A hazard and operability study (HAZOP) is a structured and systematic examination of a complex system, usually a process facility, in order to identify hazards to personnel, equipment or the environment, as well as operability problems that could affect operations efficiency. It is the foremost hazard identification tool in the domain of process safety. The intention of performing a HAZOP is to review the design to pick up design and engineering issues that may otherwise not have been found. The technique is based on breaking the overall complex design of the process into a number of simpler sections called nodes which are then individually reviewed. It is carried out by a suitably experienced multi-disciplinary team during a series of meetings. The HAZOP technique is qualitative and aims to stimulate the imagination of participants to identify potential hazards and operability problems. Structure and direction are given to the review process by applying standardized guideword prompts to the review of each node. A relevant IEC standard [1] calls for team members to display 'intuition and good judgement' and for the meetings to be held in "an atmosphere of critical thinking in a frank and open atmosphere [sic]."
The HAZOP technique was initially developed for systems involving the treatment of a fluid medium or other material flow in the process industries, where it is now a major element of process safety management. It was later expanded to the analysis of batch reactions and process plant operational procedures. Recently, it has been used in domains other than or only loosely related to the process industries, namely: software applications including programmable electronic systems; software and code development; systems involving the movement of people by transport modes such as road, rail, and air; assessing administrative procedures in different industries; assessing medical devices; etc. [1] This article focuses on the technique as it is used in the process industries.
The technique is generally considered to have originated in the Heavy Organic Chemicals Division of Imperial Chemical Industries (ICI), which was then a major British and international chemical company.
Its origins have been described by Trevor Kletz, [2] [3] who was the company's safety advisor from 1968 to 1982. In 1963 a team of three people met for three days a week for four months to study the design of a new phenol plant. They started with a technique called critical examination which asked for alternatives but changed this to look for deviations. The method was further refined within the company, under the name operability studies, and became the third stage of its hazard analysis procedure (the first two being done at the conceptual and specification stages) when the first detailed design was produced.
In 1974 a one-week safety course including this procedure was offered by the Institution of Chemical Engineers (IChemE) at Teesside Polytechnic. Coming shortly after the Flixborough disaster, the course was fully booked, as were ones in the next few years. In the same year the first paper in the open literature was also published. [4] In 1977 the Chemical Industries Association published a guide. [5] Up to this time the term 'HAZOP' had not been used in formal publications. The first to do this was Kletz in 1983, with what were essentially the course notes (revised and updated) from the IChemE courses. [2] By this time, hazard and operability studies had become an expected part of chemical engineering degree courses in the UK. [2]
Nowadays, regulators and the process industry at large (including operators and contractors) consider HAZOP a strictly necessary step of project development, at the very least during the detailed design phase.
The method is applied to complex processes, for which sufficient design information is available and not likely to change significantly. This range of data should be explicitly identified and taken as the "design intent" basis for the HAZOP study. For example, a prudent designer will have allowed for foreseeable variations within the process, creating a larger design envelope than just the basic requirements, and the HAZOP will be looking at ways in which this might not be sufficient.
A common use of the HAZOP is relatively early in the detailed design of a plant or process. However, it can also be applied at other stages, including the later operational life of existing plants, in which case it is usefully applied as a revalidation tool to ensure that inadequately managed changes have not crept in since first plant start-up. Where design information is not fully available, such as during front-end loading, a coarse HAZOP can be conducted; however, where a design is required to have a HAZOP performed to meet legislative or regulatory requirements, such an early exercise cannot be considered sufficient and a later, detailed design HAZOP also becomes necessary.
For process plants, identifiable sections (nodes) are chosen so that for each a meaningful design intent can be specified. They are commonly indicated on piping and instrumentation diagrams (P&IDs) and process flow diagrams (PFDs). P&IDs in particular are the foremost reference document for conducting a HAZOP. The extent of each node should be appropriate to the complexity of the system and the magnitude of the hazards it might pose. However, it will also need to balance between "too large and complex" (fewer nodes, but the team members may not be able to consider issues within the whole node at once) and "too small and simple" (many trivial and repetitive nodes, each of which has to be reviewed independently and documented).
For each node, in turn, the HAZOP team uses a list of standardized guidewords and process parameters to identify potential deviations from the design intent. For each deviation, the team identifies feasible causes and likely consequences then decides (with confirmation by risk analysis where necessary, e.g., by way of an agreed upon risk matrix) whether the existing safeguards are sufficient, or whether an action or recommendation to install additional safeguards or put in place administrative controls is necessary to reduce the risks to an acceptable level.
The degree of preparation for the HAZOP is critical to the overall success of the review. Key elements are "frozen" design information provided to the team members with time for them to familiarize themselves with the process, an adequate schedule allowed for the performance of the HAZOP, and the provision of the best team members for their role. Those scheduling a HAZOP should take into account the review scope, the number of nodes to be reviewed, the provision of completed design drawings and documentation and the need to maintain team performance over an extended time-frame. The team members may also need to perform some of their normal tasks during this period, and the HAZOP team members can tend to lose focus unless adequate time is allowed for them to refresh their mental capabilities.
The team meetings should be managed by an independent, trained HAZOP facilitator (also referred to as HAZOP leader or chairperson), who is responsible for the overall quality of the review, partnered with a dedicated scribe to minute the meetings. As the IEC standard puts it: [1]
The success of the study strongly depends on the alertness and concentration of the team members and it is therefore important that the sessions are not too long and that there are appropriate intervals between sessions. How these requirements are achieved is ultimately the responsibility of the study leader.
For a medium-sized chemical plant, where the total number of items to be considered is around 1200 pieces of equipment and piping, about 40 such meetings would be needed. [6] Various software programs are now available to assist in the management and scribing of the workshop.
Source: [7]
In order to identify deviations, the team applies a set of guidewords systematically (i.e., in a given order) to each node in the process. To prompt discussion, or to ensure completeness, appropriate process parameters are considered in turn, which apply to the design intent. Typical parameters are flow (or flowrate), temperature, pressure, level, composition, etc. The IEC standard notes that guidewords should be chosen that are appropriate to the study, neither too specific (limiting ideas and discussion) nor too general (allowing loss of focus). A fairly standard set of guidewords (given as an example in the standard) is as follows:
Guideword | Meaning |
---|---|
No (not, none) | None of the design intent is achieved |
More (more of, higher) | Quantitative increase in a parameter |
Less (less of, lower) | Quantitative decrease in a parameter |
As well as (more than) | An additional activity occurs |
Part of | Only some of the design intention is achieved |
Reverse | Logical opposite of the design intent occurs |
Other than (other) | Complete substitution (another activity takes place or an unusual activity occurs or uncommon condition exists) |
Where a guideword is meaningfully applicable to a parameter (e.g., "no flow", "more temperature"), the combination should be recorded as a credible potential deviation from the design intent that requires review.
The following table gives an overview of commonly used guideword-parameter pairs (deviations) and common interpretations of them.
Parameter / Guideword | No | More | Less | As well as | Part of | Reverse | Other than |
---|---|---|---|---|---|---|---|
Flow | no flow | high flow | low flow | deviating concentration | | reverse flow | |
Pressure | vacuum | high pressure | low pressure | | | | |
Temperature | | high temperature | low temperature | | | | |
Level | no level | high level | low level | | | | |
Time | sequence step skipped | too long / too late | too short / too soon | extra actions | missing actions | backwards | wrong time |
Agitation | no mixing | fast mixing | slow mixing | | | | |
Reaction | no reaction | fast reaction / runaway | slow reaction | | | | |
Start-up / Shut-down | | too fast | too slow | | actions missed | | wrong recipe |
Draining / Venting | none | too long | too short | deviating pressure | | | wrong timing |
Inerting | none | high pressure | low pressure | contamination | | | wrong material |
Utility failure (e.g., instrument air, power) | failure | | | | | | |
DCS (distributed control system) failure | failure | | | | | | |
Maintenance | none | | | | | | |
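The enumeration described above (guidewords applied in a fixed order to each parameter of a node, only meaningful pairs recorded as deviations, and each recorded deviation then judged against an agreed risk matrix to decide whether the existing safeguards suffice) can be expressed as a small worksheet builder. The following is an added example written for this article; it is not code from the original page or from any HAZOP software product. The node, the tag numbers (P-101, R-101, FAL-101), the 5 by 5 multiplicative risk matrix with its action threshold, and the assessments are constructed for illustration, and the interpretation table is a subset of the table above. Deviations the team has not yet assessed are kept in the worksheet as "open" rows so that completeness gaps stay visible in the close-out.

```python
"""Added example: HAZOP worksheet builder (constructed data, not a real study)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Guidewords in the fixed order in which they are applied to every node.
GUIDEWORDS: Tuple[str, ...] = ("No", "More", "Less", "As well as",
                               "Part of", "Reverse", "Other than")

# Common guideword/parameter interpretations (subset of the table above).
# A missing entry means the pair is not a credible deviation and is not recorded.
INTERPRETATIONS: Dict[Tuple[str, str], str] = {
    ("Flow", "No"): "no flow",
    ("Flow", "More"): "high flow",
    ("Flow", "Less"): "low flow",
    ("Flow", "As well as"): "deviating concentration",
    ("Flow", "Reverse"): "reverse flow",
    ("Pressure", "No"): "vacuum",
    ("Pressure", "More"): "high pressure",
    ("Pressure", "Less"): "low pressure",
    ("Temperature", "More"): "high temperature",
    ("Temperature", "Less"): "low temperature",
    ("Level", "No"): "no level",
    ("Level", "More"): "high level",
    ("Level", "Less"): "low level",
}

# Constructed risk matrix: rank = likelihood * severity on 1-5 scales; a rank
# above the threshold is not acceptable with existing safeguards (action needed).
SCALE = range(1, 6)
ACTION_THRESHOLD = 10


@dataclass
class Assessment:
    """Team findings for one deviation; likelihood is judged with existing safeguards."""
    cause: str
    consequence: str
    safeguards: List[str]
    likelihood: int
    severity: int

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.severity not in SCALE:
            raise ValueError("likelihood and severity must be on the 1-5 matrix scale")


def risk_rank(likelihood: int, severity: int) -> int:
    return likelihood * severity


def enumerate_deviations(parameters: List[str]) -> List[Tuple[str, str, str]]:
    """Apply every guideword, in order, to every parameter; keep credible pairs only."""
    found = []
    for parameter in parameters:
        for guideword in GUIDEWORDS:
            meaning = INTERPRETATIONS.get((parameter, guideword))
            if meaning is not None:
                found.append((parameter, guideword, meaning))
    return found


def build_worksheet(node: str, parameters: List[str],
                    assessments: Dict[Tuple[str, str], Assessment]) -> List[dict]:
    """One row per credible deviation; unassessed deviations stay in as 'open'."""
    rows = []
    for parameter, guideword, meaning in enumerate_deviations(parameters):
        row = {"node": node, "parameter": parameter,
               "guideword": guideword, "deviation": meaning}
        a = assessments.get((parameter, guideword))
        if a is None:
            row.update(status="open", action_required=None)
        else:
            rank = risk_rank(a.likelihood, a.severity)
            row.update(status="assessed", cause=a.cause, consequence=a.consequence,
                       safeguards=a.safeguards, risk=rank,
                       action_required=rank > ACTION_THRESHOLD)
        rows.append(row)
    return rows


def actions_required(rows: List[dict]) -> List[str]:
    """Deviations whose risk rank exceeds the agreed threshold."""
    return [r["deviation"] for r in rows if r["action_required"]]


# Constructed node and assessments (hypothetical tags, not a real plant).
NODE = "Node 1: feed line from pump P-101 to reactor R-101"
NODE_PARAMETERS = ["Flow", "Pressure", "Temperature"]
NODE_ASSESSMENTS = {
    ("Flow", "No"): Assessment(
        cause="pump P-101 trips",
        consequence="loss of feed; reactor temperature rises towards runaway",
        safeguards=["low-flow alarm FAL-101"], likelihood=3, severity=4),
    ("Flow", "Reverse"): Assessment(
        cause="pump stops while reactor pressure exceeds feed pressure",
        consequence="reactor contents back-flow into the feed system",
        safeguards=["check valve on pump discharge"], likelihood=2, severity=4),
}

if __name__ == "__main__":
    sheet = build_worksheet(NODE, NODE_PARAMETERS, NODE_ASSESSMENTS)
    for r in sheet:
        print(f"{r['parameter']:<12}{r['guideword']:<12}{r['deviation']:<26}"
              f"{r['status']:<10}risk={r.get('risk', '-')} action={r['action_required']}")
    print("actions required:", actions_required(sheet))
```

The order of rows follows the guideword order, which is what makes the review systematic: a node is not finished until every credible pair has a status other than "open". The multiplicative matrix is only a stand-in; the project's agreed matrix, with its own likelihood and severity definitions, replaces `risk_rank` and `ACTION_THRESHOLD`.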
Once the causes and effects of any potential hazards have been established, the system being studied can then be modified to improve its safety. The modified design should then be subject to a formal HAZOP close-out, to ensure that no new problems have been added.
A HAZOP study is a team effort. The team should be as small as practicable and have relevant skills and experience. Where a system has been designed by a contractor, the HAZOP team should contain personnel from both the contractor and the client company. A minimum team size of five [8] is recommended. In a large process there will be many HAZOP meetings and the individuals within the team may change, as different specialists and deputies will be required for the various roles. As many as 20 individuals may be involved. [2] Each team member should have a definite role as follows: [1]
Name | Role |
---|---|
Study leader / Chairman / Facilitator | Someone experienced in leading HAZOPs, who is familiar with this type of process but is independent of the design team. Responsible for progressing through the series of nodes, moderating the team discussions, maintaining the accuracy of the record, ensuring the clarity of the recommended actions and identifying appropriate actionees. |
Recorder / secretary / scribe | To document the causes, consequences, safeguards and actions identified for each deviation, to record the conclusions and recommendations of the team discussions (accurately but comprehensibly). |
Design engineer | To explain the design and its representation, to explain how a defined deviation can occur and the corresponding system or organizational response. |
Operator / user | Explains the operational context within which the system will operate, the operational consequences of a deviation and the extent to which deviations might lead to unacceptable consequences. |
Specialists | Provide expertise relevant to the system, the study, the hazards and their consequences. They could be called upon for limited participation. |
Maintainer | Someone who will maintain the system going forward. |
In earlier publications it was suggested that the study leader could also be the recorder [2] but separate roles are now generally recommended.
The use of computers and projector screens enhances the recording of meeting minutes (the team can see what is minuted and ensure that it is accurate), the display of P&IDs for the team to review, the provision of supplemental documented information to the team and the logging of non-HAZOP issues that may arise during the review, e.g., drawing/document corrections and clarifications. Specialist software is now available from several suppliers to support the recording of meeting minutes and tracking the completion of recommended actions.
Safety engineering is an engineering discipline which assures that engineered systems provide acceptable levels of safety. It is strongly related to industrial engineering/systems engineering, and the subset system safety engineering. Safety engineering assures that a life-critical system behaves as needed, even when components fail.
The Flixborough disaster was an explosion at a chemical plant close to the village of Flixborough, North Lincolnshire, England, on 1 June 1974. It killed 28 and seriously injured 36 of the 72 people on site at the time. The casualty figures could have been much higher if the explosion had occurred on a weekday, when the main office area would have been occupied. A contemporary campaigner on process safety wrote "the shock waves rattled the confidence of every chemical engineer in the country".
Process Safety Management of Highly Hazardous Chemicals is a regulation promulgated by the U.S. Occupational Safety and Health Administration (OSHA). It defines and regulates a process safety management (PSM) program for plants using, storing, manufacturing, handling or carrying out on-site movement of hazardous materials above defined amount thresholds. Companies affected by the regulation usually build a compliant process safety management system and integrate it in their safety management system. Non-U.S. companies frequently choose on a voluntary basis to use the OSHA scheme in their business.
A piping and instrumentation diagram is a detailed diagram in the process industry which shows the piping and process equipment together with the instrumentation and control devices. It is also called a mechanical flow diagram (MFD).
On 25 September 1998 a catastrophic accident occurred at the Esso natural gas plant in Longford, Victoria, Australia. A pressure vessel ruptured resulting in a serious jet fire, which escalated to a conflagration extending to a large part of the plant. Fires lasted two days before they were finally extinguished.
In functional safety, safety integrity level (SIL) is defined as the relative level of risk-reduction provided by a safety instrumented function (SIF), i.e. the measurement of the performance required of the SIF.
A hazard analysis is used as the first step in a process used to assess risk. The result of a hazard analysis is the identification of different types of hazards. A hazard is a potential condition that either exists or does not. It may, on its own or in combination with other hazards and conditions, become an actual functional failure or accident (mishap). The way this exactly happens in one particular sequence is called a scenario. This scenario has a probability of occurrence. Often a system has many potential failure scenarios. It is also assigned a classification, based on the worst-case severity of the end condition. Risk is the combination of probability and severity. Preliminary risk levels can be provided in the hazard analysis. The validation, more precise prediction (verification) and acceptance of risk are determined in the risk assessment (analysis). The main goal of both is to provide the best selection of means of controlling or eliminating the risk. The term is used in several engineering specialties, including avionics, food safety, occupational safety and health, process safety and reliability engineering.
In the chemical and process industries, a process has inherent safety if it has a low level of danger even if things go wrong. Inherent safety contrasts with other processes where a high degree of hazard is controlled by protective systems. As perfect safety cannot be achieved, common practice is to talk about inherently safer design. “An inherently safer design is one that avoids hazards instead of controlling them, particularly by reducing the amount of hazardous material and the number of hazardous operations in the plant.”
IEC 61508 is an international standard published by the International Electrotechnical Commission (IEC) consisting of methods on how to apply, design, deploy and maintain automatic protection systems called safety-related systems. It is titled Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems.
IEC standard 61511 is a technical standard which sets out practices in the engineering of systems that ensure the safety of an industrial process through the use of instrumentation. Such systems are referred to as Safety Instrumented Systems. The title of the standard is "Functional safety - Safety instrumented systems for the process industry sector".
In functional safety a safety instrumented system (SIS) is an engineered set of hardware and software controls which provides a protection layer that shuts down a chemical, nuclear, electrical, or mechanical system, or part of it, if a hazardous condition is detected.
Trevor Asher Kletz, OBE, FREng, FRSC, FIChemE was a prolific British author on the topic of chemical engineering safety. He was a central figure in establishing the discipline of process safety. He is credited with introducing the concept of inherent safety and was a major promoter of HAZOP. He is listed in The Palgrave Dictionary of Anglo-Jewish History.
The Institution of Chemical Engineers (IChemE) is a global professional engineering institution with 30,000 members in 114 countries. It was founded in 1922 and awarded a Royal Charter in 1957.
Process safety is an interdisciplinary engineering domain focusing on the study, prevention, and management of large-scale fires, explosions and chemical accidents in process plants or other facilities dealing with hazardous materials, such as refineries and oil and gas production installations. Thus, process safety is generally concerned with the prevention of, control of, mitigation of and recovery from unintentional hazardous materials releases that can have a serious effect to people, plant and/or the environment.
A process hazard analysis (PHA) (or process hazard evaluation) is an exercise for the identification of hazards of a process facility and the qualitative or semi-quantitative assessment of the associated risk. A PHA provides information intended to assist managers and employees in making decisions for improving safety and reducing the consequences of unwanted or unplanned releases of hazardous materials. A PHA is directed toward analyzing potential causes and consequences of fires, explosions, releases of toxic or flammable chemicals and major spills of hazardous chemicals, and it focuses on equipment, instrumentation, utilities, human actions, and external factors that might impact the process. It is one of the elements of OSHA's program for Process Safety Management.
Functional safety is the part of the overall safety of a system or piece of equipment that depends on automatic protection operating correctly in response to its inputs or failure in a predictable manner (fail-safe). The automatic protection system should be designed to properly handle likely systematic errors, hardware failures and operational/environmental stress.
ISO 26262, titled "Road vehicles – Functional safety", is an international standard for functional safety of electrical and/or electronic systems that are installed in serial production road vehicles, defined by the International Organization for Standardization (ISO) in 2011, and revised in 2018.
ISO/IEC 31010 is a standard concerning risk management codified by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The full name of the standard is ISO/IEC 31010:2019 – Risk management – Risk assessment techniques.
A cyber PHA or cyber HAZOP is a safety-oriented methodology to conduct a cybersecurity risk assessment for an industrial control system (ICS) or safety instrumented system (SIS). It is a systematic, consequence-driven approach that is based upon industry standards such as ISA 62443-3-2, ISA TR84.00.09, ISO/IEC 27005:2018, ISO 31000:2009 and NIST Special Publication (SP) 800-39.
Layers of protection analysis (LOPA) is a technique for evaluating the hazards, risks and layers of protection associated with a system, such as a chemical process plant. In terms of complexity and rigour LOPA lies between qualitative techniques such as hazard and operability studies (HAZOP) and quantitative techniques such as fault trees and event trees. LOPA is used to identify scenarios that present the greatest risk and assists in considering how that risk could be reduced.