Nawaz, Muhammad
L1199568@tees.ac.uk
7/26/2013
Preface
This report is the result of my six weeks placement at JACOBS Engineering. JACOBS is one of the
world's largest and most diverse providers of technical, professional and technical services. Very
special thanks to Simon Clark who has been very helpful with thorough guidance throughout my 6
weeks placement and provided me with enough information to write my final report. Gratitude must be
expressed towards my supervisor Richard Foreman who has provided me with helpful information on
HAZOP and LOPA from a practical perspective.
Muhammad Nawaz
26/07/2013
Contents
Objective
1 Introduction
1.1 Introduction to HAZOP
1.2 Introduction to LOPA
1.4 Relation to International Electrotechnical Commission (IEC) 61508 & 61511
2 Methods in Determining Safety Instrumented Layers (SILs)
3 LOPA
3.1 Explanation of terms
3.1.1 Process Deviation
3.1.2 Impact event
3.1.3 Initiating cause
3.1.4 Scenario
3.1.4 Protection layers vs. independent protection layers
3.1.4 Conditional Modifiers
3.1.5 Intermediate event likelihood
3.1.6 Mitigated event likelihood
3.2 Different Approaches in Literature for LOPA
3.3 Probability of Failure on Demand for different Independent Protection Layers
4 Interface with HAZOP
4.1 JACOBS HAZOP and LOPA Interface
4.3 Consultancy Spread sheet Vs. Manchester site LOPA sheet
4.3 General method to transfer data from HAZOP to LOPA
4.4 Recommended LOPA approach
4.5 Comparison between Consultancy spread sheet Vs. Aker Solution spread sheet
4.6 Example LOPA
5 Jacobs Issues and Software Specification
5.1 HAZOP Issues
5.2 Recommendations
5.3 HAZOP and LOPA programme specification
5.4 Illustration of Software Programme (Provided by Aker Solution)
Step 1 - HAZOP
Step 2 - Retrieve initiating cause frequency
Step 3 - Retrieve IPL PFDs
Step 4 - Calculation
Step 5 - SIL selection
Comments to the illustrated software program
6 Commercial available software
6.1 Decision Analysis
6.2 Recommended Software
7. Conclusion
References
Abbreviations
Appendix
Objective
The objective of this report is to thoroughly understand JACOBS HAZOP and LOPA methods, to identify
all the issues in the HAZOP and LOPA worksheets and to suggest recommendations to further improve the
software programme which carries out the HAZOP and LOPA studies. As a part of this the following
steps will be covered
1 Introduction
consequences are the results of the deviations. Safeguards have the intention of reducing the
frequency of the causes and mitigating the consequences.
Safety integrity is the probability of safety related systems performing all the safety functions under
all conditions, within a period of time. Safety Instrumented Layers (SILs) determine the potential
risks for people, devices, process or operation in case of malfunction. SILs are classified from SIL1 to
SIL4 and defined by Probability of Failure on Demand (PFD), where PFD is the average unavailability
of an item. A protection layer is considered a safety barrier. When evaluating SIL requirements,
the system has to be classified as high demand of operation or low demand of operation. A high
demand system is one with a continuous mode of operation and is usually defined by PFD per hour;
systems that are used less frequently are referred to as low demand systems and are
normally represented per year. RRF represents Risk Reduction Factor. The table below shows the
average PFDs following the IEC 61508 standard.
Table 1.1 shows the average PFD for a safety function in a low demand system
For continuous operation (high demand system), these change to the following (Probability of
Failure per Hour).
SIL    Probability of failure per hour    RRF
1      10^-5 to 10^-6                     100,000-1,000,000
2      10^-6 to 10^-7                     1,000,000-10,000,000
3      10^-7 to 10^-8                     10,000,000-100,000,000
4      10^-8 to 10^-9                     100,000,000-1,000,000,000
3 LOPA
LOPA was introduced in the 1990s and has become more popular all over the world. LOPA is a semi-
quantitative method using numerical categories to estimate the parameters needed to calculate the
necessary risk reduction, which corresponds to the acceptance criteria (CCPS, 2001). LOPA can be viewed
as a special type of event tree analysis (ETA) which has the purpose of determining the frequency of an
unwanted consequence, which can be protected against by a set of independent protection layers. The
frequency of unwanted consequences can be calculated by multiplying the PFDs by the demand on the
protection layers. Comparing the resultant frequency with the tolerable frequency identifies the risk
reduction, and the required SIL can be calculated. The system has protection layers including the Basic
Process Control System (BPCS), critical alarm, human intervention, SIFs, physical protection and
emergency response, as shown in figure 1.
Figure 1: shows Independent Protection Layers (IPL)
The BPCS is used during normal operation. Input signals from the process or operator are converted
into process outputs which make the process operate in the designed manner. For example, if a
process input signals high pressure, the BPCS may initiate action by stabilizing the
temperature (CCPS, 2001).
An alarm monitoring certain parameters (e.g. temperature and pressure) is considered another
protection layer. An operator may intervene to stop the hazardous event if the alarm is tripped. Note
that the alarm system has to be wired to a different loop from the BPCS in order to be independent.
3.1.4 Scenario
According to CCPS (2001), a scenario describes a single cause - consequence pair from the HAZOP. In
LOPA terminology this is a single initiating cause - impact event pair. This implies that a scenario
consists of more than just the impact event. But should not a scenario comprise even more? A more
appropriate definition of a scenario would include more than one cause. The scenario definition is
extended to describe the development from a process deviation to an impact event, including the
causes leading to the process deviation.
3.1.4 Protection layers vs. independent protection layers
The term protection layer was defined by IEC 61511. What is the difference between a PL and an
IPL, and is the definition appropriate? According to IEC 61511 an IPL must have the same inherent
characteristics. In addition it must provide at least a 100-fold risk reduction (not 10 as for a PL) and
have a functional availability of at least 0.9 (IEC 61511, 2003). These definitions seem confusing. From
the point of view of IEC 61511 an IPL is just a PL with stricter requirements for availability and degree
of risk reduction. A definition of PL in CCPS (2001) is rewritten to: a system or action that is capable of
preventing a process deviation from proceeding to the end consequence. Subsequently an IPL is
defined as a PL that is capable of preventing a process deviation from proceeding to the end
consequence, regardless of other PLs associated with the same impact event - initiating cause pair,
and of the initiating event.
Quantification (cause frequency/likelihood and Probability on Demand (PFD))
SIL determination and Target risk evaluation
Most approaches take information from previous studies to identify risk and to form a basis for
the next step. The major differences between most of the approaches are the use of terms, the order
of sequence and the intended application in the HAZOP and LOPA. For example, in our consultancy
sheet we use Hazardous Event and Scenario Development for Consequences, whereas others use
the simple term Consequence. Some others use a screening tool and/or suggest LOPA as a part of their
total methodology. Ellis & Wharton (2006) suggested a close relationship between LOPA and other
methods.
[Figure 3: extract of SIL determination methodology from Ellis and Wharton 2006. Flow chart boxes: Select Consequence level (CA, CE); Determine SIL using Risk Graph (Ungraded); SILa; Redesign Process.]
In the above figure the consequence of the impact event is chosen and classified, and LOPA is used if
there is a high level of Consequence (CE); if not, a risk graph is used, which results in SIL1. This is
documented as a final SIL, but if the risk graph results in a higher SIL, say SIL2 or 3, LOPA is
suggested in those cases. Fault Tree Analysis (FTA) is used if LOPA concludes SIL3-4. If FTA concludes
SIL3 to 4, then redesign is needed to reduce the level of risk or event likelihood.
3.3 Probability of Failure on Demand for different Independent Protection Layers
Table 2: shows PFDs for IPLs adopted from CCPS (2001)
HAZOP consequence severity ranking and consequence likelihood can be transferred to the LOPA,
where impact event severity level and initiating event frequency are the applicable terms, each with
its associated column (Dowell and William, 2005). The HAZOP work sheet does not necessarily
include these columns. There are several possibilities: whether to include the severity level and likelihood
of the consequences or not depends entirely on the organization. Another possibility is that the
HAZOP has none of these, which makes it difficult to know how this part of the HAZOP will interface.
These issues must be evaluated and resolved prior to a LOPA. It is suggested that the same risk matrix
must be used for HAZOP and LOPA, with the same risk acceptance criteria.
4.3 General method to transfer data from HAZOP to LOPA
[Flow chart. Recoverable boxes: Start; Sufficient data?; Transform data; C<Cc]
4.5 Comparison between Consultancy spread sheet Vs. Aker Solution spread sheet
The consultancy spread sheet is designed for manually transferring data from HAZOP to LOPA, whereas the Aker
Solution spread sheet has some features to transfer data automatically, e.g. the consequence from
HAZOP to the impact event description in the LOPA. A yellow tab is shown in the Aker Solution spread
sheet under the impact event description column, which automatically populates the data as shown
in Appendix 6. To transfer data from a HAZOP consequence to a LOPA impact event description, the
words or sentences must be the same, otherwise the computer cannot match differently worded text,
regardless of its meaning. This feature could be built into the consultancy spread sheet by using a
VB macro, which would help to reduce the time taken to transfer data.
TF/MF = 0.0001/0.00154
The key issue in the spread sheet is that two initiating causes were identified for the
same consequence and each cause-consequence pair had a unique set of IPLs.
The problems in LOPA analysis arise when integrating HAZOP and LOPA at the same time, that is,
performing HAZOP and LOPA concurrently with the same team, which means the team is trying to
perform a cause-based approach for both methods. This approach is only valid for a one-to-one
cause-consequence pair. For instance, it is inapplicable when there is more than one
cause for the same scenario. Only when there is rigorous examination of all causes with the
same consequences can the benefits of integrating the methods be fully
realized.
5.2 Recommendations
This problem could be overcome by using a combination of keywords, listing all the
typical causes for a deviation and grouping them under the relevant keyword combinations
(i.e. no flow, more pressure etc.). In other words, there is a listing of all the potential
problems caused by FLOW NO or MORE PRESSURE etc. During the HAZOP review, if the
team is having a problem in identifying the potential deviations, the causes
database can easily be interrogated. The database may easily be amended or
expanded so that it becomes a repository of information that can be accessed during the
study. The program will automatically display the page that is relevant to the
keyword combination. OR
Create a spread sheet for the most common causes and consequences and link it with the
HAZOP software, so that if the same problems come up you can go into the spread
sheet and choose via hyperlink instead of inputting the data each time. OR
Separate table in the HAZOP software built up to list scenario numbers and descriptions.
OR
Buy new software from vendors which has data mapping features
automatically performed. For example, data gathering, transformation of data and documentation.
Specifications are vital to make a consistent and thorough software program. These include what
exactly the program has to do and what characteristics it needs to make calculation easier and
reduce time while applying LOPA.
Step 1 - HAZOP
The cells containing the HAZOP consequences are set equal to the ones that shall contain the impact
events. In Excel this could be done either by creating a VB macro which copies the information, or by
defining the cell information as equal directly in Excel. The same applies to the possible causes in
HAZOP. The risk matrix sheet contains the classification of the HAZOP consequence and impact
event severity. The chosen severity level is transferred in the same manner as the HAZOP
consequence. To initiate the process of transferring the data, a command button which is constantly
visible is placed at the bottom of the LOPA sheet. This is named Transfer HAZOP data, and when
clicked the rows containing the data are transferred or copied. After all the cause and impact event
data are transferred, the impact events are screened by severity level. The encoding solution is VB in
addition to macros. Some impact events are similar, and combining several impact events is
relevant. This is not taken into account in this program illustration.
The initiating cause frequency may be given as a PFD. A pop-up box, which appears after the value
has been implemented, asks the user to specify additional information if it is necessary. The number
of demands / opportunities per year is such information; this is done to make sure that the correct
unit is used. The programme adjusts the numbers automatically.
Step 4 - Calculation
The intermediate event likelihood is calculated directly in Excel by formulas, i.e. cell 10 = product
(cell 4;cell 9). The TMEL is specified in the risk matrix sheet. According to which severity level
is selected, the program enters the correct value of TMEL in the mitigated event likelihood cell
in the LOPA sheet. A simple IF statement could do this automatically. A command button called
Calculate SIL initiates the SIL calculation. The IELs for each initiating cause related to the same
impact event are added. A set of IF statements counts how many rows are related to the same
impact event and calculates the total IEL for the respective impact event. The value of the total IEL for
the impact event is divided by the TMEL value, and the result is the needed SIL. IF statements
containing text strings evaluate the results and print a message to the user in the cell, i.e. SIL 2 or
No SIS necessary. This part of the program requires extensive VB encoding. The program has to
remember parameters, and use these to calculate the correct columns and enter the results in
the correct cells.
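The calculation described in section 3 and in Step 4, as an added Python example (not the Aker Solution or JACOBS spread sheet code, and not the VB macros the report describes): each initiating cause keeps its own IPL set, the IELs are summed per impact event, and the total is divided by the TMEL. The names `LopaRow`, `classify` and `required_sil`, all sample rows and the "SIL a" band are assumptions; the other bands are the IEC 61508 low demand ranges expressed as risk reduction factors.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Optional, Tuple

# Low demand SIL bands as upper bounds on the required risk reduction factor.
# "SIL a" (RRF up to 10) is an assumption of this sketch; the report's program
# only prints "SIL n" or "No SIS necessary".
SIL_BANDS = [(10, "SIL a"), (100, "SIL 1"), (1_000, "SIL 2"),
             (10_000, "SIL 3"), (100_000, "SIL 4")]


@dataclass
class LopaRow:
    """One initiating cause / impact event pair with its own set of IPLs."""
    impact_event: str
    cause: str
    value: float                               # frequency per year, or probability per demand
    ipl_pfds: List[float] = field(default_factory=list)
    demands_per_year: Optional[float] = None   # set only when `value` is a probability

    def frequency(self) -> float:
        """Initiating cause frequency per year (the Step 2 unit adjustment)."""
        if self.demands_per_year is None:
            return self.value
        if not 0.0 <= self.value <= 1.0:
            raise ValueError(f"{self.cause}: probability must be in [0, 1]")
        return self.value * self.demands_per_year

    def iel(self) -> float:
        """Intermediate event likelihood: frequency times every IPL PFD."""
        for pfd in self.ipl_pfds:
            if not 0.0 < pfd <= 1.0:
                raise ValueError(f"{self.cause}: PFD {pfd} is outside (0, 1]")
        return self.frequency() * prod(self.ipl_pfds)


def classify(rrf: float) -> str:
    """Map a required risk reduction factor to the message shown to the user."""
    if rrf <= 1:
        return "No SIS necessary"
    for upper, label in SIL_BANDS:
        if rrf <= upper:
            return label
    return "Beyond SIL 4: redesign"


def required_sil(rows: List[LopaRow],
                 tmel_by_event: Dict[str, float]) -> Dict[str, Tuple[float, float, str]]:
    """Return {impact event: (total IEL, required RRF, message)}."""
    totals: Dict[str, float] = defaultdict(float)
    for row in rows:                           # add the IELs of every cause per impact event
        totals[row.impact_event] += row.iel()
    results = {}
    for event, total in totals.items():
        tmel = tmel_by_event[event]
        if tmel <= 0:
            raise ValueError(f"{event}: TMEL must be positive")
        rrf = total / tmel
        results[event] = (total, rrf, classify(rrf))
    return results


# Constructed sample data. The first event has two causes with different IPL
# sets; their IELs add up to 0.00154 against a TMEL of 0.0001, the two figures
# in the report's TF/MF line (reading TF/MF as tolerable over mitigated
# frequency is an assumption).
SAMPLE_ROWS = [
    LopaRow("Loss of supply to district", "Valve closed", 0.1, [0.1, 0.1]),
    LopaRow("Loss of supply to district", "Control valve fails", 0.054, [0.01]),
    LopaRow("Effluent over temperature", "Operator error", 0.01, [0.01, 0.1],
            demands_per_year=12),
]
SAMPLE_TMEL = {"Loss of supply to district": 1e-4, "Effluent over temperature": 1e-3}

if __name__ == "__main__":
    for event, (total, rrf, message) in required_sil(SAMPLE_ROWS, SAMPLE_TMEL).items():
        print(f"{event}: total IEL {total:.3g}/yr, RRF {rrf:.3g} -> {message}")
```
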
PHA-Pro EHS & Sustainability Paul Wentzel
www.ihs.com paul.wentzel@ihs.com
Phone: +44(0)1344 328 258
Mob: +44(0)7545 550 780
7. Conclusion
Various methods to calculate SIL, including LOPA, were discussed briefly. The best LOPA approach was
defined step by step with the help of a flow chart. General methods were explained to transfer data
from HAZOP to LOPA, following IEC 61511 guidelines. Different issues were identified within
the JACOBS HAZOP sheet (e.g. how to group the same scenarios during a HAZOP review), with some
recommendations for this. Comparisons between the consultancy spread sheet, the Manchester spread sheet
and the Aker Solution spread sheet were made to find which areas of the software could be improved in
the consultancy spread sheet. Software specifications were discussed for HAZOP and LOPA, and it was found
that PHA-Pro is the best software for SIL calculation by using a decision analysis table.
References
CCPS. (2001). Centre for Chemical Process Safety (CCPS).
Dowell and William. (2005). Layer of Protection analysis for determining safety integrity level.
Ellis, G., & Wharton, M. (2006). Practical experience in determining safety integrity level for safety instrumented systems. Symposium series 1. IChemE.
Hoyland, R. a. (2004). System Reliability Theory. System Reliability Theory, 2nd edition, John Wiley and Sons.
Lassen, A. C. (2008). Layer of Protection Analysis for determination of Safety Integrity Level. Layer of Protection Analysis for determination of Safety Integrity Level, 29-35.
M, A. (1997). Layer of Protection Analysis. Layer of Protection Analysis: A New PHA Tool After Hazop, 31.
Ellis, G. and Wharton, M. (2006). Symposium Series No. 151, IChemE. In Practical
Bingham, K. and Goteti, P. (2004). ISA (The Instrumentation, Systems, and Automation Society) 2004. In Integrating HAZOP and SIL / LOPA analysis: Best practice recommendations.
CCPS (2001). Layer of protection analysis - simplified process risk assessment. American Institute of Chemical Engineers (AIChE), Centre for Chemical Process Safety (CCPS). 3 Park Avenue, New York.
Rausand, M. and Hyland, A. (2004). System Reliability Theory. Models, Statistical Methods,
Abbreviations
Independent Protection Layer (IPL)
Probability of Failure on Demand (PFD)
Appendix
Mapping Data from HAZOP to LOPA
Appendix 1
HAZOP
Title: Markinch Biomass CHP
Doc Number: 61060082-600-000-111-H-0034
NODE: 1 Client Reference: NRL 0529
P&ID Drawing No 61060082-000-000-111-E-0028
Review No 1
PFD Drawing No
Design Intention
Ref No.
Deviation
Initiating Cause Scenario Development Hazardous Event Inherent Safety Features? Frequency Safety Environment Commercial Risk Safeguards
Parameter Guideword
FLOW No closed valve (inlet from tanker No Biofuel oil for Chip plant. High Temperature Water going to Unlikely 1 2 Serious 3 1. Multiple storage tanks. Expect 5 days worth of fuel at any
loading) Control valve does not work or Effluent system. time. 2. two service tanks (24 hrs buffer). 3. control system will
incorrect position. Potentially exceeding design alarm however this would only be logged locally and the site is
01 temperature of effluent drains. unmanned
LOPA
Prefix 2-Node 1 Scenario 1 Scenario origin HAZOP Node 1 Ref 1,3,4,12,22,29,42
Equipment item E192 HP Gas Pre heater Reference documentation ST000801-000-000-111-E-0031
Date of assessment Status awaiting further information serial number 2
Safety Environmental Asset/Commercial Spare1 Spare2 Spare3
Conseq. definition
Consequence level 4 0 1
Tolerable frequency 1.00E-06 1.00E-02 1.00E-03
no flow leads to loss of supply to district, major risk of injury and harm to people. Gas flow diverted to JT valve
Hazard/fault description and scenario Enabling event
Initiating event freq/prob
development value (prob/freq)
CM3: Other (specify) vent is blanked. Permit to work procedure for maintenance. Pipework design standards. 1
IPL1: Process plant design/integrity 0.001 for IE1. 0.1 for IE3. 1 for IE5
valve locked open with procedural control to remote lock (0.01) operator training and procedures (0.1). Unmanned NGG station.
IPL2: Basic process control system MOV 1710 or MOV 1746 reaching closed position when in operation result in bypass line and MOV 1723 opening to maintain supply to district 1 for IE1,IE2,IE3,IE5. 0.1 for IE4 and IE6
IPL3: Operator monitoring or response to DP indication and alarm across filter (0.1). Maintain procedures (0.1) 1 for IE1. 0.01 for IE2. 1 for IE5
process alarms
have
Cost 9 9 81 8 72 7 56 6 54 6 54
Quality 8 8 64 7 56 6 48 5 40 5 40
Time 9 8 64 7 63 6 54 5 45 6 54
Vendor Support 8 9 72 8 64 8 64 6 54 6 54
Sum 281 255 222 193 202
Ranking order 1 2 3 5 4
HAZOP Issue (Appendix 3)
Appendix 5: LOPA sheet provided by CCPS 2001
Appendix 6 :Aker Solution HAZOP/LOPA interface