Improved Integration of LOPA with HAZOP Analyses

Similar documents
Introduction Audience

Implementing LOPA Purpose Is the Company Ready for LOPA?

Available online at ScienceDirect. Procedia Engineering 84 (2014 ) 12 22

Process Hazard Analysis Fundamentals. Walt Frank, P.E. Frank Risk Solutions F R A N K R I S K S O L U T I O N S

Are You Being Honest With Yourself Regarding IPL Integrity?

COMPARISON OF PROCESS HAZARD ANALYSIS (PHA) METHODS

Session Nine: Functional Safety Gap Analysis and Filling the Gaps

LAYERS OF PROTECTION ANALYSIS FOR HUMAN FACTORS (LOPA-HF): AN IMPROVED METHOD FOR ADDRESSING HUMAN FAILURES IN PROCESS HAZARD ANALYSIS

ABIOSH INT L CERTIFICATE IN HAZARD AND OPERABILITY -HAZOP- AND HAZARD IDENTIFICATION (HAZID) STUDIES - HAZOP/HAZIDCert

Title Slide. Nigel James March 2016

INCLUSION OF HUMAN FAILURE IN RISK ASSESSMENT

Preparing for a Successful HAZOP/LOPA (Making or Breaking Quality & Efficiency)

Qualitative & Quantitative Hazard Analysis

Ammonia Terminals Risk Management Improvements

Hazard Analysis Technique Selection

Are you in control of process safety? Basis of safety assurance can provide the answer

Implementation Guide: Responsible Care Process Safety Code of Management Practices

TECHNICAL PAPER. Selection of HAZOP or PHR for Retrospective Hazard Reviews (RHRs)

HOW TO OSHA-PROOF YOUR PHAs

A Short Report Determination of Safety Integrity Level (SIL) using LOPA method in the Emergency Shutdown System (ESD) of Hydrogen unit

Session Seven Functional safety and ageing assets

Risk Alive Analytics

ProSafe Qualitative assessment technique for control adequacy Applying LOPA approaches for non-process scenarios. R4Risk

Permissive Sequencing and ISA The Shape of Things to Come

SAFETY INTEGRITY LEVELS CONSIDERATIONS FOR NEW AND EXISTING ASSESSMENTS

The Uses and Users of PHA/HAZOP Results

Functional Safety A Reality Check in the World of Projects! 1 of 22

Functional Safety Assessments of Safety Controls, Alarms, and Interlocks

Protective Systems Lifecycle Management and IPL Data Repository A database solution

Human Factor in Functional Safety

Lessons Learned from Application of LOPA throughout the Process Lifecycle

Project risk management

Manufacturing Technology Committee Risk Management Working Group Risk Management Training Guides

TÜV Rheinland Functional Safety Engineer Certificate (Process Hazard & Risk Analysis)

Research and Application of an Advanced LOPA Method for Risk Assessment of Chemical Process

A STUDY OF EFFECTIVE PROCEDURAL PRACTICES IN REFINING AND CHEMICAL OPERATIONS 1

A FRAMEWORK FOR SELECTION OF TEST METHOD AND TEST INTERVAL FOR SAFETY CRITICAL VALVES IN SITUATIONS WITH LIMITED DATA ABSTRACT

Addressing Perceived Barriers to the Acceptance of Third Party Certification

Automated System Validation By: Daniel P. Olivier & Curtis M. Egan

Operational Safety Integrity Closing the Safety Loop

IAASB CAG Public Session (March 2018) CONFORMING AND CONSEQUENTIAL AMENDMENTS ARISING FROM DRAFT PROPOSED ISA 540 (REVISED) 1

Security Guideline for the Electricity Sector: Identifying Critical Assets

DuPont s Approach of Safety Instrumented Functions - Bypassing. Hans van Dongen January 25, 2018

STATIONARY SOURCE AUDIT SAMPLE PROGRAM [VOLUME 1, MODULE 2] GENERAL REQUIREMENTS FOR AN ACCREDITOR OF STATIONARY SOURCE AUDIT SAMPLE PROVIDERS

Field Failure Data the Good, the Bad and the Ugly

LESSONS LEARNED IN AUDITING AUTOMATED SYSTEMS FOR PSM COMPLIANCE

API Comments on OSHA Guidance Document on Process Safety Management Guidelines for Small Business Compliance September 29, 2016

Using HAZOP/LOPA to Create an Effective Mechanical Integrity Program

Integrating Human Factors into Major Accident Safety Studies

Reliability Analysis Techniques: How They Relate To Aircraft Certification

FAQ SHEET - MAJOR HAZARD ANALYSIS / DIRECT HAZARD ANALYSIS (MHA / DHA)

Dallas AIChE Meeting April 24, 2012 Don Abrahamson Process Safety Consultant Abrahamson Consulting LLC Phone:

Applying Dynamic Process Simulations Toward Flaring Reduction

CalARP/RMP/PSM. Program Upkeep Requirements & Common Program Deficiencies. Ken Hufford. 949/ Risk Management Professionals

We spend around 2000 hours a year, some even cresting 3000 a year at our places of work. For most of us, we refer to work as a home, away from home.

SAFETY RELATED SYSTEMS

Process Safety Management (PSM)

Getting Started with Risk in ISO 9001:2015

How to qualitatively assess indefinite-lived intangibles for impairment

Challenge H: For an even safer and more secure railway

Requirements Analysis and Design Definition. Chapter Study Group Learning Materials

Auditing Standards and Practices Council

Standard for Validation, Verification and Audit

IS DIGITALIZATION JUST A BUZZ WORD FOR PROCESS SAFETY MANAGEMENT? Pascal Le Gal, PhD IIRSM Meeting, Abu Dhabi, April 4 th 2018

Product quality evaluation system based on AHP fuzzy comprehensive evaluation

CASE STUDY: SAFETY INSTRUMENTED BURNER MANAGEMENT SYSTEM (SI-BMS)

STANDARD FOR THE VALIDATION AND PERFORMANCE REVIEW OF FRICTION RIDGE IMPRESSION DEVELOPMENT AND EXAMINATION TECHNIQUES

Risk Assessment Techniques

Safety cannot rely on testing

LAYERS OF PROTECTION ANALYSIS FOR HUMAN FACTORS (LOPA-HF) by Paul Baybutt Primatech Inc., 50 Northwoods Blvd., Columbus, OH

ebook THE FIVE-STEP STRATEGY FOR QUALITY AND RISK-MANAGED LIFE SCIENCES TRANSLATIONS PAGE 1 library

Workplace HSE & Process Safety Consultancy

Update on October 2011 IESBA SME/SMP Working Group Report July 2013

Robert Posgai Director of Materials Procurement, Biogen (BPOG)

Quality Manual ISO 9001:2008 ISO 9001:2015

Connecticut Valve & Fitting Co.

Enhanced Mechanical Calibration of Dissolution Test Equipment

APPENDIX Q. SERVICE LEVEL AGREEMENTS (SLAs)

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

CORE TOPICS Core topic 3: Identifying human failures. Introduction

Operational Excellence Conference: Rethinking Operational Excellence

IAASB Main Agenda (March 2019) Agenda Item

Standard Approach to Risk Management for Offshore Operations. R.T. Lokken Chief Offshore Engineer ExxonMobil Upstream Research Company May 12, 2014

Copyright 2004 The Pharmaceutical & Healthcare Sciences Society

Digital transformation in government

Managing interdependencies in Current Expected Credit Loss (CECL) implementations

7600 W. Tidwell Rd., Ste. 600 Houston, TX (713) SmithBurgess.com

Safety Results Mirror Expectations at Westlake Petrochemicals New Grassroots Ethylene Plant

IAASB Main Agenda (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1

Jon Keswick, CFSE aesolutions Inc. 250 Commonwealth Drive, Suite 200 Greenville, SC 29615, USA

Risk Management: FDA and Industry Experience. Dan Snider, Ph.D Vice President Morgantown RD Mylan Pharmaceuticals Inc.

Introduction and Revision of IEC 61508

Qualification and Delivery of All Things Pharmaceutical. Blaik C Jensen Associate Quality Engineering Consultant

A Systems Approach to Risk Management Through Leading Indicators

Chief Executive Officers and Compliance Officers of All National Banks, Department and Division Heads, and All Examining Personnel

Process Safety Management (PSM)

Audit Training-of-Trainers Workshop, November 2014, Vienna Components of internal control within organization

On the Revision of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal Control

WHO guidelines on quality risk management

TRACEABILITY: SOLVING CHALLENGES & ADDING VALUE IN ELECTRONICS MANUFACTURING

Transcription:

Improved Integration of LOPA with HAZOP Analyses Dick Baum Nancy Faulk John Pérez, P.E. Lloyd s Register Celerity3, Inc. d.baum@celerity3.com ABSTRACT Integrating Layer of Protection Analysis (LOPA) with Hazard and Operability Analysis (HAZOP) has many advantages over performing these studies separately. The merits include: fewer actions from the combined effort compared to performing only a HAZOP; team continuity resulting from the combined effort as opposed to two separate teams having possibly differing points of view; and, ultimately, a time and cost savings realized by the combination. This integration defines the risk associated with a given scenario, enabling better decisions which impact business assurance. By using the Center for Chemical Process Safety (CCPS) guidelines to define the independent protection layers upfront, the gray areas can often be reduced or eliminated; thereby enabling a more thorough LOPA. Examples include taking credit if a unit has two independent operators (outside and inside) responding to critical alarms, or taking credit for centralized control rooms which may allow immediate operator interaction and response. This article shows how the guidelines have been used successfully in joint HAZOP/LOPA studies, and describes an initial preparation protocol that can ensure high-quality results.

INTRODUCTION Process safety management (PSM) has been in place in many companies around the world since 1992, after government mandates in Europe, the U.S, and elsewhere came into effect. Recently, the Center for Chemical Process Safety (CCPS) published guidelines for risk-based process safety (RBPS) as a framework for the process industries to implement and maintain PSM activities (1). These guidelines include twenty RBPS elements designed to improve process safety and effectiveness, of which one element is Hazard Identification and Risk Analysis (HIRA). HIRA comprises all activities involved in addressing the main risk questions of hazard, consequence and likelihood, and includes a spectrum of tools; which tool is chosen depends on the level of complexity of the scenario and may require multiple review processes. The following are done in order, proceeding as far down the list as is necessary to provide sufficient analysis without waste of resources: 1. The team initially performs simple hazard identification or qualitative risk assessment, through hazard and operability analysis (HAZOP), whatif/checklist analysis, or failure modes and effects analysis (FMEA). 2. If the scenario is too complex or the consequences too severe to rely solely on the qualitative assessment, the team moves to semi-quantitative risk analysis, utilizing layers of protection analysis (LOPA), or failure modes, effects, and criticality analysis (FMECA). 3. The decision to proceed to a quantitative technique, such as fault tree analysis or chemical process quantitative risk analysis (CPQRA), occurs, e.g. when the team determines the scenario is too complex or critical to rely on LOPA for risk assessment. It is estimated that 1% of scenarios proceed to this stage (2). The focus of this paper is the common practice of applying LOPA after an unacceptable consequence of a credible scenario is identified in the HAZOP, and will not consider any cause that requires a more rigorous quantitative technique. HOW LOPA IS USED LOPA is a semi-quantitative tool for understanding, through a rational, objective, risk-based approach, how many safeguards are needed for a particular incident scenario, and subsequently for performing calculations to determine whether existing protection is adequate. The CCPS responded to industry requests to tabulate and present industry practice for LOPA, and published its landmark book on the subject in 2001 (2). Since that time, LOPA has become a widely accepted tool for risk analysis and for safety integrity level (SIL) assignment. The quantitative calculation of risk is based on estimated frequency of potential incidents and the probability of failure on demand (PFOD) of the protection layers

(2, 3). The steps are outlined in the literature, for those unfamiliar with the procedure (2). TIMING OF THE LOPA PROCESS Early on in its utilization, the LOPA process was commonly viewed as an independent study, to be facilitated at a later date than the HAZOP. Usually separate teams performed the different analyses. For example, the LOPA team might have consisted of a process engineer and the LOPA team leader, or even a single analyst, in the case where the scenarios have been previously determined by a hazard evaluation team; in other cases, a larger team or an independent LOPA analyst reviewed the work (2, 4). This separation was thought to be useful because of (5, 6): concern that teams would become burned out; unavailability of software that converted HAZOP cause/consequence into a LOPA scenario; fear of inflating the cost of the proceedings; and prevention of biases from the HAZOP team. It became apparent that many of these concerns were overstated (6, 7); in addition, some problems arose because of the separation of the analyses. In many instances, facilitators were discovering that the LOPA team members wanted to recreate the HAZOP because they disagreed about the scenarios which had been developed. Completed HAZOP study records cannot be changed or modified without re-convening the original HAZOP team and performing a review of the questionable scenarios. This requirement for a HAZOP review has the potential to frustrate new LOPA members, if they disagree with the previous results. In contrast to the separate HAZOP/LOPA analyses discussed in the previous paragraphs, some of the original companies performing LOPA began incorporating it as part of their HAZOP sessions. Their positive experiences led to discussions about the timing of the LOPA process; this evolved into an issue discussed in the early CCPS book (2). Those authors suggested that LOPA could be integrated with the HAZOP, or subsequent to the HAZOP, and either process would be effective. From that point in time until now, there have been lively discussions concerning this topic (5-8), with both sides asserting that their methodology is superior. This paper shows how the guidelines have been used successfully in past joint HAZOP/LOPA studies, and describes initial preparation protocol that can ensure high-quality results. RECENT TRENDS

In recent years, the trend of integrating LOPA with HAZOP has grown substantially (6-8); those facilitators who were integrating the two analyses identified many benefits: Expertise HAZOP participants are usually process experts and at least one LOPA expert; getting a similarly qualified group together at another time is difficult and costly; Reduced time Keeping the same team in play reduces time lost in getting a new team up to speed on the systems involved. Even if the same team is utilized, memories dim and some review and ramp-up time are necessary; Ease of integration Several software tools are now available, such as PHA Pro (by Dyadem) and PHA Works (by Primatech), that maintain a common database in order to link causes, consequences and safeguards; and Cost savings Estimates of up to 30% savings were noticed as much as four years ago (7). The process industries are requesting integrated LOPA with HAZOP in response to these associated benefits. The data collected by the Risk Management Services division of Lloyd s Register Celerity3, for example, shows the following trend in the percentage of clients requesting the integrated approach when executing their HAZOPs: 2006 10% 2007 25% 2008 80% The dramatic rise is an indication of the widespread recognition that LOPA is a growing trend, and that there are advantages in this integrated approach. What follows is a discussion of ways facilities can enhance their success. IMPROVED HAZOP WITH LOPA ANALYSES This discussion will focus on three areas where experience shows the most potential for improving the integrated LOPA with HAZOP process: management decisions, training, and tracking changes. (1) Management Decisions Several key decisions must be made in advance of initiating the HIRA. LOPA is usually applied to determine if the calculated risk from a scenario is within the risk tolerance criteria or if the risk must be reduced. Thus, the first decision which must be established is the choice of criteria protocol to use. The most commonly used risk judgment protocols are: the use of a risk matrix; occasionally a numerical criteria method; and rarely (generally not recommended) the use of expert judgment (2).

This article assumes the use of the risk matrix, where each cell of the risk matrix correlates to the degree of risk reduction required for a cause-consequence pair in that cell, and is based on the consequence frequency and severity. The number of cells is in turn based on the number of rows and columns predetermined by management; will the matrix be a 4x4 or a 5x7? How many of the cells will trigger LOPA, based on management s tolerance of risk? Many companies have found that once they establish the matrix and the trigger points, the objectivity of the risk categories enables risk decisions to be made faster and more consistently. Proper calibration of and establishment of the trigger points in the risk matrix are vital to ensuring neither over- nor under-conservative specification are made (8). The next management policy decision is providing well-defined IPLs, or Independent Protection Layers. An IPL is a device, system or action that is capable of preventing a scenario from proceeding to its undesired consequence, and must meet the following requirements (2): Effective in preventing the undesired consequence, and quantifiable in terms of its PFOD Independent of the components or actions of any other IPL already claimed for the same scenario; Independent of the occurrence of consequences of the initiating event; and Auditable, by testing, documentation or review, in order to verify the assumed effectiveness. While the requirements seem straightforward, there are many instances where safeguards are confused with IPLs or where IPLs are not clearly defined. A safeguard is defined similarly to an IPL: any device, system or action that would likely interrupt the chain of events following an initiating event. The distinction is that its effectiveness cannot be quantified, due to lack of data or uncertainty as to independence (2), which leads to the commonly quoted assertion that all IPLs are safeguards, but not all safeguards are IPLs. The management or the LOPA analyst must determine if a safeguard meets the requirements listed above, and subsequently assign a PFOD based on either literature values or industry experience. The CCPS has provided guidelines that give a baseline for IPL determination, both active and passive (2). In addition, the reference provides a range of PFODs. Another source of guidelines for PFODs is the International Electrotechnical Commission (9). It has been the authors experience that the more effort management puts forth providing a listing of acceptable IPLs and specifying the PFODs to use, the less gray area exists for the LOPA team. This has the benefit of providing more objectivity, of speeding up the LOPA process, and of ensuring that the analysis follows management guidelines and not the team s interpretation. (2) Assure Proper Training Another improvement issue discussed here is the resolve to use competent personnel, with the appropriate training. Consider developing and then using

HIRA Subject Matter Experts (SMEs). These may be the process SMEs (such as operations, process chemists, reliability engineers, rotating equipment specialists), who are called upon to be part of the team. There should also be a few SMEs who are trained to lead HIRA activities routinely, including HAZOP/LOPA. Additionally, others with assigned HAZOP/LOPA duties would benefit from additional training, e.g. scribe or even participant. Note, however, that the team leader should normally come from outside the facility, independent of the operation (1, 2). The risk program should have dedicated personnel for managing HIRA activities, scheduling, tracking resolutions and so forth. There may be training involved for these personnel also. The decisions that management makes come in the form of support of the risk program personnel and support for appropriate training. (3) Track Changes Every facility should have implemented a system for auditing the elements which were identified as IPLs, either through testing or inspection, and provide maintenance or replacement as necessary. There should exist a listing of the IPLs, including design criteria, limitations, PFODs, and initiating causes for which they mitigate. Suppose, as a result of a LOPA or an audit, a change to IPL definitions or PFOD values, or a recommendation to add an IPL, occurs. These actions must be tracked as an item for review by the organization s safety committee: If after review a change in definition of IPL or PFOD values is accepted, this change needs to be updated in the appropriate published set of specifications, and the IPL summary sheet needs to be updated. Any recommendation for additional IPLs must be evaluated in order to reduce risk; implementation should be included in updates. This ensures that at the next LOPA, the analyst and team have the current IPL information and are able to apply definitions consistently. A HAZOP/LOPA can be thought of as an audit for the facility s risk management program and provides a method of continuous improvement. Items with unacceptable risk or those procedures which conflict with management guidelines are identified and assigned to appropriate personnel for resolution, as action items. Most HAZOPs produce a list of items in a node generally termed the Parking Lot or a Comment Page that records items needing further evaluation and study, but are not necessarily entered into an action tracking database. Management must ensure follow-up on these concerns as well, and track all action items through to resolution. ADDITIONAL EXAMPLES This section of the article discusses unresolved situations observed by the authors when facilitating integrated HAZOP with LOPA sessions. Involvement of

key personnel early on will ensure that the right questions are asked, and answered, in order to establish the appropriate technical risk matrix for that facility. Significant investments of time and resources made at the project frontend result in lower time and energy expenditures and less subjectivity. Example 1: What PFOD will the facility use for its relief valves? Literature suggests a range from 10-1 10-5 (2), and the PFOD must be determined based on that facility s inspection, testing and maintenance program (are the valves checked once a year or every five years?). Example 2: Whether or not to use the BPCS (Basic Process Control System) as an IPL is a concern, as it is a relatively weak IPL with limited testing capability. Human error, e.g. in bypassing alarms, can increase the probability of failure. Care must be taken to ensure that the BPCS is not associated with the initiating event. IEC 61511 limits the combined PFOD to 10-1 for any BPCS IPL that can be applied (9). Example 3: Some facilities will accept a low priority alarm as an IPL, but other facilities do not. Operator action, initiated by an alarm, is also accepted by some facilities, which have assessed the effectiveness of that operator action and determined that it meets the criteria required for an IPL. Human IPLs are generally less reliable than engineering controls, but not crediting human actions assuming adequate documentation, training and testing is too conservative. Example 4: Is it possible to count multiple functions in one BPCS as separate IPLs for a given scenario? Recall that one of the requirements for an IPL is that it is independent of the components of any other IPL, but in some situations it is possible. This requires independence of sensors and final elements, as well as adequate analysis and documentation. Example 5: If a unit that has multiple operators which can be notified of an unsafe condition; can these each count as an IPL? Consider the case of having an inside operator and an outside operator; in order to count them both as IPLs, there must exist independent alarms or sensors which would signal operator action independently. Example 6: The size of the risk matrix must be determined, and the LOPA matrix needs to mirror the HAZOP matrix. In one instance, the authors found that a facility used different matrices for HAZOP and LOPA, which caused the LOPA team to have to re-evaluate the consequences. This could have been easily prevented with better alignment of the risk matrix philosophies. CONCLUDING STATEMENTS

LOPA is a semi-quantitative risk analysis technique, triggered when the qualitative assessment of a HAZOP shows the scenario to be too complex or the consequences too severe. Facilities are increasingly integrating their HAZOP analyses with their LOPA studies, primarily because of the many benefits: a qualified group is already convened; study time is reduced; common databases can link causes, consequences and safeguards; and cost savings are realized. This article has presented three areas where experience shows the most potential for improving the integrated LOPA with HAZOP process: management decisions, training, and tracking changes. In addition, several examples were presented on the types of decisions which must be agreed upon, in order to ensure objectivity as well as to save time and effort when performing these analyses. The integrated approach of LOPA with HAZOP can be a vital part of a successful and robust HIRA program. LITERATURE CITED 1. Center for Chemical Process Safety (CCPS), Guidelines for Risk- Based Process Safety, American Institute for Chemical Engineers, New York, NY (2008). 2. Center for Chemical Process Safety (CCPS), Layer of Protection Analysis: Simplified Process Risk Assessment, American Institute for Chemical Engineers, New York, NY (2001). 3. Summers, A. E., Introduction to Layers of Protection Analysis, J. Hazard. Mater., 104 (1-3), pp. 163-168 (2003). 4. Dowell, A. M. and D. C. Hendershot, Simplified Risk Analysis Layer of Protection Analysis (LOPA), AIChE 2002 National Meeting, Indianapolis, IN, Nov. 3-8, 2002. 5. Marszal, E., Dispelling Myths about SIL Selection, http://www.isa.org/intechtemplate.cfm?section=standards_update1&te mplate=/contentmanagement/contentdisplay.cfm&contentid=58275, International Society of Automation, Research Triangle Park, NC. 6. Dowell, A. M., and T. R. Williams, Layer of Protection Analysis: Generating Scenarios Automatically from HAZOP Data, Process Saf. Prog., 24 (1), pp.38-44 (2005). 7. Bingham, K. and P. Goteti, Integrating HAZOP and SIL/LOPA Analysis: Best Practice Recommendations, ISA 2004, Houston, TX, October 5-7, 2004. 8. Kallambettu, J., Adopting Safety Life Cycle Activities for SIS by Engineering, Procurement, and Construction Companies, Safety Control Systems Conference 2008, Calgary AB, May 28-29 2008. 9. International Electrotechnical Commission (IEC), IEC 61511 Functional Safety: Safety-Instrumented Systems for the Process Industry Sector, Part 1, Geneva, Switzerland (2003).

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback