HAZOP-How far do you go?

(OP)
There were some very good links given in thread 135-78 that very well describe the HAZOP process.

I have a question - anyone with actual experience on HAZOP teams might be able to help.

When the team considers a deviation at some point in the plant, they then identify the consequence. If the consequence is undesirable, then the team agrees on a recommended measure to prevent or control the consequence. So far, so good.

If that consequence causes another deviation downstream - does the team look at that too? And what of the consequence arising from that second deviation?

Let's say "D" = deviation, "C" = consequence. D1 is the first deviation leading directly to C1, the first consequence.

So, let's say the following could be predicted:

D1 -> C1, and then
C1 -> D2,
D2 -> C2,
C2 -> D3,
D3 -> C3,

and so on....like a row of dominoes all falling as a result of that first deviation.

My question is this:
How far does a team go in following this chain of cause & effect, when examining that first deviation, D1? Would they stop at the first consequence or perhaps the second? Would you assume that the first recommendation, if properly implemented, would break the chain of falling dominoes? Is my scenario not credible?

Clearly there are limits on a team's time, so does a team operate with a guide as to how far you follow the cause and effect chain, say, "go no further than two downstream steps from the deviation point"?

Much appreciate any thoughts on this from people experienced in HAZOP.

Cheers,
John.

RE: HAZOP-How far do you go?

One item: You don't need to solve the question at the spot, cf. your statement:

"When the team considers a deviation at some point in the plant, they then identify the consequence. If the consequence is undesirable, then the team agrees on a recommended measure to prevent or control the consequence. So far, so good."

You should investigate all items within the system that you are to HAZOP. But one of the easiest pitfalls is to "venture off topic". That is starting to look in other areas of the system than you currently look in. Don't try to turn your HAZOP into a design review. The HAZOP is a method - in order for it to work you must follow it.

Look at each node separately and go through your actionwords.

Sometimes you may have persons at the table with their own agenda - they may try to sabotage (maybe without realising it) the method. A good HAZOP team leader is therefore preferably somebody with as small a stake in the project as possible so that he can pacify these attempts.

Best regards

Morten

RE: HAZOP-How far do you go?

In my experience a HAZOP team should not spend too much time in thinking out recommended measures in case an undesirable consequence is found. Recommendation is only given when the measure is obvious (e.g. consider high level alarm or trip in case overfilling of a vessel is undesirable). In case measure is not obvious, the HAZOP team just makes the recommendation that "additional measures should be considered". Remember that a HAZOP study is a brainstorm type of study meant to identify hazards, not to remove the identified hazards or to design a plant!

The design team should pick up the HAZOP recommendations and either reject the recommendations (based on arguments!), or come with solutions. In case there are (major) changes after the first HAZOP, a second HAZOP should be done to HAZOP the changes etc. In theory, this could continue indefinitely. In practice, there are normally 2-3 separate HAZOP sessions performed.

 

RE: HAZOP-How far do you go?

see also thread 391-65384

Generally the HAZOP part of the design process gives you a list of initiating events for fault conditions at each node of the plant considered.

These are then analysed in more detail outside the HAZOP itself to determine the initiating event frequency and the potential consequences. Once this has been done you can screen hazards based on frequency or consequence (or risk which is the product of the two). The hazards that are left after the screening process are the ones which your design must accommodate. This could be via safeguards featuring diversity, redundancy, segregation etc. or by modifying the preliminary design to reduce inventories of hazardous chemicals/materials, reducing pressures etc.

Usually the HAZOP of a complex plant is split into HAZOPs of subsystems and (if possible) in the logical order that they come into effect in the overall process so that (some) domino effects can be considered. Usually the initiating event results in a consequence that bounds a series of faults of a similar nature but you have rightly identified that the trick is also to consider interactions between systems.

Ultimately the HAZOP is only as good as the variety and experience of the people participating.

Regards, HM

No more things should be presumed to exist than are absolutely necessary - William of Occam

RE: HAZOP-How far do you go?

Some good HAZOP practices are listed.

1) Identify the deviation that causes a problem.  That is the purpose of the meeting and you do not want to get bogged down with solutions or invalidate the ideas of team members (good brain storming).
2) Rate the risk as minor, very bad, or in between. Typically done using a probability vs. consequence severity matrix.  Many companies do not mitigate minor risks.
3) Do not try to solve the problem.  This is distracting to the HAZOP and will waste time.  The team is probably not in a position to implement the solutions they come up with.
4) Have a safety team involving upper management from various departments check the list to see if these are valid SAFETY problems and have the appropriate rating.  This will eliminate deviations that aren't safety problems.
5) Assign the items to the appropriate plant personnel. For example modify procedures to operations, testing to maintenance, and physical modifications ($) to engineering.
6) Engineering will study the problem and propose a solution.  This will involve the management of change process and its own safety review. It's surprising how many "solutions" actually create more problems.

RE: HAZOP-How far do you go?

(OP)
Hi All.

Absolutely thrilled with the rapid and good responses. Thanks, one and all.

I don't think I'm getting a direct answer to my question, and maybe there isn't one. The general thrust seems to be: don't overcomplicate the task.

Two important points (for me) that have been made are:

. HAZOP is not a plant design tool
. the HAZOP team does not solve the problems they identify

I have never been involved in a HAZOP study. I have read the available literature and I think the method is not hard to understand and makes good sense. The practical tips you've all given are a great addition to the published material.

I'll tell you the reason I asked the question.

There was a criminal trial in Australia of a gas plant company over an explosion and fire. The first charge was that the company had not conducted any adequate hazard identification process. The prosecution depended on proving to the jury that a HAZOP, if done, would have identified the particular hazard that led to the explosion. The verdict was guilty, so that means the jury was convinced beyond reasonable doubt. (I can hear your groans over the notion of a jury of twelve ordinary folk making that judgement.)

The deviation was loss of heating medium when a pump stopped. The consequence was cooling of a large heat exchanger to way below zero Celsius. That produced cold embrittlement, which was the hazard they failed to identify, according to the prosecution. They argued that any reasonable HAZOP team would have certainly linked the loss of heating medium to cold embrittlement.

The problem I'm trying to sort out is this - to predict the exchanger becoming cold meant following a trail of "dominoes" from the failed pump, through 5 or six exchangers, another pump, two tanks, absorption towers, several level and flow and temperature control loops with associated alarms and trips. I suspect a HAZOP study would not go that far. The prosecution sort of short-circuited the process flow, and linked the loss of medium directly to the embrittlement.

It also seems naive to make the judgement that a HAZOP team would come up with any particular result. Seems to me that you cannot guarantee the outcome, as you might for some analytical laboratory test. All this was argued by an expert witness but the prosecution won the day.


Cheers,
John.

RE: HAZOP-How far do you go?

It is most likely that a HAZOP session would have identified a situation where the heat exchanger became colder than during normal operating temperature due to "no (or low) flow".

Whether or not those responding to the identified HAZard would have thought about the material spec. problem is another item.

Best regards

Morten

RE: HAZOP-How far do you go?

JOM,
You seem to have seized the wrong end of the stick! HAZOP is most definitely a design tool. It is much cheaper to resolve the main issues BEFORE you build a plant which is why you do the HAZOP, otherwise you end up putting 'band-aid' solutions to problems which arise through commissioning that should have been eliminated at the design stage.

Each part of the process you described in the court case would have been HAZOPed and one of the keywords at the interface to the exchanger would have been 'loss of flow' or 'loss of pressure' or even 'low flow'. This would have been logged, and potential ways in which it could happen identified (links to other HAZOPs of other systems) the consequences evaluated (cold embrittlement) and safeguards put into place.

Regarding your other conclusion that 'HAZOP members do not solve the problems they identify'. This may or may not be true, what will happen is that the most appropriate person in the team will take an action to resolve the issue. The key point we were trying to make is that you do not try to solve the problem DURING the HAZOP itself! Quite often the HAZOP process is long and involved sometimes taking days to weeks for a complex plant and to get sidetracked by solving the problems just extends the time taken. It is more important to get as complete a view of all the problems that are reasonably foreseeable than to start to try to solve them straight away.

Hope that this clarifies matters, HM

No more things should be presumed to exist than are absolutely necessary - William of Occam

RE: HAZOP-How far do you go?

Interesting story, JOM.

I agree with your remark that it seems naive that a HAZOP always identifies every possible hazard. A HAZOP is as good as the quality of the team members.

Although I do not know all details of this particular plant, I have the feeling that this particular problem should have been identified by a good HAZOP team. When looking at the heat exchange node, team should have looked at possibility of loss of heating medium. This could have been done with the deviations such as "No Flow" or "Lower Temperature". The team may not have identified that loss of this particular pump would have been the cause, but I don't think that really matters.

When looking at the consequences of the loss of heating medium, an experienced HAZOP team should have considered that temperature could drop below the lower design temperature, resulting in embrittlement, which could result in loss of containment and, if ignited, in a fire or explosion.

To make a long story short: Although the HAZOP team may not have identified the complete chain of causes and effects, they should have identified the possibility that loss of heating medium could result in severe consequences (such as fire/explosion). Recommendation could have been that "It should be ensured that heating medium supply is highly reliable".
This would not be found at the pump node, but at the heat exchanger node.

RE: HAZOP-How far do you go?

(OP)
Hamish,

> You seem to have seized the wrong end of the stick! HAZOP is most definitely a design tool.

I think I expressed myself badly there, Hamish. I meant that the HAZOP team does not design the plant - is that right? It's a checking process on a design that comes from somewhere else.

I get your point that it reduces costs if used at the design stage, but it can be applied to an existing plant, can't it?

I also see your point that the problems are not solved in the HAZOP process itself but might be dealt with by members of the team outside the HAZOP meetings. All helps to clarify things, thanks.

Morten - arrgh! sorry, I left out probably the most important piece of information. The heat exchangers were regenerators, that is the heating medium was also the cooling medium. The hot liquid flowed through the critical exchanger, then through all the other items I mentioned. By that time it would have become cold. Then it flowed back through the exchangers to the last one which was the one that failed from cold embrittlement. Then it was heated and the cycle repeated.

So, if the hot flow ceased, yes the heat exchanger would lose heat. But since the hot and cold medium were one and the same physical fluid (an oil), then it follows that the cold medium must also cease flowing. There was a tank in this oil circuit which provided a reservoir of oil and this emptied in ten minutes. So there should have been only ten minutes of operation of the exchanger with cold flow and no hot flow. Would that lead to cold embrittlement? Don't know. The jury wasn't asked to decide on that one.

Does that explain why I asked about falling dominoes? How far would a HAZOP team predict the consequences of a deviation? It wasn't just "hot medium failed, so exchanger becomes very cold". You have to follow this complex circuit. I feel a HAZOP team might not take it that far, and if they did, they might have decided the system was fail-safe. I don't know.

This isn't easy to describe as there are layers of complexity. The prosecution had to prove a very particular point - that the severe cold was an obvious consequence of the failure of heating medium flow at the pump, and a HAZOP study would have identified this "beyond reasonable doubt".

All very interesting. Did anybody ever contemplate that their work on HAZOP teams might be scrutinised by a jury?

Cheers,
John.

RE: HAZOP-How far do you go?

Hi JOM,

Responding to your queries,

"I think I expressed myself badly there, Hamish. I meant that the HAZOP team does not design the plant - is that right? It's a checking process on a design that comes from somewhere else."

The HAZOP team may include people from design/safety who are also on the actual design team, it helps when allocating actions that the people involved have a stake in the solution! Other team members would include representatives from operations and maintenance.


"I get your point that it reduces costs if used at the design stage, but it can be applied to an existing plant, can't it?"

The HAZOP process can be applied in retrospect but problems that arise can be due to the age of the plant being compared against 'modern standards'. Even if a HAZOP was carried out at the design stage it should also be periodically updated, especially if modifications are made to the plant. See 'Revalidating Process Hazard Analyses' by W Frank and D Whittle, AIChE 2001, ISBN 0-8169-0830-3 if you are interested. There is a copy on the Knovel Interactive Books and Databases site www.knovel.com/knovel2/default.jsp if you have access.

Regards, HM

No more things should be presumed to exist than are absolutely necessary - William of Occam

RE: HAZOP-How far do you go?

As MortenA says, the team has first to identify or recognize or foresee the hazard by the techniques used in HAZOP or WHAT IF methods.

However, the jury is still out, so to say, on whether assessment of the risk as pmureiko details, by:

(a) measuring the consequences to plant, employees, the public, the environment as well as to profits;

(b) estimating the frequency of its occurrence (by probabilistic methods based on experience, if possible);

(c) comparing (a) and (b) with predetermined criteria, or targets to enable management to take a decision on whether to act by reducing the probability of the incident or by minimizing its consequences, by removing the hazard altogether, or just to ignore it for the time being;

is indeed an inherent part of the HAZOP job, or just a separate issue covered by HAZAN techniques done by a completely different team of experts. (Occam's razor?)

RE: HAZOP-How far do you go?

Hi 25362

I would say that the HAZOP method is part of a larger suite of Hazard Identification (HAZID) tools that a responsible designer / operator will use.

The HAZAN process is the flipside that MUST take place after having identified the risks, whether that is done by participants of the HAZOP is a moot point. Once you have identified the risk it could be very risky to do nothing else.

....yes your honour we did a HAZOP (small round of applause) but we thought that just because we could reasonably foresee a fault condition that didn't mean that we thought that it would actually happen or that it would kill / maim / injure XX people!!! OOOps.

Yours in a cheerful Friday kind of mood, HM.

No more things should be presumed to exist than are absolutely necessary - William of Occam

RE: HAZOP-How far do you go?

To HamishMcTavish, as I see it the HAZOP technique is the issue pondered in this thread. The subject in hand is only whether -as you rightly say- the risk analysis and evaluation should be included under the HAZOP umbrella or under a wider "safety, loss prevention, operability and reliability" hazards' identification and quantification study (you call it HAZID ?) in which HAZOP would be a first step.

Your points are clear and logical, however, there is no need to take things to extremes. Nobody, myself included, suggested that an analysis of the operability risks shouldn't be done. BTW, safety hazards aren't the only ones to be analyzed.

"Experience is the best of schoolmasters, only the school-fees are heavy." Thomas Carlyle.

RE: HAZOP-How far do you go?

(OP)
Stop arguing - this is my thread. <grin>

This plant was old and had never been subject to a HAZOP. So, if done, it would have been a retrospective HAZOP.

No information is public as to what hazard i.d. and risk analysis was done at the time of design in the late '60s.

I'm still doubtful about the certainty that a team would identify cold embrittlement as a hazard arising from loss of heating medium. I have the benefit of having the PID - it really is a complicated plant (sorry - "was"). But twelve jurors thought otherwise, so who am I to disagree?

The second charge against this company was that they did not perform a risk analysis of the hazard. (Guilty)

Nine more charges - all guilty.

Cheers,
John.

RE: HAZOP-How far do you go?

I would like to address the original question which was something like "how far do you go with the consequences". I always tell my teams to remember that causes are local but consequences are global. You may have to go through downstream equipment out into the air, across the fence, across the state line, and out to the ocean. That sounds like a long way but with an expert team it only takes a few minutes. If you don't cover downstream in enough detail this time you will come to it later in the study, or someone else will have it in their equipment scope. You know you have reached the end of the consequence when you come to "fatality", "major release", or "long term unit outage" or something of that severity.

HAZOP at www.curryhydrocarbons.ca

RE: HAZOP-How far do you go?

There are specific cases exemplified in the technical literature, where failure mode and effect analysis (FMEA) that focuses on hardware failures, would, with human factors added, be considered superior to HAZOP.

RE: HAZOP-How far do you go?


"So there should have been only ten minutes of operation of the exchanger with cold flow and no hot flow. Would that lead to cold embrittlement?"

This is a question any process engineer should be able to work out given the flow and temperature of the fluid.
What exactly was the oil's ultimate purpose anyway? Where was the reservoir located (was it cold?)


"I'm still doubtful about the certainty that a team would identify cold embrittlement as a hazard arising from loss of heating medium. I have the benefit of having the PID"

Without the benefit of the P&IDs! but from what I've heard so far I am not convinced of the remoteness or the distance in the chain of events from the initial cause to the failure.

RE: HAZOP-How far do you go?

Hi 25362,

I wasn't taking a potshot at you!

"BTW, safety hazards aren't the only ones to be analyzed."

Absolutely, hazards affecting the environment and the business SHOULD also be identified, however sometimes they are not because the HAZOP is too expensive and takes a huge chunk of time from people's day jobs.


OWG, you stated that:
"You may have to go through downstream equipment out into the air, across the fence, across the state line, and out to the ocean."

I would argue that you can only really HAZOP something that you control. Yes you need to know if your on-site hazard has an off-site consequence (and what that is...) but surely that is as far as you can go?

No more things should be presumed to exist than are absolutely necessary - William of Occam

RE: HAZOP-How far do you go?

(OP)
Hi MarkkraM.

I can't find the normal temp. of the cold oil entering the critical exchanger. That's so important, isn't it? But that was not put to the jury either.

The oil was used to absorb ethane from the raw natural gas stream in two absorption towers operating at low temps. The ethane was stripped from the oil in a de-ethaniser tower, running at hot temps. This "lean" oil was then sent back to the cold absorption towers where it absorbed ethane and became "rich" oil. It continually circulated in this fashion.

The hot lean oil went through six exchangers heating the counter flow of cold rich oil. So, if the hot oil flow ceased, the flow of cold oil also had to cease. The lean oil tank, between the exchangers and the absorbers provided a reservoir of ten minutes supply. There was also a low temp shutdown switch.

I haven't convinced you of the remoteness between the cause and effect? Not surprised, cos I'm not at all sure either.

Just to add to the mix, the prosecution claimed that hydrocarbon condensate entered the rich oil line from the absorbers (it normally went elsewhere), because of a separate process upset. They argued that this is what made the exchangers cold, not the cold rich oil.

This was to be my second question to HAZOPpers. Do you consider two separate and simultaneous deviations and what combined effect they might have? If you do, then where's the stopping point? Why not consider three or four independent deviations occurring at the same time? The job would never get done.

You've all given great contributions and I've learnt much more than I was asking for. The interesting part of this is that a jury of twelve ordinary folks were asked to decide. That doesn't seem wise.

Cheers,
John.

RE: HAZOP-How far do you go?

"Do you consider two separate and simultaneous deviations and what combined effect they might have?"

Normally you do not consider two unrelated failures at the same time (double jeopardy). Unless the HAZOP team considers the likelihood of such double failure relatively high.
My experience with HAZOPs is that virtually always only single deviation is studied.

Not considering double jeopardy is a quite normal engineering approach (for example also used for sizing of relief valves).

Alternative approach would be a risk based approach, so determine whether to take additional measures based on the combination of likelihood of an undesirable event and the consequences of this event.

If a HAZOP team would have to consider multiple deviations at the same time, study for a large plant would take years i.s.o. months. Plant would be outdated when design is finished...
And the HAZOP team members would end up in some mental institution, uttering words like "No Flow, causes: blockage, control valve failure, controller failure" ;)

RE: HAZOP-How far do you go?

HamishMcTavish - we agree to include off-site consequences. We control offsite consequences with emergency plans including plant emergency plans, local emergency plans, mutual aid plans, and the like. Our subject is only the equipment in the current node, but the consequences are global. That is why we do HAZOP. In the Cyclohexane disaster at DSM which gave rise to HAZOP a row of houses were damaged. We need to identify and control that type of consequence.

Guidoo - I allow what I call one and a half jeopardies. These are Causes where an unrevealed fault is sitting waiting to trap a failure. An example would be a check valve in dirty service which stays open for a year. Then it is expected to close on demand say on auto-start of a spare pump. I don't think so. There usually aren't too many of these and we have not had a confirmed case of anyone being taken away.

HAZOP at www.curryhydrocarbons.ca

RE: HAZOP-How far do you go?

(OP)
owg,

Have you read of this case? It's well reported by the US CSB. It happened at a chlorine receival plant at Festus, Missouri.

Rail cars loaded with liquid chlorine would be unloaded through flexible hoses. These were teflon hoses encased in braided flexible steel hose.

The steel braiding should have been Hastelloy, but someone supplied 316 stainless. Chlorine corroded the steel and it failed and the hose burst. A very large quantity of chlorine was released.

Manual ESD and auto ESD actuated by a chlorine detector were there to shut down the discharge lines. Good protection, si?

Both the manual and auto ESD systems worked...up to a point. The shutdown valves were clogged with corrosion products, so did not operate. So the release continued, instead of being nipped in the bud.

Would a HAZOP study have considered those two failures together? The wrong hose material and clogged shutdown valves. I guess not.

So many industrial catastrophes are the result of, first, some latent failure no-one is aware of, and second the obvious equipment or human failure.

Do HAZOPs assume perfect maintenance?

Cheers,
John.

RE: HAZOP-How far do you go?

A HAZOP must assume only what is given. If the shutdown valves were to be tested on a routine basis, then these safeguards should be listed in the HAZOP report.

However, the HAZOP team needs to look at the relative risk. The matrix mentioned by pmureiko above is often used. If the risk is medium or high, the team should recommend a more detailed analysis. Additional sensors, valves and even logic solvers may be required depending on the level of redundancy required.

RE: HAZOP-How far do you go?

JOM - A good team might have found that problem. We always fail hoses whether or not they are the correct material. We would have identified the shut off valve as a safeguard. We would probably have asked about the frequency of testing/cleaning the valve. If not satisfied we would have recommended an appropriate cleaning/testing schedule be established.

HAZOPs do not assume perfect maintenance. I ask the team to assume that equipment will be inspected and repaired as needed rather than run until it breaks. I also tell the team to watch out for places where this assumption is not being implemented.

HAZOP at www.curryhydrocarbons.ca

RE: HAZOP-How far do you go?

Here is more information on the handling of "distant" consequences. The quote is from "HAZOP: Guide to Best Practice", by IChemE, 2001, page 16.

"Where an effect (consequence) occurs outside the section (node) being analysed, the team leader must decide whether to include the consequences in the immediate analysis or to note the potential problem and defer the analysis to a later, more suitable point in the overall HAZOP study. Whichever approach is adopted it is important that consequences outside the study section are fully covered, however distant they may be."

HAZOP at www.curryhydrocarbons.ca

RE: HAZOP-How far do you go?

(OP)
In light of the recent massive power outage in the US, I have to ask the obvious question -

Would a HAZOP team consider total failure of externally supplied power? That is - everything electrically powered fails (apart from UPS supported items). Is this a fair scenario for a HAZOP team or would it be addressed via some other method?

There's an interesting discussion developing in the "Electric power generation" forum on the power outage and its causes. Should be interesting to follow as the data comes in.

I guess the analysis won't be confined to the power generation industry, but also all downstream users, eg, refineries, water, sewerage, public transport and so on.

Cheers,
John.

RE: HAZOP-How far do you go?

Total power failure is not something to deal with in a HAZOP. Of course, no electrical power can result in pumps/compressors/stirrers stopping. Therefore it can be a cause of no flow/higher temperature/lower pressure etc. In my opinion however, HAZOP is not the place to check for this issue.

Total power failure has to be considered during relief valve and flare (header) design.

Also note that normally in chemical plants/refineries etc. (part of the) electrical power is generated within the plant itself.

In offshore platforms normally all electrical power is generated by gas turbines. All critical equipment is connected to the emergency power supply (diesel electrical generator) and/or to the UPS.

RE: HAZOP-How far do you go?

Guidoo,
I disagree with you here. I think it should be considered.
I think the examples you gave were reason enough.
"Of course, no electrical power can result in pumps/compressors/stirrers stopping. Therefore it can be a cause of no flow/higher temperature/lower pressure etc."

RE: HAZOP-How far do you go?

MarkraM,

There seems to be some misunderstanding. What I was trying to say was that total power failure is considered during a HAZOP, albeit somewhat disguised as "pump stops, stirrer stops etc. etc.".

However, I think there are other and probably more important checks during plant design to cover the consequences of total power failure. Here I am thinking of relief valve design, SIS design, automated blowdown design, flare (header) design. Here it has to be ensured that plant goes to safe situation in case of total power failure. This is not checked during the HAZOP. In my opinion the HAZOP methodology is not suited for that either.

RE: HAZOP-How far do you go?

This is a very interesting and useful thread.  

A couple of issues I would like to raise.

Firstly, if the plant had been in the EU, the prosecution would undoubtedly be successful.  In European law, the company is responsible in law for carrying out risk assessments for all their activities.  This doesn't necessarily mean that they would have had to have conducted a HAZOP, but they would have had to have shown that a HAZOP wasn't necessary, by means of a suitable alternative risk assessment.  Was this done? Presumably not.

It is difficult to say whether the particular team that company would have put together, could have picked up on the failure in question.  The fact is, they didn't even do a HAZOP in the first place.

An experienced HAZOP team would, I am sure, have looked at the causes and consequences of heat exchanger failure.  Cold embrittlement is not the only cause.  If failure was so serious, I am certain that preventing or mitigating the effects of failure would have been examined further.  After all, cold embrittlement did not cause a fire and explosion, but it appears that heat exchanger failure did.

Finally, a very good point was made earlier that a HAZOP is only a part of the hazard identification process. Many opinions have been discussed around whether 2 or more failures should be considered.  Surely, this MUST depend on the consequences.  If the consequence is a bit of acid, say, spilt into a bund, then 2 protection devices is adequate.  How about a nuclear reactor meltdown, then?  I think not.  

HAZOPs tend to focus on the detail, and are good at finding small problems as well as large.  Other techniques look at the consequences (What is the worst case scenario), to help the design team to focus on developing protection systems to prevent the worst cases from occurring.  How many major incidents in the process industries are caused by a single failure, and how many come from multiple failures - failures that a HAZOP simply doesn't address?
It's not that HAZOP is a poor tool, it's not, it's a good tool, but it's only a part of the answer.  These days it should be considered a basic necessity of all but the very lowest hazard plants.

RE: HAZOP-How far do you go?

I still don't agree that Hazop doesn't consider a total power failure.  

It's true that they don't review the actual calculations of all the protective instruments, relief devices, etc. but you have to have the people there who can describe the layers of protection provided, confirm that the evaluations have been done or you can flag it as something that needs to be confirmed.  I agree a Hazop isn't the forum for reviewing/confirming the calculations but I'm not sure I understand the point.  A Hazop also, for example, doesn't confirm that pressure vessels have been properly sized for wall thicknesses, materials of construction, etc. (though those questions can definitely be raised if someone has a concern) but it can and should ask the question 'has it been considered' even if only in the noting of the design pressures.  The parties involved in the Hazop need to satisfy themselves that these points have been addressed in the plant design.

System wide events (loss of air, loss of power, etc) are considered in the ones I've been involved in as global events.  In the case, for example, of a plant being fed with 2 separate independent feeders, a loss of both feeders might or might not be considered depending on the reliability assigned to the power grid.  If that is done incorrectly, it's not a limitation of the Hazop process but rather, the bad data used in the evaluation that the probability of a total power failure was not a realistic event when in hindsight, it is.  Simultaneous loss of steam and electricity may not be normally considered but I know one site that does because it happened to them and it's now a credible event.

RE: HAZOP-How far do you go?

We always list all the utilities used by the plant as the last node. We then fail each utility one at a time and make sure the plant can stay safe through each outage. So total power failure is distinct from a power failure to a pump, and total cooling water failure is distinct from cooling water failure to one cooler.

HAZOP at www.curryhydrocarbons.ca

RE: HAZOP-How far do you go?

It would be of interest to hear opinions about the possible linking of HAZOP and similar risk analyses with ISO 14001 environmental auditing aspects.
EMS involves a policy commitment to continual improvement of the environmental management standards to prevent pollution, and comply with applicable legislation and voluntary commitments. In Britain it corresponds to BS 7750 and the EU has the EMAS (European Union Eco-Management and Audit Scheme Regulation).

BTW "prevention of pollution" is defined by ISO 14001 as "use of processes, particles, materials, or products that avoid, reduce, or control pollution, which may include recycling, treatment, process changes, control mechanisms, efficient use of resources, and material substitution. Note: The potential benefits of prevention of pollution include the reduction of adverse environmental impacts, improved efficiency, and cost reduction".

Some of these issues are incorporated in risk analyses, aren't they? Any comments?

RE: HAZOP-How far do you go?

In my opinion, both TD2K and owg describe (interesting!) variants of the original HAZOP methodology. We should keep that in mind when we are discussing whether total power failure is part of the HAZOP.

RE: HAZOP-How far do you go?

(OP)
TrevorP wrote:

"Firstly, if the plant had been in the EU, the prosecution would undoubtedly be successful."

Like your confidence, Trevor

"In European law, the company is responsible in law for carrying out risk assessments for all their activities."

Same here. Our OHS law says an employer must identify the hazards of the workplace. It doesn't specify the actual method.

The charge was that no adequate hazard identification had been conducted. The judge ruled that the prosecution had to specify the actual method and they nominated HAZOP.

Furthermore the failure was defined as a failure to connect the loss of hot oil to development of cold sufficient to cause embrittlement at the heat exchanger.

So it was a very narrowly defined question for the jury - the prosecution needed to convince them beyond reasonable doubt that a HAZOP study would have made the link between loss of oil and cold embrittlement at the heat exchanger.

The defence was that this was not proven beyond reasonable doubt. They called an expert witness, skilled in HAZOP, who said you cannot guarantee the outcome of a HAZOP, it greatly depends on the quality of the team members, and that the cold embrittlement here was a consequence of a very long chain of events and involved multiple failures. Eminently sensible points, I feel. But the jury decided "guilty". Guess they know best.

A very interesting case. No court in Australia has ever dealt with a case that involved such detailed engineering technicalities. I think they were "pushing the envelope".

Love to hear from anyone who knows of other court cases involving HAZOP.

Cheers,
John.
