Beruflich Dokumente
Kultur Dokumente
discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/275208864
READS
398
1 AUTHOR:
Muhammad Nawaz
Teesside University
3 PUBLICATIONS 0 CITATIONS
SEE PROFILE
7/26/2013
Preface
This report is the result of my six weeks placement at JACOBS Engineering. JACOBS is one of the
worlds largest and most diverse providers of technical, professional and technical services. Very
special thanks to Simon Clark who has been very helpful with thorough guidance though out my 6
weeks placement and provided me enough information to write my final report. Gratitude must be
expressed towards my supervisor Richard Foreman who has provided me helpful information on
HAZOP and LOPA from practical perspective.
Muhammad Nawaz
26/07/2013
Contents
Objective ................................................................................................................................................. 3
1
Introduction .................................................................................................................................... 3
1.1 Introduction to HAZOP .................................................................................................................. 3
1.2 Introduction to LOPA .................................................................................................................... 4
1.4 Relation to International Electrotechnical Commission (IEC) 61508 &61511 .............................. 4
LOPA ................................................................................................................................................ 5
3.1 Explanation of terms ..................................................................................................................... 6
3.1.1 Process Deviation ....................................................................................................................... 6
3.1.2 Impact event .............................................................................................................................. 6
3.1.3 Initiating cause ........................................................................................................................... 6
3.1.4 Scenario...................................................................................................................................... 6
3.1.4 Protection layers vs. independent protection layers ................................................................. 7
3.1.4 Conditional Modifiers ................................................................................................................ 7
3.1.5 Intermediate event likelihood ................................................................................................... 7
3.1.6 Mitigated event likelihood ......................................................................................................... 7
3.2 Different Approaches in Literature for LOPA ................................................................................ 7
3.3 Probability of Failure on Demand for different Independent Protection Layers ......................... 9
4.4
4.5
Comparison between Consultancy spread sheet Vs. Aker Solution spread sheet ............... 13
7. Conclusion ......................................................................................................................................... 18
References ............................................................................................................................................ 18
Abbreviations ........................................................................................................................................ 18
Appendix ............................................................................................................................................... 19
Objective
The objective of this report is to thoroughly understand JACOBS HAZOP and LOPA methods. Identify
all the issues in HAZOP and LOPA worksheet and suggest recommendations to further improve the
software programme which carries out the HAZOP and LOPA studies. As a part of this the following
steps will be covered
How data is transferred from HAZOP to LOPA
JACOBS HAZOP and LOPA data mapping
Carry out literature survey and discuss the different approaches available in the literature
Best LOPA approach to determine Safety Instrumented Layer (SIL)
Comparison between consultancy spread sheet and Manchester LOPA spread sheet
LOPA programme specifications
Illustration of software provided by Aker Solution
Different software available in the market and recommended software
Introduction
consequences are the results of the deviations. Safeguards have the intention of reducing the
frequency of the causes and mitigate the consequences.
PFD (low)
101 - 102
102 - 103
103 - 104
104 - 105
RRF
10-100
100-1000
1000-10,000
10,000-100,000
For continuous operation (high demand system), these change to the following. (Probability of
Failure per Hour)
SIL
PFD(high)
RRF
4
1
2
3
4
105 - 106
106 - 107
107 - 108
108 - 109
100,000-1,000,000
1,000,000-10,000,000
10,000,000-100,000,000
100,000,000-1,000,000,000
There are several methods available to determine SIL. Organization has helped engineers by
developing these tools to estimate the process risk and convert it to required SIL. Both quantitative
and qualitative approach may be applied. In qualitative methods the parameters used as decision
basis are subjective and estimated by expert judgement. Quantitative methods describe the risk by
calculation and numerical valve is than compared with the targeted valves. Which method is applied
primarily depends on where the necessarily risk reduction is specified in a numerical manner or
qualitative manner. The scope and extent of analysis would also be an influence factor. Even if the
assignment method is qualitative the SIL is always quantified by a numerical value. These methods
include Quantitative method in IEC 61511, the risk matrix, the safety layer matrix, the OLF 070
guidelines, the risk graphs and calibrated risk graphs and layer of protection analysis (LOPA). At this
stage I will only focus on LOPA however other methods detail and their procedures to determine SIL
could be found on (http://ieeexplore.ieee.org).
LOPA
LOPA was introduced in 1990s and has become more popular in all over the world. LOPA is semi
quantitative method using numerical categories to estimate the parameters need to calculate the
necessary risk reduction which correspond the acceptance criteria (CCPS, 2001). LOPA can be viewed
as special type of event tree analysis (ETA) which has the purpose to determine the frequency of an
unwanted consequence, which can be protected by a set of independent protection layers. The
frequency of unwanted consequences can be calculated by multiplying PFDs with demand on the
protection layers. Comparing the resultant frequency with tolerable frequency identifies the risk
reduction and required SIL can be calculated. The system has the protection layers including Basic
Process Control System (BPCS), critical alarm, human intervention, SIFs, physical protection and
emergency response as shown in figure1.
3.1.4 Scenario
According to (CCPS, 2001)a scenario describes a single cause - consequence pair from the HAZOP. In
LOPA terminology this is a single initiating cause impact event pair. This implies that a scenario
consists of more than just the impact event. But should not a scenario comprise even more? Amore
appropriate definition of a scenario would include more than one cause. The scenario definition is
extended to describing the development from a process deviation to an impact event, including the
causes leading to the process deviation.
6
CE
Select Consequence level
CA CE
Select Occupancy (F),
Avoidance (P) and Demand
(W) values
Determine SIL using Risk
Graph
Determine SIL using LOPA
SILa
(Ungraded)
SIL 1
SIL 2
Redesign Process
Figure 3: extract of SIL determination methodology from Ellis and Wharton 2006.
In the above figure the consequence of the impact event is chosen and classified and LOPA is used if
there is high level of Consequence (CE) if not than a risk graphs is used which results in SIL1. This is
documented as a final SIL but if the Risk Graphs is results in higher SIL say SIL2 or 3 LOPA is
suggested in those cases. Fault Tree Analysis (FTA) is used if LOPA concluded SIL3-4. If FTA concluded
SIL3 to 4 than redesign is needed to reduce the level of risk or event likelihood.
1*10-1 to 1*10-4
SIL 3
include these columns. There are several possibilities either to include severity level and likelihood
of the consequences or not it is entirely depends on the organization. Another possibility of that
HAZOP has none of these which make it difficult to know how this part of HAZOP will interfere be.
These issues must be evaluated and resolved prior to a LOPA. It is suggested that same risk matrix
must be used for HAZOP and LOPA with same risk acceptance criteria.
10
4.3
4.4
The recommended LOPA approach is shown in the above figure 1 which explains the sequences of
the data transfer with the LOPA study. This approach is recommended by IEC61511 worksheet as
shown in appendix5. The terms have been explained in the above Explanation of Terms section. The
following steps should be considered from best LOPA approach
11
Start
Develop and Document Risk
Acceptance Criteria
Sufficient data?
Transform data
Finish
4.5 Comparison between Consultancy spread sheet Vs. Aker Solution spread
sheet
Consultancy spread sheet is design to manually transfer data from HAZOP to LOPA whereas Aker
Solution spread sheet has some features to automatically transfer data e.g. consequence from
HAZOP to impact event description in the LOPA. A yellow tab is shown in the Aker Solution spread
sheet under the impact event description column which automatically populates the data as shown
in the Appendix 6. To transfer data from HAZOP consequence to LOPA impact event description, the
words or sentence should be the same otherwise computer cannot understand the different word
regardless different meaning. This feature could be built in consultancy spread sheet by using some
VB macro which will help to reduce time to transfer data.
Initiating
cause
frequency
(per year)
Reflux
valve
closed
0.08
Reflux
pump
failure
0.15
Enabling
event
value
(prob/fre
q)
1
Independent
Protection
Layers (IPLs)
Relief valve
Auto
Depressurising
valve
Auto start spare
pump
BPCS low flow
pump
Probabilit
y of
Failure on
Demand
(PFD)
0.05
0.01
0.1
0.1
Mitigated
event
frequency(
per year)
Tolerable
Frequenc
y
SIL
0.0001
0.00004
0.0015
0.00154
0.0001
TF/MF
= 0.0001/0.00154
The key issue in the spread sheet is that there were two initiating causes were identified for the
same consequence and each cause-consequence pair had unique set of IPL.
13
The problems in LOPA analysis arise when integrating HAZOP/LOPA on the same time which means
performing HAZOP and LOPA concurrently with the same team which mean team are trying to
perform cause-based approach for both methods. While this approach is only valid for causeconsequence one to one pair. In instance this approach is inapplicable when there is more than one
cause for same scenario. It is only possible when there is rigorous examination for all causes with
same consequences which means that the benefits of integrating the methods can only be fully
realized.
5.2 Recommendations
This problem could be overcome by using a combination of keywords and lists all the
typical causes for deviation and group under the relevant keywords combinations
(i.e. no flow, more pressure etc.). In other words there is a listing of all the potential
problems cause by FLOW NO or MORE PRESSURE etc. during HAZOP review if the
team is having a problem in identifying the potential deviations, the causes
database can easily be interrogated. The database may easily be amended or
expanded so that it becomes a repository of information that can be accessed during
study. The program will automatically display the page that is relevant to the
keywords combination. OR
Create a spread sheet for most common cause and consequences and link it with
HAZOP software so that if the same problems come up you can go into the spread
sheet and choose via hyperlink instead of inputting the data each time. OR
Separate table in HAZOP software built-up to list scenario numbers and descriptions.
OR
Buy a new software from venders which has data mapping features
5.3
The best approach to transfer data is to conduct HAZOP and LOPA separately where the HAZOP is
conducted first followed by LOPA, but they are adapted to each other to enable better interfere. If
the HAZOP and LOPA are performed by integrated software tool, several of the phases in figure1 will
14
automatically performed. For example, data gathering, transformation of data and documentation.
Specifications are vital to make consistence and thorough software program. These include what
exactly the program has to do and what characteristics it needs to make easier calculation and
reduce time while applying LOPA.
The specification of the proposed HAZOP/LOPA program is as follows:
HAZOP work sheet cells equal to the LOPA work sheet cells and automatic transform of data.
This applies to
HAZOP consequence= LOPA impact event (Hazardous event)
HAZOP possible causes= LOPA initiating events
HAZOP consequences likelihood and severity level= LOPA initiating events
Frequency and severity level which might be adjusted later
Calculate results based on the data:
Intermediate/mitigated event likelihood
Safety Instrumented Layers (SILs)
Provide data base with risk assessment criteria
Interface with additional databases:
Initiating cause frequency
Probability of Failure on Demand (PFDs)
Automatic include risk acceptance criteria in the calculation
User interfere quality assurance:
Interactive SIL selection which allows the users to select SIL by clicking and see the impact on the
mitigated event likelihood on the screen
Step 1 - HAZOP
The cells containing the HAZOP consequences are set equal to the ones that shall contain the impact
events. In excel this could be done by either creating a VB macro which copies the information, or by
defining the cell information equal directly in Excel. The same applies to the possible causes in
HAZOP. The risk matrix sheet contains the classification of the HAZOP consequence and impact
event severity. The chosen severity level is transferred in the same manner as the HAZOP
consequence. To initiate the process of transferring the data, a command button which is constantly
visible is placed in the bottom of the LOPA sheet. This is named Transfer HAZOP data, and when
clicked the rows containing the data are transferred or copied. After all the cause and impact event
data are transferred, the impact events are screened by severity level. The encoding solution is VB in
addition to macros. Some impact events are similar, and combining several impact events is
relevant.
This is not taken into account in this program illustration.
The initiating cause frequency may be given as a PFD. A pop-up box, which appears after the value
has been implemented, asks the user to specify additional information if it is necessary. The number
of demands / opportunities per year is such information; this is done to make sure that the correct
unit is used. The programme adjusts the numbers automatically.
Step 4 - Calculation
The intermediate event likelihood is calculated directly in Excel by formulas, i.e. cell 10 = product
(cell 4;cell 9). The TMEL is specified in the risk matrix sheet. Corresponding to which severity level
is selected the program implements the correct value of TMEL in the mitigated event likelihood cell
in the LOPA sheet. A simple IF sentence could do this automatically. A command button called
Calculate SIL initiates the SIL calculation. The IELs for each initiating cause related to the same
impact event is added. A set of IF sentences count how many rows that are related to the same
impact event and calculate the total IEL for the respective impact event. The value of the total IEL for
the impact event is divided by the TMEL value, and the result is the needed SIL. IF sentences
containing text strings evaluates the results and prints a message to the user in the cell, i.e. SIL 2 or
No SIS necessary. This part of the program requires extensive VB encoding. The program has to
remember parameters, and use these to calculate the correct columns and implement the results in
the correct cells.
Software Name
Suppliers
Contact Details
16
PHA-Pro
Paul Wentzel
paul.wentzel@ihs.com
Phone: +44(0)1344 328 258
Mob: +44(0)7545 550 780
HAZOP Manager V6
Lihoutech
http://www.lihoutech.com/
ExSILentia
Exide
www.exida.com
Jon Keswick
SilCore
info@acm.ab.ca
jon.keswick@exida.com
Alan Gaulton
alan.gaulton@exida.com
Phone: +44 (0) 24 76 214 794
www.silcore.com
LOPAWorks 5 and 3
Primates (America)
www.primatech.com
software@primatech.com
Phone : 614-841-9800
17
7. Conclusion
Various methods were discussed briefly to calculate SIL including LOPA. Best LOPA approach was
defined step by step with the help of flow chart. General methods were explained to transfer data
from HAZOP to LOPA which followed IEC 61511 guidelines. Different issues were identified with in
the JACOBS HAZOP sheet (e.g. how to group same scenarios during HAZOP review) and some
recommendation for this. Comparison between Consultancy spread sheet, Manchester spread sheet
and Aker Solution Spread sheet were made to find which area of the software could be improved in
consultancy spread sheet. Software specifications were discussed for HAZOP and LOPA and found
that PHA-Pro is the best software for SIL calculation by using decision analysis table.
References
CCPS. (2001). Centre for Chemical Process Safety (CCPS).
Dowell and William. (2005). Layer of Protection analysis for determining safety integrity level.
Ellis, G., & Wharton, M. (2006). practical experiance in determining safety integrity level for safety
instrumented systems. Symposium series 1. IChemE.
Hoyland, R. a. (2004). System Reliability Theory. System Reliability Theory, 2nd addition John Wiley
and Sons.
Lassen, A. C. (2008). Layer of Protection Analysis for detemination of Safety Integrity Level. Layer of
Protection Analysis for detemination of Safety Integrity Level, 29-35.
M, A. (1997). Layer of Protection Analysis. Layer of Protection Analysis: A New PHA Tool After
Hazop,, 31.
Schonbeck, M. (2005). intorudction of reliability of safet systems.
Ellis, G. and Wharton, M. (2006). Symposium Series No. 151, IChemE. In Practical
experience in determining safety integrity levels for safety instrumented systems
Bingham, K. and Goteti, P. (2004). ISA (The Instrumentation, Systems, and Automation
Society) 2004. In Integrating HAZOP and SIL / LOPA analysis: Best practice recommendations.
CCPS (2001). Layer of protection analysis - simplified process risk assessment. American
Institute of Chemical Engineers (AIChE), Centre for Chemical Process Safety (CCPS). 3 Park
Avenue, New York.
Rausand, M. and Hyland, A. (2004). System Reliability Theory. Models, StatisticalMethods,
and Applications. 2nd edition JohnWiley & Sons. Hoboken, NJ.
Abbreviations
Independent Protection Layer (IPL)
18
Appendix
19
Appendix 1
HAZOP
Markinch Biomass CHP
Title:
Doc Number:
1
Client Reference:
61060082-000-000-111-E-0028
Ref No.
NODE:
P&ID Drawing No
PFD Drawing No
Design Intention
Deviation
Parameter
Guideword
FLOW
No
61060082-600-000-111-H-0034
NRL 0529
Review No
Initiating Cause
Scenario Development
01
FLOW
No
Hazardous Event
Frequency
Safety Environment
1
Commercial
Unlikely
Scenario origin
Reference documentation
Risk
2 Serious
Safeguards
same as entry 1
tank outlet closed valve,
blockage
04
LOPA
Prefix 2-Node 1
Equipment item
Date of assessment
Safety
Conseq. definition
Consequence level
Tolerable frequency
E192
Scenario 1
HP Gas Pre heater
Environmental
Asset/Commercial
serial number 2
Spare3
4
0
1
1.00E-06
1.00E-02
1.00E-03
no flow leads to loss of suplly to district, major risk of injury and harm to people. Gas flow diverted to JT valve
Enabling event
value (prob/freq)
valve closed, manual operation
blocked filtre
pipe rupture -loss of supplyonly. Fire and explosion in scenario 2.
closed auto valve
low upstream pressure-network problem
bursting disc sensor failure leads to shut down
1
1
1
2
1
1
Description
1.00E-01
0.001
1.00E-04
0.1
0.1
0.1
N/A
vent is blanked. Permit to work procedure for maintenance. Pipework design standards.
IPL3: Operator monitoring or response to DP indication and alarm across filtre(0.1). Maintain procedures (0.1)
process alarms
SAFETY
IE1
IE2
IE3
IE4
IE5
IE6
ENVIRONMENTAL
IE1
IE2
IE3
IE4
IE5
IE6
ASSET/COMMERCIAL
IE1
IE2
IE3
IE4
IE5
IE6
Enabling
1
1
1
2
1
1
Enabling
1
1
1
2
1
1
Enabling
1
1
1
2
1
1
IEF
0.1
0.001
0.0001
0.1
0.1
0.1
IEF
0.1
0.001
0.0001
0.1
0.1
0.1
IEF
0.1
0.001
0.0001
0.1
0.1
0.1
CM1
1
1
1
1
1
1
CM1
1
1
1
1
1
1
CM1
1
1
1
1
1
1
CM2
1
1
1
1
1
1
CM2
1
1
1
1
1
1
CM2
1
1
1
1
1
1
CM3
1
1
1
1
1
1
CM3
1
1
1
1
1
1
CM3
1
1
1
1
1
1
20
IPL1
0.001
1
0.01
1
1
1
IPL1
0.001
1
0.1
1
1
1
IPL1
0.001
1
0.1
1
1
1
IPL2
1
1
1
0.1
1
0.1
IPL2
1
1
1
0.1
1
0.1
IPL2
1
1
1
0.1
1
0.1
IPL3
1
0.01
1
1
1
1
IPL3
1
0.01
1
1
1
1
IPL3
1
0.01
1
1
1
1
IPL4
1
1
1
1
1
1
IPL4
1
1
1
1
1
1
IPL4
1
1
1
1
1
1
IML
1 1.00E-04
1 1.00E-05
1 1.00E-05
2.00E-02
1 1.00E-01
1
IML
1 1.00E-04
1 1.00E-05
1 1.00E-05
1 2.00E-02
1 1.00E-01
1 1.00E-02
IML
1 1.00E-04
1 1.00E-05
1 1.00E-05
1 2.00E-02
1 1.00E-01
1 1.00E-02
Appendix 2
Decision analysis
Title
Aims
PHA-Pro
ExSILentia
SilCore
HAZOP Manager V6
PHA Works
Mandatory
fulfilled
fulfilled
fulfilled
fulfilled
fulfilled
yes
yes
yes
no
no
yes
yes
no
no
yes
yes
yes
yes
no
no
User Friendliness
yes
yes
yes
yes
yes
Documentation
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
no
no
Software Update
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
no
yes
Nice-tohave
Cost
Quality
Time
Vendor
Support
Evaluation
Weight
9
8
9
8
Sum
Ranking order
Weight *
Evaluation
9
8
8
9
Remark
81
64
64
72
Evaluation
Weight *
Evaluation
8
7
7
8
281
Remark
72
56
63
64
Weight *
Evaluation
7
6
6
8
255
1
Evaluation
Remark
56
48
54
64
Remark
54
40
45
54
Evaluation
Weight *
Evaluation
6
5
6
6
193
3
21
Weight *
Evaluation
6
5
5
6
222
2
Evaluation
Remark
54
40
54
54
202
5
Consultancy
sheet.xlsx
22
23
24