Journal of Loss Prevention in the Process Industries 23 (2010) 727e733

Contents lists available at ScienceDirect

Journal of Loss Prevention in the Process Industries

journal homepage: www.elsevier.com/locate/jlp

Beyond-compliance uses of HAZOP/LOPA studiesq

Robert W. Johnson*
Unwin Company, 1920 Northwest Blvd, Suite 201, Columbus, OH 43212, USA

a r t i c l e i n f o a b s t r a c t

Article history: Recent years have seen a convergence of scenario-based Hazard and Operability (HAZOP) studies, Layer
Received 8 March 2010 of Protection Analyses (LOPAs), and safety integrity level (SIL) determinations. These can all be performed
Received in revised form using order-of-magnitude estimates for the initiating cause frequency, the effectiveness of protection
11 May 2010
layers, the severity of loss event consequences, and the inclusion of other risk-reduction factors. Con-
Accepted 18 May 2010
ducting a HAZOP study or a HAZOP/LOPA study in this manner makes it possible to extend the study
results to not only determine required SILs, but also to sum scenario risks by process unit and show the
Keywords:
quantitative benefit of implementing risk-reduction measures. The aggregated risk can be compared to
HAZOP/LOPA
HAZOP studies
process-wide tolerable risk criteria, in addition to comparing each scenario to a risk matrix or risk
Orders of magnitude magnitude. This presentation demonstrates how a true risk-based HAZOP study can be performed with
Risk magnitudes little additional effort over that required for commonly performed cause-by-cause HAZOP studies, and
Layer of Protection Analysis how facility managers and engineers can then use the results when deciding on and implementing risk-
reduction measures.
Ó 2010 Elsevier Ltd. All rights reserved.

1. Introduction easier to grasp. The difference in pH between cola (2.5) and

household ammonia cleaner (11.5) spans a hydrogen ion concen-
Risk calculations span vast ranges. Initiating cause frequencies tration range of nine orders of magnitude, or a factor of one billion.
can range from daily occurrences to rare events with recurrence Likewise, it is easier to express that there are 11 orders of magni-
intervals in the tens of thousands of years. Impacts can range from tude between a brisk snail’s pace (3 mm/s) and the speed of light
a minor injury or spill to multiple fatalities, environmental damage (300,000 km/s) than that the difference in their velocities is
and many millions of dollars of losses. Risk, taken as the conven- 100,000,000,000-fold (Johnson, 2008).
tional combination of likelihood and severity of loss events, can Orders of magnitude are also useful in simplifying mathematics.
extend over an even greater range when these factors and their Adding and subtracting exponents is much preferable to multi-
wide spans are combined. plying and dividing very large or very small numbers. This concept
Exponential notation and orders of magnitude help us grasp has found use in combining initiating cause frequencies, safeguard
vast ranges such as those used in risk calculations. For example, the risk-reduction factors and consequence severities quickly and
Richter scale conveys in simple numerical terms the amplitude of easily in process hazard analyses (PHAs). The ability to concurrently
signals recorded by a seismograph. A magnitude 7 earthquake may develop loss event scenarios and estimate their risk parameters
have devastating consequences, whereas a magnitude 4 earth- allows PHA review teams to specify safety integrity layer (SIL)
quake may only cause minor damage. requirements in the same manner as a stand-alone Layer of
The pH scale used to measure acidity is an inverse logarithmic Protection Analysis (LOPA) study. This order-of-magnitude
measure of the effective hydrogen ion (Hþ) concentration in an approach to documenting risk parameters during a PHA is
aqueous solution. Knowing that the pH of cola is around 2.5 is much explained and illustrated, including its extension to determining
easier to express (and remember) than knowing that its hydrogen SILs to meet risk targets and other uses that extend the usefulness
ion concentration is 0.003 g-mol/L. Not only are many things easier of PHAs beyond a compliance requirement for five-year cyclical
to express in logarithmic terms, the breadth of differences are reviews.

q Presented at the Mary Kay O’Connor Process Safety Center International

2. Exponential risk calculations
Symposium, October 27e28, 2009, College Station, Texas.
* Tel.: þ1 614 486 2245; fax: þ1 614 486 2141. Risk can be defined as the combination of the likelihood
E-mail address: rjohnson@unwin-co.com (expressed as a frequency) and severity (expressed as the total

0950-4230/$ e see front matter Ó 2010 Elsevier Ltd. All rights reserved.
doi:10.1016/j.jlp.2010.05.009
728 R.W. Johnson / Journal of Loss Prevention in the Process Industries 23 (2010) 727e733

Table 1
Example impact categories and magnitudes used in hazard evaluations (CCPS, 2008a).

Impact category Impact magnitude

1 2 3 4 5

On-site (worker) health effects Recordable injury Lost-time injury Multiple or severe Permanent health effects Fatalities
injuries
Off-site (public) effects Odor; exposure below Exposure above limits Injury Hospitalization or multiple Severe injuries or permanent
limits injuries effects
Environmental impacts Reportable release Localized and short-term Intermediate effects Widespread or long-term Widespread and long-term
effects effects effects
Accountability; attention/ Plant Division; regulators Corporate; neighborhood Local/state State/national
concern/response

Tables 1 and 2 copyright CCPS (American Institute of Chemical Engineers). Used with permission.

impact) of loss events.1 This paper focuses on process industry loss CCPS (2008b) as it pertains to fire or explosion process safety
events, with a loss event defined as the point in time in an abnormal incidents (including overpressure):
situation when an irreversible physical event occurs that has the
potential for loss and harm impacts. Examples include release of Severity Level 4: Incident resulting in $25,000e$100,000 of
a hazardous material, ignition of flammable vapors or ignitable dust direct costs
cloud, and overpressurization rupture of a tank or vessel. Severity Level 3: Incident resulting in $100,000e$1 MM of
For risk calculations, the frequency and severity of a loss event direct costs
are often combined by direct multiplication: Severity Level 2: Incident resulting in $1 MMe$10 MM of direct
costs
Scenario Frequency  Scenario Impact ¼ Scenario Risk Severity Level 1: Incident resulting in >$10 MM of direct costs

ðloss events=yearÞ  ðimpact=loss eventÞ ¼ ðimpact=yearÞ: In this scale, the severity level number cannot be used directly as
the surrogate for the impact magnitude, due to the scale being
For example, if the scenario under consideration is a “hundred-
chosen such that the severity level decreases as the impact
year flood” that can affect an industrial facility and cause total
increases. A more convenient impact scale would be the exponent
monetary losses on the order of $10 million, the scenario risk is
of the dollar-denominated direct costs, as in the hundred-year
flood example above.
ð0:01 flood per yearÞ  ð$10; 000; 000 per floodÞ
¼ $100; 000 per year: 2.2. Likelihood magnitudes
This $100,000 per year can be thought of as an annualized loss rate.
For incidents in the process industries, the likelihood side of the
Risk of process incidents can also be expressed in injuries or
risk equation is expressed as the frequency of occurrence of
fatalities per year, or defined environmental impacts per year.
a specific loss event such as a fire, explosion or hazardous material
The same order-of-magnitude calculations can be performed by
release. For rare events, this can also be understood as the proba-
adding exponents rather than multiplying the frequency and
bility per year of operation that the loss event will occur. A
impact factors, which tend to be either very large or very small
frequency magnitude scale is shown in Table 2 that expresses
numbers (Johnson, 1998). For the hundred-year flood example, if
order-of-magnitude steps with their corresponding exponents
the 0.01 flood per year (¼10L2/year) frequency is represented by
highlighted in bold.
a frequency magnitude of L2 and the $10,000,000 per flood
This scale is not all-inclusive; frequencies can also be higher
(¼$107/flood) impact is represented by the impact magnitude of 7,
(e.g., ten times a year) or lower (e.g., once in a million years).
then a risk magnitude of 5 corresponding to the risk of $105/year
However, this scale covers the range of frequencies that is used
can be easily calculated.
most often to express the likelihood of significant loss events for
    a given process operation.
10-2 =year  $107 =flood ¼ $105 =year
2.3. Scenario risk magnitudes
-2 þ 7 ¼ 5:
Hazard analysis methodologies such as Hazard and Operability
(HAZOP) studies and Fault Tree Analyses can be used to break down
2.1. Severity magnitudes the likelihood of loss events into more manageable and easily
estimated components. The two basic components are the initi-
For the severity side of the risk equation, Table 1 illustrates one ating cause frequency and the safeguards risk-reduction factor:
example of a loss event severity scale that was set up with the
Scenario Frequency x Scenario Impact = Scenario Risk
intention, in the judgment of the developers of the table, that there
(loss events/year) x (impact/loss event) = (impact/year)
would be roughly an order-of-magnitude severity increase from
one column to the next.
Another example of a loss event severity scale using order-of- [Initiating Cause Frequency / Safeguards Risk Reduction Factor] x Scenario Impact =
magnitude categories is the Process Safety Incident Severity scale in Scenario Risk
[(initiating events/year) / (dimensionless factor)] x (impact/loss event) = (impact/year)
The initiating cause (often simplified to just the term cause in
1
See Appendix for a glossary of terms used in this paper. this context) is the operational error, mechanical failure, or external
 R.W. Johnson / Journal of Loss Prevention in the Process Industries 23 (2010) 727e733 729

Table 2 It has been recognized that different hazard evaluation tech-

Example order-of-magnitude initiating cause frequency scale (CCPS, 2008a). niques can be effectively combined in the analysis of a single
Magnitude Equivalent cause Comparison with experience process or part of the process. By amalgamating two methods, the
10x/yr likelihood resulting technique hopefully takes advantage of the strengths of
0 Once a year Unpredictable as to when it will occur, both methods and mitigates the weaknesses of each (CCPS, 2008a,
but within realm of most employees’ Section 9.4). Combining a scenario-based HAZOP study with a Layer
experience
of Protection Analysis (LOPA) allows a review team that is properly
L1 1 in 10 (10% likelihood) Outside of some employees’
per yr of operation experience; within realm of facilitated to avoid the duplication of effort involved in first doing
process’ experience a HAZOP study to identify scenarios, then conducting a LOPA with
L2 1 in 100 (1% likelihood) Outside of almost all employees’ its separate documentation on (usually) a subset of the HAZOP
per yr of operation experience; within realm of scenarios. CCPS (2008a) indicates:
plant-wide experience
L3 1 in 1000 per yr of Outside of almost all process Any qualitative hazard evaluation method that identifies
operation experience; may be within realm
scenarios in terms of their initiating causes, event sequences,
of company-wide experience
L4 1 in 10,000 per yr of Outside of most companies’ consequences and safeguards can be readily extended to record
operation experience; within realm of much of the results of a LOPA study, whenever the analyst or
industry-wide experience analysis team deems a scenario to require such analysis. The
L5 1 in 100,000 per yr May be outside the realm of What-If Analysis and HAZOP study methods are thus well-
of operation industry-wide experience, except
suited to combination with LOPA.
for common types of facilities
and operations In a tabular scenario presentation, for example, columns may be
added in which to record the order-of-magnitude frequency and
probability estimates involved in LOPA. Text that identifies
event or agency that is the first event in an incident sequence, safeguards must differentiate between independent protection
marking the transition from a normal to an abnormal situation. layer (IPL) and non-IPL safeguards. [.] In parallel to properly
Safeguards are devices, systems and actions that would likely formulated text descriptions, such scoring systems, once in
interrupt the chain of events following an initiating cause or that place, need to be extended to separate the aggregate probabil-
would mitigate loss event impacts. Examples include operator ities of failure on demand (PFDs) for IPL safeguards and non-IPL
response to an alarm, safety instrumented systems, emergency safeguards, and to indicate the integrity of each IPL when
relief systems, and post-release mitigation systems. If no safe- multiple IPLs protect against the same scenario.
guards are employed, then the overall scenario frequency is equal
to the initiating cause frequency. Other risk-reduction factors are Table 3 shows a format that can be used to document a basic
sometimes included in HAZOP/LOPA studies, such as ignition HAZOP/LOPA study. The scenario frequency magnitude (column f) is
source and/or personnel presence probabilities. the initiating cause frequency magnitude (a) minus the sum of all
The above risk equation, adding and subtracting magnitudes valid risk-reduction factor magnitudes (e). The scenario severity
instead of multiplying and dividing the factors, can be expressed as: magnitude (column g) is either the linear sum of, or the highest of, the
various impact magnitudes such as on-site worker injury impacts (b),
Initiating Cause Magnitude off-site/environmental impacts (c) and direct-cost business impacts
(d). The overall scenario risk magnitude (h) is the sum of f and g. An
 Safeguards Risk Reduction Magnitude
example risk calculation is given in the next section.
þ Scenario Impact Magnitude However, it should be noted that no standardized HAZOP/LOPA
¼ Scenario Risk Magnitude: documentation exists. For example, some analysis protocols may
include additional fields for “unmitigated risk” (calculated risk
Using the previous example, if the facility that can be affected by taking no credit for safeguards; useful for screening out scenarios
a “hundred-year flood” now has a layer of protection that has a risk- that do not need to be considered further) and/or “residual risk”
reduction factor of 100 (risk-reduction magnitude of 2), the overall (expected risk magnitude after findings and recommendations are
scenario risk magnitude for the scenario of a $107 flood loss impact implemented). Other protocols may not allow consideration of
is reduced from 5 to 3. The risk-reduction factor of 100 means that conditional modifiers such as the probability of ignition, the
out of 100 flood events, only one is likely to result in the major loss, probability of personnel being in the effect area, or the probability
thus giving an overall scenario frequency of 10L4 loss events/year or of the wind blowing toward an off-site population.
one chance in 10,000 per year that the $107 loss would be realized. One key concept that needs to be highlighted is that, for
a HAZOP study to be extended to a HAZOP/LOPA study, it must be
3. HAZOP/LOPA studies using risk magnitudes performed using a “cause-by-cause” approach that identifies each
unique cause-consequence pair. HAZOP studies that employ
Hazard and Operability studies have been documented many a “deviation-by-deviation” approach that list all of the possible
different ways since their inception, from the original ICI studies causes, all of the possible consequences and all of the possible
that only recorded “by exception” (i.e., only required actions were safeguards for each deviation are not amenable to being extended
documented) to the current practice of computerized documenta- to HAZOP/LOPA. The essence of the “cause-by-cause” approach can
tion that has the capability of capturing node divisions, design be summarized as follows.
intents, guide words, deviations, causes, consequences, safeguards, For each HAZOP deviation:
cause frequencies, loss event impacts, risk-reduction factors,
scenario risks and analysis findings, as well as all of their interre- Scenario identification
lationships. The common element to all properly conducted HAZOP - Brainstorm a complete set of initiating causes for the deviation.
studies is that the process under review is systematically and - Discuss and document, on a separate row of the HAZOP/LOPA
thoroughly analyzed by a multidisciplinary team in such a way that table for each consequence, the effects on the system as
the adequacy of safeguards is determined for all process deviations a whole following the first initiating cause, until it is deter-
and their associated loss event scenarios. mined that either a consequence of concern (loss event) can be
730 R.W. Johnson / Journal of Loss Prevention in the Process Industries 23 (2010) 727e733

Table 3
Example HAZOP/LOPA table (IPLs ¼ independent protection layers).

Guide word/ Initiating Freq Consequences Impacts IPLs and Protection Scenario Finding #
deviation cause conditional factor comments
On Off $ Freq Sev Risk
modifiers
a b c d e f g h

reached if safeguards fail, or no significant consequences are determined by analyzing HAZOP scenarios on an order-of-magni-
anticipated. tude basis.
- Identify and document each independent layer of protection In this example, the numbers in square brackets in the “IPLs and
(preventive and source-mitigative safeguard) that could conditional modifiers” column correspond to the risk-reduction
intervene between the specific cause-consequence pair, as well magnitudes assigned to each independent preventive safeguard.
as any other significant risk-reduction factors. For example, the first safeguard of “Operator response to PT-1 low
- Do the same for each of the remaining initiating causes, one at pressure alarm; adequate time to respond” has a risk-reduction
a time. magnitude of 1, indicating that if ethylene flow is lost, there is
a 10-fold (101) risk-reduction factor (i.e., on the order of nine times
Scenario risk evaluation out of ten) that loss of pressure will be detected, the operator will
- Evaluate the likelihood (frequency magnitude) of the initiating be alerted, and the system will be brought to a safe state before the
cause, the severity magnitude of the consequences, and the consequence of concern is realized.
magnitude of each risk-reduction factor for each scenario As long as multiple preventive safeguards (layers of protection)
having a consequence of concern. are truly independent, the risk-reduction magnitudes associated
- Combine these magnitudes into a risk magnitude or use a risk with each safeguard can be added. For the first scenario, the risk
matrix look-up to determine whether or not further risk reduction of factor of 1 for “Operator response to PT-1 low pressure
reduction is required. alarm; adequate time to respond” added to the risk-reduction factor
of 1 for “Detection of loss of ethylene flow by 2/h reactor sampling
CCPS (2008a, Table 7.4) has developed a useful tabulation of before chlorine release” gives a total risk-reduction factor of 2.
suggested risk-reduction magnitudes for preventive safeguards such In the example of Table 5, a single risk magnitude number is
as operator response to an alarm and emergency relief protection. used. This scenario risk magnitude is easily calculated as the initi-
Additional adjustments required when extending a HAZOP study to ating cause frequency magnitude reduced by the sum of the safe-
HAZOP/LOPA are itemized in Section 9.4 of CCPS (2008a). guard risk-reduction factors and added to the maximum-impact
magnitude.
4. Beyond-compliance use #1: determining safety The scenario risk magnitude can be compared to a facility’s
integrity levels tolerable risk criteria to determine whether the corresponding risk
criterion is met for each scenario. Alternatively, a risk matrix can be
The effectiveness of a safety instrumented system in bringing an used to express the tolerable risk boundary, with the overall scenario
abnormal operation to a safe state is expressed in terms of safety frequency on one axis and the scenario impact on the other axis.
integrity levels (SILs), with probabilities of failure on demand If the facility’s tolerable risk criterion for the example of Table 5
(PFDs) listed in Table 4. Since SILs are defined in order-of-magni- is that any scenario risk magnitude greater than 0 must be reduced,
tude categories, these categories are compatible with the initiating then only one of the four scenarios in Table 5 would require further
cause frequency and impact severity magnitudes already defined. risk reduction. The difference between the risk magnitude of D1
Industry has commonly used the SIL to be equivalent to the risk- for this one scenario and the tolerable risk criterion of 0 is one
reduction magnitude by conservatively using the lower bound of order-of-magnitude. Hence, an additional independent safeguard
the target risk-reduction range. with a risk-reduction factor of 1 would satisfy this requirement. If
Considering SIL values to be risk-reduction magnitudes allows the new safeguard was a safety instrumented system (SIS), SIL 1
SIL values to be specified at the same time scenario-based hazard would be indicated by this analysis as the SIL to be specified for the
evaluation procedures are used to evaluate the adequacy of existing new safety instrumented system if this were the only safety
safeguards. If the SIL is already specified for a given safety instru- instrumented function for the new SIS. Note that the scenario risk
mented function, the SIL can be used directly as the safeguard risk- criterion could also be met by reducing the initiating cause
reduction magnitude. frequency or the consequence impact, or adding another kind of
Table 5 is an excerpt from a HAZOP study, with columns added independent safeguard other than a SIS.
for documenting initiating cause frequency, loss event impact, risk- However, if the facility’s tolerable risk criterion for the example
reduction factors, and scenario risk magnitudes. The four example of Table 5 is that any scenario risk magnitude greater than L2 must
scenarios in this table will be used to illustrate how SIL levels can be be reduced, then all four scenarios in Table 5 would require further
risk reduction. The difference between the one scenario having
a risk magnitude of D1 and the tolerable risk criterion of L2 is
Table 4
three orders of magnitude, thus requiring a SIL 3 SIS to be specified
Safety integrity levels: probability of failure on demand (ANSI/ISA, 2004).
or other combinations of instrumented and non-instrumented
Demand mode of operation frequency and/or severity reduction measures to be implemented
Safety integrity Target average probability Target risk reduction that would add up to at least three orders of magnitude.
level of failure on demand Note that many companies may not consider this a beyond-
SIL 3 0.0001 to <0.001 >1000 to 10,000 compliance application of a HAZOP/LOPA study, since the U.S.
SIL 2 0.001 to <0.01 >100 to 1000 Occupational Safety and Health Administration (OSHA) in its
SIL 1 0.01 to <0.1 > 10 to 100
letters of interpretation associated with the OSHA Process Safety
 R.W. Johnson / Journal of Loss Prevention in the Process Industries 23 (2010) 727e733 731

Table 5
Example HAZOP study table with frequency, impact, safeguard and risk magnitudes (adapted from CCPS, 2008a, Table 15.7).

Guide word/ Initiating cause Freq Consequences Impacts IPLs and conditional modifiers Protec Scenario
deviation factor
On Off $ Freq Sev Risk
NONE FCV-1 fails closed or commanded 1 Unreacted chlorine through furnace 3 3 [1] Operator response to PT-1 2 3 3 0
No ethylene to close and incinerator to plant scrubber; low pressure alarm; adequate
Flow eventual chlorine breakthrough; time to respond
chlorine release from scrubber [1] Detection of loss of ethylene
stack; potential ground-level flow by 2/h reactor sampling
inhalation exposure to chlorine before chlorine release
vapors [0] Operator response scrubber
breakthrough alarm
(not an additional
independent layer of protection)
NONE FCV-1 fails closed or commanded 1 Unreacted chlorine to furnace; 4 3 [1] Operator response to PT-1 3 4 4 0
No ethylene to close possible failure of furnace tubes low pressure alarm; adequate
Flow from chlorine contact damage; time to respond
hot chlorine vapor release from [2] Detection of loss of
furnace; potential ground-level ethylene flow by 2/h reactor
inhalation exposure to chlorine sampling before furnace
vapors tube(s) fail
NONE PCV-1 commanded to close due 1 Unreacted chlorine through furnace 3 3 [1] Detection of loss of ethylene 2 3 3 0
No ethylene to false high signal from PT-1 and incinerator to plant scrubber; flow by 2/h reactor sampling
Flow eventual chlorine breakthrough; before chlorine release
chlorine release from scrubber stack; [1] Operator response scrubber
potential ground-level inhalation breakthrough alarm; adequate
exposure to chlorine vapors time to respond
NONE PCV-1 commanded to close due 1 Unreacted chlorine to furnace; 4 3 [2] Detection of loss of ethylene 2 3 4 1
No ethylene to false high signal from PT-1 possible failure of furnace tubes flow by 2/h reactor sampling
Flow from chlorine contact damage; before furnace tube(s) fail
hot chlorine vapor release from
furnace; potential ground-level
inhalation exposure to chlorine
vapors

Original table copyright CCPS (American Institute of Chemical Engineers). Used with permission.

Management (PSM) Standard has indicated it considers ANSI/ISA- Scenario risks could be combined in the same way to obtain
S84.00.01-2004 to be a “recognized and generally accepted good a corporate risk profile, with Fig. 1 showing the overall picture of
engineering practice,” so that PSM-covered facilities would be how scenario risks are calculated and combined.
expected to comply with the ANSI/ISA requirements or an If an organization has both individual and societal risk criteria
appropriate equivalent. that must be met, then the risks would need to be separately
calculated and added together. However, as discussed by CCPS
(2009, Section 4.10.1), combining individual risks is not meaning-
5. Beyond-compliance use #2: comparing total node,
ful beyond the site level.
process and site risks

If the HAZOP/LOPA study meets its objective of identifying and 6. Beyond-compliance use #3: verifying total process
analyzing all scenarios having a consequence of concern and risks versus risk tolerance criteria
a nontrivial likelihood, then the risk magnitudes can be combined
on a linear basis to yield the total risk by process unit. Table 6 shows According to CCPS (2009, Section 4.10), risk must be evaluated
an example of what a site profile might look like after all process and managed at all levels: at the corporate, business sector, site,
units have been evaluated. operating unit and scenario level. However, process hazard anal-
The risk profile of Table 6 points to where risk-reduction efforts yses (PHAs) as practiced by most companies evaluate risk only at
will do the most good, namely the reaction system and the raw the scenario level by qualitative judgment or by using a risk matrix
materials unloading system, followed by the purification system. to determine whether safeguards are adequate.
By summing the HAZOP/LOPA scenario risks as described in the
previous section, the total risk at the process unit level and even at
Table 6
Example site summary of process unit risk magnitudes.
higher levels can be compared to tolerable risk criteria at each of
these levels. Some companies now require this to be done, in order
Process unit Process unit Process unit risk
to verify that risk limits are not exceeded for the aggregated risks.
linear risk magnitudea
Reaction system 0.016 L1.8
Raw materials unloading 0.013 L1.9 7. Beyond-compliance use #4: prioritizing
Purification system 0.006 L2.2 risk-reduction efforts
Raw materials storage 0.003 L2.5
Waste treatment 0.0002 L3.8
Utilities 0.00008 L4.1 HAZOP/LOPA studies are typically documented in customized
Finished product pack/ship 0.00002 L4.7 database or spreadsheet applications, which are also amenable to
Total site 0.038 L1.4 extending the use of the calculated risk results to such practices
a
Total site risk magnitude of 1.4 is the log10 of 0.038, which is the sum of the as determining importance measures and prioritizing risk-
process unit linear risks. reduction efforts. Two measures already described in the
732 R.W. Johnson / Journal of Loss Prevention in the Process Industries 23 (2010) 727e733

Scenario Likelihood Scenario

1 x Risk 1
Severit y
System 1 Likelihood System 1
of 2 x Risk 2 Risk
Facility 1 Severit y
… …
Likelihood
n x Risk n
Severit y
Facility 1
Risk
Scenario Likelihood Scenario
1 x Risk 1
… Severit y …
System n Likelihood System n
of 2 x Risk 2 Risk
Facility 1 Severit y
… …
Likelihood
n x Risk n
Severit y
Corporate
… … Risk
Scenario Likelihood Scenario
1 x
Severit y
System 1 Likelihood System 1
of 2 x Risk 2 Risk
Facility n Severit y
… …
Likelihood
n x Risk n
Severit y
Facility n
Risk
Scenario Likelihood Scenario
1 x Risk 1
… Severit y …
System n Likelihood System n
of 2 x Risk 2 Risk
Facility n Severit y
… …
Likelihood
n x Risk n
Severit y

Fig. 1. Calculating and combining risks.

literature using order-of-magnitude risk calculations (Chadwell & example of the “hundred-year flood,” the annualized loss rate was
Leverenz, 2000) are termed risk-reduction worth and risk reduced from $100,000/year to $1000/year by the addition of
achievement worth. Risk-reduction worth is defined for any given a layer of protection. The $99,000/year difference between the
initiating cause or independent protection layer as the ratio annualized loss rates is the potential benefit gained by adding the
between the total process risk as-is and the total process risk if new layer of protection. Thus, if the cost of adding the new layer of
the initiating cause frequency approaches zero or the IPL reli- protection was less than $99,000/year on an annualized basis (e.g.,
ability approaches 100%. By ranking initiating causes and IPLs by by using net present value calculations and adding recurring
risk-reduction worth, the decision maker can be presented with inspection and maintenance costs), its implementation would have
the frequency-reduction measures that have the potential to be a net positive benefit. This could also be compared to the net
most effective in reducing total process risk. Similarly, risk benefit of implementing other risk-reduction measures or to the
achievement worth is defined for any given initiating cause or IPL cost of buying flood insurance. Similar calculations could be per-
as the ratio between the total process risk if the initiating cause formed for actions being considered to reduce risks identified in
or IPL has failed and the total process risk as-is. Ranking of IPLs a HAZOP/LOPA.
and potential initiating causes by risk achievement worth indi-
cates which IPLs or components are most important to be tested,
inspected and maintained to keep the current level of risk from 9. Conclusions
increasing.
Prioritizing risk-reduction efforts was demonstrated by This paper has shown how HAZOP/LOPA studies are performed
Leverenz and Aysa (2007) from an actual study of oil pipeline using order-of-magnitude estimates of initiating cause frequencies,
pumping stations using what they termed cumulative benefit loss event impacts, and risk-reduction factors. Once a thorough
analysis. Risk-reduction worth calculations and cumulative benefit HAZOP/LOPA study has been completed in this manner, the docu-
analysis are used in course examples in the ASME Continuing mented study has many possible uses that can extend its value
Education Institute short course “Advanced Concepts in Process beyond regulatory compliance. Not only can safety integrity levels
Hazard Analysis” (Leverenz & Johnson, 2010). (SILs) be determined, but risk-reduction measures can be priori-
tized and total risks can be compared to each other and to aggre-
gated risk tolerance criteria.
8. Beyond-compliance use #5: performing
costebenefit analyses
Appendix
No quantitative approach would be complete without claiming
to be of use in performing costebenefit analyses, and the approach For consistency with industry usage, the following definitions
described in this paper is no exception. Going back to the first extracted from the Glossary of CCPS (2008a) were employed and
 R.W. Johnson / Journal of Loss Prevention in the Process Industries 23 (2010) 727e733 733

apply to the terms used in this paper. Glossary is copyright CCPS harm impacts. Examples include release of a hazardous material,
(American Institute of Chemical Engineers); used with permission. ignition of flammable vapors or ignitable dust cloud, and over-
Cause: In the context of hazard evaluation procedures, an pressurization rupture of a tank or vessel. An incident might
initiating cause. involve more than one loss event, such as a flammable liquid spill
Consequence: Result of a specific event. In the context of qual- (first loss event) followed by ignition of a flash fire and pool fire
itative hazard evaluation procedures, the consequences are the (second loss event) that heats up an adjacent vessel and its contents
effects following from the initiating cause, with the consequence to the point of rupture (third loss event). Generally synonymous
description taken through to the loss event and sometimes to the with hazardous event.
loss event impacts. In the context of quantitative risk analyses, Mitigate: Reduce the impact of a loss event.
the consequence refers to the physical effects of the loss event Mitigative safeguard: A safeguard that is designed to reduce
usually involving a fire, explosion, or release of toxic or corrosive loss event impact.
material. Preventive safeguard: A safeguard that forestalls the occurrence
Deviation: A process condition outside of established design of a particular loss event, given that an initiating cause has
limits, safe operating limits, or standard operating procedures. occurred; i.e., a safeguard that intervenes between an initiating
Event: An occurrence involving the process caused by equip- cause and a loss event in an incident sequence. (Note that
ment performance or human action or by an occurrence external to containment and control measures are also preventive in the sense of
the process. preventing initiating causes from occurring; however, the term
Frequency: Number of occurrences of an event per unit time preventive safeguard in the context of hazard evaluation procedures
(e.g., 1 event in 1000 yr ¼ 1 10L3 events/yr). is used with the specific meaning given here.)
Hazard: A physical or chemical condition that has the potential Risk: The combination of the expected frequency (events/year)
for causing harm to people, property, or the environment. and severity (effects/event) of a single incident or a group of
Hazard and Operability (HAZOP) study: A scenario-based incidents.
hazard evaluation procedure in which a team uses a series of guide Safeguard: Any device, system, or action that would likely
words to identify possible deviations from the intended design or interrupt the chain of events following an initiating cause or that
operation of a process, then examines the potential consequences would mitigate loss event impacts. See Preventive safeguard;
of the deviations and the adequacy of existing safeguards. Mitigative safeguard.
Hazard evaluation: Identification of individual hazards of Scenario: An unplanned event or incident sequence that results
a system, determination of the mechanisms by which they could in a loss event and its associated impacts, including the success or
give rise to undesired events, and evaluation of the consequences of failure of safeguards involved in the incident sequence.
these events on health (including public health), environment, and
property. Uses qualitative techniques to pinpoint weaknesses in the
design and operation of facilities that could lead to incidents. References
Impact: A measure of the ultimate loss and harm of a loss event.
Impact may be expressed in terms of numbers of injuries and/or ANSI/ISA. (2004). Functional safety: safety instrumented systems for the process
fatalities, extent of environmental damage, and/or magnitude of industry sector e part 1, table 3. ANSI/ISAeS84.00.01-2004 part 1 (IEC 61511-
1 Mod).
losses such as property damage, material loss, lost production, CCPS. (2008a). Guidelines for hazard evaluation procedures (3rd ed.). New York:
market share loss, and recovery costs. American Institute of Chemical EngineerseCenter for Chemical Process Safety.
Incident: An unplanned event or sequence of events that either Tables 1 and 2, Glossary, and the original or Table 5 are copyright CCPS
(American Institute of Chemical Engineers). Used with permission.
resulted in or had the potential to result in adverse impacts.
CCPS. (2008b). Process safety leading and lagging metrics. New York: American
Incident sequence: A series of events composed of an initiating Institute of Chemical EngineerseCenter for Chemical Process Safety. Available
cause and intermediate events leading to an undesirable outcome. from. www.aiche.org/ccps.
Initiating cause: In the context of hazard evaluation procedures, CCPS. (2009). Guidelines for developing quantitative safety risk criteria. New York:
American Institute of Chemical EngineerseCenter for Chemical Process Safety.
the operational error, mechanical failure, or external event or Chadwell, G. B., & Leverenz, F. L. (August 2000). Use importance measures to reduce
agency that is the first event in an incident sequence and marks the residual risks. Chemical Engineering Progress 51e59.
transition from a normal situation to an abnormal situation. Johnson, R. W. Interfacing HAZOP studies with SIL determinations using expo-
nential frequency and severity categories. In ISA safety symposium 2008; Cal-
Synonymous with initiating event. gary, Alberta.
Layer of protection: A physical entity supported by a manage- Johnson, R. W. (1998). Risk management by risk magnitudes. Chemical Health and
ment system that is capable of preventing an initiating cause from Safety, 5(5).
Leverenz, F. L., & Aysa, J. Cumulative benefit analysis for ranking risk reduction
propagating to a specific loss event or impact. actions. In 9th Process plant safety symposium 2007; Houston, Texas.
Layer of Protection Analysis (LOPA): An approach that analyzes Leverenz, F. L., & Johnson, R. W. (2010). Advanced concepts for process hazard anal-
one incident scenario (cause-consequence pair) at a time, using ysis. Short course CH754. ASME/AIChE Continuing Education Institute. http://
catalog.asme.org/Education/ShortCourse/advanced_concepts_process.cfm.
predefined values for the initiating cause frequency, independent
protection layer failure probabilities, and consequence severity, in
order to compare an order-of-magnitude scenario risk estimate to
tolerable risk goals for determining where additional risk reduction Robert W. (Bob) Johnson earned B.S. and M.S. degrees in chemical engineering from
or more detailed analysis is needed. Scenarios are identified else- Purdue University. He has been a process safety specialist since 1978, and is now
president of the Unwin Company process risk management consultancy. Mr. Johnson
where, typically using a scenario-based hazard evaluation proce-
has authored three Center for Chemical Process Safety (CCPS) books, two sections of
dure such as a HAZOP study. Perry’s Chemical Engineers Handbook, and a CCPS Safety and Chemical Engineering
Likelihood: A measure of the expected probability or frequency Education (SAChE) safety certification module. He lectures on HAZOP studies and other
of occurrence of an event. process safety topics for the AIChE/ASME continuing education program and teaches
process safety at The Ohio State University. He is past chair of AIChE’s Safety & Health
Loss event: Point of time in an abnormal situation when an Division and the Area 11a Loss Prevention programming committee that organizes the
irreversible physical event occurs that has the potential for loss and annual AIChE Loss Prevention Symposium, and is a Fellow of AIChE.