HAZARD & OPERABILITY STUDIES (1 of 2)
Mike Lihou - Lihou Technical & Software Services
INTRODUCTION
The technique of Hazard and Operability Studies, or in more common terms HAZOPS, has been used and developed over approximately four decades for 'identifying potential hazards and operability problems' caused by 'deviations from the design intent' in both new and existing process plants. Before progressing further, it might be as well to clarify some aspects of these statements.
Potential Hazard AND Operability Problems
You will note the capitalised 'AND' in the heading above. Because of the high profile of production plant accidents, emphasis is too often placed upon the identification of hazards to the neglect of potential operability problems. Yet it is in the latter area that benefits of a Hazop Study are usually the greatest. To quote an example, a study was commissioned for a new plant. Some two years previously, and for the first time, a similar study had been carried out on different plant at the same site that was then in the process of being designed. Before the latest review commenced, the Production Manager expressed the hope that the same benefits would accrue as before, stating that "in his twenty years of experience, never had a new plant been commissioned with so few problems, and no other plant had ever achieved its production targets and break-even position in so short a time".
To deal firstly with 'design intent', all industrial plant is designed with an overall purpose in mind. It may be to produce a certain tonnage per year of a particular chemical, to manufacture a specified number of cars, to process and dispose of a certain volume of effluent per annum, etc. That could be said to be the main design intent of the plant, but in the vast majority of cases it would also be understood that an important subsidiary intent would be to conduct the operation in the safest and most efficient manner possible.
With this in mind, equipment is designed and constructed which, when it is all assembled and working together, will achieve the desired goals. However, in order to do so, each item of equipment, each pump and length of pipework, will need to consistently function in a particular manner. It is this manner that could be classified as the 'design intent' for that particular item. To illustrate, imagine that as part of the overall production requirement we needed a cooling water facility. For this we would almost certainly have cooling water circuit pipework in which would be installed a pump, as very roughly illustrated below.
A much simplified statement as to the design intent of this small section of the plant would be "to continuously circulate cooling water at an initial temperature of xx°C and at a rate of xxx litres per hour". It is usually at this low level of design intent that a Hazop Study is directed. The use of the word 'deviation' now becomes easier to understand. A deviation or departure from the design intent in the case of our cooling facility would be a cessation of circulation, or the water being at too high an initial temperature. Note the difference between a deviation and its cause. In the case above, failure of the pump would be a cause, not a deviation.
Industries in which the technique is employed
Hazops were initially 'invented' by ICI in the United Kingdom, but the technique only started to be more widely used within the chemical process industry after the Flixborough disaster in 1974. This chemical plant explosion killed twenty-eight people and injured scores of others, many of those being members of the public living nearby. Through the general exchange of ideas and personnel, the system was then adopted by the petroleum industry, which has a similar potential for major disasters. This was then followed by the food and water industries, where the hazard potential is as great, but of a different nature, the concerns being more to do with contamination rather than explosions or chemical releases.
The reasons for such widespread use of Hazops
Safety and reliability in the design of plant initially relies upon the application of various codes of practice, or design codes and standards. These represent the accumulation of knowledge and experience of both individual experts and the industry as a whole. Such application is usually backed up by the experience of the engineers involved, who might well have been previously concerned with the design, commissioning or operation of similar plant.
However, it is considered that although codes of practice are extremely valuable, it is important to supplement them with an imaginative anticipation of deviations that might occur because of, for example, equipment malfunction or operator error. In addition, most companies will admit to the fact that for a new plant, design personnel are under pressure to keep the project on schedule. This pressure always results in errors and oversights. The Hazop Study is an opportunity to correct these before such changes become too expensive, or 'impossible' to accomplish.
Although no statistics are available to verify the claim, it is believed that the Hazop methodology is perhaps the most widely used aid to loss prevention. The reasons for this can most probably be summarised as follows:
- It is easy to learn.
- It can be easily adapted to almost all the operations that are carried out within process industries.
- No special level of academic qualification is required. One does not need to be a university graduate to participate in a study.
Essentially the Hazops procedure involves taking a full description of a process and systematically questioning every part of it to establish how deviations from the design intent can arise. Once identified, an assessment is made as to whether such deviations and their consequences can have a negative effect upon the safe and efficient operation of the plant. If considered necessary, action is then taken to remedy the situation.
This critical analysis is applied in a structured way by the Hazop team, and it relies upon them releasing their imagination in an effort to discover credible causes of deviations. In practice, many of the causes will be fairly obvious, such as pump failure causing a loss of circulation in the cooling water facility mentioned above. However, the great advantage of the technique is that it encourages the team to consider other less obvious ways in which a deviation may occur, however unlikely they may seem at first consideration. In this way the study becomes much more than a mechanistic check-list type of review. The result is that there is a good chance that potential failures and problems will be identified that had not previously been experienced in the type of plant being studied.
An essential feature in this process of questioning and systematic analysis is the use of keywords to focus the attention of the team upon deviations and their possible causes. These keywords are divided into two sub-sets:
- Primary Keywords that focus attention upon a particular aspect of the design intent or an associated process condition or parameter.
- Secondary Keywords that, when combined with a primary keyword, suggest possible deviations.
The entire technique of Hazops revolves around the effective use of these keywords, so their meaning and use must be clearly understood by the team. Examples of often used keywords are listed below.
Primary Keywords
These reflect both the process design intent and operational aspects of the plant being studied. Typical process oriented words might be as follows. The list below is purely illustrative, as the words employed in a review will depend upon the plant being studied.
Flow | Temperature |
Pressure | Level |
Composition | Separate (settle, filter, centrifuge) |
React | Mix |
Reduce (grind, crush, etc.) | Absorb |
Corrode | Erode |
Note that some words may be included that appear at first glance to be completely unrelated to any reasonable interpretation of the design intent of a process. For example, one may question the use of the word Corrode, on the assumption that no one would intend that corrosion should occur. Bear in mind, however, that most plant is designed with a certain life span in mind, and implicit in the design intent is that corrosion should not occur, or if it is expected, it should not exceed a certain rate. An increased corrosion rate in such circumstances would be a deviation from the design intent.
Remembering that the technique is called Hazard & Operability Studies, added to the above might be relevant operational words such as:
Isolate | Drain |
Vent | Purge |
Inspect | Maintain |
Startup | Shutdown |
This latter type of Primary Keyword is sometimes either overlooked or given secondary importance. This can result in the plant operator having, for example, to devise impromptu and sometimes hazardous means of taking a non-essential item of equipment off-line for running repairs because no secure means of isolation has been provided. Alternatively, it may be discovered that it is necessary to shut down the entire plant just to re-calibrate or replace a pressure gauge. Or perhaps during commissioning it is found that the plant cannot be brought on-stream because no provision for safe manual override of the safety system trips has been provided.
Secondary Keywords
As mentioned above, when applied in conjunction with a Primary Keyword, these suggest potential deviations or problems. They tend to be a standard set as listed below:
Word | Meaning |
No | The design intent does not occur (e.g. Flow/No), or the operational aspect is not achievable (Isolate/No) |
Less | A quantitative decrease in the design intent occurs (e.g. Pressure/Less) |
More | A quantitative increase in the design intent occurs (e.g. Temperature/More) |
Reverse | The opposite of the design intent occurs (e.g. Flow/Reverse) |
Also | The design intent is completely fulfilled, but in addition some other related activity occurs (e.g. Flow/Also indicating contamination in a product stream, or Level/Also meaning material in a tank or vessel that should not be there) |
Other | The activity occurs, but not in the way intended (e.g. Flow/Other could indicate a leak or product flowing where it should not, or Composition/Other might suggest unexpected proportions in a feedstock) |
Fluctuation | The design intention is achieved only part of the time (e.g. an air-lock in a pipeline might result in Flow/Fluctuation) |
Early | Usually used when studying sequential operations, this would indicate that a step is started at the wrong time or done out of sequence |
Late | As for Early |
It should be noted that not all combinations of Primary/Secondary words are appropriate. For example, Temperature/No (absolute zero, or -273°C!) or Pressure/Reverse could be considered as meaningless.
In simple terms, the Hazop study process involves applying in a systematic way all relevant keyword combinations to the plant in question in an effort to uncover potential problems. The results are recorded in columnar format under the following headings:
DEVIATION | CAUSE | CONSEQUENCE | SAFEGUARDS | ACTION |
In considering the information to be recorded in each of these columns, it may be helpful to take as an example the simple schematic below. Note that this is purely representational, and not intended to illustrate an actual system.
DEVIATION
The keyword combination being applied (e.g. Flow/No).
CAUSE
Potential causes that would result in the deviation occurring. For example "Strainer S1 blockage due to impurities in Dosing Tank T1" might be a cause of Flow/No.
CONSEQUENCE
The consequences that would arise, both from the effect of the deviation such as "Loss of dosing results in incomplete separation in V1" and if appropriate, from the cause itself, for example "Cavitation in Pump P1, with possible damage if prolonged".
Always be explicit in recording the consequences. Do not assume that the reader at some later date will be fully aware of the significance of a statement such as "No dosing chemical to Mixer". It is much better to add the explanation as set out above.
When assessing the consequences, one should not take any credit for protective systems or instruments that are already included in the design. For example, suppose the team had identified a cause of Flow/No (in a system that has nothing to do with the one illustrated above) as being spurious closure of an actuated valve. It is noticed that there is valve position indication within the Central Control Room, with a software alarm on spurious closure. They may be tempted to curtail consideration of the problem immediately, recording something to the effect of "Minimal consequences, alarm would allow operator to take remedial action". However, had they investigated further they might have found that the result of that spurious valve closure would be overpressure of an upstream system, leading to a loss of containment and risk of fire if the cause is not rectified within three minutes. It only then becomes apparent how inadequate is the protection afforded by this software alarm.
SAFEGUARDS
Any existing protective devices that either prevent the cause or safeguard against the adverse consequences would be recorded in this column. For example, you may consider recording "Local pressure gauge in discharge from pump might indicate problem was arising". Note that safeguards need not be restricted to hardware: where appropriate, credit can be taken for procedural aspects such as regular plant inspections (if you are sure that they will actually be carried out!).
ACTION
Where a credible cause results in a negative consequence, it must be decided whether some action should be taken. It is at this stage that consequences and associated safeguards are considered. If it is deemed that the protective measures are adequate, then no action need be taken, and words to that effect are recorded in the Action column.
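The systematic part of the procedure, applying every relevant Primary/Secondary combination and recording the result under the five headings, is mechanical enough to be scripted. The following Python is an added example written for this page, not a tool from the article or its author: it builds the list of deviations from the keyword sets given above, leaves out the two pairings the article calls meaningless, and records the article's own Flow/No entry for Strainer S1 in the five columns. The action shown is one of the options the article lists for that entry; the keyword subsets and column widths are assumptions.

```python
from dataclasses import dataclass
from itertools import product

# Primary and Secondary Keywords taken from the article's lists (a subset).
# The pairings the article calls meaningless are excluded from the matrix.
PRIMARY = ["Flow", "Temperature", "Pressure", "Level", "Composition"]
SECONDARY = ["No", "Less", "More", "Reverse", "Also", "Other", "Fluctuation"]
MEANINGLESS = {("Temperature", "No"), ("Pressure", "Reverse")}

COLUMNS = ("DEVIATION", "CAUSE", "CONSEQUENCE", "SAFEGUARDS", "ACTION")


def combination(primary: str, secondary: str) -> str:
    """Render a keyword pair in the article's Primary/Secondary form."""
    return f"{primary}/{secondary}"


def deviations(primaries=PRIMARY, secondaries=SECONDARY, excluded=MEANINGLESS):
    """Every Primary/Secondary combination the team must apply, in a fixed
    order, with the combinations judged meaningless left out."""
    return [combination(p, s) for p, s in product(primaries, secondaries)
            if (p, s) not in excluded]


@dataclass
class Record:
    """One worksheet row. The consequence is assessed without taking credit
    for existing protection; that credit is recorded under safeguards."""
    deviation: str
    cause: str
    consequence: str
    safeguards: str = ""
    action: str = ""

    def row(self):
        return (self.deviation, self.cause, self.consequence,
                self.safeguards, self.action)


def render(records) -> str:
    """Render records as a pipe-separated worksheet under the five headings."""
    rows = [COLUMNS] + [r.row() for r in records]
    widths = [max(len(row[i]) for row in rows) for i in range(len(COLUMNS))]
    return "\n".join(" | ".join(cell.ljust(w) for cell, w in zip(row, widths))
                     for row in rows)


# Worked entry from the article: Flow/No on the dosing line, with the
# consequence stated explicitly (effect of the deviation and of the cause).
EXAMPLE = [
    Record(
        deviation=combination("Flow", "No"),
        cause="Strainer S1 blockage due to impurities in Dosing Tank T1",
        consequence=("Loss of dosing results in incomplete separation in V1; "
                     "cavitation in Pump P1, with possible damage if prolonged"),
        safeguards="Local pressure gauge in discharge from pump might indicate problem was arising",
        action="Fit differential pressure gauge across S1, with high dP alarm",
    ),
]

if __name__ == "__main__":
    print(len(deviations()), "keyword combinations to apply")
    print(render(EXAMPLE))
```

Keeping consequence and safeguards as separate fields enforces the point made under CONSEQUENCE: the severity is written down first, and only then is the existing protection weighed against it.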
Actions fall into two groups:
- Actions that remove the cause.
- Actions that mitigate or eliminate the consequences.
Whereas the former is to be preferred, it is not always possible, especially when dealing with equipment malfunction. However, always investigate removing the cause first, and only where necessary mitigate the consequences. For example, to return to the "Strainer S1 blockage due to impurities etc." entry referred to above, we might approach the problem in a number of ways:
- Ensure that impurities cannot get into T1 by fitting a strainer in the road tanker offloading line.
- Consider carefully whether a strainer is required in the suction to the pump. Will particulate matter pass through the pump without causing any damage, and is it necessary to ensure that no such matter gets into V1? If we can dispense with the strainer altogether, we have removed the cause of the problem.
- Fit a differential pressure gauge across the strainer, with perhaps a high dP alarm to give clear indication that a total blockage is imminent.
- Fit a duplex strainer, with a regular schedule of changeover and cleaning of the standby unit.
Three notes of caution need to be borne in mind when formulating actions. Do not automatically opt for an engineered solution, adding additional instrumentation, alarms, trips, etc. Due regard must be taken of the reliability of such devices, and their potential for spurious operation causing unnecessary plant down-time. In addition, the increased operational cost in terms of maintenance, regular calibration, etc. should also be considered (the lifetime cost of a simple instrument will be at least twice its purchase price; for more complex instrumentation this figure would be significantly greater). It is not unknown for an over-engineered solution to be less reliable than the original design because of inadequate testing and maintenance.
Finally, always take into account the level of training and experience of the personnel who will be operating the plant. Actions that call for elaborate and sophisticated protective systems are wasted, as well as being inherently dangerous, if operators do not, and never will, understand how they function. It is not unknown for such devices to be disabled, either deliberately or in error, because no one knows how to maintain or calibrate them.
Considering all Keywords - The Hazop procedure
Having gone through the operations involved in recording a single deviation, these can now be put into the context of the actual study meeting procedure. From the flow diagram below it can be seen that it is very much an iterative process, applying in a structured and systematic way the relevant keyword combinations in order to identify potential problems.
FULL RECORDING versus RECORDING BY EXCEPTION
In the early days of Hazop Studies, it was usual to record only the potential deviations that carried with them some negative consequence. This might well have been because such studies were only for internal use within a company. Also, with manually handwritten records, it certainly reduced the time taken, both in the study itself and the subsequent production of the Hazop Report. Such methodology is classed as "Recording by exception", where it is assumed that anything not included is deemed to be satisfactory.
Latterly, it has become more the accepted practice to set down everything, stating clearly each keyword combination applied to the system. Where applicable, this would be followed by a statement indicating either that no Cause could be identified, or alternatively that no Consequence arose from the Cause recorded. This is classified as "Full recording", and it results in a Hazop Report that demonstrates unambiguously to outside parties that a rigorous study has been undertaken. In addition, it produces a comprehensive document that will greatly assist in the speedy assessment of the safety and operability of later plant modifications (do they impinge upon a potential deviation that was originally recognised as being credible, but which involved at that time no negative consequences?).
Bearing the above in mind, it is recommended that "Full recording" is instituted. With the use of a computer, the previous concern regarding time, both in the study and the reporting, is all but eliminated. To make this methodology easier to handle efficiently, text macros should be set up as follows:
1. No potential causes identified.
2. No significant negative consequences identified.
3. No action required - existing safeguards considered adequate.
These macros can be used in the appropriate circumstances to quickly record the reason for not pursuing a keyword combination.
In addition to the above, the pseudo Secondary words 'All' and 'Remainder' are often used. These are employed in the following circumstances:
- For a particular Primary Keyword (e.g. Flow), some combinations have been identified as having credible Causes (e.g. Flow/No, Flow/Reverse). Having explored all other relevant combinations (Flow/Less, Flow/More, Flow/Other, etc.), no other Causes could be identified. The combination "Flow/Remainder" is therefore used, with the macro in (1) above.
- Having explored all relevant combinations for a particular Primary word, no potential deviations could be identified. The combination "Flow/All" is therefore used, with the macro in (1) above.
Use of these pseudo Secondary Keywords greatly improves the readability of the final report, as it eliminates countless repetitive entries, all with a similar format (i.e. Keyword combination with "No potential causes identified"). However, to make it a robust system, the introduction to the Hazop Report must list clearly the Secondary Keywords that were globally applied to each Primary Keyword; in other words, the 'relevant combinations'. This will give an unambiguous meaning to the words 'All' and 'Remainder'.
Note that such an approach should only be adopted where no credible Cause is identified. In cases where the potential deviation is considered possible, but no significant consequence ensues, then both keywords should be recorded, together with the actual Cause identified, and macro (2) in the Consequence column.
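The full-recording rules for one Primary Keyword (every relevant combination accounted for, 'All' when nothing credible was found, 'Remainder' when only some combinations had causes, and macro (2) where a cause was found but no consequence) can be expressed as a small procedure. The Python below is an added example for this page, not code from the article or its author; the entry for Flow/Reverse is a constructed illustration and the list of relevant Secondary Keywords is an assumption that, in a real report, would be stated in the introduction.

```python
from dataclasses import dataclass

# The three text macros, numbered as in the article.
MACRO_NO_CAUSE = "No potential causes identified."                                  # (1)
MACRO_NO_CONSEQUENCE = "No significant negative consequences identified."           # (2)
MACRO_NO_ACTION = "No action required - existing safeguards considered adequate."  # (3)


@dataclass
class Entry:
    """A combination the team examined and found a credible cause for."""
    secondary: str
    cause: str
    consequence: str = ""   # empty: cause identified, but no significant consequence
    safeguards: str = ""
    action: str = ""


def full_recording(primary, relevant, entries):
    """Worksheet rows (deviation, cause, consequence, safeguards, action)
    for one Primary Keyword under full recording.

    `relevant` is the set of Secondary Keywords globally applied to this
    Primary Keyword; the report introduction must list it so that 'All'
    and 'Remainder' have an unambiguous meaning.
    """
    rows = []
    recorded = set()
    for e in entries:
        if e.secondary not in relevant:
            raise ValueError(f"{primary}/{e.secondary} is not a relevant combination")
        recorded.add(e.secondary)
        # Cause found but no consequence: keep both keywords and the actual
        # cause, and put macro (2) in the Consequence column.
        consequence = e.consequence or MACRO_NO_CONSEQUENCE
        rows.append((f"{primary}/{e.secondary}", e.cause, consequence,
                     e.safeguards, e.action))
    if not recorded:
        # No credible cause under any relevant combination: a single 'All' row.
        rows.append((f"{primary}/All", MACRO_NO_CAUSE, "", "", ""))
    elif recorded != set(relevant):
        # Some combinations had causes; the rest collapse into one 'Remainder' row.
        rows.append((f"{primary}/Remainder", MACRO_NO_CAUSE, "", "", ""))
    return rows


# Assumed set of relevant Secondary Keywords for Flow and Level.
RELEVANT = ["No", "Less", "More", "Reverse", "Other", "Fluctuation"]

FLOW_ENTRIES = [
    # Article's own Flow/No entry, safeguards judged adequate (macro 3).
    Entry("No", "Strainer S1 blockage due to impurities in Dosing Tank T1",
          "Loss of dosing results in incomplete separation in V1",
          "Local pressure gauge in discharge from pump", MACRO_NO_ACTION),
    # Constructed entry: a credible cause with no significant consequence.
    Entry("Reverse", "Pump P1 stopped with discharge check valve passing (constructed)"),
]

if __name__ == "__main__":
    for row in full_recording("Flow", RELEVANT, FLOW_ENTRIES):
        print(" | ".join(row))
    for row in full_recording("Level", RELEVANT, []):
        print(" | ".join(row))
```

Raising an error for a combination outside the relevant set is deliberate: an entry recorded against a keyword the introduction does not list would make 'All' and 'Remainder' ambiguous in exactly the way the article warns against.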