
Determine SIS and SIL Using HAZOPS
Héctor Javier Cruz-Campa and M. Javier Cruz-Gómez*
Departamento de Ingenieria Quimica, Facultad de Química, Universidad Nacional Autónoma de México, Mexico City, D.F., Mexico; mjcg@servidor.unam.mx (for correspondence)

Published online 26 February 2009 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10293

A simplified quantitative analysis methodology for the determination of required Safety Instrumented Systems (SIS) and the associated target Safety Integrity Levels (SIL) is presented. As prerequisites, the company policy for risk acceptability and a hazard and operability (HAZOP) study are needed. A risk acceptability criterion for large commodity chemical, petrochemical, or refining companies is discussed. The methodology starts with the selection of high potential risk scenarios from the HAZOP study. Then the effectiveness of the relevant process safeguards is evaluated based on layers of protection analysis, to assess if there are adequate and sufficient safety protection layers in the chemical process, so that the actual risk of the process is at an acceptable level. The method allows the user to determine first if a SIS is required and then, what SIL is required for each function it performs. If a SIS already exists in the process, the methodology can be used to verify the required SIL for each safety instrumented function. © 2009 American Institute of Chemical Engineers Process Saf Prog 29: 22–31, 2010

Keywords: Safety Instrumented Systems, Safety Integrity Levels, Layers of Protection Analysis, hazard and operability, risk, policy

Process Safety Progress (Vol.29, No.1), March 2010. Published on behalf of the AIChE.

INTRODUCTION

Safety Instrumented Systems (SISs), such as emergency shutdown systems, fire and gas systems, and safety interlocks, are safety related systems that implement one or more Safety Instrumented Functions (SIFs). A SIF's job is to sense a hazardous condition and automatically take appropriate actions to move the process to a safe state. A SIS implements its SIFs by means of (a) one or more sensors (e.g., temperature, pressure, level, fire presence, toxic or flammable gas concentration), (b) one or more electrical, electronic, or programmable electronic (E/E/PE) logical solvers [the most common is a safety programmable logic controller (PLC)], and (c) one or more process control final elements (i.e., shutdown valves, electrical switches).

The design of a SIS includes two parts: (a) establishing what it will do, that is, specifying the SIFs it will perform, and (b) for each SIF, establishing how well it is required to work.

In the United States, law [1] enforces the assurance of the mechanical integrity of emergency shutdown systems and safety controls (SISs), following "recognized and generally accepted good engineering practices." The latter clause has been interpreted by many authorities as "comply with all applicable international standards." The European Union and many countries around the world have similar laws. In countries where no similar law exists, international standards compliance is indirectly enforced by insurance company recommendations, by means of correlating degree of compliance with insurance rates.

The current international standard applicable to the integrity of SISs is IEC 61511 [2], entitled "Functional safety—SISs for the process industry sector," also accepted by ISA SP84 committee as ANSI/ISA 84.00.01-2004 [3]. The main difference between these two standards is the addition, in the ISA standard, of one extra clause applicable for systems commissioned before its publication date. This clause allows a company to keep their existing SIS designed to the previous version of the standard (ANSI/ISA S-84.01-1996) as long as the company determines that the equipment is designed, maintained, inspected, tested, and operating in a safe manner.

To establish how well a SIF is required to work, IEC 61511 defines 4 Safety Integrity Levels (SILs), which are categories based on the probability of failure on demand (PFD) of the SIF. The inverse of the PFD is called the risk reduction factor (RRF). Table 1 shows the ranges of PFDs and associated RRFs for each SIL.

IEC 61511 establishes requirements for the entire life cycle of the SISs. This "Safety Life Cycle" (SLC) includes requirements for the specification, design, implementation, operation, maintenance, and modification of a SIS, from its conception to the decommissioning, but the most critical steps in the SLC of a SIS are the determination of: (a) if a SIS is required at all, and, if the answer is yes, (b) the required or target SIL for each SIF implemented.

The lack of an adequate methodology and guidance for these two steps has been the cause of many unnecessary SIL 3 SISs being commissioned, when only SIL 1 SISs or non-SIS protections would be adequate. Adequate determination of the required SIS/SIL is important to ensure process risk is maintained at tolerable levels with the right investment on protection systems. Thus, the aim of this article is to provide a straightforward and easy to use methodology to achieve cost effective safety.

Table 1. Safety integrity levels.

SIL   PFD               RRF
1     0.1–0.01          10–100
2     0.01–0.001        100–1,000
3     0.001–0.0001      1,000–10,000
4     0.0001–0.00001    10,000–100,000

RISK QUANTIFICATION AND RISK ACCEPTABILITY

Understanding risk in a semiquantitative way is the key to understanding this methodology. Risk is the product of both the magnitude of the potential consequences of an unwanted event and its likelihood. By this definition, the risk of an undesirable event that may occur once per year is equivalent to the risk of another event whose consequences are 10 times greater but may occur only once in 10 years.

Consequence quantification is a difficult task that can be addressed by using consequence categories, roughly representing the order of magnitude of the potential costs associated with such events. Suggested categories for consequences are illustrated in Table 2.

The potential effects description in Table 2 is applicable to all company sizes, except for estimated costs involved. The monetary amounts used in Table 2 may be appropriate for large chemical commodities, refineries, and petrochemical companies, but for small or mid size chemical process companies an order of magnitude reduction is suggested (i.e., estimated cost greater than 1 million dollars would be considered catastrophic for a medium size or small company).

Table 2. Consequence severity categories and potential effects.

Severity                   Receptor      Potential Effects Description
Category 5: Catastrophic   Personnel     Fatality or permanently disabling injury
                           Community     One or more severe injuries
                           Environment   Significant release with serious offsite impact and probable immediate or long-term health effects
                           Facility      Major or total destruction of one or several process areas at an estimated cost greater than 10 million dollars or a significant loss of production
Category 4: Major          Personnel     One or more severe injuries
                           Community     One or more minor injuries
                           Environment   Significant release with serious offsite impact
                           Facility      Major damage to one or more process areas at an estimated cost greater than 1 million dollars or some loss of production
Category 3: Critical       Personnel     Single injury, not severe; possible lost time
                           Community     Odor or noise complaint from the public
                           Environment   Release that results in agency notification or permit violation
                           Facility      Some equipment damage at an estimated cost greater than $100,000 dollars and with minimal loss of production
Category 2: Minor          Personnel     Minor injury; no lost time
                           Community     No injury, hazard or annoyance to public
                           Environment   Recordable event with no agency notification or permit violation
                           Facility      Minor equipment damage at an estimated cost greater than $10,000 dollars and with no loss of production
Category 1: Negligible     Personnel     No injury, no lost time
                           Community     No injury, hazard or annoyance to public
                           Environment   Recordable event with no agency notification or permit violation
                           Facility      Minor equipment damage at an estimated cost of less than $10,000 dollars with no loss of production

Reproduced from Ref. 4, with permission from AIChE.

There may be an event that could be categorized beyond category 5, involving multiple fatalities or costs greater than 100 million dollars. If such potential consequences are known or discovered in a hazard identification study, the advice would be either to ensure that the process has adequate consequence reducing protections, or use an alternate inherently safer process, so that maximum consequence category is 5. Consequence reducing protections include passive energy and materials containment, like dikes and concrete wall enclosures, and appropriate distance between hazard sources and potential receptors, such as facility spacing and safety buffer zones. No company should operate with conditions for a potential Bhopal or Seveso.

On the other side, likelihood is expressed quantitatively in terms of an expected number of events per year, that is, in terms of a frequency. The useful range of frequencies for these kinds of studies normally has limits of $10^{-7}$ to $10^{3}$ events/year. Given the uncertainty of the frequency data available for these analyses and the wide range considered, we can work in terms of orders of magnitude in a simplified scale. In this simplified scale, frequency data are converted to an integer number from 0 to 10, which we will call "Frequency Index," described in Table 3. The equivalence between raw frequency data and frequency indexes is given by Eq. 1:

$$F = \mathrm{Int}\left(\log_{10}(f)\right) + 7 \qquad (1)$$

where F, frequency index; f, frequency in events/year.

Table 3. Frequency indexes for different kinds of expected events in a process plant lifetime.

Order of Magnitude
of the Frequency f   Frequency
(events/year)        Index (F)   Qualitative Description
1,000                10          Occurs every shift
100                  9           Occurs weekly
10                   8           Occurs monthly
1                    7           Occurs yearly
1/10                 6           High probability of occurrence in the plant's lifetime. Event has occurred at least once in similar plants
1/100                5           Medium probability (26%) of occurrence in the plant's lifetime. High probability of occurrence at least once in the lifetime of 10 similar plants
1/1,000              4           Low probability (3%) of occurrence in the plant's lifetime. Medium probability (26%) of occurrence in the lifetime of 10 similar plants
1/10,000             3           Low probability (3%) of occurrence in the lifetime of 10 similar plants
1/100,000            2           Low probability (3%) of occurrence in the lifetime of 100 similar plants
1/1,000,000          1           Low probability (3%) of occurring once in the lifetime of 1,000 similar plants
1/10,000,000         0           Inconceivable event for practical purposes

According to this formula, the "Frequency Index" F equals the closest integer to the base 10 logarithm of the frequency f (that is, the base 10 exponent) plus 7, where the frequency is a number between $10^{-7}$ and $10^{3}$. In the quantitative description of the lower frequency numbers shown in Table 3 we have considered the probability of occurrence in a reference time of the typical lifetime of 1, 10, 100, and 1,000 similar process plants; that is, 30, 300, 3,000, and 30,000 equivalent operation years. The relationship between frequency and probability is given by Eq. 2:

$$P = 1 - e^{-fT} \qquad (2)$$

where P, event probability; f, frequency; and T, reference time.

This way, if we know an event occurs once in 1,000 operation years ($10^{-3}$ events/year), there is a probability of 3% of the event occurring in the lifetime of one single plant and 26% of it occurring in the equivalent lifetime of 10 similar plants.

Figure 1. Representation of risk acceptability criteria in a frequency-severity diagram.

To understand risk and risk acceptability, we can draw a diagram for consequence vs. frequency (likelihood) using a logarithmic scale for each axis (see Figure 1). In such a diagram, the greatest risk is located at the top-right corner of the diagram, and equivalent risks can be drawn as straight lines, so we can establish three general zones, in relation to risk acceptability:

• Totally unacceptable risks: All criteria agree that in this zone, the actions for risk reduction or mitigation are obligatory and urgent.
• Totally negligible risks: All criteria agree that in this zone, actions for further risk reduction or mitigation are not required or convenient.
• Variable criteria zone: In this zone, each criterion differs in how much risk reduction is needed, recommended or convenient, or the urgency of these actions. In this zone, each company or industry should choose how much it is practical to reduce or mitigate risks.

The limits for each zone represented in Figure 1 were obtained from published government tolerable risk criteria [5] and are listed in Table 4.

Table 4. Limit frequency in the variable criteria zone for each consequence category.

Consequence Severity       Lower Limit Frequency   Upper Limit Frequency
                           (events/year)           (events/year)
Category 5—Catastrophic    1/100,000,000           1/1,000
Category 4—Major           1/10,000,000            1/100
Category 3—Critical        1/1,000,000             1/10
Category 2—Minor           1/100,000               1
Category 1—Negligible      1/10,000                10

For the purposes of this article, establishing a risk acceptability policy means choosing a maximum acceptable frequency for each consequence category, between the two limits established in Table 4. For category 5 consequences, we suggest that the company at least should make sure that risk inside the process facility is not greater than general outside individual accident risk which is around $10^{-4}$ events/year. Other companies may choose higher performance targets and use a frequency an order of magnitude less. This would mean that the company wants the operation of the process facility to be safer than the average. For this article we chose the first criterion for maximum acceptable frequencies, represented in Table 5 along with the associated Frequency Indexes. The maximum allowable frequency index for each consequence category will be called "Threshold Frequency Index" (Ft).

Table 5. Threshold frequency numbers for each consequence category.

Consequence Severity       Maximum Acceptable        Threshold Frequency
                           Frequency (events/year)   Index (Ft)
Category 5—Catastrophic    1/10,000                  3
Category 4—Major           1/1,000                   4
Category 3—Critical        1/100                     5
Category 2—Minor           1/10                      6
Category 1—Negligible      1                         7

DESCRIPTION OF THE SIS/SIL DETERMINATION METHODOLOGY

According to the SLC described in the IEC 61511 standard, before attempting to define a SIL for a SIS, a process risk analysis should be carried out and non-SIS protection layers should be used to prevent or reduce the identified risks. Only if the non-SIS protection layers are found insufficient for risk mitigation to acceptable or tolerable levels can we recommend the use of a SIS, for which we need to define the required SIL. To carry out the definition of the SIS/SIL, a semiquantitative methodology was developed based on the Layers of Protection Analysis (LOPA) [4], which is described next. The term SIS/SIL is used to indicate that the methodology helps to define first if a SIS is to be used and second what is the required SIL. This implies that in many risk scenarios no SIS may be justified and existing protection layers will be adequate for risk mitigation.

Chemical process incidents involving hazardous chemicals, particularly catastrophic ones, occur when an initial enabling event is combined with the failure of one or more process protection layers. The estimated frequency for these incidents is equal to the frequency of the initial events multiplied by the probability of these layers failing simultaneously on demand. Depending on the severity of the potential consequences of an incident, risk acceptability criteria are used to establish a maximum allowable frequency. A semiquantitative evaluation of the demand frequency and the PFD of the applicable protection layers can determine if protections are sufficient for the established criteria. If available process protection layers are not sufficient, additional protection layers must be evaluated, which may include a Safety Instrumented System (SIS). When a SIS is recommended, the required SIL can be easily obtained.

Steps in the SIL/SIS Evaluation

Step 1: Identify a Hazardous Event and Assess its Severity

We start this methodology with a hazard and operability (HAZOP) study, the most commonly used methodology for process plant hazard evaluation, from which the highest potential risk scenarios are selected. High potential risk scenarios are scenarios with high initiating event (cause) frequency and high unmitigated consequences. We can detect these scenarios by looking at the amount of existing or proposed protection systems (in the safeguards and recommendations columns), where a high number of protections can be related with high risk, or by searching explosion, fire, or toxic release potential mentioned in consequences. Other important scenarios for this methodology include those that mention existing or proposed SISs.

Using the information available from the consequences pointed out in the HAZOP study, consequence severity must be categorized to assign a threshold frequency for each scenario. Consequence severity must be assessed considering that all existing protections that could possibly fail, actually fail (passive consequence reducing protections such as dikes are considered to never fail, unless the design is judged to be inadequate).

To help with the consequence categorization step based on size of release and consequences on production and facilities, LOPA [4] suggests using the guidelines in Tables 6 and 7.

Table 6. Semiquantitative guide for consequence category selection based on size of release.

Release Characteristic                             0.5 to 5 kg         5 to 50 kg          50 to 500 kg        500 to 5,000 kg     5,000 to 50,000 kg  More than 50,000 kg
Extremely toxic above BP                           3 Critical          4 Major             5 Catastrophic      5 Catastrophic      5 Catastrophic      5 Catastrophic
Extremely toxic below BP or highly toxic above BP  2 Minor             3 Critical          4 Major             5 Catastrophic      5 Catastrophic      5 Catastrophic
Highly toxic below BP or flammable above BP        2 Minor             2 Minor             3 Critical          4 Major             5 Catastrophic      5 Catastrophic
Flammable below BP                                 1 Negligible        2 Minor             2 Minor             3 Critical          4 Major             5 Catastrophic
Combustible liquid                                 1 Negligible        1 Negligible        1 Negligible        2 Minor             2 Minor             3 Critical

Each cell gives the consequence category number and name. BP, atmospheric boiling point.
Reproduced from Ref. 4, with permission from AIChE.

Step 2: Identify the Initiating Event and Assess its Frequency

The initial event for a scenario is taken from the cause column in the HAZOP study. When each scenario has been evaluated with a risk matrix, its frequency can be determined from this evaluation. This value must be compared with the ranges available in literature for validation. A very good source for equipment reliability data is available from Center for Chemical Process Safety (CCPS) [6]. As with the threshold frequency, an "Initiating Frequency Index" (Fi) is assigned to the frequency data to simplify handling. Table 5 can be used to assign a frequency index for the initiating event.

Step 3: Identify the Applicable Independent Protection Layers and Evaluate Their Effectiveness

Independent Protection Layers (IPLs) are devices, systems, or actions capable of preventing a scenario from continuing to the undesirable consequences; they are independent of the initial event and the action or failure of any other protection layer associated with the scenario. The commonly available protection layers in a chemical process are shown in Figure 2 (adapted from LOPA [4]).

For the purposes of this methodology, the process design layer and contention systems must be taken into account in the potential consequences. The basic process control system (BPCS) layer will not be considered, because in a HAZOP study its failures are normally the causes or initiating events considered in each scenario. And finally, the emergency response layers are not taken into account, because the objective is to end up not needing these protection layers. So, only the following protection layers remain to consider in this methodology: (a) alarms and human response, (b) SISs, and (c) relief systems.

The effectiveness of each layer is evaluated using an index related to the order of magnitude of the PFD (SPFD) according to Table 8.

The SPFD number allows us to translate the PFD into a value easy to manage whose magnitude is proportional to the effectiveness of the protection. A low SPFD number indicates a protection with low effectiveness and very high probability of failure in case we need it, and vice versa.

SPFD numbers can be determined from the data published by the CCPS of the AIChE [6]. Some representative values are shown in Table 9.

These typical values will usually require a slight adjustment when using this methodology, because several factors exist in practice that reduce the effectiveness of existent protections:

• Inadequate design, e.g., worst case scenarios are not considered.
• The construction was not carried out according to the design established in the basic engineering, e.g., poor materials of construction.
• Maintenance less than adequate, e.g., no predictive maintenance programs.
• Deficient inspection and testing of safety equipment.
• Lack of operation training for safety systems operation.
• Systematic disabling of safety systems because of operative problems.
• Inadequate or nonexistent management of change.

Obtaining the total effectiveness of the protection layers: Once we identify the IPLs applicable to each scenario and evaluate their effectiveness, the individual SPFD numbers must be added to obtain the total effectiveness of the protection (Es), where Es = Σ SPFD.

The main advantage of using indexes instead of exponent numbers is shown here, where a multiplication of probabilities is handled as adding integer numbers.

Table 7. Semiquantitative guide for consequence category selection according to consequences on production and facilities

                                                         Facility Type:              Facility Type:
Consequence                                              Large plant, main product   Small plant, by-products
Mechanical Damage to Spared or Nonessential Equipment    Minor: Category 2           Minor: Category 2
Plant Outage for Less Than 1 Month                       Critical: Category 3        Minor: Category 2
Plant Outage for 1 to 3 Months                           Major: Category 4           Critical: Category 3
Plant Outage for Less/More Than 3 Months                 Major: Category 4           Major: Category 4
Vessel Rupture, 3,000 to 10,000 gal, 100–300 psi         Major: Category 4           Major: Category 4
Vessel Rupture, >10,000 gal, >300 psig                   Catastrophic: Category 5    Catastrophic: Category 5

Reproduced from Ref. 4, with permission from AIChE.

Step 4: Calculate the Expected Frequency for the Hazardous Event

The total protection effectiveness number (Es) is used to calculate the expected frequency for the hazardous event taking into account the IPLs; this frequency will be called the reduced frequency (Fr)

$$F_r = F_i - E_s \qquad (3)$$

Step 5: Determine the Need for Additional Layers of Protection and the Required SIL, if a SIS is Recommended

Once the reduced frequency (Fr) is obtained, it is necessary to compare it with the threshold frequency (Ft) for the selected scenario:

If Fr ≤ Ft, then protections are sufficient for the risk scenario (if Fr < Ft, then there is an over-design according to the acceptability criteria).

If Fr > Ft, then protections are insufficient for the risk scenario (the combined effectiveness of the protections is not enough to reduce the initiating event frequency to the maximum acceptable frequency for the scenario).

When Fr > Ft, we need to establish a risk control strategy based on the required effectiveness (frequency reduction) (Sadd) as shown in Eq. 4:

$$S_{add} = F_r - F_t \qquad (4)$$

According to the value of Sadd, there are the following three cases:

Case 1: Sadd ≤ 1

If we already have protection layers applicable to the scenario (usually this is the case), we recommend improving the effectiveness of these layers (e.g., more frequent and systemized maintenance programs can improve existent protection reliability and operator response to alarms can be improved with training). If there are no protection layers applicable to the scenario, we must recommend installing a non-SIS protection layer. Only if no non-SIS protection layers can be applied, we could suggest using a SIS with SIL 1.

Case 2: 2 ≤ Sadd ≤ 4

Non-SIS protection layers and existing protection layer improvement must be suggested if possible and reevaluated to determine if this is enough. If no non-SIS protection layers can be suggested and existing protections have been improved, we can suggest installing a SIS.

Case 3: Sadd > 4

The value of Sadd is very high and a SIS protection would not be enough to mitigate the risk. Therefore, we must first recommend a reevaluation of the equipment or process searching for high effectiveness solutions and second, implement several SIS and non-SIS protection layers until the risk is at acceptable level.

Figure 2. Layers of protection for a chemical process, purpose and consequences of failure on demand (adapted from LOPA [4]).

Table 8. Probability of failure on demand indexes

Probability of Failure     Probability           Expected Failures Based
on Demand Index (SPFD)     Range                 on 1,000 Demands
0                          1                     1,000
1                          1 to 10^-1            100 to 1,000
2                          10^-1 to 10^-2        10 to 100
3                          10^-2 to 10^-3        1 to 10
4                          10^-3 to 10^-4        0.1 to 1
5                          10^-4 to 10^-5        0.01 to 0.1

If a Safety Instrumented System (SIS) is recommended, the required SIL can be determined from the Sadd value after considering the other non-SIS alternatives using Table 10.

Special Case: Determination of the Required SIL for an Already Installed SIS

In case we want to determine the required SIL of a previously installed SIS, we can proceed by evaluating the scenario of risk without considering the SIS protection layer. The value of the corresponding Sadd will give the required SIL for the SIS.
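
The screening steps above are integer arithmetic on the indexes, so they can be checked mechanically. The following Python is an added example, not code from the article: it encodes Eq. 1 to Eq. 4, the Table 5 thresholds, the Table 9 SIS credits and the Table 10 SIL mapping, and runs the absorber scenario from the article's worked example. The names `Scenario`, `evaluate`, `with_sis`, `required_sil_for_installed_sis` and the `non_sis_option` flag are assumptions of this example.

```python
import math
from dataclasses import dataclass, field, replace
from typing import Optional

THRESHOLD_INDEX = {5: 3, 4: 4, 3: 5, 2: 6, 1: 7}   # Table 5: category -> Ft
SIL_FROM_SADD = {2: 1, 3: 2, 4: 3}                  # Table 10: Sadd -> required SIL
SPFD_OF_SIL = {1: 2, 2: 3, 3: 4}                    # Table 9: SPFD credited to a SIS


def frequency_index(f: float) -> int:
    """Eq. 1: nearest integer to log10(f), plus 7 (f in events/year)."""
    if not 1e-7 <= f <= 1e3:
        raise ValueError(f"{f} events/year is outside the 1e-7..1e3 working range")
    return round(math.log10(f)) + 7


def occurrence_probability(f: float, years: float) -> float:
    """Eq. 2: probability of at least one event in `years` of operation."""
    return 1.0 - math.exp(-f * years)


@dataclass(frozen=True)
class Scenario:
    name: str
    category: int                 # consequence severity category, 1..5
    initiating_frequency: float   # events/year, from the HAZOP cause
    ipls: dict = field(default_factory=dict)  # IPL name -> SPFD (Table 8: 0..5)
    non_sis_option: bool = False  # assumption: analyst's judgement that a
                                  # non-SIS layer can still be added or improved


@dataclass(frozen=True)
class Result:
    fi: int
    es: int
    fr: int
    ft: int
    sadd: int
    case: str
    required_sil: Optional[int]
    action: str


def evaluate(s: Scenario) -> Result:
    """Steps 2 to 5 for one scenario whose severity category is already set."""
    bad = {k: v for k, v in s.ipls.items() if v not in range(6)}
    if bad:
        raise ValueError(f"SPFD must be an integer 0..5: {bad}")
    ft = THRESHOLD_INDEX[s.category]
    fi = frequency_index(s.initiating_frequency)
    es = sum(s.ipls.values())     # multiplying PFDs becomes adding indexes
    fr = fi - es                  # Eq. 3
    sadd = fr - ft                # Eq. 4
    sil = None
    if sadd <= 0:
        case = "sufficient"
        action = "protections sufficient" + (" (over-design)" if sadd < 0 else "")
    elif sadd > 4:
        case = "case 3"
        action = "re-evaluate process; several SIS and non-SIS layers needed"
    else:
        case = "case 1" if sadd == 1 else "case 2"
        if s.non_sis_option:
            action = "improve existing layers or add a non-SIS layer, then re-evaluate"
        else:
            sil = SIL_FROM_SADD.get(sadd, 1)   # Case 1 falls back to SIL 1
            action = f"install a SIS, target SIL {sil}"
    return Result(fi, es, fr, ft, sadd, case, sil, action)


def with_sis(s: Scenario, sil: int, name: str = "SIS") -> Scenario:
    """Return the scenario with a SIS of the given SIL credited as an extra IPL."""
    return replace(s, ipls={**s.ipls, name: SPFD_OF_SIL[sil]})


def required_sil_for_installed_sis(s: Scenario, sis_name: str) -> Optional[int]:
    """Special case: evaluate without the SIS layer and read the SIL from Sadd.
    Returns None when no SIS is needed or when Sadd > 4 (Case 3)."""
    others = {k: v for k, v in s.ipls.items() if k != sis_name}
    return evaluate(replace(s, ipls=others, non_sis_option=False)).required_sil


# Absorber T-1 high-level scenario, values taken from the article's worked example.
ABSORBER = Scenario(
    name="T-1 false high level, high pressure gas to V-1",
    category=4,
    initiating_frequency=1e-1,
    ipls={"V-1 high pressure alarm and operator response": 1},
)

if __name__ == "__main__":
    before = evaluate(ABSORBER)
    after = evaluate(with_sis(ABSORBER, before.required_sil, "ESD valve SIF"))
    for label, r in (("existing layers", before), ("with SIL 1 SIF", after)):
        print(f"{label}: Fi={r.fi} Es={r.es} Fr={r.fr} Ft={r.ft} "
              f"Sadd={r.sadd} -> {r.action}")
    print(f"P(1e-3/yr over 30 yr) = {occurrence_probability(1e-3, 30):.0%}")
```

Re-running `evaluate` after crediting the proposed SIS is the re-evaluation that Case 2 asks for; a negative Sadd in that second pass is the over-design condition described in Step 5.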

Table 9. Typical SPFD numbers for some representative process items

Process Item                                                    Typical SPFD
Centrifugal pump actuated by an electric motor (spare)          2
Check valve                                                     3
Manual valve                                                    4
Motorized valve                                                 2
Pneumatic valve                                                 3
Solenoid valve                                                  3
Firefighting system (diesel motor)                              2
Firefighting system (electric motor)                            1
Relief valve (PSV)                                              4
SIL 1 SIS                                                       2
SIL 2 SIS                                                       3
SIL 3 SIS                                                       4
Simple human response to a process alarm (simple and clear      1
  procedure, more than 30 min to respond, low stress)
Complex human response with short time to respond (less than    0
  5 min) in high stress situations

Table 10. Determination of the required SIL from Sadd number.

Sadd   Corresponding PFD   Required SIL
2      10^-1 to 10^-2      1
3      10^-2 to 10^-3      2
4      10^-3 to 10^-4      3

COMPARISON TO "CLASSIC" LOPA

In classic LOPA, probability and frequency data are used "as is." In this methodology, math is simplified by using only the order of magnitude of frequency and probability data, so multiplication of probabilities and frequencies becomes simple addition of integer numbers.

Classic LOPA uses several factors that affect the resulting frequency for the unwanted event: mainly use factor, ignition probability, explosion probability, and occupancy. In this methodology, use factor, that is, the fraction of time the hazardous process is in operation or the hazard is present in the system, is assumed to be 1, implying continuous processes. Also, occupancy, that is, the probability that the effect zone of an accident will impact one or more personnel, and ignition and explosion probabilities, must be already taken into account all together when selecting a consequence severity category.

WORKED EXAMPLE

A simplified process flow diagram of the absorber section of a high pressure sour gas amine treatment unit is shown on Figure 3. The simplified process and instrumentation diagram (P&ID) of the bottom section of the absorber (T-1) and the amine flash drum (V-1) are shown on Figure 4.

Figure 3. Process flow diagram for the absorber section of a sour gas treatment unit.

From the HAZOP study of this process unit section the following scenario was selected (Node: high pressure amine absorber (T-1) and Deviation: high level):

Cause:
• Failure of LT indicating a false high level

Consequences:
• LV fully opens
• Loss of liquid seal in T-1 column (LG indication is unreliable in this case)
• High pressure gas flows to low pressure flash tank V-1 (Note: PSV in V-1 is not designed for this scenario)
• Potential explosion of V-1
• LV bypass valve could be erroneously opened in an attempt to control the "high level" in T-1, worsening the scenario

Safeguards:
• High pressure alarm in V-1 PIC and operator response

Recommendations:
• Consider adding a SIS and implement a SIF for this scenario
• Lock LV bypass valve in closed position
• Update emergency operation procedures with this scenario and train operators accordingly

Figure 4. Simplified P&ID of a section of a high pressure sour gas amine treatment unit.

Step 1: Identify a hazardous event and assess its severity.
For this scenario, taking into account that facility spacing is adequate, that personnel is mostly concentrated in a bunker control room at an adequate distance, and that the consequences involve a potential low pressure vessel rupture, we categorize the event as category 4 (Major). From Table 5, the associated threshold frequency index (Ft) is 4.

Step 2: Identify the initiating event and assess its frequency.
The initiating event for this scenario is the failure of a level transmitter indicating wrong high level. From Table 5 we determine that the initiating event frequency is in the order of $10^{-1}$ events/year (an event with high probability of occurring in the plant's lifetime), so the associated initiating frequency index (Fi) is 6.

Step 3: Identify the applicable IPLs and evaluate their effectiveness.
In this scenario, the only applicable protection layer is an alarm and associated human response. Assuming procedures are clearly written and operator training is adequate, from Table 9 we can assign an SPFD of 1 to this protection layer. The existing PSV and LG were already considered inadequate for this scenario in the HAZOP. So total protection effectiveness for this scenario is Es = 1.

Step 4: Calculate the expected frequency for the hazardous event, taking into account the IPLs.
The reduced frequency for this scenario is Fr = Fi - Es = 6 - 1 = 5.

Step 5: Determine the need for additional layers of protection and the required SIL, if a SIS is recommended.
The reduced frequency for this scenario is greater than the threshold frequency for the consequence category (Fr > Ft), so we calculate the required frequency reduction Sadd.

$$S_{add} = F_r - F_t = 5 - 4 = 1$$

As Sadd = 1 and no non-SIS protection layers are applicable, we may suggest installing a SIS. The SIF would be to close an emergency shutdown valve installed in series with LV on detection of high pressure in V-1 flash drum (we cannot use the signal from the LT as its failure was the initiating event in the scenario). Its target SIL would be SIL 1. As normally a single valve will not be enough to meet SIL 1 requirements, a solenoid 3-way valve would be needed on the air pressure control line from the LIC, to close both the emergency valve and the level control valve in emergency situations, as shown conceptually in Figure 5.

Figure 5. Modified P&ID including a SIS.

CONCLUSIONS

It is not always necessary to have a lot of protection layers or redundant SIS (SIL 2 or 3). Many risk scenarios can be best dealt with by improving process design and instrumentation to diminish the magnitude and frequency of the deviations in the process so we depend less on safety systems. The approach presented in this article can help to make decisions related with the investment in additional and sophisticated safety protection layers or improve already existent ones.

LITERATURE CITED

1. Process Safety Management of Highly Hazardous Chemicals, 29 CFR 1910.119, United States Code of Federal Regulations, 1992.
2. International Electrotechnical Commission, Functional Safety—Safety Instrumented Systems for the Process Industry Sector, IEC 61511, IEC, International Electrotechnical Commission, Geneva.
3. ANSI/ISA-84.00.01–2004 (IEC 61511 mod), Functional Safety—Safety Instrumented Systems for the Process Industry Sector, ISA, Research Triangle Park, NC, 2004.
4. Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers (AIChE), Layers of Protection Analysis (LOPA): Simplified Process Risk Assessment, AIChE, New York, 2001.
5. Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers (AIChE), Guidelines for Chemical Process Quantitative Analysis, Second Edition, New York, 2000.
6. Center for Chemical Process Safety (CCPS), American Institute of Chemical Engineers (AIChE), Guidelines for Process Equipment Reliability Data with Data Tables, New York, 1989.
