Generating Scenarios
Automatically from HAZOP Data
Arthur M. (Art) Dowell III,(a) P.E., and Tom R. Williams(b)
(a) Rohm and Haas Company, Deer Park, TX 77536; adowell@rohmhaas.com (for correspondence)
(b) ABS Consulting, Risk Consulting Division, Knoxville, TN 37932
This paper details the concept of automatically generating layer of protection analysis (LOPA) scenarios from a process hazard analysis (PHA) conducted using the hazard and operability (HAZOP) methodology. Specialized software selects consequences that meet severity criteria or risk criteria. It then takes each end consequence, follows each link path to an initiating cause, and presents each rolled-up link path as a single LOPA scenario, complete with all the safeguards (that is, candidate protection layers) found along the link path. The scenarios can be presented in database or spreadsheet format. The rolled-up LOPA spreadsheet allows the analyst(s) to identify safeguards that are independent protection layers and assign appropriate values to each independent protection layer. The spreadsheet calculates the resultant mitigated risk (or mitigated likelihood or frequency) in real time. This makes it easy for the analyst(s) to determine which independent protection layer or group of independent protection layers provides the most effective means for reaching or maintaining a target risk threshold.

The concept (demonstrated using ABS Consulting's HazardReview LEADER™ software) makes the process of going from PHA results to LOPA results a lot less time consuming. It avoids retyping and reduces the risk of overlooking scenarios. The paper will present lessons learned from applying the tools in real PHA/LOPA applications. © 2005 American Institute of Chemical Engineers Process Saf Prog 24: 38–44, 2005

Keywords: LOPA, HAZOP, linking, risk assessment tools

Originally presented at the AIChE Loss Prevention Symposium, New Orleans, LA, April 2004.
HazardReview LEADER™ is a trademark of ABS Consulting.

INTRODUCTION

Layer of protection analysis (LOPA) helps companies understand, in a rational and consistent manner, how many safeguards are enough for a particular accident scenario. LOPA takes a predefined cause–consequence pairing (typically identified during a qualitative hazard evaluation), determines how many independent protection layers (IPLs) are provided by existing and/or recommended safeguards, and evaluates whether this number of IPLs provides adequate risk mitigation. LOPA goes beyond the typical use of a risk matrix but is less detailed than quantitative risk analysis (such as fault tree analysis). LOPA is an order-of-magnitude tool. It basically separates the question of “How likely is it?” into two issues:
1. Likelihood (frequency) of the initiating event
2. Probability of failure on demand (PFD) of the IPLs

LOPA can provide a company with the following information for a scenario on a consistent basis:
1. Worst-case unmitigated risk (assuming all safeguards fail)
2. As-is mitigated risk (with existing safeguards in place)
3. The improvements necessary to reach a target risk threshold, as described in Dowell [1, 3–6] and CCPS [2]

The general format of a LOPA table is shown in Table 1 from Dowell [1] with sample information filled in for one scenario.

The severity of the consequence is estimated using appropriate techniques, which may range from simple
$$f_i^C = f_i^I \times \prod_{j=1}^{J} \mathrm{PFD}_{ij} = f_i^I \times \mathrm{PFD}_{i1} \times \mathrm{PFD}_{i2} \times \cdots \times \mathrm{PFD}_{iJ} \qquad (1)$$

where $f_i^C$ is the frequency for consequence C for initiating event i, $f_i^I$ is the initiating event frequency for initiating event i, and $\mathrm{PFD}_{ij}$ is the probability of failure on demand of the jth IPL that protects against consequence C for initiating event i.

Typical initiating event frequencies and IPL PFDs are given by Dowell [1, 3] and CCPS [2]. Figure 1 illustrates the concept of LOPA: that each IPL acts as a barrier to reduce the frequency of the consequence. Figure 1 also shows how LOPA compares to event-tree analysis. A LOPA analysis describes a single path through an event tree to the highest-severity consequence, as shown by the heavy line in Figure 1. An IPL may prevent an undesirable outcome (shown by IPL1), or an IPL may mitigate the outcome to a tolerable level (shown by IPL2 and IPL3). In either case, the frequency of occurrence of the highest-severity consequence is reduced.

DEVELOPING LOPA SCENARIOS

One approach to developing LOPA scenarios is to use a simple screening risk matrix in the HAZOP or other process hazard analysis methodology. Each consequence is ranked for its severity, and the associated causes for the consequence are placed into categories for their unmitigated frequencies, that is, the frequency before application of safeguards. The risk associated with a scenario—a cause–consequence pair—is estimated by the intersection of the consequence severity and the cause frequency on the risk matrix. Many companies have established guidance criteria to select higher-risk scenarios for additional analysis. For example, the “Red” zone on the risk matrix may represent consequence severities of one or more fatalities with a frequency above a given threshold. A company’s guidance criteria may require LOPA or more complex quantitative analysis for all scenarios in the “Red” zone.

Translation of HAZOP information into LOPA scenarios is shown graphically in Figure 2 [3]. Note that
not all the information from the HAZOP is included in the LOPA. Consequences that do not meet the risk matrix criteria are omitted. Very low frequency causes may be omitted. Safeguards that do not meet the IPL criteria will not be given credit as IPLs in the LOPA (but they may be noted in the LOPA documentation). Additional IPLs may be added as a result of the LOPA study.

The user can manually review the PHA documentation; identify consequences that meet the risk matrix criteria for additional analysis; and develop LOPA scenarios for those consequences, including the associated causes and safeguards. Such activities are tedious, and information can be overlooked or left out, particularly if the PHA is not documented logically, thoroughly, and consistently.

To help ensure logical, thorough, and consistent PHA documentation for processes involving interrelated process parameters and interconnected equipment, interrelated HAZOP deviations are often linked electronically such that the consequence of one deviation is shown as a cause of another deviation, and vice versa. Although this is the most efficient, logical, and thorough way to document a PHA in many cases,
of the selected scenario is located at Deviation 1.9 in the HAZOP table, and the selected cause is acid corrosion arising from the high concentration of water (which is Deviation 1.8), resulting from the high concentration of water in the compressed air system (which is Deviation 3.10), resulting from a defective or improperly maintained desiccant dryer (which is the initial cause located at Deviation 3.10). Note that there are other causes located at Deviations 1.8 and 3.10 [and perhaps elsewhere (out of the current view)] that the analyst could select to form separate LOPA scenarios. The wizard also allows quick selection of all scenarios as well as grouping and sorting of scenarios by location, by consequence, and/or by cause to aid the analyst.

The LOPA module does not provide the answers to the LOPA study, but it makes the process of going from PHA results to LOPA results a lot less time consuming. As described in previous publications [1, 2, 3, 5, 6], the effort and expertise to execute a LOPA study (determining which safeguards are IPLs, assigning initiating event frequencies, and assigning PFDs to IPLs, etc.) are not trivial. A trained LOPA analyst is needed to apply the LOPA rules appropriately and consistently.

There are some pitfalls to avoid when using the LEADER Links methodology. If linking is done inappropriately, the user may find a multitude of essentially duplicate scenarios that must be screened by hand.

Based on lessons learned during actual HAZOP meetings and LOPA preparation, we emphasize the following key points for successful linking and generation of LOPA spreadsheets:
1. Avoid assigning risk matrix severities to intermediate consequences. In the preceding example, where high level leads to high pressure, if there is no safety consequence for the high level by itself, high level should not be assigned a risk matrix severity. Assigning a safety severity to high pressure is sufficient to ensure that high level and its preceding causes will be captured in the rolled-up LOPA scenario.
2. Assign safeguards only to the specific deviations where they apply (see the relief valve example above). This will avoid having a particular safeguard appear multiple times in a particular LOPA scenario.
3. Exercise discipline and consistency in linking. For example, similar analysis nodes should have similar link paths. To illustrate, a process system similar to that in Figure 3 should have a link path similar to that shown in Figure 3.
4. Minimize parallel link paths having the same ultimate cause and the same ultimate consequence, but with different intermediate causes and consequences. Where parallel link paths are appropriate, use explanatory text to differentiate the two paths.
5. Avoid circular links. (In working backward from an ultimate consequence, a circular link returns to the deviation with the ultimate cause. In essence, the consequence is its own cause—a logical inconsistency!) For each ultimate consequence, the software needs to be able to work back through each link path to an ultimate cause without revisiting the deviation having the ultimate consequence.
6. Use the same text to describe the same consequence, cause, or safeguard, wherever each item occurs. This will help in eliminating duplicate items in the LOPA scenarios.

There are also some important things to keep in mind when developing a LOPA protocol for your company. These items have a direct impact on the software you choose and how, when, and by whom LOPA
studies will be conducted. The following are two of the most critical items to consider:
1. LOPA is an objective, deductive engineering study, in contrast to the subjective, inductive brainstorming nature of a PHA. LOPA does not have to be quantitative or even semiquantitative, but it does need to be objective. With this said, it is nearly impossible to develop objective LOPA results during a PHA team meeting. LOPA needs to be conducted outside of the influences of the various interests and biases of a typical PHA meeting. (However, some organizations do report successful use of LOPA protocols during the PHA meeting. Note that the risk tolerance criteria used for such LOPA decisions must be based on a per-scenario frequency. If the risk tolerance criteria involve summation of multiple scenarios, it is much better to do the LOPA analysis after the PHA

1. No injury
2. First-aid injury
3. Lost-time injury
4. Fatal injury
It requires a subjective judgment to determine what types of protection layer and conditional modifiers (probability of ignition, probability of person present, probability of fatality) reduce the expected frequency of a fatal injury from once per year to once in 10, 100, or 1000 years. Likewise it is a subjective judgment to determine what types of conditions make the potential for a fatal injury “not credible” [that is, the perceived frequency of a severe consequence is so low that the analyst(s) assigns a lower severity category]. The less-severe consequence can be visualized on Figure 1 by the path where IPL1 and IPL2 fail, but IPL3 is successful, leading to the second from the bottom consequence, a less-severe consequence. For example, if IPL3 is a relief device, the more-severe consequence of vessel rupture and release leading to multiple fatalities may be avoided, but there is now a release from the relief device, which itself may have sufficient risk (severity and frequency) to require analysis.
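
The backward walk along link paths and Equation (1), sketched as an added Python example; it is not HazardReview LEADER code or the authors' own. The deviation numbers come from the paper's example, while the data layout, safeguard names, the "Wet feed from supplier" cause, the frequencies and the PFDs are assumptions constructed for illustration.

```python
from math import prod

# Constructed HAZOP extract. Deviation numbers follow the paper's example
# (1.9 <- 1.8 <- 3.10); safeguard names, frequencies (per year) and PFDs
# are assumed order-of-magnitude values, not data from the paper.
DEVIATIONS = {
    "1.9": {"links": ["1.8"], "causes": [],
            "safeguards": [("Vessel thickness inspection", 0.1)]},
    "1.8": {"links": ["3.10"], "causes": [("Wet feed from supplier", 0.01)],
            "safeguards": [("Moisture analyzer with alarm", 0.1)]},
    "3.10": {"links": [], "causes": [("Defective desiccant dryer", 0.1)],
             "safeguards": [("Moisture analyzer with alarm", 0.1),
                            ("Dryer dew point check", None)]},  # None = not an IPL
}

class CircularLink(Exception):
    """A link path revisits a deviation it has already passed through."""

def rollup(devs, end_id):
    """Walk back from an end consequence; return one scenario per initiating cause."""
    scenarios = []

    def walk(dev_id, path, guards):
        if dev_id in path:
            raise CircularLink(" -> ".join(path + [dev_id]))
        path = path + [dev_id]
        for name, pfd in devs[dev_id]["safeguards"]:
            if name not in [g[0] for g in guards]:  # identical text = same safeguard
                guards = guards + [(name, pfd)]
        for cause, freq in devs[dev_id]["causes"]:
            scenarios.append({"path": path, "cause": cause,
                              "f_init": freq, "safeguards": guards})
        for linked in devs[dev_id]["links"]:
            walk(linked, path, guards)

    walk(end_id, [], [])
    return scenarios

def mitigated_frequency(scenario):
    """Equation (1): initiating frequency times the PFD of every credited IPL."""
    pfds = [pfd for _, pfd in scenario["safeguards"] if pfd is not None]
    return scenario["f_init"] * prod(pfds)

if __name__ == "__main__":
    for s in rollup(DEVIATIONS, "1.9"):
        print(" <- ".join(s["path"]), "|", s["cause"], "|", mitigated_frequency(s))
```

The moisture analyzer is entered at both Deviation 1.8 and 3.10 with identical text, so it is credited once per scenario; a link from Deviation 3.10 back to 1.9 raises `CircularLink` instead of looping.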