HAZARD & OPERABILITY STUDIES
Bayu Nurwinanto
Introduction
The technique of Hazard and Operability Studies,
or in more common terms HAZOPS, has been used and developed over approximately
four decades for 'identifying potential hazards and operability problems'
caused by 'deviations from the design intent' in both new and existing process
plants. Before progressing further, it might be as well to clarify some
aspects of these statements.
Potential Hazard and Operability Problems
You will note the capitalised 'AND' in the
heading above. Because of the high profile of production plant accidents,
emphasis is too often placed upon the identification of hazards to the neglect
of potential operability problems. Yet it is in the latter area that
benefits of a Hazop Study are usually the greatest. To quote an example,
a study was commissioned for a new plant. Some two years previously, and
for the first time, a similar study had been carried out on different plant at
the same site that was then in the process of being designed. Before the
latest review commenced, the Production Manager expressed the hope that the
same benefits would accrue as before, stating that "in his twenty years of
experience, never had a new plant been commissioned with so few problems, and
no other plant had ever achieved its production targets and break-even position
in so short a time".
Deviation from Design Intent
To deal firstly with 'design intent', all
industrial plant is designed with an overall purpose in mind. It may be
to produce a certain tonnage per year of a particular chemical, to manufacture
a specified number of cars, to process and dispose of a certain volume of
effluent per annum, etc. That could be said to be the main design intent
of the plant, but in the vast majority of cases it would also be understood
that an important subsidiary intent would be to conduct the operation in the
safest and most efficient manner possible.
With this in mind equipment is designed and
constructed which, when it is all assembled and working together, will achieve
the desired goals. However, in order to do so, each item of equipment,
each pump and length of pipework, will need to consistently function in a
particular manner. It is this manner that could be classified as the
'design intent' for that particular item. To illustrate, imagine that as
part of the overall production requirement we needed a cooling water
facility. For this we would almost certainly have cooling water circuit
pipework in which would be installed a pump as very roughly illustrated below.
A much simplified statement as to the design
intent of this small section of the plant would be "to continuously
circulate cooling water at an initial temperature of xx°C and at a rate of xxx
litres per hour". It is usually at this low level of design intent
that a Hazop Study is directed. The use of the word 'deviation' now
becomes more easy to understand. A deviation or departure from the design
intent in the case of our cooling facility would be a cessation of circulation,
or the water being at too high an initial temperature. Note the
difference between a deviation and its cause.
In the case above, failure of the pump would be a cause, not a deviation.
Industries in which the technique is employed
Hazops were initially 'invented' by ICI in the
United Kingdom, but the technique only started to be more widely used within
the chemical process industry after the Flixborough disaster in 1974.
This chemical plant explosion killed twenty-eight people and injured scores of
others, many of those being members of the public living nearby. Through
the general exchange of ideas and personnel, the system was then adopted by the
petroleum industry, which has a similar potential for major disasters. This
was then followed by the food and water industries, where the hazard potential
is as great, but of a different nature, the concerns being more to do with
contamination rather than explosions or chemical releases.
The reasons for such widespread use of Hazops
Safety and reliability in the design of plant
initially relies upon the application of various codes of practice, or design
codes and standards. These represent the accumulation of knowledge and
experience of both individual experts and the industry as a whole. Such application
is usually backed up by the experience of the engineers involved, who might
well have been previously concerned with the design, commissioning or operation
of similar plant.
However, it is considered that although codes of
practice are extremely valuable, it is important to supplement them with an
imaginative anticipation of deviations that might occur because of, for
example, equipment malfunction or operator error. In addition, most
companies will admit to the fact that for a new plant, design personnel are
under pressure to keep the project on schedule. This pressure always results in errors and
oversights. The Hazop Study is an opportunity to correct these before
such changes become too expensive, or 'impossible' to accomplish.
Although no statistics are available to verify
the claim, it is believed that the Hazop methodology is perhaps the most widely
used aid to loss prevention. The reason for this can most probably be
summarised as follows:
- It is easy to learn.
- It can be easily adapted to almost all the
operations that are carried out within process industries.
- No special level of academic qualification is required.
One does not need to be a university graduate to participate in a study.
The Basic Concept
Essentially the Hazops procedure involves taking
a full description of a process and systematically questioning every part of it
to establish how deviations from the design intent can arise. Once
identified, an assessment is made as to whether such deviations and their
consequences can have a negative effect upon the safe and efficient operation
of the plant. If considered necessary, action is then taken to remedy the
situation.
This critical analysis is applied in a
structured way by the Hazop team, and it relies upon them releasing their
imagination in an effort to discover credible causes of deviations. In
practice, many of the causes will be fairly obvious, such as pump failure
causing a loss of circulation in the cooling water facility mentioned
above. However, the great advantage of the technique is that it encourages
the team to consider other less obvious ways in which a deviation may occur,
however unlikely they may seem at first consideration. In this way the
study becomes much more than a mechanistic check-list type of review. The
result is that there is a good chance that potential failures and problems will
be identified that had not previously been experienced in the type of plant
being studied.
Keywords
An essential feature in this process of
questioning and systematic analysis is the use of keywords to focus the
attention of the team upon deviations and their possible causes. These
keywords are divided into two sub-sets:
- Primary Keywords: that focus attention upon a particular aspect of
the design intent or an associated process condition or parameter.
- Secondary Keywords: that, when combined with a primary keyword,
suggest possible deviations.
The entire technique of Hazops revolves around
the effective use of these keywords, so their meaning and use must be clearly
understood by the team. Examples of often used keywords are listed below.
Primary Keywords
These reflect both the process design intent and
operational aspects of the plant being studied. Typical process oriented
words might be as follows. The list below is purely illustrative, as the
words employed in a review will depend upon the plant being studied.
- Flow
- Temperature
- Pressure
- Level
- Composition
- Separate (settle, filter, centrifuge)
- React
- Mix
- Reduce (grind, crush, etc.)
- Absorb
- Corrode
- Erode
Note that some words may be included that appear
at first glance to be completely unrelated to any reasonable interpretation of
the design intent of a process. For example, one may question the use of
the word Corrode, on the assumption that no one would intend that corrosion
should occur. Bear in mind, however, that most plant is designed with a
certain life span in mind, and implicit in the design intent is that corrosion
should not occur, or if it is expected, it should not exceed a certain
rate. An increased corrosion rate in such circumstances would be a
deviation from the design intent.
Remembering that the technique is called Hazard
& Operability Studies, relevant operational words such as the following might
be added to the above:
- Isolate
- Drain
- Vent
- Purge
- Inspect
- Maintain
- Startup
- Shutdown
This latter type of Primary Keyword is sometimes
either overlooked or given secondary importance. This can result in the
plant operator having, for example, to devise impromptu and sometimes hazardous
means of taking a non-essential item of equipment off-line for running repairs
because no secure means of isolation has been provided. Alternatively, it
may be discovered that it is necessary to shut down the entire plant just to
re-calibrate or replace a pressure gauge. Or perhaps during commissioning
it is found that the plant cannot be brought on-stream because no provision for
safe manual override of the safety system trips has been provided.
Secondary Keywords
As mentioned above, when applied in conjunction
with a Primary Keyword, these suggest potential deviations or problems. They
tend to be a standard set as listed below:
Word | Meaning
No | The design intent does not occur (e.g. Flow/No), or the operational aspect is not achievable (Isolate/No)
Less | A quantitative decrease in the design intent occurs (e.g. Pressure/Less)
More | A quantitative increase in the design intent occurs (e.g. Temperature/More)
Reverse | The opposite of the design intent occurs (e.g. Flow/Reverse)
Also | The design intent is completely fulfilled, but in addition some other related activity occurs (e.g. Flow/Also indicating contamination in a product stream, or Level/Also meaning material in a tank or vessel that should not be there)
Other | The activity occurs, but not in the way intended (e.g. Flow/Other could indicate a leak or product flowing where it should not, or Composition/Other might suggest unexpected proportions in a feedstock)
Fluctuation | The design intention is achieved only part of the time (e.g. an air-lock in a pipeline might result in Flow/Fluctuation)
Early | Usually used when studying sequential operations, this would indicate that a step is started at the wrong time or done out of sequence
Late | As for Early
It should be noted that not all combinations of
Primary/Secondary words are appropriate. For example, Temperature/No
(absolute zero, or -273°C!) or Pressure/Reverse could be considered as meaningless.
In simple terms, the Hazop study process involves
applying in a systematic way all relevant keyword combinations to the plant in
question in an effort to uncover potential problems. The results are
recorded in columnar format under the following headings:
DEVIATION | CAUSE | CONSEQUENCE | SAFEGUARDS | ACTION
In considering the information to be recorded in
each of these columns, it may be helpful to take as an example the simple
schematic below. Note that this is purely representational, and not
intended to illustrate an actual system.
DEVIATION
The keyword combination being applied (e.g.
Flow/No).
CAUSE
Potential causes that would result in the
deviation occurring. For example "Strainer S1 blockage due to
impurities in Dosing Tank T1" might be a cause of Flow/No.
CONSEQUENCE
The consequences that would arise, both from the
effect of the deviation such as "Loss of dosing results in incomplete
separation in V1" and, if appropriate, from the cause itself, for example
"Cavitation in Pump P1, with possible damage if prolonged".
Always be explicit in recording the
consequences. Do not assume that the reader at some later date will be
fully aware of the significance of a statement such as "No dosing chemical
to Mixer". It is much better to add the explanation as set out above.
When assessing the consequences, one should not
take any credit for protective systems or instruments that are already included
in the design. For example, suppose the team had identified a cause of
Flow/No (in a system that has nothing to do with the one illustrated above) as
being spurious closure of an actuated valve. It is noticed that there is
valve position indication within the Central Control Room, with a software
alarm on spurious closure. They may be tempted to curtail consideration
of the problem immediately, recording something to the effect of "Minimal
consequences, alarm would allow operator to take remedial action".
However, had they investigated further they might have found that the result of
that spurious valve closure would be overpressure of an upstream system,
leading to a loss of containment and risk of fire if the cause is not rectified
within three minutes. It only then becomes apparent how inadequate is the
protection afforded by this software alarm.
SAFEGUARDS
Any existing protective devices that either
prevent the cause or safeguard against the adverse consequences would be
recorded in this column. For example, you may consider recording
"Local pressure gauge in discharge from pump might indicate problem was
arising". Note that safeguards need not be restricted to hardware…
where appropriate, credit can be taken for procedural aspects such as regular
plant inspections (if you are sure that they will actually be carried out!).
ACTION
Where a credible cause results in a negative
consequence, it must be decided whether some action should be taken. It
is at this stage that consequences and associated safeguards are
considered. If it is deemed that the protective measures are adequate,
then no action need be taken, and words to that effect are recorded in the
Action column.
Actions fall into two groups:
- Actions that remove the cause.
- Actions that mitigate or eliminate the
consequences.
Whereas the former is to be preferred, it is not
always possible, especially when dealing with equipment malfunction.
However, always investigate removing the cause first, and only where necessary
mitigate the consequences. For example, to return to the "Strainer
S1 blockage due to impurities etc." entry referred to above, we might
approach the problem in a number of ways.
- Ensure that impurities cannot get into T1 by
fitting a strainer in the road tanker offloading line.
- Consider carefully whether a strainer is required in
the suction to the pump. Will particulate matter pass through the pump
without causing any damage, and is it necessary to ensure that no such matter
gets into V1. If we can dispense with the strainer altogether, we have
removed the cause of the problem.
- Fit a differential pressure gauge across the strainer,
with perhaps a high dP alarm to give clear indication that a total blockage is
imminent.
- Fit a duplex strainer, with a regular schedule of
changeover and cleaning of the standby unit.
Three notes of caution need to be borne in mind
when formulating actions. Do not automatically opt for an engineered
solution, adding additional instrumentation, alarms, trips, etc. Due
regard must be taken of the reliability of such devices, and their potential
for spurious operation causing unnecessary plant down-time. In addition,
the increased operational cost in terms of maintenance, regular calibration,
etc. should also be considered (the lifetime cost of a simple instrument will
be at least twice its purchase price; for more complex instrumentation this
figure would be significantly greater). It is not unknown for an
over-engineered solution to be less reliable than the original design because
of inadequate testing and maintenance.
Finally,
always take into account the level of training and experience of the personnel
who will be operating the plant. Actions that call for elaborate and
sophisticated protective systems are wasted, as well as being inherently
dangerous, if operators do not, and never will, understand how they
function. It is not unknown for such devices to be disabled, either
deliberately or in error, because no one knows how to maintain or calibrate them.
Considering all Keywords - The Hazop procedure
Having
gone through the operations involved in recording a single deviation, these can
now be put into the context of the actual study meeting procedure. From
the flow diagram below it can be seen that it is very much an iterative process,
applying in a structured and systematic way the relevant keyword combinations
in order to identify potential problems.
P & ID (Hazard and Operability Studies)
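The procedure described above, as an added example that is not part of the original article: a small Python helper that generates the Primary/Secondary deviation labels for a keyword set in walk-through order, skips the combinations the text calls meaningless, and builds worksheet rows under the five column headings. It records the consequence in full without taking credit for existing safeguards, lists the safeguards in their own column, and, when the team judges those safeguards inadequate, prefers a candidate action that removes the cause over one that only mitigates the consequence. It goes slightly beyond the text in that the same generator works for the operational keyword list as well as the process one. The keyword lists and the two worksheet rows are constructed from the article's own cases; the `deviations`, `record` and `render` function names, the `Entry` class, the exclusion set and the relief-protection action in the valve row are assumptions made here.

```python
from dataclasses import dataclass, field
from itertools import product

# Keyword sets taken from the article's illustrative lists; a real study
# uses whatever words suit the plant under review.
PRIMARY_PROCESS = ["Flow", "Temperature", "Pressure", "Level", "Composition"]
PRIMARY_OPERATIONAL = ["Isolate", "Drain", "Vent", "Purge", "Startup", "Shutdown"]
SECONDARY = ["No", "Less", "More", "Reverse", "Also", "Other",
             "Fluctuation", "Early", "Late"]

# The two pairs the article calls meaningless. Assumption: a team would
# extend this set for its own plant; it is not a recommended exclusion list.
MEANINGLESS = {("Temperature", "No"), ("Pressure", "Reverse")}

REMOVE_CAUSE = "remove cause"
MITIGATE = "mitigate consequence"
NO_ACTION = "No action required; existing safeguards considered adequate."


def deviations(primary, secondary=SECONDARY, meaningless=MEANINGLESS):
    """Every Primary/Secondary deviation label, in the order the team would
    walk through them, skipping combinations flagged as meaningless."""
    return [f"{p}/{s}" for p, s in product(primary, secondary)
            if (p, s) not in meaningless]


@dataclass
class Entry:
    """One worksheet row: DEVIATION / CAUSE / CONSEQUENCE / SAFEGUARDS / ACTION."""
    deviation: str
    cause: str
    consequence: str
    safeguards: list = field(default_factory=list)
    action: str = NO_ACTION


def record(deviation, cause, consequence, safeguards, safeguards_adequate,
           candidates=()):
    """Build one worksheet row. The consequence is written down in full with
    no credit taken for safeguards; the team's separate adequacy judgement
    decides whether an action is needed. Candidates are (kind, text) pairs;
    one that removes the cause is chosen ahead of one that only mitigates."""
    primary, secondary = deviation.split("/")
    if primary not in PRIMARY_PROCESS + PRIMARY_OPERATIONAL or secondary not in SECONDARY:
        raise ValueError(f"unknown keyword in {deviation!r}")
    if (primary, secondary) in MEANINGLESS:
        raise ValueError(f"{deviation} is a meaningless combination")
    entry = Entry(deviation, cause, consequence, list(safeguards))
    if not safeguards_adequate:
        if not candidates:
            raise ValueError("safeguards inadequate but no candidate action given")
        # Stable sort: remove-cause actions first, original order otherwise.
        kind, text = sorted(candidates, key=lambda c: c[0] != REMOVE_CAUSE)[0]
        entry.action = f"[{kind}] {text}"
    return entry


def render(entries):
    """The columnar worksheet as text, one pipe-separated line per row."""
    rows = [("DEVIATION", "CAUSE", "CONSEQUENCE", "SAFEGUARDS", "ACTION")]
    rows += [(e.deviation, e.cause, e.consequence,
              "; ".join(e.safeguards) or "-", e.action) for e in entries]
    return "\n".join(" | ".join(cells) for cells in rows)


# Constructed rows built from the two cases discussed in the article.
STRAINER_ROW = record(
    "Flow/No",
    "Strainer S1 blockage due to impurities in Dosing Tank T1",
    "Loss of dosing results in incomplete separation in V1; "
    "cavitation in Pump P1, with possible damage if prolonged",
    ["Local pressure gauge in discharge from pump might indicate problem was arising"],
    safeguards_adequate=False,
    candidates=[
        (MITIGATE, "Fit a differential pressure gauge across S1 with a high dP alarm"),
        (REMOVE_CAUSE, "Fit a strainer in the road tanker offloading line so impurities cannot reach T1"),
        (MITIGATE, "Fit a duplex strainer with scheduled changeover and cleaning"),
    ],
)

VALVE_ROW = record(
    "Flow/No",
    "Spurious closure of actuated valve",
    "Overpressure of upstream system, loss of containment and risk of fire "
    "if not rectified within three minutes",
    ["Valve position indication in Central Control Room, software alarm on spurious closure"],
    safeguards_adequate=False,
    # Hypothetical action; the article only shows that the alarm alone is inadequate.
    candidates=[(MITIGATE, "Pressure relief on the upstream system (hypothetical)")],
)

if __name__ == "__main__":
    print(len(deviations(PRIMARY_PROCESS)), "process deviations to walk through")
    print(render([STRAINER_ROW, VALVE_ROW]))
```

Running the module prints the number of deviations the team would have to walk through for the five process keywords and then the two worksheet rows. The sort key in `record` is the whole of the "remove the cause first" rule: it only reorders the candidates the team has already written down, so a study that lists only mitigations still gets a recorded action.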