1. Prepared by
Mohammed Majid Khan
Senior Instrumentation Engineer

2.  What is HAZOP
 What is LOPA
 What is SIL
 What is SIS
 What is SIF
 Understanding IEC 61508
 Understanding IEC 61511
 Understanding EXIDA
 Understanding OREDA

3.  Hazard and Operability (HAZOP) Study.
 The HAZOP study is recognized worldwide as a primary
methodology for conducing hazard analyses for oil,
petrochemical and chemical process units.
 HAZOP Study provides benefits to the owner and the
contractor in the following ways ;
 Identifies improvements for the safe operation of the
process unit at an earlier stage un the project ,making it
easier and usually significantly less expensive to make
those changes (e.g cost of changes Vs project Lifestyle )
 Provides information to assist in reducing the chances of
unplanned shutdowns.
 Significantly reduces time and costs for future HAZOP
studies due to changes made to the process unit during
construction or later revalidations(a government
requirement in some parts of the World)

4.  Provides information for developing process-unit-specific
operating and maintenance procedures
 Helps answer questions during the training of operators
and maintenance personnel about deviations or unusual
scenarios that may occur in the operation of the process
unit
 Provides guidance for developing mechanical integrity
programs, including information required by ANSI/ISA S84
(USA) or IEC 61511 (International ) Instrumentation
standards
 Identifies scenarios that may impact communities and
could be subject to government –required modelling
 Contributes toward demonstrating to the communities that
potential hazards have been assessed and safeguards to
control these potential hazards have been identified

5.  Typical HAZOP Report Table of Contents
 Executive Summary( Introduction ,Objectives and
Scope, Team Composition, Study Approach,
results)
 Typical tables (Severity Definitions ,likelihood
definitions ,Risk Ranking Defination, Risk
Ranking Matrix, Distribution of Recommendation
Risk Ranking)
 Typical Appendices (Process Description ,Study
Nodes, Session Progress Reports ,HAZOP
methodology Description ,technology- Specific
HAZOP worksheets, List of technology HAZOP
Recommendation ,Process Drawings.)

6.  Severity : Five Point Scheme for Hazard
Severity Levels
 Level 1 – Very Low (Insignificant)
 Level 2 – Low ( Minor)
 Level 3- Medium (Moderate)
 Level 4- High(Major)
 Level 5- Very High ( Significant/Catastrophic
Very High)

7.  : Five Point Scheme for Hazard Likelihood Levels
 Level 1 – Very Low (never heard of in an industry)
 Level 2 – Low ( Some Incidents in the industry)
 Level 3- Medium (Incidents has occurred in the
company)
 Level 4- High(Happens several times per year in
the company)
 Level 5- Very High (Happens several times per
year in the facility)

8.  The Traditional HAZOP method does not
include any formal ranking of the hazards
identified Some times this makes it difficult
to prioritize the recommendations for
implementation.
 It is beneficial to use a risk ranking scheme to
rank failure scenarios according to their
estimated severity and likelihood covered in
(Severity Level and Likelihood levels)

9.  NO : Negation of the design intent(e.g no
flow when there should be : no pressure
when there should be
 LESS: Less of a physical property than there
should be – quantitative decrease(e.g lower
flow rate than there should be )
 MORE : More of a physical property than there
should be – Quantitative increase

10.  PART OF : Composition of the system(stream)
is different than it should be – Qualitative
decrease (e.g less of component)
 AS WELL AS : More components present than
there should be – Qualitative increase (e.g
extra phase or impurities present)
 REVERSE : Logical opposite of the design
intent (e.g reverse flow)
 OTHER THAN : Complete substitution (e.g
transfer of a material to a location other than
intended

11.  Intention : The intention defines how the part
of the process(being studied) is expected to
operate
 Causes : These are the reasons why
deviations might occur. Once a deviation has
been shown to have a conceivable or realistic
cause, it can be treated as meaningful
 Consequences : these are the results of the
deviations should they occur
 Hazard : These are the consequences which
can cause damage ,injury or loss.

12.  Process Parameters , Such as , FLOW ,
PRESSURE, TEMPERATURE, LEVEL, QUANTITY
and TIME
Guide
Words/Design
Parameters
More
of
Less
of
None
of
Reverse Part
of
As well as Other
Than
Flow
Temperature
Pressure
level

13. 1)Start-up 9)Erosion
2)Shutdown 10)Severe Cold
3) Relief System 11)Earthquake
4) Sampling 12)Tornado
5) Utility Failure 13) Airplane crash
6) Corrosion 14) Flooding
7) Maintenance 15) Sabotage
8) Grounding /Static 16) Safety

14.  Layer of Protection Analysis (LOPA) is a semi
quantitative tool for analyzing and assessing risk
 LOPA is a simplified form of risk assessment
 LOPA is an analysis tool that typically builds on
the information developed during a qualitative
hazard evaluation, such as a process hazard
analysis(PHA)
 LOPA typically uses order of magnitude
categories for initiating event
frequency,consequence severity, and the
likelihood of failureof independent protection
layers (IPLs)(to approximate the risk of a scenario

15.  The Purpose of LOPA is to determine if there
are sufficient layers of protection against an
accident scenario
 LOPA is applied after a qualitative hazard
evaluation(e.g PHA) using the scenarios
identified by the qualitative hazard review
team

16.  Process design
 Basic Process control systems
 Critical Alarms and Human Intervention
 Safety Instrumented Function (SIF)
 Physical protection (Relief Valves,Rupture Discs,etc)
 Post release Protection (Dikes,Blast walls etc)
 Plant Emergency Response
 Community Emergency Response
 SIF is a combination of sensors, logic solver, and final elements with a
specified safety integrity level that detects an out of limit(abnormal )
condition and brings the process to a functionally safe state
 IPL is a device, system, or action that is capable of preventing a scenario
from proceeding to its undesired consequence independent of the
initiating event or the action of any other layer of protection associated
with the scenario
 The effectiveness of an IPL is quantified in terms of its probability of
failure on demand (PFD) which is defined as the probability that a system
(in this case the IPL)

17.  Express risk target quantitatively
 FAR: Fatal Accident Rate – This is the number
of fatalities occurring during 1000 working
lifetimes(108 hours)
 Fatality Rate = FAR*(hours worked)/ 108
OSHA Incidence Rate – This is the number of
illnesses and injuries for 100 work-years

18.  1.Express risk target quantitatively
 Include ( Fatal Accident Rate )
 Fatalities = (Frequency)(fatalities/accident)
 .001 =(.001)(1) fatalities/time period
 .001=(.0000001)(100,000) fatalities/time period
 2.Determine the risk for system
 In level of protection Analysis(LOPA),we assume that the
probability of each element in the system functioning (or
failing) is independent of all other elements
 We consider the probability of the inititating event(root
cause)occuring
 We consider the probability that every independent
protection layer(IPL) will prevent the cause or satisfactorily
mitigate the effect.
 3.Reduce the risk to achieve the target

19.  An international standard relating to the
Functional Safety of
electrical/electronics/programmable electronic
safety related systems
 Mainly concerned with E/E/PE safety-related
systems whose failure could have an impact on
the safety of persons and/or the environment
 Could also be used to specify any E/E?PE system
used for the protection of equipment or product
 It is an industry best practice standard to enable
you to reduce the risk of a hazardous event to a
tolerable level

20. IEC61513 :
Nuclear Sector Medical Sector
IEC61511 :
Process Sector
IEC62061 :
Machinery Sector

21.  Functional safety instrumented system for the
process industry sector
 Applies to wide variety of industries across
the process sector such as
 Chemical
 Oil Refining
 Oil and Gas Production
 Pulp and Paper
 Non-Nuclear Power generation
 Pharmaceuticals/Fine Chemicals

22. SAFETY
INTEGRITY
LEVEL
(SIL)
LOW DEMAND MODE
OF OPERATION
(Probability of failure
to perform its
designed function on
demand)
CONTINUOUS/HIGH
DEMAND MODE OF
OPERATION
(Probability of one
dangerous failure per
hour)
4 >= 10-5
up to < 10-4
>= 10-9
up to < 10-8
h-1
3 >= 10-4
up to < 10-3
>= 10-8
up to < 10-7
h-1
2 >= 10-3
up to < 10-2
>= 10-7
up to < 10-6
h-1
1 >= 10-2
up to < 10-1
>= 10-6
up to < 10-5
h-1
PFD PFH
Probability of Failure on
Demand
Probability of Failure per
Hour

23. Basic
Design
Unacceptable
No
Protection
IncreasingSeverity
Increasing Likelihood

24. Safety Integrity Level Risk Reduction
1 10-100
2 100-1,000
3 1,000-10,000
4 10,000-100,000

25. Reliability Probability of
failure on demand
Tri Unavailable
(per year)
90%-99% 0.1to 0.01 876 to 87.6 hrs
99%-99.9% 0.01 to 0.001 87.6 to 8.76 hrs
99.9%-
99.99%
0.001 to 0.0001 8.76hrs to 52.6
mins
99.99%-
99.999%
0.0001 to 0.00001 52.6 mins to 5.3
mins
SIL 1
SIL 2
SIL 3
SIL 4

26. SIL1-Standard Components ,Single channel or Twin non-diverse
channels
SIL 2- Standard Components ,1 out of 2 or 2 out of 3,possible need for
some diversity. Allowance for common-cause failures needed
SIL 3-Multiple channel with diversity on sensing and actation .common-
cause failures a major consideration .should rarely be required in
process Industry
SIL 4-Specialist design .Should never be required in the process Industry

27. LOPA
PROCESS
CONTROL and MONITORING
Basic process control systems
Monitoring systems (process alarms)
Operator supervision
PREVENTION
Mechanical protection system
Process alarms with operator corrective action
Safety instrumented control systems
Safety instrumented prevention systems
MITIGATION
Mechanical mitigation systems
Safety instrumented control systems
Operator supervision
PLANT EMERGENCY RESPONSE
Evacuation procedures
COMMUNITY EMERGENCY RESPONSE
Emergency broadcasting

29. consequence
risk
parameter
minor injury
no influence
to the environment
possibility
of avoiding
hazardous
events
frequency
& exposure
time
probability of the
unwanted occurrence
very slightrelatively
high
slight
dead of 1 person
rare
frequent
periodic influence
to the environment
dead to
several people
permanent influence
to the environment
disaster
rare
frequent
possible
not
possible
possible
not
possible
requirement
classes
RC or AK
Safety Integrity
Levels (SIL)
IEC 61508

30.  Various methods available :
 Qualitative risk graph
 Calibrated risk graph(methodology only-no
definitive)
 Layer of Protection Analysis(LOPA)
 Hazardous event severity Matrix
 Quantified Risk Analysis (QRA)

31.  The Probable rate of occurrence of a hazard
causing harm
AND
The Degree of Severity of the Harm
Qualitatively – Words
Quantitatively – Figures
The formula for risk is
Risk = HAZARD FREQUENCY X HAZARD
CONSEQUENCE

32.  Two Kinds of “SIL Calcs”
 SIL Assignments Calculation
Consequence Analysis
Likelihood Analysis
SIL Verification Calculations
Required by standards
Use a combination of Software tools and
Custom Calculations
Exida – SILVER(ExSILentia)
SIS-Tech - SilSOLVER

33.  Process Design
 Hazard Identification
 Risk Assessment
 Risk Tolerance Criteria Confirmation
 Risk Reduction Allocation
 Safety Function Definition
 Safety Requirements Specification
 Reliability Verification

34.  A safety Instrumented System (SIS) may be defined as an
independent protection layer that is installed to mitigate the risk
associated with the operation of a specified hazardous system
which is referred to as the equipment under control
 The EUC is the unit protected against going into a dangerous
state by the SIS
 The purpose of SIS is to take process to a “safe state "when pre-
determined set points have been exceeded or when safe
operating condition have been transgressed
 A SIS is comprised of safety functions with sensors, logic solvers
and actuators
 Sensors for signal input and power
 Input signal interfacing and processing
 Logic solver with power and communications
 Output signal processing, interface and power
 Actuators( valves, switching devices) for final control function

35.  A safety Instrumented Function(SIF) is a safety
function with a specified safety integrity level
which is implemented by a SIS in order to
achieve or maintain a safe state.
 The SIS performs specified functions to
achieve or maintain a safe state of the
process when deviations are detected .The
Safe state is a state of the process operation
where the hazardous event cannot occur.
 The above functions are called safety
instrumented functions (SIF)

37.  A HIPPS is a SIS installed in a pipeline to a
production system and protects against
overpressure by quickly isolating the source
causing the overpressure .If deviations are
detected, a fail safe close

38.  Qualitative method for assigning a category
to safety-related Instrumentation
 Why is it used
Risk of plant failure and associated impacts on
personnel, equipment and environment can be
mitigated by provision of instrumentation with
a higher degree of reliability.
S.I.L assessment defines these risks and
provides a suitable criterion for procurement of
such instrumentation

39.  How is it done
S =C+F+M-T
Where S = Safety Integrity Level
C = Consequence to personnel
/Plant/Environment
F = Expected Frequency of Event
M = Mitigation provided by normal
process instrumentation
T = Allowable Fatal Accident Rate
(FAR)
Use value for T based on client/Project agreement
Assign values for C,F and M in accordance with
following tables

40.  Consequences (C)
 Select the highest index number from the
consequences to personnel(O0,Plant (P) and
Environment (E) and use this value for C in
the S.I.L equation
Description of Consequence to Plant Personnel
Potential
Deaths
Index
O
Accident extends beyond the plant boundary into the neighboring area >100 3
Large part of factory destroyed - Major explosion or toxic release 10 - 100 2
Factory unit or plant section destroyed. Multiple operating staff killed 1 - 10 1
Single operator killed or injured equipment damaged 1 0
If Operators are seldom in the affected area (say less than 6 mins. in every hour) then the C
index may be reduced by a value of 1

41. Description of Consequence to Production Facilities Index
P
No operational upset - No damage to equipment -6
Minor operational upset e.g.
Off specification product / Relief case of medium quantity
Minor damage to equipment e.g.
Cavitation of a conventional pump on low suction level
Longer term moderate or major damage to essential equipment
-5
Moderate operational upset e.g.
Upset in utility affecting other units such as liquids in an off-gas stream
Relief case of a large/moderate quantity of highly valuable products
Moderate damage to equipment e.g.
Over pressure resulting in minor loss of containment (e.g. gasket leaks)
Cavitation of a spared high speed or multi-stage pump.
-4
Major operational upset e.g.
An immediate large relief case that would cause violent high energy release
such as vapour breakthrough from high to low pressure
Process fluid overflow
Solidification of product in large unheated piping system requiring major
corrective action
Non-costly repair required of essential unspared equipment
Major damage to equipment e.g.
Costly repair required of major spared equipment or non-essential equipment
-3
Damage causing major loss of containment (rupture) e.g.
Excessive overtemperature such as exotherms and runaway reactions
Over pressure resulting in major loss of containment
Damage to essential equipment which could cause a major economic loss
(millions of pounds) due to disabling of essential unspared equipment
Failure of protective instrumentation system to guard against high level on
the suction vessel of a recycle gas compressor
Failure of protective instrumentation system to guard against low level on a
suction vessel for a multi-stage high speed HCU feed pump
Furnace or Boiler protection
-2

42. Description of Consequence to Environment Index
E
No release or negligible damage to the environment
No release or a very minor release that is below environmental quality standard,
not even justifying an alarm e.g.
A very small release from a flange gasket or a valve stem seal without
blowing out the gasket or seal material
-6
Release with minor damage to the environment which should be reported
A release that is not very severe but is large enough to be reported to plant
management or the local authority e.g.
A moderate leak from a flange gasket, valve stem seal, pump or compressor
seal, small bore connection, a relief valve blowing hydrocarbons to
atmosphere.
Small-scale liquid spill contained on the location or platform
Small-sale soil pollution without affect on the ground water.
-4
Release within fence with significant damage to the environment
Significant loss of containment that damages the environment on the premises but
not outside the fence e.g.
A cloud of noxious vapour travelling beyond the unit limit following flange
gasket blow out, compressor seal failure etc.
A liquid release that is not collected in the drain system and could affect
ground water locally or spill into a river or sea.
-3

43. Description of Consequence to Environment Index
E
Release outside fence with temporary major damage to the environment
Major loss of containment travelling outside the premises causing environmental
damage that can be cleaned up without lasting consequences e.g.
A vapour or aerosol release with or without liquid fallout which causes
temporary damage to flora, fauna or property following venting to
atmosphere, liquid entrainment from flare etc.
Solids (dust, catalyst, soot, ash) fallout following an operational plant upset
Liquid spill to river or sea
-1
Release outside fence with permanent major damage to the environment
Major loss of containment travelling outside the premises causing environmental
damage that cannot be cleaned up without lasting consequences
A vapour or aerosol release with or without liquid fallout which causes lasting
damage to flora, fauna or property following venting to atmosphere, liquid
entrainment from flare etc.
Solids (dust, catalyst, soot, ash) fallout following an operational plant upset
Liquid spill to river or sea
Liquid release that could affect the ground water outside the fence
0

44. Description of Frequency of Event Typical Value Index
F
Event happens frequently > 10 per year 1
Event happens occasionally  1per year 0
Event rarely happens  0.1per year -1
Event unlikely  0.01per year -2
Description of mitigation by normal process instrumentation (Not
safety related system)
Typical
reliability
Index
M
No Protective System N/A 0
Single unreliable protective system or Operator must respond under
stress within 5 minutes
90% -1
Single reliable protective system or Operator has 5 to 20 minutes to
respond to avert the disaster
99% -2
Dual protective systems or Operator has more than 20 minutes to
respond and is under low stress
99.9% -3

45. SIL System Required
1 Hardwired System
2 Dual Redundant
System(programmable Software)
3 2 out of 3 Voting
4 Nuclear industry level protection
(not required for conventional
process plant)