Why Proper PHA/HAZOP Documentation is Critical for LOPA
Updated: Mar 7
This article can also be found on LinkedIn. See what people are saying.
We may think that It should be common sense to always have proper documentation in your Process Hazard Analysis (PHA) or Hazard and Operability (HAZOP) Study. Unfortunately, I have seen so many poorly documented PHAs that it really doesn't make sense to use them in the Layer of Protection Analysis (LOPA). Some PHAs had too much information on low severity scenarios and too little information on high severity ones.
This article is mostly applicable for projects or companies that have their PHA/HAZOP facilitated by two different teams (i.e. different facilitators and/or different team members), but could also apply even if the team was the same but completed at a much later time.
Let us first understand the dynamics between PHA/HAZOP and LOPA.
What PHA/HAZOP information transfers?
For scenarios that are considered LOPA credible (based on local and federal regulations and company standards), the following are transferred:
Initiating event details
Severity (if the HAZOP includes Consequence Severity Ranking, which is the norm and best practice in recent times)
Safeguards (to be screened as IPLs)
Key remarks (if relevant notes were taken)
Recommendations, most often related to completing further analysis or gathering additional information to verify the consequence severity (e.g., dispersion modeling, etc.)
As demonstrated, these are all the details from each cause-consequence pair. I’d like to stress that LOPA requires a unique cause-consequence pair to be analyzed. The reason will be explained later in this article.
What is being asked by the LOPA “Rules”?
The CCPS Layer of Protection Analysis (purple book) indicates that LOPA is a semi-quantitative risk assessment approach and a simplified method for assessing the value of protection layers for a well-defined accident scenario.
In addition, one of the most common screening methods to determine if a scenario will go into LOPA is based on the consequence and/or severity, which is defined during a qualitative hazard review (e.g. HAZOP).
Therefore we need a well defined accident scenario that leads to a consequence of interest, which includes the consequence and/or severity defined during the PHA or HAZOP study.
What are the impacts of poor documentation?
1. The common implications of poor documentation are the possible misidentification of a scenario and a poorly developed scenario that should have been evaluated in LOPA. This could be dangerous. The following are the most common mistakes related to missed LOPA scenarios:
Potential hazards in all operating modes. This happens quite often and is dangerous since most incidents in the industry are from alternate/abnormal modes of operation. (source CSB).
Example: Gas fired heater startup scenarios
Potential collateral consequences, usually stemming from a safeguard working as intended.
Examples: Atmospheric relief valve opening against overpressure
Scenarios that were not fully developed into a consequence due to stopping at the safeguard functioning.
Example: A scenario’s cause is Reflux Pump (P-123) trips which supply reflux to the Debutanizer Tower (V-456). The team developed the consequence as potential increased pressure and lift of the relief valve at setpoint -- and it stops here.
2. Possible overestimation of a scenario’s severity, therefore increasing the required risk reduction leading to costly recommendations. This could possibly be prevented by having sufficient preparation (See this article for Preparation as a HAZOP Participant).
Example: If a scenario of a runaway reaction that could lead to loss of containment, the release of process materials, fire/explosion, and potential fatality was ranked a consequence severity of 5, (on a scale of 1 to 5, with 4 being 1 to 4 fatality and 5 being 5 or greater) but in reality, there is a potentially fatal impact to only 4 people based on modeling. Since this scenario was not flagged for further analysis, a recommendation for a higher Safety Integrity Level (SIL) on a Safety Instrumented Function (SIF) was required, increasing project AND operational cost.
3. Hopefully, the LOPA Team was able to catch the overestimated scenario severity. Unfortunately, this would still require a redefinition or redo of the consequence and severity ranking.
4. Consequently, all of these increase the time spent in session!
What are considered best practices?
1. Ensure scenarios that are unique cause-consequence pairs are documented separately. Even if a consequence of a scenario is the same, the initiating event (cause) and the safeguard are most likely different. Thus, the overall risk may be different in each case when developed separately. One safeguard that could later be an IPL may not prevent the consequence from developing for a different cause.
2. Document how the consequence developed, especially if it isn't obvious and the consequence severity is high.
A pump blocked-in scenario is straightforward vs. an initiating event that eventually led to an overfilling of a vessel several nodes from where the node of the initiating event was in, needs to be explained clearly
An initiating event of LV-123 on the oil line from a Vessel (V-231) with consequence documented as “Potential overfill and overpressure” doesn’t really explain what the source of pressure was and how high the pressure could reach.
3. Document and analyze collateral or secondary consequences, especially for safeguards that prevent one consequence but end up leading to another one.
Atmospheric relief valve relief which could have a thermal radiation impact to personnel if the vapor at the tip of the relief valve were to find an ignition source
An overfill line prevents tank overfill of a storage tank but since it is routed to grade outside of the secondary containment, it can potentially expose personnel to pool fire
4. For trips, provide tags for the logic solver, sensing and final element and setpoint. Hint: if a proven safety instrumented function (SIF), have the safety requirement specification (SRS) handy.
6. If LOPA is to be done separately from the PHA, use the same team as much as possible, including the facilitator, unless the intention is to have a 2nd team (LOPA) to review and ensure the quality of the HAZOP. Most of the time, continuity is efficiency.
7. If LOPA is to be done by a different facilitator, have the PHA/HAZOP be facilitated by someone who is also skilled and experienced in LOPA or SIL Assignment and understands what details are required to be documented well in the HAZOP.
8. If using two (2) different facilitators, keep both facilitators involved as much as possible to ensure there is a proper transition of information.
During the HAZOP, try to determine and document the following as much as possible for each LOPA credible scenario:
Initiating event likelihood (IEL) for each LOPA credible scenario
Possible enabling events and conditional modifiers
9. Lastly and equally important, involve leadership and subject matter experts (SME) every step of the way. Communicate any findings or high-risk scenarios as soon as they are identified rather than at the end of the study. Communication allows for early verification of the plausibility of the scenarios or recommendations, ensure proper documentation, and prevents unwelcome “surprises”.
If we do it (documentation and analysis) right the first time, we can be safer and we spend less time doing busy work and spend quality time in what matters.