HAZARD IDENTIFICATION METHODS / Part 2 Antony Thanos Ph.D. Chem. Eng. antony.thanos@gmail

This Project is funded by the European Union

Project implemented by Human Dynamics Consortium

This project is funded by the European Union

Projekat finansira Evropska Unija


Projekat realizuje Human Dynamics Konzorcijum

HAZARD IDENTIFICATION METHODS / Part 2

Antony ThanosPh.D. Chem. [email protected]



• What-if Setting of questions : “What (will happen)

if…?” for the examination of evolution of undesired initial events (deviations from design, normal operation) in small sections of establishment

Areas covered by questions :

o Equipment failures

o Human errors (sequence of actions etc.)

o Operating conditions deviations from normal

o External events



• What-if (cont.) Examples of questions :

o What-if tank level is very high ? (deviation from normal)

o What-if gas phase connection valve remains closed during LPG tank loading ? (human error)



• What-if (cont.) Examples of questions for piping :

o What-if pipe leaks ?

o What-if pipe is plugged ?

o What-if pipe is subject to pressure surge ?

o ……. Please contribute……



• What-if (cont.) Examples of questions for piping :

(cont.)

o What-if pipe is subject to sudden flow interruption (water hammer issues) ?

o What-if pipe is subject to vibration ?

o What-if pipe supports fail ?

o What-if pipe temperature rises ?



• What-if (cont.) Examples of questions for heat

exchangers :

o What-if feed temperature increases ?

o What-if flow stops in hot feed ?

o ……. Please contribute……



• What-if (cont.) Examples of questions for heat

exchangers : (cont.)

o What-if flow stops in cold feed ?

o What-if there is excessive fouling ?

o What-if there is tube failure ?



• What-if (cont.) Example What-if table for Road tanker

movement during loading

What if

Hazard / Consequenc

eSafeguards Proposals

Tanker moves

Hose rupture, LPG leak

Handbrake onBlocks (shoes) on tyres

Break-away couplings



• What-if (cont.)

Please apply What-if in vesselPlease apply What-if in vessel

FI

LC

LIT

LCV

PRV

HV



• What-if (cont.) Example What-if table

What if

Hazard / Consequenc


Level rises

Overpressure and vessel failure

LIC controls level in vessel

Install Level Alarm High (LAH)Modify HV to automatically and remote operated for shutting vessel feed line

Pressure

rises

Vessel failure

PSV Install redundant PSV



• What-if (cont.) Example What-if table (cont.)

What if

Hazard / Consequenc


LIT fails with no

signal provid

ed

Level control fails, potential high level undetected

Install redundant LIT and alarm for bad quality level measurement

LCV fails and

stucks at

position

Level control fails, potential high level

LIT provided indication of level

Install Level Alarm High (LAH)Modify HV to automatically and remote operated for shutting vessel feed line



• What-if (cont.) Advantages :

o Simple

o Applicable even in rather early stage of design

o Correlates hazards, causes and protection measures

o General questions can be applied in every process : e.g. “What will happen if instrument air supply fails?”



• What-if (cont.) Advantages : (cont.)

o Effectively applied with combination of check lists

o Limited time requirements (in the order of 8 days for large processes)



• What-if (cont.) Disadvantages :

o Not strictly defined

o Success heavily depends on experience of work team and questions set

o Hazards can be easily overlooked

o No evaluation of deviation causeNo evaluation of deviation cause (e.g. why tank level is very low, why tanker moved?)

Can be considered as Can be considered as suitablesuitable for Safety for Safety Report, but proper Report, but proper judgmentjudgment for “what- for “what-if” questions is necessaryif” questions is necessary



• FMEA (Failure Mode and Effects Analysis) Focus on events caused by

component failures and not to deviations of operating parameters

Bottom-up approach (initial failure to top event)

Origin from military applications (MIL-P-1629)



• FMEA (cont.) FMEA development :

Identification of sub-systems to be examined

Identification of equipment/components per sub-system

Definition of failure type per equipment (failure cause could also be defined)

Definition of outcomes per failure (assuming that protection measures are not in operation)

Identification of safeguards (protection measures)

Proposals



• FMEA (cont.) General failure types :

o Failure in operation (e.g. unintended stop of agitator)

o Failure to operate at prescribed time (e.g. agitator failure to start when required by process)

o Failure to cease operation at prescribed time (e.g. feed valve failure to close after necessary time to feed reactor – batch process)

o Operation at premature time (e.g. pump starts before discharge valve opens)



• FMEA (cont.) Effects (outcomes) types: Local/System Can be complemented with probability

calculations and severity estimation (FMECA variation of method)

Applicable widely also in electronics aviation, space, automobile industry

Indispensable for reliability concept. Essential method in Safety Integrity Level (SIL) evaluation (FMEDA variation of method)



• FMEA (cont.)Example of simplified results table for LPG

road tanker loading hose

Element

Failure Effects Detection/

Compensation

(Safeguards)

Proposal

LPG Road tanker hose

Hose leaks

LPG leak with fire

Regular testing / inspection of hose

Install remote operated isolation valve in both PG establishment and road tanker piping



• FMEA (cont.)Please apply FMEA to regulating valve (FCV) Please apply FMEA to regulating valve (FCV)

at reactor inletat reactor inlet

FI

LC

LIT

LCV

PRV

FCV



• FMEA (cont.) Example FMEA table

Element

Failure Effects Detection/

Compensation

(Safeguards)

Proposal

Reactant flow control valve (FCV)

Failure in full open position

High reactant flow to reactor

High level toreactor, overpressure

Local flow indicator (FI) in feed line

Level indicatortransmitter (LIT) signal to Distributed Control System (DCS), automatic level control by LCV

Flow indicator transmitter (FIT) with signal to DCS and flow alarm high (FAH)

High/High-High alarm from level transmitter (LAHH)

Independent high-high level switch (LSHH) with interlock to feeding pump operation



• FMEA (cont.) Advantages :

o Strictly defined and systematic method (IEC 60812)

o Direct correlation of hazards and causes and effects

o Easily applied in systems with simple and in-series failures



• FMEA (cont.) Disadvantages :

o Emphasis only to component failures and not to deviations caused by failures in other processes

o Only single failures are used

o Hard to implement in systems where hazards appear as outcome of failure combinations (undetectable failures must be checked for potential hazards in combination with other failures)



• FMEA (cont.) Disadvantages : (cont.)

o Human errors are not easily encountered (only indirectly by component failures incurred)

o Not focused on system/process behaviour

o Experienced personnel required

o Time consuming (in the order of 4 weeks for large systems)



• FMEA (cont.) Can be considered as suitable for Can be considered as suitable for

Safety Reports under the condition Safety Reports under the condition of human errors taken into accountof human errors taken into account



• Fault tree Fault tree development :

o Accident (top event) selection

o Accident causes identification (all intermediate events contributing to top event, 1st stage)

o Identification of all events (2nd stage) contributing to 1st stage events …..

o … down to basic fault events (component faults)



• Fault tree (cont.) Top-down approach Application of Boolean algebra

operands (AND, OR) for definition of sequence for failures and errors (incl. human) contributing to accident

Origin from military application (Bell laboratories, 1962, Minuteman I ICBM) Missile)

Applicable in electronics, aviation, space and nuclear industry, robotics

Results presented in logic diagram form



• Fault tree (cont.) Example : Overfilling of NH3 road

tankerTOXIC RELEASE FROM SAFETY VALVE

OVERFILLINGLOADINGS

OPER.FAILS TO IDENTIFY LI

FAILURE

OPERATORABSENT DURING

LOADINGLEVELINDICATOR (LI)

FAILURE

200 per year OR

AND

10-6 per year

4x10-4 per year

10-3 per year 10-3 per year

2x10-6 per year

1x10-6 per year AND



• Fault tree (cont.) Advantages :

o Well defined (IEC 61025)

o Correlation of hazards and causes

o Combinations of human errors and equipment failures can be identified

o Accident probability calculations possible, if failure/error database is available

o Supplement to other techniques (e.g. what-if, HAZOP) for more detailed examination of causes for significant accidents



• Fault tree (cont.) Disadvantages :

o Complete dependence on final accidents (top events) selected for building trees

o Not all top events guarantied to be identified

o Sequence errors not easily taken into account

o High experienced personnel and proper software required

o Time consuming (in the order of 2 months for large processes)



• Fault tree (cont.) Can be considered as suitable for Can be considered as suitable for

Safety Report, but judgment is Safety Report, but judgment is necessary on completion of top necessary on completion of top events consideredevents considered



• HAZOP (HAZard and OPerability) Study Hazards and malfunctions are

expressed via deviation of operating parameters from normal values, or due to human errors, equipment failures

Usual parameters to be examined :

o Pressure

o Temperature

o Flow

o Level



• HAZOP (cont.) Usual deviation keywords :

ΟμάδαHAZOP

Keywords

Deviation interpretation

ΝοLack/absence, e.g.

No flow : zero flowNo mixing : mixer failure

More

Value higher than normal, e.g.More Temperature : higher temperature, e.g. high temperature in cooling water due to cooling system failure

LessValue lower than normal, e.g.

Less pressure : Lower pressure, e.g. product withdrawal from tank while PVV stuck

Reverse Usually refers to flow with direction reverse to normal



• HAZOP (cont.) Usual deviation keywords (cont.) :

ΟμάδαHAZOP

Keywords


Part ofFraction of normal value, usually for solutions concentration

As well as

Qualitative increase, as for new phase development, or presence of impurities (e.g. water in anydrous ammonia, corrosive)

Before/after

Errors in operations sequence, e.g. addition of sulphuric acid before water in dilution tank during solution preparation

Early/late

Action in wrong time (e.g. early stop of batch reaction)



• HAZOP (cont.) Usual deviation keywords (cont.) :

ΟμάδαHAZOP

Keywords


Loss of Containm

ent

Any event of “Loss of Containment”, not attributed to operation deviation, e.g. Leak from tank failure due to weld failure

Collision of road tanker

Utilities failure

e.g. lack of instrument air or electric power for pneumatic/motorized valves (lack of control action), lack of cooling water supply

Environmental Earthquakes, floods, lightnings

Other than

Complete substitution, e.g. wrong stream feed (for example, feed of propane in butane line)



• HAZOP (cont.) HAZOP examination sessions

overview

ΟμάδαHAZOP

Step 3Comments, proposals

Step 1Design

comprehension

Step 2Systematic

examination of deviations

Keyword Parameter

• NO• LOW• HIGH• AS WELL AS

• Flow• Pressure • Temperature

HAZOP Table

COMMENTS /

PROPOSALS

SAFEGUARDSCONSEQUENCESCAUSESDEVIATION

P-1

Nr

P-2

HAZOP Team



• HAZOP (cont.) HAZOP steps

ΟμάδαHAZOP

Key-words application

Identificationof deviationcauses

Consequences, safeguardsidentification

Discussion,comments, proposals

Nextparameter

Design comprehension

Unit Section (P&ID)

Nextsection



• HAZOP (cont.) Unit/Sections (Nodes)

identification based on main activities. Definition of Section borderlines and related drawings

Sections identification examples :

o Pipeline from port to tank

o Tank

o Tank pump-house

o Road tanker loading station

ΟμάδαHAZOP



• HAZOP (cont.) Main equipment definition per

Section Equipment example for Road

Tanker loading station :

o Liquid phase piping from pump-house

o Gas phase return piping to tank

o Hoses/loading arms

o Road tanker

ΟμάδαHAZOP



• HAZOP (cont.) Before each session, Leader

defines Section to be examined An outline of operation for Section

has to be given (appr. 15 min), so that all group members understand the basic elements of process examined

ΟμάδαHAZOP



• HAZOP (cont.) Example case

ΟμάδαHAZOP

FI

LC

LIT

LCV

PRV

FCV



• HAZOP (cont.) HAZOP Table example for feed line :

Please apply HAZOP for high level and Please apply HAZOP for high level and high pressure in reactorhigh pressure in reactor

ΟμάδαHAZOP

NoDeviati

onCauses

Consequences

SafeguardsComments,

Recommendations

5

High flow

Failure of feed control valve at open position

High level in reactor and potential overpressure

FI (local indicator)

LIT (remote indicator transmitter)

(R) FIT (remote flow transmitters) with flow high alarm (FAH)

HAZARD AND OPERABILITY STUDY Company : ABC S.A. Drawing : S-9871 (31/12/03)

Site : XYZ Site HAZOP Date : 01/10/13Unit : U-1234 Work group : See attendance list

Section: Reactor feed line Rev. : 5



• HAZOP (cont.) HAZOP Table example (cont.):

ΟμάδαHAZOP

NoDeviati

onCauses

Consequences

SafeguardsComments,

Recommendations

76

High pressure

High level in reactor

High temperature in feed

Blocked PSV due to ice accumulation in discharge pipe

Reactor failure PSV (R) As product is very toxic, include rupture disc upstream PSV in order to avoid product (toxic) dispersion in case of PSV leakage

(R) Light weight cup in PSV discharge pine



Section: Reactor vessel Rev. : 5




ΟμάδαHAZOP

NoDeviati

onCauses

Consequences

SafeguardsComments,

Recommendations

75

High level

Failure of either feed (open) or product (closed) valve

Reactor overpressure

LIT (remote indicator)

Level control valve (LCV)

(C) Check that error in LIT provides error signal to DCS and last good value is not retained(R) Provide level alarm high (LAH) and high –LAHH) from LIT signal







ΟμάδαHAZOP

NoDeviati

onCauses

Consequences

SafeguardsComments,

Recommendations

75

High level

(R) Provide level high-high switch (LHHS) from independent level transmitter forcing trip of feed pump






• HAZOP (cont.) HAZOP Study organisation

HAZOP team structure

o Leader/facilitator

o Recorder (Scribe)

o Members (design, operator, maintenance, H&S, I&C, inspection)

ΟμάδαHAZOP

Teamformation

P&IDsstudy

Examinationsessions



• HAZOP (cont.) HAZOP Team

o Usually 4-12 members

o Very small groups lack broad disciplines,

o Very large groups proceed very slowly and have limited discussions between members

ΟμάδαHAZOP



• HAZOP (cont.) HAZOP leader

o Facilitator of team operation

o Keeps team on track

o Avoid unnecessary delays (e.g. unclear issues which need additional information to be provided in later stage)

o Follows up pending issues

o Experienced in HAZOP method application

o Not necessarily a technical expert on the process

ΟμάδαHAZOP



• HAZOP (cont.)

o HAZOP Members disciplines :

o Design

o Operator

o Maintenance

o Health and Safety (H&S)

o Instrumentation and Control (I&C)

o Inspection

o ….

ΟμάδαHAZOP



• HAZOP (cont.) HAZOP examination sessions

organisation:

o Predefined

o Participants presence verified

o Participants do not leave during meeting (dedicated time)

ΟμάδαHAZOP



• HAZOP (cont.) HAZOP examination sessions :

o Usually 2-3 hours, up to 4-6 hours

o Longer sessions result to actually slower progress and bad quality of results due to group fatigue

o Sessions must not be interrupted

o Successive days should be avoided if possible

ΟμάδαHAZOP



• HAZOP (cont.) Necessary support material for

examination session to begin :

o Updated P&IDs

““Carrying out a HAZOP on a Carrying out a HAZOP on a incorrect line diagram is the most incorrect line diagram is the most useless occupation in the world”,useless occupation in the world”, Trevor KletzTrevor Kletz

o Plot plans

o Flow sheets

o Operating manuals, control documentation

ΟμάδαHAZOP



• HAZOP (cont.) Necessary support material for

examination session to begin (cont.) :

o ESD procedures

o Equipment specifications

o SDS

o Accident reports Support material available to

HAZOP team at least 1 week before sessions to begin

ΟμάδαHAZOP



• HAZOP (cont.) HAZOP examination session room :

o Sufficient space, isolated from other activities

o Big table available

o Laptop for HAZOP table entry during session

o Wall/floor stand for drawings

o Projector for clarifications presentation (if necessary, especially in large groups)

ΟμάδαHAZOP



• HAZOP (cont.) Advantages :

o Well defined (IEC 61882)

o Widely applied and recognised

o Systematic and comprehensive -nevertheless creative- technique

o System (process) oriented (developed by ICI)

o Covers both causes and effects of hazards, along with safeguards, in a robust format

o Human errors and equipment failures can be identified



• HAZOP (cont.) Disadvantages :

o Mature design data are needed (not suitable for early design stages)

o Interactions between sections not straightforward examined

o Special hazards need use of special keywords



• HAZOP (cont.) Disadvantages : (cont.)

o Rather time consuming (in the order of 4 weeks for large processes)

o Plant layout issues not inherently taken into account

Can be considered as suitable for Can be considered as suitable for Safety ReportsSafety Reports

Nevertheless, please do not forget …Nevertheless, please do not forget …



• HAZOP (cont.) ““A HAZOP is no substitute for A HAZOP is no substitute for

knowledge and experience. It is knowledge and experience. It is not a sausage machine which not a sausage machine which consumes line diagrams and consumes line diagrams and produces lists of modifications. It produces lists of modifications. It merely harnesses the knowledge merely harnesses the knowledge and experience of the team in a and experience of the team in a systematic and concerned waysystematic and concerned way””, , Trevor KletzTrevor Kletz



• Event tree Logic evolution of potential

outcomes (top event) of an initial event

Bottom-up approach Results in tree form (sequence of

failures leading to accident) Safety measures taken into

account



• Event tree (cont.) Development of event tree :

o Selection of initial events, such as :process upset (e.g. high

pressure)equipment failure (e.g. hose

rupture)human error (e.g. closure of

valve at pump discharge)



• Event tree (cont.) Development of event tree : (cont.)

o For each initial event, identification of safety measures, such as :

equipment for prevention of further escalation of upsets (e.g. PSV for high pressure upset, emergency shut down systems)

alarms (if mitigation actions are possible)operator actions (e.g. operator closes

remote-operated isolation valves in loading station and road tanker)

mitigation equipment (e.g. water courtains)



• Event Tree (cont.) Example case for high flow to

reactor (assuming containing LPG)

ΟμάδαHAZOP

FI

LC

LIT

LCV

PRV

FCV



• Event tree (cont.) Example tree

INITIAL EVENT

LCV PSV IGNITIONTOP EVENT

LCV OPERATES

SAFE

HIGHFLOW

LCV FAILS PSV

OPENS IMMEDIATEJET FLAME

DELAYEDFLASH FIRE/UCVE

PSV FAILS

BLEVE (FIREBALL)



• Event tree (cont.) Usually used in categorisation of final

accidents (top events) per initial release identified (e.g. jet flame after failure of pipeline due to corrosion)

Typical top events :

Pool fire, BLEVE (fire ball)

Flash fire UVCE

Toxic dispersion Missiles Technique in the borderline of hazard

identification and consequence analysis



• Event tree (cont.) Advantages :

o Can be combined with probabilities calculation for initial event and conditions for top event calculations

o Can be used in combination with Fault Trees

Disadvantages :

o Total dependence on initial event selection

o Very complex in large processes

o Time consuming (8 weeks for large processes)



• Bow-Tie Combination of Fault Tree and Event Tree Development of Bow-Tie :

o Selection of critical event

o Identification of causes leading to critical event (fault tree side)

o Identification of development of critical event to top event/final accident (event tree side)

o Safety measures (safety barriers) included :

o prevention (fault tree side)

o mitigation/recovery (event tree side)



• Bow-tie simplified example, LPG hose rupture

THREATSTHREATSHOSE

RUPTURE

Tankermoves

Materialfailure

Handbreakon

Break-awaycouplings

Inspection

OR

Remoteisolationvalves

Delugesystem

PREVENTIONPREVENTIONBARRIERSBARRIERS

MITIGATION MITIGATION BARRIERSBARRIERS

TOP EVENTTOP EVENT(final accident)(final accident)

Safe dispersion

Ignitioncontrol

Flash fire

VCE(ignitionoutside)

Jet flame/BLEVE



• Bow-Tie Advantages :

o Effective in early stage of design for identification of safety measures required

o Easy to develop, understand and communicate (graphical illustration of problem)

o Not high expertise necessary

o Visible links to competencies, systems compoments, HSE issues



• Bow-Tie Disadvantages :

o Total dependence on top event selection

o Very complex in large processes, oversimplifications possible

o Possible confusion on relation of mitigation measures with initial causes



• Conclusion for Hazard Identification Methods Not suit fits allNot suit fits all Technique selection depends on:

o project maturity stage (concept, early design, detailed design, existing establishment)

o system complexity

o required outcomes (quantitative/ qualitative results)



• Literature for Hazard Identification Methods

Lees’ Loss Prevention in the Process Industries, Elsevier Butterworth Heinemann, 3nd Edition, 2005

Guidelines for Hazard Evaluation Procedures, CCPS-AICHE, 2nd Edition,, 1995

Procedures for performing Effective pre-Startup Safety Reviews, CCPS-AICHE, 2007

HSL, Review of Hazard Identification Techniques, HSL/2005/58

Nolan D., Application of HAZOP and What-if Safety Reviews to the Petroleum, Petrochemical and Chemical Industries, Noyes Publications, 1994

Vincoly J., Basic Guide to System Safety, John Wiley and Sons, 2nd Edition, 2006

DOE Handbook, Chemical Process Hazards Analysis, US DOE, DOE-HDBK-1100-2004



• Literature for Hazard Identification Techniques (cont.)

Methods for Determining and Processing Probabilities, Red Book, CPR12E, VROM, 2005

RIVM, Reference Manual Bevi Risk Assessments, 2009

DOW Fire and Explosion Index, AICHE, 7th Edition, 1994

The basics of FMEA, CRC Press, 2nd Edition, 2009

Guide Dépôts de Liquides Inflammables, Groupe de Travail Dépôt de Liquides Inflammables (GTDLI), 2008 (in French, default fault trees included)

Syed Zaiful Hamzah, ABS Group, Use Bow Tie Tool for Easy Hazard Identification, 14th Asia Pacific Confederation of Chemical Engineering Congress Singapore, 21-24 February 2012



• Literature for Hazard Identification Techniques (cont.)

API RP 14C, Recommended Practice for Analysis, Design, Installation and Testing of Basic Surface Safety Systems for Off-shore Production Platforms, 7th Edition, 2001

API RP 14J, Recommended Practice for Design and Hazard Analysis for Off-shore Production Facilities, 2nd Edition, 2001

IEC 31010, Risk Management -Risk Assessment Techniques, 2009

IEC 60300, Dependability management , Part 3-1 Application guide – Analysis techniques for dependability – Guide on methodology, 2003

IEC 60812, Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA), 2nd Edition, 2006

IEC 61025, Fault Tree Analysis (FTA), 2nd Edition, 2006

IEC 61882, Hazard and Operability Studies (HAZOP), Application Guide, 2001

Documents

HAZARD IDENTIFICATION METHODS / Part 2 Antony Thanos Ph.D. Chem. Eng. antony.thanos@gmail