HAZOP-How far do you go?

Status
Not open for further replies.

JOM

Chemical
Oct 16, 2001
232
There were some very good links given in thread 135-78 that very well describe the HAZOP process.

I have a question - anyone with actual experience on HAZOP teams might be able to help.

When the team considers a deviation at some point in the plant, they then identify the consequence. If the consequence is undesirable, then the team agrees on a recommended measure to prevent or control the consequence. So far, so good.

If that consequence causes another deviation downstream - does the team look at that too? And what of the consequence arising from that second deviation?

Let's say "D" = deviation, "C" = consequence. D1 is the first deviation leading directly to C1, the first consequence.

So, let's say the following could be predicted:

D1 -> C1, and then
C1 -> D2,
D2 -> C2,
C2 -> D3,
D3 -> C3,

and so on....like a row of dominoes all falling as a result of that first deviation.

My question is this:
How far does a team go in following this chain of cause & effect, when examining that first deviation, D1? Would they stop at the first consequence or perhaps the second? Would you assume that the first recommendation, if properly implemented, would break the chain of falling dominoes? Is my scenario not credible?

Clearly there are limits on a team's time, so does a team operate with a guide as to how far you follow the cause and effect chain, say, "go no further than two downstream steps from the deviation point"?

Much appreciate any thoughts on this from people experienced in HAZOP.


Cheers,
John.
 
One item: you don't need to solve the question on the spot, cf. your statement:

"When the team considers a deviation at some point in the plant, they then identify the consequence. If the consequence is undesirable, then the team agrees on a recommended measure to prevent or control the consequence. So far, so good."

You should investigate all items within the system that you are to HAZOP. But one of the easiest pitfalls is to "venture off topic". That is starting to look in other areas of the system than you currently look in. Don't try to turn your HAZOP into a design review. The HAZOP is a method - in order for it to work you must follow it.

Look at each node separately and go through your actionwords.

Sometimes you may have persons at the table with their own agenda - they may try to sabotage (maybe without realising it) the method. A good HAZOP team leader is therefore preferably somebody with as small a stake in the project as possible so that he can pacify these attempts.

Best regards

Morten
 
In my experience a HAZOP team should not spend too much time in thinking out recommended measures in case an undesirable consequence is found. Recommendation is only given when the measure is obvious (e.g. consider high level alarm or trip in case overfilling of a vessel is undesirable). In case measure is not obvious, the HAZOP team just makes the recommendation that "additional measures should be considered". Remember that a HAZOP study is a brainstorm type of study meant to identify hazards, not to remove the identified hazards or to design a plant!

The design team should pick up the HAZOP recommendations and either reject the recommendations (based on arguments!), or come with solutions. In case there are (major) changes after the first HAZOP, a second HAZOP should be done to HAZOP the changes etc. In theory, this could continue indefinitely. In practice, there are normally 2-3 separate HAZOP sessions performed.

 
see also thread 391-65384

Generally the HAZOP part of the design process gives you a list of initiating events for fault conditions at each node of the plant considered.

These are then analysed in more detail outside the HAZOP itself to determine the initiating event frequency and the potential consequences. Once this has been done you can screen hazards based on frequency or consequence (or risk which is the product of the two). The hazards that are left after the screening process are the ones which your design must accommodate. This could be via safeguards featuring diversity, redundancy, segregation etc. or by modifying the preliminary design to reduce inventories of hazardous chemicals/materials, reducing pressures etc.

Usually the HAZOP of a complex plant is split into HAZOPs of subsystems and (if possible) in the logical order that they come into effect in the overall process so that (some) domino effects can be considered. Usually the initiating event results in a consequence that bounds a series of faults of a similar nature but you have rightly identified that the trick is also to consider interactions between systems.

Ultimately the HAZOP is only as good as the variety and experience of the people participating.

Regards, HM

No more things should be presumed to exist than are absolutely necessary - William of Occam
 
Some good HAZOP practices are listed.

1) Identify the deviation that causes a problem. That is the purpose of the meeting and you do not want to get bogged down with solutions or invalidate the ideas of team members (good brain storming).
2) Rate the risk as minor, very bad, or in between. Typically done using a probability vs. consequence severity matrix. Many companies do not mitigate minor risks.
3) Do not try to solve the problem. This is distracting to the HAZOP and will waste time. The team is probably not in a position to implement the solutions they come up with.
4) Have a safety team involving upper management from various departments check the list to see if these are valid SAFETY problems and have the appropriate rating. This will eliminate deviations that aren't safety problems.
5) Assign the items to the appropriate plant personnel. For example modify procedures to operations, testing to maintenance, and physical modifications ($) to engineering.
6) Engineering will study the problem and propose a solution. This will involve the management of change process and its own safety review. It's surprising how many "solutions" actually create more problems.
 
Hi All.

Absolutely thrilled with the rapid and good responses. Thanks, one and all.

I don't think I'm getting a direct answer to my question, and maybe there isn't one. The general thrust seems to be: don't overcomplicate the task.

Two important points (for me) that have been made are:

. HAZOP is not a plant design tool
. the HAZOP team does not solve the problems they identify

I have never been involved in a HAZOP study. I have read the available literature and I think the method is not hard to understand and makes good sense. The practical tips you've all given are a great addition to the published material.

I'll tell you the reason I asked the question.

There was a criminal trial in Australia of a gas plant company over an explosion and fire. The first charge was that the company had not conducted any adequate hazard identification process. The prosecution depended on proving to the jury that a HAZOP, if done, would have identified the particular hazard that led to the explosion. The verdict was guilty, so that means the jury was convinced beyond reasonable doubt. (I can hear your groans over the notion of a jury of twelve ordinary folk making that judgement.)

The deviation was loss of heating medium when a pump stopped. The consequence was cooling of a large heat exchanger to way below zero Celsius. That produced cold embrittlement, which was the hazard they failed to identify, according to the prosecution. They argued that any reasonable HAZOP team would have certainly linked the loss of heating medium to cold embrittlement.

The problem I'm trying to sort out is this - to predict the exchanger becoming cold meant following a trail of "dominoes" from the failed pump, through 5 or six exchangers, another pump, two tanks, absorption towers, several level and flow and temperature control loops with associated alarms and trips. I suspect a HAZOP study would not go that far. The prosecution sort of short-circuited the process flow, and linked the loss of medium directly to the embrittlement.

It also seems naive to make the judgement that a HAZOP team would come up with any particular result. Seems to me that you cannot guarantee the outcome, as you might for some analytical laboratory test. All this was argued by an expert witness but the prosecution won the day.




Cheers,
John.
 
It is most likely that a HAZOP session would have identified a situation where the heat exchanger became colder than during normal operating temperature due to "no (or low) flow".

Whether or not those responding to the identified HAZard would have thought about the material spec. problem is another item.

Best regards

Morten
 
JOM,
You seem to have seized the wrong end of the stick! HAZOP is most definitely a design tool. It is much cheaper to resolve the main issues BEFORE you build a plant which is why you do the HAZOP, otherwise you end up putting 'band-aid' solutions to problems which arise through commissioning that should have been eliminated at the design stage.

Each part of the process you described in the court case would have been HAZOPed and one of the keywords at the interface to the exchanger would have been 'loss of flow' or 'loss of pressure' or even 'low flow'. This would have been logged, and potential ways in which it could happen identified (links to other HAZOPs of other systems) the consequences evaluated (cold embrittlement) and safeguards put into place.

Regarding your other conclusion that 'HAZOP members do not solve the problems they identify'. This may or may not be true, what will happen is that the most appropriate person in the team will take an action to resolve the issue. The key point we were trying to make is that you do not try to solve the problem DURING the HAZOP itself! Quite often the HAZOP process is long and involved sometimes taking days to weeks for a complex plant and to get sidetracked by solving the problems just extends the time taken. It is more important to get as complete a view of all the problems that are reasonably foreseeable than to start to try to solve them straight away.

Hope that this clarifies matters, HM

No more things should be presumed to exist than are absolutely necessary - William of Occam
 
Interesting story, JOM.

I agree with your remark that it seems naive that a HAZOP always identifies every possible hazard. A HAZOP is as good as the quality of the team members.

Although I do not know all details of this particular plant, I have the feeling that this particular problem should have been identified by a good HAZOP team. When looking at the heat exchange node, team should have looked at possibility of loss of heating medium. This could have been done with the deviations such as "No Flow" or "Lower Temperature". The team may not have identified that loss of this particular pump would have been the cause, but I don't think that really matters.

When looking at the consequences of the loss of heating medium, an experienced HAZOP team should have considered that temperature could drop below the lower design temperature, resulting in embrittlement, which could result in loss of containment and, if ignited, in a fire or explosion.

To make a long story short: Although the HAZOP team may not have identified the complete chain of causes and effects, they should have identified the possibility that loss of heating medium could result in severe consequences (such as fire/explosion). Recommendation could have been that "It should be ensured that heating medium supply is highly reliable".
This would not be found at the pump node, but at the heat exchanger node.

 
Hamish,

> You seem to have seized the wrong end of the stick! HAZOP is most definitely a design tool.

I think I expressed myself badly there, Hamish. I meant that the HAZOP team does not design the plant - is that right? It's a checking process on a design that comes from somewhere else.

I get your point that it reduces costs if used at the design stage, but it can be applied to an existing plant, can't it?

I also see your point that the problems are not solved in the HAZOP process itself but might be dealt with by members of the team outside the HAZOP meetings. All helps to clarify things, thanks.

Morten - arrgh! sorry, I left out probably the most important piece of information. The heat exchangers were regenerators, that is the heating medium was also the cooling medium. The hot liquid flowed through the critical exchanger, then through all the other items I mentioned. By that time it would have become cold. Then it flowed back through the exchangers to the last one which was the one that failed from cold embrittlement. Then it was heated and the cycle repeated.

So, if the hot flow ceased, yes the heat exchanger would lose heat. But since the hot and cold medium were one and the same physical fluid (an oil), then it follows that the cold medium must also cease flowing. There was a tank in this oil circuit which provided a reservoir of oil and this emptied in ten minutes. So there should have been only ten minutes of operation of the exchanger with cold flow and no hot flow. Would that lead to cold embrittlement? Don't know. The jury wasn't asked to decide on that one.

Does that explain why I asked about falling dominoes? How far would a HAZOP team predict the consequences of a deviation? It wasn't just "hot medium failed, so exchanger becomes very cold". You have to follow this complex circuit. I feel a HAZOP team might not take it that far, and if they did, they might have decided the system was fail-safe. I don't know.

This isn't easy to describe as there are layers of complexity. The prosecution had to prove a very particular point - that the severe cold was an obvious consequence of the failure of heating medium flow at the pump, and a HAZOP study would have identified this "beyond reasonable doubt".

All very interesting. Did anybody ever contemplate that their work on HAZOP teams might be scrutinised by a jury?

Cheers,
John.
 
Hi JOM,

Responding to your queries,

"I think I expressed myself badly there, Hamish. I meant that the HAZOP team does not design the plant - is that right? It's a checking process on a design that comes from somewhere else."

The HAZOP team may include people from design/safety who are also on the actual design team, it helps when allocating actions that the people involved have a stake in the solution! Other team members would include representatives from operations and maintenance.


"I get your point that it reduces costs if used at the design stage, but it can be applied to an existing plant, can't it?"

The HAZOP process can be applied in retrospect but problems that arise can be due to the age of the plant being compared against 'modern standards'. Even if a HAZOP was carried out at the design stage it should also be periodically updated, especially if modifications are made to the plant. See 'Revalidating Process Hazard Analyses' by W Frank and D Whittle, AIChE 2001, ISBN 0-8169-0830-3 if you are interested. There is a copy on the Knovel Interactive Books and Databases site if you have access.

Regards, HM


No more things should be presumed to exist than are absolutely necessary - William of Occam
 
As MortenA says, the team has first to identify or recognize or foresee the hazard by the techniques used in HAZOP or WHAT IF methods.

However, the jury is still out, so to say, on whether assessment of the risk as pmureiko details, by:

(a) measuring the consequences to plant, employees, the public, the environment as well as to profits;

(b) estimating the frequency of its occurrence (by probabilistic methods based on experience, if possible);

(c) comparing (a) and (b) with predetermined criteria, or targets to enable management to take a decision on whether to act by reducing the probability of the incident or by minimizing its consequences, by removing the hazard altogether, or just to ignore it for the time being;

is indeed an inherent part of the HAZOP job, or just a separate issue covered by HAZAN techniques done by a completely different team of experts. (Occam's razor?)
 
Hi 25362

I would say that the HAZOP method is part of a larger suite of Hazard Identification (HAZID) tools that a responsible designer / operator will use.

The HAZAN process is the flipside that MUST take place after having identified the risks, whether that is done by participants of the HAZOP is a moot point. Once you have identified the risk it could be very risky to do nothing else.

....yes your honour we did a HAZOP (small round of applause) but we thought that just because we could reasonably foresee a fault condition that didn't mean that we thought that it would actually happen or that it would kill / maim / injure XX people!!! OOOps.

Yours in a cheerful Friday kind of mood, HM.

No more things should be presumed to exist than are absolutely necessary - William of Occam
 
To HamishMcTavish, as I see it the HAZOP technique is the issue pondered in this thread. The subject in hand is only whether -as you rightly say- the risk analysis and evaluation should be included under the HAZOP umbrella or under a wider "safety, loss prevention, operability and reliability" hazards' identification and quantification study (you call it HAZID ?) in which HAZOP would be a first step.

Your points are clear and logical, however, there is no need to take things to extremes. Nobody, myself included, suggested that an analysis of the operability risks shouldn't be done. BTW, safety hazards aren't the only ones to be analyzed.

"Experience is the best of schoolmasters, only the school-fees are heavy." Thomas Carlyle.
 
Stop arguing - this is my thread. <grin>

This plant was old and had never been subject to a HAZOP. So, if done, it would have been a retrospective HAZOP.

No information is public as to what hazard i.d. and risk analysis was done at the time of design in the late '60s.

I'm still doubtful about the certainty that a team would identify cold embrittlement as a hazard arising from loss of heating medium. I have the benefit of having the PID - it really is a complicated plant (sorry - "was"). But twelve jurors thought otherwise, so who am I to disagree?

The second charge against this company was that they did not perform a risk analysis of the hazard. (Guilty)

Nine more charges - all guilty.


Cheers,
John.
 
I would like to address the original question which was something like "how far do you go with the consequences". I always tell my teams to remember that causes are local but consequences are global. You may have to go through downstream equipment out into the air, across the fence, across the state line, and out to the ocean. That sounds like a long way but with an expert team it only takes a few minutes. If you don't cover downstream in enough detail this time you will come to it later in the study, or someone else will have it their equipment scope. You know you have reached the end of the consequence when you come to "fatality", "major release", or "long term unit outage" or something of that severity.

HAZOP at
 
There are specific cases exemplified in the technical literature, where failure mode and effect analysis (FMEA) that focuses on hardware failures, would, with human factors added, be considered superior to HAZOP.
 

"So there should have been only ten minutes of operation of the exchanger with cold flow and no hot flow. Would that lead to cold embrittlement?"

This is a question any process engineer should be able to work out given the flow and temperature of the fluid.
What exactly was the oil's ultimate purpose anyway? Where was the reservoir located (was it cold?)


"I'm still doubtful about the certainty that a team would identify cold embrittlement as a hazard arising from loss of heating medium. I have the benefit of having the PID"

Without the benefit of the P&IDs! but from what I've heard so far I am not convinced of the remoteness or the distance in the chain of events from the initial cause to the failure.

 
Hi 25362,

I wasn't taking a potshot at you!

"BTW, safety hazards aren't the only ones to be analyzed."

Absolutely, hazards affecting the environment and the business SHOULD also be identified, however sometimes they are not because the HAZOP is too expensive and takes a huge chunk of time from people's day jobs.


OWG, you stated that:
"You may have to go through downstream equipment out into the air, across the fence, across the state line, and out to the ocean."

I would argue that you can only really HAZOP something that you control. Yes you need to know if your on-site hazard has an off-site consequence (and what that is...) but surely that is as far as you can go?


No more things should be presumed to exist than are absolutely necessary - William of Occam
 
Hi MarkkraM.

I can't find the normal temp. of the cold oil entering the critical exchanger. That's so important, isn't it? But that was not put to the jury either.

The oil was used to absorb ethane from the raw natural gas stream in two absorption towers operating at low temps. The ethane was stripped from the oil in a de-ethaniser tower, running at hot temps. This "lean" oil was then sent back to the cold absorption towers where it absorbed ethane and became "rich" oil. It continually circulated in this fashion.

The hot lean oil went through six exchangers heating the counter flow of cold rich oil. So, if the hot oil flow ceased, the flow of cold oil also had to cease. The lean oil tank, between the exchangers and the absorbers provided a reservoir of ten minutes supply. There was also a low temp shutdown switch.

I haven't convinced you of the remoteness between the cause and effect? Not surprised, cos I'm not at all sure either.

Just to add to the mix, the prosecution claimed that hydrocarbon condensate entered the rich oil line from the absorbers (it normally went elsewhere), because of a separate process upset. They argued that this is what made the exchangers cold, not the cold rich oil.

This was to be my second question to HAZOPpers. Do you consider two separate and simultaneous deviations and what combined effect they might have? If you do, then where's the stopping point? Why not consider three or four independent deviations occurring at the same time? The job would never get done.

You've all given great contributions and I've learnt much more than I was asking for. The interesting part of this is that a jury of twelve ordinary folks were asked to decide. That doesn't seem wise.

Cheers,
John.
 