
HAZOP & gross negligence

Status
Not open for further replies.

JOM

Chemical
Oct 16, 2001
232
We've had a few discussions on HAZOP topics in the past.

Here's a simple question.

Do HAZOP teams consider the possibility of gross negligence from personnel? Say deliberately de-activating a safety interlock, or removing some safety barrier, or even - heaven forbid - drunkenness?

Don't want to start a long, in-depth discussion. Just want to know if deliberate unsafe acts, or acts of gross negligence are considered. This is a distinct sub-category of human error.

If they are not considered, why not?

Cheers,
John.
 

I have done quite a number of HAZOPs, and the usual boundary conditions include:

- Qualified Operating and Maintenance personnel
- Causes based on single failure
- Good operating and maintenance procedures
- Sabotage not considered

So, to come to your question, no, I would normally not consider gross negligence etc., same for terrorist acts etc.

For example, if I have a block valve, I would consider inadvertent opening or closing of the valve. However, if the valve is locked closed, I would not consider inadvertent opening. Of course, if for example a terrorist would want to open that valve it would be easy enough to break the lock... With tools that anyone can buy at the do-it-yourself store, you can cut open any vessel or line as well!

Since you also ask for the reason why not, here are my thoughts about it:

1) HAZOP must be limited somewhat and focus on high risk scenarios. This means focussing on scenarios with a medium to high likelihood and with medium to high severity consequences.
2) Gross negligence, terrorism etc. cannot be stopped by the usual HAZOP recommendations (e.g. add a protection layer, or increase effectiveness of existing protection layers), since these additional layers will be defeated as well
3) Gross negligence, terrorism etc. have to be stopped by other means, such as:
- screening of employees
- plant security/fences
- visitors to be accompanied by plant personnel
etc.
So HAZOP team can assume that here everything will be done that can practicably be done.
4) If you would allow gross negligence, terrorism etc. to be a reasonable cause for a HAZOP, the HAZOP would end nowhere. For almost every node, you would have to investigate things like:
- someone cuts open a vessel containing toxic material with an axe
- operator bypasses instrumented safeguarding and then fully opens control valve to low pressure system
- operator blinds off safety valve and then fully opens control valve to low pressure system

etc. etc. etc.

 

Your system should be designed for safety even in the case of gross negligence and deliberate acts given that all of your equipment is properly installed and commissioned; inspected and properly maintained.

Such incidents differ from random equipment failures and acts of god only in the timing.



 
I agree with most of what Guidoo said. However I think it is worth distinguishing between gross negligence and terrorism. HAZOP does not address terrorism, as Guidoo suggested. However HAZOP can address gross negligence which tends to not do things or do things to make life easier. We need to cover acts of omission and accidental acts in HAZOPs. An accidental act would be "operator bypasses instrumented safeguarding A when trying to bypass instrumented safeguarding B." So in Guidoo's item 4) I would cover "operator bypasses instrumented safeguarding" but I would not cover "then opens control valve to low pressure system". Similarly for the safety valve case. However the bottom line is to agree on the ground rules before starting the HAZOP. Some clients have ground rules, some depend on the consultant to establish the ground rules.

HAZOP at
 
To hacksaw,

You may very well be right, but it is not an answer to the question asked. Question was whether HAZOP considers gross negligence etc.

Again, my point is that considering gross negligence in HAZOP is normally not done, and it would be impractical to do it. This doesn't mean that companies should not take sufficient measures to protect against it (screening of employees, plant security, etc.).
 
I basically agree with owg. Of course we may argue where the borderlines between negligence, gross negligence and even terrorism are, but that is not the point. Whether "gross negligence" is considered or not should be included in the ground rules of the HAZOP. Still, I don't think it is common practice to include gross negligence in HAZOP. It certainly is not my experience.

Indeed, there should be sufficient safeguards in place to prevent operators from inadvertently bypassing the instrumented safeguarding or blinding off a relief valve.
 
Guidoo - we are certainly converging. I certainly agree with your last sentence. I would suggest that by considering such acts as possible, then we are able to determine whether our safeguards are robust enough. I guess we don't usually consider gross negligence explicitly. We look at the list of safeguards and make sure it is adequate. We also use "Operator due diligence" a lot which suggests we are ruling out gross negligence. I had opposition to that phrase once in a HAZOP meeting from a non operator. However the operator supported its use and said he was scheduled for a course in due diligence next month.

HAZOP at
 
I learned a long time ago that nothing is idiot-proof, since idiots exhibit unnatural cleverness and creativity in their idiocy. There has not been a system designed which cannot produce an undesired outcome if presented with a determined and creative idiot, much less a suicidal terrorist. To presume otherwise is folly. That doesn't mean that secondary mitigation measures are unnecessary and a waste of time - it just means that you should spend your precious HAZOP time focusing methodically on realistic and foreseeable problems rather than trying to imagine what a determined idiot will do to your equipment.

Once somebody explained to me an extremely crass and insulting (nevertheless useful!) categorization for employees. All employees are, in the extreme, either smart or stupid, and either hard-working or lazy. The smart+hard working ones are your gems, making you 10x in profit what they cost you in salary etc. The smart+lazy person is less productive but still valuable. The stupid+lazy guy only costs you his salary- but the stupid+hard working guy can cost you your license, your company, or even your life...Employee selection and training- and the willingness to fire the bad ones, is therefore key!
 
I just want to add that there is an article in Chemical Engineering Progress of December 2003, called "Inherent security: Protecting Process Plants Against Threats". You can use link below to access the article.


Article describes use of inherent security principles as a defense against deliberate acts, such as terrorism, sabotage, terrorism or theft.
 
John

For 2 decades I have worked as a risk consultant for the oil & gas industry, and never ever has a client or authority requested to include acts of gross negligence in a HAZOP. I agree fully with the arguments of Guidoo that the inclusion of negligence and terrorism is another topic and should be analysed/solved with other suitable tools and methods.

Cheers

Wolfram
 
To moltenmetal, in my past I had the experience of working with the last category of employees. However, instead of firing them I found that hard-working, under certain circumstances, implies a sincere intention to learn. Thus, I applied one of your last pieces of advice: training. And believe me it paid for itself handsomely.
 
At my company we do HAZOPs, LOPA, QRAs, etc. using similar assumptions as outlined in Guidoo's first post. We also do a totally separate evaluation for security, susceptibility to terrorist attack/usage, and gross negligence.


Good luck,
Latexman
 
Everyone's comments have been very interesting. Thanks.

HAZOP is an absorbing topic. It's not like some strict code, such as the building code or fire code. It seems to me that one HAZOP team may do the job slightly differently to another. That's OK.

The article Guidoo referred to is worth reading. (Thanks, Guidoo) It seems to me that a grossly negligent act can be considered by the HAZOP team, but deliberate, persistent sabotage has to be addressed by other means. The grossly negligent employee probably only commits a single negligent act and means no harm. The saboteur might commit several acts and has the intention of causing harm.

The article offers common sense precautions against attack, but you can't help but feel it is all futile against determined attackers. For instance, there's a suggestion that valves be padlocked. A boltcutter overcomes that security measure. Can we hide information about petrochem facilities? You can't hide tanks. Pipelines have to be signposted to warn excavators.

The author of the article is Dr Paul Baybutt. My interest in HAZOP started when I saw Dr Baybutt give evidence as an expert witness in a high profile trial relating to a gas plant fire. He argued that HAZOP depends on the quality of the team and you cannot guarantee the outcome.

Made good sense to me. The jury decided otherwise. They decided that a HAZOP would have identified, beyond reasonable doubt, a particular hazard.

The various questions I've asked about HAZOP all arose from that case. Like, how far do you go down the chain of consequences? and do you consider multiple, simultaneous failures?



Cheers,
John.
 
Engineers are usually specific. Guidoo provided a suitable answer to the specific question. Several process hazard analysis techniques exist. HAZOP is a specific type of analysis based upon keywords such as pressure, flow, temperature and modifiers such as high, low, etc.

Several options exist for revising the question. There are many hazards not addressed by HAZOP. For example, HAZOP is used in most oil, gas, refinery, petrochemical and inorganic chemical processes. HAZOP covers process safety issues. However, the keywords often do not address the hazardous electrical area classification issues. HAZOP may not address area monitoring for combustible gas, toxic gas or flame detection. HAZOP is not likely to address lighting levels. It goes without saying that the specific HAZOP techniques are not ideal to address industrial safety, sabotage or negligence.

Codes and standards exist to cover many of these safety issues. Laws exist to cover sabotage. However, some of the process hazards due to potential errors or sabotage may be addressed by the HAZOP process. For example, an experienced team might notice that a process loop has a startup line that could eliminate cooling and thus cause heating, which could lead to a process reaction or equipment failure.

The HAZOP results are to CONSIDER potential changes. Usually no directives are made during the HAZOP. With the potential hazard noted, engineers later review the comments and determine the solution that avoids the hazard.

I hope that this adds some clarification to the excellent post by Guidoo and others.

John
 
Thanks John.

Your post does help, as have all.

It seems to me that HAZOP is a well understood process by those who apply it, although there are differences regarding specific purposes and goals. That seems OK to me.

There is a European Community standard for HAZOP and I don't think it contradicts anything mentioned here.

It's reassuring that there has been no great divide, merely "we do it this way" comments.

How would you like the performance of your HAZOP study to be assessed by a jury?

Cheers,
John.
 
I would hate to be involved in a court situation with any aspect of a release, explosion or other unsafe event. One thing that would be helpful is to assure familiarity and compliance with the applicable codes and standards.

Review API 750, Management of Process Hazards for example. This standard recommends the order of process hazard analysis priorities.

For existing facilities the priority sequence follows:
a. High SHI value or large quantities of toxic, flammable, or explosive substances.
b. Proximity to a populous area or a plant location where large numbers of workers are present.
c. Process complexity, including strongly exothermic reactions or secondary reactions.
d. Severe operating conditions, such as high temperatures or pressures, or conditions that cause severe corrosion or erosion.

For a new process or facility, the standard recommends consideration of the following:
a. Previous experience with the process.
b. Design circumstances, such as shorter-than-normal design periods or changes in the design team or the design itself after the project is under way.

Read various process management codes and standards to obtain the flavor of the more common hazard analysis requirements. Assure compliance with 29 CFR 1910.119 (Process Safety Management) if applicable.

Good Luck.


John
 