
Safety instrumented system SIL calculation

Linking HAZOP and LOPA is easier than you think


By Peter Morgan

Although a hazard and operability (HAZOP) analysis identifies failure events or upsets and the severity of the outcomes by engaging knowledgeable plant
personnel, the process typically provides only qualitative information about event frequency and mitigated frequencies. This helps plants make decisions for safety
improvement, but does not provide the detailed information necessary for a safety integrity level (SIL) determination. The layer of protection analysis (LOPA), on
the other hand, is a means to analyze event frequencies and the mitigating effects of protection layers. It does not provide a process for identifying possible
failures in the plant and the severity of their consequences. This article shows how the two activities can be easily linked to provide the information required for a
safety integrity level determination for a safety instrumented system (SIS), according to the recommendations of ISA-84.00.01 (IEC 61511 Mod).

HAZOP severity levels

HAZOP identifies severity levels for event outcomes (typically four or five). In this article the most serious level is 4, and the target risk discussed later is set against it.

Severity of consequences    Description

4    Safety: three or more fatalities or permanent disabling injuries (PDIs)
     Environmental: major impact, making the national news
     Economic: losses greater than $10 million

3    Safety: one or two fatalities or PDIs, or serious injury to three or more people
     Environmental: large impact, making the local news
     Economic: losses between $1 million and $10 million

2    Safety: serious injury to one or two people, or minor injury to three or more
     Environmental: moderate impact, must be reported to environmental agency
     Economic: losses between $100,000 and $1 million

1    Safety: minor injury to no more than two people. First aid.
     Environmental: minor impact
     Economic: losses less than $100,000

0    Safety: no adverse health effects
     Environmental: no detectable impact
     Economic: negligible economic impact

Likelihood of occurrence

Likelihood of occurrence    Description

5    The event has happened several times at the plant. Likelihood is more than once in 100 years.

4    The event has occurred at the plant and frequently in industry. Likelihood is between once in 100 years and once in 1,000 years.

3    Incident has occurred at the plant, but is not common in industry. Likelihood is between once in 1,000 years and once in 10,000 years.

2    Incident has occurred in industry. Likelihood is between once in 10,000 years and once in 100,000 years.

1    The event has a remote chance of happening and is unheard of in industry. Likelihood is less than once in 100,000 years.

The HAZOP also categorizes the frequency or likelihood of events, ranging from more than once in 100 years to less than once in 100,000 years (i.e., not likely ever to occur). It is immediately obvious that this broad categorization of initiating event frequency does not provide the precision needed to evaluate the demand on a safety system. This need not detract from the usefulness of the HAZOP, as long as actual event frequencies (where they are known at the time of the HAZOP) are recorded in the LOPA.

The HAZOP process assesses the effect of individual events and their mitigation by existing safeguards, to determine whether a design change or additional layers of protection are required. When the plant owner establishes a target risk of, for example, 1E-4 per year for events of severity 4, that target applies to all such events combined, not to each event separately. For example, for a burner management system (BMS) on a boiler, both failure of a feedwater valve and loss of combustion air require the BMS to shut off the fuel supply. In the first case, failure of the BMS to act on demand could cause boiler or turbine damage; in the second, a boiler explosion. The HAZOP treats these as quite separate events, but both place demands on the BMS. The SIL calculation therefore cannot be done until the HAZOP has been completed and all events in the severity category have been identified and assessed. Note also that even where events of a particular severity are mitigated by existing safeguards (including the operator) so that the residual risk appears acceptable without further mitigation, if those events place a demand on the SIS they must still be included in the LOPA and the subsequent SIL calculation, because they add to the demand rate on which the required PFD is based.
HAZOP worksheet

The example HAZOP worksheet shows just two events, to demonstrate the integration of the HAZOP process and the LOPA. Note that it is not uncommon to have to consider thirty or more events as demands on a particular SIS (e.g., in the case of a BMS).

The qualitative assessment of residual risk for these events indicates that additional protection is required in one case but not necessarily in the other. However, the assessment acknowledges that the risk of both events is further reduced by tripping the boiler on detection of high drum level, through the action of an additional layer of protection (the BMS in this case). Adding a column to the traditional HAZOP worksheet is a simple way to flag that an event can be further mitigated by a SIS and is therefore to be included in the SIL calculation.

Note that a HAZOP carried out to establish the safety requirements for a replacement safety system must not credit the existing system when assessing the demands placed on the replacement. This may seem obvious, but it is a trap easily fallen into by those immersed in the normal operation of the plant with all installed systems available: crediting the old system would understate the demand rate and therefore the SIL required of the new one.

LOPA worksheet

The LOPA worksheet uses an item reference (#) that allows each event to be readily located in the HAZOP by node, deviation, item, and consequence.

The initiating frequency is obtained either directly from the HAZOP or from published device failure statistics from industry or from equipment manufacturers.

The identified protection layers mitigate the event by reducing the likelihood that the consequence will occur. Note that this mitigation cannot depend on the correct operation of the SIS (the BMS in this case), since the SIS is the layer whose performance is being determined. ISA-84.00.01 allows operator action (e.g., responding to alarms) to be credited in mitigating events, but limits the credit to a frequency reduction factor of 0.1, that is, a risk reduction of no more than ten.

The intermediate event frequency is the product of the initiating frequency and the identified mitigation factors; it represents the likelihood of the individual event after mitigation but without the protection offered by the SIS. These values are not required to be determined during the HAZOP, but assessments offered by HAZOP participants can be useful and should be recorded.

This worksheet adds, beyond what ISA-84.00.01 calls for, an entry identifying the SIS inputs (process measurements) required for mitigation of each event. This helps calculate the required availability of each SIS input to achieve the target probability of failure on demand (PFD) for the system as a whole.

The mitigated event frequency is the event likelihood with the SIS protection in place: the product of the intermediate event frequency and the SIS PFD.

SIL calculation
The plant owner establishes a target risk for event impacts in each severity level. Published fatality statistics for various industries are a basis for the target risk for the most serious events; in this case 1E-4 per year (once in 10,000 years) for severity level 4 events.

For events that can be mitigated by the SIS (the BMS in this case), every initiating cause that results in an outcome of severity level 4 must be counted as a demand on the SIS for the purpose of calculating the required SIL.

Events with an impact of severity level 3 may also place a demand on the SIS. Their target risk is one order of magnitude higher (1E-3 per year), so the calculation based on level 4 events governs as long as the combined intermediate frequency of the level 3 events is no more than ten times that of the level 4 events; in that case a SIL determination based on level 3 would yield a higher (less demanding) target PFD than the one based on level 4. If the level 3 frequency is larger than that, the calculation based on level 3 events determines the target PFD for the SIS. The safe practice is to compute the required PFD for each severity level and take the smallest.
Target risk = PFD_SIS x Intermediate event frequency

PFD_SIS = Target risk / Intermediate event frequency

where the intermediate event frequency is the sum of the intermediate frequencies of all events of that severity level that place a demand on the SIS.

The example LOPA worksheet shows only two severity level 4 events. When all severity level 4 events are included in the analysis, the sum of their intermediate event frequencies is 0.046 per year, so that

PFD_SIS = 1E-4 / 0.046 = 2.17E-3

This places the SIS in the SIL 2 category (PFD between 1E-3 and 1E-2), with a requirement that the overall system PFD be 2E-3 or better.
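The LOPA roll-up and the SIL determination described in the two sections above, as an added worked example that is not part of the original article. The event rows, tag names and the target risks for severity levels 3 and 2 are constructed for illustration; only the level 4 target (1E-4 per year), the 0.1 cap on operator credit and the 0.046 per year level 4 total come from the text, and the SIL bands are the IEC 61511 low-demand bands. The example also carries the operator-credit cap and the level 3 versus level 4 comparison through in code, which the text only states in words.

```python
"""Added example: LOPA roll-up and SIL determination for a SIS.

Not the article's worksheet. Rows, tags and the level 3/2 targets are
constructed; the level 4 target (1E-4/yr) and 0.1 operator cap are from the text.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from math import prod, floor, log10

# ISA-84.00.01 caps operator response to an alarm at a frequency reduction
# factor of 0.1 (no more than 10x risk reduction).
OPERATOR_IPL_MAX_CREDIT = 0.1

# Target risk (events/yr) per severity level. Level 4 is from the article;
# levels 3 and 2 are ASSUMED to step up one order of magnitude each.
TARGET_RISK = {4: 1e-4, 3: 1e-3, 2: 1e-2}

# IEC 61511 low-demand SIL bands: (SIL, PFD lower bound incl., upper bound excl.)
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


@dataclass
class IPL:
    """An independent protection layer credited in the LOPA (never the SIS itself)."""
    name: str
    pfd: float                # PFD claimed for this layer
    operator: bool = False    # operator response to an alarm: credit is capped

    def credited_pfd(self) -> float:
        # A claimed 0.01 for an operator response is pulled back to the 0.1 cap.
        return max(self.pfd, OPERATOR_IPL_MAX_CREDIT) if self.operator else self.pfd


@dataclass
class LopaRow:
    ref: str                  # HAZOP reference: node / deviation / item / consequence
    severity: int
    initiating_freq: float    # events/yr, from the HAZOP or failure statistics
    ipls: list[IPL] = field(default_factory=list)
    sis_inputs: tuple[str, ...] = ()   # process measurements the SIS needs for this event
    demands_sis: bool = True  # the added HAZOP column: does this event demand the SIS?

    def intermediate_freq(self) -> float:
        """Event frequency after the non-SIS layers, before SIS protection."""
        return self.initiating_freq * prod(ipl.credited_pfd() for ipl in self.ipls)

    def mitigated_freq(self, pfd_sis: float) -> float:
        """Event frequency with the SIS in place."""
        return self.intermediate_freq() * pfd_sis


def sil_for_pfd(pfd: float) -> int:
    """Map a required PFD to its SIL band (0 = no SIL required)."""
    if pfd < 1e-5:
        raise ValueError("required PFD below the SIL 4 range; a single SIS cannot meet it")
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def required_pfd(rows: list[LopaRow], severity: int) -> float | None:
    """Target risk / summed intermediate frequency of all events of this severity
    that demand the SIS. None if no such event exists."""
    demand = sum(r.intermediate_freq() for r in rows if r.demands_sis and r.severity == severity)
    return TARGET_RISK[severity] / demand if demand > 0 else None


def round_down_1sf(x: float) -> float:
    """2.17E-3 -> 2E-3: the conservatively rounded figure written into the requirement."""
    exp = floor(log10(x))
    return floor(x / 10 ** exp) * 10 ** exp


def sil_determination(rows: list[LopaRow]) -> tuple[int, float, int]:
    """Return (governing severity, required PFD, SIL). The governing level is the
    one with the smallest required PFD, which is the level 3 vs level 4 check."""
    candidates = {}
    for sev in TARGET_RISK:
        pfd = required_pfd(rows, sev)
        if pfd is not None:
            candidates[sev] = pfd
    if not candidates:
        raise ValueError("no event places a demand on the SIS")
    sev = min(candidates, key=candidates.get)
    return sev, candidates[sev], sil_for_pfd(candidates[sev])


# Constructed LOPA rows for a boiler BMS (illustrative values, not plant data).
EXAMPLE_ROWS = [
    LopaRow("N1/High level/1/1", 4, 0.10,
            [IPL("High drum level alarm, operator response", 0.01, operator=True)],  # capped to 0.1
            ("LT-101 drum level",)),
    LopaRow("N2/Low flow/2/1", 4, 0.20,
            [IPL("Low combustion air alarm, operator response", 0.1, operator=True)],
            ("FT-201 combustion air flow",)),
    LopaRow("N3/Low pressure/3/1", 4, 0.016, [], ("PT-301 fuel gas pressure",)),
    LopaRow("N4/High pressure/4/1", 3, 0.30, [IPL("Relief valve", 0.01)], ("PT-401 steam pressure",)),
    LopaRow("N5/High level/5/2", 4, 0.50, [IPL("Relief valve", 0.01)], (), demands_sis=False),
]

if __name__ == "__main__":
    sev, pfd, sil = sil_determination(EXAMPLE_ROWS)
    print(f"governing severity {sev}: required PFD {pfd:.2E} -> SIL {sil}, specify {round_down_1sf(pfd):.0E}")
    for row in EXAMPLE_ROWS:
        if row.demands_sis:
            print(f"{row.ref}: intermediate {row.intermediate_freq():.2E}/yr, "
                  f"mitigated {row.mitigated_freq(pfd):.2E}/yr")
```

The three level 4 rows that demand the SIS sum to the article's 0.046 per year, giving a required PFD of 2.17E-3 and SIL 2; the level 3 row yields a far larger (less demanding) PFD, so level 4 governs, and the row flagged demands_sis=False is excluded from the demand rate as the text requires. The `ipls` list must never contain the SIS under study, which is why the BMS trip appears only through `mitigated_freq`.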
Minor changes to the familiar HAZOP process can increase the utility of the HAZOP in providing information for a layer of protection analysis. The calculation of
the required safety integrity level for a new or replacement safety system is simple. When based on a HAZOP and target risk agreed to by the plant owner and
operating staff, it provides a credible performance requirement that is both practical and compliant with ISA-84.00.01.
