Improve your knowledge. Functional Safety FAQs: What is LOPA? What is PHA? What is Functional Safety? What is SIL Assessment? What is HAZOP? and more ...

What is PHA?

PHA stands for Process Hazard Analysis and is the use  of a structured methodology to identify hazards, their consequences and likelihood.

Some methods adopted are:

  • HAZID
  • What If
  • QRA (Quantitive Risk Assessment) 
  • HAZOP

Identifying Major Accident Hazards (MHA) is a requirement of OSHA in the States, the HSE in the UK and SEVESO III in Europe.

To reiterate, on completing a PHA we should understand:

  1. What the hazards are
  2. What is the consequence of each hazard in terms of harm to People, the Environment and Asset
  3. The severity of each consequence
  4. The likelihood of each consequence
  5. What barriers are in place to prevent or mitigate each of the consequences

Recommended Reading:

HAZOP & HAZAN by Trevor Kletz

What is Functional Safety?

For us, Functional Safety is the compliance with all the stages of IEC61511’s lifecycle.

Read this in connection with IEC61511-1 Figure 7. This  Figure depicts the phases of the Lifecycle and indicates the relevant Clauses within IEC61511. It is recommended to read the following, then check each Clause to understand the intent of each phase.

Phase 1 and 2. Phase 1 is in effect the PHA (see above). During this phase the SIFs (Safety Instrumented Functions) will be allocated as protective layers for specific consequences. A Safety Integrity Level (SIL) will be assigned to each SIF (known as SIL assessment or SIL Classification). Once the SIL is known for each SIF and we know what hardware is to be used, what Proof Test Frequency is to be used, we can determine if the actual SIL matches the required SIL (known as SIL Verification).

Phase 3 is an evergreen phase, whereby the Safety Requirements Specification (SRS) is documented. The phase is evergreen, as it must be kept up to date throughout the lifecycle.

Phase 4 is the design and engineering of the Safety Instrumented System (SIS). The SIS contains the Logic Solver which provides the required functionality for all the SIFs. The SIS also includes the hardware required for each SIF i.e. Initiator and Final Elements, cabling. power supplies, etc. Note generally the equipment within the SIS should be designed in compliance with IEC61508.

Phase 5 is field installation of the SIS, the testing and commission. When the SIS has been Validated it is at this stage the System is handed over to the Operations Department.

Phase 6 is when the SIS is operated and maintained. Maintenance includes the scheduling and implementation of the Proof Tests for the SIFs. Note that each piece of equipment designed in accordance with IEC61508 will come with a Safety Manual. The requirements of each Safety Manual should be incorporated within the Proof Test Procedures.

Phase 7 is required throughout the lifecycle to handle all changes. Modifications to any part of the SIS must properly planned, reviewed, approved and documented prior to making the change. The required safety integrity of the SIS is maintained despite of any changes made to the SIS.

Phase 8. The objective is to ensure that prior to decommissioning any part of the SIS from active service, a proper review is conducted and required authorisation is obtained. 

[Note phases 9, 10 and 11 span the full lifecycle].

Phase 9. The objective is to demonstrate by review, analysis and/or testing, that the required outputs satisfy the defined requirements for the appropriate phases as identified by the verification planning.

Phase 10.  One of the first activities when starting the lifecycle is defining Functional Safety Management (FSM). The objective is to identify the management activities that are necessary to ensure the functional safety objectives are met. If you read IEC61511-1 Clause 5 you will see ‘competence‘ forms part of FSM. We will discuss this later.

Phase 11 is planning the lifecycle to establish how the lifecycle steps/stages are accomplished. See IEC61511-1 Clause 6.2.

Functional Safety Assessments: See IEC61511-1 Clause 5.2.6.1. An important part of the lifecycle is the Functional Safety Assessment (FSA). It is a review to ensure that the SIF under study achieves the required level of functional safety. It should be considered as a ‘hold point’ to either move to the next phase of the lifecycle or remain at the same phase until recommended modifications are implemented.

Five Stages of FSAs are required, one after phases 3 to 7.

What is a HAZOP?

As mentioned earlier, HAZOP is a methodology used in PHA. Reference IEC61882.

HAZOP stands for HAZard and OPerability.

The HAZOP study method was developed by ICI in the 1960s. The first guide being published in 1977.

A HAZOP study is a structured and systematic review of a planned or existing process or operation.

The procedure (in brief):

  1. Taking the Process Flow Diagrams (PFDs) or Piping and Instrument Diagrams (P&IDs) divide the process into bite size pieces – know as Nodes.
    Note: when Noding larger nodes can lead to increased complexity and difficulties in systematic assessment.
    The most important factor influencing node selection is the ability to clearly define and understand the purpose, or function, of the equipment in the node.
  2. For each Node we define the design intent. The design intent of a node usually includes one process operation word (i.e. react, separate, heat, cool, circulate, collect, receive, compress or remove) in addition to “transport”.
  3. Using the P&IDs marked with the Nodes, for each Node, select a deviation from the design intent e.g. More Flow.
  4. For each deviation we define it’s Cause e.g. BPCS malfunction opening LV-1000, when required closed/modulating.
  5. For each Cause we outline the Consequence in terms of potential harm to people and the environment (sometimes  asset and reputation are included). Note: the consequence should exclude credit from any safeguards. We want the unmitigated consequences. Example: The liquid level in drum V-1000 will fall. Eventually gas will blow-by and downstream vessel V-1001 will be exposed to 50 BarG. V-1001 has a design pressure of 10 BarG and will fail, leading to loss of containment. Potential for fire/explosion resulting in harm to People and the Environment.
  6. For each Consequence we list the Safeguards that can prevent or mitigate the hazard. Example:
    1. LAL-1001 (independent of LIC-1000) will alert the operator, enabling him/her to close manual isolation valve MV-1000 in the field. N.B. From LAL to emptying the drum takes 35 minutes.
    2. The SIS will initiate low level trip LZAL-1000, closing LZV-1000 to prevent gas blow-by.
    3. RV-1001 located at the roof of V-1001 is sized for gas-blow-by.
  7. For each Consequence we Risk Rank. There can be up to three Risk Rank entries.
    1. Unmitigated
    2. Mitigated 
    3. If the recommendation were implemented
  8. For each Consequence we list Recommendations as and when required. Note: Recommendations should:
    1. Be stand alone, such that it is understandable without the need of supporting information/Worksheet entry.
    2. Indicate a  a clear way of closing out the item.
    3. Be understandable, concise, and unambiguous.
    4. Be clearly worded to address the identified hazard.
    5. Be thorough i.e. identifying the reason for the recommendation and clearly state the concerns of the HAZOP team).
 

Recommended Reading:

HAZOP Guide to Best Practice, Frank Crawley and Brian Tyler

What is SIL Assessment? What is LOPA?

Safety Integrity Level (SIL) Assessment is allocation of a SIL to each Safety Instrumented Function (SIF), based upon its required Risk Reduction.

A SIF performs a single set of actions for a single hazard in order to bring the system to a safe state. Nominally a SIF comprises:

  • An Initiator, used to sense the process condition
  • A Logic Solver, used to perform the corrective action on the Final Element
  • A Final Element, used to control the process condition e.g. a valve or pump

The methodology for determining the SIL level varies between Organisation. In our experience the two most common methods are Risk Graph and Layer of Protection Analysis (LOPA). We will look at LOPA.

If the HAZOP was done correctly, LOPA follows on, using some of the information gleaned from the HAZOP Worksheet.

Procedure (broad brush):

  1. From the HAZOP obtain:
    1. LOPA scenario description (including consequence description).
    2. Consequence ranking. We are specially interested in the severity of the Consequence. Example: The HAZOP recorded that we could kill more than one person. Each organisation will have predefined tolerable frequencies for given consequences. In this example we will assume that frequency is 0.00001 per year. This frequency is the Target Mitigated Event Likelihood (TMEL). 
    3. List of initiating causes.
    4. List of safeguards.
  2. For each cause we assign an event frequency. These are industry stand frequencies (see recommended reading below). Example the BPCS event frequency is nominally 0.1 per year.
  3. For each of the Safeguards we assign a Probability of Failure on Demand (PFD). These are industry stand values (see recommended reading below). Example: Independent Alarm (see HAZOP example), PFD 0.1. Relief valve, PFD 0.01.
  4. We then consider Enabling Factors and Conditional Modifiers (see recommended reading below). Examples of these are:
    1. Time at risk
    2. Occupancy Factor
    3. Probability of ignition
    4. Probability of explosion
    5. Probability of Vessel failure 
    6. Wind direction
  5. We then determine the Initiating Event Likelihood (IEL) by multiplying the Initiating Event Frequency (IEF) by the Safeguards, or Independent Protection Layers (IPLs),  and the Enabling Factors and Conditional Modifiers. Example: Let us take the HAZOP example with no Enabling Factors and Conditional Modifiers; as there is always someone next to V-1001 and the fatalities are due to flying debris when the vessel catastrophically  fails. IEF (0.1) x Alarm/operator (0.1) x Relief valve (0.01) = 0.0001 per year.
  6. We than compare this with our target – TMEL. In this instance the TMEL is 0.00001 per year. The required Risk Reduction Factor (RRF) required by our SIF LZAH-1000 = IEL/TMEL = 0.0001/0.00001 = 10. Note that RRF = 1/PFDavg = 0.1.
  7. Item 6 shows that our SIF must be capable of providing a RRF better than 10. SIL 1 – see table below.
What is Functional Safety

Recommended Reading:

CCPS (Center for Chemical Process Safety). Layer of Protection Analysis SIMPLIFIED PROCESS RISK ASSESSMENT

CCPS (Center for Chemical Process Safety). Guidelines for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis . Wiley. 

CCPS (Center for Chemical Process Safety). Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis . Wiley.

Proving Functional Safety Competence

Training and certification is the best way of proving Functional Safety Competence. There are three main certifying bodies:

  1. exida 
  2. TUV
  3. ISA in the States

 

Read this (it may be a bit dated now).

This Website

Why the country theme on each Page?

If you look at other similar websites you will see people in hard hats, people with clipboards, diverse types in meetings and awful looking industrial plants. We wanted a fresh, back to nature theme. The pictures were free courtesy of pixabay