SPE-173544-MS

Risk Assessment in HAZOPs

Howard Duhon, GATE; John Cronin, Hess

Copyright 2015, Society of Petroleum Engineers

This paper was prepared for presentation at the SPE E&P Health, Safety, Security and Environmental Conference-Americas held in Denver, Colorado, USA, 16–18 March 2015.

This paper was selected for presentation by an SPE program committee following review of information contained in an abstract submitted by the author(s). Contents of the paper have not been reviewed by the Society of Petroleum Engineers and are subject to correction by the author(s). The material does not necessarily reflect any position of the Society of Petroleum Engineers, its officers, or members. Electronic reproduction, distribution, or storage of any part of this paper without the written consent of the Society of Petroleum Engineers is prohibited. Permission to reproduce in print is restricted to an abstract of not more than 300 words; illustrations may not be copied. The abstract must contain conspicuous acknowledgment of SPE copyright.

Abstract

A HAZOP is a team-based process hazard analysis (PHA) method. Its purpose is to identify hazards and operability issues in a process design. In some HAZOPs, identified issues are evaluated for risk. An effective risk assessment method allows the HAZOP participants and the project team to focus their time and energy on the more significant hazards.

Risk assessments in HAZOPs are typically performed using a simple risk matrix (Figure 2). In the risk matrix approach, participants make judgments as to the potential severity and the likelihood of an event. The combination of severity and likelihood indicates the risk. The risk matrix will often be color coded with green areas (OK), red areas (Unacceptable) and yellow areas (improvement suggested, subject to ALARP).

This approach is problematic for a number of reasons:

1. The judgment of consequence severity is difficult and is often ambiguous. Any identified scenario could play out in multiple ways, often with dramatically different severities.
2. Estimation of the frequency or likelihood of the event is also difficult, especially so if the frequency of the mitigated event is to be estimated.
3. The simple green, yellow, red bands do not provide sufficient resolution for ranking scenarios (the yellow band may span two or three orders of magnitude, for instance).

This paper presents a more rigorous and repeatable approach to making the severity and frequency judgments that is also simpler and quicker. The method is, in effect, a simplified layer of protection analysis (LOPA). The authors show how LOPA techniques can be simplified and applied in a HAZOP setting for both frequency and consequence severity judgments. These simplified techniques make such judgments more rigorous and repeatable. Also, because the guesswork is removed, this saves time in the HAZOP. The proposed approach also yields a HAZOP record that is more easily used for a future LOPA study.

Risk Assessment in HAZOP

The purpose of a HAZOP is to identify hazards and operability issues in a process design. These issues are identified by dividing the Piping and Instrumentation Drawings (P&IDs) into nodes and then asking a series of questions about each node. The questions use guidewords structured around deviations in process parameters, such as High Flow, Low Pressure, High Level, etc. Where hazard and/or operability issues are identified, the team considers the adequacy of the existing design safeguards. If the existing safeguards are considered insufficient, recommendations (findings) may be recorded to provide enhanced protection.

Not all HAZOP teams assess the risk of individual findings. Some HAZOP facilitators and some operators believe that it is more important to focus on creativity and brainstorming in the HAZOP sessions, and leave the risk ranking to others and/or other processes.
The authors believe that risk assessment in the HAZOP can serve a valuable function of focusing the team's efforts on the more significant issues. However, to achieve this it is necessary to provide a clear and consistent basis for risk assessment, which is compatible with the team-based HAZOP format.

Qualitative Risk Matrix

Risk assessment in HAZOPs is frequently performed using a qualitative risk matrix, such as the one in Figure 2. Using the risk matrix requires two judgments:

1. consequence severity (Y axis)
2. event frequency (X axis)

Both of these judgments can be difficult.

Consequence severity judgment is difficult, in part, because scenarios can progress in a number of different ways. Consider the node drawn in Figure 1, a MEG (mono-ethylene glycol) tank and pump. On 'Low Level' the tank goes empty and the pump runs dry.

Figure 1—MEG Tank and Pump

Team A might consider this a pump damage scenario and rate it as an Asset Loss Category 2. Team B might identify potential for a seal leak, with blanket gas from the vessel vented to atmosphere and igniting with a possible fatality, and so rate this as a Safety Hazard Category 4.

Frequency judgments may be even more difficult and ambiguous. The guidance provided in Figure 2 seems reasonable at first glance. Experienced professionals can distinguish between incidents that rarely happen and incidents that happen more frequently.

Figure 2—Typical Qualitative Risk Matrix

A problem with such judgments is that we rarely know the full circumstances of previous incidents, and we tend to judge frequency based on the initiating event (rather than on the full scenario, on which the consequence level is usually based). For the pump seal failure scenario discussed above, participants may judge the frequency as fairly high, because we have all seen level control systems fail. But the frequency of the level control failing is not the frequency that we need to estimate. We need to estimate the frequency of the actual assumed consequence (and considering existing safeguards). The levels of progression in this scenario have different frequencies:

1. The frequency of the tank going empty (without safeguards) may be fairly high; once in 10 years is the typical assumed frequency for a control loop failure.
2. An independent low level shutdown will decrease this outcome frequency by about one order of magnitude. The frequency of the level loop failure and low-level shutdown failure occurring simultaneously is then 1/100 years.
3. The frequency of the tank going empty plus the pump seal being damaged may be somewhat lower.
4. The frequency of the tank going empty, plus seal damage, plus blanket gas blowby, plus ignition of the gas cloud is much lower.
5. The frequency of all of the above plus someone being exposed and killed by the flash fire is lower still.

In order for the risk matrix approach to be useful, the frequency judgment must be based explicitly on the consequence severity assumed and not just on the frequency of the initiating event. Both of the judgments required by the Figure 2 risk matrix are therefore difficult.

Example – Judgment Accuracy

We should expect that this would result in significant judgment errors in the HAZOP. To quantify this, the authors have compared the event frequency judgments made in a recent HAZOP (by a very experienced team of design engineers and production specialists) to estimates made later on the same project via a more detailed, quantified LOPA study. The HAZOP matrix provided options similar to Figure 2 for frequency judgment. For example, the B column (low frequency) was titled "Heard of in the Industry". Many of the HAZOP team's judgments fell into that column. No explicit frequency was provided in the HAZOP instruction, but we can assume that "Heard of in the Industry" would correspond to about a 1/1000 to 1/10000 year frequency, for a given platform.
A random sampling of 10% of the scenarios judged to be a B (low frequency) by the HAZOP team was compared to the LOPA team frequency judgments, with the following results:

● Most of the LOPA judgments were 1/100 years or more frequent
● The highest frequency judgment was 1/30 years
● The lowest frequency judgment in the LOPA was 1/100,000 years

Conclusion: Compared to the LOPA team, the HAZOP team generally underestimated the frequency of hazardous scenarios, and the range of judgment disparity was very large.

Proposed Solution

We suggest the following approach to make risk assessments in HAZOPs easier, more consistent and more accurate:

1. Generate and use a risk matrix that yields order of magnitude risk reduction targets.
2. Apply simple rules for estimation of consequence severity.
3. Use initiating event frequency data, conditional probability data, and probability of failure on demand (PFD) data to make the frequency judgments.

Calibrated Risk Matrix

Figure 3 is an example of a risk reduction matrix, calibrated to yield risk reduction targets. For details on development of the matrix see Appendix 1. The important features of this matrix are:

1. The frequency axis is effectively a logarithmic scale, with an order of magnitude change from one column to the next.
2. The consequence axis must also be a logarithmic scale with order of magnitude differences between rows (see Appendix 1).
3. The numeric cell entries represent order of magnitude risk reductions required to reach a 'target' or 'maximum acceptable' risk level.

Figure 3—Example Risk Reduction Target Matrix

For example, per this matrix a scenario with a Major consequence (Row 4) with an expected frequency of 1/10000 years (Column A) represents a maximum acceptable risk. The entry in cell 4A is '0', which means that there is no required risk reduction (subject to ALARP/RAGAGEP principles). The same scenario occurring at a frequency of 1/100 years (cell 4C) is judged unacceptable, with a required risk reduction target of 2 (i.e. 2 orders of magnitude, or a factor of 100 risk reduction).

Using the Risk Reduction Target Matrix in a HAZOP

1. Determine the consequence severity for a scenario (see Appendix 2).
2. Determine the frequency of the initiating event and adjust that frequency (as necessary and appropriate) to account for enabling events, multiple required events, etc. (see Appendix 3).
3. Enter the matrix at the selected consequence severity row and initiating event column. This is the unmitigated risk; the cell entry provides the risk reduction target.
4. Apply existing safeguards/IPLs to determine the mitigated risk.
5. If necessary, recommend additional safeguard(s) to achieve the target risk level.

Example:

1. HAZOP team identifies a scenario with Major consequence (Row 4).
2. The initiating event is pressure control loop failure. Per Table 3.2 (Appendix 3) control loop failure occurs 1/10 years (Column D).
3. Enter the matrix at 4D. The risk reduction target is 3.
4. The vessel PSV provides a 2 order of magnitude improvement (see Table 3.4 in Appendix 3).
5. That leaves a remaining 1 order of magnitude risk reduction requirement to be provided by a safety instrumented function (SIF) or other valid independent protection layer (IPL).

Figure 4—Example Use of the Required Risk Reduction Matrix

Conclusions

The authors suggest the following general approach to make risk assessments in HAZOPs easier, more consistent and more accurate:

1. Generate and use a calibrated risk matrix, based on order of magnitude risk reduction targets.
2. Develop and apply simple rules for estimation of consequence severity.
3. Use initiating event frequency and conditional probability data to estimate frequencies of specific outcomes.

These approaches are incorporated within the calibrated risk matrix methodology described above.
Supporting estimation techniques (such as those described in Appendices 1-3) can be readily developed, to expedite the necessary consequence and frequency estimates.

Acknowledgments

The authors would like to acknowledge the assistance and support of GATE Inc. and Hess Corporation in supporting development and preparation of this publication. The contents of this paper primarily reflect the personal views and experience of the authors, and do not relate explicitly to any (GATE, Hess or 3rd party) corporate policy. The proposed methodology and scoring metrics are provided for illustrative and discussion purposes only; these are subject to appropriate review and calibration before further use.

Glossary

ALARP: As Low as Reasonably Practical
BOPD: Barrels of Oil Per Day
GOR: Gas Oil Ratio (SCF gas / bbl of oil)
HAZOP: Hazard and Operability Study
IPL: Independent Protection Layer
LOPA: Layer of Protection Analysis
MMSCFD: Million Standard Cubic Feet per Day
PFD: Probability of Failure on Demand
PHA: Process Hazard Analysis
P&ID: Process (or Piping) and Instrument Diagram
RAGAGEP: Recognized and Generally Accepted Good Engineering Practice
SIF: Safety Instrumented Function
SIL: Safety Integrity Level

References

American Institute of Chemical Engineers, 2001, Layer of Protection Analysis, Simplified Process Risk Assessment.

Appendix 1
Risk Reduction Matrix Calibration and Use

(The proposed methodology and scoring metrics in this paper are provided for illustrative and discussion purposes only; these are subject to appropriate review and calibration before further use.)

The first requirement of an effective matrix, for our purposes, is that each row and column increments by one order of magnitude. For the frequency axis this is straightforward; we specify frequency in events per year. Figure 1.1 is an example of a matrix with order of magnitude increments.
Figure 1.1—Beginning the Risk Reduction Target Matrix

We can define the Consequence Categories to achieve or approximate the order of magnitude steps as follows:

Table 1.1—Consequence Severity Table Example - Safety

Severity          Safety
5 Catastrophic    Multiple Fatalities
4 Major           Single Fatality
3 Severe          Serious Injury
2 Minor           Minor Injury
1 Slight          First Aid

Table 1.2—Consequence Severity Table Example - Asset

Severity          Cost
5 Catastrophic    1 Billion $US
4 Major           100 Million $US
3 Severe          10 Million $US
2 Minor           1 Million $US
1 Slight          100 Thousand $US

Table 1.3—Consequence Severity Table Example - Environmental

Severity          Environmental
5 Catastrophic    50,000 bbls dead oil
4 Major           5,000 bbls dead oil
3 Severe          500 bbls dead oil
2 Minor           50 bbls dead oil
1 Slight          5 bbls dead oil

Having defined the axes, we next want to populate the matrix with risk reduction target numbers. The average healthy 30 year old person has about a 1/1000 (10^-3) annual probability of dying from all causes (e.g., injury, illness, automobile risk). Although many people are surprised when they first hear this number, it is a level of risk that we implicitly accept. We want the workplace to be at least an order of magnitude safer than the world at large. That suggests that cell 4A has a '0'. It is 0 because 1/10000 years (10^-4) is the maximum frequency at which a Major work-related event (e.g. potential fatality) is generally considered acceptable.

Figure 1.2—Risk Reduction Target Matrix Basis

If that event were predicted to occur more frequently, risk reduction targets would apply as in the matrix below; the numbers shown are in orders of magnitude. For example, a scenario with a Major consequence, predicted to occur 1/1000 years (Cell 4B), has a risk reduction target of 1 order of magnitude (factor of 10). A safeguard (i.e. independent protection layer) that decreases the event frequency by one order of magnitude will bring the scenario to the maximum acceptable frequency (of 1/10000 year).

Figure 1.3—Risk Reduction Target Matrix Development

Because the consequence severity and frequency ratings all vary by one order of magnitude from one row/column to the next, it is a simple task to populate the entire matrix with risk reduction targets. Figure 1.4 is the resulting risk reduction matrix.

Figure 1.4—Completed Example Risk Reduction Target Matrix

Using the Risk Reduction Target Matrix in a HAZOP

1. Determine the consequence severity for a scenario (see Appendix 2).
2. Determine the frequency of the initiating event and adjust that frequency as necessary and appropriate to account for enabling events, multiple required events, etc. (see Appendix 3).
3. Enter the matrix at the selected consequence severity row and initiating event column. This is the unmitigated risk; the cell entry provides the risk reduction target.
4. Apply existing safeguards/IPLs to determine the mitigated risk.
5. If necessary, recommend additional safeguard(s) to achieve the target risk level.

Example:

1. HAZOP team identifies a scenario with Major consequence.
2. The initiating event is pressure control loop failure. Per Table 3.2 (Appendix 3), control loop failure occurs 1/10 years.
3. Enter the matrix at 4D. The risk reduction target is 3.
4. The vessel PSV provides a 2 order of magnitude improvement (see Appendix 3/Table 3.4).
5. That leaves a remaining 1 order of magnitude risk reduction requirement to be provided by a safety instrumented function (SIF) or other valid independent protection layer (IPL).
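The calibration rule of this appendix and the five-step procedure for using the matrix in a HAZOP (given in the main body and repeated above) can be checked mechanically. The Python script below is an added example written for this edit, not code from the paper or its authors. It assumes what the text states: cell 4A (Major consequence at 1/10000 per year) carries a target of 0, and every row and column step is one order of magnitude. Two further assumptions are mine: a fifth frequency column E at 1 per year (the text names only columns A through D), and clamping cells that would come out negative to 0, since Figure 1.4 is not reproduced in the text.

```python
"""Calibrated risk reduction target matrix (Appendix 1) and its HAZOP use.

Added illustration, not the paper's code. Calibration: Major (row 4) at
1/10000 per year is the maximum acceptable risk (target 0); each row and
each frequency column steps one order of magnitude. Column E and the
clamping of negative cells to 0 are assumptions of this example.
"""
import math

# Frequency columns, events per year. A-D are named in the paper; E is assumed.
FREQUENCY_COLUMNS = {"A": 1e-4, "B": 1e-3, "C": 1e-2, "D": 1e-1, "E": 1.0}

# Consequence severity rows (Table 1.1), one order of magnitude per step.
SEVERITY_ROWS = {1: "Slight", 2: "Minor", 3: "Severe", 4: "Major", 5: "Catastrophic"}

# Calibration anchor: cell 4A has a target of 0.
ANCHOR_ROW, ANCHOR_FREQUENCY = 4, 1e-4


def risk_reduction_target(severity_row, frequency_per_year):
    """Orders of magnitude of risk reduction needed to reach the anchor risk.

    One order per severity row above the anchor row, one order per decade of
    frequency above the anchor frequency. Negative results are clamped to 0
    (assumption: risk already below the target needs no reduction).
    """
    if severity_row not in SEVERITY_ROWS:
        raise ValueError(f"unknown severity row {severity_row}")
    if frequency_per_year <= 0:
        raise ValueError("frequency must be positive")
    severity_steps = severity_row - ANCHOR_ROW
    frequency_steps = math.log10(frequency_per_year / ANCHOR_FREQUENCY)
    return max(0, round(severity_steps + frequency_steps))


def build_matrix():
    """Populate every cell, keyed like the paper's cells, e.g. '4D' -> 3."""
    return {
        f"{row}{col}": risk_reduction_target(row, freq)
        for row in SEVERITY_ROWS
        for col, freq in FREQUENCY_COLUMNS.items()
    }


def remaining_target(severity_row, initiating_frequency, ipl_credits):
    """Steps 3-5 of the procedure: the unmitigated target less the
    order-of-magnitude credits of the existing IPLs, never below 0."""
    unmitigated = risk_reduction_target(severity_row, initiating_frequency)
    return max(0, unmitigated - sum(ipl_credits))


def print_matrix():
    cells = build_matrix()
    print("Row  " + "".join(f"{col:>4}" for col in FREQUENCY_COLUMNS))
    for row in sorted(SEVERITY_ROWS, reverse=True):
        values = [cells[f"{row}{col}"] for col in FREQUENCY_COLUMNS]
        print(f"{row:<4} " + "".join(f"{v:>4}" for v in values))


if __name__ == "__main__":
    print_matrix()
    # Worked example from the text: Major consequence, pressure control loop
    # failure at 1/10 per year (cell 4D), PSV credited with 2 orders.
    print("cell 4D target:", risk_reduction_target(4, 0.1))       # 3
    print("remaining after PSV:", remaining_target(4, 0.1, [2]))  # 1
```

Each of the matrix's calibration statements in the text (4A = 0, 4B = 1, 4C = 2, 4D = 3) falls out of the same two-term rule, which is why populating the whole matrix is mechanical once the axes are logarithmic.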
Figure 1.5—Example Use of the Required Risk Reduction Matrix

Appendix 2
On Making the Consequence Judgment

(The proposed methodology and scoring metrics are provided for illustrative and discussion purposes only; these are subject to appropriate review and calibration before further use.)

There is some unavoidable uncertainty and ambiguity in consequence severity assessment. The method used should provide:

a. Guidance on identifying the range of possible consequences
b. Agreement on selecting one or more of the identified consequences for further analysis
c. Explicit agreement that the frequency of occurrence should be matched to the specific consequence selected.

Matching the Frequency to the Consequence

For HAZOP purposes, we are typically guided to identify the worst possible consequence of a scenario, or at least the worst credible. But the most likely outcome may be one or two orders of magnitude more likely than the worst case outcome, and its consequence may be one or two orders of magnitude less severe.

Suggestion: Identify the range of possible outcomes from the most likely to the most severe. Estimate the frequency of each. Choose the consequence/frequency pair that yields the largest risk reduction requirement on the risk matrix.

Consequence of Vessel Overpressure

Many HAZOP teams consider any overpressure to be a serious event. This is overly conservative. The current ASME pressure vessel code provides for a design safety factor of about 3.5 for Div 1 vessels (most vessels are designed per Div 1). The safety factor for Div 2 vessels is 2.4. High pressure vessels are frequently designed to Div 2 to save cost and weight. Topsides piping designed to B31.3 has a safety factor of 3.0. While exceeding the design pressure is a notable event, we should not expect catastrophic vessel failure at pressures far below the safety factor.

For a major process vessel we can estimate consequence severity as a simple function of overpressure. Table 2.1 can be applied to Div 1 vessels and B31.3 piping systems. Table 2.2 is applicable to Div 2 vessels.

Table 2.1—Severity Rating vs. Overpressure – ASME Section 8 Div 1 Vessel, B31.3 Piping

Overpressure Ratio P / P design    Consequence                          Severity Rating
1.0 – 1.2                          Process shutdown, gas flaring        1 (asset, production loss)
1.2 – 1.5                          Process shutdown, gas flaring        2
1.5 – 2                            Potential for gasket leaks           3 (safety)
2 – 3                              Vessel damage, major gasket leaks    4 (safety, asset)
3+                                 Vessel failure                       5 (safety, asset)

Table 2.2—Severity Rating vs. Overpressure – ASME Section 8 Div 2 Vessel

Overpressure Ratio P / P design    Consequence                          Severity Rating
1.0 – 1.2                          Process shutdown, gas flaring        1 (asset, production loss)
1.2 – 1.5                          Process shutdown, gas flaring        2
1.5 – 1.75                         Potential for gasket leaks           3 (safety)
1.75 – 2                           Vessel damage, major gasket leaks    4 (safety, asset)
2+                                 Vessel failure                       5 (safety, asset)

Consequence of Loss of Containment

Tables 2.1 and 2.2 relate consequence to overpressure. There is an implicit assumption in these tables that the volume of hydrocarbon contained in the vessel is enough to cause the consequence level quoted. For a small vessel that may not be the case.

Another approach to severity judgment is to base it on the volume of liquid or gas released to the atmosphere. A release of dead liquid, such as sales quality dead oil (vapor pressure less than atmospheric), is much less hazardous than a gas release (or a release of live oil from which gas will flash). In the method proposed here, safety risk is a function of the volume of gas released and environmental risk is based on the volume of liquid released. This approach is complicated by the fact that a liquid released from high pressure will often flash off gas, and so the environmental impact of the liquid spill and the safety risk of the flashed gas must both be considered.
Estimating the Consequence of a Gas Release

Table 2.3 summarizes approximate gas cloud sizes for a range of released gas volumes. The first row illustrates a gas cloud resulting from the release of 1 pound of a gas with a MW of about 20. At standard conditions this cloud will have a volume of about 20 ft3 (20 scf). If we assume that the gas forms a sphere with a concentration of 1 at its center and 0 at the periphery, then that gas cloud will have a radius of 2 ft. It is very likely that such a gas cloud will disperse without any ignition.

Table 2.3—Gas Release Volume vs. Consequence

lbs        SCF          Sphere R (ft)    Category
1          20           2                0
10         200          5                1
100        2,000        10               2
1,000      20,000       21               3
10,000     200,000      46               4
100,000    2,000,000    98               5

Conversely, a gas release of 100,000 lbs (2,000,000 SCF) generates a cloud with a radius of about 100 ft. Such a cloud is much more likely to find an ignition source, and the resulting ignition could be catastrophic, due to the large fuel inventory. In practice, the effective volume and extent of the resulting flammable cloud (within which ignition might occur) could be much larger, as the vapor is flammable down to its lower flammable limit (LFL; 5% volume in air for methane).

Estimating the Volume of Gas Released

The effective volume of a gas release depends on:

● The size of the hole through which it escapes
● The contained pressure
● The volume of gas in the process available for release
● The duration of the leak

The amount of gas available for release may be a fixed contained volume (as might be contained in a storage sphere), or it may be a continuously supplied flow (as would be the case in the leak from a flowline supplied by a gas well). These volumes are of interest only for a catastrophic vessel or piping failure. The more likely case is a leak through a relatively small hole such as a leaking flange, a broken piece of tubing, or a corroded pipe wall (pit).

Gas Release through a Hole

For the case of leakage through a hole in which the contained volume is not limiting, the limiting volume is that which will accumulate on the platform based on process obstruction, wind, dispersion etc. For estimation purposes we have assumed that the cloud will reach its maximum (equilibrium) size within 60 seconds of the initial release. Hence we take the governing cloud volume as that which leaks in 60 seconds. The mass leak rate is roughly proportional to P d². A rough equation is:

Q = 14.6 × P × d²

where Q = SCFM, P = PSIA, d = inches.

Applying this equation yields Figure 2.1.

Figure 2.1—Consequence Rating for Gas Release

Estimating the Consequence of an Oil Release

Choosing the following spill rates to define consequence levels:

Severity          Environmental
5 Catastrophic    50,000 bbls dead oil
4 Major           5,000 bbls dead oil
3 Severe          500 bbls dead oil
2 Minor           50 bbls dead oil
1 Slight          5 bbls dead oil

The effective volume of an oil release depends on:

● The size of the hole through which it escapes
● The contained pressure
● The volume of oil in the process available for release
● The duration of the leak
● Capacity of containment systems

For the calculations below of release through a hole, it is assumed that there is no containment. In the case of a gas release, we chose 1 minute as the relevant release period (since we assumed that the gas cloud will reach its equilibrium size within that time). In the case of an oil release, the relevant period is the time it takes to stop the release. For the calculations below, we have assumed a 20 minute release period. This period would generally give operators enough time to understand what is going on and to shut off the source. Liquid flow through an orifice is proportional to P^0.5 × d². A rough equation for our current purposes is:

F = 1000 × P^0.5 × d²

where F = BOPD, P = PSIA, d = inches.

Applying that equation and allowing a 20 minute release period yields Figure 2.2.
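The two hole-leak estimates above (gas cloud after 60 seconds, dead oil after 20 minutes) and their category tables can be carried through in a few lines. The Python below is an added example written for this edit, not code from the paper or its authors. It applies the paper's rough leak equations, the paper's governing release periods with no containment, Table 2.3 for the gas category and Table 1.3 for the dead-oil environmental category. Two assumptions are mine: a release that exceeds a table row is rounded up to the next category, and the cloud radius is that of a sphere whose average gas concentration is 50% (concentration 1 at the center, 0 at the periphery), which reproduces Table 2.3's radius column to within rounding.

```python
"""Release-through-a-hole consequence estimates (Appendix 2).

Added illustration, not the paper's code. Equations from the paper:
  gas    Q = 14.6 × P × d²        (Q in SCFM, P in psia, d in inches)
  liquid F = 1000 × P^0.5 × d²   (F in BOPD)
Governing periods from the paper: 60 s for a gas cloud, 20 min for oil.
Round-up to the next category and the 50%-average-concentration sphere
are assumptions of this example.
"""
import math

GAS_RELEASE_MINUTES = 1.0     # cloud reaches equilibrium size within 60 s
OIL_RELEASE_MINUTES = 20.0    # time for operators to diagnose and stop the leak
MINUTES_PER_DAY = 1440.0

# Table 2.3: upper SCF bound of each gas consequence category (assumed inclusive).
GAS_CATEGORY_BOUNDS = [(20, 0), (200, 1), (2_000, 2), (20_000, 3), (200_000, 4)]
# Table 1.3: upper bbl bound of each environmental category (assumed inclusive).
OIL_CATEGORY_BOUNDS = [(5, 1), (50, 2), (500, 3), (5_000, 4), (50_000, 5)]
TOP_CATEGORY = 5


def _check(pressure_psia, hole_diameter_in):
    if pressure_psia <= 0 or hole_diameter_in <= 0:
        raise ValueError("pressure (psia) and hole diameter (in) must be positive")


def gas_leak_rate_scfm(pressure_psia, hole_diameter_in):
    """Paper's rough gas leak rate, proportional to P × d²."""
    _check(pressure_psia, hole_diameter_in)
    return 14.6 * pressure_psia * hole_diameter_in ** 2


def oil_leak_rate_bopd(pressure_psia, hole_diameter_in):
    """Paper's rough liquid leak rate, proportional to P^0.5 × d²."""
    _check(pressure_psia, hole_diameter_in)
    return 1000.0 * math.sqrt(pressure_psia) * hole_diameter_in ** 2


def category_for(volume, bounds):
    """Smallest category whose bound covers the volume; beyond the table -> 5."""
    for bound, category in bounds:
        if volume <= bound:
            return category
    return TOP_CATEGORY


def cloud_radius_ft(scf):
    """Radius of a sphere holding `scf` of gas at an average concentration
    of 50% (1 at the center, 0 at the periphery). Assumption of this example."""
    return (scf / (0.5 * 4.0 / 3.0 * math.pi)) ** (1.0 / 3.0)


def rate_gas_release(pressure_psia, hole_diameter_in):
    """Gas in the cloud after the governing period, its radius and category."""
    scf = gas_leak_rate_scfm(pressure_psia, hole_diameter_in) * GAS_RELEASE_MINUTES
    return {"scf": scf, "radius_ft": cloud_radius_ft(scf),
            "category": category_for(scf, GAS_CATEGORY_BOUNDS)}


def rate_dead_oil_release(pressure_psia, hole_diameter_in):
    """Dead oil spilled over the governing period and its environmental category."""
    bopd = oil_leak_rate_bopd(pressure_psia, hole_diameter_in)
    bbl = bopd * OIL_RELEASE_MINUTES / MINUTES_PER_DAY
    return {"bbl": bbl, "category": category_for(bbl, OIL_CATEGORY_BOUNDS)}


if __name__ == "__main__":
    # Constructed cases: a 1/4-inch tubing break and a 2-inch failure on a
    # 1000 psia gas system, then a 1-inch hole on a 400 psia dead-oil line.
    for d in (0.25, 2.0):
        g = rate_gas_release(1000.0, d)
        print(f"gas, d={d} in: {g['scf']:.0f} SCF, R~{g['radius_ft']:.0f} ft, "
              f"category {g['category']}")
    o = rate_dead_oil_release(400.0, 1.0)
    print(f"dead oil, d=1 in: {o['bbl']:.0f} bbl in 20 min, category {o['category']}")
```

Because Q scales with d², the two constructed gas cases differ by a factor of 64 in cloud volume and by two categories, which is the point of Figure 2.1: hole size dominates the gas-release rating once the pressure is known.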
Figure 2.2—Consequence Rating for a Dead Oil Release

Estimating the Consequence of a Live Oil Release

The consequence of a live oil release may be predominantly environmental (oil spill) or safety (gas flashing). Our category 1 limits are 5 bbls for an oil spill and 200 scf for a gas release. If the oil released has an effective GOR of 40, then 200 scf will flash from a 5 bbl spill. This suggests that safety consideration will dominate for most live oil spills.

Estimating the Effective GOR

GOR is the Gas Oil Ratio, defined as the amount of gas in SCF that will flash from one bbl of oil.

Gas (SCF) = Oil (bbl) × GOR

We generally think of GOR as the total amount of gas that will flash from 1 bbl of oil taken to stock tank conditions. Gas flashes off through the stages of separation. Oil at higher pressures will have a higher effective GOR. Flash calculations can provide the residual GOR at any point in the process. A reasonable approximation can be obtained by assuming that the gas flashes linearly with pressure, from the bubble point pressure to atmospheric pressure.

Example: Consider a reservoir fluid with a GOR of 1000 and a bubble point of 3600 PSIA. If the Inlet Separator pressure is 1200 PSIA, then 2/3 of the gas will flash in that separator and 1/3 of the gas will remain in the oil. An oil spill from that separator will have an effective GOR of about 333.

Figure 2.3—Residual GOR vs. Pressure

Suggestion: If the GOR for a liquid stream is greater than 400, then add 1 to the consequence rating.

Appendix 3
Making the Frequency Judgment

LOPA is a semi-quantitative tool for assessing risk. It uses order of magnitude values for initiating event frequency, consequence severity and likelihood of failure of protective layers, to approximate a risk level for any given scenario. In rigor it falls between a typical risk matrix approach (as commonly used in HAZOPs) and a fully quantitative method (QRA).
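Returning to the live oil release and effective GOR discussion that closes Appendix 2: the linear flash approximation, the flashed-gas volume and the choice between the environmental and safety ratings can be worked as one calculation. The Python below is an added example written for this edit, not code from the paper or its authors. It uses the paper's linear flash rule (gas flashes linearly with pressure between the bubble point and atmospheric), the paper's liquid leak equation with the 20-minute uncontained release period, Gas (SCF) = Oil (bbl) × GOR, Table 1.3 for the spilled oil, Table 2.3 for the flashed gas, and the paper's suggestion of adding 1 to the rating when the stream's GOR exceeds 400. Assumptions of mine: the worse of the two ratings is reported as the scenario rating, and volumes beyond a table row round up to the next category.

```python
"""Live oil release: effective GOR and the dominant consequence (Appendix 2).

Added illustration, not the paper's code. Linear flash approximation,
F = 1000 × P^0.5 × d² (BOPD), 20-minute uncontained release, Table 1.3
(oil spill) and Table 2.3 (flashed gas) bounds, +1 rating when GOR > 400.
Reporting the worse rating and rounding up are assumptions of this example.
"""
import math

OIL_RELEASE_MINUTES = 20.0
MINUTES_PER_DAY = 1440.0
GOR_PENALTY_THRESHOLD = 400      # paper's suggestion: add 1 above this GOR
OIL_CATEGORY_BOUNDS = [(5, 1), (50, 2), (500, 3), (5_000, 4), (50_000, 5)]
GAS_CATEGORY_BOUNDS = [(20, 0), (200, 1), (2_000, 2), (20_000, 3), (200_000, 4)]


def effective_gor(stock_tank_gor, bubble_point_psia, pressure_psia):
    """GOR still held in the oil at `pressure_psia` (linear flash approximation)."""
    if stock_tank_gor < 0 or bubble_point_psia <= 0 or pressure_psia < 0:
        raise ValueError("GOR must be >= 0 and pressures positive")
    if pressure_psia >= bubble_point_psia:
        return float(stock_tank_gor)      # above the bubble point nothing has flashed yet
    return stock_tank_gor * pressure_psia / bubble_point_psia


def spilled_bbl(pressure_psia, hole_diameter_in):
    """Oil spilled through a hole over the 20-minute period, no containment."""
    if pressure_psia <= 0 or hole_diameter_in <= 0:
        raise ValueError("pressure and hole diameter must be positive")
    bopd = 1000.0 * math.sqrt(pressure_psia) * hole_diameter_in ** 2
    return bopd * OIL_RELEASE_MINUTES / MINUTES_PER_DAY


def flashed_scf(oil_bbl, gor):
    """Gas (SCF) = Oil (bbl) × GOR."""
    return oil_bbl * gor


def category_for(volume, bounds):
    """Smallest category whose bound covers the volume; beyond the table -> 5."""
    for bound, category in bounds:
        if volume <= bound:
            return category
    return 5


def rate_live_oil_release(pressure_psia, hole_diameter_in, stock_tank_gor, bubble_point_psia):
    """Environmental and safety ratings of a live oil spill and the combined rating."""
    gor = effective_gor(stock_tank_gor, bubble_point_psia, pressure_psia)
    bbl = spilled_bbl(pressure_psia, hole_diameter_in)
    scf = flashed_scf(bbl, gor)
    environmental = category_for(bbl, OIL_CATEGORY_BOUNDS)
    safety = category_for(scf, GAS_CATEGORY_BOUNDS)
    rating = max(environmental, safety)
    if gor > GOR_PENALTY_THRESHOLD:
        rating = min(5, rating + 1)
    return {"effective_gor": gor, "bbl": bbl, "flashed_scf": scf,
            "environmental": environmental, "safety": safety,
            "dominant": "safety" if safety >= environmental else "environmental",
            "rating": rating}


if __name__ == "__main__":
    # Paper's example fluid: GOR 1000, bubble point 3600 psia, inlet separator
    # at 1200 psia; constructed 1/2-inch hole on the separator oil outlet.
    r = rate_live_oil_release(1200.0, 0.5, 1000, 3600.0)
    print(f"effective GOR {r['effective_gor']:.0f}, {r['bbl']:.0f} bbl spilled, "
          f"{r['flashed_scf']:.0f} SCF flashed, env {r['environmental']}, "
          f"safety {r['safety']}, rating {r['rating']} ({r['dominant']})")
```

For the paper's separator case the spill itself rates Severe while the gas flashing from it rates Major, which is the "safety will dominate" observation above in numbers; the same code applied to a stream still above its bubble point (effective GOR equal to the full stock-tank GOR) also triggers the +1 suggestion for GOR above 400.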
A LOPA is frequently performed after a HAZOP to further investigate significant findings. The standard approach is:

1. Identify the accident scenario to be studied (the scenario is described as occurring without prevention or mitigation by the safeguarding systems).
2. Identify the consequence severity level.
3. Identify the initiating event and determine the frequency of the initiating event.
4. Determine the risk reduction requirement via established risk targets. The required risk reduction is a function of the consequence severity and the initiating event frequency.
5. Identify the Independent Protection Layers (IPLs) available.
6. Estimate the probability of failure on demand (PFD) of each IPL and mathematically combine the IPLs.
7. Compare the combined risk reduction effectiveness of all identified IPLs with the required risk reduction to determine if additional risk reduction is required.

The LOPA method is enabled by:

1. Available data on initiating event frequencies (see Tables 3.2 and 3.3)
2. Available data and established calculation methods for probability of failure on demand of IPLs (see Table 3.4)
3. Generally accepted criteria for consequence severity and acceptable levels of risk (see Table 3.1).

These three items can be used to simplify and improve risk assessment in HAZOPs.

Safety Integrity Level (SIL)

In practice, LOPA is also used to determine the required reliability of any existing or proposed Safety Instrumented Functions (SIFs). The accepted reliability standard for a SIF is the Safety Integrity Level (SIL) rating. This is a measure of the SIF's Probability of Failure on Demand (PFD). Table 3.1 defines SIL levels and associated PFD ranges.

Table 3.1—SIL Definitions

SIL    SIF PFD
1      1/10 – 1/100
2      1/100 – 1/1000
3      1/1000 – 1/10000
4      1/10000 – 1/100000

Initiating Event Frequencies

Table 3.2—Initiating Event Frequencies Example

Initiating Cause            Likelihood, events/yr    Likelihood 10^-x
Control Loop Failure        1/10                     10^-1
Seal failure                1/10                     10^-1
Gasket failure              1/100                    10^-2
Unloading hose failure      1/10                     10^-1
Rotating Equip Failure      1/10                     10^-1
Rotating Equip Trip         1/1                      10^0
Fixed Equip Failure         1/100                    10^-2
Loss of Power               1/10                     10^-1
Utility Failure             1/10                     10^-1

Table 3.3—Human Error Frequencies Example

Human Errors                                                    Likelihood
Well trained operator with stress                               1/(10 opportunities)
Well trained operator, no stress                                1/(100 opportunities)
Well trained operator, no stress, independent verification      1/(1000 opportunities)

Independent Protection Layers

Other (non SIF) independent protection layers (IPLs) also have associated characteristic probabilities of failure on demand (see Table 3.4). For example, a typical Pressure Safety Valve (PSV) is expected to fail to open in 1/100 to 1/1000 tries. Hence a PSV is assigned a PFD of 0.01 (i.e. it should function correctly for >99% of demands). This corresponds to a risk reduction factor of 2 (orders of magnitude).

Table 3.4—Some Typical IPL PFDs

IPL                                                                                    PFD      Risk Reduction
PSV, Rupture disk (clean service, properly sized for the selected scenario)             1/100    2
Independent Control Loop                                                               1/10     1
Open vent, no valve (clean service, properly sized for the selected scenario)          1/100    2
Flame arrestor (prevent flashback) (clean service, properly sized for the selected scenario)    1/10     1
CRO, alarm, well documented action, 20 minutes available                               1/10     1

Ignition Probability

Facilities are designed to avoid ignition sources wherever hydrocarbons are contained and might be released. The estimation of ignition probability is beyond the scope of this paper. Most gas clouds do not ignite.
Suggestion: Given that a large majority of gas releases do not ignite, it is reasonable in a HAZOP to take a 1 order of magnitude credit on the likelihood that a gas cloud will ignite.

Number of People in the Area

If no one is around, no one will be killed. Most operating areas are sparsely populated most of the time. Except for scenarios that envelope or risk the entire facility, a limited number of people will be at risk. An important exception to this is the case of a slowly developing scenario in which outside operators may be directed to the site of an upset.

Suggestion: If there is less than a 10% chance of the area being occupied, then a one order of magnitude credit can be taken.

IPLs vs. Safeguards

HAZOPs identify multiple safeguards. These will not all count as IPLs under LOPA rules. In order to be considered an IPL, a protective function must be:

1. Effective in preventing the consequence when it functions as designed
   a. Can the IPL detect the condition that requires it to act?
   b. Can it detect the condition in time to take corrective action?
   c. Does the IPL have time to detect the upset, process the information and take the required action (such as valve closing time)? Will this entire process occur rapidly enough to have the desired effect?
   d. Does it have adequate capacity?
2. Independent of the initiating event
3. Independent of any other IPL for which credit has already been taken
4. Auditable and testable.

Safeguards Not Usually Considered IPLs

1. Check valves (though 2 dissimilar valves in series may be counted)
2. Procedures, Certification, Training
3. Testing, Inspection, Maintenance
4. Communication Systems, Signs
5. Active Fire Fighting Systems

Determining PFDs of SIFs

In order to establish the SIL rating of a SIF, the failure probabilities of the SIF's individual components must be statistically combined and a testing frequency established. The testing frequency is an important consideration. Since these systems are used very infrequently, latent (unrevealed) failure on demand is a concern. Even the best engineered SIF cannot be expected to work forever without maintenance, and its reliability cannot be proved without testing.

Suggestion: For HAZOP risk ranking purposes, assume all SIFs have a SIL of 1 (i.e. offer a risk reduction of 1 order of magnitude). If further SIF risk reduction is required this may be achievable, provided the SIF can be shown to have a SIL rating >1 (as determined by more detailed specialist analysis).

Determining the exact SIL rating of SIFs is outside the scope of this paper. The discussion below suggests general guidance on what is practically achievable, based on a general design configuration.

Achieving SIL 1

A single safety switch actuating a single SDV can generally achieve SIL 1 with a reasonable testing schedule. If a single shutdown switch must actuate several SDVs in parallel (e.g. shutoff multiple feeds) then it will be more difficult to meet SIL 1 (requiring greater complexity and/or higher testing frequency).

Note: Often the Cause and Effects diagram shows a SIF actuating several different valves (final elements), to achieve a desired process shutdown state. However, closure of a single valve may often achieve the required protective function. In that case the SIF may be defined as utilizing only the one required valve, making SIL 1 easier to achieve.

Achieving SIL 2

Achieving SIL 2 may require multiple sensing devices in a voting arrangement, and/or possibly multiple SDVs, in conjunction with more onerous testing requirements. Expert guidance is required.

Achieving SIL 3

SIL 3 SIFs are difficult to engineer, requiring complex voting sensors and/or final elements, and are comparatively uncommon in the oil patch. Expert guidance is required.
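The frequency judgment this appendix describes (initiating event frequency, the PFDs of credited IPLs, the optional ignition and occupancy credits, and the SIL needed from a new SIF to close any remaining gap) can be combined into one small calculation. The Python below is an added example written for this edit, not code from the paper or its authors. It takes its initiating event frequencies from Table 3.2, its IPL PFDs from Table 3.4 and its SIL bands from Table 3.1, and credits any existing SIF at SIL 1 as the paper suggests. Assumptions of mine: the tolerable frequency for severity row r is 10^-r per year (the Appendix 1 calibration anchors only row 4 at 1/10000 per year), and the SIL bands are lower-exclusive, upper-inclusive.

```python
"""Simplified LOPA frequency chain and SIL sizing for a HAZOP (Appendix 3).

Added illustration, not the paper's code. Initiating event frequencies from
Table 3.2, IPL PFDs from Table 3.4, SIL bands from Table 3.1, one-order
credits for ignition and for occupancy below 10%. Tolerable frequency of
10^-r per year for severity row r and the band edge convention are
assumptions of this example.
"""
import math

# Table 3.2, events per year.
INITIATING_EVENT_FREQUENCY = {
    "control loop failure": 0.1, "seal failure": 0.1, "gasket failure": 0.01,
    "unloading hose failure": 0.1, "rotating equipment failure": 0.1,
    "rotating equipment trip": 1.0, "fixed equipment failure": 0.01,
    "loss of power": 0.1, "utility failure": 0.1,
}
# Table 3.4 PFDs, plus a SIF credited at SIL 1 per the paper's suggestion.
IPL_PFD = {
    "PSV": 0.01, "rupture disk": 0.01, "independent control loop": 0.1,
    "open vent": 0.01, "flame arrestor": 0.1, "CRO alarm, 20 min available": 0.1,
    "SIF (assumed SIL 1)": 0.1,
}
# Table 3.1: (SIL, upper PFD bound inclusive, lower PFD bound exclusive).
SIL_BANDS = [(1, 0.1, 0.01), (2, 0.01, 0.001), (3, 0.001, 0.0001), (4, 0.0001, 0.00001)]
CONDITIONAL_CREDIT = 0.1   # one order of magnitude, for ignition and for occupancy


def tolerable_frequency(severity_row):
    """Maximum acceptable frequency for a severity row, 10^-r per year (assumption)."""
    if severity_row not in range(1, 6):
        raise ValueError("severity row must be 1..5")
    return float(f"1e-{severity_row}")


def mitigated_frequency(initiating_event, ipls=(), ignition_credit=False, occupancy_credit=False):
    """Scenario frequency after the credited IPLs and conditional modifiers."""
    freq = INITIATING_EVENT_FREQUENCY[initiating_event]
    for ipl in ipls:
        freq *= IPL_PFD[ipl]
    if ignition_credit:      # most gas clouds do not ignite
        freq *= CONDITIONAL_CREDIT
    if occupancy_credit:     # area occupied less than 10% of the time
        freq *= CONDITIONAL_CREDIT
    return freq


def required_risk_reduction(severity_row, mitigated):
    """Remaining whole orders of magnitude to reach the tolerable frequency."""
    gap = math.log10(mitigated / tolerable_frequency(severity_row))
    return max(0, math.ceil(round(gap, 9)))   # round() absorbs float noise at exact decades


def sil_for_pfd(pfd):
    """Table 3.1 band for a SIF's PFD."""
    for sil, upper, lower in SIL_BANDS:
        if lower < pfd <= upper:
            return sil
    raise ValueError(f"PFD {pfd} is outside the SIL 1-4 bands")


def required_sif_sil(severity_row, mitigated):
    """SIL a single new SIF would need to close the gap; 0 if there is no gap."""
    gap = required_risk_reduction(severity_row, mitigated)
    if gap == 0:
        return 0
    if gap > 4:
        raise ValueError(f"{gap} orders needed: beyond a single SIF, add other IPLs")
    return sil_for_pfd(float(f"1e-{gap}"))


if __name__ == "__main__":
    # Main-body example: Major (row 4), pressure control loop failure, PSV credited.
    f = mitigated_frequency("control loop failure", ["PSV"])
    print(f"mitigated {f:.0e}/yr, gap {required_risk_reduction(4, f)} order(s), "
          f"a new SIF would need SIL {required_sif_sil(4, f)}")
    # MEG tank scenario from the main body: seal failure, low-level shutdown SIF,
    # with the ignition and occupancy credits taken.
    g = mitigated_frequency("seal failure", ["SIF (assumed SIL 1)"], True, True)
    print(f"mitigated {g:.0e}/yr, gap {required_risk_reduction(4, g)} order(s)")
```

The first case reproduces the paper's worked example (target 3, PSV credit 2, one order left for a SIF, hence SIL 1). The second shows why the ignition and occupancy credits matter: without them the same seal-leak scenario would still be two orders short of the row 4 target.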