Post on 10-Apr-2020

4 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: 4 Overview of Hazard Evaluation Techniquesftp.feq.ufu.br/Luis_Claudio/Books/E-Books/Safety/GUIDELINES_Hazar… · Overview of Hazard Evaluation Techniques The purpose of this chapter

4 Overview of Hazard Evaluation Techniques

The purpose of this chapter is to summarize important aspects of each of the hazard evaluation (HE) techniques covered in the Guidelines. Readers who want a quick overview of a particular technique can read the appropriate section in this chapter. Although all 12 techniques covered in the Guidelines are given equal treatment, not all of the methods are appropriate for every set of hazard evaluation circumstances. Several of the techniques discussed in this chapter are more appropriately used for performing general process hazard studies — usually early during the life of a process. These techniques (i.e., Safety Review, Checklist Analysis, Relative Ranking, PHA, and What-If Analysis) are efficient at taking a "broad-brush" look at the inherent hazards of a large plant or complex process. Using these techniques before a process is commissioned can significantly improve the cost-effectiveness of subsequent safety improvement efforts.

Other HE techniques covered in the Guidelines (i.e., What-If/Checklist Analysis, HAZOP Analysis, and FMEA) are excellent choices for performing detailed analyses of a wide range of hazards during the design phase of the process and during routine operation. These approaches are also used to identify hazardous situations, which can then be studied with even more sophisticated analysis techniques.

Some of the HE techniques covered in the Guidelines should be reserved for use in special situations requiring detailed analysis of one or a few specific hazardous situations of concern. These techniques (i.e., Fault Tree Analysis, Event Tree Analysis, Cause-Consequence Analysis, and Human Reliability Analysis) require specially trained and skilled practitioners. Analysts are cautioned to use these methods on tightly focused problems since they require significantly more time and effort to perform than do the more broad-brush approaches.

For each HE technique, the following areas are covered: description, purpose, types of results, and resource requirements. The "Description," "Purpose," and "Types of Results" sections of this chapter outline what organizations can expect to achieve with particular HE methods. This information is essential to understanding the significance of factors that can influence the selection of an appropriate HE technique (Chapter 5). Those who need more information on using a specific HE technique should refer to Chapter 6.

The "Resource Requirements" sections provide some basic information on the skills, materials, and effort required to perform HE studies. To help users understand the magnitude of the task they are accepting when they choose a particular HE technique, some rough estimates of the amount of effort generally required to perform a study are provided. However, estimating the time and effort needed to apply a particular HE technique is more art than science, because the actual time to perform a study is influenced by many factors — some of which are not quantifiable.

One important factor is the complexity and size of the problem. To account for this influence and give analysts some idea of the effort that will be needed to perform HE studies, estimates are based on two typical types of analysis problems: a simple/small system and a complex/large process.

Simple/Small System — For example, a chemical unloading and storage system consisting of a rail car unloading station, transfer lines, pumps, storage tank, and pressure control/vapor return lines.

Complex/Large Process — For example, a chemical reaction process consisting of a feed system, reaction section, product separation and recovery, emergency relief system, and associated connecting piping and control systems. This process may contain from 10-20 major vessels, including reactors, columns, and accumulators.

These two examples are used to base rough estimates of the amount of time spent by each participant in an HE study. For each technique, the performance of an HE study is divided into three basic phases: preparation, evaluation, and documentation. Preparation involves all the activities discussed in Chapter 2 (e.g., collecting information, defining the analysis scope, and organizing meetings). Evaluation includes the actual analysis activity that is associated with the chosen HE technique (e.g., for a What-If analysis, holding the team meetings). For certain techniques that involve construction of a complex failure logic model, a model development phase is also included. The documentation phase includes not only recording significant results in HE team meetings, but also developing, reviewing, and completing a formal HE report containing a brief process description, discussion of important results, tables or logic models (if any), and a brief explanation of the significance of action items.

The technical labor estimates are given in hours, days, and weeks. For techniques involving a team, certain individuals may participate in only one or two phases, such as a HAZOP meeting (evaluation phase). Others, notably the HE team leader, will work during all phases. Ranges are given to provide some idea of the influence that other factors can have on the time required to do the job (e.g., experience of team).

These estimates are provided only to give analysts a rough idea of the effort they should allocate for performing an HE study. However, because there are so many other factors that influence time and effort, analysts should use these estimates with great caution. The actual time required for a study may be much greater (or somewhat less) than these estimates indicate. As analysts and organizations gain experience with each HE technique, they should become better equipped to accurately estimate the size of HE studies for their facilities and become more efficient in the performance of HE studies.


4.1 Safety Review

Description

Undoubtedly, the Safety Review technique was the first HE method ever used. This technique, which may also be referred to as a Process Safety Review, a Design Review, or a Loss Prevention Review, can be used at any stage of the life of a process. When performed on existing facilities, the Safety Review typically involves a walk-through inspection that can vary from an informal, routine visual examination, to a formal examination, performed by a team, that takes several weeks. For processes that are still being designed, a design project team might, for example, review a set of drawings during a meeting.

Safety Reviews are intended to identify plant conditions or operating procedures that could lead to an accident and result in injuries, significant property damage, or environmental impacts. A typical Safety Review includes interviews with many people in the plant: operators, maintenance staff, engineers, management, safety staff, and others, depending upon the plant organization. Safety Reviews should be viewed as cooperative efforts to improve the overall safety and performance of the plant, rather than as an interference to normal operations or as a punitive reaction to a perceived problem. Cooperation is essential; people are likely to become defensive unless considerable effort is made to present the review as a benefit to affected plant personnel and designers. Having the support and involvement of all these groups results in a thorough examination.

The Safety Review usually focuses on major risk situations. Judging general housekeeping and morale are not the normal objectives of a safety review, although they can be significant indicators of places where improvements are needed. The Safety Review should complement other process safety activities, such as routine visual inspections, and other HE techniques such as Checklist Analysis and What-If Analysis.

At the end of the Safety Review, the analyst makes recommendations for specific actions that are needed, justifies the recommendations, recommends responsibilities, and lists completion dates. A follow-up evaluation or reinspection may be planned to verify that corrective actions have been completed correctly.

Purpose

Safety Reviews can be used to ensure that the plant and its operating and maintenance practices match the design intent and construction standards. The Safety Review procedure (1) keeps operating personnel alert to the process hazards, (2) reviews operating procedures for necessary revisions, (3) seeks to identify equipment or process changes that could have introduced new hazards, (4) evaluates the design basis of control and safety systems, (5) reviews the application of new technology to existing hazards, and (6) reviews the adequacy of maintenance and safety inspections. The Safety Review technique is often used to perform a pre-startup safety review of a process.

Types of Results

Safety Review results are qualitative descriptions of potential safety problems and suggested corrective actions. The inspection team's report includes deviations from the design intentions as well as authorized procedures and lists of newly discovered safety issues. Responsibility for implementing the corrective action remains with the plant management.

Resource Requirements

For a comprehensive review, the team members will need access to applicable codes and standards; previous safety studies; detailed plant descriptions, such as P&IDs and flowcharts; plant procedures for start-up, shutdown, normal operation, maintenance, and emergencies; personnel injury reports; hazardous incident reports; maintenance records, such as critical instrument checks, pressure relief valve tests, and pressure vessel inspections; and process material characteristics (i.e., toxicity and reactivity information).

The personnel assigned to Safety Review inspections must be very familiar with safety standards and procedures. Special technical skills and experience are helpful for evaluating instrumentation, electrical systems, pressure vessels, process materials and chemistry, and other special-emphasis topics. Table 4.1 lists estimates of the time needed from each team member to perform a safety review.

4.2 Checklist Analysis

Description

A Checklist Analysis uses a written list of items or procedural steps to verify the status of a system. Traditional checklists vary widely in level of detail and are frequently used to indicate compliance with standards and practices. The Checklist Analysis approach is easy to use and can be applied at any stage of the process's lifetime. Checklists can be used to familiarize inexperienced personnel with a process by having them compare a process's attributes to various checklist requirements. Checklists also provide a common basis for management review of the analyst's assessments of a process or operation.

A detailed checklist provides the basis for a standard evaluation of process hazards. It can be as extensive as necessary to satisfy the specific situation, but it should be applied conscientiously in order to identify problems that require further attention. Generic hazard checklists are often combined with other HE techniques to evaluate hazardous situations. Checklists are limited by their authors' experience; therefore, they should be developed by authors with varied backgrounds who have extensive experience with the systems they are analyzing. Frequently, checklists are created by simply organizing information from current relevant codes, standards, and regulations. Checklists should be viewed as living documents and should be audited and updated regularly.

Table 4.1 Time Estimates for Using the Safety Review Technique

Scope                   Preparation*   Evaluation    Documentation*
Simple/Small System     2 to 4 hr      6 to 12 hr    4 to 8 hr
Complex/Large Process   1 to 3 days    3 to 5 days   3 to 6 days

*Primarily the team leader.

Many organizations use standard checklists to control the development of a project — from initial design through plant decommissioning. The completed checklist must frequently be approved by various staff members and managers before a project can move from one stage to the next. In this way, it serves as both a means of communication and as a form of control. Checklists are normally used in hard copy form, although in some cases computer-based versions can be used.

Purpose

Traditional checklists are used primarily to ensure that organizations are complying with standard practices. In some cases, analysts use a more general checklist in combination with another HE method to discover common hazards that the checklist alone might miss (see Section 4.6, What-If/Checklist Analysis).

Types of Results

To create a traditional checklist, the analyst defines standard design or operating practices, then uses them to generate a list of questions based on deficiencies or differences. A completed checklist contains "yes," "no," "not applicable," or "needs more information" answers to the questions. Qualitative results vary with the specific situation, but generally they lead to a "yes" or "no" decision about compliance with standard procedures. In addition, knowledge of these deficiencies usually leads to an easily developed list of possible safety improvement alternatives for managers to consider.

Resource Requirements

To properly perform this technique, you need an appropriate checklist, an engineering design procedures and operating practices manual, and someone to complete the checklist who has basic knowledge of the process being reviewed. If a relevant checklist is available from previous work, analysts should be able to use it as long as they have the necessary guidance. If no relevant checklist exists, one person (sometimes several people) must prepare a checklist and perform the evaluation. An experienced manager or staff engineer should then review the Checklist Analysis results and direct the next action.

Table 4.2 Time Estimates for Using the Checklist Analysis Technique

Scope                   Preparation    Evaluation    Documentation
Simple/Small System     2 to 4 hr      4 to 8 hr     4 to 8 hr
Complex/Large Process   1 to 3 days    3 to 5 days   2 to 4 days

The Checklist Analysis method is versatile. The type of evaluation performed with a checklist can vary: it can be used quickly for simple evaluations or for more expensive in-depth evaluations. It is a highly cost-effective way to identify customarily recognized hazards. Table 4.2 is an estimate of the time it takes to perform an HE study using the Checklist Analysis technique.

4.3 Relative Ranking

Description

Relative Ranking is actually an analysis strategy rather than a single, well-defined analysis method. This strategy allows hazard analysts to compare the attributes of several processes or activities to determine whether they possess hazardous characteristics that are significant enough to warrant further study. Relative Ranking can also be used to compare several process siting, generic design, or equipment layout options, and provide information concerning which alternative appears to be the "best," or least hazardous, option. These comparisons are based on numerical values that represent the relative level of significance that the analyst gives to each hazard. Relative Ranking studies should normally be performed early in the life of a process, before the detailed design is completed, or early in the development of an existing facility's hazard analysis program. However, the Relative Ranking method can also be applied to an existing process to pinpoint the hazards of various aspects of process operation.

Several formal Relative Ranking methods are widely used. For example, the Dow Fire and Explosion Index (F&EI) has been in existence for many years, and a booklet describing this method, published by the AIChE, is in its seventh printing.


The Dow F&EI evaluates the existence and significance of fire and explosion hazards in many large areas of a process facility. The analyst divides a process or activity into separate process units and assigns indexes based on material, physical, and chemical characteristics; process conditions; plant arrangement and equipment layout considerations; and other factors. The various factors are combined into an F&EI score that can be ranked against the scores of other process units that are evaluated. The Dow F&EI can also be used by experienced analysts to gain insights on when general safety system improvements (e.g., fire protection) may be needed. Another method that is less well known and documented in the U.S.A. is the ICI Mond Index. This index is used to evaluate the chemical and toxicity hazards, as well as fire and explosion hazards, associated with a process area or operation.

Many organizations have created their own specialized indexes to rank the hazards associated with facilities, processes, and operations. For example, the Dow Chemical Company has several indexes that it uses to evaluate and manage the risk of its processes and activities. One of them is called the Chemical Exposure Index (CEI). The CEI is used to rank the relative acute health hazards associated with potential chemical releases. The CEI uses a simple formula to rank the use of any toxic chemical, based on five factors: (1) a measure of toxicity, (2) quantity of volatile material available for release, (3) distance to each area of concern, (4) molecular weight of the chemical being evaluated, and (5) process variables that can affect the conditions of a release such as temperature, pressure, reactivity, and so forth.

Some specialized indexes have been developed and used by organizations to determine the application of certain recommended industry practices or regulatory requirements. For example, the U.S. Environmental Protection Agency developed a ranking method (the Threshold Planning Quantity [TPQ] Index) to help determine which materials should be considered extremely hazardous when used in emergency response planning activities associated with SARA Title III. Recently, the Occupational Safety and Health Administration and the American Petroleum Institute have suggested using a Substance Hazard Index (SHI) to help determine whether special process safety management efforts should be directed at particular processes or industrial activities.

Purpose

The main purpose of using Relative Ranking methods is to determine the process areas or operations that are the most significant with respect to the hazard of concern in a given study. The theory behind Relative Ranking methods has its roots in the three basic questions used in risk analysis: (1) What can go wrong? (2) How likely is it? and (3) What would the effects be? The philosophy behind Relative Ranking approaches is to address these risk analysis questions to determine the relative importance of processes and activities from a safety standpoint before performing additional and more costly hazard evaluation or risk analysis studies. Thus, approximate relationships of process attributes are compared to determine which areas present the greater relative hazard or risk. Subsequently, additional HE studies may first be performed on the more significant areas of concern.


Types of Results

All Relative Ranking methods should result in an ordered list of processes, equipment, operations, or activities. This list may have several stratified layers representing levels of significance. Other results such as indexes, scores, factor scales, graphs, etc., depend upon the particular technique used to perform the ranking. It is important to note that while these techniques all try to answer the three questions of risk analysis in some way, analysts should not consider the results of such studies as robust estimates of the risk associated with a process or activity. The Relative Ranking technique is usually not based on specific accident sequences; thus, it does not normally lend itself to developing specific safety improvement recommendations.

Resource Requirements

The information requirements of a Relative Ranking study depend upon each ranking method's unique needs. Generally, a Relative Ranking study will require basic physical and chemical data on the substances used in the process or activity. These studies do not normally require detailed process drawings; however, information on the maximum inventories of materials, the plant's process conditions, and geographic layout of material storage areas is usually needed.

A Relative Ranking study can be carried out by a single analyst. Several analysts can work together on a large, complex process when they are experienced with the Relative Ranking technique and have access to all of the input data needed for the study. It is often better to have a trained analyst working with someone who can quickly locate and interpret the necessary material and process data needed for the analysis. Although more than one analyst may be needed, depending upon the complexity and size of the process or activity and the number and type of hazards, it is crucial that all of the analysts are "calibrated" in the same way so their judgments are consistent.

The time and cost of performing an HE study using the Relative Ranking approach will depend upon the technique chosen, the input data requirements, and the number of process areas and hazards evaluated. Table 4.3 lists estimates of the time it would take to perform an HE study using a Relative Ranking technique.

Table 4.3 Time Estimates for Using the Relative Ranking Technique

Scope                   Preparation    Evaluation    Documentation
Simple/Small System     2 to 4 hr      4 to 8 hr     4 to 8 hr
Complex/Large Process   1 to 3 days    3 to 5 days   3 to 5 days


4.4 Preliminary Hazard Analysis

Description

A Preliminary Hazard Analysis (PHA) is a technique that is derived from the U.S. Military Standard System Safety Program Requirements. A PHA focuses in a general way on the hazardous materials and major process areas of a plant. It is most often conducted early in the development of a process when there is little information on design details or operating procedures, and is often a precursor to further hazard analyses. It is included in these Guidelines to illustrate a cost-effective way to identify hazards early in a plant's life. Because of its military heritage, the PHA technique is sometimes used to review process areas where energy can be released in an uncontrolled manner.

A PHA formulates a list of hazards and generic hazardous situations byconsidering the following process characteristics:

• Raw materials, intermediate and final products, and their reactivity

• Plant equipment

• Interfaces among system components

• Operating environment

• Operational activities (testing, maintenance, etc.)

• Facility layout

One or more hazard analysts assess the significance of process hazards and assign a criticality ranking to each particular situation. This criticality ranking is used to prioritize any recommendations for improving safety that emerge from the team's analysis.

Purpose

The PHA is often used to evaluate hazards early in the life of a process. A PHA is generally applied during the conceptual design or R&D phase of a process plant and can be very useful when making site selection decisions. It is also commonly used as a design review tool before a process P&ID is developed.

While the PHA technique is normally used in the preliminary phase of plant development for cases where experience provides little or no insight into potential safety problems, it may also be helpful when analyzing large existing facilities or when prioritizing hazards when circumstances prevent a more extensive technique from being used.


Types of Results

A PHA yields a qualitative description of the hazards related to a process design. A PHA also provides a qualitative ranking of hazardous situations that can be used to prioritize recommendations for reducing or eliminating hazards in subsequent phases of the life cycle of the process.

Resource Requirements

Using the PHA technique requires that analysts have access to available plant design criteria, equipment specifications, material specifications, and other sources of information. A PHA can be performed by one or two people who have a process safety background. Less-experienced staff can perform a PHA, but the study may not be as exhaustive or as detailed, since this approach requires the analysts to use a significant amount of judgment. Table 4.4 lists estimates of the time needed to perform an HE study using the PHA technique.

Table 4.4 Time Estimates for Using the PHA Technique

Scope                   Preparation*   Evaluation    Documentation*
Simple/Small System     4 to 8 hr      1 to 3 days   1 to 2 days
Complex/Large Process   1 to 3 days    4 to 7 days   4 to 7 days

*Team leader only.

4.5 What-If Analysis

Description

The What-If Analysis technique is a brainstorming approach in which a group of experienced people familiar with the subject process ask questions or voice concerns about possible undesired events. It is not as inherently structured as some other techniques (e.g., HAZOP Analysis and FMEA). Instead, it requires the analyst to adapt the basic concept to the specific application. Very little information has been published on the What-If Analysis method or its application. However, it is frequently used by industry at nearly every stage of the life of a process and has a good reputation among those skilled in its use.


The What-If Analysis concept encourages the HE team to think of questions that begin with "What-If." However, any process safety concern can be voiced, even if it is not phrased as a question. For example:

• I'm concerned about having the wrong material delivered.

• What if Pump A stops running during start-up?

• What if the operator opens valve B instead of A?

Usually, the scribe records all of the questions on a chart pad, marking board, or word processor. Then the questions are divided into specific areas of investigation (usually related to consequences of interest), such as electrical safety, fire protection, or personnel safety. Each area is subsequently addressed by a team of one or more knowledgeable people. The questions are formulated based on experience and applied to existing drawings and process descriptions; for an operating plant, the investigation may include interviews with plant staff not represented on the HE team. (There may be no specific pattern or order to these questions, unless the leader provides a logical pattern such as dividing the process into functional systems.) And the questions can address any off-normal condition related to the plant, not just component failures or process variations.

Purpose

The purpose of a What-If Analysis is to identify hazards, hazardous situations, or specific accident events that could produce an undesirable consequence. An experienced group of people identifies possible accident situations, their consequences, and existing safeguards, then suggests alternatives for risk reduction. The method can involve examination of possible deviations from the design, construction, modification, or operating intent. It requires a basic understanding of the process intention, along with the ability to mentally combine possible deviations from the design intent that could result in an accident. This is a powerful procedure if the staff is experienced; otherwise, the results are likely to be incomplete.

Types of Results

In its simplest form, the What-If Analysis technique generates a list of questions and answers about the process. It may also result in a tabular listing of hazardous situations (with no ranking of or quantitative implication for the identified potential accident scenarios), their consequences, safeguards, and possible options for risk reduction.

Resource Requirements

Since What-If Analysis is so flexible, it can be performed at any stage of the process's life, using whatever process information and knowledge is available. For each area of the process, two or three people should be assigned to perform the analysis; however, a larger team may be preferred. It is better to use a larger group for a complex process, dividing the process into smaller pieces, than to use a small group for a long time on the whole process.

The time and cost of a What-If Analysis are proportional to the plant complexity and number of areas to be analyzed. Once an organization has gained experience with it, the What-If Analysis method can become a cost-efficient means for evaluating hazards during any project phase. Table 4.5 lists estimates of the time needed to perform an HE study using the What-If Analysis technique.

Table 4.5 Time Estimates for Using the What-If Analysis Technique

Scope            Simple/Small System   Complex/Large Process
Preparation*     4 to 8 hr             1 to 3 days
Evaluation       4 to 8 hr             3 to 5 days
Documentation*   1 to 2 days           1 to 3 weeks

*Primarily, team leader and scribe.

4.6 What-If/Checklist Analysis

Description

The What-If/Checklist Analysis technique combines the creative, brainstorming features of the What-If Analysis method (Section 4.5) with the systematic features of the Checklist Analysis method (Section 4.2). This hybrid method capitalizes on the strengths and compensates for the individual shortcomings of the separate approaches. For example, the Checklist Analysis method is an experience-based technique, and the quality of an HE study performed using this approach is highly dependent on the experience of the checklist's authors. If the checklist is not complete, then the analysis may not effectively address a hazardous situation. The What-If Analysis portion of the technique encourages the HE team to consider potential accident events and consequences that are beyond the experience of the authors of a good checklist, and thus are not covered on the checklist. Conversely, the checklist portion of this technique lends a more systematic nature to the What-If Analysis. The What-If/Checklist Analysis technique may be used at any stage of a process's life.

Like most other HE methods, the method works best when performed by a team experienced in the subject process. This technique is generally used to analyze the most common hazards that exist in a process. Although it is able to evaluate the significance of accidents at almost any level of detail, the What-If/Checklist Analysis method usually focuses on a less detailed level of resolution than, for example, the FMEA technique. Often, a What-If/Checklist Analysis is the first hazard evaluation performed on a process, and as such, it is a precursor for subsequent, more detailed studies.

Purpose

The purpose of a What-If/Checklist Analysis is to identify hazards, consider the general types of accidents that can occur in a process or activity, evaluate in a qualitative fashion the effects of these accidents, and determine whether the safeguards against these potential accident situations appear adequate. Frequently, the HE team members will suggest ways for reducing the risk of operating the process.

Types of Results

An HE team using the What-If/Checklist Analysis technique usually generates a table of potential accident situations, effects, safeguards, and action items. The results from such a study may also include a completed checklist. However, some organizations use a narrative style to document the results of such studies.

Resource Requirements

Most What-If/Checklist Analyses are performed by a team of personnel experienced in the design, operation, and maintenance of the subject process. The number of people needed for such a study depends upon the complexity of the process, and to some extent, the stage of life at which the process is being evaluated. Normally, an HE study using this technique requires fewer people and shorter meetings than does a more structured technique such as HAZOP Analysis. Table 4.6 lists estimates of the time needed to perform an HE study using the What-If/Checklist Analysis technique.

Table 4.6 Time Estimates for Using the What-If/Checklist Analysis Technique

Scope            Simple/Small System   Complex/Large Process
Preparation*     6 to 12 hr            1 to 3 days
Evaluation       6 to 12 hr            4 to 7 days
Documentation*   4 to 8 hr             1 to 3 weeks

*Primarily, team leader and scribe.


4.7 Hazard and Operability Analysis

Description

The Hazard and Operability Analysis (HAZOP) technique was developed to identify and evaluate safety hazards in a process plant, and to identify operability problems which, although not hazardous, could compromise the plant's ability to achieve design productivity. Although originally developed to anticipate hazards and operability problems for technology with which organizations have little experience, it has been found to be very effective for use with existing operations. Use of the HAZOP Analysis technique requires a detailed source of information concerning the design and operation of a process. Thus, it is most often used to analyze processes during or after the detailed design stage. Several variations of the HAZOP Analysis technique are in practice in the chemical industry.

In HAZOP Analysis, an interdisciplinary team uses a creative, systematic approach to identify hazard and operability problems resulting from deviations from the process's design intent that could lead to undesirable consequences. An experienced team leader systematically guides the team through the plant design using a fixed set of words (called "guide words"). These guide words are applied at specific points or "study nodes" in the plant design and are combined with specific process parameters to identify potential deviations from the plant's intended operation.

For example, the guide word "No" combined with the process parameter "Flow" results in the deviation "No Flow." Sometimes, a leader will use checklists or process experience to help the team develop the necessary list of deviations that the team will consider in the HAZOP meetings. The team then agrees on possible causes of the deviations (e.g., operator error, blocks in pump), the consequences of deviations (e.g., pump overheats), and the safeguards applicable to the deviations (e.g., pressure relief valve on the pump discharge line). If the causes and consequences are significant and the safeguards are inadequate, the team may recommend a follow-up action for management consideration. In some cases, the team may identify a deviation with a realistic cause but unknown consequences (e.g., an unknown reaction product) and recommend follow-up studies to determine the possible consequences.
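The deviation-generation and worksheet mechanics just described, as a constructed Python example added here (it is not code from the Guidelines): the study node, the tag number, the list of guide words and parameters, the pruning of physically meaningless pairs, and all rows except the "No Flow" entries quoted from the text are assumptions of the example.

```python
"""Constructed illustration of the HAZOP mechanics described in Section 4.7:
guide words combined with process parameters at a study node to generate
deviations, and a column-format worksheet whose follow-up logic mirrors the
text (action if safeguards are inadequate, a study if consequences are
unknown).  The node, tags and row entries are invented for this example."""
from dataclasses import dataclass, field
from itertools import product

GUIDE_WORDS = ["No", "More", "Less", "Reverse", "Other Than"]
PARAMETERS = ["Flow", "Pressure", "Temperature", "Level"]

# Assumption of this example, not stated on the page: a leader normally prunes
# guide word/parameter pairs with no physical meaning ("Reverse Temperature").
MEANINGLESS = {("Reverse", "Pressure"), ("Reverse", "Temperature"),
               ("Reverse", "Level"), ("No", "Temperature")}


def deviations(guide_words=GUIDE_WORDS, parameters=PARAMETERS):
    """Every meaningful 'guide word + parameter' deviation for one study node,
    e.g. ("No", "Flow") -> "No Flow"."""
    return [f"{g} {p}" for g, p in product(guide_words, parameters)
            if (g, p) not in MEANINGLESS]


@dataclass
class HazopRow:
    """One line of the column-format HAZOP table for a study node."""
    node: str
    deviation: str
    causes: list = field(default_factory=list)
    consequences: list = field(default_factory=list)  # empty == unknown
    safeguards: list = field(default_factory=list)
    significant: bool = False        # causes/consequences judged significant
    safeguards_adequate: bool = True

    def recommendation(self):
        """Follow-up logic from the text: a realistic cause with unknown
        consequences calls for a study; significant cause/consequence with
        inadequate safeguards calls for an action item."""
        if self.causes and not self.consequences:
            return "Follow-up study to determine possible consequences"
        if self.significant and not self.safeguards_adequate:
            return "Action recommended for management consideration"
        return "No action"

    def columns(self):
        """The row as the table columns a scribe would record."""
        return [self.node, self.deviation,
                "; ".join(self.causes) or "None identified",
                "; ".join(self.consequences) or "Unknown",
                "; ".join(self.safeguards) or "None",
                self.recommendation()]


NODE = "P-101 feed pump discharge line"   # constructed study node

WORKSHEET = [
    HazopRow(NODE, "No Flow",
             causes=["Operator error", "Blocks in pump"],
             consequences=["Pump overheats"],
             safeguards=["Pressure relief valve on the pump discharge line"],
             significant=True, safeguards_adequate=True),
    HazopRow(NODE, "Other Than Flow",
             causes=["Wrong material delivered"],
             consequences=[],                 # unknown reaction product
             safeguards=["Delivery paperwork check"]),
    HazopRow(NODE, "More Pressure",
             causes=["Discharge valve closed while pump running"],
             consequences=["Seal failure, release of process fluid"],
             safeguards=[], significant=True, safeguards_adequate=False),
]


def action_items(rows=WORKSHEET):
    """Deviations that leave the meeting with something to follow up on."""
    return [(r.deviation, r.recommendation()) for r in rows
            if r.recommendation() != "No action"]
```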

Purpose

The purpose of a HAZOP Analysis is to carefully review a process or operation in a systematic fashion to determine whether process deviations can lead to undesirable consequences. This technique can be used for continuous or batch processes and can be adapted to evaluate written procedures. The HAZOP team lists potential causes and consequences of the deviation as well as existing safeguards protecting against the deviation. When the team determines that inadequate protection exists for a credible deviation, it usually recommends that action be taken to reduce the risk.

Types of Results

The results of a HAZOP Analysis are the team's findings, which include identification of hazards and operating problems; recommendations for changes in design, procedures, etc., to improve the system; and recommendations to conduct studies of areas where no conclusion was possible due to a lack of information. The results of team discussions concerning the causes, effects, and safeguards for deviations for each node or section of the process are recorded in a column-format table.

Resource Requirements

The HAZOP Analysis requires accurate, up-to-date P&IDs or equivalent drawings, and other detailed process information, such as operating procedures. A HAZOP Analysis also requires considerable knowledge of the process, instrumentation, and operation; this information is usually provided by team members who are experts in these areas. Trained and experienced leaders are an essential part of an efficient, high quality HAZOP Analysis.

The HAZOP team for a large, complex process may consist of five to seven people with a variety of experience: design, engineering, operations, maintenance, and so forth. One team member leads the analysis and another (the scribe) typically records the results of the team's deliberations. For a simple process or in a limited scope review, a team can have as few as three or four people, as long as the people have the necessary technical skills and experience. Table 4.7 lists estimates of the time needed to perform an HE study using the HAZOP Analysis technique.

Table 4.7 Time Estimates for Using the HAZOP Analysis Technique

Scope            Simple/Small System   Complex/Large Process
Preparation*     8 to 12 hr            2 to 4 days
Evaluation       1 to 3 days           1 to 3 weeks
Documentation†   2 to 6 days           2 to 6 weeks

*Primarily, team leader and scribe, although others may work some during this phase.

†Team leader and scribe only. May be lower for experienced scribes using computer software in the HAZOP Analysis meeting(s).


4.8 Failure Modes and Effects Analysis

Description

A Failure Modes and Effects Analysis (FMEA) tabulates failure modes of equipment and their effects on a system or plant. The failure mode describes how equipment fails (open, closed, on, off, leaks, etc.). The effect of the failure mode is determined by the system's response to the equipment failure. An FMEA identifies single failure modes that either directly result in or contribute significantly to an accident. Human operator errors are usually not examined directly in an FMEA; however, the effects of a misoperation as a result of human error are usually indicated by an equipment failure mode. An FMEA is not efficient for identifying an exhaustive list of combinations of equipment failures that lead to accidents.

Purpose

The purpose of an FMEA is to identify single equipment and system failure modes and each failure mode's potential effect(s) on the system or plant. This analysis typically generates recommendations for increasing equipment reliability, thus improving process safety.

Types of Results

An FMEA generates a qualitative, systematic reference list of equipment, failure modes, and effects. A worst-case estimate of consequences resulting from single failures is included. The FMEA may be easily updated for design changes or system/plant modifications. FMEA results are usually documented in a column-format table. Hazard analysts usually include suggestions for improving safety in appropriate items in the table.

Resource Requirements

Using the FMEA approach requires the following data and information sources: a system or plant equipment list or P&ID, knowledge of equipment function and failure modes, and knowledge of system or plant function and responses to equipment failures.

FMEAs can be performed by single analysts, but these analyses should be reviewed by others to help ensure completeness. Staff requirements will vary with the size and complexity of equipment items being analyzed. All analysts involved in the FMEA should be familiar with the equipment functions and failure modes and how the failures might affect other portions of the system or plant.

The time and cost of an FMEA are proportional to the size of the process and number of components analyzed. On the average, an hour is sufficient for analyzing two to four equipment items. As with any HE study of systems with similar equipment performing similar functions, the time requirements are reduced significantly due to the repetitive nature of the evaluations. Table 4.8 lists estimates of the time needed to perform an HE study using the FMEA technique.

Table 4.8 Time Estimates for Using the FMEA Technique

Scope            Simple/Small System   Complex/Large Process
Preparation      2 to 6 hr             1 to 3 days
Evaluation       1 to 3 days           1 to 3 weeks
Documentation    1 to 3 days           2 to 4 weeks

4.9 Fault Tree Analysis

Description

Fault Tree Analysis (FTA) is a deductive technique that focuses on one particular accident or main system failure, and provides a method for determining causes of that event. The fault tree is a graphical model that displays the various combinations of equipment failures and human errors that can result in the main system failure of interest (called the Top event). The strength of FTA as a qualitative tool is its ability to identify the combinations of basic equipment failures and human errors that can lead to an accident. This allows the hazard analyst to focus preventive or mitigative measures on significant basic causes to reduce the likelihood of an accident.

Purpose

The purpose of an FTA is to identify combinations of equipment failures and human errors that can result in an accident. FTA is well suited for analyses of highly redundant systems. For systems particularly vulnerable to single failures that can lead to accidents, it is better to use a single-failure-oriented technique such as FMEA or HAZOP Analysis. FTA is often employed in situations where another HE technique (e.g., HAZOP Analysis) has pinpointed an important accident of interest that requires more detailed analysis.

Types of Results

An FTA produces system failure logic models that use Boolean logic gates (i.e., AND, OR) to describe how equipment failures and human errors can combine to cause a main system failure. Many fault tree models may result from the analysis of a large process; the actual number of models depends on how selective the hazard analyst was in choosing the Top event(s) of concern. The fault tree analyst usually solves each logic model to generate a list of failures, called minimal cut sets, that can result in the Top event. These lists of minimal cut sets can be qualitatively ranked by the number and type (e.g., hardware, procedural) of failures in each cut set. Cut sets containing more failures are generally less likely than those containing fewer failures. Inspection of these lists of minimal cut sets reveals system design/operation weaknesses for which the analysts may suggest possible safety improvement alternatives.

Resource Requirements

Using FTA requires a detailed understanding of how the plant or system functions, detailed process drawings and procedures, and knowledge of component failure modes and their effects. Organizations wanting to perform an FTA should use well-trained and experienced analysts to ensure an efficient and high quality analysis.

Qualified analysts can develop fault trees by themselves, but they must have a detailed understanding of the process and, even then, the models should be reviewed with the engineers, operators, and other personnel who have operating experience with the systems and equipment that are included in the analysis. A single analyst/single fault tree approach promotes continuity within the fault tree, but the analyst must have access to all of the information needed to define the failures that contribute to the Top event. A team approach may be used if the subject process is extremely complex or more than one fault tree is needed, with each qualified team member concentrating on one individual fault tree. Interaction among team members and other experienced personnel is necessary to ensure consistency in the development of related or linked models.

Time and cost requirements for an FTA depend on the complexity of the systems involved in the analysis and the level of resolution of the analysis. Modeling a single Top event involving a simple process with an experienced team could require a day or less. Complex systems and large problems with many potential accident events could require many weeks or months, even with an experienced analysis team. Table 4.9 lists estimates for the time needed to perform an HE study using the FTA technique.

Table 4.9 Time Estimates for Using the Fault Tree Analysis Technique

Scope                   Simple/Small System   Complex/Large Process
Preparation             1 to 3 days           4 to 6 days
Model Construction      3 to 6 days           2 to 3 weeks
Qualitative Evaluation  2 to 4 days           1 to 4 weeks
Documentation           3 to 5 days           3 to 5 weeks


4.10 Event Tree Analysis

Description

An event tree graphically shows the possible outcomes of an accident that results from an initiating event (a specific equipment failure or human error). An Event Tree Analysis (ETA) considers the responses of safety systems and operators to the initiating event when determining the accident's potential outcomes. The results of the Event Tree Analysis are accident sequences; that is, sets of failures or errors that lead to an accident. These results describe the possible accident outcomes in terms of the sequence of events (successes or failures of safety functions) that follow an initiating event. An Event Tree Analysis is well suited for analyzing complex processes that have several layers of safety systems or emergency procedures in place to respond to specific initiating events.

Purpose

Event trees are used to identify the various accidents that can occur in a complex process. After these individual accident sequences are identified, the specific combinations of failures that can lead to the accidents can then be determined using Fault Tree Analysis.

Types of Results

The results of an Event Tree Analysis are the event tree models and the safety system successes or failures that lead to each defined outcome. Accident sequences depicted in an event tree represent logical AND combinations of events; thus, these sequences can be put into the form of a fault tree model for further qualitative analysis. Analysts use these results to identify design and procedural weaknesses, and normally provide recommendations for reducing the likelihood and/or consequences of the analyzed potential accidents.
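A constructed Python example, added here and not part of the Guidelines, that covers both the minimal-cut-set solution and ranking described for Fault Tree Analysis (Section 4.9) and the conversion of an event tree accident sequence into an AND fault tree described just above. The tank, tag numbers, failure names and the convention of ranking human errors as more likely than hardware failures are assumptions of the example.

```python
"""Constructed illustration of the qualitative results described for Fault
Tree Analysis (Section 4.9) and Event Tree Analysis (Section 4.10): solving a
fault tree for its minimal cut sets, ranking them, and turning an event tree
accident sequence (an AND of failures) into a fault tree.  The tank, tag
numbers and failure names below are invented for this example."""
from itertools import product

# A fault tree node is a basic event (str) or a gate: ("AND"|"OR", [children]).

def minimize(sets):
    """Drop every cut set that is a proper superset of another (absorption law)."""
    return {s for s in sets if not any(other < s for other in sets)}

def cut_sets(node):
    """Minimal cut sets of a node as a set of frozensets of basic events.
    OR: union of the children's cut sets.  AND: one cut set from every child
    (Cartesian product), so a shared event such as a common power supply
    collapses to a smaller cut set after minimization."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        combined = set().union(*child_sets)
    elif gate == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return minimize(combined)

def rank_cut_sets(sets, event_type):
    """Qualitative ranking: fewer failures first; among equal size, cut sets with
    more human errors first (assumption: a human error is generally more likely
    than an independent hardware failure)."""
    def key(cs):
        human = sum(1 for e in cs if event_type.get(e) == "human")
        return (len(cs), -human, sorted(cs))
    return sorted(sets, key=key)

def accident_sequences(initiator, safety_functions, outcome):
    """Enumerate every event tree path (each safety function succeeds or fails,
    in the order given); `outcome` labels a path from the set of failed ones."""
    sequences = []
    for result in product([True, False], repeat=len(safety_functions)):
        failed = frozenset(f for f, ok in zip(safety_functions, result) if not ok)
        sequences.append({"initiator": initiator, "failed": failed,
                          "outcome": outcome(failed)})
    return sequences

def sequence_fault_tree(sequence, function_trees):
    """An accident sequence as a fault tree: the initiating event AND the
    failure tree of every safety function that failed on that path."""
    failed = [function_trees[f] for f in sorted(sequence["failed"])]
    return ("AND", [sequence["initiator"]] + failed)

# --- Constructed tank-overfill example ------------------------------------
INITIATOR = "LIC-1 level controller drives feed valve fully open"
ALARM_LAYER = ("OR", ["LT-1 level transmitter fails",
                      "Instrument power lost",
                      "Operator does not stop feed on high-level alarm"])
TRIP_LAYER = ("OR", ["LSHH-2 level switch fails",
                     "XV-3 shutoff valve fails to close",
                     "Instrument power lost"])  # shared with the alarm layer
FUNCTION_TREES = {"High-level alarm / operator response": ALARM_LAYER,
                  "High-high level trip": TRIP_LAYER}
EVENT_TYPE = {"Operator does not stop feed on high-level alarm": "human"}

def overfill_outcome(failed):
    """Consequence label for a path, from the safety functions that failed."""
    if len(failed) == 2:
        return "tank overflow, release to dike"
    return "feed stopped, no release"

def overfill_cut_sets():
    """Ranked minimal cut sets for the path on which both layers fail."""
    seqs = accident_sequences(INITIATOR, list(FUNCTION_TREES), overfill_outcome)
    worst = next(s for s in seqs if len(s["failed"]) == 2)
    tree = sequence_fault_tree(worst, FUNCTION_TREES)
    return rank_cut_sets(cut_sets(tree), EVENT_TYPE)

if __name__ == "__main__":
    for n, cs in enumerate(overfill_cut_sets(), 1):
        print(f"{n}. {len(cs)} failures: {' AND '.join(sorted(cs))}")
```

The shared "Instrument power lost" event shows why minimization matters: the nine raw AND combinations collapse to five minimal cut sets, and the single-support-system cut set ranks first.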

Resource Requirements

Using ETA requires knowledge of potential initiating events (that is, equipment failures or system upsets that can potentially cause an accident), and knowledge of safety system functions or emergency procedures that potentially mitigate the effects of each initiating event.

An Event Tree Analysis can be performed by a single analyst as long as the analyst has a detailed knowledge of the system, but a team of two to four people is often preferred. The team approach promotes brainstorming, which results in a more complete event tree. The team should include at least one member with knowledge of Event Tree Analysis, and the remaining members should have knowledge of the processes and experience working with the systems included in the analysis.

Time and cost requirements for an Event Tree Analysis depend on the number and complexity of initiating events and safety functions included in the analysis. Several days should be sufficient for the team to evaluate several initiating events for a simple process; complex processes could require many weeks. Table 4.10 lists estimates of the time needed to perform an HE study using the ETA technique.

Table 4.10 Time Estimates for Using the Event Tree Analysis Technique

Scope                   Simple/Small System   Complex/Large Process
Preparation             1 to 2 days           4 to 6 days
Model Construction      1 to 3 days           1 to 2 weeks
Qualitative Evaluation  1 to 2 days           1 to 2 weeks
Documentation           3 to 5 days           3 to 5 weeks

4.11 Cause-Consequence Analysis

Description

A Cause-Consequence Analysis (CCA) is a blend of Fault Tree and Event Tree Analyses (discussed in the preceding sections). A major strength of a Cause-Consequence Analysis is its use as a communication tool: the cause-consequence diagram displays the relationships between the accident outcomes (consequences) and their basic causes. This technique is most commonly used when the failure logic of the analyzed accidents is rather simple, since the graphical form, which combines both fault trees and event trees on the same diagram, can become quite detailed.

Purpose

As the name suggests, the purpose of a Cause-Consequence Analysis is to identify the basic causes and consequences of potential accidents.

Types of Results

A Cause-Consequence Analysis generates diagrams portraying accident sequences and qualitative descriptions of potential accident outcomes.

Page 21: 4 Overview of Hazard Evaluation Techniquesftp.feq.ufu.br/Luis_Claudio/Books/E-Books/Safety/GUIDELINES_Hazar… · Overview of Hazard Evaluation Techniques The purpose of this chapter

Resource Requirements

Using CCA requires knowledge of the following data and information sources: knowledge of component failures or process upsets that could cause accidents, knowledge of safety systems or emergency procedures that can influence the outcome of an accident, and knowledge of the potential impacts of all of these failures.

A Cause-Consequence Analysis is best performed by a small team (two to four people) with a variety of experience. One team member should be experienced in CCA (or Fault Tree and Event Tree Analysis), while the remaining members should have experience with the design and operation of the systems included in the analysis.

Time and cost requirements for a CCA are highly dependent on the number, complexity, and level of resolution of the events included in the analysis. Scoping-type analyses for several initiating events can usually be accomplished in a week or less. Detailed CCA studies may require many weeks, depending on the complexity of any supporting fault trees. Table 4.11 lists estimates of the time needed to perform an HE study using the CCA technique.

Table 4.11 Time Estimates for Using the Cause-Consequence Analysis Technique

Scope                   Simple/Small System   Complex/Large Process
Preparation             1 to 2 days           4 to 6 days
Model Construction      1 to 3 days           1 to 2 weeks
Qualitative Evaluation  1 to 3 days           1 to 2 weeks
Documentation           3 to 5 days           3 to 5 weeks

4.12 Human Reliability Analysis

Description

A Human Reliability Analysis (HRA) is a systematic evaluation of the factors that influence the performance of operators, maintenance staff, technicians, and other plant personnel. It involves one of several types of task analyses; these types of analyses describe a task's physical and environmental characteristics, along with the skills, knowledge, and capabilities required of those who perform the tasks. A Human Reliability Analysis will identify error-likely situations that can cause or lead to accidents. A Human Reliability Analysis can also be used to trace the causes of human errors. Human Reliability Analysis is usually performed in conjunction with other hazard evaluation techniques.

Purpose

The purpose of Human Reliability Analysis is to identify potential human errors and their effects, or to identify the underlying causes of human errors.

Types of Results

A Human Reliability Analysis systematically lists the errors likely to be encountered during normal or emergency operation, factors contributing to such errors, and proposed system modifications to reduce the likelihood of such errors. The results are qualitative, but may be quantified. The analysis includes identifying system interfaces affected by particular errors, and ranking these errors in relation to the others, based on probability of occurrence or severity of consequences. The results are easily updated for design changes or system, plant, or training modifications.

Resource Requirements

Using Human Reliability Analysis requires the following data and information sources: plant procedures; information from interviews of plant personnel; knowledge of plant layout, function, or task allocation; control panel layout; and alarm system layout.

Staffing requirements vary based on the scope of the analysis. Generally, one or two analysts with human factors training should be able to perform an HRA for a facility. The analyst(s) should be familiar with interviewing techniques and should have access to plant personnel; to pertinent information, such as procedures and schematic drawings; and to the facility. The analyst should be familiar with (or know someone who is familiar with) the plant response or consequences caused by various human errors.

The time and cost for this type of analysis are proportional to the size and number of tasks, systems, or errors being analyzed. As little as an hour should be sufficient to conduct a rough HRA of the tasks associated with a simple plant procedure. The time required to identify likely sources of a given type of error will vary with the complexity of the tasks involved, but this analysis could also be completed in as little as an hour. If the results of a single task analysis were used to investigate several sources of potential human error, the time requirement per source of error would be significantly decreased. Identifying potential modifications to reduce the incidence of human errors would not add materially to the time required for a Human Reliability Analysis. Table 4.12 lists estimates of the time needed to perform an HE study using the HRA technique.

Table 4.12 Time Estimates for Using the Human Reliability Analysis Technique

Scope                   Simple/Small System   Complex/Large Process
Preparation             4 to 8 hours          1 to 3 days
Model Construction      1 to 3 days           1 to 2 weeks
Qualitative Evaluation  1 to 2 days           1 to 2 weeks
Documentation           3 to 5 days           1 to 3 weeks