
Hazop and Hazan, Fourth edition

Trevor Kletz


The Author

Known throughout the process industries as a gifted communicator on safety matters, Trevor Kletz has wide knowledge of both practice and theory. He joined Imperial Chemical Industries on graduating as a chemist and spent eight years in research, sixteen in production management and the last fourteen as safety adviser to the Petrochemicals Division. On retiring from ICI he joined Loughborough University of Technology, at first full-time and then from 1986 as a Visiting Fellow. He has written nine books and more than a hundred papers on loss prevention and process safety and is a Fellow of the Royal Academy of Engineering, the Institution of Chemical Engineers, the Royal Society of Chemistry and the American Institute of Chemical Engineers.



Hazop and Hazan: Identifying and assessing process industry hazards. Fourth edition

Trevor Kletz

IChemE

The information in this book is given in good faith and belief in its accuracy, but does not imply the acceptance of any legal liability or responsibility whatsoever, by the Institution, or by the author, for the consequences of its use or misuse in any particular circumstances. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher.

Published by Institution of Chemical Engineers, Davis Building, 165–189 Railway Terrace, Rugby, Warwickshire CV21 3HQ, UK. IChemE is a Registered Charity.

© 1999 Trevor Kletz. ISBN 0 85295 421 2

Printed in the United Kingdom by Galliards, Great Yarmouth


Preface

The Institution of Chemical Engineers' example syllabus for an accredited degree in chemical engineering1 features 'Systematic identification and quantification of hazards, including hazard and operability studies', and this book is intended to spread knowledge of these subjects. The first edition was based on lecture notes that I had used for several years for teaching these subjects to undergraduate and graduate students, to mature students attending short courses on loss prevention and to former colleagues attending in-house courses in industry. University departments of chemical engineering may therefore find the book useful. It may also be useful for in-house courses in industry. It is intended as an introduction to the subject rather than a handbook for experts.

A few suggestions on the presentation of the material may be helpful. Chapter 1 puts the material in context and can form an introduction to the first session of a course. Chapter 2 deals with identification of hazards by hazard and operability studies (Hazop) and requires at least two hours. It could be presented as a lecture in one hour but it is better if those present can complete the various columns in Table 2.2 (pages 14–15), the lecturer (or discussion leader) writing them down on a board as they do so. The group must, of course, be allowed to come to different conclusions than those in the table if they wish to do so. There is no right answer. The group may consider that those who drew up Table 2.2 went too far or did not go far enough, and the group could be right. If possible the group should not exceed 20 people; the fewer the better, as long as at least five or six are present. Chapter 3 deals with the quantification of hazards by hazard analysis (Hazan) and requires at least three hours. Mature students seem able to take three hours at a stretch, but not undergraduates! Chapter 4 describes some of the points to look for when reading hazard analyses carried out by others. It is intended for mature students. Chapter 5 briefly discusses some of the objections that have been raised to Hazop and Hazan.


Chapter 6 discusses sources of data and confidence limits. Chapter 7 gives a brief history of Hazop and Hazan. The subjects discussed in this book and many other aspects of loss prevention are treated more extensively in F.P. Lees' Loss Prevention in the Process Industries (second edition, three volumes, Butterworth-Heinemann, 1996), especially Chapters 7–9 (referred to in later pages as Lees).

Thanks are due to the many colleagues who provided ideas for this book or commented on the draft and to the Science and Engineering Research Council for financial support for the first edition. For the third edition I corrected a few misprints, added a few words of additional explanation here and there (especially in Sections 3.4 and 5.3 and in Chapters 6 and 7) and included some new references and some examples of accidents that could have been prevented by Hazop. In this fourth edition, about 40% longer than the third, the basic plan is unchanged. I have not added descriptions of more complex methods of calculation which might give a little more accuracy. Instead I have tried to answer more of the questions that I am often asked, tried to increase awareness of the pitfalls which await the unwary and added more examples of the applications of Hazop and Hazan. A training package on the subject of this book is available from the Institution of Chemical Engineers2.

I have often been irritated by authors who use phrases such as 'as discussed in an earlier chapter' without saying which one. I have therefore included cross-references whenever a topic is discussed under more than one heading. To avoid the clumsy phrases 'he or she' and 'him or her' I have used 'he' and 'him'. Though there has been a welcome increase in the number of women employed in the process industries the manager, designer and accident victim are still usually male.

I would like to thank the many people without whose work and advice I would have been unable to write this book or prepare the successive editions. Finally, I have tried to follow the advice of Joseph Pulitzer (1847–1911):

'Put it before them briefly so they will read it, clearly so they will appreciate it, picturesquely so they will remember it, and, above all, accurately so they will be guided by its light.'


References

1. Accreditation of University Chemical Engineering Courses — A Guide for University Departments, November 1996, Appendix 1, paragraph 10.1 (Institution of Chemical Engineers, Rugby, UK).
2. Anon, 1999, Interactive Training Package No. 034, Hazop and Hazan and Multi-stage Hazard Study (Institution of Chemical Engineers, Rugby, UK).


Contents

Preface iii
Forethoughts xi

1 Hazard identification and assessment 1
1.1 Introduction 1
1.2 A note on nomenclature 5
1.3 Legal requirements 7

2 Hazard and operability studies (Hazop) 9
2.1 What is a Hazop? 9
2.2 Who carries out a Hazop, and what should be recorded? 20
2.3 When is a Hazop carried out and how long does it take? 26
2.4 Some points to watch during Hazop 27
2.5 An example of a Hazop 34
2.6 Could a computer carry out a Hazop? 37
2.7 The limitations of Hazop 41
2.8 'Do we need to Hazop this plant?' 'It is only a simple project' or 'It is similar to the last one' 47
2.9 The use of quantitative methods during Hazop 50
2.10 The use of Hazop in other industries 51
2.11 Other methods of identification 54
2.12 Auditing Hazop 56
2.13 Conclusion 56
Appendix to Chapter 2 — Some accidents that could have been prevented by Hazops 61
A2.1 Reverse flow 61
A2.2 Bhopal 62
A2.3 A fire in a water sump 63
A2.4 A protective device that did not work 63
A2.5 Services and modifications — two neglected areas 64
A2.6 A computer-controlled batch reaction 65
A2.7 Abbeystead — an explosion in a water pumping station 67
A2.8 The Sellafield leak 67
A2.9 Formation of separate layers 71
A2.10 The need for different sorts of knowledge 72
A2.11 An incident from another industry 75

3 Hazard analysis (Hazan) 77
3.1 Objective 77
3.2 Why do we want to apply numerical methods to safety problems? 78
3.3 The stages of Hazan 80
3.4 Choosing targets or criteria 83
3.5 Estimating how often an incident will occur 105
3.6 Pitfalls in Hazan 120
3.7 The man or woman in the middle 130
3.8 Examples of Hazan 133
3.9 A summary of the main sources of error in Hazan 143
3.10 A final note 143
Appendix to Chapter 3 — Belt and braces 148

4 A manager's guide to hazard analysis 152
4.1 Introduction 152
4.2 Arithmetic, algebra and units 153
4.3 The model 154
4.4 The unforeseen hazards 158
4.5 The assumptions 159
4.6 Data 160
4.7 Human reliability 162
4.8 The recommendations 163
4.9 Comparison with experience 164
4.10 Closed shop or open shop? 165

5 Objections to Hazop and Hazan 168
5.1 Objections to Hazop 168
5.2 Technical objections to Hazan 169
5.3 Popular objections to Hazan 181
5.4 The regulator's view 187
Appendix to Chapter 5 — Limitations on the application of quantitative methods to railway travel 193

6 Sources of data and confidence limits 195
6.1 Data banks and data books 195
6.2 If failure has never occurred 196
6.3 Confidence limits 196
6.4 Data on mechanical equipment may be data on people 197
6.5 Chaos 198
6.6 Pitfalls in extrapolating data 199

7 The history of Hazop and Hazan 203
7.1 Hazop 203
7.2 Hazan 207

Conclusions 213
Addendum 1 — An atlas of safety thinking 214
Addendum 2 — Myths of Hazop and Hazan 218
Index 224


Forethoughts

'We Athenians in our persons take our decisions on policy and submit them to proper discussion. The worst thing is to rush into action before the consequences have been properly debated. And this is another point where we differ from other people: we are capable at the same time of taking risks and estimating them beforehand. Others are brave out of ignorance; and when they stop to think they begin to fear. But the man who can most truly be accounted brave is he who best knows the meaning of what is sweet in life, and what is terrible, and then goes out undeterred to meet what is to come.'

From Pericles' funeral oration in Thucydides' History of the Peloponnesian Wars, ca. 430 BC (quoted in Probabilistic Safety Assessment and Management, edited by P.C. Cacciabue and I.A. Papazoglou, Springer, 1996)

'... there's a tremendous gap between what can be done and what is actually done, and a great deal hinges on the quality of the personnel in any given organisation. Success depends on an awareness of all possible failure modes, and whenever a designer is either ignorant of or uninterested in, or disinclined to think in terms of failure, he can inadvertently invite it.'

Ivars Peterson, Fatal Defect, Random House, 1996, page 111


1 Hazard identification and assessment

'The great end of life is not knowledge but action.' T.H. Huxley (1825–1895)

1.1 Introduction

Figure 1.1 Methods of identifying and assessing hazards. Methods of identifying hazards: Obvious; See what happens; Check-list; Hazop. Methods of assessing hazards: Obvious; Experience; Codes of practice; Hazard analysis (Hazan).

The techniques for identifying hazards — for finding out what hazards are present in a plant or process — and the techniques for assessing those hazards — for deciding how far we ought to go in removing the hazards or protecting people from them — are often confused. Figure 1.1 may help to make the differences clear. The left-hand side shows some of the methods used for identifying hazards and problems that make operation difficult.

Some hazards and problems are obvious. For example, if we manufacture ethylene oxide by mixing oxygen and ethylene close to the explosive limit we do not need a special technique to tell us that if we get the proportions wrong there may be a big bang.

The traditional method of identifying hazards — in use from the dawn of technology until the present day — was to build the plant and see what happens: 'every dog is allowed one bite'. Until it bites someone, we can say that we did not know it would. This is not a bad method when the size of an incident is limited but is no longer satisfactory now that we keep dogs which

HAZOP AND HAZAN

may be as big as Bhopal (over 2000 killed in one bite) or even Flixborough (28 killed). We need to identify hazards before the accidents occur.

Check-lists are often used to identify hazards but their disadvantage is that items not on the list are not brought forward for consideration and our minds are closed to them. Check-lists may be satisfactory if there is little or no innovation and all the hazards have been met before, but are least satisfactory when the design is new. For this reason the process industries have come to prefer the more creative or open-ended technique known as a hazard and operability study or Hazop. It is described in Chapter 2. It is now widely used on designs for new plants and plant extensions but, because of the effort involved, has been less widely used on existing plants.

Samuel Coleridge described history as 'a lantern on the stern', illuminating the hazards the ship has passed through rather than those that lie ahead. It is better to illuminate the hazards we have passed through than not illuminate them at all, as we may pass the same way again, but we should try to see them before we meet them. Hazop can be a lantern on the bow. Unfortunately we do not always learn from the hazards we have passed through, but that is outside the scope of this book1,2. Other methods of identifying hazards are described in Lees, Chapter 8, and are summarized in Section 2.11, page 54.

After we have identified the hazards we have to decide how far to go in removing them or in protecting people and property. Some of the methods used are listed on the right-hand side of Figure 1.1. Sometimes there is a cheap and obvious way of removing the hazard; sometimes our experience or a code of practice tell us what to do. Sometimes it is less easy to decide. We can then try to work out the probability of an accident and the extent of the consequences and compare them with a target or criterion. This method is called hazard analysis or Hazan in this book. Sometimes a five-minute estimation is sufficient. On other occasions detailed studies can take many weeks.

Hazop can and should be applied to all new designs, unless we are making an exact copy of an existing plant which has been proved satisfactory, as we need to know all the hazards and all the problems that can prevent efficient operation. Hazan on the other hand should be used selectively: there are neither the need, the data nor the resources to attempt to quantify every problem on every plant. Caning3 has described a Hazop which produced 326 recommendations of which only seven justified a detailed hazard analysis.

In the development of a design the Hazop comes first. We identify the hazards and the problems that prevent efficient operation and then decide what to do about them. However, if there is an obvious major hazard we may start on

HAZARD IDENTIFICATION AND ASSESSMENT

Table 1.1 The differences between Hazop and Hazan

Hazop                                       | Hazan
Identifies hazards                          | Assesses hazards
Preferred technique: use on every project   | Selective technique: use when others fail
Qualitative                                 | Quantitative
Done by a team                              | Done by one or two people
Also called: 'What if?'                     | Also called: Risk analysis; Risk assessment; Probabilistic risk assessment (PRA); Quantitative risk assessment (QRA)

the Hazan before the Hazop is carried out. In a Hazop the operability part is as important as the hazard part. In most studies more operating problems are identified than hazards.

Hazop and Hazan are often confused, and Hazop is sometimes used to describe any technique for identifying hazards. Figure 1.1 and Table 1.1 should make the difference clear. However, if someone asks you to carry out a Hazop or Hazan on a design, first make sure that the questioner is clear on the difference between them and is using the terms correctly.

The techniques described in later chapters are sophisticated techniques which enable companies to use their resources more effectively. They assume that the general level of management is competent, that the plant will be operated and maintained in the manner assumed by the design team and in accordance with good management and engineering practice. In particular they assume that protective systems will be tested regularly and repaired promptly when necessary. If these assumptions are not true then Hazop and Hazan are a waste of time. It is no use identifying hazards or estimating their probability if no-one wants to do anything about them; it is no use installing trips and alarms if no-one is going to use or maintain them. The time spent on Hazop and Hazan would be better spent on bringing the safety consciousness of employees and management up to standard. The following is a summary of a paper by Atallah and Guzman on doing this in developing countries4 (and perhaps elsewhere):

• Be patient when you are waiting for data, prompt when asked for advice.
• Include in your team someone who speaks the local language.
• Submit your report in draft for comment; justify your criticisms and recommendations.
• Photograph problem areas.
• Visit the plant at night.
• Wear all the required protective clothing and follow all the safety rules.
• Expect to be asked about subjects not covered in the remit.
• Provide the client with copies of references, codes, and so on, not just a list of them.
• Involve the client in your audit.
• Learn as much as you can beforehand about the customs and culture of the country, expect a cultural shock and do not discuss politics or religion.

If you wish to introduce Hazop and/or Hazan into an organization in which they have not been used before, you should start small. Do not try to set up a large team capable of studying all new and existing designs. Instead apply the methods to one or two problems. If your colleagues find that the methods are useful they will ask for more and the use of the techniques will grow. If, on the other hand, the methods do not suit your organization, little has been lost.

Despite all our efforts we shall fail to foresee every hazard and some will result in accidents. We should learn from these accidents, not only from those that result in serious injury or damage but also from those that do not — for example, leaks that do not ignite. If these 'near-misses' are not investigated and the lessons made known to those concerned, next time injury or damage may result.

In my former company, ICI, Hazop and Hazan form part of a series of six hazard studies carried out on new projects as they progress5. They are:

(1) Exploratory phase — identification of basic hazards and assessment of suitability of possible sites.
(2) Flowsheet phase — identification and assessment of significant hazards, using Hazan.
(3) Detailed design — Hazop.
(4) Construction — a check that decisions made in earlier studies have been implemented.
(5) Commissioning — final inspection.
(6) Post-commissioning — safety audit and review of modifications.

It seems from this list that the assessment of hazards is carried out in Study 2 before the hazards have been identified by Hazop in Study 3. However, the obvious hazards should be assessed as soon as possible. The Hazop will identify other hazards, most of which will be assessed qualitatively during the Hazop, but some of which will have to be assessed outside the meeting by Hazan.

Section 2.7 (page 41) discusses the limitations of the six-stage procedure and of Hazop in particular. It also makes it clear that assessing the probability and size of a hazard, though valuable and often necessary, is always a second-best choice. When we can we should avoid the hazard. Before we estimate the probability that a toxic or flammable substance will leak and the injury and damage that will result, we should ask if a non-flammable or non-toxic material could be used instead or if it is possible to use so little of the hazardous material that it would not matter if it all leaked out.

1.2 A note on nomenclature

Hazard analysis has several other names (see Table 1.1 on page 3). When I wrote my first paper on the use of quantitative methods of assessing risks in the chemical industry6 I started by using the term 'risk analysis'. Then I realized that ICI had sponsored a book entitled Risk Analysis7 which described methods of assessing the commercial risks of a project. I therefore introduced the term 'hazard analysis' instead, but other writers often use 'risk analysis'. In an attempt to standardize nomenclature the Institution of Chemical Engineers has published a guide8. It suggests that 'hazard analysis' is used to describe methods of identifying hazards and estimating the probability and consequences of an incident but that it should exclude the crucial final step of deciding what should be done about them (see Chapter 3). The book suggests that what I call hazard analysis (or Hazan) should be called 'risk assessment'. Many writers, particularly in the US, call it 'quantified (or quantitative) risk assessment' (QRA) or 'probabilistic risk assessment' (PRA) and the former term is now used by the UK Health and Safety Executive9. I have nevertheless continued to use 'hazard analysis' in the same sense as I used it in the first edition of this book because the term is still widely used with this meaning, especially in the chemical industry, and because its contraction, Hazan, contrasts conveniently with Hazop. (Hazop and Risk Assessment would not be a good title for this book.) Figure 1.2 (page 6) summarizes the different ways in which the various terms are used. The following are some of the other terms used:

• A hazard is a substance, object or situation that can give rise to injury or damage.
• A risk is the likelihood that an accident or damage of a particular type and severity will occur in a particular period of time or as the result of a particular action or event. It may be expressed as a frequency (the number of occurrences per year or other period of time) or as the probability that it will occur following a particular action or event. For example, if I never carry an


umbrella I estimate that I will get wet 20 times/year; if I go out today without an umbrella I estimate that the probability that I will get wet is 0.3 (30%). Risk is thus a measure of the likelihood of specific consequences. A hazard may be serious but the risk from it may be small. For example, experience over many years shows that in the UK, on average, less than one person per year has been killed by the transport of flammable chemicals. The risk of being killed in this way is therefore small, less than 1 in 60 million per person per year, though the hazard, the potential for damage and injury, is large. Figure 1.3 shows the definition of risk adopted by the European Community for use in risk assessment10.

The consequences of a hazard may be immediate or long-term. Thus fires and explosions and some toxic chemicals such as chlorine produce immediate injuries. Other chemicals such as asbestos produce ill effects only after many years have passed. Ultraviolet radiation produces both immediate effects (sunburn) and long-term effects (skin cancer). Some consequences are deterministic (that is, they always follow exposure) while others are probabilistic (that is, they may or may not follow). For example, if an object is dropped from the top of a structure it will always fall to the ground (deterministic) but the effects are probabilistic. It may kill someone, may cause serious injury, may cause slight injury or may merely cause damage. In the same way, exposure to high concentrations of certain chemicals will always cause injury (though the precise degree of injury will vary). Exposure to low levels may result in cancer, the extent of the exposure determining the probability of contracting the disease rather than its severity. The aim of this book is to help readers manage probabilistic events.

Figure 1.2 Some definitions compared. Steps shown: identification of hazards; estimation of how often; estimation of consequences; comparison with a criterion and a decision on action. Columns shown: Hazard analysis (IChemE); This book; Risk assessment (IChemE). Quantified risk assessment (QRA) and probabilistic risk assessment (PRA) are usually synonyms for 'hazard analysis', as used in this book, but the terms may be widened to include the identification of hazards.

Figure 1.3 The European Community's definition of risk. Risk related to the considered hazard is a function of the severity of the possible harm that can result from the considered hazard and of the probability of occurrence of that harm, the latter depending on the frequency and duration of exposure, the probability of occurrence of the hazardous event, and the possibility of avoiding or limiting the harm.

1.3 Legal requirements

In the UK the law requires all employers to carry out a five-step risk assessment11,12:

(1) Look for the hazards.
(2) Decide who might be harmed and how.
(3) Evaluate the risks.
(4) Record the findings.
(5) Review the assessment from time to time.

In many cases a simple walk round followed by a consideration of the findings may be sufficient for steps (1)–(3) but in other cases a Hazop, perhaps followed by a Hazan, may be necessary. Special regulations apply to major hazards and to offshore installations and a formal hazard identification followed by a quantitative assessment of the risks may be required. Many other countries have similar requirements.

References in Chapter 1

1. Kletz, T.A., 1980, Organisations have no memory, Loss Prevention, 13: 1.
2. Kletz, T.A., 1993, Lessons from Disaster — How Organisations have no Memory and Accidents Recur (Institution of Chemical Engineers, Rugby, UK, and Gulf Publishing Company, Houston, Texas, USA).
3. Caning, N., 1986, Hazop study of BAPCO's FCCU complex, American Petroleum Institute Committee on Safety and Fire Protection Spring Meeting, Denver, Colorado, USA, 8–11 April.
4. Atallah, S. and Guzman, E., 1988, Safety audits in developing countries, Symposium Series No. 110, 35 (Institution of Chemical Engineers, Rugby, UK).
5. Hawksley, J.L., The Safety Practitioner, October 1987, 10.
6. Kletz, T.A., 1971, Hazard analysis — a quantitative approach to safety, Symposium Series 75 (Institution of Chemical Engineers, Rugby, UK).
7. Imperial Chemical Industries Ltd, 1968, Assessing Projects: Book 5, Risk Analysis (Methuen, London, UK).
8. Jones, D.A. (ed), 1992, Nomenclature for Hazard and Risk Assessment in the Process Industries, 2nd edition (Institution of Chemical Engineers, Rugby, UK).
9. Health and Safety Executive, 1989, Quantified Risk Assessment: Its Input to Decision Making (HMSO, London, UK).
10. European Community, 1996, EN 1050: Safety of Machinery — Principles for Risk Assessment, quoted by Bauer, C-O., 1998, Technology, Law and Insurance, 3(1): 63.
11. Health and Safety Executive, 1997, 5 Steps to Risk Assessment (HSE Books, Sudbury, UK).
12. Health and Safety Executive, 1998, 5 Steps to Risk Assessment — Case Studies (HSE Books, Sudbury, UK).


2 Hazard and operability studies (Hazop)

'Since the destruction of the Temple, the gift of prophecy has been denied to prophets and bestowed upon scholars.' Rabbi Eudemus of Haifa

'There is a way of going about one's work in chemical engineering more certain and less expensive than the time-honoured process of trial and error.' George E. Davis34

2.1 What is a Hazop?

As I explained in Chapter 1, a hazard and operability study is the method recommended for identifying hazards and problems which prevent efficient operation. In what follows the technique is described as it would be applied to a continuous plant. Modifications of the technique, so that it can be applied to batch plants, are described only briefly (in Section 2.1.1, page 16). References 1 and 2 give more detail.

Hazop is a technique which provides opportunities for people to let their imaginations go free and think of all possible ways in which hazards or operating problems might arise, but — to reduce the chance that something is missed — it is done in a systematic way, and each pipeline and each sort of hazard is considered in turn. The study is carried out by a team so that the members can stimulate each other and build upon each other's ideas.

A pipeline for this purpose is one joining two main plant items — for example, we might start with the line leading from the feed tank through the feed pump to the first feed heater. A series of guide words are applied to this line in turn. The words are:

NONE
MORE OF
LESS OF
PART OF
MORE THAN (or AS WELL AS)
OTHER THAN


NONE, for example, means no forward flow or reverse flow when there should be forward flow. We ask:

• Could there be no flow?
• If so, how could it arise?
• What are the consequences of no flow?
• Are the consequences hazardous or do they prevent efficient operation?
• If so, can we prevent no flow (or protect against the consequences) by changing the design or method of operation?
• If so, does the size of the hazard or problem (that is, the severity of the consequences multiplied by the probability of occurrence) justify the extra expense?

The same questions are then applied to 'reverse flow' and we then move on to the next guide word, MORE OF. Could there be 'more flow' than design? If so, how could it arise? And so on. The same questions are asked about 'more pressure' and 'more temperature' and, if they are important, about other parameters such as 'more radioactivity' or 'more viscosity'. Table 2.1 summarizes the meanings of the guide words while Figure 2.1 summarizes the whole process.



Table 2.1 Deviations generated by each guide word

Guide word   Deviations
NONE         No forward flow when there should be, ie, no flow or reverse flow
MORE OF      More of any relevant physical property than there should be, eg, higher flow (rate or total quantity), higher temperature, higher pressure, higher viscosity, etc
LESS OF      Less of any relevant physical property than there should be, eg, lower flow (rate or total quantity), lower temperature, lower pressure, etc
PART OF      Composition of system different from what it should be — eg, change in ratio of components, component missing, etc
MORE THAN    More components present in the system than there should be — eg, extra phase present (vapour, solid), impurities (air, water, acids, corrosion products), etc
OTHER THAN   What else can happen apart from normal operation — eg, start-up, shutdown, uprating, low rate running, alternative operation mode, failure of plant services, maintenance, catalyst change, etc
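The following Python sketch is an added example, my own code and not the book's or IChemE's, showing how the guide words of Table 2.1 are applied mechanically to one line and how the team's answers to the questions of Section 2.1 are recorded. The line (the feed tank to first feed heater example above), its parameters, and every cause, consequence, action, severity and probability rating are constructed for illustration; the ordinal 0–3 scales and the threshold are assumptions, not figures from the book. The point it demonstrates beyond the text is the systematic check: a row left blank shows the team skipped a guide word.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Guide words as given in Section 2.1 and Table 2.1. NONE is applied to flow;
# MORE OF and LESS OF are applied to each physical property the team judges
# relevant to the line; the last three concern the composition of the stream
# and the mode of operation rather than a single property.
COMPOSITION_GUIDE_WORDS = (
    ("PART OF", "composition different from design"),
    ("MORE THAN", "extra components present"),
    ("OTHER THAN", "other than normal operation"),
)


@dataclass
class Line:
    """One pipeline joining two main plant items (hypothetical names)."""
    name: str
    parameters: Tuple[str, ...] = ("flow", "pressure", "temperature")


@dataclass
class Deviation:
    """One worksheet row: a deviation and the team's answers to the questions."""
    guide_word: str
    deviation: str
    cause: str = ""
    consequence: str = ""
    action: str = ""
    severity: int = 0     # assumed ordinal scale, 0 = none ... 3 = major
    probability: int = 0  # assumed ordinal scale, 0 = negligible ... 3 = frequent

    @property
    def reviewed(self) -> bool:
        # A row has been considered once a consequence is written down,
        # even if that consequence is "none"; a blank row was skipped.
        return bool(self.consequence)

    def size_of_hazard(self) -> int:
        # Severity of the consequences multiplied by the probability of
        # occurrence, the quantity the text uses to weigh the extra expense.
        return self.severity * self.probability


def deviations_for(line: Line) -> List[Deviation]:
    """Enumerate every deviation the guide words generate for one line."""
    rows = [Deviation("NONE", "no flow"), Deviation("NONE", "reverse flow")]
    for guide_word, prefix in (("MORE OF", "more"), ("LESS OF", "less")):
        rows.extend(Deviation(guide_word, f"{prefix} {p}") for p in line.parameters)
    rows.extend(Deviation(gw, dev) for gw, dev in COMPOSITION_GUIDE_WORDS)
    return rows


def record(rows, deviation, cause, consequence, action="", severity=0, probability=0):
    """Write the team's answers into the row for `deviation`."""
    for row in rows:
        if row.deviation == deviation:
            row.cause, row.consequence, row.action = cause, consequence, action
            row.severity, row.probability = severity, probability
            return row
    raise KeyError(f"{deviation!r} is not a deviation of this line")


def unreviewed(rows) -> List[str]:
    """Deviations still blank: the check that no guide word was skipped."""
    return [r.deviation for r in rows if not r.reviewed]


def actions_justified(rows, threshold: int) -> List[Tuple[str, str]]:
    """Proposed actions whose size of hazard reaches the team's threshold."""
    return [(r.deviation, r.action) for r in rows
            if r.action and r.size_of_hazard() >= threshold]


def worked_feed_line() -> List[Deviation]:
    """Constructed worksheet for the feed line mentioned in Section 2.1."""
    rows = deviations_for(Line("feed tank -> feed pump -> first feed heater"))
    # Causes follow the two categories the chapter insists on: failure of
    # automatic equipment and human error. Every entry below is made up.
    record(rows, "no flow", "pump trips, or suction valve left closed",
           "heater tubes run dry and overheat", "low-flow trip on heater", 3, 2)
    record(rows, "reverse flow", "pump stops with discharge valve open",
           "heater contents back into feed tank", "non-return valve on discharge", 2, 2)
    record(rows, "more flow", "control valve fails open",
           "heater outlet temperature low; off-spec feed", "", 1, 2)
    record(rows, "more pressure", "discharge valve shut against running pump",
           "none: line rated above pump shut-off head", "", 0, 2)
    record(rows, "more temperature", "feed tank contents warmer than design",
           "none within heater turndown", "", 0, 1)
    record(rows, "less flow", "partly blocked strainer",
           "as no flow but slower", "", 2, 2)
    record(rows, "less pressure", "low level in feed tank",
           "pump cavitates", "low-level alarm on feed tank", 1, 2)
    record(rows, "composition different from design", "wrong grade charged to feed tank",
           "off-spec product", "sample before transfer", 1, 1)
    record(rows, "extra components present", "water layer in feed tank",
           "water carried into heater", "", 1, 1)
    # "less temperature" and OTHER THAN are deliberately left blank to show the check.
    return rows


if __name__ == "__main__":
    sheet = worked_feed_line()
    for row in sheet:
        print(f"{row.guide_word:10} {row.deviation:35} size={row.size_of_hazard()}")
    print("not yet considered:", unreviewed(sheet))
    print("actions justified at threshold 4:", actions_justified(sheet, 4))
```

Run as a script it prints the eleven rows the six guide words generate for a line with three parameters, reports the two deviations the team has not yet considered, and lists the two actions whose size of hazard reaches the threshold. Ranking by severity times probability is only the coarse screen the text describes for deciding whether extra expense is justified; the small number of items that pass it are the ones that go on to a Hazan.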


HAZARD AND OPERABILITY STUDIES (HAZOP)

Figure 2.1 Hazopprocedure


When all the lines leading into a vessel have been studied, the guide word OTHER THAN is applied to the vessel. It is not essential to apply the other guide words to this item as any problems should come to light when the inlet and exit lines are studied. However, to reduce the chance that something is missed, the guide words should be applied to any operation carried out in the vessel. For example, if settling takes place we ask if it is possible to have no settling, reverse settling (that is, mixing), more settling or less settling, and similarly for stirring, heating, cooling and any other operations (see Section 2.8.4, page 50). Some team leaders use 'Relief' as a backup guide word (see Section 2.11, page 54). Pay special attention to intermediate storage vessels. As a rule, no change is supposed to take place there except emptying or filling but changes in temperature or composition may take place, particularly when the contents are allowed to stand for longer than usual (Reference 3).

Always consider the failure of automatic equipment as a possible cause of the deviations. For example, no flow may be due to a trip or controller failing to open a valve or closing it at the wrong time. Human error should also always be considered as a possible cause of the deviations. Thus no flow may be due to someone failing to open a valve. This can occur for a number of reasons:

• The operator may not have known that the valve should have been opened; the intention was wrong. We may have to improve training and instructions or simplify the job.
• The operator may have decided that it was unnecessary to open the valve at that time or that other tasks were more urgent. We may have to explain the reasons for instructions and make sure they are followed.
• The valve may have been too stiff or out of reach.
• Most likely of all, there may have been a slip or lapse of attention; the intention was correct but was not fulfilled. Everyone has slips and lapses of attention from time to time and they cannot be prevented, though various actions may make them less likely. If the consequences are serious we should remove or reduce the opportunities for error by changing the design or method of working (or protect people from the consequences or make recovery possible). (See Sections 3.7 and 4.7 on pages 130 and 162 and Reference 36.)

The Hazop also provides an opportunity to check that a number of detailed points have been considered during design. The team should ask:

• What types of gasket have been used? Should spiral wound ones be used? Has the number of types been kept to a minimum? (The more types we use, the greater the chance that the wrong sort will be used.)
• Has the number of types of nuts and bolts been kept to a minimum?
• Are the valves used of a type, such as rising spindle valves, whose position can be seen at a glance?
• If ball valves or cocks are used, can the handles be fitted in the wrong position?
• Are spectacle plates installed whenever regular slip-plating (blinding) of a joint (for maintenance or to prevent contamination) is foreseen?

Access is normally considered later in design, when a model of the plant (real or on computer) is available, but the Hazop team should note any points that need special attention, for example, valves that will have to be operated frequently or in an emergency, and should therefore be easy to reach.

Ozog (Reference 17) describes a variation of the normal Hazop procedure in which the guide words are applied to equipment (including pumps) instead of lines.

Start-up, shutdown and other abnormal conditions such as catalyst regeneration should be considered during Hazop as well as normal operation.

Table 2.2 (pages 14—15) describes in detail the results of a Hazop on the part of the design shown in Figure 2.2. More details are given in Section 2.5, page 34. The procedure will become clearer as you go through each item in the table in turn. To get the most out of Table 2.2, display Figure 2.2 (pages 16-17) on a screen in front of the team, or give copies to each member, and ask everyone to carry out a Hazop on it, with the discussion leader acting as team leader. The results can then be compared with those in Table 2.2. However, do not consider Table 2.2 to be the correct answer. Those taking part in the discussion may feel that the authors of Table 2.2 went too far, or did not go far enough, and they could be right. Table 2.2 was based on a real study of an actual design. It is not a synthetic exercise, but it is written up in more detail than essential in a real life situation.

The use of Hazop is widespread and in the oil and chemical industries most companies now say that all new designs are Hazoped or examined in a similar way. However, because of the work involved many old plants have never been Hazoped. If they have been extensively modified, as most have, then a Hazop is well worth while. On an old refinery 17 Hazops over seven years resulted in over 500 actions (Reference 37).

Table 2.2 Results of Hazop of proposed olefin dimerization unit: line section from intermediate storage to buffer/settling tank (From Reference 5. Reproduced with permission of the American Institute of Chemical Engineers and Dr H.G. Lawley. Copyright © 1974 AIChE. All rights reserved.)

Columns: Guide word / Deviation / Possible causes / Consequences / Action required

NONE / No flow
(1) No hydrocarbon available at intermediate storage
Consequences: Loss of feed to reaction section and reduced output. Polymer formed in heat exchanger under no flow conditions.
Action required: (a) Ensure good communications with intermediate storage operator. (b) Install low level alarm on settling tank LIC.

(2) J1 pump fails (motor fault, loss of drive, impeller corroded away, etc)
Consequences: As for (1)
Action required: Covered by (b)

(3) Line blockage, isolation valve closed in error, or LCV fails shut
Consequences: As for (1). J1 pump overheats
Action required: Covered by (b). (c) Install kickback on J1 pumps. (d) Check design of J1 pump strainers

(4) Line fracture
Consequences: As for (1). Hydrocarbon discharged into area adjacent to public highway
Action required: Covered by (b). (e) Institute regular patrolling and inspection of transfer line

MORE OF / More flow
(5) LCV fails open or LCV bypass open in error
Consequences: Settling tank overfills. Incomplete separation of water phase in tank, leading to problems on reaction section
Action required: (f) Install high level alarm on LIC and check sizing of relief opposite liquid overfilling. (g) Institute locking off procedure for LCV bypass when not in use. (h) Extend J2 pump suction line to 12" above tank base

MORE OF / More pressure
(6) Isolation valve closed in error or LCV closes, with J1 pump running
Consequences: Transfer line subjected to full pump delivery or surge pressure
Action required: (j) Covered by (c) except when kickback blocked or isolated. Check line, FQ and flange ratings and reduce stroking speed of LCV if necessary. Install a PG upstream of LCV and an independent PG on settling tank.

(7) Thermal expansion in an isolated valved section due to fire or strong sunlight
Consequences: Line fracture or flange leak
Action required: (k) Install thermal expansion relief on valved section (relief discharge route to be decided later in study)

MORE OF / More temperature
(8) High intermediate storage temperature
Consequences: Higher pressure in transfer line and settling tank
Action required: (l) Check whether there is adequate warning of high temperature at intermediate storage. If not, install.

LESS OF / Less flow
(9) Leaking flange or valved stub not blanked and leaking
Consequences: Material loss adjacent to public highway
Action required: Covered by (e) and the checks in (j)

LESS OF / Less temperature
(10) Winter conditions
Consequences: Water sump and drain line freeze up
Action required: (m) Lag water sump down to drain valve and steam trace drain valve and drain line downstream

PART OF / High water concentration in stream
(11) High water level in intermediate storage tank
Consequences: Water sump fills up more quickly. Increased chance of water phase passing to reaction section.
Action required: (n) Arrange for frequent draining off of water from intermediate storage tank. Install high interface level alarm on sump.

PART OF / High concentration of lower alkanes or alkenes in stream
(12) Disturbance on distillation columns upstream of intermediate storage
Consequences: Higher system pressure
Action required: (p) Check that design of settling tank and associated pipework, including relief valve sizing, will cope with sudden ingress of more volatile hydrocarbons

MORE THAN / Organic acids present
(13) As for (12)
Consequences: Increased rate of corrosion of tank base, sump and drain line
Action required: (q) Check suitability of materials of construction

OTHER / Maintenance
(14) Equipment failure, flange leak, etc
Consequences: Line cannot be completely drained or purged
Action required: (r) Install low-point drain and purge point downstream of LCV. Also N2 vent on settling tank.

Figure 2.2 Feed section of proposed olefin dimerization plant (diagram; labels on it: 1/2 mile line section; J1 transfer pumps (one working, one spare); hydrocarbon from intermediate storage; to drain; drain and N2 purge; from reactor; to after-cooler; 200°C 260 psig; 20°C 300 psig; 160°C 290 psig)

2.1.1 Batch processes

In studying a batch plant it is necessary to apply the guide words to the instructions as well as to the pipelines. For example, if an instruction states that 1 tonne of A has to be charged to a reactor, the team should consider deviations such as:

DON'T CHARGE A
CHARGE MORE A
CHARGE LESS A
CHARGE AS WELL AS A
CHARGE PART OF A (if A is a mixture)
CHARGE OTHER THAN A
REVERSE CHARGE A (that is, can flow occur from the reactor to the A container?) This can be the most serious deviation (see Section A2.1, page 61)
A IS ADDED EARLY
A IS ADDED LATE
A IS ADDED TOO QUICKLY
A IS ADDED TOO SLOWLY

The writing of operating instructions is often left until design is complete and construction is well advanced. If the Hazop is left until then any changes to the equipment may be difficult and expensive. The instructions for batch processes should be written early.


Delay in adding reactants or carrying out subsequent operations can have serious results. For example, the explosion at Seveso in 1976 (Reference 18) occurred because a reactor was left to stand for the weekend part way through a batch. Reference 19 describes another example. As in the Hazop of a continuous plant, we should also ask what will happen if temperature or pressure (or any other parameter of importance) deviates from the design intention. There are further details in References 1 and 2.

Rushton (Reference 38) has suggested making a cup of tea as an exercise in the Hazop of a batch process. Table 2.3 shows the 'operating instructions' from a packet of 'one-cup' tea bags and a few of the points that might come out of a Hazop. It is easy for a team without practical experience to come to the conclusion that the process is so hazardous and the result so uncertain that the task should not be attempted.

The fourth deviation ('Temperature') will be familiar to anyone who has ordered tea in an American hotel. The second deviation ('No understanding') is not fanciful. Immigrant workers do not always understand instructions and misunderstandings have occurred between air traffic controllers and air crew. In one case a controller told a pilot to 'pull up' but he did not know that this meant 'increase altitude'. The result was an accident. In another case departure of an aircraft was held up because a member of the cabin crew reported that the emergency lights were out. They were, in fact, illuminated but the speaker had heard the phrase 'the sun is out' and so reported that the lights were out (Reference 38).

Batch-type operations that are carried out on a continuous plant — for example, conditioning equipment or catalyst change — should be studied in a similar way by listing the sequence of operations and applying the guide words to each step.

Table 2.3 Some results of a Hazop of a batch process: making a cup of tea
The instructions studied (from a packet of one-cup tea bags) are given below. Note that some instructions are implied — for example, put water in kettle. For more detailed instructions see British Standard 6008 and ISO 3103.

Instructions studied:
1 Use only fresh water (do not reboil water)
2 Use one tea bag per cup
3 Pour water onto tea as soon as it has boiled
4 Stir immediately
5 Leave for 3—5 minutes depending on strength preferred
6 Press the bag against the side of the cup with a spoon and remove

Columns: Step / Guide word / Deviation / Possible causes / Consequences / Action required

Step 1 / NONE / No water collected in kettle
Possible causes: 1 No water supply; 2 Tap fails closed
Consequences: No tea
Action required: a Keep bottled water for use in emergency

All / NONE / No understanding
Possible causes: 3 Operator does not understand English
Consequences: No tea or poor tea
Action required: b Print instructions in other languages

Step 1 / MORE OF / Too much water in kettle
Possible causes: 4 Tap fails open or is left open for too long
Consequences: Spillage while filling. Overflow due to expansion on heating
Action required: c Fill over sink. d Use kettle with external level indicator and train operator to check level before heating

Step 3 / LESS OF / Temperature
Possible causes: 5 Water is below boiling point
Consequences: Tea is too weak
Action required: e Train operator to check that water is boiling. f Avoid tea in American hotels

Step 5 / TOO LATE / Tea bag left in cup for too long
Possible causes: 6 Distraction
Consequences: Tea is too strong
Action required: g Use timer

Step 6 / MORE OF / Pressure
Possible causes: 7 Tea bag pressed too hard against side of cup
Consequences: Spillage
Action required: h Train operator to steady cup with other hand
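To make the step-by-step application of guide words concrete, here is an added Python example (not code from the book) that generates the deviation prompts of Section 2.1.1 for each instruction in Table 2.3 and reports which step/guide-word pairs a worksheet has not yet recorded; the prompt templates, data classes and function names are this example's own, and the guide word names follow Table 2.3.

```python
"""Apply the batch-process guide words of Section 2.1.1 to a list of operating
instructions and check a Hazop worksheet for deviations nobody considered.

Added example, not code from the book: the guide words and the tea-making
instructions come from the text; the prompt templates, data classes and
function names are this example's own.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

# One prompt template per guide word; {action} is replaced by the instruction.
# The list follows the 'charge 1 tonne of A' deviations of Section 2.1.1, with
# the guide word names used in Table 2.3.
BATCH_GUIDE_WORDS = {
    "NONE": "Don't {action}",
    "MORE OF": "{action}: more than intended",
    "LESS OF": "{action}: less than intended",
    "AS WELL AS": "{action}, and something else happens as well",
    "PART OF": "{action}: only part of it (if a mixture is involved)",
    "OTHER THAN": "{action}: something other than intended is done",
    "REVERSE": "Reverse of '{action}' (can it happen backwards, eg flow back to the source?)",
    "TOO EARLY": "{action} too early in the sequence",
    "TOO LATE": "{action} too late in the sequence",
    "TOO QUICKLY": "{action} too quickly",
    "TOO SLOWLY": "{action} too slowly",
}


@dataclass
class Step:
    number: int
    instruction: str


@dataclass
class Entry:
    """One row of a worksheet such as Table 2.3."""
    step: Union[int, str]  # step number, or "All" when the deviation applies to every step
    guide_word: str
    deviation: str
    cause: str
    consequence: str
    action: str


# The six instructions studied in Table 2.3 (from a packet of one-cup tea bags).
TEA_STEPS = [
    Step(1, "Use only fresh water (do not reboil water)"),
    Step(2, "Use one tea bag per cup"),
    Step(3, "Pour water onto tea as soon as it has boiled"),
    Step(4, "Stir immediately"),
    Step(5, "Leave for 3-5 minutes depending on strength preferred"),
    Step(6, "Press the bag against the side of the cup with a spoon and remove"),
]

# The rows actually recorded in Table 2.3 (wording condensed).
TEA_ENTRIES = [
    Entry(1, "NONE", "No water collected in kettle", "No water supply; tap fails closed",
          "No tea", "Keep bottled water for use in emergency"),
    Entry("All", "NONE", "No understanding", "Operator does not understand English",
          "No tea or poor tea", "Print instructions in other languages"),
    Entry(1, "MORE OF", "Too much water in kettle", "Tap fails open or is left open too long",
          "Spillage while filling; overflow on heating", "Fill over sink; kettle with level indicator"),
    Entry(3, "LESS OF", "Temperature", "Water is below boiling point", "Tea is too weak",
          "Train operator to check that water is boiling"),
    Entry(5, "TOO LATE", "Tea bag left in cup for too long", "Distraction", "Tea is too strong", "Use timer"),
    Entry(6, "MORE OF", "Pressure", "Tea bag pressed too hard against side of cup", "Spillage",
          "Train operator to steady cup with other hand"),
]


def deviation_prompts(steps: List[Step]) -> List[Tuple[int, str, str]]:
    """Every (step number, guide word, prompt) the team should work through, in step order."""
    return [
        (s.number, gw, template.format(action=s.instruction))
        for s in steps
        for gw, template in BATCH_GUIDE_WORDS.items()
    ]


def unconsidered(steps: List[Step], entries: List[Entry]) -> List[Tuple[int, str]]:
    """Step/guide-word pairs with no worksheet entry.

    A pair counts as considered only if an entry records it, either for that step or
    as an "All" entry for that guide word. Pairs the team looked at and dismissed should
    therefore be recorded too (even as 'no hazard') so that they do not show up here.
    """
    covered = set()
    for e in entries:
        if e.guide_word not in BATCH_GUIDE_WORDS:
            raise ValueError(f"unknown guide word in worksheet: {e.guide_word!r}")
        if e.step == "All":
            covered.update((s.number, e.guide_word) for s in steps)
        else:
            covered.add((e.step, e.guide_word))
    return [(n, gw) for n, gw, _ in deviation_prompts(steps) if (n, gw) not in covered]


if __name__ == "__main__":
    for number, gw, prompt in deviation_prompts(TEA_STEPS)[:11]:  # prompts for step 1
        print(f"step {number:<2} {gw:<12} {prompt}")
    missing = unconsidered(TEA_STEPS, TEA_ENTRIES)
    print(f"\n{len(missing)} of {len(deviation_prompts(TEA_STEPS))} deviations not yet recorded")
```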

On computer-controlled plants the instructions to the computer (the applications software) should be studied as well as the line diagrams. For example, if the computer is instructed to take a certain action when a temperature rises, the team considers the possible consequences of this action as well as the consequences of the computer failing to take action. On a batch plant the consequences may be different at each stage of the batch. On a continuous plant the consequences may be different during start-up, shutdown, catalyst regeneration, and so on. The appendix to this chapter (see Section A2.6, page 65) describes a dangerous incident that occurred because the design and operating teams assumed that the computer would always take care of alarm situations and did not consider in detail the consequences of each action at each stage.

2.2 Who carries out a Hazop, and what should be recorded?

A Hazop is carried out by a team. For a new design the usual team is as follows:

Project or design engineer
Usually a mechanical engineer and, at this stage of the project, the person responsible for keeping the costs within the sum sanctioned. The project engineer wants to minimize changes but at the same time find out now rather than later if there are any unknown hazards or operating problems.

Process engineer
Usually the chemical engineer who drew up the flowsheet.

Commissioning manager
Usually a chemical engineer, the commissioning manager will have to start up and operate the plant and is therefore inclined to press for any changes that will make life easier.

Control system design engineer
Modern plants contain sophisticated control and trip systems and Hazops often result in the addition of yet more instrumentation.

Research chemist
If new chemistry is involved.

Independent team leader
An expert in the Hazop technique, not the plant. The job of the team leader is to ensure that the team follows the procedure. To be a successful team leader you need to be skilled in leading a team of people who are not responsible to you, and be the sort of person who pays meticulous attention to detail. It is easy to underestimate the ability required. It is not a job that anyone can do. The team leader may also supply the safety department's view on the points discussed. If not, a representative from this department should be present.

The team as a whole should have a wide range of knowledge and experience (see Section A2.10, page 72). If the plant has been designed by a contractor, the Hazop team should contain people from both the contractor and client organizations, and certain functions may have to be duplicated. On a computer-controlled plant, particularly a computer-controlled batch plant, the software engineer should be a member of the Hazop team, which should include at least one other person who understands the computer logic. If the team does not include such a person, a dialogue is impossible and the team cannot be sure that the software engineer understands the process and has met the design requirements. See Section A2.6, page 65.

While the team members have a common objective (a safe and operable plant), the constraints on them are different. The plant designers, especially the design engineer responsible for costs, want to keep the costs down. The commissioning manager wants an easy start-up. This conflict of interests ensures that the pros and cons of each proposal are thoroughly explored before an agreed decision is reached. However, if the design engineer has a much stronger personality than the other members, the team may stray too far towards economy. Other teams may err the other way. The team leader tries to correct any imbalance. To quote Sir John Harvey-Jones, 'In industry the optimal level of conflict is not zero' (Reference 20). If the team cannot agree, the team leader should suggest that the point is considered outside the meeting. Sometimes a decision is postponed while expert advice is sought (for example, from a materials expert) or even while research is carried out. Sometimes a decision is postponed so that a quantitative estimate of the hazard can be made, using the methods described in Chapter 3. Sometimes a quick, quantitative estimate can be made during the meeting (see Section 2.9, page 50).


Normally people's views converge towards agreement. If views are getting further apart and members of the team are starting to dig their heels in, the team leader should suggest that the discussion on the point at issue is postponed and that someone prepares a note on the pros and cons of various possible courses of action, which can be circulated to all concerned.

If an existing plant is being studied then the team should include several people with experience of the plant. A typical team is:

Plant manager
Responsible for plant operation. (Note for US readers: in the UK the term 'plant manager' describes someone who would be known as a supervisor or superintendent in most US companies.)

Process foreman
The foreman knows what actually happens rather than what is supposed to happen.

Plant engineer
Responsible for mechanical maintenance, the plant engineer knows many of the faults that occur.

Control engineer
Responsible for instrument maintenance (including testing of alarms and trips), as well as the installation of new instruments.

Process investigation manager
Responsible for investigating technical problems and for transferring laboratory results to plant-scale operations.

Independent team leader

If an existing plant is being modified or extended, the team should consist of a combination of those described, but do not let the team get too big as it holds up progress. Six or seven people are usually enough.

Hazop teams, apart from the team leader, do not require much training. They can pick up the techniques as they go along. If anyone is present for the first time, the team leader should start with 10 minutes of explanation. However, if possible, new team members should attend a half-day lecture and discussion based on this chapter. The Institution of Chemical Engineers can supply a training package (Reference 33). The team leader should, however, start the discussion of each line or plant item by explaining, or asking someone to explain, its purpose.


It might be thought that membership of a Hazop team is 'the proper toil of artless industry, a task that requires neither the light of learning, nor the activity of genius, but may be successfully performed without any higher quality than that of bearing burthens with dull patience and ... sluggish resolution', to quote Dr Johnson (Reference 21). This is not the case. The best team members are creative and uninhibited people who can think of new and original ways for things to go wrong and are not too shy to suggest them. In a Hazop, do not hesitate to suggest impossibly crazy deviations, causes, consequences or solutions as they may lead other people to think of similar but possible deviations, etc. Zetlin writes, 'I look at everything and try to imagine disaster. I am always scared. Imagination and fear are among the best engineering tools for preventing tragedy'.

Another feature of good team members is a mental ragbag of bits and pieces of knowledge that they have built up over the years. Such people may be able to recall that a situation similar to that under discussion caused an incident elsewhere. They need not remember the details so long as they can alert the team to possibilities that should be considered and perhaps investigated further. For an example, see Section A2.7, page 67.

Note that the team members, except for the team leader, are experts on the process. They will, by this stage, have been immersed in it for between one and two years. Hazop is not a technique for bringing fresh minds to work on a problem. It is a technique for allowing those expert in the process to bring their knowledge and experience to bear systematically, so that problems are less likely to be missed. The complexity of modern plants makes it difficult or impossible to see what might go wrong unless we go through the design systematically. Few accidents occur because the design team members lack knowledge; most errors in design occur because they fail to apply their knowledge. Hazop gives them an opportunity to go through the design line by line, deviation by deviation, to see what they have missed.

The team should have the authority to agree most changes there and then. Progress is slow if every change has to be referred to someone who is not present. The team members should try to avoid sending deputies. They lack the knowledge of previous meetings and might not have the authority to approve changes: as a result progress is held up. Some people have told me that this is impracticable in their companies as all changes have to be approved at a high level. This does not matter so long as the team members feel confident that most of their recommendations will be accepted without argument. However, if the discussions in the Hazop meetings have to be gone through again, time is wasted. In addition, the team may be tempted to add some fat so that the boss


has something to remove. But he may not know the fat from the meat.

I have known some people say that the job of the Hazop team is to identify problems and that finding solutions should be left to the project team. If the Hazop team is made up as I have suggested, experience shows that it can find solutions to most problems, without the need for another meeting with many of the same people present. However, some problems may have to be left until expert advice has been obtained.

The team leader often acts as secretary as well as safety department representative. He writes up his notes after the meeting and circulates them before the next meeting. As already stated, it is not necessary to write them up in the degree of detail shown in Table 2.2 (pages 14—15). Figure 2.3 shows a suggested form for the first few actions agreed in Table 2.2. However, the tendency today is to write up the notes in more detail than in the past, in the style of Table 2.2 rather than that of Figure 2.3, so that the company can demonstrate, if necessary, that it has done everything reasonably possible to identify the hazards. Some companies consider that all Hazops should be written up in great detail. If the design is queried in the future, the Hazop records can be consulted. There is some force in the argument but the extra work is considerable and, in practice, most Hazop reports are rarely, if ever, consulted once the plant is on line.

A number of computer programs are now available for recording the results of Hazop studies as they arise. Copies of the actions agreed and the reasons for them are available immediately after the meeting, without rewriting or retyping. The display can be projected onto a large screen, so that all the team members can see it and can confirm that they agree with the decisions. The programs also remind the team of the deviations to be considered and their usual causes.
A survey in 1995 in the UK showed that about half the companies questioned were using computerized recording and the number is growing. Table 2.4 (page 26) shows some of the factors to be considered when choosing a program. Turney (Reference 32) says that these programs produce more effective meetings, more accurate action lists (and thus quicker action) and fewer misunderstandings (see also Section 2.6, page 37).

A few weeks after the Hazop the team leader should call the team together, check on progress made and recirculate the report form (Figure 2.3) with the 'Follow-up' column completed.

Although Hazop is a valuable technique, no-one jumps out of bed on a Monday morning shouting, 'Hooray! I've got a Hazop today!'. The need to consider every deviation on every line can become tedious. Beware of making it more so by bureaucratic procedures such as insisting on excessive recording or discussing everything twice (or three times) — in the Hazop meeting and afterwards with the boss or the project team. There is a net loss if in our eagerness to document everything and explain it to everybody we discover less information worth documenting. If Hazop and similar systems are not acceptable to creative minds, they will never succeed.

Figure 2.3 Hazard and operability study action report

Study title: OLEFIN DIMERIZATION UNIT
Prepared by: Independent Team Leader (IC)
Study team: Design Engineer (DE), Process Engineer (PE), Commissioning Manager (CM), Instrument Design Engineer (IDE), Research Chemist (RC), Independent Team Leader (IC)
Project No: / Sheet 1 of: / Line Diagram Nos: / Date:

Columns: Study ref. no. / Operating deviation / Action notes and queries / Action by / Follow-up review comments

1 / No flow / Ensure good communications with intermediate storage / CM
2 / / Install low level alarm on settling tank LIC / IDE
3 / / Install kick-back on J1 pumps / DE
4 / / Check design of J1 pump strainers / DE
5 / / Institute regular patrolling and inspection of transfer line / CM
6 / More flow / Install high level alarm on LIC / IDE
7 / / Check sizing of relief valve opposite liquid overfilling / PE
8 / / Institute locking off procedure for LIC bypass when not in use / CM
9 / / Extend J2 pump suction line to 12" above tank base / DE

Table 2.4 Some factors to be considered when choosing a program for recording the results of Hazops (Based in part on a list issued by the Safety and Loss Prevention Subject Group of the Institution of Chemical Engineers, January 1998)

• Is it simple to use? How much training is required?
• Is it well-proven?
• What are the initial and ongoing costs?
• What is the availability and quality of support?
• Are updates available?
• Is it compatible with other programs (including e-mail and internet)?
• What other studies are included? (eg, FMEA, see Section 2.12 on page 56)
• Can it be customized? (eg, can additional columns be added to indicate items which have to be reported to internal or external authorities?)
• Does it include a comprehensive list of prompts?
• How does it monitor actions and changes?
• How are data on failure rates included? (for use in ranking probabilities)
• Can it be linked to accident databases?
• Does it have a spell-check facility?
• Is it possible to carry out a free text search of reports?
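As an added example of the computerized recording discussed in this section (not the book's code, nor any of the programs surveyed), the following Python keeps Table 2.2-style records, checks that every cause is either actioned or covered by an action that was actually recorded, and produces the action report rows of Figure 2.3 grouped for the follow-up meeting; the classes and function names are this example's own and the data are the first five causes of Table 2.2.

```python
"""Record Hazop results in the style of Table 2.2 and produce the action report
of Figure 2.3.

Added example: not the book's program nor any package Section 2.2 surveys.
A cause must carry its own actions or refer to actions recorded under another
cause ('Covered by (b)'); unresolved() flags causes that do neither, or that
refer to a label nobody recorded. Data: the first five causes of Table 2.2,
with 'Action by' initials as in Figure 2.3 (action (f) combines two of its rows).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Action:
    label: str           # (a), (b), ... as in Table 2.2
    text: str
    owner: str           # initials of the team member responsible (Figure 2.3)
    follow_up: str = ""  # filled in when the team reconvenes a few weeks later


@dataclass
class Cause:
    number: int
    guide_word: str
    deviation: str
    cause: str
    consequences: str
    actions: List[Action] = field(default_factory=list)
    covered_by: List[str] = field(default_factory=list)  # labels recorded under other causes


class HazopRecord:
    def __init__(self, study_title: str):
        self.title = study_title
        self.causes: List[Cause] = []

    def add(self, cause: Cause) -> None:
        self.causes.append(cause)

    def actions(self) -> List[Action]:
        return [a for c in self.causes for a in c.actions]

    def unresolved(self) -> List[int]:
        """Numbers of causes with neither an action nor a valid 'covered by' reference."""
        known = {a.label for a in self.actions()}
        bad = []
        for c in self.causes:
            dangling = [lbl for lbl in c.covered_by if lbl not in known]
            if dangling or not (c.actions or c.covered_by):
                bad.append(c.number)
        return bad

    def action_report(self) -> List[Tuple[int, str, str, str, str]]:
        """Rows of the Figure 2.3 form: (ref no, deviation, action, action by, follow-up).
        As on the printed form, the deviation is written only against its first action."""
        rows: List[Tuple[int, str, str, str, str]] = []
        last_deviation = None
        for c in self.causes:
            for a in c.actions:
                shown = c.deviation if c.deviation != last_deviation else ""
                last_deviation = c.deviation
                rows.append((len(rows) + 1, shown, a.text, a.owner, a.follow_up))
        return rows

    def actions_by_owner(self) -> Dict[str, List[str]]:
        """Labels each team member must report on at the follow-up meeting."""
        by_owner: Dict[str, List[str]] = {}
        for a in self.actions():
            by_owner.setdefault(a.owner, []).append(a.label)
        return by_owner


def table_2_2_subset() -> HazopRecord:
    rec = HazopRecord("OLEFIN DIMERIZATION UNIT")
    rec.add(Cause(1, "NONE", "No flow", "No hydrocarbon available at intermediate storage",
                  "Loss of feed to reaction section and reduced output. "
                  "Polymer formed in heat exchanger under no flow conditions",
                  [Action("(a)", "Ensure good communications with intermediate storage", "CM"),
                   Action("(b)", "Install low level alarm on settling tank LIC", "IDE")]))
    rec.add(Cause(2, "NONE", "No flow", "J1 pump fails", "As for (1)", covered_by=["(b)"]))
    rec.add(Cause(3, "NONE", "No flow", "Line blockage, isolation valve closed in error, or LCV fails shut",
                  "As for (1). J1 pump overheats",
                  [Action("(c)", "Install kick-back on J1 pumps", "DE"),
                   Action("(d)", "Check design of J1 pump strainers", "DE")], covered_by=["(b)"]))
    rec.add(Cause(4, "NONE", "No flow", "Line fracture",
                  "As for (1). Hydrocarbon discharged into area adjacent to public highway",
                  [Action("(e)", "Institute regular patrolling and inspection of transfer line", "CM")],
                  covered_by=["(b)"]))
    rec.add(Cause(5, "MORE OF", "More flow", "LCV fails open or LCV bypass open in error",
                  "Settling tank overfills. Incomplete separation of water phase in tank",
                  [Action("(f)", "Install high level alarm on LIC and check sizing of relief "
                                 "opposite liquid overfilling", "IDE"),
                   Action("(g)", "Institute locking off procedure for LCV bypass when not in use", "CM"),
                   Action("(h)", "Extend J2 pump suction line to 12 inches above tank base", "DE")]))
    return rec


if __name__ == "__main__":
    rec = table_2_2_subset()
    for ref, deviation, text, owner, follow_up in rec.action_report():
        print(f"{ref:<3}{deviation:<11}{text:<80}{owner:<4}{follow_up}")
    print("Unresolved causes:", rec.unresolved() or "none")
```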

2.3 When is a Hazop carried out and how long does it take?

A Hazop cannot be carried out before the line diagrams, complete with control instrumentation (that is, process and instrumentation diagrams) are complete. It should be carried out as soon as possible thereafter, before detailed design starts. The 'window of opportunity' is thus limited, so plan the meetings well in advance. It is no use waiting until the line diagrams are ready and then expecting the members of the team to be available.

If an existing plant is being studied the first step is to bring the line diagrams up to date or check that they are up to date. Carrying out a Hazop on an incorrect line diagram is the most useless occupation in the world. It is as effective as setting out on a journey with a railway timetable ten years out of date.


A Hazop usually takes 1.5—3 hours per main plant item (still, furnace, reactor, heater, and so on). If the plant is similar to an existing one it will take 1.5 hours per item but if the process is new it may take 3 hours per item. Inexperienced teams, of course, take longer than experienced ones. References 40 and 41 describe more sophisticated methods of estimating the time required.

Meetings are usually restricted to 3 hours, 2 or 3 days per week, to give the team time to attend to their other duties and because the imagination tires after 3 hours at a stretch. If the members of the team have to be gathered from a distance, longer periods of working, perhaps every morning for a week, may have to be accepted. Resist any temptation to work 8 or more hours per day for a week, as attention inevitably flags. It is the results of a Hazop that are important, not the number of hours spent on it.

The Hazop on a large project may take several months, even with two or three teams working in parallel on different sections of the plant. It is thus necessary to either:

(a) Hold up detailed design and construction until the Hazop is complete; or
(b) Allow detailed design and construction to go ahead and risk having to modify the detailed design or even alter the plant when the results of the Hazop are known.

Ideally, the design should be planned to allow time for (a) but if completion is urgent (b) may have to be accepted. Section 2.7 (page 41) suggests that a preliminary Hazop is carried out on the flowsheet before detailed design starts. This will take much less time than the Hazop of the line diagrams.

Investigations of Hazop by a combined industry/university team showed that time spent on explanation at the start of a Hazop reduced the time spent on the Hazop itself. They also found that interesting or difficult cases can take excessive time and that inexperienced teams tend to be too rigid in their approach and that this causes delay. For example, teams usually discuss the possible causes of a deviation before they discuss the consequences, as if there is no possible cause the consequences do not matter. However, experienced teams are flexible and sometimes find it better to discuss the consequences first.


2.4 Some points to watch during Hazop 2.4.1 Don't get carriedaway

it is possible for a team to get carried away by enthusiasm and install expensiveequipmentto guard against unlikely hazards. The team leadercan counter

27

hA/OP AN!) HAtAN this by asking how often the hazard will occur and how serious the consequences will be. Sometimes the team leader maysuggest a full hazardanalysis, as described in Chapter 3. but more often a problem can be brought into perspective by just quoting a few figures or asking a team memberto do so. How often havesimilarpumps leaked in the past? How often do flanged joints leak and howfar do the leaks spread? How often do operators forgetto close a valve when an alarm sounds? Section 2.9 (page 50) describesa five-minute Hazancarried out during a Hazop meeting. The mosteffectiveteam leaders are trainedin Hazan as well as Hazop. 2.4.2 Different sorts of actions The team consistsmainly of engineers. They like hardware solutions, but sometimes a hardwaresolution is impossible or too expensiveand we have to makea change in methods or improve the training of the operators — thatis, we change the software. We cannotspend our way out of every problem. Table 2.2 (pages 14—IS) gives examples of software solutions as well as hardware ones. (See the notes on human error in Section 2. I on page 12.) Contractors, in particular, should choose solutions appropriate to the sophistication and experience of their client. It is no use installing elaborate trips if the client has neither the skill nor the will to use them. Look for less sophisticated solutions. The actions agreed are normally changes (in equipmentor procedures) to prevent deviations occurring (or to giveprotection against the consequences or toprovideopportunities forrecovery), not actions to deal with theresultsofthe deviation (such as handling a leak or fighting a fire). I have known Hazop teams merely decide what they would do if a leak occurred, not how they would prevent it. While we shouldconsider how we deal with thoseleaks that occur despite our efforts, the main emphasis in a Hazop should be on prevention. 
2.4.3 Modifications

When Hazop team members approve a design they are approving what they see on the drawings in front of them. If the design is changed, either before construction or on the completed plant, then the approval is no longer valid. All modifications should therefore be Hazoped before they take place and then inspected after completion to make sure that they have been carried out correctly and look right. What does not look right is usually not right and should at least be checked.

For example, during a shutdown a heat exchanger was found to be so dirty that it could not be cleaned in the time available. It was therefore decided to bypass it until the next shutdown. Figure 2.4 shows the bypass pipework. The large horizontal pipe bypasses the tubes and the inverted U bypasses the shell. Shortly before start-up the senior engineer on the site had a final look round. Something did not look right. What? The answer is on page 30.

Many people believe that Hazop is unsuitable for small modifications because it is difficult to assemble a team every time we wish to install a new valve or sample point or raise the operating temperature. However, many accidents have occurred because modifications had unforeseen and unpleasant side-effects[3,4,43]. If proposals are not 'Hazoped', therefore, they should still be thoroughly probed before they are authorized. A guide sheet for helping us to do this is shown in Table 2.5 (pages 31—32). Do not overlook the following modifications:

• temporary modifications as well as permanent ones;
• start-up modifications as well as those on established plants;
• cheap modifications as well as expensive ones;
• modifications to procedures, process materials or operating conditions, as well as modifications to equipment.

Reference 44 includes tables, similar to Table 2.5, for examining changes to process materials and procedures. Reference 45 describes an alternative approach.

Figure 2.4 Does this equipment look right? If not, what is wrong?


What was wrong with the equipment shown in Figure 2.4

Before the shutdown the heat exchanger sat on the floor and supported the large pipes leading to and from the tubes. Now these pipes have to support the large horizontal pipe which has replaced the tube side of the heat exchanger. This will subject the connecting pipes to a downward thrust that they were not designed to take. There is an isometric drawing in Reference 3.

If the effects of a modification are not realized beforehand, then further modifications may be needed later. A modification that has not been thoroughly thought through can result in a chain of further modifications during the subsequent months, possibly in distant parts of the plant[46].

2.4.4 'We don't need a Hazop. We employ good people and rely on their knowledge and experience'

A Hazop is no substitute for knowledge and experience. It is not a sausage machine which consumes line diagrams and produces lists of modifications. It merely harnesses the knowledge and experience of the team in a systematic and concerted way. Because designs are so complicated the team members cannot apply their knowledge and experience without this crutch for their thinking. If the team lacks knowledge and experience the Hazop will produce nothing worthwhile.

'Good people' sometimes work in isolation. Pegram writes, 'working independently, the solving of a problem by one discipline can become a problem of another' and 'low cost engineering solutions from one point of view may not necessarily end up as overall low cost'[22]. Hazop ensures that hazards and operating problems are considered systematically by people from different functions working together. Experience shows that start-up, shutdown and other abnormal conditions are often overlooked by functional groups working in isolation. For an example, see Section A2.10.4, page 74.

The opposite of the heading to this section is the belief that good systems can be a substitute for good people. All that systems can do, however, is ensure that people's knowledge and experience are applied systematically and thus reduce the chance that something is missed. If people lack knowledge or experience (or commitment) then systems such as Hazop are empty shells. People will go through the motions but the output will be poor.

Good people without a system will achieve less than their full potential, but if people lack knowledge and experience then systems will achieve nothing. This is a particular danger at


Table 2.5 A procedure for safety assessment of modifications (from Reference 3)

A possible extra question is 'What is the worst thing that can go wrong?'

Plant:
Title:
Reg. No.:

Underline those factors that have been changed by the proposal

Process conditions: temperature; pressure; flow; level; composition; toxicity; flash point; reaction conditions

Operating methods: start-up; routine operation; shutdown; preparation for maintenance; abnormal operation; emergency operation; layout and positioning of controls and instruments

Engineering methods: trip and alarm testing; maintenance procedures; inspection; portable equipment; control logic

Safety equipment: fire-fighting and detection systems; means of escape; safety equipment for personnel

Environmental conditions: liquid effluent; solid effluent; gaseous effluent; noise

Engineering hardware and design: line diagram; wiring diagram; plant layout; design pressure; design temperature; materials of construction; loads on, or strength of: foundations, structures, vessels, pipework/supports/bellows; temporary or permanent: pipework/supports/bellows, valves, slip-plates, restriction plates, filters; instrumentation and control systems; trips and alarms; static electricity; lightning protection; radioactivity; rate of corrosion; rate of erosion; isolation for maintenance: mechanical, electrical; fire protection of cables; handrails, ladders, platforms, walkways; tripping hazard; access for: operation, maintenance, vehicles, plant, fire-fighting; underground/overhead: services, equipment

Within the categories listed below, does the proposal:

(Columns: Yes or no | What problems are created affecting plant or personnel safety? Recommended action? | Signed and dated)

Relief and blowdown
(1) Introduce or alter any potential cause of over/underpressuring the system or part of it?
(2) Introduce or alter any potential cause of higher or lower temperature in the system or part of it?
(3) Introduce a risk of creating a vacuum in the system or part of it?
(4) In any way affect equipment already installed for the purpose of preventing or minimizing over or under pressure?

Area classification
(5) Introduce or alter the location of potential leaks of flammable material?
(6) Alter the chemical composition or the physical properties of the process material?
(7) Introduce new or alter existing electrical equipment?

Safety equipment
(8) Require the provision of additional safety equipment?
(9) Affect existing safety equipment?

Operation and design
(10) Introduce new or alter existing hardware?
(11) Require consideration of the relevant Codes of Practice and Specifications?
(12) Affect the process or equipment upstream or downstream of the change?
(13) Affect safe access for personnel and equipment, safe places of work and safe layout?
(14) Require revision of equipment inspection frequencies?
(15) Affect any existing trip or alarm system or require additional trip or alarm protection?
(16) Affect the reaction stability or controllability of the process?
(17) Affect existing operating or maintenance procedures or require new procedures?
(18) Alter the composition of, or means of disposal of, effluent?
(19) Alter noise levels?

Safety assessor: ............ Date: ............
Checked by (Plant Manager): ............
Checked by (Engineer): ............


a time when companies are reducing manning and the over-fifties are looked upon as expenses to be eliminated rather than assets in which thirty years' salary has been invested. Senior managers should systematically assess, from time to time, the levels of knowledge and experience needed and ensure that they are maintained. This is an area where systematic methods have not been applied as thoroughly as elsewhere. In the UK the Health and Safety Executive has recently instructed a major company to set up a formal system for controlling changes to its organization.

2.4.5 'Do it for us'

Companies have been known to say to a design contractor, 'We are understaffed and you are the experts, so why don't you do the Hazop for us?'[23]. The client should be involved as well as the contractor because the client will have to operate the plant. The Hazop gives the client's staff an understanding of the reasons for various design features and helps them write the operating instructions. Even if the client's staff know little to start with about the problems specific to the particular process, they will be able to apply general chemical engineering and scientific knowledge as well as common sense knowledge (see Section 2.6, page 38). Writing in a different context, Pegram says, '... The only effective team is one that owns the problem. The team must therefore comprise the individuals who are responsible for implementing the results of the study, not an external group of experts'[22]. The actions agreed at a Hazop include changes in procedures as well as changes to equipment (see Section 2.4.2, page 28) and while the contractor is responsible for the latter, the client is responsible for the former. (In addition, Section 2.13 on page 56 contains a note on the less obvious benefits of Hazop.)

2.4.6 Knock-on effects

When a change in design (or operating conditions) is made during a Hazop, it may have effects elsewhere in the plant, including the sections already studied. For example, during a Hazop the team decided to connect an alternative cooling water supply to a heat exchanger. The original water supply was clean but the alternative was contaminated, and so the team had to change the grade of steel used for the heat exchanger and connecting lines. It also had to consider the effects of reverse flow in the original lines[24].

2.4.7 'Leave it until the Hazop'

Design engineers have been known to say, when someone suggests a change in design, 'Don't bother me now. We'll be having a Hazop later on. Let's talk about it then'.


This is the wrong approach. A Hazop is a final check on a basically sound design to make sure that no unforeseen effects have been overlooked. It should not replace the normal consultations and discussions that take place while a design is being developed. A Hazop meeting is not the right place for redesigning the plant; there are too many people present and it distracts from the main purpose of the meeting, which is the critical examination of the design on the table[9].

2.4.8 Just look at deviations from design standards

One company has tried to simplify Hazop by just looking for deviations from its design codes and standards. This may be OK if there is little or no innovation, but if there is innovation, and there usually is some, the existing codes may not cover the new circumstances. For example, a hydraulic crane tried to lift a load that was too heavy for the fully extended jib and fell onto the plant; no alarm sounded. The crane was fitted with all the alarms required by the current codes and they were all in working order. However, the codes were written for mechanical strut cranes. Hydraulic cranes have an extra degree of freedom (the length of the jib can be changed) and therefore an extra alarm is needed, but no-one had realized this[47].

2.4.9 Relevance

Though the members of a Hazop team have the necessary knowledge they may fail to see its relevance. Thus, they may not realize that an open vent on a vessel is, in effect, a relief valve and should be treated with the same respect. Its size should not be altered unless we have gone through the same procedure as we would go through before changing the size of a relief valve, and it should be registered for regular inspection. Another example: chimneys are commonplace, we all know how they work, but we sometimes fail to recognize that an open drain and an open vent on the same unit may produce an upward flow of air, in effect a chimney[48]. Leathley and Nicholls suggest that presenting case studies (sometimes from unrelated industries) before a Hazop can widen the team's view of what might happen and encourage wider thinking[49].

2.5 An example of a Hazop

Table 2.2 (pages 14—15) gives the results of a Hazop on the plant shown in Figure 2.2 (pages 16—17). It shows the feed section of a proposed olefin dimerization unit and details are as follows.


An alkene/alkane fraction containing small amounts of suspended water is continuously pumped from a bulk intermediate storage tank via a 1 km (half-mile) pipeline into a buffer/settling tank where residual water is settled out. The alkene/alkane mixture then passes via a feed/product heat exchanger and preheater to the reaction section. The water, which has an adverse effect on the dimerization catalyst, is run off manually from the settling tank at intervals. Residence time in the reaction section must be held within closely defined limits to ensure adequate conversion of the alkene but to avoid excessive formation of polymer.

This design has proved valuable as a training exercise as it provides examples of many different aspects of Hazop and may also introduce students to a number of chemical engineering points that they have not previously met, as shown by the following notes. The item numbers refer to the 'Possible causes' column of Table 2.2 and the letters to the 'Action required' column.

(1) Right at the start we see that the first two actions required are a software one and a hardware one, thus emphasizing that Hazop is not just concerned with the hardware. This first item brought the commissioning manager's attention to the fact that his raw material came from a storage area 1 km away controlled by a different manager and operators who did not have to cope with the results of a loss of feed. Whose job was it to monitor the stock and see that it did not run out? Although the storage operator was on the job, the plant operators had more incentive as they had to deal with the consequences if the stock runs out.

Note that a deviation in one line may produce consequences elsewhere in the plant. Thus 'no flow' in the line we are studying in this example may have effects further on in the plant, in the line leading to the reactor, where 'no flow' may result in higher temperatures and the formation of polymer. In a batch process a deviation at one stage may have consequences at a later stage (see Section A2.9, page 71).

(1)(b) A low flow alarm might be installed instead of a low level alarm but it is better to measure directly what we want to know, and the low level alarm is cheaper.

(3)(c) Note that a kick-back line is shown after pump J2 on the next line to be studied. A kick-back is cheaper than a high-temperature trip and requires less maintenance. Students should be reminded that the lifetime cost of an instrument is about twice the capital cost (after discounting) if testing and maintenance are included. Instruments (and computers) cost twice what you think they will cost. In addition, management effort is needed to make sure that the testing and maintenance are carried out.

(4) Line fracture is unlikely but serious. How far should we go in taking precautions? This item can produce a lively debate between those who wish to ignore the problem and those who want leak detectors, emergency isolation valves, etc. The action agreed is a compromise.

(5)(f) This illustrates the need, in sizing relief valves, to ask whether they have to pass gas or liquid.

(5)(g) Locking-off the bypass makes it harder to open it quickly if the control valve fails shut. Do we need a bypass? How often will the control valve fail shut?

(5)(h) The team members might have decided that they wished to increase the size of the buffer/settling tank, originally sufficient for 20 minutes settling time but reduced by the action proposed. If so, they might have found that it was too late to do so as the vessel was on the critical path and had already been ordered. Section 2.7 (page 41) recommends a preliminary Hazop on the flowsheet at a time when such changes can be made.

(6) This item introduces students to liquid hammer, which they may not have met before.

Note that we often have more than one chance to pick up a hazard. When discussing 'no flow' [item (3)] the team members realized that line blockage would cause a rise in pressure but they decided to leave discussion of the consequences until they came to the deviation 'more pressure'. If they had not realized, when discussing item (3), that line blockage could cause a rise in pressure, then they had another opportunity to do so later. Sections 2.8.4 and A2.8 (pages 50 and 67) describe other examples.

(9) Some drains in Figure 2.2 are shown blanked, others not. All drains should be blanked unless used regularly by the process team.

(11) Regular draining of the intermediate storage tank will prevent gross amounts of water going forward to the settling tank. Can we not rely on the storage operator? Is a high interface alarm necessary? On the other hand, excess water will damage the catalyst. It is unwise to rely for its removal on a man in another plant who may not realize its importance and does not have to handle the consequences if the water goes forward. An automatic controller to remove water, operated by the interface level indicator, is not recommended as if it fails oil will flow to drain and may not be detected.

(12) Have the distillation columns been designed for a particular concentration of lower alkanes and alkenes (and a particular alkane/alkene ratio) or a range of concentrations? If the former, what will be the effect of changes in concentration and ratio on throughput and performance? This item brings home to students that in designing equipment they should always ask what departure from flowsheet can be expected and estimate the effects on their design.

Reference 5 gives the results of a Hazop of a second line in the dimerization unit. Other examples of Hazops can be found in References 6, 7, 8, 10, 13 and 14. The examples described in References 7 and 8 are rather complex for a first exercise but those described in References 6, 13 and 14 should be suitable. Reference 6 deals with a plant in which a gas stream is heated and then passes to a compressor suction catchpot which is fitted with a high level alarm and a high level trip. Reference 13 studies a system for heating refrigerated propane before pumping it down a long mild steel pipeline to a receiving plant. The reliability of the heating system must be high or the pipeline may get too cold and become brittle. Reference 14 studies a nitric acid plant, and Reference 10 laboratory design. Reference 7 describes a study on a complex, highly-instrumented system for preventing reverse flow while Reference 8, part of an Institution of Chemical Engineers model design project, describes a system of several reactors fitted with remotely-operated changeover valves. Roach and Lees[9] and Jefferson et al[42] have analysed the activities that take place during a Hazop.
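Two points in these notes lend themselves to a short model: a program can offer the team a reminder list of possible causes for a deviation (the 'no flow' list with its nested sub-causes for pump failure), and a deviation in the line being studied has knock-on consequences in the units downstream (no flow on the feed line ending as high temperature and polymer in the reactor). The Python below is an added illustration, not code from the book or from any program it cites; the cause tree, the unit names and the knock-on rules are constructed for the example and only loosely follow the feed section of the dimerization unit.

```python
"""Hazop aid: cause reminders and knock-on propagation of a deviation.

Added example; not code from the book or from any program it cites. The cause
tree, the unit names and the knock-on rules are constructed for illustration
and only loosely follow the feed section of the dimerization unit.
"""
from typing import Dict, List, Optional, Tuple

# Reminder tree of possible causes, keyed by deviation. Sub-causes are nested,
# e.g. a pump failure may itself be due to power, motor, coupling or pump.
CAUSES: Dict[str, dict] = {
    "no flow": {
        "suction vessel empty": {},
        "pump fails": {
            "power supply fails": {},
            "motor fails": {},
            "coupling fails": {},
            "pump itself fails": {},
        },
        "line blocked": {},
        "valve closed": {},
        "slip-plate left in": {},
        "pipe broken": {},
        "high pressure in delivery vessel": {},
    },
    # Constructed entry, following note (3)(c) and the 'more pressure' discussion.
    "more pressure": {
        "line blocked or valve closed downstream of the pump": {},
        "pump delivering against a closed system (no kick-back)": {},
    },
}

# Constructed plant model: each unit and the unit immediately downstream of it.
DOWNSTREAM: Dict[str, Optional[str]] = {
    "intermediate storage": "transfer line (pump J1)",
    "transfer line (pump J1)": "settling tank",
    "settling tank": "feed/product exchanger",
    "feed/product exchanger": "reactor",
    "reactor": None,
}

# Knock-on rules (constructed): (unit, deviation arriving at it) ->
# (consequence at that unit, deviation handed on to the next unit, or None).
KNOCK_ON: Dict[Tuple[str, str], Tuple[str, Optional[str]]] = {
    ("transfer line (pump J1)", "no flow"):
        ("pump J1 runs dry or dead-headed and overheats; possible gland leak", "no flow"),
    ("settling tank", "no flow"):
        ("level falls; feed lost once the buffer volume is used up", "no flow"),
    ("feed/product exchanger", "no flow"):
        ("no feed to the reaction section", "no flow"),
    ("reactor", "no flow"):
        ("residence time exceeded; higher temperature and polymer formation", None),
    ("transfer line (pump J1)", "more pressure"):
        ("pressure rises towards pump shut-off head; line or joints may leak", None),
}


def expand_causes(deviation: str) -> List[str]:
    """Flatten the cause tree for a deviation into 'cause > sub-cause' paths
    (one entry per leaf), the list a program might show as a reminder."""
    def walk(node: dict, prefix: str) -> List[str]:
        paths = []
        for name, children in node.items():
            path = f"{prefix} > {name}" if prefix else name
            paths.extend(walk(children, path) if children else [path])
        return paths
    return walk(CAUSES.get(deviation, {}), "")


def propagate(start_unit: str, deviation: str) -> List[Tuple[str, str, str]]:
    """Follow a deviation downstream from the line being studied, applying the
    knock-on rules unit by unit; returns (unit, deviation, consequence) tuples."""
    trail = []
    unit: Optional[str] = start_unit
    seen = set()
    while unit is not None and (unit, deviation) not in seen:
        seen.add((unit, deviation))
        rule = KNOCK_ON.get((unit, deviation))
        if rule is None:
            break
        consequence, handed_on = rule
        trail.append((unit, deviation, consequence))
        if handed_on is None:
            break
        unit, deviation = DOWNSTREAM[unit], handed_on
    return trail


def hazop_entry(unit: str, deviation: str) -> dict:
    """One row of a Hazop record: the deviation, the reminder list of causes,
    and the consequences traced through the plant."""
    return {
        "unit": unit,
        "deviation": deviation,
        "possible causes": expand_causes(deviation),
        "consequences": [f"{u}: {c}" for u, _, c in propagate(unit, deviation)],
    }


if __name__ == "__main__":
    entry = hazop_entry("transfer line (pump J1)", "no flow")
    print(entry["unit"], "/", entry["deviation"])
    print("possible causes:", *entry["possible causes"], sep="\n  ")
    print("consequences:", *entry["consequences"], sep="\n  ")
```

The reminder list is only as good as the tree behind it, which is the point the next section makes: the program can prompt for an empty suction vessel or a closed valve, but it cannot know that the suction vessel is filled by an operator in another plant who is often out of earshot of his telephone.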

2.6 Could a computer carry out a Hazop?

Computers can certainly be used as an aid in Hazop studies. Programs are available for recording the results of studies (see Section 2.2, page 24), and the programs can also remind teams of the possible causes of various deviations and possible remedies so that they are less likely to overlook them. Thus if the team is considering 'no flow' in a pipeline, the computer can remind them that possible causes are an empty suction vessel, a pump failure (which in turn could be due to failure of the power supply, the motor, the coupling or the pump itself), a blockage, a closed valve, a slip-plate, a broken pipe or high pressure in the delivery vessel. Pitt et al[50] have devised a procedure for calculating the effects of deviations.

However, these programs are not what people mean when they ask the question about computers and a Hazop. They are asking if the computer could examine the line diagram, say what deviations can occur, and why, and suggest changes to the design or method of operation, perhaps using an expert system.

Before answering this question, two points should be considered. The first is that Hazop is a creative exercise and those who are best at it are people who can let their minds go free and think of all the possible ways in which deviations might occur and possible methods of prevention and control (see Section 2.2, page 20). To quote from a book on artificial intelligence[25]:

'these sort of techniques ... may eventually produce machines with a capacity for manipulating logical rules that will match, or even exceed, our own. But logic is just one aspect of human intelligence, and one whose importance can easily be overrated. For ... factors such as intuition and flair play a very large part in our thinking, even in areas like science where logic ostensibly reigns supreme. For example, most of the scientists who have recounted how they came to make an important discovery or to achieve a significant breakthrough have stressed that when they found the answer to the crucial problem they intuitively recognised it to be right and only subsequently went back and worked out why it was right.'

The second point is that the knowledge used in a Hazop is 'broad and deep' while expert systems are suitable only for 'narrow and deep' knowledge[26]. The knowledge used in a Hazop can be divided into four types[26] (see Figure 2.5). The following examples of each type are taken from the Hazop of the dimerization plant described in Section 2.5:

Plant-specific knowledge

For example: the monomer may polymerize if it is kept too long at reaction temperature. It should be possible to put this knowledge into an expert system but the information would be useful for one study only (and perhaps for later studies of plant extensions or modifications).

General process engineering knowledge

For example: a pump pumping against a dead head will overheat and this may lead to gland failure, a leak and a fire; if the residence time in a settler falls, settling may be incomplete. It should be possible in theory to put this knowledge into an expert system but the task would be enormous; a vast amount of knowledge would have to be incorporated, much of it 'good engineering practice' which is not usually written down. Expert systems are most suitable for restricted subject areas (knowledge domains). Furthermore, engineers 'know what they don't know' — know (or should know) the limitations of their knowledge and when they ought to call in an expert. It would be difficult to incorporate this 'negative knowledge' into an expert system. An expert system could be used during Hazop to answer questions on, say, corrosion to avoid calling in a corrosion expert, but only the team members can tell that they are getting out of their depth and that it is time to call in the expert (human or otherwise).

Figure 2.5 Types of knowledge. From top to bottom: plant specific (the easiest to put into an expert system but not worth the effort as it would be used so little); general process engineering; general scientific; everyday (common sense). The difficulty of putting the knowledge into an expert system increases down the list.

General scientific knowledge

For example: water may freeze if the temperature falls below 0°C; if a closed system full of liquid is heated, the pressure will rise. The difficulty of putting the knowledge into an expert system is even greater than for general process engineering knowledge.

Everyday or common sense knowledge

For example: if a line is broken, the contents will leak out; the men who have to cope with the effects of plant upsets are more likely than other men to take action to prevent them; a man cannot hear the telephone if he is out of earshot. The difficulties here are greater still and may be beyond the power of any expert system. To quote from Reference 25 again:


'The knowledge employed by an expert, unlike the commonplace, casually acquired knowledge we rely on in our everyday affairs, is likely to be formalized, codifiable and, above all, already fitted into a deductive framework. The reasoning processes employed by a doctor making a diagnosis, an engineer analysing a design or a lawyer preparing a brief are, in other words, much more nearly analogous to a computer running a program than the vague and ill-defined sort of reasoning we engage in when we think about more mundane matters'.

In Hazop we are concerned with mundane matters as well as purely technical ones, as Section 2.5 shows (page 35).

Despite these difficulties, attempts have been made to computerize the identification of deviations, their causes and their consequences and the assessment of the precautions taken. For example, Venkatasubramanian and Vaidhyanathan[51] and Wakeman et al[52] have described computer Hazops of the dimerization unit described in Sections 2.1 and 2.5. Taking the deviation 'no flow' as an example, the programs found the same causes as in the original study (suction tank empty, pump fails, line blockage and line rupture) and the same consequences (pump overheats and possibly leaks, loss of feed to reaction section with consequent overheating and formation of polymer). In the original study the discussion of the first cause (suction tank empty) drew the plant manager's attention to the fact that the raw material came from a storage area 1 km away controlled by a different manager and by operators who would not have to cope with the results of a loss of supply. He decided that he could not trust them to monitor the stock and would have to make his own team responsible. Someone in the Hazop team pointed out that the solitary storage area operator on duty at any one time was often out of earshot of his telephone and alarms; should the new plant supply him with a radio? The discussion of these facts at the original Hazop is summed up in Table 2.1 by the action, 'Ensure good communication with the intermediate storage operator'. Software has a long way to go before it can uncover the facts that lie behind this statement! (Plant manager is used in the UK sense, equivalent to supervisor in the USA.)

Wakeman et al[52] are commendably frank about the limitations and objectives of their program, called Auto-HAZID. Their paper lists problems rather than solutions. Auto-HAZID is not intended to replace the Hazop meeting but to save time by producing a list of problems for consideration at the meeting.
The problems identified are those that arise out of the failure of equipment or interactions between items of equipment, not those that arise out of interactions between people. So hazard teams are unlikely to become redundant in the foreseeable future. So far there has been little industrial experience of these techniques, but industry has been involved in their development.

During a Hazop study, particularly when the technology is new to the team, someone often half-remembers a hazard. It would be useful to be able to call up details of hazards, of accidents which they have caused and of the actions recommended to prevent a recurrence. Although computerized databases are available they suffer from a common weakness: they are either go or no-go, that is, they find a precise match with the chosen keywords or they do not. To overcome this Chung et al are developing a fuzzy search tool which uses case-based reasoning. The key words are arranged in hierarchies resembling family trees. If the program cannot find a precise match it looks for matches with the parents or siblings of the keywords and, if that is unsuccessful, with more distant relatives. For example, suppose we wish to find information on the road transport of sulphuric acid. If no match can be found, the program will look for matches with the rail transport of sulphuric acid, with its transport by any means, or with the road transport (or just transport) of other acids, or for their storage. If these searches fail it might look for the transport of corrosive chemicals or their storage. The program is not intended merely, or even primarily, for use by Hazop teams. It could be used by designers, by anyone looking for information and, in a somewhat different form, by process operators. In this case information would be displayed automatically when hazardous conditions are approached[53–55].
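The hierarchical fallback just described can be shown in a few lines of Python. This is an added example, not the tool by Chung et al or any other program the book cites; the two keyword hierarchies (substance and activity), the incident records and the widening rule (generalize every keyword by one generation at a time, a parent or a sibling counting as one generation) are assumptions made for the illustration.

```python
"""Hierarchical ('fuzzy') keyword search over a hazard/incident database.

Added example, not the tool described in the text. The keyword trees, the
incident records and the widening rule are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# One hierarchy per facet: child -> parent (None marks the root of the tree).
TREES: Dict[str, Dict[str, Optional[str]]] = {
    "substance": {
        "chemical": None,
        "corrosive chemical": "chemical",
        "acid": "corrosive chemical",
        "alkali": "corrosive chemical",
        "sulphuric acid": "acid",
        "nitric acid": "acid",
        "caustic soda": "alkali",
    },
    "activity": {
        "handling": None,
        "transport": "handling",
        "storage": "handling",
        "road transport": "transport",
        "rail transport": "transport",
    },
}

# Constructed incident records, each tagged with one keyword per facet.
# Deliberately no record for the road transport of sulphuric acid, so that
# the query in the text has to be widened before anything is found.
RECORDS: List[dict] = [
    {"substance": "sulphuric acid", "activity": "rail transport",
     "summary": "tank wagon valve left open during shunting"},
    {"substance": "nitric acid", "activity": "road transport",
     "summary": "road tanker discharge hose failed"},
    {"substance": "sulphuric acid", "activity": "storage",
     "summary": "storage tank overfilled during delivery"},
    {"substance": "caustic soda", "activity": "road transport",
     "summary": "wrong tanker connected to unloading point"},
]


def lineage(tree: Dict[str, Optional[str]], node: str) -> List[str]:
    """Return node, its parent, grandparent, ... up to the root."""
    if node not in tree:
        raise ValueError(f"unknown keyword: {node!r}")
    out = []
    while node is not None:
        out.append(node)
        node = tree[node]
    return out


def generations_up(tree: Dict[str, Optional[str]], query: str, record: str) -> Optional[int]:
    """How many generations the query keyword must be generalized before it
    covers the record keyword: 0 = exact match (or the record is a descendant
    of the query), 1 = parent or sibling, 2 = grandparent or cousin, ...
    None = no common ancestor."""
    record_line = set(lineage(tree, record))
    for steps, ancestor in enumerate(lineage(tree, query)):
        if ancestor in record_line:
            return steps
    return None


def search(records: List[dict], query: Dict[str, str],
           max_widening: int = 3) -> Tuple[Optional[int], List[dict]]:
    """Exact match first; then widen every facet by one generation at a time
    (parents and siblings, then grandparents and cousins, ...). Returns the
    widening level at which hits were first found and the hits, closest first."""
    for level in range(max_widening + 1):
        hits = []
        for rec in records:
            dists = [generations_up(TREES[f], query[f], rec[f]) for f in query]
            if all(d is not None and d <= level for d in dists):
                hits.append((sum(dists), rec))
        if hits:
            hits.sort(key=lambda h: h[0])  # stable: ties keep database order
            return level, [rec for _, rec in hits]
    return None, []


if __name__ == "__main__":
    level, hits = search(RECORDS, {"substance": "sulphuric acid", "activity": "road transport"})
    print(f"found at widening level {level}:")
    for rec in hits:
        print(f"  {rec['activity']} of {rec['substance']}: {rec['summary']}")
```

With these trees the query for the road transport of sulphuric acid finds nothing at level 0, then at level 1 the rail transport of sulphuric acid and the road transport of nitric acid (a sibling on one facet, exact on the other); the storage of sulphuric acid and the road transport of caustic soda only appear at level 2. A go/no-go keyword match would have returned nothing at all.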

2.7 The limitations of Hazop (see also Section A2.10, page 72)

Hazop cannot, of course, detect every weakness in design. In particular, it cannot draw attention to weaknesses in layout. It will also miss hazards due to leaks on lines that pass through or close to a unit but carry a material that is not used on that unit. This can be overcome by using an additional guide word such as PASSING THROUGH or NEARBY[72].

Hazop assumes that the design assumptions are followed during construction and operation. If, say, the wrong material of construction is used or equipment is not tested as assumed, then problems may result. Hazop teams may, of course, draw attention to circumstances where special measures should be taken to ensure that the right materials are used or tests carried out, and may question the wisdom of including equipment such as bypasses around trip valves or isolation valves below relief valves.


Hazop as described above is carried out late in design. It brings hazards and operating problems to light at a time when they can be put right with an indiarubber rather than a welding set, but at a time when it is too late to make fundamental changes in design.

For example, referring to Section 2.5, note (12) (page 37), the Hazop might bring to light the fact that the concentration of light ends might vary markedly from design and that the still should be redesigned to allow for this. It is probably too late to do this; the still may have already been ordered. Section 2.5, note (5)(h) (page 36), contains another example: by the time of the Hazop it may have been too late to increase the size of the settling tank. Such problems can be picked up earlier if a preliminary or 'coarse-scale' Hazop is carried out on the flowsheet before it is passed to the engineering department for detailed design, a year or more before the line diagrams are available. Like a normal Hazop it can be applied to continuous and batch plants.

The following are some of the points brought out in a preliminary Hazop of the design for a batch reactor, followed by a stripping section in which an excess of one reactant is removed under vacuum.

• If the reactor is overfilled it overflows into a pot which is fitted with a high level alarm. Why not fit the high level alarm on the reactor and dispense with the pot?
• What would it cost to design the reactor to withstand the vacuum produced by the stripper, thus avoiding the need for a vacuum relief valve which would allow air to be sucked into the reactor, producing a flammable mixture?
• Why do we need two filters per reactor? Will a change in type allow us to manage with one?
• By suitable choice of bottoms pump, can we reduce the height of the stripper above ground level and thus reduce the cost of the structure?
• Can the heat exchangers be designed to withstand the maximum pressures that can be developed under all but fire conditions, thus avoiding the need for relief valves?
• A material proposed for removal of colour may be unsuitable on toxicological grounds.

These are just a few of the 66 points that came up during three three-hour meetings. Many of the points would have come up in any case but without a Hazop many might have been missed or might not have come up until it was too late to change the design.

While the results of several line diagram Hazops have been described in detail (see the list at end of Section 2.5, page 37), very few flowsheet Hazops have been described in the same way. Table 2.6 (pages 44—45) lists some of the points that came out of a coarse-scale Hazop of the polyethylene plant shown in Figure 2.6. Ethylene at 1500 bar and 175°C is fed, with a reaction initiator, into the reactor where 15—25% of it polymerizes. A cooling jacket removes the heat of reaction. The product is separated from the unconverted gas in two separators and the gas is recycled[56]. As with the dimerization unit discussed in Section 2.5, you may feel that the recommendations go too far or not far enough. Reference 15 describes many changes that have been made as a result of flowsheet Hazops and References 11 and 12 describe two early studies of flowsheets using critical examination (see Section 7.1, page 203) rather than Hazop.

Figure 2.6 Simplified diagram of a polyethylene plant (Reproduced by permission of the National Institute of Occupational Health and Safety)


Table 2.6 Part of a coarse-scale Hazop of a polyethylene plant (Reproduced by permission of the National Institute of Occupational Safety and Health)

Parameter: Reactor temperature

Guide word: HIGHER
Deviation: Higher reactor temperature
Consequences: Runaway reaction in reactor
Causes: Coolant pump to reactor fails
Recommended actions:
• Provide temperature control
• Provide high temperature sensor/alarm
• Provide pressure relief valve with automatic feed from temperature control system
• Provide spare coolant pump
Causes: Coolant temperature high
Recommended actions:
• Use heat exchanger temperature control to adjust inlet coolant temperature

Guide word: LOWER
Deviation: Lower reactor temperature
Consequences: Poor or no reaction; poor quality product
Causes: Coolant temperature low
Recommended actions:
• Provide temperature monitoring in reactor
• Use heat exchanger to adjust inlet coolant temperature

Parameter: Flow rate of ethylene, polyethylene and initiator

Guide word: NO (polyethylene)
Deviation: No flow
Consequences: Level build-up in reactor
Causes: Melt pump fails
Recommended actions:
• Provide level control in reactor with automatic flow through a spare pump

Guide word: LESS (ethylene)
Deviation: Less flow
Consequences: System upset; product quality affected; system shutdown
Causes: Make-up or recycle compressor failure
Recommended actions:
• Provide a spare compressor with automatic switch from the failed compressor

Guide word: MORE (initiator)
Deviation: More flow
Consequences: More polymerization; possibility of runaway conditions; product quality off specification
Causes: Initiator pump malfunction
Recommended actions:
• Provide adequate flow controls on both initiator and monomer lines to maintain the desired initiator to monomer ratio

Guide word: LESS (initiator)
Deviation: Less flow
Consequences: Less polymerization; reactor temperature imbalance affects downstream equipment such as heat exchangers
Causes: Make-up and recycle gas compressor failure
Recommended actions:
• Provide flow controllers on ethylene and initiator lines

There is an important difference between an ordinary Hazop and a coarse-scale Hazop of a flowsheet. In an ordinary Hazop deviations from design are considered undesirable. We look for causes of deviations and ways of preventing them. In coarse-scale Hazop, however, we are also trying to generate alternatives. In considering, say, 'more of' temperature, we do not just ask if it can occur and if it would be undesirable but we also ask if it might

not be better to operate at higher temperatures. Some Hazop teams always question the adequacy of the design parameters. Hazop, designed to generate deviations, was developed from a technique, critical examination, which was designed to generate alternatives. To generate alternatives we may therefore need to go back to something akin to the original technique. In particular, we may need an extra guide word, AVOID (the need). Table 2.7 (from Reference 11) is an extract from an early critical examination of a flowsheet.

Even a coarse-scale Hazop is too late for some major changes in plant design. A similar type of study is needed at the conceptual or business analysis stage when we decide which product to make, by what route and where to locate the plant. For example, at Bhopal in 1984 an intermediate, methyl isocyanate (MIC), leaked out of a large continuous plant and killed over 2000 people. If the same raw materials are allowed to react in a different order, no MIC is produced. It is too late to suggest at the flowsheet stage that the order of reaction, on a continuous plant, should be changed. That decision has to be made right at the beginning of the design process (see also Section A2.2, page 62). Alternatively, if we use the MIC route we can reduce or eliminate the intermediate stock and use the MIC as soon as it is formed. The decision to do so can be made at any time, even when the plant is on line, but money will be saved if the decision is made early in design.

Table 2.7 An extract from the critical examination of a flowsheet showing the generation of alternatives by successive questioning (From Reference 11)

Statement: Design a distillation column

Successive questions and answers, with the alternative ideas each one generated:

Why? To separate A from B.
Alternatives: (i) Separate them some other way, eg, fractional crystallization. (ii) Don't separate them at all.

Why? Because the recycle reactor won't crack A mixed with B.
Alternatives: (i) Find an alternative market which will take A and B. (ii) Change the process so we don't make B.

Why? Because the furnace temperature isn't high enough.
Alternatives: (i) Change the reactor conditions so that A and B can be cracked.

Why? Because tube materials won't stand a higher temperature.
Alternatives: (i) Find another tube material to stand higher temperatures. (ii) Find catalyst to permit cracking at lower temperature.

Could we go further? Would a different insecticide be safer to manufacture than the one made at Bhopal? Instead of manufacturing an insecticide could we develop insect-resistant plants or use natural predators? I am not saying we should; only that such questions might be asked.

A theologian27 once said, '... all great controversies depend on both sides sharing a false premise'. In controversies about whether or not to spend money on a particular safety proposal, the design engineer may think he has gone far enough and the commissioning manager may disagree. The common false premise is the belief that we have to spend money to increase safety. If safety studies are made early in design this may not be the case — plants can be both cheaper and safer15, for two reasons: (1) if we can reduce the amount of hazardous material in a plant or use a safer material instead we need less added-on protective equipment; and (2) if we can reduce the amount of hazardous material the plant will be smaller and therefore cheaper15. Plants in which hazards have been avoided are inherently safe. Their safety does not depend on protective equipment which might fail or be neglected. Their safety is more robust.

A clever man has been described as one who finds ways out of an unpleasant situation into which a wise man would never have got himself. Wise men carry out safety studies early in design. Of course, every company carries out many studies before embarking on a design. What is lacking in most companies at the conceptual and flowsheet stages of projects, however, is the systematic, formal, structured examination which is characteristic of a Hazop. The normal Hazop questions are not suitable at the conceptual stage but Chapter 10 of Reference 15 suggests some alternatives. It also gives many examples of hazards that have been or could be reduced or avoided by Hazop type studies at the conceptual or flowsheet stages. A nuisance during a conventional Hazop is the person who asks if the right product is being made in the right way at the right place. It is by then far too late to ask such questions. If the person asks them then, perhaps there was no opportunity to ask them earlier.

2.8 'Do we need to Hazop this plant?' 'It is only a simple project' or 'It is similar to the last one'

2.8.1 An example
So many of the things that go wrong occur on small, simple or repeat units where people feel that the full treatment is unnecessary. 'It is only a storage project and we have done many of these before!' 'It is only a pipeline and a couple of pumps.' 'It is only a service system.'

Figure 2.7 Twelve points came out of a Hazop in this bit of plant (line diagram; labels on the figure: Restriction; Feed to distillation column; To later stages of plant; Used for start-up only)

If designers talk like this, suggest they try a Hazop and see what comes out of it. After the first meeting or two they usually want to continue. Figure 2.7 shows part of a line diagram on which the design team was persuaded, somewhat reluctantly, to carry out a Hazop. 12 points which had been overlooked came out of the study. Here are four of them:
• If the pump stops, reverse flow will occur through the kick-back line. The non-return valve should be downstream of this line.
• If the pump stops, reverse flow may occur through the start-up line. Should there be a non-return valve in this line?
• The restriction plate in the kick-back line might be replaced by a flow controller to save power.
• No provision has been made for slip-rings or spectacle plates so that the pump can be isolated by slip-plates for maintenance.
The design team readily agreed to study the rest of the plant. Similar studies have recommended the use of a length of narrow bore line instead of a restriction plate, as it is less easy to remove a length of line.

2.8.2 Another example
The tank shown in Figure 2.8 was being filled from another tank some distance away. The pump used for emptying the tank was not running but its kick-back line had been left open. When the tank was nearly full the high level trip closed the valve in the filling line. The gauge pressure in the filling line rose to 20 bar (300 psi) and burst the pump which normally operated at a gauge pressure of 3 bar (45 psi).

Figure 2.8 When the automatic valve closed, the pump was overpressured (label on the figure: Line used for filling tank)

A Hazop had been carried out on the plant, but this section was not studied as it was 'only an off-plot' — a tank, a pump and a few valves — too simple for any hazards to pass unnoticed, or so it was thought. Consideration of 'reverse flow' through the kick-back line (or 'more of pressure' in the filling line) would have disclosed the hazard. After the incident the kick-back line was rerouted back to the tank.

2.8.3 Service systems
All service lines (including steam, water, compressed air, nitrogen and drain lines) should be 'Hazoped' as well as process lines (see Sections A2.3 and A2.5, pages 63 and 64). Pearson16 lists some of the questions which arise during Hazops of service systems:
• Should power supplies to equipment be duplicated?
• Should equipment be duplicated or triplicated?
• Should we use steam or electricity or a combination for pumps and compressors?
• Should we provide automatic start for spare pumps?
• Should we provide voltage protection for key equipment which must be kept on line or restarted quickly?
• In which order should equipment be restarted after a power failure?
• Do we need emergency power supplies for lighting, communication equipment, and so on?
• Should control valves fail open or shut or 'stay put'?
• How will emergency equipment such as diesel generators be cooled if plant cooling water is not available?

2.8.4 Small branches

Do not overlook small branches which may not have been given a line number. For example, a tank was fitted with a tundish so that it could be dosed with stabilizing chemicals. The effects of adding too much or too little additive (or the wrong additive, or adding it at the wrong time) should obviously be considered during Hazop but might be overlooked if the team studied only lines with line numbers. (On the other hand, they might have picked it up by considering operations taking place inside a vessel, as suggested in Section 2.1 on page 12; another example of the way in which Hazop often gives us a second chance24.)

2.9 The use of quantitative methods during Hazop
The following example shows how a quick calculation can resolve a difference of opinion between the members of a Hazop team. It acts as a link to the next chapter in which numerical methods are considered in more detail.

Figure 2.9 Do we need a second high level trip? (labels on the figure: Power supply; LZ High level trip; LC Level controller)

On a design a compressor suction catchpot was fitted with a level controller and a high level trip to shut down the machine (Figure 2.9). The commissioning manager asked for a second independent trip because failure of the trip could result in damage to the machine which would be expensive to repair. The design engineer, responsible for controlling the cost, was opposed: this, he said, would be gold-plating. A simple calculation (see Section 3.5 on page 105 for an explanation of the terms used) helped to resolve the conflict. The trip will have a fail-danger rate of about once in two years. With monthly testing the fractional dead time will be 0.02. The demand rate results from the failure of the level controller. Experience shows that a typical figure is once every two years or 0.5/year. A hazard will therefore occur once in 100 years or, more precisely, there is a 1 in 100 chance that it will occur in any one year or a 1 in 10 chance that it will occur during the 10-year life of the plant. Everyone agreed that this was too high. They also saw that there was more than one way of reducing the hazard rate. They could improve the control system and reduce the demand rate, or they could improve the trip system and reduce the fractional dead time. It may not be necessary to duplicate all the trip system; it may be sufficient to duplicate the trip initiator.

If the hazard under discussion is a runaway reaction, then quantification is more difficult. A key question to ask, according to Stoessel57, is, 'If cooling is lost, how long do we have before a runaway occurs?' If the time is less than 20 minutes, automatic protection is probably necessary. It may be necessary for a longer timescale if the operator covers many units. Another key question is, 'If a reaction mixture is left standing, and the cooling cannot prevent a runaway, how long do we have before a runaway occurs?' If the time is less than a day an alarm or automatic protection may be necessary.
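The catchpot argument above can be settled with a few lines of arithmetic. The following script is an added example, not code from the book, and it uses the standard low-demand approximations that Section 3.5 explains: a single trip with fail-danger rate f, proof-tested every T years, is dead for a fraction of about fT/2 of the time, and hazards arrive at about D × FDT per year for demand rate D. The 1-out-of-2 figure (fT)²/3 for a duplicated trip initiator, the weekly test interval and the five-fold better control system are assumptions made here to compare the three ways out that the team saw; the book gives only the base case.

```python
"""Hazard-rate arithmetic for the catchpot trip of Section 2.9.

Added example, not from the book. Standard low-demand approximations:
single trip, fail-danger rate f, test interval T:  FDT ~ f*T/2
1-out-of-2 pair of initiators (assumed here):       FDT ~ (f*T)**2/3
hazard rate ~ D * FDT, with D the demand rate (controller failures/year).
The 1-out-of-2 figure ignores common-cause failures, which make real
redundancy gains smaller than this arithmetic suggests.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Trip:
    fail_danger_rate: float      # f: dangerous failures per year
    test_interval_years: float   # T: proof-test interval in years
    duplicated: bool = False     # True for a 1-out-of-2 pair of initiators

    def fractional_dead_time(self) -> float:
        """Fraction of the time the trip is unavailable when a demand arrives."""
        ft = self.fail_danger_rate * self.test_interval_years
        return ft * ft / 3.0 if self.duplicated else ft / 2.0


def hazard_rate(demand_rate: float, trip: Trip) -> float:
    """Hazards per year: demands per year times probability the trip is dead."""
    return demand_rate * trip.fractional_dead_time()


def chance_over_life(rate_per_year: float, years: float) -> float:
    """Probability of at least one hazard over the plant life (Poisson arrivals)."""
    return 1.0 - math.exp(-rate_per_year * years)


def catchpot_study(demand_rate: float = 0.5, fail_danger_rate: float = 0.5,
                   life_years: float = 10.0) -> dict:
    """Reproduce the figures argued over in Section 2.9 and three ways out.

    Book values: trip fails dangerous about once in two years (0.5/year),
    tested monthly; level controller fails about once in two years (0.5/year).
    The three options below are assumptions used to compare the routes.
    """
    monthly = Trip(fail_danger_rate, 1.0 / 12.0)
    base = hazard_rate(demand_rate, monthly)
    options = {
        # improve the control system: demand rate down five-fold (assumed)
        "better control (D = 0.1/yr)": hazard_rate(0.1, monthly),
        # improve the trip system: test weekly instead of monthly (assumed)
        "weekly testing": hazard_rate(demand_rate,
                                      Trip(fail_danger_rate, 1.0 / 52.0)),
        # duplicate only the trip initiator, 1-out-of-2 (assumed)
        "duplicated initiator": hazard_rate(demand_rate,
                                            Trip(fail_danger_rate, 1.0 / 12.0, True)),
    }
    return {
        "fractional_dead_time": monthly.fractional_dead_time(),   # ~0.02
        "hazard_rate_per_year": base,                             # ~1 in 100
        "chance_in_plant_life": chance_over_life(base, life_years),  # ~1 in 10
        "options": options,
    }


if __name__ == "__main__":
    r = catchpot_study()
    print(f"FDT {r['fractional_dead_time']:.3f}, hazards/yr {r['hazard_rate_per_year']:.4f}, "
          f"chance in 10 years {r['chance_in_plant_life']:.2f}")
    for name, hr in r["options"].items():
        print(f"  {name}: {hr:.5f}/yr  (about 1 in {1 / hr:,.0f} years)")
```

The base case comes out at a fractional dead time of 0.021 and a hazard rate of 0.010/year, the figures the team agreed were too high; the options show why duplicating the initiator alone is worth more on paper than duplicating the whole trip would cost, and why the common-cause caveat in the docstring matters before anyone relies on the squared term.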

2.10 The use of Hazop in other industries

Hazop was pioneered in the chemical industry (see Chapter 7) and soon spread to the oil and pharmaceutical58 industries and later to food processing35,59, all basically similar industries. In the food industry the emphasis has been on identifying ways in which contamination could occur rather than other operating and safety problems. This section discusses some other applications. In considering whether or not Hazop could be applied in a new context, remember that Hazop grew out of critical examination (see Sections 2.7 and 7.1, pages 45 and 203) and that the original form of the technique may be more suitable than the modification (Hazop) developed to meet the process industry's needs.

Hazop has been applied to laboratory design10 and to laboratory operations. One study of a new operation disclosed the fact that the chemists intended to convey cylinders of hydrogen cyanide to the top floor in the lift!

Hazop has also been applied to the manufacture of a product using genetically modified organisms (GMOs)28. A modification of Hazop known as GENHAZ has been proposed for identifying ways in which GMOs might affect the environment29. Table 2.8 is an extract from a hypothetical GENHAZ study: the proposed experimental insertion into potatoes of an imaginary gene (TP) that is toxic to a specific caterpillar. The study raises questions for investigation; they cannot be answered on the spot.

2.10.1 Mechanical hazards
Knowlton2 has described the application of Hazop to some mechanical problems. For example, a sterilization autoclave had to be loaded with a stack of trays using a fork-lift truck. Application of the deviation 'more of' disclosed that if the driver moved the load too far forward it could damage the rear wall of the autoclave. Application of the deviation 'as well as' disclosed that if the driver raised the load it could damage an instrument that measured the humidity and perhaps also damage the roof. Similarly, too rapid operation could cause spillage and led the team to ask how spillages would be handled.

2.10.2 Nuclear power
The nuclear power industry was slow to adopt Hazop, preferring instead a technique known as failure mode and effect analysis (FMEA) (see Section 2.11, page 54). In Hazop we start with a deviation and ask how it might occur. For example, 'more of flow' in a pipeline might be caused by the failure of a flow controller. There will probably be other possible causes as well (see Table 2.2, pages 14–15). In FMEA we start with a component and work out the consequences of failure. If we start with the flow controller, one of the consequences of its failure may be too high a flow in a pipeline. There will probably be other consequences as well. In the line diagram sense, the essentials of a nuclear reactor are relatively simple: a hot core heats water. In this sense it is much simpler than the average chemical plant. On the other hand, the nuclear reactor contains far more protective equipment to prevent it getting out of control and to commission emergency cooling systems, and so on. The obvious first approach of the nuclear engineers was therefore to ask, 'What will happen if a component of the protective systems fails?' and then examine each component in turn. However, the cooling systems (normal and stand-by) and service lines on nuclear power stations would benefit from Hazop and this is now recognized.

Table 2.8 An extract from a hypothetical GENHAZ study: the experimental insertion into potatoes of an imaginary gene (TP) which is toxic to a specific caterpillar (Reproduced by permission of the Royal Commission on Environmental Pollution)

Reference: MAKE or SELECT/PRODUCT
Guide word: WHERE ELSE

Deviation: The TP gene might be expressed in another part of the plant besides the leaves.
Consequences: (a) Other regions of the plant, apart from the leaves, might become toxic to non-target organisms. For example:
Roots and tubers: Toxic to humans, soil organisms?
Hairs: Urticaceous if TP is in the plant hairs? Cultivated potatoes are not normally hairy but there is a wild hairy type which is highly pest resistant and is used in breeding.
Pollen: Would pollen containing TP be poisonous to bees or induce an allergic reaction in humans or other animals?
Nectar: Would nectar containing TP produce toxic honey?
(b) TP might concentrate in a tissue other than the leaves.
Causes: The TP gene and promoter might have mutated to be active in another region of the plant.
Actions: For consequences (a) and (b), consider: (i) What might come into contact with, or eat, the different parts of the plant. (ii) The mode of action of TP on both the target and non-target organisms, including humans. (iii) The toxicological information on proteins similar to TP.

Deviation: TP might be present in dead caterpillars.
Consequences: These caterpillars might be toxic to predators or decomposer organisms.
Causes: The caterpillars have ingested the leaves containing TP which is lethally toxic to them.
Actions: Consider this possibility and its implications.

2.10.3 Other activities

McElvey et al have applied Hazop to the use of liquid ammonia as a fertilizer by farmers. Their 95 recommendations were addressed to several different groups — equipment manufacturers, vendors and distributors as well as farmers60. Medical equipment seems an obvious field for the application of Hazop (and other risk management methods) but little has been published. Some work has been done on blood transfusion equipment61. Hazop has been applied to defence systems, including a helicopter fault warning system. Causes, consequences and recommendations are quoted for 25 deviations to 'data flow'62. Tweeddale et al63 have applied a technique similar to Hazop to railways. Government decisions often have unforeseen outcomes, the result of 'narrowness of view, impatience, unreflectiveness and self-delusion', according to one writer64. Could Hazop help? Perhaps, but only if there is a willingness to look more deeply at proposals.

2.11 Other methods of identification
This section discusses possible alternatives to Hazop for identifying hazards, all of which are discussed in Lees. As discussed in Chapter 1, building the plant and waiting to see what happens is no longer acceptable and check-lists cannot spot new hazards.

Failure mode and effect analysis (FMEA) was described in Section 2.10.2 (page 52), which explained why Hazop is more suitable for the process industries. Event tree analysis (ETA) is a variation on FMEA. A weakness of FMEA and ETA is that they cannot detect those incidents which occur when equipment functions as required, but the requirement (that is, the specification) is wrong. Safety and reliability are not the same. To some extent this can also be true of Hazop, as Hazop teams normally assume, when discussing, say, 'more of pressure', that the design pressure is adequate. However, in practice, a team that discovers that 'more of pressure' and 'less of pressure' are both hazardous is bound to ask if the design pressure is adequate. Some teams always question the design pressure, temperature, and so on. And some team leaders use 'Relief' as a backup guide word. In computer-controlled plants specification errors are the major cause of problems, as shown by the example in Section A2.6, page 65. A flowsheet Hazop (Section 2.7, page 41) should discuss alternatives as well as deviations and ask if the design pressure is the optimum one.

'What if' analysis is a sort of simplified FMEA; we ask what would be the result of a limited number of major upsets such as failure of power, cooling water, pumps, and so on. Some 'What if' analyses are more detailed. They ask, for example, for each pipeline, what will be the result of more or less flow, temperature, pressure, and so on. If we also ask, as we obviously should, if these deviations are possible, then we have got a Hazop.

Fault trees (Section 3.5.9, page 113), mainly used as a method of estimating the probability of an event, have sometimes been recommended for identifying hazards. A fault tree is the reverse of an FMEA. In FMEA we start with a component failure and deduce possible results. In a fault tree we start with a 'top event' such as a fire or explosion and work back to find the errors and component failures that could lead to it. Its weakness as a method of identification is that we may not realize that certain top events can occur and therefore not look for the routes to them. Fault trees tell us how top events occur but not what top events can occur.

Audits and inspections are a necessary complement to Hazops because they can tell us whether or not the plant is built, operated and maintained in accordance with the design assumptions. They are particularly necessary during and after construction as the failure of construction teams to follow the design in detail or to follow good engineering practice when details are left to them is a major cause of incidents65. A weakness of many audits is that they check that methods of working are sound and are followed but do not check that all the hazards have been identified. Turney and Roff have described a 'process hazards review' (PHR), a mixture of 'What if' and check-lists, which is designed to overcome this. Many past incidents were studied to identify possible hazards. Unlike many of the techniques described in the literature, over a hundred studies had been carried out by the time their paper was published66. Auditors are not policemen. Their job is to spot the hazards, physical and procedural, that the plant staff have missed through lack of specialized knowledge, shortage of time or overfamiliarity.

STOPHAZ is a group of computer programs designed to bring hazards to the attention of designers at an early stage and thus reduce the number of problems that are not discovered until a Hazop is carried out late in design67. It includes Auto-HAZID, described in Section 2.6, page 37.

Several attempts have been made to compare the effectiveness of various identification techniques. According to Turney and Pitblado, a study of past incidents showed that Hazop could have prevented 29% of the design incidents and 6% of the operational incidents, a higher proportion than any other technique. Reviews of human factors could have prevented 24% of the operational incidents68. Taylor69 has described an experiment in which two designs, one continuous, one batch, were each studied in various ways. Hazop found 80% of the faults on the continuous plant but only 22% of those on the batch plant. However, his batch Hazop did not include consideration of the deviations listed in Section 2.1.1 (page 16) which were considered under 'action error analysis' rather than Hazop. Most of the other faults were detected during commissioning and were not spotted during the Hazop because the team did not have the necessary knowledge. As stated in Section 2.4.4 (page 30), Hazop is no substitute for knowledge and experience and its effectiveness depends on the knowledge and experience of the team. According to Skelton, even inexperienced teams, such as students on a Hazop course, find about 80% of the hazards and those missed are mainly minor72.
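The directional difference that Sections 2.10.2 and 2.11 describe (Hazop and fault trees search backwards from a deviation or top event, FMEA searches forwards from a component failure) can be made concrete on a small causal model. The script below is an added example, not code from the book: the plant fragment is constructed for illustration and loosely follows the kick-back incident of Section 2.8.2, in which the pump burst although nothing failed: the high level trip closed the valve as designed while the kick-back line had been left open. Node names, the edge list and the three search functions are all assumptions made here; every edge is an OR cause, so that AND condition is shown as two separate root causes.

```python
"""Hazop, FMEA and fault-tree searches over one small causal model.

Added example, not from the book. Hazop: deviation -> backwards to causes.
FMEA: component failure -> forwards to consequences. Fault tree: top event
-> backwards to basic events. The model is constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed cause -> effect edges (an OR-graph; not a real plant record).
CAUSAL_EDGES = [
    # component failures: the starting points an FMEA enumerates
    ("pump P-1 stops", "reverse flow through kick-back line"),
    ("non-return valve NRV-1 passes", "reverse flow through kick-back line"),
    ("level controller LC-1 fails", "high level in catchpot"),
    # things that happen as designed or as operated, with no component failing
    ("high level trip closes filling valve", "more of pressure in filling line"),
    ("kick-back line left open", "more of pressure in filling line"),
    # propagation to the events we care about
    ("reverse flow through kick-back line", "pump P-1 overpressured"),
    ("more of pressure in filling line", "pump P-1 overpressured"),
    ("high level in catchpot", "liquid carried into compressor"),
]
COMPONENT_FAILURES = {
    "pump P-1 stops", "non-return valve NRV-1 passes", "level controller LC-1 fails",
}

FORWARD = defaultdict(set)   # cause -> effects
BACKWARD = defaultdict(set)  # effect -> causes
for _cause, _effect in CAUSAL_EDGES:
    FORWARD[_cause].add(_effect)
    BACKWARD[_effect].add(_cause)


def _reachable(start, adjacency):
    """Every node reachable from `start` along `adjacency`, excluding `start`."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def hazop_causes(deviation):
    """Hazop direction: from a deviation back to its root causes (no predecessors)."""
    return {n for n in _reachable(deviation, BACKWARD) if not BACKWARD[n]}


def fmea_consequences(component_failure):
    """FMEA direction: from one component failure forward to its end effects."""
    return {n for n in _reachable(component_failure, FORWARD) if not FORWARD[n]}


def fault_tree_basic_events(top_event):
    """Fault-tree direction: from a top event back to all basic events.
    Same traversal as Hazop, but it presupposes we knew the top event exists."""
    return hazop_causes(top_event)


def fmea_reachable_top_events():
    """Every end effect an FMEA of the listed component failures can reach."""
    return set().union(*(fmea_consequences(c) for c in COMPONENT_FAILURES))


def causes_fmea_cannot_find(top_event):
    """Root causes of `top_event` that are not component failures: the cases
    where equipment works as required but the design or operation is wrong."""
    return fault_tree_basic_events(top_event) - COMPONENT_FAILURES


if __name__ == "__main__":
    print("Hazop, more of pressure in filling line:",
          sorted(hazop_causes("more of pressure in filling line")))
    print("FMEA, pump P-1 stops:", sorted(fmea_consequences("pump P-1 stops")))
    print("Fault tree, pump P-1 overpressured:",
          sorted(fault_tree_basic_events("pump P-1 overpressured")))
    print("Missed by FMEA:", sorted(causes_fmea_cannot_find("pump P-1 overpressured")))
```

Run it and the FMEA still reaches 'pump P-1 overpressured', but only through the pump-stops route; the two root causes of the actual incident never appear in an FMEA because no component fails in them. That is the 'safety and reliability are not the same' point in executable form, and it is also why the fault-tree function is only useful once someone has already named the top event.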

2.12 Auditing Hazop

As the use of any technique becomes more widespread its quality is liable to decrease. There is therefore a need to be able to audit the quality of a Hazop. At a workshop on Hazop held in 1995 the auditing of Hazop was selected as the most pressing current topic70. The best method of auditing is to sit in on a Hazop. If that is not practicable — for example, because the Hazop is complete — Rushton71 has described an audit scheme. The auditor samples the documentation produced by the Hazop and looks for evidence that various modes of operation — such as start-up, shutdown and maintenance — have been considered in addition to normal operation, that the knowledge and experience of the team members were adequate, that the same people attended throughout and did so regularly, that the recommendations made were carried out, and that any late changes in design were studied. If the plant has already been commissioned the auditor should examine the problems that have arisen and see if they could reasonably have been spotted during the Hazop. Altogether there are six pages of suggested questions. The auditor should talk to the team members to gain their impressions and assess their knowledge and experience.

2.13 Conclusion
Carling30 has described the effects of using Hazop in his company. The benefits went far beyond a simple list of recommendations for a safer plant. The interaction between team members brought about a profound change in individual and departmental attitudes. Staff began to seek one another out to discuss possible consequences of proposed changes, problems were discussed more openly, departmental rivalries and barriers receded. The dangers of working in isolation and the consequences of ill-judged and hasty actions became better appreciated. Knowledge, ideas and experience became shared more fully to the benefit of the individual and the company.

Carling's company adopted Hazop after experiencing several serious incidents. Buzzelli writes31, 'For an industry so proud of its technical safety achievement it is humbling to have to admit that most of our significant safety improvements were developed in response to plant accidents'. It does not have to be so. Hazop provides us with a lantern on the bow (Chapter 1), a way of seeing hazards before they wreck our ship.

References in Chapter I. 2.

3. 4.

5. 6. 7.

8. 9.

10. 11. 12. 13. 14. 15. 16. 17. 18. 19.

20. 21.

2

ChemicalIndustriesAssociation,London, 1977,Hazardand OperabilityStudies. Knowlton, R.E.. 1981, An introduction to Hazard And Operability Studies (Chemetics International, Vancouver, Canada). Kletz,T.A.. 1976, Chemical EngineeringProgress, 72 (II): 48. Kletz, T.A., 1988, What Went Wrong? — Case Historiesof Process Plant Disaslers, 2nd edition, Chapter 2 (Gulf Publishing Company,Houston. Texas, USA), and Lees, Chapter21. Lawley,HG.. 1974. Chemical Engineering Progress,70 (4): 45. Rushford, R., 1977, North-East Coastinstitution ofEngineersand Shipbuilders: Transactions. 93: 117. Lawley, H.G., 1976, Hydrocarbon Processing,55 (4): 247. Reprinted in Vervalin, C.H. (Cd), 1981, Fire ProtectionManual For HydrocarbonProcessmg Plants. Volume 2, 94 (Gulf Publishing Company, Houston, Texas, USA). Austin, D.G. and Jeffreys. G.V., 1979. The Manufticture ofMethyl Ethyl Ketone from 2-hutanol, Chapter 12 (Institution ofChemical Engineers, Rugby, UK). Roach, J. and Lees, F.P., 1981. The Chemical Engineer, No. 373: 456. Knowlton, RE. 1976. R & D Management, 7 (1): 1. Elliott, D.M. and Owen,J.M., 1968.The Chemical Engineer, No. 223: CE 377. Binstead, D.S., 16 January 1960, Chemistry and industry, 59. KletL,T.A., 1 April 1985, Chemical Engineering, 92(7): 48. Sinnott, R.K.. 1983, in Coulson,J.M. and Richardson, iF. (eds), Chemical Engineering, Volume 6, Chapter9.5 (Pergamon Press, Oxford, UK). Kletz, T.A., 1998, ProcessPlants —A Handbook ftrInherently SaferDesign.2nd edition (Taylor & Francis, Philadelphia, Pennsylvania, USA). Pearson, L., 1984, The operation of utilitysystems, institution ofChemical Engineer.s Loss' Prevention Subject Group Meeting, September. 18 1985. Chemical 161. H., February Engineering, Ozog, Kletz. T.A., 1994, Learning from Accidents, 2nd edition, Chapter 9 (Butterworth-Heinemann. Oxford,UK). Health and Safety Executive, March 1977, The Explosion at the Dow Chemical iactorv, King'sLynn,27 June 1976 (HMSO, London, UK). Harvey-Jones, J.H.. 
l988, Making itHappen,28 (Collins, London, UK). Johnson. 5.. 1755, A Dictionary ofthe English Language, Introduction.

Ii

57

HAZOP AND HAZAN

22. Pegram, N., 1990, The Chemical Engineer, No. 482: 37. 23. McKelvey, T.C. and Zerafa, M.J., 1990, Vital 1-lazop leadership skills and techniques, American Institute oJ Chemwal EngineersSummer NaiionalMeeting, San Diego, California, 19—22August. 24. Rushton, AG.. 1989. Computerintegrated process engineering, Symposium Series No. /14,27 (Institution ofChemical Engineers, Rugby.UK). 25. Aleksander, 1. and Burnett, P., 1987, Thinking Machines, 107. 196 (Knopf, New York. USA). 26. Ferguson, G. and Andow, P.K.. 1986, Process plant safety and artificial intelligence, World Congress of Chemical Engineering, Tokyo,Paper 14—153. Volume

II, 1092. 27. A 4th century theologian quoted by N. MacGregor, 1991. RoyalSociety ofArts journal, 139 (5415): 191. 28. Gustafson, R.M., Stahr. J.J. and Burke, D.H., 1987, The use of safety and risk assessment procedures in the analysis of biological process systems: a ease study ofthe VeraxSystem 2000, ASME /05th WinterAnnualMeeting, 13—/S December. 29. Royal Commission on Ensironmental Pollution, 1991, Fourteenth Report: GENHAZ A System for the Critical Appraisal of Proposals /0 Release Genetically Moditted Organismsinto the Environment(1-IMSO, London. UK). 30. Carling. N., 1986. Hazop study ofBAPCO'sFCCUconiplex,American Petroleum institute Committee on Satciv and Fire ProjectionSpringMeeting. Denver, Colo-

/

rado, 8—/ April. 31. Buzzelli, D.T., 1990, Plant/OperationsProgress,

9(3): 145.

32. Turney. RD., 1991, The application of Total Quality Management to hazard studies and their recording, SymposiumSerie,sNo. /24, 299 (Institution ofChem-

cal Engineers. Rugby, UK). 33. Anon, 1999, Interactive Training Package No. 034, Hazop and 34. 35. 36. 37. 38. 39. 40. 41. 42.

58

Hazan

and

Multi-stage Hazard Study (Institution ofChemical Engineers, Rugby. UK). Davis, G.E..quotedby Hodgson, M., 1982, The Chemical Engineer, No. 380: 163. van Schothorsi, M. and Jongeneel, 5.. 1994. Food Control, 5 (4): 107. Kletz, TA.. 199l.An Engineer'.s View ofHuman Error. 2nd edition (Institution of Chemical Engineers, Rugby. UK). Goyal. R.K.. 1993, LossPrevention Bulletin. No. 112: 7. Rushton. AG., 1997. private communication. Zeilin. L.. quoted by Pelrowski, H., 1994. Design Paradigms, 3 (Cambridge University Press, New York, USA). Freeman, R.A., L,cc,R. and McNamara, T.P., 1992, Chemical Engineering Progress, 88 (8): 28. Khan Fl. and Ahhasi, S.A., 997, Journal of Lo.s.s Prevention in the Proce,s,s lndu,strit,s, It) (4):249. Jefferson,M., Illidge,iT. and Rushton, AG., 1995. Activities and time usage in hazard and operability studies, The 1995IChemE Research Event. 16 (Institution of Chemical Engineers, Rugby. UK).

HAZARI) ANt) OPERABILITY STUDIES (HAZOP) 43. Sanders, RE., 1999. Chemical Process Safely: Learning,trom Case Histories (Butterworth-Heinemann, Newton, Massachusetts, USA).

44. Anon, 1994,LossPrevention Bulletin, No. 120: 13. 45. West, Hi-I., Mannan, MS., Danna, R. and Stafford, E.M., 1998, Chemical EngineeringProgress,94 (6): 25. 46. Kletz, TA., 1986, Plant/Operations Progress,5 (3): 136. 47. Kletz, TA.. 1991. An Engineer's View ofHuman Error, 2nd edition, Section 3.3 (Institution ofChemical Engineers, Rugby, UK).

48. Kletz, T.A., 1998, What Went Wrong? Case Histories of Process Plant Disasters, 4th edition, Section 17.13 (Gulf Publishing Company, Houston, Texas, USA).
49. Leathley, B. and Nicholls, D., 1998, Loss Prevention Bulletin, No. 139: 8.
50. Pitt, M.J., Flower, J.R. and Ben-Emhmmed, M.K., 1995, Computer simulation in Hazop studies, Symposium Series No. 139, 499 (Institution of Chemical Engineers, Rugby, UK).
51. Venkatasubramanian, V. and Vaidhyanathan, R., 1994, AIChE Journal, 40 (3): 496.
52. Wakeman, S.J. et al, 1997, Computer aided hazard identification: fault propagation and fault-consequence scenario filtering, and Larkin, F.D. et al, Computer aided hazard identification: methodology and system architecture, Symposium Series No. 141, 305 and 337 (Institution of Chemical Engineers, Rugby, UK).
53. Jefferson, M., Chung, P.W.H. and Kletz, T.A., 1997, Learning the lessons from past accidents, Symposium Series No. 141, 217 (Institution of Chemical Engineers, Rugby, UK).
54. Chung, P.W.H. and Jefferson, M., 1998, Computers and Chemical Engineering, 22 (supplement): S729.
55. Chung, P.W.H. and Jefferson, M., 1998, International Journal of Applied Intelligence, 9: 129.
56. Kavianian, H.R., Rao, J.K. and Brown, G.V., 1992, Application of Hazard Evaluation Techniques to the Design of Potentially Hazardous Industrial Chemical Processes (US Department of Health and Human Resources, Cincinnati, Ohio, USA).

57. Stoessel, F., 1993, Chemical Engineering Progress, 89 (10): 68.
58. Gillett, J.E., 1997, Hazard Study and Risk Assessment in the Pharmaceutical Industry (Interpharm Press, Buffalo Grove, Illinois, USA).
59. Mayes, T. and Kilsby, D.C., 1989, Food Quality Pref., 1: 53.
60. McElvey, T. et al, 1992, Journal of Loss Prevention in the Process Industries, 5 (5): 297.
61. Tweeddale, H.M., 1994, Transfusion Science, 15 (1): 5.
62. A Guideline for Hazop Studies on Systems which include a Programmable Electronic System, 1995 (Ministry of Defence, London, UK).
63. Tweeddale, H.M., Cameron, R.F. and Sylvester, S.S., 1992, Journal of Loss Prevention in the Process Industries, 5 (5): 279.
64. Burgess, T., April 1995 (reviewing Failure of British Government: The Politics of the Poll Tax by D. Butler et al, Oxford University Press, 1994), Royal Society of Arts Journal, 66.

65. Kletz, T.A., 1994, Learning from Accidents, 2nd edition, Chapter 16 (Butterworth-Heinemann, Oxford, UK).
66. Turney, R.D. and Roff, M.F., 1995, in Mewis, J.J. et al, Loss Prevention and Safety Promotion in the Process Industries, Proceedings of the 8th International Symposium, 93 (Elsevier, Amsterdam, The Netherlands).
67. Preston, M.L. and Richards, D.C., 1995, STOPHAZ: A tool supporting safer process design, Symposium Series No. 139, 517 (Institution of Chemical Engineers, Rugby, UK).
68. Turney, R. and Pitblado, R., 1996, Risk Assessment in the Process Industries, 14 (Institution of Chemical Engineers, Rugby, UK).
69. Taylor, J.R., 1982, Evaluation of costs, completeness and benefits for risk analysis procedures, International Symposium on Risk and Safety Analysis, Bonn, Germany, 6-8 July.
70. Turner, S., 1996, The Chemical Engineer, No. 606: 13.
71. Rushton, A.G., 1996, Quality Assurance of Hazop, Report No. OTO 96 002 (Health and Safety Executive, Sheffield, UK).
72. Skelton, R.L., 1998, Loss Prevention Bulletin, No. 142: 12.

Two new reports on Hazop were announced while this book was in production:

• The European Process Safety Centre, the Chemical Industries Association and the Institution of Chemical Engineers are jointly revising Reference 1 above, for publication in late 1999.
• The International Electrotechnical Commission has prepared a draft standard (IEC 61882) defining Hazop. It may be issued in final form in 2000 and adopted as a British Standard.


Appendix to Chapter 2 — Some accidents that could have been prevented by Hazops

A2.1 Reverse flow

Many accidents have occurred because process materials flowed in the opposite direction to that expected and the fact that this could occur was not foreseen. For example, ethylene oxide and ammonia were reacted to make ethanolamine. Some ammonia flowed from the reactor, in the wrong direction, along the ethylene oxide transfer line into the ethylene oxide tank, past several non-return valves and a positive pump (non-return valves are not reliable isolations and should never be the only defence against reverse flow). It got past the pump through the relief valve, which discharged into the pump suction line. The ammonia reacted with 30 m3 of ethylene oxide in the tank, which ruptured violently. The released ethylene oxide vapour exploded, causing damage and destruction over a wide area [1]. A hazard and operability study would have disclosed the fact that reverse flow could occur. Reference 7 of Chapter 2 describes in detail a Hazop of a similar installation.

On another occasion some paraffin passed from a reactor up a chlorine transfer line and reacted with liquid chlorine in a catchpot. Bits of the catchpot were found 30 m away [2].

On many occasions process materials have entered service lines, either because the service pressure was lower than usual or the process pressure was higher than usual. The contamination has then spread via the service lines (steam, air, nitrogen, water) to other parts of the plant. On one occasion ethylene entered a steam main through a leaking heat exchanger. Another branch of the steam main supplied a space heater in the basement of the control room and the condensate was discharged to an open drain inside the building. Ethylene accumulated in the basement and was ignited (probably by the electrical equipment, which was not protected), destroying the building. Again, a Hazop would have disclosed the route taken by the ethylene. For other examples of accidents due to reverse flow that could have been prevented by Hazop, see Reference 3.


A2.2 Bhopal

On 3 December 1984 there was a leak of methyl isocyanate from a storage tank in the Union Carbide plant at Bhopal, India, and the vapour spread beyond the plant boundary to a shanty town which had grown up around the plant. Over 2000 people were killed. According to the official company report [4] the material in the tank had become contaminated with water and chloroform, causing a runaway reaction. The precise route of the contamination is not known (it may have been due to sabotage [8]) but a Hazop might have shown up possible ways in which contamination could have occurred and would have drawn attention to the need to keep all supplies of water well away from methyl isocyanate, with which it reacts violently.

However, there was much more wrong at Bhopal than the lack of a Hazop. When the relief valve on the storage tank lifted, the scrubbing system which should have absorbed the vapour, the flare system which should have burned any vapour which got past the scrubbing system, and the refrigeration system which should have kept the tank cool were out of commission or not in full working order. As stated in Chapter 1, Hazop is a waste of time if the assumptions on which it is based (that the plant will be operated in the manner assumed by the designer and in accordance with good practice) are not true.

Equally important, was it really necessary to store so much hazardous material? Methyl isocyanate was an intermediate, not a product or raw material, convenient but not essential to store. A Hazop on the flowsheet, or a similar study at the earlier conceptual stage, as suggested in Section 2.7 (page 41), might have led the design team to question the need for so much intermediate storage: 'What you don't have, can't leak' [5].

A2.3 A fire in a water sump

The sump shown in Figure 2.10 contained water with a layer of light oil on top. Welding had to take place nearby, so the sump was emptied completely with an ejector and filled with clean water to the level of the overflow pipe. When a spark fell into the sump there was an explosion and fire. The U-bend had not been emptied and there was a layer of oil in the bend on top of the water. A Hazop would have disclosed the hazard if the preparation of the equipment for maintenance had been considered. The equipment got little consideration during design as it was not part of the main plant, only a system for collecting a waste water stream (see Section 2.8, page 47).

Figure 2.10 The sump was emptied and filled with clean water but oil was left in the U-bend. (Labels: overflow to drain, 12 inch diameter.)

Figure 2.11 When a runaway reaction occurred, instead of the water entering the reactor, the increased pressure blew out the water. (Labels: vent; water (reactor stopper); remotely operated valve; reactor.)

A2.4 A protective device that did not work

A reactor was fitted with a head tank containing water (Figure 2.11). If the contents of the reactor got too hot and the reaction started to run away, the operator was supposed to open the remotely operated valve so that the water would flow by gravity into the reactor and cool the contents. Unfortunately the designers overlooked the fact that when the reaction started to run away the pressure in the reactor would rise. Gravity flow needs the static head of water in the tank to exceed the pressure in the reactor, and the runaway took the reactor pressure above that head. When the valve was opened the water was blown out of the vent! The reactor exploded and the subsequent fire destroyed the unit [9].

A2.5 Services and modifications — two neglected areas

A blown fuse de-energized part of an instrument panel and the trip system shut the plant down safely: a turbine and pumps stopped, flows stopped and the furnace tripped. The condensate pumps continued to run, as planned, so that the steam drum which fed the waste heat boilers did not get empty. In fact it filled up completely in two minutes and the condensate overflowed into the steam main (Figure 2.12). The turbine was driven by hot gases from the furnace but could be started with steam. The operators decided to turn the turbine slowly (to prevent damage to the shaft). As no furnace gas was available they cracked open the steam valve. Condensate came into contact with the hot line from the furnace and the line ruptured. Three men were sprayed with steam and hot condensate and two of them were killed. Hazops should consider the results of power and other service failures (see Section 2.8, page 47) and the action to be taken should be covered in plant training and instructions.

Figure 2.12 When the steam valve was opened, condensate entered the hot line from the furnace. (Labels: rupture; hot furnace; steam (start-up power supply); to other steam users; to waste heat boilers; condensate make-up.)

The plant instrumentation had originally been very well organized but, as instruments were removed and others added, it became difficult to tell which instruments were connected to which power supply. All modifications, including modifications to instrument and electrical systems, should be reviewed by Hazop or, if they are minor, by a similar technique (see Section 2.4.3, page 28). After the incident the steam drum was made larger so that it contained enough condensate to remove residual heat from the process without make-up, an inherently safer design [10].

A2.6 A computer-controlled batch reaction (Figure 2.13)

The computer was programmed so that, if a fault occurred in the plant, all controlled variables would be left as they were and an alarm sounded. The computer received a signal telling it that there was a low oil level in a gearbox. The computer did as it had been told: sounded an alarm and left the controls as they were. By coincidence, a catalyst had just been added to the reactor and the computer had just started to increase the cooling water flow to the reflux condenser. The computer kept the flow at a low value. The reactor overheated, the relief valve lifted, and the contents of the reactor were discharged to atmosphere. The operators responded to the alarm by looking for the cause of the low oil level. They established that the level was normal and that the low-level signal was false, but by this time the reactor had overheated.

Figure 2.13 Computer-controlled batch reactor. (Labels: vent; vapour; cooling water; computer.)

A Hazop had been done on the plant but those concerned did not understand what went on inside the computer and treated it as a 'black box', something that will do what we want it to do without the need to understand what goes on inside it. They did not Hazop the instructions to the computer. What they should have done is:

(1) Ask precisely what action the computer will take for all possible deviations (reverse flow, more flow, loss of power, loss of input or output signal, and so on).
(2) Ask what the consequences will be.
(3) If the consequences are hazardous or prevent efficient operation, consider what alternative instructions might be given to the computer or what independent backup system might be required.

The incident provides a good example of the results of blanket instructions (to computers or people) such as, 'When a fault develops, do this'. All faults should be considered separately during a Hazop, for all operating modes. The action to be taken during start-up may be different from that to be taken during normal running or later in a batch. This is a lot of work, but is unavoidable if accidents are to be prevented.

As technologists we like to know how machines work and like to take them to bits. We should extend this curiosity to computer programs and not treat them as 'black boxes'. It is not necessary to understand all the details of the electronics, but it is necessary to understand the details of the logic, to know precisely what instructions have been given to the computer.

There may have been a misunderstanding between the operating manager and the software engineer. When the manager asked for all controlled variables to be left as they are when an alarm sounds, did he mean that the cooling water flow should remain steady or that the temperature should remain steady? As stated in Section 2.2 (page 21), when a computer-controlled plant is 'Hazoped' the software engineer should be a member of the team.

An amusing example of a failure to consider all eventualities occurred during the night when summer time ended. An operator put the clock on a computer back one hour. The computer then shut the plant down for an hour until the clock caught up with the program [17].

Reference 12 gives other examples of incidents on computer-controlled plants that could have been prevented by Hazops. It also reviews modifications of Hazop, known as Chazop, that are suitable for studying the specifications of computer-controlled systems.
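The three questions of Section A2.6 can be put to a controller's fault-handling rule before the rule is allowed to run a plant. The following Python model is an added example, not code from this book or from the plant described above. It simulates a constructed batch reactor whose controller obeys the blanket instruction 'when a fault develops, sound an alarm and leave all controlled variables as they are', read in the two ways the operating manager and the software engineer might have meant it (hold the cooling water flow, or hold the temperature setpoint), and runs two constructed deviations through each reading: a spurious low oil level alarm just after catalyst addition, and a temperature transmitter that stops updating. The plant model, every number and every signal name are assumptions made for illustration.

```python
"""Added example, not from the book: a constructed batch-reactor model used to
ask the three questions of Section A2.6 about a controller's blanket fault
rule. Plant model, numbers and signal names are assumptions for illustration."""

RELIEF_TEMP = 120.0         # assumed: relief valve lifts at this temperature (deg C)
COOLING_GAIN = 10.0         # assumed: deg C per step removed at full cooling flow
HEAT_AFTER_CATALYST = 6.0   # assumed: deg C per step released once the catalyst is in
RAMP = 0.1                  # assumed: largest change in cooling flow per step


class Reactor:
    """Constructed first-order model: temperature rises with reaction heat and
    falls in proportion to the cooling water flow (0..1 of full flow)."""

    def __init__(self):
        self.temp = 85.0
        self.heat_release = 0.0
        self.cooling_flow = 0.0

    def step(self):
        self.temp += self.heat_release - COOLING_GAIN * self.cooling_flow


class Controller:
    """Proportional control of cooling flow to hold the reactor temperature.

    on_fault() implements the blanket instruction 'when a fault develops, sound
    an alarm and leave all controlled variables as they are'. The instruction is
    ambiguous, so `policy` selects a reading:
      freeze_outputs  hold the manipulated variable (the cooling flow), as at A2.6
      hold_setpoint   hold the controlled variable, i.e. keep controlling temperature
    """

    def __init__(self, policy, setpoint=85.0, gain=0.1):
        self.policy = policy
        self.setpoint = setpoint
        self.gain = gain
        self.alarm = False

    def on_fault(self, signal):
        self.alarm = True  # the alarm sounds under either reading

    def act(self, reactor, measured_temp):
        if self.alarm and self.policy == "freeze_outputs":
            return  # leave the cooling flow exactly where it is
        target = min(1.0, max(0.0, self.gain * (measured_temp - self.setpoint)))
        delta = max(-RAMP, min(RAMP, target - reactor.cooling_flow))
        reactor.cooling_flow += delta


DEVIATIONS = ("spurious low oil level alarm", "temperature signal frozen")


def run(policy, deviation, steps=30):
    """Questions 1 and 2 of A2.6 for one deviation: what does the computer do,
    and what happens? Returns (peak temperature, step at which relief lifted or None)."""
    reactor, ctl = Reactor(), Controller(policy)
    stale_temp = None
    peak, relief_step = reactor.temp, None
    for t in range(steps):
        if t == 4 and deviation == "temperature signal frozen":
            stale_temp = reactor.temp  # transmitter stops updating; no alarm is raised
        if t == 5:
            reactor.heat_release = HEAT_AFTER_CATALYST  # catalyst has just been added
        if t == 6 and deviation == "spurious low oil level alarm":
            ctl.on_fault("gearbox oil level low")  # false signal, as in A2.6
        measured = reactor.temp if stale_temp is None else stale_temp
        ctl.act(reactor, measured)
        reactor.step()
        peak = max(peak, reactor.temp)
        if relief_step is None and reactor.temp >= RELIEF_TEMP:
            relief_step = t
    return peak, relief_step


def hazop_table():
    """Every deviation under every reading of the rule, as a Hazop would require."""
    return {(policy, dev): run(policy, dev)
            for policy in ("freeze_outputs", "hold_setpoint")
            for dev in DEVIATIONS}


if __name__ == "__main__":
    for (policy, dev), (peak, relief) in hazop_table().items():
        outcome = f"relief lifts at step {relief}" if relief is not None else "contained"
        print(f"{policy:15s} {dev:30s} peak {peak:6.1f} C  {outcome}")
```

Running the model prints one row per reading of the rule and per deviation. With the cooling flow frozen, the spurious alarm ends with the relief valve lifting, exactly the sequence at A2.6; with the setpoint held instead, the controller keeps raising the flow and the temperature is contained. The frozen transmitter raises no alarm at all and overheats the reactor under either reading, which is the answer to question (3): the blanket rule needs an independent check on the input signal, or a separate backup, not merely a different wording.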

A2.7 Abbeystead — an explosion in a water pumping station

At Abbeystead, water was pumped from one river to another through a tunnel. In an incident in May 1984, when pumping stopped some water was allowed to drain out of the tunnel, leaving a void. Methane from the rocks below accumulated in the void and, when pumping was restarted, was pushed through vent valves into a pumphouse, where it exploded, killing 16 people, most of them local residents who were visiting the plant. If anyone had realized that methane might be present, the explosion could have been prevented by keeping the tunnel full of water or by discharging the vent valves into the open air. In addition, smoking, the probable cause of ignition, could have been prohibited (though we should not rely on this alone). None of these things was done because no-one realized that methane might be present. Published papers contain references to the presence of dissolved methane in water supplies but these references were not known to the water supply engineers. The knowledge was in the wrong place.

Could a Hazop have prevented the accident? Only if one of the team knew or suspected that methane might be present. He need not have known the details so long as he could recall the fact from the depths of his memory. As mentioned in Section 2.2 (page 23), good Hazop team members are people who have accumulated, by experience and reading, a mental ragbag of bits and pieces of knowledge that may come in useful one day. A Hazop provides opportunities for the recall of long-forgotten bits of knowledge that might otherwise never pass through the conscious mind again.

A2.8 The Sellafield leak

A cause célèbre in 1983 was a leak of radioactive material into the sea from the British Nuclear Fuels Limited (BNFL) plant at Sellafield, Cumbria. It was the subject of two official reports [6, 7] which agreed that the discharge was due to human error, though it is not entirely clear whether the error was due to lack of communication between shifts, poor training or wrong judgement. Both official reports failed to point out that the leak was the result of a simple design error that would have been detected by a Hazop, if one had been carried out.

Figure 2.14 Simplified line diagram of the waste disposal system at Sellafield. (Labels: from plant; 50 mm (2 inch) return line to plant; 250 mm (10 inch) line to sea.)

As a result of the human error some material which was not suitable for discharge to sea was moved to the sea tanks (see Figure 2.14). This should not have mattered, as BNFL thought it had a 'second chance' design: the ability to pump material back from the sea tanks to the plant. Unfortunately the return route used part of the discharge line to sea. The return line was 2 inches in diameter, the sea line was 10 inches in diameter. The return flow was limited by the 2 inch line, so in the 10 inch section the linear velocity was about 25 times lower (the ratio of the cross-sectional areas), too low to keep solids in suspension. Solids therefore settled out in the section of the sea line where the linear flow rate was low and were later washed out to sea. The design looks as if it might have been the result of a modification. Whether it was or not, it is the sort of design error that would be picked up by a Hazop.

At a meeting where I suggested this someone doubted it, so I asked three experienced Hazop team leaders if they agreed. All three said that a competent team should pick up the design error but they suggested different ways in which this would be done. I describe them here to demonstrate that a point missed while considering one deviation can often be picked up under another. (There is some redundancy in Hazop.)

Team leader 1

'I feel sure that the cause described would have been identified by a Hazop with a competent team. This is because, when studying the recycle mode of operation for reprocessing of off-spec waste product, the team's attention would be focused on the very important matter of achieving complete transfer of the material, including the contents of the common section of line, back to the plant. If the off-spec waste product happened to be a solution, questions would be asked on, for example, the effectiveness of water displacement by flushing back to the plant. If the off-spec waste product happened to be a solid/liquid mixture (as for the case in point), questions would similarly be asked on the effectiveness of water flushing of the 10 inch line, bearing in mind the restriction to flow via the 2 inch downstream system, and also possible changes in elevation. In the latter case, the team would also be particularly concerned with how to wash the off-spec solid out of the sea tank. For such a hazardous system, attention would, in fact, be focused throughout on how best to get all the solid safely back to the plant for reprocessing.

'The final outcome of a Hazop on this system would probably be to opt for an entirely independent return line from the sea tanks to the plant, thereby not only avoiding the common line section, but also reducing the chance of inadvertent discharge of off-spec waste to sea via passing or wrongly opened valves.'

Team leader 2

'One can never be absolutely certain that all possible situations are considered during a Hazop, but I feel reasonably certain that this operability problem would have been discussed in some detail (providing the technique was applied by experienced people) under one or more of the following headings:

(a) NO FLOW: One reason for 'No flow' in the 2 inch line could be wrong routing, for example all the off-spec material entering the sea due to leaking valves, incorrect valve operation, etc. How would we know that we were putting off-spec material into the sea?

(b) LESS FLOW: Again, leaking valves would allow off-spec material into the sea, and a reduced flow to the plant, etc. Also, possible restriction or blockage due to settlement of solids would certainly be discussed.

(c) MORE FLOW: The team would have checked design flow rates and commented on the different velocities in the 10 inch and 2 inch line sections and possible consequences.

(d) COMPOSITION CHANGE/CONTAMINATION: The team would have questioned methods of analysis, where samples were taken, and how we ensured that the contents of both the sea tank and the 10 inch line section were suitable to dump into the sea. Indeed, when the 10 inch route to the sea was studied the problem of contamination would again be discussed.

(e) SAFETY: Environmental considerations would have again made the team ask how we would know that the material being dumped was safe, and what were the consequences of dumping unsafe material?'

Team leader 3

'I believe that the line of questioning would be as follows:

(a) NO FLOW: Misrouting — opening of the 10 inch sea line in error when material should be returned to the plant for reprocessing; this would raise further points of sampling, valve locations and the need for interlocks.

(b) REVERSE FLOW: Direct connection between plant and sea via the common manifold — what prevents backflow and how reliable is the system?

(c) LESS FLOW: Contamination — implications of incomplete purging of the system between batch discharges. How will the operators know that the sea tank and discharge line have been emptied and purged following a discharge? What are the consequences of contamination due to accumulation of material in dead spaces in the common discharge system? A team with knowledge of slurry-handling plants would be aware of the problems of deposition resulting from reduced flow velocities. For example, it is common practice to provide recirculating ring mains on centrifuge feed systems to avoid deposition and blockage.

(d) MORE TEMPERATURE: Again, a team with knowledge of slurry handling would raise comments on solubility effects.

(e) PART OF: The team would ask how the operator would know that the end point had been established.'

I raised these questions myself. With an experienced team more points would be raised.

Settling of a solid when the linear flow rate is reduced is a well-known hazard. When the River Irwell was diverted into the Manchester Ship Canal, George E. Davis, one of the founders of chemical engineering, forecast that the canal and the lower reaches of the river would form a large settling tank and organic material would putrefy. In the summer after the canal opened the smell was so bad that passenger boat traffic was abandoned [13].

Figure 2.15 Water entered the feed vessel through leaking valves. (Labels: from reactor and centrifuge; circulation line; valves closed but leaking; distillation feed vessel; to distillation column.)

A2.9 Formation of separate layers

Reaction product was stored in a feed vessel until it could be batch distilled. Water used for washing out some equipment passed through two closed but leaking valves into the feed vessel. Some water was always present and was removed early in the distillation, when the temperature was low. On this occasion so much water was present that, unknown to the operators, it formed a separate, upper layer in the feed vessel (Figure 2.15). The lower layer was pumped into the distillation column first and the water in it removed. The temperature in the column then rose. When the upper layer was pumped into the column an unexpected (and previously unknown) reaction occurred between water and a solvent. The product of this reaction was recycled to the reactor with the recovered solvent, where it caused a runaway reaction and an explosion. The chemistry involved is described in References 14 and 15. This incident shows that Hazop teams should pay particular attention to the following points:

• What will be the consequence of adding water (or adding more water if it is normally present)? This question should always be asked because unwanted water can so easily turn up as the result of corrosion, leaking valves, failure to disconnect a hose or accumulation in a dead-end, or because it has been left behind after a wash-out.
• Can the presence of water (or anything else) cause formation of a separate layer and, if so, what will be the consequence?
• For any deviation, look for consequences in other parts of the plant and at later times, not just for local and immediate ones (see Section 2.5(1), page 35).

Unexpected formation of a separate layer was the cause of one of the few serious criticality incidents that have occurred on nuclear processing plants. In 1958, at Los Alamos, USA, the liquid in four tanks had to be washed with solvent to recover some plutonium. Each tank should have been treated separately but instead their contents were combined in a single tank, together with plutonium residues that had accumulated in the tanks over a period of seven years. The acid present in one of the streams caused an emulsion to break and the plutonium concentrated in the upper layer. This layer was too thin to be critical but when the stirrer was started up the layer became thicker near the axis of the stirrer and criticality occurred. One man was killed. Afterwards unnecessary transfer lines were blocked to reduce opportunities for incorrect movements. A review of criticality incidents shows that many could have been prevented by Hazop, as they were due to reliance on valves which leaked, excessive complication, unforeseen flows through temporary lines, inadvertent siphoning and entrainment.

A2.10 The need for different sorts of knowledge

This section shows how hazards have been or could be missed because the team did not include people with the right sort of knowledge.

A2.10.1 The need for practical knowledge

Figure 2.16 shows a floating roof tank located in a bund. The tank contains oil. Rainwater can be drained from the roof into the bund and from there into the main drainage system. Suppose a Hazop team is considering whether any substance 'other than' water can get into the main drainage system. For this to occur there would have to be a hole in the hose, and both valves would have to be left open. An inexperienced team might decide that a triple coincidence is so improbable that there is no need to consider it further. However, someone with knowledge of the practicalities of plant operation would realize that during prolonged rain the operators may leave both drain valves open, whatever the instructions say, to avoid frequent visits to the tank. Any hole in the hose will then contaminate the main drainage system with oil [18].

Figure 2.16 Should we assume that the hose might leak and the two valves might be left open all at the same time? (Labels: to waterway; valve.) (Reprinted by permission of Hydrocarbon Processing, April 1992, copyright 1992 by Gulf Publishing Co., all rights reserved.)

Accidents are sometimes said to be due to an unlikely coincidence that could not have been foreseen, but they are usually not true coincidences. As in this case, two (or more) of the failures are latent or ongoing faults that exist for significant periods of time, so the probability of the 'coincidence' is really the probability of the one remaining failure. When a third failure occurs, an incident is inevitable.

A2.10.2 The need for specialized knowledge

A vessel contained liquid sulphur (melting point 120°C). A Hazop was carried out on the flowsheet; the team considered 'more of pressure' and decided that the precautions taken to prevent choking of the vent, which included a lute, were adequate. At a later Hazop of the line diagram, when considering 'more of temperature', someone pointed out that the viscosity of sulphur rises sharply above about 200°C. This temperature could not be reached in normal operation but could be reached if the vessel was exposed to fire. The sulphur in the lute could then become so viscous that it would prevent relief of the vessel. The relief system had to be redesigned [19].

A solvent tank was vented through a seal pot. An electric heater was added later. The reason is not stated in the report, but was presumably to prevent freezing in cold weather. The modification was Hazoped but all the members of the team were chemical engineers; no electrical engineer or representative of the supplier was present. None of the chemical engineers realized that the temperature of the heater could rise above the auto-ignition temperature of the solvent if the liquid level in the seal pot was lost [20].

A2.10.3 The need for local knowledge

During the Hazop of a batch process the team asked what might be added to the reactor 'other than' the materials that should be present. The word they actually used was 'contamination'. Someone pointed out that organic acids could cause a runaway. Further discussion revealed the fact that organic acids were used in another process and were stored in the same warehouse and in the same colour and type of drum as one of the reactants [21].

A2.10.4 The need for knowledge of other people's activities

A plant was fitted with blowdown valves which were operated by high-pressure gas. On a cold day, a leak on the plant caught fire. The operators isolated the feed and tried to blow off the pressure in the plant. The blowdown valves failed to open as there was some water in the impulse lines and it had frozen. As a result the fire continued for longer and caused more damage than it would otherwise have done. How the water got into the impulse lines was at first a mystery. At a Hazop two years earlier, when the plant was modified, the team were asked if water could get into the impulse lines and they said 'No'. Occasionally the valves had to be operated during a shutdown, when no high-pressure gas was available. The maintenance team members were asked to operate the valves but not told how to do so. They used water and a hydraulic pump. None of the Hazop team members, who included the operators' shop steward, knew that the valves had been operated in this way. Hazops are only as good as the knowledge and experience of the people present. If they do not know what goes on, the Hazop cannot bring out the hazards.

A2.10.5 The need for knowledge of what happens beyond the edge of the drawing

The output of one plant is often the raw material of another. A change in quality or reliability, of little or no importance to the supplier, may affect the consumer. Here are three examples:

• Some users of nitrogen require traces of oxygen. An increase in the purity of the supply can upset their process.
• The source of a high pressure drop in a hydrogenation reactor was, after much lost production, traced to a change in the plant that supplied the hydrogen. Charcoal was used to remove traces of oil. A slightly finer grade was supplied and charged. Some of it passed through its support, travelled along the pipe to the hydrogenation reactor and choked the distribution holes in its catalyst retaining plate [22].

• Designers in many countries take the high reliability of public electricity supplies for granted. They then do the same when designing a plant for a country where the supply is unreliable.

A2.11 An incident from another industry

The Therac-25, a development of earlier machines, produces electron beams for irradiating cancer patients. They can be irradiated directly or with X-rays generated by the electron beam hitting a target. Much higher energy beams are used to produce X-rays than for direct irradiation. As the result of a software error a number of patients were directly irradiated with high energy beams. A systematic hazard identification procedure would have shown that absence of the target was potentially dangerous and that it should be physically impossible to operate in high energy mode unless the target was in place. The fatal error was relying on software interlocks [23, 24].

Acknowledgements

Thanks are due to Messrs H.G. Lawley, F.R. Mitchell and R. Parvin for assistance with Section A2.8. Sections A2.3-5 are reprinted from Journal of Loss Prevention in the Process Industries, 4, Trevor Kletz, Incidents that could have been prevented by HAZOP, 128-129, Copyright 1991, with permission from Elsevier Science.

References in Appendix to Chapter 2

1. Troyan, J.E. and Le Vine, L.Y., 1968, Loss Prevention, 2: 125.
2. Oliveria, D.B., 1973, Hydrocarbon Processing, 52 (3): 112.
3. Kletz, T.A., 1998, What Went Wrong? Case Histories of Chemical Plant Disasters, 4th edition, Chapter 18 (Gulf Publishing Company, Houston, Texas, USA).
4. Union Carbide Corporation, Danbury, Connecticut, USA, March 1985, Bhopal Methyl Isocyanate Incident Investigation Team Report.
5. Kletz, T.A., 1998, Process Plants: A Handbook for Inherently Safer Design (Taylor & Francis, Philadelphia, Pennsylvania, USA).
6. Health and Safety Executive, 1984, The Contamination of the Beach Incident at BNFL Sellafield (HMSO, London, UK).
7. Radiochemical Inspectorate, 1984, An Incident Leading to Contamination of the Beaches Near to the BNFL Windscale and Calder Works (Department of the Environment, London, UK).
8. Kalelkar, A.S., 1988, Investigations of large magnitude incidents: Bhopal as a case study, Symposium Series No. 110, 553 (Institution of Chemical Engineers, Rugby, UK).
9. Hill, R., 1988, Journal of Loss Prevention in the Process Industries, 1 (1): 25.
10. Gibson, T.O., 1989, Plant/Operations Progress, 8 (4): 209.
11. Health and Safety Executive, 1985, The Abbeystead Explosion (HMSO, London, UK).
12. Kletz, T.A., Chung, P.W.H., Broomfield, E. and Shen-Orr, C., 1995, Computer Control and Human Error (Institution of Chemical Engineers, Rugby, UK).
13. Stainthorp, F., 1990, The Chemical Engineer, No. 480: 16.
14. Mooney, D.G., 1991, An overview of the Shell fluoroaromatics plant explosion, Symposium Series No. 124, 381 (Institution of Chemical Engineers, Rugby, UK).
15. Kletz, T.A., 1991, Loss Prevention Bulletin, No. 100: 21.
16. Stratton, W.R., 1989, A Review of Criticality Accidents, Report No. DOE/NCT-04 (US Dept of Energy).
17. Wray, A.M., 8 September 1988, New Scientist.
18. Jones, D.W., 1992, Hydrocarbon Processing, 71 (4): 77.
19. Kolodji, B.P., 1992, Hazard resolutions in sulfur plants from design through start-up, AIChE Summer National Meeting, Paper 70d.
20. Vaughan, N., 1998, IChemE Safety and Loss Prevention Subject Group Newsletter, No. 9: 3.
21. Collins, R.L., 1995, Chemical Engineering Progress, 91 (4): 48.
22. Kletz, T.A., 1998, What Went Wrong? Case Histories of Process Plant Disasters, 4th edition, Section 2.6(a) (Gulf Publishing Company, Houston, Texas, USA).
23. Leveson, N.G., 1995, Safeware: System Safety and Computers, Appendix A (Addison-Wesley).
24. Peterson, I., 1996, Fatal Defect, Chapter 2 (Random House, New York, USA).

Hazard analysis (Hazan)

'When you can measure what you are speaking about and express it in numbers, you know something about it.' Lord Kelvin

'The swift do not win the race, nor the strong the battle; bread does not belong to the wise, nor wealth to the shrewd, nor success to the skilful; for time and chance govern all.' Ecclesiastes, 9: 11

3.1 Objective

The objective of this chapter is to help readers manage probabilistic events or, more precisely, to apply quantitative methods to safety problems. You cannot, however, expect a brief guide like this to make you fully competent. You should discuss your first attempts with an experienced analyst. Hazard analysis is not an esoteric technique that can be practised only by those who have served an apprenticeship in the art. It can be practised by any competent technologist provided he discusses his first attempts with someone more experienced (see Section 4.10, page 165).

Assessing a hazard, by Hazan or any other technique, should be our second choice. Whenever we can we should avoid the hazard by changing the design [27] (see Section 2.7, page 41). Many books and courses on Hazan fail to make this clear. They seem to assume that the hazard is unavoidable and therefore we should estimate the probability that it will occur and its consequences and make them as low as is required by our criteria (or, to use the legal phrase, as low as reasonably practicable; see Section 3.3, page 81). They rarely point out that it is often possible to avoid a hazard. Of course, we cannot always do so; it is often impossible or too expensive, but we can do so more often than most people believe.


3.2 Why do we want to apply numerical methods to safety problems?

The horizontal axis of Figure 3.1 shows expenditure on safety over and above that necessary for a workable plant, and the vertical axis shows the money we get back in return. In the left-hand area safety is good business: by spending money on safety, apart from preventing injuries, our plants blow up or burn down less often and we make more profit. In the next area safety is poor business: we get some money back for our safety expenditure but not as much as we would get by investing our money in other ways. If we go on spending money on safety we move into the third area where safety is bad business but good humanity: money is spent so that people do not get hurt and we do not expect to get any material profit back in return. Finally we move into the fourth area where we are spending so much on safety that we go out of business. Our products become so expensive that no-one will buy them; our company is bankrupt and we are out of a job. The public are deprived of the benefits they could get from our products.

We have to decide where to draw the line between the last two areas. Usually this is a qualitative judgement but it is often possible to make it quantitative. The methods for doing so are called, in this book, hazard analysis or Hazan. Other names are risk analysis, quantitative risk assessment (QRA) and probabilistic risk assessment (PRA) (see Section 1.2, page 5).

[Figure 3.1 The effects of increasing expenditure on safety. Horizontal axis: money spent on safety; vertical axis: the money we get back in return, as described in the text. Figure not reproduced.]


I use the term hazard analysis rather than risk analysis as risk analysis has been used to describe methods of estimating commercial risks (see References 1 and 2) and hazard analysis because, as we shall see, an essential step is breaking down the events leading to the hazard into their constituent steps.

While Hazop is a technique that can, and I think should, be applied to every new design and major modification, Hazan is, as stated in Section 1.1 (page 1), a selective technique. It is neither necessary nor possible to quantify every hazard on every plant. Unfortunately the apparent precision of Hazan appeals to the legislative mind and in some countries the authorities have suggested that every hazard should be quantified. Hazan is not, of course, a technique for showing that expenditure on additional safety measures is necessary. Often it shows that the hazard is small and that further expenditure is unnecessary.

Hazan does more than tell us the size of a risk. Especially when fault trees (Section 3.5.9, page 113) are used, it shows how the hazard arises, which contributing factors are the most important and which are the most effective ways of reducing the risk. Most of all, it helps us to allocate our resources in the most effective way. If we deal with each problem as it arises, the end result may be the opposite of that intended. This is common in politics [28] and can also occur in engineering. It can result in massive expenditure on preventing a repetition of the last accident while greater risks, which have not so far caused injury, are unrecognized and ignored.

When hazard analysis was first used in the chemical industry, in the late 1960s and early 1970s, it was applied mainly to well-defined (though often complex) problems, such as those involving instrumented protective systems, for which good reliability data were available (for examples see Section 3.8, page 133). ('Good' means that the data did not vary greatly between different plants or industries or conditions of use.) Later, hazard analysis was extended to much more ill-defined problems involving many sequential steps: for example, how often will a piece of equipment leak, how big will the leak be, how far will it spread, how often will it ignite, what overpressure will be developed if it does and what injuries and damage will be caused by the explosion or heat radiation? Confidence in the accuracy was obviously lower but comparative values were better than absolute ones. Most of the controversy that has been attached to hazard analysis (see Section 5.3, page 181) applies to these studies. Those described in Section 3.8 (page 133) are typical of the various types of study carried out today.


3.3 The stages of Hazan

Every Hazan, however simple, consists of three steps:

(i) Estimating how often the incident will occur.

(ii) Estimating the consequences to:
• employees;
• the public and the environment;
• plant and profits.

In both (i) and (ii), whenever possible, estimates should be based on past experience. However, sometimes there is no past experience, either because the design is new or the incident has never happened, and in these cases we have to use synthetic methods. By combining the probability of an incident and the size of the consequences we are able to compare infrequent but serious incidents with more frequent but less serious incidents (but see Section 3.4.3, page 90).

(iii) Comparing the results of (i) and (ii) with a target or criterion in order to decide whether or not action to reduce the probability of occurrence or minimize the consequences is desirable, or whether the hazard can be ignored, at least for the time being.

The methods used in step (i) are probabilistic. We estimate how often, on average, the incident will occur but not when it will occur. The methods used in step (ii) are partly probabilistic, partly deterministic. For example, if there is a leak of flammable gas, we can only estimate the probability that it will ignite. If it does we can estimate the heat radiation and the way in which it will attenuate with distance (deterministic). If a person is exposed to the radiation, we can estimate the probability that death or certain degrees of injury will occur. At high levels deaths are certain and the estimate is deterministic. High levels of radioactivity cause burns (deterministic). At low levels the probability of disease, not the seriousness of the disease, increases with the dose.

My elder granddaughter, when not quite three years old, was seen to be picking up crumbs from the floor and eating them. Her parents said, 'Don't do that: it will make you poorly'. With commendable logic, she said, 'I'm not poorly'. Her parents had not explained to her the difference between a probabilistic and a deterministic result or, more simply, the difference between 'sometimes' and 'always'. (They had also not explained that results can be immediate or delayed: see Sections 1.2 and 5.2.6, pages 5 and 176.)

In the following pages we first discuss step (iii), then step (i). Discussion of step (ii) is not attempted. The methods used differ for each type of hazard (fires, explosions and releases of toxic gas) and the number of calculation methods available is enormous; for example, over a hundred methods for


calculating gas dispersion have been published [49]. Refer to specialist textbooks or to Lees. Pitblado and Turney have provided a good summary of the methods [54]. Some of the pitfalls in consequence calculations are discussed in Chapters 4 and 5 of this book; they can affect the accuracy of the overall calculation.

Computer programs are available for carrying out these consequence analyses and in the more sophisticated programs the results are combined with estimates of probability and risk contours are drawn. For an example, see Reference 25. When using these models it is important to understand the methods they use and their limitations. If this is not done they may be used outside their range of application (see Section 3.5.4, page 108). The biggest uncertainty in step (ii) is determining the size of the leak. Gas dispersion or explosion overpressure calculations are often carried out with great accuracy although the amount of material leaking out can only be guessed. Withers is one of the few authors who has provided estimates of the probability of leaks of various magnitude [29].

Many writers are reluctant to discuss step (iii), but it is little use knowing that a plant will blow up once in 1000 years with a 50% chance that someone will be killed, unless we can use this information to help us decide whether we should reduce the probability (or protect people from the consequences) or whether the risk is so small, compared with all the other risks around us, that we should ignore it and devote our attention to bigger risks. For this reason step (iii), setting a target or criterion, is discussed (in Section 3.4, page 90) before step (i), estimating how often an incident will occur (Section 3.5, page 105).

Who should answer the three questions? The first two questions can only be answered by expert knowledge, or by expert judgement if information is lacking. The third question is a matter on which everybody, and especially those exposed to the risk, has a right to comment. The expert has a duty to provide information on comparative risks, in a way that the audience can understand, but has no greater right than anyone else to decide what risks other people should accept. If the public wish to spend money on removing what the expert thinks is a trivial risk, they have a right, in a democracy, to do so. In the end it is the public's money that is spent, not a company's or the government's, as the cost is passed on to them through prices or taxes (see Section 3.4.4, page 93).

In the UK the law has long recognized that we cannot do everything possible to prevent accidents. We are required to do only what is 'reasonably practicable', weighing in the balance the cost of prevention, in money, time and trouble, and comparing it with the size of the risk. If there is a gross disproportion between them, the risk being insignificant in relation to the cost, removal or reduction of the risk is not necessary. To use the legal phrase, it is not as low as reasonably practicable (ALARP) (see Section 3.4, page 86).


Hazan attempts to quantify this phrase and has therefore been accepted fairly readily by the Health and Safety Executive and safety professionals. (ALARP does not mean As Low As Regulations Permit; if it is reasonably practicable to reduce risks further we are expected to do so.) In contrast, in the United States there has been much more pressure to remove every risk and companies have been reluctant to admit that there is a low level of risk that is tolerable or acceptable. However, there are signs of change in both regulatory and case law. The US Office of Nuclear and Facility Safety, part of the Department of the Environment, uses ALARA (As Low As Reasonably Achievable) and a Supreme Court Ruling states [56]:

'If ... the odds are one in a billion that a person will die from cancer by taking a drink of chlorinated water, the risk clearly could not be considered significant. On the other hand, if the odds are one in a thousand that regular inhalation of gasoline vapors that are 2% benzene will be fatal, a reasonable person might well consider the risk significant and take appropriate steps to decrease or eliminate it.'

Note that the Supreme Court make the common error of not stating their units. Are they referring to one drink of chlorinated water and to a lifetime's exposure to 2% benzene in gasoline? Similarly in Germany, according to Brown [57]:

'In German law ... one may not legally pose a risk to the public from one's enterprise. This positively inhibits the development of assessments that recognize risk as an inevitable constituent of life.'

It makes people tread warily, and keeps lawyers rich. The European Community as a whole has not accepted the use of the phrase 'reasonably practicable' but it has accepted a requirement to carry out risk assessments. This should come to much the same, as there would be no point in assessing risk unless the action required depends on the size of the risk. However, while 'reasonably practicable' is backed by case law, there is so far no case law on risk assessment [58].

The concept of ALARA goes back a long way. In the 16th century Rabbi Schlomo Cohen of Greece wrote [59]:

'The damage caused to the townspeople by the vats used by the dyeing industry is extremely great and has to be considered as similar to smoke and bad odours. However, since the textile industry is the main basis for the livelihood of the people of this town, it is incumbent upon the neighbours to suffer the damage. This is an enlargement of the principle that where a person is doing work that is essential to his livelihood and which it is not possible to do elsewhere, the neighbours do not have the right to prevent it.'

In practice, of course, the decision whether or not to reduce a particular hazard will usually be made by the responsible manager, taking into account any generally accepted or company criteria, the views of employees and the public and, of course, the views of the Health and Safety Executive (see Section 3.4, page 85) or other regulatory authority. However, the hazard analyst who calculates the probability and consequences of the hazard should not merely display them to the manager, but should say what he thinks should be done. The manager does not have to accept the analyst's views but the analyst, like all experts, should not merely provide information and display alternatives but should make clear recommendations. Only when he does so can he expect a salary comparable with that of the manager he advises.

In brief, the stages in hazard analysis are:
(i) How often?
(ii) How big?
(iii) So what?

If you can remember these six words you will know what to do (though not how to do it) if you are ever asked to carry out a hazard analysis. You will also know what to look for in hazard analyses carried out by others (see Chapter 4).

As mentioned in Section 1.2 (page 5), the Institution of Chemical Engineers defines hazard analysis as 'the identification of undesired events that lead to the materialization of a hazard, the analysis of the mechanisms by which these undesired events could occur and usually the estimation of the extent, magnitude and likelihood of any harmful effects'. According to this definition hazard analysis includes the identification of hazards (considered in Chapter 2) and stages (i) and (ii) above, but not stage (iii). The report suggests that what I call hazard analysis should be called risk assessment. As already stated, stages (i) and (ii) are pointless unless we also carry out stage (iii). If you are asked to carry out a hazard analysis or you ask someone else to carry one out, make sure that you both understand what is meant by these words.

3.4 Choosing targets or criteria

When injury is unlikely we can compare the annual cost of preventing an accident with the average annual cost of the accident. Suppose an accident will cause £1M worth of damage and is estimated to occur once in 1000 years, an average cost of £1000/year. Then it is worth spending up to £1000/year to prevent it but not more. Capital costs can be converted to maintenance, depreciation and interest. Future costs should be discounted, although the data are often not accurate enough to make this worthwhile (but see Section 6.1, last paragraph, page 196).

This method could be used for all accidents if we could put a value on injuries and life, but there is no generally agreed figure for them (see Section 3.4.7, page 100). So instead we set a target. For example, in fixing the height of handrails round a place of work, the law does not ask us to compare the cost of fitting them with the value of the lives of the people who would otherwise fall off. It fixes a height for the handrails (36 inches to 45 inches). A sort of intuitive Hazan shows that with handrails of this height the chance of falling over them, though not zero, is so small that we are justified in ignoring it. Similarly, we fix a 'height' or level for the risk to life.

In setting this level we should remember that we are all at risk all the time, whatever we do, even staying at home. We accept the risks when we consider that, by doing so, something worthwhile is achieved. We go rock climbing or sailing or we smoke because we consider the pleasure is worth the risk. We take jobs as airline pilots or soldiers or we become missionaries among cannibals because we consider that the pay, or the interest of the job, or the benefit it brings to others, makes the risk worthwhile. At work there is likely to be a slight risk, whatever we do to remove known risks. By accepting this risk we earn our living and we make goods that enable us and others to lead a fuller life.

A widely-used target for the risk to life of employees, discussed in the next section, is the fatal accident rate (FAR). Risks to the public are discussed in Section 3.4.4, page 93. But it is not always necessary to estimate the risk to life. When we are making a change it is often sufficient to say that the new design must be as safe as, preferably safer than, that which has been generally accepted without complaint. For example:
• If trips are used instead of relief valves they should have a probability of failure 10 times lower [3,4] (see Section 3.8.5, page 138).
• If equipment which might cause ignition is introduced into a Zone 2 area it should be no more likely to spark than the electrical equipment already there.
• A new form of transport should be no more hazardous, preferably less hazardous, than the old form.

For other examples, see Section 3.4.8, page 103.


Risks which are within a target or criterion are sometimes called 'acceptable risks', but I do not like this phrase. We have no right to decide what risks are acceptable to other people and we should never knowingly fail to act when other people's lives are at risk; but we cannot do everything at once: we have to set priorities. More pragmatically, particularly when talking to a wider audience than fellow technologists, the use of the phrase 'acceptable risk' often causes people to take exception. 'What right have you,' they say, 'to decide what risks are acceptable to me?' But everyone has problems with priorities; most people realize that we cannot do everything at once, and they are more likely to listen if we talk about priorities.

The UK Health and Safety Executive proposes [30] that the phrase 'tolerable risk' should be used instead of 'acceptable risk'. 'Tolerable' has been defined [31] as 'that which is borne, albeit reluctantly, while "acceptable" denotes some higher degree of approbation'. The UK Health and Safety Executive also proposes that instead of one level of risk there should be two: an upper level which is never exceeded and a lower level which should be regarded as 'broadly acceptable'. This is defined as a level which does not worry us or cause us to alter our ordinary behaviour in any way; it would not be reasonable to consider further improvements if these involved a cost. In between the upper and lower levels the risk is reduced if it is reasonably practicable to do so. Risks near the upper level are tolerated only when reduction is impracticable or grossly disproportionate to the cost (see Figure 3.2 on page 86). Cost-benefit analysis, comparing the cost of reducing a hazard with the benefits, should be used to determine whether or not an action is reasonably practicable [30,32]. We do not, of course, remove priority problems by asking for more resources. We merely move the target level to a different point.

Apart from the main uses of Hazan in helping us decide whether or not expenditure on particular safety measures is justified, that is, in helping us set priorities, it can also help us to:
• resolve design choices, for example, between relief valves and instrumented protective systems (trips) (see Section 3.8.5, page 138);
• decide how much redundancy or diversity (see Section 3.6.4, page 123) to build into a protective system;
• set testing, inspection and maintenance schedules (see Section 3.5.3, page 107).

The proposals illustrated in Figure 3.2 (page 86) have been widely quoted but their full implications have not yet been realized or acted upon. We still fix absolute standards for measurements such as the concentration of harmful gases and vapours in the workplace atmosphere or the concentration of


[Figure 3.2 Levels of risk and ALARP (Table 3.1(b) suggests values for the horizontal lines). Reproduced by permission of the Health and Safety Executive. The figure is the HSE triangle; its labels, from top to bottom, are:
Unacceptable region: risk cannot be justified except in extraordinary circumstances.
The 'as low as reasonably practicable' or tolerability region (risk is undertaken only if benefit is desired): near the top, tolerable only if reduction is not practicable or its cost is disproportionate to the improvement gained; near the bottom, tolerable if cost of reduction would exceed the improvement gained.
Broadly acceptable region (no need for detailed working to demonstrate that the risk is as low as reasonably practicable): necessary to maintain assurance that risk stays at this level.
Negligible risk.]


impurities in drinking water or seawater on bathing beaches. There is a large measure of judgement in fixing such limits, and they incorporate generous safety factors, yet we act as if exceeding them is dangerous and spare no expense to get below them. It would be more sensible, and consistent with the tolerable risk policy, to fix an intolerable level, to be exceeded only in the most exceptional circumstances, and a broadly acceptable level, and in between to reduce the concentration in so far as is reasonably practicable.

3.4.1 Risks to employees — the fatal accident rate (FAR)

FAR is defined as the number of fatal accidents in a group of 1000 men in a working lifetime (10^8 hours).* Table 3.1(a) (page 88) shows some typical figures. For weekly-paid employees in the chemical industry the FAR was, at the time the following criterion was drawn up, about 4 (the same as the average for all activities covered by the UK Factories Act). This was made up of:
• ordinary industrial risks (eg, falling downstairs or getting run over): 2;
• chemical risks (eg, fire, toxic release or spillage of corrosive chemical): 2.

If we were sure that we had identified all the chemical risks attached to a particular job, we said that the man doing the job should not be exposed, for these chemical risks, to a FAR greater than 2. We would eliminate or reduce, as a matter of priority, any such risks on new or existing plants. It would be wrong to spend our resources on reducing the risk to people who are already exposed to below-average risks; instead we should give priority to those risks which are above average.

Often we are not sure that we have identified all the chemical risks and so we say that any single one, considered in isolation, should not expose an employee to a FAR greater than 0.4. We will eliminate or reduce, as a matter of priority, any hazard on a new or existing plant that exceeds this figure. We are thus assuming that there are about five significant chemical risks on a typical plant.

There is a case for reducing these figures of 2 and 0.4 now that the average FAR in the chemical industry has come down. Experience has shown that the costs of achieving the original target, though often substantial, are not unbearable. They may involve the company in an

* If you spend your working lifetime in a factory of 1000 men, then during your time there, if the FAR is 4, 4 of your fellow workers will be killed in industrial accidents, but about 20 will be killed in other accidents (mostly on the roads and in the home) and about 370 will die from disease, including about 40 from the effects of smoking, if present rates continue.


Table 3.1 Risks to life from employment
(a) UK 1987–1990 (except where stated)

                                                       FAR    Risk per person per year
Firemen in London 1940                                1000    2000 x 10^-5
Policemen in Northern Ireland 1973–1992                 70     140 x 10^-5
Health and Safety Executive tolerable limit             50     100 x 10^-5
Offshore oil and gas                                    62     125 x 10^-5
Deep sea fishing                                        42      84 x 10^-5
Coal mining                                            7.3    14.5 x 10^-5
Construction                                             5      10 x 10^-5
Railways                                               4.8     9.6 x 10^-5
All premises covered by the Factories Act                4       8 x 10^-5
Agriculture                                            3.7     7.4 x 10^-5
Chemical and allied industries                         1.2     2.4 x 10^-5
All manufacturing industry                             1.2     2.3 x 10^-5
Vehicle manufacture                                    0.6     1.2 x 10^-5
Clothing manufacture                                  0.05     0.1 x 10^-5
Health and Safety Executive broadly acceptable limit  0.05     0.1 x 10^-5

The FAR is the number of fatalities in 1000 people in a working lifetime, that is, in a group of 10^8 working hours. The figure for offshore oil and gas includes the 165 people killed by the fire and explosion on the Piper Alpha oil platform in 1988. The figures in the first two rows are from Reference 60, the Health and Safety Executive figures from Reference 32 and the remainder from Lees, page 2/9.

expenditure which some of its competitors do not incur. Some of the extra expenditure can be recouped in lower insurance premiums; some can be recouped by the greater plant reliability which safety measures often produce; the rest is a self-imposed 'tax' which has to be balanced by greater efficiency.

Note that when estimating a FAR for comparison with the target we should estimate the FAR for the person or group at highest risk, not the average for all the employees on the plant. It would be no consolation to me, if I complained that I was exposed to a high risk, to be told, 'Don't worry. The average for you


Table 3.1 Risks to life from employment
(b) The Health and Safety Executive's proposals

                                                         FAR    Risk per person per year
Maximum tolerable risk:
  employees                                               50    10^-3
  public                                                   ?    10^-4
  public (nuclear)                                         ?    10^-5
Legal limit from ionizing radiation:
  employees (50 mSv/yr)                                   75    1.5 x 10^-3
Maximum tolerated risk from ionizing radiation:
  employees (15 mSv/yr)                                20–25    5 x 10^-4
Broadly acceptable risk:
  employees and public                                  0.05    10^-6
Negligible risk:
  employees and public                                 0.005    10^-7

See Section 5.2.6 (page 176) for an explanation of the limits for ionizing radiation. FARs are not quoted for public risks because the number of hours for which people are exposed is so variable. The risk per year is a better measure.

and your fellow workers is low'. It may be all right for them but it certainly is not for me. Also, if we used the average risk, we could reduce it by employing more people in low risk activities.

As mentioned already, the Health and Safety Executive has proposed an upper limit of risk which should not be exceeded and a lower level below which risks should be regarded as broadly acceptable. For employees, the proposed upper level is 10^-3 per year (FAR 50) which seems rather high but, as the figures in Table 3.1(a) show, some risks of this size are in fact tolerated. For the public the upper level is 10 times lower (10^-4 per year) but 100 times lower for nuclear risks (10^-5 per year) (see Section 3.4.4, page 93). The proposed 'broadly acceptable' level for both employees and the public is 10^-6 per year. For employees this is a FAR of 0.05, achieved only by relatively safe industries such as clothing manufacture, so most industry is in the ALARP region. The ratio between the unacceptable and the broadly acceptable region is 1000 for employees and 100 for the public [32] (see Table 3.1(b)).


Since the passage of the Health and Safety at Work, etc Act in 1974 there has been a gradual move away from prescriptive regulations, which tell people exactly what they should do, to goal-setting ones, which set objectives to be achieved. There is advice on how to achieve them, but it does not have to be followed. The requirement to assess risks and the setting of risk targets are part of this new approach. It is not, of course, necessary or even possible to assess every risk quantitatively. Most risks are minor and can be assessed qualitatively. The Health and Safety Executive usually requires quantitative assessments of nuclear and offshore risks and may ask for them in other cases. Major hazards are more likely to be accepted by them if they are supported by a quantitative assessment.

3.4.2 Converting FAR to hazard rate

The hazard (or incident) rate is the rate at which dangerous incidents occur. Suppose the man at greatest risk is killed every time the dangerous incident occurs (this is an example, not a typical situation), then it must not occur more often than:

0.4 incident in 10^8 working hours, or once in 2.5 x 10^8 working hours = 30,000 years, or 3 x 10^-5 incident/year;

that is, the probability of occurrence should not exceed 3 x 10^-5/year (for a shift job). For a job manned only during day hours the corresponding figures are once in 120,000 years or 8 x 10^-6 incident/year. If the man at greatest risk is killed every tenth time the incident occurs then the target hazard rate is:

once in 3000 years or 3 x 10^-4 occasion/year,

and so on.
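The arithmetic of this section, and of the 'risk per person per year' column of Table 3.1, as an added worked example that is not the book's own code: the exposure hours per year and the probability of death per incident are explicit inputs, and the shift-job and day-job figures above are reproduced (to the book's rounding) with assumed exposures of 8760 and 2000 hours per year.

```python
"""FAR <-> hazard rate conversions for Section 3.4.2 and Table 3.1.

Added example, not code from the book. The exposure hours per year are
assumptions (the text gives results rounded to one figure): a shift job on
a continuously manned plant is taken as 8760 h/yr, a day job as 2000 h/yr.
"""

FAR_HOURS = 1e8  # a FAR is deaths per 10^8 exposed hours (1000 working lifetimes)

# Assumed exposure hours, not stated in the text.
SHIFT_HOURS_PER_YEAR = 8760.0
DAY_HOURS_PER_YEAR = 2000.0


def far_to_annual_risk(far, hours_per_year=DAY_HOURS_PER_YEAR):
    """Individual risk of death per year for a person exposed hours_per_year.

    This is the conversion behind the right-hand column of Table 3.1(a):
    FAR 50 -> 1e-3 per year, FAR 4 -> 8e-5, FAR 0.05 -> 1e-6.
    """
    return far * hours_per_year / FAR_HOURS


def annual_risk_to_far(risk_per_year, hours_per_year=DAY_HOURS_PER_YEAR):
    """Inverse of far_to_annual_risk (e.g. the HSE 1e-6/yr level -> FAR 0.05)."""
    return risk_per_year * FAR_HOURS / hours_per_year


def far_to_hazard_rate(far, hours_per_year, fatality_probability=1.0):
    """Maximum tolerable incident rate (incidents/year) for a FAR target.

    fatality_probability is the chance that the person at greatest risk is
    killed when the incident occurs; if it is 1 in 10, the incident may
    happen ten times as often for the same FAR.
    """
    if far <= 0:
        raise ValueError("FAR target must be positive")
    if not 0.0 < fatality_probability <= 1.0:
        raise ValueError("fatality_probability must be in (0, 1]")
    deaths_per_hour = far / FAR_HOURS
    incidents_per_hour = deaths_per_hour / fatality_probability
    return incidents_per_hour * hours_per_year


def years_between_incidents(hazard_rate):
    """Mean interval between incidents for a rate given per year."""
    return 1.0 / hazard_rate


def hazard_rate_summary(far, fatality_probability=1.0):
    """Shift-job and day-job figures side by side, as the book tabulates them."""
    summary = {}
    for job, hours in (("shift", SHIFT_HOURS_PER_YEAR), ("day", DAY_HOURS_PER_YEAR)):
        rate = far_to_hazard_rate(far, hours, fatality_probability)
        summary[job] = {"incidents_per_year": rate,
                        "years_between": years_between_incidents(rate)}
    return summary


if __name__ == "__main__":
    # FAR target of 0.4 for a single hazard considered in isolation (Section 3.4.1)
    for p in (1.0, 0.1):
        for job, row in hazard_rate_summary(0.4, p).items():
            print(f"P(death | incident) = {p:<4} {job:5s} job: "
                  f"{row['incidents_per_year']:.1e} incidents/year, "
                  f"once in {row['years_between']:,.0f} years")
    # Table 3.1(a) check: FAR -> risk per person per year at 2000 h/yr
    for far in (50, 4, 0.05):
        print(f"FAR {far:>5}: {far_to_annual_risk(far):.0e} per year")
```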

3.4.3 Multiple casualties What is the target hazard rate if more than one person is killed? Consider two eases: (A) One person is killedevery year for 100 years. (B) IOU peopleare killedonce in 100 years. 90

Should the prevention of (B) have higher priority than the prevention of (A), or vice versa? The arguments in favour of giving priority to the prevention of (B) are:

• The press, public and Parliament make more fuss about (B), whilst they usually ignore (A).
• The public perceive (B) as worse; as servants of the public we must therefore give priority to the prevention of (B).
• (B) disrupts the organization and the local community and the wounds take longer to heal. It may cause production to be halted for a long time, perhaps for ever, and new requirements may be introduced.

Various writers have therefore proposed that the tolerable hazard rate for (B) should be the tolerable hazard rate for (A) divided by log N, or N or N², where N is the number of people killed per incident. However, these formulae are quite arbitrary and if we divide the hazard rate by N², or even N, we may get such low hazard rates that they are impossible to achieve. Gibson⁵ has suggested that we can allow for the wider effects by estimating the financial costs of disruption of production, etc. and comparing them with the costs of prevention. This may be a more effective and defensible method than introducing arbitrary factors.

It is true that as servants of the public we should do what they want, but a good servant does not obey unthinkingly; he points out the consequences of his instructions. If we think the public's perception of risks is wrong, we should say so, and say why we think so. Perhaps the public think that preventing events like (B) will reduce the number of people killed accidentally; it would actually have very little effect on the total number killed.

The argument in favour of giving priority to the prevention of (A) is that (B) will probably never happen (if the plant lasts 10 years the odds are 10 to 1 against) but that (A) almost certainly will happen; one person will probably be killed every year. So why not give priority to preventing the deaths of those who will probably be killed, rather than to preventing events which will probably never happen? This argument becomes stronger if we consider case (C):

(C) 1000 people are killed once in 1000 years.

In this case it is 100 to 1 that nobody will be killed during the life of the plant.

The simplest and fairest view seems to be to give equal priority to the prevention of (A) and (B) — we're just as dead in case (A) as in case (B). If we give priority to the prevention of (B) we are taking resources away from the prevention of (A) and, in effect, saying to the people who will be killed one at a time that we consider their deaths as less important than others. We should treat all people the same. There may, however, be an economic argument for preventing (B), as argued by Gibson, even though the risk is so small that we would not normally spend resources on reducing it further.


Consider now two more cases:

(D) A plant blows up once in 1000 years killing the single operator.
(E) A similar plant, less automated, also blows up once in 1000 years but kills all 10 operators.

The FAR is the same in both cases, the risk to all 11 operators is the same, but some way of drawing attention to the higher exposure involved in case (E) is desirable. Lees⁶ suggests that the number killed, the accident fatality number, should be quoted as well as the FAR (see Section 3.8.4, page 137).

Table 3.2 Some non-occupational risks

Activity                                        Risk of death per person per year
Cancer                                            280 × 10⁻⁵   (1 in 360)
Road accidents (UK)                                10 × 10⁻⁵   (1 in 10,000)
Road accidents (US)                                24 × 10⁻⁵   (1 in 4000)
All accidents (UK)                                 30 × 10⁻⁵   (1 in 3300)
Murder (UK)                                         1 × 10⁻⁵   (1 in 100,000)
Smoking 20 cigarettes/day                         500 × 10⁻⁵   (1 in 200)
Drinking (1 bottle wine/day)                       75 × 10⁻⁵   (1 in 1300)
Rock climbing (100 h/yr)                          400 × 10⁻⁵   (1 in 250)
All risks, man aged 20                            100 × 10⁻⁵   (1 in 1000)
All risks, man aged 60                           1000 × 10⁻⁵   (1 in 100)
Lightning (UK)                                          10⁻⁷   (1 in 10 million)
Release from nuclear power station (at 1 km)            10⁻⁷   (1 in 10 million)
Flooding of dykes (Holland)                             10⁻⁷   (1 in 10 million)
Fall of aircraft (UK)                             0.2 × 10⁻⁷   (1 in 50 million)
Hit by meteorite                                        10⁻¹¹  (1 in 100 billion)

Notes:

• Most figures are taken from References 32, 34 and 35.
• Most of the risks are averaged over the whole population but are not always equally distributed; the very old and the very young, for example, are more likely than others to be killed in an accident; smokers are more likely than non-smokers to get cancer.
• The figures for smoking, drinking and rock climbing apply only to those who carry out these activities.

3.4.4 Risks to the public

Table 3.2 shows the risk of death, per year, for a number of non-occupational activities, including activities such as driving and smoking that we accept voluntarily and others that are imposed on us without our permission. The figures are approximate and should be used with caution. Nevertheless they show that we accept voluntarily activities that expose us to risks of 10⁻⁴ or more per year, sometimes a lot more, while many of the involuntary risks are much lower. We accept, with little or no complaint, a number of involuntary risks (for example, from lightning or falling aircraft) which expose us to a risk of death of about 10⁻⁷ or less per year.

We thus have a possible basis for considering risks to the public at large from an industrial activity. If the average risk to those exposed is more than 10⁻⁷ per person per year, we will eliminate or reduce the risk as a matter of priority. If it is already less it would not be right to spend scarce resources on reducing the risk further. It would be like spending additional money, above that already spent, on protecting people from lightning. There are more important hazards to be dealt with first.

The last two paragraphs appeared in the earlier editions of this book. Since then the Health and Safety Executive has made the proposals described at the end of Section 3.4.1 and summarized in Figure 3.2 and Table 3.1(b). It suggests that a risk of 10⁻⁶ per year is 'broadly acceptable', though not negligible. It quotes the following example to show how small this risk is compared to the other risks to which we are exposed. Suppose 10,000 people live near a nuclear power station and as a result are exposed to an average risk of death (from cancer) of 10⁻⁶ per year in addition to the normal risk; 10⁻⁶ per year is rather less than 10⁻⁴ per lifetime. Regardless of where they live, about 2500 of the 10,000 people will die from cancer. As a result of the nuclear plant, this number will rise to 2501⁶¹. And this estimate is based on the pessimistic assumption that the risk is proportional to the dose.

As well as considering the average risk we should consider the person at greatest risk. A man aged 20 years has a probability of death from all causes of 1 in 1000 per year. (The figure for a younger man is not much less.) An increase of 1% from industrial risks is hardly likely to cause him much concern, and an increase of 0.1% should certainly not do so. This gives a range of 10⁻⁵ to 10⁻⁶ per year. The people at greatest risk are usually those who live nearest to the factory but in the case of nuclear risk may be those whose diet exposes them to more radiation than other people — for example, people who consume a large amount of shellfish.

Why did I suggest a lower figure (10⁻⁷ per year) for the average risk than the 10⁻⁵ to 10⁻⁶ range for the person at greatest risk? Consider a town of 500,000 people in which a chemical plant imposes some risk on all the inhabitants, though some of them, of course, are at greater risk than others. If the average risk is 10⁻⁷ per year, on average one person will be killed every 20 years; by the time a second death occurs the first one will probably have been forgotten. If the average risk is 10⁻⁶, on average someone will be killed every two years and the public would consider this quite intolerable. In a democracy all criteria for risk (and everything else that affects them) must be acceptable to the public (see Section 5.3, page 181). There is a difference, of course, between deaths that are clearly due to an industry and a theoretical rise (of one in several thousand) in the number of people dying from disease.

We have considered average risks and the person at greatest risk. Another way of expressing risk to the public is to draw a graph of the number of people killed (N) against the cumulative frequency of the event (F). Figure 3.3 (from Reference 30) shows an F–N line for a particular chlorine installation and, for comparison, a proposed criterion (the line AB). Both lines refer to casualties, not deaths; Reference 30 suggests that about one third of them will result in death. Note that the probability that 10 or 100 people will become casualties is higher than allowed by the criterion, but that there is a limit to the possible number of casualties. Note also that the frequencies are cumulative; that is, the point on the graph for N = 10 (say) gives the frequency of events which cause 10 or more casualties.

The jagged line in Figure 3.3 is a prediction by experts of what will occur (if the assumptions on which it is based are correct); only experts in the technology are able to derive it. (In other cases the F–N line may be based on the historical record.) In contrast, the line AB is based on judgement; it shows the level of risk that people will, it is believed, tolerate. Everyone has a right to comment on its position, especially those exposed to the risk, and the expert has no greater right to do so than anyone else (see Section 3.3, page 80).

Figure 3.3 F–N curve for chlorine installation: frequency of events (per year) against number of casualties, N. AB shows a suggested criterion. (Crown copyright is reproduced with the permission of the Controller of Her Majesty's Stationery Office)


It is difficult to explain F–N curves to the public. They pick on the fact that a large number of casualties or deaths can occur but do not grasp that the probability of this happening is astronomically low. In Figure 3.3, for example, the frequency of an incident causing 100 casualties is less than 10⁻⁵ per year. If 100,000 people live near the chlorine installation, the chance that a particular person, picked at random, will become a casualty in such an incident is less than 10⁻⁸ per year. Imagine this page being so long that it stretches from London to Newcastle (about 500 km); 10⁻⁸ is the probability that if two people are asked to choose a line of type at random they will pick the same one. This probability is nevertheless considered too high and if the risk can be reduced to the level shown by the target line AB, the page would have to stretch from London to New York.
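To make the cumulative nature of the F–N points and the per-person arithmetic above concrete, here is an added Python example; it is my own code, not the book's or Reference 30's. The scenario list, the population of 100,000 and the straight-line criterion F_crit(N) = anchor/N are constructed assumptions, since the page gives neither the numbers behind the jagged line of Figure 3.3 nor those of line AB.

```python
"""Build an F-N curve from a list of (frequency, casualties) outcomes and test it
against a straight-line criterion.  Added example with constructed data."""
from typing import List, Tuple

# Constructed outcomes for a hypothetical installation (not the chlorine plant of
# Figure 3.3): frequency of the event in occasions/year and the casualties it causes.
SCENARIOS: List[Tuple[float, int]] = [
    (1.0e-3, 1),
    (1.0e-4, 10),
    (1.0e-5, 50),
    (2.0e-6, 100),
    (5.0e-7, 300),
]


def cumulative_frequency(scenarios: List[Tuple[float, int]], n: int) -> float:
    """F(N): frequency per year of events causing n or more casualties.
    The curve is cumulative, so the point for N=10 sums every outcome with N >= 10."""
    return sum(freq for freq, casualties in scenarios if casualties >= n)


def fn_curve(scenarios: List[Tuple[float, int]]) -> List[Tuple[int, float]]:
    """The F-N points at each distinct N in the list, in increasing N."""
    ns = sorted({casualties for _, casualties in scenarios})
    return [(n, cumulative_frequency(scenarios, n)) for n in ns]


def criterion(n: int, anchor: float = 1.0e-3, slope: float = 1.0) -> float:
    """Assumed criterion line, straight on log-log axes: F_crit(N) = anchor / N**slope.
    The anchor and slope are illustrative, not the values of the book's line AB."""
    return anchor / n ** slope


def points_above_criterion(scenarios, anchor: float = 1.0e-3, slope: float = 1.0) -> List[int]:
    """Values of N at which the predicted F(N) lies above the criterion line."""
    return [n for n, f in fn_curve(scenarios) if f > criterion(n, anchor, slope)]


def individual_risk(scenarios, n_min: int, population: int) -> float:
    """Chance per year that one person picked at random from `population` is a casualty
    in an event of n_min or more casualties: sum of frequency x N over such events,
    divided by the population.  For a single 100-casualty event at 1e-5/year among
    100,000 people this is the text's 1e-8/year."""
    expected_casualties = sum(f * c for f, c in scenarios if c >= n_min)
    return expected_casualties / population


if __name__ == "__main__":
    for n, f in fn_curve(SCENARIOS):
        side = "above" if f > criterion(n) else "below"
        print(f"N >= {n:4d}: F = {f:.3e}/yr, {side} criterion {criterion(n):.3e}/yr")
    print(f"per-person risk from events with >= 100 casualties: "
          f"{individual_risk(SCENARIOS, 100, 100_000):.1e}/yr")
```

With these constructed figures the curve lies above the assumed line at N = 1 and N = 10 and below it for the larger events, the same shape of result the text describes for Figure 3.3, where the 10- and 100-casualty points exceed the criterion while the curve has a limit on the right.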

Figure 3.4 F–N curves for some UK societal risks (see key below): frequency per year against N or more deaths, N from 1 to 10,000. (Reproduced by permission of the Health and Safety Executive)

Figure 3.4 is an F–N curve for a number of societal risks⁶². We should never decide that a risk is tolerable on the basis of an F–N curve alone. We should also consider the people at greatest risk.

Other criteria for risks to the public are reviewed in Reference 17. The criteria vary but it is generally agreed that the public should be exposed to much lower risks than employees. People choose to work for a particular company or industry but members of the public have risks imposed on them against their will. But the public are further away from the source of the hazard so in practice the risk to employees may be more important. For example, the pressure developed by an explosion decreases with distance; the risk to the public is usually so much less than the risk to employees that reducing the latter is the more important task. However, this may not be the case if houses have been built close to the factory fence.

Key to Figure 3.4

1: Collapse of a tower block, before the collapse at Ronan Point (a block of flats in London which collapsed in 1968 as the result of a gas leak and explosion), assuming there are 300 such blocks in the UK.
2: Collapse of tower block, after changes made following Ronan Point.
3: Canvey Island, an island in the Thames Estuary containing many oil and chemical plants, before improvements.
4: Ditto, with recommended improvements.
5: Ditto, 2nd report. This was judged to be just about tolerable.
6: A harbour: risk to the population onshore from a spillage of LPG from a ship — before improvements.
7: The harbour, after improvements.
8: Ellesmere Port: proposed retail development near a complex of chemical plants.
9: Level crossings.
10: Recommended by the Advisory Committee on Major Hazards (1st Report, 1976) as tolerable for a single plant.
11: Sizewell nuclear power station, design requirement (including delayed deaths). Note that the risk is much lower than the others.
12: Maximum tolerable level to the public from an industrial activity. For nuclear risks the maximum tolerable level is a tenth of this (see Section 3.4.1 and Reference 32).
13: Suggested maximum tolerable level for a possible programme of pressurized water reactors (see Reference 32).
14: Goole Hook: housing developments near an ammonium nitrate plant.
15: A harbour handling explosives, near a town, before improvements. Although the risk was less than at Canvey Island, public concern caused it to be reduced even further.
16: St Fergus to Moss Morran natural gas liquids pipeline (200 km).
17: Flooding of the River Thames, before construction of the Thames Barrier.
18: Ditto, after construction of the Barrier.


3.4.5 Why consider only fatal accidents?

As pointed out by Heinrich many years ago, there is a relationship between fatal, lost-time, minor and no-injury accidents (in which only material damage is caused). If we halve fatal accidents from a particular cause, we halve lost-time accidents, minor accidents and no-injury accidents from that cause. If we halve the number of deaths from explosions on a particular plant, for example, we probably also halve the number of lost-time accidents and minor accidents caused by explosions and the material damage they cause.

Note that halving the total number of fatal accidents in a factory will not necessarily halve the total number of lost-time (or minor) accidents, as the ratio of lost-time to fatal accidents differs for different sorts of accidents. For example, it is about 250 for transport accidents, but about 20,000 for accidents involving the use of tools.

Several writers have suggested combining measures of death, injury, illness and damage into a 'unified index of woe'⁶³. For example, Christen et al.⁶⁴ suggest the nine measures shown in Table 3.3 with their suggested relative weightings. However, such figures are quite arbitrary. If such an index is used, it should be possible to see how it is derived so that the effect of varying the measures and their weightings can be studied.

Table 3.3 Relative measures for computing a unified index of woe
(From Reference 64. Reproduced with permission of the American Institute of Chemical Engineers. Copyright 1994 AIChE. All rights reserved.)

Measure                               Value giving an impact of 0.2   Value giving an impact of 0.6
Number of deaths                                       4                         100
Number of injured persons                             40                         800
Number of evacuees                                    30                        1000
Duration of alarm, person-days                    20,000                   5,000,000
Number of dead animals                               200                        8000
Area of damaged ecosystem, km²                         1                         100
Area of contaminated soil, km²                       0.5                          40
Area of polluted groundwater, km²                    0.5                          40
Discounted expenditure, £                     10,000,000                 200,000,000

The numbers in the centre column are considered to produce a similar impact on the public (to be precise, the same membership of a fuzzy set). Those in the right-hand column produce a similar but greater impact. The impacts are combined (see Reference 64 for details) to produce a total impact, called a 'disaster value'. (Others call it an index of woe.) For Bhopal (over 2000 killed) the index is set at 1. Flixborough (28 killed) is then 0.50, Seveso (0 killed) is 0.71 and the 1986 pollution of the Rhine at Basle (0 killed) is 0.51. The authors of Reference 64 admit that the assignment of relative impacts is very subjective but the method does allow various factors besides the risk to life to be taken into account.

3.4.6 Remove first the risks that are cheapest to remove

An alternative approach to target setting is to give priority to the expenditure which saves the most lives per £M spent¹⁶. This method would save more lives for a given expenditure so why do we not use it? There are three reasons:

• The first is moral. An employee or a member of the public may accept that a risk is so small, compared with other risks around us, that it is tolerable, but he (or she) will hardly accept a risk because it is expensive to remove. It may be better for society as a whole, but not for him (or her). Restating the same objection in other words, although we might reduce the total number of people killed in an organization or society by concentrating the risks on a few individuals, we are not prepared to do so: we prefer to spread the risks more or less equally, or at least ensure that no-one is exposed to a level of risk that would be regarded as intolerable. Note that in industry the lives saved are notional. If we do spend money on reducing a particular risk, all we are doing is making the already low risk of an accident even lower. It is unlikely that anyone's life will actually be saved and this makes it easier to adopt the moral attitude just described. In road safety, on the other hand, we are dealing with real lives; more lives will actually be saved if we spend our money in a more cost-effective way, and in this field of activity attempts are made to spend money in ways that do save the most lives per £M spent. We do not try to equalize the risks between different categories of road user, though it could perhaps be argued that pedestrians, who are exposed against their will, should be subjected to a lower risk (see Section 4.3.1, page 157).

• The second reason is pragmatic. If we agree to remove risks that are cheap to remove but to accept those that are expensive to remove, then there is a temptation for every design engineer and manager to say that the risks on his plant are expensive to remove. If, however, all risks must be reduced below a certain level, then experience shows that design engineers and plant managers do find 'reasonably practicable' ways of reducing them below that level.

• A third reason is that the usual procedure in industry has always been to work to a risk criterion, not a cost one. (See the note on handrails in Section 3.4, page 84.)

Despite these comments, the cost of saving a life is useful in industry as a secondary criterion. If the notional cost of saving a life is greatly in excess of the normal for the industry, then we should not exceed the usual risk criterion, but we should look for a cheaper solution. Experience shows that in practice it can usually be found. There is usually more than one solution to every problem.

As already discussed (see Section 3.4, page 85), the Health and Safety Executive has suggested the use of two criteria, an upper one that should never be exceeded and a lower, broadly acceptable, one which we need not strive to get below. In between the risk should be reduced if it is reasonably practicable to do so, and cost-benefit analysis should be used to help us decide if a particular proposal is reasonably practicable. To carry out such calculations we need to know the value to put on a life.

3.4.7 The cost of saving a life

Various ways have been suggested for estimating the cost of saving a life. One is the value of a person's future contribution to society; another is the cost of damages awarded by the Courts. But the value of any article or service is not what it costs to produce it, or the future benefits it will bring, but what people are prepared to pay for it — the test of the marketplace. Table 3.4 summarizes some of the prices that are actually paid to save a life and it will be seen that the

Table 3.4 Some estimates of the money (£) spent to save a life

Health
  Increasing tax on cigarettes                                  Negative
  Anti-smoking propaganda                                       Small
  Cervical cancer screening                                     8K
  Artificial kidneys                                            50K
  Intensive care                                                25K
  Liver transplants                                             125K

Road travel
  Various schemes implemented                                   25K–10M

Industry
  Agriculture (employees)                                       13K
  Rollover protection for tractors                              500K
  Steel handling (employees)                                    1.3M
  Pharmaceuticals (employees)                                   25M
  Pharmaceuticals (public)                                      70K
  Chemical industry (employees) (typical figure)                5M
  Nuclear industry (employees and public)                       13M; 20–40M

Social policy
  Smoke alarms                                                  700K
  Preventing collapse of high-rise flats                        125M
  Giving members of social class 5 a social class 2 income
    (family of 4 young people)                                  1.3M
  Third World starvation relief                                 13K
  Immunization (Indonesia)                                      100

Notes:

• All figures are taken from Reference 36, are corrected to 1999 prices and refer to the UK. They are approximate and some may have been outdated by changes in technology. US figures are often higher.
• A 10% increase in the tax on tobacco decreases smoking by about 5% so there is a net increase in revenue.
• If we spend £10M on anti-smoking propaganda and as a result 2000 people (less than 1 smoker in 10,000) give up smoking, 500 lives would be saved at a cost of £20,000 each.
• The death rate (for almost all ages and causes) of members of social class 5 (unskilled occupations) is about 1.8 times that of members of social classes 1 (professional occupations) and 2 (managerial occupations). It can be argued that, in the long run, a rise in income to the social class 2 level will produce a social class 2 lifestyle.

range is enormous. Doctors can save lives for a few thousands or tens of thousands of pounds per life saved and road engineers for a few hundred thousands per life saved, while industry spends millions and the nuclear industry tens of millions (even more according to some estimates) per life saved. Most of the values in Table 3.4 are implicit, that is, unknown to the people who authorize the expenditure, as they rarely divide the costs of their proposals by the number of lives that will be saved. No other commodity or service shows such a variation, a range of 10⁶, in the price paid. (Electricity from watch batteries costs many thousands of times more than electricity from the mains but we pay for the convenience.)

What value then should we use in cost-benefit calculations? I suggest the typical value for the particular industry or activity (such as the chemical industry or road safety) in which we are engaged. Society as a whole might benefit if the chemical or nuclear industries spent less on safety and the money saved was given to the road engineers or to doctors, but there is no social mechanism for making the transfer. All we can do, as technologists, is to spend the resources we control to the best advantage. As citizens, of course, we can advocate a transfer of resources if we wish to do so.

The figures in Table 3.4 are far from accurate. They are taken from various estimates published between 1967 and 1985, corrected to 1999 prices (for details see Reference 36), and some may have been made out of date by changes in technology. They vary over such a wide range, however, that errors introduced in this way are probably unimportant (see also Section 3.8.1, page 133).
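An added example, not from the book, of how the two-criterion approach of Section 3.4.6 and the notional cost of saving a life of Section 3.4.7 fit together when deciding on a proposal. The broadly acceptable level of 10⁻⁶ per year is the HSE figure the text quotes; the upper limit of 10⁻³ per year, the £5M value per life (of the order the text gives for the chemical industry) and the three proposals are constructed assumptions for illustration.

```python
"""Notional cost per life saved and an ALARP-style decision between the HSE's upper
limit and broadly acceptable level.  Added example; figures are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class Proposal:
    name: str
    capital_cost: float       # pounds, spent once
    risk_before: float        # deaths per person per year for the person at greatest risk
    risk_after: float         # the same risk once the proposal is implemented
    people_exposed: int       # people at (about) that level of risk
    plant_life_years: int     # years over which the reduction applies


def lives_saved(p: Proposal) -> float:
    """Notional lives saved over the plant life: risk reduction x people x years.
    In industry this is usually a fraction of a life, hence 'notional'."""
    return (p.risk_before - p.risk_after) * p.people_exposed * p.plant_life_years


def cost_per_life_saved(p: Proposal) -> float:
    """The figure Table 3.4 tabulates: cost divided by notional lives saved."""
    saved = lives_saved(p)
    return float("inf") if saved <= 0 else p.capital_cost / saved


def alarp_decision(p: Proposal, upper_limit: float, broadly_acceptable: float,
                   value_of_life: float) -> str:
    """Above the upper limit: reduce regardless of cost.  At or below the broadly
    acceptable level: do not spend.  In between: spend if the cost per life saved does
    not exceed the value used for the industry; otherwise look for a cheaper solution."""
    if p.risk_before > upper_limit:
        return "intolerable"
    if p.risk_before <= broadly_acceptable:
        return "broadly acceptable"
    return "implement" if cost_per_life_saved(p) <= value_of_life else "too expensive"


def rank_by_cost(proposals: List[Proposal]) -> List[str]:
    """Names ordered from cheapest to dearest per life saved: the 'secondary criterion'."""
    return [p.name for p in sorted(proposals, key=cost_per_life_saved)]


# Assumed limits for the person at greatest risk: upper limit 1e-3/yr (assumption),
# broadly acceptable 1e-6/yr (the HSE figure quoted in the text), value per life
# £5M (assumed, of the order the text gives for the chemical industry).
UPPER, BROADLY_OK, VALUE = 1.0e-3, 1.0e-6, 5.0e6

PROPOSALS = [  # constructed proposals, not taken from any real plant
    Proposal("extra relief valve", 2.0e5, 1.0e-4, 1.0e-5, 50, 20),
    Proposal("relocate control room", 1.0e6, 1.0e-4, 0.0, 50, 20),
    Proposal("gas detection on a low-risk unit", 3.0e5, 5.0e-7, 1.0e-7, 20, 20),
]

if __name__ == "__main__":
    for p in PROPOSALS:
        print(f"{p.name:35s} £{cost_per_life_saved(p):>16,.0f}/life  "
              f"{alarp_decision(p, UPPER, BROADLY_OK, VALUE)}")
```

The third proposal shows the point the text makes about the lower criterion: a risk already below the broadly acceptable level is not worth spending on, whatever its cost per life saved, and the ranking function makes the implicit price per life visible before the money is authorized.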

The Health and Safety Executive has published a review of the extent to which risk assessment, including cost-benefit analysis, is used within government departments⁶⁵,⁶⁶. It shows that these methods are often used to decide priorities within departments but that they are not used to decide priorities between departments, as can be seen from the figures in Table 3.4. This can also be seen by comparing the standard of safety required in the Channel Tunnel with that required in the ferries which offer an alternative method of transport from England to the Continent. In the Channel Tunnel the Health and Safety Executive has insisted on standards higher than those used on any other tunnel anywhere in the world⁶⁷. But despite the disaster at Zeebrugge in 1987 and similar incidents elsewhere in the world⁶⁸, there has been little improvement in ferry standards⁶⁹. Of course, inconsistency is the price of progress and we cannot expect every piece of old equipment to meet the highest contemporary standards, but nevertheless would some of the money spent on the Channel Tunnel potentially save more lives if it had been spent on the ferries?


The US regulatory agencies are required to estimate the cost per life saved before introducing new regulations. The values obtained by different agencies vary between one and eight million dollars (at 1991 prices)⁷⁰.

3.4.8 Comparing old and new

In Section 3.4 I pointed out that instead of comparing a risk with a target or criterion we can compare alternatives. For example, a chemical intermediate was carried 200 miles by road from one plant to another for further processing. The intermediate was in the form of an aqueous solution and so was harmless, but money was being spent to transport water. It was therefore proposed to transport an alternative intermediate which was water-free but corrosive. The quantity of material to be transported would be reduced by over 80%. The question was whether the risk to the public from the transport of the hazardous chemical was so low that it should be accepted, bearing in mind that a safer, though bulkier, material could be transported instead. It was assumed that the chemical could be carried in high-quality vehicles by well-trained drivers. Calculations using average figures for the number of people killed in ordinary road accidents and in accidents involving chemicals showed that reducing the volume of material to be transported by 80% would, on average, save one life every 12 years, even allowing for the fact that an accident involving a tanker of corrosive chemicals is very slightly more likely to result in a fatality than an accident involving a tanker of harmless material.

A detailed quantitative study of the risks of transporting hazardous substances⁷¹ concludes that the risks are tolerable but not negligible and should therefore be reduced when it is reasonably practicable to do so. The report is a good example of the use of quantitative risk assessment. It suggests that £2M (at 1991 values) should be used, in cost-benefit calculations, for the value of a life. (Compare the figures in Table 3.4.) The report, however, has a major weakness. Chapter 10 concludes that one cannot generally say that road is safer than rail or vice versa. However, it does not take ordinary road accidents into account. If it did so, rail transport would probably be safer than road. The Health and Safety Executive said that any consideration of ordinary road accidents was outside their remit but for the accident victim the result is much the same whether he or she is killed by the vehicle or by the contents, and the probability of being killed by the vehicle is much greater.

Another omission in the report is any mention of the claim that vehicles carrying hazardous loads are involved in fewer accidents than other heavy vehicles. According to Reference 72, 'the involvement of hazardous materials


in accidents seems to be at least one order of magnitude lower than that of ordinary traffic'. If this is true, chlorine tankers are less hazardous than milk tankers.

After Flixborough a BBC reporter, standing in front of the plant, described the explosion as 'the price of nylon'. Many people must have wondered if it is worth taking risks with men's lives so that we can have better shirts and underclothes. However, in our climate we have to wear something. How does the 'fatal accident content' of wool or cotton clothes compare with that of clothes made from synthetic fibres? The former is certainly higher. The price of any article is the price of the labour used to make it, capital costs being other people's labour. Agriculture is a high accident industry; so there will be more fatal accidents in wool or cotton shirts than in nylon shirts. In general, the newer technologies are safer than the old. Nuclear electricity claims fewer lives than electricity made from coal; plastic goods 'contain' fewer accidents than similar articles made from iron or wood.

3.4.9 Risks to the environment

Increasingly, companies are having to consider risks to the environment as well as risks to people. The principle to be followed is much the same as for safety. According to a government guide⁷³: 'Where appropriate (for example, where there is uncertainty combined with the possibility of the irreversible loss of valued resources), actions should be based on the precautionary principle if the balance of likely costs and benefits justifies it. Even then, the action taken and the costs incurred should be in proportion to the risk.'

The term ALARP (As Low As is Reasonably Practical) is not used for environmental risks. The terms used instead are Best Practicable Environmental Option (BPEO) and Best Available Technology Not Entailing Excessive Cost (BATNEEC). A BPEO is the option which provides the most benefit or least harm to the environment as a whole at an acceptable cost. BATNEEC means that the costs of avoiding damage to the environment should be justified by the benefits. Old reports use the phrase Best Practicable Means instead. Reference 74 discusses the precise meanings of these terms.

Both BPEO and BATNEEC imply the use of cost-benefit analysis when possible and References 38 and 53 describe attempts to apply it to environmental risks, that is, to compare the costs of pollution with the costs of prevention. The latter are comparatively easy to estimate. Some of the costs of pollution can also be estimated; for example, the costs of cleaning, corrosion and sound insulation. We can also estimate the amount people are willing to pay in extra travel and housing costs to avoid living in polluted areas. It is much more difficult to put a price on the intangibles, such as the aesthetic value of pleasant surroundings or the desire to preserve as much as possible of the natural world and the evidence of the past. As with the value of a life (Section 3.4.7, page 100), their value is whatever we are prepared to pay to preserve them; this can be estimated by subtracting all the tangible benefits from the cost of prevention we are willing to pay, and seeing what is left. As with the value of life, the calculation is rarely made. People want the benefits and would rather not know the price, unaware that they are paying it. In a world in which many people are still suffering malnutrition and preventable disease, the value of some expenditure on improving the environment may be doubted. We should at least know what it is costing and what else could be done with the money.

It is also difficult to specify types of incident and frequencies that can be considered intolerable or broadly acceptable. A first attempt in that direction has been made by the UK Department of the Environment. It has listed 13 events that could constitute major environmental accidents. They include permanent or long-term damage to defined areas of land and water, damage (undefined) to an ancient monument, contamination of a water supply, making it unfit to drink and affecting more than 10,000 people, and death (or inability to reproduce) of 1% of any species⁹⁷. If these events are to be considered intolerable, we may well end up paying more to save the life of an animal than of a person. While loss of 1% of the world's population of, say, chimpanzees, may well be a major accident, it is difficult to feel the same about 1% of a species of beetle.

3.5 Estimatinghow often an incident will occur

As alreadymentioned,the methods described in this section are used whenwe cannotuse past experience.

3.5.1 Some definitions Hazard (or incident) rate, H The rate (occasions/year) at which hazards occur; for example, the rate at whichthe pressure in a vessel exceeds the designpressureor the rate at which thelevel in a tank getstoo high and the tank overflows. 105

HAZOP AND HAZAN

Protective system
A device installed to prevent the hazard occurring; for example, a relief valve or a high level trip.

Test interval, T
Protective systems should be tested at regular intervals to see if they are inactive or 'dead'. The time between successive tests is the test interval.

Demand rate, D
The rate (occasions/year) at which a protective system is called on to act; for example, the rate at which the pressure rises to the relief valve set pressure or the rate at which a level rises to the set point of the high level trip. 'Demand' is used in the French sense (demander = to ask).

Failure rate, f
The rate (occasions/year) at which a protective system develops faults. The faults of most interest to us are fail-danger faults which prevent the protective system operating, but fail-safe faults can also occur. These result in the protective system operating when it should not; for example, a relief valve lifts below its set pressure or a high level trip operates when the level is normal (see Section 3.5.10, page 118). Most failures are random and this is assumed in what follows. However, failures can be high when equipment is new and when it is worn out (that is, just after birth and during old age).

Fractional dead time, fdt
The fraction of the time that a protective system is inactive. This means that it is the non-availability or the probability that it will fail to operate when required (fdt = 1 − availability).

If the protective system never failed to operate when required, then the hazard rate H would be 0. If there were no protective system then the hazard rate would be equal to the demand rate D. Usually the protective system is inoperative or dead for a (small) fraction of the time. A hazard results when a demand occurs during a dead period, hence:

H = D × fdt (but see Section 3.5.6, page 110).

For other definitions see Reference 33. Some of the figures used in the following examples are typical while others are merely examples.


HAZARD ANALYSIS (HAZAN)

3.5.2 Example 1 — relief valves
The failure of some equipment is obvious and is soon noticed by the operators. Relief valves and trips, however, are normally not operating and their failures remain latent or unrevealed until a demand occurs. Hence we have to test them regularly to detect failures. Tests on relief valves show that fail-danger faults which will prevent them lifting within 20% of the set pressure occur at a rate of 0.01/year (once in 100 years — a typical figure). Let test interval T = 1 year (a typical figure). Failure occurs on average half-way between tests. Therefore the relief valve is dead for six months (½T) every 100 (1/f) years or for 1/200 or 0.005 of the time (½fT). This is the fractional dead time. Suppose the demand rate D is 1/year (an example). A hazard results when a demand occurs during the time that the relief valve is dead. The relief valve is dead for 1/200 of the time, there is one demand per year, so there is a hazard once in 200 years.

Expressed more precisely:

hazard rate = demand rate × fractional dead time
            = D × ½fT
            = 1 × 0.005
            = 0.005/year

or once in 200 years. (The more accurate formula in Section 3.5.6, page 110, gives once in 250 years.) We could not determine this figure by counting the number of occasions on which vessels have been overpressured because this occurs so rarely, but we have been able to estimate it from the results of tests on relief valves. Note that in this example a hazard is defined as taking a vessel more than 20% above its design pressure. Not all these 'hazards' will result in vessel rupture or even a leak. Relief valve failures are discussed in detail by Maher et al.

3.5.3 Example 2 — simple trips
Assume that:

• Fail-danger faults develop at a rate f of once every two years, or 0.5/year (a typical figure), much more frequently than with relief valves.
• The test interval T is 1 week (0.02 year, rather frequent).
• The demand rate D is 1/year (an example).


Calculate the fractional dead time and the hazard rate.

Answer: The trip is dead for 3.5 days every two years; therefore

fractional dead time = 3.5 / (2 × 365) = 0.005

and hazard rate = 1 × 0.005 = 0.005/year or 1 in 200 years.

With monthly testing, fractional dead time = 0.02 and hazard rate = 1 in 48 years.

With annual testing, fractional dead time = 0.25 and hazard rate = 1 in 4 years.

(The more accurate formula in Section 3.5.6, page 110, gives 1 in 5 years.)

If a trip is never tested, then after a few years the fractional dead time will probably be 1 — that is, the trip will be 'dead', and the hazard rate will be the same as the demand rate. Some companies test 'critical' trips and alarms but not 'non-critical' ones. If a trip or alarm is so unimportant that it does not need to be tested, it is probably not needed. If its failure rate is 0.5/year then after four years the probability that it will be in working order is less than 10%. (However, if an alarm is fitted to a control or indicating instrument, certain failures such as a failure of the sensor may be obvious to the operators and it will then be repaired.) If the trip is tested yearly, then the hazard rate is only reduced from once/year with no trip to once in five years. If the trip is so unimportant that annual testing is sufficient, then the trip is probably not necessary. If we take into account the time the trip is dead while it is being tested, then weekly testing may not give the lowest hazard rate and monthly testing may be better. Because trips fail more often than relief valves they have to be tested more often.

3.5.4 Example 3 — frequent demands on a trip
Let failure rate f = 0.5/year (as before)
test interval T = 0.1 year (five weeks, a typical figure)
demand rate D = 100/year (much greater than before).


Calculate the fractional dead time and the hazard rate.

Answer: Using the formula:

Hazard rate = D × 0.5fT = 100 × 0.5 × 0.5 × 0.1 = 2.5/year.

In fact, the hazard rate will be almost the same as the failure rate (0.5/year) because:

• there will almost always be a demand in the dead period;
• the fault will then be disclosed and repaired.

2.5/year would be the right answer if, when a hazard occurred, we did not repair the trip but left it in a failed state until the next test was due. Testing in this situation is a waste of time as almost all failures are followed by a demand before the next test is due. If you find this example hard to follow, consider the brakes on a car.

3.5.5 Brakes on cars — another example of frequent demands on a trip
Let failure rate f = 0.1/year (a typical figure)
test interval T = 1 year (as required by law)
demand rate D = 10⁴/year (a guess).

Using the formula:

Hazard rate = D × 0.5fT = 10⁴ × 0.5 × 0.1 × 1 = 500/year!

Not even the worst drivers have this many accidents. The true answer is 0.1/year (why?). These two examples show how we can get absurd answers if we substitute figures in a formula (or computer program) without understanding the reality behind them. For another example see Reference 39. So the simple intuitive formula derived in Section 3.5.1 (page 105):

hazard rate = demand rate × fractional dead time

must be incorrect.


3.5.6 A more accurate formula

Hazard rate = f(1 − exp(−DT/2))

where f = failure rate, T = test interval, D = demand rate.

If DT/2 is small, this becomes

Hazard rate = 0.5fDT

If DT/2 is large, this becomes

Hazard rate = f

The exponential formula above is correct only when fT is small and applies only to a single protective system. For n identical systems, all tested at the same time,

Hazard rate = fⁿ Tⁿ⁻¹ [1 − exp(−DT/(n + 1))]

when fT is small. The applicability of the two equations can be understood by looking at Figure 3.5 which shows the relationship between the hazard rate H and demand rate D.

Figure 3.5 The relationship between hazard rate and demand rate (H = f(1 − exp(−DT/2)) plotted against demand rate D)


Table 3.5 Dependence of hazard rate on test interval and demand rate

D           DT        H = ½fDT      H = f(1 − exp(−DT/2))
per year              per year      per year
0.1         0.2       0.001         0.00095
0.2         0.4       0.002         0.0018
0.4         0.8       0.004         0.0033
0.5         1.0       0.005         0.0039
1.0         2.0       0.01          0.0063
5.0         10.0      0.05          0.0099
10.0        20.0      0.1           0.01

When DT = 1 the difference between the two values of H is only about 25% but for higher values of DT the difference increases very quickly.
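To make the arithmetic of Sections 3.5.2 to 3.5.6 checkable, the following Python functions (added here; they are not from the book) implement the intuitive formula H = D × ½fT, the more accurate single-system formula f(1 − exp(−DT/2)) and its n-system generalization, and regenerate Table 3.5 with the table's own assumptions of f = 0.01/year and T = 2 years.

```python
import math


def fdt_single(f, T):
    """Fractional dead time of one protective system with fail-danger failure
    rate f (per year) tested every T years. Failures are random and fT is
    small, so on average the system fails half-way between tests and is dead
    for T/2 in every 1/f years: fdt = (T/2) / (1/f) = 0.5 f T."""
    return 0.5 * f * T


def hazard_rate_simple(f, T, D):
    """Intuitive formula of Section 3.5.1: H = D x fdt = 0.5 f D T (per year).
    It counts every demand in a dead period as a fresh hazard, which overstates
    H badly when DT is large (Sections 3.5.4 and 3.5.5)."""
    return D * fdt_single(f, T)


def hazard_rate_accurate(f, T, D, n=1):
    """Section 3.5.6 formula for n identical systems tested at the same time,
    valid when fT is small:  H = f^n T^(n-1) [1 - exp(-DT/(n+1))].
    For n = 1 this is f(1 - exp(-DT/2)): close to 0.5 f D T for small DT and
    tending to f for large DT, because once the system is dead the first demand
    arrives long before the next test, reveals the fault and gets it repaired."""
    return f ** n * T ** (n - 1) * (1.0 - math.exp(-D * T / (n + 1)))


def years_between_hazards(h):
    """Convert a hazard rate (per year) into 'once in N years'."""
    return 1.0 / h


def table_3_5(f=0.01, T=2.0, demands=(0.1, 0.2, 0.4, 0.5, 1.0, 5.0, 10.0)):
    """Rows of Table 3.5 for a relief valve: (D, DT, H simple, H accurate)."""
    return [(D, D * T, hazard_rate_simple(f, T, D), hazard_rate_accurate(f, T, D))
            for D in demands]


if __name__ == "__main__":
    # Example 1 (3.5.2): relief valve, f = 0.01/year, T = 1 year, D = 1/year
    print("relief valve: once in %.0f years (simple), once in %.0f years (accurate)"
          % (years_between_hazards(hazard_rate_simple(0.01, 1, 1)),
             years_between_hazards(hazard_rate_accurate(0.01, 1, 1))))
    # Example 3 (3.5.4): f = 0.5/year, T = 0.1 year, D = 100/year
    print("frequent demands: %.2f/year (simple) vs %.2f/year (accurate)"
          % (hazard_rate_simple(0.5, 0.1, 100), hazard_rate_accurate(0.5, 0.1, 100)))
    # Brakes (3.5.5): f = 0.1/year, T = 1 year, D = 10**4/year
    print("car brakes: %.0f/year (simple) vs %.1f/year (accurate)"
          % (hazard_rate_simple(0.1, 1, 1e4), hazard_rate_accurate(0.1, 1, 1e4)))
    print("D/year     DT   H=0.5fDT   H=f(1-exp(-DT/2))")
    for D, DT, h_simple, h_accurate in table_3_5():
        print("%5.1f %6.1f %9.4f %13.5f" % (D, DT, h_simple, h_accurate))
```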

Table 3.5 shows how the method used for calculating H becomes increasingly important as DT rises. The figures apply to a relief valve; the failure rate f is assumed to be 0.01/year and the test interval T is assumed to be 2 years.

3.5.7 Two protective systems in parallel
Examples are two 100% relief valves in parallel or two high level trips (see Figure 3.6). Let FA, FB be the fractional dead times of systems A and B. The set points of the two systems are, by accident or design, never exactly the same. Assume A responds first — that is, if A and B are two relief valves, A is set at a slightly lower pressure; if A and B are two high level trips, A is set at a lower level.

Figure 3.6 Two protective systems in parallel (demand rate D)

The demand rate on A = D. The frequency of demands to which A does not respond is FAD. This is the demand rate on B. Therefore it seems at first sight that the fractional dead time of the combined system should be FAFB and the hazard rate should be D FAFB. Actually the fractional dead time is (4/3)FAFB and the hazard rate is (4/3)D FAFB because the demands on B tend to occur towards the end of a proof test interval when there is a more-than-average likelihood that B will have failed.

If A and B are tested at different times the hazard rate can be shown to be 0.83 D FAFB (Reference 40). Like the example in Section 3.5.4, this shows the perils of intuitive mathematics. For another example of non-random demands, see Section 3.6.7 (page 130).

Systems containing two (or more) identical devices in parallel are called redundant. Systems containing two (or more) different devices in parallel are called diverse.

3.5.8 Two protective systems in series
An example is a relief valve and a bursting disc in series (Figure 3.7). ('Failure' of a bursting disc in this context means failure to burst when the required bursting pressure is reached.) If A or B fails the system is dead. The fdt of the whole system = FA + FB − FAFB, or FA + FB (if FA, FB are small). If we connect in series many items of equipment each of which has a high reliability — that is, a low fractional dead time — the overall system may be very unreliable. For example, if there are 10 items and each has an fdt of 0.05, the overall fdt will be about 0.4. For this reason, in high-risk situations, novel systems take a long time to become established and proven designs of aircraft and nuclear reactors continue to dominate the market (Reference 75).

Figure 3.7 Two protective systems in series (A and B; demand rate D)


Figure 3.8 Fault trees with 'AND' gates (for example, 'pressure rises 1/year' AND 'relief valve dead' gives 'vessel overpressured'). Note that a frequency is multiplied by a probability.

3.5.9 Fault trees
Fault trees are widely used in Hazan to set down in a logical way the events leading to a hazardous occurrence. They allow us to see the various combinations of events that are needed and the various ways in which the chain of events can be broken. They allow us to calculate the probability of the hazardous event from other probabilities that are known. Some examples of fault trees are shown in Figures 3.8 and 3.9 (page 114). In drawing a fault tree we start on the left with the hazardous event; for example, that common industrial hazard a free meal* (the logic is the same if you regard it as a desirable event) or the overpressuring of a vessel. Some people start at the top instead of the left so the hazardous event is often called the top event. We then work from left to right (or top to bottom) drawing in the various events that lead up to the top event. Then we work back inserting numbers and estimate the frequency of the top event. The points at which two branches of a tree join are known as gates; they can be 'AND' or 'OR' gates.

* Not a problem in universities.

Figure 3.8 shows two examples of 'AND' gates. Both a meeting with lunch AND an invitation are required for a free meal. Note that a frequency is multiplied by a probability. A common beginner's mistake is to multiply two frequencies. Two or more probabilities can be multiplied together (as in Section 3.5.7, page 111). In Figure 3.9 the fault trees have been extended and 'OR' gates are shown. We need visitors or a training course but not both to get a free meal. Note that at an OR gate the two rates are added (or two or more probabilities as in Section 3.5.8, page 112). In practice we stop drawing when we have data for the frequency of the events or the probability of the conditions on the right (or the bottom) of the tree. Suppose we are asked to revise Figure 3.9(a). We examine records for 10 years, carry out a regression analysis, allow for the effect of the changing economic situation and conclude that the visitor rate is more likely to be 12/year or 20/year instead of 15/year. The effect on the frequency of the top event is negligible. Similarly, detailed study may show that instead of 5

Figure 3.9 Fault trees with 'AND' and 'OR' gates (panels (a) and (b); top event at the left). Note that frequencies are added at the 'OR' gates.


training courses per year we should expect 3, or perhaps 8. Again, the effect on the final answer is small. The number of free meals is between 1.5 and 2.8/year and is unlikely to be near these limits. A more serious source of error is that we have overlooked the fact that some visitors may stay to dinner. If half of them do and the probability of an invitation is the same, the free meal rate rises to 2.75/year. More serious still, suppose a new boss decides that all the staff should meet together over a free lunch once per week for an informal discussion. The free meal rate rises to 48/year (assuming 4 weeks holiday) + 2/year from other causes = 50/year. Our original result is out by a factor of 25! This simple example shows that most errors in Hazan are not due to errors in the data but to errors in drawing the fault tree, to a failure to foresee all the hazards or all the ways in which the hazard could arise. Time is usually better spent looking for all the hazards and all the sources of hazard than in quantifying with ever greater precision those we have already found. There is another example of an unforeseen error in Section 4.4, page 158. In Figures 3.8 and 3.9 we assume that the probability of being invited to lunch is the same for the two sorts of lunch. This may not be so. In Figure 3.10, Figure 3.9(a) has been redrawn to allow for the fact that the probability of being invited to lunch with visitors may be different to the probability of being invited to lunch with a training course.

Figure 3.10 Figure 3.9(a) redrawn to show different probabilities on different branches


An industrial equivalent might be that the probability that an operator will take the correct action when an alarm sounds is not fixed, but differs for different alarms. Some alarms might be more noticeable or he might be trained to pay more attention to them. It may be useful to summarize what has been said about 'AND' and 'OR' gates. At school we were taught that AND means add. Remember that in drawing fault trees:

• OR means add
• AND means multiply (as in probability calculations).

As already stated, estimating hazard rates is not the only use of fault trees. They help us think out all the ways in which the hazard can arise and they show us which branches of the tree contribute the most towards the hazard rate. They show us how we can reduce the hazard rate and which methods will be most effective. For example, in the case of the free meal, we can reduce the hazard rate, the number of free meals per year, by reducing the number of visitors or the number of training courses or by reducing the probability that we shall be invited. We also see that halving the number of visitors will be more effective than halving the number of training courses. In accountancy the figure produced at the end of a calculation, the bottom line, is the one that counts. Risk assessment is different. The way the final figure, the frequency of the top event, is derived is as important, perhaps more important, than the figure itself (Reference 76). To prevent confusion between rates and probabilities, always enter the units when drawing fault trees. If we are not clear whether the figure for the top event is a rate or a probability we cannot draw the tree correctly. The first time Figure 3.9(a) was published the editor thought that '/year' had been omitted from the 'invitation' box in error, as it appeared in every other box, so he inserted it! Some authors suggest that we should write '/demand' after fractional dead times, as I have done in Figure 3.10. Confusion over units is a common mistake in Hazan as a whole, not just in drawing fault trees. I consider this further in Section 4.2, page 153. Another common error is confusing rates and duration. In one of the Andy Capp cartoons the eponymous hero was asked if it rained during a week he spent in the Lake District. He said it rained twice, 'Once for three days and once for four days'. The rate was low, twice per week, but the fractional dead time for dry weather was almost 100%.

As an exercise draw a fault tree for 'car fails to start'. Many people produce fault trees like Figure 3.11. A better one is shown in Figure 3.12. The need to take human failures into account as well as equipment failures is discussed further in Section 3.7, page 130.
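The AND/OR and rate/probability rules of Section 3.5.9 can be enforced mechanically. The Python below is an added example (not from the book): a small evaluator whose gates refuse the beginner's mistakes, multiplying two frequencies or adding a frequency to a probability, and which reproduces the free-meal figures for Figure 3.9(a). The invitation probability of 0.1 is an assumption: it is the value implied by the 2/year result quoted in the text.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Rate:
    """A frequency in occasions per year, e.g. 'visitors 15/year'."""
    value: float


@dataclass(frozen=True)
class Probability:
    """A dimensionless probability, e.g. a fractional dead time ('/demand')."""
    value: float

    def __post_init__(self):
        if not 0.0 <= self.value <= 1.0:
            raise ValueError("probability out of range: %r" % self.value)


def gate_and(*inputs):
    """AND gate: multiply. A frequency may be multiplied by probabilities
    (giving a frequency) and probabilities by probabilities (giving a
    probability); multiplying two frequencies has no meaning and is rejected."""
    rates = [x for x in inputs if isinstance(x, Rate)]
    probs = [x for x in inputs if isinstance(x, Probability)]
    if not inputs or len(rates) + len(probs) != len(inputs):
        raise TypeError("AND gate inputs must be Rate or Probability")
    if len(rates) > 1:
        raise ValueError("AND gate: cannot multiply two frequencies")
    p = prod(x.value for x in probs)
    return Rate(rates[0].value * p) if rates else Probability(p)


def gate_or(*inputs):
    """OR gate: add. Frequencies add directly; probabilities combine as
    1 - (1-p1)(1-p2)..., i.e. FA + FB - FA*FB for two inputs (Section 3.5.8).
    A frequency and a probability cannot be added."""
    if inputs and all(isinstance(x, Rate) for x in inputs):
        return Rate(sum(x.value for x in inputs))
    if inputs and all(isinstance(x, Probability) for x in inputs):
        return Probability(1.0 - prod(1.0 - x.value for x in inputs))
    raise ValueError("OR gate inputs must be all frequencies or all probabilities")


def overpressure_rate(pressure_rises_per_year, relief_valve_fdt):
    """Figure 3.8: vessel overpressured = pressure rises AND relief valve dead."""
    return gate_and(Rate(pressure_rises_per_year), Probability(relief_valve_fdt)).value


def free_meal_rate(visitors, courses, p_invited, dinners=0.0, staff_lunches=0.0):
    """Figure 3.9(a): free meal = (visitors OR training courses [OR dinners])
    AND invited, OR a weekly staff lunch to which everyone is invited.
    All arguments except p_invited are per year."""
    meals_with_guests = gate_or(Rate(visitors), Rate(courses), Rate(dinners))
    invited = gate_and(meals_with_guests, Probability(p_invited))
    return gate_or(invited, gate_and(Rate(staff_lunches), Probability(1.0))).value


if __name__ == "__main__":
    print("overpressure: %.3f/year" % overpressure_rate(1.0, 0.005))
    print("free meals, base case: %.2f/year" % free_meal_rate(15, 5, 0.1))
    print("visitor rate 12 or 20: %.2f .. %.2f/year"
          % (free_meal_rate(12, 5, 0.1), free_meal_rate(20, 5, 0.1)))
    print("both inputs at their limits: %.2f .. %.2f/year"
          % (free_meal_rate(12, 3, 0.1), free_meal_rate(20, 8, 0.1)))
    print("half the visitors stay to dinner: %.2f/year"
          % free_meal_rate(15, 5, 0.1, dinners=7.5))
    print("weekly staff lunch added: %.0f/year"
          % free_meal_rate(15, 5, 0.1, staff_lunches=48))
    try:
        gate_and(Rate(15), Rate(5))  # the beginner's mistake
    except ValueError as err:
        print("rejected:", err)
```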


Figure 3.11 Fault tree for 'car fails to start'

Figure 3.12 Revised fault tree for 'car fails to start' (the equipment branches are extended with 'operator error' and 'operator untrained' causes)


3.5.10 Redundancy and voting systems
As well as fail-danger faults, there are the so-called fail-safe faults or spurious trips — the protective equipment operates although there is no hazard. For example, a relief valve lifts light or a high level trip operates when the level is normal. I say 'so-called' because they may be unsafe in other ways; they may result in a discharge to atmosphere or an unnecessary sudden shutdown of the plant, which may cause a leak. They give protective systems a bad name and make them unpopular with plant operators who may be tempted to bypass them (see later). The 1996 Channel Tunnel fire provides a good example of the hazards of some 'fail-safe' designs. Heavy road vehicles are carried through the tunnel on railway wagons. These are fitted with supports (props) which are lowered when vehicles are being loaded and unloaded. If a prop descends at other times, an alarm sounds in the driving cab and the driver is instructed to stop the train. If a fire occurs drivers are instructed not to stop until they are out of the tunnel. Soon after the fire alarm sounded another alarm indicated that a prop had dropped. The driver then had contradictory instructions and decided to stop the train (as a dropped prop might derail it). The prop had not dropped, the alarm was spurious and stopping the train greatly increased the damage to the train and to the tunnel. The official report is not entirely clear but it seems likely that the prop alarm was the result of damage to the alarm system by the fire and that the alarm system had been designed to 'fail safe' if an alarm occurred. It is highly improbable that a random failure occurred by coincidence during the fire (References 77, 78). Fail-safe failures may be safe in one respect but hazardous in another. Table 3.6 shows how the fractional dead time depends on the fail-danger fault rate f and fail-safe fault rate S when there is some duplication of the protective system.

This is called redundancy if the protective systems are the same or diversity if they are different. For example, two level measuring devices on a tank is an example of redundancy while a level measuring device combined with a device for measuring the weight of liquid in the tank is an example of diversity. Section 3.5.7 (page 111) explains why the fractional dead time of a 1-out-of-2 system is ⅓f²T² and not ½fT × ½fT = ¼f²T². Similar arguments apply to the other systems (Reference 40). In a 1-out-of-2 system the trip operates if either of two devices indicates a hazard — for example, a high level. A 1-out-of-3 system is similar. The whole trip, including the valve, may be duplicated (or triplicated) but often only the measuring instrument is duplicated (or triplicated). A 2-out-of-3 system (last line) is an example of a voting system. Two out of three measuring instruments have to indicate a hazard before the trip operates.


Table 3.6 Hazard rates for various combinations of protective systems

System          Faults/year                  Fractional dead time
                Fail-safe     Fail-danger    (simultaneous testing)
1-out-of-1      S             f              ½fT
1-out-of-2      2S            f²T            ⅓f²T²
1-out-of-3      3S            f³T²           ¼f³T³
2-out-of-3      3S²T          3f²T           f²T²

Only the measuring instruments are 2-out-of-3, not the valve. The valve may, of course, be duplicated (or even triplicated) if this is necessary to achieve the required reliability. Voting reduces the fail-safe or spurious trip rate and is used when spurious trips would upset production. It does not give increased safety. A 1-out-of-2 system is three times safer than a 2-out-of-3 system. It is helpful to remember that fail-safe faults are normally disclosed as soon as they occur. They result in a spurious trip. But fail-danger faults remain hidden (latent, or unrevealed) until there is a test or demand. The formula 3S²T for the fail-safe faults/year of a 2-out-of-3 system assumes that the faults are not disclosed. In practice, a single fault signal usually sounds an alarm and the fault is thereby disclosed. If this is the case, then instead of the test interval T the repair time should be used in the formula (or, more precisely, the time from the alarm sounding to the completion of the repair). On both voting and non-voting systems it is sometimes possible, by a change in design, to turn a hidden fault into a revealed one. For example, the failure of an alarm bell or hooter is hidden. If it fails, it is out of action until it is tested and repaired. We test frequently and accept a small chance that we may not know when an alarm occurs. If we want greater reliability, then instead of a bell that rings when an alarm is signalled we can have a device that sounds continually but becomes louder when there is an alarm. If the sound stops, we know something is wrong. Another example: failure of the front light on a bicycle is noticed at once; failure of the rear light is not. If the two lights are in series, failure of either is noticed (but then we have no lights at all) (Reference 79). Before installing voting systems to reduce spurious trips we should check that the spurious trips are due to the inherent features of the instrumentation
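The closed forms in Table 3.6, the ⅓f²T² result of Section 3.5.7 and the series rule of Section 3.5.8 can all be checked numerically. The Python below is an added example, not from the book: it averages, over one test interval, the probability that a k-out-of-n system is dead, assuming the units fail independently at random with fT small and are all tested together, and compares the result with the table, with the naive product of fractional dead times, and with the series formula.

```python
from math import comb


def fdt_k_out_of_n(f, T, n, k, steps=20000):
    """Time-averaged fractional dead time of a k-out-of-n protective system.
    Assumptions (as in Table 3.6): n identical units with random fail-danger
    rate f per year, all tested at the same time every T years, fT small, so
    at time t after a test each unit is dead with probability f*t. The system
    is dead when fewer than k units work, i.e. at least n-k+1 are dead; the
    average over the interval is taken by the midpoint rule."""
    dead_needed = n - k + 1
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * T / steps
        p = f * t
        total += sum(comb(n, j) * p ** j * (1.0 - p) ** (n - j)
                     for j in range(dead_needed, n + 1))
    return total / steps


def table_3_6_fdt(f, T):
    """Closed-form fractional dead times of Table 3.6 (leading term in fT)."""
    return {
        "1-out-of-1": 0.5 * f * T,
        "1-out-of-2": f ** 2 * T ** 2 / 3,
        "1-out-of-3": f ** 3 * T ** 3 / 4,
        "2-out-of-3": f ** 2 * T ** 2,
    }


def naive_parallel(*fdts):
    """The intuitive product FA*FB of Section 3.5.7, which is wrong for
    simultaneously tested systems (the true value is 4/3 of it)."""
    out = 1.0
    for F in fdts:
        out *= F
    return out


def fdt_series(*fdts):
    """Section 3.5.8: items in series are all needed, so the system is dead if
    any one is dead: 1 - (1-F1)(1-F2)..., i.e. FA + FB - FA*FB for two."""
    alive = 1.0
    for F in fdts:
        alive *= 1.0 - F
    return 1.0 - alive


if __name__ == "__main__":
    f, T = 0.5, 0.02  # trip with 0.5 fail-danger faults/year, tested weekly
    closed = table_3_6_fdt(f, T)
    layouts = {"1-out-of-1": (1, 1), "1-out-of-2": (2, 1),
               "1-out-of-3": (3, 1), "2-out-of-3": (3, 2)}
    for name, (n, k) in layouts.items():
        print("%s: integrated %.3e   Table 3.6 %.3e"
              % (name, fdt_k_out_of_n(f, T, n, k), closed[name]))
    single = 0.5 * f * T
    print("naive FA*FB for 1-out-of-2: %.3e, true/naive = %.2f"
          % (naive_parallel(single, single),
             fdt_k_out_of_n(f, T, 2, 1) / naive_parallel(single, single)))
    print("10 items in series, each fdt 0.05: overall fdt %.2f"
          % fdt_series(*[0.05] * 10))
```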


and not to some other factor such as poor testing or maintenance. For example, in 1984 84% of the trips on US nuclear power stations were spurious but half of them occurred on only 10% of the plants; this suggests that standards on these plants were lower than on others. (In the worst incident several people were nearly drowned when water sprays, equivalent to 60 inches of rain per hour, operated inside a containment building (Reference 41).) Rushton (Reference 50) has devised a systematic procedure for deciding which trip system configuration (1-out-of-1, 1-out-of-2, 2-out-of-3, and so on) is most suitable for a particular application.

3.6 Pitfalls in Hazan
So far the methods of Hazan appear straightforward. But a number of pitfalls await the unwary. Two are discussed in Sections 3.5.4 (frequent demands) and 3.5.9 (fault trees) on pages 108 and 113. Others are discussed below. We start with data. Although errors in data, as shown in Section 3.5.9 on page 113, are not the most important errors, they nevertheless do occur and we should be on the lookout for them. Chapter 6 gives some information on sources of data.

3.6.1 Data may be inapplicable
For example, published data on pumps may apply to different types, liquids, pressures, temperatures, corrosivities, and so on. If we use the data without checking that conditions are similar, we may introduce serious errors. Leakage rates from flanged joints in a factory handling a corrosive chemical were found to be many times higher than in a factory handling clean petroleum liquids. In a study of a cross-country sulphuric acid pipeline, failure rates for other cross-country pipelines were at first used. It was then realized that the failure mechanism was quite different, because a major cause of corrosion in sulphuric acid pipelines is turbulent scouring of the protective sulphate film that forms on the inside of the pipelines (Reference 80). Instruments are similar wherever they are installed and their failure rates in different industries are unlikely to differ by a factor of more than 3 or 4 (Reference 7). This is not true of mechanical equipment. Sections 4.6 and 6.4 (pages 160 and 197) have more to say on this. Note that a failure rate that is acceptable for one application may be quite unacceptable for another. A man drove 30,000 miles/year on business. His car broke down 3 times/year, usually far from home, so he discarded it as unreliable, bought another and gave the old one to his wife. She drove 3000 miles/year. The car broke down, near home, once in 3 years. She found it quite satisfactory.


3.6.2 Data apply to the past
Designs change, and not necessarily for the better. For example, a component in an instrument might be made nowadays of aluminium alloy or plastic instead of steel. The manufacturer regards the change as trivial and does not tell his customers. But the new component fails more frequently or sooner than the old one. A plant contained equipment to restart it automatically if power failed and was restored within 0.1 second. The manufacturer of the equipment, without telling anyone, changed the delay time to 1 second. This led to an explosion. Data on the frequency of fires on equipment (for example, storage tanks) or plants (for example, ammonia plants) may be no longer valid as people may have learnt the lessons of past fires and changed the designs or methods of operation. I have often complained that organizations soon forget the lessons of the past and allow accidents to recur, but it would be going too far to say that organizations never remember.

3.6.3 Data affected by maintenance or operating policy
On beverage vending machines, for every 100 'demands':

• the right drink was obtained 94 times; and
• the wrong drink was obtained 6 times.

Therefore the FAILURE RATE = 6%. Before we assume that better machines are needed, let us see how the failure rate is made up. Wrong drink includes cold drinks, no drinks, short measures, and so on. (We must always define what is meant by a failure.)

(a) Two of the failures in every 100 were due to the operator pressing the wrong button. Therefore:

OPERATOR FAILURE RATE = 2%
MACHINE FAILURE RATE = 4%

Better mechanical reliability will therefore remove, at the most, two thirds of the faults. To remove the others we would have to look at the factors which affect operator error (such as better layout of the panel, locating the machine where distraction is less, and so on).

(b) 98 demands in every 100 were made on machines in the office and there were 2 failures. The remaining 2 demands were made on machines in a local entertainment centre and every demand (2% of the total) resulted in a failure. Therefore:


OPERATOR FAILURE RATE = 2%
MACHINE FAILURE RATE — OFFICE = 2%
MACHINE FAILURE RATE — ENTERTAINMENT CENTRE = 100%

This shows that misleading results can be obtained if we group together widely differing data. For example, you can drown in a lake of average depth 6 inches (Figure 3.13). A similar error was made by a politician who said, '... provisional laboratory identifications of Salmonella infections in humans amounted to 24,000 cases in 1988 ... other figures suggest that half of these were due to a strain associated with poultry and eggs', and went on to imply that action was therefore necessary to counter the infection in eggs (Reference 42). However, many people believed that nearly all the infections were due to poultry. According to one estimate only one egg in 7000 was infected. Similarly, the former Albanian dictator Enver Hoxha was quoted in the press (Reference 43) as saying, 'Together with the Chinese, the Albanians form one quarter of the world's population.'

(c) One failure was due to a broken cup. Therefore:

OPERATOR FAILURE RATE = 2%
FAILURE RATE DUE TO RAW MATERIAL QUALITY = 1%
MACHINE FAILURE RATE — OFFICE = 1%
MACHINE FAILURE RATE — ENTERTAINMENT CENTRE = 100%

Figure 3.13 Cartoon: 'Like statistics, you can drown in a lake of average depth 6 inches'


We now see that a more reliable machine would reduce the failure rate by only 1%. We could do as well by buying better cups or perhaps by redesigning the panel to reduce operator error. Are the machines at the entertainment centre of a type that are more liable to break down or is the management — the system for reporting and repairing faults — different? Perhaps the users treat the machines differently. Here is a more technical example of the way in which data can be affected by maintenance policy. Bellows were found to fail at a rate of 1 in 50 per year. Most of the failures did not result in large leaks but they caused shutdowns and loss of production. The failure rate seems high. Do we need a better product? Analysis of the failures showed that some were due to specifying the wrong material of construction but most were due to poor installation. The failure rate does not give us information about bellows but information about the engineers who specify and install them. Data on the failure rate of mechanical equipment is often really data on the failure rate of people (see Section 6.4, page 197). If we wish to reduce the failure rate we should:

• specify material of construction correctly;
• take more care over installation.

The first should not be difficult but the second is difficult. In practice bellows should be avoided when possible (by building expansion bends into the pipework) and more care taken over the installation of those we have. A man had three Ford cars and crashed each of them, so he decided to try another make. Does this tell us something about Ford cars or about the man? In the extreme, failure rates may not tell us anything about the equipment but instead may tell us how often the equipment experiences circumstances it cannot survive. A common cause of the failure of cross-country pipelines is damage by excavation machines.

3.6.4 The impossibly low fractional dead time — redundancy and diversity
Consider a 1-out-of-3 trip system. Assume that the fractional dead time of each system = 10⁻². Then the fractional dead time of the total system

= 2 × (10⁻²)³ = 2 × 10⁻⁶

(that is, 1 minute per year). It would be 10⁻⁶ if testing were staggered (see Section 3.5.7, page 111). Do we really believe that our instrument engineers can provide us with a protective system that is dead for only 1 minute per year? This calculation is wrong as it ignores two factors:

(a) The time the trips are out of action for testing.


(b) Common mode failures. For example, all three instruments are from the same manufacturer's batch and have a common manufacturing fault, all three instruments are affected by contaminants in the instrument air or process stream, all three impulse lines are affected by mechanical damage or flooding of a duct, or all three instruments are maintained by the same man who makes the same error. Two or three protective systems are never completely independent. Therefore, we assume that the fractional dead time of a redundant system is never less than 10⁻⁴ (that is, 1 hour per year) and is often only 10⁻³ (that is, 10 hours per year). As we can get 10⁻⁴ with two trips, a third trip is not worth installing (except as part of a voting system). For example, wearing a second pair of braces attached to the same buttons may reduce the chance of our trousers falling down. Failure of the buttons (the common mode) is now the biggest cause of failure and adding a third pair of braces, attached to the same buttons, will make no further improvement. With a diverse system (that is, one in which the approach to a hazardous condition is measured in different ways, say by a change in an analysis, a change in pressure and a change in temperature), 10⁻⁵ (6 minutes per year) may be possible with an extremely complex protective system (Reference 44). For example, belt and braces are better than two pairs of braces. This example illustrates the perils of using thorough mathematics and ignoring practicalities. Another example of a common mode failure is shown in Figure 3.14(a), (b) and (c). A pressure switch installed on a fire water main switches on a pump when the pressure falls. The failure rate f is 0.8/year, the test interval T is 0.1 year and the demand rate D is 10/year. The hazard rate H, the frequency with which the pump fails to start on demand,

= D × 0.5fT = 10 × 0.5 × 0.8 × 0.1 = 0.4/year or once in 2.5 years

or once in 3.2 years if we use the more accurate formula in Section 3.5.6 (page 110).

The system shown in (b) was therefore installed. The hazard rate fell to only once in 4 years as the most likely reason for failure of the pressure switch is choking of the impulse line. The system shown in (c) has a hazard rate of once in 77 years. Watch out for phoney redundancy — parallel or series systems that look as if they are duplicated but the duplication is ineffective. Here are three examples.

• Two bursting discs were installed in series so that the failure of one (below the intended failure pressure) would not interrupt production. The upstream



124

HAZARD ANALYSIS (HAZAN)

Firewatermain

(a)

Fire watermain

* (h)

Fire watermain

Figure 3.14 A commonmodefailure; (h) is little more reliable than (a); (c) is better

one was accidentally installed upside down and it rupturedat a low pressure. The second disc was then ruptured by the shock wave and pieces of the first disc8'

• The casing of the Challenger space shuttle was made in two parts, with an O-ring seal between the two parts. Realizing that the O-rings were weak features, the designers decided to duplicate them. However, this was ineffective as one ring in a pair is liable to be gripped more tightly than the other [83].

• If two devices, connected in series or parallel, are tested as a pair then failure is not detected until both have failed. For example, if there are two valves in series and we wish to check that they are isolating, we should check them individually. If we check them as a pair we are not getting the full advantage of redundancy. Two valves in parallel can, of course, be tested as a pair if we wish to check that both are isolating, but not if we wish to check that neither is blocked. Several incidents have occurred on US nuclear power stations because duplicate systems were tested as a unit [84].

HAZOP AND HAZAN

Redundancy and diversity are effective when failures are random. They are less effective when failures are due to wear (see Section 3.6.7, page 130) and least effective when failures are systemic. For example, if failure is due to corrosion two identical systems will corrode at the same rate. Two diverse systems made, say, from different materials of construction, may give extra protection but they may both corrode. The ultimate example of a systemic failure is an error or ambiguity in an instruction (to people or computers). People may (and often do) say, 'This can't be right, whoever wrote it must mean something else'; computers can't.

3.6.5 More about common mode failures

What is wrong with the trip system shown in Figure 3.15? The pressure in the vessel is measured by the pressure transmitter (PT) and controlled by the pressure indicator controller (PIC) which adjusts the setting on the motor valve. If this control system fails to work and the pressure rises above the set point, then the high pressure switch and trip (PSZ) operate to close the motor valve. At the same time the high pressure alarm (PAH) operates.

Figure 3.15 Original trip system. What is wrong with it? (Key: process, electric and pneumatic connections; solenoid operated valve)

This trip system is almost useless. The most likely causes of the pressure in the vessel getting too high are:

(1) Failure of the pressure transmitter (PT) or choking of the impulse line. If either occurs the trip will not know there is a high pressure in the vessel.

(2) Motor valve sticks open. In this case the trip will know that there is a high pressure in the vessel and will send a signal to the motor valve, but the motor valve will not respond.

(3) Failure of the pressure indicator controller (PIC). In this case the trip will work.

(3) is less likely than (1) or (2) as the PIC is in the clean atmosphere of the control room while the PT and valve are out on the plant. The trip will therefore operate on less than one third of the occasions when we want it to operate. Such a trip is not worth having. It is neither 'nowt nor summat'. It may do more harm than good, as we may expect it to operate and not watch the pressure so closely.

The system shown in Figure 3.16 has a high reliability. The high pressure trip and alarm (PSZAH) has an independent connection to the vessel and operates a separate motor valve. There is a cross-connection to the control valve. A high pressure switch (PS) and pre-alarm (PA) give a warning that the pressure is approaching the trip setting and allow the operator to take action. This pre-alarm will operate if the rise in pressure is due to failure of the pressure indicator controller (PIC) or motor valve but not if it is due to failure of the pressure transmitter (PT). If a high pressure occurs the pre-alarm will operate on about two occasions out of three and the trip on almost all occasions.

Figure 3.16 Modified trip system

The system shown in Figure 3.16 is expensive. That shown in Figure 3.15 may have been a compromise between no trip and the design shown in Figure 3.16, but it is a compromise that is worse than either extreme.

Another example of common mode failure: a group of chemical factories believed that power failure was impossible as their supply was duplicated. They did not realize that both supplies came from the same 132 kV overhead power lines. A fire in a warehouse underneath the power lines caused a complete loss of power and several incidents in the chemical factories, including a fire [51].

3.6.6 Designer's intentions not followed

The tank shown in Figure 3.17 was filled once/day. Originally the operator switched off the pump when the tank was full. After 5 years the inevitable happened. One day the operator allowed his attention to wander and the tank was overfilled. A high-level trip was then installed. To everyone's surprise, the tank was overfilled again after 1 year.

Figure 3.17 Tank fitted with high level trip

The trip had been used as a process controller to switch off the pump when the level rose to the set point. The operator no longer watched the level. The manager knew this and thought that better use was being made of the operator's time. When the trip failed, as it was bound to do after a year or two, another spillage occurred.

It is almost inevitable that the operator will use the trip in this way. We should either remove the trip and accept an occasional spillage or install two trips — one to function as a process controller and one to act when the controller fails. The single trip increased the probability of a spillage.

In this example and the last one we saw that no trip was a reasonable solution and so was a good trip. The compromise solution was a waste of money. On occasions either of two extremes makes sense but a compromise does not. (Because this is true of instrumentation do not assume it is true elsewhere.)

A similar incident occurred on a plant in which a delivery tank was filled frequently from a suction tank. To reduce effort, the operators switched off the pump between transfers but did not close any valves. They relied on a non-return valve to prevent reverse flow. Inevitably, one day the non-return valve failed (a piece of wire had become trapped in it) and reverse flow occurred from the delivery tank, backwards through the pump to the suction tank, which was overfilled.

If we increase the demand rate on a protective system we increase the failure rate. When more protective systems are added to a plant there may be a tendency for operators to increase the demand rate on them and if they do we may soon be back with the old failure rate. For example, suppose a high temperature alarm is added to a reactor. The operator may say, 'There is no need to watch the temperature now. The alarm will do it for me'. The extra equipment has then achieved nothing except more expense and more equipment to maintain.

It is a useful exercise to calculate the hazard rates of our trip systems, from failure rates, demand rates and test intervals (as described in Section 3.5.3, page 107). We may find that to get an acceptable hazard rate we have to assume that nine out of ten deviations are spotted by operators before the trip operates. Do operators realize this? Do managers realize this?

If we comment on a design and the designer says, 'Don't bother me with it now. Bring it up at the Hazop', we are increasing the demand rate on the Hazop. The chance that the meeting will miss something increases. Hazop should be a final check that nothing has been missed, not an occasion to discuss known weaknesses in the design (see Section 2.4.7, page 33).


3.6.7 Non-random failures

A new plant had two 100% compressors (one working, one spare). The failure rate and the time required for repair were known. Calculation showed that if failures are random, the off-line time would be 0.04% (3 hours per year). The actual off-line time was 1.8% (144 hours per year). Why? The failure rates and repair times were as expected but the failures were not random; most occurred soon after a compressor had been put on line. This may have been due to wrong diagnosis of the fault, installation of wrong parts or incorrect re-assembly. Mathematical techniques (Weibull analysis) for handling non-random failure are available if the need to use them is recognized [5].

Most machinery, perhaps all equipment with moving parts, seems to fail in a non-random way. One study showed that valve failure is due to wear [45]. Motor cars provide another example of non-random failure — they are more likely to require attention during the week after servicing than at any other time. If you had two cars (one working, one spare) and one had just been serviced, would you leave it unused until the other broke down or required servicing? Equipment after repair is as bad as new, rather than as good as new.

Non-random incidents can be due to non-random demands as well as non-random failures of equipment. A study showed that bank cash machines failed to operate when required on 17% of the occasions on which they were used. The banks said that the non-availability of the machines was only half this figure. The banks quoted an average availability round the clock but the trials measured the availability at the time of use. Usage is heavy at weekends when there is usually no-one available to repair or refill the machines [46]. There is another example of non-random demands in Section 3.5.7, page 111.

3.7 The man or woman in the middle

Figure 3.18 illustrates a common plant situation. When the alarm sounds the operator has to go outside and close a valve within, say, 10 minutes. The reliability of the alarm is known. If it is too low it is easy to improve it by adding redundancy or diversity, that is, by adding in parallel identical components or different components capable of performing the same function (see Section 3.5.10, page 118). The reliability of the valve is known roughly and if we do not think it is high enough we can use a better quality valve or two valves in series. But what about the reliability of the operator? Will he always close the right valve in the required time? At one time people assumed he would — or should. If he did not he should be told to pay more attention. Other people have gone to the other extreme and said that sooner or later all operators make errors and therefore we need fully automatic equipment. Both these extremes are unscientific. We should not say, 'The operator always should' or 'The operator never will' but ask why he does not always close the right valve in the required time and how often he will do so.

Figure 3.18 Reliabilities in a man/machine system

                                  Reliability         Easy to improve?
Alarm                             Known accurately    Yes
Operator (the man in the middle)  ?                   ?
Valve                             Known roughly       Yes

The failure to close the valve in the required time may be due to lack of training or instructions (mistakes: he does not know he should do so), to a deliberate decision not to do so (violations), to lack of physical or mental ability or (and this is the most likely reason) to a momentary slip or lapse of attention. It is difficult to estimate the probability of the first three causes (but see later), though we can assume that failures for these reasons will continue in an organization at the same rate as in the past, unless there is evidence of change. Violations would be better called non-compliances as many (and perhaps most) of them are due to a genuine belief that the rules are unnecessary or inappropriate and that there is a better method of doing the job.

The probability of a slip or lapse of attention can be estimated roughly. The answer will depend on the degree of stress and distraction and the suggestions in Table 3.7 (page 132) may help us make a judgement. In carrying out a familiar routine, such as starting up a batch reactor, a typical failure rate is 1 in 1000 for each operation (for example, close valve). Some of these failures will be immediately apparent but others will not [9].

Note that the figures in Table 3.7 assume that the operators are well trained, capable and willing. As already stated, it is difficult to give a figure for the probability that this assumption is correct; it can vary from 0 to 1 depending on the policy of the company. We can however make a rough estimate of the probability that a man will have a moment's aberration, as we all do in everyday life, and forget to carry out a prescribed task (see Section 4.7, page 162).




Table 3.7 Suggested human failure rates

1 in 1      When complex and rapid action is needed to avoid a serious incident. The operator will not really be as unreliable as this but he will be very unreliable and we should assume this figure and install fully automatic systems.

1 in 10     In a busy control room where other alarms are sounding, the telephone is ringing, people are asking for permits-to-work, and so on.

1 in 100    In a quiet control room, for example, a storage area control room if the man is present.

            A figure between these last two may be estimated.

1 in 1000   If the valve to be closed is immediately below the alarm.

It must also be remembered that not all tasks can be prescribed. Sometimes the operator has to diagnose the correct action from the alarm and other instrument signals and may not do so correctly, particularly if the instruments are not reading correctly. This happened at Three Mile Island [10].

Poor management may result in neglect and a high rate of equipment failure. A method proposed for allowing for this is to multiply generic hardware failure rates by a factor between 0.1 and 10 which is a measure of the competence of the management. The factor is derived from an audit using a standard set of questions [85]. In a more advanced method developed by Hurst et al. [86] a detailed analysis of the underlying causes of various types of failure is used to weight the audit factor. For example, according to the authors 24% of vessel failures could be prevented by human factor reviews. In deriving the audit factor for vessel failures the audit marks for human factors are weighted accordingly.

This method does provide a possible way of making some allowance for the fact that employees may be poorly trained, instructed or supervised, lack motivation, or do not have the necessary ability. It is rough justice, however, as managers may not be uniformly weak in all these areas. More importantly, better management will have little effect on slips and lapses of attention, which are due to innate weaknesses in human nature. To prevent them, or make them less likely, we have to remove or reduce opportunities for human error, a task for designers as well as managers. We can estimate the frequency of slips and lapses of attention from data such as those in Table 3.7. Like all Hazans, data derived from these studies may not be accurate but may pinpoint the areas in which improvement will be most effective.

Finally, remember that installing a fully-automatic system does not remove our dependence on people. Instead of relying on the operator we are now dependent on the people who design, install, test and maintain the fully automatic equipment. They also make errors. They work under conditions of less stress so we may improve the overall reliability by installing fully-automatic systems but we should not kid ourselves that we have removed our dependence on people. For a fuller discussion of human error, see Reference 9.

3.8 Examples of Hazan

The descriptions which follow are typical of Hazans carried out today. They include well-defined problems using good data, mainly on instruments (for example, Sections 3.8.2 and 3.8.5 and those referenced in 3.8.9), and less well-defined problems where order-of-magnitude accuracy is the best that can be expected (for example, Sections 3.8.4 and 3.8.6), though conclusions should err on the safe side. Sections 3.8.1 and 3.8.3 lie between these two extremes (see also Section 6.3, page 196).

3.8.1 A better protective system or a better material of construction?

A plant [47] handled ethylene gas at −100°C. After construction was complete, it was realized that instrument failure could result in the cold gas reaching some mild steel pipework. If it did, the pipework might fracture and the gas would then escape and might ignite. Two methods of protection were considered: replacing the mild steel by stainless steel at a considerable cost or improving the trip system at one quarter of the cost. The improved trip system contained three independent layers of protection (see Figure 3.19 on page 134):

(1) A high level alarm on a catchpot.

(2) A high level trip, set at a higher level, which closed a valve on the inlet line to the catchpot.

(3) A low temperature trip on the gas exit line from the catchpot which closed a valve in the gas line. (The catchpot and overhead line were made from stainless steel but the line led to a mild steel line.)

The fractional dead time of the redesigned trip system was calculated from data on the reliability of the components and the test frequency. It was assumed that the operator would ignore the alarm on one quarter of the occasions on which it operated. The demand rate was estimated from experience on similar plants. The hazard rate, the frequency with which cold gas would contact the mild steel, was found to be once in 10,000 years or once in 2500 years for the whole plant which contained four similar systems. It was assumed that on one tenth of the occasions on which the trip system failed there would be a leak and an explosion and the operator would be killed, almost certainly an overestimate. The operator will therefore be killed once in 25,000 years giving a FAR of 0.45 (see Section 3.4.2, page 90), close to the target of 0.4 for a single risk considered in isolation (see Section 3.4.1, page 87). It was therefore agreed that the protective system, as modified, was adequate, and that it was not necessary to replace the mild steel. If the mild steel had been replaced, the already low risk would have been made even lower and the cost per life saved (see Section 3.4.7, page 100) would have been about £150M at 1970 prices (about £1500M at 1999 prices).

Figure 3.19 Protective system to prevent overcooling of mild steel pipeline (Key: TZLO low temperature trip; LAH high level alarm; LZH high level trip; LC level controller; gas normal route and gas route not intended for use when gas is cold; stainless steel and mild steel sections; liquid)

This cost is a notional one — that is, spending the money would make an already low risk even lower but it is very unlikely that anyone will be killed if the money is not spent. In contrast, many of the costs of saving a life listed in Table 3.4 are not notional: real lives will be saved if more money is spent on health or road safety. Note that the decision might have been different if the hazard had been identified during design. Unfortunately no Hazop was carried out.

3.8.2 Stopping a reaction

A reactor (Figure 3.20) was fitted with a kill system [48]. If measurements showed that the reaction was getting out of control, the kill valves opened and a catalyst poison, stored under nitrogen pressure, was injected. To prevent the poison leaking into the reactor and to reduce the chance of spurious operation, the kill valve was duplicated in series and both kill valves were 'fail closed'. The kill system could also be activated by the operator. Originally, if the kill system failed to operate, a bursting disc, connected to a catchpot, would burst and prevent damage to the reactor. After a plant expansion the bursting disc was no longer big enough to prevent damage and it became necessary to improve the reliability of the kill system.

Figure 3.20 Reactor with kill system (Key: nitrogen supply; kill signal to solenoid valves; to catchpot)

Table 3.8 Comparison of reliability of kill system configurations

Case  Design option                                            Failure rate (freq/yr)  Probability of failure compared to Case 4
1     Single valve (fail closed)                               1.6 × 10^-2             1.95
2     Series valves (fail closed)                              2.6 × 10^-2             3.17
3     Single valve (fail open)                                 1.1 × 10^-2             1.34
4     Single valve (fail open) (includes operator action)      8.2 × 10^-3             1.0
5     Parallel valves (fail open) (includes operator action)   6.6 × 10^-3             0.8

Table 3.8 shows several cases that were considered. Case 2 was the existing system. It can be seen that the kill system would be over three times more reliable if the two 'fail closed' valves were replaced by a single 'fail open' valve (Case 4). If the site cooling water supply failed, the operator would have to activate the kill system and an allowance was made for the probability that he would fail to do so. Installing two parallel kill valves (Case 5) makes only a slight improvement in reliability. If a Hazan had not been carried out, this option would probably have been adopted on the philosophy that 'if one is good, two must be better'. The Hazan showed that the least reliable component of the kill system was the solenoid valve that actuated the kill valve. Duplication of the solenoid valve gave almost the same reliability as Case 5.

3.8.3 Inset or parallel berths for gas tankers?

A company wanted to construct a berth alongside a river bank for loading liquefied gas. The port authority was concerned that while a ship was at the berth another ship, passing along the river, might go out of control and collide with the gas ship. They suggested that the berth should be located in a specially constructed inlet at right angles to the bank.

Few, if any, liquefied gas ships have been involved in collisions in harbours. The probability of a collision was therefore estimated from the frequency of collisions to other ships serious enough to have ruptured the tanks on a gas ship. This study showed that a collision between a ship and the bank, while it was manoeuvring into a confined space, was several times more likely than a collision between two ships while one was tied up at a berth. Constructing an inlet would have made a collision more, not less, probable. This conclusion was valid for the particular river but may not be true for other rivers.

At first sight constructing an inset berth seemed an obvious way of increasing safety. Numerical treatment of the problem showed that the obvious solution actually increased the risk. The study also showed that the most effective way of reducing the probability of a collision is to prohibit the movement of ships in the opposite direction when a gas ship is moving. Some of the staff of the port authority had not seen a problem dealt with in this way before. Although they accepted the conclusion they felt it was not in accordance with common sense and had an uneasy feeling that they were being blinded by science.

3.8.4 The effects of plants on nearby houses

Tweeddale [76] has described the studies carried out with a computer model on the risk imposed by a petrochemical site on its neighbourhood. The first study was made when three tenders were received for a new unit. Two of the designs required a buffer zone of 100 m between the unit and the nearest houses while the third design required 300 m. The difference between the estimates was more significant than the actual figures and detailed examination of the calculations drew attention to a feature in the third design which had been overlooked.

The model was then used to look at the total risk from all the units on the site. It was about three times the target that the company had set itself, though within the margin of error. This confirmed the gut feeling of the staff that the nearest houses were rather closer than they would have liked but not so close as to be demonstrably unsafe. The model was then used to pinpoint the features that contributed most to the risk. When another new unit was planned the model was run once more. Again it showed a risk on the wrong side of borderline and changes were made to the design and layout to reduce the risk. Without the results of these calculations the project team would have found it hard to justify the extra cost. However, the studies assumed good standards of management and operation. Tweeddale comments that perhaps the studies should have assessed the probability that this would continue to be the case. Management standards, like hardware, can fail.


Ellis [87] (of the Health and Safety Executive) has described a similar but simpler study of a hypothetical application for planning permission for a 130-bedroom hotel. The proposed site was 500–650 m from a water treatment plant containing two 40 tonne chlorine tanks and a road tanker offloading bay. Calculation showed that the contour representing a risk of 10^-6 per person per year passed through the hotel. This is just on the limit of acceptability (see Section 3.4.1, page 87) but, as a large number of people might be in the hotel at the same time, the Health and Safety Executive would suggest that the hotel be moved further away (see Section 3.4.3, page 90).

3.8.5 Use of slam-shut valves instead of relief valves

In the UK, natural gas is distributed at a gauge pressure of 70 bar and let down to 35 bar and then to 7 bar and 2 bar for customer use. If relief valves were used to protect against failure of the let-down control system there would be noisy discharges of gas in built-up areas and the releases might catch fire or explode. Slam-shut ball valves, powered by high-pressure gas or bottled nitrogen, have therefore been used for over 20 years instead of relief valves. They isolate the high-pressure gas if the pressure downstream of the let-down valves rises above a pre-set value.

The use of instrumented protective systems instead of relief valves has been advocated within ICI since the early 1970s [4] (for example, in a paper called 'Are safety valves old hat?' [88]), but many engineers were at first reluctant to use them. (They were, however, used to protect against explosions as relief valves could not operate quickly enough.) Starting in 1985, a detailed study was made of the use of slam-shut valves in place of relief valves on an ammonia plant. Nine valves were needed. To achieve the reliability required it was necessary to have two pressure switches, made by different manufacturers, sending electrical signals to a one-out-of-two voting system (that is, either signal trips the valve shut). The output from the voting system triggers three solenoid valves; two of them vent compressed air from the cylinder which is holding the isolation valve open and the third sends air to the other side of the piston. There is a spring on this side of the piston but the air provides diversity (Figure 3.21). The valves are tested every three months and the probability that any one will fail to operate is less than 1 in 1000 per demand or about 1.5 × 10^… per year. A single valve failing to operate is unlikely to cause rupture of equipment. The design was discussed with the Health and Safety Executive which raised no objection. Anyone considering a similar installation should consult the original paper [89] which gives details of the design, the testing arrangements, code requirements, and so on. The paper shows Hazan at its best: the problem is clearly defined; good quality data are available; the assumptions, including the testing necessary, are clearly set out; the model of the process is realistic. Whatever one's reservations about the application of Hazan to risks from a site as a whole, there is no reason to doubt the value of studies such as this one (see the last paragraph of Section 3.2, page 79).

Figure 3.21 Arrangement of slam-shut valves on a let-down system (Key: manual by-pass valve, locked shut except for testing) (Reproduced by permission of the American Institute of Chemical Engineers. Copyright © 1997 AIChE)

3.8.6 Fermi estimates and electrical area classification

The physicist Enrico Fermi had a reputation for making quick numerical estimates of the answer to a problem or query [90]. For example, how many piano tuners are there in the area covered by my telephone directory? The population is about a million, say 250,000 households. If one in five owns a piano which is tuned every five years there will be about 50,000 tunings per year. If each tuner tunes five pianos per day for 250 days per year, or 1250 per year, there will be about eight tuners. But many piano tuners are part-time (they tune other instruments, carry out repairs, sell pianos) so the actual number will be higher, perhaps 12. This estimate is not accurate, the true figure could easily be five or 30, but it gives us a quick, approximate answer. Yellow Pages show that the actual figure is 16.

These quick estimates are usually not too far out as we are unlikely to over- (or under-) estimate every figure. They are sometimes adequate for a first look at a problem and may show that the answer is so clear that there is no need for a detailed study. For example, consider electrical area classification. Zone 2 areas are those in which a flammable atmosphere is not likely to occur under normal operation and if it does occur will exist for only a short time. Can we be more precise? How long can it exist?

• Assume a motor or other item of Zone 2 electric equipment is surrounded by flammable gas or vapour for 10 hours per year.

• Experience shows that equipment certified for use in Zone 2 will develop faults which cause sparking or overheating once in 100 years.

• There are about 10^4 hours per year so a spark will coincide with gas or vapour and there will be a fire or explosion about once in 10^5 years.

• Observation shows that someone is within 3 m of a particular motor for 5% of the time. Assume that anyone within this distance is killed.

• A fatality will therefore occur once in 20 × 10^5 years. If there are 100 items of electric equipment on the plant there will be a fatality once in 20,000 years. If we make the pessimistic assumption that it is always the same four people (on shifts) who come within 3 m, then they are exposed to a risk of death of once in 80,000 years or 1.25 × 10^-5 per year (FAR 0.625, close to our target of 0.4 for any risk considered in isolation; see Section 3.4.1, page 87).

• In this case the estimates are almost all biased in one direction. It takes time for gas to diffuse into Zone 2 equipment, it is unlikely that everyone within 3 m would be killed and we have assumed that all the risk is concentrated on one person in each shift. In many parts of a Zone 2 area leaks are very rare, thus reducing the average risk.

We can therefore, as a practical 'rule of thumb', define a Zone 2 area as one in which flammable gas is present for up to 10 hours per year [91].
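The Zone 2 chain of estimates above, carried through in Python as an added example that is not part of the book; it also applies the same FAR conversion to the Section 3.8.1 operator. The 2000 exposed hours per person per year and the round-the-clock 8760 hours for the 3.8.1 post are assumptions not stated on this page; they reproduce the page's FAR figures.

```python
import math

HOURS_PER_YEAR = 8760
# Exposure assumptions for converting an annual risk of death into a FAR
# (deaths per 10^8 exposed hours). Neither figure is stated on this page;
# they are the conventional ones and reproduce the page's FAR values.
WORKING_HOURS_PER_YEAR = 2000            # one person on shifts (Section 3.8.6)
ROUND_THE_CLOCK_HOURS = HOURS_PER_YEAR   # a post manned continuously (Section 3.8.1)
TARGET_FAR = 0.4                         # page's target for a single risk in isolation


def far_from_annual_risk(risk_per_year, exposed_hours):
    """FAR = (deaths per year per person) x 10^8 / (hours exposed per year)."""
    return risk_per_year * 1e8 / exposed_hours


def nearest_power_of_ten(x):
    """Fermi-style rounding to the nearest order of magnitude."""
    return 10.0 ** round(math.log10(x))


def zone2_estimate(gas_hours_per_year=10.0, fault_interval_years=100.0,
                   occupancy_fraction=0.05, items=100, people_on_shifts=4,
                   fermi_rounding=True):
    """The Zone 2 chain of estimates from Section 3.8.6.

    With fermi_rounding=True the coincidence interval is rounded to a power
    of ten, as the text does ('about once in 10^5 years'); with False the
    arithmetic is carried exactly. Returns a dict of the intermediate steps."""
    p_gas_present = gas_hours_per_year / HOURS_PER_YEAR      # fraction of time
    fault_rate = 1.0 / fault_interval_years                  # per item per year
    years_between_fires = 1.0 / (p_gas_present * fault_rate)  # for one item
    if fermi_rounding:
        years_between_fires = nearest_power_of_ten(years_between_fires)
    years_per_fatality_item = years_between_fires / occupancy_fraction
    years_per_fatality_plant = years_per_fatality_item / items
    years_per_fatality_person = years_per_fatality_plant * people_on_shifts
    risk_per_person_year = 1.0 / years_per_fatality_person
    return {
        "years_between_fires_per_item": years_between_fires,
        "years_per_fatality_item": years_per_fatality_item,
        "years_per_fatality_plant": years_per_fatality_plant,
        "years_per_fatality_person": years_per_fatality_person,
        "risk_per_person_year": risk_per_person_year,
        "far": far_from_annual_risk(risk_per_person_year, WORKING_HOURS_PER_YEAR),
    }


def ethylene_operator_far(years_per_fatality=25000.0):
    """Section 3.8.1: the operator is killed once in 25,000 years. Treating
    'the operator' as a post manned round the clock gives the page's FAR."""
    return far_from_annual_risk(1.0 / years_per_fatality, ROUND_THE_CLOCK_HOURS)


def within_factor_of_target(far, factor=2.0):
    """A Fermi estimate is only good to a factor of a few; report whether the
    result lies within `factor` of the target either way."""
    return TARGET_FAR / factor <= far <= TARGET_FAR * factor


if __name__ == "__main__":
    for rounding in (True, False):
        r = zone2_estimate(fermi_rounding=rounding)
        print(f"fermi_rounding={rounding}: one fire per item every "
              f"{r['years_between_fires_per_item']:,.0f} years, risk per person "
              f"{r['risk_per_person_year']:.2e}/yr, FAR {r['far']:.3f}")
    print(f"Section 3.8.1 operator FAR: {ethylene_operator_far():.2f}")
```

Running it with fermi_rounding=False shows the exact arithmetic gives FAR 0.71 rather than 0.625: a different number, but the same conclusion, which is the point of the Fermi method.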

3.8.7 The result of not quantifying risks

In 1987, 31 people were killed and many injured by a fire in King's Cross Underground railway station in London. The official report [92] made 157 recommendations. In 1992 the new managing director of London Underground accepted the 'damning criticism of the way we were managing the company'. However, he felt that in some places the report had gone too far as it had failed to use quantitative risk assessment (QRA) or cost-benefit analysis and had made recommendations that would produce little benefit. For example, London Underground faced expenditure of £100M over a year to comply with fire precaution regulations to save about a fifth of a life per year; 'We don't think that's good value for money'. After the fire London Underground had 'brought London virtually to its knees by attacking every escalator and tearing out all the wood'. Intuitively, that had seemed a good idea but calculations showed that this would reduce the probability of a serious escalator fire from once in six years to once in nine, while installation of sophisticated sensors and automatic sprinklers would reduce the probability to once in a thousand years.

The managing director also praised QRA for compelling people to face the setting of safety spending priorities and the valuation of human life and accused media persons, politicians and others of publicly implying infinite value for each life. Yet motoring, flying, and indeed all activity, would cease if we did not accept a trade-off between risk and benefit. Nevertheless, QRA did not supersede judgement but should lie alongside it [93].

Similar criticisms were made in a report produced for the Health and Safety Executive following an incident in 1992 when two suspect briefcases were found in a train. Seven trains were stopped in tunnels during a morning rush hour as there were more trains on the line than there were stations to stop them at. It took five hours to evacuate all 6000 passengers, 70 of whom were taken to hospital with heat exhaustion. Smoke from a short circuit on one of the trains added to the confusion and if it had developed into a fire the result might have been disastrous. The briefcases turned out to be harmless pieces of lost luggage. The report says that closure and evacuation of stations may not always be the right response. It recommends that railway staff are given training, similar to that given to airport staff, to help them assess the seriousness of bomb warnings. On fire prevention the report is more positive. It says that as a result of the action taken since 1987 the situation has been transformed and fire prevention should no longer claim a lion's share of resources. Instead QRA should be used to assess priorities. The existing legislation, based on regulations which must be followed, should be replaced by one based on the quantitative assessment of risk [94].

3.8.8 Balancing probabilities and consequences

The risk of injury or damage depends on the size and probability of a leak. Is it more effective to reduce the size or reduce the probability? Hazan may help us answer this question.

HAZOP AND HAZAN

If the inventory in a plant or storage area is reduced, the maximum size of a leak will be less and so the consequences will be less, but the probability of a leak will not be changed. Reducing the number of leak points such as valves, drains, pumps, and so on, may be more effective than reducing the inventory in the existing equipment. If it is possible to take a vessel out of service, however, then there will be fewer places from which leaks can occur and both the probability and maximum size of a leak will be lower[52].

Is it better to enclose equipment that handles chlorine in a building, so that any leaks are confined, or would the money be better spent on reducing the probability and/or the size of leaks? Detailed examination of a particular case showed that containment was very expensive, had disadvantages and did not greatly reduce the risk[95].

Liquefied petroleum gas (LPG) had to be piped across country for storage in a well. Two options were considered: pumping at high pressure (about 100 bar) so that the LPG could go straight into the well, and pumping at low pressure (35 bar), when another pump would be needed near the well. With the second option there would be more sources of leaks and more leaks, as pumps leak far more often than pipes. However, with the first option, if the pipe did rupture the leak would be larger. As the pipeline followed open country the first option was chosen, as it was cheaper, but the decision would have been different if people had lived near the pipeline[96].

3.8.9 Other examples

Lawley[11,12,13] has described three hazard analyses in detail, showing fault trees and explaining the derivation of each item of data used. The first[11], which is quoted by Lees, Chapter 9, analyses the precautions taken to prevent a series of crystallizers overflowing; the second[12] analyses the precautions taken to prevent a pipeline getting so cold that it becomes brittle and might fail; and the third[13] analyses the precautions taken to prevent loss of level in the base of a distillation column and discharge of high pressure gas into a low pressure tank. Reference 24 describes how the methods of Hazan have been applied to a number of other high-technology industries.

The subject of this chapter is discussed more fully in References 13—17 and in Lees, Chapter 9. References 16 and 17 deal particularly with risks to the public. Reference 17 reviews the various targets or criteria that have been proposed. There is an enormous literature on the philosophy of risk acceptability, most of which deals with the more philosophical difficulties, and does not offer much advice to the practitioner. References 18—22 and 26 are typical of these publications while References 23, 98 and 99 are more practical in their approach.

HAZARD ANALYSIS (HAZAN)

3.9 A summary of the main sources of error in Hazan

(1) Failure to foresee all the hazards or all the ways in which a hazard can arise (see Section 3.5.9, page 113).
(2) Errors in the logic (see Sections 3.5.4 and 3.6.5, pages 108 and 126).
(3) Failure to foresee that protection may not be fully effective because of poor design (see Section 3.6.4, page 123) or because time of action has been ignored.
(4) Design assumptions not correct; for example, less testing, more demands, failures not random (see Section 3.6.7, page 130), different mode of operation (see Section 3.6.6, page 128).
(5) Common mode failures (see Sections 3.6.4 and 3.6.5, pages 123 and 126).
(6) Wrong data (see Sections 3.6.1—3.6.3, pages 120—121).

Some other errors are discussed in Chapter 4.

3.10 A final note

To many people the calculations of this chapter and others on the subject may seem cold-blooded or even callous. Safety, like everything else, can be bought at a price. The more we spend on safety, the less we have with which to fight poverty and disease or to spend on those goods and services which make life worth living, for ourselves and others. Whatever money we make available for safety we should spend in such a way that it produces the maximum benefit. There is nothing humanitarian in spending lavishly to reduce a particular hazard which has been brought to our attention, and ignoring the others. Those who make the sort of calculations described in this chapter, far from being cold-blooded or callous, are the most effective humanitarians, as they allocate the resources available in a way which will produce the maximum benefit to their fellow men.

References in Chapter 3

1. ICI, 1968, Assessing Projects: Book 5, Risk Analysis (Methuen, London, UK).
2. Kerridge, A.E., 1982, Hydrocarbon Processing, 61 (12): 56.
3. Kletz, T.A., 1996, Dispelling Chemical Engineering Myths, 3rd edition, 5 (Taylor & Francis, Washington, DC, USA).
4. Kletz, T.A. and Lawley, H.G., 12 May 1975, Chemical Engineering, 81.
5. Gibson, S.B., 1976, Chemical Engineering Progress, 72 (2): 59.
6. Lees, F.P., 1980, in Proceedings of the Third International Symposium on Loss Prevention and Safety Promotion in the Process Industries, 6/426 (Swiss Society of Chemical Industries).
7. Lees, F.P., 1976, A review of instrument failure data, Symposium Series No. 47, 73 (Institution of Chemical Engineers, Rugby, UK). See also Lees, Section 13.6.
8. Aird, R.J., 1980, Reliability assessment of pumps, Convention on Fluid Machinery Failure, paper C145/80 (Institution of Mechanical Engineers, London, UK). See also Lees, Chapter 7.
9. Kletz, T.A., 1991, An Engineer's View of Human Error, 2nd edition (Institution of Chemical Engineers, Rugby, UK).
10. Kletz, T.A., 1994, Learning from Accidents, 2nd edition, Chapter 11 (Butterworth-Heinemann, Oxford, UK).
11. Lawley, H.G., 1974, Chemical Engineering Progress, 70 (4): 45.
12. Lawley, H.G., 1980, Reliability Engineering, (2): 89.
13. Kletz, T.A. and Lawley, H.G., 1982, in High Risk Safety Technology, edited by A.E. Green, Chapter 2.1 (Wiley, London, UK).
14. Kletz, T.A., 1977, Hydrocarbon Processing, 56 (5): 297.
15. Kletz, T.A., 1978, Chemical Engineering Progress, 74 (10): 47.
16. Kletz, T.A., 1976, in Chemical Engineering in a Changing World, Proceedings of the World Congress of Chemical Engineering, edited by W.T. Koetsier, 397 (Elsevier, Amsterdam, The Netherlands).
17. Kletz, T.A., 1982, Reliability Engineering, 3 (4): 325.
18. Lowrance, W.W., 1976, Of Acceptable Risk (Kaufmann, Los Altos, California, USA).
19. Council for Science and Society, 1975, The Acceptability of Risks (Rose, London, UK).
20. The Royal Society, 1992, The Assessment and Perception of Risk (London, UK).
21. Schwing, R.C. and Albers, W.A. (eds), 1980, Societal Risk Assessment (Plenum Press, New York, USA and London, UK).
22. The Royal Society, 1992, Risk: Analysis, Perception and Management — Report of a Study Group (London, UK).
23. Griffiths, R.F. (ed), 1981, Dealing with Risk (Manchester University Press, UK).
24. Green, A.E. (ed), 1982, High Risk Safety Technology (Wiley, London, UK).
25. Pitblado, R.M., Shaw, S.J. and Stevens, G., 1990, The SAFETI risk assessment package and case study applications, Symposium Series No. 120, 51 (Institution of Chemical Engineers, Rugby, UK).
26. Risk Analysis in the Process Industries — Report of the International Study Group on Risk Analysis, 1985 (Institution of Chemical Engineers, Rugby, UK).
27. Kletz, T.A., 1998, Process Plants: A Handbook for Inherently Safer Design (Taylor & Francis, Philadelphia, Pennsylvania, USA).
28. Mann, M., 1986, Journal of the Royal Society of Arts, 134 (5358): 396.
29. Withers, J., 1988, Major Industrial Hazards, 85—97 (Gower, Aldershot, UK).
30. Health and Safety Executive, 1989, Risk Criteria for Land-use Planning in the Vicinity of Major Industrial Hazards (HMSO, London, UK).
31. Barnes, M., 1988, The Hinkley Point Public Inquiry: Report, Chapters 34 and 35 (HMSO, London, UK).
32. Health and Safety Executive, 1992, The Tolerability of Risk from Nuclear Power Stations, 2nd edition (HMSO, London, UK).
33. Jones, D.A. (ed), 1992, Nomenclature for Hazard and Risk Assessment in the Process Industries, 2nd edition (Institution of Chemical Engineers, Rugby, UK).
34. British Medical Association, 1987, Living with Risk (Wiley, Chichester, UK).
35. Risk Communication, Risk Statistics and Risk Comparisons, 1988 (Chemical Manufacturers Association, Washington, DC, USA).
36. Kletz, T.A., 1988, in Engineering Risk and Hazard Assessment, edited by A. Kandel and E. Avni, 11 (CRC Press, Boca Raton, Florida, USA).
37. Maher, S.T. et al, 1988, Relief valve testing optimisation programme for the cost-effective control of major hazards, Symposium Series No. 110, 117 (Institution of Chemical Engineers, Rugby, UK).
38. Programmes Analysis Unit, 1972, An Economic and Technical Appraisal of Air Pollution in the UK (HMSO, London, UK).
39. Kletz, T.A., 1996, Dispelling Chemical Engineering Myths, 125 (Taylor & Francis, Philadelphia, Pennsylvania, USA).
40. Lees, Tables 13.17 and 13.18.
41. O'Mara, R.L. and Bergeron, C.B., 1987, Inherent safety — how to keep a new safety system from causing an accident, American Institute of Chemical Engineers' Annual Meeting, New York, 15—20 November.
42. Lloyd, T., 1989, The Chemical Engineer, No 458: 15.
43. Netter, S., 1 June 1991, The Daily Telegraph, 15.
44. Stewart, R.M., 1971, High integrity protective systems, Symposium Series No. 34, 99 (Institution of Chemical Engineers, Rugby, UK).
45. Process News, July 1989, 8 (Institution of Mechanical Engineers Process Industries Division, London, UK) (summary of paper by D.W. Heckle and Dr Young).
46. Which?, February 1991, 71.
47. Kletz, T.A., 1971, Hazard analysis — a quantitative approach to safety, Symposium Series No. 34, 75 (Institution of Chemical Engineers, Rugby, UK).
48. French, R.W., Olsen, R.E. and Peloquin, G.L., 1990, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 68 (B1): 7.
49. Goyal, R.K. and Al-Jurashi, N.M., 1991, Journal of Loss Prevention in the Process Industries, 4 (3): 151.
50. Rushton, A.G., 1991, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 69 (B4): 200.
51. Ratcliffe, K.B., 1991, Loss Prevention Bulletin, No. 098: 21.
52. Schaler, L.C., 1990, Plant/Operations Progress, 9 (1): 50.
53. Barde, J-P. and Pearce, D.W., 1991, Valuing the Environment (Earthscan, London, UK).
54. Pitblado, R. and Turney, R. (eds), 1996, Risk Assessment in the Process Industries, 2nd edition, Chapter 3 (Institution of Chemical Engineers, Rugby, UK).
55. US Department of the Environment, 1998, Operating Experience Weekly Summary, No. 98—26, 6 (Washington, DC, USA).
56. DNV, 1998, Techin/, Winter/Spring, 3.
57. Brown, M., 1994, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 72 (B1): 1.
58. Everley, M., 1996, Health & Safety at Work, 18 (10): 18.
59. Hoffman, R. and Schmidt, S.L., 1997, Old Wine — New Flasks, 49 (Freeman, New York, USA).
60. Hambly, E.C., 1 May 1992, Preventing Disasters, Royal Institution Discourse.
61. Health and Safety Executive Nuclear Safety Division, 1995, Nuclear Safety Newsletter, 7: 3.
62. Health and Safety Executive, 1989, Quantified Risk Assessment: Its Input to Decision Making (HMSO, London, UK).
63. Cohen, A.V. and Pritchard, D.K., 1980, Comparative risk of electricity production systems: a critical survey of the literature, HSE Research Paper (HMSO, London, UK).
64. Christen, P., Bohnenblust, H. and Seitz, S., 1994, Process Safety Progress, 13 (4): 234.
65. Interdepartmental Liaison Group on Risk Assessment, 1996, Use of Risk Assessment in Government Departments (Health and Safety Executive, London, UK).
66. McQuaid, J., 1995, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 73 (B4): S39.
67. Morten, A., 1995, Eliminating Risks for the Travelling Public (Royal Academy of Engineering, London, UK).
68. Kletz, T.A., 1994, Learning from Accidents, 2nd edition, Chapter 20 (Butterworth-Heinemann, Oxford, UK).
69. Ro-Ro Ferries and the Safety of the Travelling Public, 1997 (Royal Academy of Engineering, London, UK).
70. Philley, J.O., 1992, Plant/Operations Progress, 11 (4): 218.
71. Health and Safety Commission, 1991, Major Hazard Aspects of the Transport of Dangerous Substances (HMSO, London, UK).
72. The Risks of Fuel Transport, 1982, Proceedings of a conference sponsored by Hazardous Cargo Bulletin (Oyez, London, UK). Quoted by Clifton, J.J., April 1984, The effect of wall thickness on the behaviour of aluminium and steel road tankers carrying flammable liquids when they are engulfed in flames, Report No. SRD R 29/, page 6 (UKAEA).
73. Department of the Environment, 1995, A Guide to Risk Assessment and Risk Management for Environmental Protection (HMSO, London, UK).
74. Goats, G.C., 1996, The Safety & Health Practitioner, 14 (12): 20.
75. Withers, J., 1988, Major Industrial Hazards, 208 (Gower, Aldershot, UK).
76. Tweeddale, H.M., 1992, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 70 (B2): 70.
77. Lindley, J., 1997, Loss Prevention Bulletin, No. 136: 7.
78. Inquiry into the Fire on Heavy Goods Vehicle Shuttle 7539 on 18 November 1996, 1997 (HMSO, London, UK).
79. Rushton, A.G., 1997, private communication.
80. Tweeddale, H.M., 1994, Risk assessment models, National Safety Conference, Sydney, Australia, May.
81. Rushton, A.G., 1995, The allocation of failure rates to containment components, with particular reference to hydraulic transients, Symposium Series No. 139, 453 (Institution of Chemical Engineers, Rugby, UK).
82. Anon, 1996, Loss Prevention Bulletin, No. 130: 8.
83. Bell, T.E. and Esch, E., February 1987, IEEE Spectrum, 136.
84. Corcoran, W.R., 1993, Risk Management Quarterly (published by US Department of Energy, Washington, DC), 1 (3): 2.
85. Pitblado, R.M., Williams, J.C. and Slater, D.H., 1989, Plant/Operations Progress, 9 (3): 169.
86. Hurst, N.W., Bellamy, L.J. and Wright, M.S., 1992, Research models of safety management of onshore major hazards and their possible application to offshore safety, Symposium Series No. 130, 129 (Institution of Chemical Engineers, Rugby, UK).
87. Ellis, A.F. and Pokorny, B., 1992, Continuous and episodic risks — the assessment link, Center for Chemical Process Safety International Conference on Risk Analysis, Human Factors and Human Reliability in Process Safety.
88. Kletz, T.A., September 1974, Chemical Processing, 77.
89. McConnell, R.A., 1997, Process Safety Progress, 16 (2): 61.
90. von Bayer, H.C., 1988, The Sciences, 28 (5): 2.
91. Benjaminsen, J.M. and Wiechen, R.H., 1968, Hydrocarbon Processing, 47: 121.
92. Fennell, D., 1988, Investigation into the King's Cross Underground Fire (HMSO, London, UK).
93. Conway, A., 1992, Atom, No 420: 9.
94. Appleton, B., 1992, The Appleton Report (HMSO, London, UK).
95. Purdy, G. and Wasilewski, 1994, Journal of Loss Prevention in the Process Industries, 7 (2): 147.
96. Goyal, R.K., 1993, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 71 (B2): 117.
97. Interpretation of Major Accident to the Environment for the Purposes of the CIMAH Regulations — A Guidance Note, 1991 (Department of the Environment, London, UK). Quoted by Wilday, A.J., Ali, M.W. and Wu, Y., 1998, Index method for cost-effective assessment of risk to the environment from accidental releases, Symposium Series No. 144, 475 (Institution of Chemical Engineers, Rugby, UK).
98. Cooper, M.G., 1985, Risk: Man-made Hazards to Man (Clarendon Press, Oxford, UK).
99. Williams, D.R., 1998, What is Safe? The Risks of Living in a Nuclear Age (Royal Society of Chemistry, Cambridge, UK).

Appendix to Chapter 3 — Belt and braces

Here is a simple example of the application of numerical methods to safety problems, showing how a hazard can be reduced to any desired level but not eliminated completely.

The accident we wish to prevent is our trousers falling down and injuring our self-esteem. Braces are liable to break and the protection they give is not considered adequate. Assume that breakage through wear and tear is prevented by regular inspection and replacement and that we are concerned only with failure due to inherent weaknesses or faults in manufacture which cannot be detected beforehand and which are random events. Experience shows that, on average, each pair of braces breaks after ten years' service. Experience also shows that belts fail in the same way and as frequently as braces. Collapse of our trousers once in ten years is not considered acceptable.

How often will a belt and braces fail together? If one fails then it will not be detected until the item is removed at the end of the day. Assuming it is worn for sixteen hours per day, then, on average, every man is wearing a broken belt for eight hours every ten years and broken braces for eight hours every ten years. The fractional dead time (fdt) of the braces is

fdt = 8/(16 × 10 × 365) = 0.000137

and the fdt of the belt is the same. The chance of the second protective device failing while the first one is 'dead' is:

hazard rate = demand rate × fdt = 2 × 10⁻¹ × 0.000137 = 2.74 × 10⁻⁵/year

or once in 36,500 years.


Failure of belt and braces together, therefore, occurs once in 36,500 years. At the individual level this risk is tolerable. However, there are about 25,000,000 men in Great Britain so that, even if every man wears 'belt and braces', 685 men will lose their trousers every year. At the national level it is considered intolerable that so many men should be embarrassed in this way. To reduce the risk further, every man could wear a third protective device, a second pair of braces. This would reduce the failure rate for the individual man to once in 133,000,000 years* and for the country as a whole to once in five years. A third protective device, however, involves considerable extra capital expenditure and makes the system so complicated that people may fail to use it. An alternative is to get every man to inspect his belt and braces every two hours to see if either has broken. This will reduce the failure rate for the individual to once in 36,500 × 8 = 292,000 years and for the country as a whole to 685/8 = 85 men/year. This may be considered tolerable but is it possible to persuade men to inspect their 'protective systems' with the necessary regularity and what would it cost in education to persuade them to do so?

* Coincident failure of belt and braces can occur in three ways:
(a) Belt fails when both pairs of braces have already failed;
(b) Braces 1 fail when belt and braces 2 have already failed;
(c) Braces 2 fail when belt and braces 1 have already failed.

The fdt for a 1-out-of-2 system is ⅓f²T² (see Table 3.5, page 111) where f = failure rate (0.1/year) and T = test interval (1/365 year).

For each failure mode the hazard rate = demand rate × fdt = 0.1 × ⅓f²T² = 0.1 × ⅓ × (0.1)² × (1/365)² = 2.5 × 10⁻⁹/year, so for the three modes together the hazard rate = 7.5 × 10⁻⁹/year, or once in 133,000,000 years. The calculations are approximate as they do not make any allowance for common mode failures (see Sections 3.6.4 and 3.6.5, pages 123 and 126).


This example illustrates the following general points:

(1) The risk can be reduced to any desired level by duplication of protective equipment but it cannot be completely eliminated. Some slight risk always remains. Even with three protective devices it could happen that coincident failure occurs not after 133,000,000 years but next year.
(2) The method used here is sound but the result is only as good as the input data. If the failure rate for belt or braces is not once in ten years but once in five or twenty years, then the conclusion will be in error, not by a factor of two, but by a factor of four for two protective devices and by a factor of eight for three protective devices.
(3) The event which we wish to prevent is not collapse of our trousers but injury to our self-esteem. Half (say) of the collapses will occur when we are alone or at home and will not matter, thus introducing an extra factor of two. (It is not explosions we wish to prevent but the damage and injury they cause; explosions which produce neither may be acceptable.)
(4) A risk which is tolerable to an individual may not be tolerable to the community as a whole.
(5) It is easier to devise protective equipment or systems than to persuade people to use them. More accidents result from a failure to use equipment properly than from faults in the equipment. The large number of unwanted pregnancies, for example, is not due to failure of the 'protective equipment' but to the failure of the 'operators', through ignorance, unpreparedness or deliberate choice, to use the equipment and methods available.
(6) This account is incomplete in one respect. It does not allow for the fact that men may occasionally forget to wear all their protective equipment or may decide not to bother (see Section 3.7, page 130).


Braces have prevented more serious accidents than the loss of one's trousers. This plaque is displayed at the Clontarf Picnic Grounds, Sydney, Australia.

Prince Alfred, Duke of Edinburgh (Son of Queen Victoria)

At the Clontarf Picnic Grounds on the 12th March, 1868, one Henry O'Farrell attempted to assassinate the then Duke of Edinburgh, Prince Alfred. Prince Alfred miraculously escaped serious injury. The assassin's bullet was impeded by the double thickness of the Duke's trouser braces. The Prince was conveyed to Government House where he was operated on a few days later. The surgeon was assisted in the operation by two nurses trained by Florence Nightingale. The young prince recovered quickly.

A manager's guide to hazard analysis

'Aristotle maintained that women have fewer teeth than men; although he was twice married it never occurred to him to verify this statement by examining his wives' mouths.' Bertrand Russell

'We have to find a way of making the important measurable, not the measurable important.' Robert McNamara, former US Secretary of Defense

4.1 Introduction

During the last 100 years managers have become increasingly dependent on the advice of experts of all sorts. The days have long gone when one man — George Stephenson — could survey and construct a railway line, design and construct the engine and drive it on the first journey. Perhaps an unconscious desire to be such an engineer is shown by those who display one of Stephenson's engines on their ties! It is always tempting for a busy person, whether he is managing a plant, workshop or design team, to simply look at the last page of the expert's report and accept his conclusion. The manager cannot, as a rule, check the whole report and, even given the time, such reports often contain incomprehensible mathematics. This chapter is intended to help managers locate and check a few key points in reports on hazard analysis.

Tweeddale[6] has described an extreme example of the results of leaving decisions to hired experts: a regulatory authority asked a company to prepare a safety case for a proposed new plant. The company's own staff were busy with the design so the company asked a consultant to prepare the safety case for them. The regulatory authority did not have sufficient staff to review the report so they hired another consultant to do so for them. Tweeddale comments that this was rather like a student hiring someone to attend a course and sit an examination on his behalf, because he is too busy or incompetent to do so himself while, for the same reason, the examiner hires someone to set and mark the exam papers.

There should, of course, be a continuing dialogue between the experts (hired or in-house) and the clients during the development of a hazard analysis,


and in the course of it the manager should ask the questions below. Nevertheless, on some occasions a senior manager may be presented with an analysis as the justification for a proposal to spend (or not spend) some money, and in these cases he will be questioning a finished or draft report. As a rule the first issues of Hazan reports should be drafts. The following, for ease of style, is addressed to managers.

The first point to check is that the three questions in Section 3.3 (page 80) have been answered. Does the report:

• Say how often the incident will occur?
• Say how big the consequences will be?
• Recommend what we should do?

Blinding decision-makers with incomprehensible calculations is nothing new. The Roman emperor Valentinian III (reigned 425—455 AD) complained that 'those responsible put out a smokescreen of minute calculations involved in impenetrable obscurity'. (He was discussing tax collectors. They continued 'their corrupt bullying with arrogance and impunity scarcely disturbed by the distant sound of unenforceable Imperial threats')[7].

4.2 Arithmetic, algebra and units

As a rule there is no need for the manager to check the arithmetic. To do so is very time-consuming, it is unusual to find errors (most that are found do not matter anyway) and the analyst should have had it checked already. Similarly, there should be no need to check the algebra. If the analyst is experienced he will have combined his rates and probabilities correctly at the 'AND' and 'OR' gates of his fault trees (see Section 3.5.9, page 113). If he is not experienced, he should have had his algebra checked by a more experienced person. If you think that the analyst may be new to the game, ask him who has been over his algebra.

It is, however, useful to look at fault trees or calculations and see that the units are clearly stated at each point, and that rates and probabilities are clearly distinguished. If they are not, they can easily get muddled. Two rates have been multiplied on more than one occasion (see Section 3.5.9, page 113). Also look out for statements in the text, particularly in the conclusion and summaries, such as 'the probability (or target) is 10^-…'. Probability of what? Of an incident occurring, or of someone being killed or injured (and, if so, any person or a particular person?), per year, per event, per hour or per what? (See the quotation from the US Supreme Court in Section 3.3, page 82.) These, of course, are elementary mistakes made only by inexperienced or amateur analysts.

An amusing example of a failure to quote units is provided by a newspaper article which stated that members of social classes 1 and 2 have a lower probability of dying than the rest of the population. The probability of dying is, of course, 1 for all of us! The writer meant that the probability of dying per year is lower for a member of social classes 1 and 2. A reader commented that about half the scientists who have ever lived are still alive, so on the basis of historical evidence, for a scientist the probability of dying is nearer 0.5 than 1! This has been true every year since 1650[8]. This shows how wrong conclusions can be drawn if we use data unthinkingly without understanding their limitations (see Section 3.6.3, page 121).

Look out for meaningless units in comparisons and conclusions. For example, if two radioactive hazards are being compared, a comparison based on becquerels (or curies) is meaningless unless the isotope mix is exactly the same. A becquerel (Bq) is defined as one atom undergoing a transition per second but the energy released can vary over a range of 10^…. (A curie, the old unit, is 3.7 × 10¹⁰ Bq.) Similarly, a comparison of two plants or companies on the basis of the numbers of dangerous occurrences is usually meaningless as standards of reporting are so variable. If a target is set for the number, it is almost always met!

The most widely used measure of safety, the lost-time accident rate, is deeply flawed. All lost-time accidents are not comparable: better that 100 people are absent for a few days with minor bruises than one person is blinded or paralysed. In addition, lost-time accidents are now so few in most companies that their rate measures luck and the willingness of injured people to continue at work. A low lost-time accident rate does not indicate that technical safety problems are under good control.

4.3 The model

Every Hazan is based on a model of the plant and the way hazards arise. As this is frequently expressed as a fault tree the model is often called 'the logic'. The analyst rarely knows enough about the plant to draw up the model unaided, and discussion with plant staff is necessary. Nevertheless misunderstandings may arise. If the analyst is an engineer he may not fully understand the chemistry; if he is a chemist he may not fully understand the engineering. On a new design the drawings, in theory, contain the necessary information on the hardware but do not show how it will be used.

Often a manager explaining a plant to an expert will fail to mention facts which he has come to take for granted but which are not obvious to outsiders. He may thus fail to tell the analyst that one of the chemicals handled freezes at 5°C. The analyst then fails to include frozen pipelines in the list of initiating events which can cause a pipeline to block. Similarly, an analyst may decide to estimate the leak rate from a circulating gas system in the event of pipe failure. The analyst asks for the flow rate and is told that it is, say, 10,000 m3/h. He does not ask and is not told that the total amount of gas in the system is only 1000 m3. It is, of course, an advantage to employ analysts with experience of design and/or production.

In checking an analysis, the manager should therefore ask:

• Have any unusual properties of the process materials been considered?
• Have any limitations on flow rates, heat inputs, etc, provided by the inventory or equipment been considered?
• Have alternative methods of operation, such as regeneration of catalyst beds, been considered?
• Have start-up and shutdown been considered?
• Does automatic protection protect against all demands or only some of them?
• Has the model been discussed with the maintenance organization (particularly the instrument maintenance organization) as well as the operating team?

If the model is buried in a computer program it will not be transparent and the manager will have to dig deep when he questions the analyst.

An example of a sophisticated error in the model is provided by the anti-growth movement and their calculations of impending doom:

'In effect, what the Club of Rome report did was to assume that all "bads" such as pollution, demand for food and raw materials, and so on, would increase exponentially for ever and ever, and all "goods", such as techniques to reduce pollution per unit of output, or supplies of food and raw materials, could only increase by finite amounts. Clearly, however generous are these finite amounts, it does not need a computer to show that, one day, the "bads" must exceed the "goods". In the words of Lord Ashby, "if we feed doom-laden assumptions into computers it is not surprising that they predict doom".'

Thomas Malthus made the same error in 1816 in his book Essay on the Principle of Population. He forecast that the production of food would rise arithmetically while the population would rise geometrically. If he had been correct Europeans would have begun starving to death in a few generations. In fact, agricultural production increased substantially as a result of the discovery by Justus von Liebig that minerals were essential to plant growth[21].

The manager should look out for features in a model which make the answers inevitable, regardless of the data (see also Section 6.6, page 199).


A classical example of a wrong model is the estimation of the age of the earth by William Thomson (later Lord Kelvin) in 1842. By assuming that the earth was originally as hot as the sun and has been cooling ever since it was formed, he estimated its age as 100 million years (with a possible range of 20–400 million years). This was too short, biologists and geologists said, for the evolution of today's flora and fauna and rocks. Thomson's reputation was immense and his advocacy of his view held up the acceptance of other views on the evolution of both rocks and life. The error in his model was not found until the end of the century when radioactivity was found to be keeping the earth warm9.

4.3.1 The parameters

Related to a wrong model is the choice of the wrong parameter for measurement of a target. Here are some examples:

(a) For many years ambulance crews were judged by the speed with which the first casualties from an accident reached hospital. As a result victims were rushed to hospital when it would have been better to treat them on the spot10.

[Figure 4.1: curves plotted against level of exposure (x-axis); the plot itself did not survive the scan]

Figure 4.1 Relation between risk of disease and the distribution of different levels of exposure to a causal factor. The broken curve shows the new (lower) distribution of exposure after a population-wide control measure. (Based on Reference 10)

A MANAGER'S GUIDE TO HAZARD ANALYSIS

(b) People with high blood pressure are more likely to have a stroke than those with lower blood pressure. Nevertheless most strokes occur to people with blood pressures in the middle range as there are many more people with blood pressure in this range. The most successful way to reduce the number of strokes would be to lower the blood pressure of the population as a whole, to move from curve A to curve B in Figure 4.1. A 5% reduction in blood pressure would prevent 75,000 strokes per year (30% of the total) while targeting the 5% of the population with the highest blood pressure would prevent only half as many11. (This illustrates the dilemma discussed in Section 3.4.6 on page 99: should we try to save the most lives per million pounds spent or should we try to protect the people at greatest risk?) It is possible that similar arguments might apply to, say, corrosion prevention.

(c) Students at the French Grandes Ecoles cost three times as much, per term, as those at French universities. But the Grandes Ecoles have virtually no drop-outs while the universities have a 60% drop-out rate12.

(d) Railway companies are under pressure to improve timekeeping. As a result connections leave before the connecting train has arrived and passengers reach their destination later than if the connection had waited. The correct parameter is not the lateness of the trains but the lateness of the passengers.

(e) The conclusion of an investigation can be influenced by the choice of criterion. Did UK trains get faster between 1980/1 and 1981/2? The figures in the first line of Table 4.1 were produced to prove that they had. The number of trains travelling at more than 90 mph between stops rose by 26%. Critics produced the figures in the next line to show that the number of trains travelling at more than 95 mph had fallen by 20%. However, the (small) number of trains travelling at more than 100 mph rose by 60%. The lower part of Table 4.1 shows that similar variations in the conclusions are reached if we compare the distances covered in excess of the three speeds instead of numbers of trains13.

Table 4.1 Did trains get faster between 1980/81 and 1981/82?

                                  1980/81    1981/82    % change
Number of trains at >90 mph           167        210         +26
Number of trains at >95 mph            84         67         -20
Number of trains at >100 mph           10         16         +60
Miles at >90 mph                   12,481     14,643         +17
Miles at >95 mph                     5674       4414         -22
Miles at >100 mph                     689       1157         +68

4.4 The unforeseen hazards

The biggest errors in Hazan arise not in the analysis itself but in the failure to foresee all the causes of hazards or all the hazards that can arise. For example, a study of various methods of transporting a liquefied flammable gas showed that road transport was safer than a pipeline — fewer people would be killed per million tons transported. A manager presented with this result found it hard to believe. By questioning the analyst he discovered that he had taken into account the probability that the tanker driver and others would be killed by a fire or explosion but had ignored the probability that they would be killed by an ordinary road accident. As described in Section 3.4.8 on page 103, a detailed quantitative study by the Health and Safety Executive of the risks of transporting dangerous substances is flawed by the same error. It compares the risks of road and rail transport but does not consider ordinary road accidents and thus ignores the largest contribution by far to the road transport risk14. In the UK about 3500 people per year are killed by road accidents but on average less than one person per year by a road accident in which a dangerous substance is directly involved.

Analysts sometimes concentrate so much on serious but unlikely accidents that they overlook simple ones. For example, a Hazan showed that the probability of a leak of a toxic material was acceptably low. At times small fragile packages containing toxic substances had to be moved but they were conveyed in trolleys and kept in them. However, when the lift was out of order a package was carried downstairs and placed on a table. It slid off and the contents leaked.

A light-hearted example of failure to foresee all the causes of a hazard is provided by a study of 'free meals' (see Section 3.5.9, page 113). There can, of course, sometimes be unforeseen benefits. See the Appendix to Chapter 3, page 151.

In general, ask what methods have been used to identify all the hazards. Has a Hazop been carried out? If not, what other methods have been used to identify hazards?


4.5 The assumptions

The analysis should include a list of assumptions on which it is based. The manager should look for these to see if he agrees with them. For example, how often are trips, relief valves and other protective devices tested? How often is stand-by equipment tried out? Are the figures quoted realistic and likely to be followed? Is there a monitoring system? Will the testing still be carried out when the start-up manager has left and others have taken his place? These questions are particularly important if the plant is to be located overseas and/or operated by another company which may not have the same attitude towards testing and is not under direct control.

In addition to the listed assumptions, every Hazan makes certain assumptions which are usually not written down. The manager should be aware of these and check their applicability to the particular case. The principal unwritten assumptions are listed in Table 4.2.

Table 4.2 Assumptions which may not be true

Assumption                                 Cases in which it may not be true

(a) Failure is random.                     During the birth pangs and old age of equipment, and
                                           following repairs to machinery. See Section 3.6.7,
                                           page 130.

(b) Failure rates and demand rates         When failure rates or demand rates are high. (Many of
    are low.                               the equations used apply only when failure and demand
                                           rates are low.) See Section 3.5.4, page 108.

(c) Testing is perfect.                    When testing interferes with production.

(d) Repair time is negligible.             When spares are not stocked.

(e) Flows are not limited by inventory.    When flows are high but inventories small. See
                                           Section 4.3, page 154.

(f) Substances have no unusual             When substances have unusually high (or low) melting
    properties.                            or boiling points, are near their critical points or
                                           have other unusual properties; for example, the
                                           viscosity of sulphur increases as the temperature
                                           rises.

(g) The plant is designed, operated        Overseas, subsidiary or remotely-situated plants which
    and maintained according to good       do not receive as much management attention as the
    management and engineering             main plants ('Rot starts at the edges').
    standards.


If assumptions (a)–(d) are not true, then mathematical techniques are available for handling other assumptions, but the need to use them must be recognized (see Lees, Chapter 7). Similarly, if we recognize that assumptions (e) and (f) are not true, we can allow for this. If assumption (g) is not true, Hazan is a waste of time. As I pointed out in Chapter 1, it is no use calculating the probability of unlikely events if serious incidents are likely as the result of a poor permit-to-work system, lack of instructions, 'Heath Robinson' methods of maintenance, and so on. Hazan is a sophisticated technique for good organizations which wish to allocate their resources sensibly and improve their standards. It should not be used until the basic management is satisfactory.
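To put numbers on assumption (b) of Table 4.2, here is an added Python illustration, written by the editor and not taken from the book or from Lees. It assumes a protective system with a constant failure rate lam per year, tested every T years, with demands arriving at random at a rate D per year; the values used for lam, T and D are constructed for the illustration. The low-rate formulae are the usual ones (fractional dead time ≈ λT/2, hazard rate ≈ demand rate × fractional dead time); the 'exact' expressions are derived for the same assumptions of perfect testing, with the first demand on a failed system counting as one hazard and revealing the failure. The additive allowance lam × repair time for assumption (d) is likewise a standard approximation, not a figure from the book.

```python
"""Checking Table 4.2 assumption (b): "failure rates and demand rates are low".

Added illustration, not code from the book.  A protective system (for
example a trip) fails at a constant rate lam per year, is tested every T
years, and the demands it has to meet arrive at random at D per year.
All figures below are constructed for the illustration.
"""
import math


def fdt_approx(lam, T, repair_time=0.0):
    """Low-rate approximation to the fractional dead time: lam*T/2, plus the
    usual additive allowance lam*repair_time for assumption (d)."""
    return lam * T / 2 + lam * repair_time


def fdt_exact(lam, T):
    """Exact fraction of the test interval spent in the failed state, for a
    constant failure rate and perfect testing (repair time negligible)."""
    x = lam * T
    return 1.0 - (1.0 - math.exp(-x)) / x


def hazard_rate_approx(lam, T, D, repair_time=0.0):
    """Hazards per year from: hazard rate = demand rate x fractional dead time."""
    return D * fdt_approx(lam, T, repair_time)


def hazard_rate_exact(lam, T, D):
    """Hazards per year when the first demand after a failure produces one
    hazard and reveals the failure (the system is then repaired).  Expected
    hazards per test interval = integral over failure time t in (0, T) of
    lam*exp(-lam*t) * (1 - exp(-D*(T-t))).  A second failure within the same
    interval is ignored, which is reasonable when lam*T is small."""
    a = 1.0 - math.exp(-lam * T)          # probability of failing during the interval
    if abs(D - lam) < 1e-12:
        b = lam * T * math.exp(-lam * T)  # limit of the expression below as D -> lam
    else:
        b = lam * (math.exp(-lam * T) - math.exp(-D * T)) / (D - lam)
    return (a - b) / T


def approximation_error(lam, T, D):
    """Ratio of approximate to exact hazard rate: near 1 while the assumptions
    hold, absurdly large once demands are frequent."""
    return hazard_rate_approx(lam, T, D) / hazard_rate_exact(lam, T, D)


if __name__ == "__main__":
    lam, T = 0.2, 0.5   # constructed: fails once in 5 years on average, tested every 6 months
    print(f"FDT approx {fdt_approx(lam, T):.4f}  exact {fdt_exact(lam, T):.4f}")
    for D in (0.1, 1.0, 10.0, 100.0):
        print(f"D = {D:6.1f}/yr  hazard rate approx {hazard_rate_approx(lam, T, D):.4f}"
              f"  exact {hazard_rate_exact(lam, T, D):.4f}"
              f"  ratio {approximation_error(lam, T, D):.2f}")
    # When lam*T itself is not small the approximation gives an impossible 'probability'.
    print(f"lam = 3, T = 1: FDT approx {fdt_approx(3, 1):.3f} (above 1, impossible);"
          f" exact {fdt_exact(3, 1):.3f}")
```

With the constructed figures the approximation is within about 5% of the exact value at one demand in ten years, but at 100 demands a year it predicts 5 hazards a year, more than the failure rate of 0.2 a year, whereas the exact hazard rate stays just below the failure rate. That is the point of assumption (b): once demands arrive faster than tests, the hazard rate is governed by the failure rate and the equations built on hazard rate = demand rate × fractional dead time no longer apply.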

For example, a leak of a toxic chemical produced unpleasant effects in a shopping centre several hundred metres away. A recorder had been showing an abnormal reading for three weeks before the leak occurred but no-one (operator, supervisor or manager) had noticed (or, if they noticed it, they ignored it). The investigators decided that estimating the probability of a recurrence would be a waste of effort; training in the fundamentals of plant operation was more important15.

In some cases it may be possible to assess the probability that an assumption will cease to be true. For example, in my first paper on Hazan16 I assumed that for 10% of the time the nitrogen blanketing on a storage tank would not be in operation. At the time I had experience of a factory in which moribund nitrogen blanketing equipment had been brought back into operation. The operators (and some more senior people) wondered why this was necessary as there had been no incidents that nitrogen blanketing could have prevented. Standards of compliance were therefore poor. (This changed after an explosion in a storage tank, described elsewhere17.) Actions imposed by authority rather than conviction soon cease when the boss moves or loses interest. When a Hazan assumes higher standards of management than have been usual, perhaps it should assess the probability that they will be maintained (see Section 3.8.4, page 137). Working closely with clients, a hazard analyst may 'go native' and accept uncritically their estimates of the adequacy of existing and proposed procedural safeguards.

4.6 Data

Errors can arise because data are inapplicable or misinterpreted (see Sections 3.6.1–3.6.3, pages 120–121). The manager should therefore look at the data used to see if they seem about right. For instruments the data are well established and the analyst is unlikely to be far out, but this is not true of mechanical equipment (see Section 6.4, page 197).

Two examples of inapplicable data:

• The probability of a leak on a flanged pipe joint in a works handling corrosive chemicals was found to be about 10 times higher than on a works handling clean hydrocarbons.
• The probability of a leak on a sulphuric acid pipeline was unusually high as erosion removed a protective film of sulphate (see Section 3.6.1, page 120).

An example of misinterpreted data:

• A large gearbox required forced lubrication and was provided with two oil pumps, one on-line, one on auto-start. Nevertheless, the calculated rate of failure resulted in the gearbox being starved of oil once in 30 years, a probability that was judged to be too high. Further examination of the data showed that it was based on a published figure for the failure of pumps, but that only 10% of the failures would actually result in immediate loss of oil pressure.

The source of data should be stated even if it is only the 'plant manager's guesstimate'. The example of the Canvey Island Report2 could usefully be followed and data classified as follows:

• Assessed statistically from historical data: a scientifically-based figure to which a standard deviation could be attached.
• Based on statistics as far as possible but with some missing figures supplied by judgement.
• Estimated by comparison with previous cases for which fault tree assessments have been made.
• 'Dummy' figures: likely to be always uncertain; a subjective judgement must be made.
• Fault tree synthesis: an analytically-based figure which can be independently arrived at by others.

Managers can reasonably expect analysts to classify their data in this or a similar way.

In many Hazans some data are inaccurate, little better than informed guesses, while others are based on a large number of observations. If the inaccurate data have a large effect on the probability of the top event, trying to estimate the others with great accuracy is a waste of time. Yet it is often done. For example, when estimating the effect of a leak of hazardous material, the size assumed for the leak (called the 'source term') is often little more than a guess. Yet very precise and complex calculations are then carried out to find out how it will disperse and what the effects will be. In estimating the probability that an operator will respond to an alarm in the correct way within the required time, people hesitate between estimates of 1 in 10 and 1 in 100, and then use the chosen figure in calculations made to several significant figures. F. Hoyle quotes the following figures used for the percentage of solar radiation reflected by various surfaces in estimations of the greenhouse effect:

Clouds                33%
Dust and ozone         7%
Surface (average)      5% (it can vary from 3% for oceans to 80% for snowfields)

He then continues18:

'It really isn't very sensible to make approximations like those and then to perform a highly complicated computer calculation, while claiming the arithmetical accuracy of the computer as the standard for the whole investigation. Once the precise detail of the Earth's reflectivity has been lost, the investigation has been so degraded that merit cannot be recovered by attention to arithmetic.'

The Victorian biologist, Thomas Henry Huxley, said much the same in 1876: 'what you get out depends on what you put in; and as the grandest mill in the world will not extract wheat-flour from peascods, so pages of formulae will not get a definite result out of loose data.'

It is important to distinguish between those data that affect the final result significantly and those that do not. Consequence calculations are usually series calculations in which errors in the data are carried through to the final figure. In most probability calculations data from many branches of a fault tree are combined and errors in some data may have little effect (see Section 6.2, page 196).
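The difference between series and branch calculations can be checked with a small sensitivity analysis before any effort is spent on refining data. The following Python is an added example written by the editor, not code from the book; the branch frequencies, consequence factors and error factors are constructed for the illustration, and the OR gate simply adds frequencies, which is the usual rule for rare independent initiating events.

```python
"""Which data deserve accuracy?  Added illustration, not code from the book.

Two constructed calculations share three uncertain inputs:
  - an OR gate at the top of a fault tree, where the frequencies (per year)
    of rare, independent initiating events add;
  - a consequence calculation in series, where factors multiply.
Each input has a nominal value and an error factor f, meaning "anywhere
between nominal/f and nominal*f".  The code reports how far each input,
on its own, can move the final result.
"""
from itertools import product


def or_gate(branch_frequencies):
    """Top-event frequency: frequencies of rare, independent events add."""
    return sum(branch_frequencies)


def series(factors):
    """Consequence chain: each factor multiplies the running result."""
    result = 1.0
    for f in factors:
        result *= f
    return result


def spread(func, nominal, error_factors):
    """Lowest and highest result when every input ranges over nominal/f .. nominal*f."""
    ranges = [(n / f, n, n * f) for n, f in zip(nominal, error_factors)]
    results = [func(list(combo)) for combo in product(*ranges)]
    return min(results), max(results)


def sensitivity(func, nominal, error_factors):
    """For each input in turn (the others held at nominal) the ratio of the
    highest to the lowest result.  A ratio near 1 means the input is not
    worth refining; a large ratio means it dominates the answer."""
    ratios = []
    for i in range(len(nominal)):
        only_i = [1.0] * len(nominal)
        only_i[i] = error_factors[i]
        lo, hi = spread(func, nominal, only_i)
        ratios.append(hi / lo)
    return ratios


# Constructed fault-tree branches (events/year): one 'plant manager's
# guesstimate' with a factor-of-10 uncertainty beside two well-recorded figures.
BRANCHES = [1e-2, 1e-4, 5e-5]
BRANCH_ERROR = [10.0, 2.0, 1.5]

# Constructed consequence chain: leak frequency (per year) x fraction of
# leaks that ignite x fraction of the time people are in the area.
CHAIN = [1e-2, 0.1, 0.2]
CHAIN_ERROR = [10.0, 2.0, 1.5]


if __name__ == "__main__":
    print("OR gate: sensitivity to each branch ", sensitivity(or_gate, BRANCHES, BRANCH_ERROR))
    print("OR gate: overall spread            ", spread(or_gate, BRANCHES, BRANCH_ERROR))
    print("Series : sensitivity to each factor", sensitivity(series, CHAIN, CHAIN_ERROR))
    print("Series : overall spread            ", spread(series, CHAIN, CHAIN_ERROR))
```

With these constructed figures the guesstimated branch can move the top-event frequency by a factor of about 87 while the two well-recorded branches, even at the ends of their ranges, move it by under 2%; measuring them more precisely would change nothing. In the series calculation every factor's uncertainty multiplies through (100, 4 and 2.25 respectively, 900 in combination), so there the modest factors are worth attention too.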

4.7 Human reliability

Some early hazard analyses ignored the operator, assuming he would always do what he was required to do. Other analysts went to the other extreme, assuming the operator would always fail, and recommended fully-automatic systems.

Nowadays, analysts realize that it is necessary to estimate how often an operator will, for example, close the right valve within the required time when an alarm sounds. However, there is a temptation to overestimate human reliability in order to get the result required. Ask what figures have been used. Some suggestions are given in Section 3.7 (page 130) and in Reference 4. If the analyst has made significantly different assumptions, his reasons for doing so should be questioned. As well as errors by operators, errors by people testing and maintaining equipment have to be considered. Has the analyst done so?

The error rates listed in Section 3.7 are about the minimum that can be expected in a well-run organization due to the inevitable failures of human nature. The remarks made in Section 4.5 (page 159) about the quality of the management apply here as well. If they do not run a 'tight ship', if people are not trained, if there are no instructions, if no-one cares and monitors, then error rates will be much higher and Hazan is a waste of time. First improve the management.

The following is an example of the errors that can easily arise in assessing human reliability. An analysis included an assessment of the probability that a road tanker would be connected up to the wrong pipe. As the two types of tanker in use were fitted with different size connections corresponding to the two sizes of pipe, the chance of a wrong connection seemed small. This view was later revised when it was realized that the operators had collected a vast array of adaptors which enabled them to connect any tanker to any pipe.

4.8 The recommendations

Suppose the analyst has proved to your satisfaction that a hazard is too high and that a proposed course of action will reduce it to an acceptable level at a reasonable cost. The solution has probably been generated by the plant or design team, rather than by the analyst alone, but you should still ask what other solutions have been considered. In particular, is it possible to provide an inherently safer solution, to avoid the hazard rather than control it? (See Section 2.7, page 41.)

Do not confuse a low probability with zero probability. A young doctor was giving patients with Hodgkin's disease (a form of cancer) a treatment which was known to have a cure rate of 90%. He has described his distress when his sixth patient died. He had translated a 90% cure rate into a 100% cure rate and was mentally unprepared for the inevitable failures5.

[Figure 4.2]

In the process industries we often forecast much lower hazard rates; 10[exponent illegible in the scan] per year is not uncommon. When a hazard occurs it may be that an unlikely event has occurred by chance (Figure 4.2); it is more likely that one of the assumptions on which the calculation was based is no longer true. For example, testing may have lapsed.

4.9 Comparison with experience

Is the result of the Hazan in accordance with experience and common sense? If not the Hazan must be wrong. This is obvious, of course, and would not be worth saying if analysts had not, on a number of occasions, been so carried away by enthusiasm for their calculations that they forgot (like Aristotle) to compare them with experience. For example, a number of theoretical studies of chlorine and ammonia releases have forecast large numbers of casualties. When releases have actually occurred, the casualties have been few. Yet the studies do not say this. It was always realized that casualties could be high if conditions were exactly right and this has been tragically demonstrated by the events at Bhopal. However, most toxic gas releases produce nothing like the theoretically possible number of casualties and the reports should state this.

One study concluded that the probability of the drain valve on a tank bund being left open after draining was 1 in 10⁸ operations as the valve was fitted with a warning light which was illuminated whenever the valve was open and could be seen by the operator on his rounds. This conclusion would be absurd to anyone with experience of plant operations as it apparently made no allowance for failure of the bulb or for the various types of human error that might occur, from ignorance of the purpose of the light to failure to carry out the tour19.

4.10 Closed shop or open shop?

Should the managers and the designers call in experts to carry out hazard analyses for them (a closed shop policy) or should managers and designers make their own analyses (an open shop policy)? To quote Kelly et al3:

As the level of detail required by the reliability analyst increases, so do his demands on the designer's time and experience. At some point it becomes more effective to train the designer in reliability techniques than to train the reliability analyst in design techniques.

Hazan is not so esoteric that it can be practised only by an elite band of the initiated. Engineers engaged mainly in design or operations can be trained to apply it. It should be our long-term objective for design teams to carry out their own studies. The experts in Hazan should train, check, help and encourage, but not necessarily do all the work. They should be sharers of the tools, not keepers of the tools. At the same time we should remember the words of Thomas Hobbes (1588–1679): 'in Arithmetic, unpractised men must, and Professors themselves may often, erre and end up false'.

Table 4.3 (page 166) compares the ways in which experts in Hazan (and those in other specialized branches of engineering, in-house and contracted) should try to act today and the ways in which they have often acted in the past20 (see also Figure 5.1 on page 178).


Table 4.3 Old and new style advisers compared

Old style adviser                          New style adviser

Waits for requests                         Offers his services
Deals with ad hoc problems                 Develops long-term relationships
Does all the work                          Trains, checks, helps, encourages
Uses jargon                                Uses the client's vocabulary
Issues a report                            Issues a joint report with the client
Works in his own department                Spends time in the client's department
Concentrates on use of the tools           Concentrates on helping the client
Works for his supervisor                   Works for the client
Keeper of the tools                        Sharer of the tools
Develops the technology                    Gives equal weight to applying the technology
Works on technically challenging projects  Works on projects important to the client
Is a world class expert                    Belongs to a world class company
Accepts the client's assumptions           Does not get so close to the client that he
                                           'goes native' and accepts the client's
                                           assumptions uncritically

References in Chapter 4

1. Beckerman, W., 23 November 1979, The Times Higher Education Supplement, 14.
2. Canvey: An Investigation of Potential Hazards in the Canvey Island/Thurrock Area, 1978, 48 (HMSO, London, UK).
3. Kelly, A.P., Torn, A. and Emon, D.E., 1979, The role of probability analysis in the GCFR safety programme, NEA/IAEA GCFR Safety Specialist Meeting, Brussels, 13–15 March.
4. Kletz, T.A., 1991, An Engineer's View of Human Error, 2nd edition, especially Chapter 7 (Institution of Chemical Engineers, Rugby, UK).
5. Peschel, R. and E., 28 April 1990, British Medical Journal, 1145.
6. Tweeddale, H.M., 1993, in Health, Safety and Loss Prevention in the Oil, Chemical and Process Industries (proceedings of a conference held in Singapore on 15–19 February), 124 (Butterworth-Heinemann, Oxford, UK).
7. Grant, M., 1990, The Fall of the Roman Empire, 56 (Macmillan, New York, USA and Weidenfeld and Nicolson, London, UK).
8. Price, D., quoted by Kealey, T., 1997, in What Risk? — Science, Policy and Public Health, edited by R. Bate, 261 (Butterworth-Heinemann, Oxford, UK).
9. Hellman, H., 1998, Great Feuds in Science, Chapter 6 (Wiley, New York, USA).
10. Hines, K., 1992, Foreword to Neal, W., With Disastrous Consequences ..., xvii (Hisarlik, Welwyn Garden City, UK).
11. Kurtz, Z., March 1993, Journal of the Royal Society of Arts, 244 (reviewing Rose, G., The Strategy of Preventive Medicine (Oxford Medical Publications, UK)).
12. Royal Academy of Engineering Newsletter, Spring 1998, 2.
13. These figures appeared in a railway magazine in late 1982 or early 1983.
14. Advisory Committee on Dangerous Substances, 1991, Major Hazard Aspects of the Transport of Hazardous Substances (HMSO, London, UK).
15. Tweeddale, H.M., 1992, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 70(B2): 70.
16. Kletz, T.A., 1971, Hazard analysis — A quantitative approach to safety, Symposium Series No. 34, 75 (Institution of Chemical Engineers, Rugby, UK).
17. Kletz, T.A., 1994, Learning from Accidents, 2nd edition, Chapter 6 (Butterworth-Heinemann, Oxford, UK).
18. Hoyle, F., 1996, in The Global Warming Debate, edited by R. Bate, 180 (European Science & Environment Forum, London, UK).
19. Tweeddale, H.M., 1994, Conducting a peer review of a safety study, Chemeca 94 Conference, Perth, Australia, September.
20. Based on White, J., Agreda, C. and Rauch, H., 1993, Old thinking vs. New thinking for statisticians, CACHE Conference on Computer-Aided Process Operations, Crested Butte, Colorado, 18–13 July.
21. Victorin, M. and Warren, N., 1998, Chemistry in Britain, 34(12): 45.

Some of the material in this chapter is reprinted from Reliability Engineering, 1, T.A. Kletz, Hazard analysis — the manager and the expert, 35–43, Copyright 1981, with permission from Elsevier Science.


Objections to Hazop and Hazan

She had one major failing in that she tended to quantify benefits. Thus areas of endeavour which could not be quantified, such as education, fell into decline.
Newspaper report on Mrs Thatcher, November 1990

'To capture the public's imagination ... we have to make simplified dramatic statements, and little mention of any doubts one might have ... Each of us has to decide the right balance between being effective and being honest.'
S. Schneider28

This chapter discusses some of the objections that have been raised to the methods discussed in Chapters 2 and 3, mainly Chapter 3.

5.1 Objections to Hazop

The main objection to Hazop is that it results in expensive additions to plant cost and results in the project being overspent. The main objection to visiting the doctor is that it may result in expensive bills for treatment. Hazop is a technique for identifying problems. If the remedy is too expensive (and we cannot find a cheaper one) then we can, if we wish, decide to live with the problem. We can say that the remedy is not 'reasonably practicable'. This is a perfectly justifiable stance, though experience shows that there is always, or nearly always, a reasonably practicable way of meeting the targets described in Chapter 3. If the obvious remedy is too expensive, our ability as engineers enables us to find a cheaper solution. It is not justifiable, however, to fail to look for problems because we may not like what we find.

If you wish to adopt Hazop in your company, do not start by setting up a large team. Start by applying it to one or two designs and see if you find it useful. If so, the demand for it will grow (see Section 2.8, page 47).

Another objection to Hazop is that it takes up the time of the designers and prevents them getting on with the design. Again, this is like not going to see the doctor because we do not have time to do so. If we wait until we become seriously ill we may lose more time in the end. Experience has shown that the time spent in carrying out a Hazop, though it may delay completion of the design, is well repaid in a smoother start-up, earlier achievement of flowsheet output and trouble-free operation. One survey of four Hazop studies showed that apart from an increase in safety the financial savings were between five and 80 times the additional cost29.

A third objection, that 'good people' are a substitute for Hazop, is discussed in Section 2.4.4, page 30.

One company has suggested that to save time a Hazop should look only for departures from its design standards5. This may be acceptable if the process is a familiar one in which all hazards have been recognized and allowed for but if we are innovating, and there is usually some innovation, new hazards may not be recognized. Also, in most companies, standards lag behind the latest information and ideas.

5.2 Technical objections to Hazan

5.2.1 Insufficient data are available for meaningful calculations

It is true that the application of the technique is often limited by the availability of data. Good data are available on instruments and on standard fittings such as relief valves, and such data from one company or organization can be applied in another, with little error. But the same is not true of most mechanical equipment, as discussed in Sections 3.6.1–3.6.3 (pages 120–121) and 6.4 (page 197). Failure rates depend on the environment, on the maintenance policy and on the way the equipment is treated. In-house data usually have to be used.

However, even if little data are available, meaningful calculations may be possible, as illustrated by Section 3.8.6 (page 139) and by the following. Should a remotely-operated emergency isolation valve be installed in the suction line of a pump to isolate any major leaks that occur? Manual isolation will be impossible as most leaks will catch fire. The fire damage, including loss of production, is estimated at about £100,000 but we do not know how often the pump will leak. The cost of installing the remotely-operated valve is £10,000 or, say, £3000/year (depreciation, maintenance and return on capital). If the probability of a major leak is greater than once in 33 years the expenditure is justified. We may not need to start looking for failure data on pumps. Our experience may tell us that, particularly on a hot or cold duty, the failure rates of our pumps are well above this figure.

5.2.2 The models of the accidents are so oversimplified that they bear little relation to reality

Many incident scenarios are simple. For example, suppose the failure of level control and trip systems can result in a vessel overflowing; Hazan can tell us how often the trip should be tested and whether any additional protective equipment is necessary to reduce the overflow to any desired level (see Section 2.9, page 50). Section 3.8 (page 133) describes some more complex but well-defined examples and also some less well-defined situations where nevertheless Hazan was helpful in arriving at a decision. Very complex systems have been analysed on nuclear reactors and on an ethylene oxide plant1.

5.2.3 Not all hazards will have been identified so it is pointless quantifying those that have been

This can be a valid objection. Chapters 2 and 3 stress the importance of identifying hazards. It is little use quantifying some hazards if larger ones have been overlooked. Time is usually better spent looking for other hazards, or other ways in which the hazards can occur, than in quantifying with ever greater accuracy the hazards we have already discovered.

5.2.4 Human errors, including management errors, cannot be allowed for

Section 3.7 (page 130) shows that it is possible to take human error into account and the examples discussed in References 11–13 and 25 of Chapter 3 describe in detail how this is done. Several systems have now been devised for carrying out an audit of the management, awarding marks under various headings and multiplying equipment failure rates, or the overall risk for a site, by factors which may vary over a wide range20–22 (see Section 3.7, page 132). However, as stated in Chapter 1 and Section 4.5 (page 159), if management is incompetent, it is better to improve the management than introduce sophisticated techniques.

5.2.5 The resources required are excessive

As with Hazop, do not start with a large team. Start by applying Hazan to one or two problems and see if people find it useful. If so, the demand for the technique will grow.

All service functions can grow out-of-hand if they are allowed to tackle every problem that the clients bring forward. As discussed in Chapter 1, Hazan should be applied only to those problems that cannot be answered by reference to experience or generally accepted up-to-date codes of practice.

Table 5.1 Principles of hazard categorization for rapid ranking (From Reference 6, reproduced by permission of Mr J.E. Gillett and Process Engineering)

Area at risk   Description of risk   Hazard category
                                     1        2            3        4        5
                                     Minor    Appreciable  Major    Severe   Total