HAZOP Preparation – Critical Technical Steps Often Missed:
Based on practical project experience, many issues attributed to “poor HAZOP quality” do not originate during the HAZOP sessions themselves.
They arise before the first workshop even begins, due to gaps in preparation and methodology.
The following critical steps are still frequently missed:
HAZOP Template Validation
The HAZOP worksheet or template must be proven and suitable for the specific application, considering process type, system complexity, and regulatory expectations.
Generic templates often introduce blind spots in hazard identification, safeguard recognition, and recommendation quality.
Parameters and Guidewords – Finalize Before the Sessions
Process parameters and guidewords must be clearly defined, discussed, and agreed prior to starting the HAZOP.
Late changes during workshops undermine consistency, traceability, and the validity of identified deviations and safeguards.
Node Definition
Nodes must be clearly defined with finalized and agreed boundaries, supported by up-to-date P&IDs.
Poor node definition frequently results in duplicated discussions, inefficient sessions, or missed hazards.
Inclusion of External Events
External events—such as utility failures, loss of instrument air, and total or partial power failures—must be explicitly included in the HAZOP scope, not assumed.
Omitting these scenarios can leave significant risk contributors unaddressed.
Operating Modes Are Not Optional
All relevant operating modes must be considered, including start-up, shutdown, maintenance, abnormal, and emergency conditions.
Many major incidents occur outside normal steady-state operation, yet these modes are still underestimated in many HAZOP studies.
A well-executed HAZOP is not defined by facilitation skills alone.
It depends on rigorous preparation, an agreed methodology, disciplined scope definition, and technical completeness.

Functional Safety Assessor Independence – Why It Matters (IEC 61511, Process Sector)
IEC 61511 requires competence and adequate independence for Functional Safety Assessments (FSA).
In my opinion, the key benefits of an independent assessor are:
Independence is not only technical — it is also organizational:
• Not involved in project design, verification, or implementation
• Not reporting to the same project manager, line manager, or director
• Free to challenge design decisions and prevent unsafe shortcuts
This independence adds real value by:
• Providing objective challenge to SIS design, IPL assumptions, and testing practices
• Increasing credibility with regulators, insurers, and auditors
• Offering stronger protection for the company’s Functional Safety department
In the process sector, where consequences are high, independence directly supports real functional safety — not just compliance.

Functional Safety Insights by Kamran Mojtehedi

Why Loop / Wiring Diagrams Are Critical for Functional Safety
One of the most important source documents for SIL calculation, SIF response time calculation, and proof-test procedures is the loop wiring diagram.
Why?
Because the loop wiring diagram is the place where most of the devices that form a SIF are represented and clearly identified.
It shows the wired and signal path portions of the loop, including instrumentation and associated components.
(Items such as impulse lines and final elements like valves and actuators are typically covered in other drawings.)
The loop wiring diagram allows you to clearly identify most of the components that contribute to the Safety Instrumented Function, including:
• Sensors and transmitters
• Signal conditioning, barriers, and isolators
• Logic solver
• Relays and solenoids
Any device whose dangerous failure can prevent the SIF from bringing the process to its defined safe state must be included.
Therefore, the loop wiring diagram is a key input for:
• SIL calculations
• Proof-test procedures
• SIF response time calculation
If a component is part of the loop but excluded from:
• SIL calculations
• Proof-test procedures
• Response time verification
— then the functional safety goal and integrity target are not achieved.
This is why Functional Safety Assessments shall include this type of detailed loop-level review.
Anything that contributes to the SIF belongs in the analysis, the calculations, and the proof test.

Why must FSAs account for hazardous area classification, EMI/RFI, and operating environment?
Because Functional Safety does NOT exist in isolation from the operating environment.
A Safety Instrumented Function (SIF) is only as good as the real-world performance of its devices—sensors, logic solvers, and final elements.
If a device:
• Cannot measure correctly, or
• Cannot function reliably under actual site conditions,
then functional safety, SIL, PFDavg, and the supporting calculations become meaningless.
That is exactly why IEC 61511 explicitly requires consideration of operating environment, including:
• Hazardous area classification
• Ambient temperature extremes
• Pressure, vibration, corrosive or dusty atmospheres
• EMI / RFI and electrical interference
• Utility quality (power, air, hydraulics), ...
IEC 61511 (Ed.2) clearly states that operating environment conditions inherent to the installation can affect device functionality and safety integrity.
Bottom line:
✔ SIS and credited IPL devices must be correctly selected,
✔ properly rated for area classification,
✔ installed within manufacturer limits, and
✔ capable of reliable operation under actual process and environmental conditions.
Otherwise, functional safety and reliability are just assumptions—not protection.
This is exactly why FSA Stage 3 must go beyond documents and calculations and verify real installation, environment, and device suitability.
IEC 61511, clause 10.3.2, ...

Hydrogen Electrolyzers: Functional Safety Must Be Engineered In — Not Added Later
Hydrogen electrolyzers operate with high energy density, high pressures, and wide flammability ranges.
That means functional safety is not optional — it is fundamental.
From my experience working on electrolyzer projects, real safety depends on more than documents and SIL numbers. It requires:
• Correct hazard identification (HAZOP / What-If)
• Clear SIF definition tied to specific hydrogen hazards
• Proper independence between BPCS and SIS
• Verified sensors, final elements, and logic suitable for hydrogen service
• FSA involvement early — not only at the end of the project
Finding gaps at FSA Stage 3 or later is often too late and too costly.
Hydrogen projects succeed when process design, controls, and functional safety are engineered together — not treated as checkboxes.
Real functional safety protects people, assets, and project credibility.

One recurring gap I still see during FSA Stages is a disconnect between process engineering and SIS engineering when calculating SIF response time.
In many projects, the SIF response time is calculated correctly from the SIS perspective:
• Sensor response time
• Logic solver scan time
• Configured delay time
• Final element (for example, valve) stroke time
However, process lag (if any) is often missing from the equation.
Process lag is not an SIS parameter—it belongs to process engineering—but it directly affects whether the SIF can bring the process to a safe state before the hazardous consequence occurs.
A SIF may meet its calculated response time, yet still fail to prevent the hazard if process dynamics are not considered.
There are other disconnects observed during FSA as well. I’ll try to share them here when time allows.
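The following Python snippet is an added illustration of the disconnect described above, not material from the author's posts: it totals the SIS-side terms listed (sensor, logic scan, configured delay, final element stroke), adds the process lag supplied by process engineering, and compares both figures with the process safety time. All names and timing values are constructed for the example.

```python
# Added example: SIF response-time check that includes process lag.
# Class and figures are constructed for illustration; all times in seconds.
from dataclasses import dataclass


@dataclass
class SifTiming:
    sensor_response: float        # detection time of the sensor / transmitter
    logic_scan: float             # logic solver scan (cycle) time
    configured_delay: float       # any trip delay configured in the logic
    final_element_stroke: float   # e.g. valve travel time to the safe position
    process_lag: float            # process-side lag after the final element acts

    def sis_response_time(self) -> float:
        """What the SIS perspective usually totals: sensor + logic + delay + final element."""
        return (self.sensor_response + self.logic_scan
                + self.configured_delay + self.final_element_stroke)

    def time_to_safe_state(self) -> float:
        """SIS response time plus process lag: when the process actually reaches the safe state."""
        return self.sis_response_time() + self.process_lag


def check_sif_timing(sif: SifTiming, process_safety_time: float) -> dict:
    """Compare both totals against the process safety time (time from the demand
    until the hazardous consequence occurs). The SIS-only figure can pass while
    the figure that includes process lag fails."""
    sis_t = sif.sis_response_time()
    total_t = sif.time_to_safe_state()
    return {
        "sis_response_time": sis_t,
        "time_to_safe_state": total_t,
        "sis_only_passes": sis_t <= process_safety_time,
        "with_process_lag_passes": total_t <= process_safety_time,
        "margin_s": process_safety_time - total_t,  # negative: hazard occurs first
    }


# Constructed case: every SIS element is within spec, but a 6 s process lag
# pushes the time to safe state past a 15 s process safety time.
EXAMPLE_SIF = SifTiming(sensor_response=2.0, logic_scan=0.5,
                        configured_delay=1.0, final_element_stroke=8.0, process_lag=6.0)
PROCESS_SAFETY_TIME = 15.0

if __name__ == "__main__":
    print(check_sif_timing(EXAMPLE_SIF, PROCESS_SAFETY_TIME))
```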

Practical engineering lessons from real projects and Functional Safety Assessments (FSA)

LOPA Question for Functional Safety Professionals
What would you do if, in a quantitative LOPA, the required risk reduction factor (RRF) is 800 (within the SIL 2 range), but the designed SIF achieves SIL 2 with an RRF of only ~300?
Even though SIL 2 is nominally achieved, this is NOT acceptable.
If the LOPA documents a required RRF, the achieved RRF must be equal to or greater than the required RRF.
Meeting the SIL band alone is insufficient if the quantitative target is not met.
Otherwise, the residual risk remains higher than what was deemed tolerable in LOPA.
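As an added worked example (not the author's own material), the Python below applies the acceptance rule stated above to the post's figures: required RRF 800, achieved RRF around 300. It assumes the low-demand SIL bands of IEC 61508/61511 and the simplified single-channel (1oo1) PFDavg formula lambda_DU * TI / 2; the failure rate and proof-test intervals are constructed values.

```python
# Added example: LOPA required-RRF check against an achieved SIF PFDavg.
# Assumptions (not from the post): low-demand SIL bands per IEC 61508/61511 and
# the simplified 1oo1 formula PFDavg = lambda_DU * TI / 2 (perfect proof test).

# (SIL, RRF lower bound inclusive, RRF upper bound exclusive), low-demand mode
SIL_BANDS = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified 1oo1 PFDavg: constant dangerous-undetected rate, perfect proof test."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def sil_band(rrf: float):
    """SIL band the risk reduction factor falls in, or None if below SIL 1."""
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    return None


def verify_against_lopa(required_rrf: float, achieved_pfd_avg: float) -> dict:
    """Apply both conditions: the SIL band is reached AND achieved RRF >= required RRF."""
    achieved_rrf = 1.0 / achieved_pfd_avg
    required_sil, achieved_sil = sil_band(required_rrf), sil_band(achieved_rrf)
    band_met = (achieved_sil is not None and required_sil is not None
                and achieved_sil >= required_sil)
    rrf_met = achieved_rrf >= required_rrf
    return {
        "achieved_rrf": achieved_rrf,
        "required_sil": required_sil,
        "achieved_sil": achieved_sil,
        "sil_band_met": band_met,
        "rrf_target_met": rrf_met,
        "acceptable": band_met and rrf_met,  # the SIL band alone is not enough
    }


def max_proof_test_interval(lambda_du_per_hour: float, required_rrf: float) -> float:
    """Longest TI (hours) for which the simplified 1oo1 PFDavg still meets 1/required_rrf."""
    return 2.0 / (lambda_du_per_hour * required_rrf)


# Constructed figures: required RRF 800 (SIL 2 band); a 1oo1 SIF with
# lambda_DU = 7.6e-7 /h proof-tested yearly (8760 h) gives RRF ~ 300: not acceptable.
REQUIRED_RRF, LAMBDA_DU = 800, 7.6e-7
RESULT_YEARLY = verify_against_lopa(REQUIRED_RRF, pfd_avg_1oo1(LAMBDA_DU, 8760))
TI_MAX = max_proof_test_interval(LAMBDA_DU, REQUIRED_RRF)   # ~3289 h
RESULT_FIXED = verify_against_lopa(REQUIRED_RRF, pfd_avg_1oo1(LAMBDA_DU, 3000))
```

Shortening the proof-test interval is only one of the ways to close such a gap; the point of the block is that the acceptance decision is driven by the RRF comparison, not by the SIL label.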