HAZOP Induction

HAZOP & LOPA Induction
30th Jan 2019, Accra Ghana
Muhammad Saim
HAZOP Induction Muhammad.Saim@shepherdrisk.com
Introductions
Name
Current Role
HAZOP Experience
1
Course Objectives
At the end of this course, you should have a working

knowledge of the skills and techniques needed to:
• Apply the basic HAZOP methodology.
• Support, scribe and eventually lead HAZOP studies
effectively.
• Understand LOPA & SIL and linkage to HAZOP
“You can have a

very good accident
rate for ‘hard hat’
accidents but not for
Process ones.”
2
“The fact that
you’ve had 20 years
without a
catastrophic event
is no guarantee that
there won’t be one
tomorrow.”
Insight into Process Safety Incidents

Insights into process safety incidents from an analysis of CSB investigations ,Paul Baybutt, Journal of Loss Prevention
Engineering, June 2016
Failure in PHA – 100%
Failures in PHA are a common finding in CSB incident investigation reports.

Indeed, issues with PHA were present for all CSB incidents where a PHA study was
performed. Of particular note is that CSB found that incidents were not identified
by the PHA studies performed.
3
Process Design - 28 %
Hazards were not recognized, designs created hazards, safety systems were
inadequate, process instrumentation was insufficient, human factors issues were
not addressed, hazards of scale-up were not recognized, and throughput was
increased without review.
Inadequate Safeguards- 56 %
Needed safeguards were not present or those that were present were
insufficient, unreliable, disabled, or lacked independence.
Operations and Maintenance - 44%
Procedures had not been developed, were not followed, were incomplete, or
were otherwise deficient.
Abnormal and non routine operation - 62%
They were not recognized as non-routine operations and were not reviewed to
ensure that work could proceed safely. Flaws in hot work and other safe work
practices also contributed to incidents.
4
Human & Organizational Factors - 100%
Valve positions were not clear, valve operation was difficult, lighting was
insufficient, operators were distracted, operators were fatigued, operators had
insufficient information, procedures were complex and lengthy, communications
were problematic, layout was error prone, staffing was not sufficient, operators
became desensitized to an alarm due to its history of unreliability, the work
environment encouraged operations personnel to deviate from procedures, a
computerized control system was poorly designed, a new control system posed
challenges, and there were difficulties with organizational structure
Change Management - 39%
Involved changes that occurred but were not reviewed for their impact on process
safety or reviews were inadequate.
Learning from incidents - 32%
Previous incidents were not investigated properly, or at all, and near misses were
ignored. The issue of retaining information from previous incidents in the corporate
memory of companies is well known.
5
Facility Layout - 43%
Proximity of facilities to members of the public was an issue in multiple incidents,

proximity of facility personnel to hazards in plants also was an issue in numerous
incidents.
Emergency Preparedness and Response - 32%
Deficiencies occurred in hazard communication, evacuation procedures and

emergency egress, community notification, emergency preparedness, knowledge
of responders, and coordination between responders
Nodes
• Nodes divide the P&IDS into logical sub systems that can
be systematically reviewed by the HAZOP team.
‒ Nodes help keep the HAZOP focused and organized
• Nodes are selected by HAZOP leader but team can have
input.
• Best selected prior to study but can be adjusted
6
Transition to next node
• Consider the following criteria in selecting
appropriate transition to next node:
• Change in design intent
• Change in state
• Change in process chemicals
• Major pieces of equipment
• Potential confusion over equipment in the node
• Consider multiple operating modes
• Generally, a node for each operating mode is easiest for
the team to follow.
HAZOP Sequence
Select node and identify on master drawing
Describe and discuss the design envelope Develop and record the design
intention
Select a Parameter and combine with a guideword and develop

deviation
Identify possible causes

Identify all consequences and rank severity
Identify safeguards and rank likelihood
Make recommendation if needed
Repeat for the next guideword
Repeat for next parameter
Repeat for the next node

7
Guide Words
Source: iCheme HAZOP Guide
Parameters
8
Deviations
Deviations
9
What is Cause
• A Cause is an event, situation, or condition that

results or, could result, directly or indirectly in an
accident or incident
• The HAZOP team systematically identifies causes
through brainstorming:
• Focus on one deviation at a time
• Apply relevant descriptors to help identify causes
Cause - Example
Cause can be due to a range of events including human error,

equipment failure, process upset
10
Causes – “No stone unturned”
• All potential causes should be established for each
deviation considered.
• There are usually multiple causes for each deviation.
• Each cause should be listed

separately
• Ensure considerations of repeat
items
• Causes to be specifically defined
by appropriate equipment,
instrumentation and piping tags
Brainstorming and recording causes

• Follow P&ID flow during brainstorming
• example: if you are looking for causes of no/low flow, work in one direction on the
P&ID and go in a logical order
• Typically take causes to the P&ID level, but be on the lookout for failure
modes that result in different consequences or have different
safeguards.
• Example : pump mechanical failure versus trip due to local power loss – run
indicator may not detect worn impeller
• Recommended sequences: brainstorm causes and list

• Return to develop consequences once all causes captured
11
Causes - Example
GW DEVIATION CAUSES CONSEQUENCE SAFEGRARDS
No No Flow Stabilizer reboiler circulating pumps (P-102A/B) trip. 1) Loss of reboil heat duty. TI-2260 (top temperature).
Increased light ends (C3+) in Stabiliser column temperature
stabilizer bottoms leading to high profile.
RVP in in condensate-floating Operating procedure-restart
roof/fixed roof tank damage. heater/ circulation pump.
2) No condensate flow though FSL-2503 (H-102 low flow trip).
condensate stabilizer reboiler (H-
102) leading to high tube
temperature due to coking and
tube leak rupture.
Condensate stabiliser reboiler flow control valve (FCV- as above as above
2253) fails FAL-2253
Condensate stabiliser reboiler shutdown valve (XV- as above
2262) fails closed.
Stabiliser spectacle blind closed post maintenance No reboiler duty provided -

inability to start up column
10" manual valve (LB-2037) closed in error As 1 and 2) above
Incorrect alignment of pump inlet/outlet isolation As 1 and 2) above

valves P-102A/B deadhead - no minimum
flow results in pump damage
Manual valve upstream or downstream of FCV2253
closed
Reboiler remote manual valves (2 off) (50ft from
reboiler closed in error)
Team Missed Causes in
Stabiliser inlet spectacle blind inadvertantly closed RED
post maintenance
Cause – Check valves
• Failure and leakage of check valves

shall be considered a credible
scenario unless specific design
measures are taken , as check
valves are not usually bubble tight
or positive shutoff devices
• Also incorrectly installed check
valves should be considered on
lines that are used infrequently
12
Common human error related causes
• Wrong lineup - valve open when it should be shut

• Skipping batches operations or doing it twice
• intentional shortcut that is unsafe
• Wrong set point (set point limits?)
• Choosing wrong material/part -additive, filter, gasket,
hose, etc.
• How many other choices are readily available ?
• Safeguards: What are the clues between choices? Color,
container, markings
• Choosing wrong spot for unloading
• Are fittings the same? Material compatible?
Common human error related causes
• Right action wrong place

• Wrong valve shut
• Wrong pump stopped
• Wrong train
• Poor communication between:
• Inside and outside operators
• Mechanics' and operations
• Drivers and dispatchers
• Good communication techniques
• Is plant practice to repeat the
desired action over radio? “Copy,
starts injection pump 361”
13
Alternative Recording Method -
Consequence within the node
• An alternative method to evaluate

consequences within the node and causes both
inside / outside the node.
• Can be a better organization if integrated LOPA
is planned
Piping failure in one location resulted in consequences to pipe rack
Multiple Cause Event – “Double Jeopardy”
“ Double jeopardy” events are multiple

independent causes events occurring at the
same time which result in a hazardous situation.
‒A X
‒C Y where X + Y
14
Examples of double jeopardy
Cooling Return
At the same time cooling to condenser
is lost, causing the pressure to further
Cooling Supply rise
Overhead Product
TIC
FIC
If the causes do not have

common mode (e.g.
Flow Control valve on instrument air / DCS) then
feed to column fails TIC
this is a double jeopardy
open. This is a cause of scenario
higher pressure
LIC
bottom Product
“Double Jeopardy”: Further considerations
• When encountering potential causes of Double jeopardy,

the team shall consider the severity of the consequences
• There may be causes in which the consequences are so
severe and unacceptable that action is needed, even if the
likelihood of the event is very low.
• e.g. the consequences include the loss of asset without time to evacuate
• e. g. severe environmental consequences
15
Common Cause Failures
• Common cause failures are often mistakenly

labeled as “Double jeopardy”
• Special consideration should be given to common
mode failure D X &D Y
• and X + Y
• Examples: DCS software failure , incorrect metallurgy, utility

failure, common instrumentation failure etc. …
• Process dependencies A B C
Common mode failure
• Flare sized for full flow relief from single train. In theory
simultaneous blocked outlet of both trains discounted
because:
• segregated air supplies to SDV-001 and SDV-002 &
• air accumulators on each valve with single check
valve in the supply line
• In practice ……
• Process Safety Information is Critical
16
Example of process dependency
Expansion tank is
adequately protected by
relief valve
Expansion tank NOT adequately

protected from burst tube and Heating Any loss of
heat gain Medium Pump trip causes circulation causes
Expansion additional pressure surge due
Tank pressure increase to heat gain from
due to heat input WHRU – ‘normal
from WHRU operation’
Heating medium
circulation pump
WHRU
Crude Oil heater PSH
OIL out OIL in

PSH trips circulation
pumps GT
Tube rupture from process side causes Exhaust
high pressure in heating medium
system
Consequences
• The team should identify all ‘potential practical’

consequences, especially the potential for harm to people
and the environment.
• The discussion should consider unmitigated consequences
i.e. those consequences without giving any credit to
safeguards i.e. assuming all safeguards fail.
• You may have consequences of concern you need to record
on the way to the unmitigated consequence. Some of the
more consequences may be the result of safety devices
working. Example:
• Relief valve lifting may cause environmental damage or potential for jet
fire
17
Consequences
• Consequences shall be taken

to be anything that affects
• Health and safety of workers,
contractors or offsite
populations
• The environment
• Business impact
• Financial impact
• Non financial (reputation)
Consequence development
C Consequence
A e.g. Business $$$
U
S
E
EVENT
Consequence Consequence
e.g. Environment / Oil spill e.g. Injury / Fatality
18
Tank overpressure example
Relief Pressure 50 Psi to Atmosphere
Maximum Pressure
= 125 Psi
MAWP = 50PSi
Cause: blocked outlet
• Event: potential vessel overpressure and release of

flammable, toxic material
Consequence development examples
• Vessel overpressure at potentially 2-3 times MAWP. Release of

flammable material in vessel plus incoming feed at 90 psi through 3”
pipe. Potential release > 10000 lbs(4500 kg) in somewhat congested
area potential vapor cloud explosion and continuing fire until release
shut off. Potential is to effect 2500 ft (760m) radius and potential result
in 3 fatalities.
• Pressure relief valve releases flammable material to atmosphere
vertically at 10 ft elevation in southwest area of rack(plot plane AE).
Potential jet fire with impact on overhead piping. Potential radiation
exposure in could extended 100 ft (30m) which reaches frequently
used walkway on upper level. Could result in injury to someone on
walkway.
19
Consequences – Consider line of fire
• Think about what the operator sees and hears

• Alarms
• Noise
• Other clues
• Will the operator respond by going to the location of
problem?
• Where are other people?
Consequences – Truck caused ignition
20
Consequences of release
• Consider the hazards of the material released

• Understand the process conditions versus
equipment limits. Is loss of primary containment
possible?
• Determine the potential range of release
quantities
• Understand how bad it could get. Not all result in
catastrophic explosion!
Consequences of release
• Depends on release conditions and types of

hazards
• Flammable hazards
• Pool fire
• Explosions
• Acute/chronic toxicity
• Environmental hazards
• Consider performing rough consequences
modeling to get an understanding of the hazards
before the HAZOP.
21
Consequences – Event Tree
Risk Rank - Consequences
22
Safeguards – Protection layers
Community emergency response
• Centre layers can Plant emergency response
prevent an Deluge systems, Fire sprinklers,

Toxic gas detection, and Alarms
incident. Barricades, Dikes
• Outer layers are Pressure relief valves

Rupture disks
mitigation. Critical alarms

Safety instrumental systems
Basic process control systems
Process design
Safeguards – Relief valves
• Relief valves should only be

listed as safeguards once it has
been confirmed that the relief
valve size and set pressure are
stuffiest for the consequences
being considered
• Relief impairment is considered
under the Relief Guideword
23
Effective Safeguard – Operator Response
Source: DNV QRA

Guidelines
24
• Procedure shall be well defined

• Operator performing safeguarding tasks shall be
designated as a Safety Critical Position, likewise
procedure shall be a Safety Critical Procedure
Safeguards - Procedures
• If operating procedures are the primary safeguards

preventing / mitigating a safety consequence, the
HAZOP team shall:
• Ensure written procedures address the
cause/consequence identified and the appropriate
action described in the safeguard.
• Consider whether operator have time and capability to
carry out the procedure.
• Make a recommendation in the HAZOP log sheet to
conduct a review of the procedures prior to start-up
25
When to provide a recommendation
• The engineered
systems and
administrative controls
are unlikely to prevent
or mitigate a
consequence.
• An operability concern
is severe
• Shortfall in compliance
with regulations or
company standards.
Risk Matrix - likelihood
26
Good Recommendations
• Course of action, not detailed solution

• Identify the reason for the recommendation
• Address the root cause of a problem
• Able to be accomplished, effectively completed,
clear point of closure
• Clearly worded and thorough
Safety Moment
27
HAZOP – LOPA Interface
Layers Of Protection Analysis
Community emergency response
Plant emergency response
Deluge systems, Fire sprinklers,

Toxic gas detection, and Alarms
Barricades, Dikes
Pressure relief valves

Rupture disks
Critical alarms
Safety instrumental systems
Basic process control systems
Process design
28
Which Standard
Device Manufacturers - Sector Specific Not Available
IEC 61508
Functional Safety for E/E/PES Safety Related Systems
IEC 61513 IEC 62061 IEC 61511 ISO 26262

Nuclear Machinery Process Industry Road Vehicles
End Users - Systems Integrators
Relationship between IEC-61508 & 61511
Process Sector Safety Instrumented System Standards
Manufacturers and Suppliers of Safety Instrumented System

Devices designers, Integrators and users
IEC 61508 IEC 61511
29
IEC-61511 – Protection Against:
RANDOM SYSTEMATIC
Failures Failures
Random Failures? Systematic Failures?
30
Random Failures
“Usually a permanent failure due to a system component

loss of functionality – hardware related „
Systematic failure
“Usually due to a design fault, wrong specification,not

fit for purpose , error in software program, ...
31
IEC-61511 Part Structure
IEC-61511
Part 1 Part 2 Part 3

Framework, Guidance for
definitions, system, Guidelines for the determination of the
hardware and software application of IEC required safety
requirements 61511-1 (informative) integrity levels
(normative) (informative)
32
Analysis Phase
Verification
Management and
Planning
Realization Phase
Operate and Maintain
Requirements common to all lifecycle phases
• Management of functional Safety

• Safety lifecycle structure and planning
• Competency
• Verification
• Independent functional Safety assessment
• Documentation
33
IEC-61511 Safety Lifecycle
Risk Analysis
Analyze Process Risk
High
(Inherent Risk)
Risk
Tolerable Level of Risk

(defined by Customer per application)
Low
34
Risk Analysis
High
(Inherent Risk)
Define Tolerable
Risk
Risk

Low
Risk Analysis
High
(Inherent Risk)
Analyze Actual
RISK
Risk

Low
35
Risk Analysis
Calculated Process Risk
High
(Inherent Risk)
Design Changes
Risk

Low
Risk Analysis
High
(Inherent Risk)
Design Changes
Other Risk Reduction
Risk
Analyze other Layers of

Protection

Low
36
Risk Analysis
High
(Inherent Risk)
Design Changes
Risk
Bring Risk below

Tolerable
Low
Risk Analysis
High
(Inherent Risk)
Design Changes
Risk
SIL is measure for

Risk Reduction
Low
37
Risk Analysis
Initiating Cause Likelihood (ICL)
High
Protection layers
Risk
Intermediate Event Likelihood (IEL)
SIL is measure for

Risk Reduction
Target Mitigate Event Likelihood(TMEL)
Low
IEC SIL Levels
SIL PFDavg, Average RRF, Risk reduction PFDavg, Average

Safety probability of failure Factor probability of failure
integrity on demand per year on demand per hour
level (SIL) (low demand mode) (high demand or
continuous mode)
4 ≥ 10-5 to < 10-4 >10,000 - ≤100,000 ≥ 10-9 to < 10-8
3 ≥ 10-4 to < 10-3 >1000 - ≤10,000 ≥ 10-8 to < 10-7
2 ≥ 10-3 to < 10-2 >100- ≤1000 ≥ 10-7 to < 10-6
1 ≥ 10-2 to < 10-1 >10- ≤100 ≥ 10-6 to < 10-5
38
Risk Matrix
77
Risk Matrix
78
39
LOPA Basis
IEL = ∑ICF x FM x IPL
Where IEL = Intermediate Event Likelihood

ICF = Initiating Cause Frequency
FM = Frequency Modifier
IPL = PFD of Independent Protection Layers
Risk Reduction Requirement
Cause 1 FM for IPLs for C1 Intermediate event

Frequency Cause 1 Cause 1 frequency
Total intermediate
Hazard frequency without SIS event frequency
SIS risk reduction
Total Mitigated Event

Likelihood
40
Independent Protection Layers
IPLs need to meet the following criteria

• Specificity – designed solely to prevent or mitigate
consequences
• Independence – independent of other IPLs and cause of
demand
• Dependability – reduce identified risk by known and
specified amount
• Auditability – enable periodic validation
LOPA Process
• Event description
• Severity level ( taking account of vulnerability)
• Initiating likelihood
• Protection layers (IPLs)
• Frequency Modifiers (FMs)
• Intermediate event likelihood
• SIF IL (safety instrument function integrity level)
• Target mitigated event likelihood
41
LOPA Worksheet - Example
SIL/CIL/EIL Assessment sheet
Client Item no.

Project Tag No.
Area P & ID no.
Risk
Initiating event considered
Parameter
Associated Instrument
tags
Worst consequence
Consequenting rating
Safety Environmental Business
TMEL (Category)
TMEL (Value)
Intermediate Event Intermediate Event Intermediate Event

Independent Layers of Protections (IPL) Frequency Modifier (fr)
Likelihood per year Likelihood per year Likelihood per year
Initiating Cause Restricted

Causes of initating General Process BPCS Alarm etc. Probabiity of Ignition
Likelihood (ICL) per Access / time IEL Safety: ICL x IPL x fr IEL Env.: ICL x IPL IEL Business: ICL x IPL
events Design (PFD1) (PFD2) (PFD3) LoC (PFD 4) Probability (Pi)
year (Ptr)
IEL 0.00E+00 0.00E+00 0.00E+00

SIL Calculations
Probability on demand (Fgoal or TMEL/Total mitigated frequency) = PFD (SIL)
Risk reduction factor= RRF
Safety integrity level= SIL level
Probability on demand (Fgoal or TMEL/Total mitigated frequency) = PFD (EIL)

Safety integrity level= EIL level
Probability on demand (Fgoal or TMEL/Total mitigated frequency) = PFD (CIL)
0
CIL level

Client E FERT Item no. 1
Project Training Case Study 0 Tag No.
Area 1 P & ID no. Project Information
Risk
Initiating event considered 0
Parameter From HAZOP
Associated Instrument
tags
0
Worst consequence
Consequenting rating
Safety Environmental Business

From Risk Matrix
Risk Ranking
TMEL (Value)
Company risk
acceptance criteria
42
Layers Of Protection Analysis - LOPA
• Define event e.g. High Pressure, Run away reaction

etc. and consequence and severity of consequence:
• Fatality
• Environmental consequences
• Commercial consequences
• Assign TMEL from company criterion
Independent Layers of Protections (IPL) Frequency Modifier (fr)
Initiating Cause General Probability Restricted

Causes of initating BPCS Alarm etc. Ignition
Likelihood (ICL) Process of LoC Access/time
events (PFD2) (PFD3) Probability (Pi)
per year Design (PFD1) (PFD4) (Ptr)
Based
Company on
Industry avg. PFD
data or design Industry Exposure
From HAZOP (Probability of Failure on
industry vs. worst data duration
Demand) consequ
avg. ence
IEL
43
Initiating Cause
• List all initiating causes i.e. events that would lead to

hazardous event if no protection layers were present
e.g.
• loss of cooling water
• Loss of control function
• Assign likelihood of initiating causes – using company
data or industry average.
Independent Layers
There are two types of IPLs:

• Passive IPL
• Dike/bund.
• Open vent.
• Blast wall/bunker.
• Flame/detonation arrestors.
• Restriction orifice.
• Active IPL
• BPCS.
• Human response to alarm.
• Pressure relief device.
• SIS.
• Other design specific IPLs (e.g., mechanical stop for a valve).
44
IPL – Operator Response to Alarms
• Alarm is independent of cause and independent of

BPCS Used as IPL
• High priority alarm displayed in fully manned
location and operator is training
• Simple well documented action with clear and
reliable indications that action is required
• Use 0.1 to 0.5 if 10 minutes response is needed
• Use 0.1 if 20 minutes response us needed
• If several independent errors are required then
PFD can be reduced by one order of magnitude
45
IPL - SIS
• An SIS may be used to reduce the likelihood of a

hazardous event.
• Safety instrumented systems should be considered after more
inherently safer approaches have been identified and
considered.
• SISs should be allocated a SIL in relation to the credit
given for risk reduction. The following conditions shall
be met:
• SIS is separate and independent from the cause of demand.
• SIS is separate and independent from any other SIS that is
used to reduce the intermediate event likelihood to the
TMEL.
46
Frequency Modifiers
• Time at risk factor applied when systems are
not continuously operated – only applied if a
failure that cause a demand is detected and
repaired if the hazardous operation is started
• Occupancy factor applies if person is not
always present in the hazard zone - only
applies if person’s presence is random with
respect to demand
• Ignition probability – depends on numerous
factors
Additional Mitigation - Occupancy
• Occupancy in hazard zone

• Probability = hours persons present in hazard zone /
8760
• Only valid if person presence is random with respect to
hazard cause. If hazard only occurs at startup and
persons are always present then occupancy factor will
be 1
47
Additional Mitigation – Ignition Probability
Release rate Total Immediate Delayed

kg/s
Small Release <1 0.01 0.0025 0.0075
Medium Release < 50 0.07 0.0175 0.0525
Large Release >50 0.3 0.075 0.225
• Where the temperature of a released material is above its

autoignition temperature , then the ignition probability
shall be 1.0
SIL Determination
Compliance
System
Capability
Architectural Probability of
Constraints Failure
48
Systematic Capability
Systematic Capability is established by

having your quality management system
audited per IEC 61508. If the QMS meets
the requirements of 61508 a SIL Capability
rating is issued. The rating achieved
depends on the effectiveness of your
QMS. The certificate is for the systematic
capability of a product.
Architectural Constraints
Architectural constraints are established by

following Route 1H or Route 2H.
• Route 1H based on hardware fault tolerance
and safe failure fraction concepts; or,
• 2H based on component reliability data from
feedback from end users, increased
confidence levels and hardware fault
tolerance for specified safety integrity levels.
49
Important Parameters
There are three important parameters

to consider:
• Minimum hardware fault tolerance (minimum
HFT)
• Category A and B
• Safe failure fraction (SFF)
Fault Tolerance
Fault tolerance is the number of dangerous fault that a
sub-system can tolerance and retain the capability to
respond to a demand.
Hardware
Architecture Fault
Tolerance
1oo1 0
1oo1D 0
1oo2 1
2oo2 0
2oo3 1
2oo2D 0
1oo2D 1
1oo3 2
50
Fault Tolerance
Fault tolerance 1 Fault tolerance 1 Fault tolerance 2
Architecture Architecture Architecture

2 out of 3 1 out of 2 1 out of 3
Safe Failure Fraction

Determined by failure mode and effect analysis
lSD + lSU + lDD

SFF =
lSD + lSU + lDD + lDU
=1- lDU
lTotal
diagnosed undiagnosed
ʎDD ʎDU
dangerous
Safe
ʎs
51
Type A & Type B
Type A or type B are two categories used to distinguish
proven/low-complexity components from unproven/more
complex components
• A component is classified as type A if ALL the following
criteria are fulfilled:
– Failure modes of the element (and all its constituent
components) are well defined
– The behavior of the element under fault conditions can be
completely determined
– There is sufficient dependable failure data to show that the
claimed rates of failure for DD and DU failures are met
• An element is type B if one or more of the above criteria
are not met.
Route 1H
52
Route 2H
SIL Minimum hardware fault tolerance

1 0
2 1
3 2
4 Special Requirements Apply ( see IEC 61508)
SIL Determination
SIL Level is determined by three (03) things

• The Systematic Capability Rating
• The Architectural Constraints for the
element
• The PFDavg calculation for the product.
53
PFD Calculations
Select
Technology
Select
architecture Iterate if
requirements are
not met.
Reliability
evaluation
Determine test
interval
Detailed Design
Failure Rates
• Divide each failure rate into specific failure modes
SAFE DETECTED
SAFE UNDETECTED
60%
DANGEROUS
UNDETECTED
lSlSDlSU
lDlDDlDU 40%
DANGEROUS
DETECTED
54
Probability of Failure – 1oo1 Architecture
Failure probability = 1- e- ʎT
Failure probability = ʎ x T ( if ʎt << 1)
Failure
Probability
Time
Proof Test
Failure Probability = ʎd x Time ( since proof test)
Probability of Failure on
demand (average)
= 0.5 x ʎd x Testing interval
Proof Proof
Failure test test
Probability
Time
55
Proof Test
SIL 2
PFD
Proof Test Interval (years)
Channel 1
Common cause
Channel 2
Failure of Failure of
Channel 1 Channel 1
Common
causes effecting
both
56
PFDave = PFD non common cause + PFD common cause

≈ (ʎd² x T²/ 3 ) + ( 0.5 x T x Beta)
Typical Beta factors

Identical channels – range 10 – 20%
Partial diversity – range 5 – 10%
Full diversity – range 1 – 5%
Typical causes:
• design or specification error
• external stress e.g. EMC or temp
Demand Modes
• Low demand mode

• Process control protection systems
• Fire and gas systems
• Continuous /High demand mode
• Burner management( with no protection )
• Steer by wire
• Electronic speed control
57
Low Demand Mode
Sensor Sub Logic Sub System LSS Vent Valve Sub System
System SSS VV SS
Shut Down Valve Sub

System SDV SS
PFD function ≈ PFDSSS + PFDLSS + PFDVVSS + PFDSDVSS

PFD function must be less than target for SIL or specified value
Continuous Mode
Sensor Sub Logic Sub System LSS Vent Valve Sub System
System SSS VV SS
Shut Down Valve Sub

System SDV SS
ʎd function = ʎd SSS + ʎd LSS + ʎd VVSS + ʎd SDVSS

ʎd function must be less than target for SIL or specified value
58
IEC-61508 PFD Tables – Continuous Mode
IEC-61508 PFD Tables – Low Demand Mode
59
Spurious Trips
Cost of robustness shall be less than cost of spurious trip
Example:
• non-redundant SIL 1 system
• Consequence of spurious trip is production loss of 8 hr.
• Marginal loss of profit for process is $10 000 per hr.
• Transmitter safe failure rate is 5E-6 per hr.
• Logic input, processing, and output safe failure rate is 2E-6 per hr.
• Additional cost of equipment for failure robustness is $2 000 per yr.
• CST = $10 000 per hr x 8 hr x (5E-6 + 2E-6) per hr.
= $5,6E-1 per hr.
= $4 900 per yr.
• CAE = $2 000 per yr.
60

HAZOP Induction

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HAZOP Induction

Uploaded by

Copyright:

Available Formats

HAZOP & LOPA Induction

30th Jan 2019, Accra Ghana

HAZOP Induction Muhammad.Saim@shepherdrisk.com

HAZOP Induction Muhammad.Saim@shepherdrisk.com

At the end of this course, you should have a working

HAZOP Induction Muhammad.Saim@shepherdrisk.com

“You can have a

HAZOP Induction Muhammad.Saim@shepherdrisk.com

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Insight into Process Safety Incidents

Failure in PHA – 100%

Failures in PHA are a common finding in CSB incident investigation reports.

HAZOP Induction Muhammad.Saim@shepherdrisk.com

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Operations and Maintenance - 44%

Abnormal and non routine operation - 62%

HAZOP Induction Muhammad.Saim@shepherdrisk.com

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Change Management - 39%

Learning from incidents - 32%

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Proximity of facilities to members of the public was an issue in multiple incidents,

Deficiencies occurred in hazard communication, evacuation procedures and

HAZOP Induction Muhammad.Saim@shepherdrisk.com

HAZOP Induction Muhammad.Saim@shepherdrisk.com

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Select a Parameter and combine with a guideword and develop

Identify possible causes

Identify safeguards and rank likelihood

Make recommendation if needed

Repeat for the next guideword

Repeat for next parameter

Repeat for the next node

Source: iCheme HAZOP Guide

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Source: iCheme HAZOP Guide

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Source: iCheme HAZOP Guide

HAZOP Induction Muhammad.Saim@shepherdrisk.com

HAZOP Induction Muhammad.Saim@shepherdrisk.com

• A Cause is an event, situation, or condition that

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Cause can be due to a range of events including human error,

HAZOP Induction Muhammad.Saim@shepherdrisk.com

• Each cause should be listed

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Brainstorming and recording causes

• Recommended sequences: brainstorm causes and list

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Stabiliser spectacle blind closed post maintenance No reboiler duty provided -

Incorrect alignment of pump inlet/outlet isolation As 1 and 2) above

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Cause – Check valves

• Failure and leakage of check valves

HAZOP Induction Muhammad.Saim@shepherdrisk.com

• Wrong lineup - valve open when it should be shut

HAZOP Induction Muhammad.Saim@shepherdrisk.com

Common human error related causes

• Right action wrong place

HAZOP Induction Muhammad.Saim@shepherdrisk.com

• An alternative method to evaluate

Piping failure in one location resulted in consequences to pipe rack