Reliability Engineering and System Safety 108 (2012) 5664

Contents lists available at SciVerse ScienceDirect

Reliability Engineering and System Safety

journal homepage: www.elsevier.com/locate/ress

HASILT: An intelligent software platform for HAZOP, LOPA, SRS and SIL verication
Lin Cui a, Yidan Shu a, Zhaohui Wang b, Jinsong Zhao a,n, Tong Qiu a, Wenyong Sun b, Zhenqiang Wei b
a b

Chemical Process Accident Prevention and Emergency Research Center, Department of Chemical Engineering, Tsinghua University, Beijing 100084, China CNPC Research Institute of Safety & Environment Technology, Beijing, 100083 China

a r t i c l e i n f o
Article history: Received 28 June 2011 Received in revised form 9 June 2012 Accepted 18 June 2012 Available online 26 June 2012 Keywords: HAZOP LOPA Safety requirements specication SIL validation Knowledge management PSM

a b s t r a c t
Incomplete process hazard analysis (PHA) and poor knowledge management have been two major reasons that have caused numerous lamentable disasters in the chemical process industry (CPI). To improve PHA quality, a new integration framework that combines HAZOP, layer of protection analysis (LOPA), safety requirements specication (SRS) and safety integrity level (SIL) validation is proposed in this paper. To facilitate the integrated work ow and improve the relevant knowledge management, an intelligent software platform named HASILT has been developed by our research team. Its key components and functions are described in this paper. Furthermore, since the platform keeps all history data in a central case base and case-based reasoning is used to automatically retrieve similar old cases for helping resolve new problems, a recall opportunity is created to reduce information loss which has been cited many times as a common root cause in investigations of accidents. & 2012 Elsevier Ltd. All rights reserved.

1. Introduction With the rapidly increasing scale and complexity of the modern CPI, it is becoming harder to control chemical accidents in chemical plants. Offsite consequences often lead to ecological disasters. For example, about 40% of large-scale environmental emergency events reported to the Ministry of Environmental Protection of China were caused by accidents occurred inside chemical plants. To prevent major accidents from occurring, the process safety management (PSM) programs have been implemented by many companies around the world since the PSM of Highly Hazardous Chemical standard, 29CFR 1910.119 was promulgated by the US Occupational Safety and Health Administration (OSHA) in 1992. However, the implementation degrees vary from plant to plant. It is interesting to note that for most accidents, companies are cited for failure to comply with this standard and no companies are cited after an accident for having a good PSM program [1]. There were a total of 6578 citations of past 1227 OSHA PSM inspections from 1992 to 2006 [2]. Among all OSHA citation data, incomplete process hazard analysis (PHA) was one of the most frequently cited. According to the PSM

Corresponding author. Tel.: 86 10 62783109; fax: 86 10 62770304. E-mail addresses: mr.cuilin@mail.tsinghua.edu.cn (L. Cui), shuyd@tom.com (Y. Shu), xjyx_wzh@petrochina.com.cn (Z. Wang), jinsongzhao@tsinghua.edu.cn (J. Zhao), qiutong@tsinghua.edu.cn (T. Qiu), weizhenqiang@cnpc.com.cn (W. Sun), wei-zhenqiang@cnpc.com.cn (Z. Wei). 0951-8320/$ - see front matter & 2012 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.ress.2012.06.014

regulation, the purpose of a PHA study is to review a process design to identify hazardous scenarios and ensure they are properly safeguarded. A complete PHA study for a process design is the nal check to make sure that the design activities for the plant have not generated any new unacceptable risks. PSM standards have been implemented for nearly 20 years. However, catastrophic accidents are still persistently occurring and there is not an obvious decline in process safety events. Through investigations of accidents of the last decade it can be found that their occurrence was not due to unknown physical or chemical process hazards. Why did they still happen? One of the major reasons is that lessons have not been learnt by all people, only by some [3]. It is a well known fact that corporations dont have memories but their employees do. When the employees leave, their knowledge generally goes away with them. A 2006 research report indicated that 50% of the process industry workforce would retire in the next 10 years and that there was a shortage of trained staff available to replace them [4]. Therefore, authors have developed HAZOPSuite not only for facilitating HAZOP meetings, but also for HAZOP knowledge management [5] that help knowledge transfer and reuse through the open and structured use of expert knowledge. Motivated by the same thought, authors have developed HASILT for PHA knowledge management through a single open platform. Although Bingham and Goteti [6] recommended the integration of HAZOP, LOPA and SIL validation, a clearly described integration strategy is still not available, and the corresponding software is rarely reported in literature. Therefore a software that combines them as

L. Cui et al. / Reliability Engineering and System Safety 108 (2012) 5664

57

Nomenclature CBR CPI ESD ETA FMEA FT HASILT Case based reasoning Chemical process industry Emergency shutdown Event tree analysis Failure modes and effects analysis Fault trees analysis Integrated intelligent software system developed by the authors HAZOP Hazard and operability HAZOPSuite The prototype software system of HASILT IPL Independent protection layer

LOPA Layer of protection analysis MSDS Material safety datasheet OSHA US occupational safety and health administration P&ID Piping and instrument diagram PetroHAZOP The prototype software system of HAZOPSuite PFD Probability of failure on demand PHA Process hazard analysis PSI Process safety information PSM Process safety management SIF Safety instrumented function SIL Safety integrity level SIS Safety instrumental system SRS Safety requirement specication

well as SRS is much needed to ease the integration work ow and realize knowledge management through information technology. In this paper, the PHA methods and some related issues are presented in Section 2, the integration framework will be described in Section 3, and the software platform HASILT will be briey introduced in Section 4. There is a case study in Section 5 demonstrating the effectiveness of the software platform. Conclusions will be drawn in Section 6.

2. The PHA methods and related issues There are several PHA methods recommended in the OSHAs PSM standards, including hazard and operability (HAZOP) study, what-if/checklist analysis, fault trees analysis (FTA), failure modes and effects analysis (FMEA). Among them, the HAZOP study method has been recognized as a best PHA practice in the CPI because of its thorough and holistic analysis methodology. HAZOP analysis assumes that hazards arise in a process plant due to deviations from design intents or from acceptable normal behaviors. It systematically and critically identies all the possible causes and consequences of each hypothesized process deviation in a formal and systematic way. Its methodology was described in the book written by Kletz [7]. He also reviewed the HAZOPs history and its future developments [8]. The standard IEC61882 by International Electrotechnical Commission is the ofcial application guidelines of HAZOP. The PHA methods, such as HAZOP, can be used at any point in the life cycle of a process or a facility, but it is most frequently used during the design stage when the process ow diagram and the P&IDs are essentially complete, or after each modication. According to the OSHA PSM standards, PHA also should be thoroughly updated at least every 5 years for a facility without any process related change. However, HAZOP is time consuming and effort consuming. It takes a HAZOP team consisting of 5 to 8 domain experts 18 weeks to complete the HAZOP analysis of a typical chemical process. For a large scale chemical process such as a one-millionton-per-year ethylene plant which has more than two hundreds of P&IDs, it takes a much longer time according to the HAZOP duration estimation by Khan and Abbasi [9]. To identify all of the potential hazards in the process, the HAZOP analysis has to cover different operation stages including planned startup, normal operation, planned shutdown, unplanned shutdown and unplanned startup. However, not all of the stages are considered in HAZOP meetings, which often leads to incomplete PHA. For example, the BP Texas City renery explosion accident in March, 2005 occurred during the isomerization unit startup of which the HAZOP analysis had not been done. Another factor that contributes to incomplete PHA is

that even an experienced HAZOP team may be prone to overlook some potential hazards during the tedious and day-after-day HAZOP meetings of a large scale chemical process. To lower the workload of the HAZOP team and improve HAZOP analysis quality, there has been a considerable motivation for more than two decades to develop intelligent systems for automating PHA of chemical plants since the end of 1980s, using various methodologies [10,11,12,13]. However, few of the intelligent systems have been widely accepted by the CPI. The authors developed an intelligent HAZOP software platform, currently named HAZOPSuite based on case-based reasoning and ontology [5]. Up to the day when the authors are drafting this paper, HAZOPSuite has been deployed and used in the Dushanzi renery of China National Petroleum Corporation (CNPC) for more than four years, and HAZOP studies of more than 90 renery and/or petrochemical processes have been done by using this software platform. Even though HAZOP has been a successful practice of PHA in the CPI for about a half century, not all chemical companies have practiced it. There might be many contributing factors. One reason that the authors want to mention is that HAZOP study is essentially designed as a qualitative approach, and it is not uncommon that the HAZOP team quickly estimates risk ratings based on their experiences. Lacking of an efcient quantitative risk estimation algorithm available in HAZOP analysis has resulted in inconsistency and ambiguity. Therefore, management people often get frustrated when they need to make decisions based on the HAZOP results. About ten years ago, Dr. Trevor Kletz already warned of this tendency by stating that all techniques tend to degrade as they become more widespread and there is concern that some companies that claim to carry out HAZOPs are undertaking little more than a perfunctory examination of the line diagrams [14]. Therefore another better PHA practice has to be adopted. HAZOP study is only used to identify the hazardous scenarios while some other semi-quantitative or quantitative risk assessment methods and technologies are adopted to determine the risk levels of the hazards identied by HAZOP. Tens of such semiquantitative/quantitative methods or technologies such as fault tree analysis (FTA), event tree analysis (ETA) and layer of process analysis (LOPA) have been developed during the past decades [15,16,17,18]. Among these technologies, LOPA is often the rst approach taken in quantifying risk [19]. It typically uses order of magnitude, instead of specic data, for estimating initiating event frequency, and the likelihood of failure of independent protection layers (IPLs).The methods primary object is to determine whether the existing safeguards against a potential risk scenario are sufcient, and what additional protections should by applied if they are not enough [20]. As the needed additional protections can be SIS (safety instrumented system), it can also be used to determine the needed SIL (safety integrity level) of a SIS [21].

58

L. Cui et al. / Reliability Engineering and System Safety 108 (2012) 5664

Traditionally HAZOP and LOPA are two separately facilitated sessions which produce two unique databases [6]. There is an increasing trend that more and more companies are integrating LOPA with HAZOP in order to save time, cut cost and keep team continuity [22]. It is estimated that 1% of hazardous scenarios identied by HAZOP proceed to LOPA [20], and 1 million LOPAs have been performed even though many of the originators thought LOPA would be used a lot less frequently than it is now [23]. In a developing country like China, however, some chemical companies are starting to do HAZOP while much less companies are even aware of LOPA, let along do it. To improve the LOPA efciency and reduce the possibility of overlooking scenarios, commercial software such as Hazard Review LEADER that generates LOPA scenarios automatically from HAZOP data has been developed. Detailed relationship between HAZOP and LOPA information can be found in literature [24]. SIS, sometimes called the interlock system or the emergency shutdown (ESD) system, etc., is a complicated and important type of protection layer. It is a combination of sensors, logic solvers and actuators designed for taking a process to a safe state when predetermined set points are exceeded or safe operating condition are violated. A SIS may perform several Safety instrumented functions (SIFs). Each SIF with an assigned safety integrity level (SIL) describing the SIFs reliability is designed to minimize a process risk to a tolerable level. A safety requirement specication (SRS) document has to be developed for helping the SIS design. The standards such as IEC61508, IEC61511 and ISA S84.01 not only provide the guidelines for SISs design, implementation and validation activities [25,26], but also stimulate researches on SIL validation algorithms [27,28].

3. Integration frameworks Since the rst book of LOPA was publish in 2001 [20], more and more companies have accelerated to either incorporate LOPA as part of their HAZOP analysis meetings or use it after HAZOP is complete for sake of the cost saving and team continuity. From

the pure technological aspect, that integrated approach also ensures the data consistency and integrity [22]. Although LOPA has a tremendous impact on the CPI with many benets reaped, issues exist in implementing LOPA. One of the biggest issues is that companies use LOPA without following the basic rules for LOPA. Among the issues, a major problem is that the failure rate data, probability of failure on demand (PFD), of each independent protection layer (IPL) and the frequency value of each initiating event (IE) are generally picked from a list whereas the specic IPLs are not validated to have the claimed PFD values [23]. In fact, based on our experience, about 5% to 10% of SISs failed in the SIL validation projects we have done. For an installed chemical process, the invalidated values used in LOPA can lead to unreliable LOPA and therefore PHA results. To solve this problem, we propose a new HAZOP, LOPA, SRS and SIL integration framework (Fig. 1) to better analyze and manage the risks of chemical processes although LOPA, SRS and SIL verication are not mentioned in the PSM standards. In the integration framework, a new seven step PHA workow which includes HAZOP and LOPA, SRS and SIL validation is presented. Different from the traditional one-way workow, there are branch ows and backows in the new workow in order to increase the reliability of the results of each step. The data generated in each step is stored in an integrated central database in a unied manner for keeping data consistency. The data sharing among different steps is implemented by using the central database. The workow begins from the HAZOP study to identify the hazards. For complex HAZOP scenarios LOPA should be done to determine whether the existing safeguards are enough or not. Therefore, the LOPA needed data already acquired in the HAZOP step is transferred from HAZOP to LOPA (step 2). Before the LOPA of an installed process, the safety integrity level (SIL) of any existing safety instrumented system (SIS) has to be insured. Therefore, SIL validation should be done in this case if any existing SIS has not been validated (step 3a). Usually it is done through another piece of software. Here it is however done within the HASILT platform which will be presented later. SIL validation cannot be done without safety requirements specication (SRS).

Start
New SIS needed?

No

HAZOP Study

Yes
Export LOPA data to SRS worksheet

For complex scenarios Export HAZOP data to LOPA worksheets

Specify SRS

No
Safeguards contain SIS? For processes installed SIS Design

Yes

For processes in the design phase SIL validation

SIL validation on existing SIS

Extract SIL data from existing SRSs

SILs meet SRS?

No

Yes
Update HAZOP results LOPA

End

Fig. 1. Integration framework.

L. Cui et al. / Reliability Engineering and System Safety 108 (2012) 5664

59

If the SIS has been installed in the plant, the information that is required by SIL validation has to be extracted from its corresponding SRS (step 3b). If the SIS is still in the design phase, its SRS can be obtained from the design documents (step 3b). If its SRS is not available, a new one has to be created for the instrument engineers to design, purchase and install the required SIS with its SIL determined through LOPA. After LOPA is done with the validated SIL information (step 4), if the existing safeguards are not enough to reduce the risk level to the tolerable risk criteria of the company, a new safeguard is usually recommended. If the new safeguard is a SIS, the SIL requirement for the SIS should be determined by using LOPA algorithms and its SRS has to be developed (step 5, 6) thereafter. Before the new SIS is installed, its SIL has to be validated (step 7). Unfortunately many SIS systems have been designed and installed without going through the above workow procedure. Therefore, many installed safety instrumented systems may not provide sufcient protection, and few people in the CPI are even aware of this hidden hole. In this integration framework, although HAZOP is the selected PHA method, other PHA approaches can also t into this framework without loss of generality. It should also be noted that HAZOP, LOPA, SRS and SIL validation can all be done separately no matter when they are needed. However, by adopting this integration strategy, PHA quality can be improved while this best practice can be followed by using the integration software platform HASILT that is described next.

4. HASILT 4.1. Knowledge management Knowledge management comprises a range of strategies and practices used in an organization to identify, create, represent,

distribute and enable adoption of insights and experiences. These insights and experiences comprise knowledge, either embodied in individuals or embedded in organizations as processes or practices. With the rapid development in information technology, many international companies have developed business knowledge management systems such as enterprise resource planning systems. If it can work for business then it can work for process safety and there is clearly a need for process safety knowledge management systems to improve the effectiveness and efciency of PSM activities and prevent major chemical accidents. To facilitate the proposed PHA workow described in Section 2 and the knowledge management for the steps in the workow, a new software platform named HASILT has been developed. HASILT coded in the Java environment has its roots in the PetroHAZOP/HAZOPSuite strategies developed by Zhao et al. [5]. Its main graphical user interfaces are shown in Fig. 2 and its architecture is shown in Fig. 3. The main feature of PetroHAZOP is a case based reasoning (CBR) technology that automatically provides its users with similar HAZOP cases done before. HASILT enhances this idea of PetroHAZOP by using CBR in developing a new SRS and recommending a SIS that could satisfy the SIL requirement. Knowledge about the risk assessment and SIS implementation is managed in the system as cases aided by the enhanced CBR technology. The HASILT system can provide the users useful messages, called Intelligent Tips, automatically during the individual analysis process. For HAZOP analysis, a similar case means a similar HAZOP deviation on a similar process node [5]. By using the CBR technology, HAZOP analysis can be done in the HAZOP subsystem according to the workow shown in Fig. 4 which is derived from PetroHAZOP [5]. For SRS specication and SIL validation, a similar case means a similar SIFs details. Users can utilize the history data easily without any additional effort. The data inputted into the system during the analysis is also stored

Fig. 2. Main graphical user interfaces.

60

L. Cui et al. / Reliability Engineering and System Safety 108 (2012) 5664

Core subsystems HAZOP study subsystem LOPA subsystem SRS subsystem SIL validation subsystem

Auxiliary subsystems

Reporting subsystem Action item tracking subsystem

Extendable generic data libraries

Miscellaneous data libraries

Knowledge base

LOPA initial event library

LOPA IPL library

SIS component library

User management subsystem

HAZOP case base

LOPA case base

Validated SIF case base

PSI management subsystem

Fig. 3. System architecture.

Fig. 4. The PetroHAZOP workow (Zhao et al. [5]).

and automatically reorganized as new cases, which provides the case-base with the ability of self-extension or self-learning. 4.2. System architecture The architecture of HASILT consists of core subsystems, auxiliary subsystems, a knowledge (case) base and some extendable generic data libraries. Fig. 3 demonstrates the interactions between these main components. In HASILT, the HAZOP study subsystem, the LOPA subsystem, the SRS subsystem, SIL validation subsystem are dened as its core subsystems while the reporting subsystem, action item tracking subsystem, user management subsystem and process safety information (PSI) management subsystem are dened as its auxiliary subsystems. There are also four libraries and three case-bases for different purpose. As the users cannot access the libraries and case-bases directly, there is no need to introduce them separately. The four core subsystems, respectively, undertake the tasks of HAZOP analysis, LOPA analysis, SRS specication and SIL

validation. The four subsystems all have data import and export interfaces which are used to transfer data among relevant subsystems. The user can open the subsystems simultaneously and switch from one to another. The integrated framework described in previous section is implemented by those four subsystems mainly. The four auxiliary subsystems have been developed to facilitate the core subsystems. The user manager subsystem implements role-based access controls, which are necessary for a multiple users within a corporation. Customizable MS Word, Excel and/or PDF reports of HAZOP, LOPA, SRS and SIL validation can be generated in the reporting subsystem. PSI is a critical base for risk management. PSI including MSDS database, equipment database, Piping and Instrumentation Diagrams (P&IDs) and so on can be stored and managed and viewed through the PSI management subsystem. Recommendations given in HAZOP, LOPA, SRS and/or SIL validation are all managed and monitored by the Action Item Tracking (AIT) subsystem. There are increasing trends in overdue PSM action items, and many accidents could have been prevented

L. Cui et al. / Reliability Engineering and System Safety 108 (2012) 5664

61

if all recommended PHA action items were timely and properly addressed. Therefore, this AIT subsystem has been designed to be open so that recommended action items generated from PHA activities can also be managed. As the libraries and the case bases will expand along with the usage of the system, the information and knowledge generated during HAZOP studies, LOPA, SRS development and SIL validation will accumulate. As described above, CBR is adopted in the whole platform which facilitates knowledge management and reuse. 4.3. The workow details According to the workow in Fig. 1, for simple scenarios, the HAZOP team can assign the severity and likelihood values based on their experiences. However, for complex scenarios or those scenarios with severe consequences, the HAZOP team or another team or person in charge of LOPA can directly load those scenarios into the LOPA subsystem to perform LOPA. To help determine the frequency of an initiating event, users can check the extendable initiating events library to retrieve a reference value. Plant specic information though can still be used to revise this value, and this revised value can be stored in the initiating events library through authorization. Similarly, to help determine the IPLs reliability data, probability of failure in demand (PFD), users can utilize the extendable IPL library. If an IPL is a SIS, for a newly designed process where the SISs have not been purchased, the SIL information can be retrieved from its SRS in the SRS case base. If its SRS is not available in the SRS case base, it has to be developed by using the SRS subsystem, which is discussed below. For an installed or a purchased SIS, the LOPA subsystem will automatically check if its SIL has been validated. If not, the LOPA user will be prompted to have its validation done before continuing LOPA. Then an SIL validation expert might be invited to complete the SIL validation by using the SIL validation subsystem. In the SIL validation subsystem, the standard Markov modeling algorithm [29], realized as an independent calculation module in the SIL subsystem, is used for SIL validation. The SIS component information used in SIL validation can be stored in the SIS component library. In the miscellany data library, there are several databases used by the HAZOP subsystem and the LOPA subsystem for risk assessment, such as risk matrices, general chemicals Material Safety Data Sheets (MSDS) database, etc. The output information from the LOPA subsystem includes the likelihood of the analyzed HAZOP scenario, the required SIL that meets the companys tolerable risk criteria and some risk reduction recommendations. As there are data sharing relationships between the HAZOP analysis and LOPA, after accomplishing LOPA on one scenario, some of the updated LOPA information can be automatically fed back to the original HAZOP worksheet from which the initial LOPA scenario is generated. For example, since the safeguards are discussed more carefully in LOPA rather than in HAZOP, all of the safeguards including the IPLs in the LOPA worksheet can be lled back into the Safeguards column in the HAZOP worksheet. The mitigated scenario frequency in the LOPA worksheet corresponds to the AL column in the HAZOP worksheet which also means mitigated frequency in HAZOP analysis. On the other hand, the output information from LOPA can also be used to initialize a SRS worksheet in the SRS subsystem for further development when a new SIS is recommended or an existing SIS needs to be changed based on the LOPA results. The newly developed SRS will be added to the SRS case base and the SRS changes need to be documented too. During the SRS development, CBR is used to retrieve similar old SRSs from the SRS case base. The case similarity includes the process type similarity, the process input measurement type similarity, and the process output type similarity. When the SRS information is shared throughout a corporation for similar processes, best practices can be

summarized resulting in further cost savings and in the minimization of inconsistencies from one site to another [30]. After a new or changed SRS has been developed, the corresponding SIS can be designed or redesigned. Before the plant is built, the SIS components incorporated into the SIS need to be validated so that it can be conrmed that the plant is properly protected. In this nal validation process, the actual parameters for the exact components including the maintenance testing frequencies are used to validate the SIS. This nal validation can be done with the SIL validation subsystem again, and all information of the SIS components can be stored in the SIS component library, and information of validated SISs can be stored in the validated SIF case base. The cases in the validated SIF case base can be used for giving recommendation after SIL validation is done. For example, when a SIF fails in the SIL validation, the user can search this case base for a SIF with more proper structure and component parameters.

5. A case study The Hexane Storage Tank example (Fig. 5) from the CCPSs LOPA guidance book [20] is used here to illustrate how HASILT works. Hexane ows from another process unit (not shown) into a hexane surge tank. The hexane supply pipeline is always under pressure. The surge tank level is controlled by a level control loop (LIC-90) that senses the level in the tank and throttles a level valve (LV-90) to control the level. Hexane is used by a downstream process (also not shown). The LIC loop includes a high level alarm (LAH-90) to alert the operator. The tank normally operates half full; the total tank capacity is 80,000 lbs of hexane. The tank is located in a dike that can contain up to 120,000 lbs of hexane. Suppose the HAZOP team identies the cause and consequence of the deviation High level shown in Fig. 6 and gives a recommendation to install a SIS to shutoff the inlet ow on highhigh level of T-401. Since its consequence is severe, a LOPA session can be continued by clicking on the LOPA button on the right hand side of the scenario on the HAZOP worksheet. The cause, the consequence, the consequences severity and the existing safeguards of this deviation are automatically lled in the columns of Initiating Events, the Description of Consequence, the Severity of Consequence and the Non-IPL Safeguards on the LOPA worksheet for initialization (Fig. 7). The system cannot distinguish the IPLs from protection layers (PLs), therefore the safeguards specied in HAZOP worksheet are all imported into the LOPA worksheets as Non-IPLs. Then the LOPA analyst has to

Fig. 5. Hexane surge tank drawing (CCPS, [20]).

62

L. Cui et al. / Reliability Engineering and System Safety 108 (2012) 5664

Fig. 6. The HAZOP worksheet of the high-level deviation.

Fig. 7. The LOPA worksheet with imported data from HAZOP.

Fig. 8. The completed LOPA worksheet.

L. Cui et al. / Reliability Engineering and System Safety 108 (2012) 5664

63

Fig. 9. The SRS worksheet. It is the screen snapshot of the SRS user interface of the HASILT system.

manually move the IPLs from the Non-IPL Safeguards column to the column of Description of IPL. With the help of the Extendible Initiating Event database and the plant-specic information, the LOPA analyst can enter the initiating events frequency value. After the LOPA analyst types in the conditional modiers and their frequency values, the frequency of the unmitigated consequence (2.5 10 2/year) can be automatically calculated by the HASILT. With the help of the Extendible IPLs PFD database, the LOPA analyst can enter the dikes PFD value. In this case, no SIS exists yet. So, it is not necessary to do SIL validation before LOPA. Once the PFD of each IPL is entered, the Total PFD (1 10 2) and the frequency of the Mitigated Event (2.5 10 4/year) can be automatically obtained through HASILT (Fig. 8). Based on the risk criteria of the plant (maximum tolerable risk of a fatal injury is o 10 5 per year), the SIF requirement is therefore SIL-2 (Fig. 8). With this requirement, the SRS can be developed by clicking on the SRS button (Fig. 8) on the worksheet of LOPA in HASILT. The SRS worksheet is shown in Fig. 9. The SRS can then be printed through HASILT and passed onto the design team to design the required SIS. Before the SIS is implemented, its value can be validated by using HASILT again once its parameters are input into HASILT (the worksheet is shown in Fig. 10, the calculated PFD graph is also shown in the gure) where b represents common cause failure factor, lDD represents failure rate of dangerous detected, lDU represents failure rate of dangerous undetected, lSD represents failure rate of safe detected, lSU represents failure rate of safe undetected, TI represents test interval, CTI represents test coverage rate, TSD represents startup time, LT represents SIF living time and MTTR represents mean time to restoration. The parameters listed above are dened by the standard IEC 61508 [31]. In this case, the implemented SIS satises the SIL requirement determined by the LOPA.

Fig. 10. The SIL validation worksheet and result graph.

6. Conclusions As the widely adopted risk identication method and risk assessment method, respectively, HAZOP and LOPA are often used successively in industrial practices. The SRS specication and SIL validation are among the nal steps of risk reduction. In order to facilitate the whole workow from risk identication to SIL validation, reduce the costs, ensure the data consistency and

manage the knowledge, a new integrated framework that integrates HAZOP study, LOPA, SRS and SIL validation is presented in this paper with a new PHA workow. The intelligent software platform HASILT for facilitating the new PHA workow is developed and demonstrated through a case study. Since relevant knowledge is represented with cases stored in a central case base, knowledge management which has been recognized as a core problem in loss prevention is also realized through this platform. Recently HASILT has been installed in a server of an Information Technology department of China National Petroleum Corporation (CNPC). We will focus on solving the practical problems that may rise during the widespread usage of the platform within the corporation.

Acknowledgements The authors gratefully acknowledge nancial supports from the National Basic Research Program of China (973 Program, Grant No. 2012CB720500) and CNPC.

64

L. Cui et al. / Reliability Engineering and System Safety 108 (2012) 5664

References
[1] William BL, Mostia J. Got a risk reduction strategy? Journal of Loss Prevention in the Process Industries 2009;22(6):77882. [2] Luo H. The effectiveness of U.S. OSHA process safety management inspectiona preliminary quantitative evaluation. Journal of Loss Prevention in the Process Industries 2010;23(3):45561. [3] Pasman HJ. Learning from the past and knowledge management: are we making progress? Journal of Loss Prevention in the Process Industries 2009; 22(6):6729. [4] Knegtering B, Pasman HJ. Safety of the process industries in the 21st century: a changing need of process safety management for a changing industry. Journal of Loss Prevention in the Process Industries 2009;22(2):1628. [5] Zhao JS, Cui L, Zhao LH, Qiu T, Chen BZ. Learning HAZOP expert system by case based reasoning and ontology. Computers & Chemical Engineering 2009;33(1):3718. [6] Bingham K and Goteti P, Integrating HAZOP and SIL/LOPA analysis: best practice recommendations, ISA 2004, Houston, TX, October 57,2004. [7] Kletz T A, Hazop and Hazanidentifying and assessing Process Industry Hazards, 3rd ed., Institution of Chemical Engineers, Rugby, 1992. [8] Kletz T A. Hazoppast and future. Reliability Engineering & System Safety 1997;55(3):2636. [9] Khan FI, Abbasi S A. Mathematical model for HAZOP study time estimation. Journal of Loss Prevention in the Process Industries 1997;10(4):24957. [10] Vaidhyanathan R, Venkatasubramanian V. Digraph-based models for automated HAZOP analysis. Reliability Engineering & System Safety 1995;50(1): 3349. [11] Venkatasubramanian V, Zhao JS, Viswanathan S. Intelligent systems for HAZOP analysis of complex process plants. Computers & Chemical Engineering 2000;24(910):2291302. [12] Bartolozzi V, Castiglione L, Picciotto A, Galluzzo M. Qualitative models of equipment units and their use in automatic HAZOP analysis. Reliability Engineering & System Safety 2000;70(1):4957. [13] Palmer C, Chung PWH. An automated system for batch hazard and operability studies. Reliability Engineering & System Safety 2009;94(6):1095106. [14] Kletz TA. The origins and history of loss prevention. Process Safety and Environmental Protection 1999;77(3):10916. [15] Marhavilas PK, Koulouriotis D, Gemeni V. Risk analysis and assessment methodologies in the work sites: on a review, classication and comparative [16]

[17] [18] [19] [20]

[21] [22] [23] [24] [25] [26] [27]

[28] [29]

[30]

[31]

study of the scientic literature of the period 20002009. Journal of Loss Prevention in the Process Industries 2011;24(5):477523. Khan FI, Abbasi SA. Techniques and methodologies for risk analysis in chemical process industries. Journal of Loss Prevention in the Process Industries 1998;11(4):26177. Arendt JS and Lorenzo, DK Evaluating process safety in the chemical industry: a users guide to quantitative risk analysis, CCPS, New York, 2000,p. 3140. Clifton A Ericson II, Hazard analysis techniques for system safety, WileyBlackwell, English, 2005. Rothschild M. Fault tree and layer of protection hybrid risk analysis. Process Safety Progress 2004;23(3):18590. Center for Chemical Process Safety (CCPS), Layer of protection analysis: simplied process risk assessment, American Institute of Chemical Engineers, New York. 2001. Arthur M, Dowell III. Layer of protection analysis for determining safety integrity level. ISA Transactions 1998;37:15565. rez John PE. Improved integration of LOPA with HAZOP Baum D, Faulk N, Pe analyses. Process Safety Progress 2009;28(4):30811. Bridges WB, Clark T. Key issues with implementing LOPA. Process Safety Progress 2010;29(2):1037. Dowell AM, William TR. Layer of protection analysis: generating scenarios automatically from HAZOP data. Process Safety Progress 2005;24(1):3844. Paris S, Kumar B. Safety instrumented functions and safety integrity levels (SIL). ISA Transactions 1998;37:33751. Hokstad P, Corneliussen K. Loss of safety assessment and the IEC 61508 standard. Reliability Engineering & System Safety 2004;83(1):11120. Oliveira LF, Abramovitch RN. Extension of ISA TR84.00.02 PFD equations to KooN architectures. Reliability Engineering & System Safety 2010;95(7): 70715. Guo H, Yang X. A simple reliability block diagram method for safety integrity verication. Reliability Engineering & System Safety 2007;92(9):126773. Guo HT, Yang XH. Automatic creation of Markov models for reliability assessment of safety instrumented systems. Reliability Engineering & System Safety 2008;93(6):82937. Summers A, 2000. Safety requirements specication in a capital project environment, Control Engineering Online, Available on /www.controleng. com/index.php?id=483&cHash=081010&tx_ttnews[tt_news]=112S. International Electrotechnical Commission(IEC), Functional safety of electrical/ electronic/programmable electronic safety-related systems( IEC 61508), IEC,1999.