This article was written by Peter Morgan, director and principal consultant of Control System Design Services Inc.
Although a hazard and operability (HAZOP) analysis identifies failure events or upsets and the severity of the outcomes by engaging knowledgeable plant personnel, the process typically provides only qualitative information about event frequency and mitigated frequencies. This helps plants make decisions for safety improvement, but does not provide the detailed information necessary for a safety integrity level (SIL) determination.
The layer of protection analysis (LOPA), on the other hand, is a means to analyze event frequencies and the mitigating effects of protection layers. It does not provide a process for identifying possible failures in the plant and the severity of their consequences. This article shows how the two activities can be easily linked to provide the information required for a safety integrity level determination for a safety instrumented system (SIS), according to the recommendations of ISA84.00.01-2004 (IEC 61511 Mod).
HAZOP severity levels
HAZOP identifies severity levels for event outcomes (typically four of five).
Likelihood of occurrence
The HAZOP also identifies the frequency or likelihood of events ranging from 1 in 100 years to 1 in 100,000 years (i.e., not likely to ever occur). It is immediately obvious that this broad categorization of the frequency of initiation events does not provide the precision necessary to evaluate the demand on a safety system. This, however, need not detract from the usefulness of the HAZOP as long as actual event frequencies (if they are known at the time of the HAZOP) are recorded in the LOPA. The HAZOP process provides an assessment of the effect of individual events and their mitigation through existing safeguards to determine whether or not a design change or additional layers of protection are required. Objectively, when the plant owner establishes a target risk of, for example, 10–4 per year for events of severity 4, this is the target risk for all events combined. For example, for a burner management system (BMS) on a boiler, failure of a feedwater valve or loss of combustion air are required to shut off the fuel supply. In one case, failure of the BMS to act on demand could cause boiler or turbine damage and, in the other case, a boiler explosion. The HAZOP process treats these as quite separate events, but both create demands for action from the BMS. The SIL calculation cannot be done until the HAZOP has been completed, and all events in this severity category have been identified and assessed. It is important to note that although events of a particular severity may be mitigated by existing safeguards (including the operator) so that the residual risk appears acceptable without further mitigation, if events of this severity place a demand on the SIS, then the event must be included in the LOPA and subsequent SIL calculation. he example HAZOP worksheet shows just two events to demonstrate the integration of the HAZOP process and the LOPA. Note that it is not uncommon to have to consider thirty or more events as demands on a particular SIS (e.g., in the case of a BMS). The qualitative assessment of the residual risk for these events indicates that additional protection is required in one case but not necessarily the other. However, the assessment acknowledges that the risk will be further reduced for both events by tripping the boiler on detection of a high drum level through the action of an additional layer of protection (i.e., a BMS in this case). Adding a column to the traditional HAZOP worksheet is a way to flag that these events can be further mitigated by a SIS and that the events are to be included in the SIL calculation. Note that a HAZOP analysis carried out to establish the safety requirements for a replacement safety system cannot include the existing system in assessing the demands placed on the replacement system. This may be obvious, but it is a trap easily fallen into by those imbued in the normal operation of the plant with all installed systems available. The LOPA worksheet uses item reference nomenclature (#) that allows each event to be readily identified in the HAZOP by node, deviation, item, and consequence. Initiating frequency is obtained either directly from the HAZOP or from published device failure statistics from the industry or from equipment manufacturers. The identified protection layers mitigate the event by reducing the likelihood that the event will occur. Note that the mitigation cannot be dependent on the correct operation of the SIS (BMS in this case). ISA84.00.01 allows operator action in the mitigation of events (e.g., by responding to alarms), but limits the frequency reduction factor to 0.1. Intermediate event frequency is the product of the event initiating frequency and the identified mitigation factors; it represents the individual event likelihood after mitigation but without the protection offered by the SIS. Note that these are not required to be determined during the HAZOP, but that assessments by HAZOP participants can be useful and should be recorded if offered. This analysis (compared to ISA84.00.01) adds an additional entry in the table to identify the SIS inputs (process measurements) that are required for event mitigation. This helps calculate the required availability of each SIS input to achieve the target probability of failing on demand (PFD) for the entire system. The mitigated event frequency is the event likelihood with the SIS protection. It is the product of the “intermediate event frequency” and the SIS PFD.
The plant owner establishes target risk for event impacts in each severity level. Published statistics for fatalities in various industries are a basis for establishing target risk for the most serious events, in this case 1E-4 (once in 10,000 years) for severity level 4 events. For events that can be mitigated by the SIS (BMS in this case), every initiating cause that results in an event outcome of severity level 4 must be considered as a demand on the SIS for the purpose of calculating the required SIL. Events that cause an impact severity level 3 may also place a demand on the SIS. If the combined frequency of all events in this category is more than one order lower than events of severity level 4, a SIL determination–based severity level 4 will be sufficient. In other words, a SIL determination based on impact severity level 3 and a target risk for the severity of 1E-3 would cause a lower target PFD than that calculated based on severity level 4 events. If this is not the case, a SIL calculation based on severity level 3 events will determine the target PFD for the SIS.
Target risk = PFDSIS × Intermediate event frequency
PFDSIS = Target risk / Intermediate event frequency
The example LOPA worksheet only shows two severity level 4 events. When all severity level 4 events are included in the analysis, the intermediate event frequencies for impact severity level 4 is 0.046 per year.
So that PFDSIS = .0001/.046 = 2.17E-3
This places the SIS in a SIL 2 category (PFD between 1E-2 and 1E-3) with a requirement that the overall system PFD is 2E-3 or better. Minor changes to the familiar HAZOP process can increase the utility of the HAZOP in providing information for a layer of protection analysis. The calculation of the required safety integrity level for a new or replacement safety system is simple. When based on a HAZOP and target risk agreed to by the plant owner and operating staff, it provides a credible performance requirement that is both practical and compliant with ISA84.00.01.
About the Author
Peter Morgan is director and principal consultant of Control System Design Services Inc. He has more than 40 years of experience in the design and commissioning of control systems, control systems performance assessment, and logic design for nuclear and conventional power plants.
A version of this article also was published at InTech magazine.