Data Transfer from Hazard and Operability (HAZOP) to Layer of Protection Analysis (LOPA)
Research, April 2015
DOI: 10.13140/RG.2.1.1320.4007

1 AUTHOR:
Muhammad Nawaz
Teesside University

Data Transfer from HAZOP to LOPA


Summer Placement at Jacobs Process
Nawaz, Muhammad
L1199568@tees.ac.uk

7/26/2013

Preface
This report is the result of my six-week placement at JACOBS Engineering. JACOBS is one of the
world's largest and most diverse providers of technical, professional and technical services. Very
special thanks to Simon Clark, who has been very helpful with thorough guidance throughout my 6
weeks placement and provided me with enough information to write my final report. Gratitude must be
expressed towards my supervisor Richard Foreman, who has provided me with helpful information on
HAZOP and LOPA from a practical perspective.
Muhammad Nawaz
26/07/2013

Contents
Objective
1 Introduction
  1.1 Introduction to HAZOP
  1.2 Introduction to LOPA
  1.4 Relation to International Electrotechnical Commission (IEC) 61508 & 61511
Methods in Determining Safety Instrumented Layers (SILs)
LOPA
  3.1 Explanation of terms
    3.1.1 Process Deviation
    3.1.2 Impact event
    3.1.3 Initiating cause
    3.1.4 Scenario
    3.1.4 Protection layers vs. independent protection layers
    3.1.4 Conditional Modifiers
    3.1.5 Intermediate event likelihood
    3.1.6 Mitigated event likelihood
  3.2 Different Approaches in Literature for LOPA
  3.3 Probability of Failure on Demand for different Independent Protection Layers
Interface with HAZOP
  4.1 JACOBS HAZOP and LOPA Interface
  4.3 Consultancy Spread sheet Vs. Manchester site LOPA sheet
  4.3 General method to transfer data from HAZOP to LOPA
  4.4 Recommended LOPA approach
  4.5 Comparison between Consultancy spread sheet Vs. Aker Solution spread sheet
  4.6 Example LOPA
5 Jacobs Issues and Software Specification
  5.1 HAZOP Issues
  5.2 Recommendations
  5.3 HAZOP and LOPA programme specification
  5.4 Illustration of Software Programme (Provided by Aker Solution)
    Step 1 - HAZOP
    Step 2 - Retrieve initiating cause frequency
    Step 3 - Retrieve IPL PFDs
    Step 4 - Calculation
    Step 5 - SIL selection
    Comments to the illustrated software program
6 Commercial available software
  6.1 Decision Analysis
  6.2 Recommended Software
7. Conclusion
References
Abbreviations
Appendix

Objective
The objective of this report is to thoroughly understand the JACOBS HAZOP and LOPA methods, identify
all the issues in the HAZOP and LOPA worksheets, and suggest recommendations to further improve the
software programme which carries out the HAZOP and LOPA studies. As part of this, the following
steps will be covered:
- How data is transferred from HAZOP to LOPA
- JACOBS HAZOP and LOPA data mapping
- A literature survey and discussion of the different approaches available in the literature
- The best LOPA approach to determine Safety Instrumented Layer (SIL)
- Comparison between the consultancy spread sheet and the Manchester LOPA spread sheet
- LOPA programme specifications
- Illustration of software provided by Aker Solution
- Different software available in the market and recommended software

Introduction

1.1 Introduction to HAZOP


A Hazards and Operability (HAZOP) study is a structured and systematic approach to identify the
potential hazards involved in a process and to make sure that the plant is safe and practically
operable. HAZOP is a cause-based method performed by a multidisciplinary team. HAZOP meetings and
sessions are carried out by the chairman, secretary and team members with process experience. The
Piping and Instrumentation Diagram (P&ID) is divided into nodes, and each node is evaluated with a
set of guide words and process deviations, which lead to initiating causes; consequences are the
results of the deviations. Safeguards are intended to reduce the frequency of the causes and to
mitigate the consequences.

1.2 Introduction to LOPA


How many safeguards are needed to protect the process from impact events, and what integrity level
should be chosen for the Safety Instrumented (Interlock) System (SIS)? A new Process Hazards Safety
(PHA) tool called Layer of Protection Analysis (LOPA) focuses the risk reduction effort on the
impact event and provides a rational basis for allocating risk reduction resources efficiently. It is
a consequence-based method: it starts from the HAZOP output and suggests screening values and a
methodology to account for the further risk reduction provided by each safeguard. The mitigated risk
for an impact event can be compared with the client's criteria for unacceptable risk. Additional
Independent Protection Layers (IPLs) can then be added, and the required safety integrity level
(SIL) for the SIS can be determined.

1.4 Relation to International Electrotechnical Commission (IEC) 61508 &61511


Safety Instrumented System (SIS) requirements are described in the IEC 61508 and 61511 standards.
(Hoyland, 2004) describes an SIS as sensor(s), a logic solver and actuating items providing
independent protection for machinery and equipment. What the safety system shall protect is referred
to as the equipment under control (EUC) and is defined as equipment, machinery and apparatus used
for manufacturing process, transport, medical or other activities. An SIS implements Safety
Instrumented Functions (SIFs) to give the system enough protection against risk; their function is
to achieve sufficient risk reduction in compliance with the IEC requirements. A SIF can now be
defined as a function implemented on one or more SIS. Usually an SIS realizes a number of SIFs
(Schonbeck, 2005).
Safety integrity is the probability of safety-related systems performing all the safety functions
under all conditions, within a period of time. Safety Instrumented Layers (SILs) determine the
potential risks for people, devices, process or operation in case of malfunction. SILs are
classified from SIL1 to SIL4 and defined by Probability of Failure on Demand (PFD), where PFD is the
average unavailability of an item. A protection layer is considered a safety barrier. When
evaluating SIL requirements, the system has to be classified as high demand of operation or low
demand of operation. A high-demand system is one with a continuous mode of operation, and its PFD is
usually defined per hour; systems that are not used frequently are referred to as low-demand
systems, and their PFD is normally expressed per year. RRF stands for Risk Reduction Factor. The
tables below show the average PFDs following the IEC 61508 standard.
Table 1.1: average PFD for a safety function in a low-demand system

| SIL | PFD (low) | RRF |
|---|---|---|
| 1 | 10^-1 - 10^-2 | 10-100 |
| 2 | 10^-2 - 10^-3 | 100-1000 |
| 3 | 10^-3 - 10^-4 | 1000-10,000 |
| 4 | 10^-4 - 10^-5 | 10,000-100,000 |

For continuous operation (high demand system), these change to the following (Probability of
Failure per Hour):

| SIL | PFD (high) | RRF |
|---|---|---|
| 1 | 10^-5 - 10^-6 | 100,000-1,000,000 |
| 2 | 10^-6 - 10^-7 | 1,000,000-10,000,000 |
| 3 | 10^-7 - 10^-8 | 10,000,000-100,000,000 |
| 4 | 10^-8 - 10^-9 | 100,000,000-1,000,000,000 |

Methods in Determining Safety Instrumented Layers (SILs)

There are several methods available to determine SIL. Organizations have helped engineers by
developing these tools to estimate the process risk and convert it to a required SIL. Both
quantitative and qualitative approaches may be applied. In qualitative methods the parameters used
as the decision basis are subjective and estimated by expert judgement. Quantitative methods
describe the risk by calculation, and the numerical value is then compared with the target values.
Which method is applied depends primarily on whether the necessary risk reduction is specified in a
numerical or a qualitative manner. The scope and extent of the analysis are also influencing
factors. Even if the assignment method is qualitative, the SIL is always quantified by a numerical
value. These methods include the quantitative method in IEC 61511, the risk matrix, the safety layer
matrix, the OLF 070 guidelines, risk graphs and calibrated risk graphs, and layer of protection
analysis (LOPA). At this stage I will only focus on LOPA; details of the other methods and their
procedures to determine SIL can be found at (http://ieeexplore.ieee.org).

LOPA

LOPA was introduced in the 1990s and has become more popular all over the world. LOPA is a
semi-quantitative method that uses numerical categories to estimate the parameters needed to
calculate the necessary risk reduction corresponding to the acceptance criteria (CCPS, 2001). LOPA
can be viewed as a special type of event tree analysis (ETA) whose purpose is to determine the
frequency of an unwanted consequence that can be prevented by a set of independent protection
layers. The frequency of the unwanted consequence is calculated by multiplying the PFDs by the
demand on the protection layers. Comparing the resultant frequency with the tolerable frequency
identifies the required risk reduction, from which the required SIL can be calculated. The system
has protection layers including the Basic Process Control System (BPCS), critical alarms, human
intervention, SIFs, physical protection and emergency response, as shown in Figure 1.

Figure 1: Independent Protection Layers (IPL)

The BPCS is used during normal operation. Input signals from the process or the operator are
converted into process outputs which make the process operate in the designed manner. For example,
if the process input signals high pressure, the BPCS may initiate action by stabilizing the
temperature (CCPS, 2001).
An alarm monitoring certain parameters (e.g. temperature and pressure) is considered another
protection layer. An operator may intervene to stop the hazardous event if the alarm is tripped.
Note that the alarm system has to be wired to a different loop from the BPCS in order to be
independent.

3.1 Explanation of terms


Authors use different terms in LOPA, for example hazardous event, scenario development and impact
event. This makes it confusing to understand what these terms mean and how they are applied. Does
an impact event include cause and consequences? What is an impact event compared to an accidental
event? What is an independent protection layer? This section clarifies these questions.

3.1.1 Process Deviation


An event or chain of events that may cause loss of life or damage to health, the environment or
assets. In the HAZOP study an accidental event is referred to as a process deviation.

3.1.2 Impact event


(CCPS, 2001) describes an impact event as the ultimate potential result of a hazardous event. The
impact may be expressed in terms of injuries or fatalities, environmental or property damage, or
business interruption. According to IEC 61511, an impact event in LOPA is the same as a consequence
in the HAZOP study. This implies that an impact event is the unwanted consequence of the hazardous
or accidental events which are referred to as process deviations. An example is an explosion due to
overpressure of a separator: the impact event is the explosion due to overpressure of the
separator, and the process deviation could be high pressure upstream of the separator.

3.1.3 Initiating cause


The initiating causes are the reasons why the process deviation occurs, not the most basic
underlying root-causes. The initiating causes are the results of the root causes. CCPS presents three
types of initiating causes: External events, equipment failures and human failure. External events are
earthquakes, hurricanes and other external shocks. Equipment failures are control system failures or
mechanical failures. Human failures are either error of commission (failure to observe or respond
appropriately) or error of omission.

3.1.4 Scenario
According to (CCPS, 2001) a scenario describes a single cause-consequence pair from the HAZOP. In
LOPA terminology this is a single initiating cause-impact event pair. This implies that a scenario
consists of more than just the impact event. But should a scenario not comprise even more? A more
appropriate definition of a scenario would include more than one cause. The scenario definition is
extended to describe the development from a process deviation to an impact event, including the
causes leading to the process deviation.

3.1.4 Protection layers vs. independent protection layers


The term protection layer was defined by IEC 61511. What is the difference between a PL and an
IPL, and is the definition appropriate? According to IEC 61511 an IPL must have the same inherent
characteristics. In addition it must provide at least 100-fold of risk reduction (not 10 as for a PL) and
have functional availability of at least 0.9 (IEC 61511, 2003). These definitions seem confusing. From
the point of view of IEC 61511 an IPL is just a PL with stricter requirements to availability and degree
of risk reduction. A definition of PL in CCPS (2001) is rewritten to: system or action that is capable of
preventing a process deviation from proceeding to the end consequence. Subsequently an IPL is
defined as a PL that is capable of preventing a process deviation from proceeding to the end
consequence, regardless of other PLs associated with the same impact event - initiating cause pair,
and of the initiating event.

3.1.4 Conditional Modifiers


In some scenarios there are other factors which are neither causes of failure nor protection
layers. For example, in the case of fire:
- Probability for Ignition
- Probability of Presence of People
- Probability of Escape or Incidence
These factors are called conditional modifiers and reduce the frequency of unmitigated events.

3.1.5 Intermediate event likelihood


The intermediate event is the occurrence of the end-consequence with the existing/planned
protection layers in place, but without the SIF under consideration. The intermediate event
likelihood is the frequency per year of the occurrence of this event. It is calculated by multiplying the
initiating event likelihood by the PFDs of the protection layers and mitigating layers. Inherently safer
design should be considered before new SIFs are introduced.

3.1.6 Mitigated event likelihood


The mitigated event is the occurrence of the end-consequence with all protection layers in place,
including the proposed SIF. The mitigated event likelihood is the frequency per year of the
occurrence of this event.

3.2 Different Approaches in Literature for LOPA


Many similarities can be found among the approaches and methodologies presented in the literature.
(Summers, 2003) and (Wharton, 2006) have presented flowcharts, while International Electrotechnical
Commission (IEC) 61511 uses a worksheet as the basis for its methodology (see Appendix 5). The
Centre for Chemical Process Safety (CCPS, 2001) presents a diagram explaining the LOPA steps. Among
those standards and methods, these are the most common steps that everyone has in their own LOPA
method:
- Documentation of the hazards analysis
- Development of scenario or impact events
- Identification of initiating causes
- Determination of Independent Protection Layers (IPLs)
- Quantification (cause frequency/likelihood and Probability of Failure on Demand (PFD))
- SIL determination and target risk evaluation
Most approaches take information from previous studies to identify risk and to form a basis for the
next step. The major differences between most of the approaches are the use of terms, the order of
the sequence and the intended application in HAZOP and LOPA. For example, in our consultancy sheet
we use Hazardous Event and Scenario Development for consequences, whereas others simply use the term
Consequence. Some others use a screening tool and/or suggest LOPA as part of their total
methodology. (Ellis & Wharton, 2006) suggested a close relationship between LOPA and other methods.

[Figure 3: extract of SIL determination methodology from Ellis and Wharton 2006. Flowchart boxes:
Select Consequence level (CA, CE); Select Occupancy (F), Avoidance (P) and Demand (W) values;
Determine SIL using Risk Graph; Determine SIL using LOPA; Determine SIL using FTA. Outcomes: SILa
(Ungraded); SIL 1; SIL 2; Redesign Process.]
In the above figure the consequence of the impact event is chosen and classified, and LOPA is used
if there is a high level of Consequence (CE); if not, a risk graph is used, which results in SIL1.
This is documented as the final SIL, but if the risk graph results in a higher SIL, say SIL2 or 3,
LOPA is suggested in those cases. Fault Tree Analysis (FTA) is used if LOPA concludes SIL3-4. If FTA
concludes SIL3 to 4, then redesign is needed to reduce the level of risk or the event likelihood.

3.3 Probability of Failure on Demand for different Independent Protection Layers


Table 2: PFDs for IPLs, adopted from CCPS (2001)

| Independent Protection Layers (IPLs) | Probability of Failure on Demand (PFDs) |
|---|---|
| BPCS, if not associated with the initiating event being considered | 1*10^-1 |
| Operator alarm with sufficient time available to respond | 1*10^-1 |
| Relief Valve | 1*10^-2 |
| Rupture Disc | 1*10^-2 |
| Flame / detonation arrestors | 1*10^-2 |
| Dike / bund | 1*10^-2 |
| Underground drainage system | 1*10^-2 |
| Open vent (no valve) | 1*10^-2 |
| Fireproofing | 1*10^-2 |
| Blast-wall / bunker | 1*10^-3 |
| Identical redundant equipment | 1*10^-1 |
| Other events | Use experience of personnel |
| Diverse redundant equipment | 1*10^-1 to 1*10^-2 |
| SIS that typically consist of single sensor, logic and final element | 1*10^-1 to 1*10^-2 (SIL 1) |
| SIS that typically consist of multiple sensors, multiple channel logic and multiple final elements (for fault tolerance) | 1*10^-1 to 1*10^-3 (SIL 2) |
| SIS that typically consist of multiple sensors, multiple channel logic and multiple final elements. Requires careful design and frequent proof tests | 1*10^-1 to 1*10^-4 (SIL 3) |

Interface with HAZOP

4.1 JACOBS HAZOP and LOPA Interface


Appendix 1 shows how data is mapped from HAZOP to LOPA. The Possible causes in the HAZOP sheet are
the initiating causes in the LOPA sheet. If the deviation in the HAZOP sheet is no flow, the Hazards
Event (Consequences) could be high temperature of the effluent system, potentially exceeding the
design temperature of the effluent drain. The Hazards Description in the LOPA would be the same as
in the HAZOP, because the Hazards Events identified in the HAZOP correspond to the Hazards
Description in LOPA. The safeguards identified in HAZOP go to the Independent Protection Layers
(IPL) in LOPA, but note that all IPLs are safeguards while not all safeguards are IPLs. The arrows
indicate how data is mapped and transferred from HAZOP to LOPA.
The HAZOP consequence severity ranking and consequence likelihood can be transferred to the LOPA,
where impact event severity level and initiating event frequency are the applicable terms, with
their associated columns (Dowell and William, 2005). The HAZOP work sheet does not necessarily
include these columns. Whether or not to include the severity level and likelihood of the
consequences depends entirely on the organization. Another possibility is that the HAZOP has
neither, which makes it difficult to know how this part of the HAZOP will interface with the LOPA.
These issues must be evaluated and resolved prior to a LOPA. It is suggested that the same risk
matrix be used for HAZOP and LOPA, with the same risk acceptance criteria.

4.3 Consultancy Spread sheet Vs. Manchester site LOPA sheet


The Manchester site LOPA spread sheet is less validated than the consultancy one, as it is limited
to no more than two initiating events (or causes). By comparison, the consultancy one includes more
detail for each initiating event (IE) and can handle 6 initiating events. Apart from the initiating
events, the same procedure is followed to find the Safety Integrity Level (SIL). The comparison of
the two LOPA sheets is illustrated by a worked example in the Excel sheet (see appendix 4).

4.3 General method to transfer data from HAZOP to LOPA

4.4 Recommended LOPA approach

The recommended LOPA approach is shown in the above figure 1, which explains the sequence of the
data transfer within the LOPA study. This approach is recommended by the IEC 61511 worksheet, as
shown in appendix 5. The terms have been explained in the Explanation of Terms section above. The
following steps should be considered as the best LOPA approach:

[Figure 2: preferred LOPA approach. Flowchart; box labels as extracted:]
- Start
- Develop and Document Risk Acceptance Criteria
- Gather and Document data
- Sufficient data?
- Transform data
- Select impact event
- Screen impact event by consequence (C<Cc)
- Identify initiating causes and determine frequencies of these causes
- Select initiating cause-impact event pair
- Identify IPLs and determine PFDs
- Finish
- Calculate Intermediate Event Likelihood
- If SIL >2 then do QRA, if no then calculate mitigated event likelihood
- Next initiating cause-impact event pair
- Then determine SIL
- Sum up the intermediate event likelihood
- Target risk satisfied? If No

4.5 Comparison between Consultancy spread sheet Vs. Aker Solution spread sheet
The consultancy spread sheet is designed for manual transfer of data from HAZOP to LOPA, whereas the
Aker Solution spread sheet has some features to transfer data automatically, e.g. the consequence
from HAZOP to the impact event description in the LOPA. A yellow tab is shown in the Aker Solution
spread sheet under the impact event description column, which automatically populates the data as
shown in Appendix 6. To transfer data from the HAZOP consequence to the LOPA impact event
description, the words or sentence should be the same; otherwise the computer cannot recognise
different wording, regardless of its meaning. This feature could be built into the consultancy
spread sheet by using a VB macro, which would help to reduce the time needed to transfer data.

4.6 Example LOPA


Initiating causes lead to process deviations, which in turn lead to an impact event that may result
in an end-consequence. To illustrate the fundamentals of a proper LOPA analysis, consider the
situation where a distillation column has an overhead reflux stream. If the relief valve in the
cooling stream is closed, this causes more pressure and high temperature in the distillation column,
which eventually ruptures and causes loss of containment. Two possible causes were identified in the
HAZOP sheet: closed relief valve and reflux pump failure. In addition, 4 Independent Protection
Layers (IPL) were identified, each with its Probability of Failure on Demand (PFD); see figure 1.
The resulting LOPA calculation with SIL is shown in the LOPA sheet (see appendix 4) for the Safety
Instrumented System (SIS).
Figure 1: LOPA table

| Initiating cause | Initiating cause frequency (per year) | Enabling event value (prob/freq) | Independent Protection Layers (IPLs) | Probability of Failure on Demand (PFD) | Mitigated event frequency (per year) |
|---|---|---|---|---|---|
| Reflux valve closed | 0.08 | 1 | Relief valve; Auto Depressurising valve | 0.05; 0.01 | 0.00004 |
| Reflux pump failure | 0.15 | | Auto start spare pump; BPCS low flow pump | 0.1; 0.1 | 0.0015 |

Summed Mitigated Frequency (MF) = 0.00154
Tolerable Frequency (TF) = 0.0001
TF/MF = 0.0001/0.00154
PFD (SIF) = 0.065 or SIL 1 required

The key issue in the spread sheet is that two initiating causes were identified for the same
consequence, and each cause-consequence pair had a unique set of IPLs.

Problems in LOPA analysis arise when HAZOP and LOPA are integrated, that is, performed concurrently
with the same team, which means the team is trying to apply a cause-based approach to both methods.
That approach is only valid for a one-to-one cause-consequence pair; it is inapplicable when there
is more than one cause for the same scenario. The benefits of integrating the methods can only be
fully realized when there is rigorous examination of all causes with the same consequence.
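The calculation in section 4.6, carried through in code as an added example; it is not part of the original report or of any Jacobs or Aker Solution tool. The class and function names are hypothetical, the enabling event value is assumed to be 1 for both causes, and one SIF is assumed to act on both cause-consequence pairs; the SIL bands are the low-demand bands of Table 1.1.

```python
"""LOPA arithmetic for the distillation column example (added illustration)."""
from dataclasses import dataclass, field
from math import prod

# Low-demand SIL bands from Table 1.1: (SIL, lowest PFD, highest PFD).
SIL_BANDS = ((1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4))


@dataclass
class CausePair:
    """One initiating cause - impact event pair with its own set of IPLs."""
    cause: str
    frequency: float                  # initiating cause frequency, per year
    ipl_pfds: dict                    # IPL name -> PFD (independent layers only)
    enabling: float = 1.0             # enabling event value, assumed 1 if not given
    modifiers: dict = field(default_factory=dict)  # conditional modifiers, e.g. ignition

    def __post_init__(self):
        if self.frequency <= 0:
            raise ValueError(f"{self.cause}: frequency must be positive")
        factors = {**self.ipl_pfds, **self.modifiers, "enabling": self.enabling}
        for name, p in factors.items():
            if not 0.0 < p <= 1.0:
                raise ValueError(f"{self.cause}: {name} must be in (0, 1], got {p}")

    def intermediate_frequency(self) -> float:
        """Frequency per year with the existing layers, without the SIF (3.1.5)."""
        return (self.frequency * self.enabling
                * prod(self.ipl_pfds.values()) * prod(self.modifiers.values()))


def summed_intermediate_frequency(pairs) -> float:
    """Sum over every cause that leads to the same impact event.

    Section 4.6 labels this figure 'Summed Mitigated Frequency (MF)'.
    """
    return sum(p.intermediate_frequency() for p in pairs)


def required_sif_pfd(pairs, tolerable: float) -> float:
    """PFD the SIF must achieve: tolerable frequency / summed frequency."""
    return tolerable / summed_intermediate_frequency(pairs)


def sil_for_pfd(pfd: float) -> int:
    """Map a required PFD to a SIL; 0 means no SIL-rated SIF is needed."""
    if pfd >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    raise ValueError("required PFD is below the SIL 4 band: redesign the process")


def mitigated_frequency(pairs, sif_pfd: float) -> float:
    """Frequency per year with all layers in place, including the SIF (3.1.6)."""
    return summed_intermediate_frequency(pairs) * sif_pfd


# Values from the LOPA table of the worked example.
TOLERABLE_FREQUENCY = 1e-4
EXAMPLE_PAIRS = [
    CausePair("Reflux valve closed", 0.08,
              {"Relief valve": 0.05, "Auto depressurising valve": 0.01}),
    CausePair("Reflux pump failure", 0.15,
              {"Auto start spare pump": 0.1, "BPCS low flow pump": 0.1}),
]

if __name__ == "__main__":
    for pair in EXAMPLE_PAIRS:
        print(f"{pair.cause}: {pair.intermediate_frequency():.5f} per year")
    pfd = required_sif_pfd(EXAMPLE_PAIRS, TOLERABLE_FREQUENCY)
    print(f"summed: {summed_intermediate_frequency(EXAMPLE_PAIRS):.5f} per year")
    print(f"required SIF PFD: {pfd:.3f} -> SIL {sil_for_pfd(pfd)}")
    # Judged alone, the first pair is already below the tolerable frequency;
    # only the sum over both causes shows that a SIL 1 function is required.
    alone = required_sif_pfd(EXAMPLE_PAIRS[:1], TOLERABLE_FREQUENCY)
    print(f"first pair alone: SIL {sil_for_pfd(alone)}")
```
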

5 Jacobs Issues and Software Specification


5.1 HAZOP Issues
In each scenario there are a number of identical Scenario Development/hazardous events for different
initiating causes, as shown in the HAZOP sheet (see Appendix 1) for the Flash Vessel. For example,
in scenarios 1 & 2, two initiating causes (inlet valve closed and outlet valve closed from the tank)
lead to the same scenario development (consequence), i.e. no biofuel coming for the Chip Plant
because of incorrect position of valves or valves shut down. There are a number of identical
scenarios for different initiating causes, as shown by the yellow highlighted area in appendix 3,
where scenario 127 is the same as scenario 90 in the HAZOP sheet. It is difficult and time-consuming
to find identical scenarios all over the HAZOP sheet when applying LOPA to it.

5.2 Recommendations
- This problem could be overcome by using a combination of keywords and listing all the typical
  causes for a deviation, grouped under the relevant keyword combinations (i.e. no flow, more
  pressure etc.). In other words, there is a listing of all the potential problems caused by FLOW NO
  or MORE PRESSURE etc. During the HAZOP review, if the team is having a problem in identifying the
  potential deviations, the causes database can easily be interrogated. The database may easily be
  amended or expanded so that it becomes a repository of information that can be accessed during the
  study. The program will automatically display the page that is relevant to the keyword
  combination. OR
- Create a spread sheet for the most common causes and consequences and link it with the HAZOP
  software, so that if the same problems come up you can go into the spread sheet and choose via
  hyperlink instead of inputting the data each time. OR
- Build a separate table in the HAZOP software to list scenario numbers and descriptions. OR
- Buy new software from vendors which has data mapping features.

5.3 HAZOP and LOPA programme specification

The best approach to transfer data is to conduct HAZOP and LOPA separately, with the HAZOP
conducted first followed by the LOPA, but adapted to each other to enable a better interface. If
the HAZOP and LOPA are performed by an integrated software tool, several of the phases in figure 1
will be performed automatically, for example data gathering, transformation of data and
documentation. Specifications are vital to make a consistent and thorough software program. These
include what exactly the program has to do and what characteristics it needs in order to make the
calculation easier and reduce the time spent applying LOPA.
The specification of the proposed HAZOP/LOPA program is as follows:
- HAZOP work sheet cells equal to the LOPA work sheet cells, with automatic transfer of data. This
  applies to:
  - HAZOP consequence = LOPA impact event (Hazardous event)
  - HAZOP possible causes = LOPA initiating events
  - HAZOP consequences likelihood and severity level = LOPA initiating events frequency and severity
    level, which might be adjusted later
- Calculate results based on the data:
  - Intermediate/mitigated event likelihood
  - Safety Instrumented Layers (SILs)
- Provide a database with risk assessment criteria
- Interface with additional databases:
  - Initiating cause frequency
  - Probability of Failure on Demand (PFDs)
- Automatically include risk acceptance criteria in the calculation
- User interface quality assurance:
  - Interactive SIL selection which allows the users to select a SIL by clicking and see the impact
    on the mitigated event likelihood on the screen
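One way the data transfer in this specification could look, as an added example that is not code from the report, Jacobs or Aker Solution. The HAZOP rows are constructed, and the field names, `match_key` and `transfer` are hypothetical. Consequences are matched on a normalised key instead of exact text, so rows that describe the same consequence for different causes are grouped into one LOPA scenario, and safeguards are credited as IPLs only when the team has confirmed them.

```python
"""HAZOP -> LOPA data transfer following the section 5.3 mapping (added illustration)."""
import re


def match_key(text: str) -> str:
    """Comparison key: ignores case, repeated whitespace and trailing punctuation."""
    return re.sub(r"\s+", " ", text).strip(" .;:,").casefold()


def transfer(hazop_rows, confirmed_ipls):
    """Group HAZOP rows into LOPA scenarios, one per distinct consequence.

    Mapping used: consequence -> impact event, possible cause -> initiating
    cause, severity -> impact event severity level. `confirmed_ipls` holds the
    safeguard names the LOPA team accepted as independent protection layers;
    every other safeguard is carried over but not credited.
    """
    ipl_keys = {match_key(name) for name in confirmed_ipls}
    scenarios = {}  # dicts keep insertion order: first wording seen is kept
    for row in hazop_rows:
        key = match_key(row["consequence"])
        scenario = scenarios.setdefault(key, {
            "impact_event": row["consequence"].strip(),
            "severity": row["severity"],
            "pairs": [],
            "review": [],   # notes the team must resolve before the LOPA
        })
        if row["severity"] != scenario["severity"]:
            scenario["review"].append(
                f"HAZOP scenario {row['scenario']}: severity {row['severity']} "
                f"differs from {scenario['severity']}")
        safeguards = [s.strip() for s in row["safeguards"]]
        scenario["pairs"].append({
            "hazop_scenario": row["scenario"],
            "deviation": row["deviation"],
            "initiating_cause": row["cause"].strip(),
            "ipls": [s for s in safeguards if match_key(s) in ipl_keys],
            "not_credited": [s for s in safeguards if match_key(s) not in ipl_keys],
        })
    return list(scenarios.values())


# Constructed HAZOP rows (not taken from the appendices of the report).
HAZOP_ROWS = [
    {"scenario": 1, "deviation": "No flow", "cause": "Inlet valve closed",
     "consequence": "No biofuel feed to chip plant", "severity": 3,
     "safeguards": ["Low flow alarm", "Operator rounds"]},
    {"scenario": 2, "deviation": "No flow", "cause": "Outlet valve closed",
     "consequence": "no biofuel feed  to Chip Plant.", "severity": 3,
     "safeguards": ["Low flow alarm"]},
    {"scenario": 3, "deviation": "More pressure", "cause": "Control valve fails closed",
     "consequence": "Vessel overpressure", "severity": 4,
     "safeguards": ["Relief valve", "Pressure indicator"]},
]
CONFIRMED_IPLS = ["Low flow alarm", "Relief valve"]

if __name__ == "__main__":
    for sc in transfer(HAZOP_ROWS, CONFIRMED_IPLS):
        print(f"Impact event: {sc['impact_event']} (severity {sc['severity']})")
        for pair in sc["pairs"]:
            print(f"  HAZOP {pair['hazop_scenario']}: {pair['initiating_cause']}"
                  f" | IPLs: {pair['ipls']} | not credited: {pair['not_credited']}")
```
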

5.4 Illustration of Software Programme (Provided by Aker Solution)


To better illustrate how a program could work, the execution is divided into 5 steps. It is
important to emphasize that a real program has not been created, only a model / illustration of how
it could work. The illustration is shown in Appendix 6. Note that the suggested program is a simple
program, with the purpose of describing the underlying solutions. No emphasis is put on
sophisticated coding.

Step 1 - HAZOP
The cells containing the HAZOP consequences are set equal to the ones that shall contain the impact
events. In Excel this could be done either by creating a VB macro which copies the information, or by
setting the cells equal directly in Excel. The same applies to the possible causes in
HAZOP. The risk matrix sheet contains the classification of the HAZOP consequence and impact
event severity. The chosen severity level is transferred in the same manner as the HAZOP
consequence. To initiate the process of transferring the data, a command button which is constantly
visible is placed at the bottom of the LOPA sheet. This is named "Transfer HAZOP data", and when
clicked the rows containing the data are transferred or copied. After all the cause and impact event
data are transferred, the impact events are screened by severity level. The coding solution is VB in
addition to macros. Some impact events are similar, and combining several impact events is
relevant. This is not taken into account in this program illustration.

Step 2 - Retrieve initiating cause frequency


Next to the command button proposed in Step 1, a command button named "Implement initiating
cause frequency" is placed. When this is clicked the user may choose which cell to place the
value in and which value to select from the database sheet. The user may also adjust the numbers. This
requires more extensive VB coding.
The initiating cause frequency may be given as a PFD. A pop-up box, which appears after the value
has been entered, asks the user to specify additional information if it is necessary. The number
of demands / opportunities per year is such information; this is done to make sure that the correct
unit is used. The programme adjusts the numbers automatically.

Step 3 - Retrieve IPL PFDs


The same method and coding apply to the IPL PFD selection. When all the PFDs are filled in, the
IPL cells that contain no numerical value are given the value 1. This can be realized by an IF statement
that checks whether the cells have a value or not and inserts the necessary values.

Step 4 - Calculation
The intermediate event likelihood is calculated directly in Excel by formulas, i.e. cell 10 = product
(cell 4;cell 9). The TMEL is specified in the risk matrix sheet. Depending on which severity level
is selected, the program enters the correct value of TMEL in the mitigated event likelihood cell
in the LOPA sheet. A simple IF statement could do this automatically. A command button called
"Calculate SIL" initiates the SIL calculation. The IELs for each initiating cause related to the same
impact event are added. A set of IF statements counts how many rows are related to the same
impact event and calculates the total IEL for the respective impact event. The value of the total IEL for
the impact event is divided by the TMEL value, and the result is the needed SIL. IF statements
containing text strings evaluate the results and print a message to the user in the cell, i.e. "SIL 2" or
"No SIS necessary". This part of the program requires extensive VB coding. The program has to
remember parameters, and use these to calculate the correct columns and place the results in
the correct cells.

Step 5 - SIL selection


It is not certain that the calculated SIL is the one the team wants to employ. A command button
named "Change SIL" makes an input box appear if clicked. The user may input the wanted SIL or
specify the PFD of the SIS. The mitigated event likelihood is calculated again, and a pop-up box
notifies the user whether this PFD fulfils the TMEL requirement. A screening process based on the calculated
SIL is beneficial, as higher SILs may require the initiation of a QRA. The program may colour the
entire row in a certain colour if the SIL is higher than a specified limit.

Comments to the illustrated software program


The illustrated program seems reasonable, as it helps the user to manage data and do the needed
calculations. In addition it supports the user during the analysis. The help function mentioned in the
specification in section 5.4 is not treated, but is expected to be a vital part of a program. The
illustrated program should be evaluated in more detail, and should be extended from a thought
program to a real prototype with more advanced coding and a better user interface.
Expert judgment makes up an extensive amount of the analysis, which is difficult to incorporate in a
program. A software tool that learns by doing is beneficial. An example is a software program that
saves and interprets the possible initiating causes of a HAZOP or LOPA analysis. When a new
analysis on a similar system is performed, the information from previous studies becomes available
to the user. This is an effective way of facilitating the transfer of experience.

Commercially available software

Table 2: List of commercially available software for HAZOP and LOPA

| Software Name | Suppliers | Contact Details |
|---|---|---|
| PHA-Pro | EHS & Sustainability, www.ihs.com | Paul Wentzel, paul.wentzel@ihs.com; Phone: +44(0)1344 328 258; Mob: +44(0)7545 550 780 |
| HAZOP Manager V6 | Lihoutech | http://www.lihoutech.com/ |
| ExSILentia | exida, www.exida.com | Jon Keswick, jon.keswick@exida.com; Alan Gaulton, alan.gaulton@exida.com; Phone: +44 (0) 24 76 214 794 |
| SilCore | ACM Facility Safety | info@acm.ab.ca; www.silcore.com |
| LOPAWorks 5 and 3 | Primatech (America), www.primatech.com | software@primatech.com; Phone: 614-841-9800 |

6.1 Decision Analysis


Based on the decision analysis table shown in appendix 2, PHA-Pro is the best software for industry
demand and has been ranked number 1, followed by ExSILentia and SilCore, which demonstrates
its industry-leading features with respect to the JACOBS IT platform. PHA-Pro is flexible and user-friendly
software with an open structure that allows templates to be customized according to
company-specific guidelines and organizational needs. PHA-Pro's data linking features reduce the amount of
time and effort required to finish a study and fulfil the recommendations by automatically replicating
the data in the appropriate areas. In contrast, SilCore, HAZOP Manager V6 and LOPA Works do not
have an appropriate feature for data mirroring and require more time to transfer data, and
are therefore not useful for JACOBS. HAZOP Manager does not use LOPA to calculate Safety
Instrumented Layers (SIL). ExSILentia shares some common features with PHA-Pro; for
example, it is standalone and requires no special connectivity. At the same time it can be used by
multiple users; for this it requires a multi-user license for 5 or 10 concurrent users, who must be
connected to the same network (subnet) as the license server for the application to run. PHA-Pro
and ExSILentia have the same SIL determination flexibility, as they give users the option to calculate
unmitigated risks by using Risk Graphs, LOPA or Safety Layer Matrix. PHA-Pro comes equipped with
the most comprehensive professional libraries available, including over 2500 checklist items to make
studies more complete. PHA-Pro helps to build on previous studies to avoid wasting time, allowing
past studies to be reused to retain valuable corporate knowledge, including past incidents.

6.2 Recommended Software


Based on the above comparison, PHA-Pro is the most suitable software for JACOBS, as it has the
functionality to group the same scenarios together during HAZOP review. It is a proven technology
with preformatted industry-standard PHA templates and a myriad of features that are user friendly
and intuitive. In addition to pre-populated libraries, PHA-Pro allows language from
previous studies to be captured to help build corporate libraries, ensuring that engineering expertise is retained
and accessible for future studies.

7. Conclusion
Various methods to calculate SIL, including LOPA, were discussed briefly. The best LOPA approach was
defined step by step with the help of a flow chart. General methods that follow IEC 61511 guidelines
were explained for transferring data from HAZOP to LOPA. Different issues were identified within
the JACOBS HAZOP sheet (e.g. how to group the same scenarios during HAZOP review), and some
recommendations were made for these. The Consultancy spreadsheet, the Manchester spreadsheet
and the Aker Solution spreadsheet were compared to find which areas of the
Consultancy spreadsheet could be improved. Software specifications were discussed for HAZOP and LOPA, and
PHA-Pro was found to be the best software for SIL calculation by using the decision analysis table.

References
Bingham, K. and Goteti, P. (2004). Integrating HAZOP and SIL / LOPA analysis: Best practice
recommendations. ISA (The Instrumentation, Systems, and Automation Society) 2004.
CCPS (2001). Layer of protection analysis - simplified process risk assessment. American
Institute of Chemical Engineers (AIChE), Centre for Chemical Process Safety (CCPS). 3 Park
Avenue, New York.
Dowell and William. (2005). Layer of Protection analysis for determining safety integrity level.
Ellis, G. and Wharton, M. (2006). Practical experience in determining safety integrity levels for
safety instrumented systems. Symposium Series No. 151, IChemE.
Lassen, A. C. (2008). Layer of Protection Analysis for determination of Safety Integrity Level, 29-35.
M, A. (1997). Layer of Protection Analysis: A New PHA Tool After Hazop, 31.
Rausand, M. and Høyland, A. (2004). System Reliability Theory. Models, Statistical Methods,
and Applications. 2nd edition. John Wiley & Sons. Hoboken, NJ.
Schonbeck, M. (2005). Introduction of reliability of safety systems.

Abbreviations
Independent Protection Layer (IPL)


Probability of Failure on Demand (PFD)


Piping and Instrumentation Diagram (P&ID)
Risk Reduction Factor (RRF)
Initiating Events (IE)
Conditional Modifier (CM)
Centre for Chemical Process Safety (CCPS)
Basic Process Control Systems (BPCS)
Hazards and Operability (HAZOP)
Layer of Protection Analysis (LOPA)
Intermediate Event Likelihood (IEL)
Target Mitigated Event Likelihood (TMEL)
Quantitative Risk Analysis (QRA)
Fault Tree Analysis (FTA)

Appendix


Mapping Data from HAZOP to LOPA

Appendix 1

HAZOP
Markinch Biomass CHP

Title:
Doc Number:
1
Client Reference:
61060082-000-000-111-E-0028

Ref No.

NODE:
P&ID Drawing No
PFD Drawing No
Design Intention

Deviation
Parameter
Guideword
FLOW
No

61060082-600-000-111-H-0034
NRL 0529
Review No

Initiating Cause

Scenario Development

closed valve (inlet from tanker


loading)

01

FLOW

No

No Biofuel oil for Chip plant.


Control valve does not work or
incorrect position.

Hazardous Event

Inherent Safety Features?

Frequency

Safety Environment
1

Commercial

High Temperature Water going to


Effluent system.
Potentially exceeding design
temperature of effluent drains.

Unlikely

Scenario origin
Reference documentation

HAZOP Node 1 Ref 1,3,4,12,22,29,42


ST000801-000-000-111-E-0031
Status
awaiting further information
Spare1
Spare2

Risk

2 Serious

Safeguards

1. Multiple storage tanks. Expect 5 days worth of fuel at any time. 2. Two service tanks (24 hrs
buffer). 3. Control system will alarm; however, this would only be logged locally and the site is
unmanned.

same as entry 1
tank outlet closed valve,
blockage

04

LOPA
Prefix 2-Node 1
Equipment item
Date of assessment
Safety
Conseq. definition
Consequence level
Tolerable frequency

E192

Scenario 1
HP Gas Pre heater
Environmental

Asset/Commercial

serial number 2
Spare3

4
0
1
1.00E-06
1.00E-02
1.00E-03
Hazard/fault description and scenario development: no flow leads to loss of supply to district, major risk of injury and harm to people. Gas flow diverted to JT valve

| Initiating event | Description | Enabling event value (prob/freq) | Initiating event freq/prob |
|---|---|---|---|
| IE1 | valve closed, manual operation | 1 | 1.00E-01 |
| IE2 | blocked filter | 1 | 0.001 |
| IE3 | pipe rupture - loss of supply only. Fire and explosion in scenario 2. | 1 | 1.00E-04 |
| IE4 | closed auto valve | 2 | 0.1 |
| IE5 | low upstream pressure - network problem | 1 | 0.1 |
| IE6 | bursting disc sensor failure leads to shut down | 1 | 0.1 |

CM/IPL/IML values with ref to IE

CM1: Prob. of exposure, vulnerability

CM2: Ignition probability

N/A

CM3: Other (specify)

vent is blanked. Permit to work procedure for maintenance. Pipework design standards.

IPL1: Process plant design/integrity

0.001 for IE1. 0.1 for IE3. 1 for IE5


valve locked open with procedural control to remote lock (0.01) operator training and procedures (0.1). Unmanned NGG station.
MOV 1710 or MOV 1746 reaching closed position when in operation result in bypass line and MOV 1723 opening to maintain supply to district

IPL2: Basic process control system

1 for IE1,IE2,IE3,IE5. 0.1 for IE4 and IE6

IPL3: Operator monitoring or response to process alarms

DP indication and alarm across filter (0.1). Maintain procedures (0.1)

1 for IE1. 0.01 for IE2. 1 for IE5

IPL4: Passive protection (e.g. PRVs)

IML: Mitigation (e.g. bunds, emergency response)

SAFETY
IE1
IE2
IE3
IE4
IE5
IE6
ENVIRONMENTAL
IE1
IE2
IE3
IE4
IE5
IE6
ASSET/COMMERCIAL
IE1
IE2
IE3
IE4
IE5
IE6

Enabling
1
1
1
2
1
1
Enabling
1
1
1
2
1
1
Enabling
1
1
1
2
1
1

IEF
0.1
0.001
0.0001
0.1
0.1
0.1
IEF
0.1
0.001
0.0001
0.1
0.1
0.1
IEF
0.1
0.001
0.0001
0.1
0.1
0.1

CM1
1
1
1
1
1
1
CM1
1
1
1
1
1
1
CM1
1
1
1
1
1
1

CM2
1
1
1
1
1
1
CM2
1
1
1
1
1
1
CM2
1
1
1
1
1
1

CM3
1
1
1
1
1
1
CM3
1
1
1
1
1
1
CM3
1
1
1
1
1
1

20

IPL1
0.001
1
0.01
1
1
1
IPL1
0.001
1
0.1
1
1
1
IPL1
0.001
1
0.1
1
1
1

IPL2
1
1
1
0.1
1
0.1
IPL2
1
1
1
0.1
1
0.1
IPL2
1
1
1
0.1
1
0.1

IPL3
1
0.01
1
1
1
1
IPL3
1
0.01
1
1
1
1
IPL3
1
0.01
1
1
1
1

IPL4
1
1
1
1
1
1
IPL4
1
1
1
1
1
1
IPL4
1
1
1
1
1
1

IML
1 1.00E-04
1 1.00E-05
1 1.00E-05
2.00E-02
1 1.00E-01
1
IML
1 1.00E-04
1 1.00E-05
1 1.00E-05
1 2.00E-02
1 1.00E-01
1 1.00E-02
IML
1 1.00E-04
1 1.00E-05
1 1.00E-05
1 2.00E-02
1 1.00E-01
1 1.00E-02

Appendix 2
Decision analysis

Comparison between different HAZOP/LOPA software

Title

Aims

PHA-Pro

ExSILentia

SilCore

HAZOP Manager V6

PHA Works

Mandatory

fulfilled

fulfilled

fulfilled

fulfilled

fulfilled

yes

yes

yes

no

no

yes

yes

no

no

yes

yes

yes

yes

no

no

User Friendliness

yes

yes

yes

yes

yes

Documentation

yes

yes

yes

yes

yes

Standalone/Site i.e. single or


multiple users

yes

yes

yes

yes

yes

SIL Validation based on LOPA

yes

yes

yes

no

no

Software Update

yes

yes

yes

yes

yes

Run on Multiple PCs


Reporting

yes
yes

yes
yes

yes
yes

yes
yes

no
yes

Run on Jacobs IT platform


Data Mirroring
Functionality Defined

Nice-to-have
Cost
Quality
Time
Vendor
Support

Evaluation

Weight

9
8
9
8

Sum
Ranking order

Weight *
Evaluation

9
8
8
9

Remark

81
64
64
72

Evaluation

Weight *
Evaluation

8
7
7
8

281

Remark

72
56
63
64

Weight *
Evaluation

7
6
6
8

255
1

Evaluation

Remark

56
48
54
64

Remark

54
40
45
54

Evaluation

Weight *
Evaluation

6
5
6
6

193
3


Weight *
Evaluation

6
5
5
6

222
2

Evaluation

Remark

54
40
54
54

202
5

HAZOP Issue (Appendix 3)

Appendix 4: (please double click on the excel sheet to open)


Man LOPA Work example.xls
Consultancy sheet.xlsx


Appendix 5: LOPA sheet provided by CCPS 2001


Appendix 6 :Aker Solution HAZOP/LOPA interface
