Hazop Estudy in Risk Analysis

The role of hazard and operability study in
risk analysis of major hazard plant
A. R. Qureshi
Snamprogetti Ltd., Snamprogetti House, Basing View, Basingstoke,
Hampshire RG 21 277, UK
Under the CIMAH Regulations and the Seveso Directive the operators of major hazard plant and
storage are required to prepare a safety case. The essential elements of a safety case are: the safety
policy, description of hazards arising from the activity, account of controls to minimize the effects of
these hazards, consequences should these controls fail, on/off site emergency plans etc. The
proven method of hazard identification, called the Hazard and Operability Study, is used extensively
to enhance the safety of plant during design and for existing plant. The study gives a better value
for money in tne art of hazard identification than the checklist approach and may be used for (a)
future modifications; and lb) as a support document for ‘Safety Case’ preparation for identification
of top events and for constructing fault/event trees for further frequency analysis. This paper
highlights how the technique has been used in Snamprogetti Ltd at the design and operational
stages of the plant.
(Keywords: hazard and operability study; safety case; risk analysis)
During the past decade, due to a number of major
accidents around the world and their consequences,
public awareness of the risks posed by major hazard
installations has led to the enactment of the CIMAH
(Control of Industrial Major Accident Hazards)
Regulations, 1984 in the UK and the Seveso Directive
(1982) in the EEC, and increasing involvement of
regulatory authorities in siting and operation of such
plants. Past accidents have shown that industrial
activities involving certain dangerous substances have
the potential to cause serious injury or death beyond the
immediate vicinity of such a plant. The CIMAH regulations and the Health and Safety at Work etc. Act
(HASWA), 1974 place an onus on operators and
designers of such plant to ensure that the employees and
the
public
at
large
are
not
exposed
to an unacceptable degree of risk. This duty requires
that the hazards are identified, and where necessary
quantified. The major hazard plants are defined in the
CIMAH Regulations. Hazard may be defined as a
physical situation with a potential for harm to life, limb,
property or the environment. Risk is defined as the
probability of the realization of the potential of a
hazard and its consequences.
In the UK and to varying extents in EEC countries
three basic elements of control are applied:
0 Identification (Notification of Installations Handling
Hazardous Substances (NIHSS) Regulations, 1982)
Received 2 November 1987
OS?04230/68~020104-06S3.00
0 1988 Butterworth & Co. (Publishers) Ltd
104 J. Loss Prev. Process lnd., 1988, Vol I, A p r i l
l
Location (control over siting of major hazard plant);
and
l Assessment (CIMAH Regulations requiring preparation of a Safety Case and on/off-site emergency
plans).
The requirements of the CIMAH Regulations can be
considered as being at two levels (Figure I ). The general
or low-level requirements apply widely and require the
operator of the industrial activity to take the necessary
precautions to prevent major accidents, to report those
that do arise and to take steps to limit their consequences. The specific or upper level requirements apply
only to potentially more hazardous activities. These
requirements are stringent and require the operator to
carry out a safety assessment of the site and submit a
‘Safety Case’ to the Health and Safety Executive (HSE).
The objectives’ of the Safety Case are:
to identify the nature and scale of the dangerous
substances;
to give an account of the arrangements for safe
operation of the installation, for control of serious
deviations that could lead to a major accident and
for emergency procedures at the site;
to identify the type, relative likelihood and consequences of major accidents that might occur; and
to demonstrate that the manufacturer (operator) has
identified the major hazard potential of his activities
and has provided appropriate controls.
Although the regulatory and stringent development
Role of hazop in the risk analysis of major hazard plant: R. Qureshi
Is my installation
excluded (Reg 3) ?
START HERE
Is it an industrial activity
within the meaning of Reg 2 ?
NO ACTION
Have I a dangerous
substance within the
meaning of Reg 2 ?
NO ACTION
Yes
tI
Is my activity
I
EITHER
a use specified
in Schedule 4 ?
Does the dangerous
substance come
within the criteria
NO ACTION
OR
isolated storage ?
I
I
I
I
ACTION in the event of
a major accident
Reg 5
Notif major accident to
HSE bf not notified
under NADOR)
Provide information to
HSE on major accident
I
I
Is the quantity large
enough to render the
operation capable of
presenting major
accident hazards ?
No
No
,
IS the dangerous
substance listed
in Schedule 2 ?
1
Yes V
the threshold in Schedule 3,
column 2 ?
1 ACTION
-4
Reg 4
Demonstrate safe
operation at any time
I
No
\
I
I
7
Yes
t
c
Does the quantity
exceed the threshold
in Schedule 2, column 2 ?
1
ACTIONS
Reg 7
Provide notification
to HSE (if activity
not already notified
under NIHHS Regs)
Prepare &submit
to HSE a written
report (safety case)
igure 1
Reg 8
Provide information
to HSE on
significant modifications
Reg 9
Provide further
information at request
of HSE
Reg 10
Prepare an on-site
emergency plan
Reg 11
Provide information
to local authority to
enable them to draw
up an off-site
emergency plan
Reg 12
Inform the public
about the major
accident hazard
Yes
plus
Reg 4
Demonstrate safe
operation at any
time
A manufacturer’s guide to the CIMAH regulations (Ref.1)
J. Loss Prev. Process Ind., 1988, Vol 1, April 105
Role of hazop in the risk analysis of major hazard plant: R. Qureshi
controls are not universally applicable, incidents at
Bhopal and Mexico City, among others, have shown
that in future the designers and operators of such plant
irrespective of their location would have to demonstrate
that the plant offers a degree of safety comparable with
those located in the Western world*.
This paper deals with how a hazard and operability
study differs from other hazard identification techniques and its role in risk analysis of major hazard
plants for both the design and operational stages of a
plant.
Hazard identification techniques and their
application
Until recently, it has been customary to examine a
project for inadequacies in design on an ad hoc basis
and any one or a combination of the following techniques have been used for hazard identification either in
a team or on an individual basis:
Obvious: for example in the manufacture of ethyl
oxide, oxygen and ethylene are mixed in proportions
close to the explosive limit, it is also very toxic - the
hazards are therefore obvious.
0 See what happens approach.
l Checklist approach: the main disadvantages are that
items not on the list are not considered and plants
dealing with new design and chemicals not experienced before are inadequately covered. It is not
possible to produce a checklist which could meet all
situations.
0
A more effective way to identify potential hazards is to
look at the design in a dynamic manner. The technique
is known as a hazard and operability (hazop) study
and is defined by the Chemical Industry Association
(CIA) in their guide3 as follows:
‘The application of a formal systematic critical
examination to the process and engineering intentions
of the new facilities to assess the hazard potential of
maloperation or malfunction of individual items of
equipment and the consequential effects on the facility
as a whole’.
HAZARD
AND
Although the definition implies the use of this technique
for ‘new facilities’ it is equally intended for existing
plants, as will be demonstrated later on.
It is not the intention to deal with the hazop study
technique in detail here (for further guidance reference
should be made to Ref. 3 and 4), but to describe its
application. For the success of the study it is essential
that a multi-disciplined team is selected under the
chairmanship of an independent and experienced
person.
The team structure depends upon the type of plant
being studied but would normally consist of the designer
(process engineer when an existing plant is undergoing
a hazop), client’s representative (for plant being
designed), specialists (instrument/mechanical/safety
advisor etc.), as and when required. It is best to start
with the raw materials first and work towards the
products. Each piping and instrument diagram (PID) is
divided into meaningful sections, and each section is
systematically examined using guide words how deviations from the desired intention of the design can occur
and whether such deviations can lead to hazardous
situations. Any means of protection against hazards are
noted and if there are further requirements for qualitative and quantitative studies these are actioned on
members of the study team. The need for further action
depends upon the product of consequence and frequency of occurrence, and is determined by rough and
ready evaluation. The procedure for study consists of
the following steps:
1. definition of the objective and scope of the study;
selection of team;
preparation for the study;
carrying out study and recording of results; and
follow up.
2.
3.
4.
5.
The proceedings of the study are recorded on ‘working
sheets’ (a specimen is shown in Figure 2), and the
follow up is recorded on another sheet (Figure 3).
The designer and the operator have very important
roles to play in the hazop study which are crucial to its
success. The designer explains the design intention and
OPERABILITY STUDY WORKING S H E E T S
TITLE ..,_.................................
DATE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
REFERENCE DOCUMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TEAM MEMBERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
N O D E S ; PARAMETER
, DEVIATION ,
I
I
I
I
I
I
I
I
I
I
I
I
I
Figure 2
I
I
I
I
I
I
I
I
I
;
POSSIBLE CAUSE
;
CONSEQUENCES
I
I
I
I
I
I
I
I
I
i
I
I
Hazard and operability study working sheets
106 J. Loss Prev. Process Ind., 1988, VoJ 1, April
SHEET ,......_........ of . . . . . . . . . . . . . . . . . .
1
PROTECTION MEANS
I
I
I
I
I
I
I
I
I
I
I
I
; NOTES
I
I
I
I
I
I
I
I
I
I
I
I
& ACTIONS REQD.
Role of hazop in the risk analysis of major hazard plant: .R. Qureshi
SHT .......... OF ..........
VENUE .........................
DATE ...............
THOSE PRESENT ................................................................................
HAZ. OP.
SHEET
P.I.D.
Figure 3
,
I
;
DESCRIPTION
OF ACTION
REQUIRED
;
;
I
RESPONSE
; ACTION BY
I
Action/response on hazop study
the operator elaborates the operational philosophy/
constraints and historical data relevant to the plant, as
such information is not readily available. In their
absence one may have to spend a lot of time going
through operating instructions, management philosophy etc., and even then the quality of information
would not be the same.
Risk analysis
General risk analysis consists of the following steps:
(a) the likelihood of a specified undesired event occurring within a specified period or in specified circumstances. It may be either frequency (number of
occurrences per unit time) or probability (scale O-l)
depending on circumstances5;
(b) estimating the consequences to employees, members
of the public and plant/profits; and
(c) comparing the results of (a) and (b) with a target or
set criteria to decide the appropriate course of
action.
The information for items (a) and (b) may be derived
from hazop, incident and failure rate and chemical data
banks, meterological conditions etc. Information on
random failure and the extent of gaseous and liquid
releases can be generated from well-documented hazop
study working sheets.
An experienced chairman, using his subjective judgement, can eliminate the need for numerical analysis in a
large proportion of events.
Application of hazop in Snamprogetti Ltd
As mentioned earlier, hazop can be conducted on a
plant under design or on an existing plant. Snamprogetti
Ltd has applied the technique on both categories of
plants and our experience is briefly described in this
section.
In our experience, contrary to common belief, hazop
does not take any longer than reviews based on the
checklist approach, provided it is conducted under the
Chairmanship of an experienced and independent
person and the team members are proficient in their
discipline. It does. however, take time in producing
typed versions of the hazop working sheets.
To process
Ammonium
FCV
NO
nitrate
solution
NO
W
Demin water make up
Ammonia
Nitric acid
KEY.
*
Added as a result of HAZOP
BJ
G
NO,NC
FCV,LCV
QVI ,QV2
TV
Figure 4
A
Valve with actuator and failure mode shown
Pumps (working/standby)
Normally open/closed
Flow and level control valves
Quench valves
Trip valve
Ammonium nitrate reactor quench water System
J. Loss Prev. Process Ind., 1988, Vol I, April 107
Role of hazop in the risk analysis of major hazard plant: R. Qureshi
l-l
UncontrollexJ
temperature rise
in reactor
evcntslvear
pi$Egg$qpj&iq
Figure 5 Basic fault tree for uncontrolled temperature rise in
ammonium nitrate reactor
Application of hazop to plant under design
While conducting hazop on a fertilizer plant design in
which the client representative was a team member it
was discovered that the ammonium nitrate reactor was a
critical item where runaway reaction could give disastrous consequences. By keeping operational parameters
under control the situation could be avoided, but once
realized, the only way the reaction can be arrested is by
quick introduction of water. The water for this purpose
was supplied from a demineralized water supply system
which normally fed the process stream and the boiler.
The system is shown in Figure 4 (the hazop recommendations are also marked). Because of the very
serious nature of the problem the client requested a
reliability analysis of the quench water to be carried
out to ensure that is was within acceptable limits. It was
found that the system availability was considerably
enhanced by taking account of the recomendations of
the hazop study (a basic fault tree is shown in Figure 5).
It has been experienced time and time again that a
properly conducted hazop improves considerably the
plant design and saves time on detailed assessment.
Application to existing plants
Conducting a hazop study on existing plant could be an
expensive and laborious exercise and it should, therefore, be selectively applied. It may be that part of the
plant is giving problems or a number of incidents have
occurred in certain parts of the plant to warrant hazop.
The classification of units of major hazard plants can
be done on the basis of an integrated method proposed
108 J.
L OSS
P r e v . P r o c e s s lnd., 7988, Vol I, A p r i l
by Dow Chemical & TN0 and ICI Mond6 as a first
analysis of major hazards and should not be a replacement for more detailed and sophisticated hazard assessment and consequence analysis. Either method can be
used at any phase of design of a new plant or on an
existing plant to highlight those areas where hazard
levels are comparatively high and which require an
in-depth study. The methods can be applied to a wide
range of processes, storage installations, loading/
unloading operations, and failure of pipes handling
flammable as well as toxic substances. The toxicity
index does not take into account all the possible effects
on the human body, therefore care should be exercised
when formulating recommendations based on this
methodology.
The plant is divided into units. A unit is defined as
part of a plant that can be readily and logically characterized as a separate entity. It may consist of a portion
of the plant which is (or could be) separated from the
remainder of the plant either by distance or by fire
barriers, walls or bunds etc. The portion of the plant
selected as a unit will normally be the area where a
particular process and/or material hazard exists which is
somewhat different to those present in other units
nearby.
There are two ways of ranking various units on a site
Table
1
The Fire & Explosion and Toxicity Indices
FEI
TI
less than 65
65-95
above 95
less than 6
6610
above 10
Hazard category
Ill
II
I
Kategory
I being the most hazardous)
Table 2 The Mond index
Hazard category
Index R
Ill
II
I
up to 500
between 500 and 2500
above 2500
(Category I being the most hazardous)
The extent of safety analysis is determined as per Table 3
Table 3
Safety analysis to be applied
Hazard categories
Extent of safety analysis
I
Level 1
Level 2
Level 3
X
II
Ill
X
X
The levels are defined as follows:
Level 1: Qualitative (hazard and operability study) and quantitative treatment
Level 2: Qualitative (hazard and operability study) and offset
Mend Index R2 (Mend Index which takes into account
operational aspects)
Level 3: Offset Mond Index R2 only
Role of hazop in the risk analysis of major hazard plant: R. Qureshi
and these are briefly described as follows:
(a) Using the Fire 8z Explosion Index (FEI) and
Toxicity Index (TI). From the values of FE1 and TI
(Table I), Hazard Categories are assigned and the
extent of safety analysis to be applied is determined
from Table 3 .
(b) Using the Mond Index R6. This is a slightly longer
method and the value of R determines the Hazard
Category (Table 2) and the extent of the safety
analysis to be applied is determined from Table 3 .
Acknowledgements
The author is grateful to Snamprogetti Ltd for the
preparation and presentation of this paper and for
providing secretarial and graphical services.
References
I
Z
3
4
5
6
A guide to the Control of Industrial Major Accident Hazards
Regulations, 1984, HS(R) 21
Qureshi, A. R. and Grille, P., Health and Safety at Work,
September 1987
A Guide to Hazard and Operability Studies, Chemical lndusrries
Association, 1985
Kletz, T. A., ‘Hazop and Hazon - Notes on the Identification and
Assessment of Hazards’, IChemE, Rugby,
‘Nomenclature for Hazard and Risk Assessment in the Process
Industries’ IChcmE, Rugby, 1985
Snamprogetti Ltd. ‘Internal Procedures Technical Information’,
RISK 13 and 15
J. Loss Prev. Process Ind., 1988, Vol 7, April 109