A hazard and operability (HAZOP) study is used to identify major hazards, including the release of hazardous materials or energy, or operability issues related to design, installation and operation within a facility. The focus of these studies is to address incidents that might impact public health and safety, worker safety, the environment, or the plant’s reputation or which might create an economic loss.
In a HAZOP study, a package (or a facility) is broken down into “nodes” on a piping and instrumentation diagram (P&ID). Each node is examined under the direction of a number of guidewords such as high pressure, low pressure, low flow, high flow, no flow, reverse flow, etc. Some guidewords are specific to each system or team. For example, operation team, commissioning team, etc., each have their own guidewords. The two major inputs to HAZOP are the P&IDs and cause-and-effect charts.
One primary purpose of HAZOP is the identification of scenarios that would lead to the release of a hazardous or flammable material into the atmosphere, thus exposing to danger workers and people in the area surrounding a process plant. In order to make the hazardous determination, it is always necessary to identify, as exactly as possible, all consequences of any credible causes of a hazard.
Ensuring a HAZOP meeting covers the required scope of HAZOP study is an important task. Too often, HAZOP studies fail to completely cover the whole intended scope of potential hazards, or sometimes they exceed defined battery limits. A clear scope definition is the key for a HAZOP.
Considering all possible modes of operation, start up and shutdown for the machinery or package is another important element that is essential for a successful machinery or package HAZOP study. A machinery, package or facility has different modes of operation. All modes should be considered, and proper guidewords should be applied for each mode of operation. Care should be taken to identify less obvious modes, particularly those associated with different shut-down situations — such as normal shutdown cases and different emergency-shutdown situations in various circumstances — and the subsequent start up and their combinations.
The scope of a HAZOP study should ensure that all possible deviations from design intent (and normal operation) are not only identified within the immediate scope of the machinery or package under the HAZOP study, but also that they are identified with respect to upstream and downstream systems. Past experiences have shown that some post-start-up problems have not been identified at the HAZOP stage for machineries or packages because a HAZOP study did not look far enough into upstream or downstream systems.
In large machineries, packages or facilities, the HAZOP study is usually conducted in stages. Under these circumstances, there is the potential for incomplete follow-through of problems, issues and consequences as well as potential for things to slip between the individual boundaries.
Modifications on machineries or packages, in particular, relief and blowdown systems, emergency shutdown systems, alarms, interlocks and hazardous area classifications, should be reviewed to ensure they are adequate after the modifications have been implemented. The impacts of modifications on product quality and utilities (e.g. a fuel gas system) should also be identified and assessed.
Machineries and facilities involved in batch-operated plants require special attention. Following up on recommendations arising from a HAZOP study is a key part of the HAZOP study procedure. The validity and effectiveness of HAZOP studies are seriously compromised when recommendations are not followed through.
Safety versus operability
The “hazard” in a HAZOP study is any item or operation that could possibly cause a catastrophic release of toxic, flammable, or explosive chemicals or any action that could result in injury to personnel. The identification of hazards is the main focus of a HAZOP. However, a HAZOP also is expected to identify “operability problems,” which are any operation inside the HAZOP scope that would cause a shutdown, particularly those problems that could possibly lead to a violation of environmental, health, or safety regulations or might negatively impact profitability. While the HAZOP study is designed to identify hazards through a systematic approach, more than 50 percent of all HAZOP study recommendations are operability problems and not actual hazards.
Operation and maintenance are important parts of a HAZOP study. For example, the study should verify that a machinery package can be adequately vented or drained. The venting is important for startups and shutdowns, and draining is critical for the maintenance. A machinery package should be properly isolated.
A short perspective review at the start of a HAZOP meeting for each system is recommended by some experts. This should be a brief review, and the study should be transferred to a line-by-line basis. It is always best to follow each line through the P&ID because a general overview is usually much less affective in a HAZOP. One of the reason is that, in a line-by-line review, the team focuses on each item at the same time. Poorly placed valves, inadequate access and potential for non-draining low points can be problematic.
Recommendations should be made when the safeguards for a given hazard scenario, as judged by an assessment of the risk of the scenario, are inadequate to protect against the hazard. Action items are those recommendations for which an individual or department has been assigned. For some cases, information needs might be identified as recommendations for follow up by one of the team members. The following guidelines are suggested for the implementation of hazard analysis recommendations:
- High-priority action items should be resolved within one to three
- Medium-priority action items should be resolved within three to four
- Lower-priority action items should be resolved following medium-priority items.
Relative priorities of all actions must be determined. After each recommendation has been reviewed, the resolution of each recommendation should be recorded in a tracking document such as a spreadsheet and kept on file. Recommendations can include design, operation, or maintenance changes that reduce or eliminate deviations. Recommendations identified in a hazard analysis are considered preliminary in nature; additional information or study might be needed, or a comprehensive analysis may be required.
A CHAZOP study is a HAZOP study for a control system. In other words, a CHAZOP study is primarily concerned with control systems and not the underlying process. The underlying process will be reviewed using a conventional HAZOP. Two of the important questions in a CHAZOP are:
- Are the control loops adequate for the intended operation?
- Can the control loops create any potential problems?
There are dedicated keywords for CHAZOP studies, and the three most important CHAZOP keywords are:
- Possible interaction
- Control system at the start-up
A critical CHAZOP consideration is proper integration with the plant control system of the machinery or package control system. Possible interactions — such the interaction between the package control system and another independent control loop, i.e., the plant control loop, which can affected the package, or an anti-surge loop — can cause an interaction and problems.
A package control system can receive its most important test at the machinery/package startup. Proper evaluation, precaution and provisions should be respected in the CHAZOP for the startup and initial operation. Control loops should be adequate, and they must not create any potential problems in the operation of the machinery or package in different modes under various plant situations. Electrical and control systems are typically identified by highlighting single-line diagrams and control system architecture drawings.
The CHAZOP should study the controls under normal operation cases, turndown situations, alternative operating cases and emergency situations. Instrument and actuator locations are important, and an emergency shut-down loop deserves special attention. After all, this is the control loop that should bring the machinery or package to a safe shutdown in an emergency.
A CHAZOP might require an alarm review in which it reevaluates justifications for each alarm, their activation points and the actions required of an operator in the event of an alarm. Some experts believe this alarm review can take place after startup when initial operational experience has been gained for better evaluation of the situation. However, in the author’s view, the best recommendation is to plan for three alarm reviews at the following points:
- Before the commissioning
- A few weeks after the startup
- A few months after the second one review
Too often, operation personnel need help to manage the machinery/package and surrounding facilities in the event of infrequent alarms. The alarm review should identify and eliminate nuisance alarms. Sometimes alarms with a low priority can repeatedly alarm in a control room, which can distract the operator and result in confusion and operational problems. Control system testing procedures and steps are important. Control sequence testing procedures, interlock test procedures and emergency shutdown testing procedures should be carefully reviewed.
A safety integrity level (SIL)/layers of protection analysis (LOPA) study is used to assess the adequacy of the Safety Protection Layers (SPLs), or safeguards, in place to mitigate hazardous events relating to major process hazards, identify those SPLs or safeguards that do not meet the risk-reduction requirements for a particular hazard, and make reasonable recommendations when a hazard generates a residual risk that needs further risk reduction. This is done by defining the tolerable frequency (TF).
The TF of the process deviation is a number derived from the level of the risk, which is identified through the HAZOP. It indicates the period of occurrence, in terms of years, of the process deviation that the operating company can tolerate. For example, a TF of 10-4 indicates a company can tolerate the occurrence of the process deviation once in 10,000 years. The mitigation frequency is derived as a calculation from the likelihood of each cause.
The inputs to the SIL/LOPA assessment are the process deviations, causes, risk levels and safeguards identified during the HAZOP. The SIL/LOPA assessment recommends the safety protection layers be designed to meet the process hazard. It is usually possible to integrate the SIL/LOPA studies with the CHAZOP or even the HAZOP, which reduces the time and cost to conduct these sessions, provides more data integrity since the same team conducts both studies, and removes the subjectivity that can come out of a pure CHAZOP session. An integrated study is a semi-quantitative technique that applies much more rigor than a CHAZOP or HAZOP alone. It determines if the existing safeguards are enough and if proposed safeguards are warranted as well as tightly couples the risk tools (matrices, risk graphs, etc.) of a corporation.
The risk assessment and hazard identification performed during construction is known as “HAZCON” study. While a HAZCON for specific machinery, packages or equipment might not be common, the commissioning team and machinery engineers should attend the HAZCON study and discuss machinery issues related to each unit or facility under the HAZCON. Particularly the hazards, problems and issues related to machinery-completion activities and machinery pre-commissioning need attention.
Amin Almasi is a senior rotating machinery consultant in Australia. He is a chartered professional engineer of Engineers Australia and IMechE and holds bachelor’s and master’s degrees in mechanical engineering and RPEQ. He is an active member of Engineers Australia, IMechE, ASME and SPE and has authored more than 100 papers and articles dealing with rotating equipment, condition monitoring, offshore, subsea and reliability. He may be reached at firstname.lastname@example.org.