HAZARD & OPERABILITY STUDIES
INTRODUCTION
The technique of Hazard and Operability Studies, or in more common terms HAZOPS, has been used and developed over approximately four decades for 'identifying potential hazards and operability problems' caused by 'deviations from the design intent' of both new and existing process plants. Before progressing further, it might be as well to clarify some aspects of these statements.
Potential Hazard AND Operability Problems
You will note the capitalised 'AND' in the heading above. Because of the high profile of production plant accidents, emphasis is too often placed upon the identification of hazards to the neglect of potential operability problems. Yet it is in the latter area that benefits of a Hazop Study are usually the greatest. To quote an example, a study was commissioned for a new plant. Some two years previously, and for the first time, a similar study had been carried out on different plant at the same site which was then in the process of being designed. Before the latest review commenced, the Production Manager expressed the hope that the same benefits would accrue as before, stating that "in his twenty years of experience, never had a new plant been commissioned with so few problems, and no other plant had ever achieved its production targets and break-even position in so short a time".
Deviation from design intent
To deal firstly with 'design intent', all industrial plant is designed with an overall purpose in mind. It may be to produce a certain tonnage per year of a particular chemical, to manufacture a specified number of cars, to process and dispose of a certain volume of effluent per annum, etc. That could be said to be the main design intent of the plant, but in the vast majority of cases it would also be understood that an important subsidiary intent would be to conduct the operation in the safest and most efficient manner possible.
With this in mind equipment is designed and constructed which, when it is all assembled and working together, will achieve the desired goals. However, in order to do so, each item of equipment, each pump and length of pipework, will need to consistently function in a particular manner. It is this manner which could be classified as the 'design intent' for that particular item. To illustrate, imagine that as part of the overall production requirement we needed a cooling water facility. For this we would almost certainly have cooling water circuit pipework in which would be installed a pump as very roughly illustrated below.
A much simplified statement as to the design intent of this small section of the plant would be "to continuously circulate cooling water at an initial temperature of xºC and at a rate of xxx litres per hour". It is usually at this low level of design intent that a Hazop Study is directed. The use of the word 'deviation' now becomes more easy to understand. A deviation or departure from the design intent in the case of our cooling facility would be a cessation of circulation, or the water being at too high an initial temperature. Note the difference between a deviation and its cause. In the case above, failure of the pump would be a cause, not a deviation.
Industries in which the technique is employed
Hazops were initially 'invented' by ICI in the United Kingdom, but the technique only started to be more widely used within the chemical process industry after the Flixborough disaster in 1974. This chemical plant explosion killed twenty-eight people and injured scores of others, many of those being members of the public living nearby. Through the general exchange of ideas and personnel, the system was then adopted by the petroleum industry, which has a similar potential for major disasters. This was then followed by the food and water industries, where the hazard potential is as great, but of a different nature, the concerns being more to do with contamination rather than explosions or chemical releases.
The reasons for such widespread use of Hazops
Safety and reliability in the design of plant initially relies upon the application of various codes of practice, or design codes and standards. These represent the accumulation of knowledge and experience of both individual experts and the industry as a whole. Such application is usually backed up by the experience of the engineers involved, who might well have been previously concerned with the design, commissioning or operation of similar plant.
However, it is considered that although codes of practice are extremely valuable, it is important to supplement them with an imaginative anticipation of deviations which might occur because of, for example, equipment malfunction or operator error. In addition, most companies will admit to the fact that for a new plant, design personnel are under pressure to keep the project on schedule. This pressure always results in errors and oversights. The Hazop Study is an opportunity to correct these before such changes become too expensive, or 'impossible' to accomplish.
Although no statistics are available to verify the claim, it is believed that the Hazop methodology is perhaps the most widely used aid to loss prevention. The reason for this can most probably be summarised as follows:
- It is easy to learn.
- It can be easily adapted to almost all the operations that are carried out within process industries.
- No special level of academic qualification is required. One does not need to be a university graduate to participate in a study.
THE BASIC CONCEPT
Essentially the Hazops procedure involves taking a full description of a process and systematically questioning every part of it to establish how deviations from the design intent can arise. Once identified, an assessment is made as to whether such deviations and their consequences can have a negative effect upon the safe and efficient operation of the plant. If considered necessary, action is then taken to remedy the situation.
This critical analysis is applied in a structured way by the Hazop team, and it relies upon them releasing their imagination in an effort to discover credible causes of deviations. In practice, many of the causes will be fairly obvious, such as pump failure causing a loss of circulation in the cooling water facility mentioned above. However, the great advantage of the technique is that it encourages the team to consider other less obvious ways in which a deviation may occur, however unlikely they may seem at first consideration. In this way the study becomes much more than a mechanistic check-list type of review. The result is that there is a good chance that potential failures and problems will be identified which had not previously been experienced in the type of plant being studied.
Keywords
An essential feature in this process of questioning and systematic analysis is the use of keywords to focus the attention of the team upon deviations and their possible causes. These keywords are divided into two sub-sets:
- Primary Keywords which focus attention upon a particular aspect of the design intent or an associated process condition or parameter.
- Secondary Keywords which, when combined with a primary keyword, suggest possible deviations.
Primary Keywords
These reflect both the process design intent and operational aspects of the plant being studied. Typical process oriented words might be as follows. The list below is purely illustrative, as the words employed in a review will depend upon the plant being studied.
Flow | Temperature
Pressure | Level
Separate (settle, filter, centrifuge) | Composition
React | Mix
Reduce (grind, crush, etc.) | Absorb
Corrode | Erode
Remembering that the technique is called Hazard & Operability Studies, added to the above might be relevant operational words such as:
Isolate | Drain
Vent | Purge
Inspect | Maintain
Start-up | Shutdown
Secondary Keywords
As mentioned above, when applied in conjunction with a Primary Keyword, these suggest potential deviations or problems. They tend to be a standard set as listed below:
Word | Meaning
---|---
No | The design intent does not occur (e.g. Flow/No), or the operational aspect is not achievable (Isolate/No)
Less | A quantitative decrease in the design intent occurs (e.g. Pressure/Less)
More | A quantitative increase in the design intent occurs (e.g. Temperature/More)
Reverse | The opposite of the design intent occurs (e.g. Flow/Reverse)
Also | The design intent is completely fulfilled, but in addition some other related activity occurs (e.g. Flow/Also indicating contamination in a product stream, or Level/Also meaning material in a tank or vessel which should not be there)
Other | The activity occurs, but not in the way intended (e.g. Flow/Other could indicate a leak or product flowing where it should not, or Composition/Other might suggest unexpected proportions in a feedstock)
Fluctuation | The design intention is achieved only part of the time (e.g. an air-lock in a pipeline might result in Flow/Fluctuation)
Early | Usually used when studying sequential operations, this would indicate that a step is started at the wrong time or done out of sequence
Late | As for Early
HAZOP STUDY METHODOLOGY
In simple terms, the Hazop study process involves applying in a systematic way all relevant keyword combinations to the plant in question in an effort to uncover potential problems. The results are recorded in columnar format under the following headings:
DEVIATION | CAUSE | CONSEQUENCE | SAFEGUARDS | ACTION
Cause
Potential causes which would result in the deviation occurring. (e.g. "Strainer S1 blockage due to impurities in Dosing Tank T1" might be a cause of Flow/No).
Consequence
The consequences which would arise, both from the effect of the deviation (e.g. "Loss of dosing results in incomplete separation in V1") and, if appropriate, from the cause itself (e.g. "Cavitation in Pump P1, with possible damage if prolonged").
Always be explicit in recording the consequences. Do not assume that the reader at some later date will be fully aware of the significance of a statement such as "No dosing chemical to Mixer". It is much better to add the explanation as set out above.
When assessing the consequences, one should not take any credit for protective systems or instruments which are already included in the design. For example, suppose the team had identified a cause of Flow/No (in a system which has nothing to do with the one illustrated above) as being spurious closure of an actuated valve. It is noticed that there is valve position indication within the Central Control Room, with a software alarm on spurious closure. They may be tempted to curtail consideration of the problem immediately, recording something to the effect of "Minimal consequences, alarm would allow operator to take immediate remedial action". However, had they investigated further they might have found that the result of that spurious valve closure would be over pressure of an upstream system, leading to a loss of containment and risk of fire if the cause is not rectified within three minutes. It only then becomes apparent how inadequate is the protection afforded by this software alarm.
Safeguards
Any existing protective devices which either prevent the cause or safeguard against the adverse consequences would be recorded in this column. For example, you may consider recording "Local pressure gauge in discharge from pump might indicate problem was arising". Note that safeguards need not be restricted to hardware… where appropriate, credit can be taken for procedural aspects such as regular plant inspections (if you are sure that they will actually be carried out!).
Action
Where a credible cause results in a negative consequence, it must be decided whether some action should be taken. It is at this stage that consequences and associated safeguards are considered. If it is deemed that the protective measures are adequate, then no action need be taken, and words to that effect are recorded in the Action column.
Actions fall into two groups:
- Actions that remove the cause.
- Actions that mitigate or eliminate the consequences.
Whereas the former is to be preferred, it is not always possible, especially when dealing with equipment malfunction. However, always investigate removing the cause first, and only where necessary mitigate the consequences. For example, to return to the "Strainer S1 blockage due to impurities etc." entry referred to above, we might approach the problem in a number of ways:
- Ensure that impurities cannot get into T1 by fitting a strainer in the road tanker offloading line.
- Consider carefully whether a strainer is required in the suction to the pump. Will particulate matter pass through the pump without causing any damage, and is it necessary to ensure that no such matter gets into V1? If we can dispense with the strainer altogether, we have removed the cause of the problem.
- Fit a differential pressure gauge across the strainer, with perhaps a high dP alarm to give clear indication that a total blockage is imminent.
- Fit a duplex strainer, with a regular schedule of changeover and cleaning of the standby unit.
Three notes of caution need to be borne in mind when formulating actions. Do not automatically opt for an engineered solution, adding additional instrumentation, alarms, trips, etc. Due regard must be taken of the reliability of such devices, and their potential for spurious operation causing unnecessary plant down-time. In addition, the increased operational cost in terms of maintenance, regular calibration, etc. should also be considered (the lifetime cost of a simple instrument will be at least twice its purchase price… for more complex instrumentation this figure will be significantly greater). It is not unknown for an over-engineered solution to be less reliable than the original design because of inadequate testing and maintenance.
Finally, always take into account the level of training and experience of the personnel who will be operating the plant. Actions which call for elaborate and sophisticated protective systems are wasted, as well as being inherently dangerous, if operators do not, and never will, understand how they function. It is not unknown for such devices to be disabled, either deliberately or in error, because no one knows how to maintain or calibrate them.
Considering all Keywords - The Hazop procedure
Having gone through the operations involved in recording a single deviation, these can now be put into the context of the actual study meeting procedure. From the flow diagram below it can be seen that it is very much an iterative process, applying in a structured and systematic way the relevant keyword combinations in order to identify potential problems.
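The iterative procedure described above can be sketched in code. This is an added example, not part of the original text: it enumerates the keyword combinations for one plant section, then reports which combinations have not yet been discussed and which worksheet entries have nothing recorded in the Action column. The function names, the `dismissed` list (combinations for which the team found no credible cause) and the sample worksheet are assumptions constructed for illustration, reusing the wording of the page's examples.

```python
from dataclasses import dataclass
from itertools import product

# Keywords quoted from the page; a real study tailors both lists to the plant.
PRIMARY = ["Flow", "Temperature", "Pressure", "Level"]
SECONDARY = ["No", "Less", "More", "Reverse", "Also", "Other", "Fluctuation"]

@dataclass
class Entry:
    deviation: str      # "Primary/Secondary", e.g. "Flow/No"
    cause: str
    consequence: str    # recorded without credit for existing safeguards
    safeguards: str = ""
    action: str = ""    # never left blank, even if only "No action required"

def deviations(not_applicable=()):
    """All keyword combinations the team must work through for one section."""
    combos = (f"{p}/{s}" for p, s in product(PRIMARY, SECONDARY))
    return [d for d in combos if d not in not_applicable]

def review(worksheet, dismissed, required):
    """Return (combinations still to discuss, entries with no Action recorded)."""
    covered = {e.deviation for e in worksheet} | set(dismissed)
    outstanding = [d for d in required if d not in covered]
    unresolved = [e for e in worksheet if e.consequence and not e.action.strip()]
    return outstanding, unresolved

def demo():
    # Constructed worksheet reusing the page's example wording.
    worksheet = [
        Entry("Flow/No",
              "Strainer S1 blockage due to impurities in Dosing Tank T1",
              "Loss of dosing results in incomplete separation in V1",
              "Local pressure gauge in discharge from pump",
              "Fit a differential pressure gauge across the strainer"),
        Entry("Flow/No",
              "Spurious closure of an actuated valve",
              "Over pressure of an upstream system, loss of containment",
              "Valve position indication with software alarm"),  # Action missing
    ]
    required = deviations(not_applicable=("Temperature/Reverse", "Level/Reverse"))
    return review(worksheet, dismissed=["Flow/Reverse"], required=required)

if __name__ == "__main__":
    outstanding, unresolved = demo()
    print(len(outstanding), "combinations still to discuss")
    for e in unresolved:
        print("No Action recorded:", e.deviation, "-", e.cause)
```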