | Install SIF to stop inlet flow upon vessel high pressure
1.2 | Outlet line blocked | Vessel overpressure and potential mechanical failure and hydrocarbon release | Pressure relief valve, operator intervention to high pressure alarm | Install SIF to stop inlet flow upon vessel high pressure
2.0 Less Flow | | | |
2.1 | Less flow through pump causes pump failure due to cavitation | Pump damaged | Low outlet flow pump shutdown (SIF) | Existing safeguard adequate

[Figure: simplified P&ID of a vessel feeding a pump, showing the BPCS pressure loop (PT, PIC, control valve), the SIF loop (PT, logic solver – relay or PLC, SOV, ESDV), a PAH alarm, a PSV on the vessel and an FSL on the pump outlet]
Layer of Protection and Safety Integrity Level
• In LOP all the risk controls are INDEPENDENT
  – Avoid common mode failure or account for it in risk assessment calculations
• As illustrated there are many potential risk controls:
  Instrumented or Hydraulic Trip Systems
  – SIF or non-SIF trips (DCS or other critical devices)
  Instrumented Alarms
  – SIF or DCS devices
  Mechanical Protection
  – PSVs, Rupture Discs, Overspeed Devices, Vents
Layer of Protection and Safety Integrity Level
• Safety Instrumented Function consists of Sensor, Logic Solver and Final Element

[Figure: the SIF loop on the vessel P&ID – Sensor (PT) → Logic Solver (relay or PLC) → Final Element (SOV and ESD valve); the BPCS loop (PT, PIC, control valve) is shown alongside]
SIF IDENTIFICATION (EXERCISE)
Layer of Protection and Safety Integrity Level
Layer of Protection and Safety Integrity Level
Safety Integrity Level (SIL) | Probability of Failure on Demand (PFD) | Probability of Success on Demand | Risk Reduction Factor (RRF)
4 | 10^-4 – 10^-5 | 99.99 – 99.999% | 10,000 – 100,000
3 | 10^-3 – 10^-4 | 99.9 – 99.99% | 1,000 – 10,000
2 | 10^-2 – 10^-3 | 99 – 99.9% | 100 – 1,000
1 | 10^-1 – 10^-2 | 90 – 99% | 10 – 100
A | 1 – 10^-1 | 0 – 90% | 1 – 10
No IL | No Requirement | |

RRF = 1 / PFD
Determination of Safety Integrity Level

Scenario Application

LOPA Ratio (LR) = TMEL / ((ICL) × (EEP) × (PFD1) × (PFD2) × (PFD3) …)

where:
• TMEL = Targeted Mitigated Event Likelihood (events/yr) – Table 1 "in the procedure"
• ICL = Initiating Cause Likelihood (events/yr) – Table 2
• EEP = Enabling Event Probability (unitless) – Section 4.4
• PFD = Probability of Failure on Demand of each IPL (unitless) – see Table 4
Determination of Safety Integrity Level

Table 1 – Targeted Mitigated Event Likelihood (TMEL)

Consequence Severity Category | Safety TMEL (event/year) | Negative Log Value (-log TMEL) | Environmental Impact (Remediation or Regulatory) TMEL (event/year) | Negative Log Value (-log TMEL) | Asset Damage & Business Interruption TMEL (event/year) | Negative Log Value (-log TMEL)
* | 1x10^-5 | 5 | – | – | – | –
5 | 1x10^-4 | 4 | 1x10^-4 | 4 | 1x10^-3 | 3
4 | 1x10^-3 | 3 | 1x10^-3 | 3 | 1x10^-2 | 2
3 | 1x10^-2 | 2 | 1x10^-2 | 2 | 1x10^-1 | 1

* For a scenario that could result in offsite fatalities, the Safety TMEL shall be 1x10^-5/year (negative log value equals 5.0).
Using the LOPA Tables

Table 2 – Initiating Cause Likelihood (ICL) *

# | Initiating Cause (IC) | Likelihood of Failure (/Yr)
1 | BPCS instrument loop failure | 1 x 10^-1
2 | Regulator failure | 1 x 10^-1
3 | Fixed equipment failure (e.g. exchanger tube failure) | 1 x 10^-2
4 | Pumps and other rotating equipment failure | 1 x 10^-1
5 | Cooling water failure (redundant CW pumps, diverse drivers) | 1 x 10^-1
6 | Loss of power (redundant power supplies) | 1 x 10^-1
7 | Human error (routine task, once-per-day opportunity) | 1 x 10^-1 (overprinted in source)
8 | Human error (routine task, once-per-month opportunity) | 1 x 10^-2 (overprinted in source)
9 | Human error (non-routine task, low stress) | 1 x 10^-1
10 | Human error (non-routine task, high stress) | 1 x 10^0
11 | Pressure vessel residual failure | 1 x 10^-6
12 | Piping residual failure – 100 m – full breach | 1 x 10^-5
13 | Piping leak (10% section) – 100 m | 1 x 10^-3
14 | Atmospheric tank failure | 1 x 10^-3

* Note, this example table has NOT been updated with actual LOPA Standard Table 2.
Using the LOPA Tables

Table 2, cont. – Initiating Cause Likelihood (ICL) *

# | Initiating Cause (IC) (continued) | Likelihood of Failure (/Yr)
15 | Gasket / packing blowout | 1 x 10^-2
16 | Turbine / diesel engine overspeed with casing breach | 1 x 10^-4
17 | Third party intervention (external impact by backhoe, vehicle, etc.) | 1 x 10^-2
18 | Crane load drop | 1 x 10^-4 per lift
19 | Lightning strike | 1 x 10^-3
20 | Safety valve opens spuriously | 1 x 10^-2
21 | Pump seal failure | 1 x 10^-1
22 | Unloading / loading hose failure | 1 x 10^-1
23 | Small external fire (aggregate causes) | 1 x 10^-1
24 | Large external fire (aggregate causes) | 1 x 10^-2
25 | LOTO procedure failure (overall failure of a multiple-element process) | 1 x 10^-3 per opportunity
26 | Operator failure (routine procedure, well trained, unstressed, not fatigued) | 1 x 10^-2 per opportunity
27 | Other initiating events | Develop with experienced personnel

* Note, this example table has NOT been updated with actual LOPA Standard Table 2.
Using the LOPA Tables

Enabling Event Probability (EEP):
This is the probability that is coupled with an Initiating Cause Likelihood (ICL), when applicable, which takes into account the "condition time window" that enables the cause potential to exist. EEPs can include such things as batch process situations like drill stem water operations on a Coker Unit.

Example: the ICL is "operator opens water to drill stem while it is out of the coke drum". The water pump is only 'on' during drilling operations, which are approximately 8 hours per drum per day. This scenario can only take place during that fraction of the day when the water pump is on. [Test of EEP] If the operator opens water to the drill stem at any other time, nothing happens.

An example of the EEP time fraction would be: see Section 4.4 of the Procedure.
Using the LOPA Tables

Table 4 – Probability of Failure on Demand (PFD) *

Independent Protection Layers (IPLs) | Probability of Failure on Demand (PFD)
BPCS, if not associated with the initiating event being considered | 1 x 10^-1
Operator response to alarm with at least 10 minutes response time | 1 x 10^-1
Relief valve | 1 x 10^-2
Rupture disc | 1 x 10^-2
Flame / detonation arrestors | 1 x 10^-2
Dike | 1 x 10^-2
Underground drainage system | 1 x 10^-2
Open vent (no valve) | 1 x 10^-2
Fireproofing | 1 x 10^-2
Blast-wall / bunker | 1 x 10^-3
Identical redundant equipment | 1 x 10^-1 (max credit)
Diverse redundant equipment | 1 x 10^-1 to 1 x 10^-2
Other events | Use experience of personnel

* Note, this example table has NOT been updated with actual LOPA Standard Table 4.
Using the LOPA Tables

What is the difference between "Safeguards", "IPLs" and "SIFs"?

(Ranked by reliability, from best to good)
• Safety Instrumented Functions – Best: instrumented S/Ds and/or interlocks designed to the reliability levels designated by SIL 1, 2 and 3
• Independent Protection Layers – constrained by specific rules to ensure robustness; some human intervention is allowed, but most involve inherent design features and/or instrumented S/Ds and interlocks
• Safeguards – Good: includes typical safety systems, procedures, training, experience and administrative controls
Using the LOPA Tables

IPL Rules
What Qualifies as a Viable Independent Protection Layer?
√ Prevents the consequence from happening
√ Each IPL must be independent of the other IPLs
√ Each IPL is specifically designed to prevent the scenario identified
√ Each IPL must be dependable
√ Each IPL is designed so it can be audited
Using the LOPA Tables

IPL Rules
All IPLs are safeguards, but not all safeguards are IPLs

Safeguards NOT Usually Considered IPLs
• Training and Certification
• Procedures
• Normal Testing and Inspection
• Maintenance
• Communications
• Signs
• Fire Protection (excluding some fireproofing and auto-activated systems)
• Availability of Information
• Understanding of Information
Involving SIF and SIL

Scenario with non-SIF IPLs only:

LOPA Ratio (LR) = TMEL / (ICL × EEP × PFDs)
                = 10^-5 / ((10^-1) × (10^0) × (10^-2) × (10^-1) × (10^-1)) = 1.0
  (ICL = 10^-1, EEP = 10^0, PFDs of the three non-SIF IPLs = 10^-2, 10^-1, 10^-1)
LR ≥ 1.0, Passed

Involving SIF and SIL

Scenario has an Existing SIF Shutdown:

LOPA Ratio (LR) = 10^-5 / ((10^-1) × (10^0) × (10^-1) × (10^-1) × (10^-2))
  (ICL = 10^-1, EEP = 10^0, PFDs of the non-SIF IPLs = 10^-1, 10^-1, GAP for the existing SIF = 10^-2)
Without the SIF the ratio is 10^-5 / 10^-3 = 10^-2: LR ≤ 1.0, Failed. The 10^-2 factor labelled GAP is the PFD the existing SIF must provide, which sets its SIL target from the table below.

LOPA Ratio | Required SIL | PFD of SIF (event/year) | HRF* = (1/PFD)
10^-1 | 1 | 10^-2 ≤ PFD < 10^-1 | 10 < HRF ≤ 100
10^-2 | 2 | 10^-3 ≤ PFD < 10^-2 | 100 < HRF ≤ 1,000
10^-3 | 3 | 10^-4 ≤ PFD < 10^-3 | 1,000 < HRF ≤ 10,000

* HRF (Hazard Reduction Factor)


WHEN LOPA DOES NOT APPLY

When does this procedure break down and NOT apply?
• LOPA breaks down with human initiated events covered by human initiated safeguards with little or no equipment intervention (equipment failure, equipment sensing, equipment activated functions).
• LOPA works best when the scenario being evaluated is dominated by equipment failures, sensors, and logic driven field elements with little or no human intervention.
• Human behavior and related errors can get difficult to quantify and easily extend outside the capabilities of a limited database driven methodology.
Example - 1

During a start-up, a C3 drain valve could be opened, creating the potential for a vapor cloud explosion. Safeguards included administrative controls (Pre-Startup Safety Review, P&ID walk-through, system leak check, and operator training).

TMEL: 10^-5
ICL: 10^-1
EEP: 10^0
PFD1: 10^0
PFD2: 10^0
LOPA Ratio: 0.0001

Is this a reasonable application of LOPA?
Example - 2

A heavy crane lift (100T) is conducted over a main substation. Significant damage to the substation can result in 2 weeks downtime of refinery front end units. Safeguards include a pre-lift Job Safety Analysis.

TMEL: 10^-4
ICL: 10^-4
EEP: 10^0
PFD1: 10^0
PFD2: 10^0
LOPA Ratio: 1

Is this a reasonable application of LOPA?
Example – 3

Temperature control on the C3 column fails, causing a pressure increase in the column with possible LOC. The column has an RV. TAH and PAH are annunciated in the control room, which is 30 feet from the column. (Operator response criterion to alarm satisfies all the IPL Rules, Section 4.6.)

TMEL: 10^-4
ICL: 10^-1
EEP: 10^0
PFD1: 10^-2
PFD2: 10^0 (= 1)
LOPA Ratio: 0.1

Consider validating Operator Response to Alarm (PFD2 = 10^-1)
Consider SIS with a SIF shutdown (TA or PA) of SIL 1 (PFD2 = 10^-1)
Example - 4

A BPCS loop component (PT, PC, control valve, or the related communication links) failed, causing the control valve to go open and start a pressure excursion (see illustration below).

[Figure: BPCS pressure loop (PT-1, PC-1, control valve) with a separate transmitter PT-B feeding the SIF]

Using the basic LOPA Ratio computation:
Safety TMEL: 1x10^-3
ICL (BPCS): PFD = 1x10^-1 (No EEP Contribution)
LR Gap: 1x10^-2
SIF Target: SIL 2.
Example - 5

A BPCS loop component (PT, PC, control valve, or the related communication links) failed, causing the control valve to go open and start a pressure excursion (see illustration below). An alarm exists on the existing SIF loop in conjunction with the shutdown control loop.

Safety TMEL: 1x10^-3
ICL (BPCS): 1x10^-1 (No EEP Contribution)
IPL (Operator response to alarm): No IPL credit: PFD = 1x10^0
The alarm is part of the SIF and is not independent from other IPL credits or potential credits.
LR Gap: 1x10^-2
SIF Target: SIL 2.
Example - 6

A BPCS loop component (PT, PC, control valve, or the related communication links) failed, causing the control valve to go shut and start a pressure excursion (see illustration below). An alarm exists from a separate transmitter serving a separate PC.

Safety TMEL: 1x10^-5
ICL (BPCS): 1x10^-1 (No EEP Contribution)
IPL (RV protection): PFD = 1x10^-2
IPL (Operator response to alarm): One IPL credit: PFD = 1x10^-1
The alarm is independent from other IPL credits or potential credits. Also, the operator response criterion satisfies all the other IPL Rules (Section 4.6).
LR GAP: 1x10^-1
SIF Target: SIL 1.
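The ratio, the SIL bands and Examples 1 to 6 above in working form, as an added example that is not part of the training material or of the procedure it cites. It implements LR = TMEL / (ICL × EEP × PFD1 × PFD2 …) from the "Determination of Safety Integrity Level" slide, the SIL / PFD / RRF table (RRF = 1/PFD), the "LOPA Ratio → SIL target" table, the IPL independence rule (no credit for an alarm that is part of the SIF loop, as in Example 5) and the "when LOPA does not apply" rule. The Ipl and Scenario records, the evaluate() function, the kind / independent / initiator_kind labels and the lopa_applies flag are this example's own modelling assumptions, and the six scenario records are constructed transcriptions of the slide examples using their decade values only.

```python
"""LOPA ratio, SIL target and PFD/RRF bands.

Added example, not code from the slides or the procedure they cite: it encodes
LR = TMEL / (ICL x EEP x PFD1 x PFD2 ...), the SIL/PFD/RRF table and the
"LOPA Ratio -> SIL target" table, then replays slide Examples 1-6 as constructed
records. Ipl, Scenario and evaluate() are names invented for this example.
"""
from dataclasses import dataclass
from math import prod

# SIL bands from the slide table, read as 10^-(n+1) <= PFD < 10^-n
# (the slide's "10^-2 <= PFD < 10^-1 -> SIL 1" convention).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def _tidy(x: float) -> float:
    # strip binary float noise so products of decades compare exactly
    return float(f"{x:.9g}")


def rrf(pfd: float) -> float:
    """Risk Reduction Factor (HRF on the SIL-target slide): RRF = 1 / PFD."""
    return _tidy(1.0 / pfd)


def sil_band(pfd: float):
    """SIL achieved by a function of known PFD (the validation step).
    'A' is 10^-1 <= PFD < 1; 'none' means PFD >= 1 (no risk reduction)."""
    pfd = _tidy(pfd)
    if pfd >= 1.0:
        return "none"
    if pfd >= 1e-1:
        return "A"
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4  # below 10^-5: the slide table tops out at SIL 4


def lopa_ratio(tmel: float, icl: float, eep: float, pfds) -> float:
    """LR = TMEL / (ICL * EEP * PFD1 * PFD2 * ...); LR >= 1.0 passes."""
    return _tidy(tmel / (icl * eep * prod(pfds, start=1.0)))


def required_sil(lr: float):
    """SIL target for a SIF that must close a failed ratio: the gap equals LR,
    so take the lowest SIL whose whole PFD band lies at or below the gap
    (10^-1 -> SIL 1, 10^-2 -> SIL 2, 10^-3 -> SIL 3, as on the slide)."""
    if lr >= 1.0:
        return None  # ratio passed, no SIF needed
    for sil, (_lo, hi) in SIL_BANDS.items():
        if hi <= lr:
            return sil
    return 4  # gap below 10^-4: off the slide table, needs further layers


@dataclass
class Ipl:
    name: str
    pfd: float
    kind: str = "equipment"   # "equipment", "human" or "administrative"
    independent: bool = True  # IPL rule: independent of the other IPLs

    def credit(self) -> float:
        """PFD credited in the ratio: 1.0 (no credit) for a layer that is not
        independent, e.g. an alarm on the SIF's own transmitter (Example 5),
        or for a purely administrative safeguard (slide: not usually an IPL)."""
        return 1.0 if (not self.independent or self.kind == "administrative") else self.pfd


@dataclass
class Scenario:
    name: str
    tmel: float
    icl: float
    ipls: list
    eep: float = 1.0                   # enabling event probability, 1 if none
    initiator_kind: str = "equipment"  # or "human"


def evaluate(s: Scenario) -> dict:
    """Ratio, pass/fail, SIL target and the slide's applicability rule: LOPA
    breaks down for a human-initiated event with no equipment-based IPL."""
    lr = lopa_ratio(s.tmel, s.icl, s.eep, [i.credit() for i in s.ipls])
    equipment_ipl = any(i.kind == "equipment" and i.credit() < 1.0 for i in s.ipls)
    return {"lr": lr, "passed": lr >= 1.0, "sif_target": required_sil(lr),
            "lopa_applies": s.initiator_kind == "equipment" or equipment_ipl}


# Constructed records transcribing slide Examples 1-6 (decade values only).
EXAMPLES = {
    1: Scenario("C3 drain valve opened at start-up", 1e-5, 1e-1,
                [Ipl("PSSR, walk-through, leak check, training", 1.0, "administrative")],
                initiator_kind="human"),
    2: Scenario("100T crane lift over substation", 1e-4, 1e-4,
                [Ipl("Pre-lift JSA", 1.0, "administrative")]),
    3: Scenario("C3 column temperature control fails", 1e-4, 1e-1,
                [Ipl("Relief valve", 1e-2),
                 Ipl("Operator response to alarm, unvalidated", 1.0, "human")]),
    4: Scenario("BPCS loop fails, control valve opens", 1e-3, 1e-1, []),
    5: Scenario("BPCS loop fails, alarm on the SIF loop", 1e-3, 1e-1,
                [Ipl("Alarm on SIF transmitter", 1e-1, "human", independent=False)]),
    6: Scenario("BPCS loop fails, control valve shuts", 1e-5, 1e-1,
                [Ipl("Relief valve", 1e-2),
                 Ipl("Alarm from separate transmitter/PC", 1e-1, "human")]),
}

if __name__ == "__main__":
    for n, sc in EXAMPLES.items():
        print(f"Example {n} ({sc.name}): {evaluate(sc)}")
```

Run as a script it prints each example's ratio, pass/fail verdict, SIL target and applicability flag; Examples 3 and 6 come out at LR = 0.1 with a SIL 1 target, Examples 4 and 5 at a 10^-2 gap with a SIL 2 target, and Example 1 is flagged as a case where LOPA does not apply. The band boundaries follow the slide's "10^-2 ≤ PFD < 10^-1 → SIL 1" row, which is why required_sil() and sil_band() treat an exact decade differently: a gap of exactly 10^-2 needs a SIL 2 function, while a SIF whose validated PFD is exactly 10^-2 only achieves SIL 1.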
LOPA GROUP DISCUSSION
• Please work as a group to solve this case study
• Identify credible scenarios using the HAZOP or What If method
• Utilize the LOPA concept to evaluate the adequacy of the layers of protection
• Tips: share your thoughts actively and use your experience extensively…
Example - 6
FAILURE MODE & EFFECT ANALYSIS (FMEA) MODULE
FMEA - REFERENCES
• ISO – IEC 31010: Risk Management – Risk Assessment Techniques
• IEC – 60812: Analysis Techniques for System Reliability – Procedure for Failure Mode and Effect Analysis (FMEA)
POSSIBLE CAUSE
FMEA – What Is It?
FMEA – What Is It?
FMEA TYPES
FMEA – Resource Requirement
FMEA – Resources and Data
FMEA – Prework
FMEA – Performing the Review
FMEA – Worksheet
FMEA – Tables
FMEA – Developing Incident Scenario
FMEA – Exercise
FMEA – Exercise
FMEA – Exercise
FMEA – Exercise
FMEA – Exercise
FMEA – Exercise Other Finding
FMEA – Pros/Cons
END
