
20 | Loss Prevention Bulletin 227

October 2012

Trevor Kletz anniversary

Lessons learned from forty years of Hazop


J.R.Taylor, Taylor Associates ApS, Denmark
These lessons learned are based on experience from 130 Hazop studies over a period of (actually) 36 years (the first four years were not true Hazops). Several of the lessons have been published before. Most of these though are the result of long term follow up of actual on-site experience, some of them from accident experience.

My first introduction to Hazop was at Risø National Laboratory, in Denmark. The group I was working in, with Jens Rasmussen as department head, was preparing for a safety assessment of a nuclear power plant. My own interest, after having worked in a troubleshooting team in the nuclear industry, was in design error. A few of us were especially interested in hazard identification techniques which would perform better than the widely used fault tree and event tree analysis, and especially in developing methods which could take human error into account. This led to the development of cause consequence analysis [1], among many other techniques. We had a request for help from a chemical company that had had an accident in making sodium methylate, and developed cause consequence analysis to give a complete interlock system covering all potential operation errors and latent hazards [2].

The work on improving hazard identification methods took a major step forward when Barry Gibson, of ICI Ltd, held a workshop for us in Copenhagen, in 1974. Representatives from most of the chemical and power companies participated. The introduction was followed up with a trial use Hazop on a sodium hypochlorite unit, reacting chlorine with sodium hydroxide. One of the predictions of the Hazop was that on power failure, circulation of hot water in the chlorine evaporator would stop, the temperature would drop, the water freeze, and the evaporator tubing would crack. It was decided that a temperature alarm would be fitted on the evaporator, there should be glycol in the heating water, and that there should be an emergency backup for the pump power supply. Also, that there should be a chlorine detector at the expansion tank for the heating water [3].

During commissioning, the power supply failed. This resulted in an accident precisely as predicted in the Hazop, with six fatalities among the local chicken population. The emergency power supply had not been delivered at the time of commissioning. The glycol addition had been forgotten. The temperature alarm had been fitted on the water discharge of the evaporator, so that it would work well at all times except when it was needed. And the response time of the chlorine detector (an aspirating type) was too long to be useful. Also, the Hazop report had been archived.

Lesson 1. There is no such thing as a trial Hazop; all safety assessments are serious, and must be treated as such.

Lesson 2. Hazop is a powerful technique. It predicted an accident quite accurately on its first use in Denmark.

Lesson 3. Actions listed from the Hazop must be closed before commissioning.

Lesson 4. The action sheets recording the actions from the Hazop must be written sufficiently clearly that the discipline engineers implement the intent of the action, and not just the title.

Lesson 5. Implementation of actions/recommendations must be checked.

Lesson 6. The dynamics of accidents, and of safety measure response, need to be taken into account when describing scenarios.

About three years later, a further lesson was learned when a runaway occurred, due to too high reactor temperature, leading to the formation of sodium chlorate.

Lesson 7. Check the full chemistry of any reaction or mixing of chemicals, including side reactions and unwanted reactions.

Following this, several Hazop studies were carried out during the 1970s, including a relatively large one for a gas receiving and sweetening plant, intended to take natural gas from the North Sea to supply Denmark. This was one of the first confrontations between US design approaches and European safety analysis, and there was much discussion of the relative merits of good design standards vs. Hazop in LPB [4]. Time has proved that both sides of the discussion were right.

Validation of Hazop
A next major step was a research project, funded by the Danish Technical Research Committee, with some five man years of funding, to validate hazard identification and risk analysis techniques. Part of the project involved the research team joining with a chemical company to build a small chemical plant unit, initially intended to be a full urethane production, later just a urethane/methanol/water distillation unit. Because of design changes, the plant was actually hazopped three times, with fairly long periods between the studies, so that omissions could be found and changes in scenario description could be studied. The unit was also analysed using action error analysis, a technique which we developed to deal with human error and latent hazards [5, 6].

It seems to have been forgotten by most practitioners that the first published description of Hazop, by the Manufacturing Chemists Association [7], contained two procedures, one dealing with the plant in a steady operating state (what is now referred to as Hazop), and a second providing a step by step analysis of operations in start up, shut down and batch operations. Sadly, many modern analyses suffer because hard won lessons from the past are forgotten. Some of the guide words from the dynamic analysis approach are included in some modern Hazop studies, but never with the full power of the original. Action error analysis is a combination of techniques which combines the step by step analysis of the original second Hazop method, a check list of error modes, the Skills Rule Knowledge model providing a systematic taxonomy of error causes, and a systematic approach to discovering latent hazards for each operational step.

Also included in the study was a large check list based assessment, similar to the modern Hazid approach, but with a much more extensive list of hazards than is common today (dubbed by my students "A thousand ways to die"), a precommissioning audit, a period actually participating in plant operation, and follow up for a number of years [8]. Figure 1 shows the relative numbers of hazards found (not weighted by importance, unfortunately). As can be seen, Hazop detected a disappointing 22%, the action error analysis many more, and the check list added only 1%. Pre commissioning audit detected some 12% of potential accidents, and 2% were found only by events and near misses in the actual operation. This description is correct, but is a little unfair to the steady state version of Hazop. Concerning the potential accidents which could have been detected by studying P&IDs, 92% were found. This leads to the following lesson.

Lesson 8. Hazop is not a complete solution to hazard identification, as it analyses P&IDs, which are only a representation of some aspects of the plant.

The follow up of why accidents/incidents were not found is probably the most important result of the study. A problem that could not be seen on the P&ID was that of residue unloading. The residue, a white tarry substance, was regarded as a hazardous material, to be collected in drums and sent for incineration at a chemical waste plant. The drums were placed on a weighing machine to ensure that they were exactly half filled, as required for destruction. When the first batch was run, the shut off valve closed precisely at the right time. Then the afterflow from the lower part of the drain line added a few extra kilos, at which point the weigh machine set point was passed and the valve opened, allowing the barrel to fill and overflow. No one was hurt, but a nasty clean up job followed.

This gave the following lesson:

Lesson 9. Performance of instruments must be checked for a full range of parameters. Preconceptions about how an instrument works can be dangerous.

The reasons for oversights in Hazops were investigated. A list from the urethane project and later studies is given in Table 1. The phenomenon called masking arises when there is a difficult problem, discussed at length, which absorbs so much effort that a simple problem in the same area is overlooked. Judgement errors arise when there is a quantitative problem, such as "can leakage from a heat exchanger tube cause overpressuring of the heat exchanger shell?". Such judgements are frequently required in Hazop. A curious phenomenon identified was that of "too much experience". This occurs when someone says "I have seen that occur, but there was no significant consequence". Similar work in validating Hazop was carried out by Suokas and his colleagues, more or less in parallel with the urethane plant study, with similar conclusions.

Table 1: Cause of incompleteness in analyses (as observed in 30 hazops with follow up)

Cause of incompleteness | Percentage | Possible improvements
Lack of knowledge - the whole scientific and engineering community | 0.2% | Experiments; pilot plants; literature
Lack of knowledge - the individual | 6% | Engineer studies; case story collections; training in risk analysis
Too narrow a framework for the analysis | 1 to 5% | Guidelines for scoping analyses
Analysis of documents which do not reflect the system | 7% | Onsite inspection; as built drawings
Errors in drawings | 1% | As built drawings
Limited resources for analysis | 22% | High quality check lists
Simple oversights | 5% | Improvement in analysis procedure
Masking | 2% | A long list of accident cases
Judgement errors | 5 - 15% | Quick rule of thumb calculations which can be applied in the Hazop; good access to design calculation tools
Problems introduced later | 4% | Follow up; change control

Figure 1: Increase in analysis completeness as effort increases, for urethane distillation (Taylor 1982). [Bar chart: % Complete (0 to 100) by Method: HAZOP, AEA, HAZTREE, INSPECTION, OPS]

Automated hazop
One of the projects completed at Risø National Laboratory was to automate the Hazop process, using disturbance models and a disturbance propagation algorithm. This project was technically a success [9], but unfortunately overlooked a major aspect of Hazop. One of the main benefits is to achieve mutual understanding and consensus in a design group. Automatic analysis fails to do this. Nevertheless, automated analysis has some useful features, in particular thoroughness and consistency.

About one year after the completion of commissioning of the urethane distillation unit, I was building up a new Hazop analysis using the semi automatic tool. I was tracing the possible causes of contamination for the boiling urethane and tracked through the distillation condenser/dephlegmator, the reflux valve, the product manifold, the fraction vessels, and the vessel vent lines to the methanol vent trap, which was a brine condensation coil made of glass. The software correctly identified this as a possible cause of contamination, due to breakage of the coil. However, it was also obvious that cold brine, entering the 165°C urethane, would cause a steam explosion. I (calmly) telephoned the project engineer. He replied "Oh, don't worry, it happened last week, but the burst disk opened and the batch collected in the vent knock out drum." The glass coils were replaced by stainless steel. Note that my judgement (imagination) made the incident much worse than the actuality. This was a relief, and a disappointment.

If Hazop requires tracing causes through six nodes or more, then there is little chance of achieving completeness. The cause identified was found after investigating over 250 branches in the causal tree. On standing back though, it was possible to see that the presence of hot oil and water in a plant can in principle cause a steam explosion. All that is necessary is to determine whether there is a possible path which can bring the two substances together. This led to the adaptation of sneak analysis [8] to chemical plant, and development of a more suitable algorithm for sneak path analysis [10]. This approach has been taken further by Whetton [11]. So a further lesson is:

Lesson 10. Always follow up Hazop analysis on a chemical plant with a reaction matrix analysis and a sneak path analysis [6]. Since sneak path analysis need not take much more than 15 minutes for a unit unless there actually are significant problems, this is a good investment of effort, and has helped us prevent serious accidents.
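One way to mechanise the sneak path check described above, as an added example that is not the author's tool or algorithm: a fewest-failures reachability search over a constructed connectivity model of the distillation unit (the node names, the reverse-flow edges, the inventory and the reaction matrix entry are all assumptions), reporting for each incompatible pair whether a path brings the two substances together and which failures that path needs.

```python
"""Sneak path screening over a P&ID connectivity model (added example).

For every pair of substances the reaction matrix says must never meet, ask
whether some path through the plant (a designed flow path, or one opened by
a failure) can bring them together, and list the failures that path needs.
"""
from collections import deque

# Constructed connectivity model of the urethane distillation unit discussed
# in the text. Node names and the reverse-flow edges are assumptions made for
# this example, not the plant's drawings. Each edge is (from, to, condition):
# "normal" is a designed flow path; any other label names the single failure
# that would open that path.
EDGES = [
    ("still", "condenser", "normal"),
    ("condenser", "reflux_valve", "normal"),
    ("reflux_valve", "still", "normal"),
    ("condenser", "product_manifold", "normal"),
    ("product_manifold", "fraction_vessels", "normal"),
    ("fraction_vessels", "vent_line", "normal"),
    ("vent_line", "methanol_vent_trap", "normal"),
    # the brine condensation coil sits inside the vent trap
    ("brine_circuit", "methanol_vent_trap", "glass coil breakage"),
    # liquid accumulating in the trap can drain back down the vent line
    ("methanol_vent_trap", "fraction_vessels", "trap floods and drains back"),
    ("fraction_vessels", "product_manifold", "reverse flow through manifold (no check valve)"),
    ("product_manifold", "condenser", "reverse flow into condenser (no check valve)"),
]

# Substances held at each node (constructed).
INVENTORY = {
    "still": {"urethane at 165C"},
    "brine_circuit": {"cold brine"},
    "methanol_vent_trap": {"methanol"},
}

# Reaction matrix: unordered pairs that must never meet, and the hazard if
# they do (constructed; methanol has no entry, so it is never reported).
REACTION_MATRIX = {
    frozenset({"urethane at 165C", "cold brine"}): "steam explosion",
}


def build_graph(edges):
    """Adjacency list: node -> [(next_node, condition), ...]."""
    graph = {}
    for src, dst, cond in edges:
        graph.setdefault(src, []).append((dst, cond))
        graph.setdefault(dst, [])
    return graph


def fewest_failure_paths(graph, start):
    """0-1 breadth-first search from start.

    A designed edge costs 0 and a failure-conditioned edge costs 1, so the
    result holds, for every reachable node, the path needing the fewest
    independent failures: {node: (failure_count, [(from, to, condition)])}.
    """
    best = {start: (0, [])}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        cost, path = best[node]
        for nxt, cond in graph.get(node, []):
            step = 0 if cond == "normal" else 1
            if nxt not in best or cost + step < best[nxt][0]:
                best[nxt] = (cost + step, path + [(node, nxt, cond)])
                # zero-cost edges go to the front so the search stays ordered by cost
                if step == 0:
                    queue.appendleft(nxt)
                else:
                    queue.append(nxt)
    return best


def sneak_paths(edges=EDGES, inventory=INVENTORY, reaction_matrix=REACTION_MATRIX,
                max_failures=None):
    """Screen every inventory against every other for incompatible pairs.

    Returns sorted (substance, other_substance, meeting_node, hazard, failures)
    tuples, where failures lists the conditions the path depends on. When a
    limit is given, paths needing more than max_failures independent failures
    are dropped, which is the usual credibility cut-off in practice.
    """
    graph = build_graph(edges)
    findings = []
    for src_node, substances in inventory.items():
        for dst_node, (nfail, path) in fewest_failure_paths(graph, src_node).items():
            if dst_node == src_node:
                continue
            if max_failures is not None and nfail > max_failures:
                continue
            for a in substances:
                for b in inventory.get(dst_node, ()):
                    hazard = reaction_matrix.get(frozenset({a, b}))
                    if hazard:
                        failures = [c for _, _, c in path if c != "normal"]
                        findings.append((a, b, dst_node, hazard, failures))
    return sorted(findings)


if __name__ == "__main__":
    for a, b, node, hazard, failures in sneak_paths():
        print(f"{a} can reach {b} at {node}: {hazard}")
        for f in failures:
            print(f"  needs: {f}")
```

The brine reaches the still only through four failures; with a cut-off of two the path is screened out, which is exactly the kind of judgement the text warns has to be made explicitly rather than assumed.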

Follow up
Over the years, twelve accidents have occurred with serious consequences on plants and pipelines which were the subject of Hazops with the author as chairman. It is perhaps not surprising that there should be some accidents; over 150 plants over a period of 30 years were analysed, many of them quite large plants such as complete refineries. It is nevertheless disappointing that the analysis effort could not eliminate the accident potential. All of the accidents which occurred were predicted, some of them precisely. In each case the recommendations were made but not implemented. There are several reasons for non-implementation:

1. In one case, a plant manager simply refused to implement a permit to work system, because of the cost. He preferred a process called "safe written procedures". There was nothing the Hazop participants could do to persuade him, and one safety officer resigned from the company. As an external consultant in such a situation one is torn. Should one stay, to make the best of a bad job, or leave, hoping the protest will give pause for thought? In the actual case, the issue was moot; we were all thrown out. The accident occurred three years later, due to bad maintenance practice in opening a vessel instrument flange, and a serious error on the part of the maintenance supervisor in not isolating the vessel. A flash fire/vapour cloud explosion occurred, killing 11 people, and causing the plant to be shut down.

2. In only one other case has a manager actually refused to implement a recommendation, for a carbon monoxide detector on an off gas furnace, where an oxygen sensor was already installed. The reason was the high cost, and in retrospect, the manager had a point. The cost would have been $1 million. He approved the installation a year later anyway as more background information became available.

3. In one case, a modification to remove a water hose from the top of a melting furnace was approved by management and the hose removed. It was apparently reinstalled by a foreman operator some months later. He died in a steam explosion resulting from use of the hose.

4. The most common cause of non-implementation has been deferral until the next turn round because of the high cost of shutdown for modifications. This is a reasonable argument, but breaks down completely when it is found that there isn't enough time for the modification at the next turn round. Even worse, if the modification is simply forgotten.

5. A similar, but more culpable, reason for recommendations not to be taken up is that of saying yes but meaning no. There are many ways for a manager to avoid doing what he feels is unnecessary.

6. In one case, that of a particularly vulnerable pipeline, the recommendation was made, but in a forum far removed from the organisation where the recommendation could be acted upon. The recommendation would have had to pass up the chain of authority through four levels, and down five, for the recommendation even to be known about. The accident occurred four years later, and caused massive fatalities. In retrospect, this would have been a hazard to highlight, and a risk reduction to fight for. However, in the assessment, it was only number 18 on a priority list of 40 identified.

7. Postponement by committee is one well known way of avoiding action in political life. It can occur in engineering too.

It is always reasonable for a designer or a manager to reject a recommendation if the rejection is well argued and documented, and preferably an alternative risk reduction measure found. Just to ignore a recommendation has proven to be unsafe, and in addition, imposes a terrible liability on the company and the individual. It is worse for the company to have a Hazop and ignore the recommendations than not to have a Hazop at all. This can be seen especially in the reports from the US Chemical Safety Board. Lessons learned from these incidents:

Lesson 11. Follow up is extremely important, and there needs to be a system for implementation with time limits. In modern practice, both authorities and insurance company loss prevention specialists help to stiffen the company's own resolve.

Lesson 12. It is good to support Hazop recommendations with case histories of earlier accidents where recommended measures were not available. Loss Prevention Bulletin is a good source of such stories. These are even better if supported by photographs.

Lesson 13. Realistic ALARP assessments serve well to justify investment in safety. However, remember to include in the calculation both asset loss and business interruption loss, and the costs and impediments arising from loss of reputation, such as delays in licensing and refusals of planning permission. These costs can be much larger than the implied cost of avoiding a fatality.

Lesson 14. ALARP calculations based on rough estimates of frequency, or risk matrices, are rarely useful. Hard frequency data is needed. Fortunately there are now several readily available sources of such data.

The situation has improved through the years. I have experienced challenges to Hazop recommendations, but not outright rejection since the early 1990s, and virtually all the recommendations since have been implemented. It has though, sometimes taken some years for some of the recommendations to be actually put into operation. One amusing case (no one was hurt) was a recommendation to remove a 14 storey engineering building, or alternatively to remove the alkylation plant situated 150 m away from it. On returning for a follow up visit some six months later I was surprised to find the building gone. Never had so expensive a Hazop recommendation been implemented so swiftly. On asking, I was told "The Hazop risk calculations were correct; there was a pump seal leak, and the engineering staff were isolated by a cloud of hydrogen fluoride for two days."

The problem of reversal of Hazop actions referred to above occurred on a tank which was blanketed with nitrogen. On recommendation from the Hazop, an inlet and an outlet pressure control valve were provided for each tank, so that nitrogen could flow in when needed during tank emptying, and would only flow out on tank filling. The nitrogen discharged to an incinerator. Some time after plant commissioning, the regulatory authority required that the line to the incinerator be removed (the reason was never made clear). Unfortunately, with removal of the nitrogen outlet line, the outlet valve was also removed, so that the tank was open to the atmosphere. About a year later, an external lagging fire occurred, causing the contents of the tank to evaporate, and a small amount of the liquid, at the surface, close to the fire, to decompose. This ignited the vapour, now mixed with air from the open flange, causing a major fire induced tank explosion and rocketing. This leads to the next lesson:

Lesson 15. Operators, maintenance engineers and contractors designing modifications should be required to read the Hazop reports and the actions, in order to understand the hazards and the purpose of safety measures.

Hazop as a regulatory tool

Partly as a result of good experience with Hazop and a general distrust of QRA due to the lack of data and the rather arbitrary use of assumptions in the early 1980s, the Danish Green Book on the implementation of the Seveso Directive recommended Hazop (and similar identification tools) as the primary approach to what became COMAH studies. In the event, the Hazop scenarios with serious consequences were documented using safety barrier diagrams (a more flexible version of the bow tie diagrams widely used today). Semi-quantitative risk acceptance criteria were developed to determine the acceptability of the results [12]. One of the precautionary rules developed in the risk acceptance guidelines was that the acceptance criterion for individual scenarios should be tightened as the number of scenarios increased. For example, if there were ten major hazard scenarios with consequences for the public, the frequency for each should be ten times lower than the overall frequency limit. This kind of rule is forgotten, or the need not recognised, in today's HAZID and HAZOP analyses, which means that many serve to systematically increase risk. So another lesson learned is:

Lesson 16. If there are many accident scenarios identified in a Hazop analysis, then the acceptable risk for each must be reduced proportionately to the number of scenarios.

One of the benefits of the approach to regulation based on Hazop and safety barrier diagrams was to focus on the quality of barriers, similar to the safety critical systems approach to risk management in wide use today. The approach has served our country well. However, when all Seveso directive reports were completed in 1989, there arose the question of what to do about the risk level. An overall comparative quantitative risk assessment was made for 18 of the 25 major hazards plants in the country (seven were not analysed because of similarities to others). As part of this study, the quality of the Hazop reports was assessed. This was done by using a new semi automated Hazop approach, which essentially provided generic Hazop analyses for each equipment type. The generic analyses were effectively the sum of the Hazop analyses completed over the previous 15 years. The tool (HAZEX) included questions about the relevance of each hazard cause and the presence of each generic safety barrier in the actual plant. This provided at least a consistent reference analysis for each plant. Scoping rules were used to limit the amount of work for analysis of complex plants such as refineries.

Lesson 17. (Semi) automated Hazop can be used for something useful, namely cross checking proper Hazop.

Completeness results for the analyses are given in Table 2, from the COMAH studies, and from a number of later Hazop third party reviews. For these analyses, it was possible to weight the completeness results according to importance, because of the availability of risk analysis results. A further lesson is derived from the completeness statistics:

Lesson 18. Hazop studies can be truly awful, and you often cannot tell which are bad without going into detail.

Following the QRA, and presentation of the conclusions to parliament, encouragement to reduce risk was given with priority according to degree of risk. One major project was replacement of a 15,000 tonne cryogenic ammonia storage, and the associated ship transport, in the middle of the city of Fredericia, by a very high quality cryogenic pipeline from an ammonia terminal at 12 km distance [13]. Risk reduction results are shown in Figure 2.


Table 2: Results from a series of risk analysis follow up reviews

Columns: No, Style, Author, Approach, Q, S, D, C, V, H, C% (rows numbered 1 to 37).

Key:
Q = degree of quantification: D = detailed identification, C = selective consequence calculation, P = selective probability calculation, F = full probabilistic and consequence calculation
S = number of explanatory scenario descriptions
D = number of disturbances per vessel or failure modes per component (FMEA)
C = number of accident causes per vessel found
V = number of vessels analysed
H = number of man hours used per vessel
C% = degree of completeness as measured

Table body (values as extracted; the column alignment did not survive extraction):
No 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 36 37 Style Hazop Summary, Hazop Summary Hazop Hazop Hazop Hazop Hazop What if Hazop Hazop Full QRA Full QRA Consequences Consequences Consequences Consequences Consequences Consequences Hazop Summary Summary + Hazop Full QRA Hazop Hazop Consequence Hazop Hazop Hazop full QRA full QRA summary + Hazop Reference plant comparison Reference plant comparison automated Hazop automated FMEA automated design rev. Author company consultant + company consultant consultant consultant consultant + company consultant company consultant company + consultant consultant company company company company company company consultant consultant consultant consultant consultant company company consultant consultant consultant consultant consultant consultant consultant consultant consultant consultant consultant Vessel Checklist Checklist Vessel Checklist Vessel Checklist Vessel Checklist Vessel Checklist Checklist Checklist Checklist Checklist Vessel Checklist Vessel Checklist Unit level analysis Vessel, line and operation Vessel, line and operation vessel, line a operation all components all components D F D F Approach Line, guideword vessel, checklist Unit level Analysis Vessel Checklist Vessel, Checklist Vessel line Checklist Vessel line Checklist Checklist Vessel Checklist vessel Checklist vessel Checklist Q D S D S N D C D C D C D C D C D C D C D C,P C,P S,U D.C D,C D,C D,C D F D F D C D C S 6 600 10 650 10 2 2 400 2 0 2 D 6 8 8 7 7 9 7 10 7 12 8 10 120 30 140 20 4 20 60 6 6 6 6 6 6 16 C 12 40 40 28 6 22 4 2 16 12 16 10 4 10 14 2 20 320 18 20 16 10 0 80 2 16 10 8 96 16 40 84 98 98 20 22 34 10 10 10 7 144 136 247 4 4 30 120 20 50 20 24 24 10 17 15 32 48 65 2176 components
V 122 210 210 6
H 30 22 31 40 44 25
C% 98 84 83 83 80 83 83 46
8 4 3
42
80
78 66
25 200 130 40 20 40 20 10 10 80 26 8 4
92 94 24 low low low low low 88 80 88 96 67 74 78 77 62 68 97 96 92
D F D F U F D F D F
30 30 420 17 17 17 -
5 6 6 .01
98 98 99 100 57


Figure 2: Comparison of frequency consequence curves at different stages of risk reduction. [Plot titled "Fertiliser plant at Fredericia risk reduction": frequency per year (10^-1 down to 10^-6) against fatalities (10 to 10000), with curves for the original risk level, the risk level after Hazop improvements, the risk level after QRA, and the risk level after QRA and emergency plan.]

Further lessons can be learned from Figure 2:

Lesson 19. Hazop and QRA are complementary and should be used to support each other.

Lesson 20. QRAs should always include results from Hazop.

Hazop as a mature discipline

Through the 1990s, some 50 whole plant QRAs were carried out and followed up, including some large plants (refineries, polyethylene plants, a BTX plant, and fertiliser plants, and also a few oil field developments). For each, the Hazop was followed by a review of earlier accidents, using Loss Prevention Bulletin, Loss Prevention Conference reports, Ammonia Safety and our own accident investigations as sources. From the 1990s onwards, it became obvious that knowledge of accident phenomena was a big difficulty in achieving good coverage. To date, there are over 150 physical phenomena important for accident scenario identification, including nine different kinds of liquid hammer. It is unreasonable to expect plant operators or process engineers to know all of these, especially as some have not been published at all. In Hazop training courses, it was found that process engineers generally knew about 20% of the important phenomena.

Lesson 21. The discipline of safety engineering is becoming mature, and it is very worthwhile to have a qualified safety engineer in the Hazop team.

Lesson 22. Current published Hazid check lists are woefully inadequate, including those given in international standards.

Lesson 23. There is a need for better safety engineering training material.

It is often stated that Hazop is not a design review, and the design basis should not be questioned. As stated in this way, the point of view is obvious nonsense, because design error is the second largest contributor to major accidents (the largest is management error, see reference 14). Hazop is one of the few processes that can actually identify design errors. There is nevertheless a fundamental truth in the statement: Hazop cannot deal with quantitative errors, such as under-dimensioning of safety valves, or with deviations in detail from individual design philosophy and practice. Since such errors contribute to the record of major hazards (see reference 15), the following lesson is concluded:

Lesson 24. There is a need for a well defined safety design review process to cover the problems which cannot be reached by Hazop. Such a process has been developed, involving both typical design philosophy requirements and equipment performance standards, sizing rules of thumb and simple design safety calculations. Examples of simple quick calculations are for level control valve gas blowby, and Joule Thomson cooling versus low temperature embrittlement. There is no intent in this process to repeat the detailed design calculations, just to check underlying design assumptions and to check the order of magnitude of design calculation results. If discrepancies are found, the design can be questioned or more detailed calculations carried out.

Lesson 25. Use a list of accident case histories to check your Hazop. The list should be long. UK HSE, US Chemical Safety Board, and especially Loss Prevention Bulletin, are the best sources. The list should be sorted by equipment type and by process materials for efficiency. If, on checking a Hazop against an accident case, you find you have missed something, don't just modify the Hazop. Ask yourself why the case was missed.

Modern Hazop practice


Since 2001, the author has worked mostly with companies in the oil industry, with an extremely good Hazop practice. Hazids are required at conceptual design stage, Hazops at front end engineering stage, both at 40 to 60% completion and at 90% completion. As-built Hazops are performed, and the Hazop is repeated every five years. Over 40 years, Hazop has really come of age. Also, QRAs are required at FEED and operational stages, and are often made for conceptual designs. The presence of persons with direct operational experience is very valuable. As an example, in an oil terminal Hazop, an operator pointed out that with time the quantity of water in the oil had increased and the separators were no longer adequate for good separation. This had little impact on the quality of exported oil, because hold up time in storage tanks was more than adequate, but it had the effect of damaging pump seals, requiring several replacements every month. Such knowledge is completely inaccessible to design engineers, or even to Hazop chairmen.

Lesson 26. Try to include a senior operator or operations supervisor from the actual plant, or from a similar plant if the plant to be analysed is at the design stage.

I had the pleasure of chairing a very long Hazop: three months, ten hours per day, four days per week. (So much for the original guidance of two hours maximum.) The team was very large at the start but settled down to five people from one of the top engineering consultancies, and five from the oil company, including some very experienced operations supervisors. Some parts of the work were done twice, because of design changes. The core of the team stayed constant but there were a few changes, corresponding to duty rosters. The result was one of the best I have experienced. The repeated


Hazops were slightly different in formulation, but essentially identical in content. In other words, the best Hazops satisfy a basic requirement, of repeatability. The recommendations differed though, since one of the operations supervisors knew more about local operations philosophy. Such Hazops are expensive. One thing learned, by comparison of costs between Hazops:

Lesson 27. A good scribe is worth a lot of money. A good scribe can cut 30% off the time taken to complete a Hazop, whereas a bad scribe can virtually wreck it. Scribes should be properly trained, and preferably certified for competence.

Lesson 28. The recommendations made with Hazop recording software are generally too concise. There is too little room on tables to record recommendations clearly and precisely, so that they can be implemented properly. Recommendation descriptions should be penned as precisely as possible, so that they can be interpreted correctly by a process engineer. If this is done outside the meeting by the chairman and scribe, the text can often be approved the following day, and in FEED Hazops, can often be implemented one day later. This is useful, because if updating of drawings is delayed, there are many follow on costs, such as the need to update piping schedules, instrumentation specification sheets and possibly many other documents, and to reissue these.

There is often pressure from project managers to minimise the time spent in Hazop. This is not surprising, not only because of cost but especially because Hazops absorb something worth more than money, namely experienced engineer man hours. One way in which managers have tried to limit this is by limiting the number of nodes analysed, thinking that this limits the effort required. It does not. Complex nodes just make the work more confused. The same number of questions still need to be asked.

Lesson 29. The ideal Hazop, proved by many hundreds of trials, allocates one node to every vessel, pump, heat exchanger and tank, and one to every pipe which is manifolded or can be shut in.

An example of how badly a Hazop can go using complex nodes was for a fairly small and simple system, a high pressure reciprocating compressor. It had been divided into just three nodes: the piping, filters and knock out drum upstream of the compressor; the compressor itself; and the downstream knock out drum and piping. Because of the complexity of the analysis, the problem of carry over of liquid to the compressor, which is statistically the most important accident for such equipment, was overlooked. Also, the problem of crank case explosion was not considered. During the more detailed analysis (with 10 nodes), the vendor pointed out that they normally supplied crank case explosion burst discs, but that this was an option! A review of 18 Hazop studies made with complex nodes revealed an average completeness of 35% (when compared with automated analyses that were hand edited to remove overcautious scenarios). This is not an inevitable low performance; one achieved 95% completeness. What it does show is that it is difficult to achieve good quality when studying complex nodes.

In one analysis reviewed, Hazop sheets had been completed for every oil well in a new field, apparently with participation of a full team, and with no new findings. This is a disrespectful waste of qualified professional time, and is not even constructive. The most valuable resource in a Hazop is the engagement and energy of the participants. This is quickly lost if the work becomes repetitive.

Lesson 30. If there are many similar systems to be analysed, analyse one, then get the project engineer to describe carefully the differences (even for nominally identical units, there can be differences such as the length of pipes). Then record the repeated Hazops as performed by analogy, and where necessary, make a specific analysis of the differences.

One big improvement in hazard identification practice in recent years is that 3D modelling and model review have become standard for new plants in many companies. A fairly simple check list of piping problems and hazards can allow the model review to cover a range of hazard and operability problems which are not feasible on the basis of P&IDs alone.

Value engineering has been increasingly a factor in recent process plant design. Value engineering can wreck the safety of a design, by introducing non standard design principles, which sometimes are not operable and sometimes are not safe. This depends, of course, on the expertise of the analysts. If the two processes, value engineering and Hazop, overlap, the result can be chaos.

Lesson 31. Ensure that all value engineering studies are completed before commencing Hazop.

Modern Hazop teams have a great deal of authority, being manned by senior engineers arriving at conclusions in consensus. Very often, the Hazop is something which must be closed out before proceeding to the next stage of a project, and there may be stage payment implications. This puts a great deal of pressure on the Hazop team, and the project engineers, to close out quickly. I have observed an increasing tendency to close out actions by postponement.
The action is marked CLOSED, but the recommendation is to be analysed in detailed design. This practice is dangerous, because CLOSED items tend to be forgotten. Lesson 32. Do not mark a Hazop action as CLOSED if the problem has not been solved and the solution agreed and approved. Mark these preferably as DEFERRED, and give the reason e.g. Cannot be resolved until operating procedures have been drafted. Lesson 33. Actions which require further work during the EPC stage should be listed separately, and the list appended to invitations to tender as contract conditions. Only in this way does the contractor have a fair way of assessing the work, and bidding appropriately. Additional safety work that is hidden from the contractor at the bidding stage is seldom implemented smoothly.

The future of Hazop


The reader will note that most of the lessons learned in the previous section on modern Hazop practice were concerned with organisation of the work and follow up. These lessons will hopefully be learned fairly quickly from experience. The message needs to be sent to project managers however, not Hazop specialists. It is the projects that suffer from poor organisation and delays in closing actions, and these can become very expensive.

There is a real need for more knowledge in Hazop teams, of failure modes, human error types, physical phenomena in accidents16 and the available risk reduction solutions. The CCPS books Guidelines for Design Solutions for Process Equipment Failures and Guidelines for Engineering Design for Process Safety17, 18 show the way, at least for risk reduction, and should be required reading for all Hazop practitioners and process safety engineers. Such books are introductory however, and need regular updating. Process safety is still very dynamic, with new safety techniques being invented and introduced into practice every few years. There is a definite need for a safety design review process which deals with those aspects of design which cannot be dealt with by Hazop itself14.

One of the strangest aspects of current practice though is that practical hazard identification in the process industry almost completely ignores human error. This applies even though human error is widely acknowledged as a major contributor to accidents, and the techniques for analysing it are extensively used in the nuclear industry. Human factors reviews, while welcome, are not yet common practice, and even then, barely scratch the surface of the problem. Re-learning the techniques from the early days of Hazop would be a good starting point for improvement.

References
1. Nielsen D.S., The Cause/Consequence Diagram Method as a Basis for Quantitative Accident Analysis, Danish Atomic Energy Commission, RISO-M-1374, May 1971
2. Taylor J.R., Interlock Design Using Fault Tree and Cause Consequence Analysis, Risø-M-1890, 1976
3. Taylor J.R., Experience with a Safety Analysis Procedure, Risø-M-1878, 1976
4. Loss Prevention Bulletin, Letters, C. Solomon, J.R. Taylor, 1978
5. Taylor J.R., A Background to Risk Analysis, Vol 1 to 4, Risø National Laboratory, 1978
6. Taylor J.R., Risk Analysis for Process Plant, Pipelines and Transport, Spon/Taylor and Francis, 1994
7. Chemical Industries Association, A Guide to Hazard and Operability Studies, 1977
8. Taylor J.R., Hansen O., Jensen C., Jacobsen O.F., Justesen M., Kjaergaard S., Risk Analysis of a Distillation Unit, Risø-M-2319, 1982, www.risoe.dk/rispubl/reports/ris-m-2319.pdf
9. Taylor J.R. and Hollo E., Algorithms and Programs for Consequence Diagram and Fault Tree Construction, Risø-M-1907, 1977, and An Algorithm for Fault-Tree Construction, IEEE Transactions on Reliability, R-31, pp 137-146, 1982
10. Taylor J.R., The Sneak Path Analysis Procedure (10pp), in Proceedings of The Sneak Analysis Workshop, ESAWPP033 (European Space Agency, ESTEC, Noordwijk, The Netherlands)
11. Whetton C., www.saunalahti.fi/ility/SneakAnalysis.html#Whetton2; also Whetton C., Sneak analysis of process systems, Trans IChemE, Vol 71, Part B, August 1993, pp 169-179; and Whetton C. and Armstrong W., Sneak analysis of batch processes, Journal of Hazardous Materials, 38 (1994), pp 257-275
12. Qualitative and Quantitative Criteria for Risk Acceptance, Environmental Project 112, Danish Environmental Agency, 1987 (in Danish, English translation available from the author)
13. Taylor J.R., A Comparative Evaluation of Safety Features based on Risk Analysis for 25 Plants, Loss Prevention and Safety Promotion in the Process Industries, Taormina, 1992
14. Taylor J.R., Statistics of design error in the process industries, Safety Science, Volume 45, Issues 1-2, January-February 2007, pp 61-73, and Understanding and combating design error in process plant design, ibid., pp 75-105
15. Taylor J.R., Accuracy in Quantitative Risk Assessment?, 13th International Symposium on Loss Prevention, Bruges, 2010
16. Taylor J.R., Industrial Accident Physics, ITSA, 2010
17. CCPS, Guidelines for Design Solutions for Process Equipment Failures
18. CCPS, Guidelines for Engineering Design for Process Safety
