Using HAZOPS
Héctor Javier Cruz-Campa and M. Javier Cruz-Gómez*
Departamento de Ingeniería Química, Facultad de Química, Universidad Nacional Autónoma de México, Mexico City, D.F., Mexico; mjcg@servidor.unam.mx (for correspondence)
A simplified quantitative analysis methodology for the determination of required Safety Instrumented Systems (SIS) and the associated target Safety Integrity Levels (SIL) is presented. As prerequisites, the company policy for risk acceptability and a hazard and operability (HAZOP) study are needed. A risk acceptability criterion for large commodity chemical, petrochemical, or refining companies is discussed. The methodology starts with the selection of high potential risk scenarios from the HAZOP study. Then the effectiveness of the relevant process safeguards is evaluated based on layers of protection analysis, to assess whether there are adequate and sufficient safety protection layers in the chemical process, so that the actual risk of the process is at an acceptable level. The method allows the user to determine first whether a SIS is required and then what SIL is required for each function it performs. If a SIS already exists in the process, the methodology can be used to verify the required SIL for each safety instrumented function. © 2009 American Institute of Chemical Engineers Process Saf Prog 29: 22–31, 2010

Keywords: Safety Instrumented Systems, Safety Integrity Levels, Layers of Protection Analysis, hazard and operability, risk, policy

INTRODUCTION

Safety Instrumented Systems (SISs), such as emergency shutdown systems, fire and gas systems, and safety interlocks, are safety related systems that implement one or more Safety Instrumented Functions (SIFs). A SIF's job is to sense a hazardous condition and automatically take appropriate action to move the process to a safe state. A SIS implements its SIFs by means of (a) one or more sensors (e.g., temperature, pressure, level, fire presence, toxic or flammable gas concentration), (b) one or more electrical, electronic, or programmable electronic (E/E/PE) logic solvers (the most common is a safety programmable logic controller, PLC), and (c) one or more process control final elements (e.g., shutdown valves, electrical switches).

The design of a SIS includes two parts: (a) establishing what it will do, that is, specifying the SIFs it will perform, and (b) for each SIF, establishing how well it is required to work.

In the United States, the law [1] requires assurance of the mechanical integrity of emergency shutdown systems and safety controls (SISs), following "recognized and generally accepted good engineering practices." The latter clause has been interpreted by many authorities as "comply with all applicable international standards." The European Union and many countries around the world have similar laws. In countries where no similar law exists, compliance with international standards is indirectly enforced by insurance company recommendations, which correlate the degree of compliance with insurance rates.

The current international standard applicable to the integrity of SISs is IEC 61511 [2], entitled "Functional safety—Safety instrumented systems for the process industry sector," also adopted by the ISA SP84 committee as ANSI/ISA 84.00.01-2004 [3]. The main difference between these two standards is the addition, in the ISA standard, of one extra clause applicable to systems commissioned before its publication date. This clause allows a company to keep an existing SIS designed to the previous version of the standard (ANSI/ISA S-84.01-1996) as long as the company determines that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.

To establish how well a SIF is required to work, IEC 61511 defines four Safety Integrity Levels (SILs), which are categories based on the probability of failure on demand (PFD) of the SIF. The inverse of the PFD is called the risk reduction factor (RRF). Table 1 shows the ranges of PFDs and associated RRFs for each SIL.

IEC 61511 establishes requirements for the entire life cycle of the SIS. This "Safety Life Cycle" (SLC) includes requirements for the specification, design,

Process Safety Progress (Vol.29, No.1) Published on behalf of the AIChE DOI 10.1002/prs March 2010 23
Table 3. Frequency indexes for different kinds of expected events in a process plant lifetime.

Order of magnitude of the frequency f (events/year) | Frequency index (F) | Qualitative description
1,000 | 10 | Occurs every shift
100 | 9 | Occurs weekly
10 | 8 | Occurs monthly
1 | 7 | Occurs yearly
1/10 | 6 | High probability of occurrence in the plant's lifetime. Event has occurred at least once in similar plants
1/100 | 5 | Medium probability (26%) of occurrence in the plant's lifetime. High probability of occurrence at least once in the lifetime of 10 similar plants
1/1,000 | 4 | Low probability (3%) of occurrence in the plant's lifetime. Medium probability (26%) of occurrence in the lifetime of 10 similar plants
1/10,000 | 3 | Low probability (3%) of occurrence in the lifetime of 10 similar plants
1/100,000 | 2 | Low probability (3%) of occurrence in the lifetime of 100 similar plants
1/1,000,000 | 1 | Low probability (3%) of occurring once in the lifetime of 1,000 similar plants
1/10,000,000 | 0 | Inconceivable event for practical purposes
Table 4. Limit frequency in the variable criteria zone for each consequence category.

Table 5. Threshold frequency numbers for each consequence category.

Consequence severity | Maximum acceptable frequency (events/year) | Threshold frequency index (Ft)
Category 5—Catastrophic | 1/10,000 | 3
Category 4—Major | 1/1,000 | 4
Category 3—Critical | 1/100 | 5
Category 2—Minor | 1/10 | 6
Category 1—Negligible | 1 | 7

• Totally negligible risks: All criteria agree that in this zone, actions for further risk reduction or mitigation are not required or convenient.
• Variable criteria zone: In this zone, each criterion differs in how much risk reduction is needed, recommended or convenient, or in the urgency of these actions. In this zone, each company or industry should choose how much it is practical to reduce or mitigate risks.

The limits for each zone represented in Figure 1 were obtained from published government tolerable risk criteria [5] and are listed in Table 4.

For the purposes of this article, establishing a risk acceptability policy means choosing a maximum acceptable frequency for each consequence category, between the two limits established in Table 4. For category 5 consequences, we suggest that the company at least should make sure that the risk inside the process facility is not greater than the general individual accident risk outside it, which is around 10^-4 events/year. Other companies may choose higher performance targets and use a frequency an order of magnitude lower. This would mean that the company wants the operation of the process facility to be safer than the average. For this article we chose the first criterion for maximum acceptable frequencies, represented in Table 5 along with the associated frequency indexes. The maximum allowable frequency index for each consequence category will be called the "Threshold Frequency Index" (Ft).

DESCRIPTION OF THE SIS/SIL DETERMINATION METHODOLOGY

According to the SLC described in the IEC 61511 standard, before attempting to define a SIL for a SIS, a process risk analysis should be carried out and non-SIS protection layers should be used to prevent or reduce the identified risks. Only if the non-SIS protection layers are found insufficient for risk mitigation to acceptable or tolerable levels can we recommend the use of a SIS, for which we need to define the required SIL. To carry out the definition of the SIS/SIL, a semiquantitative methodology was developed based on Layers of Protection Analysis (LOPA) [4], which is described next. The term SIS/SIL is used to indicate that the methodology helps to define first whether a SIS is to be used and second what the required SIL is. This implies that in many risk scenarios no SIS may be justified and existing protection layers will be adequate for risk mitigation.

Chemical process incidents involving hazardous chemicals, particularly catastrophic ones, occur when an initiating event is combined with the failure of one or more process protection layers. The estimated frequency for these incidents is equal to the frequency of the initiating events multiplied by the probability of these layers failing simultaneously on demand. Depending on the severity of the potential consequences of an incident, the risk acceptability criteria are used to establish a maximum allowable frequency. A semiquantitative evaluation of the demand frequency and the PFD of the applicable protection layers can determine whether the protections are sufficient for the established criteria. If the available process protection layers are not sufficient, additional protection layers must be evaluated, which may include a Safety Instrumented System (SIS). When a SIS is recommended, the required SIL can be easily obtained.

Steps in the SIL/SIS Evaluation

Step 1: Identify a Hazardous Event and Assess its Severity

We start this methodology with a hazard and operability (HAZOP) study, the most commonly used methodology for process plant hazard evaluation, from which the highest potential risk scenarios are selected. High potential risk scenarios are scenarios with high initiating event (cause) frequency and high unmitigated consequences. We can detect these scenarios by looking at the number of existing or proposed protection systems (in the safeguards and recommendations columns), where a high number of protections can be related to high risk, or by searching for explosion, fire, or toxic release potential mentioned in the consequences. Other important scenarios for this methodology include those that mention existing or proposed SISs.
Using the information available from the consequences pointed out in the HAZOP study, consequence severity must be categorized to assign a threshold frequency for each scenario. Consequence severity must be assessed considering that all existing protections that could possibly fail actually fail (passive consequence-reducing protections such as dikes are considered never to fail, unless the design is judged to be inadequate).

To help with the consequence categorization step based on size of release and consequences on pro-
[...]
guidelines in Tables 6 and 7.

Table 6. Consequence category by amount released (bands from 50 to 500 kg up to more than 50,000 kg) and material type (combustible liquid below or above its boiling point, extremely toxic material); entries run from Category 1 (Negligible) to Category 5 (Catastrophic).
Table 7. Consequence category by equipment item and facility type (equipment spared or not; vessel rupture at 100–300 psi: Major, Category 4; vessel rupture above 300 psig or more than 10,000 gal: Catastrophic, Category 5).

These typical values will usually require a slight adjustment when using this methodology, because several factors exist in practice that reduce the effectiveness of existing protections:
• Inadequate design, e.g., worst case scenarios are not considered.
• The construction was not carried out according to the design established in the basic engineering, e.g., poor materials of construction.
• Maintenance less than adequate, e.g., no predictive maintenance programs.
• Deficient inspection and testing of safety equipment.
• [...] operation.

$F_r = F_i - E_s$ (3)

Reproduced from Ref. 4, with permission from AIChE.

[...] the scenario).

When Fr > Ft, we need to establish a risk control strategy based on the required effectiveness (frequency reduction) Sadd, as shown in Eq. 4:

$S_{add} = F_r - F_t$ (4)
Figure 2. Layers of protection for a chemical process, purpose and consequences of failure on demand (adapted from LOPA [4]).

Case 2: Sadd between 2 and 4
Non-SIS protection layers and improvement of existing protection layers must be suggested if possible, and the scenario reevaluated to determine whether this is enough. If no non-SIS protection layers can be suggested and existing protections have been improved, we can suggest installing a SIS.

If a Safety Instrumented System (SIS) is recommended, the required SIL can be determined from the Sadd value, after considering the other non-SIS alternatives, using Table 10.
Table 9. Typical SPFD numbers for some representative process items.

Table 10. Determination of the required SIL from the Sadd number.
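The screening procedure above (frequency index of Table 3, threshold index Ft of Table 5, Es as the sum of the IPLs' SPFD indexes, Eq. 3, Eq. 4 and the SIL selection) as a runnable Python script. This is an added example written for this edition, not code from the authors. Three things in it are assumptions: the relation F = 7 + log10(f), which is read off the rows of Table 3; the 30-year plant lifetime that reproduces the 26% and 3% figures in Table 3's qualitative column; and the use of the IEC 61511 PFD bands in place of the paper's Table 10, which is not reproduced on the page. The demo inputs are those of the paper's amine-unit scenario (Fi = 6, Es = 1, Ft = 4).

```python
# Added example (not the authors' code): the paper's semiquantitative
# SIS/SIL screening, Steps 1-5, as a runnable script.
from __future__ import annotations

import math

# Table 3 (frequency index F). Its rows 1,000/yr -> 10, 1/yr -> 7 and
# 1e-7/yr -> 0 are reproduced exactly by F = 7 + log10(f); indexes count
# orders of magnitude, so subtracting indexes divides frequencies by 10.
def frequency_index(events_per_year: float) -> int:
    """Map a frequency in events/year to the integer index F of Table 3."""
    return int(round(7 + math.log10(events_per_year)))


def index_to_frequency(index: int) -> float:
    """Inverse of frequency_index: events/year for a frequency index F."""
    return 10.0 ** (index - 7)


# Table 3's qualitative column (26% at 1/100 per year, 3% at 1/1,000 per
# year) equals P(at least one event) = 1 - exp(-f * T) with T = 30 years.
# ASSUMPTION: 30-year plant lifetime, events arriving as a Poisson process.
PLANT_LIFETIME_YEARS = 30.0


def lifetime_probability(events_per_year: float, n_plants: int = 1,
                         years: float = PLANT_LIFETIME_YEARS) -> float:
    """Probability of at least one event in n_plants over `years` years."""
    return 1.0 - math.exp(-events_per_year * years * n_plants)


# Table 5: threshold frequency index Ft for each consequence category.
THRESHOLD_INDEX = {5: 3, 4: 4, 3: 5, 2: 6, 1: 7}
CATEGORY_NAME = {5: "Catastrophic", 4: "Major", 3: "Critical",
                 2: "Minor", 1: "Negligible"}

# IEC 61511 SIL bands as (lower, upper) PFD bounds: a SIL n function has
# PFD below 10**-n, i.e. at least n orders of magnitude of risk reduction.
# ASSUMPTION: the paper's Table 10 (not reproduced on the page) follows
# these bands; the paper's own example (Sadd = 1 -> SIL 1) agrees with them.
SIL_PFD_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2),
                 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def required_sil(s_add: int) -> int:
    """Lowest SIL whose whole PFD band lies at or below 10**-Sadd."""
    if s_add < 1:
        return 0                       # less than one order of magnitude: no SIS
    target_pfd = 10.0 ** (-s_add)
    for sil, (_, upper) in sorted(SIL_PFD_BANDS.items()):
        if upper <= target_pfd * (1 + 1e-9):   # tolerate float noise at band edges
            return sil
    raise ValueError(f"Sadd = {s_add} exceeds SIL 4: redesign the process instead")


def evaluate_scenario(category: int, initiating_events_per_year: float,
                      ipl_spfd: list[int]) -> dict:
    """Steps 1-5 for one HAZOP scenario.

    category: consequence category 1-5 (Step 1; Table 5 gives Ft).
    initiating_events_per_year: initiating event frequency (Step 2; Table 3 gives Fi).
    ipl_spfd: SPFD index of each applicable independent protection layer
              (Step 3; Table 9); Es is their sum, one unit per decade of PFD.
    """
    ft = THRESHOLD_INDEX[category]
    fi = frequency_index(initiating_events_per_year)
    es = sum(ipl_spfd)
    fr = fi - es                                   # Eq. 3: Fr = Fi - Es (Step 4)
    result = {"category": CATEGORY_NAME[category], "Ft": ft, "Fi": fi,
              "Es": es, "Fr": fr,
              "mitigated_events_per_year": index_to_frequency(fr)}
    if fr <= ft:                                   # Step 5: threshold already met
        result.update(Sadd=0, target_sil=0,
                      advice="existing layers meet the threshold; no SIS justified")
        return result
    s_add = fr - ft                                # Eq. 4: Sadd = Fr - Ft
    result.update(Sadd=s_add, target_sil=required_sil(s_add))
    if 2 <= s_add <= 4:
        result["advice"] = ("Case 2: propose non-SIS layers or improve existing ones "
                            "and re-evaluate before specifying a SIS")
    else:
        result["advice"] = ("one decade short: add an independent non-SIS layer "
                            "or a SIL 1 SIF")
    return result


if __name__ == "__main__":
    # Paper's amine-unit scenario: Category 4, level transmitter failure at
    # about 1/10 per year, one IPL (alarm plus operator response, SPFD 1).
    print(evaluate_scenario(4, 0.1, [1]))
    # Same scenario with one more independent SPFD-1 layer: Fr = Ft, no SIS.
    print(evaluate_scenario(4, 0.1, [1, 1]))
```

The second call in the demo is the point the paper's conclusions make: one additional independent non-SIS layer with SPFD 1 brings Fr down to Ft, so the SIS is no longer needed. When using the script on real scenarios, keep the IPL list to layers that are genuinely independent of the initiating event (the paper's example excludes the failed level transmitter for exactly that reason), otherwise Es overstates the credit.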
Figure 4. Simplified P&ID of a section of a high pressure sour gas amine treatment unit.

Step 1: Identify a hazardous event and assess its severity.
For this scenario, taking into account that facility spacing is adequate, that personnel are mostly concentrated in a bunker control room at an adequate distance, and that the consequences involve a potential low pressure vessel rupture, we categorize the event as Category 4 (Major). From Table 5, the associated threshold frequency index (Ft) is 4.

Step 2: Identify the initiating event and assess its frequency.
The initiating event for this scenario is the failure of a level transmitter indicating a wrong high level. From Table 3 we determine that the initiating event frequency is of the order of 10^-1 events/year (an event with high probability of occurring in the plant's lifetime), so the associated initiating frequency index (Fi) is 6.

Step 3: Identify the applicable IPLs and evaluate their effectiveness.
In this scenario, the only applicable protection layer is an alarm and the associated human response. Assuming procedures are clearly written and operator training is adequate, from Table 9 we can assign an SPFD of 1 to this protection layer. The existing PSV and LG were already considered inadequate for this scenario in the HAZOP. So the total protection effectiveness for this scenario is Es = 1.

Step 4: Calculate the expected frequency for the hazardous event, taking into account the IPLs.
The reduced frequency for this scenario is Fr = Fi − Es = 6 − 1 = 5.

Step 5: Determine the need for additional layers of protection and the required SIL, if a SIS is recommended.
The reduced frequency for this scenario is greater than the threshold frequency for the consequence category (Fr > Ft), so we calculate the required frequency reduction Sadd:

$S_{add} = F_r - F_t = 5 - 4 = 1$

As Sadd = 1 and no non-SIS protection layers are applicable, we may suggest installing a SIS. The SIF would be to close an emergency shutdown valve installed in series with LV on detection of high pressure in the V-1 flash drum (we cannot use the signal from the LT, as its failure was the initiating event in the scenario). Its target SIL would be SIL 1. As normally a single valve will not be enough to meet SIL 1 requirements, a 3-way solenoid valve would be needed on the air pressure control line from the LIC, to close both the emergency valve and the level control valve in emergency situations, as shown conceptually in Figure 5.

CONCLUSIONS

It is not always necessary to have many protection layers or a redundant SIS (SIL 2 or 3). Many risk scenarios can best be dealt with by improving process design and instrumentation to diminish the magnitude and frequency of the deviations in the process, so that we depend less on safety systems. The approach presented in this article can help in making decisions about investment in additional and sophisticated safety protection layers or in improving existing ones.

LITERATURE CITED
1. Process Safety Management of Highly Hazardous Chemicals, 29 CFR 1910.119, United States Code of Federal Regulations, 1992.
2. International Electrotechnical Commission, Functional Safety—Safety Instrumented Systems for the Process Industry Sector, IEC 61511, IEC, Geneva.
3. ANSI/ISA-84.00.01-2004 (IEC 61511 mod), Functional Safety—Safety Instrumented Systems for the Process Industry Sector, ISA, Research Triangle Park, NC, 2004.
4. Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers (AIChE), Layers of Protection Analysis (LOPA): Simplified Process Risk Assessment, AIChE, New York, 2001.
5. Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers (AIChE), Guidelines for Chemical Process Quantitative Risk Analysis, Second Edition, AIChE, New York, 2000.
6. Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers (AIChE), Guidelines for Process Equipment Reliability Data with Data Tables, AIChE, New York, 1989.