
HAZOP-How far do you go?

Status
Not open for further replies.

JOM

Chemical
Oct 16, 2001
232
There were some very good links given in thread 135-78 that very well describe the HAZOP process.

I have a question - anyone with actual experience on HAZOP teams might be able to help.

When the team considers a deviation at some point in the plant, they then identify the consequence. If the consequence is undesirable, then the team agrees on a recommended measure to prevent or control the consequence. So far, so good.

If that consequence causes another deviation downstream - does the team look at that too? And what of the consequence arising from that second deviation?

Let's say "D" = deviation, "C" = consequence. D1 is the first deviation leading directly to C1, the first consequence.

So, let's say the following could be predicted:

D1 -> C1, and then
C1 -> D2,
D2 -> C2,
C2 -> D3,
D3 -> C3,

and so on....like a row of dominoes all falling as a result of that first deviation.

My question is this:
How far does a team go in following this chain of cause & effect, when examining that first deviation, D1? Would they stop at the first consequence or perhaps the second? Would you assume that the first recommendation, if properly implemented, would break the chain of falling dominoes? Is my scenario not credible?

Clearly there are limits on a team's time, so does a team operate with a guide as to how far you follow the cause and effect chain, say, "go no further than two downstream steps from the deviation point"?

Much appreciate any thoughts on this from people experienced in HAZOP.


Cheers,
John.
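As an added illustration (not from any post in this thread), the chain John sketches above, D1 -> C1 -> D2 -> C2 -> ..., can be modelled as a small graph walk with the two cut-offs the thread goes on to discuss: a depth limit on how far downstream the team follows the chain, and a credited safeguard that is assumed to break it, together with a risk-matrix screen that flags deviations warranting more detailed analysis. The deviation names, the PSV tag and the 1..5 likelihood/severity rankings are constructed for the example.

```python
"""Added example: following a HAZOP deviation/consequence chain with a depth cap,
credited safeguards and a risk-matrix screen. All plant data below is constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Deviation:
    name: str                                       # e.g. "D1 no cooling water flow"
    consequence: str                                # the C the team identifies for it
    downstream: list = field(default_factory=list)  # deviations this consequence can trigger
    safeguards: list = field(default_factory=list)  # independent safeguards credited here
    likelihood: int = 1                             # constructed 1..5 ranking
    severity: int = 1                               # constructed 1..5 ranking


def risk_rank(likelihood: int, severity: int) -> str:
    """Constructed 5x5 risk matrix: product of rankings bucketed into low/medium/high."""
    score = likelihood * severity
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def follow_chain(start: str, graph: dict, max_depth: int, credit_safeguards: bool = True):
    """Breadth-first walk D -> C -> D' ... from `start`.

    Each entry is (depth, deviation, consequence, stop_reason). stop_reason is
    None when the walk continued past the deviation, "safeguard" when a credited
    safeguard is assumed to break the chain, "depth limit" when the team's
    cut-off was reached, or "end" when nothing lies downstream.
    """
    visited, trail = set(), []
    queue = deque([(start, 0)])
    while queue:
        name, depth = queue.popleft()
        if name in visited:           # guard against loops in the plant graph
            continue
        visited.add(name)
        dev = graph[name]
        if credit_safeguards and dev.safeguards:
            trail.append((depth, name, dev.consequence, "safeguard"))
        elif depth >= max_depth:
            trail.append((depth, name, dev.consequence, "depth limit"))
        elif not dev.downstream:
            trail.append((depth, name, dev.consequence, "end"))
        else:
            trail.append((depth, name, dev.consequence, None))
            queue.extend((nxt, depth + 1) for nxt in dev.downstream)
    return trail


def needs_further_study(graph: dict, trail) -> list:
    """Deviations reached with medium/high risk and no safeguard credited."""
    return [name for _, name, _, reason in trail
            if reason != "safeguard"
            and risk_rank(graph[name].likelihood, graph[name].severity) != "low"]


def build_example() -> dict:
    """Constructed reactor-cooling chain; tag PSV-101 is hypothetical."""
    devs = [
        Deviation("D1 no cooling water flow", "C1 reactor temperature rises",
                  downstream=["D2 high reactor temperature"], likelihood=3, severity=2),
        Deviation("D2 high reactor temperature", "C2 reactor pressure rises",
                  downstream=["D3 high reactor pressure"], likelihood=2, severity=4),
        Deviation("D3 high reactor pressure", "C3 relief to flare header",
                  downstream=["D4 high flow to flare header"],
                  safeguards=["PSV-101 (hypothetical)"], likelihood=2, severity=5),
        Deviation("D4 high flow to flare header", "C4 flare header overloaded",
                  likelihood=1, severity=5),
    ]
    return {d.name: d for d in devs}


if __name__ == "__main__":
    g = build_example()
    for credit in (True, False):
        print(f"credit safeguards={credit}, max_depth=2")
        for step in follow_chain("D1 no cooling water flow", g, max_depth=2, credit_safeguards=credit):
            print("  ", step)
    print("further study:", needs_further_study(g, follow_chain("D1 no cooling water flow", g, 2)))
```

Running the block with safeguards credited stops the walk at D3, where the PSV is assumed to break the chain; with `credit_safeguards=False` the same walk stops at D3 on the depth limit instead, and lifting the limit reaches the flare-header consequence at D4. The risk screen flags D1 and D2 (medium) for further study, which is the kind of "recommend a more detailed analysis" outcome discussed later in the thread.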
 

"Do you consider two separate and simultaneous deviations and what combined effect they might have?"

Normally you do not consider two unrelated failures at the same time (double jeopardy), unless the HAZOP team considers the likelihood of such a double failure relatively high.
My experience with HAZOPs is that virtually always only a single deviation is studied.

Not considering double jeopardy is quite a normal engineering approach (for example, it is also used for sizing relief valves).

An alternative approach would be a risk-based approach, i.e. determine whether to take additional measures based on the combination of the likelihood of an undesirable event and the consequences of this event.

If a HAZOP team had to consider multiple deviations at the same time, the study for a large plant would take years instead of months. The plant would be outdated by the time the design was finished...
And the HAZOP team members would end up in some mental institution, uttering words like "No Flow, causes: blockage, control valve failure, controller failure" ;)
 
HamishMcTavish - we agree to include off-site consequences. We control off-site consequences with emergency plans, including plant emergency plans, local emergency plans, mutual aid plans, and the like. Our subject is only the equipment in the current node, but the consequences are global. That is why we do HAZOP. In the cyclohexane disaster at DSM which gave rise to HAZOP, a row of houses was damaged. We need to identify and control that type of consequence.
Guidoo - I allow what I call one and a half jeopardies. These are Causes where an unrevealed fault is sitting waiting to trap a failure. An example would be a check valve in dirty service which stays open for a year. Then it is expected to close on demand say on auto-start of a spare pump. I don't think so. There usually aren't too many of these and we have not had a confirmed case of anyone being taken away.

HAZOP at
 
owg,

Have you read of this case? It's well reported by the US CSB. It happened at a chlorine receival plant at Festus, Missouri.

Rail cars loaded with liquid chlorine would be unloaded through flexible hoses. These were teflon hoses encased in braided flexible steel hose.

The steel braiding should have been Hastelloy, but someone supplied 316 stainless. Chlorine corroded the steel and it failed and the hose burst. A very large quantity of chlorine was released.

Manual ESD and auto ESD actuated by a chlorine detector were there to shut down the discharge lines. Good protection, si?

Both the manual and auto ESD systems worked...up to a point. The shutdown valves were clogged with corrosion products, so did not operate. So the release continued, instead of being nipped in the bud.

Would a HAZOP study have considered those two failures together? The wrong hose material and clogged shutdown valves. I guess not.

So many industrial catastrophes are the result of, first, some latent failure no-one is aware of, and second the obvious equipment or human failure.

Do HAZOPs assume perfect maintenance?

Cheers,
John.
 
A HAZOP must assume only what is given. If the shutdown valves were to be tested on a routine basis, then these safeguards should be listed in the HAZOP report.

However, the HAZOP team needs to look at the relative risk. The matrix mentioned by pmureiko above is often used. If the risk is medium or high, the team should recommend a more detailed analysis. Additional sensors, valves and even logic solvers may be required depending on the level of redundancy required.
 
JOM - A good team might have found that problem. We always fail hoses whether or not they are the correct material. We would have identified the shut off valve as a safeguard. We would probably have asked about the frequency of testing/cleaning the valve. If not satisfied we would have recommended an appropriate cleaning/testing schedule be established.

HAZOPs do not assume perfect maintenance. I ask the team to assume that equipment will be inspected and repaired as needed rather than run until it breaks. I also tell the team to watch out for places where this assumption is not being implemented.

HAZOP at
 
Here is more information on the handling of "distant" consequences. The quote is from "HAZOP: Guide to Best Practice", IChemE, 2001, page 16.

"Where an effect (consequence) occurs outside the section (node) being analysed, the team leader must decide whether to include the consequences in the immediate analysis or to note the potential problem and defer the analysis to a later, more suitable point in the overall HAZOP study. Whichever approach is adopted it is important that consequences outside the study section are fully covered, however distant they may be."

HAZOP at
 
In light of the recent massive power outage in the US, I have to ask the obvious question -

Would a HAZOP team consider total failure of externally supplied power? That is - everything electrically powered fails (apart from UPS supported items). Is this a fair scenario for a HAZOP team or would it be addressed via some other method?

There's an interesting discussion developing in the "Electric power generation" forum on the power outage and its causes. Should be interesting to follow as the data comes in.

I guess the analysis won't be confined to the power generation industry, but also all downstream users, eg, refineries, water, sewerage, public transport and so on.



Cheers,
John.
 
Total power failure is not something to deal with in a HAZOP. Of course, no electrical power can result in pumps/compressors/stirrers stopping. Therefore it can be a cause of no flow/higher temperature/lower pressure etc. In my opinion however, HAZOP is not the place to check for this issue.

Total power failure has to be considered during relief valve and flare (header) design.

Also note that normally in chemical plants/refineries etc. (part of the) electrical power is generated within the plant itself.

On offshore platforms normally all electrical power is generated by gas turbines. All critical equipment is connected to the emergency power supply (diesel electrical generator) and/or to the UPS.
 
Guidoo,
I disagree with you here. I think it should be considered.
I think the examples you gave were reason enough.
"Of course, no electrical power can result in pumps/compressors/stirrers stopping. Therefore it can be a cause of no flow/higher temperature/lower pressure etc."

 
MarkraM,

There seems to be some misunderstanding. What I was trying to say was that total power failure is considered during a HAZOP, albeit somewhat disguised as "pump stops, stirrer stops etc. etc.".

However, I think there are other and probably more important checks during plant design to cover the consequences of total power failure. Here I am thinking of relief valve design, SIS design, automated blowdown design, flare (header) design. Here it has to be ensured that plant goes to safe situation in case of total power failure. This is not checked during the HAZOP. In my opinion the HAZOP methodology is not suited for that either.
 
This is a very interesting and useful thread.

A couple of issues I would like to raise.

Firstly, if the plant had been in the EU, the prosecution would undoubtedly be successful. In European law, the company is responsible in law for carrying out risk assessments for all their activities. This doesn't necessarily mean that they would have had to have conducted a HAZOP, but they would have had to have shown that a HAZOP wasn't necessary, by means of a suitable alternative risk assessment. Was this done? Presumably not.

It is difficult to say whether the particular team that the company would have put together could have picked up on the failure in question. The fact is, they didn't even do a HAZOP in the first place.

An experienced HAZOP team would, I am sure, have looked at the causes and consequences of heat exchanger failure. Cold embrittlement is not the only cause. If failure was so serious, I am certain that preventing or mitigating the effects of failure would have been examined further. After all, cold embrittlement did not cause a fire and explosion, but it appears that heat exchanger failure did.

Finally, a very good point was made earlier that a HAZOP is only a part of the hazard identification process. Many opinions have been discussed around whether 2 or more failures should be considered. Surely, this MUST depend on the consequences. If the consequence is a bit of acid, say, spilt into a bund, then 2 protection devices is adequate. How about a nuclear reactor meltdown, then? I think not.

HAZOPs tend to focus on the detail, and are good at finding small problems as well as large. Other techniques look at the consequences (what is the worst case scenario?) to help the design team focus on developing protection systems to prevent the worst cases from occurring. How many major incidents in the process industries are caused by a single failure, and how many come from multiple failures - failures that a HAZOP simply doesn't address?
It's not that the HAZOP is a poor tool; it's not, it's a good tool, but it's only a part of the answer. These days it should be considered a basic necessity for all but the very lowest hazard plants.
 
I still don't agree that Hazop doesn't consider a total power failure.

It's true that they don't review the actual calculations of all the protective instruments, relief devices, etc., but you have to have the people there who can describe the layers of protection provided, confirm that the evaluations have been done, or flag it as something that needs to be confirmed. I agree a Hazop isn't the forum for reviewing/confirming the calculations, but I'm not sure I understand the point. A Hazop also, for example, doesn't confirm that pressure vessels have been properly sized for wall thickness, materials of construction, etc. (though those questions can definitely be raised if someone has a concern), but it can and should ask the question "has it been considered?", even if only in the noting of the design pressures. The parties involved in the Hazop need to satisfy themselves that these points have been addressed in the plant design.

System wide events (loss of air, loss of power, etc) are considered in the ones I've been involved in as global events. In the case, for example, of a plant being fed with 2 separate independent feeders, a loss of both feeders might or might not be considered depending on the reliability assigned to the power grid. If that is done incorrectly, it's not a limitation of the Hazop process but rather, the bad data used in the evaluation that the probability of a total power failure was not a realistic event when in hindsight, it is. Simultaneous loss of steam and electricity may not be normally considered but I know one site that does because it happened to them and it's now a credible event.
 
We always list all the utilities used by the plant as the last node. We then fail each utility one at a time and make sure the plant can stay safe through each outage. So total power failure is distinct from a power failure to a pump, and total cooling water failure is distinct from cooling water failure to one cooler.

HAZOP at
 
It would be of interest to hear opinions about the possible linking of HAZOP and similar risk analyses with ISO 14001 environmental auditing aspects.
EMS involves a policy commitment to continual improvement of the environmental management standards to prevent pollution, and comply with applicable legislation and voluntary commitments. In Britain it corresponds to BS 7750 and the EU has the EMAS (European Union Eco-Management and Audit Scheme Regulation).

BTW "prevention of pollution" is defined by ISO 14001 as "use of processes, practices, materials, or products that avoid, reduce, or control pollution, which may include recycling, treatment, process changes, control mechanisms, efficient use of resources, and material substitution. Note: The potential benefits of prevention of pollution include the reduction of adverse environmental impacts, improved efficiency, and cost reduction".

Some of these issues are incorporated in risk analyses, aren't they ? Any comments ?
 
In my opinion, both TD2K and owg describe (interesting!) variants of the original HAZOP methodology. We should keep that in mind when we are discussing whether total power failure is part of the HAZOP.
 
TrevorP wrote:

"Firstly, if the plant had been in the EU, the prosecution would undoubtedly be successfull."

Like your confidence, Trevor :)

"In European law, the company is responsible in law for carrying out risk assessments for all their activities."

Same here. Our OHS law says an employer must identify the hazards of the workplace. It doesn't specify the actual method.

The charge was that no adequate hazard identification had been conducted. The judge ruled that the prosecution had to specify the actual method and they nominated HAZOP.

Furthermore the failure was defined as a failure to connect the loss of hot oil to development of cold sufficient to cause embrittlement at the heat exchanger.

So it was a very narrowly defined question for the jury - the prosecution needed to convince them beyond reasonable doubt that a HAZOP study would have made the link between loss of oil and cold embrittlement at the heat exchanger.

The defence was that this was not proven beyond reasonable doubt. They called an expert witness, skilled in HAZOP, who said you cannot guarantee the outcome of a HAZOP, it greatly depends on the quality of the team members, and that the cold embrittlement here was a consequence of a very long chain of events and involved multiple failures. Eminently sensible points, I feel. But the jury decided "guilty". Guess they know best.

A very interesting case. No court in Australia has ever dealt with a case that involved such detailed engineering technicalities. I think they were "pushing the envelope".

Love to hear from anyone who knows of other court cases involving HAZOP.


Cheers,
John.
 